<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[174934] releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/174934">174934</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2014-10-21 02:08:41 -0700 (Tue, 21 Oct 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/174025">r174025</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/174121">r174121</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/174749">r174749</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/174856">r174856</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/174899">r174899</a> - DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
https://bugs.webkit.org/show_bug.cgi?id=137161
Reviewed by Mark Hahnenberg.
This looks like a 1% Octane speed-up.
* bytecode/SpeculatedType.h:
(JSC::isNotCellSpeculation):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):
(JSC::DFG::FixupPhase::insertCheck):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateNotCell):
REGRESSION (<a href="http://trac.webkit.org/projects/webkit/changeset/174025">r174025</a>): Invalid cast in JSC::asString
https://bugs.webkit.org/show_bug.cgi?id=137224
Reviewed by Geoffrey Garen.
Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
when we speak of "the value being stored" we are really referring to the right value.
The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
child3. So we were incorrectly removing all barriers from PutClosureVar.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
REGRESSION(<a href="http://trac.webkit.org/projects/webkit/changeset/174025">r174025</a>): remote inspector crashes frequently when executing inspector frontend's JavaScript
https://bugs.webkit.org/show_bug.cgi?id=137758
Rubber stamped by Filip Pizlo.
Reverted <a href="http://trac.webkit.org/projects/webkit/changeset/174025">r174025</a> for just PutByOffset Nodes.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
Web Process crash when starting the web inspector after <a href="http://trac.webkit.org/projects/webkit/changeset/174025">r174025</a>.
<https://webkit.org/b/137340>
Reviewed by Filip Pizlo.
After <a href="http://trac.webkit.org/projects/webkit/changeset/174025">r174025</a>, we can generate a bad graph in the DFG fixup phase like so:
102:<!0:-> StoreBarrier(Check:KnownCell:@19, ..., bc#44)
60:<!0:-> PutStructure(Check:KnownCell:@19, ..., bc#44)
103:<!0:-> Check(Check:NotCell:@54, ..., bc#44)
// ^-- PutByOffset's StoreBarrier has been elided and replaced
// with a speculation check which can OSR exit.
61:<!0:-> PutByOffset(Check:KnownCell:@19, ..., bc#44)
As a result, the structure change will get executed even if we end up OSR
exiting before the PutByOffset. In the baseline JIT code, the structure now
erroneously tells the put operation that there is a value in that property
slot when it is actually uninitialized (hence, the crash).
The fix is to insert the Check at the earliest point possible:
1. If the checked node is in the same bytecode as the PutByOffset, then
the earliest point where we can insert the Check is right after the
checked node.
2. If the checked node is from a preceding bytecode (before the PutByOffset),
then the earliest point where we can insert the Check is at the start
of the current bytecode.
Also reverted the workaround from <a href="http://trac.webkit.org/projects/webkit/changeset/174749">r174749</a>: https://webkit.org/b/137758.
Benchmark results appear to be a wash on aggregate.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::indexOfNode):
(JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertCheck):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertOutOfOrder):
(JSC::DFG::InsertionSet::insertOutOfOrderNode):
[Follow up] Web Process crash when starting the web inspector after <a href="http://trac.webkit.org/projects/webkit/changeset/174025">r174025</a>.
<https://webkit.org/b/137340>
Reviewed by Geoffrey Garen.
Applied Geoff's feedback to clean up some code for better clarity after
<a href="http://trac.webkit.org/projects/webkit/changeset/174856">r174856</a>.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::insertCheck):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertOutOfOrder):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit26SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit26SourceJavaScriptCorebytecodeSpeculatedTypeh">releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/bytecode/SpeculatedType.h</a></li>
<li><a href="#releasesWebKitGTKwebkit26SourceJavaScriptCoredfgDFGFixupPhasecpp">releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit26SourceJavaScriptCoredfgDFGInsertionSeth">releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGInsertionSet.h</a></li>
<li><a href="#releasesWebKitGTKwebkit26SourceJavaScriptCoredfgDFGNodeh">releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit26SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/ChangeLog (174933 => 174934)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/ChangeLog 2014-10-21 08:57:22 UTC (rev 174933)
+++ releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/ChangeLog 2014-10-21 09:08:41 UTC (rev 174934)
</span><span class="lines">@@ -1,3 +1,108 @@
</span><ins>+2014-10-20 Mark Lam <mark.lam@apple.com>
+
+ [Follow up] Web Process crash when starting the web inspector after r174025.
