<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[205730] releases/WebKitGTK/webkit-2.14</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/205730">205730</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-09-09 03:15:09 -0700 (Fri, 09 Sep 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/205520">r205520</a> - Make JSMap and JSSet faster
https://bugs.webkit.org/show_bug.cgi?id=160989
Reviewed by Filip Pizlo.
JSTests:
* microbenchmarks/dense-set.js: Added.
(bench):
* microbenchmarks/large-map-iteration-with-additions.js: Added.
(bar):
(foo):
* microbenchmarks/large-map-iteration-with-mutation.js: Added.
(bar):
(foo):
* microbenchmarks/large-map-iteration.js: Added.
(bar):
(foo):
* microbenchmarks/map-get-get-cse.js: Added.
(bar):
(foo):
* microbenchmarks/map-has-get-cse-opportunity.js: Added.
(bar):
(foo):
* microbenchmarks/sparse-set.js: Added.
(bench):
* stress/map-cse-correctness.js: Added.
(assert):
(testHas):
(testGet):
(foo):
* stress/map-iteration.js: Added.
(assert):
(test1):
(test2):
(test3):
(test4):
(test5):
(test6):
(test7):
(test8):
(test9):
(test10):
(test11):
(test12):
(test13):
(test14):
(test15):
(test16):
(test17):
(test18):
Source/JavaScriptCore:
This patch revamps how we implement Map and Set. It uses
a new hash map implementation. The hash map uses linear
probing and it uses Wang's 64 bit hash function for JSValues
that aren't strings. Strings use StringImpl's hash function.
The reason I wanted to roll our own HashTable is twofold:
I didn't want to inline WTF::HashMap's implementation into our
JIT, since that seems error prone and unmaintainable. Also, I wanted
a different structure for hash map buckets where buckets also exist in
a linked list.
The reason for making buckets part of a linked list is that iteration
is now simple. Iteration works by just traversing a linked list.
This design also allows for a simple implementation when doing iteration
while the hash table is mutating. Whenever we remove a bucket from
the hash table, it is removed from the list, meaning items in the
list don't point to it. However, the removed bucket will still point
to things that are either in the list, or have also been removed.
e.g, from a removed bucket, you can always follow pointers until you
either find an item in the list, or you find the tail of the list.
This is a really nice property because it means that a Map or Set
does not need to reason about the all the iterators that point
into its list. Also, whenever we add items to the Map or Set, we
hijack the tail as the new item, and make the new item point to a newly
created tail. This means that any iterator that pointed to the "tail" now
points to non-tail items. This makes the implementation of adding things
to the Map/Set while iterating easy.
I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
into intrinsics in the DFG. The IR can now reason about hash map
operations and can even do CSE over Wang's hash function, hash map
bucket lookups, hash map bucket loads, and testing if a key is in
the hash table. This makes code patterns for Map like so, super fast
in the FTL, since we will only be doing a single hash and hash bucket lookup:
```
function getKeyIfPresent(map, key) {
if (map.has(key))
return map.get(key);
}
```
This patch is roughly an 8% speedup on ES6SampleBench.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::not64):
* bytecode/SpeculatedType.cpp:
(JSC::speculationFromClassInfo):
* bytecode/SpeculatedType.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGEdge.h:
(JSC::DFG::Edge::shift):
(JSC::DFG::Edge::makeWord):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateMapObject):
(JSC::DFG::SpeculativeJIT::speculateSetObject):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
(JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
(JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
(JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
(JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::wangsInt64Hash):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
* jit/JITOperations.h:
* parser/ModuleAnalyzer.cpp:
(JSC::ModuleAnalyzer::ModuleAnalyzer):
* runtime/HashMapImpl.cpp: Added.
(JSC::HashMapBucket<Data>::visitChildren):
(JSC::HashMapImpl<HashMapBucket>::visitChildren):
(JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
* runtime/HashMapImpl.h: Added.
(JSC::HashMapBucket::selectStructure):
(JSC::HashMapBucket::createStructure):
(JSC::HashMapBucket::create):
(JSC::HashMapBucket::HashMapBucket):
(JSC::HashMapBucket::setNext):
(JSC::HashMapBucket::setPrev):
(JSC::HashMapBucket::setKey):
(JSC::HashMapBucket::setValue):
(JSC::HashMapBucket::key):
(JSC::HashMapBucket::value):
(JSC::HashMapBucket::next):
(JSC::HashMapBucket::prev):
(JSC::HashMapBucket::deleted):
(JSC::HashMapBucket::setDeleted):
(JSC::HashMapBucket::offsetOfKey):
(JSC::HashMapBucket::offsetOfValue):
(JSC::HashMapBuffer::allocationSize):
(JSC::HashMapBuffer::buffer):
(JSC::HashMapBuffer::create):
(JSC::areKeysEqual):
(JSC::normalizeMapKey):
(JSC::jsMapHash):
(JSC::HashMapImpl::selectStructure):
(JSC::HashMapImpl::createStructure):
(JSC::HashMapImpl::create):
(JSC::HashMapImpl::HashMapImpl):
(JSC::HashMapImpl::buffer):
(JSC::HashMapImpl::finishCreation):
(JSC::HashMapImpl::emptyValue):
(JSC::HashMapImpl::isEmpty):
(JSC::HashMapImpl::deletedValue):
(JSC::HashMapImpl::isDeleted):
(JSC::HashMapImpl::findBucket):
(JSC::HashMapImpl::get):
(JSC::HashMapImpl::has):
(JSC::HashMapImpl::add):
(JSC::HashMapImpl::remove):
(JSC::HashMapImpl::size):
(JSC::HashMapImpl::clear):
(JSC::HashMapImpl::bufferSizeInBytes):
(JSC::HashMapImpl::offsetOfBuffer):
(JSC::HashMapImpl::offsetOfCapacity):
(JSC::HashMapImpl::head):
(JSC::HashMapImpl::tail):
(JSC::HashMapImpl::approximateSize):
(JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
(JSC::HashMapImpl::rehash):
(JSC::HashMapImpl::makeAndSetNewBuffer):
* runtime/Intrinsic.h:
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::sameValue):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSMap.cpp:
(JSC::JSMap::destroy): Deleted.
(JSC::JSMap::estimatedSize): Deleted.
(JSC::JSMap::visitChildren): Deleted.
(JSC::JSMap::copyBackingStore): Deleted.
(JSC::JSMap::has): Deleted.
(JSC::JSMap::size): Deleted.
(JSC::JSMap::get): Deleted.
(JSC::JSMap::set): Deleted.
(JSC::JSMap::clear): Deleted.
(JSC::JSMap::remove): Deleted.
* runtime/JSMap.h:
(JSC::JSMap::createStructure):
(JSC::JSMap::create):
(JSC::JSMap::get):
(JSC::JSMap::set):
(JSC::JSMap::JSMap):
(JSC::JSMap::Entry::key): Deleted.
(JSC::JSMap::Entry::value): Deleted.
(JSC::JSMap::Entry::visitChildren): Deleted.
(JSC::JSMap::Entry::setKey): Deleted.
(JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
(JSC::JSMap::Entry::setValue): Deleted.
(JSC::JSMap::Entry::clear): Deleted.
* runtime/JSMapIterator.cpp:
(JSC::JSMapIterator::finishCreation):
(JSC::JSMapIterator::visitChildren):
(JSC::JSMapIterator::clone):
* runtime/JSMapIterator.h:
(JSC::JSMapIterator::advanceIter):
(JSC::JSMapIterator::next):
(JSC::JSMapIterator::nextKeyValue):
(JSC::JSMapIterator::JSMapIterator):
(JSC::JSMapIterator::setIterator):
(JSC::JSMapIterator::finish): Deleted.
(JSC::JSMapIterator::iteratorData): Deleted.
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::finishCreation):
* runtime/JSModuleLoader.h:
(JSC::JSModuleLoader::create):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::finishCreation):
* runtime/JSModuleRecord.h:
(JSC::JSModuleRecord::create):
* runtime/JSSet.cpp:
(JSC::JSSet::destroy): Deleted.
(JSC::JSSet::estimatedSize): Deleted.
(JSC::JSSet::visitChildren): Deleted.
(JSC::JSSet::copyBackingStore): Deleted.
(JSC::JSSet::has): Deleted.
(JSC::JSSet::size): Deleted.
(JSC::JSSet::add): Deleted.
(JSC::JSSet::clear): Deleted.
(JSC::JSSet::remove): Deleted.
* runtime/JSSet.h:
(JSC::JSSet::createStructure):
(JSC::JSSet::create):
(JSC::JSSet::add):
(JSC::JSSet::JSSet):
(JSC::JSSet::Entry::key): Deleted.
(JSC::JSSet::Entry::value): Deleted.
(JSC::JSSet::Entry::visitChildren): Deleted.
(JSC::JSSet::Entry::setKey): Deleted.
(JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
(JSC::JSSet::Entry::setValue): Deleted.
(JSC::JSSet::Entry::clear): Deleted.
* runtime/JSSetIterator.cpp:
(JSC::JSSetIterator::finishCreation):
(JSC::JSSetIterator::visitChildren):
(JSC::JSSetIterator::clone):
* runtime/JSSetIterator.h:
(JSC::JSSetIterator::advanceIter):
(JSC::JSSetIterator::next):
(JSC::JSSetIterator::JSSetIterator):
(JSC::JSSetIterator::setIterator):
(JSC::JSSetIterator::finish): Deleted.
(JSC::JSSetIterator::iteratorData): Deleted.
* runtime/JSType.h:
* runtime/MapBase.cpp: Added.
(JSC::MapBase<HashMapBucketType>::visitChildren):
(JSC::MapBase<HashMapBucketType>::estimatedSize):
* runtime/MapBase.h: Added.
(JSC::MapBase::size):
(JSC::MapBase::has):
(JSC::MapBase::clear):
(JSC::MapBase::remove):
(JSC::MapBase::findBucket):
(JSC::MapBase::offsetOfHashMapImpl):
(JSC::MapBase::impl):
(JSC::MapBase::finishCreation):
(JSC::MapBase::MapBase):
* runtime/MapConstructor.cpp:
(JSC::constructMap):
* runtime/MapIteratorPrototype.cpp:
(JSC::MapIteratorPrototypeFuncNext):
* runtime/MapPrototype.cpp:
(JSC::MapPrototype::finishCreation):
(JSC::getMap):
(JSC::privateFuncIsMap):
(JSC::privateFuncMapIteratorNext):
* runtime/PropertyDescriptor.cpp:
(JSC::sameValue): Deleted.
* runtime/PropertyDescriptor.h:
* runtime/SetConstructor.cpp:
(JSC::constructSet):
* runtime/SetIteratorPrototype.cpp:
(JSC::SetIteratorPrototypeFuncNext):
* runtime/SetPrototype.cpp:
(JSC::SetPrototype::finishCreation):
(JSC::getSet):
(JSC::privateFuncSetIteratorNext):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
Source/WebCore:
* ForwardingHeaders/runtime/HashMapImpl.h: Added.
* ForwardingHeaders/runtime/MapBase.h: Added.
* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::deserialize):
Source/WTF:
I made s_flagCount public in StringImpl since JSC's JITs now use this field.
* wtf/text/StringImpl.h:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214JSTestsChangeLog">releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreCMakeListstxt">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreassemblerMacroAssemblerARM64h">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCorebytecodeSpeculatedTypecpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/bytecode/SpeculatedType.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCorebytecodeSpeculatedTypeh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/bytecode/SpeculatedType.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGByteCodeParsercpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGClobberizeh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGDoesGCcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGEdgeh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGEdge.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGFixupPhasecpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGHeapLocationcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGHeapLocationh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGHeapLocation.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGNodeh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGNodeTypeh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGOperationscpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGOperationsh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGOperations.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSafeToExecuteh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSpeculativeJITcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSpeculativeJITh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGUseKindcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGUseKind.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGUseKindh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGUseKind.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreftlFTLAbstractHeapRepositoryh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreftlFTLCapabilitiescpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreftlFTLLowerDFGToB3cpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCorejitAssemblyHelperscpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/AssemblyHelpers.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCorejitAssemblyHelpersh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/AssemblyHelpers.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCorejitJITOperationsh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreparserModuleAnalyzercpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/parser/ModuleAnalyzer.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeIntrinsich">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/Intrinsic.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSCJSValueh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSCJSValue.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSCJSValueInlinesh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSCJSValueInlines.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSGlobalObjectcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSMapcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMap.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSMaph">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMap.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSMapIteratorcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMapIterator.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSMapIteratorh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMapIterator.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSModuleLoadercpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSModuleLoaderh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleLoader.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSModuleRecordcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleRecord.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSModuleRecordh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleRecord.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSSetcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSet.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSSeth">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSet.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSSetIteratorcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSetIterator.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSSetIteratorh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSetIterator.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSTypeh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSType.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapConstructorcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapConstructor.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapIteratorPrototypecpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapPrototypecpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapPrototype.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimePropertyDescriptorcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/PropertyDescriptor.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimePropertyDescriptorh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/PropertyDescriptor.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeSetConstructorcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetConstructor.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeSetIteratorPrototypecpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeSetPrototypecpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetPrototype.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeVMcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/VM.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeVMh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWTFChangeLog">releases/WebKitGTK/webkit-2.14/Source/WTF/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWTFwtftextStringImplh">releases/WebKitGTK/webkit-2.14/Source/WTF/wtf/text/StringImpl.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorebindingsjsSerializedScriptValuecpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/SerializedScriptValue.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214JSTestsmicrobenchmarksdensesetjs">releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/dense-set.js</a></li>
<li><a href="#releasesWebKitGTKwebkit214JSTestsmicrobenchmarkslargemapiterationwithadditionsjs">releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration-with-additions.js</a></li>
<li><a href="#releasesWebKitGTKwebkit214JSTestsmicrobenchmarkslargemapiterationwithmutationjs">releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration-with-mutation.js</a></li>
<li><a href="#releasesWebKitGTKwebkit214JSTestsmicrobenchmarkslargemapiterationjs">releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration.js</a></li>
<li><a href="#releasesWebKitGTKwebkit214JSTestsmicrobenchmarksmapgetgetcsejs">releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/map-get-get-cse.js</a></li>
<li><a href="#releasesWebKitGTKwebkit214JSTestsmicrobenchmarksmaphasgetcseopportunityjs">releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/map-has-get-cse-opportunity.js</a></li>
<li><a href="#releasesWebKitGTKwebkit214JSTestsmicrobenchmarkssparsesetjs">releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/sparse-set.js</a></li>
<li><a href="#releasesWebKitGTKwebkit214JSTestsstressmapcsecorrectnessjs">releases/WebKitGTK/webkit-2.14/JSTests/stress/map-cse-correctness.js</a></li>
<li><a href="#releasesWebKitGTKwebkit214JSTestsstressmapiterationjs">releases/WebKitGTK/webkit-2.14/JSTests/stress/map-iteration.js</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeHashMapImplcpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/HashMapImpl.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeHashMapImplh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/HashMapImpl.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapBasecpp">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapBase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapBaseh">releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapBase.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreForwardingHeadersruntimeHashMapImplh">releases/WebKitGTK/webkit-2.14/Source/WebCore/ForwardingHeaders/runtime/HashMapImpl.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreForwardingHeadersruntimeMapBaseh">releases/WebKitGTK/webkit-2.14/Source/WebCore/ForwardingHeaders/runtime/MapBase.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit214JSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,3 +1,55 @@
</span><ins>+2016-09-06 Saam Barati <sbarati@apple.com>
+
+ Make JSMap and JSSet faster
+ https://bugs.webkit.org/show_bug.cgi?id=160989
+
+ Reviewed by Filip Pizlo.
+
+ * microbenchmarks/dense-set.js: Added.
+ (bench):
+ * microbenchmarks/large-map-iteration-with-additions.js: Added.
+ (bar):
+ (foo):
+ * microbenchmarks/large-map-iteration-with-mutation.js: Added.
+ (bar):
+ (foo):
+ * microbenchmarks/large-map-iteration.js: Added.
+ (bar):
+ (foo):
+ * microbenchmarks/map-get-get-cse.js: Added.
+ (bar):
+ (foo):
+ * microbenchmarks/map-has-get-cse-opportunity.js: Added.
+ (bar):
+ (foo):
+ * microbenchmarks/sparse-set.js: Added.
+ (bench):
+ * stress/map-cse-correctness.js: Added.
+ (assert):
+ (testHas):
+ (testGet):
+ (foo):
+ * stress/map-iteration.js: Added.
+ (assert):
+ (test1):
+ (test2):
+ (test3):
+ (test4):
+ (test5):
+ (test6):
+ (test7):
+ (test8):
+ (test9):
+ (test10):
+ (test11):
+ (test12):
+ (test13):
+ (test14):
+ (test15):
+ (test16):
+ (test17):
+ (test18):
+
</ins><span class="cx"> 2016-09-06 Benjamin Poulain <bpoulain@apple.com>
</span><span class="cx">
</span><span class="cx"> [JSC] Make ArithClz32 work with Cell arguments
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214JSTestsmicrobenchmarksdensesetjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/dense-set.js (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/dense-set.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/dense-set.js 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+(function() {
+
+ function bench(name, f, arg) {
+ var start = new Date;
+ var result = f(arg);
+ var end = new Date;
+ const verbose = false;
+ if (verbose)
+ print(name + " " + result + " " + (end-start) + "ms");
+ }
+
+ var denseSet = new Set;
+ var excludeSet = [123, 1230, 12300, 123000, 234, 2340, 23400];
+ for (var idx = 0; idx < 5e6; ++idx) {
+ if (excludeSet.includes(idx))
+ continue;
+ denseSet.add(idx);
+ }
+
+ bench("Dense Set Property Existence", function(s) {
+ var count = 0;
+ for (var i = 0; i < 5e6; ++i)
+ if (s.has(i))
+ count++
+ return count;
+ }, denseSet);
+
+})();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214JSTestsmicrobenchmarkslargemapiterationwithadditionsjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration-with-additions.js (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration-with-additions.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration-with-additions.js 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+let counter = 0;
+function bar(map) {
+ for (let [key, value] of map) {
+ if (Math.random() > 0.95) {
+ map.set("" + counter, counter);
+ ++counter;
+ }
+ }
+}
+noInline(bar);
+
+function foo() {
+ let map = new Map;
+ for (let i = 0; i < 1000; i++)
+ map.set(i, i+1);
+
+ let start = Date.now();
+ for (let i = 0; i < 100; i++)
+ bar(map);
+ const verbose = false;
+ if (verbose)
+ print(Date.now() - start);
+
+}
+foo();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214JSTestsmicrobenchmarkslargemapiterationwithmutationjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration-with-mutation.js (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration-with-mutation.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration-with-mutation.js 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+function bar(map) {
+ for (let [key, value] of map) {
+ if (value - 1 !== key)
+ throw new Error("Bad iteration!");
+ if (Math.random() > 0.95) {
+ map.delete(key);
+ }
+ }
+}
+noInline(bar);
+
+function foo() {
+ let map = new Map;
+ for (let i = 0; i < 80000; i++)
+ map.set(i, i+1);
+
+ let start = Date.now();
+ for (let i = 0; i < 100; i++)
+ bar(map);
+ const verbose = false;
+ if (verbose)
+ print(Date.now() - start);
+
+}
+foo();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214JSTestsmicrobenchmarkslargemapiterationjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration.js (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/large-map-iteration.js 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+function bar(map) {
+ for (let [key, value] of map) {
+ if (value - 1 !== key)
+ throw new Error("Bad iteration!");
+ }
+}
+noInline(bar);
+
+function foo() {
+ let map = new Map;
+ for (let i = 0; i < 10000; i++)
+ map.set(i, i+1);
+
+ let start = Date.now();
+ for (let i = 0; i < 100; i++)
+ bar(map);
+ const verbose = false;
+ if (verbose)
+ print(Date.now() - start);
+
+}
+foo();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214JSTestsmicrobenchmarksmapgetgetcsejs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/map-get-get-cse.js (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/map-get-get-cse.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/map-get-get-cse.js 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,27 @@
</span><ins>+function bar(map, p) {
+ return map.get(p) + map.get(p);
+}
+noInline(bar);
+
+function foo() {
+ let map = new Map;
+ let items = [
+ [10, 50],
+ ["450", 78],
+ [{}, {}],
+ [Symbol(), true],
+ [undefined, null],
+ [true, null],
+ [false, true],
+ [45.87, {}]
+ ];
+ for (let [key, value] of items)
+ map.set(key, value);
+ let start = Date.now();
+ for (let i = 0; i < 5000000; i++)
+ bar(map, items[i % items.length][0]);
+ const verbose = false;
+ if (verbose)
+ print(Date.now() - start);
+}
+foo();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214JSTestsmicrobenchmarksmaphasgetcseopportunityjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/map-has-get-cse-opportunity.js (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/map-has-get-cse-opportunity.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/map-has-get-cse-opportunity.js 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+function bar(map, p) {
+ if (map.has(p))
+ return map.get(p);
+}
+noInline(bar);
+
+function foo() {
+ let map = new Map;
+ let items = [
+ [10, 50],
+ ["450", 78],
+ [{}, {}],
+ [Symbol(), true],
+ [undefined, null],
+ [true, null],
+ [false, true],
+ [45.87, {}]
+ ];
+ for (let [key, value] of items)
+ map.set(key, value);
+ let start = Date.now();
+ for (let i = 0; i < 5000000; i++)
+ bar(map, items[i % items.length][0]);
+ const verbose = false;
+ if (verbose)
+ print(Date.now() - start);
+}
+foo();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214JSTestsmicrobenchmarkssparsesetjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/sparse-set.js (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/sparse-set.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/microbenchmarks/sparse-set.js 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+(function() {
+
+ function bench(name, f, arg) {
+ var start = new Date;
+ var result = f(arg);
+ var end = new Date;
+ const verbose = false;
+ if (verbose)
+ print(name + " " + result + " " + (end-start) + "ms");
+ }
+
+
+ var sparseSet = new Set;
+ for (var x of [123, 1230, 12300, 123000, 234, 2340, 23400]) {
+ sparseSet.add(x);
+ }
+
+ bench("Sparse Set Property Existence", function(s) {
+ var count = 0;
+ for (var i = 0; i < 5e6; ++i)
+ if (s.has(i))
+ count++
+ return count;
+ }, sparseSet);
+})();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214JSTestsstressmapcsecorrectnessjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/JSTests/stress/map-cse-correctness.js (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/stress/map-cse-correctness.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/stress/map-cse-correctness.js 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,66 @@
</span><ins>+function assert(b) {
+ if (!b)
+ throw new Error("Bad result!");
+}
+noInline(assert);
+
+function testHas(map, key, f) {
+ let first = map.has(key);
+ f();
+ let second = map.has(key);
+ return {first, second};
+}
+noInline(testHas);
+
+function testGet(map, key, f) {
+ let first = map.get(key);
+ f();
+ let second = map.get(key);
+ return {first, second};
+}
+noInline(testGet);
+
+function foo() {
+ let map = new Map;
+ for (let i = 0; i < 100000; i++) {
+ let key = i;
+ map.set(key, key);
+ let f = () => map.delete(key);
+ noInline(f);
+ let {first, second} = testHas(map, key, f);
+ assert(first);
+ assert(!second);
+ }
+ for (let i = 0; i < 100000; i++) {
+ let key = i;
+ map.set(key, key);
+ let f = () => {};
+ noInline(f);
+ let {first, second} = testHas(map, key, f);
+ assert(first);
+ assert(second);
+ }
+
+
+ for (let i = 0; i < 100000; i++) {
+ let key = i;
+ let value = {};
+ map.set(key, value);
+ let f = () => map.delete(key);
+ noInline(f);
+ let {first, second} = testGet(map, key, f);
+ assert(first === value);
+ assert(second === undefined);
+ }
+ for (let i = 0; i < 100000; i++) {
+ let key = i;
+ let value = {};
+ map.set(key, value);
+ let f = () => {};
+ noInline(f);
+ let {first, second} = testGet(map, key, f);
+ assert(first === value);
+ assert(second === value);
+ }
+}
+foo();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214JSTestsstressmapiterationjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/JSTests/stress/map-iteration.js (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/JSTests/stress/map-iteration.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/stress/map-iteration.js 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,395 @@
</span><ins>+function assert(b) {
+ if (!b)
+ throw new Error("Bad result!");
+}
+noInline(assert);
+
+function test1() {
+ let map = new Map;
+ map.set(20, 30);
+ let iter = map[Symbol.iterator]();
+ let {value, done} = iter.next();
+ assert(value[0] === 20);
+ assert(value[1] === 30);
+ assert(!done);
+ ({value, done} = iter.next());
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test1();
+
+function test2() {
+ let map = new Map;
+ map.set(20, 30);
+ let iter = map[Symbol.iterator]();
+ let {value, done} = iter.next();
+ assert(value[0] === 20);
+ assert(value[1] === 30);
+ assert(!done);
+
+ ({value, done} = iter.next());
+ assert(done);
+ assert(value === undefined);
+
+ map.set(40, 50);
+ ({value, done} = iter.next());
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test2();
+
+function test3() {
+ let map = new Map;
+ map.set(20, 30);
+ map.set(50, 60);
+ let iter = map[Symbol.iterator]();
+ let {value, done} = iter.next();
+ assert(value[0] === 20);
+ assert(value[1] === 30);
+ assert(!done);
+
+ ({value, done} = iter.next());
+ assert(!done);
+ assert(value[0] === 50);
+ assert(value[1] === 60);
+
+ map.set("foo", "bar");
+ ({value, done} = iter.next());
+ assert(!done);
+ assert(value[0] === "foo");
+ assert(value[1] === "bar");
+
+ ({value, done} = iter.next());
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test3();
+
+function test4() {
+ let map = new Map;
+ map.set(20, 30);
+ map.set(50, 60);
+ let iter = map[Symbol.iterator]();
+ let {value, done} = iter.next();
+ assert(value[0] === 20);
+ assert(value[1] === 30);
+ assert(!done);
+
+ map.clear();
+
+ ({value, done} = iter.next());
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test4();
+
+function test5() {
+ let map = new Map;
+ map.set(20, 30);
+ map.set(50, 60);
+ let iter = map[Symbol.iterator]();
+ let {value, done} = iter.next();
+ assert(value[0] === 20);
+ assert(value[1] === 30);
+ assert(!done);
+
+ map.clear();
+ map.set(50, 60);
+
+ ({value, done} = iter.next());
+ assert(!done);
+ assert(value[0] === 50);
+ assert(value[1] === 60);
+
+ ({value, done} = iter.next());
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test5();
+
+function test6() {
+ let map = new Map;
+ map.set(20, 30);
+ let i = 0;
+ for (let [key, value] of map) {
+ map.delete(key);
+ map.set(key, value);
+ i++;
+ if (i === 1000)
+ break;
+ }
+ assert(i === 1000);
+}
+test6();
+
+function test7() {
+ let map = new Map;
+ map.set(20, 30);
+ let i = 0;
+ for (let [key, value] of map) {
+ map.clear();
+ map.set(key, value);
+ i++;
+ if (i === 1000)
+ break;
+ }
+ assert(i === 1000);
+}
+test7();
+
+function test8() {
+ let map = new Map;
+ map.set(20, 30);
+ for (let i = 0; i < 500; i++)
+ map.set(i, i);
+ let i = 0;
+ for (let [key, value] of map) {
+ assert(key === value);
+ i++;
+ if (key === 250)
+ break;
+ }
+ assert(i === 251);
+}
+test8();
+
+function test9() {
+ assert(1/(-0) === -Infinity);
+
+ let map = new Map;
+ map.set(-0, 50); // We should normalize -0 to +0 in the key.
