<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"

"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />

<title>[197549] trunk</title>

</head>

<body>

<style type="text/css"><!--

#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }

#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }

#msg dt:after { content:':';}

#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }

#msg dl a { font-weight: bold}

#msg dl a:link    { color:#fc3; }

#msg dl a:active  { color:#ff0; }

#msg dl a:visited { color:#cc6; }

h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }

#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }

#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }

#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }

#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }

#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }

#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }

#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }

#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }

#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }

#logmsg pre { background: #eee; padding: 1em; }

#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}

#logmsg dl { margin: 0; }

#logmsg dt { font-weight: bold; }

#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }

#logmsg dd:before { content:'\00bb';}

#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }

#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }

#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }

#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }

#logmsg table th.Corner { text-align: left; }

#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }

#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }

#patch { width: 100%; }

#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}

#patch .propset h4, #patch .binary h4 {margin:0;}

#patch pre {padding:0;line-height:1.2em;margin:0;}

#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}

#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}

#patch span {display:block;padding:0 10px;}

#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}

#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}

#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}

#patch .lines, .info {color:#888;background:#fff;}

--></style>

<div id="msg">

<dl class="meta">

<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197549">197549</a></dd>

<dt>Author</dt> <dd>fpizlo@apple.com</dd>

<dt>Date</dt> <dd>2016-03-03 22:36:24 -0800 (Thu, 03 Mar 2016)</dd>

</dl>

<h3>Log Message</h3>

<pre>DFG/FTL should inline accesses to RegExpObject::m_lastIndex

https://bugs.webkit.org/show_bug.cgi?id=155003

Reviewed by Benjamin Poulain.

Source/JavaScriptCore:

The Octane/regexp benchmark sets RegExps' lastIndex a lot. I could imagine this being

something that people want to do. Right now, I'm not convinced that making the RegExp object

be more plain-JS would be a good idea considering that pretty much all uses of it will

require some special compiler magic. Also, it's good that this patch teaches the compiler

how to reason about lastIndex since some of my other plans for regexp involve having the

compiler treat more regexp stuff as intrinsic.

This is a smaller Octane/regexp speed-up than I hoped - maybe around 1%. It's an enormous

speed-up on the microbenchmarks attached to this patch.

* dfg/DFGAbstractHeap.h:

* dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):

* dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

* dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

* dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

* dfg/DFGHeapLocation.h:

* dfg/DFGNodeType.h:

* dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

* dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

* dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):

(JSC::DFG::SpeculativeJIT::compileGetRegExpObjectLastIndex):

(JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):

* dfg/DFGSpeculativeJIT.h:

* dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

* dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

* dfg/DFGStoreBarrierInsertionPhase.cpp:

* ftl/FTLAbstractHeapRepository.cpp:

* ftl/FTLAbstractHeapRepository.h:

* ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

* ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):

(JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):

(JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):

(JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):

(JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):

(JSC::FTL::DFG::LowerDFGToB3::lowObject):

(JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject):

(JSC::FTL::DFG::LowerDFGToB3::lowString):

* runtime/RegExpObject.h:

(JSC::RegExpObject::createStructure):

(JSC::RegExpObject::offsetOfLastIndex):

LayoutTests:

* js/regress/regexp-last-index-expected.txt: Added.

* js/regress/regexp-last-index.html: Added.

* js/regress/regexp-set-last-index-expected.txt: Added.

* js/regress/regexp-set-last-index.html: Added.

* js/regress/script-tests/regexp-last-index.js: Added.

* js/regress/script-tests/regexp-set-last-index.js: Added.</pre>

<h3>Modified Paths</h3>

<ul>

<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>

<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractHeaph">trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationcpp">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationh">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGStoreBarrierInsertionPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositorycpp">trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh">trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h</a></li>

<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpObjecth">trunk/Source/JavaScriptCore/runtime/RegExpObject.h</a></li>

</ul>

<h3>Added Paths</h3>

<ul>

<li><a href="#trunkLayoutTestsjsregressregexplastindexexpectedtxt">trunk/LayoutTests/js/regress/regexp-last-index-expected.txt</a></li>

<li><a href="#trunkLayoutTestsjsregressregexplastindexhtml">trunk/LayoutTests/js/regress/regexp-last-index.html</a></li>

<li><a href="#trunkLayoutTestsjsregressregexpsetlastindexexpectedtxt">trunk/LayoutTests/js/regress/regexp-set-last-index-expected.txt</a></li>

