1. 08 Jan, 2014 1 commit
    • fpizlo@apple.com's avatar
      DFG fixup phase should be responsible for inserting ValueToInt32's as needed... · 027ed671
      fpizlo@apple.com authored
      DFG fixup phase should be responsible for inserting ValueToInt32's as needed and it should use Phantom to keep the original values alive in case of OSR exit
      https://bugs.webkit.org/show_bug.cgi?id=126600
      
      Reviewed by Michael Saboff.
              
      This fixes an embarrassing OSR exit liveness bug. It also simplifies the code. We were
      already using FixupPhase as the place where conversion nodes get inserted. ValueToInt32
      was the only exception to that rule, and that was one of the reasons why we had this bug.
              
      Henceforth ValueToInt32 is only inserted by FixupPhase, and only when it is necessary:
      we have a BitOp that will want a ToInt32 conversion and the operand is not predicted to
      already be an int32. If FixupPhase inserts any ValueToInt32's then the BitOp will no
      longer appear to use the original operand, which will make OSR exit think that the
      original operand is dead. We work around this they way we always do: insert a Phantom on
      the original operands right after the BitOp. This ensures that any OSR exit in any of the
      ValueToInt32's or in the BitOp itself will have values for the original inputs.
      
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixIntEdge):
      (JSC::DFG::FixupPhase::fixBinaryIntEdges):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * tests/stress/bit-op-value-to-int32-input-liveness.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@161465 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      027ed671
  2. 29 Dec, 2013 1 commit
    • fpizlo@apple.com's avatar
      Get rid of DFG forward exiting · 9df7fef8
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=125531
      
      Reviewed by Oliver Hunt.
              
      This finally gets rid of forward exiting. Forward exiting was always a fragile concept
      since it involved the compiler trying to figure out how to "roll forward" the
      execution from some DFG node to the next bytecode index. It was always easy to find
      counterexamples where it broke, and it has always served as an obstacle to adding
      compiler improvements - the latest being http://webkit.org/b/125523, which tried to
      make DCE work for more things.
              
      This change finishes the work of removing forward exiting. A lot of forward exiting
      was already removed in some other bugs, but SetLocal still did forward exits. SetLocal
      is in many ways the hardest to remove, since the forward exiting of SetLocal also
      implied that any conversion nodes inserted before the SetLocal would then also be
      marked as forward-exiting. Hence SetLocal's forward-exiting made a bunch of other
      things also forward-exiting, and this was always a source of weirdo bugs.
              
      SetLocal must be able to exit in case it performs a hoisted type speculation. Nodes
      inserted just before SetLocal must also be able to exit - for example type check
      hoisting may insert a CheckStructure, or fixup phase may insert something like
      Int32ToDouble. But if any of those nodes tried to backward exit, then this could lead
      to the reexecution of a side-effecting operation, for example:
              
          a: Call(...)
          b: SetLocal(@a, r1)
              
      For a long time it seemed like SetLocal *had* to exit forward because of this. But
      this change side-steps the problem by changing the ByteCodeParser to always emit a
      kind of "two-phase commit" for stores to local variables. Now when the ByteCodeParser
      wishes to store to a local, it first emits a MovHint and then enqueues a SetLocal.
      The SetLocal isn't actually emitted until the beginning of the next bytecode
      instruction (which the exception of op_enter and op_ret, which emit theirs immediately
      since it's always safe to reexecute those bytecode instructions and since deferring
      SetLocals would be weird there - op_enter has many SetLocals and op_ret is a set
      followed by a jump in case of inlining, so we'd have to emit the SetLocal "after" the
      jump and that would be awkward). This means that the above IR snippet would look
      something like:
              
          a: Call(..., bc#42)
          b: MovHint(@a, r1, bc#42)
          c: SetLocal(@a, r1, bc#47)
              
      Where the SetLocal exits "backwards" but appears at the beginning of the next bytecode
      instruction. This means that by the time we get to that SetLocal, the OSR exit
      analysis already knows that r1 is associated with @a, and it means that the SetLocal
      or anything hoisted above it can exit backwards as normal.
              
      This change also means that the "forward rewiring" can be killed. Previously, we might
      have inserted a conversion node on SetLocal and then the SetLocal died (i.e. turned
      into a MovHint) and the conversion node either died completely or had its lifetime
      truncated to be less than the actual value's bytecode lifetime. This no longer happens
      since conversion nodes are only inserted at SetLocals.
              
      More precisely, this change introduces two laws that we were basically already
      following anyway:
              
      1) A MovHint's child should never be changed except if all other uses of that child
         are also replaced. Specifically, this prohibits insertion of conversion nodes at
         MovHints.
              
      2) Anytime any child is replaced with something else, and all other uses aren't also
         replaced, we must insert a Phantom use of the original child.
      
      This is a slight compile-time regression but has no effect on code-gen. It unlocks a
      bunch of optimization opportunities so I think it's worth it.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpAssumingJITType):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::instructionCount):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGArrayifySlowPathGenerator.h:
      (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::setDirect):
      (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
      (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::eliminate):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::run):
      (JSC::DFG::DCEPhase::fixupBlock):
      (JSC::DFG::DCEPhase::cleanVariables):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      * dfg/DFGLICMPhase.cpp:
      (JSC::DFG::LICMPhase::run):
      (JSC::DFG::LICMPhase::attemptHoist):
      * dfg/DFGMinifiedNode.cpp:
      (JSC::DFG::MinifiedNode::fromNode):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::constantNumber):
      (JSC::DFG::MinifiedNode::weakConstant):
      * dfg/DFGNode.cpp:
      (JSC::DFG::Node::hasVariableAccessData):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToPhantom):
      (JSC::DFG::Node::convertToPhantomUnchecked):
      (JSC::DFG::Node::convertToIdentity):
      (JSC::DFG::Node::containsMovHint):
      (JSC::DFG::Node::hasUnlinkedLocal):
      (JSC::DFG::Node::willHaveCodeGenOrOSR):
      * dfg/DFGNodeFlags.cpp:
      (JSC::DFG::dumpNodeFlags):
      * dfg/DFGNodeFlags.h:
      * dfg/DFGNodeType.h:
      * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
      (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
      * dfg/DFGOSREntrypointCreationPhase.cpp:
      (JSC::DFG::OSREntrypointCreationPhase::run):
      * dfg/DFGOSRExit.cpp:
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitBase.cpp:
      * dfg/DFGOSRExitBase.h:
      (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSSAConversionPhase.cpp:
      (JSC::DFG::SSAConversionPhase::run):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::speculationCheck):
      (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
      (JSC::DFG::SpeculativeJIT::typeCheck):
      (JSC::DFG::SpeculativeJIT::compileMovHint):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::needsTypeCheck):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGTypeCheckHoistingPhase.cpp:
      (JSC::DFG::TypeCheckHoistingPhase::run):
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::validateCPS):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::VariableAccessData):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileMovHint):
      (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
      (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
      (JSC::FTL::LowerDFGToLLVM::speculate):
      (JSC::FTL::LowerDFGToLLVM::typeCheck):
      (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      * ftl/FTLOSRExit.cpp:
      * ftl/FTLOSRExit.h:
      * tests/stress/dead-int32-to-double.js: Added.
      (foo):
      * tests/stress/dead-uint32-to-number.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@161126 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9df7fef8
  3. 14 Dec, 2013 1 commit
    • fpizlo@apple.com's avatar
      Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction · 9089acbe
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=125553
      
      Reviewed by Oliver Hunt.
              
      UInt32ToNumber was a super complicated node because it had to do a speculation, but it
      would do it after we already had computed the urshift. It couldn't just back to the
      beginning of the urshift because the inputs to the urshift weren't necessarily live
      anymore. We couldn't jump forward to the beginning of the next instruction because the
      result of the urshift was not yet unsigned-converted.
              
      For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
      gross and I want to get rid of all forward exits. They cause a lot of bugs.
              
      We could also have turned UInt32ToNumber to a backwards exit by forcing the inputs to
      the urshift to be live. I figure that this might be a bit too extreme.
              
      So, I just created a new place that we can exit to: I split op_urshift into op_urshift
      followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
      UInt32ToNumber does. This allows me to get rid of all of the nastyness in the DFG for
      forward exiting in UInt32ToNumber.
              
      This patch enables massive code carnage in the DFG and FTL, and brings us closer to
      eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
      bytecode slightly more complex (one new instruction). This is a profitable trade. We
      want the DFG and FTL to trend towards simplicity, since they are both currently too
      complicated.
      
      * bytecode/BytecodeUseDef.h:
      (JSC::computeUsesForBytecodeOffset):
      (JSC::computeDefsForBytecodeOffset):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode):
      * bytecode/Opcode.h:
      (JSC::padOpcodeName):
      * bytecode/ValueRecovery.cpp:
      (JSC::ValueRecovery::dumpInContext):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::gpr):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::BinaryOpNode::emitBytecode):
      (JSC::emitReadModifyAssignment):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::toInt32):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGNodeType.h:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileMovHint):
      (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      * dfg/DFGSpeculativeJIT64.cpp:
      * dfg/DFGStrengthReductionPhase.cpp:
      (JSC::DFG::StrengthReductionPhase::handleNode):
      (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
      (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
      (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
      * ftl/FTLFormattedValue.h:
      (JSC::FTL::int32Value):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
      * ftl/FTLValueFormat.cpp:
      (JSC::FTL::reboxAccordingToFormat):
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      * jit/JITArithmetic.cpp:
      (JSC::JIT::emit_op_urshift):
      (JSC::JIT::emitSlow_op_urshift):
      (JSC::JIT::emit_op_unsigned):
      (JSC::JIT::emitSlow_op_unsigned):
      * jit/JITArithmetic32_64.cpp:
      (JSC::JIT::emitRightShift):
      (JSC::JIT::emitRightShiftSlowCase):
      (JSC::JIT::emit_op_unsigned):
      (JSC::JIT::emitSlow_op_unsigned):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/CommonSlowPaths.cpp:
      (JSC::SLOW_PATH_DECL):
      * runtime/CommonSlowPaths.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160587 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9089acbe
  4. 04 Dec, 2013 1 commit
    • fpizlo@apple.com's avatar
      Infer constant closure variables · 88fedde1
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=124630
      
      Source/JavaScriptCore: 
      
      Reviewed by Geoffrey Garen.
              
      Captured variables that are assigned once (not counting op_enter's Undefined
      initialization) and that are contained within a function that has thus far only been
      entered once are now constant folded. It's pretty awesome.
              
      This involves a watchpoint on the assignment to variables and a watchpoint on entry
      into the function. The former is reused from global variable constant inference and the
      latter is reused from one-time closure inference.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::CodeBlock):
      * bytecode/Instruction.h:
      (JSC::Instruction::Instruction):
      * bytecode/Opcode.h:
      (JSC::padOpcodeName):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC::UnlinkedInstruction::UnlinkedInstruction):
      * bytecode/VariableWatchpointSet.h:
      (JSC::VariableWatchpointSet::invalidate):
      * bytecode/Watchpoint.h:
      (JSC::WatchpointSet::invalidate):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::addVar):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::emitInitLazyRegister):
      (JSC::BytecodeGenerator::emitMove):
      (JSC::BytecodeGenerator::emitNewFunctionInternal):
      (JSC::BytecodeGenerator::createArgumentsIfNecessary):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::BytecodeGenerator::addVar):
      (JSC::BytecodeGenerator::watchableVariable):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::inferredConstant):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::tryGetActivation):
      (JSC::DFG::Graph::tryGetRegisters):
      * dfg/DFGGraph.h:
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_mov):
      (JSC::JIT::emit_op_captured_mov):
      (JSC::JIT::emit_op_new_captured_func):
      (JSC::JIT::emitSlow_op_captured_mov):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_mov):
      (JSC::JIT::emit_op_captured_mov):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/CommonSlowPaths.cpp:
      (JSC::SLOW_PATH_DECL):
      * runtime/CommonSlowPaths.h:
      * runtime/ConstantMode.h: Added.
      * runtime/JSGlobalObject.h:
      * runtime/JSScope.cpp:
      (JSC::abstractAccess):
      * runtime/SymbolTable.cpp:
      (JSC::SymbolTableEntry::prepareToWatch):
      
      LayoutTests: 
      
      Reviewed by Geoffrey Garen.
              
      This adds both correctness and performance tests for constant closure variable
      inference.
      
      * js/regress/infer-closure-const-then-mov-expected.txt: Added.
      * js/regress/infer-closure-const-then-mov-no-inline-expected.txt: Added.
      * js/regress/infer-closure-const-then-mov-no-inline.html: Added.
      * js/regress/infer-closure-const-then-mov.html: Added.
      * js/regress/infer-closure-const-then-put-to-scope-expected.txt: Added.
      * js/regress/infer-closure-const-then-put-to-scope-no-inline-expected.txt: Added.
      * js/regress/infer-closure-const-then-put-to-scope-no-inline.html: Added.
      * js/regress/infer-closure-const-then-put-to-scope.html: Added.
      * js/regress/infer-closure-const-then-reenter-expected.txt: Added.
      * js/regress/infer-closure-const-then-reenter-no-inline-expected.txt: Added.
      * js/regress/infer-closure-const-then-reenter-no-inline.html: Added.
      * js/regress/infer-closure-const-then-reenter.html: Added.
      * js/regress/script-tests/infer-closure-const-then-mov-no-inline.js: Added.
      * js/regress/script-tests/infer-closure-const-then-mov.js: Added.
      * js/regress/script-tests/infer-closure-const-then-put-to-scope-no-inline.js: Added.
      (thingy.):
      (thingy):
      * js/regress/script-tests/infer-closure-const-then-put-to-scope.js: Added.
      (thingy.):
      (thingy):
      * js/regress/script-tests/infer-closure-const-then-reenter-no-inline.js: Added.
      (.return.foo):
      (foo):
      * js/regress/script-tests/infer-closure-const-then-reenter.js: Added.
      (.return.foo):
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160109 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      88fedde1
  5. 03 Dec, 2013 1 commit
  6. 02 Dec, 2013 2 commits
    • fpizlo@apple.com's avatar
      Stores to local captured variables should be intercepted · 0309686b
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=124883
      
      Source/JavaScriptCore: 
      
      Reviewed by Mark Hahnenberg.
              
      Previously, in bytecode, you could assign to a captured variable just as you would
      assign to any other kind of variable. This complicates closure variable constant
      inference because we don't have any place where we can intercept stores to captured
      variables in the LLInt.
              
      This patch institutes a policy that only certain instructions can store to captured
      variables. If you interpret those instructions and you are required to notifyWrite()
      then you need to check if the relevant variable is captured. Those instructions are
      tracked in CodeBlock.cpp's VerifyCapturedDef. The main one is simply op_captured_mov.
      In the future, we'll probably modify those instructions to have a pointer directly to
      the VariableWatchpointSet; but for now we just introduce the captured instructions as
      placeholders.
              
      In order to validate that the placeholders are inserted correctly, this patch improves
      the CodeBlock validation to be able to inspect every def in the bytecode. To do that,
      this patch refactors the liveness analysis' use/def calculator to be reusable; it now
      takes a functor for each use or def.
              