+ for (let [key, value] of map) {
+ assert(1/key === Infinity);
+ }
+ assert(map.get(0.0) === 50);
+ assert(map.get(0) === 50);
+ assert(map.get(-0) === 50);
+ assert(map.get(+0) === 50);
+}
+for (let i = 0; i < 100; i++)
+ test9();
+
+function test10() {
+ let map = new Map;
+ map.set("negZero", -0); // We should *not* normalize -0 to +0 in the value.
+ for (let [key, value] of map) {
+ assert(1/value === -Infinity);
+ }
+}
+for (let i = 0; i < 100; i++)
+ test10();
+
+function test11() {
+ let map = new Map;
+ map.set(20, 30);
+ let iter = map.keys();
+ let {value, done} = iter.next();
+ assert(!done);
+ assert(value === 20);
+
+ ({value, done} = iter.next());
+ assert(done);
+ assert(value === undefined);
+
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test11();
+
+function test12() {
+ let map = new Map;
+ map.set(20, 30);
+ let iter = map.values();
+ let {value, done} = iter.next();
+ assert(!done);
+ assert(value === 30);
+
+ ({value, done} = iter.next());
+ assert(done);
+ assert(value === undefined);
+
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test12();
+
+function test13() {
+ let map = new Map;
+ map.set(20, 30);
+ map.set(50, 60);
+ let iter = map.keys();
+ let {value, done} = iter.next();
+ assert(!done);
+ assert(value === 20);
+
+ map.clear();
+ map.set("foo", "bar");
+
+ ({value, done} = iter.next());
+ assert(!done);
+ assert(value === "foo");
+
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test13();
+
+function test14() {
+ let map = new Map;
+ map.set(20, 30);
+ map.set(50, 60);
+ let iter = map.values();
+ let {value, done} = iter.next();
+ assert(!done);
+ assert(value === 30);
+
+ map.clear();
+ map.set("foo", "bar");
+
+ ;({value, done} = iter.next())
+ assert(!done);
+ assert(value === "bar");
+
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test14();
+
+function test15() {
+ let map = new Map;
+ map.set(20, 30);
+ map.set(50, 60);
+ let iter = map.keys();
+
+ let {value, done} = iter.next();
+ assert(!done);
+ assert(value === 20);
+
+ ;({value, done} = iter.next())
+ assert(!done);
+ assert(value === 50);
+
+ map.clear();
+
+ map.set("foo", "bar");
+
+ ({value, done} = iter.next())
+ assert(!done);
+ assert(value === "foo");
+
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test15();
+
+function test16() {
+ let map = new Map;
+ map.set(20, 30);
+ map.set(50, 60);
+ let iter = map.values();
+
+ let {value, done} = iter.next();
+ assert(!done);
+ assert(value === 30);
+
+ ;({value, done} = iter.next())
+ assert(!done);
+ assert(value === 60);
+
+ map.clear();
+
+ map.set("foo", "bar");
+
+ ({value, done} = iter.next())
+ assert(!done);
+ assert(value === "bar");
+
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test16();
+
+function test17() {
+ let map = new Map;
+ map.set(20, 30);
+ map.set(50, 60);
+ let iter = map.keys();
+
+ let {value, done} = iter.next();
+ assert(!done);
+ assert(value === 20);
+
+ ;({value, done} = iter.next())
+ assert(!done);
+ assert(value === 50);
+
+ map.clear();
+
+ map.set("foo", "bar");
+
+ ({value, done} = iter.next())
+ assert(!done);
+ assert(value === "foo");
+
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+
+ map.set("hello", "world");
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test17();
+
+function test18() {
+ let map = new Map;
+ map.set(20, 30);
+ map.set(50, 60);
+ let iter = map.values();
+
+ let {value, done} = iter.next();
+ assert(!done);
+ assert(value === 30);
+
+ ;({value, done} = iter.next())
+ assert(!done);
+ assert(value === 60);
+
+ map.clear();
+
+ map.set("foo", "bar");
+
+ ({value, done} = iter.next())
+ assert(!done);
+ assert(value === "bar");
+
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+
+ map.set("hello", "world");
+ ({value, done} = iter.next())
+ assert(done);
+ assert(value === undefined);
+}
+for (let i = 0; i < 100; i++)
+ test18();
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/CMakeLists.txt (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/CMakeLists.txt 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/CMakeLists.txt 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -672,6 +672,7 @@
</span><span class="cx"> runtime/GeneratorFunctionPrototype.cpp
</span><span class="cx"> runtime/GeneratorPrototype.cpp
</span><span class="cx"> runtime/GetterSetter.cpp
</span><ins>+ runtime/HashMapImpl.cpp
</ins><span class="cx"> runtime/Identifier.cpp
</span><span class="cx"> runtime/IndexingType.cpp
</span><span class="cx"> runtime/InferredType.cpp
</span><span class="lines">@@ -757,6 +758,7 @@
</span><span class="cx"> runtime/LazyClassStructure.cpp
</span><span class="cx"> runtime/LiteralParser.cpp
</span><span class="cx"> runtime/Lookup.cpp
</span><ins>+ runtime/MapBase.cpp
</ins><span class="cx"> runtime/MapConstructor.cpp
</span><span class="cx"> runtime/MapIteratorPrototype.cpp
</span><span class="cx"> runtime/MapPrototype.cpp
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ChangeLog (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ChangeLog 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ChangeLog 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,3 +1,303 @@
</span><ins>+2016-09-06 Saam Barati <sbarati@apple.com>
+
+ Make JSMap and JSSet faster
+ https://bugs.webkit.org/show_bug.cgi?id=160989
+
+ Reviewed by Filip Pizlo.
+
+ This patch revamps how we implement Map and Set. It uses
+ a new hash map implementation. The hash map uses linear
+ probing and it uses Wang's 64 bit hash function for JSValues
+ that aren't strings. Strings use StringImpl's hash function.
+ The reason I wanted to roll our own HashTable is twofold:
+ I didn't want to inline WTF::HashMap's implementation into our
+ JIT, since that seems error prone and unmaintainable. Also, I wanted
+ a different structure for hash map buckets where buckets also exist in
+ a linked list.
+
+ The reason for making buckets part of a linked list is that iteration
+ is now simple. Iteration works by just traversing a linked list.
+ This design also allows for a simple implementation when doing iteration
+ while the hash table is mutating. Whenever we remove a bucket from
+ the hash table, it is removed from the list, meaning items in the
+ list don't point to it. However, the removed bucket will still point
+ to things that are either in the list, or have also been removed.
+ e.g, from a removed bucket, you can always follow pointers until you
+ either find an item in the list, or you find the tail of the list.
+ This is a really nice property because it means that a Map or Set
+ does not need to reason about the all the iterators that point
+ into its list. Also, whenever we add items to the Map or Set, we
+ hijack the tail as the new item, and make the new item point to a newly
+ created tail. This means that any iterator that pointed to the "tail" now
+ points to non-tail items. This makes the implementation of adding things
+ to the Map/Set while iterating easy.
+
+ I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
+ into intrinsics in the DFG. The IR can now reason about hash map
+ operations and can even do CSE over Wang's hash function, hash map
+ bucket lookups, hash map bucket loads, and testing if a key is in
+ the hash table. This makes code patterns for Map like so, super fast
+ in the FTL, since we will only be doing a single hash and hash bucket lookup:
+
+ ```
+ function getKeyIfPresent(map, key) {
+ if (map.has(key))
+ return map.get(key);
+ }
+ ```
+
+ This patch is roughly an 8% speedup on ES6SampleBench.
+
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::not64):
+ * bytecode/SpeculatedType.cpp:
+ (JSC::speculationFromClassInfo):
+ * bytecode/SpeculatedType.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGEdge.h:
+ (JSC::DFG::Edge::shift):
+ (JSC::DFG::Edge::makeWord):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateMapObject):
+ (JSC::DFG::SpeculativeJIT::speculateSetObject):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::isCell):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
+ (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
+ (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
+ (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
+ (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
+ (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
+ (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::wangsInt64Hash):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
+ * jit/JITOperations.h:
+ * parser/ModuleAnalyzer.cpp:
+ (JSC::ModuleAnalyzer::ModuleAnalyzer):
+ * runtime/HashMapImpl.cpp: Added.
+ (JSC::HashMapBucket<Data>::visitChildren):
+ (JSC::HashMapImpl<HashMapBucket>::visitChildren):
+ (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
+ * runtime/HashMapImpl.h: Added.
+ (JSC::HashMapBucket::selectStructure):
+ (JSC::HashMapBucket::createStructure):
+ (JSC::HashMapBucket::create):
+ (JSC::HashMapBucket::HashMapBucket):
+ (JSC::HashMapBucket::setNext):
+ (JSC::HashMapBucket::setPrev):
+ (JSC::HashMapBucket::setKey):
+ (JSC::HashMapBucket::setValue):
+ (JSC::HashMapBucket::key):
+ (JSC::HashMapBucket::value):
+ (JSC::HashMapBucket::next):
+ (JSC::HashMapBucket::prev):
+ (JSC::HashMapBucket::deleted):
+ (JSC::HashMapBucket::setDeleted):
+ (JSC::HashMapBucket::offsetOfKey):
+ (JSC::HashMapBucket::offsetOfValue):
+ (JSC::HashMapBuffer::allocationSize):
+ (JSC::HashMapBuffer::buffer):
+ (JSC::HashMapBuffer::create):
+ (JSC::areKeysEqual):
+ (JSC::normalizeMapKey):
+ (JSC::jsMapHash):
+ (JSC::HashMapImpl::selectStructure):
+ (JSC::HashMapImpl::createStructure):
+ (JSC::HashMapImpl::create):
+ (JSC::HashMapImpl::HashMapImpl):
+ (JSC::HashMapImpl::buffer):
+ (JSC::HashMapImpl::finishCreation):
+ (JSC::HashMapImpl::emptyValue):
+ (JSC::HashMapImpl::isEmpty):
+ (JSC::HashMapImpl::deletedValue):
+ (JSC::HashMapImpl::isDeleted):
+ (JSC::HashMapImpl::findBucket):
+ (JSC::HashMapImpl::get):
+ (JSC::HashMapImpl::has):
+ (JSC::HashMapImpl::add):
+ (JSC::HashMapImpl::remove):
+ (JSC::HashMapImpl::size):
+ (JSC::HashMapImpl::clear):
+ (JSC::HashMapImpl::bufferSizeInBytes):
+ (JSC::HashMapImpl::offsetOfBuffer):
+ (JSC::HashMapImpl::offsetOfCapacity):
+ (JSC::HashMapImpl::head):
+ (JSC::HashMapImpl::tail):
+ (JSC::HashMapImpl::approximateSize):
+ (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
+ (JSC::HashMapImpl::rehash):
+ (JSC::HashMapImpl::makeAndSetNewBuffer):
+ * runtime/Intrinsic.h:
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::sameValue):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSMap.cpp:
+ (JSC::JSMap::destroy): Deleted.
+ (JSC::JSMap::estimatedSize): Deleted.
+ (JSC::JSMap::visitChildren): Deleted.
+ (JSC::JSMap::copyBackingStore): Deleted.
+ (JSC::JSMap::has): Deleted.
+ (JSC::JSMap::size): Deleted.
+ (JSC::JSMap::get): Deleted.
+ (JSC::JSMap::set): Deleted.
+ (JSC::JSMap::clear): Deleted.
+ (JSC::JSMap::remove): Deleted.
+ * runtime/JSMap.h:
+ (JSC::JSMap::createStructure):
+ (JSC::JSMap::create):
+ (JSC::JSMap::get):
+ (JSC::JSMap::set):
+ (JSC::JSMap::JSMap):
+ (JSC::JSMap::Entry::key): Deleted.
+ (JSC::JSMap::Entry::value): Deleted.
+ (JSC::JSMap::Entry::visitChildren): Deleted.
+ (JSC::JSMap::Entry::setKey): Deleted.
+ (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
+ (JSC::JSMap::Entry::setValue): Deleted.
+ (JSC::JSMap::Entry::clear): Deleted.
+ * runtime/JSMapIterator.cpp:
+ (JSC::JSMapIterator::finishCreation):
+ (JSC::JSMapIterator::visitChildren):
+ (JSC::JSMapIterator::clone):
+ * runtime/JSMapIterator.h:
+ (JSC::JSMapIterator::advanceIter):
+ (JSC::JSMapIterator::next):
+ (JSC::JSMapIterator::nextKeyValue):
+ (JSC::JSMapIterator::JSMapIterator):
+ (JSC::JSMapIterator::setIterator):
+ (JSC::JSMapIterator::finish): Deleted.
+ (JSC::JSMapIterator::iteratorData): Deleted.
+ * runtime/JSModuleLoader.cpp:
+ (JSC::JSModuleLoader::finishCreation):
+ * runtime/JSModuleLoader.h:
+ (JSC::JSModuleLoader::create):
+ * runtime/JSModuleRecord.cpp:
+ (JSC::JSModuleRecord::finishCreation):
+ * runtime/JSModuleRecord.h:
+ (JSC::JSModuleRecord::create):
+ * runtime/JSSet.cpp:
+ (JSC::JSSet::destroy): Deleted.
+ (JSC::JSSet::estimatedSize): Deleted.
+ (JSC::JSSet::visitChildren): Deleted.
+ (JSC::JSSet::copyBackingStore): Deleted.
+ (JSC::JSSet::has): Deleted.
+ (JSC::JSSet::size): Deleted.
+ (JSC::JSSet::add): Deleted.
+ (JSC::JSSet::clear): Deleted.
+ (JSC::JSSet::remove): Deleted.
+ * runtime/JSSet.h:
+ (JSC::JSSet::createStructure):
+ (JSC::JSSet::create):
+ (JSC::JSSet::add):
+ (JSC::JSSet::JSSet):
+ (JSC::JSSet::Entry::key): Deleted.
+ (JSC::JSSet::Entry::value): Deleted.
+ (JSC::JSSet::Entry::visitChildren): Deleted.
+ (JSC::JSSet::Entry::setKey): Deleted.
+ (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
+ (JSC::JSSet::Entry::setValue): Deleted.
+ (JSC::JSSet::Entry::clear): Deleted.
+ * runtime/JSSetIterator.cpp:
+ (JSC::JSSetIterator::finishCreation):
+ (JSC::JSSetIterator::visitChildren):
+ (JSC::JSSetIterator::clone):
+ * runtime/JSSetIterator.h:
+ (JSC::JSSetIterator::advanceIter):
+ (JSC::JSSetIterator::next):
+ (JSC::JSSetIterator::JSSetIterator):
+ (JSC::JSSetIterator::setIterator):
+ (JSC::JSSetIterator::finish): Deleted.
+ (JSC::JSSetIterator::iteratorData): Deleted.
+ * runtime/JSType.h:
+ * runtime/MapBase.cpp: Added.
+ (JSC::MapBase<HashMapBucketType>::visitChildren):
+ (JSC::MapBase<HashMapBucketType>::estimatedSize):
+ * runtime/MapBase.h: Added.
+ (JSC::MapBase::size):
+ (JSC::MapBase::has):
+ (JSC::MapBase::clear):
+ (JSC::MapBase::remove):
+ (JSC::MapBase::findBucket):
+ (JSC::MapBase::offsetOfHashMapImpl):
+ (JSC::MapBase::impl):
+ (JSC::MapBase::finishCreation):
+ (JSC::MapBase::MapBase):
+ * runtime/MapConstructor.cpp:
+ (JSC::constructMap):
+ * runtime/MapIteratorPrototype.cpp:
+ (JSC::MapIteratorPrototypeFuncNext):
+ * runtime/MapPrototype.cpp:
+ (JSC::MapPrototype::finishCreation):
+ (JSC::getMap):
+ (JSC::privateFuncIsMap):
+ (JSC::privateFuncMapIteratorNext):
+ * runtime/PropertyDescriptor.cpp:
+ (JSC::sameValue): Deleted.
