<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"

"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />

<title>[203808] trunk/Source/JavaScriptCore</title>

</head>

<body>

<style type="text/css"><!--

#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }

#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }

#msg dt:after { content:':';}

#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }

#msg dl a { font-weight: bold}

#msg dl a:link    { color:#fc3; }

#msg dl a:active  { color:#ff0; }

#msg dl a:visited { color:#cc6; }

h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }

#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }

#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }

#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }

#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }

#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }

#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }

#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }

#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }

#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }

#logmsg pre { background: #eee; padding: 1em; }

#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}

#logmsg dl { margin: 0; }

#logmsg dt { font-weight: bold; }

#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }

#logmsg dd:before { content:'\00bb';}

#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }

#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }

#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }

#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }

#logmsg table th.Corner { text-align: left; }

#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }

#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }

#patch { width: 100%; }

#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}

#patch .propset h4, #patch .binary h4 {margin:0;}

#patch pre {padding:0;line-height:1.2em;margin:0;}

#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}

#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}

#patch span {display:block;padding:0 10px;}

#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}

#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}

#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}

#patch .lines, .info {color:#888;background:#fff;}

--></style>

<div id="msg">

<dl class="meta">

<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/203808">203808</a></dd>

<dt>Author</dt> <dd>commit-queue@webkit.org</dd>

<dt>Date</dt> <dd>2016-07-27 18:36:44 -0700 (Wed, 27 Jul 2016)</dd>

</dl>

<h3>Log Message</h3>

<pre>[JSC] DFG::Node should not have its own allocator

https://bugs.webkit.org/show_bug.cgi?id=160098

Patch by Benjamin Poulain &lt;bpoulain@apple.com&gt; on 2016-07-27

Reviewed by Geoffrey Garen.

We need some design changes for DFG::Node:

-Accessing the index must be fast. B3 uses indices for sets

 and maps, it is a lot faster than hashing pointers.

-We should be able to subclass DFG::Node to specialize it.

* CMakeLists.txt:

* JavaScriptCore.xcodeproj/project.pbxproj:

* dfg/DFGAllocator.h: Removed.

(JSC::DFG::Allocator::Region::size): Deleted.

(JSC::DFG::Allocator::Region::headerSize): Deleted.

(JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.

(JSC::DFG::Allocator::Region::data): Deleted.

(JSC::DFG::Allocator::Region::isInThisRegion): Deleted.

(JSC::DFG::Allocator::Region::regionFor): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::Allocator): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::~Allocator): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::allocate): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::free): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::freeAll): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::reset): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::indexOf): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::allocatorOf): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::bumpAllocate): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::freeListAllocate): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::allocateSlow): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::freeRegionsStartingAt): Deleted.

(JSC::DFG::Allocator&lt;T&gt;::startBumpingIn): Deleted.

* dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::addToGraph):

* dfg/DFGCPSRethreadingPhase.cpp:

(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):

(JSC::DFG::CPSRethreadingPhase::addPhiSilently):

* dfg/DFGCleanUpPhase.cpp:

(JSC::DFG::CleanUpPhase::run):

* dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::run):

* dfg/DFGConstantHoistingPhase.cpp:

* dfg/DFGDCEPhase.cpp:

(JSC::DFG::DCEPhase::fixupBlock):

* dfg/DFGDriver.cpp:

(JSC::DFG::compileImpl):

* dfg/DFGGraph.cpp:

(JSC::DFG::Graph::Graph):

(JSC::DFG::Graph::deleteNode):

(JSC::DFG::Graph::killBlockAndItsContents):

(JSC::DFG::Graph::~Graph): Deleted.

* dfg/DFGGraph.h:

(JSC::DFG::Graph::addNode):

* dfg/DFGLICMPhase.cpp:

(JSC::DFG::LICMPhase::attemptHoist):

* dfg/DFGLongLivedState.cpp: Removed.

(JSC::DFG::LongLivedState::LongLivedState): Deleted.

(JSC::DFG::LongLivedState::~LongLivedState): Deleted.

(JSC::DFG::LongLivedState::shrinkToFit): Deleted.

* dfg/DFGLongLivedState.h: Removed.

* dfg/DFGNode.cpp:

(JSC::DFG::Node::index): Deleted.

* dfg/DFGNode.h:

(JSC::DFG::Node::index):

* dfg/DFGNodeAllocator.h: Removed.

(operator new ): Deleted.

* dfg/DFGObjectAllocationSinkingPhase.cpp:

* dfg/DFGPlan.cpp:

(JSC::DFG::Plan::compileInThread):

(JSC::DFG::Plan::compileInThreadImpl):

* dfg/DFGPlan.h:

* dfg/DFGSSAConversionPhase.cpp:

(JSC::DFG::SSAConversionPhase::run):

* dfg/DFGWorklist.cpp:

(JSC::DFG::Worklist::runThread):

* runtime/VM.cpp:

(JSC::VM::VM): Deleted.

* runtime/VM.h:</pre>

<h3>Modified Paths</h3>

<ul>

<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>

<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>

<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>

<li><a href="#trunkSourceJavaScriptCoreb3B3SparseCollectionh">trunk/Source/JavaScriptCore/b3/B3SparseCollection.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGCPSRethreadingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGCleanUpPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGCleanUpPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGConstantHoistingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGConstantHoistingPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGDCEPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGDrivercpp">trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphcpp">trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphh">trunk/Source/JavaScriptCore/dfg/DFGGraph.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGLICMPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGNodecpp">trunk/Source/JavaScriptCore/dfg/DFGNode.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGObjectAllocationSinkingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGPlancpp">trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGPlanh">trunk/Source/JavaScriptCore/dfg/DFGPlan.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGSSAConversionPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGWorklistcpp">trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoreruntimeVMcpp">trunk/Source/JavaScriptCore/runtime/VM.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoreruntimeVMh">trunk/Source/JavaScriptCore/runtime/VM.h</a></li>

</ul>

<h3>Removed Paths</h3>

<ul>

<li><a href="#trunkSourceJavaScriptCoredfgDFGAllocatorh">trunk/Source/JavaScriptCore/dfg/DFGAllocator.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGLongLivedStatecpp">trunk/Source/JavaScriptCore/dfg/DFGLongLivedState.cpp</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGLongLivedStateh">trunk/Source/JavaScriptCore/dfg/DFGLongLivedState.h</a></li>

<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeAllocatorh">trunk/Source/JavaScriptCore/dfg/DFGNodeAllocator.h</a></li>

</ul>

</div>

<div id="patch">

<h3>Diff</h3>

<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/CMakeLists.txt        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -312,7 +312,6 @@

</span><span class="cx">     dfg/DFGLazyJSValue.cpp

</span><span class="cx">     dfg/DFGLazyNode.cpp

</span><span class="cx">     dfg/DFGLivenessAnalysisPhase.cpp

</span><del>-    dfg/DFGLongLivedState.cpp

</del><span class="cx">     dfg/DFGLoopPreHeaderCreationPhase.cpp

</span><span class="cx">     dfg/DFGMaximalFlushInsertionPhase.cpp

</span><span class="cx">     dfg/DFGMayExit.cpp

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreChangeLog"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/ChangeLog        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -1,5 +1,86 @@

</span><span class="cx"> 2016-07-27  Benjamin Poulain  &lt;bpoulain@apple.com&gt;

</span><span class="cx"> 

</span><ins>+        [JSC] DFG::Node should not have its own allocator

+        https://bugs.webkit.org/show_bug.cgi?id=160098

+

+        Reviewed by Geoffrey Garen.

+

+        We need some design changes for DFG::Node:

+        -Accessing the index must be fast. B3 uses indices for sets

+         and maps, it is a lot faster than hashing pointers.

+        -We should be able to subclass DFG::Node to specialize it.

+

+        * CMakeLists.txt:

+        * JavaScriptCore.xcodeproj/project.pbxproj:

+        * dfg/DFGAllocator.h: Removed.

+        (JSC::DFG::Allocator::Region::size): Deleted.

+        (JSC::DFG::Allocator::Region::headerSize): Deleted.

+        (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.

+        (JSC::DFG::Allocator::Region::data): Deleted.

+        (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.

+        (JSC::DFG::Allocator::Region::regionFor): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::Allocator): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::~Allocator): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::allocate): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::free): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::freeAll): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::reset): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::indexOf): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::allocatorOf): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::bumpAllocate): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::freeListAllocate): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::allocateSlow): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::freeRegionsStartingAt): Deleted.

