<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[205494] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/205494">205494</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2016-09-06 11:18:10 -0700 (Tue, 06 Sep 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Typed arrays should use MarkedSpace instead of CopiedSpace
https://bugs.webkit.org/show_bug.cgi?id=161100
Reviewed by Geoffrey Garen.
This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
everything that typed arrays want.
* dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
* dfg/DFGOperations.h:
(JSC::DFG::operationNewTypedArrayWithSizeForType):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArray):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
(JSC::FTL::DFG::LowerDFGToB3::splatWords):
(JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
* heap/CopyToken.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::markAuxiliary):
* jit/JITOperations.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::JSArrayBufferView):
* runtime/JSArrayBufferView.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
(JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationsh">trunk/Source/JavaScriptCore/dfg/DFGOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCopyTokenh">trunk/Source/JavaScriptCore/heap/CopyToken.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapSlotVisitorcpp">trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationsh">trunk/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferViewcpp">trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferViewh">trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -1,3 +1,45 @@
</span><ins>+2016-09-06 Filip Pizlo <fpizlo@apple.com>
+
+ Typed arrays should use MarkedSpace instead of CopiedSpace
+ https://bugs.webkit.org/show_bug.cgi?id=161100
+
+ Reviewed by Geoffrey Garen.
+
+ This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
+
+ This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
+ everything that typed arrays want.
+
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::newTypedArrayWithSize):
+ * dfg/DFGOperations.h:
+ (JSC::DFG::operationNewTypedArrayWithSizeForType):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
+ (JSC::FTL::DFG::LowerDFGToB3::splatWords):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
+ * heap/CopyToken.h:
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::markAuxiliary):
+ * jit/JITOperations.h:
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+ (JSC::JSArrayBufferView::JSArrayBufferView):
+ * runtime/JSArrayBufferView.h:
+ * runtime/JSGenericTypedArrayView.h:
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
+ (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
+ (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
+ (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
+
</ins><span class="cx"> 2016-09-06 Michael Catanzaro <mcatanzaro@igalia.com>
</span><span class="cx">
</span><span class="cx"> Silence GCC warning spam introduced in r205462
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -134,7 +134,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename ViewClass>
</span><del>-char* newTypedArrayWithSize(ExecState* exec, Structure* structure, int32_t size)
</del><ins>+char* newTypedArrayWithSize(ExecState* exec, Structure* structure, int32_t size, char* vector)
</ins><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="lines">@@ -144,6 +144,10 @@
</span><span class="cx"> throwException(exec, scope, createRangeError(exec, ASCIILiteral("Requested length is negative")));
</span><span class="cx"> return 0;
</span><span class="cx"> }
</span><ins>+
+ if (vector)
+ return bitwise_cast<char*>(ViewClass::createWithFastVector(exec, structure, size, vector));
+
</ins><span class="cx"> return bitwise_cast<char*>(ViewClass::create(exec, structure, size));
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -958,9 +962,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewInt8ArrayWithSize(
</span><del>- ExecState* exec, Structure* structure, int32_t length)
</del><ins>+ ExecState* exec, Structure* structure, int32_t length, char* vector)
</ins><span class="cx"> {
</span><del>- return newTypedArrayWithSize<JSInt8Array>(exec, structure, length);
</del><ins>+ return newTypedArrayWithSize<JSInt8Array>(exec, structure, length, vector);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewInt8ArrayWithOneArgument(