<li><a href="#trunkLayoutTestsjsregressregexpsetlastindexhtml">trunk/LayoutTests/js/regress/regexp-set-last-index.html</a></li>

<li><a href="#trunkLayoutTestsjsregressscripttestsregexplastindexjs">trunk/LayoutTests/js/regress/script-tests/regexp-last-index.js</a></li>

<li><a href="#trunkLayoutTestsjsregressscripttestsregexpsetlastindexjs">trunk/LayoutTests/js/regress/script-tests/regexp-set-last-index.js</a></li>

</ul>

</div>

<div id="patch">

<h3>Diff</h3>

<a id="trunkLayoutTestsChangeLog"></a>

<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/LayoutTests/ChangeLog        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/LayoutTests/ChangeLog        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -1,5 +1,19 @@

</span><span class="cx"> 2016-03-03  Filip Pizlo  &lt;fpizlo@apple.com&gt;

</span><span class="cx"> 

</span><ins>+        DFG/FTL should inline accesses to RegExpObject::m_lastIndex

+        https://bugs.webkit.org/show_bug.cgi?id=155003

+

+        Reviewed by Benjamin Poulain.

+

+        * js/regress/regexp-last-index-expected.txt: Added.

+        * js/regress/regexp-last-index.html: Added.

+        * js/regress/regexp-set-last-index-expected.txt: Added.

+        * js/regress/regexp-set-last-index.html: Added.

+        * js/regress/script-tests/regexp-last-index.js: Added.

+        * js/regress/script-tests/regexp-set-last-index.js: Added.

+

+2016-03-03  Filip Pizlo  &lt;fpizlo@apple.com&gt;

+

</ins><span class="cx">         Unreviewed, remove test with flaky timeout that doesn't test anything anymore. This test

</span><span class="cx">         was relevant back when arguments got torn off; something that we don't do anymore. It

</span><span class="cx">         uses a loop that waits for the top-tier compiler to compile it. We don't write tests

</span></span></pre></div>

<a id="trunkLayoutTestsjsregressregexplastindexexpectedtxt"></a>

<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/regexp-last-index-expected.txt (0 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/LayoutTests/js/regress/regexp-last-index-expected.txt                                (rev 0)

+++ trunk/LayoutTests/js/regress/regexp-last-index-expected.txt        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -0,0 +1,10 @@

</span><ins>+JSRegress/regexp-last-index

+

+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.

+

+

+PASS no exception thrown

+PASS successfullyParsed is true

+

+TEST COMPLETE

+

</ins></span></pre></div>

<a id="trunkLayoutTestsjsregressregexplastindexhtml"></a>

<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/regexp-last-index.html (0 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/LayoutTests/js/regress/regexp-last-index.html                                (rev 0)

+++ trunk/LayoutTests/js/regress/regexp-last-index.html        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -0,0 +1,12 @@

</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML//EN&quot;&gt;

+&lt;html&gt;

+&lt;head&gt;

+&lt;script src=&quot;../../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;

+&lt;/head&gt;

+&lt;body&gt;

+&lt;script src=&quot;../../resources/regress-pre.js&quot;&gt;&lt;/script&gt;

+&lt;script src=&quot;script-tests/regexp-last-index.js&quot;&gt;&lt;/script&gt;

+&lt;script src=&quot;../../resources/regress-post.js&quot;&gt;&lt;/script&gt;

+&lt;script src=&quot;../../resources/js-test-post.js&quot;&gt;&lt;/script&gt;

+&lt;/body&gt;

+&lt;/html&gt;

</ins></span></pre></div>

<a id="trunkLayoutTestsjsregressregexpsetlastindexexpectedtxt"></a>

<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/regexp-set-last-index-expected.txt (0 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/LayoutTests/js/regress/regexp-set-last-index-expected.txt                                (rev 0)

+++ trunk/LayoutTests/js/regress/regexp-set-last-index-expected.txt        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -0,0 +1,10 @@

</span><ins>+JSRegress/regexp-set-last-index

+

+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.

