<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[207787] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/207787">207787</a></dd>
<dt>Author</dt> <dd>utatane.tea@gmail.com</dd>
<dt>Date</dt> <dd>2016-10-24 16:34:32 -0700 (Mon, 24 Oct 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>[DOMJIT] Add a way for DOMJIT::Patchpoint to express effects
https://bugs.webkit.org/show_bug.cgi?id=163657
Reviewed by Saam Barati.
Source/JavaScriptCore:
This patch introduces DOMJIT::Effect. It describes the side effects of
the DOMJIT::CallDOMPatchpoint. DOMJIT::CallDOMPatchpoint can use this
feature to teach the compilers about the effects. And the compilers
will perform CSE based on the reported effects.
As the same to B3's HeapRange, the effects are represented as a pair of
integers. [begin, end) pair will represents the range of the abstract
heap. We encode the abstract heap hierarchy into these pairs. Like,
Root: [0, 32)
Child1: [0, 20) Child2: [20, 32)
Child11: [0, 4) Child12: [4, 20)
This simplifies the representation of the abstract heap. And WebCore
just tells pairs of integers and it does not tell any detailed hierarchy.
So, DFG and FTL can optimize DOM operations without deep knowledge of
the DOM abstract heap hierarchy. For example, WebCore will tell that
firstChild will read Node_firstChild abstract heap. But this information
is encoded to the pair and DFG does not know the details. But still
DFG can understand the abstract heap hierarchy and can query whether the
given abstract heap overlaps with some abstract heap.
The heap range told by the WebCore is represented as DOMJIT::HeapRange.
DFG will handle this under the DOMState abstract heap. DOMJIT::HeapRange
is stored in DFG::AbstractHeap's Payload. We maintain the hierarchy by
DOMJIT::HeapRange in the DOMState abstract heap. We add a necessary
handling in DFG's AbstractHeap and ClobberSet.
And we also introduce DOMStateLoc for HeapLocation. It is combined with
DOMState AbstractHeap with DOMJIT::HeapRange. For example, we can
represent Node.firstChild as `read(DOMState:Node_firstChild)` and
`def(HeapLocation(node, DOMState:Node_firstChild))` thingy. This allows us
to perform CSE onto DOM getters that will read some of DOM heap!
For simplicity, we convert CallDOM from NodeVarArgs to the normal one.
CallDOM is now just used for DOMJIT getter. So its children is at most 2.
It may have either 1 or 2 children. If the global object is required
by CallDOMPatchpoint, it has 2 children. And we changed the order of
the children to further simplify the code. Before this change, the order
is 1: globalObject 2: base. After this patch, the order becomes 1: base,
and 2: globalObject. And the child2 may not exists if the global object
is not required. We changed all the existing DOMJIT patchpoint to this
form.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::emitDOMJITGetter):
* dfg/DFGAbstractHeap.cpp:
(JSC::DFG::AbstractHeap::dump):
* dfg/DFGAbstractHeap.h:
(JSC::DFG::AbstractHeap::isStrictSubtypeOf):
(JSC::DFG::AbstractHeap::overlaps):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::blessCallDOM):
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
* dfg/DFGClobberSet.cpp:
(JSC::DFG::ClobberSet::overlaps):
* dfg/DFGClobberSet.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasCallDOMData):
(JSC::DFG::Node::callDOMData):
(JSC::DFG::Node::hasCallDOMPatchpoint): Deleted.
(JSC::DFG::Node::callDOMPatchpoint): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOM):
* domjit/DOMJITAbstractHeap.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(JSC::DOMJIT::AbstractHeap::compute):
(JSC::DOMJIT::AbstractHeap::dump):
(JSC::DOMJIT::AbstractHeap::shallowDump):
(JSC::DOMJIT::AbstractHeap::deepDump):
* domjit/DOMJITAbstractHeap.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(JSC::DOMJIT::AbstractHeap::AbstractHeap):
(JSC::DOMJIT::AbstractHeap::setParent):
(JSC::DOMJIT::AbstractHeap::isRoot):
(JSC::DOMJIT::AbstractHeap::isComputed):
(JSC::DOMJIT::AbstractHeap::range):
* domjit/DOMJITCallDOMPatchpoint.h:
* domjit/DOMJITEffect.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(JSC::DOMJIT::Effect::forReadWrite):
(JSC::DOMJIT::Effect::forPure):
(JSC::DOMJIT::Effect::forDef):
(JSC::DOMJIT::Effect::mustGenerate):
* domjit/DOMJITHeapRange.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(JSC::DOMJIT::HeapRange::dump):
* domjit/DOMJITHeapRange.h: Added.
(JSC::DOMJIT::HeapRange::HeapRange):
(JSC::DOMJIT::HeapRange::fromRaw):
(JSC::DOMJIT::HeapRange::begin):
(JSC::DOMJIT::HeapRange::end):
(JSC::DOMJIT::HeapRange::rawRepresentation):
(JSC::DOMJIT::HeapRange::operator bool):
(JSC::DOMJIT::HeapRange::operator==):
(JSC::DOMJIT::HeapRange::top):
(JSC::DOMJIT::HeapRange::none):
(JSC::DOMJIT::HeapRange::isStrictSubtypeOf):
(JSC::DOMJIT::HeapRange::isSubtypeOf):
(JSC::DOMJIT::HeapRange::overlaps):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
* jsc.cpp:
Source/WebCore:
CallDOMPatchpoint now has the way to tell its effects to DFG and FTL compilers.
WebCore DOMJIT::AbstractHeapRepository will construct the hierarchy of the abstract
heap. And then it encodes these information into the pairs of the integers.
And this patch also changes the DOMJIT::PatchpointParams' parameter order.
So we change them in all the DOMJIT::CallDOMPatchpoint sites.
* CMakeLists.txt:
* ForwardingHeaders/domjit/DOMJITAbstractHeap.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
* ForwardingHeaders/domjit/DOMJITEffect.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
* ForwardingHeaders/domjit/DOMJITHeapRange.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
* WebCore.xcodeproj/project.pbxproj:
* domjit/DOMJITAbstractHeapRepository.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
(WebCore::DOMJIT::AbstractHeapRepository::AbstractHeapRepository):
(WebCore::DOMJIT::AbstractHeapRepository::instance):
* domjit/DOMJITAbstractHeapRepository.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
* domjit/DOMJITHelpers.h:
(WebCore::DOMJITHelpers::branchIfNotWorldIsNormal): Deleted.
(WebCore::DOMJITHelpers::branchIfNotWeakIsLive): Deleted.
(WebCore::DOMJITHelpers::tryLookUpWrapperCache): Deleted.
(WebCore::DOMJITHelpers::toWrapper): Deleted.
(WebCore::DOMJITHelpers::branchIfDOMWrapper): Deleted.
(WebCore::DOMJITHelpers::branchIfNotDOMWrapper): Deleted.
(WebCore::DOMJITHelpers::branchIfNode): Deleted.
(WebCore::DOMJITHelpers::branchIfNotNode): Deleted.
(WebCore::DOMJITHelpers::branchIfElement): Deleted.
(WebCore::DOMJITHelpers::branchIfNotElement): Deleted.
(WebCore::DOMJITHelpers::branchIfDocumentWrapper): Deleted.
(WebCore::DOMJITHelpers::branchIfNotDocumentWrapper): Deleted.
* domjit/JSNodeDOMJIT.cpp:
(WebCore::createCallDOMForOffsetAccess):
(WebCore::checkNode):
(WebCore::NodeFirstChildDOMJIT::checkDOM):
(WebCore::NodeFirstChildDOMJIT::callDOM):
(WebCore::NodeLastChildDOMJIT::checkDOM):
(WebCore::NodeLastChildDOMJIT::callDOM):
(WebCore::NodeNextSiblingDOMJIT::checkDOM):
(WebCore::NodeNextSiblingDOMJIT::callDOM):
(WebCore::NodePreviousSiblingDOMJIT::checkDOM):
(WebCore::NodePreviousSiblingDOMJIT::callDOM):
(WebCore::NodeParentNodeDOMJIT::checkDOM):
(WebCore::NodeParentNodeDOMJIT::callDOM):
(WebCore::NodeNodeTypeDOMJIT::checkDOM):
(WebCore::NodeNodeTypeDOMJIT::callDOM):
Source/WTF:
Simplify nonEmptyRangesOverlap.
* wtf/MathExtras.h:
(WTF::nonEmptyRangesOverlap):
LayoutTests:
* js/dom/domjit-accessor-different-effect-expected.txt: Added.
* js/dom/domjit-accessor-different-effect.html: Added.
* js/dom/domjit-accessor-effect-expected.txt: Added.
* js/dom/domjit-accessor-effect-should-overlap-with-call-expected.txt: Added.
* js/dom/domjit-accessor-effect-should-overlap-with-call.html: Added.
* js/dom/domjit-accessor-effect.html: Added.
* js/dom/domjit-accessor-licm-expected.txt: Added.
* js/dom/domjit-accessor-licm.html: Added.
* js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure-expected.txt: Added.
* js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePolymorphicAccesscpp">trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractHeapcpp">trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractHeaph">trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberSetcpp">trunk/Source/JavaScriptCore/dfg/DFGClobberSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberSeth">trunk/Source/JavaScriptCore/dfg/DFGClobberSet.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphh">trunk/Source/JavaScriptCore/dfg/DFGGraph.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationcpp">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationh">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh">trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejsccpp">trunk/Source/JavaScriptCore/jsc.cpp</a></li>
<li><a href="#trunkSourceWTFChangeLog">trunk/Source/WTF/ChangeLog</a></li>
<li><a href="#trunkSourceWTFwtfMathExtrash">trunk/Source/WTF/wtf/MathExtras.h</a></li>
<li><a href="#trunkSourceWebCoreCMakeListstxt">trunk/Source/WebCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreWebCorexcodeprojprojectpbxproj">trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceWebCoredomjitDOMJITHelpersh">trunk/Source/WebCore/domjit/DOMJITHelpers.h</a></li>
<li><a href="#trunkSourceWebCoredomjitJSNodeDOMJITcpp">trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessordifferenteffectexpectedtxt">trunk/LayoutTests/js/dom/domjit-accessor-different-effect-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessordifferenteffecthtml">trunk/LayoutTests/js/dom/domjit-accessor-different-effect.html</a></li>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessoreffectexpectedtxt">trunk/LayoutTests/js/dom/domjit-accessor-effect-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessoreffectshouldoverlapwithcallexpectedtxt">trunk/LayoutTests/js/dom/domjit-accessor-effect-should-overlap-with-call-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessoreffectshouldoverlapwithcallhtml">trunk/LayoutTests/js/dom/domjit-accessor-effect-should-overlap-with-call.html</a></li>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessoreffecthtml">trunk/LayoutTests/js/dom/domjit-accessor-effect.html</a></li>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessorlicmexpectedtxt">trunk/LayoutTests/js/dom/domjit-accessor-licm-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessorlicmhtml">trunk/LayoutTests/js/dom/domjit-accessor-licm.html</a></li>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessornodetypeeffectshouldnotoverlapwithcallsincepureexpectedtxt">trunk/LayoutTests/js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsdomdomjitaccessornodetypeeffectshouldnotoverlapwithcallsincepurehtml">trunk/LayoutTests/js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure.html</a></li>
<li><a href="#trunkSourceJavaScriptCoredomjitDOMJITAbstractHeapcpp">trunk/Source/JavaScriptCore/domjit/DOMJITAbstractHeap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredomjitDOMJITAbstractHeaph">trunk/Source/JavaScriptCore/domjit/DOMJITAbstractHeap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredomjitDOMJITEffecth">trunk/Source/JavaScriptCore/domjit/DOMJITEffect.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredomjitDOMJITHeapRangecpp">trunk/Source/JavaScriptCore/domjit/DOMJITHeapRange.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredomjitDOMJITHeapRangeh">trunk/Source/JavaScriptCore/domjit/DOMJITHeapRange.h</a></li>
<li><a href="#trunkSourceWebCoreForwardingHeadersdomjitDOMJITAbstractHeaph">trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITAbstractHeap.h</a></li>
<li><a href="#trunkSourceWebCoreForwardingHeadersdomjitDOMJITEffecth">trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITEffect.h</a></li>
<li><a href="#trunkSourceWebCoreForwardingHeadersdomjitDOMJITHeapRangeh">trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITHeapRange.h</a></li>
<li><a href="#trunkSourceWebCoredomjitDOMJITAbstractHeapRepositorycpp">trunk/Source/WebCore/domjit/DOMJITAbstractHeapRepository.cpp</a></li>
<li><a href="#trunkSourceWebCoredomjitDOMJITAbstractHeapRepositoryh">trunk/Source/WebCore/domjit/DOMJITAbstractHeapRepository.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/LayoutTests/ChangeLog 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2016-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
+
+ [DOMJIT] Add a way for DOMJIT::Patchpoint to express effects
+ https://bugs.webkit.org/show_bug.cgi?id=163657
+
+ Reviewed by Saam Barati.
