<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[168443] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/168443">168443</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2014-05-07 15:00:10 -0700 (Wed, 07 May 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>REGRESSION(<a href="http://trac.webkit.org/projects/webkit/changeset/166678">r166678</a>): Dromaeo/cssquery-dojo.html crashes regularly.
<https://webkit.org/b/131356>
Reviewed by Geoffrey Garen.
The issue is that GC needs to be made aware of writes to m_inferredValue
in the VariableWatchpointSet, but was not. As a result, if a JSCell*
is written to a VariableWatchpointSet m_inferredValue, and that JSCell
does not survive an eden GC shortly after, we will end up with a stale
JSCell pointer left in the m_inferredValue.
This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
using DumpRenderTree with the VM heap in zombie mode.
The fix is to change VariableWatchpointSet m_inferredValue to type
WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
is executed by all the execution engines so that the WriteBarrier semantics
are honored.
We still check if the value to be written is the same as the one in the
inferredValue. We'll by-pass calling the slow path notifyWrite() if the
values are the same.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
- need to pass the symbolTable to prepareToWatch() because it will be needed
for instantiating the VariableWatchpointSet in prepareToWatch().
* bytecode/VariableWatchpointSet.h:
(JSC::VariableWatchpointSet::VariableWatchpointSet):
- VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
(JSC::VariableWatchpointSet::inferredValue):
(JSC::VariableWatchpointSet::invalidate):
(JSC::VariableWatchpointSet::finalizeUnconditionally):
(JSC::VariableWatchpointSet::addressOfInferredValue):
(JSC::VariableWatchpointSet::notifyWrite): Deleted.
* bytecode/VariableWatchpointSetInlines.h: Added.
(JSC::VariableWatchpointSet::notifyWrite):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::cellConstant):
- Added an assert in case we try to make constants of zombified JSCells again.
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
- We now let the slow path handle the cases when the VariableWatchpointSet is
in state ClearWatchpoint and IsWatched, and the slow path will ensure that
we handle the needed write barrier semantics correctly.
We will by-pass the slow path if the value being written is the same as the
inferred value.
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
- Let the slow path handle the cases when the VariableWatchpointSet is
in state ClearWatchpoint and IsWatched.
We will by-pass the slow path if the value being written is the same as the
inferred value.
* heap/Heap.cpp:
(JSC::Zombify::operator()):
- Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
which is used everywhere else).
* heap/Heap.h:
(JSC::Heap::isZombified):
- Provide a convenience test function to check if JSCells are zombified. This is
currently only used in an assertion in the DFG bytecode parser, but the intent
it that we'll apply this test in other strategic places later to help with early
detection of usage of GC'ed objects when we run in zombie mode.
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_captured_mov):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitNotifyWrite):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitNotifyWrite):
(JSC::JIT::emitSlow_op_put_to_scope):
- Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
is in state ClearWatchpoint and IsWatched.
We will by-pass the slow path if the value being written is the same as the
inferred value.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
- Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
is in state ClearWatchpoint and IsWatched.
We will by-pass the slow path if the value being written is the same as the
inferred value.
* runtime/CommonSlowPaths.cpp:
* runtime/JSCJSValue.h: Fixed some typos in the comments.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::addGlobalVar):
(JSC::JSGlobalObject::addFunction):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
(JSC::symbolTablePutWithAttributes):
* runtime/SymbolTable.cpp:
(JSC::SymbolTableEntry::prepareToWatch):
(JSC::SymbolTableEntry::notifyWriteSlow):
* runtime/SymbolTable.h:
(JSC::SymbolTableEntry::notifyWrite):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeVariableWatchpointSeth">trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSet.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationsh">trunk/Source/JavaScriptCore/dfg/DFGOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLIntrinsicRepositoryh">trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapcpp">trunk/Source/JavaScriptCore/heap/Heap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeaph">trunk/Source/JavaScriptCore/heap/Heap.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationsh">trunk/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccesscpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCJSValueh">trunk/Source/JavaScriptCore/runtime/JSCJSValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSymbolTableObjecth">trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSymbolTablecpp">trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSymbolTableh">trunk/Source/JavaScriptCore/runtime/SymbolTable.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCorebytecodeVariableWatchpointSetInlinesh">trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSetInlines.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/ChangeLog 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1,3 +1,118 @@
</span><ins>+2014-05-07 Mark Lam <mark.lam@apple.com>
+
+ REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
+ <https://webkit.org/b/131356>
+
+ Reviewed by Geoffrey Garen.
+
+ The issue is that GC needs to be made aware of writes to m_inferredValue
+ in the VariableWatchpointSet, but was not. As a result, if a JSCell*
+ is written to a VariableWatchpointSet m_inferredValue, and that JSCell
+ does not survive an eden GC shortly after, we will end up with a stale
+ JSCell pointer left in the m_inferredValue.
+
+ This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
+ using DumpRenderTree with the VM heap in zombie mode.
+
+ The fix is to change VariableWatchpointSet m_inferredValue to type
+ WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
+ is executed by all the execution engines so that the WriteBarrier semantics
+ are honored.
+
+ We still check if the value to be written is the same as the one in the
+ inferredValue. We'll by-pass calling the slow path notifyWrite() if the
+ values are the same.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ - need to pass the symbolTable to prepareToWatch() because it will be needed
+ for instantiating the VariableWatchpointSet in prepareToWatch().
+
+ * bytecode/VariableWatchpointSet.h:
+ (JSC::VariableWatchpointSet::VariableWatchpointSet):
+ - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
+ write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
+ (JSC::VariableWatchpointSet::inferredValue):
+ (JSC::VariableWatchpointSet::invalidate):
+ (JSC::VariableWatchpointSet::finalizeUnconditionally):
+ (JSC::VariableWatchpointSet::addressOfInferredValue):
+ (JSC::VariableWatchpointSet::notifyWrite): Deleted.
