1. 18 Sep, 2013 1 commit
  2. 25 Jul, 2013 6 commits
    • commit-queue@webkit.org's avatar
      Build fix: add missing #include. · c717b211
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=119087
      
      Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-07-25
      Reviewed by Allan Sandfeld Jensen.
      
      * bytecode/ArrayProfile.cpp:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153328 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c717b211
    • oliver@apple.com's avatar
      fourthTier: DFG IR dumps should be easier to read · 237b1464
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=119050
      
      Source/JavaScriptCore:
      
      Reviewed by Mark Hahnenberg.
      
      Added a DumpContext that includes support for printing an endnote
      that describes all structures in full, while the main flow of the
      dump just uses made-up names for the structures. This is helpful
      since Structure::dump() may print a lot. The stuff it prints is
      useful, but if it's all inline with the surrounding thing you're
      dumping (often, a node in the DFG), then you get a ridiculously
      long print-out. All classes that dump structures (including
      Structure itself) now have dumpInContext() methods that use
      inContext() for dumping anything that might transitively print a
      structure. If Structure::dumpInContext() is called with a NULL
      context, it just uses dump() like before. Hence you don't have to
      know anything about DumpContext unless you want to.
      
      inContext(*structure, context) dumps something like %B4:Array,
      and the endnote will have something like:
      
          %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
      
      where B4 is the inferred name that StringHashDumpContext came up
      with.
      
      Also shortened a bunch of other dumps, removing information that
      isn't so important.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ArrayProfile.cpp:
      (JSC::dumpArrayModes):
      * bytecode/CodeBlockHash.cpp:
      (JSC):
      (JSC::CodeBlockHash::CodeBlockHash):
      (JSC::CodeBlockHash::dump):
      * bytecode/CodeOrigin.cpp:
      (JSC::CodeOrigin::dumpInContext):
      (JSC):
      (JSC::InlineCallFrame::dumpInContext):
      (JSC::InlineCallFrame::dump):
      * bytecode/CodeOrigin.h:
      (CodeOrigin):
      (InlineCallFrame):
      * bytecode/Operands.h:
      (JSC::OperandValueTraits::isEmptyForDump):
      (Operands):
      (JSC::Operands::dump):
      (JSC):
      * bytecode/OperandsInlines.h: Added.
      (JSC):
      (JSC::::dumpInContext):
      * bytecode/StructureSet.h:
      (JSC::StructureSet::dumpInContext):
      (JSC::StructureSet::dump):
      (StructureSet):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::dump):
      (DFG):
      (JSC::DFG::AbstractValue::dumpInContext):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::operator!):
      (AbstractValue):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::performBlockCFA):
      * dfg/DFGCommon.cpp:
      * dfg/DFGCommon.h:
      (JSC::DFG::NodePointerTraits::isEmptyForDump):
      * dfg/DFGDisassembler.cpp:
      (JSC::DFG::Disassembler::createDumpList):
      * dfg/DFGDisassembler.h:
      (Disassembler):
      * dfg/DFGFlushFormat.h:
      (WTF::inContext):
      (WTF):
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dumpCodeOrigin):
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::dumpBlockHeader):
      * dfg/DFGGraph.h:
      (Graph):
      * dfg/DFGLazyJSValue.cpp:
      (JSC::DFG::LazyJSValue::dumpInContext):
      (JSC::DFG::LazyJSValue::dump):
      (DFG):
      * dfg/DFGLazyJSValue.h:
      (LazyJSValue):
      * dfg/DFGNode.h:
      (JSC::DFG::nodeMapDump):
      (WTF::inContext):
      (WTF):
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGStructureAbstractValue.h:
      (JSC::DFG::StructureAbstractValue::dumpInContext):
      (JSC::DFG::StructureAbstractValue::dump):
      (StructureAbstractValue):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      (JSC::FTL::ExitValue::dump):
      (FTL):
      * ftl/FTLExitValue.h:
      (ExitValue):
      * ftl/FTLLowerDFGToLLVM.cpp:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dumpInContext):
      (FTL):
      * ftl/FTLValueSource.h:
      (ValueSource):
      * runtime/DumpContext.cpp: Added.
      (JSC):
      (JSC::DumpContext::DumpContext):
      (JSC::DumpContext::~DumpContext):
      (JSC::DumpContext::isEmpty):
      (JSC::DumpContext::dump):
      * runtime/DumpContext.h: Added.
      (JSC):
      (DumpContext):
      * runtime/JSCJSValue.cpp:
      (JSC::JSValue::dump):
      (JSC):
      (JSC::JSValue::dumpInContext):
      * runtime/JSCJSValue.h:
      (JSC):
      (JSValue):
      * runtime/Structure.cpp:
      (JSC::Structure::dumpInContext):
      (JSC):
      (JSC::Structure::dumpBrief):
      (JSC::Structure::dumpContextHeader):
      * runtime/Structure.h:
      (JSC):
      (Structure):
      
      Source/WTF:
      
      Reviewed by Mark Hahnenberg.
      
      Added support for dumping values within a context. By default, if you say
      print(inContext(value, context)) it calls value.dumpInContext(out, context)
      instead of value.dump(out).
      
      Hoisted the support for six-character hashes out of JSC::CodeBlockHash into
      WTF, in the form of SixCharacterHash.h.
      
      Added a helper for creating dump contexts where the inContext() dump will
      just use a short string hash to "name" the object being dumped, and then
      will print out the full dumps in an endnote to your dump.
      
      Added support for using CString as a hashtable key.
      