</span><span class="lines">@@ -972,9 +976,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewInt16ArrayWithSize(
</span><del>- ExecState* exec, Structure* structure, int32_t length)
</del><ins>+ ExecState* exec, Structure* structure, int32_t length, char* vector)
</ins><span class="cx"> {
</span><del>- return newTypedArrayWithSize<JSInt16Array>(exec, structure, length);
</del><ins>+ return newTypedArrayWithSize<JSInt16Array>(exec, structure, length, vector);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewInt16ArrayWithOneArgument(
</span><span class="lines">@@ -986,9 +990,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewInt32ArrayWithSize(
</span><del>- ExecState* exec, Structure* structure, int32_t length)
</del><ins>+ ExecState* exec, Structure* structure, int32_t length, char* vector)
</ins><span class="cx"> {
</span><del>- return newTypedArrayWithSize<JSInt32Array>(exec, structure, length);
</del><ins>+ return newTypedArrayWithSize<JSInt32Array>(exec, structure, length, vector);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewInt32ArrayWithOneArgument(
</span><span class="lines">@@ -1000,9 +1004,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint8ArrayWithSize(
</span><del>- ExecState* exec, Structure* structure, int32_t length)
</del><ins>+ ExecState* exec, Structure* structure, int32_t length, char* vector)
</ins><span class="cx"> {
</span><del>- return newTypedArrayWithSize<JSUint8Array>(exec, structure, length);
</del><ins>+ return newTypedArrayWithSize<JSUint8Array>(exec, structure, length, vector);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint8ArrayWithOneArgument(
</span><span class="lines">@@ -1014,9 +1018,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint8ClampedArrayWithSize(
</span><del>- ExecState* exec, Structure* structure, int32_t length)
</del><ins>+ ExecState* exec, Structure* structure, int32_t length, char* vector)
</ins><span class="cx"> {
</span><del>- return newTypedArrayWithSize<JSUint8ClampedArray>(exec, structure, length);
</del><ins>+ return newTypedArrayWithSize<JSUint8ClampedArray>(exec, structure, length, vector);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint8ClampedArrayWithOneArgument(
</span><span class="lines">@@ -1028,9 +1032,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint16ArrayWithSize(
</span><del>- ExecState* exec, Structure* structure, int32_t length)
</del><ins>+ ExecState* exec, Structure* structure, int32_t length, char* vector)
</ins><span class="cx"> {
</span><del>- return newTypedArrayWithSize<JSUint16Array>(exec, structure, length);
</del><ins>+ return newTypedArrayWithSize<JSUint16Array>(exec, structure, length, vector);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint16ArrayWithOneArgument(
</span><span class="lines">@@ -1042,9 +1046,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint32ArrayWithSize(
</span><del>- ExecState* exec, Structure* structure, int32_t length)
</del><ins>+ ExecState* exec, Structure* structure, int32_t length, char* vector)
</ins><span class="cx"> {
</span><del>- return newTypedArrayWithSize<JSUint32Array>(exec, structure, length);
</del><ins>+ return newTypedArrayWithSize<JSUint32Array>(exec, structure, length, vector);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewUint32ArrayWithOneArgument(
</span><span class="lines">@@ -1056,9 +1060,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewFloat32ArrayWithSize(
</span><del>- ExecState* exec, Structure* structure, int32_t length)
</del><ins>+ ExecState* exec, Structure* structure, int32_t length, char* vector)
</ins><span class="cx"> {
</span><del>- return newTypedArrayWithSize<JSFloat32Array>(exec, structure, length);
</del><ins>+ return newTypedArrayWithSize<JSFloat32Array>(exec, structure, length, vector);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewFloat32ArrayWithOneArgument(
</span><span class="lines">@@ -1070,9 +1074,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewFloat64ArrayWithSize(
</span><del>- ExecState* exec, Structure* structure, int32_t length)
</del><ins>+ ExecState* exec, Structure* structure, int32_t length, char* vector)
</ins><span class="cx"> {
</span><del>- return newTypedArrayWithSize<JSFloat64Array>(exec, structure, length);
