| Commit message (Collapse) | Author | Age | Files | Lines |
| |
https://bugs.webkit.org/show_bug.cgi?id=114235
Reviewed by Geoffrey Garen.
Due to the way that numCacheableSlots is currently calculated, checking an object's prototype for enumerable
properties causes us not to cache any properties at all. We should only cache properties on the object itself
since we currently don't take advantage of any sort of name caching for properties in the prototype chain.
This fix undoes a ~2% SunSpider regression caused by http://trac.webkit.org/changeset/147570.
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnNonIndexPropertyNames):
Change-Id: I5853ab567cd0a8cd20aeac1372ec64fc4f25df1a
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148036 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| |
properties
https://bugs.webkit.org/show_bug.cgi?id=113831
Reviewed by Geoffrey Garen.
get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly
access an object's backing store. One way to fix this is to not cache any properties when iterating over
objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.
Source/JavaScriptCore:
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnNonIndexPropertyNames):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/PropertyNameArray.h:
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::numCacheableSlots):
(JSC::PropertyNameArray::setNumCacheableSlots):
(PropertyNameArray):
Change-Id: I7ae9c48eea3c5300c4825a10a660b0e2210c8862
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147570 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| |
https://bugs.webkit.org/show_bug.cgi?id=114264
Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-04-09
Reviewed by Filip Pizlo.
Fix conditional branch compilation in LLInt offlineasm.
* offlineasm/mips.rb:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148045 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Conflicts:
Source/JavaScriptCore/ChangeLog
Change-Id: I31b5c06f4424d06785ae53f2f5e34584082b4b02
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| |
https://bugs.webkit.org/show_bug.cgi?id=108261
Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-02-01
Reviewed by Filip Pizlo.
offlineasm BaseIndex handling fix on MIPS.
* offlineasm/mips.rb:
* offlineasm/risc.rb:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141641 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Conflicts:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/offlineasm/mips.rb
Change-Id: I7ec4d500e11717e1cb2b6fd7f310e4e66cfa7955
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| |
https://bugs.webkit.org/show_bug.cgi?id=101328
Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-02-18
Reviewed by Oliver Hunt.
DFG implementation for MIPS.
Source/JavaScriptCore:
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::MIPSAssembler):
(JSC::MIPSAssembler::sllv):
(JSC::MIPSAssembler::movd):
(MIPSAssembler):
(JSC::MIPSAssembler::negd):
(JSC::MIPSAssembler::labelForWatchpoint):
(JSC::MIPSAssembler::label):
(JSC::MIPSAssembler::vmov):
(JSC::MIPSAssembler::linkDirectJump):
(JSC::MIPSAssembler::maxJumpReplacementSize):
(JSC::MIPSAssembler::revertJumpToMove):
(JSC::MIPSAssembler::replaceWithJump):
* assembler/MacroAssembler.h:
(MacroAssembler):
(JSC::MacroAssembler::poke):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::add32):
(MacroAssemblerMIPS):
(JSC::MacroAssemblerMIPS::and32):
(JSC::MacroAssemblerMIPS::lshift32):
(JSC::MacroAssemblerMIPS::mul32):
(JSC::MacroAssemblerMIPS::or32):
(JSC::MacroAssemblerMIPS::rshift32):
(JSC::MacroAssemblerMIPS::urshift32):
(JSC::MacroAssemblerMIPS::sub32):
(JSC::MacroAssemblerMIPS::xor32):
(JSC::MacroAssemblerMIPS::store32):
(JSC::MacroAssemblerMIPS::jump):
(JSC::MacroAssemblerMIPS::branchAdd32):
(JSC::MacroAssemblerMIPS::branchMul32):
(JSC::MacroAssemblerMIPS::branchSub32):
(JSC::MacroAssemblerMIPS::branchNeg32):
(JSC::MacroAssemblerMIPS::call):
(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::moveDouble):
(JSC::MacroAssemblerMIPS::swapDouble):
(JSC::MacroAssemblerMIPS::subDouble):