+ * runtime/PropertyDescriptor.h:
+ * runtime/SetConstructor.cpp:
+ (JSC::constructSet):
+ * runtime/SetIteratorPrototype.cpp:
+ (JSC::SetIteratorPrototypeFuncNext):
+ * runtime/SetPrototype.cpp:
+ (JSC::SetPrototype::finishCreation):
+ (JSC::getSet):
+ (JSC::privateFuncSetIteratorNext):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
</ins><span class="cx"> 2016-09-06 Benjamin Poulain <bpoulain@apple.com>
</span><span class="cx">
</span><span class="cx"> [JSC] Make ArithClz32 work with Cell arguments
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1316,10 +1316,14 @@
</span><span class="cx"> 79233C2B1D34715700C5A834 /* JITMathIC.h in Headers */ = {isa = PBXBuildFile; fileRef = 79233C291D34715700C5A834 /* JITMathIC.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 792CB3491C4EED5C00D13AF3 /* PCToCodeOriginMap.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 792CB3471C4EED5C00D13AF3 /* PCToCodeOriginMap.cpp */; };
</span><span class="cx"> 792CB34A1C4EED5C00D13AF3 /* PCToCodeOriginMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 792CB3481C4EED5C00D13AF3 /* PCToCodeOriginMap.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 795B19971D78BE3500262FA0 /* MapBase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 795B19951D78BE3500262FA0 /* MapBase.cpp */; };
+ 795B19981D78BE3500262FA0 /* MapBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 795B19961D78BE3500262FA0 /* MapBase.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 7964656A1B952FF0003059EE /* GetPutInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 796465681B952FF0003059EE /* GetPutInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 797E07A91B8FCFB9008400BA /* JSGlobalLexicalEnvironment.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 797E07A71B8FCFB9008400BA /* JSGlobalLexicalEnvironment.cpp */; };
</span><span class="cx"> 797E07AA1B8FCFB9008400BA /* JSGlobalLexicalEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = 797E07A81B8FCFB9008400BA /* JSGlobalLexicalEnvironment.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 799EF7C41C56ED96002B0534 /* B3PCToOriginMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 799EF7C31C56ED96002B0534 /* B3PCToOriginMap.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 79A0907F1D768465008B889B /* HashMapImpl.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 79A0907D1D768465008B889B /* HashMapImpl.cpp */; };
+ 79A090801D768465008B889B /* HashMapImpl.h in Headers */ = {isa = PBXBuildFile; fileRef = 79A0907E1D768465008B889B /* HashMapImpl.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 79A228351D35D71E00D8E067 /* ArithProfile.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 79A228331D35D71E00D8E067 /* ArithProfile.cpp */; };
</span><span class="cx"> 79A228361D35D71F00D8E067 /* ArithProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 79A228341D35D71E00D8E067 /* ArithProfile.h */; };
</span><span class="cx"> 79AF0BE41D3EFD4C00E95FA5 /* JITMathICInlineResult.h in Headers */ = {isa = PBXBuildFile; fileRef = 79AF0BE31D3EFD4C00E95FA5 /* JITMathICInlineResult.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -3565,10 +3569,14 @@
</span><span class="cx"> 79233C291D34715700C5A834 /* JITMathIC.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITMathIC.h; sourceTree = "<group>"; };
</span><span class="cx"> 792CB3471C4EED5C00D13AF3 /* PCToCodeOriginMap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PCToCodeOriginMap.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 792CB3481C4EED5C00D13AF3 /* PCToCodeOriginMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PCToCodeOriginMap.h; sourceTree = "<group>"; };
</span><ins>+ 795B19951D78BE3500262FA0 /* MapBase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MapBase.cpp; sourceTree = "<group>"; };
+ 795B19961D78BE3500262FA0 /* MapBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MapBase.h; sourceTree = "<group>"; };
</ins><span class="cx"> 796465681B952FF0003059EE /* GetPutInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = GetPutInfo.h; sourceTree = "<group>"; };
</span><span class="cx"> 797E07A71B8FCFB9008400BA /* JSGlobalLexicalEnvironment.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSGlobalLexicalEnvironment.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 797E07A81B8FCFB9008400BA /* JSGlobalLexicalEnvironment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSGlobalLexicalEnvironment.h; sourceTree = "<group>"; };
</span><span class="cx"> 799EF7C31C56ED96002B0534 /* B3PCToOriginMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = B3PCToOriginMap.h; path = b3/B3PCToOriginMap.h; sourceTree = "<group>"; };
</span><ins>+ 79A0907D1D768465008B889B /* HashMapImpl.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HashMapImpl.cpp; sourceTree = "<group>"; };
+ 79A0907E1D768465008B889B /* HashMapImpl.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HashMapImpl.h; sourceTree = "<group>"; };
</ins><span class="cx"> 79A228331D35D71E00D8E067 /* ArithProfile.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ArithProfile.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 79A228341D35D71E00D8E067 /* ArithProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArithProfile.h; sourceTree = "<group>"; };
</span><span class="cx"> 79A899FE1D38612E00D18C73 /* JITMathICForwards.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITMathICForwards.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -5819,6 +5827,8 @@
</span><span class="cx"> 796465681B952FF0003059EE /* GetPutInfo.h */,
</span><span class="cx"> BC02E9B80E184545000F9297 /* GetterSetter.cpp */,
</span><span class="cx"> BC337BDE0E1AF0B80076918A /* GetterSetter.h */,
</span><ins>+ 79A0907D1D768465008B889B /* HashMapImpl.cpp */,
+ 79A0907E1D768465008B889B /* HashMapImpl.h */,
</ins><span class="cx"> 933A349D038AE80F008635CE /* Identifier.cpp */,
</span><span class="cx"> 933A349A038AE7C6008635CE /* Identifier.h */,
</span><span class="cx"> 8606DDE918DA44AB00A383D0 /* IdentifierInlines.h */,
</span><span class="lines">@@ -6029,6 +6039,8 @@
</span><span class="cx"> A7E2EA690FB460CF00601F06 /* LiteralParser.h */,
</span><span class="cx"> F692A8680255597D01FF60F7 /* Lookup.cpp */,
</span><span class="cx"> F692A8690255597D01FF60F7 /* Lookup.h */,
</span><ins>+ 795B19951D78BE3500262FA0 /* MapBase.cpp */,
+ 795B19961D78BE3500262FA0 /* MapBase.h */,
</ins><span class="cx"> A700873717CBE85300C3E643 /* MapConstructor.cpp */,
</span><span class="cx"> A700873817CBE85300C3E643 /* MapConstructor.h */,
</span><span class="cx"> A78507D517CBC6FD0011F6E7 /* MapData.h */,
</span><span class="lines">@@ -7320,6 +7332,7 @@
</span><span class="cx"> 0F64B27A1A7957B2006E4E66 /* CallEdge.h in Headers */,
</span><span class="cx"> 1429D8DE0ED2205B00B89619 /* CallFrame.h in Headers */,
</span><span class="cx"> 62EC9BB71B7EB07C00303AD1 /* CallFrameShuffleData.h in Headers */,
</span><ins>+ 795B19981D78BE3500262FA0 /* MapBase.h in Headers */,
</ins><span class="cx"> 62D755D71B84FB4A001801FA /* CallFrameShuffler.h in Headers */,
</span><span class="cx"> 0F0B83B114BCF71800885B4F /* CallLinkInfo.h in Headers */,
</span><span class="cx"> 0F93329E14CA7DC50085F3C6 /* CallLinkStatus.h in Headers */,
</span><span class="lines">@@ -7487,6 +7500,7 @@
</span><span class="cx"> 0F9D339717FFC4E60073C2BC /* DFGFlushedAt.h in Headers */,
</span><span class="cx"> A7D89CF817A0B8CC00773AD8 /* DFGFlushFormat.h in Headers */,
</span><span class="cx"> 0F2DD8151AB3D8BE00BBB8E8 /* DFGForAllKills.h in Headers */,
</span><ins>+ 79A090801D768465008B889B /* HashMapImpl.h in Headers */,
</ins><span class="cx"> 0F69CC89193AC60A0045759E /* DFGFrozenValue.h in Headers */,
</span><span class="cx"> 86EC9DC61328DF82002B2AD7 /* DFGGenerationInfo.h in Headers */,
</span><span class="cx"> 86EC9DC81328DF82002B2AD7 /* DFGGraph.h in Headers */,
</span><span class="lines">@@ -9217,6 +9231,7 @@
</span><span class="cx"> 0F0332C018ADFAE1005F979A /* ExitingJITType.cpp in Sources */,
</span><span class="cx"> 0FB105851675480F00F8AB6E /* ExitKind.cpp in Sources */,
</span><span class="cx"> 0FEA0A1C1708B00700BB722C /* FTLAbstractHeap.cpp in Sources */,
</span><ins>+ 79A0907F1D768465008B889B /* HashMapImpl.cpp in Sources */,
</ins><span class="cx"> 0FEA0A1E1708B00700BB722C /* FTLAbstractHeapRepository.cpp in Sources */,
</span><span class="cx"> 0F93274D1C1F66AA00CF6564 /* GPRInfo.cpp in Sources */,
</span><span class="cx"> 0F485327187DFDEC0083B687 /* FTLAvailableRecovery.cpp in Sources */,
</span><span class="lines">@@ -9261,6 +9276,7 @@
</span><span class="cx"> 52B310FD1974AE870080857C /* FunctionHasExecutedCache.cpp in Sources */,
</span><span class="cx"> FE4BFF2B1AD476E700088F87 /* FunctionOverrides.cpp in Sources */,
</span><span class="cx"> 147F39CC107EC37600427A48 /* FunctionPrototype.cpp in Sources */,
</span><ins>+ 795B19971D78BE3500262FA0 /* MapBase.cpp in Sources */,
</ins><span class="cx"> 62D2D38F1ADF103F000206C1 /* FunctionRareData.cpp in Sources */,
</span><span class="cx"> 2AACE63C18CA5A0300ED0191 /* GCActivityCallback.cpp in Sources */,
</span><span class="cx"> 0F766D2F15A8DCE0008F363E /* GCAwareJITStubRoutine.cpp in Sources */,
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreassemblerMacroAssemblerARM64h"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -943,6 +943,11 @@
</span><span class="cx"> m_assembler.mvn<64>(dest, src);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void not64(RegisterID srcDst)
+ {
+ m_assembler.mvn<64>(srcDst, srcDst);
+ }
+
</ins><span class="cx"> // Memory access operations:
</span><span class="cx">
</span><span class="cx"> void load64(ImplicitAddress address, RegisterID dest)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCorebytecodeSpeculatedTypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/bytecode/SpeculatedType.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/bytecode/SpeculatedType.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/bytecode/SpeculatedType.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -30,9 +30,11 @@
</span><span class="cx"> #include "SpeculatedType.h"
</span><span class="cx">
</span><span class="cx"> #include "DirectArguments.h"
</span><ins>+#include "JSCInlines.h"
</ins><span class="cx"> #include "JSArray.h"
</span><span class="cx"> #include "JSFunction.h"
</span><del>-#include "JSCInlines.h"
</del><ins>+#include "JSMap.h"
+#include "JSSet.h"
</ins><span class="cx"> #include "ScopedArguments.h"
</span><span class="cx"> #include "StringObject.h"
</span><span class="cx"> #include "ValueProfile.h"
</span><span class="lines">@@ -346,6 +348,12 @@
</span><span class="cx">
</span><span class="cx"> if (classInfo == RegExpObject::info())
</span><span class="cx"> return SpecRegExpObject;
</span><ins>+
+ if (classInfo == JSMap::info())
+ return SpecMapObject;
+
+ if (classInfo == JSSet::info())
+ return SpecSetObject;
</ins><span class="cx">
</span><span class="cx"> if (classInfo->isSubClassOf(JSFunction::info()))
</span><span class="cx"> return SpecFunction;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCorebytecodeSpeculatedTypeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/bytecode/SpeculatedType.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/bytecode/SpeculatedType.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/bytecode/SpeculatedType.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -39,41 +39,43 @@
</span><span class="cx">
</span><span class="cx"> typedef uint64_t SpeculatedType;
</span><span class="cx"> static const SpeculatedType SpecNone = 0; // We don't know anything yet.
</span><del>-static const SpeculatedType SpecFinalObject = 1u << 0; // It's definitely a JSFinalObject.
-static const SpeculatedType SpecArray = 1u << 1; // It's definitely a JSArray.
-static const SpeculatedType SpecFunction = 1u << 2; // It's definitely a JSFunction.
-static const SpeculatedType SpecInt8Array = 1u << 3; // It's definitely an Int8Array or one of its subclasses.
-static const SpeculatedType SpecInt16Array = 1u << 4; // It's definitely an Int16Array or one of its subclasses.
-static const SpeculatedType SpecInt32Array = 1u << 5; // It's definitely an Int32Array or one of its subclasses.
-static const SpeculatedType SpecUint8Array = 1u << 6; // It's definitely an Uint8Array or one of its subclasses.
-static const SpeculatedType SpecUint8ClampedArray = 1u << 7; // It's definitely an Uint8ClampedArray or one of its subclasses.
-static const SpeculatedType SpecUint16Array = 1u << 8; // It's definitely an Uint16Array or one of its subclasses.
-static const SpeculatedType SpecUint32Array = 1u << 9; // It's definitely an Uint32Array or one of its subclasses.
-static const SpeculatedType SpecFloat32Array = 1u << 10; // It's definitely an Uint16Array or one of its subclasses.
-static const SpeculatedType SpecFloat64Array = 1u << 11; // It's definitely an Uint16Array or one of its subclasses.
</del><ins>+static const SpeculatedType SpecFinalObject = 1ull << 0; // It's definitely a JSFinalObject.
+static const SpeculatedType SpecArray = 1ull << 1; // It's definitely a JSArray.
+static const SpeculatedType SpecFunction = 1ull << 2; // It's definitely a JSFunction.
+static const SpeculatedType SpecInt8Array = 1ull << 3; // It's definitely an Int8Array or one of its subclasses.
+static const SpeculatedType SpecInt16Array = 1ull << 4; // It's definitely an Int16Array or one of its subclasses.
+static const SpeculatedType SpecInt32Array = 1ull << 5; // It's definitely an Int32Array or one of its subclasses.
+static const SpeculatedType SpecUint8Array = 1ull << 6; // It's definitely an Uint8Array or one of its subclasses.
+static const SpeculatedType SpecUint8ClampedArray = 1ull << 7; // It's definitely an Uint8ClampedArray or one of its subclasses.
+static const SpeculatedType SpecUint16Array = 1ull << 8; // It's definitely an Uint16Array or one of its subclasses.
+static const SpeculatedType SpecUint32Array = 1ull << 9; // It's definitely an Uint32Array or one of its subclasses.
+static const SpeculatedType SpecFloat32Array = 1ull << 10; // It's definitely an Uint16Array or one of its subclasses.
+static const SpeculatedType SpecFloat64Array = 1ull << 11; // It's definitely an Uint16Array or one of its subclasses.
</ins><span class="cx"> static const SpeculatedType SpecTypedArrayView = SpecInt8Array | SpecInt16Array | SpecInt32Array | SpecUint8Array | SpecUint8ClampedArray | SpecUint16Array | SpecUint32Array | SpecFloat32Array | SpecFloat64Array;
</span><del>-static const SpeculatedType SpecDirectArguments = 1u << 12; // It's definitely a DirectArguments object.
-static const SpeculatedType SpecScopedArguments = 1u << 13; // It's definitely a ScopedArguments object.
-static const SpeculatedType SpecStringObject = 1u << 14; // It's definitely a StringObject.
-static const SpeculatedType SpecRegExpObject = 1u << 15; // It's definitely a RegExpObject (and not any subclass of RegExpObject).
-static const SpeculatedType SpecObjectOther = 1u << 16; // It's definitely an object but not JSFinalObject, JSArray, or JSFunction.
-static const SpeculatedType SpecObject = SpecFinalObject | SpecArray | SpecFunction | SpecTypedArrayView | SpecDirectArguments | SpecScopedArguments | SpecStringObject | SpecRegExpObject | SpecObjectOther; // Bitmask used for testing for any kind of object prediction.
-static const SpeculatedType SpecStringIdent = 1u << 17; // It's definitely a JSString, and it's an identifier.
-static const SpeculatedType SpecStringVar = 1u << 18; // It's definitely a JSString, and it's not an identifier.
</del><ins>+static const SpeculatedType SpecDirectArguments = 1ull << 12; // It's definitely a DirectArguments object.
+static const SpeculatedType SpecScopedArguments = 1ull << 13; // It's definitely a ScopedArguments object.
+static const SpeculatedType SpecStringObject = 1ull << 14; // It's definitely a StringObject.
+static const SpeculatedType SpecRegExpObject = 1ull << 15; // It's definitely a RegExpObject (and not any subclass of RegExpObject).
+static const SpeculatedType SpecMapObject = 1ull << 16; // It's definitely Map object (can it be a subclass? FIXME).
+static const SpeculatedType SpecSetObject = 1ull << 17; // It's definitely s Set object (can it be a subclass? FIXME).
+static const SpeculatedType SpecObjectOther = 1ull << 18; // It's definitely an object but not JSFinalObject, JSArray, or JSFunction.
+static const SpeculatedType SpecObject = SpecFinalObject | SpecArray | SpecFunction | SpecTypedArrayView | SpecDirectArguments | SpecScopedArguments | SpecStringObject | SpecRegExpObject | SpecMapObject | SpecSetObject | SpecObjectOther; // Bitmask used for testing for any kind of object prediction.
+static const SpeculatedType SpecStringIdent = 1ull << 19; // It's definitely a JSString, and it's an identifier.
+static const SpeculatedType SpecStringVar = 1ull << 20; // It's definitely a JSString, and it's not an identifier.
</ins><span class="cx"> static const SpeculatedType SpecString = SpecStringIdent | SpecStringVar; // It's definitely a JSString.
</span><del>-static const SpeculatedType SpecSymbol = 1u << 19; // It's definitely a Symbol.
-static const SpeculatedType SpecCellOther = 1u << 20; // It's definitely a JSCell but not a subclass of JSObject and definitely not a JSString or a Symbol. FIXME: This shouldn't be part of heap-top or bytecode-top. https://bugs.webkit.org/show_bug.cgi?id=133078
</del><ins>+static const SpeculatedType SpecSymbol = 1ull << 21; // It's definitely a Symbol.
+static const SpeculatedType SpecCellOther = 1ull << 22; // It's definitely a JSCell but not a subclass of JSObject and definitely not a JSString or a Symbol. FIXME: This shouldn't be part of heap-top or bytecode-top. https://bugs.webkit.org/show_bug.cgi?id=133078
</ins><span class="cx"> static const SpeculatedType SpecCell = SpecObject | SpecString | SpecSymbol | SpecCellOther; // It's definitely a JSCell.
</span><del>-static const SpeculatedType SpecBoolInt32 = 1u << 21; // It's definitely an Int32 with value 0 or 1.
-static const SpeculatedType SpecNonBoolInt32 = 1u << 22; // It's definitely an Int32 with value other than 0 or 1.
</del><ins>+static const SpeculatedType SpecBoolInt32 = 1ull << 23; // It's definitely an Int32 with value 0 or 1.
+static const SpeculatedType SpecNonBoolInt32 = 1ull << 24; // It's definitely an Int32 with value other than 0 or 1.
</ins><span class="cx"> static const SpeculatedType SpecInt32Only = SpecBoolInt32 | SpecNonBoolInt32; // It's definitely an Int32.
</span><del>-static const SpeculatedType SpecInt52Only = 1u << 23; // It's definitely an Int52 and we intend it to unbox it. It's also definitely not an Int32.
</del><ins>+static const SpeculatedType SpecInt52Only = 1ull << 25; // It's definitely an Int52 and we intend it to unbox it. It's also definitely not an Int32.
</ins><span class="cx"> static const SpeculatedType SpecAnyInt = SpecInt32Only | SpecInt52Only; // It's something that we can do machine int arithmetic on.
</span><del>-static const SpeculatedType SpecAnyIntAsDouble = 1u << 24; // It's definitely an Int52 and it's inside a double.
-static const SpeculatedType SpecNonIntAsDouble = 1u << 25; // It's definitely not an Int52 but it's a real number and it's a double.
</del><ins>+static const SpeculatedType SpecAnyIntAsDouble = 1ull << 26; // It's definitely an Int52 and it's inside a double.
+static const SpeculatedType SpecNonIntAsDouble = 1ull << 27; // It's definitely not an Int52 but it's a real number and it's a double.
</ins><span class="cx"> static const SpeculatedType SpecDoubleReal = SpecNonIntAsDouble | SpecAnyIntAsDouble; // It's definitely a non-NaN double.
</span><del>-static const SpeculatedType SpecDoublePureNaN = 1u << 26; // It's definitely a NaN that is sae to tag (i.e. pure).
-static const SpeculatedType SpecDoubleImpureNaN = 1u << 27; // It's definitely a NaN that is unsafe to tag (i.e. impure).
</del><ins>+static const SpeculatedType SpecDoublePureNaN = 1ull << 28; // It's definitely a NaN that is sae to tag (i.e. pure).
+static const SpeculatedType SpecDoubleImpureNaN = 1ull << 29; // It's definitely a NaN that is unsafe to tag (i.e. impure).
</ins><span class="cx"> static const SpeculatedType SpecDoubleNaN = SpecDoublePureNaN | SpecDoubleImpureNaN; // It's definitely some kind of NaN.
</span><span class="cx"> static const SpeculatedType SpecBytecodeDouble = SpecDoubleReal | SpecDoublePureNaN; // It's either a non-NaN or a NaN double, but it's definitely not impure NaN.
</span><span class="cx"> static const SpeculatedType SpecFullDouble = SpecDoubleReal | SpecDoubleNaN; // It's either a non-NaN or a NaN double.
</span><span class="lines">@@ -81,12 +83,12 @@
</span><span class="cx"> static const SpeculatedType SpecFullRealNumber = SpecAnyInt | SpecDoubleReal; // It's either an Int32 or a DoubleReal, or a Int52.
</span><span class="cx"> static const SpeculatedType SpecBytecodeNumber = SpecInt32Only | SpecBytecodeDouble; // It's either an Int32 or a Double, and the Double cannot be an impure NaN.
</span><span class="cx"> static const SpeculatedType SpecFullNumber = SpecAnyInt | SpecFullDouble; // It's either an Int32, Int52, or a Double, and the Double can be impure NaN.
</span><del>-static const SpeculatedType SpecBoolean = 1u << 28; // It's definitely a Boolean.
-static const SpeculatedType SpecOther = 1u << 29; // It's definitely either Null or Undefined.
</del><ins>+static const SpeculatedType SpecBoolean = 1ull << 30; // It's definitely a Boolean.
+static const SpeculatedType SpecOther = 1ull << 31; // It's definitely either Null or Undefined.
</ins><span class="cx"> static const SpeculatedType SpecMisc = SpecBoolean | SpecOther; // It's definitely either a boolean, Null, or Undefined.
</span><span class="cx"> static const SpeculatedType SpecHeapTop = SpecCell | SpecBytecodeNumber | SpecMisc; // It can be any of the above, except for SpecInt52Only and SpecDoubleImpureNaN.
</span><span class="cx"> static const SpeculatedType SpecPrimitive = SpecString | SpecSymbol | SpecBytecodeNumber | SpecMisc; // It's any non-Object JSValue.
</span><del>-static const SpeculatedType SpecEmpty = 1u << 30; // It's definitely an empty value marker.
</del><ins>+static const SpeculatedType SpecEmpty = 1ull << 32; // It's definitely an empty value marker.
</ins><span class="cx"> static const SpeculatedType SpecBytecodeTop = SpecHeapTop | SpecEmpty; // It can be any of the above, except for SpecInt52Only and SpecDoubleImpureNaN. Corresponds to what could be found in a bytecode local.
</span><span class="cx"> static const SpeculatedType SpecFullTop = SpecBytecodeTop | SpecFullNumber; // It can be anything that bytecode could see plus exotic encodings of numbers.
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -977,6 +977,22 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case MapHash:
+ forNode(node).setType(SpecInt32Only);
+ break;
+
+ case LoadFromJSMapBucket:
+ forNode(node).makeHeapTop();
+ break;
+
+ case GetMapBucket:
+ forNode(node).setType(m_graph, SpecCellOther);
+ break;
+
+ case IsNonEmptyMapBucket:
+ forNode(node).setType(SpecBoolean);
+ break;
+
</ins><span class="cx"> case IsEmpty:
</span><span class="cx"> case IsJSArray:
</span><span class="cx"> case IsUndefined:
</span><span class="lines">@@ -2883,7 +2899,7 @@
</span><span class="cx"> bool AbstractInterpreter<AbstractStateType>::execute(unsigned indexInBlock)
</span><span class="cx"> {
</span><span class="cx"> Node* node = m_state.block()->at(indexInBlock);
</span><del>-
</del><ins>+
</ins><span class="cx"> startExecuting();
</span><span class="cx"> executeEdges(node);
</span><span class="cx"> return executeEffects(indexInBlock, node);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -2538,7 +2538,37 @@
</span><span class="cx"> set(VirtualRegister(resultOperand), get(operand));
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><del>-
</del><ins>+
+ case JSMapGetIntrinsic: {
+ if (argumentCountIncludingThis != 2)
+ return false;
+
+ insertChecks();
+ Node* map = get(virtualRegisterForArgument(0, registerOffset));
+ Node* key = get(virtualRegisterForArgument(1, registerOffset));
+ Node* hash = addToGraph(MapHash, key);
+ Node* bucket = addToGraph(GetMapBucket, Edge(map, MapObjectUse), Edge(key), Edge(hash));
+ Node* result = addToGraph(LoadFromJSMapBucket, OpInfo(), OpInfo(prediction), bucket);
+ set(VirtualRegister(resultOperand), result);
+ return true;
+ }
+
+ case JSSetHasIntrinsic:
+ case JSMapHasIntrinsic: {
+ if (argumentCountIncludingThis != 2)
+ return false;
+
+ insertChecks();
+ Node* mapOrSet = get(virtualRegisterForArgument(0, registerOffset));
+ Node* key = get(virtualRegisterForArgument(1, registerOffset));
+ Node* hash = addToGraph(MapHash, key);
+ UseKind useKind = intrinsic == JSSetHasIntrinsic ? SetObjectUse : MapObjectUse;
+ Node* bucket = addToGraph(GetMapBucket, OpInfo(0), Edge(mapOrSet, useKind), Edge(key), Edge(hash));
+ Node* result = addToGraph(IsNonEmptyMapBucket, bucket);
+ set(VirtualRegister(resultOperand), result);
+ return true;
+ }
+
</ins><span class="cx"> default:
</span><span class="cx"> return false;
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGClobberize.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1251,6 +1251,27 @@
</span><span class="cx"> case LogShadowChickenTail:
</span><span class="cx"> write(SideState);
</span><span class="cx"> return;
</span><ins>+
+ case MapHash:
+ def(PureValue(node));
+ return;
+ case GetMapBucket: {
+ read(MiscFields);
+ Edge& mapEdge = node->child1();
+ Edge& keyEdge = node->child2();
+ def(HeapLocation(MapBucketLoc, MiscFields, mapEdge, keyEdge), LazyNode(node));
+ return;
+ }
+ case LoadFromJSMapBucket: {
+ read(MiscFields);
+ Edge& bucketEdge = node->child1();
+ def(HeapLocation(JSMapGetLoc, MiscFields, bucketEdge), LazyNode(node));
+ return;
+ }
+ case IsNonEmptyMapBucket:
+ read(MiscFields);
+ def(HeapLocation(MapHasLoc, MiscFields, node->child1()), LazyNode(node));
+ return;
</ins><span class="cx">
</span><span class="cx"> case LastNodeType:
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -185,6 +185,10 @@
</span><span class="cx"> case ForceOSRExit:
</span><span class="cx"> case CheckWatchdogTimer:
</span><span class="cx"> case StringFromCharCode:
</span><ins>+ case MapHash:
+ case GetMapBucket:
+ case LoadFromJSMapBucket:
+ case IsNonEmptyMapBucket:
</ins><span class="cx"> case Unreachable:
</span><span class="cx"> case ExtractOSREntryLocal:
</span><span class="cx"> case CheckTierUpInLoop:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGEdgeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGEdge.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGEdge.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGEdge.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -189,7 +189,7 @@
</span><span class="cx"> friend class AdjacencyList;
</span><span class="cx">
</span><span class="cx"> #if USE(JSVALUE64)
</span><del>- static uint32_t shift() { return 7; }
</del><ins>+ static constexpr uint32_t shift() { return 8; }
</ins><span class="cx">
</span><span class="cx"> static uintptr_t makeWord(Node* node, UseKind useKind, ProofStatus proofStatus, KillStatus killStatus)
</span><span class="cx"> {
</span><span class="lines">@@ -197,8 +197,21 @@
</span><span class="cx"> uintptr_t shiftedValue = bitwise_cast<uintptr_t>(node) << shift();
</span><span class="cx"> ASSERT((shiftedValue >> shift()) == bitwise_cast<uintptr_t>(node));
</span><span class="cx"> ASSERT(useKind >= 0 && useKind < LastUseKind);
</span><del>- ASSERT((static_cast<uintptr_t>(LastUseKind) << 2) <= (static_cast<uintptr_t>(2) << shift()));
- return shiftedValue | (static_cast<uintptr_t>(useKind) << 2) | (DFG::doesKill(killStatus) << 1) | static_cast<uintptr_t>(DFG::isProved(proofStatus));
</del><ins>+ static_assert((static_cast<uintptr_t>(LastUseKind) << 2) < (static_cast<uintptr_t>(1) << shift()), "We rely on this being true to not clobber the node pointer.");
+ uintptr_t result = shiftedValue | (static_cast<uintptr_t>(useKind) << 2) | (DFG::doesKill(killStatus) << 1) | static_cast<uintptr_t>(DFG::isProved(proofStatus));
+ if (!ASSERT_DISABLED) {
+ union U {
+ U() { word = 0; }
+ uintptr_t word;
+ Edge edge;
+ } u;
+ u.word = result;
+ ASSERT(u.edge.useKindUnchecked() == useKind);
+ ASSERT(u.edge.node() == node);
+ ASSERT(u.edge.proofStatusUnchecked() == proofStatus);
+ ASSERT(u.edge.killStatusUnchecked() == killStatus);
+ }
+ return result;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> #else
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1548,6 +1548,29 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case GetMapBucket:
+ if (node->child1().useKind() == MapObjectUse)
+ fixEdge<MapObjectUse>(node->child1());
+ else if (node->child1().useKind() == SetObjectUse)
+ fixEdge<SetObjectUse>(node->child1());
+ else
+ RELEASE_ASSERT_NOT_REACHED();
+ fixEdge<UntypedUse>(node->child2());
+ fixEdge<Int32Use>(node->child3());
+ break;
+
+ case LoadFromJSMapBucket:
+ fixEdge<KnownCellUse>(node->child1());
+ break;
+
+ case IsNonEmptyMapBucket:
+ fixEdge<KnownCellUse>(node->child1());
+ break;
+
+ case MapHash:
+ fixEdge<UntypedUse>(node->child1());
+ break;
+
</ins><span class="cx"> #if !ASSERT_DISABLED
</span><span class="cx"> // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
</span><span class="cx"> case SetArgument:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGHeapLocationcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -143,6 +143,15 @@
</span><span class="cx"> case RegExpObjectLastIndexLoc:
</span><span class="cx"> out.print("RegExpObjectLastIndexLoc");
</span><span class="cx"> return;
</span><ins>+ case MapBucketLoc:
+ out.print("MapBucketLoc");
+ return;
+ case JSMapGetLoc:
+ out.print("JSMapGetLoc");
+ return;
+ case MapHasLoc:
+ out.print("MapHasLoc");
+ return;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGHeapLocationh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGHeapLocation.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -58,7 +58,10 @@
</span><span class="cx"> StructureLoc,
</span><span class="cx"> TypedArrayByteOffsetLoc,
</span><span class="cx"> StackLoc,
</span><del>- StackPayloadLoc
</del><ins>+ StackPayloadLoc,
+ MapBucketLoc,
+ JSMapGetLoc,
+ MapHasLoc
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> class HeapLocation {
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGNode.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGNode.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGNode.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1421,6 +1421,7 @@
</span><span class="cx"> case StringReplace:
</span><span class="cx"> case StringReplaceRegExp:
</span><span class="cx"> case ToNumber:
</span><ins>+ case LoadFromJSMapBucket:
</ins><span class="cx"> return true;
</span><span class="cx"> default:
</span><span class="cx"> return false;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGNodeType.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGNodeType.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGNodeType.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -388,7 +388,12 @@
</span><span class="cx"> macro(GetPropertyEnumerator, NodeMustGenerate | NodeResultJS) \
</span><span class="cx"> macro(GetEnumeratorStructurePname, NodeMustGenerate | NodeResultJS) \
</span><span class="cx"> macro(GetEnumeratorGenericPname, NodeMustGenerate | NodeResultJS) \
</span><del>- macro(ToIndexString, NodeResultJS)
</del><ins>+ macro(ToIndexString, NodeResultJS) \
+ /* Nodes for JSMap and JSSet */ \
+ macro(MapHash, NodeResultInt32) \
+ macro(GetMapBucket, NodeResultJS) \
+ macro(LoadFromJSMapBucket, NodeResultJS) \
+ macro(IsNonEmptyMapBucket, NodeResultBoolean) \
</ins><span class="cx">
</span><span class="cx"> // This enum generates a monotonically increasing id for all Node types,
</span><span class="cx"> // and is used by the subsequent enum to fill out the id (as accessed via the NodeIdMask).
