<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197848] releases/WebKitGTK/webkit-2.12</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197848">197848</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-09 01:35:05 -0800 (Wed, 09 Mar 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/197641">r197641</a> - RegExpMatchesArray doesn't know how to have a bad time
https://bugs.webkit.org/show_bug.cgi?id=155069
Reviewed by Yusuke Suzuki.
Source/JavaScriptCore:
In trunk if we are having a bad time, the regexp matches array is still allocated with a
non-slow-put indexing shape, which makes it have the wrong behavior on indexed setters on
the prototype chain.
Getting this to work right requires introducing bad time code paths into the regexp matches
array. It also requires something more drastic: making this code not play games with the
global object. The code that creates the matches array needs to have the actual global
object of the regexp native function that it's logically created by.
This is totally different from how we've handled global objects in the past because it means
that the global object is not a constant. Normally we can make it a constant because a
script executable will know its global object. But with native functions, it's the function
instance that knows the global object - not the native executable. When we inline a native
intrinsic, we are guaranteed to know the native executable but we're not guaranteed to know
the functon instance. This means that the global object may be a variable that gets computed
by looking at the instance at run-time. So, the RegExpExec/RegExpTest nodes in DFG IR now
take a global object child. That also meant adding a new node type, GetGlobalObject, which
does the thing to the callee that CallFrame::lexicalGlobalObject() would have done.
Eventually, we'll probably have to make other native intrinsics also use GetGlobalObject. It
turns out that this really isn't so bad because usually it's constant-folded anyway, since
although the intrinsic code supports executable-based inlining (which leaves the callee
instance as an unknown), it happens rarely for intrinsics. So, conveying the global object
via a child isn't any worse than conveying it via meta-data, and it's probably better than
telling the inliner not to do executable-based inlining of native intrinsics. That would
have been a confusing special-case.
This is perf-neutral on my machines but it fixes a bug and it unlocks some interesting
possibilities. For example, RegExpExec can now make a firm promise about the type of array
it's creating.
This also contains some other changes:
- We are now using Structure::addPropertyTransition() in a lot of places even though it was
meant to be an internal method with a quirky contract - for example if only works if you
know that there is not existing transition. This relaxes this constraint.
- Restores the use of "*" for heap references in JSString.h. It's very unusual to have heap
references pointed at with "&", since we don't currently do that anywhere. The fact that
it was using the wrong reference type also meant that the code couldn't elegantly make use
of some our GC pointer helpers like jsCast<>.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleMinMax):
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSkipScope):
(JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileSkipScope):
(JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalObject):
(JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
* jit/JITOperations.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::haveABadTime):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
* runtime/JSObject.h:
(JSC::JSObject::putDirectInternal):
* runtime/JSString.h:
(JSC::jsString):
(JSC::jsSubstring):
* runtime/RegExpCachedResult.cpp:
(JSC::RegExpCachedResult::lastResult):
* runtime/RegExpMatchesArray.cpp:
(JSC::tryCreateUninitializedRegExpMatchesArray):
(JSC::createRegExpMatchesArray):
(JSC::createStructureImpl):
(JSC::createRegExpMatchesArrayStructure):
(JSC::createRegExpMatchesArraySlowPutStructure):
* runtime/RegExpMatchesArray.h:
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::put):
(JSC::RegExpObject::exec):
(JSC::RegExpObject::match):
* runtime/RegExpObject.h:
(JSC::RegExpObject::getLastIndex):
(JSC::RegExpObject::test):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncTest):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncCompile):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncMatch):
* runtime/Structure.cpp:
(JSC::Structure::suggestedArrayStorageTransition):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::addNewPropertyTransition):
* runtime/Structure.h:
* tests/stress/regexp-matches-array-bad-time.js: Added.
* tests/stress/regexp-matches-array-slow-put.js: Added.
LayoutTests:
* js/regress/regexp-exec-expected.txt: Added.
* js/regress/regexp-exec.html: Added.
* js/regress/script-tests/regexp-exec.js: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGByteCodeParsercpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGClobberizeh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGDoesGCcpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGFixupPhasecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGNodeTypeh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGOperationscpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGOperationsh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGOperations.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSafeToExecuteh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJITcpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJITh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGStructureRegistrationPhasecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreftlFTLCapabilitiescpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreftlFTLLowerDFGToB3cpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCorejitJITOperationsh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSGlobalObjectcpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSGlobalObjecth">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSGlobalObject.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSObjecth">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSStringh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSString.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpCachedResultcpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpCachedResult.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpMatchesArraycpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpMatchesArray.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpMatchesArrayh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpMatchesArray.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpObjectcpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpObjecth">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpPrototypecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpPrototype.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStringPrototypecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStructurecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Structure.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStructureh">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Structure.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsjsregressregexpexecexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/regexp-exec-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsjsregressregexpexechtml">releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/regexp-exec.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsjsregressscripttestsregexpexecjs">releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/script-tests/regexp-exec.js</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoretestsstressregexpmatchesarraybadtimejs">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/tests/stress/regexp-matches-array-bad-time.js</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoretestsstressregexpmatchesarrayslowputjs">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit212LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2016-03-06 Filip Pizlo <fpizlo@apple.com>
+
+ RegExpMatchesArray doesn't know how to have a bad time
+ https://bugs.webkit.org/show_bug.cgi?id=155069
+
+ Reviewed by Yusuke Suzuki.
+
+ * js/regress/regexp-exec-expected.txt: Added.
+ * js/regress/regexp-exec.html: Added.
+ * js/regress/script-tests/regexp-exec.js: Added.
+
</ins><span class="cx"> 2016-03-04 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> Location.reload should not be writable
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsjsregressregexpexecexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/regexp-exec-expected.txt (0 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/regexp-exec-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/regexp-exec-expected.txt 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/regexp-exec
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsjsregressregexpexechtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/regexp-exec.html (0 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/regexp-exec.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/regexp-exec.html 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/regexp-exec.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsjsregressscripttestsregexpexecjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/script-tests/regexp-exec.js (0 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/script-tests/regexp-exec.js (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/js/regress/script-tests/regexp-exec.js 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+(function() {
+ var result = 0;
+ var n = 1000000;
+ var re = /foo/;
+ for (var i = 0; i < n; ++i)
+ result += re.exec("foo").length;
+ if (result != n)
+ throw "Error: bad result: " + result;
+})();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,3 +1,131 @@
</span><ins>+2016-03-06 Filip Pizlo <fpizlo@apple.com>
+
+ RegExpMatchesArray doesn't know how to have a bad time
+ https://bugs.webkit.org/show_bug.cgi?id=155069
+
+ Reviewed by Yusuke Suzuki.
+
+ In trunk if we are having a bad time, the regexp matches array is still allocated with a
+ non-slow-put indexing shape, which makes it have the wrong behavior on indexed setters on
+ the prototype chain.
+
+ Getting this to work right requires introducing bad time code paths into the regexp matches
+ array. It also requires something more drastic: making this code not play games with the
+ global object. The code that creates the matches array needs to have the actual global
+ object of the regexp native function that it's logically created by.
+
+ This is totally different from how we've handled global objects in the past because it means
+ that the global object is not a constant. Normally we can make it a constant because a
+ script executable will know its global object. But with native functions, it's the function
+ instance that knows the global object - not the native executable. When we inline a native
+ intrinsic, we are guaranteed to know the native executable but we're not guaranteed to know
+ the functon instance. This means that the global object may be a variable that gets computed
+ by looking at the instance at run-time. So, the RegExpExec/RegExpTest nodes in DFG IR now
+ take a global object child. That also meant adding a new node type, GetGlobalObject, which
+ does the thing to the callee that CallFrame::lexicalGlobalObject() would have done.
+ Eventually, we'll probably have to make other native intrinsics also use GetGlobalObject. It
+ turns out that this really isn't so bad because usually it's constant-folded anyway, since
+ although the intrinsic code supports executable-based inlining (which leaves the callee
+ instance as an unknown), it happens rarely for intrinsics. So, conveying the global object
+ via a child isn't any worse than conveying it via meta-data, and it's probably better than
+ telling the inliner not to do executable-based inlining of native intrinsics. That would
+ have been a confusing special-case.
+
+ This is perf-neutral on my machines but it fixes a bug and it unlocks some interesting
+ possibilities. For example, RegExpExec can now make a firm promise about the type of array
+ it's creating.
+
+ This also contains some other changes:
+
+ - We are now using Structure::addPropertyTransition() in a lot of places even though it was
+ meant to be an internal method with a quirky contract - for example if only works if you
+ know that there is not existing transition. This relaxes this constraint.
+
+ - Restores the use of "*" for heap references in JSString.h. It's very unusual to have heap
+ references pointed at with "&", since we don't currently do that anywhere. The fact that
+ it was using the wrong reference type also meant that the code couldn't elegantly make use
+ of some our GC pointer helpers like jsCast<>.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::attemptToInlineCall):
+ (JSC::DFG::ByteCodeParser::handleMinMax):
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileSkipScope):
+ (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
+ (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSkipScope):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
+ (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
+ (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
+ * jit/JITOperations.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::haveABadTime):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ * runtime/JSObject.h:
+ (JSC::JSObject::putDirectInternal):
+ * runtime/JSString.h:
+ (JSC::jsString):
+ (JSC::jsSubstring):
+ * runtime/RegExpCachedResult.cpp:
+ (JSC::RegExpCachedResult::lastResult):
+ * runtime/RegExpMatchesArray.cpp:
+ (JSC::tryCreateUninitializedRegExpMatchesArray):
+ (JSC::createRegExpMatchesArray):
+ (JSC::createStructureImpl):
+ (JSC::createRegExpMatchesArrayStructure):
+ (JSC::createRegExpMatchesArraySlowPutStructure):
+ * runtime/RegExpMatchesArray.h:
+ * runtime/RegExpObject.cpp:
+ (JSC::RegExpObject::put):
+ (JSC::RegExpObject::exec):
+ (JSC::RegExpObject::match):
+ * runtime/RegExpObject.h:
+ (JSC::RegExpObject::getLastIndex):
+ (JSC::RegExpObject::test):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoFuncTest):
+ (JSC::regExpProtoFuncExec):
+ (JSC::regExpProtoFuncCompile):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncMatch):
+ * runtime/Structure.cpp:
+ (JSC::Structure::suggestedArrayStorageTransition):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::addNewPropertyTransition):
+ * runtime/Structure.h:
+ * tests/stress/regexp-matches-array-bad-time.js: Added.