+ * bytecode/VariableWatchpointSetInlines.h: Added.
+ (JSC::VariableWatchpointSet::notifyWrite):
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::cellConstant):
+ - Added an assert in case we try to make constants of zombified JSCells again.
+
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ - We now let the slow path handle the cases when the VariableWatchpointSet is
+ in state ClearWatchpoint and IsWatched, and the slow path will ensure that
+ we handle the needed write barrier semantics correctly.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
+ - Let the slow path handle the cases when the VariableWatchpointSet is
+ in state ClearWatchpoint and IsWatched.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * heap/Heap.cpp:
+ (JSC::Zombify::operator()):
+ - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
+ which is used everywhere else).
+ * heap/Heap.h:
+ (JSC::Heap::isZombified):
+ - Provide a convenience test function to check if JSCells are zombified. This is
+ currently only used in an assertion in the DFG bytecode parser, but the intent
+ it that we'll apply this test in other strategic places later to help with early
+ detection of usage of GC'ed objects when we run in zombie mode.
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emitSlow_op_captured_mov):
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitNotifyWrite):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitNotifyWrite):
+ (JSC::JIT::emitSlow_op_put_to_scope):
+ - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
+ is in state ClearWatchpoint and IsWatched.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
+ is in state ClearWatchpoint and IsWatched.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * runtime/CommonSlowPaths.cpp:
+
+ * runtime/JSCJSValue.h: Fixed some typos in the comments.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::addGlobalVar):
+ (JSC::JSGlobalObject::addFunction):
+ * runtime/JSSymbolTableObject.h:
+ (JSC::symbolTablePut):
+ (JSC::symbolTablePutWithAttributes):
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTableEntry::prepareToWatch):
+ (JSC::SymbolTableEntry::notifyWriteSlow):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTableEntry::notifyWrite):
+
</ins><span class="cx"> 2014-05-06 Michael Saboff <msaboff@apple.com>
</span><span class="cx">
</span><span class="cx"> Unreviewd build fix for C-LOOP after r168396.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1708,6 +1708,7 @@
</span><span class="cx"> FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */ = {isa = PBXBuildFile; fileRef = FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> FE4A331F15BD2E07006F54F3 /* VMInspector.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE4A331D15BD2E07006F54F3 /* VMInspector.cpp */; };
</span><span class="cx"> FE4A332015BD2E07006F54F3 /* VMInspector.h in Headers */ = {isa = PBXBuildFile; fileRef = FE4A331E15BD2E07006F54F3 /* VMInspector.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ FE5248F9191442D900B7FDE4 /* VariableWatchpointSetInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = FE5248F8191442D900B7FDE4 /* VariableWatchpointSetInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> FE5932A7183C5A2600A1ECCC /* VMEntryScope.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */; };
</span><span class="cx"> FE5932A8183C5A2600A1ECCC /* VMEntryScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FE5932A6183C5A2600A1ECCC /* VMEntryScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> FEA08620182B7A0400F6D851 /* Breakpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = FEA0861E182B7A0400F6D851 /* Breakpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -3333,6 +3334,7 @@
</span><span class="cx"> FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntCLoop.h; path = llint/LLIntCLoop.h; sourceTree = "<group>"; };
</span><span class="cx"> FE4A331D15BD2E07006F54F3 /* VMInspector.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VMInspector.cpp; sourceTree = "<group>"; };
</span><span class="cx"> FE4A331E15BD2E07006F54F3 /* VMInspector.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VMInspector.h; sourceTree = "<group>"; };
</span><ins>+ FE5248F8191442D900B7FDE4 /* VariableWatchpointSetInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VariableWatchpointSetInlines.h; sourceTree = "<group>"; };
</ins><span class="cx"> FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VMEntryScope.cpp; sourceTree = "<group>"; };
</span><span class="cx"> FE5932A6183C5A2600A1ECCC /* VMEntryScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VMEntryScope.h; sourceTree = "<group>"; };
</span><span class="cx"> FEA0861E182B7A0400F6D851 /* Breakpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Breakpoint.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -5029,6 +5031,7 @@
</span><span class="cx"> 0F24E55717F74EDB00ABB217 /* ValueRecovery.cpp */,
</span><span class="cx"> 0F426A451460CBAB00131F8F /* ValueRecovery.h */,
</span><span class="cx"> 0F9181C618415CA50057B669 /* VariableWatchpointSet.h */,
</span><ins>+ FE5248F8191442D900B7FDE4 /* VariableWatchpointSetInlines.h */,
</ins><span class="cx"> 0F426A461460CBAB00131F8F /* VirtualRegister.h */,
</span><span class="cx"> 0F919D2215853CDE004A4E7D /* Watchpoint.cpp */,
</span><span class="cx"> 0F919D2315853CDE004A4E7D /* Watchpoint.h */,
</span><span class="lines">@@ -5491,6 +5494,7 @@
</span><span class="cx"> 86D3B2C410156BDE002865E7 /* ARMAssembler.h in Headers */,
</span><span class="cx"> A584032018BFFBE1005A0811 /* InspectorAgent.h in Headers */,
</span><span class="cx"> 2AABCDE718EF294200002096 /* GCLogging.h in Headers */,
</span><ins>+ FE5248F9191442D900B7FDE4 /* VariableWatchpointSetInlines.h in Headers */,
</ins><span class="cx"> C2DA778318E259990066FCB6 /* HeapInlines.h in Headers */,
</span><span class="cx"> 2AACE63D18CA5A0300ED0191 /* GCActivityCallback.h in Headers */,
</span><span class="cx"> 2A83638618D7D0EE0000EBCC /* EdenGCActivityCallback.h in Headers */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1793,7 +1793,7 @@
</span><span class="cx"> ConcurrentJITLocker locker(m_symbolTable->m_lock);
</span><span class="cx"> SymbolTable::Map::iterator iter = m_symbolTable->find(locker, uid);
</span><span class="cx"> ASSERT(iter != m_symbolTable->end(locker));
</span><del>- iter->value.prepareToWatch();
</del><ins>+ iter->value.prepareToWatch(symbolTable());
</ins><span class="cx"> instructions[i + 3].u.watchpointSet = iter->value.watchpointSet();
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeVariableWatchpointSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSet.h (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSet.h 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSet.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012-2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -31,11 +31,14 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><ins>+class SymbolTable;
+
</ins><span class="cx"> class VariableWatchpointSet : public WatchpointSet {
</span><span class="cx"> friend class LLIntOffsetsExtractor;
</span><span class="cx"> public:
</span><del>- VariableWatchpointSet()
</del><ins>+ VariableWatchpointSet(SymbolTable& symbolTable)
</ins><span class="cx"> : WatchpointSet(ClearWatchpoint)
</span><ins>+ , m_symbolTable(symbolTable)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -52,35 +55,13 @@
</span><span class="cx"> // IsInvalidated: in this case the variable's value may be anything but you'll
</span><span class="cx"> // either notice that it's invalidated and not install the watchpoint, or
</span><span class="cx"> // you will have been notified that the watchpoint was fired.