+
+ * js/dom/domjit-accessor-different-effect-expected.txt: Added.
+ * js/dom/domjit-accessor-different-effect.html: Added.
+ * js/dom/domjit-accessor-effect-expected.txt: Added.
+ * js/dom/domjit-accessor-effect-should-overlap-with-call-expected.txt: Added.
+ * js/dom/domjit-accessor-effect-should-overlap-with-call.html: Added.
+ * js/dom/domjit-accessor-effect.html: Added.
+ * js/dom/domjit-accessor-licm-expected.txt: Added.
+ * js/dom/domjit-accessor-licm.html: Added.
+ * js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure-expected.txt: Added.
+ * js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure.html: Added.
+
</ins><span class="cx"> 2016-10-24 Myles C. Maxfield <mmaxfield@apple.com>
</span><span class="cx">
</span><span class="cx"> Font variations test gardening
</span></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessordifferenteffectexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-different-effect-expected.txt (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-different-effect-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-different-effect-expected.txt 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+Test DOMJIT accessors will handle different heap accesses correctly.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS test() is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessordifferenteffecthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-different-effect.html (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-different-effect.html (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-different-effect.html 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,37 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<div id="parentNode">
+<div id="previousSibling"></div><div id="target"><div id="firstChild"></div><div id="lastChild"></div></div><div id="nextSibling"></div>
+</div>
+
+<script>
+description('Test DOMJIT accessors will handle different heap accesses correctly.');
+
+function test()
+{
+ var target = document.getElementById('target');
+ var firstChild = document.getElementById('firstChild');
+ var lastChild = document.getElementById('lastChild');
+ for (var i = 0; i < 1e4; ++i) {
+ var ret = target.firstChild === firstChild;
+ ret &= target.lastChild === lastChild;
+ ret &= target.firstChild === firstChild;
+ ret &= target.lastChild === lastChild;
+ if (!ret)
+ return false;
+ }
+ return true;
+}
+
+shouldBeTrue(`test()`);
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessoreffectexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-effect-expected.txt (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-effect-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-effect-expected.txt 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+Test DOMJIT accessors will represent their heap accesses.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS func("firstChild", document.getElementById("target"), document.getElementById("firstChild")) is true
+PASS func("lastChild", document.getElementById("target"), document.getElementById("lastChild")) is true
+PASS func("nextSibling", document.getElementById("target"), document.getElementById("nextSibling")) is true
+PASS func("previousSibling", document.getElementById("target"), document.getElementById("previousSibling")) is true
+PASS func("parentNode", document.getElementById("target"), document.getElementById("parentNode")) is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessoreffectshouldoverlapwithcallexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-effect-should-overlap-with-call-expected.txt (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-effect-should-overlap-with-call-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-effect-should-overlap-with-call-expected.txt 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+Test function calls should overlap with effects of DOMJIT accessors.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS test() is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessoreffectshouldoverlapwithcallhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-effect-should-overlap-with-call.html (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-effect-should-overlap-with-call.html (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-effect-should-overlap-with-call.html 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,36 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<div id="parentNode">
+<div id="previousSibling"></div><div id="target"><div id="firstChild"></div><div id="lastChild"></div></div><div id="nextSibling"></div>
+</div>
+
+<script>
+description('Test function calls should overlap with effects of DOMJIT accessors.');
+
+function test()
+{
+ var target = document.getElementById('target');
+ var firstChild = document.getElementById('firstChild');
+ var lastChild = document.getElementById('lastChild');
+ for (var i = 0; i < 1e4; ++i) {
+ var ret = target.firstChild === firstChild;
+ target.appendChild(lastChild);
+ ret &= target.firstChild === firstChild;
+ if (!ret)
+ return false;
+ }
+ return true;
+}
+
+shouldBeTrue(`test()`);
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessoreffecthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-effect.html (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-effect.html (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-effect.html 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,49 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<div id="parentNode">
+<div id="previousSibling"></div><div id="target"><div id="firstChild"></div><div id="lastChild"></div></div><div id="nextSibling"></div>
+</div>
+
+<script>
+description('Test DOMJIT accessors will represent their heap accesses.');
+var tests = [
+ "firstChild",
+ "lastChild",
+ "nextSibling",
+ "previousSibling",
+ "parentNode",
+].map(function (name) {
+ var func = `
+ return function ${name}(name, element, result) {
+ for (var i = 0; i < 1e4; ++i) {
+ if (element.${name} !== result)
+ return false;
+ if (element.${name} !== result)
+ return false;
+ if (element.${name} !== result)
+ return false;
+ if (element.${name} !== result)
+ return false;
+ if (element.${name} !== result)
+ return false;
+ }
+ return true;
+ };
+ `;
+ return [ name, Function(func)() ];
+});
+
+for (var [name, func] of tests) {
+ shouldBeTrue(`func("${name}", document.getElementById("target"), document.getElementById("${name}"))`);
+}
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessorlicmexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-licm-expected.txt (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-licm-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-licm-expected.txt 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+Test DOMJIT accessor will be LICM-ed.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessorlicmhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-licm.html (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-licm.html (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-licm.html 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,45 @@
</span><ins>+<!DOCTYPE HTML>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+</head>
+<body>
+<script>
+
+</script>
+</body>
+</html>
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<div id="parentNode">
+<div id="previousSibling"></div><div id="target"><div id="firstChild"></div><div id="lastChild"></div></div><div id="nextSibling"></div>
+</div>
+
+<script>
+description('Test DOMJIT accessor will be LICM-ed.');
+
+function test() {
+ var div = document.createElement('div');
+ var ret = 0;
+ for (var i = 0; i < 1e4; ++i)
+ ret = div.nodeType;
+ return ret;
+}
+var result;
+(function () {
+ for (var i = 0; i < 100; ++i) {
+ result = test();
+ shouldBe(`result`, `Node.ELEMENT_NODE`, true);
+ }
+}());
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessornodetypeeffectshouldnotoverlapwithcallsincepureexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure-expected.txt (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure-expected.txt 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+Test function calls should not overlap with effects of DOMJIT's nodeType accessor since it is pure.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS test() is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsdomdomjitaccessornodetypeeffectshouldnotoverlapwithcallsincepurehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure.html (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure.html (rev 0)
+++ trunk/LayoutTests/js/dom/domjit-accessor-node-type-effect-should-not-overlap-with-call-since-pure.html 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,36 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<div id="parentNode">
+<div id="previousSibling"></div><div id="target"><div id="firstChild"></div><div id="lastChild"></div></div><div id="nextSibling"></div>
+</div>
+
+<script>
+description(`Test function calls should not overlap with effects of DOMJIT's nodeType accessor since it is pure.`);
+
+function test()
+{
+ var target = document.getElementById('target');
+ var firstChild = document.getElementById('firstChild');
+ var lastChild = document.getElementById('lastChild');
+ for (var i = 0; i < 1e4; ++i) {
+ var ret1 = target.nodeType;
+ target.appendChild(lastChild);
+ var ret2 = target.nodeType;
+ if (ret1 !== Node.ELEMENT_NODE || ret2 !== Node.ELEMENT_NODE)
+ return false;
+ }
+ return true;
+}
+
+shouldBeTrue(`test()`);
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -413,6 +413,9 @@
</span><span class="cx"> disassembler/udis86/udis86_syn-intel.c
</span><span class="cx"> disassembler/udis86/udis86_syn.c
</span><span class="cx">
</span><ins>+ domjit/DOMJITAbstractHeap.cpp
+ domjit/DOMJITHeapRange.cpp
+
</ins><span class="cx"> ftl/FTLAbstractHeap.cpp
</span><span class="cx"> ftl/FTLAbstractHeapRepository.cpp
</span><span class="cx"> ftl/FTLAvailableRecovery.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -1,3 +1,125 @@
</span><ins>+2016-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
+
+ [DOMJIT] Add a way for DOMJIT::Patchpoint to express effects
+ https://bugs.webkit.org/show_bug.cgi?id=163657
+
+ Reviewed by Saam Barati.
+
+ This patch introduces DOMJIT::Effect. It describes the side effects of
+ the DOMJIT::CallDOMPatchpoint. DOMJIT::CallDOMPatchpoint can use this
+ feature to teach the compilers about the effects. And the compilers
+ will perform CSE based on the reported effects.
+
+ As the same to B3's HeapRange, the effects are represented as a pair of
+ integers. [begin, end) pair will represents the range of the abstract
+ heap. We encode the abstract heap hierarchy into these pairs. Like,
+
+ Root: [0, 32)
+ Child1: [0, 20) Child2: [20, 32)
+ Child11: [0, 4) Child12: [4, 20)
+
+ This simplifies the representation of the abstract heap. And WebCore
+ just tells pairs of integers and it does not tell any detailed hierarchy.
+ So, DFG and FTL can optimize DOM operations without deep knowledge of
+ the DOM abstract heap hierarchy. For example, WebCore will tell that
+ firstChild will read Node_firstChild abstract heap. But this information
+ is encoded to the pair and DFG does not know the details. But still
+ DFG can understand the abstract heap hierarchy and can query whether the
+ given abstract heap overlaps with some abstract heap.
+
+ The heap range told by the WebCore is represented as DOMJIT::HeapRange.
+ DFG will handle this under the DOMState abstract heap. DOMJIT::HeapRange
+ is stored in DFG::AbstractHeap's Payload. We maintain the hierarchy by
+ DOMJIT::HeapRange in the DOMState abstract heap. We add a necessary
+ handling in DFG's AbstractHeap and ClobberSet.
+
+ And we also introduce DOMStateLoc for HeapLocation. It is combined with
+ DOMState AbstractHeap with DOMJIT::HeapRange. For example, we can
+ represent Node.firstChild as `read(DOMState:Node_firstChild)` and
+ `def(HeapLocation(node, DOMState:Node_firstChild))` thingy. This allows us
+ to perform CSE onto DOM getters that will read some of DOM heap!
+
+ For simplicity, we convert CallDOM from NodeVarArgs to the normal one.
+ CallDOM is now just used for DOMJIT getter. So its children is at most 2.
+ It may have either 1 or 2 children. If the global object is required
+ by CallDOMPatchpoint, it has 2 children. And we changed the order of
+ the children to further simplify the code. Before this change, the order
+ is 1: globalObject 2: base. After this patch, the order becomes 1: base,
+ and 2: globalObject. And the child2 may not exists if the global object
+ is not required. We changed all the existing DOMJIT patchpoint to this
+ form.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::AccessCase::emitDOMJITGetter):
+ * dfg/DFGAbstractHeap.cpp:
+ (JSC::DFG::AbstractHeap::dump):
+ * dfg/DFGAbstractHeap.h:
+ (JSC::DFG::AbstractHeap::isStrictSubtypeOf):
+ (JSC::DFG::AbstractHeap::overlaps):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::blessCallDOM):
+ (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
+ * dfg/DFGClobberSet.cpp:
+ (JSC::DFG::ClobberSet::overlaps):
+ * dfg/DFGClobberSet.h:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.h:
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasCallDOMData):
+ (JSC::DFG::Node::callDOMData):
+ (JSC::DFG::Node::hasCallDOMPatchpoint): Deleted.