+ * tests/stress/regexp-matches-array-slow-put.js: Added.
+
</ins><span class="cx"> 2016-03-06 Yusuke Suzuki <utatane.tea@gmail.com>
</span><span class="cx">
</span><span class="cx"> [JSC] RegExp#lastIndex should handle writable attribute when defining in defineOwnProperty path
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1554,17 +1554,29 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case RegExpExec:
</span><del>- if (node->child1().useKind() == RegExpObjectUse
- && node->child2().useKind() == StringUse) {
</del><ins>+ if (node->child2().useKind() == RegExpObjectUse
+ && node->child3().useKind() == StringUse) {
</ins><span class="cx"> // This doesn't clobber the world since there are no conversions to perform.
</span><span class="cx"> } else
</span><span class="cx"> clobberWorld(node->origin.semantic, clobberLimit);
</span><del>- forNode(node).makeHeapTop();
</del><ins>+ if (JSValue globalObjectValue = forNode(node->child1()).m_value) {
+ if (JSGlobalObject* globalObject = jsDynamicCast<JSGlobalObject*>(globalObjectValue)) {
+ if (!globalObject->isHavingABadTime()) {
+ m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
+ Structure* structure = globalObject->regExpMatchesArrayStructure();
+ m_graph.registerStructure(structure);
+ forNode(node).set(m_graph, structure);
+ forNode(node).merge(SpecOther);
+ break;
+ }
+ }
+ }
+ forNode(node).setType(m_graph, SpecOther | SpecArray);
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case RegExpTest:
</span><del>- if (node->child1().useKind() == RegExpObjectUse
- && node->child2().useKind() == StringUse) {
</del><ins>+ if (node->child2().useKind() == RegExpObjectUse
+ && node->child3().useKind() == StringUse) {
</ins><span class="cx"> // This doesn't clobber the world since there are no conversions to perform.
</span><span class="cx"> } else
</span><span class="cx"> clobberWorld(node->origin.semantic, clobberLimit);
</span><span class="lines">@@ -1882,6 +1894,33 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case GetGlobalObject: {
+ JSValue child = forNode(node->child1()).value();
+ if (child) {
+ setConstant(node, *m_graph.freeze(JSValue(asObject(child)->globalObject())));
+ break;
+ }
+
+ if (forNode(node->child1()).m_structure.isFinite()) {
+ JSGlobalObject* globalObject = nullptr;
+ bool ok = true;
+ forNode(node->child1()).m_structure.forEach(
+ [&] (Structure* structure) {
+ if (!globalObject)
+ globalObject = structure->globalObject();
+ else if (globalObject != structure->globalObject())
+ ok = false;
+ });
+ if (globalObject && ok) {
+ setConstant(node, *m_graph.freeze(JSValue(globalObject)));
+ break;
+ }
+ }
+
+ forNode(node).setType(m_graph, SpecObjectOther);
+ break;
+ }
+
</ins><span class="cx"> case GetClosureVar:
</span><span class="cx"> if (JSValue value = m_graph.tryGetConstantClosureVar(forNode(node->child1()), node->scopeOffset())) {
</span><span class="cx"> setConstant(node, *m_graph.freeze(value));
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -202,7 +202,7 @@
</span><span class="cx"> void cancelLinkingForBlock(InlineStackEntry*, BasicBlock*); // Only works when the given block is the last one to have been added for that inline stack entry.
</span><span class="cx"> // Handle intrinsic functions. Return true if it succeeded, false if we need to plant a call.
</span><span class="cx"> template<typename ChecksFunctor>
</span><del>- bool handleIntrinsicCall(int resultOperand, Intrinsic, int registerOffset, int argumentCountIncludingThis, SpeculatedType prediction, const ChecksFunctor& insertChecks);
</del><ins>+ bool handleIntrinsicCall(Node* callee, int resultOperand, Intrinsic, int registerOffset, int argumentCountIncludingThis, SpeculatedType prediction, const ChecksFunctor& insertChecks);
</ins><span class="cx"> template<typename ChecksFunctor>
</span><span class="cx"> bool handleIntrinsicGetter(int resultOperand, const GetByIdVariant& intrinsicVariant, Node* thisNode, const ChecksFunctor& insertChecks);
</span><span class="cx"> template<typename ChecksFunctor>
</span><span class="lines">@@ -1601,7 +1601,7 @@
</span><span class="cx">
</span><span class="cx"> Intrinsic intrinsic = callee.intrinsicFor(specializationKind);
</span><span class="cx"> if (intrinsic != NoIntrinsic) {
</span><del>- if (handleIntrinsicCall(resultOperand, intrinsic, registerOffset, argumentCountIncludingThis, prediction, insertChecksWithAccounting)) {
</del><ins>+ if (handleIntrinsicCall(callTargetNode, resultOperand, intrinsic, registerOffset, argumentCountIncludingThis, prediction, insertChecksWithAccounting)) {
</ins><span class="cx"> RELEASE_ASSERT(didInsertChecks);
</span><span class="cx"> addToGraph(Phantom, callTargetNode);
</span><span class="cx"> emitArgumentPhantoms(registerOffset, argumentCountIncludingThis);
</span><span class="lines">@@ -1991,7 +1991,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename ChecksFunctor>
</span><del>-bool ByteCodeParser::handleIntrinsicCall(int resultOperand, Intrinsic intrinsic, int registerOffset, int argumentCountIncludingThis, SpeculatedType prediction, const ChecksFunctor& insertChecks)
</del><ins>+bool ByteCodeParser::handleIntrinsicCall(Node* callee, int resultOperand, Intrinsic intrinsic, int registerOffset, int argumentCountIncludingThis, SpeculatedType prediction, const ChecksFunctor& insertChecks)
</ins><span class="cx"> {
</span><span class="cx"> switch (intrinsic) {
</span><span class="cx">
</span><span class="lines">@@ -2172,7 +2172,7 @@
</span><span class="cx"> return false;
</span><span class="cx">
</span><span class="cx"> insertChecks();
</span><del>- Node* regExpExec = addToGraph(RegExpExec, OpInfo(0), OpInfo(prediction), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset)));
</del><ins>+ Node* regExpExec = addToGraph(RegExpExec, OpInfo(0), OpInfo(prediction), addToGraph(GetGlobalObject, callee), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset)));
</ins><span class="cx"> set(VirtualRegister(resultOperand), regExpExec);
</span><span class="cx">
</span><span class="cx"> return true;
</span><span class="lines">@@ -2183,7 +2183,7 @@
</span><span class="cx"> return false;
</span><span class="cx">
</span><span class="cx"> insertChecks();
</span><del>- Node* regExpExec = addToGraph(RegExpTest, OpInfo(0), OpInfo(prediction), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset)));
</del><ins>+ Node* regExpExec = addToGraph(RegExpTest, OpInfo(0), OpInfo(prediction), addToGraph(GetGlobalObject, callee), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset)));
</ins><span class="cx"> set(VirtualRegister(resultOperand), regExpExec);
</span><span class="cx">
</span><span class="cx"> return true;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGClobberize.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -134,6 +134,7 @@
</span><span class="cx"> case ArithLog:
</span><span class="cx"> case GetScope:
</span><span class="cx"> case SkipScope:
</span><ins>+ case GetGlobalObject:
</ins><span class="cx"> case StringCharCodeAt:
</span><span class="cx"> case CompareStrictEq:
</span><span class="cx"> case IsUndefined:
</span><span class="lines">@@ -1078,8 +1079,8 @@
</span><span class="cx">
</span><span class="cx"> case RegExpExec:
</span><span class="cx"> case RegExpTest:
</span><del>- if (node->child1().useKind() == RegExpObjectUse
- && node->child2().useKind() == StringUse) {
</del><ins>+ if (node->child2().useKind() == RegExpObjectUse
+ && node->child3().useKind() == StringUse) {
</ins><span class="cx"> read(RegExpState);
</span><span class="cx"> write(RegExpState);
</span><span class="cx"> return;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -111,6 +111,7 @@
</span><span class="cx"> case CheckArray:
</span><span class="cx"> case GetScope:
</span><span class="cx"> case SkipScope:
</span><ins>+ case GetGlobalObject:
</ins><span class="cx"> case GetClosureVar:
</span><span class="cx"> case PutClosureVar:
</span><span class="cx"> case GetRegExpObjectLastIndex:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -879,11 +879,13 @@
</span><span class="cx">
</span><span class="cx"> case RegExpExec:
</span><span class="cx"> case RegExpTest: {
</span><del>- if (node->child1()->shouldSpeculateRegExpObject()) {
- fixEdge<RegExpObjectUse>(node->child1());
</del><ins>+ fixEdge<KnownCellUse>(node->child1());
+
+ if (node->child2()->shouldSpeculateRegExpObject()) {
+ fixEdge<RegExpObjectUse>(node->child2());
</ins><span class="cx">
</span><del>- if (node->child2()->shouldSpeculateString())
- fixEdge<StringUse>(node->child2());
</del><ins>+ if (node->child3()->shouldSpeculateString())
+ fixEdge<StringUse>(node->child3());
</ins><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -1049,7 +1051,8 @@
</span><span class="cx"> case SkipScope:
</span><span class="cx"> case GetScope:
</span><span class="cx"> case GetGetter:
</span><del>- case GetSetter: {
</del><ins>+ case GetSetter:
+ case GetGlobalObject: {
</ins><span class="cx"> fixEdge<KnownCellUse>(node->child1());
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNodeType.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNodeType.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGNodeType.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -212,6 +212,7 @@
</span><span class="cx"> macro(GetTypedArrayByteOffset, NodeResultInt32) \
</span><span class="cx"> macro(GetScope, NodeResultJS) \
</span><span class="cx"> macro(SkipScope, NodeResultJS) \
</span><ins>+ macro(GetGlobalObject, NodeResultJS) \
</ins><span class="cx"> macro(GetClosureVar, NodeResultJS) \
</span><span class="cx"> macro(PutClosureVar, NodeMustGenerate) \
</span><span class="cx"> macro(GetGlobalVar, NodeResultJS) \
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGOperations.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -612,17 +612,17 @@
</span><span class="cx"> return JSValue::encode(array->pop(exec));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-EncodedJSValue JIT_OPERATION operationRegExpExecString(ExecState* exec, RegExpObject* regExpObject, JSString* argument)
</del><ins>+EncodedJSValue JIT_OPERATION operationRegExpExecString(ExecState* exec, JSGlobalObject* globalObject, RegExpObject* regExpObject, JSString* argument)
</ins><span class="cx"> {
</span><del>- VM& vm = exec->vm();
</del><ins>+ VM& vm = globalObject->vm();
</ins><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><del>- return JSValue::encode(regExpObject->exec(exec, argument));
</del><ins>+ return JSValue::encode(regExpObject->exec(exec, globalObject, argument));
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-EncodedJSValue JIT_OPERATION operationRegExpExec(ExecState* exec, RegExpObject* regExpObject, EncodedJSValue encodedArgument)