</span><del>- JSValue inferredValue() const { return m_inferredValue; }
</del><ins>+ JSValue inferredValue() const { return m_inferredValue.get(); }
</ins><span class="cx">
</span><del>- void notifyWrite(JSValue value)
- {
- ASSERT(!!value);
- switch (state()) {
- case ClearWatchpoint:
- m_inferredValue = value;
- startWatching();
- return;
-
- case IsWatched:
- ASSERT(!!m_inferredValue);
- if (value == m_inferredValue)
- return;
- invalidate();
- return;
-
- case IsInvalidated:
- ASSERT(!m_inferredValue);
- return;
- }
-
- ASSERT_NOT_REACHED();
- }
</del><ins>+ inline void notifyWrite(VM&, JSValue);
</ins><span class="cx">
</span><span class="cx"> void invalidate()
</span><span class="cx"> {
</span><del>- m_inferredValue = JSValue();
</del><ins>+ m_inferredValue.clear();
</ins><span class="cx"> WatchpointSet::invalidate();
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -89,18 +70,20 @@
</span><span class="cx"> ASSERT(!!m_inferredValue == (state() == IsWatched));
</span><span class="cx"> if (!m_inferredValue)
</span><span class="cx"> return;
</span><del>- if (!m_inferredValue.isCell())
</del><ins>+ JSValue inferredValue = m_inferredValue.get();
+ if (!inferredValue.isCell())
</ins><span class="cx"> return;
</span><del>- JSCell* cell = m_inferredValue.asCell();
</del><ins>+ JSCell* cell = inferredValue.asCell();
</ins><span class="cx"> if (Heap::isMarked(cell))
</span><span class="cx"> return;
</span><span class="cx"> invalidate();
</span><span class="cx"> }
</span><del>-
- JSValue* addressOfInferredValue() { return &m_inferredValue; }
</del><span class="cx">
</span><ins>+ WriteBarrier<Unknown>* addressOfInferredValue() { return &m_inferredValue; }
+
</ins><span class="cx"> private:
</span><del>- JSValue m_inferredValue;
</del><ins>+ SymbolTable& m_symbolTable;
+ WriteBarrier<Unknown> m_inferredValue;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeVariableWatchpointSetInlinesh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSetInlines.h (0 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSetInlines.h (rev 0)
+++ trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSetInlines.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -0,0 +1,60 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef VariableWatchpointSetInlines_h
+#define VariableWatchpointSetInlines_h
+
+#include "SymbolTable.h"
+#include "VariableWatchpointSet.h"
+
+namespace JSC {
+
+inline void VariableWatchpointSet::notifyWrite(VM& vm, JSValue value)
+{
+ ASSERT(!!value);
+ switch (state()) {
+ case ClearWatchpoint:
+ m_inferredValue.set(vm, &m_symbolTable, value);
+ startWatching();
+ return;
+
+ case IsWatched:
+ ASSERT(!!m_inferredValue);
+ if (value == m_inferredValue.get())
+ return;
+ invalidate();
+ return;
+
+ case IsInvalidated:
+ ASSERT(!m_inferredValue);
+ return;
+ }
+
+ ASSERT_NOT_REACHED();
+}
+
+} // namespace JSC
+
+#endif // VariableWatchpointSetInlines_h
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -36,6 +36,7 @@
</span><span class="cx"> #include "DFGCapabilities.h"
</span><span class="cx"> #include "DFGJITCode.h"
</span><span class="cx"> #include "GetByIdStatus.h"
</span><ins>+#include "Heap.h"
</ins><span class="cx"> #include "JSActivation.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "PreciseJumpTargets.h"
</span><span class="lines">@@ -720,8 +721,10 @@
</span><span class="cx"> Node* cellConstant(JSCell* cell)
</span><span class="cx"> {
</span><span class="cx"> HashMap<JSCell*, Node*>::AddResult result = m_cellConstantNodes.add(cell, nullptr);
</span><del>- if (result.isNewEntry)
</del><ins>+ if (result.isNewEntry) {
+ ASSERT(!Heap::isZombified(cell));
</ins><span class="cx"> result.iterator->value = addToGraph(WeakJSConstant, OpInfo(cell));
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> return result.iterator->value;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1018,12 +1018,13 @@
</span><span class="cx"> return static_cast<char*>(exec->codeBlock()->stringSwitchJumpTable(tableIndex).ctiForValue(string->value(exec).impl()).executableAddress());
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT_OPERATION operationInvalidate(ExecState* exec, VariableWatchpointSet* set)
</del><ins>+void JIT_OPERATION operationNotifyWrite(ExecState* exec, VariableWatchpointSet* set, EncodedJSValue encodedValue)
</ins><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><ins>+ JSValue value = JSValue::decode(encodedValue);
</ins><span class="cx">
</span><del>- set->invalidate();
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> double JIT_OPERATION operationFModOnInts(int32_t a, int32_t b)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.h (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.h 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -124,7 +124,7 @@
</span><span class="cx"> JSCell* JIT_OPERATION operationMakeRope3(ExecState*, JSString*, JSString*, JSString*);
</span><span class="cx"> char* JIT_OPERATION operationFindSwitchImmTargetForDouble(ExecState*, EncodedJSValue, size_t tableIndex);
</span><span class="cx"> char* JIT_OPERATION operationSwitchString(ExecState*, size_t tableIndex, JSString*);
</span><del>-void JIT_OPERATION operationInvalidate(ExecState*, VariableWatchpointSet*);
</del><ins>+void JIT_OPERATION operationNotifyWrite(ExecState*, VariableWatchpointSet*, EncodedJSValue);
