1. 27 Mar, 2013 2 commits
  2. 22 Mar, 2013 1 commit
    • fpizlo@apple.com's avatar
      Fix some minor issues in the DFG's profiling of heap accesses · c5c0fa4e
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=113010
      
      Reviewed by Goeffrey Garen.
              
      1) If a CodeBlock gets jettisoned by GC, we should count the exit sites.
      
      2) If a CodeBlock clears a structure stub during GC, it should record this, and
      the DFG should prefer to not inline that access (i.e. treat it as if it had an
      exit site).
      
      3) If a PutById was seen by the baseline JIT, and the JIT attempted to cache it,
      but it chose not to, then assume that it will take slow path.
      
      4) If we frequently exited because of a structure check on a weak constant,
      don't try to inline that access in the future.
      
      5) Treat all exits that were counted as being frequent.
              
      81% speed-up on Octane/gbemu. Small speed-ups elsewhere, and no regressions.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC):
      (JSC::CodeBlock::resetStubDuringGCInternal):
      (JSC::CodeBlock::reoptimize):
      (JSC::CodeBlock::jettison):
      (JSC::ProgramCodeBlock::jettisonImpl):
      (JSC::EvalCodeBlock::jettisonImpl):
      (JSC::FunctionCodeBlock::jettisonImpl):
      (JSC::CodeBlock::tallyFrequentExitSites):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::tallyFrequentExitSites):
      (ProgramCodeBlock):
      (EvalCodeBlock):
      (FunctionCodeBlock):
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFor):
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFor):
      * bytecode/StructureStubInfo.h:
      (JSC::StructureStubInfo::StructureStubInfo):
      (StructureStubInfo):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
      * dfg/DFGOSRExit.h:
      (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
      (OSRExit):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * runtime/Options.h:
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146669 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c5c0fa4e
  3. 21 Mar, 2013 1 commit
  4. 20 Mar, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG implementation of op_strcat should inline rope allocations · 4463e44f
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=112780
      
      Reviewed by Oliver Hunt.
              
      This gets rid of the StrCat node and adds a MakeRope node. The MakeRope node can
      take either two or three operands, and allocates a rope string with either two or
      three fibers. (The magic choice of three children for non-VarArg nodes happens to
      match exactly with the magic choice of three fibers for rope strings.)
              
      ValueAdd on KnownString is replaced with MakeRope with two children.
              
      StrCat gets replaced by an appropriate sequence of MakeRope's.
              
      MakeRope does not do the dynamic check to see if its children are empty strings.
      This is replaced by a static check, instead. The downside is that we may use more
      memory if the strings passed to MakeRope turn out to dynamically be empty. The
      upside is that we do fewer checks in the cases where either the strings are not
      empty, or where the strings are statically known to be empty. I suspect both of
      those cases are more common, than the case where the string is dynamically empty.
              
      This also results in some badness for X86. MakeRope needs six registers if it is
      allocating a three-rope. We don't have six registers to spare on X86. Currently,
      the code side-steps this problem by just never usign three-ropes in optimized
      code on X86. All other architectures, including X86_64, don't have this problem.
              
      This is a shocking speed-up. 9% progressions on both V8/splay and
      SunSpider/date-format-xparb. 1% progression on V8v7 overall, and ~0.5% progression
      on SunSpider. 2x speed-up on microbenchmarks that test op_strcat.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGAdjacencyList.h:
      (AdjacencyList):
      (JSC::DFG::AdjacencyList::removeEdge):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::createToString):
      (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
      (JSC::DFG::FixupPhase::convertStringAddUse):
      (FixupPhase):
      (JSC::DFG::FixupPhase::convertToMakeRope):
      (JSC::DFG::FixupPhase::fixupMakeRope):
      (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileMakeRope):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
      (JSC::DFG::SpeculateCellOperand::~SpeculateCellOperand):
      (JSC::DFG::SpeculateCellOperand::gpr):
      (JSC::DFG::SpeculateCellOperand::use):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/JSString.h:
      (JSRopeString):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146382 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4463e44f
  5. 18 Mar, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG string conversions and allocations should be inlined · 0e6e1542
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=112376
      
      Source/JavaScriptCore: 
      
      Reviewed by Geoffrey Garen.
              
      This turns new String(), String(), String.prototype.valueOf(), and
      String.prototype.toString() into intrinsics. It gives the DFG the ability to handle
      conversions from StringObject to JSString and vice-versa, and also gives it the
      ability to handle cases where a variable may be either a StringObject or a JSString.
      To do this, I added StringObject to value profiling (and removed the stale
      distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive
      handling, using some of the new functionality but also taking advantage of the
      existence of Identity(String:@a).
              
      This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken.
      On microbenchmarks that stress new String() this is a 14x speed-up.
      
      * CMakeLists.txt:
      * DerivedSources.make:
      * DerivedSources.pri:
      * GNUmakefile.list.am:
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::hasExitSite):
      (JSC):
      * bytecode/DFGExitProfile.cpp:
      (JSC::DFG::ExitProfile::hasExitSite):
      (DFG):
      * bytecode/DFGExitProfile.h:
      (ExitProfile):
      (JSC::DFG::ExitProfile::hasExitSite):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromClassInfo):
      * bytecode/SpeculatedType.h:
      (JSC):
      (JSC::isStringObjectSpeculation):
      (JSC::isStringOrStringObjectSpeculation):
      * create_hash_table:
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGAbstractState.h:
      (JSC::DFG::AbstractState::filterEdgeByUse):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
      (DFG):
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      * dfg/DFGEdge.h:
      (JSC::DFG::Edge::shift):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
      (FixupPhase):
      (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::hasGlobalExitSite):
      (Graph):
      (JSC::DFG::Graph::hasExitSite):
      (JSC::DFG::Graph::clobbersWorld):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToToString):
      (Node):
      (JSC::DFG::Node::hasStructure):
      (JSC::DFG::Node::shouldSpeculateStringObject):
      (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileNewStringObject):
      (JSC::DFG::SpeculativeJIT::speculateObject):
      (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
      (JSC::DFG::SpeculativeJIT::speculateString):
      (JSC::DFG::SpeculativeJIT::speculateStringObject):
      (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
      (DFG):
      (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      * interpreter/CallFrame.h:
      (JSC::ExecState::regExpPrototypeTable):
      * runtime/CommonIdentifiers.h:
      * runtime/Intrinsic.h:
      * runtime/JSDestructibleObject.h:
      (JSDestructibleObject):
      (JSC::JSDestructibleObject::classInfoOffset):
      * runtime/JSGlobalData.cpp:
      (JSC):
      (JSC::JSGlobalData::JSGlobalData):
      (JSC::JSGlobalData::~JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSObject.cpp:
      * runtime/JSObject.h:
      (JSC):
      * runtime/JSWrapperObject.h:
      (JSC::JSWrapperObject::allocationSize):
      (JSWrapperObject):
      (JSC::JSWrapperObject::internalValueOffset):
      (JSC::JSWrapperObject::internalValueCellOffset):
      * runtime/StringPrototype.cpp:
      (JSC):
      (JSC::StringPrototype::finishCreation):
      (JSC::StringPrototype::create):
      * runtime/StringPrototype.h:
      (StringPrototype):
      
      LayoutTests: 
      
      Reviewed by Geoffrey Garen.
      
      * fast/js/dfg-to-string-bad-toString-expected.txt: Added.
      * fast/js/dfg-to-string-bad-toString.html: Added.
      * fast/js/dfg-to-string-bad-valueOf-expected.txt: Added.
      * fast/js/dfg-to-string-bad-valueOf.html: Added.
      * fast/js/dfg-to-string-int-expected.txt: Added.
      * fast/js/dfg-to-string-int-or-string-expected.txt: Added.
      * fast/js/dfg-to-string-int-or-string.html: Added.
      * fast/js/dfg-to-string-int.html: Added.
      * fast/js/dfg-to-string-side-effect-clobbers-toString-expected.txt: Added.
      * fast/js/dfg-to-string-side-effect-clobbers-toString.html: Added.
      * fast/js/dfg-to-string-side-effect-expected.txt: Added.
      * fast/js/dfg-to-string-side-effect.html: Added.
      * fast/js/dfg-to-string-toString-becomes-bad-expected.txt: Added.
      * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype-expected.txt: Added.
      * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.html: Added.
      * fast/js/dfg-to-string-toString-becomes-bad.html: Added.
      * fast/js/dfg-to-string-toString-in-string-expected.txt: Added.
      * fast/js/dfg-to-string-toString-in-string.html: Added.
      * fast/js/dfg-to-string-valueOf-becomes-bad-expected.txt: Added.
      * fast/js/dfg-to-string-valueOf-becomes-bad.html: Added.
      * fast/js/dfg-to-string-valueOf-in-string-expected.txt: Added.
      * fast/js/dfg-to-string-valueOf-in-string.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/regress/script-tests/string-concat-object.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-concat-pair-object.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-concat-pair-simple.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-concat-simple.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-cons-repeat.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-cons-tower.js: Added.
      (foo):
      * fast/js/regress/string-concat-object-expected.txt: Added.
      * fast/js/regress/string-concat-object.html: Added.
      * fast/js/regress/string-concat-pair-object-expected.txt: Added.
      * fast/js/regress/string-concat-pair-object.html: Added.
      * fast/js/regress/string-concat-pair-simple-expected.txt: Added.
      * fast/js/regress/string-concat-pair-simple.html: Added.
      * fast/js/regress/string-concat-simple-expected.txt: Added.
      * fast/js/regress/string-concat-simple.html: Added.
      * fast/js/regress/string-cons-repeat-expected.txt: Added.
      * fast/js/regress/string-cons-repeat.html: Added.
      * fast/js/regress/string-cons-tower-expected.txt: Added.
      * fast/js/regress/string-cons-tower.html: Added.
      * fast/js/script-tests/dfg-to-string-bad-toString.js: Added.
      (String.prototype.toString):
      (foo):
      * fast/js/script-tests/dfg-to-string-bad-valueOf.js: Added.
      (String.prototype.valueOf):
      (foo):
      * fast/js/script-tests/dfg-to-string-int-or-string.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-int.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-side-effect-clobbers-toString.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-side-effect.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.js: Added.
      (foo):
      (.String.prototype.toString):
      * fast/js/script-tests/dfg-to-string-toString-becomes-bad.js: Added.
      (foo):
      (.String.prototype.toString):
      * fast/js/script-tests/dfg-to-string-toString-in-string.js: Added.
      (foo):
      (.argument.toString):
      * fast/js/script-tests/dfg-to-string-valueOf-becomes-bad.js: Added.
      (foo):
      (.String.prototype.valueOf):
      * fast/js/script-tests/dfg-to-string-valueOf-in-string.js: Added.
      (foo):
      (.argument.valueOf):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0e6e1542
  6. 14 Mar, 2013 1 commit
  7. 06 Mar, 2013 1 commit
    • oliver@apple.com's avatar
      Bring back eager resolution of function scoped variables · 75f804e0
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=111497
      
      Reviewed by Geoffrey Garen.
      
      This reverts the get/put_scoped_var part of the great non-local
      variable resolution refactoring.  This still leaves all the lazy
      variable resolution logic as it's necessary for global property
      resolution, and i don't want to make the patch bigger than it
      already is.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::CodeBlock):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::generateFunctionCodeBlock):
      (JSC::UnlinkedFunctionExecutable::codeBlockFor):
      (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC):
      (UnlinkedFunctionExecutable):
      (UnlinkedCodeBlock):
      (JSC::UnlinkedCodeBlock::usesGlobalObject):
      (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
      (JSC::UnlinkedCodeBlock::globalObjectRegister):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::emitLoadGlobalObject):
      (JSC):
      (JSC::BytecodeGenerator::resolve):
      (JSC::BytecodeGenerator::resolveConstDecl):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetStaticVar):
      (JSC::BytecodeGenerator::emitPutStaticVar):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::ResolveResult::lexicalResolve):
      (JSC::ResolveResult::isStatic):
      (JSC::ResolveResult::depth):
      (JSC::ResolveResult::index):
      (ResolveResult):
      (JSC::ResolveResult::ResolveResult):
      (BytecodeGenerator):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::TypeOfResolveNode::emitBytecode):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::debugFail):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      * jit/JIT.h:
      (JIT):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_scoped_var):
      (JSC):
      (JSC::JIT::emit_op_put_scoped_var):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_scoped_var):
      (JSC):
      (JSC::JIT::emit_op_put_scoped_var):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/CodeCache.cpp:
      (JSC::CodeCache::getCodeBlock):
      (JSC::CodeCache::getProgramCodeBlock):
      (JSC::CodeCache::getEvalCodeBlock):
      * runtime/CodeCache.h:
      (JSC):
      (CodeCache):
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
      (JSC::FunctionExecutable::produceCodeBlockFor):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::createEvalCodeBlock):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@145000 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      75f804e0
  8. 05 Mar, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG DCE might eliminate checks unsoundly · 06f82b56
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=109389
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This gets rid of all eager reference counting, and does all dead code elimination
      in one phase - the DCEPhase. This phase also sets up the node reference counts,
      which are then used not just for DCE but also register allocation and stack slot
      allocation.
              
      Doing this required a number of surgical changes in places that previously relied
      on always having liveness information. For example, the structure check hoisting
      phase must now consult whether a VariableAccessData is profitable for unboxing to
      make sure that it doesn't try to do hoisting on set SetLocals. The arguments
      simplification phase employs its own light-weight liveness analysis. Both phases
      previously just used reference counts.
              
      The largest change is that now, dead nodes get turned into Phantoms. Those
      Phantoms will retain those child edges that are not proven. This ensures that any
      type checks performed by a dead node remain even after the node is killed. On the
      other hand, this Phantom conversion means that we need special handling for
      SetLocal. I decided to make the four forms of SetLocal explicit:
              
      MovHint(@a, rK): Just indicates that node @a contains the value that would have
           now been placed into virtual register rK. Does not actually cause @a to be
           stored into rK. This would have previously been a dead SetLocal with @a
           being live. MovHints are always dead.
              
      ZombieHint(rK): Indicates that at this point, register rK will contain a dead
           value and OSR should put Undefined into it. This would have previously been
           a dead SetLocal with @a being dead also. ZombieHints are always dead.
              
      MovHintAndCheck(@a, rK): Identical to MovHint except @a is also type checked,
           according to whatever UseKind the edge to @a has. The type check is always a
           forward exit. MovHintAndChecks are always live, since they are
           NodeMustGenerate. Previously this would have been a dead SetLocal with a
           live @a, and the check would have disappeared. This is one of the bugs that
           this patch solves.
              
      SetLocal(@a, rK): This still does exactly what it does now, if the SetLocal is
           live.
              
      Basically this patch makes it so that dead SetLocals eventually decay to MovHint,
      ZombieHint, or MovHintAndCheck depending on the situation. If the child @a is
      also dead, then you get a ZombieHint. If the child @a is live but the SetLocal
      has a type check and @a's type hasn't been proven to have that type then you get
      a MovHintAndCheck. Otherwise you get a MovHint.
              