</del><ins>+ return newTypedArrayWithSize<JSFloat64Array>(exec, structure, length, vector);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationNewFloat64ArrayWithOneArgument(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.h (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.h 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.h 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -71,23 +71,23 @@
</span><span class="cx"> char* JIT_OPERATION operationNewArrayBuffer(ExecState*, Structure*, size_t, size_t) WTF_INTERNAL;
</span><span class="cx"> char* JIT_OPERATION operationNewEmptyArray(ExecState*, Structure*) WTF_INTERNAL;
</span><span class="cx"> char* JIT_OPERATION operationNewArrayWithSize(ExecState*, Structure*, int32_t, Butterfly*) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationNewInt8ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationNewInt8ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationNewInt8ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationNewInt16ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationNewInt16ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationNewInt16ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationNewInt32ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationNewInt32ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationNewInt32ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationNewUint8ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationNewUint8ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationNewUint8ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationNewUint8ClampedArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationNewUint8ClampedArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationNewUint8ClampedArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationNewUint16ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationNewUint16ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationNewUint16ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationNewUint32ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationNewUint32ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationNewUint32ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationNewFloat32ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationNewFloat32ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationNewFloat32ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationNewFloat64ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationNewFloat64ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationNewFloat64ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
</span><span class="cx"> void JIT_OPERATION operationPutByValStrict(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue) WTF_INTERNAL;
</span><span class="cx"> void JIT_OPERATION operationPutByValNonStrict(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue) WTF_INTERNAL;
</span><span class="lines">@@ -198,7 +198,7 @@
</span><span class="cx">
</span><span class="cx"> } // extern "C"
</span><span class="cx">
</span><del>-inline P_JITOperation_EStZ operationNewTypedArrayWithSizeForType(TypedArrayType type)
</del><ins>+inline P_JITOperation_EStZP operationNewTypedArrayWithSizeForType(TypedArrayType type)
</ins><span class="cx"> {
</span><span class="cx"> switch (type) {
</span><span class="cx"> case TypeInt8:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -7180,6 +7180,8 @@
</span><span class="cx"> GPRReg scratchGPR2 = scratch2.gpr();
</span><span class="cx">
</span><span class="cx"> JITCompiler::JumpList slowCases;
</span><ins>+
+ m_jit.move(TrustedImmPtr(0), storageGPR);
</ins><span class="cx">
</span><span class="cx"> slowCases.append(m_jit.branch32(
</span><span class="cx"> MacroAssembler::Above, sizeGPR, TrustedImm32(JSArrayBufferView::fastSizeLimit)));
</span><span class="lines">@@ -7191,26 +7193,10 @@
</span><span class="cx"> m_jit.add32(TrustedImm32(7), scratchGPR);
</span><span class="cx"> m_jit.and32(TrustedImm32(~7), scratchGPR);
</span><span class="cx"> }
</span><del>- slowCases.append(
- emitAllocateBasicStorage(scratchGPR, storageGPR));
</del><ins>+ m_jit.emitAllocateVariableSized(
+ storageGPR, m_jit.vm()->heap.subspaceForAuxiliaryData(), scratchGPR, scratchGPR,
+ scratchGPR2, slowCases);
</ins><span class="cx">
</span><del>- m_jit.subPtr(scratchGPR, storageGPR);
-
- emitAllocateJSObject<JSArrayBufferView>(
- resultGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, scratchGPR2,
- slowCases);
-
- m_jit.storePtr(
- storageGPR,
- MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfVector()));
- m_jit.store32(
- sizeGPR,
- MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfLength()));
- m_jit.store32(
- TrustedImm32(FastTypedArray),
- MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfMode()));
-
-#if USE(JSVALUE32_64)
</del><span class="cx"> MacroAssembler::Jump done = m_jit.branchTest32(MacroAssembler::Zero, sizeGPR);
</span><span class="cx"> m_jit.move(sizeGPR, scratchGPR);
</span><span class="cx"> if (elementSize(type) != 4) {
</span><span class="lines">@@ -7230,11 +7216,24 @@
</span><span class="cx"> MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesFour));
</span><span class="cx"> m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit);
</span><span class="cx"> done.link(&m_jit);
</span><del>-#endif // USE(JSVALUE32_64)
</del><span class="cx">
</span><ins>+ emitAllocateJSObject<JSArrayBufferView>(
+ resultGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, scratchGPR2,
+ slowCases);
+
+ m_jit.storePtr(
+ storageGPR,
+ MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfVector()));
+ m_jit.store32(
+ sizeGPR,
+ MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfLength()));
+ m_jit.store32(
+ TrustedImm32(FastTypedArray),
+ MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfMode()));
+
</ins><span class="cx"> addSlowPathGenerator(slowPathCall(
</span><span class="cx"> slowCases, this, operationNewTypedArrayWithSizeForType(type),
</span><del>- resultGPR, structure, sizeGPR));
</del><ins>+ resultGPR, structure, sizeGPR, storageGPR));
</ins><span class="cx">
</span><span class="cx"> cellResult(resultGPR, node);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -988,19 +988,19 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure));
</span><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><del>- JITCompiler::Call callOperation(P_JITOperation_EStZ operation, GPRReg result, Structure* structure, GPRReg arg2)
</del><ins>+ JITCompiler::Call callOperation(P_JITOperation_EStZP operation, GPRReg result, Structure* structure, GPRReg arg2, GPRReg arg3)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), arg2);
</del><ins>+ m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), arg2, arg3);
</ins><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><del>- JITCompiler::Call callOperation(P_JITOperation_EStZ operation, GPRReg result, Structure* structure, size_t arg2)
</del><ins>+ JITCompiler::Call callOperation(P_JITOperation_EStZP operation, GPRReg result, Structure* structure, size_t arg2, GPRReg arg3)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), TrustedImm32(arg2));
</del><ins>+ m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), TrustedImm32(arg2), arg3);
</ins><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><del>- JITCompiler::Call callOperation(P_JITOperation_EStZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
</del><ins>+ JITCompiler::Call callOperation(P_JITOperation_EStZP operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
</ins><span class="cx"> {
</span><del>- m_jit.setupArgumentsWithExecState(arg1, arg2);
</del><ins>+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
</ins><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><span class="cx"> JITCompiler::Call callOperation(P_JITOperation_EStZB operation, GPRReg result, Structure* structure, GPRReg arg2, GPRReg butterfly)
</span><span class="lines">@@ -2550,31 +2550,6 @@
</span><span class="cx"> void moveFalseTo(GPRReg);
</span><span class="cx"> void blessBoolean(GPRReg);
</span><span class="cx">
</span><del>- // size can be an immediate or a register, and must be in bytes. If size is a register,
- // it must be a different register than resultGPR. Emits code that place a pointer to
- // the end of the allocation. The returned jump is the jump to the slow path.
- template<typename SizeType>
- MacroAssembler::Jump emitAllocateBasicStorage(SizeType size, GPRReg resultGPR)
- {
- CopiedAllocator* copiedAllocator = &m_jit.vm()->heap.storageAllocator();
-
- // It's invalid to allocate zero bytes in CopiedSpace.
-#ifndef NDEBUG
- m_jit.move(size, resultGPR);
- MacroAssembler::Jump nonZeroSize = m_jit.branchTest32(MacroAssembler::NonZero, resultGPR);
- m_jit.abortWithReason(DFGBasicStorageAllocatorZeroSize);
- nonZeroSize.link(&m_jit);
-#endif
-
- m_jit.loadPtr(&copiedAllocator->m_currentRemaining, resultGPR);
- MacroAssembler::Jump slowPath = m_jit.branchSubPtr(JITCompiler::Signed, size, resultGPR);
- m_jit.storePtr(resultGPR, &copiedAllocator->m_currentRemaining);