</ins><span class="cx">
</span><span class="cx"> #if ENABLE(FTL_JIT)
</span><span class="cx"> // FIXME: Make calls work well. Currently they're a pure regression.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1144,12 +1144,6 @@
</span><span class="cx"> return appendCallWithExceptionCheck(operation);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JITCompiler::Call callOperation(V_JITOperation_EVws operation, VariableWatchpointSet* watchpointSet)
- {
- m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet));
- return appendCall(operation);
- }
-
</del><span class="cx"> JITCompiler::Call callOperationWithCallFrameRollbackOnException(V_JITOperation_ECb operation, void* pointer)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(TrustedImmPtr(pointer));
</span><span class="lines">@@ -1439,6 +1433,12 @@
</span><span class="cx"> return appendCallWithExceptionCheck(operation);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ JITCompiler::Call callOperation(V_JITOperation_EVwsJ operation, VariableWatchpointSet* watchpointSet, GPRReg arg)
+ {
+ m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet), arg);
+ return appendCall(operation);
+ }
+
</ins><span class="cx"> JITCompiler::Call callOperation(D_JITOperation_EJ operation, FPRReg result, GPRReg arg1)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1);
</span><span class="lines">@@ -1704,6 +1704,12 @@
</span><span class="cx"> return appendCallWithExceptionCheck(operation);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ JITCompiler::Call callOperation(V_JITOperation_EVwsJ operation, VariableWatchpointSet* watchpointSet, GPRReg argTag, GPRReg argPayload)
+ {
+ m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet), argPayload, argTag);
+ return appendCall(operation);
+ }
+
</ins><span class="cx"> JITCompiler::Call callOperation(D_JITOperation_EJ operation, FPRReg result, GPRReg arg1Tag, GPRReg arg1Payload)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -3898,45 +3898,19 @@
</span><span class="cx">
</span><span class="cx"> m_jit.load8(set->addressOfState(), tempGPR);
</span><span class="cx">
</span><del>- JITCompiler::JumpList ready;
-
- ready.append(m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated)));
-
- if (set->state() == ClearWatchpoint) {
- JITCompiler::Jump isWatched =
- m_jit.branch32(JITCompiler::NotEqual, tempGPR, TrustedImm32(ClearWatchpoint));
-
- m_jit.store32(valueTagGPR, &set->addressOfInferredValue()->u.asBits.tag);
- m_jit.store32(valuePayloadGPR, &set->addressOfInferredValue()->u.asBits.payload);
- m_jit.store8(TrustedImm32(IsWatched), set->addressOfState());
- ready.append(m_jit.jump());
-
- isWatched.link(&m_jit);
- }
-
- JITCompiler::Jump definitelyNotEqual = m_jit.branch32(
</del><ins>+ JITCompiler::Jump isDone = m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated));
+ JITCompiler::JumpList notifySlow;
+ notifySlow.append(m_jit.branch32(
</ins><span class="cx"> JITCompiler::NotEqual,
</span><del>- JITCompiler::AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.payload),
- valuePayloadGPR);
- ready.append(m_jit.branch32(
- JITCompiler::Equal,
- JITCompiler::AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.tag),
</del><ins>+ JITCompiler::AbsoluteAddress(set->addressOfInferredValue()->payloadPointer()),
+ valuePayloadGPR));
+ notifySlow.append(m_jit.branch32(
+ JITCompiler::NotEqual,
+ JITCompiler::AbsoluteAddress(set->addressOfInferredValue()->tagPointer()),
</ins><span class="cx"> valueTagGPR));
</span><del>- definitelyNotEqual.link(&m_jit);
-
- JITCompiler::Jump slowCase = m_jit.branchTest8(
- JITCompiler::NonZero, JITCompiler::AbsoluteAddress(set->addressOfSetIsNotEmpty()));
- m_jit.store8(TrustedImm32(IsInvalidated), set->addressOfState());
- m_jit.store32(
- TrustedImm32(JSValue::EmptyValueTag),
- &set->addressOfInferredValue()->u.asBits.tag);
- m_jit.store32(
- TrustedImm32(0), &set->addressOfInferredValue()->u.asBits.payload);
-
- ready.link(&m_jit);
-
</del><span class="cx"> addSlowPathGenerator(
</span><del>- slowPathCall(slowCase, this, operationInvalidate, NoResult, set));
</del><ins>+ slowPathCall(notifySlow, this, operationNotifyWrite, NoResult, set, valueTagGPR, valuePayloadGPR));
+ isDone.link(&m_jit);
</ins><span class="cx">
</span><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -3962,36 +3962,15 @@
</span><span class="cx">
</span><span class="cx"> m_jit.load8(set->addressOfState(), tempGPR);
</span><span class="cx">
</span><del>- JITCompiler::JumpList ready;
</del><ins>+ JITCompiler::Jump isDone =
+ m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated));
+ JITCompiler::Jump slowCase = m_jit.branch64(JITCompiler::NotEqual,
+ JITCompiler::AbsoluteAddress(set->addressOfInferredValue()), valueGPR);
+ isDone.link(&m_jit);
</ins><span class="cx">
</span><del>- ready.append(m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated)));
-
- if (set->state() == ClearWatchpoint) {
- JITCompiler::Jump isWatched =
- m_jit.branch32(JITCompiler::NotEqual, tempGPR, TrustedImm32(ClearWatchpoint));
-
- m_jit.store64(valueGPR, set->addressOfInferredValue());
- m_jit.store8(TrustedImm32(IsWatched), set->addressOfState());
- ready.append(m_jit.jump());
-
- isWatched.link(&m_jit);
- }
-
- ready.append(m_jit.branch64(
- JITCompiler::Equal,
- JITCompiler::AbsoluteAddress(set->addressOfInferredValue()), valueGPR));