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGOperations.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -50,6 +50,8 @@
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "JSGenericTypedArrayViewConstructorInlines.h"
</span><span class="cx"> #include "JSLexicalEnvironment.h"
</span><ins>+#include "JSMap.h"
+#include "JSSet.h"
</ins><span class="cx"> #include "ObjectConstructor.h"
</span><span class="cx"> #include "Repatch.h"
</span><span class="cx"> #include "ScopedArguments.h"
</span><span class="lines">@@ -1823,6 +1825,34 @@
</span><span class="cx"> scope->methodTable()->put(scope, exec, ident, JSValue::decode(value), slot);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+int32_t JIT_OPERATION operationMapHash(ExecState* exec, EncodedJSValue input)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ return jsMapHash(exec, vm, normalizeMapKey(JSValue::decode(input)));
+}
+
+JSCell* JIT_OPERATION operationJSMapFindBucket(ExecState* exec, JSCell* map, EncodedJSValue key, int32_t hash)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ JSMap::BucketType** bucket = jsCast<JSMap*>(map)->findBucket(exec, normalizeMapKey(JSValue::decode(key)), hash);
+ if (!bucket)
+ return nullptr;
+ return *bucket;
+}
+
+JSCell* JIT_OPERATION operationJSSetFindBucket(ExecState* exec, JSCell* map, EncodedJSValue key, int32_t hash)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ JSSet::BucketType** bucket = jsCast<JSSet*>(map)->findBucket(exec, normalizeMapKey(JSValue::decode(key)), hash);
+ if (!bucket)
+ return nullptr;
+ return *bucket;
+}
+
</ins><span class="cx"> extern "C" void JIT_OPERATION triggerReoptimizationNow(CodeBlock* codeBlock, OSRExitBase* exit)
</span><span class="cx"> {
</span><span class="cx"> // It's sort of preferable that we don't GC while in here. Anyways, doing so wouldn't
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGOperationsh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGOperations.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGOperations.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGOperations.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -143,6 +143,10 @@
</span><span class="cx"> StringImpl* JIT_OPERATION operationResolveRope(ExecState*, JSString*);
</span><span class="cx"> JSString* JIT_OPERATION operationSingleCharacterString(ExecState*, int32_t);
</span><span class="cx">
</span><ins>+int32_t JIT_OPERATION operationMapHash(ExecState*, EncodedJSValue input);
+JSCell* JIT_OPERATION operationJSMapFindBucket(ExecState*, JSCell*, EncodedJSValue, int32_t);
+JSCell* JIT_OPERATION operationJSSetFindBucket(ExecState*, JSCell*, EncodedJSValue, int32_t);
+
</ins><span class="cx"> JSCell* JIT_OPERATION operationNewStringObject(ExecState*, JSString*, Structure*);
</span><span class="cx"> JSCell* JIT_OPERATION operationToStringOnCell(ExecState*, JSCell*);
</span><span class="cx"> JSCell* JIT_OPERATION operationToString(ExecState*, EncodedJSValue);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -708,6 +708,7 @@
</span><span class="cx"> case GetGlobalLexicalVariable:
</span><span class="cx"> case GetClosureVar:
</span><span class="cx"> case GetFromArguments:
</span><ins>+ case LoadFromJSMapBucket:
</ins><span class="cx"> case ToNumber: {
</span><span class="cx"> setPrediction(m_currentNode->getHeapPrediction());
</span><span class="cx"> break;
</span><span class="lines">@@ -738,6 +739,16 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case MapHash:
+ setPrediction(SpecInt32Only);
+ break;
+ case GetMapBucket:
+ setPrediction(SpecCellOther);
+ break;
+ case IsNonEmptyMapBucket:
+ setPrediction(SpecBoolean);
+ break;
+
</ins><span class="cx"> case GetRestLength: {
</span><span class="cx"> setPrediction(SpecInt32Only);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -58,6 +58,8 @@
</span><span class="cx"> case FunctionUse:
</span><span class="cx"> case FinalObjectUse:
</span><span class="cx"> case RegExpObjectUse:
</span><ins>+ case MapObjectUse:
+ case SetObjectUse:
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> case StringIdentUse:
</span><span class="cx"> case StringUse:
</span><span class="lines">@@ -355,6 +357,10 @@
</span><span class="cx"> case GetDynamicVar:
</span><span class="cx"> case PutDynamicVar:
</span><span class="cx"> case ResolveScope:
</span><ins>+ case MapHash:
+ case GetMapBucket:
+ case LoadFromJSMapBucket:
+ case IsNonEmptyMapBucket:
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> case BottomValue:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -7418,6 +7418,34 @@
</span><span class="cx"> speculateRegExpObject(edge, operand.gpr());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void SpeculativeJIT::speculateMapObject(Edge edge, GPRReg cell)
+{
+ speculateCellType(edge, cell, SpecMapObject, JSMapType);
+}
+
+void SpeculativeJIT::speculateMapObject(Edge edge)
+{
+ if (!needsTypeCheck(edge, SpecMapObject))
+ return;
+
+ SpeculateCellOperand operand(this, edge);
+ speculateMapObject(edge, operand.gpr());
+}
+
+void SpeculativeJIT::speculateSetObject(Edge edge, GPRReg cell)
+{
+ speculateCellType(edge, cell, SpecSetObject, JSSetType);
+}
+
+void SpeculativeJIT::speculateSetObject(Edge edge)
+{
+ if (!needsTypeCheck(edge, SpecSetObject))
+ return;
+
+ SpeculateCellOperand operand(this, edge);
+ speculateSetObject(edge, operand.gpr());
+}
+
</ins><span class="cx"> void SpeculativeJIT::speculateObjectOrOther(Edge edge)
</span><span class="cx"> {
</span><span class="cx"> if (!needsTypeCheck(edge, SpecObject | SpecOther))
</span><span class="lines">@@ -7705,6 +7733,12 @@
</span><span class="cx"> case RegExpObjectUse:
</span><span class="cx"> speculateRegExpObject(edge);
</span><span class="cx"> break;
</span><ins>+ case MapObjectUse:
+ speculateMapObject(edge);
+ break;
+ case SetObjectUse:
+ speculateSetObject(edge);
+ break;
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> speculateObjectOrOther(edge);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1311,6 +1311,12 @@
</span><span class="cx">
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">
</span><ins>+ JITCompiler::Call callOperation(C_JITOperation_ECJZ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallSetResult(operation, result);
+ }
+
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_EJJMic operation, JSValueRegs result, JSValueRegs arg1, JSValueRegs arg2, TrustedImmPtr mathIC)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1.gpr(), arg2.gpr(), mathIC);
</span><span class="lines">@@ -1745,6 +1751,12 @@
</span><span class="cx"> }
</span><span class="cx"> #else // USE(JSVALUE32_64)
</span><span class="cx">
</span><ins>+ JITCompiler::Call callOperation(C_JITOperation_ECJZ operation, GPRReg result, GPRReg arg1, JSValueRegs arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2.payloadGPR(), arg2.tagGPR(), arg3);
+ return appendCallSetResult(operation, result);
+ }
+
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_EJJMic operation, JSValueRegs result, JSValueRegs arg1, JSValueRegs arg2, TrustedImmPtr mathIC)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1.payloadGPR(), arg1.tagGPR(), arg2.payloadGPR(), arg2.tagGPR(), mathIC);
</span><span class="lines">@@ -2689,6 +2701,10 @@
</span><span class="cx"> void speculateFinalObject(Edge);
</span><span class="cx"> void speculateRegExpObject(Edge, GPRReg cell);
</span><span class="cx"> void speculateRegExpObject(Edge);
</span><ins>+ void speculateMapObject(Edge);
+ void speculateMapObject(Edge, GPRReg cell);
+ void speculateSetObject(Edge);
+ void speculateSetObject(Edge, GPRReg cell);
</ins><span class="cx"> void speculateObjectOrOther(Edge);
</span><span class="cx"> void speculateString(Edge edge, GPRReg cell);
</span><span class="cx"> void speculateStringIdentAndLoadStorage(Edge edge, GPRReg string, GPRReg storage);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -37,6 +37,7 @@
</span><span class="cx"> #include "DFGSlowPathGenerator.h"
</span><span class="cx"> #include "DirectArguments.h"
</span><span class="cx"> #include "GetterSetter.h"
</span><ins>+#include "HashMapImpl.h"
</ins><span class="cx"> #include "JSEnvironmentRecord.h"
</span><span class="cx"> #include "JSLexicalEnvironment.h"
</span><span class="cx"> #include "JSPropertyNameEnumerator.h"
</span><span class="lines">@@ -4719,6 +4720,82 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case MapHash: {
+ JSValueOperand input(this, node->child1());
+
+ JSValueRegs inputRegs = input.jsValueRegs();
+
+ GPRFlushedCallResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationMapHash, resultGPR, inputRegs);
+ m_jit.exceptionCheck();
+ int32Result(resultGPR, node);
+ break;
+ }
+
+ case GetMapBucket: {
+ SpeculateCellOperand map(this, node->child1());
+ JSValueOperand key(this, node->child2());
+ SpeculateInt32Operand hash(this, node->child3());
+ GPRFlushedCallResult result(this);
+
+ GPRReg mapGPR = map.gpr();
+ JSValueRegs keyRegs = key.jsValueRegs();
+ GPRReg hashGPR = hash.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ if (node->child1().useKind() == MapObjectUse)
+ speculateMapObject(node->child1(), mapGPR);
+ else if (node->child1().useKind() == SetObjectUse)
+ speculateSetObject(node->child1(), mapGPR);
+ else
+ RELEASE_ASSERT_NOT_REACHED();
+
+ flushRegisters();
+ if (node->child1().useKind() == MapObjectUse)
+ callOperation(operationJSMapFindBucket, resultGPR, mapGPR, keyRegs, hashGPR);
+ else
+ callOperation(operationJSSetFindBucket, resultGPR, mapGPR, keyRegs, hashGPR);
+ m_jit.exceptionCheck();
+ cellResult(resultGPR, node);
+ break;
+ }
+
+ case LoadFromJSMapBucket: {
+ SpeculateCellOperand bucket(this, node->child1());
+ GPRTemporary resultPayload(this);
+ GPRTemporary resultTag(this);
+
+ GPRReg bucketGPR = bucket.gpr();
+ GPRReg resultPayloadGPR = resultPayload.gpr();
+ GPRReg resultTagGPR = resultTag.gpr();
+
+ auto notBucket = m_jit.branchTestPtr(MacroAssembler::Zero, bucketGPR);
+ m_jit.loadValue(MacroAssembler::Address(bucketGPR, HashMapBucket<HashMapBucketDataKeyValue>::offsetOfValue()), JSValueRegs(resultTagGPR, resultPayloadGPR));
+ auto done = m_jit.jump();
+
+ notBucket.link(&m_jit);
+ m_jit.move(TrustedImm32(JSValue::UndefinedTag), resultTagGPR);
+ m_jit.move(TrustedImm32(0), resultPayloadGPR);
+ done.link(&m_jit);
+ jsValueResult(resultTagGPR, resultPayloadGPR, node);
+ break;
+ }
+
+ case IsNonEmptyMapBucket: {
+ SpeculateCellOperand bucket(this, node->child1());
+ GPRTemporary result(this);
+
+ GPRReg bucketGPR = bucket.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ m_jit.comparePtr(MacroAssembler::NotEqual, bucketGPR, TrustedImm32(0), resultGPR);
+ booleanResult(resultGPR, node);
+ break;
+ }
+
</ins><span class="cx"> case Flush:
</span><span class="cx"> break;
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -39,7 +39,9 @@
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "JSEnvironmentRecord.h"
</span><span class="cx"> #include "JSLexicalEnvironment.h"
</span><ins>+#include "JSMap.h"
</ins><span class="cx"> #include "JSPropertyNameEnumerator.h"
</span><ins>+#include "JSSet.h"
</ins><span class="cx"> #include "ObjectPrototype.h"
</span><span class="cx"> #include "SetupVarargsFrame.h"
</span><span class="cx"> #include "SpillRegistersMode.h"
</span><span class="lines">@@ -4615,6 +4617,168 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case MapHash: {
+ JSValueOperand input(this, node->child1());
+ GPRTemporary temp(this);
+ GPRTemporary result(this);
+
+ GPRReg inputGPR = input.gpr();
+ GPRReg resultGPR = result.gpr();
+ GPRReg tempGPR = temp.gpr();
+
+ MacroAssembler::JumpList straightHash;
+ MacroAssembler::JumpList done;
+ auto isNotCell = m_jit.branchIfNotCell(inputGPR);
+ MacroAssembler::JumpList slowPath;
+ straightHash.append(m_jit.branch8(MacroAssembler::NotEqual, MacroAssembler::Address(inputGPR, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType)));
+ m_jit.loadPtr(MacroAssembler::Address(inputGPR, JSString::offsetOfValue()), resultGPR);
+ slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, resultGPR));
+ m_jit.load32(MacroAssembler::Address(resultGPR, StringImpl::flagsOffset()), resultGPR);
+ m_jit.urshift64(MacroAssembler::TrustedImm32(StringImpl::s_flagCount), resultGPR);
+ slowPath.append(m_jit.branchTest32(MacroAssembler::Zero, resultGPR));
+ done.append(m_jit.jump());
+
+ isNotCell.link(&m_jit);
+ straightHash.append(m_jit.branchIfNotNumber(inputGPR));
+ straightHash.append(m_jit.branchIfInt32(JSValueRegs(inputGPR)));
+ slowPath.append(m_jit.jump());
+
+ straightHash.link(&m_jit);
+ m_jit.move(inputGPR, resultGPR);
+ m_jit.wangsInt64Hash(resultGPR, tempGPR);
+ done.append(m_jit.jump());
+
+ slowPath.link(&m_jit);
+ silentSpillAllRegisters(resultGPR);
+ callOperation(operationMapHash, resultGPR, JSValueRegs(inputGPR));
+ silentFillAllRegisters(resultGPR);
+ m_jit.exceptionCheck();
+
+ done.link(&m_jit);
+ int32Result(resultGPR, node);
+ break;
+ }
+ case GetMapBucket: {
+ SpeculateCellOperand map(this, node->child1());
+ JSValueOperand key(this, node->child2());
+ SpeculateInt32Operand hash(this, node->child3());
+ GPRTemporary mask(this);
+ GPRTemporary index(this);
+ GPRTemporary buffer(this);
+ GPRTemporary bucket(this);
+ GPRTemporary result(this);
+
+ GPRReg hashGPR = hash.gpr();
+ GPRReg mapGPR = map.gpr();
+ GPRReg maskGPR = mask.gpr();
+ GPRReg indexGPR = index.gpr();
+ GPRReg bufferGPR = buffer.gpr();
+ GPRReg bucketGPR = bucket.gpr();
+ GPRReg keyGPR = key.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ if (node->child1().useKind() == MapObjectUse)
+ speculateMapObject(node->child1(), mapGPR);
+ else if (node->child1().useKind() == SetObjectUse)
+ speculateSetObject(node->child1(), mapGPR);
+ else
+ RELEASE_ASSERT_NOT_REACHED();
+
+ m_jit.loadPtr(MacroAssembler::Address(mapGPR, node->child1().useKind() == MapObjectUse ? JSMap::offsetOfHashMapImpl() : JSSet::offsetOfHashMapImpl()), bufferGPR);
+ m_jit.load32(MacroAssembler::Address(bufferGPR, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()), maskGPR);
+ m_jit.loadPtr(MacroAssembler::Address(bufferGPR, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()), bufferGPR);
+ m_jit.sub32(TrustedImm32(1), maskGPR);
+ m_jit.move(hashGPR, indexGPR);
+
+ MacroAssembler::Label loop = m_jit.label();
+ MacroAssembler::JumpList done;
+ MacroAssembler::JumpList slowPathCases;
+ MacroAssembler::JumpList loopAround;
+
+ m_jit.and32(maskGPR, indexGPR);
+ m_jit.loadPtr(MacroAssembler::BaseIndex(bufferGPR, indexGPR, MacroAssembler::TimesEight), bucketGPR);
+ m_jit.move(bucketGPR, resultGPR);
+ auto notPresentInTable = m_jit.branchPtr(MacroAssembler::Equal,
+ bucketGPR, TrustedImmPtr(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::emptyValue()));
+ loopAround.append(m_jit.branchPtr(MacroAssembler::Equal,
+ bucketGPR, TrustedImmPtr(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::deletedValue())));
+
+ m_jit.load64(MacroAssembler::Address(bucketGPR, HashMapBucket<HashMapBucketDataKey>::offsetOfKey()), bucketGPR);
+
+ // Perform Object.is()
+ done.append(m_jit.branch64(MacroAssembler::Equal, bucketGPR, keyGPR)); // They're definitely the same value, we found the bucket we were looking for!
+ auto oneIsntCell = m_jit.branchIfNotCell(JSValueRegs(bucketGPR));
+ // first is a cell here.
+ loopAround.append(m_jit.branchIfNotCell(JSValueRegs(keyGPR)));
+ // Both are cells here.
+ loopAround.append(m_jit.branch8(JITCompiler::NotEqual,
+ JITCompiler::Address(bucketGPR, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType)));
+ // The first is a string here.
+ slowPathCases.append(m_jit.branch8(JITCompiler::Equal,
+ JITCompiler::Address(keyGPR, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType)));
+ // The first is a string, but the second is not, we continue to loop around.
+ loopAround.append(m_jit.jump());
+
+ oneIsntCell.link(&m_jit);
+ // We've already done a 64-bit compare at this point, so if one is not a number, they're definitely not equal.
+ loopAround.append(m_jit.branchIfNotNumber(bucketGPR));
+ loopAround.append(m_jit.branchIfNotNumber(keyGPR));
+ // Both are definitely numbers. If we see a double, we go to the slow path.
+ slowPathCases.append(m_jit.branchIfNotInt32(bucketGPR));
+ slowPathCases.append(m_jit.branchIfNotInt32(keyGPR));
+
+ loopAround.link(&m_jit);
+ m_jit.add32(TrustedImm32(1), indexGPR);
+ m_jit.jump().linkTo(loop, &m_jit);
+
+ slowPathCases.link(&m_jit);
+ silentSpillAllRegisters(indexGPR);
+ if (node->child1().useKind() == MapObjectUse)
+ callOperation(operationJSMapFindBucket, resultGPR, mapGPR, keyGPR, hashGPR);
+ else
+ callOperation(operationJSSetFindBucket, resultGPR, mapGPR, keyGPR, hashGPR);
+ silentFillAllRegisters(indexGPR);
+ m_jit.exceptionCheck();
+ done.append(m_jit.jump());
+
+ notPresentInTable.link(&m_jit);
+ m_jit.move(TrustedImmPtr(nullptr), resultGPR);
+ done.link(&m_jit);
+ cellResult(resultGPR, node);
+ break;
+ }
+
+ case LoadFromJSMapBucket: {
+ SpeculateCellOperand bucket(this, node->child1());
+ GPRTemporary result(this);
+
+ GPRReg bucketGPR = bucket.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ auto notBucket = m_jit.branchTestPtr(MacroAssembler::Zero, bucketGPR);
+ m_jit.load64(MacroAssembler::Address(bucketGPR, HashMapBucket<HashMapBucketDataKeyValue>::offsetOfValue()), resultGPR);
+ auto done = m_jit.jump();
+
+ notBucket.link(&m_jit);
+ m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsUndefined())), resultGPR);
+ done.link(&m_jit);
+ jsValueResult(resultGPR, node);
+ break;
+ }
+
+ case IsNonEmptyMapBucket: {
+ SpeculateCellOperand bucket(this, node->child1());
+ GPRTemporary result(this);
+
+ GPRReg bucketGPR = bucket.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ m_jit.comparePtr(MacroAssembler::NotEqual, bucketGPR, TrustedImm32(0), resultGPR);
+ m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
+ jsValueResult(resultGPR, node, DataFormatJSBoolean);
+ break;
+ }
+
</ins><span class="cx"> case IsObject: {
</span><span class="cx"> JSValueOperand value(this, node->child1());
</span><span class="cx"> GPRTemporary result(this, Reuse, value);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGUseKindcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGUseKind.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGUseKind.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGUseKind.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -94,6 +94,12 @@
</span><span class="cx"> case RegExpObjectUse:
</span><span class="cx"> out.print("RegExpObject");
</span><span class="cx"> return;
</span><ins>+ case MapObjectUse:
+ out.print("MapObjectUse");
+ return;
+ case SetObjectUse:
+ out.print("SetObjectUse");
+ return;
</ins><span class="cx"> case ObjectOrOtherUse:
</span><span class="cx"> out.print("ObjectOrOther");
</span><span class="cx"> return;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoredfgDFGUseKindh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGUseKind.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGUseKind.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/dfg/DFGUseKind.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -63,6 +63,8 @@
</span><span class="cx"> KnownStringUse,
</span><span class="cx"> KnownPrimitiveUse, // This bizarre type arises for op_strcat, which has a bytecode guarantee that it will only see primitives (i.e. not objects).