- m_jit.negPtr(resultGPR);
- m_jit.addPtr(JITCompiler::AbsoluteAddress(&copiedAllocator->m_currentPayloadEnd), resultGPR);
-
- return slowPath;
- }
-
</del><span class="cx"> // Allocator for a cell of a specific size.
</span><span class="cx"> template <typename StructureType> // StructureType can be GPR or ImmPtr.
</span><span class="cx"> void emitAllocateJSCell(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -4132,6 +4132,8 @@
</span><span class="cx"> LBasicBlock nonZeroCase = m_out.newBlock();
</span><span class="cx"> LBasicBlock slowCase = m_out.newBlock();
</span><span class="cx"> LBasicBlock continuation = m_out.newBlock();
</span><ins>+
+ ValueFromBlock noStorage = m_out.anchor(m_out.intPtrZero);
</ins><span class="cx">
</span><span class="cx"> m_out.branch(
</span><span class="cx"> m_out.above(size, m_out.constInt32(JSArrayBufferView::fastSizeLimit)),
</span><span class="lines">@@ -4151,8 +4153,19 @@
</span><span class="cx"> m_out.constIntPtr(~static_cast<intptr_t>(7)));
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LValue storage = allocateBasicStorage(byteSize, slowCase);
</del><ins>+ LValue allocator = allocatorForSize(
+ vm().heap.subspaceForAuxiliaryData(), byteSize, slowCase);
+ LValue storage = allocateHeapCell(allocator, slowCase);
+
+ splatWords(
+ storage,
+ m_out.int32Zero,
+ m_out.castToInt32(m_out.lShr(byteSize, m_out.constIntPtr(3))),
+ m_out.int64Zero,
+ m_heaps.typedArrayProperties);
</ins><span class="cx">
</span><ins>+ ValueFromBlock haveStorage = m_out.anchor(storage);
+
</ins><span class="cx"> LValue fastResultValue =
</span><span class="cx"> allocateObject<JSArrayBufferView>(structure, m_out.intPtrZero, slowCase);
</span><span class="cx">
</span><span class="lines">@@ -4159,19 +4172,21 @@
</span><span class="cx"> m_out.storePtr(storage, fastResultValue, m_heaps.JSArrayBufferView_vector);
</span><span class="cx"> m_out.store32(size, fastResultValue, m_heaps.JSArrayBufferView_length);
</span><span class="cx"> m_out.store32(m_out.constInt32(FastTypedArray), fastResultValue, m_heaps.JSArrayBufferView_mode);
</span><del>-
</del><ins>+
</ins><span class="cx"> ValueFromBlock fastResult = m_out.anchor(fastResultValue);
</span><span class="cx"> m_out.jump(continuation);
</span><span class="cx">
</span><span class="cx"> m_out.appendTo(slowCase, continuation);
</span><ins>+ LValue storageValue = m_out.phi(pointerType(), noStorage, haveStorage);
</ins><span class="cx">
</span><span class="cx"> LValue slowResultValue = lazySlowPath(
</span><span class="cx"> [=] (const Vector<Location>& locations) -> RefPtr<LazySlowPath::Generator> {
</span><span class="cx"> return createLazyCallGenerator(
</span><span class="cx"> operationNewTypedArrayWithSizeForType(type), locations[0].directGPR(),
</span><del>- CCallHelpers::TrustedImmPtr(structure), locations[1].directGPR());
</del><ins>+ CCallHelpers::TrustedImmPtr(structure), locations[1].directGPR(),
+ locations[2].directGPR());
</ins><span class="cx"> },
</span><del>- size);
</del><ins>+ size, storageValue);
</ins><span class="cx"> ValueFromBlock slowResult = m_out.anchor(slowResultValue);
</span><span class="cx"> m_out.jump(continuation);
</span><span class="cx">
</span><span class="lines">@@ -7785,6 +7800,11 @@
</span><span class="cx"> else
</span><span class="cx"> hole = m_out.constInt64(JSValue::encode(JSValue()));
</span><span class="cx">
</span><ins>+ splatWords(butterfly, begin, end, hole, heap->atAnyIndex());
+ }
+
+ void splatWords(LValue base, LValue begin, LValue end, LValue value, const AbstractHeap& heap)
+ {
</ins><span class="cx"> const uint64_t unrollingLimit = 10;
</span><span class="cx"> if (begin->hasInt() && end->hasInt()) {
</span><span class="cx"> uint64_t beginConst = static_cast<uint64_t>(begin->asInt());
</span><span class="lines">@@ -7791,25 +7811,28 @@
</span><span class="cx"> uint64_t endConst = static_cast<uint64_t>(end->asInt());
</span><span class="cx">
</span><span class="cx"> if (endConst - beginConst <= unrollingLimit) {
</span><del>- for (uint64_t i = beginConst; i < endConst; ++i)
- m_out.store64(hole, butterfly, heap->at(i));
</del><ins>+ for (uint64_t i = beginConst; i < endConst; ++i) {
+ LValue pointer = m_out.add(base, m_out.constIntPtr(i * sizeof(uint64_t)));
+ m_out.store64(value, TypedPointer(heap, pointer));
+ }
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- // Doubles must be initialized to PNaN.