+        (JSC::DFG::Allocator&lt;T&gt;::startBumpingIn): Deleted.

+        * dfg/DFGByteCodeParser.cpp:

+        (JSC::DFG::ByteCodeParser::addToGraph):

+        * dfg/DFGCPSRethreadingPhase.cpp:

+        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):

+        (JSC::DFG::CPSRethreadingPhase::addPhiSilently):

+        * dfg/DFGCleanUpPhase.cpp:

+        (JSC::DFG::CleanUpPhase::run):

+        * dfg/DFGConstantFoldingPhase.cpp:

+        (JSC::DFG::ConstantFoldingPhase::run):

+        * dfg/DFGConstantHoistingPhase.cpp:

+        * dfg/DFGDCEPhase.cpp:

+        (JSC::DFG::DCEPhase::fixupBlock):

+        * dfg/DFGDriver.cpp:

+        (JSC::DFG::compileImpl):

+        * dfg/DFGGraph.cpp:

+        (JSC::DFG::Graph::Graph):

+        (JSC::DFG::Graph::deleteNode):

+        (JSC::DFG::Graph::killBlockAndItsContents):

+        (JSC::DFG::Graph::~Graph): Deleted.

+        * dfg/DFGGraph.h:

+        (JSC::DFG::Graph::addNode):

+        * dfg/DFGLICMPhase.cpp:

+        (JSC::DFG::LICMPhase::attemptHoist):

+        * dfg/DFGLongLivedState.cpp: Removed.

+        (JSC::DFG::LongLivedState::LongLivedState): Deleted.

+        (JSC::DFG::LongLivedState::~LongLivedState): Deleted.

+        (JSC::DFG::LongLivedState::shrinkToFit): Deleted.

+        * dfg/DFGLongLivedState.h: Removed.

+        * dfg/DFGNode.cpp:

+        (JSC::DFG::Node::index): Deleted.

+        * dfg/DFGNode.h:

+        (JSC::DFG::Node::index):

+        * dfg/DFGNodeAllocator.h: Removed.

+        (operator new ): Deleted.

+        * dfg/DFGObjectAllocationSinkingPhase.cpp:

+        * dfg/DFGPlan.cpp:

+        (JSC::DFG::Plan::compileInThread):

+        (JSC::DFG::Plan::compileInThreadImpl):

+        * dfg/DFGPlan.h:

+        * dfg/DFGSSAConversionPhase.cpp:

+        (JSC::DFG::SSAConversionPhase::run):

+        * dfg/DFGWorklist.cpp:

+        (JSC::DFG::Worklist::runThread):

+        * runtime/VM.cpp:

+        (JSC::VM::VM): Deleted.

+        * runtime/VM.h:

+

+2016-07-27  Benjamin Poulain  &lt;bpoulain@apple.com&gt;

+

</ins><span class="cx">         [JSC] Fix a bunch of use-after-free of DFG::Node

</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=160228

</span><span class="cx"> 

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -884,8 +884,6 @@

</span><span class="cx">                 0FEFC9AB1681A3B600567F53 /* DFGOSRExitJumpPlaceholder.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FEFC9A81681A3B000567F53 /* DFGOSRExitJumpPlaceholder.h */; };

</span><span class="cx">                 0FF054F91AC35B4400E5BE57 /* ExecutableAllocationFuzz.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FF054F71AC35B4400E5BE57 /* ExecutableAllocationFuzz.cpp */; };

</span><span class="cx">                 0FF054FA1AC35B4400E5BE57 /* ExecutableAllocationFuzz.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FF054F81AC35B4400E5BE57 /* ExecutableAllocationFuzz.h */; settings = {ATTRIBUTES = (Private, ); }; };

</span><del>-                0FF0F19916B729F6005DF95B /* DFGLongLivedState.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FB4B51C16B62772003F696B /* DFGLongLivedState.cpp */; };

-                0FF0F19B16B729FA005DF95B /* DFGLongLivedState.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FB4B51D16B62772003F696B /* DFGLongLivedState.h */; };

</del><span class="cx">                 0FF0F19C16B72A03005DF95B /* DFGNode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FB4B51E16B62772003F696B /* DFGNode.cpp */; };

</span><span class="cx">                 0FF0F19D16B72A08005DF95B /* DFGCommon.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FB4B51A16B62772003F696B /* DFGCommon.cpp */; };

</span><span class="cx">                 0FF0F19E16B72A0B005DF95B /* DFGEdge.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FB4B51B16B62772003F696B /* DFGEdge.cpp */; };

</span><span class="lines">@@ -938,9 +936,7 @@

</span><span class="cx">                 0FFA549816B8835300B3A982 /* A64DOpcode.h in Headers */ = {isa = PBXBuildFile; fileRef = 652A3A231651C69700A80AFE /* A64DOpcode.h */; settings = {ATTRIBUTES = (Private, ); }; };

</span><span class="cx">                 0FFB6C381AF48DDC00DB1BF7 /* TypeofType.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FFB6C361AF48DDC00DB1BF7 /* TypeofType.cpp */; };

</span><span class="cx">                 0FFB6C391AF48DDC00DB1BF7 /* TypeofType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FFB6C371AF48DDC00DB1BF7 /* TypeofType.h */; settings = {ATTRIBUTES = (Private, ); }; };

</span><del>-                0FFB921816D02EB20055A5DB /* DFGAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FB4B51916B62772003F696B /* DFGAllocator.h */; };

</del><span class="cx">                 0FFB921A16D02EC50055A5DB /* DFGBasicBlockInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FD5652216AB780A00197653 /* DFGBasicBlockInlines.h */; };

</span><del>-                0FFB921B16D02F010055A5DB /* DFGNodeAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FB4B51F16B62772003F696B /* DFGNodeAllocator.h */; };

</del><span class="cx">                 0FFB921C16D02F110055A5DB /* DFGOSRExitCompilationInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 65987F2C167FE84B003C2F8D /* DFGOSRExitCompilationInfo.h */; };

</span><span class="cx">                 0FFB921D16D02F300055A5DB /* DFGSlowPathGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F1E3A501537C2CB000F9456 /* DFGSlowPathGenerator.h */; };

</span><span class="cx">                 0FFB922016D033B70055A5DB /* NodeConstructors.h in Headers */ = {isa = PBXBuildFile; fileRef = 930DAD030FB1EB1A0082D205 /* NodeConstructors.h */; settings = {ATTRIBUTES = (Private, ); }; };

</span><span class="lines">@@ -2791,13 +2787,9 @@

</span><span class="cx">                 0FB387911BFD31A100E3AB1E /* FTLCompile.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLCompile.cpp; path = ftl/FTLCompile.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };

</span><span class="cx">                 0FB438A219270B1D00E1FBC9 /* StructureSet.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StructureSet.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };

</span><span class="cx">                 0FB4B51016B3A964003F696B /* DFGMinifiedID.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGMinifiedID.h; path = dfg/DFGMinifiedID.h; sourceTree = &quot;&lt;group&gt;&quot;; };

</span><del>-                0FB4B51916B62772003F696B /* DFGAllocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGAllocator.h; path = dfg/DFGAllocator.h; sourceTree = &quot;&lt;group&gt;&quot;; };

</del><span class="cx">                 0FB4B51A16B62772003F696B /* DFGCommon.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGCommon.cpp; path = dfg/DFGCommon.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };

</span><span class="cx">                 0FB4B51B16B62772003F696B /* DFGEdge.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGEdge.cpp; path = dfg/DFGEdge.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };

</span><del>-                0FB4B51C16B62772003F696B /* DFGLongLivedState.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGLongLivedState.cpp; path = dfg/DFGLongLivedState.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };

-                0FB4B51D16B62772003F696B /* DFGLongLivedState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGLongLivedState.h; path = dfg/DFGLongLivedState.h; sourceTree = &quot;&lt;group&gt;&quot;; };

</del><span class="cx">                 0FB4B51E16B62772003F696B /* DFGNode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGNode.cpp; path = dfg/DFGNode.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };

</span><del>-                0FB4B51F16B62772003F696B /* DFGNodeAllocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGNodeAllocator.h; path = dfg/DFGNodeAllocator.h; sourceTree = &quot;&lt;group&gt;&quot;; };

</del><span class="cx">                 0FB4B52116B6278D003F696B /* FunctionExecutableDump.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = FunctionExecutableDump.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };

</span><span class="cx">                 0FB4B52216B6278D003F696B /* FunctionExecutableDump.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FunctionExecutableDump.h; sourceTree = &quot;&lt;group&gt;&quot;; };

</span><span class="cx">                 0FB4FB701BC843140025CA5A /* FTLLazySlowPath.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLLazySlowPath.cpp; path = ftl/FTLLazySlowPath.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };

</span><span class="lines">@@ -6195,7 +6187,6 @@

</span><span class="cx">                                 0F18D3CD1B55A6E0002C5C9F /* DFGAdaptiveStructureWatchpoint.cpp */,

</span><span class="cx">                                 0F18D3CE1B55A6E0002C5C9F /* DFGAdaptiveStructureWatchpoint.h */,

</span><span class="cx">                                 0F66E16814DF3F1300B7B2E4 /* DFGAdjacencyList.h */,

</span><del>-                                0FB4B51916B62772003F696B /* DFGAllocator.h */,

</del><span class="cx">                                 0F1E3A431534CBAD000F9456 /* DFGArgumentPosition.h */,

</span><span class="cx">                                 0F2DD80C1AB3D8BE00BBB8E8 /* DFGArgumentsEliminationPhase.cpp */,

</span><span class="cx">                                 0F2DD80D1AB3D8BE00BBB8E8 /* DFGArgumentsEliminationPhase.h */,

</span><span class="lines">@@ -6345,8 +6336,6 @@

</span><span class="cx">                                 79C4B15C1BA2158F00FD592E /* DFGLiveCatchVariablePreservationPhase.h */,

</span><span class="cx">                                 A7D89CEC17A0B8CC00773AD8 /* DFGLivenessAnalysisPhase.cpp */,

</span><span class="cx">                                 A7D89CED17A0B8CC00773AD8 /* DFGLivenessAnalysisPhase.h */,

</span><del>-                                0FB4B51C16B62772003F696B /* DFGLongLivedState.cpp */,

-                                0FB4B51D16B62772003F696B /* DFGLongLivedState.h */,

</del><span class="cx">                                 A767B5B317A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.cpp */,

</span><span class="cx">                                 A767B5B417A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.h */,

</span><span class="cx">                                 79F8FC1C1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.cpp */,

</span><span class="lines">@@ -6366,7 +6355,6 @@

</span><span class="cx">                                 A737810B1799EA2E00817533 /* DFGNaturalLoops.h */,

</span><span class="cx">                                 0FB4B51E16B62772003F696B /* DFGNode.cpp */,

</span><span class="cx">                                 86ECA3E9132DEF1C002B2AD7 /* DFGNode.h */,

</span><del>-                                0FB4B51F16B62772003F696B /* DFGNodeAllocator.h */,

</del><span class="cx">                                 0FA581B7150E952A00B9A2D9 /* DFGNodeFlags.cpp */,

</span><span class="cx">                                 0FA581B8150E952A00B9A2D9 /* DFGNodeFlags.h */,

</span><span class="cx">                                 0F5D085C1B8CF99D001143B4 /* DFGNodeOrigin.cpp */,

</span><span class="lines">@@ -7304,7 +7292,6 @@

</span><span class="cx">                                 998ED6751BED768C00DD8017 /* RemoteControllableTarget.h in Headers */,

</span><span class="cx">                                 0F33FCF81C136E2500323F67 /* B3StackmapGenerationParams.h in Headers */,

</span><span class="cx">                                 0F66E16B14DF3F1600B7B2E4 /* DFGAdjacencyList.h in Headers */,

</span><del>-                                0FFB921816D02EB20055A5DB /* DFGAllocator.h in Headers */,

</del><span class="cx">                                 0F1E3A461534CBAF000F9456 /* DFGArgumentPosition.h in Headers */,

</span><span class="cx">                                 0F2DD8121AB3D8BE00BBB8E8 /* DFGArgumentsEliminationPhase.h in Headers */,

</span><span class="cx">                                 0F2DD8141AB3D8BE00BBB8E8 /* DFGArgumentsUtilities.h in Headers */,

</span><span class="lines">@@ -7401,7 +7388,6 @@

</span><span class="cx">                                 99D6A1161BEAD34D00E25C37 /* RemoteAutomationTarget.h in Headers */,

</span><span class="cx">                                 79C4B15E1BA2158F00FD592E /* DFGLiveCatchVariablePreservationPhase.h in Headers */,

</span><span class="cx">                                 A7D89CFC17A0B8CC00773AD8 /* DFGLivenessAnalysisPhase.h in Headers */,

</span><del>-                                0FF0F19B16B729FA005DF95B /* DFGLongLivedState.h in Headers */,

</del><span class="cx">                                 0F338DF21BE93AD10013C88F /* B3StackmapValue.h in Headers */,

</span><span class="cx">                                 A767B5B617A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.h in Headers */,

</span><span class="cx">                                 79F8FC1F1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h in Headers */,

</span><span class="lines">@@ -7414,7 +7400,6 @@

</span><span class="cx">                                 0FF2CD5C1B61A4F8004955A8 /* DFGMultiGetByOffsetData.h in Headers */,

</span><span class="cx">                                 A737810E1799EA2E00817533 /* DFGNaturalLoops.h in Headers */,

</span><span class="cx">                                 86ECA3EA132DEF1C002B2AD7 /* DFGNode.h in Headers */,

</span><del>-                                0FFB921B16D02F010055A5DB /* DFGNodeAllocator.h in Headers */,

</del><span class="cx">                                 70B791931C024A28002481E2 /* GeneratorFrame.h in Headers */,

</span><span class="cx">                                 0FA581BB150E953000B9A2D9 /* DFGNodeFlags.h in Headers */,

</span><span class="cx">                                 0F300B7818AB051100A6D72E /* DFGNodeOrigin.h in Headers */,

</span><span class="lines">@@ -8960,7 +8945,6 @@

</span><span class="cx">                                 A7D9A29717A0BC7400EE2618 /* DFGLICMPhase.cpp in Sources */,

</span><span class="cx">                                 79C4B15D1BA2158F00FD592E /* DFGLiveCatchVariablePreservationPhase.cpp in Sources */,

</span><span class="cx">                                 A7D89CFB17A0B8CC00773AD8 /* DFGLivenessAnalysisPhase.cpp in Sources */,

</span><del>-                                0FF0F19916B729F6005DF95B /* DFGLongLivedState.cpp in Sources */,

</del><span class="cx">                                 A767B5B517A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.cpp in Sources */,

</span><span class="cx">                                 79F8FC1E1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.cpp in Sources */,

</span><span class="cx">                                 0F5874ED194FEB1200AAB2C1 /* DFGMayExit.cpp in Sources */,

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreb3B3SparseCollectionh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3SparseCollection.h (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/b3/B3SparseCollection.h        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/b3/B3SparseCollection.h        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -26,8 +26,6 @@

</span><span class="cx"> #ifndef B3SparseCollection_h

</span><span class="cx"> #define B3SparseCollection_h

</span><span class="cx"> 

</span><del>-#if ENABLE(B3_JIT)

-

</del><span class="cx"> #include &lt;wtf/StdLibExtras.h&gt;

</span><span class="cx"> #include &lt;wtf/Vector.h&gt;

</span><span class="cx"> 

</span><span class="lines">@@ -140,7 +138,5 @@

</span><span class="cx"> 

</span><span class="cx"> } } // namespace JSC::B3

</span><span class="cx"> 

</span><del>-#endif // ENABLE(B3_JIT)

-

</del><span class="cx"> #endif // B3SparseCollection_h

</span><span class="cx"> 

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGAllocatorh"></a>

<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/dfg/DFGAllocator.h (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAllocator.h        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGAllocator.h        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -1,239 +0,0 @@

</span><del>-/*

- * Copyright (C) 2013 Apple Inc. All rights reserved.

- *

- * Redistribution and use in source and binary forms, with or without

- * modification, are permitted provided that the following conditions

- * are met:

- * 1. Redistributions of source code must retain the above copyright

- *    notice, this list of conditions and the following disclaimer.

- * 2. Redistributions in binary form must reproduce the above copyright

- *    notice, this list of conditions and the following disclaimer in the

- *    documentation and/or other materials provided with the distribution.