</span><span class="cx"> SymbolUse,
</span><ins>+ MapObjectUse,
+ SetObjectUse,
</ins><span class="cx"> StringObjectUse,
</span><span class="cx"> StringOrStringObjectUse,
</span><span class="cx"> NotStringVarUse,
</span><span class="lines">@@ -134,6 +136,10 @@
</span><span class="cx"> return SpecHeapTop & ~SpecObject;
</span><span class="cx"> case SymbolUse:
</span><span class="cx"> return SpecSymbol;
</span><ins>+ case MapObjectUse:
+ return SpecMapObject;
+ case SetObjectUse:
+ return SpecSetObject;
</ins><span class="cx"> case StringObjectUse:
</span><span class="cx"> return SpecStringObject;
</span><span class="cx"> case StringOrStringObjectUse:
</span><span class="lines">@@ -221,6 +227,8 @@
</span><span class="cx"> case SymbolUse:
</span><span class="cx"> case StringObjectUse:
</span><span class="cx"> case StringOrStringObjectUse:
</span><ins>+ case MapObjectUse:
+ case SetObjectUse:
</ins><span class="cx"> return true;
</span><span class="cx"> default:
</span><span class="cx"> return false;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreftlFTLAbstractHeapRepositoryh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -32,6 +32,8 @@
</span><span class="cx"> #include "DFGArrayMode.h"
</span><span class="cx"> #include "FTLAbstractHeap.h"
</span><span class="cx"> #include "IndexingType.h"
</span><ins>+#include "JSMap.h"
+#include "JSSet.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC { namespace FTL {
</span><span class="cx">
</span><span class="lines">@@ -101,7 +103,13 @@
</span><span class="cx"> macro(Structure_classInfo, Structure::classInfoOffset()) \
</span><span class="cx"> macro(Structure_globalObject, Structure::globalObjectOffset()) \
</span><span class="cx"> macro(Structure_prototype, Structure::prototypeOffset()) \
</span><del>- macro(Structure_structureID, Structure::structureIDOffset())
</del><ins>+ macro(Structure_structureID, Structure::structureIDOffset()) \
+ macro(JSMap_hashMapImpl, JSMap::offsetOfHashMapImpl()) \
+ macro(JSSet_hashMapImpl, JSSet::offsetOfHashMapImpl()) \
+ macro(HashMapImpl_capacity, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()) \
+ macro(HashMapImpl_buffer, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()) \
+ macro(HashMapBucket_value, HashMapBucket<HashMapBucketDataKeyValue>::offsetOfValue()) \
+ macro(HashMapBucket_key, HashMapBucket<HashMapBucketDataKeyValue>::offsetOfKey()) \
</ins><span class="cx">
</span><span class="cx"> #define FOR_EACH_INDEXED_ABSTRACT_HEAP(macro) \
</span><span class="cx"> macro(DirectArguments_storage, DirectArguments::storageOffset(), sizeof(EncodedJSValue)) \
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -181,6 +181,10 @@
</span><span class="cx"> case Unreachable:
</span><span class="cx"> case In:
</span><span class="cx"> case IsJSArray:
</span><ins>+ case MapHash:
+ case GetMapBucket:
+ case LoadFromJSMapBucket:
+ case IsNonEmptyMapBucket:
</ins><span class="cx"> case IsEmpty:
</span><span class="cx"> case IsUndefined:
</span><span class="cx"> case IsBoolean:
</span><span class="lines">@@ -425,6 +429,8 @@
</span><span class="cx"> case StringObjectUse:
</span><span class="cx"> case StringOrStringObjectUse:
</span><span class="cx"> case SymbolUse:
</span><ins>+ case MapObjectUse:
+ case SetObjectUse:
</ins><span class="cx"> case FinalObjectUse:
</span><span class="cx"> case RegExpObjectUse:
</span><span class="cx"> case NotCellUse:
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -70,6 +70,7 @@
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "JSGeneratorFunction.h"
</span><span class="cx"> #include "JSLexicalEnvironment.h"
</span><ins>+#include "JSMap.h"
</ins><span class="cx"> #include "OperandsInlines.h"
</span><span class="cx"> #include "ScopedArguments.h"
</span><span class="cx"> #include "ScopedArgumentsTable.h"
</span><span class="lines">@@ -898,6 +899,18 @@
</span><span class="cx"> case IsJSArray:
</span><span class="cx"> compileIsJSArray();
</span><span class="cx"> break;
</span><ins>+ case MapHash:
+ compileMapHash();
+ break;
+ case GetMapBucket:
+ compileGetMapBucket();
+ break;
+ case LoadFromJSMapBucket:
+ compileLoadFromJSMapBucket();
+ break;
+ case IsNonEmptyMapBucket:
+ compileIsNonEmptyMapBucket();
+ break;
</ins><span class="cx"> case IsObject:
</span><span class="cx"> compileIsObject();
</span><span class="cx"> break;
</span><span class="lines">@@ -6281,6 +6294,229 @@
</span><span class="cx"> setBoolean(m_out.phi(Int32, notCellResult, cellResult));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void compileMapHash()
+ {
+ LValue value = lowJSValue(m_node->child1());
+
+ LBasicBlock isCellCase = m_out.newBlock();
+ LBasicBlock notCell = m_out.newBlock();
+ LBasicBlock slowCase = m_out.newBlock();
+ LBasicBlock straightHash = m_out.newBlock();
+ LBasicBlock isNumberCase = m_out.newBlock();
+ LBasicBlock isStringCase = m_out.newBlock();
+ LBasicBlock nonEmptyStringCase = m_out.newBlock();
+ LBasicBlock continuation = m_out.newBlock();
+
+ m_out.branch(
+ isCell(value, provenType(m_node->child1())), unsure(isCellCase), unsure(notCell));
+
+ LBasicBlock lastNext = m_out.appendTo(isCellCase, isStringCase);
+ LValue isString = m_out.equal(m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoType), m_out.constInt32(StringType));
+ m_out.branch(
+ isString, unsure(isStringCase), unsure(straightHash));
+
+ m_out.appendTo(isStringCase, nonEmptyStringCase);
+ LValue stringImpl = m_out.loadPtr(value, m_heaps.JSString_value);
+ m_out.branch(
+ m_out.equal(stringImpl, m_out.constIntPtr(0)), rarely(slowCase), usually(nonEmptyStringCase));
+
+ m_out.appendTo(nonEmptyStringCase, notCell);
+ LValue hash = m_out.lShr(m_out.load32(stringImpl, m_heaps.StringImpl_hashAndFlags), m_out.constInt32(StringImpl::s_flagCount));
+ ValueFromBlock nonEmptyStringHashResult = m_out.anchor(hash);
+ m_out.branch(m_out.equal(hash, m_out.constInt32(0)),
+ rarely(slowCase), usually(continuation));
+
+ m_out.appendTo(notCell, isNumberCase);
+ m_out.branch(
+ isNumber(value), unsure(isNumberCase), unsure(straightHash));
+
+ m_out.appendTo(isNumberCase, straightHash);
+ m_out.branch(
+ isInt32(value), unsure(straightHash), unsure(slowCase));
+
+ m_out.appendTo(straightHash, slowCase);
+ // key += ~(key << 32);
+ LValue key = value;
+ LValue temp = key;
+ temp = m_out.shl(temp, m_out.constInt32(32));
+ temp = m_out.bitNot(temp);
+ key = m_out.add(key, temp);
+ // key ^= (key >> 22);
+ temp = key;
+ temp = m_out.lShr(temp, m_out.constInt32(22));
+ key = m_out.bitXor(key, temp);
+ // key += ~(key << 13);
+ temp = key;
+ temp = m_out.shl(temp, m_out.constInt32(13));
+ temp = m_out.bitNot(temp);
+ key = m_out.add(key, temp);
+ // key ^= (key >> 8);
+ temp = key;
+ temp = m_out.lShr(temp, m_out.constInt32(8));
+ key = m_out.bitXor(key, temp);
+ // key += (key << 3);
+ temp = key;
+ temp = m_out.shl(temp, m_out.constInt32(3));
+ key = m_out.add(key, temp);
+ // key ^= (key >> 15);
+ temp = key;
+ temp = m_out.lShr(temp, m_out.constInt32(15));
+ key = m_out.bitXor(key, temp);
+ // key += ~(key << 27);
+ temp = key;
+ temp = m_out.shl(temp, m_out.constInt32(27));
+ temp = m_out.bitNot(temp);
+ key = m_out.add(key, temp);
+ // key ^= (key >> 31);
+ temp = key;
+ temp = m_out.lShr(temp, m_out.constInt32(31));
+ key = m_out.bitXor(key, temp);
+ key = m_out.castToInt32(key);
+
+ ValueFromBlock fastResult = m_out.anchor(key);
+ m_out.jump(continuation);
+
+ m_out.appendTo(slowCase, continuation);
+ ValueFromBlock slowResult = m_out.anchor(
+ vmCall(Int32, m_out.operation(operationMapHash), m_callFrame, value));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ setInt32(m_out.phi(Int32, fastResult, slowResult, nonEmptyStringHashResult));
+ }
+
+ void compileGetMapBucket()
+ {
+ LBasicBlock loopStart = m_out.newBlock();
+ LBasicBlock loopAround = m_out.newBlock();
+ LBasicBlock slowPath = m_out.newBlock();
+ LBasicBlock notPresentInTable = m_out.newBlock();
+ LBasicBlock notEmptyValue = m_out.newBlock();
+ LBasicBlock notDeletedValue = m_out.newBlock();
+ LBasicBlock notBitEqual = m_out.newBlock();
+ LBasicBlock bucketKeyNotCell = m_out.newBlock();
+ LBasicBlock bucketKeyIsCell = m_out.newBlock();
+ LBasicBlock bothAreCells = m_out.newBlock();
+ LBasicBlock bucketKeyIsString = m_out.newBlock();
+ LBasicBlock bucketKeyIsNumber = m_out.newBlock();
+ LBasicBlock bothAreNumbers = m_out.newBlock();
+ LBasicBlock bucketKeyIsInt32 = m_out.newBlock();
+ LBasicBlock continuation = m_out.newBlock();
+
+ LBasicBlock lastNext = m_out.insertNewBlocksBefore(loopStart);
+
+ LValue map;
+ if (m_node->child1().useKind() == MapObjectUse)
+ map = lowMapObject(m_node->child1());
+ else if (m_node->child1().useKind() == SetObjectUse)
+ map = lowSetObject(m_node->child1());
+ else
+ RELEASE_ASSERT_NOT_REACHED();
+
+ LValue key = lowJSValue(m_node->child2());
+ LValue hash = lowInt32(m_node->child3());
+
+ LValue hashMapImpl = m_out.loadPtr(map, m_node->child1().useKind() == MapObjectUse ? m_heaps.JSMap_hashMapImpl : m_heaps.JSSet_hashMapImpl);
+ LValue buffer = m_out.loadPtr(hashMapImpl, m_heaps.HashMapImpl_buffer);
+ LValue mask = m_out.sub(m_out.load32(hashMapImpl, m_heaps.HashMapImpl_capacity), m_out.int32One);
+
+ ValueFromBlock indexStart = m_out.anchor(hash);
+ m_out.jump(loopStart);
+
+ m_out.appendTo(loopStart, notEmptyValue);
+ LValue unmaskedIndex = m_out.phi(Int32, indexStart);
+ LValue index = m_out.bitAnd(mask, unmaskedIndex);
+ LValue hashMapBucket = m_out.load64(m_out.baseIndex(m_heaps.properties.atAnyNumber(), buffer, m_out.zeroExt(index, Int64), ScaleEight));
+ ValueFromBlock bucketResult = m_out.anchor(hashMapBucket);
+ m_out.branch(m_out.equal(hashMapBucket, m_out.constIntPtr(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::emptyValue())),
+ unsure(notPresentInTable), unsure(notEmptyValue));
+
+ m_out.appendTo(notEmptyValue, notDeletedValue);
+ m_out.branch(m_out.equal(hashMapBucket, m_out.constIntPtr(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::deletedValue())),
+ unsure(loopAround), unsure(notDeletedValue));
+
+ m_out.appendTo(notDeletedValue, notBitEqual);
+ LValue bucketKey = m_out.load64(hashMapBucket, m_heaps.HashMapBucket_key);
+ // Perform Object.is()
+ m_out.branch(m_out.equal(key, bucketKey),
+ unsure(continuation), unsure(notBitEqual));
+
+ m_out.appendTo(notBitEqual, bucketKeyIsCell);
+ m_out.branch(isCell(bucketKey),
+ unsure(bucketKeyIsCell), unsure(bucketKeyNotCell));
+
+ m_out.appendTo(bucketKeyIsCell, bothAreCells);
+ m_out.branch(isCell(key),
+ unsure(bothAreCells), unsure(loopAround));
+
+ m_out.appendTo(bothAreCells, bucketKeyIsString);
+ m_out.branch(isString(bucketKey),
+ unsure(bucketKeyIsString), unsure(loopAround));
+
+ m_out.appendTo(bucketKeyIsString, bucketKeyNotCell);
+ m_out.branch(isString(key),
+ unsure(slowPath), unsure(loopAround));
+
+ m_out.appendTo(bucketKeyNotCell, bucketKeyIsNumber);
+ m_out.branch(isNotNumber(bucketKey),
+ unsure(loopAround), unsure(bucketKeyIsNumber));
+
+ m_out.appendTo(bucketKeyIsNumber, bothAreNumbers);
+ m_out.branch(isNotNumber(key),
+ unsure(loopAround), unsure(bothAreNumbers));
+
+ m_out.appendTo(bothAreNumbers, bucketKeyIsInt32);
+ m_out.branch(isNotInt32(bucketKey),
+ unsure(slowPath), unsure(bucketKeyIsInt32));
+
+ m_out.appendTo(bucketKeyIsInt32, loopAround);
+ m_out.branch(isNotInt32(key),
+ unsure(slowPath), unsure(loopAround));
+
+ m_out.appendTo(loopAround, slowPath);
+ m_out.addIncomingToPhi(unmaskedIndex, m_out.anchor(m_out.add(index, m_out.int32One)));
+ m_out.jump(loopStart);
+
+ m_out.appendTo(slowPath, notPresentInTable);
+ ValueFromBlock slowPathResult = m_out.anchor(vmCall(pointerType(),
+ m_out.operation(m_node->child1().useKind() == MapObjectUse ? operationJSMapFindBucket : operationJSSetFindBucket), m_callFrame, map, key, hash));
+ m_out.jump(continuation);
+
+ m_out.appendTo(notPresentInTable, continuation);
+ ValueFromBlock notPresentResult = m_out.anchor(m_out.constIntPtr(0));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ setMapBucket(m_out.phi(pointerType(), bucketResult, slowPathResult, notPresentResult));
+ }
+
+ void compileLoadFromJSMapBucket()
+ {
+ LValue mapBucket = lowMapBucket(m_node->child1());
+
+ LBasicBlock continuation = m_out.newBlock();
+ LBasicBlock hasBucket = m_out.newBlock();
+
+ ValueFromBlock noBucketResult = m_out.anchor(m_out.constInt64(JSValue::encode(jsUndefined())));
+
+ m_out.branch(m_out.equal(mapBucket, m_out.constIntPtr(0)),
+ unsure(continuation), unsure(hasBucket));
+
+ LBasicBlock lastNext = m_out.appendTo(hasBucket, continuation);
+ ValueFromBlock bucketResult = m_out.anchor(m_out.load64(mapBucket, m_heaps.HashMapBucket_value));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ setJSValue(m_out.phi(Int64, noBucketResult, bucketResult));
+ }
+
+ void compileIsNonEmptyMapBucket()
+ {
+ LValue bucket = lowMapBucket(m_node->child1());
+ LValue result = m_out.notEqual(bucket, m_out.constIntPtr(0));
+ setBoolean(result);
+ }
+
</ins><span class="cx"> void compileIsObjectOrNull()
</span><span class="cx"> {
</span><span class="cx"> JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
</span><span class="lines">@@ -9989,6 +10225,20 @@
</span><span class="cx"> speculateRegExpObject(edge, result);
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><ins>+
+ LValue lowMapObject(Edge edge)
+ {
+ LValue result = lowCell(edge);
+ speculateMapObject(edge, result);
+ return result;
+ }
+
+ LValue lowSetObject(Edge edge)
+ {
+ LValue result = lowCell(edge);
+ speculateSetObject(edge, result);
+ return result;
+ }
</ins><span class="cx">
</span><span class="cx"> LValue lowString(Edge edge, OperandSpeculationMode mode = AutomaticOperandSpeculation)
</span><span class="cx"> {
</span><span class="lines">@@ -10112,6 +10362,17 @@
</span><span class="cx"> setStorage(edge.node(), result);
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><ins>+
+ LValue lowMapBucket(Edge edge)
+ {
+ LoweredNodeValue value = m_mapBucketValues.get(edge.node());
+ if (isValid(value))
+ return value.value();
+
+ LValue result = lowCell(edge);
+ setStorage(edge.node(), result);
+ return result;
+ }
</ins><span class="cx">
</span><span class="cx"> LValue strictInt52ToInt32(Edge edge, LValue value)
</span><span class="cx"> {
</span><span class="lines">@@ -10415,6 +10676,12 @@
</span><span class="cx"> case RegExpObjectUse:
</span><span class="cx"> speculateRegExpObject(edge);
</span><span class="cx"> break;
</span><ins>+ case MapObjectUse:
+ speculateMapObject(edge);
+ break;
+ case SetObjectUse:
+ speculateSetObject(edge);
+ break;
</ins><span class="cx"> case StringUse:
</span><span class="cx"> speculateString(edge);
</span><span class="cx"> break;
</span><span class="lines">@@ -10743,6 +11010,28 @@
</span><span class="cx"> {
</span><span class="cx"> speculateRegExpObject(edge, lowCell(edge));
</span><span class="cx"> }
</span><ins>+
+ void speculateMapObject(Edge edge, LValue cell)
+ {
+ FTL_TYPE_CHECK(
+ jsValueValue(cell), edge, SpecMapObject, isNotType(cell, JSMapType));
+ }
+
+ void speculateMapObject(Edge edge)
+ {
+ speculateMapObject(edge, lowCell(edge));
+ }
+
+ void speculateSetObject(Edge edge, LValue cell)
+ {
+ FTL_TYPE_CHECK(
+ jsValueValue(cell), edge, SpecSetObject, isNotType(cell, JSSetType));
+ }
+
+ void speculateSetObject(Edge edge)
+ {
+ speculateSetObject(edge, lowCell(edge));
+ }
</ins><span class="cx">
</span><span class="cx"> void speculateString(Edge edge, LValue cell)
</span><span class="cx"> {
</span><span class="lines">@@ -11511,6 +11800,10 @@
</span><span class="cx"> {
</span><span class="cx"> m_storageValues.set(node, LoweredNodeValue(value, m_highBlock));
</span><span class="cx"> }
</span><ins>+ void setMapBucket(Node* node, LValue value)
+ {
+ m_mapBucketValues.set(node, LoweredNodeValue(value, m_highBlock));
+ }
</ins><span class="cx"> void setDouble(Node* node, LValue value)
</span><span class="cx"> {
</span><span class="cx"> m_doubleValues.set(node, LoweredNodeValue(value, m_highBlock));
</span><span class="lines">@@ -11544,6 +11837,10 @@
</span><span class="cx"> {
</span><span class="cx"> setStorage(m_node, value);
</span><span class="cx"> }
</span><ins>+ void setMapBucket(LValue value)
+ {
+ setMapBucket(m_node, value);
+ }
</ins><span class="cx"> void setDouble(LValue value)
</span><span class="cx"> {
</span><span class="cx"> setDouble(m_node, value);
</span><span class="lines">@@ -11727,6 +12024,7 @@
</span><span class="cx"> HashMap<Node*, LoweredNodeValue> m_jsValueValues;
</span><span class="cx"> HashMap<Node*, LoweredNodeValue> m_booleanValues;
</span><span class="cx"> HashMap<Node*, LoweredNodeValue> m_storageValues;
</span><ins>+ HashMap<Node*, LoweredNodeValue> m_mapBucketValues;
</ins><span class="cx"> HashMap<Node*, LoweredNodeValue> m_doubleValues;
</span><span class="cx">
</span><span class="cx"> // This is a bit of a hack. It prevents B3 from having to do CSE on loading of arguments.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCorejitAssemblyHelperscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/AssemblyHelpers.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/AssemblyHelpers.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/AssemblyHelpers.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -626,6 +626,52 @@
</span><span class="cx"> });
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+#if USE(JSVALUE64)
+void AssemblyHelpers::wangsInt64Hash(GPRReg inputAndResult, GPRReg scratch)
+{
+ GPRReg input = inputAndResult;
+ // key += ~(key << 32);
+ move(input, scratch);
+ lshift64(TrustedImm32(32), scratch);
+ not64(scratch);
+ add64(scratch, input);
+ // key ^= (key >> 22);
+ move(input, scratch);
+ urshift64(TrustedImm32(22), scratch);
+ xor64(scratch, input);
+ // key += ~(key << 13);
+ move(input, scratch);
+ lshift64(TrustedImm32(13), scratch);
+ not64(scratch);
+ add64(scratch, input);
+ // key ^= (key >> 8);
+ move(input, scratch);
+ urshift64(TrustedImm32(8), scratch);
+ xor64(scratch, input);
+ // key += (key << 3);
+ move(input, scratch);
+ lshift64(TrustedImm32(3), scratch);
+ add64(scratch, input);
+ // key ^= (key >> 15);
+ move(input, scratch);
+ urshift64(TrustedImm32(15), scratch);
+ xor64(scratch, input);
+ // key += ~(key << 27);
+ move(input, scratch);
+ lshift64(TrustedImm32(27), scratch);
+ not64(scratch);
+ add64(scratch, input);
+ // key ^= (key >> 31);
+ move(input, scratch);
+ urshift64(TrustedImm32(31), scratch);
+ xor64(scratch, input);
+
+ // return static_cast<unsigned>(result)
+ void* mask = bitwise_cast<void*>(static_cast<uintptr_t>(UINT_MAX));
+ and64(TrustedImmPtr(mask), inputAndResult);
+}
+#endif // USE(JSVALUE64)
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(JIT)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCorejitAssemblyHelpersh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/AssemblyHelpers.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/AssemblyHelpers.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/AssemblyHelpers.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -61,7 +61,7 @@
</span><span class="cx"> ASSERT(m_baselineCodeBlock->jitType() == JITCode::None || JITCode::isBaselineCode(m_baselineCodeBlock->jitType()));
</span><span class="cx"> }
</span><span class="cx"> }
</span><del>-
</del><ins>+
</ins><span class="cx"> CodeBlock* codeBlock() { return m_codeBlock; }
</span><span class="cx"> VM* vm() { return m_vm; }
</span><span class="cx"> AssemblerType_T& assembler() { return m_assembler; }
</span><span class="lines">@@ -1528,6 +1528,10 @@
</span><span class="cx"> emitAllocateJSObject<ClassType>(resultGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR1, scratchGPR2, slowPath);
</span><span class="cx"> storePtr(TrustedImmPtr(structure->classInfo()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
</span><span class="cx"> }
</span><ins>+
+#if USE(JSVALUE64)
+ void wangsInt64Hash(GPRReg inputAndResult, GPRReg scratch);
+#endif
</ins><span class="cx">
</span><span class="cx"> protected:
