<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[173993] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/173993">173993</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2014-09-25 20:59:33 -0700 (Thu, 25 Sep 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>FTL should sink object allocations
https://bugs.webkit.org/show_bug.cgi?id=136330
Reviewed by Oliver Hunt.
Source/JavaScriptCore:
This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
eliminate it completely. The way sinking reasons about the CFG means that it resembles a
partial escape analysis: we create paths through a function where some allocation(s) don't
have to be done at all even if there are other paths along which those allocations still have
to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
along any path, the act of sinking reduces the number of barriers that have to execute.
Because this was a fairly ambituous SSA analysis and transformation, I added a bunch of C++11
sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
successors; and to add more functor goodness to allow for more lambdas.
This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
That's just an omission and there are likely others; we can easily fix them. I think it's
best to land it in its current form and then to worry about the big benchmarks in subsequent
work (see bug 137126).
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/StructureSet.h:
(JSC::StructureSet::iterator::iterator):
(JSC::StructureSet::iterator::operator*):
(JSC::StructureSet::iterator::operator++):
(JSC::StructureSet::iterator::operator==):
(JSC::StructureSet::iterator::operator!=):
(JSC::StructureSet::begin):
(JSC::StructureSet::end):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::phiChildren):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
* dfg/DFGAvailability.h:
(JSC::DFG::Availability::shouldUseNode):
(JSC::DFG::Availability::isFlushUseful):
(JSC::DFG::Availability::isDead):
(JSC::DFG::Availability::operator!=):
* dfg/DFGAvailabilityMap.cpp: Added.
(JSC::DFG::AvailabilityMap::prune):
(JSC::DFG::AvailabilityMap::clear):
(JSC::DFG::AvailabilityMap::dump):
(JSC::DFG::AvailabilityMap::operator==):
(JSC::DFG::AvailabilityMap::merge):
* dfg/DFGAvailabilityMap.h: Added.
(JSC::DFG::AvailabilityMap::forEachAvailability):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::SSAData::SSAData):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::begin):
(JSC::DFG::BasicBlock::end):
(JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
(JSC::DFG::BasicBlock::SuccessorsIterable::begin):
(JSC::DFG::BasicBlock::SuccessorsIterable::end):
(JSC::DFG::BasicBlock::successors):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGFlushedAt.cpp:
(JSC::DFG::FlushedAt::dump):
* dfg/DFGFlushedAt.h:
(JSC::DFG::FlushedAt::FlushedAt):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::dumpBlockHeader):
(JSC::DFG::Graph::mergeRelevantToOSR):
(JSC::DFG::Graph::invalidateCFG):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
(JSC::DFG::Graph::NaturalBlockIterable::begin):
(JSC::DFG::Graph::NaturalBlockIterable::end):
(JSC::DFG::Graph::blocksInNaturalOrder):
(JSC::DFG::Graph::doToChildrenWithNode):
(JSC::DFG::Graph::doToChildren):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
(JSC::DFG::insertOSRHintsForUpdate):
* dfg/DFGInsertOSRHintsForUpdate.h: Added.
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::graph):
* dfg/DFGMayExit.cpp:
(JSC::DFG::mayExit):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPutByOffsetHint):
(JSC::DFG::Node::convertToPutStructureHint):
(JSC::DFG::Node::convertToPhantomNewObject):
(JSC::DFG::Node::isCellConstant):
(JSC::DFG::Node::castConstant):
(JSC::DFG::Node::hasIdentifier):
(JSC::DFG::Node::hasStorageAccessData):
(JSC::DFG::Node::hasObjectMaterializationData):
(JSC::DFG::Node::objectMaterializationData):
(JSC::DFG::Node::isPhantomObjectAllocation):
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
(JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGOSRAvailabilityAnalysisPhase.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
(JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
(JSC::DFG::ObjectAllocationSinkingPhase::run):
(JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
(JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
(JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
(JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
(JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
(JSC::DFG::ObjectAllocationSinkingPhase::resolve):
(JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
(JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
(JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
(JSC::DFG::performObjectAllocationSinking):
* dfg/DFGObjectAllocationSinkingPhase.h: Added.
* dfg/DFGObjectMaterializationData.cpp: Added.
(JSC::DFG::PhantomPropertyValue::dump):
(JSC::DFG::ObjectMaterializationData::dump):
(JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
(JSC::DFG::ObjectMaterializationData::similarityScore):
* dfg/DFGObjectMaterializationData.h: Added.
(JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
(JSC::DFG::PhantomPropertyValue::operator==):
* dfg/DFGPhantomCanonicalizationPhase.cpp:
(JSC::DFG::PhantomCanonicalizationPhase::run):
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* dfg/DFGPhiChildren.cpp: Added.
(JSC::DFG::PhiChildren::PhiChildren):
(JSC::DFG::PhiChildren::~PhiChildren):
(JSC::DFG::PhiChildren::upsilonsOf):
* dfg/DFGPhiChildren.h: Added.
(JSC::DFG::PhiChildren::forAllIncomingValues):
(JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPrePostNumbering.cpp: Added.
(JSC::DFG::PrePostNumbering::PrePostNumbering):
(JSC::DFG::PrePostNumbering::~PrePostNumbering):
(JSC::DFG::PrePostNumbering::compute):
(WTF::printInternal):
* dfg/DFGPrePostNumbering.h: Added.
(JSC::DFG::PrePostNumbering::preNumber):
(JSC::DFG::PrePostNumbering::postNumber):
(JSC::DFG::PrePostNumbering::isStrictAncestorOf):
(JSC::DFG::PrePostNumbering::isAncestorOf):
(JSC::DFG::PrePostNumbering::isStrictDescendantOf):
(JSC::DFG::PrePostNumbering::isDescendantOf):
(JSC::DFG::PrePostNumbering::edgeKind):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGPromoteHeapAccess.h: Added.
(JSC::DFG::promoteHeapAccess):
* dfg/DFGPromotedHeapLocation.cpp: Added.
(JSC::DFG::PromotedLocationDescriptor::dump):
(JSC::DFG::PromotedHeapLocation::createHint):
(JSC::DFG::PromotedHeapLocation::dump):
(WTF::printInternal):
* dfg/DFGPromotedHeapLocation.h: Added.
(JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
(JSC::DFG::PromotedLocationDescriptor::operator!):
(JSC::DFG::PromotedLocationDescriptor::kind):
(JSC::DFG::PromotedLocationDescriptor::info):
(JSC::DFG::PromotedLocationDescriptor::hash):
(JSC::DFG::PromotedLocationDescriptor::operator==):
(JSC::DFG::PromotedLocationDescriptor::operator!=):
(JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
(JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
(JSC::DFG::PromotedHeapLocation::operator!):
(JSC::DFG::PromotedHeapLocation::kind):
(JSC::DFG::PromotedHeapLocation::base):
(JSC::DFG::PromotedHeapLocation::info):
(JSC::DFG::PromotedHeapLocation::descriptor):
(JSC::DFG::PromotedHeapLocation::hash):
(JSC::DFG::PromotedHeapLocation::operator==):
(JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
(JSC::DFG::PromotedHeapLocationHash::hash):
(JSC::DFG::PromotedHeapLocationHash::equal):
* dfg/DFGSSACalculator.cpp:
(JSC::DFG::SSACalculator::reset):
* dfg/DFGSSACalculator.h:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLExitPropertyValue.cpp: Added.
(JSC::FTL::ExitPropertyValue::dump):
* ftl/FTLExitPropertyValue.h: Added.
(JSC::FTL::ExitPropertyValue::ExitPropertyValue):
(JSC::FTL::ExitPropertyValue::operator!):
(JSC::FTL::ExitPropertyValue::location):
(JSC::FTL::ExitPropertyValue::value):
* ftl/FTLExitTimeObjectMaterialization.cpp: Added.
(JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
(JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
(JSC::FTL::ExitTimeObjectMaterialization::add):
(JSC::FTL::ExitTimeObjectMaterialization::get):
(JSC::FTL::ExitTimeObjectMaterialization::dump):
* ftl/FTLExitTimeObjectMaterialization.h: Added.
(JSC::FTL::ExitTimeObjectMaterialization::type):
(JSC::FTL::ExitTimeObjectMaterialization::properties):
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::materializeNewObject):
(JSC::FTL::ExitValue::dumpInContext):
* ftl/FTLExitValue.h:
(JSC::FTL::ExitValue::isObjectMaterialization):
(JSC::FTL::ExitValue::objectMaterialization):
(JSC::FTL::ExitValue::withVirtualRegister):
(JSC::FTL::ExitValue::valueFormat):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
(JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
(JSC::FTL::LowerDFGToLLVM::compilePutStructure):
(JSC::FTL::LowerDFGToLLVM::compileNewObject):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
(JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
(JSC::FTL::LowerDFGToLLVM::checkStructure):
(JSC::FTL::LowerDFGToLLVM::allocateCell):
(JSC::FTL::LowerDFGToLLVM::storeStructure):
(JSC::FTL::LowerDFGToLLVM::allocateObject):
(JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
(JSC::FTL::LowerDFGToLLVM::exitValueForNode):
(JSC::FTL::LowerDFGToLLVM::weakStructureID):
(JSC::FTL::LowerDFGToLLVM::weakStructure):
(JSC::FTL::LowerDFGToLLVM::availabilityMap):
(JSC::FTL::LowerDFGToLLVM::availability): Deleted.
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileRecovery):
(JSC::FTL::compileStub):
* ftl/FTLOperations.cpp: Added.
(JSC::FTL::operationNewObjectWithButterfly):
(JSC::FTL::operationMaterializeObjectInOSR):
* ftl/FTLOperations.h: Added.
* ftl/FTLSwitchCase.h:
(JSC::FTL::SwitchCase::SwitchCase):
* runtime/JSObject.h:
(JSC::JSObject::finishCreation):
(JSC::JSFinalObject::JSFinalObject):
(JSC::JSFinalObject::create):
* runtime/Structure.cpp:
(JSC::Structure::canUseForAllocationsOf):
* runtime/Structure.h:
* tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
(sumOfArithSeries):
(foo):
* tests/stress/elide-new-object-dag-then-exit.js: Added.
(sumOfArithSeries):
(bar):
(verify):
(foo):
* tests/stress/obviously-elidable-new-object-then-exit.js: Added.
(sumOfArithSeries):
(foo):
Source/WTF:
Make it possible to reset a Bag.
* wtf/Bag.h:
(WTF::Bag::Bag):
(WTF::Bag::~Bag):
(WTF::Bag::clear):
LayoutTests:
* js/math-denorm.html: Added.
* js/regress/elidable-new-object-dag-expected.txt: Added.
* js/regress/elidable-new-object-dag.html: Added.
* js/regress/elidable-new-object-roflcopter-expected.txt: Added.
* js/regress/elidable-new-object-roflcopter.html: Added.
* js/regress/elidable-new-object-tree-expected.txt: Added.
* js/regress/elidable-new-object-tree.html: Added.
* js/regress/obvious-sink-pathology-expected.txt: Added.
* js/regress/obvious-sink-pathology-taken-expected.txt: Added.
* js/regress/obvious-sink-pathology-taken.html: Added.
* js/regress/obvious-sink-pathology.html: Added.
* js/regress/obviously-elidable-new-object-expected.txt: Added.
* js/regress/obviously-elidable-new-object.html: Added.
* js/regress/script-tests/elidable-new-object-dag.js: Added.
(sumOfArithSeries):
(foo):
* js/regress/script-tests/elidable-new-object-roflcopter.js: Added.
(sumOfArithSeries):
(foo):
* js/regress/script-tests/elidable-new-object-tree.js: Added.
(sumOfArithSeries):
(foo):
* js/regress/script-tests/obvious-sink-pathology-taken.js: Added.
(sumOfArithSeries):
(bar):
(foo):
* js/regress/script-tests/obvious-sink-pathology.js: Added.
(sumOfArithSeries):
(bar):
(foo):
* js/regress/script-tests/obviously-elidable-new-object.js: Added.
(sumOfArithSeries):
(foo):
* js/regress/script-tests/sinkable-new-object-dag.js: Added.
(sumOfArithSeries):
(verify):
(foo):
* js/regress/script-tests/sinkable-new-object-taken.js: Added.
(sumOfArithSeries):
(bar):
(foo):
* js/regress/script-tests/sinkable-new-object.js: Added.
(sumOfArithSeries):
(bar):
(foo):
* js/regress/sinkable-new-object-dag-expected.txt: Added.
* js/regress/sinkable-new-object-dag.html: Added.
* js/regress/sinkable-new-object-expected.txt: Added.
* js/regress/sinkable-new-object-taken-expected.txt: Added.
* js/regress/sinkable-new-object-taken.html: Added.
* js/regress/sinkable-new-object.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj">trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeStructureSeth">trunk/Source/JavaScriptCore/bytecode/StructureSet.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAvailabilityh">trunk/Source/JavaScriptCore/dfg/DFGAvailability.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGBasicBlockcpp">trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGBasicBlockh">trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFlushedAtcpp">trunk/Source/JavaScriptCore/dfg/DFGFlushedAt.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFlushedAth">trunk/Source/JavaScriptCore/dfg/DFGFlushedAt.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphcpp">trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphh">trunk/Source/JavaScriptCore/dfg/DFGGraph.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationcpp">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationh">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGInsertionSeth">trunk/Source/JavaScriptCore/dfg/DFGInsertionSet.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGMayExitcpp">trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRAvailabilityAnalysisPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRAvailabilityAnalysisPhaseh">trunk/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPhantomCanonicalizationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPhantomRemovalPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPlancpp">trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSSACalculatorcpp">trunk/Source/JavaScriptCore/dfg/DFGSSACalculator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSSACalculatorh">trunk/Source/JavaScriptCore/dfg/DFGSSACalculator.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGStructureRegistrationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGValidatecpp">trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitValuecpp">trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitValueh">trunk/Source/JavaScriptCore/ftl/FTLExitValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOSRExith">trunk/Source/JavaScriptCore/ftl/FTLOSRExit.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp">trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLSwitchCaseh">trunk/Source/JavaScriptCore/ftl/FTLSwitchCase.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjecth">trunk/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructurecpp">trunk/Source/JavaScriptCore/runtime/Structure.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureh">trunk/Source/JavaScriptCore/runtime/Structure.h</a></li>
<li><a href="#trunkSourceWTFChangeLog">trunk/Source/WTF/ChangeLog</a></li>
<li><a href="#trunkSourceWTFwtfBagh">trunk/Source/WTF/wtf/Bag.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsmathdenormhtml">trunk/LayoutTests/js/math-denorm.html</a></li>
<li><a href="#trunkLayoutTestsjsregresselidablenewobjectdagexpectedtxt">trunk/LayoutTests/js/regress/elidable-new-object-dag-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresselidablenewobjectdaghtml">trunk/LayoutTests/js/regress/elidable-new-object-dag.html</a></li>
<li><a href="#trunkLayoutTestsjsregresselidablenewobjectroflcopterexpectedtxt">trunk/LayoutTests/js/regress/elidable-new-object-roflcopter-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresselidablenewobjectroflcopterhtml">trunk/LayoutTests/js/regress/elidable-new-object-roflcopter.html</a></li>
<li><a href="#trunkLayoutTestsjsregresselidablenewobjecttreeexpectedtxt">trunk/LayoutTests/js/regress/elidable-new-object-tree-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresselidablenewobjecttreehtml">trunk/LayoutTests/js/regress/elidable-new-object-tree.html</a></li>
<li><a href="#trunkLayoutTestsjsregressobvioussinkpathologyexpectedtxt">trunk/LayoutTests/js/regress/obvious-sink-pathology-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregressobvioussinkpathologytakenexpectedtxt">trunk/LayoutTests/js/regress/obvious-sink-pathology-taken-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregressobvioussinkpathologytakenhtml">trunk/LayoutTests/js/regress/obvious-sink-pathology-taken.html</a></li>
<li><a href="#trunkLayoutTestsjsregressobvioussinkpathologyhtml">trunk/LayoutTests/js/regress/obvious-sink-pathology.html</a></li>
<li><a href="#trunkLayoutTestsjsregressobviouslyelidablenewobjectexpectedtxt">trunk/LayoutTests/js/regress/obviously-elidable-new-object-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregressobviouslyelidablenewobjecthtml">trunk/LayoutTests/js/regress/obviously-elidable-new-object.html</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestselidablenewobjectdagjs">trunk/LayoutTests/js/regress/script-tests/elidable-new-object-dag.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestselidablenewobjectroflcopterjs">trunk/LayoutTests/js/regress/script-tests/elidable-new-object-roflcopter.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestselidablenewobjecttreejs">trunk/LayoutTests/js/regress/script-tests/elidable-new-object-tree.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestsobvioussinkpathologytakenjs">trunk/LayoutTests/js/regress/script-tests/obvious-sink-pathology-taken.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestsobvioussinkpathologyjs">trunk/LayoutTests/js/regress/script-tests/obvious-sink-pathology.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestsobviouslyelidablenewobjectjs">trunk/LayoutTests/js/regress/script-tests/obviously-elidable-new-object.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestssinkablenewobjectdagjs">trunk/LayoutTests/js/regress/script-tests/sinkable-new-object-dag.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestssinkablenewobjecttakenjs">trunk/LayoutTests/js/regress/script-tests/sinkable-new-object-taken.js</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestssinkablenewobjectjs">trunk/LayoutTests/js/regress/script-tests/sinkable-new-object.js</a></li>
<li><a href="#trunkLayoutTestsjsregresssinkablenewobjectdagexpectedtxt">trunk/LayoutTests/js/regress/sinkable-new-object-dag-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresssinkablenewobjectdaghtml">trunk/LayoutTests/js/regress/sinkable-new-object-dag.html</a></li>
<li><a href="#trunkLayoutTestsjsregresssinkablenewobjectexpectedtxt">trunk/LayoutTests/js/regress/sinkable-new-object-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresssinkablenewobjecttakenexpectedtxt">trunk/LayoutTests/js/regress/sinkable-new-object-taken-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregresssinkablenewobjecttakenhtml">trunk/LayoutTests/js/regress/sinkable-new-object-taken.html</a></li>
<li><a href="#trunkLayoutTestsjsregresssinkablenewobjecthtml">trunk/LayoutTests/js/regress/sinkable-new-object.html</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAvailabilityMapcpp">trunk/Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAvailabilityMaph">trunk/Source/JavaScriptCore/dfg/DFGAvailabilityMap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGInsertOSRHintsForUpdatecpp">trunk/Source/JavaScriptCore/dfg/DFGInsertOSRHintsForUpdate.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGInsertOSRHintsForUpdateh">trunk/Source/JavaScriptCore/dfg/DFGInsertOSRHintsForUpdate.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGObjectAllocationSinkingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGObjectAllocationSinkingPhaseh">trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGObjectMaterializationDatacpp">trunk/Source/JavaScriptCore/dfg/DFGObjectMaterializationData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGObjectMaterializationDatah">trunk/Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPhiChildrencpp">trunk/Source/JavaScriptCore/dfg/DFGPhiChildren.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPhiChildrenh">trunk/Source/JavaScriptCore/dfg/DFGPhiChildren.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPrePostNumberingcpp">trunk/Source/JavaScriptCore/dfg/DFGPrePostNumbering.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPrePostNumberingh">trunk/Source/JavaScriptCore/dfg/DFGPrePostNumbering.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPromoteHeapAccessh">trunk/Source/JavaScriptCore/dfg/DFGPromoteHeapAccess.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPromotedHeapLocationcpp">trunk/Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPromotedHeapLocationh">trunk/Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitPropertyValuecpp">trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitPropertyValueh">trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitTimeObjectMaterializationcpp">trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitTimeObjectMaterializationh">trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOperationscpp">trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOperationsh">trunk/Source/JavaScriptCore/ftl/FTLOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstresselidablenewobjectroflcopterthenexitjs">trunk/Source/JavaScriptCore/tests/stress/elidable-new-object-roflcopter-then-exit.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstresselidenewobjectdagthenexitjs">trunk/Source/JavaScriptCore/tests/stress/elide-new-object-dag-then-exit.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressobviouslyelidablenewobjectthenexitjs">trunk/Source/JavaScriptCore/tests/stress/obviously-elidable-new-object-then-exit.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/LayoutTests/ChangeLog 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -1,3 +1,62 @@
</span><ins>+2014-09-25 Filip Pizlo <fpizlo@apple.com>
+
+ FTL should sink object allocations
+ https://bugs.webkit.org/show_bug.cgi?id=136330
+
+ Reviewed by Oliver Hunt.
+
+ * js/math-denorm.html: Added.
+ * js/regress/elidable-new-object-dag-expected.txt: Added.
+ * js/regress/elidable-new-object-dag.html: Added.
+ * js/regress/elidable-new-object-roflcopter-expected.txt: Added.
+ * js/regress/elidable-new-object-roflcopter.html: Added.
+ * js/regress/elidable-new-object-tree-expected.txt: Added.
+ * js/regress/elidable-new-object-tree.html: Added.
+ * js/regress/obvious-sink-pathology-expected.txt: Added.
+ * js/regress/obvious-sink-pathology-taken-expected.txt: Added.
+ * js/regress/obvious-sink-pathology-taken.html: Added.
+ * js/regress/obvious-sink-pathology.html: Added.
+ * js/regress/obviously-elidable-new-object-expected.txt: Added.
+ * js/regress/obviously-elidable-new-object.html: Added.
+ * js/regress/script-tests/elidable-new-object-dag.js: Added.
+ (sumOfArithSeries):
+ (foo):
+ * js/regress/script-tests/elidable-new-object-roflcopter.js: Added.
+ (sumOfArithSeries):
+ (foo):
+ * js/regress/script-tests/elidable-new-object-tree.js: Added.
+ (sumOfArithSeries):
+ (foo):
+ * js/regress/script-tests/obvious-sink-pathology-taken.js: Added.
+ (sumOfArithSeries):
+ (bar):
+ (foo):
+ * js/regress/script-tests/obvious-sink-pathology.js: Added.
+ (sumOfArithSeries):
+ (bar):
+ (foo):
+ * js/regress/script-tests/obviously-elidable-new-object.js: Added.
+ (sumOfArithSeries):
+ (foo):
+ * js/regress/script-tests/sinkable-new-object-dag.js: Added.
+ (sumOfArithSeries):
+ (verify):
+ (foo):
+ * js/regress/script-tests/sinkable-new-object-taken.js: Added.
+ (sumOfArithSeries):
+ (bar):
+ (foo):
+ * js/regress/script-tests/sinkable-new-object.js: Added.
+ (sumOfArithSeries):
+ (bar):
+ (foo):
+ * js/regress/sinkable-new-object-dag-expected.txt: Added.
+ * js/regress/sinkable-new-object-dag.html: Added.
+ * js/regress/sinkable-new-object-expected.txt: Added.
+ * js/regress/sinkable-new-object-taken-expected.txt: Added.
+ * js/regress/sinkable-new-object-taken.html: Added.
+ * js/regress/sinkable-new-object.html: Added.
+
</ins><span class="cx"> 2014-09-25 Brian J. Burg <burg@cs.washington.edu>
</span><span class="cx">
</span><span class="cx"> Web Inspector: FunctionCall timeline records omit profile data if the debugger has paused
</span></span></pre></div>
<a id="trunkLayoutTestsjsmathdenormhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/math-denorm.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/math-denorm.html (rev 0)
+++ trunk/LayoutTests/js/math-denorm.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/math-denorm.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresselidablenewobjectdagexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/elidable-new-object-dag-expected.txt (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/elidable-new-object-dag-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/elidable-new-object-dag-expected.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/elidable-new-object-dag
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresselidablenewobjectdaghtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/elidable-new-object-dag.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/elidable-new-object-dag.html (rev 0)
+++ trunk/LayoutTests/js/regress/elidable-new-object-dag.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/elidable-new-object-dag.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresselidablenewobjectroflcopterexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/elidable-new-object-roflcopter-expected.txt (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/elidable-new-object-roflcopter-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/elidable-new-object-roflcopter-expected.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/elidable-new-object-roflcopter
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresselidablenewobjectroflcopterhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/elidable-new-object-roflcopter.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/elidable-new-object-roflcopter.html (rev 0)
+++ trunk/LayoutTests/js/regress/elidable-new-object-roflcopter.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/elidable-new-object-roflcopter.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresselidablenewobjecttreeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/elidable-new-object-tree-expected.txt (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/elidable-new-object-tree-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/elidable-new-object-tree-expected.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/elidable-new-object-tree
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresselidablenewobjecttreehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/elidable-new-object-tree.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/elidable-new-object-tree.html (rev 0)
+++ trunk/LayoutTests/js/regress/elidable-new-object-tree.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/elidable-new-object-tree.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressobvioussinkpathologyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/obvious-sink-pathology-expected.txt (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/obvious-sink-pathology-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/obvious-sink-pathology-expected.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/obvious-sink-pathology
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressobvioussinkpathologytakenexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/obvious-sink-pathology-taken-expected.txt (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/obvious-sink-pathology-taken-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/obvious-sink-pathology-taken-expected.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/obvious-sink-pathology-taken
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressobvioussinkpathologytakenhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/obvious-sink-pathology-taken.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/obvious-sink-pathology-taken.html (rev 0)
+++ trunk/LayoutTests/js/regress/obvious-sink-pathology-taken.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/obvious-sink-pathology-taken.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressobvioussinkpathologyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/obvious-sink-pathology.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/obvious-sink-pathology.html (rev 0)
+++ trunk/LayoutTests/js/regress/obvious-sink-pathology.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/obvious-sink-pathology.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressobviouslyelidablenewobjectexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/obviously-elidable-new-object-expected.txt (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/obviously-elidable-new-object-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/obviously-elidable-new-object-expected.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/obviously-elidable-new-object
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressobviouslyelidablenewobjecthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/obviously-elidable-new-object.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/obviously-elidable-new-object.html (rev 0)
+++ trunk/LayoutTests/js/regress/obviously-elidable-new-object.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/obviously-elidable-new-object.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestselidablenewobjectdagjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/elidable-new-object-dag.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/elidable-new-object-dag.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/elidable-new-object-dag.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+function foo() {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var leaf = {f:i};
+ var o = {f:leaf};
+ var p = {f:leaf};
+ var q = {f:o, g:p};
+ result += q.f.f.f;
+ }
+ return result;
+}
+
+var result = foo();
+if (result != sumOfArithSeries(n - 1))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestselidablenewobjectroflcopterjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/elidable-new-object-roflcopter.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/elidable-new-object-roflcopter.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/elidable-new-object-roflcopter.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 500000;
+
+function foo() {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var o = {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: i}}}}}}}}}}}}}}}}}}};
+ var p = {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: i + 1}}}}}}}}}}}}}}}}}}};
+ result += o.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f + p.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f;
+ }
+ return result;
+}
+
+var result = foo();
+if (result != sumOfArithSeries(n - 1) + sumOfArithSeries(n))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestselidablenewobjecttreejs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/elidable-new-object-tree.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/elidable-new-object-tree.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/elidable-new-object-tree.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+function foo() {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var o = {f: {f:i}};
+ var p = {f: {f:i + 1}};
+ result += o.f.f + p.f.f;
+ }
+ return result;
+}
+
+var result = foo();
+if (result != sumOfArithSeries(n - 1) + sumOfArithSeries(n))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestsobvioussinkpathologytakenjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/obvious-sink-pathology-taken.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/obvious-sink-pathology-taken.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/obvious-sink-pathology-taken.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+function bar() { }
+
+function foo() {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var o = {f: i};
+ var p = {f: i + 1};
+ if (!(i % 100))
+ bar(o, p);
+ result += o.f + p.f;
+ }
+ return result;
+}
+
+noInline(bar);
+noInline(foo);
+
+var result = foo();
+if (result != sumOfArithSeries(n - 1) + sumOfArithSeries(n))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestsobvioussinkpathologyjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/obvious-sink-pathology.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/obvious-sink-pathology.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/obvious-sink-pathology.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+function bar() { }
+
+function foo(b) {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var o = {f: i};
+ var p = {f: i + 1};
+ if (b)
+ bar(o, p);
+ result += o.f + p.f;
+ }
+ return result;
+}
+
+noInline(bar);
+noInline(foo);
+
+var result = foo(false);
+if (result != sumOfArithSeries(n - 1) + sumOfArithSeries(n))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestsobviouslyelidablenewobjectjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/obviously-elidable-new-object.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/obviously-elidable-new-object.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/obviously-elidable-new-object.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+function foo() {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var o = {f: i};
+ var p = {f: i + 1};
+ result += o.f + p.f;
+ }
+ return result;
+}
+
+var result = foo();
+if (result != sumOfArithSeries(n - 1) + sumOfArithSeries(n))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestssinkablenewobjectdagjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/sinkable-new-object-dag.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/sinkable-new-object-dag.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/sinkable-new-object-dag.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,35 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+function verify(q, i) {
+ if (q.f == q.g)
+ throw "Error: q.f == q.g";
+ if (q.f.f != q.g.f)
+ throw "Error: q.f.f != q.g.f";
+ if (q.f.f.f != i)
+ throw "Error: q.f.f.f != i";
+}
+
+function foo() {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var leaf = {f:i};
+ var o = {f:leaf};
+ var p = {f:leaf};
+ var q = {f:o, g:p};
+ result += q.f.f.f;
+ if (!(i % 100))
+ verify(q, i);
+ }
+ return result;
+}
+
+noInline(foo);
+noInline(verify);
+
+var result = foo();
+if (result != sumOfArithSeries(n - 1))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestssinkablenewobjecttakenjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/sinkable-new-object-taken.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/sinkable-new-object-taken.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/sinkable-new-object-taken.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+function bar() { }
+
+function foo() {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var o = {f: i};
+ var p = {f: i + 1};
+ result += o.f + p.f;
+ if (!(i % 100))
+ bar(o, p);
+ }
+ return result;
+}
+
+noInline(bar);
+noInline(foo);
+
+var result = foo();
+if (result != sumOfArithSeries(n - 1) + sumOfArithSeries(n))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestssinkablenewobjectjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/sinkable-new-object.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/sinkable-new-object.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/sinkable-new-object.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+function bar() { }
+
+function foo(b) {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var o = {f: i};
+ var p = {f: i + 1};
+ if (b) {
+ bar(o, p);
+ return;
+ }
+ result += o.f + p.f;
+ }
+ return result;
+}
+
+noInline(bar);
+noInline(foo);
+
+var result = foo(false);
+if (result != sumOfArithSeries(n - 1) + sumOfArithSeries(n))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresssinkablenewobjectdagexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/sinkable-new-object-dag-expected.txt (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/sinkable-new-object-dag-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/sinkable-new-object-dag-expected.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/sinkable-new-object-dag
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresssinkablenewobjectdaghtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/sinkable-new-object-dag.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/sinkable-new-object-dag.html (rev 0)
+++ trunk/LayoutTests/js/regress/sinkable-new-object-dag.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/sinkable-new-object-dag.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresssinkablenewobjectexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/sinkable-new-object-expected.txt (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/sinkable-new-object-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/sinkable-new-object-expected.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/sinkable-new-object
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresssinkablenewobjecttakenexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/sinkable-new-object-taken-expected.txt (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/sinkable-new-object-taken-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/sinkable-new-object-taken-expected.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/sinkable-new-object-taken
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresssinkablenewobjecttakenhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/sinkable-new-object-taken.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/sinkable-new-object-taken.html (rev 0)
+++ trunk/LayoutTests/js/regress/sinkable-new-object-taken.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/sinkable-new-object-taken.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregresssinkablenewobjecthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/sinkable-new-object.html (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/sinkable-new-object.html (rev 0)
+++ trunk/LayoutTests/js/regress/sinkable-new-object.html 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/sinkable-new-object.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -122,6 +122,7 @@
</span><span class="cx"> dfg/DFGArrayMode.cpp
</span><span class="cx"> dfg/DFGAtTailAbstractState.cpp
</span><span class="cx"> dfg/DFGAvailability.cpp
</span><ins>+ dfg/DFGAvailabilityMap.cpp
</ins><span class="cx"> dfg/DFGBackwardsPropagationPhase.cpp
</span><span class="cx"> dfg/DFGBasicBlock.cpp
</span><span class="cx"> dfg/DFGBinarySwitch.cpp
</span><span class="lines">@@ -164,6 +165,7 @@
</span><span class="cx"> dfg/DFGGraphSafepoint.cpp
</span><span class="cx"> dfg/DFGHeapLocation.cpp
</span><span class="cx"> dfg/DFGInPlaceAbstractState.cpp
</span><ins>+ dfg/DFGInsertOSRHintsForUpdate.cpp
</ins><span class="cx"> dfg/DFGIntegerCheckCombiningPhase.cpp
</span><span class="cx"> dfg/DFGInvalidationPointInjectionPhase.cpp
</span><span class="cx"> dfg/DFGJITCode.cpp
</span><span class="lines">@@ -192,13 +194,18 @@
</span><span class="cx"> dfg/DFGOSRExitCompilerCommon.cpp
</span><span class="cx"> dfg/DFGOSRExitJumpPlaceholder.cpp
</span><span class="cx"> dfg/DFGOSRExitPreparation.cpp
</span><ins>+ dfg/DFGObjectAllocationSinkingPhase.cpp
+ dfg/DFGObjectMaterializationData.cpp
</ins><span class="cx"> dfg/DFGOperations.cpp
</span><span class="cx"> dfg/DFGPhantomCanonicalizationPhase.cpp
</span><span class="cx"> dfg/DFGPhantomRemovalPhase.cpp
</span><span class="cx"> dfg/DFGPhase.cpp
</span><ins>+ dfg/DFGPhiChildren.cpp
</ins><span class="cx"> dfg/DFGPlan.cpp
</span><ins>+ dfg/DFGPrePostNumbering.cpp
</ins><span class="cx"> dfg/DFGPredictionInjectionPhase.cpp
</span><span class="cx"> dfg/DFGPredictionPropagationPhase.cpp
</span><ins>+ dfg/DFGPromotedHeapLocation.cpp
</ins><span class="cx"> dfg/DFGPureValue.cpp
</span><span class="cx"> dfg/DFGResurrectionForValidationPhase.cpp
</span><span class="cx"> dfg/DFGSSACalculator.cpp
</span><span class="lines">@@ -774,7 +781,9 @@
</span><span class="cx"> ftl/FTLDataSection.cpp
</span><span class="cx"> ftl/FTLExitArgument.cpp
</span><span class="cx"> ftl/FTLExitArgumentForOperand.cpp
</span><ins>+ ftl/FTLExitPropertyValue.cpp
</ins><span class="cx"> ftl/FTLExitThunkGenerator.cpp
</span><ins>+ ftl/FTLExitTimeObjectMaterialization.cpp
</ins><span class="cx"> ftl/FTLExitValue.cpp
</span><span class="cx"> ftl/FTLFail.cpp
</span><span class="cx"> ftl/FTLForOSREntryJITCode.cpp
</span><span class="lines">@@ -789,6 +798,7 @@
</span><span class="cx"> ftl/FTLOSREntry.cpp
</span><span class="cx"> ftl/FTLOSRExitCompiler.cpp
</span><span class="cx"> ftl/FTLOSRExit.cpp
</span><ins>+ ftl/FTLOperations.cpp
</ins><span class="cx"> ftl/FTLOutput.cpp
</span><span class="cx"> ftl/FTLRecoveryOpcode.cpp
</span><span class="cx"> ftl/FTLRegisterAtOffset.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/ChangeLog 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -1,3 +1,302 @@
</span><ins>+2014-09-25 Filip Pizlo <fpizlo@apple.com>
+
+ FTL should sink object allocations
+ https://bugs.webkit.org/show_bug.cgi?id=136330
+
+ Reviewed by Oliver Hunt.