+

+

+PASS no exception thrown

+PASS successfullyParsed is true

+

+TEST COMPLETE

+

</ins></span></pre></div>

<a id="trunkLayoutTestsjsregressregexpsetlastindexhtml"></a>

<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/regexp-set-last-index.html (0 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/LayoutTests/js/regress/regexp-set-last-index.html                                (rev 0)

+++ trunk/LayoutTests/js/regress/regexp-set-last-index.html        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -0,0 +1,12 @@

</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML//EN&quot;&gt;

+&lt;html&gt;

+&lt;head&gt;

+&lt;script src=&quot;../../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;

+&lt;/head&gt;

+&lt;body&gt;

+&lt;script src=&quot;../../resources/regress-pre.js&quot;&gt;&lt;/script&gt;

+&lt;script src=&quot;script-tests/regexp-set-last-index.js&quot;&gt;&lt;/script&gt;

+&lt;script src=&quot;../../resources/regress-post.js&quot;&gt;&lt;/script&gt;

+&lt;script src=&quot;../../resources/js-test-post.js&quot;&gt;&lt;/script&gt;

+&lt;/body&gt;

+&lt;/html&gt;

</ins></span></pre></div>

<a id="trunkLayoutTestsjsregressscripttestsregexplastindexjs"></a>

<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/regexp-last-index.js (0 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/LayoutTests/js/regress/script-tests/regexp-last-index.js                                (rev 0)

+++ trunk/LayoutTests/js/regress/script-tests/regexp-last-index.js        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -0,0 +1,10 @@

</span><ins>+(function() {

+    var re = /foo/g;

+    re.exec(&quot;bar foo bar&quot;);

+    var result = 0;

+    var n = 10000000;

+    for (var i = 0; i &lt; n; ++i)

+        result += re.lastIndex;

+    if (result != 7 * n)

+        throw &quot;Error: bad result: &quot; + result;

+})();

</ins></span></pre></div>

<a id="trunkLayoutTestsjsregressscripttestsregexpsetlastindexjs"></a>

<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/regexp-set-last-index.js (0 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/LayoutTests/js/regress/script-tests/regexp-set-last-index.js                                (rev 0)

+++ trunk/LayoutTests/js/regress/script-tests/regexp-set-last-index.js        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -0,0 +1,9 @@

</span><ins>+(function() {

+    var re = /foo/g;

+    var n = 10000000;

+    for (var i = 0; i &lt; n; ++i)

+        re.lastIndex = 5;

+    re.exec(&quot;foo bar foo&quot;);

+    if (re.lastIndex != &quot;foo bar foo&quot;.length)

+        throw &quot;Error: bad value of lastIndx: &quot; + re.lastIndex;

+})();

</ins></span></pre></div>

<a id="trunkSourceJavaScriptCoreChangeLog"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/ChangeLog        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -1,3 +1,62 @@

</span><ins>+2016-03-03  Filip Pizlo  &lt;fpizlo@apple.com&gt;

+

+        DFG/FTL should inline accesses to RegExpObject::m_lastIndex

+        https://bugs.webkit.org/show_bug.cgi?id=155003

+

+        Reviewed by Benjamin Poulain.

+

+        The Octane/regexp benchmark sets RegExps' lastIndex a lot. I could imagine this being

+        something that people want to do. Right now, I'm not convinced that making the RegExp object

+        be more plain-JS would be a good idea considering that pretty much all uses of it will

+        require some special compiler magic. Also, it's good that this patch teaches the compiler

+        how to reason about lastIndex since some of my other plans for regexp involve having the

+        compiler treat more regexp stuff as intrinsic.

+

+        This is a smaller Octane/regexp speed-up than I hoped - maybe around 1%. It's an enormous

+        speed-up on the microbenchmarks attached to this patch.

+

+        * dfg/DFGAbstractHeap.h:

+        * dfg/DFGAbstractInterpreterInlines.h:

+        (JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):

+        * dfg/DFGClobberize.h:

+        (JSC::DFG::clobberize):

+        * dfg/DFGDoesGC.cpp:

+        (JSC::DFG::doesGC):

+        * dfg/DFGFixupPhase.cpp:

+        (JSC::DFG::FixupPhase::fixupNode):

+        * dfg/DFGHeapLocation.h:

+        * dfg/DFGNodeType.h:

+        * dfg/DFGPredictionPropagationPhase.cpp:

+        (JSC::DFG::PredictionPropagationPhase::propagate):

+        * dfg/DFGSafeToExecute.h:

+        (JSC::DFG::safeToExecute):

+        * dfg/DFGSpeculativeJIT.cpp:

+        (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):

+        (JSC::DFG::SpeculativeJIT::compileGetRegExpObjectLastIndex):

+        (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):

+        * dfg/DFGSpeculativeJIT.h:

+        * dfg/DFGSpeculativeJIT32_64.cpp:

+        (JSC::DFG::SpeculativeJIT::compile):

+        * dfg/DFGSpeculativeJIT64.cpp:

+        (JSC::DFG::SpeculativeJIT::compile):

+        * dfg/DFGStoreBarrierInsertionPhase.cpp:

+        * ftl/FTLAbstractHeapRepository.cpp:

+        * ftl/FTLAbstractHeapRepository.h:

+        * ftl/FTLCapabilities.cpp:

+        (JSC::FTL::canCompile):

+        * ftl/FTLLowerDFGToB3.cpp:

+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):

+        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):

+        (JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):

+        (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):

+        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):

+        (JSC::FTL::DFG::LowerDFGToB3::lowObject):

+        (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject):

+        (JSC::FTL::DFG::LowerDFGToB3::lowString):

+        * runtime/RegExpObject.h:

+        (JSC::RegExpObject::createStructure):

+        (JSC::RegExpObject::offsetOfLastIndex):

+

</ins><span class="cx"> 2016-03-03  Chris Dumez  &lt;cdumez@apple.com&gt;

</span><span class="cx"> 

</span><span class="cx">         Regression(r196770): Unable to use HipChat Mac app

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGAbstractHeaph"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -1,5 +1,5 @@

</span><span class="cx"> /*

</span><del>- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.

</del><ins>+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.

</ins><span class="cx">  *

</span><span class="cx">  * Redistribution and use in source and binary forms, with or without

</span><span class="cx">  * modification, are permitted provided that the following conditions

</span><span class="lines">@@ -58,6 +58,7 @@

</span><span class="cx">     macro(JSCell_typeInfoType) \

</span><span class="cx">     macro(JSObject_butterfly) \

</span><span class="cx">     macro(JSPropertyNameEnumerator_cachedPropertyNames) \

</span><ins>+    macro(RegExpObject_lastIndex) \

</ins><span class="cx">     macro(NamedProperties) \

</span><span class="cx">     macro(IndexedInt32Properties) \

</span><span class="cx">     macro(IndexedDoubleProperties) \

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -1882,6 +1882,13 @@

</span><span class="cx">             

</span><span class="cx">     case PutClosureVar:

</span><span class="cx">         break;

</span><ins>+

+    case GetRegExpObjectLastIndex:

+        forNode(node).makeHeapTop();

+        break;

+

+    case SetRegExpObjectLastIndex:

+        break;

</ins><span class="cx">         

</span><span class="cx">     case GetFromArguments:

</span><span class="cx">         forNode(node).makeHeapTop();

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -908,6 +908,16 @@

</span><span class="cx">         write(AbstractHeap(ScopeProperties, node-&gt;scopeOffset().offset()));

</span><span class="cx">         def(HeapLocation(ClosureVariableLoc, AbstractHeap(ScopeProperties, node-&gt;scopeOffset().offset()), node-&gt;child1()), LazyNode(node-&gt;child2().node()));

</span><span class="cx">         return;

</span><ins>+

+    case GetRegExpObjectLastIndex:

+        read(RegExpObject_lastIndex);

+        def(HeapLocation(RegExpObjectLastIndexLoc, RegExpObject_lastIndex, node-&gt;child1()), LazyNode(node));

+        return;

+

+    case SetRegExpObjectLastIndex:

+        write(RegExpObject_lastIndex);

+        def(HeapLocation(RegExpObjectLastIndexLoc, RegExpObject_lastIndex, node-&gt;child1()), LazyNode(node-&gt;child2().node()));

+        return;

</ins><span class="cx">         

</span><span class="cx">     case GetFromArguments: {

</span><span class="cx">         AbstractHeap heap(DirectArgumentsProperties, node-&gt;capturedArgumentsOffset().offset());

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -113,6 +113,8 @@

</span><span class="cx">     case SkipScope:

</span><span class="cx">     case GetClosureVar:

</span><span class="cx">     case PutClosureVar:

</span><ins>+    case GetRegExpObjectLastIndex:

+    case SetRegExpObjectLastIndex:

</ins><span class="cx">     case GetGlobalVar:

</span><span class="cx">     case GetGlobalLexicalVariable:

</span><span class="cx">     case PutGlobalVariable:

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -1072,11 +1072,21 @@

</span><span class="cx">                 &amp;&amp; !m_graph.hasExitSite(node-&gt;origin.semantic, BadCache)

</span><span class="cx">                 &amp;&amp; !m_graph.hasExitSite(node-&gt;origin.semantic, BadIndexingType)

