<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[172176] trunk/Source</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/172176">172176</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2014-08-06 14:32:55 -0700 (Wed, 06 Aug 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/171389">r171389</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/171495">r171495</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/171508">r171508</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/171510">r171510</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/171605">r171605</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/171606">r171606</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/171611">r171611</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/171614">r171614</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/171763">r171763</a> from ftlopt.
Source/JavaScriptCore:
2014-07-28 Mark Hahnenberg <mhahnenberg@apple.com>
Support for-in in the FTL
https://bugs.webkit.org/show_bug.cgi?id=134140
Reviewed by Filip Pizlo.
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* ftl/FTLAbstractHeapRepository.cpp:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
(JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
(JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
(JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
(JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
(JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
(JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
(JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
(JSC::FTL::LowerDFGToLLVM::compileToIndexString):
2014-07-25 Mark Hahnenberg <mhahnenberg@apple.com>
Remove JSPropertyNameIterator
https://bugs.webkit.org/show_bug.cgi?id=135066
Reviewed by Geoffrey Garen.
It has been replaced by JSPropertyNameEnumerator.
* JavaScriptCore.order:
* bytecode/BytecodeBasicBlock.cpp:
(JSC::isBranch):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/PreciseJumpTargets.cpp:
(JSC::getJumpTargetsForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
(JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
* bytecompiler/BytecodeGenerator.h:
* interpreter/Interpreter.cpp:
* interpreter/Register.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_get_pnames): Deleted.
(JSC::JIT::emit_op_next_pname): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_pnames): Deleted.
(JSC::JIT::emit_op_next_pname): Deleted.
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_pname): Deleted.
(JSC::JIT::emitSlow_op_get_by_pname): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_pname): Deleted.
(JSC::JIT::emitSlow_op_get_by_pname): Deleted.
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
(JSC::JSPropertyNameIterator::create): Deleted.
(JSC::JSPropertyNameIterator::destroy): Deleted.
(JSC::JSPropertyNameIterator::get): Deleted.
(JSC::JSPropertyNameIterator::visitChildren): Deleted.
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure): Deleted.
(JSC::JSPropertyNameIterator::size): Deleted.
(JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
(JSC::JSPropertyNameIterator::cachedStructure): Deleted.
(JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
(JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
(JSC::JSPropertyNameIterator::finishCreation): Deleted.
(JSC::Register::propertyNameIterator): Deleted.
(JSC::StructureRareData::enumerationCache): Deleted.
(JSC::StructureRareData::setEnumerationCache): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache): Deleted.
(JSC::Structure::enumerationCache): Deleted.
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::visitChildren):
* runtime/StructureRareData.h:
* runtime/VM.cpp:
(JSC::VM::VM):
2014-07-25 Saam Barati <sbarati@apple.com>
Fix 32-bit build breakage for type profiling
https://bugs.webkit.org/process_bug.cgi
Reviewed by Mark Hahnenberg.
32-bit builds currently break because global variable IDs for high
fidelity type profiling are int64_t. Change this to intptr_t so that
it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::scopeDependentProfile):
* bytecode/TypeLocation.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):
* runtime/SymbolTable.h:
* runtime/TypeLocationCache.cpp:
(JSC::TypeLocationCache::getTypeLocation):
* runtime/TypeLocationCache.h:
* runtime/VM.h:
(JSC::VM::getNextUniqueVariableID):
2014-07-25 Mark Hahnenberg <mhahnenberg@apple.com>
Reindent PropertyNameArray.h
https://bugs.webkit.org/show_bug.cgi?id=135067
Reviewed by Geoffrey Garen.
* runtime/PropertyNameArray.h:
(JSC::RefCountedIdentifierSet::contains):
(JSC::RefCountedIdentifierSet::size):
(JSC::RefCountedIdentifierSet::add):
(JSC::PropertyNameArrayData::create):
(JSC::PropertyNameArrayData::propertyNameVector):
(JSC::PropertyNameArrayData::PropertyNameArrayData):
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::vm):
(JSC::PropertyNameArray::add):
(JSC::PropertyNameArray::addKnownUnique):
(JSC::PropertyNameArray::operator[]):
(JSC::PropertyNameArray::setData):
(JSC::PropertyNameArray::data):
(JSC::PropertyNameArray::releaseData):
(JSC::PropertyNameArray::identifierSet):
(JSC::PropertyNameArray::canAddKnownUniqueForStructure):
(JSC::PropertyNameArray::size):
(JSC::PropertyNameArray::begin):
(JSC::PropertyNameArray::end):
(JSC::PropertyNameArray::numCacheableSlots):
(JSC::PropertyNameArray::setNumCacheableSlotsForObject):
(JSC::PropertyNameArray::setBaseObject):
(JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
2014-07-23 Mark Hahnenberg <mhahnenberg@apple.com>
Refactor our current implementation of for-in
https://bugs.webkit.org/show_bug.cgi?id=134142
Reviewed by Filip Pizlo.
This patch splits for-in loops into three distinct parts:
- Iterating over the indexed properties in the base object.
- Iterating over the Structure properties in the base object.
- Iterating over any other enumerable properties for that object and any objects in the prototype chain.
It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
support the various operations required for each loop.
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::CallLinkStatus):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::emitComplexPopScopes):
(JSC::BytecodeGenerator::emitGetEnumerableLength):
(JSC::BytecodeGenerator::emitHasGenericProperty):
(JSC::BytecodeGenerator::emitHasIndexedProperty):
(JSC::BytecodeGenerator::emitHasStructureProperty):
(JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
(JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
(JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
(JSC::BytecodeGenerator::emitToIndexString):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::popIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
(JSC::BytecodeGenerator::popStructureForInScope):
(JSC::BytecodeGenerator::invalidateForInContextForLocal):
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::ForInContext):
(JSC::ForInContext::~ForInContext):
(JSC::ForInContext::isValid):
(JSC::ForInContext::invalidate):
(JSC::ForInContext::local):
(JSC::StructureForInContext::StructureForInContext):
(JSC::StructureForInContext::type):
(JSC::StructureForInContext::index):
(JSC::StructureForInContext::property):
(JSC::StructureForInContext::enumerator):
(JSC::IndexedForInContext::IndexedForInContext):
(JSC::IndexedForInContext::type):
(JSC::IndexedForInContext::index):
(JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
(JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ForInNode::tryGetBoundLocal):
(JSC::ForInNode::emitLoopHeader):
(JSC::ForInNode::emitMultiLoopBytecode):
(JSC::ForInNode::emitBytecode):
* debugger/DebuggerScope.h:
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
(JSC::JIT::compileHasIndexedProperty):
(JSC::JIT::emitInt32Load):
* jit/JITInlines.h:
(JSC::JIT::emitDoubleGetByVal):
(JSC::JIT::emitLoadForArrayMode):
(JSC::JIT::emitContiguousGetByVal):
(JSC::JIT::emitArrayStorageGetByVal):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_get_enumerable_length):
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emitSlow_op_has_structure_property):
(JSC::JIT::emit_op_has_generic_property):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_indexed_property):
(JSC::JIT::emitSlow_op_has_indexed_property):
(JSC::JIT::emit_op_get_direct_pname):
(JSC::JIT::emitSlow_op_get_direct_pname):
(JSC::JIT::emit_op_get_structure_property_enumerator):
(JSC::JIT::emit_op_get_generic_property_enumerator):
(JSC::JIT::emit_op_next_enumerator_pname):
(JSC::JIT::emit_op_to_index_string):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_enumerable_length):
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emitSlow_op_has_structure_property):
(JSC::JIT::emit_op_has_generic_property):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_indexed_property):
(JSC::JIT::emitSlow_op_has_indexed_property):
(JSC::JIT::emit_op_get_direct_pname):
(JSC::JIT::emitSlow_op_get_direct_pname):
(JSC::JIT::emit_op_get_structure_property_enumerator):
(JSC::JIT::emit_op_get_generic_property_enumerator):
(JSC::JIT::emit_op_next_enumerator_pname):
(JSC::JIT::emit_op_to_index_string):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitDoubleGetByVal): Deleted.
(JSC::JIT::emitContiguousGetByVal): Deleted.
(JSC::JIT::emitArrayStorageGetByVal): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitContiguousGetByVal): Deleted.
(JSC::JIT::emitDoubleGetByVal): Deleted.
(JSC::JIT::emitArrayStorageGetByVal): Deleted.
* llint/LowLevelInterpreter.asm:
* parser/Nodes.h:
* runtime/Arguments.cpp:
(JSC::Arguments::getOwnPropertyNames):
* runtime/ClassInfo.h:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/EnumerationMode.h: Added.
(JSC::shouldIncludeDontEnumProperties):
(JSC::shouldExcludeDontEnumProperties):
(JSC::shouldIncludeJSObjectPropertyNames):
(JSC::modeThatSkipsJSObject):
* runtime/JSActivation.cpp:
(JSC::JSActivation::getOwnNonIndexPropertyNames):
* runtime/JSArray.cpp:
(JSC::JSArray::getOwnNonIndexPropertyNames):
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
* runtime/JSCell.cpp:
(JSC::JSCell::getEnumerableLength):
(JSC::JSCell::getStructurePropertyNames):
(JSC::JSCell::getGenericPropertyNames):
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnNonIndexPropertyNames):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
* runtime/JSObject.cpp:
(JSC::getClassPropertyNames):
(JSC::JSObject::hasOwnProperty):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
(JSC::JSObject::getEnumerableLength):
(JSC::JSObject::getStructurePropertyNames):
(JSC::JSObject::getGenericPropertyNames):
* runtime/JSObject.h:
* runtime/JSPropertyNameEnumerator.cpp: Added.
(JSC::JSPropertyNameEnumerator::create):
(JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
(JSC::JSPropertyNameEnumerator::finishCreation):
(JSC::JSPropertyNameEnumerator::destroy):
(JSC::JSPropertyNameEnumerator::visitChildren):
* runtime/JSPropertyNameEnumerator.h: Added.
(JSC::JSPropertyNameEnumerator::createStructure):
(JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
(JSC::JSPropertyNameEnumerator::identifierSet):
(JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
(JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
(JSC::JSPropertyNameEnumerator::cachedStructure):
(JSC::JSPropertyNameEnumerator::cachedStructureID):
(JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
(JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
(JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
(JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
(JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
(JSC::structurePropertyNameEnumerator):
(JSC::genericPropertyNameEnumerator):
* runtime/JSProxy.cpp:
(JSC::JSProxy::getEnumerableLength):
(JSC::JSProxy::getStructurePropertyNames):
(JSC::JSProxy::getGenericPropertyNames):
* runtime/JSProxy.h:
* runtime/JSSymbolTableObject.cpp:
(JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
* runtime/PropertyNameArray.cpp:
(JSC::PropertyNameArray::add):
(JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
* runtime/PropertyNameArray.h:
(JSC::RefCountedIdentifierSet::contains):
(JSC::RefCountedIdentifierSet::size):
(JSC::RefCountedIdentifierSet::add):
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::add):
(JSC::PropertyNameArray::addKnownUnique):
(JSC::PropertyNameArray::identifierSet):
(JSC::PropertyNameArray::canAddKnownUniqueForStructure):
(JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::getOwnNonIndexPropertyNames):
(JSC::RegExpObject::getPropertyNames):
(JSC::RegExpObject::getGenericPropertyNames):
* runtime/RegExpObject.h:
* runtime/StringObject.cpp:
(JSC::StringObject::getOwnPropertyNames):
* runtime/Structure.cpp:
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::setCachedStructurePropertyNameEnumerator):
(JSC::Structure::cachedStructurePropertyNameEnumerator):
(JSC::Structure::setCachedGenericPropertyNameEnumerator):
(JSC::Structure::cachedGenericPropertyNameEnumerator):
(JSC::Structure::canCacheStructurePropertyNameEnumerator):
(JSC::Structure::canCacheGenericPropertyNameEnumerator):
(JSC::Structure::canAccessPropertiesQuickly):
* runtime/Structure.h:
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::visitChildren):
(JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
(JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
(JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
(JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
* runtime/StructureRareData.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-07-23 Saam Barati <sbarati@apple.com>
Make improvements to Type Profiling
https://bugs.webkit.org/show_bug.cgi?id=134860
Reviewed by Filip Pizlo.
I improved the API between the inspector and JSC. We no longer send one huge
string to the inspector. We now send structured data that represents the type
information that JSC has collected. I've also created a beginning implementation
of a type lattice that allows us to resolve a display name for a type that
consists of a single word.
I created a data structure that knows which functions have executed. This
solves the bug where types inside an un-executed function will resolve
to the type of the enclosing expression of that function. This data
structure may also be useful later if the inspector chooses to create a UI
around showing which functions have executed.
Better type information is gathered for objects. StructureShape now
represents an object's prototype chain. StructureShape also collects
the constructor name for an object.
Expression ranges are now zero indexed.
Removed some extraneous methods.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::scopeDependentProfile):
* bytecode/CodeBlock.h:
* bytecode/TypeLocation.h:
(JSC::TypeLocation::TypeLocation):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
(JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
* heap/Heap.cpp:
(JSC::Heap::collect):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* runtime/Executable.cpp:
(JSC::ScriptExecutable::ScriptExecutable):
(JSC::ProgramExecutable::ProgramExecutable):
(JSC::FunctionExecutable::FunctionExecutable):
(JSC::ProgramExecutable::initializeGlobalProperties):
* runtime/Executable.h:
(JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
(JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
* runtime/FunctionHasExecutedCache.cpp: Added.
(JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
(JSC::FunctionHasExecutedCache::insertUnexecutedRange):
(JSC::FunctionHasExecutedCache::removeUnexecutedRange):
* runtime/FunctionHasExecutedCache.h: Added.
(JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
(JSC::FunctionHasExecutedCache::FunctionRange::operator==):
(JSC::FunctionHasExecutedCache::FunctionRange::hash):
* runtime/HighFidelityLog.cpp:
(JSC::HighFidelityLog::processHighFidelityLog):
(JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
* runtime/HighFidelityLog.h:
(JSC::HighFidelityLog::recordTypeInformationForLocation):
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
(JSC::HighFidelityTypeProfiler::insertNewLocation):
(JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
(JSC::descriptorMatchesTypeLocation):
(JSC::HighFidelityTypeProfiler::findLocation):
(JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
* runtime/HighFidelityTypeProfiler.h:
(JSC::QueryKey::QueryKey):
(JSC::QueryKey::isHashTableDeletedValue):
(JSC::QueryKey::operator==):
(JSC::QueryKey::hash):
(JSC::QueryKeyHash::hash):
(JSC::QueryKeyHash::equal):
(JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
(JSC::HighFidelityTypeProfiler::typeLocationCache):
* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
* runtime/Structure.h:
* runtime/TypeLocationCache.cpp: Added.
(JSC::TypeLocationCache::getTypeLocation):
* runtime/TypeLocationCache.h: Added.
(JSC::TypeLocationCache::LocationKey::LocationKey):
(JSC::TypeLocationCache::LocationKey::operator==):
(JSC::TypeLocationCache::LocationKey::hash):
* runtime/TypeSet.cpp:
(JSC::TypeSet::getRuntimeTypeForValue):
(JSC::TypeSet::addTypeForValue):
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::doesTypeConformTo):
(JSC::TypeSet::displayName):
(JSC::TypeSet::allPrimitiveTypeNames):
(JSC::TypeSet::allStructureRepresentations):
(JSC::TypeSet::leastCommonAncestor):
(JSC::StructureShape::StructureShape):
(JSC::StructureShape::addProperty):
(JSC::StructureShape::propertyHash):
(JSC::StructureShape::leastCommonAncestor):
(JSC::StructureShape::stringRepresentation):
(JSC::StructureShape::inspectorRepresentation):
(JSC::StructureShape::leastUpperBound): Deleted.
* runtime/TypeSet.h:
(JSC::StructureShape::setConstructorName):
(JSC::StructureShape::constructorName):
(JSC::StructureShape::setProto):
* runtime/VM.cpp:
(JSC::VM::dumpHighFidelityProfilingTypes):
(JSC::VM::getTypesForVariableAtOffset): Deleted.
(JSC::VM::updateHighFidelityTypeProfileState): Deleted.
* runtime/VM.h:
(JSC::VM::isProfilingTypesWithHighFidelity):
(JSC::VM::highFidelityTypeProfiler):
2014-07-23 Filip Pizlo <fpizlo@apple.com>
Fix debug build.
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::CallLinkStatus):
2014-07-20 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Phantoms in SSA form should be aggressively hoisted
https://bugs.webkit.org/show_bug.cgi?id=135111
Reviewed by Oliver Hunt.
In CPS form, Phantom means three things: (1) that the children should be kept alive so long
as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
second meaning is not used but the other two stay.
The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
even in a totally different basic block, complicates some SSA transformations. It's not
possible to just jettison some successor, since tha successor could have a Phantom that we
care about.
This change rationalizes how Phantoms work so that:
1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
in both CPS and SSA. This was true before and it's true now.
2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
now, except that now we also don't bother preserving the live-in-bytecode information
that Phantoms convey, when we are in SSA.
3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
Phantom.
The biggest part of this change is that in SSA, we canonicalize Phantoms:
- All Phantoms are replaced with Check nodes that include only those edges that have
checks.
- Nodes that were the children of any Phantoms have a Phantom right after them.
For example, the following code:
5: ArithAdd(@1, @2)
6: ArithSub(@5, @3)
7: Phantom(Int32:@5)
would be turned into the following:
5: ArithAdd(@1, @2)
8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
// @5. This is the only Phantom we will have for @5.
6: ArithSub(@5, @3)
7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
// a checking edge, we leave it.
This is a slight speed-up across the board, presumably because we now do a better job of
reducing the size of the graph during compilation. It could also be a fluke, though. The
main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
become a requirement to run phantom canonicalization prior to some SSA phases. None of the
current phases need it, but future phases probably will.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::findTypeCheckRoot):
(JSC::DFG::DCEPhase::countEdge):
(JSC::DFG::DCEPhase::fixupBlock):
(JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
* dfg/DFGEdge.cpp:
(JSC::DFG::Edge::dump):
* dfg/DFGEdge.h:
(JSC::DFG::Edge::isProved):
(JSC::DFG::Edge::needsCheck): Deleted.
* dfg/DFGNodeFlags.h:
* dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
(JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
(JSC::DFG::PhantomCanonicalizationPhase::run):
(JSC::DFG::performPhantomCanonicalization):
* dfg/DFGPhantomCanonicalizationPhase.h: Added.
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* dfg/DFGPhantomRemovalPhase.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2014-07-22 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
https://bugs.webkit.org/show_bug.cgi?id=135146
Reviewed by Oliver Hunt.
This greatly simplifies our closure call optimizations by taking advantage of the type
bits available in the cell header.
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::visitWeak):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::dump):
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::executable):
(JSC::CallLinkStatus::structure): Deleted.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
(JSC::DFG::SpeculativeJIT::speculateCellType):
(JSC::DFG::SpeculativeJIT::speculateFunction):
(JSC::DFG::SpeculativeJIT::speculateFinalObject):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::isFunction):
(JSC::FTL::LowerDFGToLLVM::isNotFunction):
(JSC::FTL::LowerDFGToLLVM::speculateFunction):
* jit/ClosureCallStubRoutine.cpp:
(JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
(JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
* jit/ClosureCallStubRoutine.h:
(JSC::ClosureCallStubRoutine::structure): Deleted.
* jit/JIT.h:
(JSC::JIT::compileClosureCall): Deleted.
* jit/JITCall.cpp:
(JSC::JIT::privateCompileClosureCall): Deleted.
* jit/JITCall32_64.cpp:
(JSC::JIT::privateCompileClosureCall): Deleted.
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
(JSC::linkClosureCall):
* jit/Repatch.h:
Source/WebCore:
2014-08-06 Mark Hahnenberg <mhahnenberg@apple.com>
Refactor our current implementation of for-in
https://bugs.webkit.org/show_bug.cgi?id=134142
Reviewed by Filip Pizlo.
No new tests.
This patch splits for-in loops into three distinct parts:
- Iterating over the indexed properties in the base object.
- Iterating over the Structure properties in the base object.
- Iterating over any other enumerable properties for that object and any objects in the prototype chain.
It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
support the various operations required for each loop.
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getEnumerableLength):
(WebCore::JSDOMWindow::getStructurePropertyNames):
(WebCore::JSDOMWindow::getGenericPropertyNames):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
* bridge/runtime_array.cpp:
(JSC::RuntimeArray::getOwnPropertyNames):
Source/WebKit2:
2014-08-06 Mark Hahnenberg <mhahnenberg@apple.com>
Refactor our current implementation of for-in
https://bugs.webkit.org/show_bug.cgi?id=134142
Reviewed by Filip Pizlo.
* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::invalidate): Fixed an invalid ASSERT that was crashing in debug builds.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreAPIJSCallbackObjectFunctionsh">trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCoreorder">trunk/Source/JavaScriptCore/JavaScriptCore.order</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj">trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxprojfilters">trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeBasicBlockcpp">trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeListjson">trunk/Source/JavaScriptCore/bytecode/BytecodeList.json</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeUseDefh">trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCallLinkInfocpp">trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCallLinkStatuscpp">trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCallLinkStatush">trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockh">trunk/Source/JavaScriptCore/bytecode/CodeBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePreciseJumpTargetscpp">trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeTypeLocationh">trunk/Source/JavaScriptCore/bytecode/TypeLocation.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockh">trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerNodesCodegencpp">trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredebuggerDebuggerScopeh">trunk/Source/JavaScriptCore/debugger/DebuggerScope.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractHeaph">trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCapabilitiescpp">trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDCEPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGEdgecpp">trunk/Source/JavaScriptCore/dfg/DFGEdge.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGEdgeh">trunk/Source/JavaScriptCore/dfg/DFGEdge.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphcpp">trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationcpp">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationh">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeFlagsh">trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPhantomRemovalPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPhantomRemovalPhaseh">trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPlancpp">trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSSALoweringPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGUseKindcpp">trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGUseKindh">trunk/Source/JavaScriptCore/dfg/DFGUseKind.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositorycpp">trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh">trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLIntrinsicRepositoryh">trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapcpp">trunk/Source/JavaScriptCore/heap/Heap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectoragentsInspectorRuntimeAgentcpp">trunk/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectoragentsInspectorRuntimeAgenth">trunk/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectorprotocolRuntimejson">trunk/Source/JavaScriptCore/inspector/protocol/Runtime.json</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpretercpp">trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterRegisterh">trunk/Source/JavaScriptCore/interpreter/Register.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitClosureCallStubRoutinecpp">trunk/Source/JavaScriptCore/jit/ClosureCallStubRoutine.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitClosureCallStubRoutineh">trunk/Source/JavaScriptCore/jit/ClosureCallStubRoutine.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITcpp">trunk/Source/JavaScriptCore/jit/JIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITh">trunk/Source/JavaScriptCore/jit/JIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITCallcpp">trunk/Source/JavaScriptCore/jit/JITCall.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITCall32_64cpp">trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITInlinesh">trunk/Source/JavaScriptCore/jit/JITInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationsh">trunk/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccesscpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitRepatchcpp">trunk/Source/JavaScriptCore/jit/Repatch.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitRepatchh">trunk/Source/JavaScriptCore/jit/Repatch.h</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntOffsetsExtractorcpp">trunk/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathscpp">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathsh">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreterasm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserNodesh">trunk/Source/JavaScriptCore/parser/Nodes.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArgumentscpp">trunk/Source/JavaScriptCore/runtime/Arguments.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeClassInfoh">trunk/Source/JavaScriptCore/runtime/ClassInfo.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathsh">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExecutablecpp">trunk/Source/JavaScriptCore/runtime/Executable.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExecutableh">trunk/Source/JavaScriptCore/runtime/Executable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeHighFidelityLogcpp">trunk/Source/JavaScriptCore/runtime/HighFidelityLog.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeHighFidelityLogh">trunk/Source/JavaScriptCore/runtime/HighFidelityLog.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeHighFidelityTypeProfilercpp">trunk/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeHighFidelityTypeProfilerh">trunk/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSActivationcpp">trunk/Source/JavaScriptCore/runtime/JSActivation.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArraycpp">trunk/Source/JavaScriptCore/runtime/JSArray.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBuffercpp">trunk/Source/JavaScriptCore/runtime/JSArrayBuffer.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferViewcpp">trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellcpp">trunk/Source/JavaScriptCore/runtime/JSCell.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellh">trunk/Source/JavaScriptCore/runtime/JSCell.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctioncpp">trunk/Source/JavaScriptCore/runtime/JSFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjectcpp">trunk/Source/JavaScriptCore/runtime/JSObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjecth">trunk/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSProxycpp">trunk/Source/JavaScriptCore/runtime/JSProxy.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSProxyh">trunk/Source/JavaScriptCore/runtime/JSProxy.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSymbolTableObjectcpp">trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimePropertyNameArraycpp">trunk/Source/JavaScriptCore/runtime/PropertyNameArray.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimePropertyNameArrayh">trunk/Source/JavaScriptCore/runtime/PropertyNameArray.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpObjectcpp">trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpObjecth">trunk/Source/JavaScriptCore/runtime/RegExpObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStringObjectcpp">trunk/Source/JavaScriptCore/runtime/StringObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructurecpp">trunk/Source/JavaScriptCore/runtime/Structure.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureh">trunk/Source/JavaScriptCore/runtime/Structure.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureInlinesh">trunk/Source/JavaScriptCore/runtime/StructureInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureRareDatacpp">trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureRareDatah">trunk/Source/JavaScriptCore/runtime/StructureRareData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSymbolTablecpp">trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSymbolTableh">trunk/Source/JavaScriptCore/runtime/SymbolTable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTypeSetcpp">trunk/Source/JavaScriptCore/runtime/TypeSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTypeSeth">trunk/Source/JavaScriptCore/runtime/TypeSet.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMcpp">trunk/Source/JavaScriptCore/runtime/VM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMh">trunk/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMWindowCustomcpp">trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm">trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm</a></li>
<li><a href="#trunkSourceWebCorebridgeruntime_arraycpp">trunk/Source/WebCore/bridge/runtime_array.cpp</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2WebProcessPluginsNetscapeJSNPObjectcpp">trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPhantomCanonicalizationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPhantomCanonicalizationPhaseh">trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeEnumerationModeh">trunk/Source/JavaScriptCore/runtime/EnumerationMode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionHasExecutedCachecpp">trunk/Source/JavaScriptCore/runtime/FunctionHasExecutedCache.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionHasExecutedCacheh">trunk/Source/JavaScriptCore/runtime/FunctionHasExecutedCache.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorcpp">trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorh">trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTypeLocationCachecpp">trunk/Source/JavaScriptCore/runtime/TypeLocationCache.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTypeLocationCacheh">trunk/Source/JavaScriptCore/runtime/TypeLocationCache.h</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressforincapturestringloopvarjs">trunk/Source/JavaScriptCore/tests/stress/for-in-capture-string-loop-var.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressforindeleteduringiterationjs">trunk/Source/JavaScriptCore/tests/stress/for-in-delete-during-iteration.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressforinmodifyintloopvarjs">trunk/Source/JavaScriptCore/tests/stress/for-in-modify-int-loop-var.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressforinmodifystringloopvarjs">trunk/Source/JavaScriptCore/tests/stress/for-in-modify-string-loop-var.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressforinprototypejs">trunk/Source/JavaScriptCore/tests/stress/for-in-prototype.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressforinshadowprototypepropertyjs">trunk/Source/JavaScriptCore/tests/stress/for-in-shadow-prototype-property.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressforinstringjs">trunk/Source/JavaScriptCore/tests/stress/for-in-string.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressforintestsjs">trunk/Source/JavaScriptCore/tests/stress/for-in-tests.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressforintypedarrayjs">trunk/Source/JavaScriptCore/tests/stress/for-in-typed-array.js</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPropertyNameIteratorcpp">trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPropertyNameIteratorh">trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreAPIJSCallbackObjectFunctionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -516,7 +516,7 @@
</span><span class="cx"> for (iterator it = staticValues->begin(); it != end; ++it) {
</span><span class="cx"> StringImpl* name = it->key.get();
</span><span class="cx"> StaticValueEntry* entry = it->value.get();
</span><del>- if (entry->getProperty && (!(entry->attributes & kJSPropertyAttributeDontEnum) || (mode == IncludeDontEnumProperties)))
</del><ins>+ if (entry->getProperty && (!(entry->attributes & kJSPropertyAttributeDontEnum) || shouldIncludeDontEnumProperties(mode)))
</ins><span class="cx"> propertyNames.add(Identifier(exec, name));
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="lines">@@ -527,7 +527,7 @@
</span><span class="cx"> for (iterator it = staticFunctions->begin(); it != end; ++it) {
</span><span class="cx"> StringImpl* name = it->key.get();
</span><span class="cx"> StaticFunctionEntry* entry = it->value.get();
</span><del>- if (!(entry->attributes & kJSPropertyAttributeDontEnum) || (mode == IncludeDontEnumProperties))
</del><ins>+ if (!(entry->attributes & kJSPropertyAttributeDontEnum) || shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> propertyNames.add(Identifier(exec, name));
</span><span class="cx"> }
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -186,6 +186,7 @@
</span><span class="cx"> dfg/DFGOSRExitJumpPlaceholder.cpp
</span><span class="cx"> dfg/DFGOSRExitPreparation.cpp
</span><span class="cx"> dfg/DFGOperations.cpp
</span><ins>+ dfg/DFGPhantomCanonicalizationPhase.cpp
</ins><span class="cx"> dfg/DFGPhantomRemovalPhase.cpp
</span><span class="cx"> dfg/DFGPhase.cpp
</span><span class="cx"> dfg/DFGPlan.cpp
</span><span class="lines">@@ -451,7 +452,6 @@
</span><span class="cx"> runtime/JSPromiseFunctions.cpp
</span><span class="cx"> runtime/JSPromiseReaction.cpp
</span><span class="cx"> runtime/JSPromisePrototype.cpp
</span><del>- runtime/JSPropertyNameIterator.cpp
</del><span class="cx"> runtime/JSProxy.cpp
</span><span class="cx"> runtime/JSScope.cpp
</span><span class="cx"> runtime/JSSegmentedVariableObject.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/ChangeLog 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,3 +1,725 @@
</span><ins>+2014-08-06 Filip Pizlo <fpizlo@apple.com>
+
+ Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.
+
+ 2014-07-28 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Support for-in in the FTL
+ https://bugs.webkit.org/show_bug.cgi?id=134140
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::handleNode):
+ * ftl/FTLAbstractHeapRepository.cpp:
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
+ (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
+ (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
+ (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
+ (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
+ (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
+ (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
+ (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
+ (JSC::FTL::LowerDFGToLLVM::compileToIndexString):
+
+ 2014-07-25 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Remove JSPropertyNameIterator
+ https://bugs.webkit.org/show_bug.cgi?id=135066
+
+ Reviewed by Geoffrey Garen.
+
+ It has been replaced by JSPropertyNameEnumerator.
+
+ * JavaScriptCore.order:
+ * bytecode/BytecodeBasicBlock.cpp:
+ (JSC::isBranch):
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ * bytecode/PreciseJumpTargets.cpp:
+ (JSC::getJumpTargetsForBytecodeOffset):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
+ (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ * interpreter/Interpreter.cpp:
+ * interpreter/Register.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_get_pnames): Deleted.
+ (JSC::JIT::emit_op_next_pname): Deleted.
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_get_pnames): Deleted.
+ (JSC::JIT::emit_op_next_pname): Deleted.
+ * jit/JITOperations.cpp:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_pname): Deleted.
+ (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_pname): Deleted.
+ (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
+ * llint/LLIntOffsetsExtractor.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CommonSlowPaths.cpp:
+ * runtime/JSPropertyNameIterator.cpp:
+ (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
+ (JSC::JSPropertyNameIterator::create): Deleted.
+ (JSC::JSPropertyNameIterator::destroy): Deleted.
+ (JSC::JSPropertyNameIterator::get): Deleted.
+ (JSC::JSPropertyNameIterator::visitChildren): Deleted.
+ * runtime/JSPropertyNameIterator.h:
+ (JSC::JSPropertyNameIterator::createStructure): Deleted.
+ (JSC::JSPropertyNameIterator::size): Deleted.
+ (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
+ (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
+ (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
+ (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
+ (JSC::JSPropertyNameIterator::finishCreation): Deleted.
+ (JSC::Register::propertyNameIterator): Deleted.
+ (JSC::StructureRareData::enumerationCache): Deleted.
+ (JSC::StructureRareData::setEnumerationCache): Deleted.
+ * runtime/Structure.cpp:
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::removePropertyWithoutTransition):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::setEnumerationCache): Deleted.
+ (JSC::Structure::enumerationCache): Deleted.
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::visitChildren):
+ * runtime/StructureRareData.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+
+ 2014-07-25 Saam Barati <sbarati@apple.com>
+
+ Fix 32-bit build breakage for type profiling
+ https://bugs.webkit.org/process_bug.cgi
+
+ Reviewed by Mark Hahnenberg.
+
+ 32-bit builds currently break because global variable IDs for high
+ fidelity type profiling are int64_t. Change this to intptr_t so that
+ it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::scopeDependentProfile):
+ * bytecode/TypeLocation.h:
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::uniqueIDForVariable):
+ (JSC::SymbolTable::uniqueIDForRegister):
+ * runtime/SymbolTable.h:
+ * runtime/TypeLocationCache.cpp:
+ (JSC::TypeLocationCache::getTypeLocation):
+ * runtime/TypeLocationCache.h:
+ * runtime/VM.h:
+ (JSC::VM::getNextUniqueVariableID):
+
+ 2014-07-25 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Reindent PropertyNameArray.h
+ https://bugs.webkit.org/show_bug.cgi?id=135067
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/PropertyNameArray.h:
+ (JSC::RefCountedIdentifierSet::contains):
+ (JSC::RefCountedIdentifierSet::size):
+ (JSC::RefCountedIdentifierSet::add):
+ (JSC::PropertyNameArrayData::create):
+ (JSC::PropertyNameArrayData::propertyNameVector):
+ (JSC::PropertyNameArrayData::PropertyNameArrayData):
+ (JSC::PropertyNameArray::PropertyNameArray):
+ (JSC::PropertyNameArray::vm):
+ (JSC::PropertyNameArray::add):
+ (JSC::PropertyNameArray::addKnownUnique):
+ (JSC::PropertyNameArray::operator[]):
+ (JSC::PropertyNameArray::setData):
+ (JSC::PropertyNameArray::data):
+ (JSC::PropertyNameArray::releaseData):
+ (JSC::PropertyNameArray::identifierSet):
+ (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
+ (JSC::PropertyNameArray::size):
+ (JSC::PropertyNameArray::begin):
+ (JSC::PropertyNameArray::end):
+ (JSC::PropertyNameArray::numCacheableSlots):
+ (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
+ (JSC::PropertyNameArray::setBaseObject):
+ (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
+
+ 2014-07-23 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Refactor our current implementation of for-in
+ https://bugs.webkit.org/show_bug.cgi?id=134142
+
+ Reviewed by Filip Pizlo.
+
+ This patch splits for-in loops into three distinct parts:
+
+ - Iterating over the indexed properties in the base object.
+ - Iterating over the Structure properties in the base object.
+ - Iterating over any other enumerable properties for that object and any objects in the prototype chain.
+
+ It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
+ support the various operations required for each loop.
+
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CallLinkStatus.h:
+ (JSC::CallLinkStatus::CallLinkStatus):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitGetByVal):
+ (JSC::BytecodeGenerator::emitComplexPopScopes):
+ (JSC::BytecodeGenerator::emitGetEnumerableLength):
+ (JSC::BytecodeGenerator::emitHasGenericProperty):
+ (JSC::BytecodeGenerator::emitHasIndexedProperty):
+ (JSC::BytecodeGenerator::emitHasStructureProperty):
+ (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
+ (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
+ (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
+ (JSC::BytecodeGenerator::emitToIndexString):
+ (JSC::BytecodeGenerator::pushIndexedForInScope):
+ (JSC::BytecodeGenerator::popIndexedForInScope):
+ (JSC::BytecodeGenerator::pushStructureForInScope):
+ (JSC::BytecodeGenerator::popStructureForInScope):
+ (JSC::BytecodeGenerator::invalidateForInContextForLocal):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::ForInContext::ForInContext):
+ (JSC::ForInContext::~ForInContext):
+ (JSC::ForInContext::isValid):
+ (JSC::ForInContext::invalidate):
+ (JSC::ForInContext::local):
+ (JSC::StructureForInContext::StructureForInContext):
+ (JSC::StructureForInContext::type):
+ (JSC::StructureForInContext::index):
+ (JSC::StructureForInContext::property):
+ (JSC::StructureForInContext::enumerator):
+ (JSC::IndexedForInContext::IndexedForInContext):
+ (JSC::IndexedForInContext::type):
+ (JSC::IndexedForInContext::index):
+ (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
+ (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ForInNode::tryGetBoundLocal):
+ (JSC::ForInNode::emitLoopHeader):
+ (JSC::ForInNode::emitMultiLoopBytecode):
+ (JSC::ForInNode::emitBytecode):
+ * debugger/DebuggerScope.h:
+ * dfg/DFGAbstractHeap.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction):
+ (JSC::DFG::Node::hasArrayMode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ (JSC::JIT::compileHasIndexedProperty):
+ (JSC::JIT::emitInt32Load):
+ * jit/JITInlines.h:
+ (JSC::JIT::emitDoubleGetByVal):
+ (JSC::JIT::emitLoadForArrayMode):
+ (JSC::JIT::emitContiguousGetByVal):
+ (JSC::JIT::emitArrayStorageGetByVal):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_get_enumerable_length):
+ (JSC::JIT::emit_op_has_structure_property):
+ (JSC::JIT::emitSlow_op_has_structure_property):
+ (JSC::JIT::emit_op_has_generic_property):
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ (JSC::JIT::emit_op_has_indexed_property):
+ (JSC::JIT::emitSlow_op_has_indexed_property):
+ (JSC::JIT::emit_op_get_direct_pname):
+ (JSC::JIT::emitSlow_op_get_direct_pname):
+ (JSC::JIT::emit_op_get_structure_property_enumerator):
+ (JSC::JIT::emit_op_get_generic_property_enumerator):
+ (JSC::JIT::emit_op_next_enumerator_pname):
+ (JSC::JIT::emit_op_to_index_string):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_get_enumerable_length):
+ (JSC::JIT::emit_op_has_structure_property):
+ (JSC::JIT::emitSlow_op_has_structure_property):
+ (JSC::JIT::emit_op_has_generic_property):
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ (JSC::JIT::emit_op_has_indexed_property):
+ (JSC::JIT::emitSlow_op_has_indexed_property):
+ (JSC::JIT::emit_op_get_direct_pname):
+ (JSC::JIT::emitSlow_op_get_direct_pname):
+ (JSC::JIT::emit_op_get_structure_property_enumerator):
+ (JSC::JIT::emit_op_get_generic_property_enumerator):
+ (JSC::JIT::emit_op_next_enumerator_pname):
+ (JSC::JIT::emit_op_to_index_string):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitContiguousLoad):
+ (JSC::JIT::emitArrayStorageLoad):
+ (JSC::JIT::emitDoubleGetByVal): Deleted.
+ (JSC::JIT::emitContiguousGetByVal): Deleted.
+ (JSC::JIT::emitArrayStorageGetByVal): Deleted.
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitContiguousLoad):
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitArrayStorageLoad):
+ (JSC::JIT::emitContiguousGetByVal): Deleted.
+ (JSC::JIT::emitDoubleGetByVal): Deleted.
+ (JSC::JIT::emitArrayStorageGetByVal): Deleted.
+ * llint/LowLevelInterpreter.asm:
+ * parser/Nodes.h:
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::getOwnPropertyNames):
+ * runtime/ClassInfo.h:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ * runtime/EnumerationMode.h: Added.
+ (JSC::shouldIncludeDontEnumProperties):
+ (JSC::shouldExcludeDontEnumProperties):
+ (JSC::shouldIncludeJSObjectPropertyNames):
+ (JSC::modeThatSkipsJSObject):
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::getOwnNonIndexPropertyNames):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::getOwnNonIndexPropertyNames):
+ * runtime/JSArrayBuffer.cpp:
+ (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
+ * runtime/JSCell.cpp:
+ (JSC::JSCell::getEnumerableLength):
+ (JSC::JSCell::getStructurePropertyNames):
+ (JSC::JSCell::getGenericPropertyNames):
+ * runtime/JSCell.h:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::getOwnNonIndexPropertyNames):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
+ * runtime/JSObject.cpp:
+ (JSC::getClassPropertyNames):
+ (JSC::JSObject::hasOwnProperty):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::getOwnNonIndexPropertyNames):
+ (JSC::JSObject::getEnumerableLength):
+ (JSC::JSObject::getStructurePropertyNames):
+ (JSC::JSObject::getGenericPropertyNames):
+ * runtime/JSObject.h:
+ * runtime/JSPropertyNameEnumerator.cpp: Added.
+ (JSC::JSPropertyNameEnumerator::create):
+ (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
+ (JSC::JSPropertyNameEnumerator::finishCreation):
+ (JSC::JSPropertyNameEnumerator::destroy):
+ (JSC::JSPropertyNameEnumerator::visitChildren):
+ * runtime/JSPropertyNameEnumerator.h: Added.
+ (JSC::JSPropertyNameEnumerator::createStructure):
+ (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
+ (JSC::JSPropertyNameEnumerator::identifierSet):
+ (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
+ (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
+ (JSC::JSPropertyNameEnumerator::cachedStructure):
+ (JSC::JSPropertyNameEnumerator::cachedStructureID):
+ (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
+ (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
+ (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
+ (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
+ (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
+ (JSC::structurePropertyNameEnumerator):
+ (JSC::genericPropertyNameEnumerator):
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::getEnumerableLength):
+ (JSC::JSProxy::getStructurePropertyNames):
+ (JSC::JSProxy::getGenericPropertyNames):
+ * runtime/JSProxy.h:
+ * runtime/JSSymbolTableObject.cpp:
+ (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
+ * runtime/PropertyNameArray.cpp:
+ (JSC::PropertyNameArray::add):
+ (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
+ * runtime/PropertyNameArray.h:
+ (JSC::RefCountedIdentifierSet::contains):
+ (JSC::RefCountedIdentifierSet::size):
+ (JSC::RefCountedIdentifierSet::add):
+ (JSC::PropertyNameArray::PropertyNameArray):
+ (JSC::PropertyNameArray::add):
+ (JSC::PropertyNameArray::addKnownUnique):
+ (JSC::PropertyNameArray::identifierSet):
+ (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
+ (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
+ * runtime/RegExpObject.cpp:
+ (JSC::RegExpObject::getOwnNonIndexPropertyNames):
+ (JSC::RegExpObject::getPropertyNames):
+ (JSC::RegExpObject::getGenericPropertyNames):
+ * runtime/RegExpObject.h:
+ * runtime/StringObject.cpp:
+ (JSC::StringObject::getOwnPropertyNames):
+ * runtime/Structure.cpp:
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::setCachedStructurePropertyNameEnumerator):
+ (JSC::Structure::cachedStructurePropertyNameEnumerator):
+ (JSC::Structure::setCachedGenericPropertyNameEnumerator):
+ (JSC::Structure::cachedGenericPropertyNameEnumerator):
+ (JSC::Structure::canCacheStructurePropertyNameEnumerator):
+ (JSC::Structure::canCacheGenericPropertyNameEnumerator):
+ (JSC::Structure::canAccessPropertiesQuickly):
+ * runtime/Structure.h:
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::visitChildren):
+ (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
+ (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
+ (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
+ (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
+ * runtime/StructureRareData.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+ 2014-07-23 Saam Barati <sbarati@apple.com>
+
+ Make improvements to Type Profiling
+ https://bugs.webkit.org/show_bug.cgi?id=134860
+
+ Reviewed by Filip Pizlo.
+
+ I improved the API between the inspector and JSC. We no longer send one huge
+ string to the inspector. We now send structured data that represents the type
+ information that JSC has collected. I've also created a beginning implementation
+ of a type lattice that allows us to resolve a display name for a type that
+ consists of a single word.
+
+ I created a data structure that knows which functions have executed. This
+ solves the bug where types inside an un-executed function will resolve
+ to the type of the enclosing expression of that function. This data
+ structure may also be useful later if the inspector chooses to create a UI
+ around showing which functions have executed.
+
+ Better type information is gathered for objects. StructureShape now
+ represents an object's prototype chain. StructureShape also collects
+ the constructor name for an object.
+
+ Expression ranges are now zero indexed.
+
+ Removed some extraneous methods.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::scopeDependentProfile):
+ * bytecode/CodeBlock.h:
+ * bytecode/TypeLocation.h:
+ (JSC::TypeLocation::TypeLocation):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
+ (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
+ * heap/Heap.cpp:
+ (JSC::Heap::collect):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/protocol/Runtime.json:
+ * runtime/Executable.cpp:
+ (JSC::ScriptExecutable::ScriptExecutable):
+ (JSC::ProgramExecutable::ProgramExecutable):
+ (JSC::FunctionExecutable::FunctionExecutable):
+ (JSC::ProgramExecutable::initializeGlobalProperties):
+ * runtime/Executable.h:
+ (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
+ (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
+ * runtime/FunctionHasExecutedCache.cpp: Added.
+ (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
+ (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
+ (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
+ * runtime/FunctionHasExecutedCache.h: Added.
+ (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
+ (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
+ (JSC::FunctionHasExecutedCache::FunctionRange::hash):
+ * runtime/HighFidelityLog.cpp:
+ (JSC::HighFidelityLog::processHighFidelityLog):
+ (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
+ * runtime/HighFidelityLog.h:
+ (JSC::HighFidelityLog::recordTypeInformationForLocation):
+ * runtime/HighFidelityTypeProfiler.cpp:
+ (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
+ (JSC::HighFidelityTypeProfiler::insertNewLocation):
+ (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
+ (JSC::descriptorMatchesTypeLocation):
+ (JSC::HighFidelityTypeProfiler::findLocation):
+ (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
+ (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
+ (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
+ * runtime/HighFidelityTypeProfiler.h:
+ (JSC::QueryKey::QueryKey):
+ (JSC::QueryKey::isHashTableDeletedValue):
+ (JSC::QueryKey::operator==):
+ (JSC::QueryKey::hash):
+ (JSC::QueryKeyHash::hash):
+ (JSC::QueryKeyHash::equal):
+ (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
+ (JSC::HighFidelityTypeProfiler::typeLocationCache):
+ * runtime/Structure.cpp:
+ (JSC::Structure::toStructureShape):
+ * runtime/Structure.h:
+ * runtime/TypeLocationCache.cpp: Added.
+ (JSC::TypeLocationCache::getTypeLocation):
+ * runtime/TypeLocationCache.h: Added.
+ (JSC::TypeLocationCache::LocationKey::LocationKey):
+ (JSC::TypeLocationCache::LocationKey::operator==):
+ (JSC::TypeLocationCache::LocationKey::hash):
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::getRuntimeTypeForValue):
+ (JSC::TypeSet::addTypeForValue):
+ (JSC::TypeSet::seenTypes):
+ (JSC::TypeSet::doesTypeConformTo):
+ (JSC::TypeSet::displayName):
+ (JSC::TypeSet::allPrimitiveTypeNames):
+ (JSC::TypeSet::allStructureRepresentations):
+ (JSC::TypeSet::leastCommonAncestor):
+ (JSC::StructureShape::StructureShape):
+ (JSC::StructureShape::addProperty):
+ (JSC::StructureShape::propertyHash):
+ (JSC::StructureShape::leastCommonAncestor):
+ (JSC::StructureShape::stringRepresentation):
+ (JSC::StructureShape::inspectorRepresentation):
+ (JSC::StructureShape::leastUpperBound): Deleted.
+ * runtime/TypeSet.h:
+ (JSC::StructureShape::setConstructorName):
+ (JSC::StructureShape::constructorName):
+ (JSC::StructureShape::setProto):
+ * runtime/VM.cpp:
+ (JSC::VM::dumpHighFidelityProfilingTypes):
+ (JSC::VM::getTypesForVariableAtOffset): Deleted.
+ (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
+ * runtime/VM.h:
+ (JSC::VM::isProfilingTypesWithHighFidelity):
+ (JSC::VM::highFidelityTypeProfiler):
+
+ 2014-07-23 Filip Pizlo <fpizlo@apple.com>
+
+ Fix debug build.
+
+ * bytecode/CallLinkStatus.h:
+ (JSC::CallLinkStatus::CallLinkStatus):
+
+ 2014-07-20 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Phantoms in SSA form should be aggressively hoisted
+ https://bugs.webkit.org/show_bug.cgi?id=135111
+
+ Reviewed by Oliver Hunt.
+
+ In CPS form, Phantom means three things: (1) that the children should be kept alive so long
+ as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
+ at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
+ second meaning is not used but the other two stay.
+
+ The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
+ even in a totally different basic block, complicates some SSA transformations. It's not
+ possible to just jettison some successor, since tha successor could have a Phantom that we
+ care about.
+
+ This change rationalizes how Phantoms work so that:
+
+ 1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
+ in both CPS and SSA. This was true before and it's true now.
+
+ 2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
+ now, except that now we also don't bother preserving the live-in-bytecode information
+ that Phantoms convey, when we are in SSA.
+
+ 3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
+ use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
+ Phantom.
+
+ The biggest part of this change is that in SSA, we canonicalize Phantoms:
+
+ - All Phantoms are replaced with Check nodes that include only those edges that have
+ checks.
+
+ - Nodes that were the children of any Phantoms have a Phantom right after them.
+
+ For example, the following code:
+
+ 5: ArithAdd(@1, @2)
+ 6: ArithSub(@5, @3)
+ 7: Phantom(Int32:@5)
+
+ would be turned into the following:
+
+ 5: ArithAdd(@1, @2)
+ 8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
+ // @5. This is the only Phantom we will have for @5.
+ 6: ArithSub(@5, @3)
+ 7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
+ // a checking edge, we leave it.
+
+ This is a slight speed-up across the board, presumably because we now do a better job of
+ reducing the size of the graph during compilation. It could also be a fluke, though. The
+ main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
+ become a requirement to run phantom canonicalization prior to some SSA phases. None of the
+ current phases need it, but future phases probably will.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+ (JSC::DFG::DCEPhase::findTypeCheckRoot):
+ (JSC::DFG::DCEPhase::countEdge):
+ (JSC::DFG::DCEPhase::fixupBlock):
+ (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
+ * dfg/DFGEdge.cpp:
+ (JSC::DFG::Edge::dump):
+ * dfg/DFGEdge.h:
+ (JSC::DFG::Edge::isProved):
+ (JSC::DFG::Edge::needsCheck): Deleted.
+ * dfg/DFGNodeFlags.h:
+ * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
+ (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
+ (JSC::DFG::PhantomCanonicalizationPhase::run):
+ (JSC::DFG::performPhantomCanonicalization):
+ * dfg/DFGPhantomCanonicalizationPhase.h: Added.
+ * dfg/DFGPhantomRemovalPhase.cpp:
+ (JSC::DFG::PhantomRemovalPhase::run):
+ * dfg/DFGPhantomRemovalPhase.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::lowJSValue):
+ (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
+
+ 2014-07-22 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
+ https://bugs.webkit.org/show_bug.cgi?id=135146
+
+ Reviewed by Oliver Hunt.
+
+ This greatly simplifies our closure call optimizations by taking advantage of the type
+ bits available in the cell header.
+
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::visitWeak):
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::CallLinkStatus):
+ (JSC::CallLinkStatus::computeFor):
+ (JSC::CallLinkStatus::dump):
+ * bytecode/CallLinkStatus.h:
+ (JSC::CallLinkStatus::CallLinkStatus):
+ (JSC::CallLinkStatus::executable):
+ (JSC::CallLinkStatus::structure): Deleted.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::observeUseKindOnNode):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
+ (JSC::DFG::SpeculativeJIT::speculateCellType):
+ (JSC::DFG::SpeculativeJIT::speculateFunction):
+ (JSC::DFG::SpeculativeJIT::speculateFinalObject):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::isCell):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
+ (JSC::FTL::LowerDFGToLLVM::speculate):
+ (JSC::FTL::LowerDFGToLLVM::isFunction):
+ (JSC::FTL::LowerDFGToLLVM::isNotFunction):
+ (JSC::FTL::LowerDFGToLLVM::speculateFunction):
+ * jit/ClosureCallStubRoutine.cpp:
+ (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
+ (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
+ * jit/ClosureCallStubRoutine.h:
+ (JSC::ClosureCallStubRoutine::structure): Deleted.
+ * jit/JIT.h:
+ (JSC::JIT::compileClosureCall): Deleted.
+ * jit/JITCall.cpp:
+ (JSC::JIT::privateCompileClosureCall): Deleted.
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::privateCompileClosureCall): Deleted.