      * WTF.xcodeproj/project.pbxproj:
      * wtf/PrintStream.h:
      (WTF):
      (ValueInContext):
      (WTF::ValueInContext::ValueInContext):
      (WTF::ValueInContext::dump):
      (WTF::inContext):
      * wtf/SixCharacterHash.cpp: Added.
      (WTF):
      (WTF::sixCharacterHashStringToInteger):
      (WTF::integerToSixCharacterHashString):
      * wtf/SixCharacterHash.h: Added.
      (WTF):
      * wtf/StringHashDumpContext.h: Added.
      (WTF):
      (StringHashDumpContext):
      (WTF::StringHashDumpContext::StringHashDumpContext):
      (WTF::StringHashDumpContext::getID):
      (WTF::StringHashDumpContext::dumpBrief):
      (WTF::StringHashDumpContext::brief):
      (WTF::StringHashDumpContext::isEmpty):
      (WTF::StringHashDumpContext::dump):
      * wtf/text/CString.cpp:
      (WTF::CString::hash):
      (WTF):
      (WTF::operator<):
      (WTF::CStringHash::equal):
      * wtf/text/CString.h:
      (WTF::CString::CString):
      (CString):
      (WTF::CString::isHashTableDeletedValue):
      (WTF):
      (WTF::CStringHash::hash):
      (CStringHash):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153296 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      237b1464
    • oliver@apple.com's avatar
      fourthTier: DFG shouldn't create CheckStructures for array accesses except if... · 58cdc336
      oliver@apple.com authored
      fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
      https://bugs.webkit.org/show_bug.cgi?id=118867
      
      Reviewed by Mark Hahnenberg.
      
      This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
      ArrayProfile.
      
      It also makes it easier to ask any array-using node how to create its type check.
      
      Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
      an array profile, thinking that it was storing into a value profile. Reshuffling the
      fields in ArrayProfile revealed this.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
      * bytecode/ArrayProfile.h:
      (JSC::ArrayProfile::ArrayProfile):
      (ArrayProfile):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::updateAllArrayPredictions):
      (JSC::CodeBlock::updateAllPredictions):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::updateAllArrayPredictions):
      * dfg/DFGArrayMode.h:
      (ArrayMode):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (FixupPhase):
      (JSC::DFG::FixupPhase::checkArray):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      * llint/LowLevelInterpreter64.asm:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153281 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      58cdc336
    • oliver@apple.com's avatar
      fourthTier: Have fewer Arrayify's · 4cd40f2e
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118335
      
      Reviewed by Mark Hahnenberg.
      
      A lot of Arrayify's arise because some program saw Int32 arrays early on in
      execution, but then they all got converted to Double arrays and the program
      will never see Int32 arrays ever again. Prior to this change you would always
      have an Arrayify in this case. But with this change, the first time that an
      ArrayProfile is about to go polymorphic in computeUpdatedPrediction(), it
      instead forcibly monomorphises itself to the latest-seen structure.
      Thereafter it will never again perform this monomorphisation. This is
      controlled by ArrayProfile::m_didPerformFirstRunPruning. This is a 5%
      speed-up on Kraken/imaging-gaussian-blur with the FTL enabled, and it
      unblocks a bunch of stuff we want to do in the future because it makes a
      bunch of loops effect-free.
      
      We will still want to implement Arrayify hoisting in the future, but this is
      great anyway because it's better to not have Arrayifications than it is to
      have hoisted Arrayifications.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      (JSC::ArrayProfile::briefDescription):
      (JSC):
      (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
      * bytecode/ArrayProfile.h:
      (JSC::ArrayProfile::ArrayProfile):
      (ArrayProfile):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153264 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4cd40f2e
    • oliver@apple.com's avatar
      fourthTier: should use ConcurrentJITLock[er] directly and not through typedef · d205666b
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=116561
      
      Rubber stamped by Geoffrey Garen.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      (JSC::ArrayProfile::briefDescription):
      * bytecode/ArrayProfile.h:
      (ArrayProfile):
      (JSC::ArrayProfile::expectedStructure):
      (JSC::ArrayProfile::structureIsPolymorphic):
      (JSC::ArrayProfile::hasDefiniteStructure):
      (JSC::ArrayProfile::observedArrayModes):
      (JSC::ArrayProfile::mayInterceptIndexedAccesses):
      (JSC::ArrayProfile::mayStoreToHole):
      (JSC::ArrayProfile::outOfBounds):
      (JSC::ArrayProfile::usesOriginalArrayStructures):
      * bytecode/CallLinkStatus.cpp:
      (JSC::CallLinkStatus::computeFor):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpValueProfiling):
      (JSC::CodeBlock::dumpArrayProfiling):
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      (JSC::CodeBlock::updateAllArrayPredictions):
      (JSC::CodeBlock::nameForRegister):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
      (CodeBlock):
      * bytecode/CodeBlockLock.h: Removed.
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFor):
      * bytecode/LazyOperandValueProfile.cpp:
      (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
      (JSC::CompressedLazyOperandValueProfileHolder::add):
      (JSC::LazyOperandValueProfileParser::initialize):
      (JSC::LazyOperandValueProfileParser::prediction):
      * bytecode/LazyOperandValueProfile.h:
      (CompressedLazyOperandValueProfileHolder):
      (LazyOperandValueProfileParser):
      * bytecode/MethodOfGettingAValueProfile.cpp:
      (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFor):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ValueProfile.h:
      (JSC::ValueProfileBase::briefDescription):
      (JSC::ValueProfileBase::computeUpdatedPrediction):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::addVar):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::fromObserved):
      * dfg/DFGArrayMode.h:
      (ArrayMode):
      (JSC::DFG::ArrayMode::withProfile):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
      (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGPredictionInjectionPhase.cpp:
      (JSC::DFG::PredictionInjectionPhase::run):
      * jit/JITInlines.h:
      (JSC::JIT::chooseArrayMode):
      * jit/JITStubs.cpp:
      (JSC::tryCachePutByID):
      (JSC::tryCacheGetByID):
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC::lazyLinkFor):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      (JSC::LLInt::setUpCall):
      * profiler/ProfilerBytecodeSequence.cpp:
      (JSC::Profiler::BytecodeSequence::BytecodeSequence):
      * runtime/Executable.cpp:
      (JSC::ProgramExecutable::addGlobalVar):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::getOwnNonIndexPropertyNames):
      (JSC::JSActivation::symbolTablePutWithAttributes):
      * runtime/JSScope.cpp:
      (JSC::JSScope::resolveContainingScopeInternal):
      (JSC::JSScope::resolvePut):
      * runtime/JSSegmentedVariableObject.cpp:
      (JSC::JSSegmentedVariableObject::findRegisterIndex):
      (JSC::JSSegmentedVariableObject::addRegisters):
      * runtime/JSSegmentedVariableObject.h:
      (JSSegmentedVariableObject):
      * runtime/JSSymbolTableObject.cpp:
      (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
      * runtime/JSSymbolTableObject.h:
      (JSC::symbolTableGet):
      (JSC::symbolTablePut):
      (JSC::symbolTablePutWithAttributes):
      * runtime/Structure.cpp:
      (JSC::Structure::materializePropertyMap):
      (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
      (JSC::Structure::addPropertyTransition):
      (JSC::Structure::takePropertyTableOrCloneIfPinned):
      (JSC::Structure::nonPropertyTransition):
      (JSC::Structure::putSpecificValue):
      (JSC::Structure::remove):
      (JSC::Structure::createPropertyMap):
      * runtime/Structure.h:
      (Structure):
      * runtime/SymbolTable.h:
      (SymbolTable):
      (JSC::SymbolTable::find):
      (JSC::SymbolTable::get):
      (JSC::SymbolTable::inlineGet):
      (JSC::SymbolTable::begin):
      (JSC::SymbolTable::end):
      (JSC::SymbolTable::size):
      (JSC::SymbolTable::add):
      (JSC::SymbolTable::set):
      (JSC::SymbolTable::contains):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153170 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d205666b
    • oliver@apple.com's avatar
      fourthTier: value profiles and array profiles should be thread-safe enough to... · c14eb7d0
      oliver@apple.com authored
      fourthTier: value profiles and array profiles should be thread-safe enough to be accessible in a concurrent compilation thread
      https://bugs.webkit.org/show_bug.cgi?id=114906
      