      This is performance neutral.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      (ArgumentsSimplificationPhase):
      (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
      * dfg/DFGBasicBlock.h:
      (BasicBlock):
      * dfg/DFGBasicBlockInlines.h:
      (DFG):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::addToGraph):
      (JSC::DFG::ByteCodeParser::insertPhiNode):
      (JSC::DFG::ByteCodeParser::emitFunctionChecks):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::run):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::run):
      (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
      * dfg/DFGCPSRethreadingPhase.cpp:
      (JSC::DFG::CPSRethreadingPhase::run):
      (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
      (JSC::DFG::CSEPhase::setReplacement):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGCommon.cpp:
      (WTF::printInternal):
      (WTF):
      * dfg/DFGCommon.h:
      (WTF):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
      (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
      * dfg/DFGDCEPhase.cpp: Added.
      (DFG):
      (DCEPhase):
      (JSC::DFG::DCEPhase::DCEPhase):
      (JSC::DFG::DCEPhase::run):
      (JSC::DFG::DCEPhase::findTypeCheckRoot):
      (JSC::DFG::DCEPhase::countEdge):
      (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
      (JSC::DFG::performDCE):
      * dfg/DFGDCEPhase.h: Added.
      (DFG):
      * dfg/DFGDriver.cpp:
      (JSC::DFG::compile):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      (JSC::DFG::FixupPhase::fixIntEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::truncateConstantToInt32):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::Graph):
      (JSC::DFG::Graph::dump):
      (DFG):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::changeChild):
      (JSC::DFG::Graph::changeEdge):
      (JSC::DFG::Graph::compareAndSwap):
      (JSC::DFG::Graph::clearAndDerefChild):
      (JSC::DFG::Graph::performSubstitution):
      (JSC::DFG::Graph::performSubstitutionForEdge):
      (Graph):
      (JSC::DFG::Graph::substitute):
      * dfg/DFGInsertionSet.h:
      (InsertionSet):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (JSC::DFG::Node::convertToConstant):
      (JSC::DFG::Node::convertToGetLocalUnlinked):
      (JSC::DFG::Node::containsMovHint):
      (Node):
      (JSC::DFG::Node::hasVariableAccessData):
      (JSC::DFG::Node::willHaveCodeGenOrOSR):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      (JSC::DFG::SpeculativeJIT::compileMovHint):
      (JSC::DFG::SpeculativeJIT::compileMovHintAndCheck):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      (JSC::DFG::StructureCheckHoistingPhase::shouldConsiderForHoisting):
      (StructureCheckHoistingPhase):
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::validate):
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * fast/js/dfg-arguments-osr-exit-multiple-blocks-before-exit-expected.txt: Added.
      * fast/js/dfg-arguments-osr-exit-multiple-blocks-before-exit.html: Added.
      * fast/js/dfg-arguments-osr-exit-multiple-blocks-expected.txt: Added.
      * fast/js/dfg-arguments-osr-exit-multiple-blocks.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js: Added.
      (baz):
      (foo):
      (bar):
      * fast/js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js: Added.
      (baz):
      (foo):
      (bar):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144862 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      06f82b56
  9. 25 Feb, 2013 1 commit
    • fpizlo@apple.com's avatar
      The DFG special case checks for isCreatedThisArgument are fragile · 5470ec77
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=110535
      
      Reviewed by Oliver Hunt.
              
      There may be many situations in which we want to force a variable to never be
      unboxed. Capturing is one such case, and the created this argument is another.
      Previously all code that dealt with this issue had to query both scenarios.
              
      Now DFG::VariableAccessData knows these things. You just have to ask
      VariableAccessData for whether a variable should be unboxed. Anyone wishing to
      force a variable to never be unboxed just tells VariableAccessData.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      (DFG):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (CFGSimplificationPhase):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.h:
      (Graph):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUnificationPhase.cpp:
      (JSC::DFG::UnificationPhase::run):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::VariableAccessData):
      (JSC::DFG::VariableAccessData::mergeIsCaptured):
      (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
      (VariableAccessData):
      (JSC::DFG::VariableAccessData::shouldNeverUnbox):
      (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
      (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143955 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5470ec77
  10. 21 Feb, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG should not change its mind about what type speculations a node does, by... · 7a1964c5
      fpizlo@apple.com authored
      DFG should not change its mind about what type speculations a node does, by encoding the checks in the NodeType, UseKind, and ArrayMode
      https://bugs.webkit.org/show_bug.cgi?id=109371
      
      Reviewed by Oliver Hunt.
              
      FixupPhase now locks in the speculations that each node will do. The DFG then
      remembers those speculations, and doesn't change its mind about them even if the
      graph is transformed - for example if a node's child is repointed to a different
      node as part of CSE, CFG simplification, or folding. Each node ensures that it
      executes the speculations promised by its edges. This is true even for Phantom
      nodes.
              
      This still leaves some craziness on the table for future work, like the
      elimination of speculating SetLocal's due to CFG simplification
      (webkit.org/b/109388) and elimination of nodes via DCE (webkit.org/b/109389).
              
      In all, this allows for a huge simplification of the DFG. Instead of having to
      execute the right speculation heuristic each time you want to decide what a node
      does (for example Node::shouldSpeculateInteger(child1, child2) &&
      node->canSpeculateInteger()), you just ask for the use kinds of its children
      (typically node->binaryUseKind() == Int32Use). Because the use kinds are
      discrete, you can often just switch over them. This makes many parts of the code
      more clear than they were before.
              
      Having UseKinds describe the speculations being performed also makes it far
      easier to perform analyses that need to know what speculations are done. This is
      so far only used to simplify large parts of the CFA.
              
      To have a larger vocabulary of UseKinds, this also changes the node allocator to
      be able to round up Node sizes to the nearest multiple of 16.
              
      This appears to be neutral on benchmarks, except for some goofy speed-ups, like
      8% on Octane/box2d.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::startExecuting):
      (DFG):
      (JSC::DFG::AbstractState::executeEdges):
      (JSC::DFG::AbstractState::verifyEdge):
      (JSC::DFG::AbstractState::verifyEdges):
      (JSC::DFG::AbstractState::executeEffects):
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAbstractState.h:
      (AbstractState):
      (JSC::DFG::AbstractState::filterEdgeByUse):
      (JSC::DFG::AbstractState::filterByType):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::filter):
      * dfg/DFGAdjacencyList.h:
      (JSC::DFG::AdjacencyList::AdjacencyList):
      (JSC::DFG::AdjacencyList::child):
      (JSC::DFG::AdjacencyList::setChild):
      (JSC::DFG::AdjacencyList::reset):
      (JSC::DFG::AdjacencyList::firstChild):
      (JSC::DFG::AdjacencyList::setFirstChild):
      (JSC::DFG::AdjacencyList::numChildren):
      (JSC::DFG::AdjacencyList::setNumChildren):
      (AdjacencyList):
      * dfg/DFGAllocator.h:
      (DFG):
      (Allocator):
      (JSC::DFG::Allocator::cellSize):
      (JSC::DFG::Allocator::Region::headerSize):
      (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
      (JSC::DFG::Allocator::Region::payloadSize):
      (JSC::DFG::Allocator::Region::payloadBegin):
      (JSC::DFG::Allocator::Region::payloadEnd):
      (JSC::DFG::Allocator::Region::isInThisRegion):
      (JSC::DFG::::Allocator):
      (JSC::DFG::::~Allocator):
      (JSC::DFG::::allocate):
      (JSC::DFG::::free):
      (JSC::DFG::::freeAll):
      (JSC::DFG::::reset):
      (JSC::DFG::::indexOf):
      (JSC::DFG::::allocatorOf):
      (JSC::DFG::::bumpAllocate):
      (JSC::DFG::::freeListAllocate):
      (JSC::DFG::::allocateSlow):
      (JSC::DFG::::freeRegionsStartingAt):
      (JSC::DFG::::startBumpingIn):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::addToGraph):
      (JSC::DFG::ByteCodeParser::handleMinMax):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::setLocalStoreElimination):
      (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
      (JSC::DFG::CSEPhase::setReplacement):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGCommon.h:
      (DFG):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
      * dfg/DFGDriver.cpp:
      (JSC::DFG::compile):
      * dfg/DFGEdge.cpp:
      (JSC::DFG::Edge::dump):
      * dfg/DFGEdge.h:
      (JSC::DFG::Edge::useKindUnchecked):
      (JSC::DFG::Edge::useKind):
      (JSC::DFG::Edge::shift):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      (JSC::DFG::FixupPhase::fixIntEdge):
      (JSC::DFG::FixupPhase::fixDoubleEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (FixupPhase):
      (JSC::DFG::FixupPhase::truncateConstantToInt32):
      (JSC::DFG::FixupPhase::truncateConstantsIfNecessary):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGGraph.cpp:
      (DFG):
      (JSC::DFG::Graph::refChildren):
      (JSC::DFG::Graph::derefChildren):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::ref):
      (JSC::DFG::Graph::deref):
      (JSC::DFG::Graph::performSubstitution):
      (JSC::DFG::Graph::isPredictedNumerical):
      (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
      (DFG):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (JSC::DFG::Node::convertToGetByOffset):
      (JSC::DFG::Node::convertToPutByOffset):
      (JSC::DFG::Node::willHaveCodeGenOrOSR):
      (JSC::DFG::Node::child1):
      (JSC::DFG::Node::child2):
      (JSC::DFG::Node::child3):
      (JSC::DFG::Node::binaryUseKind):
      (Node):
      (JSC::DFG::Node::isBinaryUseKind):
      * dfg/DFGNodeAllocator.h:
      (DFG):
      * dfg/DFGNodeFlags.cpp:
      (JSC::DFG::nodeFlagsAsString):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::speculationCheck):
      (DFG):
      (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
      (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
      (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
      (JSC::DFG::SpeculativeJIT::typeCheck):
      (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
      (JSC::DFG::SpeculativeJIT::fillStorage):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileInstanceOf):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compileArithMod):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateInt32):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculateBoolean):
      (JSC::DFG::SpeculativeJIT::speculateCell):
      (JSC::DFG::SpeculativeJIT::speculateObject):
      (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
      (JSC::DFG::SpeculativeJIT::speculateString):
      (JSC::DFG::SpeculativeJIT::speculateNotCell):
      (JSC::DFG::SpeculativeJIT::speculateOther):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
      (JSC::DFG::SpeculativeJIT::needsTypeCheck):
      (JSC::DFG::IntegerOperand::IntegerOperand):
      (JSC::DFG::IntegerOperand::edge):
      (IntegerOperand):
      (JSC::DFG::IntegerOperand::node):
      (JSC::DFG::IntegerOperand::gpr):
      (JSC::DFG::IntegerOperand::use):
      (JSC::DFG::JSValueOperand::JSValueOperand):
      (JSValueOperand):
      (JSC::DFG::JSValueOperand::edge):
      (JSC::DFG::JSValueOperand::node):
      (JSC::DFG::JSValueOperand::gpr):
      (JSC::DFG::JSValueOperand::fill):
      (JSC::DFG::JSValueOperand::use):
      (JSC::DFG::StorageOperand::StorageOperand):
      (JSC::DFG::StorageOperand::edge):
      (StorageOperand):
      (JSC::DFG::StorageOperand::node):
      (JSC::DFG::StorageOperand::gpr):
      (JSC::DFG::StorageOperand::use):
      (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
      (SpeculateIntegerOperand):
      (JSC::DFG::SpeculateIntegerOperand::edge):
      (JSC::DFG::SpeculateIntegerOperand::node):
      (JSC::DFG::SpeculateIntegerOperand::gpr):
      (JSC::DFG::SpeculateIntegerOperand::use):
      (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
      (SpeculateStrictInt32Operand):
      (JSC::DFG::SpeculateStrictInt32Operand::edge):
      (JSC::DFG::SpeculateStrictInt32Operand::node):
      (JSC::DFG::SpeculateStrictInt32Operand::gpr):
      (JSC::DFG::SpeculateStrictInt32Operand::use):
      (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
      (SpeculateDoubleOperand):
      (JSC::DFG::SpeculateDoubleOperand::edge):
      (JSC::DFG::SpeculateDoubleOperand::node):
      (JSC::DFG::SpeculateDoubleOperand::fpr):
      (JSC::DFG::SpeculateDoubleOperand::use):
      (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
      (SpeculateCellOperand):
      (JSC::DFG::SpeculateCellOperand::edge):
      (JSC::DFG::SpeculateCellOperand::node):
      (JSC::DFG::SpeculateCellOperand::gpr):
      (JSC::DFG::SpeculateCellOperand::use):
      (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
      (JSC::DFG::SpeculateBooleanOperand::edge):
      (SpeculateBooleanOperand):
      (JSC::DFG::SpeculateBooleanOperand::node):
      (JSC::DFG::SpeculateBooleanOperand::gpr):
      (JSC::DFG::SpeculateBooleanOperand::use):
      (DFG):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * dfg/DFGUseKind.cpp: Added.
      (WTF):
      (WTF::printInternal):
      * dfg/DFGUseKind.h: Added.
      (DFG):
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      (WTF):
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::reportValidationContext):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143654 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7a1964c5
  11. 18 Feb, 2013 1 commit
  12. 17 Feb, 2013 1 commit
    • fpizlo@apple.com's avatar
      Move all Structure out-of-line inline methods to StructureInlines.h · bb8aa756
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=110024
      
      Source/JavaScriptCore: 
      
      Rubber stamped by Mark Hahnenberg and Sam Weinig.
              
      This was supposed to be easy.
              
      But, initially, there was a Structure inline method in CodeBlock.h, and moving that
      into StructureInlines.h meant that Operations.h included CodeBlock.h. This would
      cause WebCore build failures, because CodeBlock.h transitively included the JSC
      parser (via many, many paths), and the JSC parser defines tokens using enumeration
      elements that CSSGrammar.cpp (generated by bison) would #define. For example,
      bison would give CSSGrammar.cpp a #define FUNCTION 123, and would do so before
      including anything interesting. The JSC parser would have an enum that included
      FUNCTION as an element. Hence the JSC parser included into CSSGrammar.cpp would have
      a token element called FUNCTION declared in an enumeration, but FUNCTION was
      #define'd to 123, leading to a parser error.
              
      Wow.
              
      So I removed all transitive include paths from CodeBlock.h to the JSC Parser. I
      believe I was able to do so without out-of-lining anything interesting or performance
      critical. This is probably a purely good thing to have done: it will be nice to be
      able to make changes to the parser without having to compile the universe.
              
      Of course, doing this caused a bunch of other things to not compile, since a bunch of
      headers relied on things being implicitly included for them when they transitively
      included the parser. I fixed a lot of that.
              
      Finally, I ended up removing the method that depended on CodeBlock.h from
      StructureInlines.h, and putting it in Structure.cpp. That might seem like all of this
      was a waste of time, except that I suspect it was a worthwhile forcing function for
      cleaning up a bunch of cruft.
              
      * API/JSCallbackFunction.cpp:
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CodeBlock.h:
      (JSC):
      * bytecode/EvalCodeCache.h:
      * bytecode/SamplingTool.h:
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::UnlinkedFunctionExecutable::parameterCount):
      (JSC):
      * bytecode/UnlinkedCodeBlock.h:
      (UnlinkedFunctionExecutable):
      * bytecompiler/BytecodeGenerator.h:
      * bytecompiler/Label.h:
      (JSC):
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGByteCodeParser.h:
      * dfg/DFGFPRInfo.h:
      * dfg/DFGRegisterBank.h:
      * heap/HandleStack.cpp:
      * jit/JITWriteBarrier.h:
      * parser/Nodes.h:
      (JSC):
      * parser/Parser.h:
      * parser/ParserError.h: Added.
      (JSC):
      (JSC::ParserError::ParserError):
      (ParserError):
      (JSC::ParserError::toErrorObject):
      * parser/ParserModes.h:
      * parser/SourceProvider.cpp: Added.
      (JSC):
      (JSC::SourceProvider::SourceProvider):
      (JSC::SourceProvider::~SourceProvider):
      * parser/SourceProvider.h:
      (JSC):
      (SourceProvider):
      * runtime/ArrayPrototype.cpp:
      * runtime/DatePrototype.cpp:
      * runtime/Executable.h:
      * runtime/JSGlobalObject.cpp:
      * runtime/JSGlobalObject.h:
      (JSC):
      * runtime/Operations.h:
      * runtime/Structure.cpp:
      (JSC::Structure::prototypeForLookup):
      (JSC):
      * runtime/Structure.h:
      (JSC):
      * runtime/StructureInlines.h: Added.
      (JSC):
      (JSC::Structure::create):
      (JSC::Structure::createStructure):
      (JSC::Structure::get):
      (JSC::Structure::masqueradesAsUndefined):
      (JSC::SlotVisitor::internalAppend):
      (JSC::Structure::transitivelyTransitionedFrom):
      (JSC::Structure::setEnumerationCache):
      (JSC::Structure::enumerationCache):
      (JSC::Structure::prototypeForLookup):
      (JSC::Structure::prototypeChain):
      (JSC::Structure::isValid):
      * runtime/StructureRareData.cpp:
      
      Source/WebCore: 
      
      Rubber stamped by Sam Weinig.
      
