<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[171613] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/171613">171613</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2014-07-25 13:55:17 -0700 (Fri, 25 Jul 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/169795">r169795</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/169819">r169819</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/169864">r169864</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/169902">r169902</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/169949">r169949</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/169950">r169950</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/170016">r170016</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/170017">r170017</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/170060">r170060</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/170064">r170064</a> from ftlopt.
2014-06-17 Filip Pizlo <fpizlo@apple.com>
Source/JavaScriptCore:
[ftlopt] Fold constant Phis
https://bugs.webkit.org/show_bug.cgi?id=133967
Reviewed by Mark Hahnenberg.
It's surprising but we didn't really do this before. Or, rather, we only did it
incidentally when we would likely crash if it ever happened.
Making this work required cleaning up the validater a bit, so I did that too. I also added
mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
the Phi header of basic blocks). But this required beefing up mayExit() a bit.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::isEmpty):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::run):
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::fixUpsilons):
* dfg/DFGInPlaceAbstractState.h:
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGMayExit.cpp:
(JSC::DFG::mayExit):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::validateSSA):
2014-06-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
https://bugs.webkit.org/show_bug.cgi?id=133985
Reviewed by Michael Saboff and Mark Hahnenberg.
Store elimination phase has never been very profitable, and now that LLVM can do dead
store elimination for us, this phase is just completely pointless.
This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
maintain.
This patch does introduce a new mayExit() calculator that is independent of the CFA and
should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
for assertions in the DFG backend, but we could use it if we ever brought back any of the
other optimizations that previously relied upon NodeDoesNotExit.
This is performance-neutral, except for SunSpider, where it's a speed-up.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::filterEdgeByUse):
(JSC::DFG::AbstractInterpreter::filterByType):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::CSEPhase):
(JSC::DFG::CSEPhase::invalidationPointElimination):
(JSC::DFG::CSEPhase::setLocalStoreElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::performBlockCSE):
(JSC::DFG::performCSE):
(JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
(JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
(JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
(JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
(JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
(JSC::DFG::performStoreElimination): Deleted.
* dfg/DFGCSEPhase.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::resetExitStates): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGMayExit.cpp: Added.
(JSC::DFG::mayExit):
* dfg/DFGMayExit.h: Added.
* dfg/DFGNode.h:
(JSC::DFG::Node::mergeFlags):
(JSC::DFG::Node::filterFlags):
(JSC::DFG::Node::setCanExit): Deleted.
(JSC::DFG::Node::canExit): Deleted.
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
* dfg/DFGNodeType.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
(JSC::DFG::SpeculativeJIT::bail):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2014-06-15 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
https://bugs.webkit.org/show_bug.cgi?id=133931
Reviewed by Oliver Hunt.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
2014-06-15 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
https://bugs.webkit.org/show_bug.cgi?id=133935
Reviewed by Oliver Hunt.
* bytecode/Operands.h:
(JSC::Operands::Operands):
(JSC::Operands::ensureLocals):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::makeFullTop): Completeness.
(JSC::DFG::AbstractValue::bytecodeTop): Completeness.
(JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::BasicBlock):
(JSC::DFG::BasicBlock::ensureLocals):
* dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run): Compute the intersection.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpBlockHeader): Better dumping.
(JSC::DFG::Graph::dump): Better dumping.
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
2014-06-12 Filip Pizlo <fpizlo@apple.com>
[ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
https://bugs.webkit.org/show_bug.cgi?id=133821
Reviewed by Mark Hahnenberg.
This allows us to efficiently cache accesses that differ only in the prototypes on the path
from the base to the prototype that has the field.
It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
data structure.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/ConstantStructureCheck.cpp: Added.
(JSC::ConstantStructureCheck::dumpInContext):
(JSC::ConstantStructureCheck::dump):
(JSC::structureFor):
(JSC::areCompatible):
(JSC::mergeInto):
* bytecode/ConstantStructureCheck.h: Added.
(JSC::ConstantStructureCheck::ConstantStructureCheck):
(JSC::ConstantStructureCheck::operator!):
(JSC::ConstantStructureCheck::constant):
(JSC::ConstantStructureCheck::structure):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::operator=):
(JSC::GetByIdVariant::attemptToMerge):
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::constantChecks):
(JSC::GetByIdVariant::alternateBase):
(JSC::GetByIdVariant::GetByIdVariant): Deleted.
(JSC::GetByIdVariant::chain): Deleted.
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::constantChecks):
(JSC::PutByIdVariant::structureChain): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitChecks):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
(JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
(JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
* dfg/DFGDesiredStructureChains.cpp: Removed.
* dfg/DFGDesiredStructureChains.h: Removed.
* dfg/DFGGraph.h:
(JSC::DFG::Graph::watchpoints):
(JSC::DFG::Graph::chains): Deleted.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::isStillValid):
(JSC::DFG::Plan::checkLivenessAndVisitChildren):
(JSC::DFG::Plan::cancel):
* dfg/DFGPlan.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::gatherChecks):
* runtime/IntendedStructureChain.h:
(JSC::IntendedStructureChain::at):
(JSC::IntendedStructureChain::operator[]):
2014-06-12 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Constant folding and strength reduction should work in SSA
https://bugs.webkit.org/show_bug.cgi?id=133839
Reviewed by Oliver Hunt.
* dfg/DFGAtTailAbstractState.cpp:
(JSC::DFG::AtTailAbstractState::AtTailAbstractState):
(JSC::DFG::AtTailAbstractState::forNode):
* dfg/DFGAtTailAbstractState.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::convertToConstant):
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::LICMPhase):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
2014-06-11 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
https://bugs.webkit.org/show_bug.cgi?id=133751
Reviewed by Mark Hahnenberg.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::appendVariant):
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::attemptToMerge):
* bytecode/GetByIdVariant.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPrototypeChecks):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::IntendedStructureChain):
(JSC::IntendedStructureChain::isStillValid):
(JSC::IntendedStructureChain::isNormalized):
(JSC::IntendedStructureChain::terminalPrototype):
(JSC::IntendedStructureChain::operator==):
(JSC::IntendedStructureChain::visitChildren):
(JSC::IntendedStructureChain::dumpInContext):
(JSC::IntendedStructureChain::chain): Deleted.
* runtime/IntendedStructureChain.h:
(JSC::IntendedStructureChain::prototype):
(JSC::IntendedStructureChain::operator!=):
(JSC::IntendedStructureChain::head): Deleted.
2014-06-11 Matthew Mirman <mmirman@apple.com>
Readded native calling to the FTL and Split the DFG nodes
Call and Construct into NativeCall and NativeConstruct
to better represent their semantics.
https://bugs.webkit.org/show_bug.cgi?id=133660
Reviewed by Filip Pizlo.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
Added NativeCall and NativeConstruct case
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addCall): added NativeCall case.
(JSC::DFG::ByteCodeParser::handleCall):
set to return NativeCall or NativeConstruct instead of Call or Construct
in the presence of a native function.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
(JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
(JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
* dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall): ditto
(JSC::DFG::SpeculativeJIT::compile): ditto
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall): ditto
(JSC::DFG::SpeculativeJIT::compile): ditto
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile): ditto
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower): ditto
(JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
(JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
(JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
* runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
2014-06-11 Matthew Mirman <mmirman@apple.com>
Ensured Native Calls and Construct and associated checks
are only emitted during ftl mode.
https://bugs.webkit.org/show_bug.cgi?id=133718
Reviewed by Filip Pizlo.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode
before attaching the native function to Call or Construct.
2014-06-10 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
https://bugs.webkit.org/show_bug.cgi?id=133426
Reviewed by Geoffrey Garen.
The impetus for this was to provide some sense and reason to race conditions arising from
cell constants having their structure changed on the main thread - this is harmess because
we defend against it, but when it goes wrong, it can be difficult to reproduce because it
requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
about constants. It no longer relies on the CodeBlock constant pool at all, which allows
for a more object-oriented approach: for example a Node that has a constant can tell you
what constant it has without needing a CodeBlock.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeExitSiteData):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
(JSC::exitKindIsCountable):
* bytecode/ExitKind.h:
(JSC::isWatchpoint): Deleted.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::hasExitSite):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::hasExitSite):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::filterByValue):
(JSC::DFG::AbstractInterpreter::setBuiltInConstant):
(JSC::DFG::AbstractInterpreter::setConstant):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::setOSREntryValue):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::filterByValue):
(JSC::DFG::AbstractValue::setMostSpecific): Deleted.
* dfg/DFGAbstractValue.h:
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
(JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
(JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
(JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::ByteCodeParser):
(JSC::DFG::ByteCodeParser::getDirect):
(JSC::DFG::ByteCodeParser::get):
(JSC::DFG::ByteCodeParser::getLocal):
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::jsConstant):
(JSC::DFG::ByteCodeParser::weakJSConstant):
(JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
(JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleMinMax):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::prepareToParseBlock):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
(JSC::DFG::ByteCodeParser::addConstant): Deleted.
(JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
(JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
(JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
(JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
(JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
(JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
(JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
(JSC::DFG::ByteCodeParser::constantNull): Deleted.
(JSC::DFG::ByteCodeParser::one): Deleted.
(JSC::DFG::ByteCodeParser::constantNaN): Deleted.
(JSC::DFG::ByteCodeParser::cellConstant): Deleted.
(JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
(JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::constantCSE):
(JSC::DFG::CSEPhase::checkFunctionElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupMakeRope):
(JSC::DFG::FixupPhase::truncateConstantToInt32):
(JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGFrozenValue.cpp: Added.
(JSC::DFG::FrozenValue::emptySingleton):
(JSC::DFG::FrozenValue::dumpInContext):
(JSC::DFG::FrozenValue::dump):
* dfg/DFGFrozenValue.h: Added.
(JSC::DFG::FrozenValue::FrozenValue):
(JSC::DFG::FrozenValue::operator!):
(JSC::DFG::FrozenValue::value):
(JSC::DFG::FrozenValue::structure):
(JSC::DFG::FrozenValue::strengthenTo):
(JSC::DFG::FrozenValue::strength):
(JSC::DFG::FrozenValue::freeze):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::tryGetActivation):
(JSC::DFG::Graph::tryGetFoldableView):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freezeFragile):
(JSC::DFG::Graph::freeze):
(JSC::DFG::Graph::freezeStrong):
(JSC::DFG::Graph::convertToConstant):
(JSC::DFG::Graph::convertToStrongConstant):
(JSC::DFG::Graph::assertIsWatched):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
(JSC::DFG::Graph::convertToConstant): Deleted.
(JSC::DFG::Graph::constantRegisterForConstant): Deleted.
(JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
(JSC::DFG::Graph::isConstant): Deleted.
(JSC::DFG::Graph::isJSConstant): Deleted.
(JSC::DFG::Graph::isInt32Constant): Deleted.
(JSC::DFG::Graph::isDoubleConstant): Deleted.
(JSC::DFG::Graph::isNumberConstant): Deleted.
(JSC::DFG::Graph::isBooleanConstant): Deleted.
(JSC::DFG::Graph::isCellConstant): Deleted.
(JSC::DFG::Graph::isFunctionConstant): Deleted.
(JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
(JSC::DFG::Graph::valueOfJSConstant): Deleted.
(JSC::DFG::Graph::valueOfInt32Constant): Deleted.
(JSC::DFG::Graph::valueOfNumberConstant): Deleted.
(JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
(JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
(JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertConstant):
(JSC::DFG::InsertionSet::insertConstantForUse):
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::getValue):
(JSC::DFG::LazyJSValue::strictEqual):
(JSC::DFG::LazyJSValue::dumpInContext):
* dfg/DFGLazyJSValue.h:
(JSC::DFG::LazyJSValue::LazyJSValue):
(JSC::DFG::LazyJSValue::tryGetValue):
(JSC::DFG::LazyJSValue::value):
(JSC::DFG::LazyJSValue::switchLookupValue):
* dfg/DFGMinifiedNode.cpp:
(JSC::DFG::MinifiedNode::fromNode):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasConstant):
(JSC::DFG::MinifiedNode::constant):
(JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
(JSC::DFG::MinifiedNode::constantNumber): Deleted.
(JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
(JSC::DFG::MinifiedNode::weakConstant): Deleted.
* dfg/DFGNode.h:
(JSC::DFG::Node::hasConstant):
(JSC::DFG::Node::constant):
(JSC::DFG::Node::convertToConstant):
(JSC::DFG::Node::asJSValue):
(JSC::DFG::Node::isInt32Constant):
(JSC::DFG::Node::asInt32):
(JSC::DFG::Node::asUInt32):
(JSC::DFG::Node::isDoubleConstant):
(JSC::DFG::Node::isNumberConstant):
(JSC::DFG::Node::asNumber):
(JSC::DFG::Node::isMachineIntConstant):
(JSC::DFG::Node::asMachineInt):
(JSC::DFG::Node::isBooleanConstant):
(JSC::DFG::Node::asBoolean):
(JSC::DFG::Node::isCellConstant):
(JSC::DFG::Node::asCell):
(JSC::DFG::Node::dynamicCastConstant):
(JSC::DFG::Node::function):
(JSC::DFG::Node::isWeakConstant): Deleted.
(JSC::DFG::Node::constantNumber): Deleted.
(JSC::DFG::Node::convertToWeakConstant): Deleted.
(JSC::DFG::Node::weakConstant): Deleted.
(JSC::DFG::Node::valueOfJSConstant): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compileIn):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
(JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithMod):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::isConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
(JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
(JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isInteger): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGValueStrength.cpp: Added.
(WTF::printInternal):
* dfg/DFGValueStrength.h: Added.
(JSC::DFG::merge):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
(JSC::DFG::VariableEventStream::reconstruct):
* dfg/DFGVariableEventStream.h:
* dfg/DFGWatchableStructureWatchingPhase.cpp:
(JSC::DFG::WatchableStructureWatchingPhase::run):
(JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
(JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
(JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
(JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
(JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
(JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContext):
(JSC::JSValue::dumpInContextAssumingStructure):
* runtime/JSCJSValue.h:
LayoutTests:
[ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
https://bugs.webkit.org/show_bug.cgi?id=133821
Reviewed by Mark Hahnenberg.
* js/regress/poly-chain-access-different-prototypes-expected.txt: Added.
* js/regress/poly-chain-access-different-prototypes-simple-expected.txt: Added.
* js/regress/poly-chain-access-different-prototypes-simple.html: Added.
* js/regress/poly-chain-access-different-prototypes.html: Added.
* js/regress/script-tests/poly-chain-access-different-prototypes-simple.js: Added.
* js/regress/script-tests/poly-chain-access-different-prototypes.js: Added.
2014-06-11 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
https://bugs.webkit.org/show_bug.cgi?id=133751
Reviewed by Mark Hahnenberg.
* js/regress/poly-chain-access-expected.txt: Added.
* js/regress/poly-chain-access-simpler-expected.txt: Added.
* js/regress/poly-chain-access-simpler.html: Added.
* js/regress/poly-chain-access.html: Added.
* js/regress/script-tests/poly-chain-access-simpler.js: Added.
* js/regress/script-tests/poly-chain-access.js: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj">trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCallLinkStatuscpp">trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeExitKindcpp">trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeExitKindh">trunk/Source/JavaScriptCore/bytecode/ExitKind.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeGetByIdStatuscpp">trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeGetByIdVariantcpp">trunk/Source/JavaScriptCore/bytecode/GetByIdVariant.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeGetByIdVarianth">trunk/Source/JavaScriptCore/bytecode/GetByIdVariant.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeOperandsh">trunk/Source/JavaScriptCore/bytecode/Operands.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePutByIdStatuscpp">trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePutByIdVariantcpp">trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePutByIdVarianth">trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractValuecpp">trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractValueh">trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAdjacencyListh">trunk/Source/JavaScriptCore/dfg/DFGAdjacencyList.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGArgumentsSimplificationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAtTailAbstractStatecpp">trunk/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAtTailAbstractStateh">trunk/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGBackwardsPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGBasicBlockcpp">trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGBasicBlockh">trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCFAPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCFGSimplificationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCSEPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCSEPhaseh">trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCommonh">trunk/Source/JavaScriptCore/dfg/DFGCommon.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphcpp">trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphh">trunk/Source/JavaScriptCore/dfg/DFGGraph.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGInPlaceAbstractStatecpp">trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGInPlaceAbstractStateh">trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGInsertionSeth">trunk/Source/JavaScriptCore/dfg/DFGInsertionSet.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGIntegerCheckCombiningPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilercpp">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilerh">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGLICMPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGLazyJSValuecpp">trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGLazyJSValueh">trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGMinifiedNodecpp">trunk/Source/JavaScriptCore/dfg/DFGMinifiedNode.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGMinifiedNodeh">trunk/Source/JavaScriptCore/dfg/DFGMinifiedNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeFlagscpp">trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeFlagsh">trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompilercpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPlancpp">trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPlanh">trunk/Source/JavaScriptCore/dfg/DFGPlan.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGStrengthReductionPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGValidatecpp">trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGVariableEventStreamcpp">trunk/Source/JavaScriptCore/dfg/DFGVariableEventStream.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGVariableEventStreamh">trunk/Source/JavaScriptCore/dfg/DFGVariableEventStream.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGWatchableStructureWatchingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGWatchpointCollectionPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLinkcpp">trunk/Source/JavaScriptCore/ftl/FTLLink.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp">trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntendedStructureChaincpp">trunk/Source/JavaScriptCore/runtime/IntendedStructureChain.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntendedStructureChainh">trunk/Source/JavaScriptCore/runtime/IntendedStructureChain.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCJSValuecpp">trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCJSValueh">trunk/Source/JavaScriptCore/runtime/JSCJSValue.h</a></li>
<li><a href="#trunkSourceWTFwtfListDumph">trunk/Source/WTF/wtf/ListDump.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsregresspolychainaccessdifferentprototypesexpectedtxt">trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresspolychainaccessdifferentprototypessimpleexpectedtxt">trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-simple-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresspolychainaccessdifferentprototypessimplehtml">trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-simple.html</a></li>
<li><a href="#trunkLayoutTestsjsregresspolychainaccessdifferentprototypeshtml">trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes.html</a></li>
<li><a href="#trunkLayoutTestsjsregresspolychainaccessexpectedtxt">trunk/LayoutTests/js/regress/poly-chain-access-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresspolychainaccesssimplerexpectedtxt">trunk/LayoutTests/js/regress/poly-chain-access-simpler-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresspolychainaccesssimplerhtml">trunk/LayoutTests/js/regress/poly-chain-access-simpler.html</a></li>
<li><a href="#trunkLayoutTestsjsregresspolychainaccesshtml">trunk/LayoutTests/js/regress/poly-chain-access.html</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestspolychainaccessdifferentprototypessimplejs">trunk/LayoutTests/js/regress/script-tests/poly-chain-access-different-prototypes-simple.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestspolychainaccessdifferentprototypesjs">trunk/LayoutTests/js/regress/script-tests/poly-chain-access-different-prototypes.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestspolychainaccesssimplerjs">trunk/LayoutTests/js/regress/script-tests/poly-chain-access-simpler.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestspolychainaccessjs">trunk/LayoutTests/js/regress/script-tests/poly-chain-access.js</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeConstantStructureCheckcpp">trunk/Source/JavaScriptCore/bytecode/ConstantStructureCheck.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeConstantStructureCheckh">trunk/Source/JavaScriptCore/bytecode/ConstantStructureCheck.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFrozenValuecpp">trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFrozenValueh">trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGMayExitcpp">trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGMayExith">trunk/Source/JavaScriptCore/dfg/DFGMayExit.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGValueStrengthcpp">trunk/Source/JavaScriptCore/dfg/DFGValueStrength.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGValueStrengthh">trunk/Source/JavaScriptCore/dfg/DFGValueStrength.h</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDesiredStructureChainscpp">trunk/Source/JavaScriptCore/dfg/DFGDesiredStructureChains.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDesiredStructureChainsh">trunk/Source/JavaScriptCore/dfg/DFGDesiredStructureChains.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/LayoutTests/ChangeLog 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,3 +1,35 @@
</span><ins>+2014-07-25 Filip Pizlo <fpizlo@apple.com>
+
+ Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.
+
+ 2014-06-17 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
+ https://bugs.webkit.org/show_bug.cgi?id=133821
+
+ Reviewed by Mark Hahnenberg.
+
+ * js/regress/poly-chain-access-different-prototypes-expected.txt: Added.
+ * js/regress/poly-chain-access-different-prototypes-simple-expected.txt: Added.
+ * js/regress/poly-chain-access-different-prototypes-simple.html: Added.
+ * js/regress/poly-chain-access-different-prototypes.html: Added.
+ * js/regress/script-tests/poly-chain-access-different-prototypes-simple.js: Added.
+ * js/regress/script-tests/poly-chain-access-different-prototypes.js: Added.
+
+ 2014-06-11 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
+ https://bugs.webkit.org/show_bug.cgi?id=133751
+
+ Reviewed by Mark Hahnenberg.
+
+ * js/regress/poly-chain-access-expected.txt: Added.
+ * js/regress/poly-chain-access-simpler-expected.txt: Added.
+ * js/regress/poly-chain-access-simpler.html: Added.
+ * js/regress/poly-chain-access.html: Added.
+ * js/regress/script-tests/poly-chain-access-simpler.js: Added.
+ * js/regress/script-tests/poly-chain-access.js: Added.
+
</ins><span class="cx"> 2014-07-25 David Hyatt <hyatt@apple.com>
</span><span class="cx">
</span><span class="cx"> [New Multicolumn] RenderViews paginated as RL or LR don't handle percentage widths correctly.
</span></span></pre></div>
<a id="trunkLayoutTestsjsregresspolychainaccessdifferentprototypesexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-expected.txt (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-expected.txt 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/poly-chain-access-different-prototypes
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresspolychainaccessdifferentprototypessimpleexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-simple-expected.txt (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-simple-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-simple-expected.txt 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/poly-chain-access-different-prototypes-simple
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresspolychainaccessdifferentprototypessimplehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-simple.html (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-simple.html (rev 0)
+++ trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes-simple.html 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/poly-chain-access-different-prototypes-simple.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresspolychainaccessdifferentprototypeshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes.html (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes.html (rev 0)
+++ trunk/LayoutTests/js/regress/poly-chain-access-different-prototypes.html 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/poly-chain-access-different-prototypes.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresspolychainaccessexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/poly-chain-access-expected.txt (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/poly-chain-access-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/poly-chain-access-expected.txt 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/poly-chain-access
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresspolychainaccesssimplerexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/poly-chain-access-simpler-expected.txt (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/poly-chain-access-simpler-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/poly-chain-access-simpler-expected.txt 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/poly-chain-access-simpler
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresspolychainaccesssimplerhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/poly-chain-access-simpler.html (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/poly-chain-access-simpler.html (rev 0)
+++ trunk/LayoutTests/js/regress/poly-chain-access-simpler.html 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/poly-chain-access-simpler.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresspolychainaccesshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/poly-chain-access.html (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/poly-chain-access.html (rev 0)
+++ trunk/LayoutTests/js/regress/poly-chain-access.html 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/poly-chain-access.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestspolychainaccessdifferentprototypessimplejs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/poly-chain-access-different-prototypes-simple.js (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/poly-chain-access-different-prototypes-simple.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/poly-chain-access-different-prototypes-simple.js 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+(function() {
+ function Foo() { }
+ Foo.prototype.f = 42;
+ function Bar() { }
+ Bar.prototype = new Foo();
+ function Baz() { }
+ Baz.prototype = new Foo();
+
+ function foo(o, p) {
+ var n = 1000000;
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ result += o.f;
+ var tmp = o;
+ o = p;
+ p = tmp;
+ }
+
+ if (result != n * 42)
+ throw "Error: bad result: " + result;
+ }
+
+ foo(new Bar(), new Baz());
+})();
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestspolychainaccessdifferentprototypesjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/poly-chain-access-different-prototypes.js (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/poly-chain-access-different-prototypes.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/poly-chain-access-different-prototypes.js 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+(function() {
+ function Foo() { }
+ Foo.prototype.f = 42;
+ function Bar() { }
+ Bar.prototype = new Foo();
+ function Baz() { }
+ Baz.prototype = new Foo();
+
+ var o = new Bar();
+ var p = new Baz();
+
+ var n = 1000000;
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ result += o.f;
+ var tmp = o;
+ o = p;
+ p = tmp;
+ }
+
+ if (result != n * 42)
+ throw "Error: bad result: " + result;
+})();
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestspolychainaccesssimplerjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/poly-chain-access-simpler.js (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/poly-chain-access-simpler.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/poly-chain-access-simpler.js 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+(function() {
+ function Foo() { }
+ Foo.prototype.f = 42;
+ function Bar() { }
+ Bar.prototype = new Foo();
+
+ function foo(o, p) {
+ var n = 1000000;
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ result += o.f;
+ var tmp = o;
+ o = p;
+ p = tmp;
+ }
+
+ if (result != n * 42)
+ throw "Error: bad result: " + result;
+ }
+
+ var o = new Bar();
+ var p = new Bar();
+ p.g = 43;
+
+ foo(o, p);
+})();
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestspolychainaccessjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/poly-chain-access.js (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/poly-chain-access.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/poly-chain-access.js 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+(function() {
+ function Foo() { }
+ Foo.prototype.f = 42;
+ function Bar() { }
+ Bar.prototype = new Foo();
+
+ var o = new Bar();
+ var p = new Bar();
+ p.g = 43;
+
+ var n = 1000000;
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ result += o.f;
+ var tmp = o;
+ o = p;
+ p = tmp;
+ }
+
+ if (result != n * 42)
+ throw "Error: bad result: " + result;
+})();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -68,6 +68,7 @@
</span><span class="cx"> bytecode/CodeBlockJettisoningWatchpoint.cpp
</span><span class="cx"> bytecode/CodeOrigin.cpp
</span><span class="cx"> bytecode/CodeType.cpp
</span><ins>+ bytecode/ConstantStructureCheck.cpp
</ins><span class="cx"> bytecode/DFGExitProfile.cpp
</span><span class="cx"> bytecode/DeferredCompilationCallback.cpp
</span><span class="cx"> bytecode/ExecutionCounter.cpp
</span><span class="lines">@@ -132,7 +133,6 @@
</span><span class="cx"> dfg/DFGCriticalEdgeBreakingPhase.cpp
</span><span class="cx"> dfg/DFGDCEPhase.cpp
</span><span class="cx"> dfg/DFGDesiredIdentifiers.cpp
</span><del>- dfg/DFGDesiredStructureChains.cpp
</del><span class="cx"> dfg/DFGDesiredTransitions.cpp
</span><span class="cx"> dfg/DFGDesiredWatchpoints.cpp
</span><span class="cx"> dfg/DFGDesiredWeakReferences.cpp
</span><span class="lines">@@ -147,6 +147,7 @@
</span><span class="cx"> dfg/DFGFixupPhase.cpp
</span><span class="cx"> dfg/DFGFlushFormat.cpp
</span><span class="cx"> dfg/DFGFlushedAt.cpp
</span><ins>+ dfg/DFGFrozenValue.cpp
</ins><span class="cx"> dfg/DFGFunctionWhitelist.cpp
</span><span class="cx"> dfg/DFGGraph.cpp
</span><span class="cx"> dfg/DFGGraphSafepoint.cpp
</span><span class="lines">@@ -162,6 +163,7 @@
</span><span class="cx"> dfg/DFGLivenessAnalysisPhase.cpp
</span><span class="cx"> dfg/DFGLongLivedState.cpp
</span><span class="cx"> dfg/DFGLoopPreHeaderCreationPhase.cpp
</span><ins>+ dfg/DFGMayExit.cpp
</ins><span class="cx"> dfg/DFGMinifiedNode.cpp
</span><span class="cx"> dfg/DFGNaturalLoops.cpp
</span><span class="cx"> dfg/DFGNode.cpp
</span><span class="lines">@@ -203,6 +205,7 @@
</span><span class="cx"> dfg/DFGUseKind.cpp
</span><span class="cx"> dfg/DFGValidate.cpp
</span><span class="cx"> dfg/DFGValueSource.cpp
</span><ins>+ dfg/DFGValueStrength.cpp
</ins><span class="cx"> dfg/DFGVariableAccessData.cpp
</span><span class="cx"> dfg/DFGVariableAccessDataDump.cpp
</span><span class="cx"> dfg/DFGVariableEvent.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/ChangeLog 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,3 +1,651 @@
</span><ins>+2014-07-25 Filip Pizlo <fpizlo@apple.com>
+
+ Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.
+
+ 2014-06-17 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Fold constant Phis
+ https://bugs.webkit.org/show_bug.cgi?id=133967
+
+ Reviewed by Mark Hahnenberg.
+
+ It's surprising but we didn't really do this before. Or, rather, we only did it
+ incidentally when we would likely crash if it ever happened.
+
+ Making this work required cleaning up the validater a bit, so I did that too. I also added
+ mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
+ the Phi header of basic blocks). But this required beefing up mayExit() a bit.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGAdjacencyList.h:
+ (JSC::DFG::AdjacencyList::isEmpty):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::run):
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
+ * dfg/DFGInPlaceAbstractState.h:
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::run):
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGMayExit.cpp:
+ (JSC::DFG::mayExit):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ (JSC::DFG::Validate::validateSSA):
+
+ 2014-06-17 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
+ https://bugs.webkit.org/show_bug.cgi?id=133985
+
+ Reviewed by Michael Saboff and Mark Hahnenberg.
+
+ Store elimination phase has never been very profitable, and now that LLVM can do dead
+ store elimination for us, this phase is just completely pointless.
+
+ This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
+ computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
+ maintain.
+
+ This patch does introduce a new mayExit() calculator that is independent of the CFA and
+ should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
+ for assertions in the DFG backend, but we could use it if we ever brought back any of the
+ other optimizations that previously relied upon NodeDoesNotExit.
+
+ This is performance-neutral, except for SunSpider, where it's a speed-up.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
+ (JSC::DFG::AbstractInterpreter::filterByType):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::CSEPhase):
+ (JSC::DFG::CSEPhase::invalidationPointElimination):
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::performBlockCSE):
+ (JSC::DFG::performCSE):
+ (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
+ (JSC::DFG::performStoreElimination): Deleted.
+ * dfg/DFGCSEPhase.h:
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::resetExitStates): Deleted.
+ * dfg/DFGGraph.h:
+ * dfg/DFGMayExit.cpp: Added.
+ (JSC::DFG::mayExit):
+ * dfg/DFGMayExit.h: Added.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::mergeFlags):
+ (JSC::DFG::Node::filterFlags):
+ (JSC::DFG::Node::setCanExit): Deleted.
+ (JSC::DFG::Node::canExit): Deleted.
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::dumpNodeFlags):
+ * dfg/DFGNodeFlags.h:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
+ (JSC::DFG::SpeculativeJIT::bail):
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+ 2014-06-15 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
+ https://bugs.webkit.org/show_bug.cgi?id=133931
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
+
+ 2014-06-15 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
+ https://bugs.webkit.org/show_bug.cgi?id=133935
+
+ Reviewed by Oliver Hunt.
+
+ * bytecode/Operands.h:
+ (JSC::Operands::Operands):
+ (JSC::Operands::ensureLocals):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::makeFullTop): Completeness.
+ (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
+ (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ (JSC::DFG::BasicBlock::ensureLocals):
+ * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::run): Compute the intersection.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
+ (JSC::DFG::Graph::dump): Better dumping.
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
+
+ 2014-06-12 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
+ https://bugs.webkit.org/show_bug.cgi?id=133821
+
+ Reviewed by Mark Hahnenberg.
+
+ This allows us to efficiently cache accesses that differ only in the prototypes on the path
+ from the base to the prototype that has the field.
+
+ It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
+ data structure.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/ConstantStructureCheck.cpp: Added.
+ (JSC::ConstantStructureCheck::dumpInContext):
+ (JSC::ConstantStructureCheck::dump):
+ (JSC::structureFor):
+ (JSC::areCompatible):
+ (JSC::mergeInto):
+ * bytecode/ConstantStructureCheck.h: Added.
+ (JSC::ConstantStructureCheck::ConstantStructureCheck):
+ (JSC::ConstantStructureCheck::operator!):
+ (JSC::ConstantStructureCheck::constant):
+ (JSC::ConstantStructureCheck::structure):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::GetByIdVariant):
+ (JSC::GetByIdVariant::operator=):
+ (JSC::GetByIdVariant::attemptToMerge):
+ (JSC::GetByIdVariant::dumpInContext):
+ * bytecode/GetByIdVariant.h:
+ (JSC::GetByIdVariant::constantChecks):
+ (JSC::GetByIdVariant::alternateBase):
+ (JSC::GetByIdVariant::GetByIdVariant): Deleted.
+ (JSC::GetByIdVariant::chain): Deleted.
+ * bytecode/PutByIdVariant.cpp:
+ (JSC::PutByIdVariant::dumpInContext):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::transition):
+ (JSC::PutByIdVariant::constantChecks):
+ (JSC::PutByIdVariant::structureChain): Deleted.
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitChecks):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
+ (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
+ (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ * dfg/DFGDesiredStructureChains.cpp: Removed.
+ * dfg/DFGDesiredStructureChains.h: Removed.
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::watchpoints):
+ (JSC::DFG::Graph::chains): Deleted.
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::isStillValid):
+ (JSC::DFG::Plan::checkLivenessAndVisitChildren):
+ (JSC::DFG::Plan::cancel):
+ * dfg/DFGPlan.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ * runtime/IntendedStructureChain.cpp:
+ (JSC::IntendedStructureChain::gatherChecks):
+ * runtime/IntendedStructureChain.h:
+ (JSC::IntendedStructureChain::at):
+ (JSC::IntendedStructureChain::operator[]):
+
+ 2014-06-12 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Constant folding and strength reduction should work in SSA
+ https://bugs.webkit.org/show_bug.cgi?id=133839
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGAtTailAbstractState.cpp:
+ (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
+ (JSC::DFG::AtTailAbstractState::forNode):
+ * dfg/DFGAtTailAbstractState.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::convertToConstant):
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::LICMPhase):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+
+ 2014-06-11 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
+ https://bugs.webkit.org/show_bug.cgi?id=133751
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::appendVariant):
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::attemptToMerge):
+ * bytecode/GetByIdVariant.h:
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ * runtime/IntendedStructureChain.cpp:
+ (JSC::IntendedStructureChain::IntendedStructureChain):
+ (JSC::IntendedStructureChain::isStillValid):
+ (JSC::IntendedStructureChain::isNormalized):
+ (JSC::IntendedStructureChain::terminalPrototype):
+ (JSC::IntendedStructureChain::operator==):
+ (JSC::IntendedStructureChain::visitChildren):
+ (JSC::IntendedStructureChain::dumpInContext):
+ (JSC::IntendedStructureChain::chain): Deleted.
+ * runtime/IntendedStructureChain.h:
+ (JSC::IntendedStructureChain::prototype):
+ (JSC::IntendedStructureChain::operator!=):
+ (JSC::IntendedStructureChain::head): Deleted.
+
+ 2014-06-11 Matthew Mirman <mmirman@apple.com>
+
+ Readded native calling to the FTL and Split the DFG nodes
+ Call and Construct into NativeCall and NativeConstruct
+ to better represent their semantics.
+ https://bugs.webkit.org/show_bug.cgi?id=133660
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ Added NativeCall and NativeConstruct case
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::addCall): added NativeCall case.
+ (JSC::DFG::ByteCodeParser::handleCall):
+ set to return NativeCall or NativeConstruct instead of Call or Construct
+ in the presence of a native function.
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
+ (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
+ (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
+ * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall): ditto
+ (JSC::DFG::SpeculativeJIT::compile): ditto
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall): ditto
+ (JSC::DFG::SpeculativeJIT::compile): ditto
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile): ditto
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::lower): ditto
+ (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
+ (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
+ (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
+ (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
+ * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
+
+ 2014-06-11 Matthew Mirman <mmirman@apple.com>
+
+ Ensured Native Calls and Construct and associated checks
+ are only emitted during ftl mode.
+ https://bugs.webkit.org/show_bug.cgi?id=133718
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode
+ before attaching the native function to Call or Construct.
+
+ 2014-06-10 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
+ https://bugs.webkit.org/show_bug.cgi?id=133426
+
+ Reviewed by Geoffrey Garen.
+
+ The impetus for this was to provide some sense and reason to race conditions arising from
+ cell constants having their structure changed on the main thread - this is harmess because
+ we defend against it, but when it goes wrong, it can be difficult to reproduce because it
+ requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
+
+ But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
+ about constants. It no longer relies on the CodeBlock constant pool at all, which allows
+ for a more object-oriented approach: for example a Node that has a constant can tell you
+ what constant it has without needing a CodeBlock.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeExitSiteData):
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindToString):
+ (JSC::exitKindIsCountable):
+ * bytecode/ExitKind.h:
+ (JSC::isWatchpoint): Deleted.
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::hasExitSite):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::hasExitSite):
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::filterByValue):
+ (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
+ (JSC::DFG::AbstractInterpreter::setConstant):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::setOSREntryValue):
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::filterByValue):
+ (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
+ * dfg/DFGAbstractValue.h:
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGBackwardsPropagationPhase.cpp:
+ (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
+ (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::getDirect):
+ (JSC::DFG::ByteCodeParser::get):
+ (JSC::DFG::ByteCodeParser::getLocal):
+ (JSC::DFG::ByteCodeParser::setLocal):
+ (JSC::DFG::ByteCodeParser::setArgument):
+ (JSC::DFG::ByteCodeParser::jsConstant):
+ (JSC::DFG::ByteCodeParser::weakJSConstant):
+ (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::handleMinMax):
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::prepareToParseBlock):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ (JSC::DFG::ByteCodeParser::addConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
+ (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
+ (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
+ (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
+ (JSC::DFG::ByteCodeParser::constantNull): Deleted.
+ (JSC::DFG::ByteCodeParser::one): Deleted.
+ (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
+ (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::constantCSE):
+ (JSC::DFG::CSEPhase::checkFunctionElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGCommon.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupMakeRope):
+ (JSC::DFG::FixupPhase::truncateConstantToInt32):
+ (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
+ * dfg/DFGFrozenValue.cpp: Added.
+ (JSC::DFG::FrozenValue::emptySingleton):
+ (JSC::DFG::FrozenValue::dumpInContext):
+ (JSC::DFG::FrozenValue::dump):
+ * dfg/DFGFrozenValue.h: Added.
+ (JSC::DFG::FrozenValue::FrozenValue):
+ (JSC::DFG::FrozenValue::operator!):
+ (JSC::DFG::FrozenValue::value):
+ (JSC::DFG::FrozenValue::structure):
+ (JSC::DFG::FrozenValue::strengthenTo):
+ (JSC::DFG::FrozenValue::strength):
+ (JSC::DFG::FrozenValue::freeze):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::tryGetActivation):
+ (JSC::DFG::Graph::tryGetFoldableView):
+ (JSC::DFG::Graph::registerFrozenValues):
+ (JSC::DFG::Graph::visitChildren):
+ (JSC::DFG::Graph::freezeFragile):
+ (JSC::DFG::Graph::freeze):
+ (JSC::DFG::Graph::freezeStrong):
+ (JSC::DFG::Graph::convertToConstant):
+ (JSC::DFG::Graph::convertToStrongConstant):
+ (JSC::DFG::Graph::assertIsWatched):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
+ (JSC::DFG::Graph::convertToConstant): Deleted.
+ (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
+ (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
+ (JSC::DFG::Graph::isConstant): Deleted.
+ (JSC::DFG::Graph::isJSConstant): Deleted.
+ (JSC::DFG::Graph::isInt32Constant): Deleted.
+ (JSC::DFG::Graph::isDoubleConstant): Deleted.
+ (JSC::DFG::Graph::isNumberConstant): Deleted.
+ (JSC::DFG::Graph::isBooleanConstant): Deleted.
+ (JSC::DFG::Graph::isCellConstant): Deleted.
+ (JSC::DFG::Graph::isFunctionConstant): Deleted.
+ (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
+ (JSC::DFG::Graph::valueOfJSConstant): Deleted.
+ (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
+ (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
+ (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
+ (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
+ (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::InsertionSet::insertConstant):
+ (JSC::DFG::InsertionSet::insertConstantForUse):
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGLazyJSValue.cpp:
+ (JSC::DFG::LazyJSValue::getValue):
+ (JSC::DFG::LazyJSValue::strictEqual):
+ (JSC::DFG::LazyJSValue::dumpInContext):
+ * dfg/DFGLazyJSValue.h:
+ (JSC::DFG::LazyJSValue::LazyJSValue):
+ (JSC::DFG::LazyJSValue::tryGetValue):
+ (JSC::DFG::LazyJSValue::value):
+ (JSC::DFG::LazyJSValue::switchLookupValue):
+ * dfg/DFGMinifiedNode.cpp:
+ (JSC::DFG::MinifiedNode::fromNode):
+ * dfg/DFGMinifiedNode.h:
+ (JSC::DFG::belongsInMinifiedGraph):
+ (JSC::DFG::MinifiedNode::hasConstant):
+ (JSC::DFG::MinifiedNode::constant):
+ (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
+ (JSC::DFG::MinifiedNode::constantNumber): Deleted.
+ (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
+ (JSC::DFG::MinifiedNode::weakConstant): Deleted.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasConstant):
+ (JSC::DFG::Node::constant):
+ (JSC::DFG::Node::convertToConstant):
+ (JSC::DFG::Node::asJSValue):
+ (JSC::DFG::Node::isInt32Constant):
+ (JSC::DFG::Node::asInt32):
+ (JSC::DFG::Node::asUInt32):
+ (JSC::DFG::Node::isDoubleConstant):
+ (JSC::DFG::Node::isNumberConstant):
+ (JSC::DFG::Node::asNumber):
+ (JSC::DFG::Node::isMachineIntConstant):
+ (JSC::DFG::Node::asMachineInt):
+ (JSC::DFG::Node::isBooleanConstant):
+ (JSC::DFG::Node::asBoolean):
+ (JSC::DFG::Node::isCellConstant):
+ (JSC::DFG::Node::asCell):
+ (JSC::DFG::Node::dynamicCastConstant):
+ (JSC::DFG::Node::function):
+ (JSC::DFG::Node::isWeakConstant): Deleted.
+ (JSC::DFG::Node::constantNumber): Deleted.
+ (JSC::DFG::Node::convertToWeakConstant): Deleted.
+ (JSC::DFG::Node::weakConstant): Deleted.
+ (JSC::DFG::Node::valueOfJSConstant): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::compileIn):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileAdd):
+ (JSC::DFG::SpeculativeJIT::compileArithSub):
+ (JSC::DFG::SpeculativeJIT::compileArithMod):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
+ (JSC::DFG::SpeculativeJIT::initConstantInfo):
+ (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGValueStrength.cpp: Added.
+ (WTF::printInternal):
+ * dfg/DFGValueStrength.h: Added.
+ (JSC::DFG::merge):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
+ (JSC::DFG::VariableEventStream::reconstruct):
+ * dfg/DFGVariableEventStream.h:
+ * dfg/DFGWatchableStructureWatchingPhase.cpp:
+ (JSC::DFG::WatchableStructureWatchingPhase::run):
+ (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
+ * dfg/DFGWatchpointCollectionPhase.cpp:
+ (JSC::DFG::WatchpointCollectionPhase::handle):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
+ (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
+ (JSC::FTL::LowerDFGToLLVM::lowInt32):
+ (JSC::FTL::LowerDFGToLLVM::lowCell):
+ (JSC::FTL::LowerDFGToLLVM::lowBoolean):
+ (JSC::FTL::LowerDFGToLLVM::lowJSValue):
+ (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
+ (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::dumpInContext):
+ (JSC::JSValue::dumpInContextAssumingStructure):
+ * runtime/JSCJSValue.h:
+
</ins><span class="cx"> 2014-07-24 Brent Fulgham <bfulgham@apple.com>
</span><span class="cx">
</span><span class="cx"> [Win] Correct build order in JavaScriptCore.submit.sln
</span><span class="lines">@@ -3567,8 +4215,652 @@
</span><span class="cx"> Add a version of reifyStaticProperties that takes an array of HashTableValues
</span><span class="cx"> rather than a HashTable.
</span><span class="cx">
</span><ins>+2014-07-25 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Fold constant Phis
+ https://bugs.webkit.org/show_bug.cgi?id=133967
+
+ Reviewed by Mark Hahnenberg.
+
+ It's surprising but we didn't really do this before. Or, rather, we only did it
+ incidentally when we would likely crash if it ever happened.
+
+ Making this work required cleaning up the validater a bit, so I did that too. I also added
+ mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
+ the Phi header of basic blocks). But this required beefing up mayExit() a bit.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGAdjacencyList.h:
+ (JSC::DFG::AdjacencyList::isEmpty):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::run):
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
+ * dfg/DFGInPlaceAbstractState.h:
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::run):
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGMayExit.cpp:
+ (JSC::DFG::mayExit):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ (JSC::DFG::Validate::validateSSA):
+
+2014-06-17 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
+ https://bugs.webkit.org/show_bug.cgi?id=133985
+
+ Reviewed by Michael Saboff and Mark Hahnenberg.
+
+ Store elimination phase has never been very profitable, and now that LLVM can do dead
+ store elimination for us, this phase is just completely pointless.
+
+ This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
+ computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
+ maintain.
+
+ This patch does introduce a new mayExit() calculator that is independent of the CFA and
+ should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
+ for assertions in the DFG backend, but we could use it if we ever brought back any of the
+ other optimizations that previously relied upon NodeDoesNotExit.
+
+ This is performance-neutral, except for SunSpider, where it's a speed-up.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
+ (JSC::DFG::AbstractInterpreter::filterByType):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::CSEPhase):
+ (JSC::DFG::CSEPhase::invalidationPointElimination):
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::performBlockCSE):
+ (JSC::DFG::performCSE):
+ (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
+ (JSC::DFG::performStoreElimination): Deleted.
+ * dfg/DFGCSEPhase.h:
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::resetExitStates): Deleted.
+ * dfg/DFGGraph.h:
+ * dfg/DFGMayExit.cpp: Added.
+ (JSC::DFG::mayExit):
+ * dfg/DFGMayExit.h: Added.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::mergeFlags):
+ (JSC::DFG::Node::filterFlags):
+ (JSC::DFG::Node::setCanExit): Deleted.
+ (JSC::DFG::Node::canExit): Deleted.
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::dumpNodeFlags):
+ * dfg/DFGNodeFlags.h:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
+ (JSC::DFG::SpeculativeJIT::bail):
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2014-06-15 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
+ https://bugs.webkit.org/show_bug.cgi?id=133931
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
+
+2014-06-15 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
+ https://bugs.webkit.org/show_bug.cgi?id=133935
+
+ Reviewed by Oliver Hunt.
+
+ * bytecode/Operands.h:
+ (JSC::Operands::Operands):
+ (JSC::Operands::ensureLocals):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::makeFullTop): Completeness.
+ (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
+ (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ (JSC::DFG::BasicBlock::ensureLocals):
+ * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::run): Compute the intersection.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
+ (JSC::DFG::Graph::dump): Better dumping.
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
+
+2014-06-12 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
+ https://bugs.webkit.org/show_bug.cgi?id=133821
+
+ Reviewed by Mark Hahnenberg.
+
+ This allows us to efficiently cache accesses that differ only in the prototypes on the path
+ from the base to the prototype that has the field.
+
+ It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
+ data structure.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/ConstantStructureCheck.cpp: Added.
+ (JSC::ConstantStructureCheck::dumpInContext):
+ (JSC::ConstantStructureCheck::dump):
+ (JSC::structureFor):
+ (JSC::areCompatible):
+ (JSC::mergeInto):
+ * bytecode/ConstantStructureCheck.h: Added.
+ (JSC::ConstantStructureCheck::ConstantStructureCheck):
+ (JSC::ConstantStructureCheck::operator!):
+ (JSC::ConstantStructureCheck::constant):
+ (JSC::ConstantStructureCheck::structure):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::GetByIdVariant):
+ (JSC::GetByIdVariant::operator=):
+ (JSC::GetByIdVariant::attemptToMerge):
+ (JSC::GetByIdVariant::dumpInContext):
+ * bytecode/GetByIdVariant.h:
+ (JSC::GetByIdVariant::constantChecks):
+ (JSC::GetByIdVariant::alternateBase):
+ (JSC::GetByIdVariant::GetByIdVariant): Deleted.
+ (JSC::GetByIdVariant::chain): Deleted.
+ * bytecode/PutByIdVariant.cpp:
+ (JSC::PutByIdVariant::dumpInContext):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::transition):
+ (JSC::PutByIdVariant::constantChecks):
+ (JSC::PutByIdVariant::structureChain): Deleted.
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitChecks):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
+ (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
+ (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ * dfg/DFGDesiredStructureChains.cpp: Removed.
+ * dfg/DFGDesiredStructureChains.h: Removed.
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::watchpoints):
+ (JSC::DFG::Graph::chains): Deleted.
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::isStillValid):
+ (JSC::DFG::Plan::checkLivenessAndVisitChildren):
+ (JSC::DFG::Plan::cancel):
+ * dfg/DFGPlan.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ * runtime/IntendedStructureChain.cpp:
+ (JSC::IntendedStructureChain::gatherChecks):
+ * runtime/IntendedStructureChain.h:
+ (JSC::IntendedStructureChain::at):
+ (JSC::IntendedStructureChain::operator[]):
+
+2014-06-12 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Constant folding and strength reduction should work in SSA
+ https://bugs.webkit.org/show_bug.cgi?id=133839
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGAtTailAbstractState.cpp:
+ (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
+ (JSC::DFG::AtTailAbstractState::forNode):
+ * dfg/DFGAtTailAbstractState.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::convertToConstant):
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::LICMPhase):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+
+2014-06-11 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
+ https://bugs.webkit.org/show_bug.cgi?id=133751
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::appendVariant):
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::attemptToMerge):
+ * bytecode/GetByIdVariant.h:
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ * runtime/IntendedStructureChain.cpp:
+ (JSC::IntendedStructureChain::IntendedStructureChain):
+ (JSC::IntendedStructureChain::isStillValid):
+ (JSC::IntendedStructureChain::isNormalized):
+ (JSC::IntendedStructureChain::terminalPrototype):
+ (JSC::IntendedStructureChain::operator==):
+ (JSC::IntendedStructureChain::visitChildren):
+ (JSC::IntendedStructureChain::dumpInContext):
+ (JSC::IntendedStructureChain::chain): Deleted.