+ * jit/JITOperations.cpp:
+ * jit/Repatch.cpp:
+ (JSC::linkClosureCall):
+ * jit/Repatch.h:
+
</ins><span class="cx"> 2014-08-06 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
</span><span class="cx">
</span><span class="cx"> [ARM] Incorrect handling of Unicode characters
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCoreorder"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.order (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.order 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.order 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1354,7 +1354,6 @@
</span><span class="cx"> __ZN3JSC17BytecodeGenerator7emitIncEPNS_10RegisterIDE
</span><span class="cx"> __ZN3JSC14jsIsObjectTypeEPNS_9ExecStateENS_7JSValueE
</span><span class="cx"> __ZN3JSC6JSCell11getCallDataEPS0_RNS_8CallDataE
</span><del>-__ZN3JSC22JSPropertyNameIterator6createEPNS_9ExecStateEPNS_8JSObjectE
</del><span class="cx"> __ZN3JSC8JSObject16getPropertyNamesEPS0_PNS_9ExecStateERNS_17PropertyNameArrayENS_15EnumerationModeE
</span><span class="cx"> __ZN3JSC8JSObject19getOwnPropertyNamesEPS0_PNS_9ExecStateERNS_17PropertyNameArrayENS_15EnumerationModeE
</span><span class="cx"> __ZN3JSC8JSObject27getOwnNonIndexPropertyNamesEPS0_PNS_9ExecStateERNS_17PropertyNameArrayENS_15EnumerationModeE
</span><span class="lines">@@ -1638,13 +1637,10 @@
</span><span class="cx"> __ZN3JSC3JIT17emit_op_loop_hintEPNS_11InstructionE
</span><span class="cx"> __ZN3JSC8Watchdog9isEnabledEv
</span><span class="cx"> __ZN3JSC3JIT16emit_op_jeq_nullEPNS_11InstructionE
</span><del>-__ZN3JSC3JIT18emit_op_get_pnamesEPNS_11InstructionE
</del><span class="cx"> __ZN3JSC3JIT11emit_op_jmpEPNS_11InstructionE
</span><del>-__ZN3JSC3JIT20emit_op_get_by_pnameEPNS_11InstructionE
</del><span class="cx"> __ZN3JSC3JIT22compileGetDirectOffsetENS_12X86Registers10RegisterIDES2_S2_S2_NS0_15FinalObjectModeE
</span><span class="cx"> __ZN3JSC3JIT17emit_op_new_arrayEPNS_11InstructionE
</span><span class="cx"> __ZN3JSC3JIT17emit_op_nstricteqEPNS_11InstructionE
</span><del>-__ZN3JSC3JIT18emit_op_next_pnameEPNS_11InstructionE
</del><span class="cx"> __ZN3JSC3JIT11emit_op_incEPNS_11InstructionE
</span><span class="cx"> __ZN3JSC3JIT13emit_op_jlessEPNS_11InstructionE
</span><span class="cx"> __ZN3JSC3JIT24emitSlow_op_convert_thisEPNS_11InstructionERPNS_13SlowCaseEntryE
</span><span class="lines">@@ -1663,7 +1659,6 @@
</span><span class="cx"> __ZN3JSC12X86Assembler23X86InstructionFormatter11twoByteOp64ENS0_15TwoByteOpcodeIDEiNS_12X86Registers10RegisterIDE
</span><span class="cx"> __ZN3JSC23MacroAssemblerX86Common12branchDoubleENS0_15DoubleConditionENS_12X86Registers13XMMRegisterIDES3_
</span><span class="cx"> __ZN3JSC12X86Assembler23X86InstructionFormatter9twoByteOpENS0_15TwoByteOpcodeIDEiNS_12X86Registers10RegisterIDE
</span><del>-__ZN3JSC3JIT24emitSlow_op_get_by_pnameEPNS_11InstructionERPNS_13SlowCaseEntryE
</del><span class="cx"> __ZN3JSC3JIT21emitSlow_op_nstricteqEPNS_11InstructionERPNS_13SlowCaseEntryE
</span><span class="cx"> __ZN3JSC3JIT15emitSlow_op_incEPNS_11InstructionERPNS_13SlowCaseEntryE
</span><span class="cx"> __ZN3JSC3JIT17emitSlow_op_jlessEPNS_11InstructionERPNS_13SlowCaseEntryE
</span><span class="lines">@@ -1675,7 +1670,6 @@
</span><span class="cx"> _cti_op_stricteq
</span><span class="cx"> _cti_op_jtrue
</span><span class="cx"> _cti_op_is_object
</span><del>-_cti_op_get_pnames
</del><span class="cx"> __ZN3JSC8JSString12toThisObjectEPNS_6JSCellEPNS_9ExecStateE
</span><span class="cx"> __ZN3JSC12StringObjectC1ERNS_2VMEPNS_9StructureE
</span><span class="cx"> __ZNK3JSC6JSCell11toPrimitiveEPNS_9ExecStateENS_22PreferredPrimitiveTypeE
</span><span class="lines">@@ -2622,7 +2616,6 @@
</span><span class="cx"> __ZN3WTF7HashMapImPN3JSC21GCAwareJITStubRoutineENS_7IntHashImEENS_10HashTraitsImEENS6_IS3_EEE4findERKm
</span><span class="cx"> __ZN3JSC13JSFinalObject13visitChildrenEPNS_6JSCellERNS_11SlotVisitorE
</span><span class="cx"> __ZN3JSC17StructureRareData13visitChildrenEPNS_6JSCellERNS_11SlotVisitorE
</span><del>-__ZN3JSC22JSPropertyNameIterator13visitChildrenEPNS_6JSCellERNS_11SlotVisitorE
</del><span class="cx"> __ZN3JSC14StructureChain13visitChildrenEPNS_6JSCellERNS_11SlotVisitorE
</span><span class="cx"> __ZN3JSC14MarkStackArray6expandEv
</span><span class="cx"> __ZN3JSC17ProgramExecutable13visitChildrenEPNS_6JSCellERNS_11SlotVisitorE
</span><span class="lines">@@ -2666,7 +2659,6 @@
</span><span class="cx"> __ZN3JSC17ProgramExecutable7destroyEPNS_6JSCellE
</span><span class="cx"> __ZN3JSC17SharedSymbolTable7destroyEPNS_6JSCellE
</span><span class="cx"> __ZN3JSC10JSFunction7destroyEPNS_6JSCellE
</span><del>-__ZN3JSC22JSPropertyNameIterator7destroyEPNS_6JSCellE
</del><span class="cx"> __ZN3JSC19ResolveGlobalStatus10computeForEPNS_9CodeBlockEiPNS_16ResolveOperationERNS_10IdentifierE
</span><span class="cx"> __ZN3JSC13GetByIdStatus10computeForERNS_2VMEPNS_9StructureERNS_10IdentifierE
</span><span class="cx"> __ZN3JSC3DFG14SpeculativeJIT23emitObjectOrOtherBranchENS0_4EdgeEjj
</span><span class="lines">@@ -4940,7 +4932,6 @@
</span><span class="cx"> _llint_slow_path_del_by_id
</span><span class="cx"> _llint_slow_path_get_by_val
</span><span class="cx"> _llint_slow_path_get_argument_by_val
</span><del>-_llint_slow_path_get_by_pname
</del><span class="cx"> _llint_slow_path_put_by_val
</span><span class="cx"> _llint_slow_path_del_by_val
</span><span class="cx"> _llint_slow_path_put_by_index
</span><span class="lines">@@ -4968,8 +4959,6 @@
</span><span class="cx"> _llint_slow_path_tear_off_arguments
</span><span class="cx"> _llint_slow_path_strcat
</span><span class="cx"> _llint_slow_path_to_primitive
</span><del>-_llint_slow_path_get_pnames
-_llint_slow_path_next_pname
</del><span class="cx"> _llint_slow_path_push_with_scope
</span><span class="cx"> _llint_slow_path_pop_scope
</span><span class="cx"> _llint_slow_path_push_name_scope
</span><span class="lines">@@ -5036,7 +5025,6 @@
</span><span class="cx"> _llint_op_put_by_id_transition_normal_out_of_line
</span><span class="cx"> _llint_op_get_by_val
</span><span class="cx"> _llint_op_get_argument_by_val
</span><del>-_llint_op_get_by_pname
</del><span class="cx"> _llint_op_put_by_val
</span><span class="cx"> _llint_op_jmp
</span><span class="cx"> _llint_op_jeq_null
</span><span class="lines">@@ -5051,7 +5039,6 @@
</span><span class="cx"> _llint_op_call_put_result
</span><span class="cx"> _llint_op_ret_object_or_this
</span><span class="cx"> _llint_op_to_primitive
</span><del>-_llint_op_next_pname
</del><span class="cx"> _llint_op_catch
</span><span class="cx"> _llint_op_get_scoped_var
</span><span class="cx"> _llint_op_put_scoped_var
</span><span class="lines">@@ -5109,7 +5096,6 @@
</span><span class="cx"> _llint_op_call_eval
</span><span class="cx"> _llint_generic_return_point
</span><span class="cx"> _llint_op_strcat
</span><del>-_llint_op_get_pnames
</del><span class="cx"> _llint_op_push_with_scope
</span><span class="cx"> _llint_op_pop_scope
</span><span class="cx"> _llint_op_push_name_scope
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -433,6 +433,7 @@
</span><span class="cx"> <ClCompile Include="..\dfg\DFGOSRExitCompilerCommon.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGOSRExitJumpPlaceholder.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGOSRExitPreparation.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGPhantomCanonicalizationPhase.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGPhantomRemovalPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGPlan.cpp" />
</span><span class="lines">@@ -726,7 +727,6 @@
</span><span class="cx"> <ClCompile Include="..\runtime\JSPromiseFunctions.cpp" />
</span><span class="cx"> <ClCompile Include="..\runtime\JSPromiseReaction.cpp" />
</span><span class="cx"> <ClCompile Include="..\runtime\JSPromisePrototype.cpp" />
</span><del>- <ClCompile Include="..\runtime\JSPropertyNameIterator.cpp" />
</del><span class="cx"> <ClCompile Include="..\runtime\JSProxy.cpp" />
</span><span class="cx"> <ClCompile Include="..\runtime\JSScope.cpp" />
</span><span class="cx"> <ClCompile Include="..\runtime\JSSegmentedVariableObject.cpp" />
</span><span class="lines">@@ -1063,6 +1063,7 @@
</span><span class="cx"> <ClInclude Include="..\dfg\DFGOSRExitCompilerCommon.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGOSRExitJumpPlaceholder.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGOSRExitPreparation.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGPhantomCanonicalizationPhase.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGPhantomRemovalPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGPlan.h" />
</span><span class="lines">@@ -1479,7 +1480,6 @@
</span><span class="cx"> <ClInclude Include="..\runtime\JSPromiseFunctions.h" />
</span><span class="cx"> <ClInclude Include="..\runtime\JSPromiseReaction.h" />
</span><span class="cx"> <ClInclude Include="..\runtime\JSPromisePrototype.h" />
</span><del>- <ClInclude Include="..\runtime\JSPropertyNameIterator.h" />
</del><span class="cx"> <ClInclude Include="..\runtime\JSProxy.h" />
</span><span class="cx"> <ClInclude Include="..\runtime\JSScope.h" />
</span><span class="cx"> <ClInclude Include="..\runtime\JSSegmentedVariableObject.h" />
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxprojfilters"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -657,9 +657,6 @@
</span><span class="cx"> <ClCompile Include="..\runtime\JSONObject.cpp">
</span><span class="cx"> <Filter>runtime</Filter>
</span><span class="cx"> </ClCompile>
</span><del>- <ClCompile Include="..\runtime\JSPropertyNameIterator.cpp">
- <Filter>runtime</Filter>
- </ClCompile>
</del><span class="cx"> <ClCompile Include="..\runtime\JSProxy.cpp">
</span><span class="cx"> <Filter>runtime</Filter>
</span><span class="cx"> </ClCompile>
</span><span class="lines">@@ -2546,9 +2543,6 @@
</span><span class="cx"> <ClInclude Include="..\runtime\JSONObject.h">
</span><span class="cx"> <Filter>runtime</Filter>
</span><span class="cx"> </ClInclude>
</span><del>- <ClInclude Include="..\runtime\JSPropertyNameIterator.h">
- <Filter>runtime</Filter>
- </ClInclude>
</del><span class="cx"> <ClInclude Include="..\runtime\JSProxy.h">
</span><span class="cx"> <Filter>runtime</Filter>
</span><span class="cx"> </ClInclude>
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -373,6 +373,8 @@
</span><span class="cx"> 0F7700921402FF3C0078EB39 /* SamplingCounter.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F7700911402FF280078EB39 /* SamplingCounter.cpp */; };
</span><span class="cx"> 0F7B294B14C3CD2F007C3DB1 /* DFGCapabilities.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FD82E1F14172C2F00179C94 /* DFGCapabilities.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F7B294D14C3CD4C007C3DB1 /* DFGCommon.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FC0977E1469EBC400CF2442 /* DFGCommon.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 0F7B3661197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F7B365F197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.cpp */; };
+ 0F7B3662197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7B3660197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F8023EA1613832B00A0BA45 /* ByValInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8023E91613832300A0BA45 /* ByValInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F8335B71639C1E6001443B5 /* ArrayAllocationProfile.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F8335B41639C1E3001443B5 /* ArrayAllocationProfile.cpp */; };
</span><span class="cx"> 0F8335B81639C1EA001443B5 /* ArrayAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8335B51639C1E3001443B5 /* ArrayAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -825,6 +827,8 @@
</span><span class="cx"> 1CAA9A2318F4A220000A369D /* JSGlobalObjectProfilerAgent.h in Headers */ = {isa = PBXBuildFile; fileRef = 1CAA9A2118F4A220000A369D /* JSGlobalObjectProfilerAgent.h */; };
</span><span class="cx"> 2600B5A6152BAAA70091EE5F /* JSStringJoiner.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2600B5A4152BAAA70091EE5F /* JSStringJoiner.cpp */; };
</span><span class="cx"> 2600B5A7152BAAA70091EE5F /* JSStringJoiner.h in Headers */ = {isa = PBXBuildFile; fileRef = 2600B5A5152BAAA70091EE5F /* JSStringJoiner.h */; };
</span><ins>+ 2A05ABD51961DF2400341750 /* JSPropertyNameEnumerator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A05ABD31961DF2400341750 /* JSPropertyNameEnumerator.cpp */; };
+ 2A05ABD61961DF2400341750 /* JSPropertyNameEnumerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A05ABD41961DF2400341750 /* JSPropertyNameEnumerator.h */; };
</ins><span class="cx"> 2A111245192FCE79005EE18D /* CustomGetterSetter.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A111243192FCE79005EE18D /* CustomGetterSetter.cpp */; };
</span><span class="cx"> 2A111246192FCE79005EE18D /* CustomGetterSetter.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A111244192FCE79005EE18D /* CustomGetterSetter.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 2A2825D018341F2D0087FBA9 /* DelayedReleaseScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A2825CF18341F2D0087FBA9 /* DelayedReleaseScope.h */; };
</span><span class="lines">@@ -850,6 +854,7 @@
</span><span class="cx"> 2AC922BC18A16182003CE0FB /* FTLDWARFDebugLineInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AC922BA18A16182003CE0FB /* FTLDWARFDebugLineInfo.h */; };
</span><span class="cx"> 2ACCF3DE185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2ACCF3DC185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp */; };
</span><span class="cx"> 2ACCF3DF185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 2ACCF3DD185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h */; };
</span><ins>+ 2AD2EDFB19799E38004D6478 /* EnumerationMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AD2EDFA19799E38004D6478 /* EnumerationMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 2AD8932B17E3868F00668276 /* HeapIterationScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AD8932917E3868F00668276 /* HeapIterationScope.h */; };
</span><span class="cx"> 2ADFA26318EF3540004F9FCC /* GCLogging.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2ADFA26218EF3540004F9FCC /* GCLogging.cpp */; };
</span><span class="cx"> 2AF7382C18BBBF92008A5A37 /* StructureIDTable.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2AF7382A18BBBF92008A5A37 /* StructureIDTable.cpp */; };
</span><span class="lines">@@ -858,6 +863,10 @@
</span><span class="cx"> 41359CF30FDD89AD00206180 /* DateConversion.h in Headers */ = {isa = PBXBuildFile; fileRef = D21202290AD4310C00ED79B6 /* DateConversion.h */; };
</span><span class="cx"> 4443AE3316E188D90076F110 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 51F0EB6105C86C6B00E6DF1B /* Foundation.framework */; };
</span><span class="cx"> 451539B912DC994500EF7AC4 /* Yarr.h in Headers */ = {isa = PBXBuildFile; fileRef = 451539B812DC994500EF7AC4 /* Yarr.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 52B310FB1974AE610080857C /* FunctionHasExecutedCache.h in Headers */ = {isa = PBXBuildFile; fileRef = 52B310FA1974AE610080857C /* FunctionHasExecutedCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 52B310FD1974AE870080857C /* FunctionHasExecutedCache.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 52B310FC1974AE870080857C /* FunctionHasExecutedCache.cpp */; };
+ 52B310FF1975B4240080857C /* TypeLocationCache.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 52B310FE1975B4240080857C /* TypeLocationCache.cpp */; };
+ 52B311011975B4670080857C /* TypeLocationCache.h in Headers */ = {isa = PBXBuildFile; fileRef = 52B311001975B4670080857C /* TypeLocationCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 5510502618EB827500001F3E /* JSCallbackFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 1440F88F0A508B100005F061 /* JSCallbackFunction.h */; };
</span><span class="cx"> 552EA70C1908704800A66F2F /* JSDataViewPrototype.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B66BF17B6B5AB00A7AE3F /* JSDataViewPrototype.cpp */; };
</span><span class="cx"> 5540757218DA58AD00EFF7F2 /* ArgList.h in Headers */ = {isa = PBXBuildFile; fileRef = BCF605120E203EF800B9A64D /* ArgList.h */; };
</span><span class="lines">@@ -1730,7 +1739,6 @@
</span><span class="cx"> A72028BA1797603D0098028C /* JSFunctionInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = A72028B91797603D0098028C /* JSFunctionInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> A72700900DAC6BBC00E548D7 /* JSNotAnObject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A72700780DAC605600E548D7 /* JSNotAnObject.cpp */; };
</span><span class="cx"> A72701B90DADE94900E548D7 /* ExceptionHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = A72701B30DADE94900E548D7 /* ExceptionHelpers.h */; };
</span><del>- A727FF6B0DA3092200E548D7 /* JSPropertyNameIterator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A727FF660DA3053B00E548D7 /* JSPropertyNameIterator.cpp */; };
</del><span class="cx"> A7280A2811557E3000D56957 /* JSObjectRefPrivate.h in Headers */ = {isa = PBXBuildFile; fileRef = A79EDB0811531CD60019E912 /* JSObjectRefPrivate.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> A729009C17976C6000317298 /* MacroAssemblerARMv7.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A729009B17976C6000317298 /* MacroAssemblerARMv7.cpp */; };
</span><span class="cx"> A7299D9D17D12837005F5FF9 /* JSSet.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7299D9B17D12837005F5FF9 /* JSSet.cpp */; };
</span><span class="lines">@@ -2424,7 +2432,13 @@
</span><span class="cx"> 0F2D4DE419832D91007D4B19 /* TypeSet.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = TypeSet.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F2D4DE519832DAC007D4B19 /* ToThisStatus.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ToThisStatus.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F2D4DE619832DAC007D4B19 /* ToThisStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ToThisStatus.h; sourceTree = "<group>"; };
</span><ins>+ 0F7B365F197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGPhantomCanonicalizationPhase.cpp; path = dfg/DFGPhantomCanonicalizationPhase.cpp; sourceTree = "<group>"; };
+ 0F7B3660197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGPhantomCanonicalizationPhase.h; path = dfg/DFGPhantomCanonicalizationPhase.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0F2D4DE719832DAC007D4B19 /* TypeLocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TypeLocation.h; sourceTree = "<group>"; };
</span><ins>+ 52B310FA1974AE610080857C /* FunctionHasExecutedCache.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FunctionHasExecutedCache.h; sourceTree = "<group>"; };
+ 52B310FC1974AE870080857C /* FunctionHasExecutedCache.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = FunctionHasExecutedCache.cpp; sourceTree = "<group>"; };
+ 52B310FE1975B4240080857C /* TypeLocationCache.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = TypeLocationCache.cpp; sourceTree = "<group>"; };
+ 52B311001975B4670080857C /* TypeLocationCache.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = TypeLocationCache.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0F2FC77016E12F6F0038D976 /* DFGDCEPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGDCEPhase.cpp; path = dfg/DFGDCEPhase.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F2FC77116E12F6F0038D976 /* DFGDCEPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGDCEPhase.h; path = dfg/DFGDCEPhase.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F2FCCF218A60070001A27F8 /* DFGGraphSafepoint.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGGraphSafepoint.cpp; path = dfg/DFGGraphSafepoint.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -2980,6 +2994,8 @@
</span><span class="cx"> 1CAA9A2118F4A220000A369D /* JSGlobalObjectProfilerAgent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSGlobalObjectProfilerAgent.h; sourceTree = "<group>"; };
</span><span class="cx"> 2600B5A4152BAAA70091EE5F /* JSStringJoiner.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSStringJoiner.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 2600B5A5152BAAA70091EE5F /* JSStringJoiner.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringJoiner.h; sourceTree = "<group>"; };
</span><ins>+ 2A05ABD31961DF2400341750 /* JSPropertyNameEnumerator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSPropertyNameEnumerator.cpp; sourceTree = "<group>"; };
+ 2A05ABD41961DF2400341750 /* JSPropertyNameEnumerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSPropertyNameEnumerator.h; sourceTree = "<group>"; };
</ins><span class="cx"> 2A111243192FCE79005EE18D /* CustomGetterSetter.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CustomGetterSetter.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 2A111244192FCE79005EE18D /* CustomGetterSetter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CustomGetterSetter.h; sourceTree = "<group>"; };
</span><span class="cx"> 2A2825CF18341F2D0087FBA9 /* DelayedReleaseScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DelayedReleaseScope.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -3006,6 +3022,7 @@
</span><span class="cx"> 2AC922BA18A16182003CE0FB /* FTLDWARFDebugLineInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLDWARFDebugLineInfo.h; path = ftl/FTLDWARFDebugLineInfo.h; sourceTree = "<group>"; };
</span><span class="cx"> 2ACCF3DC185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStoreBarrierElisionPhase.cpp; path = dfg/DFGStoreBarrierElisionPhase.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 2ACCF3DD185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStoreBarrierElisionPhase.h; path = dfg/DFGStoreBarrierElisionPhase.h; sourceTree = "<group>"; };
</span><ins>+ 2AD2EDFA19799E38004D6478 /* EnumerationMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = EnumerationMode.h; sourceTree = "<group>"; };
</ins><span class="cx"> 2AD8932917E3868F00668276 /* HeapIterationScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapIterationScope.h; sourceTree = "<group>"; };
</span><span class="cx"> 2ADFA26218EF3540004F9FCC /* GCLogging.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GCLogging.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 2AF7382A18BBBF92008A5A37 /* StructureIDTable.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StructureIDTable.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -3400,8 +3417,6 @@
</span><span class="cx"> A72700770DAC605600E548D7 /* JSNotAnObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSNotAnObject.h; sourceTree = "<group>"; };
</span><span class="cx"> A72700780DAC605600E548D7 /* JSNotAnObject.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSNotAnObject.cpp; sourceTree = "<group>"; };
</span><span class="cx"> A72701B30DADE94900E548D7 /* ExceptionHelpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExceptionHelpers.h; sourceTree = "<group>"; };
</span><del>- A727FF650DA3053B00E548D7 /* JSPropertyNameIterator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSPropertyNameIterator.h; sourceTree = "<group>"; };
- A727FF660DA3053B00E548D7 /* JSPropertyNameIterator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSPropertyNameIterator.cpp; sourceTree = "<group>"; };
</del><span class="cx"> A729009B17976C6000317298 /* MacroAssemblerARMv7.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MacroAssemblerARMv7.cpp; sourceTree = "<group>"; };
</span><span class="cx"> A7299D9B17D12837005F5FF9 /* JSSet.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSSet.cpp; sourceTree = "<group>"; };
</span><span class="cx"> A7299D9C17D12837005F5FF9 /* JSSet.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSSet.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -4691,6 +4706,8 @@
</span><span class="cx"> BC2680C10E16D4E900A06E92 /* FunctionConstructor.h */,
</span><span class="cx"> 0FB4B52116B6278D003F696B /* FunctionExecutableDump.cpp */,
</span><span class="cx"> 0FB4B52216B6278D003F696B /* FunctionExecutableDump.h */,
</span><ins>+ 52B310FA1974AE610080857C /* FunctionHasExecutedCache.h */,
+ 52B310FC1974AE870080857C /* FunctionHasExecutedCache.cpp */,
</ins><span class="cx"> F692A85C0255597D01FF60F7 /* FunctionPrototype.cpp */,
</span><span class="cx"> F692A85D0255597D01FF60F7 /* FunctionPrototype.h */,
</span><span class="cx"> 0F2B66B217B6B5AB00A7AE3F /* GenericTypedArrayView.h */,
</span><span class="lines">@@ -4800,8 +4817,6 @@
</span><span class="cx"> 7C184E1D17BEE22E007CB63A /* JSPromisePrototype.h */,
</span><span class="cx"> 7C008CDC1871258D00955C24 /* JSPromiseReaction.cpp */,
</span><span class="cx"> 7C008CDD1871258D00955C24 /* JSPromiseReaction.h */,
</span><del>- A727FF660DA3053B00E548D7 /* JSPropertyNameIterator.cpp */,
- A727FF650DA3053B00E548D7 /* JSPropertyNameIterator.h */,
</del><span class="cx"> 862553CE16136AA5009F17D0 /* JSProxy.cpp */,
</span><span class="cx"> 862553CF16136AA5009F17D0 /* JSProxy.h */,
</span><span class="cx"> 14874AE115EBDE4A002E3587 /* JSScope.cpp */,
</span><span class="lines">@@ -4972,6 +4987,8 @@
</span><span class="cx"> 0F2B66DB17B6B5AB00A7AE3F /* TypedArrays.h */,
</span><span class="cx"> 0F2B66DC17B6B5AB00A7AE3F /* TypedArrayType.cpp */,
</span><span class="cx"> 0F2B66DD17B6B5AB00A7AE3F /* TypedArrayType.h */,
</span><ins>+ 52B311001975B4670080857C /* TypeLocationCache.h */,
+ 52B310FE1975B4240080857C /* TypeLocationCache.cpp */,
</ins><span class="cx"> 0F2D4DE319832D91007D4B19 /* TypeSet.cpp */,
</span><span class="cx"> 0F2D4DE419832D91007D4B19 /* TypeSet.h */,
</span><span class="cx"> A7A8AF3217ADB5F3005AB174 /* Uint16Array.h */,
</span><span class="lines">@@ -4996,6 +5013,9 @@
</span><span class="cx"> 1420BE7A10AA6DDB00F455D2 /* WeakRandom.h */,
</span><span class="cx"> A7DCB77912E3D90500911940 /* WriteBarrier.h */,
</span><span class="cx"> C2B6D75218A33793004A9301 /* WriteBarrierInlines.h */,
</span><ins>+ 2A05ABD31961DF2400341750 /* JSPropertyNameEnumerator.cpp */,
+ 2A05ABD41961DF2400341750 /* JSPropertyNameEnumerator.h */,
+ 2AD2EDFA19799E38004D6478 /* EnumerationMode.h */,
</ins><span class="cx"> );
</span><span class="cx"> path = runtime;
</span><span class="cx"> sourceTree = "<group>";
</span><span class="lines">@@ -5211,6 +5231,8 @@
</span><span class="cx"> 0FEFC9A81681A3B000567F53 /* DFGOSRExitJumpPlaceholder.h */,
</span><span class="cx"> 0F235BE917178E7300690C7F /* DFGOSRExitPreparation.cpp */,
</span><span class="cx"> 0F235BEA17178E7300690C7F /* DFGOSRExitPreparation.h */,
</span><ins>+ 0F7B365F197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.cpp */,
+ 0F7B3660197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.h */,
</ins><span class="cx"> 0FBFDD02196C92BF007A5BFA /* DFGPhantomRemovalPhase.cpp */,
</span><span class="cx"> 0FBFDD03196C92BF007A5BFA /* DFGPhantomRemovalPhase.h */,
</span><span class="cx"> 0FFFC94F14EF909500C72532 /* DFGPhase.cpp */,
</span><span class="lines">@@ -5961,6 +5983,7 @@
</span><span class="cx"> 0F6B1CB91861244C00845D97 /* ArityCheckMode.h in Headers */,
</span><span class="cx"> A1A009C11831A26E00CF8711 /* ARM64Assembler.h in Headers */,
</span><span class="cx"> 86D3B2C410156BDE002865E7 /* ARMAssembler.h in Headers */,
</span><ins>+ 2AD2EDFB19799E38004D6478 /* EnumerationMode.h in Headers */,
</ins><span class="cx"> 147B83AC0E6DB8C9004775A4 /* BatchedTransitionOptimizer.h in Headers */,
</span><span class="cx"> 2A111246192FCE79005EE18D /* CustomGetterSetter.h in Headers */,
</span><span class="cx"> A584032018BFFBE1005A0811 /* InspectorAgent.h in Headers */,
</span><span class="lines">@@ -6267,6 +6290,7 @@
</span><span class="cx"> 0F235BDD17178E1C00690C7F /* FTLOSRExit.h in Headers */,
</span><span class="cx"> 0F235BDE17178E1C00690C7F /* FTLOSRExitCompilationInfo.h in Headers */,
</span><span class="cx"> 0F235BE017178E1C00690C7F /* FTLOSRExitCompiler.h in Headers */,
</span><ins>+ 52B310FB1974AE610080857C /* FunctionHasExecutedCache.h in Headers */,
</ins><span class="cx"> 0FEA0A11170513DB00BB722C /* FTLOutput.h in Headers */,
</span><span class="cx"> 9E72940B190F0514001A91B5 /* BundlePath.h in Headers */,
</span><span class="cx"> 0F48532A187DFDEC0083B687 /* FTLRecoveryOpcode.h in Headers */,
</span><span class="lines">@@ -6437,6 +6461,7 @@
</span><span class="cx"> 0F2B66F217B6B5AB00A7AE3F /* JSGenericTypedArrayViewConstructor.h in Headers */,
</span><span class="cx"> 0F2B66F317B6B5AB00A7AE3F /* JSGenericTypedArrayViewConstructorInlines.h in Headers */,
</span><span class="cx"> 0F2B66F417B6B5AB00A7AE3F /* JSGenericTypedArrayViewInlines.h in Headers */,
</span><ins>+ 0F7B3662197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.h in Headers */,
</ins><span class="cx"> 0F5A1274192D9FDF008764A3 /* DFGDoesGC.h in Headers */,
</span><span class="cx"> 0F2B66F517B6B5AB00A7AE3F /* JSGenericTypedArrayViewPrototype.h in Headers */,
</span><span class="cx"> 0F2B66F617B6B5AB00A7AE3F /* JSGenericTypedArrayViewPrototypeInlines.h in Headers */,
</span><span class="lines">@@ -6620,6 +6645,8 @@
</span><span class="cx"> 0FF729BB166AD360000F5BA3 /* ProfilerCompilationKind.h in Headers */,
</span><span class="cx"> 0FF729BC166AD360000F5BA3 /* ProfilerCompiledBytecode.h in Headers */,
</span><span class="cx"> 0FF729BD166AD360000F5BA3 /* ProfilerDatabase.h in Headers */,
</span><ins>+ 2A05ABD61961DF2400341750 /* JSPropertyNameEnumerator.h in Headers */,
+ 52B311011975B4670080857C /* TypeLocationCache.h in Headers */,
</ins><span class="cx"> 0FF729BE166AD360000F5BA3 /* ProfilerExecutionCounter.h in Headers */,
</span><span class="cx"> 0F190CAD189D82F6000AE5F0 /* ProfilerJettisonReason.h in Headers */,
</span><span class="cx"> 0FF729BF166AD360000F5BA3 /* ProfilerOrigin.h in Headers */,
</span><span class="lines">@@ -7608,6 +7635,7 @@
</span><span class="cx"> isa = PBXSourcesBuildPhase;
</span><span class="cx"> buildActionMask = 2147483647;
</span><span class="cx"> files = (
</span><ins>+ 52B310FF1975B4240080857C /* TypeLocationCache.cpp in Sources */,
</ins><span class="cx"> 9EA5C7A2190F088700508EBE /* InitializeLLVMMac.cpp in Sources */,
</span><span class="cx"> 9EA5C7A1190F084200508EBE /* BundlePath.mm in Sources */,
</span><span class="cx"> 9E729408190F021E001A91B5 /* InitializeLLVMPOSIX.cpp in Sources */,
</span><span class="lines">@@ -7771,6 +7799,7 @@
</span><span class="cx"> 86880F1F14328BB900B08D42 /* DFGSpeculativeJIT32_64.cpp in Sources */,
</span><span class="cx"> 86880F4D14353B2100B08D42 /* DFGSpeculativeJIT64.cpp in Sources */,
</span><span class="cx"> A7D89CFF17A0B8CC00773AD8 /* DFGSSAConversionPhase.cpp in Sources */,
</span><ins>+ 2A05ABD51961DF2400341750 /* JSPropertyNameEnumerator.cpp in Sources */,
</ins><span class="cx"> 0FC20CB918556A3500C9E954 /* DFGSSALoweringPhase.cpp in Sources */,
</span><span class="cx"> 0F9FB4F417FCB91700CB67F8 /* DFGStackLayoutPhase.cpp in Sources */,
</span><span class="cx"> 0F4F29DF18B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.cpp in Sources */,
</span><span class="lines">@@ -7856,6 +7885,7 @@
</span><span class="cx"> 0F5A6283188C98D40072C9DF /* FTLValueRange.cpp in Sources */,
</span><span class="cx"> 147F39CB107EC37600427A48 /* FunctionConstructor.cpp in Sources */,
</span><span class="cx"> 0FF0F19F16B72A17005DF95B /* FunctionExecutableDump.cpp in Sources */,
</span><ins>+ 52B310FD1974AE870080857C /* FunctionHasExecutedCache.cpp in Sources */,
</ins><span class="cx"> 147F39CC107EC37600427A48 /* FunctionPrototype.cpp in Sources */,
</span><span class="cx"> 0F766D2F15A8DCE0008F363E /* GCAwareJITStubRoutine.cpp in Sources */,
</span><span class="cx"> C2239D1A16262BDD005AC5FD /* GCThread.cpp in Sources */,
</span><span class="lines">@@ -7957,6 +7987,7 @@
</span><span class="cx"> A503FA1D188E0FB000110F14 /* JSJavaScriptCallFramePrototype.cpp in Sources */,
</span><span class="cx"> 14280875107EC13E0013E7B2 /* JSLock.cpp in Sources */,
</span><span class="cx"> 0F3D0BBC194A414300FC9CF9 /* ConstantStructureCheck.cpp in Sources */,
</span><ins>+ 0F7B3661197C525C00ED1DDC /* DFGPhantomCanonicalizationPhase.cpp in Sources */,
</ins><span class="cx"> C25D709B16DE99F400FCA6BC /* JSManagedValue.mm in Sources */,
</span><span class="cx"> A700874117CBE8EB00C3E643 /* JSMap.cpp in Sources */,
</span><span class="cx"> A74DEF95182D991400522C22 /* JSMapIterator.cpp in Sources */,
</span><span class="lines">@@ -7973,7 +8004,6 @@
</span><span class="cx"> 7C008CD2186F8A9300955C24 /* JSPromiseFunctions.cpp in Sources */,
</span><span class="cx"> 7C184E1E17BEE22E007CB63A /* JSPromisePrototype.cpp in Sources */,
</span><span class="cx"> 7C008CDE1871258D00955C24 /* JSPromiseReaction.cpp in Sources */,
</span><del>- A727FF6B0DA3092200E548D7 /* JSPropertyNameIterator.cpp in Sources */,
</del><span class="cx"> 862553D116136DA9009F17D0 /* JSProxy.cpp in Sources */,
</span><span class="cx"> 9928FF3B18AC4AEC00B8CF12 /* JSReplayInputs.cpp in Sources */,
</span><span class="cx"> 14874AE515EBDE4A002E3587 /* JSScope.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeBasicBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -52,8 +52,6 @@
</span><span class="cx"> case op_switch_imm:
</span><span class="cx"> case op_switch_char:
</span><span class="cx"> case op_switch_string:
</span><del>- case op_get_pnames:
- case op_next_pname:
</del><span class="cx"> case op_check_has_instance:
</span><span class="cx"> return true;
</span><span class="cx"> default:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeListjson"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeList.json (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeList.json 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeList.json 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -70,7 +70,6 @@
</span><span class="cx"> { "name" : "op_del_by_id", "length" : 4 },
</span><span class="cx"> { "name" : "op_get_by_val", "length" : 6 },
</span><span class="cx"> { "name" : "op_get_argument_by_val", "length" : 6 },
</span><del>- { "name" : "op_get_by_pname", "length" : 7 },
</del><span class="cx"> { "name" : "op_put_by_val", "length" : 5 },
</span><span class="cx"> { "name" : "op_put_by_val_direct", "length" : 5 },
</span><span class="cx"> { "name" : "op_del_by_val", "length" : 4 },
</span><span class="lines">@@ -108,8 +107,6 @@
</span><span class="cx"> { "name" : "op_construct_varargs", "length" : 9 },
</span><span class="cx"> { "name" : "op_strcat", "length" : 4 },
</span><span class="cx"> { "name" : "op_to_primitive", "length" : 3 },
</span><del>- { "name" : "op_get_pnames", "length" : 6 },
- { "name" : "op_next_pname", "length" : 7 },
</del><span class="cx"> { "name" : "op_resolve_scope", "length" : 6 },
</span><span class="cx"> { "name" : "op_get_from_scope", "length" : 8 },
</span><span class="cx"> { "name" : "op_get_from_scope_with_profile", "length" : 9 },
</span><span class="lines">@@ -125,7 +122,16 @@
</span><span class="cx"> { "name" : "op_profile_will_call", "length" : 2 },
</span><span class="cx"> { "name" : "op_profile_did_call", "length" : 2 },
</span><span class="cx"> { "name" : "op_end", "length" : 2 },
</span><del>- { "name" : "op_profile_types_with_high_fidelity", "length" : 4 }
</del><ins>+ { "name" : "op_profile_types_with_high_fidelity", "length" : 4 },
+ { "name" : "op_get_enumerable_length", "length" : 3 },
+ { "name" : "op_has_indexed_property", "length" : 5 },
+ { "name" : "op_has_structure_property", "length" : 5 },
+ { "name" : "op_has_generic_property", "length" : 4 },
+ { "name" : "op_get_direct_pname", "length" : 7 },
+ { "name" : "op_get_structure_property_enumerator", "length" : 4 },
+ { "name" : "op_get_generic_property_enumerator", "length" : 5 },
+ { "name" : "op_next_enumerator_pname", "length" : 4 },
+ { "name" : "op_to_index_string", "length" : 3 }
</ins><span class="cx"> ]
</span><span class="cx"> },
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeUseDefh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -118,6 +118,8 @@
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[4].u.operand);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><ins>+ case op_get_enumerable_length:
+ case op_to_index_string:
</ins><span class="cx"> case op_init_global_const_nop:
</span><span class="cx"> case op_init_global_const:
</span><span class="cx"> case op_push_name_scope:
</span><span class="lines">@@ -144,12 +146,15 @@
</span><span class="cx"> case op_captured_mov:
</span><span class="cx"> case op_new_array_with_size:
</span><span class="cx"> case op_create_this:
</span><del>- case op_get_pnames:
</del><span class="cx"> case op_del_by_id:
</span><span class="cx"> case op_unsigned: {
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[2].u.operand);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><ins>+ case op_has_generic_property:
+ case op_get_structure_property_enumerator:
+ case op_has_indexed_property:
+ case op_next_enumerator_pname:
</ins><span class="cx"> case op_get_by_val:
</span><span class="cx"> case op_get_argument_by_val:
</span><span class="cx"> case op_in:
</span><span class="lines">@@ -179,6 +184,8 @@
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[3].u.operand);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><ins>+ case op_has_structure_property:
+ case op_get_generic_property_enumerator:
</ins><span class="cx"> case op_construct_varargs:
</span><span class="cx"> case op_call_varargs: {
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[2].u.operand);
</span><span class="lines">@@ -186,21 +193,13 @@
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[4].u.operand);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><del>- case op_next_pname: {
</del><ins>+ case op_get_direct_pname: {
</ins><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[2].u.operand);
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[3].u.operand);
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[4].u.operand);
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[5].u.operand);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><del>- case op_get_by_pname: {
- functor(codeBlock, instruction, opcodeID, instruction[2].u.operand);
- functor(codeBlock, instruction, opcodeID, instruction[3].u.operand);
- functor(codeBlock, instruction, opcodeID, instruction[4].u.operand);
- functor(codeBlock, instruction, opcodeID, instruction[5].u.operand);
- functor(codeBlock, instruction, opcodeID, instruction[6].u.operand);
- return;
- }
</del><span class="cx"> case op_switch_string:
</span><span class="cx"> case op_switch_char:
</span><span class="cx"> case op_switch_imm: {
</span><span class="lines">@@ -298,7 +297,15 @@
</span><span class="cx"> #undef LLINT_HELPER_OPCODES
</span><span class="cx"> return;
</span><span class="cx"> // These all have a single destination for the first argument.
</span><del>- case op_next_pname:
</del><ins>+ case op_to_index_string:
+ case op_get_generic_property_enumerator:
+ case op_get_enumerable_length:
+ case op_has_indexed_property:
+ case op_has_structure_property:
+ case op_has_generic_property:
+ case op_get_direct_pname:
+ case op_get_structure_property_enumerator:
+ case op_next_enumerator_pname:
</ins><span class="cx"> case op_resolve_scope:
</span><span class="cx"> case op_strcat:
</span><span class="cx"> case op_tear_off_activation:
</span><span class="lines">@@ -326,7 +333,6 @@
</span><span class="cx"> case op_instanceof:
</span><span class="cx"> case op_get_by_val:
</span><span class="cx"> case op_get_argument_by_val:
</span><del>- case op_get_by_pname:
</del><span class="cx"> case op_get_arguments_length:
</span><span class="cx"> case op_typeof:
</span><span class="cx"> case op_is_undefined:
</span><span class="lines">@@ -376,12 +382,6 @@
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[1].u.operand);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><del>- case op_get_pnames: {
- functor(codeBlock, instruction, opcodeID, instruction[1].u.operand);
- functor(codeBlock, instruction, opcodeID, instruction[3].u.operand);
- functor(codeBlock, instruction, opcodeID, instruction[4].u.operand);
- return;
- }
</del><span class="cx"> case op_enter: {
</span><span class="cx"> for (unsigned i = codeBlock->m_numVars; i--;)
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, virtualRegisterForLocal(i).offset());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCallLinkInfocpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -61,8 +61,7 @@
</span><span class="cx"> {
</span><span class="cx"> if (isLinked()) {
</span><span class="cx"> if (stub) {
</span><del>- if (!Heap::isMarked(stub->structure())
- || !Heap::isMarked(stub->executable())) {
</del><ins>+ if (!Heap::isMarked(stub->executable())) {
</ins><span class="cx"> if (Options::verboseOSR()) {
</span><span class="cx"> dataLog(
</span><span class="cx"> "Clearing closure call from ", *repatchBuffer.codeBlock(), " to ",
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCallLinkStatuscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -40,15 +40,12 @@
</span><span class="cx"> CallLinkStatus::CallLinkStatus(JSValue value)
</span><span class="cx"> : m_callTarget(value)
</span><span class="cx"> , m_executable(0)
</span><del>- , m_structure(0)
</del><span class="cx"> , m_couldTakeSlowPath(false)
</span><span class="cx"> , m_isProved(false)
</span><span class="cx"> {
</span><span class="cx"> if (!value || !value.isCell())
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- m_structure = value.asCell()->structure();
-
</del><span class="cx"> if (!value.asCell()->inherits(JSFunction::info()))
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="lines">@@ -176,14 +173,14 @@
</span><span class="cx"> return takesSlowPath();
</span><span class="cx">
</span><span class="cx"> if (ClosureCallStubRoutine* stub = callLinkInfo.stub.get())
</span><del>- return CallLinkStatus(stub->executable(), stub->structure());
</del><ins>+ return CallLinkStatus(stub->executable());
</ins><span class="cx">
</span><span class="cx"> JSFunction* target = callLinkInfo.lastSeenCallee.get();
</span><span class="cx"> if (!target)
</span><span class="cx"> return CallLinkStatus();
</span><span class="cx">
</span><span class="cx"> if (callLinkInfo.hasSeenClosure)
</span><del>- return CallLinkStatus(target->executable(), target->structure());
</del><ins>+ return CallLinkStatus(target->executable());
</ins><span class="cx">
</span><span class="cx"> return CallLinkStatus(target);
</span><span class="cx"> }
</span><span class="lines">@@ -282,9 +279,6 @@
</span><span class="cx"> if (!isCompilationThread())
</span><span class="cx"> out.print("/", m_executable->hashFor(CodeForCall));
</span><span class="cx"> }
</span><del>-
- if (m_structure)
- out.print(comma, "Structure: ", RawPointer(m_structure));
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCallLinkStatush"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -47,7 +47,6 @@
</span><span class="cx"> public:
</span><span class="cx"> CallLinkStatus()
</span><span class="cx"> : m_executable(0)
</span><del>- , m_structure(0)
</del><span class="cx"> , m_couldTakeSlowPath(false)
</span><span class="cx"> , m_isProved(false)
</span><span class="cx"> {
</span><span class="lines">@@ -62,13 +61,11 @@
</span><span class="cx">
</span><span class="cx"> explicit CallLinkStatus(JSValue);
</span><span class="cx">
</span><del>- CallLinkStatus(ExecutableBase* executable, Structure* structure)
</del><ins>+ CallLinkStatus(ExecutableBase* executable)
</ins><span class="cx"> : m_executable(executable)
</span><del>- , m_structure(structure)
</del><span class="cx"> , m_couldTakeSlowPath(false)
</span><span class="cx"> , m_isProved(false)
</span><span class="cx"> {
</span><del>- ASSERT(!!executable == !!structure);
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> CallLinkStatus& setIsProved(bool isProved)
</span><span class="lines">@@ -122,7 +119,6 @@
</span><span class="cx"> InternalFunction* internalFunction() const;
</span><span class="cx"> Intrinsic intrinsicFor(CodeSpecializationKind) const;
</span><span class="cx"> ExecutableBase* executable() const { return m_executable; }
</span><del>- Structure* structure() const { return m_structure; }
</del><span class="cx"> bool isProved() const { return m_isProved; }
</span><span class="cx"> bool canOptimize() const { return (m_callTarget || m_executable) && !m_couldTakeSlowPath; }
</span><span class="cx">
</span><span class="lines">@@ -140,7 +136,6 @@
</span><span class="cx">
</span><span class="cx"> JSValue m_callTarget;
</span><span class="cx"> ExecutableBase* m_executable;
</span><del>- Structure* m_structure;
</del><span class="cx"> bool m_couldTakeSlowPath;
</span><span class="cx"> bool m_isProved;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -49,7 +49,7 @@
</span><span class="cx"> #include "JSFunction.h"
</span><span class="cx"> #include "JSNameScope.h"
</span><span class="cx"> #include "LLIntEntrypoint.h"
</span><del>-#include "TypeLocation.h"
</del><ins>+#include "TypeLocationCache.h"
</ins><span class="cx"> #include "LowLevelInterpreter.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "PolymorphicGetByIdList.h"
</span><span class="lines">@@ -1109,17 +1109,6 @@
</span><span class="cx"> dumpValueProfiling(out, it, hasPrintedProfiling);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- case op_get_by_pname: {
- int r0 = (++it)->u.operand;
- int r1 = (++it)->u.operand;
- int r2 = (++it)->u.operand;
- int r3 = (++it)->u.operand;
- int r4 = (++it)->u.operand;
- int r5 = (++it)->u.operand;
- printLocationAndOp(out, exec, location, it, "get_by_pname");
- out.printf("%s, %s, %s, %s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data(), registerName(r3).data(), registerName(r4).data(), registerName(r5).data());
- break;
- }
</del><span class="cx"> case op_put_by_val: {
</span><span class="cx"> int r0 = (++it)->u.operand;
</span><span class="cx"> int r1 = (++it)->u.operand;
</span><span class="lines">@@ -1366,29 +1355,91 @@
</span><span class="cx"> out.printf("%s, %s", registerName(r0).data(), registerName(r1).data());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- case op_get_pnames: {
- int r0 = it[1].u.operand;
- int r1 = it[2].u.operand;
- int r2 = it[3].u.operand;
- int r3 = it[4].u.operand;
- int offset = it[5].u.operand;
- printLocationAndOp(out, exec, location, it, "get_pnames");
- out.printf("%s, %s, %s, %s, %d(->%d)", registerName(r0).data(), registerName(r1).data(), registerName(r2).data(), registerName(r3).data(), offset, location + offset);
- it += OPCODE_LENGTH(op_get_pnames) - 1;
</del><ins>+ case op_get_enumerable_length: {
+ int dst = it[1].u.operand;
+ int base = it[2].u.operand;
+ printLocationAndOp(out, exec, location, it, "op_get_enumerable_length");
+ out.printf("%s, %s", registerName(dst).data(), registerName(base).data());
+ it += OPCODE_LENGTH(op_get_enumerable_length) - 1;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><del>- case op_next_pname: {
- int dest = it[1].u.operand;
</del><ins>+ case op_has_indexed_property: {
+ int dst = it[1].u.operand;
</ins><span class="cx"> int base = it[2].u.operand;
</span><del>- int i = it[3].u.operand;
- int size = it[4].u.operand;
- int iter = it[5].u.operand;
- int offset = it[6].u.operand;
- printLocationAndOp(out, exec, location, it, "next_pname");
- out.printf("%s, %s, %s, %s, %s, %d(->%d)", registerName(dest).data(), registerName(base).data(), registerName(i).data(), registerName(size).data(), registerName(iter).data(), offset, location + offset);
- it += OPCODE_LENGTH(op_next_pname) - 1;
</del><ins>+ int propertyName = it[3].u.operand;
+ ArrayProfile* arrayProfile = it[4].u.arrayProfile;
+ printLocationAndOp(out, exec, location, it, "op_has_indexed_property");
+ out.printf("%s, %s, %s, %p", registerName(dst).data(), registerName(base).data(), registerName(propertyName).data(), arrayProfile);
+ it += OPCODE_LENGTH(op_has_indexed_property) - 1;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><ins>+ case op_has_structure_property: {
+ int dst = it[1].u.operand;
+ int base = it[2].u.operand;
+ int propertyName = it[3].u.operand;
+ int enumerator = it[4].u.operand;
+ printLocationAndOp(out, exec, location, it, "op_has_structure_property");
+ out.printf("%s, %s, %s, %s", registerName(dst).data(), registerName(base).data(), registerName(propertyName).data(), registerName(enumerator).data());
+ it += OPCODE_LENGTH(op_has_structure_property) - 1;
+ break;
+ }
+ case op_has_generic_property: {
+ int dst = it[1].u.operand;
+ int base = it[2].u.operand;
+ int propertyName = it[3].u.operand;
+ printLocationAndOp(out, exec, location, it, "op_has_generic_property");
+ out.printf("%s, %s, %s", registerName(dst).data(), registerName(base).data(), registerName(propertyName).data());
+ it += OPCODE_LENGTH(op_has_generic_property) - 1;
+ break;
+ }
+ case op_get_direct_pname: {
+ int dst = it[1].u.operand;
+ int base = it[2].u.operand;
+ int propertyName = it[3].u.operand;
+ int index = it[4].u.operand;
+ int enumerator = it[5].u.operand;
+ ValueProfile* profile = it[6].u.profile;
+ printLocationAndOp(out, exec, location, it, "op_get_direct_pname");
+ out.printf("%s, %s, %s, %s, %s, %p", registerName(dst).data(), registerName(base).data(), registerName(propertyName).data(), registerName(index).data(), registerName(enumerator).data(), profile);
+ it += OPCODE_LENGTH(op_get_direct_pname) - 1;
+ break;
+
+ }
+ case op_get_structure_property_enumerator: {
+ int dst = it[1].u.operand;
+ int base = it[2].u.operand;
+ printLocationAndOp(out, exec, location, it, "op_get_structure_property_enumerator");
+ out.printf("%s, %s", registerName(dst).data(), registerName(base).data());
+ it += OPCODE_LENGTH(op_get_structure_property_enumerator) - 1;
+ break;
+ }
+ case op_get_generic_property_enumerator: {
+ int dst = it[1].u.operand;
+ int base = it[2].u.operand;
+ int length = it[3].u.operand;
+ int structureEnumerator = it[4].u.operand;
+ printLocationAndOp(out, exec, location, it, "op_get_generic_property_enumerator");
+ out.printf("%s, %s, %s, %s", registerName(dst).data(), registerName(base).data(), registerName(length).data(), registerName(structureEnumerator).data());
+ it += OPCODE_LENGTH(op_get_generic_property_enumerator) - 1;
+ break;
+ }
+ case op_next_enumerator_pname: {
+ int dst = it[1].u.operand;
+ int enumerator = it[2].u.operand;
+ int index = it[3].u.operand;
+ printLocationAndOp(out, exec, location, it, "op_next_enumerator_pname");
+ out.printf("%s, %s, %s", registerName(dst).data(), registerName(enumerator).data(), registerName(index).data());
+ it += OPCODE_LENGTH(op_next_enumerator_pname) - 1;
+ break;
+ }
+ case op_to_index_string: {
+ int dst = it[1].u.operand;
+ int index = it[2].u.operand;
+ printLocationAndOp(out, exec, location, it, "op_to_index_string");
+ out.printf("%s, %s", registerName(dst).data(), registerName(index).data());
+ it += OPCODE_LENGTH(op_to_index_string) - 1;
+ break;
+ }
</ins><span class="cx"> case op_push_with_scope: {
</span><span class="cx"> int r0 = (++it)->u.operand;
</span><span class="cx"> printLocationOpAndRegisterOperand(out, exec, location, it, "push_with_scope", r0);
</span><span class="lines">@@ -1675,12 +1726,17 @@
</span><span class="cx"> ASSERT(m_source);
</span><span class="cx"> setNumParameters(unlinkedCodeBlock->numParameters());
</span><span class="cx">
</span><ins>+ if (vm()->isProfilingTypesWithHighFidelity())
+ vm()->highFidelityTypeProfiler()->functionHasExecutedCache()->removeUnexecutedRange(m_ownerExecutable->sourceID(), m_ownerExecutable->highFidelityTypeProfilingStartOffset(), m_ownerExecutable->highFidelityTypeProfilingEndOffset());
+
</ins><span class="cx"> setConstantRegisters(unlinkedCodeBlock->constantRegisters());
</span><span class="cx"> if (unlinkedCodeBlock->usesGlobalObject())
</span><span class="cx"> m_constantRegisters[unlinkedCodeBlock->globalObjectRegister().toConstantIndex()].set(*m_vm, ownerExecutable, m_globalObject.get());
</span><span class="cx"> m_functionDecls.resizeToFit(unlinkedCodeBlock->numberOfFunctionDecls());
</span><span class="cx"> for (size_t count = unlinkedCodeBlock->numberOfFunctionDecls(), i = 0; i < count; ++i) {
</span><span class="cx"> UnlinkedFunctionExecutable* unlinkedExecutable = unlinkedCodeBlock->functionDecl(i);
</span><ins>+ if (vm()->isProfilingTypesWithHighFidelity())
+ vm()->highFidelityTypeProfiler()->functionHasExecutedCache()->insertUnexecutedRange(m_ownerExecutable->sourceID(), unlinkedExecutable->highFidelityTypeProfilingStartOffset(), unlinkedExecutable->highFidelityTypeProfilingEndOffset());
</ins><span class="cx"> unsigned lineCount = unlinkedExecutable->lineCount();
</span><span class="cx"> unsigned firstLine = ownerExecutable->lineNo() + unlinkedExecutable->firstLineOffset();
</span><span class="cx"> bool startColumnIsOnOwnerStartLine = !unlinkedExecutable->firstLineOffset();
</span><span class="lines">@@ -1697,6 +1753,8 @@
</span><span class="cx"> m_functionExprs.resizeToFit(unlinkedCodeBlock->numberOfFunctionExprs());
</span><span class="cx"> for (size_t count = unlinkedCodeBlock->numberOfFunctionExprs(), i = 0; i < count; ++i) {
</span><span class="cx"> UnlinkedFunctionExecutable* unlinkedExecutable = unlinkedCodeBlock->functionExpr(i);
</span><ins>+ if (vm()->isProfilingTypesWithHighFidelity())
+ vm()->highFidelityTypeProfiler()->functionHasExecutedCache()->insertUnexecutedRange(m_ownerExecutable->sourceID(), unlinkedExecutable->highFidelityTypeProfilingStartOffset(), unlinkedExecutable->highFidelityTypeProfilingEndOffset());
</ins><span class="cx"> unsigned lineCount = unlinkedExecutable->lineCount();
</span><span class="cx"> unsigned firstLine = ownerExecutable->lineNo() + unlinkedExecutable->firstLineOffset();
</span><span class="cx"> bool startColumnIsOnOwnerStartLine = !unlinkedExecutable->firstLineOffset();
</span><span class="lines">@@ -1787,6 +1845,13 @@
</span><span class="cx"> instructions[i + j].u.operand = pc[j].u.operand;
</span><span class="cx"> }
</span><span class="cx"> switch (pc[0].u.opcode) {
</span><ins>+ case op_has_indexed_property: {
+ int arrayProfileIndex = pc[opLength - 1].u.operand;
+ m_arrayProfiles[arrayProfileIndex] = ArrayProfile(i);
+
+ instructions[i + opLength - 1] = &m_arrayProfiles[arrayProfileIndex];
+ break;
+ }
</ins><span class="cx"> case op_call_varargs:
</span><span class="cx"> case op_construct_varargs:
</span><span class="cx"> case op_get_by_val:
</span><span class="lines">@@ -1797,6 +1862,7 @@
</span><span class="cx"> instructions[i + opLength - 2] = &m_arrayProfiles[arrayProfileIndex];
</span><span class="cx"> FALLTHROUGH;
</span><span class="cx"> }
</span><ins>+ case op_get_direct_pname:
</ins><span class="cx"> case op_get_by_id: {
</span><span class="cx"> ValueProfile* profile = &m_valueProfiles[pc[opLength - 1].u.operand];
</span><span class="cx"> ASSERT(profile->m_bytecodeOffset == -1);
</span><span class="lines">@@ -1906,8 +1972,7 @@
</span><span class="cx"> if (pc[0].u.opcode == op_get_from_scope_with_profile) {
</span><span class="cx"> // The format of this instruction is: get_from_scope_with_profile dst, scope, id, ResolveModeAndType, Structure, Operand, ..., TypeLocation
</span><span class="cx"> size_t instructionOffset = i + opLength - 1;
</span><del>- TypeLocation* location = vm()->nextLocation();
- scopeDependentProfile(op, ident, instructionOffset, location);
</del><ins>+ TypeLocation* location = scopeDependentProfile(op, ident, instructionOffset);
</ins><span class="cx"> instructions[i + 8].u.location = location;
</span><span class="cx"> }
</span><span class="cx"> break;
</span><span class="lines">@@ -1933,8 +1998,7 @@
</span><span class="cx"> if (pc[0].u.opcode == op_put_to_scope_with_profile) {
</span><span class="cx"> // The format of this instruction is: put_to_scope_with_profile scope, id, value, ResolveModeAndType, Structure, Operand, TypeLocation*
</span><span class="cx"> size_t instructionOffset = i + opLength - 1;
</span><del>- TypeLocation* location = vm()->nextLocation();
- scopeDependentProfile(op, ident, instructionOffset, location);
</del><ins>+ TypeLocation* location = scopeDependentProfile(op, ident, instructionOffset);
</ins><span class="cx"> instructions[i + 7].u.location = location;
</span><span class="cx"> }
</span><span class="cx"> break;
</span><span class="lines">@@ -1943,44 +2007,52 @@
</span><span class="cx"> case op_profile_types_with_high_fidelity: {
</span><span class="cx"> size_t instructionOffset = i + opLength - 1;
</span><span class="cx"> unsigned divotStart, divotEnd;
</span><ins>+ GlobalVariableID globalVariableID;
+ RefPtr<TypeSet> globalTypeSet;
</ins><span class="cx"> bool shouldAnalyze = m_unlinkedCode->highFidelityTypeProfileExpressionInfoForBytecodeOffset(instructionOffset, divotStart, divotEnd);
</span><span class="cx"> VirtualRegister virtualRegister(pc[1].u.operand);
</span><span class="cx"> SymbolTable* symbolTable = m_symbolTable.get();
</span><del>- TypeLocation* location = vm()->nextLocation();
- location->m_divotStart = divotStart;
- location->m_divotEnd = divotEnd;
- location->m_sourceID = m_ownerExecutable->sourceID();
</del><span class="cx">
</span><span class="cx"> ProfileTypesWithHighFidelityBytecodeFlag flag = static_cast<ProfileTypesWithHighFidelityBytecodeFlag>(pc[3].u.operand);
</span><span class="cx"> switch (flag) {
</span><span class="cx"> case ProfileTypesBytecodeHasGlobalID: {
</span><span class="cx"> ConcurrentJITLocker locker(symbolTable->m_lock);
</span><del>- location->m_globalVariableID = symbolTable->uniqueIDForRegister(locker, virtualRegister.offset(), *vm());
- location->m_globalTypeSet = symbolTable->globalTypeSetForRegister(locker, virtualRegister.offset(), *vm());
</del><ins>+ globalVariableID = symbolTable->uniqueIDForRegister(locker, virtualRegister.offset(), *vm());
+ globalTypeSet = symbolTable->globalTypeSetForRegister(locker, virtualRegister.offset(), *vm());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> case ProfileTypesBytecodeDoesNotHaveGlobalID:
</span><del>- case ProfileTypesBytecodeFunctionArgument:
</del><ins>+ case ProfileTypesBytecodeFunctionArgument: {
+ globalVariableID = HighFidelityNoGlobalIDExists;
+ break;
+ }
</ins><span class="cx"> case ProfileTypesBytecodeFunctionThisObject: {
</span><del>- location->m_globalVariableID = HighFidelityNoGlobalIDExists;
</del><ins>+ globalVariableID = HighFidelityThisStatement;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> case ProfileTypesBytecodeFunctionReturnStatement: {
</span><del>- location->m_globalTypeSet = returnStatementTypeSet();
- location->m_globalVariableID = HighFidelityReturnStatement;
- location->m_divotForFunctionOffsetIfReturnStatement = m_sourceOffset;
</del><ins>+ globalTypeSet = returnStatementTypeSet();
+ globalVariableID = HighFidelityReturnStatement;
</ins><span class="cx"> if (!shouldAnalyze) {
</span><span class="cx"> // Because some return statements are added implicitly (to return undefined at the end of a function), and these nodes don't emit expression ranges, give them some range.
</span><span class="cx"> // Currently, this divot is on the open brace of the function.
</span><del>- location->m_divotStart = location->m_divotEnd = location->m_divotForFunctionOffsetIfReturnStatement;
</del><ins>+ divotStart = divotEnd = m_sourceOffset;
</ins><span class="cx"> shouldAnalyze = true;
</span><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (shouldAnalyze)
</del><ins>+ std::pair<TypeLocation*, bool> locationPair = vm()->highFidelityTypeProfiler()->typeLocationCache()->getTypeLocation(globalVariableID, m_ownerExecutable->sourceID(), divotStart, divotEnd, globalTypeSet, vm());
+ TypeLocation* location = locationPair.first;
+ bool isNewLocation = locationPair.second;
+
+ if (ProfileTypesBytecodeFunctionReturnStatement)
+ location->m_divotForFunctionOffsetIfReturnStatement = m_sourceOffset;
+
+ if (shouldAnalyze && isNewLocation)
</ins><span class="cx"> vm()->highFidelityTypeProfiler()->insertNewLocation(location);
</span><ins>+
</ins><span class="cx"> instructions[i + 2].u.location = location;
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -3863,13 +3935,12 @@
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx">
</span><del>-void CodeBlock::scopeDependentProfile(ResolveOp op, const Identifier& ident, size_t instructionOffset, TypeLocation* location)
</del><ins>+TypeLocation* CodeBlock::scopeDependentProfile(ResolveOp op, const Identifier& ident, size_t instructionOffset)
</ins><span class="cx"> {
</span><span class="cx"> unsigned divotStart, divotEnd;
</span><span class="cx"> bool shouldAnalyze = m_unlinkedCode->highFidelityTypeProfileExpressionInfoForBytecodeOffset(instructionOffset, divotStart, divotEnd);
</span><del>- location->m_divotStart = divotStart;
- location->m_divotEnd = divotEnd;
- location->m_sourceID = m_ownerExecutable->sourceID();
</del><ins>+ GlobalVariableID globalVariableID;
+ RefPtr<TypeSet> globalTypeSet;
</ins><span class="cx">
</span><span class="cx"> // FIXME: handle other values for op.type here, and also consider what to do when we can't statically determine the globalID
</span><span class="cx"> SymbolTable* symbolTable = nullptr;
</span><span class="lines">@@ -3880,13 +3951,19 @@
</span><span class="cx">
</span><span class="cx"> if (symbolTable) {
</span><span class="cx"> ConcurrentJITLocker locker(symbolTable->m_lock);
</span><del>- location->m_globalVariableID = symbolTable->uniqueIDForVariable(locker, ident.impl(), *vm());
- location->m_globalTypeSet = symbolTable->globalTypeSetForVariable(locker, ident.impl(), *vm());
</del><ins>+ globalVariableID = symbolTable->uniqueIDForVariable(locker, ident.impl(), *vm());
+ globalTypeSet = symbolTable->globalTypeSetForVariable(locker, ident.impl(), *vm());
</ins><span class="cx"> } else
</span><del>- location->m_globalVariableID = HighFidelityNoGlobalIDExists;
</del><ins>+ globalVariableID = HighFidelityNoGlobalIDExists;
</ins><span class="cx">
</span><del>- if (shouldAnalyze)
</del><ins>+ std::pair<TypeLocation*, bool> locationPair = vm()->highFidelityTypeProfiler()->typeLocationCache()->getTypeLocation(globalVariableID, m_ownerExecutable->sourceID(), divotStart, divotEnd, globalTypeSet, vm());
+ TypeLocation* location = locationPair.first;
+ bool isNewLocation = locationPair.second;
+
+ if (shouldAnalyze & isNewLocation)
</ins><span class="cx"> vm()->highFidelityTypeProfiler()->insertNewLocation(location);
</span><ins>+
+ return location;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -83,6 +83,7 @@
</span><span class="cx"> class ExecState;
</span><span class="cx"> class LLIntOffsetsExtractor;
</span><span class="cx"> class RepatchBuffer;
</span><ins>+class TypeLocation;
</ins><span class="cx">
</span><span class="cx"> inline VirtualRegister unmodifiedArgumentsRegister(VirtualRegister argumentsRegister) { return VirtualRegister(argumentsRegister.offset() + 1); }
</span><span class="cx">
</span><span class="lines">@@ -1019,7 +1020,7 @@
</span><span class="cx"> m_rareData = adoptPtr(new RareData);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void scopeDependentProfile(ResolveOp, const Identifier&, size_t, TypeLocation*);
</del><ins>+ TypeLocation* scopeDependentProfile(ResolveOp, const Identifier&, size_t);
</ins><span class="cx">
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx"> void resetStubInternal(RepatchBuffer&, StructureStubInfo&);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePreciseJumpTargetscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -73,12 +73,6 @@
</span><span class="cx"> out.append(bytecodeOffset + current[2].u.operand);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- case op_get_pnames:
- out.append(bytecodeOffset + current[5].u.operand);
- break;
- case op_next_pname:
- out.append(bytecodeOffset + current[6].u.operand);
- break;
</del><span class="cx"> case op_check_has_instance:
</span><span class="cx"> out.append(bytecodeOffset + current[4].u.operand);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeTypeLocationh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/TypeLocation.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/TypeLocation.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/TypeLocation.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -33,18 +33,22 @@
</span><span class="cx"> enum HighFidelityGlobalIDFlags {
</span><span class="cx"> HighFidelityNeedsUniqueIDGeneration = -1,
</span><span class="cx"> HighFidelityNoGlobalIDExists = -2,
</span><del>- HighFidelityReturnStatement = -3
</del><ins>+ HighFidelityReturnStatement = -3,
+ HighFidelityThisStatement = -4
</ins><span class="cx"> };
</span><span class="cx">
</span><ins>+typedef intptr_t GlobalVariableID;
+
</ins><span class="cx"> class TypeLocation {
</span><span class="cx"> public:
</span><span class="cx"> TypeLocation()
</span><del>- : m_instructionTypeSet(TypeSet::create())
</del><ins>+ : m_divotForFunctionOffsetIfReturnStatement(UINT_MAX)
+ , m_instructionTypeSet(TypeSet::create())
</ins><span class="cx"> , m_globalTypeSet(nullptr)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>- int64_t m_globalVariableID;
</del><ins>+ GlobalVariableID m_globalVariableID;
</ins><span class="cx"> intptr_t m_sourceID;
</span><span class="cx"> unsigned m_divotStart;
</span><span class="cx"> unsigned m_divotEnd;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -99,6 +99,8 @@
</span><span class="cx"> , m_unlinkedBodyEndColumn(m_lineCount ? node->endColumn() : node->endColumn() - node->startColumn())
</span><span class="cx"> , m_startOffset(node->source().startOffset() - source.startOffset())
</span><span class="cx"> , m_sourceLength(node->source().length())
</span><ins>+ , m_highFidelityTypeProfilingStartOffset(node->functionNameStart())
+ , m_highFidelityTypeProfilingEndOffset(node->startStartOffset() + node->source().length() - 1)
</ins><span class="cx"> , m_features(node->features())
</span><span class="cx"> , m_functionMode(node->functionMode())
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -125,6 +125,8 @@
</span><span class="cx"> unsigned unlinkedBodyEndColumn() const { return m_unlinkedBodyEndColumn; }
</span><span class="cx"> unsigned startOffset() const { return m_startOffset; }
</span><span class="cx"> unsigned sourceLength() { return m_sourceLength; }
</span><ins>+ unsigned highFidelityTypeProfilingStartOffset() const { return m_highFidelityTypeProfilingStartOffset; }
+ unsigned highFidelityTypeProfilingEndOffset() const { return m_highFidelityTypeProfilingEndOffset; }
</ins><span class="cx">
</span><span class="cx"> String paramString() const;
</span><span class="cx">
</span><span class="lines">@@ -185,6 +187,8 @@
</span><span class="cx"> unsigned m_unlinkedBodyEndColumn;
</span><span class="cx"> unsigned m_startOffset;
</span><span class="cx"> unsigned m_sourceLength;
</span><ins>+ unsigned m_highFidelityTypeProfilingStartOffset;
+ unsigned m_highFidelityTypeProfilingEndOffset;
</ins><span class="cx">
</span><span class="cx"> CodeFeatures m_features;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -337,7 +337,7 @@
</span><span class="cx">
</span><span class="cx"> m_symbolTable->setCaptureEnd(virtualRegisterForLocal(codeBlock->m_numVars).offset());
</span><span class="cx">
</span><del>- bool canLazilyCreateFunctions = !functionBody->needsActivationForMoreThanVariables() && !m_shouldEmitDebugHooks;
</del><ins>+ bool canLazilyCreateFunctions = !functionBody->needsActivationForMoreThanVariables() && !m_shouldEmitDebugHooks && !isProfilingTypesWithHighFidelity();
</ins><span class="cx"> m_firstLazyFunction = codeBlock->m_numVars;
</span><span class="cx"> for (size_t i = 0; i < functionStack.size(); ++i) {
</span><span class="cx"> FunctionBodyNode* function = functionStack[i];
</span><span class="lines">@@ -1116,6 +1116,14 @@
</span><span class="cx"> return dst;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo(const JSTextPosition& startDivot, const JSTextPosition& endDivot)
+{
+ unsigned start = startDivot.offset; // Ranges are inclusive of their endpoints, AND 0 indexed.