      No new tests because no new behavior. Just rewiring includes.
      
      * ForwardingHeaders/parser/SourceProviderCache.h: Added.
      * loader/cache/CachedScript.cpp:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143147 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      bb8aa756
  13. 13 Feb, 2013 2 commits
    • zandobersek@gmail.com's avatar
      The 'global isinf/isnan' compiler quirk required when using clang with libstdc++ · 9182d475
      zandobersek@gmail.com authored
      https://bugs.webkit.org/show_bug.cgi?id=109325
      
      Reviewed by Anders Carlsson.
      
      Prefix calls to the isinf and isnan methods with std::, declaring we want to use the
      two methods as they're provided by the C++ standard library being used.
      
      Source/JavaScriptCore: 
      
      * API/JSValueRef.cpp:
      (JSValueMakeNumber):
      * JSCTypedArrayStubs.h:
      (JSC):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitLoad):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::constantNaN):
      * offlineasm/cloop.rb:
      * runtime/DateConstructor.cpp:
      (JSC::dateUTC): Also include an opportunistic style fix.
      * runtime/DateInstance.cpp:
      (JSC::DateInstance::calculateGregorianDateTime):
      (JSC::DateInstance::calculateGregorianDateTimeUTC):
      * runtime/DatePrototype.cpp:
      (JSC::dateProtoFuncGetMilliSeconds):
      (JSC::dateProtoFuncGetUTCMilliseconds):
      (JSC::setNewValueFromTimeArgs):
      (JSC::setNewValueFromDateArgs):
      (JSC::dateProtoFuncSetYear):
      * runtime/JSCJSValue.cpp:
      (JSC::JSValue::toInteger):
      * runtime/JSDateMath.cpp:
      (JSC::getUTCOffset):
      (JSC::parseDateFromNullTerminatedCharacters):
      (JSC::parseDate):
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::globalFuncIsNaN):
      * runtime/MathObject.cpp:
      (JSC::mathProtoFuncMax):
      (JSC::mathProtoFuncMin):
      (JSC::mathProtoFuncPow):
      * runtime/PropertyDescriptor.cpp:
      (JSC::sameValue):
      
      Source/WebCore: 
      
      No new tests as there's no change in functionality.
      
      * Modules/mediasource/MediaSource.cpp:
      (WebCore::MediaSource::setDuration):
      * Modules/webaudio/AudioBufferSourceNode.cpp:
      (WebCore::AudioBufferSourceNode::totalPitchRate):
      * Modules/webaudio/AudioParam.cpp:
      (WebCore::AudioParam::setValue):
      * Modules/webaudio/AudioParamTimeline.cpp:
      (WebCore::isValidNumber):
      * Modules/webaudio/PannerNode.cpp:
      (WebCore::fixNANs):
      * bindings/js/IDBBindingUtilities.cpp:
      (WebCore::createIDBKeyFromValue):
      * bindings/js/JSDataViewCustom.cpp:
      (WebCore::getDataViewMember):
      * bindings/js/JSGeolocationCustom.cpp:
      (WebCore::setTimeout):
      (WebCore::setMaximumAge):
      * bindings/js/JSHTMLOptionsCollectionCustom.cpp:
      (WebCore::JSHTMLOptionsCollection::setLength):
      * bindings/js/JSWebKitPointCustom.cpp:
      (WebCore::JSWebKitPointConstructor::constructJSWebKitPoint):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateImplementation):
      (GenerateParametersCheck):
      * bindings/scripts/CodeGeneratorV8.pm:
      (GenerateParametersCheck):
      * bindings/scripts/test/JS/JSFloat64Array.cpp:
      (WebCore::JSFloat64Array::getByIndex):
      * bindings/scripts/test/JS/JSTestObj.cpp:
      (WebCore::jsTestObjPrototypeFunctionClassMethodWithClamp):
      * bindings/scripts/test/V8/V8TestObj.cpp:
      (WebCore::TestObjV8Internal::classMethodWithClampCallback):
      * bindings/v8/IDBBindingUtilities.cpp:
      (WebCore::createIDBKeyFromValue):
      * bindings/v8/V8Binding.cpp:
      (WebCore::toInt32):
      (WebCore::toUInt32):
      * bindings/v8/custom/V8GeolocationCustom.cpp:
      (WebCore::createPositionOptions):
      * bindings/v8/custom/V8HTMLOptionsCollectionCustom.cpp:
      (WebCore::V8HTMLOptionsCollection::lengthAccessorSetter):
      * bindings/v8/custom/V8WebKitPointCustom.cpp:
      (WebCore::V8WebKitPoint::constructorCallbackCustom):
      * bridge/qt/qt_runtime.cpp:
      (JSC::Bindings::convertValueToQVariant):
      * css/WebKitCSSMatrix.cpp:
      (WebCore::WebKitCSSMatrix::translate):
      (WebCore::WebKitCSSMatrix::scale):
      (WebCore::WebKitCSSMatrix::rotate):
      (WebCore::WebKitCSSMatrix::rotateAxisAngle):
      (WebCore::WebKitCSSMatrix::skewX):
      (WebCore::WebKitCSSMatrix::skewY):
      * html/HTMLMediaElement.cpp:
      (WebCore::HTMLMediaElement::percentLoaded):
      (WebCore::HTMLMediaElement::mediaPlayerTimeChanged):
      (WebCore::HTMLMediaElement::endedPlayback):
      * html/MediaController.cpp:
      (MediaController::duration):
      * html/canvas/WebGLRenderingContext.cpp:
      (WebCore):
      (WebCore::WebGLRenderingContext::clearColor):
      * html/track/TextTrack.cpp:
      (WebCore::TextTrack::addCue):
      * html/track/TextTrackCue.cpp:
      (WebCore::TextTrackCue::setStartTime):
      (WebCore::TextTrackCue::setEndTime):
      * page/DOMWindow.cpp:
      (WebCore::DOMWindow::adjustWindowRect):
      * page/WindowFeatures.cpp:
      (WebCore::WindowFeatures::floatFeature): Also include an opportunistic style fix.
      * platform/CalculationValue.cpp:
      (WebCore::CalculationValue::evaluate):
      * platform/Decimal.cpp:
      (WebCore::Decimal::fromDouble):
      * platform/Length.cpp:
      (WebCore::Length::nonNanCalculatedValue):
      * platform/audio/AudioResampler.cpp:
      (WebCore::AudioResampler::setRate):
      * platform/audio/DynamicsCompressorKernel.cpp:
      (WebCore::DynamicsCompressorKernel::process):
      * platform/audio/Reverb.cpp:
      (WebCore::calculateNormalizationScale):
      * platform/graphics/Font.cpp:
      (WebCore::Font::width):
      * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h:
      (WebCore::MediaPlayerPrivateAVFoundation::isLiveStream):
      * platform/graphics/gpu/LoopBlinnMathUtils.cpp:
      (LoopBlinnMathUtils):
      * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
      (WebCore::MediaPlayerPrivateGStreamer::buffered):
      (WebCore::MediaPlayerPrivateGStreamer::maxTimeSeekable):
      * platform/graphics/mac/MediaPlayerPrivateQTKit.mm:
      (WebCore::MediaPlayerPrivateQTKit::maxTimeSeekable):
      * platform/graphics/opentype/OpenTypeVerticalData.cpp:
      (WebCore::OpenTypeVerticalData::getVerticalTranslationsForGlyphs):
      * platform/graphics/transforms/TransformationMatrix.cpp:
      (WebCore::clampEdgeValue):
      (WebCore::TransformationMatrix::clampedBoundsOfProjectedQuad):
      * platform/network/ResourceResponseBase.cpp:
      (WebCore::ResourceResponseBase::parseCacheControlDirectives):
      * rendering/RenderMediaControlsChromium.cpp:
      (WebCore::paintMediaSlider):
      (WebCore::paintMediaVolumeSlider):
      * rendering/RenderThemeMac.mm:
      (WebCore::RenderThemeMac::paintMediaSliderTrack):
      * svg/SVGAnimationElement.cpp:
      (WebCore::SVGAnimationElement::beginElementAt):
      (WebCore::SVGAnimationElement::endElementAt):
      * svg/SVGSVGElement.cpp:
      (WebCore::SVGSVGElement::setCurrentTime):
      * svg/animation/SMILTime.h:
      (WebCore::SMILTime::SMILTime):
      * svg/animation/SVGSMILElement.cpp:
      (WebCore::SVGSMILElement::addBeginTime):
      (WebCore::SVGSMILElement::addEndTime):
      * xml/XPathFunctions.cpp:
      (WebCore::XPath::FunSubstring::evaluate):
      (WebCore::XPath::FunRound::round):
      * xml/XPathValue.cpp:
      (WebCore::XPath::Value::toBoolean): Also include an opportunistic style fix.
      (WebCore::XPath::Value::toString):
      
      Source/WebKit/chromium: 
      
      * tests/DecimalTest.cpp:
      (TEST_F):
      
      Source/WebKit/mac: 
      
      * tests/DecimalTest.cpp:
      (TEST_F):
      
      Source/WTF: 
      
      * wtf/Compiler.h: Remove the global isinf/isnan compiler quirk definitions. They're not required anymore.
      * wtf/DateMath.cpp: Move the workaround for isinf on Solaris into the std namespace. Ditto for isinf and isnan
      when using MSVC. Stop bringing the isinf and isnan methods into the global scope when using other configurations.
      (WTF::parseDateFromNullTerminatedCharacters):
      * wtf/IntegralTypedArrayBase.h:
      (WTF::IntegralTypedArrayBase::set):
      * wtf/MathExtras.h:
      (std):
      (std::isinf):
      (wtf_fmod):
      (wtf_pow):
      (doubleToInteger):
      * wtf/MediaTime.cpp:
      (WTF::MediaTime::createWithFloat):
      (WTF::MediaTime::createWithDouble):
      * wtf/Uint8ClampedArray.h:
      (WTF::Uint8ClampedArray::set):
      
      Tools: 
      
      * DumpRenderTree/TestRunner.cpp:
      (setAppCacheMaximumSizeCallback):
      (setApplicationCacheOriginQuotaCallback):
      (setDatabaseQuotaCallback):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142810 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9182d475
    • oliver@apple.com's avatar
      Remove unnecessary indirection to non-local variable access operations · 951c7f58
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=109724
      
      Reviewed by Filip Pizlo.
      
      Linked bytecode now stores a direct pointer to the resolve operation
      vectors, so the interpreter no longer needs a bunch of indirection to
      to perform non-local lookup.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      * bytecode/Instruction.h:
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (ResolveGlobalData):
      (ResolveOperationData):
      (PutToBaseOperationData):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC::JIT::emit_op_resolve):
      (JSC::JIT::emitSlow_op_resolve):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emitSlow_op_resolve_base):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emitSlow_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_put_to_base):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_put_to_base):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142769 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      951c7f58
  14. 11 Feb, 2013 3 commits
    • fpizlo@apple.com's avatar
      DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding · b03b1405
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=109387
      
      Reviewed by Oliver Hunt and Mark Hahnenberg.
              
      Lock in the decision to use a non-speculative constant comparison as early as possible
      and don't let the CFA change it by folding constants. This might be a performance
      penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on
      the other hand it completely side-steps the unsoundness that the bug speaks of.
              
      Rolling back in after adding 32-bit path.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq):
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142515 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b03b1405
    • commit-queue@webkit.org's avatar
      Unreviewed, rolling out r142491. · e699b761
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/142491
      https://bugs.webkit.org/show_bug.cgi?id=109470
      
      broke the 32 bit build (Requested by jessieberlin on #webkit).
      
      Patch by Sheriff Bot <webkit.review.bot@gmail.com> on 2013-02-11
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142498 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e699b761
    • fpizlo@apple.com's avatar
      DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding · 7e414e84
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=109387
      
      Reviewed by Oliver Hunt.
              
      Lock in the decision to use a non-speculative constant comparison as early as possible
      and don't let the CFA change it by folding constants. This might be a performance
      penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on
      the other hand it completely side-steps the unsoundness that the bug speaks of.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq):
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142491 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7e414e84
  15. 09 Feb, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG should allow phases to break Phi's and then have one phase to rebuild them · 3fa6f5d3
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=108414
      
      Reviewed by Mark Hahnenberg.
              
      Introduces two new DFG forms: LoadStore and ThreadedCPS. These are described in
      detail in DFGCommon.h.
              
      Consequently, DFG phases no longer have to worry about preserving data flow
      links between basic blocks. It is generally always safe to request that the
      graph be dethreaded (Graph::dethread), which brings it into LoadStore form, where
      the data flow is implicit. In this form, only liveness-at-head needs to be
      preserved.
              
      All of the machinery for "threading" the graph to introduce data flow between
      blocks is now moved out of the bytecode parser and into the CPSRethreadingPhase.
      All phases that previously did this maintenance themselves now just rely on
      being able to dethread the graph. The one exception is the structure check
      hoising phase, which operates over a threaded graph and preserves it, for the
      sake of performance.
              