      Source/JavaScriptCore:
      
      Reviewed by Oliver Hunt.
      
      This introduces thread safety to value profiles, array profiles, and
      array allocation profiles.
      
      We already have three separate operations that happen on profiles:
      (1) writing, which the JIT, LLInt, and OSR exit do; (2) updating,
      which happens during GC, from OSR entry slow-paths, and in the DFG;
      and (3) reading, which happens in the DFG. For example, the JIT/LLInt
      and OSR exit write to ValueProfile::m_buckets, which gets synthesized
      into ValueProfile::m_prediction (and other fields) during update, and
      the latter gets read by the DFG. Note that (2) must also happen in
      the DFG since only the DFG knows which code blocks it will inline,
      and those blocks' profiles may not have otherwise been updated via
      any other mechanism.
      
      I refer to these three operations as writing, updating, and reading.
      
      Consequently, both profile updating and profile reading may happen
      asynchronously, if the JIT is asynchronous.
      
      The locking protocol for profiles works as follows:
      
      - Writing does not require locking, but is only allowed on the main
        thread. We require that these fields can be stored atomically by
        the profiling code, even without locks. For value profiles, this
        only works on 64-bit platforms, currently. For array profiles,
        which consist of multiple separate fields, this means that an
        asynchronous update of the profile may see slight inconsistencies
        (like a structure that doesn't quite match the array modes bits),
        but these should be harmless: at worst, the DFG will specialize
        too much and we'll have OSR exits.
      
      - Updating a value profile requires holding a lock, but must assume
        that the fields written by the profiling code in JIT/LLInt may
        be written to without locking.
      
      - Reading a value profile requires holding a lock.
      
      The one major exception to these rules is the ArrayAllocationProfile,
      which requires no locking. We do this because it's used so often and
      in places where we don't necessarily have access to the owning
      CodeBlock, so if we did want it to be locked it would have to have
      its own lock. Also, I believe that it is sound to just make this
      profile racy and not worry about locking at all. All that was needed
      were some changes to ensure that we explicitly read some raced-over
      fields only once.
      
      Two additional interesting things in this change:
      
      - To make it easy to see which profile methods require locking, they
        take a const CodeBlockLocker& as an argument. I saw this idiom for
        identifying which methods require which locks to be held being used
        in LLVM, and I quite like it.
      