      In the process of refactoring the liveness analysis, I noticed that op_enter was
      claiming to def all callee registers. That's wrong; it only defs the non-temporary
      variables. Making that change revealed preexisting bugs in the liveness analysis, since
      now the validator would pick up cases where the bytecode claimed to use a temporary and
      the def calculator never noticed the definition (or the converse - where the bytecode
      was actually not using a temporary but the liveness analysis thought that it was a
      use). This patch fixes a few of those bugs.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/BytecodeLivenessAnalysis.cpp:
      (JSC::stepOverInstruction):
      * bytecode/BytecodeUseDef.h: Added.
      (JSC::computeUsesForBytecodeOffset):
      (JSC::computeDefsForBytecodeOffset):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::isCaptured):
      (JSC::CodeBlock::validate):
      * bytecode/CodeBlock.h:
      * bytecode/Opcode.h:
      (JSC::padOpcodeName):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolveCallee):
      (JSC::BytecodeGenerator::emitMove):
      (JSC::BytecodeGenerator::isCaptured):
      (JSC::BytecodeGenerator::local):
      (JSC::BytecodeGenerator::constLocal):
      (JSC::BytecodeGenerator::emitNewFunction):
      (JSC::BytecodeGenerator::emitLazyNewFunction):
      (JSC::BytecodeGenerator::emitNewFunctionInternal):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::Local::Local):
      (JSC::Local::isCaptured):
      (JSC::Local::captureMode):
      (JSC::BytecodeGenerator::captureMode):
      (JSC::BytecodeGenerator::emitNode):
      (JSC::BytecodeGenerator::pushOptimisedForIn):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::PostfixNode::emitResolve):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/SymbolTable.h:
      (JSC::SymbolTable::isCaptured):
      
      LayoutTests: 
      
      Reviewed by Mark Hahnenberg.
      
      * js/regress/captured-assignments-expected.txt: Added.
      * js/regress/captured-assignments.html: Added.
      * js/regress/script-tests/captured-assignments.js: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159943 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0309686b
    • fpizlo@apple.com's avatar
      Instead of watchpointing activation allocation, we should watchpoint entry... · a4ea0663
      fpizlo@apple.com authored
      Instead of watchpointing activation allocation, we should watchpoint entry into functions that have captured variables
      https://bugs.webkit.org/show_bug.cgi?id=125052
      
      Reviewed by Mark Hahnenberg.
              
      This makes us watch function entry rather than activation creation. We only incur the
      costs of doing so for functions that have captured variables, and only on the first two
      entries into the function. This means that closure variable constant inference will
      naturally work even for local uses of the captured variable, like:
              
          (function(){
              var blah = 42;
              ... // stuff
              function () { ... blah /* we can fold this to 42 */ }
              ... blah // we can also fold this to 42.
          })();
              
      Previously, only the nested use would have been foldable.
      
      * bytecode/BytecodeLivenessAnalysis.cpp:
      (JSC::computeUsesForBytecodeOffset):
      (JSC::computeDefsForBytecodeOffset):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode):
      * bytecode/Opcode.h:
      (JSC::padOpcodeName):
      * bytecode/Watchpoint.h:
      (JSC::WatchpointSet::touch):
      (JSC::InlineWatchpointSet::touch):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasSymbolTable):
      * dfg/DFGNodeType.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGWatchpointCollectionPhase.cpp:
      (JSC::DFG::WatchpointCollectionPhase::handle):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      * jit/JIT.h:
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_touch_entry):
      * llint/LowLevelInterpreter.asm:
      * runtime/CommonSlowPaths.cpp:
      (JSC::SLOW_PATH_DECL):
      * runtime/CommonSlowPaths.h:
      * runtime/JSActivation.h:
      (JSC::JSActivation::create):
      * runtime/SymbolTable.cpp:
      (JSC::SymbolTable::SymbolTable):
      * runtime/SymbolTable.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159942 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a4ea0663
  7. 30 Nov, 2013 1 commit
    • fpizlo@apple.com's avatar
      Finally remove those DFG_ENABLE things · ecd97b0c
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=125025
      
      Rubber stamped by Sam Weinig.
              
      This removes a bunch of unused and untested insanity.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::tallyFrequentExitSites):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
      (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
      (JSC::DFG::ByteCodeParser::makeSafe):
      (JSC::DFG::ByteCodeParser::makeDivSafe):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::linkBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      (JSC::DFG::ByteCodeParser::parse):
      (JSC::DFG::parse):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::run):
      (JSC::DFG::CFGSimplificationPhase::convertToJump):
      (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::endIndexForPureCSE):
      (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
      (JSC::DFG::CSEPhase::setReplacement):
      (JSC::DFG::CSEPhase::eliminate):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGCommon.h:
      (JSC::DFG::verboseCompilationEnabled):
      (JSC::DFG::logCompilationChanges):
      (JSC::DFG::shouldDumpGraphAtEachPhase):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::initialize):
      (JSC::DFG::InPlaceAbstractState::endBasicBlock):
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::compileBody):
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompilerCommon.cpp:
      (JSC::DFG::adjustAndJumpToTarget):
      * dfg/DFGPredictionInjectionPhase.cpp:
      (JSC::DFG::PredictionInjectionPhase::run):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::run):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::propagateForward):
      (JSC::DFG::PredictionPropagationPhase::propagateBackward):
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGScoreBoard.h:
      (JSC::DFG::ScoreBoard::use):
      * dfg/DFGSlowPathGenerator.h:
      (JSC::DFG::SlowPathGenerator::generate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
      (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
      (JSC::DFG::SpeculativeJIT::dump):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * dfg/DFGVariableEventStream.h:
      (JSC::DFG::VariableEventStream::appendAndLog):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159886 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ecd97b0c
  8. 28 Nov, 2013 1 commit
    • fpizlo@apple.com's avatar
      Infer one-time scopes · 1a72409c
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=124812
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This detects JSActivations that are created only once. The JSActivation pointer is then
      baked into the machine code.
              
      This takes advantage of the one-time scope inference to reduce the number of
      indirections needed to get to a closure variable in case where the scope is only
      allocated once. This isn't really a speed-up since in the common case the total number
      of instruction bytes needed to load the scope from the stack is about equal to the
      number of instruction bytes needed to materialize the absolute address of a scoped
      variable. But, this is a necessary prerequisite to
      https://bugs.webkit.org/show_bug.cgi?id=124630, so it's probably a good idea anyway.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::finalizeUnconditionally):
      * bytecode/Instruction.h:
      * bytecode/Opcode.h:
      (JSC::padOpcodeName):
      * bytecode/Watchpoint.h:
      (JSC::WatchpointSet::notifyWrite):
      (JSC::InlineWatchpointSet::notifyWrite):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitResolveScope):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::scopedVarLoadElimination):
      (JSC::DFG::CSEPhase::scopedVarStoreElimination):
      (JSC::DFG::CSEPhase::getLocalLoadElimination):
      (JSC::DFG::CSEPhase::setLocalStoreElimination):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::tryGetRegisters):
      * dfg/DFGGraph.h:
      * dfg/DFGNode.h:
      (JSC::DFG::Node::varNumber):
      (JSC::DFG::Node::hasSymbolTable):
      (JSC::DFG::Node::symbolTable):
      * dfg/DFGNodeType.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGWatchpointCollectionPhase.cpp:
      (JSC::DFG::WatchpointCollectionPhase::handle):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSActivation.h:
      (JSC::JSActivation::create):
      * runtime/JSScope.cpp:
      (JSC::abstractAccess):
      (JSC::JSScope::abstractResolve):
      * runtime/JSScope.h:
      (JSC::ResolveOp::ResolveOp):
      * runtime/JSVariableObject.h:
      (JSC::JSVariableObject::registers):
      * runtime/SymbolTable.cpp:
      (JSC::SymbolTable::SymbolTable):
      * runtime/SymbolTable.h:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * js/regress/infer-one-time-closure-expected.txt: Added.
      * js/regress/infer-one-time-closure-ten-vars-expected.txt: Added.
      * js/regress/infer-one-time-closure-ten-vars.html: Added.
      * js/regress/infer-one-time-closure-two-vars-expected.txt: Added.
      * js/regress/infer-one-time-closure-two-vars.html: Added.
      * js/regress/infer-one-time-closure.html: Added.
      * js/regress/infer-one-time-deep-closure-expected.txt: Added.
      * js/regress/infer-one-time-deep-closure.html: Added.
      * js/regress/script-tests/infer-one-time-closure-ten-vars.js: Added.
      * js/regress/script-tests/infer-one-time-closure-two-vars.js: Added.
      * js/regress/script-tests/infer-one-time-closure.js: Added.
      * js/regress/script-tests/infer-one-time-deep-closure.js: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159834 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1a72409c
  9. 27 Nov, 2013 1 commit
    • fpizlo@apple.com's avatar
      Restructure global variable constant inference so that it could work for any... · 8646834a
      fpizlo@apple.com authored
      Restructure global variable constant inference so that it could work for any kind of symbol table variable
      https://bugs.webkit.org/show_bug.cgi?id=124760
      
      Reviewed by Oliver Hunt.
              
      This changes the way global variable constant inference works so that it can be reused
      for closure variable constant inference. Some of the premises that originally motivated
      this patch are somewhat wrong, but it led to some simplifications anyway and I suspect
      that we'll be able to fix those premises in the future. The main point of this patch is
      to make it easy to reuse global variable constant inference for closure variable
      constant inference, and this will be possible provided we can also either (a) infer
      one-shot closures (easy) or (b) infer closure variables that are always assigned prior
      to first use.
              
      One of the things that this patch is meant to enable is constant inference for closure
      variables that may be part of a multi-shot closure. Closure variables may be
      instantiated multiple times, like:
              
          function foo() {
              var WIDTH = 45;
              function bar() {
                  ... use WIDTH ...
              }
              ...
          }
              
      Even if foo() is called many times and WIDTH is assigned to multiple times, that
      doesn't change the fact that it's a constant. The goal of closure variable constant
      inference is to catch any case where a closure variable has been assigned at least once
      and its value has never changed. This patch doesn't implement that, but it does change
      global variable constant inference to have most of the powers needed to do that. Note
      that most likely we will use this functionality only to implement constant inference
      for one-shot closures, but the resulting machinery is still simpler than what we had
      before.
              
      This involves three changes:
              
          - The watchpoint object now contains the inferred value. This involves creating a
            new kind of watchpoint set, the VariableWatchpointSet. We will reuse this object
            for closure variables.
              
          - Writing to a variable that is watchpointed still involves these three states that
            we proceed through monotonically (Uninitialized->Initialized->Invalidated) but
            now, the Initialized->Invalidated state transition only happens if we change the
            variable's value, rather than store to the variable. Repeatedly storing the same
            value won't change the variable's state.
              
          - On 64-bit systems (the only systems on which we do concurrent JIT), you no longer
            need fancy fencing to get a consistent view of the watchpoint in the JIT. The
            state of the VariableWatchpointSet for the purposes of constant folding is
            entirely encapsulated in the VariableWatchpointSet::m_inferredValue. If that is
            JSValue() then you cannot fold (either because the set is uninitialized or
            because it's invalidated - doesn't matter which); on the other hand if the value
            is anything other than JSValue() then you can fold, and that's the value you fold
            to. Simple!
              
      This also changes the way that DFG IR deals with variable watchpoints. It's now
      oblivious to global variables. You install a watchpoint using VariableWatchpoint and
      you notify write using NotifyWrite. Easy!
              
      Note that this will requires some more tweaks because of the fact that op_enter will
      store Undefined into every captured variable. Hence it won't even work for one-shot
      closures. One-shot closures are easily fixed by introducing another state (so we'll
      have Uninitialized->Undefined->Initialized->Invalidated). Multi-shot closures will
      require static analysis. One-shot closures are clearly a higher priority.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/Instruction.h:
      * bytecode/VariableWatchpointSet.h: Added.
      (JSC::VariableWatchpointSet::VariableWatchpointSet):
      (JSC::VariableWatchpointSet::~VariableWatchpointSet):
      (JSC::VariableWatchpointSet::inferredValue):
      (JSC::VariableWatchpointSet::notifyWrite):
      (JSC::VariableWatchpointSet::invalidate):
      (JSC::VariableWatchpointSet::finalizeUnconditionally):
      (JSC::VariableWatchpointSet::addressOfInferredValue):
      * bytecode/Watchpoint.h:
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasRegisterPointer):
      (JSC::DFG::Node::hasVariableWatchpointSet):
      (JSC::DFG::Node::variableWatchpointSet):
      * dfg/DFGNodeType.h:
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileArithMod):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGWatchpointCollectionPhase.cpp:
      (JSC::DFG::WatchpointCollectionPhase::handle):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
      * jit/JIT.h:
      * jit/JITOperations.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitNotifyWrite):
      (JSC::JIT::emitPutGlobalVar):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emitNotifyWrite):
      (JSC::JIT::emitPutGlobalVar):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::addGlobalVar):
      (JSC::JSGlobalObject::addFunction):
      * runtime/JSGlobalObject.h:
      * runtime/JSScope.h:
      (JSC::ResolveOp::ResolveOp):
      * runtime/JSSymbolTableObject.h:
      (JSC::symbolTablePut):
      (JSC::symbolTablePutWithAttributes):
      * runtime/SymbolTable.cpp:
      (JSC::SymbolTableEntry::inferredValue):
      (JSC::SymbolTableEntry::prepareToWatch):
      (JSC::SymbolTableEntry::addWatchpoint):
      (JSC::SymbolTableEntry::notifyWriteSlow):
      (JSC::SymbolTable::visitChildren):
      (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup):
      (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup):
      (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
      * runtime/SymbolTable.h:
      (JSC::SymbolTableEntry::watchpointSet):
      (JSC::SymbolTableEntry::notifyWrite):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159798 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8646834a
  10. 20 Nov, 2013 1 commit
    • fpizlo@apple.com's avatar
      Infer constant global variables · 33961712
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=124464
      
      Source/JavaScriptCore: 
      
      Reviewed by Sam Weinig.
              
      All global variables that are candidates for watchpoint-based constant inference (i.e.
      not 'const' variables) will now have WatchpointSet's associated with them and those
      are used to drive the inference by tracking three states of each variable:
              
      Uninitialized: the variable's value is Undefined and the WatchpointSet state is
          ClearWatchpoint.
              
      Initialized: the variable's value was set to something (could even be explicitly set
          to Undefined) and the WatchpointSet state is IsWatching.
              
      Invalidated: the variable's value was set to something else (could even be the same
          thing as before but the point is that a put operation did execute again) and the
          WatchpointSet is IsInvalidated.
              
      If the compiler tries to compile a GetGlobalVar and the WatchpointSet state is
      IsWatching, then the current value of the variable can be folded in place of the get,
      and a watchpoint on the variable can be registered.
              
      We handle race conditions between the mutator and compiler by mandating that:
              
      - The mutator changes the WatchpointSet state after executing the put.
              
      - There is no opportunity to install code or call functions between when the mutator
        executes a put and changes the WatchpointSet state.
              
      - The compiler checks the WatchpointSet state prior to reading the value.
              
      The concrete algorithm used by the mutator is:
              
          1. Store the new value into the variable.
          --- Execute a store-store fence.
          2. Bump the state (ClearWatchpoing becomes IsWatching, IsWatching becomes
             IsInvalidated); the IsWatching->IsInvalidated transition may end up firing
             watchpoints.
              
      The concrete algorithm that the compiler uses is:
              
          1. Load the state. If it's *not* IsWatching, then give up on constant inference.
          --- Execute a load-load fence.
          2. Load the value of the variable and use that for folding, while also registering
             a DesiredWatchpoint. The various parts of this step can be done in any order.
              
      The desired watchpoint registration will fail if the watchpoint set is already
      invalidated. Now consider the following interesting interleavings:
              
      Uninitialized->M1->M2->C1->C2: Compiler sees IsWatching because of the mutator's store
          operation, and the variable is folded. The fencing ensures that C2 sees the value
          stored in M1 - i.e. we fold on the value that will actually be watchpointed. If
          before the compilation is installed the mutator executes another store then we
          will be sure that it will be a complete sequence of M1+M2 since compilations get
          installed at safepoints and never "in the middle" of a put_to_scope. Hence that
          compilation installation will be invalidated. If the M1+M2 sequence happens after
          the code is installed, then the code will be invalidated by triggering a jettison.
              