+ * runtime/IntendedStructureChain.h:
+ (JSC::IntendedStructureChain::prototype):
+ (JSC::IntendedStructureChain::operator!=):
+ (JSC::IntendedStructureChain::head): Deleted.
+
+2014-06-11 Matthew Mirman <mmirman@apple.com>
+
+ Readded native calling to the FTL and Split the DFG nodes
+ Call and Construct into NativeCall and NativeConstruct
+ to better represent their semantics.
+ https://bugs.webkit.org/show_bug.cgi?id=133660
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ Added NativeCall and NativeConstruct case
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::addCall): added NativeCall case.
+ (JSC::DFG::ByteCodeParser::handleCall):
+ set to return NativeCall or NativeConstruct instead of Call or Construct
+ in the presence of a native function.
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
+ (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
+ (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
+ * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall): ditto
+ (JSC::DFG::SpeculativeJIT::compile): ditto
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall): ditto
+ (JSC::DFG::SpeculativeJIT::compile): ditto
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile): ditto
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::lower): ditto
+ (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
+ (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
+ (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
+ (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
+ * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
+
+2014-06-11 Matthew Mirman <mmirman@apple.com>
+
+ Ensured Native Calls and Construct and associated checks
+ are only emitted during ftl mode.
+ https://bugs.webkit.org/show_bug.cgi?id=133718
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode
+ before attaching the native function to Call or Construct.
+
</ins><span class="cx"> 2014-06-10 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><ins>+ [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
+ https://bugs.webkit.org/show_bug.cgi?id=133426
+
+ Reviewed by Geoffrey Garen.
+
+ The impetus for this was to provide some sense and reason to race conditions arising from
+ cell constants having their structure changed on the main thread - this is harmess because
+ we defend against it, but when it goes wrong, it can be difficult to reproduce because it
+ requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
+
+ But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
+ about constants. It no longer relies on the CodeBlock constant pool at all, which allows
+ for a more object-oriented approach: for example a Node that has a constant can tell you
+ what constant it has without needing a CodeBlock.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeExitSiteData):
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindToString):
+ (JSC::exitKindIsCountable):
+ * bytecode/ExitKind.h:
+ (JSC::isWatchpoint): Deleted.
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::hasExitSite):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::hasExitSite):
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::filterByValue):
+ (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
+ (JSC::DFG::AbstractInterpreter::setConstant):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::setOSREntryValue):
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::filterByValue):
+ (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
+ * dfg/DFGAbstractValue.h:
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGBackwardsPropagationPhase.cpp:
+ (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
+ (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::getDirect):
+ (JSC::DFG::ByteCodeParser::get):
+ (JSC::DFG::ByteCodeParser::getLocal):
+ (JSC::DFG::ByteCodeParser::setLocal):
+ (JSC::DFG::ByteCodeParser::setArgument):
+ (JSC::DFG::ByteCodeParser::jsConstant):
+ (JSC::DFG::ByteCodeParser::weakJSConstant):
+ (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::handleMinMax):
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::prepareToParseBlock):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ (JSC::DFG::ByteCodeParser::addConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
+ (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
+ (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
+ (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
+ (JSC::DFG::ByteCodeParser::constantNull): Deleted.
+ (JSC::DFG::ByteCodeParser::one): Deleted.
+ (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
+ (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::constantCSE):
+ (JSC::DFG::CSEPhase::checkFunctionElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGCommon.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupMakeRope):
+ (JSC::DFG::FixupPhase::truncateConstantToInt32):
+ (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
+ * dfg/DFGFrozenValue.cpp: Added.
+ (JSC::DFG::FrozenValue::emptySingleton):
+ (JSC::DFG::FrozenValue::dumpInContext):
+ (JSC::DFG::FrozenValue::dump):
+ * dfg/DFGFrozenValue.h: Added.
+ (JSC::DFG::FrozenValue::FrozenValue):
+ (JSC::DFG::FrozenValue::operator!):
+ (JSC::DFG::FrozenValue::value):
+ (JSC::DFG::FrozenValue::structure):
+ (JSC::DFG::FrozenValue::strengthenTo):
+ (JSC::DFG::FrozenValue::strength):
+ (JSC::DFG::FrozenValue::freeze):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::tryGetActivation):
+ (JSC::DFG::Graph::tryGetFoldableView):
+ (JSC::DFG::Graph::registerFrozenValues):
+ (JSC::DFG::Graph::visitChildren):
+ (JSC::DFG::Graph::freezeFragile):
+ (JSC::DFG::Graph::freeze):
+ (JSC::DFG::Graph::freezeStrong):
+ (JSC::DFG::Graph::convertToConstant):
+ (JSC::DFG::Graph::convertToStrongConstant):
+ (JSC::DFG::Graph::assertIsWatched):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
+ (JSC::DFG::Graph::convertToConstant): Deleted.
+ (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
+ (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
+ (JSC::DFG::Graph::isConstant): Deleted.
+ (JSC::DFG::Graph::isJSConstant): Deleted.
+ (JSC::DFG::Graph::isInt32Constant): Deleted.
+ (JSC::DFG::Graph::isDoubleConstant): Deleted.
+ (JSC::DFG::Graph::isNumberConstant): Deleted.
+ (JSC::DFG::Graph::isBooleanConstant): Deleted.
+ (JSC::DFG::Graph::isCellConstant): Deleted.
+ (JSC::DFG::Graph::isFunctionConstant): Deleted.
+ (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
+ (JSC::DFG::Graph::valueOfJSConstant): Deleted.
+ (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
+ (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
+ (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
+ (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
+ (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::InsertionSet::insertConstant):
+ (JSC::DFG::InsertionSet::insertConstantForUse):
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGLazyJSValue.cpp:
+ (JSC::DFG::LazyJSValue::getValue):
+ (JSC::DFG::LazyJSValue::strictEqual):
+ (JSC::DFG::LazyJSValue::dumpInContext):
+ * dfg/DFGLazyJSValue.h:
+ (JSC::DFG::LazyJSValue::LazyJSValue):
+ (JSC::DFG::LazyJSValue::tryGetValue):
+ (JSC::DFG::LazyJSValue::value):
+ (JSC::DFG::LazyJSValue::switchLookupValue):
+ * dfg/DFGMinifiedNode.cpp:
+ (JSC::DFG::MinifiedNode::fromNode):
+ * dfg/DFGMinifiedNode.h:
+ (JSC::DFG::belongsInMinifiedGraph):
+ (JSC::DFG::MinifiedNode::hasConstant):
+ (JSC::DFG::MinifiedNode::constant):
+ (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
+ (JSC::DFG::MinifiedNode::constantNumber): Deleted.
+ (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
+ (JSC::DFG::MinifiedNode::weakConstant): Deleted.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasConstant):
+ (JSC::DFG::Node::constant):
+ (JSC::DFG::Node::convertToConstant):
+ (JSC::DFG::Node::asJSValue):
+ (JSC::DFG::Node::isInt32Constant):
+ (JSC::DFG::Node::asInt32):
+ (JSC::DFG::Node::asUInt32):
+ (JSC::DFG::Node::isDoubleConstant):
+ (JSC::DFG::Node::isNumberConstant):
+ (JSC::DFG::Node::asNumber):
+ (JSC::DFG::Node::isMachineIntConstant):
+ (JSC::DFG::Node::asMachineInt):
+ (JSC::DFG::Node::isBooleanConstant):
+ (JSC::DFG::Node::asBoolean):
+ (JSC::DFG::Node::isCellConstant):
+ (JSC::DFG::Node::asCell):
+ (JSC::DFG::Node::dynamicCastConstant):
+ (JSC::DFG::Node::function):
+ (JSC::DFG::Node::isWeakConstant): Deleted.
+ (JSC::DFG::Node::constantNumber): Deleted.
+ (JSC::DFG::Node::convertToWeakConstant): Deleted.
+ (JSC::DFG::Node::weakConstant): Deleted.
+ (JSC::DFG::Node::valueOfJSConstant): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::compileIn):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileAdd):
+ (JSC::DFG::SpeculativeJIT::compileArithSub):
+ (JSC::DFG::SpeculativeJIT::compileArithMod):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
+ (JSC::DFG::SpeculativeJIT::initConstantInfo):
+ (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGValueStrength.cpp: Added.
+ (WTF::printInternal):
+ * dfg/DFGValueStrength.h: Added.
+ (JSC::DFG::merge):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
+ (JSC::DFG::VariableEventStream::reconstruct):
+ * dfg/DFGVariableEventStream.h:
+ * dfg/DFGWatchableStructureWatchingPhase.cpp:
+ (JSC::DFG::WatchableStructureWatchingPhase::run):
+ (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
+ * dfg/DFGWatchpointCollectionPhase.cpp:
+ (JSC::DFG::WatchpointCollectionPhase::handle):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
+ (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
+ (JSC::FTL::LowerDFGToLLVM::lowInt32):
+ (JSC::FTL::LowerDFGToLLVM::lowCell):
+ (JSC::FTL::LowerDFGToLLVM::lowBoolean):
+ (JSC::FTL::LowerDFGToLLVM::lowJSValue):
+ (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
+ (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::dumpInContext):
+ (JSC::JSValue::dumpInContextAssumingStructure):
+ * runtime/JSCJSValue.h:
+
+2014-06-10 Filip Pizlo <fpizlo@apple.com>
+
</ins><span class="cx"> Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=133698
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -321,6 +321,7 @@
</span><span class="cx"> <ClCompile Include="..\bytecode\CodeBlockJettisoningWatchpoint.cpp" />
</span><span class="cx"> <ClCompile Include="..\bytecode\CodeOrigin.cpp" />
</span><span class="cx"> <ClCompile Include="..\bytecode\CodeType.cpp" />
</span><ins>+ <ClCompile Include="..\bytecode\ConstantStructureCheck.cpp" />
</ins><span class="cx"> <ClCompile Include="..\bytecode\DeferredCompilationCallback.cpp" />
</span><span class="cx"> <ClCompile Include="..\bytecode\DFGExitProfile.cpp" />
</span><span class="cx"> <ClCompile Include="..\bytecode\ExecutionCounter.cpp" />
</span><span class="lines">@@ -382,7 +383,6 @@
</span><span class="cx"> <ClCompile Include="..\dfg\DFGCSEPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGDCEPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGDesiredIdentifiers.cpp" />
</span><del>- <ClCompile Include="..\dfg\DFGDesiredStructureChains.cpp" />
</del><span class="cx"> <ClCompile Include="..\dfg\DFGDesiredTransitions.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGDesiredWatchpoints.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGDesiredWeakReferences.cpp" />
</span><span class="lines">@@ -397,6 +397,7 @@
</span><span class="cx"> <ClCompile Include="..\dfg\DFGFixupPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGFlushedAt.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGFlushFormat.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGFrozenValue.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGFunctionWhitelist.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGGraph.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGGraphSafepoint.cpp" />
</span><span class="lines">@@ -412,6 +413,7 @@
</span><span class="cx"> <ClCompile Include="..\dfg\DFGLivenessAnalysisPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGLongLivedState.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGLoopPreHeaderCreationPhase.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGMayExit.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGMinifiedNode.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGNaturalLoops.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGNode.cpp" />
</span><span class="lines">@@ -455,6 +457,7 @@
</span><span class="cx"> <ClCompile Include="..\dfg\DFGUseKind.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGValidate.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGValueSource.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGValueStrength.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGVariableAccessData.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGVariableAccessDataDump.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGVariableEvent.cpp" />
</span><span class="lines">@@ -901,6 +904,7 @@
</span><span class="cx"> <ClInclude Include="..\bytecode\CodeOrigin.h" />
</span><span class="cx"> <ClInclude Include="..\bytecode\CodeType.h" />
</span><span class="cx"> <ClInclude Include="..\bytecode\Comment.h" />
</span><ins>+ <ClInclude Include="..\bytecode\ConstantStructureCheck.h" />
</ins><span class="cx"> <ClInclude Include="..\bytecode\DataFormat.h" />
</span><span class="cx"> <ClInclude Include="..\bytecode\DeferredCompilationCallback.h" />
</span><span class="cx"> <ClInclude Include="..\bytecode\DFGExitProfile.h" />
</span><span class="lines">@@ -988,7 +992,6 @@
</span><span class="cx"> <ClInclude Include="..\dfg\DFGCSEPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGDCEPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGDesiredIdentifiers.h" />
</span><del>- <ClInclude Include="..\dfg\DFGDesiredStructureChains.h" />
</del><span class="cx"> <ClInclude Include="..\dfg\DFGDesiredTransitions.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGDesiredWatchpoints.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGDesiredWeakReferences.h" />
</span><span class="lines">@@ -1008,6 +1011,7 @@
</span><span class="cx"> <ClInclude Include="..\dfg\DFGFlushedAt.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGFlushFormat.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGFPRInfo.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGFrozenValue.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGFunctionWhitelist.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGGenerationInfo.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGGPRInfo.h" />
</span><span class="lines">@@ -1026,6 +1030,7 @@
</span><span class="cx"> <ClInclude Include="..\dfg\DFGLivenessAnalysisPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGLongLivedState.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGLoopPreHeaderCreationPhase.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGMayExit.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGMergeMode.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGMinifiedGraph.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGMinifiedID.h" />
</span><span class="lines">@@ -1083,6 +1088,7 @@
</span><span class="cx"> <ClInclude Include="..\dfg\DFGValidate.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGValueRecoveryOverride.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGValueSource.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGValueStrength.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGVariableAccessData.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGVariableAccessDataDump.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGVariableEvent.h" />
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -74,6 +74,8 @@
</span><span class="cx"> /* End PBXAggregateTarget section */
</span><span class="cx">
</span><span class="cx"> /* Begin PBXBuildFile section */
</span><ins>+ 0F0123321944EA1B00843A0C /* DFGValueStrength.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F0123301944EA1B00843A0C /* DFGValueStrength.cpp */; };
+ 0F0123331944EA1B00843A0C /* DFGValueStrength.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F0123311944EA1B00843A0C /* DFGValueStrength.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F0332C018ADFAE1005F979A /* ExitingJITType.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F0332BF18ADFAE1005F979A /* ExitingJITType.cpp */; };
</span><span class="cx"> 0F0332C318B01763005F979A /* GetByIdVariant.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F0332C118B01763005F979A /* GetByIdVariant.cpp */; };
</span><span class="cx"> 0F0332C418B01763005F979A /* GetByIdVariant.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F0332C218B01763005F979A /* GetByIdVariant.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -252,6 +254,8 @@
</span><span class="cx"> 0F3B3A281544C997003ED0FF /* DFGCFGSimplificationPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3B3A251544C991003ED0FF /* DFGCFGSimplificationPhase.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F3B3A2B15475000003ED0FF /* DFGValidate.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3B3A2915474FF4003ED0FF /* DFGValidate.cpp */; };
</span><span class="cx"> 0F3B3A2C15475002003ED0FF /* DFGValidate.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3B3A2A15474FF4003ED0FF /* DFGValidate.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 0F3D0BBC194A414300FC9CF9 /* ConstantStructureCheck.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3D0BBA194A414300FC9CF9 /* ConstantStructureCheck.cpp */; };
+ 0F3D0BBD194A414300FC9CF9 /* ConstantStructureCheck.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3D0BBB194A414300FC9CF9 /* ConstantStructureCheck.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F426A481460CBB300131F8F /* ValueRecovery.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F426A451460CBAB00131F8F /* ValueRecovery.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F426A491460CBB700131F8F /* VirtualRegister.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F426A461460CBAB00131F8F /* VirtualRegister.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F426A4B1460CD6E00131F8F /* DataFormat.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F426A4A1460CD6B00131F8F /* DataFormat.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -293,6 +297,8 @@
</span><span class="cx"> 0F56A1D515001CF4002992B1 /* ExecutionCounter.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F56A1D415001CF2002992B1 /* ExecutionCounter.cpp */; };
</span><span class="cx"> 0F572D4F16879FDD00E57FBD /* ThunkGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F572D4D16879FDB00E57FBD /* ThunkGenerator.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F5780A218FE1E98001E72D9 /* PureNaN.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5780A118FE1E98001E72D9 /* PureNaN.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 0F5874ED194FEB1200AAB2C1 /* DFGMayExit.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F5874EB194FEB1200AAB2C1 /* DFGMayExit.cpp */; };
+ 0F5874EE194FEB1200AAB2C1 /* DFGMayExit.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5874EC194FEB1200AAB2C1 /* DFGMayExit.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F5A1273192D9FDF008764A3 /* DFGDoesGC.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F5A1271192D9FDF008764A3 /* DFGDoesGC.cpp */; };
</span><span class="cx"> 0F5A1274192D9FDF008764A3 /* DFGDoesGC.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5A1272192D9FDF008764A3 /* DFGDoesGC.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F5A52D017ADD717008ECB2D /* CopyToken.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5A52CF17ADD717008ECB2D /* CopyToken.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -319,6 +325,8 @@
</span><span class="cx"> 0F666ECD1836B37E00D017F1 /* DFGResurrectionForValidationPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F666ECB1836B37E00D017F1 /* DFGResurrectionForValidationPhase.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F66E16B14DF3F1600B7B2E4 /* DFGAdjacencyList.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F66E16814DF3F1300B7B2E4 /* DFGAdjacencyList.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F66E16C14DF3F1600B7B2E4 /* DFGEdge.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F66E16914DF3F1300B7B2E4 /* DFGEdge.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 0F69CC88193AC60A0045759E /* DFGFrozenValue.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F69CC86193AC60A0045759E /* DFGFrozenValue.cpp */; };
+ 0F69CC89193AC60A0045759E /* DFGFrozenValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F69CC87193AC60A0045759E /* DFGFrozenValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F6B1CB5185FC9E900845D97 /* FTLJSCall.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F6B1CB3185FC9E900845D97 /* FTLJSCall.cpp */; };
</span><span class="cx"> 0F6B1CB6185FC9E900845D97 /* FTLJSCall.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F6B1CB4185FC9E900845D97 /* FTLJSCall.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F6B1CB91861244C00845D97 /* ArityCheckMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F6B1CB71861244C00845D97 /* ArityCheckMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -1725,8 +1733,6 @@
</span><span class="cx"> A7386556118697B400540279 /* ThunkGenerators.h in Headers */ = {isa = PBXBuildFile; fileRef = A7386553118697B400540279 /* ThunkGenerators.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> A73A535A1799CD5D00170C19 /* DFGLazyJSValue.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A73A53581799CD5D00170C19 /* DFGLazyJSValue.cpp */; };
</span><span class="cx"> A73A535B1799CD5D00170C19 /* DFGLazyJSValue.h in Headers */ = {isa = PBXBuildFile; fileRef = A73A53591799CD5D00170C19 /* DFGLazyJSValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><del>- A73E1330179624CD00E4DEA8 /* DFGDesiredStructureChains.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A73E132C179624CD00E4DEA8 /* DFGDesiredStructureChains.cpp */; };
- A73E1331179624CD00E4DEA8 /* DFGDesiredStructureChains.h in Headers */ = {isa = PBXBuildFile; fileRef = A73E132D179624CD00E4DEA8 /* DFGDesiredStructureChains.h */; settings = {ATTRIBUTES = (Private, ); }; };
</del><span class="cx"> A741017F179DAF80002EB8BA /* DFGSaneStringGetByValSlowPathGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = A741017E179DAF80002EB8BA /* DFGSaneStringGetByValSlowPathGenerator.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> A7482B9311671147003B0712 /* JSWeakObjectMapRefPrivate.h in Headers */ = {isa = PBXBuildFile; fileRef = A7482B791166CDEA003B0712 /* JSWeakObjectMapRefPrivate.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> A7482B9411671147003B0712 /* JSWeakObjectMapRefPrivate.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7482B7A1166CDEA003B0712 /* JSWeakObjectMapRefPrivate.cpp */; };
</span><span class="lines">@@ -2242,6 +2248,8 @@
</span><span class="cx"> /* End PBXCopyFilesBuildPhase section */
</span><span class="cx">
</span><span class="cx"> /* Begin PBXFileReference section */
</span><ins>+ 0F0123301944EA1B00843A0C /* DFGValueStrength.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGValueStrength.cpp; path = dfg/DFGValueStrength.cpp; sourceTree = "<group>"; };
+ 0F0123311944EA1B00843A0C /* DFGValueStrength.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGValueStrength.h; path = dfg/DFGValueStrength.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0F0332BF18ADFAE1005F979A /* ExitingJITType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExitingJITType.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F0332C118B01763005F979A /* GetByIdVariant.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GetByIdVariant.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F0332C218B01763005F979A /* GetByIdVariant.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = GetByIdVariant.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -2419,6 +2427,8 @@
</span><span class="cx"> 0F3B3A251544C991003ED0FF /* DFGCFGSimplificationPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGCFGSimplificationPhase.h; path = dfg/DFGCFGSimplificationPhase.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F3B3A2915474FF4003ED0FF /* DFGValidate.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGValidate.cpp; path = dfg/DFGValidate.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F3B3A2A15474FF4003ED0FF /* DFGValidate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGValidate.h; path = dfg/DFGValidate.h; sourceTree = "<group>"; };
</span><ins>+ 0F3D0BBA194A414300FC9CF9 /* ConstantStructureCheck.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ConstantStructureCheck.cpp; sourceTree = "<group>"; };
+ 0F3D0BBB194A414300FC9CF9 /* ConstantStructureCheck.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ConstantStructureCheck.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0F426A451460CBAB00131F8F /* ValueRecovery.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ValueRecovery.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F426A461460CBAB00131F8F /* VirtualRegister.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VirtualRegister.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F426A4A1460CD6B00131F8F /* DataFormat.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DataFormat.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -2461,6 +2471,8 @@
</span><span class="cx"> 0F56A1D415001CF2002992B1 /* ExecutionCounter.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExecutionCounter.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F572D4D16879FDB00E57FBD /* ThunkGenerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ThunkGenerator.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F5780A118FE1E98001E72D9 /* PureNaN.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PureNaN.h; sourceTree = "<group>"; };
</span><ins>+ 0F5874EB194FEB1200AAB2C1 /* DFGMayExit.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGMayExit.cpp; path = dfg/DFGMayExit.cpp; sourceTree = "<group>"; };
+ 0F5874EC194FEB1200AAB2C1 /* DFGMayExit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGMayExit.h; path = dfg/DFGMayExit.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0F5A1271192D9FDF008764A3 /* DFGDoesGC.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGDoesGC.cpp; path = dfg/DFGDoesGC.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F5A1272192D9FDF008764A3 /* DFGDoesGC.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGDoesGC.h; path = dfg/DFGDoesGC.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F5A52CF17ADD717008ECB2D /* CopyToken.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CopyToken.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -2487,6 +2499,8 @@
</span><span class="cx"> 0F666ECB1836B37E00D017F1 /* DFGResurrectionForValidationPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGResurrectionForValidationPhase.h; path = dfg/DFGResurrectionForValidationPhase.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F66E16814DF3F1300B7B2E4 /* DFGAdjacencyList.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGAdjacencyList.h; path = dfg/DFGAdjacencyList.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F66E16914DF3F1300B7B2E4 /* DFGEdge.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGEdge.h; path = dfg/DFGEdge.h; sourceTree = "<group>"; };
</span><ins>+ 0F69CC86193AC60A0045759E /* DFGFrozenValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGFrozenValue.cpp; path = dfg/DFGFrozenValue.cpp; sourceTree = "<group>"; };
+ 0F69CC87193AC60A0045759E /* DFGFrozenValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGFrozenValue.h; path = dfg/DFGFrozenValue.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0F6B1CB3185FC9E900845D97 /* FTLJSCall.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLJSCall.cpp; path = ftl/FTLJSCall.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F6B1CB4185FC9E900845D97 /* FTLJSCall.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLJSCall.h; path = ftl/FTLJSCall.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F6B1CB71861244C00845D97 /* ArityCheckMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArityCheckMode.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -3371,8 +3385,6 @@
</span><span class="cx"> A7386553118697B400540279 /* ThunkGenerators.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ThunkGenerators.h; sourceTree = "<group>"; };
</span><span class="cx"> A73A53581799CD5D00170C19 /* DFGLazyJSValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGLazyJSValue.cpp; path = dfg/DFGLazyJSValue.cpp; sourceTree = "<group>"; };
</span><span class="cx"> A73A53591799CD5D00170C19 /* DFGLazyJSValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGLazyJSValue.h; path = dfg/DFGLazyJSValue.h; sourceTree = "<group>"; };
</span><del>- A73E132C179624CD00E4DEA8 /* DFGDesiredStructureChains.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGDesiredStructureChains.cpp; path = dfg/DFGDesiredStructureChains.cpp; sourceTree = "<group>"; };
- A73E132D179624CD00E4DEA8 /* DFGDesiredStructureChains.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGDesiredStructureChains.h; path = dfg/DFGDesiredStructureChains.h; sourceTree = "<group>"; };
</del><span class="cx"> A741017E179DAF80002EB8BA /* DFGSaneStringGetByValSlowPathGenerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGSaneStringGetByValSlowPathGenerator.h; path = dfg/DFGSaneStringGetByValSlowPathGenerator.h; sourceTree = "<group>"; };
</span><span class="cx"> A7482B791166CDEA003B0712 /* JSWeakObjectMapRefPrivate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSWeakObjectMapRefPrivate.h; sourceTree = "<group>"; };
</span><span class="cx"> A7482B7A1166CDEA003B0712 /* JSWeakObjectMapRefPrivate.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSWeakObjectMapRefPrivate.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -5052,8 +5064,6 @@
</span><span class="cx"> 0F2FC77116E12F6F0038D976 /* DFGDCEPhase.h */,
</span><span class="cx"> 0F8F2B97172F04FD007DBDA5 /* DFGDesiredIdentifiers.cpp */,
</span><span class="cx"> 0F8F2B98172F04FD007DBDA5 /* DFGDesiredIdentifiers.h */,
</span><del>- A73E132C179624CD00E4DEA8 /* DFGDesiredStructureChains.cpp */,
- A73E132D179624CD00E4DEA8 /* DFGDesiredStructureChains.h */,
</del><span class="cx"> C2C0F7CB17BBFC5B00464FE4 /* DFGDesiredTransitions.cpp */,
</span><span class="cx"> C2C0F7CC17BBFC5B00464FE4 /* DFGDesiredTransitions.h */,
</span><span class="cx"> 0FE853491723CDA500B618F5 /* DFGDesiredWatchpoints.cpp */,
</span><span class="lines">@@ -5086,6 +5096,8 @@
</span><span class="cx"> 0F9D339517FFC4E60073C2BC /* DFGFlushedAt.h */,
</span><span class="cx"> A7D89CE817A0B8CC00773AD8 /* DFGFlushFormat.cpp */,
</span><span class="cx"> A7D89CE917A0B8CC00773AD8 /* DFGFlushFormat.h */,
</span><ins>+ 0F69CC86193AC60A0045759E /* DFGFrozenValue.cpp */,
+ 0F69CC87193AC60A0045759E /* DFGFrozenValue.h */,
</ins><span class="cx"> 2A88067619107D5500CB0BBB /* DFGFunctionWhitelist.cpp */,
</span><span class="cx"> 2A88067719107D5500CB0BBB /* DFGFunctionWhitelist.h */,
</span><span class="cx"> 86EC9DB61328DF82002B2AD7 /* DFGGenerationInfo.h */,
</span><span class="lines">@@ -5120,6 +5132,8 @@
</span><span class="cx"> 0FB4B51D16B62772003F696B /* DFGLongLivedState.h */,
</span><span class="cx"> A767B5B317A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.cpp */,
</span><span class="cx"> A767B5B417A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.h */,
</span><ins>+ 0F5874EB194FEB1200AAB2C1 /* DFGMayExit.cpp */,
+ 0F5874EC194FEB1200AAB2C1 /* DFGMayExit.h */,
</ins><span class="cx"> A704D90217A0BAA8006BA554 /* DFGMergeMode.h */,
</span><span class="cx"> 0F2BDC3D1522801700CD8910 /* DFGMinifiedGraph.h */,
</span><span class="cx"> 0FB4B51016B3A964003F696B /* DFGMinifiedID.h */,
</span><span class="lines">@@ -5218,6 +5232,8 @@
</span><span class="cx"> 0F2BDC3F1522801700CD8910 /* DFGValueRecoveryOverride.h */,
</span><span class="cx"> 0F2BDC4E15228BE700CD8910 /* DFGValueSource.cpp */,
</span><span class="cx"> 0F2BDC401522801700CD8910 /* DFGValueSource.h */,
</span><ins>+ 0F0123301944EA1B00843A0C /* DFGValueStrength.cpp */,
+ 0F0123311944EA1B00843A0C /* DFGValueStrength.h */,
</ins><span class="cx"> 0F6E845919030BEF00562741 /* DFGVariableAccessData.cpp */,
</span><span class="cx"> 0F620172143FCD2F0068B77C /* DFGVariableAccessData.h */,
</span><span class="cx"> 0FDDBFB21666EED500C55FEF /* DFGVariableAccessDataDump.cpp */,
</span><span class="lines">@@ -5363,6 +5379,8 @@
</span><span class="cx"> 0FBD7E671447998F00481315 /* CodeOrigin.h */,
</span><span class="cx"> 0F8F943F1667632D00D61971 /* CodeType.cpp */,
</span><span class="cx"> 0F0B83A514BCF50400885B4F /* CodeType.h */,
</span><ins>+ 0F3D0BBA194A414300FC9CF9 /* ConstantStructureCheck.cpp */,
+ 0F3D0BBB194A414300FC9CF9 /* ConstantStructureCheck.h */,
</ins><span class="cx"> 0F426A4A1460CD6B00131F8F /* DataFormat.h */,
</span><span class="cx"> 0FC712DC17CD8778008CC93C /* DeferredCompilationCallback.cpp */,
</span><span class="cx"> 0FC712DD17CD8778008CC93C /* DeferredCompilationCallback.h */,
</span><span class="lines">@@ -5949,6 +5967,7 @@
</span><span class="cx"> 0F0B83B114BCF71800885B4F /* CallLinkInfo.h in Headers */,
</span><span class="cx"> 0F93329E14CA7DC50085F3C6 /* CallLinkStatus.h in Headers */,
</span><span class="cx"> 0F0B83B914BCF95F00885B4F /* CallReturnOffsetToBytecodeOffset.h in Headers */,
</span><ins>+ 0F69CC89193AC60A0045759E /* DFGFrozenValue.h in Headers */,
</ins><span class="cx"> 0F24E54217EA9F5900ABB217 /* CCallHelpers.h in Headers */,
</span><span class="cx"> BC6AAAE50E1F426500AD87D8 /* ClassInfo.h in Headers */,
</span><span class="cx"> 0F73D7AF165A143000ACAB71 /* ClosureCallStubRoutine.h in Headers */,
</span><span class="lines">@@ -6044,7 +6063,6 @@
</span><span class="cx"> 0FFFC95A14EF90A900C72532 /* DFGCSEPhase.h in Headers */,
</span><span class="cx"> 0F2FC77316E12F740038D976 /* DFGDCEPhase.h in Headers */,
</span><span class="cx"> 0F8F2B9A172F0501007DBDA5 /* DFGDesiredIdentifiers.h in Headers */,
</span><del>- A73E1331179624CD00E4DEA8 /* DFGDesiredStructureChains.h in Headers */,
</del><span class="cx"> C2C0F7CE17BBFC5B00464FE4 /* DFGDesiredTransitions.h in Headers */,
</span><span class="cx"> 0FE8534C1723CDA500B618F5 /* DFGDesiredWatchpoints.h in Headers */,
</span><span class="cx"> C2981FD917BAEE4B00A3BC98 /* DFGDesiredWeakReferences.h in Headers */,
</span><span class="lines">@@ -6146,6 +6164,7 @@
</span><span class="cx"> A70447EE17A0BD7000F5898E /* DumpContext.h in Headers */,
</span><span class="cx"> 99E45A2418A1B2590026D88F /* EmptyInputCursor.h in Headers */,
</span><span class="cx"> 99E45A2618A1B2590026D88F /* EncodedValue.h in Headers */,
</span><ins>+ 0F5874EE194FEB1200AAB2C1 /* DFGMayExit.h in Headers */,
</ins><span class="cx"> BC3046070E1F497F003232CF /* Error.h in Headers */,
</span><span class="cx"> BC02E90D0E1839DB000F9297 /* ErrorConstructor.h in Headers */,
</span><span class="cx"> FEB58C15187B8B160098EF0B /* ErrorHandlingScope.h in Headers */,
</span><span class="lines">@@ -6461,6 +6480,7 @@
</span><span class="cx"> FED287B215EC9A5700DA8161 /* LLIntOpcode.h in Headers */,
</span><span class="cx"> 0F4680A514BA7F8D00BFE272 /* LLIntSlowPaths.h in Headers */,
</span><span class="cx"> 0F0B839D14BCF46600885B4F /* LLIntThunks.h in Headers */,
</span><ins>+ 0F0123331944EA1B00843A0C /* DFGValueStrength.h in Headers */,
</ins><span class="cx"> 0FCEFACE1805E75500472CE4 /* LLVMAPI.h in Headers */,
</span><span class="cx"> 0FCEFACF1805E75500472CE4 /* LLVMAPIFunctions.h in Headers */,
</span><span class="cx"> A7E5AB381799E4B200D2833D /* LLVMDisassembler.h in Headers */,
</span><span class="lines">@@ -6495,6 +6515,7 @@
</span><span class="cx"> BC18C43C0E16F5CD00B34460 /* MathObject.h in Headers */,
</span><span class="cx"> 90213E3E123A40C200D422F3 /* MemoryStatistics.h in Headers */,
</span><span class="cx"> 0FB5467B14F5C7E1002C2989 /* MethodOfGettingAValueProfile.h in Headers */,
</span><ins>+ 0F3D0BBD194A414300FC9CF9 /* ConstantStructureCheck.h in Headers */,
</ins><span class="cx"> 7C008CE7187631B600955C24 /* Microtask.h in Headers */,
</span><span class="cx"> 86C568E211A213EE0007F7F0 /* MIPSAssembler.h in Headers */,
</span><span class="cx"> 86EBF3001560F06A008E9222 /* NameConstructor.h in Headers */,
</span><span class="lines">@@ -7558,6 +7579,7 @@
</span><span class="cx"> 147F39C0107EC37600427A48 /* ArrayPrototype.cpp in Sources */,
</span><span class="cx"> 0F24E54017EA9F5900ABB217 /* AssemblyHelpers.cpp in Sources */,
</span><span class="cx"> 14816E1B154CC56C00B8054C /* BlockAllocator.cpp in Sources */,
</span><ins>+ 0F69CC88193AC60A0045759E /* DFGFrozenValue.cpp in Sources */,
</ins><span class="cx"> 14280863107EC11A0013E7B2 /* BooleanConstructor.cpp in Sources */,
</span><span class="cx"> 14280864107EC11A0013E7B2 /* BooleanObject.cpp in Sources */,
</span><span class="cx"> 14280865107EC11A0013E7B2 /* BooleanPrototype.cpp in Sources */,
</span><span class="lines">@@ -7632,7 +7654,6 @@
</span><span class="cx"> 0FFFC95914EF90A600C72532 /* DFGCSEPhase.cpp in Sources */,
</span><span class="cx"> 0F2FC77216E12F710038D976 /* DFGDCEPhase.cpp in Sources */,
</span><span class="cx"> 0F8F2B99172F04FF007DBDA5 /* DFGDesiredIdentifiers.cpp in Sources */,
</span><del>- A73E1330179624CD00E4DEA8 /* DFGDesiredStructureChains.cpp in Sources */,
</del><span class="cx"> C2C0F7CD17BBFC5B00464FE4 /* DFGDesiredTransitions.cpp in Sources */,
</span><span class="cx"> 0FE8534B1723CDA500B618F5 /* DFGDesiredWatchpoints.cpp in Sources */,
</span><span class="cx"> C2981FD817BAEE4B00A3BC98 /* DFGDesiredWeakReferences.cpp in Sources */,
</span><span class="lines">@@ -7642,6 +7663,7 @@
</span><span class="cx"> 0FD3C82614115D4000FD81CB /* DFGDriver.cpp in Sources */,
</span><span class="cx"> 0FF0F19E16B72A0B005DF95B /* DFGEdge.cpp in Sources */,
</span><span class="cx"> 0FBC0AE71496C7C400D4FBDD /* DFGExitProfile.cpp in Sources */,
</span><ins>+ 0F0123321944EA1B00843A0C /* DFGValueStrength.cpp in Sources */,
</ins><span class="cx"> A78A9774179738B8009DF744 /* DFGFailedFinalizer.cpp in Sources */,
</span><span class="cx"> A78A9776179738B8009DF744 /* DFGFinalizer.cpp in Sources */,
</span><span class="cx"> 0F2BDC15151C5D4D00CD8910 /* DFGFixupPhase.cpp in Sources */,
</span><span class="lines">@@ -7708,6 +7730,7 @@
</span><span class="cx"> 0F3B3A2B15475000003ED0FF /* DFGValidate.cpp in Sources */,
</span><span class="cx"> 0F2BDC4F15228BF300CD8910 /* DFGValueSource.cpp in Sources */,
</span><span class="cx"> 0FDDBFB51666EED800C55FEF /* DFGVariableAccessDataDump.cpp in Sources */,
</span><ins>+ 0F5874ED194FEB1200AAB2C1 /* DFGMayExit.cpp in Sources */,
</ins><span class="cx"> 0F2BDC5115228FFD00CD8910 /* DFGVariableEvent.cpp in Sources */,
</span><span class="cx"> 0F2BDC4A1522809A00CD8910 /* DFGVariableEventStream.cpp in Sources */,
</span><span class="cx"> 0FFFC95F14EF90BB00C72532 /* DFGVirtualRegisterAllocationPhase.cpp in Sources */,
</span><span class="lines">@@ -7870,6 +7893,7 @@
</span><span class="cx"> A503FA1B188E0FB000110F14 /* JSJavaScriptCallFrame.cpp in Sources */,
</span><span class="cx"> A503FA1D188E0FB000110F14 /* JSJavaScriptCallFramePrototype.cpp in Sources */,
</span><span class="cx"> 14280875107EC13E0013E7B2 /* JSLock.cpp in Sources */,
</span><ins>+ 0F3D0BBC194A414300FC9CF9 /* ConstantStructureCheck.cpp in Sources */,
</ins><span class="cx"> C25D709B16DE99F400FCA6BC /* JSManagedValue.mm in Sources */,
</span><span class="cx"> A700874117CBE8EB00C3E643 /* JSMap.cpp in Sources */,
</span><span class="cx"> A74DEF95182D991400522C22 /* JSMapIterator.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCallLinkStatuscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -143,7 +143,6 @@
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx"> exitSiteData.m_takesSlowPath =
</span><span class="cx"> profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadCache, exitingJITType))
</span><del>- || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadCacheWatchpoint, exitingJITType))
</del><span class="cx"> || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadExecutable, exitingJITType));
</span><span class="cx"> exitSiteData.m_badFunction =
</span><span class="cx"> profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadFunction, exitingJITType));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeConstantStructureCheckcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/bytecode/ConstantStructureCheck.cpp (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ConstantStructureCheck.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/bytecode/ConstantStructureCheck.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,76 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ConstantStructureCheck.h"
+
+#include "JSCInlines.h"
+
+namespace JSC {
+
+void ConstantStructureCheck::dumpInContext(PrintStream& out, DumpContext* context) const
+{
+ out.print(
+ "(Check if ", inContext(JSValue(m_constant), context), " has structure ",
+ pointerDumpInContext(m_structure, context), ")");
+}
+
+void ConstantStructureCheck::dump(PrintStream& out) const
+{
+ dumpInContext(out, nullptr);
+}
+
+Structure* structureFor(const ConstantStructureCheckVector& vector, JSCell* constant)
+{
+ for (unsigned i = vector.size(); i--;) {
+ if (vector[i].constant() == constant)
+ return vector[i].structure();
+ }
+ return nullptr;
+}
+
+bool areCompatible(const ConstantStructureCheckVector& a, const ConstantStructureCheckVector& b)
+{
+ for (unsigned i = a.size(); i--;) {
+ Structure* otherStructure = structureFor(b, a[i].constant());
+ if (!otherStructure)
+ continue;
+ if (a[i].structure() != otherStructure)
+ return false;
+ }
+ return true;
+}
+
+void mergeInto(const ConstantStructureCheckVector& source, ConstantStructureCheckVector& target)
+{
+ for (unsigned i = source.size(); i--;) {
+ if (structureFor(target, source[i].constant()))
+ continue;
+ target.append(source[i]);
+ }
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeConstantStructureCheckh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/bytecode/ConstantStructureCheck.h (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ConstantStructureCheck.h (rev 0)
+++ trunk/Source/JavaScriptCore/bytecode/ConstantStructureCheck.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,74 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef ConstantStructureCheck_h
+#define ConstantStructureCheck_h
+
+#include "DumpContext.h"
+#include "JSCell.h"
+#include "Structure.h"
+#include <wtf/PrintStream.h>
+#include <wtf/Vector.h>
+
+namespace JSC {
+
+class ConstantStructureCheck {
+public:
+ ConstantStructureCheck()
+ : m_constant(nullptr)
+ , m_structure(nullptr)
+ {
+ }
+
+ ConstantStructureCheck(JSCell* constant, Structure* structure)
+ : m_constant(constant)
+ , m_structure(structure)
+ {
+ ASSERT(!!m_constant == !!m_structure);
+ }
+
+ bool operator!() const { return !m_constant; }
+
+ JSCell* constant() const { return m_constant; }
+ Structure* structure() const { return m_structure; }
+
+ void dumpInContext(PrintStream&, DumpContext*) const;
+ void dump(PrintStream&) const;
+
+private:
+ JSCell* m_constant;
+ Structure* m_structure;
+};
+
+typedef Vector<ConstantStructureCheck, 2> ConstantStructureCheckVector;
+
+Structure* structureFor(const ConstantStructureCheckVector& vector, JSCell* constant);
+bool areCompatible(const ConstantStructureCheckVector&, const ConstantStructureCheckVector&);
+void mergeInto(const ConstantStructureCheckVector& source, ConstantStructureCheckVector& target);
+
+} // namespace JSC
+
+#endif // ConstantStructureCheck_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeExitKindcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -44,12 +44,8 @@
</span><span class="cx"> return "BadExecutable";
</span><span class="cx"> case BadCache:
</span><span class="cx"> return "BadCache";
</span><del>- case BadCacheWatchpoint:
- return "BadCacheWatchpoint";
- case BadWeakConstantCache:
- return "BadWeakConstantCache";
- case BadWeakConstantCacheWatchpoint:
- return "BadWeakConstantCacheWatchpoint";
</del><ins>+ case BadConstantCache:
+ return "BadConstantCache";
</ins><span class="cx"> case BadIndexingType:
</span><span class="cx"> return "BadIndexingType";
</span><span class="cx"> case Overflow:
</span><span class="lines">@@ -72,8 +68,6 @@
</span><span class="cx"> return "NotStringObject";
</span><span class="cx"> case Uncountable:
</span><span class="cx"> return "Uncountable";
</span><del>- case UncountableWatchpoint:
- return "UncountableWatchpoint";
</del><span class="cx"> case UncountableInvalidation:
</span><span class="cx"> return "UncountableInvalidation";
</span><span class="cx"> case WatchdogTimerFired:
</span><span class="lines">@@ -92,7 +86,6 @@
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> case BadType:
</span><span class="cx"> case Uncountable:
</span><del>- case UncountableWatchpoint:
</del><span class="cx"> case LoadFromHole: // Already counted directly by the baseline JIT.
</span><span class="cx"> case StoreToHole: // Already counted directly by the baseline JIT.
</span><span class="cx"> case OutOfBounds: // Already counted directly by the baseline JIT.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeExitKindh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ExitKind.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ExitKind.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/ExitKind.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -34,9 +34,7 @@
</span><span class="cx"> BadFunction, // We exited because we made an incorrect assumption about what function we would see.
</span><span class="cx"> BadExecutable, // We exited because we made an incorrect assumption about what executable we would see.
</span><span class="cx"> BadCache, // We exited because an inline cache was wrong.
</span><del>- BadWeakConstantCache, // We exited because a cache on a weak constant (usually a prototype) was wrong.
- BadCacheWatchpoint, // Same as BadCache but from a watchpoint.
- BadWeakConstantCacheWatchpoint, // Same as BadWeakConstantCache but from a watchpoint.
</del><ins>+ BadConstantCache, // We exited because a cache on a weak constant (usually a prototype) was wrong.
</ins><span class="cx"> BadIndexingType, // We exited because an indexing type was wrong.
</span><span class="cx"> Overflow, // We exited because of overflow.
</span><span class="cx"> NegativeZero, // We exited because we encountered negative zero.
</span><span class="lines">@@ -49,7 +47,6 @@
</span><span class="cx"> NotStringObject, // We exited because we shouldn't have attempted to optimize string object access.
</span><span class="cx"> Uncountable, // We exited for none of the above reasons, and we should not count it. Most uses of this should be viewed as a FIXME.
</span><span class="cx"> UncountableInvalidation, // We exited because the code block was invalidated; this means that we've already counted the reasons why the code block was invalidated.
</span><del>- UncountableWatchpoint, // We exited because of a watchpoint, which isn't counted because watchpoints do tracking themselves.
</del><span class="cx"> WatchdogTimerFired, // We exited because we need to service the watchdog timer.
</span><span class="cx"> DebuggerEvent // We exited because we need to service the debugger.
</span><span class="cx"> };
</span><span class="lines">@@ -57,18 +54,6 @@
</span><span class="cx"> const char* exitKindToString(ExitKind);
</span><span class="cx"> bool exitKindIsCountable(ExitKind);
</span><span class="cx">
</span><del>-inline bool isWatchpoint(ExitKind kind)
-{
- switch (kind) {
- case BadCacheWatchpoint:
- case BadWeakConstantCacheWatchpoint:
- case UncountableWatchpoint:
- return true;
- default:
- return false;
- }
-}
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx">
</span><span class="cx"> namespace WTF {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeGetByIdStatuscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -39,10 +39,20 @@
</span><span class="cx">
</span><span class="cx"> bool GetByIdStatus::appendVariant(const GetByIdVariant& variant)
</span><span class="cx"> {
</span><ins>+ // Attempt to merge this variant with an already existing variant.
</ins><span class="cx"> for (unsigned i = 0; i < m_variants.size(); ++i) {
</span><ins>+ if (m_variants[i].attemptToMerge(variant))
+ return true;
+ }
+
+ // Make sure there is no overlap. We should have pruned out opportunities for
+ // overlap but it's possible that an inline cache got into a weird state. We are
+ // defensive and bail if we detect crazy.
+ for (unsigned i = 0; i < m_variants.size(); ++i) {
</ins><span class="cx"> if (m_variants[i].structureSet().overlaps(variant.structureSet()))
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><ins>+
</ins><span class="cx"> m_variants.append(variant);
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="lines">@@ -51,9 +61,7 @@
</span><span class="cx"> bool GetByIdStatus::hasExitSite(const ConcurrentJITLocker& locker, CodeBlock* profiledBlock, unsigned bytecodeIndex, ExitingJITType jitType)
</span><span class="cx"> {
</span><span class="cx"> return profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadCache, jitType))
</span><del>- || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadCacheWatchpoint, jitType))
- || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadWeakConstantCache, jitType))
- || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadWeakConstantCacheWatchpoint, jitType));
</del><ins>+ || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadConstantCache, jitType));
</ins><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="lines">@@ -185,10 +193,12 @@
</span><span class="cx"> profiledBlock, structure, list->at(listIndex).chain(),
</span><span class="cx"> list->at(listIndex).chainCount()));
</span><span class="cx">
</span><del>- if (!chain->isStillValid())
- return GetByIdStatus(slowPathState, true);
</del><ins>+ if (!chain->isStillValid()) {
+ // This won't ever run again so skip it.
+ continue;
+ }
</ins><span class="cx">
</span><del>- if (chain->head()->takesSlowPathInDFGForImpureProperty())
</del><ins>+ if (structure->takesSlowPathInDFGForImpureProperty())
</ins><span class="cx"> return GetByIdStatus(slowPathState, true);
</span><span class="cx">
</span><span class="cx"> size_t chainSize = chain->size();
</span><span class="lines">@@ -215,36 +225,7 @@
</span><span class="cx">
</span><span class="cx"> if (!isValidOffset(myOffset))
</span><span class="cx"> return GetByIdStatus(slowPathState, true);
</span><del>-
- if (!chain && !list->at(listIndex).doesCalls()) {
- // For non-chain, non-getter accesses, we try to do some coalescing.