- *

- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY

- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR

- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY

- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

- */

-

-#ifndef DFGAllocator_h

-#define DFGAllocator_h

-

-#if ENABLE(DFG_JIT)

-

-#include &quot;DFGCommon.h&quot;

-#include &lt;wtf/StdLibExtras.h&gt;

-

-namespace JSC { namespace DFG {

-

-// Custom pool allocator for exactly one type (type T). It has fast (O(1), only a few

-// instructions) allocator, and a similarly fast free(). Recycling works if either of

-// the following is true:

-// - T has a trivial destructor. In that case you don't have to ever call free() on

-//   anything. You can just call freeAll() instead.

-// - You call free() on all T's that you allocated, and never use freeAll().

-

-template&lt;typename T&gt;

-class Allocator {

-public:

-    Allocator();

-    ~Allocator();

-    

-    void* allocate(); // Use placement new to allocate, and avoid using this method.

-    void free(T*); // Call this method to delete; never use 'delete' directly.

-    

-    void freeAll(); // Only call this if you've either freed everything or if T has a trivial destructor.

-    void reset(); // Like freeAll(), but also returns all memory to the OS.

-    

-    unsigned indexOf(const T*);

-    

-    static Allocator* allocatorOf(const T*);

-    

-private:

-    void* bumpAllocate();

-    void* freeListAllocate();

-    void* allocateSlow();

-

-    struct Region {

-        static size_t size() { return 64 * KB; }

-        static size_t headerSize() { return std::max(sizeof(Region), sizeof(T)); }

-        static unsigned numberOfThingsPerRegion() { return (size() - headerSize()) / sizeof(T); }

-        T* data() { return bitwise_cast&lt;T*&gt;(bitwise_cast&lt;char*&gt;(this) + headerSize()); }

-        bool isInThisRegion(const T* pointer) { return static_cast&lt;unsigned&gt;(pointer - data()) &lt; numberOfThingsPerRegion(); }

-        static Region* regionFor(const T* pointer) { return bitwise_cast&lt;Region*&gt;(bitwise_cast&lt;uintptr_t&gt;(pointer) &amp; ~(size() - 1)); }

-        

-        void* m_allocation;

-        Allocator* m_allocator;

-        Region* m_next;

-    };

-    

-    void freeRegionsStartingAt(Region*);

-    void startBumpingIn(Region*);

-    

-    Region* m_regionHead;

-    void** m_freeListHead;

-    T* m_bumpEnd;

-    unsigned m_bumpRemaining;

-};

-

-template&lt;typename T&gt;

-inline Allocator&lt;T&gt;::Allocator()

-    : m_regionHead(0)

-    , m_freeListHead(0)

-    , m_bumpRemaining(0)

-{

-}

-

-template&lt;typename T&gt;

-inline Allocator&lt;T&gt;::~Allocator()

-{

-    reset();

-}

-

-template&lt;typename T&gt;

-ALWAYS_INLINE void* Allocator&lt;T&gt;::allocate()

-{

-    void* result = bumpAllocate();

-    if (LIKELY(!!result))

-        return result;

-    return freeListAllocate();

-}

-

-template&lt;typename T&gt;

-void Allocator&lt;T&gt;::free(T* object)

-{

-    object-&gt;~T();

-    

-    void** cell = bitwise_cast&lt;void**&gt;(object);

-    *cell = m_freeListHead;

-    m_freeListHead = cell;

-}

-

-template&lt;typename T&gt;

-void Allocator&lt;T&gt;::freeAll()

-{

-    if (!m_regionHead) {

-        ASSERT(!m_bumpRemaining);

-        ASSERT(!m_freeListHead);

-        return;

-    }

-    

-    // Since the caller is opting out of calling the destructor for any allocated thing,

-    // we have two choices, plus a continuum between: we can either just delete all regions

-    // (i.e. call reset()), or we can make all regions available for reuse. We do something

-    // that optimizes for (a) speed of freeAll(), (b) the assumption that if the user calls

-    // freeAll() then they will probably be calling allocate() in the near future. Namely,

-    // we free all but one region, and make the remaining region a bump allocation region.

-    

-    freeRegionsStartingAt(m_regionHead-&gt;m_next);

-    

-    m_regionHead-&gt;m_next = 0;

-    m_freeListHead = 0;

-    startBumpingIn(m_regionHead);

-}

-

-template&lt;typename T&gt;

-void Allocator&lt;T&gt;::reset()

-{

-    freeRegionsStartingAt(m_regionHead);

-    

-    m_regionHead = 0;

-    m_freeListHead = 0;

-    m_bumpRemaining = 0;

-}

-

-template&lt;typename T&gt;

-unsigned Allocator&lt;T&gt;::indexOf(const T* object)

-{

-    unsigned numRegions = 0;

-    for (Region* region = m_regionHead; region; region = region-&gt;m_next)

-        numRegions++;

-    unsigned regionIndex = 0;

-    for (Region* region = m_regionHead; region; region = region-&gt;m_next) {

-        if (region-&gt;isInThisRegion(object))

-            return (numRegions - 1 - regionIndex) * Region::numberOfThingsPerRegion() + (object - region-&gt;data());

-        regionIndex++;

-    }

-    CRASH();

-    return 0;

-}

-

-template&lt;typename T&gt;

-Allocator&lt;T&gt;* Allocator&lt;T&gt;::allocatorOf(const T* object)

-{

-    return Region::regionFor(object)-&gt;m_allocator;

-}

-

-template&lt;typename T&gt;

-ALWAYS_INLINE void* Allocator&lt;T&gt;::bumpAllocate()

-{

-    if (unsigned remaining = m_bumpRemaining) {

-        remaining--;

-        m_bumpRemaining = remaining;

-        return m_bumpEnd - (remaining + 1);

-    }

-    return 0;

-}

-

-template&lt;typename T&gt;

-void* Allocator&lt;T&gt;::freeListAllocate()

-{

-    void** result = m_freeListHead;

-    if (UNLIKELY(!result))

-        return allocateSlow();

-    m_freeListHead = bitwise_cast&lt;void**&gt;(*result);

-    return result;

-}

-

-template&lt;typename T&gt;

-void* Allocator&lt;T&gt;::allocateSlow()

-{

-    ASSERT(!m_freeListHead);

-    ASSERT(!m_bumpRemaining);

-    

-    if (logCompilationChanges())

-        dataLog(&quot;Allocating another allocator region.\n&quot;);

-

-    void* allocation = fastAlignedMalloc(Region::size(), Region::size());

-    Region* region = static_cast&lt;Region*&gt;(allocation);

-    region-&gt;m_allocation = allocation;

-    region-&gt;m_allocator = this;

-    startBumpingIn(region);

-    region-&gt;m_next = m_regionHead;

-    m_regionHead = region;

-    

-    void* result = bumpAllocate();

-    ASSERT(result);

-    return result;

-}

-

-template&lt;typename T&gt;

-void Allocator&lt;T&gt;::freeRegionsStartingAt(typename Allocator&lt;T&gt;::Region* region)

-{

-    while (region) {

-        Region* nextRegion = region-&gt;m_next;

-        fastAlignedFree(region-&gt;m_allocation);

-        region = nextRegion;

-    }

-}

-

-template&lt;typename T&gt;

-void Allocator&lt;T&gt;::startBumpingIn(typename Allocator&lt;T&gt;::Region* region)

-{

-    m_bumpEnd = region-&gt;data() + Region::numberOfThingsPerRegion();

-    m_bumpRemaining = Region::numberOfThingsPerRegion();

-}

-

-} } // namespace JSC::DFG

-

-#endif // ENABLE(DFG_JIT)

-

-#endif // DFGAllocator_h

-

</del></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -712,7 +712,7 @@

</span><span class="cx">     Node* addToGraph(NodeType op, Node* child1 = 0, Node* child2 = 0, Node* child3 = 0)

</span><span class="cx">     {

</span><span class="cx">         Node* result = m_graph.addNode(

</span><del>-            SpecNone, op, currentNodeOrigin(), Edge(child1), Edge(child2),

</del><ins>+            op, currentNodeOrigin(), Edge(child1), Edge(child2),

</ins><span class="cx">             Edge(child3));

</span><span class="cx">         return addToGraph(result);

</span><span class="cx">     }

</span><span class="lines">@@ -719,25 +719,25 @@

</span><span class="cx">     Node* addToGraph(NodeType op, Edge child1, Edge child2 = Edge(), Edge child3 = Edge())

</span><span class="cx">     {

</span><span class="cx">         Node* result = m_graph.addNode(

</span><del>-            SpecNone, op, currentNodeOrigin(), child1, child2, child3);