(JSC::MacroAssemblerMIPS::mulDouble):
(JSC::MacroAssemblerMIPS::divDouble):
(JSC::MacroAssemblerMIPS::negateDouble):
(JSC::MacroAssemblerMIPS::branchEqual):
(JSC::MacroAssemblerMIPS::branchNotEqual):
(JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
(JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
(JSC::MacroAssemblerMIPS::truncateDoubleToInt32):
(JSC::MacroAssemblerMIPS::truncateDoubleToUint32):
(JSC::MacroAssemblerMIPS::branchDoubleNonZero):
(JSC::MacroAssemblerMIPS::branchDoubleZeroOrNaN):
(JSC::MacroAssemblerMIPS::invert):
(JSC::MacroAssemblerMIPS::replaceWithJump):
(JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
* dfg/DFGAssemblyHelpers.h:
(AssemblyHelpers):
(JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
(JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
(JSC::DFG::AssemblyHelpers::debugCall):
* dfg/DFGCCallHelpers.h:
(CCallHelpers):
(JSC::DFG::CCallHelpers::setupArguments):
(JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
* dfg/DFGFPRInfo.h:
(DFG):
(FPRInfo):
(JSC::DFG::FPRInfo::toRegister):
(JSC::DFG::FPRInfo::toIndex):
(JSC::DFG::FPRInfo::debugName):
* dfg/DFGGPRInfo.h:
(DFG):
(GPRInfo):
(JSC::DFG::GPRInfo::toRegister):
(JSC::DFG::GPRInfo::toIndex):
(JSC::DFG::GPRInfo::debugName):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* jit/JSInterfaceJIT.h:
(JSInterfaceJIT):
* runtime/JSGlobalData.h:
(JSC::ScratchBuffer::allocationSize):
(ScratchBuffer):
Source/WTF:
* wtf/Platform.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143247 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Conflicts:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h
Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h
Source/WTF/ChangeLog
Change-Id: Ibc6c2a2b1d5c70d351ede37c6c111b66b4cf7fef
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| |
https://bugs.webkit.org/show_bug.cgi?id=99706
Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-01-07
Reviewed by Filip Pizlo.
LLInt implementation for MIPS.
Source/JavaScriptCore:
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::jump):
* dfg/DFGOperations.cpp:
(JSC):
* jit/JITStubs.cpp:
(JSC):
* jit/JITStubs.h:
(JITStackFrame):
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* offlineasm/backends.rb:
* offlineasm/instructions.rb:
* offlineasm/mips.rb: Added.
Source/WTF:
* wtf/Platform.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138970 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Conflicts:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITStubs.h
Change-Id: I1677d54c1641cf60e517772944582c8f387eeb6d
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| |
https://bugs.webkit.org/show_bug.cgi?id=109052
http://trac.webkit.org/changeset/142088
Reviewed by Jocelyn Turcotte.
With debug builds we exceed the 4GiB limit of GNU ar when creating the WebCore
intermediate static library which results in build failure even with a x86_64
toolchain (http://sourceware.org/bugzilla/show_bug.cgi?id=14625).
When using a GNU toolchain we can use the thin archive format for these static
libraries which also has the benefit of not copying the object files, thus
drastically reducing disk usage and overall compile time.
Currently qmake does not support GNU ar's thin archive format so for
now we need to do the magic in the build system as a stopgap solution.
Adjust project files that used activeBuildConfig()
to use targetSubDir().
Change-Id: I68604d5fc6acc32d45a734271aa87bfa5a14647f
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| |
https://bugs.webkit.org/show_bug.cgi?id=114580
Reviewed by Jocelyn Turcotte.
* jit/JITStubs.cpp:
(JSC):
Change-Id: Ibdda0a09ba3db010bbd7858b745834dff2d92260
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148663 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| |
https://bugs.webkit.org/show_bug.cgi?id=107728
Reviewed by Filip Pizlo.
Add a bunch of assertions to array and object butterfly
usage. This should make debugging somewhat easier.
I also converted a couple of assertions to release asserts
as they were so low cost it seemed a sensible thing to do.