</del><ins>+EncodedJSValue JIT_OPERATION operationRegExpExec(ExecState* exec, JSGlobalObject* globalObject, RegExpObject* regExpObject, EncodedJSValue encodedArgument)
</ins><span class="cx"> {
</span><del>- VM& vm = exec->vm();
</del><ins>+ VM& vm = globalObject->vm();
</ins><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><span class="cx"> JSValue argument = JSValue::decode(encodedArgument);
</span><span class="lines">@@ -630,12 +630,12 @@
</span><span class="cx"> JSString* input = argument.toStringOrNull(exec);
</span><span class="cx"> if (!input)
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><del>- return JSValue::encode(regExpObject->exec(exec, input));
</del><ins>+ return JSValue::encode(regExpObject->exec(exec, globalObject, input));
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-EncodedJSValue JIT_OPERATION operationRegExpExecGeneric(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedArgument)
</del><ins>+EncodedJSValue JIT_OPERATION operationRegExpExecGeneric(ExecState* exec, JSGlobalObject* globalObject, EncodedJSValue encodedBase, EncodedJSValue encodedArgument)
</ins><span class="cx"> {
</span><del>- VM& vm = exec->vm();
</del><ins>+ VM& vm = globalObject->vm();
</ins><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><span class="cx"> JSValue base = JSValue::decode(encodedBase);
</span><span class="lines">@@ -647,20 +647,20 @@
</span><span class="cx"> JSString* input = argument.toStringOrNull(exec);
</span><span class="cx"> if (!input)
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><del>- return JSValue::encode(asRegExpObject(base)->exec(exec, input));
</del><ins>+ return JSValue::encode(asRegExpObject(base)->exec(exec, globalObject, input));
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-size_t JIT_OPERATION operationRegExpTestString(ExecState* exec, RegExpObject* regExpObject, JSString* input)
</del><ins>+size_t JIT_OPERATION operationRegExpTestString(ExecState* exec, JSGlobalObject* globalObject, RegExpObject* regExpObject, JSString* input)
</ins><span class="cx"> {
</span><del>- VM& vm = exec->vm();
</del><ins>+ VM& vm = globalObject->vm();
</ins><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><del>- return regExpObject->test(exec, input);
</del><ins>+ return regExpObject->test(exec, globalObject, input);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-size_t JIT_OPERATION operationRegExpTest(ExecState* exec, RegExpObject* regExpObject, EncodedJSValue encodedArgument)
</del><ins>+size_t JIT_OPERATION operationRegExpTest(ExecState* exec, JSGlobalObject* globalObject, RegExpObject* regExpObject, EncodedJSValue encodedArgument)
</ins><span class="cx"> {
</span><del>- VM& vm = exec->vm();
</del><ins>+ VM& vm = globalObject->vm();
</ins><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><span class="cx"> JSValue argument = JSValue::decode(encodedArgument);
</span><span class="lines">@@ -668,12 +668,12 @@
</span><span class="cx"> JSString* input = argument.toStringOrNull(exec);
</span><span class="cx"> if (!input)
</span><span class="cx"> return false;
</span><del>- return regExpObject->test(exec, input);
</del><ins>+ return regExpObject->test(exec, globalObject, input);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-size_t JIT_OPERATION operationRegExpTestGeneric(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedArgument)
</del><ins>+size_t JIT_OPERATION operationRegExpTestGeneric(ExecState* exec, JSGlobalObject* globalObject, EncodedJSValue encodedBase, EncodedJSValue encodedArgument)
</ins><span class="cx"> {
</span><del>- VM& vm = exec->vm();
</del><ins>+ VM& vm = globalObject->vm();
</ins><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><span class="cx"> JSValue base = JSValue::decode(encodedBase);
</span><span class="lines">@@ -687,7 +687,7 @@
</span><span class="cx"> JSString* input = argument.toStringOrNull(exec);
</span><span class="cx"> if (!input)
</span><span class="cx"> return false;
</span><del>- return asRegExpObject(base)->test(exec, input);
</del><ins>+ return asRegExpObject(base)->test(exec, globalObject, input);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> size_t JIT_OPERATION operationCompareStrictEqCell(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGOperationsh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGOperations.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGOperations.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGOperations.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -101,13 +101,13 @@
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationArrayPushDouble(ExecState*, double value, JSArray*) WTF_INTERNAL;
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationArrayPop(ExecState*, JSArray*) WTF_INTERNAL;
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationArrayPopAndRecoverLength(ExecState*, JSArray*) WTF_INTERNAL;
</span><del>-EncodedJSValue JIT_OPERATION operationRegExpExecString(ExecState*, RegExpObject*, JSString*) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationRegExpExec(ExecState*, RegExpObject*, EncodedJSValue) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationRegExpExecGeneric(ExecState*, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
</del><ins>+EncodedJSValue JIT_OPERATION operationRegExpExecString(ExecState*, JSGlobalObject*, RegExpObject*, JSString*) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationRegExpExec(ExecState*, JSGlobalObject*, RegExpObject*, EncodedJSValue) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationRegExpExecGeneric(ExecState*, JSGlobalObject*, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
</ins><span class="cx"> // These comparisons return a boolean within a size_t such that the value is zero extended to fill the register.
</span><del>-size_t JIT_OPERATION operationRegExpTestString(ExecState*, RegExpObject*, JSString*) WTF_INTERNAL;
-size_t JIT_OPERATION operationRegExpTest(ExecState*, RegExpObject*, EncodedJSValue) WTF_INTERNAL;
-size_t JIT_OPERATION operationRegExpTestGeneric(ExecState*, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
</del><ins>+size_t JIT_OPERATION operationRegExpTestString(ExecState*, JSGlobalObject*, RegExpObject*, JSString*) WTF_INTERNAL;
+size_t JIT_OPERATION operationRegExpTest(ExecState*, JSGlobalObject*, RegExpObject*, EncodedJSValue) WTF_INTERNAL;
+size_t JIT_OPERATION operationRegExpTestGeneric(ExecState*, JSGlobalObject*, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
</ins><span class="cx"> size_t JIT_OPERATION operationCompareStrictEqCell(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
</span><span class="cx"> size_t JIT_OPERATION operationCompareStrictEq(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
</span><span class="cx"> JSCell* JIT_OPERATION operationCreateActivationDirect(ExecState*, Structure*, JSScope*, SymbolTable*, EncodedJSValue);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -550,7 +550,8 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case SkipScope: {
</del><ins>+ case SkipScope:
+ case GetGlobalObject: {
</ins><span class="cx"> changed |= setPrediction(SpecObjectOther);
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -207,6 +207,7 @@
</span><span class="cx"> case ArrayifyToStructure:
</span><span class="cx"> case GetScope:
</span><span class="cx"> case SkipScope:
</span><ins>+ case GetGlobalObject:
</ins><span class="cx"> case GetClosureVar:
</span><span class="cx"> case PutClosureVar:
</span><span class="cx"> case GetGlobalVar:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -5342,6 +5342,16 @@
</span><span class="cx"> cellResult(result.gpr(), node);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void SpeculativeJIT::compileGetGlobalObject(Node* node)
+{
+ SpeculateCellOperand object(this, node->child1());
+ GPRTemporary result(this);
+ GPRTemporary scratch(this);
+ m_jit.emitLoadStructure(object.gpr(), result.gpr(), scratch.gpr());
+ m_jit.loadPtr(JITCompiler::Address(result.gpr(), Structure::globalObjectOffset()), result.gpr());
+ cellResult(result.gpr(), node);
+}
+
</ins><span class="cx"> void SpeculativeJIT::compileGetArrayLength(Node* node)
</span><span class="cx"> {
</span><span class="cx"> switch (node->arrayMode().type()) {
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1217,15 +1217,15 @@
</span><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JITCompiler::Call callOperation(J_JITOperation_EReoJ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
</del><ins>+ JITCompiler::Call callOperation(J_JITOperation_EGReoJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(arg1, arg2);
</del><ins>+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
</ins><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JITCompiler::Call callOperation(J_JITOperation_EReoJss operation, GPRReg result, GPRReg arg1, GPRReg arg2)
</del><ins>+ JITCompiler::Call callOperation(J_JITOperation_EGReoJss operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(arg1, arg2);
</del><ins>+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
</ins><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1446,16 +1446,21 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, arg2);
</span><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><del>- JITCompiler::Call callOperation(S_JITOperation_EReoJ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
</del><ins>+ JITCompiler::Call callOperation(S_JITOperation_EGJJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(arg1, arg2);
</del><ins>+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
</ins><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><del>- JITCompiler::Call callOperation(S_JITOperation_EReoJss operation, GPRReg result, GPRReg arg1, GPRReg arg2)
</del><ins>+ JITCompiler::Call callOperation(S_JITOperation_EGReoJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(arg1, arg2);
</del><ins>+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
</ins><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(S_JITOperation_EGReoJss operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallSetResult(operation, result);
+ }
</ins><span class="cx">
</span><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_EPP operation, GPRReg result, GPRReg arg1, GPRReg arg2)
</span><span class="cx"> {
</span><span class="lines">@@ -1467,6 +1472,11 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, arg2);
</span><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(J_JITOperation_EGJJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallSetResult(operation, result);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_EJJ operation, GPRReg result, GPRReg arg1, int32_t imm)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, MacroAssembler::TrustedImm64(JSValue::encode(jsNumber(imm))));