+
+ This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
+ ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
+ eliminate it completely. The way sinking reasons about the CFG means that it resembles a
+ partial escape analysis: we create paths through a function where some allocation(s) don't
+ have to be done at all even if there are other paths along which those allocations still have
+ to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
+ along any path, the act of sinking reduces the number of barriers that have to execute.
+
+ Because this was a fairly ambituous SSA analysis and transformation, I added a bunch of C++11
+ sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
+ successors; and to add more functor goodness to allow for more lambdas.
+
+ This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
+ is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
+ benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
+ That's just an omission and there are likely others; we can easily fix them. I think it's
+ best to land it in its current form and then to worry about the big benchmarks in subsequent
+ work (see bug 137126).
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::iterator::iterator):
+ (JSC::StructureSet::iterator::operator*):
+ (JSC::StructureSet::iterator::operator++):
+ (JSC::StructureSet::iterator::operator==):
+ (JSC::StructureSet::iterator::operator!=):
+ (JSC::StructureSet::begin):
+ (JSC::StructureSet::end):
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::phiChildren):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
+ * dfg/DFGAvailability.h:
+ (JSC::DFG::Availability::shouldUseNode):
+ (JSC::DFG::Availability::isFlushUseful):
+ (JSC::DFG::Availability::isDead):
+ (JSC::DFG::Availability::operator!=):
+ * dfg/DFGAvailabilityMap.cpp: Added.
+ (JSC::DFG::AvailabilityMap::prune):
+ (JSC::DFG::AvailabilityMap::clear):
+ (JSC::DFG::AvailabilityMap::dump):
+ (JSC::DFG::AvailabilityMap::operator==):
+ (JSC::DFG::AvailabilityMap::merge):
+ * dfg/DFGAvailabilityMap.h: Added.
+ (JSC::DFG::AvailabilityMap::forEachAvailability):
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::SSAData::SSAData):
+ * dfg/DFGBasicBlock.h:
+ (JSC::DFG::BasicBlock::begin):
+ (JSC::DFG::BasicBlock::end):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::end):
+ (JSC::DFG::BasicBlock::successors):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGFlushedAt.cpp:
+ (JSC::DFG::FlushedAt::dump):
+ * dfg/DFGFlushedAt.h:
+ (JSC::DFG::FlushedAt::FlushedAt):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::dumpBlockHeader):
+ (JSC::DFG::Graph::mergeRelevantToOSR):
+ (JSC::DFG::Graph::invalidateCFG):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
+ (JSC::DFG::Graph::NaturalBlockIterable::begin):
+ (JSC::DFG::Graph::NaturalBlockIterable::end):
+ (JSC::DFG::Graph::blocksInNaturalOrder):
+ (JSC::DFG::Graph::doToChildrenWithNode):
+ (JSC::DFG::Graph::doToChildren):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
+ (JSC::DFG::insertOSRHintsForUpdate):
+ * dfg/DFGInsertOSRHintsForUpdate.h: Added.
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::InsertionSet::graph):
+ * dfg/DFGMayExit.cpp:
+ (JSC::DFG::mayExit):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPutByOffsetHint):
+ (JSC::DFG::Node::convertToPutStructureHint):
+ (JSC::DFG::Node::convertToPhantomNewObject):
+ (JSC::DFG::Node::isCellConstant):
+ (JSC::DFG::Node::castConstant):
+ (JSC::DFG::Node::hasIdentifier):
+ (JSC::DFG::Node::hasStorageAccessData):
+ (JSC::DFG::Node::hasObjectMaterializationData):
+ (JSC::DFG::Node::objectMaterializationData):
+ (JSC::DFG::Node::isPhantomObjectAllocation):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+ (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+ * dfg/DFGOSRAvailabilityAnalysisPhase.h:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
+ (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
+ (JSC::DFG::ObjectAllocationSinkingPhase::run):
+ (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
+ (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
+ (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
+ (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
+ (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
+ (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
+ (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
+ (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
+ (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
+ (JSC::DFG::performObjectAllocationSinking):
+ * dfg/DFGObjectAllocationSinkingPhase.h: Added.
+ * dfg/DFGObjectMaterializationData.cpp: Added.
+ (JSC::DFG::PhantomPropertyValue::dump):
+ (JSC::DFG::ObjectMaterializationData::dump):
+ (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
+ (JSC::DFG::ObjectMaterializationData::similarityScore):
+ * dfg/DFGObjectMaterializationData.h: Added.
+ (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
+ (JSC::DFG::PhantomPropertyValue::operator==):
+ * dfg/DFGPhantomCanonicalizationPhase.cpp:
+ (JSC::DFG::PhantomCanonicalizationPhase::run):
+ * dfg/DFGPhantomRemovalPhase.cpp:
+ (JSC::DFG::PhantomRemovalPhase::run):
+ * dfg/DFGPhiChildren.cpp: Added.
+ (JSC::DFG::PhiChildren::PhiChildren):
+ (JSC::DFG::PhiChildren::~PhiChildren):
+ (JSC::DFG::PhiChildren::upsilonsOf):
+ * dfg/DFGPhiChildren.h: Added.
+ (JSC::DFG::PhiChildren::forAllIncomingValues):
+ (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGPrePostNumbering.cpp: Added.
+ (JSC::DFG::PrePostNumbering::PrePostNumbering):
+ (JSC::DFG::PrePostNumbering::~PrePostNumbering):
+ (JSC::DFG::PrePostNumbering::compute):
+ (WTF::printInternal):
+ * dfg/DFGPrePostNumbering.h: Added.
+ (JSC::DFG::PrePostNumbering::preNumber):
+ (JSC::DFG::PrePostNumbering::postNumber):
+ (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
+ (JSC::DFG::PrePostNumbering::isAncestorOf):
+ (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
+ (JSC::DFG::PrePostNumbering::isDescendantOf):
+ (JSC::DFG::PrePostNumbering::edgeKind):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGPromoteHeapAccess.h: Added.
+ (JSC::DFG::promoteHeapAccess):
+ * dfg/DFGPromotedHeapLocation.cpp: Added.
+ (JSC::DFG::PromotedLocationDescriptor::dump):
+ (JSC::DFG::PromotedHeapLocation::createHint):
+ (JSC::DFG::PromotedHeapLocation::dump):
+ (WTF::printInternal):
+ * dfg/DFGPromotedHeapLocation.h: Added.
+ (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
+ (JSC::DFG::PromotedLocationDescriptor::operator!):
+ (JSC::DFG::PromotedLocationDescriptor::kind):
+ (JSC::DFG::PromotedLocationDescriptor::info):
+ (JSC::DFG::PromotedLocationDescriptor::hash):
+ (JSC::DFG::PromotedLocationDescriptor::operator==):
+ (JSC::DFG::PromotedLocationDescriptor::operator!=):
+ (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
+ (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
+ (JSC::DFG::PromotedHeapLocation::operator!):
+ (JSC::DFG::PromotedHeapLocation::kind):
+ (JSC::DFG::PromotedHeapLocation::base):
+ (JSC::DFG::PromotedHeapLocation::info):
+ (JSC::DFG::PromotedHeapLocation::descriptor):
+ (JSC::DFG::PromotedHeapLocation::hash):
+ (JSC::DFG::PromotedHeapLocation::operator==):
+ (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
+ (JSC::DFG::PromotedHeapLocationHash::hash):
+ (JSC::DFG::PromotedHeapLocationHash::equal):
+ * dfg/DFGSSACalculator.cpp:
+ (JSC::DFG::SSACalculator::reset):
+ * dfg/DFGSSACalculator.h:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureRegistrationPhase.cpp:
+ (JSC::DFG::StructureRegistrationPhase::run):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLExitPropertyValue.cpp: Added.
+ (JSC::FTL::ExitPropertyValue::dump):
+ * ftl/FTLExitPropertyValue.h: Added.
+ (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
+ (JSC::FTL::ExitPropertyValue::operator!):
+ (JSC::FTL::ExitPropertyValue::location):
+ (JSC::FTL::ExitPropertyValue::value):
+ * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
+ (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
+ (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
+ (JSC::FTL::ExitTimeObjectMaterialization::add):
+ (JSC::FTL::ExitTimeObjectMaterialization::get):
+ (JSC::FTL::ExitTimeObjectMaterialization::dump):
+ * ftl/FTLExitTimeObjectMaterialization.h: Added.
+ (JSC::FTL::ExitTimeObjectMaterialization::type):
+ (JSC::FTL::ExitTimeObjectMaterialization::properties):
+ * ftl/FTLExitValue.cpp:
+ (JSC::FTL::ExitValue::materializeNewObject):
+ (JSC::FTL::ExitValue::dumpInContext):
+ * ftl/FTLExitValue.h:
+ (JSC::FTL::ExitValue::isObjectMaterialization):
+ (JSC::FTL::ExitValue::objectMaterialization):
+ (JSC::FTL::ExitValue::withVirtualRegister):
+ (JSC::FTL::ExitValue::valueFormat):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
+ (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
+ (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
+ (JSC::FTL::LowerDFGToLLVM::compileNewObject):
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
+ (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
+ (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
+ (JSC::FTL::LowerDFGToLLVM::checkStructure):
+ (JSC::FTL::LowerDFGToLLVM::allocateCell):
+ (JSC::FTL::LowerDFGToLLVM::storeStructure):
+ (JSC::FTL::LowerDFGToLLVM::allocateObject):
+ (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
+ (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
+ (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
+ (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
+ (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
+ (JSC::FTL::LowerDFGToLLVM::weakStructureID):
+ (JSC::FTL::LowerDFGToLLVM::weakStructure):
+ (JSC::FTL::LowerDFGToLLVM::availabilityMap):
+ (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
+ * ftl/FTLOSRExit.h:
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileRecovery):
+ (JSC::FTL::compileStub):
+ * ftl/FTLOperations.cpp: Added.
+ (JSC::FTL::operationNewObjectWithButterfly):
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * ftl/FTLOperations.h: Added.
+ * ftl/FTLSwitchCase.h:
+ (JSC::FTL::SwitchCase::SwitchCase):
+ * runtime/JSObject.h:
+ (JSC::JSObject::finishCreation):
+ (JSC::JSFinalObject::JSFinalObject):
+ (JSC::JSFinalObject::create):
+ * runtime/Structure.cpp:
+ (JSC::Structure::canUseForAllocationsOf):
+ * runtime/Structure.h:
+ * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
+ (sumOfArithSeries):
+ (foo):
+ * tests/stress/elide-new-object-dag-then-exit.js: Added.
+ (sumOfArithSeries):
+ (bar):
+ (verify):
+ (foo):
+ * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
+ (sumOfArithSeries):
+ (foo):
+
</ins><span class="cx"> 2014-09-25 Brian J. Burg <burg@cs.washington.edu>
</span><span class="cx">
</span><span class="cx"> Web Replay: Check event loop input extents during replaying too
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-<?xml version="1.0" encoding="utf-8"?>
</del><ins>+<?xml version="1.0" encoding="utf-8"?>
</ins><span class="cx"> <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
</span><span class="cx"> <ItemGroup Label="ProjectConfigurations">
</span><span class="cx"> <ProjectConfiguration Include="DebugSuffix|Win32">
</span><span class="lines">@@ -368,6 +368,7 @@
</span><span class="cx"> <ClCompile Include="..\dfg\DFGArrayMode.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGAtTailAbstractState.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGAvailability.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGAvailabilityMap.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGBackwardsPropagationPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGBasicBlock.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGBinarySwitch.cpp" />
</span><span class="lines">@@ -410,6 +411,7 @@
</span><span class="cx"> <ClCompile Include="..\dfg\DFGGraphSafepoint.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGHeapLocation.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGInPlaceAbstractState.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGInsertOSRHintsForUpdate.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGIntegerCheckCombiningPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGInvalidationPointInjectionPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGJITCode.cpp" />
</span><span class="lines">@@ -439,12 +441,17 @@
</span><span class="cx"> <ClCompile Include="..\dfg\DFGOSRExitCompilerCommon.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGOSRExitJumpPlaceholder.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGOSRExitPreparation.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGObjectAllocationSinkingPhase.cpp" />
+ <ClCompile Include="..\dfg\DFGObjectMaterializationData.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGPhantomCanonicalizationPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGPhantomRemovalPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGPhase.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGPhiChildren.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGPlan.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGPrePostNumbering.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGPredictionInjectionPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGPredictionPropagationPhase.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGPromotedHeapLocation.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGPureValue.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGResurrectionForValidationPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGSafepoint.cpp" />
</span><span class="lines">@@ -493,7 +500,9 @@
</span><span class="cx"> <ClCompile Include="..\ftl\FTLDWARFRegister.cpp" />
</span><span class="cx"> <ClCompile Include="..\ftl\FTLExitArgument.cpp" />
</span><span class="cx"> <ClCompile Include="..\ftl\FTLExitArgumentForOperand.cpp" />
</span><ins>+ <ClCompile Include="..\ftl\FTLExitPropertyValue.cpp" />
</ins><span class="cx"> <ClCompile Include="..\ftl\FTLExitThunkGenerator.cpp" />
</span><ins>+ <ClCompile Include="..\ftl\FTLExitTimeObjectMaterialization.cpp" />
</ins><span class="cx"> <ClCompile Include="..\ftl\FTLExitValue.cpp" />
</span><span class="cx"> <ClCompile Include="..\ftl\FTLFail.cpp" />
</span><span class="cx"> <ClCompile Include="..\ftl\FTLForOSREntryJITCode.cpp" />
</span><span class="lines">@@ -508,6 +517,7 @@
</span><span class="cx"> <ClCompile Include="..\ftl\FTLOSREntry.cpp" />
</span><span class="cx"> <ClCompile Include="..\ftl\FTLOSRExit.cpp" />
</span><span class="cx"> <ClCompile Include="..\ftl\FTLOSRExitCompiler.cpp" />
</span><ins>+ <ClCompile Include="..\ftl\FTLOperations.cpp" />
</ins><span class="cx"> <ClCompile Include="..\ftl\FTLOutput.cpp" />
</span><span class="cx"> <ClCompile Include="..\ftl\FTLRecoveryOpcode.cpp" />
</span><span class="cx"> <ClCompile Include="..\ftl\FTLRegisterAtOffset.cpp" />
</span><span class="lines">@@ -993,6 +1003,7 @@
</span><span class="cx"> <ClInclude Include="..\dfg\DFGArrayMode.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGAtTailAbstractState.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGAvailability.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGAvailabilityMap.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGBackwardsPropagationPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGBasicBlock.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGBasicBlockInlines.h" />
</span><span class="lines">@@ -1049,6 +1060,7 @@
</span><span class="cx"> <ClInclude Include="..\dfg\DFGGraphSafepoint.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGHeapLocation.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGInPlaceAbstractState.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGInsertOSRHintsForUpdate.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGInsertionSet.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGIntegerCheckCombiningPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGInvalidationPointInjectionPhase.h" />
</span><span class="lines">@@ -1073,6 +1085,8 @@
</span><span class="cx"> <ClInclude Include="..\dfg\DFGNodeFlags.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGNodeOrigin.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGNodeType.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGObjectAllocationSinkingPhase.h" />
+ <ClInclude Include="..\dfg\DFGObjectMaterializationData.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGOperations.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGOSRAvailabilityAnalysisPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGOSREntry.h" />
</span><span class="lines">@@ -1087,9 +1101,13 @@
</span><span class="cx"> <ClInclude Include="..\dfg\DFGPhantomCanonicalizationPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGPhantomRemovalPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGPhase.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGPhiChildren.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGPlan.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGPrePostNumbering.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGPredictionInjectionPhase.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGPredictionPropagationPhase.h" />
</span><ins>+ <ClInclude Include="..\dfg\DFGPromoteHeapAccess.h" />
+ <ClInclude Include="..\dfg\DFGPromotedHeapLocation.h" />
</ins><span class="cx"> <ClInclude Include="..\dfg\DFGPureValue.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGRegisterBank.h" />
</span><span class="cx"> <ClInclude Include="..\dfg\DFGRegisterSet.h" />
</span><span class="lines">@@ -1150,7 +1168,9 @@
</span><span class="cx"> <ClInclude Include="..\ftl\FTLExitArgument.h" />
</span><span class="cx"> <ClInclude Include="..\ftl\FTLExitArgumentForOperand.h" />
</span><span class="cx"> <ClInclude Include="..\ftl\FTLExitArgumentList.h" />
</span><ins>+ <ClInclude Include="..\ftl\FTLExitPropertyValue.h" />
</ins><span class="cx"> <ClInclude Include="..\ftl\FTLExitThunkGenerator.h" />
</span><ins>+ <ClInclude Include="..\ftl\FTLExitTimeObjectMaterialization.h" />
</ins><span class="cx"> <ClInclude Include="..\ftl\FTLExitValue.h" />
</span><span class="cx"> <ClInclude Include="..\ftl\FTLFail.h" />
</span><span class="cx"> <ClInclude Include="..\ftl\FTLFormattedValue.h" />
</span><span class="lines">@@ -1170,6 +1190,7 @@
</span><span class="cx"> <ClInclude Include="..\ftl\FTLOSRExit.h" />
</span><span class="cx"> <ClInclude Include="..\ftl\FTLOSRExitCompilationInfo.h" />
</span><span class="cx"> <ClInclude Include="..\ftl\FTLOSRExitCompiler.h" />
</span><ins>+ <ClInclude Include="..\ftl\FTLOperations.h" />
</ins><span class="cx"> <ClInclude Include="..\ftl\FTLOutput.h" />
</span><span class="cx"> <ClInclude Include="..\ftl\FTLRecoveryOpcode.h" />
</span><span class="cx"> <ClInclude Include="..\ftl\FTLRegisterAtOffset.h" />
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -209,6 +209,24 @@
</span><span class="cx"> 0F2B670917B6B5AB00A7AE3F /* TypedArrays.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B66DB17B6B5AB00A7AE3F /* TypedArrays.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F2B670A17B6B5AB00A7AE3F /* TypedArrayType.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B66DC17B6B5AB00A7AE3F /* TypedArrayType.cpp */; };
</span><span class="cx"> 0F2B670B17B6B5AB00A7AE3F /* TypedArrayType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B66DD17B6B5AB00A7AE3F /* TypedArrayType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 0F2B9CE219D0BA7D00B1D1B5 /* DFGAvailabilityMap.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B9CD619D0BA7D00B1D1B5 /* DFGAvailabilityMap.cpp */; };
+ 0F2B9CE319D0BA7D00B1D1B5 /* DFGAvailabilityMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B9CD719D0BA7D00B1D1B5 /* DFGAvailabilityMap.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2B9CE419D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B9CD819D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.cpp */; };
+ 0F2B9CE519D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B9CD919D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2B9CE619D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B9CDA19D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.cpp */; };
+ 0F2B9CE719D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B9CDB19D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2B9CE819D0BA7D00B1D1B5 /* DFGObjectMaterializationData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B9CDC19D0BA7D00B1D1B5 /* DFGObjectMaterializationData.cpp */; };
+ 0F2B9CE919D0BA7D00B1D1B5 /* DFGObjectMaterializationData.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B9CDD19D0BA7D00B1D1B5 /* DFGObjectMaterializationData.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2B9CEA19D0BA7D00B1D1B5 /* DFGPhiChildren.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B9CDE19D0BA7D00B1D1B5 /* DFGPhiChildren.cpp */; };
+ 0F2B9CEB19D0BA7D00B1D1B5 /* DFGPhiChildren.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B9CDF19D0BA7D00B1D1B5 /* DFGPhiChildren.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2B9CEC19D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B9CE019D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.cpp */; };
+ 0F2B9CED19D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B9CE119D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2B9CF419D0BAC100B1D1B5 /* FTLExitPropertyValue.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B9CEE19D0BAC100B1D1B5 /* FTLExitPropertyValue.cpp */; };
+ 0F2B9CF519D0BAC100B1D1B5 /* FTLExitPropertyValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B9CEF19D0BAC100B1D1B5 /* FTLExitPropertyValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2B9CF619D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B9CF019D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.cpp */; };
+ 0F2B9CF719D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B9CF119D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2B9CF819D0BAC100B1D1B5 /* FTLOperations.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2B9CF219D0BAC100B1D1B5 /* FTLOperations.cpp */; };
+ 0F2B9CF919D0BAC100B1D1B5 /* FTLOperations.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B9CF319D0BAC100B1D1B5 /* FTLOperations.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F2BDC15151C5D4D00CD8910 /* DFGFixupPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2BDC12151C5D4A00CD8910 /* DFGFixupPhase.cpp */; };
</span><span class="cx"> 0F2BDC16151C5D4F00CD8910 /* DFGFixupPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2BDC13151C5D4A00CD8910 /* DFGFixupPhase.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F2BDC21151E803B00CD8910 /* DFGInsertionSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2BDC1F151E803800CD8910 /* DFGInsertionSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -272,6 +290,8 @@
</span><span class="cx"> 0F3B7E2D19A12AAE00D9BC56 /* CallEdge.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3B7E2C19A12AAE00D9BC56 /* CallEdge.cpp */; };
</span><span class="cx"> 0F3D0BBC194A414300FC9CF9 /* ConstantStructureCheck.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3D0BBA194A414300FC9CF9 /* ConstantStructureCheck.cpp */; };
</span><span class="cx"> 0F3D0BBD194A414300FC9CF9 /* ConstantStructureCheck.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3D0BBB194A414300FC9CF9 /* ConstantStructureCheck.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 0F3E01AA19D353A500F61B7F /* DFGPrePostNumbering.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3E01A819D353A500F61B7F /* DFGPrePostNumbering.cpp */; };
+ 0F3E01AB19D353A500F61B7F /* DFGPrePostNumbering.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3E01A919D353A500F61B7F /* DFGPrePostNumbering.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F426A481460CBB300131F8F /* ValueRecovery.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F426A451460CBAB00131F8F /* ValueRecovery.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F426A491460CBB700131F8F /* VirtualRegister.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F426A461460CBAB00131F8F /* VirtualRegister.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F426A4B1460CD6E00131F8F /* DataFormat.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F426A4A1460CD6B00131F8F /* DataFormat.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -443,6 +463,7 @@
</span><span class="cx"> 0FA7A8EB18B413C80052371D /* Reg.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FA7A8E918B413C80052371D /* Reg.cpp */; };
</span><span class="cx"> 0FA7A8EC18B413C80052371D /* Reg.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FA7A8EA18B413C80052371D /* Reg.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0FA7A8EE18CE4FD80052371D /* ScratchRegisterAllocator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FA7A8ED18CE4FD80052371D /* ScratchRegisterAllocator.cpp */; };
</span><ins>+ 0FAA3E0919D0C2CB00FAC9E2 /* DFGPromoteHeapAccess.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FAA3E0819D0C2CB00FAC9E2 /* DFGPromoteHeapAccess.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0FAF7EFD165BA91B000C8455 /* JITDisassembler.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FAF7EFA165BA919000C8455 /* JITDisassembler.cpp */; };
</span><span class="cx"> 0FAF7EFE165BA91F000C8455 /* JITDisassembler.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FAF7EFB165BA919000C8455 /* JITDisassembler.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0FB105851675480F00F8AB6E /* ExitKind.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FB105821675480C00F8AB6E /* ExitKind.cpp */; };
</span><span class="lines">@@ -1831,6 +1852,24 @@
</span><span class="cx"> 0F2B66DB17B6B5AB00A7AE3F /* TypedArrays.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TypedArrays.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F2B66DC17B6B5AB00A7AE3F /* TypedArrayType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TypedArrayType.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F2B66DD17B6B5AB00A7AE3F /* TypedArrayType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TypedArrayType.h; sourceTree = "<group>"; };
</span><ins>+ 0F2B9CD619D0BA7D00B1D1B5 /* DFGAvailabilityMap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGAvailabilityMap.cpp; path = dfg/DFGAvailabilityMap.cpp; sourceTree = "<group>"; };
+ 0F2B9CD719D0BA7D00B1D1B5 /* DFGAvailabilityMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGAvailabilityMap.h; path = dfg/DFGAvailabilityMap.h; sourceTree = "<group>"; };
+ 0F2B9CD819D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGInsertOSRHintsForUpdate.cpp; path = dfg/DFGInsertOSRHintsForUpdate.cpp; sourceTree = "<group>"; };
+ 0F2B9CD919D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGInsertOSRHintsForUpdate.h; path = dfg/DFGInsertOSRHintsForUpdate.h; sourceTree = "<group>"; };
+ 0F2B9CDA19D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGObjectAllocationSinkingPhase.cpp; path = dfg/DFGObjectAllocationSinkingPhase.cpp; sourceTree = "<group>"; };
+ 0F2B9CDB19D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGObjectAllocationSinkingPhase.h; path = dfg/DFGObjectAllocationSinkingPhase.h; sourceTree = "<group>"; };
+ 0F2B9CDC19D0BA7D00B1D1B5 /* DFGObjectMaterializationData.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGObjectMaterializationData.cpp; path = dfg/DFGObjectMaterializationData.cpp; sourceTree = "<group>"; };
+ 0F2B9CDD19D0BA7D00B1D1B5 /* DFGObjectMaterializationData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGObjectMaterializationData.h; path = dfg/DFGObjectMaterializationData.h; sourceTree = "<group>"; };
+ 0F2B9CDE19D0BA7D00B1D1B5 /* DFGPhiChildren.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGPhiChildren.cpp; path = dfg/DFGPhiChildren.cpp; sourceTree = "<group>"; };
+ 0F2B9CDF19D0BA7D00B1D1B5 /* DFGPhiChildren.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGPhiChildren.h; path = dfg/DFGPhiChildren.h; sourceTree = "<group>"; };
+ 0F2B9CE019D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGPromotedHeapLocation.cpp; path = dfg/DFGPromotedHeapLocation.cpp; sourceTree = "<group>"; };
+ 0F2B9CE119D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGPromotedHeapLocation.h; path = dfg/DFGPromotedHeapLocation.h; sourceTree = "<group>"; };
+ 0F2B9CEE19D0BAC100B1D1B5 /* FTLExitPropertyValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLExitPropertyValue.cpp; path = ftl/FTLExitPropertyValue.cpp; sourceTree = "<group>"; };
+ 0F2B9CEF19D0BAC100B1D1B5 /* FTLExitPropertyValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLExitPropertyValue.h; path = ftl/FTLExitPropertyValue.h; sourceTree = "<group>"; };