- bool found = false;
- for (unsigned variantIndex = 0; variantIndex < result.m_variants.size(); ++variantIndex) {
- GetByIdVariant& variant = result.m_variants[variantIndex];
- if (variant.m_chain)
- continue;
-
- if (variant.m_offset != myOffset)
- continue;
-
- if (variant.callLinkStatus())
- continue;
-
- found = true;
- if (variant.m_structureSet.contains(structure))
- break;
-
- if (variant.m_specificValue != JSValue(specificValue))
- variant.m_specificValue = JSValue();
-
- variant.m_structureSet.add(structure);
- break;
- }
</del><span class="cx">
</span><del>- if (found)
- continue;
- }
-
</del><span class="cx"> std::unique_ptr<CallLinkStatus> callLinkStatus;
</span><span class="cx"> switch (list->at(listIndex).type()) {
</span><span class="cx"> case GetByIdAccess::SimpleInline:
</span><span class="lines">@@ -270,8 +251,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> GetByIdVariant variant(
</span><del>- StructureSet(structure), myOffset, specificValue, chain,
</del><ins>+ StructureSet(structure), myOffset, specificValue, chain.get(),
</ins><span class="cx"> std::move(callLinkStatus));
</span><ins>+
</ins><span class="cx"> if (!result.appendVariant(variant))
</span><span class="cx"> return GetByIdStatus(slowPathState, true);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeGetByIdVariantcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/GetByIdVariant.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/GetByIdVariant.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/GetByIdVariant.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -28,9 +28,31 @@
</span><span class="cx">
</span><span class="cx"> #include "CallLinkStatus.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><ins>+#include <wtf/ListDump.h>
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><ins>+GetByIdVariant::GetByIdVariant(
+ const StructureSet& structureSet, PropertyOffset offset, JSValue specificValue,
+ const IntendedStructureChain* chain, std::unique_ptr<CallLinkStatus> callLinkStatus)
+ : m_structureSet(structureSet)
+ , m_alternateBase(nullptr)
+ , m_specificValue(specificValue)
+ , m_offset(offset)
+ , m_callLinkStatus(std::move(callLinkStatus))
+{
+ if (!structureSet.size()) {
+ ASSERT(offset == invalidOffset);
+ ASSERT(!specificValue);
+ ASSERT(!chain);
+ }
+
+ if (chain && chain->size()) {
+ m_alternateBase = chain->terminalPrototype();
+ chain->gatherChecks(m_constantChecks);
+ }
+}
+
</ins><span class="cx"> GetByIdVariant::~GetByIdVariant() { }
</span><span class="cx">
</span><span class="cx"> GetByIdVariant::GetByIdVariant(const GetByIdVariant& other)
</span><span class="lines">@@ -41,7 +63,8 @@
</span><span class="cx"> GetByIdVariant& GetByIdVariant::operator=(const GetByIdVariant& other)
</span><span class="cx"> {
</span><span class="cx"> m_structureSet = other.m_structureSet;
</span><del>- m_chain = other.m_chain;
</del><ins>+ m_constantChecks = other.m_constantChecks;
+ m_alternateBase = other.m_alternateBase;
</ins><span class="cx"> m_specificValue = other.m_specificValue;
</span><span class="cx"> m_offset = other.m_offset;
</span><span class="cx"> if (other.m_callLinkStatus)
</span><span class="lines">@@ -51,6 +74,26 @@
</span><span class="cx"> return *this;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool GetByIdVariant::attemptToMerge(const GetByIdVariant& other)
+{
+ if (m_alternateBase != other.m_alternateBase)
+ return false;
+ if (m_offset != other.m_offset)
+ return false;
+ if (m_callLinkStatus || other.m_callLinkStatus)
+ return false;
+ if (!areCompatible(m_constantChecks, other.m_constantChecks))
+ return false;
+
+ if (m_specificValue != other.m_specificValue)
+ m_specificValue = JSValue();
+
+ mergeInto(other.m_constantChecks, m_constantChecks);
+ m_structureSet.merge(other.m_structureSet);
+
+ return true;
+}
+
</ins><span class="cx"> void GetByIdVariant::dump(PrintStream& out) const
</span><span class="cx"> {
</span><span class="cx"> dumpInContext(out, 0);
</span><span class="lines">@@ -65,10 +108,12 @@
</span><span class="cx">
</span><span class="cx"> out.print(
</span><span class="cx"> "<", inContext(structureSet(), context), ", ",
</span><del>- pointerDumpInContext(chain(), context), ", ",
- inContext(specificValue(), context), ", ", offset());
</del><ins>+ "[", listDumpInContext(m_constantChecks, context), "], ",
+ "alternateBase = ", inContext(JSValue(m_alternateBase), context), ", ",
+ "specificValue = ", inContext(specificValue(), context), ", ",
+ "offset = ", offset());
</ins><span class="cx"> if (m_callLinkStatus)
</span><del>- out.print("call: ", *m_callLinkStatus);
</del><ins>+ out.print("call = ", *m_callLinkStatus);
</ins><span class="cx"> out.print(">");
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeGetByIdVarianth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/GetByIdVariant.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/GetByIdVariant.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/GetByIdVariant.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> #define GetByIdVariant_h
</span><span class="cx">
</span><span class="cx"> #include "CallLinkStatus.h"
</span><ins>+#include "ConstantStructureCheck.h"
</ins><span class="cx"> #include "IntendedStructureChain.h"
</span><span class="cx"> #include "JSCJSValue.h"
</span><span class="cx"> #include "PropertyOffset.h"
</span><span class="lines">@@ -43,20 +44,8 @@
</span><span class="cx"> GetByIdVariant(
</span><span class="cx"> const StructureSet& structureSet = StructureSet(),
</span><span class="cx"> PropertyOffset offset = invalidOffset, JSValue specificValue = JSValue(),
</span><del>- PassRefPtr<IntendedStructureChain> chain = nullptr,
- std::unique_ptr<CallLinkStatus> callLinkStatus = nullptr)
- : m_structureSet(structureSet)
- , m_chain(chain)
- , m_specificValue(specificValue)
- , m_offset(offset)
- , m_callLinkStatus(std::move(callLinkStatus))
- {
- if (!structureSet.size()) {
- ASSERT(offset == invalidOffset);
- ASSERT(!specificValue);
- ASSERT(!chain);
- }
- }
</del><ins>+ const IntendedStructureChain* chain = nullptr,
+ std::unique_ptr<CallLinkStatus> callLinkStatus = nullptr);
</ins><span class="cx">
</span><span class="cx"> ~GetByIdVariant();
</span><span class="cx">
</span><span class="lines">@@ -66,11 +55,14 @@
</span><span class="cx"> bool isSet() const { return !!m_structureSet.size(); }
</span><span class="cx"> bool operator!() const { return !isSet(); }
</span><span class="cx"> const StructureSet& structureSet() const { return m_structureSet; }
</span><del>- IntendedStructureChain* chain() const { return const_cast<IntendedStructureChain*>(m_chain.get()); }
</del><ins>+ const ConstantStructureCheckVector& constantChecks() const { return m_constantChecks; }
+ JSObject* alternateBase() const { return m_alternateBase; }
</ins><span class="cx"> JSValue specificValue() const { return m_specificValue; }
</span><span class="cx"> PropertyOffset offset() const { return m_offset; }
</span><span class="cx"> CallLinkStatus* callLinkStatus() const { return m_callLinkStatus.get(); }
</span><span class="cx">
</span><ins>+ bool attemptToMerge(const GetByIdVariant& other);
+
</ins><span class="cx"> void dump(PrintStream&) const;
</span><span class="cx"> void dumpInContext(PrintStream&, DumpContext*) const;
</span><span class="cx">
</span><span class="lines">@@ -78,7 +70,8 @@
</span><span class="cx"> friend class GetByIdStatus;
</span><span class="cx">
</span><span class="cx"> StructureSet m_structureSet;
</span><del>- RefPtr<IntendedStructureChain> m_chain;
</del><ins>+ ConstantStructureCheckVector m_constantChecks;
+ JSObject* m_alternateBase;
</ins><span class="cx"> JSValue m_specificValue;
</span><span class="cx"> PropertyOffset m_offset;
</span><span class="cx"> std::unique_ptr<CallLinkStatus> m_callLinkStatus;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeOperandsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/Operands.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/Operands.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/Operands.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -52,10 +52,10 @@
</span><span class="cx"> public:
</span><span class="cx"> Operands() { }
</span><span class="cx">
</span><del>- explicit Operands(size_t numArguments, size_t numLocals)
</del><ins>+ explicit Operands(size_t numArguments, size_t numLocals, const T& initialValue = Traits::defaultValue())
</ins><span class="cx"> {
</span><del>- m_arguments.fill(Traits::defaultValue(), numArguments);
- m_locals.fill(Traits::defaultValue(), numLocals);
</del><ins>+ m_arguments.fill(initialValue, numArguments);
+ m_locals.fill(initialValue, numLocals);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename U, typename OtherTraits>
</span><span class="lines">@@ -96,7 +96,7 @@
</span><span class="cx"> return local(idx);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void ensureLocals(size_t size)
</del><ins>+ void ensureLocals(size_t size, const T& ensuredValue = Traits::defaultValue())
</ins><span class="cx"> {
</span><span class="cx"> if (size <= m_locals.size())
</span><span class="cx"> return;
</span><span class="lines">@@ -104,7 +104,7 @@
</span><span class="cx"> size_t oldSize = m_locals.size();
</span><span class="cx"> m_locals.resize(size);
</span><span class="cx"> for (size_t i = oldSize; i < m_locals.size(); ++i)
</span><del>- m_locals[i] = Traits::defaultValue();
</del><ins>+ m_locals[i] = ensuredValue;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void setLocal(size_t idx, const T& value)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePutByIdStatuscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -51,9 +51,7 @@
</span><span class="cx"> bool PutByIdStatus::hasExitSite(const ConcurrentJITLocker& locker, CodeBlock* profiledBlock, unsigned bytecodeIndex, ExitingJITType exitType)
</span><span class="cx"> {
</span><span class="cx"> return profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadCache, exitType))
</span><del>- || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadCacheWatchpoint, exitType))
- || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadWeakConstantCache, exitType))
- || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadWeakConstantCacheWatchpoint, exitType));
</del><ins>+ || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadConstantCache, exitType));
</ins><span class="cx">
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="lines">@@ -307,7 +305,7 @@
</span><span class="cx"> // dictionaries if we have evidence to suggest that those objects were never used as
</span><span class="cx"> // prototypes in a cacheable prototype access - i.e. there's a good chance that some of
</span><span class="cx"> // the other checks below will fail.
</span><del>- if (!chain->isNormalized())
</del><ins>+ if (structure->isProxy() || !chain->isNormalized())
</ins><span class="cx"> return PutByIdStatus(TakesSlowPath);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePutByIdVariantcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -26,6 +26,8 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "PutByIdVariant.h"
</span><span class="cx">
</span><ins>+#include <wtf/ListDump.h>
+
</ins><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> void PutByIdVariant::dump(PrintStream& out) const
</span><span class="lines">@@ -48,8 +50,8 @@
</span><span class="cx"> case Transition:
</span><span class="cx"> out.print(
</span><span class="cx"> "<Transition: ", pointerDumpInContext(oldStructure(), context), " -> ",
</span><del>- pointerDumpInContext(newStructure(), context), ", ",
- pointerDumpInContext(structureChain(), context), ", ", offset(), ">");
</del><ins>+ pointerDumpInContext(newStructure(), context), ", [",
+ listDumpInContext(constantChecks(), context), "], ", offset(), ">");
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePutByIdVarianth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -64,7 +64,8 @@
</span><span class="cx"> result.m_kind = Transition;
</span><span class="cx"> result.m_oldStructure = oldStructure;
</span><span class="cx"> result.m_newStructure = newStructure;
</span><del>- result.m_structureChain = structureChain;
</del><ins>+ if (structureChain)
+ structureChain->gatherChecks(result.m_constantChecks);
</ins><span class="cx"> result.m_offset = offset;
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="lines">@@ -92,10 +93,10 @@
</span><span class="cx"> return m_newStructure;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- IntendedStructureChain* structureChain() const
</del><ins>+ const ConstantStructureCheckVector& constantChecks() const
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(kind() == Transition);
</span><del>- return m_structureChain.get();
</del><ins>+ return m_constantChecks;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> PropertyOffset offset() const
</span><span class="lines">@@ -111,7 +112,7 @@
</span><span class="cx"> Kind m_kind;
</span><span class="cx"> Structure* m_oldStructure;
</span><span class="cx"> Structure* m_newStructure;
</span><del>- RefPtr<IntendedStructureChain> m_structureChain;
</del><ins>+ ConstantStructureCheckVector m_constantChecks;
</ins><span class="cx"> PropertyOffset m_offset;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -88,12 +88,8 @@
</span><span class="cx"> bool execute(unsigned indexInBlock);
</span><span class="cx"> bool execute(Node*);
</span><span class="cx">
</span><del>- // Indicate the start of execution of the node. It resets any state in the node,
- // that is progressively built up by executeEdges() and executeEffects(). In
- // particular, this resets canExit(), so if you want to "know" between calls of
- // startExecuting() and executeEdges()/Effects() whether the last run of the
- // analysis concluded that the node can exit, you should probably set that
- // information aside prior to calling startExecuting().
</del><ins>+ // Indicate the start of execution of the node. It resets any state in the node
+ // that is progressively built up by executeEdges() and executeEffects().
</ins><span class="cx"> bool startExecuting(Node*);
</span><span class="cx"> bool startExecuting(unsigned indexInBlock);
</span><span class="cx">
</span><span class="lines">@@ -103,11 +99,15 @@
</span><span class="cx"> void executeEdges(Node*);
</span><span class="cx"> void executeEdges(unsigned indexInBlock);
</span><span class="cx">
</span><del>- ALWAYS_INLINE void filterEdgeByUse(Node* node, Edge& edge)
</del><ins>+ ALWAYS_INLINE void filterEdgeByUse(Edge& edge)
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(mayHaveTypeCheck(edge.useKind()) || !needsTypeCheck(edge));
</span><del>- filterByType(node, edge, typeFilterFor(edge.useKind()));
</del><ins>+ filterByType(edge, typeFilterFor(edge.useKind()));
</ins><span class="cx"> }
</span><ins>+ ALWAYS_INLINE void filterEdgeByUse(Node*, Edge& edge)
+ {
+ filterEdgeByUse(edge);
+ }
</ins><span class="cx">
</span><span class="cx"> // Abstractly execute the effects of the given node. This changes the abstract
</span><span class="cx"> // state assuming that edges have already been filtered.
</span><span class="lines">@@ -136,7 +136,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename T>
</span><del>- FiltrationResult filterByValue(T node, JSValue value)
</del><ins>+ FiltrationResult filterByValue(T node, FrozenValue value)
</ins><span class="cx"> {
</span><span class="cx"> return filterByValue(forNode(node), value);
</span><span class="cx"> }
</span><span class="lines">@@ -144,7 +144,7 @@
</span><span class="cx"> FiltrationResult filter(AbstractValue&, const StructureSet&);
</span><span class="cx"> FiltrationResult filterArrayModes(AbstractValue&, ArrayModes);
</span><span class="cx"> FiltrationResult filter(AbstractValue&, SpeculatedType);
</span><del>- FiltrationResult filterByValue(AbstractValue&, JSValue);
</del><ins>+ FiltrationResult filterByValue(AbstractValue&, FrozenValue);
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> void clobberWorld(const CodeOrigin&, unsigned indexInBlock);
</span><span class="lines">@@ -165,26 +165,25 @@
</span><span class="cx"> };
</span><span class="cx"> BooleanResult booleanResult(Node*, AbstractValue&);
</span><span class="cx">
</span><del>- void setBuiltInConstant(Node* node, JSValue value)
</del><ins>+ void setBuiltInConstant(Node* node, FrozenValue value)
</ins><span class="cx"> {
</span><span class="cx"> AbstractValue& abstractValue = forNode(node);
</span><span class="cx"> abstractValue.set(m_graph, value, m_state.structureClobberState());
</span><span class="cx"> abstractValue.fixTypeForRepresentation(node);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void setConstant(Node* node, JSValue value)
</del><ins>+ void setConstant(Node* node, FrozenValue value)
</ins><span class="cx"> {
</span><span class="cx"> setBuiltInConstant(node, value);
</span><span class="cx"> m_state.setFoundConstants(true);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- ALWAYS_INLINE void filterByType(Node* node, Edge& edge, SpeculatedType type)
</del><ins>+ ALWAYS_INLINE void filterByType(Edge& edge, SpeculatedType type)
</ins><span class="cx"> {
</span><span class="cx"> AbstractValue& value = forNode(edge);
</span><del>- if (!value.isType(type)) {
- node->setCanExit(true);
</del><ins>+ if (!value.isType(type))
</ins><span class="cx"> edge.setProofStatus(NeedsCheck);
</span><del>- } else
</del><ins>+ else
</ins><span class="cx"> edge.setProofStatus(IsProved);
</span><span class="cx">
</span><span class="cx"> filter(value, type);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -87,8 +87,6 @@
</span><span class="cx">
</span><span class="cx"> m_state.setDidClobber(false);
</span><span class="cx">
</span><del>- node->setCanExit(false);
-
</del><span class="cx"> return node->shouldGenerate();
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -137,9 +135,8 @@
</span><span class="cx"> case JSConstant:
</span><span class="cx"> case DoubleConstant:
</span><span class="cx"> case Int52Constant:
</span><del>- case WeakJSConstant:
</del><span class="cx"> case PhantomArguments: {
</span><del>- setBuiltInConstant(node, m_graph.valueOfJSConstant(node));
</del><ins>+ setBuiltInConstant(node, *node->constant());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -177,10 +174,6 @@
</span><span class="cx"> case GetLocal: {
</span><span class="cx"> VariableAccessData* variableAccessData = node->variableAccessData();
</span><span class="cx"> AbstractValue value = m_state.variables().operand(variableAccessData->local().offset());
</span><del>- if (!variableAccessData->isCaptured()) {
- if (value.isClear())
- node->setCanExit(true);
- }
</del><span class="cx"> if (value.value())
</span><span class="cx"> m_state.setFoundConstants(true);
</span><span class="cx"> forNode(node) = value;
</span><span class="lines">@@ -271,7 +264,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -305,7 +297,6 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> }
</span><del>- node->setCanExit(true);
</del><span class="cx"> forNode(node).setType(SpecInt32);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -392,8 +383,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- if (shouldCheckOverflow(node->arithMode()))
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case Int52RepUse:
</span><span class="cx"> if (left && right && left.isMachineInt() && right.isMachineInt()) {
</span><span class="lines">@@ -404,9 +393,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecMachineInt);
</span><del>- if (!forNode(node->child1()).isType(SpecInt32)
- || !forNode(node->child2()).isType(SpecInt32))
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case DoubleRepUse:
</span><span class="cx"> if (left && right && left.isNumber() && right.isNumber()) {
</span><span class="lines">@@ -425,7 +411,6 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case MakeRope: {
</span><del>- node->setCanExit(true);
</del><span class="cx"> forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -447,8 +432,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- if (shouldCheckOverflow(node->arithMode()))
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case Int52RepUse:
</span><span class="cx"> if (left && right && left.isMachineInt() && right.isMachineInt()) {
</span><span class="lines">@@ -459,9 +442,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecMachineInt);
</span><del>- if (!forNode(node->child1()).isType(SpecInt32)
- || !forNode(node->child2()).isType(SpecInt32))
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case DoubleRepUse:
</span><span class="cx"> if (left && right && left.isNumber() && right.isNumber()) {
</span><span class="lines">@@ -500,8 +480,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- if (shouldCheckOverflow(node->arithMode()))
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case Int52RepUse:
</span><span class="cx"> if (child && child.isMachineInt()) {
</span><span class="lines">@@ -517,10 +495,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecMachineInt);
</span><del>- if (m_state.forNode(node->child1()).couldBeType(SpecInt52))
- node->setCanExit(true);
- if (shouldCheckNegativeZero(node->arithMode()))
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case DoubleRepUse:
</span><span class="cx"> if (child && child.isNumber()) {
</span><span class="lines">@@ -558,8 +532,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- if (shouldCheckOverflow(node->arithMode()))
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case Int52RepUse:
</span><span class="cx"> if (left && right && left.isMachineInt() && right.isMachineInt()) {
</span><span class="lines">@@ -573,7 +545,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecMachineInt);
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case DoubleRepUse:
</span><span class="cx"> if (left && right && left.isNumber() && right.isNumber()) {
</span><span class="lines">@@ -609,7 +580,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case DoubleRepUse:
</span><span class="cx"> if (left && right && left.isNumber() && right.isNumber()) {
</span><span class="lines">@@ -645,7 +615,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case DoubleRepUse:
</span><span class="cx"> if (left && right && left.isNumber() && right.isNumber()) {
</span><span class="lines">@@ -673,7 +642,6 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case DoubleRepUse:
</span><span class="cx"> if (left && right && left.isNumber() && right.isNumber()) {
</span><span class="lines">@@ -703,7 +671,6 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case DoubleRepUse:
</span><span class="cx"> if (left && right && left.isNumber() && right.isNumber()) {
</span><span class="lines">@@ -735,7 +702,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> case DoubleRepUse:
</span><span class="cx"> if (child && child.isNumber()) {
</span><span class="lines">@@ -800,20 +766,6 @@
</span><span class="cx"> setConstant(node, jsBoolean(true));
</span><span class="cx"> break;
</span><span class="cx"> default:
</span><del>- switch (node->child1().useKind()) {
- case BooleanUse:
- case Int32Use:
- case DoubleRepUse:
- case UntypedUse:
- case StringUse:
- break;
- case ObjectOrOtherUse:
- node->setCanExit(true);
- break;
- default:
- RELEASE_ASSERT_NOT_REACHED();
- break;
- }
</del><span class="cx"> forNode(node).setType(SpecBoolean);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -826,9 +778,6 @@
</span><span class="cx"> case IsString:
</span><span class="cx"> case IsObject:
</span><span class="cx"> case IsFunction: {
</span><del>- node->setCanExit(
- node->op() == IsUndefined
- && m_graph.masqueradesAsUndefinedWatchpointIsStillValid(node->origin.semantic));
</del><span class="cx"> JSValue child = forNode(node->child1()).value();
</span><span class="cx"> if (child) {
</span><span class="cx"> bool constantWasSet = true;
</span><span class="lines">@@ -873,46 +822,35 @@
</span><span class="cx"> AbstractValue& abstractChild = forNode(node->child1());
</span><span class="cx"> if (child) {
</span><span class="cx"> JSValue typeString = jsTypeStringForValue(*vm, m_codeBlock->globalObjectFor(node->origin.semantic), child);
</span><del>- setConstant(node, typeString);
</del><ins>+ setConstant(node, *m_graph.freeze(typeString));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (isFullNumberSpeculation(abstractChild.m_type)) {
</span><del>- setConstant(node, vm->smallStrings.numberString());
</del><ins>+ setConstant(node, *m_graph.freeze(vm->smallStrings.numberString()));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (isStringSpeculation(abstractChild.m_type)) {
</span><del>- setConstant(node, vm->smallStrings.stringString());
</del><ins>+ setConstant(node, *m_graph.freeze(vm->smallStrings.stringString()));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (isFinalObjectSpeculation(abstractChild.m_type) || isArraySpeculation(abstractChild.m_type) || isArgumentsSpeculation(abstractChild.m_type)) {
</span><del>- setConstant(node, vm->smallStrings.objectString());
</del><ins>+ setConstant(node, *m_graph.freeze(vm->smallStrings.objectString()));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (isFunctionSpeculation(abstractChild.m_type)) {
</span><del>- setConstant(node, vm->smallStrings.functionString());
</del><ins>+ setConstant(node, *m_graph.freeze(vm->smallStrings.functionString()));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (isBooleanSpeculation(abstractChild.m_type)) {
</span><del>- setConstant(node, vm->smallStrings.booleanString());
</del><ins>+ setConstant(node, *m_graph.freeze(vm->smallStrings.booleanString()));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- switch (node->child1().useKind()) {
- case StringUse:
- case CellUse:
- node->setCanExit(true);
- break;
- case UntypedUse:
- break;
- default:
- RELEASE_ASSERT_NOT_REACHED();
- break;
- }
</del><span class="cx"> forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -972,14 +910,6 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> forNode(node).setType(SpecBoolean);
</span><del>-
- // This is overly conservative. But the only thing this prevents is store elimination,
- // and how likely is it, really, that you'll have redundant stores across a comparison
- // operation? Comparison operations are typically at the end of basic blocks, so
- // unless we have global store elimination (super unlikely given how unprofitable that
- // optimization is to begin with), you aren't going to be wanting to store eliminate
- // across an equality op.
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1012,12 +942,10 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> forNode(node).setType(SpecBoolean);
</span><del>- node->setCanExit(true); // This is overly conservative.
</del><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case StringCharCodeAt:
</span><del>- node->setCanExit(true);
</del><span class="cx"> forNode(node).setType(SpecInt32);
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -1026,12 +954,10 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case StringCharAt:
</span><del>- node->setCanExit(true);
</del><span class="cx"> forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetByVal: {
</span><del>- node->setCanExit(true);
</del><span class="cx"> switch (node->arrayMode().type()) {
</span><span class="cx"> case Array::SelectUsingPredictions:
</span><span class="cx"> case Array::Unprofiled:
</span><span class="lines">@@ -1130,7 +1056,6 @@
</span><span class="cx"> case PutByValDirect:
</span><span class="cx"> case PutByVal:
</span><span class="cx"> case PutByValAlias: {
</span><del>- node->setCanExit(true);
</del><span class="cx"> switch (node->arrayMode().modeForPut().type()) {
</span><span class="cx"> case Array::ForceExit:
</span><span class="cx"> m_state.setIsValid(false);
</span><span class="lines">@@ -1162,13 +1087,11 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case ArrayPush:
</span><del>- node->setCanExit(true);
</del><span class="cx"> clobberWorld(node->origin.semantic, clobberLimit);
</span><span class="cx"> forNode(node).setType(SpecBytecodeNumber);
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case ArrayPop:
</span><del>- node->setCanExit(true);
</del><span class="cx"> clobberWorld(node->origin.semantic, clobberLimit);
</span><span class="cx"> forNode(node).makeHeapTop();
</span><span class="cx"> break;
</span><span class="lines">@@ -1199,7 +1122,6 @@
</span><span class="cx"> // constant propagation, but we can do better:
</span><span class="cx"> // We can specialize the source variable's value on each direction of
</span><span class="cx"> // the branch.
</span><del>- node->setCanExit(true); // This is overly conservative.
</del><span class="cx"> m_state.setBranchDirection(TakeBoth);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -1217,7 +1139,6 @@
</span><span class="cx"> case Throw:
</span><span class="cx"> case ThrowReferenceError:
</span><span class="cx"> m_state.setIsValid(false);
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case ToPrimitive: {
</span><span class="lines">@@ -1254,10 +1175,8 @@
</span><span class="cx"> filter(
</span><span class="cx"> node->child1(),
</span><span class="cx"> m_graph.globalObjectFor(node->origin.semantic)->stringObjectStructure());
</span><del>- node->setCanExit(true); // We could be more precise but it's likely not worth it.
</del><span class="cx"> break;
</span><span class="cx"> case StringOrStringObjectUse:
</span><del>- node->setCanExit(true); // We could be more precise but it's likely not worth it.
</del><span class="cx"> break;
</span><span class="cx"> case CellUse:
</span><span class="cx"> case UntypedUse:
</span><span class="lines">@@ -1278,21 +1197,18 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case NewArray:
</span><del>- node->setCanExit(true);
</del><span class="cx"> forNode(node).set(
</span><span class="cx"> m_graph,
</span><span class="cx"> m_graph.globalObjectFor(node->origin.semantic)->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case NewArrayBuffer:
</span><del>- node->setCanExit(true);
</del><span class="cx"> forNode(node).set(
</span><span class="cx"> m_graph,
</span><span class="cx"> m_graph.globalObjectFor(node->origin.semantic)->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case NewArrayWithSize:
</span><del>- node->setCanExit(true);
</del><span class="cx"> forNode(node).setType(SpecArray);
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -1336,7 +1252,6 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case AllocationProfileWatchpoint:
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case NewObject:
</span><span class="lines">@@ -1369,8 +1284,6 @@
</span><span class="cx"> m_state.variables().operand(
</span><span class="cx"> m_graph.argumentsRegisterFor(node->origin.semantic).offset()).m_type))
</span><span class="cx"> m_state.setFoundConstants(true);
</span><del>- else
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetMyArgumentsLength:
</span><span class="lines">@@ -1384,10 +1297,6 @@
</span><span class="cx"> m_state.setDidClobber(true); // Pretend that we clobbered to prevent constant folding.
</span><span class="cx"> } else
</span><span class="cx"> forNode(node).setType(SpecInt32);
</span><del>- node->setCanExit(
- !isEmptySpeculation(
- m_state.variables().operand(
- m_graph.argumentsRegisterFor(node->origin.semantic)).m_type));
</del><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetMyArgumentsLengthSafe:
</span><span class="lines">@@ -1399,16 +1308,25 @@
</span><span class="cx"> forNode(node).makeHeapTop();
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case GetMyArgumentByVal:
- node->setCanExit(true);
- // We know that this executable does not escape its arguments, so we can optimize
- // the arguments a bit. Note that this ends up being further optimized by the
- // ArgumentsSimplificationPhase.
</del><ins>+ case GetMyArgumentByVal: {
+ InlineCallFrame* inlineCallFrame = node->origin.semantic.inlineCallFrame;
+ JSValue value = forNode(node->child1()).m_value;
+ if (inlineCallFrame && value && value.isInt32()) {
+ int32_t index = value.asInt32();
+ if (index >= 0
+ && static_cast<size_t>(index + 1) < inlineCallFrame->arguments.size()) {
+ forNode(node) = m_state.variables().operand(
+ inlineCallFrame->stackOffset +
+ m_graph.baselineCodeBlockFor(inlineCallFrame)->argumentIndexAfterCapture(index));
+ m_state.setFoundConstants(true);
+ break;
+ }
+ }
</ins><span class="cx"> forNode(node).makeHeapTop();
</span><span class="cx"> break;
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> case GetMyArgumentByValSafe:
</span><del>- node->setCanExit(true);
</del><span class="cx"> // This potentially clobbers all structures if the property we're accessing has
</span><span class="cx"> // a getter. We don't speculate against this.
</span><span class="cx"> clobberWorld(node->origin.semantic, clobberLimit);
</span><span class="lines">@@ -1450,7 +1368,7 @@
</span><span class="cx"> case SkipScope: {
</span><span class="cx"> JSValue child = forNode(node->child1()).value();
</span><span class="cx"> if (child) {
</span><del>- setConstant(node, JSValue(jsCast<JSScope*>(child.asCell())->next()));
</del><ins>+ setConstant(node, *m_graph.freeze(JSValue(jsCast<JSScope*>(child.asCell())->next())));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> forNode(node).setType(SpecObjectOther);
</span><span class="lines">@@ -1471,7 +1389,6 @@
</span><span class="cx">
</span><span class="cx"> case GetById:
</span><span class="cx"> case GetByIdFlush:
</span><del>- node->setCanExit(true);
</del><span class="cx"> if (!node->prediction()) {
</span><span class="cx"> m_state.setIsValid(false);
</span><span class="cx"> break;
</span><span class="lines">@@ -1490,14 +1407,15 @@
</span><span class="cx"> // Assert things that we can't handle and that the computeFor() method
</span><span class="cx"> // above won't be able to return.
</span><span class="cx"> ASSERT(status[0].structureSet().size() == 1);
</span><del>- ASSERT(!status[0].chain());
</del><ins>+ ASSERT(status[0].constantChecks().isEmpty());
+ ASSERT(!status[0].alternateBase());
</ins><span class="cx">
</span><span class="cx"> if (status[0].specificValue()) {
</span><span class="cx"> if (status[0].specificValue().isCell()) {
</span><span class="cx"> Structure* structure = status[0].specificValue().asCell()->structure();
</span><span class="cx"> m_graph.watchpoints().consider(structure);
</span><span class="cx"> }
</span><del>- setConstant(node, status[0].specificValue());
</del><ins>+ setConstant(node, *m_graph.freeze(status[0].specificValue()));
</ins><span class="cx"> } else
</span><span class="cx"> forNode(node).makeHeapTop();
</span><span class="cx"> filter(node->child1(), status[0].structureSet());
</span><span class="lines">@@ -1512,7 +1430,6 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetArrayLength:
</span><del>- node->setCanExit(true); // Lies, but it's true for the common case of JSArray, so it's good enough.
</del><span class="cx"> forNode(node).setType(SpecInt32);
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -1521,7 +1438,6 @@
</span><span class="cx"> // more thoroughly. https://bugs.webkit.org/show_bug.cgi?id=106200
</span><span class="cx"> // FIXME: We could eliminate these entirely if we know the exact value that flows into this.
</span><span class="cx"> // https://bugs.webkit.org/show_bug.cgi?id=106201
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1541,8 +1457,6 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- node->setCanExit(true);
-
</del><span class="cx"> filter(value, set);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -1565,7 +1479,6 @@
</span><span class="cx"> m_state.setFoundConstants(true);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- node->setCanExit(true); // Lies, but this is followed by operations (like GetByVal) that always exit, so there is no point in us trying to be clever here.
</del><span class="cx"> switch (node->arrayMode().type()) {
</span><span class="cx"> case Array::String:
</span><span class="cx"> filter(node->child1(), SpecString);
</span><span class="lines">@@ -1620,7 +1533,6 @@
</span><span class="cx"> }
</span><span class="cx"> ASSERT(node->arrayMode().conversion() == Array::Convert
</span><span class="cx"> || node->arrayMode().conversion() == Array::RageConvert);
</span><del>- node->setCanExit(true);
</del><span class="cx"> clobberStructures(clobberLimit);
</span><span class="cx"> filterArrayModes(node->child1(), node->arrayMode().arrayModesThatPassFiltering());
</span><span class="cx"> break;
</span><span class="lines">@@ -1629,7 +1541,6 @@
</span><span class="cx"> AbstractValue& value = forNode(node->child1());
</span><span class="cx"> if (value.m_structure.isSubsetOf(StructureSet(node->structure())))
</span><span class="cx"> m_state.setFoundConstants(true);
</span><del>- node->setCanExit(true);
</del><span class="cx"> clobberStructures(clobberLimit);
</span><span class="cx">
</span><span class="cx"> // We have a bunch of options of how to express the abstract set at this point. Let set S
</span><span class="lines">@@ -1698,7 +1609,7 @@
</span><span class="cx"> if (!variant.structureSet().contains(structure))
</span><span class="cx"> continue;
</span><span class="cx">
</span><del>- if (variant.chain())
</del><ins>+ if (variant.alternateBase())
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> filter(value, structure);
</span><span class="lines">@@ -1781,14 +1692,13 @@
</span><span class="cx">
</span><span class="cx"> case CheckFunction: {
</span><span class="cx"> JSValue value = forNode(node->child1()).value();
</span><del>- if (value == node->function()) {
</del><ins>+ if (value == node->function()->value()) {
</ins><span class="cx"> m_state.setFoundConstants(true);
</span><span class="cx"> ASSERT(value);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- node->setCanExit(true); // Lies! We can do better.
- filterByValue(node->child1(), node->function());
</del><ins>+ filterByValue(node->child1(), *node->function());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1800,15 +1710,12 @@
</span><span class="cx"> m_state.setFoundConstants(true);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>-
- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case PutById:
</span><span class="cx"> case PutByIdFlush:
</span><span class="cx"> case PutByIdDirect:
</span><del>- node->setCanExit(true);
</del><span class="cx"> // This use of onlyStructure() should be replaced by giving PutByIdStatus the ability
</span><span class="cx"> // to compute things based on a StructureSet, and then to factor ByteCodeParser's
</span><span class="cx"> // ability to generate code based on a PutByIdStatus out of ByteCodeParser so that
</span><span class="lines">@@ -1853,7 +1760,6 @@
</span><span class="cx">
</span><span class="cx"> case VariableWatchpoint:
</span><span class="cx"> case VarInjectionWatchpoint:
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case PutGlobalVar:
</span><span class="lines">@@ -1861,26 +1767,25 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CheckHasInstance:
</span><del>- node->setCanExit(true);
</del><span class="cx"> // Sadly, we don't propagate the fact that we've done CheckHasInstance
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case InstanceOf:
</span><del>- node->setCanExit(true);
</del><span class="cx"> // Again, sadly, we don't propagate the fact that we've done InstanceOf
</span><span class="cx"> forNode(node).setType(SpecBoolean);
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case Phi:
</span><span class="cx"> RELEASE_ASSERT(m_graph.m_form == SSA);
</span><del>- // The state of this node would have already been decided.
</del><ins>+ // The state of this node would have already been decided, but it may have become a
+ // constant, in which case we'd like to know.
+ if (forNode(node).m_value)
+ m_state.setFoundConstants(true);
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case Upsilon: {
</span><span class="cx"> m_state.createValueForNode(node->phi());
</span><del>- AbstractValue value = forNode(node->child1());
- forNode(node) = value;
- forNode(node->phi()) = value;
</del><ins>+ forNode(node->phi()) = forNode(node->child1());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1890,24 +1795,22 @@
</span><span class="cx">
</span><span class="cx"> case Call:
</span><span class="cx"> case Construct:
</span><del>- node->setCanExit(true);
</del><ins>+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> clobberWorld(node->origin.semantic, clobberLimit);
</span><span class="cx"> forNode(node).makeHeapTop();
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case ForceOSRExit:
</span><del>- node->setCanExit(true);
</del><span class="cx"> m_state.setIsValid(false);
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case InvalidationPoint:
</span><del>- node->setCanExit(true);
</del><span class="cx"> forAllValues(clobberLimit, AbstractValue::observeInvalidationPointFor);
</span><span class="cx"> m_state.setStructureClobberState(StructuresAreWatched);
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CheckWatchdogTimer:
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case Breakpoint:
</span><span class="lines">@@ -1933,7 +1836,6 @@
</span><span class="cx"> case CheckTierUpAndOSREnter:
</span><span class="cx"> case LoopHint:
</span><span class="cx"> // We pretend that it can exit because it may want to get all state.
</span><del>- node->setCanExit(true);
</del><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case ZombieHint:
</span><span class="lines">@@ -2143,7 +2045,7 @@
</span><span class="cx">
</span><span class="cx"> template<typename AbstractStateType>
</span><span class="cx"> FiltrationResult AbstractInterpreter<AbstractStateType>::filterByValue(
</span><del>- AbstractValue& abstractValue, JSValue concreteValue)
</del><ins>+ AbstractValue& abstractValue, FrozenValue concreteValue)
</ins><span class="cx"> {
</span><span class="cx"> if (abstractValue.filterByValue(concreteValue) == FiltrationOK)
</span><span class="cx"> return FiltrationOK;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -47,10 +47,10 @@
</span><span class="cx"> checkConsistency();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void AbstractValue::setMostSpecific(Graph& graph, JSValue value)
</del><ins>+void AbstractValue::setOSREntryValue(Graph& graph, const FrozenValue& value)
</ins><span class="cx"> {
</span><del>- if (!!value && value.isCell()) {
- Structure* structure = value.asCell()->structure();
</del><ins>+ if (!!value && value.value().isCell()) {
+ Structure* structure = value.structure();
</ins><span class="cx"> graph.watchpoints().consider(structure);
</span><span class="cx"> m_structure = structure;
</span><span class="cx"> m_arrayModes = asArrayModes(structure->indexingType());
</span><span class="lines">@@ -59,17 +59,17 @@
</span><span class="cx"> m_arrayModes = 0;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- m_type = speculationFromValue(value);
- m_value = value;
</del><ins>+ m_type = speculationFromValue(value.value());
+ m_value = value.value();
</ins><span class="cx">
</span><span class="cx"> checkConsistency();
</span><span class="cx"> assertIsWatched(graph);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void AbstractValue::set(Graph& graph, JSValue value, StructureClobberState clobberState)
</del><ins>+void AbstractValue::set(Graph& graph, const FrozenValue& value, StructureClobberState clobberState)
</ins><span class="cx"> {
</span><del>- if (!!value && value.isCell()) {
- Structure* structure = value.asCell()->structure();
</del><ins>+ if (!!value && value.value().isCell()) {
+ Structure* structure = value.structure();
</ins><span class="cx"> if (graph.watchpoints().consider(structure)) {
</span><span class="cx"> // We should be able to assume that the watchpoint for this has already been set.
</span><span class="cx"> // But we can't because our view of what structure a value has keeps changing. That's
</span><span class="lines">@@ -90,8 +90,8 @@
</span><span class="cx"> m_arrayModes = 0;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- m_type = speculationFromValue(value);
- m_value = value;
</del><ins>+ m_type = speculationFromValue(value.value());
+ m_value = value.value();
</ins><span class="cx">
</span><span class="cx"> checkConsistency();
</span><span class="cx"> assertIsWatched(graph);
</span><span class="lines">@@ -233,14 +233,47 @@
</span><span class="cx"> return normalizeClarity();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-FiltrationResult AbstractValue::filterByValue(JSValue value)
</del><ins>+FiltrationResult AbstractValue::filterByValue(const FrozenValue& value)
</ins><span class="cx"> {
</span><del>- FiltrationResult result = filter(speculationFromValue(value));
</del><ins>+ FiltrationResult result = filter(speculationFromValue(value.value()));
</ins><span class="cx"> if (m_type)
</span><del>- m_value = value;
</del><ins>+ m_value = value.value();
</ins><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+FiltrationResult AbstractValue::filter(const AbstractValue& other)
+{
+ m_type &= other.m_type;
+ m_structure.filter(other.m_structure);
+ m_arrayModes &= other.m_arrayModes;
+
+ m_structure.filter(m_type);
+ filterArrayModesByType();
+ filterValueByType();
+
+ if (normalizeClarity() == Contradiction)
+ return Contradiction;
+
+ if (m_value == other.m_value)
+ return FiltrationOK;
+
+ // Neither of us are BOTTOM, so an empty value means TOP.
+ if (!m_value) {
+ // We previously didn't prove a value but now we have done so.
+ m_value = other.m_value;
+ return FiltrationOK;
+ }
+
+ if (!other.m_value) {
+ // We had proved a value but the other guy hadn't, so keep our proof.
+ return FiltrationOK;
+ }
+
+ // We both proved there to be a specific value but they are different.
+ clear();
+ return Contradiction;
+}
+
</ins><span class="cx"> void AbstractValue::filterValueByType()
</span><span class="cx"> {
</span><span class="cx"> // We could go further, and ensure that if the futurePossibleStructure contravenes
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx">
</span><span class="cx"> #include "ArrayProfile.h"
</span><span class="cx"> #include "DFGFiltrationResult.h"
</span><ins>+#include "DFGFrozenValue.h"
</ins><span class="cx"> #include "DFGNodeFlags.h"
</span><span class="cx"> #include "DFGStructureAbstractValue.h"
</span><span class="cx"> #include "DFGStructureClobberState.h"
</span><span class="lines">@@ -72,6 +73,11 @@
</span><span class="cx"> makeTop(SpecBytecodeTop);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void makeFullTop()
+ {
+ makeTop(SpecFullTop);
+ }
+
</ins><span class="cx"> void clobberStructures()
</span><span class="cx"> {
</span><span class="cx"> if (m_type & SpecCell) {
</span><span class="lines">@@ -173,8 +179,23 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void setMostSpecific(Graph&, JSValue);
- void set(Graph&, JSValue, StructureClobberState);
</del><ins>+ static AbstractValue bytecodeTop()
+ {
+ AbstractValue result;
+ result.makeBytecodeTop();
+ return result;
+ }
+
+ static AbstractValue fullTop()
+ {
+ AbstractValue result;
+ result.makeFullTop();
+ return result;
+ }
+
+ void setOSREntryValue(Graph&, const FrozenValue&);
+
+ void set(Graph&, const FrozenValue&, StructureClobberState);
</ins><span class="cx"> void set(Graph&, Structure*);
</span><span class="cx"> void set(Graph&, const StructureSet&);
</span><span class="cx">
</span><span class="lines">@@ -257,13 +278,11 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> FiltrationResult filter(Graph&, const StructureSet&);
</span><del>-
</del><span class="cx"> FiltrationResult filterArrayModes(ArrayModes);
</span><del>-
</del><span class="cx"> FiltrationResult filter(SpeculatedType);
</span><ins>+ FiltrationResult filterByValue(const FrozenValue& value);
+ FiltrationResult filter(const AbstractValue&);
</ins><span class="cx">
</span><del>- FiltrationResult filterByValue(JSValue);
-
</del><span class="cx"> bool validate(JSValue value) const
</span><span class="cx"> {
</span><span class="cx"> if (isHeapTop())
</span><span class="lines">@@ -349,7 +368,11 @@
</span><span class="cx"> // implies nothing about the structure. Oddly, JSValue() (i.e. the empty value)
</span><span class="cx"> // means either BOTTOM or TOP depending on the state of m_type: if m_type is
</span><span class="cx"> // BOTTOM then JSValue() means BOTTOM; if m_type is not BOTTOM then JSValue()
</span><del>- // means TOP.
</del><ins>+ // means TOP. Also note that this value isn't necessarily known to the GC
+ // (strongly or even weakly - it may be an "fragile" value, see
+ // DFGValueStrength.h). If you perform any optimization based on a cell m_value
+ // that requires that the value be kept alive, you must call freeze() on that
+ // value, which will turn it into a weak value.
</ins><span class="cx"> JSValue m_value;
</span><span class="cx">
</span><span class="cx"> private:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAdjacencyListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAdjacencyList.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAdjacencyList.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGAdjacencyList.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -65,6 +65,8 @@
</span><span class="cx"> setNumChildren(numChildren);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ bool isEmpty() const { return !child1(); }
+
</ins><span class="cx"> const Edge& child(unsigned i) const
</span><span class="cx"> {
</span><span class="cx"> ASSERT(i < Size);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGArgumentsSimplificationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -208,8 +208,7 @@
</span><span class="cx"> // init_lazy_reg since it treats CreateArguments as reading
</span><span class="cx"> // local variables. That could be fixed, but it's easier to
</span><span class="cx"> // work around this here.
</span><del>- if (source->op() == JSConstant
- && !source->valueOfJSConstant(codeBlock()))
</del><ins>+ if (source->op() == JSConstant && !*source->constant())
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> // If the variable is totally dead, then ignore it.
</span><span class="lines">@@ -511,7 +510,8 @@
</span><span class="cx"> indexInBlock, SpecNone, CheckArgumentsNotCreated, origin);
</span><span class="cx">
</span><span class="cx"> m_graph.convertToConstant(
</span><del>- node, jsNumber(origin.semantic.inlineCallFrame->arguments.size() - 1));
</del><ins>+ node, m_graph.freeze(
+ jsNumber(origin.semantic.inlineCallFrame->arguments.size() - 1)));
</ins><span class="cx"> changed = true;
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -528,12 +528,9 @@
</span><span class="cx"> }
</span><span class="cx"> if (!node->origin.semantic.inlineCallFrame)
</span><span class="cx"> break;
</span><del>- if (!node->child1()->hasConstant())
</del><ins>+ if (!node->child1()->isInt32Constant())
</ins><span class="cx"> break;
</span><del>- JSValue value = node->child1()->valueOfJSConstant(codeBlock());
- if (!value.isInt32())
- break;
- int32_t index = value.asInt32();
</del><ins>+ int32_t index = node->child1()->asInt32();
</ins><span class="cx"> if (index < 0
</span><span class="cx"> || static_cast<size_t>(index + 1) >=
</span><span class="cx"> node->origin.semantic.inlineCallFrame->arguments.size())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAtTailAbstractStatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -32,8 +32,9 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx">
</span><del>-AtTailAbstractState::AtTailAbstractState()
- : m_block(0)
</del><ins>+AtTailAbstractState::AtTailAbstractState(Graph& graph)
+ : m_graph(graph)
+ , m_block(0)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -47,7 +48,7 @@
</span><span class="cx"> AbstractValue& AtTailAbstractState::forNode(Node* node)
</span><span class="cx"> {
</span><span class="cx"> HashMap<Node*, AbstractValue>::iterator iter = m_block->ssa->valuesAtTail.find(node);
</span><del>- ASSERT(iter != m_block->ssa->valuesAtTail.end());
</del><ins>+ DFG_ASSERT(m_graph, node, iter != m_block->ssa->valuesAtTail.end());
</ins><span class="cx"> return iter->value;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAtTailAbstractStateh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -36,7 +36,7 @@
</span><span class="cx">
</span><span class="cx"> class AtTailAbstractState {
</span><span class="cx"> public:
</span><del>- AtTailAbstractState();
</del><ins>+ AtTailAbstractState(Graph&);
</ins><span class="cx">
</span><span class="cx"> ~AtTailAbstractState();
</span><span class="cx">
</span><span class="lines">@@ -63,6 +63,7 @@
</span><span class="cx"> void setFoundConstants(bool) { }
</span><span class="cx">
</span><span class="cx"> private:
</span><ins>+ Graph& m_graph;
</ins><span class="cx"> BasicBlock* m_block;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGBackwardsPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -67,17 +67,17 @@
</span><span class="cx"> private:
</span><span class="cx"> bool isNotNegZero(Node* node)
</span><span class="cx"> {
</span><del>- if (!m_graph.isNumberConstant(node))
</del><ins>+ if (!node->isNumberConstant())
</ins><span class="cx"> return false;
</span><del>- double value = m_graph.valueOfNumberConstant(node);
</del><ins>+ double value = node->asNumber();
</ins><span class="cx"> return (value || 1.0 / value > 0.0);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool isNotPosZero(Node* node)
</span><span class="cx"> {
</span><del>- if (!m_graph.isNumberConstant(node))
</del><ins>+ if (!node->isNumberConstant())
</ins><span class="cx"> return false;
</span><del>- double value = m_graph.valueOfNumberConstant(node);
</del><ins>+ double value = node->asNumber();
</ins><span class="cx"> return (value || 1.0 / value < 0.0);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -85,7 +85,7 @@
</span><span class="cx"> template<int power>
</span><span class="cx"> bool isWithinPowerOfTwoForConstant(Node* node)
</span><span class="cx"> {
</span><del>- JSValue immediateValue = node->valueOfJSConstant(codeBlock());
</del><ins>+ JSValue immediateValue = node->asJSValue();
</ins><span class="cx"> if (!immediateValue.isNumber())
</span><span class="cx"> return false;
</span><span class="cx"> double immediate = immediateValue.asNumber();
</span><span class="lines">@@ -130,7 +130,7 @@
</span><span class="cx"> Node* shiftAmount = node->child2().node();
</span><span class="cx"> if (shiftAmount->op() != JSConstant)
</span><span class="cx"> return false;
</span><del>- JSValue immediateValue = shiftAmount->valueOfJSConstant(codeBlock());
</del><ins>+ JSValue immediateValue = shiftAmount->asJSValue();
</ins><span class="cx"> if (!immediateValue.isInt32())
</span><span class="cx"> return false;
</span><span class="cx"> return immediateValue.asInt32() > 32 - power;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGBasicBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -52,6 +52,8 @@
</span><span class="cx"> , variablesAtTail(numArguments, numLocals)
</span><span class="cx"> , valuesAtHead(numArguments, numLocals)
</span><span class="cx"> , valuesAtTail(numArguments, numLocals)
</span><ins>+ , intersectionOfPastValuesAtHead(numArguments, numLocals, AbstractValue::fullTop())
+ , intersectionOfCFAHasVisited(true)
</ins><span class="cx"> , executionCount(executionCount)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="lines">@@ -64,6 +66,7 @@
</span><span class="cx"> variablesAtTail.ensureLocals(newNumLocals);
</span><span class="cx"> valuesAtHead.ensureLocals(newNumLocals);
</span><span class="cx"> valuesAtTail.ensureLocals(newNumLocals);
</span><ins>+ intersectionOfPastValuesAtHead.ensureLocals(newNumLocals, AbstractValue::fullTop());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool BasicBlock::isInPhis(Node* node) const
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGBasicBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -134,6 +134,26 @@
</span><span class="cx"> Operands<AbstractValue> valuesAtHead;
</span><span class="cx"> Operands<AbstractValue> valuesAtTail;
</span><span class="cx">
</span><ins>+ // The intersection of assumptions we have made previously at the head of this block. Note
+ // that under normal circumstances, each time we run the CFA, we will get strictly more precise
+ // results. But we don't actually require this to be the case. It's fine for the CFA to loosen
+ // up for any odd reason. It's fine when this happens, because anything that the CFA proves
+ // must be true from that point forward, except if some registered watchpoint fires, in which
+ // case the code won't ever run. So, the CFA proving something less precise later on is just an
+ // outcome of the CFA being imperfect; the more precise thing that it had proved earlier is no
+ // less true.