      Uninitialized->M1->C1->C2->M2: Compiler sees Uninitialized and will not fold. This is
          a sensible outcome since if the compiler read the variable's value, it would have
          seen Undefined.
              
      Uninitialized->C1->C2->M1->M2: Compiler sees Uninitialized and will not fold.
      Uninitialized->C1->M1->C2->M2: Compiler sees Uninitialized and will not fold.
      Uninitialized->C1->M1->M2->C2: Compiler sees Uninitialized and will not fold.
      Uninitialized->M1->C1->M2->C2: Compiler sees Uninitialized and will not fold.
              
      IsWatched->M1->M2->C1->C2: Compiler sees IsInvalidated and will not fold.
              
      IsWatched->M1->C1->C2->M2: Compiler will fold, but will also register a desired
          watchpoint, and that watchpoint will get invalidated before the code is installed.
              
      IsWatched->M1->C1->M2->C2: As above, will fold but the code will get invalidated.
      IsWatched->C1->C2->M1->M2: As above, will fold but the code will get invalidated.
      IsWatched->C1->M1->C2->M2: As above, will fold but the code will get invalidated.
      IsWatched->C1->M1->M2->C2: As above, will fold but the code will get invalidated.
              
      Note that this kind of reasoning shows why having the mutator first bump the state and
      then store the new value would be wrong. If we had done that (M1 = bump state, M2 =
      execute put) then we could have the following deadly interleavings:
              
      Uninitialized->M1->C1->C2->M2:
      Uninitialized->M1->C1->M2->C2: Mutator bumps the state to IsWatched and then the
          compiler folds Undefined, since M2 hasn't executed yet. Although C2 will set the
          watchpoint, M1 didn't notify it - it mearly initiated watching. M2 then stores a
          value other than Undefined, and you're toast.
              
      You could fix this sort of thing by making the Desired Watchpoints machinery more
      sophisticated, for example having it track the value that was folded; if the global
      variable's value was later found to be different then we could invalidate the
      compilation. You could also fix it by having the compiler also check that the value of
      the variable is not Undefined before folding. While those all sound great, I decided
      to instead just use the right interleaving since that results in less code and feels
      more intuitive.
              
      This is a 0.5% speed-up on SunSpider, mostly due to a 20% speed-up on math-cordic.
      It's a 0.6% slow-down on LongSpider, mostly due to a 25% slow-down on 3d-cube. This is
      because 3d-cube takes global variable assignment slow paths very often. Note that this
      3d-cube slow-down doesn't manifest as much in SunSpider (only 6% there). This patch is
      also a 1.5% speed-up on V8v7 and a 2.8% speed-up on Octane v1, mostly due to deltablue
      (3.7%), richards (4%), and mandreel (26%). This is a 2% speed-up on Kraken, mostly due
      to a 17.5% speed-up on imaging-gaussian-blur. Something that really illustrates the
      slam-dunk-itude of this patch is the wide range of speed-ups on JSRegress. Casual JS
      programming often leads to global-var-based idioms and those variables tend to be
      assigned once, leading to excellent constant folding opportunities in an optimizing
      JIT. This is very evident in the speed-ups on JSRegress.
      
      * assembler/ARM64Assembler.h:
      (JSC::ARM64Assembler::dmbSY):
      * assembler/ARMv7Assembler.h:
      (JSC::ARMv7Assembler::dmbSY):
      * assembler/MacroAssemblerARM64.h:
      (JSC::MacroAssemblerARM64::memfence):
      * assembler/MacroAssemblerARMv7.h:
      (JSC::MacroAssemblerARMv7::load8):
      (JSC::MacroAssemblerARMv7::memfence):
      * assembler/MacroAssemblerX86.h:
      (JSC::MacroAssemblerX86::load8):
      (JSC::MacroAssemblerX86::store8):
      * assembler/MacroAssemblerX86Common.h:
      (JSC::MacroAssemblerX86Common::getUnusedRegister):
      (JSC::MacroAssemblerX86Common::store8):
      (JSC::MacroAssemblerX86Common::memoryFence):
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::load8):
      (JSC::MacroAssemblerX86_64::store8):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::movb_rm):
      (JSC::X86Assembler::movzbl_mr):
      (JSC::X86Assembler::mfence):
      (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
      (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      * bytecode/Watchpoint.cpp:
      (JSC::WatchpointSet::WatchpointSet):
      (JSC::WatchpointSet::add):
      (JSC::WatchpointSet::notifyWriteSlow):
      * bytecode/Watchpoint.h:
      (JSC::WatchpointSet::state):
      (JSC::WatchpointSet::isStillValid):
      (JSC::WatchpointSet::addressOfSetIsNotEmpty):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getJSConstantForValue):
      (JSC::DFG::ByteCodeParser::getJSConstant):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::isStronglyProvedConstantIn):
      (JSC::DFG::Node::hasIdentifierNumberForCheck):
      (JSC::DFG::Node::hasRegisterPointer):
      * dfg/DFGNodeFlags.h:
      * dfg/DFGNodeType.h:
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileNotifyPutGlobalVar):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * ftl/FTLAbbreviatedTypes.h:
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::buildFence):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileNotifyPutGlobalVar):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::fence):
      * jit/JIT.h:
      * jit/JITOperations.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitPutGlobalVar):
      (JSC::JIT::emit_op_put_to_scope):
      (JSC::JIT::emitSlow_op_put_to_scope):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emitPutGlobalVar):
      (JSC::JIT::emit_op_put_to_scope):
      (JSC::JIT::emitSlow_op_put_to_scope):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * llvm/LLVMAPIFunctions.h:
      * offlineasm/arm.rb:
      * offlineasm/arm64.rb:
      * offlineasm/cloop.rb:
      * offlineasm/instructions.rb:
      * offlineasm/x86.rb:
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::addGlobalVar):
      (JSC::JSGlobalObject::addFunction):
      * runtime/JSGlobalObject.h:
      (JSC::JSGlobalObject::addVar):
      (JSC::JSGlobalObject::addConst):
      * runtime/JSScope.cpp:
      (JSC::abstractAccess):
      * runtime/JSSymbolTableObject.h:
      (JSC::symbolTablePut):
      (JSC::symbolTablePutWithAttributes):
      * runtime/SymbolTable.cpp:
      (JSC::SymbolTableEntry::couldBeWatched):
      (JSC::SymbolTableEntry::prepareToWatch):
      (JSC::SymbolTableEntry::notifyWriteSlow):
      * runtime/SymbolTable.h:
      
      LayoutTests: 
      
      Reviewed by Sam Weinig.
      
      * js/regress/global-var-const-infer-expected.txt: Added.
      * js/regress/global-var-const-infer-fire-from-opt-expected.txt: Added.
      * js/regress/global-var-const-infer-fire-from-opt.html: Added.
      * js/regress/global-var-const-infer.html: Added.
      * js/regress/script-tests/global-var-const-infer-fire-from-opt.js: Added.
      (foo):
      (setA):
      (setB):
      (check):
      * js/regress/script-tests/global-var-const-infer.js: Added.
      (foo):
      (check):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159545 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      33961712
  11. 18 Nov, 2013 2 commits
    • fpizlo@apple.com's avatar
      put_to_scope[5] should not point to the structure if it's a variable access,... · 40f7cbf3
      fpizlo@apple.com authored
      put_to_scope[5] should not point to the structure if it's a variable access, but it should point to the WatchpointSet
      https://bugs.webkit.org/show_bug.cgi?id=124539
      
      Reviewed by Mark Hahnenberg.
              
      This is in preparation for getting put_to_scope to directly invalidate the watchpoint set
      on stores, which will allow us to run constant inference on all globals.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::finalizeUnconditionally):
      * bytecode/Instruction.h:
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * runtime/JSScope.cpp:
      (JSC::abstractAccess):
      (JSC::JSScope::abstractResolve):
      * runtime/JSScope.h:
      (JSC::ResolveOp::ResolveOp):
      * runtime/SymbolTable.h:
      (JSC::SymbolTableEntry::watchpointSet):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159462 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      40f7cbf3
    • fpizlo@apple.com's avatar
      FTL should have an explicit notion of bytecode liveness · 002405c0
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=124181
      
      Source/JavaScriptCore: 
      
      Reviewed by Sam Weinig.
              
      This makes FTL OSR exit use bytecode liveness analysis to determine which variables
      to include values for. The decision of how to get the values of variables is based on
      forward propagation of MovHints and SetLocals.
              
      This fixes a bunch of bugs (like https://bugs.webkit.org/show_bug.cgi?id=124138 but
      also others that I noticed when I started writing more targetted tests) and allows us
      to remove some sketchy code.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/BytecodeBasicBlock.h:
      * bytecode/BytecodeLivenessAnalysis.cpp:
      (JSC::isValidRegisterForLiveness):
      (JSC::setForOperand):
      (JSC::computeUsesForBytecodeOffset):
      (JSC::computeDefsForBytecodeOffset):
      (JSC::stepOverInstruction):
      (JSC::computeLocalLivenessForBytecodeOffset):
      (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
      (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
      (JSC::getLivenessInfo):
      (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
      (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
      * bytecode/BytecodeLivenessAnalysis.h:
      * bytecode/BytecodeLivenessAnalysisInlines.h: Added.
      (JSC::operandIsAlwaysLive):
      (JSC::operandThatIsNotAlwaysLiveIsLive):
      (JSC::operandIsLive):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::captureCount):
      (JSC::CodeBlock::captureStart):
      (JSC::CodeBlock::captureEnd):
      * bytecode/CodeOrigin.cpp:
      (JSC::InlineCallFrame::dumpInContext):
      * bytecode/FullBytecodeLiveness.h: Added.
      (JSC::FullBytecodeLiveness::FullBytecodeLiveness):
      (JSC::FullBytecodeLiveness::getOut):
      (JSC::FullBytecodeLiveness::operandIsLive):
      (JSC::FullBytecodeLiveness::getLiveness):
      * dfg/DFGAvailability.cpp: Added.
      (JSC::DFG::Availability::dump):
      (JSC::DFG::Availability::dumpInContext):
      * dfg/DFGAvailability.h: Added.
      (JSC::DFG::Availability::Availability):
      (JSC::DFG::Availability::unavailable):
      (JSC::DFG::Availability::withFlush):
      (JSC::DFG::Availability::withNode):
      (JSC::DFG::Availability::withUnavailableNode):
      (JSC::DFG::Availability::nodeIsUndecided):
      (JSC::DFG::Availability::nodeIsUnavailable):
      (JSC::DFG::Availability::hasNode):
      (JSC::DFG::Availability::node):
      (JSC::DFG::Availability::flushedAt):
      (JSC::DFG::Availability::operator!):
      (JSC::DFG::Availability::operator==):
      (JSC::DFG::Availability::merge):
      (JSC::DFG::Availability::mergeNodes):
      (JSC::DFG::Availability::unavailableMarker):
      * dfg/DFGBasicBlock.h:
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGDisassembler.cpp:
      (JSC::DFG::Disassembler::Disassembler):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      (JSC::DFG::dataFormatFor):
      * dfg/DFGFlushedAt.cpp:
      (JSC::DFG::FlushedAt::dump):
      * dfg/DFGFlushedAt.h:
      (JSC::DFG::FlushedAt::FlushedAt):
      (JSC::DFG::FlushedAt::merge):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::livenessFor):
      (JSC::DFG::Graph::isLiveInBytecode):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::baselineCodeBlockFor):
      * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
      (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
      * dfg/DFGOSRAvailabilityAnalysisPhase.h:
      * dfg/DFGPlan.cpp:
      (JSC::DFG::Plan::compileInThreadImpl):
      * dfg/DFGResurrectionForValidationPhase.cpp: Added.
      (JSC::DFG::ResurrectionForValidationPhase::ResurrectionForValidationPhase):
      (JSC::DFG::ResurrectionForValidationPhase::run):
      (JSC::DFG::performResurrectionForValidation):
      * dfg/DFGResurrectionForValidationPhase.h: Added.
      * dfg/DFGSSAConversionPhase.cpp:
      (JSC::DFG::SSAConversionPhase::run):
      * dfg/DFGValueSource.h:
      (JSC::DFG::ValueSource::forFlushFormat):
      * dfg/DFGVariableAccessData.h:
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLInlineCacheSize.cpp:
      (JSC::FTL::sizeOfGetById):
      * ftl/FTLLocation.cpp:
      (JSC::FTL::Location::gpr):
      (JSC::FTL::Location::fpr):
      (JSC::FTL::Location::directGPR):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compileBlock):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
      (JSC::FTL::LowerDFGToLLVM::compilePutById):
      (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::observeMovHint):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::alloca):
      * ftl/FTLValueSource.cpp: Removed.
      * ftl/FTLValueSource.h: Removed.
      * llvm/LLVMAPIFunctions.h:
      * runtime/DumpContext.cpp:
      (JSC::DumpContext::DumpContext):
      * runtime/DumpContext.h:
      * runtime/Options.h:
      * runtime/SymbolTable.h:
      (JSC::SharedSymbolTable::captureStart):
      (JSC::SharedSymbolTable::captureEnd):
      (JSC::SharedSymbolTable::captureCount):
      
      Tools: 
      
      Reviewed by Mark Hahnenberg.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Mark Hahnenberg or Sam Weinig.
              
      I totally added this test after the rest of the patch was r+'d. Under the right tier-up
      modes this triggers one of the bugs that the rest of the patch is trying to avoid.
      
      * js/regress/script-tests/weird-inlining-const-prop.js: Added.
      (foo):
      (bar):
      (fuzz):
      (testImpl):
      (test):
      * js/regress/weird-inlining-const-prop-expected.txt: Added.
      * js/regress/weird-inlining-const-prop.html: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159394 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      002405c0
  12. 31 Oct, 2013 1 commit
    • fpizlo@apple.com's avatar
      Remove CachedTranscendentalFunction because caching math functions is an ugly idea · b3336c7b
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123574
      
      Source/JavaScriptCore: 
      
      Reviewed by Mark Hahnenberg.
              
      This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
      we gain the "overhead" of actually computing sin and cos but we lose the overhead of
      going through the native call thunks.
              
      Caching transcendental functions is a really ugly idea. It works for SunSpider because
      that benchmark makes very predictable calls into Math.sin. But I don't believe that this
      is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
      that this was doing was adding more call overhead and some hashing overhead.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNodeType.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITOperations.h:
      * runtime/CachedTranscendentalFunction.h: Removed.
      * runtime/DateInstanceCache.h:
      * runtime/Intrinsic.h:
      * runtime/MathObject.cpp:
      (JSC::MathObject::finishCreation):
      (JSC::mathProtoFuncCos):
      (JSC::mathProtoFuncSin):
      * runtime/VM.h:
      
      Tools: 
      
      Reviewed by Mark Hahnenberg.
      
      Make it easier to see that a test doesn't have an -expected file.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Mark Hahnenberg.
      
      * js/dfg-cos-constant-expected.txt: Added.
      * js/dfg-cos-constant.html: Added.
      * js/dfg-sin-constant-expected.txt: Added.
      * js/dfg-sin-constant.html: Added.
      * js/script-tests/dfg-cos-constant.js: Added.
      (foo):
      * js/script-tests/dfg-sin-constant.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158384 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b3336c7b
  13. 29 Oct, 2013 1 commit
    • msaboff@apple.com's avatar
      Change local variable register allocation to start at offset -1 · d19c4622
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123182
      
      Reviewed by Geoffrey Garen.
      
      Adjusted the virtual register mapping down by one slot.  Reduced
      the CallFrame header slots offsets by one.  They now start at 0.
      Changed arity fixup to no longer skip passed register slot 0 as this
      is now part of the CallFrame header.
      