+ (JSC::DFG::Node::callDOMPatchpoint): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCallDOM):
+ * domjit/DOMJITAbstractHeap.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
+ (JSC::DOMJIT::AbstractHeap::compute):
+ (JSC::DOMJIT::AbstractHeap::dump):
+ (JSC::DOMJIT::AbstractHeap::shallowDump):
+ (JSC::DOMJIT::AbstractHeap::deepDump):
+ * domjit/DOMJITAbstractHeap.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
+ (JSC::DOMJIT::AbstractHeap::AbstractHeap):
+ (JSC::DOMJIT::AbstractHeap::setParent):
+ (JSC::DOMJIT::AbstractHeap::isRoot):
+ (JSC::DOMJIT::AbstractHeap::isComputed):
+ (JSC::DOMJIT::AbstractHeap::range):
+ * domjit/DOMJITCallDOMPatchpoint.h:
+ * domjit/DOMJITEffect.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
+ (JSC::DOMJIT::Effect::forReadWrite):
+ (JSC::DOMJIT::Effect::forPure):
+ (JSC::DOMJIT::Effect::forDef):
+ (JSC::DOMJIT::Effect::mustGenerate):
+ * domjit/DOMJITHeapRange.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
+ (JSC::DOMJIT::HeapRange::dump):
+ * domjit/DOMJITHeapRange.h: Added.
+ (JSC::DOMJIT::HeapRange::HeapRange):
+ (JSC::DOMJIT::HeapRange::fromRaw):
+ (JSC::DOMJIT::HeapRange::begin):
+ (JSC::DOMJIT::HeapRange::end):
+ (JSC::DOMJIT::HeapRange::rawRepresentation):
+ (JSC::DOMJIT::HeapRange::operator bool):
+ (JSC::DOMJIT::HeapRange::operator==):
+ (JSC::DOMJIT::HeapRange::top):
+ (JSC::DOMJIT::HeapRange::none):
+ (JSC::DOMJIT::HeapRange::isStrictSubtypeOf):
+ (JSC::DOMJIT::HeapRange::isSubtypeOf):
+ (JSC::DOMJIT::HeapRange::overlaps):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
+ * jsc.cpp:
+
</ins><span class="cx"> 2016-10-24 Alex Christensen <achristensen@webkit.org>
</span><span class="cx">
</span><span class="cx"> JSONParse should not crash with null Strings
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -2164,6 +2164,10 @@
</span><span class="cx"> E3555B8A1DAE03A500F36921 /* DOMJITCallDOMPatchpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = E3555B891DAE03A200F36921 /* DOMJITCallDOMPatchpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> E355F3521B7DC85300C50DC5 /* ModuleLoaderPrototype.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E355F3501B7DC85300C50DC5 /* ModuleLoaderPrototype.cpp */; };
</span><span class="cx"> E355F3531B7DC85300C50DC5 /* ModuleLoaderPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = E355F3511B7DC85300C50DC5 /* ModuleLoaderPrototype.h */; };
</span><ins>+ E35CA1531DBC3A5C00F83516 /* DOMJITHeapRange.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E35CA1511DBC3A5600F83516 /* DOMJITHeapRange.cpp */; };
+ E35CA1541DBC3A5C00F83516 /* DOMJITHeapRange.h in Headers */ = {isa = PBXBuildFile; fileRef = E35CA1521DBC3A5600F83516 /* DOMJITHeapRange.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ E35CA1551DBC3A5F00F83516 /* DOMJITAbstractHeap.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E35CA14F1DBC3A5600F83516 /* DOMJITAbstractHeap.cpp */; };
+ E35CA1561DBC3A5F00F83516 /* DOMJITAbstractHeap.h in Headers */ = {isa = PBXBuildFile; fileRef = E35CA1501DBC3A5600F83516 /* DOMJITAbstractHeap.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> E35E035F1B7AB43E0073AD2A /* InspectorInstrumentationObject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E35E035D1B7AB43E0073AD2A /* InspectorInstrumentationObject.cpp */; };
</span><span class="cx"> E35E03601B7AB43E0073AD2A /* InspectorInstrumentationObject.h in Headers */ = {isa = PBXBuildFile; fileRef = E35E035E1B7AB43E0073AD2A /* InspectorInstrumentationObject.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> E3794E751B77EB97005543AE /* ModuleAnalyzer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E3794E731B77EB97005543AE /* ModuleAnalyzer.cpp */; };
</span><span class="lines">@@ -2178,6 +2182,7 @@
</span><span class="cx"> E3BFD0BB1DAF80870065DEA2 /* DOMJITAccessCasePatchpointParams.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E3BFD0B91DAF807C0065DEA2 /* DOMJITAccessCasePatchpointParams.cpp */; };
</span><span class="cx"> E3BFD0BC1DAF808E0065DEA2 /* DOMJITAccessCasePatchpointParams.h in Headers */ = {isa = PBXBuildFile; fileRef = E3BFD0BA1DAF807C0065DEA2 /* DOMJITAccessCasePatchpointParams.h */; };
</span><span class="cx"> E3C08E3C1DA41B810039478F /* DOMJITPatchpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = E3C08E3B1DA41B7B0039478F /* DOMJITPatchpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ E3C79CAB1DB9A4DC00D1ECA4 /* DOMJITEffect.h in Headers */ = {isa = PBXBuildFile; fileRef = E3C79CAA1DB9A4D600D1ECA4 /* DOMJITEffect.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> E3D239C81B829C1C00BBEF67 /* JSModuleEnvironment.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E3D239C61B829C1C00BBEF67 /* JSModuleEnvironment.cpp */; };
</span><span class="cx"> E3D239C91B829C1C00BBEF67 /* JSModuleEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = E3D239C71B829C1C00BBEF67 /* JSModuleEnvironment.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> E3EF88741B66DF23003F26CB /* JSPropertyNameIterator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E3EF88721B66DF23003F26CB /* JSPropertyNameIterator.cpp */; };
</span><span class="lines">@@ -4536,6 +4541,10 @@
</span><span class="cx"> E3555B891DAE03A200F36921 /* DOMJITCallDOMPatchpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITCallDOMPatchpoint.h; sourceTree = "<group>"; };
</span><span class="cx"> E355F3501B7DC85300C50DC5 /* ModuleLoaderPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ModuleLoaderPrototype.cpp; sourceTree = "<group>"; };
</span><span class="cx"> E355F3511B7DC85300C50DC5 /* ModuleLoaderPrototype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ModuleLoaderPrototype.h; sourceTree = "<group>"; };
</span><ins>+ E35CA14F1DBC3A5600F83516 /* DOMJITAbstractHeap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITAbstractHeap.cpp; sourceTree = "<group>"; };
+ E35CA1501DBC3A5600F83516 /* DOMJITAbstractHeap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITAbstractHeap.h; sourceTree = "<group>"; };
+ E35CA1511DBC3A5600F83516 /* DOMJITHeapRange.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITHeapRange.cpp; sourceTree = "<group>"; };
+ E35CA1521DBC3A5600F83516 /* DOMJITHeapRange.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITHeapRange.h; sourceTree = "<group>"; };
</ins><span class="cx"> E35E035D1B7AB43E0073AD2A /* InspectorInstrumentationObject.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InspectorInstrumentationObject.cpp; sourceTree = "<group>"; };
</span><span class="cx"> E35E035E1B7AB43E0073AD2A /* InspectorInstrumentationObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InspectorInstrumentationObject.h; sourceTree = "<group>"; };
</span><span class="cx"> E35E03611B7AB4850073AD2A /* InspectorInstrumentationObject.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; path = InspectorInstrumentationObject.js; sourceTree = "<group>"; };
</span><span class="lines">@@ -4551,6 +4560,7 @@
</span><span class="cx"> E3BFD0B91DAF807C0065DEA2 /* DOMJITAccessCasePatchpointParams.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITAccessCasePatchpointParams.cpp; sourceTree = "<group>"; };
</span><span class="cx"> E3BFD0BA1DAF807C0065DEA2 /* DOMJITAccessCasePatchpointParams.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITAccessCasePatchpointParams.h; sourceTree = "<group>"; };
</span><span class="cx"> E3C08E3B1DA41B7B0039478F /* DOMJITPatchpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITPatchpoint.h; sourceTree = "<group>"; };
</span><ins>+ E3C79CAA1DB9A4D600D1ECA4 /* DOMJITEffect.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITEffect.h; sourceTree = "<group>"; };
</ins><span class="cx"> E3CB1E241DA7540A00FA1E56 /* DOMJITSlowPathCalls.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITSlowPathCalls.h; sourceTree = "<group>"; };
</span><span class="cx"> E3D239C61B829C1C00BBEF67 /* JSModuleEnvironment.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSModuleEnvironment.cpp; sourceTree = "<group>"; };
</span><span class="cx"> E3D239C71B829C1C00BBEF67 /* JSModuleEnvironment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSModuleEnvironment.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -7408,8 +7418,13 @@
</span><span class="cx"> E3FF752D1D9CE9EA00C7E16D /* domjit */ = {
</span><span class="cx"> isa = PBXGroup;
</span><span class="cx"> children = (
</span><ins>+ E35CA14F1DBC3A5600F83516 /* DOMJITAbstractHeap.cpp */,
+ E35CA1501DBC3A5600F83516 /* DOMJITAbstractHeap.h */,
</ins><span class="cx"> E3555B891DAE03A200F36921 /* DOMJITCallDOMPatchpoint.h */,
</span><ins>+ E3C79CAA1DB9A4D600D1ECA4 /* DOMJITEffect.h */,
</ins><span class="cx"> E3FF752F1D9CEA1200C7E16D /* DOMJITGetterSetter.h */,
</span><ins>+ E35CA1511DBC3A5600F83516 /* DOMJITHeapRange.cpp */,
+ E35CA1521DBC3A5600F83516 /* DOMJITHeapRange.h */,
</ins><span class="cx"> E3C08E3B1DA41B7B0039478F /* DOMJITPatchpoint.h */,
</span><span class="cx"> E37AD83A1DA4928000F3D412 /* DOMJITPatchpointParams.h */,
</span><span class="cx"> E37AD83B1DA4928000F3D412 /* DOMJITReg.h */,
</span><span class="lines">@@ -7637,6 +7652,7 @@
</span><span class="cx"> 0F96EBB316676EF6008BADE3 /* CodeBlockWithJITType.h in Headers */,
</span><span class="cx"> A77F1822164088B200640A47 /* CodeCache.h in Headers */,
</span><span class="cx"> 99CC0B6318BE9950006CEBCC /* CodeGeneratorReplayInputs.py in Headers */,
</span><ins>+ E3C79CAB1DB9A4DC00D1ECA4 /* DOMJITEffect.h in Headers */,
</ins><span class="cx"> 99CC0B6218BE9946006CEBCC /* CodeGeneratorReplayInputsTemplates.py in Headers */,
</span><span class="cx"> 86E116B10FE75AC800B512BC /* CodeLocation.h in Headers */,
</span><span class="cx"> 0FBD7E691447999600481315 /* CodeOrigin.h in Headers */,
</span><span class="lines">@@ -8304,6 +8320,7 @@
</span><span class="cx"> AD2FCC1F1DB59CB200B3E736 /* WebAssemblyRuntimeErrorPrototype.lut.h in Headers */,
</span><span class="cx"> A552C3801ADDB8FE00139726 /* JSRemoteInspector.h in Headers */,
</span><span class="cx"> 9928FF3C18AC4AEC00B8CF12 /* JSReplayInputs.h in Headers */,
</span><ins>+ E35CA1561DBC3A5F00F83516 /* DOMJITAbstractHeap.h in Headers */,
</ins><span class="cx"> BC18C4260E16F5CD00B34460 /* JSRetainPtr.h in Headers */,
</span><span class="cx"> 14874AE615EBDE4A002E3587 /* JSScope.h in Headers */,
</span><span class="cx"> 0F33FCFB1C1625BE00323F67 /* B3CFG.h in Headers */,
</span><span class="lines">@@ -8422,6 +8439,7 @@
</span><span class="cx"> 7C008CE7187631B600955C24 /* Microtask.h in Headers */,
</span><span class="cx"> DC0184191D10C1890057B053 /* JITWorklist.h in Headers */,
</span><span class="cx"> 86C568E211A213EE0007F7F0 /* MIPSAssembler.h in Headers */,
</span><ins>+ E35CA1541DBC3A5C00F83516 /* DOMJITHeapRange.h in Headers */,
</ins><span class="cx"> C4703CD7192844CC0013FBEA /* models.py in Headers */,
</span><span class="cx"> E3794E761B77EB97005543AE /* ModuleAnalyzer.h in Headers */,
</span><span class="cx"> E355F3531B7DC85300C50DC5 /* ModuleLoaderPrototype.h in Headers */,
</span><span class="lines">@@ -9930,6 +9948,7 @@
</span><span class="cx"> 0F61832B1C45BF070072450B /* AirCustom.cpp in Sources */,