      Also moved two other things into their own phases: unification (previously found
      in the parser) and prediction injection (previously found in various places).
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/Operands.h:
      (Operands):
      (JSC::Operands::sizeFor):
      (JSC::Operands::atFor):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      * dfg/DFGAllocator.h:
      (JSC::DFG::::allocateSlow):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGBasicBlockInlines.h:
      (DFG):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::flushDirect):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (DFG):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::run):
      (JSC::DFG::CFGSimplificationPhase::killUnreachable):
      (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
      (CFGSimplificationPhase):
      (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
      (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
      * dfg/DFGCPSRethreadingPhase.cpp: Added.
      (DFG):
      (CPSRethreadingPhase):
      (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
      (JSC::DFG::CPSRethreadingPhase::run):
      (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
      (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail):
      (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
      (JSC::DFG::CPSRethreadingPhase::addPhi):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
      (JSC::DFG::CPSRethreadingPhase::propagatePhis):
      (JSC::DFG::CPSRethreadingPhase::PhiStackEntry::PhiStackEntry):
      (PhiStackEntry):
      (JSC::DFG::CPSRethreadingPhase::phiStackFor):
      (JSC::DFG::performCPSRethreading):
      * dfg/DFGCPSRethreadingPhase.h: Added.
      (DFG):
      * dfg/DFGCSEPhase.cpp:
      (CSEPhase):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGCommon.cpp:
      (WTF):
      (WTF::printInternal):
      * dfg/DFGCommon.h:
      (JSC::DFG::logCompilationChanges):
      (DFG):
      (WTF):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGDriver.cpp:
      (JSC::DFG::compile):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::Graph):
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::dethread):
      (JSC::DFG::Graph::collectGarbage):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::performSubstitution):
      (Graph):
      (JSC::DFG::Graph::performSubstitutionForEdge):
      (JSC::DFG::Graph::convertToConstant):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToPhantomLocal):
      (Node):
      (JSC::DFG::Node::convertToGetLocal):
      (JSC::DFG::Node::hasVariableAccessData):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPhase.cpp:
      (JSC::DFG::Phase::beginPhase):
      * dfg/DFGPhase.h:
      (JSC::DFG::runAndLog):
      * dfg/DFGPredictionInjectionPhase.cpp: Added.
      (DFG):
      (PredictionInjectionPhase):
      (JSC::DFG::PredictionInjectionPhase::PredictionInjectionPhase):
      (JSC::DFG::PredictionInjectionPhase::run):
      (JSC::DFG::performPredictionInjection):
      * dfg/DFGPredictionInjectionPhase.h: Added.
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::run):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * dfg/DFGUnificationPhase.cpp: Added.
      (DFG):
      (UnificationPhase):
      (JSC::DFG::UnificationPhase::UnificationPhase):
      (JSC::DFG::UnificationPhase::run):
      (JSC::DFG::performUnification):
      * dfg/DFGUnificationPhase.h: Added.
      (DFG):
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::validate):
      (JSC::DFG::Validate::dumpGraphIfAppropriate):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::setUpCall):
      * runtime/JSCJSValue.cpp:
      (JSC::JSValue::dump):
      * runtime/JSString.h:
      (JSString):
      * runtime/Options.h:
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142377 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3fa6f5d3
  16. 07 Feb, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG::ByteCodeParser should do surgical constant folding to reduce load on the optimization fixpoint · cb6fd793
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=109000
      
      Reviewed by Oliver Hunt.
              
      Previously our source parser's ASTBuilder did some surgical constant folding, but it
      didn't cover some cases.  It was particularly incapable of doing constant folding for
      cases where we do some minimal loop peeling in the bytecode generator - since it
      didn't "see" those constants prior to the peeling.  Example:
      
      for (var i = 0; i < 4; ++i)
          things;
      
      This will get peeled just a bit by the bytecode generator, so that the "i < 4" is
      duplicated both at the top of the loop and the bottom.  This means that we have a
      constant comparison: "0 < 4", which the bytecode generator emits without any further
      thought.
      
      The DFG optimization fixpoint of course folds this and simplifies the CFG 
      accordingly, but this incurs a compile-time cost.  The purpose of this change is to
      do some surgical constant folding in the DFG's bytecode parser, so that such
      constructs reduce load on the CFG simplifier and the optimization fixpoint.  The goal
      is not to cover all cases, since the DFG CFA and CFG simplifier have a powerful
      sparse conditional constant propagation that we can always fall back on. Instead the
      goal is to cover enough cases that for common small functions we don't have to
      perform such transformations, thereby reducing compile times.
              
      This also refactors m_inlineStackEntry->m_inlineCallFrame to be a handy method call
      and also adds the notion of a TriState-based JSValue::pureToBoolean(). Both of these
      things are used by the folder.
              
      As well, care has been taken to make sure that the bytecode parser only does folding
      that is statically provable, and that doesn't arise out of speculation. This means
      we cannot fold on data flow that crosses inlining boundaries. On the other hand, the
      folding that the bytecode parser uses doesn't require phantoming anything. Such is
      the trade-off: for anything that we do need phantoming, we defer it to the
      optimization fixpoint.
              
      Slight SunSpider speed-up.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::get):
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::flushDirect):
      (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables):
      (JSC::DFG::ByteCodeParser::toInt32):
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::inlineCallFrame):
      (JSC::DFG::ByteCodeParser::currentCodeOrigin):
      (JSC::DFG::ByteCodeParser::canFold):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::getScope):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::isStronglyProvedConstantIn):
      (Node):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::pureToBoolean):
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142162 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      cb6fd793
  17. 05 Feb, 2013 2 commits
    • mhahnenberg@apple.com's avatar
      put_to_base should emit a Phantom for "value" across the ForceOSRExit · 9a77de21
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=108998
      
      Reviewed by Oliver Hunt.
      
      Otherwise, the OSR exit compiler could clobber it, which would lead to badness.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::tallyFrequentExitSites): Build fixes for when DFG debug logging is enabled.
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock): Added extra Phantoms for the "value" field where needed.
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Ditto.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141962 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9a77de21
    • fpizlo@apple.com's avatar
      DFG should have a precise view of jump targets · 97ef8415
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=108868
      
      Reviewed by Oliver Hunt.
              
      Previously, the DFG relied entirely on the CodeBlock's jump targets list for
      determining when to break basic blocks. This worked great, except sometimes it
      would be too conservative since the CodeBlock just says where the bytecode
      generator inserted labels.
              
      This change keeps the old jump target list in CodeBlock since it is still
      valuable to the baseline JIT, but switches the DFG to use its own jump target
      calculator. This ought to reduce pressure on the DFG simplifier, which would
      previously do a lot of work to try to merge redundantly created basic blocks.
      It appears to be a 1% progression on SunSpider.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/PreciseJumpTargets.cpp: Added.
      (JSC):
      (JSC::addSimpleSwitchTargets):
      (JSC::computePreciseJumpTargets):
      * bytecode/PreciseJumpTargets.h: Added.
      (JSC):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141931 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      97ef8415
  18. 01 Feb, 2013 2 commits
  19. 30 Jan, 2013 1 commit
  20. 29 Jan, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG should not use a graph that is a vector, Nodes shouldn't move after... · 8ff092fc
      fpizlo@apple.com authored
      DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
      https://bugs.webkit.org/show_bug.cgi?id=106868
      
      Reviewed by Oliver Hunt.
              
      This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
      uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
      for debugging (Node::index(), which is not guaranteed to be O(1)).
              