-
- JITCompiler::Jump slowCase = m_jit.branchTest8(
- JITCompiler::NonZero, JITCompiler::AbsoluteAddress(set->addressOfSetIsNotEmpty()));
- m_jit.store8(TrustedImm32(IsInvalidated), set->addressOfState());
- m_jit.move(TrustedImm64(JSValue::encode(JSValue())), tempGPR);
- m_jit.store64(tempGPR, set->addressOfInferredValue());
-
- ready.link(&m_jit);
-
</del><span class="cx"> addSlowPathGenerator(
</span><del>- slowPathCall(slowCase, this, operationInvalidate, NoResult, set));
-
</del><ins>+ slowPathCall(slowCase, this, operationNotifyWrite, NoResult, set, valueGPR));
+
</ins><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLIntrinsicRepositoryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -87,7 +87,7 @@
</span><span class="cx"> macro(V_JITOperation_EOZJ, functionType(voidType, intPtr, intPtr, int32, int64)) \
</span><span class="cx"> macro(V_JITOperation_EC, functionType(voidType, intPtr, intPtr)) \
</span><span class="cx"> macro(V_JITOperation_ECb, functionType(voidType, intPtr, intPtr)) \
</span><del>- macro(V_JITOperation_EVws, functionType(voidType, intPtr, intPtr)) \
</del><ins>+ macro(V_JITOperation_EVwsJ, functionType(voidType, intPtr, intPtr, int64)) \
</ins><span class="cx"> macro(Z_JITOperation_D, functionType(int32, doubleType))
</span><span class="cx">
</span><span class="cx"> class IntrinsicRepository : public CommonValues {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -3286,11 +3286,7 @@
</span><span class="cx"> LValue value = lowJSValue(m_node->child1());
</span><span class="cx">
</span><span class="cx"> LBasicBlock isNotInvalidated = FTL_NEW_BLOCK(m_out, ("NotifyWrite not invalidated case"));
</span><del>- LBasicBlock isClear = FTL_NEW_BLOCK(m_out, ("NotifyWrite clear case"));
- LBasicBlock isWatched = FTL_NEW_BLOCK(m_out, ("NotifyWrite watched case"));
- LBasicBlock invalidate = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate case"));
- LBasicBlock invalidateFast = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate fast case"));
- LBasicBlock invalidateSlow = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate slow case"));
</del><ins>+ LBasicBlock notifySlow = FTL_NEW_BLOCK(m_out, ("NotifyWrite notify slow case"));
</ins><span class="cx"> LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("NotifyWrite continuation"));
</span><span class="cx">
</span><span class="cx"> LValue state = m_out.load8(m_out.absolute(set->addressOfState()));
</span><span class="lines">@@ -3299,46 +3295,17 @@
</span><span class="cx"> m_out.equal(state, m_out.constInt8(IsInvalidated)),
</span><span class="cx"> usually(continuation), rarely(isNotInvalidated));
</span><span class="cx">
</span><del>- LBasicBlock lastNext = m_out.appendTo(isNotInvalidated, isClear);
</del><ins>+ LBasicBlock lastNext = m_out.appendTo(isNotInvalidated, notifySlow);
</ins><span class="cx">
</span><del>- LValue isClearValue;
- if (set->state() == ClearWatchpoint)
- isClearValue = m_out.equal(state, m_out.constInt8(ClearWatchpoint));
- else
- isClearValue = m_out.booleanFalse;
- m_out.branch(isClearValue, unsure(isClear), unsure(isWatched));
-
- m_out.appendTo(isClear, isWatched);
-
- m_out.store64(value, m_out.absolute(set->addressOfInferredValue()));
- m_out.store8(m_out.constInt8(IsWatched), m_out.absolute(set->addressOfState()));
- m_out.jump(continuation);
-
- m_out.appendTo(isWatched, invalidate);
-
</del><span class="cx"> m_out.branch(
</span><span class="cx"> m_out.equal(value, m_out.load64(m_out.absolute(set->addressOfInferredValue()))),
</span><del>- unsure(continuation), unsure(invalidate));
-
- m_out.appendTo(invalidate, invalidateFast);
-
- m_out.branch(
- m_out.notZero8(m_out.load8(m_out.absolute(set->addressOfSetIsNotEmpty()))),
- rarely(invalidateSlow), usually(invalidateFast));
-
- m_out.appendTo(invalidateFast, invalidateSlow);
-
- m_out.store64(
- m_out.constInt64(JSValue::encode(JSValue())),
- m_out.absolute(set->addressOfInferredValue()));
- m_out.store8(m_out.constInt8(IsInvalidated), m_out.absolute(set->addressOfState()));
</del><ins>+ unsure(continuation), unsure(notifySlow));
+
+ m_out.appendTo(notifySlow, continuation);
+
+ vmCall(m_out.operation(operationNotifyWrite), m_callFrame, m_out.constIntPtr(set), value);
</ins><span class="cx"> m_out.jump(continuation);
</span><span class="cx">
</span><del>- m_out.appendTo(invalidateSlow, continuation);
-
- vmCall(m_out.operation(operationInvalidate), m_callFrame, m_out.constIntPtr(set));
- m_out.jump(continuation);
-
</del><span class="cx"> m_out.appendTo(continuation, lastNext);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/heap/Heap.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1333,7 +1333,7 @@
</span><span class="cx">
</span><span class="cx"> void* limit = static_cast<void*>(reinterpret_cast<char*>(cell) + MarkedBlock::blockFor(cell)->cellSize());
</span><span class="cx"> for (; current < limit; current++)
</span><del>- *current = reinterpret_cast<void*>(0xbbadbeef);
</del><ins>+ *current = zombifiedBits;
</ins><span class="cx"> }
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.h (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.h 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/heap/Heap.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><span class="cx"> * Copyright (C) 2001 Peter Kelly (pmk@post.com)