+ 0F2B9CF019D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLExitTimeObjectMaterialization.cpp; path = ftl/FTLExitTimeObjectMaterialization.cpp; sourceTree = "<group>"; };
+ 0F2B9CF119D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLExitTimeObjectMaterialization.h; path = ftl/FTLExitTimeObjectMaterialization.h; sourceTree = "<group>"; };
+ 0F2B9CF219D0BAC100B1D1B5 /* FTLOperations.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLOperations.cpp; path = ftl/FTLOperations.cpp; sourceTree = "<group>"; };
+ 0F2B9CF319D0BAC100B1D1B5 /* FTLOperations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLOperations.h; path = ftl/FTLOperations.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0F2BDC12151C5D4A00CD8910 /* DFGFixupPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGFixupPhase.cpp; path = dfg/DFGFixupPhase.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F2BDC13151C5D4A00CD8910 /* DFGFixupPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGFixupPhase.h; path = dfg/DFGFixupPhase.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F2BDC1F151E803800CD8910 /* DFGInsertionSet.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGInsertionSet.h; path = dfg/DFGInsertionSet.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -1892,6 +1931,8 @@
</span><span class="cx"> 0F3B7E2C19A12AAE00D9BC56 /* CallEdge.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallEdge.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F3D0BBA194A414300FC9CF9 /* ConstantStructureCheck.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ConstantStructureCheck.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F3D0BBB194A414300FC9CF9 /* ConstantStructureCheck.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ConstantStructureCheck.h; sourceTree = "<group>"; };
</span><ins>+ 0F3E01A819D353A500F61B7F /* DFGPrePostNumbering.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGPrePostNumbering.cpp; path = dfg/DFGPrePostNumbering.cpp; sourceTree = "<group>"; };
+ 0F3E01A919D353A500F61B7F /* DFGPrePostNumbering.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGPrePostNumbering.h; path = dfg/DFGPrePostNumbering.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0F426A451460CBAB00131F8F /* ValueRecovery.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ValueRecovery.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F426A461460CBAB00131F8F /* VirtualRegister.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VirtualRegister.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F426A4A1460CD6B00131F8F /* DataFormat.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DataFormat.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -2062,6 +2103,7 @@
</span><span class="cx"> 0FA7A8E918B413C80052371D /* Reg.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Reg.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0FA7A8EA18B413C80052371D /* Reg.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Reg.h; sourceTree = "<group>"; };
</span><span class="cx"> 0FA7A8ED18CE4FD80052371D /* ScratchRegisterAllocator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ScratchRegisterAllocator.cpp; sourceTree = "<group>"; };
</span><ins>+ 0FAA3E0819D0C2CB00FAC9E2 /* DFGPromoteHeapAccess.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGPromoteHeapAccess.h; path = dfg/DFGPromoteHeapAccess.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0FAF7EFA165BA919000C8455 /* JITDisassembler.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITDisassembler.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0FAF7EFB165BA919000C8455 /* JITDisassembler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITDisassembler.h; sourceTree = "<group>"; };
</span><span class="cx"> 0FB105821675480C00F8AB6E /* ExitKind.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExitKind.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -3471,8 +3513,12 @@
</span><span class="cx"> 0F235BBF17178E1C00690C7F /* FTLExitArgumentForOperand.cpp */,
</span><span class="cx"> 0F235BC017178E1C00690C7F /* FTLExitArgumentForOperand.h */,
</span><span class="cx"> 0F235BC117178E1C00690C7F /* FTLExitArgumentList.h */,
</span><ins>+ 0F2B9CEE19D0BAC100B1D1B5 /* FTLExitPropertyValue.cpp */,
+ 0F2B9CEF19D0BAC100B1D1B5 /* FTLExitPropertyValue.h */,
</ins><span class="cx"> 0F235BC217178E1C00690C7F /* FTLExitThunkGenerator.cpp */,
</span><span class="cx"> 0F235BC317178E1C00690C7F /* FTLExitThunkGenerator.h */,
</span><ins>+ 0F2B9CF019D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.cpp */,
+ 0F2B9CF119D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.h */,
</ins><span class="cx"> 0F235BC417178E1C00690C7F /* FTLExitValue.cpp */,
</span><span class="cx"> 0F235BC517178E1C00690C7F /* FTLExitValue.h */,
</span><span class="cx"> A7F2996917A0BB670010417A /* FTLFail.cpp */,
</span><span class="lines">@@ -3499,6 +3545,8 @@
</span><span class="cx"> 0FEA0A04170513DB00BB722C /* FTLLowerDFGToLLVM.cpp */,
</span><span class="cx"> 0FEA0A05170513DB00BB722C /* FTLLowerDFGToLLVM.h */,
</span><span class="cx"> A7D89D0117A0B90400773AD8 /* FTLLoweredNodeValue.h */,
</span><ins>+ 0F2B9CF219D0BAC100B1D1B5 /* FTLOperations.cpp */,
+ 0F2B9CF319D0BAC100B1D1B5 /* FTLOperations.h */,
</ins><span class="cx"> 0FD8A31717D51F2200CA2C40 /* FTLOSREntry.cpp */,
</span><span class="cx"> 0FD8A31817D51F2200CA2C40 /* FTLOSREntry.h */,
</span><span class="cx"> 0F235BC617178E1C00690C7F /* FTLOSRExit.cpp */,
</span><span class="lines">@@ -4528,6 +4576,8 @@
</span><span class="cx"> A7D9A29017A0BC7400EE2618 /* DFGAtTailAbstractState.h */,
</span><span class="cx"> 0F666EC21835672B00D017F1 /* DFGAvailability.cpp */,
</span><span class="cx"> 0F666EC31835672B00D017F1 /* DFGAvailability.h */,
</span><ins>+ 0F2B9CD619D0BA7D00B1D1B5 /* DFGAvailabilityMap.cpp */,
+ 0F2B9CD719D0BA7D00B1D1B5 /* DFGAvailabilityMap.h */,
</ins><span class="cx"> 0F714CA116EA92ED00F3EBEB /* DFGBackwardsPropagationPhase.cpp */,
</span><span class="cx"> 0F714CA216EA92ED00F3EBEB /* DFGBackwardsPropagationPhase.h */,
</span><span class="cx"> A7D89CE317A0B8CC00773AD8 /* DFGBasicBlock.cpp */,
</span><span class="lines">@@ -4626,6 +4676,8 @@
</span><span class="cx"> A704D90017A0BAA8006BA554 /* DFGInPlaceAbstractState.cpp */,
</span><span class="cx"> A704D90117A0BAA8006BA554 /* DFGInPlaceAbstractState.h */,
</span><span class="cx"> 0F2BDC1F151E803800CD8910 /* DFGInsertionSet.h */,
</span><ins>+ 0F2B9CD819D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.cpp */,
+ 0F2B9CD919D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.h */,
</ins><span class="cx"> 0F300B7918AB1B1400A6D72E /* DFGIntegerCheckCombiningPhase.cpp */,
</span><span class="cx"> 0F300B7A18AB1B1400A6D72E /* DFGIntegerCheckCombiningPhase.h */,
</span><span class="cx"> 0FC97F3718202119002C9B26 /* DFGInvalidationPointInjectionPhase.cpp */,
</span><span class="lines">@@ -4666,6 +4718,10 @@
</span><span class="cx"> 0FA581B8150E952A00B9A2D9 /* DFGNodeFlags.h */,
</span><span class="cx"> 0F300B7718AB051100A6D72E /* DFGNodeOrigin.h */,
</span><span class="cx"> 0FA581B9150E952A00B9A2D9 /* DFGNodeType.h */,
</span><ins>+ 0F2B9CDA19D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.cpp */,
+ 0F2B9CDB19D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.h */,
+ 0F2B9CDC19D0BA7D00B1D1B5 /* DFGObjectMaterializationData.cpp */,
+ 0F2B9CDD19D0BA7D00B1D1B5 /* DFGObjectMaterializationData.h */,
</ins><span class="cx"> 86EC9DBF1328DF82002B2AD7 /* DFGOperations.cpp */,
</span><span class="cx"> 86EC9DC01328DF82002B2AD7 /* DFGOperations.h */,
</span><span class="cx"> A7D89CEE17A0B8CC00773AD8 /* DFGOSRAvailabilityAnalysisPhase.cpp */,
</span><span class="lines">@@ -4695,12 +4751,19 @@
</span><span class="cx"> 0FBFDD03196C92BF007A5BFA /* DFGPhantomRemovalPhase.h */,
</span><span class="cx"> 0FFFC94F14EF909500C72532 /* DFGPhase.cpp */,
</span><span class="cx"> 0FFFC95014EF909500C72532 /* DFGPhase.h */,
</span><ins>+ 0F2B9CDE19D0BA7D00B1D1B5 /* DFGPhiChildren.cpp */,
+ 0F2B9CDF19D0BA7D00B1D1B5 /* DFGPhiChildren.h */,
</ins><span class="cx"> A78A9772179738B8009DF744 /* DFGPlan.cpp */,
</span><span class="cx"> A78A9773179738B8009DF744 /* DFGPlan.h */,
</span><span class="cx"> 0FBE0F6D16C1DB010082C5E8 /* DFGPredictionInjectionPhase.cpp */,
</span><span class="cx"> 0FBE0F6E16C1DB010082C5E8 /* DFGPredictionInjectionPhase.h */,
</span><span class="cx"> 0FFFC95114EF909500C72532 /* DFGPredictionPropagationPhase.cpp */,
</span><span class="cx"> 0FFFC95214EF909500C72532 /* DFGPredictionPropagationPhase.h */,
</span><ins>+ 0F3E01A819D353A500F61B7F /* DFGPrePostNumbering.cpp */,
+ 0F3E01A919D353A500F61B7F /* DFGPrePostNumbering.h */,
+ 0F2B9CE019D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.cpp */,
+ 0F2B9CE119D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.h */,
+ 0FAA3E0819D0C2CB00FAC9E2 /* DFGPromoteHeapAccess.h */,
</ins><span class="cx"> 0FB1765E196B8F9E0091052A /* DFGPureValue.cpp */,
</span><span class="cx"> 0FB1765F196B8F9E0091052A /* DFGPureValue.h */,
</span><span class="cx"> 86EC9DC11328DF82002B2AD7 /* DFGRegisterBank.h */,
</span><span class="lines">@@ -5281,6 +5344,7 @@
</span><span class="cx"> A5D2E665195E174000A518E7 /* JSContextRefInternal.h in Headers */,
</span><span class="cx"> A7D801A51880D66E0026C39B /* BuiltinExecutables.h in Headers */,
</span><span class="cx"> A75EE9B218AAB7E200AAD043 /* BuiltinNames.h in Headers */,
</span><ins>+ 0F2B9CF719D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.h in Headers */,
</ins><span class="cx"> 0FB7F39715ED8E4600F167B2 /* Butterfly.h in Headers */,
</span><span class="cx"> 0FB7F39815ED8E4600F167B2 /* ButterflyInlines.h in Headers */,
</span><span class="cx"> C2FCAE1117A9C24E0034C735 /* BytecodeBasicBlock.h in Headers */,
</span><span class="lines">@@ -5339,6 +5403,7 @@
</span><span class="cx"> 2A68295B1875F80500B6C3E2 /* CopyWriteBarrier.h in Headers */,
</span><span class="cx"> 5DE6E5B30E1728EC00180407 /* create_hash_table in Headers */,
</span><span class="cx"> 0F426A4B1460CD6E00131F8F /* DataFormat.h in Headers */,
</span><ins>+ 0F2B9CE519D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.h in Headers */,
</ins><span class="cx"> 0F2B66DF17B6B5AB00A7AE3F /* DataView.h in Headers */,
</span><span class="cx"> BCD2034A0E17135E002C7E82 /* DateConstructor.h in Headers */,
</span><span class="cx"> 41359CF30FDD89AD00206180 /* DateConversion.h in Headers */,
</span><span class="lines">@@ -5426,10 +5491,12 @@
</span><span class="cx"> A78A9779179738B8009DF744 /* DFGJITFinalizer.h in Headers */,
</span><span class="cx"> 0FC97F4018202119002C9B26 /* DFGJumpReplacement.h in Headers */,
</span><span class="cx"> A73A535B1799CD5D00170C19 /* DFGLazyJSValue.h in Headers */,
</span><ins>+ 0F2B9CE919D0BA7D00B1D1B5 /* DFGObjectMaterializationData.h in Headers */,
</ins><span class="cx"> A7D9A29817A0BC7400EE2618 /* DFGLICMPhase.h in Headers */,
</span><span class="cx"> A7D89CFC17A0B8CC00773AD8 /* DFGLivenessAnalysisPhase.h in Headers */,
</span><span class="cx"> 0FF0F19B16B729FA005DF95B /* DFGLongLivedState.h in Headers */,
</span><span class="cx"> A767B5B617A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.h in Headers */,
</span><ins>+ 0F2B9CED19D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.h in Headers */,
</ins><span class="cx"> A704D90717A0BAA8006BA554 /* DFGMergeMode.h in Headers */,
</span><span class="cx"> 0FB17663196B8F9E0091052A /* DFGPureValue.h in Headers */,
</span><span class="cx"> 0F2BDC451522801B00CD8910 /* DFGMinifiedGraph.h in Headers */,
</span><span class="lines">@@ -5486,6 +5553,7 @@
</span><span class="cx"> 0F2BDC471522802500CD8910 /* DFGValueRecoveryOverride.h in Headers */,
</span><span class="cx"> 0F2BDC481522802900CD8910 /* DFGValueSource.h in Headers */,
</span><span class="cx"> 0F620174143FCD330068B77C /* DFGVariableAccessData.h in Headers */,
</span><ins>+ 0FAA3E0919D0C2CB00FAC9E2 /* DFGPromoteHeapAccess.h in Headers */,
</ins><span class="cx"> 0FDDBFB61666EEDA00C55FEF /* DFGVariableAccessDataDump.h in Headers */,
</span><span class="cx"> 0F2BDC491522809600CD8910 /* DFGVariableEvent.h in Headers */,
</span><span class="cx"> 0F2BDC4B1522809D00CD8910 /* DFGVariableEventStream.h in Headers */,
</span><span class="lines">@@ -5623,6 +5691,7 @@
</span><span class="cx"> 0F24E55617F0B71C00ABB217 /* InlineCallFrameSet.h in Headers */,
</span><span class="cx"> 99E45A2718A1B2590026D88F /* InputCursor.h in Headers */,
</span><span class="cx"> A593CF7F1840362C00BFCE27 /* InspectorAgentBase.h in Headers */,
</span><ins>+ 0F3E01AB19D353A500F61B7F /* DFGPrePostNumbering.h in Headers */,
</ins><span class="cx"> A593CF87184038CA00BFCE27 /* InspectorAgentRegistry.h in Headers */,
</span><span class="cx"> A593CF7D1840360300BFCE27 /* InspectorBackendDispatcher.h in Headers */,
</span><span class="cx"> A5FD0082189B191A00633231 /* InspectorConsoleAgent.h in Headers */,
</span><span class="lines">@@ -5647,6 +5716,7 @@
</span><span class="cx"> 1429D77C0ED20D7300B89619 /* Interpreter.h in Headers */,
</span><span class="cx"> 860BD801148EA6F200112B2F /* Intrinsic.h in Headers */,
</span><span class="cx"> BC18C4130E16F5CD00B34460 /* JavaScript.h in Headers */,
</span><ins>+ 0F2B9CF519D0BAC100B1D1B5 /* FTLExitPropertyValue.h in Headers */,
</ins><span class="cx"> A503FA1A188E0FB000110F14 /* JavaScriptCallFrame.h in Headers */,
</span><span class="cx"> BC18C4140E16F5CD00B34460 /* JavaScriptCore.h in Headers */,
</span><span class="cx"> BC18C4150E16F5CD00B34460 /* JavaScriptCorePrefix.h in Headers */,
</span><span class="lines">@@ -5690,6 +5760,7 @@
</span><span class="cx"> 657CF45919BF6662004ACBF2 /* JSCallee.h in Headers */,
</span><span class="cx"> BC18C4190E16F5CD00B34460 /* JSCallbackConstructor.h in Headers */,
</span><span class="cx"> BC18C41A0E16F5CD00B34460 /* JSCallbackFunction.h in Headers */,
</span><ins>+ 0F2B9CF919D0BAC100B1D1B5 /* FTLOperations.h in Headers */,
</ins><span class="cx"> BC18C41B0E16F5CD00B34460 /* JSCallbackObject.h in Headers */,
</span><span class="cx"> BC18C41C0E16F5CD00B34460 /* JSCallbackObjectFunctions.h in Headers */,
</span><span class="cx"> A7D801A91880D6A80026C39B /* JSCBuiltins.h in Headers */,
</span><span class="lines">@@ -5790,6 +5861,7 @@
</span><span class="cx"> BC18C42D0E16F5CD00B34460 /* JSEnvironmentRecord.h in Headers */,
</span><span class="cx"> 86E3C615167BABD7006D760A /* JSVirtualMachine.h in Headers */,
</span><span class="cx"> 86E3C61D167BABEE006D760A /* JSVirtualMachineInternal.h in Headers */,
</span><ins>+ 0F2B9CE719D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.h in Headers */,
</ins><span class="cx"> A7CA3AE817DA41AE006538AF /* JSWeakMap.h in Headers */,
</span><span class="cx"> A7482E93116A7CAD003B0712 /* JSWeakObjectMapRefInternal.h in Headers */,
</span><span class="cx"> A7482B9311671147003B0712 /* JSWeakObjectMapRefPrivate.h in Headers */,
</span><span class="lines">@@ -5904,6 +5976,7 @@
</span><span class="cx"> 0F13912A16771C36009CCB07 /* ProfilerBytecodeSequence.h in Headers */,
</span><span class="cx"> 0FF729BA166AD360000F5BA3 /* ProfilerCompilation.h in Headers */,
</span><span class="cx"> 0FF729BB166AD360000F5BA3 /* ProfilerCompilationKind.h in Headers */,
</span><ins>+ 0F2B9CE319D0BA7D00B1D1B5 /* DFGAvailabilityMap.h in Headers */,
</ins><span class="cx"> 0FF729BC166AD360000F5BA3 /* ProfilerCompiledBytecode.h in Headers */,
</span><span class="cx"> 0FF729BD166AD360000F5BA3 /* ProfilerDatabase.h in Headers */,
</span><span class="cx"> 2A05ABD61961DF2400341750 /* JSPropertyNameEnumerator.h in Headers */,
</span><span class="lines">@@ -6011,6 +6084,7 @@
</span><span class="cx"> 0FD2C92416D01EE900C7803F /* StructureInlines.h in Headers */,
</span><span class="cx"> C2FE18A416BAEC4000AF3061 /* StructureRareData.h in Headers */,
</span><span class="cx"> C20BA92D16BB1C1500B3AEA2 /* StructureRareDataInlines.h in Headers */,
</span><ins>+ 0F2B9CEB19D0BA7D00B1D1B5 /* DFGPhiChildren.h in Headers */,
</ins><span class="cx"> 0F9332A514CA7DDD0085F3C6 /* StructureSet.h in Headers */,
</span><span class="cx"> 0F766D3915AE4A1F008F363E /* StructureStubClearingWatchpoint.h in Headers */,
</span><span class="cx"> BCCF0D080EF0AAB900413C8F /* StructureStubInfo.h in Headers */,
</span><span class="lines">@@ -6579,6 +6653,7 @@
</span><span class="cx"> 1429D8DD0ED2205B00B89619 /* CallFrame.cpp in Sources */,
</span><span class="cx"> 0F0B83B014BCF71600885B4F /* CallLinkInfo.cpp in Sources */,
</span><span class="cx"> 0F93329D14CA7DC30085F3C6 /* CallLinkStatus.cpp in Sources */,
</span><ins>+ 0F2B9CE419D0BA7D00B1D1B5 /* DFGInsertOSRHintsForUpdate.cpp in Sources */,
</ins><span class="cx"> 0F73D7AE165A142D00ACAB71 /* ClosureCallStubRoutine.cpp in Sources */,
</span><span class="cx"> 969A07960ED1D3AE00F1F681 /* CodeBlock.cpp in Sources */,
</span><span class="cx"> 0F8F94401667633000D61971 /* CodeBlockHash.cpp in Sources */,
</span><span class="lines">@@ -6623,12 +6698,14 @@
</span><span class="cx"> A7D9A29417A0BC7400EE2618 /* DFGAtTailAbstractState.cpp in Sources */,
</span><span class="cx"> 0F666EC61835672B00D017F1 /* DFGAvailability.cpp in Sources */,
</span><span class="cx"> 0F714CA416EA92F000F3EBEB /* DFGBackwardsPropagationPhase.cpp in Sources */,
</span><ins>+ 0F2B9CEC19D0BA7D00B1D1B5 /* DFGPromotedHeapLocation.cpp in Sources */,
</ins><span class="cx"> A7D89CF217A0B8CC00773AD8 /* DFGBasicBlock.cpp in Sources */,
</span><span class="cx"> A70B083217A0B79B00DAF14B /* DFGBinarySwitch.cpp in Sources */,
</span><span class="cx"> 2A88067819107D5500CB0BBB /* DFGFunctionWhitelist.cpp in Sources */,
</span><span class="cx"> A7D89CF317A0B8CC00773AD8 /* DFGBlockInsertionSet.cpp in Sources */,
</span><span class="cx"> 86EC9DC41328DF82002B2AD7 /* DFGByteCodeParser.cpp in Sources */,
</span><span class="cx"> 0FD82E2114172CE300179C94 /* DFGCapabilities.cpp in Sources */,
</span><ins>+ 0F2B9CE619D0BA7D00B1D1B5 /* DFGObjectAllocationSinkingPhase.cpp in Sources */,
</ins><span class="cx"> 0FFFC95714EF90A000C72532 /* DFGCFAPhase.cpp in Sources */,
</span><span class="cx"> 0F3B3A271544C995003ED0FF /* DFGCFGSimplificationPhase.cpp in Sources */,
</span><span class="cx"> A77A423F17A0BBFD00A8DB81 /* DFGClobberize.cpp in Sources */,
</span><span class="lines">@@ -6651,6 +6728,8 @@
</span><span class="cx"> 0FCA9113195E66A000426438 /* VariableWatchpointSet.cpp in Sources */,
</span><span class="cx"> 0FD81AD2154FB4EE00983E72 /* DFGDominators.cpp in Sources */,
</span><span class="cx"> 0FD3C82614115D4000FD81CB /* DFGDriver.cpp in Sources */,
</span><ins>+ 0F2B9CE219D0BA7D00B1D1B5 /* DFGAvailabilityMap.cpp in Sources */,
+ 0F2B9CE819D0BA7D00B1D1B5 /* DFGObjectMaterializationData.cpp in Sources */,
</ins><span class="cx"> 0FF0F19E16B72A0B005DF95B /* DFGEdge.cpp in Sources */,
</span><span class="cx"> 0FBC0AE71496C7C400D4FBDD /* DFGExitProfile.cpp in Sources */,
</span><span class="cx"> 0F0123321944EA1B00843A0C /* DFGValueStrength.cpp in Sources */,
</span><span class="lines">@@ -6767,6 +6846,7 @@
</span><span class="cx"> 0FC3CCFF19ADA410006AC72A /* DFGBlockWorklist.cpp in Sources */,
</span><span class="cx"> 0FEA0A0D170513DB00BB722C /* FTLJITCode.cpp in Sources */,
</span><span class="cx"> A78A9780179738D5009DF744 /* FTLJITFinalizer.cpp in Sources */,
</span><ins>+ 0F2B9CF419D0BAC100B1D1B5 /* FTLExitPropertyValue.cpp in Sources */,
</ins><span class="cx"> 0F6B1CB5185FC9E900845D97 /* FTLJSCall.cpp in Sources */,
</span><span class="cx"> 0F8F2B95172E04A0007DBDA5 /* FTLLink.cpp in Sources */,
</span><span class="cx"> 0FCEFADF180738C000472CE4 /* FTLLocation.cpp in Sources */,
</span><span class="lines">@@ -6818,6 +6898,7 @@
</span><span class="cx"> 0F24E55517F0B71C00ABB217 /* InlineCallFrameSet.cpp in Sources */,
</span><span class="cx"> A5CEEE14187F3BAD00E55C99 /* InspectorAgent.cpp in Sources */,
</span><span class="cx"> A593CF86184038CA00BFCE27 /* InspectorAgentRegistry.cpp in Sources */,
</span><ins>+ 0F2B9CF619D0BAC100B1D1B5 /* FTLExitTimeObjectMaterialization.cpp in Sources */,
</ins><span class="cx"> A593CF7C1840360300BFCE27 /* InspectorBackendDispatcher.cpp in Sources */,
</span><span class="cx"> 2AF7382C18BBBF92008A5A37 /* StructureIDTable.cpp in Sources */,
</span><span class="cx"> A5FD0081189B191A00633231 /* InspectorConsoleAgent.cpp in Sources */,
</span><span class="lines">@@ -6997,6 +7078,7 @@
</span><span class="cx"> 0F9FC8C314E1B5FE00D52AE0 /* PolymorphicPutByIdList.cpp in Sources */,
</span><span class="cx"> 0F98206016BFE38100240D02 /* PreciseJumpTargets.cpp in Sources */,
</span><span class="cx"> 95742F650DD11F5A000917FB /* Profile.cpp in Sources */,
</span><ins>+ 0F2B9CF819D0BAC100B1D1B5 /* FTLOperations.cpp in Sources */,
</ins><span class="cx"> 95CD45760E1C4FDD0085358E /* ProfileGenerator.cpp in Sources */,
</span><span class="cx"> 95AB83560DA43C3000BC83F3 /* ProfileNode.cpp in Sources */,
</span><span class="cx"> 0FF729AD166AD35C000F5BA3 /* ProfilerBytecode.cpp in Sources */,
</span><span class="lines">@@ -7019,6 +7101,7 @@
</span><span class="cx"> 65FB5117184EEE7000C12B70 /* ProtoCallFrame.cpp in Sources */,
</span><span class="cx"> 1474C33C16AA2D9B0062F01D /* PrototypeMap.cpp in Sources */,
</span><span class="cx"> 0F9332A314CA7DD70085F3C6 /* PutByIdStatus.cpp in Sources */,
</span><ins>+ 0F3E01AA19D353A500F61B7F /* DFGPrePostNumbering.cpp in Sources */,
</ins><span class="cx"> 0FF60AC316740F8800029779 /* ReduceWhitespace.cpp in Sources */,
</span><span class="cx"> 0FA7A8EB18B413C80052371D /* Reg.cpp in Sources */,
</span><span class="cx"> 14280841107EC0930013E7B2 /* RegExp.cpp in Sources */,
</span><span class="lines">@@ -7088,6 +7171,7 @@
</span><span class="cx"> 0FF42745158EBE91004CB9FF /* udis86_syn-att.c in Sources */,
</span><span class="cx"> 0FF42746158EBE91004CB9FF /* udis86_syn-intel.c in Sources */,
</span><span class="cx"> 0FF42747158EBE91004CB9FF /* udis86_syn.c in Sources */,
</span><ins>+ 0F2B9CEA19D0BA7D00B1D1B5 /* DFGPhiChildren.cpp in Sources */,
</ins><span class="cx"> 0FF42732158EBD58004CB9FF /* UDis86Disassembler.cpp in Sources */,
</span><span class="cx"> A76F279415F13C9600517D67 /* UnlinkedCodeBlock.cpp in Sources */,
</span><span class="cx"> B59F89391891F29F00D5CCDC /* UnlinkedInstructionStream.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeStructureSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/StructureSet.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/StructureSet.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/bytecode/StructureSet.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -166,6 +166,37 @@
</span><span class="cx"> return structureList()->list()[structureList()->m_length - 1];
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ class iterator {
+ public:
+ iterator()
+ : m_set(nullptr)
+ , m_index(0)
+ {
+ }
+
+ iterator(const StructureSet* set, size_t index)
+ : m_set(set)
+ , m_index(index)
+ {
+ }
+
+ Structure* operator*() const { return m_set->at(m_index); }
+ iterator& operator++()
+ {
+ m_index++;
+ return *this;
+ }
+ bool operator==(const iterator& other) const { return m_index == other.m_index; }
+ bool operator!=(const iterator& other) const { return !(*this == other); }
+
+ private:
+ const StructureSet* m_set;
+ size_t m_index;
+ };
+
+ iterator begin() const { return iterator(this, 0); }
+ iterator end() const { return iterator(this, size()); }
+
</ins><span class="cx"> bool operator==(const StructureSet& other) const;
</span><span class="cx">
</span><span class="cx"> SpeculatedType speculationFromStructures() const;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> #include "DFGBranchDirection.h"
</span><span class="cx"> #include "DFGGraph.h"
</span><span class="cx"> #include "DFGNode.h"
</span><ins>+#include "DFGPhiChildren.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx">
</span><span class="lines">@@ -80,18 +81,15 @@
</span><span class="cx"> //
</span><span class="cx"> // This is guaranteed to be equivalent to doing:
</span><span class="cx"> //
</span><del>- // if (state.startExecuting(index)) {
- // state.executeEdges(index);
- // result = state.executeEffects(index);
- // } else
- // result = true;
</del><ins>+ // state.startExecuting()
+ // state.executeEdges(index);
+ // result = state.executeEffects(index);
</ins><span class="cx"> bool execute(unsigned indexInBlock);
</span><span class="cx"> bool execute(Node*);
</span><span class="cx">
</span><del>- // Indicate the start of execution of the node. It resets any state in the node
</del><ins>+ // Indicate the start of execution of a node. It resets any state in the node
</ins><span class="cx"> // that is progressively built up by executeEdges() and executeEffects().
</span><del>- bool startExecuting(Node*);
- bool startExecuting(unsigned indexInBlock);
</del><ins>+ void startExecuting();
</ins><span class="cx">
</span><span class="cx"> // Abstractly execute the edges of the given node. This runs filterEdgeByUse()
</span><span class="cx"> // on all edges of the node. You can skip this step, if you have already used
</span><span class="lines">@@ -146,6 +144,8 @@
</span><span class="cx"> FiltrationResult filter(AbstractValue&, SpeculatedType);
</span><span class="cx"> FiltrationResult filterByValue(AbstractValue&, FrozenValue);
</span><span class="cx">
</span><ins>+ PhiChildren* phiChildren() { return m_phiChildren.get(); }
+
</ins><span class="cx"> private:
</span><span class="cx"> void clobberWorld(const CodeOrigin&, unsigned indexInBlock);
</span><span class="cx"> void clobberCapturedVars(const CodeOrigin&);
</span><span class="lines">@@ -195,6 +195,7 @@
</span><span class="cx"> CodeBlock* m_codeBlock;
</span><span class="cx"> Graph& m_graph;
</span><span class="cx"> AbstractStateType& m_state;
</span><ins>+ std::unique_ptr<PhiChildren> m_phiChildren;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } } // namespace JSC::DFG
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -43,6 +43,8 @@
</span><span class="cx"> , m_graph(graph)
</span><span class="cx"> , m_state(state)
</span><span class="cx"> {
</span><ins>+ if (m_graph.m_form == SSA)
+ m_phiChildren = std::make_unique<PhiChildren>(m_graph);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename AbstractStateType>
</span><span class="lines">@@ -81,23 +83,15 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename AbstractStateType>
</span><del>-bool AbstractInterpreter<AbstractStateType>::startExecuting(Node* node)
</del><ins>+void AbstractInterpreter<AbstractStateType>::startExecuting()
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(m_state.block());
</span><span class="cx"> ASSERT(m_state.isValid());
</span><span class="cx">
</span><span class="cx"> m_state.setDidClobber(false);
</span><del>-
- return node->shouldGenerate();
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename AbstractStateType>
</span><del>-bool AbstractInterpreter<AbstractStateType>::startExecuting(unsigned indexInBlock)
-{
- return startExecuting(m_state.block()->at(indexInBlock));
-}
-
-template<typename AbstractStateType>
</del><span class="cx"> void AbstractInterpreter<AbstractStateType>::executeEdges(Node* node)
</span><span class="cx"> {
</span><span class="cx"> DFG_NODE_DO_TO_CHILDREN(m_graph, node, filterEdgeByUse);
</span><span class="lines">@@ -1260,6 +1254,29 @@
</span><span class="cx"> forNode(node).set(m_graph, node->structure());
</span><span class="cx"> break;
</span><span class="cx">
</span><ins>+ case PhantomNewObject:
+ case BottomValue:
+ m_state.setDidClobber(true); // Prevent constant folding.
+ // This claims to return bottom.
+ break;
+
+ case PutByOffsetHint:
+ case PutStructureHint:
+ break;
+
+ case MaterializeNewObject: {
+ StructureSet set;
+
+ m_phiChildren->forAllTransitiveIncomingValues(
+ m_graph.varArgChild(node, 0).node(),
+ [&] (Node* incoming) {
+ set.add(incoming->castConstant<Structure*>());
+ });
+
+ forNode(node).set(m_graph, set);
+ break;
+ }
+
</ins><span class="cx"> case CreateActivation:
</span><span class="cx"> forNode(node).set(
</span><span class="cx"> m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->activationStructure());
</span><span class="lines">@@ -1459,7 +1476,6 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CheckStructure: {
</span><del>- // FIXME: We should be able to propagate the structure sets of constants (i.e. prototypes).
</del><span class="cx"> AbstractValue& value = forNode(node->child1());
</span><span class="cx"> ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
</span><span class="cx">
</span><span class="lines">@@ -1478,6 +1494,50 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case CheckStructureImmediate: {
+ // FIXME: This currently can only reason about one structure at a time.