+ //
+ // But for the purpose of OSR entry, we need to make sure that we remember what assumptions we
+ // had used for optimizing any given basic block. That's what this is for.
+ //
+ // It's interesting that we could use this to make the CFA more precise: all future CFAs could
+ // filter their results with this thing to sort of maintain maximal precision. Because we
+ // expect CFA to usually be monotonically more precise each time we run it to fixpoint, this
+ // would not be a productive optimization: it would make setting up a basic block more
+ // expensive and would only benefit bizarre pathological cases.
+ Operands<AbstractValue> intersectionOfPastValuesAtHead;
+ bool intersectionOfCFAHasVisited;
+
</ins><span class="cx"> float executionCount;
</span><span class="cx">
</span><span class="cx"> // These fields are reserved for NaturalLoops.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -132,18 +132,16 @@
</span><span class="cx"> , m_graph(graph)
</span><span class="cx"> , m_currentBlock(0)
</span><span class="cx"> , m_currentIndex(0)
</span><del>- , m_constantUndefined(UINT_MAX)
- , m_constantNull(UINT_MAX)
- , m_constantNaN(UINT_MAX)
- , m_constant1(UINT_MAX)
- , m_constants(m_codeBlock->numberOfConstantRegisters())
</del><ins>+ , m_constantUndefined(graph.freeze(jsUndefined()))
+ , m_constantNull(graph.freeze(jsNull()))
+ , m_constantNaN(graph.freeze(jsNumber(PNaN)))
+ , m_constantOne(graph.freeze(jsNumber(1)))
</ins><span class="cx"> , m_numArguments(m_codeBlock->numParameters())
</span><span class="cx"> , m_numLocals(m_codeBlock->m_numCalleeRegisters)
</span><span class="cx"> , m_parameterSlots(0)
</span><span class="cx"> , m_numPassedVarArgs(0)
</span><span class="cx"> , m_inlineStackTop(0)
</span><span class="cx"> , m_haveBuiltOperandMaps(false)
</span><del>- , m_emptyJSValueIndex(UINT_MAX)
</del><span class="cx"> , m_currentInstruction(0)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(m_profiledBlock);
</span><span class="lines">@@ -194,7 +192,7 @@
</span><span class="cx"> void handlePutById(
</span><span class="cx"> Node* base, unsigned identifierNumber, Node* value, const PutByIdStatus&,
</span><span class="cx"> bool isDirect);
</span><del>- Node* emitPrototypeChecks(Structure*, IntendedStructureChain*);
</del><ins>+ void emitChecks(const ConstantStructureCheckVector&);
</ins><span class="cx">
</span><span class="cx"> Node* getScope(bool skipTop, unsigned skipCount);
</span><span class="cx">
</span><span class="lines">@@ -217,12 +215,7 @@
</span><span class="cx"> // Get/Set the operands/result of a bytecode instruction.
</span><span class="cx"> Node* getDirect(VirtualRegister operand)
</span><span class="cx"> {
</span><del>- // Is this a constant?
- if (operand.isConstant()) {
- unsigned constant = operand.toConstantIndex();
- ASSERT(constant < m_constants.size());
- return getJSConstant(constant);
- }
</del><ins>+ ASSERT(!operand.isConstant());
</ins><span class="cx">
</span><span class="cx"> // Is this an argument?
</span><span class="cx"> if (operand.isArgument())
</span><span class="lines">@@ -234,13 +227,30 @@
</span><span class="cx">
</span><span class="cx"> Node* get(VirtualRegister operand)
</span><span class="cx"> {
</span><ins>+ if (operand.isConstant()) {
+ unsigned constantIndex = operand.toConstantIndex();
+ unsigned oldSize = m_constants.size();
+ if (constantIndex >= oldSize || !m_constants[constantIndex]) {
+ JSValue value = m_inlineStackTop->m_codeBlock->getConstant(operand.offset());
+ if (constantIndex >= oldSize) {
+ m_constants.grow(constantIndex + 1);
+ for (unsigned i = oldSize; i < m_constants.size(); ++i)
+ m_constants[i] = nullptr;
+ }
+ m_constants[constantIndex] =
+ addToGraph(JSConstant, OpInfo(m_graph.freezeStrong(value)));
+ }
+ ASSERT(m_constants[constantIndex]);
+ return m_constants[constantIndex];
+ }
+
</ins><span class="cx"> if (inlineCallFrame()) {
</span><span class="cx"> if (!inlineCallFrame()->isClosureCall) {
</span><span class="cx"> JSFunction* callee = inlineCallFrame()->calleeConstant();
</span><span class="cx"> if (operand.offset() == JSStack::Callee)
</span><del>- return cellConstant(callee);
</del><ins>+ return weakJSConstant(callee);
</ins><span class="cx"> if (operand.offset() == JSStack::ScopeChain)
</span><del>- return cellConstant(callee->scope());
</del><ins>+ return weakJSConstant(callee->scope());
</ins><span class="cx"> }
</span><span class="cx"> } else if (operand.offset() == JSStack::Callee)
</span><span class="cx"> return addToGraph(GetCallee);
</span><span class="lines">@@ -309,14 +319,7 @@
</span><span class="cx"> if (JSValue value = set->inferredValue()) {
</span><span class="cx"> addToGraph(FunctionReentryWatchpoint, OpInfo(m_codeBlock->symbolTable()));
</span><span class="cx"> addToGraph(VariableWatchpoint, OpInfo(set));
</span><del>- // Note: this is very special from an OSR exit standpoint. We wouldn't be
- // able to do this for most locals, but it works here because we're dealing
- // with a flushed local. For most locals we would need to issue a GetLocal
- // here and ensure that we have uses in DFG IR wherever there would have
- // been uses in bytecode. Clearly this optimization does not do this. But
- // that's fine, because we don't need to track liveness for captured
- // locals, and this optimization only kicks in for captured locals.
- return inferredConstant(value);
</del><ins>+ return weakJSConstant(value);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="lines">@@ -367,8 +370,7 @@
</span><span class="cx">
</span><span class="cx"> VariableAccessData* variableAccessData = newVariableAccessData(operand, isCaptured);
</span><span class="cx"> variableAccessData->mergeStructureCheckHoistingFailed(
</span><del>- m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)
- || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCacheWatchpoint));
</del><ins>+ m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache));
</ins><span class="cx"> variableAccessData->mergeCheckArrayHoistingFailed(
</span><span class="cx"> m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIndexingType));
</span><span class="cx"> Node* node = addToGraph(SetLocal, OpInfo(variableAccessData), value);
</span><span class="lines">@@ -424,8 +426,7 @@
</span><span class="cx"> variableAccessData->mergeShouldNeverUnbox(true);
</span><span class="cx">
</span><span class="cx"> variableAccessData->mergeStructureCheckHoistingFailed(
</span><del>- m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)
- || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCacheWatchpoint));
</del><ins>+ m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache));
</ins><span class="cx"> variableAccessData->mergeCheckArrayHoistingFailed(
</span><span class="cx"> m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIndexingType));
</span><span class="cx"> Node* node = addToGraph(SetLocal, OpInfo(variableAccessData), value);
</span><span class="lines">@@ -466,18 +467,6 @@
</span><span class="cx"> return findArgumentPositionForLocal(operand);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void addConstant(JSValue value)
- {
- unsigned constantIndex = m_codeBlock->addConstantLazily();
- initializeLazyWriteBarrierForConstant(
- m_graph.m_plan.writeBarriers,
- m_codeBlock->constants()[constantIndex],
- m_codeBlock,
- constantIndex,
- m_codeBlock->ownerExecutable(),
- value);
- }
-
</del><span class="cx"> void flush(VirtualRegister operand)
</span><span class="cx"> {
</span><span class="cx"> flushDirect(m_inlineStackTop->remapOperand(operand));
</span><span class="lines">@@ -554,32 +543,15 @@
</span><span class="cx"> flushForTerminal();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- // NOTE: Only use this to construct constants that arise from non-speculative
- // constant folding. I.e. creating constants using this if we had constant
- // field inference would be a bad idea, since the bytecode parser's folding
- // doesn't handle liveness preservation.
- Node* getJSConstantForValue(JSValue constantValue)
</del><ins>+ // Assumes that the constant should be strongly marked.
+ Node* jsConstant(JSValue constantValue)
</ins><span class="cx"> {
</span><del>- unsigned constantIndex;
- if (!m_codeBlock->findConstant(constantValue, constantIndex)) {
- addConstant(constantValue);
- m_constants.append(ConstantRecord());
- }
-
- ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
-
- return getJSConstant(constantIndex);
</del><ins>+ return addToGraph(JSConstant, OpInfo(m_graph.freezeStrong(constantValue)));
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- Node* getJSConstant(unsigned constant)
</del><ins>+ Node* weakJSConstant(JSValue constantValue)
</ins><span class="cx"> {
</span><del>- Node* node = m_constants[constant].asJSValue;
- if (node)
- return node;
-
- Node* result = addToGraph(JSConstant, OpInfo(constant));
- m_constants[constant].asJSValue = result;
- return result;
</del><ins>+ return addToGraph(JSConstant, OpInfo(m_graph.freeze(constantValue)));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Helper functions to get/set the this value.
</span><span class="lines">@@ -593,149 +565,6 @@
</span><span class="cx"> set(m_inlineStackTop->m_codeBlock->thisRegister(), value);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- // Convenience methods for checking nodes for constants.
- bool isJSConstant(Node* node)
- {
- return node->op() == JSConstant;
- }
- bool isInt32Constant(Node* node)
- {
- return isJSConstant(node) && valueOfJSConstant(node).isInt32();
- }
- // Convenience methods for getting constant values.
- JSValue valueOfJSConstant(Node* node)
- {
- ASSERT(isJSConstant(node));
- return m_codeBlock->getConstant(FirstConstantRegisterIndex + node->constantNumber());
- }
- int32_t valueOfInt32Constant(Node* node)
- {
- ASSERT(isInt32Constant(node));
- return valueOfJSConstant(node).asInt32();
- }
-
- // This method returns a JSConstant with the value 'undefined'.
- Node* constantUndefined()
- {
- // Has m_constantUndefined been set up yet?
- if (m_constantUndefined == UINT_MAX) {
- // Search the constant pool for undefined, if we find it, we can just reuse this!
- unsigned numberOfConstants = m_codeBlock->numberOfConstantRegisters();
- for (m_constantUndefined = 0; m_constantUndefined < numberOfConstants; ++m_constantUndefined) {
- JSValue testMe = m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantUndefined);
- if (testMe.isUndefined())
- return getJSConstant(m_constantUndefined);
- }
-
- // Add undefined to the CodeBlock's constants, and add a corresponding slot in m_constants.
- ASSERT(m_constants.size() == numberOfConstants);
- addConstant(jsUndefined());
- m_constants.append(ConstantRecord());
- ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
- }
-
- // m_constantUndefined must refer to an entry in the CodeBlock's constant pool that has the value 'undefined'.
- ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantUndefined).isUndefined());
- return getJSConstant(m_constantUndefined);
- }
-
- // This method returns a JSConstant with the value 'null'.
- Node* constantNull()
- {
- // Has m_constantNull been set up yet?
- if (m_constantNull == UINT_MAX) {
- // Search the constant pool for null, if we find it, we can just reuse this!
- unsigned numberOfConstants = m_codeBlock->numberOfConstantRegisters();
- for (m_constantNull = 0; m_constantNull < numberOfConstants; ++m_constantNull) {
- JSValue testMe = m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNull);
- if (testMe.isNull())
- return getJSConstant(m_constantNull);
- }
-
- // Add null to the CodeBlock's constants, and add a corresponding slot in m_constants.
- ASSERT(m_constants.size() == numberOfConstants);
- addConstant(jsNull());
- m_constants.append(ConstantRecord());
- ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
- }
-
- // m_constantNull must refer to an entry in the CodeBlock's constant pool that has the value 'null'.
- ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNull).isNull());
- return getJSConstant(m_constantNull);
- }
-
- // This method returns a DoubleConstant with the value 1.
- Node* one()
- {
- // Has m_constant1 been set up yet?
- if (m_constant1 == UINT_MAX) {
- // Search the constant pool for the value 1, if we find it, we can just reuse this!
- unsigned numberOfConstants = m_codeBlock->numberOfConstantRegisters();
- for (m_constant1 = 0; m_constant1 < numberOfConstants; ++m_constant1) {
- JSValue testMe = m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constant1);
- if (testMe.isInt32() && testMe.asInt32() == 1)
- return getJSConstant(m_constant1);
- }
-
- // Add the value 1 to the CodeBlock's constants, and add a corresponding slot in m_constants.
- ASSERT(m_constants.size() == numberOfConstants);
- addConstant(jsNumber(1));
- m_constants.append(ConstantRecord());
- ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
- }
-
- // m_constant1 must refer to an entry in the CodeBlock's constant pool that has the integer value 1.
- ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constant1).isInt32());
- ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constant1).asInt32() == 1);
- return getJSConstant(m_constant1);
- }
-
- // This method returns a DoubleConstant with the value NaN.
- Node* constantNaN()
- {
- JSValue nan = jsNaN();
-
- // Has m_constantNaN been set up yet?
- if (m_constantNaN == UINT_MAX) {
- // Search the constant pool for the value NaN, if we find it, we can just reuse this!
- unsigned numberOfConstants = m_codeBlock->numberOfConstantRegisters();
- for (m_constantNaN = 0; m_constantNaN < numberOfConstants; ++m_constantNaN) {
- JSValue testMe = m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNaN);
- if (JSValue::encode(testMe) == JSValue::encode(nan))
- return getJSConstant(m_constantNaN);
- }
-
- // Add the value nan to the CodeBlock's constants, and add a corresponding slot in m_constants.
- ASSERT(m_constants.size() == numberOfConstants);
- addConstant(nan);
- m_constants.append(ConstantRecord());
- ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
- }
-
- // m_constantNaN must refer to an entry in the CodeBlock's constant pool that has the value nan.
- ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNaN).isDouble());
- ASSERT(std::isnan(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNaN).asDouble()));
- return getJSConstant(m_constantNaN);
- }
-
- Node* cellConstant(JSCell* cell)
- {
- HashMap<JSCell*, Node*>::AddResult result = m_cellConstantNodes.add(cell, nullptr);
- if (result.isNewEntry) {
- ASSERT(!Heap::isZombified(cell));
- result.iterator->value = addToGraph(WeakJSConstant, OpInfo(cell));
- }
-
- return result.iterator->value;
- }
-
- Node* inferredConstant(JSValue value)
- {
- if (value.isCell())
- return cellConstant(value.asCell());
- return getJSConstantForValue(value);
- }
-
</del><span class="cx"> InlineCallFrame* inlineCallFrame()
</span><span class="cx"> {
</span><span class="cx"> return m_inlineStackTop->m_inlineCallFrame;
</span><span class="lines">@@ -820,7 +649,7 @@
</span><span class="cx"> if (parameterSlots > m_parameterSlots)
</span><span class="cx"> m_parameterSlots = parameterSlots;
</span><span class="cx">
</span><del>- int dummyThisArgument = op == Call ? 0 : 1;
</del><ins>+ int dummyThisArgument = op == Call || op == NativeCall ? 0 : 1;
</ins><span class="cx"> for (int i = 0 + dummyThisArgument; i < argCount; ++i)
</span><span class="cx"> addVarArgChild(get(virtualRegisterForArgument(i, registerOffset)));
</span><span class="cx">
</span><span class="lines">@@ -831,16 +660,11 @@
</span><span class="cx">
</span><span class="cx"> Node* cellConstantWithStructureCheck(JSCell* object, Structure* structure)
</span><span class="cx"> {
</span><del>- Node* objectNode = cellConstant(object);
</del><ins>+ Node* objectNode = weakJSConstant(object);
</ins><span class="cx"> addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(structure)), objectNode);
</span><span class="cx"> return objectNode;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- Node* cellConstantWithStructureCheck(JSCell* object)
- {
- return cellConstantWithStructureCheck(object, object->structure());
- }
-
</del><span class="cx"> SpeculatedType getPredictionWithoutOSRExit(unsigned bytecodeIndex)
</span><span class="cx"> {
</span><span class="cx"> ConcurrentJITLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
</span><span class="lines">@@ -971,22 +795,6 @@
</span><span class="cx"> return node;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool structureChainIsStillValid(bool direct, Structure* previousStructure, StructureChain* chain)
- {
- if (direct)
- return true;
-
- if (!previousStructure->storedPrototype().isNull() && previousStructure->storedPrototype().asCell()->structure() != chain->head()->get())
- return false;
-
- for (WriteBarrier<Structure>* it = chain->head(); *it; ++it) {
- if (!(*it)->storedPrototype().isNull() && (*it)->storedPrototype().asCell()->structure() != it[1].get())
- return false;
- }
-
- return true;
- }
-
</del><span class="cx"> void buildOperandMapsIfNecessary();
</span><span class="cx">
</span><span class="cx"> VM* m_vm;
</span><span class="lines">@@ -999,37 +807,12 @@
</span><span class="cx"> // The bytecode index of the current instruction being generated.
</span><span class="cx"> unsigned m_currentIndex;
</span><span class="cx">
</span><del>- // We use these values during code generation, and to avoid the need for
- // special handling we make sure they are available as constants in the
- // CodeBlock's constant pool. These variables are initialized to
- // UINT_MAX, and lazily updated to hold an index into the CodeBlock's
- // constant pool, as necessary.
- unsigned m_constantUndefined;
- unsigned m_constantNull;
- unsigned m_constantNaN;
- unsigned m_constant1;
- HashMap<JSCell*, unsigned> m_cellConstants;
- HashMap<JSCell*, Node*> m_cellConstantNodes;
</del><ins>+ FrozenValue* m_constantUndefined;
+ FrozenValue* m_constantNull;
+ FrozenValue* m_constantNaN;
+ FrozenValue* m_constantOne;
+ Vector<Node*, 16> m_constants;
</ins><span class="cx">
</span><del>- // A constant in the constant pool may be represented by more than one
- // node in the graph, depending on the context in which it is being used.
- struct ConstantRecord {
- ConstantRecord()
- : asInt32(0)
- , asNumeric(0)
- , asJSValue(0)
- {
- }
-
- Node* asInt32;
- Node* asNumeric;
- Node* asJSValue;
- };
-
- // Track the index of the node whose result is the current value for every
- // register value in the bytecode - argument, local, and temporary.
- Vector<ConstantRecord, 16> m_constants;
-
</del><span class="cx"> // The number of arguments passed to the function.
</span><span class="cx"> unsigned m_numArguments;
</span><span class="cx"> // The number of locals (vars + temporaries) used in the function.
</span><span class="lines">@@ -1063,7 +846,6 @@
</span><span class="cx"> // (the machine code block, which is the transitive, though not necessarily
</span><span class="cx"> // direct, caller).
</span><span class="cx"> Vector<unsigned> m_identifierRemap;
</span><del>- Vector<unsigned> m_constantRemap;
</del><span class="cx"> Vector<unsigned> m_constantBufferRemap;
</span><span class="cx"> Vector<unsigned> m_switchRemap;
</span><span class="cx">
</span><span class="lines">@@ -1134,11 +916,7 @@
</span><span class="cx"> if (!m_inlineCallFrame)
</span><span class="cx"> return operand;
</span><span class="cx">
</span><del>- if (operand.isConstant()) {
- VirtualRegister result = VirtualRegister(m_constantRemap[operand.toConstantIndex()]);
- ASSERT(result.isConstant());
- return result;
- }
</del><ins>+ ASSERT(!operand.isConstant());
</ins><span class="cx">
</span><span class="cx"> return VirtualRegister(operand.offset() + m_inlineCallFrame->stackOffset);
</span><span class="cx"> }
</span><span class="lines">@@ -1172,11 +950,6 @@
</span><span class="cx"> bool m_haveBuiltOperandMaps;
</span><span class="cx"> // Mapping between identifier names and numbers.
</span><span class="cx"> BorrowedIdentifierMap m_identifierMap;
</span><del>- // Mapping between values and constant numbers.
- JSValueMap m_jsValueMap;
- // Index of the empty value, or UINT_MAX if there is no mapping. This is a horrible
- // work-around for the fact that JSValueMap can't handle "empty" values.
- unsigned m_emptyJSValueIndex;
</del><span class="cx">
</span><span class="cx"> CodeBlock* m_dfgCodeBlock;
</span><span class="cx"> CallLinkStatus::ContextMap m_callContextMap;
</span><span class="lines">@@ -1224,10 +997,8 @@
</span><span class="cx"> ASSERT(registerOffset <= 0);
</span><span class="cx"> CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);
</span><span class="cx">
</span><del>- if (m_graph.isConstant(callTarget)) {
- callLinkStatus = CallLinkStatus(
- m_graph.valueOfJSConstant(callTarget)).setIsProved(true);
- }
</del><ins>+ if (callTarget->hasConstant())
+ callLinkStatus = CallLinkStatus(callTarget->asJSValue()).setIsProved(true);
</ins><span class="cx">
</span><span class="cx"> if (!callLinkStatus.canOptimize()) {
</span><span class="cx"> // Oddly, this conflates calls that haven't executed with calls that behaved sufficiently polymorphically
</span><span class="lines">@@ -1273,13 +1044,24 @@
</span><span class="cx"> if (m_graph.compilation())
</span><span class="cx"> m_graph.compilation()->noticeInlinedCall();
</span><span class="cx"> return;
</span><del>- } else if (JSFunction* function = callLinkStatus.function())
- if (function->isHostFunction()) {
</del><ins>+ } else if (isFTL(m_graph.m_plan.mode)) {
+ JSFunction* function = callLinkStatus.function();
+ if (function && function->isHostFunction()) {
</ins><span class="cx"> emitFunctionChecks(callLinkStatus, callTarget, registerOffset, specializationKind);
</span><span class="cx"> knownFunction = function;
</span><ins>+
+ if (op == Call)
+ op = NativeCall;
+ else {
+ ASSERT(op == Construct);
+ op = NativeConstruct;
+ }
</ins><span class="cx"> }
</span><del>-
- addCall(result, op, callTarget, argumentCountIncludingThis, registerOffset)->giveKnownFunction(knownFunction);
</del><ins>+ }
+ Node* call = addCall(result, op, callTarget, argumentCountIncludingThis, registerOffset);
+
+ if (knownFunction)
+ call->giveKnownFunction(knownFunction);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ByteCodeParser::emitFunctionChecks(const CallLinkStatus& callLinkStatus, Node* callTarget, int registerOffset, CodeSpecializationKind kind)
</span><span class="lines">@@ -1298,7 +1080,7 @@
</span><span class="cx"> ASSERT(callLinkStatus.canOptimize());
</span><span class="cx">
</span><span class="cx"> if (JSFunction* function = callLinkStatus.function())
</span><del>- addToGraph(CheckFunction, OpInfo(function), callTarget, thisArgument);
</del><ins>+ addToGraph(CheckFunction, OpInfo(m_graph.freeze(function)), callTarget, thisArgument);
</ins><span class="cx"> else {
</span><span class="cx"> ASSERT(callLinkStatus.structure());
</span><span class="cx"> ASSERT(callLinkStatus.executable());
</span><span class="lines">@@ -1455,6 +1237,7 @@
</span><span class="cx"> m_graph.m_inlineVariableData.append(inlineVariableData);
</span><span class="cx">
</span><span class="cx"> parseCodeBlock();
</span><ins>+ prepareToParseBlock(); // Reset our state now that we're back to the outer code.
</ins><span class="cx">
</span><span class="cx"> m_currentIndex = oldIndex;
</span><span class="cx">
</span><span class="lines">@@ -1544,7 +1327,7 @@
</span><span class="cx"> bool ByteCodeParser::handleMinMax(int resultOperand, NodeType op, int registerOffset, int argumentCountIncludingThis)
</span><span class="cx"> {
</span><span class="cx"> if (argumentCountIncludingThis == 1) { // Math.min()
</span><del>- set(VirtualRegister(resultOperand), constantNaN());
</del><ins>+ set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantNaN)));
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1569,7 +1352,7 @@
</span><span class="cx"> switch (intrinsic) {
</span><span class="cx"> case AbsIntrinsic: {
</span><span class="cx"> if (argumentCountIncludingThis == 1) { // Math.abs()
</span><del>- set(VirtualRegister(resultOperand), constantNaN());
</del><ins>+ set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantNaN)));
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1593,7 +1376,7 @@
</span><span class="cx"> case CosIntrinsic:
</span><span class="cx"> case SinIntrinsic: {
</span><span class="cx"> if (argumentCountIncludingThis == 1) {
</span><del>- set(VirtualRegister(resultOperand), constantNaN());
</del><ins>+ set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantNaN)));
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1740,19 +1523,19 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case DFGTrueIntrinsic: {
</span><del>- set(VirtualRegister(resultOperand), getJSConstantForValue(jsBoolean(true)));
</del><ins>+ set(VirtualRegister(resultOperand), jsConstant(jsBoolean(true)));
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case OSRExitIntrinsic: {
</span><span class="cx"> addToGraph(ForceOSRExit);
</span><del>- set(VirtualRegister(resultOperand), constantUndefined());
</del><ins>+ set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantUndefined)));
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case IsFinalTierIntrinsic: {
</span><span class="cx"> set(VirtualRegister(resultOperand),
</span><del>- getJSConstantForValue(jsBoolean(Options::useFTLJIT() ? isFTL(m_graph.m_plan.mode) : true)));
</del><ins>+ jsConstant(jsBoolean(Options::useFTLJIT() ? isFTL(m_graph.m_plan.mode) : true)));
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1762,7 +1545,7 @@
</span><span class="cx"> if (node->hasHeapPrediction())
</span><span class="cx"> node->setHeapPrediction(SpecInt32);
</span><span class="cx"> }
</span><del>- set(VirtualRegister(resultOperand), constantUndefined());
</del><ins>+ set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantUndefined)));
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1868,7 +1651,7 @@
</span><span class="cx"> Node* result;
</span><span class="cx">
</span><span class="cx"> if (argumentCountIncludingThis <= 1)
</span><del>- result = cellConstant(m_vm->smallStrings.emptyString());
</del><ins>+ result = jsConstant(m_vm->smallStrings.emptyString());
</ins><span class="cx"> else
</span><span class="cx"> result = addToGraph(ToString, get(virtualRegisterForArgument(1, registerOffset)));
</span><span class="cx">
</span><span class="lines">@@ -1924,20 +1707,10 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Node* ByteCodeParser::emitPrototypeChecks(
- Structure* structure, IntendedStructureChain* chain)
</del><ins>+void ByteCodeParser::emitChecks(const ConstantStructureCheckVector& vector)
</ins><span class="cx"> {
</span><del>- ASSERT(structure);
- Node* base = 0;
- m_graph.chains().addLazily(chain);
- Structure* currentStructure = structure;
- JSObject* currentObject = 0;
- for (unsigned i = 0; i < chain->size(); ++i) {
- currentObject = asObject(currentStructure->prototypeForLookup(m_inlineStackTop->m_codeBlock));
- currentStructure = chain->at(i);
- base = cellConstantWithStructureCheck(currentObject, currentStructure);
- }
- return base;
</del><ins>+ for (unsigned i = 0; i < vector.size(); ++i)
+ cellConstantWithStructureCheck(vector[i].constant(), vector[i].structure());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ByteCodeParser::handleGetById(
</span><span class="lines">@@ -1966,13 +1739,8 @@
</span><span class="cx"> // 1) Emit prototype structure checks for all chains. This could sort of maybe not be
</span><span class="cx"> // optimal, if there is some rarely executed case in the chain that requires a lot
</span><span class="cx"> // of checks and those checks are not watchpointable.
</span><del>- for (unsigned variantIndex = getByIdStatus.numVariants(); variantIndex--;) {
- if (getByIdStatus[variantIndex].chain()) {
- emitPrototypeChecks(
- getByIdStatus[variantIndex].structureSet().onlyStructure(),
- getByIdStatus[variantIndex].chain());
- }
- }
</del><ins>+ for (unsigned variantIndex = getByIdStatus.numVariants(); variantIndex--;)
+ emitChecks(getByIdStatus[variantIndex].constantChecks());
</ins><span class="cx">
</span><span class="cx"> // 2) Emit a MultiGetByOffset
</span><span class="cx"> MultiGetByOffsetData* data = m_graph.m_multiGetByOffsetData.add();
</span><span class="lines">@@ -1993,10 +1761,10 @@
</span><span class="cx">
</span><span class="cx"> addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(variant.structureSet())), base);
</span><span class="cx">
</span><del>- if (variant.chain()) {
- base = emitPrototypeChecks(
- variant.structureSet().onlyStructure(), variant.chain());
- }
</del><ins>+ emitChecks(variant.constantChecks());
+
+ if (variant.alternateBase())
+ base = weakJSConstant(variant.alternateBase());
</ins><span class="cx">
</span><span class="cx"> // Unless we want bugs like https://bugs.webkit.org/show_bug.cgi?id=88783, we need to
</span><span class="cx"> // ensure that the base of the original get_by_id is kept alive until we're done with
</span><span class="lines">@@ -2009,7 +1777,7 @@
</span><span class="cx">
</span><span class="cx"> Node* loadedValue;
</span><span class="cx"> if (variant.specificValue())
</span><del>- loadedValue = cellConstant(variant.specificValue().asCell());
</del><ins>+ loadedValue = weakJSConstant(variant.specificValue());
</ins><span class="cx"> else {
</span><span class="cx"> loadedValue = handleGetByOffset(
</span><span class="cx"> prediction, base, identifierNumber, variant.offset(),
</span><span class="lines">@@ -2093,11 +1861,7 @@
</span><span class="cx"> for (unsigned variantIndex = putByIdStatus.numVariants(); variantIndex--;) {
</span><span class="cx"> if (putByIdStatus[variantIndex].kind() != PutByIdVariant::Transition)
</span><span class="cx"> continue;
</span><del>- if (!putByIdStatus[variantIndex].structureChain())
- continue;
- emitPrototypeChecks(
- putByIdStatus[variantIndex].oldStructure(),
- putByIdStatus[variantIndex].structureChain());
</del><ins>+ emitChecks(putByIdStatus[variantIndex].constantChecks());
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -2124,16 +1888,8 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (variant.structureChain() && !variant.structureChain()->isStillValid()) {
- emitPutById(base, identifierNumber, value, putByIdStatus, isDirect);
- return;
- }
-
- m_graph.chains().addLazily(variant.structureChain());
-
</del><span class="cx"> addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(variant.oldStructure())), base);
</span><del>- if (!isDirect)
- emitPrototypeChecks(variant.oldStructure(), variant.structureChain());
</del><ins>+ emitChecks(variant.constantChecks());
</ins><span class="cx">
</span><span class="cx"> ASSERT(variant.oldStructure()->transitionWatchpointSetHasBeenInvalidated());
</span><span class="cx">
</span><span class="lines">@@ -2183,9 +1939,7 @@
</span><span class="cx">
</span><span class="cx"> void ByteCodeParser::prepareToParseBlock()
</span><span class="cx"> {
</span><del>- for (unsigned i = 0; i < m_constants.size(); ++i)
- m_constants[i] = ConstantRecord();
- m_cellConstantNodes.clear();
</del><ins>+ m_constants.resize(0);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> Node* ByteCodeParser::getScope(bool skipTop, unsigned skipCount)
</span><span class="lines">@@ -2217,8 +1971,7 @@
</span><span class="cx"> VariableAccessData* variable = newVariableAccessData(
</span><span class="cx"> virtualRegisterForArgument(argument), m_codeBlock->isCaptured(virtualRegisterForArgument(argument)));
</span><span class="cx"> variable->mergeStructureCheckHoistingFailed(
</span><del>- m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)
- || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCacheWatchpoint));
</del><ins>+ m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache));
</ins><span class="cx"> variable->mergeCheckArrayHoistingFailed(
</span><span class="cx"> m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIndexingType));
</span><span class="cx">
</span><span class="lines">@@ -2264,13 +2017,15 @@
</span><span class="cx">
</span><span class="cx"> // === Function entry opcodes ===
</span><span class="cx">
</span><del>- case op_enter:
</del><ins>+ case op_enter: {
+ Node* undefined = addToGraph(JSConstant, OpInfo(m_constantUndefined));
</ins><span class="cx"> // Initialize all locals to undefined.
</span><span class="cx"> for (int i = 0; i < m_inlineStackTop->m_codeBlock->m_numVars; ++i)
</span><del>- set(virtualRegisterForLocal(i), constantUndefined(), ImmediateNakedSet);
</del><ins>+ set(virtualRegisterForLocal(i), undefined, ImmediateNakedSet);
</ins><span class="cx"> if (m_inlineStackTop->m_codeBlock->specializationKind() == CodeForConstruct)
</span><del>- set(virtualRegisterForArgument(0), constantUndefined(), ImmediateNakedSet);
</del><ins>+ set(virtualRegisterForArgument(0), undefined, ImmediateNakedSet);
</ins><span class="cx"> NEXT_OPCODE(op_enter);
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> case op_touch_entry:
</span><span class="cx"> if (m_inlineStackTop->m_codeBlock->symbolTable()->m_functionEnteredOnce.isStillValid())
</span><span class="lines">@@ -2285,7 +2040,6 @@
</span><span class="cx"> || cachedStructure->classInfo()->methodTable.toThis != JSObject::info()->methodTable.toThis
</span><span class="cx"> || m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
</span><span class="cx"> || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)
</span><del>- || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCacheWatchpoint)
</del><span class="cx"> || (op1->op() == GetLocal && op1->variableAccessData()->structureCheckHoistingFailed())) {
</span><span class="cx"> setThis(addToGraph(ToThis, op1));
</span><span class="cx"> } else {
</span><span class="lines">@@ -2302,13 +2056,9 @@
</span><span class="cx"> int calleeOperand = currentInstruction[2].u.operand;
</span><span class="cx"> Node* callee = get(VirtualRegister(calleeOperand));
</span><span class="cx"> bool alreadyEmitted = false;
</span><del>- if (callee->op() == WeakJSConstant) {
- JSCell* cell = callee->weakConstant();
- ASSERT(cell->inherits(JSFunction::info()));
-
- JSFunction* function = jsCast<JSFunction*>(cell);
</del><ins>+ if (JSFunction* function = callee->dynamicCastConstant<JSFunction*>()) {
</ins><span class="cx"> if (Structure* structure = function->allocationStructure()) {
</span><del>- addToGraph(AllocationProfileWatchpoint, OpInfo(function));
</del><ins>+ addToGraph(AllocationProfileWatchpoint, OpInfo(m_graph.freeze(function)));
</ins><span class="cx"> // The callee is still live up to this point.
</span><span class="cx"> addToGraph(Phantom, callee);
</span><span class="cx"> set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(NewObject, OpInfo(structure)));
</span><span class="lines">@@ -2380,10 +2130,11 @@
</span><span class="cx"> || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadFunction)) {
</span><span class="cx"> set(VirtualRegister(currentInstruction[1].u.operand), get(VirtualRegister(JSStack::Callee)));
</span><span class="cx"> } else {
</span><ins>+ FrozenValue* frozen = m_graph.freeze(cachedFunction);
</ins><span class="cx"> ASSERT(cachedFunction->inherits(JSFunction::info()));
</span><span class="cx"> Node* actualCallee = get(VirtualRegister(JSStack::Callee));
</span><del>- addToGraph(CheckFunction, OpInfo(cachedFunction), actualCallee);
- set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(WeakJSConstant, OpInfo(cachedFunction)));
</del><ins>+ addToGraph(CheckFunction, OpInfo(frozen), actualCallee);
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(JSConstant, OpInfo(frozen)));
</ins><span class="cx"> }
</span><span class="cx"> NEXT_OPCODE(op_get_callee);
</span><span class="cx"> }
</span><span class="lines">@@ -2447,7 +2198,7 @@
</span><span class="cx"> int srcDst = currentInstruction[1].u.operand;
</span><span class="cx"> VirtualRegister srcDstVirtualRegister = VirtualRegister(srcDst);
</span><span class="cx"> Node* op = get(srcDstVirtualRegister);
</span><del>- set(srcDstVirtualRegister, makeSafe(addToGraph(ArithAdd, op, one())));
</del><ins>+ set(srcDstVirtualRegister, makeSafe(addToGraph(ArithAdd, op, addToGraph(JSConstant, OpInfo(m_constantOne)))));
</ins><span class="cx"> NEXT_OPCODE(op_inc);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -2455,7 +2206,7 @@
</span><span class="cx"> int srcDst = currentInstruction[1].u.operand;
</span><span class="cx"> VirtualRegister srcDstVirtualRegister = VirtualRegister(srcDst);
</span><span class="cx"> Node* op = get(srcDstVirtualRegister);
</span><del>- set(srcDstVirtualRegister, makeSafe(addToGraph(ArithSub, op, one())));
</del><ins>+ set(srcDstVirtualRegister, makeSafe(addToGraph(ArithSub, op, addToGraph(JSConstant, OpInfo(m_constantOne)))));
</ins><span class="cx"> NEXT_OPCODE(op_dec);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -2672,7 +2423,7 @@
</span><span class="cx">
</span><span class="cx"> case op_eq_null: {
</span><span class="cx"> Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
</span><del>- set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(CompareEqConstant, value, constantNull()));
</del><ins>+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(CompareEqConstant, value, addToGraph(JSConstant, OpInfo(m_constantNull))));
</ins><span class="cx"> NEXT_OPCODE(op_eq_null);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -2692,7 +2443,7 @@
</span><span class="cx">
</span><span class="cx"> case op_neq_null: {
</span><span class="cx"> Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
</span><del>- set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(LogicalNot, addToGraph(CompareEqConstant, value, constantNull())));
</del><ins>+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(LogicalNot, addToGraph(CompareEqConstant, value, addToGraph(JSConstant, OpInfo(m_constantNull)))));
</ins><span class="cx"> NEXT_OPCODE(op_neq_null);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -2817,7 +2568,7 @@
</span><span class="cx"> case op_jeq_null: {
</span><span class="cx"> unsigned relativeOffset = currentInstruction[2].u.operand;
</span><span class="cx"> Node* value = get(VirtualRegister(currentInstruction[1].u.operand));
</span><del>- Node* condition = addToGraph(CompareEqConstant, value, constantNull());
</del><ins>+ Node* condition = addToGraph(CompareEqConstant, value, addToGraph(JSConstant, OpInfo(m_constantNull)));
</ins><span class="cx"> addToGraph(Branch, OpInfo(branchData(m_currentIndex + relativeOffset, m_currentIndex + OPCODE_LENGTH(op_jeq_null))), condition);
</span><span class="cx"> LAST_OPCODE(op_jeq_null);
</span><span class="cx"> }
</span><span class="lines">@@ -2825,7 +2576,7 @@
</span><span class="cx"> case op_jneq_null: {
</span><span class="cx"> unsigned relativeOffset = currentInstruction[2].u.operand;
</span><span class="cx"> Node* value = get(VirtualRegister(currentInstruction[1].u.operand));
</span><del>- Node* condition = addToGraph(CompareEqConstant, value, constantNull());
</del><ins>+ Node* condition = addToGraph(CompareEqConstant, value, addToGraph(JSConstant, OpInfo(m_constantNull)));
</ins><span class="cx"> addToGraph(Branch, OpInfo(branchData(m_currentIndex + OPCODE_LENGTH(op_jneq_null), m_currentIndex + relativeOffset)), condition);
</span><span class="cx"> LAST_OPCODE(op_jneq_null);
</span><span class="cx"> }
</span><span class="lines">@@ -2914,7 +2665,7 @@
</span><span class="cx"> unsigned target = m_currentIndex + table.branchOffsets[i];
</span><span class="cx"> if (target == data.fallThrough.bytecodeIndex())
</span><span class="cx"> continue;
</span><del>- data.cases.append(SwitchCase::withBytecodeIndex(jsNumber(static_cast<int32_t>(table.min + i)), target));
</del><ins>+ data.cases.append(SwitchCase::withBytecodeIndex(m_graph.freeze(jsNumber(static_cast<int32_t>(table.min + i))), target));
</ins><span class="cx"> }
</span><span class="cx"> flushIfTerminal(data);
</span><span class="cx"> addToGraph(Switch, OpInfo(&data), get(VirtualRegister(currentInstruction[3].u.operand)));
</span><span class="lines">@@ -3065,7 +2816,8 @@
</span><span class="cx"> ASSERT(pointerIsFunction(currentInstruction[2].u.specialPointer));
</span><span class="cx"> addToGraph(
</span><span class="cx"> CheckFunction,
</span><del>- OpInfo(actualPointerFor(m_inlineStackTop->m_codeBlock, currentInstruction[2].u.specialPointer)),
</del><ins>+ OpInfo(m_graph.freeze(static_cast<JSCell*>(actualPointerFor(
+ m_inlineStackTop->m_codeBlock, currentInstruction[2].u.specialPointer)))),
</ins><span class="cx"> get(VirtualRegister(currentInstruction[1].u.operand)));
</span><span class="cx"> addToGraph(Jump, OpInfo(m_currentIndex + OPCODE_LENGTH(op_jneq_ptr)));
</span><span class="cx"> LAST_OPCODE(op_jneq_ptr);
</span><span class="lines">@@ -3084,7 +2836,7 @@
</span><span class="cx"> case GlobalVar:
</span><span class="cx"> case GlobalPropertyWithVarInjectionChecks:
</span><span class="cx"> case GlobalVarWithVarInjectionChecks:
</span><del>- set(VirtualRegister(dst), cellConstant(m_inlineStackTop->m_codeBlock->globalObject()));
</del><ins>+ set(VirtualRegister(dst), weakJSConstant(m_inlineStackTop->m_codeBlock->globalObject()));
</ins><span class="cx"> break;
</span><span class="cx"> case ClosureVar:
</span><span class="cx"> case ClosureVarWithVarInjectionChecks: {
</span><span class="lines">@@ -3092,7 +2844,7 @@
</span><span class="cx"> if (activation
</span><span class="cx"> && activation->symbolTable()->m_functionEnteredOnce.isStillValid()) {
</span><span class="cx"> addToGraph(FunctionReentryWatchpoint, OpInfo(activation->symbolTable()));
</span><del>- set(VirtualRegister(dst), cellConstant(activation));
</del><ins>+ set(VirtualRegister(dst), weakJSConstant(activation));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> set(VirtualRegister(dst),
</span><span class="lines">@@ -3141,7 +2893,7 @@
</span><span class="cx"> Node* base = cellConstantWithStructureCheck(globalObject, status[0].structureSet().onlyStructure());
</span><span class="cx"> addToGraph(Phantom, get(VirtualRegister(scope)));
</span><span class="cx"> if (JSValue specificValue = status[0].specificValue())
</span><del>- set(VirtualRegister(dst), cellConstant(specificValue.asCell()));
</del><ins>+ set(VirtualRegister(dst), weakJSConstant(specificValue.asCell()));
</ins><span class="cx"> else
</span><span class="cx"> set(VirtualRegister(dst), handleGetByOffset(prediction, base, identifierNumber, operand));
</span><span class="cx"> break;
</span><span class="lines">@@ -3160,7 +2912,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> addToGraph(VariableWatchpoint, OpInfo(watchpointSet));
</span><del>- set(VirtualRegister(dst), inferredConstant(specificValue));
</del><ins>+ set(VirtualRegister(dst), weakJSConstant(specificValue));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> case ClosureVar:
</span><span class="lines">@@ -3176,7 +2928,7 @@
</span><span class="cx"> if (JSValue value = watchpointSet->inferredValue()) {
</span><span class="cx"> addToGraph(Phantom, scopeNode);
</span><span class="cx"> addToGraph(VariableWatchpoint, OpInfo(watchpointSet));
</span><del>- set(VirtualRegister(dst), inferredConstant(value));
</del><ins>+ set(VirtualRegister(dst), weakJSConstant(value));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="lines">@@ -3277,7 +3029,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case op_init_lazy_reg: {
</span><del>- set(VirtualRegister(currentInstruction[1].u.operand), getJSConstantForValue(JSValue()));
</del><ins>+ set(VirtualRegister(currentInstruction[1].u.operand), jsConstant(JSValue()));
</ins><span class="cx"> ASSERT(operandIsLocal(currentInstruction[1].u.operand));
</span><span class="cx"> m_graph.m_lazyVars.set(VirtualRegister(currentInstruction[1].u.operand).toLocal());
</span><span class="cx"> NEXT_OPCODE(op_init_lazy_reg);
</span><span class="lines">@@ -3432,13 +3184,6 @@
</span><span class="cx">
</span><span class="cx"> for (size_t i = 0; i < m_codeBlock->numberOfIdentifiers(); ++i)
</span><span class="cx"> m_identifierMap.add(m_codeBlock->identifier(i).impl(), i);
</span><del>- for (size_t i = 0; i < m_codeBlock->numberOfConstantRegisters(); ++i) {
- JSValue value = m_codeBlock->getConstant(i + FirstConstantRegisterIndex);
- if (!value)
- m_emptyJSValueIndex = i + FirstConstantRegisterIndex;
- else
- m_jsValueMap.add(JSValue::encode(value), i + FirstConstantRegisterIndex);
- }
</del><span class="cx">
</span><span class="cx"> m_haveBuiltOperandMaps = true;
</span><span class="cx"> }
</span><span class="lines">@@ -3536,7 +3281,6 @@
</span><span class="cx"> byteCodeParser->buildOperandMapsIfNecessary();
</span><span class="cx">
</span><span class="cx"> m_identifierRemap.resize(codeBlock->numberOfIdentifiers());
</span><del>- m_constantRemap.resize(codeBlock->numberOfConstantRegisters());
</del><span class="cx"> m_constantBufferRemap.resize(codeBlock->numberOfConstantBuffers());
</span><span class="cx"> m_switchRemap.resize(codeBlock->numberOfSwitchJumpTables());
</span><span class="cx">
</span><span class="lines">@@ -3547,24 +3291,6 @@
</span><span class="cx"> byteCodeParser->m_graph.identifiers().addLazily(rep);
</span><span class="cx"> m_identifierRemap[i] = result.iterator->value;
</span><span class="cx"> }
</span><del>- for (size_t i = 0; i < codeBlock->numberOfConstantRegisters(); ++i) {
- JSValue value = codeBlock->getConstant(i + FirstConstantRegisterIndex);
- if (!value) {
- if (byteCodeParser->m_emptyJSValueIndex == UINT_MAX) {
- byteCodeParser->m_emptyJSValueIndex = byteCodeParser->m_codeBlock->numberOfConstantRegisters() + FirstConstantRegisterIndex;
- byteCodeParser->addConstant(JSValue());
- byteCodeParser->m_constants.append(ConstantRecord());
- }
- m_constantRemap[i] = byteCodeParser->m_emptyJSValueIndex;
- continue;
- }
- JSValueMap::AddResult result = byteCodeParser->m_jsValueMap.add(JSValue::encode(value), byteCodeParser->m_codeBlock->numberOfConstantRegisters() + FirstConstantRegisterIndex);
- if (result.isNewEntry) {
- byteCodeParser->addConstant(value);
- byteCodeParser->m_constants.append(ConstantRecord());
- }
- m_constantRemap[i] = result.iterator->value;
- }
</del><span class="cx"> for (unsigned i = 0; i < codeBlock->numberOfConstantBuffers(); ++i) {
</span><span class="cx"> // If we inline the same code block multiple times, we don't want to needlessly
</span><span class="cx"> // duplicate its constant buffers.
</span><span class="lines">@@ -3595,13 +3321,10 @@
</span><span class="cx"> m_inlineCallFrame = 0;
</span><span class="cx">
</span><span class="cx"> m_identifierRemap.resize(codeBlock->numberOfIdentifiers());
</span><del>- m_constantRemap.resize(codeBlock->numberOfConstantRegisters());
</del><span class="cx"> m_constantBufferRemap.resize(codeBlock->numberOfConstantBuffers());
</span><span class="cx"> m_switchRemap.resize(codeBlock->numberOfSwitchJumpTables());
</span><span class="cx"> for (size_t i = 0; i < codeBlock->numberOfIdentifiers(); ++i)
</span><span class="cx"> m_identifierRemap[i] = i;
</span><del>- for (size_t i = 0; i < codeBlock->numberOfConstantRegisters(); ++i)
- m_constantRemap[i] = i + FirstConstantRegisterIndex;
</del><span class="cx"> for (size_t i = 0; i < codeBlock->numberOfConstantBuffers(); ++i)
</span><span class="cx"> m_constantBufferRemap[i] = i;
</span><span class="cx"> for (size_t i = 0; i < codeBlock->numberOfSwitchJumpTables(); ++i)
</span><span class="lines">@@ -3609,14 +3332,13 @@
</span><span class="cx"> m_callsiteBlockHeadNeedsLinking = false;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- for (size_t i = 0; i < m_constantRemap.size(); ++i)
- ASSERT(m_constantRemap[i] >= static_cast<unsigned>(FirstConstantRegisterIndex));
-
</del><span class="cx"> byteCodeParser->m_inlineStackTop = this;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ByteCodeParser::parseCodeBlock()
</span><span class="cx"> {
</span><ins>+ prepareToParseBlock();
+
</ins><span class="cx"> CodeBlock* codeBlock = m_inlineStackTop->m_codeBlock;
</span><span class="cx">
</span><span class="cx"> if (m_graph.compilation()) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCFAPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -79,6 +79,19 @@
</span><span class="cx"> performForwardCFA();
</span><span class="cx"> } while (m_changed);
</span><span class="cx">
</span><ins>+ if (m_graph.m_form != SSA) {
+ // Make sure we record the intersection of all proofs that we ever allowed the
+ // compiler to rely upon.
