<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197679] releases/WebKitGTK/webkit-2.12</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197679">197679</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-07 04:12:38 -0800 (Mon, 07 Mar 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/197408">r197408</a> - Turn String.prototype.replace into an intrinsic
https://bugs.webkit.org/show_bug.cgi?id=154835
Reviewed by Michael Saboff.
Source/JavaScriptCore:
Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
of checks to see if the parameters are what they are likely to often be (a string, a
regexp, and a string). The intuition of this patch is that it's good to remove those checks
and it's good to call the native function as directly as possible.
This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
It also improves Octane/jquery.
This is only the beginning of what I want to do with replace optimizations. The other
optimizations will rely on StringReplace being revealed as a construct in DFG IR.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromClassInfo):
* bytecode/SpeculatedType.h:
(JSC::isStringOrStringObjectSpeculation):
(JSC::isRegExpObjectSpeculation):
(JSC::isBoolInt32Speculation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateStringOrStringObject):
(JSC::DFG::Node::shouldSpeculateRegExpObject):
(JSC::DFG::Node::shouldSpeculateSymbol):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateFinalObject):
(JSC::DFG::SpeculativeJIT::speculateRegExpObject):
(JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
(JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
(JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
(JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
(JSC::FTL::DFG::LowerDFGToB3::speculateString):
* jit/JITOperations.h:
* runtime/Intrinsic.h:
* runtime/JSType.h:
* runtime/RegExpObject.h:
(JSC::RegExpObject::createStructure):
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::removeUsingRegExpSearch):
(JSC::replaceUsingRegExpSearch):
(JSC::operationStringProtoFuncReplaceRegExpString):
(JSC::replaceUsingStringSearch):
(JSC::stringProtoFuncRepeat):
(JSC::replace):
(JSC::stringProtoFuncReplace):
(JSC::operationStringProtoFuncReplaceGeneric):
(JSC::stringProtoFuncToString):
* runtime/StringPrototype.h:
LayoutTests:
* js/regress/script-tests/string-replace.js: Added.
* js/regress/string-replace-expected.txt: Added.
* js/regress/string-replace.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCorebytecodeSpeculatedTypecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/bytecode/SpeculatedType.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCorebytecodeSpeculatedTypeh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/bytecode/SpeculatedType.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGByteCodeParsercpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGClobberizeh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGDoesGCcpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGFixupPhasecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGNodeh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGNodeTypeh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSafeToExecuteh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJITcpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJITh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGUseKindcpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGUseKind.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGUseKindh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGUseKind.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreftlFTLCapabilitiescpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreftlFTLLowerDFGToB3cpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCorejitJITOperationsh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeIntrinsich">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Intrinsic.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSTypeh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSType.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpObjecth">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStringPrototypecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStringPrototypeh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsjsregressscripttestsstringreplacejs">releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/script-tests/string-replace.js</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsjsregressstringreplaceexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/string-replace-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsjsregressstringreplacehtml">releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/string-replace.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit212LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2016-02-29 Filip Pizlo <fpizlo@apple.com>
+
+ Turn String.prototype.replace into an intrinsic
+ https://bugs.webkit.org/show_bug.cgi?id=154835
+
+ Reviewed by Michael Saboff.
+
+ * js/regress/script-tests/string-replace.js: Added.
+ * js/regress/string-replace-expected.txt: Added.
+ * js/regress/string-replace.html: Added.
+
</ins><span class="cx"> 2016-02-28 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> B3 should have global store elimination
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsjsregressscripttestsstringreplacejs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/script-tests/string-replace.js (0 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/script-tests/string-replace.js (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/script-tests/string-replace.js 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+(function() {
+ var result;
+ for (var i = 0; i < 400000; ++i) {
+ result = "foo".replace(/f/, "b");
+ }
+ if (result != "boo")
+ throw "Error: bad result: "+ result;
+})();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsjsregressstringreplaceexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/string-replace-expected.txt (0 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/string-replace-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/string-replace-expected.txt 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/string-replace
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsjsregressstringreplacehtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/string-replace.html (0 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/string-replace.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/string-replace.html 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/string-replace.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,96 @@
</span><span class="cx"> 2016-02-29 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><ins>+ Turn String.prototype.replace into an intrinsic
+ https://bugs.webkit.org/show_bug.cgi?id=154835
+
+ Reviewed by Michael Saboff.
+
+ Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
+ of checks to see if the parameters are what they are likely to often be (a string, a
+ regexp, and a string). The intuition of this patch is that it's good to remove those checks
+ and it's good to call the native function as directly as possible.
+
+ This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
+ It also improves Octane/jquery.