</span><del>- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003-2009, 2013-2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -73,6 +73,8 @@
</span><span class="cx"> class Worklist;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+static void* const zombifiedBits = reinterpret_cast<void*>(0xdeadbeef);
+
</ins><span class="cx"> typedef std::pair<JSValue, WTF::String> ValueStringPair;
</span><span class="cx"> typedef HashCountedSet<JSCell*> ProtectCountSet;
</span><span class="cx"> typedef HashCountedSet<const char*> TypeCountSet;
</span><span class="lines">@@ -219,6 +221,8 @@
</span><span class="cx">
</span><span class="cx"> void removeCodeBlock(CodeBlock* cb) { m_codeBlocks.remove(cb); }
</span><span class="cx">
</span><ins>+ static bool isZombified(JSCell* cell) { return *(void**)cell == zombifiedBits; }
+
</ins><span class="cx"> private:
</span><span class="cx"> friend class CodeBlock;
</span><span class="cx"> friend class CopiedBlock;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1202,7 +1202,10 @@
</span><span class="cx"> VariableWatchpointSet* set = currentInstruction[3].u.watchpointSet;
</span><span class="cx"> if (!set || set->state() == IsInvalidated)
</span><span class="cx"> return;
</span><ins>+#if USE(JSVALUE32_64)
</ins><span class="cx"> linkSlowCase(iter);
</span><ins>+#endif
+ linkSlowCase(iter);
</ins><span class="cx"> JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_captured_mov);
</span><span class="cx"> slowPathCall.call();
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.h (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.h 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -164,7 +164,7 @@
</span><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_EPc)(ExecState*, Instruction*);
</span><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_EPZJ)(ExecState*, void*, int32_t, EncodedJSValue);
</span><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_ESsiJJI)(ExecState*, StructureStubInfo*, EncodedJSValue, EncodedJSValue, StringImpl*);
</span><del>-typedef void JIT_OPERATION (*V_JITOperation_EVws)(ExecState*, VariableWatchpointSet*);
</del><ins>+typedef void JIT_OPERATION (*V_JITOperation_EVwsJ)(ExecState*, VariableWatchpointSet*, EncodedJSValue);
</ins><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_EZ)(ExecState*, int32_t);
</span><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_EVm)(ExecState*, VM*);
</span><span class="cx"> typedef char* JIT_OPERATION (*P_JITOperation_E)(ExecState*);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -779,28 +779,9 @@
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> load8(set->addressOfState(), scratch);
</span><del>-
- JumpList ready;
-
- ready.append(branch32(Equal, scratch, TrustedImm32(IsInvalidated)));
-
- if (set->state() == ClearWatchpoint) {
- Jump isWatched = branch32(NotEqual, scratch, TrustedImm32(ClearWatchpoint));
-
- store64(value, set->addressOfInferredValue());
- store8(TrustedImm32(IsWatched), set->addressOfState());
- ready.append(jump());
-
- isWatched.link(this);
- }
-
- ready.append(branch64(Equal, AbsoluteAddress(set->addressOfInferredValue()), value));
- addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
- store8(TrustedImm32(IsInvalidated), set->addressOfState());
- move(TrustedImm64(JSValue::encode(JSValue())), scratch);
- store64(scratch, set->addressOfInferredValue());
-
- ready.link(this);
</del><ins>+ Jump isDone = branch32(Equal, scratch, TrustedImm32(IsInvalidated));
+ addSlowCase(branch64(NotEqual, AbsoluteAddress(set->addressOfInferredValue()), value));
+ isDone.link(this);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::emitPutGlobalVar(uintptr_t operand, int value, VariableWatchpointSet* set)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -812,34 +812,15 @@
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> load8(set->addressOfState(), scratch);
</span><del>-
- JumpList ready;
-
- ready.append(branch32(Equal, scratch, TrustedImm32(IsInvalidated)));
-
- if (set->state() == ClearWatchpoint) {
- Jump isWatched = branch32(NotEqual, scratch, TrustedImm32(ClearWatchpoint));
-
- store32(tag, &set->addressOfInferredValue()->u.asBits.tag);
- store32(payload, &set->addressOfInferredValue()->u.asBits.payload);
- store8(TrustedImm32(IsWatched), set->addressOfState());
- ready.append(jump());
-
- isWatched.link(this);
- }
</del><ins>+ Jump isDone = branch32(Equal, scratch, TrustedImm32(IsInvalidated));
</ins><span class="cx">
</span><del>- Jump definitelyNotEqual = branch32(
- NotEqual, AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.payload), payload);
- ready.append(branch32(
- Equal, AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.tag), tag));
- definitelyNotEqual.link(this);
- addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
- store8(TrustedImm32(IsInvalidated), set->addressOfState());
- store32(
- TrustedImm32(JSValue::EmptyValueTag), &set->addressOfInferredValue()->u.asBits.tag);
- store32(TrustedImm32(0), &set->addressOfInferredValue()->u.asBits.payload);
-
- ready.link(this);
</del><ins>+ JumpList notifySlow = branch32(
+ NotEqual, AbsoluteAddress(set->addressOfInferredValue()->payloadPointer()), payload);
+ notifySlow.append(branch32(
+ NotEqual, AbsoluteAddress(set->addressOfInferredValue()->tagPointer()), tag));
+ addSlowCase(notifySlow);
+