</span><span class="cx">                 &amp;&amp; !m_graph.hasExitSite(node-&gt;origin.semantic, ExoticObjectMode)) {

</span><ins>+                

</ins><span class="cx">                 auto uid = m_graph.identifiers()[node-&gt;identifierNumber()];

</span><ins>+                

</ins><span class="cx">                 if (uid == vm().propertyNames-&gt;length.impl()) {

</span><span class="cx">                     attemptToMakeGetArrayLength(node);

</span><span class="cx">                     break;

</span><span class="cx">                 }

</span><ins>+

+                if (uid == vm().propertyNames-&gt;lastIndex.impl()

+                    &amp;&amp; node-&gt;child1()-&gt;shouldSpeculateRegExpObject()) {

+                    node-&gt;setOp(GetRegExpObjectLastIndex);

+                    node-&gt;clearFlags(NodeMustGenerate);

+                    fixEdge&lt;RegExpObjectUse&gt;(node-&gt;child1());

+                    break;

+                }

</ins><span class="cx">             }

</span><span class="cx"> 

</span><span class="cx">             if (node-&gt;child1()-&gt;shouldSpeculateCell())

</span><span class="lines">@@ -1087,6 +1097,23 @@

</span><span class="cx">         case PutById:

</span><span class="cx">         case PutByIdFlush:

</span><span class="cx">         case PutByIdDirect: {

</span><ins>+            if (node-&gt;child1()-&gt;shouldSpeculateCellOrOther()

+                &amp;&amp; !m_graph.hasExitSite(node-&gt;origin.semantic, BadType)

+                &amp;&amp; !m_graph.hasExitSite(node-&gt;origin.semantic, BadCache)

+                &amp;&amp; !m_graph.hasExitSite(node-&gt;origin.semantic, BadIndexingType)

+                &amp;&amp; !m_graph.hasExitSite(node-&gt;origin.semantic, ExoticObjectMode)) {

+                

+                auto uid = m_graph.identifiers()[node-&gt;identifierNumber()];

+                

+                if (uid == vm().propertyNames-&gt;lastIndex.impl()

+                    &amp;&amp; node-&gt;child1()-&gt;shouldSpeculateRegExpObject()) {

+                    node-&gt;setOp(SetRegExpObjectLastIndex);

+                    fixEdge&lt;RegExpObjectUse&gt;(node-&gt;child1());

+                    speculateForBarrier(node-&gt;child2());

+                    break;

+                }

+            }

+            

</ins><span class="cx">             fixEdge&lt;CellUse&gt;(node-&gt;child1());

</span><span class="cx">             break;

</span><span class="cx">         }

</span><span class="lines">@@ -1267,6 +1294,8 @@

</span><span class="cx">         case KillStack:

</span><span class="cx">         case GetStack:

</span><span class="cx">         case StoreBarrier:

</span><ins>+        case GetRegExpObjectLastIndex:

+        case SetRegExpObjectLastIndex:

</ins><span class="cx">             // These are just nodes that we don't currently expect to see during fixup.

</span><span class="cx">             // If we ever wanted to insert them prior to fixup, then we just have to create

</span><span class="cx">             // fixup rules for them.

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationcpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -1,5 +1,5 @@

</span><span class="cx"> /*

</span><del>- * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.

</del><ins>+ * Copyright (C) 2014-2016 Apple Inc. All rights reserved.

</ins><span class="cx">  *

</span><span class="cx">  * Redistribution and use in source and binary forms, with or without

</span><span class="cx">  * modification, are permitted provided that the following conditions

</span><span class="lines">@@ -147,6 +147,10 @@

</span><span class="cx">     case StructureLoc:

</span><span class="cx">         out.print(&quot;StructureLoc&quot;);

</span><span class="cx">         return;

</span><ins>+

+    case RegExpObjectLastIndexLoc:

+        out.print(&quot;RegExpObjectLastIndexLoc&quot;);

+        return;

</ins><span class="cx">     }

</span><span class="cx">     

</span><span class="cx">     RELEASE_ASSERT_NOT_REACHED();

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -1,5 +1,5 @@

</span><span class="cx"> /*

</span><del>- * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.

</del><ins>+ * Copyright (C) 2014-2016 Apple Inc. All rights reserved.