+ unsigned end = endDivot.offset - 1; // End Ranges already go one past the inclusive range, so subtract 1.
+ unsigned instructionOffset = instructions().size() - 1;
+ m_codeBlock->addHighFidelityTypeProfileExpressionInfo(instructionOffset, start, end);
+}
+
</ins><span class="cx"> void BytecodeGenerator::emitProfileTypesWithHighFidelity(RegisterID* registerToProfile, ProfileTypesWithHighFidelityBytecodeFlag flag)
</span><span class="cx"> {
</span><span class="cx"> emitOpcode(op_profile_types_with_high_fidelity);
</span><span class="lines">@@ -1436,18 +1444,30 @@
</span><span class="cx"> RegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)
</span><span class="cx"> {
</span><span class="cx"> for (size_t i = m_forInContextStack.size(); i > 0; i--) {
</span><del>- ForInContext& context = m_forInContextStack[i - 1];
- if (context.propertyRegister == property) {
- emitOpcode(op_get_by_pname);
- instructions().append(dst->index());
- instructions().append(base->index());
- instructions().append(property->index());
- instructions().append(context.expectedSubscriptRegister->index());
- instructions().append(context.iterRegister->index());
- instructions().append(context.indexRegister->index());
- return dst;
</del><ins>+ ForInContext* context = m_forInContextStack[i - 1].get();
+ if (context->local() != property)
+ continue;
+
+ if (!context->isValid())
+ break;
+
+ if (context->type() == ForInContext::IndexedForInContextType) {
+ property = static_cast<IndexedForInContext*>(context)->index();
+ break;
</ins><span class="cx"> }
</span><ins>+
+ ASSERT(context->type() == ForInContext::StructureForInContextType);
+ StructureForInContext* structureContext = static_cast<StructureForInContext*>(context);
+ UnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname);
+ instructions().append(kill(dst));
+ instructions().append(base->index());
+ instructions().append(property->index());
+ instructions().append(structureContext->index()->index());
+ instructions().append(structureContext->enumerator()->index());
+ instructions().append(profile);
+ return dst;
</ins><span class="cx"> }
</span><ins>+
</ins><span class="cx"> UnlinkedArrayProfile arrayProfile = newArrayProfile();
</span><span class="cx"> UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val);
</span><span class="cx"> instructions().append(kill(dst));
</span><span class="lines">@@ -2153,7 +2173,7 @@
</span><span class="cx">
</span><span class="cx"> Vector<ControlFlowContext> savedScopeContextStack;
</span><span class="cx"> Vector<SwitchInfo> savedSwitchContextStack;
</span><del>- Vector<ForInContext> savedForInContextStack;
</del><ins>+ Vector<std::unique_ptr<ForInContext>> savedForInContextStack;
</ins><span class="cx"> Vector<TryContext> poppedTryContexts;
</span><span class="cx"> LabelScopeStore savedLabelScopes;
</span><span class="cx"> while (topScope > bottomScope && topScope->isFinallyBlock) {
</span><span class="lines">@@ -2180,7 +2200,7 @@
</span><span class="cx"> m_switchContextStack.shrink(finallyContext.switchContextStackSize);
</span><span class="cx"> }
</span><span class="cx"> if (flipForIns) {
</span><del>- savedForInContextStack = m_forInContextStack;
</del><ins>+ savedForInContextStack.swap(m_forInContextStack);
</ins><span class="cx"> m_forInContextStack.shrink(finallyContext.forInContextStackSize);
</span><span class="cx"> }
</span><span class="cx"> if (flipTries) {
</span><span class="lines">@@ -2220,7 +2240,7 @@
</span><span class="cx"> if (flipSwitches)
</span><span class="cx"> m_switchContextStack = savedSwitchContextStack;
</span><span class="cx"> if (flipForIns)
</span><del>- m_forInContextStack = savedForInContextStack;
</del><ins>+ m_forInContextStack.swap(savedForInContextStack);
</ins><span class="cx"> if (flipTries) {
</span><span class="cx"> ASSERT(m_tryContextStack.size() == finallyContext.tryContextStackSize);
</span><span class="cx"> for (unsigned i = poppedTryContexts.size(); i--;) {
</span><span class="lines">@@ -2258,33 +2278,6 @@
</span><span class="cx"> emitComplexPopScopes(&m_scopeContextStack.last(), &m_scopeContextStack.last() - scopeDelta);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-RegisterID* BytecodeGenerator::emitGetPropertyNames(RegisterID* dst, RegisterID* base, RegisterID* i, RegisterID* size, Label* breakTarget)
-{
- size_t begin = instructions().size();
-
- emitOpcode(op_get_pnames);
- instructions().append(dst->index());
- instructions().append(base->index());
- instructions().append(i->index());
- instructions().append(size->index());
- instructions().append(breakTarget->bind(begin, instructions().size()));
- return dst;
-}
-
-RegisterID* BytecodeGenerator::emitNextPropertyName(RegisterID* dst, RegisterID* base, RegisterID* i, RegisterID* size, RegisterID* iter, Label* target)
-{
- size_t begin = instructions().size();
-
- emitOpcode(op_next_pname);
- instructions().append(dst->index());
- instructions().append(base->index());
- instructions().append(i->index());
- instructions().append(size->index());
- instructions().append(iter->index());
- instructions().append(target->bind(begin, instructions().size()));
- return dst;
-}
-
</del><span class="cx"> TryData* BytecodeGenerator::pushTry(Label* start)
</span><span class="cx"> {
</span><span class="cx"> TryData tryData;
</span><span class="lines">@@ -2553,4 +2546,128 @@
</span><span class="cx"> emitLabel(scope->breakTarget());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+RegisterID* BytecodeGenerator::emitGetEnumerableLength(RegisterID* dst, RegisterID* base)
+{
+ emitOpcode(op_get_enumerable_length);
+ instructions().append(dst->index());
+ instructions().append(base->index());
+ return dst;
+}
+
+RegisterID* BytecodeGenerator::emitHasGenericProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName)
+{
+ emitOpcode(op_has_generic_property);
+ instructions().append(dst->index());
+ instructions().append(base->index());
+ instructions().append(propertyName->index());
+ return dst;
+}
+
+RegisterID* BytecodeGenerator::emitHasIndexedProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName)
+{
+ UnlinkedArrayProfile arrayProfile = newArrayProfile();
+ emitOpcode(op_has_indexed_property);
+ instructions().append(dst->index());
+ instructions().append(base->index());
+ instructions().append(propertyName->index());
+ instructions().append(arrayProfile);
+ return dst;
+}
+
+RegisterID* BytecodeGenerator::emitHasStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator)
+{
+ emitOpcode(op_has_structure_property);
+ instructions().append(dst->index());
+ instructions().append(base->index());
+ instructions().append(propertyName->index());
+ instructions().append(enumerator->index());
+ return dst;
+}
+
+RegisterID* BytecodeGenerator::emitGetStructurePropertyEnumerator(RegisterID* dst, RegisterID* base, RegisterID* length)
+{
+ emitOpcode(op_get_structure_property_enumerator);
+ instructions().append(dst->index());
+ instructions().append(base->index());
+ instructions().append(length->index());
+ return dst;
+}
+
+RegisterID* BytecodeGenerator::emitGetGenericPropertyEnumerator(RegisterID* dst, RegisterID* base, RegisterID* length, RegisterID* structureEnumerator)
+{
+ emitOpcode(op_get_generic_property_enumerator);
+ instructions().append(dst->index());
+ instructions().append(base->index());
+ instructions().append(length->index());
+ instructions().append(structureEnumerator->index());
+ return dst;
+}
+
+RegisterID* BytecodeGenerator::emitNextEnumeratorPropertyName(RegisterID* dst, RegisterID* enumerator, RegisterID* index)
+{
+ emitOpcode(op_next_enumerator_pname);
+ instructions().append(dst->index());
+ instructions().append(enumerator->index());
+ instructions().append(index->index());
+ return dst;
+}
+
+RegisterID* BytecodeGenerator::emitToIndexString(RegisterID* dst, RegisterID* index)
+{
+ emitOpcode(op_to_index_string);
+ instructions().append(dst->index());
+ instructions().append(index->index());
+ return dst;
+}
+
+void BytecodeGenerator::pushIndexedForInScope(RegisterID* localRegister, RegisterID* indexRegister)
+{
+ if (!localRegister)
+ return;
+ m_forInContextStack.append(std::make_unique<IndexedForInContext>(localRegister, indexRegister));
+}
+
+void BytecodeGenerator::popIndexedForInScope(RegisterID* localRegister)
+{
+ if (!localRegister)
+ return;
+ m_forInContextStack.removeLast();
+}
+
+void BytecodeGenerator::pushStructureForInScope(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
+{
+ if (!localRegister)
+ return;
+ m_forInContextStack.append(std::make_unique<StructureForInContext>(localRegister, indexRegister, propertyRegister, enumeratorRegister));
+}
+
+void BytecodeGenerator::popStructureForInScope(RegisterID* localRegister)
+{
+ if (!localRegister)
+ return;
+ m_forInContextStack.removeLast();
+}
+
+void BytecodeGenerator::invalidateForInContextForLocal(RegisterID* localRegister)
+{
+ // Lexically invalidating ForInContexts is kind of weak sauce, but it only occurs if
+ // either of the following conditions is true:
+ //
+ // (1) The loop iteration variable is re-assigned within the body of the loop.
+ // (2) The loop iteration variable is captured in the lexical scope of the function.
+ //
+ // These two situations occur sufficiently rarely that it's okay to use this style of
+ // "analysis" to make iteration faster. If we didn't want to do this, we would either have
+ // to perform some flow-sensitive analysis to see if/when the loop iteration variable was
+ // reassigned, or we'd have to resort to runtime checks to see if the variable had been
+ // reassigned from its original value.
+ for (size_t i = m_forInContextStack.size(); i > 0; i--) {
+ ForInContext* context = m_forInContextStack[i - 1].get();
+ if (context->local() != localRegister)
+ continue;
+ context->invalidate();
+ break;
+ }
+}
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -97,13 +97,78 @@
</span><span class="cx"> FinallyContext finallyContext;
</span><span class="cx"> };
</span><span class="cx">
</span><del>- struct ForInContext {
- RefPtr<RegisterID> expectedSubscriptRegister;
- RefPtr<RegisterID> iterRegister;
- RefPtr<RegisterID> indexRegister;
- RefPtr<RegisterID> propertyRegister;
</del><ins>+ class ForInContext {
+ public:
+ ForInContext(RegisterID* localRegister)
+ : m_localRegister(localRegister)
+ , m_isValid(true)
+ {
+ }
+
+ virtual ~ForInContext()
+ {
+ }
+
+ bool isValid() const { return m_isValid; }
+ void invalidate() { m_isValid = false; }
+
+ enum ForInContextType {
+ StructureForInContextType,
+ IndexedForInContextType
+ };
+ virtual ForInContextType type() const = 0;
+
+ RegisterID* local() const { return m_localRegister.get(); }
+
+ private:
+ RefPtr<RegisterID> m_localRegister;
+ bool m_isValid;
</ins><span class="cx"> };
</span><span class="cx">
</span><ins>+ class StructureForInContext : public ForInContext {
+ public:
+ StructureForInContext(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
+ : ForInContext(localRegister)
+ , m_indexRegister(indexRegister)
+ , m_propertyRegister(propertyRegister)
+ , m_enumeratorRegister(enumeratorRegister)
+ {
+ }
+
+ virtual ForInContextType type() const
+ {
+ return StructureForInContextType;
+ }
+
+ RegisterID* index() const { return m_indexRegister.get(); }
+ RegisterID* property() const { return m_propertyRegister.get(); }
+ RegisterID* enumerator() const { return m_enumeratorRegister.get(); }
+
+ private:
+ RefPtr<RegisterID> m_indexRegister;
+ RefPtr<RegisterID> m_propertyRegister;
+ RefPtr<RegisterID> m_enumeratorRegister;
+ };
+
+ class IndexedForInContext : public ForInContext {
+ public:
+ IndexedForInContext(RegisterID* localRegister, RegisterID* indexRegister)
+ : ForInContext(localRegister)
+ , m_indexRegister(indexRegister)
+ {
+ }
+
+ virtual ForInContextType type() const
+ {
+ return IndexedForInContextType;
+ }
+
+ RegisterID* index() const { return m_indexRegister.get(); }
+
+ private:
+ RefPtr<RegisterID> m_indexRegister;
+ };
+
</ins><span class="cx"> struct TryData {
</span><span class="cx"> RefPtr<Label> target;
</span><span class="cx"> unsigned targetScopeDepth;
</span><span class="lines">@@ -324,13 +389,6 @@
</span><span class="cx"> m_codeBlock->addExpressionInfo(instructionOffset, divotOffset, startOffset, endOffset, line, column);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void emitHighFidelityTypeProfilingExpressionInfo(const JSTextPosition& startDivot, const JSTextPosition& endDivot)
- {
- unsigned start = startDivot.offset + 1; // Ranges are inclusive of their endpoints, AND 1 indexed.
- unsigned end = endDivot.offset; // End Ranges already go one past the inclusive range, so no need to do + 1 - 1.
- unsigned instructionOffset = instructions().size() - 1;
- m_codeBlock->addHighFidelityTypeProfileExpressionInfo(instructionOffset, start, end);
- }
</del><span class="cx">
</span><span class="cx"> ALWAYS_INLINE bool leftHandSideNeedsCopy(bool rightHasAssignments, bool rightIsPure)
</span><span class="cx"> {
</span><span class="lines">@@ -348,6 +406,7 @@
</span><span class="cx"> return emitNode(n);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void emitHighFidelityTypeProfilingExpressionInfo(const JSTextPosition& startDivot, const JSTextPosition& endDivot);
</ins><span class="cx"> void emitProfileTypesWithHighFidelity(RegisterID* dst, ProfileTypesWithHighFidelityBytecodeFlag);
</span><span class="cx">
</span><span class="cx"> RegisterID* emitLoad(RegisterID* dst, bool);
</span><span class="lines">@@ -428,8 +487,14 @@
</span><span class="cx"> PassRefPtr<Label> emitJumpIfNotFunctionApply(RegisterID* cond, Label* target);
</span><span class="cx"> void emitPopScopes(int targetScopeDepth);
</span><span class="cx">
</span><del>- RegisterID* emitGetPropertyNames(RegisterID* dst, RegisterID* base, RegisterID* i, RegisterID* size, Label* breakTarget);
- RegisterID* emitNextPropertyName(RegisterID* dst, RegisterID* base, RegisterID* i, RegisterID* size, RegisterID* iter, Label* target);
</del><ins>+ RegisterID* emitHasIndexedProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName);
+ RegisterID* emitHasStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator);
+ RegisterID* emitHasGenericProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName);
+ RegisterID* emitGetEnumerableLength(RegisterID* dst, RegisterID* base);
+ RegisterID* emitGetStructurePropertyEnumerator(RegisterID* dst, RegisterID* base, RegisterID* length);
+ RegisterID* emitGetGenericPropertyEnumerator(RegisterID* dst, RegisterID* base, RegisterID* length, RegisterID* structureEnumerator);
+ RegisterID* emitNextEnumeratorPropertyName(RegisterID* dst, RegisterID* enumerator, RegisterID* index);
+ RegisterID* emitToIndexString(RegisterID* dst, RegisterID* index);
</ins><span class="cx">
</span><span class="cx"> void emitReadOnlyExceptionIfNeeded();
</span><span class="cx">
</span><span class="lines">@@ -460,17 +525,12 @@
</span><span class="cx"> void pushFinallyContext(StatementNode* finallyBlock);
</span><span class="cx"> void popFinallyContext();
</span><span class="cx">
</span><del>- void pushOptimisedForIn(RegisterID* expectedSubscript, RegisterID* iter, RegisterID* index, RegisterID* propertyRegister)
- {
- ForInContext context = { expectedSubscript, iter, index, propertyRegister };
- m_forInContextStack.append(context);
- }
</del><ins>+ void pushIndexedForInScope(RegisterID* local, RegisterID* index);
+ void popIndexedForInScope(RegisterID* local);
+ void pushStructureForInScope(RegisterID* local, RegisterID* index, RegisterID* property, RegisterID* enumerator);
+ void popStructureForInScope(RegisterID* local);
+ void invalidateForInContextForLocal(RegisterID* local);
</ins><span class="cx">
</span><del>- void popOptimisedForIn()
- {
- m_forInContextStack.removeLast();
- }
-
</del><span class="cx"> LabelScopePtr breakTarget(const Identifier&);
</span><span class="cx"> LabelScopePtr continueTarget(const Identifier&);
</span><span class="cx">
</span><span class="lines">@@ -668,7 +728,7 @@
</span><span class="cx">
</span><span class="cx"> Vector<ControlFlowContext, 0, UnsafeVectorOverflow> m_scopeContextStack;
</span><span class="cx"> Vector<SwitchInfo> m_switchContextStack;
</span><del>- Vector<ForInContext> m_forInContextStack;
</del><ins>+ Vector<std::unique_ptr<ForInContext>> m_forInContextStack;
</ins><span class="cx"> Vector<TryContext> m_tryContextStack;
</span><span class="cx"> Vector<std::pair<RefPtr<RegisterID>, const DeconstructionPatternNode*>> m_deconstructedParameters;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerNodesCodegencpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1505,12 +1505,14 @@
</span><span class="cx"> generator.emitMove(result.get(), local.get());
</span><span class="cx"> emitReadModifyAssignment(generator, result.get(), result.get(), m_right, m_operator, OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
</span><span class="cx"> generator.emitMove(local.get(), result.get());
</span><ins>+ generator.invalidateForInContextForLocal(local.get());
</ins><span class="cx"> if (generator.isProfilingTypesWithHighFidelity())
</span><span class="cx"> generator.emitHighFidelityTypeProfilingExpressionInfo(divotStart(), divotEnd());
</span><span class="cx"> return generator.moveToDestinationIfNeeded(dst, result.get());
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> RegisterID* result = emitReadModifyAssignment(generator, local.get(), local.get(), m_right, m_operator, OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
</span><ins>+ generator.invalidateForInContextForLocal(local.get());
</ins><span class="cx"> return generator.moveToDestinationIfNeeded(dst, result);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1540,11 +1542,13 @@
</span><span class="cx"> RefPtr<RegisterID> tempDst = generator.tempDestination(dst);
</span><span class="cx"> generator.emitNode(tempDst.get(), m_right);
</span><span class="cx"> generator.emitMove(local.get(), tempDst.get());
</span><ins>+ generator.invalidateForInContextForLocal(local.get());
</ins><span class="cx"> if (generator.isProfilingTypesWithHighFidelity())
</span><span class="cx"> generator.emitHighFidelityTypeProfilingExpressionInfo(divotStart(), divotEnd());
</span><span class="cx"> return generator.moveToDestinationIfNeeded(dst, tempDst.get());
</span><span class="cx"> }
</span><span class="cx"> RegisterID* result = generator.emitNode(local.get(), m_right);
</span><ins>+ generator.invalidateForInContextForLocal(local.get());
</ins><span class="cx"> return generator.moveToDestinationIfNeeded(dst, result);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1920,104 +1924,219 @@
</span><span class="cx">
</span><span class="cx"> // ------------------------------ ForInNode ------------------------------------
</span><span class="cx">
</span><del>-void ForInNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
</del><ins>+RegisterID* ForInNode::tryGetBoundLocal(BytecodeGenerator& generator)
</ins><span class="cx"> {
</span><del>- LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
-
- if (!m_lexpr->isAssignmentLocation()) {
- emitThrowReferenceError(generator, "Left side of for-in statement is not a reference.");
- return;
</del><ins>+ if (m_lexpr->isResolveNode()) {
+ const Identifier& ident = static_cast<ResolveNode*>(m_lexpr)->identifier();
+ Local local = generator.local(ident);
+ if (local.isCaptured())
+ return nullptr;
+ return local.get();
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
</del><ins>+ if (m_lexpr->isDeconstructionNode()) {
+ DeconstructingAssignmentNode* assignNode = static_cast<DeconstructingAssignmentNode*>(m_lexpr);
+ auto binding = assignNode->bindings();
+ if (!binding->isBindingNode())
+ return nullptr;
</ins><span class="cx">
</span><del>- RefPtr<RegisterID> base = generator.newTemporary();
- generator.emitNode(base.get(), m_expr);
- RefPtr<RegisterID> i = generator.newTemporary();
- RefPtr<RegisterID> size = generator.newTemporary();
- RefPtr<RegisterID> expectedSubscript;
- RefPtr<RegisterID> iter = generator.emitGetPropertyNames(generator.newTemporary(), base.get(), i.get(), size.get(), scope->breakTarget());
- generator.emitJump(scope->continueTarget());
</del><ins>+ auto simpleBinding = static_cast<BindingNode*>(binding);
+ const Identifier& ident = simpleBinding->boundProperty();
+ Local local = generator.local(ident);
+ if (local.isCaptured())
+ return nullptr;
+ return local.get();
+ }
</ins><span class="cx">
</span><del>- RefPtr<Label> loopStart = generator.newLabel();
- generator.emitLabel(loopStart.get());
- generator.emitLoopHint();
</del><ins>+ return nullptr;
+}
</ins><span class="cx">
</span><del>- RegisterID* propertyName;
- bool optimizedForinAccess = false;
</del><ins>+void ForInNode::emitLoopHeader(BytecodeGenerator& generator, RegisterID* propertyName)
+{
</ins><span class="cx"> if (m_lexpr->isResolveNode()) {
</span><span class="cx"> const Identifier& ident = static_cast<ResolveNode*>(m_lexpr)->identifier();
</span><span class="cx"> Local local = generator.local(ident);
</span><del>- if (!local.get()) {
- propertyName = generator.newTemporary();
- RefPtr<RegisterID> protect = propertyName;
</del><ins>+ if (local.get())
+ generator.emitMove(local.get(), propertyName);
+ else {
</ins><span class="cx"> if (generator.isStrictMode())
</span><span class="cx"> generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
</span><span class="cx"> RegisterID* scope = generator.emitResolveScope(generator.newTemporary(), ident);
</span><span class="cx"> generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
</span><span class="cx"> generator.emitPutToScope(scope, ident, propertyName, generator.isStrictMode() ? ThrowIfNotFound : DoNotThrowIfNotFound);
</span><del>- } else {
- expectedSubscript = generator.newTemporary();
- propertyName = expectedSubscript.get();
- generator.emitMove(local.get(), propertyName);
- generator.pushOptimisedForIn(expectedSubscript.get(), iter.get(), i.get(), local.get());
- optimizedForinAccess = true;
</del><span class="cx"> }
</span><del>- } else if (m_lexpr->isDotAccessorNode()) {
</del><ins>+ return;
+ }
+ if (m_lexpr->isDotAccessorNode()) {
</ins><span class="cx"> DotAccessorNode* assignNode = static_cast<DotAccessorNode*>(m_lexpr);
</span><span class="cx"> const Identifier& ident = assignNode->identifier();
</span><del>- propertyName = generator.newTemporary();
- RefPtr<RegisterID> protect = propertyName;
</del><span class="cx"> RegisterID* base = generator.emitNode(assignNode->base());
</span><del>-
</del><span class="cx"> generator.emitExpressionInfo(assignNode->divot(), assignNode->divotStart(), assignNode->divotEnd());
</span><span class="cx"> generator.emitPutById(base, ident, propertyName);
</span><del>- } else if (m_lexpr->isBracketAccessorNode()) {
</del><ins>+ return;
+ }
+ if (m_lexpr->isBracketAccessorNode()) {
</ins><span class="cx"> BracketAccessorNode* assignNode = static_cast<BracketAccessorNode*>(m_lexpr);
</span><del>- propertyName = generator.newTemporary();
- RefPtr<RegisterID> protect = propertyName;
</del><span class="cx"> RefPtr<RegisterID> base = generator.emitNode(assignNode->base());
</span><span class="cx"> RegisterID* subscript = generator.emitNode(assignNode->subscript());
</span><del>-
</del><span class="cx"> generator.emitExpressionInfo(assignNode->divot(), assignNode->divotStart(), assignNode->divotEnd());
</span><span class="cx"> generator.emitPutByVal(base.get(), subscript, propertyName);
</span><del>- } else {
- ASSERT(m_lexpr->isDeconstructionNode());
</del><ins>+ return;
+ }
+
+ if (m_lexpr->isDeconstructionNode()) {
</ins><span class="cx"> DeconstructingAssignmentNode* assignNode = static_cast<DeconstructingAssignmentNode*>(m_lexpr);
</span><span class="cx"> auto binding = assignNode->bindings();
</span><del>- if (binding->isBindingNode()) {
- auto simpleBinding = static_cast<BindingNode*>(binding);
- Identifier ident = simpleBinding->boundProperty();
- Local local = generator.local(ident);
- propertyName = local.get();
- // FIXME: Should I emit expression info here?
- if (!propertyName || local.isCaptured() || generator.isProfilingTypesWithHighFidelity())
- goto genericBinding;
- expectedSubscript = generator.emitMove(generator.newTemporary(), propertyName);
- generator.pushOptimisedForIn(expectedSubscript.get(), iter.get(), i.get(), propertyName);
- optimizedForinAccess = true;
- goto completedSimpleBinding;
- } else {
- genericBinding:
- propertyName = generator.newTemporary();
- RefPtr<RegisterID> protect(propertyName);
</del><ins>+ if (!binding->isBindingNode()) {
</ins><span class="cx"> assignNode->bindings()->bindValue(generator, propertyName);
</span><ins>+ return;
</ins><span class="cx"> }
</span><del>- completedSimpleBinding:
- ;
</del><ins>+
+ auto simpleBinding = static_cast<BindingNode*>(binding);
+ const Identifier& ident = simpleBinding->boundProperty();
+ Local local = generator.local(ident);
+ if (!local.get() || local.isCaptured()) {
+ assignNode->bindings()->bindValue(generator, propertyName);
+ return;
+ }
+ generator.emitMove(local.get(), propertyName);
+ return;
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- generator.emitNode(dst, m_statement);
</del><ins>+ RELEASE_ASSERT_NOT_REACHED();
+}
</ins><span class="cx">
</span><del>- if (optimizedForinAccess)
- generator.popOptimisedForIn();
</del><ins>+void ForInNode::emitMultiLoopBytecode(BytecodeGenerator& generator, RegisterID* dst)
+{
+ if (!m_lexpr->isAssignmentLocation()) {
+ emitThrowReferenceError(generator, "Left side of for-in statement is not a reference.");
+ return;
+ }
</ins><span class="cx">
</span><del>- generator.emitLabel(scope->continueTarget());
- generator.emitNextPropertyName(propertyName, base.get(), i.get(), size.get(), iter.get(), loopStart.get());
</del><ins>+ RefPtr<Label> end = generator.newLabel();
+
</ins><span class="cx"> generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
</span><del>- generator.emitLabel(scope->breakTarget());
</del><ins>+
+ RefPtr<RegisterID> base = generator.newTemporary();
+ RefPtr<RegisterID> length;
+ RefPtr<RegisterID> structureEnumerator;
+ generator.emitNode(base.get(), m_expr);
+ RefPtr<RegisterID> local = this->tryGetBoundLocal(generator);
+
+ // Indexed property loop.
+ {
+ LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
+ RefPtr<Label> loopStart = generator.newLabel();
+ RefPtr<Label> loopEnd = generator.newLabel();
+
+ length = generator.emitGetEnumerableLength(generator.newTemporary(), base.get());
+ RefPtr<RegisterID> i = generator.emitLoad(generator.newTemporary(), jsNumber(0));
+ RefPtr<RegisterID> propertyName = generator.newTemporary();
+
+ generator.emitLabel(loopStart.get());
+ generator.emitLoopHint();
+
+ RefPtr<RegisterID> result = generator.emitEqualityOp(op_less, generator.newTemporary(), i.get(), length.get());
+ generator.emitJumpIfFalse(result.get(), loopEnd.get());
+ generator.emitHasIndexedProperty(result.get(), base.get(), i.get());
+ generator.emitJumpIfFalse(result.get(), scope->continueTarget());
+
+ generator.emitToIndexString(propertyName.get(), i.get());
+ this->emitLoopHeader(generator, propertyName.get());
+
+ generator.pushIndexedForInScope(local.get(), i.get());
+ generator.emitNode(dst, m_statement);
+ generator.popIndexedForInScope(local.get());
+
+ generator.emitLabel(scope->continueTarget());
+ generator.emitInc(i.get());
+ generator.emitJump(loopStart.get());
+
+ generator.emitLabel(scope->breakTarget());
+ generator.emitJump(end.get());
+ generator.emitLabel(loopEnd.get());
+ }
+
+ // Structure property loop.
+ {
+ LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
+ RefPtr<Label> loopStart = generator.newLabel();
+ RefPtr<Label> loopEnd = generator.newLabel();
+
+ structureEnumerator = generator.emitGetStructurePropertyEnumerator(generator.newTemporary(), base.get(), length.get());
+ RefPtr<RegisterID> i = generator.emitLoad(generator.newTemporary(), jsNumber(0));
+ RefPtr<RegisterID> propertyName = generator.newTemporary();
+ generator.emitNextEnumeratorPropertyName(propertyName.get(), structureEnumerator.get(), i.get());
+
+ generator.emitLabel(loopStart.get());
+ generator.emitLoopHint();
+
+ RefPtr<RegisterID> result = generator.emitUnaryOp(op_eq_null, generator.newTemporary(), propertyName.get());
+ generator.emitJumpIfTrue(result.get(), loopEnd.get());
+ generator.emitHasStructureProperty(result.get(), base.get(), propertyName.get(), structureEnumerator.get());
+ generator.emitJumpIfFalse(result.get(), scope->continueTarget());
+
+ this->emitLoopHeader(generator, propertyName.get());
+
+ generator.pushStructureForInScope(local.get(), i.get(), propertyName.get(), structureEnumerator.get());
+ generator.emitNode(dst, m_statement);
+ generator.popStructureForInScope(local.get());
+
+ generator.emitLabel(scope->continueTarget());
+ generator.emitInc(i.get());
+ generator.emitNextEnumeratorPropertyName(propertyName.get(), structureEnumerator.get(), i.get());
+ generator.emitJump(loopStart.get());
+
+ generator.emitLabel(scope->breakTarget());
+ generator.emitJump(end.get());
+ generator.emitLabel(loopEnd.get());
+ }
+
+ // Generic property loop.
+ {
+ LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
+ RefPtr<Label> loopStart = generator.newLabel();
+ RefPtr<Label> loopEnd = generator.newLabel();
+
+ RefPtr<RegisterID> genericEnumerator = generator.emitGetGenericPropertyEnumerator(generator.newTemporary(), base.get(), length.get(), structureEnumerator.get());
+ RefPtr<RegisterID> i = generator.emitLoad(generator.newTemporary(), jsNumber(0));
+ RefPtr<RegisterID> propertyName = generator.newTemporary();
+
+ generator.emitNextEnumeratorPropertyName(propertyName.get(), genericEnumerator.get(), i.get());
+ RefPtr<RegisterID> result = generator.emitUnaryOp(op_eq_null, generator.newTemporary(), propertyName.get());
+ generator.emitJumpIfTrue(result.get(), loopEnd.get());
+
+ generator.emitLabel(loopStart.get());
+ generator.emitLoopHint();
+
+ this->emitLoopHeader(generator, propertyName.get());
+
+ generator.emitNode(dst, m_statement);
+
+ generator.emitLabel(scope->continueTarget());
+ generator.emitInc(i.get());
+ generator.emitNextEnumeratorPropertyName(propertyName.get(), genericEnumerator.get(), i.get());
+ generator.emitUnaryOp(op_eq_null, result.get(), propertyName.get());
+ generator.emitJumpIfTrue(result.get(), loopEnd.get());
+
+ generator.emitHasGenericProperty(result.get(), base.get(), propertyName.get());
+ generator.emitJumpIfTrue(result.get(), loopStart.get());
+ generator.emitJump(scope->continueTarget());
+
+ generator.emitLabel(scope->breakTarget());
+ generator.emitJump(end.get());
+ generator.emitLabel(loopEnd.get());
+ }
+
+ generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
+ generator.emitLabel(end.get());
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+void ForInNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
+{
+ this->emitMultiLoopBytecode(generator, dst);
+}
+
</ins><span class="cx"> // ------------------------------ ForOfNode ------------------------------------
</span><span class="cx"> void ForOfNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredebuggerDebuggerScopeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/debugger/DebuggerScope.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/debugger/DebuggerScope.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/debugger/DebuggerScope.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -94,7 +94,7 @@
</span><span class="cx">
</span><span class="cx"> JSScope* jsScope() const { return m_scope.get(); }
</span><span class="cx">
</span><del>- static const unsigned StructureFlags = OverridesGetOwnPropertySlot | JSObject::StructureFlags;
</del><ins>+ static const unsigned StructureFlags = OverridesGetOwnPropertySlot | OverridesGetPropertyNames | JSObject::StructureFlags;
</ins><span class="cx">
</span><span class="cx"> WriteBarrier<JSScope> m_scope;
</span><span class="cx"> WriteBarrier<DebuggerScope> m_next;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractHeaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -53,6 +53,7 @@
</span><span class="cx"> macro(JSCell_typeInfoType) \
</span><span class="cx"> macro(JSObject_butterfly) \
</span><span class="cx"> macro(JSVariableObject_registers) \
</span><ins>+ macro(JSPropertyNameEnumerator_cachedPropertyNames) \
</ins><span class="cx"> macro(NamedProperties) \
</span><span class="cx"> macro(IndexedInt32Properties) \
</span><span class="cx"> macro(IndexedDoubleProperties) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1795,13 +1795,65 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case In:
</del><ins>+ case In: {
</ins><span class="cx"> // FIXME: We can determine when the property definitely exists based on abstract
</span><span class="cx"> // value information.
</span><span class="cx"> clobberWorld(node->origin.semantic, clobberLimit);
</span><span class="cx"> forNode(node).setType(SpecBoolean);
</span><span class="cx"> break;
</span><ins>+ }
</ins><span class="cx">
</span><ins>+ case GetEnumerableLength: {
+ forNode(node).setType(SpecInt32);
+ break;
+ }
+ case HasGenericProperty: {
+ forNode(node).setType(SpecBoolean);
+ break;
+ }
+ case HasStructureProperty: {
+ forNode(node).setType(SpecBoolean);
+ break;
+ }
+ case HasIndexedProperty: {
+ ArrayMode mode = node->arrayMode();
+ switch (mode.type()) {
+ case Array::Int32:
+ case Array::Double:
+ case Array::Contiguous:
+ case Array::ArrayStorage: {
+ break;
+ }
+ default: {
+ clobberWorld(node->origin.semantic, clobberLimit);
+ break;
+ }
+ }
+ forNode(node).setType(SpecBoolean);
+ break;
+ }
+ case GetDirectPname: {
+ clobberWorld(node->origin.semantic, clobberLimit);
+ forNode(node).makeHeapTop();
+ break;
+ }
+ case GetStructurePropertyEnumerator: {
+ forNode(node).setType(SpecCell);
+ break;
+ }
+ case GetGenericPropertyEnumerator: {
+ forNode(node).setType(SpecCell);
+ break;
+ }
+ case GetEnumeratorPname: {
+ forNode(node).setType(SpecString | SpecOther);
+ break;
+ }
+ case ToIndexString: {
+ forNode(node).setType(SpecString);
+ break;
+ }
+
</ins><span class="cx"> case GetGlobalVar:
</span><span class="cx"> forNode(node).makeHeapTop();
</span><span class="cx"> break;
</span><span class="lines">@@ -1866,12 +1918,25 @@
</span><span class="cx"> case ProfileDidCall:
</span><span class="cx"> case Phantom:
</span><span class="cx"> case HardPhantom:
</span><del>- case Check:
</del><span class="cx"> case CountExecution:
</span><span class="cx"> case CheckTierUpInLoop:
</span><span class="cx"> case CheckTierUpAtReturn:
</span><span class="cx"> break;
</span><span class="cx">
</span><ins>+ case Check: {
+ // Simplify out checks that don't actually do checking.
+ for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
+ Edge edge = node->children.child(i);
+ if (!edge)
+ break;
+ if (edge.isProved() || edge.willNotHaveCheck()) {
+ m_state.setFoundConstants(true);
+ break;
+ }
+ }
+ break;
+ }
+
</ins><span class="cx"> case StoreBarrier: {
</span><span class="cx"> filter(node->child1(), SpecCell);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1107,10 +1107,8 @@
</span><span class="cx"> if (JSFunction* function = callLinkStatus.function())
</span><span class="cx"> addToGraph(CheckFunction, OpInfo(m_graph.freeze(function)), callTarget, thisArgument);
</span><span class="cx"> else {
</span><del>- ASSERT(callLinkStatus.structure());
</del><span class="cx"> ASSERT(callLinkStatus.executable());
</span><span class="cx">
</span><del>- addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(callLinkStatus.structure())), callTarget);
</del><span class="cx"> addToGraph(CheckExecutable, OpInfo(callLinkStatus.executable()), callTarget, thisArgument);
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="lines">@@ -3208,6 +3206,82 @@
</span><span class="cx"> NEXT_OPCODE(op_in);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case op_get_enumerable_length: {
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(GetEnumerableLength,
+ get(VirtualRegister(currentInstruction[2].u.operand))));
+ NEXT_OPCODE(op_get_enumerable_length);
+ }
+
+ case op_has_generic_property: {
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(HasGenericProperty,
+ get(VirtualRegister(currentInstruction[2].u.operand)),
+ get(VirtualRegister(currentInstruction[3].u.operand))));
+ NEXT_OPCODE(op_has_generic_property);
+ }
+
+ case op_has_structure_property: {
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(HasStructureProperty,
+ get(VirtualRegister(currentInstruction[2].u.operand)),
+ get(VirtualRegister(currentInstruction[3].u.operand)),
+ get(VirtualRegister(currentInstruction[4].u.operand))));
+ NEXT_OPCODE(op_has_structure_property);
+ }
+
+ case op_has_indexed_property: {
+ Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
+ ArrayMode arrayMode = getArrayModeConsideringSlowPath(currentInstruction[4].u.arrayProfile, Array::Read);
+ Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
+ Node* hasIterableProperty = addToGraph(HasIndexedProperty, OpInfo(arrayMode.asWord()), base, property);
+ set(VirtualRegister(currentInstruction[1].u.operand), hasIterableProperty);
+ NEXT_OPCODE(op_has_indexed_property);
+ }
+
+ case op_get_direct_pname: {
+ SpeculatedType prediction = getPredictionWithoutOSRExit();
+
+ Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
+ Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
+ Node* index = get(VirtualRegister(currentInstruction[4].u.operand));
+ Node* enumerator = get(VirtualRegister(currentInstruction[5].u.operand));
+
+ addVarArgChild(base);
+ addVarArgChild(property);
+ addVarArgChild(index);
+ addVarArgChild(enumerator);
+ set(VirtualRegister(currentInstruction[1].u.operand),
+ addToGraph(Node::VarArg, GetDirectPname, OpInfo(0), OpInfo(prediction)));
+
+ NEXT_OPCODE(op_get_direct_pname);
+ }
+
+ case op_get_structure_property_enumerator: {
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(GetStructurePropertyEnumerator,
+ get(VirtualRegister(currentInstruction[2].u.operand)),
+ get(VirtualRegister(currentInstruction[3].u.operand))));
+ NEXT_OPCODE(op_get_structure_property_enumerator);
+ }
+
+ case op_get_generic_property_enumerator: {
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(GetGenericPropertyEnumerator,
+ get(VirtualRegister(currentInstruction[2].u.operand)),
+ get(VirtualRegister(currentInstruction[3].u.operand)),
+ get(VirtualRegister(currentInstruction[4].u.operand))));
+ NEXT_OPCODE(op_get_generic_property_enumerator);
+ }
+
+ case op_next_enumerator_pname: {
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(GetEnumeratorPname,
+ get(VirtualRegister(currentInstruction[2].u.operand)),
+ get(VirtualRegister(currentInstruction[3].u.operand))));
+ NEXT_OPCODE(op_next_enumerator_pname);
+ }
+
+ case op_to_index_string: {
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(ToIndexString,
+ get(VirtualRegister(currentInstruction[2].u.operand))));
+ NEXT_OPCODE(op_to_index_string);
+ }
+
</ins><span class="cx"> default:
</span><span class="cx"> // Parse failed! This should not happen because the capabilities checker
</span><span class="cx"> // should have caught it.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -193,6 +193,15 @@
</span><span class="cx"> case op_switch_char:
</span><span class="cx"> case op_in:
</span><span class="cx"> case op_get_from_scope:
</span><ins>+ case op_get_enumerable_length:
+ case op_has_generic_property:
+ case op_has_structure_property:
+ case op_has_indexed_property:
+ case op_get_direct_pname:
+ case op_get_structure_property_enumerator:
+ case op_get_generic_property_enumerator:
+ case op_next_enumerator_pname:
+ case op_to_index_string:
</ins><span class="cx"> return CanCompileAndInline;
</span><span class="cx">
</span><span class="cx"> case op_put_to_scope: {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -147,6 +147,87 @@
</span><span class="cx"> def(PureValue(node));
</span><span class="cx"> return;
</span><span class="cx">
</span><ins>+ case HasGenericProperty:
+ case HasStructureProperty:
+ case GetEnumerableLength:
+ case GetStructurePropertyEnumerator:
+ case GetGenericPropertyEnumerator: {
+ read(World);
+ write(SideState);
+ return;
+ }
+
+ case GetDirectPname: {
+ // This reads and writes world because it can end up calling a generic getByVal
+ // if the Structure changed, which could in turn end up calling a getter.
+ read(World);
+ write(World);
+ return;
+ }
+
+ case ToIndexString:
+ case GetEnumeratorPname: {
+ def(PureValue(node));
+ return;
+ }
+
+ case HasIndexedProperty: {
+ read(JSObject_butterfly);
+ ArrayMode mode = node->arrayMode();
+ switch (mode.type()) {
+ case Array::Int32: {
+ if (mode.isInBounds()) {
+ read(Butterfly_publicLength);
+ read(IndexedInt32Properties);
+ def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, node->child1(), node->child2()), node);
+ return;
+ }
+ read(World);
+ return;
+ }
+
+ case Array::Double: {
+ if (mode.isInBounds()) {
+ read(Butterfly_publicLength);
+ read(IndexedDoubleProperties);
+ def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, node->child1(), node->child2()), node);
+ return;
+ }
+ read(World);
+ return;
+ }
+
+ case Array::Contiguous: {
+ if (mode.isInBounds()) {
+ read(Butterfly_publicLength);
+ read(IndexedContiguousProperties);
+ def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, node->child1(), node->child2()), node);
+ return;
+ }
+ read(World);
+ return;
+ }
+
+ case Array::ArrayStorage: {
+ if (mode.isInBounds()) {
+ read(Butterfly_vectorLength);
+ read(IndexedArrayStorageProperties);
+ return;
+ }
+ read(World);
+ return;
+ }
+
+ default: {
+ read(World);
+ write(World);
+ return;
+ }
+ }
+ RELEASE_ASSERT_NOT_REACHED();
+ return;
+ }
+
</ins><span class="cx"> case ArithAdd:
</span><span class="cx"> case ArithSub:
</span><span class="cx"> case ArithNegate:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -86,6 +86,7 @@
</span><span class="cx">
</span><span class="cx"> Node* node = block->at(indexInBlock);
</span><span class="cx">
</span><ins>+ bool alreadyHandled = false;
</ins><span class="cx"> bool eliminated = false;
</span><span class="cx">
</span><span class="cx"> switch (node->op()) {
</span><span class="lines">@@ -173,7 +174,7 @@
</span><span class="cx"> AbstractValue baseValue = m_state.forNode(base);
</span><span class="cx">
</span><span class="cx"> m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
</span><del>- eliminated = true; // Don't allow the default constant folder to do things to this.
</del><ins>+ alreadyHandled = true; // Don't allow the default constant folder to do things to this.
</ins><span class="cx">
</span><span class="cx"> for (unsigned i = 0; i < data.variants.size(); ++i) {
</span><span class="cx"> GetByIdVariant& variant = data.variants[i];
</span><span class="lines">@@ -181,6 +182,7 @@
</span><span class="cx"> if (variant.structureSet().isEmpty()) {
</span><span class="cx"> data.variants[i--] = data.variants.last();
</span><span class="cx"> data.variants.removeLast();
</span><ins>+ changed = true;
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -189,6 +191,7 @@
</span><span class="cx">
</span><span class="cx"> emitGetByOffset(
</span><span class="cx"> indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
</span><ins>+ changed = true;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -200,7 +203,7 @@
</span><span class="cx"> AbstractValue baseValue = m_state.forNode(base);
</span><span class="cx">
</span><span class="cx"> m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
</span><del>- eliminated = true; // Don't allow the default constant folder to do things to this.
</del><ins>+ alreadyHandled = true; // Don't allow the default constant folder to do things to this.
</ins><span class="cx">
</span><span class="cx">
</span><span class="cx"> for (unsigned i = 0; i < data.variants.size(); ++i) {
</span><span class="lines">@@ -210,6 +213,7 @@
</span><span class="cx"> if (variant.oldStructure().isEmpty()) {
</span><span class="cx"> data.variants[i--] = data.variants.last();
</span><span class="cx"> data.variants.removeLast();
</span><ins>+ changed = true;
</ins><span class="cx"> continue;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -218,6 +222,7 @@
</span><span class="cx"> variant = PutByIdVariant::replace(
</span><span class="cx"> variant.oldStructure(),
</span><span class="cx"> variant.offset());
</span><ins>+ changed = true;
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -226,6 +231,7 @@
</span><span class="cx">
</span><span class="cx"> emitPutByOffset(
</span><span class="cx"> indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
</span><ins>+ changed = true;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -238,7 +244,7 @@
</span><span class="cx"> AbstractValue baseValue = m_state.forNode(child);
</span><span class="cx">
</span><span class="cx"> m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
</span><del>- eliminated = true; // Don't allow the default constant folder to do things to this.
</del><ins>+ alreadyHandled = true; // Don't allow the default constant folder to do things to this.
</ins><span class="cx">
</span><span class="cx"> if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered()
</span><span class="cx"> || (node->child1().useKind() == UntypedUse || (baseValue.m_type & ~SpecCell)))
</span><span class="lines">@@ -260,6 +266,7 @@
</span><span class="cx">
</span><span class="cx"> if (status.numVariants() == 1) {
</span><span class="cx"> emitGetByOffset(indexInBlock, node, baseValue, status[0], identifierNumber);
</span><ins>+ changed = true;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -270,6 +277,7 @@
</span><span class="cx"> data->variants = status.variants();
</span><span class="cx"> data->identifierNumber = identifierNumber;
</span><span class="cx"> node->convertToMultiGetByOffset(data);
</span><ins>+ changed = true;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -286,7 +294,7 @@
</span><span class="cx"> AbstractValue baseValue = m_state.forNode(child);
</span><span class="cx">
</span><span class="cx"> m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
</span><del>- eliminated = true; // Don't allow the default constant folder to do things to this.
</del><ins>+ alreadyHandled = true; // Don't allow the default constant folder to do things to this.
</ins><span class="cx">
</span><span class="cx"> if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered())
</span><span class="cx"> break;
</span><span class="lines">@@ -301,6 +309,13 @@
</span><span class="cx"> if (!status.isSimple())
</span><span class="cx"> break;
</span><span class="cx">
</span><ins>+ ASSERT(status.numVariants());
+
+ if (status.numVariants() > 1 && !isFTL(m_graph.m_plan.mode))
+ break;
+
+ changed = true;
+
</ins><span class="cx"> for (unsigned i = status.numVariants(); i--;)
</span><span class="cx"> addChecks(origin, indexInBlock, status[i].constantChecks());
</span><span class="cx">
</span><span class="lines">@@ -309,8 +324,7 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (!isFTL(m_graph.m_plan.mode))
- break;
</del><ins>+ ASSERT(isFTL(m_graph.m_plan.mode));
</ins><span class="cx">
</span><span class="cx"> MultiPutByOffsetData* data = m_graph.m_multiPutByOffsetData.add();
</span><span class="cx"> data->variants = status.variants();
</span><span class="lines">@@ -324,6 +338,7 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> node->convertToIdentity();
</span><ins>+ changed = true;
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -354,16 +369,34 @@
</span><span class="cx">
</span><span class="cx"> break;
</span><span class="cx"> }
</span><ins>+
+ case Check: {
+ alreadyHandled = true;
+ m_interpreter.execute(indexInBlock);
+ for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
+ Edge edge = node->children.child(i);
+ if (!edge)
+ break;
+ if (edge.isProved() || edge.willNotHaveCheck()) {
+ node->children.removeEdge(i--);
+ changed = true;
+ }
+ }
+ break;
+ }
</ins><span class="cx">
</span><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>-
</del><ins>+
</ins><span class="cx"> if (eliminated) {
</span><span class="cx"> changed = true;
</span><span class="cx"> continue;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ if (alreadyHandled)
+ continue;
+
</ins><span class="cx"> m_interpreter.execute(indexInBlock);
</span><span class="cx"> if (!m_state.isValid()) {
</span><span class="cx"> // If we invalidated then we shouldn't attempt to constant-fold. Here's an
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDCEPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -49,12 +49,22 @@
</span><span class="cx"> ASSERT(m_graph.m_form == ThreadedCPS || m_graph.m_form == SSA);
</span><span class="cx">
</span><span class="cx"> // First reset the counts to 0 for all nodes.
</span><ins>+ //
+ // Also take this opportunity to pretend that Check nodes are not NodeMustGenerate. Check
+ // nodes are MustGenerate because they are executed for effect, but they follow the same
+ // DCE rules as nodes that aren't MustGenerate: they only contribute to the ref count of
+ // their children if the edges require checks. Non-checking edges are removed. Note that
+ // for any Checks left over, this phase will turn them back into NodeMustGenerate.
</ins><span class="cx"> for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
</span><span class="cx"> BasicBlock* block = m_graph.block(blockIndex);
</span><span class="cx"> if (!block)
</span><span class="cx"> continue;
</span><del>- for (unsigned indexInBlock = block->size(); indexInBlock--;)
- block->at(indexInBlock)->setRefCount(0);
</del><ins>+ for (unsigned indexInBlock = block->size(); indexInBlock--;) {
+ Node* node = block->at(indexInBlock);
+ if (node->op() == Check)
+ node->clearFlags(NodeMustGenerate);
+ node->setRefCount(0);
+ }
</ins><span class="cx"> for (unsigned phiIndex = block->phis.size(); phiIndex--;)
</span><span class="cx"> block->phis[phiIndex]->setRefCount(0);
</span><span class="cx"> }
</span><span class="lines">@@ -119,6 +129,30 @@
</span><span class="cx"> cleanVariables(m_graph.m_arguments);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ // Just do a basic HardPhantom/Phantom/Check clean-up.
+ for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+ BasicBlock* block = m_graph.block(blockIndex);
+ if (!block)
+ continue;
+ unsigned sourceIndex = 0;
+ unsigned targetIndex = 0;
+ while (sourceIndex < block->size()) {
+ Node* node = block->at(sourceIndex++);
+ switch (node->op()) {
+ case Check:
+ case HardPhantom:
+ case Phantom:
+ if (node->children.isEmpty())
+ continue;
+ break;
+ default:
+ break;
+ }
+ block->at(targetIndex++) = node;
+ }
+ block->resize(targetIndex);
+ }
+
</ins><span class="cx"> m_graph.m_refCountState = ExactRefCount;
</span><span class="cx">
</span><span class="cx"> return true;
</span><span class="lines">@@ -129,7 +163,7 @@
</span><span class="cx"> {
</span><span class="cx"> // We may have an "unproved" untyped use for code that is unreachable. The CFA
</span><span class="cx"> // will just not have gotten around to it.
</span><del>- if (edge.willNotHaveCheck())
</del><ins>+ if (edge.isProved() || edge.willNotHaveCheck())
</ins><span class="cx"> return;
</span><span class="cx"> if (!edge->postfixRef())
</span><span class="cx"> m_worklist.append(edge.node());
</span><span class="lines">@@ -145,7 +179,7 @@
</span><span class="cx"> void countEdge(Node*, Edge edge)
</span><span class="cx"> {
</span><span class="cx"> // Don't count edges that are already counted for their type checks.
</span><del>- if (edge.willHaveCheck())
</del><ins>+ if (!(edge.isProved() || edge.willNotHaveCheck()))
</ins><span class="cx"> return;
</span><span class="cx"> countNode(edge.node());
</span><span class="cx"> }
</span><span class="lines">@@ -214,10 +248,10 @@
</span><span class="cx"> for (unsigned childIdx = node->firstChild(); childIdx < node->firstChild() + node->numChildren(); childIdx++) {
</span><span class="cx"> Edge edge = m_graph.m_varArgChildren[childIdx];
</span><span class="cx">
</span><del>- if (!edge || edge.willNotHaveCheck())
</del><ins>+ if (!edge || edge.isProved() || edge.willNotHaveCheck())
</ins><span class="cx"> continue;
</span><span class="cx">
</span><del>- m_insertionSet.insertNode(indexInBlock, SpecNone, Phantom, node->origin, edge);
</del><ins>+ m_insertionSet.insertNode(indexInBlock, SpecNone, Check, node->origin, edge);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> node->convertToPhantom();
</span><span class="lines">@@ -226,8 +260,14 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- node->convertToPhantom();
- eliminateIrrelevantPhantomChildren(node);
</del><ins>+ node->convertToCheck();
+ for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
+ Edge edge = node->children.child(i);
+ if (!edge)
+ continue;
+ if (edge.isProved() || edge.willNotHaveCheck())
+ node->children.removeEdge(i--);
+ }
</ins><span class="cx"> node->setRefCount(1);
</span><span class="cx"> break;
</span><span class="cx"> } }
</span><span class="lines">@@ -236,17 +276,6 @@
</span><span class="cx"> m_insertionSet.execute(block);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void eliminateIrrelevantPhantomChildren(Node* node)
- {
- for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
- Edge edge = node->children.child(i);
- if (!edge)
- continue;
- if (edge.willNotHaveCheck())
- node->children.removeEdge(i--);
- }
- }
-
</del><span class="cx"> template<typename VariablesVectorType>
</span><span class="cx"> void cleanVariables(VariablesVectorType& variables)
</span><span class="cx"> {
</span><span class="lines">@@ -254,7 +283,7 @@
</span><span class="cx"> Node* node = variables[i];
</span><span class="cx"> if (!node)
</span><span class="cx"> continue;
</span><del>- if (node->op() != Phantom && node->shouldGenerate())
</del><ins>+ if (node->op() != Phantom && node->op() != Check && node->shouldGenerate())
</ins><span class="cx"> continue;
</span><span class="cx"> if (node->op() == GetLocal) {
</span><span class="cx"> node = node->child1().node();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -189,6 +189,11 @@
</span><span class="cx"> case GetByOffset:
</span><span class="cx"> case GetGetterSetterByOffset:
</span><span class="cx"> case PutByOffset:
</span><ins>+ case GetEnumerableLength:
+ case HasGenericProperty:
+ case HasStructureProperty:
+ case HasIndexedProperty:
+ case GetDirectPname:
</ins><span class="cx"> case FiatInt52:
</span><span class="cx"> case BooleanToNumber:
</span><span class="cx"> return false;
</span><span class="lines">@@ -213,6 +218,10 @@
</span><span class="cx"> case NewFunctionExpression:
</span><span class="cx"> case NewTypedArray:
</span><span class="cx"> case ThrowReferenceError:
</span><ins>+ case GetStructurePropertyEnumerator:
+ case GetGenericPropertyEnumerator:
+ case GetEnumeratorPname:
+ case ToIndexString:
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> case MultiPutByOffset:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGEdgecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGEdge.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGEdge.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGEdge.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -36,7 +36,7 @@
</span><span class="cx"> void Edge::dump(PrintStream& out) const
</span><span class="cx"> {
</span><span class="cx"> if (useKindUnchecked() != UntypedUse) {
</span><del>- if (needsCheck())
</del><ins>+ if (!isProved())
</ins><span class="cx"> out.print("Check:");
</span><span class="cx"> out.print(useKind(), ":");
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGEdgeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGEdge.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGEdge.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGEdge.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -115,10 +115,6 @@
</span><span class="cx"> {
</span><span class="cx"> return proofStatus() == IsProved;
</span><span class="cx"> }
</span><del>- bool needsCheck() const
- {
- return proofStatus() == NeedsCheck;
- }
</del><span class="cx">
</span><span class="cx"> bool willNotHaveCheck() const
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -898,7 +898,11 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case CheckExecutable:
</del><ins>+ case CheckExecutable: {
+ fixEdge<FunctionUse>(node->child1());
+ break;
+ }
+
</ins><span class="cx"> case CheckStructure:
</span><span class="cx"> case CheckFunction:
</span><span class="cx"> case CheckHasInstance:
</span><span class="lines">@@ -1040,7 +1044,65 @@
</span><span class="cx"> observeUseKindOnNode<StringUse>(node);
</span><span class="cx"> }
</span><span class="cx"> break;
</span><ins>+
+ case GetEnumerableLength: {
+ fixEdge<CellUse>(node->child1());
+ break;
+ }
+ case HasGenericProperty: {
+ fixEdge<StringUse>(node->child2());
+ break;
+ }
+ case HasStructureProperty: {
+ fixEdge<StringUse>(node->child2());
+ fixEdge<KnownCellUse>(node->child3());
+ break;
+ }
+ case HasIndexedProperty: {
+ node->setArrayMode(
+ node->arrayMode().refine(
+ m_graph, node,
+ node->child1()->prediction(),
+ node->child2()->prediction(),
+ SpecNone, node->flags()));
</ins><span class="cx">
</span><ins>+ blessArrayOperation(node->child1(), node->child2(), node->child3());
+ fixEdge<CellUse>(node->child1());
+ fixEdge<KnownInt32Use>(node->child2());
+ break;
+ }
+ case GetDirectPname: {
+ Edge& base = m_graph.varArgChild(node, 0);
+ Edge& property = m_graph.varArgChild(node, 1);
+ Edge& index = m_graph.varArgChild(node, 2);
+ Edge& enumerator = m_graph.varArgChild(node, 3);
+ fixEdge<CellUse>(base);
+ fixEdge<KnownCellUse>(property);
+ fixEdge<KnownInt32Use>(index);
+ fixEdge<KnownCellUse>(enumerator);
+ break;
+ }
+ case GetStructurePropertyEnumerator: {
+ fixEdge<CellUse>(node->child1());
+ fixEdge<KnownInt32Use>(node->child2());
+ break;
+ }
+ case GetGenericPropertyEnumerator: {
+ fixEdge<CellUse>(node->child1());
+ fixEdge<KnownInt32Use>(node->child2());
+ fixEdge<KnownCellUse>(node->child3());
+ break;
+ }
+ case GetEnumeratorPname: {
+ fixEdge<KnownCellUse>(node->child1());
+ fixEdge<KnownInt32Use>(node->child2());
+ break;
+ }
+ case ToIndexString: {
+ fixEdge<KnownInt32Use>(node->child1());
+ break;
+ }
+
</ins><span class="cx"> #if !ASSERT_DISABLED
</span><span class="cx"> // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
</span><span class="cx"> case SetArgument:
</span><span class="lines">@@ -1543,6 +1605,7 @@
</span><span class="cx"> case CellUse:
</span><span class="cx"> case KnownCellUse:
</span><span class="cx"> case ObjectUse:
</span><ins>+ case FunctionUse:
</ins><span class="cx"> case StringUse:
</span><span class="cx"> case KnownStringUse:
</span><span class="cx"> case StringObjectUse:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -157,7 +157,6 @@
</span><span class="cx"> NodeType op = node->op();
</span><span class="cx">
</span><span class="cx"> unsigned refCount = node->refCount();
</span><del>- bool skipped = !refCount;
</del><span class="cx"> bool mustGenerate = node->mustGenerate();
</span><span class="cx"> if (mustGenerate)
</span><span class="cx"> --refCount;
</span><span class="lines">@@ -181,8 +180,8 @@
</span><span class="cx"> // arg# - an argument number.