      1% speed-up on SunSpider, presumably because this improves compile times.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::booleanResult):
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      (JSC::DFG::AbstractState::mergeToSuccessors):
      (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
      (JSC::DFG::AbstractState::dump):
      * dfg/DFGAbstractState.h:
      (DFG):
      (JSC::DFG::AbstractState::forNode):
      (AbstractState):
      (JSC::DFG::AbstractState::speculateInt32Unary):
      (JSC::DFG::AbstractState::speculateNumberUnary):
      (JSC::DFG::AbstractState::speculateBooleanUnary):
      (JSC::DFG::AbstractState::speculateInt32Binary):
      (JSC::DFG::AbstractState::speculateNumberBinary):
      (JSC::DFG::AbstractState::trySetConstant):
      * dfg/DFGAbstractValue.h:
      (AbstractValue):
      * dfg/DFGAdjacencyList.h:
      (JSC::DFG::AdjacencyList::AdjacencyList):
      (JSC::DFG::AdjacencyList::initialize):
      * dfg/DFGAllocator.h: Added.
      (DFG):
      (Allocator):
      (JSC::DFG::Allocator::Region::size):
      (JSC::DFG::Allocator::Region::headerSize):
      (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
      (JSC::DFG::Allocator::Region::data):
      (JSC::DFG::Allocator::Region::isInThisRegion):
      (JSC::DFG::Allocator::Region::regionFor):
      (Region):
      (JSC::DFG::::Allocator):
      (JSC::DFG::::~Allocator):
      (JSC::DFG::::allocate):
      (JSC::DFG::::free):
      (JSC::DFG::::freeAll):
      (JSC::DFG::::reset):
      (JSC::DFG::::indexOf):
      (JSC::DFG::::allocatorOf):
      (JSC::DFG::::bumpAllocate):
      (JSC::DFG::::freeListAllocate):
      (JSC::DFG::::allocateSlow):
      (JSC::DFG::::freeRegionsStartingAt):
      (JSC::DFG::::startBumpingIn):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
      (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
      (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
      (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
      (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::originalArrayStructure):
      (JSC::DFG::ArrayMode::alreadyChecked):
      * dfg/DFGArrayMode.h:
      (ArrayMode):
      * dfg/DFGArrayifySlowPathGenerator.h:
      (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
      * dfg/DFGBasicBlock.h:
      (JSC::DFG::BasicBlock::node):
      (JSC::DFG::BasicBlock::isInPhis):
      (JSC::DFG::BasicBlock::isInBlock):
      (BasicBlock):
      * dfg/DFGBasicBlockInlines.h:
      (DFG):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::getDirect):
      (JSC::DFG::ByteCodeParser::get):
      (JSC::DFG::ByteCodeParser::setDirect):
      (JSC::DFG::ByteCodeParser::set):
      (JSC::DFG::ByteCodeParser::setPair):
      (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::flushDirect):
      (JSC::DFG::ByteCodeParser::getToInt32):
      (JSC::DFG::ByteCodeParser::toInt32):
      (JSC::DFG::ByteCodeParser::getJSConstantForValue):
      (JSC::DFG::ByteCodeParser::getJSConstant):
      (JSC::DFG::ByteCodeParser::getCallee):
      (JSC::DFG::ByteCodeParser::getThis):
      (JSC::DFG::ByteCodeParser::setThis):
      (JSC::DFG::ByteCodeParser::isJSConstant):
      (JSC::DFG::ByteCodeParser::isInt32Constant):
      (JSC::DFG::ByteCodeParser::valueOfJSConstant):
      (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
      (JSC::DFG::ByteCodeParser::constantUndefined):
      (JSC::DFG::ByteCodeParser::constantNull):
      (JSC::DFG::ByteCodeParser::one):
      (JSC::DFG::ByteCodeParser::constantNaN):
      (JSC::DFG::ByteCodeParser::cellConstant):
      (JSC::DFG::ByteCodeParser::addToGraph):
      (JSC::DFG::ByteCodeParser::insertPhiNode):
      (JSC::DFG::ByteCodeParser::addVarArgChild):
      (JSC::DFG::ByteCodeParser::addCall):
      (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
      (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
      (JSC::DFG::ByteCodeParser::getPrediction):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::makeSafe):
      (JSC::DFG::ByteCodeParser::makeDivSafe):
      (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
      (ConstantRecord):
      (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
      (PhiStackEntry):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::emitFunctionChecks):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::setIntrinsicResult):
      (JSC::DFG::ByteCodeParser::handleMinMax):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::getScope):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::processPhiStack):
      (JSC::DFG::ByteCodeParser::linkBlock):
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::performBlockCFA):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::run):
      (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
      (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
      (JSC::DFG::CFGSimplificationPhase::fixPhis):
      (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
      (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
      (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
      (OperandSubstitution):
      (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
      (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
      (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
      (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::canonicalize):
      (JSC::DFG::CSEPhase::endIndexForPureCSE):
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::constantCSE):
      (JSC::DFG::CSEPhase::weakConstantCSE):
      (JSC::DFG::CSEPhase::getCalleeLoadElimination):
      (JSC::DFG::CSEPhase::getArrayLengthElimination):
      (JSC::DFG::CSEPhase::globalVarLoadElimination):
      (JSC::DFG::CSEPhase::scopedVarLoadElimination):
      (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
      (JSC::DFG::CSEPhase::globalVarStoreElimination):
      (JSC::DFG::CSEPhase::scopedVarStoreElimination):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::checkFunctionElimination):
      (JSC::DFG::CSEPhase::checkExecutableElimination):
      (JSC::DFG::CSEPhase::checkStructureElimination):
      (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
      (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::checkArrayElimination):
      (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
      (JSC::DFG::CSEPhase::getLocalLoadElimination):
      (JSC::DFG::CSEPhase::setLocalStoreElimination):
      (JSC::DFG::CSEPhase::performSubstitution):
      (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
      (JSC::DFG::CSEPhase::setReplacement):
      (JSC::DFG::CSEPhase::eliminate):
      (JSC::DFG::CSEPhase::performNodeCSE):
      (JSC::DFG::CSEPhase::performBlockCSE):
      (CSEPhase):
      * dfg/DFGCommon.cpp: Added.
      (DFG):
      (JSC::DFG::NodePointerTraits::dump):
      * dfg/DFGCommon.h:
      (DFG):
      (JSC::DFG::NodePointerTraits::defaultValue):
      (NodePointerTraits):
      (JSC::DFG::verboseCompilationEnabled):
      (JSC::DFG::shouldDumpGraphAtEachPhase):
      (JSC::DFG::validationEnabled):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
      (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
      (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
      * dfg/DFGDisassembler.cpp:
      (JSC::DFG::Disassembler::Disassembler):
      (JSC::DFG::Disassembler::createDumpList):
      (JSC::DFG::Disassembler::dumpDisassembly):
      * dfg/DFGDisassembler.h:
      (JSC::DFG::Disassembler::setForNode):
      (Disassembler):
      * dfg/DFGDriver.cpp:
      (JSC::DFG::compile):
      * dfg/DFGEdge.cpp: Added.
      (DFG):
      (JSC::DFG::Edge::dump):
      * dfg/DFGEdge.h:
      (JSC::DFG::Edge::Edge):
      (JSC::DFG::Edge::node):
      (JSC::DFG::Edge::operator*):
      (JSC::DFG::Edge::operator->):
      (Edge):
      (JSC::DFG::Edge::setNode):
      (JSC::DFG::Edge::useKind):
      (JSC::DFG::Edge::setUseKind):
      (JSC::DFG::Edge::isSet):
      (JSC::DFG::Edge::shift):
      (JSC::DFG::Edge::makeWord):
      (JSC::DFG::operator==):
      (JSC::DFG::operator!=):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupBlock):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      (JSC::DFG::FixupPhase::fixIntEdge):
      (JSC::DFG::FixupPhase::fixDoubleEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (FixupPhase):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::GenerationInfo):
      (JSC::DFG::GenerationInfo::initConstant):
      (JSC::DFG::GenerationInfo::initInteger):
      (JSC::DFG::GenerationInfo::initJSValue):
      (JSC::DFG::GenerationInfo::initCell):
      (JSC::DFG::GenerationInfo::initBoolean):
      (JSC::DFG::GenerationInfo::initDouble):
      (JSC::DFG::GenerationInfo::initStorage):
      (GenerationInfo):
      (JSC::DFG::GenerationInfo::node):
      (JSC::DFG::GenerationInfo::noticeOSRBirth):
      (JSC::DFG::GenerationInfo::use):
      (JSC::DFG::GenerationInfo::appendFill):
      (JSC::DFG::GenerationInfo::appendSpill):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::Graph):
      (JSC::DFG::Graph::~Graph):
      (DFG):
      (JSC::DFG::Graph::dumpCodeOrigin):
      (JSC::DFG::Graph::amountOfNodeWhiteSpace):
      (JSC::DFG::Graph::printNodeWhiteSpace):
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::dumpBlockHeader):
      (JSC::DFG::Graph::refChildren):
      (JSC::DFG::Graph::derefChildren):
      (JSC::DFG::Graph::predictArgumentTypes):
      (JSC::DFG::Graph::collectGarbage):
      (JSC::DFG::Graph::determineReachability):
      (JSC::DFG::Graph::resetExitStates):
      * dfg/DFGGraph.h:
      (Graph):
      (JSC::DFG::Graph::ref):
      (JSC::DFG::Graph::deref):
      (JSC::DFG::Graph::changeChild):
      (JSC::DFG::Graph::compareAndSwap):
      (JSC::DFG::Graph::clearAndDerefChild):
      (JSC::DFG::Graph::clearAndDerefChild1):
      (JSC::DFG::Graph::clearAndDerefChild2):
      (JSC::DFG::Graph::clearAndDerefChild3):
      (JSC::DFG::Graph::convertToConstant):
      (JSC::DFG::Graph::getJSConstantSpeculation):
      (JSC::DFG::Graph::addSpeculationMode):
      (JSC::DFG::Graph::valueAddSpeculationMode):
      (JSC::DFG::Graph::arithAddSpeculationMode):
      (JSC::DFG::Graph::addShouldSpeculateInteger):
      (JSC::DFG::Graph::mulShouldSpeculateInteger):
      (JSC::DFG::Graph::negateShouldSpeculateInteger):
      (JSC::DFG::Graph::isConstant):
      (JSC::DFG::Graph::isJSConstant):
      (JSC::DFG::Graph::isInt32Constant):
      (JSC::DFG::Graph::isDoubleConstant):
      (JSC::DFG::Graph::isNumberConstant):
      (JSC::DFG::Graph::isBooleanConstant):
      (JSC::DFG::Graph::isCellConstant):
      (JSC::DFG::Graph::isFunctionConstant):
      (JSC::DFG::Graph::isInternalFunctionConstant):
      (JSC::DFG::Graph::valueOfJSConstant):
      (JSC::DFG::Graph::valueOfInt32Constant):
      (JSC::DFG::Graph::valueOfNumberConstant):
      (JSC::DFG::Graph::valueOfBooleanConstant):
      (JSC::DFG::Graph::valueOfFunctionConstant):
      (JSC::DFG::Graph::valueProfileFor):
      (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
      (JSC::DFG::Graph::numSuccessors):
      (JSC::DFG::Graph::successor):
      (JSC::DFG::Graph::successorForCondition):
      (JSC::DFG::Graph::isPredictedNumerical):
      (JSC::DFG::Graph::byValIsPure):
      (JSC::DFG::Graph::clobbersWorld):
      (JSC::DFG::Graph::varArgNumChildren):
      (JSC::DFG::Graph::numChildren):
      (JSC::DFG::Graph::varArgChild):
      (JSC::DFG::Graph::child):
      (JSC::DFG::Graph::voteNode):
      (JSC::DFG::Graph::voteChildren):
      (JSC::DFG::Graph::substitute):
      (JSC::DFG::Graph::substituteGetLocal):
      (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
      (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
      * dfg/DFGInsertionSet.h:
      (JSC::DFG::Insertion::Insertion):
      (JSC::DFG::Insertion::element):
      (Insertion):
      (JSC::DFG::InsertionSet::insert):
      (InsertionSet):
      * dfg/DFGJITCompiler.cpp:
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::setForNode):
      (JSC::DFG::JITCompiler::addressOfDoubleConstant):
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGLongLivedState.cpp: Added.
      (DFG):
      (JSC::DFG::LongLivedState::LongLivedState):
      (JSC::DFG::LongLivedState::~LongLivedState):
      (JSC::DFG::LongLivedState::shrinkToFit):
      * dfg/DFGLongLivedState.h: Added.
      (DFG):
      (LongLivedState):
      * dfg/DFGMinifiedID.h:
      (JSC::DFG::MinifiedID::MinifiedID):
      (JSC::DFG::MinifiedID::node):
      * dfg/DFGMinifiedNode.cpp:
      (JSC::DFG::MinifiedNode::fromNode):
      * dfg/DFGMinifiedNode.h:
      (MinifiedNode):
      * dfg/DFGNode.cpp: Added.
      (DFG):
      (JSC::DFG::Node::index):
      (WTF):
      (WTF::printInternal):
      * dfg/DFGNode.h:
      (DFG):
      (JSC::DFG::Node::Node):
      (Node):
      (JSC::DFG::Node::convertToGetByOffset):
      (JSC::DFG::Node::convertToPutByOffset):
      (JSC::DFG::Node::ref):
      (JSC::DFG::Node::shouldSpeculateInteger):
      (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
      (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
      (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      (JSC::DFG::Node::shouldSpeculateFinalObject):
      (JSC::DFG::Node::shouldSpeculateArray):
      (JSC::DFG::Node::dumpChildren):
      (WTF):
      * dfg/DFGNodeAllocator.h: Added.
      (DFG):
      (operator new ):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      (SpeculationFailureDebugInfo):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGPhase.cpp:
      (DFG):
      (JSC::DFG::Phase::beginPhase):
      (JSC::DFG::Phase::endPhase):
      * dfg/DFGPhase.h:
      (Phase):
      (JSC::DFG::runAndLog):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::setPrediction):
      (JSC::DFG::PredictionPropagationPhase::mergePrediction):
      (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
      (JSC::DFG::PredictionPropagationPhase::isNotZero):
      (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
      (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
      (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
      (JSC::DFG::PredictionPropagationPhase::propagateForward):
      (JSC::DFG::PredictionPropagationPhase::propagateBackward):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      (PredictionPropagationPhase):
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGScoreBoard.h:
      (JSC::DFG::ScoreBoard::ScoreBoard):
      (JSC::DFG::ScoreBoard::use):
      (JSC::DFG::ScoreBoard::useIfHasResult):
      (ScoreBoard):
      * dfg/DFGSilentRegisterSavePlan.h:
      (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
      (JSC::DFG::SilentRegisterSavePlan::node):
      (SilentRegisterSavePlan):
      * dfg/DFGSlowPathGenerator.h:
      (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
      (JSC::DFG::SlowPathGenerator::generate):
      (SlowPathGenerator):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::speculationCheck):
      (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
      (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
      (JSC::DFG::SpeculativeJIT::silentSpill):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (JSC::DFG::SpeculativeJIT::fillStorage):
      (JSC::DFG::SpeculativeJIT::useChildren):
      (JSC::DFG::SpeculativeJIT::isStrictInt32):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownNumeric):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::writeBarrier):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
      (JSC::DFG::GPRTemporary::GPRTemporary):
      (JSC::DFG::FPRTemporary::FPRTemporary):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
      (JSC::DFG::SpeculativeJIT::compileMovHint):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
      (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
      (JSC::DFG::SpeculativeJIT::compileInstanceOf):
      (JSC::DFG::SpeculativeJIT::compileSoftModulo):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
      (JSC::DFG::SpeculativeJIT::compileArithMod):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
      (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
      (JSC::DFG::SpeculativeJIT::compileRegExpExec):
      (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::isConstant):
      (JSC::DFG::SpeculativeJIT::isJSConstant):
      (JSC::DFG::SpeculativeJIT::isInt32Constant):
      (JSC::DFG::SpeculativeJIT::isDoubleConstant):
      (JSC::DFG::SpeculativeJIT::isNumberConstant):
      (JSC::DFG::SpeculativeJIT::isBooleanConstant):
      (JSC::DFG::SpeculativeJIT::isFunctionConstant):
      (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
      (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
      (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
      (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
      (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
      (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
      (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
      (JSC::DFG::SpeculativeJIT::isNullConstant):
      (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
      (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::integerResult):
      (JSC::DFG::SpeculativeJIT::noResult):
      (JSC::DFG::SpeculativeJIT::cellResult):
      (JSC::DFG::SpeculativeJIT::booleanResult):
      (JSC::DFG::SpeculativeJIT::jsValueResult):
      (JSC::DFG::SpeculativeJIT::storageResult):
      (JSC::DFG::SpeculativeJIT::doubleResult):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
      (JSC::DFG::SpeculativeJIT::setNodeForOperand):
      (JSC::DFG::IntegerOperand::IntegerOperand):
      (JSC::DFG::IntegerOperand::node):
      (JSC::DFG::IntegerOperand::gpr):
      (JSC::DFG::IntegerOperand::use):
      (IntegerOperand):
      (JSC::DFG::DoubleOperand::DoubleOperand):
      (JSC::DFG::DoubleOperand::node):
      (JSC::DFG::DoubleOperand::fpr):
      (JSC::DFG::DoubleOperand::use):
      (DoubleOperand):
      (JSC::DFG::JSValueOperand::JSValueOperand):
      (JSC::DFG::JSValueOperand::node):
      (JSC::DFG::JSValueOperand::gpr):
      (JSC::DFG::JSValueOperand::fill):
      (JSC::DFG::JSValueOperand::use):
      (JSValueOperand):
      (JSC::DFG::StorageOperand::StorageOperand):
      (JSC::DFG::StorageOperand::node):
      (JSC::DFG::StorageOperand::gpr):
      (JSC::DFG::StorageOperand::use):
      (StorageOperand):
      (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
      (JSC::DFG::SpeculateIntegerOperand::node):
      (JSC::DFG::SpeculateIntegerOperand::gpr):
      (JSC::DFG::SpeculateIntegerOperand::use):
      (SpeculateIntegerOperand):
      (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
      (JSC::DFG::SpeculateStrictInt32Operand::node):
      (JSC::DFG::SpeculateStrictInt32Operand::gpr):
      (JSC::DFG::SpeculateStrictInt32Operand::use):
      (SpeculateStrictInt32Operand):
      (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
      (JSC::DFG::SpeculateDoubleOperand::node):
      (JSC::DFG::SpeculateDoubleOperand::fpr):
      (JSC::DFG::SpeculateDoubleOperand::use):
      (SpeculateDoubleOperand):
      (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
      (JSC::DFG::SpeculateCellOperand::node):
      (JSC::DFG::SpeculateCellOperand::gpr):
      (JSC::DFG::SpeculateCellOperand::use):
      (SpeculateCellOperand):
      (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
      (JSC::DFG::SpeculateBooleanOperand::node):
      (JSC::DFG::SpeculateBooleanOperand::gpr):
      (JSC::DFG::SpeculateBooleanOperand::use):
      (SpeculateBooleanOperand):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::fillDouble):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
      (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
      (JSC::DFG::SpeculativeJIT::compileValueAdd):
      (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::fillDouble):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
      (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
      (JSC::DFG::SpeculativeJIT::compileValueAdd):
      (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureAbstractValue.h:
      (StructureAbstractValue):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * dfg/DFGValidate.cpp:
      (DFG):
      (Validate):
      (JSC::DFG::Validate::validate):
      (JSC::DFG::Validate::reportValidationContext):
      * dfg/DFGValidate.h:
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::ValueSource::ValueSource):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * runtime/FunctionExecutableDump.cpp: Added.
      (JSC):
      (JSC::FunctionExecutableDump::dump):
      * runtime/FunctionExecutableDump.h: Added.
      (JSC):
      (FunctionExecutableDump):
      (JSC::FunctionExecutableDump::FunctionExecutableDump):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSC):
      (DFG):
      (JSGlobalData):
      * runtime/Options.h:
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141069 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8ff092fc
  21. 28 Jan, 2013 1 commit
    • ggaren@apple.com's avatar
      Static size inference for JavaScript objects · c862eacf
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=108093
      
      Reviewed by Phil Pizlo.
      
      ../JavaScriptCore: 
      
      * API/JSObjectRef.cpp:
      * JavaScriptCore.order:
      * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
      have an extra inferredInlineCapacity argument. This is the statically
      inferred inline capacity, just from analyzing source text. op_new_object
      also gets a pointer to an allocation profile. (For op_create_this, the
      profile is in the construtor function.)
      
      (JSC::CodeBlock::CodeBlock): Link op_new_object.
      
      (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.
      
      * bytecode/CodeBlock.h:
      (CodeBlock): Removed some dead code. Added object allocation profiles.
      
      * bytecode/Instruction.h:
      (JSC): New union type, since an instruction operand may point to an
      object allocation profile now.
      
      * bytecode/ObjectAllocationProfile.h: Added.
      (JSC):
      (ObjectAllocationProfile):
      (JSC::ObjectAllocationProfile::offsetOfAllocator):
      (JSC::ObjectAllocationProfile::offsetOfStructure):
      (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
      (JSC::ObjectAllocationProfile::isNull):
      (JSC::ObjectAllocationProfile::initialize):
      (JSC::ObjectAllocationProfile::structure):
      (JSC::ObjectAllocationProfile::inlineCapacity):
      (JSC::ObjectAllocationProfile::clear):
      (JSC::ObjectAllocationProfile::visitAggregate):
      (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
      for tracking a prediction about object allocation: structure, inline
      capacity, allocator to use.
      
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName): Updated instruction sizes.
      
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC):
      (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
      (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
      (UnlinkedCodeBlock): Unlinked support for allocation profiles.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
      end of codegen, since this is our last opportunity.
      
      (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
      analyzer to bytecode generation. It tracks initializing assignments and
      makes a guess about how many will happen.
      
      (JSC::BytecodeGenerator::newObjectAllocationProfile):
      (JSC):
      (JSC::BytecodeGenerator::emitProfiledOpcode):
      (JSC::BytecodeGenerator::emitMove):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetById):
      (JSC::BytecodeGenerator::emitPutById):
      (JSC::BytecodeGenerator::emitDirectPutById):
      (JSC::BytecodeGenerator::emitPutGetterSetter):
      (JSC::BytecodeGenerator::emitGetArgumentByVal):
      (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
      analyzer, so it can observe allocations and stores.
      
      (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
      function because it was a significant amount of logic, and I wanted to
      add to it.
      
      (JSC::BytecodeGenerator::emitNewObject):
      (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
      (JSC::BytecodeGenerator::emitCall):
      (JSC::BytecodeGenerator::emitCallVarargs):
      (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
      to track their stores, in case a store kills a profiled allocation. Since
      profiled opcodes are basically the only interesting stores we do, this
      is a convenient place to notice any store that might kill an allocation.
      
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator): As above.
      
      * bytecompiler/StaticPropertyAnalysis.h: Added.
      (JSC):
      (StaticPropertyAnalysis):
      (JSC::StaticPropertyAnalysis::create):
      (JSC::StaticPropertyAnalysis::addPropertyIndex):
      (JSC::StaticPropertyAnalysis::record):
      (JSC::StaticPropertyAnalysis::propertyIndexCount):
      (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
      class for tracking allocations and stores.
      
      * bytecompiler/StaticPropertyAnalyzer.h: Added.
      (StaticPropertyAnalyzer):
      (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
      (JSC::StaticPropertyAnalyzer::createThis):
      (JSC::StaticPropertyAnalyzer::newObject):
      (JSC::StaticPropertyAnalyzer::putById):
      (JSC::StaticPropertyAnalyzer::mov):
      (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
      and stores and making an inline capacity guess. The heuristics here are
      intentionally minimal because we don't want this one class to try to
      re-create something like a DFG or a runtime analysis. If we discover that
      we need those kinds of analyses, we should just replace this class with
      something else.
      
      This class tracks multiple registers that alias the same object -- that
      happens a lot, when moving locals into temporary registers -- but it
      doesn't track control flow or multiple objects that alias the same register.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute): Updated for rename.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
      allocation profile.
      
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasInlineCapacity):
      (Node):
      (JSC::DFG::Node::inlineCapacity):
      (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
      inline capacity for an allocation.
      
      * dfg/DFGNodeType.h:
      (DFG): Updated for rename.
      
      * dfg/DFGOperations.cpp: Updated for interface change.
      
      * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
      an argument. This is the simplest way, since it's stored as a bytecode operand.
      
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.
      
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
      appears when doing an inline cached load for property number 64 on a 32-bit
      system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
      offset of the 64bit JSValue -- but we'll actually issue two loads, one for
      the payload at that offset, and one for the tag at that offset + 4. We need
      to ensure that both loads have a compact representation, or we'll corrupt
      the instruction stream.
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
      passing an allocator to our allocation function, and/or passing a Structure
      as a register instead of an immediate.
      
      * heap/MarkedAllocator.h:
      (DFG):
      (MarkedAllocator):
      (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
      JIT code generation of allocation from an arbitrary allocator.
      