</span><span class="lines">@@ -1722,14 +1732,14 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, TrustedImmPtr(cell), EABI_32BIT_DUMMY_ARG arg2Payload, arg2Tag);
</span><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><del>- JITCompiler::Call callOperation(J_JITOperation_EReoJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2Tag, GPRReg arg2Payload)
</del><ins>+ JITCompiler::Call callOperation(J_JITOperation_EGReoJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(arg1, arg2Payload, arg2Tag);
</del><ins>+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3Payload, arg3Tag);
</ins><span class="cx"> return appendCallSetResult(operation, resultPayload, resultTag);
</span><span class="cx"> }
</span><del>- JITCompiler::Call callOperation(J_JITOperation_EReoJss operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2)
</del><ins>+ JITCompiler::Call callOperation(J_JITOperation_EGReoJss operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2, GPRReg arg3)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(arg1, arg2);
</del><ins>+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
</ins><span class="cx"> return appendCallSetResult(operation, resultPayload, resultTag);
</span><span class="cx"> }
</span><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_ESsiCI operation, GPRReg resultTag, GPRReg resultPayload, StructureStubInfo* stubInfo, GPRReg arg1, const UniquedStringImpl* uid)
</span><span class="lines">@@ -1829,21 +1839,31 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, SH4_32BIT_DUMMY_ARG arg2Payload, arg2Tag);
</span><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><del>- JITCompiler::Call callOperation(S_JITOperation_EReoJ operation, GPRReg result, GPRReg arg1, GPRReg arg2Tag, GPRReg arg2Payload)
</del><ins>+ JITCompiler::Call callOperation(S_JITOperation_EGJJ operation, GPRReg result, GPRReg arg1, GPRReg arg2Tag, GPRReg arg2Payload, GPRReg arg3Tag, GPRReg arg3Payload)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(arg1, arg2Payload, arg2Tag);
</del><ins>+ m_jit.setupArgumentsWithExecState(arg1, arg2Payload, arg2Tag, SH4_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
</ins><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><del>- JITCompiler::Call callOperation(S_JITOperation_EReoJss operation, GPRReg result, GPRReg arg1, GPRReg arg2)
</del><ins>+ JITCompiler::Call callOperation(S_JITOperation_EGReoJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(arg1, arg2);
</del><ins>+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3Payload, arg3Tag);
</ins><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(S_JITOperation_EGReoJss operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallSetResult(operation, result);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_EJJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2Tag, GPRReg arg2Payload)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, SH4_32BIT_DUMMY_ARG arg2Payload, arg2Tag);
</span><span class="cx"> return appendCallSetResult(operation, resultPayload, resultTag);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(J_JITOperation_EGJJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2Tag, GPRReg arg2Payload, GPRReg arg3Tag, GPRReg arg3Payload)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2Payload, arg2Tag, SH4_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
+ return appendCallSetResult(operation, resultPayload, resultTag);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_EJJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1Tag, GPRReg arg1Payload, MacroAssembler::TrustedImm32 imm)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, SH4_32BIT_DUMMY_ARG imm, TrustedImm32(JSValue::Int32Tag));
</span><span class="lines">@@ -2309,6 +2329,7 @@
</span><span class="cx">
</span><span class="cx"> void compileGetScope(Node*);
</span><span class="cx"> void compileSkipScope(Node*);
</span><ins>+ void compileGetGlobalObject(Node*);
</ins><span class="cx">
</span><span class="cx"> void compileGetArrayLength(Node*);
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -2836,48 +2836,51 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case RegExpExec: {
</span><del>- if (node->child1().useKind() == RegExpObjectUse) {
- if (node->child2().useKind() == StringUse) {
- SpeculateCellOperand base(this, node->child1());
- SpeculateCellOperand argument(this, node->child2());
</del><ins>+ SpeculateCellOperand globalObject(this, node->child1());
+ GPRReg globalObjectGPR = globalObject.gpr();
+
+ if (node->child2().useKind() == RegExpObjectUse) {
+ if (node->child3().useKind() == StringUse) {
+ SpeculateCellOperand base(this, node->child2());
+ SpeculateCellOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentGPR = argument.gpr();
</span><del>- speculateRegExpObject(node->child1(), baseGPR);
- speculateString(node->child2(), argumentGPR);
</del><ins>+ speculateRegExpObject(node->child2(), baseGPR);
+ speculateString(node->child3(), argumentGPR);
</ins><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult2 resultTag(this);
</span><span class="cx"> GPRFlushedCallResult resultPayload(this);
</span><span class="cx"> callOperation(
</span><del>- operationRegExpExecString, resultTag.gpr(), resultPayload.gpr(), baseGPR,
- argumentGPR);
</del><ins>+ operationRegExpExecString, resultTag.gpr(), resultPayload.gpr(),
+ globalObjectGPR, baseGPR, argumentGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> jsValueResult(resultTag.gpr(), resultPayload.gpr(), node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- SpeculateCellOperand base(this, node->child1());
- JSValueOperand argument(this, node->child2());
</del><ins>+ SpeculateCellOperand base(this, node->child2());
+ JSValueOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentTagGPR = argument.tagGPR();
</span><span class="cx"> GPRReg argumentPayloadGPR = argument.payloadGPR();
</span><del>- speculateRegExpObject(node->child1(), baseGPR);
</del><ins>+ speculateRegExpObject(node->child2(), baseGPR);
</ins><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult2 resultTag(this);
</span><span class="cx"> GPRFlushedCallResult resultPayload(this);
</span><span class="cx"> callOperation(
</span><del>- operationRegExpExec, resultTag.gpr(), resultPayload.gpr(), baseGPR, argumentTagGPR,
- argumentPayloadGPR);
</del><ins>+ operationRegExpExec, resultTag.gpr(), resultPayload.gpr(), globalObjectGPR, baseGPR,
+ argumentTagGPR, argumentPayloadGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> jsValueResult(resultTag.gpr(), resultPayload.gpr(), node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JSValueOperand base(this, node->child1());
- JSValueOperand argument(this, node->child2());
</del><ins>+ JSValueOperand base(this, node->child2());
+ JSValueOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseTagGPR = base.tagGPR();
</span><span class="cx"> GPRReg basePayloadGPR = base.payloadGPR();
</span><span class="cx"> GPRReg argumentTagGPR = argument.tagGPR();
</span><span class="lines">@@ -2886,7 +2889,9 @@
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult2 resultTag(this);
</span><span class="cx"> GPRFlushedCallResult resultPayload(this);
</span><del>- callOperation(operationRegExpExecGeneric, resultTag.gpr(), resultPayload.gpr(), baseTagGPR, basePayloadGPR, argumentTagGPR, argumentPayloadGPR);
</del><ins>+ callOperation(
+ operationRegExpExecGeneric, resultTag.gpr(), resultPayload.gpr(), globalObjectGPR,
+ baseTagGPR, basePayloadGPR, argumentTagGPR, argumentPayloadGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> jsValueResult(resultTag.gpr(), resultPayload.gpr(), node);
</span><span class="lines">@@ -2894,43 +2899,48 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case RegExpTest: {
</span><del>- if (node->child1().useKind() == RegExpObjectUse) {
- if (node->child2().useKind() == StringUse) {
- SpeculateCellOperand base(this, node->child1());
- SpeculateCellOperand argument(this, node->child2());
</del><ins>+ SpeculateCellOperand globalObject(this, node->child1());
+ GPRReg globalObjectGPR = globalObject.gpr();
+
+ if (node->child2().useKind() == RegExpObjectUse) {
+ if (node->child3().useKind() == StringUse) {
+ SpeculateCellOperand base(this, node->child2());
+ SpeculateCellOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentGPR = argument.gpr();
</span><del>- speculateRegExpObject(node->child1(), baseGPR);
- speculateString(node->child2(), argumentGPR);
</del><ins>+ speculateRegExpObject(node->child2(), baseGPR);
+ speculateString(node->child3(), argumentGPR);
</ins><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult result(this);
</span><del>- callOperation(operationRegExpTestString, result.gpr(), baseGPR, argumentGPR);
</del><ins>+ callOperation(
+ operationRegExpTestString, result.gpr(), globalObjectGPR, baseGPR, argumentGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> booleanResult(result.gpr(), node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- SpeculateCellOperand base(this, node->child1());
- JSValueOperand argument(this, node->child2());
</del><ins>+ SpeculateCellOperand base(this, node->child2());
+ JSValueOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentTagGPR = argument.tagGPR();
</span><span class="cx"> GPRReg argumentPayloadGPR = argument.payloadGPR();
</span><del>- speculateRegExpObject(node->child1(), baseGPR);
</del><ins>+ speculateRegExpObject(node->child2(), baseGPR);
</ins><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult result(this);
</span><span class="cx"> callOperation(
</span><del>- operationRegExpTest, result.gpr(), baseGPR, argumentTagGPR, argumentPayloadGPR);
</del><ins>+ operationRegExpTest, result.gpr(), globalObjectGPR, baseGPR, argumentTagGPR,
+ argumentPayloadGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> booleanResult(result.gpr(), node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JSValueOperand base(this, node->child1());
- JSValueOperand argument(this, node->child2());
</del><ins>+ JSValueOperand base(this, node->child2());
+ JSValueOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseTagGPR = base.tagGPR();
</span><span class="cx"> GPRReg basePayloadGPR = base.payloadGPR();
</span><span class="cx"> GPRReg argumentTagGPR = argument.tagGPR();
</span><span class="lines">@@ -2938,7 +2948,9 @@
</span><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult result(this);
</span><del>- callOperation(operationRegExpTestGeneric, result.gpr(), baseTagGPR, basePayloadGPR, argumentTagGPR, argumentPayloadGPR);