* runtime/JSArray.cpp:
(JSC::JSArray::sortVector):
(JSC::JSArray::compactForSorting):
* runtime/JSObject.h:
(JSC::JSObject::getHolyIndexQuickly):
Change-Id: Ie6164b837e7671b87c003de3e29fd33ef05f4362
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
refs/staging/stable
| | | |
Change-Id: If3305d4a24584f4289f840e60a2362220d005013
| | | |
https://bugs.webkit.org/show_bug.cgi?id=108991
Reviewed by Oliver Hunt.
Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location
may step on calleeGPR if it happens to be nonArgGPR2.
* dfg/DFGRepatch.cpp:
(JSC::DFG::dfgLinkClosureCall):
Change-Id: I2d27a111ae1edbfea9335f3a06c5cc53e065a673
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141951 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
Reviewed by Allan Sandfeld Jensen.
Source/JavaScriptCore:
Initialize JSObject* exception to suppress warnings that make
the build fail because of -Werror=maybe-uninitialized.
* runtime/Executable.cpp:
(JSC::FunctionExecutable::compileForCallInternal):
(JSC::FunctionExecutable::compileForConstructInternal):
Source/WTF:
Disable diagnostic warning -Wunused-local-typedefs for GCC 4.8
since dummy typedefs are commonly used in the codebase.
* wtf/Compiler.h:
Change-Id: I084a47068324c6b9ddd7f4274f7c5a2d10904627
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
https://bugs.webkit.org/show_bug.cgi?id=110228
Reviewed by Geoffrey Garen.
We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy.
* heap/WeakSet.cpp:
(JSC::WeakSet::removeAllocator):
Change-Id: Iba6cff23e3d8b7a544a825dd1e435cf986b0d35f
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143351 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
traditional
https://bugs.webkit.org/show_bug.cgi?id=109565
Reviewed by Zoltan Herczeg.
Increase the value of sequenceGetByIdSlowCaseInstructionSpace to 80.
* jit/JIT.h:
Change-Id: I593f09494314a36cb50f2511908f6243fd43f902
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142616 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
https://bugs.webkit.org/show_bug.cgi?id=107340
Reviewed by Filip Pizlo.
Due to the change landed in r140201, more nodes might end up
generating Int32ToDouble nodes. Therefore, changed the JSVALUE64
constant path of compileInt32ToDouble() to use the more
restrictive isInt32Constant() check on the input. This check was
the same as the existing ASSERT() so the ASSERT was eliminated.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
Change-Id: I8e9f3858414e37f5b8232a58d8f6f9dada755343
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140221 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
https://bugs.webkit.org/show_bug.cgi?id=107321
Reviewed by Filip Pizlo.
Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
an ArithDiv node with integer inputs and output for platforms that don't have integer division.
Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
without any further checks.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixDoubleEdge):
(FixupPhase):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
Change-Id: Ic79f2823a7cfb9ce52bb935536972f48508579fd
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140203 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
https://bugs.webkit.org/show_bug.cgi?id=107309
Reviewed by Filip Pizlo.
Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixDoubleEdge):
Change-Id: I8e73ad242feb65c143857d3a4190e095aa5e9d06
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140201 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
https://bugs.webkit.org/show_bug.cgi?id=102828
Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-01-18
Reviewed by Mark Hahnenberg.
Make MarkStackSegment::blockSize as the capacity of segments of a MarkStackArray.
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
* heap/MarkStack.cpp:
(JSC):
(JSC::MarkStackArray::MarkStackArray):
(JSC::MarkStackArray::expand):
(JSC::MarkStackArray::donateSomeCellsTo):
(JSC::MarkStackArray::stealSomeCellsFrom):
* heap/MarkStack.h:
(JSC::MarkStackSegment::data):
(CapacityFromSize):
(MarkStackArray):
* heap/MarkStackInlines.h:
(JSC::MarkStackArray::setTopForFullSegment):
(JSC::MarkStackArray::append):
(JSC::MarkStackArray::isEmpty):
(JSC::MarkStackArray::size):
* runtime/Options.h:
(JSC):
Change-Id: I4663100b6b8b054bed03c0c6eb01bb9274a1b264
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140195 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
https://bugs.webkit.org/show_bug.cgi?id=102897
Patch by Tobias Netzel <tobias.netzel@googlemail.com> on 2013-01-22
Reviewed by Oliver Hunt.