</span><span class="cx"> // id# - the index in the CodeBlock of an identifier { if codeBlock is passed to dump(), the string representation is displayed }.
</span><span class="cx"> // var# - the index of a var on the global object, used by GetGlobalVar/PutGlobalVar operations.
</span><del>- out.printf("% 4d:%s<%c%u:", (int)node->index(), skipped ? " skipped " : " ", mustGenerate ? '!' : ' ', refCount);
- if (node->hasResult() && !skipped && node->hasVirtualRegister())
</del><ins>+ out.printf("% 4d:<%c%u:", (int)node->index(), mustGenerate ? '!' : ' ', refCount);
+ if (node->hasResult() && node->hasVirtualRegister() && node->virtualRegister().isValid())
</ins><span class="cx"> out.print(node->virtualRegister());
</span><span class="cx"> else
</span><span class="cx"> out.print("-");
</span><span class="lines">@@ -352,12 +351,10 @@
</span><span class="cx">
</span><span class="cx"> out.print(")");
</span><span class="cx">
</span><del>- if (!skipped) {
- if (node->hasVariableAccessData(*this) && node->tryGetVariableAccessData())
- out.print(" predicting ", SpeculationDump(node->tryGetVariableAccessData()->prediction()));
- else if (node->hasHeapPrediction())
- out.print(" predicting ", SpeculationDump(node->getHeapPrediction()));
- }
</del><ins>+ if (node->hasVariableAccessData(*this) && node->tryGetVariableAccessData())
+ out.print(" predicting ", SpeculationDump(node->tryGetVariableAccessData()->prediction()));
+ else if (node->hasHeapPrediction())
+ out.print(" predicting ", SpeculationDump(node->getHeapPrediction()));
</ins><span class="cx">
</span><span class="cx"> out.print("\n");
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -108,6 +108,10 @@
</span><span class="cx"> out.print("GlobalVariableLoc");
</span><span class="cx"> return;
</span><span class="cx">
</span><ins>+ case HasIndexedPropertyLoc:
+ out.print("HasIndexedPorpertyLoc");
+ return;
+
</ins><span class="cx"> case IndexedPropertyLoc:
</span><span class="cx"> out.print("IndexedPorpertyLoc");
</span><span class="cx"> return;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -44,6 +44,7 @@
</span><span class="cx"> ClosureVariableLoc,
</span><span class="cx"> GetterLoc,
</span><span class="cx"> GlobalVariableLoc,
</span><ins>+ HasIndexedPropertyLoc,
</ins><span class="cx"> IndexedPropertyLoc,
</span><span class="cx"> IndexedPropertyStorageLoc,
</span><span class="cx"> InstanceOfLoc,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1001,6 +1001,7 @@
</span><span class="cx"> bool hasHeapPrediction()
</span><span class="cx"> {
</span><span class="cx"> switch (op()) {
</span><ins>+ case GetDirectPname:
</ins><span class="cx"> case GetById:
</span><span class="cx"> case GetByIdFlush:
</span><span class="cx"> case GetByVal:
</span><span class="lines">@@ -1267,6 +1268,7 @@
</span><span class="cx"> case ArrayifyToStructure:
</span><span class="cx"> case ArrayPush:
</span><span class="cx"> case ArrayPop:
</span><ins>+ case HasIndexedProperty:
</ins><span class="cx"> return true;
</span><span class="cx"> default:
</span><span class="cx"> return false;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeFlagsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -70,6 +70,9 @@
</span><span class="cx">
</span><span class="cx"> #define NodeIsFlushed 0x20000 // Used by Graph::computeIsFlushed(), will tell you which local nodes are backwards-reachable from a Flush.
</span><span class="cx">
</span><ins>+#define NodeMiscFlag1 0x40000
+#define NodeMiscFlag2 0x80000
+
</ins><span class="cx"> typedef uint32_t NodeFlags;
</span><span class="cx">
</span><span class="cx"> static inline bool bytecodeUsesAsNumber(NodeFlags flags)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -61,7 +61,7 @@
</span><span class="cx"> macro(GetArgument, NodeResultJS | NodeMustGenerate) \
</span><span class="cx"> macro(Phantom, NodeMustGenerate) \
</span><span class="cx"> macro(HardPhantom, NodeMustGenerate) /* Like Phantom, but we never remove any of its children. */ \
</span><del>- macro(Check, 0) /* Used if we want just a type check but not liveness. DCE eithers kills this or converts it to Phantom. */\
</del><ins>+ macro(Check, NodeMustGenerate) /* Used if we want just a type check but not liveness. Non-checking uses will be removed. */\
</ins><span class="cx"> macro(Upsilon, NodeRelevantToOSR) \
</span><span class="cx"> macro(Phi, NodeRelevantToOSR) \
</span><span class="cx"> macro(Flush, NodeMustGenerate) \
</span><span class="lines">@@ -293,6 +293,17 @@
</span><span class="cx"> /* Write barriers ! */\
</span><span class="cx"> macro(StoreBarrier, NodeMustGenerate) \
</span><span class="cx"> macro(StoreBarrierWithNullCheck, NodeMustGenerate) \
</span><ins>+ \
+ /* For-in enumeration opcodes */\
+ macro(GetEnumerableLength, NodeMustGenerate | NodeResultJS) \
+ macro(HasIndexedProperty, NodeResultBoolean) \
+ macro(HasStructureProperty, NodeResultBoolean) \
+ macro(HasGenericProperty, NodeResultBoolean) \
+ macro(GetDirectPname, NodeMustGenerate | NodeHasVarArgs | NodeResultJS) \
+ macro(GetStructurePropertyEnumerator, NodeMustGenerate | NodeResultJS) \
+ macro(GetGenericPropertyEnumerator, NodeMustGenerate | NodeResultJS) \
+ macro(GetEnumeratorPname, NodeMustGenerate | NodeResultJS) \
+ macro(ToIndexString, NodeResultJS)
</ins><span class="cx">
</span><span class="cx"> // This enum generates a monotonically increasing id for all Node types,
</span><span class="cx"> // and is used by the subsequent enum to fill out the id (as accessed via the NodeIdMask).
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPhantomCanonicalizationPhasecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.cpp (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,137 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGPhantomCanonicalizationPhase.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGGraph.h"
+#include "DFGInsertionSet.h"
+#include "DFGPhase.h"
+#include "DFGPredictionPropagationPhase.h"
+#include "DFGVariableAccessDataDump.h"
+#include "JSCInlines.h"
+
+namespace JSC { namespace DFG {
+
+static const NodeFlags NodeNeedsPhantom = NodeMiscFlag1;
+static const NodeFlags NodeNeedsHardPhantom = NodeMiscFlag2;
+
+class PhantomCanonicalizationPhase : public Phase {
+public:
+ PhantomCanonicalizationPhase(Graph& graph)
+ : Phase(graph, "phantom canonicalization")
+ {
+ }
+
+ bool run()
+ {
+ ASSERT(m_graph.m_form == SSA);
+
+ m_graph.clearFlagsOnAllNodes(NodeNeedsPhantom | NodeNeedsHardPhantom | NodeRelevantToOSR);
+
+ for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+ BasicBlock* block = m_graph.block(blockIndex);
+ if (!block)
+ continue;
+
+ for (unsigned i = block->size(); i--;) {
+ Node* node = block->at(i);
+ if (node->op() == MovHint)
+ node->child1()->mergeFlags(NodeRelevantToOSR);
+ }
+ }
+
+ for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+ BasicBlock* block = m_graph.block(blockIndex);
+ if (!block)
+ continue;
+
+ unsigned sourceIndex = 0;
+ unsigned targetIndex = 0;
+ while (sourceIndex < block->size()) {
+ Node* node = block->at(sourceIndex++);
+ if (node->op() == HardPhantom || node->op() == Phantom || node->op() == Check) {
+ for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
+ Edge edge = node->children.child(i);
+ if (!edge)
+ break;
+ if (node->op() == HardPhantom)
+ edge->mergeFlags(NodeNeedsHardPhantom);
+ if ((edge->flags() & NodeRelevantToOSR) && node->op() == Phantom) {
+ // A Phantom on a node that is RelevantToOSR means that we need to keep
+ // a Phantom on this node instead of just having a Check.
+ edge->mergeFlags(NodeNeedsPhantom);
+ }
+ if (edge.willHaveCheck())
+ continue; // Keep the type check.
+
+ node->children.removeEdge(i--);
+ }
+
+ if (node->children.isEmpty())
+ continue;
+
+ node->convertToCheck();
+ }
+ block->at(targetIndex++) = node;
+ }
+ block->resize(targetIndex);
+ }
+
+ InsertionSet insertionSet(m_graph);
+ for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+ BasicBlock* block = m_graph.block(blockIndex);
+ if (!block)
+ continue;
+
+ for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
+ Node* node = block->at(nodeIndex);
+ if (node->flags() & NodeNeedsHardPhantom) {
+ insertionSet.insertNode(
+ nodeIndex + 1, SpecNone, HardPhantom, node->origin, node->defaultEdge());
+ } else if (node->flags() & NodeNeedsPhantom) {
+ insertionSet.insertNode(
+ nodeIndex + 1, SpecNone, Phantom, node->origin, node->defaultEdge());
+ }
+ }
+ insertionSet.execute(block);
+ }
+
+ return true;
+ }
+};
+
+bool performPhantomCanonicalization(Graph& graph)
+{
+ SamplingRegion samplingRegion("DFG Phantom Canonicalization Phase");
+ return runPhase<PhantomCanonicalizationPhase>(graph);
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPhantomCanonicalizationPhaseh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.h (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,51 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGPhantomCanonicalizationPhase_h
+#define DFGPhantomCanonicalizationPhase_h
+
+#if ENABLE(DFG_JIT)
+
+namespace JSC { namespace DFG {
+
+class Graph;
+
+// Replaces all pre-existing Phantoms with Checks or removes them if the Check is unnecessary. If
+// the Phantom was necessary (it uses a node that is relevant to OSR) then the Phantom is hoisted
+// to just below the node.
+//
+// This phase is only valid in SSA, because it's only in SSA that Phantoms are ignored for the
+// purpose of liveness-at-some-point and are only used for absolute liveness.
+//
+// This phase makes a lot of things easier, like CFG simplification: you don't have to insert any
+// phantoms when jettisoning a CFG edge.
+
+bool performPhantomCanonicalization(Graph&);
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGPhantomCanonicalizationPhase_h
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPhantomRemovalPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -96,14 +96,15 @@
</span><span class="cx"> Node* lastNode = nullptr;
</span><span class="cx"> while (sourceIndex < block->size()) {
</span><span class="cx"> Node* node = block->at(sourceIndex++);
</span><del>- if (node->op() == Phantom) {
</del><ins>+ switch (node->op()) {
+ case Phantom: {
</ins><span class="cx"> if (lastNode && (lastNode->origin.forExit != node->origin.forExit || (lastNode->flags() & NodeHasVarArgs)))
</span><span class="cx"> lastNode = nullptr;
</span><span class="cx"> for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
</span><span class="cx"> Edge edge = node->children.child(i);
</span><span class="cx"> if (!edge)
</span><span class="cx"> break;
</span><del>- if (edge.useKind() != UntypedUse)
</del><ins>+ if (edge.willHaveCheck())
</ins><span class="cx"> continue; // Keep the type check.
</span><span class="cx"> if (edge->flags() & NodeRelevantToOSR) {
</span><span class="cx"> bool found = false;
</span><span class="lines">@@ -123,9 +124,39 @@
</span><span class="cx"> changed = true;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ if (node->children.isEmpty()) {
+ changed = true;
+ continue;
+ }
+ break;
+ }
+
+ case Check: {
+ for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
+ Edge edge = node->children.child(i);
+ if (!edge)
+ break;
+ if (edge.willHaveCheck())
+ continue;
+ node->children.removeEdge(i--);
+ changed = true;
+ }
+ if (node->children.isEmpty()) {
+ changed = true;
+ continue;
+ }
+ break;
+ }
+
+ case HardPhantom: {
</ins><span class="cx"> if (node->children.isEmpty())
</span><span class="cx"> continue;
</span><ins>+ break;
</ins><span class="cx"> }
</span><ins>+
+ default:
+ break;
+ }
</ins><span class="cx"> lastNode = node;
</span><span class="cx"> block->at(targetIndex++) = node;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPhantomRemovalPhaseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -34,6 +34,9 @@
</span><span class="cx">
</span><span class="cx"> // Cleans up unnecessary Phantoms and Phanton children. This reduces live ranges, but also, it
</span><span class="cx"> // eliminates many Phantoms entirely. This invalidates liveness analysis.
</span><ins>+//
+// This should work over all IR forms; however, in SSA form it's better to run
+// PhantomCanonicalizationPhase since it's more powerful.
</ins><span class="cx">
</span><span class="cx"> bool performPhantomRemoval(Graph&);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPlancpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -49,6 +49,7 @@
</span><span class="cx"> #include "DFGLoopPreHeaderCreationPhase.h"
</span><span class="cx"> #include "DFGOSRAvailabilityAnalysisPhase.h"
</span><span class="cx"> #include "DFGOSREntrypointCreationPhase.h"
</span><ins>+#include "DFGPhantomCanonicalizationPhase.h"
</ins><span class="cx"> #include "DFGPhantomRemovalPhase.h"
</span><span class="cx"> #include "DFGPredictionInjectionPhase.h"
</span><span class="cx"> #include "DFGPredictionPropagationPhase.h"
</span><span class="lines">@@ -311,7 +312,7 @@
</span><span class="cx"> return FailPath;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- performPhantomRemoval(dfg);
</del><ins>+ performPhantomRemoval(dfg); // Reduce the graph size a bit.
</ins><span class="cx"> performCriticalEdgeBreaking(dfg);
</span><span class="cx"> performLoopPreHeaderCreation(dfg);
</span><span class="cx"> performCPSRethreading(dfg);
</span><span class="lines">@@ -321,6 +322,7 @@
</span><span class="cx"> performLivenessAnalysis(dfg);
</span><span class="cx"> performCFA(dfg);
</span><span class="cx"> performConstantFolding(dfg);
</span><ins>+ performPhantomCanonicalization(dfg); // Reduce the graph size a lot.
</ins><span class="cx"> if (performStrengthReduction(dfg)) {
</span><span class="cx"> // State-at-tail and state-at-head will be invalid if we did strength reduction since
</span><span class="cx"> // it might increase live ranges.
</span><span class="lines">@@ -328,7 +330,7 @@
</span><span class="cx"> performCFA(dfg);
</span><span class="cx"> }
</span><span class="cx"> performLICM(dfg);
</span><del>- performPhantomRemoval(dfg);
</del><ins>+ performPhantomCanonicalization(dfg);
</ins><span class="cx"> performIntegerCheckCombining(dfg);
</span><span class="cx"> performGlobalCSE(dfg);
</span><span class="cx">
</span><span class="lines">@@ -337,7 +339,7 @@
</span><span class="cx"> dfg.m_fixpointState = FixpointConverged;
</span><span class="cx">
</span><span class="cx"> performStoreBarrierElision(dfg);
</span><del>- performPhantomRemoval(dfg);
</del><ins>+ performPhantomCanonicalization(dfg);
</ins><span class="cx"> performLivenessAnalysis(dfg);
</span><span class="cx"> performCFA(dfg);
</span><span class="cx"> if (Options::validateFTLOSRExitLiveness())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -185,6 +185,7 @@
</span><span class="cx"> case GetMyArgumentByValSafe:
</span><span class="cx"> case GetByOffset:
</span><span class="cx"> case MultiGetByOffset:
</span><ins>+ case GetDirectPname:
</ins><span class="cx"> case Call:
</span><span class="cx"> case Construct:
</span><span class="cx"> case NativeCall:
</span><span class="lines">@@ -584,6 +585,39 @@
</span><span class="cx"> changed |= setPrediction(SpecBoolean);
</span><span class="cx"> break;
</span><span class="cx">
</span><ins>+ case GetEnumerableLength: {
+ changed |= setPrediction(SpecInt32);
+ break;
+ }
+ case HasGenericProperty: {
+ changed |= setPrediction(SpecBoolean);
+ break;
+ }
+ case HasStructureProperty: {
+ changed |= setPrediction(SpecBoolean);
+ break;
+ }
+ case HasIndexedProperty: {
+ changed |= setPrediction(SpecBoolean);
+ break;
+ }
+ case GetStructurePropertyEnumerator: {
+ changed |= setPrediction(SpecCell);
+ break;
+ }
+ case GetGenericPropertyEnumerator: {
+ changed |= setPrediction(SpecCell);
+ break;
+ }
+ case GetEnumeratorPname: {
+ changed |= setPrediction(SpecCell | SpecOther);
+ break;
+ }
+ case ToIndexString: {
+ changed |= setPrediction(SpecString);
+ break;
+ }
+
</ins><span class="cx"> #ifndef NDEBUG
</span><span class="cx"> // These get ignored because they don't return anything.
</span><span class="cx"> case StoreBarrier:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSSALoweringPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -69,6 +69,7 @@
</span><span class="cx"> {
</span><span class="cx"> switch (m_node->op()) {
</span><span class="cx"> case GetByVal:
</span><ins>+ case HasIndexedProperty:
</ins><span class="cx"> lowerBoundsCheck(m_node->child1(), m_node->child2(), m_node->child3());
</span><span class="cx"> break;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -53,6 +53,7 @@
</span><span class="cx"> case BooleanUse:
</span><span class="cx"> case CellUse:
</span><span class="cx"> case ObjectUse:
</span><ins>+ case FunctionUse:
</ins><span class="cx"> case FinalObjectUse:
</span><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> case StringIdentUse:
</span><span class="lines">@@ -258,6 +259,15 @@
</span><span class="cx"> case FiatInt52:
</span><span class="cx"> case GetGetter:
</span><span class="cx"> case GetSetter:
</span><ins>+ case GetEnumerableLength:
+ case HasGenericProperty:
+ case HasStructureProperty:
+ case HasIndexedProperty:
+ case GetDirectPname:
+ case GetStructurePropertyEnumerator:
+ case GetGenericPropertyEnumerator:
+ case GetEnumeratorPname:
+ case ToIndexString:
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> case NativeCall:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -712,20 +712,14 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx"> case Array::Arguments:
</span><del>- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node,
- m_jit.branch8(
- MacroAssembler::NotEqual,
- MacroAssembler::Address(baseReg, JSCell::typeInfoTypeOffset()),
- MacroAssembler::TrustedImm32(ArgumentsType)));
</del><ins>+ speculateCellTypeWithoutTypeFiltering(node->child1(), baseReg, ArgumentsType);
</ins><span class="cx">
</span><span class="cx"> noResult(m_currentNode);
</span><span class="cx"> return;
</span><span class="cx"> default:
</span><del>- speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node,
- m_jit.branch8(
- MacroAssembler::NotEqual,
- MacroAssembler::Address(baseReg, JSCell::typeInfoTypeOffset()),
- MacroAssembler::TrustedImm32(typeForTypedArrayType(node->arrayMode().typedArrayType()))));
</del><ins>+ speculateCellTypeWithoutTypeFiltering(
+ node->child1(), baseReg,
+ typeForTypedArrayType(node->arrayMode().typedArrayType()));
</ins><span class="cx"> noResult(m_currentNode);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="lines">@@ -4508,6 +4502,28 @@
</span><span class="cx"> cellResult(resultGPR, node);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void SpeculativeJIT::speculateCellTypeWithoutTypeFiltering(
+ Edge edge, GPRReg cellGPR, JSType jsType)
+{
+ speculationCheck(
+ BadType, JSValueSource::unboxedCell(cellGPR), edge,
+ m_jit.branch8(
+ MacroAssembler::NotEqual,
+ MacroAssembler::Address(cellGPR, JSCell::typeInfoTypeOffset()),
+ MacroAssembler::TrustedImm32(jsType)));
+}
+
+void SpeculativeJIT::speculateCellType(
+ Edge edge, GPRReg cellGPR, SpeculatedType specType, JSType jsType)
+{
+ DFG_TYPE_CHECK(
+ JSValueSource::unboxedCell(cellGPR), edge, specType,
+ m_jit.branch8(
+ MacroAssembler::NotEqual,
+ MacroAssembler::Address(cellGPR, JSCell::typeInfoTypeOffset()),
+ TrustedImm32(jsType)));
+}
+
</ins><span class="cx"> void SpeculativeJIT::speculateInt32(Edge edge)
</span><span class="cx"> {
</span><span class="cx"> if (!needsTypeCheck(edge, SpecInt32))
</span><span class="lines">@@ -4581,18 +4597,22 @@
</span><span class="cx"> m_jit.vm()->stringStructure.get()));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void SpeculativeJIT::speculateFunction(Edge edge)
+{
+ if (!needsTypeCheck(edge, SpecFunction))
+ return;
+
+ SpeculateCellOperand operand(this, edge);
+ speculateCellType(edge, operand.gpr(), SpecFunction, JSFunctionType);
+}
+
</ins><span class="cx"> void SpeculativeJIT::speculateFinalObject(Edge edge)
</span><span class="cx"> {
</span><span class="cx"> if (!needsTypeCheck(edge, SpecFinalObject))
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> SpeculateCellOperand operand(this, edge);
</span><del>- GPRReg gpr = operand.gpr();
- DFG_TYPE_CHECK(
- JSValueSource::unboxedCell(gpr), edge, SpecFinalObject, m_jit.branch8(
- MacroAssembler::NotEqual,
- MacroAssembler::Address(gpr, JSCell::typeInfoTypeOffset()),
- TrustedImm32(FinalObjectType)));
</del><ins>+ speculateCellType(edge, operand.gpr(), SpecFinalObject, FinalObjectType);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void SpeculativeJIT::speculateObjectOrOther(Edge edge)
</span><span class="lines">@@ -4836,6 +4856,9 @@
</span><span class="cx"> case ObjectUse:
</span><span class="cx"> speculateObject(edge);
</span><span class="cx"> break;
</span><ins>+ case FunctionUse:
+ speculateFunction(edge);
+ break;
</ins><span class="cx"> case FinalObjectUse:
</span><span class="cx"> speculateFinalObject(edge);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1034,6 +1034,16 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(TrustedImmPtr(cell));
</span><span class="cx"> return appendCallWithExceptionCheckSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(C_JITOperation_ECZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2);
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
+ JITCompiler::Call callOperation(C_JITOperation_ECZC operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(C_JITOperation_ECC operation, GPRReg result, GPRReg arg1, JSCell* cell)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, TrustedImmPtr(cell));
</span><span class="lines">@@ -1132,6 +1142,11 @@
</span><span class="cx"> m_jit.setupArgumentsExecState();
</span><span class="cx"> return appendCallWithCallFrameRollbackOnExceptionSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(Z_JITOperation_EC operation, GPRReg result, GPRReg arg1)
+ {
+ m_jit.setupArgumentsWithExecState(arg1);
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
</ins><span class="cx">
</span><span class="cx"> template<typename FunctionType, typename ArgumentType1>
</span><span class="cx"> JITCompiler::Call callOperation(FunctionType operation, NoResultTag, ArgumentType1 arg1)
</span><span class="lines">@@ -1258,6 +1273,11 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(TrustedImmPtr(cell));
</span><span class="cx"> return appendCallWithExceptionCheckSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(J_JITOperation_ECZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2);
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_ESsiCI operation, GPRReg result, StructureStubInfo* stubInfo, GPRReg arg1, const StringImpl* uid)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(TrustedImmPtr(stubInfo), arg1, TrustedImmPtr(uid));
</span><span class="lines">@@ -1273,6 +1293,16 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, arg2);
</span><span class="cx"> return appendCallWithExceptionCheckSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(J_JITOperation_EJC operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2);
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
+ JITCompiler::Call callOperation(J_JITOperation_EJZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2);
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_EJA operation, GPRReg result, GPRReg arg1, GPRReg arg2)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, arg2);
</span><span class="lines">@@ -1321,6 +1351,21 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1);
</span><span class="cx"> return appendCallWithExceptionCheckSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(C_JITOperation_EJJC operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
+ JITCompiler::Call callOperation(C_JITOperation_EJZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2);
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
+ JITCompiler::Call callOperation(C_JITOperation_EJZC operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(S_JITOperation_J operation, GPRReg result, GPRReg arg1)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArguments(arg1);
</span><span class="lines">@@ -1494,6 +1539,16 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, arg2);
</span><span class="cx"> return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(J_JITOperation_EJ operation, GPRReg resultPayload, GPRReg resultTag, GPRReg arg1)
+ {
+ m_jit.setupArgumentsWithExecState(arg1);
+ return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+ }
+ JITCompiler::Call callOperation(J_JITOperation_EJC operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2)
+ {
+ m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2);
+ return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_EJssZ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, arg2);
</span><span class="lines">@@ -1525,6 +1580,11 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(TrustedImmPtr(cell));
</span><span class="cx"> return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(J_JITOperation_ECZ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2);
+ return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_ESsiCI operation, GPRReg resultTag, GPRReg resultPayload, StructureStubInfo* stubInfo, GPRReg arg1, const StringImpl* uid)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(TrustedImmPtr(stubInfo), arg1, TrustedImmPtr(uid));
</span><span class="lines">@@ -2211,6 +2271,9 @@
</span><span class="cx"> bool needsTypeCheck(Edge edge, SpeculatedType typesPassedThrough) { return m_interpreter.needsTypeCheck(edge, typesPassedThrough); }
</span><span class="cx"> void typeCheck(JSValueSource, Edge, SpeculatedType typesPassedThrough, MacroAssembler::Jump jumpToFail);
</span><span class="cx">
</span><ins>+ void speculateCellTypeWithoutTypeFiltering(Edge, GPRReg cellGPR, JSType);
+ void speculateCellType(Edge, GPRReg cellGPR, SpeculatedType, JSType);
+
</ins><span class="cx"> void speculateInt32(Edge);
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx"> void convertMachineInt(Edge, GPRReg resultGPR);
</span><span class="lines">@@ -2222,6 +2285,7 @@
</span><span class="cx"> void speculateBoolean(Edge);
</span><span class="cx"> void speculateCell(Edge);
</span><span class="cx"> void speculateObject(Edge);
</span><ins>+ void speculateFunction(Edge);
</ins><span class="cx"> void speculateFinalObject(Edge);
</span><span class="cx"> void speculateObjectOrOther(Edge);
</span><span class="cx"> void speculateString(Edge edge, GPRReg cell);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -37,6 +37,7 @@
</span><span class="cx"> #include "Debugger.h"
</span><span class="cx"> #include "GetterSetter.h"
</span><span class="cx"> #include "JSActivation.h"
</span><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "ObjectPrototype.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx">
</span><span class="lines">@@ -1784,8 +1785,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case MovHint:
</span><del>- case ZombieHint:
- case Check: {
</del><ins>+ case ZombieHint: {
</ins><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -3700,6 +3700,7 @@
</span><span class="cx">
</span><span class="cx"> case CheckExecutable: {
</span><span class="cx"> SpeculateCellOperand function(this, node->child1());
</span><ins>+ speculateCellType(node->child1(), function.gpr(), SpecFunction, JSFunctionType);
</ins><span class="cx"> speculationCheck(BadExecutable, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, JITCompiler::Address(function.gpr(), JSFunction::offsetOfExecutable()), node->executable()));
</span><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><span class="lines">@@ -4601,6 +4602,252 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case GetEnumerableLength: {
+ SpeculateCellOperand base(this, node->child1());
+ GPRResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationGetEnumerableLength, resultGPR, base.gpr());
+ int32Result(resultGPR, node);
+ break;
+ }
+ case HasGenericProperty: {
+ JSValueOperand base(this, node->child1());
+ SpeculateCellOperand property(this, node->child2());
+ GPRResult resultPayload(this);
+ GPRResult2 resultTag(this);
+ GPRReg basePayloadGPR = base.payloadGPR();
+ GPRReg baseTagGPR = base.tagGPR();
+ GPRReg resultPayloadGPR = resultPayload.gpr();
+ GPRReg resultTagGPR = resultTag.gpr();
+
+ flushRegisters();
+ callOperation(operationHasGenericProperty, resultTagGPR, resultPayloadGPR, baseTagGPR, basePayloadGPR, property.gpr());
+ booleanResult(resultPayloadGPR, node);
+ break;
+ }
+ case HasStructureProperty: {
+ JSValueOperand base(this, node->child1());
+ SpeculateCellOperand property(this, node->child2());
+ SpeculateCellOperand enumerator(this, node->child3());
+ GPRTemporary scratch(this);
+ GPRResult resultPayload(this);
+ GPRResult2 resultTag(this);
+
+ GPRReg baseTagGPR = base.tagGPR();
+ GPRReg basePayloadGPR = base.payloadGPR();
+ GPRReg propertyGPR = property.gpr();
+ GPRReg scratchGPR = scratch.gpr();
+ GPRReg resultPayloadGPR = resultPayload.gpr();
+ GPRReg resultTagGPR = resultTag.gpr();
+
+ m_jit.load32(MacroAssembler::Address(basePayloadGPR, JSCell::structureIDOffset()), scratchGPR);
+ MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual,
+ scratchGPR,
+ MacroAssembler::Address(enumerator.gpr(), JSPropertyNameEnumerator::cachedStructureIDOffset()));
+
+ moveTrueTo(resultPayloadGPR);
+ MacroAssembler::Jump done = m_jit.jump();
+
+ done.link(&m_jit);
+
+ addSlowPathGenerator(slowPathCall(wrongStructure, this, operationHasGenericProperty, resultTagGPR, resultPayloadGPR, baseTagGPR, basePayloadGPR, propertyGPR));
+ booleanResult(resultPayloadGPR, node);
+ break;
+ }
+ case HasIndexedProperty: {
+ SpeculateCellOperand base(this, node->child1());
+ SpeculateInt32Operand index(this, node->child2());
+ GPRResult resultPayload(this);
+ GPRResult2 resultTag(this);
+
+ GPRReg baseGPR = base.gpr();
+ GPRReg indexGPR = index.gpr();
+ GPRReg resultPayloadGPR = resultPayload.gpr();
+ GPRReg resultTagGPR = resultTag.gpr();
+
+ MacroAssembler::JumpList slowCases;
+ ArrayMode mode = node->arrayMode();
+ switch (mode.type()) {
+ case Array::Int32:
+ case Array::Contiguous: {
+ ASSERT(!!node->child3());
+ StorageOperand storage(this, node->child3());
+ GPRTemporary scratch(this);
+
+ GPRReg storageGPR = storage.gpr();
+ GPRReg scratchGPR = scratch.gpr();
+
+ slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength())));
+ m_jit.load32(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), scratchGPR);
+ slowCases.append(m_jit.branch32(MacroAssembler::Equal, scratchGPR, TrustedImm32(JSValue::EmptyValueTag)));
+ break;
+ }
+ case Array::Double: {
+ ASSERT(!!node->child3());
+ StorageOperand storage(this, node->child3());
+ FPRTemporary scratch(this);
+ FPRReg scratchFPR = scratch.fpr();
+ GPRReg storageGPR = storage.gpr();
+
+ slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength())));
+ m_jit.loadDouble(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight), scratchFPR);
+ slowCases.append(m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, scratchFPR, scratchFPR));
+ break;
+ }
+ case Array::ArrayStorage: {
+ ASSERT(!!node->child3());
+ StorageOperand storage(this, node->child3());
+ GPRTemporary scratch(this);
+
+ GPRReg storageGPR = storage.gpr();
+ GPRReg scratchGPR = scratch.gpr();
+
+ slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, ArrayStorage::vectorLengthOffset())));
+ m_jit.load32(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), scratchGPR);
+ slowCases.append(m_jit.branch32(MacroAssembler::Equal, scratchGPR, TrustedImm32(JSValue::EmptyValueTag)));
+ break;
+ }
+ default: {
+ slowCases.append(m_jit.jump());
+ break;
+ }
+ }
+
+ moveTrueTo(resultPayloadGPR);
+ MacroAssembler::Jump done = m_jit.jump();
+
+ addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, resultTagGPR, resultPayloadGPR, baseGPR, indexGPR));
+
+ done.link(&m_jit);
+ booleanResult(resultPayloadGPR, node);
+ break;
+ }
+ case GetDirectPname: {
+ Edge& baseEdge = m_jit.graph().varArgChild(node, 0);
+ Edge& propertyEdge = m_jit.graph().varArgChild(node, 1);
+ Edge& indexEdge = m_jit.graph().varArgChild(node, 2);
+ Edge& enumeratorEdge = m_jit.graph().varArgChild(node, 3);
+
+ SpeculateCellOperand base(this, baseEdge);
+ SpeculateCellOperand property(this, propertyEdge);
+ SpeculateInt32Operand index(this, indexEdge);
+ SpeculateCellOperand enumerator(this, enumeratorEdge);
+ GPRResult resultPayload(this);
+ GPRResult2 resultTag(this);
+ GPRTemporary scratch(this);
+
+ GPRReg baseGPR = base.gpr();
+ GPRReg propertyGPR = property.gpr();
+ GPRReg indexGPR = index.gpr();
+ GPRReg enumeratorGPR = enumerator.gpr();
+ GPRReg resultTagGPR = resultTag.gpr();
+ GPRReg resultPayloadGPR = resultPayload.gpr();
+ GPRReg scratchGPR = scratch.gpr();
+
+ // Check the structure
+ m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratchGPR);
+ MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual,
+ scratchGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset()));
+
+ // Compute the offset
+ // If index is less than the enumerator's cached inline storage, then it's an inline access
+ MacroAssembler::Jump outOfLineAccess = m_jit.branch32(MacroAssembler::AboveOrEqual,
+ indexGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()));
+
+ m_jit.move(indexGPR, scratchGPR);
+ m_jit.signExtend32ToPtr(scratchGPR, scratchGPR);
+ m_jit.load32(MacroAssembler::BaseIndex(baseGPR, scratchGPR, MacroAssembler::TimesEight, JSObject::offsetOfInlineStorage() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTagGPR);
+ m_jit.load32(MacroAssembler::BaseIndex(baseGPR, scratchGPR, MacroAssembler::TimesEight, JSObject::offsetOfInlineStorage() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayloadGPR);
+
+ MacroAssembler::Jump done = m_jit.jump();
+
+ // Otherwise it's out of line
+ outOfLineAccess.link(&m_jit);
+ m_jit.move(indexGPR, scratchGPR);
+ m_jit.sub32(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), scratchGPR);
+ m_jit.neg32(scratchGPR);
+ m_jit.signExtend32ToPtr(scratchGPR, scratchGPR);
+ // We use resultPayloadGPR as a temporary here. We have to make sure clobber it after getting the
+ // value out of indexGPR and enumeratorGPR because resultPayloadGPR could reuse either of those registers.
+ m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), resultPayloadGPR);
+ int32_t offsetOfFirstProperty = static_cast<int32_t>(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
+ m_jit.load32(MacroAssembler::BaseIndex(resultPayloadGPR, scratchGPR, MacroAssembler::TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTagGPR);
+ m_jit.load32(MacroAssembler::BaseIndex(resultPayloadGPR, scratchGPR, MacroAssembler::TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayloadGPR);
+
+ done.link(&m_jit);
+
+ m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR);
+ addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, scratchGPR, propertyGPR));
+
+ jsValueResult(resultTagGPR, resultPayloadGPR, node);
+ break;
+ }
+ case GetStructurePropertyEnumerator: {
+ SpeculateCellOperand base(this, node->child1());
+ SpeculateInt32Operand length(this, node->child2());
+ GPRResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationGetStructurePropertyEnumerator, resultGPR, base.gpr(), length.gpr());
+ cellResult(resultGPR, node);
+ break;
+ }
+ case GetGenericPropertyEnumerator: {
+ SpeculateCellOperand base(this, node->child1());
+ SpeculateInt32Operand length(this, node->child2());
+ SpeculateCellOperand enumerator(this, node->child3());
+ GPRResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationGetGenericPropertyEnumerator, resultGPR, base.gpr(), length.gpr(), enumerator.gpr());
+ cellResult(resultGPR, node);
+ break;
+ }
+ case GetEnumeratorPname: {
+ SpeculateCellOperand enumerator(this, node->child1());
+ SpeculateInt32Operand index(this, node->child2());
+ GPRTemporary scratch(this);
+ GPRResult resultPayload(this);
+ GPRResult2 resultTag(this);
+
+ GPRReg enumeratorGPR = enumerator.gpr();
+ GPRReg indexGPR = index.gpr();
+ GPRReg scratchGPR = scratch.gpr();
+ GPRReg resultTagGPR = resultTag.gpr();
+ GPRReg resultPayloadGPR = resultPayload.gpr();
+
+ MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below,
+ indexGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset()));
+
+ m_jit.move(MacroAssembler::TrustedImm32(JSValue::NullTag), resultTagGPR);
+ m_jit.move(MacroAssembler::TrustedImm32(0), resultPayloadGPR);
+
+ MacroAssembler::Jump done = m_jit.jump();
+ inBounds.link(&m_jit);
+
+ m_jit.loadPtr(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), scratchGPR);
+ m_jit.loadPtr(MacroAssembler::BaseIndex(scratchGPR, indexGPR, MacroAssembler::ScalePtr), resultPayloadGPR);
+ m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), resultTagGPR);
+
+ done.link(&m_jit);
+ jsValueResult(resultTagGPR, resultPayloadGPR, node);
+ break;
+ }
+ case ToIndexString: {
+ SpeculateInt32Operand index(this, node->child1());
+ GPRResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationToIndexString, resultGPR, index.gpr());
+ cellResult(resultGPR, node);
+ break;
+ }
+
</ins><span class="cx"> case ForceOSRExit: {
</span><span class="cx"> terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
</span><span class="cx"> break;
</span><span class="lines">@@ -4625,6 +4872,7 @@
</span><span class="cx">
</span><span class="cx"> case Phantom:
</span><span class="cx"> case HardPhantom:
</span><ins>+ case Check:
</ins><span class="cx"> DFG_NODE_DO_TO_CHILDREN(m_jit.graph(), node, speculate);
</span><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -37,6 +37,7 @@
</span><span class="cx"> #include "Debugger.h"
</span><span class="cx"> #include "GetterSetter.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "ObjectPrototype.h"
</span><span class="cx"> #include "SpillRegistersMode.h"
</span><span class="cx">
</span><span class="lines">@@ -1869,8 +1870,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case MovHint:
</span><del>- case ZombieHint:
- case Check: {
</del><ins>+ case ZombieHint: {
</ins><span class="cx"> DFG_CRASH(m_jit.graph(), node, "Unexpected node");
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -3793,6 +3793,7 @@
</span><span class="cx">
</span><span class="cx"> case CheckExecutable: {
</span><span class="cx"> SpeculateCellOperand function(this, node->child1());
</span><ins>+ speculateCellType(node->child1(), function.gpr(), SpecFunction, JSFunctionType);
</ins><span class="cx"> speculationCheck(BadExecutable, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, JITCompiler::Address(function.gpr(), JSFunction::offsetOfExecutable()), node->executable()));
</span><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><span class="lines">@@ -4647,6 +4648,7 @@
</span><span class="cx">
</span><span class="cx"> case Phantom:
</span><span class="cx"> case HardPhantom:
</span><ins>+ case Check:
</ins><span class="cx"> DFG_NODE_DO_TO_CHILDREN(m_jit.graph(), node, speculate);
</span><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><span class="lines">@@ -4670,6 +4672,249 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case GetEnumerableLength: {
+ SpeculateCellOperand base(this, node->child1());
+ GPRResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationGetEnumerableLength, resultGPR, base.gpr());
+ int32Result(resultGPR, node);
+ break;
+ }
+ case HasGenericProperty: {
+ JSValueOperand base(this, node->child1());
+ SpeculateCellOperand property(this, node->child2());
+ GPRResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationHasGenericProperty, resultGPR, base.gpr(), property.gpr());
+ jsValueResult(resultGPR, node, DataFormatJSBoolean);
+ break;
+ }
+ case HasStructureProperty: {
+ JSValueOperand base(this, node->child1());
+ SpeculateCellOperand property(this, node->child2());
+ SpeculateCellOperand enumerator(this, node->child3());
+ GPRTemporary scratch(this);
+ GPRResult result(this);
+
+ GPRReg baseGPR = base.gpr();
+ GPRReg propertyGPR = property.gpr();
+ GPRReg scratchGPR = scratch.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratchGPR);
+ MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual,
+ scratchGPR,
+ MacroAssembler::Address(enumerator.gpr(), JSPropertyNameEnumerator::cachedStructureIDOffset()));
+
+ moveTrueTo(resultGPR);
+ MacroAssembler::Jump done = m_jit.jump();
+
+ done.link(&m_jit);
+
+ addSlowPathGenerator(slowPathCall(wrongStructure, this, operationHasGenericProperty, resultGPR, baseGPR, propertyGPR));
+ jsValueResult(resultGPR, node, DataFormatJSBoolean);
+ break;
+ }
+ case HasIndexedProperty: {
+ SpeculateCellOperand base(this, node->child1());
+ SpeculateInt32Operand index(this, node->child2());
+ GPRResult result(this);
+
+ GPRReg baseGPR = base.gpr();
+ GPRReg indexGPR = index.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ MacroAssembler::JumpList slowCases;
+ ArrayMode mode = node->arrayMode();
+ switch (mode.type()) {
+ case Array::Int32:
+ case Array::Contiguous: {
+ ASSERT(!!node->child3());
+ StorageOperand storage(this, node->child3());
+ GPRTemporary scratch(this);
+
+ GPRReg storageGPR = storage.gpr();
+ GPRReg scratchGPR = scratch.gpr();
+
+ MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()));
+ if (mode.isInBounds())
+ speculationCheck(OutOfBounds, JSValueRegs(), 0, outOfBounds);
+ else
+ slowCases.append(outOfBounds);
+
+ m_jit.load64(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight), scratchGPR);
+ slowCases.append(m_jit.branchTest64(MacroAssembler::Zero, scratchGPR));
+ moveTrueTo(resultGPR);
+ break;
+ }
+ case Array::Double: {
+ ASSERT(!!node->child3());
+ StorageOperand storage(this, node->child3());
+ FPRTemporary scratch(this);
+ FPRReg scratchFPR = scratch.fpr();
+ GPRReg storageGPR = storage.gpr();
+
+ MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()));
+ if (mode.isInBounds())
+ speculationCheck(OutOfBounds, JSValueRegs(), 0, outOfBounds);
+ else
+ slowCases.append(outOfBounds);
+
+ m_jit.loadDouble(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight), scratchFPR);
+ slowCases.append(m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, scratchFPR, scratchFPR));
+ break;
+ }
+ case Array::ArrayStorage: {
+ ASSERT(!!node->child3());
+ StorageOperand storage(this, node->child3());
+ GPRTemporary scratch(this);
+
+ GPRReg storageGPR = storage.gpr();
+ GPRReg scratchGPR = scratch.gpr();
+
+ MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, ArrayStorage::vectorLengthOffset()));
+ if (mode.isInBounds())
+ speculationCheck(OutOfBounds, JSValueRegs(), 0, outOfBounds);
+ else
+ slowCases.append(outOfBounds);
+
+ m_jit.load64(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight, ArrayStorage::vectorOffset()), scratchGPR);
+ slowCases.append(m_jit.branchTest64(MacroAssembler::Zero, scratchGPR));
+ moveTrueTo(resultGPR);
+ break;
+ }
+ default: {
+ slowCases.append(m_jit.jump());
+ break;
+ }
+ }
+
+ addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, resultGPR, baseGPR, indexGPR));
+
+ jsValueResult(resultGPR, node, DataFormatJSBoolean);
+ break;
+ }
+ case GetDirectPname: {
+ Edge& baseEdge = m_jit.graph().varArgChild(node, 0);
+ Edge& propertyEdge = m_jit.graph().varArgChild(node, 1);
+ Edge& indexEdge = m_jit.graph().varArgChild(node, 2);
+ Edge& enumeratorEdge = m_jit.graph().varArgChild(node, 3);
+
+ SpeculateCellOperand base(this, baseEdge);
+ SpeculateCellOperand property(this, propertyEdge);
+ SpeculateInt32Operand index(this, indexEdge);
+ SpeculateCellOperand enumerator(this, enumeratorEdge);
+ GPRResult result(this);
+ GPRTemporary scratch1(this);
+ GPRTemporary scratch2(this);
+
+ GPRReg baseGPR = base.gpr();
+ GPRReg propertyGPR = property.gpr();
+ GPRReg indexGPR = index.gpr();
+ GPRReg enumeratorGPR = enumerator.gpr();
+ GPRReg resultGPR = result.gpr();
+ GPRReg scratch1GPR = scratch1.gpr();
+ GPRReg scratch2GPR = scratch2.gpr();
+
+ // Check the structure
+ m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratch1GPR);
+ MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual,
+ scratch1GPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset()));
+
+ // Compute the offset
+ // If index is less than the enumerator's cached inline storage, then it's an inline access
+ MacroAssembler::Jump outOfLineAccess = m_jit.branch32(MacroAssembler::AboveOrEqual,
+ indexGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()));
+
+ m_jit.load64(MacroAssembler::BaseIndex(baseGPR, indexGPR, MacroAssembler::TimesEight, JSObject::offsetOfInlineStorage()), resultGPR);
+
+ MacroAssembler::Jump done = m_jit.jump();
+
+ // Otherwise it's out of line
+ outOfLineAccess.link(&m_jit);
+ m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratch2GPR);
+ m_jit.move(indexGPR, scratch1GPR);
+ m_jit.sub32(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), scratch1GPR);
+ m_jit.neg32(scratch1GPR);
+ m_jit.signExtend32ToPtr(scratch1GPR, scratch1GPR);
+ int32_t offsetOfFirstProperty = static_cast<int32_t>(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
+ m_jit.load64(MacroAssembler::BaseIndex(scratch2GPR, scratch1GPR, MacroAssembler::TimesEight, offsetOfFirstProperty), resultGPR);
+
+ done.link(&m_jit);
+
+ addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByVal, resultGPR, baseGPR, propertyGPR));
+
+ jsValueResult(resultGPR, node);
+ break;
+ }
+ case GetStructurePropertyEnumerator: {
+ SpeculateCellOperand base(this, node->child1());
+ SpeculateInt32Operand length(this, node->child2());
+ GPRResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationGetStructurePropertyEnumerator, resultGPR, base.gpr(), length.gpr());
+ cellResult(resultGPR, node);
+ break;
+ }
+ case GetGenericPropertyEnumerator: {
+ SpeculateCellOperand base(this, node->child1());
+ SpeculateInt32Operand length(this, node->child2());
+ SpeculateCellOperand enumerator(this, node->child3());
+ GPRResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationGetGenericPropertyEnumerator, resultGPR, base.gpr(), length.gpr(), enumerator.gpr());
+ cellResult(resultGPR, node);
+ break;
+ }
+ case GetEnumeratorPname: {
+ SpeculateCellOperand enumerator(this, node->child1());
+ SpeculateInt32Operand index(this, node->child2());
+ GPRTemporary scratch1(this);
+ GPRTemporary scratch2(this);
+ GPRResult result(this);
+
+ GPRReg enumeratorGPR = enumerator.gpr();
+ GPRReg indexGPR = index.gpr();
+ GPRReg scratch1GPR = scratch1.gpr();
+ GPRReg scratch2GPR = scratch2.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below,
+ indexGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset()));
+
+ m_jit.move(MacroAssembler::TrustedImm32(ValueNull), resultGPR);
+
+ MacroAssembler::Jump done = m_jit.jump();
+ inBounds.link(&m_jit);
+
+ m_jit.loadPtr(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), scratch1GPR);
+ m_jit.move(indexGPR, scratch2GPR);
+ m_jit.signExtend32ToPtr(scratch2GPR, scratch2GPR);
+ m_jit.load64(MacroAssembler::BaseIndex(scratch1GPR, scratch2GPR, MacroAssembler::TimesEight), resultGPR);
+
+ done.link(&m_jit);
+ jsValueResult(resultGPR, node);
+ break;
+ }
+ case ToIndexString: {
+ SpeculateInt32Operand index(this, node->child1());
+ GPRResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationToIndexString, resultGPR, index.gpr());
+ cellResult(resultGPR, node);
+ break;
+ }
+
</ins><span class="cx"> #if ENABLE(FTL_JIT)
</span><span class="cx"> case CheckTierUpInLoop: {
</span><span class="cx"> MacroAssembler::Jump done = m_jit.branchAdd32(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGUseKindcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -39,80 +39,84 @@
</span><span class="cx"> switch (useKind) {
</span><span class="cx"> case UntypedUse:
</span><span class="cx"> out.print("Untyped");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case Int32Use:
</span><span class="cx"> out.print("Int32");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case KnownInt32Use:
</span><span class="cx"> out.print("KnownInt32");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case Int52RepUse:
</span><span class="cx"> out.print("Int52Rep");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case MachineIntUse:
</span><span class="cx"> out.print("MachineInt");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case NumberUse:
</span><span class="cx"> out.print("Number");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case DoubleRepUse:
</span><span class="cx"> out.print("DoubleRep");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case DoubleRepRealUse:
</span><span class="cx"> out.print("DoubleRepReal");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case DoubleRepMachineIntUse:
</span><span class="cx"> out.print("DoubleRepMachineInt");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case BooleanUse:
</span><span class="cx"> out.print("Boolean");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case CellUse:
</span><span class="cx"> out.print("Cell");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case KnownCellUse:
</span><span class="cx"> out.print("KnownCell");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case ObjectUse:
</span><span class="cx"> out.print("Object");
</span><del>- break;
</del><ins>+ return;
+ case FunctionUse:
+ out.print("Function");
+ return;
</ins><span class="cx"> case FinalObjectUse:
</span><span class="cx"> out.print("FinalObject");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> out.print("ObjectOrOther");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case StringIdentUse:
</span><span class="cx"> out.print("StringIdent");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case StringUse:
</span><span class="cx"> out.print("String");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case KnownStringUse:
</span><span class="cx"> out.print("KnownString");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case StringObjectUse:
</span><span class="cx"> out.print("StringObject");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case StringOrStringObjectUse:
</span><span class="cx"> out.print("StringOrStringObject");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case NotStringVarUse:
</span><span class="cx"> out.print("NotStringVar");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case NotCellUse:
</span><span class="cx"> out.print("NotCell");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case OtherUse:
</span><span class="cx"> out.print("Other");
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> case MiscUse:
</span><span class="cx"> out.print("Misc");
</span><del>- break;
- default:
</del><ins>+ return;
+ case LastUseKind:
</ins><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><del>- break;
</del><ins>+ return;
</ins><span class="cx"> }
</span><ins>+ RELEASE_ASSERT_NOT_REACHED();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace WTF
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGUseKindh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGUseKind.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGUseKind.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/dfg/DFGUseKind.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -48,6 +48,7 @@
</span><span class="cx"> CellUse,
</span><span class="cx"> KnownCellUse,
</span><span class="cx"> ObjectUse,
</span><ins>+ FunctionUse,
</ins><span class="cx"> FinalObjectUse,
</span><span class="cx"> ObjectOrOtherUse,
</span><span class="cx"> StringIdentUse,
</span><span class="lines">@@ -89,6 +90,8 @@
</span><span class="cx"> return SpecCell;
</span><span class="cx"> case ObjectUse:
</span><span class="cx"> return SpecObject;
</span><ins>+ case FunctionUse:
+ return SpecFunction;
</ins><span class="cx"> case FinalObjectUse:
</span><span class="cx"> return SpecFinalObject;
</span><span class="cx"> case ObjectOrOtherUse:
</span><span class="lines">@@ -171,6 +174,7 @@
</span><span class="cx"> case CellUse:
</span><span class="cx"> case KnownCellUse:
</span><span class="cx"> case ObjectUse:
</span><ins>+ case FunctionUse:
</ins><span class="cx"> case FinalObjectUse:
</span><span class="cx"> case StringIdentUse:
</span><span class="cx"> case StringUse:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositorycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx"> #if ENABLE(FTL_JIT)
</span><span class="cx">
</span><span class="cx"> #include "GetterSetter.h"
</span><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "JSScope.h"
</span><span class="cx"> #include "JSVariableObject.h"
</span><span class="cx"> #include "JSCInlines.h"
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -59,6 +59,10 @@
</span><span class="cx"> macro(JSFunction_executable, JSFunction::offsetOfExecutable()) \
</span><span class="cx"> macro(JSFunction_scope, JSFunction::offsetOfScopeChain()) \
</span><span class="cx"> macro(JSObject_butterfly, JSObject::butterflyOffset()) \
</span><ins>+ macro(JSPropertyNameEnumerator_cachedInlineCapacity, JSPropertyNameEnumerator::cachedInlineCapacityOffset()) \
+ macro(JSPropertyNameEnumerator_cachedPropertyNamesLength, JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset()) \
+ macro(JSPropertyNameEnumerator_cachedPropertyNamesVector, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()) \
+ macro(JSPropertyNameEnumerator_cachedStructureID, JSPropertyNameEnumerator::cachedStructureIDOffset()) \
</ins><span class="cx"> macro(JSScope_next, JSScope::offsetOfNext()) \
</span><span class="cx"> macro(JSString_flags, JSString::offsetOfFlags()) \
</span><span class="cx"> macro(JSString_length, JSString::offsetOfLength()) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -158,6 +158,14 @@
</span><span class="cx"> case DoubleConstant:
</span><span class="cx"> case Int52Constant:
</span><span class="cx"> case BooleanToNumber:
</span><ins>+ case HasGenericProperty:
+ case HasStructureProperty:
+ case GetDirectPname:
+ case GetEnumerableLength:
+ case GetStructurePropertyEnumerator:
+ case GetGenericPropertyEnumerator:
+ case GetEnumeratorPname:
+ case ToIndexString:
</ins><span class="cx"> // These are OK.
</span><span class="cx"> break;
</span><span class="cx"> case Identity:
</span><span class="lines">@@ -206,6 +214,17 @@
</span><span class="cx"> return CannotCompile;
</span><span class="cx"> }
</span><span class="cx"> break;
</span><ins>+ case HasIndexedProperty:
+ switch (node->arrayMode().type()) {
+ case Array::ForceExit:
+ case Array::Int32:
+ case Array::Double:
+ case Array::Contiguous:
+ break;
+ default:
+ return CannotCompile;
+ }
+ break;
</ins><span class="cx"> case GetByVal:
</span><span class="cx"> switch (node->arrayMode().type()) {
</span><span class="cx"> case Array::ForceExit:
</span><span class="lines">@@ -374,6 +393,7 @@
</span><span class="cx"> case CellUse:
</span><span class="cx"> case KnownCellUse:
</span><span class="cx"> case ObjectUse:
</span><ins>+ case FunctionUse:
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> case StringUse:
</span><span class="cx"> case KnownStringUse:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLIntrinsicRepositoryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -54,19 +54,24 @@
</span><span class="cx">
</span><span class="cx"> #define FOR_EACH_FUNCTION_TYPE(macro) \
</span><span class="cx"> macro(C_JITOperation_EC, functionType(intPtr, intPtr, intPtr)) \
</span><ins>+ macro(C_JITOperation_ECZ, functionType(intPtr, intPtr, intPtr, int32)) \
+ macro(C_JITOperation_ECZC, functionType(intPtr, intPtr, intPtr, int32, intPtr)) \
</ins><span class="cx"> macro(C_JITOperation_EJ, functionType(intPtr, intPtr, int64)) \
</span><span class="cx"> macro(C_JITOperation_EJssJss, functionType(intPtr, intPtr, intPtr, intPtr)) \
</span><span class="cx"> macro(C_JITOperation_EJssJssJss, functionType(intPtr, intPtr, intPtr, intPtr, intPtr)) \
</span><span class="cx"> macro(C_JITOperation_ESt, functionType(intPtr, intPtr, intPtr)) \
</span><ins>+ macro(C_JITOperation_EZ, functionType(intPtr, intPtr, int32)) \
</ins><span class="cx"> macro(D_JITOperation_D, functionType(doubleType, doubleType)) \
</span><span class="cx"> macro(I_JITOperation_EJss, functionType(intPtr, intPtr, intPtr)) \
</span><span class="cx"> macro(J_JITOperation_E, functionType(int64, intPtr)) \
</span><span class="cx"> macro(J_JITOperation_EA, functionType(int64, intPtr, intPtr)) \
</span><span class="cx"> macro(J_JITOperation_EAZ, functionType(int64, intPtr, intPtr, int32)) \
</span><span class="cx"> macro(J_JITOperation_ECJ, functionType(int64, intPtr, intPtr, int64)) \
</span><ins>+ macro(J_JITOperation_ECZ, functionType(int64, intPtr, intPtr, int32)) \
</ins><span class="cx"> macro(J_JITOperation_EDA, functionType(int64, intPtr, doubleType, intPtr)) \
</span><span class="cx"> macro(J_JITOperation_EJ, functionType(int64, intPtr, int64)) \
</span><span class="cx"> macro(J_JITOperation_EJA, functionType(int64, intPtr, int64, intPtr)) \
</span><ins>+ macro(J_JITOperation_EJC, functionType(int64, intPtr, int64, intPtr)) \
</ins><span class="cx"> macro(J_JITOperation_EJJ, functionType(int64, intPtr, int64, int64)) \
</span><span class="cx"> macro(J_JITOperation_EJssZ, functionType(int64, intPtr, intPtr, int32)) \
</span><span class="cx"> macro(J_JITOperation_ESsiJI, functionType(int64, intPtr, intPtr, int64, intPtr)) \
</span><span class="lines">@@ -94,8 +99,9 @@
</span><span class="cx"> macro(V_JITOperation_EVwsJ, functionType(voidType, intPtr, intPtr, int64)) \
</span><span class="cx"> macro(V_JITOperation_J, functionType(voidType, int64)) \
</span><span class="cx"> macro(V_JITOperation_Z, functionType(voidType, int32)) \
</span><del>- macro(Z_JITOperation_D, functionType(int32, doubleType))
-
</del><ins>+ macro(Z_JITOperation_D, functionType(int32, doubleType)) \
+ macro(Z_JITOperation_EC, functionType(int32, intPtr, intPtr))
+
</ins><span class="cx"> class IntrinsicRepository : public CommonValues {
</span><span class="cx"> public:
</span><span class="cx"> IntrinsicRepository(LContext);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -400,6 +400,7 @@
</span><span class="cx"> break;
</span><span class="cx"> case Phantom:
</span><span class="cx"> case HardPhantom:
</span><ins>+ case Check:
</ins><span class="cx"> compilePhantom();
</span><span class="cx"> break;
</span><span class="cx"> case ToThis:
</span><span class="lines">@@ -698,6 +699,34 @@
</span><span class="cx"> case StoreBarrierWithNullCheck:
</span><span class="cx"> compileStoreBarrierWithNullCheck();
</span><span class="cx"> break;
</span><ins>+ case HasIndexedProperty:
+ compileHasIndexedProperty();
+ break;
+ case HasGenericProperty:
+ compileHasGenericProperty();
+ break;
+ case HasStructureProperty:
+ compileHasStructureProperty();
+ break;
+ case GetDirectPname:
+ compileGetDirectPname();
+ break;
+ case GetEnumerableLength:
+ compileGetEnumerableLength();
+ break;
+ case GetStructurePropertyEnumerator:
+ compileGetStructurePropertyEnumerator();
+ break;
+ case GetGenericPropertyEnumerator:
+ compileGetGenericPropertyEnumerator();
+ break;
+ case GetEnumeratorPname:
+ compileGetEnumeratorPname();
+ break;
+ case ToIndexString:
+ compileToIndexString();
+ break;
+
</ins><span class="cx"> case PhantomLocal:
</span><span class="cx"> case SetArgument:
</span><span class="cx"> case LoopHint:
</span><span class="lines">@@ -1727,6 +1756,8 @@
</span><span class="cx"> {
</span><span class="cx"> LValue cell = lowCell(m_node->child1());
</span><span class="cx">
</span><ins>+ speculateFunction(m_node->child1(), cell);
+
</ins><span class="cx"> speculate(
</span><span class="cx"> BadExecutable, jsValueValue(cell), m_node->child1().node(),
</span><span class="cx"> m_out.notEqual(
</span><span class="lines">@@ -4102,6 +4133,225 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void compileHasIndexedProperty()
+ {
+ switch (m_node->arrayMode().type()) {
+ case Array::Int32:
+ case Array::Contiguous: {
+ LValue base = lowCell(m_node->child1());
+ LValue index = lowInt32(m_node->child2());
+ LValue storage = lowStorage(m_node->child3());
+
+ IndexedAbstractHeap& heap = m_node->arrayMode().type() == Array::Int32 ?