      - Lazy operand value profiles, which are created lazily and at any
        time, require the CodeBlockLock to be held when they are being
        created. Writes to them are lockless and main-thread-only, but as
        with other profiles, updates and reads require locking.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ArrayAllocationProfile.cpp:
      (JSC::ArrayAllocationProfile::updateIndexingType):
      * bytecode/ArrayAllocationProfile.h:
      (JSC::ArrayAllocationProfile::selectIndexingType):
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      (JSC::ArrayProfile::briefDescription):
      * bytecode/ArrayProfile.h:
      (ArrayProfile):
      (JSC::ArrayProfile::expectedStructure):
      (JSC::ArrayProfile::structureIsPolymorphic):
      (JSC::ArrayProfile::hasDefiniteStructure):
      (JSC::ArrayProfile::observedArrayModes):
      (JSC::ArrayProfile::mayInterceptIndexedAccesses):
      (JSC::ArrayProfile::mayStoreToHole):
      (JSC::ArrayProfile::outOfBounds):
      (JSC::ArrayProfile::usesOriginalArrayStructures):
      * bytecode/CallLinkStatus.cpp:
      (JSC::CallLinkStatus::computeFor):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpValueProfiling):
      (JSC::CodeBlock::dumpArrayProfiling):
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      (JSC::CodeBlock::updateAllArrayPredictions):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
      (JSC::CodeBlock::updateAllPredictionsAndCheckIfShouldOptimizeNow):
      (CodeBlock):
      * bytecode/CodeBlockLock.h: Added.
      (JSC):
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFor):
      * bytecode/LazyOperandValueProfile.cpp:
      (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
      (JSC::CompressedLazyOperandValueProfileHolder::add):
      (JSC::LazyOperandValueProfileParser::LazyOperandValueProfileParser):
      (JSC::LazyOperandValueProfileParser::~LazyOperandValueProfileParser):
      (JSC):
      (JSC::LazyOperandValueProfileParser::initialize):
      (JSC::LazyOperandValueProfileParser::prediction):
      * bytecode/LazyOperandValueProfile.h:
      (CompressedLazyOperandValueProfileHolder):
      (LazyOperandValueProfileParser):
      * bytecode/MethodOfGettingAValueProfile.cpp:
      (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFor):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ValueProfile.h:
      (JSC::ValueProfileBase::briefDescription):
      (ValueProfileBase):
      (JSC::ValueProfileBase::computeUpdatedPrediction):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::fromObserved):
      * dfg/DFGArrayMode.h:
      (ArrayMode):
      (JSC::DFG::ArrayMode::withProfile):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
      (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGOSRExitPreparation.cpp:
      (JSC::DFG::prepareCodeOriginForOSRExit):
      * dfg/DFGPredictionInjectionPhase.cpp:
      (JSC::DFG::PredictionInjectionPhase::run):
      * jit/JITInlines.h:
      (JSC::JIT::chooseArrayMode):
      * jit/JITStubs.cpp:
      (JSC::tryCachePutByID):
      (JSC::tryCacheGetByID):
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC::lazyLinkFor):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      (JSC::LLInt::setUpCall):
      * profiler/ProfilerBytecodeSequence.cpp:
      (JSC::Profiler::BytecodeSequence::BytecodeSequence):
      * runtime/JSScope.cpp:
      (JSC::JSScope::resolveContainingScopeInternal):
      (JSC::JSScope::resolvePut):
      
      Source/WTF:
      
      Reviewed by Oliver Hunt.
      
      Add ability to abstract whether or not the CodeBlock requires locking at all,
      since some platforms may not support the byte spin-locking and/or may not want
      to, if they turn off concurrent JIT.
      
      * WTF.xcodeproj/project.pbxproj:
      * wtf/ByteSpinLock.h:
      * wtf/NoLock.h: Added.
      (WTF):
      (NoLock):
      (WTF::NoLock::lock):
      (WTF::NoLock::unlock):
      (WTF::NoLock::isHeld):
      * wtf/Platform.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153123 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c14eb7d0
  3. 27 Mar, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG should use CheckStructure for typed array checks whenever possible · 42949ede
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=113374
      
      Reviewed by Geoffrey Garen.
              
      We used to do the right thing, but it appears that this regressed at some point. Since the
      FixupPhase now has the ability to outright remove spurious CheckStructures on array
      operations, it is profitable for the ByteCodeParser to insert CheckStructures whenver there
      is a chance that it might be profitable, and when the profiling tells us what structure to
      check.
              
      Also added some code for doing ArrayProfile debugging.
              
      This is a slightly speed-up. Maybe 3% on Mandreel.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::ArrayMode::benefitsFromStructureCheck):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146996 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      42949ede
  4. 17 Dec, 2012 1 commit
    • fpizlo@apple.com's avatar
      Rationalize array profiling for out-of-bounds and hole cases · 304fbcaa
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=105139
      
      Reviewed by Geoffrey Garen.
      
      This makes ArrayProfile track whether or not we had out-of-bounds, which allows
      for more precise decision-making in the DFG.
              
      Also cleaned up ExitKinds for out-of-bounds and hole cases to make it easier to
      look at them in the profiler.
              
      Slight speed-up (5-8%) on SunSpider/crypto-md5.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      (JSC::ArrayProfile::briefDescription):
      * bytecode/ArrayProfile.h:
      (JSC::ArrayProfile::ArrayProfile):
      (JSC::ArrayProfile::addressOfOutOfBounds):
      (JSC::ArrayProfile::expectedStructure):
      (JSC::ArrayProfile::structureIsPolymorphic):
      (JSC::ArrayProfile::outOfBounds):
      (JSC::ArrayProfile::polymorphicStructure):
      * bytecode/CodeBlock.cpp:
      (JSC::dumpChain):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      (JSC::exitKindIsCountable):
      * bytecode/ExitKind.h:
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JIT.h:
      * jit/JITInlines.h:
      (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitSlow_op_get_by_val):
      (JSC::JIT::emitSlow_op_put_by_val):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emitSlow_op_get_by_val):
      (JSC::JIT::emitSlow_op_put_by_val):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137937 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      304fbcaa
  5. 12 Dec, 2012 1 commit
    • fpizlo@apple.com's avatar
      Profiler should show bytecode dumps as they would have been visible to the... · 77ef0e33
      fpizlo@apple.com authored
      Profiler should show bytecode dumps as they would have been visible to the JITs, including the profiling data that the JITs would see
      https://bugs.webkit.org/show_bug.cgi?id=104647
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      Adds more profiling data to bytecode dumps, and adds the ability to do a secondary
      bytecode dump for each JIT compilation of a code block. This is relevant because both
      the bytecodes, and the profiling data, may change after some number of executions.
              