</span><span class="cx"> 0F13912B16771C3A009CCB07 /* ProfilerProfiledBytecodes.cpp in Sources */,
</span><span class="cx"> 0FD3E40D1B618B6600C80E1E /* PropertyCondition.cpp in Sources */,
</span><ins>+ E35CA1531DBC3A5C00F83516 /* DOMJITHeapRange.cpp in Sources */,
</ins><span class="cx"> A7FB60A4103F7DC20017A286 /* PropertyDescriptor.cpp in Sources */,
</span><span class="cx"> 14469DE8107EC7E700650446 /* PropertySlot.cpp in Sources */,
</span><span class="cx"> ADE39FFF16DD144B0003CD4A /* PropertyTable.cpp in Sources */,
</span><span class="lines">@@ -9948,6 +9967,7 @@
</span><span class="cx"> 8642C512151C083D0046D4EF /* RegExpMatchesArray.cpp in Sources */,
</span><span class="cx"> 14280843107EC0930013E7B2 /* RegExpObject.cpp in Sources */,
</span><span class="cx"> 14280844107EC0930013E7B2 /* RegExpPrototype.cpp in Sources */,
</span><ins>+ E35CA1551DBC3A5F00F83516 /* DOMJITAbstractHeap.cpp in Sources */,
</ins><span class="cx"> 6540C7A01B82E1C3000F6B79 /* RegisterAtOffset.cpp in Sources */,
</span><span class="cx"> 6540C7A11B82E1C3000F6B79 /* RegisterAtOffsetList.cpp in Sources */,
</span><span class="cx"> 0FC3141518146D7000033232 /* RegisterSet.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePolymorphicAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -1471,11 +1471,11 @@
</span><span class="cx"> JSGlobalObject* globalObjectForDOMJIT = structure()->globalObject();
</span><span class="cx">
</span><span class="cx"> regs.append(paramValueRegs);
</span><ins>+ regs.append(paramBaseGPR);
</ins><span class="cx"> if (patchpoint->requireGlobalObject) {
</span><span class="cx"> ASSERT(paramGlobalObjectGPR != InvalidGPRReg);
</span><span class="cx"> regs.append(DOMJIT::Value(paramGlobalObjectGPR, globalObjectForDOMJIT));
</span><span class="cx"> }
</span><del>- regs.append(paramBaseGPR);
</del><span class="cx">
</span><span class="cx"> if (patchpoint->numGPScratchRegisters) {
</span><span class="cx"> unsigned i = 0;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractHeapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -45,6 +45,10 @@
</span><span class="cx"> out.print(kind());
</span><span class="cx"> if (kind() == InvalidAbstractHeap || kind() == World || kind() == Heap || payload().isTop())
</span><span class="cx"> return;
</span><ins>+ if (kind() == DOMState) {
+ out.print("(", DOMJIT::HeapRange::fromRaw(payload().value32()), ")");
+ return;
+ }
</ins><span class="cx"> out.print("(", payload(), ")");
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractHeaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx">
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx">
</span><ins>+#include "DOMJITHeapRange.h"
</ins><span class="cx"> #include "VirtualRegister.h"
</span><span class="cx"> #include <wtf/HashMap.h>
</span><span class="cx"> #include <wtf/PrintStream.h>
</span><span class="lines">@@ -73,6 +74,8 @@
</span><span class="cx"> macro(MathDotRandomState) \
</span><span class="cx"> macro(InternalState) \
</span><span class="cx"> macro(Absolute) \
</span><ins>+ /* DOMJIT tells the heap range with the pair of integers. */\
+ macro(DOMState) \
</ins><span class="cx"> /* Use this for writes only, to indicate that this may fire watchpoints. Usually this is never directly written but instead we test to see if a node clobbers this; it just so happens that you have to write world to clobber it. */\
</span><span class="cx"> macro(Watchpoint_fire) \
</span><span class="cx"> /* Use these for reads only, just to indicate that if the world got clobbered, then this operation will not work. */\
</span><span class="lines">@@ -233,6 +236,15 @@
</span><span class="cx"> bool isStrictSubtypeOf(const AbstractHeap& other) const
</span><span class="cx"> {
</span><span class="cx"> AbstractHeap current = *this;
</span><ins>+ if (current.kind() == DOMState && other.kind() == DOMState) {
+ Payload currentPayload = current.payload();
+ Payload otherPayload = other.payload();
+ if (currentPayload.isTop())
+ return false;
+ if (otherPayload.isTop())
+ return true;
+ return DOMJIT::HeapRange::fromRaw(currentPayload.value32()).isStrictSubtypeOf(DOMJIT::HeapRange::fromRaw(otherPayload.value32()));
+ }
</ins><span class="cx"> while (current.kind() != World) {
</span><span class="cx"> current = current.supertype();
</span><span class="cx"> if (current == other)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -2289,10 +2289,13 @@
</span><span class="cx"> filterClassInfo(value, node->classInfo());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- case CallDOM:
- clobberWorld(node->origin.semantic, clobberLimit);
</del><ins>+ case CallDOM: {
+ DOMJIT::CallDOMPatchpoint* patchpoint = node->callDOMData()->patchpoint;
+ if (patchpoint->effect.writes)
+ clobberWorld(node->origin.semantic, clobberLimit);
</ins><span class="cx"> forNode(node).makeBytecodeTop();
</span><span class="cx"> break;
</span><ins>+ }
</ins><span class="cx"> case CheckArray: {
</span><span class="cx"> if (node->arrayMode().alreadyChecked(m_graph, node, forNode(node->child1()))) {
</span><span class="cx"> m_state.setFoundConstants(true);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -2673,6 +2673,13 @@
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+static void blessCallDOM(Node* node)
+{
+ DOMJIT::CallDOMPatchpoint* patchpoint = node->callDOMData()->patchpoint;
+ if (!patchpoint->effect.mustGenerate())
+ node->clearFlags(NodeMustGenerate);
+}
+
</ins><span class="cx"> bool ByteCodeParser::handleDOMJITGetter(int resultOperand, const GetByIdVariant& variant, Node* thisNode, SpeculatedType prediction)
</span><span class="cx"> {
</span><span class="cx"> if (!variant.domJIT())
</span><span class="lines">@@ -2691,14 +2698,22 @@
</span><span class="cx"> // We do not need to emit CheckCell thingy here. When the custom accessor is replaced to different one, Structure transition occurs.
</span><span class="cx"> addToGraph(CheckDOM, OpInfo(checkDOMPatchpoint.ptr()), OpInfo(domJIT->thisClassInfo()), thisNode);
</span><span class="cx">
</span><ins>+ CallDOMData* callDOMData = m_graph.m_callDOMData.add();
</ins><span class="cx"> Ref<DOMJIT::CallDOMPatchpoint> callDOMPatchpoint = domJIT->callDOM();
</span><span class="cx"> m_graph.m_domJITPatchpoints.append(callDOMPatchpoint.ptr());
</span><ins>+
+ callDOMData->domJIT = domJIT;
+ callDOMData->patchpoint = callDOMPatchpoint.ptr();
+
+ Node* callDOMNode = nullptr;
+ // GlobalObject of thisNode is always used to create a DOMWrapper.
</ins><span class="cx"> if (callDOMPatchpoint->requireGlobalObject) {
</span><span class="cx"> Node* globalObject = addToGraph(GetGlobalObject, thisNode);
</span><del>- addVarArgChild(globalObject); // GlobalObject of thisNode is always used to create a DOMWrapper.
- }
- addVarArgChild(thisNode);
- set(VirtualRegister(resultOperand), addToGraph(Node::VarArg, CallDOM, OpInfo(callDOMPatchpoint.ptr()), OpInfo(prediction)));
</del><ins>+ callDOMNode = addToGraph(CallDOM, OpInfo(callDOMData), OpInfo(prediction), thisNode, globalObject);
+ } else
+ callDOMNode = addToGraph(CallDOM, OpInfo(callDOMData), OpInfo(prediction), thisNode);
+ blessCallDOM(callDOMNode);
+ set(VirtualRegister(resultOperand), callDOMNode);
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberSet.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberSet.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberSet.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -81,6 +81,23 @@
</span><span class="cx"> {
</span><span class="cx"> if (m_clobbers.find(heap) != m_clobbers.end())
</span><span class="cx"> return true;
</span><ins>+ if (heap.kind() == DOMState && !heap.payload().isTop()) {
+ // DOMState heap has its own hierarchy. For direct heap clobbers that payload is not Top,
+ // we should query whether the clobber overlaps with the given heap.
+ DOMJIT::HeapRange range = DOMJIT::HeapRange::fromRaw(heap.payload().value32());
+ for (auto pair : m_clobbers) {
+ bool direct = pair.value;
+ if (!direct)
+ continue;
+ AbstractHeap clobber = pair.key;
+ if (clobber.kind() != DOMState)
+ continue;
+ if (clobber.payload().isTop())
+ return true;
+ if (DOMJIT::HeapRange::fromRaw(clobber.payload().value32()).overlaps(range))
+ return true;
+ }
+ }
</ins><span class="cx"> while (heap.kind() != World) {
</span><span class="cx"> heap = heap.supertype();
</span><span class="cx"> if (contains(heap))
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberSet.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberSet.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberSet.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -52,11 +52,11 @@
</span><span class="cx">
</span><span class="cx"> void add(AbstractHeap);
</span><span class="cx"> void addAll(const ClobberSet&);
</span><del>- bool contains(AbstractHeap) const;
</del><span class="cx"> bool overlaps(AbstractHeap) const;
</span><span class="cx"> void clear();
</span><span class="cx">
</span><span class="cx"> // Calls useful for debugging the ClobberSet.
</span><ins>+ // Do not call for non debugging purpose. Otherwise, you must handle DOMState hierarchy carefully.
</ins><span class="cx">
</span><span class="cx"> HashSet<AbstractHeap> direct() const;
</span><span class="cx"> HashSet<AbstractHeap> super() const;
</span><span class="lines">@@ -64,6 +64,8 @@
</span><span class="cx"> void dump(PrintStream&) const;
</span><span class="cx">
</span><span class="cx"> private:
</span><ins>+ bool contains(AbstractHeap) const;
+
</ins><span class="cx"> HashSet<AbstractHeap> setOf(bool direct) const;
</span><span class="cx">
</span><span class="cx"> // Maps heap to:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -33,6 +33,7 @@
</span><span class="cx"> #include "DFGHeapLocation.h"
</span><span class="cx"> #include "DFGLazyNode.h"
</span><span class="cx"> #include "DFGPureValue.h"
</span><ins>+#include "DOMJITCallDOMPatchpoint.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx">
</span><span class="lines">@@ -907,10 +908,34 @@
</span><span class="cx"> def(PureValue(node, node->classInfo()));
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- case CallDOM:
- read(World);
- write(Heap);
</del><ins>+ case CallDOM: {
+ DOMJIT::CallDOMPatchpoint* patchpoint = node->callDOMData()->patchpoint;
+ DOMJIT::Effect effect = patchpoint->effect;
+ if (effect.reads) {
+ if (effect.reads == DOMJIT::HeapRange::top())
+ read(World);
+ else
+ read(AbstractHeap(DOMState, effect.reads.rawRepresentation()));
+ }
+ if (effect.writes) {
+ if (effect.writes == DOMJIT::HeapRange::top())
+ write(World);
+ else
+ write(AbstractHeap(DOMState, effect.writes.rawRepresentation()));
+ }
+ if (effect.def) {
+ DOMJIT::HeapRange range = effect.def.value();
+ if (range == DOMJIT::HeapRange::none())
+ def(PureValue(node, node->callDOMData()->domJIT));
+ else {
+ // Def with heap location. We do not include "GlobalObject" for that since this information is included in the base node.
+ // FIXME: When supporting the other nodes like getElementById("string"), we should include the base and the id string.
+ // Currently, we only see the DOMJIT getter here. So just including "base" is ok.