+ m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties;
+
+ LBasicBlock checkHole = FTL_NEW_BLOCK(m_out, ("HasIndexedProperty int/contiguous check hole"));
+ LBasicBlock slowCase = FTL_NEW_BLOCK(m_out, ("HasIndexedProperty int/contiguous slow case"));
+ LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("HasIndexedProperty int/contiguous continuation"));
+
+ if (!m_node->arrayMode().isInBounds()) {
+ m_out.branch(
+ m_out.aboveOrEqual(
+ index, m_out.load32NonNegative(storage, m_heaps.Butterfly_publicLength)),
+ rarely(slowCase), usually(checkHole));
+ } else
+ m_out.jump(checkHole);
+
+ LBasicBlock lastNext = m_out.appendTo(checkHole, slowCase);
+ ValueFromBlock checkHoleResult = m_out.anchor(
+ m_out.notZero64(m_out.load64(baseIndex(heap, storage, index, m_node->child2()))));
+ m_out.branch(checkHoleResult.value(), usually(continuation), rarely(slowCase));
+
+ m_out.appendTo(slowCase, continuation);
+ ValueFromBlock slowResult = m_out.anchor(m_out.equal(
+ m_out.constInt64(JSValue::encode(jsBoolean(true))),
+ vmCall(m_out.operation(operationHasIndexedProperty), m_callFrame, base, index)));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ setBoolean(m_out.phi(m_out.boolean, checkHoleResult, slowResult));
+ return;
+ }
+ case Array::Double: {
+ LValue base = lowCell(m_node->child1());
+ LValue index = lowInt32(m_node->child2());
+ LValue storage = lowStorage(m_node->child3());
+
+ IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties;
+
+ LBasicBlock checkHole = FTL_NEW_BLOCK(m_out, ("HasIndexedProperty double check hole"));
+ LBasicBlock slowCase = FTL_NEW_BLOCK(m_out, ("HasIndexedProperty double slow case"));
+ LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("HasIndexedProperty double continuation"));
+
+ if (!m_node->arrayMode().isInBounds()) {
+ m_out.branch(
+ m_out.aboveOrEqual(
+ index, m_out.load32NonNegative(storage, m_heaps.Butterfly_publicLength)),
+ rarely(slowCase), usually(checkHole));
+ } else
+ m_out.jump(checkHole);
+
+ LBasicBlock lastNext = m_out.appendTo(checkHole, slowCase);
+ LValue doubleValue = m_out.loadDouble(baseIndex(heap, storage, index, m_node->child2()));
+ ValueFromBlock checkHoleResult = m_out.anchor(
+ m_out.doubleNotEqualOrUnordered(doubleValue, doubleValue));
+ m_out.branch(checkHoleResult.value(), rarely(slowCase), usually(continuation));
+
+ m_out.appendTo(slowCase, continuation);
+ ValueFromBlock slowResult = m_out.anchor(m_out.equal(
+ m_out.constInt64(JSValue::encode(jsBoolean(true))),
+ vmCall(m_out.operation(operationHasIndexedProperty), m_callFrame, base, index)));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ setBoolean(m_out.phi(m_out.boolean, checkHoleResult, slowResult));
+ return;
+ }
+
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ return;
+ }
+ }
+
+ void compileHasGenericProperty()
+ {
+ LValue base = lowJSValue(m_node->child1());
+ LValue property = lowCell(m_node->child2());
+ setJSValue(vmCall(m_out.operation(operationHasGenericProperty), m_callFrame, base, property));
+ }
+
+ void compileHasStructureProperty()
+ {
+ LValue base = lowJSValue(m_node->child1());
+ LValue property = lowString(m_node->child2());
+ LValue enumerator = lowCell(m_node->child3());
+
+ LBasicBlock correctStructure = FTL_NEW_BLOCK(m_out, ("HasStructureProperty correct structure"));
+ LBasicBlock wrongStructure = FTL_NEW_BLOCK(m_out, ("HasStructureProperty wrong structure"));
+ LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("HasStructureProperty continuation"));
+
+ m_out.branch(m_out.notEqual(
+ m_out.load32(base, m_heaps.JSCell_structureID),
+ m_out.load32(enumerator, m_heaps.JSPropertyNameEnumerator_cachedStructureID)),
+ rarely(wrongStructure), usually(correctStructure));
+
+ LBasicBlock lastNext = m_out.appendTo(correctStructure, wrongStructure);
+ ValueFromBlock correctStructureResult = m_out.anchor(m_out.booleanTrue);
+ m_out.jump(continuation);
+
+ m_out.appendTo(wrongStructure, continuation);
+ ValueFromBlock wrongStructureResult = m_out.anchor(
+ m_out.equal(
+ m_out.constInt64(JSValue::encode(jsBoolean(true))),
+ vmCall(m_out.operation(operationHasGenericProperty), m_callFrame, base, property)));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ setBoolean(m_out.phi(m_out.boolean, correctStructureResult, wrongStructureResult));
+ }
+
+ void compileGetDirectPname()
+ {
+ LValue base = lowCell(m_graph.varArgChild(m_node, 0));
+ LValue property = lowCell(m_graph.varArgChild(m_node, 1));
+ LValue index = lowInt32(m_graph.varArgChild(m_node, 2));
+ LValue enumerator = lowCell(m_graph.varArgChild(m_node, 3));
+
+ LBasicBlock checkOffset = FTL_NEW_BLOCK(m_out, ("GetDirectPname check offset"));
+ LBasicBlock inlineLoad = FTL_NEW_BLOCK(m_out, ("GetDirectPname inline load"));
+ LBasicBlock outOfLineLoad = FTL_NEW_BLOCK(m_out, ("GetDirectPname out-of-line load"));
+ LBasicBlock slowCase = FTL_NEW_BLOCK(m_out, ("GetDirectPname slow case"));
+ LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("GetDirectPname continuation"));
+
+ m_out.branch(m_out.notEqual(
+ m_out.load32(base, m_heaps.JSCell_structureID),
+ m_out.load32(enumerator, m_heaps.JSPropertyNameEnumerator_cachedStructureID)),
+ rarely(slowCase), usually(checkOffset));
+
+ LBasicBlock lastNext = m_out.appendTo(checkOffset, inlineLoad);
+ m_out.branch(m_out.aboveOrEqual(index, m_out.load32(enumerator, m_heaps.JSPropertyNameEnumerator_cachedInlineCapacity)),
+ unsure(outOfLineLoad), unsure(inlineLoad));
+
+ m_out.appendTo(inlineLoad, outOfLineLoad);
+ ValueFromBlock inlineResult = m_out.anchor(
+ m_out.load64(m_out.baseIndex(m_heaps.properties.atAnyNumber(),
+ base, m_out.zeroExt(index, m_out.int64), ScaleEight, JSObject::offsetOfInlineStorage())));
+ m_out.jump(continuation);
+
+ m_out.appendTo(outOfLineLoad, slowCase);
+ LValue storage = m_out.loadPtr(base, m_heaps.JSObject_butterfly);
+ LValue realIndex = m_out.signExt(
+ m_out.neg(m_out.sub(index, m_out.load32(enumerator, m_heaps.JSPropertyNameEnumerator_cachedInlineCapacity))),
+ m_out.int64);
+ int32_t offsetOfFirstProperty = static_cast<int32_t>(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
+ ValueFromBlock outOfLineResult = m_out.anchor(
+ m_out.load64(m_out.baseIndex(m_heaps.properties.atAnyNumber(), storage, realIndex, ScaleEight, offsetOfFirstProperty)));
+ m_out.jump(continuation);
+
+ m_out.appendTo(slowCase, continuation);
+ ValueFromBlock slowCaseResult = m_out.anchor(
+ vmCall(m_out.operation(operationGetByVal), m_callFrame, base, property));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ setJSValue(m_out.phi(m_out.int64, inlineResult, outOfLineResult, slowCaseResult));
+ }
+
+ void compileGetEnumerableLength()
+ {
+ LValue base = lowCell(m_node->child1());
+ setInt32(vmCall(m_out.operation(operationGetEnumerableLength), m_callFrame, base));
+ }
+
+ void compileGetStructurePropertyEnumerator()
+ {
+ LValue base = lowCell(m_node->child1());
+ LValue length = lowInt32(m_node->child2());
+ setJSValue(vmCall(m_out.operation(operationGetStructurePropertyEnumerator), m_callFrame, base, length));
+ }
+
+ void compileGetGenericPropertyEnumerator()
+ {
+ LValue base = lowCell(m_node->child1());
+ LValue length = lowInt32(m_node->child2());
+ LValue enumerator = lowCell(m_node->child3());
+ setJSValue(vmCall(m_out.operation(operationGetGenericPropertyEnumerator), m_callFrame, base, length, enumerator));
+ }
+
+ void compileGetEnumeratorPname()
+ {
+ LValue enumerator = lowCell(m_node->child1());
+ LValue index = lowInt32(m_node->child2());
+
+ LBasicBlock inBounds = FTL_NEW_BLOCK(m_out, ("GetEnumeratorPname in bounds"));
+ LBasicBlock outOfBounds = FTL_NEW_BLOCK(m_out, ("GetEnumeratorPname out of bounds"));
+ LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("GetEnumeratorPname continuation"));
+
+ m_out.branch(m_out.below(index, m_out.load32(enumerator, m_heaps.JSPropertyNameEnumerator_cachedPropertyNamesLength)),
+ usually(inBounds), rarely(outOfBounds));
+
+ LBasicBlock lastNext = m_out.appendTo(inBounds, outOfBounds);
+ LValue storage = m_out.loadPtr(enumerator, m_heaps.JSPropertyNameEnumerator_cachedPropertyNamesVector);
+ ValueFromBlock inBoundsResult = m_out.anchor(
+ m_out.load64(m_out.baseIndex(m_heaps.JSPropertyNameEnumerator_cachedPropertyNamesVector,
+ storage, m_out.signExt(index, m_out.int64), ScaleEight)));
+ m_out.jump(continuation);
+
+ m_out.appendTo(outOfBounds, continuation);
+ ValueFromBlock outOfBoundsResult = m_out.anchor(m_out.constInt64(ValueNull));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ setJSValue(m_out.phi(m_out.int64, inBoundsResult, outOfBoundsResult));
+ }
+
+ void compileToIndexString()
+ {
+ LValue index = lowInt32(m_node->child1());
+ setJSValue(vmCall(m_out.operation(operationToIndexString), m_callFrame, index));
+ }
+
</ins><span class="cx"> #if ENABLE(FTL_NATIVE_CALL_INLINING)
</span><span class="cx"> LValue getFunctionBySymbol(const CString symbol)
</span><span class="cx"> {
</span><span class="lines">@@ -5265,7 +5515,7 @@
</span><span class="cx">
</span><span class="cx"> LValue lowJSValue(Edge edge, OperandSpeculationMode mode = AutomaticOperandSpeculation)
</span><span class="cx"> {
</span><del>- ASSERT_UNUSED(mode, mode == ManualOperandSpeculation || edge.useKind() == UntypedUse);
</del><ins>+ DFG_ASSERT(m_graph, m_node, mode == ManualOperandSpeculation || edge.useKind() == UntypedUse);
</ins><span class="cx"> DFG_ASSERT(m_graph, m_node, !isDouble(edge.useKind()));
</span><span class="cx"> DFG_ASSERT(m_graph, m_node, edge.useKind() != Int52RepUse);
</span><span class="cx">
</span><span class="lines">@@ -5559,6 +5809,9 @@
</span><span class="cx"> case ObjectUse:
</span><span class="cx"> speculateObject(edge);
</span><span class="cx"> break;
</span><ins>+ case FunctionUse:
+ speculateFunction(edge);
+ break;
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> speculateObjectOrOther(edge);
</span><span class="cx"> break;
</span><span class="lines">@@ -5693,6 +5946,9 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ LValue isFunction(LValue cell) { return isType(cell, JSFunctionType); }
+ LValue isNotFunction(LValue cell) { return isNotType(cell, JSFunctionType); }
+
</ins><span class="cx"> LValue isType(LValue cell, JSType type)
</span><span class="cx"> {
</span><span class="cx"> return m_out.equal(
</span><span class="lines">@@ -5715,12 +5971,22 @@
</span><span class="cx"> speculateObject(edge, lowCell(edge));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void speculateFunction(Edge edge, LValue cell)
+ {
+ FTL_TYPE_CHECK(jsValueValue(cell), edge, SpecFunction, isNotFunction(cell));
+ }
+
+ void speculateFunction(Edge edge)
+ {
+ speculateFunction(edge, lowCell(edge));
+ }
+
</ins><span class="cx"> void speculateObjectOrOther(Edge edge)
</span><span class="cx"> {
</span><span class="cx"> if (!m_interpreter.needsTypeCheck(edge))
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- LValue value = lowJSValue(edge);
</del><ins>+ LValue value = lowJSValue(edge, ManualOperandSpeculation);
</ins><span class="cx">
</span><span class="cx"> LBasicBlock cellCase = FTL_NEW_BLOCK(m_out, ("speculateObjectOrOther cell case"));
</span><span class="cx"> LBasicBlock primitiveCase = FTL_NEW_BLOCK(m_out, ("speculateObjectOrOther primitive case"));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/heap/Heap.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -970,8 +970,6 @@
</span><span class="cx"> #if ENABLE(ALLOCATION_LOGGING)
</span><span class="cx"> dataLogF("JSC GC starting collection.\n");
</span><span class="cx"> #endif
</span><del>- if (vm()->isProfilingTypesWithHighFidelity())
- vm()->highFidelityLog()->processHighFidelityLog(false, "GC");
</del><span class="cx">
</span><span class="cx"> double before = 0;
</span><span class="cx"> if (Options::logGC()) {
</span><span class="lines">@@ -981,6 +979,11 @@
</span><span class="cx">
</span><span class="cx"> SamplingRegion samplingRegion("Garbage Collection");
</span><span class="cx">
</span><ins>+ if (vm()->isProfilingTypesWithHighFidelity()) {
+ DeferGCForAWhile awhile(*this);
+ vm()->highFidelityLog()->processHighFidelityLog("GC");
+ }
+
</ins><span class="cx"> RELEASE_ASSERT(!m_deferralDepth);
</span><span class="cx"> ASSERT(vm()->currentThreadIsHoldingAPILock());
</span><span class="cx"> RELEASE_ASSERT(vm()->atomicStringTable() == wtfThreadData().atomicStringTable());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectoragentsInspectorRuntimeAgentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -35,6 +35,8 @@
</span><span class="cx"> #if ENABLE(INSPECTOR)
</span><span class="cx">
</span><span class="cx"> #include "Completion.h"
</span><ins>+#include "HighFidelityLog.h"
+#include "HighFidelityTypeProfiler.h"
</ins><span class="cx"> #include "InjectedScript.h"
</span><span class="cx"> #include "InjectedScriptManager.h"
</span><span class="cx"> #include "InspectorValues.h"
</span><span class="lines">@@ -43,6 +45,7 @@
</span><span class="cx"> #include "ScriptDebugServer.h"
</span><span class="cx"> #include "SourceCode.h"
</span><span class="cx"> #include <wtf/PassRefPtr.h>
</span><ins>+#include <wtf/CurrentTime.h>
</ins><span class="cx">
</span><span class="cx"> using namespace JSC;
</span><span class="cx">
</span><span class="lines">@@ -191,11 +194,41 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset(ErrorString*, const String& in_variableName, const String& in_id, int in_divot, String* out_types)
</del><ins>+void InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets(ErrorString* errorString, const RefPtr<Inspector::InspectorArray>& in_locations, RefPtr<Inspector::InspectorArray>& out_types)
</ins><span class="cx"> {
</span><ins>+ static const bool verbose = false;
</ins><span class="cx"> VM& vm = globalVM();
</span><del>- String types(vm.getTypesForVariableAtOffset(in_divot, in_variableName, in_id));
- *out_types = types;
</del><ins>+ out_types = Inspector::InspectorArray::create();
+ if (!vm.isProfilingTypesWithHighFidelity())
+ return;
+
+ double start = currentTimeMS();
+ vm.highFidelityLog()->processHighFidelityLog("User Query");
+
+ for (size_t i = 0; i < in_locations->length(); i++) {
+ RefPtr<Inspector::InspectorValue> value = in_locations->get(i);
+ RefPtr<InspectorObject> location;
+ if (!value->asObject(&location)) {
+ *errorString = ASCIILiteral("Array of TypeLocation objects has an object that does not have type of TypeLocation.");
+ return;
+ }
+
+ int descriptor;
+ String sourceIDAsString;
+ int divot;
+ location->getNumber(ASCIILiteral("typeInformationDescriptor"), &descriptor);
+ location->getString(ASCIILiteral("sourceID"), &sourceIDAsString);
+ location->getNumber(ASCIILiteral("divot"), &divot);
+
+ RefPtr<Inspector::InspectorObject> typeDescription = Inspector::InspectorObject::create();
+ bool okay;
+ vm.highFidelityTypeProfiler()->getTypesForVariableAtOffsetForInspector(static_cast<TypeProfilerSearchDescriptor>(descriptor), divot, sourceIDAsString.toIntPtrStrict(&okay), typeDescription);
+ out_types->pushObject(typeDescription);
+ }
+
+ double end = currentTimeMS();
+ if (verbose)
+ dataLogF("Inspector::getRuntimeTypesForVariablesAtOffsets took %lfms\n", end - start);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace Inspector
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectoragentsInspectorRuntimeAgenth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -66,8 +66,8 @@
</span><span class="cx"> virtual void getProperties(ErrorString*, const String& objectId, const bool* ownProperties, RefPtr<Inspector::TypeBuilder::Array<Inspector::TypeBuilder::Runtime::PropertyDescriptor>>& result, RefPtr<Inspector::TypeBuilder::Array<Inspector::TypeBuilder::Runtime::InternalPropertyDescriptor>>& internalProperties) override final;
</span><span class="cx"> virtual void releaseObjectGroup(ErrorString*, const String& objectGroup) override final;
</span><span class="cx"> virtual void run(ErrorString*) override;
</span><del>- virtual void getRuntimeTypeForVariableAtOffset(ErrorString*, const String& in_variableName, const String& in_id, int in_divot, String* out_types) override;
-
</del><ins>+ virtual void getRuntimeTypesForVariablesAtOffsets(ErrorString*, const RefPtr<Inspector::InspectorArray>& in_locations, RefPtr<Inspector::InspectorArray>& out_types) override;
+
</ins><span class="cx"> void setScriptDebugServer(ScriptDebugServer* scriptDebugServer) { m_scriptDebugServer = scriptDebugServer; }
</span><span class="cx">
</span><span class="cx"> bool enabled() const { return m_enabled; }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectorprotocolRuntimejson"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/protocol/Runtime.json (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/protocol/Runtime.json 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/inspector/protocol/Runtime.json 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -111,6 +111,39 @@
</span><span class="cx"> { "name": "startOffset", "type": "integer", "description": "Start offset of range (inclusive)." },
</span><span class="cx"> { "name": "endOffset", "type": "integer", "description": "End offset of range (exclusive)." }
</span><span class="cx"> ]
</span><ins>+ },
+ {
+ "id": "StructureDescription",
+ "type": "object",
+ "properties": [
+ { "name": "fields", "type": "array", "items": { "type": "string" }, "description": "Array of strings, where the strings represent object properties." },
+ { "name": "constructorName", "type": "string", "description": "Name of the constructor." },
+ { "name": "prototypeStructure", "$ref": "StructureDescription", "optional": "true", "description": "Pointer to the StructureRepresentation of the protoype if one exists." }
+ ]
+ },
+ {
+ "id": "TypeDescription",
+ "type": "object",
+ "description": "Container for type information that has been gathered.",
+ "properties": [
+ { "name": "displayTypeName", "type": "string", "optional": true, "description": "What the inspector should display as a simple type." },
+ { "name": "localPrimitiveTypeNames", "type": "array", "items": { "type": "string" }, "optional": "true", "description": "Array of type names for primtive types (int, string, etc) seen at an instruction" },
+ { "name": "localObjectTypeNames", "type": "array", "items": { "type": "string" }, "optional": "true", "description": "Array of type names for all object seen at an instruction" },
+ { "name": "localStructures", "type": "array", "items": { "$ref": "StructureDescription" }, "optional": true, "description": "Array of descriptions for all structures seen at this this instruction." },
+ { "name": "globalPrimitiveTypeNames", "type": "array", "items": { "type": "string" }, "optional": true, "description": "Array of type names for all primitive types seen globally." },
+ { "name": "globalObjectTypeNames", "type": "array", "items": { "type": "string" }, "optional": true, "description": "Array of type names for all primitive types seen globally." },
+ { "name": "globalStructures", "type": "array", "items": { "$ref": "StructureDescription" }, "optional": true, "description": "Array of descriptions for all structures seen for this variable." }
+ ]
+ },
+ {
+ "id": "TypeLocation",
+ "type": "object",
+ "description": "Describes the location of an expression we want type information for.",
+ "properties": [
+ { "name": "typeInformationDescriptor", "type": "integer", "description": "What kind of type information do we want (normal, function return values, 'this' statement)." },
+ { "name": "sourceID", "type": "string", "description": "sourceID uniquely identifying a script" },
+ { "name": "divot", "type": "integer", "description": "character offset for assignment range" }
+ ]
</ins><span class="cx"> }
</span><span class="cx"> ],
</span><span class="cx"> "commands": [
</span><span class="lines">@@ -198,14 +231,12 @@
</span><span class="cx"> "description": "Disables reporting of execution contexts creation."
</span><span class="cx"> },
</span><span class="cx"> {
</span><del>- "name": "getRuntimeTypeForVariableAtOffset",
</del><ins>+ "name": "getRuntimeTypesForVariablesAtOffsets",
</ins><span class="cx"> "parameters": [
</span><del>- { "name": "variableName", "type": "string", "description": "Variable we want type infromation for." },
- { "name": "sourceID", "type": "string", "description": "sourceID uniquely identifying a script" },
- { "name": "divot", "type": "integer", "description": "character offset for assignment range" }
</del><ins>+ { "name": "locations", "type": "array", "items": { "$ref": "TypeLocation" }, "description": "An array of type locations we're requesting information for. Results are expected in the same order they're sent in."}
</ins><span class="cx"> ],
</span><span class="cx"> "returns": [
</span><del>- { "name": "types", "type": "string", "description": "Types for requested variable." }
</del><ins>+ { "name": "types", "type": "array", "item": { "$ref": "TypeDescription", "description": "Types for requested variable." } }
</ins><span class="cx"> ],
</span><span class="cx"> "description": "Returns detailed informtation on given function."
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterInterpretercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -47,7 +47,6 @@
</span><span class="cx"> #include "JSBoundFunction.h"
</span><span class="cx"> #include "JSNameScope.h"
</span><span class="cx"> #include "JSNotAnObject.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><span class="cx"> #include "JSStackInlines.h"
</span><span class="cx"> #include "JSString.h"
</span><span class="cx"> #include "JSWithScope.h"
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterRegisterh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Register.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Register.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/interpreter/Register.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -39,7 +39,6 @@
</span><span class="cx"> class ExecState;
</span><span class="cx"> class JSActivation;
</span><span class="cx"> class JSObject;
</span><del>- class JSPropertyNameIterator;
</del><span class="cx"> class JSScope;
</span><span class="cx">
</span><span class="cx"> typedef ExecState CallFrame;
</span><span class="lines">@@ -63,7 +62,6 @@
</span><span class="cx"> CallFrame* callFrame() const;
</span><span class="cx"> CodeBlock* codeBlock() const;
</span><span class="cx"> JSObject* function() const;
</span><del>- JSPropertyNameIterator* propertyNameIterator() const;
</del><span class="cx"> JSScope* scope() const;
</span><span class="cx"> int32_t unboxedInt32() const;
</span><span class="cx"> int64_t unboxedInt52() const;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitClosureCallStubRoutinecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ClosureCallStubRoutine.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ClosureCallStubRoutine.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/ClosureCallStubRoutine.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -39,9 +39,8 @@
</span><span class="cx">
</span><span class="cx"> ClosureCallStubRoutine::ClosureCallStubRoutine(
</span><span class="cx"> const MacroAssemblerCodeRef& code, VM& vm, const JSCell* owner,
</span><del>- Structure* structure, ExecutableBase* executable, const CodeOrigin& codeOrigin)
</del><ins>+ ExecutableBase* executable, const CodeOrigin& codeOrigin)
</ins><span class="cx"> : GCAwareJITStubRoutine(code, vm)
</span><del>- , m_structure(vm, owner, structure)
</del><span class="cx"> , m_executable(vm, owner, executable)
</span><span class="cx"> , m_codeOrigin(codeOrigin)
</span><span class="cx"> {
</span><span class="lines">@@ -53,7 +52,6 @@
</span><span class="cx">
</span><span class="cx"> void ClosureCallStubRoutine::markRequiredObjectsInternal(SlotVisitor& visitor)
</span><span class="cx"> {
</span><del>- visitor.append(&m_structure);
</del><span class="cx"> visitor.append(&m_executable);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitClosureCallStubRoutineh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ClosureCallStubRoutine.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ClosureCallStubRoutine.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/ClosureCallStubRoutine.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -37,11 +37,10 @@
</span><span class="cx"> public:
</span><span class="cx"> ClosureCallStubRoutine(
</span><span class="cx"> const MacroAssemblerCodeRef&, VM&, const JSCell* owner,
</span><del>- Structure*, ExecutableBase*, const CodeOrigin&);
</del><ins>+ ExecutableBase*, const CodeOrigin&);
</ins><span class="cx">
</span><span class="cx"> virtual ~ClosureCallStubRoutine();
</span><span class="cx">
</span><del>- Structure* structure() const { return m_structure.get(); }
</del><span class="cx"> ExecutableBase* executable() const { return m_executable.get(); }
</span><span class="cx"> const CodeOrigin& codeOrigin() const { return m_codeOrigin; }
</span><span class="cx">
</span><span class="lines">@@ -49,7 +48,6 @@
</span><span class="cx"> virtual void markRequiredObjectsInternal(SlotVisitor&) override;
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- WriteBarrier<Structure> m_structure;
</del><span class="cx"> WriteBarrier<ExecutableBase> m_executable;
</span><span class="cx"> // This allows us to figure out who a call is linked to by searching through
</span><span class="cx"> // stub routines.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JIT.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -223,8 +223,6 @@
</span><span class="cx"> DEFINE_OP(op_get_arguments_length)
</span><span class="cx"> DEFINE_OP(op_get_by_val)
</span><span class="cx"> DEFINE_OP(op_get_argument_by_val)
</span><del>- DEFINE_OP(op_get_by_pname)
- DEFINE_OP(op_get_pnames)
</del><span class="cx"> DEFINE_OP(op_check_has_instance)
</span><span class="cx"> DEFINE_OP(op_instanceof)
</span><span class="cx"> DEFINE_OP(op_is_undefined)
</span><span class="lines">@@ -262,7 +260,6 @@
</span><span class="cx"> DEFINE_OP(op_new_func_exp)
</span><span class="cx"> DEFINE_OP(op_new_object)
</span><span class="cx"> DEFINE_OP(op_new_regexp)
</span><del>- DEFINE_OP(op_next_pname)
</del><span class="cx"> DEFINE_OP(op_not)
</span><span class="cx"> DEFINE_OP(op_nstricteq)
</span><span class="cx"> DEFINE_OP(op_pop_scope)
</span><span class="lines">@@ -307,6 +304,16 @@
</span><span class="cx"> DEFINE_OP(op_resolve_scope)
</span><span class="cx"> DEFINE_OP(op_get_from_scope)
</span><span class="cx"> DEFINE_OP(op_put_to_scope)
</span><ins>+
+ DEFINE_OP(op_get_enumerable_length)
+ DEFINE_OP(op_has_generic_property)
+ DEFINE_OP(op_has_structure_property)
+ DEFINE_OP(op_has_indexed_property)
+ DEFINE_OP(op_get_direct_pname)
+ DEFINE_OP(op_get_structure_property_enumerator)
+ DEFINE_OP(op_get_generic_property_enumerator)
+ DEFINE_OP(op_next_enumerator_pname)
+ DEFINE_OP(op_to_index_string)
</ins><span class="cx"> default:
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> }
</span><span class="lines">@@ -385,7 +392,6 @@
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_get_arguments_length)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_get_by_val)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_get_argument_by_val)
</span><del>- DEFINE_SLOWCASE_OP(op_get_by_pname)
</del><span class="cx"> DEFINE_SLOWCASE_OP(op_check_has_instance)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_instanceof)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_jfalse)
</span><span class="lines">@@ -424,6 +430,9 @@
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_sub)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_to_number)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_to_primitive)
</span><ins>+ DEFINE_SLOWCASE_OP(op_has_indexed_property)
+ DEFINE_SLOWCASE_OP(op_has_structure_property)
+ DEFINE_SLOWCASE_OP(op_get_direct_pname)
</ins><span class="cx">
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_resolve_scope)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_get_from_scope)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JIT.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -56,7 +56,6 @@
</span><span class="cx"> class CodeBlock;
</span><span class="cx"> class FunctionExecutable;
</span><span class="cx"> class JIT;
</span><del>- class JSPropertyNameIterator;
</del><span class="cx"> class Identifier;
</span><span class="cx"> class Interpreter;
</span><span class="cx"> class JSScope;
</span><span class="lines">@@ -199,13 +198,6 @@
</span><span class="cx"> return JIT(vm, codeBlock).privateCompile(effort);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- static void compileClosureCall(VM* vm, CallLinkInfo* callLinkInfo, CodeBlock* callerCodeBlock, CodeBlock* calleeCodeBlock, Structure* expectedStructure, ExecutableBase* expectedExecutable, MacroAssemblerCodePtr codePtr)
- {
- JIT jit(vm, callerCodeBlock);
- jit.m_bytecodeOffset = callLinkInfo->codeOrigin.bytecodeIndex;
- jit.privateCompileClosureCall(callLinkInfo, calleeCodeBlock, expectedStructure, expectedExecutable, codePtr);
- }
-
</del><span class="cx"> static void compileGetByVal(VM* vm, CodeBlock* codeBlock, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
</span><span class="cx"> {
</span><span class="cx"> JIT jit(vm, codeBlock);
</span><span class="lines">@@ -227,6 +219,13 @@
</span><span class="cx"> jit.privateCompilePutByVal(byValInfo, returnAddress, arrayMode);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ static void compileHasIndexedProperty(VM* vm, CodeBlock* codeBlock, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
+ {
+ JIT jit(vm, codeBlock);
+ jit.m_bytecodeOffset = byValInfo->bytecodeIndex;
+ jit.privateCompileHasIndexedProperty(byValInfo, returnAddress, arrayMode);
+ }
+
</ins><span class="cx"> static CodeRef compileCTINativeCall(VM* vm, NativeFunction func)
</span><span class="cx"> {
</span><span class="cx"> if (!vm->canUseJIT()) {
</span><span class="lines">@@ -247,11 +246,11 @@
</span><span class="cx"> void privateCompileSlowCases();
</span><span class="cx"> CompilationResult privateCompile(JITCompilationEffort);
</span><span class="cx">
</span><del>- void privateCompileClosureCall(CallLinkInfo*, CodeBlock* calleeCodeBlock, Structure*, ExecutableBase*, MacroAssemblerCodePtr);
-
</del><span class="cx"> void privateCompileGetByVal(ByValInfo*, ReturnAddressPtr, JITArrayMode);
</span><span class="cx"> void privateCompilePutByVal(ByValInfo*, ReturnAddressPtr, JITArrayMode);
</span><span class="cx">
</span><ins>+ void privateCompileHasIndexedProperty(ByValInfo*, ReturnAddressPtr, JITArrayMode);
+
</ins><span class="cx"> Label privateCompileCTINativeCall(VM*, bool isConstruct = false);
</span><span class="cx"> CodeRef privateCompileCTINativeCall(VM*, NativeFunction);
</span><span class="cx"> void privateCompilePatchGetArrayLength(ReturnAddressPtr returnAddress);
</span><span class="lines">@@ -337,6 +336,12 @@
</span><span class="cx"> // Property is int-checked and zero extended. Base is cell checked.
</span><span class="cx"> // Structure is already profiled. Returns the slow cases. Fall-through
</span><span class="cx"> // case contains result in regT0, and it is not yet profiled.
</span><ins>+ JumpList emitInt32Load(Instruction* instruction, PatchableJump& badType) { return emitContiguousLoad(instruction, badType, Int32Shape); }
+ JumpList emitDoubleLoad(Instruction*, PatchableJump& badType);
+ JumpList emitContiguousLoad(Instruction*, PatchableJump& badType, IndexingType expectedShape = ContiguousShape);
+ JumpList emitArrayStorageLoad(Instruction*, PatchableJump& badType);
+ JumpList emitLoadForArrayMode(Instruction*, JITArrayMode, PatchableJump& badType);
+
</ins><span class="cx"> JumpList emitInt32GetByVal(Instruction* instruction, PatchableJump& badType) { return emitContiguousGetByVal(instruction, badType, Int32Shape); }
</span><span class="cx"> JumpList emitDoubleGetByVal(Instruction*, PatchableJump& badType);
</span><span class="cx"> JumpList emitContiguousGetByVal(Instruction*, PatchableJump& badType, IndexingType expectedShape = ContiguousShape);
</span><span class="lines">@@ -478,7 +483,6 @@
</span><span class="cx"> void emit_op_get_arguments_length(Instruction*);
</span><span class="cx"> void emit_op_get_by_val(Instruction*);
</span><span class="cx"> void emit_op_get_argument_by_val(Instruction*);
</span><del>- void emit_op_get_by_pname(Instruction*);
</del><span class="cx"> void emit_op_init_lazy_reg(Instruction*);
</span><span class="cx"> void emit_op_check_has_instance(Instruction*);
</span><span class="cx"> void emit_op_instanceof(Instruction*);
</span><span class="lines">@@ -516,8 +520,6 @@
</span><span class="cx"> void emit_op_new_func_exp(Instruction*);
</span><span class="cx"> void emit_op_new_object(Instruction*);
</span><span class="cx"> void emit_op_new_regexp(Instruction*);
</span><del>- void emit_op_get_pnames(Instruction*);
- void emit_op_next_pname(Instruction*);
</del><span class="cx"> void emit_op_not(Instruction*);
</span><span class="cx"> void emit_op_nstricteq(Instruction*);
</span><span class="cx"> void emit_op_pop_scope(Instruction*);
</span><span class="lines">@@ -550,6 +552,15 @@
</span><span class="cx"> void emit_op_unexpected_load(Instruction*);
</span><span class="cx"> void emit_op_unsigned(Instruction*);
</span><span class="cx"> void emit_op_urshift(Instruction*);
</span><ins>+ void emit_op_get_enumerable_length(Instruction*);
+ void emit_op_has_generic_property(Instruction*);
+ void emit_op_has_structure_property(Instruction*);
+ void emit_op_has_indexed_property(Instruction*);
+ void emit_op_get_direct_pname(Instruction*);
+ void emit_op_get_structure_property_enumerator(Instruction*);
+ void emit_op_get_generic_property_enumerator(Instruction*);
+ void emit_op_next_enumerator_pname(Instruction*);
+ void emit_op_to_index_string(Instruction*);
</ins><span class="cx">
</span><span class="cx"> void emitSlow_op_add(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_bitand(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="lines">@@ -570,7 +581,6 @@
</span><span class="cx"> void emitSlow_op_get_arguments_length(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_get_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_get_argument_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><del>- void emitSlow_op_get_by_pname(Instruction*, Vector<SlowCaseEntry>::iterator&);
</del><span class="cx"> void emitSlow_op_check_has_instance(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_instanceof(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_jfalse(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="lines">@@ -603,6 +613,9 @@
</span><span class="cx"> void emitSlow_op_to_primitive(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_unsigned(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_urshift(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><ins>+ void emitSlow_op_has_indexed_property(Instruction*, Vector<SlowCaseEntry>::iterator&);
+ void emitSlow_op_has_structure_property(Instruction*, Vector<SlowCaseEntry>::iterator&);
+ void emitSlow_op_get_direct_pname(Instruction*, Vector<SlowCaseEntry>::iterator&);
</ins><span class="cx">
</span><span class="cx"> void emit_op_resolve_scope(Instruction*);
</span><span class="cx"> void emit_op_get_from_scope(Instruction*);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITCallcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITCall.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITCall.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JITCall.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -268,52 +268,6 @@
</span><span class="cx"> emitPutCallResult(instruction);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::privateCompileClosureCall(CallLinkInfo* callLinkInfo, CodeBlock* calleeCodeBlock, Structure* expectedStructure, ExecutableBase* expectedExecutable, MacroAssemblerCodePtr codePtr)
-{
- JumpList slowCases;
-
- slowCases.append(branchTestPtr(NonZero, regT0, tagMaskRegister));
- slowCases.append(branchStructure(NotEqual, Address(regT0, JSCell::structureIDOffset()), expectedStructure));
- slowCases.append(branchPtr(NotEqual, Address(regT0, JSFunction::offsetOfExecutable()), TrustedImmPtr(expectedExecutable)));
-
- loadPtr(Address(regT0, JSFunction::offsetOfScopeChain()), regT1);
- emitPutToCallFrameHeader(regT1, JSStack::ScopeChain);
-
- Call call = nearCall();
- Jump done = jump();
-
- slowCases.link(this);
- move(TrustedImmPtr(callLinkInfo->callReturnLocation.executableAddress()), regT2);
- restoreReturnAddressBeforeReturn(regT2);
- Jump slow = jump();
-
- LinkBuffer patchBuffer(*m_vm, *this, m_codeBlock);
-
- patchBuffer.link(call, FunctionPtr(codePtr.executableAddress()));
- patchBuffer.link(done, callLinkInfo->hotPathOther.labelAtOffset(0));
- patchBuffer.link(slow, CodeLocationLabel(m_vm->getCTIStub(virtualCallThunkGenerator).code()));
-
- RefPtr<ClosureCallStubRoutine> stubRoutine = adoptRef(new ClosureCallStubRoutine(
- FINALIZE_CODE(
- patchBuffer,
- ("Baseline closure call stub for %s, return point %p, target %p (%s)",
- toCString(*m_codeBlock).data(),
- callLinkInfo->hotPathOther.labelAtOffset(0).executableAddress(),
- codePtr.executableAddress(),
- toCString(pointerDump(calleeCodeBlock)).data())),
- *m_vm, m_codeBlock->ownerExecutable(), expectedStructure, expectedExecutable,
- callLinkInfo->codeOrigin));
-
- RepatchBuffer repatchBuffer(m_codeBlock);
-
- repatchBuffer.replaceWithJump(
- RepatchBuffer::startOfBranchPtrWithPatchOnRegister(callLinkInfo->hotPathBegin),
- CodeLocationLabel(stubRoutine->code().code()));
- repatchBuffer.relink(callLinkInfo->callReturnLocation, m_vm->getCTIStub(virtualCallThunkGenerator).code());
-
- callLinkInfo->stub = stubRoutine.release();
-}
-
</del><span class="cx"> void JIT::emit_op_call(Instruction* currentInstruction)
</span><span class="cx"> {
</span><span class="cx"> compileOpCall(op_call, currentInstruction, m_callLinkInfoIndex++);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITCall32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -359,52 +359,6 @@
</span><span class="cx"> emitPutCallResult(instruction);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::privateCompileClosureCall(CallLinkInfo* callLinkInfo, CodeBlock* calleeCodeBlock, Structure* expectedStructure, ExecutableBase* expectedExecutable, MacroAssemblerCodePtr codePtr)
-{
- JumpList slowCases;
-
- slowCases.append(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
- slowCases.append(branchPtr(NotEqual, Address(regT0, JSCell::structureIDOffset()), TrustedImmPtr(expectedStructure)));
- slowCases.append(branchPtr(NotEqual, Address(regT0, JSFunction::offsetOfExecutable()), TrustedImmPtr(expectedExecutable)));
-
- loadPtr(Address(regT0, JSFunction::offsetOfScopeChain()), regT1);
- emitPutCellToCallFrameHeader(regT1, JSStack::ScopeChain);
-
- Call call = nearCall();
- Jump done = jump();
-
- slowCases.link(this);
- move(TrustedImmPtr(callLinkInfo->callReturnLocation.executableAddress()), regT2);
- restoreReturnAddressBeforeReturn(regT2);
- Jump slow = jump();
-
- LinkBuffer patchBuffer(*m_vm, *this, m_codeBlock);
-
- patchBuffer.link(call, FunctionPtr(codePtr.executableAddress()));
- patchBuffer.link(done, callLinkInfo->hotPathOther.labelAtOffset(0));
- patchBuffer.link(slow, CodeLocationLabel(m_vm->getCTIStub(virtualCallThunkGenerator).code()));
-
- RefPtr<ClosureCallStubRoutine> stubRoutine = adoptRef(new ClosureCallStubRoutine(
- FINALIZE_CODE(
- patchBuffer,
- ("Baseline closure call stub for %s, return point %p, target %p (%s)",
- toCString(*m_codeBlock).data(),
- callLinkInfo->hotPathOther.labelAtOffset(0).executableAddress(),
- codePtr.executableAddress(),
- toCString(pointerDump(calleeCodeBlock)).data())),
- *m_vm, m_codeBlock->ownerExecutable(), expectedStructure, expectedExecutable,
- callLinkInfo->codeOrigin));
-
- RepatchBuffer repatchBuffer(m_codeBlock);
-
- repatchBuffer.replaceWithJump(
- RepatchBuffer::startOfBranchPtrWithPatchOnRegister(callLinkInfo->hotPathBegin),
- CodeLocationLabel(stubRoutine->code().code()));
- repatchBuffer.relink(callLinkInfo->callReturnLocation, m_vm->getCTIStub(virtualCallThunkGenerator).code());
-
- callLinkInfo->stub = stubRoutine.release();
-}
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx">
</span><span class="cx"> #endif // USE(JSVALUE32_64)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITInlines.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITInlines.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JITInlines.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -32,6 +32,50 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><ins>+#if USE(JSVALUE64)
+inline MacroAssembler::JumpList JIT::emitDoubleGetByVal(Instruction* instruction, PatchableJump& badType)
+{
+ JumpList slowCases = emitDoubleLoad(instruction, badType);
+ moveDoubleTo64(fpRegT0, regT0);
+ sub64(tagTypeNumberRegister, regT0);
+ return slowCases;
+}
+#else
+inline MacroAssembler::JumpList JIT::emitDoubleGetByVal(Instruction* instruction, PatchableJump& badType)
+{
+ JumpList slowCases = emitDoubleLoad(instruction, badType);
+ moveDoubleToInts(fpRegT0, regT0, regT1);
+ return slowCases;
+}
+#endif // USE(JSVALUE64)
+
+ALWAYS_INLINE MacroAssembler::JumpList JIT::emitLoadForArrayMode(Instruction* currentInstruction, JITArrayMode arrayMode, PatchableJump& badType)
+{
+ switch (arrayMode) {
+ case JITInt32:
+ return emitInt32Load(currentInstruction, badType);
+ case JITDouble:
+ return emitDoubleLoad(currentInstruction, badType);
+ case JITContiguous:
+ return emitContiguousLoad(currentInstruction, badType);
+ case JITArrayStorage:
+ return emitArrayStorageLoad(currentInstruction, badType);
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
+}
+
+inline MacroAssembler::JumpList JIT::emitContiguousGetByVal(Instruction* instruction, PatchableJump& badType, IndexingType expectedShape)
+{
+ return emitContiguousLoad(instruction, badType, expectedShape);
+}
+
+inline MacroAssembler::JumpList JIT::emitArrayStorageGetByVal(Instruction* instruction, PatchableJump& badType)
+{
+ return emitArrayStorageLoad(instruction, badType);
+}
+
</ins><span class="cx"> ALWAYS_INLINE bool JIT::isOperandConstantImmediateDouble(int src)
</span><span class="cx"> {
</span><span class="cx"> return m_codeBlock->isConstantRegisterIndex(src) && getConstantOperand(src).isDouble();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2009, 2012, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2009, 2012, 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2010 Patrick Gansterer <paroga@paroga.com>
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="lines">@@ -36,8 +36,10 @@
</span><span class="cx"> #include "JSArray.h"
</span><span class="cx"> #include "JSCell.h"
</span><span class="cx"> #include "JSFunction.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><ins>+#include "JSPropertyNameEnumerator.h"
+#include "LinkBuffer.h"
</ins><span class="cx"> #include "MaxFrameExtentForSlowPathCall.h"
</span><ins>+#include "RepatchBuffer.h"
</ins><span class="cx"> #include "SlowPathCall.h"
</span><span class="cx"> #include "VirtualRegister.h"
</span><span class="cx">
</span><span class="lines">@@ -456,106 +458,6 @@
</span><span class="cx"> jumpToExceptionHandler();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::emit_op_get_pnames(Instruction* currentInstruction)
-{
- int dst = currentInstruction[1].u.operand;
- int base = currentInstruction[2].u.operand;
- int i = currentInstruction[3].u.operand;
- int size = currentInstruction[4].u.operand;
- int breakTarget = currentInstruction[5].u.operand;
-
- JumpList isNotObject;
-
- emitGetVirtualRegister(base, regT0);
- if (!m_codeBlock->isKnownNotImmediate(base))
- isNotObject.append(emitJumpIfNotJSCell(regT0));
- if (base != m_codeBlock->thisRegister().offset() || m_codeBlock->isStrictMode())
- isNotObject.append(emitJumpIfCellNotObject(regT0));
-
- // We could inline the case where you have a valid cache, but
- // this call doesn't seem to be hot.
- Label isObject(this);
- callOperation(operationGetPNames, regT0);
- emitStoreCell(dst, returnValueGPR);
- load32(Address(regT0, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStringsSize)), regT3);
- store64(tagTypeNumberRegister, addressFor(i));
- store32(TrustedImm32(Int32Tag), intTagFor(size));
- store32(regT3, intPayloadFor(size));
- Jump end = jump();
-
- isNotObject.link(this);
- move(regT0, regT1);
- and32(TrustedImm32(~TagBitUndefined), regT1);
- addJump(branch32(Equal, regT1, TrustedImm32(ValueNull)), breakTarget);
- callOperation(operationToObject, base, regT0);
- jump().linkTo(isObject, this);
-
- end.link(this);
-}
-
-void JIT::emit_op_next_pname(Instruction* currentInstruction)
-{
- int dst = currentInstruction[1].u.operand;
- int base = currentInstruction[2].u.operand;
- int i = currentInstruction[3].u.operand;
- int size = currentInstruction[4].u.operand;
- int it = currentInstruction[5].u.operand;
- int target = currentInstruction[6].u.operand;
-
- JumpList callHasProperty;
-
- Label begin(this);
- load32(intPayloadFor(i), regT0);
- Jump end = branch32(Equal, regT0, intPayloadFor(size));
-
- // Grab key @ i
- loadPtr(addressFor(it), regT1);
- loadPtr(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStrings)), regT2);
-
- load64(BaseIndex(regT2, regT0, TimesEight), regT2);
-
- emitPutVirtualRegister(dst, regT2);
-
- // Increment i
- add32(TrustedImm32(1), regT0);
- store32(regT0, intPayloadFor(i));
-
- // Verify that i is valid:
- emitGetVirtualRegister(base, regT0);
-
- // Test base's structure
- emitLoadStructure(regT0, regT2, regT3);
- callHasProperty.append(branchPtr(NotEqual, regT2, Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure)))));
-
- // Test base's prototype chain
- loadPtr(Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedPrototypeChain))), regT3);
- loadPtr(Address(regT3, OBJECT_OFFSETOF(StructureChain, m_vector)), regT3);
- addJump(branchTestPtr(Zero, Address(regT3)), target);
-
- Label checkPrototype(this);
- load64(Address(regT2, Structure::prototypeOffset()), regT2);
- callHasProperty.append(emitJumpIfNotJSCell(regT2));
- emitLoadStructure(regT2, regT2, regT1);
- callHasProperty.append(branchPtr(NotEqual, regT2, Address(regT3)));
- addPtr(TrustedImm32(sizeof(Structure*)), regT3);
- branchTestPtr(NonZero, Address(regT3)).linkTo(checkPrototype, this);
-
- // Continue loop.
- addJump(jump(), target);
-
- // Slow case: Ask the object if i is valid.
- callHasProperty.link(this);
- emitGetVirtualRegister(dst, regT1);
- callOperation(operationHasProperty, regT0, regT1);
-
- // Test for valid key.
- addJump(branchTest32(NonZero, regT0), target);
- jump().linkTo(begin, this);
-
- // End of loop.
- end.link(this);
-}
-
</del><span class="cx"> void JIT::emit_op_push_with_scope(Instruction* currentInstruction)
</span><span class="cx"> {
</span><span class="cx"> emitGetVirtualRegister(currentInstruction[1].u.operand, regT0);
</span><span class="lines">@@ -1209,6 +1111,235 @@
</span><span class="cx"> slowPathCall.call();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+#if USE(JSVALUE64)
+void JIT::emit_op_get_enumerable_length(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_enumerable_length);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_has_structure_property(Instruction* currentInstruction)
+{
+ int dst = currentInstruction[1].u.operand;
+ int base = currentInstruction[2].u.operand;
+ int enumerator = currentInstruction[4].u.operand;
+
+ emitGetVirtualRegister(base, regT0);
+ emitGetVirtualRegister(enumerator, regT1);
+ emitJumpSlowCaseIfNotJSCell(regT0, base);
+
+ load32(Address(regT0, JSCell::structureIDOffset()), regT0);
+ addSlowCase(branch32(NotEqual, regT0, Address(regT1, JSPropertyNameEnumerator::cachedStructureIDOffset())));
+
+ move(TrustedImm32(ValueTrue), regT0);
+ emitPutVirtualRegister(dst);
+}
+
+void JIT::emitSlow_op_has_structure_property(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+ linkSlowCase(iter);
+ linkSlowCase(iter);
+
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_has_structure_property);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_has_generic_property(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_has_generic_property);
+ slowPathCall.call();
+}
+
+void JIT::privateCompileHasIndexedProperty(ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
+{
+ Instruction* currentInstruction = m_codeBlock->instructions().begin() + byValInfo->bytecodeIndex;
+
+ PatchableJump badType;
+
+ // FIXME: Add support for other types like TypedArrays and Arguments.
+ // See https://bugs.webkit.org/show_bug.cgi?id=135033 and https://bugs.webkit.org/show_bug.cgi?id=135034.
+ JumpList slowCases = emitLoadForArrayMode(currentInstruction, arrayMode, badType);
+ move(TrustedImm64(JSValue::encode(jsBoolean(true))), regT0);
+ Jump done = jump();
+
+ LinkBuffer patchBuffer(*m_vm, *this, m_codeBlock);
+
+ patchBuffer.link(badType, CodeLocationLabel(MacroAssemblerCodePtr::createFromExecutableAddress(returnAddress.value())).labelAtOffset(byValInfo->returnAddressToSlowPath));
+ patchBuffer.link(slowCases, CodeLocationLabel(MacroAssemblerCodePtr::createFromExecutableAddress(returnAddress.value())).labelAtOffset(byValInfo->returnAddressToSlowPath));
+
+ patchBuffer.link(done, byValInfo->badTypeJump.labelAtOffset(byValInfo->badTypeJumpToDone));
+
+ byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
+ m_codeBlock, patchBuffer,
+ ("Baseline has_indexed_property stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.value()));
+
+ RepatchBuffer repatchBuffer(m_codeBlock);
+ repatchBuffer.relink(byValInfo->badTypeJump, CodeLocationLabel(byValInfo->stubRoutine->code().code()));
+ repatchBuffer.relinkCallerToFunction(returnAddress, FunctionPtr(operationHasIndexedPropertyGeneric));
+}
+
+void JIT::emit_op_has_indexed_property(Instruction* currentInstruction)
+{
+ int dst = currentInstruction[1].u.operand;
+ int base = currentInstruction[2].u.operand;
+ int property = currentInstruction[3].u.operand;
+ ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
+
+ emitGetVirtualRegisters(base, regT0, property, regT1);
+
+ // This is technically incorrect - we're zero-extending an int32. On the hot path this doesn't matter.
+ // We check the value as if it was a uint32 against the m_vectorLength - which will always fail if
+ // number was signed since m_vectorLength is always less than intmax (since the total allocation
+ // size is always less than 4Gb). As such zero extending will have been correct (and extending the value
+ // to 64-bits is necessary since it's used in the address calculation. We zero extend rather than sign
+ // extending since it makes it easier to re-tag the value in the slow case.
+ zeroExtend32ToPtr(regT1, regT1);
+
+ emitJumpSlowCaseIfNotJSCell(regT0, base);
+ emitArrayProfilingSiteWithCell(regT0, regT2, profile);
+ and32(TrustedImm32(IndexingShapeMask), regT2);
+
+ JITArrayMode mode = chooseArrayMode(profile);
+ PatchableJump badType;
+
+ // FIXME: Add support for other types like TypedArrays and Arguments.
+ // See https://bugs.webkit.org/show_bug.cgi?id=135033 and https://bugs.webkit.org/show_bug.cgi?id=135034.
+ JumpList slowCases = emitLoadForArrayMode(currentInstruction, mode, badType);
+
+ move(TrustedImm64(JSValue::encode(jsBoolean(true))), regT0);
+
+ addSlowCase(badType);
+ addSlowCase(slowCases);
+
+ Label done = label();
+
+ emitPutVirtualRegister(dst);
+
+ m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
+}
+
+void JIT::emitSlow_op_has_indexed_property(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+ int dst = currentInstruction[1].u.operand;
+ int base = currentInstruction[2].u.operand;
+ int property = currentInstruction[3].u.operand;
+ ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
+
+ linkSlowCaseIfNotJSCell(iter, base); // base cell check
+ linkSlowCase(iter); // base array check
+
+ Jump skipProfiling = jump();
+
+ linkSlowCase(iter); // vector length check
+ linkSlowCase(iter); // empty value
+
+ emitArrayProfileOutOfBoundsSpecialCase(profile);
+
+ skipProfiling.link(this);
+
+ Label slowPath = label();
+
+ emitGetVirtualRegister(base, regT0);
+ emitGetVirtualRegister(property, regT1);
+ Call call = callOperation(operationHasIndexedPropertyDefault, dst, regT0, regT1);
+
+ m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
+ m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
+ m_byValInstructionIndex++;
+}
+
+void JIT::emit_op_get_direct_pname(Instruction* currentInstruction)
+{
+ int dst = currentInstruction[1].u.operand;
+ int base = currentInstruction[2].u.operand;
+ int index = currentInstruction[4].u.operand;
+ int enumerator = currentInstruction[5].u.operand;
+
+ // Check that base is a cell
+ emitGetVirtualRegister(base, regT0);
+ emitJumpSlowCaseIfNotJSCell(regT0, base);
+
+ // Check the structure
+ emitGetVirtualRegister(enumerator, regT2);
+ load32(Address(regT0, JSCell::structureIDOffset()), regT1);
+ addSlowCase(branch32(NotEqual, regT1, Address(regT2, JSPropertyNameEnumerator::cachedStructureIDOffset())));
+
+ // Compute the offset
+ emitGetVirtualRegister(index, regT1);
+ // If index is less than the enumerator's cached inline storage, then it's an inline access
+ Jump outOfLineAccess = branch32(AboveOrEqual, regT1, Address(regT2, JSPropertyNameEnumerator::cachedInlineCapacityOffset()));
+ addPtr(TrustedImm32(JSObject::offsetOfInlineStorage()), regT0);
+ signExtend32ToPtr(regT1, regT1);
+ load64(BaseIndex(regT0, regT1, TimesEight), regT0);
+
+ Jump done = jump();
+
+ // Otherwise it's out of line
+ outOfLineAccess.link(this);
+ loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
+ sub32(Address(regT2, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), regT1);
+ neg32(regT1);
+ signExtend32ToPtr(regT1, regT1);
+ int32_t offsetOfFirstProperty = static_cast<int32_t>(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
+ load64(BaseIndex(regT0, regT1, TimesEight, offsetOfFirstProperty), regT0);
+
+ done.link(this);
+ emitValueProfilingSite();
+ emitPutVirtualRegister(dst, regT0);
+}
+
+void JIT::emitSlow_op_get_direct_pname(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+ int base = currentInstruction[2].u.operand;
+ linkSlowCaseIfNotJSCell(iter, base);
+ linkSlowCase(iter);
+
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_direct_pname);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_get_structure_property_enumerator(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_structure_property_enumerator);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_get_generic_property_enumerator(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_generic_property_enumerator);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_next_enumerator_pname(Instruction* currentInstruction)
+{
+ int dst = currentInstruction[1].u.operand;
+ int enumerator = currentInstruction[2].u.operand;
+ int index = currentInstruction[3].u.operand;
+
+ emitGetVirtualRegister(index, regT0);
+ emitGetVirtualRegister(enumerator, regT1);
+ Jump inBounds = branch32(Below, regT0, Address(regT1, JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset()));
+
+ move(TrustedImm32(ValueNull), regT0);
+
+ Jump done = jump();
+ inBounds.link(this);
+
+ loadPtr(Address(regT1, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), regT1);
+ signExtend32ToPtr(regT0, regT0);
+ load64(BaseIndex(regT1, regT0, TimesEight), regT0);
+
+ done.link(this);
+ emitPutVirtualRegister(dst);
+}
+
+void JIT::emit_op_to_index_string(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_to_index_string);
+ slowPathCall.call();
+}
+#endif // USE(JSVALUE64)
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -36,10 +36,11 @@
</span><span class="cx"> #include "JSArray.h"
</span><span class="cx"> #include "JSCell.h"
</span><span class="cx"> #include "JSFunction.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "JSVariableObject.h"
</span><span class="cx"> #include "LinkBuffer.h"
</span><span class="cx"> #include "MaxFrameExtentForSlowPathCall.h"
</span><ins>+#include "RepatchBuffer.h"
</ins><span class="cx"> #include "SlowPathCall.h"
</span><span class="cx"> #include "VirtualRegister.h"
</span><span class="cx">
</span><span class="lines">@@ -767,105 +768,6 @@
</span><span class="cx"> jumpToExceptionHandler();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::emit_op_get_pnames(Instruction* currentInstruction)
-{
- int dst = currentInstruction[1].u.operand;
- int base = currentInstruction[2].u.operand;
- int i = currentInstruction[3].u.operand;
- int size = currentInstruction[4].u.operand;
- int breakTarget = currentInstruction[5].u.operand;
-
- JumpList isNotObject;
-
- emitLoad(base, regT1, regT0);
- if (!m_codeBlock->isKnownNotImmediate(base))
- isNotObject.append(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
- if (VirtualRegister(base) != m_codeBlock->thisRegister() || m_codeBlock->isStrictMode())
- isNotObject.append(emitJumpIfCellNotObject(regT0));
-
- // We could inline the case where you have a valid cache, but
- // this call doesn't seem to be hot.
- Label isObject(this);
- callOperation(operationGetPNames, regT0);
- emitStoreCell(dst, returnValueGPR);
- load32(Address(regT0, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStringsSize)), regT3);
- store32(TrustedImm32(Int32Tag), intTagFor(i));
- store32(TrustedImm32(0), intPayloadFor(i));
- store32(TrustedImm32(Int32Tag), intTagFor(size));
- store32(regT3, payloadFor(size));
- Jump end = jump();
-
- isNotObject.link(this);
- addJump(branch32(Equal, regT1, TrustedImm32(JSValue::NullTag)), breakTarget);
- addJump(branch32(Equal, regT1, TrustedImm32(JSValue::UndefinedTag)), breakTarget);
- callOperation(operationToObject, base, regT1, regT0);
- jump().linkTo(isObject, this);
-
- end.link(this);
-}
-
-void JIT::emit_op_next_pname(Instruction* currentInstruction)
-{
- int dst = currentInstruction[1].u.operand;
- int base = currentInstruction[2].u.operand;
- int i = currentInstruction[3].u.operand;
- int size = currentInstruction[4].u.operand;
- int it = currentInstruction[5].u.operand;
- int target = currentInstruction[6].u.operand;
-
- JumpList callHasProperty;
-
- Label begin(this);
- load32(intPayloadFor(i), regT0);
- Jump end = branch32(Equal, regT0, intPayloadFor(size));
-
- // Grab key @ i
- loadPtr(payloadFor(it), regT1);
- loadPtr(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStrings)), regT2);
- load32(BaseIndex(regT2, regT0, TimesEight), regT2);
- store32(TrustedImm32(JSValue::CellTag), tagFor(dst));
- store32(regT2, payloadFor(dst));
-
- // Increment i
- add32(TrustedImm32(1), regT0);
- store32(regT0, intPayloadFor(i));
-
- // Verify that i is valid:
- loadPtr(payloadFor(base), regT0);
-
- // Test base's structure
- loadPtr(Address(regT0, JSCell::structureIDOffset()), regT2);
- callHasProperty.append(branchPtr(NotEqual, regT2, Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure)))));
-
- // Test base's prototype chain
- loadPtr(Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedPrototypeChain))), regT3);
- loadPtr(Address(regT3, OBJECT_OFFSETOF(StructureChain, m_vector)), regT3);
- addJump(branchTestPtr(Zero, Address(regT3)), target);
-
- Label checkPrototype(this);
- callHasProperty.append(branch32(Equal, Address(regT2, Structure::prototypeOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::NullTag)));
- loadPtr(Address(regT2, Structure::prototypeOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT2);
- loadPtr(Address(regT2, JSCell::structureIDOffset()), regT2);
- callHasProperty.append(branchPtr(NotEqual, regT2, Address(regT3)));
- addPtr(TrustedImm32(sizeof(Structure*)), regT3);
- branchTestPtr(NonZero, Address(regT3)).linkTo(checkPrototype, this);
-
- // Continue loop.
- addJump(jump(), target);
-
- // Slow case: Ask the object if i is valid.
- callHasProperty.link(this);
- loadPtr(addressFor(dst), regT1);
- callOperation(operationHasProperty, regT0, regT1);
-
- // Test for valid key.