+
+ This is only the beginning of what I want to do with replace optimizations. The other
+ optimizations will rely on StringReplace being revealed as a construct in DFG IR.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/SpeculatedType.cpp:
+ (JSC::dumpSpeculation):
+ (JSC::speculationToAbbreviatedString):
+ (JSC::speculationFromClassInfo):
+ * bytecode/SpeculatedType.h:
+ (JSC::isStringOrStringObjectSpeculation):
+ (JSC::isRegExpObjectSpeculation):
+ (JSC::isBoolInt32Speculation):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
+ (JSC::DFG::Node::shouldSpeculateRegExpObject):
+ (JSC::DFG::Node::shouldSpeculateSymbol):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateFinalObject):
+ (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
+ (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::isCell):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
+ (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateString):
+ * jit/JITOperations.h:
+ * runtime/Intrinsic.h:
+ * runtime/JSType.h:
+ * runtime/RegExpObject.h:
+ (JSC::RegExpObject::createStructure):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+ (JSC::removeUsingRegExpSearch):
+ (JSC::replaceUsingRegExpSearch):
+ (JSC::operationStringProtoFuncReplaceRegExpString):
+ (JSC::replaceUsingStringSearch):
+ (JSC::stringProtoFuncRepeat):
+ (JSC::replace):
+ (JSC::stringProtoFuncReplace):
+ (JSC::operationStringProtoFuncReplaceGeneric):
+ (JSC::stringProtoFuncToString):
+ * runtime/StringPrototype.h:
+
+2016-02-29 Filip Pizlo <fpizlo@apple.com>
+
</ins><span class="cx"> regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=154841
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -154,7 +154,7 @@
</span><span class="cx"> 0F24E54317EA9F5900ABB217 /* FPRInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F24E53E17EA9F5900ABB217 /* FPRInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F24E54417EA9F5900ABB217 /* GPRInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F24E53F17EA9F5900ABB217 /* GPRInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F24E54C17EE274900ABB217 /* JITOperations.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F24E54517EE274900ABB217 /* JITOperations.cpp */; };
</span><del>- 0F24E54D17EE274900ABB217 /* JITOperations.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F24E54617EE274900ABB217 /* JITOperations.h */; };
</del><ins>+ 0F24E54D17EE274900ABB217 /* JITOperations.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F24E54617EE274900ABB217 /* JITOperations.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F24E54F17EE274900ABB217 /* TempRegisterSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F24E54817EE274900ABB217 /* TempRegisterSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F24E55017EE274900ABB217 /* Repatch.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F24E54917EE274900ABB217 /* Repatch.cpp */; };
</span><span class="cx"> 0F24E55117EE274900ABB217 /* Repatch.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F24E54A17EE274900ABB217 /* Repatch.h */; };
</span><span class="lines">@@ -403,7 +403,7 @@
</span><span class="cx"> 0F5A52D017ADD717008ECB2D /* CopyToken.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5A52CF17ADD717008ECB2D /* CopyToken.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F5A6283188C98D40072C9DF /* FTLValueRange.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F5A6281188C98D40072C9DF /* FTLValueRange.cpp */; };
</span><span class="cx"> 0F5A6284188C98D40072C9DF /* FTLValueRange.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5A6282188C98D40072C9DF /* FTLValueRange.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><del>- 0F5B4A331C84F0D600F1B17E /* SlowPathReturnType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5B4A321C84F0D600F1B17E /* SlowPathReturnType.h */; };
</del><ins>+ 0F5B4A331C84F0D600F1B17E /* SlowPathReturnType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5B4A321C84F0D600F1B17E /* SlowPathReturnType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F5D085D1B8CF99D001143B4 /* DFGNodeOrigin.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F5D085C1B8CF99D001143B4 /* DFGNodeOrigin.cpp */; };
</span><span class="cx"> 0F5EF91E16878F7A003E5C25 /* JITThunks.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F5EF91B16878F78003E5C25 /* JITThunks.cpp */; };
</span><span class="cx"> 0F5EF91F16878F7D003E5C25 /* JITThunks.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5EF91C16878F78003E5C25 /* JITThunks.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCorebytecodeSpeculatedTypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/bytecode/SpeculatedType.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/bytecode/SpeculatedType.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/bytecode/SpeculatedType.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2013, 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2013, 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -141,6 +141,11 @@
</span><span class="cx"> myOut.print("Stringobject");
</span><span class="cx"> else
</span><span class="cx"> isTop = false;
</span><ins>+
+ if (value & SpecRegExpObject)
+ myOut.print("Regexpobject");
+ else
+ isTop = false;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if ((value & SpecString) == SpecString)
</span><span class="lines">@@ -257,6 +262,8 @@
</span><span class="cx"> return "<ScopedArguments>";
</span><span class="cx"> if (isStringObjectSpeculation(prediction))
</span><span class="cx"> return "<StringObject>";
</span><ins>+ if (isRegExpObjectSpeculation(prediction))
+ return "<RegExpObject>";
</ins><span class="cx"> if (isStringOrStringObjectSpeculation(prediction))
</span><span class="cx"> return "<StringOrStringObject>";
</span><span class="cx"> if (isObjectSpeculation(prediction))
</span><span class="lines">@@ -336,6 +343,9 @@
</span><span class="cx">
</span><span class="cx"> if (classInfo == StringObject::info())
</span><span class="cx"> return SpecStringObject;
</span><ins>+
+ if (classInfo == RegExpObject::info())
+ return SpecRegExpObject;
</ins><span class="cx">
</span><span class="cx"> if (classInfo->isSubClassOf(JSFunction::info()))
</span><span class="cx"> return SpecFunction;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCorebytecodeSpeculatedTypeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/bytecode/SpeculatedType.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/bytecode/SpeculatedType.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/bytecode/SpeculatedType.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -55,25 +55,26 @@
</span><span class="cx"> static const SpeculatedType SpecDirectArguments = 1u << 12; // It's definitely a DirectArguments object.
</span><span class="cx"> static const SpeculatedType SpecScopedArguments = 1u << 13; // It's definitely a ScopedArguments object.
</span><span class="cx"> static const SpeculatedType SpecStringObject = 1u << 14; // It's definitely a StringObject.
</span><del>-static const SpeculatedType SpecObjectOther = 1u << 15; // It's definitely an object but not JSFinalObject, JSArray, or JSFunction.