+ // https://bugs.webkit.org/show_bug.cgi?id=136988
+
+ AbstractValue& value = forNode(node->child1());
+ StructureSet& set = node->structureSet();
+
+ if (value.value()) {
+ if (Structure* structure = jsDynamicCast<Structure*>(value.value())) {
+ if (set.contains(structure)) {
+ m_state.setFoundConstants(true);
+ break;
+ }
+ }
+ m_state.setIsValid(false);
+ break;
+ }
+
+ if (m_phiChildren) {
+ bool allGood = true;
+ m_phiChildren->forAllTransitiveIncomingValues(
+ node,
+ [&] (Node* incoming) {
+ if (Structure* structure = incoming->dynamicCastConstant<Structure*>()) {
+ if (set.contains(structure))
+ return;
+ }
+ allGood = false;
+ });
+ if (allGood) {
+ m_state.setFoundConstants(true);
+ break;
+ }
+ }
+
+ if (Structure* structure = set.onlyStructure()) {
+ filterByValue(node->child1(), *m_graph.freeze(structure));
+ break;
+ }
+
+ // Aw shucks, we can't do anything!
+ break;
+ }
+
</ins><span class="cx"> case PutStructure:
</span><span class="cx"> if (!forNode(node->child1()).m_structure.isClear()) {
</span><span class="cx"> if (forNode(node->child1()).m_structure.onlyStructure() == node->transition()->next)
</span><span class="lines">@@ -1957,15 +2017,13 @@
</span><span class="cx">
</span><span class="cx"> case CheckTierUpAndOSREnter:
</span><span class="cx"> case LoopHint:
</span><del>- // We pretend that it can exit because it may want to get all state.
</del><ins>+ case ZombieHint:
</ins><span class="cx"> break;
</span><span class="cx">
</span><del>- case ZombieHint:
</del><span class="cx"> case Unreachable:
</span><span class="cx"> case LastNodeType:
</span><span class="cx"> case ArithIMul:
</span><span class="cx"> case FiatInt52:
</span><del>- case BottomValue:
</del><span class="cx"> DFG_CRASH(m_graph, node, "Unexpected node type");
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -1983,9 +2041,8 @@
</span><span class="cx"> bool AbstractInterpreter<AbstractStateType>::execute(unsigned indexInBlock)
</span><span class="cx"> {
</span><span class="cx"> Node* node = m_state.block()->at(indexInBlock);
</span><del>- if (!startExecuting(node))
- return true;
</del><span class="cx">
</span><ins>+ startExecuting();
</ins><span class="cx"> executeEdges(node);
</span><span class="cx"> return executeEffects(indexInBlock, node);
</span><span class="cx"> }
</span><span class="lines">@@ -1993,9 +2050,7 @@
</span><span class="cx"> template<typename AbstractStateType>
</span><span class="cx"> bool AbstractInterpreter<AbstractStateType>::execute(Node* node)
</span><span class="cx"> {
</span><del>- if (!startExecuting(node))
- return true;
-
</del><ins>+ startExecuting();
</ins><span class="cx"> executeEdges(node);
</span><span class="cx"> return executeEffects(UINT_MAX, node);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAvailabilityh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAvailability.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAvailability.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGAvailability.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -85,6 +85,7 @@
</span><span class="cx"> bool nodeIsUnavailable() const { return m_node == unavailableMarker(); }
</span><span class="cx">
</span><span class="cx"> bool hasNode() const { return !nodeIsUndecided() && !nodeIsUnavailable(); }
</span><ins>+ bool shouldUseNode() const { return !isFlushUseful() && hasNode(); }
</ins><span class="cx">
</span><span class="cx"> Node* node() const
</span><span class="cx"> {
</span><span class="lines">@@ -94,7 +95,13 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> FlushedAt flushedAt() const { return m_flushedAt; }
</span><ins>+ bool isFlushUseful() const
+ {
+ return flushedAt().format() != DeadFlush && flushedAt().format() != ConflictingFlush;
+ }
</ins><span class="cx">
</span><ins>+ bool isDead() const { return !isFlushUseful() && !hasNode(); }
+
</ins><span class="cx"> bool operator!() const { return nodeIsUnavailable() && flushedAt().format() == ConflictingFlush; }
</span><span class="cx">
</span><span class="cx"> bool operator==(const Availability& other) const
</span><span class="lines">@@ -103,6 +110,11 @@
</span><span class="cx"> && m_flushedAt == other.m_flushedAt;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ bool operator!=(const Availability& other) const
+ {
+ return !(*this == other);
+ }
+
</ins><span class="cx"> Availability merge(const Availability& other) const
</span><span class="cx"> {
</span><span class="cx"> return Availability(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAvailabilityMapcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,96 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGAvailabilityMap.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "OperandsInlines.h"
+#include <wtf/ListDump.h>
+
+namespace JSC { namespace DFG {
+
+void AvailabilityMap::prune()
+{
+ if (m_heap.isEmpty())
+ return;
+
+ HashSet<Node*> possibleNodes;
+
+ for (unsigned i = m_locals.size(); i--;) {
+ if (m_locals[i].hasNode())
+ possibleNodes.add(m_locals[i].node());
+ }
+
+ int oldPossibleNodesSize;
+ do {
+ oldPossibleNodesSize = possibleNodes.size();
+ for (auto pair : m_heap) {
+ if (pair.value.hasNode() && possibleNodes.contains(pair.key.base()))
+ possibleNodes.add(pair.value.node());
+ }
+ } while (oldPossibleNodesSize != possibleNodes.size());
+
+ HashMap<PromotedHeapLocation, Availability> newHeap;
+ for (auto pair : m_heap) {
+ if (possibleNodes.contains(pair.key.base()))
+ newHeap.add(pair.key, pair.value);
+ }
+ m_heap = newHeap;
+}
+
+void AvailabilityMap::clear()
+{
+ m_locals.fill(Availability());
+ m_heap.clear();
+}
+
+void AvailabilityMap::dump(PrintStream& out) const
+{
+ out.print("{locals = ", m_locals, "; heap = ", mapDump(m_heap), "}");
+}
+
+bool AvailabilityMap::operator==(const AvailabilityMap& other) const
+{
+ return m_locals == other.m_locals
+ && m_heap == other.m_heap;
+}
+
+void AvailabilityMap::merge(const AvailabilityMap& other)
+{
+ for (unsigned i = other.m_locals.size(); i--;)
+ m_locals[i] = other.m_locals[i].merge(m_locals[i]);
+
+ for (auto pair : other.m_heap) {
+ auto result = m_heap.add(pair.key, Availability());
+ result.iterator->value = pair.value.merge(result.iterator->value);
+ }
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAvailabilityMaph"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGAvailabilityMap.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAvailabilityMap.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGAvailabilityMap.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,64 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGAvailabilityMap_h
+#define DFGAvailabilityMap_h
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGAvailability.h"
+#include "DFGPromotedHeapLocation.h"
+
+namespace JSC { namespace DFG {
+
+struct AvailabilityMap {
+ void prune();
+ void clear();
+
+ void dump(PrintStream& out) const;
+
+ bool operator==(const AvailabilityMap& other) const;
+
+ void merge(const AvailabilityMap& other);
+
+ template<typename Functor>
+ void forEachAvailability(const Functor& functor)
+ {
+ for (unsigned i = m_locals.size(); i--;)
+ functor(m_locals[i]);
+ for (auto pair : m_heap)
+ functor(pair.value);
+ }
+
+ Operands<Availability> m_locals;
+ HashMap<PromotedHeapLocation, Availability> m_heap;
+};
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGAvailabilityMap_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGBasicBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -118,9 +118,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> BasicBlock::SSAData::SSAData(BasicBlock* block)
</span><del>- : availabilityAtHead(OperandsLike, block->variablesAtHead)
- , availabilityAtTail(OperandsLike, block->variablesAtHead)
</del><span class="cx"> {
</span><ins>+ availabilityAtHead.m_locals = Operands<Availability>(OperandsLike, block->variablesAtHead);
+ availabilityAtTail.m_locals = Operands<Availability>(OperandsLike, block->variablesAtHead);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> BasicBlock::SSAData::~SSAData() { }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGBasicBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx">
</span><span class="cx"> #include "DFGAbstractValue.h"
</span><span class="cx"> #include "DFGAvailability.h"
</span><ins>+#include "DFGAvailabilityMap.h"
</ins><span class="cx"> #include "DFGBranchDirection.h"
</span><span class="cx"> #include "DFGFlushedAt.h"
</span><span class="cx"> #include "DFGNode.h"
</span><span class="lines">@@ -46,6 +47,7 @@
</span><span class="cx"> class InsertionSet;
</span><span class="cx">
</span><span class="cx"> typedef Vector<BasicBlock*, 2> PredecessorList;
</span><ins>+typedef Vector<Node*, 8> BlockNodeList;
</ins><span class="cx">
</span><span class="cx"> struct BasicBlock : RefCounted<BasicBlock> {
</span><span class="cx"> BasicBlock(
</span><span class="lines">@@ -85,6 +87,9 @@
</span><span class="cx"> bool isInPhis(Node* node) const;
</span><span class="cx"> bool isInBlock(Node* myNode) const;
</span><span class="cx">
</span><ins>+ BlockNodeList::iterator begin() { return m_nodes.begin(); }
+ BlockNodeList::iterator end() { return m_nodes.end(); }
+
</ins><span class="cx"> unsigned numSuccessors() { return last()->numSuccessors(); }
</span><span class="cx">
</span><span class="cx"> BasicBlock*& successor(unsigned index)
</span><span class="lines">@@ -96,6 +101,76 @@
</span><span class="cx"> return last()->successorForCondition(condition);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ class SuccessorsIterable {
+ public:
+ SuccessorsIterable()
+ : m_block(nullptr)
+ {
+ }
+
+ SuccessorsIterable(BasicBlock* block)
+ : m_block(block)
+ {
+ }
+
+ class iterator {
+ public:
+ iterator()
+ : m_block(nullptr)
+ , m_index(UINT_MAX)
+ {
+ }
+
+ iterator(BasicBlock* block, unsigned index)
+ : m_block(block)
+ , m_index(index)
+ {
+ }
+
+ BasicBlock* operator*()
+ {
+ return m_block->successor(m_index);
+ }
+
+ iterator& operator++()
+ {
+ m_index++;
+ return *this;
+ }
+
+ bool operator==(const iterator& other) const
+ {
+ return m_index == other.m_index;
+ }
+
+ bool operator!=(const iterator& other) const
+ {
+ return !(*this == other);
+ }
+ private:
+ BasicBlock* m_block;
+ unsigned m_index;
+ };
+
+ iterator begin()
+ {
+ return iterator(m_block, 0);
+ }
+
+ iterator end()
+ {
+ return iterator(m_block, m_block->numSuccessors());
+ }
+
+ private:
+ BasicBlock* m_block;
+ };
+
+ SuccessorsIterable successors()
+ {
+ return SuccessorsIterable(this);
+ }
+
</ins><span class="cx"> void removePredecessor(BasicBlock* block);
</span><span class="cx"> void replacePredecessor(BasicBlock* from, BasicBlock* to);
</span><span class="cx">
</span><span class="lines">@@ -169,8 +244,9 @@
</span><span class="cx"> unsigned innerMostLoopIndices[numberOfInnerMostLoopIndices];
</span><span class="cx">
</span><span class="cx"> struct SSAData {
</span><del>- Operands<Availability> availabilityAtHead;
- Operands<Availability> availabilityAtTail;
</del><ins>+ AvailabilityMap availabilityAtHead;
+ AvailabilityMap availabilityAtTail;
+
</ins><span class="cx"> HashSet<Node*> liveAtHead;
</span><span class="cx"> HashSet<Node*> liveAtTail;
</span><span class="cx"> HashMap<Node*, AbstractValue> valuesAtHead;
</span><span class="lines">@@ -183,7 +259,7 @@
</span><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> friend class InsertionSet;
</span><del>- Vector<Node*, 8> m_nodes;
</del><ins>+ BlockNodeList m_nodes;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> typedef Vector<BasicBlock*, 5> BlockList;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -109,6 +109,7 @@
</span><span class="cx"> case HardPhantom:
</span><span class="cx"> case Check:
</span><span class="cx"> case ExtractOSREntryLocal:
</span><ins>+ case CheckStructureImmediate:
</ins><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> case BitAnd:
</span><span class="lines">@@ -273,6 +274,8 @@
</span><span class="cx"> case ProfileDidCall:
</span><span class="cx"> case StoreBarrier:
</span><span class="cx"> case StoreBarrierWithNullCheck:
</span><ins>+ case PutByOffsetHint:
+ case PutStructureHint:
</ins><span class="cx"> write(SideState);
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="lines">@@ -787,17 +790,15 @@
</span><span class="cx"> case NewObject:
</span><span class="cx"> case NewRegexp:
</span><span class="cx"> case NewStringObject:
</span><del>- read(HeapObjectCount);
- write(HeapObjectCount);
- return;
-
</del><ins>+ case PhantomNewObject:
+ case MaterializeNewObject:
</ins><span class="cx"> case NewFunctionNoCheck:
</span><span class="cx"> case NewFunction:
</span><span class="cx"> case NewFunctionExpression:
</span><span class="cx"> read(HeapObjectCount);
</span><span class="cx"> write(HeapObjectCount);
</span><span class="cx"> return;
</span><del>-
</del><ins>+
</ins><span class="cx"> case RegExpExec:
</span><span class="cx"> case RegExpTest:
</span><span class="cx"> read(RegExpState);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -124,6 +124,42 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case CheckStructureImmediate: {
+ AbstractValue& value = m_state.forNode(node->child1());
+ StructureSet& set = node->structureSet();
+
+ if (value.value()) {
+ if (Structure* structure = jsDynamicCast<Structure*>(value.value())) {
+ if (set.contains(structure)) {
+ m_interpreter.execute(indexInBlock);
+ node->convertToPhantom();
+ eliminated = true;
+ break;
+ }
+ }
+ }
+
+ if (PhiChildren* phiChildren = m_interpreter.phiChildren()) {
+ bool allGood = true;
+ phiChildren->forAllTransitiveIncomingValues(
+ node,
+ [&] (Node* incoming) {
+ if (Structure* structure = incoming->dynamicCastConstant<Structure*>()) {
+ if (set.contains(structure))
+ return;
+ }
+ allGood = false;
+ });
+ if (allGood) {
+ m_interpreter.execute(indexInBlock);
+ node->convertToPhantom();
+ eliminated = true;
+ break;
+ }
+ }
+ break;
+ }
+
</ins><span class="cx"> case CheckArray:
</span><span class="cx"> case Arrayify: {
</span><span class="cx"> if (!node->arrayMode().alreadyChecked(m_graph, node, m_state.forNode(node->child1())))
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -199,6 +199,10 @@
</span><span class="cx"> case BooleanToNumber:
</span><span class="cx"> case CheckBadCell:
</span><span class="cx"> case BottomValue:
</span><ins>+ case PhantomNewObject:
+ case PutByOffsetHint:
+ case CheckStructureImmediate:
+ case PutStructureHint:
</ins><span class="cx"> return false;
</span><span class="cx">
</span><span class="cx"> case CreateActivation:
</span><span class="lines">@@ -225,6 +229,7 @@
</span><span class="cx"> case GetGenericPropertyEnumerator:
</span><span class="cx"> case GetEnumeratorPname:
</span><span class="cx"> case ToIndexString:
</span><ins>+ case MaterializeNewObject:
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> case MultiPutByOffset:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -1013,6 +1013,11 @@
</span><span class="cx"> case Int52Constant:
</span><span class="cx"> case Identity: // This should have been cleaned up.
</span><span class="cx"> case BooleanToNumber:
</span><ins>+ case PhantomNewObject:
+ case PutByOffsetHint:
+ case CheckStructureImmediate:
+ case PutStructureHint:
+ case MaterializeNewObject:
</ins><span class="cx"> // These are just nodes that we don't currently expect to see during fixup.
</span><span class="cx"> // If we ever wanted to insert them prior to fixup, then we just have to create
</span><span class="cx"> // fixup rules for them.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFlushedAtcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFlushedAt.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFlushedAt.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGFlushedAt.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -36,8 +36,10 @@
</span><span class="cx"> {
</span><span class="cx"> if (m_format == DeadFlush || m_format == ConflictingFlush)
</span><span class="cx"> out.print(m_format);
</span><ins>+ else if (m_virtualRegister.isValid())
+ out.print("r", m_virtualRegister, ":", m_format);
</ins><span class="cx"> else
</span><del>- out.print("r", m_virtualRegister, ":", m_format);
</del><ins>+ out.print(m_format);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void FlushedAt::dumpInContext(PrintStream& out, DumpContext*) const
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFlushedAth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFlushedAt.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFlushedAt.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGFlushedAt.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -52,8 +52,6 @@
</span><span class="cx"> {
</span><span class="cx"> if (format == DeadFlush)
</span><span class="cx"> ASSERT(!virtualRegister.isValid());
</span><del>- else
- ASSERT(virtualRegister.isValid());
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool operator!() const { return m_format == DeadFlush; }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -323,6 +323,8 @@
</span><span class="cx"> out.print(comma, inContext(JSValue(node->typedArray()), context));
</span><span class="cx"> if (node->hasStoragePointer())
</span><span class="cx"> out.print(comma, RawPointer(node->storagePointer()));
</span><ins>+ if (node->hasObjectMaterializationData())
+ out.print(comma, node->objectMaterializationData());
</ins><span class="cx"> if (node->isConstant())
</span><span class="cx"> out.print(comma, pointerDumpInContext(node->constant(), context));
</span><span class="cx"> if (node->isJump())
</span><span class="lines">@@ -368,12 +370,21 @@
</span><span class="cx"> for (size_t i = 0; i < block->predecessors.size(); ++i)
</span><span class="cx"> out.print(" ", *block->predecessors[i]);
</span><span class="cx"> out.print("\n");
</span><ins>+ out.print(prefix, " Successors:");
+ for (BasicBlock* successor : block->successors()) {
+ out.print(" ", *successor);
+ if (m_prePostNumbering.isValid())
+ out.print(" (", m_prePostNumbering.edgeKind(block, successor), ")");
+ }
+ out.print("\n");
</ins><span class="cx"> if (m_dominators.isValid()) {
</span><span class="cx"> out.print(prefix, " Dominated by: ", m_dominators.dominatorsOf(block), "\n");
</span><span class="cx"> out.print(prefix, " Dominates: ", m_dominators.blocksDominatedBy(block), "\n");
</span><span class="cx"> out.print(prefix, " Dominance Frontier: ", m_dominators.dominanceFrontierOf(block), "\n");
</span><span class="cx"> out.print(prefix, " Iterated Dominance Frontier: ", m_dominators.iteratedDominanceFrontierOf(BlockList(1, block)), "\n");
</span><span class="cx"> }
</span><ins>+ if (m_prePostNumbering.isValid())
+ out.print(prefix, " Pre/Post Numbering: ", m_prePostNumbering.preNumber(block), "/", m_prePostNumbering.postNumber(block), "\n");
</ins><span class="cx"> if (m_naturalLoops.isValid()) {
</span><span class="cx"> if (const NaturalLoop* loop = m_naturalLoops.headerOf(block)) {
</span><span class="cx"> out.print(prefix, " Loop header, contains:");
</span><span class="lines">@@ -562,6 +573,27 @@
</span><span class="cx"> determineReachability();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void Graph::mergeRelevantToOSR()
+{
+ for (BasicBlock* block : blocksInNaturalOrder()) {
+ for (Node* node : *block) {
+ switch (node->op()) {
+ case MovHint:
+ node->child1()->mergeFlags(NodeRelevantToOSR);
+ break;
+
+ case PutStructureHint:
+ case PutByOffsetHint:
+ node->child2()->mergeFlags(NodeRelevantToOSR);
+ break;
+
+ default:
+ break;
+ }
+ }
+ }
+}
+
</ins><span class="cx"> namespace {
</span><span class="cx">
</span><span class="cx"> class RefCountCalculator {
</span><span class="lines">@@ -707,6 +739,7 @@
</span><span class="cx"> {
</span><span class="cx"> m_dominators.invalidate();
</span><span class="cx"> m_naturalLoops.invalidate();
</span><ins>+ m_prePostNumbering.invalidate();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void Graph::substituteGetLocal(BasicBlock& block, unsigned startIndexInBlock, VariableAccessData* variableAccessData, Node* newGetLocal)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -39,6 +39,7 @@
</span><span class="cx"> #include "DFGNode.h"
</span><span class="cx"> #include "DFGNodeAllocator.h"
</span><span class="cx"> #include "DFGPlan.h"
</span><ins>+#include "DFGPrePostNumbering.h"
</ins><span class="cx"> #include "DFGScannable.h"
</span><span class="cx"> #include "JSStack.h"
</span><span class="cx"> #include "MethodOfGettingAValueProfile.h"
</span><span class="lines">@@ -55,6 +56,47 @@
</span><span class="cx">
</span><span class="cx"> namespace DFG {
</span><span class="cx">
</span><ins>+#define DFG_NODE_DO_TO_CHILDREN(graph, node, thingToDo) do { \
+ Node* _node = (node); \
+ if (_node->flags() & NodeHasVarArgs) { \
+ for (unsigned _childIdx = _node->firstChild(); \
+ _childIdx < _node->firstChild() + _node->numChildren(); \
+ _childIdx++) { \
+ if (!!(graph).m_varArgChildren[_childIdx]) \
+ thingToDo(_node, (graph).m_varArgChildren[_childIdx]); \
+ } \
+ } else { \
+ if (!_node->child1()) { \
+ ASSERT( \
+ !_node->child2() \
+ && !_node->child3()); \
+ break; \
+ } \
+ thingToDo(_node, _node->child1()); \
+ \
+ if (!_node->child2()) { \
+ ASSERT(!_node->child3()); \
+ break; \
+ } \
+ thingToDo(_node, _node->child2()); \
+ \
+ if (!_node->child3()) \
+ break; \
+ thingToDo(_node, _node->child3()); \
+ } \
+ } while (false)
+
+#define DFG_ASSERT(graph, node, assertion) do { \
+ if (!!(assertion)) \
+ break; \
+ (graph).handleAssertionFailure( \
+ (node), __FILE__, __LINE__, WTF_PRETTY_FUNCTION, #assertion); \
+ } while (false)
+
+#define DFG_CRASH(graph, node, reason) \
+ (graph).handleAssertionFailure( \
+ (node), __FILE__, __LINE__, WTF_PRETTY_FUNCTION, (reason));
+
</ins><span class="cx"> struct InlineVariableData {
</span><span class="cx"> InlineCallFrame* inlineCallFrame;
</span><span class="cx"> unsigned argumentPositionStart;
</span><span class="lines">@@ -565,6 +607,8 @@
</span><span class="cx"> void determineReachability();
</span><span class="cx"> void resetReachability();
</span><span class="cx">
</span><ins>+ void mergeRelevantToOSR();
+
</ins><span class="cx"> void computeRefCounts();
</span><span class="cx">
</span><span class="cx"> unsigned varArgNumChildren(Node* node)
</span><span class="lines">@@ -676,6 +720,100 @@
</span><span class="cx"> BlockList blocksInPreOrder();
</span><span class="cx"> BlockList blocksInPostOrder();
</span><span class="cx">
</span><ins>+ class NaturalBlockIterable {
+ public:
+ NaturalBlockIterable()
+ : m_graph(nullptr)
+ {
+ }
+
+ NaturalBlockIterable(Graph& graph)
+ : m_graph(&graph)
+ {
+ }
+
+ class iterator {
+ public:
+ iterator()
+ : m_graph(nullptr)
+ , m_index(0)
+ {
+ }
+
+ iterator(Graph& graph, BlockIndex index)
+ : m_graph(&graph)
+ , m_index(findNext(index))
+ {
+ }
+
+ BasicBlock *operator*()
+ {
+ return m_graph->block(m_index);
+ }
+
+ iterator& operator++()
+ {
+ m_index = findNext(m_index + 1);
+ return *this;
+ }
+
+ bool operator==(const iterator& other) const
+ {
+ return m_index == other.m_index;
+ }
+
+ bool operator!=(const iterator& other) const
+ {
+ return !(*this == other);
+ }
+
+ private:
+ BlockIndex findNext(BlockIndex index)
+ {
+ while (index < m_graph->numBlocks() && !m_graph->block(index))
+ index++;
+ return index;
+ }
+
+ Graph* m_graph;
+ BlockIndex m_index;
+ };
+
+ iterator begin()
+ {
+ return iterator(*m_graph, 0);
+ }
+
+ iterator end()
+ {
+ return iterator(*m_graph, m_graph->numBlocks());
+ }
+
+ private:
+ Graph* m_graph;
+ };
+
+ NaturalBlockIterable blocksInNaturalOrder()
+ {
+ return NaturalBlockIterable(*this);
+ }
+
+ template<typename ChildFunctor>
+ void doToChildrenWithNode(Node* node, const ChildFunctor& functor)
+ {
+ DFG_NODE_DO_TO_CHILDREN(*this, node, functor);
+ }
+
+ template<typename ChildFunctor>
+ void doToChildren(Node* node, const ChildFunctor& functor)
+ {
+ doToChildrenWithNode(
+ node,
+ [&functor] (Node*, Edge& edge) {
+ functor(edge);
+ });
+ }
+
</ins><span class="cx"> Profiler::Compilation* compilation() { return m_plan.compilation.get(); }
</span><span class="cx">
</span><span class="cx"> DesiredIdentifiers& identifiers() { return m_plan.identifiers; }
</span><span class="lines">@@ -736,12 +874,14 @@
</span><span class="cx"> Bag<SwitchData> m_switchData;
</span><span class="cx"> Bag<MultiGetByOffsetData> m_multiGetByOffsetData;
</span><span class="cx"> Bag<MultiPutByOffsetData> m_multiPutByOffsetData;
</span><ins>+ Bag<ObjectMaterializationData> m_objectMaterializationData;
</ins><span class="cx"> Vector<InlineVariableData, 4> m_inlineVariableData;
</span><span class="cx"> HashMap<CodeBlock*, std::unique_ptr<FullBytecodeLiveness>> m_bytecodeLiveness;
</span><span class="cx"> bool m_hasArguments;
</span><span class="cx"> HashSet<ExecutableBase*> m_executablesWhoseArgumentsEscaped;
</span><span class="cx"> BitVector m_lazyVars;
</span><span class="cx"> Dominators m_dominators;
</span><ins>+ PrePostNumbering m_prePostNumbering;
</ins><span class="cx"> NaturalLoops m_naturalLoops;
</span><span class="cx"> unsigned m_localVars;
</span><span class="cx"> unsigned m_nextMachineLocal;
</span><span class="lines">@@ -786,47 +926,6 @@
</span><span class="cx"> }
</span><span class="cx"> };
</span><span class="cx">
</span><del>-#define DFG_NODE_DO_TO_CHILDREN(graph, node, thingToDo) do { \
- Node* _node = (node); \
- if (_node->flags() & NodeHasVarArgs) { \
- for (unsigned _childIdx = _node->firstChild(); \
- _childIdx < _node->firstChild() + _node->numChildren(); \
- _childIdx++) { \
- if (!!(graph).m_varArgChildren[_childIdx]) \
- thingToDo(_node, (graph).m_varArgChildren[_childIdx]); \
- } \
- } else { \
- if (!_node->child1()) { \
- ASSERT( \
- !_node->child2() \
- && !_node->child3()); \
- break; \
- } \
- thingToDo(_node, _node->child1()); \
- \
- if (!_node->child2()) { \
- ASSERT(!_node->child3()); \
- break; \
- } \
- thingToDo(_node, _node->child2()); \
- \
- if (!_node->child3()) \
- break; \
- thingToDo(_node, _node->child3()); \
- } \
- } while (false)
-
-#define DFG_ASSERT(graph, node, assertion) do { \
- if (!!(assertion)) \
- break; \
- (graph).handleAssertionFailure( \
- (node), __FILE__, __LINE__, WTF_PRETTY_FUNCTION, #assertion); \
- } while (false)
-
-#define DFG_CRASH(graph, node, reason) \
- (graph).handleAssertionFailure( \
- (node), __FILE__, __LINE__, WTF_PRETTY_FUNCTION, (reason));
-
</del><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -147,6 +147,10 @@
</span><span class="cx"> case AllocationProfileWatchpointLoc:
</span><span class="cx"> out.print("AllocationProfileWatchpointLoc");
</span><span class="cx"> return;
</span><ins>+
+ case StructureLoc:
+ out.print("StructureLoc");
+ return;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -55,6 +55,7 @@
</span><span class="cx"> MyArgumentsLengthLoc,
</span><span class="cx"> NamedPropertyLoc,
</span><span class="cx"> SetterLoc,
</span><ins>+ StructureLoc,
</ins><span class="cx"> TypeOfLoc,
</span><span class="cx"> TypedArrayByteOffsetLoc,
</span><span class="cx"> VarInjectionWatchpointLoc,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGInsertOSRHintsForUpdatecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGInsertOSRHintsForUpdate.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGInsertOSRHintsForUpdate.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGInsertOSRHintsForUpdate.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,60 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGInsertOSRHintsForUpdate.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "JSCInlines.h"
+
+namespace JSC { namespace DFG {
+
+void insertOSRHintsForUpdate(
+ InsertionSet& insertionSet, unsigned nodeIndex, NodeOrigin origin,
+ AvailabilityMap& availability, Node* originalNode, Node* newNode)
+{
+ for (unsigned i = availability.m_locals.size(); i--;) {
+ int operand = availability.m_locals.operandForIndex(i);
+
+ if (availability.m_locals[i].hasNode() && availability.m_locals[i].node() == originalNode) {
+ insertionSet.insertNode(
+ nodeIndex, SpecNone, MovHint, origin, OpInfo(operand),
+ newNode->defaultEdge());
+ }
+ }
+
+ for (auto pair : availability.m_heap) {
+ if (pair.value.hasNode() && pair.value.node() == originalNode) {
+ insertionSet.insert(
+ nodeIndex, pair.key.createHint(insertionSet.graph(), origin, newNode));
+ }
+ }
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGInsertOSRHintsForUpdateh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGInsertOSRHintsForUpdate.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGInsertOSRHintsForUpdate.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGInsertOSRHintsForUpdate.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,45 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGInsertOSRHintsForUpdate_h
+#define DFGInsertOSRHintsForUpdate_h
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGAvailabilityMap.h"
+#include "DFGInsertionSet.h"
+
+namespace JSC { namespace DFG {
+
+void insertOSRHintsForUpdate(
+ InsertionSet&, unsigned nodeIndex, NodeOrigin, AvailabilityMap&,
+ Node* originalNode, Node* newNode);
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGInsertOSRHintsForUpdate_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGInsertionSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGInsertionSet.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGInsertionSet.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGInsertionSet.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -43,6 +43,8 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ Graph& graph() { return m_graph; }
+
</ins><span class="cx"> Node* insert(const Insertion& insertion)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!m_insertions.size() || m_insertions.last().index() <= insertion.index());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGMayExitcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -75,6 +75,10 @@
</span><span class="cx"> case Phi:
</span><span class="cx"> case Upsilon:
</span><span class="cx"> case ZombieHint:
</span><ins>+ case BottomValue:
+ case PutStructureHint:
+ case PutByOffsetHint:
+ case PhantomNewObject:
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> default:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx"> #include "DFGNodeFlags.h"
</span><span class="cx"> #include "DFGNodeOrigin.h"
</span><span class="cx"> #include "DFGNodeType.h"
</span><ins>+#include "DFGObjectMaterializationData.h"
</ins><span class="cx"> #include "DFGTransition.h"
</span><span class="cx"> #include "DFGUseKind.h"
</span><span class="cx"> #include "DFGVariableAccessData.h"
</span><span class="lines">@@ -500,6 +501,35 @@
</span><span class="cx"> m_flags &= ~NodeClobbersWorld;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void convertToPutByOffsetHint()
+ {
+ ASSERT(m_op == PutByOffset);
+ m_opInfo = storageAccessData().identifierNumber;
+ m_op = PutByOffsetHint;
+ child1() = child2();
+ child2() = child3();
+ child3() = Edge();
+ }
+
+ void convertToPutStructureHint(Node* structure)
+ {
+ ASSERT(m_op == PutStructure);
+ ASSERT(structure->castConstant<Structure*>() == transition()->next);
+ m_op = PutStructureHint;
+ m_opInfo = 0;
+ child2() = Edge(structure, KnownCellUse);
+ }
+
+ void convertToPhantomNewObject()
+ {
+ ASSERT(m_op == NewObject || m_op == MaterializeNewObject);
+ m_op = PhantomNewObject;
+ m_flags &= ~NodeHasVarArgs;
+ m_opInfo = 0;
+ m_opInfo2 = 0;
+ children = AdjacencyList();
+ }
+
</ins><span class="cx"> void convertToPhantomLocal()
</span><span class="cx"> {
</span><span class="cx"> ASSERT(m_op == Phantom && (child1()->op() == Phi || child1()->op() == SetLocal || child1()->op() == SetArgument));
</span><span class="lines">@@ -580,7 +610,7 @@
</span><span class="cx">
</span><span class="cx"> bool isCellConstant()
</span><span class="cx"> {
</span><del>- return isConstant() && constant()->value().isCell();
</del><ins>+ return isConstant() && constant()->value() && constant()->value().isCell();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSCell* asCell()
</span><span class="lines">@@ -595,6 +625,14 @@
</span><span class="cx"> return nullptr;
</span><span class="cx"> return jsDynamicCast<T>(asCell());
</span><span class="cx"> }
</span><ins>+
+ template<typename T>
+ T castConstant()
+ {
+ T result = dynamicCastConstant<T>();
+ RELEASE_ASSERT(result);
+ return result;
+ }
</ins><span class="cx">
</span><span class="cx"> bool containsMovHint()
</span><span class="cx"> {
</span><span class="lines">@@ -704,6 +742,7 @@
</span><span class="cx"> case PutById:
</span><span class="cx"> case PutByIdFlush:
</span><span class="cx"> case PutByIdDirect:
</span><ins>+ case PutByOffsetHint:
</ins><span class="cx"> return true;
</span><span class="cx"> default:
</span><span class="cx"> return false;
</span><span class="lines">@@ -1155,7 +1194,14 @@
</span><span class="cx">
</span><span class="cx"> bool hasStorageAccessData()
</span><span class="cx"> {
</span><del>- return op() == GetByOffset || op() == GetGetterSetterByOffset || op() == PutByOffset;
</del><ins>+ switch (op()) {
+ case GetByOffset:
+ case PutByOffset:
+ case GetGetterSetterByOffset:
+ return true;
+ default:
+ return false;
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> StorageAccessData& storageAccessData()
</span><span class="lines">@@ -1184,6 +1230,26 @@
</span><span class="cx"> return *reinterpret_cast<MultiPutByOffsetData*>(m_opInfo);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ bool hasObjectMaterializationData()
+ {
+ return op() == MaterializeNewObject;
+ }
+
+ ObjectMaterializationData& objectMaterializationData()
+ {
+ return *reinterpret_cast<ObjectMaterializationData*>(m_opInfo);
+ }
+
+ bool isPhantomObjectAllocation()
+ {
+ switch (op()) {
+ case PhantomNewObject:
+ return true;
+ default:
+ return false;
+ }
+ }
+
</ins><span class="cx"> bool hasFunctionDeclIndex()
</span><span class="cx"> {
</span><span class="cx"> return op() == NewFunction
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -228,6 +228,13 @@
</span><span class="cx"> macro(NewTypedArray, NodeResultJS | NodeClobbersWorld | NodeMustGenerate) \
</span><span class="cx"> macro(NewRegexp, NodeResultJS) \
</span><span class="cx"> \
</span><ins>+ /* Support for allocation sinking. */\
+ macro(PhantomNewObject, NodeResultJS) \
+ macro(PutByOffsetHint, NodeMustGenerate) \
+ macro(CheckStructureImmediate, NodeMustGenerate) \
+ macro(PutStructureHint, NodeMustGenerate) \
+ macro(MaterializeNewObject, NodeResultJS | NodeHasVarArgs) \
+ \
</ins><span class="cx"> /* Nodes for misc operations. */\
</span><span class="cx"> macro(Breakpoint, NodeMustGenerate) \
</span><span class="cx"> macro(ProfileWillCall, NodeMustGenerate) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRAvailabilityAnalysisPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> #include "DFGGraph.h"
</span><span class="cx"> #include "DFGInsertionSet.h"
</span><span class="cx"> #include "DFGPhase.h"
</span><ins>+#include "DFGPromoteHeapAccess.h"
</ins><span class="cx"> #include "JSCInlines.h"
</span><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="lines">@@ -51,25 +52,18 @@
</span><span class="cx"> BasicBlock* block = m_graph.block(blockIndex);
</span><span class="cx"> if (!block)
</span><span class="cx"> continue;
</span><del>- block->ssa->availabilityAtHead.fill(Availability());
- block->ssa->availabilityAtTail.fill(Availability());
</del><ins>+ block->ssa->availabilityAtHead.clear();
+ block->ssa->availabilityAtTail.clear();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> BasicBlock* root = m_graph.block(0);
</span><del>- for (unsigned argument = root->ssa->availabilityAtHead.numberOfArguments(); argument--;) {
- root->ssa->availabilityAtHead.argument(argument) =
</del><ins>+ root->ssa->availabilityAtHead.m_locals.fill(Availability::unavailable());
+ for (unsigned argument = root->ssa->availabilityAtHead.m_locals.numberOfArguments(); argument--;) {
+ root->ssa->availabilityAtHead.m_locals.argument(argument) =
</ins><span class="cx"> Availability::unavailable().withFlush(
</span><span class="cx"> FlushedAt(FlushedJSValue, virtualRegisterForArgument(argument)));
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (m_graph.m_plan.mode == FTLForOSREntryMode) {
- for (unsigned local = m_graph.m_profiledBlock->m_numCalleeRegisters; local--;)
- root->ssa->availabilityAtHead.local(local) = Availability::unavailable();
- } else {
- for (unsigned local = root->ssa->availabilityAtHead.numberOfLocals(); local--;)
- root->ssa->availabilityAtHead.local(local) = Availability::unavailable();
- }
-
</del><span class="cx"> // This could be made more efficient by processing blocks in reverse postorder.