- addJump(branchTest32(NonZero, regT0), target);
- jump().linkTo(begin, this);
-
- // End of loop.
- end.link(this);
-}
-
</del><span class="cx"> void JIT::emit_op_push_with_scope(Instruction* currentInstruction)
</span><span class="cx"> {
</span><span class="cx"> emitLoad(currentInstruction[1].u.operand, regT1, regT0);
</span><span class="lines">@@ -1176,6 +1078,236 @@
</span><span class="cx"> callOperation(WithProfile, operationGetByValGeneric, dst, regT1, regT0, regT3, regT2);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void JIT::emit_op_get_enumerable_length(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_enumerable_length);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_has_structure_property(Instruction* currentInstruction)
+{
+ int dst = currentInstruction[1].u.operand;
+ int base = currentInstruction[2].u.operand;
+ int enumerator = currentInstruction[4].u.operand;
+
+ emitLoadPayload(base, regT0);
+ emitJumpSlowCaseIfNotJSCell(base);
+
+ emitLoadPayload(enumerator, regT1);
+
+ load32(Address(regT0, JSCell::structureIDOffset()), regT0);
+ addSlowCase(branch32(NotEqual, regT0, Address(regT1, JSPropertyNameEnumerator::cachedStructureIDOffset())));
+
+ move(TrustedImm32(1), regT0);
+ emitStoreBool(dst, regT0);
+}
+
+void JIT::emitSlow_op_has_structure_property(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+ linkSlowCase(iter);
+ linkSlowCase(iter);
+
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_has_structure_property);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_has_generic_property(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_has_generic_property);
+ slowPathCall.call();
+}
+
+void JIT::privateCompileHasIndexedProperty(ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
+{
+ Instruction* currentInstruction = m_codeBlock->instructions().begin() + byValInfo->bytecodeIndex;
+
+ PatchableJump badType;
+
+ // FIXME: Add support for other types like TypedArrays and Arguments.
+ // See https://bugs.webkit.org/show_bug.cgi?id=135033 and https://bugs.webkit.org/show_bug.cgi?id=135034.
+ JumpList slowCases = emitLoadForArrayMode(currentInstruction, arrayMode, badType);
+ move(TrustedImm32(1), regT0);
+ Jump done = jump();
+
+ LinkBuffer patchBuffer(*m_vm, this, m_codeBlock);
+
+ patchBuffer.link(badType, CodeLocationLabel(MacroAssemblerCodePtr::createFromExecutableAddress(returnAddress.value())).labelAtOffset(byValInfo->returnAddressToSlowPath));
+ patchBuffer.link(slowCases, CodeLocationLabel(MacroAssemblerCodePtr::createFromExecutableAddress(returnAddress.value())).labelAtOffset(byValInfo->returnAddressToSlowPath));
+
+ patchBuffer.link(done, byValInfo->badTypeJump.labelAtOffset(byValInfo->badTypeJumpToDone));
+
+ byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
+ m_codeBlock, patchBuffer,
+ ("Baseline has_indexed_property stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.value()));
+
+ RepatchBuffer repatchBuffer(m_codeBlock);
+ repatchBuffer.relink(byValInfo->badTypeJump, CodeLocationLabel(byValInfo->stubRoutine->code().code()));
+ repatchBuffer.relinkCallerToFunction(returnAddress, FunctionPtr(operationHasIndexedPropertyGeneric));
+}
+
+void JIT::emit_op_has_indexed_property(Instruction* currentInstruction)
+{
+ int dst = currentInstruction[1].u.operand;
+ int base = currentInstruction[2].u.operand;
+ int property = currentInstruction[3].u.operand;
+ ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
+
+ emitLoadPayload(base, regT0);
+ emitJumpSlowCaseIfNotJSCell(base);
+
+ emitLoadPayload(property, regT1);
+
+ // This is technically incorrect - we're zero-extending an int32. On the hot path this doesn't matter.
+ // We check the value as if it was a uint32 against the m_vectorLength - which will always fail if
+ // number was signed since m_vectorLength is always less than intmax (since the total allocation
+ // size is always less than 4Gb). As such zero extending will have been correct (and extending the value
+ // to 64-bits is necessary since it's used in the address calculation. We zero extend rather than sign
+ // extending since it makes it easier to re-tag the value in the slow case.
+ zeroExtend32ToPtr(regT1, regT1);
+
+ emitArrayProfilingSiteWithCell(regT0, regT2, profile);
+ and32(TrustedImm32(IndexingShapeMask), regT2);
+
+ JITArrayMode mode = chooseArrayMode(profile);
+ PatchableJump badType;
+
+ // FIXME: Add support for other types like TypedArrays and Arguments.
+ // See https://bugs.webkit.org/show_bug.cgi?id=135033 and https://bugs.webkit.org/show_bug.cgi?id=135034.
+ JumpList slowCases = emitLoadForArrayMode(currentInstruction, mode, badType);
+ move(TrustedImm32(1), regT0);
+
+ addSlowCase(badType);
+ addSlowCase(slowCases);
+
+ Label done = label();
+
+ emitStoreBool(dst, regT0);
+
+ m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
+}
+
+void JIT::emitSlow_op_has_indexed_property(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+ int dst = currentInstruction[1].u.operand;
+ int base = currentInstruction[2].u.operand;
+ int property = currentInstruction[3].u.operand;
+ ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
+
+ linkSlowCaseIfNotJSCell(iter, base); // base cell check
+ linkSlowCase(iter); // base array check
+
+ Jump skipProfiling = jump();
+
+ linkSlowCase(iter); // vector length check
+ linkSlowCase(iter); // empty value
+
+ emitArrayProfileOutOfBoundsSpecialCase(profile);
+
+ skipProfiling.link(this);
+
+ Label slowPath = label();
+
+ emitLoad(base, regT1, regT0);
+ emitLoad(property, regT3, regT2);
+ Call call = callOperation(operationHasIndexedPropertyDefault, dst, regT1, regT0, regT3, regT2);
+
+ m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
+ m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
+ m_byValInstructionIndex++;
+}
+
+void JIT::emit_op_get_direct_pname(Instruction* currentInstruction)
+{
+ int dst = currentInstruction[1].u.operand;
+ int base = currentInstruction[2].u.operand;
+ int index = currentInstruction[4].u.operand;
+ int enumerator = currentInstruction[5].u.operand;
+
+ // Check that base is a cell
+ emitLoadPayload(base, regT0);
+ emitJumpSlowCaseIfNotJSCell(base);
+
+ // Check the structure
+ emitLoadPayload(enumerator, regT1);
+ load32(Address(regT0, JSCell::structureIDOffset()), regT2);
+ addSlowCase(branch32(NotEqual, regT2, Address(regT1, JSPropertyNameEnumerator::cachedStructureIDOffset())));
+
+ // Compute the offset
+ emitLoadPayload(index, regT2);
+ // If index is less than the enumerator's cached inline storage, then it's an inline access
+ Jump outOfLineAccess = branch32(AboveOrEqual, regT2, Address(regT1, JSPropertyNameEnumerator::cachedInlineCapacityOffset()));
+ addPtr(TrustedImm32(JSObject::offsetOfInlineStorage()), regT0);
+ load32(BaseIndex(regT0, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
+ load32(BaseIndex(regT0, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
+
+ Jump done = jump();
+
+ // Otherwise it's out of line
+ outOfLineAccess.link(this);
+ loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
+ sub32(Address(regT1, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), regT2);
+ neg32(regT2);
+ int32_t offsetOfFirstProperty = static_cast<int32_t>(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
+ load32(BaseIndex(regT0, regT2, TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
+ load32(BaseIndex(regT0, regT2, TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
+
+ done.link(this);
+ emitValueProfilingSite();
+ emitStore(dst, regT1, regT0);
+}
+
+void JIT::emitSlow_op_get_direct_pname(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+ int base = currentInstruction[2].u.operand;
+ linkSlowCaseIfNotJSCell(iter, base);
+ linkSlowCase(iter);
+
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_direct_pname);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_get_structure_property_enumerator(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_structure_property_enumerator);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_get_generic_property_enumerator(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_generic_property_enumerator);
+ slowPathCall.call();
+}
+
+void JIT::emit_op_next_enumerator_pname(Instruction* currentInstruction)
+{
+ int dst = currentInstruction[1].u.operand;
+ int enumerator = currentInstruction[2].u.operand;
+ int index = currentInstruction[3].u.operand;
+
+ emitLoadPayload(index, regT0);
+ emitLoadPayload(enumerator, regT1);
+ Jump inBounds = branch32(Below, regT0, Address(regT1, JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset()));
+
+ move(TrustedImm32(JSValue::NullTag), regT2);
+ move(TrustedImm32(0), regT0);
+
+ Jump done = jump();
+ inBounds.link(this);
+
+ loadPtr(Address(regT1, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), regT1);
+ loadPtr(BaseIndex(regT1, regT0, timesPtr()), regT0);
+ move(TrustedImm32(JSValue::CellTag), regT2);
+
+ done.link(this);
+ emitStore(dst, regT2, regT0);
+}
+
+void JIT::emit_op_to_index_string(Instruction* currentInstruction)
+{
+ JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_to_index_string);
+ slowPathCall.call();
+}
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx">
</span><span class="cx"> #endif // USE(JSVALUE32_64)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -45,7 +45,7 @@
</span><span class="cx"> #include "JITToDFGDeferredCompilationCallback.h"
</span><span class="cx"> #include "JSGlobalObjectFunctions.h"
</span><span class="cx"> #include "JSNameScope.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "JSStackInlines.h"
</span><span class="cx"> #include "JSWithScope.h"
</span><span class="cx"> #include "ObjectConstructor.h"
</span><span class="lines">@@ -776,13 +776,10 @@
</span><span class="cx"> if (!calleeAsFunctionCell)
</span><span class="cx"> return false;
</span><span class="cx">
</span><del>- VM& vm = execCallee->vm();
</del><span class="cx"> JSFunction* callee = jsCast<JSFunction*>(calleeAsFunctionCell);
</span><span class="cx"> JSFunction* oldCallee = callLinkInfo.callee.get();
</span><span class="cx">
</span><del>- if (!oldCallee
- || oldCallee->structure(vm) != callee->structure(vm)
- || oldCallee->executable() != callee->executable())
</del><ins>+ if (!oldCallee || oldCallee->executable() != callee->executable())
</ins><span class="cx"> return false;
</span><span class="cx">
</span><span class="cx"> ASSERT(callee->executable()->hasJITCodeForCall());
</span><span class="lines">@@ -801,8 +798,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> linkClosureCall(
</span><del>- execCallee, callLinkInfo, codeBlock,
- callee->structure(), callee->executable(), codePtr, registers);
</del><ins>+ execCallee, callLinkInfo, codeBlock, callee->executable(), codePtr, registers);
</ins><span class="cx">
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="lines">@@ -1498,6 +1494,64 @@
</span><span class="cx"> return JSValue::encode(result);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyDefault(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ JSValue baseValue = JSValue::decode(encodedBase);
+ JSValue subscript = JSValue::decode(encodedSubscript);
+
+ ASSERT(baseValue.isObject());
+ ASSERT(subscript.isUInt32());
+
+ JSObject* object = asObject(baseValue);
+ bool didOptimize = false;
+
+ unsigned bytecodeOffset = exec->locationAsBytecodeOffset();
+ ASSERT(bytecodeOffset);
+ ByValInfo& byValInfo = exec->codeBlock()->getByValInfo(bytecodeOffset - 1);
+ ASSERT(!byValInfo.stubRoutine);
+
+ if (hasOptimizableIndexing(object->structure(vm))) {
+ // Attempt to optimize.
+ JITArrayMode arrayMode = jitArrayModeForStructure(object->structure(vm));
+ if (arrayMode != byValInfo.arrayMode) {
+ JIT::compileHasIndexedProperty(&vm, exec->codeBlock(), &byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
+ didOptimize = true;
+ }
+ }
+
+ if (!didOptimize) {
+ // If we take slow path more than 10 times without patching then make sure we
+ // never make that mistake again. Or, if we failed to patch and we have some object
+ // that intercepts indexed get, then don't even wait until 10 times. For cases
+ // where we see non-index-intercepting objects, this gives 10 iterations worth of
+ // opportunity for us to observe that the get_by_val may be polymorphic.
+ if (++byValInfo.slowPathCount >= 10
+ || object->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
+ // Don't ever try to optimize.
+ RepatchBuffer repatchBuffer(exec->codeBlock());
+ repatchBuffer.relinkCallerToFunction(ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationHasIndexedPropertyGeneric));
+ }
+ }
+
+ return JSValue::encode(jsBoolean(object->hasProperty(exec, subscript.asUInt32())));
+}
+
+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyGeneric(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ JSValue baseValue = JSValue::decode(encodedBase);
+ JSValue subscript = JSValue::decode(encodedSubscript);
+
+ ASSERT(baseValue.isObject());
+ ASSERT(subscript.isUInt32());
+
+ JSObject* object = asObject(baseValue);
+ return JSValue::encode(jsBoolean(object->hasProperty(exec, subscript.asUInt32())));
+}
+
</ins><span class="cx"> EncodedJSValue JIT_OPERATION operationGetByValString(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript)
</span><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="lines">@@ -1557,18 +1611,6 @@
</span><span class="cx"> return JSValue::encode(result);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JSCell* JIT_OPERATION operationGetPNames(ExecState* exec, JSObject* obj)
-{
- VM& vm = exec->vm();
- NativeCallFrameTracer tracer(&vm, exec);
-
- Structure* structure = obj->structure(vm);
- JSPropertyNameIterator* jsPropertyNameIterator = structure->enumerationCache();
- if (!jsPropertyNameIterator || jsPropertyNameIterator->cachedPrototypeChain() != structure->prototypeChain(exec))
- jsPropertyNameIterator = JSPropertyNameIterator::create(exec, obj);
- return jsPropertyNameIterator;
-}
-
</del><span class="cx"> EncodedJSValue JIT_OPERATION operationInstanceOf(ExecState* exec, EncodedJSValue encodedValue, EncodedJSValue encodedProto)
</span><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="lines">@@ -1813,6 +1855,72 @@
</span><span class="cx"> #endif // COMPILER(CLANG)
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+int32_t JIT_OPERATION operationGetEnumerableLength(ExecState* exec, JSCell* baseCell)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ JSObject* base = baseCell->toObject(exec, exec->lexicalGlobalObject());
+ return base->methodTable(vm)->getEnumerableLength(exec, base);
+}
+
+EncodedJSValue JIT_OPERATION operationHasGenericProperty(ExecState* exec, EncodedJSValue encodedBaseValue, JSCell* propertyName)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ JSValue baseValue = JSValue::decode(encodedBaseValue);
+ if (baseValue.isUndefinedOrNull())
+ return JSValue::encode(jsBoolean(false));
+
+ JSObject* base = baseValue.toObject(exec);
+ return JSValue::encode(jsBoolean(base->hasProperty(exec, asString(propertyName)->toIdentifier(exec))));
+}
+
+EncodedJSValue JIT_OPERATION operationHasIndexedProperty(ExecState* exec, JSCell* baseCell, int32_t subscript)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ JSObject* object = baseCell->toObject(exec, exec->lexicalGlobalObject());
+ return JSValue::encode(jsBoolean(object->hasProperty(exec, subscript)));
+}
+
+JSCell* JIT_OPERATION operationGetStructurePropertyEnumerator(ExecState* exec, JSCell* cell, int32_t length)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ JSObject* base = cell->toObject(exec, exec->lexicalGlobalObject());
+ ASSERT(length >= 0);
+
+ return structurePropertyNameEnumerator(exec, base, static_cast<uint32_t>(length));
+}
+
+JSCell* JIT_OPERATION operationGetGenericPropertyEnumerator(ExecState* exec, JSCell* baseCell, int32_t length, JSCell* structureEnumeratorCell)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ JSObject* base = baseCell->toObject(exec, exec->lexicalGlobalObject());
+ ASSERT(length >= 0);
+
+ return genericPropertyNameEnumerator(exec, base, length, jsCast<JSPropertyNameEnumerator*>(structureEnumeratorCell));
+}
+
+EncodedJSValue JIT_OPERATION operationNextEnumeratorPname(ExecState* exec, JSCell* enumeratorCell, int32_t index)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ JSPropertyNameEnumerator* enumerator = jsCast<JSPropertyNameEnumerator*>(enumeratorCell);
+ JSString* propertyName = enumerator->propertyNameAtIndex(index);
+ return JSValue::encode(propertyName ? propertyName : jsNull());
+}
+
+JSCell* JIT_OPERATION operationToIndexString(ExecState* exec, int32_t index)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ return jsString(exec, Identifier::from(exec, index).string());
+}
+
</ins><span class="cx"> } // extern "C"
</span><span class="cx">
</span><span class="cx"> // Note: getHostCallReturnValueWithExecState() needs to be placed before the
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -97,10 +97,13 @@
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_ECC)(ExecState*, JSCell*, JSCell*);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_ECI)(ExecState*, JSCell*, StringImpl*);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_ECJ)(ExecState*, JSCell*, EncodedJSValue);
</span><ins>+typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_ECZ)(ExecState*, JSCell*, int32_t);
</ins><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EDA)(ExecState*, double, JSArray*);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EE)(ExecState*, ExecState*);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EI)(ExecState*, StringImpl*);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJ)(ExecState*, EncodedJSValue);
</span><ins>+typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJZ)(ExecState*, EncodedJSValue, int32_t);
+typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJC)(ExecState*, EncodedJSValue, JSCell*);
</ins><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJA)(ExecState*, EncodedJSValue, JSArray*);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJIdc)(ExecState*, EncodedJSValue, const Identifier*);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJ)(ExecState*, EncodedJSValue, EncodedJSValue);
</span><span class="lines">@@ -119,9 +122,14 @@
</span><span class="cx"> typedef JSCell* JIT_OPERATION (*C_JITOperation_E)(ExecState*);
</span><span class="cx"> typedef JSCell* JIT_OPERATION (*C_JITOperation_EZ)(ExecState*, int32_t);
</span><span class="cx"> typedef JSCell* JIT_OPERATION (*C_JITOperation_EC)(ExecState*, JSCell*);
</span><ins>+typedef JSCell* JIT_OPERATION (*C_JITOperation_ECZ)(ExecState*, JSCell*, int32_t);
+typedef JSCell* JIT_OPERATION (*C_JITOperation_ECZC)(ExecState*, JSCell*, int32_t, JSCell*);
</ins><span class="cx"> typedef JSCell* JIT_OPERATION (*C_JITOperation_ECC)(ExecState*, JSCell*, JSCell*);
</span><span class="cx"> typedef JSCell* JIT_OPERATION (*C_JITOperation_EIcf)(ExecState*, InlineCallFrame*);
</span><span class="cx"> typedef JSCell* JIT_OPERATION (*C_JITOperation_EJ)(ExecState*, EncodedJSValue);
</span><ins>+typedef JSCell* JIT_OPERATION (*C_JITOperation_EJZ)(ExecState*, EncodedJSValue, int32_t);
+typedef JSCell* JIT_OPERATION (*C_JITOperation_EJZC)(ExecState*, EncodedJSValue, int32_t, JSCell*);
+typedef JSCell* JIT_OPERATION (*C_JITOperation_EJJC)(ExecState*, EncodedJSValue, EncodedJSValue, JSCell*);
</ins><span class="cx"> typedef JSCell* JIT_OPERATION (*C_JITOperation_EJssSt)(ExecState*, JSString*, Structure*);
</span><span class="cx"> typedef JSCell* JIT_OPERATION (*C_JITOperation_EJssJss)(ExecState*, JSString*, JSString*);
</span><span class="cx"> typedef JSCell* JIT_OPERATION (*C_JITOperation_EJssJssJss)(ExecState*, JSString*, JSString*, JSString*);
</span><span class="lines">@@ -137,6 +145,7 @@
</span><span class="cx"> typedef int64_t JIT_OPERATION(*Q_JITOperation_D)(double);
</span><span class="cx"> typedef int32_t JIT_OPERATION (*Z_JITOperation_D)(double);
</span><span class="cx"> typedef int32_t JIT_OPERATION (*Z_JITOperation_E)(ExecState*);
</span><ins>+typedef int32_t JIT_OPERATION (*Z_JITOperation_EC)(ExecState*, JSCell*);
</ins><span class="cx"> typedef size_t JIT_OPERATION (*S_JITOperation_ECC)(ExecState*, JSCell*, JSCell*);
</span><span class="cx"> typedef size_t JIT_OPERATION (*S_JITOperation_EJ)(ExecState*, EncodedJSValue);
</span><span class="cx"> typedef size_t JIT_OPERATION (*S_JITOperation_EJJ)(ExecState*, EncodedJSValue, EncodedJSValue);
</span><span class="lines">@@ -280,6 +289,8 @@
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationGetByValDefault(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript) WTF_INTERNAL;
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationGetByValGeneric(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript) WTF_INTERNAL;
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationGetByValString(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript) WTF_INTERNAL;
</span><ins>+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyDefault(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyGeneric(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript) WTF_INTERNAL;
</ins><span class="cx"> void JIT_OPERATION operationTearOffActivation(ExecState*, JSCell*) WTF_INTERNAL;
</span><span class="cx"> void JIT_OPERATION operationTearOffArguments(ExecState*, JSCell*, JSCell*) WTF_INTERNAL;
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationDeleteById(ExecState*, EncodedJSValue base, const Identifier*) WTF_INTERNAL;
</span><span class="lines">@@ -305,6 +316,14 @@
</span><span class="cx">
</span><span class="cx"> void JIT_OPERATION operationExceptionFuzz();
</span><span class="cx">
</span><ins>+int32_t JIT_OPERATION operationGetEnumerableLength(ExecState*, JSCell*);
+EncodedJSValue JIT_OPERATION operationHasGenericProperty(ExecState*, EncodedJSValue, JSCell*);
+EncodedJSValue JIT_OPERATION operationHasIndexedProperty(ExecState*, JSCell*, int32_t);
+JSCell* JIT_OPERATION operationGetStructurePropertyEnumerator(ExecState*, JSCell*, int32_t);
+JSCell* JIT_OPERATION operationGetGenericPropertyEnumerator(ExecState*, JSCell*, int32_t, JSCell*);
+EncodedJSValue JIT_OPERATION operationNextEnumeratorPname(ExecState*, JSCell*, int32_t);
+JSCell* JIT_OPERATION operationToIndexString(ExecState*, int32_t);
+
</ins><span class="cx"> } // extern "C"
</span><span class="cx">
</span><span class="cx"> inline P_JITOperation_ECli operationLinkFor(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -35,7 +35,6 @@
</span><span class="cx"> #include "JITInlines.h"
</span><span class="cx"> #include "JSArray.h"
</span><span class="cx"> #include "JSFunction.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><span class="cx"> #include "JSVariableObject.h"
</span><span class="cx"> #include "LinkBuffer.h"
</span><span class="cx"> #include "RepatchBuffer.h"
</span><span class="lines">@@ -151,7 +150,7 @@
</span><span class="cx"> m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JIT::JumpList JIT::emitDoubleGetByVal(Instruction*, PatchableJump& badType)
</del><ins>+JIT::JumpList JIT::emitDoubleLoad(Instruction*, PatchableJump& badType)
</ins><span class="cx"> {
</span><span class="cx"> JumpList slowCases;
</span><span class="cx">
</span><span class="lines">@@ -160,13 +159,11 @@
</span><span class="cx"> slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
</span><span class="cx"> loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
</span><span class="cx"> slowCases.append(branchDouble(DoubleNotEqualOrUnordered, fpRegT0, fpRegT0));
</span><del>- moveDoubleTo64(fpRegT0, regT0);
- sub64(tagTypeNumberRegister, regT0);
</del><span class="cx">
</span><span class="cx"> return slowCases;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JIT::JumpList JIT::emitContiguousGetByVal(Instruction*, PatchableJump& badType, IndexingType expectedShape)
</del><ins>+JIT::JumpList JIT::emitContiguousLoad(Instruction*, PatchableJump& badType, IndexingType expectedShape)
</ins><span class="cx"> {
</span><span class="cx"> JumpList slowCases;
</span><span class="cx">
</span><span class="lines">@@ -179,7 +176,7 @@
</span><span class="cx"> return slowCases;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JIT::JumpList JIT::emitArrayStorageGetByVal(Instruction*, PatchableJump& badType)
</del><ins>+JIT::JumpList JIT::emitArrayStorageLoad(Instruction*, PatchableJump& badType)
</ins><span class="cx"> {
</span><span class="cx"> JumpList slowCases;
</span><span class="cx">
</span><span class="lines">@@ -264,51 +261,6 @@
</span><span class="cx"> load64(BaseIndex(scratch, offset, TimesEight, (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)), result);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::emit_op_get_by_pname(Instruction* currentInstruction)
-{
- int dst = currentInstruction[1].u.operand;
- int base = currentInstruction[2].u.operand;
- int property = currentInstruction[3].u.operand;
- unsigned expected = currentInstruction[4].u.operand;
- int iter = currentInstruction[5].u.operand;
- int i = currentInstruction[6].u.operand;
-
- emitGetVirtualRegister(property, regT0);
- addSlowCase(branch64(NotEqual, regT0, addressFor(expected)));
- emitGetVirtualRegisters(base, regT0, iter, regT1);
- emitJumpSlowCaseIfNotJSCell(regT0, base);
-
- // Test base's structure
- emitLoadStructure(regT0, regT2, regT3);
- addSlowCase(branchPtr(NotEqual, regT2, Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure))));
- load32(addressFor(i), regT3);
- sub32(TrustedImm32(1), regT3);
- addSlowCase(branch32(AboveOrEqual, regT3, Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_numCacheableSlots))));
- Jump inlineProperty = branch32(Below, regT3, Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructureInlineCapacity)));
- add32(TrustedImm32(firstOutOfLineOffset), regT3);
- sub32(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructureInlineCapacity)), regT3);
- inlineProperty.link(this);
- compileGetDirectOffset(regT0, regT0, regT3, regT1);
-
- emitPutVirtualRegister(dst, regT0);
-}
-
-void JIT::emitSlow_op_get_by_pname(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
- int dst = currentInstruction[1].u.operand;
- int base = currentInstruction[2].u.operand;
- int property = currentInstruction[3].u.operand;
-
- linkSlowCase(iter);
- linkSlowCaseIfNotJSCell(iter, base);
- linkSlowCase(iter);
- linkSlowCase(iter);
-
- emitGetVirtualRegister(base, regT0);
- emitGetVirtualRegister(property, regT1);
- callOperation(operationGetByValGeneric, dst, regT0, regT1);
-}
-
</del><span class="cx"> void JIT::emit_op_put_by_val(Instruction* currentInstruction)
</span><span class="cx"> {
</span><span class="cx"> int base = currentInstruction[1].u.operand;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -35,7 +35,6 @@
</span><span class="cx"> #include "JITInlines.h"
</span><span class="cx"> #include "JSArray.h"
</span><span class="cx"> #include "JSFunction.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><span class="cx"> #include "JSVariableObject.h"
</span><span class="cx"> #include "LinkBuffer.h"
</span><span class="cx"> #include "RepatchBuffer.h"
</span><span class="lines">@@ -173,15 +172,13 @@
</span><span class="cx"> m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JIT::JumpList JIT::emitContiguousGetByVal(Instruction*, PatchableJump& badType, IndexingType expectedShape)
</del><ins>+JIT::JumpList JIT::emitContiguousLoad(Instruction*, PatchableJump& badType, IndexingType expectedShape)
</ins><span class="cx"> {
</span><span class="cx"> JumpList slowCases;
</span><span class="cx">
</span><span class="cx"> badType = patchableBranch32(NotEqual, regT1, TrustedImm32(expectedShape));
</span><del>-
</del><span class="cx"> loadPtr(Address(regT0, JSObject::butterflyOffset()), regT3);
</span><span class="cx"> slowCases.append(branch32(AboveOrEqual, regT2, Address(regT3, Butterfly::offsetOfPublicLength())));
</span><del>-
</del><span class="cx"> load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1); // tag
</span><span class="cx"> load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0); // payload
</span><span class="cx"> slowCases.append(branch32(Equal, regT1, TrustedImm32(JSValue::EmptyValueTag)));
</span><span class="lines">@@ -189,32 +186,27 @@
</span><span class="cx"> return slowCases;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JIT::JumpList JIT::emitDoubleGetByVal(Instruction*, PatchableJump& badType)
</del><ins>+JIT::JumpList JIT::emitDoubleLoad(Instruction*, PatchableJump& badType)
</ins><span class="cx"> {
</span><span class="cx"> JumpList slowCases;
</span><span class="cx">
</span><span class="cx"> badType = patchableBranch32(NotEqual, regT1, TrustedImm32(DoubleShape));
</span><del>-
</del><span class="cx"> loadPtr(Address(regT0, JSObject::butterflyOffset()), regT3);
</span><span class="cx"> slowCases.append(branch32(AboveOrEqual, regT2, Address(regT3, Butterfly::offsetOfPublicLength())));
</span><del>-
</del><span class="cx"> loadDouble(BaseIndex(regT3, regT2, TimesEight), fpRegT0);
</span><span class="cx"> slowCases.append(branchDouble(DoubleNotEqualOrUnordered, fpRegT0, fpRegT0));
</span><del>- moveDoubleToInts(fpRegT0, regT0, regT1);
</del><span class="cx">
</span><span class="cx"> return slowCases;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JIT::JumpList JIT::emitArrayStorageGetByVal(Instruction*, PatchableJump& badType)
</del><ins>+JIT::JumpList JIT::emitArrayStorageLoad(Instruction*, PatchableJump& badType)
</ins><span class="cx"> {
</span><span class="cx"> JumpList slowCases;
</span><span class="cx">
</span><span class="cx"> add32(TrustedImm32(-ArrayStorageShape), regT1, regT3);
</span><span class="cx"> badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape));
</span><del>-
</del><span class="cx"> loadPtr(Address(regT0, JSObject::butterflyOffset()), regT3);
</span><span class="cx"> slowCases.append(branch32(AboveOrEqual, regT2, Address(regT3, ArrayStorage::vectorLengthOffset())));
</span><del>-
</del><span class="cx"> load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1); // tag
</span><span class="cx"> load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0); // payload
</span><span class="cx"> slowCases.append(branch32(Equal, regT1, TrustedImm32(JSValue::EmptyValueTag)));
</span><span class="lines">@@ -613,54 +605,6 @@
</span><span class="cx"> load32(BaseIndex(base, offset, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) + (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)), resultTag);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::emit_op_get_by_pname(Instruction* currentInstruction)
-{
- int dst = currentInstruction[1].u.operand;
- int base = currentInstruction[2].u.operand;
- int property = currentInstruction[3].u.operand;
- unsigned expected = currentInstruction[4].u.operand;
- int iter = currentInstruction[5].u.operand;
- int i = currentInstruction[6].u.operand;
-
- emitLoad2(property, regT1, regT0, base, regT3, regT2);
- emitJumpSlowCaseIfNotJSCell(property, regT1);
- addSlowCase(branchPtr(NotEqual, regT0, payloadFor(expected)));
- // Property registers are now available as the property is known
- emitJumpSlowCaseIfNotJSCell(base, regT3);
- emitLoadPayload(iter, regT1);
-
- // Test base's structure
- loadPtr(Address(regT2, JSCell::structureIDOffset()), regT0);
- addSlowCase(branchPtr(NotEqual, regT0, Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure))));
- load32(addressFor(i), regT3);
- sub32(TrustedImm32(1), regT3);
- addSlowCase(branch32(AboveOrEqual, regT3, Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_numCacheableSlots))));
- Jump inlineProperty = branch32(Below, regT3, Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructureInlineCapacity)));
- add32(TrustedImm32(firstOutOfLineOffset), regT3);
- sub32(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructureInlineCapacity)), regT3);
- inlineProperty.link(this);
- compileGetDirectOffset(regT2, regT1, regT0, regT3);
-
- emitStore(dst, regT1, regT0);
-}
-
-void JIT::emitSlow_op_get_by_pname(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
- int dst = currentInstruction[1].u.operand;
- int base = currentInstruction[2].u.operand;
- int property = currentInstruction[3].u.operand;
-
- linkSlowCaseIfNotJSCell(iter, property);
- linkSlowCase(iter);
- linkSlowCaseIfNotJSCell(iter, base);
- linkSlowCase(iter);
- linkSlowCase(iter);
-
- emitLoad(base, regT1, regT0);
- emitLoad(property, regT3, regT2);
- callOperation(operationGetByValGeneric, dst, regT1, regT0, regT3, regT2);
-}
-
</del><span class="cx"> void JIT::emitVarInjectionCheck(bool needsVarInjectionChecks)
</span><span class="cx"> {
</span><span class="cx"> if (!needsVarInjectionChecks)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitRepatchcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/Repatch.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/Repatch.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/Repatch.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1607,8 +1607,8 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void linkClosureCall(
</span><del>- ExecState* exec, CallLinkInfo& callLinkInfo, CodeBlock* calleeCodeBlock,
- Structure* structure, ExecutableBase* executable, MacroAssemblerCodePtr codePtr,
</del><ins>+ ExecState* exec, CallLinkInfo& callLinkInfo, CodeBlock* calleeCodeBlock,
+ ExecutableBase* executable, MacroAssemblerCodePtr codePtr,
</ins><span class="cx"> RegisterPreservationMode registers)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!callLinkInfo.stub);
</span><span class="lines">@@ -1642,10 +1642,10 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> slowPath.append(
</span><del>- branchStructure(stubJit,
</del><ins>+ stubJit.branch8(
</ins><span class="cx"> CCallHelpers::NotEqual,
</span><del>- CCallHelpers::Address(calleeGPR, JSCell::structureIDOffset()),
- structure));
</del><ins>+ CCallHelpers::Address(calleeGPR, JSCell::typeInfoTypeOffset()),
+ CCallHelpers::TrustedImm32(JSFunctionType)));
</ins><span class="cx">
</span><span class="cx"> slowPath.append(
</span><span class="cx"> stubJit.branchPtr(
</span><span class="lines">@@ -1699,7 +1699,7 @@
</span><span class="cx"> ("Closure call stub for %s, return point %p, target %p (%s)",
</span><span class="cx"> toCString(*callerCodeBlock).data(), callLinkInfo.callReturnLocation.labelAtOffset(0).executableAddress(),
</span><span class="cx"> codePtr.executableAddress(), toCString(pointerDump(calleeCodeBlock)).data())),
</span><del>- *vm, callerCodeBlock->ownerExecutable(), structure, executable, callLinkInfo.codeOrigin));
</del><ins>+ *vm, callerCodeBlock->ownerExecutable(), executable, callLinkInfo.codeOrigin));
</ins><span class="cx">
</span><span class="cx"> RepatchBuffer repatchBuffer(callerCodeBlock);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitRepatchh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/Repatch.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/Repatch.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/jit/Repatch.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -41,7 +41,7 @@
</span><span class="cx"> void repatchIn(ExecState*, JSCell*, const Identifier&, bool wasFound, const PropertySlot&, StructureStubInfo&);
</span><span class="cx"> void linkFor(ExecState*, CallLinkInfo&, CodeBlock*, JSFunction* callee, MacroAssemblerCodePtr, CodeSpecializationKind, RegisterPreservationMode);
</span><span class="cx"> void linkSlowFor(ExecState*, CallLinkInfo&, CodeSpecializationKind, RegisterPreservationMode);
</span><del>-void linkClosureCall(ExecState*, CallLinkInfo&, CodeBlock*, Structure*, ExecutableBase*, MacroAssemblerCodePtr, RegisterPreservationMode);
</del><ins>+void linkClosureCall(ExecState*, CallLinkInfo&, CodeBlock*, ExecutableBase*, MacroAssemblerCodePtr, RegisterPreservationMode);
</ins><span class="cx"> void resetGetByID(RepatchBuffer&, StructureStubInfo&);
</span><span class="cx"> void resetPutByID(RepatchBuffer&, StructureStubInfo&);
</span><span class="cx"> void resetIn(RepatchBuffer&, StructureStubInfo&);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntOffsetsExtractorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -39,7 +39,6 @@
</span><span class="cx"> #include "VM.h"
</span><span class="cx"> #include "JSGlobalObject.h"
</span><span class="cx"> #include "JSObject.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><span class="cx"> #include "JSStack.h"
</span><span class="cx"> #include "JSString.h"
</span><span class="cx"> #include "JSTypeInfo.h"
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -42,7 +42,6 @@
</span><span class="cx"> #include "JSCJSValue.h"
</span><span class="cx"> #include "JSGlobalObjectFunctions.h"
</span><span class="cx"> #include "JSNameScope.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><span class="cx"> #include "JSStackInlines.h"
</span><span class="cx"> #include "JSString.h"
</span><span class="cx"> #include "JSWithScope.h"
</span><span class="lines">@@ -776,12 +775,6 @@
</span><span class="cx"> LLINT_RETURN_PROFILED(op_get_argument_by_val, getByVal(exec, arguments, LLINT_OP_C(3).jsValue()));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-LLINT_SLOW_PATH_DECL(slow_path_get_by_pname)
-{
- LLINT_BEGIN();
- LLINT_RETURN(getByVal(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(3).jsValue()));
-}
-
</del><span class="cx"> LLINT_SLOW_PATH_DECL(slow_path_put_by_val)
</span><span class="cx"> {
</span><span class="cx"> LLINT_BEGIN();
</span><span class="lines">@@ -1290,42 +1283,6 @@
</span><span class="cx"> LLINT_RETURN(LLINT_OP_C(2).jsValue().toPrimitive(exec));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-LLINT_SLOW_PATH_DECL(slow_path_get_pnames)
-{
- LLINT_BEGIN();
- JSValue v = LLINT_OP(2).jsValue();
- if (v.isUndefinedOrNull()) {
- pc += pc[5].u.operand;
- LLINT_END();
- }
-
- JSObject* o = v.toObject(exec);
- Structure* structure = o->structure();
- JSPropertyNameIterator* jsPropertyNameIterator = structure->enumerationCache();
- if (!jsPropertyNameIterator || jsPropertyNameIterator->cachedPrototypeChain() != structure->prototypeChain(exec))
- jsPropertyNameIterator = JSPropertyNameIterator::create(exec, o);
-
- LLINT_OP(1) = JSValue(jsPropertyNameIterator);
- LLINT_OP(2) = JSValue(o);
- LLINT_OP(3) = Register::withInt(0);
- LLINT_OP(4) = Register::withInt(jsPropertyNameIterator->size());
-
- pc += OPCODE_LENGTH(op_get_pnames);
- LLINT_END();
-}
-
-LLINT_SLOW_PATH_DECL(slow_path_next_pname)
-{
- LLINT_BEGIN();
- JSObject* base = asObject(LLINT_OP(2).jsValue());
- JSString* property = asString(LLINT_OP(1).jsValue());
- if (base->hasProperty(exec, Identifier(exec, property->value(exec)))) {
- // Go to target.
- pc += pc[6].u.operand;
- } // Else, don't change the PC, so the interpreter will reloop.
- LLINT_END();
-}
-
</del><span class="cx"> LLINT_SLOW_PATH_DECL(slow_path_push_with_scope)
</span><span class="cx"> {
</span><span class="cx"> LLINT_BEGIN();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -76,7 +76,6 @@
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_del_by_id);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_by_val);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_argument_by_val);
</span><del>-LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_by_pname);
</del><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_put_by_val);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_put_by_val_direct);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_del_by_val);
</span><span class="lines">@@ -107,8 +106,6 @@
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_tear_off_arguments);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_strcat);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_to_primitive);
</span><del>-LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_pnames);
-LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_next_pname);
</del><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_push_with_scope);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_pop_scope);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_push_name_scope);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreterasm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1145,12 +1145,6 @@
</span><span class="cx"> dispatch(4)
</span><span class="cx">
</span><span class="cx">
</span><del>-_llint_op_get_pnames:
- traceExecution()
- callSlowPath(_llint_slow_path_get_pnames)
- dispatch(0) # The slow_path either advances the PC or jumps us to somewhere else.
-
-
</del><span class="cx"> _llint_op_push_with_scope:
</span><span class="cx"> traceExecution()
</span><span class="cx"> callSlowPath(_llint_slow_path_push_with_scope)
</span><span class="lines">@@ -1220,7 +1214,51 @@
</span><span class="cx"> _llint_native_construct_trampoline:
</span><span class="cx"> nativeCallTrampoline(NativeExecutable::m_constructor)
</span><span class="cx">
</span><ins>+_llint_op_get_enumerable_length:
+ traceExecution()
+ callSlowPath(_slow_path_get_enumerable_length)
+ dispatch(3)
</ins><span class="cx">
</span><ins>+_llint_op_has_indexed_property:
+ traceExecution()
+ callSlowPath(_slow_path_has_indexed_property)
+ dispatch(5)
+
+_llint_op_has_structure_property:
+ traceExecution()
+ callSlowPath(_slow_path_has_structure_property)
+ dispatch(5)
+
+_llint_op_has_generic_property:
+ traceExecution()
+ callSlowPath(_slow_path_has_generic_property)
+ dispatch(4)
+
+_llint_op_get_direct_pname:
+ traceExecution()
+ callSlowPath(_slow_path_get_direct_pname)
+ dispatch(7)
+
+_llint_op_get_structure_property_enumerator:
+ traceExecution()
+ callSlowPath(_slow_path_get_structure_property_enumerator)
+ dispatch(4)
+
+_llint_op_get_generic_property_enumerator:
+ traceExecution()
+ callSlowPath(_slow_path_get_generic_property_enumerator)
+ dispatch(5)
+
+_llint_op_next_enumerator_pname:
+ traceExecution()
+ callSlowPath(_slow_path_next_enumerator_pname)
+ dispatch(4)
+
+_llint_op_to_index_string:
+ traceExecution()
+ callSlowPath(_slow_path_to_index_string)
+ dispatch(3)
+
</ins><span class="cx"> # Lastly, make sure that we can link even though we don't support all opcodes.
</span><span class="cx"> # These opcodes should never arise when using LLInt or either JIT. We assert
</span><span class="cx"> # as much.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1613,37 +1613,6 @@
</span><span class="cx"> dispatch(6)
</span><span class="cx">
</span><span class="cx">
</span><del>-_llint_op_get_by_pname:
- traceExecution()
- loadi 12[PC], t0
- loadConstantOrVariablePayload(t0, CellTag, t1, .opGetByPnameSlow)
- loadi 16[PC], t0
- bpneq t1, PayloadOffset[cfr, t0, 8], .opGetByPnameSlow
- loadi 8[PC], t0
- loadConstantOrVariablePayload(t0, CellTag, t2, .opGetByPnameSlow)
- loadi 20[PC], t0
- loadi PayloadOffset[cfr, t0, 8], t3
- loadp JSCell::m_structureID[t2], t0
- bpneq t0, JSPropertyNameIterator::m_cachedStructure[t3], .opGetByPnameSlow
- loadi 24[PC], t0
- loadi [cfr, t0, 8], t0
- subi 1, t0
- biaeq t0, JSPropertyNameIterator::m_numCacheableSlots[t3], .opGetByPnameSlow
- bilt t0, JSPropertyNameIterator::m_cachedStructureInlineCapacity[t3], .opGetByPnameInlineProperty
- addi firstOutOfLineOffset, t0
- subi JSPropertyNameIterator::m_cachedStructureInlineCapacity[t3], t0
-.opGetByPnameInlineProperty:
- loadPropertyAtVariableOffset(t0, t2, t1, t3)
- loadi 4[PC], t0
- storei t1, TagOffset[cfr, t0, 8]
- storei t3, PayloadOffset[cfr, t0, 8]
- dispatch(7)
-
-.opGetByPnameSlow:
- callSlowPath(_llint_slow_path_get_by_pname)
- dispatch(7)
-
-
</del><span class="cx"> macro contiguousPutByVal(storeCallback)
</span><span class="cx"> biaeq t3, -sizeof IndexingHeader + IndexingHeader::u.lengths.publicLength[t0], .outOfBounds
</span><span class="cx"> .storeResult:
</span><span class="lines">@@ -2038,46 +2007,6 @@
</span><span class="cx"> dispatch(3)
</span><span class="cx">
</span><span class="cx">
</span><del>-_llint_op_next_pname:
- traceExecution()
- loadi 12[PC], t1
- loadi 16[PC], t2
- loadi PayloadOffset[cfr, t1, 8], t0
- bieq t0, PayloadOffset[cfr, t2, 8], .opNextPnameEnd
- loadi 20[PC], t2
- loadi PayloadOffset[cfr, t2, 8], t2
- loadp JSPropertyNameIterator::m_jsStrings[t2], t3
- loadi [t3, t0, 8], t3
- addi 1, t0
- storei t0, PayloadOffset[cfr, t1, 8]
- loadi 4[PC], t1
- storei CellTag, TagOffset[cfr, t1, 8]
- storei t3, PayloadOffset[cfr, t1, 8]
- loadi 8[PC], t3
- loadi PayloadOffset[cfr, t3, 8], t3
- loadp JSCell::m_structureID[t3], t1
- bpneq t1, JSPropertyNameIterator::m_cachedStructure[t2], .opNextPnameSlow
- loadp JSPropertyNameIterator::m_cachedPrototypeChain[t2], t0
- loadp StructureChain::m_vector[t0], t0
- btpz [t0], .opNextPnameTarget
-.opNextPnameCheckPrototypeLoop:
- bieq Structure::m_prototype + TagOffset[t1], NullTag, .opNextPnameSlow
- loadp Structure::m_prototype + PayloadOffset[t1], t2
- loadp JSCell::m_structureID[t2], t1
- bpneq t1, [t0], .opNextPnameSlow
- addp 4, t0
- btpnz [t0], .opNextPnameCheckPrototypeLoop
-.opNextPnameTarget:
- dispatchBranch(24[PC])
-
-.opNextPnameEnd:
- dispatch(7)
-
-.opNextPnameSlow:
- callSlowPath(_llint_slow_path_next_pname) # This either keeps the PC where it was (causing us to loop) or sets it to target.
- dispatch(0)
-
-
</del><span class="cx"> _llint_op_catch:
</span><span class="cx"> # This is where we end up from the JIT's throw trampoline (because the
</span><span class="cx"> # machine code return address will be set to _llint_op_catch), and from
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1510,38 +1510,6 @@
</span><span class="cx"> dispatch(6)
</span><span class="cx">
</span><span class="cx">
</span><del>-_llint_op_get_by_pname:
- traceExecution()
- loadisFromInstruction(3, t1)
- loadConstantOrVariable(t1, t0)
- loadisFromInstruction(4, t1)
- assertNotConstant(t1)
- bqneq t0, [cfr, t1, 8], .opGetByPnameSlow
- loadisFromInstruction(2, t2)
- loadisFromInstruction(5, t3)
- loadConstantOrVariableCell(t2, t0, .opGetByPnameSlow)
- assertNotConstant(t3)
- loadq [cfr, t3, 8], t1
- loadStructureWithScratch(t0, t2, t3)
- bpneq t2, JSPropertyNameIterator::m_cachedStructure[t1], .opGetByPnameSlow
- loadisFromInstruction(6, t3)
- loadi PayloadOffset[cfr, t3, 8], t3
- subi 1, t3
- biaeq t3, JSPropertyNameIterator::m_numCacheableSlots[t1], .opGetByPnameSlow
- bilt t3, JSPropertyNameIterator::m_cachedStructureInlineCapacity[t1], .opGetByPnameInlineProperty
- addi firstOutOfLineOffset, t3
- subi JSPropertyNameIterator::m_cachedStructureInlineCapacity[t1], t3
-.opGetByPnameInlineProperty:
- loadPropertyAtVariableOffset(t3, t0, t0)
- loadisFromInstruction(1, t1)
- storeq t0, [cfr, t1, 8]
- dispatch(7)
-
-.opGetByPnameSlow:
- callSlowPath(_llint_slow_path_get_by_pname)
- dispatch(7)
-
-
</del><span class="cx"> macro contiguousPutByVal(storeCallback)
</span><span class="cx"> biaeq t3, -sizeof IndexingHeader + IndexingHeader::u.lengths.publicLength[t0], .outOfBounds
</span><span class="cx"> .storeResult:
</span><span class="lines">@@ -1934,49 +1902,6 @@
</span><span class="cx"> dispatch(3)
</span><span class="cx">
</span><span class="cx">
</span><del>-_llint_op_next_pname:
- traceExecution()
- loadisFromInstruction(3, t1)
- loadisFromInstruction(4, t2)
- assertNotConstant(t1)
- assertNotConstant(t2)
- loadi PayloadOffset[cfr, t1, 8], t0
- bieq t0, PayloadOffset[cfr, t2, 8], .opNextPnameEnd
- loadisFromInstruction(5, t2)
- assertNotConstant(t2)
- loadp [cfr, t2, 8], t2
- loadp JSPropertyNameIterator::m_jsStrings[t2], t3
- loadq [t3, t0, 8], t3
- addi 1, t0
- storei t0, PayloadOffset[cfr, t1, 8]
- loadisFromInstruction(1, t1)
- storeq t3, [cfr, t1, 8]
- loadisFromInstruction(2, t3)
- assertNotConstant(t3)
- loadq [cfr, t3, 8], t3
- loadStructureWithScratch(t3, t1, t0)
- bpneq t1, JSPropertyNameIterator::m_cachedStructure[t2], .opNextPnameSlow
- loadp JSPropertyNameIterator::m_cachedPrototypeChain[t2], t0
- loadp StructureChain::m_vector[t0], t0
- btpz [t0], .opNextPnameTarget
-.opNextPnameCheckPrototypeLoop:
- bqeq Structure::m_prototype[t1], ValueNull, .opNextPnameSlow
- loadq Structure::m_prototype[t1], t2
- loadStructureWithScratch(t2, t1, t3)
- bpneq t1, [t0], .opNextPnameSlow
- addp 8, t0
- btpnz [t0], .opNextPnameCheckPrototypeLoop
-.opNextPnameTarget:
- dispatchIntIndirect(6)
-
-.opNextPnameEnd:
- dispatch(7)
-
-.opNextPnameSlow:
- callSlowPath(_llint_slow_path_next_pname) # This either keeps the PC where it was (causing us to loop) or sets it to target.
- dispatch(0)
-
-
</del><span class="cx"> _llint_op_catch:
</span><span class="cx"> # This is where we end up from the JIT's throw trampoline (because the
</span><span class="cx"> # machine code return address will be set to _llint_op_catch), and from
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserNodesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Nodes.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Nodes.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/parser/Nodes.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1280,6 +1280,10 @@
</span><span class="cx"> ForInNode(VM*, const JSTokenLocation&, DeconstructionPatternNode*, ExpressionNode*, StatementNode*);
</span><span class="cx">
</span><span class="cx"> private:
</span><ins>+ RegisterID* tryGetBoundLocal(BytecodeGenerator&);
+ void emitLoopHeader(BytecodeGenerator&, RegisterID* propertyName);
+ void emitMultiLoopBytecode(BytecodeGenerator&, RegisterID* dst);
+
</ins><span class="cx"> virtual void emitBytecode(BytecodeGenerator&, RegisterID* = 0) override;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArgumentscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Arguments.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Arguments.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/Arguments.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -221,7 +221,7 @@
</span><span class="cx"> continue;
</span><span class="cx"> propertyNames.add(Identifier::from(exec, i));
</span><span class="cx"> }
</span><del>- if (mode == IncludeDontEnumProperties) {
</del><ins>+ if (shouldIncludeDontEnumProperties(mode)) {
</ins><span class="cx"> propertyNames.add(exec->propertyNames().callee);
</span><span class="cx"> propertyNames.add(exec->propertyNames().length);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeClassInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ClassInfo.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ClassInfo.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/ClassInfo.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -82,6 +82,12 @@
</span><span class="cx"> typedef void (*GetPropertyNamesFunctionPtr)(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><span class="cx"> GetPropertyNamesFunctionPtr getPropertyNames;
</span><span class="cx">
</span><ins>+ typedef uint32_t (*GetEnumerableLengthFunctionPtr)(ExecState*, JSObject*);
+ GetEnumerableLengthFunctionPtr getEnumerableLength;
+
+ GetPropertyNamesFunctionPtr getStructurePropertyNames;
+ GetPropertyNamesFunctionPtr getGenericPropertyNames;
+
</ins><span class="cx"> typedef String (*ClassNameFunctionPtr)(const JSObject*);
</span><span class="cx"> ClassNameFunctionPtr className;
</span><span class="cx">
</span><span class="lines">@@ -137,6 +143,9 @@
</span><span class="cx"> &ClassName::getOwnPropertyNames, \
</span><span class="cx"> &ClassName::getOwnNonIndexPropertyNames, \
</span><span class="cx"> &ClassName::getPropertyNames, \
</span><ins>+ &ClassName::getEnumerableLength, \
+ &ClassName::getStructurePropertyNames, \
+ &ClassName::getGenericPropertyNames, \
</ins><span class="cx"> &ClassName::className, \
</span><span class="cx"> &ClassName::customHasInstance, \
</span><span class="cx"> &ClassName::defineOwnProperty, \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx"> #include "JSCJSValue.h"
</span><span class="cx"> #include "JSGlobalObjectFunctions.h"
</span><span class="cx"> #include "JSNameScope.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "JSString.h"
</span><span class="cx"> #include "JSWithScope.h"
</span><span class="cx"> #include "LLIntCommon.h"
</span><span class="lines">@@ -537,4 +537,103 @@
</span><span class="cx"> END();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+SLOW_PATH_DECL(slow_path_get_enumerable_length)
+{
+ BEGIN();
+ JSValue baseValue = OP(2).jsValue();
+ if (baseValue.isUndefinedOrNull())
+ RETURN(jsNumber(0));
+
+ JSObject* base = baseValue.toObject(exec);
+ RETURN(jsNumber(base->methodTable(vm)->getEnumerableLength(exec, base)));
+}
+
+SLOW_PATH_DECL(slow_path_has_indexed_property)
+{
+ BEGIN();
+ JSObject* base = OP(2).jsValue().toObject(exec);
+ JSValue property = OP(3).jsValue();
+ pc[4].u.arrayProfile->observeStructure(base->structure(vm));
+ ASSERT(property.isUInt32());
+ RETURN(jsBoolean(base->hasProperty(exec, property.asUInt32())));
+}
+
+SLOW_PATH_DECL(slow_path_has_structure_property)
+{
+ BEGIN();
+ JSObject* base = OP(2).jsValue().toObject(exec);
+ JSValue property = OP(3).jsValue();
+ ASSERT(property.isString());
+ JSPropertyNameEnumerator* enumerator = jsCast<JSPropertyNameEnumerator*>(OP(4).jsValue().asCell());
+ if (base->structure(vm)->id() == enumerator->cachedStructureID())
+ RETURN(jsBoolean(true));
+ RETURN(jsBoolean(base->hasProperty(exec, asString(property.asCell())->toIdentifier(exec))));
+}
+
+SLOW_PATH_DECL(slow_path_has_generic_property)
+{
+ BEGIN();
+ JSObject* base = OP(2).jsValue().toObject(exec);
+ JSValue property = OP(3).jsValue();
+ bool result;
+ if (property.isString())
+ result = base->hasProperty(exec, asString(property.asCell())->toIdentifier(exec));
+ else {
+ ASSERT(property.isUInt32());
+ result = base->hasProperty(exec, property.asUInt32());
+ }
+ RETURN(jsBoolean(result));
+}
+
+SLOW_PATH_DECL(slow_path_get_direct_pname)
+{
+ BEGIN();
+ JSValue baseValue = OP(2).jsValue();
+ JSValue property = OP(3).jsValue();
+ ASSERT(property.isString());
+ RETURN(baseValue.get(exec, property.toString(exec)->toIdentifier(exec)));
+}
+
+SLOW_PATH_DECL(slow_path_get_structure_property_enumerator)
+{
+ BEGIN();
+ JSValue baseValue = OP(2).jsValue();
+ if (baseValue.isUndefinedOrNull())
+ RETURN(JSPropertyNameEnumerator::create(vm));
+
+ JSObject* base = baseValue.toObject(exec);
+ uint32_t length = OP(3).jsValue().asUInt32();
+
+ RETURN(structurePropertyNameEnumerator(exec, base, length));
+}
+
+SLOW_PATH_DECL(slow_path_get_generic_property_enumerator)
+{
+ BEGIN();
+ JSValue baseValue = OP(2).jsValue();
+ if (baseValue.isUndefinedOrNull())
+ RETURN(JSPropertyNameEnumerator::create(vm));
+
+ JSObject* base = baseValue.toObject(exec);
+ uint32_t length = OP(3).jsValue().asUInt32();
+ JSPropertyNameEnumerator* structureEnumerator = jsCast<JSPropertyNameEnumerator*>(OP(4).jsValue().asCell());
+
+ RETURN(genericPropertyNameEnumerator(exec, base, length, structureEnumerator));
+}
+
+SLOW_PATH_DECL(slow_path_next_enumerator_pname)
+{
+ BEGIN();
+ JSPropertyNameEnumerator* enumerator = jsCast<JSPropertyNameEnumerator*>(OP(2).jsValue().asCell());
+ uint32_t index = OP(3).jsValue().asUInt32();
+ JSString* propertyName = enumerator->propertyNameAtIndex(index);
+ RETURN(propertyName ? propertyName : jsNull());
+}
+
+SLOW_PATH_DECL(slow_path_to_index_string)
+{
+ BEGIN();
+ RETURN(jsString(exec, Identifier::from(exec, OP(2).jsValue().asUInt32()).string()));
+}
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -224,6 +224,15 @@
</span><span class="cx"> SLOW_PATH_HIDDEN_DECL(slow_path_del_by_val);
</span><span class="cx"> SLOW_PATH_HIDDEN_DECL(slow_path_strcat);
</span><span class="cx"> SLOW_PATH_HIDDEN_DECL(slow_path_to_primitive);
</span><ins>+SLOW_PATH_HIDDEN_DECL(slow_path_get_enumerable_length);
+SLOW_PATH_HIDDEN_DECL(slow_path_has_generic_property);
+SLOW_PATH_HIDDEN_DECL(slow_path_has_structure_property);
+SLOW_PATH_HIDDEN_DECL(slow_path_has_indexed_property);
+SLOW_PATH_HIDDEN_DECL(slow_path_get_direct_pname);
+SLOW_PATH_HIDDEN_DECL(slow_path_get_structure_property_enumerator);
+SLOW_PATH_HIDDEN_DECL(slow_path_get_generic_property_enumerator);
+SLOW_PATH_HIDDEN_DECL(slow_path_next_enumerator_pname);
+SLOW_PATH_HIDDEN_DECL(slow_path_to_index_string);
</ins><span class="cx">
</span><span class="cx"> } // namespace JSC
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeEnumerationModeh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/EnumerationMode.h (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/EnumerationMode.h (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/EnumerationMode.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,87 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef EnumerationMode_h
+#define EnumerationMode_h
+
+namespace JSC {
+
+enum EnumerationMode {
+ ExcludeDontEnumProperties,
+ ExcludeDontEnumPropertiesAndSkipJSObject,
+ IncludeDontEnumProperties,
+ IncludeDontEnumPropertiesAndSkipJSObject
+};
+
+inline bool shouldIncludeDontEnumProperties(EnumerationMode mode)
+{
+ switch (mode) {
+ case IncludeDontEnumProperties:
+ case IncludeDontEnumPropertiesAndSkipJSObject:
+ return true;
+ default:
+ return false;
+ }
+}
+
+inline bool shouldExcludeDontEnumProperties(EnumerationMode mode)
+{
+ switch (mode) {
+ case ExcludeDontEnumProperties:
+ case ExcludeDontEnumPropertiesAndSkipJSObject:
+ return true;
+ default:
+ return false;
+ }
+}
+
+inline bool shouldIncludeJSObjectPropertyNames(EnumerationMode mode)
+{
+ switch (mode) {
+ case IncludeDontEnumProperties:
+ case ExcludeDontEnumProperties:
+ return true;
+ case ExcludeDontEnumPropertiesAndSkipJSObject:
+ case IncludeDontEnumPropertiesAndSkipJSObject:
+ return false;
+ }
+}
+
+inline EnumerationMode modeThatSkipsJSObject(EnumerationMode mode)
+{
+ switch (mode) {
+ case IncludeDontEnumProperties:
+ return IncludeDontEnumPropertiesAndSkipJSObject;
+ case ExcludeDontEnumProperties:
+ return ExcludeDontEnumPropertiesAndSkipJSObject;
+ case ExcludeDontEnumPropertiesAndSkipJSObject:
+ case IncludeDontEnumPropertiesAndSkipJSObject:
+ return mode;
+ }
+}
+
+} // namespace JSC
+
+#endif // EnumerationMode_h
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExecutablecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Executable.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Executable.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/Executable.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx"> #include "BytecodeGenerator.h"
</span><span class="cx"> #include "CodeBlock.h"
</span><span class="cx"> #include "DFGDriver.h"
</span><ins>+#include "HighFidelityTypeProfiler.h"
</ins><span class="cx"> #include "JIT.h"
</span><span class="cx"> #include "LLIntEntrypoint.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="lines">@@ -103,6 +104,8 @@
</span><span class="cx"> , m_lastLine(-1)
</span><span class="cx"> , m_startColumn(UINT_MAX)
</span><span class="cx"> , m_endColumn(UINT_MAX)
</span><ins>+ , m_highFidelityTypeProfilingStartOffset(UINT_MAX)
+ , m_highFidelityTypeProfilingEndOffset(UINT_MAX)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -373,6 +376,10 @@
</span><span class="cx"> ProgramExecutable::ProgramExecutable(ExecState* exec, const SourceCode& source)
</span><span class="cx"> : ScriptExecutable(exec->vm().programExecutableStructure.get(), exec->vm(), source, false)
</span><span class="cx"> {
</span><ins>+ m_highFidelityTypeProfilingStartOffset = 0;
+ m_highFidelityTypeProfilingEndOffset = source.length() - 1;
+ if (exec->vm().isProfilingTypesWithHighFidelity())
+ exec->vm().highFidelityTypeProfiler()->functionHasExecutedCache()->insertUnexecutedRange(sourceID(), m_highFidelityTypeProfilingStartOffset, m_highFidelityTypeProfilingEndOffset);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ProgramExecutable::destroy(JSCell* cell)
</span><span class="lines">@@ -396,6 +403,8 @@
</span><span class="cx"> ASSERT(endColumn != UINT_MAX);
</span><span class="cx"> m_startColumn = startColumn;
</span><span class="cx"> m_endColumn = endColumn;
</span><ins>+ m_highFidelityTypeProfilingStartOffset = unlinkedExecutable->highFidelityTypeProfilingStartOffset();
+ m_highFidelityTypeProfilingEndOffset = unlinkedExecutable->highFidelityTypeProfilingEndOffset();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void FunctionExecutable::destroy(JSCell* cell)
</span><span class="lines">@@ -492,6 +501,11 @@
</span><span class="cx"> UnlinkedFunctionExecutable* unlinkedFunctionExecutable = functionDeclarations[i].second.get();
</span><span class="cx"> JSValue value = JSFunction::create(vm, unlinkedFunctionExecutable->link(vm, m_source, lineNo()), scope);
</span><span class="cx"> globalObject->addFunction(callFrame, functionDeclarations[i].first, value);
</span><ins>+ if (vm.isProfilingTypesWithHighFidelity()) {
+ vm.highFidelityTypeProfiler()->functionHasExecutedCache()->insertUnexecutedRange(sourceID(),
+ unlinkedFunctionExecutable->highFidelityTypeProfilingStartOffset(),
+ unlinkedFunctionExecutable->highFidelityTypeProfilingEndOffset());
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> for (size_t i = 0; i < variableDeclarations.size(); ++i) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExecutableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Executable.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Executable.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/Executable.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -365,6 +365,8 @@
</span><span class="cx"> int lastLine() const { return m_lastLine; }
</span><span class="cx"> unsigned startColumn() const { return m_startColumn; }
</span><span class="cx"> unsigned endColumn() const { return m_endColumn; }
</span><ins>+ unsigned highFidelityTypeProfilingStartOffset() const { return m_highFidelityTypeProfilingStartOffset; }
+ unsigned highFidelityTypeProfilingEndOffset() const { return m_highFidelityTypeProfilingEndOffset; }
</ins><span class="cx">
</span><span class="cx"> bool usesEval() const { return m_features & EvalFeature; }
</span><span class="cx"> bool usesArguments() const { return m_features & ArgumentsFeature; }
</span><span class="lines">@@ -435,6 +437,8 @@
</span><span class="cx"> int m_lastLine;
</span><span class="cx"> unsigned m_startColumn;
</span><span class="cx"> unsigned m_endColumn;
</span><ins>+ unsigned m_highFidelityTypeProfilingStartOffset;
+ unsigned m_highFidelityTypeProfilingEndOffset;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> class EvalExecutable : public ScriptExecutable {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionHasExecutedCachecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/FunctionHasExecutedCache.cpp (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionHasExecutedCache.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/FunctionHasExecutedCache.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,81 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "FunctionHasExecutedCache.h"
+
+namespace JSC {
+
+bool FunctionHasExecutedCache::hasExecutedAtOffset(intptr_t id, unsigned offset)
+{
+ if (m_rangeMap.find(id) == m_rangeMap.end())
+ return false;
+
+ RangeMap& map = m_rangeMap.find(id)->second;
+ unsigned distance = UINT_MAX;
+ bool hasExecuted = false;
+ for (auto iter = map.begin(), end = map.end(); iter != end; ++iter) {
+ const FunctionRange& range = iter->first;
+ if (range.m_start <= offset && offset <= range.m_end && range.m_end - range.m_start < distance) {
+ hasExecuted = iter->second;
+ distance = range.m_end - range.m_start;
+ }
+ }
+
+ return hasExecuted;
+}
+
+void FunctionHasExecutedCache::insertUnexecutedRange(intptr_t id, unsigned start, unsigned end)
+{
+ if (m_rangeMap.find(id) == m_rangeMap.end()) {
+ RangeMap map;
+ m_rangeMap[id] = map;
+ }
+
+ RangeMap& map = m_rangeMap.find(id)->second;
+ FunctionRange range;
+ range.m_start = start;
+ range.m_end = end;
+ // Only insert unexecuted ranges once for a given sourceID because we may run into a situation where an executable executes, then is GCed, and then is allocated again,
+ // and tries to reinsert itself, claiming it has never run, but this is false because it indeed already executed.