      * jit/JIT.h:
      (JSC):
      * jit/JITInlines.h:
      (JSC):
      (JSC::JIT::emitAllocateJSObject):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_object):
      (JSC::JIT::emitSlow_op_new_object):
      (JSC::JIT::emit_op_create_this):
      (JSC::JIT::emitSlow_op_create_this):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_new_object):
      (JSC::JIT::emitSlow_op_new_object):
      (JSC::JIT::emit_op_create_this):
      (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.
      
      * jit/JITStubs.cpp:
      (JSC::tryCacheGetByID): Fixed the same bug mentioned above.
      
      (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.
      
      * llint/LLIntData.cpp:
      (JSC::LLInt::Data::performAssertions): Updated for interface changes.
      
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.
      
      * profiler/ProfilerBytecode.cpp:
      * profiler/ProfilerBytecodes.cpp:
      * profiler/ProfilerCompilation.cpp:
      * profiler/ProfilerCompiledBytecode.cpp:
      * profiler/ProfilerDatabase.cpp:
      * profiler/ProfilerOSRExit.cpp:
      * profiler/ProfilerOrigin.cpp:
      * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
      because that's where createEmptyObject() lives now.
      
      * runtime/Executable.h:
      (JSC::JSFunction::JSFunction): Updated for rename.
      
      * runtime/JSCellInlines.h:
      (JSC::allocateCell): Updated to match the allocator selection code in
      the JIT, so it's clearer that both are correct.
      
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::JSFunction):
      (JSC::JSFunction::createAllocationProfile):
      (JSC::JSFunction::visitChildren):
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::put):
      (JSC::JSFunction::defineOwnProperty):
      (JSC::JSFunction::getConstructData):
      * runtime/JSFunction.h:
      (JSC::JSFunction::offsetOfScopeChain):
      (JSC::JSFunction::offsetOfExecutable):
      (JSC::JSFunction::offsetOfAllocationProfile):
      (JSC::JSFunction::allocationProfile):
      (JSFunction):
      (JSC::JSFunction::tryGetAllocationProfile):
      (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
      data member to be an ObjectAllocationProfile, which includes a pointer
      to the desired allocator. This simplifies JIT code, since we don't have
      to compute the allocator on the fly. I verified by code inspection that
      JSFunction is still only 64 bytes.
      
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
      object structure anymore, because now clients need to specify how much
      inline capacity they want.
      
      * runtime/JSONObject.cpp:
      * runtime/JSObject.h:
      (JSC):
      (JSFinalObject):
      (JSC::JSFinalObject::defaultInlineCapacity):
      (JSC::JSFinalObject::maxInlineCapacity):
      (JSC::JSFinalObject::createStructure): A little refactoring to try to 
      clarify where some of these constants derive from.
      
      (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.
      
      * runtime/JSProxy.cpp:
      (JSC::JSProxy::setTarget): Ugly, but effective.
      
      * runtime/LiteralParser.cpp:
      * runtime/ObjectConstructor.cpp:
      (JSC::constructObject):
      (JSC::constructWithObjectConstructor):
      (JSC::callObjectConstructor):
      (JSC::objectConstructorCreate): Updated for interface changes.
      
      * runtime/ObjectConstructor.h:
      (JSC::constructEmptyObject): Clarified your options for how to allocate
      an empty object, to emphasize what things can actually vary.
      
      * runtime/PropertyOffset.h: These constants have moved because they're
      really higher level concepts to do with the layout of objects and the
      collector. PropertyOffset is just an abstract number line, independent
      of those things.
      
      * runtime/PrototypeMap.cpp:
      (JSC::PrototypeMap::emptyObjectStructureForPrototype):
      (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
      * runtime/PrototypeMap.h:
      (PrototypeMap): The map key is now a pair of prototype and inline capacity,
      since Structure encodes inline capacity.
      
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      (JSC::Structure::materializePropertyMap):
      (JSC::Structure::addPropertyTransition):
      (JSC::Structure::nonPropertyTransition):
      (JSC::Structure::copyPropertyTableForPinning):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::totalStorageSize):
      (JSC::Structure::transitionCount):
      (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
      up after enabling variable-sized inline capacities: we were passing our
      type info where our inline capacity was expected. The compiler didn't
      notice because both have type int :(.
      
      ../WebCore: 
      
      * ForwardingHeaders/runtime/ObjectConstructor.h: Added.
      
      * bindings/js/JSInjectedScriptHostCustom.cpp:
      * bindings/js/JSSQLResultSetRowListCustom.cpp: Include ObjectConstructor.h because
      that's where createEmptyObject() is located now.
      
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneDeserializer::deserialize): Updated for interface change.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141050 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c862eacf
  22. 24 Jan, 2013 1 commit
    • mhahnenberg@apple.com's avatar
      Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h · c1bc9d39
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=107327
      
      Reviewed by Filip Pizlo.
      
      Source/JavaScriptCore:
      
      We're renaming these two files, so we have to replace the names everywhere.
      
      * API/APICast.h:
      * API/APIJSValue.h: Removed.
      * API/JSBlockAdaptor.mm:
      * API/JSStringRefCF.cpp:
      * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
      * API/JSValue.mm:
      * API/JSValueInternal.h:
      * API/JSValueRef.cpp:
      * API/JSWeakObjectMapRefPrivate.cpp:
      * API/JavaScriptCore.h:
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CallLinkStatus.h:
      * bytecode/CodeBlock.cpp:
      * bytecode/MethodOfGettingAValueProfile.h:
      * bytecode/ResolveGlobalStatus.cpp:
      * bytecode/ResolveGlobalStatus.h:
      * bytecode/SpeculatedType.h:
      * bytecode/ValueRecovery.h:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGJITCompiler.cpp:
      * dfg/DFGNode.h:
      * dfg/DFGSpeculativeJIT.cpp:
      * dfg/DFGSpeculativeJIT64.cpp:
      * heap/CopiedBlock.h:
      * heap/HandleStack.cpp:
      * heap/HandleTypes.h:
      * heap/WeakImpl.h:
      * interpreter/Interpreter.h:
      * interpreter/Register.h:
      * interpreter/VMInspector.h:
      * jit/HostCallReturnValue.cpp:
      * jit/HostCallReturnValue.h:
      * jit/JITCode.h:
      * jit/JITExceptions.cpp:
      * jit/JITExceptions.h:
      * jit/JSInterfaceJIT.h:
      * llint/LLIntCLoop.h:
      * llint/LLIntData.h:
      * llint/LLIntSlowPaths.cpp:
      * profiler/ProfilerBytecode.h:
      * profiler/ProfilerBytecodeSequence.h:
      * profiler/ProfilerBytecodes.h:
      * profiler/ProfilerCompilation.h:
      * profiler/ProfilerCompiledBytecode.h:
      * profiler/ProfilerDatabase.h:
      * profiler/ProfilerOSRExit.h:
      * profiler/ProfilerOSRExitSite.h:
      * profiler/ProfilerOrigin.h:
      * profiler/ProfilerOriginStack.h:
      * runtime/ArgList.cpp:
      * runtime/CachedTranscendentalFunction.h:
      * runtime/CallData.h:
      * runtime/Completion.h:
      * runtime/ConstructData.h:
      * runtime/DateConstructor.cpp:
      * runtime/DateInstance.cpp:
      * runtime/DatePrototype.cpp:
      * runtime/JSAPIValueWrapper.h:
      * runtime/JSCJSValue.cpp: Copied from Source/JavaScriptCore/runtime/JSValue.cpp.
      * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h.
      (JSValue):
      * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h.
      * runtime/JSGlobalData.h:
      * runtime/JSGlobalObject.cpp:
      * runtime/JSGlobalObjectFunctions.h:
      * runtime/JSStringJoiner.h:
      * runtime/JSValue.cpp: Removed.
      * runtime/JSValue.h: Removed.
      * runtime/JSValueInlines.h: Removed.
      * runtime/LiteralParser.h:
      * runtime/Operations.h:
      * runtime/PropertyDescriptor.h:
      * runtime/PropertySlot.h:
      * runtime/Protect.h:
      * runtime/RegExpPrototype.cpp:
      * runtime/Structure.h:
      
      Source/WebCore:
      
      No new tests.
      
      We're renaming these two files, so we have to replace the names everywhere.
      
      * ForwardingHeaders/runtime/JSCJSValue.h: Copied from Source/WebCore/ForwardingHeaders/runtime/JSValue.h.
      * ForwardingHeaders/runtime/JSValue.h: Removed.
      * WebCore.vcproj/WebCore.vcproj:
      * bindings/js/JSArrayBufferViewHelper.h:
      * bindings/js/JSCustomXPathNSResolver.h:
      * bindings/js/JSHTMLAllCollectionCustom.cpp:
      * bindings/js/JSIntentConstructor.cpp:
      * bindings/js/JSMessagePortCustom.h:
      * bindings/js/JSNodeFilterCondition.h:
      * bindings/js/JavaScriptCallFrame.cpp:
      * bindings/js/ScriptCallStackFactory.cpp:
      * bindings/js/ScriptValue.h:
      * bindings/js/SerializedScriptValue.h:
      * bindings/objc/WebScriptObjectPrivate.h:
      * bridge/c/c_utility.h:
      * bridge/testbindings.cpp:
      * bridge/testbindings.mm:
      * bridge/testqtbindings.cpp:
      * plugins/PluginView.cpp:
      * plugins/blackberry/PluginViewBlackBerry.cpp:
      * plugins/gtk/PluginViewGtk.cpp:
      * plugins/mac/PluginViewMac.mm:
      * plugins/qt/PluginViewQt.cpp:
      * plugins/win/PluginViewWin.cpp:
      
      Source/WebKit/gtk:
      
      We're renaming these two files, so we have to replace the names everywhere.
      
      * WebCoreSupport/DumpRenderTreeSupportGtk.cpp:
      
      Source/WebKit/mac:
      
      We're renaming these two files, so we have to replace the names everywhere.
      
      * DOM/WebDOMOperations.mm:
      * ForwardingHeaders/runtime/JSCJSValue.h: Copied from Source/WebKit/mac/ForwardingHeaders/runtime/JSValue.h.
      * ForwardingHeaders/runtime/JSValue.h: Removed.
      * WebView/WebFrame.mm:
      * WebView/WebView.mm:
      
      Source/WebKit/win:
      
      We're renaming these two files, so we have to replace the names everywhere.
      
      * WebFrame.cpp:
      * WebView.cpp:
      
      Source/WebKit/wx:
      
      We're renaming these two files, so we have to replace the names everywhere.
      
      * WebFrame.cpp:
      * WebView.cpp:
      
      Source/WebKit2:
      
      We're renaming these two files, so we have to replace the names everywhere.
      
      * WebProcess/WebPage/WebPage.cpp:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140718 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c1bc9d39
  23. 23 Jan, 2013 1 commit
    • oliver@apple.com's avatar
      Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC · 5598c181
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=107736
      
      Reviewed by Mark Hahnenberg.
      
      Mechanical change with no performance impact.
      
      * API/JSBlockAdaptor.mm:
      (BlockArgumentTypeDelegate::typeVoid):
      * API/JSCallbackObjectFunctions.h:
      (JSC::::construct):
      (JSC::::call):
      * API/JSScriptRef.cpp:
      * API/ObjCCallbackFunction.mm:
      (ArgumentTypeDelegate::typeVoid):
      * assembler/ARMv7Assembler.h:
      (JSC::ARMv7Assembler::link):
      (JSC::ARMv7Assembler::replaceWithLoad):
      (JSC::ARMv7Assembler::replaceWithAddressComputation):
      * assembler/MacroAssembler.h:
      (JSC::MacroAssembler::invert):
      * assembler/MacroAssemblerARM.h:
      (JSC::MacroAssemblerARM::countLeadingZeros32):
      (JSC::MacroAssemblerARM::divDouble):
      * assembler/MacroAssemblerMIPS.h:
      (JSC::MacroAssemblerMIPS::absDouble):
      (JSC::MacroAssemblerMIPS::replaceWithJump):
      (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
      * assembler/MacroAssemblerSH4.h:
      (JSC::MacroAssemblerSH4::absDouble):
      (JSC::MacroAssemblerSH4::replaceWithJump):
      (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
      * assembler/SH4Assembler.h:
      (JSC::SH4Assembler::shllImm8r):
      (JSC::SH4Assembler::shlrImm8r):
      (JSC::SH4Assembler::cmplRegReg):
      (JSC::SH4Assembler::branch):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::replaceWithLoad):
      (JSC::X86Assembler::replaceWithAddressComputation):
      * bytecode/CallLinkInfo.cpp:
      (JSC::CallLinkInfo::unlink):
      * bytecode/CodeBlock.cpp:
      (JSC::debugHookName):
      (JSC::CodeBlock::printGetByIdOp):
      (JSC::CodeBlock::printGetByIdCacheStatus):
      (JSC::CodeBlock::visitAggregate):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::usesOpcode):
      * bytecode/DataFormat.h:
      (JSC::needDataFormatConversion):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      (JSC::exitKindIsCountable):
      * bytecode/MethodOfGettingAValueProfile.cpp:
      (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
      * bytecode/Opcode.h:
      (JSC::opcodeLength):
      * bytecode/PolymorphicPutByIdList.cpp:
      (JSC::PutByIdAccess::fromStructureStubInfo):
      (JSC::PutByIdAccess::visitWeak):
      * bytecode/StructureStubInfo.cpp:
      (JSC::StructureStubInfo::deref):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC::BytecodeGenerator::emitGetLocalVar):
      (JSC::BytecodeGenerator::beginSwitch):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::BinaryOpNode::emitBytecode):
      (JSC::emitReadModifyAssignment):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      (JSC::DFG::AbstractState::mergeToSuccessors):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
      (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::setLocalStoreElimination):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::canHandleOpcodes):
      * dfg/DFGCommon.h:
      (JSC::DFG::useKindToString):
      * dfg/DFGDoubleFormatState.h:
      (JSC::DFG::mergeDoubleFormatStates):
      (JSC::DFG::doubleFormatStateToString):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::blessArrayOperation):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::clobbersWorld):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::valueOfJSConstant):
      (JSC::DFG::Node::successor):
      * dfg/DFGNodeFlags.cpp:
      (JSC::DFG::nodeFlagsAsString):
      * dfg/DFGNodeType.h:
      (JSC::DFG::defaultFlags):
      * dfg/DFGRepatch.h:
      (JSC::DFG::dfgResetGetByID):
      (JSC::DFG::dfgResetPutByID):
      * dfg/DFGSlowPathGenerator.h:
      (JSC::DFG::SlowPathGenerator::call):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentSpill):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::bitOp):
      (JSC::DFG::SpeculativeJIT::shiftOp):
      (JSC::DFG::SpeculativeJIT::integerResult):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::fillDouble):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::fillDouble):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * dfg/DFGValueSource.h:
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableEvent.cpp:
      (JSC::DFG::VariableEvent::dump):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * heap/BlockAllocator.h:
      (JSC::BlockAllocator::regionSetFor):
      * heap/GCThread.cpp:
      (JSC::GCThread::gcThreadMain):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::sweepHelper):
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::isLive):
      * interpreter/CallFrame.h:
      (JSC::ExecState::inlineCallFrame):
      * interpreter/Interpreter.cpp:
      (JSC::getCallerInfo):
      (JSC::getStackFrameCodeType):
      (JSC::Interpreter::execute):
      * jit/ExecutableAllocatorFixedVMPool.cpp:
      (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      (JSC::JIT::privateCompile):
      * jit/JITArithmetic.cpp:
      (JSC::JIT::emitSlow_op_mod):
      * jit/JITArithmetic32_64.cpp:
      (JSC::JIT::emitBinaryDoubleOp):
      (JSC::JIT::emitSlow_op_mod):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::isDirectPutById):
      * jit/JITStubs.cpp:
      (JSC::getPolymorphicAccessStructureListSlot):
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::jitCompileAndSetHeuristics):
      * parser/Lexer.cpp:
      (JSC::::lex):
      * parser/Nodes.h:
      (JSC::ExpressionNode::emitBytecodeInConditionContext):
      * parser/Parser.h:
      (JSC::Parser::getTokenName):
      (JSC::Parser::updateErrorMessageSpecialCase):
      * parser/SyntaxChecker.h:
      (JSC::SyntaxChecker::operatorStackPop):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/DatePrototype.cpp:
      (JSC::formatLocaleDate):
      * runtime/Executable.cpp:
      (JSC::samplingDescription):
      * runtime/Executable.h:
      (JSC::ScriptExecutable::unlinkCalls):
      * runtime/Identifier.cpp:
      (JSC):
      * runtime/InternalFunction.cpp:
      (JSC::InternalFunction::getCallData):
      * runtime/JSArray.cpp:
      (JSC::JSArray::push):
      (JSC::JSArray::sort):
      * runtime/JSCell.cpp:
      (JSC::JSCell::defaultValue):
      (JSC::JSCell::getOwnPropertyNames):
      (JSC::JSCell::getOwnNonIndexPropertyNames):
      (JSC::JSCell::className):
      (JSC::JSCell::getPropertyNames):
      (JSC::JSCell::customHasInstance):
      (JSC::JSCell::putDirectVirtual):
      (JSC::JSCell::defineOwnProperty):
      (JSC::JSCell::getOwnPropertyDescriptor):
      * runtime/JSCell.h:
      (JSCell):
      * runtime/JSNameScope.cpp:
      (JSC::JSNameScope::put):
      * runtime/JSObject.cpp:
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::ensureArrayStorageSlow):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::tryGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::canSetIndexQuicklyForPutDirect):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::hasSparseMap):
      (JSC::JSObject::inSparseIndexingMode):
      * runtime/JSScope.cpp:
      (JSC::JSScope::isDynamicScope):
      * runtime/JSSymbolTableObject.cpp:
      (JSC::JSSymbolTableObject::putDirectVirtual):
      * runtime/JSSymbolTableObject.h:
      (JSSymbolTableObject):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/RegExp.cpp:
      (JSC::RegExp::compile):
      (JSC::RegExp::compileMatchOnly):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      * tools/CodeProfile.cpp:
      (JSC::CodeProfile::sample):
      * yarr/YarrCanonicalizeUCS2.h:
      (JSC::Yarr::getCanonicalPair):
      (JSC::Yarr::areCanonicallyEquivalent):
      * yarr/YarrInterpreter.cpp:
      (JSC::Yarr::Interpreter::matchCharacterClass):
      (JSC::Yarr::Interpreter::matchBackReference):
      (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
      (JSC::Yarr::Interpreter::matchParentheses):
      (JSC::Yarr::Interpreter::backtrackParentheses):
      (JSC::Yarr::Interpreter::matchDisjunction):
      * yarr/YarrJIT.cpp:
      (JSC::Yarr::YarrGenerator::generateTerm):
      (JSC::Yarr::YarrGenerator::backtrackTerm):
      * yarr/YarrParser.h:
      (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
      (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
      * yarr/YarrPattern.cpp:
      (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140594 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5598c181
  24. 11 Jan, 2013 3 commits
    • fpizlo@apple.com's avatar
      The JITThunks class should be in its own file, and doing so should not break the build · a4b4cbe9
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=105696
      