      * bytecode/VirtualRegister.h:
      (JSC::operandIsLocal):
      (JSC::operandIsArgument):
      (JSC::VirtualRegister::localToOperand):
      (JSC::VirtualRegister::operandToLocal):
        Adjusted functions for shift in mapping from local to register offset.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
      (JSC::DFG::ByteCodeParser::addCall):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * interpreter/CallFrame.h:
      (JSC::ExecState::frameExtent):
      (JSC::ExecState::offsetFor):
      * interpreter/Interpreter.cpp:
      (JSC::loadVarargs):
      (JSC::Interpreter::dumpRegisters):
      (JSC::Interpreter::executeCall):
      * llint/LLIntData.cpp:
      (JSC::LLInt::Data::performAssertions):
      * llint/LowLevelInterpreter.asm:
        Adjusted math to accomodate for shift in call frame slots.
      
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::compileFunction):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
      * interpreter/CallFrame.cpp:
      (JSC::CallFrame::frameExtentInternal):
      * interpreter/JSStackInlines.h:
      (JSC::JSStack::pushFrame):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompile):
      * jit/JITOperations.cpp:
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::llint_slow_path_stack_check):
      * runtime/CommonSlowPaths.h:
      (JSC::CommonSlowPaths::arityCheckFor):
        Fixed offset calculation to use VirtualRegister and related calculation instead of
        doing seperate calculations.
      
      * interpreter/JSStack.h:
        Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
        in the process of testing the fixes.
      
      * jit/ThunkGenerators.cpp:
      (JSC::arityFixup):
        Changed arity fixup to no longer skip passed register slot 0 as this
        is now part of the CallFrame header.
      
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
        Changed arity fixup to no longer skip passed register slot 0 as this
        is now part of the CallFrame header.  Updated op_enter processing for
        the change in local registers.
      
      * runtime/JSGlobalObject.h:
        Removed the now unneeded extra slot in the global callframe
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158237 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d19c4622
  14. 28 Oct, 2013 2 commits
    • fpizlo@apple.com's avatar
      OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo · e8af48ca
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123423
      
      Reviewed by Mark Hahnenberg.
              
      Also enable ExitKind to tell you if it's a watchpoint.
      
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      (JSC::isWatchpoint):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::linkOSRExits):
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::appendExitInfo):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompilationInfo.h:
      (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158141 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e8af48ca
    • fpizlo@apple.com's avatar
      Get rid of InlineStart so that I don't have to implement it in FTL · f5be8c90
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123302
      
      Reviewed by Geoffrey Garen.
              
      InlineStart was a special instruction that we would insert at the top of inlined code,
      so that the backend could capture the OSR state of arguments to an inlined call. It used
      to be that only the backend had this information, so this instruction was sort of an ugly
      callback from the backend for filling in some data structures.
              
      But in the time since when that code was written (two years ago?), we rationalized how
      variables work. It's now the case that variables that the runtime must know about are
      treated specially in IR (they are "flushed") and we know how we will represent them even
      before we get to the backend. The last place that makes changes to their representation
      is the StackLayoutPhase.
              
      So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
      instruction had. Instead of handling the bookkeeping in the backend, we handle it in
      StackLayoutPhase. This means that the DFG and FTL can share code for handling this
      bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
              
      Of course, giving the FTL the ability to handle code blocks that had inlining means that
      we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
      frames. This patch also fixes that.
      
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.h:
      * dfg/DFGNode.h:
      * dfg/DFGNodeType.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStackLayoutPhase.cpp:
      (JSC::DFG::StackLayoutPhase::run):
      * ftl/FTLLink.cpp:
      (JSC::FTL::link):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158116 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f5be8c90
  15. 19 Oct, 2013 2 commits
    • fpizlo@apple.com's avatar
      A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using... · d49bfe80
      fpizlo@apple.com authored
      A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
      https://bugs.webkit.org/show_bug.cgi?id=122940
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
      whereas previously it was in a Vector, so it moved. This allows you to use pointers to
      StructureStubInfo. This also eliminates the use of return PC as a way of finding the
      StructureStubInfo's. It removes some of the need for the compile-time property access
      records; for example the DFG no longer has to save information about registers in a
      property access record only to later save it to the stub info.
              
      The main thing is accomplishes is that it makes it easier to add StructureStubInfo's
      at any stage of compilation.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printGetByIdCacheStatus):
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::~CodeBlock):
      (JSC::CodeBlock::propagateTransitions):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::addStubInfo):
      (JSC::CodeBlock::getStubInfoMap):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::begin):
      (JSC::CodeBlock::end):
      (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
      * bytecode/CodeOrigin.h:
      (JSC::CodeOrigin::CodeOrigin):
      (JSC::CodeOrigin::isHashTableDeletedValue):
      (JSC::CodeOrigin::hash):
      (JSC::CodeOriginHash::hash):
      (JSC::CodeOriginHash::equal):
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFor):
      * bytecode/GetByIdStatus.h:
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFor):
      * bytecode/PutByIdStatus.h:
      * bytecode/StructureStubInfo.h:
      (JSC::getStructureStubInfoCodeOrigin):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
      (JSC::DFG::InRecord::InRecord):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileIn):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      * jit/CCallHelpers.h:
      (JSC::CCallHelpers::setupArgumentsWithExecState):
      * jit/JIT.cpp:
      (JSC::PropertyStubCompilationInfo::copyToStubInfo):
      (JSC::JIT::privateCompile):
      * jit/JIT.h:
      (JSC::PropertyStubCompilationInfo::slowCaseInfo):
      * jit/JITInlines.h:
      (JSC::JIT::callOperation):
      * jit/JITOperations.cpp:
      * jit/JITOperations.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitSlow_op_get_by_id):
      (JSC::JIT::emitSlow_op_put_by_id):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emitSlow_op_get_by_id):
      (JSC::JIT::emitSlow_op_put_by_id):
      * jit/Repatch.cpp:
      (JSC::appropriateGenericPutByIdFunction):
      (JSC::appropriateListBuildingPutByIdFunction):
      (JSC::resetPutByID):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * GNUmakefile.list.am:
      * WTF.vcxproj/WTF.vcxproj:
      * WTF.xcodeproj/project.pbxproj:
      * wtf/BagToHashMap.h: Added.
      (WTF::toHashMap):
      * wtf/CMakeLists.txt:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157660 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d49bfe80
    • oliver@apple.com's avatar
      Spread operator should be performing direct "puts" and not triggering setters · e050d642
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123047
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore:
      
      Add a new opcode -- op_put_by_val_directue -- and make use of it in the spread
      to array construct.  This required a new PutByValDirect node to be introduced to
      the DFG.  The current implementation simply changes the slow path function that
      is called, but in future this could be made faster as it does not need to check
      the prototype chain.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::CodeBlock):
      * bytecode/Opcode.h:
      (JSC::padOpcodeName):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitDirectPutByVal):
      * bytecompiler/BytecodeGenerator.h:
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ArrayNode::emitBytecode):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getArrayLengthElimination):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::checkStructureElimination):
      (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
      (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
      (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::clobbersWorld):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasArrayMode):
      * dfg/DFGNodeType.h:
      * dfg/DFGOperations.cpp:
      (JSC::DFG::putByVal):
      (JSC::DFG::operationPutByValInternal):
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGTypeCheckHoistingPhase.cpp:
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JSC::JIT::compileDirectPutByVal):
      * jit/JITOperations.cpp:
      * jit/JITOperations.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitSlow_op_put_by_val):
      (JSC::JIT::privateCompilePutByVal):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emitSlow_op_put_by_val):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LLIntSlowPaths.h:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      LayoutTests:
      
      Add a new testcase for the setter case.  run-javascriptcore-tests hits this with
      the llint, baseline, and dfg.
      
      * js/basic-spread-expected.txt:
      * js/script-tests/basic-spread.js:
      (Array):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157656 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e050d642
  16. 14 Oct, 2013 1 commit
    • fpizlo@apple.com's avatar
      FTL should have an inefficient but correct implementation of GetById · 6cd705df
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122740
      
      Reviewed by Mark Hahnenberg.
              
      It took some effort to realize that the node->prediction() check in the DFG backends
      are completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
      if !prediction.
              
      But other than that this was an easy patch.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleGetById):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileGetById):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157409 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6cd705df
  17. 06 Oct, 2013 1 commit
    • fpizlo@apple.com's avatar
      Compress DFG stack layout · a62d4829
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122024
      
      Reviewed by Oliver Hunt.
              
      The DFG needs to be able to store things at a known offset from frame pointer so that
      the runtime can read those things. Prior to this patch, the DFG would use the exact
      offsets that the bytecode asked for, even in the case of inlining, where it would use
      the callsite stack offset to shift all of the inlined function's variables over just as
      they would have been if a bytecode interpreter had really made the call.
              
      But this won't work once WebKit-LLVM integration is complete. LLVM has no notion of
      storing things at a fixed offset from the frame pointer. We could try to hack LLVM to do
      that, but it would seriously complicate LLVM's stack layout. But what we might be able
      to do is have LLVM tell us (via an addressof intrinsic and a side-channel) where some
      alloca landed relative to the frame pointer. Hence if the DFG can put all of its flushed
      variables in a contiguous range that can be expressed to LLVM as a struct that we
      alloca, then all of this can still work just fine.
              
      Previously the flushed variables didn't fit in a contiguous range, but this patch makes
      them contiguous by allowing the stack layout to be compressed.
              
      What this really means is that there is now a distinction between where the DFG saw a
      variable stored in bytecode and where it will actually store it in the resulting machine
      code. Henceforth when the DFG says "local" or "virtual register" it means the variable
      according to bytecode (with the stack offsetting for inlined code as before), but when
      it says "machine local" or "machine virtual register" it means the actual place where it
      will store things in the resulting machine code. All of the OSR exit, inlined arguments,
      captured variables, and various stack unwinding machine now knows about all of this.
              
      Note that the DFG's abstract interpretation still uses bytecode variables rather than
      machine variables. Same for CSE and abstract heaps. This makes sense since it means that
      we don't have to decide on machine variable allocation just to do those optimizations.
              
      The decision of what a local's machine location becomes is deferred to very late in
      compilation. We only need to assign machine locations to variables that must be stored
      to the stack. It's now mandatory to run some kind of "stack layout phase" that makes the
      decision and updates all data structures.
              
      So far the way that this is being used is just to compress the DFG stack layout, which
      is something that we should have done anyway, a long time ago. And the compression isn't
      even that good - the current StackLayoutPhase just identifies local indices that are
      unused in machine code and slides all other variables towards zero. This doesn't achieve
      particularly good compression but it is better than nothing. Note that this phase makes
      it seem like the bytecode-machine mapping is based on bytecode local indices; for
      example if bytecode local 4 is mapped to machine local 3 then it always will be. That's
      true for the current StackLayoutPhase but it _will not_ be true for all possible stack
      layout phases and it would be incorrect to assume that it should be true. This is why
      the current data structures have each VariableAccessData hold its own copy of the
      machine virtual register, and also have each InlineCallFrame report their own machine
      virtual registers for the various things. The DFG backend is likely to always use the
      dumb StackLayoutPhase since it is very cheap to run, but the FTL backend is likely to
      eventually get a better one, where we do some kind of constraint-based coloring: we
      institute constraints where some VariableAccessData's must have the same indices as some
      other ones, and also must be right next to some other ones; then we process all
      VariableAccessData's and attempt to assign them machine locals while preserving those
      constraints. This could lead to two VariableAccessDatas for the same bytecode local
      ending up with different machine locals.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::isCaptured):
      (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters):
      (JSC::CodeBlock::machineSlowArguments):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::hasSlowArguments):
      * bytecode/CodeOrigin.cpp:
      (JSC::CodeOrigin::dump):
      (JSC::InlineCallFrame::calleeForCallFrame):
      (JSC::InlineCallFrame::dumpInContext):
      * bytecode/CodeOrigin.h:
      (JSC::InlineCallFrame::InlineCallFrame):
      (JSC::InlineCallFrame::calleeConstant):
      * bytecode/Operands.h:
      (JSC::Operands::indexForOperand):
      * dfg/DFGBasicBlock.cpp:
      (JSC::DFG::BasicBlock::SSAData::SSAData):
      * dfg/DFGBasicBlock.h:
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::ByteCodeParser):
      (JSC::DFG::ByteCodeParser::get):
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::flushDirect):
      (JSC::DFG::ByteCodeParser::flush):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCommon.h:
      * dfg/DFGCommonData.h:
      (JSC::DFG::CommonData::CommonData):
      * dfg/DFGDesiredWriteBarriers.cpp:
      (JSC::DFG::DesiredWriteBarrier::trigger):
      * dfg/DFGDesiredWriteBarriers.h:
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      (JSC::DFG::FlushLivenessAnalysisPhase::run):
      (JSC::DFG::FlushLivenessAnalysisPhase::process):
      (JSC::DFG::FlushLivenessAnalysisPhase::reportError):
      * dfg/DFGFlushedAt.cpp: Added.
      (JSC::DFG::FlushedAt::dump):
      (JSC::DFG::FlushedAt::dumpInContext):
      * dfg/DFGFlushedAt.h: Added.
      (JSC::DFG::FlushedAt::FlushedAt):
      (JSC::DFG::FlushedAt::operator!):
      (JSC::DFG::FlushedAt::format):
      (JSC::DFG::FlushedAt::virtualRegister):
      (JSC::DFG::FlushedAt::operator==):
      (JSC::DFG::FlushedAt::operator!=):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::Graph):
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::bytecodeRegisterForArgument):
      (JSC::DFG::Graph::argumentsRegisterFor):
      (JSC::DFG::Graph::machineArgumentsRegisterFor):
      (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
      (JSC::DFG::Graph::activationRegister):
      (JSC::DFG::Graph::uncheckedActivationRegister):
      (JSC::DFG::Graph::machineActivationRegister):
      (JSC::DFG::Graph::uncheckedMachineActivationRegister):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToGetLocalUnlinked):
      (JSC::DFG::Node::convertToGetLocal):
      (JSC::DFG::Node::machineLocal):
      (JSC::DFG::Node::hasUnlinkedMachineLocal):
      (JSC::DFG::Node::setUnlinkedMachineLocal):
      (JSC::DFG::Node::unlinkedMachineLocal):
      (JSC::DFG::Node::hasInlineStartData):
      (JSC::DFG::Node::inlineStartData):
      * dfg/DFGNodeFlags.cpp:
      (JSC::DFG::dumpNodeFlags):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntry.h:
      (JSC::DFG::OSREntryReshuffling::OSREntryReshuffling):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompilerCommon.cpp:
      (JSC::DFG::reifyInlinedCallFrames):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPlan.cpp:
      (JSC::DFG::Plan::compileInThreadImpl):
      * dfg/DFGScoreBoard.h:
      (JSC::DFG::ScoreBoard::ScoreBoard):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      (JSC::DFG::SpeculativeJIT::createOSREntries):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
      (JSC::DFG::SpeculativeJIT::callFrameSlot):
      (JSC::DFG::SpeculativeJIT::argumentSlot):
      (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
      (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
      (JSC::DFG::SpeculativeJIT::argumentTagSlot):
      (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
      (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters):
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::recordSetLocal):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStackLayoutPhase.cpp: Added.
      (JSC::DFG::StackLayoutPhase::StackLayoutPhase):
      (JSC::DFG::StackLayoutPhase::run):
      (JSC::DFG::performStackLayout):
      * dfg/DFGStackLayoutPhase.h: Added.
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::validate):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::machineLocal):
      (JSC::DFG::VariableAccessData::flushedAt):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStack):
      (JSC::FTL::ExitValue::inJSStackAsInt32):
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      (JSC::FTL::ExitValue::inJSStackAsDouble):
      (JSC::FTL::ExitValue::virtualRegister):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
      (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      (JSC::FTL::ValueSource::ValueSource):
      (JSC::FTL::ValueSource::kind):
      (JSC::FTL::ValueSource::operator!):
      (JSC::FTL::ValueSource::node):
      (JSC::FTL::ValueSource::virtualRegister):
      * interpreter/Interpreter.cpp:
      (JSC::unwindCallFrame):
      * interpreter/StackVisitor.cpp:
      (JSC::StackVisitor::readInlinedFrame):
      (JSC::StackVisitor::Frame::createArguments):
      (JSC::StackVisitor::Frame::existingArguments):
      * interpreter/StackVisitor.h:
      * jit/AssemblyHelpers.h:
      (JSC::AssemblyHelpers::addressFor):
      (JSC::AssemblyHelpers::tagFor):
      (JSC::AssemblyHelpers::payloadFor):
      (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOff):
      * runtime/Arguments.h:
      (JSC::Arguments::allocateSlowArguments):
      (JSC::Arguments::tryDeleteArgument):
      (JSC::Arguments::isDeletedArgument):
      (JSC::Arguments::isArgument):
      (JSC::Arguments::argument):
      (JSC::Arguments::finishCreation):
      * runtime/JSActivation.h:
      (JSC::JSActivation::create):
      (JSC::JSActivation::JSActivation):
      * runtime/JSFunction.cpp:
      (JSC::RetrieveArgumentsFunctor::operator()):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156984 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a62d4829
  18. 28 Sep, 2013 1 commit
    • fpizlo@apple.com's avatar
      Get rid of SetMyScope/SetCallee; use normal variables for the scope and callee... · 48cdafdc
      fpizlo@apple.com authored
      Get rid of SetMyScope/SetCallee; use normal variables for the scope and callee of inlined call frames of closures
      https://bugs.webkit.org/show_bug.cgi?id=122047
      
      Reviewed by Oliver Hunt.
              