-static const SpeculatedType SpecObject = SpecFinalObject | SpecArray | SpecFunction | SpecTypedArrayView | SpecDirectArguments | SpecScopedArguments | SpecStringObject | SpecObjectOther; // Bitmask used for testing for any kind of object prediction.
-static const SpeculatedType SpecStringIdent = 1u << 16; // It's definitely a JSString, and it's an identifier.
-static const SpeculatedType SpecStringVar = 1u << 17; // It's definitely a JSString, and it's not an identifier.
</del><ins>+static const SpeculatedType SpecRegExpObject = 1u << 15; // It's definitely a RegExpObject (and not any subclass of RegExpObject).
+static const SpeculatedType SpecObjectOther = 1u << 16; // It's definitely an object but not JSFinalObject, JSArray, or JSFunction.
+static const SpeculatedType SpecObject = SpecFinalObject | SpecArray | SpecFunction | SpecTypedArrayView | SpecDirectArguments | SpecScopedArguments | SpecStringObject | SpecRegExpObject | SpecObjectOther; // Bitmask used for testing for any kind of object prediction.
+static const SpeculatedType SpecStringIdent = 1u << 17; // It's definitely a JSString, and it's an identifier.
+static const SpeculatedType SpecStringVar = 1u << 18; // It's definitely a JSString, and it's not an identifier.
</ins><span class="cx"> static const SpeculatedType SpecString = SpecStringIdent | SpecStringVar; // It's definitely a JSString.
</span><del>-static const SpeculatedType SpecSymbol = 1u << 18; // It's definitely a Symbol.
-static const SpeculatedType SpecCellOther = 1u << 19; // It's definitely a JSCell but not a subclass of JSObject and definitely not a JSString or a Symbol. FIXME: This shouldn't be part of heap-top or bytecode-top. https://bugs.webkit.org/show_bug.cgi?id=133078
</del><ins>+static const SpeculatedType SpecSymbol = 1u << 19; // It's definitely a Symbol.
+static const SpeculatedType SpecCellOther = 1u << 20; // It's definitely a JSCell but not a subclass of JSObject and definitely not a JSString or a Symbol. FIXME: This shouldn't be part of heap-top or bytecode-top. https://bugs.webkit.org/show_bug.cgi?id=133078
</ins><span class="cx"> static const SpeculatedType SpecCell = SpecObject | SpecString | SpecSymbol | SpecCellOther; // It's definitely a JSCell.
</span><del>-static const SpeculatedType SpecBoolInt32 = 1u << 20; // It's definitely an Int32 with value 0 or 1.
-static const SpeculatedType SpecNonBoolInt32 = 1u << 21; // It's definitely an Int32 with value other than 0 or 1.
</del><ins>+static const SpeculatedType SpecBoolInt32 = 1u << 21; // It's definitely an Int32 with value 0 or 1.
+static const SpeculatedType SpecNonBoolInt32 = 1u << 22; // It's definitely an Int32 with value other than 0 or 1.
</ins><span class="cx"> static const SpeculatedType SpecInt32 = SpecBoolInt32 | SpecNonBoolInt32; // It's definitely an Int32.
</span><del>-static const SpeculatedType SpecInt52 = 1u << 22; // It's definitely an Int52 and we intend it to unbox it.
</del><ins>+static const SpeculatedType SpecInt52 = 1u << 23; // It's definitely an Int52 and we intend it to unbox it.
</ins><span class="cx"> static const SpeculatedType SpecMachineInt = SpecInt32 | SpecInt52; // It's something that we can do machine int arithmetic on.
</span><del>-static const SpeculatedType SpecInt52AsDouble = 1u << 23; // It's definitely an Int52 and it's inside a double.
</del><ins>+static const SpeculatedType SpecInt52AsDouble = 1u << 24; // It's definitely an Int52 and it's inside a double.
</ins><span class="cx"> static const SpeculatedType SpecInteger = SpecMachineInt | SpecInt52AsDouble; // It's definitely some kind of integer.
</span><del>-static const SpeculatedType SpecNonIntAsDouble = 1u << 24; // It's definitely not an Int52 but it's a real number and it's a double.
</del><ins>+static const SpeculatedType SpecNonIntAsDouble = 1u << 25; // It's definitely not an Int52 but it's a real number and it's a double.
</ins><span class="cx"> static const SpeculatedType SpecDoubleReal = SpecNonIntAsDouble | SpecInt52AsDouble; // It's definitely a non-NaN double.
</span><del>-static const SpeculatedType SpecDoublePureNaN = 1u << 25; // It's definitely a NaN that is sae to tag (i.e. pure).
-static const SpeculatedType SpecDoubleImpureNaN = 1u << 26; // It's definitely a NaN that is unsafe to tag (i.e. impure).
</del><ins>+static const SpeculatedType SpecDoublePureNaN = 1u << 26; // It's definitely a NaN that is sae to tag (i.e. pure).
+static const SpeculatedType SpecDoubleImpureNaN = 1u << 27; // It's definitely a NaN that is unsafe to tag (i.e. impure).
</ins><span class="cx"> static const SpeculatedType SpecDoubleNaN = SpecDoublePureNaN | SpecDoubleImpureNaN; // It's definitely some kind of NaN.
</span><span class="cx"> static const SpeculatedType SpecBytecodeDouble = SpecDoubleReal | SpecDoublePureNaN; // It's either a non-NaN or a NaN double, but it's definitely not impure NaN.