+ isDone.link(this);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::emitPutGlobalVar(uintptr_t operand, int value, VariableWatchpointSet* set)
</span><span class="lines">@@ -900,7 +881,7 @@
</span><span class="cx"> linkCount++;
</span><span class="cx"> if ((resolveType == GlobalVar || resolveType == GlobalVarWithVarInjectionChecks)
</span><span class="cx"> && currentInstruction[5].u.watchpointSet->state() != IsInvalidated)
</span><del>- linkCount++;
</del><ins>+ linkCount += 2;
</ins><span class="cx"> if (!linkCount)
</span><span class="cx"> return;
</span><span class="cx"> while (linkCount--)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -796,21 +796,8 @@
</span><span class="cx"> macro notifyWrite(set, valueTag, valuePayload, scratch, slow)
</span><span class="cx"> loadb VariableWatchpointSet::m_state[set], scratch
</span><span class="cx"> bieq scratch, IsInvalidated, .done
</span><del>- bineq scratch, ClearWatchpoint, .overwrite
- storei valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set]
- storei valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set]
- storeb IsWatched, VariableWatchpointSet::m_state[set]
- jmp .done
-
-.overwrite:
- bineq valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set], .definitelyDifferent
- bieq valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set], .done
-.definitelyDifferent:
- btbnz VariableWatchpointSet::m_setIsNotEmpty[set], slow
- storei EmptyValueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set]
- storei 0, VariableWatchpointSet::m_inferredValue + PayloadOffset[set]
- storeb IsInvalidated, VariableWatchpointSet::m_state[set]
-
</del><ins>+ bineq valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set], slow
+ bineq valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set], slow
</ins><span class="cx"> .done:
</span><span class="cx"> end
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -656,18 +656,8 @@
</span><span class="cx"> macro notifyWrite(set, value, scratch, slow)
</span><span class="cx"> loadb VariableWatchpointSet::m_state[set], scratch
</span><span class="cx"> bieq scratch, IsInvalidated, .done
</span><del>- bineq scratch, ClearWatchpoint, .overwrite
- storeq value, VariableWatchpointSet::m_inferredValue[set]
- storeb IsWatched, VariableWatchpointSet::m_state[set]
- jmp .done
-
-.overwrite:
- bqeq value, VariableWatchpointSet::m_inferredValue[set], .done
- btbnz VariableWatchpointSet::m_setIsNotEmpty[set], slow
- storeq 0, VariableWatchpointSet::m_inferredValue[set]
- storeb IsInvalidated, VariableWatchpointSet::m_state[set]
-
-.done:
</del><ins>+ bqneq value, VariableWatchpointSet::m_inferredValue[set], slow
+.done:
</ins><span class="cx"> end
</span><span class="cx">
</span><span class="cx"> _llint_op_captured_mov:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -53,6 +53,7 @@
</span><span class="cx"> #include "ObjectConstructor.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "StructureRareDataInlines.h"
</span><ins>+#include "VariableWatchpointSetInlines.h"
</ins><span class="cx"> #include <wtf/StringPrintStream.h>
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="lines">@@ -262,7 +263,7 @@
</span><span class="cx"> BEGIN();
</span><span class="cx"> JSValue value = OP_C(2).jsValue();
</span><span class="cx"> if (VariableWatchpointSet* set = pc[3].u.watchpointSet)
</span><del>- set->notifyWrite(value);
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> RETURN(value);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -273,7 +274,7 @@
</span><span class="cx"> ASSERT(codeBlock->codeType() != FunctionCode || !codeBlock->needsActivation() || exec->hasActivation());
</span><span class="cx"> JSValue value = JSFunction::create(vm, codeBlock->functionDecl(pc[2].u.operand), exec->scope());
</span><span class="cx"> if (VariableWatchpointSet* set = pc[3].u.watchpointSet)
</span><del>- set->notifyWrite(value);
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> RETURN(value);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCJSValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCJSValue.h (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCJSValue.h 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/runtime/JSCJSValue.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -333,7 +333,7 @@
</span><span class="cx"> *
</span><span class="cx"> * This range of NaN space is represented by 64-bit numbers begining with the 16-bit
</span><span class="cx"> * hex patterns 0xFFFE and 0xFFFF - we rely on the fact that no valid double-precision
</span><del>- * numbers will begin fall in these ranges.
</del><ins>+ * numbers will fall in these ranges.
</ins><span class="cx"> *
</span><span class="cx"> * The top 16-bits denote the type of the encoded JSValue:
</span><span class="cx"> *
</span><span class="lines">@@ -347,7 +347,7 @@
</span><span class="cx"> * 64-bit integer addition of the value 2^48 to the number. After this manipulation
</span><span class="cx"> * no encoded double-precision value will begin with the pattern 0x0000 or 0xFFFF.
</span><span class="cx"> * Values must be decoded by reversing this operation before subsequent floating point
</span><del>- * operations my be peformed.
</del><ins>+ * operations may be peformed.
</ins><span class="cx"> *
</span><span class="cx"> * 32-bit signed integers are marked with the 16-bit tag 0xFFFF.