</span><span class="cx">
</span><span class="cx"> LocalOSRAvailabilityCalculator calculator;
</span><span class="lines">@@ -87,6 +81,8 @@
</span><span class="cx"> for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex)
</span><span class="cx"> calculator.executeNode(block->at(nodeIndex));
</span><span class="cx">
</span><ins>+ calculator.m_availability.prune();
+
</ins><span class="cx"> if (calculator.m_availability == block->ssa->availabilityAtTail)
</span><span class="cx"> continue;
</span><span class="cx">
</span><span class="lines">@@ -95,11 +91,7 @@
</span><span class="cx">
</span><span class="cx"> for (unsigned successorIndex = block->numSuccessors(); successorIndex--;) {
</span><span class="cx"> BasicBlock* successor = block->successor(successorIndex);
</span><del>- for (unsigned i = calculator.m_availability.size(); i--;) {
- successor->ssa->availabilityAtHead[i] =
- calculator.m_availability[i].merge(
- successor->ssa->availabilityAtHead[i]);
- }
</del><ins>+ successor->ssa->availabilityAtHead.merge(calculator.m_availability);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> } while (changed);
</span><span class="lines">@@ -127,38 +119,50 @@
</span><span class="cx"> m_availability = block->ssa->availabilityAtHead;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void LocalOSRAvailabilityCalculator::endBlock(BasicBlock* block)
+{
+ m_availability = block->ssa->availabilityAtTail;
+}
+
</ins><span class="cx"> void LocalOSRAvailabilityCalculator::executeNode(Node* node)
</span><span class="cx"> {
</span><span class="cx"> switch (node->op()) {
</span><span class="cx"> case SetLocal: {
</span><span class="cx"> VariableAccessData* variable = node->variableAccessData();
</span><del>- m_availability.operand(variable->local()) =
</del><ins>+ m_availability.m_locals.operand(variable->local()) =
</ins><span class="cx"> Availability(node->child1().node(), variable->flushedAt());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case GetArgument: {
</span><span class="cx"> VariableAccessData* variable = node->variableAccessData();
</span><del>- m_availability.operand(variable->local()) =
</del><ins>+ m_availability.m_locals.operand(variable->local()) =
</ins><span class="cx"> Availability(node, variable->flushedAt());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case MovHint: {
</span><del>- m_availability.operand(node->unlinkedLocal()) =
</del><ins>+ m_availability.m_locals.operand(node->unlinkedLocal()) =
</ins><span class="cx"> Availability(node->child1().node());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case ZombieHint: {
</span><del>- m_availability.operand(node->unlinkedLocal()) =
</del><ins>+ m_availability.m_locals.operand(node->unlinkedLocal()) =
</ins><span class="cx"> Availability::unavailable();
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>-
</del><ins>+
</ins><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="cx"> }
</span><ins>+
+ promoteHeapAccess(
+ node,
+ [&] (PromotedHeapLocation location, Edge value) {
+ m_availability.m_heap.set(location, Availability(value.node()));
+ },
+ [&] (PromotedHeapLocation) { });
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } } // namespace JSC::DFG
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRAvailabilityAnalysisPhaseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -37,7 +37,9 @@
</span><span class="cx">
</span><span class="cx"> // Computes BasicBlock::ssa->availabiltiyAtHead/Tail. This is a forward flow type inference
</span><span class="cx"> // over MovHints and SetLocals. This analysis is run directly by the Plan for preparing for
</span><del>-// lowering to LLVM IR, but it can also be used as a utility.
</del><ins>+// lowering to LLVM IR, but it can also be used as a utility. Note that if you run it before
+// stack layout, all of the flush availability will omit the virtual register - but it will
+// tell you the format.
</ins><span class="cx">
</span><span class="cx"> bool performOSRAvailabilityAnalysis(Graph&);
</span><span class="cx">
</span><span class="lines">@@ -49,9 +51,10 @@
</span><span class="cx"> ~LocalOSRAvailabilityCalculator();
</span><span class="cx">
</span><span class="cx"> void beginBlock(BasicBlock*);
</span><ins>+ void endBlock(BasicBlock*); // Useful if you want to get data for the end of the block. You don't need to call this if you did beginBlock() and then executeNode() for every node.
</ins><span class="cx"> void executeNode(Node*);
</span><span class="cx">
</span><del>- Operands<Availability> m_availability;
</del><ins>+ AvailabilityMap m_availability;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } } // namespace JSC::DFG
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGObjectAllocationSinkingPhasecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,812 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGObjectAllocationSinkingPhase.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGAbstractHeap.h"
+#include "DFGBlockMapInlines.h"
+#include "DFGClobberize.h"
+#include "DFGGraph.h"
+#include "DFGInsertOSRHintsForUpdate.h"
+#include "DFGInsertionSet.h"
+#include "DFGLivenessAnalysisPhase.h"
+#include "DFGOSRAvailabilityAnalysisPhase.h"
+#include "DFGPhase.h"
+#include "DFGPromoteHeapAccess.h"
+#include "DFGSSACalculator.h"
+#include "DFGValidate.h"
+#include "JSCInlines.h"
+
+namespace JSC { namespace DFG {
+
+static bool verbose = false;
+
+class ObjectAllocationSinkingPhase : public Phase {
+public:
+ ObjectAllocationSinkingPhase(Graph& graph)
+ : Phase(graph, "object allocation sinking")
+ , m_ssaCalculator(graph)
+ , m_insertionSet(graph)
+ {
+ }
+
+ bool run()
+ {
+ ASSERT(m_graph.m_fixpointState == FixpointNotConverged);
+
+ m_graph.m_dominators.computeIfNecessary(m_graph);
+
+ // Logically we wish to consider every NewObject and sink it. However it's probably not
+ // profitable to sink a NewObject that will always escape. So, first we do a very simple
+ // forward flow analysis that determines the set of NewObject nodes that have any chance
+ // of benefiting from object allocation sinking. Then we fixpoint the following rules:
+ //
+ // - For each NewObject, we turn the original NewObject into a PhantomNewObject and then
+ // we insert MaterializeNewObject just before those escaping sites that come before any
+ // other escaping sites - that is, there is no path between the allocation and those sites
+ // that would see any other escape. Note that Upsilons constitute escaping sites. Then we
+ // insert additional MaterializeNewObject nodes on Upsilons that feed into Phis that mix
+ // materializations and the original PhantomNewObject. We then turn each PutByOffset over a
+ // PhantomNewObject into a PutByOffsetHint.
+ //
+ // - We perform the same optimization for MaterializeNewObject. This allows us to cover
+ // cases where we had MaterializeNewObject flowing into a PutByOffsetHint.
+ //
+ // We could also add this rule:
+ //
+ // - If all of the Upsilons of a Phi have a MaterializeNewObject that isn't used by anyone
+ // else, then replace the Phi with the MaterializeNewObject.
+ //
+ // FIXME: Implement this. Note that this totally doable but it requires some gnarly
+ // code, and to be effective the pruner needs to be aware of it. Currently any Upsilon
+ // is considered to be an escape even by the pruner, so it's unlikely that we'll see
+ // many cases of Phi over Materializations.
+ // https://bugs.webkit.org/show_bug.cgi?id=136927
+
+ if (!performSinking())
+ return false;
+
+ while (performSinking()) { }
+
+ if (verbose) {
+ dataLog("Graph after sinking:\n");
+ m_graph.dump();
+ }
+
+ return true;
+ }
+
+private:
+ bool performSinking()
+ {
+ m_graph.computeRefCounts();
+ performLivenessAnalysis(m_graph);
+ performOSRAvailabilityAnalysis(m_graph);
+
+ CString graphBeforeSinking;
+ if (Options::verboseValidationFailure() && Options::validateGraphAtEachPhase()) {
+ StringPrintStream out;
+ m_graph.dump(out);
+ graphBeforeSinking = out.toCString();
+ }
+
+ if (verbose) {
+ dataLog("Graph before sinking:\n");
+ m_graph.dump();
+ }
+
+ determineMaterializationPoints();
+ if (m_sinkCandidates.isEmpty())
+ return false;
+
+ // At this point we are committed to sinking the sinking candidates.
+ placeMaterializationPoints();
+ lowerNonReadingOperationsOnPhantomAllocations();
+ promoteSunkenFields();
+
+ if (Options::validateGraphAtEachPhase())
+ validate(m_graph, DumpGraph, graphBeforeSinking);
+
+ if (verbose)
+ dataLog("Sinking iteration changed the graph.\n");
+ return true;
+ }
+
+ void determineMaterializationPoints()
+ {
+ // The premise of this pass is that if there exists a point in the program where some
+ // path from a phantom allocation site to that point causes materialization, then *all*
+ // paths cause materialization. This should mean that there are never any redundant
+ // materializations.
+
+ m_sinkCandidates.clear();
+ m_edgeToMaterializationPoint.clear();
+
+ BlockMap<HashMap<Node*, bool>> materializedAtHead(m_graph);
+ BlockMap<HashMap<Node*, bool>> materializedAtTail(m_graph);
+
+ bool changed;
+ do {
+ if (verbose)
+ dataLog("Doing iteration of materialization point placement.\n");
+ changed = false;
+ for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+ HashMap<Node*, bool> materialized = materializedAtHead[block];
+ for (Node* node : *block) {
+ handleNode(
+ node,
+ [&] () {
+ materialized.add(node, false);
+ },
+ [&] (Node* escapee) {
+ auto iter = materialized.find(escapee);
+ if (iter != materialized.end())
+ iter->value = true;
+ });
+ }
+
+ if (verbose)
+ dataLog(" Materialized at tail of ", pointerDump(block), ": ", mapDump(materialized), "\n");
+
+ if (materialized == materializedAtTail[block])
+ continue;
+
+ materializedAtTail[block] = materialized;
+ changed = true;
+
+ // Only propagate things to our successors if they are alive in all successors.
+ // So, we prune materialized-at-tail to only include things that are live.
+ Vector<Node*> toRemove;
+ for (auto pair : materialized) {
+ if (!block->ssa->liveAtTail.contains(pair.key))
+ toRemove.append(pair.key);
+ }
+ for (Node* key : toRemove)
+ materialized.remove(key);
+
+ for (BasicBlock* successorBlock : block->successors()) {
+ for (auto pair : materialized) {
+ materializedAtHead[successorBlock].add(
+ pair.key, false).iterator->value |= pair.value;
+ }
+ }
+ }
+ } while (changed);
+
+ // Determine the sink candidates. Broadly, a sink candidate is a node that handleNode()
+ // believes is sinkable, and one of the following is true:
+ //
+ // 1) There exists a basic block with only backward outgoing edges (or no outgoing edges)
+ // in which the node wasn't materialized. This is meant to catch effectively-infinite
+ // loops in which we don't need to have allocated the object.
+ //
+ // 2) There exists a basic block at the tail of which the node is not materialized and the
+ // node is dead.
+ //
+ // 3) The sum of execution counts of the materializations is less than the sum of
+ // execution counts of the original node.
+ //
+ // We currently implement only rule #2.
+ // FIXME: Implement the two other rules.
+ // https://bugs.webkit.org/show_bug.cgi?id=137073 (rule #1)
+ // https://bugs.webkit.org/show_bug.cgi?id=137074 (rule #3)
+
+ for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+ for (auto pair : materializedAtTail[block]) {
+ if (pair.value)
+ continue; // It was materialized.
+
+ if (block->ssa->liveAtTail.contains(pair.key))
+ continue; // It might still get materialized in all of the successors.
+
+ // We know that it died in this block and it wasn't materialized. That means that
+ // if we sink this allocation, then *this* will be a path along which we never
+ // have to allocate. Profit!
+ m_sinkCandidates.add(pair.key);
+ }
+ }
+
+ if (m_sinkCandidates.isEmpty())
+ return;
+
+ // A materialization edge exists at any point where a node escapes but hasn't been
+ // materialized yet.
+ //
+ // FIXME: This can create duplicate allocations when we really only needed to perform one.
+ // For example:
+ //
+ // var o = new Object();
+ // if (rare) {
+ // if (stuff)
+ // call(o); // o escapes here.
+ // return;
+ // }
+ // // o doesn't escape down here.
+ //
+ // In this example, we would place a materialization point at call(o) and then we would find
+ // ourselves having to insert another one at the implicit else case of that if statement
+ // ('cause we've broken critical edges). We would instead really like to just have one
+ // materialization point right at the top of the then case of "if (rare)". To do this, we can
+ // find the LCA of the various materializations in the dom tree.
+ // https://bugs.webkit.org/show_bug.cgi?id=137124
+ for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+ HashSet<Node*> materialized;
+ for (auto pair : materializedAtHead[block]) {
+ if (pair.value && m_sinkCandidates.contains(pair.key))
+ materialized.add(pair.key);
+ }
+
+ for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
+ Node* node = block->at(nodeIndex);
+
+ handleNode(
+ node,
+ [&] () { },
+ [&] (Node* escapee) {
+ if (!m_sinkCandidates.contains(escapee))
+ return;
+
+ if (!materialized.add(escapee).isNewEntry)
+ return;
+
+ Node* materialize = createMaterialize(escapee, node->origin);
+ if (verbose)
+ dataLog("Adding materialization point: ", node, "->", escapee, " = ", materialize, "\n");
+ m_edgeToMaterializationPoint.add(
+ std::make_pair(node, escapee), materialize);
+ });
+ }
+ }
+ }
+
+ void placeMaterializationPoints()
+ {
+ m_ssaCalculator.reset();
+
+ HashMap<Node*, SSACalculator::Variable*> nodeToVariable;
+ Vector<Node*> indexToNode;
+
+ for (Node* node : m_sinkCandidates) {
+ SSACalculator::Variable* variable = m_ssaCalculator.newVariable();
+ nodeToVariable.add(node, variable);
+ ASSERT(indexToNode.size() == variable->index());
+ indexToNode.append(node);
+ }
+
+ for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+ for (Node* node : *block) {
+ if (SSACalculator::Variable* variable = nodeToVariable.get(node))
+ m_ssaCalculator.newDef(variable, block, node);
+
+ m_graph.doToChildren(
+ node,
+ [&] (Edge edge) {
+ Node* materialize =
+ m_edgeToMaterializationPoint.get(std::make_pair(node, edge.node()));
+ if (!materialize)
+ return;
+
+ m_ssaCalculator.newDef(
+ nodeToVariable.get(edge.node()), block, materialize);
+ });
+ }
+ }
+
+ m_ssaCalculator.computePhis(
+ [&] (SSACalculator::Variable* variable, BasicBlock* block) -> Node* {
+ Node* allocation = indexToNode[variable->index()];
+ if (!block->ssa->liveAtHead.contains(allocation))
+ return nullptr;
+
+ Node* phiNode = m_graph.addNode(allocation->prediction(), Phi, NodeOrigin());
+ phiNode->mergeFlags(NodeResultJS);
+ return phiNode;
+ });
+
+ // Place Phis in the right places. Replace all uses of any allocation with the appropriate
+ // materialization. Create the appropriate Upsilon nodes.
+ LocalOSRAvailabilityCalculator availabilityCalculator;
+ for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+ HashMap<Node*, Node*> mapping;
+
+ for (Node* candidate : block->ssa->liveAtHead) {
+ SSACalculator::Variable* variable = nodeToVariable.get(candidate);
+ if (!variable)
+ continue;
+
+ SSACalculator::Def* def = m_ssaCalculator.reachingDefAtHead(block, variable);
+ if (!def)
+ continue;
+
+ mapping.set(indexToNode[variable->index()], def->value());
+ }
+
+ availabilityCalculator.beginBlock(block);
+ for (SSACalculator::Def* phiDef : m_ssaCalculator.phisForBlock(block)) {
+ m_insertionSet.insert(0, phiDef->value());
+
+ Node* originalNode = indexToNode[phiDef->variable()->index()];
+ insertOSRHintsForUpdate(
+ m_insertionSet, 0, NodeOrigin(), availabilityCalculator.m_availability,
+ originalNode, phiDef->value());
+
+ mapping.set(originalNode, phiDef->value());
+ }
+
+ for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
+ Node* node = block->at(nodeIndex);
+
+ m_graph.doToChildren(
+ node,
+ [&] (Edge edge) {
+ Node* materialize = m_edgeToMaterializationPoint.get(
+ std::make_pair(node, edge.node()));
+ if (materialize) {
+ m_insertionSet.insert(nodeIndex, materialize);
+ insertOSRHintsForUpdate(
+ m_insertionSet, nodeIndex, node->origin,
+ availabilityCalculator.m_availability, edge.node(), materialize);
+ mapping.set(edge.node(), materialize);
+ }
+ });
+
+ availabilityCalculator.executeNode(node);
+
+ m_graph.doToChildren(
+ node,
+ [&] (Edge& edge) {
+ if (Node* materialize = mapping.get(edge.node()))
+ edge.setNode(materialize);
+ });
+ }
+
+ size_t upsilonInsertionPoint = block->size() - 1;
+ NodeOrigin upsilonOrigin = block->last()->origin;
+ for (BasicBlock* successorBlock : block->successors()) {
+ for (SSACalculator::Def* phiDef : m_ssaCalculator.phisForBlock(successorBlock)) {
+ Node* phiNode = phiDef->value();
+ SSACalculator::Variable* variable = phiDef->variable();
+ Node* allocation = indexToNode[variable->index()];
+
+ Node* originalIncoming = mapping.get(allocation);
+ Node* incoming;
+ if (originalIncoming == allocation) {
+ // If we have a Phi that combines materializations with the original
+ // phantom object, then the path with the phantom object must materialize.
+
+ incoming = createMaterialize(allocation, upsilonOrigin);
+ m_insertionSet.insert(upsilonInsertionPoint, incoming);
+ insertOSRHintsForUpdate(
+ m_insertionSet, upsilonInsertionPoint, upsilonOrigin,
+ availabilityCalculator.m_availability, originalIncoming, incoming);
+ } else
+ incoming = originalIncoming;
+
+ Node* upsilon = m_insertionSet.insertNode(
+ upsilonInsertionPoint, SpecNone, Upsilon, upsilonOrigin,
+ OpInfo(phiNode), incoming->defaultEdge());
+
+ if (originalIncoming == allocation) {
+ m_edgeToMaterializationPoint.add(
+ std::make_pair(upsilon, allocation), incoming);
+ }
+ }
+ }
+
+ m_insertionSet.execute(block);
+ }
+
+ // At this point we have dummy materialization nodes along with edges to them. This means
+ // that the part of the control flow graph that prefers to see actual object allocations
+ // is completely fixed up, except for the materializations themselves.
+ }
+
+ void lowerNonReadingOperationsOnPhantomAllocations()
+ {
+ // Lower everything but reading operations on phantom allocations. We absolutely have to
+ // lower all writes so as to reveal them to the SSA calculator. We cannot lower reads
+ // because the whole point is that those go away completely.
+
+ for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+ for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
+ Node* node = block->at(nodeIndex);
+ switch (node->op()) {
+ case PutByOffset: {
+ if (m_sinkCandidates.contains(node->child2().node()))
+ node->convertToPutByOffsetHint();
+ break;
+ }
+
+ case PutStructure: {
+ if (m_sinkCandidates.contains(node->child1().node())) {
+ Node* structure = m_insertionSet.insertConstant(
+ nodeIndex, node->origin, JSValue(node->transition()->next));
+ node->convertToPutStructureHint(structure);
+ }
+ break;
+ }
+
+ case NewObject: {
+ if (m_sinkCandidates.contains(node)) {
+ Node* structure = m_insertionSet.insertConstant(
+ nodeIndex + 1, node->origin, JSValue(node->structure()));
+ m_insertionSet.insertNode(
+ nodeIndex + 1, SpecNone, PutStructureHint, node->origin,
+ Edge(node, KnownCellUse), Edge(structure, KnownCellUse));
+ node->convertToPhantomNewObject();
+ }
+ break;
+ }
+
+ case MaterializeNewObject: {
+ if (m_sinkCandidates.contains(node)) {
+ m_insertionSet.insertNode(
+ nodeIndex + 1, SpecNone, PutStructureHint, node->origin,
+ Edge(node, KnownCellUse), m_graph.varArgChild(node, 0));
+ for (unsigned i = 0; i < node->objectMaterializationData().m_properties.size(); ++i) {
+ m_insertionSet.insertNode(
+ nodeIndex + 1, SpecNone, PutByOffsetHint, node->origin,
+ Edge(node, KnownCellUse), m_graph.varArgChild(node, i + 1));
+ }
+ node->convertToPhantomNewObject();
+ }
+ break;
+ }
+
+ case StoreBarrier:
+ case StoreBarrierWithNullCheck: {
+ if (m_sinkCandidates.contains(node->child1().node()))
+ node->convertToPhantom();
+ break;
+ }
+
+ default:
+ break;
+ }
+
+ m_graph.doToChildren(
+ node,
+ [&] (Edge& edge) {
+ if (m_sinkCandidates.contains(edge.node()))
+ edge.setUseKind(KnownCellUse);
+ });
+ }
+ m_insertionSet.execute(block);
+ }
+ }
+
+ void promoteSunkenFields()
+ {
+ // Henceforth when we encounter a materialization point, we will want to ask *who* it is
+ // a materialization for. Invert the map to be able to answer such questions.
+ m_materializationPointToEscapee.clear();
+ for (auto pair : m_edgeToMaterializationPoint)
+ m_materializationPointToEscapee.add(pair.value, pair.key.second);
+
+ // Collect the set of heap locations that we will be operating over.
+ HashSet<PromotedHeapLocation> locations;
+ for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+ for (Node* node : *block) {
+ promoteHeapAccess(
+ node,
+ [&] (PromotedHeapLocation location, Edge) {
+ locations.add(location);
+ },
+ [&] (PromotedHeapLocation location) {
+ locations.add(location);
+ });
+ }
+ }
+
+ // Figure out which locations belong to which allocations.
+ m_locationsForAllocation.clear();
+ for (PromotedHeapLocation location : locations) {
+ auto result = m_locationsForAllocation.add(location.base(), Vector<PromotedHeapLocation>());
+ ASSERT(!result.iterator->value.contains(location));
+ result.iterator->value.append(location);
+ }
+
+ // For each sunken thingy, make sure we create Bottom values for all of its fields.
+ // Note that this has the hilarious slight inefficiency of creating redundant hints for
+ // things that were previously materializations. This should only impact compile times and
+ // not code quality, and it's necessary for soundness without some data structure hackage.
+ // For example, a MaterializeNewObject that we choose to sink may have new fields added to
+ // it conditionally. That would necessitate Bottoms.
+ Node* bottom = nullptr;
+ for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+ if (block == m_graph.block(0))
+ bottom = m_insertionSet.insertNode(0, SpecNone, BottomValue, NodeOrigin());
+
+ for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
+ Node* node = block->at(nodeIndex);
+ for (PromotedHeapLocation location : m_locationsForAllocation.get(node)) {
+ m_insertionSet.insert(
+ nodeIndex + 1, location.createHint(m_graph, node->origin, bottom));
+ }
+ }
+ m_insertionSet.execute(block);
+ }
+
+ m_ssaCalculator.reset();
+
+ // Collect the set of "variables" that we will be sinking.
+ m_locationToVariable.clear();
+ m_indexToLocation.clear();
+ for (PromotedHeapLocation location : locations) {
+ SSACalculator::Variable* variable = m_ssaCalculator.newVariable();
+ m_locationToVariable.add(location, variable);
+ ASSERT(m_indexToLocation.size() == variable->index());
+ m_indexToLocation.append(location);
+ }
+
+ // Create Defs from the existing hints.
+ for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+ for (Node* node : *block) {
+ promoteHeapAccess(
+ node,
+ [&] (PromotedHeapLocation location, Edge value) {
+ SSACalculator::Variable* variable = m_locationToVariable.get(location);
+ m_ssaCalculator.newDef(variable, block, value.node());
+ },
+ [&] (PromotedHeapLocation) { });
+ }
+ }
+
+ // OMG run the SSA calculator to create Phis!
+ m_ssaCalculator.computePhis(
+ [&] (SSACalculator::Variable* variable, BasicBlock* block) -> Node* {
+ PromotedHeapLocation location = m_indexToLocation[variable->index()];
+ if (!block->ssa->liveAtHead.contains(location.base()))
+ return nullptr;
+
+ Node* phiNode = m_graph.addNode(SpecHeapTop, Phi, NodeOrigin());
+ phiNode->mergeFlags(NodeResultJS);
+ return phiNode;
+ });
+
+ // Place Phis in the right places, replace all uses of any load with the appropriate
+ // value, and create the appropriate Upsilon nodes.
+ m_graph.clearReplacements();
+ for (BasicBlock* block : m_graph.blocksInPreOrder()) {
+ // This mapping table is intended to be lazy. If something is omitted from the table,
+ // it means that there haven't been any local stores to that promoted heap location.
+ m_localMapping.clear();
+
+ // Insert the Phi functions that we had previously created.
+ for (SSACalculator::Def* phiDef : m_ssaCalculator.phisForBlock(block)) {
+ PromotedHeapLocation location = m_indexToLocation[phiDef->variable()->index()];
+
+ m_insertionSet.insert(
+ 0, phiDef->value());
+ m_insertionSet.insert(
+ 0, location.createHint(m_graph, NodeOrigin(), phiDef->value()));
+ m_localMapping.add(location, phiDef->value());
+ }
+
+ if (verbose)
+ dataLog("Local mapping at ", pointerDump(block), ": ", mapDump(m_localMapping), "\n");
+
+ // Process the block and replace all uses of loads with the promoted value.