+ <https://webkit.org/b/137340>
+
+ Reviewed by Geoffrey Garen.
+
+ Applied Geoff's feedback to clean up some code for better clarity after
+ r174856.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::insertCheck):
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::InsertionSet::insertOutOfOrder):
+
+2014-10-17 Mark Lam <mark.lam@apple.com>
+
+ Web Process crash when starting the web inspector after r174025.
+ <https://webkit.org/b/137340>
+
+ Reviewed by Filip Pizlo.
+
+ After r174025, we can generate a bad graph in the DFG fixup phase like so:
+
+ 102:<!0:-> StoreBarrier(Check:KnownCell:@19, ..., bc#44)
+ 60:<!0:-> PutStructure(Check:KnownCell:@19, ..., bc#44)
+ 103:<!0:-> Check(Check:NotCell:@54, ..., bc#44)
+ // ^-- PutByOffset's StoreBarrier has been elided and replaced
+ // with a speculation check which can OSR exit.
+ 61:<!0:-> PutByOffset(Check:KnownCell:@19, ..., bc#44)
+
+ As a result, the structure change will get executed even if we end up OSR
+ exiting before the PutByOffset. In the baseline JIT code, the structure now
+ erroneously tells the put operation that there is a value in that property
+ slot when it is actually uninitialized (hence, the crash).
+
+ The fix is to insert the Check at the earliest point possible:
+
+ 1. If the checked node is in the same bytecode as the PutByOffset, then
+ the earliest point where we can insert the Check is right after the
+ checked node.
+
+ 2. If the checked node is from a preceding bytecode (before the PutByOffset),
+ then the earliest point where we can insert the Check is at the start
+ of the current bytecode.
+
+ Also reverted the workaround from r174749: https://webkit.org/b/137758.
+
+ Benchmark results appear to be a wash on aggregate.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::indexOfNode):
+ (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin):
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::insertCheck):
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::InsertionSet::insertOutOfOrder):
+ (JSC::DFG::InsertionSet::insertOutOfOrderNode):
+
+2014-10-15 Michael Saboff <msaboff@apple.com>
+
+ REGRESSION(r174025): remote inspector crashes frequently when executing inspector frontend's JavaScript
+ https://bugs.webkit.org/show_bug.cgi?id=137758
+
+ Rubber stamped by Filip Pizlo.
+
+ Reverted r174025 for just PutByOffset Nodes.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2014-09-30 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION (r174025): Invalid cast in JSC::asString
+ https://bugs.webkit.org/show_bug.cgi?id=137224
+
+ Reviewed by Geoffrey Garen.
+
+ Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
+ when we speak of "the value being stored" we are really referring to the right value.
+
+ The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
+ child3. So we were incorrectly removing all barriers from PutClosureVar.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2014-09-26 Filip Pizlo <fpizlo@apple.com>
+
+ DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
+ https://bugs.webkit.org/show_bug.cgi?id=137161
+
+ Reviewed by Mark Hahnenberg.