</del><span class="cx"> LBasicBlock initLoop = m_out.newBlock();
</span><span class="cx"> LBasicBlock initDone = m_out.newBlock();
</span><span class="cx">
</span><ins>+ LBasicBlock lastNext = m_out.insertNewBlocksBefore(initLoop);
+
</ins><span class="cx"> ValueFromBlock originalIndex = m_out.anchor(end);
</span><del>- ValueFromBlock originalPointer = m_out.anchor(butterfly);
</del><ins>+ ValueFromBlock originalPointer = m_out.anchor(base);
</ins><span class="cx"> m_out.branch(m_out.notEqual(end, begin), unsure(initLoop), unsure(initDone));
</span><span class="cx">
</span><del>- LBasicBlock initLastNext = m_out.appendTo(initLoop, initDone);
</del><ins>+ m_out.appendTo(initLoop, initDone);
</ins><span class="cx"> LValue index = m_out.phi(Int32, originalIndex);
</span><span class="cx"> LValue pointer = m_out.phi(pointerType(), originalPointer);
</span><span class="cx">
</span><del>- m_out.store64(hole, TypedPointer(heap->atAnyIndex(), pointer));
</del><ins>+ m_out.store64(value, TypedPointer(heap, pointer));
</ins><span class="cx">
</span><span class="cx"> LValue nextIndex = m_out.sub(index, m_out.int32One);
</span><span class="cx"> m_out.addIncomingToPhi(index, m_out.anchor(nextIndex));
</span><span class="lines">@@ -7817,7 +7840,7 @@
</span><span class="cx"> m_out.branch(
</span><span class="cx"> m_out.notEqual(nextIndex, begin), unsure(initLoop), unsure(initDone));
</span><span class="cx">
</span><del>- m_out.appendTo(initDone, initLastNext);
</del><ins>+ m_out.appendTo(initDone, lastNext);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> LValue allocatePropertyStorage(LValue object, Structure* previousStructure)
</span><span class="lines">@@ -8595,32 +8618,6 @@
</span><span class="cx"> return allocateObject(allocator, structure, butterfly, slowPath);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- // Returns a pointer to the end of the allocation.
- LValue allocateBasicStorageAndGetEnd(LValue size, LBasicBlock slowPath)
- {
- CopiedAllocator& allocator = vm().heap.storageAllocator();
-
- LBasicBlock success = m_out.newBlock();
-
- LValue remaining = m_out.loadPtr(m_out.absolute(&allocator.m_currentRemaining));
- LValue newRemaining = m_out.sub(remaining, size);
-
- m_out.branch(
- m_out.lessThan(newRemaining, m_out.intPtrZero),
- rarely(slowPath), usually(success));
-
- m_out.appendTo(success);
-
- m_out.storePtr(newRemaining, m_out.absolute(&allocator.m_currentRemaining));
- return m_out.sub(
- m_out.loadPtr(m_out.absolute(&allocator.m_currentPayloadEnd)), newRemaining);
- }
-
- LValue allocateBasicStorage(LValue size, LBasicBlock slowPath)
- {
- return m_out.sub(allocateBasicStorageAndGetEnd(size, slowPath), size);
- }
-
</del><span class="cx"> LValue allocateObject(Structure* structure)
</span><span class="cx"> {
</span><span class="cx"> size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCopyTokenh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/CopyToken.h (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CopyToken.h 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/heap/CopyToken.h 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> enum CopyToken {
</span><del>- TypedArrayVectorCopyToken,
</del><span class="cx"> MapBackingStoreCopyToken,
</span><span class="cx"> DirectArgumentsOverridesCopyToken
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapSlotVisitorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -247,6 +247,8 @@
</span><span class="cx"> {
</span><span class="cx"> HeapCell* cell = bitwise_cast<HeapCell*>(base);
</span><span class="cx">
</span><ins>+ ASSERT(cell->heap() == heap());
+
</ins><span class="cx"> if (Heap::testAndSetMarked(m_version, cell)) {
</span><span class="cx"> RELEASE_ASSERT(Heap::isMarked(cell));
</span><span class="cx"> return;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.h (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.h 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.h 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -291,6 +291,7 @@
</span><span class="cx"> typedef char* (JIT_OPERATION *P_JITOperation_EStSS)(ExecState*, Structure*, size_t, size_t);
</span><span class="cx"> typedef char* (JIT_OPERATION *P_JITOperation_EStZ)(ExecState*, Structure*, int32_t);
</span><span class="cx"> typedef char* (JIT_OPERATION *P_JITOperation_EStZB)(ExecState*, Structure*, int32_t, Butterfly*);
</span><ins>+typedef char* (JIT_OPERATION *P_JITOperation_EStZP)(ExecState*, Structure*, int32_t, char*);
</ins><span class="cx"> typedef char* (JIT_OPERATION *P_JITOperation_EZZ)(ExecState*, int32_t, int32_t);
</span><span class="cx"> typedef SlowPathReturnType (JIT_OPERATION *Sprt_JITOperation_ECli)(ExecState*, CallLinkInfo*);
</span><span class="cx"> typedef StringImpl* (JIT_OPERATION *T_JITOperation_EJss)(ExecState*, JSString*);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferViewcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -42,6 +42,17 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSArrayBufferView::ConstructionContext::ConstructionContext(
</span><ins>+ Structure* structure, uint32_t length, void* vector)
+ : m_structure(structure)
+ , m_vector(vector)
+ , m_length(length)
+ , m_mode(FastTypedArray)
+ , m_butterfly(nullptr)
+{
+ RELEASE_ASSERT(length <= fastSizeLimit);
+}
+
+JSArrayBufferView::ConstructionContext::ConstructionContext(
</ins><span class="cx"> VM& vm, Structure* structure, uint32_t length, uint32_t elementSize,
</span><span class="cx"> InitializationMode mode)
</span><span class="cx"> : m_structure(0)
</span><span class="lines">@@ -50,23 +61,24 @@
</span><span class="cx"> {
</span><span class="cx"> if (length <= fastSizeLimit) {
</span><span class="cx"> // Attempt GC allocation.