+ for (Node* node : *block) {
+ m_graph.performSubstitution(node);
+
+ if (Node* escapee = m_materializationPointToEscapee.get(node))
+ populateMaterialize(block, node, escapee);
+
+ promoteHeapAccess(
+ node,
+ [&] (PromotedHeapLocation location, Edge value) {
+ m_localMapping.set(location, value.node());
+ },
+ [&] (PromotedHeapLocation location) {
+ node->replaceWith(resolve(block, location));
+ });
+ }
+
+ // Gotta drop some Upsilons.
+ size_t upsilonInsertionPoint = block->size() - 1;
+ NodeOrigin upsilonOrigin = block->last()->origin;
+ for (BasicBlock* successorBlock : block->successors()) {
+ for (SSACalculator::Def* phiDef : m_ssaCalculator.phisForBlock(successorBlock)) {
+ Node* phiNode = phiDef->value();
+ SSACalculator::Variable* variable = phiDef->variable();
+ PromotedHeapLocation location = m_indexToLocation[variable->index()];
+ Node* incoming = resolve(block, location);
+
+ m_insertionSet.insertNode(
+ upsilonInsertionPoint, SpecNone, Upsilon, upsilonOrigin,
+ OpInfo(phiNode), incoming->defaultEdge());
+ }
+ }
+
+ m_insertionSet.execute(block);
+ }
+ }
+
+ Node* resolve(BasicBlock* block, PromotedHeapLocation location)
+ {
+ if (Node* result = m_localMapping.get(location))
+ return result;
+
+ // This implies that there is no local mapping. Find a non-local mapping.
+ SSACalculator::Def* def = m_ssaCalculator.nonLocalReachingDef(
+ block, m_locationToVariable.get(location));
+ ASSERT(def);
+ ASSERT(def->value());
+ m_localMapping.add(location, def->value());
+ return def->value();
+ }
+
+ template<typename SinkCandidateFunctor, typename EscapeFunctor>
+ void handleNode(
+ Node* node,
+ const SinkCandidateFunctor& sinkCandidate,
+ const EscapeFunctor& escape)
+ {
+ switch (node->op()) {
+ case NewObject:
+ case MaterializeNewObject:
+ sinkCandidate();
+ m_graph.doToChildren(
+ node,
+ [&] (Edge edge) {
+ escape(edge.node());
+ });
+ break;
+
+ case CheckStructure:
+ case GetByOffset:
+ case MultiGetByOffset:
+ case PutStructure:
+ case GetGetterSetterByOffset:
+ case MovHint:
+ case Phantom:
+ case Check:
+ case HardPhantom:
+ case StoreBarrier:
+ case StoreBarrierWithNullCheck:
+ case PutByOffsetHint:
+ break;
+
+ case PutByOffset:
+ escape(node->child3().node());
+ break;
+
+ case MultiPutByOffset:
+ // FIXME: In the future we should be able to handle this. It's just a matter of
+ // building the appropriate *Hint variant of this instruction, along with a
+ // PhantomStructureSelect node - since this transforms the Structure in a conditional
+ // way.
+ // https://bugs.webkit.org/show_bug.cgi?id=136924
+ escape(node->child1().node());
+ escape(node->child2().node());
+ break;
+
+ default:
+ m_graph.doToChildren(
+ node,
+ [&] (Edge edge) {
+ escape(edge.node());
+ });
+ break;
+ }
+ }
+
+ Node* createMaterialize(Node* escapee, const NodeOrigin whereOrigin)
+ {
+ switch (escapee->op()) {
+ case NewObject:
+ case MaterializeNewObject: {
+ ObjectMaterializationData* data = m_graph.m_objectMaterializationData.add();
+
+ Node* result = m_graph.addNode(
+ escapee->prediction(), Node::VarArg, MaterializeNewObject,
+ NodeOrigin(
+ escapee->origin.semantic,
+ whereOrigin.forExit),
+ OpInfo(data), OpInfo(), 0, 0);
+ return result;
+ }
+
+ default:
+ DFG_CRASH(m_graph, escapee, "Bad escapee op");
+ return nullptr;
+ }
+ }
+
+ void populateMaterialize(BasicBlock* block, Node* node, Node* escapee)
+ {
+ switch (node->op()) {
+ case MaterializeNewObject: {
+ ObjectMaterializationData& data = node->objectMaterializationData();
+ unsigned firstChild = m_graph.m_varArgChildren.size();
+
+ Vector<PromotedHeapLocation> locations = m_locationsForAllocation.get(escapee);
+
+ PromotedHeapLocation structure(StructurePLoc, escapee);
+ ASSERT(locations.contains(structure));
+
+ m_graph.m_varArgChildren.append(Edge(resolve(block, structure), KnownCellUse));
+
+ for (unsigned i = 0; i < locations.size(); ++i) {
+ switch (locations[i].kind()) {
+ case StructurePLoc: {
+ ASSERT(locations[i] == structure);
+ break;
+ }
+
+ case NamedPropertyPLoc: {
+ Node* value = resolve(block, locations[i]);
+ if (value->op() == BottomValue) {
+ // We can skip Bottoms entirely.
+ break;
+ }
+
+ data.m_properties.append(PhantomPropertyValue(locations[i].info()));
+ m_graph.m_varArgChildren.append(value);
+ break;
+ }
+
+ default:
+ DFG_CRASH(m_graph, node, "Bad location kind");
+ }
+ }
+
+ node->children = AdjacencyList(
+ AdjacencyList::Variable,
+ firstChild, m_graph.m_varArgChildren.size() - firstChild);
+ break;
+ }
+
+ default:
+ DFG_CRASH(m_graph, node, "Bad materialize op");
+ break;
+ }
+ }
+
+ SSACalculator m_ssaCalculator;
+ HashSet<Node*> m_sinkCandidates;
+ HashMap<std::pair<Node*, Node*>, Node*> m_edgeToMaterializationPoint;
+ HashMap<Node*, Node*> m_materializationPointToEscapee;
+ HashMap<Node*, Vector<PromotedHeapLocation>> m_locationsForAllocation;
+ HashMap<PromotedHeapLocation, SSACalculator::Variable*> m_locationToVariable;
+ Vector<PromotedHeapLocation> m_indexToLocation;
+ HashMap<PromotedHeapLocation, Node*> m_localMapping;
+ InsertionSet m_insertionSet;
+};
+
+bool performObjectAllocationSinking(Graph& graph)
+{
+ SamplingRegion samplingRegion("DFG Object Allocation Sinking Phase");
+ return runPhase<ObjectAllocationSinkingPhase>(graph);
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGObjectAllocationSinkingPhaseh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,47 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGObjectAllocationSinkingPhase_h
+#define DFGObjectAllocationSinkingPhase_h
+
+#if ENABLE(DFG_JIT)
+
+namespace JSC { namespace DFG {
+
+class Graph;
+
+// Sinks object allocations down to their uses. This will sink the allocations over OSR exits, by
+// replacing all stores to those objects with store hints so that OSR exit can materialize the
+// object. This may sink allocations past returns, creating control flow paths along which the
+// objects are not allocated at all. Replaces all uses of the objects' fields with SSA data flow.
+
+bool performObjectAllocationSinking(Graph&);
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGObjectAllocationSinkingPhase_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGObjectMaterializationDatacpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGObjectMaterializationData.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGObjectMaterializationData.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGObjectMaterializationData.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,63 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGObjectMaterializationData.h"
+
+#if ENABLE(DFG_JIT)
+
+#include <wtf/ListDump.h>
+
+namespace JSC { namespace DFG {
+
+void PhantomPropertyValue::dump(PrintStream& out) const
+{
+ out.print("id", m_identifierNumber);
+}
+
+void ObjectMaterializationData::dump(PrintStream& out) const
+{
+ out.print("[", listDump(m_properties), "]");
+}
+
+float ObjectMaterializationData::oneWaySimilarityScore(
+ const ObjectMaterializationData& other) const
+{
+ unsigned numHits = 0;
+ for (PhantomPropertyValue value : m_properties) {
+ if (other.m_properties.contains(value))
+ numHits++;
+ }
+ return static_cast<float>(numHits) / static_cast<float>(m_properties.size());
+}
+
+float ObjectMaterializationData::similarityScore(const ObjectMaterializationData& other) const
+{
+ return std::min(oneWaySimilarityScore(other), other.oneWaySimilarityScore(*this));
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGObjectMaterializationDatah"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,77 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGObjectMaterializationData_h
+#define DFGObjectMaterializationData_h
+
+#if ENABLE(DFG_JIT)
+
+#include <limits.h>
+#include <wtf/MathExtras.h>
+#include <wtf/PrintStream.h>
+#include <wtf/Vector.h>
+
+namespace JSC { namespace DFG {
+
+struct PhantomPropertyValue {
+ PhantomPropertyValue()
+ : m_identifierNumber(UINT_MAX)
+ {
+ }
+
+ PhantomPropertyValue(unsigned identifierNumber)
+ : m_identifierNumber(identifierNumber)
+ {
+ }
+
+ unsigned m_identifierNumber;
+
+ bool operator==(const PhantomPropertyValue& other) const
+ {
+ return m_identifierNumber == other.m_identifierNumber;
+ }
+
+ void dump(PrintStream&) const;
+};
+
+struct ObjectMaterializationData {
+ // Determines the meaning of the passed nodes.
+ Vector<PhantomPropertyValue> m_properties;
+
+ void dump(PrintStream&) const;
+
+ // The fraction of my properties that the other data has.
+ float oneWaySimilarityScore(const ObjectMaterializationData&) const;
+
+ // The minimum of the two possible one-way scores.
+ float similarityScore(const ObjectMaterializationData&) const;
+};
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGObjectMaterializationData_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPhantomCanonicalizationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -52,24 +52,13 @@
</span><span class="cx"> ASSERT(m_graph.m_form == SSA);
</span><span class="cx">
</span><span class="cx"> m_graph.clearFlagsOnAllNodes(NodeNeedsPhantom | NodeNeedsHardPhantom | NodeRelevantToOSR);
</span><ins>+ m_graph.mergeRelevantToOSR();
</ins><span class="cx">
</span><span class="cx"> for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
</span><span class="cx"> BasicBlock* block = m_graph.block(blockIndex);
</span><span class="cx"> if (!block)
</span><span class="cx"> continue;
</span><span class="cx">
</span><del>- for (unsigned i = block->size(); i--;) {
- Node* node = block->at(i);
- if (node->op() == MovHint)
- node->child1()->mergeFlags(NodeRelevantToOSR);
- }
- }
-
- for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
- BasicBlock* block = m_graph.block(blockIndex);
- if (!block)
- continue;
-
</del><span class="cx"> unsigned sourceIndex = 0;
</span><span class="cx"> unsigned targetIndex = 0;
</span><span class="cx"> while (sourceIndex < block->size()) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPhantomRemovalPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -74,17 +74,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
- BasicBlock* block = m_graph.block(blockIndex);
- if (!block)
- continue;
-
- for (unsigned i = block->size(); i--;) {
- Node* node = block->at(i);
- if (node->op() == MovHint)
- node->child1()->mergeFlags(NodeRelevantToOSR);
- }
- }
</del><ins>+ m_graph.mergeRelevantToOSR();
</ins><span class="cx">
</span><span class="cx"> for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
</span><span class="cx"> BasicBlock* block = m_graph.block(blockIndex);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPhiChildrencpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGPhiChildren.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPhiChildren.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGPhiChildren.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,64 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGPhiChildren.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGGraph.h"
+
+namespace JSC { namespace DFG {
+
+PhiChildren::PhiChildren()
+{
+}
+
+PhiChildren::PhiChildren(Graph& graph)
+{
+ for (BasicBlock* block : graph.blocksInNaturalOrder()) {
+ for (Node* node : *block) {
+ if (node->op() != Upsilon)
+ continue;
+
+ m_children.add(node->phi(), List()).iterator->value.append(node);
+ }
+ }
+}
+
+PhiChildren::~PhiChildren()
+{
+}
+
+const PhiChildren::List& PhiChildren::upsilonsOf(Node* node) const
+{
+ ASSERT(node->op() == Phi);
+ return m_children.find(node)->value;
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPhiChildrenh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGPhiChildren.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPhiChildren.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGPhiChildren.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,92 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGPhiChildren_h
+#define DFGPhiChildren_h
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGNode.h"
+#include <wtf/HashSet.h>
+#include <wtf/Vector.h>
+
+namespace JSC { namespace DFG {
+
+class Graph;
+
+class PhiChildren {
+public:
+ typedef Vector<Node*, 3> List;
+
+ PhiChildren();
+ PhiChildren(Graph&);
+ ~PhiChildren();
+
+ // The list of Upsilons that point to the children of the Phi.
+ const List& upsilonsOf(Node*) const;
+
+ template<typename Functor>
+ void forAllIncomingValues(Node* node, const Functor& functor)
+ {
+ for (Node* upsilon : upsilonsOf(node))
+ functor(upsilon->child1().node());
+ }
+
+ // This walks the Phi graph.
+ template<typename Functor>
+ void forAllTransitiveIncomingValues(Node* node, const Functor& functor)
+ {
+ if (node->op() != Phi) {
+ functor(node);
+ return;
+ }
+ HashSet<Node*> seen;
+ Vector<Node*> worklist;
+ seen.add(node);
+ worklist.append(node);
+ while (!worklist.isEmpty()) {
+ Node* currentNode = worklist.takeLast();
+ forAllIncomingValues(
+ currentNode,
+ [&] (Node* incomingNode) {
+ if (incomingNode->op() == Phi) {
+ if (seen.add(incomingNode).isNewEntry)
+ worklist.append(incomingNode);
+ } else
+ functor(incomingNode);
+ });
+ }
+ }
+
+private:
+ HashMap<Node*, List> m_children;
+};
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGPhiChildren_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPlancpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -49,6 +49,7 @@
</span><span class="cx"> #include "DFGLoopPreHeaderCreationPhase.h"
</span><span class="cx"> #include "DFGOSRAvailabilityAnalysisPhase.h"
</span><span class="cx"> #include "DFGOSREntrypointCreationPhase.h"
</span><ins>+#include "DFGObjectAllocationSinkingPhase.h"
</ins><span class="cx"> #include "DFGPhantomCanonicalizationPhase.h"
</span><span class="cx"> #include "DFGPhantomRemovalPhase.h"
</span><span class="cx"> #include "DFGPredictionInjectionPhase.h"
</span><span class="lines">@@ -277,6 +278,7 @@
</span><span class="cx"> if (validationEnabled()) {
</span><span class="cx"> dfg.m_dominators.computeIfNecessary(dfg);
</span><span class="cx"> dfg.m_naturalLoops.computeIfNecessary(dfg);
</span><ins>+ dfg.m_prePostNumbering.computeIfNecessary(dfg);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> switch (mode) {
</span><span class="lines">@@ -325,11 +327,16 @@
</span><span class="cx"> performCFA(dfg);
</span><span class="cx"> performConstantFolding(dfg);
</span><span class="cx"> performPhantomCanonicalization(dfg); // Reduce the graph size a lot.
</span><del>- if (performStrengthReduction(dfg)) {
</del><ins>+ changed = false;
+ changed |= performStrengthReduction(dfg);
+ changed |= performCriticalEdgeBreaking(dfg);
+ changed |= performObjectAllocationSinking(dfg);
+ if (changed) {
</ins><span class="cx"> // State-at-tail and state-at-head will be invalid if we did strength reduction since
</span><span class="cx"> // it might increase live ranges.
</span><span class="cx"> performLivenessAnalysis(dfg);
</span><span class="cx"> performCFA(dfg);
</span><ins>+ performConstantFolding(dfg);
</ins><span class="cx"> }
</span><span class="cx"> performLICM(dfg);
</span><span class="cx"> performPhantomCanonicalization(dfg);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPrePostNumberingcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGPrePostNumbering.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPrePostNumbering.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGPrePostNumbering.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,89 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGPrePostNumbering.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGBlockMapInlines.h"
+#include "DFGBlockWorklist.h"
+#include "DFGGraph.h"
+
+namespace JSC { namespace DFG {
+
+PrePostNumbering::PrePostNumbering() { }
+PrePostNumbering::~PrePostNumbering() { }
+
+void PrePostNumbering::compute(Graph& graph)
+{
+ m_map = BlockMap<Numbering>(graph);
+
+ PostOrderBlockWorklist worklist;
+ worklist.push(graph.block(0));
+ unsigned nextPreNumber = 0;
+ unsigned nextPostNumber = 0;
+ while (BlockWithOrder item = worklist.pop()) {
+ switch (item.order) {
+ case PreOrder:
+ m_map[item.block].m_preNumber = nextPreNumber++;
+ worklist.pushPost(item.block);
+ for (BasicBlock* successor : item.block->successors())
+ worklist.push(successor);
+ break;
+ case PostOrder:
+ m_map[item.block].m_postNumber = nextPostNumber++;
+ break;
+ }
+ }
+}
+
+} } // namespace JSC::DFG
+
+namespace WTF {
+
+using namespace JSC::DFG;
+
+void printInternal(PrintStream& out, EdgeKind kind)
+{
+ switch (kind) {
+ case ForwardEdge:
+ out.print("ForwardEdge");
+ return;
+ case CrossEdge:
+ out.print("CrossEdge");
+ return;
+ case BackEdge:
+ out.print("BackEdge");
+ return;
+ }
+
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+} // namespace WTF
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPrePostNumberingh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGPrePostNumbering.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPrePostNumbering.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGPrePostNumbering.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,108 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGPrePostNumbering_h
+#define DFGPrePostNumbering_h
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGAnalysis.h"
+#include "DFGBasicBlock.h"
+#include "DFGBlockMap.h"
+
+namespace JSC { namespace DFG {
+
+enum EdgeKind {
+ ForwardEdge,
+ CrossEdge,
+ BackEdge
+};
+
+class PrePostNumbering : public Analysis<PrePostNumbering> {
+public:
+ PrePostNumbering();
+ ~PrePostNumbering();
+
+ void compute(Graph&);
+
+ unsigned preNumber(BasicBlock* block) const { return m_map[block].m_preNumber; }
+ unsigned postNumber(BasicBlock* block) const { return m_map[block].m_postNumber; }
+
+ // Is from a strict ancestor of to?
+ bool isStrictAncestorOf(BasicBlock* from, BasicBlock* to) const
+ {
+ return preNumber(from) < preNumber(to)
+ && postNumber(from) > postNumber(to);
+ }
+
+ bool isAncestorOf(BasicBlock* from, BasicBlock* to) const
+ {
+ return from == to || isStrictAncestorOf(from, to);
+ }
+
+ bool isStrictDescendantOf(BasicBlock* from, BasicBlock* to) const
+ {
+ return isStrictAncestorOf(to, from);
+ }
+
+ bool isDescendantOf(BasicBlock* from, BasicBlock* to) const
+ {
+ return isAncestorOf(to, from);
+ }
+
+ // This will give a bogus answer if there is actually no such edge. If you want to determine
+ // if there is any such edge, you have to do it yourself.
+ EdgeKind edgeKind(BasicBlock* from, BasicBlock* to) const
+ {
+ if (isStrictDescendantOf(to, from))
+ return ForwardEdge;
+
+ if (isAncestorOf(to, from))
+ return BackEdge;
+
+ return CrossEdge;
+ }
+
+private:
+ struct Numbering {
+ unsigned m_preNumber;
+ unsigned m_postNumber;
+ };
+
+ BlockMap<Numbering> m_map;
+};
+
+} } // namespace JSC::DFG
+
+namespace WTF {
+
+void printInternal(PrintStream&, JSC::DFG::EdgeKind);
+
+} // namespace WTF
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGPrePostNumbering_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -560,7 +560,12 @@
</span><span class="cx"> case DoubleConstant:
</span><span class="cx"> case Int52Constant:
</span><span class="cx"> case Identity:
</span><del>- case BooleanToNumber: {
</del><ins>+ case BooleanToNumber:
+ case PhantomNewObject:
+ case PutByOffsetHint:
+ case CheckStructureImmediate:
+ case PutStructureHint:
+ case MaterializeNewObject: {
</ins><span class="cx"> // This node should never be visible at this stage of compilation. It is
</span><span class="cx"> // inserted by fixup(), which follows this phase.
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPromoteHeapAccessh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGPromoteHeapAccess.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPromoteHeapAccess.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGPromoteHeapAccess.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,90 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGPromoteHeapAccess_h
+#define DFGPromoteHeapAccess_h
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGNode.h"
+#include "DFGPromotedHeapLocation.h"
+
+namespace JSC { namespace DFG {
+
+// Note that the write functor is really the useful thing here. The read functor is only useful
+// for the object allocation sinking phase.
+template<typename WriteFunctor, typename ReadFunctor>
+void promoteHeapAccess(Node* node, const WriteFunctor& write, const ReadFunctor& read)
+{
+ switch (node->op()) {
+ case CheckStructure: {
+ if (node->child1()->isPhantomObjectAllocation())
+ read(PromotedHeapLocation(StructurePLoc, node->child1()));
+ break;
+ }
+
+ case GetByOffset:
+ case GetGetterSetterByOffset: {
+ if (node->child2()->isPhantomObjectAllocation()) {
+ unsigned identifierNumber = node->storageAccessData().identifierNumber;
+ read(PromotedHeapLocation(NamedPropertyPLoc, node->child2(), identifierNumber));
+ }
+ break;
+ }
+
+ case MultiGetByOffset: {
+ if (node->child1()->isPhantomObjectAllocation()) {
+ unsigned identifierNumber = node->multiGetByOffsetData().identifierNumber;
+ read(PromotedHeapLocation(NamedPropertyPLoc, node->child1(), identifierNumber));
+ }
+ break;
+ }
+
+ case PutStructureHint: {
+ ASSERT(node->child1()->isPhantomObjectAllocation());
+ write(PromotedHeapLocation(StructurePLoc, node->child1()), node->child2());
+ break;
+ }
+
+ case PutByOffsetHint: {
+ ASSERT(node->child1()->isPhantomObjectAllocation());
+ unsigned identifierNumber = node->identifierNumber();
+ write(
+ PromotedHeapLocation(NamedPropertyPLoc, node->child1(), identifierNumber),
+ node->child2());
+ break;
+ }
+
+ default:
+ break;
+ }
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGPromoteHeapAccess_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPromotedHeapLocationcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,95 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGPromotedHeapLocation.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGGraph.h"
+#include "JSCInlines.h"
+
+namespace JSC { namespace DFG {
+
+void PromotedLocationDescriptor::dump(PrintStream& out) const
+{
+ out.print(m_kind, "(", m_info, ")");
+}
+
+Node* PromotedHeapLocation::createHint(Graph& graph, NodeOrigin origin, Node* value)
+{
+ switch (kind()) {
+ case StructurePLoc:
+ return graph.addNode(
+ SpecNone, PutStructureHint, origin,
+ Edge(base(), KnownCellUse), Edge(value, KnownCellUse));
+
+ case NamedPropertyPLoc:
+ return graph.addNode(
+ SpecNone, PutByOffsetHint, origin,
+ OpInfo(info()), Edge(base(), KnownCellUse), Edge(value, UntypedUse));
+
+ case InvalidPromotedLocationKind:
+ return nullptr;
+ }
+
+ RELEASE_ASSERT_NOT_REACHED();
+ return nullptr;
+}
+
+void PromotedHeapLocation::dump(PrintStream& out) const
+{
+ out.print(kind(), "(", m_base, ", ", info(), ")");
+}
+
+} } // namespace JSC::DFG
+
+namespace WTF {
+
+using namespace JSC::DFG;
+
+void printInternal(PrintStream& out, PromotedLocationKind kind)
+{
+ switch (kind) {
+ case InvalidPromotedLocationKind:
+ out.print("InvalidPromotedLocationKind");
+ return;
+
+ case StructurePLoc:
+ out.print("StructurePLoc");
+ return;
+
+ case NamedPropertyPLoc:
+ out.print("NamedPropertyPLoc");
+ return;
+ }
+
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+} // namespace WTF;
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPromotedHeapLocationh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,172 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGPromotedHeapLocation_h
+#define DFGPromotedHeapLocation_h
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGNode.h"
+#include <wtf/PrintStream.h>
+
+namespace JSC { namespace DFG {
+
+enum PromotedLocationKind {
+ InvalidPromotedLocationKind,
+
+ StructurePLoc,
+ NamedPropertyPLoc
+};
+
+class PromotedLocationDescriptor {
+public:
+ PromotedLocationDescriptor(
+ PromotedLocationKind kind = InvalidPromotedLocationKind, unsigned info = 0)
+ : m_kind(kind)
+ , m_info(info)
+ {
+ }
+
+ bool operator!() const { return m_kind == InvalidPromotedLocationKind; }
+
+ PromotedLocationKind kind() const { return m_kind; }
+ unsigned info() const { return m_info; }
+
+ unsigned hash() const
+ {
+ return m_kind + m_info;
+ }
+
+ bool operator==(const PromotedLocationDescriptor& other) const
+ {
+ return m_kind == other.m_kind
+ && m_info == other.m_info;
+ }
+
+ bool operator!=(const PromotedLocationDescriptor& other) const
+ {
+ return !(*this == other);
+ }
+
+ bool isHashTableDeletedValue() const
+ {
+ return m_kind == InvalidPromotedLocationKind && m_info;
+ }
+
+ void dump(PrintStream& out) const;
+
+private:
+ PromotedLocationKind m_kind;
+ unsigned m_info;
+};
+
+class PromotedHeapLocation {
+public:
+ PromotedHeapLocation(
+ PromotedLocationKind kind = InvalidPromotedLocationKind,
+ Node* base = nullptr, unsigned info = 0)
+ : m_base(base)
+ , m_meta(kind, info)
+ {
+ }
+
+ PromotedHeapLocation(
+ PromotedLocationKind kind, Edge base, unsigned info = 0)
+ : PromotedHeapLocation(kind, base.node(), info)
+ {
+ }
+
+ PromotedHeapLocation(Node* base, PromotedLocationDescriptor meta)
+ : m_base(base)
+ , m_meta(meta)
+ {
+ }
+
+ PromotedHeapLocation(WTF::HashTableDeletedValueType)
+ : m_base(nullptr)
+ , m_meta(InvalidPromotedLocationKind, 1)
+ {
+ }
+
+ Node* createHint(Graph&, NodeOrigin, Node* value);
+
+ bool operator!() const { return kind() == InvalidPromotedLocationKind; }
+
+ PromotedLocationKind kind() const { return m_meta.kind(); }
+ Node* base() const { return m_base; }
+ unsigned info() const { return m_meta.info(); }
+ PromotedLocationDescriptor descriptor() const { return m_meta; }
+
+ unsigned hash() const
+ {
+ return m_meta.hash() + WTF::PtrHash<Node*>::hash(m_base);
+ }
+
+ bool operator==(const PromotedHeapLocation& other) const
+ {
+ return m_base == other.m_base
+ && m_meta == other.m_meta;
+ }
+
+ bool isHashTableDeletedValue() const
+ {
+ return m_meta.isHashTableDeletedValue();
+ }
+
+ void dump(PrintStream& out) const;
+
+private:
+ Node* m_base;
+ PromotedLocationDescriptor m_meta;
+};
+
+struct PromotedHeapLocationHash {
+ static unsigned hash(const PromotedHeapLocation& key) { return key.hash(); }
+ static bool equal(const PromotedHeapLocation& a, const PromotedHeapLocation& b) { return a == b; }
+ static const bool safeToCompareToEmptyOrDeleted = true;
+};
+
+} } // namespace JSC::DFG
+
+namespace WTF {
+
+void printInternal(PrintStream&, JSC::DFG::PromotedLocationKind);
+
+template<typename T> struct DefaultHash;
+template<> struct DefaultHash<JSC::DFG::PromotedHeapLocation> {
+ typedef JSC::DFG::PromotedHeapLocationHash Hash;
+};
+
+template<typename T> struct HashTraits;
+template<> struct HashTraits<JSC::DFG::PromotedHeapLocation> : SimpleClassHashTraits<JSC::DFG::PromotedHeapLocation> {
+ static const bool emptyValueIsZero = false;
+};
+
+} // namespace WTF
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGPromotedHeapLocation_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSSACalculatorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSSACalculator.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSSACalculator.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGSSACalculator.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -66,6 +66,17 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void SSACalculator::reset()
+{
+ m_variables.clear();
+ m_defs.clear();
+ m_phis.clear();
+ for (BlockIndex blockIndex = m_data.size(); blockIndex--;) {
+ m_data[blockIndex].m_defs.clear();
+ m_data[blockIndex].m_phis.clear();
+ }
+}
+
</ins><span class="cx"> SSACalculator::Variable* SSACalculator::newVariable()
</span><span class="cx"> {
</span><span class="cx"> return &m_variables.alloc(Variable(m_variables.size()));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSSACalculatorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSSACalculator.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSSACalculator.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGSSACalculator.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -105,6 +105,8 @@
</span><span class="cx"> SSACalculator(Graph&);
</span><span class="cx"> ~SSACalculator();
</span><span class="cx">
</span><ins>+ void reset();
+
</ins><span class="cx"> class Variable {
</span><span class="cx"> public:
</span><span class="cx"> unsigned index() const { return m_index; }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -270,6 +270,11 @@
</span><span class="cx"> case GetGenericPropertyEnumerator:
</span><span class="cx"> case GetEnumeratorPname:
</span><span class="cx"> case ToIndexString:
</span><ins>+ case PhantomNewObject:
+ case PutByOffsetHint:
+ case CheckStructureImmediate:
+ case PutStructureHint:
+ case MaterializeNewObject:
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> case NativeCall:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -1415,7 +1415,7 @@
</span><span class="cx"> else
</span><span class="cx"> m_canExit = mayExit(m_jit.graph(), m_currentNode);
</span><span class="cx">
</span><del>- bool shouldExecuteEffects = m_interpreter.startExecuting(m_currentNode);
</del><ins>+ m_interpreter.startExecuting();
</ins><span class="cx"> m_jit.setForNode(m_currentNode);
</span><span class="cx"> m_codeOriginForExitTarget = m_currentNode->origin.forExit;
</span><span class="cx"> m_codeOriginForExitProfile = m_currentNode->origin.semantic;
</span><span class="lines">@@ -1472,8 +1472,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Make sure that the abstract state is rematerialized for the next node.
</span><del>- if (shouldExecuteEffects)
- m_interpreter.executeEffects(m_indexInBlock);
</del><ins>+ m_interpreter.executeEffects(m_indexInBlock);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Perform the most basic verification that children have been used correctly.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -4912,6 +4912,11 @@
</span><span class="cx"> case NativeConstruct:
</span><span class="cx"> case CheckBadCell:
</span><span class="cx"> case BottomValue:
</span><ins>+ case PhantomNewObject:
+ case PutByOffsetHint:
+ case CheckStructureImmediate:
+ case PutStructureHint:
+ case MaterializeNewObject:
</ins><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -4982,6 +4982,11 @@
</span><span class="cx"> case FiatInt52:
</span><span class="cx"> case CheckBadCell:
</span><span class="cx"> case BottomValue:
</span><ins>+ case PhantomNewObject:
+ case PutByOffsetHint:
+ case CheckStructureImmediate:
+ case PutStructureHint:
+ case MaterializeNewObject:
</ins><span class="cx"> DFG_CRASH(m_jit.graph(), node, "Unexpected node");
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGStructureRegistrationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -47,6 +47,7 @@
</span><span class="cx"> // These are pretty dumb, but needed to placate subsequent assertions. We don't actually
</span><span class="cx"> // have to watch these because there is no way to transition away from it, but they are
</span><span class="cx"> // watchable and so we will assert if they aren't watched.