</span><span class="cx"> static const SpeculatedType SpecFullDouble = SpecDoubleReal | SpecDoubleNaN; // It's either a non-NaN or a NaN double.
</span><span class="lines">@@ -81,12 +82,12 @@
</span><span class="cx"> static const SpeculatedType SpecFullRealNumber = SpecMachineInt | SpecDoubleReal; // It's either an Int32 or a DoubleReal, or a Int52.
</span><span class="cx"> static const SpeculatedType SpecBytecodeNumber = SpecInt32 | SpecBytecodeDouble; // It's either an Int32 or a Double, and the Double cannot be an impure NaN.
</span><span class="cx"> static const SpeculatedType SpecFullNumber = SpecMachineInt | SpecFullDouble; // It's either an Int32, Int52, or a Double, and the Double can be impure NaN.
</span><del>-static const SpeculatedType SpecBoolean = 1u << 27; // It's definitely a Boolean.
-static const SpeculatedType SpecOther = 1u << 28; // It's definitely either Null or Undefined.
</del><ins>+static const SpeculatedType SpecBoolean = 1u << 28; // It's definitely a Boolean.
+static const SpeculatedType SpecOther = 1u << 29; // It's definitely either Null or Undefined.
</ins><span class="cx"> static const SpeculatedType SpecMisc = SpecBoolean | SpecOther; // It's definitely either a boolean, Null, or Undefined.
</span><span class="cx"> static const SpeculatedType SpecHeapTop = SpecCell | SpecBytecodeNumber | SpecMisc; // It can be any of the above, except for SpecInt52 and SpecDoubleImpureNaN.
</span><del>-static const SpeculatedType SpecPrimitive = SpecString | SpecSymbol | SpecBytecodeNumber | SpecMisc; // It's any non-Object JSValue. This is (~SpecObject & SpecHeapTop)
-static const SpeculatedType SpecEmpty = 1u << 29; // It's definitely an empty value marker.
</del><ins>+static const SpeculatedType SpecPrimitive = SpecString | SpecSymbol | SpecBytecodeNumber | SpecMisc; // It's any non-Object JSValue.
+static const SpeculatedType SpecEmpty = 1u << 30; // It's definitely an empty value marker.
</ins><span class="cx"> static const SpeculatedType SpecBytecodeTop = SpecHeapTop | SpecEmpty; // It can be any of the above, except for SpecInt52 and SpecDoubleImpureNaN. Corresponds to what could be found in a bytecode local.
</span><span class="cx"> static const SpeculatedType SpecFullTop = SpecBytecodeTop | SpecFullNumber; // It can be anything that bytecode could see plus exotic encodings of numbers.
</span><span class="cx">
</span><span class="lines">@@ -265,6 +266,11 @@
</span><span class="cx"> return !!value && !(value & ~(SpecString | SpecStringObject));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+inline bool isRegExpObjectSpeculation(SpeculatedType value)
+{
+ return value == SpecRegExpObject;
+}
+
</ins><span class="cx"> inline bool isBoolInt32Speculation(SpeculatedType value)
</span><span class="cx"> {
</span><span class="cx"> return value == SpecBoolInt32;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -1561,6 +1561,16 @@
</span><span class="cx"> forNode(node).setType(SpecBoolean);
</span><span class="cx"> break;
</span><span class="cx">
</span><ins>+ case StringReplace:
+ if (node->child1().useKind() == StringUse
+ && node->child2().useKind() == RegExpObjectUse
+ && node->child3().useKind() == StringUse) {
+ // This doesn't clobber the world. It just reads and writes regexp state.
+ } else
+ clobberWorld(node->origin.semantic, clobberLimit);
+ forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
+ break;
+
</ins><span class="cx"> case Jump:
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -1693,7 +1703,7 @@
</span><span class="cx"> m_graph.globalObjectFor(node->origin.semantic)->typedArrayStructure(
</span><span class="cx"> node->typedArrayType()));
</span><span class="cx"> break;
</span><del>-
</del><ins>+
</ins><span class="cx"> case NewRegexp:
</span><span class="cx"> forNode(node).set(m_graph, m_graph.globalObjectFor(node->origin.semantic)->regExpStructure());
</span><span class="cx"> break;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -2188,6 +2188,23 @@
</span><span class="cx">
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><ins>+
+ case StringPrototypeReplaceIntrinsic: {
+ if (!isFTL(m_graph.m_plan.mode)) {
+ // This is a marginally profitable intrinsic. We've only the work to make it an
+ // intrinsic on the fourth tier.