      Currently we have the DFG reserve space for inline call frames at exactly the same stack
      offsets that you would have gotten if the baseline interpreter/JIT had made the calls.
      We need to get rid of that. One of the weirder parts of this is that we have special DFG
      operations for accessing these inlined call frame headers. It's really hard for any
      analysis of DFG IR to see what the liveness of any of those frame header "variables" is;
      the liveness behaves like flushed arguments (it's all live until end of the inlinee) but
      we don't have anything like a Flush node for those special variables.
              
      This patch gets rid of the special operations for accessing inline call frame headers.
      GetMyScope and GetCallee still remain, and are only for accessing the machine call
      frame's scope/callee entries. The inline call frame's scope/callee now behave like
      normal variables, and have Flush behavior just like inline arguments.
      
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getDirect):
      (JSC::DFG::ByteCodeParser::get):
      (JSC::DFG::ByteCodeParser::setDirect):
      (JSC::DFG::ByteCodeParser::set):
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::flush):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::getScope):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getCalleeLoadElimination):
      (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNodeType.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156594 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      48cdafdc
  19. 26 Sep, 2013 4 commits
    • msaboff@apple.com's avatar
      VirtualRegister should be a class · 62aa8b77
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121732
      
      Reviewed by Geoffrey Garen.
      
      This is a refactoring change.  Changed VirtualRegister from an enum to a class.
      Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
      and the similar functions for locals to VirtualRegister class.
      
      This is in preparation for changing the offset for the first local register from
      0 to -1.  This is needed since most native calling conventions have the architected
      frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
      pointer.  Local values start below that address.
      
      * bytecode/CodeBlock.cpp:
      * bytecode/CodeBlock.h:
      * bytecode/Instruction.h:
      * bytecode/LazyOperandValueProfile.h:
      * bytecode/MethodOfGettingAValueProfile.cpp:
      * bytecode/Operands.h:
      * bytecode/UnlinkedCodeBlock.cpp:
      * bytecode/UnlinkedCodeBlock.h:
      * bytecode/ValueRecovery.h:
      * bytecode/VirtualRegister.h:
      * bytecompiler/BytecodeGenerator.cpp:
      * bytecompiler/BytecodeGenerator.h:
      * bytecompiler/RegisterID.h:
      * debugger/DebuggerCallFrame.cpp:
      * dfg/DFGAbstractHeap.h:
      * dfg/DFGAbstractInterpreterInlines.h:
      * dfg/DFGArgumentPosition.h:
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGCFGSimplificationPhase.cpp:
      * dfg/DFGCPSRethreadingPhase.cpp:
      * dfg/DFGCapabilities.cpp:
      * dfg/DFGConstantFoldingPhase.cpp:
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      * dfg/DFGGraph.cpp:
      * dfg/DFGGraph.h:
      * dfg/DFGJITCode.cpp:
      * dfg/DFGNode.h:
      * dfg/DFGOSREntry.cpp:
      * dfg/DFGOSREntrypointCreationPhase.cpp:
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      * dfg/DFGRegisterBank.h:
      * dfg/DFGScoreBoard.h:
      * dfg/DFGSpeculativeJIT.cpp:
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      * dfg/DFGSpeculativeJIT64.cpp:
      * dfg/DFGValidate.cpp:
      * dfg/DFGValueRecoveryOverride.h:
      * dfg/DFGVariableAccessData.h:
      * dfg/DFGVariableEvent.h:
      * dfg/DFGVariableEventStream.cpp:
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      * ftl/FTLExitArgumentForOperand.h:
      * ftl/FTLLink.cpp:
      * ftl/FTLLowerDFGToLLVM.cpp:
      * ftl/FTLOSREntry.cpp:
      * ftl/FTLOSRExit.cpp:
      * ftl/FTLOSRExit.h:
      * ftl/FTLOSRExitCompiler.cpp:
      * interpreter/CallFrame.h:
      * interpreter/Interpreter.cpp:
      * jit/AssemblyHelpers.h:
      * jit/JIT.h:
      * jit/JITCall.cpp:
      * jit/JITCall32_64.cpp:
      * jit/JITInlines.h:
      * jit/JITOpcodes.cpp:
      * jit/JITOpcodes32_64.cpp:
      * jit/JITPropertyAccess32_64.cpp:
      * jit/JITStubs.cpp:
      * llint/LLIntSlowPaths.cpp:
      * profiler/ProfilerBytecodeSequence.cpp:
      * runtime/CommonSlowPaths.cpp:
      * runtime/JSActivation.cpp:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156511 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      62aa8b77
    • commit-queue@webkit.org's avatar
      Unreviewed, rolling out r156474. · bf43ed96
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/156474
      https://bugs.webkit.org/show_bug.cgi?id=121966
      
      Broke the builds. (Requested by xenon on #webkit).
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::registerName):
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::createActivation):
      (JSC::CodeBlock::nameForRegister):
      * bytecode/CodeBlock.h:
      (JSC::unmodifiedArgumentsRegister):
      (JSC::CodeBlock::isKnownNotImmediate):
      (JSC::CodeBlock::setThisRegister):
      (JSC::CodeBlock::thisRegister):
      (JSC::CodeBlock::setArgumentsRegister):
      (JSC::CodeBlock::argumentsRegister):
      (JSC::CodeBlock::uncheckedArgumentsRegister):
      (JSC::CodeBlock::setActivationRegister):
      (JSC::CodeBlock::activationRegister):
      (JSC::CodeBlock::uncheckedActivationRegister):
      (JSC::CodeBlock::usesArguments):
      (JSC::CodeBlock::isCaptured):
      * bytecode/Instruction.h:
      * bytecode/LazyOperandValueProfile.h:
      (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
      (JSC::LazyOperandValueProfileKey::operator!):
      (JSC::LazyOperandValueProfileKey::hash):
      (JSC::LazyOperandValueProfileKey::operand):
      (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
      (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
      * bytecode/MethodOfGettingAValueProfile.cpp:
      (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
      (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
      * bytecode/Operands.h:
      (JSC::localToOperand):
      (JSC::operandIsLocal):
      (JSC::operandToLocal):
      (JSC::operandIsArgument):
      (JSC::operandToArgument):
      (JSC::argumentToOperand):
      (JSC::Operands::operand):
      (JSC::Operands::hasOperand):
      (JSC::Operands::setOperand):
      (JSC::Operands::operandForIndex):
      (JSC::Operands::setOperandFirstTime):
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC::UnlinkedCodeBlock::setThisRegister):
      (JSC::UnlinkedCodeBlock::setActivationRegister):
      (JSC::UnlinkedCodeBlock::setArgumentsRegister):
      (JSC::UnlinkedCodeBlock::usesArguments):
      (JSC::UnlinkedCodeBlock::argumentsRegister):
      (JSC::UnlinkedCodeBlock::usesGlobalObject):
      (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
      (JSC::UnlinkedCodeBlock::globalObjectRegister):
      (JSC::UnlinkedCodeBlock::thisRegister):
      (JSC::UnlinkedCodeBlock::activationRegister):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * bytecode/VirtualRegister.h:
      (WTF::printInternal):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::generate):
      (JSC::BytecodeGenerator::addVar):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
      (JSC::BytecodeGenerator::newRegister):
      (JSC::BytecodeGenerator::emitLoadGlobalObject):
      (JSC::BytecodeGenerator::emitGetArgumentsLength):
      (JSC::BytecodeGenerator::emitGetArgumentByVal):
      (JSC::BytecodeGenerator::createArgumentsIfNecessary):
      (JSC::BytecodeGenerator::emitReturn):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::BytecodeGenerator::registerFor):
      * bytecompiler/RegisterID.h:
      (JSC::RegisterID::RegisterID):
      (JSC::RegisterID::setIndex):
      (JSC::RegisterID::index):
      * debugger/DebuggerCallFrame.cpp:
      (JSC::DebuggerCallFrame::thisObject):
      * dfg/DFGAbstractHeap.h:
      (JSC::DFG::AbstractHeap::Payload::Payload):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      (JSC::DFG::::clobberCapturedVars):
      * dfg/DFGArgumentPosition.h:
      (JSC::DFG::ArgumentPosition::dump):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
      (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::newVariableAccessData):
      (JSC::DFG::ByteCodeParser::getDirect):
      (JSC::DFG::ByteCodeParser::get):
      (JSC::DFG::ByteCodeParser::setDirect):
      (JSC::DFG::ByteCodeParser::set):
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
      (JSC::DFG::ByteCodeParser::findArgumentPosition):
      (JSC::DFG::ByteCodeParser::flush):
      (JSC::DFG::ByteCodeParser::flushDirect):
      (JSC::DFG::ByteCodeParser::getToInt32):
      (JSC::DFG::ByteCodeParser::getThis):
      (JSC::DFG::ByteCodeParser::addCall):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::emitFunctionChecks):
      (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::handleMinMax):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCFGSimplificationPhase.cpp:
      * dfg/DFGCPSRethreadingPhase.cpp:
      (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::argumentsRegisterFor):
      (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
      (JSC::DFG::Graph::uncheckedActivationRegisterFor):
      (JSC::DFG::Graph::valueProfileFor):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (JSC::DFG::Node::convertToGetLocalUnlinked):
      (JSC::DFG::Node::hasVirtualRegister):
      (JSC::DFG::Node::virtualRegister):
      (JSC::DFG::Node::setVirtualRegister):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntrypointCreationPhase.cpp:
      (JSC::DFG::OSREntrypointCreationPhase::run):
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGRegisterBank.h:
      (JSC::DFG::RegisterBank::tryAllocate):
      (JSC::DFG::RegisterBank::allocateSpecific):
      (JSC::DFG::RegisterBank::retain):
      (JSC::DFG::RegisterBank::isInUse):
      (JSC::DFG::RegisterBank::dump):
      (JSC::DFG::RegisterBank::releaseAtIndex):
      (JSC::DFG::RegisterBank::allocateInternal):
      (JSC::DFG::RegisterBank::MapEntry::MapEntry):
      * dfg/DFGScoreBoard.h:
      (JSC::DFG::ScoreBoard::allocate):
      (JSC::DFG::ScoreBoard::use):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::checkConsistency):
      (JSC::DFG::SpeculativeJIT::compileMovHint):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::allocate):
      (JSC::DFG::SpeculativeJIT::fprAllocate):
      (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
      (JSC::DFG::SpeculativeJIT::flushRegisters):
      (JSC::DFG::SpeculativeJIT::isFlushed):
      (JSC::DFG::SpeculativeJIT::argumentSlot):
      (JSC::DFG::SpeculativeJIT::argumentTagSlot):
      (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
      (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
      (JSC::DFG::SpeculativeJIT::setNodeForOperand):
      (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
      (JSC::DFG::SpeculativeJIT::recordSetLocal):
      (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
      (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::validate):
      (JSC::DFG::Validate::validateCPS):
      (JSC::DFG::Validate::checkOperand):
      (JSC::DFG::Validate::reportValidationContext):
      * dfg/DFGValueRecoveryOverride.h:
      (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::operand):
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
      (JSC::DFG::VariableAccessData::flushFormat):
      * dfg/DFGVariableEvent.h:
      (JSC::DFG::VariableEvent::spill):
      (JSC::DFG::VariableEvent::setLocal):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * ftl/FTLExitArgumentForOperand.h:
      (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
      (JSC::FTL::ExitArgumentForOperand::operand):
      * ftl/FTLLink.cpp:
      (JSC::FTL::link):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
      (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
      (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (JSC::FTL::LowerDFGToLLVM::observeMovHint):
      (JSC::FTL::LowerDFGToLLVM::addressFor):
      (JSC::FTL::LowerDFGToLLVM::payloadFor):
      (JSC::FTL::LowerDFGToLLVM::tagFor):
      * ftl/FTLOSREntry.cpp:
      (JSC::FTL::prepareOSREntry):
      * ftl/FTLOSRExit.cpp:
      (JSC::FTL::OSRExit::convertToForward):
      * ftl/FTLOSRExit.h:
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * interpreter/CallFrame.h:
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::dumpRegisters):
      (JSC::unwindCallFrame):
      (JSC::Interpreter::unwind):
      * jit/AssemblyHelpers.h:
      (JSC::AssemblyHelpers::addressFor):
      (JSC::AssemblyHelpers::tagFor):
      (JSC::AssemblyHelpers::payloadFor):
      (JSC::AssemblyHelpers::argumentsRegisterFor):
      * jit/JIT.h:
      * jit/JITCall.cpp:
      (JSC::JIT::compileLoadVarargs):
      * jit/JITInlines.h:
      (JSC::JIT::emitGetVirtualRegister):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_tear_off_arguments):
      (JSC::JIT::emit_op_get_pnames):
      (JSC::JIT::emit_op_enter):
      (JSC::JIT::emit_op_create_arguments):
      (JSC::JIT::emitSlow_op_get_argument_by_val):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_enter):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * profiler/ProfilerBytecodeSequence.cpp:
      (JSC::Profiler::BytecodeSequence::BytecodeSequence):
      * runtime/CommonSlowPaths.cpp:
      (JSC::SLOW_PATH_DECL):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::argumentsGetter):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156482 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      bf43ed96
    • msaboff@apple.com's avatar
      VirtualRegister should be a class · 1796ad0f
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121732
      
      Reviewed by Geoffrey Garen.
      
      This is a refactoring change.  Changed VirtualRegister from an enum to a class.
      Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
      and the similar functions for locals to VirtualRegister class.
      
      This is in preparation for changing the offset for the first local register from
      0 to -1.  This is needed since most native calling conventions have the architected
      frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
      pointer.  Local values start below that address.
      