      Also fixes some random dumping code to use PrintStream& rather than
      static const char[thingy].
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ArrayProfile.cpp:
      (JSC::dumpArrayModes):
      (JSC::ArrayProfile::briefDescription):
      * bytecode/ArrayProfile.h:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printGetByIdOp):
      (JSC::CodeBlock::printGetByIdCacheStatus):
      (JSC::CodeBlock::printCallOp):
      (JSC::CodeBlock::dumpValueProfiling):
      (JSC::CodeBlock::dumpArrayProfiling):
      (JSC::CodeBlock::dumpBytecode):
      * bytecode/CodeBlock.h:
      * bytecode/ValueProfile.h:
      (JSC::ValueProfileBase::briefDescription):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::dump):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompile):
      * profiler/ProfilerBytecodeSequence.cpp: Added.
      (JSC::Profiler::BytecodeSequence::BytecodeSequence):
      (JSC::Profiler::BytecodeSequence::~BytecodeSequence):
      (JSC::Profiler::BytecodeSequence::indexForBytecodeIndex):
      (JSC::Profiler::BytecodeSequence::forBytecodeIndex):
      (JSC::Profiler::BytecodeSequence::addSequenceProperties):
      * profiler/ProfilerBytecodeSequence.h: Added.
      (JSC::Profiler::BytecodeSequence::size):
      (JSC::Profiler::BytecodeSequence::at):
      * profiler/ProfilerBytecodes.cpp:
      (JSC::Profiler::Bytecodes::Bytecodes):
      (JSC::Profiler::Bytecodes::toJS):
      * profiler/ProfilerBytecodes.h:
      (JSC::Profiler::Bytecodes::instructionCount):
      * profiler/ProfilerCompilation.cpp:
      (JSC::Profiler::Compilation::addProfiledBytecodes):
      (JSC::Profiler::Compilation::toJS):
      * profiler/ProfilerCompilation.h:
      (JSC::Profiler::Compilation::profiledBytecodesSize):
      (JSC::Profiler::Compilation::profiledBytecodesAt):
      * profiler/ProfilerDatabase.cpp:
      (JSC::Profiler::Database::ensureBytecodesFor):
      * profiler/ProfilerDatabase.h:
      * profiler/ProfilerProfiledBytecodes.cpp: Added.
      (JSC::Profiler::ProfiledBytecodes::ProfiledBytecodes):
      (JSC::Profiler::ProfiledBytecodes::~ProfiledBytecodes):
      (JSC::Profiler::ProfiledBytecodes::toJS):
      * profiler/ProfilerProfiledBytecodes.h: Added.
      (JSC::Profiler::ProfiledBytecodes::bytecodes):
      * runtime/CommonIdentifiers.h:
      
      Tools: 
      
      Added a "profiling" (or "p") command to show the profiling data that the JITs saw
      for each JIT compilation of a code block.
              
      Also added instruction counts in the "full" display and made the "full" display the
      default thing you see.
      
      * Scripts/display-profiler-output:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137379 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      77ef0e33
  6. 08 Nov, 2012 1 commit
    • fpizlo@apple.com's avatar
      JSC should infer when indexed storage contains only integers or doubles · 75c91a79
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98606
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      This adds two new indexing types: int32 and double. It also adds array allocation profiling,
      which allows array allocations to converge to allocating arrays using those types to which
      those arrays would have been converted.
              
      20% speed-up on navier-stokes. 40% speed-up on various Kraken DSP tests. Some slow-downs too,
      but a performance win overall on all benchmarks we track.
      