+ def(HeapLocation(DOMStateLoc, AbstractHeap(DOMState, range.rawRepresentation()), node->child1()), LazyNode(node));
+ }
+ }
</ins><span class="cx"> return;
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> case Arrayify:
</span><span class="cx"> case ArrayifyToStructure:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -118,7 +118,6 @@
</span><span class="cx"> case CheckStructure:
</span><span class="cx"> case GetExecutable:
</span><span class="cx"> case GetButterfly:
</span><del>- case CallDOM:
</del><span class="cx"> case CheckDOM:
</span><span class="cx"> case CheckArray:
</span><span class="cx"> case GetScope:
</span><span class="lines">@@ -299,6 +298,7 @@
</span><span class="cx"> case StringReplaceRegExp:
</span><span class="cx"> case CreateRest:
</span><span class="cx"> case ToLowerCase:
</span><ins>+ case CallDOM:
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> case MultiPutByOffset:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -1711,11 +1711,10 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CallDOM: {
</span><del>- int childIndex = 0;
- DOMJIT::CallDOMPatchpoint* patchpoint = node->callDOMPatchpoint();
</del><ins>+ DOMJIT::CallDOMPatchpoint* patchpoint = node->callDOMData()->patchpoint;
+ fixEdge<CellUse>(node->child1()); // DOM.
</ins><span class="cx"> if (patchpoint->requireGlobalObject)
</span><del>- fixEdge<KnownCellUse>(m_graph.varArgChild(node, childIndex++)); // GlobalObject.
- fixEdge<CellUse>(m_graph.varArgChild(node, childIndex++)); // DOM.
</del><ins>+ fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -901,6 +901,7 @@
</span><span class="cx"> Bag<LoadVarargsData> m_loadVarargsData;
</span><span class="cx"> Bag<StackAccessData> m_stackAccessData;
</span><span class="cx"> Bag<LazyJSValue> m_lazyJSValues;
</span><ins>+ Bag<CallDOMData> m_callDOMData;
</ins><span class="cx"> Vector<InlineVariableData, 4> m_inlineVariableData;
</span><span class="cx"> HashMap<CodeBlock*, std::unique_ptr<FullBytecodeLiveness>> m_bytecodeLiveness;
</span><span class="cx"> HashMap<CodeBlock*, std::unique_ptr<BytecodeKills>> m_bytecodeKills;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -152,6 +152,9 @@
</span><span class="cx"> case MapHasLoc:
</span><span class="cx"> out.print("MapHasLoc");
</span><span class="cx"> return;
</span><ins>+ case DOMStateLoc:
+ out.print("DOMStateLoc");
+ return;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -60,7 +60,8 @@
</span><span class="cx"> StackPayloadLoc,
</span><span class="cx"> MapBucketLoc,
</span><span class="cx"> JSMapGetLoc,
</span><del>- MapHasLoc
</del><ins>+ MapHasLoc,
+ DOMStateLoc,
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> class HeapLocation {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -59,6 +59,7 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><span class="cx"> namespace DOMJIT {
</span><ins>+class GetterSetter;
</ins><span class="cx"> class Patchpoint;
</span><span class="cx"> class CallDOMPatchpoint;
</span><span class="cx"> }
</span><span class="lines">@@ -231,6 +232,11 @@
</span><span class="cx"> FlushedAt flushedAt() { return FlushedAt(format, machineLocal); }
</span><span class="cx"> };
</span><span class="cx">
</span><ins>+struct CallDOMData {
+ DOMJIT::GetterSetter* domJIT { nullptr };
+ DOMJIT::CallDOMPatchpoint* patchpoint { nullptr };
+};
+
</ins><span class="cx"> // === Node ===
</span><span class="cx"> //
</span><span class="cx"> // Node represents a single operation in the data flow graph.
</span><span class="lines">@@ -2336,15 +2342,15 @@
</span><span class="cx"> return m_opInfo.as<DOMJIT::Patchpoint*>();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool hasCallDOMPatchpoint() const
</del><ins>+ bool hasCallDOMData() const
</ins><span class="cx"> {
</span><span class="cx"> return op() == CallDOM;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- DOMJIT::CallDOMPatchpoint* callDOMPatchpoint()
</del><ins>+ CallDOMData* callDOMData()
</ins><span class="cx"> {
</span><del>- ASSERT(hasCallDOMPatchpoint());
- return m_opInfo.as<DOMJIT::CallDOMPatchpoint*>();
</del><ins>+ ASSERT(hasCallDOMData());
+ return m_opInfo.as<CallDOMData*>();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool hasClassInfo() const
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -404,7 +404,7 @@
</span><span class="cx"> macro(ToLowerCase, NodeResultJS) \
</span><span class="cx"> /* Nodes for DOM JIT */\
</span><span class="cx"> macro(CheckDOM, NodeMustGenerate) \
</span><del>- macro(CallDOM, NodeResultJS | NodeMustGenerate | NodeHasVarArgs) \
</del><ins>+ macro(CallDOM, NodeResultJS | NodeMustGenerate) \
</ins><span class="cx">
</span><span class="cx"> // This enum generates a monotonically increasing id for all Node types,
</span><span class="cx"> // and is used by the subsequent enum to fill out the id (as accessed via the NodeIdMask).
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -7225,7 +7225,7 @@
</span><span class="cx">
</span><span class="cx"> void SpeculativeJIT::compileCallDOM(Node* node)
</span><span class="cx"> {
</span><del>- DOMJIT::CallDOMPatchpoint* patchpoint = node->callDOMPatchpoint();
</del><ins>+ DOMJIT::CallDOMPatchpoint* patchpoint = node->callDOMData()->patchpoint;
</ins><span class="cx">
</span><span class="cx"> Vector<GPRReg> gpScratch;
</span><span class="cx"> Vector<FPRReg> fpScratch;
</span><span class="lines">@@ -7234,19 +7234,17 @@
</span><span class="cx"> JSValueRegsTemporary result(this);
</span><span class="cx"> regs.append(result.regs());
</span><span class="cx">
</span><del>- int childIndex = 0;
</del><ins>+ Edge& baseEdge = node->child1();
+ SpeculateCellOperand base(this, baseEdge);
+ regs.append(DOMJIT::Value(base.gpr(), m_state.forNode(baseEdge).value()));
</ins><span class="cx">
</span><span class="cx"> Optional<SpeculateCellOperand> globalObject;
</span><span class="cx"> if (patchpoint->requireGlobalObject) {
</span><del>- Edge& globalObjectEdge = m_jit.graph().varArgChild(node, childIndex++);
</del><ins>+ Edge& globalObjectEdge = node->child2();
</ins><span class="cx"> globalObject = SpeculateCellOperand(this, globalObjectEdge);
</span><span class="cx"> regs.append(DOMJIT::Value(globalObject->gpr(), m_state.forNode(globalObjectEdge).value()));
</span><span class="cx"> }
</span><span class="cx">
</span><del>- Edge& baseEdge = m_jit.graph().varArgChild(node, childIndex++);
- SpeculateCellOperand base(this, baseEdge);
- regs.append(DOMJIT::Value(base.gpr(), m_state.forNode(baseEdge).value()));
-
</del><span class="cx"> Vector<GPRTemporary> gpTempraries;
</span><span class="cx"> Vector<FPRTemporary> fpTempraries;
</span><span class="cx"> allocateTemporaryRegistersForPatchpoint(this, gpTempraries, fpTempraries, gpScratch, fpScratch, *patchpoint);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredomjitDOMJITAbstractHeapcppfromrev207786trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/domjit/DOMJITAbstractHeap.cpp (from rev 207786, trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h) (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/domjit/DOMJITAbstractHeap.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/domjit/DOMJITAbstractHeap.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,84 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DOMJITAbstractHeap.h"
+
+#if ENABLE(JIT)
+
+namespace JSC { namespace DOMJIT {
+
+void AbstractHeap::compute(unsigned begin)
+{
+ unsigned current = begin;
+ // Increment the end of the range.
+ if (m_children.isEmpty()) {
+ m_range = HeapRange(begin, current + 1);
+ return;
+ }
+ for (auto& child : m_children) {
+ child->compute(current);
+ current = child->range().end();
+ }
+ ASSERT(begin < UINT16_MAX);
+ ASSERT(current <= UINT16_MAX);
+ m_range = HeapRange(begin, current);
+}
+
+void AbstractHeap::dump(PrintStream& out) const
+{
+ shallowDump(out);
+ if (m_parent)
+ out.print("->", *m_parent);
+}
+
+void AbstractHeap::shallowDump(PrintStream& out) const
+{
+ out.print(m_name, "<", m_range, ">");
+}
+
+void AbstractHeap::deepDump(PrintStream& out, unsigned indent) const
+{
+ auto printIndent = [&] () {
+ for (unsigned i = indent; i--;)
+ out.print(" ");
+ };
+
+ printIndent();
+ shallowDump(out);
+
+ if (m_children.isEmpty()) {
+ out.print("\n");
+ return;
+ }
+
+ out.print(":\n");
+ for (auto* child : m_children)
+ child->deepDump(out, indent + 1);
+}
+
+} }
+
+#endif
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredomjitDOMJITAbstractHeaphfromrev207786trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/domjit/DOMJITAbstractHeap.h (from rev 207786, trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h) (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/domjit/DOMJITAbstractHeap.h (rev 0)
+++ trunk/Source/JavaScriptCore/domjit/DOMJITAbstractHeap.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,70 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "DOMJITHeapRange.h"
+#include <wtf/Vector.h>
+#include <wtf/text/WTFString.h>
+
+#if ENABLE(JIT)
+
+namespace JSC { namespace DOMJIT {
+
+class AbstractHeap {
+public:
+ AbstractHeap(const String& name)
+ : m_name(name)
+ {
+ }
+
+ void setParent(AbstractHeap* parent)
+ {
+ ASSERT(!m_parent);
+ parent->m_children.append(this);
+ m_parent = parent;
+ }
+
+ bool isRoot() const { return !m_parent; }
+
+ JS_EXPORT_PRIVATE void compute(unsigned begin);
+
+ bool isComputed() const { return !!m_range; }
+ HeapRange range() const { return m_range; }
+
+ JS_EXPORT_PRIVATE void dump(PrintStream&) const;
+ JS_EXPORT_PRIVATE void shallowDump(PrintStream&) const;
+ JS_EXPORT_PRIVATE void deepDump(PrintStream&, unsigned indent = 0) const;
+
+private:
+ String m_name;
+ AbstractHeap* m_parent { nullptr };
+ Vector<AbstractHeap*> m_children { };
+ HeapRange m_range;
+};
+
+} }
+
+#endif
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx">
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx">
</span><ins>+#include "DOMJITEffect.h"
</ins><span class="cx"> #include "DOMJITPatchpoint.h"
</span><span class="cx"> #include "RegisterSet.h"
</span><span class="cx">
</span><span class="lines">@@ -45,6 +46,8 @@
</span><span class="cx"> // https://bugs.webkit.org/show_bug.cgi?id=162980
</span><span class="cx"> bool requireGlobalObject { true };
</span><span class="cx">
</span><ins>+ Effect effect { };
+
</ins><span class="cx"> private:
</span><span class="cx"> CallDOMPatchpoint() = default;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredomjitDOMJITEffecthfromrev207786trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/domjit/DOMJITEffect.h (from rev 207786, trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h) (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/domjit/DOMJITEffect.h (rev 0)
+++ trunk/Source/JavaScriptCore/domjit/DOMJITEffect.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,83 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "DOMJITHeapRange.h"
+#include <wtf/Optional.h>
+
+#if ENABLE(JIT)
+
+namespace JSC { namespace DOMJIT {
+
+struct Effect {
+ HeapRange reads { HeapRange::top() };
+ HeapRange writes { HeapRange::top() };
+ Optional<HeapRange> def;
+
+ static Effect forReadWrite(HeapRange readRange, HeapRange writeRange)
+ {
+ Effect effect;
+ effect.reads = readRange;
+ effect.writes = writeRange;
+ return effect;
+ }
+
+ static Effect forPure()
+ {
+ Effect effect;
+ effect.reads = HeapRange::none();
+ effect.writes = HeapRange::none();
+ effect.def = HeapRange::none();
+ return effect;
+ }
+
+ static Effect forDef(HeapRange def)
+ {
+ Effect effect;
+ effect.reads = def;
+ effect.writes = HeapRange::none();
+ effect.def = def;
+ return effect;
+ }
+
+ static Effect forDef(HeapRange def, HeapRange readRange, HeapRange writeRange)
+ {
+ Effect effect;
+ effect.reads = readRange;
+ effect.writes = writeRange;
+ effect.def = def;
+ return effect;
+ }
+
+ bool mustGenerate() const
+ {
+ return !!writes;
+ }
+};
+
+} }
+
+#endif
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredomjitDOMJITHeapRangecppfromrev207786trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/domjit/DOMJITHeapRange.cpp (from rev 207786, trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h) (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/domjit/DOMJITHeapRange.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/domjit/DOMJITHeapRange.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,40 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DOMJITHeapRange.h"
+
+#if ENABLE(JIT)
+
+namespace JSC { namespace DOMJIT {
+
+void HeapRange::dump(PrintStream& out) const
+{
+ out.printf("0x%x-0x%x", static_cast<unsigned>(begin()), static_cast<unsigned>(end()));
+}
+
+} }
+
+#endif
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredomjitDOMJITHeapRangeh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/domjit/DOMJITHeapRange.h (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/domjit/DOMJITHeapRange.h (rev 0)
+++ trunk/Source/JavaScriptCore/domjit/DOMJITHeapRange.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,131 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include <wtf/MathExtras.h>
+#include <wtf/PrintStream.h>
+
+#if ENABLE(JIT)
+
+namespace JSC { namespace DOMJIT {
+
+class HeapRange {
+public:
+ constexpr HeapRange()
+ : m_begin(UINT16_MAX)
+ , m_end(UINT16_MAX)
+ {
+ }
+
+ HeapRange(uint16_t begin, uint16_t end)
+ : m_begin(begin)
+ , m_end(end)
+ {
+ ASSERT_WITH_MESSAGE(begin <= end, "begin <= end is the invariant of this HeapRange.");
+ }
+
+private:
+ enum ConstExprTag { ConstExpr };
+ constexpr HeapRange(ConstExprTag, uint16_t begin, uint16_t end)
+ : m_begin(begin)
+ , m_end(end)
+ {
+ }
+
+ template<uint16_t begin, uint16_t end>
+ static constexpr HeapRange fromConstant()
+ {
+ static_assert(begin <= end, "begin <= end is the invariant of this HeapRange.");
+ return HeapRange(ConstExpr, begin, end);
+ }
+
+public:
+ enum RawRepresentationTag { RawRepresentation };
+ explicit constexpr HeapRange(RawRepresentationTag, uint32_t value)
+ : m_raw(value)
+ {
+ }
+
+ static HeapRange fromRaw(uint32_t value)
+ {
+ return HeapRange(RawRepresentation, value);
+ }
+
+ uint16_t begin() const { return m_begin; }
+ uint16_t end() const { return m_end; }
+ uint32_t rawRepresentation() { return m_raw; }
+
+ explicit operator bool() const
+ {
+ return m_begin != m_end;
+ }
+
+ bool operator==(const HeapRange& other) const
+ {
+ return m_begin == other.m_begin && m_end == other.m_end;
+ }
+
+ static constexpr HeapRange top() { return fromConstant<0, UINT16_MAX>(); }
+ static constexpr HeapRange none() { return fromConstant<UINT16_MAX, UINT16_MAX>(); } // Empty range.