      * bytecode/CodeBlock.cpp:
      * bytecode/CodeBlock.h:
      * bytecode/Instruction.h:
      * bytecode/LazyOperandValueProfile.h:
      * bytecode/MethodOfGettingAValueProfile.cpp:
      * bytecode/Operands.h:
      * bytecode/UnlinkedCodeBlock.cpp:
      * bytecode/UnlinkedCodeBlock.h:
      * bytecode/ValueRecovery.h:
      * bytecode/VirtualRegister.h:
      * bytecompiler/BytecodeGenerator.cpp:
      * bytecompiler/BytecodeGenerator.h:
      * bytecompiler/RegisterID.h:
      * debugger/DebuggerCallFrame.cpp:
      * dfg/DFGAbstractHeap.h:
      * dfg/DFGAbstractInterpreterInlines.h:
      * dfg/DFGArgumentPosition.h:
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGCFGSimplificationPhase.cpp:
      * dfg/DFGCPSRethreadingPhase.cpp:
      * dfg/DFGCapabilities.cpp:
      * dfg/DFGConstantFoldingPhase.cpp:
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      * dfg/DFGGraph.cpp:
      * dfg/DFGGraph.h:
      * dfg/DFGJITCode.cpp:
      * dfg/DFGNode.h:
      * dfg/DFGOSREntry.cpp:
      * dfg/DFGOSREntrypointCreationPhase.cpp:
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      * dfg/DFGRegisterBank.h:
      * dfg/DFGScoreBoard.h:
      * dfg/DFGSpeculativeJIT.cpp:
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT64.cpp:
      * dfg/DFGValidate.cpp:
      * dfg/DFGValueRecoveryOverride.h:
      * dfg/DFGVariableAccessData.h:
      * dfg/DFGVariableEvent.h:
      * dfg/DFGVariableEventStream.cpp:
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      * ftl/FTLExitArgumentForOperand.h:
      * ftl/FTLLink.cpp:
      * ftl/FTLLowerDFGToLLVM.cpp:
      * ftl/FTLOSREntry.cpp:
      * ftl/FTLOSRExit.cpp:
      * ftl/FTLOSRExit.h:
      * ftl/FTLOSRExitCompiler.cpp:
      * interpreter/CallFrame.h:
      * interpreter/Interpreter.cpp:
      * jit/AssemblyHelpers.h:
      * jit/JIT.h:
      * jit/JITCall.cpp:
      * jit/JITInlines.h:
      * jit/JITOpcodes.cpp:
      * jit/JITOpcodes32_64.cpp:
      * jit/JITStubs.cpp:
      * llint/LLIntSlowPaths.cpp:
      * profiler/ProfilerBytecodeSequence.cpp:
      * runtime/CommonSlowPaths.cpp:
      * runtime/JSActivation.cpp:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156474 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1796ad0f
    • mhahnenberg@apple.com's avatar
      op_to_this shouldn't use value profiling · c5684714
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121920
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore:
      
      Currently it's the only opcode that uses m_singletonValue, which is unnecessary. Our current plan is
      to remove m_singletonValue so that GenGC can have a simpler story for handling CodeBlocks/FunctionExecutables
      during nursery collections.
      
      This patch adds an inline cache for the Structure of to_this so it no longer depends on the ValueProfile's
      m_singletonValue. Since nobody uses m_singletonValue now, this patch also removes m_singletonValue from
      ValueProfile.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::stronglyVisitStrongReferences):
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      (JSC::CodeBlock::updateAllValueProfilePredictions):
      (JSC::CodeBlock::updateAllPredictions):
      (JSC::CodeBlock::shouldOptimizeNow):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::updateAllValueProfilePredictions):
      (JSC::CodeBlock::updateAllPredictions):
      * bytecode/LazyOperandValueProfile.cpp:
      (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
      * bytecode/LazyOperandValueProfile.h:
      * bytecode/ValueProfile.h:
      (JSC::ValueProfileBase::ValueProfileBase):
      (JSC::ValueProfileBase::briefDescription):
      (JSC::ValueProfileBase::dump):
      (JSC::ValueProfileBase::computeUpdatedPrediction):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_to_this):
      (JSC::JIT::emitSlow_op_to_this):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_to_this):
      (JSC::JIT::emitSlow_op_to_this):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/CommonSlowPaths.cpp:
      (JSC::SLOW_PATH_DECL):
      
      LayoutTests:
      
      Updated a couple tests that waited for two DFG compiles, but with this patch we
      don't do two compiles any more, so we don't want to wait forever.
      
      * js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-other.js:
      * js/script-tests/dfg-convert-this-polymorphic-object-then-exit-on-string.js:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156468 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c5684714
  20. 25 Sep, 2013 1 commit
    • mhahnenberg@apple.com's avatar
      op_get_callee shouldn't use value profiling · 5f2e70b5
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121821
      
      Reviewed by Filip Pizlo.
      
      Source/JavaScriptCore: 
      
      Currently it's one of the two opcodes that uses m_singletonValue, which is unnecessary. 
      Our current plan is to remove m_singletonValue so that GenGC can have a simpler story 
      for handling CodeBlocks/FunctionExecutables during nursery collections.
      
      Instead of using a ValueProfile op_get_callee now has a simple inline cache of the most 
      recent JSFunction that we saw.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::finalizeUnconditionally):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitCreateThis):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_get_callee):
      (JSC::JIT::emitSlow_op_get_callee):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_get_callee):
      (JSC::JIT::emitSlow_op_get_callee):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/CommonSlowPaths.cpp:
      (JSC::SLOW_PATH_DECL):
      * runtime/CommonSlowPaths.h:
      
      LayoutTests: 
      
      Added two tests to make sure we didn't regress the performance of op_get_callee.
      
      * js/regress/get_callee_monomorphic-expected.txt: Added.
      * js/regress/get_callee_monomorphic.html: Added.
      * js/regress/get_callee_polymorphic-expected.txt: Added.
      * js/regress/get_callee_polymorphic.html: Added.
      * js/regress/script-tests/get_callee_monomorphic.js: Added.
      * js/regress/script-tests/get_callee_polymorphic.js: Added.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156376 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5f2e70b5
  21. 23 Sep, 2013 1 commit
    • fpizlo@apple.com's avatar
      Never use ReturnPC for exception handling and quit using exception check... · 48a7bc89
      fpizlo@apple.com authored
      Never use ReturnPC for exception handling and quit using exception check indices as a lame replica of the CodeOrigin index
      https://bugs.webkit.org/show_bug.cgi?id=121734
      
      Reviewed by Mark Hahnenberg.
              
      Exception handling can deduce where the exception was thrown from by looking at the
      code origin that was stored into the call frame header. There is no need to pass any
      additional meta-data into the exception throwing logic. But the DFG was still doing it
      anyway.
              
      This removes all of the logic to pass extra meta-data into lookupExceptionHandler()
      and friends. It simplifies a lot of code.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::codeOrigins):
      (JSC::CodeBlock::hasCodeOrigins):
      (JSC::CodeBlock::canGetCodeOrigin):
      (JSC::CodeBlock::codeOrigin):
      * bytecode/CodeOrigin.h:
      (JSC::InlineCallFrame::InlineCallFrame):
      * bytecode/InlineCallFrameSet.cpp: Added.
      (JSC::InlineCallFrameSet::InlineCallFrameSet):
      (JSC::InlineCallFrameSet::~InlineCallFrameSet):
      (JSC::InlineCallFrameSet::add):
      (JSC::InlineCallFrameSet::shrinkToFit):
      * bytecode/InlineCallFrameSet.h: Added.
      (JSC::InlineCallFrameSet::isEmpty):
      (JSC::InlineCallFrameSet::size):
      (JSC::InlineCallFrameSet::at):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCommonData.cpp:
      (JSC::DFG::CommonData::addCodeOrigin):
      (JSC::DFG::CommonData::shrinkToFit):
      * dfg/DFGCommonData.h:
      * dfg/DFGDesiredWriteBarriers.cpp:
      (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
      (JSC::DFG::DesiredWriteBarrier::trigger):
      * dfg/DFGDesiredWriteBarriers.h:
      (JSC::DFG::DesiredWriteBarriers::add):
      (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
      (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::Graph):
      * dfg/DFGGraph.h:
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::JITCompiler):
      (JSC::DFG::JITCompiler::compileExceptionHandlers):
      (JSC::DFG::JITCompiler::link):
      (JSC::DFG::JITCompiler::compileFunction):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
      (JSC::DFG::JITCompiler::exceptionCheck):
      (JSC::DFG::JITCompiler::fastExceptionCheck):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryBuildGetByIDList):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
      (JSC::DFG::SpeculativeJIT::appendCallSetResult):
      (JSC::DFG::SpeculativeJIT::appendCall):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::callPreflight):
      * jit/AssemblyHelpers.h:
      (JSC::AssemblyHelpers::emitExceptionCheck):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156300 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      48a7bc89
  22. 20 Sep, 2013 2 commits
    • fpizlo@apple.com's avatar
      Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them · cd8eb2c1
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121637
      
      Rubber stamped by Michael Saboff.
              
      Also moved GPRInfo/FPRInfo into jit/. Rolling back in after fixing JIT-only build
      and tests.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAssemblyHelpers.cpp: Removed.
      * dfg/DFGAssemblyHelpers.h: Removed.
      * dfg/DFGBinarySwitch.h:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGCCallHelpers.h: Removed.
      * dfg/DFGDisassembler.cpp:
      * dfg/DFGFPRInfo.h: Removed.
      * dfg/DFGGPRInfo.h: Removed.
      * dfg/DFGGraph.cpp:
      * dfg/DFGGraph.h:
      * dfg/DFGJITCompiler.h:
      * dfg/DFGOSRExit.cpp:
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler.h:
      * dfg/DFGOSRExitCompilerCommon.h:
      * dfg/DFGRegisterBank.h:
      * dfg/DFGRegisterSet.h:
      * dfg/DFGRepatch.cpp:
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGThunks.cpp:
      * dfg/DFGVariableEvent.cpp:
      * ftl/FTLCArgumentGetter.h:
      (JSC::FTL::CArgumentGetter::CArgumentGetter):
      (JSC::FTL::CArgumentGetter::loadNext8):
      (JSC::FTL::CArgumentGetter::loadNext32):
      (JSC::FTL::CArgumentGetter::loadNext64):
      (JSC::FTL::CArgumentGetter::loadNextPtr):
      (JSC::FTL::CArgumentGetter::loadNextDouble):
      * ftl/FTLCompile.cpp:
      * ftl/FTLExitThunkGenerator.h:
      * ftl/FTLLink.cpp:
      * ftl/FTLThunks.cpp:
      * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp.
      * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h.
      (JSC::AssemblyHelpers::AssemblyHelpers):
      (JSC::AssemblyHelpers::debugCall):
      * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h.
      * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h.
      (WTF::printInternal):
      * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h.
      (WTF::printInternal):
      * jit/JIT.cpp:
      (JSC::JIT::JIT):
      * jit/JIT.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      * jit/JSInterfaceJIT.h:
      (JSC::JSInterfaceJIT::JSInterfaceJIT):
      * jit/SpecializedThunkJIT.h:
      (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
      (JSC::SpecializedThunkJIT::finalize):
      * jit/ThunkGenerators.cpp:
      (JSC::linkForGenerator):
      (JSC::virtualForGenerator):
      (JSC::stringLengthTrampolineGenerator):
      (JSC::nativeForGenerator):
      (JSC::arityFixup):
      (JSC::charCodeAtThunkGenerator):
      (JSC::charAtThunkGenerator):
      (JSC::fromCharCodeThunkGenerator):
      (JSC::sqrtThunkGenerator):
      (JSC::floorThunkGenerator):
      (JSC::ceilThunkGenerator):
      (JSC::roundThunkGenerator):
      (JSC::expThunkGenerator):
      (JSC::logThunkGenerator):
      (JSC::absThunkGenerator):
      (JSC::powThunkGenerator):
      (JSC::imulThunkGenerator):
      * llint/LLIntThunks.cpp:
      (JSC::LLInt::generateThunkWithJumpTo):
      * runtime/JSCJSValue.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156184 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      cd8eb2c1
    • bfulgham@apple.com's avatar
      Unreviewed, rolling out r156120. · 63eba56c
      bfulgham@apple.com authored
      http://trac.webkit.org/changeset/156120
      https://bugs.webkit.org/show_bug.cgi?id=121651
      
      Broke windows runtime and all tests (Requested by bfulgham on
      #webkit).
      