</span><span class="cx"> VM* m_vm;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/JITOperations.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/JITOperations.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jit/JITOperations.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -205,6 +205,7 @@
</span><span class="cx"> typedef JSCell* (JIT_OPERATION *C_JITOperation_EStZZ)(ExecState*, Structure*, int32_t, int32_t);
</span><span class="cx"> typedef JSCell* (JIT_OPERATION *C_JITOperation_EZ)(ExecState*, int32_t);
</span><span class="cx"> typedef JSCell* (JIT_OPERATION *C_JITOperation_EJscI)(ExecState*, JSScope*, UniquedStringImpl*);
</span><ins>+typedef JSCell* (JIT_OPERATION *C_JITOperation_ECJZ)(ExecState*, JSCell*, EncodedJSValue, int32_t);
</ins><span class="cx"> typedef double (JIT_OPERATION *D_JITOperation_D)(double);
</span><span class="cx"> typedef double (JIT_OPERATION *D_JITOperation_G)(JSGlobalObject*);
</span><span class="cx"> typedef double (JIT_OPERATION *D_JITOperation_DD)(double, double);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreparserModuleAnalyzercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/parser/ModuleAnalyzer.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/parser/ModuleAnalyzer.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/parser/ModuleAnalyzer.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -37,7 +37,7 @@
</span><span class="cx">
</span><span class="cx"> ModuleAnalyzer::ModuleAnalyzer(ExecState* exec, const Identifier& moduleKey, const SourceCode& sourceCode, const VariableEnvironment& declaredVariables, const VariableEnvironment& lexicalVariables)
</span><span class="cx"> : m_vm(&exec->vm())
</span><del>- , m_moduleRecord(exec->vm(), JSModuleRecord::create(exec->vm(), exec->lexicalGlobalObject()->moduleRecordStructure(), moduleKey, sourceCode, declaredVariables, lexicalVariables))
</del><ins>+ , m_moduleRecord(exec->vm(), JSModuleRecord::create(exec, exec->vm(), exec->lexicalGlobalObject()->moduleRecordStructure(), moduleKey, sourceCode, declaredVariables, lexicalVariables))
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeHashMapImplcpp"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/HashMapImpl.cpp (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/HashMapImpl.cpp (rev 0)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/HashMapImpl.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,93 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "HashMapImpl.h"
+
+#include "CopiedBlockInlines.h"
+#include "CopyVisitorInlines.h"
+
+namespace JSC {
+
+template<>
+const JS_EXPORTDATA ClassInfo HashMapBucket<HashMapBucketDataKey>::s_info =
+ { "HashMapBucket", nullptr, 0, CREATE_METHOD_TABLE(HashMapBucket<HashMapBucketDataKey>) };
+
+template<>
+const JS_EXPORTDATA ClassInfo HashMapBucket<HashMapBucketDataKeyValue>::s_info =
+ { "HashMapBucket", nullptr, 0, CREATE_METHOD_TABLE(HashMapBucket<HashMapBucketDataKeyValue>) };
+
+template <typename Data>
+void HashMapBucket<Data>::visitChildren(JSCell* cell, SlotVisitor& visitor)
+{
+ HashMapBucket* thisObject = jsCast<HashMapBucket*>(cell);
+ ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+ Base::visitChildren(thisObject, visitor);
+
+ visitor.append(&thisObject->m_next);
+ visitor.append(&thisObject->m_prev);
+
+ static_assert(sizeof(Data) % sizeof(WriteBarrier<Unknown>) == 0, "We assume that these are filled with WriteBarrier<Unknown> members only.");
+ visitor.appendValues(bitwise_cast<WriteBarrier<Unknown>*>(&thisObject->m_data), sizeof(Data) / sizeof(WriteBarrier<Unknown>));
+}
+
+template<>
+const JS_EXPORTDATA ClassInfo HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::s_info =
+ { "HashMapImpl", nullptr, 0, CREATE_METHOD_TABLE(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>) };
+
+template<>
+const JS_EXPORTDATA ClassInfo HashMapImpl<HashMapBucket<HashMapBucketDataKeyValue>>::s_info =
+ { "HashMapImpl", nullptr, 0, CREATE_METHOD_TABLE(HashMapImpl<HashMapBucket<HashMapBucketDataKeyValue>>) };
+
+template <typename HashMapBucket>
+void HashMapImpl<HashMapBucket>::visitChildren(JSCell* cell, SlotVisitor& visitor)
+{
+ HashMapImpl* thisObject = jsCast<HashMapImpl*>(cell);
+ ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+ Base::visitChildren(thisObject, visitor);
+
+ visitor.append(&thisObject->m_head);
+ visitor.append(&thisObject->m_tail);
+
+ visitor.copyLater(thisObject, MapBackingStoreCopyToken, thisObject->m_buffer.get(), thisObject->bufferSizeInBytes());
+}
+
+template <typename HashMapBucket>
+void HashMapImpl<HashMapBucket>::copyBackingStore(JSCell* cell, CopyVisitor& visitor, CopyToken token)
+{
+ Base::copyBackingStore(cell, visitor, token);
+
+ HashMapImpl* thisObject = jsCast<HashMapImpl*>(cell);
+ if (token == MapBackingStoreCopyToken && visitor.checkIfShouldCopy(thisObject->m_buffer.get())) {
+ HashMapBufferType* oldBuffer = thisObject->m_buffer.get();
+ size_t bufferSizeInBytes = thisObject->bufferSizeInBytes();
+ HashMapBufferType* newBuffer = static_cast<HashMapBufferType*>(visitor.allocateNewSpace(bufferSizeInBytes));
+ memcpy(newBuffer, oldBuffer, bufferSizeInBytes);
+ thisObject->m_buffer.setWithoutBarrier(newBuffer);
+ visitor.didCopy(oldBuffer, bufferSizeInBytes);
+ }
+}
+
+} // namespace JSC
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeHashMapImplh"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/HashMapImpl.h (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/HashMapImpl.h (rev 0)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/HashMapImpl.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,524 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "JSCInlines.h"
+#include "JSObject.h"
+
+namespace JSC {
+
+struct HashMapBucketDataKey {
+ WriteBarrier<Unknown> key;
+};
+
+struct HashMapBucketDataKeyValue {
+ WriteBarrier<Unknown> key;
+ WriteBarrier<Unknown> value;
+};
+
+template <typename Data>
+class HashMapBucket : public JSCell {
+ typedef JSCell Base;
+
+ template <typename T = Data>
+ static typename std::enable_if<std::is_same<T, HashMapBucketDataKey>::value, Structure*>::type selectStructure(VM& vm)
+ {
+ return vm.hashMapBucketSetStructure.get();
+ }
+
+ template <typename T = Data>
+ static typename std::enable_if<std::is_same<T, HashMapBucketDataKeyValue>::value, Structure*>::type selectStructure(VM& vm)
+ {
+ return vm.hashMapBucketMapStructure.get();
+ }
+
+public:
+ DECLARE_EXPORT_INFO;
+
+ static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+ {
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
+ }
+
+ static HashMapBucket* create(VM& vm)
+ {
+ HashMapBucket* bucket = new (NotNull, allocateCell<HashMapBucket<Data>>(vm.heap)) HashMapBucket(vm, selectStructure(vm));
+ bucket->finishCreation(vm);
+ ASSERT(!bucket->next());
+ ASSERT(!bucket->prev());
+ return bucket;
+ }
+
+ HashMapBucket(VM& vm, Structure* structure)
+ : Base(vm, structure)
+ { }
+
+ ALWAYS_INLINE void setNext(VM& vm, HashMapBucket* bucket)
+ {
+ m_next.set(vm, this, bucket);
+ }
+ ALWAYS_INLINE void setPrev(VM& vm, HashMapBucket* bucket)
+ {
+ m_prev.set(vm, this, bucket);
+ }
+
+ ALWAYS_INLINE void setKey(VM& vm, JSValue key)
+ {
+ m_data.key.set(vm, this, key);
+ }
+
+ template <typename T = Data>
+ ALWAYS_INLINE typename std::enable_if<std::is_same<T, HashMapBucketDataKeyValue>::value>::type setValue(VM& vm, JSValue value)
+ {
+ m_data.value.set(vm, this, value);
+ }
+ template <typename T = Data>
+ ALWAYS_INLINE typename std::enable_if<std::is_same<T, HashMapBucketDataKey>::value>::type setValue(VM&, JSValue) { }
+
+ ALWAYS_INLINE JSValue key() const { return m_data.key.get(); }
+
+ template <typename T = Data>
+ ALWAYS_INLINE typename std::enable_if<std::is_same<T, HashMapBucketDataKeyValue>::value, JSValue>::type value() const
+ {
+ return m_data.value.get();
+ }
+
+ static void visitChildren(JSCell*, SlotVisitor&);
+
+ ALWAYS_INLINE HashMapBucket* next() const { return m_next.get(); }
+ ALWAYS_INLINE HashMapBucket* prev() const { return m_prev.get(); }
+
+ ALWAYS_INLINE bool deleted() const { return m_deleted; }
+ ALWAYS_INLINE void setDeleted(bool deleted) { m_deleted = deleted; }
+
+ static ptrdiff_t offsetOfKey()
+ {
+ return OBJECT_OFFSETOF(HashMapBucket, m_data) + OBJECT_OFFSETOF(Data, key);
+ }
+
+ template <typename T = Data>
+ static typename std::enable_if<std::is_same<T, HashMapBucketDataKeyValue>::value, ptrdiff_t>::type offsetOfValue()
+ {
+ return OBJECT_OFFSETOF(HashMapBucket, m_data) + OBJECT_OFFSETOF(Data, value);
+ }
+
+private:
+ Data m_data;
+ WriteBarrier<HashMapBucket> m_next;
+ WriteBarrier<HashMapBucket> m_prev;
+ bool m_deleted { false };
+};
+
+template <typename BucketType>
+class HashMapBuffer {
+public:
+ HashMapBuffer() = delete;
+
+ static size_t allocationSize(uint32_t capacity)
+ {
+ return capacity * sizeof(BucketType*);
+ }
+
+ ALWAYS_INLINE BucketType** buffer() const
+ {
+ return bitwise_cast<BucketType**>(this);
+ }
+
+ static HashMapBuffer* create(ExecState* exec, VM& vm, JSCell* owner, uint32_t capacity)
+ {
+ auto scope = DECLARE_THROW_SCOPE(vm);
+ size_t allocationSize = HashMapBuffer::allocationSize(capacity);
+ void* data = nullptr;
+ DeferGCForAWhile defer(vm.heap);
+ if (!vm.heap.tryAllocateStorage(owner, allocationSize, &data)) {
+ throwOutOfMemoryError(exec, scope);
+ return nullptr;
+ }
+
+ HashMapBuffer* buffer = static_cast<HashMapBuffer*>(data);
+ memset(buffer, -1, allocationSize);
+ return buffer;
+ }
+};
+
+ALWAYS_INLINE static bool areKeysEqual(ExecState* exec, JSValue a, JSValue b)
+{
+ // We want +0 and -0 to be compared to true here. sameValue() itself doesn't
+ // guarantee that, however, we normalize all keys before comparing and storing
+ // them in the map. The normalization will convert -0.0 and 0.0 to the integer
+ // representation for 0.
+ return sameValue(exec, a, b);
+}
+
+ALWAYS_INLINE JSValue normalizeMapKey(JSValue key)
+{
+ if (!key.isNumber())
+ return key;
+
+ if (key.isInt32())
+ return key;
+
+ double d = key.asDouble();
+ if (std::isnan(d))
+ return key;
+
+ int i = static_cast<int>(d);
+ if (i == d) {
+ // When a key is -0, we convert it to positive zero.
+ // When a key is the double representation for an integer, we convert it to an integer.
+ return jsNumber(i);
+ }
+ // This means key is definitely not negative zero, and it's definitely not a double representation of an integer.
+ return key;
+}
+
+ALWAYS_INLINE uint32_t jsMapHash(ExecState* exec, VM& vm, JSValue value)
+{
+ ASSERT_WITH_MESSAGE(normalizeMapKey(value) == value, "We expect normalized values flowing into this function.");
+
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
+ if (value.isString()) {
+ JSString* string = asString(value);
+ const String& wtfString = string->value(exec);
+ if (UNLIKELY(scope.exception()))
+ return UINT_MAX;
+ return wtfString.impl()->hash();
+ }
+
+ auto wangsInt64Hash = [] (uint64_t key) -> uint32_t {
+ key += ~(key << 32);
+ key ^= (key >> 22);
+ key += ~(key << 13);
+ key ^= (key >> 8);
+ key += (key << 3);
+ key ^= (key >> 15);
+ key += ~(key << 27);
+ key ^= (key >> 31);
+ return static_cast<unsigned>(key);
+ };
+ uint64_t rawValue = JSValue::encode(value);
+ return wangsInt64Hash(rawValue);
+}
+
+template <typename HashMapBucketType>
+class HashMapImpl : public JSCell {
+ typedef JSCell Base;
+ typedef HashMapBuffer<HashMapBucketType> HashMapBufferType;
+
+ template <typename T = HashMapBucketType>
+ static typename std::enable_if<std::is_same<T, HashMapBucket<HashMapBucketDataKey>>::value, Structure*>::type selectStructure(VM& vm)
+ {
+ return vm.hashMapImplSetStructure.get();
+ }
+
+ template <typename T = HashMapBucketType>
+ static typename std::enable_if<std::is_same<T, HashMapBucket<HashMapBucketDataKeyValue>>::value, Structure*>::type selectStructure(VM& vm)
+ {
+ return vm.hashMapImplMapStructure.get();
+ }
+
+public:
+ DECLARE_EXPORT_INFO;
+
+ static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+ {
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
+ }
+
+ static HashMapImpl* create(ExecState* exec, VM& vm)
+ {
+ ASSERT_WITH_MESSAGE(HashMapBucket<HashMapBucketDataKey>::offsetOfKey() == HashMapBucket<HashMapBucketDataKeyValue>::offsetOfKey(), "We assume this to be true in the DFG and FTL JIT.");
+
+ HashMapImpl* impl = new (NotNull, allocateCell<HashMapImpl>(vm.heap)) HashMapImpl(vm, selectStructure(vm));
+ impl->finishCreation(exec, vm);
+ return impl;
+ }
+
+ static void visitChildren(JSCell*, SlotVisitor&);
+ static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
+
+ HashMapImpl(VM& vm, Structure* structure)
+ : Base(vm, structure)
+ , m_size(0)
+ , m_deleteCount(0)
+ , m_capacity(4)
+ {
+ }
+
+ ALWAYS_INLINE HashMapBucketType** buffer() const
+ {
+ return m_buffer.get()->buffer();
+ }
+
+ void finishCreation(ExecState* exec, VM& vm)
+ {
+ auto scope = DECLARE_THROW_SCOPE(vm);
+ Base::finishCreation(vm);
+
+ makeAndSetNewBuffer(exec, vm);
+ if (UNLIKELY(scope.exception()))
+ return;
+
+ m_head.set(vm, this, HashMapBucketType::create(vm));
+ m_tail.set(vm, this, HashMapBucketType::create(vm));
+
+ m_head->setNext(vm, m_tail.get());
+ m_tail->setPrev(vm, m_head.get());
+ m_head->setDeleted(true);
+ m_tail->setDeleted(true);
+
+ }
+
+ static HashMapBucketType* emptyValue()
+ {
+ return bitwise_cast<HashMapBucketType*>(static_cast<uintptr_t>(-1));
+ }
+
+ static ALWAYS_INLINE bool isEmpty(HashMapBucketType* bucket)
+ {
+ return bucket == emptyValue();
+ }
+
+ static HashMapBucketType* deletedValue()
+ {
+ return bitwise_cast<HashMapBucketType*>(static_cast<uintptr_t>(-3));
+ }
+
+ static ALWAYS_INLINE bool isDeleted(HashMapBucketType* bucket)
+ {
+ return bucket == deletedValue();
+ }
+
+ ALWAYS_INLINE HashMapBucketType** findBucket(ExecState* exec, JSValue key)
+ {
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+ key = normalizeMapKey(key);
+ uint32_t hash = jsMapHash(exec, vm, key);
+ if (UNLIKELY(scope.exception()))
+ return nullptr;
+ return findBucket(exec, key, hash);
+ }
+
+ ALWAYS_INLINE HashMapBucketType** findBucket(ExecState* exec, JSValue key, uint32_t hash)
+ {
+ ASSERT_WITH_MESSAGE(normalizeMapKey(key) == key, "We expect normalized values flowing into this function.");
+ return findBucketAlreadyHashedAndNormalized(exec, key, hash);
+ }
+
+ ALWAYS_INLINE JSValue get(ExecState* exec, JSValue key)
+ {
+ if (HashMapBucketType** bucket = findBucket(exec, key))
+ return (*bucket)->value();
+ return jsUndefined();
+ }
+
+ ALWAYS_INLINE bool has(ExecState* exec, JSValue key)
+ {
+ return !!findBucket(exec, key);
+ }
+
+ ALWAYS_INLINE void add(ExecState* exec, JSValue key, JSValue value = JSValue())
+ {
+ key = normalizeMapKey(key);
+
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
+ const uint32_t mask = m_capacity - 1;
+ uint32_t index = jsMapHash(exec, vm, key) & mask;
+ if (UNLIKELY(scope.exception()))
+ return;
+ HashMapBucketType** buffer = this->buffer();
+ HashMapBucketType* bucket = buffer[index];
+ while (!isEmpty(bucket)) {
+ if (!isDeleted(bucket) && areKeysEqual(exec, key, bucket->key())) {
+ bucket->setValue(vm, value);
+ return;
+ }
+ index = (index + 1) & mask;
+ bucket = buffer[index];
+ }
+
+ HashMapBucketType* newEntry = m_tail.get();
+ buffer[index] = newEntry;
+ newEntry->setKey(vm, key);
+ newEntry->setValue(vm, value);
+ newEntry->setDeleted(false);
+ HashMapBucketType* newTail = HashMapBucketType::create(vm);
+ m_tail.set(vm, this, newTail);
+ newTail->setPrev(vm, newEntry);
+ newTail->setDeleted(true);
+ newEntry->setNext(vm, newTail);
+ uint32_t newSize = ++m_size;
+ if (2*newSize > m_capacity)
+ rehash(exec);
+ }
+
+ ALWAYS_INLINE bool remove(ExecState* exec, JSValue key)
+ {
+ HashMapBucketType** bucket = findBucket(exec, key);
+ if (!bucket)
+ return false;
+
+ VM& vm = exec->vm();
+ HashMapBucketType* impl = *bucket;
+ impl->next()->setPrev(vm, impl->prev());
+ impl->prev()->setNext(vm, impl->next());
+ impl->setDeleted(true);
+
+ *bucket = deletedValue();
+
+ m_deleteCount++;
+
+ return true;
+ }
+
+ ALWAYS_INLINE uint32_t size() const
+ {
+ RELEASE_ASSERT(m_size >= m_deleteCount);
+ return m_size - m_deleteCount;
+ }
+
+ ALWAYS_INLINE void clear(ExecState* exec)
+ {
+ VM& vm = exec->vm();
+ m_size = 0;
+ m_deleteCount = 0;
+ HashMapBucketType* head = m_head.get();
+ HashMapBucketType* bucket = m_head->next();
+ HashMapBucketType* tail = m_tail.get();
+ while (bucket != tail) {
+ HashMapBucketType* next = bucket->next();
+ // We restart each iterator by pointing it to the head of the list.
+ bucket->setNext(vm, head);
+ bucket = next;
+ }
+ m_head->setNext(vm, m_tail.get());
+ m_tail->setPrev(vm, m_head.get());
+ m_capacity = 4;
+ makeAndSetNewBuffer(exec, vm);
+ }
+
+ ALWAYS_INLINE size_t bufferSizeInBytes() const
+ {
+ return m_capacity * sizeof(HashMapBucketType*);
+ }
+
+ static ptrdiff_t offsetOfBuffer()
+ {
+ return OBJECT_OFFSETOF(HashMapImpl<HashMapBucketType>, m_buffer);
+ }
+
+ static ptrdiff_t offsetOfCapacity()
+ {
+ return OBJECT_OFFSETOF(HashMapImpl<HashMapBucketType>, m_capacity);
+ }
+
+ HashMapBucketType* head() { return m_head.get(); }
+ HashMapBucketType* tail() { return m_tail.get(); }
+
+ size_t approximateSize() const
+ {
+ size_t size = sizeof(HashMapImpl);
+ size += bufferSizeInBytes();
+ size += 2 * sizeof(HashMapBucketType); // Head and tail members.
+ size += (m_deleteCount + m_size) * sizeof(HashMapBucketType); // Number of members on the list.
+ return size;
+ }
+
+private:
+ ALWAYS_INLINE HashMapBucketType** findBucketAlreadyHashedAndNormalized(ExecState* exec, JSValue key, uint32_t hash)
+ {
+ const uint32_t mask = m_capacity - 1;
+ uint32_t index = hash & mask;
+ HashMapBucketType** buffer = this->buffer();
+ HashMapBucketType* bucket = buffer[index];
+
+ while (!isEmpty(bucket)) {
+ if (!isDeleted(bucket) && areKeysEqual(exec, key, bucket->key()))
+ return buffer + index;
+ index = (index + 1) & mask;
+ bucket = buffer[index];
+ }
+ return nullptr;
+ }
+
+ void rehash(ExecState* exec)
+ {
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
+ m_capacity = m_capacity * 2;
+ makeAndSetNewBuffer(exec, vm);
+ if (UNLIKELY(scope.exception()))
+ return;
+
+ HashMapBucketType* iter = m_head->next();
+ HashMapBucketType* end = m_tail.get();
+ const uint32_t mask = m_capacity - 1;
+ RELEASE_ASSERT(!(m_capacity & (m_capacity - 1)));
+ HashMapBucketType** buffer = this->buffer();
+ while (iter != end) {
+ uint32_t index = jsMapHash(exec, vm, iter->key()) & mask;
+ ASSERT_WITH_MESSAGE(!scope.exception(), "All keys should already be hashed before, so this should not throw because it won't resolve ropes.");
+ {
+ HashMapBucketType* bucket = buffer[index];
+ while (!isEmpty(bucket)) {
+ index = (index + 1) & mask;
+ bucket = buffer[index];
+ }
+ }
+ buffer[index] = iter;
+ iter = iter->next();
+ }
+ }
+
+ void makeAndSetNewBuffer(ExecState* exec, VM& vm)
+ {
+ ASSERT(!(m_capacity & (m_capacity - 1)));
+
+ HashMapBufferType* buffer = HashMapBufferType::create(exec, vm, this, m_capacity);
+ if (UNLIKELY(!buffer))
+ return;
+
+ m_buffer.set(vm, this, buffer);
+ if (!ASSERT_DISABLED) {
+ for (unsigned i = 0; i < m_capacity; i++)
+ ASSERT(isEmpty(this->buffer()[i]));
+ }
+ }
+
+ WriteBarrier<HashMapBucketType> m_head;
+ WriteBarrier<HashMapBucketType> m_tail;
+ CopyBarrier<HashMapBufferType> m_buffer;
+ uint32_t m_size;
+ uint32_t m_deleteCount;
+ uint32_t m_capacity;
+};
+
+} // namespace JSC
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeIntrinsich"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/Intrinsic.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/Intrinsic.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/Intrinsic.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -62,6 +62,9 @@
</span><span class="cx"> IsRegExpObjectIntrinsic,
</span><span class="cx"> IsTypedArrayViewIntrinsic,
</span><span class="cx"> BoundThisNoArgsFunctionCallIntrinsic,
</span><ins>+ JSMapGetIntrinsic,
+ JSMapHasIntrinsic,
+ JSSetHasIntrinsic,
</ins><span class="cx">
</span><span class="cx"> // Getter intrinsics.