This patch was tested in the current mozilla codebase only and has passed the regexp tests there.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
Change-Id: I1eb463aa79a7976a87d1f36a6c0123b058c3ec87
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140438 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
then the holes should end up being correctly initialized
https://bugs.webkit.org/show_bug.cgi?id=106363
Reviewed by Mark Hahnenberg.
Source/JavaScriptCore:
* runtime/JSArray.h:
(JSC::JSArray::tryCreateUninitialized):
LayoutTests:
* fast/js/jsc-test-list:
* fast/js/new-array-double-with-holes-expected.txt: Added.
* fast/js/new-array-double-with-holes.html: Added.
* fast/js/script-tests/new-array-double-with-holes.js: Added.
(foo):
Change-Id: Iad48b7dd0e71bcbe8557fd6f19487fcd9eeed585
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | | |
https://bugs.webkit.org/show_bug.cgi?id=103305
<rdar://problem/12753096>
Reviewed by Mark Hahnenberg.
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
Change-Id: I48ebd652e936ca5781fd6d1bab2df012b2027c34
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139264 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=106978
Reviewed by Filip Pizlo.
Source/JavaScriptCore:
Changed the numerator equal to -2^31 check to just return if we expect an integer
result, since the check is after we have determined that the denominator is -1.
The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
LayoutTests:
Added a new DFG check for -2^31 / -1 when we expect an integer result.
* fast/js/integer-division-neg2tothe32-by-neg1-expected.txt:
* fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js:
(myDivExpectingInt):
Change-Id: Ifd8dd24e75e60520a140c09948dd3ab49aaa3fa8
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139835 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=107965
Reviewed by Simon Hausmann.
Source/JavaScriptCore:
1. MSVC doesn't support inline assembly for 64 bits, implements the trampoline in a separate ASM file.
2. Windows 64 bits has a different calling convention than other OSes following the AMD64 ABI.
Differences that we have to handle here:
- Registers passed parameters are RCX, RDX, R8 and R9 instead of RDI, RSI, RDX, RCX, R8 and R9
- RDI and RSI must be preserved by callee
- Only return values <= 8 bytes can be returned by register (RDX can't be used to return a second word)
- There is no red-zone after RIP on the stack, but instead 4 reserved words before it
* Target.pri:
* jit/JITStubs.cpp:
* jit/JITStubs.h:
(JSC):
(JITStackFrame):
(JSC::JITStackFrame::returnAddressSlot):
* jit/JITStubsMSVC64.asm: Added.
* jit/JSInterfaceJIT.h:
(JSInterfaceJIT):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* yarr/YarrJIT.cpp:
(YarrGenerator):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
Source/WTF:
* wtf/Platform.h:
Change-Id: Ie1910350e36defcd427a95ceb9aa280fa61083e7
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144043 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=107081
Reviewed by Michael Saboff.
This bug led to the 32_64 backend emitting contiguous allocation code to allocate
ArrayStorage arrays. This then led to all manner of heap corruption, since
subsequent array accesses would be accessing the contiguous array "as if" it was
an arraystorage array.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Change-Id: Ide538ea42dc32f29daf7bfe4b035053f1e9471b1
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139949 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=111115
Reviewed by Mark Hahnenberg.
The chances of this having caused serious issues are low, since most clients of the
NodeDoesNotExit flag run after CFA and CFA updates this properly. But one possible
case of badness is if the ByteCodeParser inserted a Phantom with a type check in
between a LogicalNot and a Branch; then that peephole optimization in Fixup might
go slightly wrong.
* dfg/DFGNodeType.h:
(DFG):
Change-Id: I568e22c3577979de0eeea945de519a920ee212b6
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144373 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=105226
Reviewed by Mark Hahnenberg and Oliver Hunt.