+
+ bool isStrictSubtypeOf(const HeapRange& other) const
+ {
+ if (!*this || !other)
+ return false;
+ if (*this == other)
+ return false;
+ return other.m_begin <= m_begin && m_end <= other.m_end;
+ }
+
+ bool isSubtypeOf(const HeapRange& other) const
+ {
+ if (!*this || !other)
+ return false;
+ if (*this == other)
+ return true;
+ return isStrictSubtypeOf(other);
+ }
+
+ bool overlaps(const HeapRange& other) const
+ {
+ return WTF::rangesOverlap(m_begin, m_end, other.m_begin, other.m_end);
+ }
+
+ JS_EXPORT_PRIVATE void dump(PrintStream&) const;
+
+private:
+ union {
+ struct {
+ uint16_t m_begin;
+ uint16_t m_end;
+ };
+ uint32_t m_raw;
+ };
+};
+
+} }
+
+#endif
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -9064,25 +9064,24 @@
</span><span class="cx">
</span><span class="cx"> void compileCallDOM()
</span><span class="cx"> {
</span><del>- DOMJIT::CallDOMPatchpoint* domJIT = m_node->callDOMPatchpoint();
- int childIndex = 0;
</del><ins>+ DOMJIT::CallDOMPatchpoint* domJIT = m_node->callDOMData()->patchpoint;
</ins><span class="cx">
</span><ins>+ Edge& baseEdge = m_node->child1();
+ LValue base = lowCell(baseEdge);
+ JSValue baseConstant = m_state.forNode(baseEdge).value();
+
</ins><span class="cx"> LValue globalObject;
</span><span class="cx"> JSValue globalObjectConstant;
</span><span class="cx"> if (domJIT->requireGlobalObject) {
</span><del>- Edge& globalObjectEdge = m_graph.varArgChild(m_node, childIndex++);
</del><ins>+ Edge& globalObjectEdge = m_node->child2();
</ins><span class="cx"> globalObject = lowCell(globalObjectEdge);
</span><span class="cx"> globalObjectConstant = m_state.forNode(globalObjectEdge).value();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- Edge& baseEdge = m_graph.varArgChild(m_node, childIndex++);
- LValue base = lowCell(baseEdge);
- JSValue baseConstant = m_state.forNode(baseEdge).value();
-
</del><span class="cx"> PatchpointValue* patchpoint = m_out.patchpoint(Int64);
</span><ins>+ patchpoint->appendSomeRegister(base);
</ins><span class="cx"> if (domJIT->requireGlobalObject)
</span><span class="cx"> patchpoint->appendSomeRegister(globalObject);
</span><del>- patchpoint->appendSomeRegister(base);
</del><span class="cx"> patchpoint->append(m_tagMask, ValueRep::reg(GPRInfo::tagMaskRegister));
</span><span class="cx"> patchpoint->append(m_tagTypeNumber, ValueRep::reg(GPRInfo::tagTypeNumberRegister));
</span><span class="cx"> RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
</span><span class="lines">@@ -9101,11 +9100,10 @@
</span><span class="cx"> Vector<FPRReg> fpScratch;
</span><span class="cx"> Vector<DOMJIT::Value> regs;
</span><span class="cx">
</span><del>- int childIndex = 1;
</del><span class="cx"> regs.append(JSValueRegs(params[0].gpr()));
</span><ins>+ regs.append(DOMJIT::Value(params[1].gpr(), baseConstant));
</ins><span class="cx"> if (domJIT->requireGlobalObject)
</span><del>- regs.append(DOMJIT::Value(params[childIndex++].gpr(), globalObjectConstant));
- regs.append(DOMJIT::Value(params[childIndex++].gpr(), baseConstant));
</del><ins>+ regs.append(DOMJIT::Value(params[2].gpr(), globalObjectConstant));
</ins><span class="cx">
</span><span class="cx"> for (unsigned i = 0; i < domJIT->numGPScratchRegisters; ++i)
</span><span class="cx"> gpScratch.append(params.gpScratch(i));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejsccpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jsc.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jsc.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/JavaScriptCore/jsc.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -733,7 +733,7 @@
</span><span class="cx"> patchpoint->numFPScratchRegisters = 3;
</span><span class="cx"> patchpoint->setGenerator([=](CCallHelpers& jit, DOMJIT::PatchpointParams& params) {
</span><span class="cx"> JSValueRegs results = params[0].jsValueRegs();
</span><del>- GPRReg domGPR = params[2].gpr();
</del><ins>+ GPRReg domGPR = params[1].gpr();
</ins><span class="cx"> for (unsigned i = 0; i < patchpoint->numGPScratchRegisters; ++i)
</span><span class="cx"> jit.move(CCallHelpers::TrustedImm32(42), params.gpScratch(i));
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWTFChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/ChangeLog (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/ChangeLog 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/WTF/ChangeLog 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2016-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
+
+ [DOMJIT] Add a way for DOMJIT::Patchpoint to express effects
+ https://bugs.webkit.org/show_bug.cgi?id=163657
+
+ Reviewed by Saam Barati.
+
+ Simplify nonEmptyRangesOverlap.
+
+ * wtf/MathExtras.h:
+ (WTF::nonEmptyRangesOverlap):
+
</ins><span class="cx"> 2016-10-23 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> Another unreviewed attempt to fix the WatchOS / TvOS build after r207585.
</span></span></pre></div>
<a id="trunkSourceWTFwtfMathExtrash"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/MathExtras.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/MathExtras.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/WTF/wtf/MathExtras.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -444,12 +444,8 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(leftMin < leftMax);
</span><span class="cx"> ASSERT(rightMin < rightMax);
</span><del>-
- if (leftMin <= rightMin && leftMax > rightMin)
- return true;
- if (rightMin <= leftMin && rightMax > leftMin)
- return true;
- return false;
</del><ins>+
+ return leftMax > rightMin && rightMax > leftMin;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Pass ranges with the min being inclusive and the max being exclusive. For example, this should
</span></span></pre></div>
<a id="trunkSourceWebCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/CMakeLists.txt (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/CMakeLists.txt 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/WebCore/CMakeLists.txt 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -1536,6 +1536,7 @@
</span><span class="cx">
</span><span class="cx"> dom/default/PlatformMessagePortChannel.cpp
</span><span class="cx">
</span><ins>+ domjit/DOMJITAbstractHeapRepository.cpp
</ins><span class="cx"> domjit/JSNodeDOMJIT.cpp
</span><span class="cx">
</span><span class="cx"> editing/AlternativeTextController.cpp
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/WebCore/ChangeLog 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -1,3 +1,55 @@
</span><ins>+2016-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
+
+ [DOMJIT] Add a way for DOMJIT::Patchpoint to express effects
+ https://bugs.webkit.org/show_bug.cgi?id=163657
+
+ Reviewed by Saam Barati.
+
+ CallDOMPatchpoint now has the way to tell its effects to DFG and FTL compilers.
+ WebCore DOMJIT::AbstractHeapRepository will construct the hierarchy of the abstract
+ heap. And then it encodes these information into the pairs of the integers.
+
+ And this patch also changes the DOMJIT::PatchpointParams' parameter order.
+ So we change them in all the DOMJIT::CallDOMPatchpoint sites.
+
+ * CMakeLists.txt:
+ * ForwardingHeaders/domjit/DOMJITAbstractHeap.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
+ * ForwardingHeaders/domjit/DOMJITEffect.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
+ * ForwardingHeaders/domjit/DOMJITHeapRange.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
+ * WebCore.xcodeproj/project.pbxproj:
+ * domjit/DOMJITAbstractHeapRepository.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
+ (WebCore::DOMJIT::AbstractHeapRepository::AbstractHeapRepository):
+ (WebCore::DOMJIT::AbstractHeapRepository::instance):
+ * domjit/DOMJITAbstractHeapRepository.h: Copied from Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h.
+ * domjit/DOMJITHelpers.h:
+ (WebCore::DOMJITHelpers::branchIfNotWorldIsNormal): Deleted.
+ (WebCore::DOMJITHelpers::branchIfNotWeakIsLive): Deleted.
+ (WebCore::DOMJITHelpers::tryLookUpWrapperCache): Deleted.
+ (WebCore::DOMJITHelpers::toWrapper): Deleted.
+ (WebCore::DOMJITHelpers::branchIfDOMWrapper): Deleted.
+ (WebCore::DOMJITHelpers::branchIfNotDOMWrapper): Deleted.
+ (WebCore::DOMJITHelpers::branchIfNode): Deleted.
+ (WebCore::DOMJITHelpers::branchIfNotNode): Deleted.
+ (WebCore::DOMJITHelpers::branchIfElement): Deleted.
+ (WebCore::DOMJITHelpers::branchIfNotElement): Deleted.
+ (WebCore::DOMJITHelpers::branchIfDocumentWrapper): Deleted.
+ (WebCore::DOMJITHelpers::branchIfNotDocumentWrapper): Deleted.