</del><ins>+            op, currentNodeOrigin(), child1, child2, child3);

</ins><span class="cx">         return addToGraph(result);

</span><span class="cx">     }

</span><span class="cx">     Node* addToGraph(NodeType op, OpInfo info, Node* child1 = 0, Node* child2 = 0, Node* child3 = 0)

</span><span class="cx">     {

</span><span class="cx">         Node* result = m_graph.addNode(

</span><del>-            SpecNone, op, currentNodeOrigin(), info, Edge(child1), Edge(child2),

</del><ins>+            op, currentNodeOrigin(), info, Edge(child1), Edge(child2),

</ins><span class="cx">             Edge(child3));

</span><span class="cx">         return addToGraph(result);

</span><span class="cx">     }

</span><span class="cx">     Node* addToGraph(NodeType op, OpInfo info, Edge child1, Edge child2 = Edge(), Edge child3 = Edge())

</span><span class="cx">     {

</span><del>-        Node* result = m_graph.addNode(SpecNone, op, currentNodeOrigin(), info, child1, child2, child3);

</del><ins>+        Node* result = m_graph.addNode(op, currentNodeOrigin(), info, child1, child2, child3);

</ins><span class="cx">         return addToGraph(result);

</span><span class="cx">     }

</span><span class="cx">     Node* addToGraph(NodeType op, OpInfo info1, OpInfo info2, Node* child1 = 0, Node* child2 = 0, Node* child3 = 0)

</span><span class="cx">     {

</span><span class="cx">         Node* result = m_graph.addNode(

</span><del>-            SpecNone, op, currentNodeOrigin(), info1, info2,

</del><ins>+            op, currentNodeOrigin(), info1, info2,

</ins><span class="cx">             Edge(child1), Edge(child2), Edge(child3));

</span><span class="cx">         return addToGraph(result);

</span><span class="cx">     }

</span><span class="lines">@@ -744,7 +744,7 @@

</span><span class="cx">     Node* addToGraph(NodeType op, OpInfo info1, OpInfo info2, Edge child1, Edge child2 = Edge(), Edge child3 = Edge())

</span><span class="cx">     {

</span><span class="cx">         Node* result = m_graph.addNode(

</span><del>-            SpecNone, op, currentNodeOrigin(), info1, info2, child1, child2, child3);

</del><ins>+            op, currentNodeOrigin(), info1, info2, child1, child2, child3);

</ins><span class="cx">         return addToGraph(result);

</span><span class="cx">     }

</span><span class="cx">     

</span><span class="lines">@@ -751,7 +751,7 @@

</span><span class="cx">     Node* addToGraph(Node::VarArgTag, NodeType op, OpInfo info1, OpInfo info2)

</span><span class="cx">     {

</span><span class="cx">         Node* result = m_graph.addNode(

</span><del>-            SpecNone, Node::VarArg, op, currentNodeOrigin(), info1, info2,

</del><ins>+            Node::VarArg, op, currentNodeOrigin(), info1, info2,

</ins><span class="cx">             m_graph.m_varArgChildren.size() - m_numPassedVarArgs, m_numPassedVarArgs);

</span><span class="cx">         addToGraph(result);

</span><span class="cx">         

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGCPSRethreadingPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -90,7 +90,7 @@

</span><span class="cx">                     break;

</span><span class="cx">                 case Phantom:

</span><span class="cx">                     if (!node-&gt;child1()) {

</span><del>-                        m_graph.m_allocator.free(node);

</del><ins>+                        m_graph.deleteNode(node);

</ins><span class="cx">                         continue;

</span><span class="cx">                     }

</span><span class="cx">                     switch (node-&gt;child1()-&gt;op()) {

</span><span class="lines">@@ -112,7 +112,7 @@

</span><span class="cx">             block-&gt;resize(toIndex);

</span><span class="cx">             

</span><span class="cx">             for (unsigned phiIndex = block-&gt;phis.size(); phiIndex--;)

</span><del>-                m_graph.m_allocator.free(block-&gt;phis[phiIndex]);

</del><ins>+                m_graph.deleteNode(block-&gt;phis[phiIndex]);

</ins><span class="cx">             block-&gt;phis.resize(0);

</span><span class="cx">         }

</span><span class="cx">     }

</span><span class="lines">@@ -132,7 +132,7 @@

</span><span class="cx">     

</span><span class="cx">     ALWAYS_INLINE Node* addPhiSilently(BasicBlock* block, const NodeOrigin&amp; origin, VariableAccessData* variable)

</span><span class="cx">     {

</span><del>-        Node* result = m_graph.addNode(SpecNone, Phi, origin, OpInfo(variable));

</del><ins>+        Node* result = m_graph.addNode(Phi, origin, OpInfo(variable));

</ins><span class="cx">         block-&gt;phis.append(result);

</span><span class="cx">         return result;

</span><span class="cx">     }

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGCleanUpPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCleanUpPhase.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCleanUpPhase.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGCleanUpPhase.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -69,7 +69,7 @@

</span><span class="cx">                 }

</span><span class="cx">                 

</span><span class="cx">                 if (kill)

</span><del>-                    m_graph.m_allocator.free(node);

</del><ins>+                    m_graph.deleteNode(node);

</ins><span class="cx">                 else

</span><span class="cx">                     block-&gt;at(targetIndex++) = node;

</span><span class="cx">             }

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -101,7 +101,7 @@

</span><span class="cx">                 m_graph.invalidateNodeLiveness();

</span><span class="cx"> 

</span><span class="cx">                 for (Node* node : nodesToDelete)

</span><del>-                    m_graph.m_allocator.free(node);

</del><ins>+                    m_graph.deleteNode(node);

</ins><span class="cx"> 

</span><span class="cx">                 m_graph.invalidateCFG();

</span><span class="cx">                 m_graph.resetReachability();

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGConstantHoistingPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGConstantHoistingPhase.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGConstantHoistingPhase.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGConstantHoistingPhase.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -130,7 +130,7 @@

<span class="cx">         // And finally free the constants that we removed.

</span><span class="cx">         m_graph.invalidateNodeLiveness();

</span><span class="cx">         for (Node* node : toFree)

</span><del>-            m_graph.m_allocator.free(node);

</del><ins>+            m_graph.deleteNode(node);

</ins><span class="cx">         

</span><span class="cx">         return true;

</span><span class="cx">     }

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGDCEPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -93,7 +93,7 @@

</span><span class="cx">             for (unsigned phiIndex = 0; phiIndex &lt; block-&gt;phis.size(); ++phiIndex) {

</span><span class="cx">                 Node* phi = block-&gt;phis[phiIndex];

</span><span class="cx">                 if (!phi-&gt;shouldGenerate()) {

</span><del>-                    m_graph.m_allocator.free(phi);

</del><ins>+                    m_graph.deleteNode(phi);

</ins><span class="cx">                     block-&gt;phis[phiIndex--] = block-&gt;phis.last();

</span><span class="cx">                     block-&gt;phis.removeLast();

</span><span class="cx">                 }

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGDrivercpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -108,7 +108,7 @@

</span><span class="cx">         return CompilationDeferred;

</span><span class="cx">     }

</span><span class="cx">     

</span><del>-    plan-&gt;compileInThread(*vm.dfgState, 0);

</del><ins>+    plan-&gt;compileInThread(nullptr);

</ins><span class="cx">     return plan-&gt;finalizeWithoutNotifyingCallback();

</span><span class="cx"> }

</span><span class="cx"> #else // ENABLE(DFG_JIT)

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGGraphcpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -66,12 +66,11 @@

</span><span class="cx"> #undef STRINGIZE_DFG_OP_ENUM

</span><span class="cx"> };

</span><span class="cx"> 

</span><del>-Graph::Graph(VM&amp; vm, Plan&amp; plan, LongLivedState&amp; longLivedState)

</del><ins>+Graph::Graph(VM&amp; vm, Plan&amp; plan)

</ins><span class="cx">     : m_vm(vm)

</span><span class="cx">     , m_plan(plan)

</span><span class="cx">     , m_codeBlock(m_plan.codeBlock)

</span><span class="cx">     , m_profiledBlock(m_codeBlock-&gt;alternative())

</span><del>-    , m_allocator(longLivedState.m_allocator)

</del><span class="cx">     , m_cfg(std::make_unique&lt;CFG&gt;(*this))