</ins><span class="cx">  *

</span><span class="cx">  * Redistribution and use in source and binary forms, with or without

</span><span class="cx">  * modification, are permitted provided that the following conditions

</span><span class="lines">@@ -54,6 +54,7 @@

</span><span class="cx">     IsFunctionLoc,

</span><span class="cx">     IsObjectOrNullLoc,

</span><span class="cx">     NamedPropertyLoc,

</span><ins>+    RegExpObjectLastIndexLoc,

</ins><span class="cx">     SetterLoc,

</span><span class="cx">     StructureLoc,

</span><span class="cx">     TypedArrayByteOffsetLoc,

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -219,6 +219,8 @@

</span><span class="cx">     macro(PutGlobalVariable, NodeMustGenerate) \

</span><span class="cx">     macro(NotifyWrite, NodeMustGenerate) \

</span><span class="cx">     macro(VarInjectionWatchpoint, NodeMustGenerate) \

</span><ins>+    macro(GetRegExpObjectLastIndex, NodeResultJS) \

+    macro(SetRegExpObjectLastIndex, NodeMustGenerate) \

</ins><span class="cx">     macro(CheckCell, NodeMustGenerate) \

</span><span class="cx">     macro(CheckNotEmpty, NodeMustGenerate) \

</span><span class="cx">     macro(CheckBadCell, NodeMustGenerate) \

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -665,7 +665,9 @@

</span><span class="cx">         case PutStack:

</span><span class="cx">         case KillStack:

</span><span class="cx">         case StoreBarrier:

</span><del>-        case GetStack: {

</del><ins>+        case GetStack:

+        case GetRegExpObjectLastIndex:

+        case SetRegExpObjectLastIndex: {

</ins><span class="cx">             // This node should never be visible at this stage of compilation. It is

</span><span class="cx">             // inserted by fixup(), which follows this phase.

</span><span class="cx">             DFG_CRASH(m_graph, node, &quot;Unexpected node during prediction propagation&quot;);

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -332,6 +332,8 @@

</span><span class="cx">     case ForwardVarargs:

</span><span class="cx">     case CopyRest:

</span><span class="cx">     case StringReplace:

</span><ins>+    case GetRegExpObjectLastIndex:

+    case SetRegExpObjectLastIndex:

</ins><span class="cx">         return true;

</span><span class="cx"> 

</span><span class="cx">     case BottomValue:

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -7518,6 +7518,33 @@

</span><span class="cx">     noResult(node);

</span><span class="cx"> }

</span><span class="cx"> 

</span><ins>+void SpeculativeJIT::compileGetRegExpObjectLastIndex(Node* node)

+{

+    SpeculateCellOperand regExp(this, node-&gt;child1());

+    JSValueRegsTemporary result(this);

+    GPRReg regExpGPR = regExp.gpr();

+    JSValueRegs resultRegs = result.regs();

+    speculateRegExpObject(node-&gt;child1(), regExpGPR);

+    m_jit.loadValue(JITCompiler::Address(regExpGPR, RegExpObject::offsetOfLastIndex()), resultRegs);

+    jsValueResult(resultRegs, node);

+}

+

+void SpeculativeJIT::compileSetRegExpObjectLastIndex(Node* node)

+{

+    SpeculateCellOperand regExp(this, node-&gt;child1());

+    JSValueOperand value(this, node-&gt;child2());

+    GPRReg regExpGPR = regExp.gpr();

+    JSValueRegs valueRegs = value.jsValueRegs();

+    speculateRegExpObject(node-&gt;child1(), regExpGPR);

+    speculationCheck(

+        ExoticObjectMode, JSValueRegs(), nullptr,

+        m_jit.branchTest8(

+            JITCompiler::Zero,

+            JITCompiler::Address(regExpGPR, RegExpObject::offsetOfLastIndexIsWritable())));

+    m_jit.storeValue(valueRegs, JITCompiler::Address(regExpGPR, RegExpObject::offsetOfLastIndex()));

+    noResult(node);

+}

+

</ins><span class="cx"> } } // namespace JSC::DFG

</span><span class="cx"> 

</span><span class="cx"> #endif

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -2333,6 +2333,8 @@

</span><span class="cx">     void compilePutAccessorById(Node*);

</span><span class="cx">     void compilePutGetterSetterById(Node*);

</span><span class="cx">     void compilePutAccessorByVal(Node*);

</span><ins>+    void compileGetRegExpObjectLastIndex(Node*);

+    void compileSetRegExpObjectLastIndex(Node*);

</ins><span class="cx">     

</span><span class="cx">     void moveTrueTo(GPRReg);