</span><del>- void* temp = 0;
</del><ins>+ void* temp;
</ins><span class="cx"> size_t size = sizeOf(length, elementSize);
</span><del>- // CopiedSpace only allows non-zero size allocations.
- if (size && !vm.heap.tryAllocateStorage(0, size, &temp))
- return;
</del><ins>+ if (size) {
+ temp = vm.heap.tryAllocateAuxiliary(nullptr, size);
+ if (!temp)
+ return;
+ } else
+ temp = nullptr;
</ins><span class="cx">
</span><span class="cx"> m_structure = structure;
</span><span class="cx"> m_vector = temp;
</span><span class="cx"> m_mode = FastTypedArray;
</span><span class="cx">
</span><del>-#if USE(JSVALUE32_64)
</del><span class="cx"> if (mode == ZeroFill) {
</span><span class="cx"> uint64_t* asWords = static_cast<uint64_t*>(m_vector);
</span><span class="cx"> for (unsigned i = size / sizeof(uint64_t); i--;)
</span><span class="cx"> asWords[i] = 0;
</span><span class="cx"> }
</span><del>-#endif // USE(JSVALUE32_64)
</del><span class="cx">
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="lines">@@ -118,7 +130,7 @@
</span><span class="cx"> , m_length(context.length())
</span><span class="cx"> , m_mode(context.mode())
</span><span class="cx"> {
</span><del>- m_vector.setWithoutBarrier(static_cast<char*>(context.vector()));
</del><ins>+ m_vector.setWithoutBarrier(context.vector());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JSArrayBufferView::finishCreation(VM& vm)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferViewh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -26,7 +26,7 @@
</span><span class="cx"> #ifndef JSArrayBufferView_h
</span><span class="cx"> #define JSArrayBufferView_h
</span><span class="cx">
</span><del>-#include "CopyBarrier.h"
</del><ins>+#include "AuxiliaryBarrier.h"
</ins><span class="cx"> #include "JSObject.h"
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="lines">@@ -119,6 +119,9 @@
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE ConstructionContext(VM&, Structure*, uint32_t length, uint32_t elementSize, InitializationMode = ZeroFill);
</span><span class="cx">
</span><ins>+ // This is only for constructing fast typed arrays. It's used by the JIT's slow path.
+ ConstructionContext(Structure*, uint32_t length, void* vector);
+
</ins><span class="cx"> JS_EXPORT_PRIVATE ConstructionContext(
</span><span class="cx"> VM&, Structure*, PassRefPtr<ArrayBuffer>,
</span><span class="cx"> unsigned byteOffset, unsigned length);
</span><span class="lines">@@ -182,7 +185,7 @@
</span><span class="cx">
</span><span class="cx"> static String toStringName(const JSObject*, ExecState*);
</span><span class="cx">
</span><del>- CopyBarrier<char> m_vector; // this is really a void*, but void would not work here.