</span><span class="cx">     , m_nextMachineLocal(0)

</span><span class="cx">     , m_fixpointState(BeforeFixpoint)

</span><span class="lines">@@ -87,17 +86,6 @@

</span><span class="cx"> 

</span><span class="cx"> Graph::~Graph()

</span><span class="cx"> {

</span><del>-    for (BlockIndex blockIndex = numBlocks(); blockIndex--;) {

-        BasicBlock* block = this-&gt;block(blockIndex);

-        if (!block)

-            continue;

-

-        for (unsigned phiIndex = block-&gt;phis.size(); phiIndex--;)

-            m_allocator.free(block-&gt;phis[phiIndex]);

-        for (unsigned nodeIndex = block-&gt;size(); nodeIndex--;)

-            m_allocator.free(block-&gt;at(nodeIndex));

-    }

-    m_allocator.freeAll();

</del><span class="cx"> }

</span><span class="cx"> 

</span><span class="cx"> const char *Graph::opName(NodeType op)

</span><span class="lines">@@ -579,6 +567,17 @@

</span><span class="cx">     }

</span><span class="cx"> }

</span><span class="cx"> 

</span><ins>+void Graph::deleteNode(Node* node)

+{

+    if (validationEnabled() &amp;&amp; m_form == SSA) {

+        for (BasicBlock* block : blocksInNaturalOrder()) {

+            DFG_ASSERT(*this, node, !block-&gt;ssa-&gt;liveAtHead.contains(node));

+            DFG_ASSERT(*this, node, !block-&gt;ssa-&gt;liveAtTail.contains(node));

+        }

+    }

+    m_nodes.remove(node);

+}

+

</ins><span class="cx"> void Graph::dethread()

</span><span class="cx"> {

</span><span class="cx">     if (m_form == LoadStore || m_form == SSA)

</span><span class="lines">@@ -747,9 +746,9 @@

</span><span class="cx">     if (auto&amp; ssaData = block-&gt;ssa)

</span><span class="cx">         ssaData-&gt;invalidate();

</span><span class="cx">     for (unsigned phiIndex = block-&gt;phis.size(); phiIndex--;)

</span><del>-        m_allocator.free(block-&gt;phis[phiIndex]);

-    for (unsigned nodeIndex = block-&gt;size(); nodeIndex--;)

-        m_allocator.free(block-&gt;at(nodeIndex));

</del><ins>+        deleteNode(block-&gt;phis[phiIndex]);

+    for (Node* node : *block)

+        deleteNode(node);

</ins><span class="cx">     

</span><span class="cx">     killBlock(block);

</span><span class="cx"> }

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGGraphh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.h (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.h        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.h        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -29,14 +29,13 @@

</span><span class="cx"> #if ENABLE(DFG_JIT)

</span><span class="cx"> 

</span><span class="cx"> #include &quot;AssemblyHelpers.h&quot;

</span><ins>+#include &quot;B3SparseCollection.h&quot;

</ins><span class="cx"> #include &quot;BytecodeLivenessAnalysisInlines.h&quot;

</span><span class="cx"> #include &quot;CodeBlock.h&quot;

</span><span class="cx"> #include &quot;DFGArgumentPosition.h&quot;

</span><span class="cx"> #include &quot;DFGBasicBlock.h&quot;

</span><span class="cx"> #include &quot;DFGFrozenValue.h&quot;

</span><del>-#include &quot;DFGLongLivedState.h&quot;

</del><span class="cx"> #include &quot;DFGNode.h&quot;

</span><del>-#include &quot;DFGNodeAllocator.h&quot;

</del><span class="cx"> #include &quot;DFGPlan.h&quot;

</span><span class="cx"> #include &quot;DFGPropertyTypeKey.h&quot;

</span><span class="cx"> #include &quot;DFGScannable.h&quot;

</span><span class="lines">@@ -124,7 +123,7 @@

<span class="cx"> // Nodes that are 'dead' remain in the vector with refCount 0.

</span><span class="cx"> class Graph : public virtual Scannable {

</span><span class="cx"> public:

</span><del>-    Graph(VM&amp;, Plan&amp;, LongLivedState&amp;);

</del><ins>+    Graph(VM&amp;, Plan&amp;);

</ins><span class="cx">     ~Graph();

</span><span class="cx">     

</span><span class="cx">     void changeChild(Edge&amp; edge, Node* newNode)

</span><span class="lines">@@ -182,12 +181,20 @@

</span><span class="cx">     }

</span><span class="cx">     

</span><span class="cx">     template&lt;typename... Params&gt;

</span><ins>+    Node* addNode(Params... params)

+    {

+        Node* node = new Node(params...);

+        m_nodes.add(std::unique_ptr&lt;Node&gt;(node));

+        return node;

+    }

+    template&lt;typename... Params&gt;

</ins><span class="cx">     Node* addNode(SpeculatedType type, Params... params)

</span><span class="cx">     {

</span><del>-        Node* node = new (m_allocator) Node(params...);

</del><ins>+        Node* node = addNode(params...);

</ins><span class="cx">         node-&gt;predict(type);

</span><span class="cx">         return node;

</span><span class="cx">     }

</span><ins>+    void deleteNode(Node*);

</ins><span class="cx"> 

</span><span class="cx">     void dethread();

</span><span class="cx">     

</span><span class="lines">@@ -822,8 +829,6 @@

</span><span class="cx">     Plan&amp; m_plan;

</span><span class="cx">     CodeBlock* m_codeBlock;

</span><span class="cx">     CodeBlock* m_profiledBlock;

</span><del>-    

-    NodeAllocator&amp; m_allocator;

</del><span class="cx"> 

</span><span class="cx">     Vector&lt; RefPtr&lt;BasicBlock&gt; , 8&gt; m_blocks;

</span><span class="cx">     Vector&lt;Edge, 16&gt; m_varArgChildren;

</span><span class="lines">@@ -912,6 +917,7 @@

</span><span class="cx">     bool m_hasDebuggerEnabled;

</span><span class="cx">     bool m_hasExceptionHandlers { false };

</span><span class="cx"> private:

</span><ins>+    void adoptNodeOutOfLine(Node&amp;);

</ins><span class="cx"> 

</span><span class="cx">     bool isStringPrototypeMethodSane(JSGlobalObject*, UniquedStringImpl*);

</span><span class="cx"> 

</span><span class="lines">@@ -944,6 +950,8 @@

</span><span class="cx">         

</span><span class="cx">         return bytecodeCanTruncateInteger(add-&gt;arithNodeFlags()) ? SpeculateInt32AndTruncateConstants : DontSpeculateInt32;

</span><span class="cx">     }

</span><ins>+

+    B3::SparseCollection&lt;Node&gt; m_nodes;

</ins><span class="cx"> };

</span><span class="cx"> 

</span><span class="cx"> } } // namespace JSC::DFG

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGLICMPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -341,7 +341,7 @@

<span class="cx">         // code. But for now we just assert that's the case.

</span><span class="cx">         DFG_ASSERT(m_graph, node, !(node-&gt;flags() &amp; NodeHasVarArgs));

</span><span class="cx">         

</span><del>-        nodeRef = m_graph.addNode(SpecNone, Check, originalOrigin, node-&gt;children);

</del><ins>+        nodeRef = m_graph.addNode(Check, originalOrigin, node-&gt;children);

</ins><span class="cx">         

</span><span class="cx">         return true;

</span><span class="cx">     }

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGLongLivedStatecpp"></a>

<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/dfg/DFGLongLivedState.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGLongLivedState.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGLongLivedState.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -1,51 +0,0 @@

</span><del>-/*

- * Copyright (C) 2013 Apple Inc. All rights reserved.

- *

- * Redistribution and use in source and binary forms, with or without

- * modification, are permitted provided that the following conditions

- * are met:

- * 1. Redistributions of source code must retain the above copyright

- *    notice, this list of conditions and the following disclaimer.

- * 2. Redistributions in binary form must reproduce the above copyright

- *    notice, this list of conditions and the following disclaimer in the

- *    documentation and/or other materials provided with the distribution.