</del><ins>+ callOperation(
+ operationRegExpTestGeneric, result.gpr(), globalObjectGPR, baseTagGPR, basePayloadGPR,
+ argumentTagGPR, argumentPayloadGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> booleanResult(result.gpr(), node);
</span><span class="lines">@@ -3899,6 +3911,10 @@
</span><span class="cx"> compileSkipScope(node);
</span><span class="cx"> break;
</span><span class="cx">
</span><ins>+ case GetGlobalObject:
+ compileGetGlobalObject(node);
+ break;
+
</ins><span class="cx"> case GetClosureVar: {
</span><span class="cx"> SpeculateCellOperand base(this, node->child1());
</span><span class="cx"> GPRTemporary resultTag(this);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -2962,47 +2962,50 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case RegExpExec: {
</span><del>- if (node->child1().useKind() == RegExpObjectUse) {
- if (node->child2().useKind() == StringUse) {
- SpeculateCellOperand base(this, node->child1());
- SpeculateCellOperand argument(this, node->child2());
</del><ins>+ SpeculateCellOperand globalObject(this, node->child1());
+ GPRReg globalObjectGPR = globalObject.gpr();
+
+ if (node->child2().useKind() == RegExpObjectUse) {
+ if (node->child3().useKind() == StringUse) {
+ SpeculateCellOperand base(this, node->child2());
+ SpeculateCellOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentGPR = argument.gpr();
</span><del>- speculateRegExpObject(node->child1(), baseGPR);
- speculateString(node->child2(), argumentGPR);
</del><ins>+ speculateRegExpObject(node->child2(), baseGPR);
+ speculateString(node->child3(), argumentGPR);
</ins><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult result(this);
</span><del>- callOperation(operationRegExpExecString, result.gpr(), baseGPR, argumentGPR);
</del><ins>+ callOperation(operationRegExpExecString, result.gpr(), globalObjectGPR, baseGPR, argumentGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> jsValueResult(result.gpr(), node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- SpeculateCellOperand base(this, node->child1());
- JSValueOperand argument(this, node->child2());
</del><ins>+ SpeculateCellOperand base(this, node->child2());
+ JSValueOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentGPR = argument.gpr();
</span><del>- speculateRegExpObject(node->child1(), baseGPR);
</del><ins>+ speculateRegExpObject(node->child2(), baseGPR);
</ins><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult result(this);
</span><del>- callOperation(operationRegExpExec, result.gpr(), baseGPR, argumentGPR);
</del><ins>+ callOperation(operationRegExpExec, result.gpr(), globalObjectGPR, baseGPR, argumentGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> jsValueResult(result.gpr(), node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JSValueOperand base(this, node->child1());
- JSValueOperand argument(this, node->child2());
</del><ins>+ JSValueOperand base(this, node->child2());
+ JSValueOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentGPR = argument.gpr();
</span><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult result(this);
</span><del>- callOperation(operationRegExpExecGeneric, result.gpr(), baseGPR, argumentGPR);
</del><ins>+ callOperation(operationRegExpExecGeneric, result.gpr(), globalObjectGPR, baseGPR, argumentGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> jsValueResult(result.gpr(), node);
</span><span class="lines">@@ -3010,18 +3013,21 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case RegExpTest: {
</span><del>- if (node->child1().useKind() == RegExpObjectUse) {
- if (node->child2().useKind() == StringUse) {
- SpeculateCellOperand base(this, node->child1());
- SpeculateCellOperand argument(this, node->child2());
</del><ins>+ SpeculateCellOperand globalObject(this, node->child1());
+ GPRReg globalObjectGPR = globalObject.gpr();
+
+ if (node->child2().useKind() == RegExpObjectUse) {
+ if (node->child3().useKind() == StringUse) {
+ SpeculateCellOperand base(this, node->child2());
+ SpeculateCellOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentGPR = argument.gpr();
</span><del>- speculateRegExpObject(node->child1(), baseGPR);
- speculateString(node->child2(), argumentGPR);
</del><ins>+ speculateRegExpObject(node->child2(), baseGPR);
+ speculateString(node->child3(), argumentGPR);
</ins><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult result(this);
</span><del>- callOperation(operationRegExpTestString, result.gpr(), baseGPR, argumentGPR);
</del><ins>+ callOperation(operationRegExpTestString, result.gpr(), globalObjectGPR, baseGPR, argumentGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
</span><span class="lines">@@ -3029,15 +3035,15 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- SpeculateCellOperand base(this, node->child1());
- JSValueOperand argument(this, node->child2());
</del><ins>+ SpeculateCellOperand base(this, node->child2());
+ JSValueOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentGPR = argument.gpr();
</span><del>- speculateRegExpObject(node->child1(), baseGPR);
</del><ins>+ speculateRegExpObject(node->child2(), baseGPR);
</ins><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult result(this);
</span><del>- callOperation(operationRegExpTest, result.gpr(), baseGPR, argumentGPR);
</del><ins>+ callOperation(operationRegExpTest, result.gpr(), globalObjectGPR, baseGPR, argumentGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
</span><span class="lines">@@ -3045,14 +3051,14 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JSValueOperand base(this, node->child1());
- JSValueOperand argument(this, node->child2());
</del><ins>+ JSValueOperand base(this, node->child2());
+ JSValueOperand argument(this, node->child3());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx"> GPRReg argumentGPR = argument.gpr();
</span><span class="cx">
</span><span class="cx"> flushRegisters();
</span><span class="cx"> GPRFlushedCallResult result(this);
</span><del>- callOperation(operationRegExpTestGeneric, result.gpr(), baseGPR, argumentGPR);
</del><ins>+ callOperation(operationRegExpTestGeneric, result.gpr(), globalObjectGPR, baseGPR, argumentGPR);
</ins><span class="cx"> m_jit.exceptionCheck();
</span><span class="cx">
</span><span class="cx"> m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
</span><span class="lines">@@ -3928,6 +3934,10 @@
</span><span class="cx"> case SkipScope:
</span><span class="cx"> compileSkipScope(node);
</span><span class="cx"> break;
</span><ins>+
+ case GetGlobalObject:
+ compileGetGlobalObject(node);
+ break;
</ins><span class="cx">
</span><span class="cx"> case GetClosureVar: {
</span><span class="cx"> SpeculateCellOperand base(this, node->child1());
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGStructureRegistrationPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -149,7 +149,7 @@
</span><span class="cx"> case NewGeneratorFunction:
</span><span class="cx"> registerStructure(m_graph.globalObjectFor(node->origin.semantic)->generatorFunctionStructure());
</span><span class="cx"> break;
</span><del>-
</del><ins>+
</ins><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -111,6 +111,7 @@
</span><span class="cx"> case ExtractOSREntryLocal:
</span><span class="cx"> case LoopHint:
</span><span class="cx"> case SkipScope:
</span><ins>+ case GetGlobalObject:
</ins><span class="cx"> case CreateActivation:
</span><span class="cx"> case NewArrowFunction:
</span><span class="cx"> case NewFunction:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -748,6 +748,9 @@
</span><span class="cx"> case SkipScope:
</span><span class="cx"> compileSkipScope();
</span><span class="cx"> break;
</span><ins>+ case GetGlobalObject:
+ compileGetGlobalObject();
+ break;
</ins><span class="cx"> case GetClosureVar:
</span><span class="cx"> compileGetClosureVar();
</span><span class="cx"> break;
</span><span class="lines">@@ -4475,6 +4478,12 @@
</span><span class="cx"> {
</span><span class="cx"> setJSValue(m_out.loadPtr(lowCell(m_node->child1()), m_heaps.JSScope_next));
</span><span class="cx"> }
</span><ins>+
+ void compileGetGlobalObject()
+ {
+ LValue structure = loadStructure(lowCell(m_node->child1()));
+ setJSValue(m_out.loadPtr(structure, m_heaps.Structure_globalObject));
+ }
</ins><span class="cx">
</span><span class="cx"> void compileGetClosureVar()
</span><span class="cx"> {
</span><span class="lines">@@ -6440,52 +6449,66 @@
</span><span class="cx">
</span><span class="cx"> void compileRegExpExec()
</span><span class="cx"> {
</span><del>- if (m_node->child1().useKind() == RegExpObjectUse) {
- LValue base = lowRegExpObject(m_node->child1());
</del><ins>+ LValue globalObject = lowCell(m_node->child1());
+
+ if (m_node->child2().useKind() == RegExpObjectUse) {
+ LValue base = lowRegExpObject(m_node->child2());
</ins><span class="cx">
</span><del>- if (m_node->child2().useKind() == StringUse) {
- LValue argument = lowString(m_node->child2());
</del><ins>+ if (m_node->child3().useKind() == StringUse) {
+ LValue argument = lowString(m_node->child3());
</ins><span class="cx"> LValue result = vmCall(
</span><del>- Int64, m_out.operation(operationRegExpExecString), m_callFrame, base, argument);
</del><ins>+ Int64, m_out.operation(operationRegExpExecString), m_callFrame, globalObject,
+ base, argument);
</ins><span class="cx"> setJSValue(result);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LValue argument = lowJSValue(m_node->child2());
- setJSValue(
- vmCall(Int64, m_out.operation(operationRegExpExec), m_callFrame, base, argument));
</del><ins>+ LValue argument = lowJSValue(m_node->child3());
+ LValue result = vmCall(
+ Int64, m_out.operation(operationRegExpExec), m_callFrame, globalObject, base,
+ argument);
+ setJSValue(result);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LValue base = lowJSValue(m_node->child1());
- LValue argument = lowJSValue(m_node->child2());
- setJSValue(
- vmCall(Int64, m_out.operation(operationRegExpExecGeneric), m_callFrame, base, argument));
</del><ins>+ LValue base = lowJSValue(m_node->child2());
+ LValue argument = lowJSValue(m_node->child3());
+ LValue result = vmCall(
+ Int64, m_out.operation(operationRegExpExecGeneric), m_callFrame, globalObject, base,
+ argument);
+ setJSValue(result);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void compileRegExpTest()
</span><span class="cx"> {
</span><del>- if (m_node->child1().useKind() == RegExpObjectUse) {
- LValue base = lowRegExpObject(m_node->child1());
</del><ins>+ LValue globalObject = lowCell(m_node->child1());
+
+ if (m_node->child2().useKind() == RegExpObjectUse) {
+ LValue base = lowRegExpObject(m_node->child2());