+ for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+ BasicBlock* block = m_graph.block(blockIndex);
+ if (!block)
+ continue;
+ block->intersectionOfCFAHasVisited &= block->cfaHasVisited;
+ for (unsigned i = block->intersectionOfPastValuesAtHead.size(); i--;)
+ block->intersectionOfPastValuesAtHead[i].filter(block->valuesAtHead[i]);
+ }
+ }
+
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCFGSimplificationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -150,7 +150,7 @@
</span><span class="cx">
</span><span class="cx"> // Switch on constant -> jettison all other targets and merge.
</span><span class="cx"> if (block->last()->child1()->hasConstant()) {
</span><del>- JSValue value = m_graph.valueOfJSConstant(block->last()->child1().node());
</del><ins>+ FrozenValue* value = block->last()->child1()->constant();
</ins><span class="cx"> TriState found = FalseTriState;
</span><span class="cx"> BasicBlock* targetBlock = 0;
</span><span class="cx"> for (unsigned i = data->cases.size(); found == FalseTriState && i--;) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCSEPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -39,13 +39,10 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx">
</span><del>-enum CSEMode { NormalCSE, StoreElimination };
-
-template<CSEMode cseMode>
</del><span class="cx"> class CSEPhase : public Phase {
</span><span class="cx"> public:
</span><span class="cx"> CSEPhase(Graph& graph)
</span><del>- : Phase(graph, cseMode == NormalCSE ? "common subexpression elimination" : "store elimination")
</del><ins>+ : Phase(graph, "common subexpression elimination")
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -168,7 +165,7 @@
</span><span class="cx"> if (otherNode->op() != node->op())
</span><span class="cx"> continue;
</span><span class="cx">
</span><del>- if (otherNode->constantNumber() != node->constantNumber())
</del><ins>+ if (otherNode->constant() != node->constant())
</ins><span class="cx"> continue;
</span><span class="cx">
</span><span class="cx"> return otherNode;
</span><span class="lines">@@ -176,21 +173,6 @@
</span><span class="cx"> return 0;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- Node* weakConstantCSE(Node* node)
- {
- for (unsigned i = endIndexForPureCSE(); i--;) {
- Node* otherNode = m_currentBlock->at(i);
- if (otherNode->op() != WeakJSConstant)
- continue;
-
- if (otherNode->weakConstant() != node->weakConstant())
- continue;
-
- return otherNode;
- }
- return 0;
- }
-
</del><span class="cx"> Node* constantStoragePointerCSE(Node* node)
</span><span class="cx"> {
</span><span class="cx"> for (unsigned i = endIndexForPureCSE(); i--;) {
</span><span class="lines">@@ -313,68 +295,6 @@
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- Node* globalVarStoreElimination(WriteBarrier<Unknown>* registerPointer)
- {
- for (unsigned i = m_indexInBlock; i--;) {
- Node* node = m_currentBlock->at(i);
- switch (node->op()) {
- case PutGlobalVar:
- if (node->registerPointer() == registerPointer)
- return node;
- break;
-
- case GetGlobalVar:
- if (node->registerPointer() == registerPointer)
- return 0;
- break;
-
- default:
- break;
- }
- if (m_graph.clobbersWorld(node) || node->canExit())
- return 0;
- }
- return 0;
- }
-
- Node* scopedVarStoreElimination(Node* scope, Node* registers, int varNumber)
- {
- for (unsigned i = m_indexInBlock; i--;) {
- Node* node = m_currentBlock->at(i);
- switch (node->op()) {
- case PutClosureVar: {
- if (node->varNumber() != varNumber)
- break;
- if (node->child1() == scope && node->child2() == registers)
- return node;
- return 0;
- }
-
- case GetClosureVar: {
- // Let's be conservative.
- if (node->varNumber() == varNumber)
- return 0;
- break;
- }
-
- case GetLocal:
- case SetLocal: {
- VariableAccessData* variableAccessData = node->variableAccessData();
- if (variableAccessData->isCaptured()
- && variableAccessData->local() == static_cast<VirtualRegister>(varNumber))
- return 0;
- break;
- }
-
- default:
- break;
- }
- if (m_graph.clobbersWorld(node) || node->canExit())
- return 0;
- }
- return 0;
- }
-
</del><span class="cx"> Node* getByValLoadElimination(Node* child1, Node* child2, ArrayMode arrayMode)
</span><span class="cx"> {
</span><span class="cx"> for (unsigned i = m_indexInBlock; i--;) {
</span><span class="lines">@@ -420,7 +340,7 @@
</span><span class="cx"> return 0;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool checkFunctionElimination(JSCell* function, Node* child1)
</del><ins>+ bool checkFunctionElimination(FrozenValue* function, Node* child1)
</ins><span class="cx"> {
</span><span class="cx"> for (unsigned i = endIndexForPureCSE(); i--;) {
</span><span class="cx"> Node* node = m_currentBlock->at(i);
</span><span class="lines">@@ -556,73 +476,6 @@
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- Node* putStructureStoreElimination(Node* child1)
- {
- for (unsigned i = m_indexInBlock; i--;) {
- Node* node = m_currentBlock->at(i);
- if (node == child1)
- break;
- switch (node->op()) {
- case CheckStructure:
- return 0;
-
- case PhantomPutStructure:
- if (node->child1() == child1) // No need to retrace our steps.
- return 0;
- break;
-
- case PutStructure:
- if (node->child1() == child1)
- return node;
- break;
-
- // PutStructure needs to execute if we GC. Hence this needs to
- // be careful with respect to nodes that GC.
- case CreateArguments:
- case TearOffArguments:
- case NewFunctionNoCheck:
- case NewFunction:
- case NewFunctionExpression:
- case CreateActivation:
- case TearOffActivation:
- case ToPrimitive:
- case NewRegexp:
- case NewArrayBuffer:
- case NewArray:
- case NewObject:
- case CreateThis:
- case AllocatePropertyStorage:
- case ReallocatePropertyStorage:
- case TypeOf:
- case ToString:
- case NewStringObject:
- case MakeRope:
- case NewTypedArray:
- case MultiPutByOffset:
- return 0;
-
- // This either exits, causes a GC (lazy string allocation), or clobbers
- // the world. The chances of it not doing any of those things are so
- // slim that we might as well not even try to reason about it.
- case GetByVal:
- return 0;
-
- case GetIndexedPropertyStorage:
- if (node->arrayMode().getIndexedPropertyStorageMayTriggerGC())
- return 0;
- break;
-
- default:
- break;
- }
- if (m_graph.clobbersWorld(node) || node->canExit())
- return 0;
- if (edgesUseStructure(m_graph, node))
- return 0;
- }
- return 0;
- }
-
</del><span class="cx"> Node* getByOffsetLoadElimination(unsigned identifierNumber, Node* base)
</span><span class="cx"> {
</span><span class="cx"> for (unsigned i = m_indexInBlock; i--;) {
</span><span class="lines">@@ -713,55 +566,6 @@
</span><span class="cx"> return 0;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- Node* putByOffsetStoreElimination(unsigned identifierNumber, Node* child1)
- {
- for (unsigned i = m_indexInBlock; i--;) {
- Node* node = m_currentBlock->at(i);
- if (node == child1)
- break;
-
- switch (node->op()) {
- case GetByOffset:
- if (m_graph.m_storageAccessData[node->storageAccessDataIndex()].identifierNumber == identifierNumber)
- return 0;
- break;
-
- case PutByOffset:
- if (m_graph.m_storageAccessData[node->storageAccessDataIndex()].identifierNumber == identifierNumber) {
- if (node->child1() == child1) // Must be same property storage.
- return node;
- return 0;
- }
- break;
-
- case MultiPutByOffset:
- if (node->multiPutByOffsetData().identifierNumber == identifierNumber)
- return 0;
- break;
-
- case PutByValDirect:
- case PutByVal:
- case PutByValAlias:
- case GetByVal:
- if (m_graph.byValIsPure(node)) {
- // If PutByVal speculates that it's accessing an array with an
- // integer index, then it's impossible for it to cause a structure
- // change.
- break;
- }
- return 0;
-
- default:
- if (m_graph.clobbersWorld(node))
- return 0;
- break;
- }
- if (node->canExit())
- return 0;
- }
- return 0;
- }
-
</del><span class="cx"> Node* getPropertyStorageLoadElimination(Node* child1)
</span><span class="cx"> {
</span><span class="cx"> for (unsigned i = m_indexInBlock; i--;) {
</span><span class="lines">@@ -944,7 +748,7 @@
</span><span class="cx"> return 0;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool uncapturedSetLocalStoreElimination(VirtualRegister local, Node* expectedNode)
</del><ins>+ Node* uncapturedSetLocalStoreElimination(VirtualRegister local)
</ins><span class="cx"> {
</span><span class="cx"> for (unsigned i = m_indexInBlock; i--;) {
</span><span class="cx"> Node* node = m_currentBlock->at(i);
</span><span class="lines">@@ -952,26 +756,24 @@
</span><span class="cx"> case GetLocal:
</span><span class="cx"> case Flush:
</span><span class="cx"> if (node->local() == local)
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetLocalUnlinked:
</span><span class="cx"> if (node->unlinkedLocal() == local)
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case SetLocal: {
</span><span class="cx"> if (node->local() != local)
</span><span class="cx"> break;
</span><del>- if (node != expectedNode)
- return false;
- return true;
</del><ins>+ return node;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case GetClosureVar:
</span><span class="cx"> case PutClosureVar:
</span><span class="cx"> if (static_cast<VirtualRegister>(node->varNumber()) == local)
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetMyScope:
</span><span class="lines">@@ -979,24 +781,24 @@
</span><span class="cx"> if (node->origin.semantic.inlineCallFrame)
</span><span class="cx"> break;
</span><span class="cx"> if (m_graph.uncheckedActivationRegister() == local)
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CheckArgumentsNotCreated:
</span><span class="cx"> case GetMyArgumentsLength:
</span><span class="cx"> case GetMyArgumentsLengthSafe:
</span><span class="cx"> if (m_graph.uncheckedArgumentsRegisterFor(node->origin.semantic) == local)
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetMyArgumentByVal:
</span><span class="cx"> case GetMyArgumentByValSafe:
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> case GetByVal:
</span><span class="cx"> // If this is accessing arguments then it's potentially accessing locals.
</span><span class="cx"> if (node->arrayMode().type() == Array::Arguments)
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CreateArguments:
</span><span class="lines">@@ -1006,19 +808,18 @@
</span><span class="cx"> // are live. We could be clever here and check if the local qualifies as an
</span><span class="cx"> // argument register. But that seems like it would buy us very little since
</span><span class="cx"> // any kind of tear offs are rare to begin with.
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> if (m_graph.clobbersWorld(node))
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><del>- RELEASE_ASSERT_NOT_REACHED();
- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- bool capturedSetLocalStoreElimination(VirtualRegister local, Node* expectedNode)
</del><ins>+ Node* capturedSetLocalStoreElimination(VirtualRegister local)
</ins><span class="cx"> {
</span><span class="cx"> for (unsigned i = m_indexInBlock; i--;) {
</span><span class="cx"> Node* node = m_currentBlock->at(i);
</span><span class="lines">@@ -1026,20 +827,18 @@
</span><span class="cx"> case GetLocal:
</span><span class="cx"> case Flush:
</span><span class="cx"> if (node->local() == local)
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetLocalUnlinked:
</span><span class="cx"> if (node->unlinkedLocal() == local)
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case SetLocal: {
</span><span class="cx"> if (node->local() != local)
</span><span class="cx"> break;
</span><del>- if (node != expectedNode)
- return false;
- return true;
</del><ins>+ return node;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case Phantom:
</span><span class="lines">@@ -1052,18 +851,17 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> default:
</span><del>- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx"> }
</span><del>- RELEASE_ASSERT_NOT_REACHED();
- return false;
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- bool setLocalStoreElimination(VariableAccessData* variableAccessData, Node* expectedNode)
</del><ins>+ Node* setLocalStoreElimination(VariableAccessData* variableAccessData)
</ins><span class="cx"> {
</span><span class="cx"> if (variableAccessData->isCaptured())
</span><del>- return capturedSetLocalStoreElimination(variableAccessData->local(), expectedNode);
- return uncapturedSetLocalStoreElimination(variableAccessData->local(), expectedNode);
</del><ins>+ return capturedSetLocalStoreElimination(variableAccessData->local());
+ return uncapturedSetLocalStoreElimination(variableAccessData->local());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool invalidationPointElimination()
</span><span class="lines">@@ -1143,14 +941,11 @@
</span><span class="cx">
</span><span class="cx"> void performNodeCSE(Node* node)
</span><span class="cx"> {
</span><del>- if (cseMode == NormalCSE)
- m_graph.performSubstitution(node);
</del><ins>+ m_graph.performSubstitution(node);
</ins><span class="cx">
</span><span class="cx"> switch (node->op()) {
</span><span class="cx">
</span><span class="cx"> case Identity:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(node->child1().node());
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -1189,8 +984,6 @@
</span><span class="cx"> case ValueRep:
</span><span class="cx"> case Int52Rep:
</span><span class="cx"> case BooleanToNumber:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(pureCSE(node));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -1202,8 +995,6 @@
</span><span class="cx"> case ArithMod:
</span><span class="cx"> case UInt32ToNumber:
</span><span class="cx"> case DoubleAsInt32: {
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> Node* candidate = pureCSE(node);
</span><span class="cx"> if (!candidate)
</span><span class="cx"> break;
</span><span class="lines">@@ -1217,14 +1008,10 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case GetCallee:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(getCalleeLoadElimination());
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetLocal: {
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> VariableAccessData* variableAccessData = node->variableAccessData();
</span><span class="cx"> if (!variableAccessData->isCaptured())
</span><span class="cx"> break;
</span><span class="lines">@@ -1251,83 +1038,28 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case GetLocalUnlinked: {
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> Node* relevantLocalOpIgnored;
</span><span class="cx"> setReplacement(getLocalLoadElimination(node->unlinkedLocal(), relevantLocalOpIgnored, true));
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case Flush: {
- ASSERT(m_graph.m_form != SSA);
- VariableAccessData* variableAccessData = node->variableAccessData();
- if (!node->child1()) {
- // FIXME: It's silly that we punt on flush-eliminating here. We don't really
- // need child1 to figure out what's going on.
- // https://bugs.webkit.org/show_bug.cgi?id=130521
- break;
- }
- Node* replacement = node->child1().node();
- if (replacement->op() != SetLocal)
- break;
- ASSERT(replacement->variableAccessData() == variableAccessData);
- // FIXME: We should be able to remove SetLocals that can exit; we just need
- // to replace them with appropriate type checks.
- if (cseMode == NormalCSE) {
- // Need to be conservative at this time; if the SetLocal has any chance of performing
- // any speculations then we cannot do anything.
- FlushFormat format = variableAccessData->flushFormat();
- ASSERT(format != DeadFlush);
- if (format != FlushedJSValue)
- break;
- } else {
- if (replacement->canExit())
- break;
- }
- if (!setLocalStoreElimination(variableAccessData, replacement))
- break;
- ASSERT(replacement->op() == SetLocal);
- node->convertToPhantom();
- Node* dataNode = replacement->child1().node();
- ASSERT(dataNode->hasResult());
- node->child1() = dataNode->defaultEdge();
- m_graph.dethread();
- m_changed = true;
- break;
- }
-
</del><span class="cx"> case JSConstant:
</span><span class="cx"> case DoubleConstant:
</span><span class="cx"> case Int52Constant:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> // This is strange, but necessary. Some phases will convert nodes to constants,
</span><span class="cx"> // which may result in duplicated constants. We use CSE to clean this up.
</span><span class="cx"> setReplacement(constantCSE(node));
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case WeakJSConstant:
- if (cseMode == StoreElimination)
- break;
- // FIXME: have CSE for weak constants against strong constants and vice-versa.
- setReplacement(weakConstantCSE(node));
- break;
-
</del><span class="cx"> case ConstantStoragePointer:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(constantStoragePointerCSE(node));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetArrayLength:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(getArrayLengthElimination(node->child1().node()));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetMyScope:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(getMyScopeLoadElimination());
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -1338,8 +1070,6 @@
</span><span class="cx"> case CompareGreater:
</span><span class="cx"> case CompareGreaterEq:
</span><span class="cx"> case CompareEq: {
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> if (m_graph.isPredictedNumerical(node)) {
</span><span class="cx"> Node* replacement = pureCSE(node);
</span><span class="cx"> if (replacement && m_graph.isPredictedNumerical(replacement))
</span><span class="lines">@@ -1351,49 +1081,26 @@
</span><span class="cx"> // Finally handle heap accesses. These are not quite pure, but we can still
</span><span class="cx"> // optimize them provided that some subtle conditions are met.
</span><span class="cx"> case GetGlobalVar:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(globalVarLoadElimination(node->registerPointer()));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetClosureVar: {
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(scopedVarLoadElimination(node->child1().node(), node->varNumber()));
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case VarInjectionWatchpoint:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> if (varInjectionWatchpointElimination())
</span><span class="cx"> eliminate();
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case PutGlobalVar:
- if (cseMode == NormalCSE)
- break;
- eliminate(globalVarStoreElimination(node->registerPointer()));
- break;
-
- case PutClosureVar: {
- if (cseMode == NormalCSE)
- break;
- eliminate(scopedVarStoreElimination(node->child1().node(), node->child2().node(), node->varNumber()));
- break;
- }
-
</del><span class="cx"> case GetByVal:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> if (m_graph.byValIsPure(node))
</span><span class="cx"> setReplacement(getByValLoadElimination(node->child1().node(), node->child2().node(), node->arrayMode()));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case PutByValDirect:
</span><span class="cx"> case PutByVal: {
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> Edge child1 = m_graph.varArgChild(node, 0);
</span><span class="cx"> Edge child2 = m_graph.varArgChild(node, 1);
</span><span class="cx"> if (node->arrayMode().canCSEStorage()) {
</span><span class="lines">@@ -1406,42 +1113,26 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case CheckStructure:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> if (checkStructureElimination(node->structureSet(), node->child1().node()))
</span><span class="cx"> eliminate();
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case PutStructure:
- if (cseMode == NormalCSE)
- break;
- eliminate(putStructureStoreElimination(node->child1().node()), PhantomPutStructure);
- break;
-
</del><span class="cx"> case CheckFunction:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> if (checkFunctionElimination(node->function(), node->child1().node()))
</span><span class="cx"> eliminate();
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CheckExecutable:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> if (checkExecutableElimination(node->executable(), node->child1().node()))
</span><span class="cx"> eliminate();
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CheckArray:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> if (checkArrayElimination(node->child1().node(), node->arrayMode()))
</span><span class="cx"> eliminate();
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetIndexedPropertyStorage: {
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(getIndexedPropertyStorageLoadElimination(node->child1().node(), node->arrayMode()));
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -1449,42 +1140,26 @@
</span><span class="cx"> case GetTypedArrayByteOffset:
</span><span class="cx"> case GetGetter:
</span><span class="cx"> case GetSetter: {
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(getInternalFieldLoadElimination(node->op(), node->child1().node()));
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case GetButterfly:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(getPropertyStorageLoadElimination(node->child1().node()));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetByOffset:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(getByOffsetLoadElimination(m_graph.m_storageAccessData[node->storageAccessDataIndex()].identifierNumber, node->child2().node()));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case GetGetterSetterByOffset:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(getGetterSetterByOffsetLoadElimination(m_graph.m_storageAccessData[node->storageAccessDataIndex()].identifierNumber, node->child2().node()));
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case MultiGetByOffset:
</span><del>- if (cseMode == StoreElimination)
- break;
</del><span class="cx"> setReplacement(getByOffsetLoadElimination(node->multiGetByOffsetData().identifierNumber, node->child1().node()));
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case PutByOffset:
- if (cseMode == NormalCSE)
- break;
- eliminate(putByOffsetStoreElimination(m_graph.m_storageAccessData[node->storageAccessDataIndex()].identifierNumber, node->child1().node()));
- break;
-
</del><span class="cx"> case InvalidationPoint:
</span><span class="cx"> if (invalidationPointElimination())
</span><span class="cx"> eliminate();
</span><span class="lines">@@ -1498,6 +1173,23 @@
</span><span class="cx"> eliminateIrrelevantPhantomChildren(node);
</span><span class="cx"> break;
</span><span class="cx">
</span><ins>+ case Flush:
+ // This is needed for arguments simplification to work. We need to eliminate the
+ // redundancy between op_enter's undefined-all-the-things and the subsequent
+ // op_init_lazy_reg.
+
+ ASSERT(m_graph.m_form != SSA);
+
+ if (Node* setLocal = setLocalStoreElimination(node->variableAccessData())) {
+ node->convertToPhantom();
+ Node* dataNode = setLocal->child1().node();
+ ASSERT(dataNode->hasResult());
+ node->child1() = dataNode->defaultEdge();
+ m_graph.dethread();
+ m_changed = true;
+ }
+ break;
+
</ins><span class="cx"> default:
</span><span class="cx"> // do nothing.
</span><span class="cx"> break;
</span><span class="lines">@@ -1521,12 +1213,6 @@
</span><span class="cx"> m_currentNode = block->at(m_indexInBlock);
</span><span class="cx"> performNodeCSE(m_currentNode);
</span><span class="cx"> }
</span><del>-
- if (!ASSERT_DISABLED && cseMode == StoreElimination) {
- // Nobody should have replacements set.
- for (unsigned i = 0; i < block->size(); ++i)
- ASSERT(!block->at(i)->misc.replacement);
- }
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> BasicBlock* m_currentBlock;
</span><span class="lines">@@ -1539,15 +1225,9 @@
</span><span class="cx"> bool performCSE(Graph& graph)
</span><span class="cx"> {
</span><span class="cx"> SamplingRegion samplingRegion("DFG CSE Phase");
</span><del>- return runPhase<CSEPhase<NormalCSE>>(graph);
</del><ins>+ return runPhase<CSEPhase>(graph);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-bool performStoreElimination(Graph& graph)
-{
- SamplingRegion samplingRegion("DFG Store Elimination Phase");
- return runPhase<CSEPhase<StoreElimination>>(graph);
-}
-
</del><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCSEPhaseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -40,9 +40,6 @@
</span><span class="cx"> // on a few benchmarks, and is relatively cheap to run.
</span><span class="cx"> bool performCSE(Graph&);
</span><span class="cx">
</span><del>-// Perform just block-local store elimination.
-bool performStoreElimination(Graph&);
-
</del><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -76,7 +76,6 @@
</span><span class="cx"> case JSConstant:
</span><span class="cx"> case DoubleConstant:
</span><span class="cx"> case Int52Constant:
</span><del>- case WeakJSConstant:
</del><span class="cx"> case Identity:
</span><span class="cx"> case Phantom:
</span><span class="cx"> case HardPhantom:
</span><span class="lines">@@ -202,6 +201,8 @@
</span><span class="cx"> case ArrayPop:
</span><span class="cx"> case Call:
</span><span class="cx"> case Construct:
</span><ins>+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> case ToPrimitive:
</span><span class="cx"> case In:
</span><span class="cx"> case GetMyArgumentsLengthSafe:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCommonh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCommon.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCommon.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGCommon.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -146,6 +146,8 @@
</span><span class="cx"> FixupPass
</span><span class="cx"> };
</span><span class="cx">
</span><ins>+enum StructureWatchpointState { HaveNotStartedWatching, WatchingAllWatchableStructures };
+
</ins><span class="cx"> enum OptimizationFixpointState { BeforeFixpoint, FixpointNotConverged, FixpointConverged };
</span><span class="cx">
</span><span class="cx"> // Describes the form you can expect the entire graph to be in.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -62,6 +62,16 @@
</span><span class="cx"> changed |= foldConstants(block);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ if (changed && m_graph.m_form == SSA) {
+ // It's now possible that we have Upsilons pointed at JSConstants. Fix that.
+ for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+ BasicBlock* block = m_graph.block(blockIndex);
+ if (!block)
+ continue;
+ fixUpsilons(block);
+ }
+ }
+
</ins><span class="cx"> return changed;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -123,7 +133,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case CheckFunction: {
</span><del>- if (m_state.forNode(node->child1()).value() != node->function())
</del><ins>+ if (m_state.forNode(node->child1()).value() != node->function()->value())
</ins><span class="cx"> break;
</span><span class="cx"> node->convertToPhantom();
</span><span class="cx"> eliminated = true;
</span><span class="lines">@@ -157,7 +167,7 @@
</span><span class="cx"> if (!variant.structureSet().contains(structure))
</span><span class="cx"> continue;
</span><span class="cx">
</span><del>- if (variant.chain())
</del><ins>+ if (variant.alternateBase())
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> emitGetByOffset(indexInBlock, node, structure, variant, data.identifierNumber);
</span><span class="lines">@@ -204,7 +214,8 @@
</span><span class="cx"> GetByIdStatus status = GetByIdStatus::computeFor(
</span><span class="cx"> vm(), structure, m_graph.identifiers()[identifierNumber]);
</span><span class="cx">
</span><del>- if (!status.isSimple() || status.numVariants() != 1) {
</del><ins>+ if (!status.isSimple() || status.numVariants() != 1 ||
+ !status[0].constantChecks().isEmpty() || status[0].alternateBase()) {
</ins><span class="cx"> // FIXME: We could handle prototype cases.
</span><span class="cx"> // https://bugs.webkit.org/show_bug.cgi?id=110386
</span><span class="cx"> break;
</span><span class="lines">@@ -252,6 +263,34 @@
</span><span class="cx"> node->convertToIdentity();
</span><span class="cx"> break;
</span><span class="cx"> }
</span><ins>+
+ case GetMyArgumentByVal: {
+ InlineCallFrame* inlineCallFrame = node->origin.semantic.inlineCallFrame;
+ JSValue value = m_state.forNode(node->child1()).m_value;
+ if (inlineCallFrame && value && value.isInt32()) {
+ int32_t index = value.asInt32();
+ if (index >= 0
+ && static_cast<size_t>(index + 1) < inlineCallFrame->arguments.size()) {
+ // Roll the interpreter over this.
+ m_interpreter.execute(indexInBlock);
+ eliminated = true;
+
+ int operand =
+ inlineCallFrame->stackOffset +
+ m_graph.baselineCodeBlockFor(inlineCallFrame)->argumentIndexAfterCapture(index);
+
+ m_insertionSet.insertNode(
+ indexInBlock, SpecNone, CheckArgumentsNotCreated, node->origin);
+ m_insertionSet.insertNode(
+ indexInBlock, SpecNone, Phantom, node->origin, node->children);
+
+ node->convertToGetLocalUnlinked(VirtualRegister(operand));
+ break;
+ }
+ }
+
+ break;
+ }
</ins><span class="cx">
</span><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="lines">@@ -280,32 +319,21 @@
</span><span class="cx"> }
</span><span class="cx"> if (!node->shouldGenerate() || m_state.didClobber() || node->hasConstant())
</span><span class="cx"> continue;
</span><del>- JSValue value = m_state.forNode(node).value();
- if (!value)
</del><ins>+
+ // Interesting fact: this freezing that we do right here may turn an fragile value into
+ // a weak value. See DFGValueStrength.h.
+ FrozenValue* value = m_graph.freeze(m_state.forNode(node).value());
+ if (!*value)
</ins><span class="cx"> continue;
</span><span class="cx">
</span><del>- // Check if merging the abstract value of the constant into the abstract value
- // we've proven for this node wouldn't widen the proof. If it widens the proof
- // (i.e. says that the set contains more things in it than it previously did)
- // then we refuse to fold.
- AbstractValue oldValue = m_state.forNode(node);
- AbstractValue constantValue;
- constantValue.set(m_graph, value, m_state.structureClobberState());
- constantValue.fixTypeForRepresentation(node);
- if (oldValue.merge(constantValue))
- continue;
-
</del><span class="cx"> NodeOrigin origin = node->origin;
</span><span class="cx"> AdjacencyList children = node->children;
</span><span class="cx">
</span><del>- if (node->op() == GetLocal)
- m_graph.dethread();
- else
- ASSERT(!node->hasVariableAccessData(m_graph));
-
</del><span class="cx"> m_graph.convertToConstant(node, value);
</span><del>- m_insertionSet.insertNode(
- indexInBlock, SpecNone, Phantom, origin, children);
</del><ins>+ if (!children.isEmpty()) {
+ m_insertionSet.insertNode(
+ indexInBlock, SpecNone, Phantom, origin, children);
+ }
</ins><span class="cx">
</span><span class="cx"> changed = true;
</span><span class="cx"> }
</span><span class="lines">@@ -323,7 +351,7 @@
</span><span class="cx">
</span><span class="cx"> bool needsCellCheck = m_state.forNode(child).m_type & ~SpecCell;
</span><span class="cx">
</span><del>- ASSERT(!variant.chain());
</del><ins>+ ASSERT(!variant.alternateBase());
</ins><span class="cx"> ASSERT_UNUSED(structure, variant.structureSet().contains(structure));
</span><span class="cx">
</span><span class="cx"> // Now before we do anything else, push the CFA forward over the GetById
</span><span class="lines">@@ -337,7 +365,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (variant.specificValue()) {
</span><del>- m_graph.convertToConstant(node, variant.specificValue());
</del><ins>+ m_graph.convertToConstant(node, m_graph.freeze(variant.specificValue()));
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -386,23 +414,11 @@
</span><span class="cx"> if (variant.kind() == PutByIdVariant::Transition) {
</span><span class="cx"> transition = m_graph.m_transitions.add(structure, variant.newStructure());
</span><span class="cx">
</span><del>- if (node->op() == PutById) {
- if (!structure->storedPrototype().isNull()) {
- addStructureTransitionCheck(
- origin, indexInBlock,
- structure->storedPrototype().asCell());
- }
-
- m_graph.chains().addLazily(variant.structureChain());
-
- for (unsigned i = 0; i < variant.structureChain()->size(); ++i) {
- JSValue prototype = variant.structureChain()->at(i)->storedPrototype();
- if (prototype.isNull())
- continue;
- ASSERT(prototype.isCell());
- addStructureTransitionCheck(
- origin, indexInBlock, prototype.asCell());
- }
</del><ins>+ for (unsigned i = 0; i < variant.constantChecks().size(); ++i) {
+ addStructureTransitionCheck(
+ origin, indexInBlock,
+ variant.constantChecks()[i].constant(),
+ variant.constantChecks()[i].structure());
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -454,19 +470,41 @@
</span><span class="cx"> m_graph.m_storageAccessData.append(storageAccessData);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void addStructureTransitionCheck(NodeOrigin origin, unsigned indexInBlock, JSCell* cell)
</del><ins>+ void addStructureTransitionCheck(NodeOrigin origin, unsigned indexInBlock, JSCell* cell, Structure* structure)
</ins><span class="cx"> {
</span><span class="cx"> if (m_graph.watchpoints().consider(cell->structure()))
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> Node* weakConstant = m_insertionSet.insertNode(
</span><del>- indexInBlock, speculationFromValue(cell), WeakJSConstant, origin, OpInfo(cell));
</del><ins>+ indexInBlock, speculationFromValue(cell), JSConstant, origin,
+ OpInfo(m_graph.freeze(cell)));
</ins><span class="cx">
</span><span class="cx"> m_insertionSet.insertNode(
</span><span class="cx"> indexInBlock, SpecNone, CheckStructure, origin,
</span><del>- OpInfo(m_graph.addStructureSet(cell->structure())), Edge(weakConstant, CellUse));
</del><ins>+ OpInfo(m_graph.addStructureSet(structure)), Edge(weakConstant, CellUse));
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+ void fixUpsilons(BasicBlock* block)
+ {
+ for (unsigned nodeIndex = block->size(); nodeIndex--;) {
+ Node* node = block->at(nodeIndex);
+ if (node->op() != Upsilon)
+ continue;
+ switch (node->phi()->op()) {
+ case Phi:
+ break;
+ case JSConstant:
+ case DoubleConstant:
+ case Int52Constant:
+ node->convertToPhantom();
+ break;
+ default:
+ DFG_CRASH(m_graph, node, "Bad Upsilon phi() pointer");
+ break;
+ }
+ }
+ }
+
</ins><span class="cx"> InPlaceAbstractState m_state;
</span><span class="cx"> AbstractInterpreter<InPlaceAbstractState> m_interpreter;
</span><span class="cx"> InsertionSet m_insertionSet;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDesiredStructureChainscpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/dfg/DFGDesiredStructureChains.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDesiredStructureChains.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGDesiredStructureChains.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,56 +0,0 @@
</span><del>-/*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "DFGDesiredStructureChains.h"
-
-#if ENABLE(DFG_JIT)
-
-#include "JSCInlines.h"
-
-namespace JSC { namespace DFG {
-
-DesiredStructureChains::DesiredStructureChains() { }
-DesiredStructureChains::~DesiredStructureChains() { }
-
-bool DesiredStructureChains::areStillValid() const
-{
- for (unsigned i = 0; i < m_vector.size(); ++i) {
- if (!m_vector[i]->isStillValid())
- return false;
- }
- return true;
-}
-
-void DesiredStructureChains::visitChildren(SlotVisitor& visitor)
-{
- for (unsigned i = m_vector.size(); i--;)
- m_vector[i]->visitChildren(visitor);
-}
-
-} } // namespace JSC::DFG
-
-#endif // ENABLE(DFG_JIT)
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDesiredStructureChainsh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/dfg/DFGDesiredStructureChains.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDesiredStructureChains.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGDesiredStructureChains.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,59 +0,0 @@
</span><del>-/*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef DFGDesiredStructureChains_h
-#define DFGDesiredStructureChains_h
-
-#if ENABLE(DFG_JIT)
-
-#include "IntendedStructureChain.h"
-#include <wtf/Vector.h>
-
-namespace JSC { namespace DFG {
-
-class DesiredStructureChains {
-public:
- DesiredStructureChains();
- ~DesiredStructureChains();
-
- void addLazily(PassRefPtr<IntendedStructureChain> chain)
- {
- m_vector.append(chain);
- }
-
- bool areStillValid() const;
-
- void visitChildren(SlotVisitor&);
-
-private:
- Vector<RefPtr<IntendedStructureChain>> m_vector;
-};
-
-} } // namespace JSC::DFG
-
-#endif // ENABLE(DFG_JIT)
-
-#endif // DFGDesiredStructureChains_h
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -46,7 +46,6 @@
</span><span class="cx"> case JSConstant:
</span><span class="cx"> case DoubleConstant:
</span><span class="cx"> case Int52Constant:
</span><del>- case WeakJSConstant:
</del><span class="cx"> case Identity:
</span><span class="cx"> case GetCallee:
</span><span class="cx"> case GetLocal:
</span><span class="lines">@@ -119,6 +118,8 @@
</span><span class="cx"> case CompareStrictEq:
</span><span class="cx"> case Call:
</span><span class="cx"> case Construct:
</span><ins>+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> case Breakpoint:
</span><span class="cx"> case ProfileWillCall:
</span><span class="cx"> case ProfileDidCall:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -712,38 +712,6 @@
</span><span class="cx"> fixIntOrBooleanEdge(node->child1());
</span><span class="cx"> else if (node->child1()->shouldSpeculateNumberOrBoolean())
</span><span class="cx"> fixDoubleOrBooleanEdge(node->child1());
</span><del>-
- Node* logicalNot = node->child1().node();
- if (logicalNot->op() == LogicalNot) {
-
- // Make sure that OSR exit can't observe the LogicalNot. If it can,
- // then we must compute it and cannot peephole around it.
- bool found = false;
- bool ok = true;
- for (unsigned i = m_indexInBlock; i--;) {
- Node* candidate = m_block->at(i);
- if (candidate == logicalNot) {
- found = true;
- break;
- }
- if (candidate->canExit()) {
- ok = false;
- found = true;
- break;
- }
- }
- ASSERT_UNUSED(found, found);
-
- if (ok) {
- Edge newChildEdge = logicalNot->child1();
- if (newChildEdge->hasBooleanResult()) {
- node->children.setChild1(newChildEdge);
-
- BranchData* data = node->branchData();
- std::swap(data->taken, data->notTaken);
- }
- }
- }
</del><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -848,7 +816,8 @@
</span><span class="cx"> m_indexInBlock, SpecNone, Phantom, node->origin,
</span><span class="cx"> Edge(node->child1().node(), OtherUse));
</span><span class="cx"> observeUseKindOnNode<OtherUse>(node->child1().node());
</span><del>- node->convertToWeakConstant(m_graph.globalThisObjectFor(node->origin.semantic));
</del><ins>+ m_graph.convertToConstant(
+ node, m_graph.globalThisObjectFor(node->origin.semantic));
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1040,8 +1009,8 @@
</span><span class="cx">
</span><span class="cx"> case PutGlobalVar: {
</span><span class="cx"> Node* globalObjectNode = m_insertionSet.insertNode(
</span><del>- m_indexInBlock, SpecNone, WeakJSConstant, node->origin,
- OpInfo(m_graph.globalObjectFor(node->origin.semantic)));
</del><ins>+ m_indexInBlock, SpecNone, JSConstant, node->origin,
+ OpInfo(m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic))));
</ins><span class="cx"> // FIXME: This probably shouldn't have an unconditional barrier.
</span><span class="cx"> // https://bugs.webkit.org/show_bug.cgi?id=133104
</span><span class="cx"> Node* barrierNode = m_graph.addNode(
</span><span class="lines">@@ -1073,7 +1042,6 @@
</span><span class="cx"> // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
</span><span class="cx"> case SetArgument:
</span><span class="cx"> case JSConstant:
</span><del>- case WeakJSConstant:
</del><span class="cx"> case GetLocal:
</span><span class="cx"> case GetCallee:
</span><span class="cx"> case Flush:
</span><span class="lines">@@ -1088,6 +1056,8 @@
</span><span class="cx"> case AllocationProfileWatchpoint:
</span><span class="cx"> case Call:
</span><span class="cx"> case Construct:
</span><ins>+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> case NewObject:
</span><span class="cx"> case NewArrayBuffer:
</span><span class="cx"> case NewRegexp:
</span><span class="lines">@@ -1199,9 +1169,9 @@
</span><span class="cx"> if (!edge)
</span><span class="cx"> break;
</span><span class="cx"> edge.setUseKind(KnownStringUse);
</span><del>- if (!m_graph.isConstant(edge.node()))
</del><ins>+ JSString* string = edge->dynamicCastConstant<JSString*>();
+ if (!string)
</ins><span class="cx"> continue;
</span><del>- JSString* string = jsCast<JSString*>(m_graph.valueOfJSConstant(edge.node()).asCell());
</del><span class="cx"> if (string->length())
</span><span class="cx"> continue;
</span><span class="cx">
</span><span class="lines">@@ -1666,27 +1636,15 @@
</span><span class="cx"> {
</span><span class="cx"> Node* oldNode = edge.node();
</span><span class="cx">
</span><del>- ASSERT(oldNode->hasConstant());
- JSValue value = m_graph.valueOfJSConstant(oldNode);
</del><ins>+ JSValue value = oldNode->asJSValue();
</ins><span class="cx"> if (value.isInt32())
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> value = jsNumber(JSC::toInt32(value.asNumber()));
</span><span class="cx"> ASSERT(value.isInt32());
</span><del>- unsigned constantRegister;
- if (!codeBlock()->findConstant(value, constantRegister)) {
- constantRegister = codeBlock()->addConstantLazily();
- initializeLazyWriteBarrierForConstant(
- m_graph.m_plan.writeBarriers,
- codeBlock()->constants()[constantRegister],
- codeBlock(),
- constantRegister,
- codeBlock()->ownerExecutable(),
- value);
- }
</del><span class="cx"> edge.setNode(m_insertionSet.insertNode(
</span><span class="cx"> m_indexInBlock, SpecInt32, JSConstant, m_currentNode->origin,
</span><del>- OpInfo(constantRegister)));
</del><ins>+ OpInfo(m_graph.freeze(value))));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
</span><span class="lines">@@ -1789,7 +1747,7 @@
</span><span class="cx">
</span><span class="cx"> Node* shiftAmount = m_insertionSet.insertNode(
</span><span class="cx"> m_indexInBlock, SpecInt32, JSConstant, node->origin,
</span><del>- OpInfo(m_graph.constantRegisterForConstant(jsNumber(logElementSize(type)))));
</del><ins>+ OpInfo(m_graph.freeze(jsNumber(logElementSize(type)))));
</ins><span class="cx">
</span><span class="cx"> // We can use a BitLShift here because typed arrays will never have a byteLength
</span><span class="cx"> // that overflows int32.
</span><span class="lines">@@ -1933,11 +1891,10 @@
</span><span class="cx">
</span><span class="cx"> addRequiredPhantom(edge.node());
</span><span class="cx">
</span><del>- if (edge->op() == JSConstant && m_graph.isNumberConstant(edge.node())) {
</del><ins>+ if (edge->isNumberConstant()) {
</ins><span class="cx"> result = m_insertionSet.insertNode(
</span><span class="cx"> m_indexInBlock, SpecBytecodeDouble, DoubleConstant, node->origin,
</span><del>- OpInfo(m_graph.constantRegisterForConstant(
- jsDoubleNumber(m_graph.valueOfNumberConstant(edge.node())))));
</del><ins>+ OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber()))));
</ins><span class="cx"> } else if (edge->hasInt52Result()) {
</span><span class="cx"> result = m_insertionSet.insertNode(
</span><span class="cx"> m_indexInBlock, SpecInt52AsDouble, DoubleRep, node->origin,
</span><span class="lines">@@ -1958,10 +1915,10 @@
</span><span class="cx">
</span><span class="cx"> addRequiredPhantom(edge.node());
</span><span class="cx">
</span><del>- if (edge->op() == JSConstant && m_graph.isMachineIntConstant(edge.node())) {
</del><ins>+ if (edge->isMachineIntConstant()) {
</ins><span class="cx"> result = m_insertionSet.insertNode(
</span><span class="cx"> m_indexInBlock, SpecMachineInt, Int52Constant, node->origin,
</span><del>- OpInfo(edge->constantNumber()));
</del><ins>+ OpInfo(edge->constant()));
</ins><span class="cx"> } else if (edge->hasDoubleResult()) {
</span><span class="cx"> result = m_insertionSet.insertNode(
</span><span class="cx"> m_indexInBlock, SpecMachineInt, Int52Rep, node->origin,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFrozenValuecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.cpp (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,55 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGFrozenValue.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "JSCInlines.h"
+
+namespace JSC { namespace DFG {
+
+FrozenValue* FrozenValue::emptySingleton()
+{
+ static FrozenValue empty;
+ return &empty;
+}
+
+void FrozenValue::dumpInContext(PrintStream& out, DumpContext* context) const
+{
+ if (!!m_value && m_value.isCell())
+ out.print(m_strength, ":");
+ m_value.dumpInContextAssumingStructure(out, context, m_structure);
+}
+
+void FrozenValue::dump(PrintStream& out) const
+{
+ dumpInContext(out, 0);
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFrozenValueh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.h (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,119 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGFrozenValue_h
+#define DFGFrozenValue_h
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGValueStrength.h"
+#include "JSCell.h"
+#include "JSCJSValue.h"
+#include "Structure.h"
+
+namespace JSC { namespace DFG {
+
+class Graph;
+
+class FrozenValue {
+public:
+ FrozenValue()
+ : m_structure(nullptr)
+ , m_strength(FragileValue)
+ {
+ }
+
+ FrozenValue(JSValue value)
+ : m_value(value)
+ , m_structure(nullptr)
+ , m_strength(FragileValue)
+ {
+ RELEASE_ASSERT(!value || !value.isCell());
+ }
+
+ FrozenValue(JSValue value, Structure* structure, ValueStrength strength)
+ : m_value(value)
+ , m_structure(structure)
+ , m_strength(strength)
+ {
+ ASSERT((!!value && value.isCell()) == !!structure);
+ ASSERT(!value || !value.isCell() || value.asCell()->classInfo() == structure->classInfo());
+ ASSERT(!!structure || (strength == FragileValue));
+ }
+
+ static FrozenValue* emptySingleton();
+
+ bool operator!() const { return !m_value; }
+
+ JSValue value() const { return m_value; }
+ Structure* structure() const { return m_structure; }
+
+ void strengthenTo(ValueStrength strength)
+ {
+ if (!!m_value && m_value.isCell())
+ m_strength = merge(m_strength, strength);
+ }
+
+ // The strength of the value itself. The structure should be viewed as fragile
+ // except if it is watched, in which case it's weak. Note that currently we
+ // watch all watchable structures indiscriminantly, and so we also mark them
+ // weakly. We could improve on this: any optimization that makes use of a
+ // structure could signal that it has done so, and we could avoid watching
+ // watchable structures that we had never marked in such a way.
+ ValueStrength strength() const { return m_strength; }
+
+ void dumpInContext(PrintStream& out, DumpContext* context) const;
+ void dump(PrintStream& out) const;
+
+private:
+ friend class Graph;
+
+ // This is a utility method for DFG::Graph::freeze(). You should almost always call
+ // Graph::freeze() directly. Calling this instead of Graph::freeze() can result in
+ // the same constant being viewed as having different structures during the course
+ // of compilation, which can sometimes cause bad things to happen. For example, we
+ // may observe that one version of the constant has an unwatchable structure but
+ // then a later version may start to have a watchable structure due to a transition.
+ // The point of freezing is to ensure that we generally only see one version of
+ // constants, but that requires freezing through the Graph.
+ static FrozenValue freeze(JSValue value)
+ {
+ return FrozenValue(
+ value,
+ (!!value && value.isCell()) ? value.asCell()->structure() : nullptr,
+ FragileValue);
+ }
+
+ JSValue m_value;
+ Structure* m_structure;
+ ValueStrength m_strength;
+};
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGFrozenValue_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -60,19 +60,20 @@
</span><span class="cx"> , m_codeBlock(m_plan.codeBlock.get())
</span><span class="cx"> , m_profiledBlock(m_codeBlock->alternative())
</span><span class="cx"> , m_allocator(longLivedState.m_allocator)
</span><del>- , m_mustHandleAbstractValues(OperandsLike, plan.mustHandleValues)
</del><ins>+ , m_mustHandleValues(OperandsLike, plan.mustHandleValues)
</ins><span class="cx"> , m_hasArguments(false)
</span><span class="cx"> , m_nextMachineLocal(0)
</span><span class="cx"> , m_machineCaptureStart(std::numeric_limits<int>::max())
</span><span class="cx"> , m_fixpointState(BeforeFixpoint)
</span><ins>+ , m_structureWatchpointState(HaveNotStartedWatching)
</ins><span class="cx"> , m_form(LoadStore)
</span><span class="cx"> , m_unificationState(LocallyUnified)
</span><span class="cx"> , m_refCountState(EverythingIsLive)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(m_profiledBlock);
</span><span class="cx">
</span><del>- for (unsigned i = m_mustHandleAbstractValues.size(); i--;)
- m_mustHandleAbstractValues[i].setMostSpecific(*this, plan.mustHandleValues[i]);
</del><ins>+ for (unsigned i = m_mustHandleValues.size(); i--;)
+ m_mustHandleValues[i] = freezeFragile(plan.mustHandleValues[i]);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> Graph::~Graph()
</span><span class="lines">@@ -178,7 +179,6 @@
</span><span class="cx"> // (5) The arguments to the operation. The may be of the form:
</span><span class="cx"> // @# - a NodeIndex referencing a prior node in the graph.
</span><span class="cx"> // arg# - an argument number.
</span><del>- // $# - the index in the CodeBlock of a constant { for numeric constants the value is displayed | for integers, in both decimal and hex }.
</del><span class="cx"> // id# - the index in the CodeBlock of an identifier { if codeBlock is passed to dump(), the string representation is displayed }.
</span><span class="cx"> // var# - the index of a var on the global object, used by GetGlobalVar/PutGlobalVar operations.