+ * domjit/JSNodeDOMJIT.cpp:
+ (WebCore::createCallDOMForOffsetAccess):
+ (WebCore::checkNode):
+ (WebCore::NodeFirstChildDOMJIT::checkDOM):
+ (WebCore::NodeFirstChildDOMJIT::callDOM):
+ (WebCore::NodeLastChildDOMJIT::checkDOM):
+ (WebCore::NodeLastChildDOMJIT::callDOM):
+ (WebCore::NodeNextSiblingDOMJIT::checkDOM):
+ (WebCore::NodeNextSiblingDOMJIT::callDOM):
+ (WebCore::NodePreviousSiblingDOMJIT::checkDOM):
+ (WebCore::NodePreviousSiblingDOMJIT::callDOM):
+ (WebCore::NodeParentNodeDOMJIT::checkDOM):
+ (WebCore::NodeParentNodeDOMJIT::callDOM):
+ (WebCore::NodeNodeTypeDOMJIT::checkDOM):
+ (WebCore::NodeNodeTypeDOMJIT::callDOM):
+
</ins><span class="cx"> 2016-10-24 Dave Hyatt <hyatt@apple.com>
</span><span class="cx">
</span><span class="cx"> [CSS Parser] Fix :lang argument parsing
</span></span></pre></div>
<a id="trunkSourceWebCoreForwardingHeadersdomjitDOMJITAbstractHeaphfromrev207786trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITAbstractHeap.h (from rev 207786, trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h) (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITAbstractHeap.h (rev 0)
+++ trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITAbstractHeap.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef WebCore_FWD_DOMJITAbstractHeap_h
+#define WebCore_FWD_DOMJITAbstractHeap_h
+#include <JavaScriptCore/DOMJITAbstractHeap.h>
+#endif
</ins></span></pre></div>
<a id="trunkSourceWebCoreForwardingHeadersdomjitDOMJITEffecthfromrev207786trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITEffect.h (from rev 207786, trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h) (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITEffect.h (rev 0)
+++ trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITEffect.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef WebCore_FWD_DOMJITEffect_h
+#define WebCore_FWD_DOMJITEffect_h
+#include <JavaScriptCore/DOMJITEffect.h>
+#endif
</ins></span></pre></div>
<a id="trunkSourceWebCoreForwardingHeadersdomjitDOMJITHeapRangehfromrev207786trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITHeapRange.h (from rev 207786, trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h) (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITHeapRange.h (rev 0)
+++ trunk/Source/WebCore/ForwardingHeaders/domjit/DOMJITHeapRange.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef WebCore_FWD_DOMJITHeapRange_h
+#define WebCore_FWD_DOMJITHeapRange_h
+#include <JavaScriptCore/DOMJITHeapRange.h>
+#endif
</ins></span></pre></div>
<a id="trunkSourceWebCoreWebCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -6167,6 +6167,8 @@
</span><span class="cx"> E1FF8F6D180DB5BE00132674 /* CryptoAlgorithmRegistry.h in Headers */ = {isa = PBXBuildFile; fileRef = E1FF8F6B180DB5BE00132674 /* CryptoAlgorithmRegistry.h */; };
</span><span class="cx"> E3150EA61DA7219000194012 /* JSNodeDOMJIT.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E3AFA9641DA6E908002861BD /* JSNodeDOMJIT.cpp */; };
</span><span class="cx"> E3150EA71DA7219300194012 /* DOMJITHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = E3150EA51DA7218D00194012 /* DOMJITHelpers.h */; };
</span><ins>+ E35CA14D1DBC3A3F00F83516 /* DOMJITAbstractHeapRepository.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E35CA14B1DBC3A3C00F83516 /* DOMJITAbstractHeapRepository.cpp */; };
+ E35CA14E1DBC3A4200F83516 /* DOMJITAbstractHeapRepository.h in Headers */ = {isa = PBXBuildFile; fileRef = E35CA14C1DBC3A3C00F83516 /* DOMJITAbstractHeapRepository.h */; };
</ins><span class="cx"> E377FE4D1DADE16500CDD025 /* NodeConstants.h in Headers */ = {isa = PBXBuildFile; fileRef = E3D049931DADC04500718F3C /* NodeConstants.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> E38838981BAD145F00D62EE3 /* ScriptModuleLoader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E38838941BAD145F00D62EE3 /* ScriptModuleLoader.cpp */; };
</span><span class="cx"> E38838991BAD145F00D62EE3 /* ScriptModuleLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = E38838951BAD145F00D62EE3 /* ScriptModuleLoader.h */; };
</span><span class="lines">@@ -13948,6 +13950,8 @@
</span><span class="cx"> E1FF8F6A180DB5BE00132674 /* CryptoAlgorithmRegistry.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CryptoAlgorithmRegistry.cpp; sourceTree = "<group>"; };
</span><span class="cx"> E1FF8F6B180DB5BE00132674 /* CryptoAlgorithmRegistry.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptoAlgorithmRegistry.h; sourceTree = "<group>"; };
</span><span class="cx"> E3150EA51DA7218D00194012 /* DOMJITHelpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITHelpers.h; sourceTree = "<group>"; };
</span><ins>+ E35CA14B1DBC3A3C00F83516 /* DOMJITAbstractHeapRepository.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITAbstractHeapRepository.cpp; sourceTree = "<group>"; };
+ E35CA14C1DBC3A3C00F83516 /* DOMJITAbstractHeapRepository.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITAbstractHeapRepository.h; sourceTree = "<group>"; };
</ins><span class="cx"> E38838941BAD145F00D62EE3 /* ScriptModuleLoader.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ScriptModuleLoader.cpp; sourceTree = "<group>"; };
</span><span class="cx"> E38838951BAD145F00D62EE3 /* ScriptModuleLoader.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ScriptModuleLoader.h; sourceTree = "<group>"; };
</span><span class="cx"> E3AFA9641DA6E908002861BD /* JSNodeDOMJIT.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSNodeDOMJIT.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -22683,6 +22687,8 @@
</span><span class="cx"> E3AFA9631DA6E8AF002861BD /* domjit */ = {
</span><span class="cx"> isa = PBXGroup;
</span><span class="cx"> children = (
</span><ins>+ E35CA14B1DBC3A3C00F83516 /* DOMJITAbstractHeapRepository.cpp */,
+ E35CA14C1DBC3A3C00F83516 /* DOMJITAbstractHeapRepository.h */,
</ins><span class="cx"> E3150EA51DA7218D00194012 /* DOMJITHelpers.h */,
</span><span class="cx"> E3AFA9641DA6E908002861BD /* JSNodeDOMJIT.cpp */,
</span><span class="cx"> );
</span><span class="lines">@@ -26621,6 +26627,7 @@
</span><span class="cx"> 439046E812DA25E800AF80A2 /* RenderMathMLScripts.h in Headers */,
</span><span class="cx"> 439046EC12DA25E800AF80A9 /* RenderMathMLToken.h in Headers */,
</span><span class="cx"> 439046EA12DA25E800AF80A2 /* RenderMathMLUnderOver.h in Headers */,
</span><ins>+ E35CA14E1DBC3A4200F83516 /* DOMJITAbstractHeapRepository.h in Headers */,
</ins><span class="cx"> E4C279590CF9741900E97B98 /* RenderMedia.h in Headers */,
</span><span class="cx"> DEBCCDD216646E8200A452E1 /* RenderMediaControlElements.h in Headers */,
</span><span class="cx"> 41FA303F1316C29C00C0BFC5 /* RenderMediaControls.h in Headers */,
</span><span class="lines">@@ -28722,6 +28729,7 @@
</span><span class="cx"> B2C3DA620D006CD600EF6F26 /* FontCache.cpp in Sources */,
</span><span class="cx"> 1C3969D01B74211E002BCFA7 /* FontCacheCoreText.cpp in Sources */,
</span><span class="cx"> 3727DFD5142AAE4500D449CB /* FontCacheIOS.mm in Sources */,
</span><ins>+ E35CA14D1DBC3A3F00F83516 /* DOMJITAbstractHeapRepository.cpp in Sources */,
</ins><span class="cx"> B2AFFC7C0D00A5C10030074D /* FontCacheMac.mm in Sources */,
</span><span class="cx"> B2C3DA600D006CD600EF6F26 /* FontCascade.cpp in Sources */,
</span><span class="cx"> B2AFFC800D00A5C10030074D /* FontCascadeCocoa.mm in Sources */,
</span></span></pre></div>
<a id="trunkSourceWebCoredomjitDOMJITAbstractHeapRepositorycppfromrev207786trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/WebCore/domjit/DOMJITAbstractHeapRepository.cpp (from rev 207786, trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h) (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/domjit/DOMJITAbstractHeapRepository.cpp (rev 0)
+++ trunk/Source/WebCore/domjit/DOMJITAbstractHeapRepository.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,70 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DOMJITAbstractHeapRepository.h"
+
+#include <domjit/DOMJITAbstractHeap.h>
+#include <wtf/DataLog.h>
+#include <wtf/NeverDestroyed.h>
+
+#if ENABLE(JIT)
+
+namespace WebCore { namespace DOMJIT {
+
+static const bool verbose = false;
+
+AbstractHeapRepository::AbstractHeapRepository()
+{
+ JSC::DOMJIT::AbstractHeap DOMHeap("DOM");
+#define DOMJIT_DEFINE_HEAP(name, parent) JSC::DOMJIT::AbstractHeap name##Heap(#name);
+ DOMJIT_ABSTRACT_HEAP_LIST(DOMJIT_DEFINE_HEAP)
+#undef DOMJIT_DEFINE_HEAP
+
+#define DOMJIT_INITIALIZE_HEAP(name, parent) name##Heap.setParent(&parent##Heap);
+ DOMJIT_ABSTRACT_HEAP_LIST(DOMJIT_INITIALIZE_HEAP)
+#undef DOMJIT_INITIALIZE_HEAP
+
+ DOMHeap.compute(0);
+
+#define DOMJIT_INITIALIZE_MEMBER(name, parent) name = name##Heap.range();
+ DOMJIT_ABSTRACT_HEAP_LIST(DOMJIT_INITIALIZE_MEMBER)
+#undef DOMJIT_INITIALIZE_MEMBER
+
+ if (verbose) {
+ dataLog("DOMJIT Heap Repository:\n");
+ DOMHeap.deepDump(WTF::dataFile());
+ }
+}
+
+const AbstractHeapRepository& AbstractHeapRepository::instance()
+{
+ static NeverDestroyed<AbstractHeapRepository> repository;
+ return repository.get();
+}
+
+} }
+
+#endif
</ins></span></pre></div>
<a id="trunkSourceWebCoredomjitDOMJITAbstractHeapRepositoryhfromrev207786trunkSourceJavaScriptCoredomjitDOMJITCallDOMPatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/WebCore/domjit/DOMJITAbstractHeapRepository.h (from rev 207786, trunk/Source/JavaScriptCore/domjit/DOMJITCallDOMPatchpoint.h) (0 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/domjit/DOMJITAbstractHeapRepository.h (rev 0)
+++ trunk/Source/WebCore/domjit/DOMJITAbstractHeapRepository.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -0,0 +1,65 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include <domjit/DOMJITHeapRange.h>
+#include <wtf/NeverDestroyed.h>
+#include <wtf/Noncopyable.h>
+
+#if ENABLE(JIT)
+
+namespace WebCore { namespace DOMJIT {
+
+// Describe your abstract heap hierarchy here.