</del><ins>+ AuxiliaryBarrier<void*> m_vector;
</ins><span class="cx"> uint32_t m_length;
</span><span class="cx"> TypedArrayMode m_mode;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -106,6 +106,7 @@
</span><span class="cx">
</span><span class="cx"> public:
</span><span class="cx"> static JSGenericTypedArrayView* create(ExecState*, Structure*, unsigned length);
</span><ins>+ static JSGenericTypedArrayView* createWithFastVector(ExecState*, Structure*, unsigned length, void* vector);
</ins><span class="cx"> static JSGenericTypedArrayView* createUninitialized(ExecState*, Structure*, unsigned length);
</span><span class="cx"> static JSGenericTypedArrayView* create(ExecState*, Structure*, PassRefPtr<ArrayBuffer>, unsigned byteOffset, unsigned length);
</span><span class="cx"> static JSGenericTypedArrayView* create(VM&, Structure*, PassRefPtr<typename Adaptor::ViewType> impl);
</span><span class="lines">@@ -287,7 +288,6 @@
</span><span class="cx">
</span><span class="cx"> static size_t estimatedSize(JSCell*);
</span><span class="cx"> static void visitChildren(JSCell*, SlotVisitor&);
</span><del>- static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
</del><span class="cx">
</span><span class="cx"> // Allocates the full-on native buffer and moves data into the C heap if
</span><span class="cx"> // necessary. Note that this never allocates in the GC heap.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (205493 => 205494)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h 2016-09-06 18:16:07 UTC (rev 205493)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h 2016-09-06 18:18:10 UTC (rev 205494)
</span><span class="lines">@@ -63,6 +63,20 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename Adaptor>
</span><ins>+JSGenericTypedArrayView<Adaptor>* JSGenericTypedArrayView<Adaptor>::createWithFastVector(
+ ExecState* exec, Structure* structure, unsigned length, void* vector)
+{
+ VM& vm = exec->vm();
+ ConstructionContext context(structure, length, vector);
+ RELEASE_ASSERT(context);
+ JSGenericTypedArrayView* result =
+ new (NotNull, allocateCell<JSGenericTypedArrayView>(vm.heap))
+ JSGenericTypedArrayView(vm, context);
+ result->finishCreation(vm);
+ return result;
+}
+
+template<typename Adaptor>
</ins><span class="cx"> JSGenericTypedArrayView<Adaptor>* JSGenericTypedArrayView<Adaptor>::createUninitialized(
</span><span class="cx"> ExecState* exec, Structure* structure, unsigned length)
</span><span class="cx"> {
</span><span class="lines">@@ -463,7 +477,7 @@
</span><span class="cx"> switch (thisObject->m_mode) {
</span><span class="cx"> case FastTypedArray: {
</span><span class="cx"> if (thisObject->m_vector)
</span><del>- visitor.copyLater(thisObject, TypedArrayVectorCopyToken, thisObject->m_vector.get(), thisObject->byteSize());
</del><ins>+ visitor.markAuxiliary(thisObject->m_vector.get());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -484,25 +498,6 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename Adaptor>
</span><del>-void JSGenericTypedArrayView<Adaptor>::copyBackingStore(
- JSCell* cell, CopyVisitor& visitor, CopyToken token)
-{
- JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell);
-
- if (token == TypedArrayVectorCopyToken
- && visitor.checkIfShouldCopy(thisObject->m_vector.get())) {
- ASSERT(thisObject->m_vector);
- void* oldVector = thisObject->vector();
- void* newVector = visitor.allocateNewSpace(thisObject->byteSize());
- memcpy(newVector, oldVector, thisObject->byteSize());
- thisObject->m_vector.setWithoutBarrier(static_cast<char*>(newVector));
- visitor.didCopy(oldVector, thisObject->byteSize());
- }
-
- Base::copyBackingStore(thisObject, visitor, token);
-}
-
-template<typename Adaptor>
</del><span class="cx"> ArrayBuffer* JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory(JSArrayBufferView* object)
</span><span class="cx"> {
</span><span class="cx"> JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(object);
</span><span class="lines">@@ -550,7 +545,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> thisObject->butterfly()->indexingHeader()->setArrayBuffer(buffer.get());
</span><del>- thisObject->m_vector.setWithoutBarrier(static_cast<char*>(buffer->data()));
</del><ins>+ thisObject->m_vector.setWithoutBarrier(buffer->data());
</ins><span class="cx"> thisObject->m_mode = WastefulTypedArray;
</span><span class="cx"> heap->addReference(thisObject, buffer.get());
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>