- *

- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY

- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR

- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY

- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

- */

-

-#include &quot;config.h&quot;

-#include &quot;DFGLongLivedState.h&quot;

-

-#if ENABLE(DFG_JIT)

-

-#include &quot;JSCInlines.h&quot;

-

-namespace JSC { namespace DFG {

-

-LongLivedState::LongLivedState()

-{

-}

-

-LongLivedState::~LongLivedState()

-{

-}

-

-void LongLivedState::shrinkToFit()

-{

-    m_allocator.reset();

-}

-

-} } // namespace JSC::DFG

-

-#endif // ENABLE(DFG_JIT)

-

</del></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGLongLivedStateh"></a>

<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/dfg/DFGLongLivedState.h (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGLongLivedState.h        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGLongLivedState.h        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -1,53 +0,0 @@

</span><del>-/*

- * Copyright (C) 2013 Apple Inc. All rights reserved.

- *

- * Redistribution and use in source and binary forms, with or without

- * modification, are permitted provided that the following conditions

- * are met:

- * 1. Redistributions of source code must retain the above copyright

- *    notice, this list of conditions and the following disclaimer.

- * 2. Redistributions in binary form must reproduce the above copyright

- *    notice, this list of conditions and the following disclaimer in the

- *    documentation and/or other materials provided with the distribution.

- *

- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY

- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR

- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY

- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

- */

-

-#ifndef DFGLongLivedState_h

-#define DFGLongLivedState_h

-

-#if ENABLE(DFG_JIT)

-

-#include &quot;DFGNodeAllocator.h&quot;

-#include &lt;wtf/FastMalloc.h&gt;

-#include &lt;wtf/Noncopyable.h&gt;

-

-namespace JSC { namespace DFG {

-

-class LongLivedState {

-    WTF_MAKE_FAST_ALLOCATED; WTF_MAKE_NONCOPYABLE(LongLivedState);

-public:

-    LongLivedState();

-    ~LongLivedState();

-    

-    void shrinkToFit();

-    

-    NodeAllocator m_allocator;

-};

-

-} } // namespace JSC::DFG

-

-#endif // ENABLE(DFG_JIT)

-

-#endif // DFGLongLivedState_h

-

</del></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGNodecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGNode.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -29,7 +29,6 @@

</span><span class="cx"> #if ENABLE(DFG_JIT)

</span><span class="cx"> 

</span><span class="cx"> #include &quot;DFGGraph.h&quot;

</span><del>-#include &quot;DFGNodeAllocator.h&quot;

</del><span class="cx"> #include &quot;DFGPromotedHeapLocation.h&quot;

</span><span class="cx"> #include &quot;JSCInlines.h&quot;

</span><span class="cx"> 

</span><span class="lines">@@ -64,11 +63,6 @@

</span><span class="cx">         out.print(&quot;/w:&quot;, count);

</span><span class="cx"> }

</span><span class="cx"> 

</span><del>-unsigned Node::index() const

-{

-    return NodeAllocator::allocatorOf(this)-&gt;indexOf(this);

-}

-

</del><span class="cx"> bool Node::hasVariableAccessData(Graph&amp; graph)

</span><span class="cx"> {

</span><span class="cx">     switch (op()) {

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -28,6 +28,7 @@

</span><span class="cx"> 

</span><span class="cx"> #if ENABLE(DFG_JIT)

</span><span class="cx"> 

</span><ins>+#include &quot;B3SparseCollection.h&quot;

</ins><span class="cx"> #include &quot;BasicBlockLocation.h&quot;

</span><span class="cx"> #include &quot;CodeBlock.h&quot;

</span><span class="cx"> #include &quot;DFGAbstractValue.h&quot;

</span><span class="lines">@@ -230,6 +231,8 @@

</span><span class="cx"> //

<span class="cx"> // Node represents a single operation in the data flow graph.

</span><span class="cx"> struct Node {

</span><ins>+    WTF_MAKE_FAST_ALLOCATED;

+public:

</ins><span class="cx">     enum VarArgTag { VarArg };

</span><span class="cx">     

</span><span class="cx">     Node() { }

</span><span class="lines">@@ -346,10 +349,9 @@

</span><span class="cx">     

</span><span class="cx">     NodeType op() const { return static_cast&lt;NodeType&gt;(m_op); }

</span><span class="cx">     NodeFlags flags() const { return m_flags; }

</span><ins>+

+    unsigned index() const { return m_index; }

</ins><span class="cx">     

<del>-    // This is not a fast method.

-    unsigned index() const;

-    

</del><span class="cx">     void setOp(NodeType op)

</span><span class="cx">     {

</span><span class="cx">         m_op = op;

</span><span class="lines">@@ -2344,6 +2346,9 @@

</span><span class="cx">     AdjacencyList children;

</span><span class="cx"> 

</span><span class="cx"> private:

</span><ins>+    friend class B3::SparseCollection&lt;Node&gt;;

+

+    unsigned m_index { std::numeric_limits&lt;unsigned&gt;::max() };

</ins><span class="cx">     unsigned m_op : 10; // real type is NodeType

</span><span class="cx">     unsigned m_flags : 20;

<span class="cx">     // The virtual register number (spill location) associated with this .

</span><span class="lines">@@ -2351,7 +2356,7 @@

<span class="cx">     // The number of uses of the result of this operation (+1 for 'must generate' nodes, which have side-effects).

</span><span class="cx">     unsigned m_refCount;

<span class="cx">     // The prediction ascribed to this node after propagation.

</span><del>-    SpeculatedType m_prediction;

</del><ins>+    SpeculatedType m_prediction { SpecNone };

</ins><span class="cx">     // Immediate values, accesses type-checked via accessors above. The first one is

<span class="cx">     // big enough to store a pointer.

</span><span class="cx">     uintptr_t m_opInfo;

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGNodeAllocatorh"></a>

<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/dfg/DFGNodeAllocator.h (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeAllocator.h        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGNodeAllocator.h        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -1,49 +0,0 @@

</span><del>-/*

- * Copyright (C) 2013 Apple Inc. All rights reserved.

- *

- * Redistribution and use in source and binary forms, with or without

- * modification, are permitted provided that the following conditions

- * are met:

- * 1. Redistributions of source code must retain the above copyright

- *    notice, this list of conditions and the following disclaimer.

- * 2. Redistributions in binary form must reproduce the above copyright

- *    notice, this list of conditions and the following disclaimer in the

- *    documentation and/or other materials provided with the distribution.

- *

- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY

- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR

- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY

- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

- */

-

-#ifndef DFGNodeAllocator_h

-#define DFGNodeAllocator_h

-

-#if ENABLE(DFG_JIT)

-

-#include &quot;DFGAllocator.h&quot;

-#include &quot;DFGNode.h&quot;

-

-namespace JSC { namespace DFG {

-

-typedef Allocator&lt;Node&gt; NodeAllocator;

-

-} } // namespace JSC::DFG

-

-inline void* operator new (size_t size, JSC::DFG::NodeAllocator&amp; allocator)

-{

-    ASSERT_UNUSED(size, size == sizeof(JSC::DFG::Node));

-    return allocator.allocate();

-}

-

-#endif // ENABLE(DFG_JIT)

-

-#endif // DFGNodeAllocator_h

-

</del></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGObjectAllocationSinkingPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -2102,7 +2102,6 @@

</span><span class="cx">                 data-&gt;identifierNumber = identifierNumber;

</span><span class="cx"> 

</span><span class="cx">                 return m_graph.addNode(

</span><del>-                    SpecNone,

</del><span class="cx">                     PutByOffset,

</span><span class="cx">                     origin.takeValidExit(canExit),

</span><span class="cx">                     OpInfo(data),

</span><span class="lines">@@ -2137,7 +2136,6 @@

</span><span class="cx">             }

</span><span class="cx"> 

</span><span class="cx">             return m_graph.addNode(

</span><del>-                SpecNone,

</del><span class="cx">                 MultiPutByOffset,

</span><span class="cx">                 origin.takeValidExit(canExit),

</span><span class="cx">                 OpInfo(data),

</span><span class="lines">@@ -2148,7 +2146,6 @@

</span><span class="cx"> 

</span><span class="cx">         case ClosureVarPLoc: {

</span><span class="cx">             return m_graph.addNode(

</span><del>-                SpecNone,

</del><span class="cx">                 PutClosureVar,

</span><span class="cx">                 origin.takeValidExit(canExit),

</span><span class="cx">                 OpInfo(location.info()),

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGPlancpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -170,7 +170,7 @@

</span><span class="cx">         || (Options::reportFTLCompileTimes() &amp;&amp; isFTL(mode));

</span><span class="cx"> }

</span><span class="cx"> 

</span><del>-void Plan::compileInThread(LongLivedState&amp; longLivedState, ThreadData* threadData)