      * API/JSObjectRef.cpp:
      (JSObjectMakeArray):
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * assembler/AbstractMacroAssembler.h:
      (JumpList):
      (JSC::AbstractMacroAssembler::JumpList::JumpList):
      * assembler/MacroAssemblerX86Common.h:
      (JSC::MacroAssemblerX86Common::branchDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::jnp):
      (X86Assembler):
      (JSC::X86Assembler::X86InstructionFormatter::emitRex):
      * bytecode/ArrayAllocationProfile.cpp: Added.
      (JSC):
      (JSC::ArrayAllocationProfile::updateIndexingType):
      * bytecode/ArrayAllocationProfile.h: Added.
      (JSC):
      (ArrayAllocationProfile):
      (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
      (JSC::ArrayAllocationProfile::selectIndexingType):
      (JSC::ArrayAllocationProfile::updateLastAllocation):
      (JSC::ArrayAllocationProfile::selectIndexingTypeFor):
      (JSC::ArrayAllocationProfile::updateLastAllocationFor):
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::updatedObservedArrayModes):
      (JSC):
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModesInclude):
      (JSC::shouldUseSlowPutArrayStorage):
      (JSC::shouldUseFastArrayStorage):
      (JSC::shouldUseContiguous):
      (JSC::shouldUseDouble):
      (JSC::shouldUseInt32):
      (ArrayProfile):
      * bytecode/ByValInfo.h:
      (JSC::isOptimizableIndexingType):
      (JSC::jitArrayModeForIndexingType):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      (JSC):
      (JSC::CodeBlock::updateAllValueProfilePredictions):
      (JSC::CodeBlock::updateAllArrayPredictions):
      (JSC::CodeBlock::updateAllPredictions):
      (JSC::CodeBlock::shouldOptimizeNow):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::numberOfArrayAllocationProfiles):
      (JSC::CodeBlock::addArrayAllocationProfile):
      (JSC::CodeBlock::updateAllValueProfilePredictions):
      (JSC::CodeBlock::updateAllArrayPredictions):
      * bytecode/DFGExitProfile.h:
      (JSC::DFG::exitKindToString):
      * bytecode/Instruction.h:
      (JSC):
      (JSC::Instruction::Instruction):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/SpeculatedType.h:
      (JSC):
      (JSC::isRealNumberSpeculation):
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC):
      (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
      (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles):
      (UnlinkedCodeBlock):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::newArrayAllocationProfile):
      (JSC):
      (JSC::BytecodeGenerator::emitNewArray):
      (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::fromObserved):
      (JSC::DFG::ArrayMode::refine):
      (DFG):
      (JSC::DFG::ArrayMode::alreadyChecked):
      (JSC::DFG::arrayTypeToString):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::ArrayMode::withType):
      (ArrayMode):
      (JSC::DFG::ArrayMode::withTypeAndConversion):
      (JSC::DFG::ArrayMode::usesButterfly):
      (JSC::DFG::ArrayMode::isSpecific):
      (JSC::DFG::ArrayMode::supportsLength):
      (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCCallHelpers.h:
      (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
      (CCallHelpers):
      * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
      (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
      (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (NewArrayBufferData):
      (JSC::DFG::Node::hasIndexingType):
      (Node):
      (JSC::DFG::Node::indexingType):
      (JSC::DFG::Node::setIndexingType):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
      (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
      (DFG):
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (SpeculateIntegerOperand):
      (JSC::DFG::SpeculateIntegerOperand::use):
      (SpeculateDoubleOperand):
      (JSC::DFG::SpeculateDoubleOperand::use):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JIT.h:
      (JSC::JIT::emitInt32GetByVal):
      (JIT):
      (JSC::JIT::emitInt32PutByVal):
      (JSC::JIT::emitDoublePutByVal):
      (JSC::JIT::emitContiguousPutByVal):
      * jit/JITExceptions.cpp:
      (JSC::genericThrow):
      * jit/JITInlineMethods.h:
      (JSC::arrayProfileSaw):
      (JSC::JIT::chooseArrayMode):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emit_op_new_array_with_size):
      (JSC::JIT::emit_op_new_array_buffer):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitDoubleGetByVal):
      (JSC):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitGenericContiguousPutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      (JSC::JIT::privateCompileGetByVal):
      (JSC::JIT::privateCompilePutByVal):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitDoubleGetByVal):
      (JSC):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitGenericContiguousPutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jit/JITStubs.h:
      (JSC):
      * jsc.cpp:
      (GlobalObject::finishCreation):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::jitCompileAndSetHeuristics):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * offlineasm/x86.rb:
      * runtime/ArrayConstructor.cpp:
      (JSC::constructArrayWithSizeQuirk):
      * runtime/ArrayConstructor.h:
      (JSC):
      * runtime/ArrayPrototype.cpp:
      (JSC::arrayProtoFuncConcat):
      (JSC::arrayProtoFuncSlice):
      (JSC::arrayProtoFuncSplice):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      * runtime/Butterfly.h:
      (JSC::Butterfly::contiguousInt32):
      (JSC::Butterfly::contiguousDouble):
      (JSC::Butterfly::fromContiguous):
      * runtime/ButterflyInlineMethods.h:
      (JSC::Butterfly::createUninitializedDuringCollection):
      * runtime/FunctionPrototype.cpp:
      (JSC::functionProtoFuncBind):
      * runtime/IndexingHeaderInlineMethods.h:
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypes):
      (JSC):
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      (JSC::leastUpperBoundOfIndexingTypeAndValue):
      (JSC::indexingTypeToString):
      * runtime/IndexingType.h:
      (JSC):
      (JSC::hasUndecided):
      (JSC::hasInt32):
      (JSC::hasDouble):
      * runtime/JSArray.cpp:
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCountWithAnyIndexingType):
      (JSC::JSArray::unshiftCountWithAnyIndexingType):
      (JSC::compareNumbersForQSortWithInt32):
      (JSC):
      (JSC::compareNumbersForQSortWithDouble):
      (JSC::JSArray::sortNumericVector):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sortCompactedVector):
      (JSC::JSArray::sort):
      (JSC::JSArray::sortVector):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSArray):
      (JSC::createContiguousArrayButterfly):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC):
      (JSC::JSGlobalObject::haveABadTime):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::originalArrayStructureForIndexingType):
      (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
      (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
      (JSC::JSGlobalObject::isOriginalArrayStructure):
      (JSC::constructEmptyArray):
      (JSC::constructArray):
      * runtime/JSObject.cpp:
      (JSC::JSObject::copyButterfly):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createInitialIndexedStorage):
      (JSC):
      (JSC::JSObject::createInitialUndecided):
      (JSC::JSObject::createInitialInt32):
      (JSC::JSObject::createInitialDouble):
      (JSC::JSObject::createInitialContiguous):
      (JSC::JSObject::convertUndecidedToInt32):
      (JSC::JSObject::convertUndecidedToDouble):
      (JSC::JSObject::convertUndecidedToContiguous):
      (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
      (JSC::JSObject::convertUndecidedToArrayStorage):
      (JSC::JSObject::convertInt32ToDouble):
      (JSC::JSObject::convertInt32ToContiguous):
      (JSC::JSObject::convertInt32ToArrayStorage):
      (JSC::JSObject::convertDoubleToContiguous):
      (JSC::JSObject::convertDoubleToArrayStorage):
      (JSC::JSObject::convertContiguousToArrayStorage):
      (JSC::JSObject::convertUndecidedForValue):
      (JSC::JSObject::convertInt32ForValue):
      (JSC::JSObject::setIndexQuicklyToUndecided):
      (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
      (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
      (JSC::JSObject::ensureInt32Slow):
      (JSC::JSObject::ensureDoubleSlow):
      (JSC::JSObject::ensureContiguousSlow):
      (JSC::JSObject::ensureArrayStorageSlow):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::switchToSlowPutArrayStorage):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::countElements):
      (JSC::JSObject::ensureLengthSlow):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::tryGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::canSetIndexQuicklyForPutDirect):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::hasSparseMap):
      (JSC::JSObject::inSparseIndexingMode):
      (JSObject):
      (JSC::JSObject::ensureInt32):
      (JSC::JSObject::ensureDouble):
      (JSC::JSObject::ensureLength):
      (JSC::JSObject::indexingData):
      (JSC::JSObject::currentIndexingData):
      (JSC::JSObject::getHolyIndexQuickly):
      (JSC::JSObject::relevantLength):
      (JSC::JSObject::currentRelevantLength):
      * runtime/JSValue.cpp:
      (JSC::JSValue::description):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      (JSC::objectConstructorGetOwnPropertyNames):
      (JSC::objectConstructorKeys):
      * runtime/StringPrototype.cpp:
      (JSC::stringProtoFuncMatch):
      (JSC::stringProtoFuncSplit):
      * runtime/Structure.cpp:
      (JSC::Structure::nonPropertyTransition):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      
      Source/WebCore: 
      
      Just refactoring WebCore to pass 0 for the ArrayAllocationProfile*.
      
