<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[168756] branches/safari-538.34-branch/Source/JavaScriptCore</title>
</head>
<body>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/168756">168756</a></dd>
<dt>Author</dt> <dd>lforschler@apple.com</dd>
<dt>Date</dt> <dd>2014-05-13 16:56:32 -0700 (Tue, 13 May 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merged <a href="http://trac.webkit.org/projects/webkit/changeset/168443">r168443</a>. </pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreChangeLog">branches/safari-538.34-branch/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">branches/safari-538.34-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCorebytecodeCodeBlockcpp">branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCorebytecodeVariableWatchpointSeth">branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/VariableWatchpointSet.h</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoredfgDFGByteCodeParsercpp">branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoredfgDFGOperationscpp">branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoredfgDFGOperationsh">branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGOperations.h</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoredfgDFGSpeculativeJITh">branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreftlFTLIntrinsicRepositoryh">branches/safari-538.34-branch/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">branches/safari-538.34-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreheapHeapcpp">branches/safari-538.34-branch/Source/JavaScriptCore/heap/Heap.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreheapHeaph">branches/safari-538.34-branch/Source/JavaScriptCore/heap/Heap.h</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCorejitJITOpcodescpp">branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCorejitJITOperationsh">branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCorejitJITPropertyAccesscpp">branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCorejitJITPropertyAccess32_64cpp">branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCorellintLowLevelInterpreter32_64asm">branches/safari-538.34-branch/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCorellintLowLevelInterpreter64asm">branches/safari-538.34-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreruntimeCommonSlowPathscpp">branches/safari-538.34-branch/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreruntimeJSCJSValueh">branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSCJSValue.h</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreruntimeJSGlobalObjectcpp">branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreruntimeJSSymbolTableObjecth">branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSSymbolTableObject.h</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreruntimeSymbolTablecpp">branches/safari-538.34-branch/Source/JavaScriptCore/runtime/SymbolTable.cpp</a></li>
<li><a href="#branchessafari53834branchSourceJavaScriptCoreruntimeSymbolTableh">branches/safari-538.34-branch/Source/JavaScriptCore/runtime/SymbolTable.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#branchessafari53834branchSourceJavaScriptCorebytecodeVariableWatchpointSetInlinesh">branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/VariableWatchpointSetInlines.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari53834branchSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/ChangeLog (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/ChangeLog        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/ChangeLog        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1,3 +1,122 @@
</span><ins>+2014-05-13 Lucas Forschler <lforschler@apple.com>
+
+ Merge r168443
+
+ 2014-05-07 Mark Lam <mark.lam@apple.com>
+
+ REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
+ <https://webkit.org/b/131356>
+
+ Reviewed by Geoffrey Garen.
+
+ The issue is that GC needs to be made aware of writes to m_inferredValue
+ in the VariableWatchpointSet, but was not. As a result, if a JSCell*
+ is written to a VariableWatchpointSet m_inferredValue, and that JSCell
+ does not survive an eden GC shortly after, we will end up with a stale
+ JSCell pointer left in the m_inferredValue.
+
+ This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
+ using DumpRenderTree with the VM heap in zombie mode.
+
+ The fix is to change VariableWatchpointSet m_inferredValue to type
+ WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
+ is executed by all the execution engines so that the WriteBarrier semantics
+ are honored.
+
+ We still check if the value to be written is the same as the one in the
+ inferredValue. We'll by-pass calling the slow path notifyWrite() if the
+ values are the same.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ - need to pass the symbolTable to prepareToWatch() because it will be needed
+ for instantiating the VariableWatchpointSet in prepareToWatch().
+
+ * bytecode/VariableWatchpointSet.h:
+ (JSC::VariableWatchpointSet::VariableWatchpointSet):
+ - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
+ write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
+ (JSC::VariableWatchpointSet::inferredValue):
+ (JSC::VariableWatchpointSet::invalidate):
+ (JSC::VariableWatchpointSet::finalizeUnconditionally):
+ (JSC::VariableWatchpointSet::addressOfInferredValue):
+ (JSC::VariableWatchpointSet::notifyWrite): Deleted.
+ * bytecode/VariableWatchpointSetInlines.h: Added.
+ (JSC::VariableWatchpointSet::notifyWrite):
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::cellConstant):
+ - Added an assert in case we try to make constants of zombified JSCells again.
+
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ - We now let the slow path handle the cases when the VariableWatchpointSet is
+ in state ClearWatchpoint and IsWatched, and the slow path will ensure that
+ we handle the needed write barrier semantics correctly.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
+ - Let the slow path handle the cases when the VariableWatchpointSet is
+ in state ClearWatchpoint and IsWatched.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * heap/Heap.cpp:
+ (JSC::Zombify::operator()):
+ - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
+ which is used everywhere else).
+ * heap/Heap.h:
+ (JSC::Heap::isZombified):
+ - Provide a convenience test function to check if JSCells are zombified. This is
+ currently only used in an assertion in the DFG bytecode parser, but the intent
+ it that we'll apply this test in other strategic places later to help with early
+ detection of usage of GC'ed objects when we run in zombie mode.
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emitSlow_op_captured_mov):
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitNotifyWrite):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitNotifyWrite):
+ (JSC::JIT::emitSlow_op_put_to_scope):
+ - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
+ is in state ClearWatchpoint and IsWatched.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
+ is in state ClearWatchpoint and IsWatched.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * runtime/CommonSlowPaths.cpp:
+
+ * runtime/JSCJSValue.h: Fixed some typos in the comments.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::addGlobalVar):
+ (JSC::JSGlobalObject::addFunction):
+ * runtime/JSSymbolTableObject.h:
+ (JSC::symbolTablePut):
+ (JSC::symbolTablePutWithAttributes):
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTableEntry::prepareToWatch):
+ (JSC::SymbolTableEntry::notifyWriteSlow):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTableEntry::notifyWrite):
+
</ins><span class="cx"> 2014-04-17 Lucas Forschler <lforschler@apple.com>
</span><span class="cx">
</span><span class="cx"> Merge r168565
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1708,6 +1708,7 @@
</span><span class="cx">                 FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */ = {isa = PBXBuildFile; fileRef = FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 FE4A331F15BD2E07006F54F3 /* VMInspector.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE4A331D15BD2E07006F54F3 /* VMInspector.cpp */; };
</span><span class="cx">                 FE4A332015BD2E07006F54F3 /* VMInspector.h in Headers */ = {isa = PBXBuildFile; fileRef = FE4A331E15BD2E07006F54F3 /* VMInspector.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+                FE5248F9191442D900B7FDE4 /* VariableWatchpointSetInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = FE5248F8191442D900B7FDE4 /* VariableWatchpointSetInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 FE5932A7183C5A2600A1ECCC /* VMEntryScope.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */; };
</span><span class="cx">                 FE5932A8183C5A2600A1ECCC /* VMEntryScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FE5932A6183C5A2600A1ECCC /* VMEntryScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 FEA08620182B7A0400F6D851 /* Breakpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = FEA0861E182B7A0400F6D851 /* Breakpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -3333,6 +3334,7 @@
</span><span class="cx">                 FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntCLoop.h; path = llint/LLIntCLoop.h; sourceTree = "<group>"; };
</span><span class="cx">                 FE4A331D15BD2E07006F54F3 /* VMInspector.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VMInspector.cpp; sourceTree = "<group>"; };
</span><span class="cx">                 FE4A331E15BD2E07006F54F3 /* VMInspector.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VMInspector.h; sourceTree = "<group>"; };
</span><ins>+                FE5248F8191442D900B7FDE4 /* VariableWatchpointSetInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VariableWatchpointSetInlines.h; sourceTree = "<group>"; };
</ins><span class="cx">                 FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VMEntryScope.cpp; sourceTree = "<group>"; };
</span><span class="cx">                 FE5932A6183C5A2600A1ECCC /* VMEntryScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VMEntryScope.h; sourceTree = "<group>"; };
</span><span class="cx">                 FEA0861E182B7A0400F6D851 /* Breakpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Breakpoint.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -5029,6 +5031,7 @@
</span><span class="cx">                                 0F24E55717F74EDB00ABB217 /* ValueRecovery.cpp */,
</span><span class="cx">                                 0F426A451460CBAB00131F8F /* ValueRecovery.h */,
</span><span class="cx">                                 0F9181C618415CA50057B669 /* VariableWatchpointSet.h */,
</span><ins>+                                FE5248F8191442D900B7FDE4 /* VariableWatchpointSetInlines.h */,
</ins><span class="cx">                                 0F426A461460CBAB00131F8F /* VirtualRegister.h */,
</span><span class="cx">                                 0F919D2215853CDE004A4E7D /* Watchpoint.cpp */,
</span><span class="cx">                                 0F919D2315853CDE004A4E7D /* Watchpoint.h */,
</span><span class="lines">@@ -5491,6 +5494,7 @@
</span><span class="cx">                                 86D3B2C410156BDE002865E7 /* ARMAssembler.h in Headers */,
</span><span class="cx">                                 A584032018BFFBE1005A0811 /* InspectorAgent.h in Headers */,
</span><span class="cx">                                 2AABCDE718EF294200002096 /* GCLogging.h in Headers */,
</span><ins>+                                FE5248F9191442D900B7FDE4 /* VariableWatchpointSetInlines.h in Headers */,
</ins><span class="cx">                                 C2DA778318E259990066FCB6 /* HeapInlines.h in Headers */,
</span><span class="cx">                                 2AACE63D18CA5A0300ED0191 /* GCActivityCallback.h in Headers */,
</span><span class="cx">                                 2A83638618D7D0EE0000EBCC /* EdenGCActivityCallback.h in Headers */,
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/CodeBlock.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/CodeBlock.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/CodeBlock.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1793,7 +1793,7 @@
</span><span class="cx"> ConcurrentJITLocker locker(m_symbolTable->m_lock);
</span><span class="cx"> SymbolTable::Map::iterator iter = m_symbolTable->find(locker, uid);
</span><span class="cx"> ASSERT(iter != m_symbolTable->end(locker));
</span><del>- iter->value.prepareToWatch();
</del><ins>+ iter->value.prepareToWatch(symbolTable());
</ins><span class="cx"> instructions[i + 3].u.watchpointSet = iter->value.watchpointSet();
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCorebytecodeVariableWatchpointSeth"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/VariableWatchpointSet.h (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/VariableWatchpointSet.h        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/VariableWatchpointSet.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012-2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -31,11 +31,14 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><ins>+class SymbolTable;
+
</ins><span class="cx"> class VariableWatchpointSet : public WatchpointSet {
</span><span class="cx"> friend class LLIntOffsetsExtractor;
</span><span class="cx"> public:
</span><del>- VariableWatchpointSet()
</del><ins>+ VariableWatchpointSet(SymbolTable& symbolTable)
</ins><span class="cx"> : WatchpointSet(ClearWatchpoint)
</span><ins>+ , m_symbolTable(symbolTable)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -52,35 +55,13 @@
</span><span class="cx"> // IsInvalidated: in this case the variable's value may be anything but you'll
</span><span class="cx"> // either notice that it's invalidated and not install the watchpoint, or
</span><span class="cx"> // you will have been notified that the watchpoint was fired.
</span><del>- JSValue inferredValue() const { return m_inferredValue; }
</del><ins>+ JSValue inferredValue() const { return m_inferredValue.get(); }
</ins><span class="cx">
</span><del>- void notifyWrite(JSValue value)
- {
- ASSERT(!!value);
- switch (state()) {
- case ClearWatchpoint:
- m_inferredValue = value;
- startWatching();
- return;
-
- case IsWatched:
- ASSERT(!!m_inferredValue);
- if (value == m_inferredValue)
- return;
- invalidate();
- return;
-
- case IsInvalidated:
- ASSERT(!m_inferredValue);
- return;
- }
-
- ASSERT_NOT_REACHED();
- }
</del><ins>+ inline void notifyWrite(VM&, JSValue);
</ins><span class="cx">
</span><span class="cx"> void invalidate()
</span><span class="cx"> {
</span><del>- m_inferredValue = JSValue();
</del><ins>+ m_inferredValue.clear();
</ins><span class="cx"> WatchpointSet::invalidate();
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -89,18 +70,20 @@
</span><span class="cx"> ASSERT(!!m_inferredValue == (state() == IsWatched));
</span><span class="cx"> if (!m_inferredValue)
</span><span class="cx"> return;
</span><del>- if (!m_inferredValue.isCell())
</del><ins>+ JSValue inferredValue = m_inferredValue.get();
+ if (!inferredValue.isCell())
</ins><span class="cx"> return;
</span><del>- JSCell* cell = m_inferredValue.asCell();
</del><ins>+ JSCell* cell = inferredValue.asCell();
</ins><span class="cx"> if (Heap::isMarked(cell))
</span><span class="cx"> return;
</span><span class="cx"> invalidate();
</span><span class="cx"> }
</span><del>-
- JSValue* addressOfInferredValue() { return &m_inferredValue; }
</del><span class="cx">
</span><ins>+ WriteBarrier<Unknown>* addressOfInferredValue() { return &m_inferredValue; }
+
</ins><span class="cx"> private:
</span><del>- JSValue m_inferredValue;
</del><ins>+ SymbolTable& m_symbolTable;
+ WriteBarrier<Unknown> m_inferredValue;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
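Review bot: The new `SymbolTable& m_symbolTable` member in the last hunk is a plain reference to the write-barrier owner, and nothing visible in this header keeps that SymbolTable alive for as long as the set exists. CodeBlock.cpp in this same commit stores the set pointer into an instruction stream, so if a set can outlive its table (not determinable from this section), a later `notifyWrite()` would hand a dangling owner to `m_inferredValue.set()`. A comment on the member stating the contract would help, e.g. `// Owner for the m_inferredValue write barrier; the SymbolTable must outlive this set.` The single-argument constructor should also be declared `explicit VariableWatchpointSet(SymbolTable& symbolTable)` so a SymbolTable cannot convert implicitly. The class body spans several hunks, and the lines between them are not shown.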
<a id="branchessafari53834branchSourceJavaScriptCorebytecodeVariableWatchpointSetInlineshfromrev168443trunkSourceJavaScriptCorebytecodeVariableWatchpointSetInlinesh"></a>
<div class="copfile"><h4>Copied: branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/VariableWatchpointSetInlines.h (from rev 168443, trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSetInlines.h) (0 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/VariableWatchpointSetInlines.h         (rev 0)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/bytecode/VariableWatchpointSetInlines.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -0,0 +1,60 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef VariableWatchpointSetInlines_h
+#define VariableWatchpointSetInlines_h
+
+#include "SymbolTable.h"
+#include "VariableWatchpointSet.h"
+
+namespace JSC {
+
+inline void VariableWatchpointSet::notifyWrite(VM& vm, JSValue value)
+{
+ ASSERT(!!value);
+ switch (state()) {
+ case ClearWatchpoint:
+ m_inferredValue.set(vm, &m_symbolTable, value);
+ startWatching();
+ return;
+
+ case IsWatched:
+ ASSERT(!!m_inferredValue);
+ if (value == m_inferredValue.get())
+ return;
+ invalidate();
+ return;
+
+ case IsInvalidated:
+ ASSERT(!m_inferredValue);
+ return;
+ }
+
+ ASSERT_NOT_REACHED();
+}
+
+} // namespace JSC
+
+#endif // VariableWatchpointSetInlines_h
</ins></span></pre></div>
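Review bot: `VariableWatchpointSet::notifyWrite` has no comment recording the invariant this fix relies on: within the class as shown, it is the only member that stores a non-empty value into `m_inferredValue`, and it does so through the barrier. I would add above the definition `// Sole writer of a non-empty m_inferredValue; the store goes through WriteBarrier with the owning SymbolTable so the GC is told about it.` A second line should say that code holding `addressOfInferredValue()` may compare against the slot but must never store to it, since such a store would bypass the barrier. That matters because the header still exposes the slot as a raw `WriteBarrier<Unknown>*`.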
<a id="branchessafari53834branchSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -36,6 +36,7 @@
</span><span class="cx"> #include "DFGCapabilities.h"
</span><span class="cx"> #include "DFGJITCode.h"
</span><span class="cx"> #include "GetByIdStatus.h"
</span><ins>+#include "Heap.h"
</ins><span class="cx"> #include "JSActivation.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "PreciseJumpTargets.h"
</span><span class="lines">@@ -720,8 +721,10 @@
</span><span class="cx"> Node* cellConstant(JSCell* cell)
</span><span class="cx"> {
</span><span class="cx"> HashMap<JSCell*, Node*>::AddResult result = m_cellConstantNodes.add(cell, nullptr);
</span><del>- if (result.isNewEntry)
</del><ins>+ if (result.isNewEntry) {
+ ASSERT(!Heap::isZombified(cell));
</ins><span class="cx"> result.iterator->value = addToGraph(WeakJSConstant, OpInfo(cell));
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> return result.iterator->value;
</span><span class="cx"> }
</span></span></pre></div>
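Review bot: The added `ASSERT(!Heap::isZombified(cell));` in `cellConstant` runs only inside the `if (result.isNewEntry)` branch, so a cell already cached in `m_cellConstantNodes` is never re-checked on later lookups. Hoisting the assertion to the first line of the function, before the `m_cellConstantNodes.add(cell, nullptr)` call, covers both paths and costs nothing in release builds. Whether a cached cell can actually die during a parse is not visible from this hunk, so treat this as hardening of the diagnostic rather than a known miss.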
<a id="branchessafari53834branchSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1018,12 +1018,13 @@
</span><span class="cx"> return static_cast<char*>(exec->codeBlock()->stringSwitchJumpTable(tableIndex).ctiForValue(string->value(exec).impl()).executableAddress());
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT_OPERATION operationInvalidate(ExecState* exec, VariableWatchpointSet* set)
</del><ins>+void JIT_OPERATION operationNotifyWrite(ExecState* exec, VariableWatchpointSet* set, EncodedJSValue encodedValue)
</ins><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><ins>+ JSValue value = JSValue::decode(encodedValue);
</ins><span class="cx">
</span><del>- set->invalidate();
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> double JIT_OPERATION operationFModOnInts(int32_t a, int32_t b)
</span></span></pre></div>
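Review bot: `operationNotifyWrite` forwards whatever the JIT passed in `encodedValue` straight to `set->notifyWrite(vm, value)`, and the only check on it is the debug-only `ASSERT(!!value)` inside `notifyWrite` (VariableWatchpointSetInlines.h in this commit). In a release build an empty value reaching a set in the `ClearWatchpoint` state would be stored and the set marked as watched, which breaks the `!!m_inferredValue == (state() == IsWatched)` invariant asserted in VariableWatchpointSet.h. If every emitting tier guarantees a non-empty value, state that above the function, e.g. `// Slow path for NotifyWrite; callers must pass a non-empty JSValue.`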
<a id="branchessafari53834branchSourceJavaScriptCoredfgDFGOperationsh"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGOperations.h (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGOperations.h        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGOperations.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -124,7 +124,7 @@
</span><span class="cx"> JSCell* JIT_OPERATION operationMakeRope3(ExecState*, JSString*, JSString*, JSString*);
</span><span class="cx"> char* JIT_OPERATION operationFindSwitchImmTargetForDouble(ExecState*, EncodedJSValue, size_t tableIndex);
</span><span class="cx"> char* JIT_OPERATION operationSwitchString(ExecState*, size_t tableIndex, JSString*);
</span><del>-void JIT_OPERATION operationInvalidate(ExecState*, VariableWatchpointSet*);
</del><ins>+void JIT_OPERATION operationNotifyWrite(ExecState*, VariableWatchpointSet*, EncodedJSValue);
</ins><span class="cx">
</span><span class="cx"> #if ENABLE(FTL_JIT)
</span><span class="cx"> // FIXME: Make calls work well. Currently they're a pure regression.
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1144,12 +1144,6 @@
</span><span class="cx"> return appendCallWithExceptionCheck(operation);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JITCompiler::Call callOperation(V_JITOperation_EVws operation, VariableWatchpointSet* watchpointSet)
- {
- m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet));
- return appendCall(operation);
- }
-
</del><span class="cx"> JITCompiler::Call callOperationWithCallFrameRollbackOnException(V_JITOperation_ECb operation, void* pointer)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(TrustedImmPtr(pointer));
</span><span class="lines">@@ -1439,6 +1433,12 @@
</span><span class="cx"> return appendCallWithExceptionCheck(operation);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ JITCompiler::Call callOperation(V_JITOperation_EVwsJ operation, VariableWatchpointSet* watchpointSet, GPRReg arg)
+ {
+ m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet), arg);
+ return appendCall(operation);
+ }
+
</ins><span class="cx"> JITCompiler::Call callOperation(D_JITOperation_EJ operation, FPRReg result, GPRReg arg1)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1);
</span><span class="lines">@@ -1704,6 +1704,12 @@
</span><span class="cx"> return appendCallWithExceptionCheck(operation);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ JITCompiler::Call callOperation(V_JITOperation_EVwsJ operation, VariableWatchpointSet* watchpointSet, GPRReg argTag, GPRReg argPayload)
+ {
+ m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet), argPayload, argTag);
+ return appendCall(operation);
+ }
+
</ins><span class="cx"> JITCompiler::Call callOperation(D_JITOperation_EJ operation, FPRReg result, GPRReg arg1Tag, GPRReg arg1Payload)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag);
</span></span></pre></div>
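Review bot: The 32-bit `callOperation(V_JITOperation_EVwsJ, ...)` overload added in the last hunk passes `argPayload, argTag` with no `EABI_32BIT_DUMMY_ARG`, while the `D_JITOperation_EJ` overload directly below it uses one, and nothing explains the difference. Presumably no padding is needed because two pointer-sized arguments (the ExecState and the watchpoint set) precede the 64-bit value, so it already starts on an even argument slot. That should be written down, e.g. `// No EABI_32BIT_DUMMY_ARG: ExecState* and the set fill two slots, so the EncodedJSValue is already pair-aligned.` Both new overloads also use `appendCall` rather than `appendCallWithExceptionCheck`, which is only right if `operationNotifyWrite` can never throw; a one-line comment saying so would help. The enclosing class starts and ends outside the hunks.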
<a id="branchessafari53834branchSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -3898,45 +3898,19 @@
</span><span class="cx">
</span><span class="cx"> m_jit.load8(set->addressOfState(), tempGPR);
</span><span class="cx">
</span><del>- JITCompiler::JumpList ready;
-
- ready.append(m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated)));
-
- if (set->state() == ClearWatchpoint) {
- JITCompiler::Jump isWatched =
- m_jit.branch32(JITCompiler::NotEqual, tempGPR, TrustedImm32(ClearWatchpoint));
-
- m_jit.store32(valueTagGPR, &set->addressOfInferredValue()->u.asBits.tag);
- m_jit.store32(valuePayloadGPR, &set->addressOfInferredValue()->u.asBits.payload);
- m_jit.store8(TrustedImm32(IsWatched), set->addressOfState());
- ready.append(m_jit.jump());
-
- isWatched.link(&m_jit);
- }
-
- JITCompiler::Jump definitelyNotEqual = m_jit.branch32(
</del><ins>+ JITCompiler::Jump isDone = m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated));
+ JITCompiler::JumpList notifySlow;
+ notifySlow.append(m_jit.branch32(
</ins><span class="cx"> JITCompiler::NotEqual,
</span><del>- JITCompiler::AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.payload),
- valuePayloadGPR);
- ready.append(m_jit.branch32(
- JITCompiler::Equal,
- JITCompiler::AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.tag),
</del><ins>+ JITCompiler::AbsoluteAddress(set->addressOfInferredValue()->payloadPointer()),
+ valuePayloadGPR));
+ notifySlow.append(m_jit.branch32(
+ JITCompiler::NotEqual,
+ JITCompiler::AbsoluteAddress(set->addressOfInferredValue()->tagPointer()),
</ins><span class="cx"> valueTagGPR));
</span><del>- definitelyNotEqual.link(&m_jit);
-
- JITCompiler::Jump slowCase = m_jit.branchTest8(
- JITCompiler::NonZero, JITCompiler::AbsoluteAddress(set->addressOfSetIsNotEmpty()));
- m_jit.store8(TrustedImm32(IsInvalidated), set->addressOfState());
- m_jit.store32(
- TrustedImm32(JSValue::EmptyValueTag),
- &set->addressOfInferredValue()->u.asBits.tag);
- m_jit.store32(
- TrustedImm32(0), &set->addressOfInferredValue()->u.asBits.payload);
-
- ready.link(&m_jit);
-
</del><span class="cx"> addSlowPathGenerator(
</span><del>- slowPathCall(slowCase, this, operationInvalidate, NoResult, set));
</del><ins>+ slowPathCall(notifySlow, this, operationNotifyWrite, NoResult, set, valueTagGPR, valuePayloadGPR));
+ isDone.link(&m_jit);
</ins><span class="cx">
</span><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span></span></pre></div>
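Review bot: The inline fast path in this hunk no longer stores to the watchpoint set at all, so the first write to a set still in the clear state reaches `operationNotifyWrite` only because the tag/payload compare against the inferred value fails. That depends on an invariant the hunk does not show: the inferred value of a clear set must never compare equal to a value being written. If it did, the set would stay clear and the write would go unrecorded, which matters because optimized code is compiled against the inferred value. I would state the invariant next to the compare, e.g. `// A clear set holds the empty JSValue, which never equals a written value, so the first write always takes the slow path.` (wording to be confirmed against VariableWatchpointSet). The same applies to the DFGSpeculativeJIT64.cpp, FTLLowerDFGToLLVM.cpp, JITPropertyAccess.cpp, JITPropertyAccess32_64.cpp and both LowLevelInterpreter .asm hunks; the enclosing case starts outside this hunk.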
<a id="branchessafari53834branchSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -3962,36 +3962,15 @@
</span><span class="cx">
</span><span class="cx"> m_jit.load8(set->addressOfState(), tempGPR);
</span><span class="cx">
</span><del>- JITCompiler::JumpList ready;
</del><ins>+ JITCompiler::Jump isDone =
+ m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated));
+ JITCompiler::Jump slowCase = m_jit.branch64(JITCompiler::NotEqual,
+ JITCompiler::AbsoluteAddress(set->addressOfInferredValue()), valueGPR);
+ isDone.link(&m_jit);
</ins><span class="cx">
</span><del>- ready.append(m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated)));
-
- if (set->state() == ClearWatchpoint) {
- JITCompiler::Jump isWatched =
- m_jit.branch32(JITCompiler::NotEqual, tempGPR, TrustedImm32(ClearWatchpoint));
-
- m_jit.store64(valueGPR, set->addressOfInferredValue());
- m_jit.store8(TrustedImm32(IsWatched), set->addressOfState());
- ready.append(m_jit.jump());
-
- isWatched.link(&m_jit);
- }
-
- ready.append(m_jit.branch64(
- JITCompiler::Equal,
- JITCompiler::AbsoluteAddress(set->addressOfInferredValue()), valueGPR));
-
- JITCompiler::Jump slowCase = m_jit.branchTest8(
- JITCompiler::NonZero, JITCompiler::AbsoluteAddress(set->addressOfSetIsNotEmpty()));
- m_jit.store8(TrustedImm32(IsInvalidated), set->addressOfState());
- m_jit.move(TrustedImm64(JSValue::encode(JSValue())), tempGPR);
- m_jit.store64(tempGPR, set->addressOfInferredValue());
-
- ready.link(&m_jit);
-
</del><span class="cx"> addSlowPathGenerator(
</span><del>- slowPathCall(slowCase, this, operationInvalidate, NoResult, set));
-
</del><ins>+ slowPathCall(slowCase, this, operationNotifyWrite, NoResult, set, valueGPR));
+
</ins><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreftlFTLIntrinsicRepositoryh"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -87,7 +87,7 @@
</span><span class="cx"> macro(V_JITOperation_EOZJ, functionType(voidType, intPtr, intPtr, int32, int64)) \
</span><span class="cx"> macro(V_JITOperation_EC, functionType(voidType, intPtr, intPtr)) \
</span><span class="cx"> macro(V_JITOperation_ECb, functionType(voidType, intPtr, intPtr)) \
</span><del>- macro(V_JITOperation_EVws, functionType(voidType, intPtr, intPtr)) \
</del><ins>+ macro(V_JITOperation_EVwsJ, functionType(voidType, intPtr, intPtr, int64)) \
</ins><span class="cx"> macro(Z_JITOperation_D, functionType(int32, doubleType))
</span><span class="cx">
</span><span class="cx"> class IntrinsicRepository : public CommonValues {
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -3286,11 +3286,7 @@
</span><span class="cx"> LValue value = lowJSValue(m_node->child1());
</span><span class="cx">
</span><span class="cx"> LBasicBlock isNotInvalidated = FTL_NEW_BLOCK(m_out, ("NotifyWrite not invalidated case"));
</span><del>- LBasicBlock isClear = FTL_NEW_BLOCK(m_out, ("NotifyWrite clear case"));
- LBasicBlock isWatched = FTL_NEW_BLOCK(m_out, ("NotifyWrite watched case"));
- LBasicBlock invalidate = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate case"));
- LBasicBlock invalidateFast = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate fast case"));
- LBasicBlock invalidateSlow = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate slow case"));
</del><ins>+ LBasicBlock notifySlow = FTL_NEW_BLOCK(m_out, ("NotifyWrite notify slow case"));
</ins><span class="cx"> LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("NotifyWrite continuation"));
</span><span class="cx">
</span><span class="cx"> LValue state = m_out.load8(m_out.absolute(set->addressOfState()));
</span><span class="lines">@@ -3299,46 +3295,17 @@
</span><span class="cx"> m_out.equal(state, m_out.constInt8(IsInvalidated)),
</span><span class="cx"> usually(continuation), rarely(isNotInvalidated));
</span><span class="cx">
</span><del>- LBasicBlock lastNext = m_out.appendTo(isNotInvalidated, isClear);
</del><ins>+ LBasicBlock lastNext = m_out.appendTo(isNotInvalidated, notifySlow);
</ins><span class="cx">
</span><del>- LValue isClearValue;
- if (set->state() == ClearWatchpoint)
- isClearValue = m_out.equal(state, m_out.constInt8(ClearWatchpoint));
- else
- isClearValue = m_out.booleanFalse;
- m_out.branch(isClearValue, unsure(isClear), unsure(isWatched));
-
- m_out.appendTo(isClear, isWatched);
-
- m_out.store64(value, m_out.absolute(set->addressOfInferredValue()));
- m_out.store8(m_out.constInt8(IsWatched), m_out.absolute(set->addressOfState()));
- m_out.jump(continuation);
-
- m_out.appendTo(isWatched, invalidate);
-
</del><span class="cx"> m_out.branch(
</span><span class="cx"> m_out.equal(value, m_out.load64(m_out.absolute(set->addressOfInferredValue()))),
</span><del>- unsure(continuation), unsure(invalidate));
-
- m_out.appendTo(invalidate, invalidateFast);
-
- m_out.branch(
- m_out.notZero8(m_out.load8(m_out.absolute(set->addressOfSetIsNotEmpty()))),
- rarely(invalidateSlow), usually(invalidateFast));
-
- m_out.appendTo(invalidateFast, invalidateSlow);
-
- m_out.store64(
- m_out.constInt64(JSValue::encode(JSValue())),
- m_out.absolute(set->addressOfInferredValue()));
- m_out.store8(m_out.constInt8(IsInvalidated), m_out.absolute(set->addressOfState()));
</del><ins>+ unsure(continuation), unsure(notifySlow));
+
+ m_out.appendTo(notifySlow, continuation);
+
+ vmCall(m_out.operation(operationNotifyWrite), m_callFrame, m_out.constIntPtr(set), value);
</ins><span class="cx"> m_out.jump(continuation);
</span><span class="cx">
</span><del>- m_out.appendTo(invalidateSlow, continuation);
-
- vmCall(m_out.operation(operationInvalidate), m_callFrame, m_out.constIntPtr(set));
- m_out.jump(continuation);
-
</del><span class="cx"> m_out.appendTo(continuation, lastNext);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreheapHeapcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/heap/Heap.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/heap/Heap.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/heap/Heap.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1333,7 +1333,7 @@
</span><span class="cx">
</span><span class="cx"> void* limit = static_cast<void*>(reinterpret_cast<char*>(cell) + MarkedBlock::blockFor(cell)->cellSize());
</span><span class="cx"> for (; current < limit; current++)
</span><del>- *current = reinterpret_cast<void*>(0xbbadbeef);
</del><ins>+ *current = zombifiedBits;
</ins><span class="cx"> }
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreheapHeaph"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/heap/Heap.h (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/heap/Heap.h        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/heap/Heap.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><span class="cx"> * Copyright (C) 2001 Peter Kelly (pmk@post.com)
</span><del>- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003-2009, 2013-2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -73,6 +73,8 @@
</span><span class="cx"> class Worklist;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+static void* const zombifiedBits = reinterpret_cast<void*>(0xdeadbeef);
+
</ins><span class="cx"> typedef std::pair<JSValue, WTF::String> ValueStringPair;
</span><span class="cx"> typedef HashCountedSet<JSCell*> ProtectCountSet;
</span><span class="cx"> typedef HashCountedSet<const char*> TypeCountSet;
</span><span class="lines">@@ -219,6 +221,8 @@
</span><span class="cx">
</span><span class="cx"> void removeCodeBlock(CodeBlock* cb) { m_codeBlocks.remove(cb); }
</span><span class="cx">
</span><ins>+ static bool isZombified(JSCell* cell) { return *(void**)cell == zombifiedBits; }
+
</ins><span class="cx"> private:
</span><span class="cx"> friend class CodeBlock;
</span><span class="cx"> friend class CopiedBlock;
</span></span></pre></div>
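Review bot: `isZombified` reads the first pointer-sized word of `cell` through a C-style cast with no null check, and its result only means something if the cell's storage was actually overwritten with `zombifiedBits`. Going by the Heap.cpp hunk, that overwrite happens only in the zombify pass. I would document that on the declaration, e.g. `// Diagnostic only: true if the cell's first word holds the zombie fill pattern; cell must be non-null.`, and write the cast as `*reinterpret_cast<void**>(cell)` to match the `reinterpret_cast` used for `zombifiedBits`. The fill pattern also changed from 0xbbadbeef to 0xdeadbeef, so any crash-triage tooling or tests keyed on the old pattern need updating; none is visible in these hunks.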
<a id="branchessafari53834branchSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITOpcodes.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITOpcodes.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITOpcodes.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1202,7 +1202,10 @@
</span><span class="cx"> VariableWatchpointSet* set = currentInstruction[3].u.watchpointSet;
</span><span class="cx"> if (!set || set->state() == IsInvalidated)
</span><span class="cx"> return;
</span><ins>+#if USE(JSVALUE32_64)
</ins><span class="cx"> linkSlowCase(iter);
</span><ins>+#endif
+ linkSlowCase(iter);
</ins><span class="cx"> JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_captured_mov);
</span><span class="cx"> slowPathCall.call();
</span><span class="cx"> }
</span></span></pre></div>
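Review bot: The number of `linkSlowCase(iter)` calls here is silently coupled to how many slow cases the baseline notify-write emitter registers (see the JITPropertyAccess*.cpp hunks of this commit). That is two, the payload and tag compares, under JSVALUE32_64 and one otherwise, and nothing at this site says so. A mismatch would bind slow-path jumps to the wrong place, so I would add `// One linkSlowCase per slow case the notify-write fast path adds: payload + tag on JSVALUE32_64, a single 64-bit compare otherwise.` above the `#if`. The `linkCount += 2` change in JITPropertyAccess32_64.cpp has the same hidden dependency and deserves the same comment. The enclosing function starts outside the hunk.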
<a id="branchessafari53834branchSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITOperations.h (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITOperations.h        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITOperations.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -164,7 +164,7 @@
</span><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_EPc)(ExecState*, Instruction*);
</span><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_EPZJ)(ExecState*, void*, int32_t, EncodedJSValue);
</span><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_ESsiJJI)(ExecState*, StructureStubInfo*, EncodedJSValue, EncodedJSValue, StringImpl*);
</span><del>-typedef void JIT_OPERATION (*V_JITOperation_EVws)(ExecState*, VariableWatchpointSet*);
</del><ins>+typedef void JIT_OPERATION (*V_JITOperation_EVwsJ)(ExecState*, VariableWatchpointSet*, EncodedJSValue);
</ins><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_EZ)(ExecState*, int32_t);
</span><span class="cx"> typedef void JIT_OPERATION (*V_JITOperation_EVm)(ExecState*, VM*);
</span><span class="cx"> typedef char* JIT_OPERATION (*P_JITOperation_E)(ExecState*);
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITPropertyAccess.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITPropertyAccess.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -779,28 +779,9 @@
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> load8(set->addressOfState(), scratch);
</span><del>-
- JumpList ready;
-
- ready.append(branch32(Equal, scratch, TrustedImm32(IsInvalidated)));
-
- if (set->state() == ClearWatchpoint) {
- Jump isWatched = branch32(NotEqual, scratch, TrustedImm32(ClearWatchpoint));
-
- store64(value, set->addressOfInferredValue());
- store8(TrustedImm32(IsWatched), set->addressOfState());
- ready.append(jump());
-
- isWatched.link(this);
- }
-
- ready.append(branch64(Equal, AbsoluteAddress(set->addressOfInferredValue()), value));
- addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
- store8(TrustedImm32(IsInvalidated), set->addressOfState());
- move(TrustedImm64(JSValue::encode(JSValue())), scratch);
- store64(scratch, set->addressOfInferredValue());
-
- ready.link(this);
</del><ins>+ Jump isDone = branch32(Equal, scratch, TrustedImm32(IsInvalidated));
+ addSlowCase(branch64(NotEqual, AbsoluteAddress(set->addressOfInferredValue()), value));
+ isDone.link(this);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::emitPutGlobalVar(uintptr_t operand, int value, VariableWatchpointSet* set)
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCorejitJITPropertyAccess32_64cpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -812,34 +812,15 @@
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> load8(set->addressOfState(), scratch);
</span><del>-
- JumpList ready;
-
- ready.append(branch32(Equal, scratch, TrustedImm32(IsInvalidated)));
-
- if (set->state() == ClearWatchpoint) {
- Jump isWatched = branch32(NotEqual, scratch, TrustedImm32(ClearWatchpoint));
-
- store32(tag, &set->addressOfInferredValue()->u.asBits.tag);
- store32(payload, &set->addressOfInferredValue()->u.asBits.payload);
- store8(TrustedImm32(IsWatched), set->addressOfState());
- ready.append(jump());
-
- isWatched.link(this);
- }
</del><ins>+ Jump isDone = branch32(Equal, scratch, TrustedImm32(IsInvalidated));
</ins><span class="cx">
</span><del>- Jump definitelyNotEqual = branch32(
- NotEqual, AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.payload), payload);
- ready.append(branch32(
- Equal, AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.tag), tag));
- definitelyNotEqual.link(this);
- addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
- store8(TrustedImm32(IsInvalidated), set->addressOfState());
- store32(
- TrustedImm32(JSValue::EmptyValueTag), &set->addressOfInferredValue()->u.asBits.tag);
- store32(TrustedImm32(0), &set->addressOfInferredValue()->u.asBits.payload);
-
- ready.link(this);
</del><ins>+ JumpList notifySlow = branch32(
+ NotEqual, AbsoluteAddress(set->addressOfInferredValue()->payloadPointer()), payload);
+ notifySlow.append(branch32(
+ NotEqual, AbsoluteAddress(set->addressOfInferredValue()->tagPointer()), tag));
+ addSlowCase(notifySlow);
+
+ isDone.link(this);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::emitPutGlobalVar(uintptr_t operand, int value, VariableWatchpointSet* set)
</span><span class="lines">@@ -900,7 +881,7 @@
</span><span class="cx"> linkCount++;
</span><span class="cx"> if ((resolveType == GlobalVar || resolveType == GlobalVarWithVarInjectionChecks)
</span><span class="cx"> && currentInstruction[5].u.watchpointSet->state() != IsInvalidated)
</span><del>- linkCount++;
</del><ins>+ linkCount += 2;
</ins><span class="cx"> if (!linkCount)
</span><span class="cx"> return;
</span><span class="cx"> while (linkCount--)
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -796,21 +796,8 @@
</span><span class="cx"> macro notifyWrite(set, valueTag, valuePayload, scratch, slow)
</span><span class="cx"> loadb VariableWatchpointSet::m_state[set], scratch
</span><span class="cx"> bieq scratch, IsInvalidated, .done
</span><del>- bineq scratch, ClearWatchpoint, .overwrite
- storei valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set]
- storei valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set]
- storeb IsWatched, VariableWatchpointSet::m_state[set]
- jmp .done
-
-.overwrite:
- bineq valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set], .definitelyDifferent
- bieq valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set], .done
-.definitelyDifferent:
- btbnz VariableWatchpointSet::m_setIsNotEmpty[set], slow
- storei EmptyValueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set]
- storei 0, VariableWatchpointSet::m_inferredValue + PayloadOffset[set]
- storeb IsInvalidated, VariableWatchpointSet::m_state[set]
-
</del><ins>+ bineq valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set], slow
+ bineq valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set], slow
</ins><span class="cx"> .done:
</span><span class="cx"> end
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -656,18 +656,8 @@
</span><span class="cx"> macro notifyWrite(set, value, scratch, slow)
</span><span class="cx"> loadb VariableWatchpointSet::m_state[set], scratch
</span><span class="cx"> bieq scratch, IsInvalidated, .done
</span><del>- bineq scratch, ClearWatchpoint, .overwrite
- storeq value, VariableWatchpointSet::m_inferredValue[set]
- storeb IsWatched, VariableWatchpointSet::m_state[set]
- jmp .done
-
-.overwrite:
- bqeq value, VariableWatchpointSet::m_inferredValue[set], .done
- btbnz VariableWatchpointSet::m_setIsNotEmpty[set], slow
- storeq 0, VariableWatchpointSet::m_inferredValue[set]
- storeb IsInvalidated, VariableWatchpointSet::m_state[set]
-
-.done:
</del><ins>+ bqneq value, VariableWatchpointSet::m_inferredValue[set], slow
+.done:
</ins><span class="cx"> end
</span><span class="cx">
</span><span class="cx"> _llint_op_captured_mov:
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -53,6 +53,7 @@
</span><span class="cx"> #include "ObjectConstructor.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "StructureRareDataInlines.h"
</span><ins>+#include "VariableWatchpointSetInlines.h"
</ins><span class="cx"> #include <wtf/StringPrintStream.h>
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="lines">@@ -262,7 +263,7 @@
</span><span class="cx"> BEGIN();
</span><span class="cx"> JSValue value = OP_C(2).jsValue();
</span><span class="cx"> if (VariableWatchpointSet* set = pc[3].u.watchpointSet)
</span><del>- set->notifyWrite(value);
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> RETURN(value);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -273,7 +274,7 @@
</span><span class="cx"> ASSERT(codeBlock->codeType() != FunctionCode || !codeBlock->needsActivation() || exec->hasActivation());
</span><span class="cx"> JSValue value = JSFunction::create(vm, codeBlock->functionDecl(pc[2].u.operand), exec->scope());
</span><span class="cx"> if (VariableWatchpointSet* set = pc[3].u.watchpointSet)
</span><del>- set->notifyWrite(value);
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> RETURN(value);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreruntimeJSCJSValueh"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSCJSValue.h (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSCJSValue.h        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSCJSValue.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -333,7 +333,7 @@
</span><span class="cx"> *
</span><span class="cx"> * This range of NaN space is represented by 64-bit numbers begining with the 16-bit
</span><span class="cx"> * hex patterns 0xFFFE and 0xFFFF - we rely on the fact that no valid double-precision
</span><del>- * numbers will begin fall in these ranges.
</del><ins>+ * numbers will fall in these ranges.
</ins><span class="cx"> *
</span><span class="cx"> * The top 16-bits denote the type of the encoded JSValue:
</span><span class="cx"> *
</span><span class="lines">@@ -347,7 +347,7 @@
</span><span class="cx"> * 64-bit integer addition of the value 2^48 to the number. After this manipulation
</span><span class="cx"> * no encoded double-precision value will begin with the pattern 0x0000 or 0xFFFF.
</span><span class="cx"> * Values must be decoded by reversing this operation before subsequent floating point
</span><del>- * operations my be peformed.
</del><ins>+ * operations may be peformed.
</ins><span class="cx"> *
</span><span class="cx"> * 32-bit signed integers are marked with the 16-bit tag 0xFFFF.
</span><span class="cx"> *
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2007, 2008, 2009 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2007, 2008, 2009, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2008 Cameron Zwarich (cwzwarich@uwaterloo.ca)
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="lines">@@ -115,6 +115,7 @@
</span><span class="cx"> #include "StrictEvalActivation.h"
</span><span class="cx"> #include "StringConstructor.h"
</span><span class="cx"> #include "StringPrototype.h"
</span><ins>+#include "VariableWatchpointSetInlines.h"
</ins><span class="cx"> #include "WeakMapConstructor.h"
</span><span class="cx"> #include "WeakMapPrototype.h"
</span><span class="cx">
</span><span class="lines">@@ -242,7 +243,7 @@
</span><span class="cx"> int index = symbolTable()->size(locker);
</span><span class="cx"> SymbolTableEntry newEntry(index, (constantMode == IsConstant) ? ReadOnly : 0);
</span><span class="cx"> if (constantMode == IsVariable)
</span><del>- newEntry.prepareToWatch();
</del><ins>+ newEntry.prepareToWatch(symbolTable());
</ins><span class="cx"> SymbolTable::Map::AddResult result = symbolTable()->add(locker, ident.impl(), newEntry);
</span><span class="cx"> if (result.isNewEntry)
</span><span class="cx"> addRegisters(1);
</span><span class="lines">@@ -256,11 +257,12 @@
</span><span class="cx">
</span><span class="cx"> void JSGlobalObject::addFunction(ExecState* exec, const Identifier& propertyName, JSValue value)
</span><span class="cx"> {
</span><del>- removeDirect(exec->vm(), propertyName); // Newly declared functions overwrite existing properties.
</del><ins>+ VM& vm = exec->vm();
+ removeDirect(vm, propertyName); // Newly declared functions overwrite existing properties.
</ins><span class="cx"> NewGlobalVar var = addGlobalVar(propertyName, IsVariable);
</span><span class="cx"> registerAt(var.registerNumber).set(exec->vm(), this, value);
</span><span class="cx"> if (var.set)
</span><del>- var.set->notifyWrite(value);
</del><ins>+ var.set->notifyWrite(vm, value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static inline JSObject* lastInPrototypeChain(JSObject* object)
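Review bot: In `addFunction` the new local `vm` is used for `removeDirect` and `notifyWrite`, but the register store between them still calls `exec->vm()`. Using the local there as well keeps a single spelling of the VM in the function: `registerAt(var.registerNumber).set(vm, this, value);`. This is a style point only and does not change behaviour.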
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreruntimeJSSymbolTableObjecth"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSSymbolTableObject.h (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSSymbolTableObject.h        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/runtime/JSSymbolTableObject.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> #include "JSScope.h"
</span><span class="cx"> #include "PropertyDescriptor.h"
</span><span class="cx"> #include "SymbolTable.h"
</span><ins>+#include "VariableWatchpointSetInlines.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="lines">@@ -138,7 +139,7 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx"> if (VariableWatchpointSet* set = iter->value.watchpointSet())
</span><del>- set->notifyWrite(value);
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> reg = &object->registerAt(fastEntry.getIndex());
</span><span class="cx"> }
</span><span class="cx"> // I'd prefer we not hold lock while executing barriers, since I prefer to reserve
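Review bot: `set->notifyWrite(vm, value);` appears to run inside the scope that the trailing comment describes as holding the lock, and that comment says barriers should not execute under it; the same applies to the call in the -165,7 hunk of this file. Now that `notifyWrite` receives the VM, it is worth confirming whether the new implementation performs a write barrier or can otherwise reach the collector. If it does, the call site needs a comment saying why that is acceptable while the lock is held, along the lines of `// notifyWrite() may execute a barrier; it must not trigger GC while the lock is held.` The enclosing function starts and ends outside the hunk, so the lock scope is inferred from the context lines.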
</span><span class="lines">@@ -165,7 +166,7 @@
</span><span class="cx"> SymbolTableEntry& entry = iter->value;
</span><span class="cx"> ASSERT(!entry.isNull());
</span><span class="cx"> if (VariableWatchpointSet* set = entry.watchpointSet())
</span><del>- set->notifyWrite(value);
</del><ins>+ set->notifyWrite(vm, value);
</ins><span class="cx"> entry.setAttributes(attributes);
</span><span class="cx"> reg = &object->registerAt(entry.getIndex());
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreruntimeSymbolTablecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/runtime/SymbolTable.cpp (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/runtime/SymbolTable.cpp        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/runtime/SymbolTable.cpp        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> #include "JSDestructibleObject.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "SlotVisitorInlines.h"
</span><ins>+#include "VariableWatchpointSetInlines.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="lines">@@ -65,12 +66,12 @@
</span><span class="cx"> return fatEntry()->m_watchpoints->inferredValue();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void SymbolTableEntry::prepareToWatch()
</del><ins>+void SymbolTableEntry::prepareToWatch(SymbolTable* symbolTable)
</ins><span class="cx"> {
</span><span class="cx"> FatEntry* entry = inflate();
</span><span class="cx"> if (entry->m_watchpoints)
</span><span class="cx"> return;
</span><del>- entry->m_watchpoints = adoptRef(new VariableWatchpointSet());
</del><ins>+ entry->m_watchpoints = adoptRef(new VariableWatchpointSet(*symbolTable));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void SymbolTableEntry::addWatchpoint(Watchpoint* watchpoint)
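Review bot: `prepareToWatch` accepts a `SymbolTable*` but dereferences it unconditionally in `new VariableWatchpointSet(*symbolTable)`, so a null argument would be undefined behaviour. Either take `SymbolTable&` (the declaration in SymbolTable.h would change with it) or add `ASSERT(symbolTable);` as the first statement. The set is created with `adoptRef` and is therefore ref-counted, so if it keeps the reference it is given, it may be able to outlive the table. A short comment on the constructor call stating what keeps the table alive for the set's lifetime would make that invariant reviewable.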
</span><span class="lines">@@ -78,13 +79,13 @@
</span><span class="cx"> fatEntry()->m_watchpoints->add(watchpoint);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void SymbolTableEntry::notifyWriteSlow(JSValue value)
</del><ins>+void SymbolTableEntry::notifyWriteSlow(VM& vm, JSValue value)
</ins><span class="cx"> {
</span><span class="cx"> VariableWatchpointSet* watchpoints = fatEntry()->m_watchpoints.get();
</span><span class="cx"> if (!watchpoints)
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- watchpoints->notifyWrite(value);
</del><ins>+ watchpoints->notifyWrite(vm, value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> SymbolTableEntry::FatEntry* SymbolTableEntry::inflateSlow()
</span></span></pre></div>
<a id="branchessafari53834branchSourceJavaScriptCoreruntimeSymbolTableh"></a>
<div class="modfile"><h4>Modified: branches/safari-538.34-branch/Source/JavaScriptCore/runtime/SymbolTable.h (168755 => 168756)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-538.34-branch/Source/JavaScriptCore/runtime/SymbolTable.h        2014-05-13 23:47:16 UTC (rev 168755)
+++ branches/safari-538.34-branch/Source/JavaScriptCore/runtime/SymbolTable.h        2014-05-13 23:56:32 UTC (rev 168756)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2007, 2008, 2012, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2007, 2008, 2012-2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -218,7 +218,7 @@
</span><span class="cx">
</span><span class="cx"> JSValue inferredValue();
</span><span class="cx">
</span><del>- void prepareToWatch();
</del><ins>+ void prepareToWatch(SymbolTable*);
</ins><span class="cx">
</span><span class="cx"> void addWatchpoint(Watchpoint*);
</span><span class="cx">
</span><span class="lines">@@ -229,11 +229,11 @@
</span><span class="cx"> return fatEntry()->m_watchpoints.get();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- ALWAYS_INLINE void notifyWrite(JSValue value)
</del><ins>+ ALWAYS_INLINE void notifyWrite(VM& vm, JSValue value)
</ins><span class="cx"> {
</span><span class="cx"> if (LIKELY(!isFat()))
</span><span class="cx"> return;
</span><del>- notifyWriteSlow(value);
</del><ins>+ notifyWriteSlow(vm, value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> private:
</span><span class="lines">@@ -257,7 +257,7 @@
</span><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> SymbolTableEntry& copySlow(const SymbolTableEntry&);
</span><del>- JS_EXPORT_PRIVATE void notifyWriteSlow(JSValue);
</del><ins>+ JS_EXPORT_PRIVATE void notifyWriteSlow(VM&, JSValue);
</ins><span class="cx">
</span><span class="cx"> bool isFat() const
</span><span class="cx"> {
</span></span></pre>
</div>
</div>
</body>
</html>