</span><span class="cx"> TypedArrayLengthIntrinsic,
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSCJSValueh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSCJSValue.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSCJSValue.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSCJSValue.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -606,6 +606,9 @@
</span><span class="cx">
</span><span class="cx"> bool isThisValueAltered(const PutPropertySlot&, JSObject* baseObject);
</span><span class="cx">
</span><ins>+// See section 7.2.9: https://tc39.github.io/ecma262/#sec-samevalue
+bool sameValue(ExecState*, JSValue a, JSValue b);
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx">
</span><span class="cx"> #endif // JSCJSValue_h
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSCJSValueInlinesh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSCJSValueInlines.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSCJSValueInlines.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSCJSValueInlines.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1058,6 +1058,22 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+// See section 7.2.9: https://tc39.github.io/ecma262/#sec-samevalue
+ALWAYS_INLINE bool sameValue(ExecState* exec, JSValue a, JSValue b)
+{
+ if (!a.isNumber())
+ return JSValue::strictEqual(exec, a, b);
+ if (!b.isNumber())
+ return false;
+ double x = a.asNumber();
+ double y = b.asNumber();
+ bool xIsNaN = std::isnan(x);
+ bool yIsNaN = std::isnan(y);
+ if (xIsNaN || yIsNaN)
+ return xIsNaN && yIsNaN;
+ return bitwise_cast<uint64_t>(x) == bitwise_cast<uint64_t>(y);
+}
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx">
</span><span class="cx"> #endif // JSValueInlines_h
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -641,7 +641,7 @@
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->Reflect, reflectObject, DontEnum);
</span><span class="cx">
</span><span class="cx"> m_moduleLoaderStructure.set(vm, this, JSModuleLoader::createStructure(vm, this, m_moduleLoaderPrototype.get()));
</span><del>- m_moduleLoader.set(vm, this, JSModuleLoader::create(vm, this, m_moduleLoaderStructure.get()));
</del><ins>+ m_moduleLoader.set(vm, this, JSModuleLoader::create(globalExec(), vm, this, m_moduleLoaderStructure.get()));
</ins><span class="cx"> if (Options::exposeInternalModuleLoader())
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->Loader, m_moduleLoader.get(), DontEnum);
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSMapcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMap.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMap.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMap.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,78 +26,15 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "JSMap.h"
</span><span class="cx">
</span><del>-#include "CopiedBlockInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSMapIterator.h"
-#include "MapDataInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
</del><ins>+#include "JSCInlines.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> const ClassInfo JSMap::s_info = { "Map", &Base::s_info, 0, CREATE_METHOD_TABLE(JSMap) };
</span><span class="cx">
</span><del>-void JSMap::destroy(JSCell* cell)
-{
- JSMap* thisObject = jsCast<JSMap*>(cell);
- thisObject->JSMap::~JSMap();
-}
-
-size_t JSMap::estimatedSize(JSCell* cell)
-{
- JSMap* thisObject = jsCast<JSMap*>(cell);
- size_t mapDataSize = thisObject->m_mapData.capacityInBytes();
- return Base::estimatedSize(cell) + mapDataSize;
-}
-
</del><span class="cx"> String JSMap::toStringName(const JSObject*, ExecState*)
</span><span class="cx"> {
</span><span class="cx"> return ASCIILiteral("Object");
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JSMap::visitChildren(JSCell* cell, SlotVisitor& visitor)
-{
- Base::visitChildren(cell, visitor);
- jsCast<JSMap*>(cell)->m_mapData.visitChildren(cell, visitor);
</del><span class="cx"> }
</span><del>-
-void JSMap::copyBackingStore(JSCell* cell, CopyVisitor& visitor, CopyToken token)
-{
- Base::copyBackingStore(cell, visitor, token);
- jsCast<JSMap*>(cell)->m_mapData.copyBackingStore(visitor, token);
-}
-
-bool JSMap::has(ExecState* exec, JSValue key)
-{
- return m_mapData.contains(exec, key);
-}
-
-size_t JSMap::size(ExecState* exec)
-{
- return m_mapData.size(exec);
-}
-
-JSValue JSMap::get(ExecState* exec, JSValue key)
-{
- JSValue result = m_mapData.get(exec, key);
- if (!result)
- return jsUndefined();
- return result;
-}
-
-void JSMap::set(ExecState* exec, JSValue key, JSValue value)
-{
- m_mapData.set(exec, this, key, value);
-}
-
-void JSMap::clear(ExecState*)
-{
- m_mapData.clear();
-}
-
-bool JSMap::remove(ExecState* exec, JSValue key)
-{
- return m_mapData.remove(exec, key);
-}
-
-}
</del></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSMaph"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMap.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMap.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMap.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,108 +26,49 @@
</span><span class="cx"> #ifndef JSMap_h
</span><span class="cx"> #define JSMap_h
</span><span class="cx">
</span><del>-#include "JSDestructibleObject.h"
</del><span class="cx"> #include "JSObject.h"
</span><del>-#include "MapData.h"
</del><ins>+#include "MapBase.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> class JSMapIterator;
</span><span class="cx">
</span><del>-class JSMap : public JSDestructibleObject {
</del><ins>+class JSMap : public MapBase<HashMapBucket<HashMapBucketDataKeyValue>> {
+ typedef MapBase<HashMapBucket<HashMapBucketDataKeyValue>> Base;
</ins><span class="cx"> public:
</span><del>- typedef JSDestructibleObject Base;
-
</del><span class="cx"> friend class JSMapIterator;
</span><span class="cx">
</span><del>- // Our marking functions expect Entry to maintain this layout, and have all
- // fields be WriteBarrier<Unknown>
- class Entry {
- private:
- WriteBarrier<Unknown> m_key;
- WriteBarrier<Unknown> m_value;
-
- public:
- const WriteBarrier<Unknown>& key() const
- {
- return m_key;
- }
-
- const WriteBarrier<Unknown>& value() const
- {
- return m_value;
- }
-
- void visitChildren(SlotVisitor& visitor)
- {
- visitor.append(&m_key);
- visitor.append(&m_value);
- }
-
- void setKey(VM& vm, const JSCell* owner, JSValue key)
- {
- m_key.set(vm, owner, key);
- }
-
- void setKeyWithoutWriteBarrier(JSValue key)
- {
- m_key.setWithoutWriteBarrier(key);
- }
-
- void setValue(VM& vm, const JSCell* owner, JSValue value)
- {
- m_value.set(vm, owner, value);
- }
-
- void clear()
- {
- m_key.clear();
- m_value.clear();
- }
- };
-
- typedef MapDataImpl<Entry, JSMapIterator> MapData;
-
</del><span class="cx"> DECLARE_EXPORT_INFO;
</span><span class="cx">
</span><span class="cx"> static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
</span><span class="cx"> {
</span><del>- return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
</del><ins>+ return Structure::create(vm, globalObject, prototype, TypeInfo(JSMapType, StructureFlags), info());
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- static JSMap* create(VM& vm, Structure* structure)
</del><ins>+ static JSMap* create(ExecState* exec, VM& vm, Structure* structure)
</ins><span class="cx"> {
</span><span class="cx"> JSMap* instance = new (NotNull, allocateCell<JSMap>(vm.heap)) JSMap(vm, structure);
</span><del>- instance->finishCreation(vm);
</del><ins>+ instance->finishCreation(exec, vm);
</ins><span class="cx"> return instance;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- static JSMap* create(ExecState* exec, Structure* structure)
</del><ins>+ ALWAYS_INLINE JSValue get(ExecState* exec, JSValue key)
</ins><span class="cx"> {
</span><del>- return create(exec->vm(), structure);
</del><ins>+ return m_map->get(exec, key);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- bool has(ExecState*, JSValue);
- size_t size(ExecState*);
- JSValue get(ExecState*, JSValue);
- JS_EXPORT_PRIVATE void set(ExecState*, JSValue key, JSValue value);
- void clear(ExecState*);
- bool remove(ExecState*, JSValue);
</del><ins>+ ALWAYS_INLINE void set(ExecState* exec, JSValue key, JSValue value)
+ {
+ m_map->add(exec, key, value);
+ }
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> JSMap(VM& vm, Structure* structure)
</span><span class="cx"> : Base(vm, structure)
</span><del>- , m_mapData(vm, this)
</del><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>- static void destroy(JSCell*);
- static size_t estimatedSize(JSCell*);
- static void visitChildren(JSCell*, SlotVisitor&);
- static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
</del><span class="cx"> static String toStringName(const JSObject*, ExecState*);
</span><del>-
- MapData m_mapData;
</del><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSMapIteratorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMapIterator.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMapIterator.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMapIterator.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx"> {
</span><span class="cx"> Base::finishCreation(vm);
</span><span class="cx"> m_map.set(vm, this, iteratedObject);
</span><ins>+ setIterator(vm, m_map->impl()->head());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JSMapIterator::visitChildren(JSCell* cell, SlotVisitor& visitor)
</span><span class="lines">@@ -46,6 +47,7 @@
</span><span class="cx"> ASSERT_GC_OBJECT_INHERITS(thisObject, info());
</span><span class="cx"> Base::visitChildren(thisObject, visitor);
</span><span class="cx"> visitor.append(&thisObject->m_map);
</span><ins>+ visitor.append(&thisObject->m_iter);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSValue JSMapIterator::createPair(CallFrame* callFrame, JSValue key, JSValue value)
</span><span class="lines">@@ -59,8 +61,9 @@
</span><span class="cx">
</span><span class="cx"> JSMapIterator* JSMapIterator::clone(ExecState* exec)
</span><span class="cx"> {
</span><del>- auto clone = JSMapIterator::create(exec->vm(), exec->callee()->globalObject()->mapIteratorStructure(), m_map.get(), m_kind);
- clone->m_iterator = m_iterator;
</del><ins>+ VM& vm = exec->vm();
+ auto clone = JSMapIterator::create(vm, exec->callee()->globalObject()->mapIteratorStructure(), m_map.get(), m_kind);
+ clone->setIterator(vm, m_iter.get());
</ins><span class="cx"> return clone;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSMapIteratorh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMapIterator.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMapIterator.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMapIterator.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple, Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -34,6 +34,7 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> class JSMapIterator : public JSNonFinalObject {
</span><ins>+ typedef HashMapBucket<HashMapBucketDataKeyValue> HashMapBucketType;
</ins><span class="cx"> public:
</span><span class="cx"> typedef JSNonFinalObject Base;
</span><span class="cx">
</span><span class="lines">@@ -51,52 +52,62 @@
</span><span class="cx"> return instance;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool next(CallFrame* callFrame, JSValue& value)
</del><ins>+ ALWAYS_INLINE HashMapBucketType* advanceIter(ExecState* exec)
</ins><span class="cx"> {
</span><del>- WTF::KeyValuePair<JSValue, JSValue> pair;
- if (!m_iterator.next(pair))
</del><ins>+ HashMapBucketType* prev = m_iter.get();
+ if (!prev)
+ return nullptr;
+ HashMapBucketType* bucket = m_iter->next();
+ while (bucket && bucket->deleted()) {
+ prev = bucket;
+ bucket = bucket->next();
+ }
+ if (!bucket) {
+ setIterator(exec->vm(), nullptr);
+ return nullptr;
+ }
+ setIterator(exec->vm(), bucket); // We keep m_iter on the last value since the first thing we do in this function is call next().
+ return bucket;
+ }
+ bool next(ExecState* exec, JSValue& value)
+ {
+ HashMapBucketType* bucket = advanceIter(exec);
+ if (!bucket)
</ins><span class="cx"> return false;
</span><span class="cx">
</span><span class="cx"> if (m_kind == IterateValue)
</span><del>- value = pair.value;
</del><ins>+ value = bucket->value();
</ins><span class="cx"> else if (m_kind == IterateKey)
</span><del>- value = pair.key;
</del><ins>+ value = bucket->key();
</ins><span class="cx"> else
</span><del>- value = createPair(callFrame, pair.key, pair.value);
</del><ins>+ value = createPair(exec, bucket->key(), bucket->value());
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool nextKeyValue(JSValue& key, JSValue& value)
</del><ins>+ bool nextKeyValue(ExecState* exec, JSValue& key, JSValue& value)
</ins><span class="cx"> {
</span><del>- WTF::KeyValuePair<JSValue, JSValue> pair;
- if (!m_iterator.next(pair))
</del><ins>+ HashMapBucketType* bucket = advanceIter(exec);
+ if (!bucket)
</ins><span class="cx"> return false;
</span><span class="cx">
</span><del>- key = pair.key;
- value = pair.value;
</del><ins>+ key = bucket->key();
+ value = bucket->value();
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void finish()
- {
- m_iterator.finish();
- }
-
</del><span class="cx"> IterationKind kind() const { return m_kind; }
</span><span class="cx"> JSValue iteratedValue() const { return m_map.get(); }
</span><span class="cx"> JSMapIterator* clone(ExecState*);
</span><span class="cx">
</span><del>- JSMap::MapData::IteratorData* iteratorData()
- {
- return &m_iterator;
- }
-
</del><span class="cx"> private:
</span><del>- JSMapIterator(VM& vm, Structure* structure, JSMap* iteratedObject, IterationKind kind)
</del><ins>+ JSMapIterator(VM& vm, Structure* structure, JSMap*, IterationKind kind)
</ins><span class="cx"> : Base(vm, structure)
</span><del>- , m_iterator(iteratedObject->m_mapData.createIteratorData(this))
</del><span class="cx"> , m_kind(kind)
</span><ins>+ { }
+
+ void setIterator(VM& vm, HashMapBucketType* bucket)
</ins><span class="cx"> {
</span><ins>+ m_iter.setMayBeNull(vm, this, bucket);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE void finishCreation(VM&, JSMap*);
</span><span class="lines">@@ -104,7 +115,7 @@
</span><span class="cx"> static void visitChildren(JSCell*, SlotVisitor&);
</span><span class="cx">
</span><span class="cx"> WriteBarrier<JSMap> m_map;
</span><del>- JSMap::MapData::IteratorData m_iterator;
</del><ins>+ WriteBarrier<HashMapBucketType> m_iter;
</ins><span class="cx"> IterationKind m_kind;
</span><span class="cx"> };
</span><span class="cx"> STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSMapIterator);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSModuleLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleLoader.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleLoader.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleLoader.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -55,11 +55,14 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JSModuleLoader::finishCreation(VM& vm, JSGlobalObject* globalObject)
</del><ins>+void JSModuleLoader::finishCreation(ExecState* exec, VM& vm, JSGlobalObject* globalObject)
</ins><span class="cx"> {
</span><span class="cx"> Base::finishCreation(vm);
</span><span class="cx"> ASSERT(inherits(info()));
</span><del>- putDirect(vm, Identifier::fromString(&vm, "registry"), JSMap::create(vm, globalObject->mapStructure()));
</del><ins>+ auto scope = DECLARE_THROW_SCOPE(vm);
+ JSMap* map = JSMap::create(exec, vm, globalObject->mapStructure());
+ RELEASE_ASSERT(!scope.exception());
+ putDirect(vm, Identifier::fromString(&vm, "registry"), map);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // ------------------------------ Functions --------------------------------
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSModuleLoaderh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleLoader.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleLoader.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleLoader.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -47,10 +47,10 @@
</span><span class="cx"> Ready = 6,
</span><span class="cx"> };
</span><span class="cx">
</span><del>- static JSModuleLoader* create(VM& vm, JSGlobalObject* globalObject, Structure* structure)
</del><ins>+ static JSModuleLoader* create(ExecState* exec, VM& vm, JSGlobalObject* globalObject, Structure* structure)
</ins><span class="cx"> {
</span><span class="cx"> JSModuleLoader* object = new (NotNull, allocateCell<JSModuleLoader>(vm.heap)) JSModuleLoader(vm, structure);
</span><del>- object->finishCreation(vm, globalObject);
</del><ins>+ object->finishCreation(exec, vm, globalObject);
</ins><span class="cx"> return object;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -77,7 +77,7 @@
</span><span class="cx"> JSValue evaluate(ExecState*, JSValue key, JSValue moduleRecord, JSValue initiator);
</span><span class="cx">
</span><span class="cx"> protected:
</span><del>- void finishCreation(VM&, JSGlobalObject*);
</del><ins>+ void finishCreation(ExecState*, VM&, JSGlobalObject*);
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleRecord.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleRecord.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleRecord.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -44,7 +44,7 @@
</span><span class="cx"> thisObject->JSModuleRecord::~JSModuleRecord();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JSModuleRecord::finishCreation(VM& vm)
</del><ins>+void JSModuleRecord::finishCreation(ExecState* exec, VM& vm)
</ins><span class="cx"> {
</span><span class="cx"> Base::finishCreation(vm);
</span><span class="cx"> ASSERT(inherits(info()));
</span><span class="lines">@@ -51,7 +51,10 @@
</span><span class="cx"> putDirect(vm, Identifier::fromString(&vm, ASCIILiteral("registryEntry")), jsUndefined());
</span><span class="cx"> putDirect(vm, Identifier::fromString(&vm, ASCIILiteral("evaluated")), jsBoolean(false));
</span><span class="cx">
</span><del>- m_dependenciesMap.set(vm, this, JSMap::create(vm, globalObject()->mapStructure()));
</del><ins>+ auto scope = DECLARE_THROW_SCOPE(vm);
+ JSMap* map = JSMap::create(exec, vm, globalObject()->mapStructure());
+ RELEASE_ASSERT(!scope.exception());
+ m_dependenciesMap.set(vm, this, map);
</ins><span class="cx"> putDirect(vm, Identifier::fromString(&vm, ASCIILiteral("dependenciesMap")), m_dependenciesMap.get());
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSModuleRecordh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleRecord.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleRecord.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSModuleRecord.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -87,10 +87,10 @@
</span><span class="cx"> return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
</span><span class="cx"> }
</span><span class="cx">
</span><del>- static JSModuleRecord* create(VM& vm, Structure* structure, const Identifier& moduleKey, const SourceCode& sourceCode, const VariableEnvironment& declaredVariables, const VariableEnvironment& lexicalVariables)
</del><ins>+ static JSModuleRecord* create(ExecState* exec, VM& vm, Structure* structure, const Identifier& moduleKey, const SourceCode& sourceCode, const VariableEnvironment& declaredVariables, const VariableEnvironment& lexicalVariables)
</ins><span class="cx"> {
</span><span class="cx"> JSModuleRecord* instance = new (NotNull, allocateCell<JSModuleRecord>(vm.heap)) JSModuleRecord(vm, structure, moduleKey, sourceCode, declaredVariables, lexicalVariables);
</span><del>- instance->finishCreation(vm);
</del><ins>+ instance->finishCreation(exec, vm);
</ins><span class="cx"> return instance;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -152,7 +152,7 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void finishCreation(VM&);
</del><ins>+ void finishCreation(ExecState*, VM&);
</ins><span class="cx">
</span><span class="cx"> JSModuleNamespaceObject* getModuleNamespace(ExecState*);
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSSetcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSet.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSet.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSet.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,70 +26,15 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "JSSet.h"
</span><span class="cx">
</span><del>-#include "CopiedBlockInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSSetIterator.h"
-#include "MapDataInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
</del><ins>+#include "JSCInlines.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> const ClassInfo JSSet::s_info = { "Set", &Base::s_info, 0, CREATE_METHOD_TABLE(JSSet) };
</span><span class="cx">
</span><del>-void JSSet::destroy(JSCell* cell)
-{
- JSSet* thisObject = jsCast<JSSet*>(cell);
- thisObject->JSSet::~JSSet();
-}
-
</del><span class="cx"> String JSSet::toStringName(const JSObject*, ExecState*)
</span><span class="cx"> {
</span><span class="cx"> return ASCIILiteral("Object");
</span><span class="cx"> }
</span><span class="cx">
</span><del>-size_t JSSet::estimatedSize(JSCell* cell)
-{
- JSSet* thisObject = jsCast<JSSet*>(cell);
- size_t setDataSize = thisObject->m_setData.capacityInBytes();
- return Base::estimatedSize(cell) + setDataSize;
</del><span class="cx"> }
</span><del>-
-void JSSet::visitChildren(JSCell* cell, SlotVisitor& visitor)
-{
- Base::visitChildren(cell, visitor);
- jsCast<JSSet*>(cell)->m_setData.visitChildren(cell, visitor);
-}
-
-void JSSet::copyBackingStore(JSCell* cell, CopyVisitor& visitor, CopyToken token)
-{
- Base::copyBackingStore(cell, visitor, token);
- jsCast<JSSet*>(cell)->m_setData.copyBackingStore(visitor, token);
-}
-
-bool JSSet::has(ExecState* exec, JSValue value)
-{
- return m_setData.contains(exec, value);
-}
-
-size_t JSSet::size(ExecState* exec)
-{
- return m_setData.size(exec);
-}
-
-void JSSet::add(ExecState* exec, JSValue value)
-{
- m_setData.set(exec, this, value, value);
-}
-
-void JSSet::clear(ExecState*)
-{
- m_setData.clear();
-}
-
-bool JSSet::remove(ExecState* exec, JSValue value)
-{
- return m_setData.remove(exec, value);
-}
-
-}
</del></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSSeth"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSet.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSet.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSet.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,103 +26,45 @@
</span><span class="cx"> #ifndef JSSet_h
</span><span class="cx"> #define JSSet_h
</span><span class="cx">
</span><del>-#include "JSDestructibleObject.h"
</del><span class="cx"> #include "JSObject.h"
</span><del>-#include "MapData.h"
</del><ins>+#include "MapBase.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> class JSSetIterator;
</span><span class="cx">
</span><del>-class JSSet : public JSDestructibleObject {
</del><ins>+class JSSet : public MapBase<HashMapBucket<HashMapBucketDataKey>> {
+ typedef MapBase<HashMapBucket<HashMapBucketDataKey>> Base;
</ins><span class="cx"> public:
</span><del>- typedef JSDestructibleObject Base;
</del><span class="cx">
</span><span class="cx"> friend class JSSetIterator;
</span><span class="cx">
</span><del>- // Our marking functions expect Entry to maintain this layout, and have all
- // fields be WriteBarrier<Unknown>
- class Entry {
- private:
- WriteBarrier<Unknown> m_key;
-
- public:
- const WriteBarrier<Unknown>& key() const
- {
- return m_key;
- }
-
- const WriteBarrier<Unknown>& value() const
- {
- return m_key;
- }
-
- void visitChildren(SlotVisitor& visitor)
- {
- visitor.append(&m_key);
- }
-
- void setKey(VM& vm, const JSCell* owner, JSValue key)
- {
- m_key.set(vm, owner, key);
- }
-
- void setKeyWithoutWriteBarrier(JSValue key)
- {
- m_key.setWithoutWriteBarrier(key);
- }
-
- void setValue(VM&, const JSCell*, JSValue)
- {
- }
-
- void clear()
- {
- m_key.clear();
- }
- };
-
- typedef MapDataImpl<Entry, JSSetIterator> SetData;
-
</del><span class="cx"> DECLARE_EXPORT_INFO;
</span><span class="cx">
</span><span class="cx"> static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
</span><span class="cx"> {
</span><del>- return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
</del><ins>+ return Structure::create(vm, globalObject, prototype, TypeInfo(JSSetType, StructureFlags), info());
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- static JSSet* create(VM& vm, Structure* structure)
</del><ins>+ static JSSet* create(ExecState* exec, VM& vm, Structure* structure)
</ins><span class="cx"> {
</span><span class="cx"> JSSet* instance = new (NotNull, allocateCell<JSSet>(vm.heap)) JSSet(vm, structure);
</span><del>- instance->finishCreation(vm);
</del><ins>+ instance->finishCreation(exec, vm);
</ins><span class="cx"> return instance;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- static JSSet* create(ExecState* exec, Structure* structure)
</del><ins>+ ALWAYS_INLINE void add(ExecState* exec, JSValue key)
</ins><span class="cx"> {
</span><del>- return create(exec->vm(), structure);
</del><ins>+ m_map->add(exec, key);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- bool has(ExecState*, JSValue);
- size_t size(ExecState*);
- JS_EXPORT_PRIVATE void add(ExecState*, JSValue);
- void clear(ExecState*);
- bool remove(ExecState*, JSValue);
-
</del><span class="cx"> private:
</span><span class="cx"> JSSet(VM& vm, Structure* structure)
</span><span class="cx"> : Base(vm, structure)
</span><del>- , m_setData(vm, this)
</del><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>- static void destroy(JSCell*);
- static size_t estimatedSize(JSCell*);
- static void visitChildren(JSCell*, SlotVisitor&);
- static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
</del><span class="cx"> static String toStringName(const JSObject*, ExecState*);
</span><del>-
- SetData m_setData;
</del><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSSetIteratorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSetIterator.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSetIterator.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSetIterator.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx"> {
</span><span class="cx"> Base::finishCreation(vm);
</span><span class="cx"> m_set.set(vm, this, iteratedObject);
</span><ins>+ setIterator(vm, m_set->impl()->head());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JSSetIterator::visitChildren(JSCell* cell, SlotVisitor& visitor)
</span><span class="lines">@@ -46,6 +47,7 @@
</span><span class="cx"> ASSERT_GC_OBJECT_INHERITS(thisObject, info());
</span><span class="cx"> Base::visitChildren(thisObject, visitor);
</span><span class="cx"> visitor.append(&thisObject->m_set);
</span><ins>+ visitor.append(&thisObject->m_iter);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSValue JSSetIterator::createPair(CallFrame* callFrame, JSValue key, JSValue value)
</span><span class="lines">@@ -59,8 +61,9 @@
</span><span class="cx">
</span><span class="cx"> JSSetIterator* JSSetIterator::clone(ExecState* exec)
</span><span class="cx"> {
</span><del>- auto clone = JSSetIterator::create(exec->vm(), exec->callee()->globalObject()->setIteratorStructure(), m_set.get(), m_kind);
- clone->m_iterator = m_iterator;
</del><ins>+ VM& vm = exec->vm();
+ auto clone = JSSetIterator::create(vm, exec->callee()->globalObject()->setIteratorStructure(), m_set.get(), m_kind);
+ clone->setIterator(vm, m_iter.get());
</ins><span class="cx"> return clone;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSSetIteratorh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSetIterator.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSetIterator.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSSetIterator.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple, Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -35,6 +35,7 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> class JSSetIterator : public JSNonFinalObject {
</span><ins>+ typedef HashMapBucket<HashMapBucketDataKey> HashMapBucketType;
</ins><span class="cx"> public:
</span><span class="cx"> typedef JSNonFinalObject Base;
</span><span class="cx">
</span><span class="lines">@@ -52,46 +53,59 @@
</span><span class="cx"> return instance;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool next(CallFrame* callFrame, JSValue& value)
</del><ins>+ ALWAYS_INLINE HashMapBucketType* advanceIter(ExecState* exec)
</ins><span class="cx"> {
</span><del>- WTF::KeyValuePair<JSValue, JSValue> pair;
- if (!m_iterator.next(pair))
</del><ins>+ HashMapBucketType* prev = m_iter.get();
+ if (!prev)
+ return nullptr;
+ HashMapBucketType* bucket = m_iter->next();
+ while (bucket && bucket->deleted()) {
+ prev = bucket;
+ bucket = bucket->next();
+ }
+ if (!bucket) {
+ setIterator(exec->vm(), nullptr);
+ return nullptr;
+ }
+ setIterator(exec->vm(), bucket); // We keep m_iter on the last value since the first thing we do in this function is call next().