</span><span class="cx">     void moveFalseTo(GPRReg);

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -2970,7 +2970,17 @@

</span><span class="cx">         cellResult(resultPayload.gpr(), node);

</span><span class="cx">         break;

</span><span class="cx">     }

</span><ins>+

+    case GetRegExpObjectLastIndex: {

+        compileGetRegExpObjectLastIndex(node);

+        break;

+    }

</ins><span class="cx">         

</span><ins>+    case SetRegExpObjectLastIndex: {

+        compileSetRegExpObjectLastIndex(node);

+        break;

+    }

+        

</ins><span class="cx">     case ArrayPush: {

</span><span class="cx">         ASSERT(node-&gt;arrayMode().isJSArray());

</span><span class="cx">         

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -3088,6 +3088,16 @@

</span><span class="cx">         break;

</span><span class="cx">     }

</span><span class="cx">         

</span><ins>+    case GetRegExpObjectLastIndex: {

+        compileGetRegExpObjectLastIndex(node);

+        break;

+    }

+        

+    case SetRegExpObjectLastIndex: {

+        compileSetRegExpObjectLastIndex(node);

+        break;

+    }

+        

</ins><span class="cx">     case ArrayPush: {

</span><span class="cx">         ASSERT(node-&gt;arrayMode().isJSArray());

</span><span class="cx">         

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGStoreBarrierInsertionPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -1,5 +1,5 @@

</span><span class="cx"> /*

</del><ins>+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.

</ins><span class="cx">  *

</span><span class="cx">  * Redistribution and use in source and binary forms, with or without

</span><span class="cx">  * modification, are permitted provided that the following conditions

</span><span class="lines">@@ -260,6 +260,7 @@

</span><span class="cx">                 

</span><span class="cx">             case PutClosureVar:

</span><span class="cx">             case PutToArguments:

</span><ins>+            case SetRegExpObjectLastIndex:

</ins><span class="cx">             case MultiPutByOffset: {

</span><span class="cx">                 considerBarrier(m_node-&gt;child1(), m_node-&gt;child2());

</span><span class="cx">                 break;

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositorycpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -39,6 +39,7 @@

</span><span class="cx"> #include &quot;JSPropertyNameEnumerator.h&quot;

</span><span class="cx"> #include &quot;JSScope.h&quot;

</span><span class="cx"> #include &quot;JSCInlines.h&quot;

</span><ins>+#include &quot;RegExpObject.h&quot;

</ins><span class="cx"> #include &quot;ScopedArguments.h&quot;

</span><span class="cx"> #include &quot;ScopedArgumentsTable.h&quot;

</span><span class="cx"> 

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -77,6 +77,8 @@

</span><span class="cx">     macro(JSSymbolTableObject_symbolTable, JSSymbolTableObject::offsetOfSymbolTable()) \

</span><span class="cx">     macro(JSWrapperObject_internalValue, JSWrapperObject::internalValueOffset()) \

</span><span class="cx">     macro(MarkedAllocator_freeListHead, MarkedAllocator::offsetOfFreeListHead()) \

</span><ins>+    macro(RegExpObject_lastIndex, RegExpObject::offsetOfLastIndex()) \

+    macro(RegExpObject_lastIndexIsWritable, RegExpObject::offsetOfLastIndexIsWritable()) \

</ins><span class="cx">     macro(ScopedArguments_overrodeThings, ScopedArguments::offsetOfOverrodeThings()) \

</span><span class="cx">     macro(ScopedArguments_scope, ScopedArguments::offsetOfScope()) \

</span><span class="cx">     macro(ScopedArguments_table, ScopedArguments::offsetOfTable()) \

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -224,6 +224,8 @@

</span><span class="cx">     case RegExpTest:

</span><span class="cx">     case NewRegexp:

</span><span class="cx">     case StringReplace:

</span><ins>+    case GetRegExpObjectLastIndex:

+    case SetRegExpObjectLastIndex:

</ins><span class="cx">         // These are OK.