</span><span class="cx"> out.printf("% 4d:%s<%c%u:", (int)node->index(), skipped ? " skipped " : " ", mustGenerate ? '!' : ' ', refCount);
</span><span class="lines">@@ -224,9 +224,10 @@
</span><span class="cx"> if (node->hasTransition())
</span><span class="cx"> out.print(comma, pointerDumpInContext(node->transition(), context));
</span><span class="cx"> if (node->hasFunction()) {
</span><del>- out.print(comma, "function(", RawPointer(node->function()), ", ");
- if (node->function()->inherits(JSFunction::info())) {
- JSFunction* function = jsCast<JSFunction*>(node->function());
</del><ins>+ out.print(comma, "function(", pointerDump(node->function()), ", ");
+ if (node->function()->value().isCell()
+ && node->function()->value().asCell()->inherits(JSFunction::info())) {
+ JSFunction* function = jsCast<JSFunction*>(node->function()->value().asCell());
</ins><span class="cx"> if (function->isHostFunction())
</span><span class="cx"> out.print("<host function>");
</span><span class="cx"> else
</span><span class="lines">@@ -306,7 +307,7 @@
</span><span class="cx"> out.print(node->startConstant(), ":[");
</span><span class="cx"> CommaPrinter anotherComma;
</span><span class="cx"> for (unsigned i = 0; i < node->numConstants(); ++i)
</span><del>- out.print(anotherComma, inContext(m_codeBlock->constantBuffer(node->startConstant())[i], context));
</del><ins>+ out.print(anotherComma, pointerDumpInContext(freeze(m_codeBlock->constantBuffer(node->startConstant())[i]), context));
</ins><span class="cx"> out.print("]");
</span><span class="cx"> }
</span><span class="cx"> if (node->hasIndexingType())
</span><span class="lines">@@ -323,13 +324,8 @@
</span><span class="cx"> out.print(comma, inContext(JSValue(node->typedArray()), context));
</span><span class="cx"> if (node->hasStoragePointer())
</span><span class="cx"> out.print(comma, RawPointer(node->storagePointer()));
</span><del>- if (node->isConstant()) {
- out.print(comma, "$", node->constantNumber());
- JSValue value = valueOfJSConstant(node);
- out.print(" = ", inContext(value, context));
- }
- if (op == WeakJSConstant)
- out.print(comma, RawPointer(node->weakConstant()), " (", inContext(*node->weakConstant()->structure(), context), ")");
</del><ins>+ if (node->isConstant())
+ out.print(comma, pointerDumpInContext(node->constant(), context));
</ins><span class="cx"> if (node->isJump())
</span><span class="cx"> out.print(comma, "T:", *node->targetBlock());
</span><span class="cx"> if (node->isBranch())
</span><span class="lines">@@ -368,7 +364,7 @@
</span><span class="cx">
</span><span class="cx"> void Graph::dumpBlockHeader(PrintStream& out, const char* prefix, BasicBlock* block, PhiNodeDumpMode phiNodeDumpMode, DumpContext* context)
</span><span class="cx"> {
</span><del>- out.print(prefix, "Block ", *block, " (", inContext(block->at(0)->origin.semantic, context), "):", block->isReachable ? "" : " (skipped)", block->isOSRTarget ? " (OSR target)" : "", block->cfaHasVisited ? "" : " (CFA-unreachable)", "\n");
</del><ins>+ out.print(prefix, "Block ", *block, " (", inContext(block->at(0)->origin.semantic, context), "):", block->isReachable ? "" : " (skipped)", block->isOSRTarget ? " (OSR target)" : "", "\n");
</ins><span class="cx"> if (block->executionCount == block->executionCount)
</span><span class="cx"> out.print(prefix, " Execution count: ", block->executionCount, "\n");
</span><span class="cx"> out.print(prefix, " Predecessors:");
</span><span class="lines">@@ -451,7 +447,12 @@
</span><span class="cx"> if (!block)
</span><span class="cx"> continue;
</span><span class="cx"> dumpBlockHeader(out, "", block, DumpAllPhis, context);
</span><del>- out.print(" States: ", block->cfaStructureClobberStateAtHead, "\n");
</del><ins>+ out.print(" States: ", block->cfaStructureClobberStateAtHead);
+ if (!block->cfaHasVisited)
+ out.print(", CurrentlyCFAUnreachable");
+ if (!block->intersectionOfCFAHasVisited)
+ out.print(", CFAUnreachable");
+ out.print("\n");
</ins><span class="cx"> switch (m_form) {
</span><span class="cx"> case LoadStore:
</span><span class="cx"> case ThreadedCPS: {
</span><span class="lines">@@ -461,6 +462,12 @@
</span><span class="cx"> else
</span><span class="cx"> out.print("<empty>");
</span><span class="cx"> out.print("\n");
</span><ins>+ out.print(" Intersected Vars Before: ");
+ if (block->intersectionOfCFAHasVisited)
+ out.print(inContext(block->intersectionOfPastValuesAtHead, context));
+ else
+ out.print("<empty>");
+ out.print("\n");
</ins><span class="cx"> out.print(" Var Links: ", block->variablesAtHead, "\n");
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -477,7 +484,10 @@
</span><span class="cx"> dump(out, "", block->at(i), context);
</span><span class="cx"> lastNode = block->at(i);
</span><span class="cx"> }
</span><del>- out.print(" States: ", block->cfaBranchDirection, ", ", block->cfaStructureClobberStateAtTail, "\n");
</del><ins>+ out.print(" States: ", block->cfaBranchDirection, ", ", block->cfaStructureClobberStateAtTail);
+ if (!block->cfaDidFinish)
+ out.print(", CFAInvalidated");
+ out.print("\n");
</ins><span class="cx"> switch (m_form) {
</span><span class="cx"> case LoadStore:
</span><span class="cx"> case ThreadedCPS: {
</span><span class="lines">@@ -588,17 +598,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void Graph::resetExitStates()
-{
- for (BlockIndex blockIndex = 0; blockIndex < m_blocks.size(); ++blockIndex) {
- BasicBlock* block = m_blocks[blockIndex].get();
- if (!block)
- continue;
- for (unsigned indexInBlock = block->size(); indexInBlock--;)
- block->at(indexInBlock)->setCanExit(true);
- }
-}
-
</del><span class="cx"> void Graph::invalidateCFG()
</span><span class="cx"> {
</span><span class="cx"> m_dominators.invalidate();
</span><span class="lines">@@ -792,9 +791,7 @@
</span><span class="cx">
</span><span class="cx"> JSActivation* Graph::tryGetActivation(Node* node)
</span><span class="cx"> {
</span><del>- if (!node->hasConstant())
- return 0;
- return jsDynamicCast<JSActivation*>(valueOfJSConstant(node));
</del><ins>+ return node->dynamicCastConstant<JSActivation*>();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> WriteBarrierBase<Unknown>* Graph::tryGetRegisters(Node* node)
</span><span class="lines">@@ -809,13 +806,11 @@
</span><span class="cx">
</span><span class="cx"> JSArrayBufferView* Graph::tryGetFoldableView(Node* node)
</span><span class="cx"> {
</span><del>- if (!node->hasConstant())
- return 0;
- JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(valueOfJSConstant(node));
</del><ins>+ JSArrayBufferView* view = node->dynamicCastConstant<JSArrayBufferView*>();
</ins><span class="cx"> if (!view)
</span><del>- return 0;
</del><ins>+ return nullptr;
</ins><span class="cx"> if (!view->length())
</span><del>- return 0;
</del><ins>+ return nullptr;
</ins><span class="cx"> WTF::loadLoadFence();
</span><span class="cx"> return view;
</span><span class="cx"> }
</span><span class="lines">@@ -832,8 +827,43 @@
</span><span class="cx"> return tryGetFoldableView(child(node, 0).node(), node->arrayMode());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void Graph::registerFrozenValues()
+{
+ m_codeBlock->constants().resize(0);
+ for (FrozenValue* value : m_frozenValues) {
+ if (value->structure() && value->structure()->dfgShouldWatch())
+ m_plan.weakReferences.addLazily(value->structure());
+
+ switch (value->strength()) {
+ case FragileValue: {
+ break;
+ }
+ case WeakValue: {
+ m_plan.weakReferences.addLazily(value->value().asCell());
+ break;
+ }
+ case StrongValue: {
+ unsigned constantIndex = m_codeBlock->addConstantLazily();
+ initializeLazyWriteBarrierForConstant(
+ m_plan.writeBarriers,
+ m_codeBlock->constants()[constantIndex],
+ m_codeBlock,
+ constantIndex,
+ m_codeBlock->ownerExecutable(),
+ value->value());
+ break;
+ } }
+ }
+ m_codeBlock->constants().shrinkToFit();
+}
+
</ins><span class="cx"> void Graph::visitChildren(SlotVisitor& visitor)
</span><span class="cx"> {
</span><ins>+ for (FrozenValue* value : m_frozenValues) {
+ visitor.appendUnbarrieredReadOnlyValue(value->value());
+ visitor.appendUnbarrieredReadOnlyPointer(value->structure());
+ }
+
</ins><span class="cx"> for (BlockIndex blockIndex = numBlocks(); blockIndex--;) {
</span><span class="cx"> BasicBlock* block = this->block(blockIndex);
</span><span class="cx"> if (!block)
</span><span class="lines">@@ -843,15 +873,6 @@
</span><span class="cx"> Node* node = block->at(nodeIndex);
</span><span class="cx">
</span><span class="cx"> switch (node->op()) {
</span><del>- case JSConstant:
- case WeakJSConstant:
- visitor.appendUnbarrieredReadOnlyValue(valueOfJSConstant(node));
- break;
-
- case CheckFunction:
- visitor.appendUnbarrieredReadOnlyPointer(node->function());
- break;
-
</del><span class="cx"> case CheckExecutable:
</span><span class="cx"> visitor.appendUnbarrieredReadOnlyPointer(node->executable());
</span><span class="cx"> break;
</span><span class="lines">@@ -909,8 +930,60 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+FrozenValue* Graph::freezeFragile(JSValue value)
+{
+ if (UNLIKELY(!value))
+ return FrozenValue::emptySingleton();
+
+ auto result = m_frozenValueMap.add(JSValue::encode(value), nullptr);
+ if (LIKELY(!result.isNewEntry))
+ return result.iterator->value;
+
+ return result.iterator->value = m_frozenValues.add(FrozenValue::freeze(value));
+}
+
+FrozenValue* Graph::freeze(JSValue value)
+{
+ FrozenValue* result = freezeFragile(value);
+ result->strengthenTo(WeakValue);
+ return result;
+}
+
+FrozenValue* Graph::freezeStrong(JSValue value)
+{
+ FrozenValue* result = freeze(value);
+ result->strengthenTo(StrongValue);
+ return result;
+}
+
+void Graph::convertToConstant(Node* node, FrozenValue* value)
+{
+ if (value->structure())
+ assertIsWatched(value->structure());
+ if (m_form == ThreadedCPS) {
+ if (node->op() == GetLocal)
+ dethread();
+ else
+ ASSERT(!node->hasVariableAccessData(*this));
+ }
+ node->convertToConstant(value);
+}
+
+void Graph::convertToConstant(Node* node, JSValue value)
+{
+ convertToConstant(node, freeze(value));
+}
+
+void Graph::convertToStrongConstant(Node* node, JSValue value)
+{
+ convertToConstant(node, freezeStrong(value));
+}
+
</ins><span class="cx"> void Graph::assertIsWatched(Structure* structure)
</span><span class="cx"> {
</span><ins>+ if (m_structureWatchpointState == HaveNotStartedWatching)
+ return;
+
</ins><span class="cx"> if (!structure->dfgShouldWatch())
</span><span class="cx"> return;
</span><span class="cx"> if (watchpoints().isWatched(structure->transitionWatchpointSet()))
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -33,6 +33,7 @@
</span><span class="cx"> #include "DFGArgumentPosition.h"
</span><span class="cx"> #include "DFGBasicBlock.h"
</span><span class="cx"> #include "DFGDominators.h"
</span><ins>+#include "DFGFrozenValue.h"
</ins><span class="cx"> #include "DFGLongLivedState.h"
</span><span class="cx"> #include "DFGNaturalLoops.h"
</span><span class="cx"> #include "DFGNode.h"
</span><span class="lines">@@ -145,43 +146,16 @@
</span><span class="cx">
</span><span class="cx"> void dethread();
</span><span class="cx">
</span><del>- void convertToConstant(Node* node, unsigned constantNumber)
- {
- if (node->op() == GetLocal)
- dethread();
- else
- ASSERT(!node->hasVariableAccessData(*this));
- node->convertToConstant(constantNumber);
- }
</del><ins>+ FrozenValue* freezeFragile(JSValue value);
+ FrozenValue* freeze(JSValue value); // We use weak freezing by default.
+ FrozenValue* freezeStrong(JSValue value); // Shorthand for freeze(value)->markStrongly().
</ins><span class="cx">
</span><del>- unsigned constantRegisterForConstant(JSValue value)
- {
- unsigned constantRegister;
- if (!m_codeBlock->findConstant(value, constantRegister)) {
- constantRegister = m_codeBlock->addConstantLazily();
- initializeLazyWriteBarrierForConstant(
- m_plan.writeBarriers,
- m_codeBlock->constants()[constantRegister],
- m_codeBlock,
- constantRegister,
- m_codeBlock->ownerExecutable(),
- value);
- }
- return constantRegister;
- }
</del><ins>+ void convertToConstant(Node* node, FrozenValue* value);
+ void convertToConstant(Node* node, JSValue value);
+ void convertToStrongConstant(Node* node, JSValue value);
</ins><span class="cx">
</span><span class="cx"> void assertIsWatched(Structure* structure);
</span><span class="cx">
</span><del>- void convertToConstant(Node* node, JSValue value)
- {
- if (value.isCell())
- assertIsWatched(value.asCell()->structure());
- if (value.isObject())
- node->convertToWeakConstant(value.asCell());
- else
- convertToConstant(node, constantRegisterForConstant(value));
- }
-
</del><span class="cx"> // CodeBlock is optional, but may allow additional information to be dumped (e.g. Identifier names).
</span><span class="cx"> void dump(PrintStream& = WTF::dataFile(), DumpContext* = 0);
</span><span class="cx"> enum PhiNodeDumpMode { DumpLivePhisOnly, DumpAllPhis };
</span><span class="lines">@@ -195,11 +169,6 @@
</span><span class="cx"> // preceding node. Returns true if anything was printed.
</span><span class="cx"> bool dumpCodeOrigin(PrintStream&, const char* prefix, Node* previousNode, Node* currentNode, DumpContext*);
</span><span class="cx">
</span><del>- SpeculatedType getJSConstantSpeculation(Node* node)
- {
- return speculationFromValue(node->valueOfJSConstant(m_codeBlock));
- }
-
</del><span class="cx"> AddSpeculationMode addSpeculationMode(Node* add, bool leftShouldSpeculateInt32, bool rightShouldSpeculateInt32, PredictionPass pass)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(add->op() == ValueAdd || add->op() == ArithAdd || add->op() == ArithSub);
</span><span class="lines">@@ -315,92 +284,6 @@
</span><span class="cx"> baselineCodeBlockFor(codeOrigin)->argumentIndexAfterCapture(argument));
</span><span class="cx"> }
</span><span class="cx">
</span><del>- // Helper methods to check nodes for constants.
- bool isConstant(Node* node)
- {
- return node->hasConstant();
- }
- bool isJSConstant(Node* node)
- {
- return node->hasConstant();
- }
- bool isInt32Constant(Node* node)
- {
- return node->isInt32Constant(m_codeBlock);
- }
- bool isDoubleConstant(Node* node)
- {
- return node->isDoubleConstant(m_codeBlock);
- }
- bool isNumberConstant(Node* node)
- {
- return node->isNumberConstant(m_codeBlock);
- }
- bool isMachineIntConstant(Node* node)
- {
- return node->isMachineIntConstant(m_codeBlock);
- }
- bool isBooleanConstant(Node* node)
- {
- return node->isBooleanConstant(m_codeBlock);
- }
- bool isCellConstant(Node* node)
- {
- if (!isJSConstant(node))
- return false;
- JSValue value = valueOfJSConstant(node);
- return value.isCell() && !!value;
- }
- bool isFunctionConstant(Node* node)
- {
- if (!isJSConstant(node))
- return false;
- if (!getJSFunction(valueOfJSConstant(node)))
- return false;
- return true;
- }
- bool isInternalFunctionConstant(Node* node)
- {
- if (!isJSConstant(node))
- return false;
- JSValue value = valueOfJSConstant(node);
- if (!value.isCell() || !value)
- return false;
- JSCell* cell = value.asCell();
- if (!cell->inherits(InternalFunction::info()))
- return false;
- return true;
- }
- // Helper methods get constant values from nodes.
- JSValue valueOfJSConstant(Node* node)
- {
- return node->valueOfJSConstant(m_codeBlock);
- }
- int32_t valueOfInt32Constant(Node* node)
- {
- JSValue value = valueOfJSConstant(node);
- if (!value.isInt32()) {
- dataLog("Value isn't int32: ", value, "\n");
- dump();
- RELEASE_ASSERT_NOT_REACHED();
- }
- return value.asInt32();
- }
- double valueOfNumberConstant(Node* node)
- {
- return valueOfJSConstant(node).asNumber();
- }
- bool valueOfBooleanConstant(Node* node)
- {
- return valueOfJSConstant(node).asBoolean();
- }
- JSFunction* valueOfFunctionConstant(Node* node)
- {
- JSCell* function = getJSFunction(valueOfJSConstant(node));
- ASSERT(function);
- return jsCast<JSFunction*>(function);
- }
-
</del><span class="cx"> static const char *opName(NodeType);
</span><span class="cx">
</span><span class="cx"> StructureSet* addStructureSet(const StructureSet& structureSet)
</span><span class="lines">@@ -686,8 +569,6 @@
</span><span class="cx"> void determineReachability();
</span><span class="cx"> void resetReachability();
</span><span class="cx">
</span><del>- void resetExitStates();
-
</del><span class="cx"> unsigned varArgNumChildren(Node* node)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(node->flags() & NodeHasVarArgs);
</span><span class="lines">@@ -800,7 +681,6 @@
</span><span class="cx">
</span><span class="cx"> DesiredIdentifiers& identifiers() { return m_plan.identifiers; }
</span><span class="cx"> DesiredWatchpoints& watchpoints() { return m_plan.watchpoints; }
</span><del>- DesiredStructureChains& chains() { return m_plan.chains; }
</del><span class="cx">
</span><span class="cx"> FullBytecodeLiveness& livenessFor(CodeBlock*);
</span><span class="cx"> FullBytecodeLiveness& livenessFor(InlineCallFrame*);
</span><span class="lines">@@ -818,6 +698,8 @@
</span><span class="cx"> JSArrayBufferView* tryGetFoldableView(Node*, ArrayMode);
</span><span class="cx"> JSArrayBufferView* tryGetFoldableViewForChild1(Node*);
</span><span class="cx">
</span><ins>+ void registerFrozenValues();
+
</ins><span class="cx"> virtual void visitChildren(SlotVisitor&) override;
</span><span class="cx">
</span><span class="cx"> NO_RETURN_DUE_TO_CRASH void handleAssertionFailure(
</span><span class="lines">@@ -831,10 +713,14 @@
</span><span class="cx">
</span><span class="cx"> NodeAllocator& m_allocator;
</span><span class="cx">
</span><del>- Operands<AbstractValue> m_mustHandleAbstractValues;
</del><ins>+ Operands<FrozenValue*> m_mustHandleValues;
</ins><span class="cx">
</span><span class="cx"> Vector< RefPtr<BasicBlock> , 8> m_blocks;
</span><span class="cx"> Vector<Edge, 16> m_varArgChildren;
</span><ins>+
+ HashMap<EncodedJSValue, FrozenValue*, EncodedJSValueHash, EncodedJSValueHashTraits> m_frozenValueMap;
+ Bag<FrozenValue> m_frozenValues;
+
</ins><span class="cx"> Vector<StorageAccessData> m_storageAccessData;
</span><span class="cx"> Vector<Node*, 8> m_arguments;
</span><span class="cx"> SegmentedVector<VariableAccessData, 16> m_variableAccessData;
</span><span class="lines">@@ -865,6 +751,7 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> OptimizationFixpointState m_fixpointState;
</span><ins>+ StructureWatchpointState m_structureWatchpointState;
</ins><span class="cx"> GraphForm m_form;
</span><span class="cx"> UnificationState m_unificationState;
</span><span class="cx"> RefCountState m_refCountState;
</span><span class="lines">@@ -877,7 +764,7 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(immediate->hasConstant());
</span><span class="cx">
</span><del>- JSValue immediateValue = immediate->valueOfJSConstant(m_codeBlock);
</del><ins>+ JSValue immediateValue = immediate->asJSValue();
</ins><span class="cx"> if (!immediateValue.isNumber() && !immediateValue.isBoolean())
</span><span class="cx"> return DontSpeculateInt32;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGInPlaceAbstractStatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -151,17 +151,18 @@
</span><span class="cx"> continue;
</span><span class="cx"> if (block->bytecodeBegin != m_graph.m_plan.osrEntryBytecodeIndex)
</span><span class="cx"> continue;
</span><del>- for (size_t i = 0; i < m_graph.m_mustHandleAbstractValues.size(); ++i) {
- int operand = m_graph.m_mustHandleAbstractValues.operandForIndex(i);
</del><ins>+ for (size_t i = 0; i < m_graph.m_mustHandleValues.size(); ++i) {
+ int operand = m_graph.m_mustHandleValues.operandForIndex(i);
</ins><span class="cx"> Node* node = block->variablesAtHead.operand(operand);
</span><span class="cx"> if (!node)
</span><span class="cx"> continue;
</span><del>- AbstractValue value = m_graph.m_mustHandleAbstractValues[i];
- AbstractValue& abstractValue = block->valuesAtHead.operand(operand);
</del><ins>+ AbstractValue source;
+ source.setOSREntryValue(m_graph, *m_graph.m_mustHandleValues[i]);
+ AbstractValue& target = block->valuesAtHead.operand(operand);
</ins><span class="cx"> VariableAccessData* variable = node->variableAccessData();
</span><span class="cx"> FlushFormat format = variable->flushFormat();
</span><del>- abstractValue.merge(value);
- abstractValue.fixTypeForRepresentation(resultFor(format));
</del><ins>+ target.merge(source);
+ target.fixTypeForRepresentation(resultFor(format));
</ins><span class="cx"> }
</span><span class="cx"> block->cfaShouldRevisit = true;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGInPlaceAbstractStateh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -128,6 +128,12 @@
</span><span class="cx"> void setStructureClobberState(StructureClobberState value) { m_structureClobberState = value; }
</span><span class="cx"> void setIsValid(bool isValid) { m_isValid = isValid; }
</span><span class="cx"> void setBranchDirection(BranchDirection branchDirection) { m_branchDirection = branchDirection; }
</span><ins>+
+ // This method is evil - it causes a huge maintenance headache and there is a gross amount of
+ // code devoted to it. It would be much nicer to just always run the constant folder on each
+ // block. But, the last time we did it, it was a 1% SunSpider regression:
+ // https://bugs.webkit.org/show_bug.cgi?id=133947
+ // So, we should probably keep this method.
</ins><span class="cx"> void setFoundConstants(bool foundConstants) { m_foundConstants = foundConstants; }
</span><span class="cx">
</span><span class="cx"> private:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGInsertionSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGInsertionSet.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGInsertionSet.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGInsertionSet.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -62,23 +62,21 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> Node* insertConstant(
</span><del>- size_t index, NodeOrigin origin, JSValue value,
</del><ins>+ size_t index, NodeOrigin origin, FrozenValue* value,
</ins><span class="cx"> NodeType op = JSConstant)
</span><span class="cx"> {
</span><del>- unsigned constantReg =
- m_graph.constantRegisterForConstant(value);
</del><span class="cx"> return insertNode(
</span><del>- index, speculationFromValue(value), op, origin, OpInfo(constantReg));
</del><ins>+ index, speculationFromValue(value->value()), op, origin, OpInfo(value));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> Node* insertConstant(
</span><del>- size_t index, CodeOrigin origin, JSValue value, NodeType op = JSConstant)
</del><ins>+ size_t index, CodeOrigin origin, FrozenValue* value, NodeType op = JSConstant)
</ins><span class="cx"> {
</span><span class="cx"> return insertConstant(index, NodeOrigin(origin), value, op);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> Edge insertConstantForUse(
</span><del>- size_t index, NodeOrigin origin, JSValue value, UseKind useKind)
</del><ins>+ size_t index, NodeOrigin origin, FrozenValue* value, UseKind useKind)
</ins><span class="cx"> {
</span><span class="cx"> NodeType op;
</span><span class="cx"> if (isDouble(useKind))
</span><span class="lines">@@ -91,11 +89,31 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> Edge insertConstantForUse(
</span><del>- size_t index, CodeOrigin origin, JSValue value, UseKind useKind)
</del><ins>+ size_t index, CodeOrigin origin, FrozenValue* value, UseKind useKind)
</ins><span class="cx"> {
</span><span class="cx"> return insertConstantForUse(index, NodeOrigin(origin), value, useKind);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ Node* insertConstant(size_t index, NodeOrigin origin, JSValue value, NodeType op = JSConstant)
+ {
+ return insertConstant(index, origin, m_graph.freeze(value), op);
+ }
+
+ Node* insertConstant(size_t index, CodeOrigin origin, JSValue value, NodeType op = JSConstant)
+ {
+ return insertConstant(index, origin, m_graph.freeze(value), op);
+ }
+
+ Edge insertConstantForUse(size_t index, NodeOrigin origin, JSValue value, UseKind useKind)
+ {
+ return insertConstantForUse(index, origin, m_graph.freeze(value), useKind);
+ }
+
+ Edge insertConstantForUse(size_t index, CodeOrigin origin, JSValue value, UseKind useKind)
+ {
+ return insertConstantForUse(index, NodeOrigin(origin), value, useKind);
+ }
+
</ins><span class="cx"> void execute(BasicBlock* block)
</span><span class="cx"> {
</span><span class="cx"> executeInsertions(*block, m_insertions);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGIntegerCheckCombiningPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -311,11 +311,11 @@
</span><span class="cx"> if (node->arithMode() != Arith::CheckOverflow
</span><span class="cx"> && node->arithMode() != Arith::CheckOverflowAndNegativeZero)
</span><span class="cx"> break;
</span><del>- if (!m_graph.isInt32Constant(node->child2().node()))
</del><ins>+ if (!node->child2()->isInt32Constant())
</ins><span class="cx"> break;
</span><span class="cx"> return RangeKeyAndAddend(
</span><span class="cx"> RangeKey::addition(node->child1()),
</span><del>- m_graph.valueOfInt32Constant(node->child2().node()));
</del><ins>+ node->child2()->asInt32());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case CheckInBounds: {
</span><span class="lines">@@ -325,15 +325,15 @@
</span><span class="cx">
</span><span class="cx"> Edge index = node->child1();
</span><span class="cx">
</span><del>- if (m_graph.isInt32Constant(index.node())) {
</del><ins>+ if (index->isInt32Constant()) {
</ins><span class="cx"> source = Edge();
</span><del>- addend = m_graph.valueOfInt32Constant(index.node());
</del><ins>+ addend = index->asInt32();
</ins><span class="cx"> } else if (
</span><span class="cx"> index->op() == ArithAdd
</span><span class="cx"> && index->isBinaryUseKind(Int32Use)
</span><del>- && m_graph.isInt32Constant(index->child2().node())) {
</del><ins>+ && index->child2()->isInt32Constant()) {
</ins><span class="cx"> source = index->child1();
</span><del>- addend = m_graph.valueOfInt32Constant(index->child2().node());
</del><ins>+ addend = index->child2()->asInt32();
</ins><span class="cx"> } else {
</span><span class="cx"> source = index;
</span><span class="cx"> addend = 0;
</span><span class="lines">@@ -341,7 +341,7 @@
</span><span class="cx">
</span><span class="cx"> return RangeKeyAndAddend(RangeKey::arrayBounds(source, key), addend);
</span><span class="cx"> }
</span><del>-
</del><ins>+
</ins><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -162,6 +162,8 @@
</span><span class="cx"> #if USE(JSVALUE32_64)
</span><span class="cx"> m_jitCode->common.doubleConstants = WTF::move(m_graph.m_doubleConstants);
</span><span class="cx"> #endif
</span><ins>+
+ m_graph.registerFrozenValues();
</ins><span class="cx">
</span><span class="cx"> BitVector usedJumpTables;
</span><span class="cx"> for (Bag<SwitchData>::iterator iter = m_graph.m_switchData.begin(); !!iter; ++iter) {
</span><span class="lines">@@ -439,11 +441,7 @@
</span><span class="cx"> #if USE(JSVALUE32_64)
</span><span class="cx"> void* JITCompiler::addressOfDoubleConstant(Node* node)
</span><span class="cx"> {
</span><del>- ASSERT(m_graph.isNumberConstant(node));
- JSValue jsvalue = node->valueOfJSConstant(codeBlock());
- ASSERT(jsvalue.isDouble());
-
- double value = jsvalue.asDouble();
</del><ins>+ double value = node->asNumber();
</ins><span class="cx"> int64_t valueBits = bitwise_cast<int64_t>(value);
</span><span class="cx"> auto it = m_graph.m_doubleConstantsMap.find(valueBits);
</span><span class="cx"> if (it != m_graph.m_doubleConstantsMap.end())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -271,12 +271,12 @@
</span><span class="cx"> void noticeOSREntry(BasicBlock& basicBlock, JITCompiler::Label blockHead, LinkBuffer& linkBuffer)
</span><span class="cx"> {
</span><span class="cx"> // OSR entry is not allowed into blocks deemed unreachable by control flow analysis.
</span><del>- if (!basicBlock.cfaHasVisited)
</del><ins>+ if (!basicBlock.intersectionOfCFAHasVisited)
</ins><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> OSREntryData* entry = m_jitCode->appendOSREntryData(basicBlock.bytecodeBegin, linkBuffer.offsetOf(blockHead));
</span><span class="cx">
</span><del>- entry->m_expectedValues = basicBlock.valuesAtHead;
</del><ins>+ entry->m_expectedValues = basicBlock.intersectionOfPastValuesAtHead;
</ins><span class="cx">
</span><span class="cx"> // Fix the expected values: in our protocol, a dead variable will have an expected
</span><span class="cx"> // value of (None, []). But the old JIT may stash some values there. So we really
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGLICMPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -62,13 +62,14 @@
</span><span class="cx"> public:
</span><span class="cx"> LICMPhase(Graph& graph)
</span><span class="cx"> : Phase(graph, "LICM")
</span><ins>+ , m_state(graph)
</ins><span class="cx"> , m_interpreter(graph, m_state)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool run()
</span><span class="cx"> {
</span><del>- ASSERT(m_graph.m_form == SSA);
</del><ins>+ DFG_ASSERT(m_graph, nullptr, m_graph.m_form == SSA);
</ins><span class="cx">
</span><span class="cx"> m_graph.m_dominators.computeIfNecessary(m_graph);
</span><span class="cx"> m_graph.m_naturalLoops.computeIfNecessary(m_graph);
</span><span class="lines">@@ -123,11 +124,11 @@
</span><span class="cx"> BasicBlock* predecessor = header->predecessors[i];
</span><span class="cx"> if (m_graph.m_dominators.dominates(header, predecessor))
</span><span class="cx"> continue;
</span><del>- RELEASE_ASSERT(!preHeader || preHeader == predecessor);
</del><ins>+ DFG_ASSERT(m_graph, nullptr, !preHeader || preHeader == predecessor);
</ins><span class="cx"> preHeader = predecessor;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- RELEASE_ASSERT(preHeader->last()->op() == Jump);
</del><ins>+ DFG_ASSERT(m_graph, preHeader->last(), preHeader->last()->op() == Jump);
</ins><span class="cx">
</span><span class="cx"> data.preHeader = preHeader;
</span><span class="cx"> }
</span><span class="lines">@@ -267,7 +268,7 @@
</span><span class="cx"> // It just so happens that all of the nodes we currently know how to hoist
</span><span class="cx"> // don't have var-arg children. That may change and then we can fix this
</span><span class="cx"> // code. But for now we just assert that's the case.
</span><del>- RELEASE_ASSERT(!(node->flags() & NodeHasVarArgs));
</del><ins>+ DFG_ASSERT(m_graph, node, !(node->flags() & NodeHasVarArgs));
</ins><span class="cx">
</span><span class="cx"> nodeRef = m_graph.addNode(SpecNone, Phantom, originalOrigin, node->children);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGLazyJSValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -36,14 +36,14 @@
</span><span class="cx"> {
</span><span class="cx"> switch (m_kind) {
</span><span class="cx"> case KnownValue:
</span><del>- return value();
</del><ins>+ return value()->value();
</ins><span class="cx"> case SingleCharacterString:
</span><span class="cx"> return jsSingleCharacterString(&vm, u.character);
</span><span class="cx"> case KnownStringImpl:
</span><span class="cx"> return jsString(&vm, u.stringImpl);
</span><span class="cx"> }
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><del>- return value();
</del><ins>+ return JSValue();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static TriState equalToSingleCharacter(JSValue value, UChar character)
</span><span class="lines">@@ -81,11 +81,11 @@
</span><span class="cx"> case KnownValue:
</span><span class="cx"> switch (other.m_kind) {
</span><span class="cx"> case KnownValue:
</span><del>- return JSValue::pureStrictEqual(value(), other.value());
</del><ins>+ return JSValue::pureStrictEqual(value()->value(), other.value()->value());
</ins><span class="cx"> case SingleCharacterString:
</span><del>- return equalToSingleCharacter(value(), other.character());
</del><ins>+ return equalToSingleCharacter(value()->value(), other.character());
</ins><span class="cx"> case KnownStringImpl:
</span><del>- return equalToStringImpl(value(), other.stringImpl());
</del><ins>+ return equalToStringImpl(value()->value(), other.stringImpl());
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx"> case SingleCharacterString:
</span><span class="lines">@@ -117,7 +117,7 @@
</span><span class="cx"> {
</span><span class="cx"> switch (m_kind) {
</span><span class="cx"> case KnownValue:
</span><del>- value().dumpInContext(out, context);
</del><ins>+ value()->dumpInContext(out, context);
</ins><span class="cx"> return;
</span><span class="cx"> case SingleCharacterString:
</span><span class="cx"> out.print("Lazy:SingleCharacterString(");
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGLazyJSValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -28,7 +28,7 @@
</span><span class="cx">
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx">
</span><del>-#include "JSCJSValue.h"
</del><ins>+#include "DFGFrozenValue.h"
</ins><span class="cx"> #include <wtf/text/StringImpl.h>
</span><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="lines">@@ -44,10 +44,10 @@
</span><span class="cx">
</span><span class="cx"> class LazyJSValue {
</span><span class="cx"> public:
</span><del>- LazyJSValue(JSValue value = JSValue())
</del><ins>+ LazyJSValue(FrozenValue* value = FrozenValue::emptySingleton())
</ins><span class="cx"> : m_kind(KnownValue)
</span><span class="cx"> {
</span><del>- u.value = JSValue::encode(value);
</del><ins>+ u.value = value;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static LazyJSValue singleCharacterString(UChar character)
</span><span class="lines">@@ -66,19 +66,19 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JSValue tryGetValue() const
</del><ins>+ FrozenValue* tryGetValue(Graph&) const
</ins><span class="cx"> {
</span><span class="cx"> if (m_kind == KnownValue)
</span><span class="cx"> return value();
</span><del>- return JSValue();
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSValue getValue(VM&) const;
</span><span class="cx">
</span><del>- JSValue value() const
</del><ins>+ FrozenValue* value() const
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(m_kind == KnownValue);
</span><del>- return JSValue::decode(u.value);
</del><ins>+ return u.value;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> UChar character() const
</span><span class="lines">@@ -102,7 +102,7 @@
</span><span class="cx"> // for a kind of value that can't.
</span><span class="cx"> switch (m_kind) {
</span><span class="cx"> case KnownValue:
</span><del>- return value().asInt32();
</del><ins>+ return value()->value().asInt32();
</ins><span class="cx"> case SingleCharacterString:
</span><span class="cx"> return character();
</span><span class="cx"> default:
</span><span class="lines">@@ -116,7 +116,7 @@
</span><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> union {
</span><del>- EncodedJSValue value;
</del><ins>+ FrozenValue* value;
</ins><span class="cx"> UChar character;
</span><span class="cx"> StringImpl* stringImpl;
</span><span class="cx"> } u;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGMayExitcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,89 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGMayExit.h"
+
+#include "DFGGraph.h"
+#include "DFGNode.h"
+#include "Operations.h"
+
+namespace JSC { namespace DFG {
+
+namespace {
+
+class EdgeMayExit {
+public:
+ EdgeMayExit()
+ : m_result(false)
+ {
+ }
+
+ void operator()(Node*, Edge edge)
+ {
+ m_result |= edge.willHaveCheck();
+ }
+
+ bool result() const { return m_result; }
+
+private:
+ bool m_result;
+};
+
+} // anonymous namespace
+
+bool mayExit(Graph& graph, Node* node)
+{
+ switch (node->op()) {
+ case SetArgument:
+ case JSConstant:
+ case DoubleConstant:
+ case Int52Constant:
+ case MovHint:
+ case SetLocal:
+ case Flush:
+ case Phantom:
+ case Check:
+ case HardPhantom:
+ case GetLocal:
+ case LoopHint:
+ case PhantomArguments:
+ case Phi:
+ case Upsilon:
+ case ZombieHint:
+ break;
+
+ default:
+ // If in doubt, return true.
+ return true;
+ }
+
+ EdgeMayExit functor;
+ DFG_NODE_DO_TO_CHILDREN(graph, node, functor);
+ return functor.result();
+}
+
+} } // namespace JSC::DFG
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGMayExith"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGMayExit.h (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGMayExit.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGMayExit.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,46 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGMayExit_h
+#define DFGMayExit_h
+
+#if ENABLE(DFG_JIT)
+
+namespace JSC { namespace DFG {
+
+class Graph;
+struct Node;
+
+// A *very* conservative approximation of whether or not a node could possibly exit. Usually
+// returns true except in cases where we obviously don't expect an exit.
+
+bool mayExit(Graph&, Node*);
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGMayExit_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGMinifiedNodecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGMinifiedNode.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGMinifiedNode.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGMinifiedNode.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -39,10 +39,8 @@
</span><span class="cx"> MinifiedNode result;
</span><span class="cx"> result.m_id = MinifiedID(node);
</span><span class="cx"> result.m_op = node->op();
</span><del>- if (hasConstantNumber(node->op()))
- result.m_info = node->constantNumber();
- else if (hasWeakConstant(node->op()))
- result.m_info = bitwise_cast<uintptr_t>(node->weakConstant());
</del><ins>+ if (hasConstant(node->op()))
+ result.m_info = JSValue::encode(node->asJSValue());
</ins><span class="cx"> else {
</span><span class="cx"> ASSERT(node->op() == PhantomArguments);
</span><span class="cx"> result.m_info = 0;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGMinifiedNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGMinifiedNode.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGMinifiedNode.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGMinifiedNode.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -42,7 +42,6 @@
</span><span class="cx"> case JSConstant:
</span><span class="cx"> case Int52Constant:
</span><span class="cx"> case DoubleConstant:
</span><del>- case WeakJSConstant:
</del><span class="cx"> case PhantomArguments:
</span><span class="cx"> return true;
</span><span class="cx"> default:
</span><span class="lines">@@ -59,24 +58,13 @@
</span><span class="cx"> MinifiedID id() const { return m_id; }
</span><span class="cx"> NodeType op() const { return m_op; }
</span><span class="cx">
</span><del>- bool hasConstant() const { return hasConstantNumber() || hasWeakConstant(); }
</del><ins>+ bool hasConstant() const { return hasConstant(m_op); }
</ins><span class="cx">
</span><del>- bool hasConstantNumber() const { return hasConstantNumber(m_op); }
-
- unsigned constantNumber() const
</del><ins>+ JSValue constant() const
</ins><span class="cx"> {
</span><del>- ASSERT(hasConstantNumber(m_op));
- return m_info;
</del><ins>+ return JSValue::decode(bitwise_cast<EncodedJSValue>(m_info));
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- bool hasWeakConstant() const { return hasWeakConstant(m_op); }
-
- JSCell* weakConstant() const
- {
- ASSERT(hasWeakConstant(m_op));
- return bitwise_cast<JSCell*>(m_info);
- }
-
</del><span class="cx"> static MinifiedID getID(MinifiedNode* node) { return node->id(); }
</span><span class="cx"> static bool compareByNodeIndex(const MinifiedNode& a, const MinifiedNode& b)
</span><span class="cx"> {
</span><span class="lines">@@ -84,17 +72,13 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- static bool hasConstantNumber(NodeType type)
</del><ins>+ static bool hasConstant(NodeType type)
</ins><span class="cx"> {
</span><span class="cx"> return type == JSConstant || type == Int52Constant || type == DoubleConstant;
</span><span class="cx"> }
</span><del>- static bool hasWeakConstant(NodeType type)
- {
- return type == WeakJSConstant;
- }
</del><span class="cx">
</span><span class="cx"> MinifiedID m_id;
</span><del>- uintptr_t m_info;
</del><ins>+ uint64_t m_info;
</ins><span class="cx"> NodeType m_op;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -323,7 +323,6 @@
</span><span class="cx">
</span><span class="cx"> bool mergeFlags(NodeFlags flags)
</span><span class="cx"> {
</span><del>- ASSERT(!(flags & NodeDoesNotExit));
</del><span class="cx"> NodeFlags newFlags = m_flags | flags;
</span><span class="cx"> if (newFlags == m_flags)
</span><span class="cx"> return false;
</span><span class="lines">@@ -333,7 +332,6 @@
</span><span class="cx">
</span><span class="cx"> bool filterFlags(NodeFlags flags)
</span><span class="cx"> {
</span><del>- ASSERT(flags & NodeDoesNotExit);
</del><span class="cx"> NodeFlags newFlags = m_flags & flags;
</span><span class="cx"> if (newFlags == m_flags)
</span><span class="cx"> return false;
</span><span class="lines">@@ -381,19 +379,6 @@
</span><span class="cx"> return m_flags & NodeMustGenerate;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void setCanExit(bool exits)
- {
- if (exits)
- m_flags &= ~NodeDoesNotExit;
- else
- m_flags |= NodeDoesNotExit;
- }
-
- bool canExit()
- {
- return !(m_flags & NodeDoesNotExit);
- }
-
</del><span class="cx"> bool isConstant()
</span><span class="cx"> {
</span><span class="cx"> switch (op()) {
</span><span class="lines">@@ -406,11 +391,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool isWeakConstant()
- {
- return op() == WeakJSConstant;
- }
-
</del><span class="cx"> bool isPhantomArguments()
</span><span class="cx"> {
</span><span class="cx"> return op() == PhantomArguments;
</span><span class="lines">@@ -422,7 +402,6 @@
</span><span class="cx"> case JSConstant:
</span><span class="cx"> case DoubleConstant:
</span><span class="cx"> case Int52Constant:
</span><del>- case WeakJSConstant:
</del><span class="cx"> case PhantomArguments:
</span><span class="cx"> return true;
</span><span class="cx"> default:
</span><span class="lines">@@ -430,13 +409,16 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- unsigned constantNumber()
</del><ins>+ FrozenValue* constant()
</ins><span class="cx"> {
</span><del>- ASSERT(isConstant());
- return m_opInfo;
</del><ins>+ ASSERT(hasConstant());
+ if (op() == PhantomArguments)
+ return FrozenValue::emptySingleton();
+ return bitwise_cast<FrozenValue*>(m_opInfo);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- void convertToConstant(unsigned constantNumber)
</del><ins>+ // Don't call this directly - use Graph::convertToConstant() instead!
+ void convertToConstant(FrozenValue* value)
</ins><span class="cx"> {
</span><span class="cx"> if (hasDoubleResult())
</span><span class="cx"> m_op = DoubleConstant;
</span><span class="lines">@@ -445,18 +427,10 @@
</span><span class="cx"> else
</span><span class="cx"> m_op = JSConstant;
</span><span class="cx"> m_flags &= ~(NodeMustGenerate | NodeMightClobber | NodeClobbersWorld);
</span><del>- m_opInfo = constantNumber;
</del><ins>+ m_opInfo = bitwise_cast<uintptr_t>(value);
</ins><span class="cx"> children.reset();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void convertToWeakConstant(JSCell* cell)
- {
- m_op = WeakJSConstant;
- m_flags &= ~(NodeMustGenerate | NodeMightClobber | NodeClobbersWorld);
- m_opInfo = bitwise_cast<uintptr_t>(cell);
- children.reset();
- }
-
</del><span class="cx"> void convertToConstantStoragePointer(void* pointer)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(op() == GetIndexedPropertyStorage);
</span><span class="lines">@@ -518,59 +492,79 @@
</span><span class="cx"> m_op = ToString;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JSCell* weakConstant()
</del><ins>+ JSValue asJSValue()
</ins><span class="cx"> {
</span><del>- ASSERT(op() == WeakJSConstant);
- return bitwise_cast<JSCell*>(m_opInfo);
</del><ins>+ return constant()->value();
</ins><span class="cx"> }
</span><del>-
- JSValue valueOfJSConstant(CodeBlock* codeBlock)
</del><ins>+
+ bool isInt32Constant()
</ins><span class="cx"> {
</span><del>- switch (op()) {
- case WeakJSConstant:
- return JSValue(weakConstant());
- case JSConstant:
- case DoubleConstant:
- case Int52Constant:
- return codeBlock->constantRegister(FirstConstantRegisterIndex + constantNumber()).get();
- case PhantomArguments:
- return JSValue();
- default:
- RELEASE_ASSERT_NOT_REACHED();
- return JSValue(); // Have to return something in release mode.
- }
</del><ins>+ return isConstant() && constant()->value().isInt32();
</ins><span class="cx"> }
</span><del>-
- bool isInt32Constant(CodeBlock* codeBlock)
</del><ins>+
+ int32_t asInt32()
</ins><span class="cx"> {
</span><del>- return isConstant() && valueOfJSConstant(codeBlock).isInt32();
</del><ins>+ return asJSValue().asInt32();
</ins><span class="cx"> }
</span><del>-
- bool isDoubleConstant(CodeBlock* codeBlock)
</del><ins>+
+ uint32_t asUInt32()
</ins><span class="cx"> {
</span><del>- bool result = isConstant() && valueOfJSConstant(codeBlock).isDouble();
- if (result)
- ASSERT(!isInt32Constant(codeBlock));
- return result;
</del><ins>+ return asInt32();
</ins><span class="cx"> }
</span><del>-
- bool isNumberConstant(CodeBlock* codeBlock)
</del><ins>+
+ bool isDoubleConstant()
</ins><span class="cx"> {
</span><del>- bool result = isConstant() && valueOfJSConstant(codeBlock).isNumber();
- ASSERT(result == (isInt32Constant(codeBlock) || isDoubleConstant(codeBlock)));
- return result;
</del><ins>+ return isConstant() && constant()->value().isDouble();
</ins><span class="cx"> }
</span><del>-
- bool isMachineIntConstant(CodeBlock* codeBlock)
</del><ins>+
+ bool isNumberConstant()
</ins><span class="cx"> {
</span><del>- return isConstant() && valueOfJSConstant(codeBlock).isMachineInt();
</del><ins>+ return isConstant() && constant()->value().isNumber();
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- bool isBooleanConstant(CodeBlock* codeBlock)
</del><ins>+ double asNumber()
</ins><span class="cx"> {
</span><del>- return isConstant() && valueOfJSConstant(codeBlock).isBoolean();
</del><ins>+ return asJSValue().asNumber();
</ins><span class="cx"> }
</span><del>-
</del><ins>+
+ bool isMachineIntConstant()
+ {
+ return isConstant() && constant()->value().isMachineInt();
+ }
+
+ int64_t asMachineInt()
+ {
+ return asJSValue().asMachineInt();
+ }
+
+ bool isBooleanConstant()
+ {
+ return isConstant() && constant()->value().isBoolean();
+ }
+
+ bool asBoolean()
+ {
+ return constant()->value().asBoolean();
+ }
+
+ bool isCellConstant()
+ {
+ return isConstant() && constant()->value().isCell();
+ }
+
+ JSCell* asCell()
+ {
+ return constant()->value().asCell();
+ }
+
+ template<typename T>
+ T dynamicCastConstant()
+ {
+ if (!isCellConstant())
+ return nullptr;
+ return jsDynamicCast<T>(asCell());
+ }
+
</ins><span class="cx"> bool containsMovHint()
</span><span class="cx"> {
</span><span class="cx"> switch (op()) {
</span><span class="lines">@@ -983,6 +977,8 @@
</span><span class="cx"> case GetMyArgumentByValSafe:
</span><span class="cx"> case Call:
</span><span class="cx"> case Construct:
</span><ins>+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> case GetByOffset:
</span><span class="cx"> case MultiGetByOffset:
</span><span class="cx"> case GetClosureVar:
</span><span class="lines">@@ -1019,8 +1015,8 @@
</span><span class="cx"> bool canBeKnownFunction()
</span><span class="cx"> {
</span><span class="cx"> switch (op()) {
</span><del>- case Construct:
- case Call:
</del><ins>+ case NativeConstruct:
+ case NativeCall:
</ins><span class="cx"> return true;
</span><span class="cx"> default:
</span><span class="cx"> return false;
</span><span class="lines">@@ -1030,8 +1026,8 @@
</span><span class="cx"> bool hasKnownFunction()
</span><span class="cx"> {
</span><span class="cx"> switch (op()) {
</span><del>- case Construct:
- case Call:
</del><ins>+ case NativeConstruct:
+ case NativeCall:
</ins><span class="cx"> return (bool)m_opInfo;
</span><span class="cx"> default:
</span><span class="cx"> return false;
</span><span class="lines">@@ -1061,12 +1057,10 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JSCell* function()
</del><ins>+ FrozenValue* function()
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(hasFunction());
</span><del>- JSCell* result = reinterpret_cast<JSFunction*>(m_opInfo);
- ASSERT(JSValue(result).isFunction());
- return result;
</del><ins>+ return reinterpret_cast<FrozenValue*>(m_opInfo);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool hasExecutable()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeFlagscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -109,9 +109,6 @@
</span><span class="cx"> if (flags & NodeBytecodeUsesAsArrayIndex)
</span><span class="cx"> out.print(comma, "ReallyWantsInt");
</span><span class="cx">
</span><del>- if (!(flags & NodeDoesNotExit))
- out.print(comma, "CanExit");
-
</del><span class="cx"> if (flags & NodeIsFlushed)
</span><span class="cx"> out.print(comma, "IsFlushed");
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeFlagsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -66,12 +66,10 @@
</span><span class="cx">
</span><span class="cx"> #define NodeArithFlagsMask (NodeBehaviorMask | NodeBytecodeBackPropMask)
</span><span class="cx">
</span><del>-#define NodeDoesNotExit 0x10000 // This flag is negated to make it natural for the default to be that a node does exit.
</del><ins>+#define NodeRelevantToOSR 0x10000
</ins><span class="cx">
</span><del>-#define NodeRelevantToOSR 0x20000
</del><ins>+#define NodeIsFlushed 0x20000 // Used by Graph::computeIsFlushed(), will tell you which local nodes are backwards-reachable from a Flush.
</ins><span class="cx">
</span><del>-#define NodeIsFlushed 0x40000 // Used by Graph::computeIsFlushed(), will tell you which local nodes are backwards-reachable from a Flush.
-
</del><span class="cx"> typedef uint32_t NodeFlags;
</span><span class="cx">
</span><span class="cx"> static inline bool bytecodeUsesAsNumber(NodeFlags flags)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -35,16 +35,12 @@
</span><span class="cx"> // This macro defines a set of information about all known node types, used to populate NodeId, NodeType below.