+// V(AbstractHeapName, Parent)
+#define DOMJIT_ABSTRACT_HEAP_LIST(V) \
+ V(Node, DOM) \
+ V(Node_firstChild, Node) \
+ V(Node_lastChild, Node) \
+ V(Node_parentNode, Node) \
+ V(Node_nextSibling, Node) \
+ V(Node_previousSibling, Node) \
+
+
+class AbstractHeapRepository {
+WTF_MAKE_NONCOPYABLE(AbstractHeapRepository);
+public:
+ friend class NeverDestroyed<AbstractHeapRepository>;
+ static const AbstractHeapRepository& instance();
+
+ JSC::DOMJIT::HeapRange DOM;
+
+#define DOMJIT_DEFINE_MEMBER(name, parent) JSC::DOMJIT::HeapRange name;
+ DOMJIT_ABSTRACT_HEAP_LIST(DOMJIT_DEFINE_MEMBER)
+#undef DOMJIT_DEFINE_MEMBER
+
+private:
+ AbstractHeapRepository();
+};
+
+} }
+
+#endif
</ins></span></pre></div>
<a id="trunkSourceWebCoredomjitDOMJITHelpersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/domjit/DOMJITHelpers.h (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/domjit/DOMJITHelpers.h 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/WebCore/domjit/DOMJITHelpers.h 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -32,8 +32,7 @@
</span><span class="cx">
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx">
</span><del>-namespace WebCore {
-namespace DOMJITHelpers {
</del><ins>+namespace WebCore { namespace DOMJIT {
</ins><span class="cx">
</span><span class="cx"> using JSC::CCallHelpers;
</span><span class="cx"> using JSC::GPRReg;
</span></span></pre></div>
<a id="trunkSourceWebCoredomjitJSNodeDOMJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp (207786 => 207787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp 2016-10-24 23:12:15 UTC (rev 207786)
+++ trunk/Source/WebCore/domjit/JSNodeDOMJIT.cpp 2016-10-24 23:34:32 UTC (rev 207787)
</span><span class="lines">@@ -28,6 +28,7 @@
</span><span class="cx">
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx">
</span><ins>+#include "DOMJITAbstractHeapRepository.h"
</ins><span class="cx"> #include "DOMJITHelpers.h"
</span><span class="cx"> #include "JSDOMWrapper.h"
</span><span class="cx"> #include "Node.h"
</span><span class="lines">@@ -52,15 +53,16 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename WrappedNode>
</span><del>-static Ref<DOMJIT::CallDOMPatchpoint> createCallDOMForOffsetAccess(ptrdiff_t offset, IsContainerGuardRequirement isContainerGuardRequirement)
</del><ins>+static Ref<JSC::DOMJIT::CallDOMPatchpoint> createCallDOMForOffsetAccess(ptrdiff_t offset, IsContainerGuardRequirement isContainerGuardRequirement)
</ins><span class="cx"> {
</span><del>- Ref<DOMJIT::CallDOMPatchpoint> patchpoint = DOMJIT::CallDOMPatchpoint::create();
</del><ins>+ Ref<JSC::DOMJIT::CallDOMPatchpoint> patchpoint = JSC::DOMJIT::CallDOMPatchpoint::create();
</ins><span class="cx"> patchpoint->numGPScratchRegisters = 1;
</span><del>- patchpoint->setGenerator([=](CCallHelpers& jit, DOMJIT::PatchpointParams& params) {
</del><ins>+ patchpoint->setGenerator([=](CCallHelpers& jit, JSC::DOMJIT::PatchpointParams& params) {
</ins><span class="cx"> JSValueRegs result = params[0].jsValueRegs();
</span><del>- GPRReg globalObject = params[1].gpr();
- GPRReg node = params[2].gpr();
</del><ins>+ GPRReg node = params[1].gpr();
+ GPRReg globalObject = params[2].gpr();
</ins><span class="cx"> GPRReg scratch = params.gpScratch(0);
</span><ins>+ JSValue globalObjectValue = params[2].value();
</ins><span class="cx">
</span><span class="cx"> CCallHelpers::JumpList nullCases;
</span><span class="cx"> // Load a wrapped object. "node" should be already type checked by CheckDOM.
</span><span class="lines">@@ -72,7 +74,7 @@
</span><span class="cx"> jit.loadPtr(CCallHelpers::Address(scratch, offset), scratch);
</span><span class="cx"> nullCases.append(jit.branchTestPtr(CCallHelpers::Zero, scratch));
</span><span class="cx">
</span><del>- DOMJITHelpers::toWrapper<WrappedNode>(jit, params, scratch, globalObject, result, toWrapperSlow<WrappedNode>, params[1].value());
</del><ins>+ DOMJIT::toWrapper<WrappedNode>(jit, params, scratch, globalObject, result, toWrapperSlow<WrappedNode>, globalObjectValue);
</ins><span class="cx"> CCallHelpers::Jump done = jit.jump();
</span><span class="cx">
</span><span class="cx"> nullCases.link(&jit);
</span><span class="lines">@@ -83,12 +85,12 @@
</span><span class="cx"> return patchpoint;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static Ref<DOMJIT::Patchpoint> checkNode()
</del><ins>+static Ref<JSC::DOMJIT::Patchpoint> checkNode()
</ins><span class="cx"> {
</span><del>- Ref<DOMJIT::Patchpoint> patchpoint = DOMJIT::Patchpoint::create();
- patchpoint->setGenerator([=](CCallHelpers& jit, DOMJIT::PatchpointParams& params) {
</del><ins>+ Ref<JSC::DOMJIT::Patchpoint> patchpoint = JSC::DOMJIT::Patchpoint::create();
+ patchpoint->setGenerator([=](CCallHelpers& jit, JSC::DOMJIT::PatchpointParams& params) {
</ins><span class="cx"> CCallHelpers::JumpList failureCases;
</span><del>- failureCases.append(DOMJITHelpers::branchIfNotNode(jit, params[0].gpr()));
</del><ins>+ failureCases.append(DOMJIT::branchIfNotNode(jit, params[0].gpr()));
</ins><span class="cx"> return failureCases;
</span><span class="cx"> });
</span><span class="cx"> return patchpoint;
</span><span class="lines">@@ -95,71 +97,87 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Node#firstChild.
</span><del>-Ref<DOMJIT::Patchpoint> NodeFirstChildDOMJIT::checkDOM()
</del><ins>+Ref<JSC::DOMJIT::Patchpoint> NodeFirstChildDOMJIT::checkDOM()
</ins><span class="cx"> {
</span><span class="cx"> return checkNode();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Ref<DOMJIT::CallDOMPatchpoint> NodeFirstChildDOMJIT::callDOM()
</del><ins>+Ref<JSC::DOMJIT::CallDOMPatchpoint> NodeFirstChildDOMJIT::callDOM()
</ins><span class="cx"> {
</span><del>- return createCallDOMForOffsetAccess<Node>(CAST_OFFSET(Node*, ContainerNode*) + ContainerNode::firstChildMemoryOffset(), IsContainerGuardRequirement::Required);
</del><ins>+ const auto& heap = DOMJIT::AbstractHeapRepository::instance();
+ auto patchpoint = createCallDOMForOffsetAccess<Node>(CAST_OFFSET(Node*, ContainerNode*) + ContainerNode::firstChildMemoryOffset(), IsContainerGuardRequirement::Required);
+ patchpoint->effect = JSC::DOMJIT::Effect::forDef(heap.Node_firstChild);
+ return patchpoint;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Node#lastChild.
</span><del>-Ref<DOMJIT::Patchpoint> NodeLastChildDOMJIT::checkDOM()
</del><ins>+Ref<JSC::DOMJIT::Patchpoint> NodeLastChildDOMJIT::checkDOM()
</ins><span class="cx"> {
</span><span class="cx"> return checkNode();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Ref<DOMJIT::CallDOMPatchpoint> NodeLastChildDOMJIT::callDOM()
</del><ins>+Ref<JSC::DOMJIT::CallDOMPatchpoint> NodeLastChildDOMJIT::callDOM()
</ins><span class="cx"> {
</span><del>- return createCallDOMForOffsetAccess<Node>(CAST_OFFSET(Node*, ContainerNode*) + ContainerNode::lastChildMemoryOffset(), IsContainerGuardRequirement::Required);
</del><ins>+ const auto& heap = DOMJIT::AbstractHeapRepository::instance();
+ auto patchpoint = createCallDOMForOffsetAccess<Node>(CAST_OFFSET(Node*, ContainerNode*) + ContainerNode::lastChildMemoryOffset(), IsContainerGuardRequirement::Required);
+ patchpoint->effect = JSC::DOMJIT::Effect::forDef(heap.Node_lastChild);
+ return patchpoint;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Node#nextSibling.
</span><del>-Ref<DOMJIT::Patchpoint> NodeNextSiblingDOMJIT::checkDOM()
</del><ins>+Ref<JSC::DOMJIT::Patchpoint> NodeNextSiblingDOMJIT::checkDOM()
</ins><span class="cx"> {
</span><span class="cx"> return checkNode();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Ref<DOMJIT::CallDOMPatchpoint> NodeNextSiblingDOMJIT::callDOM()
</del><ins>+Ref<JSC::DOMJIT::CallDOMPatchpoint> NodeNextSiblingDOMJIT::callDOM()
</ins><span class="cx"> {
</span><del>- return createCallDOMForOffsetAccess<Node>(Node::nextSiblingMemoryOffset(), IsContainerGuardRequirement::NotRequired);
</del><ins>+ const auto& heap = DOMJIT::AbstractHeapRepository::instance();
+ auto patchpoint = createCallDOMForOffsetAccess<Node>(Node::nextSiblingMemoryOffset(), IsContainerGuardRequirement::NotRequired);
+ patchpoint->effect = JSC::DOMJIT::Effect::forDef(heap.Node_nextSibling);
+ return patchpoint;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Node#previousSibling.
</span><del>-Ref<DOMJIT::Patchpoint> NodePreviousSiblingDOMJIT::checkDOM()
</del><ins>+Ref<JSC::DOMJIT::Patchpoint> NodePreviousSiblingDOMJIT::checkDOM()
</ins><span class="cx"> {
</span><span class="cx"> return checkNode();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Ref<DOMJIT::CallDOMPatchpoint> NodePreviousSiblingDOMJIT::callDOM()
</del><ins>+Ref<JSC::DOMJIT::CallDOMPatchpoint> NodePreviousSiblingDOMJIT::callDOM()
</ins><span class="cx"> {
</span><del>- return createCallDOMForOffsetAccess<Node>(Node::previousSiblingMemoryOffset(), IsContainerGuardRequirement::NotRequired);
</del><ins>+ const auto& heap = DOMJIT::AbstractHeapRepository::instance();
+ auto patchpoint = createCallDOMForOffsetAccess<Node>(Node::previousSiblingMemoryOffset(), IsContainerGuardRequirement::NotRequired);
+ patchpoint->effect = JSC::DOMJIT::Effect::forDef(heap.Node_previousSibling);
+ return patchpoint;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Node#parentNode.
</span><del>-Ref<DOMJIT::Patchpoint> NodeParentNodeDOMJIT::checkDOM()
</del><ins>+Ref<JSC::DOMJIT::Patchpoint> NodeParentNodeDOMJIT::checkDOM()
</ins><span class="cx"> {
</span><span class="cx"> return checkNode();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Ref<DOMJIT::CallDOMPatchpoint> NodeParentNodeDOMJIT::callDOM()
</del><ins>+Ref<JSC::DOMJIT::CallDOMPatchpoint> NodeParentNodeDOMJIT::callDOM()
</ins><span class="cx"> {
</span><del>- return createCallDOMForOffsetAccess<ContainerNode>(Node::parentNodeMemoryOffset(), IsContainerGuardRequirement::NotRequired);
</del><ins>+ const auto& heap = DOMJIT::AbstractHeapRepository::instance();
+ auto patchpoint = createCallDOMForOffsetAccess<ContainerNode>(Node::parentNodeMemoryOffset(), IsContainerGuardRequirement::NotRequired);
+ patchpoint->effect = JSC::DOMJIT::Effect::forDef(heap.Node_parentNode);
+ return patchpoint;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Node#nodeType.
</span><del>-Ref<DOMJIT::Patchpoint> NodeNodeTypeDOMJIT::checkDOM()
</del><ins>+Ref<JSC::DOMJIT::Patchpoint> NodeNodeTypeDOMJIT::checkDOM()
</ins><span class="cx"> {
</span><span class="cx"> return checkNode();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Ref<DOMJIT::CallDOMPatchpoint> NodeNodeTypeDOMJIT::callDOM()
</del><ins>+Ref<JSC::DOMJIT::CallDOMPatchpoint> NodeNodeTypeDOMJIT::callDOM()
</ins><span class="cx"> {
</span><del>- Ref<DOMJIT::CallDOMPatchpoint> patchpoint = DOMJIT::CallDOMPatchpoint::create();
</del><ins>+ Ref<JSC::DOMJIT::CallDOMPatchpoint> patchpoint = JSC::DOMJIT::CallDOMPatchpoint::create();
+ patchpoint->effect = JSC::DOMJIT::Effect::forPure();
</ins><span class="cx"> patchpoint->requireGlobalObject = false;
</span><del>- patchpoint->setGenerator([=](CCallHelpers& jit, DOMJIT::PatchpointParams& params) {
</del><ins>+ patchpoint->setGenerator([=](CCallHelpers& jit, JSC::DOMJIT::PatchpointParams& params) {
</ins><span class="cx"> JSValueRegs result = params[0].jsValueRegs();
</span><span class="cx"> GPRReg node = params[1].gpr();
</span><span class="cx"> jit.load8(CCallHelpers::Address(node, JSC::JSCell::typeInfoTypeOffset()), result.payloadGPR());
</span></span></pre>
</div>
</div>
</body>
</html>