+ if (map.find(range) == map.end())
+ map[range] = false;
+}
+
+void FunctionHasExecutedCache::removeUnexecutedRange(intptr_t id, unsigned start, unsigned end)
+{
+ // FIXME: We should never have an instance where we return here, but currently do in some situations. Find out why.
+ if (m_rangeMap.find(id) == m_rangeMap.end())
+ return;
+
+ RangeMap& map = m_rangeMap.find(id)->second;
+
+ FunctionRange range;
+ range.m_start = start;
+ range.m_end = end;
+ map[range] = true;
+}
+
+} // namespace JSC
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionHasExecutedCacheh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/FunctionHasExecutedCache.h (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionHasExecutedCache.h (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/FunctionHasExecutedCache.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,63 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef FunctionHasExecutedCache_h
+#define FunctionHasExecutedCache_h
+
+#include <unordered_map>
+#include <wtf/HashMethod.h>
+
+namespace JSC {
+
+class FunctionHasExecutedCache {
+public:
+ struct FunctionRange {
+ FunctionRange() {}
+ bool operator==(const FunctionRange& other) const
+ {
+ return m_start == other.m_start && m_end == other.m_end;
+ }
+ unsigned hash() const
+ {
+ return m_start * m_end;
+ }
+
+ unsigned m_start;
+ unsigned m_end;
+ };
+
+ bool hasExecutedAtOffset(intptr_t id, unsigned offset);
+ void insertUnexecutedRange(intptr_t id, unsigned start, unsigned end);
+ void removeUnexecutedRange(intptr_t id, unsigned start, unsigned end);
+
+private:
+ typedef std::unordered_map<FunctionRange, bool, HashMethod<FunctionRange>> RangeMap;
+ typedef std::unordered_map<intptr_t, RangeMap> SourceIDToRangeMap;
+ SourceIDToRangeMap m_rangeMap;
+};
+
+} // namespace JSC
+
+#endif // FunctionHasExecutedCache_h
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeHighFidelityLogcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/HighFidelityLog.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/HighFidelityLog.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/HighFidelityLog.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -53,45 +53,25 @@
</span><span class="cx"> delete[] m_nextBuffer;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void HighFidelityLog::processHighFidelityLog(bool asynchronously, String reason)
</del><ins>+void HighFidelityLog::processHighFidelityLog(String reason)
</ins><span class="cx"> {
</span><del>- // This should only be called from the main execution thread.
</del><span class="cx"> if (!m_currentOffset)
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> if (verbose)
</span><span class="cx"> dataLog("Process caller:'", reason,"'");
</span><span class="cx">
</span><del>- ByteSpinLocker* locker = new ByteSpinLocker(m_lock);
- ThreadData* data = new ThreadData;
- data->m_proccessLogToOffset = m_currentOffset;
- data->m_processLogPtr = m_logStartPtr;
- data->m_locker = locker;
-
- m_currentOffset = 0;
- std::swap(m_logStartPtr, m_nextBuffer);
-
- if (asynchronously)
- createThread(actuallyProcessLogThreadFunction, data, "ProcessHighFidelityLog");
- else
- actuallyProcessLogThreadFunction(data);
-}
-
-void HighFidelityLog::actuallyProcessLogThreadFunction(void* arg)
-{
</del><span class="cx"> double before = currentTimeMS();
</span><del>- ThreadData* data = static_cast<ThreadData*>(arg);
- LogEntry* entry = data->m_processLogPtr;
</del><ins>+ LogEntry* entry = m_logStartPtr;
</ins><span class="cx"> HashMap<StructureID, RefPtr<StructureShape>> seenShapes;
</span><del>- size_t processLogToOffset = data->m_proccessLogToOffset;
</del><span class="cx"> size_t i = 0;
</span><del>- while (i < processLogToOffset) {
</del><ins>+ while (i < m_currentOffset) {
</ins><span class="cx"> StructureID id = entry->structureID;
</span><span class="cx"> RefPtr<StructureShape> shape;
</span><span class="cx"> if (id) {
</span><span class="cx"> auto iter = seenShapes.find(id);
</span><span class="cx"> if (iter == seenShapes.end()) {
</span><del>- shape = entry->value.asCell()->structure()->toStructureShape();
</del><ins>+ shape = Heap::heap(entry->value.asCell())->structureIDTable().get(entry->structureID)->toStructureShape(entry->value);
</ins><span class="cx"> seenShapes.set(id, shape);
</span><span class="cx"> } else
</span><span class="cx"> shape = iter->value;
</span><span class="lines">@@ -105,11 +85,12 @@
</span><span class="cx"> i++;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- delete data->m_locker;
- delete data;
- double after = currentTimeMS();
- if (verbose)
</del><ins>+ m_currentOffset = 0;
+
+ if (verbose) {
+ double after = currentTimeMS();
</ins><span class="cx"> dataLogF(" Processing the log took: '%f' ms\n", after - before);
</span><ins>+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } //namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeHighFidelityLogh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/HighFidelityLog.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/HighFidelityLog.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/HighFidelityLog.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -69,14 +69,13 @@
</span><span class="cx">
</span><span class="cx"> m_currentOffset += 1;
</span><span class="cx"> if (m_currentOffset == m_highFidelityLogSize)
</span><del>- processHighFidelityLog(true, "Log Full");
</del><ins>+ processHighFidelityLog("Log Full");
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- void processHighFidelityLog(bool asynchronously = false, String = "");
</del><ins>+ void processHighFidelityLog(String);
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> void initializeHighFidelityLog();
</span><del>- static void actuallyProcessLogThreadFunction(void*);
</del><span class="cx">
</span><span class="cx"> unsigned m_highFidelityLogSize;
</span><span class="cx"> size_t m_currentOffset;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeHighFidelityTypeProfilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -26,40 +26,33 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "HighFidelityTypeProfiler.h"
</span><span class="cx">
</span><ins>+#include "InspectorJSTypeBuilders.h"
</ins><span class="cx"> #include "TypeLocation.h"
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> static const bool verbose = false;
</span><span class="cx">
</span><del>-String HighFidelityTypeProfiler::getTypesForVariableInAtOffset(unsigned divot, const String& variableName, intptr_t sourceID)
</del><ins>+void HighFidelityTypeProfiler::logTypesForTypeLocation(TypeLocation* location)
</ins><span class="cx"> {
</span><del>- String global = getGlobalTypesForVariableAtOffset(divot, variableName, sourceID);
- if (!global.isEmpty())
- return global;
-
- return getLocalTypesForVariableAtOffset(divot, variableName, sourceID);
-}
</del><ins>+ TypeProfilerSearchDescriptor descriptor = location->m_globalVariableID == HighFidelityReturnStatement ? TypeProfilerSearchDescriptorFunctionReturn
+ : location->m_globalVariableID == HighFidelityThisStatement ? TypeProfilerSearchDescriptorThisStatement
+ : TypeProfilerSearchDescriptorNormal;
</ins><span class="cx">
</span><del>-String HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset(unsigned divot, const String& , intptr_t sourceID)
-{
- TypeLocation* location = findLocation(divot, sourceID);
- if (!location)
- return "";
</del><ins>+ dataLogF("[Start, End]::[%u, %u]\n", location->m_divotStart, location->m_divotEnd);
</ins><span class="cx">
</span><del>- if (location->m_globalVariableID == HighFidelityNoGlobalIDExists)
- return "";
</del><ins>+ if (findLocation(location->m_divotStart, location->m_sourceID, descriptor))
+ dataLog("\t\t[Entry IS in System]\n");
+ else
+ dataLog("\t\t[Entry IS NOT in system]\n");
</ins><span class="cx">
</span><del>- return location->m_globalTypeSet->seenTypes();
-}
</del><ins>+ dataLog("\t\t", location->m_globalVariableID == HighFidelityReturnStatement ? "[Return Statement]"
+ : location->m_globalVariableID == HighFidelityThisStatement ? "[This Statement]"
+ : "[Normal Statement]", "\n");
</ins><span class="cx">
</span><del>-String HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset(unsigned divot, const String& , intptr_t sourceID)
-{
- TypeLocation* location = findLocation(divot, sourceID);
- if (!location)
- return "";
-
- return location->m_instructionTypeSet->seenTypes();
</del><ins>+ dataLog("\t\t#Local#\n\t\t", location->m_instructionTypeSet->seenTypes().replace("\n", "\n\t\t"), "\n");
+ if (location->m_globalTypeSet)
+ dataLog("\t\t#Global#\n\t\t", location->m_globalTypeSet->seenTypes().replace("\n", "\n\t\t"), "\n");
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void HighFidelityTypeProfiler::insertNewLocation(TypeLocation* location)
</span><span class="lines">@@ -76,22 +69,67 @@
</span><span class="cx"> bucket.append(location);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-TypeLocation* HighFidelityTypeProfiler::findLocation(unsigned divot, intptr_t sourceID)
</del><ins>+void HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector(TypeProfilerSearchDescriptor descriptor, unsigned divot, intptr_t sourceID, RefPtr<Inspector::InspectorObject>& ret)
</ins><span class="cx"> {
</span><del>- ASSERT(m_bucketMap.contains(sourceID));
</del><ins>+ TypeLocation* location = findLocation(divot, sourceID, descriptor);
+ if (!location)
+ return;
</ins><span class="cx">
</span><ins>+ if (location->m_globalTypeSet && location->m_globalVariableID != HighFidelityNoGlobalIDExists) {
+ ret->setString(ASCIILiteral("displayTypeName"), location->m_globalTypeSet->displayName());
+ ret->setArray(ASCIILiteral("globalPrimitiveTypeNames"), location->m_globalTypeSet->allPrimitiveTypeNames()->asArray());
+ ret->setArray(ASCIILiteral("globalStructures"), location->m_globalTypeSet->allStructureRepresentations()->asArray());
+ } else
+ ret->setString(ASCIILiteral("displayTypeName"), location->m_instructionTypeSet->displayName());
+
+ ret->setArray(ASCIILiteral("localPrimitiveTypeNames"), location->m_instructionTypeSet->allPrimitiveTypeNames()->asArray());
+ ret->setArray(ASCIILiteral("localStructures"), location->m_instructionTypeSet->allStructureRepresentations()->asArray());
+}
+
+static bool descriptorMatchesTypeLocation(TypeProfilerSearchDescriptor descriptor, TypeLocation* location)
+{
+ if (descriptor == TypeProfilerSearchDescriptorFunctionReturn && location->m_globalVariableID == HighFidelityReturnStatement)
+ return true;
+
+ if (descriptor == TypeProfilerSearchDescriptorThisStatement && location->m_globalVariableID == HighFidelityThisStatement)
+ return true;
+
+ if (descriptor == TypeProfilerSearchDescriptorNormal && location->m_globalVariableID != HighFidelityReturnStatement && location->m_globalVariableID != HighFidelityThisStatement)
+ return true;
+
+ return false;
+}
+
+TypeLocation* HighFidelityTypeProfiler::findLocation(unsigned divot, intptr_t sourceID, TypeProfilerSearchDescriptor descriptor)
+{
+ QueryKey queryKey(sourceID, divot);
+ auto iter = m_queryCache.find(queryKey);
+ if (iter != m_queryCache.end())
+ return iter->value;
+
+ if (!m_functionHasExecutedCache.hasExecutedAtOffset(sourceID, divot))
+ return nullptr;
+
+ ASSERT(m_bucketMap.contains(sourceID));
+
</ins><span class="cx"> Vector<TypeLocation*>& bucket = m_bucketMap.find(sourceID)->value;
</span><ins>+ TypeLocation* bestMatch = nullptr;
</ins><span class="cx"> unsigned distance = UINT_MAX; // Because assignments may be nested, make sure we find the closest enclosing assignment to this character offset.
</span><del>- TypeLocation* bestMatch = nullptr;
</del><span class="cx"> for (size_t i = 0, size = bucket.size(); i < size; i++) {
</span><span class="cx"> TypeLocation* location = bucket.at(i);
</span><del>- if (location->m_divotStart <= divot && divot <= location->m_divotEnd && location->m_divotEnd - location->m_divotStart <= distance) {
</del><ins>+ if (descriptor == TypeProfilerSearchDescriptorFunctionReturn && descriptorMatchesTypeLocation(descriptor, location) && location->m_divotForFunctionOffsetIfReturnStatement == divot)
+ return location;
+
+ if (location->m_divotStart <= divot && divot <= location->m_divotEnd && location->m_divotEnd - location->m_divotStart <= distance && descriptorMatchesTypeLocation(descriptor, location)) {
</ins><span class="cx"> distance = location->m_divotEnd - location->m_divotStart;
</span><span class="cx"> bestMatch = location;
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- // FIXME: BestMatch should never be null. This doesn't hold currently because we ignore some Eval/With/VarInjection variable assignments.
</del><ins>+ if (bestMatch)
+ m_queryCache.set(queryKey, bestMatch);
+ // FIXME: BestMatch should never be null past this point. This doesn't hold currently because we ignore var assignments when code contains eval/With (VarInjection).
+ // https://bugs.webkit.org/show_bug.cgi?id=135184
</ins><span class="cx"> return bestMatch;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeHighFidelityTypeProfilerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -27,31 +27,93 @@
</span><span class="cx"> #define HighFidelityTypeProfiler_h
</span><span class="cx">
</span><span class="cx"> #include "CodeBlock.h"
</span><del>-#include <unordered_map>
</del><ins>+#include "FunctionHasExecutedCache.h"
+#include "TypeLocationCache.h"
</ins><span class="cx"> #include <wtf/HashMap.h>
</span><del>-#include <wtf/HashMethod.h>
</del><span class="cx"> #include <wtf/text/WTFString.h>
</span><span class="cx"> #include <wtf/Vector.h>
</span><span class="cx">
</span><ins>+namespace Inspector { namespace TypeBuilder { namespace Runtime {
+class TypeDescription;
+}}}
+namespace Inspector {
+class InspectorObject;
+}
+
</ins><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> class TypeLocation;
</span><span class="cx">
</span><ins>+struct QueryKey {
+ QueryKey()
+ : m_sourceID(0)
+ , m_divot(0)
+ { }
+
+ QueryKey(intptr_t sourceID, unsigned divot)
+ : m_sourceID(sourceID)
+ , m_divot(divot)
+ { }
+
+ QueryKey(WTF::HashTableDeletedValueType)
+ : m_sourceID(INTPTR_MAX)
+ , m_divot(UINT_MAX)
+ { }
+
+ bool isHashTableDeletedValue() const { return m_sourceID == INTPTR_MAX && m_divot == UINT_MAX; }
+ bool operator==(const QueryKey& other) const { return m_sourceID == other.m_sourceID && m_divot == other.m_divot; }
+ unsigned hash() const { return m_sourceID + m_divot; }
+
+ intptr_t m_sourceID;
+ unsigned m_divot;
+};
+
+struct QueryKeyHash {
+ static unsigned hash(const QueryKey& key) { return key.hash(); }
+ static bool equal(const QueryKey& a, const QueryKey& b) { return a == b; }
+ static const bool safeToCompareToEmptyOrDeleted = true;
+};
+
+} //namespace JSC
+
+namespace WTF {
+
+template<typename T> struct DefaultHash;
+template<> struct DefaultHash<JSC::QueryKey> {
+ typedef JSC::QueryKeyHash Hash;
+};
+
+template<typename T> struct HashTraits;
+template<> struct HashTraits<JSC::QueryKey> : SimpleClassHashTraits<JSC::QueryKey> { };
+
+} // namespace WTF
+
+namespace JSC {
+
+enum TypeProfilerSearchDescriptor {
+ TypeProfilerSearchDescriptorNormal = 1,
+ TypeProfilerSearchDescriptorThisStatement = 2,
+ TypeProfilerSearchDescriptorFunctionReturn = 3
+};
+
</ins><span class="cx"> class HighFidelityTypeProfiler {
</span><del>-
</del><span class="cx"> public:
</span><del>- String getTypesForVariableInAtOffset(unsigned divot, const String& variableName, intptr_t sourceID);
- String getGlobalTypesForVariableAtOffset(unsigned divot, const String& variableName, intptr_t sourceID);
- String getLocalTypesForVariableAtOffset(unsigned divot, const String& variableName, intptr_t sourceID);
</del><ins>+ void logTypesForTypeLocation(TypeLocation*);
+ void getTypesForVariableAtOffsetForInspector(TypeProfilerSearchDescriptor descriptor, unsigned divot, intptr_t sourceID, RefPtr<Inspector::InspectorObject>&);
</ins><span class="cx"> void insertNewLocation(TypeLocation*);
</span><ins>+ FunctionHasExecutedCache* functionHasExecutedCache() { return &m_functionHasExecutedCache; }
+ TypeLocationCache* typeLocationCache() { return &m_typeLocationCache; }
</ins><span class="cx">
</span><span class="cx"> private:
</span><del>- TypeLocation* findLocation(unsigned divot, intptr_t sourceID);
-
</del><ins>+ TypeLocation* findLocation(unsigned divot, intptr_t sourceID, TypeProfilerSearchDescriptor descriptor);
</ins><span class="cx"> typedef HashMap<intptr_t, Vector<TypeLocation*>> SourceIDToLocationBucketMap;
</span><span class="cx"> SourceIDToLocationBucketMap m_bucketMap;
</span><ins>+ FunctionHasExecutedCache m_functionHasExecutedCache;
+ TypeLocationCache m_typeLocationCache;
+ typedef HashMap<QueryKey, TypeLocation*> TypeLocationQueryCache;
+ TypeLocationQueryCache m_queryCache;
</ins><span class="cx"> };
</span><span class="cx">
</span><del>-} //namespace JSC
</del><ins>+} // namespace JSC
</ins><span class="cx">
</span><span class="cx"> #endif //HighFidelityTypeProfiler_h
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSActivationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSActivation.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSActivation.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSActivation.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -115,14 +115,14 @@
</span><span class="cx"> JSActivation* thisObject = jsCast<JSActivation*>(object);
</span><span class="cx">
</span><span class="cx"> CallFrame* callFrame = CallFrame::create(reinterpret_cast<Register*>(thisObject->m_registers));
</span><del>- if (mode == IncludeDontEnumProperties && !thisObject->isTornOff() && (callFrame->codeBlock()->usesArguments() || callFrame->codeBlock()->usesEval()))
</del><ins>+ if (shouldIncludeDontEnumProperties(mode) && !thisObject->isTornOff() && (callFrame->codeBlock()->usesArguments() || callFrame->codeBlock()->usesEval()))
</ins><span class="cx"> propertyNames.add(exec->propertyNames().arguments);
</span><span class="cx">
</span><span class="cx"> {
</span><span class="cx"> ConcurrentJITLocker locker(thisObject->symbolTable()->m_lock);
</span><span class="cx"> SymbolTable::Map::iterator end = thisObject->symbolTable()->end(locker);
</span><span class="cx"> for (SymbolTable::Map::iterator it = thisObject->symbolTable()->begin(locker); it != end; ++it) {
</span><del>- if (it->value.getAttributes() & DontEnum && mode != IncludeDontEnumProperties)
</del><ins>+ if (it->value.getAttributes() & DontEnum && !shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> continue;
</span><span class="cx"> if (!thisObject->isValid(it->value))
</span><span class="cx"> continue;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArraycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArray.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArray.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSArray.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -227,7 +227,7 @@
</span><span class="cx"> {
</span><span class="cx"> JSArray* thisObject = jsCast<JSArray*>(object);
</span><span class="cx">
</span><del>- if (mode == IncludeDontEnumProperties)
</del><ins>+ if (shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> propertyNames.add(exec->propertyNames().length);
</span><span class="cx">
</span><span class="cx"> JSObject::getOwnNonIndexPropertyNames(thisObject, exec, propertyNames, mode);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBuffercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBuffer.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBuffer.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBuffer.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -119,7 +119,7 @@
</span><span class="cx"> {
</span><span class="cx"> JSArrayBuffer* thisObject = jsCast<JSArrayBuffer*>(object);
</span><span class="cx">
</span><del>- if (mode == IncludeDontEnumProperties)
</del><ins>+ if (shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> array.add(exec->propertyNames().byteLength);
</span><span class="cx">
</span><span class="cx"> Base::getOwnNonIndexPropertyNames(thisObject, exec, array, mode);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferViewcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -201,7 +201,7 @@
</span><span class="cx"> JSArrayBufferView* thisObject = jsCast<JSArrayBufferView*>(object);
</span><span class="cx">
</span><span class="cx"> // length/byteOffset/byteLength are DontEnum, at least in Firefox.
</span><del>- if (mode == IncludeDontEnumProperties) {
</del><ins>+ if (shouldIncludeDontEnumProperties(mode)) {
</ins><span class="cx"> array.add(exec->propertyNames().byteOffset);
</span><span class="cx"> array.add(exec->propertyNames().byteLength);
</span><span class="cx"> array.add(exec->propertyNames().buffer);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCell.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCell.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSCell.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -236,4 +236,19 @@
</span><span class="cx"> return 0;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+uint32_t JSCell::getEnumerableLength(ExecState*, JSObject*)
+{
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+void JSCell::getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode)
+{
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+void JSCell::getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode)
+{
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCell.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCell.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSCell.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -25,6 +25,7 @@
</span><span class="cx">
</span><span class="cx"> #include "CallData.h"
</span><span class="cx"> #include "ConstructData.h"
</span><ins>+#include "EnumerationMode.h"
</ins><span class="cx"> #include "Heap.h"
</span><span class="cx"> #include "IndexingType.h"
</span><span class="cx"> #include "JSLock.h"
</span><span class="lines">@@ -46,11 +47,6 @@
</span><span class="cx"> class PropertyNameArray;
</span><span class="cx"> class Structure;
</span><span class="cx">
</span><del>-enum EnumerationMode {
- ExcludeDontEnumProperties,
- IncludeDontEnumProperties
-};
-
</del><span class="cx"> template<typename T> void* allocateCell(Heap&);
</span><span class="cx"> template<typename T> void* allocateCell(Heap&, size_t);
</span><span class="cx">
</span><span class="lines">@@ -209,6 +205,11 @@
</span><span class="cx"> static NO_RETURN_DUE_TO_CRASH void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><span class="cx"> static NO_RETURN_DUE_TO_CRASH void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><span class="cx"> static NO_RETURN_DUE_TO_CRASH void getPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><ins>+
+ static NO_RETURN_DUE_TO_CRASH uint32_t getEnumerableLength(ExecState*, JSObject*);
+ static NO_RETURN_DUE_TO_CRASH void getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
+ static NO_RETURN_DUE_TO_CRASH void getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
+
</ins><span class="cx"> static String className(const JSObject*);
</span><span class="cx"> JS_EXPORT_PRIVATE static bool customHasInstance(JSObject*, ExecState*, JSValue);
</span><span class="cx"> static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -378,7 +378,7 @@
</span><span class="cx"> void JSFunction::getOwnNonIndexPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><span class="cx"> JSFunction* thisObject = jsCast<JSFunction*>(object);
</span><del>- if (!thisObject->isHostOrBuiltinFunction() && (mode == IncludeDontEnumProperties)) {
</del><ins>+ if (!thisObject->isHostOrBuiltinFunction() && shouldIncludeDontEnumProperties(mode)) {
</ins><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> // Make sure prototype has been reified.
</span><span class="cx"> PropertySlot slot(thisObject);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -415,7 +415,7 @@
</span><span class="cx"> {
</span><span class="cx"> JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(object);
</span><span class="cx">
</span><del>- if (mode == IncludeDontEnumProperties)
</del><ins>+ if (shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> array.add(exec->propertyNames().length);
</span><span class="cx">
</span><span class="cx"> Base::getOwnNonIndexPropertyNames(thisObject, exec, array, mode);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -76,7 +76,7 @@
</span><span class="cx"> continue;
</span><span class="cx">
</span><span class="cx"> for (auto iter = table->begin(); iter != table->end(); ++iter) {
</span><del>- if ((!(iter->attributes() & DontEnum) || (mode == IncludeDontEnumProperties)) && !((iter->attributes() & BuiltinOrFunction) && didReify))
</del><ins>+ if ((!(iter->attributes() & DontEnum) || shouldIncludeDontEnumProperties(mode)) && !((iter->attributes() & BuiltinOrFunction) && didReify))
</ins><span class="cx"> propertyNames.add(Identifier(&vm, iter.key()));
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="lines">@@ -1305,6 +1305,12 @@
</span><span class="cx"> return const_cast<JSObject*>(this)->methodTable(exec->vm())->getOwnPropertySlot(const_cast<JSObject*>(this), exec, propertyName, slot);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool JSObject::hasOwnProperty(ExecState* exec, unsigned propertyName) const
+{
+ PropertySlot slot(this);
+ return const_cast<JSObject*>(this)->methodTable(exec->vm())->getOwnPropertySlotByIndex(const_cast<JSObject*>(this), exec, propertyName, slot);
+}
+
</ins><span class="cx"> bool JSObject::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned i)
</span><span class="cx"> {
</span><span class="cx"> JSObject* thisObject = jsCast<JSObject*>(cell);
</span><span class="lines">@@ -1485,6 +1491,12 @@
</span><span class="cx">
</span><span class="cx"> void JSObject::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><ins>+ if (!shouldIncludeJSObjectPropertyNames(mode)) {
+ // We still have to get non-indexed properties from any subclasses of JSObject that have them.
+ object->methodTable(exec->vm())->getOwnNonIndexPropertyNames(object, exec, propertyNames, mode);
+ return;
+ }
+
</ins><span class="cx"> // Add numeric properties first. That appears to be the accepted convention.
</span><span class="cx"> // FIXME: Filling PropertyNameArray with an identifier for every integer
</span><span class="cx"> // is incredibly inefficient for large arrays. We need a different approach,
</span><span class="lines">@@ -1501,7 +1513,7 @@
</span><span class="cx"> for (unsigned i = 0; i < usedLength; ++i) {
</span><span class="cx"> if (!butterfly->contiguous()[i])
</span><span class="cx"> continue;
</span><del>- propertyNames.add(Identifier::from(exec, i));
</del><ins>+ propertyNames.add(i);
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -1513,7 +1525,7 @@
</span><span class="cx"> double value = butterfly->contiguousDouble()[i];
</span><span class="cx"> if (value != value)
</span><span class="cx"> continue;
</span><del>- propertyNames.add(Identifier::from(exec, i));
</del><ins>+ propertyNames.add(i);
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -1524,7 +1536,7 @@
</span><span class="cx"> unsigned usedVectorLength = std::min(storage->length(), storage->vectorLength());
</span><span class="cx"> for (unsigned i = 0; i < usedVectorLength; ++i) {
</span><span class="cx"> if (storage->m_vector[i])
</span><del>- propertyNames.add(Identifier::from(exec, i));
</del><ins>+ propertyNames.add(i);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (SparseArrayValueMap* map = storage->m_sparseMap.get()) {
</span><span class="lines">@@ -1533,13 +1545,13 @@
</span><span class="cx">
</span><span class="cx"> SparseArrayValueMap::const_iterator end = map->end();
</span><span class="cx"> for (SparseArrayValueMap::const_iterator it = map->begin(); it != end; ++it) {
</span><del>- if (mode == IncludeDontEnumProperties || !(it->value.attributes & DontEnum))
</del><ins>+ if (shouldIncludeDontEnumProperties(mode) || !(it->value.attributes & DontEnum))
</ins><span class="cx"> keys.uncheckedAppend(static_cast<unsigned>(it->key));
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> std::sort(keys.begin(), keys.end());
</span><span class="cx"> for (unsigned i = 0; i < keys.size(); ++i)
</span><del>- propertyNames.add(Identifier::from(exec, keys[i]));
</del><ins>+ propertyNames.add(keys[i]);
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -1547,7 +1559,7 @@
</span><span class="cx"> default:
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> }
</span><del>-
</del><ins>+
</ins><span class="cx"> object->methodTable(exec->vm())->getOwnNonIndexPropertyNames(object, exec, propertyNames, mode);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1555,12 +1567,11 @@
</span><span class="cx"> {
</span><span class="cx"> getClassPropertyNames(exec, object->classInfo(), propertyNames, mode, object->staticFunctionsReified());
</span><span class="cx">
</span><ins>+ if (!shouldIncludeJSObjectPropertyNames(mode))
+ return;
+
</ins><span class="cx"> VM& vm = exec->vm();
</span><del>- bool canCachePropertiesFromStructure = !propertyNames.size();
</del><span class="cx"> object->structure(vm)->getPropertyNamesFromStructure(vm, propertyNames, mode);
</span><del>-
- if (canCachePropertiesFromStructure)
- propertyNames.setNumCacheableSlotsForObject(object, propertyNames.size());
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> double JSObject::toNumber(ExecState* exec) const
</span><span class="lines">@@ -2691,4 +2702,85 @@
</span><span class="cx"> setButterflyWithoutChangingStructure(vm, Butterfly::fromBase(newBase, preCapacity, outOfLineCapacityAfter));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+uint32_t JSObject::getEnumerableLength(ExecState* exec, JSObject* object)
+{
+ VM& vm = exec->vm();
+ Structure* structure = object->structure(vm);
+ if (structure->holesMustForwardToPrototype(vm))
+ return 0;
+ switch (object->indexingType()) {
+ case ALL_BLANK_INDEXING_TYPES:
+ case ALL_UNDECIDED_INDEXING_TYPES:
+ return 0;
+
+ case ALL_INT32_INDEXING_TYPES:
+ case ALL_CONTIGUOUS_INDEXING_TYPES: {
+ Butterfly* butterfly = object->butterfly();
+ unsigned usedLength = butterfly->publicLength();
+ for (unsigned i = 0; i < usedLength; ++i) {
+ if (!butterfly->contiguous()[i])
+ return 0;
+ }
+ return usedLength;
+ }
+
+ case ALL_DOUBLE_INDEXING_TYPES: {
+ Butterfly* butterfly = object->butterfly();
+ unsigned usedLength = butterfly->publicLength();
+ for (unsigned i = 0; i < usedLength; ++i) {
+ double value = butterfly->contiguousDouble()[i];
+ if (value != value)
+ return 0;
+ }
+ return usedLength;
+ }
+
+ case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
+ ArrayStorage* storage = object->m_butterfly->arrayStorage();
+ if (storage->m_sparseMap.get())
+ return 0;
+
+ unsigned usedVectorLength = std::min(storage->length(), storage->vectorLength());
+ for (unsigned i = 0; i < usedVectorLength; ++i) {
+ if (!storage->m_vector[i])
+ return 0;
+ }
+ return usedVectorLength;
+ }
+
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ return 0;
+ }
+}
+
+void JSObject::getStructurePropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
+{
+ VM& vm = exec->vm();
+ object->structure(vm)->getPropertyNamesFromStructure(vm, propertyNames, mode);
+}
+
+void JSObject::getGenericPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
+{
+ VM& vm = exec->vm();
+ object->methodTable(vm)->getOwnPropertyNames(object, exec, propertyNames, modeThatSkipsJSObject(mode));
+
+ if (object->prototype().isNull())
+ return;
+
+ JSObject* prototype = asObject(object->prototype());
+ while (true) {
+ if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {
+ prototype->methodTable(vm)->getPropertyNames(prototype, exec, propertyNames, mode);
+ break;
+ }
+ prototype->methodTable(vm)->getOwnPropertyNames(prototype, exec, propertyNames, mode);
+ JSValue nextProto = prototype->prototype();
+ if (nextProto.isNull())
+ break;
+ prototype = asObject(nextProto);
+ }
+}
+
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -464,6 +464,7 @@
</span><span class="cx"> JS_EXPORT_PRIVATE bool hasProperty(ExecState*, PropertyName) const;
</span><span class="cx"> JS_EXPORT_PRIVATE bool hasProperty(ExecState*, unsigned propertyName) const;
</span><span class="cx"> bool hasOwnProperty(ExecState*, PropertyName) const;
</span><ins>+ bool hasOwnProperty(ExecState*, unsigned) const;
</ins><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE static bool deleteProperty(JSCell*, ExecState*, PropertyName);
</span><span class="cx"> JS_EXPORT_PRIVATE static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned propertyName);
</span><span class="lines">@@ -477,6 +478,10 @@
</span><span class="cx"> JS_EXPORT_PRIVATE static void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><span class="cx"> JS_EXPORT_PRIVATE static void getPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><span class="cx">
</span><ins>+ JS_EXPORT_PRIVATE static uint32_t getEnumerableLength(ExecState*, JSObject*);
+ JS_EXPORT_PRIVATE static void getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
+ JS_EXPORT_PRIVATE static void getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
+
</ins><span class="cx"> JSValue toPrimitive(ExecState*, PreferredPrimitiveType = NoPreference) const;
</span><span class="cx"> bool getPrimitiveNumber(ExecState*, double& number, JSValue&) const;
</span><span class="cx"> JS_EXPORT_PRIVATE double toNumber(ExecState*) const;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,90 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSPropertyNameEnumerator.h"
+
+#include "JSCInlines.h"
+#include "StrongInlines.h"
+
+namespace JSC {
+
+const ClassInfo JSPropertyNameEnumerator::s_info = { "JSPropertyNameEnumerator", 0, 0, CREATE_METHOD_TABLE(JSPropertyNameEnumerator) };
+
+JSPropertyNameEnumerator* JSPropertyNameEnumerator::create(VM& vm)
+{
+ if (!vm.emptyPropertyNameEnumerator.get()) {
+ PropertyNameArray propertyNames(&vm);
+ vm.emptyPropertyNameEnumerator = Strong<JSCell>(vm, create(vm, 0, propertyNames));
+ }
+ return jsCast<JSPropertyNameEnumerator*>(vm.emptyPropertyNameEnumerator.get());
+}
+
+JSPropertyNameEnumerator* JSPropertyNameEnumerator::create(VM& vm, Structure* structure, PropertyNameArray& propertyNames)
+{
+ StructureID structureID = structure ? structure->id() : 0;
+ uint32_t inlineCapacity = structure ? structure->inlineCapacity() : 0;
+ JSPropertyNameEnumerator* enumerator = new (NotNull,
+ allocateCell<JSPropertyNameEnumerator>(vm.heap)) JSPropertyNameEnumerator(vm, structureID, inlineCapacity, propertyNames.identifierSet());
+ enumerator->finishCreation(vm, propertyNames.data());
+ return enumerator;
+}
+
+JSPropertyNameEnumerator::JSPropertyNameEnumerator(VM& vm, StructureID structureID, uint32_t inlineCapacity, RefCountedIdentifierSet* set)
+ : JSCell(vm, vm.propertyNameEnumeratorStructure.get())
+ , m_identifierSet(set)
+ , m_cachedStructureID(structureID)
+ , m_cachedInlineCapacity(inlineCapacity)
+{
+}
+
+void JSPropertyNameEnumerator::finishCreation(VM& vm, PassRefPtr<PropertyNameArrayData> idents)
+{
+ Base::finishCreation(vm);
+
+ RefPtr<PropertyNameArrayData> identifiers = idents;
+ PropertyNameArrayData::PropertyNameVector& vector = identifiers->propertyNameVector();
+ m_propertyNames.resize(vector.size());
+ for (unsigned i = 0; i < vector.size(); ++i) {
+ const Identifier& identifier = vector[i];
+ m_propertyNames[i].set(vm, this, jsString(&vm, identifier.string()));
+ }
+}
+
+void JSPropertyNameEnumerator::destroy(JSCell* cell)
+{
+ jsCast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
+}
+
+void JSPropertyNameEnumerator::visitChildren(JSCell* cell, SlotVisitor& visitor)
+{
+ Base::visitChildren(cell, visitor);
+ JSPropertyNameEnumerator* thisObject = jsCast<JSPropertyNameEnumerator*>(cell);
+ for (unsigned i = 0; i < thisObject->m_propertyNames.size(); ++i)
+ visitor.append(&thisObject->m_propertyNames[i]);
+ visitor.append(&thisObject->m_prototypeChain);
+}
+
+} // namespace JSC
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,155 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef JSPropertyNameEnumerator_h
+#define JSPropertyNameEnumerator_h
+
+#include "JSCell.h"
+#include "Operations.h"
+#include "PropertyNameArray.h"
+#include "Structure.h"
+
+namespace JSC {
+
+class Identifier;
+
+class JSPropertyNameEnumerator : public JSCell {
+public:
+ typedef JSCell Base;
+
+ static JSPropertyNameEnumerator* create(VM&);
+ static JSPropertyNameEnumerator* create(VM&, Structure*, PropertyNameArray&);
+
+ static const bool needsDestruction = true;
+ static const bool hasImmortalStructure = true;
+ static void destroy(JSCell*);
+
+ static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+ {
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
+ }
+
+ DECLARE_EXPORT_INFO;
+
+ JSString* propertyNameAtIndex(uint32_t index) const
+ {
+ if (index >= m_propertyNames.size())
+ return nullptr;
+ return m_propertyNames[index].get();
+ }
+
+ RefCountedIdentifierSet* identifierSet() const
+ {
+ return m_identifierSet.get();
+ }
+
+ StructureChain* cachedPrototypeChain() const { return m_prototypeChain.get(); }
+ void setCachedPrototypeChain(VM& vm, StructureChain* prototypeChain) { return m_prototypeChain.set(vm, this, prototypeChain); }
+
+ Structure* cachedStructure(VM& vm) const { return vm.heap.structureIDTable().get(m_cachedStructureID); }
+ StructureID cachedStructureID() const { return m_cachedStructureID; }
+ uint32_t cachedInlineCapacity() const { return m_cachedInlineCapacity; }
+ static ptrdiff_t cachedStructureIDOffset() { return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_cachedStructureID); }
+ static ptrdiff_t cachedInlineCapacityOffset() { return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_cachedInlineCapacity); }
+ static ptrdiff_t cachedPropertyNamesLengthOffset()
+ {
+ return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_propertyNames) + Vector<WriteBarrier<JSString>>::sizeMemoryOffset();
+ }
+ static ptrdiff_t cachedPropertyNamesVectorOffset()
+ {
+ return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_propertyNames) + Vector<WriteBarrier<JSString>>::dataMemoryOffset();
+ }
+
+ static void visitChildren(JSCell*, SlotVisitor&);
+
+private:
+ static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
+
+ JSPropertyNameEnumerator(VM&, StructureID, uint32_t, RefCountedIdentifierSet*);
+ void finishCreation(VM&, PassRefPtr<PropertyNameArrayData>);
+
+ Vector<WriteBarrier<JSString>> m_propertyNames;
+ RefPtr<RefCountedIdentifierSet> m_identifierSet;
+ StructureID m_cachedStructureID;
+ WriteBarrier<StructureChain> m_prototypeChain;
+ uint32_t m_cachedInlineCapacity;
+};
+
+inline JSPropertyNameEnumerator* structurePropertyNameEnumerator(ExecState* exec, JSObject* base, uint32_t length)
+{
+ VM& vm = exec->vm();
+ Structure* structure = base->structure(vm);
+ if (JSPropertyNameEnumerator* enumerator = structure->cachedStructurePropertyNameEnumerator())
+ return enumerator;
+
+ if (!structure->canAccessPropertiesQuickly() || length != base->getArrayLength())
+ return JSPropertyNameEnumerator::create(vm);
+
+ PropertyNameArray propertyNames(exec);
+ base->methodTable(vm)->getStructurePropertyNames(base, exec, propertyNames, ExcludeDontEnumProperties);
+
+ JSPropertyNameEnumerator* enumerator = JSPropertyNameEnumerator::create(vm, structure, propertyNames);
+ if (structure->canCacheStructurePropertyNameEnumerator())
+ structure->setCachedStructurePropertyNameEnumerator(vm, enumerator);
+ return enumerator;
+}
+
+inline JSPropertyNameEnumerator* genericPropertyNameEnumerator(ExecState* exec, JSObject* base, uint32_t length, JSPropertyNameEnumerator* structureEnumerator)
+{
+ VM& vm = exec->vm();
+ Structure* structure = base->structure(vm);
+ if (JSPropertyNameEnumerator* enumerator = structure->cachedGenericPropertyNameEnumerator()) {
+ if (!length && enumerator->cachedPrototypeChain() == structure->prototypeChain(exec))
+ return enumerator;
+ }
+
+ PropertyNameArray propertyNames(exec);
+ propertyNames.setPreviouslyEnumeratedLength(length);
+ propertyNames.setPreviouslyEnumeratedProperties(structureEnumerator);
+
+ // If we still have the same Structure that we started with, our Structure allows us to access its properties
+ // quickly (i.e. the Structure property loop was able to do things), and we iterated the full length of the
+ // object (i.e. there are no more own indexed properties that need to be enumerated), then the generic property
+ // iteration can skip any properties it would get from the JSObject base class. This turns out to be important
+ // for hot loops because most of our time is then dominated by trying to add the own Structure properties to
+ // the new generic PropertyNameArray and failing because we've already visited them.
+ Structure* cachedStructure = structureEnumerator->cachedStructure(vm);
+ if (structure == cachedStructure && structure->canAccessPropertiesQuickly() && static_cast<uint32_t>(length) == base->getArrayLength())
+ base->methodTable(vm)->getGenericPropertyNames(base, exec, propertyNames, ExcludeDontEnumProperties);
+ else
+ base->methodTable(vm)->getPropertyNames(base, exec, propertyNames, ExcludeDontEnumProperties);
+
+ normalizePrototypeChain(exec, base);
+
+ JSPropertyNameEnumerator* enumerator = JSPropertyNameEnumerator::create(vm, base->structure(vm), propertyNames);
+ enumerator->setCachedPrototypeChain(vm, structure->prototypeChain(exec));
+ if (!length && structure->canCacheGenericPropertyNameEnumerator())
+ structure->setCachedGenericPropertyNameEnumerator(vm, enumerator);
+ return enumerator;
+}
+
+} // namespace JSC
+
+#endif // JSPropertyNameEnumerator_h
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPropertyNameIteratorcpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,113 +0,0 @@
</span><del>-/*
- * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of Apple Inc. ("Apple") nor the names of
- * its contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "JSPropertyNameIterator.h"
-
-#include "JSCInlines.h"
-#include "JSGlobalObject.h"
-#include <wtf/StdLibExtras.h>
-
-namespace JSC {
-
-const ClassInfo JSPropertyNameIterator::s_info = { "JSPropertyNameIterator", 0, 0, CREATE_METHOD_TABLE(JSPropertyNameIterator) };
-
-inline JSPropertyNameIterator::JSPropertyNameIterator(ExecState* exec, PropertyNameArrayData* propertyNameArrayData, size_t numCacheableSlots)
- : JSCell(exec->vm(), exec->vm().propertyNameIteratorStructure.get())
- , m_numCacheableSlots(numCacheableSlots)
- , m_jsStringsSize(propertyNameArrayData->propertyNameVector().size())
- , m_jsStrings(m_jsStringsSize ? std::make_unique<WriteBarrier<Unknown>[]>(m_jsStringsSize) : nullptr)
-{
-}
-
-JSPropertyNameIterator* JSPropertyNameIterator::create(ExecState* exec, JSObject* o)
-{
- ASSERT(!o->structure()->enumerationCache() ||
- o->structure()->enumerationCache()->cachedStructure() != o->structure() ||
- o->structure()->enumerationCache()->cachedPrototypeChain() != o->structure()->prototypeChain(exec));
-
- VM& vm = exec->vm();
-
- PropertyNameArray propertyNames(exec);
- o->methodTable()->getPropertyNames(o, exec, propertyNames, ExcludeDontEnumProperties);
- size_t numCacheableSlots = 0;
- if (!o->structure()->hasNonEnumerableProperties() && !o->structure()->hasGetterSetterProperties()
- && !o->structure()->isUncacheableDictionary() && !o->structure()->typeInfo().overridesGetPropertyNames())
- numCacheableSlots = propertyNames.numCacheableSlots();
-
- JSPropertyNameIterator* jsPropertyNameIterator = new (NotNull, allocateCell<JSPropertyNameIterator>(vm.heap)) JSPropertyNameIterator(exec, propertyNames.data(), numCacheableSlots);
- jsPropertyNameIterator->finishCreation(vm, propertyNames.data(), o);
-
- if (o->structure()->isDictionary())
- return jsPropertyNameIterator;
-
- if (o->structure()->typeInfo().overridesGetPropertyNames())
- return jsPropertyNameIterator;
-
- if (hasIndexedProperties(o->indexingType()))
- return jsPropertyNameIterator;
-
- size_t count = normalizePrototypeChain(exec, o);
- StructureChain* structureChain = o->structure()->prototypeChain(exec);
- WriteBarrier<Structure>* structure = structureChain->head();
- for (size_t i = 0; i < count; ++i) {
- if (structure[i]->typeInfo().overridesGetPropertyNames())
- return jsPropertyNameIterator;
- }
-
- jsPropertyNameIterator->setCachedPrototypeChain(vm, structureChain);
- jsPropertyNameIterator->setCachedStructure(vm, o->structure());
- o->structure()->setEnumerationCache(vm, jsPropertyNameIterator);
- return jsPropertyNameIterator;
-}
-
-void JSPropertyNameIterator::destroy(JSCell* cell)
-{
- static_cast<JSPropertyNameIterator*>(cell)->JSPropertyNameIterator::~JSPropertyNameIterator();
-}
-
-JSValue JSPropertyNameIterator::get(ExecState* exec, JSObject* base, size_t i)
-{
- JSValue identifier = m_jsStrings[i].get();
- if (m_cachedStructure.get() == base->structure() && m_cachedPrototypeChain.get() == base->structure()->prototypeChain(exec))
- return identifier;
-
- if (!base->hasProperty(exec, Identifier(exec, asString(identifier)->value(exec))))
- return JSValue();
- return identifier;
-}
-
-void JSPropertyNameIterator::visitChildren(JSCell* cell, SlotVisitor& visitor)
-{
- JSPropertyNameIterator* thisObject = jsCast<JSPropertyNameIterator*>(cell);
- ASSERT_GC_OBJECT_INHERITS(thisObject, info());
- visitor.appendValues(thisObject->m_jsStrings.get(), thisObject->m_jsStringsSize);
- visitor.append(&thisObject->m_cachedPrototypeChain);
-}
-
-} // namespace JSC
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPropertyNameIteratorh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,120 +0,0 @@
</span><del>-/*
- * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of Apple Inc. ("Apple") nor the names of
- * its contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef JSPropertyNameIterator_h
-#define JSPropertyNameIterator_h
-
-#include "JSObject.h"
-#include "JSString.h"
-#include "PropertyNameArray.h"
-#include <memory>
-
-namespace JSC {
-
- class Identifier;
- class JSObject;
- class LLIntOffsetsExtractor;
-
- class JSPropertyNameIterator : public JSCell {
- friend class JIT;
-
- public:
- typedef JSCell Base;
-
- static JSPropertyNameIterator* create(ExecState*, JSObject*);
-
- static const bool needsDestruction = true;
- static const bool hasImmortalStructure = true;
- static void destroy(JSCell*);
-
- static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
- {
- return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
- }
-
- static void visitChildren(JSCell*, SlotVisitor&);
-
- JSValue get(ExecState*, JSObject*, size_t i);
- size_t size() { return m_jsStringsSize; }
-
- void setCachedStructure(VM& vm, Structure* structure)
- {
- ASSERT(!m_cachedStructure);
- ASSERT(structure);
- m_cachedStructure.set(vm, this, structure);
- }
- Structure* cachedStructure() { return m_cachedStructure.get(); }
-
- void setCachedPrototypeChain(VM& vm, StructureChain* cachedPrototypeChain) { m_cachedPrototypeChain.set(vm, this, cachedPrototypeChain); }
- StructureChain* cachedPrototypeChain() { return m_cachedPrototypeChain.get(); }
-
- DECLARE_EXPORT_INFO;
-
- protected:
- static const unsigned StructureFlags = StructureIsImmortal;
-
- void finishCreation(VM& vm, PropertyNameArrayData* propertyNameArrayData, JSObject* object)
- {
- Base::finishCreation(vm);
- PropertyNameArrayData::PropertyNameVector& propertyNameVector = propertyNameArrayData->propertyNameVector();
- for (size_t i = 0; i < m_jsStringsSize; ++i)
- m_jsStrings[i].set(vm, this, jsOwnedString(&vm, propertyNameVector[i].string()));
- m_cachedStructureInlineCapacity = object->structure()->inlineCapacity();
- }
-
- private:
- friend class LLIntOffsetsExtractor;
-
- JSPropertyNameIterator(ExecState*, PropertyNameArrayData* propertyNameArrayData, size_t numCacheableSlot);
-
- WriteBarrier<Structure> m_cachedStructure;
- WriteBarrier<StructureChain> m_cachedPrototypeChain;
- uint32_t m_numCacheableSlots;
- uint32_t m_jsStringsSize;
- unsigned m_cachedStructureInlineCapacity;
- std::unique_ptr<WriteBarrier<Unknown>[]> m_jsStrings;
- };
-
- ALWAYS_INLINE JSPropertyNameIterator* Register::propertyNameIterator() const
- {
- return jsCast<JSPropertyNameIterator*>(jsValue().asCell());
- }
-
- inline JSPropertyNameIterator* StructureRareData::enumerationCache()
- {
- return m_enumerationCache.get();
- }
-
- inline void StructureRareData::setEnumerationCache(VM& vm, JSPropertyNameIterator* value)
- {
- m_enumerationCache.set(vm, this, value);
- }
-
-} // namespace JSC
-
-#endif // JSPropertyNameIterator_h
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSProxycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSProxy.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSProxy.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSProxy.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -114,6 +114,24 @@
</span><span class="cx"> thisObject->target()->methodTable(exec->vm())->getPropertyNames(thisObject->target(), exec, propertyNames, mode);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+uint32_t JSProxy::getEnumerableLength(ExecState* exec, JSObject* object)
+{
+ JSProxy* thisObject = jsCast<JSProxy*>(object);
+ return thisObject->target()->methodTable(exec->vm())->getEnumerableLength(exec, thisObject->target());
+}
+
+void JSProxy::getStructurePropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
+{
+ JSProxy* thisObject = jsCast<JSProxy*>(object);
+ thisObject->target()->methodTable(exec->vm())->getStructurePropertyNames(thisObject->target(), exec, propertyNames, mode);
+}
+
+void JSProxy::getGenericPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
+{
+ JSProxy* thisObject = jsCast<JSProxy*>(object);
+ thisObject->target()->methodTable(exec->vm())->getGenericPropertyNames(thisObject->target(), exec, propertyNames, mode);
+}
+
</ins><span class="cx"> void JSProxy::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><span class="cx"> JSProxy* thisObject = jsCast<JSProxy*>(object);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSProxyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSProxy.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSProxy.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSProxy.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -83,6 +83,9 @@
</span><span class="cx"> JS_EXPORT_PRIVATE static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned);
</span><span class="cx"> JS_EXPORT_PRIVATE static void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><span class="cx"> JS_EXPORT_PRIVATE static void getPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><ins>+ JS_EXPORT_PRIVATE static uint32_t getEnumerableLength(ExecState*, JSObject*);
+ JS_EXPORT_PRIVATE static void getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
+ JS_EXPORT_PRIVATE static void getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</ins><span class="cx"> JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
</span><span class="cx">
</span><span class="cx"> private:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSymbolTableObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -63,7 +63,7 @@
</span><span class="cx"> for (SymbolTable::Map::iterator it = thisObject->symbolTable()->begin(locker); it != end; ++it) {
</span><span class="cx"> if (it->key->isEmptyUnique())
</span><span class="cx"> continue;
</span><del>- if (!(it->value.getAttributes() & DontEnum) || (mode == IncludeDontEnumProperties))
</del><ins>+ if (!(it->value.getAttributes() & DontEnum) || shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> propertyNames.add(Identifier(exec, it->key.get()));
</span><span class="cx"> }
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimePropertyNameArraycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/PropertyNameArray.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/PropertyNameArray.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/PropertyNameArray.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -23,33 +23,32 @@
</span><span class="cx">
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "JSObject.h"
</span><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "Structure.h"
</span><span class="cx"> #include "StructureChain.h"
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><del>-static const size_t setThreshold = 20;
-
</del><span class="cx"> void PropertyNameArray::add(StringImpl* identifier)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!identifier || identifier == StringImpl::empty() || identifier->isAtomic());
</span><del>-
- size_t size = m_data->propertyNameVector().size();
- if (size < setThreshold) {
- for (size_t i = 0; i < size; ++i) {
- if (identifier == m_data->propertyNameVector()[i].impl())
- return;
- }
- } else {
- if (m_set.isEmpty()) {
- for (size_t i = 0; i < size; ++i)
- m_set.add(m_data->propertyNameVector()[i].impl());
- }
- if (!m_set.add(identifier).isNewEntry)
- return;
</del><ins>+ if (!ASSERT_DISABLED) {
+ uint32_t index = PropertyName(Identifier(m_vm, identifier)).asIndex();
+ ASSERT_UNUSED(index, index == PropertyName::NotAnIndex || index >= m_previouslyEnumeratedLength);
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+ if (m_alternateSet && m_alternateSet->contains(identifier))
+ return;
+
+ if (!m_set->add(identifier).isNewEntry)
+ return;
+
</ins><span class="cx"> addKnownUnique(identifier);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void PropertyNameArray::setPreviouslyEnumeratedProperties(const JSPropertyNameEnumerator* enumerator)
+{
+ m_alternateSet = enumerator->identifierSet();
+}
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimePropertyNameArrayh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/PropertyNameArray.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/PropertyNameArray.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/PropertyNameArray.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -27,89 +27,123 @@
</span><span class="cx"> #include <wtf/Vector.h>
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><del>-
- class Structure;
- class StructureChain;
</del><span class="cx">
</span><del>- // FIXME: Rename to PropertyNameArray.
- class PropertyNameArrayData : public RefCounted<PropertyNameArrayData> {
- public:
- typedef Vector<Identifier, 20> PropertyNameVector;
</del><ins>+class JSPropertyNameEnumerator;
+class Structure;
+class StructureChain;
</ins><span class="cx">
</span><del>- static PassRefPtr<PropertyNameArrayData> create() { return adoptRef(new PropertyNameArrayData); }
</del><ins>+class RefCountedIdentifierSet : public RefCounted<RefCountedIdentifierSet> {
+public:
+ typedef HashSet<StringImpl*, PtrHash<StringImpl*>> Set;
</ins><span class="cx">
</span><del>- PropertyNameVector& propertyNameVector() { return m_propertyNameVector; }
</del><ins>+ bool contains(StringImpl* impl) const { return m_set.contains(impl); }
+ size_t size() const { return m_set.size(); }
+ Set::AddResult add(StringImpl* impl) { return m_set.add(impl); }
</ins><span class="cx">
</span><del>- private:
- PropertyNameArrayData()
- {
- }
</del><ins>+private:
+ Set m_set;
+};
</ins><span class="cx">
</span><del>- PropertyNameVector m_propertyNameVector;
- };
</del><ins>+// FIXME: Rename to PropertyNameArray.
+class PropertyNameArrayData : public RefCounted<PropertyNameArrayData> {
+public:
+ typedef Vector<Identifier, 20> PropertyNameVector;
</ins><span class="cx">
</span><del>- // FIXME: Rename to PropertyNameArrayBuilder.
- class PropertyNameArray {
- public:
- PropertyNameArray(VM* vm)
- : m_data(PropertyNameArrayData::create())
- , m_vm(vm)
- , m_numCacheableSlots(0)
- , m_baseObject(0)
- {
- }
</del><ins>+ static PassRefPtr<PropertyNameArrayData> create() { return adoptRef(new PropertyNameArrayData); }
</ins><span class="cx">
</span><del>- PropertyNameArray(ExecState* exec)
- : m_data(PropertyNameArrayData::create())
- , m_vm(&exec->vm())
- , m_numCacheableSlots(0)
- , m_baseObject(0)
- {
- }
</del><ins>+ PropertyNameVector& propertyNameVector() { return m_propertyNameVector; }
</ins><span class="cx">
</span><del>- VM* vm() { return m_vm; }
</del><ins>+private:
+ PropertyNameArrayData()
+ {
+ }
</ins><span class="cx">
</span><del>- void add(const Identifier& identifier) { add(identifier.impl()); }
- JS_EXPORT_PRIVATE void add(StringImpl*);
- void addKnownUnique(StringImpl* identifier) { m_data->propertyNameVector().append(Identifier(m_vm, identifier)); }
</del><ins>+ PropertyNameVector m_propertyNameVector;
+};
</ins><span class="cx">
</span><del>- Identifier& operator[](unsigned i) { return m_data->propertyNameVector()[i]; }
- const Identifier& operator[](unsigned i) const { return m_data->propertyNameVector()[i]; }
</del><ins>+// FIXME: Rename to PropertyNameArrayBuilder.