</span><span class="cx"> #define FOR_EACH_DFG_OP(macro) \
</span><span class="cx"> /* A constant in the CodeBlock's constant pool. */\
</span><del>- macro(JSConstant, NodeResultJS | NodeDoesNotExit) \
</del><ins>+ macro(JSConstant, NodeResultJS) \
</ins><span class="cx"> \
</span><span class="cx"> /* Constants with specific representations. */\
</span><del>- macro(DoubleConstant, NodeResultDouble | NodeDoesNotExit) \
- macro(Int52Constant, NodeResultInt52 | NodeDoesNotExit) \
</del><ins>+ macro(DoubleConstant, NodeResultDouble) \
+ macro(Int52Constant, NodeResultInt52) \
</ins><span class="cx"> \
</span><del>- /* A constant not in the CodeBlock's constant pool. Uses get patched to jumps that exit the */\
- /* code block. */\
- macro(WeakJSConstant, NodeResultJS | NodeDoesNotExit) \
- \
</del><span class="cx"> /* Marker to indicate that an operation was optimized entirely and all that is left */\
</span><span class="cx"> /* is to make one node alias another. CSE will later usually eliminate this node, */\
</span><span class="cx"> /* though it may choose not to if it would corrupt predictions (very rare). */\
</span><span class="lines">@@ -60,16 +56,16 @@
</span><span class="cx"> /* VariableAccessData, and thus will share predictions. */\
</span><span class="cx"> macro(GetLocal, NodeResultJS) \
</span><span class="cx"> macro(SetLocal, 0) \
</span><del>- macro(MovHint, NodeDoesNotExit) \
- macro(ZombieHint, NodeDoesNotExit) \
</del><ins>+ macro(MovHint, 0) \
+ macro(ZombieHint, 0) \
</ins><span class="cx"> macro(GetArgument, NodeResultJS | NodeMustGenerate) \
</span><span class="cx"> macro(Phantom, NodeMustGenerate) \
</span><span class="cx"> macro(HardPhantom, NodeMustGenerate) /* Like Phantom, but we never remove any of its children. */ \
</span><span class="cx"> macro(Check, 0) /* Used if we want just a type check but not liveness. DCE eithers kills this or converts it to Phantom. */\
</span><del>- macro(Upsilon, NodeDoesNotExit | NodeRelevantToOSR) \
- macro(Phi, NodeDoesNotExit | NodeRelevantToOSR) \
- macro(Flush, NodeMustGenerate | NodeDoesNotExit) \
- macro(PhantomLocal, NodeMustGenerate | NodeDoesNotExit) \
</del><ins>+ macro(Upsilon, NodeRelevantToOSR) \
+ macro(Phi, NodeRelevantToOSR) \
+ macro(Flush, NodeMustGenerate) \
+ macro(PhantomLocal, NodeMustGenerate) \
</ins><span class="cx"> \
</span><span class="cx"> /* Hint that this is where bytecode thinks is a good place to OSR. Note that this */\
</span><span class="cx"> /* will exist even in inlined loops. This has no execution semantics but it must */\
</span><span class="lines">@@ -92,7 +88,7 @@
</span><span class="cx"> macro(GetLocalUnlinked, NodeResultJS) \
</span><span class="cx"> \
</span><span class="cx"> /* Marker for an argument being set at the prologue of a function. */\
</span><del>- macro(SetArgument, NodeDoesNotExit) \
</del><ins>+ macro(SetArgument, 0) \
</ins><span class="cx"> \
</span><span class="cx"> /* Marker of location in the IR where we may possibly perform jump replacement to */\
</span><span class="cx"> /* invalidate this code block. */\
</span><span class="lines">@@ -159,9 +155,9 @@
</span><span class="cx"> macro(CheckStructure, NodeMustGenerate) \
</span><span class="cx"> macro(CheckExecutable, NodeMustGenerate) \
</span><span class="cx"> macro(PutStructure, NodeMustGenerate) \
</span><del>- macro(PhantomPutStructure, NodeMustGenerate | NodeDoesNotExit) \
- macro(AllocatePropertyStorage, NodeMustGenerate | NodeDoesNotExit | NodeResultStorage) \
- macro(ReallocatePropertyStorage, NodeMustGenerate | NodeDoesNotExit | NodeResultStorage) \
</del><ins>+ macro(PhantomPutStructure, NodeMustGenerate) \
+ macro(AllocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
+ macro(ReallocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
</ins><span class="cx"> macro(GetButterfly, NodeResultStorage) \
</span><span class="cx"> macro(CheckArray, NodeMustGenerate) \
</span><span class="cx"> macro(Arrayify, NodeMustGenerate) \
</span><span class="lines">@@ -220,6 +216,8 @@
</span><span class="cx"> /* Calls. */\
</span><span class="cx"> macro(Call, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
</span><span class="cx"> macro(Construct, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
</span><ins>+ macro(NativeCall, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
+ macro(NativeConstruct, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
</ins><span class="cx"> \
</span><span class="cx"> /* Allocations. */\
</span><span class="cx"> macro(NewObject, NodeResultJS) \
</span><span class="lines">@@ -258,7 +256,7 @@
</span><span class="cx"> /* Nodes used for arguments. Similar to activation support, only it makes even less */\
</span><span class="cx"> /* sense. */\
</span><span class="cx"> macro(CreateArguments, NodeResultJS) \
</span><del>- macro(PhantomArguments, NodeResultJS | NodeDoesNotExit) \
</del><ins>+ macro(PhantomArguments, NodeResultJS) \
</ins><span class="cx"> macro(TearOffArguments, NodeMustGenerate) \
</span><span class="cx"> macro(GetMyArgumentsLength, NodeResultJS | NodeMustGenerate) \
</span><span class="cx"> macro(GetMyArgumentByVal, NodeResultJS | NodeMustGenerate) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -88,7 +88,7 @@
</span><span class="cx">
</span><span class="cx"> Profiler::OSRExit* profilerExit = compilation->addOSRExit(
</span><span class="cx"> exitIndex, Profiler::OriginStack(database, codeBlock, exit.m_codeOrigin),
</span><del>- exit.m_kind, isWatchpoint(exit.m_kind));
</del><ins>+ exit.m_kind, exit.m_kind == UncountableInvalidation);
</ins><span class="cx"> jit.add64(CCallHelpers::TrustedImm32(1), CCallHelpers::AbsoluteAddress(profilerExit->counterAddress()));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPlancpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -239,34 +239,35 @@
</span><span class="cx"> performInvalidationPointInjection(dfg);
</span><span class="cx"> performTypeCheckHoisting(dfg);
</span><span class="cx">
</span><del>- unsigned count = 1;
</del><span class="cx"> dfg.m_fixpointState = FixpointNotConverged;
</span><del>- for (;; ++count) {
- if (logCompilationChanges(mode))
- dataLogF("DFG beginning optimization fixpoint iteration #%u.\n", count);
- bool changed = false;
</del><ins>+
+ // For now we're back to avoiding a fixpoint. Note that we've ping-ponged on this decision
+ // many times. For maximum throughput, it's best to fixpoint. But the throughput benefit is
+ // small and not likely to show up in FTL anyway. On the other hand, not fixpointing means
+ // that the compiler compiles more quickly. We want the third tier to compile quickly, which
+ // not fixpointing accomplishes; and the fourth tier shouldn't need a fixpoint.
+ if (validationEnabled())
+ validate(dfg);
</ins><span class="cx">
</span><del>- if (validationEnabled())
- validate(dfg);
-
- changed |= performStrengthReduction(dfg);
</del><ins>+ performStrengthReduction(dfg);
+ performCSE(dfg);
+ performArgumentsSimplification(dfg);
+ performCPSRethreading(dfg);
+ performCFA(dfg);
+ performConstantFolding(dfg);
+ bool changed = false;
+ changed |= performCFGSimplification(dfg);
+ changed |= performCSE(dfg);
+
+ if (validationEnabled())
+ validate(dfg);
+
+ performCPSRethreading(dfg);
+ if (changed) {
</ins><span class="cx"> performCFA(dfg);
</span><del>- changed |= performConstantFolding(dfg);
- changed |= performArgumentsSimplification(dfg);
- changed |= performCFGSimplification(dfg);
- changed |= performCSE(dfg);
-
- if (!changed)
- break;
-
- performCPSRethreading(dfg);
</del><ins>+ performConstantFolding(dfg);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- if (logCompilationChanges(mode))
- dataLogF("DFG optimization fixpoint converged in %u iterations.\n", count);
-
- dfg.m_fixpointState = FixpointConverged;
-
</del><span class="cx"> // If we're doing validation, then run some analyses, to give them an opportunity
</span><span class="cx"> // to self-validate. Now is as good a time as any to do this.
</span><span class="cx"> if (validationEnabled()) {
</span><span class="lines">@@ -276,10 +277,11 @@
</span><span class="cx">
</span><span class="cx"> switch (mode) {
</span><span class="cx"> case DFGMode: {
</span><ins>+ dfg.m_fixpointState = FixpointConverged;
+
</ins><span class="cx"> performTierUpCheckInjection(dfg);
</span><span class="cx">
</span><span class="cx"> performStoreBarrierElision(dfg);
</span><del>- performStoreElimination(dfg);
</del><span class="cx"> performCPSRethreading(dfg);
</span><span class="cx"> performDCE(dfg);
</span><span class="cx"> performStackLayout(dfg);
</span><span class="lines">@@ -320,12 +322,20 @@
</span><span class="cx"> performStoreBarrierElision(dfg);
</span><span class="cx"> performLivenessAnalysis(dfg);
</span><span class="cx"> performCFA(dfg);
</span><ins>+ performConstantFolding(dfg);
+ if (performStrengthReduction(dfg)) {
+ // State-at-tail and state-at-head will be invalid if we did strength reduction since
+ // it might increase live ranges.
+ performLivenessAnalysis(dfg);
+ performCFA(dfg);
+ }
</ins><span class="cx"> performLICM(dfg);
</span><span class="cx"> performIntegerCheckCombining(dfg);
</span><span class="cx"> performCSE(dfg);
</span><span class="cx">
</span><span class="cx"> // At this point we're not allowed to do any further code motion because our reasoning
</span><span class="cx"> // about code motion assumes that it's OK to insert GC points in random places.
</span><ins>+ dfg.m_fixpointState = FixpointConverged;
</ins><span class="cx">
</span><span class="cx"> performStoreBarrierElision(dfg);
</span><span class="cx"> performLivenessAnalysis(dfg);
</span><span class="lines">@@ -406,8 +416,6 @@
</span><span class="cx"> return false;
</span><span class="cx"> if (!watchpoints.areStillValid())
</span><span class="cx"> return false;
</span><del>- if (!chains.areStillValid())
- return false;
</del><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -477,7 +485,6 @@
</span><span class="cx"> codeBlocks.mark(codeBlock.get());
</span><span class="cx"> codeBlocks.mark(profiledDFGCodeBlock.get());
</span><span class="cx">
</span><del>- chains.visitChildren(visitor);
</del><span class="cx"> weakReferences.visitChildren(visitor);
</span><span class="cx"> writeBarriers.visitChildren(visitor);
</span><span class="cx"> transitions.visitChildren(visitor);
</span><span class="lines">@@ -506,7 +513,6 @@
</span><span class="cx"> inlineCallFrames = nullptr;
</span><span class="cx"> watchpoints = DesiredWatchpoints();
</span><span class="cx"> identifiers = DesiredIdentifiers();
</span><del>- chains = DesiredStructureChains();
</del><span class="cx"> weakReferences = DesiredWeakReferences();
</span><span class="cx"> writeBarriers = DesiredWriteBarriers();
</span><span class="cx"> transitions = DesiredTransitions();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPlanh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -30,7 +30,6 @@
</span><span class="cx"> #include "DFGCompilationKey.h"
</span><span class="cx"> #include "DFGCompilationMode.h"
</span><span class="cx"> #include "DFGDesiredIdentifiers.h"
</span><del>-#include "DFGDesiredStructureChains.h"
</del><span class="cx"> #include "DFGDesiredTransitions.h"
</span><span class="cx"> #include "DFGDesiredWatchpoints.h"
</span><span class="cx"> #include "DFGDesiredWeakReferences.h"
</span><span class="lines">@@ -92,7 +91,6 @@
</span><span class="cx"> RefPtr<InlineCallFrameSet> inlineCallFrames;
</span><span class="cx"> DesiredWatchpoints watchpoints;
</span><span class="cx"> DesiredIdentifiers identifiers;
</span><del>- DesiredStructureChains chains;
</del><span class="cx"> DesiredWeakReferences weakReferences;
</span><span class="cx"> DesiredWriteBarriers writeBarriers;
</span><span class="cx"> DesiredTransitions transitions;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -141,9 +141,8 @@
</span><span class="cx"> bool changed = false;
</span><span class="cx">
</span><span class="cx"> switch (op) {
</span><del>- case JSConstant:
- case WeakJSConstant: {
- SpeculatedType type = speculationFromValue(m_graph.valueOfJSConstant(node));
</del><ins>+ case JSConstant: {
+ SpeculatedType type = speculationFromValue(node->asJSValue());
</ins><span class="cx"> if (type == SpecInt52AsDouble && enableInt52())
</span><span class="cx"> type = SpecInt52;
</span><span class="cx"> changed |= setPrediction(type);
</span><span class="lines">@@ -188,6 +187,8 @@
</span><span class="cx"> case MultiGetByOffset:
</span><span class="cx"> case Call:
</span><span class="cx"> case Construct:
</span><ins>+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> case GetGlobalVar:
</span><span class="cx"> case GetClosureVar: {
</span><span class="cx"> changed |= setPrediction(node->getHeapPrediction());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -111,7 +111,6 @@
</span><span class="cx"> case JSConstant:
</span><span class="cx"> case DoubleConstant:
</span><span class="cx"> case Int52Constant:
</span><del>- case WeakJSConstant:
</del><span class="cx"> case Identity:
</span><span class="cx"> case ToThis:
</span><span class="cx"> case CreateThis:
</span><span class="lines">@@ -260,7 +259,11 @@
</span><span class="cx"> case GetGetter:
</span><span class="cx"> case GetSetter:
</span><span class="cx"> return true;
</span><del>-
</del><ins>+
+ case NativeCall:
+ case NativeConstruct:
+ return false; // TODO: add a check for already checked. https://bugs.webkit.org/show_bug.cgi?id=133769
+
</ins><span class="cx"> case GetByVal:
</span><span class="cx"> case GetIndexedPropertyStorage:
</span><span class="cx"> case GetArrayLength:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -33,6 +33,7 @@
</span><span class="cx"> #include "DFGArrayifySlowPathGenerator.h"
</span><span class="cx"> #include "DFGBinarySwitch.h"
</span><span class="cx"> #include "DFGCallArrayAllocatorSlowPathGenerator.h"
</span><ins>+#include "DFGMayExit.h"
</ins><span class="cx"> #include "DFGSaneStringGetByValSlowPathGenerator.h"
</span><span class="cx"> #include "DFGSlowPathGenerator.h"
</span><span class="cx"> #include "LinkBuffer.h"
</span><span class="lines">@@ -215,6 +216,8 @@
</span><span class="cx"> return;
</span><span class="cx"> speculationCheck(kind, jsValueRegs, node, m_jit.jump());
</span><span class="cx"> m_compileOkay = false;
</span><ins>+ if (verboseCompilationEnabled())
+ dataLog("Bailing compilation.\n");
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void SpeculativeJIT::terminateSpeculativeExecution(ExitKind kind, JSValueRegs jsValueRegs, Edge nodeUse)
</span><span class="lines">@@ -321,7 +324,7 @@
</span><span class="cx"> ASSERT(info.gpr() == source);
</span><span class="cx"> ASSERT(isJSInt32(info.registerFormat()));
</span><span class="cx"> if (node->hasConstant()) {
</span><del>- ASSERT(isInt32Constant(node));
</del><ins>+ ASSERT(node->isInt32Constant());
</ins><span class="cx"> fillAction = SetInt32Constant;
</span><span class="cx"> } else
</span><span class="cx"> fillAction = Load32Payload;
</span><span class="lines">@@ -332,7 +335,7 @@
</span><span class="cx"> #elif USE(JSVALUE32_64)
</span><span class="cx"> ASSERT(info.gpr() == source);
</span><span class="cx"> if (node->hasConstant()) {
</span><del>- ASSERT(isBooleanConstant(node));
</del><ins>+ ASSERT(node->isBooleanConstant());
</ins><span class="cx"> fillAction = SetBooleanConstant;
</span><span class="cx"> } else
</span><span class="cx"> fillAction = Load32Payload;
</span><span class="lines">@@ -340,8 +343,7 @@
</span><span class="cx"> } else if (registerFormat == DataFormatCell) {
</span><span class="cx"> ASSERT(info.gpr() == source);
</span><span class="cx"> if (node->hasConstant()) {
</span><del>- JSValue value = valueOfJSConstant(node);
- ASSERT_UNUSED(value, value.isCell());
</del><ins>+ node->asCell(); // To get the assertion.
</ins><span class="cx"> fillAction = SetCellConstant;
</span><span class="cx"> } else {
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="lines">@@ -384,8 +386,9 @@
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx"> ASSERT(info.gpr() == source);
</span><span class="cx"> if (node->hasConstant()) {
</span><del>- if (valueOfJSConstant(node).isCell())
</del><ins>+ if (node->isCellConstant())
</ins><span class="cx"> fillAction = SetTrustedJSConstant;
</span><ins>+ else
</ins><span class="cx"> fillAction = SetJSConstant;
</span><span class="cx"> } else if (info.spillFormat() == DataFormatInt32) {
</span><span class="cx"> ASSERT(registerFormat == DataFormatJSInt32);
</span><span class="lines">@@ -443,7 +446,7 @@
</span><span class="cx">
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx"> if (node->hasConstant()) {
</span><del>- ASSERT(isNumberConstant(node));
</del><ins>+ node->asNumber(); // To get the assertion.
</ins><span class="cx"> fillAction = SetDoubleConstant;
</span><span class="cx"> } else {
</span><span class="cx"> ASSERT(info.spillFormat() == DataFormatNone || info.spillFormat() == DataFormatDouble);
</span><span class="lines">@@ -452,7 +455,7 @@
</span><span class="cx"> #elif USE(JSVALUE32_64)
</span><span class="cx"> ASSERT(info.registerFormat() == DataFormatDouble);
</span><span class="cx"> if (node->hasConstant()) {
</span><del>- ASSERT(isNumberConstant(node));
</del><ins>+ node->asNumber(); // To get the assertion.
</ins><span class="cx"> fillAction = SetDoubleConstant;
</span><span class="cx"> } else
</span><span class="cx"> fillAction = LoadDouble;
</span><span class="lines">@@ -497,21 +500,21 @@
</span><span class="cx"> case DoNothingForFill:
</span><span class="cx"> break;
</span><span class="cx"> case SetInt32Constant:
</span><del>- m_jit.move(Imm32(valueOfInt32Constant(plan.node())), plan.gpr());
</del><ins>+ m_jit.move(Imm32(plan.node()->asInt32()), plan.gpr());
</ins><span class="cx"> break;
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx"> case SetInt52Constant:
</span><del>- m_jit.move(Imm64(valueOfJSConstant(plan.node()).asMachineInt() << JSValue::int52ShiftAmount), plan.gpr());
</del><ins>+ m_jit.move(Imm64(plan.node()->asMachineInt() << JSValue::int52ShiftAmount), plan.gpr());
</ins><span class="cx"> break;
</span><span class="cx"> case SetStrictInt52Constant:
</span><del>- m_jit.move(Imm64(valueOfJSConstant(plan.node()).asMachineInt()), plan.gpr());
</del><ins>+ m_jit.move(Imm64(plan.node()->asMachineInt()), plan.gpr());
</ins><span class="cx"> break;
</span><span class="cx"> #endif // USE(JSVALUE64)
</span><span class="cx"> case SetBooleanConstant:
</span><del>- m_jit.move(TrustedImm32(valueOfBooleanConstant(plan.node())), plan.gpr());
</del><ins>+ m_jit.move(TrustedImm32(plan.node()->asBoolean()), plan.gpr());
</ins><span class="cx"> break;
</span><span class="cx"> case SetCellConstant:
</span><del>- m_jit.move(TrustedImmPtr(valueOfJSConstant(plan.node()).asCell()), plan.gpr());
</del><ins>+ m_jit.move(TrustedImmPtr(plan.node()->asCell()), plan.gpr());
</ins><span class="cx"> break;
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx"> case SetTrustedJSConstant:
</span><span class="lines">@@ -521,7 +524,7 @@
</span><span class="cx"> m_jit.move(valueOfJSConstantAsImm64(plan.node()), plan.gpr());
</span><span class="cx"> break;
</span><span class="cx"> case SetDoubleConstant:
</span><del>- m_jit.move(Imm64(reinterpretDoubleToInt64(valueOfNumberConstant(plan.node()))), canTrample);
</del><ins>+ m_jit.move(Imm64(reinterpretDoubleToInt64(plan.node()->asNumber())), canTrample);
</ins><span class="cx"> m_jit.move64ToDouble(canTrample, plan.fpr());
</span><span class="cx"> break;
</span><span class="cx"> case Load32PayloadBoxInt:
</span><span class="lines">@@ -539,10 +542,10 @@
</span><span class="cx"> break;
</span><span class="cx"> #else
</span><span class="cx"> case SetJSConstantTag:
</span><del>- m_jit.move(Imm32(valueOfJSConstant(plan.node()).tag()), plan.gpr());
</del><ins>+ m_jit.move(Imm32(plan.node()->asJSValue().tag()), plan.gpr());
</ins><span class="cx"> break;
</span><span class="cx"> case SetJSConstantPayload:
</span><del>- m_jit.move(Imm32(valueOfJSConstant(plan.node()).payload()), plan.gpr());
</del><ins>+ m_jit.move(Imm32(plan.node()->asJSValue().payload()), plan.gpr());
</ins><span class="cx"> break;
</span><span class="cx"> case SetInt32Tag:
</span><span class="cx"> m_jit.move(TrustedImm32(JSValue::Int32Tag), plan.gpr());
</span><span class="lines">@@ -554,7 +557,7 @@
</span><span class="cx"> m_jit.move(TrustedImm32(JSValue::BooleanTag), plan.gpr());
</span><span class="cx"> break;
</span><span class="cx"> case SetDoubleConstant:
</span><del>- m_jit.loadDouble(TrustedImmPtr(addressOfDoubleConstant(plan.node())), plan.fpr());
</del><ins>+ m_jit.loadDouble(TrustedImmPtr(m_jit.addressOfDoubleConstant(plan.node())), plan.fpr());
</ins><span class="cx"> break;
</span><span class="cx"> #endif
</span><span class="cx"> case Load32Tag:
</span><span class="lines">@@ -856,12 +859,9 @@
</span><span class="cx"> {
</span><span class="cx"> SpeculateCellOperand base(this, node->child2());
</span><span class="cx"> GPRReg baseGPR = base.gpr();
</span><del>-
- if (isConstant(node->child1().node())) {
- JSString* string =
- jsDynamicCast<JSString*>(valueOfJSConstant(node->child1().node()));
- if (string && string->tryGetValueImpl()
- && string->tryGetValueImpl()->isAtomic()) {
</del><ins>+
+ if (JSString* string = node->child1()->dynamicCastConstant<JSString*>()) {
+ if (string->tryGetValueImpl() && string->tryGetValueImpl()->isAtomic()) {
</ins><span class="cx"> StructureStubInfo* stubInfo = m_jit.codeBlock()->addStubInfo();
</span><span class="cx">
</span><span class="cx"> GPRTemporary result(this);
</span><span class="lines">@@ -1219,13 +1219,13 @@
</span><span class="cx"> notTaken = tmp;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (isBooleanConstant(node->child1().node())) {
- bool imm = valueOfBooleanConstant(node->child1().node());
</del><ins>+ if (node->child1()->isBooleanConstant()) {
+ bool imm = node->child1()->asBoolean();
</ins><span class="cx"> SpeculateBooleanOperand op2(this, node->child2());
</span><span class="cx"> branch32(condition, JITCompiler::Imm32(static_cast<int32_t>(JSValue::encode(jsBoolean(imm)))), op2.gpr(), taken);
</span><del>- } else if (isBooleanConstant(node->child2().node())) {
</del><ins>+ } else if (node->child2()->isBooleanConstant()) {
</ins><span class="cx"> SpeculateBooleanOperand op1(this, node->child1());
</span><del>- bool imm = valueOfBooleanConstant(node->child2().node());
</del><ins>+ bool imm = node->child2()->asBoolean();
</ins><span class="cx"> branch32(condition, op1.gpr(), JITCompiler::Imm32(static_cast<int32_t>(JSValue::encode(jsBoolean(imm)))), taken);
</span><span class="cx"> } else {
</span><span class="cx"> SpeculateBooleanOperand op1(this, node->child1());
</span><span class="lines">@@ -1250,13 +1250,13 @@
</span><span class="cx"> notTaken = tmp;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (isInt32Constant(node->child1().node())) {
- int32_t imm = valueOfInt32Constant(node->child1().node());
</del><ins>+ if (node->child1()->isInt32Constant()) {
+ int32_t imm = node->child1()->asInt32();
</ins><span class="cx"> SpeculateInt32Operand op2(this, node->child2());
</span><span class="cx"> branch32(condition, JITCompiler::Imm32(imm), op2.gpr(), taken);
</span><del>- } else if (isInt32Constant(node->child2().node())) {
</del><ins>+ } else if (node->child2()->isInt32Constant()) {
</ins><span class="cx"> SpeculateInt32Operand op1(this, node->child1());
</span><del>- int32_t imm = valueOfInt32Constant(node->child2().node());
</del><ins>+ int32_t imm = node->child2()->asInt32();
</ins><span class="cx"> branch32(condition, op1.gpr(), JITCompiler::Imm32(imm), taken);
</span><span class="cx"> } else {
</span><span class="cx"> SpeculateInt32Operand op1(this, node->child1());
</span><span class="lines">@@ -1341,6 +1341,8 @@
</span><span class="cx">
</span><span class="cx"> void SpeculativeJIT::bail(AbortReason reason)
</span><span class="cx"> {
</span><ins>+ if (verboseCompilationEnabled())
+ dataLog("Bailing compilation.\n");
</ins><span class="cx"> m_compileOkay = true;
</span><span class="cx"> m_jit.abortWithReason(reason, m_lastGeneratedNode);
</span><span class="cx"> clearGenerationInfo();
</span><span class="lines">@@ -1357,7 +1359,7 @@
</span><span class="cx">
</span><span class="cx"> m_jit.blockHeads()[m_block->index] = m_jit.label();
</span><span class="cx">
</span><del>- if (!m_block->cfaHasVisited) {
</del><ins>+ if (!m_block->intersectionOfCFAHasVisited) {
</ins><span class="cx"> // Don't generate code for basic blocks that are unreachable according to CFA.
</span><span class="cx"> // But to be sure that nobody has generated a jump to this block, drop in a
</span><span class="cx"> // breakpoint here.
</span><span class="lines">@@ -1404,8 +1406,12 @@
</span><span class="cx"> bail(DFGBailedAtTopOfBlock);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><ins>+
+ if (ASSERT_DISABLED)
+ m_canExit = true; // Essentially disable the assertions.
+ else
+ m_canExit = mayExit(m_jit.graph(), m_currentNode);
</ins><span class="cx">
</span><del>- m_canExit = m_currentNode->canExit();
</del><span class="cx"> bool shouldExecuteEffects = m_interpreter.startExecuting(m_currentNode);
</span><span class="cx"> m_jit.setForNode(m_currentNode);
</span><span class="cx"> m_codeOriginForExitTarget = m_currentNode->origin.forExit;
</span><span class="lines">@@ -1417,11 +1423,6 @@
</span><span class="cx"> m_minifiedGraph->append(MinifiedNode::fromNode(m_currentNode));
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case WeakJSConstant:
- m_jit.addWeakReference(m_currentNode->weakConstant());
- m_minifiedGraph->append(MinifiedNode::fromNode(m_currentNode));
- break;
-
</del><span class="cx"> case SetLocal:
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> break;
</span><span class="lines">@@ -2071,7 +2072,7 @@
</span><span class="cx"> {
</span><span class="cx"> switch (node->child1().useKind()) {
</span><span class="cx"> case NumberUse: {
</span><del>- ASSERT(!isNumberConstant(node->child1().node())); // This should have been constant folded.
</del><ins>+ ASSERT(!node->child1()->isNumberConstant()); // This should have been constant folded.
</ins><span class="cx">
</span><span class="cx"> if (isInt32Speculation(m_state.forNode(node->child1()).m_type)) {
</span><span class="cx"> SpeculateInt32Operand op1(this, node->child1(), ManualOperandSpeculation);
</span><span class="lines">@@ -2268,7 +2269,7 @@
</span><span class="cx"> if (JSArrayBufferView* view = m_jit.graph().tryGetFoldableViewForChild1(node)) {
</span><span class="cx"> uint32_t length = view->length();
</span><span class="cx"> Node* indexNode = m_jit.graph().child(node, 1).node();
</span><del>- if (m_jit.graph().isInt32Constant(indexNode) && static_cast<uint32_t>(m_jit.graph().valueOfInt32Constant(indexNode)) < length)
</del><ins>+ if (indexNode->isInt32Constant() && indexNode->asUInt32() < length)
</ins><span class="cx"> return JITCompiler::Jump();
</span><span class="cx"> return m_jit.branch32(
</span><span class="cx"> MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Imm32(length));
</span><span class="lines">@@ -2364,7 +2365,7 @@
</span><span class="cx"> GPRReg valueGPR = InvalidGPRReg;
</span><span class="cx">
</span><span class="cx"> if (valueUse->isConstant()) {
</span><del>- JSValue jsValue = valueOfJSConstant(valueUse.node());
</del><ins>+ JSValue jsValue = valueUse->asJSValue();
</ins><span class="cx"> if (!jsValue.isNumber()) {
</span><span class="cx"> terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
</span><span class="cx"> noResult(node);
</span><span class="lines">@@ -2652,8 +2653,8 @@
</span><span class="cx"> case Int32Use: {
</span><span class="cx"> ASSERT(!shouldCheckNegativeZero(node->arithMode()));
</span><span class="cx">
</span><del>- if (isInt32Constant(node->child1().node())) {
- int32_t imm1 = valueOfInt32Constant(node->child1().node());
</del><ins>+ if (node->child1()->isInt32Constant()) {
+ int32_t imm1 = node->child1()->asInt32();
</ins><span class="cx"> SpeculateInt32Operand op2(this, node->child2());
</span><span class="cx"> GPRTemporary result(this);
</span><span class="cx">
</span><span class="lines">@@ -2667,9 +2668,9 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (isInt32Constant(node->child2().node())) {
</del><ins>+ if (node->child2()->isInt32Constant()) {
</ins><span class="cx"> SpeculateInt32Operand op1(this, node->child1());
</span><del>- int32_t imm2 = valueOfInt32Constant(node->child2().node());
</del><ins>+ int32_t imm2 = node->child2()->asInt32();
</ins><span class="cx"> GPRTemporary result(this);
</span><span class="cx">
</span><span class="cx"> if (!shouldCheckOverflow(node->arithMode())) {
</span><span class="lines">@@ -2848,9 +2849,9 @@
</span><span class="cx"> case Int32Use: {
</span><span class="cx"> ASSERT(!shouldCheckNegativeZero(node->arithMode()));
</span><span class="cx">
</span><del>- if (isNumberConstant(node->child2().node())) {
</del><ins>+ if (node->child2()->isNumberConstant()) {
</ins><span class="cx"> SpeculateInt32Operand op1(this, node->child1());
</span><del>- int32_t imm2 = valueOfInt32Constant(node->child2().node());
</del><ins>+ int32_t imm2 = node->child2()->asInt32();
</ins><span class="cx"> GPRTemporary result(this);
</span><span class="cx">
</span><span class="cx"> if (!shouldCheckOverflow(node->arithMode())) {
</span><span class="lines">@@ -2865,8 +2866,8 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (isNumberConstant(node->child1().node())) {
- int32_t imm1 = valueOfInt32Constant(node->child1().node());
</del><ins>+ if (node->child1()->isNumberConstant()) {
+ int32_t imm1 = node->child1()->asInt32();
</ins><span class="cx"> SpeculateInt32Operand op2(this, node->child2());
</span><span class="cx"> GPRTemporary result(this);
</span><span class="cx">
</span><span class="lines">@@ -3279,8 +3280,8 @@
</span><span class="cx"> // (in case of |dividend| < |divisor|), so we speculate it as strict int32.
</span><span class="cx"> SpeculateStrictInt32Operand op1(this, node->child1());
</span><span class="cx">
</span><del>- if (isInt32Constant(node->child2().node())) {
- int32_t divisor = valueOfInt32Constant(node->child2().node());
</del><ins>+ if (node->child2()->isInt32Constant()) {
+ int32_t divisor = node->child2()->asInt32();
</ins><span class="cx"> if (divisor > 1 && hasOneBitSet(divisor)) {
</span><span class="cx"> unsigned logarithm = WTF::fastLog2(divisor);
</span><span class="cx"> GPRReg dividendGPR = op1.gpr();
</span><span class="lines">@@ -3341,8 +3342,8 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> #if CPU(X86) || CPU(X86_64)
</span><del>- if (isInt32Constant(node->child2().node())) {
- int32_t divisor = valueOfInt32Constant(node->child2().node());
</del><ins>+ if (node->child2()->isInt32Constant()) {
+ int32_t divisor = node->child2()->asInt32();
</ins><span class="cx"> if (divisor && divisor != -1) {
</span><span class="cx"> GPRReg op1Gpr = op1.gpr();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -556,29 +556,6 @@
</span><span class="cx"> bool isKnownNotNumber(Node* node) { return !(m_state.forNode(node).m_type & SpecFullNumber); }
</span><span class="cx"> bool isKnownNotCell(Node* node) { return !(m_state.forNode(node).m_type & SpecCell); }
</span><span class="cx">
</span><del>- // Checks/accessors for constant values.
- bool isConstant(Node* node) { return m_jit.graph().isConstant(node); }
- bool isJSConstant(Node* node) { return m_jit.graph().isJSConstant(node); }
- bool isInt32Constant(Node* node) { return m_jit.graph().isInt32Constant(node); }
- bool isDoubleConstant(Node* node) { return m_jit.graph().isDoubleConstant(node); }
- bool isNumberConstant(Node* node) { return m_jit.graph().isNumberConstant(node); }
- bool isBooleanConstant(Node* node) { return m_jit.graph().isBooleanConstant(node); }
- bool isFunctionConstant(Node* node) { return m_jit.graph().isFunctionConstant(node); }
- int32_t valueOfInt32Constant(Node* node) { return m_jit.graph().valueOfInt32Constant(node); }
- double valueOfNumberConstant(Node* node) { return m_jit.graph().valueOfNumberConstant(node); }
-#if USE(JSVALUE32_64)
- void* addressOfDoubleConstant(Node* node) { return m_jit.addressOfDoubleConstant(node); }
-#endif
- JSValue valueOfJSConstant(Node* node) { return m_jit.graph().valueOfJSConstant(node); }
- bool valueOfBooleanConstant(Node* node) { return m_jit.graph().valueOfBooleanConstant(node); }
- JSFunction* valueOfFunctionConstant(Node* node) { return m_jit.graph().valueOfFunctionConstant(node); }
- bool isNullConstant(Node* node)
- {
- if (!isConstant(node))
- return false;
- return valueOfJSConstant(node).isNull();
- }
-
</del><span class="cx"> StringImpl* identifierUID(unsigned index)
</span><span class="cx"> {
</span><span class="cx"> return m_jit.graph().identifiers()[index];
</span><span class="lines">@@ -619,9 +596,9 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> #if USE(JSVALUE64)
</span><del>- MacroAssembler::Imm64 valueOfJSConstantAsImm64(Node* node)
</del><ins>+ static MacroAssembler::Imm64 valueOfJSConstantAsImm64(Node* node)
</ins><span class="cx"> {
</span><del>- return MacroAssembler::Imm64(JSValue::encode(valueOfJSConstant(node)));
</del><ins>+ return MacroAssembler::Imm64(JSValue::encode(node->asJSValue()));
</ins><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="lines">@@ -957,7 +934,7 @@
</span><span class="cx"> }
</span><span class="cx"> void initConstantInfo(Node* node)
</span><span class="cx"> {
</span><del>- ASSERT(isInt32Constant(node) || isNumberConstant(node) || isJSConstant(node));
</del><ins>+ ASSERT(node->hasConstant());
</ins><span class="cx"> generationInfo(node).initConstant(node, node->refCount());
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1993,17 +1970,6 @@
</span><span class="cx">
</span><span class="cx"> void dump(const char* label = 0);
</span><span class="cx">
</span><del>- bool isInteger(Node* node)
- {
- if (node->hasInt32Result())
- return true;
-
- if (isInt32Constant(node))
- return true;
-
- return generationInfo(node).isJSInt32();
- }
-
</del><span class="cx"> bool betterUseStrictInt52(Node* node)
</span><span class="cx"> {
</span><span class="cx"> return !generationInfo(node).isInt52();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -58,11 +58,12 @@
</span><span class="cx"> if (edge->hasConstant()) {
</span><span class="cx"> tagGPR = allocate();
</span><span class="cx"> payloadGPR = allocate();
</span><del>- m_jit.move(Imm32(valueOfJSConstant(edge.node()).tag()), tagGPR);
- m_jit.move(Imm32(valueOfJSConstant(edge.node()).payload()), payloadGPR);
</del><ins>+ JSValue value = edge->asJSValue();
+ m_jit.move(Imm32(value.tag()), tagGPR);
+ m_jit.move(Imm32(value.payload()), payloadGPR);
</ins><span class="cx"> m_gprs.retain(tagGPR, virtualRegister, SpillOrderConstant);
</span><span class="cx"> m_gprs.retain(payloadGPR, virtualRegister, SpillOrderConstant);
</span><del>- info.fillJSValue(*m_stream, tagGPR, payloadGPR, isInt32Constant(edge.node()) ? DataFormatJSInt32 : DataFormatJS);
</del><ins>+ info.fillJSValue(*m_stream, tagGPR, payloadGPR, DataFormatJS);
</ins><span class="cx"> } else {
</span><span class="cx"> DataFormat spillFormat = info.spillFormat();
</span><span class="cx"> ASSERT(spillFormat != DataFormatNone && spillFormat != DataFormatStorage);
</span><span class="lines">@@ -638,14 +639,15 @@
</span><span class="cx">
</span><span class="cx"> void SpeculativeJIT::emitCall(Node* node)
</span><span class="cx"> {
</span><del>- if (node->op() != Call)
</del><ins>+ bool isCall = node->op() == Call;
+ if (!isCall)
</ins><span class="cx"> ASSERT(node->op() == Construct);
</span><span class="cx">
</span><span class="cx"> // For constructors, the this argument is not passed but we have to make space
</span><span class="cx"> // for it.
</span><del>- int dummyThisArgument = node->op() == Call ? 0 : 1;
</del><ins>+ int dummyThisArgument = isCall ? 0 : 1;
</ins><span class="cx">
</span><del>- CallLinkInfo::CallType callType = node->op() == Call ? CallLinkInfo::Call : CallLinkInfo::Construct;
</del><ins>+ CallLinkInfo::CallType callType = isCall ? CallLinkInfo::Call : CallLinkInfo::Construct;
</ins><span class="cx">
</span><span class="cx"> Edge calleeEdge = m_jit.graph().m_varArgChildren[node->firstChild()];
</span><span class="cx"> JSValueOperand callee(this, calleeEdge);
</span><span class="lines">@@ -736,7 +738,7 @@
</span><span class="cx"> VirtualRegister virtualRegister = edge->virtualRegister();
</span><span class="cx"> GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
</span><span class="cx">
</span><del>- if (edge->hasConstant() && !isInt32Constant(edge.node())) {
</del><ins>+ if (edge->hasConstant() && !edge->isInt32Constant()) {
</ins><span class="cx"> terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
</span><span class="cx"> returnFormat = DataFormatInt32;
</span><span class="cx"> return allocate();
</span><span class="lines">@@ -745,9 +747,9 @@
</span><span class="cx"> switch (info.registerFormat()) {
</span><span class="cx"> case DataFormatNone: {
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- ASSERT(isInt32Constant(edge.node()));
</del><ins>+ ASSERT(edge->isInt32Constant());
</ins><span class="cx"> GPRReg gpr = allocate();
</span><del>- m_jit.move(MacroAssembler::Imm32(valueOfInt32Constant(edge.node())), gpr);
</del><ins>+ m_jit.move(MacroAssembler::Imm32(edge->asInt32()), gpr);
</ins><span class="cx"> m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
</span><span class="cx"> info.fillInt32(*m_stream, gpr);
</span><span class="cx"> returnFormat = DataFormatInt32;
</span><span class="lines">@@ -835,9 +837,9 @@
</span><span class="cx"> if (info.registerFormat() == DataFormatNone) {
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- RELEASE_ASSERT(isNumberConstant(edge.node()));
</del><ins>+ RELEASE_ASSERT(edge->isNumberConstant());
</ins><span class="cx"> FPRReg fpr = fprAllocate();
</span><del>- m_jit.loadDouble(TrustedImmPtr(addressOfDoubleConstant(edge.node())), fpr);
</del><ins>+ m_jit.loadDouble(TrustedImmPtr(m_jit.addressOfDoubleConstant(edge.node())), fpr);
</ins><span class="cx"> m_fprs.retain(fpr, virtualRegister, SpillOrderConstant);
</span><span class="cx"> info.fillDouble(*m_stream, fpr);
</span><span class="cx"> return fpr;
</span><span class="lines">@@ -874,7 +876,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- JSValue jsValue = valueOfJSConstant(edge.node());
</del><ins>+ JSValue jsValue = edge->asJSValue();
</ins><span class="cx"> GPRReg gpr = allocate();
</span><span class="cx"> if (jsValue.isCell()) {
</span><span class="cx"> m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
</span><span class="lines">@@ -963,7 +965,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- JSValue jsValue = valueOfJSConstant(edge.node());
</del><ins>+ JSValue jsValue = edge->asJSValue();
</ins><span class="cx"> GPRReg gpr = allocate();
</span><span class="cx"> if (jsValue.isBoolean()) {
</span><span class="cx"> m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
</span><span class="lines">@@ -1683,11 +1685,6 @@
</span><span class="cx"> initConstantInfo(node);
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case WeakJSConstant:
- m_jit.addWeakReference(node->weakConstant());
- initConstantInfo(node);
- break;
-
</del><span class="cx"> case Identity: {
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> break;
</span><span class="lines">@@ -1699,9 +1696,7 @@
</span><span class="cx"> // If the CFA is tracking this variable and it found that the variable
</span><span class="cx"> // cannot have been assigned, then don't attempt to proceed.
</span><span class="cx"> if (value.isClear()) {
</span><del>- // FIXME: We should trap instead.
- // https://bugs.webkit.org/show_bug.cgi?id=110383
- terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
</del><ins>+ m_compileOkay = false;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1856,18 +1851,18 @@
</span><span class="cx"> case BitAnd:
</span><span class="cx"> case BitOr:
</span><span class="cx"> case BitXor:
</span><del>- if (isInt32Constant(node->child1().node())) {
</del><ins>+ if (node->child1()->isInt32Constant()) {
</ins><span class="cx"> SpeculateInt32Operand op2(this, node->child2());
</span><span class="cx"> GPRTemporary result(this, Reuse, op2);
</span><span class="cx">
</span><del>- bitOp(op, valueOfInt32Constant(node->child1().node()), op2.gpr(), result.gpr());
</del><ins>+ bitOp(op, node->child1()->asInt32(), op2.gpr(), result.gpr());
</ins><span class="cx">
</span><span class="cx"> int32Result(result.gpr(), node);
</span><del>- } else if (isInt32Constant(node->child2().node())) {
</del><ins>+ } else if (node->child2()->isInt32Constant()) {
</ins><span class="cx"> SpeculateInt32Operand op1(this, node->child1());
</span><span class="cx"> GPRTemporary result(this, Reuse, op1);
</span><span class="cx">
</span><del>- bitOp(op, valueOfInt32Constant(node->child2().node()), op1.gpr(), result.gpr());
</del><ins>+ bitOp(op, node->child2()->asInt32(), op1.gpr(), result.gpr());
</ins><span class="cx">
</span><span class="cx"> int32Result(result.gpr(), node);
</span><span class="cx"> } else {
</span><span class="lines">@@ -1886,11 +1881,11 @@
</span><span class="cx"> case BitRShift:
</span><span class="cx"> case BitLShift:
</span><span class="cx"> case BitURShift:
</span><del>- if (isInt32Constant(node->child2().node())) {
</del><ins>+ if (node->child2()->isInt32Constant()) {
</ins><span class="cx"> SpeculateInt32Operand op1(this, node->child1());
</span><span class="cx"> GPRTemporary result(this, Reuse, op1);
</span><span class="cx">
</span><del>- shiftOp(op, op1.gpr(), valueOfInt32Constant(node->child2().node()) & 0x1f, result.gpr());
</del><ins>+ shiftOp(op, op1.gpr(), node->child2()->asInt32() & 0x1f, result.gpr());
</ins><span class="cx">
</span><span class="cx"> int32Result(result.gpr(), node);
</span><span class="cx"> } else {
</span><span class="lines">@@ -2158,7 +2153,7 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CompareEqConstant:
</span><del>- ASSERT(isNullConstant(node->child2().node()));
</del><ins>+ ASSERT(node->child2()->asJSValue().isNull());
</ins><span class="cx"> if (nonSpeculativeCompareNull(node, node->child1()))
</span><span class="cx"> return;
</span><span class="cx"> break;
</span><span class="lines">@@ -3693,7 +3688,7 @@
</span><span class="cx">
</span><span class="cx"> case CheckFunction: {
</span><span class="cx"> SpeculateCellOperand function(this, node->child1());
</span><del>- speculationCheck(BadFunction, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, function.gpr(), node->function()));
</del><ins>+ speculationCheck(BadFunction, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, function.gpr(), node->function()->value().asCell()));
</ins><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -4644,7 +4639,8 @@
</span><span class="cx"> // This is a no-op.
</span><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><del>-
</del><ins>+
+
</ins><span class="cx"> case Unreachable:
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> break;
</span><span class="lines">@@ -4664,6 +4660,8 @@
</span><span class="cx"> case ArithIMul:
</span><span class="cx"> case MultiGetByOffset:
</span><span class="cx"> case MultiPutByOffset:
</span><ins>+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -80,21 +80,9 @@
</span><span class="cx"> GPRReg gpr = allocate();
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- if (isInt32Constant(edge.node())) {
- info.fillJSValue(*m_stream, gpr, DataFormatJSInt32);
- JSValue jsValue = jsNumber(valueOfInt32Constant(edge.node()));
- m_jit.move(MacroAssembler::Imm64(JSValue::encode(jsValue)), gpr);
- } else if (isNumberConstant(edge.node())) {
- info.fillJSValue(*m_stream, gpr, DataFormatJSDouble);
- JSValue jsValue(JSValue::EncodeAsDouble, valueOfNumberConstant(edge.node()));
- m_jit.move(MacroAssembler::Imm64(JSValue::encode(jsValue)), gpr);
- } else {
- ASSERT(isJSConstant(edge.node()));
- JSValue jsValue = valueOfJSConstant(edge.node());
- m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
- info.fillJSValue(*m_stream, gpr, DataFormatJS);
- }
-
</del><ins>+ JSValue jsValue = edge->asJSValue();
+ m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
+ info.fillJSValue(*m_stream, gpr, DataFormatJS);
</ins><span class="cx"> m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
</span><span class="cx"> } else {
</span><span class="cx"> DataFormat spillFormat = info.spillFormat();
</span><span class="lines">@@ -637,14 +625,16 @@
</span><span class="cx">
</span><span class="cx"> void SpeculativeJIT::emitCall(Node* node)
</span><span class="cx"> {
</span><del>- if (node->op() != Call)
</del><ins>+
+ bool isCall = node->op() == Call;
+ if (!isCall)
</ins><span class="cx"> RELEASE_ASSERT(node->op() == Construct);
</span><span class="cx">
</span><span class="cx"> // For constructors, the this argument is not passed but we have to make space
</span><span class="cx"> // for it.
</span><del>- int dummyThisArgument = node->op() == Call ? 0 : 1;
</del><ins>+ int dummyThisArgument = isCall ? 0 : 1;
</ins><span class="cx">
</span><del>- CallLinkInfo::CallType callType = node->op() == Call ? CallLinkInfo::Call : CallLinkInfo::Construct;
</del><ins>+ CallLinkInfo::CallType callType = isCall ? CallLinkInfo::Call : CallLinkInfo::Construct;
</ins><span class="cx">
</span><span class="cx"> Edge calleeEdge = m_jit.graph().m_varArgChildren[node->firstChild()];
</span><span class="cx"> JSValueOperand callee(this, calleeEdge);
</span><span class="lines">@@ -726,7 +716,7 @@
</span><span class="cx"> VirtualRegister virtualRegister = edge->virtualRegister();
</span><span class="cx"> GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
</span><span class="cx">
</span><del>- if (edge->hasConstant() && !isInt32Constant(edge.node())) {
</del><ins>+ if (edge->hasConstant() && !edge->isInt32Constant()) {
</ins><span class="cx"> // Protect the silent spill/fill logic by failing early. If we "speculate" on
</span><span class="cx"> // the constant then the silent filler may think that we have an int32 and a
</span><span class="cx"> // constant, so it will try to fill this as an int32 constant. Bad things will
</span><span class="lines">@@ -742,8 +732,8 @@
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><span class="cx"> m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
</span><del>- ASSERT(isInt32Constant(edge.node()));
- m_jit.move(MacroAssembler::Imm32(valueOfInt32Constant(edge.node())), gpr);
</del><ins>+ ASSERT(edge->isInt32Constant());
+ m_jit.move(MacroAssembler::Imm32(edge->asInt32()), gpr);
</ins><span class="cx"> info.fillInt32(*m_stream, gpr);
</span><span class="cx"> returnFormat = DataFormatInt32;
</span><span class="cx"> return gpr;
</span><span class="lines">@@ -878,7 +868,7 @@
</span><span class="cx">
</span><span class="cx"> switch (info.registerFormat()) {
</span><span class="cx"> case DataFormatNone: {
</span><del>- if ((edge->hasConstant() && !valueOfJSConstant(edge.node()).isMachineInt())) {
</del><ins>+ if (edge->hasConstant() && !edge->isMachineIntConstant()) {
</ins><span class="cx"> terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
</span><span class="cx"> return allocate();
</span><span class="cx"> }
</span><span class="lines">@@ -886,7 +876,7 @@
</span><span class="cx"> GPRReg gpr = allocate();
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- JSValue jsValue = valueOfJSConstant(edge.node());
</del><ins>+ JSValue jsValue = edge->asJSValue();
</ins><span class="cx"> ASSERT(jsValue.isMachineInt());
</span><span class="cx"> m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
</span><span class="cx"> int64_t value = jsValue.asMachineInt();
</span><span class="lines">@@ -967,9 +957,9 @@
</span><span class="cx"> if (edge->hasConstant()) {
</span><span class="cx"> GPRReg gpr = allocate();
</span><span class="cx">
</span><del>- if (isNumberConstant(edge.node())) {
</del><ins>+ if (edge->isNumberConstant()) {
</ins><span class="cx"> FPRReg fpr = fprAllocate();
</span><del>- m_jit.move(MacroAssembler::Imm64(reinterpretDoubleToInt64(valueOfNumberConstant(edge.node()))), gpr);
</del><ins>+ m_jit.move(MacroAssembler::Imm64(reinterpretDoubleToInt64(edge->asNumber())), gpr);
</ins><span class="cx"> m_jit.move64ToDouble(gpr, fpr);
</span><span class="cx"> unlock(gpr);
</span><span class="cx">
</span><span class="lines">@@ -1010,7 +1000,7 @@
</span><span class="cx"> GPRReg gpr = allocate();
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- JSValue jsValue = valueOfJSConstant(edge.node());
</del><ins>+ JSValue jsValue = edge->asJSValue();
</ins><span class="cx"> if (jsValue.isCell()) {
</span><span class="cx"> m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
</span><span class="cx"> m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
</span><span class="lines">@@ -1096,7 +1086,7 @@
</span><span class="cx"> GPRReg gpr = allocate();
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- JSValue jsValue = valueOfJSConstant(edge.node());
</del><ins>+ JSValue jsValue = edge->asJSValue();
</ins><span class="cx"> if (jsValue.isBoolean()) {
</span><span class="cx"> m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
</span><span class="cx"> m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
</span><span class="lines">@@ -1796,11 +1786,6 @@
</span><span class="cx"> initConstantInfo(node);
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case WeakJSConstant:
- m_jit.addWeakReference(node->weakConstant());
- initConstantInfo(node);
- break;
-
</del><span class="cx"> case Identity: {
</span><span class="cx"> // CSE should always eliminate this.