</span><ins>+ registerStructure(m_graph.m_vm.structureStructure.get());
</ins><span class="cx"> registerStructure(m_graph.m_vm.stringStructure.get());
</span><span class="cx"> registerStructure(m_graph.m_vm.getterSetterStructure.get());
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGValidatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -187,8 +187,6 @@
</span><span class="cx"> Node* node = block->node(i);
</span><span class="cx"> if (m_graph.m_refCountState == ExactRefCount)
</span><span class="cx"> V_EQUAL((node), m_myRefCounts.get(node), node->adjustedRefCount());
</span><del>- else
- V_EQUAL((node), node->refCount(), 1);
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> for (size_t i = 0 ; i < block->size() - 1; ++i) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -168,6 +168,11 @@
</span><span class="cx"> case GetEnumeratorPname:
</span><span class="cx"> case ToIndexString:
</span><span class="cx"> case BottomValue:
</span><ins>+ case PhantomNewObject:
+ case PutByOffsetHint:
+ case CheckStructureImmediate:
+ case PutStructureHint:
+ case MaterializeNewObject:
</ins><span class="cx"> // These are OK.
</span><span class="cx"> break;
</span><span class="cx"> case ProfiledCall:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitPropertyValuecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,41 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "FTLExitPropertyValue.h"
+
+#if ENABLE(FTL_JIT)
+
+namespace JSC { namespace FTL {
+
+void ExitPropertyValue::dump(PrintStream& out) const
+{
+ out.print(m_location, " => ", m_value);
+}
+
+} } // namespace JSC::FTL
+
+#endif // ENABLE(FTL_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitPropertyValueh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.h (rev 0)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,66 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef FTLExitPropertyValue_h
+#define FTLExitPropertyValue_h
+
+#if ENABLE(FTL_JIT)
+
+#include "DFGPromotedHeapLocation.h"
+#include "FTLExitValue.h"
+
+namespace JSC { namespace FTL {
+
+class ExitPropertyValue {
+public:
+ ExitPropertyValue()
+ {
+ }
+
+ ExitPropertyValue(DFG::PromotedLocationDescriptor location, const ExitValue& value)
+ : m_location(location)
+ , m_value(value)
+ {
+ ASSERT(!!location == !!value);
+ }
+
+ bool operator!() const { return !m_location; }
+
+ DFG::PromotedLocationDescriptor location() const { return m_location; }
+ const ExitValue& value() const { return m_value; }
+
+ void dump(PrintStream& out) const;
+
+private:
+ DFG::PromotedLocationDescriptor m_location;
+ ExitValue m_value;
+};
+
+} } // namespace JSC::FTL
+
+#endif // ENABLE(FTL_JIT)
+
+#endif // FTLExitPropertyValue_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitTimeObjectMaterializationcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,69 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "FTLExitTimeObjectMaterialization.h"
+
+#if ENABLE(FTL_JIT)
+
+#include "DFGGraph.h"
+
+namespace JSC { namespace FTL {
+
+using namespace JSC::DFG;
+
+ExitTimeObjectMaterialization::ExitTimeObjectMaterialization(NodeType type)
+ : m_type(type)
+{
+}
+
+ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization()
+{
+}
+
+void ExitTimeObjectMaterialization::add(
+ PromotedLocationDescriptor location, const ExitValue& value)
+{
+ m_properties.append(ExitPropertyValue(location, value));
+}
+
+ExitValue ExitTimeObjectMaterialization::get(PromotedLocationDescriptor location) const
+{
+ for (ExitPropertyValue value : m_properties) {
+ if (value.location() == location)
+ return value.value();
+ }
+ return ExitValue();
+}
+
+void ExitTimeObjectMaterialization::dump(PrintStream& out) const
+{
+ out.print(RawPointer(this), ":", Graph::opName(m_type), "(", listDump(m_properties), ")");
+}
+
+} } // namespace JSC::FTL
+
+#endif // ENABLE(FTL_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitTimeObjectMaterializationh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h (rev 0)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,63 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef FTLExitTimeObjectMaterialization_h
+#define FTLExitTimeObjectMaterialization_h
+
+#if ENABLE(FTL_JIT)
+
+#include "DFGNodeType.h"
+#include "FTLExitPropertyValue.h"
+#include "FTLExitValue.h"
+#include <wtf/Noncopyable.h>
+
+namespace JSC { namespace FTL {
+
+class ExitTimeObjectMaterialization {
+ WTF_MAKE_NONCOPYABLE(ExitTimeObjectMaterialization)
+public:
+ ExitTimeObjectMaterialization(DFG::NodeType);
+ ~ExitTimeObjectMaterialization();
+
+ void add(DFG::PromotedLocationDescriptor, const ExitValue&);
+
+ DFG::NodeType type() const { return m_type; }
+
+ ExitValue get(DFG::PromotedLocationDescriptor) const;
+ const Vector<ExitPropertyValue>& properties() const { return m_properties; }
+
+ void dump(PrintStream& out) const;
+
+private:
+ DFG::NodeType m_type;
+ Vector<ExitPropertyValue> m_properties;
+};
+
+} } // namespace JSC::FTL
+
+#endif // ENABLE(FTL_JIT)
+
+#endif // FTLExitTimeObjectMaterialization_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -28,10 +28,19 @@
</span><span class="cx">
</span><span class="cx"> #if ENABLE(FTL_JIT)
</span><span class="cx">
</span><ins>+#include "FTLExitTimeObjectMaterialization.h"
</ins><span class="cx"> #include "JSCInlines.h"
</span><span class="cx">
</span><span class="cx"> namespace JSC { namespace FTL {
</span><span class="cx">
</span><ins>+ExitValue ExitValue::materializeNewObject(ExitTimeObjectMaterialization* data)
+{
+ ExitValue result;
+ result.m_kind = ExitValueMaterializeNewObject;
+ result.u.newObjectMaterializationData = data;
+ return result;
+}
+
</ins><span class="cx"> void ExitValue::dumpInContext(PrintStream& out, DumpContext* context) const
</span><span class="cx"> {
</span><span class="cx"> switch (kind()) {
</span><span class="lines">@@ -65,6 +74,9 @@
</span><span class="cx"> case ExitValueRecovery:
</span><span class="cx"> out.print("Recovery(", recoveryOpcode(), ", arg", leftRecoveryArgument(), ", arg", rightRecoveryArgument(), ", ", recoveryFormat(), ")");
</span><span class="cx"> return;
</span><ins>+ case ExitValueMaterializeNewObject:
+ out.print("Materialize(", pointerDump(objectMaterialization()), ")");
+ return;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitValue.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitValue.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitValue.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -52,9 +52,12 @@
</span><span class="cx"> ExitValueInJSStackAsInt52,
</span><span class="cx"> ExitValueInJSStackAsDouble,
</span><span class="cx"> ExitValueArgumentsObjectThatWasNotCreated,
</span><del>- ExitValueRecovery
</del><ins>+ ExitValueRecovery,
+ ExitValueMaterializeNewObject
</ins><span class="cx"> };
</span><span class="cx">
</span><ins>+class ExitTimeObjectMaterialization;
+
</ins><span class="cx"> class ExitValue {
</span><span class="cx"> public:
</span><span class="cx"> ExitValue()
</span><span class="lines">@@ -137,6 +140,8 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ static ExitValue materializeNewObject(ExitTimeObjectMaterialization*);
+
</ins><span class="cx"> ExitValueKind kind() const { return m_kind; }
</span><span class="cx">
</span><span class="cx"> bool isDead() const { return kind() == ExitValueDead; }
</span><span class="lines">@@ -156,6 +161,7 @@
</span><span class="cx"> bool isArgument() const { return kind() == ExitValueArgument; }
</span><span class="cx"> bool isArgumentsObjectThatWasNotCreated() const { return kind() == ExitValueArgumentsObjectThatWasNotCreated; }
</span><span class="cx"> bool isRecovery() const { return kind() == ExitValueRecovery; }
</span><ins>+ bool isObjectMaterialization() const { return kind() == ExitValueMaterializeNewObject; }
</ins><span class="cx">
</span><span class="cx"> ExitArgument exitArgument() const
</span><span class="cx"> {
</span><span class="lines">@@ -199,15 +205,21 @@
</span><span class="cx"> return VirtualRegister(u.virtualRegister);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- ExitValue withVirtualRegister(VirtualRegister virtualRegister)
</del><ins>+ ExitTimeObjectMaterialization* objectMaterialization() const
</ins><span class="cx"> {
</span><ins>+ ASSERT(isObjectMaterialization());
+ return u.newObjectMaterializationData;
+ }
+
+ ExitValue withVirtualRegister(VirtualRegister virtualRegister) const
+ {
</ins><span class="cx"> ASSERT(isInJSStackSomehow());
</span><span class="cx"> ExitValue result;
</span><span class="cx"> result.m_kind = m_kind;
</span><span class="cx"> result.u.virtualRegister = virtualRegister.offset();
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><del>-
</del><ins>+
</ins><span class="cx"> // If it's in the JSStack somehow, this will tell you what format it's in, in a manner
</span><span class="cx"> // that is compatible with exitArgument().format(). If it's a constant or it's dead, it
</span><span class="cx"> // will claim to be a JSValue. If it's an argument then it will tell you the argument's
</span><span class="lines">@@ -223,6 +235,7 @@
</span><span class="cx"> case ExitValueConstant:
</span><span class="cx"> case ExitValueInJSStack:
</span><span class="cx"> case ExitValueArgumentsObjectThatWasNotCreated:
</span><ins>+ case ExitValueMaterializeNewObject:
</ins><span class="cx"> return ValueFormatJSValue;
</span><span class="cx">
</span><span class="cx"> case ExitValueArgument:
</span><span class="lines">@@ -260,6 +273,7 @@
</span><span class="cx"> uint16_t opcode;
</span><span class="cx"> uint16_t format;
</span><span class="cx"> } recovery;
</span><ins>+ ExitTimeObjectMaterialization* newObjectMaterializationData;
</ins><span class="cx"> } u;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx"> #include "FTLFormattedValue.h"
</span><span class="cx"> #include "FTLInlineCacheSize.h"
</span><span class="cx"> #include "FTLLoweredNodeValue.h"
</span><ins>+#include "FTLOperations.h"
</ins><span class="cx"> #include "FTLOutput.h"
</span><span class="cx"> #include "FTLThunks.h"
</span><span class="cx"> #include "FTLWeightedTarget.h"
</span><span class="lines">@@ -341,7 +342,7 @@
</span><span class="cx">
</span><span class="cx"> m_availableRecoveries.resize(0);
</span><span class="cx">
</span><del>- bool shouldExecuteEffects = m_interpreter.startExecuting(m_node);
</del><ins>+ m_interpreter.startExecuting();
</ins><span class="cx">
</span><span class="cx"> switch (m_node->op()) {
</span><span class="cx"> case Upsilon:
</span><span class="lines">@@ -725,6 +726,12 @@
</span><span class="cx"> case ToIndexString:
</span><span class="cx"> compileToIndexString();
</span><span class="cx"> break;
</span><ins>+ case CheckStructureImmediate:
+ compileCheckStructureImmediate();
+ break;
+ case MaterializeNewObject:
+ compileMaterializeNewObject();
+ break;
</ins><span class="cx">
</span><span class="cx"> case PhantomLocal:
</span><span class="cx"> case SetArgument:
</span><span class="lines">@@ -735,6 +742,10 @@
</span><span class="cx"> case AllocationProfileWatchpoint:
</span><span class="cx"> case MovHint:
</span><span class="cx"> case ZombieHint:
</span><ins>+ case PhantomNewObject:
+ case PutByOffsetHint:
+ case PutStructureHint:
+ case BottomValue:
</ins><span class="cx"> break;
</span><span class="cx"> default:
</span><span class="cx"> DFG_CRASH(m_graph, m_node, "Unrecognized node in FTL backend");
</span><span class="lines">@@ -742,10 +753,8 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> m_availabilityCalculator.executeNode(m_node);
</span><ins>+ m_interpreter.executeEffects(nodeIndex);
</ins><span class="cx">
</span><del>- if (shouldExecuteEffects)
- m_interpreter.executeEffects(nodeIndex);
-
</del><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1704,30 +1713,7 @@
</span><span class="cx">
</span><span class="cx"> LValue structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
</span><span class="cx">
</span><del>- if (m_node->structureSet().size() == 1) {
- speculate(
- exitKind, jsValueValue(cell), 0,
- m_out.notEqual(structureID, weakStructure(m_node->structureSet()[0])));
- return;
- }
-
- LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("CheckStructure continuation"));
-
- LBasicBlock lastNext = m_out.insertNewBlocksBefore(continuation);
- for (unsigned i = 0; i < m_node->structureSet().size() - 1; ++i) {
- LBasicBlock nextStructure = FTL_NEW_BLOCK(m_out, ("CheckStructure nextStructure"));
- m_out.branch(
- m_out.equal(structureID, weakStructure(m_node->structureSet()[i])),
- unsure(continuation), unsure(nextStructure));
- m_out.appendTo(nextStructure);
- }
-
- speculate(
- exitKind, jsValueValue(cell), 0,
- m_out.notEqual(structureID, weakStructure(m_node->structureSet().last())));
-
- m_out.jump(continuation);
- m_out.appendTo(continuation, lastNext);
</del><ins>+ checkStructure(structureID, jsValueValue(cell), exitKind, m_node->structureSet());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void compileCheckCell()
</span><span class="lines">@@ -1762,7 +1748,7 @@
</span><span class="cx"> LValue structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
</span><span class="cx">
</span><span class="cx"> m_out.branch(
</span><del>- m_out.notEqual(structureID, weakStructure(m_node->structure())),
</del><ins>+ m_out.notEqual(structureID, weakStructureID(m_node->structure())),
</ins><span class="cx"> rarely(unexpectedStructure), usually(continuation));
</span><span class="cx">
</span><span class="cx"> LBasicBlock lastNext = m_out.appendTo(unexpectedStructure, continuation);
</span><span class="lines">@@ -1806,7 +1792,7 @@
</span><span class="cx"> structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
</span><span class="cx"> speculate(
</span><span class="cx"> BadIndexingType, jsValueValue(cell), 0,
</span><del>- m_out.notEqual(structureID, weakStructure(m_node->structure())));
</del><ins>+ m_out.notEqual(structureID, weakStructureID(m_node->structure())));
</ins><span class="cx"> m_out.jump(continuation);
</span><span class="cx">
</span><span class="cx"> m_out.appendTo(continuation, lastNext);
</span><span class="lines">@@ -1824,7 +1810,7 @@
</span><span class="cx">
</span><span class="cx"> LValue cell = lowCell(m_node->child1());
</span><span class="cx"> m_out.store32(
</span><del>- weakStructure(newStructure),
</del><ins>+ weakStructureID(newStructure),
</ins><span class="cx"> cell, m_heaps.JSCell_structureID);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -2649,28 +2635,7 @@
</span><span class="cx">
</span><span class="cx"> void compileNewObject()
</span><span class="cx"> {
</span><del>- Structure* structure = m_node->structure();
- size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
- MarkedAllocator* allocator = &vm().heap.allocatorForObjectWithoutDestructor(allocationSize);
-
- LBasicBlock slowPath = FTL_NEW_BLOCK(m_out, ("NewObject slow path"));
- LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("NewObject continuation"));
-
- LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
-
- ValueFromBlock fastResult = m_out.anchor(allocateObject(
- m_out.constIntPtr(allocator), structure, m_out.intPtrZero, slowPath));
-
- m_out.jump(continuation);
-
- m_out.appendTo(slowPath, continuation);
-
- ValueFromBlock slowResult = m_out.anchor(vmCall(
- m_out.operation(operationNewObject), m_callFrame, m_out.constIntPtr(structure)));
- m_out.jump(continuation);
-
- m_out.appendTo(continuation, lastNext);
- setJSValue(m_out.phi(m_out.intPtr, fastResult, slowResult));
</del><ins>+ setJSValue(allocateObject(m_node->structure()));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void compileNewArray()
</span><span class="lines">@@ -3290,7 +3255,7 @@
</span><span class="cx"> GetByIdVariant variant = data.variants[i];
</span><span class="cx"> for (unsigned j = variant.structureSet().size(); j--;) {
</span><span class="cx"> cases.append(SwitchCase(
</span><del>- weakStructure(variant.structureSet()[j]), blocks[i], Weight(1)));
</del><ins>+ weakStructureID(variant.structureSet()[j]), blocks[i], Weight(1)));
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> m_out.switchInstruction(
</span><span class="lines">@@ -3361,7 +3326,7 @@
</span><span class="cx"> PutByIdVariant variant = data.variants[i];
</span><span class="cx"> for (unsigned j = variant.oldStructure().size(); j--;) {
</span><span class="cx"> cases.append(
</span><del>- SwitchCase(weakStructure(variant.oldStructure()[j]), blocks[i], Weight(1)));
</del><ins>+ SwitchCase(weakStructureID(variant.oldStructure()[j]), blocks[i], Weight(1)));
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> m_out.switchInstruction(
</span><span class="lines">@@ -3370,7 +3335,7 @@
</span><span class="cx"> LBasicBlock lastNext = m_out.m_nextBlock;
</span><span class="cx">
</span><span class="cx"> for (unsigned i = data.variants.size(); i--;) {
</span><del>- m_out.appendTo(blocks[i], i + 1 < data.variants.size() ? blocks[i + 1] : exit);
</del><ins>+ m_out.appendTo(blocks[i], i + 1 < data.variants.size() ? blocks[i + 1] : exit);
</ins><span class="cx">
</span><span class="cx"> PutByIdVariant variant = data.variants[i];
</span><span class="cx">
</span><span class="lines">@@ -3393,7 +3358,7 @@
</span><span class="cx"> ASSERT(variant.oldStructureForTransition()->typeInfo().inlineTypeFlags() == variant.newStructure()->typeInfo().inlineTypeFlags());
</span><span class="cx"> ASSERT(variant.oldStructureForTransition()->typeInfo().type() == variant.newStructure()->typeInfo().type());
</span><span class="cx"> m_out.store32(
</span><del>- weakStructure(variant.newStructure()), base, m_heaps.JSCell_structureID);
</del><ins>+ weakStructureID(variant.newStructure()), base, m_heaps.JSCell_structureID);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> storeProperty(value, storage, data.identifierNumber, variant.offset());
</span><span class="lines">@@ -3953,12 +3918,13 @@
</span><span class="cx"> void compileInvalidationPoint()
</span><span class="cx"> {
</span><span class="cx"> if (verboseCompilationEnabled())
</span><del>- dataLog(" Invalidation point with availability: ", availability(), "\n");
</del><ins>+ dataLog(" Invalidation point with availability: ", availabilityMap(), "\n");
</ins><span class="cx">
</span><span class="cx"> m_ftlState.jitCode->osrExit.append(OSRExit(
</span><span class="cx"> UncountableInvalidation, InvalidValueFormat, MethodOfGettingAValueProfile(),
</span><span class="cx"> m_codeOriginForExitTarget, m_codeOriginForExitProfile,
</span><del>- availability().numberOfArguments(), availability().numberOfLocals()));
</del><ins>+ availabilityMap().m_locals.numberOfArguments(),
+ availabilityMap().m_locals.numberOfLocals()));
</ins><span class="cx"> m_ftlState.finalizer->osrExit.append(OSRExitCompilationInfo());
</span><span class="cx">
</span><span class="cx"> OSRExit& exit = m_ftlState.jitCode->osrExit.last();
</span><span class="lines">@@ -4360,7 +4326,121 @@
</span><span class="cx"> LValue index = lowInt32(m_node->child1());
</span><span class="cx"> setJSValue(vmCall(m_out.operation(operationToIndexString), m_callFrame, index));
</span><span class="cx"> }
</span><ins>+
+ void compileCheckStructureImmediate()
+ {
+ LValue structureID = lowCell(m_node->child1());
+ checkStructure(structureID, noValue(), BadCache, m_node->structureSet());
+ }
+
+ void compileMaterializeNewObject()
+ {
+ ObjectMaterializationData& data = m_node->objectMaterializationData();
+
+ // Lower the values first, to avoid creating values inside a control flow diamond.
+
+ Vector<LValue, 8> values;
+ for (unsigned i = 0; i < data.m_properties.size(); ++i)
+ values.append(lowJSValue(m_graph.varArgChild(m_node, 1 + i)));
+
+ StructureSet set;
+ m_interpreter.phiChildren()->forAllTransitiveIncomingValues(
+ m_graph.varArgChild(m_node, 0).node(),
+ [&] (Node* incoming) {
+ set.add(incoming->castConstant<Structure*>());
+ });
+
+ Vector<LBasicBlock, 1> blocks(set.size());
+ for (unsigned i = set.size(); i--;)
+ blocks[i] = FTL_NEW_BLOCK(m_out, ("MaterializeNewObject case ", i));
+ LBasicBlock dummyDefault = FTL_NEW_BLOCK(m_out, ("MaterializeNewObject default case"));
+ LBasicBlock outerContinuation = FTL_NEW_BLOCK(m_out, ("MaterializeNewObject continuation"));
+
+ Vector<SwitchCase, 1> cases(set.size());
+ for (unsigned i = set.size(); i--;)
+ cases[i] = SwitchCase(weakStructure(set[i]), blocks[i], Weight(1));
+ m_out.switchInstruction(
+ lowCell(m_graph.varArgChild(m_node, 0)), cases, dummyDefault, Weight(0));
+
+ LBasicBlock outerLastNext = m_out.m_nextBlock;
+
+ Vector<ValueFromBlock, 1> results;
+
+ for (unsigned i = set.size(); i--;) {
+ m_out.appendTo(blocks[i], i + 1 < set.size() ? blocks[i + 1] : dummyDefault);
+
+ Structure* structure = set[i];
+
+ LValue object;
+ LValue butterfly;
+
+ if (structure->outOfLineCapacity()) {
+ size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
+ MarkedAllocator* allocator = &vm().heap.allocatorForObjectWithoutDestructor(allocationSize);
+
+ LBasicBlock slowPath = FTL_NEW_BLOCK(m_out, ("MaterializeNewObject complex object allocation slow path"));
+ LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("MaterializeNewObject complex object allocation continuation"));
+
+ LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
+
+ LValue endOfStorage = allocateBasicStorageAndGetEnd(
+ m_out.constIntPtr(structure->outOfLineCapacity() * sizeof(JSValue)),
+ slowPath);
+
+ LValue fastButterflyValue = m_out.add(
+ m_out.constIntPtr(sizeof(IndexingHeader)), endOfStorage);
+
+ LValue fastObjectValue = allocateObject(
+ m_out.constIntPtr(allocator), structure, fastButterflyValue, slowPath);
</ins><span class="cx">
</span><ins>+ ValueFromBlock fastObject = m_out.anchor(fastObjectValue);
+ ValueFromBlock fastButterfly = m_out.anchor(fastButterflyValue);
+ m_out.jump(continuation);
+
+ m_out.appendTo(slowPath, continuation);
+
+ ValueFromBlock slowObject = m_out.anchor(vmCall(
+ m_out.operation(operationNewObjectWithButterfly),
+ m_callFrame, m_out.constIntPtr(structure)));
+ ValueFromBlock slowButterfly = m_out.anchor(
+ m_out.loadPtr(slowObject.value(), m_heaps.JSObject_butterfly));
+
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+
+ object = m_out.phi(m_out.intPtr, fastObject, slowObject);
+ butterfly = m_out.phi(m_out.intPtr, fastButterfly, slowButterfly);
+ } else {
+ // In the easy case where we can do a one-shot allocation, we simply allocate the
+ // object to directly have the desired structure.
+ object = allocateObject(structure);
+ butterfly = nullptr; // Don't have one, don't need one.
+ }
+
+ for (PropertyMapEntry entry : structure->getPropertiesConcurrently()) {
+ for (unsigned i = data.m_properties.size(); i--;) {
+ PhantomPropertyValue value = data.m_properties[i];
+ if (m_graph.identifiers()[value.m_identifierNumber] != entry.key)
+ continue;
+
+ LValue base = isInlineOffset(entry.offset) ? object : butterfly;
+ storeProperty(values[i], base, value.m_identifierNumber, entry.offset);
+ break;
+ }
+ }
+
+ results.append(m_out.anchor(object));
+ m_out.jump(outerContinuation);
+ }
+
+ m_out.appendTo(dummyDefault, outerContinuation);
+ m_out.unreachable();
+
+ m_out.appendTo(outerContinuation, outerLastNext);
+ setJSValue(m_out.phi(m_out.intPtr, results));
+ }
+
</ins><span class="cx"> #if ENABLE(FTL_NATIVE_CALL_INLINING)
</span><span class="cx"> LValue getFunctionBySymbol(const CString symbol)
</span><span class="cx"> {
</span><span class="lines">@@ -4525,6 +4605,36 @@
</span><span class="cx"> return m_out.booleanFalse;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void checkStructure(
+ LValue structureID, const FormattedValue& formattedValue, ExitKind exitKind,
+ const StructureSet& set)
+ {
+ if (set.size() == 1) {
+ speculate(
+ exitKind, formattedValue, 0,
+ m_out.notEqual(structureID, weakStructureID(set[0])));
+ return;
+ }
+
+ LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("checkStructure continuation"));
+
+ LBasicBlock lastNext = m_out.insertNewBlocksBefore(continuation);
+ for (unsigned i = 0; i < set.size() - 1; ++i) {
+ LBasicBlock nextStructure = FTL_NEW_BLOCK(m_out, ("checkStructure nextStructure"));
+ m_out.branch(
+ m_out.equal(structureID, weakStructureID(set[i])),
+ unsure(continuation), unsure(nextStructure));
+ m_out.appendTo(nextStructure);
+ }
+
+ speculate(
+ exitKind, formattedValue, 0,
+ m_out.notEqual(structureID, weakStructureID(set.last())));
+
+ m_out.jump(continuation);
+ m_out.appendTo(continuation, lastNext);
+ }
+
</ins><span class="cx"> LValue numberOrNotCellToInt32(Edge edge, LValue value)
</span><span class="cx"> {
</span><span class="cx"> LBasicBlock intCase = FTL_NEW_BLOCK(m_out, ("ValueToInt32 int case"));
</span><span class="lines">@@ -4831,7 +4941,7 @@
</span><span class="cx"> setBoolean(m_out.phi(m_out.boolean, fastResult, slowResult));
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LValue allocateCell(LValue allocator, Structure* structure, LBasicBlock slowPath)
</del><ins>+ LValue allocateCell(LValue allocator, LBasicBlock slowPath)
</ins><span class="cx"> {
</span><span class="cx"> LBasicBlock success = FTL_NEW_BLOCK(m_out, ("object allocation success"));
</span><span class="cx">
</span><span class="lines">@@ -4846,12 +4956,21 @@
</span><span class="cx"> m_out.loadPtr(result, m_heaps.JSCell_freeListNext),
</span><span class="cx"> allocator, m_heaps.MarkedAllocator_freeListHead);
</span><span class="cx">
</span><del>- m_out.store32(m_out.constInt32(structure->id()), result, m_heaps.JSCell_structureID);
-
</del><ins>+ return result;
+ }
+
+ void storeStructure(LValue object, Structure* structure)
+ {
+ m_out.store32(m_out.constInt32(structure->id()), object, m_heaps.JSCell_structureID);
</ins><span class="cx"> m_out.store32(
</span><span class="cx"> m_out.constInt32(structure->objectInitializationBlob()),
</span><del>- result, m_heaps.JSCell_usefulBytes);
-
</del><ins>+ object, m_heaps.JSCell_usefulBytes);
+ }
+
+ LValue allocateCell(LValue allocator, Structure* structure, LBasicBlock slowPath)
+ {
+ LValue result = allocateCell(allocator, slowPath);
+ storeStructure(result, structure);
</ins><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -4898,6 +5017,31 @@
</span><span class="cx"> m_out.loadPtr(m_out.absolute(&allocator.m_currentPayloadEnd)), newRemaining);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ LValue allocateObject(Structure* structure)
+ {
+ size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
+ MarkedAllocator* allocator = &vm().heap.allocatorForObjectWithoutDestructor(allocationSize);
+
+ LBasicBlock slowPath = FTL_NEW_BLOCK(m_out, ("allocateObject slow path"));
+ LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("allocateObject continuation"));
+
+ LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
+
+ ValueFromBlock fastResult = m_out.anchor(allocateObject(
+ m_out.constIntPtr(allocator), structure, m_out.intPtrZero, slowPath));
+
+ m_out.jump(continuation);
+
+ m_out.appendTo(slowPath, continuation);
+
+ ValueFromBlock slowResult = m_out.anchor(vmCall(
+ m_out.operation(operationNewObject), m_callFrame, m_out.constIntPtr(structure)));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ return m_out.phi(m_out.intPtr, fastResult, slowResult);
+ }
+
</ins><span class="cx"> struct ArrayValues {
</span><span class="cx"> ArrayValues()
</span><span class="cx"> : array(0)
</span><span class="lines">@@ -6107,7 +6251,7 @@
</span><span class="cx">
</span><span class="cx"> speculate(
</span><span class="cx"> NotStringObject, noValue(), 0,
</span><del>- m_out.notEqual(structureID, weakStructure(stringObjectStructure)));
</del><ins>+ m_out.notEqual(structureID, weakStructureID(stringObjectStructure)));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void speculateNonNullObject(Edge edge, LValue cell)
</span><span class="lines">@@ -6334,7 +6478,7 @@
</span><span class="cx"> ExitKind kind, FormattedValue lowValue, Node* highValue, LValue failCondition)
</span><span class="cx"> {
</span><span class="cx"> if (verboseCompilationEnabled()) {
</span><del>- dataLog(" OSR exit #", m_ftlState.jitCode->osrExit.size(), " with availability: ", availability(), "\n");
</del><ins>+ dataLog(" OSR exit #", m_ftlState.jitCode->osrExit.size(), " with availability: ", availabilityMap(), "\n");
</ins><span class="cx"> if (!m_availableRecoveries.isEmpty())
</span><span class="cx"> dataLog(" Available recoveries: ", listDump(m_availableRecoveries), "\n");
</span><span class="cx"> }
</span><span class="lines">@@ -6344,7 +6488,8 @@
</span><span class="cx"> m_ftlState.jitCode->osrExit.append(OSRExit(
</span><span class="cx"> kind, lowValue.format(), m_graph.methodOfGettingAValueProfileFor(highValue),
</span><span class="cx"> m_codeOriginForExitTarget, m_codeOriginForExitProfile,
</span><del>- availability().numberOfArguments(), availability().numberOfLocals()));
</del><ins>+ availabilityMap().m_locals.numberOfArguments(),
+ availabilityMap().m_locals.numberOfLocals()));
</ins><span class="cx"> m_ftlState.finalizer->osrExit.append(OSRExitCompilationInfo());
</span><span class="cx">
</span><span class="cx"> OSRExit& exit = m_ftlState.jitCode->osrExit.last();
</span><span class="lines">@@ -6384,58 +6529,54 @@
</span><span class="cx"> if (!!lowValue)
</span><span class="cx"> arguments.append(lowValue.value());
</span><span class="cx">
</span><ins>+ AvailabilityMap availabilityMap = this->availabilityMap();
+
</ins><span class="cx"> for (unsigned i = 0; i < exit.m_values.size(); ++i) {
</span><span class="cx"> int operand = exit.m_values.operandForIndex(i);
</span><span class="cx"> bool isLive = m_graph.isLiveInBytecode(VirtualRegister(operand), codeOrigin);
</span><del>- if (!isLive) {
- exit.m_values[i] = ExitValue::dead();
- continue;
- }
-
- Availability availability = this->availability()[i];
- FlushedAt flush = availability.flushedAt();
- switch (flush.format()) {
- case DeadFlush:
- case ConflictingFlush:
- if (availability.hasNode()) {
- exit.m_values[i] = exitValueForNode(arguments, availability.node());
- break;
- }
</del><ins>+ if (!isLive)
+ availabilityMap.m_locals[i] = Availability();
+ }
+
+ availabilityMap.prune();
+
+ HashMap<Node*, ExitTimeObjectMaterialization*> map;
+ availabilityMap.forEachAvailability(
+ [&] (Availability availability) {
+ if (!availability.shouldUseNode())
+ return;
</ins><span class="cx">
</span><del>- if (Options::validateFTLOSRExitLiveness())
- DFG_CRASH(m_graph, m_node, toCString("Expected r", operand, " to be available but it wasn't.").data());
</del><ins>+ Node* node = availability.node();
+ if (!node->isPhantomObjectAllocation())
+ return;
</ins><span class="cx">
</span><del>- // This means that the DFG's DCE proved that the value is dead in bytecode
- // even though the bytecode liveness analysis thinks it's live. This is
- // acceptable since the DFG's DCE is by design more aggressive while still
- // being sound.