Source/JavaScriptCore:
If we see a variable's live range cross basic block boundaries, conservatively assume that it may
be part of a data-flow back-edge, and as a result, we may have entirely integer operations that
could lead to the creation of an integer that is out of range of 2^52 (the significand of a double
float). This does not seem to regress any of the benchmarks we care about, and it fixes the bug.
In future we may want to actually look at whether or not there was a data-flow back-edge instead
of being super conservative about it. But we have no evidence, yet, that this would help us on
real code.
* dfg/DFGNodeFlags.h:
(DFG):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
LayoutTests:
* fast/js/dfg-int-overflow-in-loop-expected.txt: Added.
* fast/js/dfg-int-overflow-in-loop.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-int-overflow-in-loop.js: Added.
(foo):
Change-Id: I9df2d6d17ba404802456f4e2da313e47f0f4f62e
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137963 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
constants
https://bugs.webkit.org/show_bug.cgi?id=105239
Reviewed by Gavin Barraclough.
Source/JavaScriptCore:
If we elide overflow checks on an addition (or subtraction) involving a larger-than-2^32 immediate,
then make sure that the non-constant child of the addition knows that he's got to do an overflow
check, by flowing the UsedAsNumber property at him.
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addSpeculationMode):
(Graph):
(JSC::DFG::Graph::addShouldSpeculateInteger):
(JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
LayoutTests:
* fast/js/dfg-int-overflow-large-constants-in-a-line-expected.txt: Added.
* fast/js/dfg-int-overflow-large-constants-in-a-line.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-int-overflow-large-constants-in-a-line.js: Added.
(foo):
Change-Id: If9f7c71050b6f07fc024e6e9f42083d7d3ca71f6
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137980 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=104967
Reviewed by Mark Hahnenberg.
Source/JavaScriptCore:
Fix PutScopedVar backward flow.
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
LayoutTests:
* fast/js/dfg-put-scoped-var-backward-flow-expected.txt: Added.
* fast/js/dfg-put-scoped-var-backward-flow.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-put-scoped-var-backward-flow.js: Added.
(sum):
Change-Id: I63c3091751555d3690f22e38a55408ced098adf8
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137951 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=104988
Reviewed by Sam Weinig.
This assertion doesn't accomplish anything other than crashes.
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
Change-Id: I16848f37dd75c3de061e737097f0a09a01e31626
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137705 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
JavaScriptCore bindings
https://bugs.webkit.org/show_bug.cgi?id=104623
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to inhibit prototype chain caching
in some cases. This appears to be perf-neutral on benchmarks that we track.
* dfg/DFGRepatch.cpp:
(JSC::DFG::tryCacheGetByID):
(JSC::DFG::tryBuildGetByIDProtoList):
* jit/JITStubs.cpp:
(JSC::JITThunks::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):
* runtime/JSTypeInfo.h:
(JSC):
(JSC::TypeInfo::hasImpureGetOwnPropertySlot):
* runtime/Operations.h:
(JSC::normalizePrototypeChainForChainAccess):
Source/WebCore:
All DOM objects that have named getters or directly override getOwnPropertySlot are now marked as
HasImpureGetOwnPropertySlot.
Tests: fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps
fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
LayoutTests:
* fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
* fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
* fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
* fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
* fast/js/script-tests/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added.
(f):
* fast/js/script-tests/prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added.
(f):
Change-Id: Ie17e39f2b8139778455e28aca9428698f4dd362f
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137700 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=104247
<rdar://problem/12826880>
Reviewed by Oliver Hunt.
Source/JavaScriptCore:
Fixed the CFG simplification phase to ignore dead GetLocals in the first of the blocks
under the merge. This fixes the assertion, and is also cleaner: our general rule is
to not "revive" things that we've already proved to be dead.
Also fixed some rotted debug code.
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
* dfg/DFGStructureCheckHoistingPhase.cpp:
(JSC::DFG::StructureCheckHoistingPhase::run):
LayoutTests:
* fast/js/dfg-cfg-simplify-redundant-dead-get-local-expected.txt: Added.
* fast/js/dfg-cfg-simplify-redundant-dead-get-local.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-cfg-simplify-redundant-dead-get-local.js: Added.