+class PropertyNameArray {
+public:
+ PropertyNameArray(VM* vm)
+ : m_data(PropertyNameArrayData::create())
+ , m_set(adoptRef(new RefCountedIdentifierSet))
+ , m_vm(vm)
+ , m_numCacheableSlots(0)
+ , m_baseObject(0)
+ , m_previouslyEnumeratedLength(0)
+ {
+ }
</ins><span class="cx">
</span><del>- void setData(PassRefPtr<PropertyNameArrayData> data) { m_data = data; }
- PropertyNameArrayData* data() { return m_data.get(); }
- PassRefPtr<PropertyNameArrayData> releaseData() { return m_data.release(); }
</del><ins>+ PropertyNameArray(ExecState* exec)
+ : m_data(PropertyNameArrayData::create())
+ , m_set(adoptRef(new RefCountedIdentifierSet))
+ , m_vm(&exec->vm())
+ , m_numCacheableSlots(0)
+ , m_baseObject(0)
+ , m_previouslyEnumeratedLength(0)
+ {
+ }
</ins><span class="cx">
</span><del>- // FIXME: Remove these functions.
- typedef PropertyNameArrayData::PropertyNameVector::const_iterator const_iterator;
- size_t size() const { return m_data->propertyNameVector().size(); }
- const_iterator begin() const { return m_data->propertyNameVector().begin(); }
- const_iterator end() const { return m_data->propertyNameVector().end(); }
</del><ins>+ VM* vm() { return m_vm; }
</ins><span class="cx">
</span><del>- size_t numCacheableSlots() const { return m_numCacheableSlots; }
- void setNumCacheableSlotsForObject(JSObject* object, size_t numCacheableSlots)
- {
- if (object != m_baseObject)
- return;
- m_numCacheableSlots = numCacheableSlots;
- }
- void setBaseObject(JSObject* object)
- {
- if (m_baseObject)
- return;
- m_baseObject = object;
- }
</del><ins>+ void add(uint32_t index)
+ {
+ if (index < m_previouslyEnumeratedLength)
+ return;
+ add(Identifier::from(m_vm, index));
+ }
</ins><span class="cx">
</span><del>- private:
- typedef HashSet<StringImpl*, PtrHash<StringImpl*>> IdentifierSet;
</del><ins>+ void add(const Identifier& identifier) { add(identifier.impl()); }
+ JS_EXPORT_PRIVATE void add(StringImpl*);
+ void addKnownUnique(StringImpl* identifier)
+ {
+ m_set->add(identifier);
+ m_data->propertyNameVector().append(Identifier(m_vm, identifier));
+ }
</ins><span class="cx">
</span><del>- RefPtr<PropertyNameArrayData> m_data;
- IdentifierSet m_set;
- VM* m_vm;
- size_t m_numCacheableSlots;
- JSObject* m_baseObject;
- };
</del><ins>+ Identifier& operator[](unsigned i) { return m_data->propertyNameVector()[i]; }
+ const Identifier& operator[](unsigned i) const { return m_data->propertyNameVector()[i]; }
</ins><span class="cx">
</span><ins>+ void setData(PassRefPtr<PropertyNameArrayData> data) { m_data = data; }
+ PropertyNameArrayData* data() { return m_data.get(); }
+ PassRefPtr<PropertyNameArrayData> releaseData() { return m_data.release(); }
+
+ RefCountedIdentifierSet* identifierSet() const { return m_set.get(); }
+
+ // FIXME: Remove these functions.
+ bool canAddKnownUniqueForStructure() const { return !m_set->size() && (!m_alternateSet || !m_alternateSet->size()); }
+ typedef PropertyNameArrayData::PropertyNameVector::const_iterator const_iterator;
+ size_t size() const { return m_data->propertyNameVector().size(); }
+ const_iterator begin() const { return m_data->propertyNameVector().begin(); }
+ const_iterator end() const { return m_data->propertyNameVector().end(); }
+
+ size_t numCacheableSlots() const { return m_numCacheableSlots; }
+ void setNumCacheableSlotsForObject(JSObject* object, size_t numCacheableSlots)
+ {
+ if (object != m_baseObject)
+ return;
+ m_numCacheableSlots = numCacheableSlots;
+ }
+ void setBaseObject(JSObject* object)
+ {
+ if (m_baseObject)
+ return;
+ m_baseObject = object;
+ }
+
+ void setPreviouslyEnumeratedLength(uint32_t length) { m_previouslyEnumeratedLength = length; }
+ void setPreviouslyEnumeratedProperties(const JSPropertyNameEnumerator*);
+
+private:
+ RefPtr<PropertyNameArrayData> m_data;
+ RefPtr<RefCountedIdentifierSet> m_set;
+ RefPtr<RefCountedIdentifierSet> m_alternateSet;
+ VM* m_vm;
+ size_t m_numCacheableSlots;
+ JSObject* m_baseObject;
+ uint32_t m_previouslyEnumeratedLength;
+};
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx">
</span><span class="cx"> #endif // PropertyNameArray_h
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -106,18 +106,25 @@
</span><span class="cx">
</span><span class="cx"> void RegExpObject::getOwnNonIndexPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><del>- if (mode == IncludeDontEnumProperties)
</del><ins>+ if (shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> propertyNames.add(exec->propertyNames().lastIndex);
</span><span class="cx"> Base::getOwnNonIndexPropertyNames(object, exec, propertyNames, mode);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void RegExpObject::getPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><del>- if (mode == IncludeDontEnumProperties)
</del><ins>+ if (shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> propertyNames.add(exec->propertyNames().lastIndex);
</span><span class="cx"> Base::getPropertyNames(object, exec, propertyNames, mode);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void RegExpObject::getGenericPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
+{
+ if (shouldIncludeDontEnumProperties(mode))
+ propertyNames.add(exec->propertyNames().lastIndex);
+ Base::getGenericPropertyNames(object, exec, propertyNames, mode);
+}
+
</ins><span class="cx"> static bool reject(ExecState* exec, bool throwException, const char* message)
</span><span class="cx"> {
</span><span class="cx"> if (throwException)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpObject.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpObject.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/RegExpObject.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -77,13 +77,14 @@
</span><span class="cx"> JS_EXPORT_PRIVATE RegExpObject(VM&, Structure*, RegExp*);
</span><span class="cx"> JS_EXPORT_PRIVATE void finishCreation(VM&);
</span><span class="cx">
</span><del>- static const unsigned StructureFlags = OverridesGetOwnPropertySlot | Base::StructureFlags;
</del><ins>+ static const unsigned StructureFlags = OverridesGetOwnPropertySlot | OverridesGetPropertyNames | Base::StructureFlags;
</ins><span class="cx">
</span><span class="cx"> static void visitChildren(JSCell*, SlotVisitor&);
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE static bool deleteProperty(JSCell*, ExecState*, PropertyName);
</span><span class="cx"> JS_EXPORT_PRIVATE static void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><span class="cx"> JS_EXPORT_PRIVATE static void getPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</span><ins>+ JS_EXPORT_PRIVATE static void getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
</ins><span class="cx"> JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
</span><span class="cx">
</span><span class="cx"> private:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStringObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StringObject.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StringObject.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/StringObject.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -150,7 +150,7 @@
</span><span class="cx"> int size = thisObject->internalValue()->length();
</span><span class="cx"> for (int i = 0; i < size; ++i)
</span><span class="cx"> propertyNames.add(Identifier::from(exec, i));
</span><del>- if (mode == IncludeDontEnumProperties)
</del><ins>+ if (shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> propertyNames.add(exec->propertyNames().length);
</span><span class="cx"> return JSObject::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructurecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Structure.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Structure.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/Structure.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -30,7 +30,7 @@
</span><span class="cx"> #include "DumpContext.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "JSObject.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "Lookup.h"
</span><span class="cx"> #include "PropertyMapHashTable.h"
</span><span class="cx"> #include "PropertyNameArray.h"
</span><span class="lines">@@ -712,8 +712,6 @@
</span><span class="cx">
</span><span class="cx"> PropertyOffset Structure::addPropertyWithoutTransition(VM& vm, PropertyName propertyName, unsigned attributes)
</span><span class="cx"> {
</span><del>- ASSERT(!enumerationCache());
-
</del><span class="cx"> DeferGC deferGC(vm.heap);
</span><span class="cx"> materializePropertyMapIfNecessaryForPinning(vm, deferGC);
</span><span class="cx">
</span><span class="lines">@@ -725,7 +723,6 @@
</span><span class="cx"> PropertyOffset Structure::removePropertyWithoutTransition(VM& vm, PropertyName propertyName)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(isUncacheableDictionary());
</span><del>- ASSERT(!enumerationCache());
</del><span class="cx">
</span><span class="cx"> DeferGC deferGC(vm.heap);
</span><span class="cx"> materializePropertyMapIfNecessaryForPinning(vm, deferGC);
</span><span class="lines">@@ -946,12 +943,12 @@
</span><span class="cx"> if (!propertyTable())
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- bool knownUnique = !propertyNames.size();
</del><ins>+ bool knownUnique = propertyNames.canAddKnownUniqueForStructure();
</ins><span class="cx">
</span><span class="cx"> PropertyTable::iterator end = propertyTable()->end();
</span><span class="cx"> for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
</span><span class="cx"> ASSERT(hasNonEnumerableProperties() || !(iter->attributes & DontEnum));
</span><del>- if (!iter->key->isEmptyUnique() && (!(iter->attributes & DontEnum) || mode == IncludeDontEnumProperties)) {
</del><ins>+ if (!iter->key->isEmptyUnique() && (!(iter->attributes & DontEnum) || shouldIncludeDontEnumProperties(mode))) {
</ins><span class="cx"> if (knownUnique)
</span><span class="cx"> propertyNames.addKnownUnique(iter->key);
</span><span class="cx"> else
</span><span class="lines">@@ -1037,36 +1034,73 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-
-PassRefPtr<StructureShape> Structure::toStructureShape()
</del><ins>+PassRefPtr<StructureShape> Structure::toStructureShape(JSValue value)
</ins><span class="cx"> {
</span><del>- Vector<Structure*, 8> structures;
- Structure* structure;
- PropertyTable* table;
- RefPtr<StructureShape> shape = StructureShape::create();
</del><ins>+ RefPtr<StructureShape> baseShape = StructureShape::create();
+ RefPtr<StructureShape> curShape = baseShape;
+ Structure* curStructure = this;
+ JSValue curValue = value;
+ while (curStructure) {
+ Vector<Structure*, 8> structures;
+ Structure* structure;
+ PropertyTable* table;
</ins><span class="cx">
</span><del>- findStructuresAndMapForMaterialization(structures, structure, table);
-
- if (table) {
- PropertyTable::iterator iter = table->begin();
- PropertyTable::iterator end = table->end();
</del><ins>+ curStructure->findStructuresAndMapForMaterialization(structures, structure, table);
+ if (table) {
+ PropertyTable::iterator iter = table->begin();
+ PropertyTable::iterator end = table->end();
+ for (; iter != end; ++iter)
+ curShape->addProperty(iter->key);
+
+ structure->m_lock.unlock();
+ }
+ for (unsigned i = structures.size(); i--;) {
+ Structure* structure = structures[i];
+ if (structure->m_nameInPrevious)
+ curShape->addProperty(structure->m_nameInPrevious.get());
+ }
</ins><span class="cx">
</span><del>- for (; iter != end; ++iter)
- shape->addProperty(iter->key);
-
- structure->m_lock.unlock();
</del><ins>+ bool foundCtorName = false;
+ if (JSObject* profilingVal = curValue.getObject()) {
+ ExecState* exec = profilingVal->globalObject()->globalExec();
+ PropertySlot slot(storedPrototype());
+ PropertyName constructor(exec->propertyNames().constructor);
+ if (profilingVal->getPropertySlot(exec, constructor, slot)) {
+ if (slot.isValue()) {
+ JSValue constructorValue = slot.getValue(exec, constructor);
+ if (constructorValue.isCell()) {
+ if (JSCell* constructorCell = constructorValue.asCell()) {
+ if (JSObject* ctorObject = constructorCell->getObject()) {
+ if (JSFunction* constructorFunction = jsDynamicCast<JSFunction*>(ctorObject)) {
+ curShape->setConstructorName(constructorFunction->calculatedDisplayName(exec));
+ foundCtorName = true;
+ } else if (InternalFunction* constructorFunction = jsDynamicCast<InternalFunction*>(ctorObject)) {
+ curShape->setConstructorName(constructorFunction->calculatedDisplayName(exec));
+ foundCtorName = true;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ if (!foundCtorName)
+ curShape->setConstructorName(curStructure->classInfo()->className);
+
+ curShape->markAsFinal();
+
+ if (curStructure->storedPrototypeStructure()) {
+ RefPtr<StructureShape> newShape = StructureShape::create();
+ curShape->setProto(newShape);
+ curShape = newShape;
+ curValue = curStructure->storedPrototype();
+ }
+
+ curStructure = curStructure->storedPrototypeStructure();
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- for (unsigned i = structures.size(); i--;) {
- Structure* structure = structures[i];
- if (!structure->m_nameInPrevious)
- continue;
-
- shape->addProperty(structure->m_nameInPrevious.get());
- }
-
- shape->markAsFinal();
- return shape.release();
</del><ins>+ return baseShape.release();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void Structure::dump(PrintStream& out) const
</span><span class="lines">@@ -1212,4 +1246,74 @@
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void Structure::setCachedStructurePropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator)
+{
+ ASSERT(!isDictionary());
+ if (!hasRareData())
+ allocateRareData(vm);
+ rareData()->setCachedStructurePropertyNameEnumerator(vm, enumerator);
+}
+
+JSPropertyNameEnumerator* Structure::cachedStructurePropertyNameEnumerator() const
+{
+ if (!hasRareData())
+ return nullptr;
+ return rareData()->cachedStructurePropertyNameEnumerator();
+}
+
+void Structure::setCachedGenericPropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator)
+{
+ ASSERT(!isDictionary());
+ if (!hasRareData())
+ allocateRareData(vm);
+ rareData()->setCachedGenericPropertyNameEnumerator(vm, enumerator);
+}
+
+JSPropertyNameEnumerator* Structure::cachedGenericPropertyNameEnumerator() const
+{
+ if (!hasRareData())
+ return nullptr;
+ return rareData()->cachedGenericPropertyNameEnumerator();
+}
+
+bool Structure::canCacheStructurePropertyNameEnumerator() const
+{
+ if (isDictionary())
+ return false;
+ return true;
+}
+
+bool Structure::canCacheGenericPropertyNameEnumerator() const
+{
+ if (!canCacheStructurePropertyNameEnumerator())
+ return false;
+
+ if (hasIndexedProperties(indexingType()))
+ return false;
+
+ StructureChain* structureChain = m_cachedPrototypeChain.get();
+ ASSERT(structureChain);
+ WriteBarrier<Structure>* structure = structureChain->head();
+ while (true) {
+ if (!structure->get())
+ break;
+ if (structure->get()->typeInfo().overridesGetPropertyNames())
+ return false;
+ structure++;
+ }
+
+ return true;
+}
+
+bool Structure::canAccessPropertiesQuickly() const
+{
+ if (hasNonEnumerableProperties())
+ return false;
+ if (hasGetterSetterProperties())
+ return false;
+ if (isUncacheableDictionary())
+ return false;
+ return true;
+}
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructureh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Structure.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Structure.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/Structure.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -288,8 +288,14 @@
</span><span class="cx"> return !JSC::isValidOffset(m_offset);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void setEnumerationCache(VM&, JSPropertyNameIterator* enumerationCache); // Defined in JSPropertyNameIterator.h.
- JSPropertyNameIterator* enumerationCache(); // Defined in JSPropertyNameIterator.h.
</del><ins>+ void setCachedStructurePropertyNameEnumerator(VM&, JSPropertyNameEnumerator*);
+ void setCachedGenericPropertyNameEnumerator(VM&, JSPropertyNameEnumerator*);
+ JSPropertyNameEnumerator* cachedStructurePropertyNameEnumerator() const;
+ JSPropertyNameEnumerator* cachedGenericPropertyNameEnumerator() const;
+ bool canCacheStructurePropertyNameEnumerator() const;
+ bool canCacheGenericPropertyNameEnumerator() const;
+ bool canAccessPropertiesQuickly() const;
+
</ins><span class="cx"> void getPropertyNamesFromStructure(VM&, PropertyNameArray&, EnumerationMode);
</span><span class="cx">
</span><span class="cx"> JSString* objectToStringValue()
</span><span class="lines">@@ -397,7 +403,7 @@
</span><span class="cx"> structure->startWatchingInternalPropertiesIfNecessary(vm);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- PassRefPtr<StructureShape> toStructureShape();
</del><ins>+ PassRefPtr<StructureShape> toStructureShape(JSValue);
</ins><span class="cx">
</span><span class="cx"> void dump(PrintStream&) const;
</span><span class="cx"> void dumpInContext(PrintStream&, DumpContext*) const;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructureInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StructureInlines.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureInlines.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/StructureInlines.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -148,21 +148,6 @@
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-inline void Structure::setEnumerationCache(VM& vm, JSPropertyNameIterator* enumerationCache)
-{
- ASSERT(!isDictionary());
- if (!hasRareData())
- allocateRareData(vm);
- rareData()->setEnumerationCache(vm, enumerationCache);
-}
-
-inline JSPropertyNameIterator* Structure::enumerationCache()
-{
- if (!hasRareData())
- return 0;
- return rareData()->enumerationCache();
-}
-
</del><span class="cx"> inline JSValue Structure::prototypeForLookup(JSGlobalObject* globalObject) const
</span><span class="cx"> {
</span><span class="cx"> if (isObject())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructureRareDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -26,7 +26,7 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "StructureRareData.h"
</span><span class="cx">
</span><del>-#include "JSPropertyNameIterator.h"
</del><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "JSString.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx">
</span><span class="lines">@@ -66,7 +66,28 @@
</span><span class="cx"> JSCell::visitChildren(thisObject, visitor);
</span><span class="cx"> visitor.append(&thisObject->m_previous);
</span><span class="cx"> visitor.append(&thisObject->m_objectToStringValue);
</span><del>- visitor.append(&thisObject->m_enumerationCache);
</del><ins>+ visitor.append(&thisObject->m_cachedStructurePropertyNameEnumerator);
+ visitor.append(&thisObject->m_cachedGenericPropertyNameEnumerator);
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+JSPropertyNameEnumerator* StructureRareData::cachedStructurePropertyNameEnumerator() const
+{
+ return m_cachedStructurePropertyNameEnumerator.get();
+}
+
+void StructureRareData::setCachedStructurePropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator)
+{
+ m_cachedStructurePropertyNameEnumerator.set(vm, this, enumerator);
+}
+
+JSPropertyNameEnumerator* StructureRareData::cachedGenericPropertyNameEnumerator() const
+{
+ return m_cachedGenericPropertyNameEnumerator.get();
+}
+
+void StructureRareData::setCachedGenericPropertyNameEnumerator(VM& vm, JSPropertyNameEnumerator* enumerator)
+{
+ m_cachedGenericPropertyNameEnumerator.set(vm, this, enumerator);
+}
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructureRareDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StructureRareData.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureRareData.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/StructureRareData.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -33,7 +33,7 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><del>-class JSPropertyNameIterator;
</del><ins>+class JSPropertyNameEnumerator;
</ins><span class="cx"> class Structure;
</span><span class="cx">
</span><span class="cx"> class StructureRareData : public JSCell {
</span><span class="lines">@@ -55,8 +55,10 @@
</span><span class="cx"> JSString* objectToStringValue() const;
</span><span class="cx"> void setObjectToStringValue(VM&, JSString* value);
</span><span class="cx">
</span><del>- JSPropertyNameIterator* enumerationCache();
- void setEnumerationCache(VM&, JSPropertyNameIterator* value);
</del><ins>+ JSPropertyNameEnumerator* cachedStructurePropertyNameEnumerator() const;
+ JSPropertyNameEnumerator* cachedGenericPropertyNameEnumerator() const;
+ void setCachedStructurePropertyNameEnumerator(VM&, JSPropertyNameEnumerator*);
+ void setCachedGenericPropertyNameEnumerator(VM&, JSPropertyNameEnumerator*);
</ins><span class="cx">
</span><span class="cx"> DECLARE_EXPORT_INFO;
</span><span class="cx">
</span><span class="lines">@@ -69,7 +71,8 @@
</span><span class="cx">
</span><span class="cx"> WriteBarrier<Structure> m_previous;
</span><span class="cx"> WriteBarrier<JSString> m_objectToStringValue;
</span><del>- WriteBarrier<JSPropertyNameIterator> m_enumerationCache;
</del><ins>+ WriteBarrier<JSPropertyNameEnumerator> m_cachedStructurePropertyNameEnumerator;
+ WriteBarrier<JSPropertyNameEnumerator> m_cachedGenericPropertyNameEnumerator;
</ins><span class="cx">
</span><span class="cx"> typedef HashMap<PropertyOffset, RefPtr<WatchpointSet>, WTF::IntHash<PropertyOffset>, WTF::UnsignedWithZeroKeyHashTraits<PropertyOffset>> PropertyWatchpointMap;
</span><span class="cx"> std::unique_ptr<PropertyWatchpointMap> m_replacementWatchpointSets;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSymbolTablecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -192,13 +192,13 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-int64_t SymbolTable::uniqueIDForVariable(const ConcurrentJITLocker&, StringImpl* key, VM& vm)
</del><ins>+GlobalVariableID SymbolTable::uniqueIDForVariable(const ConcurrentJITLocker&, StringImpl* key, VM& vm)
</ins><span class="cx"> {
</span><span class="cx"> auto iter = m_uniqueIDMap->find(key);
</span><span class="cx"> auto end = m_uniqueIDMap->end();
</span><span class="cx"> ASSERT_UNUSED(end, iter != end);
</span><span class="cx">
</span><del>- int64_t& id = iter->value;
</del><ins>+ GlobalVariableID& id = iter->value;
</ins><span class="cx"> if (id == HighFidelityNeedsUniqueIDGeneration) {
</span><span class="cx"> id = vm.getNextUniqueVariableID();
</span><span class="cx"> m_uniqueTypeSetMap->set(key, TypeSet::create()); //make a new global typeset for the ID
</span><span class="lines">@@ -207,7 +207,7 @@
</span><span class="cx"> return id;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-int64_t SymbolTable::uniqueIDForRegister(const ConcurrentJITLocker& locker, int registerIndex, VM& vm)
</del><ins>+GlobalVariableID SymbolTable::uniqueIDForRegister(const ConcurrentJITLocker& locker, int registerIndex, VM& vm)
</ins><span class="cx"> {
</span><span class="cx"> auto iter = m_registerToVariableMap->find(registerIndex);
</span><span class="cx"> auto end = m_registerToVariableMap->end();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSymbolTableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SymbolTable.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SymbolTable.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/SymbolTable.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -337,7 +337,7 @@
</span><span class="cx"> typedef JSCell Base;
</span><span class="cx">
</span><span class="cx"> typedef HashMap<RefPtr<StringImpl>, SymbolTableEntry, IdentifierRepHash, HashTraits<RefPtr<StringImpl>>, SymbolTableIndexHashTraits> Map;
</span><del>- typedef HashMap<RefPtr<StringImpl>, int64_t> UniqueIDMap;
</del><ins>+ typedef HashMap<RefPtr<StringImpl>, GlobalVariableID> UniqueIDMap;
</ins><span class="cx"> typedef HashMap<RefPtr<StringImpl>, RefPtr<TypeSet>> UniqueTypeSetMap;
</span><span class="cx"> typedef HashMap<int, RefPtr<StringImpl>, WTF::IntHash<int>, WTF::UnsignedWithZeroKeyHashTraits<int>> RegisterToVariableMap;
</span><span class="cx">
</span><span class="lines">@@ -458,8 +458,8 @@
</span><span class="cx"> return contains(locker, key);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- int64_t uniqueIDForVariable(const ConcurrentJITLocker&, StringImpl* key, VM& vm);
- int64_t uniqueIDForRegister(const ConcurrentJITLocker& locker, int registerIndex, VM& vm);
</del><ins>+ GlobalVariableID uniqueIDForVariable(const ConcurrentJITLocker&, StringImpl* key, VM& vm);
+ GlobalVariableID uniqueIDForRegister(const ConcurrentJITLocker& locker, int registerIndex, VM& vm);
</ins><span class="cx"> RefPtr<TypeSet> globalTypeSetForRegister(const ConcurrentJITLocker& locker, int registerIndex, VM& vm);
</span><span class="cx"> RefPtr<TypeSet> globalTypeSetForVariable(const ConcurrentJITLocker& locker, StringImpl* key, VM& vm);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTypeLocationCachecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/TypeLocationCache.cpp (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TypeLocationCache.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/TypeLocationCache.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,59 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+#include "config.h"
+#include "TypeLocationCache.h"
+
+#include "VM.h"
+
+namespace JSC {
+
+std::pair<TypeLocation*, bool> TypeLocationCache::getTypeLocation(GlobalVariableID globalVariableID, intptr_t sourceID, unsigned start, unsigned end, PassRefPtr<TypeSet> globalTypeSet, VM* vm)
+{
+ LocationKey key;
+ key.m_globalVariableID = globalVariableID;
+ key.m_sourceID = sourceID;
+ key.m_start = start;
+ key.m_end = end;
+
+ bool isNewLocation = false;
+ if (m_locationMap.find(key) == m_locationMap.end()) {
+ TypeLocation* location = vm->nextLocation();
+ location->m_globalVariableID = globalVariableID;
+ location->m_sourceID = sourceID;
+ location->m_divotStart = start;
+ location->m_divotEnd = end;
+ location->m_globalTypeSet = globalTypeSet;
+
+ m_locationMap[key] = location;
+ isNewLocation = true;
+ }
+
+ TypeLocation* location = m_locationMap.find(key)->second;
+ return std::pair<TypeLocation*, bool>(location, isNewLocation);
+}
+
+} // namespace JSC
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTypeLocationCacheh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/TypeLocationCache.h (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TypeLocationCache.h (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/TypeLocationCache.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,68 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef TypeLocationCache_h
+#define TypeLocationCache_h
+
+#include "TypeLocation.h"
+#include <unordered_map>
+#include <wtf/HashMethod.h>
+
+namespace JSC {
+
+class VM;
+
+class TypeLocationCache {
+public:
+ struct LocationKey {
+ LocationKey() {}
+ bool operator==(const LocationKey& other) const
+ {
+ return m_globalVariableID == other.m_globalVariableID
+ && m_sourceID == other.m_sourceID
+ && m_start == other.m_start
+ && m_end == other.m_end;
+ }
+
+ unsigned hash() const
+ {
+ return m_globalVariableID + m_sourceID + m_start + m_end;
+ }
+
+ GlobalVariableID m_globalVariableID;
+ intptr_t m_sourceID;
+ unsigned m_start;
+ unsigned m_end;
+ };
+
+ std::pair<TypeLocation*, bool> getTypeLocation(GlobalVariableID, intptr_t, unsigned start, unsigned end, PassRefPtr<TypeSet>, VM*);
+private:
+ typedef std::unordered_map<LocationKey, TypeLocation*, HashMethod<LocationKey>> LocationMap;
+ LocationMap m_locationMap;
+};
+
+} // namespace JSC
+
+#endif // TypeLocationCache_h
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTypeSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TypeSet.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TypeSet.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/TypeSet.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "TypeSet.h"
</span><span class="cx">
</span><ins>+#include "InspectorJSTypeBuilders.h"
</ins><span class="cx"> #include "JSCJSValue.h"
</span><span class="cx"> #include "JSCJSValueInlines.h"
</span><span class="cx"> #include <wtf/text/CString.h>
</span><span class="lines">@@ -58,8 +59,6 @@
</span><span class="cx"> ret = TypeNumber;
</span><span class="cx"> else if (v.isString())
</span><span class="cx"> ret = TypeString;
</span><del>- else if (v.isPrimitive())
- ret = TypePrimitive;
</del><span class="cx"> else if (v.isObject())
</span><span class="cx"> ret = TypeObject;
</span><span class="cx"> else
</span><span class="lines">@@ -73,7 +72,7 @@
</span><span class="cx"> RuntimeType t = getRuntimeTypeForValue(v);
</span><span class="cx"> m_seenTypes = m_seenTypes | t;
</span><span class="cx">
</span><del>- if (id && shape) {
</del><ins>+ if (id && shape && !v.isString() && !v.isFunction()) {
</ins><span class="cx"> ASSERT(m_structureIDHistory.isValidKey(id));
</span><span class="cx"> auto iter = m_structureIDHistory.find(id);
</span><span class="cx"> if (iter == m_structureIDHistory.end()) {
</span><span class="lines">@@ -95,7 +94,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-String TypeSet::seenTypes()
</del><ins>+String TypeSet::seenTypes() const
</ins><span class="cx"> {
</span><span class="cx"> if (m_seenTypes == TypeNothing)
</span><span class="cx"> return "(Unreached Statement)";
</span><span class="lines">@@ -116,17 +115,13 @@
</span><span class="cx"> seen.append("Number ");
</span><span class="cx"> if (m_seenTypes & TypeString)
</span><span class="cx"> seen.append("String ");
</span><del>- if (m_seenTypes & TypePrimitive)
- seen.append("Primitive ");
</del><span class="cx"> if (m_seenTypes & TypeObject)
</span><span class="cx"> seen.append("Object ");
</span><span class="cx">
</span><span class="cx"> for (size_t i = 0; i < m_structureHistory->size(); i++) {
</span><span class="cx"> RefPtr<StructureShape> shape = m_structureHistory->at(i);
</span><del>- if (!shape->m_constructorName.isEmpty()) {
- seen.append(shape->m_constructorName);
- seen.append(" ");
- }
</del><ins>+ seen.append(shape->m_constructorName);
+ seen.append(" ");
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (m_structureHistory->size())
</span><span class="lines">@@ -139,20 +134,131 @@
</span><span class="cx"> seen.append("]");
</span><span class="cx">
</span><span class="cx"> if (m_structureHistory->size()) {
</span><del>- seen.append("\nLUB: ");
- seen.append(StructureShape::leastUpperBound(m_structureHistory));
</del><ins>+ seen.append("\nLeast Common Ancestor: ");
+ seen.append(leastCommonAncestor());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> return seen.toString();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool TypeSet::doesTypeConformTo(uint32_t test) const
+{
+ // This function checks if our seen types conform to the types described by the test bitstring. (i.e we haven't seen more types than test).
+ // We are <= to those types if ANDing with the bitstring doesn't zero out any of our bits.
+
+ // For example:
+
+ // 0b0110 (seen)
+ // 0b1111 (test)
+ // ------ (AND)
+ // 0b0110 == seen
+
+ // 0b0110 (seen)
+ // 0b0010 (test)
+ // ------ (AND)
+ // 0b0010 != seen
+
+ return (m_seenTypes & test) == m_seenTypes;
+}
+
+String TypeSet::displayName() const
+{
+ if (m_seenTypes == TypeNothing)
+ return "";
+
+ if (m_structureHistory->size() && doesTypeConformTo(TypeObject | TypeNull | TypeUndefined)) {
+ String ctorName = leastCommonAncestor();
+
+ if (doesTypeConformTo(TypeObject))
+ return ctorName;
+ else if (doesTypeConformTo(TypeObject | TypeNull | TypeUndefined))
+ return ctorName + "?";
+ }
+
+ // The order of these checks are important. For example, if a value is only a function, it conforms to TypeFunction, but it also conforms to TypeFunction | TypeNull.
+ // Therefore, more specific types must be checked first.
+
+ if (doesTypeConformTo(TypeFunction))
+ return "Function";
+ if (doesTypeConformTo(TypeUndefined))
+ return "Undefined";
+ if (doesTypeConformTo(TypeNull))
+ return "Null";
+ if (doesTypeConformTo(TypeBoolean))
+ return "Boolean";
+ if (doesTypeConformTo(TypeMachineInt))
+ return "Integer";
+ if (doesTypeConformTo(TypeNumber | TypeMachineInt))
+ return "Number";
+ if (doesTypeConformTo(TypeString))
+ return "String";
+
+ if (doesTypeConformTo(TypeNull | TypeUndefined))
+ return "(?)";
+
+ if (doesTypeConformTo(TypeFunction | TypeNull | TypeUndefined))
+ return "Function?";
+ if (doesTypeConformTo(TypeBoolean | TypeNull | TypeUndefined))
+ return "Boolean?";
+ if (doesTypeConformTo(TypeMachineInt | TypeNull | TypeUndefined))
+ return "Integer?";
+ if (doesTypeConformTo(TypeNumber | TypeMachineInt | TypeNull | TypeUndefined))
+ return "Number?";
+ if (doesTypeConformTo(TypeString | TypeNull | TypeUndefined))
+ return "String?";
+
+ if (doesTypeConformTo(TypeObject | TypeFunction | TypeString))
+ return "Object";
+ if (doesTypeConformTo(TypeObject | TypeFunction | TypeString | TypeNull | TypeUndefined))
+ return "Object?";
+
+ return "(many)";
+}
+
+PassRefPtr<Inspector::TypeBuilder::Array<String>> TypeSet::allPrimitiveTypeNames() const
+{
+ RefPtr<Inspector::TypeBuilder::Array<String>> seen = Inspector::TypeBuilder::Array<String>::create();
+ if (m_seenTypes & TypeFunction)
+ seen->addItem("Function");
+ if (m_seenTypes & TypeUndefined)
+ seen->addItem("Undefined");
+ if (m_seenTypes & TypeNull)
+ seen->addItem("Null");
+ if (m_seenTypes & TypeBoolean)
+ seen->addItem("Boolean");
+ if (m_seenTypes & TypeMachineInt)
+ seen->addItem("Integer");
+ if (m_seenTypes & TypeNumber)
+ seen->addItem("Number");
+ if (m_seenTypes & TypeString)
+ seen->addItem("String");
+
+ return seen.release();
+}
+
+PassRefPtr<Inspector::TypeBuilder::Array<Inspector::InspectorObject>> TypeSet::allStructureRepresentations() const
+{
+ RefPtr<Inspector::TypeBuilder::Array<Inspector::InspectorObject>> ret = Inspector::TypeBuilder::Array<Inspector::InspectorObject>::create();
+
+ for (size_t i = 0; i < m_structureHistory->size(); i++)
+ ret->addItem(m_structureHistory->at(i)->inspectorRepresentation());
+
+ return ret.release();
+}
+
+String TypeSet::leastCommonAncestor() const
+{
+ return StructureShape::leastCommonAncestor(m_structureHistory);
+}
+
</ins><span class="cx"> void TypeSet::dumpSeenTypes()
</span><span class="cx"> {
</span><span class="cx"> dataLog(seenTypes(), "\n");
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> StructureShape::StructureShape()
</span><del>- : m_propertyHash(nullptr)
</del><ins>+ : m_proto(nullptr)
+ , m_propertyHash(nullptr)
</ins><span class="cx"> , m_final(false)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="lines">@@ -166,7 +272,7 @@
</span><span class="cx"> void StructureShape::addProperty(RefPtr<StringImpl> impl)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!m_final);
</span><del>- m_fields.set(impl, true);
</del><ins>+ m_fields.append(impl);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> String StructureShape::propertyHash()
</span><span class="lines">@@ -177,53 +283,77 @@
</span><span class="cx">
</span><span class="cx"> StringBuilder builder;
</span><span class="cx"> builder.append(":");
</span><ins>+ builder.append(m_constructorName);
+ builder.append(":");
+
</ins><span class="cx"> for (auto iter = m_fields.begin(), end = m_fields.end(); iter != end; ++iter) {
</span><del>- String property = String(iter->key);
</del><ins>+ String property = String((*iter));
</ins><span class="cx"> property.replace(":", "\\:"); // Ensure that hash({"foo:", "bar"}) != hash({"foo", ":bar"}) because we're using colons as a separator and colons are legal characters in field names in JS.
</span><span class="cx"> builder.append(property);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ if (m_proto) {
+ builder.append(":");
+ builder.append("__proto__");
+ builder.append(m_proto->propertyHash());
+ }
+
</ins><span class="cx"> m_propertyHash = std::make_unique<String>(builder.toString());
</span><span class="cx"> return *m_propertyHash;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-String StructureShape::leastUpperBound(Vector<RefPtr<StructureShape>>* shapes)
</del><ins>+String StructureShape::leastCommonAncestor(const Vector<RefPtr<StructureShape>>* shapes)
</ins><span class="cx"> {
</span><span class="cx"> if (!shapes->size())
</span><span class="cx"> return "";
</span><span class="cx">
</span><del>- StringBuilder lub;
</del><span class="cx"> RefPtr<StructureShape> origin = shapes->at(0);
</span><del>- lub.append("{");
- for (auto iter = origin->m_fields.begin(), end = origin->m_fields.end(); iter != end; ++iter) {
- bool shouldAdd = true;
- for (size_t i = 1, size = shapes->size(); i < size; i++) {
- // If all other Shapes have the same field as origin, add it to the least upper bound.
- if (!shapes->at(i)->m_fields.contains(iter->key)) {
- shouldAdd = false;
- break;
</del><ins>+ for (size_t i = 1; i < shapes->size(); i++) {
+ bool foundLUB = false;
+ while (!foundLUB) {
+ RefPtr<StructureShape> check = shapes->at(i);
+ String curCtorName = origin->m_constructorName;
+ while (check) {
+ if (check->m_constructorName == curCtorName) {
+ foundLUB = true;
+ break;
+ }
+ check = check->m_proto;
</ins><span class="cx"> }
</span><ins>+ if (!foundLUB) {
+ origin = origin->m_proto;
+ // All Objects must share the 'Object' Prototype. Therefore, at the very least, we should always converge on 'Object' before reaching a null prototype.
+ RELEASE_ASSERT(origin);
+ }
</ins><span class="cx"> }
</span><del>- if (shouldAdd)
- lub.append(String(iter->key.get()) + String(", "));
</del><ins>+
+ if (origin->m_constructorName == "Object")
+ break;
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- if (lub.length() >= 3)
- lub.resize(lub.length() - 2); // Remove the trailing ', '
-
- lub.append("}");
-
- return lub.toString();
</del><ins>+ return origin->m_constructorName;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> String StructureShape::stringRepresentation()
</span><span class="cx"> {
</span><span class="cx"> StringBuilder representation;
</span><ins>+ RefPtr<StructureShape> curShape = this;
+
</ins><span class="cx"> representation.append("{");
</span><del>- for (auto iter = m_fields.begin(), end = m_fields.end(); iter != end; ++iter) {
- String prop(iter->key.get());
- representation.append(prop);
- representation.append(", ");
</del><ins>+ while (curShape) {
+ for (auto iter = curShape->m_fields.begin(), end = curShape->m_fields.end(); iter != end; ++iter) {
+ String prop((*iter).get());
+ representation.append(prop);
+ representation.append(", ");
+ }
+
+ if (curShape->m_proto) {
+ String prot = String("__proto__") + String(" [") + curShape->m_proto->m_constructorName + String("]");
+ representation.append(prot);
+ representation.append(", ");
+ }
+
+ curShape = curShape->m_proto;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (representation.length() >= 3)
</span><span class="lines">@@ -234,4 +364,30 @@
</span><span class="cx"> return representation.toString();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+PassRefPtr<Inspector::InspectorObject> StructureShape::inspectorRepresentation()
+{
+ RefPtr<Inspector::InspectorObject> base = Inspector::InspectorObject::create();
+ RefPtr<Inspector::InspectorObject> currentObject = base;
+ RefPtr<StructureShape> currentShape = this;
+
+ while (currentShape) {
+ RefPtr<Inspector::TypeBuilder::Array<String>> fields = Inspector::TypeBuilder::Array<String>::create();
+ for (auto iter = currentShape->m_fields.begin(), end = currentShape->m_fields.end(); iter != end; ++iter)
+ fields->addItem((*iter).get());
+
+ currentObject->setArray(ASCIILiteral("fields"), fields->asArray());
+ currentObject->setString(ASCIILiteral("constructorName"), currentShape->m_constructorName);
+
+ if (currentShape->m_proto) {
+ RefPtr<Inspector::InspectorObject> nextObject = Inspector::InspectorObject::create();
+ currentObject->setObject(ASCIILiteral("prototypeStructure"), nextObject);
+ currentObject = nextObject;
+ }
+
+ currentShape = currentShape->m_proto;
+ }
+
+ return base.release();
+}
+
</ins><span class="cx"> } //namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTypeSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TypeSet.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TypeSet.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/TypeSet.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -32,6 +32,15 @@
</span><span class="cx"> #include <wtf/text/WTFString.h>
</span><span class="cx"> #include <wtf/Vector.h>
</span><span class="cx">
</span><ins>+namespace Inspector { namespace TypeBuilder {
+template<typename T>
+class Array;
+}}
+
+namespace Inspector {
+class InspectorObject;
+}
+
</ins><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> class JSValue;
</span><span class="lines">@@ -45,8 +54,7 @@
</span><span class="cx"> TypeMachineInt = 0x10,
</span><span class="cx"> TypeNumber = 0x20,
</span><span class="cx"> TypeString = 0x40,
</span><del>- TypePrimitive = 0x80,
- TypeObject = 0x100
</del><ins>+ TypeObject = 0x80
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> class StructureShape : public RefCounted<StructureShape> {
</span><span class="lines">@@ -59,12 +67,17 @@
</span><span class="cx"> String propertyHash();
</span><span class="cx"> void markAsFinal();
</span><span class="cx"> void addProperty(RefPtr<StringImpl>);
</span><del>- static String leastUpperBound(Vector<RefPtr<StructureShape>>*);
</del><span class="cx"> String stringRepresentation();
</span><del>- void setConstructorName(String name) { m_constructorName = name; }
</del><ins>+ PassRefPtr<Inspector::InspectorObject> inspectorRepresentation();
+ void setConstructorName(String name) { m_constructorName = (name.isEmpty() ? "Object" : name); }
+ String constructorName() { return m_constructorName; }
+ void setProto(PassRefPtr<StructureShape> shape) { m_proto = shape; }
</ins><span class="cx">
</span><span class="cx"> private:
</span><del>- HashMap<RefPtr<StringImpl>, bool> m_fields;
</del><ins>+ static String leastCommonAncestor(const Vector<RefPtr<StructureShape>>*);
+
+ Vector<RefPtr<StringImpl>> m_fields;
+ RefPtr<StructureShape> m_proto;
</ins><span class="cx"> std::unique_ptr<String> m_propertyHash;
</span><span class="cx"> String m_constructorName;
</span><span class="cx"> bool m_final;
</span><span class="lines">@@ -77,11 +90,17 @@
</span><span class="cx"> TypeSet();
</span><span class="cx"> void addTypeForValue(JSValue v, PassRefPtr<StructureShape>, StructureID);
</span><span class="cx"> static RuntimeType getRuntimeTypeForValue(JSValue);
</span><del>- JS_EXPORT_PRIVATE String seenTypes();
</del><ins>+ JS_EXPORT_PRIVATE String seenTypes() const;
+ String displayName() const;
+ PassRefPtr<Inspector::TypeBuilder::Array<String>> allPrimitiveTypeNames() const;
+ PassRefPtr<Inspector::TypeBuilder::Array<Inspector::InspectorObject>> allStructureRepresentations() const;
</ins><span class="cx">
</span><span class="cx"> private:
</span><ins>+ String leastCommonAncestor() const;
+ void dumpSeenTypes();
+ bool doesTypeConformTo(uint32_t test) const;
+
</ins><span class="cx"> uint32_t m_seenTypes;
</span><del>- void dumpSeenTypes();
</del><span class="cx"> Vector<RefPtr<StructureShape>>* m_structureHistory;
</span><span class="cx"> HashMap<StructureID, uint8_t> m_structureIDHistory;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/VM.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -65,7 +65,7 @@
</span><span class="cx"> #include "JSNotAnObject.h"
</span><span class="cx"> #include "JSPromiseDeferred.h"
</span><span class="cx"> #include "JSPromiseReaction.h"
</span><del>-#include "JSPropertyNameIterator.h"
</del><ins>+#include "JSPropertyNameEnumerator.h"
</ins><span class="cx"> #include "JSWithScope.h"
</span><span class="cx"> #include "Lexer.h"
</span><span class="cx"> #include "Lookup.h"
</span><span class="lines">@@ -208,7 +208,7 @@
</span><span class="cx"> terminatedExecutionErrorStructure.set(*this, TerminatedExecutionError::createStructure(*this, 0, jsNull()));
</span><span class="cx"> stringStructure.set(*this, JSString::createStructure(*this, 0, jsNull()));
</span><span class="cx"> notAnObjectStructure.set(*this, JSNotAnObject::createStructure(*this, 0, jsNull()));
</span><del>- propertyNameIteratorStructure.set(*this, JSPropertyNameIterator::createStructure(*this, 0, jsNull()));
</del><ins>+ propertyNameEnumeratorStructure.set(*this, JSPropertyNameEnumerator::createStructure(*this, 0, jsNull()));
</ins><span class="cx"> getterSetterStructure.set(*this, GetterSetter::createStructure(*this, 0, jsNull()));
</span><span class="cx"> customGetterSetterStructure.set(*this, CustomGetterSetter::createStructure(*this, 0, jsNull()));
</span><span class="cx"> apiWrapperStructure.set(*this, JSAPIValueWrapper::createStructure(*this, 0, jsNull()));
</span><span class="lines">@@ -856,43 +856,16 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-String VM::getTypesForVariableAtOffset(unsigned offset, const String& variableName, const String& sourceIDAsString)
-{
- if (!isProfilingTypesWithHighFidelity())
- return "(Not Profiling)";
-
- bool okay;
- intptr_t sourceID = sourceIDAsString.toIntPtrStrict(&okay);
- if (!okay)
- CRASH();
-
- updateHighFidelityTypeProfileState();
- return m_highFidelityTypeProfiler->getTypesForVariableInAtOffset(offset, variableName, sourceID);
-}
-
-void VM::updateHighFidelityTypeProfileState()
-{
- if (!isProfilingTypesWithHighFidelity())
- return;
-
- highFidelityLog()->processHighFidelityLog(false, "VM Update");
-}
-
</del><span class="cx"> void VM::dumpHighFidelityProfilingTypes()
</span><span class="cx"> {
</span><span class="cx"> if (!isProfilingTypesWithHighFidelity())
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- updateHighFidelityTypeProfileState();
</del><ins>+ highFidelityLog()->processHighFidelityLog("VM Dump Types");
</ins><span class="cx"> HighFidelityTypeProfiler* profiler = m_highFidelityTypeProfiler.get();
</span><span class="cx"> for (Bag<TypeLocation>::iterator iter = m_locationInfo.begin(); !!iter; ++iter) {
</span><span class="cx"> TypeLocation* location = *iter;
</span><del>- dataLogF("[Start, End]::[%u, %u] ", location->m_divotStart, location->m_divotEnd);
- dataLog("\n\t\t#Local#\n\t\t",
- profiler->getLocalTypesForVariableAtOffset(location->m_divotStart, "", location->m_sourceID).replace("\n", "\n\t\t"),
- "\n\t\t#Global#\n\t\t",
- profiler->getGlobalTypesForVariableAtOffset(location->m_divotStart, "", location->m_sourceID).replace("\n", "\n\t\t"),
- "\n");
</del><ins>+ profiler->logTypesForTypeLocation(location);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.h (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.h 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/JavaScriptCore/runtime/VM.h 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -244,6 +244,7 @@
</span><span class="cx"> Strong<Structure> stringStructure;
</span><span class="cx"> Strong<Structure> notAnObjectStructure;
</span><span class="cx"> Strong<Structure> propertyNameIteratorStructure;
</span><ins>+ Strong<Structure> propertyNameEnumeratorStructure;
</ins><span class="cx"> Strong<Structure> getterSetterStructure;
</span><span class="cx"> Strong<Structure> customGetterSetterStructure;
</span><span class="cx"> Strong<Structure> apiWrapperStructure;
</span><span class="lines">@@ -270,6 +271,7 @@
</span><span class="cx"> Strong<Structure> promiseReactionStructure;
</span><span class="cx"> #endif
</span><span class="cx"> Strong<JSCell> iterationTerminator;
</span><ins>+ Strong<JSCell> emptyPropertyNameEnumerator;
</ins><span class="cx">
</span><span class="cx"> AtomicStringTable* m_atomicStringTable;
</span><span class="cx"> CommonIdentifiers* propertyNames;
</span><span class="lines">@@ -493,13 +495,11 @@
</span><span class="cx"> BuiltinExecutables* builtinExecutables() { return m_builtinExecutables.get(); }
</span><span class="cx">
</span><span class="cx"> bool isProfilingTypesWithHighFidelity() { return !!m_highFidelityTypeProfiler; }
</span><del>- String getTypesForVariableAtOffset(unsigned divot, const String& variableName, const String& sourceID);
</del><span class="cx"> HighFidelityLog* highFidelityLog() { return m_highFidelityLog.get(); }
</span><span class="cx"> HighFidelityTypeProfiler* highFidelityTypeProfiler() { return m_highFidelityTypeProfiler.get(); }
</span><del>- void updateHighFidelityTypeProfileState();
</del><span class="cx"> TypeLocation* nextLocation() { return m_locationInfo.add(); } //TODO: possible optmization: when codeblocks die, report which locations are no longer being changed so we don't walk over them
</span><span class="cx"> JS_EXPORT_PRIVATE void dumpHighFidelityProfilingTypes();
</span><del>- int64_t getNextUniqueVariableID() { return m_nextUniqueVariableID++; }
</del><ins>+ GlobalVariableID getNextUniqueVariableID() { return m_nextUniqueVariableID++; }
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> friend class LLIntOffsetsExtractor;
</span><span class="lines">@@ -551,7 +551,7 @@
</span><span class="cx"> HashMap<String, RefPtr<WatchpointSet>> m_impurePropertyWatchpointSets;
</span><span class="cx"> std::unique_ptr<HighFidelityTypeProfiler> m_highFidelityTypeProfiler;
</span><span class="cx"> std::unique_ptr<HighFidelityLog> m_highFidelityLog;
</span><del>- int64_t m_nextUniqueVariableID;
</del><ins>+ GlobalVariableID m_nextUniqueVariableID;
</ins><span class="cx"> Bag<TypeLocation> m_locationInfo;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressforincapturestringloopvarjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/for-in-capture-string-loop-var.js (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/for-in-capture-string-loop-var.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/for-in-capture-string-loop-var.js 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+(function() {
+ // Capture the loop variable and modify it inside the loop.
+ var foo = function() {
+ var captured;
+ var g = function() {
+ captured = "foo";
+ };
+ var sum = 0;
+ var o = {"foo": 1, "bar": 2};
+ for (captured in o) {
+ g();
+ sum += o[captured];
+ }
+ return sum;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() != 2)
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressforindeleteduringiterationjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/for-in-delete-during-iteration.js (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/for-in-delete-during-iteration.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/for-in-delete-during-iteration.js 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,70 @@
</span><ins>+(function() {
+ // Remove a yet-to-be-visited indexed property during iteration.
+ var foo = function() {
+ var a = [1, 2, 3, 4, 5];
+ var result = "";
+ for (var p in a) {
+ if (p == 2)
+ delete a[3];
+ result += a[p];
+ }
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "1235")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
+(function() {
+ // Remove a yet-to-be-visited non-indexed property during iteration.
+ var foo = function() {
+ var o = {};
+ o.x = "x";
+ o.y = "y";
+ o.z = "z";
+ var result = "";
+ for (var p in o) {
+ if (p == "x") {
+ delete o.y;
+ o.a = "a";
+ }
+ result += o[p];
+ }
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ // Note: it's undefined whether we visit o.a or not. Currently we do.
+ if (foo() !== "xza")
+ throw new Error("bad result");
+ }
+})();
+(function() {
+ // Remove then re-add a property during iteration.
+ var foo = function() {
+ var A = function() {};
+ A.prototype.x = "A.x";
+ A.prototype.y = "A.y";
+ var o = new A();
+ o.z = "o.z";
+ o.y = "o.y";
+ o.x = "o.x";
+ var result = "";
+ for (var p in o) {
+ if (p == "z")
+ delete o.x;
+ if (p == "y")
+ o.x = "o.x";
+ result += o[p];
+ }
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "o.zo.yo.x")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressforinmodifyintloopvarjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/for-in-modify-int-loop-var.js (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/for-in-modify-int-loop-var.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/for-in-modify-int-loop-var.js 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+(function() {
+ // Change integer value of the loop variable in the loop.
+ var foo = function() {
+ var a = [1, 2, 3];
+ var sum = 0;
+ for (var i in a) {
+ i += 10;
+ sum += i;
+ }
+ return sum;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ var result = foo();
+ if (typeof result !== "string")
+ throw new Error("result should have type string");
+ if (result !== "0010110210")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressforinmodifystringloopvarjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/for-in-modify-string-loop-var.js (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/for-in-modify-string-loop-var.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/for-in-modify-string-loop-var.js 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+(function() {
+ // Change string value of the loop variable in the loop.
+ var foo = function() {
+ var sum = 0;
+ var a = [1, 2, 3];
+ a.foo = 42;
+ for (var i in a) {
+ i = "foo";
+ sum += a[i];
+ }
+ return sum;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() != 42 * 4)
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressforinprototypejs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/for-in-prototype.js (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/for-in-prototype.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/for-in-prototype.js 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,57 @@
</span><ins>+(function() {
+ // Iterate when the base object's properties shadow properties in the prototype chain.
+ var foo = function() {
+ var A = function() { };
+ A.prototype.x = 42;
+ var o = new A();
+ o.x = 43;
+ var result = "";
+ for (var p in o)
+ result += o[p];
+ return result;
+ };
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "43")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
+(function() {
+ // Iterate when the prototype has the same range of indexed properties as the base object.
+ var foo = function() {
+ var A = function() {};
+ A.prototype[0] = 42;
+ var a = new A();
+ a[0] = 43;
+ var result = "";
+ for (var p in a)
+ result += a[p];
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "43")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
+(function() {
+ // Iterate when the prototype has indexed properties beyond the range of the base object.
+ var foo = function() {
+ var A = function() {};
+ A.prototype[0] = 42;
+ A.prototype[1] = 3;
+ var a = new A();
+ a[0] = 43;
+ var result = "";
+ for (var p in a)
+ result += a[p];
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "433")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressforinshadowprototypepropertyjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/for-in-shadow-prototype-property.js (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/for-in-shadow-prototype-property.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/for-in-shadow-prototype-property.js 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+(function() {
+ // Add a property to the base object that shadows a property in the prototype during iteration.
+ var foo = function() {
+ var A = function() {};
+ A.prototype.x = "A.x";
+ A.prototype.y = "A.y";
+ var o = new A();
+ var result = "";
+ for (var p in o) {
+ if (p == "x")
+ o.y = "o.y";
+ result += o[p];
+ }
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "A.xo.y")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressforinstringjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/for-in-string.js (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/for-in-string.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/for-in-string.js 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+(function() {
+ // Iterate over characters in a string.
+ var o = "hello";
+ var foo = function(o) {
+ var result = "";
+ for (var s in o)
+ result += o[s];
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo("hello") !== "hello")
+ throw new Error("incorrect result");
+ }
+ foo(null);
+})();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressforintestsjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/for-in-tests.js (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/for-in-tests.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/for-in-tests.js 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,77 @@
</span><ins>+(function() {
+ // Iterate over an array with normal indexed properties.
+ var foo = function() {
+ var a = [1, 2, 3, 4, 5];
+ var sum = 0;
+ var result = "";
+ for (var p in a)
+ result += a[p];
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "12345")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
+(function() {
+ // Iterate over an object with normal non-indexed properties.
+ var foo = function() {
+ var o = {};
+ o.x = 1;
+ o.y = 2;
+ o.z = 3;
+ var result = "";
+ for (var p in o)
+ result += o[p];
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "123")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
+(function() {
+ // Iterate over an object with both indexed and non-indexed properties.
+ var foo = function() {
+ var o = {};
+ o.x = 1;
+ o.y = 2;
+ o.z = 3;
+ o[0] = 4;
+ o[1] = 5;
+ o[2] = 6;
+ var result = "";
+ for (var p in o)
+ result += o[p];
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() != "456123")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
+(function() {
+ // Iterate over an array with both indexed and non-indexed properties.
+ var foo = function() {
+ var a = [4, 5, 6];
+ a.x = 1;
+ a.y = 2;
+ a.z = 3;
+ var result = "";
+ for (var p in a)
+ result += a[p];
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "456123")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressforintypedarrayjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/for-in-typed-array.js (0 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/for-in-typed-array.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/for-in-typed-array.js 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+(function() {
+ // Iterate over typed arrays.
+ var foo = function() {
+ var a = new Uint8Array(5);
+ for (var i = 0; i < a.length; ++i)
+ a[i] = i;
+ var result = "";
+ for (var p in a)
+ result += a[p];
+ return result;
+ };
+ noInline(foo);
+ for (var i = 0; i < 10000; ++i) {
+ if (foo() !== "01234")
+ throw new Error("bad result");
+ }
+ foo(null);
+})();
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/WebCore/ChangeLog 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,3 +1,34 @@
</span><ins>+2014-08-06 Filip Pizlo <fpizlo@apple.com>
+
+ Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.
+
+ 2014-08-06 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Refactor our current implementation of for-in
+ https://bugs.webkit.org/show_bug.cgi?id=134142
+
+ Reviewed by Filip Pizlo.
+
+ No new tests.
+
+ This patch splits for-in loops into three distinct parts:
+
+ - Iterating over the indexed properties in the base object.
+ - Iterating over the Structure properties in the base object.
+ - Iterating over any other enumerable properties for that object and any objects in the prototype chain.
+
+ It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
+ support the various operations required for each loop.
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::JSDOMWindow::getEnumerableLength):
+ (WebCore::JSDOMWindow::getStructurePropertyNames):
+ (WebCore::JSDOMWindow::getGenericPropertyNames):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateHeader):
+ * bridge/runtime_array.cpp:
+ (JSC::RuntimeArray::getOwnPropertyNames):
+
</ins><span class="cx"> 2014-08-06 Alexey Proskuryakov <ap@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (WebKit2): iOS Safari default encoding doesn't follow system language
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMWindowCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -389,6 +389,33 @@
</span><span class="cx"> return Base::deletePropertyByIndex(thisObject, exec, propertyName);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+uint32_t JSDOMWindow::getEnumerableLength(ExecState* exec, JSObject* object)
+{
+ JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
+ // Only allow the window to enumerated by frames in the same origin.
+ if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->impl()))
+ return 0;
+ return Base::getEnumerableLength(exec, thisObject);
+}
+
+void JSDOMWindow::getStructurePropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
+{
+ JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
+ // Only allow the window to enumerated by frames in the same origin.
+ if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->impl()))
+ return;
+ Base::getStructurePropertyNames(thisObject, exec, propertyNames, mode);
+}
+
+void JSDOMWindow::getGenericPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
+{
+ JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
+ // Only allow the window to enumerated by frames in the same origin.
+ if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->impl()))
+ return;
+ Base::getGenericPropertyNames(thisObject, exec, propertyNames, mode);
+}
+
</ins><span class="cx"> void JSDOMWindow::getPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><span class="cx"> JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -964,6 +964,9 @@
</span><span class="cx"> # Custom getPropertyNames function exists on DOMWindow
</span><span class="cx"> if ($interfaceName eq "DOMWindow") {
</span><span class="cx"> push(@headerContent, " static void getPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode mode = JSC::ExcludeDontEnumProperties);\n");
</span><ins>+ push(@headerContent, " static void getGenericPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode mode = JSC::ExcludeDontEnumProperties);\n");
+ push(@headerContent, " static void getStructurePropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode mode = JSC::ExcludeDontEnumProperties);\n");
+ push(@headerContent, " static uint32_t getEnumerableLength(JSC::ExecState*, JSC::JSObject*);\n");
</ins><span class="cx"> $structureFlags{"JSC::OverridesGetPropertyNames"} = 1;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorebridgeruntime_arraycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bridge/runtime_array.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bridge/runtime_array.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/WebCore/bridge/runtime_array.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -75,7 +75,7 @@
</span><span class="cx"> for (unsigned i = 0; i < length; ++i)
</span><span class="cx"> propertyNames.add(Identifier::from(exec, i));
</span><span class="cx">
</span><del>- if (mode == IncludeDontEnumProperties)
</del><ins>+ if (shouldIncludeDontEnumProperties(mode))
</ins><span class="cx"> propertyNames.add(exec->propertyNames().length);
</span><span class="cx">
</span><span class="cx"> JSObject::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/WebKit2/ChangeLog 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2014-08-06 Filip Pizlo <fpizlo@apple.com>
+
+ Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.
+
+ 2014-08-06 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Refactor our current implementation of for-in
+ https://bugs.webkit.org/show_bug.cgi?id=134142
+
+ Reviewed by Filip Pizlo.
+
+ * WebProcess/Plugins/Netscape/JSNPObject.cpp:
+ (WebKit::JSNPObject::invalidate): Fixed an invalid ASSERT that was crashing in debug builds.
+
</ins><span class="cx"> 2014-08-06 Alexey Proskuryakov <ap@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (WebKit2): iOS Safari default encoding doesn't follow system language
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessPluginsNetscapeJSNPObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp (172175 => 172176)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp 2014-08-06 21:09:47 UTC (rev 172175)
+++ trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp 2014-08-06 21:32:55 UTC (rev 172176)
</span><span class="lines">@@ -90,7 +90,6 @@
</span><span class="cx"> void JSNPObject::invalidate()
</span><span class="cx"> {
</span><span class="cx"> ASSERT(m_npObject);
</span><del>- ASSERT_GC_OBJECT_INHERITS(this, info());
</del><span class="cx">
</span><span class="cx"> releaseNPObject(m_npObject);
</span><span class="cx"> m_npObject = 0;
</span></span></pre>
</div>
</div>
</body>
</html>