      Source/JavaScriptCore: 
      
      Rubber stamped by Sam Weinig and Geoffrey Garen.
              
      This patch was supposed to just move JITThunks into its own file. But then I
      realized that there is a horrible circular dependency chain between JSCell,
      JSGlobalData, CallFrame, and Weak, which only works because of magical include
      order in JITStubs.h, and the fact that JSGlobalData.h includes JITStubs.h
      before it includes JSCell or JSValue.
              
      I first tried to just get JITThunks.h to just magically do the same pointless
      includes that JITStubs.h had, but then I decided to actually fix the underflying
      problem, which was that JSCell needed CallFrame, CallFrame needed JSGlobalData,
      JSGlobalData needed JITThunks, JITThunks needed Weak, and Weak needed JSCell.
      Now, all of JSCell's outgoing dependencies are placed in JSCellInlines.h. This
      also gave me an opportunity to move JSValue inline methods from JSCell.h into
      JSValueInlines.h. But to make this really work, I needed to remove includes of
      *Inlines.h from other headers (CodeBlock.h for example included JSValueInlines.h,
      which defeats the whole entire purpose of having an Inlines.h file), and I needed
      to add includes of *Inlines.h into a bunch of .cpp files. I did this mostly by
      having .cpp files include Operations.h. In future, if you're adding a .cpp file
      to JSC, you'll almost certainly have to include Operations.h unless you enjoy
      link errors.
      
      * API/JSBase.cpp:
      * API/JSCallbackConstructor.cpp:
      * API/JSCallbackFunction.cpp:
      * API/JSCallbackObject.cpp:
      * API/JSClassRef.cpp:
      * API/JSContextRef.cpp:
      * API/JSObjectRef.cpp:
      * API/JSScriptRef.cpp:
      * API/JSWeakObjectMapRefPrivate.cpp:
      * JSCTypedArrayStubs.h:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ArrayAllocationProfile.cpp:
      * bytecode/CodeBlock.cpp:
      * bytecode/GetByIdStatus.cpp:
      * bytecode/LazyOperandValueProfile.cpp:
      * bytecode/ResolveGlobalStatus.cpp:
      * bytecode/SpeculatedType.cpp:
      * bytecode/UnlinkedCodeBlock.cpp:
      * bytecompiler/BytecodeGenerator.cpp:
      * debugger/Debugger.cpp:
      * debugger/DebuggerActivation.cpp:
      * debugger/DebuggerCallFrame.cpp:
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      * dfg/DFGArrayMode.cpp:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGConstantFoldingPhase.cpp:
      * dfg/DFGDriver.cpp:
      * dfg/DFGFixupPhase.cpp:
      * dfg/DFGGraph.cpp:
      * dfg/DFGJITCompiler.cpp:
      * dfg/DFGOSREntry.cpp:
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      * dfg/DFGPredictionPropagationPhase.cpp:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (DFG):
      (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
      (JSC::DFG::SpeculativeJIT::silentSpill):
      (JSC::DFG::SpeculativeJIT::silentFill):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      * dfg/DFGSpeculativeJIT64.cpp:
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      * dfg/DFGVariableEventStream.cpp:
      * heap/CopiedBlock.h:
      * heap/CopiedSpace.cpp:
      * heap/HandleSet.cpp:
      * heap/Heap.cpp:
      * heap/HeapStatistics.cpp:
      * heap/SlotVisitor.cpp:
      * heap/WeakBlock.cpp:
      * interpreter/CallFrame.cpp:
      * interpreter/CallFrame.h:
      * jit/ClosureCallStubRoutine.cpp:
      * jit/GCAwareJITStubRoutine.cpp:
      * jit/JIT.cpp:
      * jit/JITArithmetic.cpp:
      * jit/JITArithmetic32_64.cpp:
      * jit/JITCall.cpp:
      * jit/JITCall32_64.cpp:
      * jit/JITCode.h:
      * jit/JITExceptions.cpp:
      * jit/JITStubs.h:
      * jit/JITThunks.h:
      * jsc.cpp:
      * llint/LLIntExceptions.cpp:
      * profiler/LegacyProfiler.cpp:
      * profiler/ProfileGenerator.cpp:
      * profiler/ProfilerBytecode.cpp:
      * profiler/ProfilerBytecodeSequence.cpp:
      * profiler/ProfilerBytecodes.cpp:
      * profiler/ProfilerCompilation.cpp:
      * profiler/ProfilerCompiledBytecode.cpp:
      * profiler/ProfilerDatabase.cpp:
      * profiler/ProfilerOSRExit.cpp:
      * profiler/ProfilerOSRExitSite.cpp:
      * profiler/ProfilerOrigin.cpp:
      * profiler/ProfilerOriginStack.cpp:
      * profiler/ProfilerProfiledBytecodes.cpp:
      * runtime/ArgList.cpp:
      * runtime/Arguments.cpp:
      * runtime/ArrayConstructor.cpp:
      * runtime/BooleanConstructor.cpp:
      * runtime/BooleanObject.cpp:
      * runtime/BooleanPrototype.cpp:
      * runtime/CallData.cpp:
      * runtime/CodeCache.cpp:
      * runtime/Completion.cpp:
      * runtime/ConstructData.cpp:
      * runtime/DateConstructor.cpp:
      * runtime/DateInstance.cpp:
      * runtime/DatePrototype.cpp:
      * runtime/Error.cpp:
      * runtime/ErrorConstructor.cpp:
      * runtime/ErrorInstance.cpp:
      * runtime/ErrorPrototype.cpp:
      * runtime/ExceptionHelpers.cpp:
      * runtime/Executable.cpp:
      * runtime/FunctionConstructor.cpp:
      * runtime/FunctionPrototype.cpp:
      * runtime/GetterSetter.cpp:
      * runtime/Identifier.cpp:
      * runtime/InternalFunction.cpp:
      * runtime/JSActivation.cpp:
      * runtime/JSBoundFunction.cpp:
      * runtime/JSCell.cpp:
      * runtime/JSCell.h:
      (JSC):
      * runtime/JSCellInlines.h: Added.
      (JSC):
      (JSC::JSCell::JSCell):
      (JSC::JSCell::finishCreation):
      (JSC::JSCell::structure):
      (JSC::JSCell::visitChildren):
      (JSC::allocateCell):
      (JSC::isZapped):
      (JSC::JSCell::isObject):
      (JSC::JSCell::isString):
      (JSC::JSCell::isGetterSetter):
      (JSC::JSCell::isProxy):
      (JSC::JSCell::isAPIValueWrapper):
      (JSC::JSCell::setStructure):
      (JSC::JSCell::methodTable):
      (JSC::JSCell::inherits):
      (JSC::JSCell::fastGetOwnPropertySlot):
      (JSC::JSCell::fastGetOwnProperty):
      (JSC::JSCell::toBoolean):
      * runtime/JSDateMath.cpp:
      * runtime/JSFunction.cpp:
      * runtime/JSFunction.h:
      (JSC):
      * runtime/JSGlobalData.h:
      (JSC):
      (JSGlobalData):
      * runtime/JSGlobalObject.cpp:
      * runtime/JSGlobalObjectFunctions.cpp:
      * runtime/JSLock.cpp:
      * runtime/JSNameScope.cpp:
      * runtime/JSNotAnObject.cpp:
      * runtime/JSONObject.cpp:
      * runtime/JSObject.h:
      (JSC):
      * runtime/JSProxy.cpp:
      * runtime/JSScope.cpp:
      * runtime/JSSegmentedVariableObject.cpp:
      * runtime/JSString.h:
      (JSC):
      * runtime/JSStringJoiner.cpp:
      * runtime/JSSymbolTableObject.cpp:
      * runtime/JSValue.cpp:
      * runtime/JSValueInlines.h:
      (JSC::JSValue::toInt32):
      (JSC::JSValue::toUInt32):
      (JSC):
      (JSC::JSValue::isUInt32):
      (JSC::JSValue::asUInt32):
      (JSC::JSValue::asNumber):
      (JSC::jsNaN):
      (JSC::JSValue::JSValue):
      (JSC::JSValue::encode):
      (JSC::JSValue::decode):
      (JSC::JSValue::operator bool):
      (JSC::JSValue::operator==):
      (JSC::JSValue::operator!=):
      (JSC::JSValue::isEmpty):
      (JSC::JSValue::isUndefined):
      (JSC::JSValue::isNull):
      (JSC::JSValue::isUndefinedOrNull):
      (JSC::JSValue::isCell):
      (JSC::JSValue::isInt32):
      (JSC::JSValue::isDouble):
      (JSC::JSValue::isTrue):
      (JSC::JSValue::isFalse):
      (JSC::JSValue::tag):
      (JSC::JSValue::payload):
      (JSC::JSValue::asInt32):
      (JSC::JSValue::asDouble):
      (JSC::JSValue::asCell):
      (JSC::JSValue::isNumber):
      (JSC::JSValue::isBoolean):
      (JSC::JSValue::asBoolean):
      (JSC::reinterpretDoubleToInt64):
      (JSC::reinterpretInt64ToDouble):
      (JSC::JSValue::isString):
      (JSC::JSValue::isPrimitive):
      (JSC::JSValue::isGetterSetter):
      (JSC::JSValue::isObject):
      (JSC::JSValue::getString):
      (JSC::::getString):
      (JSC::JSValue::getObject):
      (JSC::JSValue::getUInt32):
      (JSC::JSValue::toPrimitive):
      (JSC::JSValue::getPrimitiveNumber):
      (JSC::JSValue::toNumber):
      (JSC::JSValue::toObject):
      (JSC::JSValue::isFunction):
      (JSC::JSValue::inherits):
      (JSC::JSValue::toThisObject):
      (JSC::JSValue::get):
      (JSC::JSValue::put):
      (JSC::JSValue::putByIndex):
      (JSC::JSValue::structureOrUndefined):
      (JSC::JSValue::equal):
      (JSC::JSValue::equalSlowCaseInline):
      (JSC::JSValue::strictEqualSlowCaseInline):
      (JSC::JSValue::strictEqual):
      * runtime/JSVariableObject.cpp:
      * runtime/JSWithScope.cpp:
      * runtime/JSWrapperObject.cpp:
      * runtime/LiteralParser.cpp:
      * runtime/Lookup.cpp:
      * runtime/NameConstructor.cpp:
      * runtime/NameInstance.cpp:
      * runtime/NamePrototype.cpp:
      * runtime/NativeErrorConstructor.cpp:
      * runtime/NativeErrorPrototype.cpp:
      * runtime/NumberConstructor.cpp:
      * runtime/NumberObject.cpp:
      * runtime/ObjectConstructor.cpp:
      * runtime/ObjectPrototype.cpp:
      * runtime/Operations.h:
      (JSC):
      * runtime/PropertySlot.cpp:
      * runtime/RegExp.cpp:
      * runtime/RegExpCache.cpp:
      * runtime/RegExpCachedResult.cpp:
      * runtime/RegExpConstructor.cpp:
      * runtime/RegExpMatchesArray.cpp:
      * runtime/RegExpObject.cpp:
      * runtime/RegExpPrototype.cpp:
      * runtime/SmallStrings.cpp:
      * runtime/SparseArrayValueMap.cpp:
      * runtime/StrictEvalActivation.cpp:
      * runtime/StringConstructor.cpp:
      * runtime/StringObject.cpp:
      * runtime/StringRecursionChecker.cpp:
      * runtime/Structure.h:
      (JSC):
      * runtime/StructureChain.cpp:
      * runtime/TimeoutChecker.cpp:
      * testRegExp.cpp:
      
      Source/WebCore: 
      
      Rubber stamped by Sam Weinig.
      
      All .cpp files that use the JSC internal API must now transitively include
      Operations.h, and none of the major JSC headers do it for you to avoid
      circularity. WebCore doesn't have to worry about circularity with JSC, so
      this changes all of the major WebCore JSC base headers to include
      Operations.h.
      