+ return false;
+ }
+
+ if (argumentCountIncludingThis != 3)
+ return false;
+
+ insertChecks();
+ Node* result = addToGraph(StringReplace, OpInfo(0), OpInfo(prediction), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset)), get(virtualRegisterForArgument(2, registerOffset)));
+ set(VirtualRegister(resultOperand), result);
+ return true;
+ }
+
</ins><span class="cx"> case RoundIntrinsic:
</span><span class="cx"> case FloorIntrinsic:
</span><span class="cx"> case CeilIntrinsic: {
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGClobberize.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -1072,6 +1072,18 @@
</span><span class="cx"> write(RegExpState);
</span><span class="cx"> return;
</span><span class="cx">
</span><ins>+ case StringReplace:
+ if (node->child1().useKind() == StringUse
+ && node->child2().useKind() == RegExpObjectUse
+ && node->child3().useKind() == StringUse) {
+ read(RegExpState);
+ write(RegExpState);
+ return;
+ }
+ read(World);
+ write(Heap);
+ return;
+
</ins><span class="cx"> case StringCharAt:
</span><span class="cx"> if (node->arrayMode().isOutOfBounds()) {
</span><span class="cx"> read(World);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -262,6 +262,7 @@
</span><span class="cx"> case MaterializeNewObject:
</span><span class="cx"> case MaterializeCreateActivation:
</span><span class="cx"> case StrCat:
</span><ins>+ case StringReplace:
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> case MultiPutByOffset:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -883,6 +883,18 @@
</span><span class="cx"> fixEdge<CellUse>(node->child2());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><ins>+
+ case StringReplace: {
+ if (node->child1()->shouldSpeculateString()
+ && node->child2()->shouldSpeculateRegExpObject()
+ && node->child3()->shouldSpeculateString()) {
+ fixEdge<StringUse>(node->child1());
+ fixEdge<RegExpObjectUse>(node->child2());
+ fixEdge<StringUse>(node->child3());
+ break;
+ }
+ break;
+ }
</ins><span class="cx">
</span><span class="cx"> case Branch: {
</span><span class="cx"> if (node->child1()->shouldSpeculateBoolean()) {
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNode.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNode.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNode.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -1358,6 +1358,7 @@
</span><span class="cx"> case RegExpTest:
</span><span class="cx"> case GetGlobalVar:
</span><span class="cx"> case GetGlobalLexicalVariable:
</span><ins>+ case StringReplace:
</ins><span class="cx"> return true;
</span><span class="cx"> default:
</span><span class="cx"> return false;
</span><span class="lines">@@ -1966,6 +1967,11 @@
</span><span class="cx"> return isStringOrStringObjectSpeculation(prediction());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ bool shouldSpeculateRegExpObject()
+ {
+ return isRegExpObjectSpeculation(prediction());
+ }
+
</ins><span class="cx"> bool shouldSpeculateSymbol()
</span><span class="cx"> {
</span><span class="cx"> return isSymbolSpeculation(prediction());
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNodeType.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNodeType.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNodeType.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -233,6 +233,7 @@
</span><span class="cx"> /* Optimizations for regular expression matching. */\
</span><span class="cx"> macro(RegExpExec, NodeResultJS | NodeMustGenerate) \
</span><span class="cx"> macro(RegExpTest, NodeResultJS | NodeMustGenerate) \
</span><ins>+ macro(StringReplace, NodeResultJS | NodeMustGenerate) \
</ins><span class="cx"> \
</span><span class="cx"> /* Optimizations for string access */ \
</span><span class="cx"> macro(StringCharCodeAt, NodeResultInt32) \
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -177,6 +177,7 @@
</span><span class="cx"> case ArrayPush:
</span><span class="cx"> case RegExpExec:
</span><span class="cx"> case RegExpTest:
</span><ins>+ case StringReplace:
</ins><span class="cx"> case GetById:
</span><span class="cx"> case GetByIdFlush:
</span><span class="cx"> case GetByOffset:
</span><span class="lines">@@ -572,7 +573,11 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case NewRegexp:
</del><ins>+ case NewRegexp: {
+ changed |= setPrediction(SpecRegExpObject);
+ break;
+ }
+
</ins><span class="cx"> case CreateActivation: {
</span><span class="cx"> changed |= setPrediction(SpecObjectOther);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -57,6 +57,7 @@
</span><span class="cx"> case ObjectUse:
</span><span class="cx"> case FunctionUse:
</span><span class="cx"> case FinalObjectUse:
</span><ins>+ case RegExpObjectUse:
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> case StringIdentUse:
</span><span class="cx"> case StringUse:
</span><span class="lines">@@ -330,6 +331,7 @@
</span><span class="cx"> case GetMyArgumentByVal:
</span><span class="cx"> case ForwardVarargs:
</span><span class="cx"> case CopyRest:
</span><ins>+ case StringReplace:
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> case BottomValue:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -6623,6 +6623,15 @@
</span><span class="cx"> speculateCellType(edge, operand.gpr(), SpecFinalObject, FinalObjectType);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void SpeculativeJIT::speculateRegExpObject(Edge edge)
+{
+ if (!needsTypeCheck(edge, SpecRegExpObject))
+ return;
+
+ SpeculateCellOperand operand(this, edge);
+ speculateCellType(edge, operand.gpr(), SpecRegExpObject, RegExpObjectType);
+}
+
</ins><span class="cx"> void SpeculativeJIT::speculateObjectOrOther(Edge edge)
</span><span class="cx"> {
</span><span class="cx"> if (!needsTypeCheck(edge, SpecObject | SpecOther))
</span><span class="lines">@@ -6886,6 +6895,9 @@
</span><span class="cx"> case FinalObjectUse:
</span><span class="cx"> speculateFinalObject(edge);