</ins><span class="cx">
</span><del>- if (m_node->child2().useKind() == StringUse) {
- LValue argument = lowString(m_node->child2());
</del><ins>+ if (m_node->child3().useKind() == StringUse) {
+ LValue argument = lowString(m_node->child3());
</ins><span class="cx"> LValue result = vmCall(
</span><del>- Int32, m_out.operation(operationRegExpTestString), m_callFrame, base, argument);
</del><ins>+ Int32, m_out.operation(operationRegExpTestString), m_callFrame, globalObject,
+ base, argument);
</ins><span class="cx"> setBoolean(result);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LValue argument = lowJSValue(m_node->child2());
- setBoolean(
- vmCall(Int32, m_out.operation(operationRegExpTest), m_callFrame, base, argument));
</del><ins>+ LValue argument = lowJSValue(m_node->child3());
+ LValue result = vmCall(
+ Int32, m_out.operation(operationRegExpTest), m_callFrame, globalObject, base,
+ argument);
+ setBoolean(result);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LValue base = lowJSValue(m_node->child1());
- LValue argument = lowJSValue(m_node->child2());
- setBoolean(
- vmCall(Int32, m_out.operation(operationRegExpTestGeneric), m_callFrame, base, argument));
</del><ins>+ LValue base = lowJSValue(m_node->child2());
+ LValue argument = lowJSValue(m_node->child3());
+ LValue result = vmCall(
+ Int32, m_out.operation(operationRegExpTestGeneric), m_callFrame, globalObject, base,
+ argument);
+ setBoolean(result);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void compileNewRegexp()
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/jit/JITOperations.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/jit/JITOperations.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/jit/JITOperations.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -122,6 +122,9 @@
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_ECZ)(ExecState*, JSCell*, int32_t);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EDA)(ExecState*, double, JSArray*);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EE)(ExecState*, ExecState*);
</span><ins>+typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EGReoJ)(ExecState*, JSGlobalObject*, RegExpObject*, EncodedJSValue);
+typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EGReoJss)(ExecState*, JSGlobalObject*, RegExpObject*, JSString*);
+typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EGJJ)(ExecState*, JSGlobalObject*, EncodedJSValue, EncodedJSValue);
</ins><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EI)(ExecState*, UniquedStringImpl*);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJ)(ExecState*, EncodedJSValue);
</span><span class="cx"> typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJZ)(ExecState*, EncodedJSValue, int32_t);
</span><span class="lines">@@ -201,6 +204,9 @@
</span><span class="cx"> typedef int32_t JIT_OPERATION (*Z_JITOperation_EJZZ)(ExecState*, EncodedJSValue, int32_t, int32_t);
</span><span class="cx"> typedef size_t JIT_OPERATION (*S_JITOperation_ECC)(ExecState*, JSCell*, JSCell*);
</span><span class="cx"> typedef size_t JIT_OPERATION (*S_JITOperation_EGC)(ExecState*, JSGlobalObject*, JSCell*);
</span><ins>+typedef size_t JIT_OPERATION (*S_JITOperation_EGJJ)(ExecState*, JSGlobalObject*, EncodedJSValue, EncodedJSValue);
+typedef size_t JIT_OPERATION (*S_JITOperation_EGReoJ)(ExecState*, JSGlobalObject*, RegExpObject*, EncodedJSValue);
+typedef size_t JIT_OPERATION (*S_JITOperation_EGReoJss)(ExecState*, JSGlobalObject*, RegExpObject*, JSString*);
</ins><span class="cx"> typedef size_t JIT_OPERATION (*S_JITOperation_EJ)(ExecState*, EncodedJSValue);
</span><span class="cx"> typedef size_t JIT_OPERATION (*S_JITOperation_EJJ)(ExecState*, EncodedJSValue, EncodedJSValue);
</span><span class="cx"> typedef size_t JIT_OPERATION (*S_JITOperation_EOJss)(ExecState*, JSObject*, JSString*);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2007, 2008, 2009, 2014, 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2007, 2008, 2009, 2014-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2008 Cameron Zwarich (cwzwarich@uwaterloo.ca)
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="lines">@@ -364,7 +364,8 @@
</span><span class="cx">
</span><span class="cx"> m_regExpPrototype.set(vm, this, RegExpPrototype::create(vm, this, RegExpPrototype::createStructure(vm, this, m_objectPrototype.get()), emptyRegex));
</span><span class="cx"> m_regExpStructure.set(vm, this, RegExpObject::createStructure(vm, this, m_regExpPrototype.get()));
</span><del>- m_regExpMatchesArrayStructure.set(vm, this, createRegExpMatchesArrayStructure(vm, *this));
</del><ins>+ m_regExpMatchesArrayStructure.set(vm, this, createRegExpMatchesArrayStructure(vm, this));
+ m_regExpMatchesArraySlowPutStructure.set(vm, this, createRegExpMatchesArraySlowPutStructure(vm, this));
</ins><span class="cx">
</span><span class="cx"> m_moduleRecordStructure.set(vm, this, JSModuleRecord::createStructure(vm, this, m_objectPrototype.get()));
</span><span class="cx"> m_moduleNamespaceObjectStructure.set(vm, this, JSModuleNamespaceObject::createStructure(vm, this, jsNull()));
</span><span class="lines">@@ -757,6 +758,9 @@
</span><span class="cx"> // this object now load a structure that uses SlowPut.
</span><span class="cx"> for (unsigned i = 0; i < NumberOfIndexingShapes; ++i)
</span><span class="cx"> m_arrayStructureForIndexingShapeDuringAllocation[i].set(vm, this, originalArrayStructureForIndexingType(ArrayWithSlowPutArrayStorage));
</span><ins>+
+ // Same for any special array structures.
+ m_regExpMatchesArrayStructure.set(vm, this, m_regExpMatchesArraySlowPutStructure.get());
</ins><span class="cx">
</span><span class="cx"> // Make sure that all objects that have indexed storage switch to the slow kind of
</span><span class="cx"> // indexed storage.
</span><span class="lines">@@ -896,6 +900,7 @@
</span><span class="cx"> visitor.append(&thisObject->m_generatorFunctionStructure);
</span><span class="cx"> visitor.append(&thisObject->m_iteratorResultObjectStructure);
</span><span class="cx"> visitor.append(&thisObject->m_regExpMatchesArrayStructure);
</span><ins>+ visitor.append(&thisObject->m_regExpMatchesArraySlowPutStructure);
</ins><span class="cx"> visitor.append(&thisObject->m_moduleRecordStructure);
</span><span class="cx"> visitor.append(&thisObject->m_moduleNamespaceObjectStructure);
</span><span class="cx"> visitor.append(&thisObject->m_consoleStructure);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSGlobalObjecth"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSGlobalObject.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSGlobalObject.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSGlobalObject.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 2007 Eric Seidel <eric@webkit.org>
</span><del>- * Copyright (C) 2007, 2008, 2009, 2014, 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2007, 2008, 2009, 2014-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Library General Public
</span><span class="lines">@@ -275,6 +275,7 @@
</span><span class="cx"> WriteBarrier<Structure> m_internalFunctionStructure;
</span><span class="cx"> WriteBarrier<Structure> m_iteratorResultObjectStructure;
</span><span class="cx"> WriteBarrier<Structure> m_regExpMatchesArrayStructure;
</span><ins>+ WriteBarrier<Structure> m_regExpMatchesArraySlowPutStructure;
</ins><span class="cx"> WriteBarrier<Structure> m_moduleRecordStructure;
</span><span class="cx"> WriteBarrier<Structure> m_moduleNamespaceObjectStructure;
</span><span class="cx"> WriteBarrier<Structure> m_proxyObjectStructure;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSObject.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSObject.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSObject.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1342,7 +1342,7 @@
</span><span class="cx"> // we want.
</span><span class="cx"> DeferredStructureTransitionWatchpointFire deferredWatchpointFire;
</span><span class="cx">
</span><del>- newStructure = Structure::addPropertyTransition(
</del><ins>+ newStructure = Structure::addNewPropertyTransition(
</ins><span class="cx"> vm, structure, propertyName, attributes, offset, slot.context(), &deferredWatchpointFire);
</span><span class="cx"> newStructure->willStoreValueForNewTransition(
</span><span class="cx"> vm, propertyName, value, slot.context() == PutPropertySlot::PutById);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSStringh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSString.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSString.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSString.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
</span><span class="cx"> * Copyright (C) 2001 Peter Kelly (pmk@post.com)
</span><del>- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2014, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Library General Public
</span><span class="lines">@@ -293,28 +293,27 @@
</span><span class="cx"> fiber(2).set(vm, this, s3);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void finishCreation(ExecState& exec, JSString& base, unsigned offset, unsigned length)
</del><ins>+ void finishCreation(VM& vm, ExecState* exec, JSString* base, unsigned offset, unsigned length)
</ins><span class="cx"> {
</span><del>- VM& vm = exec.vm();
</del><span class="cx"> Base::finishCreation(vm);
</span><span class="cx"> ASSERT(!sumOverflows<int32_t>(offset, length));
</span><del>- ASSERT(offset + length <= base.length());
</del><ins>+ ASSERT(offset + length <= base->length());
</ins><span class="cx"> m_length = length;
</span><del>- setIs8Bit(base.is8Bit());
</del><ins>+ setIs8Bit(base->is8Bit());
</ins><span class="cx"> setIsSubstring(true);
</span><del>- if (base.isSubstring()) {
- JSRopeString& baseRope = static_cast<JSRopeString&>(base);
- substringBase().set(vm, this, baseRope.substringBase().get());
- substringOffset() = baseRope.substringOffset() + offset;
</del><ins>+ if (base->isSubstring()) {
+ JSRopeString* baseRope = jsCast<JSRopeString*>(base);
+ substringBase().set(vm, this, baseRope->substringBase().get());
+ substringOffset() = baseRope->substringOffset() + offset;
</ins><span class="cx"> } else {
</span><del>- substringBase().set(vm, this, &base);
</del><ins>+ substringBase().set(vm, this, base);
</ins><span class="cx"> substringOffset() = offset;
</span><span class="cx">
</span><span class="cx"> // For now, let's not allow substrings with a rope base.
</span><span class="cx"> // Resolve non-substring rope bases so we don't have to deal with it.
</span><span class="cx"> // FIXME: Evaluate if this would be worth adding more branches.