</span><span class="cx"> *
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2007, 2008, 2009 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2007, 2008, 2009, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2008 Cameron Zwarich (cwzwarich@uwaterloo.ca)
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="lines">@@ -115,6 +115,7 @@
</span><span class="cx"> #include "StrictEvalActivation.h"
</span><span class="cx"> #include "StringConstructor.h"
</span><span class="cx"> #include "StringPrototype.h"
</span><ins>+#include "VariableWatchpointSetInlines.h"
</ins><span class="cx"> #include "WeakMapConstructor.h"
</span><span class="cx"> #include "WeakMapPrototype.h"
</span><span class="cx">
</span><span class="lines">@@ -242,7 +243,7 @@
</span><span class="cx"> int index = symbolTable()->size(locker);
</span><span class="cx"> SymbolTableEntry newEntry(index, (constantMode == IsConstant) ? ReadOnly : 0);
</span><span class="cx"> if (constantMode == IsVariable)
</span><del>- newEntry.prepareToWatch();
</del><ins>+ newEntry.prepareToWatch(symbolTable());
</ins><span class="cx"> SymbolTable::Map::AddResult result = symbolTable()->add(locker, ident.impl(), newEntry);
</span><span class="cx"> if (result.isNewEntry)
</span><span class="cx"> addRegisters(1);
</span><span class="lines">@@ -256,11 +257,12 @@
</span><span class="cx">
</span><span class="cx"> void JSGlobalObject::addFunction(ExecState* exec, const Identifier& propertyName, JSValue value)
</span><span class="cx"> {
</span><del>- removeDirect(exec->vm(), propertyName); // Newly declared functions overwrite existing properties.
</del><ins>+ VM& vm = exec->vm();
+ removeDirect(vm, propertyName); // Newly declared functions overwrite existing properties.
</ins><span class="cx"> NewGlobalVar var = addGlobalVar(propertyName, IsVariable);
</span><span class="cx"> registerAt(var.registerNumber).set(exec->vm(), this, value);
</span><span class="cx"> if (var.set)
</span><del>- var.set->notifyWrite(value);
</del><ins>+ var.set->notifyWrite(vm, value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static inline JSObject* lastInPrototypeChain(JSObject* object)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSymbolTableObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> #include "JSScope.h"
</span><span class="cx"> #include "PropertyDescriptor.h"
</span><span class="cx"> #include "SymbolTable.h"
</span><ins>+#include "VariableWatchpointSetInlines.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="lines">@@ -138,7 +139,7 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx"> if (VariableWatchpointSet* set = iter->value.watchpointSet())
</span><del>- set->notifyWrite(value);
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> reg = &object->registerAt(fastEntry.getIndex());
</span><span class="cx"> }
</span><span class="cx"> // I'd prefer we not hold lock while executing barriers, since I prefer to reserve
</span><span class="lines">@@ -165,7 +166,7 @@
</span><span class="cx"> SymbolTableEntry& entry = iter->value;
</span><span class="cx"> ASSERT(!entry.isNull());
</span><span class="cx"> if (VariableWatchpointSet* set = entry.watchpointSet())
</span><del>- set->notifyWrite(value);
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> entry.setAttributes(attributes);
</span><span class="cx"> reg = &object->registerAt(entry.getIndex());
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSymbolTablecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> #include "JSDestructibleObject.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "SlotVisitorInlines.h"
</span><ins>+#include "VariableWatchpointSetInlines.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="lines">@@ -65,12 +66,12 @@
</span><span class="cx"> return fatEntry()->m_watchpoints->inferredValue();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void SymbolTableEntry::prepareToWatch()
</del><ins>+void SymbolTableEntry::prepareToWatch(SymbolTable* symbolTable)
</ins><span class="cx"> {
</span><span class="cx"> FatEntry* entry = inflate();
</span><span class="cx"> if (entry->m_watchpoints)
</span><span class="cx"> return;
</span><del>- entry->m_watchpoints = adoptRef(new VariableWatchpointSet());
</del><ins>+ entry->m_watchpoints = adoptRef(new VariableWatchpointSet(*symbolTable));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void SymbolTableEntry::addWatchpoint(Watchpoint* watchpoint)
</span><span class="lines">@@ -78,13 +79,13 @@
</span><span class="cx"> fatEntry()->m_watchpoints->add(watchpoint);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void SymbolTableEntry::notifyWriteSlow(JSValue value)
</del><ins>+void SymbolTableEntry::notifyWriteSlow(VM& vm, JSValue value)
</ins><span class="cx"> {
</span><span class="cx"> VariableWatchpointSet* watchpoints = fatEntry()->m_watchpoints.get();
</span><span class="cx"> if (!watchpoints)
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- watchpoints->notifyWrite(value);
</del><ins>+ watchpoints->notifyWrite(vm, value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> SymbolTableEntry::FatEntry* SymbolTableEntry::inflateSlow()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSymbolTableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SymbolTable.h (168442 => 168443)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SymbolTable.h 2014-05-07 21:59:51 UTC (rev 168442)
+++ trunk/Source/JavaScriptCore/runtime/SymbolTable.h 2014-05-07 22:00:10 UTC (rev 168443)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2007, 2008, 2012, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2007, 2008, 2012-2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -218,7 +218,7 @@
</span><span class="cx">
</span><span class="cx"> JSValue inferredValue();
</span><span class="cx">
</span><del>- void prepareToWatch();
</del><ins>+ void prepareToWatch(SymbolTable*);
</ins><span class="cx">
</span><span class="cx"> void addWatchpoint(Watchpoint*);
</span><span class="cx">
</span><span class="lines">@@ -229,11 +229,11 @@
</span><span class="cx"> return fatEntry()->m_watchpoints.get();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- ALWAYS_INLINE void notifyWrite(JSValue value)
</del><ins>+ ALWAYS_INLINE void notifyWrite(VM& vm, JSValue value)
</ins><span class="cx"> {
</span><span class="cx"> if (LIKELY(!isFat()))
</span><span class="cx"> return;
</span><del>- notifyWriteSlow(value);
</del><ins>+ notifyWriteSlow(vm, value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> private:
</span><span class="lines">@@ -257,7 +257,7 @@
</span><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> SymbolTableEntry& copySlow(const SymbolTableEntry&);
</span><del>- JS_EXPORT_PRIVATE void notifyWriteSlow(JSValue);
</del><ins>+ JS_EXPORT_PRIVATE void notifyWriteSlow(VM&, JSValue);
</ins><span class="cx">
</span><span class="cx"> bool isFat() const
</span><span class="cx"> {
</span></span></pre>
</div>
</div>
</body>
</html>