</span><span class="cx"> break;
</span><ins>+ case RegExpObjectUse:
+ speculateRegExpObject(edge);
+ break;
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> speculateObjectOrOther(edge);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -2470,6 +2470,7 @@
</span><span class="cx"> void speculateObject(Edge);
</span><span class="cx"> void speculateFunction(Edge);
</span><span class="cx"> void speculateFinalObject(Edge);
</span><ins>+ void speculateRegExpObject(Edge);
</ins><span class="cx"> void speculateObjectOrOther(Edge);
</span><span class="cx"> void speculateString(Edge edge, GPRReg cell);
</span><span class="cx"> void speculateStringIdentAndLoadStorage(Edge edge, GPRReg string, GPRReg storage);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -4826,6 +4826,7 @@
</span><span class="cx"> case KillStack:
</span><span class="cx"> case GetStack:
</span><span class="cx"> case GetMyArgumentByVal:
</span><ins>+ case StringReplace:
</ins><span class="cx"> DFG_CRASH(m_jit.graph(), node, "unexpected node in DFG backend");
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -4880,6 +4880,7 @@
</span><span class="cx"> case PutStack:
</span><span class="cx"> case KillStack:
</span><span class="cx"> case GetStack:
</span><ins>+ case StringReplace:
</ins><span class="cx"> DFG_CRASH(m_jit.graph(), node, "Unexpected node");
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGUseKindcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGUseKind.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGUseKind.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGUseKind.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -91,6 +91,9 @@
</span><span class="cx"> case FinalObjectUse:
</span><span class="cx"> out.print("FinalObject");
</span><span class="cx"> return;
</span><ins>+ case RegExpObjectUse:
+ out.print("RegExpObject");
+ return;
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> out.print("ObjectOrOther");
</span><span class="cx"> return;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGUseKindh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGUseKind.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGUseKind.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGUseKind.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -55,6 +55,7 @@
</span><span class="cx"> ObjectUse,
</span><span class="cx"> FunctionUse,
</span><span class="cx"> FinalObjectUse,
</span><ins>+ RegExpObjectUse,
</ins><span class="cx"> ObjectOrOtherUse,
</span><span class="cx"> StringIdentUse,
</span><span class="cx"> StringUse,
</span><span class="lines">@@ -117,6 +118,8 @@
</span><span class="cx"> return SpecFunction;
</span><span class="cx"> case FinalObjectUse:
</span><span class="cx"> return SpecFinalObject;
</span><ins>+ case RegExpObjectUse:
+ return SpecRegExpObject;
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> return SpecObject | SpecOther;
</span><span class="cx"> case StringIdentUse:
</span><span class="lines">@@ -208,6 +211,7 @@
</span><span class="cx"> case ObjectUse:
</span><span class="cx"> case FunctionUse:
</span><span class="cx"> case FinalObjectUse:
</span><ins>+ case RegExpObjectUse:
</ins><span class="cx"> case StringIdentUse:
</span><span class="cx"> case StringUse:
</span><span class="cx"> case KnownStringUse:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -223,6 +223,7 @@
</span><span class="cx"> case RegExpExec:
</span><span class="cx"> case RegExpTest:
</span><span class="cx"> case NewRegexp:
</span><ins>+ case StringReplace:
</ins><span class="cx"> // These are OK.
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -465,6 +466,7 @@
</span><span class="cx"> case StringOrStringObjectUse:
</span><span class="cx"> case SymbolUse:
</span><span class="cx"> case FinalObjectUse:
</span><ins>+ case RegExpObjectUse:
</ins><span class="cx"> case NotCellUse:
</span><span class="cx"> case OtherUse:
</span><span class="cx"> case MiscUse:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -923,6 +923,9 @@
</span><span class="cx"> case NewRegexp:
</span><span class="cx"> compileNewRegexp();
</span><span class="cx"> break;
</span><ins>+ case StringReplace:
+ compileStringReplace();
+ break;
</ins><span class="cx">
</span><span class="cx"> case PhantomLocal:
</span><span class="cx"> case LoopHint:
</span><span class="lines">@@ -6459,6 +6462,33 @@
</span><span class="cx"> setJSValue(result);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void compileStringReplace()
+ {
+ if (m_node->child1().useKind() == StringUse
+ && m_node->child2().useKind() == RegExpObjectUse
+ && m_node->child3().useKind() == StringUse) {
+
+ LValue string = lowString(m_node->child1());
+ LValue regExp = lowCell(m_node->child2());
+ speculateRegExpObject(m_node->child2(), regExp);
+ LValue replace = lowString(m_node->child3());
+
+ LValue result = vmCall(
+ Int64, m_out.operation(operationStringProtoFuncReplaceRegExpString),
+ m_callFrame, string, regExp, replace);
+
+ setJSValue(result);
+ return;
+ }
+
+ LValue result = vmCall(
+ Int64, m_out.operation(operationStringProtoFuncReplaceGeneric), m_callFrame,
+ lowJSValue(m_node->child1()), lowJSValue(m_node->child2()),
+ lowJSValue(m_node->child3()));
+
+ setJSValue(result);
+ }
+
</ins><span class="cx"> LValue didOverflowStack()
</span><span class="cx"> {
</span><span class="cx"> // This does a very simple leaf function analysis. The invariant of FTL call
</span><span class="lines">@@ -9285,6 +9315,9 @@
</span><span class="cx"> case FinalObjectUse:
</span><span class="cx"> speculateFinalObject(edge);
</span><span class="cx"> break;
</span><ins>+ case RegExpObjectUse:
+ speculateRegExpObject(edge);
+ break;
</ins><span class="cx"> case StringUse:
</span><span class="cx"> speculateString(edge);
</span><span class="cx"> break;
</span><span class="lines">@@ -9561,6 +9594,17 @@
</span><span class="cx"> speculateFinalObject(edge, lowCell(edge));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void speculateRegExpObject(Edge edge, LValue cell)