</span><del>- if (base.isRope())
- static_cast<JSRopeString&>(base).resolveRope(&exec);
</del><ins>+ if (base->isRope())
+ jsCast<JSRopeString*>(base)->resolveRope(exec);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -356,10 +355,10 @@
</span><span class="cx"> return newString;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- static JSString* create(ExecState& exec, JSString& base, unsigned offset, unsigned length)
</del><ins>+ static JSString* create(VM& vm, ExecState* exec, JSString* base, unsigned offset, unsigned length)
</ins><span class="cx"> {
</span><del>- JSRopeString* newString = new (NotNull, allocateCell<JSRopeString>(exec.vm().heap)) JSRopeString(exec.vm());
- newString->finishCreation(exec, base, offset, length);
</del><ins>+ JSRopeString* newString = new (NotNull, allocateCell<JSRopeString>(vm.heap)) JSRopeString(vm);
+ newString->finishCreation(vm, exec, base, offset, length);
</ins><span class="cx"> return newString;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -542,19 +541,23 @@
</span><span class="cx"> return JSString::create(*vm, s.impl());
</span><span class="cx"> }
</span><span class="cx">
</span><del>-inline JSString* jsSubstring(ExecState* exec, JSString* s, unsigned offset, unsigned length)
</del><ins>+inline JSString* jsSubstring(VM& vm, ExecState* exec, JSString* s, unsigned offset, unsigned length)
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(offset <= static_cast<unsigned>(s->length()));
</span><span class="cx"> ASSERT(length <= static_cast<unsigned>(s->length()));
</span><span class="cx"> ASSERT(offset + length <= static_cast<unsigned>(s->length()));
</span><del>- VM& vm = exec->vm();
</del><span class="cx"> if (!length)
</span><span class="cx"> return vm.smallStrings.emptyString();
</span><span class="cx"> if (!offset && length == s->length())
</span><span class="cx"> return s;
</span><del>- return JSRopeString::create(*exec, *s, offset, length);
</del><ins>+ return JSRopeString::create(vm, exec, s, offset, length);
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+inline JSString* jsSubstring(ExecState* exec, JSString* s, unsigned offset, unsigned length)
+{
+ return jsSubstring(exec->vm(), exec, s, offset, length);
+}
+
</ins><span class="cx"> inline JSString* jsSubstring(VM* vm, const String& s, unsigned offset, unsigned length)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(offset <= static_cast<unsigned>(s.length()));
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpCachedResultcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpCachedResult.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpCachedResult.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpCachedResult.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -45,7 +45,7 @@
</span><span class="cx"> {
</span><span class="cx"> if (!m_reified) {
</span><span class="cx"> m_reifiedInput.set(exec->vm(), owner, m_lastInput.get());
</span><del>- m_reifiedResult.set(exec->vm(), owner, createRegExpMatchesArray(exec, m_lastInput.get(), m_lastRegExp.get(), m_result));
</del><ins>+ m_reifiedResult.set(exec->vm(), owner, createRegExpMatchesArray(exec, exec->lexicalGlobalObject(), m_lastInput.get(), m_lastRegExp.get(), m_result));
</ins><span class="cx"> m_reified = true;
</span><span class="cx"> }
</span><span class="cx"> return m_reifiedResult.get();
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpMatchesArraycpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpMatchesArray.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpMatchesArray.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpMatchesArray.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -50,31 +50,57 @@
</span><span class="cx"> return JSArray::createWithButterfly(vm, structure, butterfly);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JSArray* createRegExpMatchesArray(ExecState* exec, JSString* input, RegExp* regExp, MatchResult result)
</del><ins>+JSArray* createRegExpMatchesArray(
+ ExecState* exec, JSGlobalObject* globalObject, JSString* input, RegExp* regExp,
+ MatchResult result)
</ins><span class="cx"> {
</span><ins>+ SamplingRegion samplingRegion("createRegExpMatchesArray");
+
</ins><span class="cx"> ASSERT(result);
</span><del>- VM& vm = exec->vm();
- JSArray* array = tryCreateUninitializedRegExpMatchesArray(vm, exec->lexicalGlobalObject()->regExpMatchesArrayStructure(), regExp->numSubpatterns() + 1);
- RELEASE_ASSERT(array);
</del><ins>+ VM& vm = globalObject->vm();
</ins><span class="cx">
</span><del>- SamplingRegion samplingRegion("Reifying substring properties");
-
- array->initializeIndex(vm, 0, jsSubstring(exec, input, result.start, result.end - result.start), ArrayWithContiguous);
-
- if (unsigned numSubpatterns = regExp->numSubpatterns()) {
- Vector<int, 32> subpatternResults;
- int position = regExp->match(vm, input->value(exec), result.start, subpatternResults);
- ASSERT_UNUSED(position, position >= 0 && static_cast<size_t>(position) == result.start);
- ASSERT(result.start == static_cast<size_t>(subpatternResults[0]));
- ASSERT(result.end == static_cast<size_t>(subpatternResults[1]));
-
- for (unsigned i = 1; i <= numSubpatterns; ++i) {
- int start = subpatternResults[2 * i];
- if (start >= 0)
- array->initializeIndex(vm, i, jsSubstring(exec, input, start, subpatternResults[2 * i + 1] - start), ArrayWithContiguous);
- else
- array->initializeIndex(vm, i, jsUndefined(), ArrayWithContiguous);
</del><ins>+ JSArray* array;
+ if (UNLIKELY(globalObject->isHavingABadTime())) {
+ array = JSArray::tryCreateUninitialized(vm, globalObject->regExpMatchesArrayStructure(), regExp->numSubpatterns() + 1);
+
+ array->initializeIndex(vm, 0, jsSubstring(vm, exec, input, result.start, result.end - result.start));
+
+ if (unsigned numSubpatterns = regExp->numSubpatterns()) {
+ Vector<int, 32> subpatternResults;
+ int position = regExp->match(vm, input->value(exec), result.start, subpatternResults);
+ ASSERT_UNUSED(position, position >= 0 && static_cast<size_t>(position) == result.start);
+ ASSERT(result.start == static_cast<size_t>(subpatternResults[0]));
+ ASSERT(result.end == static_cast<size_t>(subpatternResults[1]));
+
+ for (unsigned i = 1; i <= numSubpatterns; ++i) {
+ int start = subpatternResults[2 * i];
+ if (start >= 0)
+ array->initializeIndex(vm, i, jsSubstring(vm, exec, input, start, subpatternResults[2 * i + 1] - start));
+ else
+ array->initializeIndex(vm, i, jsUndefined());
+ }
</ins><span class="cx"> }
</span><ins>+ } else {
+ array = tryCreateUninitializedRegExpMatchesArray(vm, globalObject->regExpMatchesArrayStructure(), regExp->numSubpatterns() + 1);
+ RELEASE_ASSERT(array);
+
+ array->initializeIndex(vm, 0, jsSubstring(vm, exec, input, result.start, result.end - result.start), ArrayWithContiguous);
+
+ if (unsigned numSubpatterns = regExp->numSubpatterns()) {
+ Vector<int, 32> subpatternResults;
+ int position = regExp->match(vm, input->value(exec), result.start, subpatternResults);
+ ASSERT_UNUSED(position, position >= 0 && static_cast<size_t>(position) == result.start);
+ ASSERT(result.start == static_cast<size_t>(subpatternResults[0]));
+ ASSERT(result.end == static_cast<size_t>(subpatternResults[1]));
+
+ for (unsigned i = 1; i <= numSubpatterns; ++i) {
+ int start = subpatternResults[2 * i];
+ if (start >= 0)
+ array->initializeIndex(vm, i, jsSubstring(vm, exec, input, start, subpatternResults[2 * i + 1] - start), ArrayWithContiguous);
+ else
+ array->initializeIndex(vm, i, jsUndefined(), ArrayWithContiguous);
+ }
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> array->putDirect(vm, indexPropertyOffset, jsNumber(result.start));
</span><span class="lines">@@ -83,15 +109,25 @@
</span><span class="cx"> return array;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Structure* createRegExpMatchesArrayStructure(VM& vm, JSGlobalObject& globalObject)
</del><ins>+static Structure* createStructureImpl(VM& vm, JSGlobalObject* globalObject, IndexingType indexingType)
</ins><span class="cx"> {
</span><del>- Structure* structure = globalObject.arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous);
</del><ins>+ Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType);
</ins><span class="cx"> PropertyOffset offset;
</span><del>- structure = structure->addPropertyTransition(vm, structure, vm.propertyNames->index, 0, offset);
</del><ins>+ structure = Structure::addPropertyTransition(vm, structure, vm.propertyNames->index, 0, offset);
</ins><span class="cx"> ASSERT(offset == indexPropertyOffset);
</span><del>- structure = structure->addPropertyTransition(vm, structure, vm.propertyNames->input, 0, offset);
</del><ins>+ structure = Structure::addPropertyTransition(vm, structure, vm.propertyNames->input, 0, offset);
</ins><span class="cx"> ASSERT(offset == inputPropertyOffset);
</span><span class="cx"> return structure;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+Structure* createRegExpMatchesArrayStructure(VM& vm, JSGlobalObject* globalObject)
+{
+ return createStructureImpl(vm, globalObject, ArrayWithContiguous);
+}
+
+Structure* createRegExpMatchesArraySlowPutStructure(VM& vm, JSGlobalObject* globalObject)
+{
+ return createStructureImpl(vm, globalObject, ArrayWithSlowPutArrayStorage);
+}
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpMatchesArrayh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpMatchesArray.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpMatchesArray.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpMatchesArray.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2008 Apple Inc. All Rights Reserved.
</del><ins>+ * Copyright (C) 2008, 2016 Apple Inc. All Rights Reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -26,8 +26,9 @@
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><del>-JSArray* createRegExpMatchesArray(ExecState*, JSString*, RegExp*, MatchResult);
-Structure* createRegExpMatchesArrayStructure(VM&, JSGlobalObject&);
</del><ins>+JSArray* createRegExpMatchesArray(ExecState*, JSGlobalObject*, JSString*, RegExp*, MatchResult);
+Structure* createRegExpMatchesArrayStructure(VM&, JSGlobalObject*);
+Structure* createRegExpMatchesArraySlowPutStructure(VM&, JSGlobalObject*);
</ins><span class="cx">
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpObjectcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2003, 2007, 2008, 2012 Apple Inc. All Rights Reserved.