      * bindings/js/BindingState.h:
      * bindings/js/JSArrayBufferViewHelper.h:
      * bindings/js/JSCustomXPathNSResolver.h:
      * bindings/js/JSDOMBinding.h:
      * bindings/js/JSDOMGlobalObject.h:
      * bindings/js/JSDictionary.h:
      * bindings/js/JSMessagePortCustom.h:
      * bindings/js/JSNodeFilterCondition.h:
      * bindings/js/ScriptValue.h:
      * bindings/js/ScriptWrappable.h:
      * bindings/js/SerializedScriptValue.cpp:
      * bridge/c/c_utility.h:
      * bridge/jsc/BridgeJSC.h:
      * dom/Node.cpp:
      * html/HTMLCanvasElement.cpp:
      * html/HTMLImageLoader.cpp:
      * plugins/efl/PluginViewEfl.cpp:
      * xml/XMLHttpRequest.cpp:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139541 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a4b4cbe9
    • fpizlo@apple.com's avatar
      If you use Phantom to force something to be live across an OSR exit, you... · 895e5bbc
      fpizlo@apple.com authored
      If you use Phantom to force something to be live across an OSR exit, you should put it after the OSR exit
      https://bugs.webkit.org/show_bug.cgi?id=106724
      
      Reviewed by Oliver Hunt.
              
      In cases where we were getting it wrong, I think it was benign because we would either already have an
      OSR exit prior to there, or the operand would be a constant.  But still, it's good to get this right.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139540 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      895e5bbc
    • fpizlo@apple.com's avatar
      Add a run-time option to print bytecode at DFG compile time · 067902be
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=106704
      
      Reviewed by Mark Hahnenberg.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      * runtime/Options.h:
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139506 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      067902be
  25. 08 Jan, 2013 2 commits
    • oliver@apple.com's avatar
      Support op_typeof in the DFG · e722ad0f
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98898
      
      Reviewed by Filip Pizlo.
      
      Adds a TypeOf node to the DFG to support op_typeof.
      
      To avoid adding too much GC horror, this also makes the
      common strings portion of the SmallString cache strongly
      referenced.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
        We try to determine the result early here, and substitute in a constant.
        Otherwise we leave the node intact, and set the result type to SpecString.
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
        Parse op_typeof
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
        TypeOf nodes can be subjected to pure CSE
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
        We can handle typeof.
      * dfg/DFGNodeType.h:
      (DFG):
        Define the node.
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
        Add operationTypeOf to support the non-trivial cases.
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
        Actual codegen
      * runtime/Operations.cpp:
      (JSC::jsTypeStringForValue):
      (JSC):
      * runtime/Operations.h:
      (JSC):
        Some refactoring to allow us to get the type string for an
        object without needing a callframe.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139145 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e722ad0f
    • fpizlo@apple.com's avatar
      DFG initrinsic handling should ensure that we backwards propagate the fact... · 8dafd7dd
      fpizlo@apple.com authored
      DFG initrinsic handling should ensure that we backwards propagate the fact that all operands may escape
      https://bugs.webkit.org/show_bug.cgi?id=106365
      
      Source/JavaScriptCore: 
      
      Reviewed by Mark Hahnenberg.
              
      Use the fact that Phantom means that things escaped, and just insert Phantoms for all
      of the operands.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleCall):
      
      LayoutTests: 
      
      Reviewed by Mark Hahnenberg.
              
      Add tests that cover the possible badness that could occur for all of those
      intrinsics that don't intrinsically (pun sort of intended) cause escapeage
      to happen. As in, if we did happen to know for sure that what we want is
      ArithSqrt, then we would have a guarantee that ArithSqrt does not by itself
      use its operands in a way that involves NodeUsedAsOther. But when ArithSqrt
      is inserted because of intrinsic optimization (i.e. something like
      Math.sqrt(blah)) then the intrinsic machinery needs to indicate that blah
      could escape in the case that we didn't end up doing ArithSqrt because we
      exited prior to it and called some other function.
      
      * fast/js/dfg-abs-backwards-propagation-expected.txt: Added.
      * fast/js/dfg-abs-backwards-propagation.html: Added.
      * fast/js/dfg-max-backwards-propagation-expected.txt: Added.
      * fast/js/dfg-max-backwards-propagation.html: Added.
      * fast/js/dfg-min-backwards-propagation-expected.txt: Added.
      * fast/js/dfg-min-backwards-propagation.html: Added.
      * fast/js/dfg-proven-sqrt-backwards-propagation-expected.txt: Added.
      * fast/js/dfg-proven-sqrt-backwards-propagation.html: Added.
      * fast/js/dfg-sqrt-backwards-propagation-expected.txt: Added.
      * fast/js/dfg-sqrt-backwards-propagation.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-abs-backwards-propagation.js: Added.
      (foo):
      (bar):
      * fast/js/script-tests/dfg-max-backwards-propagation.js: Added.
      (foo):
      (bar):
      * fast/js/script-tests/dfg-min-backwards-propagation.js: Added.
      (foo):
      (bar):
      * fast/js/script-tests/dfg-proven-sqrt-backwards-propagation.js: Added.
      (foo):
      (bar):
      * fast/js/script-tests/dfg-sqrt-backwards-propagation.js: Added.
      (foo):
      (bar):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139098 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8dafd7dd
  26. 06 Jan, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG should inline closure calls · 5e2296a2
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=106067
      
      Reviewed by Gavin Barraclough.
              
      This adds initial support for inlining closure calls to the DFG. A call is considered
      to be a closure call when the JSFunction* varies, but always has the same executable.
      We already have closure call inline caching in both JITs, which works by checking that
      the callee has an expected structure (as a cheap way of detecting that it is in fact
      a JSFunction) and an expected executable. Closure call inlining uses profiling data
      aggregated by CallLinkStatus to decide when to specialize the call to the particular
      structure/executable, and inline the call rather than emitting a call sequence. When
      we choose to do a closure inline rather than an ordinary inline, a number of things
      change about how inlining is performed:
              
      - The inline is guarded by a CheckStructure/CheckExecutable rather than a
        CheckFunction.
              
      - Instead of propagating a constant value for the scope, we emit GetMyScope every time
        that the scope is needed, which loads the scope from a local variable. We do similar
        things for the callee.
              
      - The prologue of the inlined code includes SetMyScope and SetCallee nodes to eagerly
        plant the scope and callee into the "true call frame", i.e. the place on the stack
        where the call frame would have been if the call had been actually performed. This
        allows GetMyScope/GetCallee to work as they would if the code wasn't inlined. It
        also allows for trivial handling of scope and callee for call frame reconstruction
        upon stack introspection and during OSR.
              
      - A new node called GetScope is introduced, which just gets the scope of a function.
        This node has the expected CSE support. This allows for the
        SetMyScope(GetScope(@function)) sequence to set up the scope in the true call frame.
              
      - GetMyScope/GetCallee CSE can match against SetMyScope/SetCallee, which means that
        the GetMyScope/GetCallee nodes emitted during parsing are often removed during CSE,
        if we can prove that it is safe to do so.
              
      - Inlining heuristics are adjusted to grok the cost of inlining a closure. We are
        less likely to inline a closure call than we are to inline a normal call, since we
        end up emitting more code for closures due to CheckStructure, CheckExecutable,
        GetScope, SetMyScope, and SetCallee.
              
      Additionally, I've fixed the VariableEventStream to ensure that we don't attempt to
      plant Undefined into the true call frames. This was previously a harmless oversight,
      but it becomes quite bad if OSR is relying on the scope/callee already having been
      set and not subsequently clobbered by the OSR itself.
              
      This is a ~60% speed-up on programs that frequently make calls to closures. It's
      neutral on V8v7 and other major benchmark suites.
              
      The lack of a definite speed-up is likely due the fact that closure inlining currently
      does not do any cardinality [1] optimizations. We don't observe when a closure was
      constructed within its caller, and so used the scope from its caller; and furthermore
      we have no facility to detect when the scope is single. All scoped variable accesses
      are assumed to be multiple instead. A subsequent step will be to ensure that closure
      call inlining will be single and loving it.
              
      [1] Single and loving it: Must-alias analysis for higher-order languages. Suresh
          Jagannathan, Peter Thiemann, Stephen Weeks, and Andrew Wright. In POPL '98.
      
      * bytecode/CallLinkStatus.cpp:
      (JSC::CallLinkStatus::dump):
      * bytecode/CallLinkStatus.h:
      (JSC::CallLinkStatus::isClosureCall):
      (CallLinkStatus):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::globalObjectFor):
      (JSC):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      * bytecode/CodeOrigin.cpp:
      (JSC::InlineCallFrame::dump):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::emitFunctionChecks):
      (JSC::DFG::ByteCodeParser::handleInlining):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (CSEPhase):
      (JSC::DFG::CSEPhase::getCalleeLoadElimination):
      (JSC::DFG::CSEPhase::checkExecutableElimination):
      (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::mightInlineFunctionForClosureCall):
      * dfg/DFGCapabilities.h:
      (DFG):
      (JSC::DFG::mightInlineFunctionForClosureCall):
      (JSC::DFG::canInlineFunctionForClosureCall):
      (JSC::DFG::canInlineFunctionFor):
      * dfg/DFGNode.h:
      (Node):
      (JSC::DFG::Node::hasExecutable):
      (JSC::DFG::Node::executable):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * runtime/Options.h:
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138921 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5e2296a2
  27. 04 Jan, 2013 1 commit
    • fpizlo@apple.com's avatar
      Rationalize exit site profiling for calls · a7536f9c
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=106150
      
      Reviewed by Sam Weinig.
              
      This adds two new exit kinds for calls: BadFunction and BadExecutable. The latter is not used
      yet, but is already integrated with profiling. CheckFunction uses a BadFunction speculation
      instead of BadCache, now. This allows CallLinkStatus to turn itself into a closure call status
      if we had a BadFunction exit site but the CallLinkInfo told us to use a non-closure call. This
      might happen if we had call unlinking that led to information loss along the way.
              
      No performance impact. This is meant as another step towards inlining closure calls.
      
      * bytecode/CallLinkStatus.cpp:
      * bytecode/CallLinkStatus.h:
      (JSC::CallLinkStatus::setIsProved):
      (JSC::CallLinkStatus::setHasBadFunctionExitSite):
      (CallLinkStatus):
      (JSC::CallLinkStatus::setHasBadCacheExitSite):
      (JSC::CallLinkStatus::setHasBadExecutableExitSite):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleCall):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138871 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a7536f9c
  28. 03 Jan, 2013 2 commits
    • fpizlo@apple.com's avatar
      DFG::ByteCodeCache serves little or no purpose ever since we decided to keep... · ec0c0887
      fpizlo@apple.com authored
      DFG::ByteCodeCache serves little or no purpose ever since we decided to keep bytecode around permanently
      https://bugs.webkit.org/show_bug.cgi?id=106058
      
      Reviewed by Michael Saboff.
              
      All baseline code blocks now always have bytecode, so the bytecode cache's ability to minimize the
      number of times that the DFG produces bytecode sequences for code blocks is superfluous.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGByteCodeCache.h: Removed.
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::handleInlining):
      * runtime/Executable.cpp:
      (JSC):
      * runtime/Executable.h:
      (FunctionExecutable):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138763 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ec0c0887
    • fpizlo@apple.com's avatar
      CallLinkStatus should be aware of closure calls, and the DFG bytecode parser... · 6bd61456
      fpizlo@apple.com authored
      CallLinkStatus should be aware of closure calls, and the DFG bytecode parser should use that as its sole internal notion of how to optimize calls
      https://bugs.webkit.org/show_bug.cgi?id=106027
      
      Source/JavaScriptCore: 
      
      Reviewed by Mark Hahnenberg.
              
      Previously, the DFG bytecode parser had its own internal notion of exactly what CallLinkStatus was
      meant to do, in the form of a CallType, expectedFunction, intrinsic, etc. This change makes CallLinkStatus
      smart enough to do all of that, and also gives it the ability to understand closure calls.
      
      * bytecode/CallLinkStatus.cpp:
      (JSC::CallLinkStatus::CallLinkStatus):
      (JSC):
      (JSC::CallLinkStatus::function):
      (JSC::CallLinkStatus::internalFunction):
      (JSC::CallLinkStatus::intrinsicFor):
      (JSC::CallLinkStatus::setIsProved):
      (JSC::CallLinkStatus::computeFromLLInt):
      (JSC::CallLinkStatus::computeFor):
      (JSC::CallLinkStatus::dump):
      * bytecode/CallLinkStatus.h:
      (JSC):
      (JSC::CallLinkStatus::CallLinkStatus):
      (CallLinkStatus):
      (JSC::CallLinkStatus::takesSlowPath):
      (JSC::CallLinkStatus::isSet):
      (JSC::CallLinkStatus::isClosureCall):
      (JSC::CallLinkStatus::callTarget):
      (JSC::CallLinkStatus::executable):
      (JSC::CallLinkStatus::structure):
      (JSC::CallLinkStatus::isProved):
      (JSC::CallLinkStatus::canOptimize):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleCall):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::valueOfFunctionConstant):
      
      Source/WTF: 
      
      Reviewed by Mark Hahnenberg.
              
      I got tired of the various idioms for printing a list of things with comma in between, so I wrote a helper.
      
      * WTF.xcodeproj/project.pbxproj:
      * wtf/CommaPrinter.h: Added.
      (WTF):
      (CommaPrinter):
      (WTF::CommaPrinter::CommaPrinter):
      (WTF::CommaPrinter::dump):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138737 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6bd61456
  29. 02 Jan, 2013 2 commits
    • fpizlo@apple.com's avatar
      DFG inlining machinery should be robust against the inline callee varying... · 439e9e55
      fpizlo@apple.com authored
      DFG inlining machinery should be robust against the inline callee varying while the executable stays the same
      https://bugs.webkit.org/show_bug.cgi?id=105953
      
      Reviewed by Mark Hahnenberg.
              
      This institutes the policy that if InlineCallFrame::callee is null, then the callee and scope have already
      been stored into the true call frame (i.e. the place where the call frame of the inlined call would have
      been) and so any attempt to access the callee or scope should do a load instead of assuming that the value
      is constant. This wires the changes through the bytecode parser, the stack scanning logic, and the compiler
      optimization phases and backends.
      
      * bytecode/CodeOrigin.cpp:
      (JSC::InlineCallFrame::dump):
      * bytecode/CodeOrigin.h:
      (CodeOrigin):
      (InlineCallFrame):
      (JSC::InlineCallFrame::isClosureCall):
      (JSC::CodeOrigin::stackOffset):
      (JSC):
      * dfg/DFGAssemblyHelpers.h:
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::get):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::getScope):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCSEPhase.cpp:
      (CSEPhase):
      (JSC::DFG::CSEPhase::genericPureCSE):
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::pureCSERequiringSameInlineCallFrame):
      (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * interpreter/CallFrame.cpp:
      (JSC::CallFrame::trueCallFrame):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138669 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      439e9e55
    • fpizlo@apple.com's avatar
      DFG inliner should not use the callee's bytecode variable for resolving... · 7972a4d9
      fpizlo@apple.com authored
      DFG inliner should not use the callee's bytecode variable for resolving references to the callee in inlined code
      https://bugs.webkit.org/show_bug.cgi?id=105938
      
      Reviewed by Mark Hahnenberg.
              
      This simplifies a bunch of code for referring to the callee. It also ought to simplify how we do
      closure call inlining: for inlined closure call frames we will simply require that the callee is
      already stashed on the stack in the Callee slot in the inline call frame header.
      
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::getDirect):
      (JSC::DFG::ByteCodeParser::get):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parse):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138641 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7972a4d9