+ {
+ FTL_TYPE_CHECK(
+ jsValueValue(cell), edge, SpecRegExpObject, isNotType(cell, RegExpObjectType));
+ }
+
+ void speculateRegExpObject(Edge edge)
+ {
+ speculateRegExpObject(edge, lowCell(edge));
+ }
+
</ins><span class="cx"> void speculateString(Edge edge, LValue cell)
</span><span class="cx"> {
</span><span class="cx"> FTL_TYPE_CHECK(jsValueValue(cell), edge, SpecString | ~SpecCell, isNotString(cell));
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/jit/JITOperations.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/jit/JITOperations.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/jit/JITOperations.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -254,6 +254,7 @@
</span><span class="cx"> typedef SlowPathReturnType JIT_OPERATION (*Sprt_JITOperation_ECli)(ExecState*, CallLinkInfo*);
</span><span class="cx"> typedef StringImpl* JIT_OPERATION (*T_JITOperation_EJss)(ExecState*, JSString*);
</span><span class="cx"> typedef JSString* JIT_OPERATION (*Jss_JITOperation_EZ)(ExecState*, int32_t);
</span><ins>+typedef JSString* JIT_OPERATION (*Jss_JITOperation_EJJJ)(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue);
</ins><span class="cx">
</span><span class="cx"> // This method is used to lookup an exception hander, keyed by faultLocation, which is
</span><span class="cx"> // the return location from one of the calls out to one of the helper operations above.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeIntrinsich"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Intrinsic.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Intrinsic.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Intrinsic.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -52,6 +52,7 @@
</span><span class="cx"> RegExpExecIntrinsic,
</span><span class="cx"> RegExpTestIntrinsic,
</span><span class="cx"> StringPrototypeValueOfIntrinsic,
</span><ins>+ StringPrototypeReplaceIntrinsic,
</ins><span class="cx"> IMulIntrinsic,
</span><span class="cx"> RandomIntrinsic,
</span><span class="cx"> FRoundIntrinsic,
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSTypeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSType.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSType.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSType.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2006-2011, 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Library General Public
</span><span class="lines">@@ -78,7 +78,9 @@
</span><span class="cx"> GlobalObjectType,
</span><span class="cx"> ClosureObjectType,
</span><span class="cx">
</span><del>- LastJSCObjectType = ClosureObjectType,
</del><ins>+ RegExpObjectType,
+
+ LastJSCObjectType = RegExpObjectType,
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> COMPILE_ASSERT(sizeof(JSType) == sizeof(uint8_t), sizeof_jstype_is_one_byte);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpObjecth"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2003, 2007, 2008, 2012 Apple Inc. All Rights Reserved.
</del><ins>+ * Copyright (C) 2003, 2007, 2008, 2012, 2016 Apple Inc. All Rights Reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -71,7 +71,7 @@
</span><span class="cx">
</span><span class="cx"> static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
</span><span class="cx"> {
</span><del>- return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
</del><ins>+ return Structure::create(vm, globalObject, prototype, TypeInfo(RegExpObjectType, StructureFlags), info());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> protected:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStringPrototypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.cpp (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.cpp 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.cpp 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -135,7 +135,7 @@
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("lastIndexOf", stringProtoFuncLastIndexOf, DontEnum, 1);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("match", stringProtoFuncMatch, DontEnum, 1);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("repeat", stringProtoFuncRepeat, DontEnum, 1);
</span><del>- JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("replace", stringProtoFuncReplace, DontEnum, 2);
</del><ins>+ JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION("replace", stringProtoFuncReplace, DontEnum, 2, StringPrototypeReplaceIntrinsic);
</ins><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("slice", stringProtoFuncSlice, DontEnum, 2);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("split", stringProtoFuncSplit, DontEnum, 2);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("substr", stringProtoFuncSubstr, DontEnum, 2);
</span><span class="lines">@@ -484,18 +484,10 @@
</span><span class="cx"> return JSValue::encode(jsSpliceSubstrings(exec, string, source, sourceRanges.data(), sourceRanges.size()));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static NEVER_INLINE EncodedJSValue replaceUsingRegExpSearch(ExecState* exec, JSString* string, JSValue searchValue)
</del><ins>+static ALWAYS_INLINE EncodedJSValue replaceUsingRegExpSearch(
+ ExecState* exec, JSString* string, JSValue searchValue, CallData& callData, CallType callType,
+ String& replacementString, JSValue replaceValue)
</ins><span class="cx"> {
</span><del>- JSValue replaceValue = exec->argument(1);
- String replacementString;
- CallData callData;
- CallType callType = getCallData(replaceValue, callData);
- if (callType == CallTypeNone) {
- replacementString = replaceValue.toString(exec)->value(exec);
- if (exec->hadException())
- return JSValue::encode(jsUndefined());
- }
-
</del><span class="cx"> const String& source = string->value(exec);
</span><span class="cx"> unsigned sourceLen = source.length();
</span><span class="cx"> if (exec->hadException())