</span><span class="cx">         break;

</span><span class="cx"> 

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -926,6 +926,12 @@

</span><span class="cx">         case StringReplace:

</span><span class="cx">             compileStringReplace();

</span><span class="cx">             break;

</span><ins>+        case GetRegExpObjectLastIndex:

+            compileGetRegExpObjectLastIndex();

+            break;

+        case SetRegExpObjectLastIndex:

+            compileSetRegExpObjectLastIndex();

+            break;

</ins><span class="cx"> 

</span><span class="cx">         case PhantomLocal:

</span><span class="cx">         case LoopHint:

</span><span class="lines">@@ -6489,8 +6495,7 @@

</span><span class="cx">             if (JSString* replace = m_node-&gt;child3()-&gt;dynamicCastConstant&lt;JSString*&gt;()) {

</span><span class="cx">                 if (!replace-&gt;length()) {

</span><span class="cx">                     LValue string = lowString(m_node-&gt;child1());

</span><del>-                    LValue regExp = lowCell(m_node-&gt;child2());

-                    speculateRegExpObject(m_node-&gt;child2(), regExp);

</del><ins>+                    LValue regExp = lowRegExpObject(m_node-&gt;child2());

</ins><span class="cx"> 

</span><span class="cx">                     LValue result = vmCall(

</span><span class="cx">                         Int64, m_out.operation(operationStringProtoFuncReplaceRegExpEmptyStr),

</span><span class="lines">@@ -6502,8 +6507,7 @@

</span><span class="cx">             }

</span><span class="cx">             

</span><span class="cx">             LValue string = lowString(m_node-&gt;child1());

</span><del>-            LValue regExp = lowCell(m_node-&gt;child2());

-            speculateRegExpObject(m_node-&gt;child2(), regExp);

</del><ins>+            LValue regExp = lowRegExpObject(m_node-&gt;child2());

</ins><span class="cx">             LValue replace = lowString(m_node-&gt;child3());

</span><span class="cx"> 

</span><span class="cx">             LValue result = vmCall(

</span><span class="lines">@@ -6522,6 +6526,23 @@

</span><span class="cx">         setJSValue(result);

</span><span class="cx">     }

</span><span class="cx"> 

</span><ins>+    void compileGetRegExpObjectLastIndex()

+    {

+        setJSValue(m_out.load64(lowRegExpObject(m_node-&gt;child1()), m_heaps.RegExpObject_lastIndex));

+    }

+

+    void compileSetRegExpObjectLastIndex()

+    {

+        LValue regExp = lowRegExpObject(m_node-&gt;child1());

+        LValue value = lowJSValue(m_node-&gt;child2());

+

+        speculate(

+            ExoticObjectMode, noValue(), nullptr,

+            m_out.isZero32(m_out.load8ZeroExt32(regExp, m_heaps.RegExpObject_lastIndexIsWritable)));

+        

+        m_out.store64(value, regExp, m_heaps.RegExpObject_lastIndex);

+    }

+

</ins><span class="cx">     LValue didOverflowStack()

</span><span class="cx">     {

</span><span class="cx">         // This does a very simple leaf function analysis. The invariant of FTL call

</span><span class="lines">@@ -8925,6 +8946,13 @@

</span><span class="cx">         speculateObject(edge, result);

</span><span class="cx">         return result;

</span><span class="cx">     }

</span><ins>+

+    LValue lowRegExpObject(Edge edge)

+    {

+        LValue result = lowCell(edge);

+        speculateRegExpObject(edge, result);

+        return result;

+    }

</ins><span class="cx">     

</span><span class="cx">     LValue lowString(Edge edge, OperandSpeculationMode mode = AutomaticOperandSpeculation)

</span><span class="cx">     {

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreruntimeRegExpObjecth"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpObject.h (197548 => 197549)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpObject.h        2016-03-04 06:00:02 UTC (rev 197548)

+++ trunk/Source/JavaScriptCore/runtime/RegExpObject.h        2016-03-04 06:36:24 UTC (rev 197549)

</span><span class="lines">@@ -74,6 +74,16 @@

</span><span class="cx">         return Structure::create(vm, globalObject, prototype, TypeInfo(RegExpObjectType, StructureFlags), info());

</span><span class="cx">     }

</span><span class="cx"> 

</span><ins>+    static ptrdiff_t offsetOfLastIndex()

+    {

+        return OBJECT_OFFSETOF(RegExpObject, m_lastIndex);

+    }

+

+    static ptrdiff_t offsetOfLastIndexIsWritable()

+    {

+        return OBJECT_OFFSETOF(RegExpObject, m_lastIndexIsWritable);

+    }

+

</ins><span class="cx"> protected:

</span><span class="cx">     JS_EXPORT_PRIVATE RegExpObject(VM&amp;, Structure*, RegExp*);

</span><span class="cx">     JS_EXPORT_PRIVATE void finishCreation(VM&amp;);

</span></span></pre>

</div>

</div>

</body>

</html>