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::webkitLineDash):
      * bindings/js/JSClipboardCustom.cpp:
      (WebCore::JSClipboard::types):
      * bindings/js/JSDOMBinding.cpp:
      (WebCore::jsArray):
      * bindings/js/JSDOMBinding.h:
      (WebCore::jsArray):
      * bindings/js/JSInjectedScriptHostCustom.cpp:
      (WebCore::getJSListenerFunctions):
      * bindings/js/JSJavaScriptCallFrameCustom.cpp:
      (WebCore::JSJavaScriptCallFrame::scopeChain):
      * bindings/js/JSMessageEventCustom.cpp:
      (WebCore::JSMessageEvent::ports):
      * bindings/js/JSMutationCallbackCustom.cpp:
      (WebCore::JSMutationCallback::handleEvent):
      * bindings/js/JSWebGLRenderingContextCustom.cpp:
      (WebCore::toJS):
      (WebCore::JSWebGLRenderingContext::getAttachedShaders):
      (WebCore::JSWebGLRenderingContext::getSupportedExtensions):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneDeserializer::deserialize):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133953 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      75c91a79
  7. 29 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should be able to emit effectful structure checks · 99f3762d
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99260
      
      Reviewed by Oliver Hunt.
      
      This change allows us to find out if an array access that has gone polymorphic
      is operating over known structures - i.e. the primordial array structures of the
      global object that the code block containing the array access belongs to. We
      term this state "OriginalArray" for short. The fact that the access has gone
      polymorphic means that the array profile will not be able to report the set of
      structures it had seen - but if it can tell us that all of the structures were
      primordial then it just so happens that we can deduce what the structure set
      would have been by just querying the code block's global object. This allows us
      to emit an ArrayifyToStructure instead of an Arrayify if we find that we need to
      do conversions. The fast path of an ArrayifyToStructure is exactly like the fast
      path of a CheckStructure and is mostly subject to the same optimizations. It
      also burns one fewer registers.
              
      Essentially the notion of OriginalArray is a super cheap way of getting the
      array profile to tell us a structure set instead of a singleton structure.
      Currently, the array profile can only tell us the structure seen at an array
      access if there was exactly one structure. If there were multiple structures, it
      won't tell us anything other than the array modes and other auxiliary profiling
      data (whether there were stores to holes, for example). With OriginalArray, we
      cheaply get a structure set if all of the structures were primordial for the
      code block's global object, since in that case the array mode set (ArrayModes)
      can directly tell us the structure set. In the future, we might consider adding
      complete structure sets to the array profiles, but I suspect that we would hit
      diminishing returns if we did so - it would only help if we have array accesses
      that are both polymorphic and are cross-global-object accesses (rare) or if the
      arrays had named properties or other structure transitions that are unrelated to
      indexing type (also rare).
              
      This also does away with Arrayify (and the new ArrayifyToStructure) returning
      the butterfly pointer. This turns out to be faster and easier to CSE.
              
      And, this also changes constant folding to be able to eliminate CheckStructure,
      ForwardCheckStructure, and ArrayifyToStructure in addition to being able to
      transform them into structure transition watchpoints. This is great for
      ArrayifyToStructure because then CSE and CFA know that there is no side effect.
      Converting CheckStructure and ForwardCheckStructure to also behave this way is
      just a matter of elegance.
              
      This has no performance impact right now. It's intended to alleviate some of the
      regressions seen in the early implementation of
      https://bugs.webkit.org/show_bug.cgi?id=98606.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::ArrayProfile::ArrayProfile):
      (ArrayProfile):
      (JSC::ArrayProfile::usesOriginalArrayStructures):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::fromObserved):
      (JSC::DFG::ArrayMode::alreadyChecked):
      (JSC::DFG::arrayClassToString):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::ArrayMode::withProfile):
      (JSC::DFG::ArrayMode::isJSArray):
      (ArrayMode):
      (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure):
      (JSC::DFG::ArrayMode::supportsLength):
      (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::checkStructureElimination):
      (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::checkArrayElimination):
      (JSC::DFG::CSEPhase::getScopeRegistersLoadElimination):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasStructure):
      (JSC::DFG::Node::hasArrayMode):
      (JSC::DFG::Node::arrayMode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
      (JSC::DFG::SpeculativeJIT::arrayify):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/JSGlobalObject.h:
      (JSC::JSGlobalObject::isOriginalArrayStructure):
      * runtime/Structure.cpp:
      (JSC::Structure::nonPropertyTransition):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@132759 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      99f3762d
  8. 26 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG Arrayify elimination should replace it with GetButterfly rather than Phantom · f08803ef
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=100441
      
      Reviewed by Oliver Hunt and Gavin Barraclough.
      
      Source/JavaScriptCore: 
      
      Made array profiler's to-string helper behave correctly.
              
      Made Arrayify elimination do the right thing (convert to GetButterfly).
              
      Made CFA's interference analysis track clobbered array modes correctly, mostly by
      simplifying the machinery.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::arrayModesToString):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::clobberArrayModes):
      (AbstractValue):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      
      LayoutTests: 
      
      * fast/js/dfg-arrayify-elimination-expected.txt: Added.
      * fast/js/dfg-arrayify-elimination.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-arrayify-elimination.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@132554 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f08803ef
  9. 20 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should have some facility for recognizing redundant CheckArrays and Arrayifies · 372c6d51
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99287
      
      Reviewed by Mark Hahnenberg.
      