      Patch by Commit Queue <commit-queue@webkit.org> on 2013-09-19
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAssemblyHelpers.cpp: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.cpp.
      (JSC::DFG::AssemblyHelpers::executableFor):
      (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
      (JSC::DFG::AssemblyHelpers::setSamplingFlag):
      (JSC::DFG::AssemblyHelpers::clearSamplingFlag):
      (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
      (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
      (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
      (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
      (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
      (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
      * dfg/DFGAssemblyHelpers.h: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.h.
      (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
      (JSC::DFG::AssemblyHelpers::codeBlock):
      (JSC::DFG::AssemblyHelpers::vm):
      (JSC::DFG::AssemblyHelpers::assembler):
      (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
      (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
      (JSC::DFG::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
      (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
      (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader):
      (JSC::DFG::AssemblyHelpers::branchIfNotCell):
      (JSC::DFG::AssemblyHelpers::addressFor):
      (JSC::DFG::AssemblyHelpers::tagFor):
      (JSC::DFG::AssemblyHelpers::payloadFor):
      (JSC::DFG::AssemblyHelpers::branchIfNotObject):
      (JSC::DFG::AssemblyHelpers::selectScratchGPR):
      (JSC::DFG::AssemblyHelpers::debugCall):
      (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
      (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
      (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
      (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
      (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
      (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
      (JSC::DFG::AssemblyHelpers::boxDouble):
      (JSC::DFG::AssemblyHelpers::unboxDouble):
      (JSC::DFG::AssemblyHelpers::boxInt52):
      (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
      (JSC::DFG::AssemblyHelpers::emitCount):
      (JSC::DFG::AssemblyHelpers::globalObjectFor):
      (JSC::DFG::AssemblyHelpers::strictModeFor):
      (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
      (JSC::DFG::AssemblyHelpers::baselineCodeBlock):
      (JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
      (JSC::DFG::AssemblyHelpers::symbolTableFor):
      (JSC::DFG::AssemblyHelpers::offsetOfLocals):
      (JSC::DFG::AssemblyHelpers::offsetOfArgumentsIncludingThis):
      * dfg/DFGBinarySwitch.h:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGCCallHelpers.h: Renamed from Source/JavaScriptCore/jit/CCallHelpers.h.
      (JSC::DFG::CCallHelpers::CCallHelpers):
      (JSC::DFG::CCallHelpers::resetCallArguments):
      (JSC::DFG::CCallHelpers::addCallArgument):
      (JSC::DFG::CCallHelpers::setupArguments):
      (JSC::DFG::CCallHelpers::setupArgumentsExecState):
      (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
      (JSC::DFG::CCallHelpers::setupTwoStubArgs):
      (JSC::DFG::CCallHelpers::setupStubArguments):
      (JSC::DFG::CCallHelpers::setupResults):
      * dfg/DFGDisassembler.cpp:
      * dfg/DFGFPRInfo.h: Renamed from Source/JavaScriptCore/jit/FPRInfo.h.
      (JSC::DFG::FPRInfo::toRegister):
      (JSC::DFG::FPRInfo::toIndex):
      (JSC::DFG::FPRInfo::toArgumentRegister):
      (JSC::DFG::FPRInfo::debugName):
      * dfg/DFGGPRInfo.h: Renamed from Source/JavaScriptCore/jit/GPRInfo.h.
      (JSC::DFG::JSValueRegs::JSValueRegs):
      (JSC::DFG::JSValueRegs::payloadOnly):
      (JSC::DFG::JSValueRegs::operator!):
      (JSC::DFG::JSValueRegs::gpr):
      (JSC::DFG::JSValueRegs::payloadGPR):
      (JSC::DFG::JSValueSource::JSValueSource):
      (JSC::DFG::JSValueSource::unboxedCell):
      (JSC::DFG::JSValueSource::operator!):
      (JSC::DFG::JSValueSource::isAddress):
      (JSC::DFG::JSValueSource::offset):
      (JSC::DFG::JSValueSource::base):
      (JSC::DFG::JSValueSource::gpr):
      (JSC::DFG::JSValueSource::asAddress):
      (JSC::DFG::JSValueSource::notAddress):
      (JSC::DFG::JSValueRegs::tagGPR):
      (JSC::DFG::JSValueSource::tagGPR):
      (JSC::DFG::JSValueSource::payloadGPR):
      (JSC::DFG::JSValueSource::hasKnownTag):
      (JSC::DFG::JSValueSource::tag):
      (JSC::DFG::GPRInfo::toRegister):
      (JSC::DFG::GPRInfo::toIndex):
      (JSC::DFG::GPRInfo::debugName):
      (JSC::DFG::GPRInfo::toArgumentRegister):
      * dfg/DFGGraph.cpp:
      * dfg/DFGGraph.h:
      * dfg/DFGJITCompiler.h:
      * dfg/DFGOSRExit.cpp:
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler.h:
      * dfg/DFGOSRExitCompilerCommon.h:
      * dfg/DFGRegisterBank.h:
      * dfg/DFGRegisterSet.h:
      * dfg/DFGRepatch.cpp:
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGThunks.cpp:
      * dfg/DFGVariableEvent.cpp:
      * ftl/FTLCArgumentGetter.h:
      (JSC::FTL::CArgumentGetter::CArgumentGetter):
      (JSC::FTL::CArgumentGetter::loadNext8):
      (JSC::FTL::CArgumentGetter::loadNext32):
      (JSC::FTL::CArgumentGetter::loadNext64):
      (JSC::FTL::CArgumentGetter::loadNextPtr):
      (JSC::FTL::CArgumentGetter::loadNextDouble):
      * ftl/FTLCompile.cpp:
      * ftl/FTLExitThunkGenerator.h:
      * ftl/FTLLink.cpp:
      * ftl/FTLThunks.cpp:
      * jit/JIT.cpp:
      (JSC::JIT::JIT):
      * jit/JIT.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      * jit/JSInterfaceJIT.h:
      (JSC::JSInterfaceJIT::preserveReturnAddressAfterCall):
      (JSC::JSInterfaceJIT::restoreReturnAddressBeforeReturn):
      * jit/SpecializedThunkJIT.h:
      (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
      (JSC::SpecializedThunkJIT::finalize):
      * jit/ThunkGenerators.cpp:
      (JSC::linkForGenerator):
      (JSC::virtualForGenerator):
      (JSC::stringLengthTrampolineGenerator):
      (JSC::nativeForGenerator):
      (JSC::arityFixup):
      (JSC::charCodeAtThunkGenerator):
      (JSC::charAtThunkGenerator):
      (JSC::fromCharCodeThunkGenerator):
      (JSC::sqrtThunkGenerator):
      (JSC::floorThunkGenerator):
      (JSC::ceilThunkGenerator):
      (JSC::roundThunkGenerator):
      (JSC::expThunkGenerator):
      (JSC::logThunkGenerator):
      (JSC::absThunkGenerator):
      (JSC::powThunkGenerator):
      (JSC::imulThunkGenerator):
      * llint/LLIntThunks.cpp:
      (JSC::LLInt::generateThunkWithJumpTo):
      * runtime/JSCJSValue.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156136 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      63eba56c
  23. 19 Sep, 2013 2 commits
    • fpizlo@apple.com's avatar
      Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them · 620acab5
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121637
      
      Rubber stamped by Michael Saboff.
              
      Also moved GPRInfo/FPRInfo into jit/.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAssemblyHelpers.cpp: Removed.
      * dfg/DFGAssemblyHelpers.h: Removed.
      * dfg/DFGBinarySwitch.h:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGCCallHelpers.h: Removed.
      * dfg/DFGDisassembler.cpp:
      * dfg/DFGFPRInfo.h: Removed.
      * dfg/DFGGPRInfo.h: Removed.
      * dfg/DFGGraph.cpp:
      * dfg/DFGGraph.h:
      * dfg/DFGJITCompiler.h:
      * dfg/DFGOSRExit.cpp:
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler.h:
      * dfg/DFGOSRExitCompilerCommon.h:
      * dfg/DFGRegisterBank.h:
      * dfg/DFGRegisterSet.h:
      * dfg/DFGRepatch.cpp:
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGThunks.cpp:
      * dfg/DFGVariableEvent.cpp:
      * ftl/FTLCArgumentGetter.h:
      (JSC::FTL::CArgumentGetter::CArgumentGetter):
      (JSC::FTL::CArgumentGetter::loadNext8):
      (JSC::FTL::CArgumentGetter::loadNext32):
      (JSC::FTL::CArgumentGetter::loadNext64):
      (JSC::FTL::CArgumentGetter::loadNextPtr):
      (JSC::FTL::CArgumentGetter::loadNextDouble):
      * ftl/FTLCompile.cpp:
      * ftl/FTLExitThunkGenerator.h:
      * ftl/FTLLink.cpp:
      * ftl/FTLThunks.cpp:
      * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp.
      * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h.
      (JSC::AssemblyHelpers::AssemblyHelpers):
      (JSC::AssemblyHelpers::debugCall):
      * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h.
      * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h.
      (WTF::printInternal):
      * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h.
      (WTF::printInternal):
      * jit/JIT.cpp:
      (JSC::JIT::JIT):
      * jit/JIT.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      * jit/JSInterfaceJIT.h:
      (JSC::JSInterfaceJIT::JSInterfaceJIT):
      * jit/SpecializedThunkJIT.h:
      (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
      (JSC::SpecializedThunkJIT::finalize):
      * jit/ThunkGenerators.cpp:
      (JSC::linkForGenerator):
      (JSC::virtualForGenerator):
      (JSC::stringLengthTrampolineGenerator):
      (JSC::nativeForGenerator):
      (JSC::arityFixup):
      (JSC::charCodeAtThunkGenerator):
      (JSC::charAtThunkGenerator):
      (JSC::fromCharCodeThunkGenerator):
      (JSC::sqrtThunkGenerator):
      (JSC::floorThunkGenerator):
      (JSC::ceilThunkGenerator):
      (JSC::roundThunkGenerator):
      (JSC::expThunkGenerator):
      (JSC::logThunkGenerator):
      (JSC::absThunkGenerator):
      (JSC::powThunkGenerator):
      (JSC::imulThunkGenerator):
      * llint/LLIntThunks.cpp:
      (JSC::LLInt::generateThunkWithJumpTo):
      * runtime/JSCJSValue.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156120 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      620acab5
    • weinig@apple.com's avatar
      Replace use of OwnArrayPtr<Foo> with std::unique_ptr<Foo[]> in JavaScriptCore · 5c4dbc40
      weinig@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121583
      
      Reviewed by Anders Carlsson.
      
      * API/JSStringRefCF.cpp:
      (JSStringCreateWithCFString):
      * API/JSStringRefQt.cpp:
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGDisassembler.cpp:
      (JSC::DFG::Disassembler::dumpDisassembly):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOff):
      * runtime/Arguments.h:
      (JSC::Arguments::isTornOff):
      (JSC::Arguments::allocateSlowArguments):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
      * runtime/JSPropertyNameIterator.h:
      * runtime/JSSegmentedVariableObject.h:
      * runtime/JSVariableObject.h:
      * runtime/PropertyNameArray.h:
      * runtime/RegExp.cpp:
      * runtime/StructureChain.h:
      (JSC::StructureChain::finishCreation):
      * runtime/SymbolTable.h:
      (JSC::SharedSymbolTable::setSlowArguments):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156079 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5c4dbc40
  24. 18 Sep, 2013 3 commits
    • fpizlo@apple.com's avatar
      DFG should support Int52 for local variables · 6921b29b
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121064
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
      programs that have local int32 overflows but where a larger int representation can
      prevent us from having to convert all the way up to double.
              
      It's a small speed-up for now. But we're just supporting Int52 for a handful of
      operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
      the groundwork for adding Int52 to JSValue, which will probably be a bigger
      speed-up.
              
      The basic approach is:
              
      - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
        or HeapTop - i.e. it doesn't arise from JSValues.
              
      - DFG treats Int52 as being part of its FullTop and will treat it as being a
        subtype of double unless instructed otherwise.
              
      - Prediction propagator creates Int52s whenever we have a node going doubly but due
        to large values rather than fractional values, and that node is known to be able
        to produce Int52 natively in the DFG backend.
              
      - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
        to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
        input.
              
      - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
        are left-shifted by 16 (great for overflow checks) and ones that are
        sign-extended. Both backends know how to convert between Int52s and the other
        representations.
      
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::rshift64):
      (JSC::MacroAssemblerX86_64::mul64):
      (JSC::MacroAssemblerX86_64::branchMul64):
      (JSC::MacroAssemblerX86_64::branchNeg64):
      (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::imulq_rr):
      (JSC::X86Assembler::cvtsi2sdq_rr):
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isInt52Speculation):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isInt52AsDoubleSpeculation):
      (JSC::isBytecodeRealNumberSpeculation):
      (JSC::isFullRealNumberSpeculation):
      (JSC::isBytecodeNumberSpeculation):
      (JSC::isFullNumberSpeculation):
      (JSC::isBytecodeNumberSpeculationExpectingDefined):
      (JSC::isFullNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::couldBeType):
      (JSC::DFG::AbstractValue::isType):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::boxInt52):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      (JSC::DFG::enableInt52):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::fixupBlock):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt52):
      (JSC::DFG::GenerationInfo::initStrictInt52):
      (JSC::DFG::GenerationInfo::isFormat):
      (JSC::DFG::GenerationInfo::isInt52):
      (JSC::DFG::GenerationInfo::isStrictInt52):
      (JSC::DFG::GenerationInfo::fillInt52):
      (JSC::DFG::GenerationInfo::fillStrictInt52):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      (JSC::DFG::Node::canSpeculateInt52):
      * dfg/DFGNodeFlags.h:
      (JSC::DFG::nodeCanSpeculateInt52):
      * dfg/DFGNodeType.h:
      (JSC::DFG::permitsOSRBackwardRewiring):
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntry.h:
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateMachineInt):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int52Result):
      (JSC::DFG::SpeculativeJIT::strictInt52Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
      (JSC::DFG::SpeculativeJIT::generationInfo):
      (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::edge):
      (JSC::DFG::SpeculateInt52Operand::node):
      (JSC::DFG::SpeculateInt52Operand::gpr):
      (JSC::DFG::SpeculateInt52Operand::use):
      (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::edge):
      (JSC::DFG::SpeculateStrictInt52Operand::node):
      (JSC::DFG::SpeculateStrictInt52Operand::gpr):
      (JSC::DFG::SpeculateStrictInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
      (JSC::DFG::SpeculateWhicheverInt52Operand::node):
      (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
      (JSC::DFG::SpeculateWhicheverInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::format):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::boxInt52):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileInt52Compare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowInt52):
      (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
      (JSC::FTL::LowerDFGToLLVM::opposite):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
      (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
      (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt52):
      (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::addWithOverflow64):
      (JSC::FTL::Output::subWithOverflow64):
      (JSC::FTL::Output::mulWithOverflow64):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      (JSC::Register::unboxedInt52):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::isMachineInt):
      (JSC::JSValue::asMachineInt):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * wtf/PrintStream.h:
      (WTF::ValueIgnoringContext::ValueIgnoringContext):
      (WTF::ValueIgnoringContext::dump):
      (WTF::ignoringContext):
      
      Tools: 
      
      Reviewed by Oliver Hunt.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * js/dfg-int-overflow-large-constants-in-a-line-expected.txt:
      * js/regress/large-int-captured-expected.txt: Added.
      * js/regress/large-int-captured.html: Added.
      * js/regress/large-int-expected.txt: Added.
      * js/regress/large-int-neg-expected.txt: Added.
      * js/regress/large-int-neg.html: Added.
      * js/regress/large-int.html: Added.
      * js/regress/marsaglia-larger-ints-expected.txt: Added.
      * js/regress/marsaglia-larger-ints.html: Added.
      * js/regress/script-tests/large-int-captured.js: Added.
      (.bar):
      (foo):
      * js/regress/script-tests/large-int-neg.js: Added.
      (foo):
      * js/regress/script-tests/large-int.js: Added.
      (foo):
      * js/regress/script-tests/marsaglia-larger-ints.js: Added.
      (uint):
      (marsaglia):
      * js/script-tests/dfg-int-overflow-large-constants-in-a-line.js:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156047 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6921b29b
    • commit-queue@webkit.org's avatar
      Unreviewed, rolling out r156019 and r156020. · 92c67000
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/156019
      http://trac.webkit.org/changeset/156020
      https://bugs.webkit.org/show_bug.cgi?id=121540
      
      Broke tests (Requested by ap on #webkit).
      
      Source/JavaScriptCore:
      
      * assembler/MacroAssemblerX86_64.h:
      * assembler/X86Assembler.h:
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isInt48Speculation):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isInt48AsDoubleSpeculation):
      (JSC::isRealNumberSpeculation):
      (JSC::isNumberSpeculation):
      (JSC::isNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::unboxDouble):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::canonicalize):
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt32):
      (JSC::DFG::GenerationInfo::fillInt32):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      (JSC::DFG::Node::canSpeculateInt48):
      * dfg/DFGNodeFlags.h:
      (JSC::DFG::nodeCanSpeculateInt48):
      * dfg/DFGNodeType.h:
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSRExitCompiler.cpp:
      (JSC::DFG::shortOperandsDump):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::boxDouble):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int32Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt32):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::mulWithOverflow32):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      
      Source/WTF:
      
      * wtf/PrintStream.h:
      
      Tools:
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests:
      
      * js/regress/large-int-captured-expected.txt: Removed.
      * js/regress/large-int-captured.html: Removed.
      * js/regress/large-int-expected.txt: Removed.
      * js/regress/large-int-neg-expected.txt: Removed.
      * js/regress/large-int-neg.html: Removed.
      * js/regress/large-int.html: Removed.
      * js/regress/marsaglia-larger-ints-expected.txt: Removed.
      * js/regress/marsaglia-larger-ints.html: Removed.
      * js/regress/script-tests/large-int-captured.js: Removed.
      * js/regress/script-tests/large-int-neg.js: Removed.
      * js/regress/script-tests/large-int.js: Removed.
      * js/regress/script-tests/marsaglia-larger-ints.js: Removed.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      92c67000
    • fpizlo@apple.com's avatar
      DFG should support Int52 for local variables · 4c466ec6
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121064
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
      programs that have local int32 overflows but where a larger int representation can
      prevent us from having to convert all the way up to double.
              
      It's a small speed-up for now. But we're just supporting Int52 for a handful of
      operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
      the groundwork for adding Int52 to JSValue, which will probably be a bigger
      speed-up.
              
      The basic approach is:
              
      - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
        or HeapTop - i.e. it doesn't arise from JSValues.
              
      - DFG treats Int52 as being part of its FullTop and will treat it as being a
        subtype of double unless instructed otherwise.
              
      - Prediction propagator creates Int52s whenever we have a node going doubly but due
        to large values rather than fractional values, and that node is known to be able
        to produce Int52 natively in the DFG backend.
              
      - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
        to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
        input.
              
      - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
        are left-shifted by 16 (great for overflow checks) and ones that are
        sign-extended. Both backends know how to convert between Int52s and the other
        representations.
      