</span><span class="lines">@@ -672,8 +664,32 @@
</span><span class="cx"> return JSValue::encode(jsSpliceSubstringsWithSeparators(exec, string, source, sourceRanges.data(), sourceRanges.size(), replacements.data(), replacements.size()));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static inline EncodedJSValue replaceUsingStringSearch(ExecState* exec, JSString* jsString, JSValue searchValue)
</del><ins>+EncodedJSValue JIT_OPERATION operationStringProtoFuncReplaceRegExpString(
+ ExecState* exec, JSString* thisValue, RegExpObject* searchValue, JSString* replaceString)
</ins><span class="cx"> {
</span><ins>+ CallData callData;
+ String replacementString = replaceString->value(exec);
+ return replaceUsingRegExpSearch(
+ exec, thisValue, searchValue, callData, CallTypeNone, replacementString, replaceString);
+}
+
+static ALWAYS_INLINE EncodedJSValue replaceUsingRegExpSearch(ExecState* exec, JSString* string, JSValue searchValue, JSValue replaceValue)
+{
+ String replacementString;
+ CallData callData;
+ CallType callType = getCallData(replaceValue, callData);
+ if (callType == CallTypeNone) {
+ replacementString = replaceValue.toString(exec)->value(exec);
+ if (exec->hadException())
+ return JSValue::encode(jsUndefined());
+ }
+
+ return replaceUsingRegExpSearch(
+ exec, string, searchValue, callData, callType, replacementString, replaceValue);
+}
+
+static ALWAYS_INLINE EncodedJSValue replaceUsingStringSearch(ExecState* exec, JSString* jsString, JSValue searchValue, JSValue replaceValue)
+{
</ins><span class="cx"> const String& string = jsString->value(exec);
</span><span class="cx"> String searchString = searchValue.toString(exec)->value(exec);
</span><span class="cx"> if (exec->hadException())
</span><span class="lines">@@ -684,7 +700,6 @@
</span><span class="cx"> if (matchStart == notFound)
</span><span class="cx"> return JSValue::encode(jsString);
</span><span class="cx">
</span><del>- JSValue replaceValue = exec->argument(1);
</del><span class="cx"> CallData callData;
</span><span class="cx"> CallType callType = getCallData(replaceValue, callData);
</span><span class="cx"> if (callType != CallTypeNone) {
</span><span class="lines">@@ -787,19 +802,39 @@
</span><span class="cx"> return JSValue::encode(ropeBuilder.release());
</span><span class="cx"> }
</span><span class="cx">
</span><del>-EncodedJSValue JSC_HOST_CALL stringProtoFuncReplace(ExecState* exec)
</del><ins>+ALWAYS_INLINE EncodedJSValue replace(
+ ExecState* exec, JSString* string, JSValue searchValue, JSValue replaceValue)
</ins><span class="cx"> {
</span><del>- JSValue thisValue = exec->thisValue();
</del><ins>+ if (searchValue.inherits(RegExpObject::info()))
+ return replaceUsingRegExpSearch(exec, string, searchValue, replaceValue);
+ return replaceUsingStringSearch(exec, string, searchValue, replaceValue);
+}
+
+ALWAYS_INLINE EncodedJSValue replace(
+ ExecState* exec, JSValue thisValue, JSValue searchValue, JSValue replaceValue)
+{
</ins><span class="cx"> if (!checkObjectCoercible(thisValue))
</span><span class="cx"> return throwVMTypeError(exec);
</span><span class="cx"> JSString* string = thisValue.toString(exec);
</span><del>- JSValue searchValue = exec->argument(0);
</del><ins>+ if (exec->hadException())
+ return JSValue::encode(jsUndefined());
+ return replace(exec, string, searchValue, replaceValue);
+}
</ins><span class="cx">
</span><del>- if (searchValue.inherits(RegExpObject::info()))
- return replaceUsingRegExpSearch(exec, string, searchValue);
- return replaceUsingStringSearch(exec, string, searchValue);
</del><ins>+EncodedJSValue JSC_HOST_CALL stringProtoFuncReplace(ExecState* exec)
+{
+ return replace(exec, exec->thisValue(), exec->argument(0), exec->argument(1));
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+EncodedJSValue JIT_OPERATION operationStringProtoFuncReplaceGeneric(
+ ExecState* exec, EncodedJSValue thisValue, EncodedJSValue searchValue,
+ EncodedJSValue replaceValue)
+{
+ return replace(
+ exec, JSValue::decode(thisValue), JSValue::decode(searchValue),
+ JSValue::decode(replaceValue));
+}
+
</ins><span class="cx"> EncodedJSValue JSC_HOST_CALL stringProtoFuncToString(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSValue thisValue = exec->thisValue();
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStringPrototypeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.h (197678 => 197679)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.h 2016-03-07 12:07:34 UTC (rev 197678)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.h 2016-03-07 12:12:38 UTC (rev 197679)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2007, 2008, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2007, 2008, 2013, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -21,11 +21,13 @@
</span><span class="cx"> #ifndef StringPrototype_h
</span><span class="cx"> #define StringPrototype_h
</span><span class="cx">
</span><ins>+#include "JITOperations.h"
</ins><span class="cx"> #include "StringObject.h"
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> class ObjectPrototype;
</span><ins>+class RegExpObject;
</ins><span class="cx">
</span><span class="cx"> class StringPrototype : public StringObject {
</span><span class="cx"> private:
</span><span class="lines">@@ -51,6 +53,13 @@
</span><span class="cx"> static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
</span><span class="cx"> };
</span><span class="cx">
</span><ins>+EncodedJSValue JIT_OPERATION operationStringProtoFuncReplaceGeneric(
+ ExecState* exec, EncodedJSValue thisValue, EncodedJSValue searchValue,
+ EncodedJSValue replaceValue);
+
+EncodedJSValue JIT_OPERATION operationStringProtoFuncReplaceRegExpString(
+ ExecState* exec, JSString* thisValue, RegExpObject* searchValue, JSString* replaceValue);
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx">
</span><span class="cx"> #endif // StringPrototype_h
</span></span></pre>
</div>
</div>
</body>
</html>