</del><ins>+void Plan::compileInThread(ThreadData* threadData)

</ins><span class="cx"> {

</span><span class="cx">     this-&gt;threadData = threadData;

</span><span class="cx">     

</span><span class="lines">@@ -186,7 +186,7 @@

</span><span class="cx">     if (logCompilationChanges(mode))

</span><span class="cx">         dataLog(&quot;DFG(Plan) compiling &quot;, *codeBlock, &quot; with &quot;, mode, &quot;, number of instructions = &quot;, codeBlock-&gt;instructionCount(), &quot;\n&quot;);

</span><span class="cx"> 

</span><del>-    CompilationPath path = compileInThreadImpl(longLivedState);

</del><ins>+    CompilationPath path = compileInThreadImpl();

</ins><span class="cx"> 

</span><span class="cx">     RELEASE_ASSERT(path == CancelPath || finalizer);

</span><span class="cx">     RELEASE_ASSERT((path == CancelPath) == (stage == Cancelled));

</span><span class="lines">@@ -236,7 +236,7 @@

</span><span class="cx">     }

</span><span class="cx"> }

</span><span class="cx"> 

</span><del>-Plan::CompilationPath Plan::compileInThreadImpl(LongLivedState&amp; longLivedState)

</del><ins>+Plan::CompilationPath Plan::compileInThreadImpl()

</ins><span class="cx"> {

</span><span class="cx">     cleanMustHandleValuesIfNecessary();

</span><span class="cx">     

</span><span class="lines">@@ -246,7 +246,7 @@

</span><span class="cx">         dataLog(&quot;\n&quot;);

</span><span class="cx">     }

</span><span class="cx">     

</span><del>-    Graph dfg(*vm, *this, longLivedState);

</del><ins>+    Graph dfg(*vm, *this);

</ins><span class="cx">     

</span><span class="cx">     if (!parse(dfg)) {

</span><span class="cx">         finalizer = std::make_unique&lt;FailedFinalizer&gt;(*this);

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGPlanh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.h (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.h        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.h        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -48,7 +48,6 @@

</span><span class="cx"> 

</span><span class="cx"> namespace DFG {

</span><span class="cx"> 

</span><del>-class LongLivedState;

</del><span class="cx"> class ThreadData;

</span><span class="cx"> 

</span><span class="cx"> #if ENABLE(DFG_JIT)

</span><span class="lines">@@ -60,7 +59,7 @@

</span><span class="cx">         const Operands&lt;JSValue&gt;&amp; mustHandleValues);

</span><span class="cx">     ~Plan();

</span><span class="cx"> 

</span><del>-    void compileInThread(LongLivedState&amp;, ThreadData*);

</del><ins>+    void compileInThread(ThreadData*);

</ins><span class="cx">     

</span><span class="cx">     CompilationResult finalizeWithoutNotifyingCallback();

</span><span class="cx">     void finalizeAndNotifyCallback();

</span><span class="lines">@@ -121,7 +120,7 @@

</span><span class="cx">     bool reportCompileTimes() const;

</span><span class="cx">     

</span><span class="cx">     enum CompilationPath { FailPath, DFGPath, FTLPath, CancelPath };

</span><del>-    CompilationPath compileInThreadImpl(LongLivedState&amp;);

</del><ins>+    CompilationPath compileInThreadImpl();

</ins><span class="cx">     

</span><span class="cx">     bool isStillValid();

</span><span class="cx">     void reallyAdd(CommonData*);

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGSSAConversionPhasecpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -373,7 +373,7 @@

</span><span class="cx">             if (!block)

</span><span class="cx">                 continue;

</span><span class="cx">             for (unsigned phiIndex = block-&gt;phis.size(); phiIndex--;)

</span><del>-                m_graph.m_allocator.free(block-&gt;phis[phiIndex]);

</del><ins>+                m_graph.deleteNode(block-&gt;phis[phiIndex]);

</ins><span class="cx">             block-&gt;phis.clear();

</span><span class="cx">             block-&gt;variablesAtHead.clear();

</span><span class="cx">             block-&gt;variablesAtTail.clear();

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoredfgDFGWorklistcpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -30,7 +30,6 @@

</span><span class="cx"> 

</span><span class="cx"> #include &quot;CodeBlock.h&quot;

</span><span class="cx"> #include &quot;DeferGC.h&quot;

</span><del>-#include &quot;DFGLongLivedState.h&quot;

</del><span class="cx"> #include &quot;DFGSafepoint.h&quot;

</span><span class="cx"> #include &quot;JSCInlines.h&quot;

</span><span class="cx"> #include &lt;mutex&gt;

</span><span class="lines">@@ -362,8 +361,6 @@

</span><span class="cx">     if (Options::verboseCompilationQueue())

</span><span class="cx">         dataLog(*this, &quot;: Thread started\n&quot;);

</span><span class="cx">     

</span><del>-    LongLivedState longLivedState;

-    

</del><span class="cx">     for (;;) {

</span><span class="cx">         RefPtr&lt;Plan&gt; plan;

</span><span class="cx">         {

</span><span class="lines">@@ -399,7 +396,7 @@

</span><span class="cx">                 dataLog(*this, &quot;: Compiling &quot;, plan-&gt;key(), &quot; asynchronously\n&quot;);

</span><span class="cx">         

</span><span class="cx">             RELEASE_ASSERT(!plan-&gt;vm-&gt;heap.isCollecting());

</span><del>-            plan-&gt;compileInThread(longLivedState, data);

</del><ins>+            plan-&gt;compileInThread(data);

</ins><span class="cx">             RELEASE_ASSERT(plan-&gt;stage == Plan::Cancelled || !plan-&gt;vm-&gt;heap.isCollecting());

</span><span class="cx">             

</span><span class="cx">             {

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreruntimeVMcpp"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.cpp (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.cpp        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/runtime/VM.cpp        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -38,7 +38,6 @@

</span><span class="cx"> #include &quot;CommonIdentifiers.h&quot;

</span><span class="cx"> #include &quot;CommonSlowPaths.h&quot;

</span><span class="cx"> #include &quot;CustomGetterSetter.h&quot;

</span><del>-#include &quot;DFGLongLivedState.h&quot;

</del><span class="cx"> #include &quot;DFGWorklist.h&quot;

</span><span class="cx"> #include &quot;Disassembler.h&quot;

</span><span class="cx"> #include &quot;ErrorInstance.h&quot;

</span><span class="lines">@@ -290,11 +289,6 @@

</span><span class="cx">     }

</span><span class="cx"> 

</span><span class="cx">     callFrameForCatch = nullptr;

</span><del>-

-#if ENABLE(DFG_JIT)

-    if (canUseJIT())

-        dfgState = std::make_unique&lt;DFG::LongLivedState&gt;();

-#endif

</del><span class="cx">     

</span><span class="cx">     // Initialize this last, as a free way of asserting that VM initialization itself

<span class="cx">     // won't use this.

</span></span></pre></div>

<a id="trunkSourceJavaScriptCoreruntimeVMh"></a>

<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.h (203807 => 203808)</h4>

<pre class="diff"><span>

<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.h        2016-07-27 23:54:44 UTC (rev 203807)

+++ trunk/Source/JavaScriptCore/runtime/VM.h        2016-07-28 01:36:44 UTC (rev 203808)

</span><span class="lines">@@ -119,11 +119,6 @@

</span><span class="cx"> class Watchpoint;

</span><span class="cx"> class WatchpointSet;

</span><span class="cx"> 

</span><del>-#if ENABLE(DFG_JIT)

-namespace DFG {

-class LongLivedState;

-}

-#endif // ENABLE(DFG_JIT)

</del><span class="cx"> #if ENABLE(FTL_JIT)

</span><span class="cx"> namespace FTL {

</span><span class="cx"> class Thunks;

</span><span class="lines">@@ -271,10 +266,6 @@

<span class="cx">     // destructed after all the objects that reference it.

</span><span class="cx">     Heap heap;

</span><span class="cx"> 

</span><del>-#if ENABLE(DFG_JIT)

-    std::unique_ptr&lt;DFG::LongLivedState&gt; dfgState;

-#endif // ENABLE(DFG_JIT)

-

</del><span class="cx">     VMType vmType;

</span><span class="cx">     ClientData* clientData;

</span><span class="cx">     VMEntryFrame* topVMEntryFrame;

</span></span></pre>

</div>

</div>

</body>

</html>