+
+ This looks like a 1% Octane speed-up.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isNotCellSpeculation):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::insertStoreBarrier):
+ (JSC::DFG::FixupPhase::insertCheck):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::shouldSpeculateNotCell):
+
</ins><span class="cx"> 2014-09-26 Peter Varga <pvarga@webkit.org>
</span><span class="cx">
</span><span class="cx"> Fix typo in YARR at BOL check
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit26SourceJavaScriptCorebytecodeSpeculatedTypeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/bytecode/SpeculatedType.h (174933 => 174934)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/bytecode/SpeculatedType.h 2014-10-21 08:57:22 UTC (rev 174933)
+++ releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/bytecode/SpeculatedType.h 2014-10-21 09:08:41 UTC (rev 174934)
</span><span class="lines">@@ -98,6 +98,11 @@
</span><span class="cx"> return !!(value & SpecCell) && !(value & ~SpecCell);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+inline bool isNotCellSpeculation(SpeculatedType value)
+{
+ return !(value & SpecCell) && value;
+}
+
</ins><span class="cx"> inline bool isObjectSpeculation(SpeculatedType value)
</span><span class="cx"> {
</span><span class="cx"> return !!(value & SpecObject) && !(value & ~SpecObject);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit26SourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (174933 => 174934)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2014-10-21 08:57:22 UTC (rev 174933)
+++ releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2014-10-21 09:08:41 UTC (rev 174934)
</span><span class="lines">@@ -86,6 +86,33 @@
</span><span class="cx"> m_insertionSet.execute(block);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ inline unsigned indexOfNode(Node* node, unsigned indexToSearchFrom)
+ {
+ unsigned index = indexToSearchFrom;
+ while (index) {
+ if (m_block->at(index) == node)
+ break;
+ index--;
+ }
+ ASSERT(m_block->at(index) == node);
+ return index;
+ }
+
+ inline unsigned indexOfFirstNodeOfExitOrigin(CodeOrigin& originForExit, unsigned indexToSearchFrom)
+ {
+ unsigned index = indexToSearchFrom;
+ ASSERT(m_block->at(index)->origin.forExit == originForExit);
+ while (index) {
+ index--;
+ if (m_block->at(index)->origin.forExit != originForExit) {
+ index++;
+ break;
+ }
+ }
+ ASSERT(m_block->at(index)->origin.forExit == originForExit);
+ return index;
+ }
+
</ins><span class="cx"> void fixupNode(Node* node)
</span><span class="cx"> {
</span><span class="cx"> NodeType op = node->op();
</span><span class="lines">@@ -644,7 +671,7 @@
</span><span class="cx"> case Array::Arguments:
</span><span class="cx"> fixEdge<KnownCellUse>(child1);
</span><span class="cx"> fixEdge<Int32Use>(child2);
</span><del>- insertStoreBarrier(m_indexInBlock, child1);
</del><ins>+ insertStoreBarrier(m_indexInBlock, child1, child3);
</ins><span class="cx"> break;
</span><span class="cx"> default:
</span><span class="cx"> fixEdge<KnownCellUse>(child1);
</span><span class="lines">@@ -682,7 +709,7 @@
</span><span class="cx"> break;
</span><span class="cx"> case Array::Contiguous:
</span><span class="cx"> case Array::ArrayStorage:
</span><del>- insertStoreBarrier(m_indexInBlock, node->child1());
</del><ins>+ insertStoreBarrier(m_indexInBlock, node->child1(), node->child2());
</ins><span class="cx"> break;
</span><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="lines">@@ -854,7 +881,7 @@
</span><span class="cx">
</span><span class="cx"> case PutClosureVar: {
</span><span class="cx"> fixEdge<KnownCellUse>(node->child1());
</span><del>- insertStoreBarrier(m_indexInBlock, node->child1());
</del><ins>+ insertStoreBarrier(m_indexInBlock, node->child1(), node->child3());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -899,7 +926,7 @@
</span><span class="cx"> case PutByIdFlush:
</span><span class="cx"> case PutByIdDirect: {
</span><span class="cx"> fixEdge<CellUse>(node->child1());
</span><del>- insertStoreBarrier(m_indexInBlock, node->child1());
</del><ins>+ insertStoreBarrier(m_indexInBlock, node->child1(), node->child2());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -942,13 +969,13 @@
</span><span class="cx"> if (!node->child1()->hasStorageResult())
</span><span class="cx"> fixEdge<KnownCellUse>(node->child1());
</span><span class="cx"> fixEdge<KnownCellUse>(node->child2());
</span><del>- insertStoreBarrier(m_indexInBlock, node->child2());
</del><ins>+ insertStoreBarrier(m_indexInBlock, node->child2(), node->child3());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case MultiPutByOffset: {