(getDist):
(calcError):
Change-Id: I70b28d61e3fcbbb551d9e71d458efe654149c12c
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136989 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
handler
https://bugs.webkit.org/show_bug.cgi?id=104313
<rdar://problem/12808934>
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality
used for checking whether a handler is pertinent to the current instruction. '<' is
correct, but '<=' isn't, since the 'end' is not inclusive.
Also found, and addressed, a benign goof in how the finally inliner works: sometimes
we will have end > start. This falls out naturally from how the inliner works and how
we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any
future confusion, I added a comment and some code to prune those handlers out. Because
of how the handler resolution works, these handlers would have been skipped anyway.
Also made various fixes to debugging code, which was necessary for tracking this down.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::handlerForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
* bytecompiler/Label.h:
(JSC::Label::bind):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::throwException):
* llint/LLIntExceptions.cpp:
(JSC::LLInt::interpreterThrowInCaller):
(JSC::LLInt::returnToThrow):
(JSC::LLInt::callToThrow):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):
LayoutTests:
* fast/js/jsc-test-list:
* fast/js/script-tests/try-catch-try-try-catch-try-finally-return-catch-finally.js: Added.
(foo):
* fast/js/try-catch-try-try-catch-try-finally-return-catch-finally-expected.txt: Added.
* fast/js/try-catch-try-try-catch-try-finally-return-catch-finally.html: Added.
Change-Id: Ic199b40daa2f8be3fb4dd01a762323d7309dfb47
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136927 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
array buffer allocation errors
https://bugs.webkit.org/show_bug.cgi?id=104020
<rdar://problem/12802478>
Reviewed by Mark Hahnenberg.
Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
and that is indeed the contract of ArrayBuffer and TypedArrayBase.
* JSCTypedArrayStubs.h:
(JSC):
Change-Id: If57957cd1a5397aeae59a3b9347db9de2f8a56fc
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136536 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=109689
Reviewed by Zoltan Herczeg.
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::replaceWithJump):
Change-Id: I069f53f06a50248be17fa6c6f94cf1aab9aa70bc
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142751 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Andras Becsi <andras.becsi@digia.com>
| | |
https://bugs.webkit.org/show_bug.cgi?id=110201
Reviewed by Oliver Hunt.
Revert two instructions back to their original value.
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::revertBranchPtrWithPatch):
(ARMAssembler):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branchPtrWithPatch):
(JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
Change-Id: Ic453e2d43913e1139a0f119e5f6c3e4d4ce0d7e1
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143346 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Andras Becsi <andras.becsi@digia.com>
|
https://bugs.webkit.org/show_bug.cgi?id=90740
Patch by Peter Gal <galpeter@inf.u-szeged.hu> on 2013-03-07
Reviewed by Filip Pizlo.
* offlineasm/ast.rb: Fixed the return value of the children method in the Not AST class.
Change-Id: Id9737890167006198c25a585e89fc41f8a9ae784
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@145047 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Andras Becsi <andras.becsi@digia.com>
|
https://bugs.webkit.org/show_bug.cgi?id=112141
Reviewed by Filip Pizlo.
Implement Double2Ints() in CLoop backend of LLInt on 32bit architectures.
* llint/LowLevelInterpreter.cpp:
(LLInt):
(JSC::LLInt::Double2Ints):
* offlineasm/cloop.rb:
Change-Id: I0617d06eda59afec2f0ddc7268ac1531f275f9ec
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@145551 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Andras Becsi <andras.becsi@digia.com>
|
modes on ARM traditional.
https://bugs.webkit.org/show_bug.cgi?id=109050
Reviewed by Oliver Hunt.
The S! scratch register is reused, but it should contain the constant value.
* assembler/ARMAssembler.cpp:
(JSC::ARMAssembler::baseIndexTransfer32):
(JSC::ARMAssembler::baseIndexTransfer16):
Change-Id: Ib2487e008104e79b4e38e3031bd60bc25ed7f8a2
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142146 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Andras Becsi <andras.becsi@digia.com>
|
https://bugs.webkit.org/show_bug.cgi?id=112863
Reviewed by Yong Li.
