1. 18 Sep, 2013 3 commits
    • DFG should support Int52 for local variables · 6921b29b
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121064
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
      programs that have local int32 overflows but where a larger int representation can
      prevent us from having to convert all the way up to double.
              
      It's a small speed-up for now. But we're just supporting Int52 for a handful of
      operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
      the groundwork for adding Int52 to JSValue, which will probably be a bigger
      speed-up.
              
      The basic approach is:
              
      - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
        or HeapTop - i.e. it doesn't arise from JSValues.
              
      - DFG treats Int52 as being part of its FullTop and will treat it as being a
        subtype of double unless instructed otherwise.
              
      - Prediction propagator creates Int52s whenever we have a node going doubly but due
        to large values rather than fractional values, and that node is known to be able
        to produce Int52 natively in the DFG backend.
              
      - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
        to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
        input.
              
      - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
        are left-shifted by 16 (great for overflow checks) and ones that are
        sign-extended. Both backends know how to convert between Int52s and the other
        representations.
      
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::rshift64):
      (JSC::MacroAssemblerX86_64::mul64):
      (JSC::MacroAssemblerX86_64::branchMul64):
      (JSC::MacroAssemblerX86_64::branchNeg64):
      (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::imulq_rr):
      (JSC::X86Assembler::cvtsi2sdq_rr):
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isInt52Speculation):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isInt52AsDoubleSpeculation):
      (JSC::isBytecodeRealNumberSpeculation):
      (JSC::isFullRealNumberSpeculation):
      (JSC::isBytecodeNumberSpeculation):
      (JSC::isFullNumberSpeculation):
      (JSC::isBytecodeNumberSpeculationExpectingDefined):
      (JSC::isFullNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::couldBeType):
      (JSC::DFG::AbstractValue::isType):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::boxInt52):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      (JSC::DFG::enableInt52):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::fixupBlock):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt52):
      (JSC::DFG::GenerationInfo::initStrictInt52):
      (JSC::DFG::GenerationInfo::isFormat):
      (JSC::DFG::GenerationInfo::isInt52):
      (JSC::DFG::GenerationInfo::isStrictInt52):
      (JSC::DFG::GenerationInfo::fillInt52):
      (JSC::DFG::GenerationInfo::fillStrictInt52):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      (JSC::DFG::Node::canSpeculateInt52):
      * dfg/DFGNodeFlags.h:
      (JSC::DFG::nodeCanSpeculateInt52):
      * dfg/DFGNodeType.h:
      (JSC::DFG::permitsOSRBackwardRewiring):
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntry.h:
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateMachineInt):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int52Result):
      (JSC::DFG::SpeculativeJIT::strictInt52Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
      (JSC::DFG::SpeculativeJIT::generationInfo):
      (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::edge):
      (JSC::DFG::SpeculateInt52Operand::node):
      (JSC::DFG::SpeculateInt52Operand::gpr):
      (JSC::DFG::SpeculateInt52Operand::use):
      (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::edge):
      (JSC::DFG::SpeculateStrictInt52Operand::node):
      (JSC::DFG::SpeculateStrictInt52Operand::gpr):
      (JSC::DFG::SpeculateStrictInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
      (JSC::DFG::SpeculateWhicheverInt52Operand::node):
      (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
      (JSC::DFG::SpeculateWhicheverInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::format):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::boxInt52):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileInt52Compare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowInt52):
      (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
      (JSC::FTL::LowerDFGToLLVM::opposite):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
      (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
      (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt52):
      (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::addWithOverflow64):
      (JSC::FTL::Output::subWithOverflow64):
      (JSC::FTL::Output::mulWithOverflow64):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      (JSC::Register::unboxedInt52):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::isMachineInt):
      (JSC::JSValue::asMachineInt):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * wtf/PrintStream.h:
      (WTF::ValueIgnoringContext::ValueIgnoringContext):
      (WTF::ValueIgnoringContext::dump):
      (WTF::ignoringContext):
      
      Tools: 
      
      Reviewed by Oliver Hunt.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * js/dfg-int-overflow-large-constants-in-a-line-expected.txt:
      * js/regress/large-int-captured-expected.txt: Added.
      * js/regress/large-int-captured.html: Added.
      * js/regress/large-int-expected.txt: Added.
      * js/regress/large-int-neg-expected.txt: Added.
      * js/regress/large-int-neg.html: Added.
      * js/regress/large-int.html: Added.
      * js/regress/marsaglia-larger-ints-expected.txt: Added.
      * js/regress/marsaglia-larger-ints.html: Added.
      * js/regress/script-tests/large-int-captured.js: Added.
      (.bar):
      (foo):
      * js/regress/script-tests/large-int-neg.js: Added.
      (foo):
      * js/regress/script-tests/large-int.js: Added.
      (foo):
      * js/regress/script-tests/marsaglia-larger-ints.js: Added.
      (uint):
      (marsaglia):
      * js/script-tests/dfg-int-overflow-large-constants-in-a-line.js:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156047 268f45cc-cd09-0410-ab3c-d52691b4dbfc
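
The last bullet of the commit message above names two Int52 forms, one left-shifted and one sign-extended. The following is an added illustration in C, not code from WebKit or from this commit, of why the shifted form suits overflow checks: the CPU's 64-bit overflow condition then coincides with the payload leaving its range, while the sign-extended form needs an explicit range compare. All names are hypothetical, SHIFT uses the figure from the commit message, and the GCC/Clang `__builtin_*_overflow` intrinsics are assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SHIFT is the figure given in the commit message; nothing below depends on
 * its exact value. The integer payload occupies the top 64 - SHIFT bits. */
#define SHIFT 16
#define SCALE (INT64_C(1) << SHIFT)
#define PAYLOAD_MAX ((INT64_C(1) << (63 - SHIFT)) - 1)
#define PAYLOAD_MIN (-PAYLOAD_MAX - 1)

/* Sign-extended ("strict") -> shifted. Precondition: v is within the payload
 * range, so the multiplication cannot overflow. */
static int64_t to_shifted(int64_t v) { return v * SCALE; }

/* Shifted -> strict. The low SHIFT bits are zero, so the division is exact;
 * generated machine code would use an arithmetic right shift instead. */
static int64_t to_strict(int64_t v) { return v / SCALE; }

/* Shifted + shifted: 64-bit signed overflow happens exactly when the payload
 * sum leaves its range, so one overflow check is the whole range check. */
static bool shifted_add(int64_t a, int64_t b, int64_t *out)
{
    return !__builtin_add_overflow(a, b, out);
}

/* Strict + strict: the 64-bit add cannot overflow for in-range inputs, so an
 * out-of-range result goes unnoticed unless it is compared explicitly. */
static bool strict_add(int64_t a, int64_t b, int64_t *out)
{
    int64_t r = a + b;
    if (r < PAYLOAD_MIN || r > PAYLOAD_MAX)
        return false;
    *out = r;
    return true;
}

/* Shifted * strict: (a * 2^SHIFT) * b == (a * b) * 2^SHIFT, so the product is
 * already in shifted form and the 64-bit overflow check is again exact.
 * Multiplying two shifted values would apply the scale twice. */
static bool mixed_mul(int64_t a_shifted, int64_t b_strict, int64_t *out)
{
    return !__builtin_mul_overflow(a_shifted, b_strict, out);
}

/* Helpers taking and returning plain payloads. A false return means the
 * result does not fit and the caller has to fall back to a double. */
static bool add_payloads(int64_t x, int64_t y, int64_t *sum)
{
    int64_t r;
    if (!shifted_add(to_shifted(x), to_shifted(y), &r))
        return false;
    *sum = to_strict(r);
    return true;
}

static bool mul_payloads(int64_t x, int64_t y, int64_t *product)
{
    int64_t r;
    if (!mixed_mul(to_shifted(x), y, &r))
        return false;
    *product = to_strict(r);
    return true;
}

int main(void)
{
    int64_t r = 0;

    /* int32 overflow that stays an integer in the wider representation */
    if (add_payloads(INT32_MAX, 1, &r))
        printf("INT32_MAX + 1 = %lld\n", (long long)r);

    /* payload overflow, seen by both forms */
    printf("shifted add at the limit fits: %d\n", add_payloads(PAYLOAD_MAX, 1, &r));
    printf("strict  add at the limit fits: %d\n", strict_add(PAYLOAD_MAX, 1, &r));

    /* multiplication with one operand in each form */
    if (mul_payloads(INT64_C(1) << 30, INT64_C(1) << 10, &r))
        printf("2^30 * 2^10 = %lld\n", (long long)r);
    return 0;
}
```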
    • Unreviewed, rolling out r156019 and r156020. · 92c67000
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/156019
      http://trac.webkit.org/changeset/156020
      https://bugs.webkit.org/show_bug.cgi?id=121540
      
      Broke tests (Requested by ap on #webkit).
      
      Source/JavaScriptCore:
      
      * assembler/MacroAssemblerX86_64.h:
      * assembler/X86Assembler.h:
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isInt48Speculation):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isInt48AsDoubleSpeculation):
      (JSC::isRealNumberSpeculation):
      (JSC::isNumberSpeculation):
      (JSC::isNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::unboxDouble):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::canonicalize):
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt32):
      (JSC::DFG::GenerationInfo::fillInt32):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      (JSC::DFG::Node::canSpeculateInt48):
      * dfg/DFGNodeFlags.h:
      (JSC::DFG::nodeCanSpeculateInt48):
      * dfg/DFGNodeType.h:
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSRExitCompiler.cpp:
      (JSC::DFG::shortOperandsDump):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::boxDouble):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int32Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt32):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::mulWithOverflow32):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      
      Source/WTF:
      
      * wtf/PrintStream.h:
      
      Tools:
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests:
      
      * js/regress/large-int-captured-expected.txt: Removed.
      * js/regress/large-int-captured.html: Removed.
      * js/regress/large-int-expected.txt: Removed.
      * js/regress/large-int-neg-expected.txt: Removed.
      * js/regress/large-int-neg.html: Removed.
      * js/regress/large-int.html: Removed.
      * js/regress/marsaglia-larger-ints-expected.txt: Removed.
      * js/regress/marsaglia-larger-ints.html: Removed.
      * js/regress/script-tests/large-int-captured.js: Removed.
      * js/regress/script-tests/large-int-neg.js: Removed.
      * js/regress/script-tests/large-int.js: Removed.
      * js/regress/script-tests/marsaglia-larger-ints.js: Removed.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • DFG should support Int52 for local variables · 4c466ec6
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121064
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
      programs that have local int32 overflows but where a larger int representation can
      prevent us from having to convert all the way up to double.
              
      It's a small speed-up for now. But we're just supporting Int52 for a handful of
      operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
      the groundwork for adding Int52 to JSValue, which will probably be a bigger
      speed-up.
              
      The basic approach is:
              
      - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
        or HeapTop - i.e. it doesn't arise from JSValues.
              
      - DFG treats Int52 as being part of its FullTop and will treat it as being a
        subtype of double unless instructed otherwise.
              
      - Prediction propagator creates Int52s whenever we have a node going doubly but due
        to large values rather than fractional values, and that node is known to be able
        to produce Int52 natively in the DFG backend.
              
      - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
        to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
        input.
              
      - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
        are left-shifted by 16 (great for overflow checks) and ones that are
        sign-extended. Both backends know how to convert between Int52s and the other
        representations.
      
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::rshift64):
      (JSC::MacroAssemblerX86_64::mul64):
      (JSC::MacroAssemblerX86_64::branchMul64):
      (JSC::MacroAssemblerX86_64::branchNeg64):
      (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::imulq_rr):
      (JSC::X86Assembler::cvtsi2sdq_rr):
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isBytecodeRealNumberSpeculation):
      (JSC::isFullRealNumberSpeculation):
      (JSC::isBytecodeNumberSpeculation):
      (JSC::isFullNumberSpeculation):
      (JSC::isBytecodeNumberSpeculationExpectingDefined):
      (JSC::isFullNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::couldBeType):
      (JSC::DFG::AbstractValue::isType):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::boxInt52):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      (JSC::DFG::enableInt52):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt52):
      (JSC::DFG::GenerationInfo::initStrictInt52):
      (JSC::DFG::GenerationInfo::isFormat):
      (JSC::DFG::GenerationInfo::isInt52):
      (JSC::DFG::GenerationInfo::isStrictInt52):
      (JSC::DFG::GenerationInfo::fillInt52):
      (JSC::DFG::GenerationInfo::fillStrictInt52):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      * dfg/DFGNodeFlags.h:
      * dfg/DFGNodeType.h:
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateMachineInt):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int52Result):
      (JSC::DFG::SpeculativeJIT::strictInt52Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
      (JSC::DFG::SpeculativeJIT::generationInfo):
      (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::edge):
      (JSC::DFG::SpeculateInt52Operand::node):
      (JSC::DFG::SpeculateInt52Operand::gpr):
      (JSC::DFG::SpeculateInt52Operand::use):
      (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::edge):
      (JSC::DFG::SpeculateStrictInt52Operand::node):
      (JSC::DFG::SpeculateStrictInt52Operand::gpr):
      (JSC::DFG::SpeculateStrictInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
      (JSC::DFG::SpeculateWhicheverInt52Operand::node):
      (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
      (JSC::DFG::SpeculateWhicheverInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::format):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::boxInt52):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileInt52Compare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowInt52):
      (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
      (JSC::FTL::LowerDFGToLLVM::opposite):
      (JSC::FTL::LowerDFGToLLVM::Int52s::operator[]):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s):
      (JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
      (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
      (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt52):
      (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::addWithOverflow64):
      (JSC::FTL::Output::subWithOverflow64):
      (JSC::FTL::Output::mulWithOverflow64):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      (JSC::Register::unboxedInt52):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::isMachineInt):
      (JSC::JSValue::asMachineInt):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * wtf/PrintStream.h:
      (WTF::ValueIgnoringContext::ValueIgnoringContext):
      (WTF::ValueIgnoringContext::dump):
      (WTF::ignoringContext):
      
      Tools: 
      
      Reviewed by Oliver Hunt.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * js/regress/large-int-captured-expected.txt: Added.
      * js/regress/large-int-captured.html: Added.
      * js/regress/large-int-expected.txt: Added.
      * js/regress/large-int-neg-expected.txt: Added.
      * js/regress/large-int-neg.html: Added.
      * js/regress/large-int.html: Added.
      * js/regress/marsaglia-larger-ints-expected.txt: Added.
      * js/regress/marsaglia-larger-ints.html: Added.
      * js/regress/script-tests/large-int-captured.js: Added.
      (.bar):
      (foo):
      * js/regress/script-tests/large-int-neg.js: Added.
      (foo):
      * js/regress/script-tests/large-int.js: Added.
      (foo):
      * js/regress/script-tests/marsaglia-larger-ints.js: Added.
      (uint):
      (marsaglia):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156019 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4c466ec6
  2. 11 Sep, 2013 1 commit
    • Propagate the Int48 stuff into the prediction propagator. · 3f780e4a
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121132
      
      Reviewed by Mark Hahnenberg.
              
      This still has no effect on codegen since Int48 still looks like a Double right now.
      
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/SpeculatedType.cpp:
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isMachineIntSpeculation):
      (JSC::isMachineIntSpeculationExpectingDefined):
      (JSC::isMachineIntSpeculationForArithmetic):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateInt32):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      (JSC::DFG::Graph::hasExitSite):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateMachineInt):
      (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic):
      (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined):
      (JSC::DFG::Node::canSpeculateInt48):
      * dfg/DFGNodeFlags.h:
      (JSC::DFG::nodeCanSpeculateInt48):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155499 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3f780e4a
  3. 10 Sep, 2013 2 commits
    • Introduce a SpecInt48 type and be more careful about what we mean by "Top" · ff779d0f
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121116
      
      Reviewed by Oliver Hunt.
              
      SpecInt48 will mean that we have something that would be a double if it was a JSValue,
      but it's profitable to represent it as something other than a double.
              
      SpecInt48AsDouble means that it has a value that could have been represented like
      SpecInt48, but we're making a heuristic decision not to do it.
      
      * bytecode/SpeculatedType.h:
      (JSC::isInt48Speculation):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      (JSC::DFG::::clobberCapturedVars):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::filter):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::makeHeapTop):
      (JSC::DFG::AbstractValue::makeBytecodeTop):
      (JSC::DFG::AbstractValue::isHeapTop):
      (JSC::DFG::AbstractValue::heapTop):
      (JSC::DFG::AbstractValue::validateType):
      (JSC::DFG::AbstractValue::validate):
      (JSC::DFG::AbstractValue::makeTop):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::initialize):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155480 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ff779d0f
    • SpecType should have SpecInt48AsDouble · cc5a1186
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121065
      
      Reviewed by Oliver Hunt.
      
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt48AsDoubleSpeculation):
      (JSC::isIntegerSpeculation):
      (JSC::isDoubleRealSpeculation):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155466 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      cc5a1186
  4. 21 Aug, 2013 1 commit
    • DFG should inline new typedArray() · 372fa82b
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=120022
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      Adds inlining of typed array allocations in the DFG. Any operation of the
      form:
              
          new foo(blah)
              
      or:
              
          foo(blah)
              
      where 'foo' is a typed array constructor and 'blah' is exactly one argument,
      is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
      is predicted integer, we generate inline code for an allocation. Otherwise
      it turns into a call to an operation that behaves like the constructor would
      if it was passed one argument (i.e. it may wrap a buffer or it may create a
      copy or another array, or it may allocate an array of that length).
      
      * bytecode/SpeculatedType.cpp:
      (JSC::speculationFromTypedArrayType):
      (JSC::speculationFromClassInfo):
      * bytecode/SpeculatedType.h:
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      * dfg/DFGCCallHelpers.h:
      (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasTypedArrayType):
      (JSC::DFG::Node::typedArrayType):
      * dfg/DFGNodeType.h:
      * dfg/DFGOperations.cpp:
      (JSC::DFG::newTypedArrayWithSize):
      (JSC::DFG::newTypedArrayWithOneArgument):
      * dfg/DFGOperations.h:
      (JSC::DFG::operationNewTypedArrayWithSizeForType):
      (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_object):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_new_object):
      * runtime/JSArray.h:
      (JSC::JSArray::allocationSize):
      * runtime/JSArrayBufferView.h:
      (JSC::JSArrayBufferView::allocationSize):
      * runtime/JSGenericTypedArrayViewConstructorInlines.h:
      (JSC::constructGenericTypedArrayView):
      * runtime/JSObject.h:
      (JSC::JSFinalObject::allocationSize):
      * runtime/TypedArrayType.cpp:
      (JSC::constructorClassInfoForType):
      * runtime/TypedArrayType.h:
      (JSC::indexToTypedArrayType):
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * fast/js/regress/Float64Array-alloc-long-lived-expected.txt: Added.
      * fast/js/regress/Float64Array-alloc-long-lived.html: Added.
      * fast/js/regress/Int16Array-alloc-long-lived-expected.txt: Added.
      * fast/js/regress/Int16Array-alloc-long-lived.html: Added.
      * fast/js/regress/Int8Array-alloc-long-lived-expected.txt: Added.
      * fast/js/regress/Int8Array-alloc-long-lived.html: Added.
      * fast/js/regress/script-tests/Float64Array-alloc-long-lived.js: Added.
      * fast/js/regress/script-tests/Int16Array-alloc-long-lived.js: Added.
      * fast/js/regress/script-tests/Int32Array-alloc-long-lived.js:
      * fast/js/regress/script-tests/Int8Array-alloc-long-lived.js: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154403 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      372fa82b
  5. 17 Aug, 2013 1 commit
    • DFG should optimize typedArray.byteLength · c09dc63d
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=119909
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This adds typedArray.byteLength inlining to the DFG, and does so without changing
      the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
      legal since the byteLength of a typed array cannot exceed
      numeric_limits<int32_t>::max().
      
      * bytecode/SpeculatedType.cpp:
      (JSC::typedArrayTypeFromSpeculation):
      * bytecode/SpeculatedType.h:
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::toArrayType):
      * dfg/DFGArrayMode.h:
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
      (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
      (JSC::DFG::FixupPhase::convertToGetArrayLength):
      (JSC::DFG::FixupPhase::prependGetArrayLength):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::constantRegisterForConstant):
      (JSC::DFG::Graph::convertToConstant):
      * runtime/TypedArrayType.h:
      (JSC::logElementSize):
      (JSC::elementSize):
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
              
      Convert two of the typed array tests to use byteLength instead of length.
      These tests show speed-ups around 2.5x-5x.
      
      * fast/js/regress/Int16Array-bubble-sort-with-byteLength-expected.txt: Added.
      * fast/js/regress/Int16Array-bubble-sort-with-byteLength.html: Added.
      * fast/js/regress/Int8Array-load-with-byteLength-expected.txt: Added.
      * fast/js/regress/Int8Array-load-with-byteLength.html: Added.
      * fast/js/regress/script-tests/Int16Array-bubble-sort-with-byteLength.js: Added.
      (bubbleSort):
      (myRandom):
      (validateSort):
      * fast/js/regress/script-tests/Int8Array-load-with-byteLength.js: Added.
      (adler32):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154218 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c09dc63d
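The byteLength commit above lowers `typedArray.byteLength` to an element count followed by a 32-bit left shift, which is only sound while the byte length fits in `int32_t`. The following is an added example, not code from the WebKit tree: `ElemType`, `logElementSizeOf`, `byteLengthByShift`, `byteLengthExact` and `lengthIsAllocatable` are hypothetical names, and placing the bound check at allocation time is an assumption. It shows the shift agreeing with the exact value inside the bound and wrapping outside it.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical stand-in for the typed array kinds; not JavaScriptCore's own enum.
enum class ElemType { Int8, Int16, Int32, Float64 };

// log2 of the element size in bytes (assumed helper for this example).
inline unsigned logElementSizeOf(ElemType t)
{
    switch (t) {
    case ElemType::Int8:    return 0;
    case ElemType::Int16:   return 1;
    case ElemType::Int32:   return 2;
    case ElemType::Float64: return 3;
    }
    return 0;
}

// Model of the lowered form: element count shifted left in 32 bits.
// The shift is done on uint32_t so that wraparound is well defined in C++.
int32_t byteLengthByShift(int32_t length, ElemType t)
{
    uint32_t shifted = static_cast<uint32_t>(length) << logElementSizeOf(t);
    return static_cast<int32_t>(shifted);
}

// Reference value computed in 64 bits, with no truncation.
int64_t byteLengthExact(int32_t length, ElemType t)
{
    return static_cast<int64_t>(length) * (int64_t{1} << logElementSizeOf(t));
}

// The invariant the commit message relies on, written as a check:
// length * elementSize must not exceed numeric_limits<int32_t>::max().
// Where the engine enforces this is not stated on the page (assumption: at allocation).
bool lengthIsAllocatable(int64_t length, ElemType t)
{
    if (length < 0)
        return false;
    int64_t maxLength = std::numeric_limits<int32_t>::max() >> logElementSizeOf(t);
    return length <= maxLength;
}

// True when the 32-bit shift yields the same number as the exact computation.
bool shiftMatchesExact(int32_t length, ElemType t)
{
    return byteLengthByShift(length, t) == byteLengthExact(length, t);
}

int main()
{
    // Constructed sample lengths: two inside the bound, one outside it.
    struct { int32_t length; ElemType type; const char* name; } samples[] = {
        { 1000, ElemType::Int16, "Int16Array(1000)" },
        { std::numeric_limits<int32_t>::max() >> 3, ElemType::Float64, "Float64Array(2^28 - 1)" },
        { 1 << 29, ElemType::Float64, "Float64Array(2^29)" },
    };
    for (const auto& s : samples) {
        std::printf("%-24s allocatable=%d shift=%d exact=%lld\n", s.name,
            lengthIsAllocatable(s.length, s.type),
            byteLengthByShift(s.length, s.type),
            static_cast<long long>(byteLengthExact(s.length, s.type)));
    }
    return 0;
}
```

For the out-of-bound sample the shifted value is 0 while the exact byte length is 2^32, so any bounds reasoning built on the shifted value is only valid when the length bound has been enforced first.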
  6. 15 Aug, 2013 1 commit
    • Typed arrays should be rewritten · 0e0d9312
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=119064
      
      .: 
      
      Reviewed by Oliver Hunt.
      
      Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
      
      * Source/autotools/symbols.filter:
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      Typed arrays were previously deficient in several major ways:
              
      - They were defined separately in WebCore and in the jsc shell. The two
        implementations were different, and the jsc shell one was basically wrong.
        The WebCore one was quite awful, also.
              
      - Typed arrays were not visible to the JIT except through some weird hooks.
        For example, the JIT could not ask "what is the Structure that this typed
        array would have if I just allocated it from this global object". Also,
        it was difficult to wire any of the typed array intrinsics, because most
        of the functionality wasn't visible anywhere in JSC.
              
      - Typed array allocation was brain-dead. Allocating a typed array involved
        two JS objects, two GC weak handles, and three malloc allocations.
              
      - Neutering. It involved keeping tabs on all native views but not the view
        wrappers, even though the native views can autoneuter just by asking the
        buffer if it was neutered anytime you touch them; while the JS view
        wrappers are the ones that you really want to reach out to.
              
      - Common case-ing. Most typed arrays have one buffer and one view, and
        usually nobody touches the buffer. Yet we created all of that stuff
        anyway, using data structures optimized for the case where you had a lot
        of views.
              
      - Semantic goofs. Typed arrays should, in the future, behave like ES
        features rather than DOM features, for example when it comes to exceptions.
        Firefox already does this and I agree with them.
              
      This patch cleanses our codebase of these sins:
              
      - Typed arrays are almost entirely defined in JSC. Only the lifecycle
        management of native references to buffers is left to WebCore.
              
      - Allocating a typed array requires either two GC allocations (a cell and a
        copied storage vector) or one GC allocation, a malloc allocation, and a
        weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
        latter). The latter is only used for oversize arrays. Remember that before
        it was 7 allocations no matter what.
              
      - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
        mode/length, void* vector. Before it was a lot more than that - remember,
        there were five additional objects that did absolutely nothing for anybody.
              
      - Native views aren't tracked by the buffer, or by the wrappers. They are
        transient. In the future we'll probably switch to not even having them be
        malloc'd.
              
      - Native array buffers have an efficient way of tracking all of their JS view
        wrappers, both for neutering, and for lifecycle management. The GC
        special-cases native array buffers. This saves a bunch of grief; for example
        it means that a JS view wrapper can refer to its buffer via the butterfly,
        which would be dead by the time we went to finalize.
              
      - Typed array semantics now match Firefox, which also happens to be where the
        standards are going. The discussion on webkit-dev seemed to confirm that
        Chrome is also heading in this direction. This includes making
        Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
        ArrayBufferView as a JS-visible construct.
              
      This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
      It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
      further typed array optimizations in the JSC JITs, including inlining typed
      array allocation, inlining more of the accessors, reducing the cost of type
      checks, etc.
              
      An additional property of this patch is that typed arrays are mostly
      implemented using templates. This deduplicates a bunch of code, but does mean
      that we need some hacks for exporting s_info's of template classes. See
      JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
      low-impact compared to code duplication.
              
      Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
      
      * CMakeLists.txt:
      * DerivedSources.make:
      * GNUmakefile.list.am:
      * JSCTypedArrayStubs.h: Removed.
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ByValInfo.h:
      (JSC::hasOptimizableIndexingForClassInfo):
      (JSC::jitArrayModeForClassInfo):
      (JSC::typedArrayTypeForJITArrayMode):
      * bytecode/SpeculatedType.cpp:
      (JSC::speculationFromClassInfo):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::toTypedArrayType):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::ArrayMode::typedArrayType):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * heap/CopyToken.h:
      * heap/DeferGC.h:
      (JSC::DeferGCForAWhile::DeferGCForAWhile):
      (JSC::DeferGCForAWhile::~DeferGCForAWhile):
      * heap/GCIncomingRefCounted.h: Added.
      (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
      (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
      (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
      (JSC::GCIncomingRefCounted::incomingReferenceAt):
      (JSC::GCIncomingRefCounted::singletonFlag):
      (JSC::GCIncomingRefCounted::hasVectorOfCells):
      (JSC::GCIncomingRefCounted::hasAnyIncoming):
      (JSC::GCIncomingRefCounted::hasSingleton):
      (JSC::GCIncomingRefCounted::singleton):
      (JSC::GCIncomingRefCounted::vectorOfCells):
      * heap/GCIncomingRefCountedInlines.h: Added.
      (JSC::::addIncomingReference):
      (JSC::::filterIncomingReferences):
      * heap/GCIncomingRefCountedSet.h: Added.
      (JSC::GCIncomingRefCountedSet::size):
      * heap/GCIncomingRefCountedSetInlines.h: Added.
      (JSC::::GCIncomingRefCountedSet):
      (JSC::::~GCIncomingRefCountedSet):
      (JSC::::addReference):
      (JSC::::sweep):
      (JSC::::removeAll):
      (JSC::::removeDead):
      * heap/Heap.cpp:
      (JSC::Heap::addReference):
      (JSC::Heap::extraSize):
      (JSC::Heap::size):
      (JSC::Heap::capacity):
      (JSC::Heap::collect):
      (JSC::Heap::decrementDeferralDepth):
      (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
      * heap/Heap.h:
      * interpreter/CallFrame.h:
      (JSC::ExecState::dataViewTable):
      * jit/JIT.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::privateCompileGetByVal):
      (JSC::JIT::privateCompilePutByVal):
      (JSC::JIT::emitIntTypedArrayGetByVal):
      (JSC::JIT::emitFloatTypedArrayGetByVal):
      (JSC::JIT::emitIntTypedArrayPutByVal):
      (JSC::JIT::emitFloatTypedArrayPutByVal):
      * jsc.cpp:
      (GlobalObject::finishCreation):
      * runtime/ArrayBuffer.cpp:
      (JSC::ArrayBuffer::transfer):
      * runtime/ArrayBuffer.h:
      (JSC::ArrayBuffer::createAdopted):
      (JSC::ArrayBuffer::ArrayBuffer):
      (JSC::ArrayBuffer::gcSizeEstimateInBytes):
      (JSC::ArrayBuffer::pin):
      (JSC::ArrayBuffer::unpin):
      (JSC::ArrayBufferContents::tryAllocate):
      * runtime/ArrayBufferView.cpp:
      (JSC::ArrayBufferView::ArrayBufferView):
      (JSC::ArrayBufferView::~ArrayBufferView):
      (JSC::ArrayBufferView::setNeuterable):
      * runtime/ArrayBufferView.h:
      (JSC::ArrayBufferView::isNeutered):
      (JSC::ArrayBufferView::buffer):
      (JSC::ArrayBufferView::baseAddress):
      (JSC::ArrayBufferView::byteOffset):
      (JSC::ArrayBufferView::verifySubRange):
      (JSC::ArrayBufferView::clampOffsetAndNumElements):
      (JSC::ArrayBufferView::calculateOffsetAndLength):
      * runtime/ClassInfo.h:
      * runtime/CommonIdentifiers.h:
      * runtime/DataView.cpp: Added.
      (JSC::DataView::DataView):
      (JSC::DataView::create):
      (JSC::DataView::wrap):
      * runtime/DataView.h: Added.
      (JSC::DataView::byteLength):
      (JSC::DataView::getType):
      (JSC::DataView::get):
      (JSC::DataView::set):
      * runtime/Float32Array.h:
      * runtime/Float64Array.h:
      * runtime/GenericTypedArrayView.h: Added.
      (JSC::GenericTypedArrayView::data):
      (JSC::GenericTypedArrayView::set):
      (JSC::GenericTypedArrayView::setRange):
      (JSC::GenericTypedArrayView::zeroRange):
      (JSC::GenericTypedArrayView::zeroFill):
      (JSC::GenericTypedArrayView::length):
      (JSC::GenericTypedArrayView::byteLength):
      (JSC::GenericTypedArrayView::item):
      (JSC::GenericTypedArrayView::checkInboundData):
      (JSC::GenericTypedArrayView::getType):
      * runtime/GenericTypedArrayViewInlines.h: Added.
      (JSC::::GenericTypedArrayView):
      (JSC::::create):
      (JSC::::createUninitialized):
      (JSC::::subarray):
      (JSC::::wrap):
      * runtime/IndexingHeader.h:
      (JSC::IndexingHeader::arrayBuffer):
      (JSC::IndexingHeader::setArrayBuffer):
      * runtime/Int16Array.h:
      * runtime/Int32Array.h:
      * runtime/Int8Array.h:
      * runtime/JSArrayBuffer.cpp: Added.
      (JSC::JSArrayBuffer::JSArrayBuffer):
      (JSC::JSArrayBuffer::finishCreation):
      (JSC::JSArrayBuffer::create):
      (JSC::JSArrayBuffer::createStructure):
      (JSC::JSArrayBuffer::getOwnPropertySlot):
      (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
      (JSC::JSArrayBuffer::put):
      (JSC::JSArrayBuffer::defineOwnProperty):
      (JSC::JSArrayBuffer::deleteProperty):
      (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
      * runtime/JSArrayBuffer.h: Added.
      (JSC::JSArrayBuffer::impl):
      (JSC::toArrayBuffer):
      * runtime/JSArrayBufferConstructor.cpp: Added.
      (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
      (JSC::JSArrayBufferConstructor::finishCreation):
      (JSC::JSArrayBufferConstructor::create):
      (JSC::JSArrayBufferConstructor::createStructure):
      (JSC::constructArrayBuffer):
      (JSC::JSArrayBufferConstructor::getConstructData):
      (JSC::JSArrayBufferConstructor::getCallData):
      * runtime/JSArrayBufferConstructor.h: Added.
      * runtime/JSArrayBufferPrototype.cpp: Added.
      (JSC::arrayBufferProtoFuncSlice):
      (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
      (JSC::JSArrayBufferPrototype::finishCreation):
      (JSC::JSArrayBufferPrototype::create):
      (JSC::JSArrayBufferPrototype::createStructure):
      * runtime/JSArrayBufferPrototype.h: Added.
      * runtime/JSArrayBufferView.cpp: Added.
      (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
      (JSC::JSArrayBufferView::JSArrayBufferView):
      (JSC::JSArrayBufferView::finishCreation):
      (JSC::JSArrayBufferView::getOwnPropertySlot):
      (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
      (JSC::JSArrayBufferView::put):
      (JSC::JSArrayBufferView::defineOwnProperty):
      (JSC::JSArrayBufferView::deleteProperty):
      (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
      (JSC::JSArrayBufferView::finalize):
      * runtime/JSArrayBufferView.h: Added.
      (JSC::JSArrayBufferView::sizeOf):
      (JSC::JSArrayBufferView::ConstructionContext::operator!):
      (JSC::JSArrayBufferView::ConstructionContext::structure):
      (JSC::JSArrayBufferView::ConstructionContext::vector):
      (JSC::JSArrayBufferView::ConstructionContext::length):
      (JSC::JSArrayBufferView::ConstructionContext::mode):
      (JSC::JSArrayBufferView::ConstructionContext::butterfly):
      (JSC::JSArrayBufferView::mode):
      (JSC::JSArrayBufferView::vector):
      (JSC::JSArrayBufferView::length):
      (JSC::JSArrayBufferView::offsetOfVector):
      (JSC::JSArrayBufferView::offsetOfLength):
      (JSC::JSArrayBufferView::offsetOfMode):
      * runtime/JSArrayBufferViewInlines.h: Added.
      (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
      (JSC::JSArrayBufferView::buffer):
      (JSC::JSArrayBufferView::impl):
      (JSC::JSArrayBufferView::neuter):
      (JSC::JSArrayBufferView::byteOffset):
      * runtime/JSCell.cpp:
      (JSC::JSCell::slowDownAndWasteMemory):
      (JSC::JSCell::getTypedArrayImpl):
      * runtime/JSCell.h:
      * runtime/JSDataView.cpp: Added.
      (JSC::JSDataView::JSDataView):
      (JSC::JSDataView::create):
      (JSC::JSDataView::createUninitialized):
      (JSC::JSDataView::set):
      (JSC::JSDataView::typedImpl):
      (JSC::JSDataView::getOwnPropertySlot):
      (JSC::JSDataView::getOwnPropertyDescriptor):
      (JSC::JSDataView::slowDownAndWasteMemory):
      (JSC::JSDataView::getTypedArrayImpl):
      (JSC::JSDataView::createStructure):
      * runtime/JSDataView.h: Added.
      * runtime/JSDataViewPrototype.cpp: Added.
      (JSC::JSDataViewPrototype::JSDataViewPrototype):
      (JSC::JSDataViewPrototype::create):
      (JSC::JSDataViewPrototype::createStructure):
      (JSC::JSDataViewPrototype::getOwnPropertySlot):
      (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
      (JSC::getData):
      (JSC::setData):
      (JSC::dataViewProtoFuncGetInt8):
      (JSC::dataViewProtoFuncGetInt16):
      (JSC::dataViewProtoFuncGetInt32):
      (JSC::dataViewProtoFuncGetUint8):
      (JSC::dataViewProtoFuncGetUint16):
      (JSC::dataViewProtoFuncGetUint32):
      (JSC::dataViewProtoFuncGetFloat32):
      (JSC::dataViewProtoFuncGetFloat64):
      (JSC::dataViewProtoFuncSetInt8):
      (JSC::dataViewProtoFuncSetInt16):
      (JSC::dataViewProtoFuncSetInt32):
      (JSC::dataViewProtoFuncSetUint8):
      (JSC::dataViewProtoFuncSetUint16):
      (JSC::dataViewProtoFuncSetUint32):
      (JSC::dataViewProtoFuncSetFloat32):
      (JSC::dataViewProtoFuncSetFloat64):
      * runtime/JSDataViewPrototype.h: Added.
      * runtime/JSFloat32Array.h: Added.
      * runtime/JSFloat64Array.h: Added.
      * runtime/JSGenericTypedArrayView.h: Added.
      (JSC::JSGenericTypedArrayView::byteLength):
      (JSC::JSGenericTypedArrayView::byteSize):
      (JSC::JSGenericTypedArrayView::typedVector):
      (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
      (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
      (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
      (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
      (JSC::JSGenericTypedArrayView::getIndexQuickly):
      (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
      (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
      (JSC::JSGenericTypedArrayView::setIndexQuickly):
      (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
      (JSC::JSGenericTypedArrayView::typedImpl):
      (JSC::JSGenericTypedArrayView::createStructure):
      (JSC::JSGenericTypedArrayView::info):
      (JSC::toNativeTypedView):
      * runtime/JSGenericTypedArrayViewConstructor.h: Added.
      * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
      (JSC::::JSGenericTypedArrayViewConstructor):
      (JSC::::finishCreation):
      (JSC::::create):
      (JSC::::createStructure):
      (JSC::constructGenericTypedArrayView):
      (JSC::::getConstructData):
      (JSC::::getCallData):
      * runtime/JSGenericTypedArrayViewInlines.h: Added.
      (JSC::::JSGenericTypedArrayView):
      (JSC::::create):
      (JSC::::createUninitialized):
      (JSC::::validateRange):
      (JSC::::setWithSpecificType):
      (JSC::::set):
      (JSC::::getOwnPropertySlot):
      (JSC::::getOwnPropertyDescriptor):
      (JSC::::put):
      (JSC::::defineOwnProperty):
      (JSC::::deleteProperty):
      (JSC::::getOwnPropertySlotByIndex):
      (JSC::::putByIndex):
      (JSC::::deletePropertyByIndex):
      (JSC::::getOwnNonIndexPropertyNames):
      (JSC::::getOwnPropertyNames):
      (JSC::::visitChildren):
      (JSC::::copyBackingStore):
      (JSC::::slowDownAndWasteMemory):
      (JSC::::getTypedArrayImpl):
      * runtime/JSGenericTypedArrayViewPrototype.h: Added.
      * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
      (JSC::genericTypedArrayViewProtoFuncSet):
      (JSC::genericTypedArrayViewProtoFuncSubarray):
      (JSC::::JSGenericTypedArrayViewPrototype):
      (JSC::::finishCreation):
      (JSC::::create):
      (JSC::::createStructure):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSC::JSGlobalObject::arrayBufferPrototype):
      (JSC::JSGlobalObject::arrayBufferStructure):
      (JSC::JSGlobalObject::typedArrayStructure):
      * runtime/JSInt16Array.h: Added.
      * runtime/JSInt32Array.h: Added.
      * runtime/JSInt8Array.h: Added.
      * runtime/JSTypedArrayConstructors.cpp: Added.
      * runtime/JSTypedArrayConstructors.h: Added.
      * runtime/JSTypedArrayPrototypes.cpp: Added.
      * runtime/JSTypedArrayPrototypes.h: Added.
      * runtime/JSTypedArrays.cpp: Added.
      * runtime/JSTypedArrays.h: Added.
      * runtime/JSUint16Array.h: Added.
      * runtime/JSUint32Array.h: Added.
      * runtime/JSUint8Array.h: Added.
      * runtime/JSUint8ClampedArray.h: Added.
      * runtime/Operations.h:
      * runtime/Options.h:
      * runtime/SimpleTypedArrayController.cpp: Added.
      (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
      (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
      (JSC::SimpleTypedArrayController::toJS):
      * runtime/SimpleTypedArrayController.h: Added.
      * runtime/Structure.h:
      (JSC::Structure::couldHaveIndexingHeader):
      * runtime/StructureInlines.h:
      (JSC::Structure::hasIndexingHeader):
      * runtime/TypedArrayAdaptors.h: Added.
      (JSC::IntegralTypedArrayAdaptor::toNative):
      (JSC::IntegralTypedArrayAdaptor::toJSValue):
      (JSC::IntegralTypedArrayAdaptor::toDouble):
      (JSC::FloatTypedArrayAdaptor::toNative):
      (JSC::FloatTypedArrayAdaptor::toJSValue):
      (JSC::FloatTypedArrayAdaptor::toDouble):
      (JSC::Uint8ClampedAdaptor::toNative):
      (JSC::Uint8ClampedAdaptor::toJSValue):
      (JSC::Uint8ClampedAdaptor::toDouble):
      (JSC::Uint8ClampedAdaptor::clamp):
      * runtime/TypedArrayController.cpp: Added.
      (JSC::TypedArrayController::TypedArrayController):
      (JSC::TypedArrayController::~TypedArrayController):
      * runtime/TypedArrayController.h: Added.
      * runtime/TypedArrayDescriptor.h: Removed.
      * runtime/TypedArrayInlines.h: Added.
      * runtime/TypedArrayType.cpp: Added.
      (JSC::classInfoForType):
      (WTF::printInternal):
      * runtime/TypedArrayType.h: Added.
      (JSC::toIndex):
      (JSC::isTypedView):
      (JSC::elementSize):
      (JSC::isInt):
      (JSC::isFloat):
      (JSC::isSigned):
      (JSC::isClamped):
      * runtime/TypedArrays.h: Added.
      * runtime/Uint16Array.h:
      * runtime/Uint32Array.h:
      * runtime/Uint8Array.h:
      * runtime/Uint8ClampedArray.h:
      * runtime/VM.cpp:
      (JSC::VM::VM):
      (JSC::VM::~VM):
      * runtime/VM.h:
      
      Source/WebCore: 
      
      Reviewed by Oliver Hunt.
      
      Typed arrays are now implemented in JavaScriptCore, and WebCore is merely a
      client of them. There is only one layering violation: WebCore installs a
      WebCoreTypedArrayController on VM, which makes the
      ArrayBuffer<->JSArrayBuffer relationship resemble DOM wrappers. By default,
      JSC makes the ownership go one way; the JSArrayBuffer keeps the ArrayBuffer
      alive but if ArrayBuffer is kept alive from native code then the
      JSArrayBuffer may die. WebCoreTypedArrayController will keep the
      JSArrayBuffer alive if the ArrayBuffer is in the opaque root set.
              
      To make non-JSDOMWrappers behave like DOM wrappers, a bunch of code is
      changed to make most references to wrappers refer to JSObject* rather than
      JSDOMWrapper*.
              
      Array buffer views are now transient; the JS array buffer view wrappers
      don't own them or keep them alive. This required a bunch of changes to make
      bindings code use RefPtr<ArrayBufferView> to hold onto their views.
              
      Also there is a bunch of new code to make JSC-provided array buffers and
      views obey the toJS/to<ClassName> idiom for wrapping and unwrapping.
              
      Finally, the DataView API is now completely different: the JSDataView
      provides the same user-visible JS API but using its own internal magic; the
      C++ code that uses DataView now uses a rather different API that is not
      aware of usual DOM semantics, since it's in JSC and not WebCore. It's
      equally useful for all of WebCore's purposes, but some code had to change
      to adapt the new conventions.
              
      Some tests have been changed or rebased due to changes in behavior that
      bring us into conformance with where the standards are going and allow us to
      match Firefox behavior.
      
      Automake work and some additional GTK changes courtesy of
      Zan Dobersek <zdobersek@igalia.com>.
              
      Additional Qt changes courtesy of Arunprasad Rajkumar <arurajku@cisco.com>.
      
      * CMakeLists.txt:
      * DerivedSources.make:
      * ForwardingHeaders/runtime/DataView.h: Added.
      * ForwardingHeaders/runtime/JSArrayBuffer.h: Added.
      * ForwardingHeaders/runtime/JSArrayBufferView.h: Added.
      * ForwardingHeaders/runtime/JSDataView.h: Added.
      * ForwardingHeaders/runtime/JSTypedArrays.h: Added.
      * ForwardingHeaders/runtime/TypedArrayController.h: Added.
      * ForwardingHeaders/runtime/TypedArrayInlines.h: Added.
      * ForwardingHeaders/runtime/TypedArrays.h: Added.
      * GNUmakefile.list.am:
      * Modules/webaudio/RealtimeAnalyser.h:
      * Target.pri:
      * UseJSC.cmake:
      * WebCore.exp.in:
      * WebCore.vcxproj/WebCore.vcxproj:
      * WebCore.xcodeproj/project.pbxproj:
      * bindings/js/DOMWrapperWorld.h:
      * bindings/js/JSArrayBufferCustom.cpp: Removed.
      * bindings/js/JSArrayBufferViewHelper.h: Removed.
      * bindings/js/JSAudioContextCustom.cpp:
      * bindings/js/JSBindingsAllInOne.cpp:
      * bindings/js/JSBlobCustom.cpp:
      * bindings/js/JSCSSRuleCustom.cpp:
      (WebCore::toJS):
      * bindings/js/JSCSSValueCustom.cpp:
      (WebCore::toJS):
      * bindings/js/JSCryptoCustom.cpp:
      (WebCore::JSCrypto::getRandomValues):
      * bindings/js/JSDOMBinding.h:
      (WebCore::wrapperOwner):
      (WebCore::wrapperContext):
      (WebCore::getInlineCachedWrapper):
      (WebCore::setInlineCachedWrapper):
      (WebCore::clearInlineCachedWrapper):
      (WebCore::getCachedWrapper):
      (WebCore::cacheWrapper):
      (WebCore::uncacheWrapper):
      (WebCore::wrap):
      (WebCore::toJS):
      (WebCore::toArrayBufferView):
      (WebCore::toInt8Array):
      (WebCore::toInt16Array):
      (WebCore::toInt32Array):
      (WebCore::toUint8Array):
      (WebCore::toUint8ClampedArray):
      (WebCore::toUint16Array):
      (WebCore::toUint32Array):
      (WebCore::toFloat32Array):
      (WebCore::toFloat64Array):
      (WebCore::toDataView):
      * bindings/js/JSDataViewCustom.cpp: Removed.
      * bindings/js/JSDictionary.cpp:
      * bindings/js/JSDictionary.h:
      * bindings/js/JSDocumentCustom.cpp:
      (WebCore::JSDocument::location):
      (WebCore::toJS):
      * bindings/js/JSEventCustom.cpp:
      (WebCore::toJS):
      * bindings/js/JSFileReaderCustom.cpp:
      * bindings/js/JSHTMLCollectionCustom.cpp:
      (WebCore::toJS):
      * bindings/js/JSHTMLTemplateElementCustom.cpp:
      (WebCore::JSHTMLTemplateElement::content):
      * bindings/js/JSImageDataCustom.cpp:
      (WebCore::toJS):
      * bindings/js/JSInjectedScriptHostCustom.cpp:
      * bindings/js/JSMessageEventCustom.cpp:
      * bindings/js/JSMessagePortCustom.cpp:
      * bindings/js/JSSVGPathSegCustom.cpp:
      (WebCore::toJS):
      * bindings/js/JSStyleSheetCustom.cpp:
      (WebCore::toJS):
      * bindings/js/JSTrackCustom.cpp:
      (WebCore::toJS):
      * bindings/js/JSWebGLRenderingContextCustom.cpp:
      * bindings/js/JSXMLHttpRequestCustom.cpp:
      (WebCore::JSXMLHttpRequest::send):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::SerializedScriptValue::transferArrayBuffers):
      * bindings/js/WebCoreJSClientData.h:
      (WebCore::initNormalWorldClientData):
      * bindings/js/WebCoreTypedArrayController.cpp: Added.
      (WebCore::WebCoreTypedArrayController::WebCoreTypedArrayController):
      (WebCore::WebCoreTypedArrayController::~WebCoreTypedArrayController):
      (WebCore::WebCoreTypedArrayController::toJS):
      (WebCore::WebCoreTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
      (WebCore::WebCoreTypedArrayController::JSArrayBufferOwner::finalize):
      * bindings/js/WebCoreTypedArrayController.h: Added.
      (WebCore::WebCoreTypedArrayController::wrapperOwner):
      * bindings/scripts/CodeGenerator.pm:
      (ForAllParents):
      (ParseInterface):
      (SkipIncludeHeader):
      (IsTypedArrayType):
      (IsWrapperType):
      * bindings/scripts/CodeGeneratorJS.pm:
      (AddIncludesForType):
      (GenerateHeader):
      (GenerateImplementation):
      (GenerateParametersCheck):
      (GetNativeType):
      (JSValueToNative):
      (NativeToJSValue):
      (GenerateConstructorDefinition):
      (GenerateConstructorHelperMethods):
      * fileapi/WebKitBlobBuilder.cpp:
      (WebCore::BlobBuilder::append):
      * fileapi/WebKitBlobBuilder.h:
      * html/canvas/ArrayBuffer.idl: Removed.
      * html/canvas/ArrayBufferView.idl: Removed.
      * html/canvas/DataView.cpp: Removed.
      * html/canvas/DataView.h: Removed.
      * html/canvas/DataView.idl: Removed.
      * html/canvas/Float32Array.idl: Removed.
      * html/canvas/Float64Array.idl: Removed.
      * html/canvas/Int16Array.idl: Removed.
      * html/canvas/Int32Array.idl: Removed.
      * html/canvas/Int8Array.idl: Removed.
      * html/canvas/Uint16Array.idl: Removed.
      * html/canvas/Uint32Array.idl: Removed.
      * html/canvas/Uint8Array.idl: Removed.
      * html/canvas/Uint8ClampedArray.idl: Removed.
      * html/canvas/WebGLRenderingContext.cpp:
      (WebCore::WebGLRenderingContext::readPixels):
      (WebCore::WebGLRenderingContext::validateTexFuncData):
      * page/Crypto.cpp:
      * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
      (WebCore::MediaPlayerPrivateAVFoundationObjC::shouldWaitForLoadingOfResource):
      (WebCore::MediaPlayerPrivateAVFoundationObjC::extractKeyURIKeyIDAndCertificateFromInitData):
      * platform/graphics/filters/FECustomFilter.h:
      * platform/graphics/filters/FEGaussianBlur.cpp:
      * platform/graphics/filters/FilterEffect.cpp:
      * testing/MockCDM.cpp:
      
      Source/WebKit2: 
      
      Reviewed by Oliver Hunt.
              
      You don't need to include JSUint8Array anymore if you just want to
      unwrap one; JSDOMBinding gives you all of the things you need.
      
      * WebProcess/InjectedBundle/InjectedBundle.cpp:
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
              
      - Added the notion of a reference counted object that can be marked Deferred,
        which is like a special-purpose upref.
              
      - Added a common byte flipper.
      
      Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
      
      * GNUmakefile.list.am:
      * WTF.xcodeproj/project.pbxproj:
      * wtf/DeferrableRefCounted.h: Added.
      (WTF::DeferrableRefCountedBase::ref):
      (WTF::DeferrableRefCountedBase::hasOneRef):
      (WTF::DeferrableRefCountedBase::refCount):
      (WTF::DeferrableRefCountedBase::isDeferred):
      (WTF::DeferrableRefCountedBase::DeferrableRefCountedBase):
      (WTF::DeferrableRefCountedBase::~DeferrableRefCountedBase):
      (WTF::DeferrableRefCountedBase::derefBase):
      (WTF::DeferrableRefCountedBase::setIsDeferredBase):
      (WTF::DeferrableRefCounted::deref):
      (WTF::DeferrableRefCounted::setIsDeferred):
      (WTF::DeferrableRefCounted::DeferrableRefCounted):
      (WTF::DeferrableRefCounted::~DeferrableRefCounted):
      * wtf/FlipBytes.h: Added.
      (WTF::needToFlipBytesIfLittleEndian):
      (WTF::flipBytes):
      (WTF::flipBytesIfLittleEndian):
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * fast/canvas/webgl/array-set-invalid-arguments-expected.txt:
      * fast/canvas/webgl/array-set-out-of-bounds-expected.txt:
      * fast/canvas/webgl/array-unit-tests-expected.txt:
      * fast/canvas/webgl/array-unit-tests.html:
      * fast/canvas/webgl/data-view-crash-expected.txt:
      * fast/canvas/webgl/script-tests/arraybuffer-transfer-of-control.js:
      (checkView):
      * fast/dom/call-a-constructor-as-a-function-expected.txt:
      * fast/dom/call-a-constructor-as-a-function.html:
      * fast/js/constructor-length.html:
      * fast/js/global-constructors-attributes-dedicated-worker-expected.txt:
      * fast/js/global-constructors-attributes-expected.txt:
      * fast/js/global-constructors-attributes-shared-worker-expected.txt:
      * fast/js/regress/ArrayBuffer-Int8Array-alloc-expected.txt: Added.
      * fast/js/regress/ArrayBuffer-Int8Array-alloc-huge-long-lived-expected.txt: Added.
      * fast/js/regress/ArrayBuffer-Int8Array-alloc-huge-long-lived.html: Added.
      * fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-expected.txt: Added.
      * fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived.html: Added.
      * fast/js/regress/ArrayBuffer-Int8Array-alloc-long-lived-buffer-expected.txt: Added.
      * fast/js/regress/ArrayBuffer-Int8Array-alloc-long-lived-buffer.html: Added.
      * fast/js/regress/ArrayBuffer-Int8Array-alloc-long-lived-expected.txt: Added.
      * fast/js/regress/ArrayBuffer-Int8Array-alloc-long-lived.html: Added.
      * fast/js/regress/ArrayBuffer-Int8Array-alloc.html: Added.
      * fast/js/regress/Int32Array-Int8Array-view-alloc-expected.txt: Added.
      * fast/js/regress/Int32Array-Int8Array-view-alloc.html: Added.
      * fast/js/regress/Int32Array-alloc-expected.txt: Added.
      * fast/js/regress/Int32Array-alloc-huge-expected.txt: Added.
      * fast/js/regress/Int32Array-alloc-huge-long-lived-expected.txt: Added.
      * fast/js/regress/Int32Array-alloc-huge-long-lived.html: Added.
      * fast/js/regress/Int32Array-alloc-huge.html: Added.
      * fast/js/regress/Int32Array-alloc-large-expected.txt: Added.
      * fast/js/regress/Int32Array-alloc-large-long-lived-expected.txt: Added.
      * fast/js/regress/Int32Array-alloc-large-long-lived.html: Added.
      * fast/js/regress/Int32Array-alloc-large.html: Added.
      * fast/js/regress/Int32Array-alloc-long-lived-expected.txt: Added.
      * fast/js/regress/Int32Array-alloc-long-lived.html: Added.
      * fast/js/regress/Int32Array-alloc.html: Added.
      * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-huge-long-lived.js: Added.
      * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived.js: Added.
      * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-long-lived-buffer.js: Added.
      * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-long-lived.js: Added.
      * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc.js: Added.
      * fast/js/regress/script-tests/Int32Array-Int8Array-view-alloc.js: Added.
      * fast/js/regress/script-tests/Int32Array-alloc-huge-long-lived.js: Added.
      * fast/js/regress/script-tests/Int32Array-alloc-huge.js: Added.
      * fast/js/regress/script-tests/Int32Array-alloc-large-long-lived.js: Added.
      * fast/js/regress/script-tests/Int32Array-alloc-large.js: Added.
      * fast/js/regress/script-tests/Int32Array-alloc-long-lived.js: Added.
      * fast/js/regress/script-tests/Int32Array-alloc.js: Added.
      * platform/mac/fast/js/constructor-length-expected.txt:
      * webgl/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html:
      * webgl/resources/webgl_test_files/conformance/typedarrays/data-view-test.html:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154127 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0e0d9312
  7. 14 Aug, 2013 1 commit
    • Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked · 10ae2d0d
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=119770
      
      Reviewed by Mark Hahnenberg.
      
      Source/JavaScriptCore: 
      
      * API/JSCallbackConstructor.cpp:
      (JSC::JSCallbackConstructor::finishCreation):
      * API/JSCallbackConstructor.h:
      (JSC::JSCallbackConstructor::createStructure):
      * API/JSCallbackFunction.cpp:
      (JSC::JSCallbackFunction::finishCreation):
      * API/JSCallbackFunction.h:
      (JSC::JSCallbackFunction::createStructure):
      * API/JSCallbackObject.cpp:
      (JSC::::createStructure):
      * API/JSCallbackObject.h:
      (JSC::JSCallbackObject::visitChildren):
      * API/JSCallbackObjectFunctions.h:
      (JSC::::asCallbackObject):
      (JSC::::finishCreation):
      * API/JSObjectRef.cpp:
      (JSObjectGetPrivate):
      (JSObjectSetPrivate):
      (JSObjectGetPrivateProperty):
      (JSObjectSetPrivateProperty):
      (JSObjectDeletePrivateProperty):
      * API/JSValueRef.cpp:
      (JSValueIsObjectOfClass):
      * API/JSWeakObjectMapRefPrivate.cpp:
      * API/ObjCCallbackFunction.h:
      (JSC::ObjCCallbackFunction::createStructure):
      * JSCTypedArrayStubs.h:
      * bytecode/CallLinkStatus.cpp:
      (JSC::CallLinkStatus::CallLinkStatus):
      (JSC::CallLinkStatus::function):
      (JSC::CallLinkStatus::internalFunction):
      * bytecode/CodeBlock.h:
      (JSC::baselineCodeBlockForInlineCallFrame):
      * bytecode/SpeculatedType.cpp:
      (JSC::speculationFromClassInfo):
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::UnlinkedFunctionExecutable::visitChildren):
      (JSC::UnlinkedCodeBlock::visitChildren):
      (JSC::UnlinkedProgramCodeBlock::visitChildren):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC::UnlinkedFunctionExecutable::createStructure):
      (JSC::UnlinkedProgramCodeBlock::createStructure):
      (JSC::UnlinkedEvalCodeBlock::createStructure):
      (JSC::UnlinkedFunctionCodeBlock::createStructure):
      * debugger/Debugger.cpp:
      * debugger/DebuggerActivation.cpp:
      (JSC::DebuggerActivation::visitChildren):
      * debugger/DebuggerActivation.h:
      (JSC::DebuggerActivation::createStructure):
      * debugger/DebuggerCallFrame.cpp:
      (JSC::DebuggerCallFrame::functionName):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
      (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::isInternalFunctionConstant):
      * dfg/DFGOperations.cpp:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::compileNewStringObject):
      * dfg/DFGThunks.cpp:
      (JSC::DFG::virtualForThunkGenerator):
      * interpreter/Interpreter.cpp:
      (JSC::loadVarargs):
      * jsc.cpp:
      (GlobalObject::createStructure):
      * profiler/LegacyProfiler.cpp:
      (JSC::LegacyProfiler::createCallIdentifier):
      * runtime/Arguments.cpp:
      (JSC::Arguments::visitChildren):
      * runtime/Arguments.h:
      (JSC::Arguments::createStructure):
      (JSC::asArguments):
      (JSC::Arguments::finishCreation):
      * runtime/ArrayConstructor.cpp:
      (JSC::arrayConstructorIsArray):
      * runtime/ArrayConstructor.h:
      (JSC::ArrayConstructor::createStructure):
      * runtime/ArrayPrototype.cpp:
      (JSC::ArrayPrototype::finishCreation):
      (JSC::arrayProtoFuncConcat):
      (JSC::attemptFastSort):
      * runtime/ArrayPrototype.h:
      (JSC::ArrayPrototype::createStructure):
      * runtime/BooleanConstructor.h:
      (JSC::BooleanConstructor::createStructure):
      * runtime/BooleanObject.cpp:
      (JSC::BooleanObject::finishCreation):
      * runtime/BooleanObject.h:
      (JSC::BooleanObject::createStructure):
      (JSC::asBooleanObject):
      * runtime/BooleanPrototype.cpp:
      (JSC::BooleanPrototype::finishCreation):
      (JSC::booleanProtoFuncToString):
      (JSC::booleanProtoFuncValueOf):
      * runtime/BooleanPrototype.h:
      (JSC::BooleanPrototype::createStructure):
      * runtime/DateConstructor.cpp:
      (JSC::constructDate):
      * runtime/DateConstructor.h:
      (JSC::DateConstructor::createStructure):
      * runtime/DateInstance.cpp:
      (JSC::DateInstance::finishCreation):
      * runtime/DateInstance.h:
      (JSC::DateInstance::createStructure):
      (JSC::asDateInstance):
      * runtime/DatePrototype.cpp:
      (JSC::formateDateInstance):
      (JSC::DatePrototype::finishCreation):
      (JSC::dateProtoFuncToISOString):
      (JSC::dateProtoFuncToLocaleString):
      (JSC::dateProtoFuncToLocaleDateString):
      (JSC::dateProtoFuncToLocaleTimeString):
      (JSC::dateProtoFuncGetTime):
      (JSC::dateProtoFuncGetFullYear):
      (JSC::dateProtoFuncGetUTCFullYear):
      (JSC::dateProtoFuncGetMonth):
      (JSC::dateProtoFuncGetUTCMonth):
      (JSC::dateProtoFuncGetDate):
      (JSC::dateProtoFuncGetUTCDate):
      (JSC::dateProtoFuncGetDay):
      (JSC::dateProtoFuncGetUTCDay):
      (JSC::dateProtoFuncGetHours):
      (JSC::dateProtoFuncGetUTCHours):
      (JSC::dateProtoFuncGetMinutes):
      (JSC::dateProtoFuncGetUTCMinutes):
      (JSC::dateProtoFuncGetSeconds):
      (JSC::dateProtoFuncGetUTCSeconds):
      (JSC::dateProtoFuncGetMilliSeconds):
      (JSC::dateProtoFuncGetUTCMilliseconds):
      (JSC::dateProtoFuncGetTimezoneOffset):
      (JSC::dateProtoFuncSetTime):
      (JSC::setNewValueFromTimeArgs):
      (JSC::setNewValueFromDateArgs):
      (JSC::dateProtoFuncSetYear):
      (JSC::dateProtoFuncGetYear):
      * runtime/DatePrototype.h:
      (JSC::DatePrototype::createStructure):
      * runtime/Error.h:
      (JSC::StrictModeTypeErrorFunction::createStructure):
      * runtime/ErrorConstructor.h:
      (JSC::ErrorConstructor::createStructure):
      * runtime/ErrorInstance.cpp:
      (JSC::ErrorInstance::finishCreation):
      * runtime/ErrorInstance.h:
      (JSC::ErrorInstance::createStructure):
      * runtime/ErrorPrototype.cpp:
      (JSC::ErrorPrototype::finishCreation):
      * runtime/ErrorPrototype.h:
      (JSC::ErrorPrototype::createStructure):
      * runtime/ExceptionHelpers.cpp:
      (JSC::isTerminatedExecutionException):
      * runtime/ExceptionHelpers.h:
      (JSC::TerminatedExecutionError::createStructure):
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::visitChildren):
      (JSC::ProgramExecutable::visitChildren):
      (JSC::FunctionExecutable::visitChildren):
      (JSC::ExecutableBase::hashFor):
      * runtime/Executable.h:
      (JSC::ExecutableBase::createStructure):
      (JSC::NativeExecutable::createStructure):
      (JSC::EvalExecutable::createStructure):
      (JSC::ProgramExecutable::createStructure):
      (JSC::FunctionExecutable::compileFor):
      (JSC::FunctionExecutable::compileOptimizedFor):
      (JSC::FunctionExecutable::createStructure):
      * runtime/FunctionConstructor.h:
      (JSC::FunctionConstructor::createStructure):
      * runtime/FunctionPrototype.cpp:
      (JSC::functionProtoFuncToString):
      (JSC::functionProtoFuncApply):
      (JSC::functionProtoFuncBind):
      * runtime/FunctionPrototype.h:
      (JSC::FunctionPrototype::createStructure):
      * runtime/GetterSetter.cpp:
      (JSC::GetterSetter::visitChildren):
      * runtime/GetterSetter.h:
      (JSC::GetterSetter::createStructure):
      * runtime/InternalFunction.cpp:
      (JSC::InternalFunction::finishCreation):
      * runtime/InternalFunction.h:
      (JSC::InternalFunction::createStructure):
      (JSC::asInternalFunction):
      * runtime/JSAPIValueWrapper.h:
      (JSC::JSAPIValueWrapper::createStructure):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::visitChildren):
      (JSC::JSActivation::argumentsGetter):
      * runtime/JSActivation.h:
      (JSC::JSActivation::createStructure):
      (JSC::asActivation):
      * runtime/JSArray.h:
      (JSC::JSArray::createStructure):
      (JSC::asArray):
      (JSC::isJSArray):
      * runtime/JSBoundFunction.cpp:
      (JSC::JSBoundFunction::finishCreation):
      (JSC::JSBoundFunction::visitChildren):
      * runtime/JSBoundFunction.h:
      (JSC::JSBoundFunction::createStructure):
      * runtime/JSCJSValue.cpp:
      (JSC::JSValue::dumpInContext):
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::isFunction):
      * runtime/JSCell.h:
      (JSC::jsCast):
      (JSC::jsDynamicCast):
      * runtime/JSCellInlines.h:
      (JSC::allocateCell):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::finishCreation):
      (JSC::JSFunction::visitChildren):
      (JSC::skipOverBoundFunctions):
      (JSC::JSFunction::callerGetter):
      * runtime/JSFunction.h:
      (JSC::JSFunction::createStructure):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::visitChildren):
      (JSC::slowValidateCell):
      * runtime/JSGlobalObject.h:
      (JSC::JSGlobalObject::createStructure):
      * runtime/JSNameScope.cpp:
      (JSC::JSNameScope::visitChildren):
      * runtime/JSNameScope.h:
      (JSC::JSNameScope::createStructure):
      * runtime/JSNotAnObject.h:
      (JSC::JSNotAnObject::createStructure):
      * runtime/JSONObject.cpp:
      (JSC::JSONObject::finishCreation):
      (JSC::unwrapBoxedPrimitive):
      (JSC::Stringifier::Stringifier):
      (JSC::Stringifier::appendStringifiedValue):
      (JSC::Stringifier::Holder::Holder):
      (JSC::Walker::walk):
      (JSC::JSONProtoFuncStringify):
      * runtime/JSONObject.h:
      (JSC::JSONObject::createStructure):
      * runtime/JSObject.cpp:
      (JSC::getCallableObjectSlow):
      (JSC::JSObject::visitChildren):
      (JSC::JSObject::copyBackingStore):
      (JSC::JSFinalObject::visitChildren):
      (JSC::JSObject::ensureInt32Slow):
      (JSC::JSObject::ensureDoubleSlow):
      (JSC::JSObject::ensureContiguousSlow):
      (JSC::JSObject::ensureArrayStorageSlow):
      * runtime/JSObject.h:
      (JSC::JSObject::finishCreation):
      (JSC::JSObject::createStructure):
      (JSC::JSNonFinalObject::createStructure):
      (JSC::JSFinalObject::createStructure):
      (JSC::isJSFinalObject):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::visitChildren):
      * runtime/JSPropertyNameIterator.h:
      (JSC::JSPropertyNameIterator::createStructure):
      * runtime/JSProxy.cpp:
      (JSC::JSProxy::visitChildren):
      * runtime/JSProxy.h:
      (JSC::JSProxy::createStructure):
      * runtime/JSScope.cpp:
      (JSC::JSScope::visitChildren):
      * runtime/JSSegmentedVariableObject.cpp:
      (JSC::JSSegmentedVariableObject::visitChildren):
      * runtime/JSString.h:
      (JSC::JSString::createStructure):
      (JSC::isJSString):
      * runtime/JSSymbolTableObject.cpp:
      (JSC::JSSymbolTableObject::visitChildren):
      * runtime/JSVariableObject.h:
      * runtime/JSWithScope.cpp:
      (JSC::JSWithScope::visitChildren):
      * runtime/JSWithScope.h:
      (JSC::JSWithScope::createStructure):
      * runtime/JSWrapperObject.cpp:
      (JSC::JSWrapperObject::visitChildren):
      * runtime/JSWrapperObject.h:
      (JSC::JSWrapperObject::createStructure):
      * runtime/MathObject.cpp:
      (JSC::MathObject::finishCreation):
      * runtime/MathObject.h:
      (JSC::MathObject::createStructure):
      * runtime/NameConstructor.h:
      (JSC::NameConstructor::createStructure):
      * runtime/NameInstance.h:
      (JSC::NameInstance::createStructure):
      (JSC::NameInstance::finishCreation):
      * runtime/NamePrototype.cpp:
      (JSC::NamePrototype::finishCreation):
      (JSC::privateNameProtoFuncToString):
      * runtime/NamePrototype.h:
      (JSC::NamePrototype::createStructure):
      * runtime/NativeErrorConstructor.cpp:
      (JSC::NativeErrorConstructor::visitChildren):
      * runtime/NativeErrorConstructor.h:
      (JSC::NativeErrorConstructor::createStructure):
      (JSC::NativeErrorConstructor::finishCreation):
      * runtime/NumberConstructor.cpp:
      (JSC::NumberConstructor::finishCreation):
      * runtime/NumberConstructor.h:
      (JSC::NumberConstructor::createStructure):
      * runtime/NumberObject.cpp:
      (JSC::NumberObject::finishCreation):
      * runtime/NumberObject.h:
      (JSC::NumberObject::createStructure):
      * runtime/NumberPrototype.cpp:
      (JSC::NumberPrototype::finishCreation):
      * runtime/NumberPrototype.h:
      (JSC::NumberPrototype::createStructure):
      * runtime/ObjectConstructor.h:
      (JSC::ObjectConstructor::createStructure):
      * runtime/ObjectPrototype.cpp:
      (JSC::ObjectPrototype::finishCreation):
      * runtime/ObjectPrototype.h:
      (JSC::ObjectPrototype::createStructure):
      * runtime/PropertyMapHashTable.h:
      (JSC::PropertyTable::createStructure):
      * runtime/PropertyTable.cpp:
      (JSC::PropertyTable::visitChildren):
      * runtime/RegExp.h:
      (JSC::RegExp::createStructure):
      * runtime/RegExpConstructor.cpp:
      (JSC::RegExpConstructor::finishCreation):
      (JSC::RegExpConstructor::visitChildren):
      (JSC::constructRegExp):
      * runtime/RegExpConstructor.h:
      (JSC::RegExpConstructor::createStructure):
      (JSC::asRegExpConstructor):
      * runtime/RegExpMatchesArray.cpp:
      (JSC::RegExpMatchesArray::visitChildren):
      * runtime/RegExpMatchesArray.h:
      (JSC::RegExpMatchesArray::createStructure):
      * runtime/RegExpObject.cpp:
      (JSC::RegExpObject::finishCreation):
      (JSC::RegExpObject::visitChildren):
      * runtime/RegExpObject.h:
      (JSC::RegExpObject::createStructure):
      (JSC::asRegExpObject):
      * runtime/RegExpPrototype.cpp:
      (JSC::regExpProtoFuncTest):
      (JSC::regExpProtoFuncExec):
      (JSC::regExpProtoFuncCompile):
      (JSC::regExpProtoFuncToString):
      * runtime/RegExpPrototype.h:
      (JSC::RegExpPrototype::createStructure):
      * runtime/SparseArrayValueMap.cpp:
      (JSC::SparseArrayValueMap::createStructure):
      * runtime/SparseArrayValueMap.h:
      * runtime/StrictEvalActivation.h:
      (JSC::StrictEvalActivation::createStructure):
      * runtime/StringConstructor.h:
      (JSC::StringConstructor::createStructure):
      * runtime/StringObject.cpp:
      (JSC::StringObject::finishCreation):
      * runtime/StringObject.h:
      (JSC::StringObject::createStructure):
      (JSC::asStringObject):
      * runtime/StringPrototype.cpp:
      (JSC::StringPrototype::finishCreation):
      (JSC::stringProtoFuncReplace):
      (JSC::stringProtoFuncToString):
      (JSC::stringProtoFuncMatch):
      (JSC::stringProtoFuncSearch):
      (JSC::stringProtoFuncSplit):
      * runtime/StringPrototype.h:
      (JSC::StringPrototype::createStructure):
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      (JSC::Structure::materializePropertyMap):
      (JSC::Structure::get):
      (JSC::Structure::visitChildren):
      * runtime/Structure.h:
      (JSC::Structure::typeInfo):
      (JSC::Structure::previousID):
      (JSC::Structure::outOfLineSize):
      (JSC::Structure::totalStorageCapacity):
      (JSC::Structure::materializePropertyMapIfNecessary):
      (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
      * runtime/StructureChain.cpp:
      (JSC::StructureChain::visitChildren):
      * runtime/StructureChain.h:
      (JSC::StructureChain::createStructure):
      * runtime/StructureInlines.h:
      (JSC::Structure::get):
      * runtime/StructureRareData.cpp:
      (JSC::StructureRareData::createStructure):
      (JSC::StructureRareData::visitChildren):
      * runtime/StructureRareData.h:
      * runtime/SymbolTable.h:
      (JSC::SharedSymbolTable::createStructure):
      * runtime/VM.cpp:
      (JSC::VM::VM):
      (JSC::StackPreservingRecompiler::operator()):
      (JSC::VM::releaseExecutableMemory):
      * runtime/WriteBarrier.h:
      (JSC::validateCell):
      * testRegExp.cpp:
      (GlobalObject::createStructure):
      
      Source/WebCore: 
      
      No new tests because no new behavior.
      
      * bindings/js/IDBBindingUtilities.cpp:
      (WebCore::createIDBKeyFromValue):
      * bindings/js/JSAttrCustom.cpp:
      (WebCore::JSAttr::visitChildren):
      * bindings/js/JSAudioTrackCustom.cpp:
      (WebCore::JSAudioTrack::visitChildren):
      * bindings/js/JSAudioTrackListCustom.cpp:
      (WebCore::JSAudioTrackList::visitChildren):
      * bindings/js/JSBlobCustom.cpp:
      (WebCore::JSBlobConstructor::constructJSBlob):
      * bindings/js/JSCSSRuleCustom.cpp:
      (WebCore::JSCSSRule::visitChildren):
      * bindings/js/JSCSSStyleDeclarationCustom.cpp:
      (WebCore::JSCSSStyleDeclaration::visitChildren):
      (WebCore::JSCSSStyleDeclaration::getOwnPropertyNames):
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::toHTMLCanvasStyle):
      * bindings/js/JSCanvasRenderingContextCustom.cpp:
      (WebCore::JSCanvasRenderingContext::visitChildren):
      * bindings/js/JSDOMBinding.cpp:
      (WebCore::valueToDate):
      * bindings/js/JSDOMBinding.h:
      (WebCore::DOMConstructorObject::createStructure):
      (WebCore::getDOMStructure):
      (WebCore::toRefPtrNativeArray):
      (WebCore::getStaticValueSlotEntryWithoutCaching):
      * bindings/js/JSDOMFormDataCustom.cpp:
      (WebCore::toHTMLFormElement):
      (WebCore::JSDOMFormData::append):
      * bindings/js/JSDOMGlobalObject.cpp:
      (WebCore::JSDOMGlobalObject::finishCreation):
      (WebCore::JSDOMGlobalObject::scriptExecutionContext):
      (WebCore::JSDOMGlobalObject::visitChildren):
      * bindings/js/JSDOMGlobalObject.h:
      (WebCore::JSDOMGlobalObject::info):
      (WebCore::JSDOMGlobalObject::createStructure):
      (WebCore::getDOMConstructor):
      * bindings/js/JSDOMStringListCustom.cpp:
      (WebCore::toDOMStringList):
      * bindings/js/JSDOMWindowBase.cpp:
      (WebCore::JSDOMWindowBase::finishCreation):
      (WebCore::toJSDOMWindow):
      * bindings/js/JSDOMWindowBase.h:
      (WebCore::JSDOMWindowBase::createStructure):
      * bindings/js/JSDOMWindowCustom.cpp:
      (WebCore::JSDOMWindow::visitChildren):
      (WebCore::JSDOMWindow::getOwnPropertySlot):
      (WebCore::JSDOMWindow::getOwnPropertyDescriptor):
      (WebCore::toDOMWindow):
      * bindings/js/JSDOMWindowShell.cpp:
      (WebCore::JSDOMWindowShell::finishCreation):
      * bindings/js/JSDOMWindowShell.h:
      (WebCore::JSDOMWindowShell::createStructure):
      * bindings/js/JSEventTargetCustom.cpp:
      (WebCore::toEventTarget):
      * bindings/js/JSHistoryCustom.cpp:
      (WebCore::JSHistory::getOwnPropertySlotDelegate):
      (WebCore::JSHistory::getOwnPropertyDescriptorDelegate):
      * bindings/js/JSImageConstructor.cpp:
      (WebCore::JSImageConstructor::finishCreation):
      * bindings/js/JSImageConstructor.h:
      (WebCore::JSImageConstructor::createStructure):
      * bindings/js/JSInjectedScriptHostCustom.cpp:
      (WebCore::JSInjectedScriptHost::isHTMLAllCollection):
      (WebCore::JSInjectedScriptHost::type):
      (WebCore::JSInjectedScriptHost::functionDetails):
      * bindings/js/JSInspectorFrontendHostCustom.cpp:
      (WebCore::populateContextMenuItems):
      * bindings/js/JSLocationCustom.cpp:
      (WebCore::JSLocation::getOwnPropertySlotDelegate):
      (WebCore::JSLocation::getOwnPropertyDescriptorDelegate):
      (WebCore::JSLocation::putDelegate):
      * bindings/js/JSMessageChannelCustom.cpp:
      (WebCore::JSMessageChannel::visitChildren):
      * bindings/js/JSMessagePortCustom.cpp:
      (WebCore::JSMessagePort::visitChildren):
      * bindings/js/JSNodeCustom.cpp:
      (WebCore::JSNode::pushEventHandlerScope):
      (WebCore::JSNode::visitChildren):
      * bindings/js/JSNodeFilterCustom.cpp:
      (WebCore::JSNodeFilter::visitChildren):
      (WebCore::toNodeFilter):
      * bindings/js/JSNodeIteratorCustom.cpp:
      (WebCore::JSNodeIterator::visitChildren):
      * bindings/js/JSPluginElementFunctions.h:
      (WebCore::pluginElementCustomGetOwnPropertySlot):
      (WebCore::pluginElementCustomGetOwnPropertyDescriptor):
      * bindings/js/JSSVGElementInstanceCustom.cpp:
      (WebCore::JSSVGElementInstance::visitChildren):
      * bindings/js/JSSharedWorkerCustom.cpp:
      (WebCore::JSSharedWorker::visitChildren):
      * bindings/js/JSStyleSheetCustom.cpp:
      (WebCore::JSStyleSheet::visitChildren):
      * bindings/js/JSTextTrackCueCustom.cpp:
      (WebCore::JSTextTrackCue::visitChildren):
      * bindings/js/JSTextTrackCustom.cpp:
      (WebCore::JSTextTrack::visitChildren):
      * bindings/js/JSTextTrackListCustom.cpp:
      (WebCore::JSTextTrackList::visitChildren):
      * bindings/js/JSTrackCustom.cpp:
      (WebCore::toTrack):
      * bindings/js/JSTreeWalkerCustom.cpp:
      (WebCore::JSTreeWalker::visitChildren):
      * bindings/js/JSVideoTrackCustom.cpp:
      (WebCore::JSVideoTrack::visitChildren):
      * bindings/js/JSVideoTrackListCustom.cpp:
      (WebCore::JSVideoTrackList::visitChildren):
      * bindings/js/JSWebGLRenderingContextCustom.cpp:
      (WebCore::JSWebGLRenderingContext::visitChildren):
      (WebCore::JSWebGLRenderingContext::getAttachedShaders):
      (WebCore::JSWebGLRenderingContext::getProgramParameter):
      (WebCore::JSWebGLRenderingContext::getShaderParameter):
      (WebCore::JSWebGLRenderingContext::getUniform):
      (WebCore::dataFunctionf):
      (WebCore::dataFunctioni):
      (WebCore::dataFunctionMatrix):
      * bindings/js/JSWorkerGlobalScopeBase.cpp:
      (WebCore::JSWorkerGlobalScopeBase::finishCreation):
      (WebCore::toJSDedicatedWorkerGlobalScope):
      (WebCore::toJSSharedWorkerGlobalScope):
      * bindings/js/JSWorkerGlobalScopeBase.h:
      (WebCore::JSWorkerGlobalScopeBase::createStructure):
      * bindings/js/JSWorkerGlobalScopeCustom.cpp:
      (WebCore::JSWorkerGlobalScope::visitChildren):
      * bindings/js/JSXMLHttpRequestCustom.cpp:
      (WebCore::JSXMLHttpRequest::visitChildren):
      (WebCore::JSXMLHttpRequest::send):
      * bindings/js/JSXPathResultCustom.cpp:
      (WebCore::JSXPathResult::visitChildren):
      * bindings/js/ScriptDebugServer.cpp:
      (WebCore::ScriptDebugServer::dispatchDidPause):
      * bindings/js/ScriptState.cpp:
      (WebCore::domWindowFromScriptState):
      (WebCore::scriptExecutionContextFromScriptState):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneSerializer::isArray):
      (WebCore::CloneSerializer::dumpArrayBufferView):
      (WebCore::CloneSerializer::dumpIfTerminal):
      (WebCore::CloneSerializer::serialize):
      (WebCore::CloneDeserializer::CloneDeserializer):
      (WebCore::CloneDeserializer::readArrayBufferView):
      * bindings/objc/DOM.mm:
      (+[DOMNode _nodeFromJSWrapper:]):
      * bindings/objc/DOMUtility.mm:
      (JSC::createDOMWrapper):
      * bindings/objc/WebScriptObject.mm:
      (+[WebScriptObject _convertValueToObjcValue:JSC::originRootObject:rootObject:]):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateGetOwnPropertySlotBody):
      (GenerateGetOwnPropertyDescriptorBody):
      (GenerateHeader):
      (GenerateParametersCheckExpression):
      (GenerateImplementation):
      (GenerateParametersCheck):
      (GenerateConstructorDeclaration):
      (GenerateConstructorHelperMethods):
      * bindings/scripts/test/JS/JSFloat64Array.cpp:
      (WebCore::JSFloat64ArrayConstructor::finishCreation):
      (WebCore::JSFloat64Array::finishCreation):
      (WebCore::JSFloat64Array::getOwnPropertySlot):
      (WebCore::JSFloat64Array::getOwnPropertyDescriptor):
      (WebCore::JSFloat64Array::getOwnPropertySlotByIndex):
      (WebCore::JSFloat64Array::put):
      (WebCore::JSFloat64Array::putByIndex):
      (WebCore::JSFloat64Array::getOwnPropertyNames):
      (WebCore::jsFloat64ArrayPrototypeFunctionFoo):
      (WebCore::jsFloat64ArrayPrototypeFunctionSet):
      (WebCore::JSFloat64Array::getByIndex):
      (WebCore::toFloat64Array):
      * bindings/scripts/test/JS/JSFloat64Array.h:
      (WebCore::JSFloat64Array::createStructure):
      (WebCore::JSFloat64ArrayPrototype::createStructure):
      (WebCore::JSFloat64ArrayConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
      (WebCore::JSTestActiveDOMObjectConstructor::finishCreation):
      (WebCore::JSTestActiveDOMObject::finishCreation):
      (WebCore::JSTestActiveDOMObject::getOwnPropertySlot):
      (WebCore::JSTestActiveDOMObject::getOwnPropertyDescriptor):
      (WebCore::jsTestActiveDOMObjectPrototypeFunctionExcitingFunction):
      (WebCore::jsTestActiveDOMObjectPrototypeFunctionPostMessage):
      (WebCore::toTestActiveDOMObject):
      * bindings/scripts/test/JS/JSTestActiveDOMObject.h:
      (WebCore::JSTestActiveDOMObject::createStructure):
      (WebCore::JSTestActiveDOMObjectPrototype::createStructure):
      (WebCore::JSTestActiveDOMObjectConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
      (WebCore::JSTestCustomNamedGetterConstructor::finishCreation):
      (WebCore::JSTestCustomNamedGetter::finishCreation):
      (WebCore::JSTestCustomNamedGetter::getOwnPropertySlot):
      (WebCore::JSTestCustomNamedGetter::getOwnPropertyDescriptor):
      (WebCore::JSTestCustomNamedGetter::getOwnPropertySlotByIndex):
      (WebCore::jsTestCustomNamedGetterPrototypeFunctionAnotherFunction):
      (WebCore::toTestCustomNamedGetter):
      * bindings/scripts/test/JS/JSTestCustomNamedGetter.h:
      (WebCore::JSTestCustomNamedGetter::createStructure):
      (WebCore::JSTestCustomNamedGetterPrototype::createStructure):
      (WebCore::JSTestCustomNamedGetterConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestEventConstructor.cpp:
      (WebCore::JSTestEventConstructorConstructor::finishCreation):
      (WebCore::JSTestEventConstructor::finishCreation):
      (WebCore::JSTestEventConstructor::getOwnPropertySlot):
      (WebCore::JSTestEventConstructor::getOwnPropertyDescriptor):
      (WebCore::toTestEventConstructor):
      * bindings/scripts/test/JS/JSTestEventConstructor.h:
      (WebCore::JSTestEventConstructor::createStructure):
      (WebCore::JSTestEventConstructorPrototype::createStructure):
      (WebCore::JSTestEventConstructorConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestEventTarget.cpp:
      (WebCore::JSTestEventTargetConstructor::finishCreation):
      (WebCore::JSTestEventTarget::finishCreation):
      (WebCore::JSTestEventTarget::getOwnPropertySlot):
      (WebCore::JSTestEventTarget::getOwnPropertyDescriptor):
      (WebCore::JSTestEventTarget::getOwnPropertySlotByIndex):
      (WebCore::JSTestEventTarget::getOwnPropertyNames):
      (WebCore::jsTestEventTargetPrototypeFunctionItem):
      (WebCore::jsTestEventTargetPrototypeFunctionAddEventListener):
      (WebCore::jsTestEventTargetPrototypeFunctionRemoveEventListener):
      (WebCore::jsTestEventTargetPrototypeFunctionDispatchEvent):
      (WebCore::JSTestEventTarget::visitChildren):
      (WebCore::JSTestEventTarget::indexGetter):
      (WebCore::toTestEventTarget):
      * bindings/scripts/test/JS/JSTestEventTarget.h:
      (WebCore::JSTestEventTarget::createStructure):
      (WebCore::JSTestEventTargetPrototype::createStructure):
      (WebCore::JSTestEventTargetConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestException.cpp:
      (WebCore::JSTestExceptionConstructor::finishCreation):
      (WebCore::JSTestException::finishCreation):
      (WebCore::JSTestException::getOwnPropertySlot):
      (WebCore::JSTestException::getOwnPropertyDescriptor):
      (WebCore::toTestException):
      * bindings/scripts/test/JS/JSTestException.h:
      (WebCore::JSTestException::createStructure):
      (WebCore::JSTestExceptionPrototype::createStructure):
      (WebCore::JSTestExceptionConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestInterface.cpp:
      (WebCore::JSTestInterfaceConstructor::finishCreation):
      (WebCore::JSTestInterface::finishCreation):
      (WebCore::JSTestInterface::getOwnPropertySlot):
      (WebCore::JSTestInterface::getOwnPropertyDescriptor):
      (WebCore::JSTestInterface::put):
      (WebCore::JSTestInterface::putByIndex):
      (WebCore::jsTestInterfacePrototypeFunctionImplementsMethod1):
      (WebCore::jsTestInterfacePrototypeFunctionImplementsMethod2):
      (WebCore::jsTestInterfacePrototypeFunctionImplementsMethod3):
      (WebCore::jsTestInterfacePrototypeFunctionSupplementalMethod1):
      (WebCore::jsTestInterfacePrototypeFunctionSupplementalMethod2):
      (WebCore::jsTestInterfacePrototypeFunctionSupplementalMethod3):
      (WebCore::toTestInterface):
      * bindings/scripts/test/JS/JSTestInterface.h:
      (WebCore::JSTestInterface::createStructure):
      (WebCore::JSTestInterfacePrototype::createStructure):
      (WebCore::JSTestInterfaceConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:
      (WebCore::JSTestMediaQueryListListenerConstructor::finishCreation):
      (WebCore::JSTestMediaQueryListListener::finishCreation):
      (WebCore::JSTestMediaQueryListListener::getOwnPropertySlot):
      (WebCore::JSTestMediaQueryListListener::getOwnPropertyDescriptor):
      (WebCore::jsTestMediaQueryListListenerPrototypeFunctionMethod):
      (WebCore::toTestMediaQueryListListener):
      * bindings/scripts/test/JS/JSTestMediaQueryListListener.h:
      (WebCore::JSTestMediaQueryListListener::createStructure):
      (WebCore::JSTestMediaQueryListListenerPrototype::createStructure):
      (WebCore::JSTestMediaQueryListListenerConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestNamedConstructor.cpp:
      (WebCore::JSTestNamedConstructorConstructor::finishCreation):
      (WebCore::JSTestNamedConstructorNamedConstructor::finishCreation):
      (WebCore::JSTestNamedConstructor::finishCreation):
      (WebCore::JSTestNamedConstructor::getOwnPropertySlot):
      (WebCore::JSTestNamedConstructor::getOwnPropertyDescriptor):
      (WebCore::toTestNamedConstructor):
      * bindings/scripts/test/JS/JSTestNamedConstructor.h:
      (WebCore::JSTestNamedConstructor::createStructure):
      (WebCore::JSTestNamedConstructorPrototype::createStructure):
      (WebCore::JSTestNamedConstructorConstructor::createStructure):
      (WebCore::JSTestNamedConstructorNamedConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestNode.cpp:
      (WebCore::JSTestNodeConstructor::finishCreation):
      (WebCore::JSTestNode::finishCreation):
      (WebCore::JSTestNode::getOwnPropertySlot):
      (WebCore::JSTestNode::getOwnPropertyDescriptor):
      (WebCore::JSTestNode::visitChildren):
      * bindings/scripts/test/JS/JSTestNode.h:
      (WebCore::JSTestNode::createStructure):
      (WebCore::JSTestNodePrototype::createStructure):
      (WebCore::JSTestNodeConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestObj.cpp:
      (WebCore::JSTestObjConstructor::finishCreation):
      (WebCore::JSTestObj::finishCreation):
      (WebCore::JSTestObj::getOwnPropertySlot):
      (WebCore::JSTestObj::getOwnPropertyDescriptor):
      (WebCore::JSTestObj::put):
      (WebCore::jsTestObjPrototypeFunctionVoidMethod):
      (WebCore::jsTestObjPrototypeFunctionVoidMethodWithArgs):
      (WebCore::jsTestObjPrototypeFunctionByteMethod):
      (WebCore::jsTestObjPrototypeFunctionByteMethodWithArgs):
      (WebCore::jsTestObjPrototypeFunctionOctetMethod):
      (WebCore::jsTestObjPrototypeFunctionOctetMethodWithArgs):
      (WebCore::jsTestObjPrototypeFunctionLongMethod):
      (WebCore::jsTestObjPrototypeFunctionLongMethodWithArgs):
      (WebCore::jsTestObjPrototypeFunctionObjMethod):
      (WebCore::jsTestObjPrototypeFunctionObjMethodWithArgs):
      (WebCore::jsTestObjPrototypeFunctionMethodWithSequenceArg):
      (WebCore::jsTestObjPrototypeFunctionMethodReturningSequence):
      (WebCore::jsTestObjPrototypeFunctionMethodWithEnumArg):
      (WebCore::jsTestObjPrototypeFunctionMethodThatRequiresAllArgsAndThrows):
      (WebCore::jsTestObjPrototypeFunctionSerializedValue):
      (WebCore::jsTestObjPrototypeFunctionOptionsObject):
      (WebCore::jsTestObjPrototypeFunctionMethodWithException):
      (WebCore::jsTestObjPrototypeFunctionCustomMethod):
      (WebCore::jsTestObjPrototypeFunctionCustomMethodWithArgs):
      (WebCore::jsTestObjPrototypeFunctionAddEventListener):
      (WebCore::jsTestObjPrototypeFunctionRemoveEventListener):
      (WebCore::jsTestObjPrototypeFunctionWithScriptStateVoid):
      (WebCore::jsTestObjPrototypeFunctionWithScriptStateObj):
      (WebCore::jsTestObjPrototypeFunctionWithScriptStateVoidException):
      (WebCore::jsTestObjPrototypeFunctionWithScriptStateObjException):
      (WebCore::jsTestObjPrototypeFunctionWithScriptExecutionContext):
      (WebCore::jsTestObjPrototypeFunctionWithScriptExecutionContextAndScriptState):
      (WebCore::jsTestObjPrototypeFunctionWithScriptExecutionContextAndScriptStateObjException):
      (WebCore::jsTestObjPrototypeFunctionWithScriptExecutionContextAndScriptStateWithSpaces):
      (WebCore::jsTestObjPrototypeFunctionWithScriptArgumentsAndCallStack):
      (WebCore::jsTestObjPrototypeFunctionMethodWithOptionalArg):
      (WebCore::jsTestObjPrototypeFunctionMethodWithNonOptionalArgAndOptionalArg):
      (WebCore::jsTestObjPrototypeFunctionMethodWithNonOptionalArgAndTwoOptionalArgs):
      (WebCore::jsTestObjPrototypeFunctionMethodWithOptionalString):
      (WebCore::jsTestObjPrototypeFunctionMethodWithOptionalStringIsUndefined):
      (WebCore::jsTestObjPrototypeFunctionMethodWithOptionalStringIsNullString):
      (WebCore::jsTestObjPrototypeFunctionMethodWithCallbackArg):
      (WebCore::jsTestObjPrototypeFunctionMethodWithNonCallbackArgAndCallbackArg):
      (WebCore::jsTestObjPrototypeFunctionMethodWithCallbackAndOptionalArg):
      (WebCore::jsTestObjPrototypeFunctionConditionalMethod1):
      (WebCore::jsTestObjPrototypeFunctionConditionalMethod2):
      (WebCore::jsTestObjPrototypeFunctionConditionalMethod3):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod1):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod2):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod3):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod4):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod5):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod6):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod7):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod8):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod9):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod10):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod11):
      (WebCore::jsTestObjPrototypeFunctionOverloadedMethod):
      (WebCore::jsTestObjPrototypeFunctionClassMethodWithClamp):
      (WebCore::jsTestObjPrototypeFunctionMethodWithUnsignedLongSequence):
      (WebCore::jsTestObjPrototypeFunctionStringArrayFunction):
      (WebCore::jsTestObjPrototypeFunctionDomStringListFunction):
      (WebCore::jsTestObjPrototypeFunctionGetSVGDocument):
      (WebCore::jsTestObjPrototypeFunctionConvert1):
      (WebCore::jsTestObjPrototypeFunctionConvert2):
      (WebCore::jsTestObjPrototypeFunctionConvert4):
      (WebCore::jsTestObjPrototypeFunctionConvert5):
      (WebCore::jsTestObjPrototypeFunctionMutablePointFunction):
      (WebCore::jsTestObjPrototypeFunctionImmutablePointFunction):
      (WebCore::jsTestObjPrototypeFunctionOrange):
      (WebCore::jsTestObjPrototypeFunctionStrictFunction):
      (WebCore::jsTestObjPrototypeFunctionVariadicStringMethod):
      (WebCore::jsTestObjPrototypeFunctionVariadicDoubleMethod):
      (WebCore::jsTestObjPrototypeFunctionVariadicNodeMethod):
      (WebCore::JSTestObj::visitChildren):
      (WebCore::toTestObj):
      * bindings/scripts/test/JS/JSTestObj.h:
      (WebCore::JSTestObj::createStructure):
      (WebCore::JSTestObjPrototype::createStructure):
      (WebCore::JSTestObjConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:
      (WebCore::JSTestOverloadedConstructorsConstructor::constructJSTestOverloadedConstructors):
      (WebCore::JSTestOverloadedConstructorsConstructor::finishCreation):
      (WebCore::JSTestOverloadedConstructors::finishCreation):
      (WebCore::JSTestOverloadedConstructors::getOwnPropertySlot):
      (WebCore::JSTestOverloadedConstructors::getOwnPropertyDescriptor):
      (WebCore::toTestOverloadedConstructors):
      * bindings/scripts/test/JS/JSTestOverloadedConstructors.h:
      (WebCore::JSTestOverloadedConstructors::createStructure):
      (WebCore::JSTestOverloadedConstructorsPrototype::createStructure):
      (WebCore::JSTestOverloadedConstructorsConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:
      (WebCore::JSTestSerializedScriptValueInterfaceConstructor::finishCreation):
      (WebCore::JSTestSerializedScriptValueInterface::finishCreation):
      (WebCore::JSTestSerializedScriptValueInterface::getOwnPropertySlot):
      (WebCore::JSTestSerializedScriptValueInterface::getOwnPropertyDescriptor):
      (WebCore::JSTestSerializedScriptValueInterface::put):
      (WebCore::JSTestSerializedScriptValueInterface::visitChildren):
      (WebCore::toTestSerializedScriptValueInterface):
      * bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.h:
      (WebCore::JSTestSerializedScriptValueInterface::createStructure):
      (WebCore::JSTestSerializedScriptValueInterfacePrototype::createStructure):
      (WebCore::JSTestSerializedScriptValueInterfaceConstructor::createStructure):
      * bindings/scripts/test/JS/JSTestTypedefs.cpp:
      (WebCore::JSTestTypedefsConstructor::finishCreation):
      (WebCore::JSTestTypedefs::finishCreation):
      (WebCore::JSTestTypedefs::getOwnPropertySlot):
      (WebCore::JSTestTypedefs::getOwnPropertyDescriptor):
      (WebCore::JSTestTypedefs::put):
      (WebCore::jsTestTypedefsPrototypeFunctionFunc):
      (WebCore::jsTestTypedefsPrototypeFunctionSetShadow):
      (WebCore::jsTestTypedefsPrototypeFunctionMethodWithSequenceArg):
      (WebCore::jsTestTypedefsPrototypeFunctionNullableArrayArg):
      (WebCore::jsTestTypedefsPrototypeFunctionFuncWithClamp):
      (WebCore::jsTestTypedefsPrototypeFunctionImmutablePointFunction):
      (WebCore::jsTestTypedefsPrototypeFunctionStringArrayFunction):
      (WebCore::jsTestTypedefsPrototypeFunctionStringArrayFunction2):
      (WebCore::jsTestTypedefsPrototypeFunctionMethodWithException):
      (WebCore::toTestTypedefs):
      * bindings/scripts/test/JS/JSTestTypedefs.h:
      (WebCore::JSTestTypedefs::createStructure):
      (WebCore::JSTestTypedefsPrototype::createStructure):
      (WebCore::JSTestTypedefsConstructor::createStructure):
      * bridge/c/CRuntimeObject.cpp:
      (JSC::Bindings::CRuntimeObject::finishCreation):
      * bridge/c/CRuntimeObject.h:
      (JSC::Bindings::CRuntimeObject::createStructure):
      * bridge/c/c_instance.cpp:
      (JSC::Bindings::CRuntimeMethod::createStructure):
      (JSC::Bindings::CRuntimeMethod::finishCreation):
      (JSC::Bindings::CInstance::invokeMethod):
      * bridge/c/c_utility.cpp:
      (JSC::Bindings::convertValueToNPVariant):
      * bridge/objc/ObjCRuntimeObject.h:
      (JSC::Bindings::ObjCRuntimeObject::createStructure):
      * bridge/objc/objc_instance.mm:
      (ObjCRuntimeMethod::finishCreation):
      (ObjcInstance::invokeMethod):
      * bridge/objc/objc_runtime.h:
      (JSC::Bindings::ObjcFallbackObjectImp::createStructure):
      * bridge/objc/objc_runtime.mm:
      (JSC::Bindings::ObjcFallbackObjectImp::finishCreation):
      (JSC::Bindings::callObjCFallbackObject):
      * bridge/qt/qt_instance.cpp:
      (JSC::Bindings::QtRuntimeObject::createStructure):
      (JSC::Bindings::QtInstance::getInstance):
      * bridge/qt/qt_pixmapruntime.cpp:
      (JSC::Bindings::assignToHTMLImageElement):
      (JSC::Bindings::QtPixmapRuntime::toQt):
      * bridge/qt/qt_runtime.cpp:
      (JSC::Bindings::isJSUint8Array):
      (JSC::Bindings::isJSArray):
      (JSC::Bindings::isJSDate):
      (JSC::Bindings::isQtObject):
      (JSC::Bindings::unwrapBoxedPrimitive):
      (JSC::Bindings::convertQVariantToValue):
      * bridge/runtime_array.cpp:
      (JSC::RuntimeArray::finishCreation):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::createStructure):
      * bridge/runtime_method.cpp:
      (JSC::RuntimeMethod::finishCreation):
      (JSC::callRuntimeMethod):
      * bridge/runtime_method.h:
      (JSC::RuntimeMethod::createStructure):
      * bridge/runtime_object.cpp:
      (JSC::Bindings::RuntimeObject::finishCreation):
      (JSC::Bindings::callRuntimeObject):
      (JSC::Bindings::callRuntimeConstructor):
      * bridge/runtime_object.h:
      (JSC::Bindings::RuntimeObject::createStructure):
      
      Source/WebKit/mac: 
      
      * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
      (WebKit::getObjectID):
      (WebKit::NetscapePluginInstanceProxy::retainLocalObject):
      (WebKit::NetscapePluginInstanceProxy::releaseLocalObject):
      * Plugins/Hosted/ProxyInstance.mm:
      (WebKit::ProxyRuntimeMethod::finishCreation):
      (WebKit::ProxyInstance::invokeMethod):
      * Plugins/Hosted/ProxyRuntimeObject.h:
      (WebKit::ProxyRuntimeObject::createStructure):
      * WebView/WebView.mm:
      (aeDescFromJSValue):
      
      Source/WebKit/qt: 
      
      * Api/qwebelement.cpp:
      (convertJSValueToWebElementVariant):
      * WebCoreSupport/DumpRenderTreeSupportQt.cpp:
      (convertJSValueToNodeVariant):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154038 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      10ae2d0d
  8. 25 Jul, 2013 2 commits
    • fourthTier: DFG should optimize identifier string equality · bd15be8f
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117920
      
      Source/JavaScriptCore:
      
      Reviewed by Sam Weinig.
      
      This is a 20% speed-up for string equality comparisons when both strings are
      identifiers.
      
      This is important for two reasons:
      
      1) Using strings as enumerations is an idiom. A great example is typeof. It
         would be great if this performed better.
      
      2) When I implement switch_string in the DFG, it would be great to optimize
         the case where the switched-on value is an identifier. That would involve
         a simple binary switch rather than a more complicated trie-switch over
         characters.
      
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromCell):
      * bytecode/SpeculatedType.h:
      (JSC):
      (JSC::isStringIdentSpeculation):
      (JSC::isStringSpeculation):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateStringIdent):
      (Node):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::compileStringEquality):
      (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
      (DFG):
      (JSC::DFG::SpeculativeJIT::speculateString):
      (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
      (JSC::DFG::SpeculativeJIT::speculateStringIdent):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isCell):
      
      LayoutTests:
      
      Reviewed by Sam Weinig.
      
      Add a benchmark for string equality where there is a long identifier, and
      also add a benchmark for non-identifier string equality (since the previous
      test for string equality was really identifier equality).
      
      * fast/js/regress/script-tests/string-long-ident-equality.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-var-equality.js: Added.
      (addFoo):
      (foo):
      * fast/js/regress/string-long-ident-equality-expected.txt: Added.
      * fast/js/regress/string-long-ident-equality.html: Added.
      * fast/js/regress/string-var-equality-expected.txt: Added.
      * fast/js/regress/string-var-equality.html: Added.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153245 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • fourthTier: DFG should CSE MakeRope · c2eda9aa
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117905
      
      Source/JavaScriptCore:
      
      Reviewed by Geoffrey Garen.
      
      Adds MakeRope to the CSE phase and removes the comment that says that
      we could do it but aren't doing it.
      
      Also fixed SpeculatedType dumping so that if you have a Cell type then
      it just prints "Cell" and if you just have Object then it just prints
      "Object", instead of printing the long list of types.
      
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
      
      LayoutTests:
      
      Reviewed by Geoffrey Garen.
      
      This benchmark speeds up by 50%.
      
      * fast/js/regress/make-rope-cse-expected.txt: Added.
      * fast/js/regress/make-rope-cse.html: Added.
      * fast/js/regress/script-tests/make-rope-cse.js: Added.
      (foo):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153242 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  9. 18 Mar, 2013 1 commit
    • DFG string conversions and allocations should be inlined · 0e6e1542
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=112376
      
      Source/JavaScriptCore: 
      
      Reviewed by Geoffrey Garen.
              
      This turns new String(), String(), String.prototype.valueOf(), and
      String.prototype.toString() into intrinsics. It gives the DFG the ability to handle
      conversions from StringObject to JSString and vice-versa, and also gives it the
      ability to handle cases where a variable may be either a StringObject or a JSString.
      To do this, I added StringObject to value profiling (and removed the stale
      distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive
      handling, using some of the new functionality but also taking advantage of the
      existence of Identity(String:@a).
              
      This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken.
      On microbenchmarks that stress new String() this is a 14x speed-up.
      
      * CMakeLists.txt:
      * DerivedSources.make:
      * DerivedSources.pri:
      * GNUmakefile.list.am:
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::hasExitSite):
      (JSC):
      * bytecode/DFGExitProfile.cpp:
      (JSC::DFG::ExitProfile::hasExitSite):
      (DFG):
      * bytecode/DFGExitProfile.h:
      (ExitProfile):
      (JSC::DFG::ExitProfile::hasExitSite):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromClassInfo):
      * bytecode/SpeculatedType.h:
      (JSC):
      (JSC::isStringObjectSpeculation):
      (JSC::isStringOrStringObjectSpeculation):
      * create_hash_table:
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGAbstractState.h:
      (JSC::DFG::AbstractState::filterEdgeByUse):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
      (DFG):
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      * dfg/DFGEdge.h:
      (JSC::DFG::Edge::shift):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
      (FixupPhase):
      (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::hasGlobalExitSite):
      (Graph):
      (JSC::DFG::Graph::hasExitSite):
      (JSC::DFG::Graph::clobbersWorld):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToToString):
      (Node):
      (JSC::DFG::Node::hasStructure):
      (JSC::DFG::Node::shouldSpeculateStringObject):
      (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileNewStringObject):
      (JSC::DFG::SpeculativeJIT::speculateObject):
      (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
      (JSC::DFG::SpeculativeJIT::speculateString):
      (JSC::DFG::SpeculativeJIT::speculateStringObject):
      (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
      (DFG):
      (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      * interpreter/CallFrame.h:
      (JSC::ExecState::regExpPrototypeTable):
      * runtime/CommonIdentifiers.h:
      * runtime/Intrinsic.h:
      * runtime/JSDestructibleObject.h:
      (JSDestructibleObject):
      (JSC::JSDestructibleObject::classInfoOffset):
      * runtime/JSGlobalData.cpp:
      (JSC):
      (JSC::JSGlobalData::JSGlobalData):
      (JSC::JSGlobalData::~JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSObject.cpp:
      * runtime/JSObject.h:
      (JSC):
      * runtime/JSWrapperObject.h:
      (JSC::JSWrapperObject::allocationSize):
      (JSWrapperObject):
      (JSC::JSWrapperObject::internalValueOffset):
      (JSC::JSWrapperObject::internalValueCellOffset):
      * runtime/StringPrototype.cpp:
      (JSC):
      (JSC::StringPrototype::finishCreation):
      (JSC::StringPrototype::create):
      * runtime/StringPrototype.h:
      (StringPrototype):
      
      LayoutTests: 
      
      Reviewed by Geoffrey Garen.
      
      * fast/js/dfg-to-string-bad-toString-expected.txt: Added.
      * fast/js/dfg-to-string-bad-toString.html: Added.
      * fast/js/dfg-to-string-bad-valueOf-expected.txt: Added.
      * fast/js/dfg-to-string-bad-valueOf.html: Added.
      * fast/js/dfg-to-string-int-expected.txt: Added.
      * fast/js/dfg-to-string-int-or-string-expected.txt: Added.
      * fast/js/dfg-to-string-int-or-string.html: Added.
      * fast/js/dfg-to-string-int.html: Added.
      * fast/js/dfg-to-string-side-effect-clobbers-toString-expected.txt: Added.
      * fast/js/dfg-to-string-side-effect-clobbers-toString.html: Added.
      * fast/js/dfg-to-string-side-effect-expected.txt: Added.
      * fast/js/dfg-to-string-side-effect.html: Added.
      * fast/js/dfg-to-string-toString-becomes-bad-expected.txt: Added.
      * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype-expected.txt: Added.
      * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.html: Added.
      * fast/js/dfg-to-string-toString-becomes-bad.html: Added.
      * fast/js/dfg-to-string-toString-in-string-expected.txt: Added.
      * fast/js/dfg-to-string-toString-in-string.html: Added.
      * fast/js/dfg-to-string-valueOf-becomes-bad-expected.txt: Added.
      * fast/js/dfg-to-string-valueOf-becomes-bad.html: Added.
      * fast/js/dfg-to-string-valueOf-in-string-expected.txt: Added.
      * fast/js/dfg-to-string-valueOf-in-string.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/regress/script-tests/string-concat-object.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-concat-pair-object.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-concat-pair-simple.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-concat-simple.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-cons-repeat.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-cons-tower.js: Added.
      (foo):
      * fast/js/regress/string-concat-object-expected.txt: Added.
      * fast/js/regress/string-concat-object.html: Added.
      * fast/js/regress/string-concat-pair-object-expected.txt: Added.
      * fast/js/regress/string-concat-pair-object.html: Added.
      * fast/js/regress/string-concat-pair-simple-expected.txt: Added.
      * fast/js/regress/string-concat-pair-simple.html: Added.
      * fast/js/regress/string-concat-simple-expected.txt: Added.
      * fast/js/regress/string-concat-simple.html: Added.
      * fast/js/regress/string-cons-repeat-expected.txt: Added.
      * fast/js/regress/string-cons-repeat.html: Added.
      * fast/js/regress/string-cons-tower-expected.txt: Added.
      * fast/js/regress/string-cons-tower.html: Added.
      * fast/js/script-tests/dfg-to-string-bad-toString.js: Added.
      (String.prototype.toString):
      (foo):
      * fast/js/script-tests/dfg-to-string-bad-valueOf.js: Added.
      (String.prototype.valueOf):
      (foo):
      * fast/js/script-tests/dfg-to-string-int-or-string.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-int.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-side-effect-clobbers-toString.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-side-effect.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.js: Added.
      (foo):
      (.String.prototype.toString):
      * fast/js/script-tests/dfg-to-string-toString-becomes-bad.js: Added.
      (foo):
      (.String.prototype.toString):
      * fast/js/script-tests/dfg-to-string-toString-in-string.js: Added.
      (foo):
      (.argument.toString):
      * fast/js/script-tests/dfg-to-string-valueOf-becomes-bad.js: Added.
      (foo):
      (.String.prototype.valueOf):
      * fast/js/script-tests/dfg-to-string-valueOf-in-string.js: Added.
      (foo):
      (.argument.valueOf):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  10. 12 Jan, 2013 1 commit
    • The JITThunks class should be in its own file, and doing so should not break the build · a4b4cbe9
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=105696
      
      Source/JavaScriptCore: 
      
      Rubber stamped by Sam Weinig and Geoffrey Garen.
              
      This patch was supposed to just move JITThunks into its own file. But then I
      realized that there is a horrible circular dependency chain between JSCell,
      JSGlobalData, CallFrame, and Weak, which only works because of magical include
      order in JITStubs.h, and the fact that JSGlobalData.h includes JITStubs.h
      before it includes JSCell or JSValue.
              
      I first tried to just get JITThunks.h to just magically do the same pointless
      includes that JITStubs.h had, but then I decided to actually fix the underlying
      problem, which was that JSCell needed CallFrame, CallFrame needed JSGlobalData,
      JSGlobalData needed JITThunks, JITThunks needed Weak, and Weak needed JSCell.
      Now, all of JSCell's outgoing dependencies are placed in JSCellInlines.h. This
      also gave me an opportunity to move JSValue inline methods from JSCell.h into
      JSValueInlines.h. But to make this really work, I needed to remove includes of
      *Inlines.h from other headers (CodeBlock.h for example included JSValueInlines.h,
      which defeats the whole entire purpose of having an Inlines.h file), and I needed
      to add includes of *Inlines.h into a bunch of .cpp files. I did this mostly by
      having .cpp files include Operations.h. In future, if you're adding a .cpp file
      to JSC, you'll almost certainly have to include Operations.h unless you enjoy
      link errors.
      
      * API/JSBase.cpp:
      * API/JSCallbackConstructor.cpp:
      * API/JSCallbackFunction.cpp:
      * API/JSCallbackObject.cpp:
      * API/JSClassRef.cpp:
      * API/JSContextRef.cpp:
      * API/JSObjectRef.cpp:
      * API/JSScriptRef.cpp:
      * API/JSWeakObjectMapRefPrivate.cpp:
      * JSCTypedArrayStubs.h:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ArrayAllocationProfile.cpp:
      * bytecode/CodeBlock.cpp:
      * bytecode/GetByIdStatus.cpp:
      * bytecode/LazyOperandValueProfile.cpp:
      * bytecode/ResolveGlobalStatus.cpp:
      * bytecode/SpeculatedType.cpp:
      * bytecode/UnlinkedCodeBlock.cpp:
      * bytecompiler/BytecodeGenerator.cpp:
      * debugger/Debugger.cpp:
      * debugger/DebuggerActivation.cpp:
      * debugger/DebuggerCallFrame.cpp:
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      * dfg/DFGArrayMode.cpp:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGConstantFoldingPhase.cpp:
      * dfg/DFGDriver.cpp:
      * dfg/DFGFixupPhase.cpp:
      * dfg/DFGGraph.cpp:
      * dfg/DFGJITCompiler.cpp:
      * dfg/DFGOSREntry.cpp:
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      * dfg/DFGPredictionPropagationPhase.cpp:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (DFG):
      (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
      (JSC::DFG::SpeculativeJIT::silentSpill):
      (JSC::DFG::SpeculativeJIT::silentFill):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      * dfg/DFGSpeculativeJIT64.cpp:
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      * dfg/DFGVariableEventStream.cpp:
      * heap/CopiedBlock.h:
      * heap/CopiedSpace.cpp:
      * heap/HandleSet.cpp:
      * heap/Heap.cpp:
      * heap/HeapStatistics.cpp:
      * heap/SlotVisitor.cpp:
      * heap/WeakBlock.cpp:
      * interpreter/CallFrame.cpp:
      * interpreter/CallFrame.h:
      * jit/ClosureCallStubRoutine.cpp:
      * jit/GCAwareJITStubRoutine.cpp:
      * jit/JIT.cpp:
      * jit/JITArithmetic.cpp:
      * jit/JITArithmetic32_64.cpp:
      * jit/JITCall.cpp:
      * jit/JITCall32_64.cpp:
      * jit/JITCode.h:
      * jit/JITExceptions.cpp:
      * jit/JITStubs.h:
      * jit/JITThunks.h:
      * jsc.cpp:
      * llint/LLIntExceptions.cpp:
      * profiler/LegacyProfiler.cpp:
      * profiler/ProfileGenerator.cpp:
      * profiler/ProfilerBytecode.cpp:
      * profiler/ProfilerBytecodeSequence.cpp:
      * profiler/ProfilerBytecodes.cpp:
      * profiler/ProfilerCompilation.cpp:
      * profiler/ProfilerCompiledBytecode.cpp:
      * profiler/ProfilerDatabase.cpp:
      * profiler/ProfilerOSRExit.cpp:
      * profiler/ProfilerOSRExitSite.cpp:
      * profiler/ProfilerOrigin.cpp:
      * profiler/ProfilerOriginStack.cpp:
      * profiler/ProfilerProfiledBytecodes.cpp:
      * runtime/ArgList.cpp:
      * runtime/Arguments.cpp:
      * runtime/ArrayConstructor.cpp:
      * runtime/BooleanConstructor.cpp:
      * runtime/BooleanObject.cpp:
      * runtime/BooleanPrototype.cpp:
      * runtime/CallData.cpp:
      * runtime/CodeCache.cpp:
      * runtime/Completion.cpp:
      * runtime/ConstructData.cpp:
      * runtime/DateConstructor.cpp:
      * runtime/DateInstance.cpp:
      * runtime/DatePrototype.cpp:
      * runtime/Error.cpp:
      * runtime/ErrorConstructor.cpp:
      * runtime/ErrorInstance.cpp:
      * runtime/ErrorPrototype.cpp:
      * runtime/ExceptionHelpers.cpp:
      * runtime/Executable.cpp:
      * runtime/FunctionConstructor.cpp:
      * runtime/FunctionPrototype.cpp:
      * runtime/GetterSetter.cpp:
      * runtime/Identifier.cpp:
      * runtime/InternalFunction.cpp:
      * runtime/JSActivation.cpp:
      * runtime/JSBoundFunction.cpp:
      * runtime/JSCell.cpp:
      * runtime/JSCell.h:
      (JSC):
      * runtime/JSCellInlines.h: Added.
      (JSC):
      (JSC::JSCell::JSCell):
      (JSC::JSCell::finishCreation):
      (JSC::JSCell::structure):
      (JSC::JSCell::visitChildren):
      (JSC::allocateCell):
      (JSC::isZapped):
      (JSC::JSCell::isObject):
      (JSC::JSCell::isString):
      (JSC::JSCell::isGetterSetter):
      (JSC::JSCell::isProxy):
      (JSC::JSCell::isAPIValueWrapper):
      (JSC::JSCell::setStructure):
      (JSC::JSCell::methodTable):
      (JSC::JSCell::inherits):
      (JSC::JSCell::fastGetOwnPropertySlot):
      (JSC::JSCell::fastGetOwnProperty):
      (JSC::JSCell::toBoolean):
      * runtime/JSDateMath.cpp:
      * runtime/JSFunction.cpp:
      * runtime/JSFunction.h:
      (JSC):
      * runtime/JSGlobalData.h:
      (JSC):
      (JSGlobalData):
      * runtime/JSGlobalObject.cpp:
      * runtime/JSGlobalObjectFunctions.cpp:
      * runtime/JSLock.cpp:
      * runtime/JSNameScope.cpp:
      * runtime/JSNotAnObject.cpp:
      * runtime/JSONObject.cpp:
      * runtime/JSObject.h:
      (JSC):
      * runtime/JSProxy.cpp:
      * runtime/JSScope.cpp:
      * runtime/JSSegmentedVariableObject.cpp:
      * runtime/JSString.h:
      (JSC):
      * runtime/JSStringJoiner.cpp:
      * runtime/JSSymbolTableObject.cpp:
      * runtime/JSValue.cpp:
      * runtime/JSValueInlines.h:
      (JSC::JSValue::toInt32):
      (JSC::JSValue::toUInt32):
      (JSC):
      (JSC::JSValue::isUInt32):
      (JSC::JSValue::asUInt32):
      (JSC::JSValue::asNumber):
      (JSC::jsNaN):
      (JSC::JSValue::JSValue):
      (JSC::JSValue::encode):
      (JSC::JSValue::decode):
      (JSC::JSValue::operator bool):
      (JSC::JSValue::operator==):
      (JSC::JSValue::operator!=):
      (JSC::JSValue::isEmpty):
      (JSC::JSValue::isUndefined):
      (JSC::JSValue::isNull):
      (JSC::JSValue::isUndefinedOrNull):
      (JSC::JSValue::isCell):
      (JSC::JSValue::isInt32):
      (JSC::JSValue::isDouble):
      (JSC::JSValue::isTrue):
      (JSC::JSValue::isFalse):
      (JSC::JSValue::tag):
      (JSC::JSValue::payload):
      (JSC::JSValue::asInt32):
      (JSC::JSValue::asDouble):
      (JSC::JSValue::asCell):
      (JSC::JSValue::isNumber):
      (JSC::JSValue::isBoolean):
      (JSC::JSValue::asBoolean):
      (JSC::reinterpretDoubleToInt64):
      (JSC::reinterpretInt64ToDouble):
      (JSC::JSValue::isString):
      (JSC::JSValue::isPrimitive):
      (JSC::JSValue::isGetterSetter):
      (JSC::JSValue::isObject):
      (JSC::JSValue::getString):
      (JSC::::getString):
      (JSC::JSValue::getObject):
      (JSC::JSValue::getUInt32):
      (JSC::JSValue::toPrimitive):
      (JSC::JSValue::getPrimitiveNumber):
      (JSC::JSValue::toNumber):
      (JSC::JSValue::toObject):
      (JSC::JSValue::isFunction):
      (JSC::JSValue::inherits):
      (JSC::JSValue::toThisObject):
      (JSC::JSValue::get):
      (JSC::JSValue::put):
      (JSC::JSValue::putByIndex):
      (JSC::JSValue::structureOrUndefined):
      (JSC::JSValue::equal):
      (JSC::JSValue::equalSlowCaseInline):
      (JSC::JSValue::strictEqualSlowCaseInline):
      (JSC::JSValue::strictEqual):
      * runtime/JSVariableObject.cpp:
      * runtime/JSWithScope.cpp:
      * runtime/JSWrapperObject.cpp:
      * runtime/LiteralParser.cpp:
      * runtime/Lookup.cpp:
      * runtime/NameConstructor.cpp:
      * runtime/NameInstance.cpp:
      * runtime/NamePrototype.cpp:
      * runtime/NativeErrorConstructor.cpp:
      * runtime/NativeErrorPrototype.cpp:
      * runtime/NumberConstructor.cpp:
      * runtime/NumberObject.cpp:
      * runtime/ObjectConstructor.cpp:
      * runtime/ObjectPrototype.cpp:
      * runtime/Operations.h:
      (JSC):
      * runtime/PropertySlot.cpp:
      * runtime/RegExp.cpp:
      * runtime/RegExpCache.cpp:
      * runtime/RegExpCachedResult.cpp:
      * runtime/RegExpConstructor.cpp:
      * runtime/RegExpMatchesArray.cpp:
      * runtime/RegExpObject.cpp:
      * runtime/RegExpPrototype.cpp:
      * runtime/SmallStrings.cpp:
      * runtime/SparseArrayValueMap.cpp:
      * runtime/StrictEvalActivation.cpp:
      * runtime/StringConstructor.cpp:
      * runtime/StringObject.cpp:
      * runtime/StringRecursionChecker.cpp:
      * runtime/Structure.h:
      (JSC):
      * runtime/StructureChain.cpp:
      * runtime/TimeoutChecker.cpp:
      * testRegExp.cpp:
      
      Source/WebCore: 
      
      Rubber stamped by Sam Weinig.
      
      All .cpp files that use the JSC internal API must now transitively include
      Operations.h, and none of the major JSC headers do it for you to avoid
      circularity. WebCore doesn't have to worry about circularity with JSC, so
      this changes all of the major WebCore JSC base headers to include
      Operations.h.
      
      * bindings/js/BindingState.h:
      * bindings/js/JSArrayBufferViewHelper.h:
      * bindings/js/JSCustomXPathNSResolver.h:
      * bindings/js/JSDOMBinding.h:
      * bindings/js/JSDOMGlobalObject.h:
      * bindings/js/JSDictionary.h:
      * bindings/js/JSMessagePortCustom.h:
      * bindings/js/JSNodeFilterCondition.h:
      * bindings/js/ScriptValue.h:
      * bindings/js/ScriptWrappable.h:
      * bindings/js/SerializedScriptValue.cpp:
      * bridge/c/c_utility.h:
      * bridge/jsc/BridgeJSC.h:
      * dom/Node.cpp:
      * html/HTMLCanvasElement.cpp:
      * html/HTMLImageLoader.cpp:
      * plugins/efl/PluginViewEfl.cpp:
      * xml/XMLHttpRequest.cpp:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139541 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  11. 29 Nov, 2012 1 commit
    • SpeculatedType dumping should not use the static char buffer[thingy] idiom · 02e3563e
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=103584
      
      Reviewed by Michael Saboff.
      
      Source/JavaScriptCore: 
      
      Changed SpeculatedType to be "dumpable" by saying things like:
              
      dataLog("thingy = ", SpeculationDump(thingy))
              
      Removed the old stringification functions, and changed all code that referred to them
      to use the new dataLog()/print() style.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::dumpSpeculationAbbreviated):
      * bytecode/SpeculatedType.h:
      * bytecode/ValueProfile.h:
      (JSC::ValueProfileBase::dump):
      * bytecode/VirtualRegister.h:
      (WTF::printInternal):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::dump):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
      (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::predictArgumentTypes):
      * dfg/DFGGraph.h:
      (Graph):
      * dfg/DFGStructureAbstractValue.h:
      * dfg/DFGVariableAccessDataDump.cpp: Added.
      (JSC::DFG::VariableAccessDataDump::VariableAccessDataDump):
      (JSC::DFG::VariableAccessDataDump::dump):
      * dfg/DFGVariableAccessDataDump.h: Added.
      (VariableAccessDataDump):
      
      Source/WTF: 
      
      Added a StringPrintStream, and made it easy to create dumpers for typedefs to primitives.
      
      * GNUmakefile.list.am:
      * WTF.gypi:
      * WTF.pro:
      * WTF.vcproj/WTF.vcproj:
      * WTF.xcodeproj/project.pbxproj:
      * wtf/CMakeLists.txt:
      * wtf/PrintStream.cpp:
      (WTF::dumpCharacter):
      * wtf/PrintStream.h:
      (WTF::printInternal):
      * wtf/StringPrintStream.cpp: Added.
      (WTF::StringPrintStream::StringPrintStream):
      (WTF::StringPrintStream::~StringPrintStream):
      (WTF::StringPrintStream::vprintf):
      (WTF::StringPrintStream::toCString):
      (WTF::StringPrintStream::increaseSize):
      * wtf/StringPrintStream.h: Added.
      (StringPrintStream):
      (WTF::toCString):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136096 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  12. 02 Aug, 2012 1 commit
    • Remove all uses of ClassInfo for JSStrings in JIT code · 85c200b2
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=92935
      
      Reviewed by Geoffrey Garen.
      
      This is the first step in removing our dependence on in-object ClassInfo pointers
      in JIT code. Most of the changes are to check the Structure, which is unique for 
      JSString primitives.
      
      * bytecode/SpeculatedType.cpp:
      (JSC::speculationFromClassInfo):
      (JSC::speculationFromStructure): Changed to check the TypeInfo in the Structure
      since there wasn't a JSGlobalData immediately available to grab the JSString 
      Structure out of.
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitLoadCharacterString):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::privateCompileCTIMachineTrampolines):
      (JSC::JIT::emit_op_to_primitive):
      (JSC::JIT::emit_op_convert_this):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::privateCompileCTIMachineTrampolines):
      (JSC::JIT::emit_op_to_primitive):
      (JSC::JIT::emitSlow_op_eq):
      (JSC::JIT::emitSlow_op_neq):
      (JSC::JIT::compileOpStrictEq):
      (JSC::JIT::emit_op_convert_this):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      (JSC::JIT::emitSlow_op_get_by_val):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      (JSC::JIT::emitSlow_op_get_by_val):
      * jit/SpecializedThunkJIT.h:
      (JSC::SpecializedThunkJIT::loadJSStringArgument):
      * jit/ThunkGenerators.cpp:
      (JSC::stringCharLoad):
      (JSC::charCodeAtThunkGenerator):
      (JSC::charAtThunkGenerator):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124476 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  13. 07 Jun, 2012 1 commit
    • PredictedType should be called SpeculatedType · 62336163
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=88477
      
      Rubber stamped by Gavin Barraclough.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::shouldOptimizeNow):
      (JSC::CodeBlock::dumpValueProfiles):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
      * bytecode/LazyOperandValueProfile.cpp:
      (JSC::LazyOperandValueProfileParser::prediction):
      * bytecode/LazyOperandValueProfile.h:
      (LazyOperandValueProfileParser):
      * bytecode/PredictedType.cpp: Removed.
      * bytecode/PredictedType.h: Removed.
      * bytecode/SpeculatedType.cpp: Copied from Source/JavaScriptCore/bytecode/PredictedType.cpp.
      (JSC::speculationToString):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromClassInfo):
      (JSC::speculationFromStructure):
      (JSC::speculationFromCell):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h: Copied from Source/JavaScriptCore/bytecode/PredictedType.h.
      (JSC):
      (JSC::isAnySpeculation):
      (JSC::isCellSpeculation):
      (JSC::isObjectSpeculation):
      (JSC::isFinalObjectSpeculation):
      (JSC::isFinalObjectOrOtherSpeculation):
      (JSC::isFixedIndexedStorageObjectSpeculation):
      (JSC::isStringSpeculation):
      (JSC::isArraySpeculation):
      (JSC::isFunctionSpeculation):
      (JSC::isInt8ArraySpeculation):
      (JSC::isInt16ArraySpeculation):
      (JSC::isInt32ArraySpeculation):
      (JSC::isUint8ArraySpeculation):
      (JSC::isUint8ClampedArraySpeculation):
      (JSC::isUint16ArraySpeculation):
      (JSC::isUint32ArraySpeculation):
      (JSC::isFloat32ArraySpeculation):
      (JSC::isFloat64ArraySpeculation):
      (JSC::isArgumentsSpeculation):
      (JSC::isActionableIntMutableArraySpeculation):
      (JSC::isActionableFloatMutableArraySpeculation):
      (JSC::isActionableTypedMutableArraySpeculation):
      (JSC::isActionableMutableArraySpeculation):
      (JSC::isActionableArraySpeculation):
      (JSC::isArrayOrOtherSpeculation):
      (JSC::isMyArgumentsSpeculation):
      (JSC::isInt32Speculation):
      (JSC::isDoubleRealSpeculation):
      (JSC::isDoubleSpeculation):
      (JSC::isNumberSpeculation):
      (JSC::isBooleanSpeculation):
      (JSC::isOtherSpeculation):
      (JSC::isEmptySpeculation):
      (JSC::mergeSpeculations):
      (JSC::mergeSpeculation):
      * bytecode/StructureSet.h:
      (JSC::StructureSet::speculationFromStructures):
      * bytecode/ValueProfile.h:
      (JSC::ValueProfileBase::ValueProfileBase):
      (JSC::ValueProfileBase::dump):
      (JSC::ValueProfileBase::computeUpdatedPrediction):
      (ValueProfileBase):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      * dfg/DFGAbstractState.h:
      (JSC::DFG::AbstractState::speculateInt32Unary):
      (JSC::DFG::AbstractState::speculateNumberUnary):
      (JSC::DFG::AbstractState::speculateBooleanUnary):
      (JSC::DFG::AbstractState::speculateInt32Binary):
      (JSC::DFG::AbstractState::speculateNumberBinary):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::StructureAbstractValue::filter):
      (JSC::DFG::StructureAbstractValue::speculationFromStructures):
      (JSC::DFG::AbstractValue::AbstractValue):
      (JSC::DFG::AbstractValue::clear):
      (JSC::DFG::AbstractValue::isClear):
      (JSC::DFG::AbstractValue::makeTop):
      (JSC::DFG::AbstractValue::clobberStructures):
      (JSC::DFG::AbstractValue::isTop):
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::merge):
      (JSC::DFG::AbstractValue::filter):
      (JSC::DFG::AbstractValue::validateIgnoringValue):
      (JSC::DFG::AbstractValue::validate):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::dump):
      (AbstractValue):
      * dfg/DFGArgumentPosition.h:
      (JSC::DFG::ArgumentPosition::ArgumentPosition):
      (JSC::DFG::ArgumentPosition::mergeArgumentAwareness):
      (JSC::DFG::ArgumentPosition::prediction):
      (ArgumentPosition):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::addCall):
      (JSC::DFG::ByteCodeParser::getSpeculationWithoutOSRExit):
      (JSC::DFG::ByteCodeParser::getSpeculation):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::fixVariableAccessSpeculations):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::run):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixDoubleEdge):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::nameOfVariableAccessData):
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::predictArgumentTypes):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::getJSConstantSpeculation):
      (JSC::DFG::Graph::isPredictedNumerical):
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::getSpeculation):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (JSC::DFG::Node::getHeapPrediction):
      (JSC::DFG::Node::predictHeap):
      (JSC::DFG::Node::prediction):
      (JSC::DFG::Node::predict):
      (JSC::DFG::Node::shouldSpeculateInteger):
      (JSC::DFG::Node::shouldSpeculateDouble):
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateBoolean):
      (JSC::DFG::Node::shouldSpeculateFinalObject):
      (JSC::DFG::Node::shouldSpeculateFinalObjectOrOther):
      (JSC::DFG::Node::shouldSpeculateArray):
      (JSC::DFG::Node::shouldSpeculateArguments):
      (JSC::DFG::Node::shouldSpeculateInt8Array):
      (JSC::DFG::Node::shouldSpeculateInt16Array):
      (JSC::DFG::Node::shouldSpeculateInt32Array):
      (JSC::DFG::Node::shouldSpeculateUint8Array):
      (JSC::DFG::Node::shouldSpeculateUint8ClampedArray):
      (JSC::DFG::Node::shouldSpeculateUint16Array):
      (JSC::DFG::Node::shouldSpeculateUint32Array):
      (JSC::DFG::Node::shouldSpeculateFloat32Array):
      (JSC::DFG::Node::shouldSpeculateFloat64Array):
      (JSC::DFG::Node::shouldSpeculateArrayOrOther):
      (JSC::DFG::Node::shouldSpeculateObject):
      (JSC::DFG::Node::shouldSpeculateCell):
      (Node):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::setPrediction):
      (JSC::DFG::PredictionPropagationPhase::mergePrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::fillStorage):
      (JSC::DFG::SpeculativeJIT::writeBarrier):
      (JSC::DFG::GPRTemporary::GPRTemporary):
      (JSC::DFG::FPRTemporary::FPRTemporary):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compileInstanceOf):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compileArithMod):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
      (JSC::DFG::SpeculativeJIT::compileRegExpExec):
      * dfg/DFGSpeculativeJIT.h:
      (DFG):
      (JSC::DFG::ValueSource::forSpeculation):
      (SpeculativeJIT):
      (GPRTemporary):
      (FPRTemporary):
      (JSC::DFG::SpecDoubleOperand::SpecDoubleOperand):
      (JSC::DFG::SpecDoubleOperand::~SpecDoubleOperand):
      (JSC::DFG::SpecDoubleOperand::fpr):
      (JSC::DFG::SpecCellOperand::SpecCellOperand):
      (JSC::DFG::SpecCellOperand::~SpecCellOperand):
      (JSC::DFG::SpecCellOperand::gpr):
      (JSC::DFG::SpecBooleanOperand::SpecBooleanOperand):
      (JSC::DFG::SpecBooleanOperand::~SpecBooleanOperand):
      (JSC::DFG::SpecBooleanOperand::gpr):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpecDouble):
      (JSC::DFG::SpeculativeJIT::fillSpecCell):
      (JSC::DFG::SpeculativeJIT::fillSpecBoolean):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpecDouble):
      (JSC::DFG::SpeculativeJIT::fillSpecCell):
      (JSC::DFG::SpeculativeJIT::fillSpecBoolean):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::VariableAccessData):
      (JSC::DFG::VariableAccessData::predict):
      (JSC::DFG::VariableAccessData::nonUnifiedPrediction):
      (JSC::DFG::VariableAccessData::prediction):
      (JSC::DFG::VariableAccessData::argumentAwarePrediction):
      (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
      (VariableAccessData):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@119660 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      62336163
  14. 20 May, 2012 1 commit
  15. 25 Apr, 2012 1 commit
    • Delete CanvasPixelArray, ByteArray, JSByteArray and JSC code once unreferenced · 94781154
      kbr@google.com authored
      https://bugs.webkit.org/show_bug.cgi?id=83655
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore:
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.gypi:
      * JavaScriptCore.order:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      (JSC::predictionToAbbreviatedString):
      (JSC::predictionFromClassInfo):
      * bytecode/PredictedType.h:
      (JSC):
      (JSC::isActionableIntMutableArrayPrediction):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNode.h:
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      (JSC::DFG::putByVal):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::ValueSource::forPrediction):
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jit/JITStubs.h:
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::getByVal):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * runtime/JSByteArray.cpp: Removed.
      * runtime/JSByteArray.h: Removed.
      * runtime/JSGlobalData.cpp:
      
      Source/WebCore:
      
      Removed last few references to ByteArray, replacing with
      Uint8ClampedArray as necessary, and deleted now-obsolete
      CanvasPixelArray, ByteArray and JSByteArray. Removed code from
      JavaScriptCore special-casing ByteArray.
      
      No new tests. Did full layout test run on Mac OS; no regressions
      seen from this change.
      
      * CMakeLists.txt:
      * DerivedSources.pri:
      * ForwardingHeaders/runtime/JSByteArray.h: Removed.
      * GNUmakefile.list.am:
      * PlatformBlackBerry.cmake:
      * Target.pri:
      * UseV8.cmake:
      * WebCore.gypi:
      * WebCore.order:
      * WebCore.vcproj/WebCore.vcproj:
      * WebCore.xcodeproj/project.pbxproj:
      * bindings/v8/SerializedScriptValue.cpp:
      * bindings/v8/V8Binding.h:
      (WebCore::isHostObject):
      * bindings/v8/custom/V8CanvasPixelArrayCustom.cpp: Removed.
      * bindings/v8/custom/V8InjectedScriptHostCustom.cpp:
      (WebCore::V8InjectedScriptHost::typeCallback):
      * bridge/qt/qt_runtime.cpp:
      (JSC::Bindings::isJSUint8ClampedArray):
      (Bindings):
      (JSC::Bindings::valueRealType):
      (JSC::Bindings::convertValueToQVariant):
      (JSC::Bindings::convertQVariantToValue):
      * html/canvas/CanvasPixelArray.cpp: Removed.
      * html/canvas/CanvasPixelArray.h: Removed.
      * html/canvas/CanvasPixelArray.idl: Removed.
      * html/canvas/WebGLRenderingContext.cpp:
      (WebCore):
      * platform/graphics/filters/FEConvolveMatrix.h:
      * rendering/svg/RenderSVGResourceMasker.cpp:
      
      Source/WTF:
      
      * GNUmakefile.list.am:
      * WTF.gypi:
      * WTF.pro:
      * WTF.vcproj/WTF.vcproj:
      * WTF.xcodeproj/project.pbxproj:
      * wtf/ByteArray.cpp: Removed.
      * wtf/ByteArray.h: Removed.
      * wtf/CMakeLists.txt:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@115248 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      94781154
  16. 13 Mar, 2012 1 commit
  17. 25 Feb, 2012 1 commit
    • DFG should support activations and nested functions · 17da7f37
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=79554
      
      Reviewed by Oliver Hunt.
              
      Wrote the simplest possible implementation of activations. Big speed-up on
      code that uses activations, no speed-up on major benchmarks (SunSpider, V8,
      Kraken) because they do not appear to have sufficient coverage over code
      that uses activations.
      
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      (JSC::predictionFromValue):
      * bytecode/PredictedType.h:
      (JSC):
      (JSC::isEmptyPrediction):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::ByteCodeParser):
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::needsActivation):
      * dfg/DFGNode.h:
      (DFG):
      (JSC::DFG::Node::storageAccessDataIndex):
      (Node):
      (JSC::DFG::Node::hasFunctionDeclIndex):
      (JSC::DFG::Node::functionDeclIndex):
      (JSC::DFG::Node::hasFunctionExprIndex):
      (JSC::DFG::Node::functionExprIndex):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108908 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      17da7f37
  18. 23 Feb, 2012 1 commit
    • DFG OSR exit value profiling should have graceful handling of local variables and arguments · 31659dee
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=79310
      
      Reviewed by Gavin Barraclough.
              
      Previously, if we OSR exited because a prediction in a local was wrong, we'd
      only realize what the true type of the local was if the regular value profiling
      kicked in and told us. Unless the local was block-locally copy propagated, in
      which case we'd know from an OSR exit profile.
              
      This patch adds OSR exit profiling to all locals and arguments. Now, if we OSR
      exit because of a mispredicted local or argument type, we'll know what the type of
      the local or argument should be immediately upon exiting.
              
      The way that local variable OSR exit profiling works is that we now have a lazily
      added set of OSR-exit-only value profiles for exit sites that are BadType and that
      cited a GetLocal as their value source. The value profiles are only added if the
      OSR exit is taken, and are keyed by CodeBlock, bytecode index of the GetLocal, and
      operand. The look-up is performed by querying the
      CompressedLazyOperandValueProfileHolder in the CodeBlock, using a key that contains
      the bytecode index and the operand. Because the value profiles are added at random
      times, they are not sorted; instead they are just stored in an arbitrarily-ordered
      SegmentedVector. Look-ups are made fast by "decompressing": the DFG::ByteCodeParser
      creates a LazyOperandValueProfileParser, which turns the
      CompressedLazyOperandValueProfileHolder's contents into a HashMap for the duration
      of DFG parsing.
              
      Previously, OSR exits had a pointer to the ValueProfile that had the specFailBucket
      into which values observed during OSR exit would be placed. Now it uses a lazy
      thunk for a ValueProfile. I call this the MethodOfGettingAValueProfile. It may
      either contain a ValueProfile inside it (which works for previous uses of OSR exit
      profiling) or it may just have knowledge of how to go about creating the
      LazyOperandValueProfile in the case that the OSR exit is actually taken. This
      ensures that we never have to create NumOperands*NumBytecodeIndices*NumCodeBlocks
      value profiling buckets unless we actually did OSR exit on every single operand,
      in every single instruction, in each code block (that's probably unlikely).
              
      This appears to be neutral on the major benchmarks, but is a double-digit speed-up
      on code deliberately written to have data flow that spans basic blocks and where
      the code exhibits post-optimization polymorphism in a local variable.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::stronglyVisitStrongReferences):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::lazyOperandValueProfiles):
      * bytecode/LazyOperandValueProfile.cpp: Added.
      (JSC):
      (JSC::CompressedLazyOperandValueProfileHolder::CompressedLazyOperandValueProfileHolder):
      (JSC::CompressedLazyOperandValueProfileHolder::~CompressedLazyOperandValueProfileHolder):
      (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
      (JSC::CompressedLazyOperandValueProfileHolder::add):
      (JSC::LazyOperandValueProfileParser::LazyOperandValueProfileParser):
      (JSC::LazyOperandValueProfileParser::~LazyOperandValueProfileParser):
      (JSC::LazyOperandValueProfileParser::getIfPresent):
      (JSC::LazyOperandValueProfileParser::prediction):
      * bytecode/LazyOperandValueProfile.h: Added.
      (JSC):
      (LazyOperandValueProfileKey):
      (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
      (JSC::LazyOperandValueProfileKey::operator!):
      (JSC::LazyOperandValueProfileKey::operator==):
      (JSC::LazyOperandValueProfileKey::hash):
      (JSC::LazyOperandValueProfileKey::bytecodeOffset):
      (JSC::LazyOperandValueProfileKey::operand):
      (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
      (JSC::LazyOperandValueProfileKeyHash::hash):
      (JSC::LazyOperandValueProfileKeyHash::equal):
      (LazyOperandValueProfileKeyHash):
      (WTF):
      (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
      (LazyOperandValueProfile):
      (JSC::LazyOperandValueProfile::key):
      (CompressedLazyOperandValueProfileHolder):
      (LazyOperandValueProfileParser):
      * bytecode/MethodOfGettingAValueProfile.cpp: Added.
      (JSC):
      (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
      (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
      * bytecode/MethodOfGettingAValueProfile.h: Added.
      (JSC):
      (MethodOfGettingAValueProfile):
      (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
      (JSC::MethodOfGettingAValueProfile::operator!):
      * bytecode/ValueProfile.cpp: Removed.
      * bytecode/ValueProfile.h:
      (JSC):
      (ValueProfileBase):
      (JSC::ValueProfileBase::ValueProfileBase):
      (JSC::ValueProfileBase::dump):
      (JSC::ValueProfileBase::computeUpdatedPrediction):
      (JSC::MinimalValueProfile::MinimalValueProfile):
      (ValueProfileWithLogNumberOfBuckets):
      (JSC::ValueProfileWithLogNumberOfBuckets::ValueProfileWithLogNumberOfBuckets):
      (JSC::ValueProfile::ValueProfile):
      (JSC::getValueProfileBytecodeOffset):
      (JSC::getRareCaseProfileBytecodeOffset):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::injectLazyOperandPrediction):
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::fixVariableAccessPredictions):
      (DFG):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGDriver.cpp:
      (JSC::DFG::compile):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::valueProfileFor):
      (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
      (Graph):
      * dfg/DFGNode.h:
      (Node):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPhase.cpp:
      (JSC::DFG::Phase::beginPhase):
      (JSC::DFG::Phase::endPhase):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::speculationCheck):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::nonUnifiedPrediction):
      (VariableAccessData):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108677 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      31659dee
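
The lazy OSR-exit profiling scheme described in the commit message above, modelled as an added C++ example; it is not WebKit code and is not taken from the commit. The class names, the three speculation bits, the use of `std::deque` in place of SegmentedVector and the linear search in `add` are assumptions made for illustration.

```cpp
// Added illustration: simplified model of lazily created, exit-only value profiles.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <functional>
#include <unordered_map>

// Simplified speculation bits (assumption: the real type lattice is much larger).
enum : uint32_t { SpecNone = 0, SpecInt32 = 1u << 0, SpecDouble = 1u << 1, SpecCell = 1u << 2 };

// Profiles are keyed by the bytecode offset of the GetLocal and the operand.
struct LazyKey {
    unsigned bytecodeOffset;
    int operand;
    bool operator==(const LazyKey& o) const {
        return bytecodeOffset == o.bytecodeOffset && operand == o.operand;
    }
};

struct LazyKeyHash {
    std::size_t operator()(const LazyKey& k) const {
        return std::hash<unsigned>()(k.bytecodeOffset) * 31u + std::hash<int>()(k.operand);
    }
};

struct LazyProfile {
    explicit LazyProfile(LazyKey k) : key(k), observed(SpecNone) {}
    LazyKey key;
    uint32_t observed; // stands in for the spec-fail bucket and the derived prediction
};

// "Compressed" storage: unsorted, append-only, one entry per exit that was really taken.
class CompressedHolder {
public:
    LazyProfile* add(LazyKey key) {
        for (LazyProfile& p : m_data)
            if (p.key == key)
                return &p;            // already created by an earlier exit
        m_data.emplace_back(key);     // deque keeps earlier element addresses stable
        return &m_data.back();
    }
    std::size_t size() const { return m_data.size(); }
    const std::deque<LazyProfile>& data() const { return m_data; }
private:
    std::deque<LazyProfile> m_data;
};

// Lazy thunk held by an exit site: either an existing profile, or the
// knowledge of how to create one if the exit is ever taken.
class ProfileMethod {
public:
    static ProfileMethod fromProfile(LazyProfile* p) { return ProfileMethod(p, nullptr, LazyKey{0, 0}); }
    static ProfileMethod fromLazyOperand(CompressedHolder* h, LazyKey k) { return ProfileMethod(nullptr, h, k); }
    uint32_t* specFailBucket() const {
        if (m_ready)
            return &m_ready->observed;
        return &m_holder->add(m_key)->observed; // allocation happens only here
    }
private:
    ProfileMethod(LazyProfile* p, CompressedHolder* h, LazyKey k) : m_ready(p), m_holder(h), m_key(k) {}
    LazyProfile* m_ready;
    CompressedHolder* m_holder;
    LazyKey m_key;
};

// "Decompression": build a hash map once, for the duration of one parse.
class ProfileParser {
public:
    explicit ProfileParser(const CompressedHolder& h) {
        for (const LazyProfile& p : h.data())
            m_map.emplace(p.key, &p);
    }
    const LazyProfile* getIfPresent(LazyKey k) const {
        auto it = m_map.find(k);
        return it == m_map.end() ? nullptr : it->second;
    }
    uint32_t prediction(LazyKey k) const {
        const LazyProfile* p = getIfPresent(k);
        return p ? p->observed : SpecNone;
    }
private:
    std::unordered_map<LazyKey, const LazyProfile*, LazyKeyHash> m_map;
};

// Models a BadType exit: record the type actually seen in the local.
void takeExit(const ProfileMethod& m, uint32_t actualType) { *m.specFailBucket() |= actualType; }

int main() {
    CompressedHolder holder;
    LazyKey hot = {12, 3}, cold = {40, -1};          // constructed sample keys
    ProfileMethod hotExit = ProfileMethod::fromLazyOperand(&holder, hot);
    ProfileMethod coldExit = ProfileMethod::fromLazyOperand(&holder, cold);
    (void)coldExit;                                   // registered but never taken
    takeExit(hotExit, SpecDouble);
    ProfileParser parser(holder);
    std::printf("profiles=%zu hot=%u cold=%u\n", holder.size(),
                (unsigned)parser.prediction(hot), (unsigned)parser.prediction(cold));
    return 0;
}
```

Only the exit that was taken allocates a profile, so storage grows with observed mispredictions rather than with operands × bytecode indices × code blocks.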
  19. 02 Feb, 2012 1 commit
    • Release build debugging should be easier · ce9f26de
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=77669
      
      Reviewed by Gavin Barraclough.
      
      * assembler/ARMAssembler.h:
      (ARMAssembler):
      (JSC::ARMAssembler::debugOffset):
      * assembler/ARMv7Assembler.h:
      (ARMv7Assembler):
      (JSC::ARMv7Assembler::debugOffset):
      (ARMInstructionFormatter):
      (JSC::ARMv7Assembler::ARMInstructionFormatter::debugOffset):
      * assembler/AbstractMacroAssembler.h:
      (AbstractMacroAssembler):
      (JSC::AbstractMacroAssembler::debugOffset):
      * assembler/AssemblerBuffer.h:
      (AssemblerBuffer):
      (JSC::AssemblerBuffer::debugOffset):
      * assembler/LinkBuffer.h:
      (LinkBuffer):
      (JSC::LinkBuffer::debugSize):
      * assembler/MIPSAssembler.h:
      (MIPSAssembler):
      (JSC::MIPSAssembler::debugOffset):
      * assembler/X86Assembler.h:
      (X86Assembler):
      (JSC::X86Assembler::debugOffset):
      (X86InstructionFormatter):
      (JSC::X86Assembler::X86InstructionFormatter::debugOffset):
      * bytecode/CodeBlock.cpp:
      (JSC):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      * bytecode/CodeOrigin.h:
      (CodeOrigin):
      (JSC):
      (JSC::CodeOrigin::inlineStack):
      * bytecode/DFGExitProfile.h:
      (JSC::DFG::exitKindToString):
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/PredictedType.cpp:
      (JSC):
      (JSC::predictionToString):
      * bytecode/PredictedType.h:
      (JSC):
      * bytecode/ValueRecovery.h:
      (ValueRecovery):
      (JSC::ValueRecovery::dump):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC):
      (JSC::BytecodeGenerator::setDumpsGeneratedCode):
      (JSC::BytecodeGenerator::dumpsGeneratedCode):
      (JSC::BytecodeGenerator::generate):
      * dfg/DFGAbstractValue.h:
      (StructureAbstractValue):
      (JSC::DFG::StructureAbstractValue::dump):
      (AbstractValue):
      (JSC::DFG::AbstractValue::dump):
      * dfg/DFGAssemblyHelpers.h:
      (DFG):
      (AssemblyHelpers):
      (JSC::DFG::AssemblyHelpers::debugCall):
      * dfg/DFGFPRInfo.h:
      (FPRInfo):
      (JSC::DFG::FPRInfo::debugName):
      * dfg/DFGGPRInfo.h:
      (GPRInfo):
      (JSC::DFG::GPRInfo::debugName):
      * dfg/DFGGraph.cpp:
      (DFG):
      * dfg/DFGGraph.h:
      (Graph):
      * dfg/DFGNode.h:
      (DFG):
      (JSC::DFG::arithNodeFlagsAsString):
      (Node):
      (JSC::DFG::Node::hasIdentifier):
      (JSC::DFG::Node::dumpChildren):
      * dfg/DFGOSRExit.cpp:
      (DFG):
      (JSC::DFG::OSRExit::dump):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * runtime/JSValue.cpp:
      (JSC):
      (JSC::JSValue::description):
      * runtime/JSValue.h:
      (JSValue):
      * wtf/BitVector.cpp:
      (WTF):
      (WTF::BitVector::dump):
      * wtf/BitVector.h:
      (BitVector):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@106590 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ce9f26de
  20. 18 Jan, 2012 1 commit
    • Uint8ClampedArray support · 992fc376
      caio.oliveira@openbossa.org authored
      https://bugs.webkit.org/show_bug.cgi?id=74455
      
      Reviewed by Filip Pizlo.
      
      Source/JavaScriptCore:
      
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      (JSC::predictionFromClassInfo):
      * bytecode/PredictedType.h:
      (JSC::isUint8ClampedArrayPrediction):
      (JSC::isActionableMutableArrayPrediction):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateUint8ClampedArray):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::propagateNodePredictions):
      (JSC::DFG::Propagator::fixupNode):
      (JSC::DFG::Propagator::performNodeCSE):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::clampDoubleToByte):
      (JSC::DFG::compileClampIntegerToByte):
      (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/JSCell.h:
      * runtime/JSGlobalData.h:
      * wtf/Forward.h:
      * wtf/Uint8Array.h:
      * wtf/Uint8ClampedArray.h: Added.
      (WTF::Uint8ClampedArray::set):
      (WTF::Uint8ClampedArray::create):
      (WTF::Uint8ClampedArray::Uint8ClampedArray):
      (WTF::Uint8ClampedArray::subarray):
      
      Source/WebCore:
      
      Test: fast/js/dfg-uint8clampedarray.html
      
      * CMakeLists.txt:
      * DerivedSources.cpp:
      * DerivedSources.make:
      * DerivedSources.pri:
      * ForwardingHeaders/wtf/Uint8ClampedArray.h: Added.
      * GNUmakefile.list.am:
      * Target.pri:
      * UseJSC.cmake:
      * WebCore.xcodeproj/project.pbxproj:
      * bindings/js/JSBindingsAllInOne.cpp:
      * bindings/js/JSDOMWindowCustom.cpp:
      * bindings/js/JSUint8ClampedArrayCustom.cpp: Added.
      (WebCore::JSUint8ClampedArray::indexSetter):
      (WebCore::toJS):
      (WebCore::JSUint8ClampedArray::set):
      (WebCore::JSUint8ClampedArrayConstructor::constructJSUint8ClampedArray):
      * bindings/scripts/CodeGeneratorJS.pm:
      (IsTypedArrayType):
      (GenerateHeader):
      * html/canvas/Uint8ClampedArray.idl: Added.
      * page/DOMWindow.idl:
      
      Source/WTF:
      
      * WTF.pro:
      
      LayoutTests:
      
      * fast/canvas/webgl/array-unit-tests-expected.txt:
      * fast/canvas/webgl/array-unit-tests.html:
      * fast/dom/Window/script-tests/window-property-descriptors.js:
      * fast/dom/Window/window-properties.html:
      * fast/dom/script-tests/constructed-objects-prototypes.js:
      (constructorPropertiesOnWindow):
      * fast/dom/script-tests/prototype-inheritance-2.js:
      (constructorNamesForWindow):
      * fast/js/dfg-uint8clampedarray-expected.txt: Added.
      * fast/js/dfg-uint8clampedarray.html: Added.
      * fast/js/script-tests/dfg-uint8clampedarray.js: Added.
      (getter1):
      (setter1):
      (getter2):
      (setter2):
      (getter3):
      (setter3):
      (getter4):
      (setter4):
      (getters.getter1.a):
      (.a):
      (setters.setter1.a):
      (safeGetter):
      (safeSetter):
      * fast/js/script-tests/global-constructors.js:
      * platform/chromium/fast/canvas/webgl/array-unit-tests-expected.txt: Copied from LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt.
      * platform/chromium/test_expectations.txt:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105217 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      992fc376
  21. 16 Dec, 2011 1 commit
  22. 02 Dec, 2011 1 commit
    • Support integer typed arrays in the DFG JIT · aeec3d81
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=73608
      
      Reviewed by Filip Pizlo.
      
      Add support for all the integral typed arrays in the DFG JIT.
      Currently this loads the contents of Uint32 arrays as doubles,
      which is clearly not as efficient as it could be, but this is
      still in the order of 10-20x faster than the existing behaviour.
      
      This needed us to add support for writing 16bit values to the
      macroassembler, and also to support double<->unsigned conversion.
      
      * assembler/ARMv7Assembler.h:
      (JSC::ARMv7Assembler::strh):
      (JSC::ARMv7Assembler::vcvt_floatingPointToUnsigned):
      * assembler/MacroAssemblerARMv7.h:
      (JSC::MacroAssemblerARMv7::store16):
      (JSC::MacroAssemblerARMv7::truncateDoubleToUint32):
      * assembler/MacroAssemblerX86Common.h:
      (JSC::MacroAssemblerX86Common::store16):
      (JSC::MacroAssemblerX86Common::truncateDoubleToUint32):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::movw_rm):
      (JSC::X86Assembler::cvttsd2siq_rr):
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      (JSC::predictionFromClassInfo):
      * bytecode/PredictedType.h:
      (JSC::isInt8ArrayPrediction):
      (JSC::isInt16ArrayPrediction):
      (JSC::isInt32ArrayPrediction):
      (JSC::isUint8ArrayPrediction):
      (JSC::isUint16ArrayPrediction):
      (JSC::isUint32ArrayPrediction):
      (JSC::isFloat32ArrayPrediction):
      (JSC::isFloat64ArrayPrediction):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateInt8Array):
      (JSC::DFG::Node::shouldSpeculateInt16Array):
      (JSC::DFG::Node::shouldSpeculateInt32Array):
      (JSC::DFG::Node::shouldSpeculateUint8Array):
      (JSC::DFG::Node::shouldSpeculateUint16Array):
      (JSC::DFG::Node::shouldSpeculateUint32Array):
      (JSC::DFG::Node::shouldSpeculateFloat32Array):
      (JSC::DFG::Node::shouldSpeculateFloat64Array):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::propagateNodePredictions):
      (JSC::DFG::Propagator::fixupNode):
      (JSC::DFG::Propagator::performNodeCSE):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/JSGlobalData.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@101729 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      aeec3d81
  23. 10 Nov, 2011 1 commit
    • ValueProfile/PredictedType contains dead code, and doesn't recognize functions · 1ca63d01
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=72065
      
      Reviewed by Gavin Barraclough and Geoff Garen.
              
      Added PredictFunction support, and did some cleaning up along the way.
      ValueProfile no longer has statistics machinery, because we never used
      it. Rearranged some bits in PredictedType to more easily make room for
      one more object type. Changed some debug code to use more consistent
      conventions (ByteArray becomes Bytearray so that if we ever have a
      "Byte" prediction we don't get confused between a prediction that is
      the union of Byte and Array and a prediction that indicates precisely
      a ByteArray).
      
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      (JSC::predictionFromClassInfo):
      * bytecode/PredictedType.h:
      (JSC::isFunctionPrediction):
      * bytecode/ValueProfile.cpp:
      * bytecode/ValueProfile.h:
      (JSC::ValueProfile::dump):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::propagateNodePredictions):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@99910 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1ca63d01
  24. 19 Oct, 2011 1 commit
    • Support CanvasPixelArray in the DFG · f4596cac
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=70384
      
      Reviewed by Filip Pizlo.
      
      Source/JavaScriptCore:
      
      Add support for the old CanvasPixelArray optimisations to the
      DFG.  This removes the regression seen in the DFG when using
      a CPA.
      
      * assembler/MacroAssemblerX86Common.h:
      (JSC::MacroAssemblerX86Common::store8):
      (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::movb_rm):
      (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      (JSC::predictionFromClassInfo):
      * bytecode/PredictedType.h:
      (JSC::isByteArrayPrediction):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateByteArray):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::propagateNodePredictions):
      (JSC::DFG::Propagator::fixupNode):
      (JSC::DFG::Propagator::performNodeCSE):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::compileClampDoubleToByte):
      (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/JSByteArray.h:
      (JSC::JSByteArray::offsetOfStorage):
      * wtf/ByteArray.cpp:
      * wtf/ByteArray.h:
      (WTF::ByteArray::offsetOfSize):
      (WTF::ByteArray::offsetOfData):
      
      Source/WebCore:
      
      Make CanvasPixelArray inherit from ByteArray's ClassInfo so
      we can identify it more sensibly.
      
      * bindings/js/JSImageDataCustom.cpp:
      (WebCore::toJS):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@97876 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f4596cac
  25. 12 Oct, 2011 2 commits
    • ValueProfile::computeUpdatedPrediction doesn't merge statistics correctly · ab9a92ce
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=69906
      
      Reviewed by Gavin Barraclough.
              
      It turns out that the simplest fix is to switch computeUpdatedPredictions()
      to using predictionFromValue() combined with mergePrediction(). Doing so
      allowed me to kill off weakBuckets and visitWeakReferences(). Hence this
      not only fixes a performance bug but kills off a lot of code that I never
      liked to begin with.
              
      This appears to be a 1% win on V8.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::visitAggregate):
      * bytecode/CodeBlock.h:
      * bytecode/PredictedType.cpp:
      (JSC::predictionFromValue):
      * bytecode/ValueProfile.cpp:
      (JSC::ValueProfile::computeStatistics):
      (JSC::ValueProfile::computeUpdatedPrediction):
      * bytecode/ValueProfile.h:
      (JSC::ValueProfile::classInfo):
      (JSC::ValueProfile::numberOfSamples):
      (JSC::ValueProfile::isLive):
      (JSC::ValueProfile::dump):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@97294 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ab9a92ce
    • DFG does not have flow-sensitive intraprocedural control flow analysis · 4ffd3956
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=69690
      
      Reviewed by Gavin Barraclough.
      
      Implemented a control flow analysis (CFA). It currently propagates type
      proofs only. For example, if all predecessors to a basic block have
      checks that variable X is a JSFinalObject with structure 0xabcdef, then
      this basic block will now know this fact and will know that it does not
      have to emit either JSFinalObject checks or any structure checks since
      the structure is precisely known. The CFA takes heap side-effects into
      account (though somewhat conservatively), so that if the object pointed
      to by variable X could have possibly undergone a structure transition
      then this is reflected: the analysis may simply say that X's structure
      is unknown.
              
      This also propagates a wealth of other type information which is
      currently not being used. For example, we now know when a variable can
      only hold doubles. Even if a variable may hold other types at different
      points in its live range, we can still prove exactly when it will only
      be double.
              
      There's a bunch of stuff that the CFA could do that it still does not
      do, like precise handling of PutStructure (i.e. structure transitions),
      precise handling of CheckFunction and CheckMethod, etc. So this is
      very much intended to be a starting point rather than an end unto
      itself.
              
      This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue)
      and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate).
      Neutral on SunSpider.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ActionablePrediction.h: Removed.
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      * bytecode/PredictedType.h:
      * dfg/DFGAbstractState.cpp: Added.
      (JSC::DFG::AbstractState::AbstractState):
      (JSC::DFG::AbstractState::~AbstractState):
      (JSC::DFG::AbstractState::beginBasicBlock):
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::endBasicBlock):
      (JSC::DFG::AbstractState::reset):
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::clobberStructures):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      (JSC::DFG::AbstractState::merge):
      (JSC::DFG::AbstractState::mergeToSuccessors):
      (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
      (JSC::DFG::AbstractState::dump):
      * dfg/DFGAbstractState.h: Added.
      (JSC::DFG::AbstractState::forNode):
      (JSC::DFG::AbstractState::isValid):
      * dfg/DFGAbstractValue.h: Added.
      (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
      (JSC::DFG::StructureAbstractValue::clear):
      (JSC::DFG::StructureAbstractValue::makeTop):
      (JSC::DFG::StructureAbstractValue::top):
      (JSC::DFG::StructureAbstractValue::add):
      (JSC::DFG::StructureAbstractValue::addAll):
      (JSC::DFG::StructureAbstractValue::contains):
      (JSC::DFG::StructureAbstractValue::isSubsetOf):
      (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
      (JSC::DFG::StructureAbstractValue::isSupersetOf):
      (JSC::DFG::StructureAbstractValue::filter):
      (JSC::DFG::StructureAbstractValue::isClear):
      (JSC::DFG::StructureAbstractValue::isTop):
      (JSC::DFG::StructureAbstractValue::size):
      (JSC::DFG::StructureAbstractValue::at):
      (JSC::DFG::StructureAbstractValue::operator[]):
      (JSC::DFG::StructureAbstractValue::last):
      (JSC::DFG::StructureAbstractValue::predictionFromStructures):
      (JSC::DFG::StructureAbstractValue::operator==):
      (JSC::DFG::StructureAbstractValue::dump):
      (JSC::DFG::AbstractValue::AbstractValue):
      (JSC::DFG::AbstractValue::clear):
      (JSC::DFG::AbstractValue::isClear):
      (JSC::DFG::AbstractValue::makeTop):
      (JSC::DFG::AbstractValue::clobberStructures):
      (JSC::DFG::AbstractValue::isTop):
      (JSC::DFG::AbstractValue::top):
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::operator==):
      (JSC::DFG::AbstractValue::merge):
      (JSC::DFG::AbstractValue::filter):
      (JSC::DFG::AbstractValue::validate):
      (JSC::DFG::AbstractValue::dump):
      * dfg/DFGBasicBlock.h: Added.
      (JSC::DFG::BasicBlock::BasicBlock):
      (JSC::DFG::BasicBlock::getBytecodeBegin):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::processPhiStack):
      (JSC::DFG::ByteCodeParser::setupPredecessors):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      * dfg/DFGJITCodeGenerator.h:
      (JSC::DFG::block):
      * dfg/DFGJITCodeGenerator32_64.cpp:
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
      * dfg/DFGJITCodeGenerator64.cpp:
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGNode.h:
      (JSC::DFG::NodeIndexTraits::defaultValue):
      (JSC::DFG::Node::variableAccessData):
      (JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
      (JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
      (JSC::DFG::Node::setTakenBlockIndex):
      (JSC::DFG::Node::setNotTakenBlockIndex):
      (JSC::DFG::Node::takenBlockIndex):
      (JSC::DFG::Node::notTakenBlockIndex):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntry.h:
      * dfg/DFGOperands.h: Added.
      (JSC::DFG::operandIsArgument):
      (JSC::DFG::OperandValueTraits::defaultValue):
      (JSC::DFG::Operands::Operands):
      (JSC::DFG::Operands::numberOfArguments):
      (JSC::DFG::Operands::numberOfLocals):
      (JSC::DFG::Operands::argument):
      (JSC::DFG::Operands::local):
      (JSC::DFG::Operands::setLocal):
      (JSC::DFG::Operands::setArgumentFirstTime):
      (JSC::DFG::Operands::setLocalFirstTime):
      (JSC::DFG::Operands::operand):
      (JSC::DFG::Operands::setOperand):
      (JSC::DFG::Operands::clear):
      (JSC::DFG::dumpOperands):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::fixpoint):
      (JSC::DFG::Propagator::propagateArithNodeFlags):
      (JSC::DFG::Propagator::propagateNodePredictions):
      (JSC::DFG::Propagator::propagatePredictions):
      (JSC::DFG::Propagator::performBlockCFA):
      (JSC::DFG::Propagator::performForwardCFA):
      (JSC::DFG::Propagator::globalCFA):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureSet.h:
      (JSC::DFG::StructureSet::clear):
      (JSC::DFG::StructureSet::predictionFromStructures):
      (JSC::DFG::StructureSet::operator==):
      (JSC::DFG::StructureSet::dump):
      * dfg/DFGVariableAccessData.h: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@97218 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4ffd3956
  26. 07 Oct, 2011 1 commit
  27. 26 Sep, 2011 1 commit
    • DFG static prediction code is no longer needed and should be removed · d93c9ad2
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=68784
      
      Reviewed by Oliver Hunt.
              
      This gets rid of static prediction code, and ensures that we do not
      try to compile code where dynamic predictions are not available.
      This is accomplished by immediately performing an OSR exit wherever
      a value is retrieved for which no predictions exist.
              
      This also adds value profiling for this on functions used for calls.
              
      The heuristics for deciding when to optimize code are also tweaked,
      since it is now profitable to optimize sooner. This may need to be
      tweaked further, but this patch only makes minimal changes.
              
      This results in a 16% speed-up on Kraken/ai-astar, leading to a 3%
      overall win on Kraken.  It's neutral elsewhere.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::shouldOptimizeNow):
      (JSC::CodeBlock::dumpValueProfiles):
      * bytecode/CodeBlock.h:
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      * bytecode/PredictedType.h:
      (JSC::isCellPrediction):
      (JSC::isObjectPrediction):
      (JSC::isFinalObjectPrediction):
      (JSC::isStringPrediction):
      (JSC::isArrayPrediction):
      (JSC::isInt32Prediction):
      (JSC::isDoublePrediction):
      (JSC::isNumberPrediction):
      (JSC::isBooleanPrediction):
      (JSC::mergePredictions):
      * bytecode/PredictionTracker.h:
      (JSC::PredictionTracker::predictArgument):
      (JSC::PredictionTracker::predict):
      (JSC::PredictionTracker::predictGlobalVar):
      * bytecode/ValueProfile.cpp:
      (JSC::ValueProfile::computeUpdatedPrediction):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::set):
      (JSC::DFG::ByteCodeParser::addCall):
      (JSC::DFG::ByteCodeParser::getPrediction):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::predictArgumentTypes):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::predict):
      (JSC::DFG::Graph::predictGlobalVar):
      (JSC::DFG::Graph::getMethodCheckPrediction):
      (JSC::DFG::Graph::getJSConstantPrediction):
      (JSC::DFG::Graph::getPrediction):
      * dfg/DFGJITCodeGenerator.cpp:
      (JSC::DFG::JITCodeGenerator::writeBarrier):
      (JSC::DFG::JITCodeGenerator::emitBranch):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::getPrediction):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::valueOfJSConstantNode):
      (JSC::DFG::Node::isInt32Constant):
      (JSC::DFG::Node::isDoubleConstant):
      (JSC::DFG::Node::isNumberConstant):
      (JSC::DFG::Node::isBooleanConstant):
      (JSC::DFG::Node::predict):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::Propagator):
      (JSC::DFG::Propagator::propagateNodePredictions):
      (JSC::DFG::Propagator::fixupNode):
      (JSC::DFG::Propagator::isPredictedNumerical):
      (JSC::DFG::Propagator::logicalNotIsPure):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
      (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
      (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
      (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
      (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
      (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
      (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95930 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d93c9ad2
  28. 20 Sep, 2011 1 commit
    • DFG JIT does not speculate aggressively enough on GetById · ffb7d5ea
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=68320
      
      Reviewed by Oliver Hunt.
              
      This adds the ability to access properties directly, by offset.
      This optimization kicks in when at the time of DFG compilation,
      it appears that the given get_by_id is self-cached by the old JIT.
      Two new opcodes get introduced: CheckStructure and GetByOffset.
      CheckStructure performs a speculation check on the object's
      structure, and returns the storage pointer. GetByOffset performs
      a direct read of the field from the storage pointer. Both
      CheckStructure and GetByOffset can be CSE'd, so that we can
      eliminate redundant structure checks, and redundant reads of the
      same field.
              
      This is a 4% speed-up on V8, a 2% slow-down on Kraken, and
      neutral on SunSpider.
      
      * bytecode/PredictedType.cpp:
      (JSC::predictionFromClassInfo):
      (JSC::predictionFromStructure):
      (JSC::predictionFromCell):
      * bytecode/PredictedType.h:
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::dataFormatToString):
      (JSC::DFG::needDataFormatConversion):
      (JSC::DFG::GenerationInfo::initStorage):
      (JSC::DFG::GenerationInfo::spill):
      (JSC::DFG::GenerationInfo::fillStorage):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::predict):
      (JSC::DFG::Graph::getPrediction):
      * dfg/DFGJITCodeGenerator.cpp:
      (JSC::DFG::JITCodeGenerator::fillInteger):
      (JSC::DFG::JITCodeGenerator::fillDouble):
      (JSC::DFG::JITCodeGenerator::fillJSValue):
      (JSC::DFG::JITCodeGenerator::fillStorage):
      (JSC::DFG::GPRTemporary::GPRTemporary):
      * dfg/DFGJITCodeGenerator.h:
      (JSC::DFG::JITCodeGenerator::silentSpillGPR):
      (JSC::DFG::JITCodeGenerator::silentFillGPR):
      (JSC::DFG::JITCodeGenerator::spill):
      (JSC::DFG::JITCodeGenerator::storageResult):
      (JSC::DFG::StorageOperand::StorageOperand):
      (JSC::DFG::StorageOperand::~StorageOperand):
      (JSC::DFG::StorageOperand::index):
      (JSC::DFG::StorageOperand::gpr):
      (JSC::DFG::StorageOperand::use):
      * dfg/DFGNode.h:
      (JSC::DFG::OpInfo::OpInfo):
      (JSC::DFG::Node::Node):
      (JSC::DFG::Node::hasPrediction):
      (JSC::DFG::Node::hasStructure):
      (JSC::DFG::Node::structure):
      (JSC::DFG::Node::hasStorageAccessData):
      (JSC::DFG::Node::storageAccessDataIndex):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::propagateNode):
      (JSC::DFG::Propagator::globalVarLoadElimination):
      (JSC::DFG::Propagator::getMethodLoadElimination):
      (JSC::DFG::Propagator::checkStructureLoadElimination):
      (JSC::DFG::Propagator::getByOffsetLoadElimination):
      (JSC::DFG::Propagator::performNodeCSE):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * wtf/StdLibExtras.h:
      (WTF::safeCast):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95523 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ffb7d5ea
  29. 16 Sep, 2011 1 commit
    • DFG JIT does not optimize method_check · 6f1a3444
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=68215
      
      Reviewed by Oliver Hunt.
              
      MethodCallLinkInfo and StructureStubInfo are now searchable by
      bytecodeIndex, so that DFG::ByteCodeParser can use that information
      to determine how to optimize GetMethod.
              
      A new node op has been added to DFG: CheckMethod. This is a variant
      of GetMethod that has been optimized for the case that GetMethod
      always takes the fast path. CheckMethod results in only a very
      small amount of code (two loads and two branches in the worst case,
      one load and one branch in the best case). CheckMethod behaves as
      if it were a constant.  
              
      Introduced the notion that a DFG node that is not JSConstant
      behaves as a constant. CheckMethod uses this functionality.
              
      This is a 3% speed-up on Kraken, and a small speed-up on V8.
      Appears to be neutral on SunSpider.
      
      * bytecode/CodeBlock.h:
      (JSC::getStructureStubInfoBytecodeIndex):
      (JSC::getMethodCallLinkInfoBytecodeIndex):
      * bytecode/PredictedType.cpp:
      (JSC::predictionFromCell):
      (JSC::predictionFromValue):
      * bytecode/PredictedType.h:
      * bytecode/StructureStubInfo.h:
      * dfg/DFGAliasTracker.h:
      (JSC::DFG::AliasTracker::recordGetMethod):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::getMethodCheckPrediction):
      (JSC::DFG::Graph::getPrediction):
      (JSC::DFG::Graph::isConstant):
      (JSC::DFG::Graph::isJSConstant):
      (JSC::DFG::Graph::valueOfJSConstant):
      (JSC::DFG::Graph::valueOfInt32Constant):
      (JSC::DFG::Graph::valueOfNumberConstant):
      (JSC::DFG::Graph::valueOfBooleanConstant):
      (JSC::DFG::Graph::valueOfJSConstantNode):
      * dfg/DFGJITCodeGenerator.cpp:
      (JSC::DFG::JITCodeGenerator::fillInteger):
      (JSC::DFG::JITCodeGenerator::fillDouble):
      (JSC::DFG::JITCodeGenerator::fillJSValue):
      (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
      (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
      * dfg/DFGJITCodeGenerator.h:
      (JSC::DFG::JITCodeGenerator::silentSpillFPR):
      (JSC::DFG::JITCodeGenerator::silentFillGPR):
      (JSC::DFG::JITCodeGenerator::silentFillFPR):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::fillNumericToDouble):
      (JSC::DFG::JITCompiler::fillInt32ToInteger):
      (JSC::DFG::JITCompiler::fillToJS):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasConstant):
      (JSC::DFG::Node::hasIdentifier):
      (JSC::DFG::Node::hasMethodCheckData):
      (JSC::DFG::Node::methodCheckDataIndex):
      (JSC::DFG::Node::valueOfJSConstant):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::propagateNode):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompile):
      * jit/JIT.h:
      (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
      (JSC::MethodCallCompilationInfo::MethodCallCompilationInfo):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_method_check):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_method_check):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      * runtime/JSCell.h:
      (JSC::JSCell::JSCell::structureAddress):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95273 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6f1a3444
  30. 14 Sep, 2011 2 commits
    • Tiered compilation heuristics do not account for value profile fullness · 7f2d2345
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=68116
      
      Reviewed by Oliver Hunt.
              
      Tiered compilation avoids invoking the DFG JIT if it finds that value
      profiles contain insufficient information. Instead, it produces a
      prediction from the current value profile, and then clears the value
      profile. This allows the value profile to heat up from scratch for
      some number of additional executions. The new profiles will then be
      merged with the previous prediction. Once the amount of information
      in predictions is enough according to heuristics in CodeBlock.cpp,
      DFG optimization is allowed to proceed.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.pro:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::~CodeBlock):
      (JSC::CodeBlock::visitAggregate):
      (JSC::CodeBlock::visitWeakReferences):
      (JSC::CodeBlock::shouldOptimizeNow):
      (JSC::CodeBlock::dumpValueProfiles):
      * bytecode/CodeBlock.h:
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      * bytecode/PredictedType.h:
      * bytecode/ValueProfile.cpp: Added.
      (JSC::ValueProfile::computeStatistics):
      (JSC::ValueProfile::computeUpdatedPrediction):
      * bytecode/ValueProfile.h:
      (JSC::ValueProfile::ValueProfile):
      (JSC::ValueProfile::classInfo):
      (JSC::ValueProfile::numberOfSamples):
      (JSC::ValueProfile::totalNumberOfSamples):
      (JSC::ValueProfile::isLive):
      (JSC::ValueProfile::numberOfInt32s):
      (JSC::ValueProfile::numberOfDoubles):
      (JSC::ValueProfile::numberOfBooleans):
      (JSC::ValueProfile::dump):
      (JSC::getValueProfileBytecodeOffset):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::stronglyPredict):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::predictArgumentTypes):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
      (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
      * jit/JIT.cpp:
      (JSC::JIT::emitOptimizationCheck):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitValueProfilingSite):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95134 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7f2d2345
    • Prediction tracking is not precise enough · d4608084
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=67993
      
      Reviewed by Oliver Hunt.
              
      Added a richer set of type predictions, including JSFinalObject, JSString,
      object that is not a JSFinalObject or JSArray (ObjectOther), some object
      but we don't know or care what kind (SomeObject), definitely an object,
      cell that is not an object or JSString, a value that is none of the above
      (so either Undefined or Null). Made the propagator and value profiler work
      with the new types.
              
      Performance is neutral, because the DFG JIT does not take advantage of this
      new knowledge yet.
              
      In the process of writing predictionToString() (which is now considerably
      more complex) I decided to finally add a BoundsCheckedPointer, which
      should come in handy in other places, like at least the OSR scratch buffer
      and the CompactJITCodeMap. It's great for cases where you want to
      do pointer arithmetic, you want to have assertions about the
      pointer not going out of bounds, but you don't want to write those
      assertions yourself.
              
      This also required refactoring inherits(), since the ValueProfiler may
      want to do the equivalent of inherits() but given two ClassInfo's.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/WTF/WTF.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/PredictedType.cpp: Added.
      (JSC::predictionToString):
      (JSC::makePrediction):
      (JSC::predictionFromValue):
      * bytecode/PredictedType.h:
      (JSC::isCellPrediction):
      (JSC::isObjectPrediction):
      (JSC::isFinalObjectPrediction):
      (JSC::isStringPrediction):
      (JSC::mergePredictions):
      * bytecode/ValueProfile.h:
      (JSC::ValueProfile::numberOfObjects):
      (JSC::ValueProfile::numberOfFinalObjects):
      (JSC::ValueProfile::numberOfStrings):
      (JSC::ValueProfile::probabilityOfObject):
      (JSC::ValueProfile::probabilityOfFinalObject):
      (JSC::ValueProfile::probabilityOfString):
      (JSC::ValueProfile::dump):
      (JSC::ValueProfile::Statistics::Statistics):
      (JSC::ValueProfile::computeStatistics):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::stronglyPredict):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::predictArgumentTypes):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::predict):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::propagateNode):
      * runtime/ClassInfo.h:
      (JSC::ClassInfo::isSubClassOf):
      * runtime/JSObject.h:
      (JSC::JSCell::inherits):
      * wtf/BoundsCheckedPointer.h: Added.
      (WTF::BoundsCheckedPointer::BoundsCheckedPointer):
      (WTF::BoundsCheckedPointer::operator=):
      (WTF::BoundsCheckedPointer::operator+=):
      (WTF::BoundsCheckedPointer::operator-=):
      (WTF::BoundsCheckedPointer::operator+):
      (WTF::BoundsCheckedPointer::operator-):
      (WTF::BoundsCheckedPointer::operator++):
      (WTF::BoundsCheckedPointer::operator--):
      (WTF::BoundsCheckedPointer::operator<):
      (WTF::BoundsCheckedPointer::operator<=):
      (WTF::BoundsCheckedPointer::operator>):
      (WTF::BoundsCheckedPointer::operator>=):
      (WTF::BoundsCheckedPointer::operator==):
      (WTF::BoundsCheckedPointer::operator!=):
      (WTF::BoundsCheckedPointer::operator!):
      (WTF::BoundsCheckedPointer::get):
      (WTF::BoundsCheckedPointer::operator*):
      (WTF::BoundsCheckedPointer::operator[]):
      (WTF::BoundsCheckedPointer::strcat):
      (WTF::BoundsCheckedPointer::validate):
      * wtf/CMakeLists.txt:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95115 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d4608084