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::rshift64):
      (JSC::MacroAssemblerX86_64::mul64):
      (JSC::MacroAssemblerX86_64::branchMul64):
      (JSC::MacroAssemblerX86_64::branchNeg64):
      (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::imulq_rr):
      (JSC::X86Assembler::cvtsi2sdq_rr):
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isBytecodeRealNumberSpeculation):
      (JSC::isFullRealNumberSpeculation):
      (JSC::isBytecodeNumberSpeculation):
      (JSC::isFullNumberSpeculation):
      (JSC::isBytecodeNumberSpeculationExpectingDefined):
      (JSC::isFullNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::couldBeType):
      (JSC::DFG::AbstractValue::isType):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::boxInt52):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      (JSC::DFG::enableInt52):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt52):
      (JSC::DFG::GenerationInfo::initStrictInt52):
      (JSC::DFG::GenerationInfo::isFormat):
      (JSC::DFG::GenerationInfo::isInt52):
      (JSC::DFG::GenerationInfo::isStrictInt52):
      (JSC::DFG::GenerationInfo::fillInt52):
      (JSC::DFG::GenerationInfo::fillStrictInt52):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      * dfg/DFGNodeFlags.h:
      * dfg/DFGNodeType.h:
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateMachineInt):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int52Result):
      (JSC::DFG::SpeculativeJIT::strictInt52Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
      (JSC::DFG::SpeculativeJIT::generationInfo):
      (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::edge):
      (JSC::DFG::SpeculateInt52Operand::node):
      (JSC::DFG::SpeculateInt52Operand::gpr):
      (JSC::DFG::SpeculateInt52Operand::use):
      (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::edge):
      (JSC::DFG::SpeculateStrictInt52Operand::node):
      (JSC::DFG::SpeculateStrictInt52Operand::gpr):
      (JSC::DFG::SpeculateStrictInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
      (JSC::DFG::SpeculateWhicheverInt52Operand::node):
      (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
      (JSC::DFG::SpeculateWhicheverInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::format):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::boxInt52):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileInt52Compare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowInt52):
      (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
      (JSC::FTL::LowerDFGToLLVM::opposite):
      (JSC::FTL::LowerDFGToLLVM::Int52s::operator[]):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s):
      (JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
      (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
      (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt52):
      (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::addWithOverflow64):
      (JSC::FTL::Output::subWithOverflow64):
      (JSC::FTL::Output::mulWithOverflow64):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      (JSC::Register::unboxedInt52):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::isMachineInt):
      (JSC::JSValue::asMachineInt):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * wtf/PrintStream.h:
      (WTF::ValueIgnoringContext::ValueIgnoringContext):
      (WTF::ValueIgnoringContext::dump):
      (WTF::ignoringContext):
      
      Tools: 
      
      Reviewed by Oliver Hunt.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * js/regress/large-int-captured-expected.txt: Added.
      * js/regress/large-int-captured.html: Added.
      * js/regress/large-int-expected.txt: Added.
      * js/regress/large-int-neg-expected.txt: Added.
      * js/regress/large-int-neg.html: Added.
      * js/regress/large-int.html: Added.
      * js/regress/marsaglia-larger-ints-expected.txt: Added.
      * js/regress/marsaglia-larger-ints.html: Added.
      * js/regress/script-tests/large-int-captured.js: Added.
      (.bar):
      (foo):
      * js/regress/script-tests/large-int-neg.js: Added.
      (foo):
      * js/regress/script-tests/large-int.js: Added.
      (foo):
      * js/regress/script-tests/marsaglia-larger-ints.js: Added.
      (uint):
      (marsaglia):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156019 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4c466ec6
  25. 17 Sep, 2013 1 commit
  26. 13 Sep, 2013 2 commits
    • andersca@apple.com's avatar
      Use nullptr instead of 0 in calls to HashMap::add · b9b4add1
      andersca@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121322
      
      Reviewed by Sam Weinig.
      
      Source/JavaScriptCore:
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitLoad):
      (JSC::BytecodeGenerator::addStringConstant):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::cellConstant):
      
      Source/WebCore:
      
      * bridge/IdentifierRep.cpp:
      (WebCore::IdentifierRep::get):
      * css/CSSFontFaceSource.cpp:
      (WebCore::CSSFontFaceSource::getFontData):
      * css/CSSFontSelector.cpp:
      (WebCore::CSSFontSelector::getFontFace):
      * css/CSSSegmentedFontFace.cpp:
      (WebCore::CSSSegmentedFontFace::getFontData):
      * css/CSSValuePool.cpp:
      (WebCore::CSSValuePool::createFontFamilyValue):
      (WebCore::CSSValuePool::createFontFaceValue):
      * dom/ChildListMutationScope.cpp:
      (WebCore::ChildListMutationAccumulator::getOrCreate):
      * dom/Document.cpp:
      (WebCore::Document::getCSSCanvasElement):
      * dom/NodeRareData.h:
      (WebCore::NodeListsNodeData::addCacheWithAtomicName):
      (WebCore::NodeListsNodeData::addCacheWithName):
      (WebCore::NodeListsNodeData::addCacheWithQualifiedName):
      * loader/appcache/ApplicationCacheStorage.cpp:
      (WebCore::ApplicationCacheStorage::findOrCreateCacheGroup):
      * page/PageGroup.cpp:
      (WebCore::PageGroup::pageGroup):
      * page/animation/AnimationController.cpp:
      (WebCore::AnimationControllerPrivate::ensureCompositeAnimation):
      * platform/mac/ScrollbarThemeMac.mm:
      (WebCore::ScrollbarThemeMac::registerScrollbar):
      * storage/StorageNamespaceImpl.cpp:
      (WebCore::StorageNamespaceImpl::localStorageNamespace):
      
      Source/WebKit/mac:
      
      * Plugins/Hosted/NetscapePluginHostManager.mm:
      (WebKit::NetscapePluginHostManager::hostForPlugin):
      
      Source/WebKit2:
      
      * Platform/CoreIPC/Connection.cpp:
      (CoreIPC::Connection::SyncMessageState::getOrCreate):
      * UIProcess/Storage/StorageManager.cpp:
      (WebKit::StorageManager::createLocalStorageMap):
      (WebKit::StorageManager::createSessionStorageMap):
      (WebKit::StorageManager::getOrCreateLocalStorageNamespace):
      * UIProcess/WebProcessProxy.cpp:
      (WebKit::WebProcessProxy::addBackForwardItem):
      * WebProcess/InjectedBundle/DOM/InjectedBundleNodeHandle.cpp:
      (WebKit::InjectedBundleNodeHandle::getOrCreate):
      * WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp:
      (WebKit::InjectedBundleRangeHandle::getOrCreate):
      * WebProcess/Storage/StorageNamespaceImpl.cpp:
      (WebKit::StorageNamespaceImpl::createLocalStorageNamespace):
      * WebProcess/WebProcess.cpp:
      (WebKit::WebProcess::createWebPage):
      (WebKit::WebProcess::webPageGroup):
      
      Tools:
      
      * DumpRenderTree/mac/TestRunnerMac.mm:
      (TestRunner::evaluateScriptInIsolatedWorld):
      * WebKitTestRunner/InjectedBundle/TestRunner.cpp:
      (WTR::TestRunner::evaluateScriptInIsolatedWorld):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155729 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b9b4add1
    • msaboff@apple.com's avatar
      fourthTier: Change JSStack to grow from high to low addresses · b70e41bc
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118758
      
      Reviewed by Oliver Hunt.
      
      Changed the JSC stack to grow down.  Effectively the JSC stack frame is flipped from
      what it was.  See JSStack.h for the new offsets.  Changed JSStack begin() and end()
      to be getBaseOfStack() and getLimitOfStack().  Most of the changes are address or offset
      calculation changes.  Decoupled a local register ordinal (loop variable or array index)
      from the offset into the callFrame using localToOperand() and the inverse operandToLocal().
      
      * assembler/MacroAssembler.h:
      (JSC::MacroAssembler::trustedImm32ForShift):
      (JSC::MacroAssembler::lshiftPtr): Added to create scaled addresses with a negative index
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::lshift64): Added to create scaled addresses with a negative index
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::shlq_i8r): Added to create scaled addresses with a negative index
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode):
      * bytecode/CodeBlock.h:
      (JSC::unmodifiedArgumentsRegister):
      (JSC::CodeBlock::isCaptured):
      * bytecode/CodeOrigin.h:
      (JSC::CodeOrigin::stackOffset):
      * bytecode/Operands.h:
      (JSC::localToOperand):
      (JSC::operandIsLocal):
      (JSC::operandToLocal):
      (JSC::operandIsArgument):
      (JSC::operandToArgument):
      (JSC::argumentToOperand):
      * bytecode/VirtualRegister.h: Made InvalidVirtualRegister a positive value that fits in
      31 bits since it can be placed into the 31 bit field "stackOffset" in struct InlineCallFrame.
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::addVar):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
      (JSC::BytecodeGenerator::newRegister):
      (JSC::BytecodeGenerator::emitNewArray):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::CallArguments::registerOffset):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::CallArguments::CallArguments):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
      (JSC::DFG::ByteCodeParser::addCall):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::compileFunction):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGScoreBoard.h:
      (JSC::DFG::ScoreBoard::allocate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callFrameSlot):
      (JSC::DFG::SpeculativeJIT::argumentSlot):
      (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
      (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
      (JSC::DFG::SpeculativeJIT::argumentTagSlot):
      (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::reportValidationContext):
      * ftl/FTLLink.cpp:
      (JSC::FTL::link):
      * heap/ConservativeRoots.cpp:
      (JSC::ConservativeRoots::genericAddSpan):
      * interpreter/CallFrame.cpp:
      (JSC::CallFrame::frameExtentInternal):
      * interpreter/CallFrame.h:
      (JSC::ExecState::init):
      (JSC::ExecState::argumentOffset):
      (JSC::ExecState::argumentOffsetIncludingThis):
      (JSC::ExecState::argIndexForRegister):
      * interpreter/Interpreter.cpp:
      (JSC::loadVarargs):
      (JSC::Interpreter::dumpRegisters):
      * interpreter/JSStack.cpp:
      (JSC::JSStack::JSStack):
      (JSC::JSStack::~JSStack):
      (JSC::JSStack::growSlowCase):
      (JSC::JSStack::gatherConservativeRoots):
      (JSC::JSStack::releaseExcessCapacity):
      (JSC::JSStack::disableErrorStackReserve):
      * interpreter/JSStack.h:
      (JSC::JSStack::getBaseOfStack):
      (JSC::JSStack::getLimitOfStack):
      (JSC::JSStack::size):
      (JSC::JSStack::end):
      (JSC::JSStack::containsAddress):
      (JSC::JSStack::lowAddress):
      (JSC::JSStack::highAddress):
      (JSC::JSStack::reservationEnd):
      (JSC::JSStack::shrink):
      (JSC::JSStack::grow):
      * interpreter/JSStackInlines.h:
      (JSC::JSStack::getTopOfFrame):
      (JSC::JSStack::pushFrame):
      (JSC::JSStack::popFrame):
      (JSC::JSStack::installTrapsAfterFrame):
      * interpreter/StackVisitor.cpp:
      (JSC::inlinedFrameOffset):
      (JSC::StackVisitor::readInlinedFrame):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompile):
      * jit/JITCall.cpp:
      (JSC::JIT::compileLoadVarargs):
      (JSC::JIT::compileOpCall):
      * jit/JITCall32_64.cpp:
      (JSC::JIT::compileLoadVarargs):
      (JSC::JIT::compileOpCall):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_create_activation):
      (JSC::JIT::emit_op_get_argument_by_val):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_get_argument_by_val):
      * jit/JITStubs.cpp:
      (JSC::throwExceptionFromOpCall):
      (JSC::DEFINE_STUB_FUNCTION):
      * jit/ThunkGenerators.cpp:
      (JSC::arityFixup):
      * llint/LLIntData.cpp:
      (JSC::LLInt::Data::performAssertions):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      (JSC::LLInt::genericCall):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/ArgList.cpp:
      (JSC::ArgList::getSlice):
      (JSC::MarkedArgumentBuffer::slowAppend):
      * runtime/ArgList.h:
      (JSC::MarkedArgumentBuffer::MarkedArgumentBuffer):
      (JSC::MarkedArgumentBuffer::slotFor):
      (JSC::MarkedArgumentBuffer::mallocBase):
      (JSC::ArgList::at):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOff):
      * runtime/ArrayConstructor.cpp:
      (JSC::constructArrayWithSizeQuirk):
      * runtime/CommonSlowPaths.cpp:
      (JSC::SLOW_PATH_DECL):
      * runtime/JSActivation.h:
      (JSC::JSActivation::registersOffset):
      (JSC::JSActivation::tearOff):
      (JSC::JSActivation::isValidIndex):
      * runtime/JSArray.h:
      (JSC::constructArrayNegativeIndexed): New method to create an array from registers that grow down.
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::globalExec):
      * runtime/JSGlobalObject.h:
      (JSC::constructArrayNegativeIndexed):
      * runtime/JSString.h:
      * runtime/Operations.h:
      (JSC::jsStringFromRegisterArray):
      * runtime/SymbolTable.h:
      (JSC::SharedSymbolTable::captureCount):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155711 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b70e41bc
  27. 10 Sep, 2013 2 commits
    • msaboff@apple.com's avatar
      Change virtual register function arguments from unsigned to int · 7535bbdc
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121055
      
      Reviewed by Filip Pizlo.
      
      This is a largely mechanical change.  This changes function paramaters and local variables used to
      represent bytecode operands from being unsigned to be int.
      
      * bytecode/CodeOrigin.h:
      * dfg/DFGByteCodeParser.cpp:
      * jit/JIT.h:
      * jit/JITArithmetic.cpp:
      * jit/JITArithmetic32_64.cpp:
      * jit/JITInlines.h:
      * jit/JITOpcodes.cpp:
      * jit/JITOpcodes32_64.cpp:
      * jit/JITPropertyAccess.cpp:
      * jit/JITPropertyAccess32_64.cpp:
      * jit/JITStubCall.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155418 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7535bbdc
    • msaboff@apple.com's avatar
      Add local to/from operand helpers similar to argument to/from operand2 · 1a5f13c8
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121056
      
      Reviewed by Geoffrey Garen.
      
      Added localToOperand(), operandToLocal() and operandIsLocal() to Operands.h, very similar to
      argumentToOperand(), et al.  Used the new helpers everywhere where an index into a data
      structure is intended instead of the actual virtual register offset.  When the stack is
      changed to grow down, local register offsets can be negative.  Also added the helper
      DFG::SpeculativeJIT::generationInfoFromVirtualRegister() for the common case accessing 
      m_generationInfo[operandToLocal(val)].
      
      * bytecode/CodeBlock.cpp:
      * bytecode/CodeBlock.h:
      * bytecode/Operands.h:
      (JSC::localToOperand):
      (JSC::operandIsLocal):
      (JSC::operandToLocal):
      * bytecompiler/BytecodeGenerator.h:
      * dfg/DFGAbstractInterpreterInlines.h:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGCFGSimplificationPhase.cpp:
      * dfg/DFGCPSRethreadingPhase.cpp:
      * dfg/DFGOSREntry.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      * dfg/DFGScoreBoard.h:
      * dfg/DFGSpeculativeJIT.cpp:
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      * dfg/DFGSpeculativeJIT64.cpp:
      * dfg/DFGValidate.cpp:
      * dfg/DFGVariableEventStream.cpp:
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      * jit/JITInlines.h:
      * jit/JITOpcodes.cpp:
      * jit/JITOpcodes32_64.cpp:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155415 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1a5f13c8