      Adds reasoning about indexing type sets (i.e. ArrayModes) to AbstractValue, which
      then enables us to fold away CheckArray's and Arrayify's that are redundant.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::arrayModesToString):
      (JSC):
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::mergeArrayModes):
      (JSC::arrayModesAlreadyChecked):
      * bytecode/StructureSet.h:
      (JSC::StructureSet::arrayModesFromStructures):
      (StructureSet):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::AbstractValue):
      (JSC::DFG::AbstractValue::clear):
      (JSC::DFG::AbstractValue::isClear):
      (JSC::DFG::AbstractValue::makeTop):
      (JSC::DFG::AbstractValue::clobberStructures):
      (AbstractValue):
      (JSC::DFG::AbstractValue::setMostSpecific):
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::operator==):
      (JSC::DFG::AbstractValue::merge):
      (JSC::DFG::AbstractValue::filter):
      (JSC::DFG::AbstractValue::filterArrayModes):
      (JSC::DFG::AbstractValue::validate):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::dump):
      (JSC::DFG::AbstractValue::clobberArrayModes):
      (JSC::DFG::AbstractValue::clobberArrayModesSlow):
      (JSC::DFG::AbstractValue::setFuturePossibleStructure):
      (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::modeAlreadyChecked):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::arrayModesFor):
      (DFG):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::arrayify):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131982 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      372c6d51
  10. 19 Sep, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should not call out to C++ every time that it tries to put to an object... · 497c7515
      fpizlo@apple.com authored
      DFG should not call out to C++ every time that it tries to put to an object that doesn't yet have array storage
      https://bugs.webkit.org/show_bug.cgi?id=96983
      
      Reviewed by Oliver Hunt.
      
      Introduce more polymorphism into the DFG's array mode support. Use that to
      introduce the notion of effectul array modes, where the check for the mode
      will perform actions necessary to ensure that we have the mode we want, if
      the object is not already in that mode. Also added profiling support for
      checking if an object is of a type that would not allow us to create array
      storage (like a typed array or a string for example).
              
      This is a ~2x speed-up on loops that transform an object that did not have
      indexed storage into one that does.
      
      * JSCTypedArrayStubs.h:
      (JSC):
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * bytecode/ArrayProfile.h:
      (JSC::ArrayProfile::ArrayProfile):
      (JSC::ArrayProfile::mayInterceptIndexedAccesses):
      (ArrayProfile):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (DFG):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::isSlowPutAccess):
      (JSC::DFG::benefitsFromStructureCheck):
      (JSC::DFG::isEffectful):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasArrayMode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/Arguments.h:
      (Arguments):
      * runtime/JSNotAnObject.h:
      (JSNotAnObject):
      * runtime/JSObject.h:
      (JSObject):
      (JSC::JSObject::ensureArrayStorage):
      * runtime/JSString.h:
      (JSC::JSString::createStructure):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128957 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      497c7515
  11. 17 Sep, 2012 1 commit
    • fpizlo@apple.com's avatar
      Array profiling has convergence issues · c7be5be0
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96891
      
      Reviewed by Gavin Barraclough.
      
      Source/JavaScriptCore: 
      
      Now each array profiling site merges in the indexing type it observed into
      the m_observedArrayModes bitset. The ArrayProfile also uses this to detect
      cases where the structure must have gone polymorphic (if the bitset is
      polymorphic then the structure must be). This achieves something like the
      best of both worlds: on the one hand, we get a probabilistic structure that
      we can use to optimize the monomorphic structure case, but on the other hand,
      we get an accurate view of the set of types that were encountered.
      
      * assembler/MacroAssemblerARMv7.h:
      (JSC::MacroAssemblerARMv7::or32):
      (MacroAssemblerARMv7):
      * assembler/MacroAssemblerX86.h:
      (JSC::MacroAssemblerX86::or32):
      (MacroAssemblerX86):
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::or32):
      (MacroAssemblerX86_64):
      * assembler/X86Assembler.h:
      (X86Assembler):
      (JSC::X86Assembler::orl_rm):
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * bytecode/ArrayProfile.h:
      (JSC::ArrayProfile::addressOfArrayModes):
      (JSC::ArrayProfile::structureIsPolymorphic):
      * jit/JIT.h:
      (JIT):
      * jit/JITInlineMethods.h:
      (JSC):
      (JSC::JIT::emitArrayProfilingSite):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      Source/WTF: 
      
      Added functions for testing if something is a power of 2.
      
      * wtf/MathExtras.h:
      (hasZeroOrOneBitsSet):
      (hasTwoOrMoreBitsSet):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128790 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c7be5be0
  12. 15 Aug, 2012 1 commit
    • fpizlo@apple.com's avatar
      Array checks should use the structure, not the class info · f24804c6
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=93150
      
      Reviewed by Mark Hahnenberg.
      
      This changes all array checks used in array accesses (get, put, get length,
      push, pop) to use the structure, not the class info. Additionally, these
      checks in the LLInt and baseline JIT record the structure in an ArrayProfile,
      so that the DFG can know exactly what structure to check for.
              
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ArrayProfile.cpp: Added.
      (JSC):
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * bytecode/ArrayProfile.h: Added.
      (JSC):
      (JSC::arrayModeFromStructure):
      (ArrayProfile):
      (JSC::ArrayProfile::ArrayProfile):
      (JSC::ArrayProfile::bytecodeOffset):
      (JSC::ArrayProfile::addressOfLastSeenStructure):
      (JSC::ArrayProfile::observeStructure):
      (JSC::ArrayProfile::expectedStructure):
      (JSC::ArrayProfile::structureIsPolymorphic):
      (JSC::ArrayProfile::hasDefiniteStructure):
      (JSC::ArrayProfile::observedArrayModes):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::getArrayProfile):
      (JSC):
      (JSC::CodeBlock::getOrAddArrayProfile):
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::executionEntryCount):
      (JSC::CodeBlock::numberOfArrayProfiles):
      (JSC::CodeBlock::arrayProfiles):
      (JSC::CodeBlock::addArrayProfile):
      (CodeBlock):
      * bytecode/Instruction.h:
      (JSC):
      (JSC::Instruction::Instruction):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitGetArgumentByVal):
      (JSC::BytecodeGenerator::emitGetByVal):
      (JSC::BytecodeGenerator::emitPutByVal):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::StructureAbstractValue::hasSingleton):
      (StructureAbstractValue):
      (JSC::DFG::StructureAbstractValue::singleton):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::speculateArray):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * llint/LLIntOffsetsExtractor.cpp:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::classInfoOffset):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@125637 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f24804c6