</del><ins>+ * Copyright (C) 2003, 2007, 2008, 2012, 2016 Apple Inc. All Rights Reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -159,20 +159,20 @@
</span><span class="cx"> Base::put(cell, exec, propertyName, value, slot);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JSValue RegExpObject::exec(ExecState* exec, JSString* string)
</del><ins>+JSValue RegExpObject::exec(ExecState* exec, JSGlobalObject* globalObject, JSString* string)
</ins><span class="cx"> {
</span><del>- if (MatchResult result = match(exec, string))
- return createRegExpMatchesArray(exec, string, regExp(), result);
</del><ins>+ if (MatchResult result = match(exec, globalObject, string))
+ return createRegExpMatchesArray(exec, globalObject, string, regExp(), result);
</ins><span class="cx"> return jsNull();
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Shared implementation used by test and exec.
</span><del>-MatchResult RegExpObject::match(ExecState* exec, JSString* string)
</del><ins>+MatchResult RegExpObject::match(ExecState* exec, JSGlobalObject* globalObject, JSString* string)
</ins><span class="cx"> {
</span><span class="cx"> RegExp* regExp = this->regExp();
</span><del>- RegExpConstructor* regExpConstructor = exec->lexicalGlobalObject()->regExpConstructor();
</del><ins>+ RegExpConstructor* regExpConstructor = globalObject->regExpConstructor();
</ins><span class="cx"> String input = string->value(exec);
</span><del>- VM& vm = exec->vm();
</del><ins>+ VM& vm = globalObject->vm();
</ins><span class="cx"> if (!regExp->global())
</span><span class="cx"> return regExpConstructor->performMatch(vm, regExp, string, input, 0);
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpObjecth"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpObject.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -66,8 +66,8 @@
</span><span class="cx"> return m_lastIndex.get();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool test(ExecState* exec, JSString* string) { return match(exec, string); }
- JSValue exec(ExecState*, JSString*);
</del><ins>+ bool test(ExecState* exec, JSGlobalObject* globalObject, JSString* string) { return match(exec, globalObject, string); }
+ JSValue exec(ExecState*, JSGlobalObject*, JSString*);
</ins><span class="cx">
</span><span class="cx"> static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
</span><span class="cx"> static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
</span><span class="lines">@@ -102,7 +102,7 @@
</span><span class="cx"> JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- MatchResult match(ExecState*, JSString*);
</del><ins>+ MatchResult match(ExecState*, JSGlobalObject*, JSString*);
</ins><span class="cx">
</span><span class="cx"> WriteBarrier<RegExp> m_regExp;
</span><span class="cx"> WriteBarrier<Unknown> m_lastIndex;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeRegExpPrototypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpPrototype.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpPrototype.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/RegExpPrototype.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2003, 2007, 2008 Apple Inc. All Rights Reserved.
</del><ins>+ * Copyright (C) 2003, 2007, 2008, 2016 Apple Inc. All Rights Reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -100,7 +100,7 @@
</span><span class="cx"> JSString* string = exec->argument(0).toStringOrNull(exec);
</span><span class="cx"> if (!string)
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><del>- return JSValue::encode(jsBoolean(asRegExpObject(thisValue)->test(exec, string)));
</del><ins>+ return JSValue::encode(jsBoolean(asRegExpObject(thisValue)->test(exec, exec->lexicalGlobalObject(), string)));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL regExpProtoFuncExec(ExecState* exec)
</span><span class="lines">@@ -111,7 +111,7 @@
</span><span class="cx"> JSString* string = exec->argument(0).toStringOrNull(exec);
</span><span class="cx"> if (!string)
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><del>- return JSValue::encode(asRegExpObject(thisValue)->exec(exec, string));
</del><ins>+ return JSValue::encode(asRegExpObject(thisValue)->exec(exec, exec->lexicalGlobalObject(), string));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL regExpProtoFuncCompile(ExecState* exec)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStringPrototypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/StringPrototype.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1035,7 +1035,8 @@
</span><span class="cx"> return throwVMTypeError(exec);
</span><span class="cx"> JSString* string = thisValue.toString(exec);
</span><span class="cx"> String s = string->value(exec);
</span><del>- VM* vm = &exec->vm();
</del><ins>+ JSGlobalObject* globalObject = exec->lexicalGlobalObject();
+ VM* vm = &globalObject->vm();
</ins><span class="cx">
</span><span class="cx"> JSValue a0 = exec->argument(0);
</span><span class="cx">
</span><span class="lines">@@ -1067,11 +1068,11 @@
</span><span class="cx"> if (!regExp->isValid())
</span><span class="cx"> return throwVMError(exec, createSyntaxError(exec, regExp->errorMessage()));
</span><span class="cx"> }
</span><del>- RegExpConstructor* regExpConstructor = exec->lexicalGlobalObject()->regExpConstructor();
</del><ins>+ RegExpConstructor* regExpConstructor = globalObject->regExpConstructor();
</ins><span class="cx"> MatchResult result = regExpConstructor->performMatch(*vm, regExp, string, s, 0);
</span><span class="cx"> // case without 'g' flag is handled like RegExp.prototype.exec
</span><span class="cx"> if (!global)
</span><del>- return JSValue::encode(result ? createRegExpMatchesArray(exec, string, regExp, result) : jsNull());
</del><ins>+ return JSValue::encode(result ? createRegExpMatchesArray(exec, globalObject, string, regExp, result) : jsNull());
</ins><span class="cx">
</span><span class="cx"> // return array of matches
</span><span class="cx"> MarkedArgumentBuffer list;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStructurecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Structure.cpp (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Structure.cpp 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Structure.cpp 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2008, 2009, 2013-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2008, 2009, 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -443,8 +443,19 @@
</span><span class="cx"> return AllocateArrayStorage;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Structure* Structure::addPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset, PutPropertySlot::Context context, DeferredStructureTransitionWatchpointFire* deferred)
</del><ins>+Structure* Structure::addPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset)
</ins><span class="cx"> {
</span><ins>+ Structure* newStructure = addPropertyTransitionToExistingStructure(
+ structure, propertyName, attributes, offset);
+ if (newStructure)
+ return newStructure;
+
+ return addNewPropertyTransition(
+ vm, structure, propertyName, attributes, offset, PutPropertySlot::UnknownContext);
+}
+
+Structure* Structure::addNewPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, PropertyOffset& offset, PutPropertySlot::Context context, DeferredStructureTransitionWatchpointFire* deferred)
+{
</ins><span class="cx"> ASSERT(!structure->isDictionary());
</span><span class="cx"> ASSERT(structure->isObject());
</span><span class="cx"> ASSERT(!Structure::addPropertyTransitionToExistingStructure(structure, propertyName, attributes, offset));
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeStructureh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Structure.h (197847 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Structure.h 2016-03-09 08:54:56 UTC (rev 197847)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/Structure.h 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -168,7 +168,8 @@
</span><span class="cx">
</span><span class="cx"> static void dumpStatistics();
</span><span class="cx">
</span><del>- JS_EXPORT_PRIVATE static Structure* addPropertyTransition(VM&, Structure*, PropertyName, unsigned attributes, PropertyOffset&, PutPropertySlot::Context = PutPropertySlot::UnknownContext, DeferredStructureTransitionWatchpointFire* = nullptr);
</del><ins>+ JS_EXPORT_PRIVATE static Structure* addPropertyTransition(VM&, Structure*, PropertyName, unsigned attributes, PropertyOffset&);
+ JS_EXPORT_PRIVATE static Structure* addNewPropertyTransition(VM&, Structure*, PropertyName, unsigned attributes, PropertyOffset&, PutPropertySlot::Context = PutPropertySlot::UnknownContext, DeferredStructureTransitionWatchpointFire* = nullptr);
</ins><span class="cx"> static Structure* addPropertyTransitionToExistingStructureConcurrently(Structure*, UniquedStringImpl* uid, unsigned attributes, PropertyOffset&);
</span><span class="cx"> JS_EXPORT_PRIVATE static Structure* addPropertyTransitionToExistingStructure(Structure*, PropertyName, unsigned attributes, PropertyOffset&);
</span><span class="cx"> static Structure* removePropertyTransition(VM&, Structure*, PropertyName, PropertyOffset&);
</span><span class="lines">@@ -245,6 +246,9 @@
</span><span class="cx"> NonPropertyTransition suggestedArrayStorageTransition() const;
</span><span class="cx">
</span><span class="cx"> JSGlobalObject* globalObject() const { return m_globalObject.get(); }
</span><ins>+
+ // NOTE: This method should only be called during the creation of structures, since the global
+ // object of a structure is presumed to be immutable in a bunch of places.
</ins><span class="cx"> void setGlobalObject(VM& vm, JSGlobalObject* globalObject) { m_globalObject.set(vm, this, globalObject); }
</span><span class="cx">
</span><span class="cx"> JSValue storedPrototype() const { return m_prototype.get(); }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoretestsstressregexpmatchesarraybadtimejs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/tests/stress/regexp-matches-array-bad-time.js (0 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/tests/stress/regexp-matches-array-bad-time.js (rev 0)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/tests/stress/regexp-matches-array-bad-time.js 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+(function() {
+ var count = 11;
+
+ var array;
+ for (var i = 0; i < 10000; ++i) {
+ array = /foo/.exec("foo");
+ if (array[0] != "foo")
+ throw "Error: bad result: " + array[0];
+ }
+
+ delete array[0];
+
+ Array.prototype.__defineSetter__("0", function(value) { count += value; });
+
+ array[0] = 42;
+ if (count != 53)
+ throw "Error: bad count: " + count;
+})();
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoretestsstressregexpmatchesarrayslowputjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js (0 => 197848)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js (rev 0)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js 2016-03-09 09:35:05 UTC (rev 197848)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+(function() {
+ var count = 0;
+ Array.prototype.__defineSetter__("0", function(value) { count += value; });
+
+ for (var i = 0; i < 10000; ++i) {
+ var array = /foo/.exec("foo");
+ if (array[0] != "foo")
+ throw "Error: bad result: " + array[0];
+ delete array[0];
+ array[0] = 42;
+ if (count != (i + 1) * 42)
+ throw "Error: bad count at i = " + i + ": " + count;
+ }
+})();
+
</ins></span></pre>
</div>
</div>
</body>
</html>