- exit.m_values[i] = ExitValue::dead();
- break;
-
- case FlushedJSValue:
- case FlushedCell:
- case FlushedBoolean:
- exit.m_values[i] = ExitValue::inJSStack(flush.virtualRegister());
- break;
-
- case FlushedInt32:
- exit.m_values[i] = ExitValue::inJSStackAsInt32(flush.virtualRegister());
- break;
-
- case FlushedInt52:
- exit.m_values[i] = ExitValue::inJSStackAsInt52(flush.virtualRegister());
- break;
-
- case FlushedDouble:
- exit.m_values[i] = ExitValue::inJSStackAsDouble(flush.virtualRegister());
- break;
-
- case FlushedArguments:
- exit.m_values[i] = ExitValue::argumentsObjectThatWasNotCreated();
- break;
</del><ins>+ auto result = map.add(node, nullptr);
+ if (result.isNewEntry)
+ result.iterator->value = exit.m_materializations.add(node->op());
+ });
+
+ for (unsigned i = 0; i < exit.m_values.size(); ++i) {
+ int operand = exit.m_values.operandForIndex(i);
+
+ Availability availability = availabilityMap.m_locals[i];
+
+ if (Options::validateFTLOSRExitLiveness()) {
+ DFG_ASSERT(
+ m_graph, m_node,
+ !(availability.isDead() && m_graph.isLiveInBytecode(VirtualRegister(operand), codeOrigin)));
</ins><span class="cx"> }
</span><ins>+
+ exit.m_values[i] = exitValueForAvailability(arguments, map, availability);
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+ for (auto heapPair : availabilityMap.m_heap) {
+ Node* node = heapPair.key.base();
+ ExitTimeObjectMaterialization* materialization = map.get(node);
+ materialization->add(
+ heapPair.key.descriptor(),
+ exitValueForAvailability(arguments, map, heapPair.value));
+ }
+
</ins><span class="cx"> if (verboseCompilationEnabled())
</span><span class="cx"> dataLog(" Exit values: ", exit.m_values, "\n");
</span><span class="cx"> }
</span><span class="lines">@@ -6449,13 +6590,57 @@
</span><span class="cx"> m_out.call(m_out.stackmapIntrinsic(), arguments);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- ExitValue exitValueForNode(ExitArgumentList& arguments, Node* node)
</del><ins>+ ExitValue exitValueForAvailability(
+ ExitArgumentList& arguments, const HashMap<Node*, ExitTimeObjectMaterialization*>& map,
+ Availability availability)
</ins><span class="cx"> {
</span><ins>+ FlushedAt flush = availability.flushedAt();
+ switch (flush.format()) {
+ case DeadFlush:
+ case ConflictingFlush:
+ if (availability.hasNode())
+ return exitValueForNode(arguments, map, availability.node());
+
+ // This means that the value is dead. It could be dead in bytecode or it could have
+ // been killed by our DCE, which can sometimes kill things even if they were live in
+ // bytecode.
+ return ExitValue::dead();
+
+ case FlushedJSValue:
+ case FlushedCell:
+ case FlushedBoolean:
+ return ExitValue::inJSStack(flush.virtualRegister());
+
+ case FlushedInt32:
+ return ExitValue::inJSStackAsInt32(flush.virtualRegister());
+
+ case FlushedInt52:
+ return ExitValue::inJSStackAsInt52(flush.virtualRegister());
+
+ case FlushedDouble:
+ return ExitValue::inJSStackAsDouble(flush.virtualRegister());
+
+ case FlushedArguments:
+ return ExitValue::argumentsObjectThatWasNotCreated();
+ }
+
+ DFG_CRASH(m_graph, m_node, "Invalid flush format");
+ }
+
+ ExitValue exitValueForNode(
+ ExitArgumentList& arguments, const HashMap<Node*, ExitTimeObjectMaterialization*>& map,
+ Node* node)
+ {
</ins><span class="cx"> ASSERT(node->shouldGenerate());
</span><span class="cx"> ASSERT(node->hasResult());
</span><span class="cx">
</span><span class="cx"> if (node) {
</span><span class="cx"> switch (node->op()) {
</span><ins>+ case BottomValue:
+ // This might arise in object materializations. I actually doubt that it would,
+ // but it seems worthwhile to be conservative.
+ return ExitValue::dead();
+
</ins><span class="cx"> case JSConstant:
</span><span class="cx"> case Int52Constant:
</span><span class="cx"> case DoubleConstant:
</span><span class="lines">@@ -6464,6 +6649,9 @@
</span><span class="cx"> case PhantomArguments:
</span><span class="cx"> return ExitValue::argumentsObjectThatWasNotCreated();
</span><span class="cx">
</span><ins>+ case PhantomNewObject:
+ return ExitValue::materializeNewObject(map.get(node));
+
</ins><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -6647,12 +6835,17 @@
</span><span class="cx"> return m_out.constIntPtr(pointer);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LValue weakStructure(Structure* structure)
</del><ins>+ LValue weakStructureID(Structure* structure)
</ins><span class="cx"> {
</span><span class="cx"> addWeakReference(structure);
</span><span class="cx"> return m_out.constInt32(structure->id());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ LValue weakStructure(Structure* structure)
+ {
+ return weakPointer(structure);
+ }
+
</ins><span class="cx"> TypedPointer addressFor(LValue base, int operand, ptrdiff_t offset = 0)
</span><span class="cx"> {
</span><span class="cx"> return m_out.address(base, m_heaps.variables[operand], offset);
</span><span class="lines">@@ -6711,7 +6904,7 @@
</span><span class="cx"> m_out.unreachable();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- Operands<Availability>& availability() { return m_availabilityCalculator.m_availability; }
</del><ins>+ AvailabilityMap& availabilityMap() { return m_availabilityCalculator.m_availability; }
</ins><span class="cx">
</span><span class="cx"> VM& vm() { return m_graph.m_vm; }
</span><span class="cx"> CodeBlock* codeBlock() { return m_graph.m_codeBlock; }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOSRExith"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOSRExit.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOSRExit.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/ftl/FTLOSRExit.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -33,6 +33,7 @@
</span><span class="cx"> #include "DFGOSRExitBase.h"
</span><span class="cx"> #include "FTLAbbreviations.h"
</span><span class="cx"> #include "FTLExitArgumentList.h"
</span><ins>+#include "FTLExitTimeObjectMaterialization.h"
</ins><span class="cx"> #include "FTLExitValue.h"
</span><span class="cx"> #include "FTLFormattedValue.h"
</span><span class="cx"> #include "MethodOfGettingAValueProfile.h"
</span><span class="lines">@@ -160,6 +161,7 @@
</span><span class="cx"> unsigned m_patchableCodeOffset;
</span><span class="cx">
</span><span class="cx"> Operands<ExitValue> m_values;
</span><ins>+ Bag<ExitTimeObjectMaterialization> m_materializations;
</ins><span class="cx">
</span><span class="cx"> uint32_t m_stackmapID;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -33,6 +33,7 @@
</span><span class="cx"> #include "FTLExitArgumentForOperand.h"
</span><span class="cx"> #include "FTLJITCode.h"
</span><span class="cx"> #include "FTLOSRExit.h"
</span><ins>+#include "FTLOperations.h"
</ins><span class="cx"> #include "FTLState.h"
</span><span class="cx"> #include "FTLSaveRestore.h"
</span><span class="cx"> #include "LinkBuffer.h"
</span><span class="lines">@@ -46,6 +47,87 @@
</span><span class="cx">
</span><span class="cx"> using namespace DFG;
</span><span class="cx">
</span><ins>+static void compileRecovery(
+ CCallHelpers& jit, const ExitValue& value, StackMaps::Record* record, StackMaps& stackmaps,
+ char* registerScratch,
+ const HashMap<ExitTimeObjectMaterialization*, EncodedJSValue*>& materializationToPointer)
+{
+ switch (value.kind()) {
+ case ExitValueDead:
+ jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsUndefined())), GPRInfo::regT0);
+ break;
+
+ case ExitValueConstant:
+ jit.move(MacroAssembler::TrustedImm64(JSValue::encode(value.constant())), GPRInfo::regT0);
+ break;
+
+ case ExitValueArgument:
+ record->locations[value.exitArgument().argument()].restoreInto(
+ jit, stackmaps, registerScratch, GPRInfo::regT0);
+ break;
+
+ case ExitValueInJSStack:
+ case ExitValueInJSStackAsInt32:
+ case ExitValueInJSStackAsInt52:
+ case ExitValueInJSStackAsDouble:
+ jit.load64(AssemblyHelpers::addressFor(value.virtualRegister()), GPRInfo::regT0);
+ break;
+
+ case ExitValueArgumentsObjectThatWasNotCreated:
+ jit.move(MacroAssembler::TrustedImm64(JSValue::encode(JSValue())), GPRInfo::regT0);
+ break;
+
+ case ExitValueRecovery:
+ record->locations[value.rightRecoveryArgument()].restoreInto(
+ jit, stackmaps, registerScratch, GPRInfo::regT1);
+ record->locations[value.leftRecoveryArgument()].restoreInto(
+ jit, stackmaps, registerScratch, GPRInfo::regT0);
+ switch (value.recoveryOpcode()) {
+ case AddRecovery:
+ switch (value.recoveryFormat()) {
+ case ValueFormatInt32:
+ jit.add32(GPRInfo::regT1, GPRInfo::regT0);
+ break;
+ case ValueFormatInt52:
+ jit.add64(GPRInfo::regT1, GPRInfo::regT0);
+ break;
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
+ break;
+ case SubRecovery:
+ switch (value.recoveryFormat()) {
+ case ValueFormatInt32:
+ jit.sub32(GPRInfo::regT1, GPRInfo::regT0);
+ break;
+ case ValueFormatInt52:
+ jit.sub64(GPRInfo::regT1, GPRInfo::regT0);
+ break;
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
+ break;
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
+ break;
+
+ case ExitValueMaterializeNewObject:
+ jit.loadPtr(materializationToPointer.get(value.objectMaterialization()), GPRInfo::regT0);
+ break;
+
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
+
+ reboxAccordingToFormat(
+ value.valueFormat(), jit, GPRInfo::regT0, GPRInfo::regT1, GPRInfo::regT2);
+}
+
</ins><span class="cx"> static void compileStub(
</span><span class="cx"> unsigned exitID, JITCode* jitCode, OSRExit& exit, VM* vm, CodeBlock* codeBlock)
</span><span class="cx"> {
</span><span class="lines">@@ -64,13 +146,39 @@
</span><span class="cx">
</span><span class="cx"> CCallHelpers jit(vm, codeBlock);
</span><span class="cx">
</span><del>- // We need scratch space to save all registers and to build up the JSStack.
- // Use a scratch buffer to transfer all values.
- ScratchBuffer* scratchBuffer = vm->scratchBufferForSize(sizeof(EncodedJSValue) * exit.m_values.size() + requiredScratchMemorySizeInBytes() + jitCode->unwindInfo.m_registers.size() * sizeof(uint64_t));
</del><ins>+ // We need scratch space to save all registers, to build up the JS stack, to deal with unwind
+ // fixup, pointers to all of the objects we materialize, and the elements inside those objects
+ // that we materialize.
+
+ // Figure out how much space we need for those object allocations.
+ unsigned numMaterializations = 0;
+ size_t maxMaterializationNumArguments = 0;
+ for (ExitTimeObjectMaterialization* materialization : exit.m_materializations) {
+ numMaterializations++;
+
+ maxMaterializationNumArguments = std::max(
+ maxMaterializationNumArguments,
+ materialization->properties().size());
+ }
+
+ ScratchBuffer* scratchBuffer = vm->scratchBufferForSize(
+ sizeof(EncodedJSValue) * (
+ exit.m_values.size() + numMaterializations + maxMaterializationNumArguments) +
+ requiredScratchMemorySizeInBytes() +
+ jitCode->unwindInfo.m_registers.size() * sizeof(uint64_t));
</ins><span class="cx"> EncodedJSValue* scratch = scratchBuffer ? static_cast<EncodedJSValue*>(scratchBuffer->dataBuffer()) : 0;
</span><del>- char* registerScratch = bitwise_cast<char*>(scratch + exit.m_values.size());
</del><ins>+ EncodedJSValue* materializationPointers = scratch + exit.m_values.size();
+ EncodedJSValue* materializationArguments = materializationPointers + numMaterializations;
+ char* registerScratch = bitwise_cast<char*>(materializationArguments + maxMaterializationNumArguments);
</ins><span class="cx"> uint64_t* unwindScratch = bitwise_cast<uint64_t*>(registerScratch + requiredScratchMemorySizeInBytes());
</span><span class="cx">
</span><ins>+ HashMap<ExitTimeObjectMaterialization*, EncodedJSValue*> materializationToPointer;
+ unsigned materializationCount = 0;
+ for (ExitTimeObjectMaterialization* materialization : exit.m_materializations) {
+ materializationToPointer.add(
+ materialization, materializationPointers + materializationCount++);
+ }
+
</ins><span class="cx"> // Note that we come in here, the stack used to be as LLVM left it except that someone called pushToSave().
</span><span class="cx"> // We don't care about the value they saved. But, we do appreciate the fact that they did it, because we use
</span><span class="cx"> // that slot for saveAllRegisters().
</span><span class="lines">@@ -120,86 +228,69 @@
</span><span class="cx"> if (!!exit.m_valueProfile)
</span><span class="cx"> jit.store64(GPRInfo::regT0, exit.m_valueProfile.getSpecFailBucket(0));
</span><span class="cx"> }
</span><del>-
- // Save all state from wherever the exit data tells us it was, into the appropriate place in
- // the scratch buffer. This also does the reboxing.
</del><span class="cx">
</span><del>- for (unsigned index = exit.m_values.size(); index--;) {
- ExitValue value = exit.m_values[index];
</del><ins>+ // Materialize all objects. Don't materialize an object until all of the objects it needs
+ // have been materialized.
+ HashSet<ExitTimeObjectMaterialization*> toMaterialize;
+ for (ExitTimeObjectMaterialization* materialization : exit.m_materializations)
+ toMaterialize.add(materialization);
+
+ while (!toMaterialize.isEmpty()) {
+ int previousToMaterializeSize = toMaterialize.size();
</ins><span class="cx">
</span><del>- switch (value.kind()) {
- case ExitValueDead:
- jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsUndefined())), GPRInfo::regT0);
- break;
-
- case ExitValueConstant:
- jit.move(MacroAssembler::TrustedImm64(JSValue::encode(value.constant())), GPRInfo::regT0);
- break;
-
- case ExitValueArgument:
- record->locations[value.exitArgument().argument()].restoreInto(
- jit, jitCode->stackmaps, registerScratch, GPRInfo::regT0);
- break;
-
- case ExitValueInJSStack:
- case ExitValueInJSStackAsInt32:
- case ExitValueInJSStackAsInt52:
- case ExitValueInJSStackAsDouble:
- jit.load64(AssemblyHelpers::addressFor(value.virtualRegister()), GPRInfo::regT0);
- break;
-
- case ExitValueArgumentsObjectThatWasNotCreated:
- // We can't actually recover this yet, but we can make the stack look sane. This is
- // a prerequisite to running the actual arguments recovery.
- jit.move(MacroAssembler::TrustedImm64(JSValue::encode(JSValue())), GPRInfo::regT0);
- break;
-
- case ExitValueRecovery:
- record->locations[value.rightRecoveryArgument()].restoreInto(
- jit, jitCode->stackmaps, registerScratch, GPRInfo::regT1);
- record->locations[value.leftRecoveryArgument()].restoreInto(
- jit, jitCode->stackmaps, registerScratch, GPRInfo::regT0);
- switch (value.recoveryOpcode()) {
- case AddRecovery:
- switch (value.recoveryFormat()) {
- case ValueFormatInt32:
- jit.add32(GPRInfo::regT1, GPRInfo::regT0);
</del><ins>+ Vector<ExitTimeObjectMaterialization*> worklist;
+ worklist.appendRange(toMaterialize.begin(), toMaterialize.end());
+ for (ExitTimeObjectMaterialization* materialization : worklist) {
+ // Check if we can do anything about this right now.
+ bool allGood = true;
+ for (ExitPropertyValue value : materialization->properties()) {
+ if (!value.value().isObjectMaterialization())
+ continue;
+ if (toMaterialize.contains(value.value().objectMaterialization())) {
+ // Gotta skip this one, since one of its fields points to a materialization
+ // that hasn't been materialized.
+ allGood = false;
</ins><span class="cx"> break;
</span><del>- case ValueFormatInt52:
- jit.add64(GPRInfo::regT1, GPRInfo::regT0);
- break;
- default:
- RELEASE_ASSERT_NOT_REACHED();
- break;
</del><span class="cx"> }
</span><del>- break;
- case SubRecovery:
- switch (value.recoveryFormat()) {
- case ValueFormatInt32:
- jit.sub32(GPRInfo::regT1, GPRInfo::regT0);
- break;
- case ValueFormatInt52:
- jit.sub64(GPRInfo::regT1, GPRInfo::regT0);
- break;
- default:
- RELEASE_ASSERT_NOT_REACHED();
- break;
- }
- break;
- default:
- RELEASE_ASSERT_NOT_REACHED();
- break;
</del><span class="cx"> }
</span><del>- break;
</del><ins>+ if (!allGood)
+ continue;
</ins><span class="cx">
</span><del>- default:
- RELEASE_ASSERT_NOT_REACHED();
- break;
</del><ins>+ // All systems go for materializing the object. First we recover the values of all of
+ // its fields and then we call a function to actually allocate the beast.
+ for (unsigned propertyIndex = materialization->properties().size(); propertyIndex--;) {
+ const ExitValue& value = materialization->properties()[propertyIndex].value();
+ compileRecovery(
+ jit, value, record, jitCode->stackmaps, registerScratch,
+ materializationToPointer);
+ jit.storePtr(GPRInfo::regT0, materializationArguments + propertyIndex);
+ }
+
+ // This call assumes that we don't pass arguments on the stack.
+ jit.setupArgumentsWithExecState(
+ CCallHelpers::TrustedImmPtr(materialization),
+ CCallHelpers::TrustedImmPtr(materializationArguments));
+ jit.move(CCallHelpers::TrustedImmPtr(bitwise_cast<void*>(operationMaterializeObjectInOSR)), GPRInfo::nonArgGPR0);
+ jit.call(GPRInfo::nonArgGPR0);
+ jit.storePtr(GPRInfo::returnValueGPR, materializationToPointer.get(materialization));
+
+ // Let everyone know that we're done.
+ toMaterialize.remove(materialization);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- reboxAccordingToFormat(
- value.valueFormat(), jit, GPRInfo::regT0, GPRInfo::regT1, GPRInfo::regT2);
-
</del><ins>+ // We expect progress! This ensures that we crash rather than looping infinitely if there
+ // is something broken about this fixpoint. Or, this could happen if we ever violate the
+ // "materializations form a DAG" rule.
+ RELEASE_ASSERT(toMaterialize.size() < previousToMaterializeSize);
+ }
+
+ // Save all state from wherever the exit data tells us it was, into the appropriate place in
+ // the scratch buffer. This also does the reboxing.
+
+ for (unsigned index = exit.m_values.size(); index--;) {
+ compileRecovery(
+ jit, exit.m_values[index], record, jitCode->stackmaps, registerScratch,
+ materializationToPointer);
</ins><span class="cx"> jit.store64(GPRInfo::regT0, scratch + index);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOperationscpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,98 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "FTLOperations.h"
+
+#if ENABLE(FTL_JIT)
+
+#include "JSCInlines.h"
+
+namespace JSC { namespace FTL {
+
+using namespace JSC::DFG;
+
+extern "C" JSCell* JIT_OPERATION operationNewObjectWithButterfly(ExecState* exec, Structure* structure)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ Butterfly* butterfly = Butterfly::create(
+ vm, nullptr, 0, structure->outOfLineCapacity(), false, IndexingHeader(), 0);
+
+ return JSFinalObject::create(exec, structure, butterfly);
+}
+
+extern "C" JSCell* JIT_OPERATION operationMaterializeObjectInOSR(
+ ExecState* exec, ExitTimeObjectMaterialization* materialization, EncodedJSValue* values)
+{
+ VM& vm = exec->vm();
+ CodeBlock* codeBlock = exec->codeBlock();
+
+ // We cannot GC. We've got pointers in evil places.
+ DeferGCForAWhile deferGC(vm.heap);
+
+ // In the future, we may have many different kinds of materializations. For now we just
+ // materialize NewObject.
+ RELEASE_ASSERT(materialization->type() == PhantomNewObject);
+
+ // First figure out what the structure is.
+ Structure* structure = nullptr;
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location() != PromotedLocationDescriptor(StructurePLoc))
+ continue;
+
+ structure = jsCast<Structure*>(JSValue::decode(values[i]));
+ }
+ RELEASE_ASSERT(structure);
+
+ // Let's create that object!
+ JSFinalObject* result = JSFinalObject::create(vm, structure);
+
+ // Now figure out what the heck to populate the object with. Use getPropertiesConcurrently()
+ // because that happens to be lower-level and more convenient. It doesn't change the
+ // materialization of the property table. We want to have minimal visible effects on the
+ // system. Also, don't mind that this is O(n^2). It doesn't matter. We only get here from OSR
+ // exit.
+ for (PropertyMapEntry entry : structure->getPropertiesConcurrently()) {
+ for (unsigned i = materialization->properties().size(); i--;) {
+ const ExitPropertyValue& property = materialization->properties()[i];
+ if (property.location().kind() != NamedPropertyPLoc)
+ continue;
+ if (codeBlock->identifier(property.location().info()).impl() != entry.key)
+ continue;
+
+ result->putDirect(vm, entry.offset, JSValue::decode(values[i]));
+ }
+ }
+
+ return result;
+}
+
+} } // namespace JSC::FTL
+
+#endif // ENABLE(FTL_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOperationsh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/ftl/FTLOperations.h (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOperations.h (rev 0)
+++ trunk/Source/JavaScriptCore/ftl/FTLOperations.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,50 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef FTLOperations_h
+#define FTLOperations_h
+
+#if ENABLE(FTL_JIT)
+
+#include "DFGOperations.h"
+#include "FTLExitTimeObjectMaterialization.h"
+
+namespace JSC { namespace FTL {
+
+extern "C" {
+
+JSCell* JIT_OPERATION operationNewObjectWithButterfly(ExecState*, Structure*) WTF_INTERNAL;
+
+JSCell* JIT_OPERATION operationMaterializeObjectInOSR(
+ ExecState*, ExitTimeObjectMaterialization*, EncodedJSValue*) WTF_INTERNAL;
+
+} // extern "C"
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(FTL_JIT)
+
+#endif // FTLOperations_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLSwitchCaseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLSwitchCase.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLSwitchCase.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/ftl/FTLSwitchCase.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -35,6 +35,12 @@
</span><span class="cx">
</span><span class="cx"> class SwitchCase {
</span><span class="cx"> public:
</span><ins>+ SwitchCase()
+ : m_value(nullptr)
+ , m_target(nullptr)
+ {
+ }
+
</ins><span class="cx"> SwitchCase(LValue value, LBasicBlock target, Weight weight)
</span><span class="cx"> : m_value(value)
</span><span class="cx"> , m_target(target)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -724,8 +724,6 @@
</span><span class="cx"> {
</span><span class="cx"> Base::finishCreation(vm);
</span><span class="cx"> ASSERT(inherits(info()));
</span><del>- ASSERT(!structure()->outOfLineCapacity());
- ASSERT(structure()->isEmpty());
</del><span class="cx"> ASSERT(prototype().isNull() || Heap::heap(this) == Heap::heap(prototype()));
</span><span class="cx"> ASSERT(structure()->isObject());
</span><span class="cx"> ASSERT(classInfo());
</span><span class="lines">@@ -1052,7 +1050,7 @@
</span><span class="cx"> return (maxSize - allocationSize(0)) / sizeof(WriteBarrier<Unknown>);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- static JSFinalObject* create(ExecState*, Structure*);
</del><ins>+ static JSFinalObject* create(ExecState*, Structure*, Butterfly* = nullptr);
</ins><span class="cx"> static JSFinalObject* create(VM&, Structure*);
</span><span class="cx"> static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, unsigned inlineCapacity)
</span><span class="cx"> {
</span><span class="lines">@@ -1076,15 +1074,16 @@
</span><span class="cx"> private:
</span><span class="cx"> friend class LLIntOffsetsExtractor;
</span><span class="cx">
</span><del>- explicit JSFinalObject(VM& vm, Structure* structure)
- : JSObject(vm, structure)
</del><ins>+ explicit JSFinalObject(VM& vm, Structure* structure, Butterfly* butterfly = nullptr)
+ : JSObject(vm, structure, butterfly)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static const unsigned StructureFlags = JSObject::StructureFlags;
</span><span class="cx"> };
</span><span class="cx">
</span><del>-inline JSFinalObject* JSFinalObject::create(ExecState* exec, Structure* structure)
</del><ins>+inline JSFinalObject* JSFinalObject::create(
+ ExecState* exec, Structure* structure, Butterfly* butterfly)
</ins><span class="cx"> {
</span><span class="cx"> JSFinalObject* finalObject = new (
</span><span class="cx"> NotNull,
</span><span class="lines">@@ -1092,7 +1091,7 @@
</span><span class="cx"> *exec->heap(),
</span><span class="cx"> allocationSize(structure->inlineCapacity())
</span><span class="cx"> )
</span><del>- ) JSFinalObject(exec->vm(), structure);
</del><ins>+ ) JSFinalObject(exec->vm(), structure, butterfly);
</ins><span class="cx"> finalObject->finishCreation(exec->vm());
</span><span class="cx"> return finalObject;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructurecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Structure.cpp (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Structure.cpp 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/runtime/Structure.cpp 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -1105,6 +1105,13 @@
</span><span class="cx"> return baseShape.release();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool Structure::canUseForAllocationsOf(Structure* other)
+{
+ return inlineCapacity() == other->inlineCapacity()
+ && storedPrototype() == other->storedPrototype()
+ && objectInitializationBlob() == other->objectInitializationBlob();
+}
+
</ins><span class="cx"> void Structure::dump(PrintStream& out) const
</span><span class="cx"> {
</span><span class="cx"> out.print(RawPointer(this), ":[", classInfo()->className, ", {");
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructureh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Structure.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Structure.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/JavaScriptCore/runtime/Structure.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -433,6 +433,10 @@
</span><span class="cx">
</span><span class="cx"> PassRefPtr<StructureShape> toStructureShape(JSValue);
</span><span class="cx">
</span><ins>+ // Determines if the two structures match enough that this one could be used for allocations
+ // of the other one.
+ bool canUseForAllocationsOf(Structure*);
+
</ins><span class="cx"> void dump(PrintStream&) const;
</span><span class="cx"> void dumpInContext(PrintStream&, DumpContext*) const;
</span><span class="cx"> void dumpBrief(PrintStream&, const CString&) const;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstresselidablenewobjectroflcopterthenexitjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/elidable-new-object-roflcopter-then-exit.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/elidable-new-object-roflcopter-then-exit.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/elidable-new-object-roflcopter-then-exit.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 1000000;
+
+var array = [42, "hello"];
+
+function foo() {
+ var result = 0;
+ var q;
+ for (var i = 0; i < n; ++i) {
+ var o = {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: i}}}}}}}}}}}}}}}}}}};
+ var p = {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: {f: i + 1}}}}}}}}}}}}}}}}}}};
+ q = array[(i > n - 100) | 0] + 1;
+ result += o.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f + p.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f;
+ }
+ return q + result;
+}
+
+var result = foo();
+if (result != "hello" + 1 + (sumOfArithSeries(n - 1) + sumOfArithSeries(n)))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstresselidenewobjectdagthenexitjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/elide-new-object-dag-then-exit.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/elide-new-object-dag-then-exit.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/elide-new-object-dag-then-exit.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,43 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+function bar() { }
+
+function verify(q, i) {
+ if (q.f == q.g)
+ throw "Error: q.f == q.g";
+ if (q.f.f != q.g.f)
+ throw "Error: q.f.f != q.g.f";
+ if (q.f.f.f != i)
+ throw "Error: q.f.f.f != i";
+}
+
+function foo() {
+ var result = 0;
+ for (var i = 0; i < n; ++i) {
+ var leaf = {f:i};
+ var o = {f:leaf};
+ var p = {f:leaf};
+ var q = {f:o, g:p};
+ result += q.f.f.f;
+ if (i >= n - 100) {
+ // We want the materialization to happen in the exit. So, before calling the thing that
+ // causes the materialization, we call bar(). We've never profiled this call at the time
+ // of FTL compilation, so this should be an exit.
+ bar();
+ verify(q, i);
+ }
+ }
+ return result;
+}
+
+noInline(foo);
+noInline(verify);
+noInline(bar);
+
+var result = foo();
+if (result != sumOfArithSeries(n - 1))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressobviouslyelidablenewobjectthenexitjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/obviously-elidable-new-object-then-exit.js (0 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/obviously-elidable-new-object-then-exit.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/obviously-elidable-new-object-then-exit.js 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+function sumOfArithSeries(limit) {
+ return limit * (limit + 1) / 2;
+}
+
+var n = 10000000;
+
+var array = [1, "hello"];
+
+function foo() {
+ var result = 0;
+ var q;
+ for (var i = 0; i < n; ++i) {
+ var o = {f: i};
+ var p = {f: i + 1};
+ q = array[(i >= n - 100) | 0] + 1;
+ result += o.f + p.f;
+ }
+ return q + result;
+}
+
+var result = foo();
+if (result != "hello" + 1 + (sumOfArithSeries(n - 1) + sumOfArithSeries(n)))
+ throw "Error: bad result: " + result;
</ins></span></pre></div>
<a id="trunkSourceWTFChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/ChangeLog (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/ChangeLog 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/WTF/ChangeLog 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2014-09-24 Filip Pizlo <fpizlo@apple.com>
+
+ FTL should sink object allocations
+ https://bugs.webkit.org/show_bug.cgi?id=136330
+
+ Reviewed by Oliver Hunt.
+
+ Make it possible to reset a Bag.
+
+ * wtf/Bag.h:
+ (WTF::Bag::Bag):
+ (WTF::Bag::~Bag):
+ (WTF::Bag::clear):
+
</ins><span class="cx"> 2014-09-25 Roger Fong <roger_fong@apple.com>
</span><span class="cx">
</span><span class="cx"> [Windows] Unreviewed build fix. Ensure that python2.7 is used for Windows builds.
</span></span></pre></div>
<a id="trunkSourceWTFwtfBagh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/Bag.h (173992 => 173993)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/Bag.h 2014-09-26 02:29:50 UTC (rev 173992)
+++ trunk/Source/WTF/wtf/Bag.h 2014-09-26 03:59:33 UTC (rev 173993)
</span><span class="lines">@@ -46,17 +46,23 @@
</span><span class="cx">
</span><span class="cx"> public:
</span><span class="cx"> Bag()
</span><del>- : m_head(0)
</del><ins>+ : m_head(nullptr)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ~Bag()
</span><span class="cx"> {
</span><ins>+ clear();
+ }
+
+ void clear()
+ {
</ins><span class="cx"> while (m_head) {
</span><span class="cx"> Node* current = m_head;
</span><span class="cx"> m_head = current->m_next;
</span><span class="cx"> delete current;
</span><span class="cx"> }
</span><ins>+ m_head = nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename... Args>
</span></span></pre>
</div>
</div>
</body>
</html>