+ return bucket;
+ }
+
+ bool next(ExecState* exec, JSValue& value)
+ {
+ HashMapBucketType* bucket = advanceIter(exec);
+ if (!bucket)
</ins><span class="cx"> return false;
</span><ins>+
</ins><span class="cx"> if (m_kind == IterateValue || m_kind == IterateKey)
</span><del>- value = pair.key;
</del><ins>+ value = bucket->key();
</ins><span class="cx"> else
</span><del>- value = createPair(callFrame, pair.key, pair.key);
</del><ins>+ value = createPair(exec, bucket->key(), bucket->key());
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void finish()
- {
- m_iterator.finish();
- }
-
</del><span class="cx"> IterationKind kind() const { return m_kind; }
</span><span class="cx"> JSValue iteratedValue() const { return m_set.get(); }
</span><span class="cx"> JSSetIterator* clone(ExecState*);
</span><span class="cx">
</span><del>- JSSet::SetData::IteratorData* iteratorData()
- {
- return &m_iterator;
- }
-
</del><span class="cx"> private:
</span><del>- JSSetIterator(VM& vm, Structure* structure, JSSet* iteratedObject, IterationKind kind)
</del><ins>+ JSSetIterator(VM& vm, Structure* structure, JSSet*, IterationKind kind)
</ins><span class="cx"> : Base(vm, structure)
</span><del>- , m_iterator(iteratedObject->m_setData.createIteratorData(this))
</del><span class="cx"> , m_kind(kind)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ void setIterator(VM& vm, HashMapBucketType* bucket)
+ {
+ m_iter.setMayBeNull(vm, this, bucket);
+ }
+
</ins><span class="cx"> JS_EXPORT_PRIVATE void finishCreation(VM&, JSSet*);
</span><span class="cx"> JS_EXPORT_PRIVATE JSValue createPair(CallFrame*, JSValue, JSValue);
</span><span class="cx"> static void visitChildren(JSCell*, SlotVisitor&);
</span><span class="cx">
</span><span class="cx"> WriteBarrier<JSSet> m_set;
</span><del>- JSSet::SetData::IteratorData m_iterator;
</del><ins>+ WriteBarrier<HashMapBucketType> m_iter;
</ins><span class="cx"> IterationKind m_kind;
</span><span class="cx"> };
</span><span class="cx"> STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSSetIterator);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSTypeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSType.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSType.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSType.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -82,8 +82,10 @@
</span><span class="cx"> ModuleEnvironmentType,
</span><span class="cx"> RegExpObjectType,
</span><span class="cx"> ProxyObjectType,
</span><ins>+ JSMapType,
+ JSSetType,
</ins><span class="cx">
</span><del>- LastJSCObjectType = ProxyObjectType,
</del><ins>+ LastJSCObjectType = JSSetType,
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> COMPILE_ASSERT(sizeof(JSType) == sizeof(uint8_t), sizeof_jstype_is_one_byte);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapBasecppfromrev205728releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeJSMapIteratorcpp"></a>
<div class="copfile"><h4>Copied: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapBase.cpp (from rev 205728, releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/JSMapIterator.cpp) (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapBase.cpp (rev 0)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapBase.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,50 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "MapBase.h"
+
+#include "SlotVisitorInlines.h"
+
+namespace JSC {
+
+template <typename HashMapBucketType>
+void MapBase<HashMapBucketType>::visitChildren(JSCell* cell, SlotVisitor& visitor)
+{
+ MapBase* thisObject = static_cast<MapBase*>(cell);
+ Base::visitChildren(thisObject, visitor);
+ visitor.append(&thisObject->m_map);
+}
+
+template <typename HashMapBucketType>
+size_t MapBase<HashMapBucketType>::estimatedSize(JSCell* cell)
+{
+ return Base::estimatedSize(cell) + static_cast<MapBase*>(cell)->m_map->approximateSize();
+}
+
+template class MapBase<HashMapBucket<HashMapBucketDataKeyValue>>;
+template class MapBase<HashMapBucket<HashMapBucketDataKey>>;
+
+} // namespace JSC
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapBaseh"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapBase.h (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapBase.h (rev 0)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapBase.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,95 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "HashMapImpl.h"
+#include "JSObject.h"
+
+namespace JSC {
+
+template <typename HashMapBucketType>
+class MapBase : public JSNonFinalObject {
+ typedef HashMapImpl<HashMapBucketType> HashMapImplType;
+ typedef JSNonFinalObject Base;
+public:
+
+ typedef HashMapBucketType BucketType;
+
+ ALWAYS_INLINE size_t size(ExecState*)
+ {
+ return m_map->size();
+ }
+
+ ALWAYS_INLINE bool has(ExecState* exec, JSValue key)
+ {
+ return m_map->has(exec, key);
+ }
+
+ ALWAYS_INLINE void clear(ExecState* exec)
+ {
+ m_map->clear(exec);
+ }
+
+ ALWAYS_INLINE bool remove(ExecState* exec, JSValue key)
+ {
+ return m_map->remove(exec, key);
+ }
+
+ ALWAYS_INLINE HashMapBucketType** findBucket(ExecState* exec, JSValue key, uint32_t hash)
+ {
+ return m_map->findBucket(exec, key, hash);
+ }
+
+ static ptrdiff_t offsetOfHashMapImpl()
+ {
+ return OBJECT_OFFSETOF(MapBase<HashMapBucketType>, m_map);
+ }
+
+ ALWAYS_INLINE HashMapImplType* impl() { return m_map.get(); }
+
+ void finishCreation(ExecState* exec, VM& vm)
+ {
+ Base::finishCreation(vm);
+ auto scope = DECLARE_THROW_SCOPE(vm);
+ HashMapImplType* impl = HashMapImplType::create(exec, vm);
+ if (UNLIKELY(scope.exception()))
+ return;
+ m_map.set(vm, this, impl);
+ }
+
+protected:
+ MapBase(VM& vm, Structure* structure)
+ : Base(vm, structure)
+ {
+ }
+
+ static size_t estimatedSize(JSCell*);
+ static void visitChildren(JSCell*, SlotVisitor&);
+
+ WriteBarrier<HashMapImplType> m_map;
+};
+
+} // namespace JSC
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapConstructorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapConstructor.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapConstructor.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapConstructor.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -61,9 +61,11 @@
</span><span class="cx">
</span><span class="cx"> JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
</span><span class="cx"> Structure* mapStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), globalObject->mapStructure());
</span><del>- if (exec->hadException())
</del><ins>+ if (UNLIKELY(scope.exception()))
</ins><span class="cx"> return JSValue::encode(JSValue());
</span><del>- JSMap* map = JSMap::create(exec, mapStructure);
</del><ins>+ JSMap* map = JSMap::create(exec, vm, mapStructure);
+ if (UNLIKELY(scope.exception()))
+ return JSValue::encode(JSValue());
</ins><span class="cx"> JSValue iterable = exec->argument(0);
</span><span class="cx"> if (iterable.isUndefinedOrNull())
</span><span class="cx"> return JSValue::encode(map);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapIteratorPrototypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -58,7 +58,6 @@
</span><span class="cx"> JSValue result;
</span><span class="cx"> if (iterator->next(callFrame, result))
</span><span class="cx"> return JSValue::encode(createIteratorResultObject(callFrame, result, false));
</span><del>- iterator->finish();
</del><span class="cx"> return JSValue::encode(createIteratorResultObject(callFrame, jsUndefined(), true));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeMapPrototypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapPrototype.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapPrototype.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/MapPrototype.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -68,14 +68,13 @@
</span><span class="cx">
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->clear, mapProtoFuncClear, DontEnum, 0);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->deleteKeyword, mapProtoFuncDelete, DontEnum, 1);
</span><del>- JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->get, mapProtoFuncGet, DontEnum, 1);
- JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->has, mapProtoFuncHas, DontEnum, 1);
</del><ins>+ JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->get, mapProtoFuncGet, DontEnum, 1, JSMapGetIntrinsic);
+ JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->has, mapProtoFuncHas, DontEnum, 1, JSMapHasIntrinsic);
</ins><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->set, mapProtoFuncSet, DontEnum, 2);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().keysPublicName(), mapProtoFuncKeys, DontEnum, 0);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().valuesPublicName(), mapProtoFuncValues, DontEnum, 0);
</span><span class="cx">
</span><del>- // Private get / set operations.
- JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().getPrivateName(), mapProtoFuncGet, DontEnum, 1);
</del><ins>+ JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().getPrivateName(), mapProtoFuncGet, DontEnum, 1, JSMapGetIntrinsic);
</ins><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().setPrivateName(), mapProtoFuncSet, DontEnum, 2);
</span><span class="cx">
</span><span class="cx"> JSFunction* entries = JSFunction::create(vm, globalObject, 0, vm.propertyNames->builtinNames().entriesPublicName().string(), mapProtoFuncEntries);
</span><span class="lines">@@ -91,18 +90,23 @@
</span><span class="cx"> VM& vm = callFrame->vm();
</span><span class="cx"> auto scope = DECLARE_THROW_SCOPE(vm);
</span><span class="cx">
</span><del>- if (!thisValue.isObject()) {
</del><ins>+ if (UNLIKELY(!thisValue.isCell())) {
</ins><span class="cx"> throwVMError(callFrame, scope, createNotAnObjectError(callFrame, thisValue));
</span><span class="cx"> return nullptr;
</span><span class="cx"> }
</span><del>- JSMap* map = jsDynamicCast<JSMap*>(thisValue);
- if (!map) {
- throwTypeError(callFrame, scope, ASCIILiteral("Map operation called on non-Map object"));
- return nullptr;
- }
- return map;
</del><ins>+
+ if (LIKELY(thisValue.asCell()->type() == JSMapType))
+ return jsCast<JSMap*>(thisValue);
+ throwTypeError(callFrame, scope, ASCIILiteral("Map operation called on non-Map object"));
+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+EncodedJSValue JSC_HOST_CALL privateFuncIsMap(ExecState* exec)
+{
+ JSValue value = exec->uncheckedArgument(0);
+ return JSValue::encode(jsBoolean(value.isCell() && value.asCell()->type() == JSMapType));
+}
+
</ins><span class="cx"> EncodedJSValue JSC_HOST_CALL mapProtoFuncClear(CallFrame* callFrame)
</span><span class="cx"> {
</span><span class="cx"> JSMap* map = getMap(callFrame, callFrame->thisValue());
</span><span class="lines">@@ -187,11 +191,6 @@
</span><span class="cx"> return JSValue::encode(JSMapIterator::create(vm, callFrame->callee()->globalObject()->mapIteratorStructure(), thisObj, IterateKey));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-EncodedJSValue JSC_HOST_CALL privateFuncIsMap(ExecState* exec)
-{
- return JSValue::encode(jsBoolean(jsDynamicCast<JSMap*>(exec->uncheckedArgument(0))));
-}
-
</del><span class="cx"> EncodedJSValue JSC_HOST_CALL privateFuncMapIterator(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(jsDynamicCast<JSMap*>(exec->uncheckedArgument(0)));
</span><span class="lines">@@ -204,13 +203,12 @@
</span><span class="cx"> ASSERT(jsDynamicCast<JSMapIterator*>(exec->thisValue()));
</span><span class="cx"> JSMapIterator* iterator = jsCast<JSMapIterator*>(exec->thisValue());
</span><span class="cx"> JSValue key, value;
</span><del>- if (iterator->nextKeyValue(key, value)) {
</del><ins>+ if (iterator->nextKeyValue(exec, key, value)) {
</ins><span class="cx"> JSArray* resultArray = jsCast<JSArray*>(exec->uncheckedArgument(0));
</span><span class="cx"> resultArray->putDirectIndex(exec, 0, key);
</span><span class="cx"> resultArray->putDirectIndex(exec, 1, value);
</span><span class="cx"> return JSValue::encode(jsBoolean(false));
</span><span class="cx"> }
</span><del>- iterator->finish();
</del><span class="cx"> return JSValue::encode(jsBoolean(true));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimePropertyDescriptorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/PropertyDescriptor.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/PropertyDescriptor.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/PropertyDescriptor.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -191,22 +191,6 @@
</span><span class="cx"> m_attributes &= ~ReadOnly;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-// See ES5.1 9.12
-bool sameValue(ExecState* exec, JSValue a, JSValue b)
-{
- if (!a.isNumber())
- return JSValue::strictEqual(exec, a, b);
- if (!b.isNumber())
- return false;
- double x = a.asNumber();
- double y = b.asNumber();
- bool xIsNaN = std::isnan(x);
- bool yIsNaN = std::isnan(y);
- if (xIsNaN || yIsNaN)
- return xIsNaN && yIsNaN;
- return bitwise_cast<uint64_t>(x) == bitwise_cast<uint64_t>(y);
-}
-
</del><span class="cx"> bool PropertyDescriptor::equalTo(ExecState* exec, const PropertyDescriptor& other) const
</span><span class="cx"> {
</span><span class="cx"> if (other.m_value.isEmpty() != m_value.isEmpty()
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimePropertyDescriptorh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/PropertyDescriptor.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/PropertyDescriptor.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/PropertyDescriptor.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -32,9 +32,6 @@
</span><span class="cx">
</span><span class="cx"> class GetterSetter;
</span><span class="cx">
</span><del>-// See ES5.1 9.12
-bool sameValue(ExecState*, JSValue, JSValue);
-
</del><span class="cx"> class PropertyDescriptor {
</span><span class="cx"> public:
</span><span class="cx"> PropertyDescriptor()
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeSetConstructorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetConstructor.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetConstructor.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetConstructor.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -62,9 +62,11 @@
</span><span class="cx">
</span><span class="cx"> JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
</span><span class="cx"> Structure* setStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), globalObject->setStructure());
</span><del>- if (exec->hadException())
</del><ins>+ if (UNLIKELY(scope.exception()))
</ins><span class="cx"> return JSValue::encode(JSValue());
</span><del>- JSSet* set = JSSet::create(exec, setStructure);
</del><ins>+ JSSet* set = JSSet::create(exec, vm, setStructure);
+ if (UNLIKELY(scope.exception()))
+ return JSValue::encode(JSValue());
</ins><span class="cx"> JSValue iterable = exec->argument(0);
</span><span class="cx"> if (iterable.isUndefinedOrNull())
</span><span class="cx"> return JSValue::encode(set);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeSetIteratorPrototypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -58,7 +58,6 @@
</span><span class="cx">
</span><span class="cx"> if (iterator->next(callFrame, result))
</span><span class="cx"> return JSValue::encode(createIteratorResultObject(callFrame, result, false));
</span><del>- iterator->finish();
</del><span class="cx"> return JSValue::encode(createIteratorResultObject(callFrame, jsUndefined(), true));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeSetPrototypecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetPrototype.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetPrototype.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/SetPrototype.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -68,7 +68,7 @@
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->add, setProtoFuncAdd, DontEnum, 1);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->clear, setProtoFuncClear, DontEnum, 0);
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->deleteKeyword, setProtoFuncDelete, DontEnum, 1);
</span><del>- JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->has, setProtoFuncHas, DontEnum, 1);
</del><ins>+ JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->has, setProtoFuncHas, DontEnum, 1, JSSetHasIntrinsic);
</ins><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().entriesPublicName(), setProtoFuncEntries, DontEnum, 0);
</span><span class="cx">
</span><span class="cx"> JSFunction* values = JSFunction::create(vm, globalObject, 0, vm.propertyNames->builtinNames().valuesPublicName().string(), setProtoFuncValues);
</span><span class="lines">@@ -85,16 +85,14 @@
</span><span class="cx"> VM& vm = callFrame->vm();
</span><span class="cx"> auto scope = DECLARE_THROW_SCOPE(vm);
</span><span class="cx">
</span><del>- if (!thisValue.isObject()) {
</del><ins>+ if (UNLIKELY(!thisValue.isCell())) {
</ins><span class="cx"> throwVMError(callFrame, scope, createNotAnObjectError(callFrame, thisValue));
</span><span class="cx"> return nullptr;
</span><span class="cx"> }
</span><del>- JSSet* set = jsDynamicCast<JSSet*>(thisValue);
- if (!set) {
- throwTypeError(callFrame, scope, ASCIILiteral("Set operation called on non-Set object"));
- return nullptr;
- }
- return set;
</del><ins>+ if (LIKELY(thisValue.asCell()->type() == JSSetType))
+ return jsCast<JSSet*>(thisValue);
+ throwTypeError(callFrame, scope, ASCIILiteral("Set operation called on non-Set object"));
+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL setProtoFuncAdd(CallFrame* callFrame)
</span><span class="lines">@@ -184,7 +182,6 @@
</span><span class="cx"> resultArray->putDirectIndex(exec, 0, result);
</span><span class="cx"> return JSValue::encode(jsBoolean(false));
</span><span class="cx"> }
</span><del>- iterator->finish();
</del><span class="cx"> return JSValue::encode(jsBoolean(true));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeVMcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/VM.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/VM.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/VM.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -65,6 +65,7 @@
</span><span class="cx"> #include "JSInternalPromiseDeferred.h"
</span><span class="cx"> #include "JSLexicalEnvironment.h"
</span><span class="cx"> #include "JSLock.h"
</span><ins>+#include "JSMap.h"
</ins><span class="cx"> #include "JSPromiseDeferred.h"
</span><span class="cx"> #include "JSPropertyNameEnumerator.h"
</span><span class="cx"> #include "JSTemplateRegistryKey.h"
</span><span class="lines">@@ -253,6 +254,10 @@
</span><span class="cx"> #if ENABLE(WEBASSEMBLY)
</span><span class="cx"> webAssemblyCodeBlockStructure.set(*this, WebAssemblyCodeBlock::createStructure(*this, 0, jsNull()));
</span><span class="cx"> #endif
</span><ins>+ hashMapBucketSetStructure.set(*this, HashMapBucket<HashMapBucketDataKey>::createStructure(*this, 0, jsNull()));
+ hashMapBucketMapStructure.set(*this, HashMapBucket<HashMapBucketDataKeyValue>::createStructure(*this, 0, jsNull()));
+ hashMapImplSetStructure.set(*this, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::createStructure(*this, 0, jsNull()));
+ hashMapImplMapStructure.set(*this, HashMapImpl<HashMapBucket<HashMapBucketDataKeyValue>>::createStructure(*this, 0, jsNull()));
</ins><span class="cx">
</span><span class="cx"> iterationTerminator.set(*this, JSFinalObject::create(*this, JSFinalObject::createStructure(*this, 0, jsNull(), 1)));
</span><span class="cx"> nativeStdFunctionCellStructure.set(*this, NativeStdFunctionCell::createStructure(*this, 0, jsNull()));
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/VM.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/VM.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/runtime/VM.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -334,6 +334,10 @@
</span><span class="cx"> Strong<Structure> evalCodeBlockStructure;
</span><span class="cx"> Strong<Structure> functionCodeBlockStructure;
</span><span class="cx"> Strong<Structure> webAssemblyCodeBlockStructure;
</span><ins>+ Strong<Structure> hashMapBucketSetStructure;
+ Strong<Structure> hashMapBucketMapStructure;
+ Strong<Structure> hashMapImplSetStructure;
+ Strong<Structure> hashMapImplMapStructure;
</ins><span class="cx">
</span><span class="cx"> Strong<JSCell> iterationTerminator;
</span><span class="cx"> Strong<JSCell> emptyPropertyNameEnumerator;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWTFChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WTF/ChangeLog (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WTF/ChangeLog 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/WTF/ChangeLog 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2016-09-06 Saam Barati <sbarati@apple.com>
+
+ Make JSMap and JSSet faster
+ https://bugs.webkit.org/show_bug.cgi?id=160989
+
+ Reviewed by Filip Pizlo.
+
+ I made s_flagCount public in StringImpl since JSC's JITs now use this field.
+
+ * wtf/text/StringImpl.h:
+
</ins><span class="cx"> 2016-08-31 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWTFwtftextStringImplh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WTF/wtf/text/StringImpl.h (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WTF/wtf/text/StringImpl.h 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/WTF/wtf/text/StringImpl.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -148,7 +148,9 @@
</span><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> // The bottom 6 bits in the hash are flags.
</span><ins>+public:
</ins><span class="cx"> static const unsigned s_flagCount = 6;
</span><ins>+private:
</ins><span class="cx"> static const unsigned s_flagMask = (1u << s_flagCount) - 1;
</span><span class="cx"> COMPILE_ASSERT(s_flagCount <= StringHasher::flagCount, StringHasher_reserves_enough_bits_for_StringImpl_flags);
</span><span class="cx"> static const unsigned s_flagStringKindCount = 4;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-09-06 Saam Barati <sbarati@apple.com>
+
+ Make JSMap and JSSet faster
+ https://bugs.webkit.org/show_bug.cgi?id=160989
+
+ Reviewed by Filip Pizlo.
+
+ * ForwardingHeaders/runtime/HashMapImpl.h: Added.
+ * ForwardingHeaders/runtime/MapBase.h: Added.
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::CloneSerializer::serialize):
+ (WebCore::CloneDeserializer::deserialize):
+
</ins><span class="cx"> 2016-09-06 Myles C. Maxfield <mmaxfield@apple.com>
</span><span class="cx">
</span><span class="cx"> Strikethrough positions are erroneously snapped twice
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreForwardingHeadersruntimeHashMapImplh"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/Source/WebCore/ForwardingHeaders/runtime/HashMapImpl.h (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ForwardingHeaders/runtime/HashMapImpl.h (rev 0)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ForwardingHeaders/runtime/HashMapImpl.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+#ifndef WebCore_FWD_HashMapImpl_h
+#define WebCore_FWD_HashMapImpl_h
+#include <JavaScriptCore/HashMapImpl.h>
+#endif
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreForwardingHeadersruntimeMapBaseh"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/Source/WebCore/ForwardingHeaders/runtime/MapBase.h (0 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ForwardingHeaders/runtime/MapBase.h (rev 0)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ForwardingHeaders/runtime/MapBase.h 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+#ifndef WebCore_FWD_MapBase_h
+#define WebCore_FWD_MapBase_h
+#include <JavaScriptCore/MapBase.h>
+#endif
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCorebindingsjsSerializedScriptValuecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/SerializedScriptValue.cpp (205729 => 205730)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2016-09-09 09:47:55 UTC (rev 205729)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2016-09-09 10:15:09 UTC (rev 205730)
</span><span class="lines">@@ -1368,7 +1368,7 @@
</span><span class="cx"> case MapDataStartVisitEntry: {
</span><span class="cx"> JSMapIterator* iterator = mapIteratorStack.last();
</span><span class="cx"> JSValue key, value;
</span><del>- if (!iterator->nextKeyValue(key, value)) {
</del><ins>+ if (!iterator->nextKeyValue(m_exec, key, value)) {
</ins><span class="cx"> mapIteratorStack.removeLast();
</span><span class="cx"> JSObject* object = inputObjectStack.last();
</span><span class="cx"> ASSERT(jsDynamicCast<JSMap*>(object));
</span><span class="lines">@@ -2545,7 +2545,9 @@
</span><span class="cx"> mapObjectStartState: {
</span><span class="cx"> if (outputObjectStack.size() > maximumFilterRecursion)
</span><span class="cx"> return std::make_pair(JSValue(), StackOverflowError);
</span><del>- JSMap* map = JSMap::create(m_exec->vm(), m_globalObject->mapStructure());
</del><ins>+ JSMap* map = JSMap::create(m_exec, m_exec->vm(), m_globalObject->mapStructure());
+ if (UNLIKELY(m_exec->hadException()))
+ goto error;
</ins><span class="cx"> m_gcBuffer.append(map);
</span><span class="cx"> outputObjectStack.append(map);
</span><span class="cx"> mapStack.append(map);
</span><span class="lines">@@ -2574,7 +2576,9 @@
</span><span class="cx"> setObjectStartState: {
</span><span class="cx"> if (outputObjectStack.size() > maximumFilterRecursion)
</span><span class="cx"> return std::make_pair(JSValue(), StackOverflowError);
</span><del>- JSSet* set = JSSet::create(m_exec->vm(), m_globalObject->setStructure());
</del><ins>+ JSSet* set = JSSet::create(m_exec, m_exec->vm(), m_globalObject->setStructure());
+ if (UNLIKELY(m_exec->hadException()))
+ goto error;
</ins><span class="cx"> m_gcBuffer.append(set);
</span><span class="cx"> outputObjectStack.append(set);
</span><span class="cx"> setStack.append(set);
</span></span></pre>
</div>
</div>
</body>
</html>