This was fixed in http://trac.webkit.org/changeset/146396 on Linux only.
Enable this fix on QNX.
* assembler/ARMv7Assembler.h:
(ARMv7Assembler):
(JSC::ARMv7Assembler::replaceWithJump):
(JSC::ARMv7Assembler::maxJumpReplacementSize):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
Change-Id: Ib9ced675a08b9351ddf36185140adeb1cfb24ee3
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146429 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Reviewed-by: Andras Becsi <andras.becsi@digia.com>
|
https://bugs.webkit.org/show_bug.cgi?id=103146
Reviewed by Filip Pizlo.
On Linux, the 24 bit distance range of jumps sometimes is not
enough to cover all target addresses. This patch supports jumps
outside of this range using a mov/movt/bx 10 byte long sequence.
* assembler/ARMv7Assembler.h:
(ARMv7Assembler):
(JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
(JSC::ARMv7Assembler::nopw):
(JSC::ARMv7Assembler::label):
(JSC::ARMv7Assembler::replaceWithJump):
(JSC::ARMv7Assembler::maxJumpReplacementSize):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
Change-Id: Ic90230b5f5d74023b5476897966a01ce7152071a
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146396 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Reviewed-by: Andras Becsi <andras.becsi@digia.com>
|
Unreviewed, build fix.
* heap/HeapTimer.h:
Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.
Change-Id: Ibf9d96a3492e47dc33e131322de16e52de00e5e5
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141097 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
|
https://bugs.webkit.org/show_bug.cgi?id=103998
Reviewed by Simon Hausmann.
Source/JavaScriptCore:
Implements the activity triggered garbage collector.
* runtime/GCActivityCallback.cpp:
(JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
(JSC::DefaultGCActivityCallback::scheduleTimer):
(JSC::DefaultGCActivityCallback::cancelTimer):
* runtime/GCActivityCallback.h:
(GCActivityCallback):
(DefaultGCActivityCallback):
Source/WebCore:
Implements the activity triggered garbage collector,
and disables the timer based fallback.
* bindings/js/GCController.cpp:
(WebCore::GCController::GCController):
(WebCore::GCController::garbageCollectSoon):
* bindings/js/GCController.h:
(GCController):
Change-Id: Idd8f714e71871b3cc991f8d1866cdd271a47eff4
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141114 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
|
https://bugs.webkit.org/show_bug.cgi?id=103996
Reviewed by Simon Hausmann.
Implements the incremental sweeping garbage collection for the Qt platform.
* heap/HeapTimer.cpp:
(JSC::HeapTimer::HeapTimer):
(JSC::HeapTimer::~HeapTimer):
(JSC::HeapTimer::timerEvent):
(JSC::HeapTimer::synchronize):
(JSC::HeapTimer::invalidate):
(JSC::HeapTimer::didStartVMShutdown):
* heap/HeapTimer.h:
(HeapTimer):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::IncrementalSweeper):
(JSC::IncrementalSweeper::scheduleTimer):
* heap/IncrementalSweeper.h:
(IncrementalSweeper):
Change-Id: I47b874c050e08519cf5e3ed5a98a98ac8785971f
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
|
Reviewed by Tor Arne Vestbø.
There exists a race condition that LLIntDesiredOffsets.h is written to
by two parallel instances of the ruby script. This patch ensures that similar to the output file,
the generated file is also prefixed according to the build configuration.
* LLIntOffsetsExtractor.pro:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144168 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Change-Id: Ibf60cf455c342fce5a4244aba788a2ad8e18e136
Reviewed-by: Iikka Eklund <iikka.eklund@digia.com>
|
https://bugs.webkit.org/show_bug.cgi?id=105339
Reviewed by Filip Pizlo.
Currently the DFG has a single branch in the inline allocation path for property/array storage where
it checks to see if the number of bytes requested will fit in the current block. This does not match
what the C++ allocation path does; it checks if the requested number of bytes is oversize, and then
if it's not, it tries to fit it in the current block. The garbage collector assumes that ALL allocations
that are greater than 16KB are in oversize blocks. Therefore, this mismatch can lead to crashes when
the collector tries to perform some operation on a CopiedBlock.