</span><span class="cx"> fixEdge<CellUse>(node->child1());
</span><del>- insertStoreBarrier(m_indexInBlock, node->child1());
</del><ins>+ insertStoreBarrier(m_indexInBlock, node->child1(), node->child2());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1635,11 +1662,58 @@
</span><span class="cx"> edge.setUseKind(useKind);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void insertStoreBarrier(unsigned indexInBlock, Edge child1)
</del><ins>+ void insertStoreBarrier(unsigned indexInBlock, Edge base, Edge value = Edge())
</ins><span class="cx"> {
</span><del>- Node* barrierNode = m_graph.addNode(SpecNone, StoreBarrier, m_currentNode->origin, child1);
- m_insertionSet.insert(indexInBlock, barrierNode);
</del><ins>+ if (!!value) {
+ if (value->shouldSpeculateInt32()) {
+ insertCheck<Int32Use>(indexInBlock, value.node());
+ return;
+ }
+
+ if (value->shouldSpeculateBoolean()) {
+ insertCheck<BooleanUse>(indexInBlock, value.node());
+ return;
+ }
+
+ if (value->shouldSpeculateOther()) {
+ insertCheck<OtherUse>(indexInBlock, value.node());
+ return;
+ }
+
+ if (value->shouldSpeculateNumber()) {
+ insertCheck<NumberUse>(indexInBlock, value.node());
+ return;
+ }
+
+ if (value->shouldSpeculateNotCell()) {
+ insertCheck<NotCellUse>(indexInBlock, value.node());
+ return;
+ }
+ }
+
+ m_insertionSet.insertNode(
+ indexInBlock, SpecNone, StoreBarrier, m_currentNode->origin, base);
</ins><span class="cx"> }
</span><ins>+
+ template<UseKind useKind>
+ void insertCheck(unsigned indexInBlock, Node* node)
+ {
+ observeUseKindOnNode<useKind>(node);
+ CodeOrigin& checkedNodeOrigin = node->origin.forExit;
+ CodeOrigin& currentNodeOrigin = m_currentNode->origin.forExit;
+ if (currentNodeOrigin == checkedNodeOrigin) {
+ // The checked node is within the same bytecode. Hence, the earliest
+ // position we can insert the check is right after the checked node.
+ indexInBlock = indexOfNode(node, indexInBlock) + 1;
+ } else {
+ // The checked node is from a preceding bytecode. Hence, the earliest
+ // position we can insert the check is at the start of the current
+ // bytecode.
+ indexInBlock = indexOfFirstNodeOfExitOrigin(currentNodeOrigin, indexInBlock);
+ }
+ m_insertionSet.insertOutOfOrderNode(
+ indexInBlock, SpecNone, Check, m_currentNode->origin, Edge(node, useKind));
+ }
</ins><span class="cx">
</span><span class="cx"> void fixIntConvertingEdge(Edge& edge)
</span><span class="cx"> {
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit26SourceJavaScriptCoredfgDFGInsertionSeth"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGInsertionSet.h (174933 => 174934)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGInsertionSet.h 2014-10-21 08:57:22 UTC (rev 174933)
+++ releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGInsertionSet.h 2014-10-21 09:08:41 UTC (rev 174934)
</span><span class="lines">@@ -114,6 +114,32 @@
</span><span class="cx"> return insertConstantForUse(index, NodeOrigin(origin), value, useKind);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ Node* insertOutOfOrder(const Insertion& insertion)
+ {
+ size_t targetIndex = insertion.index();
+ size_t entry = m_insertions.size();
+ while (entry) {
+ entry--;
+ if (m_insertions[entry].index() <= targetIndex) {
+ entry++;
+ break;
+ }
+ }
+ m_insertions.insert(entry, insertion);
+ return insertion.element();
+ }
+
+ Node* insertOutOfOrder(size_t index, Node* element)
+ {
+ return insertOutOfOrder(Insertion(index, element));
+ }
+
+ template<typename... Params>
+ Node* insertOutOfOrderNode(size_t index, SpeculatedType type, Params... params)
+ {
+ return insertOutOfOrder(index, m_graph.addNode(type, params...));
+ }
+
</ins><span class="cx"> void execute(BasicBlock* block)
</span><span class="cx"> {
</span><span class="cx"> executeInsertions(*block, m_insertions);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit26SourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGNode.h (174933 => 174934)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGNode.h 2014-10-21 08:57:22 UTC (rev 174933)
+++ releases/WebKitGTK/webkit-2.6/Source/JavaScriptCore/dfg/DFGNode.h 2014-10-21 09:08:41 UTC (rev 174934)
</span><span class="lines">@@ -1611,6 +1611,11 @@
</span><span class="cx"> return isCellSpeculation(prediction());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ bool shouldSpeculateNotCell()
+ {
+ return isNotCellSpeculation(prediction());
+ }
+
</ins><span class="cx"> static bool shouldSpeculateBoolean(Node* op1, Node* op2)
</span><span class="cx"> {
</span><span class="cx"> return op1->shouldSpeculateBoolean() && op2->shouldSpeculateBoolean();
</span></span></pre>
</div>
</div>
</body>
</html>