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="lines">@@ -1813,9 +1798,7 @@
</span><span class="cx"> // If the CFA is tracking this variable and it found that the variable
</span><span class="cx"> // cannot have been assigned, then don't attempt to proceed.
</span><span class="cx"> if (value.isClear()) {
</span><del>- // FIXME: We should trap instead.
- // https://bugs.webkit.org/show_bug.cgi?id=110383
- terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
</del><ins>+ m_compileOkay = false;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1964,18 +1947,18 @@
</span><span class="cx"> case BitAnd:
</span><span class="cx"> case BitOr:
</span><span class="cx"> case BitXor:
</span><del>- if (isInt32Constant(node->child1().node())) {
</del><ins>+ if (node->child1()->isInt32Constant()) {
</ins><span class="cx"> SpeculateInt32Operand op2(this, node->child2());
</span><span class="cx"> GPRTemporary result(this, Reuse, op2);
</span><span class="cx">
</span><del>- bitOp(op, valueOfInt32Constant(node->child1().node()), op2.gpr(), result.gpr());
</del><ins>+ bitOp(op, node->child1()->asInt32(), op2.gpr(), result.gpr());
</ins><span class="cx">
</span><span class="cx"> int32Result(result.gpr(), node);
</span><del>- } else if (isInt32Constant(node->child2().node())) {
</del><ins>+ } else if (node->child2()->isInt32Constant()) {
</ins><span class="cx"> SpeculateInt32Operand op1(this, node->child1());
</span><span class="cx"> GPRTemporary result(this, Reuse, op1);
</span><span class="cx">
</span><del>- bitOp(op, valueOfInt32Constant(node->child2().node()), op1.gpr(), result.gpr());
</del><ins>+ bitOp(op, node->child2()->asInt32(), op1.gpr(), result.gpr());
</ins><span class="cx">
</span><span class="cx"> int32Result(result.gpr(), node);
</span><span class="cx"> } else {
</span><span class="lines">@@ -1994,11 +1977,11 @@
</span><span class="cx"> case BitRShift:
</span><span class="cx"> case BitLShift:
</span><span class="cx"> case BitURShift:
</span><del>- if (isInt32Constant(node->child2().node())) {
</del><ins>+ if (node->child2()->isInt32Constant()) {
</ins><span class="cx"> SpeculateInt32Operand op1(this, node->child1());
</span><span class="cx"> GPRTemporary result(this, Reuse, op1);
</span><span class="cx">
</span><del>- shiftOp(op, op1.gpr(), valueOfInt32Constant(node->child2().node()) & 0x1f, result.gpr());
</del><ins>+ shiftOp(op, op1.gpr(), node->child2()->asInt32() & 0x1f, result.gpr());
</ins><span class="cx">
</span><span class="cx"> int32Result(result.gpr(), node);
</span><span class="cx"> } else {
</span><span class="lines">@@ -2307,7 +2290,7 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CompareEqConstant:
</span><del>- ASSERT(isNullConstant(node->child2().node()));
</del><ins>+ ASSERT(node->child2()->asJSValue().isNull());
</ins><span class="cx"> if (nonSpeculativeCompareNull(node, node->child1()))
</span><span class="cx"> return;
</span><span class="cx"> break;
</span><span class="lines">@@ -3804,7 +3787,7 @@
</span><span class="cx">
</span><span class="cx"> case CheckFunction: {
</span><span class="cx"> SpeculateCellOperand function(this, node->child1());
</span><del>- speculationCheck(BadFunction, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, function.gpr(), node->function()));
</del><ins>+ speculationCheck(BadFunction, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, function.gpr(), node->function()->value().asCell()));
</ins><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -3822,8 +3805,8 @@
</span><span class="cx"> ASSERT(node->structureSet().size());
</span><span class="cx">
</span><span class="cx"> ExitKind exitKind;
</span><del>- if (node->child1()->op() == WeakJSConstant)
- exitKind = BadWeakConstantCache;
</del><ins>+ if (node->child1()->hasConstant())
+ exitKind = BadConstantCache;
</ins><span class="cx"> else
</span><span class="cx"> exitKind = BadCache;
</span><span class="cx">
</span><span class="lines">@@ -4757,7 +4740,9 @@
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> break;
</span><span class="cx"> #endif // ENABLE(FTL_JIT)
</span><del>-
</del><ins>+
+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> case LastNodeType:
</span><span class="cx"> case Phi:
</span><span class="cx"> case Upsilon:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGStrengthReductionPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -72,12 +72,9 @@
</span><span class="cx"> case BitOr:
</span><span class="cx"> handleCommutativity();
</span><span class="cx">
</span><del>- if (m_node->child2()->isConstant()) {
- JSValue op2 = m_graph.valueOfJSConstant(m_node->child2().node());
- if (op2.isInt32() && !op2.asInt32()) {
- convertToIdentityOverChild1();
- break;
- }
</del><ins>+ if (m_node->child2()->isInt32Constant() && !m_node->child2()->asInt32()) {
+ convertToIdentityOverChild1();
+ break;
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -89,39 +86,29 @@
</span><span class="cx"> case BitLShift:
</span><span class="cx"> case BitRShift:
</span><span class="cx"> case BitURShift:
</span><del>- if (m_node->child2()->isConstant()) {
- JSValue op2 = m_graph.valueOfJSConstant(m_node->child2().node());
- if (op2.isInt32() && !(op2.asInt32() & 0x1f)) {
- convertToIdentityOverChild1();
- break;
- }
</del><ins>+ if (m_node->child2()->isInt32Constant() && !(m_node->child2()->asInt32() & 0x1f)) {
+ convertToIdentityOverChild1();
+ break;
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case UInt32ToNumber:
</span><span class="cx"> if (m_node->child1()->op() == BitURShift
</span><del>- && m_node->child1()->child2()->isConstant()) {
- JSValue shiftAmount = m_graph.valueOfJSConstant(
- m_node->child1()->child2().node());
- if (shiftAmount.isInt32() && (shiftAmount.asInt32() & 0x1f)
- && m_node->arithMode() != Arith::DoOverflow) {
- m_node->convertToIdentity();
- m_changed = true;
- break;
- }
</del><ins>+ && m_node->child1()->child2()->isInt32Constant()
+ && (m_node->child1()->child2()->asInt32() & 0x1f)
+ && m_node->arithMode() != Arith::DoOverflow) {
+ m_node->convertToIdentity();
+ m_changed = true;
+ break;
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case ArithAdd:
</span><span class="cx"> handleCommutativity();
</span><span class="cx">
</span><del>- if (m_graph.isInt32Constant(m_node->child2().node())) {
- int32_t value = m_graph.valueOfInt32Constant(
- m_node->child2().node());
- if (!value) {
- convertToIdentityOverChild1();
- break;
- }
</del><ins>+ if (m_node->child2()->isInt32Constant() && !m_node->child2()->asInt32()) {
+ convertToIdentityOverChild1();
+ break;
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -130,9 +117,9 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case ArithSub:
</span><del>- if (m_graph.isInt32Constant(m_node->child2().node())
</del><ins>+ if (m_node->child2()->isInt32Constant()
</ins><span class="cx"> && m_node->isBinaryUseKind(Int32Use)) {
</span><del>- int32_t value = m_graph.valueOfInt32Constant(m_node->child2().node());
</del><ins>+ int32_t value = m_node->child2()->asInt32();
</ins><span class="cx"> if (-value != value) {
</span><span class="cx"> m_node->setOp(ArithAdd);
</span><span class="cx"> m_node->child2().setNode(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGValidatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx">
</span><span class="cx"> #include "CodeBlockWithJITType.h"
</span><ins>+#include "DFGMayExit.h"
</ins><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include <wtf/Assertions.h>
</span><span class="cx"> #include <wtf/BitVector.h>
</span><span class="lines">@@ -197,13 +198,41 @@
</span><span class="cx"> for (size_t i = 0; i < block->size(); ++i) {
</span><span class="cx"> Node* node = block->at(i);
</span><span class="cx">
</span><del>- if (node->hasStructure())
- VALIDATE((node), !!node->structure());
-
</del><ins>+ VALIDATE((node), !mayExit(m_graph, node) || node->origin.forExit.isSet());
+ VALIDATE((node), !node->hasStructure() || !!node->structure());
+ VALIDATE((node), !node->hasFunction() || node->function()->value().isFunction());
+
+ if (!(node->flags() & NodeHasVarArgs)) {
+ if (!node->child2())
+ VALIDATE((node), !node->child3());
+ if (!node->child1())
+ VALIDATE((node), !node->child2());
+ }
+
</ins><span class="cx"> switch (node->op()) {
</span><span class="cx"> case Identity:
</span><span class="cx"> VALIDATE((node), canonicalResultRepresentation(node->result()) == canonicalResultRepresentation(node->child1()->result()));
</span><span class="cx"> break;
</span><ins>+ case MakeRope:
+ case ValueAdd:
+ case ArithAdd:
+ case ArithSub:
+ case ArithMul:
+ case ArithIMul:
+ case ArithDiv:
+ case ArithMod:
+ case ArithMin:
+ case ArithMax:
+ case CompareLess:
+ case CompareLessEq:
+ case CompareGreater:
+ case CompareGreaterEq:
+ case CompareEq:
+ case CompareEqConstant:
+ case CompareStrictEq:
+ VALIDATE((node), !!node->child1());
+ VALIDATE((node), !!node->child2());
+ break;
</ins><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -427,18 +456,18 @@
</span><span class="cx"> continue;
</span><span class="cx">
</span><span class="cx"> unsigned nodeIndex = 0;
</span><del>- for (; nodeIndex < block->size() && !block->at(nodeIndex)->origin.isSet(); nodeIndex++) { }
</del><ins>+ for (; nodeIndex < block->size() && !block->at(nodeIndex)->origin.forExit.isSet(); nodeIndex++) { }
</ins><span class="cx">
</span><span class="cx"> VALIDATE((block), nodeIndex < block->size());
</span><span class="cx">
</span><span class="cx"> for (; nodeIndex < block->size(); nodeIndex++)
</span><del>- VALIDATE((block->at(nodeIndex)), block->at(nodeIndex)->origin.isSet());
</del><ins>+ VALIDATE((block->at(nodeIndex)), block->at(nodeIndex)->origin.forExit.isSet());
</ins><span class="cx">
</span><span class="cx"> for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
</span><span class="cx"> Node* node = block->at(nodeIndex);
</span><span class="cx"> switch (node->op()) {
</span><span class="cx"> case Phi:
</span><del>- VALIDATE((node), !node->origin.isSet());
</del><ins>+ VALIDATE((node), !node->origin.forExit.isSet());
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> default:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGValueStrengthcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGValueStrength.cpp (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGValueStrength.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGValueStrength.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,54 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGValueStrength.h"
+
+#if ENABLE(DFG_JIT)
+
+namespace WTF {
+
+using namespace JSC::DFG;
+
+void printInternal(PrintStream& out, ValueStrength strength)
+{
+ switch (strength) {
+ case FragileValue:
+ out.print("Fragile");
+ return;
+ case WeakValue:
+ out.print("Weak");
+ return;
+ case StrongValue:
+ out.print("Strong");
+ return;
+ }
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+} // namespace WTF
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGValueStrengthh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGValueStrength.h (0 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGValueStrength.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGValueStrength.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -0,0 +1,78 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGValueStrength_h
+#define DFGValueStrength_h
+
+#if ENABLE(DFG_JIT)
+
+#include <wtf/PrintStream.h>
+
+namespace JSC { namespace DFG {
+
+enum ValueStrength {
+ // The value is known to the DFG but no optimizations have been performed that require the
+ // value to be kept alive. All OSR entry values are fragile until we do some optimization that
+ // uses them, like actually constant folding a variable to that value. By convention we say
+ // that all non-cells are fragile.
+ FragileValue,
+
+ // The value has been used for optimization and it arose through inference. We don't want the
+ // fact that we optimized the code to result in the GC keeping this value alive unnecessarily,
+ // so we'd rather kill the code and recompile than keep the object alive longer.
+ WeakValue,
+
+ // The code will keep this value alive. This is true of constants that were present in the
+ // source. String constants tend to be strong.
+ StrongValue
+};
+
+inline ValueStrength merge(ValueStrength a, ValueStrength b)
+{
+ switch (a) {
+ case FragileValue:
+ return b;
+ case WeakValue:
+ if (b == StrongValue)
+ return StrongValue;
+ return WeakValue;
+ case StrongValue:
+ return StrongValue;
+ }
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+} } // namespace JSC::DFG
+
+namespace WTF {
+
+void printInternal(PrintStream&, JSC::DFG::ValueStrength);
+
+} // namespace WTF
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGValueStrength_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGVariableEventStreamcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGVariableEventStream.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGVariableEventStream.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGVariableEventStream.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -81,23 +81,16 @@
</span><span class="cx">
</span><span class="cx"> } // namespace
</span><span class="cx">
</span><del>-bool VariableEventStream::tryToSetConstantRecovery(ValueRecovery& recovery, CodeBlock* codeBlock, MinifiedNode* node) const
</del><ins>+bool VariableEventStream::tryToSetConstantRecovery(ValueRecovery& recovery, MinifiedNode* node) const
</ins><span class="cx"> {
</span><span class="cx"> if (!node)
</span><span class="cx"> return false;
</span><span class="cx">
</span><del>- if (node->hasConstantNumber()) {
- recovery = ValueRecovery::constant(
- codeBlock->constantRegister(
- FirstConstantRegisterIndex + node->constantNumber()).get());
</del><ins>+ if (node->hasConstant()) {
+ recovery = ValueRecovery::constant(node->constant());
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (node->hasWeakConstant()) {
- recovery = ValueRecovery::constant(node->weakConstant());
- return true;
- }
-
</del><span class="cx"> if (node->op() == PhantomArguments) {
</span><span class="cx"> recovery = ValueRecovery::argumentsThatWereNotCreated();
</span><span class="cx"> return true;
</span><span class="lines">@@ -187,7 +180,7 @@
</span><span class="cx">
</span><span class="cx"> ASSERT(source.kind() == HaveNode);
</span><span class="cx"> MinifiedNode* node = graph.at(source.id());
</span><del>- if (tryToSetConstantRecovery(valueRecoveries[i], codeBlock, node))
</del><ins>+ if (tryToSetConstantRecovery(valueRecoveries[i], node))
</ins><span class="cx"> continue;
</span><span class="cx">
</span><span class="cx"> MinifiedGenerationInfo info = generationInfos.get(source.id());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGVariableEventStreamh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGVariableEventStream.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGVariableEventStream.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGVariableEventStream.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -48,7 +48,7 @@
</span><span class="cx"> unsigned index, Operands<ValueRecovery>&) const;
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- bool tryToSetConstantRecovery(ValueRecovery&, CodeBlock*, MinifiedNode*) const;
</del><ins>+ bool tryToSetConstantRecovery(ValueRecovery&, MinifiedNode*) const;
</ins><span class="cx">
</span><span class="cx"> void logEvent(const VariableEvent&);
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGWatchableStructureWatchingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -47,9 +47,12 @@
</span><span class="cx"> // These are pretty dumb, but needed to placate subsequent assertions. We con't actually
</span><span class="cx"> // have to watch these because there is no way to transition away from it, but they are
</span><span class="cx"> // watchable and so we will assert if they aren't watched.
</span><del>- tryWatch(m_graph.m_vm.stringStructure.get());
</del><ins>+ tryWatch(m_graph.m_vm.stringStructure.get());
</ins><span class="cx"> tryWatch(m_graph.m_vm.getterSetterStructure.get());
</span><span class="cx">
</span><ins>+ for (FrozenValue* value : m_graph.m_frozenValues)
+ tryWatch(value->structure());
+
</ins><span class="cx"> for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
</span><span class="cx"> BasicBlock* block = m_graph.block(blockIndex);
</span><span class="cx"> if (!block)
</span><span class="lines">@@ -59,17 +62,8 @@
</span><span class="cx"> Node* node = block->at(nodeIndex);
</span><span class="cx">
</span><span class="cx"> switch (node->op()) {
</span><del>- case JSConstant:
- case WeakJSConstant:
- tryWatch(m_graph.valueOfJSConstant(node));
- break;
-
- case CheckFunction:
- tryWatch(node->function());
- break;
-
</del><span class="cx"> case CheckExecutable:
</span><del>- tryWatch(node->executable());
</del><ins>+ tryWatch(node->executable()->structure());
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CheckStructure:
</span><span class="lines">@@ -93,7 +87,7 @@
</span><span class="cx"> case MultiGetByOffset:
</span><span class="cx"> for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;) {
</span><span class="cx"> GetByIdVariant& variant = node->multiGetByOffsetData().variants[i];
</span><del>- tryWatch(variant.specificValue());
</del><ins>+ tryWatch(m_graph.freeze(variant.specificValue())->structure());
</ins><span class="cx"> tryWatch(variant.structureSet());
</span><span class="cx"> // Don't need to watch anything in the structure chain because that would
</span><span class="cx"> // have been decomposed into CheckStructure's. Don't need to watch the
</span><span class="lines">@@ -139,22 +133,12 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ m_graph.m_structureWatchpointState = WatchingAllWatchableStructures;
+
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- void tryWatch(JSValue value)
- {
- if (value.isCell())
- tryWatch(value.asCell());
- }
-
- void tryWatch(JSCell* cell)
- {
- if (cell)
- tryWatch(cell->structure());
- }
-
</del><span class="cx"> void tryWatch(const StructureSet& set)
</span><span class="cx"> {
</span><span class="cx"> for (unsigned i = set.size(); i--;)
</span><span class="lines">@@ -163,7 +147,8 @@
</span><span class="cx">
</span><span class="cx"> void tryWatch(Structure* structure)
</span><span class="cx"> {
</span><del>- m_graph.watchpoints().consider(structure);
</del><ins>+ if (structure)
+ m_graph.watchpoints().consider(structure);
</ins><span class="cx"> }
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGWatchpointCollectionPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -114,7 +114,7 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case AllocationProfileWatchpoint:
</span><del>- addLazily(jsCast<JSFunction*>(m_node->function())->allocationProfileWatchpointSet());
</del><ins>+ addLazily(jsCast<JSFunction*>(m_node->function()->value())->allocationProfileWatchpointSet());
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case VariableWatchpoint:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -44,7 +44,6 @@
</span><span class="cx">
</span><span class="cx"> switch (node->op()) {
</span><span class="cx"> case JSConstant:
</span><del>- case WeakJSConstant:
</del><span class="cx"> case GetMyArgumentsLength:
</span><span class="cx"> case GetLocal:
</span><span class="cx"> case SetLocal:
</span><span class="lines">@@ -119,6 +118,8 @@
</span><span class="cx"> case StoreBarrierWithNullCheck:
</span><span class="cx"> case Call:
</span><span class="cx"> case Construct:
</span><ins>+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> case ValueToInt32:
</span><span class="cx"> case Branch:
</span><span class="cx"> case LogicalNot:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLinkcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLink.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLink.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/ftl/FTLLink.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -63,6 +63,8 @@
</span><span class="cx"> if (!graph.m_plan.inlineCallFrames->isEmpty())
</span><span class="cx"> state.jitCode->common.inlineCallFrames = graph.m_plan.inlineCallFrames;
</span><span class="cx">
</span><ins>+ graph.registerFrozenValues();
+
</ins><span class="cx"> // Create the entrypoint. Note that we use this entrypoint totally differently
</span><span class="cx"> // depending on whether we're doing OSR entry or not.
</span><span class="cx"> CCallHelpers jit(&vm, codeBlock);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -153,13 +153,8 @@
</span><span class="cx"> Node* m_node = block->at(nodeIndex);
</span><span class="cx"> if (m_node->hasKnownFunction()) {
</span><span class="cx"> int numArgs = m_node->numChildren();
</span><del>- NativeFunction func = m_node->knownFunction()->nativeFunction();
- Dl_info info;
- if (dladdr((void*)func, &info)) {
- LValue callee = getFunctionBySymbol(info.dli_sname);
- if (callee && numArgs > maxNumberOfArguments)
- maxNumberOfArguments = numArgs;
- }
</del><ins>+ if (numArgs > maxNumberOfArguments)
+ maxNumberOfArguments = numArgs;
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="lines">@@ -358,9 +353,6 @@
</span><span class="cx"> case Int52Constant:
</span><span class="cx"> compileInt52Constant();
</span><span class="cx"> break;
</span><del>- case WeakJSConstant:
- compileWeakJSConstant();
- break;
</del><span class="cx"> case PhantomArguments:
</span><span class="cx"> compilePhantomArguments();
</span><span class="cx"> break;
</span><span class="lines">@@ -639,6 +631,10 @@
</span><span class="cx"> case Construct:
</span><span class="cx"> compileCallOrConstruct();
</span><span class="cx"> break;
</span><ins>+ case NativeCall:
+ case NativeConstruct:
+ compileNativeCallOrConstruct();
+ break;
</ins><span class="cx"> case Jump:
</span><span class="cx"> compileJump();
</span><span class="cx"> break;
</span><span class="lines">@@ -773,22 +769,17 @@
</span><span class="cx">
</span><span class="cx"> void compileDoubleConstant()
</span><span class="cx"> {
</span><del>- setDouble(m_out.constDouble(m_graph.valueOfNumberConstant(m_node)));
</del><ins>+ setDouble(m_out.constDouble(m_node->asNumber()));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void compileInt52Constant()
</span><span class="cx"> {
</span><del>- int64_t value = m_graph.valueOfJSConstant(m_node).asMachineInt();
</del><ins>+ int64_t value = m_node->asMachineInt();
</ins><span class="cx">
</span><span class="cx"> setInt52(m_out.constInt64(value << JSValue::int52ShiftAmount));
</span><span class="cx"> setStrictInt52(m_out.constInt64(value));
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void compileWeakJSConstant()
- {
- setJSValue(weakPointer(m_node->weakConstant()));
- }
-
</del><span class="cx"> void compilePhantomArguments()
</span><span class="cx"> {
</span><span class="cx"> setJSValue(m_out.constInt64(JSValue::encode(JSValue())));
</span><span class="lines">@@ -1685,8 +1676,8 @@
</span><span class="cx"> LValue cell = lowCell(m_node->child1());
</span><span class="cx">
</span><span class="cx"> ExitKind exitKind;
</span><del>- if (m_node->child1()->op() == WeakJSConstant)
- exitKind = BadWeakConstantCache;
</del><ins>+ if (m_node->child1()->hasConstant())
+ exitKind = BadConstantCache;
</ins><span class="cx"> else
</span><span class="cx"> exitKind = BadCache;
</span><span class="cx">
</span><span class="lines">@@ -1724,7 +1715,7 @@
</span><span class="cx">
</span><span class="cx"> speculate(
</span><span class="cx"> BadFunction, jsValueValue(cell), m_node->child1().node(),
</span><del>- m_out.notEqual(cell, weakPointer(m_node->function())));
</del><ins>+ m_out.notEqual(cell, weakPointer(m_node->function()->value().asCell())));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void compileCheckExecutable()
</span><span class="lines">@@ -3295,8 +3286,8 @@
</span><span class="cx"> result = m_out.constInt64(JSValue::encode(variant.specificValue()));
</span><span class="cx"> else {
</span><span class="cx"> LValue propertyBase;
</span><del>- if (variant.chain())
- propertyBase = weakPointer(variant.chain()->terminalPrototype());
</del><ins>+ if (variant.alternateBase())
+ propertyBase = weakPointer(variant.alternateBase());
</ins><span class="cx"> else
</span><span class="cx"> propertyBase = base;
</span><span class="cx"> if (!isInlineOffset(variant.offset()))
</span><span class="lines">@@ -3505,7 +3496,7 @@
</span><span class="cx">
</span><span class="cx"> void compileCompareEqConstant()
</span><span class="cx"> {
</span><del>- ASSERT(m_graph.valueOfJSConstant(m_node->child2().node()).isNull());
</del><ins>+ ASSERT(m_node->child2()->asJSValue().isNull());
</ins><span class="cx"> setBoolean(
</span><span class="cx"> equalNullOrUndefined(
</span><span class="cx"> m_node->child1(), AllCellsAreFalse, EqualNullOrUndefined));
</span><span class="lines">@@ -3598,7 +3589,7 @@
</span><span class="cx">
</span><span class="cx"> void compileCompareStrictEqConstant()
</span><span class="cx"> {
</span><del>- JSValue constant = m_graph.valueOfJSConstant(m_node->child2().node());
</del><ins>+ JSValue constant = m_node->child2()->asJSValue();
</ins><span class="cx">
</span><span class="cx"> setBoolean(
</span><span class="cx"> m_out.equal(
</span><span class="lines">@@ -3631,16 +3622,66 @@
</span><span class="cx"> setBoolean(m_out.bitNot(boolify(m_node->child1())));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void compileNativeCallOrConstruct()
+ {
+ int dummyThisArgument = m_node->op() == NativeCall ? 0 : 1;
+ int numPassedArgs = m_node->numChildren() - 1;
+ int numArgs = numPassedArgs + dummyThisArgument;
+
+ ASSERT(m_node->hasKnownFunction());
+
+ JSFunction* knownFunction = m_node->knownFunction();
+ NativeFunction function = knownFunction->nativeFunction();
+
+ Dl_info info;
+ if (!dladdr((void*)function, &info))
+ ASSERT(false); // if we couldn't find the native function this doesn't bode well.
+
+ LValue callee = getFunctionBySymbol(info.dli_sname);
+
+ bool notInlinable;
+ if ((notInlinable = !callee))
+ callee = m_out.operation(function);
+
+ JSScope* scope = knownFunction->scopeUnchecked();
+ m_out.storePtr(m_callFrame, m_execStorage, m_heaps.CallFrame_callerFrame);
+ m_out.storePtr(constNull(m_out.intPtr), addressFor(m_execStorage, JSStack::CodeBlock));
+ m_out.storePtr(weakPointer(scope), addressFor(m_execStorage, JSStack::ScopeChain));
+ m_out.storePtr(weakPointer(knownFunction), addressFor(m_execStorage, JSStack::Callee));
+
+ m_out.store64(m_out.constInt64(numArgs), addressFor(m_execStorage, JSStack::ArgumentCount));
+
+ if (dummyThisArgument)
+ m_out.storePtr(getUndef(m_out.int64), addressFor(m_execStorage, JSStack::ThisArgument));
+
+ for (int i = 0; i < numPassedArgs; ++i) {
+ m_out.storePtr(lowJSValue(m_graph.varArgChild(m_node, 1 + i)),
+ addressFor(m_execStorage, dummyThisArgument ? JSStack::FirstArgument : JSStack::ThisArgument, i * sizeof(Register)));
+ }
+
+ LValue calleeCallFrame = m_out.address(m_execState, m_heaps.CallFrame_callerFrame).value();
+ m_out.storePtr(m_out.ptrToInt(calleeCallFrame, m_out.intPtr), m_out.absolute(&vm().topCallFrame));
+
+ LType typeCalleeArg;
+ getParamTypes(getElementType(typeOf(callee)), &typeCalleeArg);
+
+ LValue argument = notInlinable
+ ? m_out.ptrToInt(calleeCallFrame, typeCalleeArg)
+ : m_out.bitCast(calleeCallFrame, typeCalleeArg);
+ LValue call = vmCall(callee, argument);
+
+ if (Options::verboseCompilation())
+ dataLog("Native calling: ", info.dli_sname, "\n");
+
+ setJSValue(call);
+ }
+
</ins><span class="cx"> void compileCallOrConstruct()
</span><span class="cx"> {
</span><span class="cx"> int dummyThisArgument = m_node->op() == Call ? 0 : 1;
</span><span class="cx"> int numPassedArgs = m_node->numChildren() - 1;
</span><span class="cx"> int numArgs = numPassedArgs + dummyThisArgument;
</span><span class="cx">
</span><del>- if (m_node->hasKnownFunction()
- && possiblyCompileInlineableNativeCall(dummyThisArgument, numPassedArgs, numArgs))
- return;
-
</del><span class="cx"> LValue jsCallee = lowJSValue(m_graph.varArgChild(m_node, 0));
</span><span class="cx">
</span><span class="cx"> unsigned stackmapID = m_stackmapIDs++;
</span><span class="lines">@@ -4019,50 +4060,6 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool possiblyCompileInlineableNativeCall(int dummyThisArgument, int numPassedArgs, int numArgs)
- {
- JSFunction* knownFunction = m_node->knownFunction();
- NativeFunction function = knownFunction->nativeFunction();
- Dl_info info;
- if (dladdr((void*)function, &info)) {
- LValue callee = getFunctionBySymbol(info.dli_sname);
- LType typeCallee;
- if (callee && (typeCallee = typeOf(callee)) && (typeCallee = getElementType(typeCallee))) {
-
- JSScope* scope = knownFunction->scopeUnchecked();
- m_out.storePtr(m_callFrame, m_execStorage, m_heaps.CallFrame_callerFrame);
- m_out.storePtr(constNull(m_out.intPtr), addressFor(m_execStorage, JSStack::CodeBlock));
- m_out.storePtr(weakPointer(scope), addressFor(m_execStorage, JSStack::ScopeChain));
- m_out.storePtr(weakPointer(knownFunction), addressFor(m_execStorage, JSStack::Callee));
-
- m_out.store64(m_out.constInt64(numArgs), addressFor(m_execStorage, JSStack::ArgumentCount));
-
- if (dummyThisArgument)
- m_out.storePtr(getUndef(m_out.int64), addressFor(m_execStorage, JSStack::ThisArgument));
-
- for (int i = 0; i < numPassedArgs; ++i) {
- m_out.storePtr(lowJSValue(m_graph.varArgChild(m_node, 1 + i)),
- addressFor(m_execStorage, dummyThisArgument ? JSStack::FirstArgument : JSStack::ThisArgument, i * sizeof(Register)));
- }
-
- LType typeCalleeArg;
- getParamTypes(typeCallee, &typeCalleeArg);
- LValue calleeCallFrame = m_out.address(m_execState, m_heaps.CallFrame_callerFrame).value();
- m_out.storePtr(m_out.ptrToInt(calleeCallFrame, m_out.intPtr), m_out.absolute(&vm().topCallFrame));
-
- LValue call = vmCall(callee,
- m_out.bitCast(calleeCallFrame, typeCalleeArg));
-
- if (Options::verboseCompilation())
- dataLog("Inlining: ", info.dli_sname, "\n");
-
- setJSValue(call);
- return true;
- }
- }
- return false;
- }
-
</del><span class="cx"> LValue getFunctionBySymbol(const CString symbol)
</span><span class="cx"> {
</span><span class="cx"> if (!m_ftlState.symbolTable.contains(symbol))
</span><span class="lines">@@ -4194,6 +4191,8 @@
</span><span class="cx"> case PutById:
</span><span class="cx"> case Call:
</span><span class="cx"> case Construct:
</span><ins>+ case NativeCall:
+ case NativeConstruct:
</ins><span class="cx"> return m_out.below(
</span><span class="cx"> m_callFrame,
</span><span class="cx"> m_out.loadPtr(
</span><span class="lines">@@ -4999,7 +4998,7 @@
</span><span class="cx"> ASSERT_UNUSED(mode, mode == ManualOperandSpeculation || (edge.useKind() == Int32Use || edge.useKind() == KnownInt32Use));
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- JSValue value = m_graph.valueOfJSConstant(edge.node());
</del><ins>+ JSValue value = edge->asJSValue();
</ins><span class="cx"> if (!value.isInt32()) {
</span><span class="cx"> terminate(Uncountable);
</span><span class="cx"> return m_out.int32Zero;
</span><span class="lines">@@ -5114,7 +5113,7 @@
</span><span class="cx"> ASSERT_UNUSED(mode, mode == ManualOperandSpeculation || DFG::isCell(edge.useKind()));
</span><span class="cx">
</span><span class="cx"> if (edge->op() == JSConstant) {
</span><del>- JSValue value = m_graph.valueOfJSConstant(edge.node());
</del><ins>+ JSValue value = edge->asJSValue();
</ins><span class="cx"> if (!value.isCell()) {
</span><span class="cx"> terminate(Uncountable);
</span><span class="cx"> return m_out.intPtrZero;
</span><span class="lines">@@ -5177,7 +5176,7 @@
</span><span class="cx"> ASSERT_UNUSED(mode, mode == ManualOperandSpeculation || edge.useKind() == BooleanUse);
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant()) {
</span><del>- JSValue value = m_graph.valueOfJSConstant(edge.node());
</del><ins>+ JSValue value = edge->asJSValue();
</ins><span class="cx"> if (!value.isBoolean()) {
</span><span class="cx"> terminate(Uncountable);
</span><span class="cx"> return m_out.booleanFalse;
</span><span class="lines">@@ -5223,8 +5222,8 @@
</span><span class="cx"> DFG_ASSERT(m_graph, m_node, edge.useKind() != Int52RepUse);
</span><span class="cx">
</span><span class="cx"> if (edge->hasConstant())
</span><del>- return m_out.constInt64(JSValue::encode(m_graph.valueOfJSConstant(edge.node())));
-
</del><ins>+ return m_out.constInt64(JSValue::encode(edge->asJSValue()));
+
</ins><span class="cx"> LoweredNodeValue value = m_jsValueValues.get(edge.node());
</span><span class="cx"> if (isValid(value))
</span><span class="cx"> return value.value();
</span><span class="lines">@@ -6202,8 +6201,7 @@
</span><span class="cx"> case JSConstant:
</span><span class="cx"> case Int52Constant:
</span><span class="cx"> case DoubleConstant:
</span><del>- case WeakJSConstant:
- exit.m_values[index] = ExitValue::constant(m_graph.valueOfJSConstant(node));
</del><ins>+ exit.m_values[index] = ExitValue::constant(node->asJSValue());
</ins><span class="cx"> return true;
</span><span class="cx"> case PhantomArguments:
</span><span class="cx"> exit.m_values[index] = ExitValue::argumentsObjectThatWasNotCreated();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -87,7 +87,7 @@
</span><span class="cx">
</span><span class="cx"> Profiler::OSRExit* profilerExit = compilation->addOSRExit(
</span><span class="cx"> exitID, Profiler::OriginStack(database, codeBlock, exit.m_codeOrigin),
</span><del>- exit.m_kind, isWatchpoint(exit.m_kind));
</del><ins>+ exit.m_kind, exit.m_kind == UncountableInvalidation);
</ins><span class="cx"> jit.add64(CCallHelpers::TrustedImm32(1), CCallHelpers::AbsoluteAddress(profilerExit->counterAddress()));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntendedStructureChaincpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntendedStructureChain.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntendedStructureChain.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/runtime/IntendedStructureChain.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -33,27 +33,37 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><del>-IntendedStructureChain::IntendedStructureChain(JSGlobalObject* globalObject, Structure* head)
</del><ins>+IntendedStructureChain::IntendedStructureChain(JSGlobalObject* globalObject, JSValue prototype)
</ins><span class="cx"> : m_globalObject(globalObject)
</span><del>- , m_head(head)
</del><ins>+ , m_prototype(prototype)
</ins><span class="cx"> {
</span><del>- JSValue prototype = head->prototypeForLookup(globalObject);
</del><ins>+ ASSERT(m_prototype.isNull() || m_prototype.isObject());
</ins><span class="cx"> if (prototype.isNull())
</span><span class="cx"> return;
</span><span class="cx"> for (Structure* current = asObject(prototype)->structure(); current; current = current->storedPrototypeStructure())
</span><span class="cx"> m_vector.append(current);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+IntendedStructureChain::IntendedStructureChain(JSGlobalObject* globalObject, Structure* head)
+ : m_globalObject(globalObject)
+ , m_prototype(head->prototypeForLookup(m_globalObject))
+{
+ if (m_prototype.isNull())
+ return;
+ for (Structure* current = asObject(m_prototype)->structure(); current; current = current->storedPrototypeStructure())
+ m_vector.append(current);
+}
+
</ins><span class="cx"> IntendedStructureChain::IntendedStructureChain(CodeBlock* codeBlock, Structure* head, Structure* prototypeStructure)
</span><span class="cx"> : m_globalObject(codeBlock->globalObject())
</span><del>- , m_head(head)
</del><ins>+ , m_prototype(head->prototypeForLookup(m_globalObject))
</ins><span class="cx"> {
</span><span class="cx"> m_vector.append(prototypeStructure);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> IntendedStructureChain::IntendedStructureChain(CodeBlock* codeBlock, Structure* head, StructureChain* chain)
</span><span class="cx"> : m_globalObject(codeBlock->globalObject())
</span><del>- , m_head(head)
</del><ins>+ , m_prototype(head->prototypeForLookup(m_globalObject))
</ins><span class="cx"> {
</span><span class="cx"> for (unsigned i = 0; chain->head()[i]; ++i)
</span><span class="cx"> m_vector.append(chain->head()[i].get());
</span><span class="lines">@@ -61,7 +71,7 @@
</span><span class="cx">
</span><span class="cx"> IntendedStructureChain::IntendedStructureChain(CodeBlock* codeBlock, Structure* head, StructureChain* chain, unsigned count)
</span><span class="cx"> : m_globalObject(codeBlock->globalObject())
</span><del>- , m_head(head)
</del><ins>+ , m_prototype(head->prototypeForLookup(m_globalObject))
</ins><span class="cx"> {
</span><span class="cx"> for (unsigned i = 0; i < count; ++i)
</span><span class="cx"> m_vector.append(chain->head()[i].get());
</span><span class="lines">@@ -73,7 +83,7 @@
</span><span class="cx">
</span><span class="cx"> bool IntendedStructureChain::isStillValid() const
</span><span class="cx"> {
</span><del>- JSValue currentPrototype = m_head->prototypeForLookup(m_globalObject);
</del><ins>+ JSValue currentPrototype = m_prototype;
</ins><span class="cx"> for (unsigned i = 0; i < m_vector.size(); ++i) {
</span><span class="cx"> if (asObject(currentPrototype)->structure() != m_vector[i])
</span><span class="cx"> return false;
</span><span class="lines">@@ -93,14 +103,6 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-StructureChain* IntendedStructureChain::chain(VM& vm) const
-{
- ASSERT(isStillValid());
- StructureChain* result = StructureChain::create(vm, m_head);
- ASSERT(matches(result));
- return result;
-}
-
</del><span class="cx"> bool IntendedStructureChain::mayInterceptStoreTo(VM& vm, StringImpl* uid)
</span><span class="cx"> {
</span><span class="cx"> for (unsigned i = 0; i < m_vector.size(); ++i) {
</span><span class="lines">@@ -118,8 +120,6 @@
</span><span class="cx">
</span><span class="cx"> bool IntendedStructureChain::isNormalized()
</span><span class="cx"> {
</span><del>- if (m_head->isProxy())
- return false;
</del><span class="cx"> for (unsigned i = 0; i < m_vector.size(); ++i) {
</span><span class="cx"> Structure* structure = m_vector[i];
</span><span class="cx"> if (structure->isProxy())
</span><span class="lines">@@ -134,14 +134,32 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!m_vector.isEmpty());
</span><span class="cx"> if (m_vector.size() == 1)
</span><del>- return asObject(m_head->prototypeForLookup(m_globalObject));
</del><ins>+ return asObject(m_prototype);
</ins><span class="cx"> return asObject(m_vector[m_vector.size() - 2]->storedPrototype());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool IntendedStructureChain::operator==(const IntendedStructureChain& other) const
+{
+ return m_globalObject == other.m_globalObject
+ && m_prototype == other.m_prototype
+ && m_vector == other.m_vector;
+}
+
+void IntendedStructureChain::gatherChecks(ConstantStructureCheckVector& vector) const
+{
+ JSValue currentPrototype = m_prototype;
+ for (unsigned i = 0; i < size(); ++i) {
+ JSObject* currentObject = asObject(currentPrototype);
+ Structure* currentStructure = at(i);
+ vector.append(ConstantStructureCheck(currentObject, currentStructure));
+ currentPrototype = currentStructure->prototypeForLookup(m_globalObject);
+ }
+}
+
</ins><span class="cx"> void IntendedStructureChain::visitChildren(SlotVisitor& visitor)
</span><span class="cx"> {
</span><span class="cx"> visitor.appendUnbarrieredPointer(&m_globalObject);
</span><del>- visitor.appendUnbarrieredPointer(&m_head);
</del><ins>+ visitor.appendUnbarrieredValue(&m_prototype);
</ins><span class="cx"> for (unsigned i = m_vector.size(); i--;)
</span><span class="cx"> visitor.appendUnbarrieredPointer(&m_vector[i]);
</span><span class="cx"> }
</span><span class="lines">@@ -155,7 +173,7 @@
</span><span class="cx"> {
</span><span class="cx"> out.print(
</span><span class="cx"> "(global = ", RawPointer(m_globalObject), ", head = ",
</span><del>- pointerDumpInContext(m_head, context), ", vector = [");
</del><ins>+ inContext(m_prototype, context), ", vector = [");
</ins><span class="cx"> CommaPrinter comma;
</span><span class="cx"> for (unsigned i = 0; i < m_vector.size(); ++i)
</span><span class="cx"> out.print(comma, pointerDumpInContext(m_vector[i], context));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntendedStructureChainh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntendedStructureChain.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntendedStructureChain.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/runtime/IntendedStructureChain.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #ifndef IntendedStructureChain_h
</span><span class="cx"> #define IntendedStructureChain_h
</span><span class="cx">
</span><ins>+#include "ConstantStructureCheck.h"
</ins><span class="cx"> #include "Structure.h"
</span><span class="cx"> #include <wtf/RefCounted.h>
</span><span class="cx">
</span><span class="lines">@@ -39,7 +40,8 @@
</span><span class="cx">
</span><span class="cx"> class IntendedStructureChain : public RefCounted<IntendedStructureChain> {
</span><span class="cx"> public:
</span><del>- IntendedStructureChain(JSGlobalObject* globalObject, Structure* head);
</del><ins>+ IntendedStructureChain(JSGlobalObject* globalObject, JSValue prototype);
+ IntendedStructureChain(JSGlobalObject* globalObject, Structure*);
</ins><span class="cx"> IntendedStructureChain(CodeBlock* codeBlock, Structure* head, Structure* prototypeStructure);
</span><span class="cx"> IntendedStructureChain(CodeBlock* codeBlock, Structure* head, StructureChain* chain);
</span><span class="cx"> IntendedStructureChain(CodeBlock* codeBlock, Structure* head, StructureChain* chain, unsigned count);
</span><span class="lines">@@ -47,27 +49,34 @@
</span><span class="cx">
</span><span class="cx"> bool isStillValid() const;
</span><span class="cx"> bool matches(StructureChain*) const;
</span><del>- StructureChain* chain(VM&) const;
</del><span class="cx"> bool mayInterceptStoreTo(VM&, StringImpl* uid);
</span><span class="cx"> bool isNormalized();
</span><span class="cx">
</span><del>- Structure* head() const { return m_head; }
</del><ins>+ JSValue prototype() const { return m_prototype; }
</ins><span class="cx">
</span><span class="cx"> size_t size() const { return m_vector.size(); }
</span><del>- Structure* at(size_t index) { return m_vector[index]; }
- Structure* operator[](size_t index) { return at(index); }
</del><ins>+ Structure* at(size_t index) const { return m_vector[index]; }
+ Structure* operator[](size_t index) const { return at(index); }
</ins><span class="cx">
</span><span class="cx"> JSObject* terminalPrototype() const;
</span><span class="cx">
</span><span class="cx"> Structure* last() const { return m_vector.last(); }
</span><span class="cx">
</span><ins>+ bool operator==(const IntendedStructureChain&) const;
+ bool operator!=(const IntendedStructureChain& other) const
+ {
+ return !(*this == other);
+ }
+
+ void gatherChecks(ConstantStructureCheckVector&) const;
+
</ins><span class="cx"> void visitChildren(SlotVisitor&);
</span><span class="cx"> void dump(PrintStream&) const;
</span><span class="cx"> void dumpInContext(PrintStream&, DumpContext*) const;
</span><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> JSGlobalObject* m_globalObject;
</span><del>- Structure* m_head;
</del><ins>+ JSValue m_prototype;
</ins><span class="cx"> Vector<Structure*> m_vector;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCJSValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -198,6 +198,13 @@
</span><span class="cx">
</span><span class="cx"> void JSValue::dumpInContext(PrintStream& out, DumpContext* context) const
</span><span class="cx"> {
</span><ins>+ dumpInContextAssumingStructure(
+ out, context, (!!*this && isCell()) ? asCell()->structure() : nullptr);
+}
+
+void JSValue::dumpInContextAssumingStructure(
+ PrintStream& out, DumpContext* context, Structure* structure) const
+{
</ins><span class="cx"> if (!*this)
</span><span class="cx"> out.print("<JSValue()>");
</span><span class="cx"> else if (isInt32())
</span><span class="lines">@@ -214,7 +221,7 @@
</span><span class="cx"> out.printf("Double: %08x:%08x, %lf", u.asTwoInt32s[1], u.asTwoInt32s[0], asDouble());
</span><span class="cx"> #endif
</span><span class="cx"> } else if (isCell()) {
</span><del>- if (asCell()->inherits(JSString::info())) {
</del><ins>+ if (structure->classInfo()->isSubClassOf(JSString::info())) {
</ins><span class="cx"> JSString* string = jsCast<JSString*>(asCell());
</span><span class="cx"> out.print("String");
</span><span class="cx"> if (string->isRope())
</span><span class="lines">@@ -230,11 +237,11 @@
</span><span class="cx"> } else
</span><span class="cx"> out.print(" (unresolved)");
</span><span class="cx"> out.print(": ", impl);
</span><del>- } else if (asCell()->inherits(Structure::info()))
</del><ins>+ } else if (structure->classInfo()->isSubClassOf(Structure::info()))
</ins><span class="cx"> out.print("Structure: ", inContext(*jsCast<Structure*>(asCell()), context));
</span><span class="cx"> else {
</span><span class="cx"> out.print("Cell: ", RawPointer(asCell()));
</span><del>- out.print(" (", inContext(*asCell()->structure(), context), ")");
</del><ins>+ out.print(" (", inContext(*structure, context), ")");
</ins><span class="cx"> }
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx"> out.print(", ID: ", asCell()->structureID());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCJSValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCJSValue.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCJSValue.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/JavaScriptCore/runtime/JSCJSValue.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -48,6 +48,7 @@
</span><span class="cx"> class PropertyName;
</span><span class="cx"> class PropertySlot;
</span><span class="cx"> class PutPropertySlot;
</span><ins>+class Structure;
</ins><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx"> namespace DFG {
</span><span class="cx"> class JITCompiler;
</span><span class="lines">@@ -246,7 +247,7 @@
</span><span class="cx"> JSObject* toObject(ExecState*, JSGlobalObject*) const;
</span><span class="cx">
</span><span class="cx"> // Integer conversions.
</span><del>- double toInteger(ExecState*) const;
</del><ins>+ JS_EXPORT_PRIVATE double toInteger(ExecState*) const;
</ins><span class="cx"> JS_EXPORT_PRIVATE double toIntegerPreserveNaN(ExecState*) const;
</span><span class="cx"> int32_t toInt32(ExecState*) const;
</span><span class="cx"> uint32_t toUInt32(ExecState*) const;
</span><span class="lines">@@ -283,6 +284,7 @@
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE void dump(PrintStream&) const;
</span><span class="cx"> void dumpInContext(PrintStream&, DumpContext*) const;
</span><ins>+ void dumpInContextAssumingStructure(PrintStream&, DumpContext*, Structure*) const;
</ins><span class="cx"> void dumpForBacktrace(PrintStream&) const;
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE JSObject* synthesizePrototype(ExecState*) const;
</span></span></pre></div>
<a id="trunkSourceWTFwtfListDumph"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/ListDump.h (171612 => 171613)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/ListDump.h 2014-07-25 20:37:11 UTC (rev 171612)
+++ trunk/Source/WTF/wtf/ListDump.h 2014-07-25 20:55:17 UTC (rev 171613)
</span><span class="lines">@@ -119,12 +119,42 @@
</span><span class="cx"> return out.toCString();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+template<typename T, typename U>
+class ListDumpInContext {
+public:
+ ListDumpInContext(const T& list, U* context, const char* comma)
+ : m_list(list)
+ , m_context(context)
+ , m_comma(comma)
+ {
+ }
+
+ void dump(PrintStream& out) const
+ {
+ for (typename T::const_iterator iter = m_list.begin(); iter != m_list.end(); ++iter)
+ out.print(m_comma, inContext(*iter, m_context));
+ }
+
+private:
+ const T& m_list;
+ U* m_context;
+ CommaPrinter m_comma;
+};
+
+template<typename T, typename U>
+ListDumpInContext<T, U> listDumpInContext(
+ const T& list, U* context, const char* comma = ", ")
+{
+ return ListDumpInContext<T, U>(list, context, comma);
+}
+
</ins><span class="cx"> } // namespace WTF
</span><span class="cx">
</span><span class="cx"> using WTF::listDump;
</span><span class="cx"> using WTF::sortedListDump;
</span><span class="cx"> using WTF::mapDump;
</span><span class="cx"> using WTF::sortedMapDump;
</span><ins>+using WTF::listDumpInContext;
</ins><span class="cx">
</span><span class="cx"> #endif // ListDump_h
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>