To avoid adding an extra branch to the inline allocation path in the JIT, we should make it so that
oversize blocks are allocated on the same alignment boundaries so that there is a single mask to find
the block header of any CopiedBlock (rather than two, one for normal and one for oversize blocks), and
we should figure out if a block is oversize by some other method than just whatever the JSObject says
it is. One way we could record this info is in the Region of the block, since we allocate a one-off Region for
oversize blocks.
* heap/BlockAllocator.h:
(JSC::Region::isCustomSize):
(Region):
(JSC::Region::createCustomSize):
(JSC::Region::Region):
(JSC::BlockAllocator::deallocateCustomSize):
* heap/CopiedBlock.h:
(CopiedBlock):
(JSC::CopiedBlock::isOversize):
(JSC):
* heap/CopiedSpace.cpp:
(JSC::CopiedSpace::tryAllocateOversize):
(JSC::CopiedSpace::tryReallocate):
(JSC::CopiedSpace::tryReallocateOversize):
* heap/CopiedSpace.h:
(CopiedSpace):
* heap/CopiedSpaceInlines.h:
(JSC::CopiedSpace::contains):
(JSC::CopiedSpace::tryAllocate):
(JSC):
* heap/CopyVisitor.h:
(CopyVisitor):
* heap/CopyVisitorInlines.h:
(JSC::CopyVisitor::checkIfShouldCopy):
(JSC::CopyVisitor::didCopy):
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::copyLater):
* runtime/JSObject.cpp:
(JSC::JSObject::copyButterfly):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138067 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Change-Id: Icebcfe83d82ace7c3e1db6a979306f604459c5ae
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
|
https://bugs.webkit.org/show_bug.cgi?id=105221
Reviewed by Filip Pizlo.
Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly
objects purely by coincidence. We should add a new static function that null checks the old
Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for
use in the couple of places in JSObject that expect such behavior to work.
* runtime/Butterfly.h:
(Butterfly):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createOrGrowArrayRight):
(JSC):
* runtime/JSObject.cpp:
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137961 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Change-Id: I643bc988f3e25b6f05be4e99f19fd2dc609152e4
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
|
https://bugs.webkit.org/show_bug.cgi?id=105925
Reviewed by Sam Weinig.
As suggested by Sam, move the MinGW-w64 workaround into MathExtras.h
away from the JSC usage.
Source/JavaScriptCore:
* runtime/MathObject.cpp:
(JSC::mathPow):
Source/WTF:
* wtf/MathExtras.h:
(wtf_pow):
Change-Id: I49b2365baae6fdd9700667d1ef53c78bd70f6de3
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138705 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
|
JSC::JSCell::classInfo is defined inline in JSDestructibleObject.h but
not all the classes that inherit directly from JSCell include
JSDestructibleObject.h.
Move JSC::JSCell::classInfo from JSDestructibleObject.h into JSObject.h
to resolve the undefined reference errors when compiling with MinGW-w64.
JSDestructibleObject.h is already removed upstream in SVN r128851 but
the commit has a lot of other changes which don't apply cleanly.
Task-number: QTBUG-27764
Change-Id: I75b13c93dd13a346e672ca76fd7b23a616653a79
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
Reviewed-by: Alexey Pavlov <alexey.pawlow@gmail.com>
|
https://bugs.webkit.org/show_bug.cgi?id=105087
Patch by Jonathan Liu <net147@gmail.com> on 2012-12-17
Reviewed by Simon Hausmann.
The MinGW-w64 runtime has different behaviour for pow()
compared to other C runtimes. This results in the following
test262 tests failing with the latest MinGW-w64 runtime:
- S15.8.2.13_A14
- S15.8.2.13_A16
- S15.8.2.13_A20
- S15.8.2.13_A22
Handle the special cases that are different with MinGW-w64.
* runtime/MathObject.cpp:
(JSC::mathPow):
Change-Id: Ifad1aa24ac36f2d452e9166a4298525793597da3
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137895 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
|