[webkit-changes] [189409] trunk/Tools
Title: [189409] trunk/Tools Revision 189409 Author basile_clem...@apple.com Date 2015-09-04 17:46:06 -0700 (Fri, 04 Sep 2015) Log Message Unreviewed, change my email address. * Scripts/webkitpy/common/config/contributors.json: Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/webkitpy/common/config/contributors.json Diff Modified: trunk/Tools/ChangeLog (189408 => 189409) --- trunk/Tools/ChangeLog 2015-09-05 00:34:08 UTC (rev 189408) +++ trunk/Tools/ChangeLog 2015-09-05 00:46:06 UTC (rev 189409) @@ -1,3 +1,9 @@ +2015-09-04 Basile Clement + +Unreviewed, change my email address. + +* Scripts/webkitpy/common/config/contributors.json: + 2015-09-04 Beth Dakin Should have a test to make sure links don't navigate after a cancelled force Modified: trunk/Tools/Scripts/webkitpy/common/config/contributors.json (189408 => 189409) --- trunk/Tools/Scripts/webkitpy/common/config/contributors.json 2015-09-05 00:34:08 UTC (rev 189408) +++ trunk/Tools/Scripts/webkitpy/common/config/contributors.json 2015-09-05 00:46:06 UTC (rev 189409) @@ -350,7 +350,7 @@ }, "Basile Clement" : { "emails" : [ -"basile_clem...@apple.com" +"cbasile06+web...@gmail.com" ], "nicks" : [ "elarnon" ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
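Review bot: The contributors.json hunk replaces the only entry in the "emails" array instead of appending the new address, so the apple.com address that authored this commit (see the Author field above) and the earlier ones on this page no longer maps to the contributor entry. Consider keeping both addresses, the new one first, unless the contributor tooling is known to handle commit authors that are absent from the file.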
[webkit-changes] [189398] trunk/Source/JavaScriptCore
Title: [189398] trunk/Source/_javascript_Core Revision 189398 Author basile_clem...@apple.com Date 2015-09-04 16:21:25 -0700 (Fri, 04 Sep 2015) Log Message Fix debug output for an eval call https://bugs.webkit.org/show_bug.cgi?id=148839 Reviewed by Filip Pizlo. * jit/ThunkGenerators.cpp: (JSC::virtualThunkFor): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189397 => 189398) --- trunk/Source/_javascript_Core/ChangeLog 2015-09-04 23:07:22 UTC (rev 189397) +++ trunk/Source/_javascript_Core/ChangeLog 2015-09-04 23:21:25 UTC (rev 189398) @@ -1,3 +1,13 @@ +2015-09-04 Basile Clement + +Fix debug output for an eval call +https://bugs.webkit.org/show_bug.cgi?id=148839 + +Reviewed by Filip Pizlo. + +* jit/ThunkGenerators.cpp: +(JSC::virtualThunkFor): + 2015-09-04 Sukolsak Sakshuwong Implement the signed division instruction in WebAssembly Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (189397 => 189398) --- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2015-09-04 23:07:22 UTC (rev 189397) +++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2015-09-04 23:21:25 UTC (rev 189398) @@ -194,10 +194,9 @@ LinkBuffer patchBuffer(*vm, jit, GLOBAL_THUNK_ID); return FINALIZE_CODE( patchBuffer, -("Virtual %s%s slow path thunk at CodePtr(%p)", +("Virtual %s%s slow path thunk", callLinkInfo.specializationKind() == CodeForCall ? "call" : "construct", -callLinkInfo.registerPreservationMode() == MustPreserveRegisters ? " that preserves registers" : "", -callLinkInfo.callReturnLocation().dataLocation())); +callLinkInfo.registerPreservationMode() == MustPreserveRegisters ? " that preserves registers" : "")); } enum ThunkEntryType { EnterViaCall, EnterViaJump }; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
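Review bot: The ThunkGenerators.cpp hunk drops the "CodePtr(%p)" part of the thunk name together with the callLinkInfo.callReturnLocation().dataLocation() argument, but the ChangeLog entry does not say why that fixes the debug output for an eval call; a one-line rationale in the ChangeLog would help future readers. The format string and its argument list do stay in sync after the change, which is the main thing to check on a hunk like this, and a side effect worth stating is that the thunk's debug name no longer embeds a JIT code address.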
[webkit-changes] [189376] trunk/Source/JavaScriptCore
Title: [189376] trunk/Source/_javascript_Core Revision 189376 Author basile_clem...@apple.com Date 2015-09-04 13:09:43 -0700 (Fri, 04 Sep 2015) Log Message Unreviewed, add missing copyright to file from r189336 * bytecompiler/SetForScope.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecompiler/SetForScope.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189375 => 189376) --- trunk/Source/_javascript_Core/ChangeLog 2015-09-04 20:00:22 UTC (rev 189375) +++ trunk/Source/_javascript_Core/ChangeLog 2015-09-04 20:09:43 UTC (rev 189376) @@ -1,3 +1,9 @@ +2015-09-04 Basile Clement + +Unreviewed, add missing copyright to file from r189336 + +* bytecompiler/SetForScope.h: + 2015-09-04 Brian Burg Web Inspector: InspectorController should support multiple frontend channels Modified: trunk/Source/_javascript_Core/bytecompiler/SetForScope.h (189375 => 189376) --- trunk/Source/_javascript_Core/bytecompiler/SetForScope.h 2015-09-04 20:00:22 UTC (rev 189375) +++ trunk/Source/_javascript_Core/bytecompiler/SetForScope.h 2015-09-04 20:09:43 UTC (rev 189376) 
@@ -1,3 +1,28 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + #ifndef SetForScope_h #define SetForScope_h ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [189362] trunk/Source/JavaScriptCore
Title: [189362] trunk/Source/_javascript_Core Revision 189362 Author basile_clem...@apple.com Date 2015-09-04 11:24:38 -0700 (Fri, 04 Sep 2015) Log Message Get rid of FTLValueFormat https://bugs.webkit.org/show_bug.cgi?id=148448 Reviewed by Michael Saboff. FTL::ValueFormat is nothing more than DataFormat (and is actually slightly less). Let's get rid of it. * CMakeLists.txt: * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: * bytecode/DataFormat.cpp: Renamed from Source/_javascript_Core/ftl/FTLValueFormat.h. (WTF::printInternal): * bytecode/DataFormat.h: * ftl/FTLAvailableRecovery.h: (JSC::FTL::AvailableRecovery::AvailableRecovery): (JSC::FTL::AvailableRecovery::format): * ftl/FTLExitArgument.h: (JSC::FTL::ExitArgument::ExitArgument): (JSC::FTL::ExitArgument::operator!): (JSC::FTL::ExitArgument::format): (JSC::FTL::ExitArgument::withFormat): * ftl/FTLExitValue.cpp: (JSC::FTL::ExitValue::dataFormat): * ftl/FTLExitValue.h: (JSC::FTL::ExitValue::recovery): (JSC::FTL::ExitValue::recoveryFormat): * ftl/FTLFormattedValue.h: (JSC::FTL::FormattedValue::FormattedValue): (JSC::FTL::FormattedValue::operator!): (JSC::FTL::FormattedValue::format): (JSC::FTL::int32Value): (JSC::FTL::booleanValue): (JSC::FTL::jsValueValue): (JSC::FTL::doubleValue): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub): (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint): (JSC::FTL::DFG::LowerDFGToLLVM::convertDoubleToInt32): (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode): (JSC::FTL::DFG::LowerDFGToLLVM::exitArgument): (JSC::FTL::DFG::LowerDFGToLLVM::addAvailableRecovery): * ftl/FTLOSRExit.cpp: (JSC::FTL::OSRExit::OSRExit): * ftl/FTLOSRExit.h: * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::reboxAccordingToFormat): (JSC::FTL::compileRecovery): (JSC::FTL::compileStub): * ftl/FTLValueFormat.cpp: Removed. 
Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/bytecode/DataFormat.h trunk/Source/_javascript_Core/ftl/FTLAvailableRecovery.h trunk/Source/_javascript_Core/ftl/FTLExitArgument.h trunk/Source/_javascript_Core/ftl/FTLExitValue.cpp trunk/Source/_javascript_Core/ftl/FTLExitValue.h trunk/Source/_javascript_Core/ftl/FTLFormattedValue.h trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp trunk/Source/_javascript_Core/ftl/FTLOSRExit.cpp trunk/Source/_javascript_Core/ftl/FTLOSRExit.h trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp Added Paths trunk/Source/_javascript_Core/bytecode/DataFormat.cpp Removed Paths trunk/Source/_javascript_Core/ftl/FTLValueFormat.cpp trunk/Source/_javascript_Core/ftl/FTLValueFormat.h Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (189361 => 189362) --- trunk/Source/_javascript_Core/CMakeLists.txt 2015-09-04 18:22:27 UTC (rev 189361) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2015-09-04 18:24:38 UTC (rev 189362) @@ -87,6 +87,7 @@ bytecode/CodeOrigin.cpp bytecode/CodeType.cpp bytecode/ComplexGetStatus.cpp +bytecode/DataFormat.cpp bytecode/DFGExitProfile.cpp bytecode/DeferredCompilationCallback.cpp bytecode/DeferredSourceDump.cpp @@ -908,7 +909,6 @@ ftl/FTLState.cpp ftl/FTLThunks.cpp ftl/FTLUnwindInfo.cpp -ftl/FTLValueFormat.cpp ftl/FTLValueRange.cpp llvm/InitializeLLVM.cpp Modified: trunk/Source/_javascript_Core/ChangeLog (189361 => 189362) --- trunk/Source/_javascript_Core/ChangeLog 2015-09-04 18:22:27 UTC (rev 189361) +++ trunk/Source/_javascript_Core/ChangeLog 2015-09-04 18:24:38 UTC (rev 189362) 
@@ -1,3 +1,57 @@ +2015-08-25 Basile Clement + +Get rid of FTLValueFormat +https://bugs.webkit.org/show_bug.cgi?id=148448 + +Reviewed by Michael Saboff. + +FTL::ValueFormat is nothing more than DataFormat (and is actually +slightly less). Let's get rid of it. + +* CMakeLists.txt: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: +* _javascript_Core.xcodeproj/project.pbxproj: +* bytecode/DataFormat.cpp: Renamed from Source/_javascript_Core/ftl/FTLValueFormat.h. +(WTF::printInternal): +* bytecode/DataFormat.h: +* ftl/FTLAvailableRecovery.h: +(JSC::FTL::AvailableRecovery::AvailableRecovery): +(JSC::FTL::AvailableRecovery::format): +* ftl/FTLExitArgument.h: +(JSC::FTL::ExitArgument::ExitArgument): +(JSC::FTL::ExitArgument::operator!): +(JSC::FTL::ExitArgument::format): +(JSC::FTL::ExitArgument::withFormat
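Review bot: In the ChangeLog hunk the entry for bytecode/DataFormat.cpp says "Renamed from Source/_javascript_Core/ftl/FTLValueFormat.h", while the Removed Paths list above shows both FTLValueFormat.cpp and FTLValueFormat.h going away and the entry's last line marks ftl/FTLValueFormat.cpp as Removed; a .cpp renamed from a .h looks like the source and header were swapped in the entry, so please double-check which file is the rename source. Two smaller points: the entry is dated 2015-08-25 while the commit is dated 2015-09-04, and in the CMakeLists.txt hunk bytecode/DataFormat.cpp is inserted before bytecode/DFGExitProfile.cpp, which breaks the ASCII ordering the surrounding list uses (DFGExitProfile sorts before DataFormat, which sorts before DeferredCompilationCallback).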
[webkit-changes] [189361] trunk/Source/JavaScriptCore
Title: [189361] trunk/Source/_javascript_Core Revision 189361 Author basile_clem...@apple.com Date 2015-09-04 11:22:27 -0700 (Fri, 04 Sep 2015) Log Message Introduce RegisterMap https://bugs.webkit.org/show_bug.cgi?id=148335 Reviewed by Michael Saboff. Introduce RegisterMap, GPRMap and FPRMap dense mappings for Reg, GPRReg and FPRReg. * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: * jit/RegisterMap.h: Added. (JSC::RegisterMap::operator[]): (JSC::GPRMap::operator[]): (JSC::FPRMap::operator[]): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj Added Paths trunk/Source/_javascript_Core/jit/RegisterMap.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189360 => 189361) --- trunk/Source/_javascript_Core/ChangeLog 2015-09-04 18:14:58 UTC (rev 189360) +++ trunk/Source/_javascript_Core/ChangeLog 2015-09-04 18:22:27 UTC (rev 189361) 
@@ -1,3 +1,21 @@ +2015-09-04 Basile Clement + +Introduce RegisterMap +https://bugs.webkit.org/show_bug.cgi?id=148335 + +Reviewed by Michael Saboff. + +Introduce RegisterMap, GPRMap and FPRMap dense mappings for +Reg, GPRReg and FPRReg. + +* _javascript_Core.vcxproj/_javascript_Core.vcxproj: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: +* _javascript_Core.xcodeproj/project.pbxproj: +* jit/RegisterMap.h: Added. +(JSC::RegisterMap::operator[]): +(JSC::GPRMap::operator[]): +(JSC::FPRMap::operator[]): + 2015-09-04 Andreas Kling Remove some unused functions from MarkedBlock and MarkedSpace. Modified: trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj (189360 => 189361) --- trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-09-04 18:14:58 UTC (rev 189360) +++ trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-09-04 18:22:27 UTC (rev 189361) @@ -1446,6 +1446,7 @@ + Modified: trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters (189360 => 189361) --- trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-09-04 18:14:58 UTC (rev 189360) +++ trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-09-04 18:22:27 UTC (rev 189361) @@ -3961,6 +3961,9 @@ jit + + jit + jit Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (189360 => 189361) --- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-09-04 18:14:58 UTC (rev 189360) +++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-09-04 18:22:27 UTC (rev 189361) 
@@ -977,6 +977,7 @@ 5DBB151B131D0B310056AD36 /* testapi.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 14D857740A4696C80032146C /* testapi.js */; }; 5DBB1525131D0BD70056AD36 /* minidom.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 1412110D0A48788700480255 /* minidom.js */; }; 5DE6E5B30E1728EC00180407 /* create_hash_table in Headers */ = {isa = PBXBuildFile; fileRef = F692A8540255597D01FF60F7 /* create_hash_table */; settings = {ATTRIBUTES = (); }; }; + 623A37EC1B87A7C000754209 /* RegisterMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 623A37EB1B87A7BD00754209 /* RegisterMap.h */; }; 62D2D38F1ADF103F000206C1 /* FunctionRareData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62D2D38D1ADF103F000206C1 /* FunctionRareData.cpp */; }; 62D2D3901ADF103F000206C1 /* FunctionRareData.h in Headers */ = {isa = PBXBuildFile; fileRef = 62D2D38E1ADF103F000206C1 /* FunctionRareData.h */; settings = {ATTRIBUTES = (Private, ); }; }; 62F2AA371B0BEDE300610C7A /* DFGLazyNode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62A9A29E1B0BED4800BD54CA /* DFGLazyNode.cpp */; }; @@ -2778,6 +2779,7 @@ 5DAFD6CB146B686300FBEFB4 /* JSC.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = JSC.xcconfig; sourceTree = ""; }; 5DDDF44614FEE72200B4FB4D /* LLIntDesiredOffsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntDesiredOffsets.h; path = LLIntOffsets/LLIntDesiredOffsets.h; sourceTree = BUILT_PRODUCTS_DIR; }; 5DE3D0F40DD8DDFB00468714 /* WebKitAvailability.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebKitAvailability.h; sourceTree = ""; }; + 623A37EB1B87A7BD00754209 /* RegisterMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastK
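Review bot: The ChangeLog hunk lists only operator[] for RegisterMap, GPRMap and FPRMap, and the new jit/RegisterMap.h itself is not shown in this diff, so the indexing contract is undocumented here: what the "dense mapping" does when indexed with an unset Reg (the Reg::isSet() and operator! checks are visible in the r189351 diff further down this page) and whether indexing is bounds-checked should be stated in the header or in the ChangeLog entry.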
[webkit-changes] [189357] trunk/Source/JavaScriptCore
Title: [189357] trunk/Source/_javascript_Core Revision 189357 Author basile_clem...@apple.com Date 2015-09-04 11:00:24 -0700 (Fri, 04 Sep 2015) Log Message Make a bunch of MacroAssembler operations constexpr https://bugs.webkit.org/show_bug.cgi?id=148334 Reviewed by Saam Barati. This is in preparation of https://bugs.webkit.org/show_bug.cgi?id=148335 . * assembler/ARM64Assembler.h: (JSC::ARM64Registers::isSp): (JSC::ARM64Registers::isZr): (JSC::ARM64Assembler::firstRegister): (JSC::ARM64Assembler::lastRegister): (JSC::ARM64Assembler::firstFPRegister): (JSC::ARM64Assembler::lastFPRegister): (JSC::ARM64Assembler::isSp): (JSC::ARM64Assembler::isZr): * assembler/ARMAssembler.h: (JSC::ARMAssembler::firstRegister): (JSC::ARMAssembler::lastRegister): (JSC::ARMAssembler::firstFPRegister): (JSC::ARMAssembler::lastFPRegister): * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::firstRegister): (JSC::AbstractMacroAssembler::lastRegister): (JSC::AbstractMacroAssembler::firstFPRegister): (JSC::AbstractMacroAssembler::lastFPRegister): * assembler/MIPSAssembler.h: (JSC::MIPSAssembler::firstRegister): (JSC::MIPSAssembler::lastRegister): (JSC::MIPSAssembler::firstFPRegister): (JSC::MIPSAssembler::lastFPRegister): * assembler/MacroAssembler.h: (JSC::MacroAssembler::nextRegister): (JSC::MacroAssembler::nextFPRegister): (JSC::MacroAssembler::numberOfRegisters): (JSC::MacroAssembler::registerIndex): (JSC::MacroAssembler::numberOfFPRegisters): (JSC::MacroAssembler::fpRegisterIndex): (JSC::MacroAssembler::totalNumberOfRegisters): * assembler/SH4Assembler.h: (JSC::SH4Assembler::firstRegister): (JSC::SH4Assembler::lastRegister): (JSC::SH4Assembler::firstFPRegister): (JSC::SH4Assembler::lastFPRegister): * assembler/X86Assembler.h: (JSC::X86Assembler::firstRegister): (JSC::X86Assembler::lastRegister): (JSC::X86Assembler::firstFPRegister): (JSC::X86Assembler::lastFPRegister): Modified Paths trunk/Source/_javascript_Core/ChangeLog 
trunk/Source/_javascript_Core/assembler/ARM64Assembler.h trunk/Source/_javascript_Core/assembler/ARMAssembler.h trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h trunk/Source/_javascript_Core/assembler/MIPSAssembler.h trunk/Source/_javascript_Core/assembler/MacroAssembler.h trunk/Source/_javascript_Core/assembler/SH4Assembler.h trunk/Source/_javascript_Core/assembler/X86Assembler.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189356 => 189357) --- trunk/Source/_javascript_Core/ChangeLog 2015-09-04 17:43:49 UTC (rev 189356) +++ trunk/Source/_javascript_Core/ChangeLog 2015-09-04 18:00:24 UTC (rev 189357) 
@@ -1,3 +1,55 @@ +2015-09-04 Basile Clement + +Make a bunch of MacroAssembler operations constexpr +https://bugs.webkit.org/show_bug.cgi?id=148334 + +Reviewed by Saam Barati. + +This is in preparation of https://bugs.webkit.org/show_bug.cgi?id=148335 . + +* assembler/ARM64Assembler.h: +(JSC::ARM64Registers::isSp): +(JSC::ARM64Registers::isZr): +(JSC::ARM64Assembler::firstRegister): +(JSC::ARM64Assembler::lastRegister): +(JSC::ARM64Assembler::firstFPRegister): +(JSC::ARM64Assembler::lastFPRegister): +(JSC::ARM64Assembler::isSp): +(JSC::ARM64Assembler::isZr): +* assembler/ARMAssembler.h: +(JSC::ARMAssembler::firstRegister): +(JSC::ARMAssembler::lastRegister): +(JSC::ARMAssembler::firstFPRegister): +(JSC::ARMAssembler::lastFPRegister): +* assembler/AbstractMacroAssembler.h: +(JSC::AbstractMacroAssembler::firstRegister): +(JSC::AbstractMacroAssembler::lastRegister): +(JSC::AbstractMacroAssembler::firstFPRegister): +(JSC::AbstractMacroAssembler::lastFPRegister): +* assembler/MIPSAssembler.h: +(JSC::MIPSAssembler::firstRegister): +(JSC::MIPSAssembler::lastRegister): +(JSC::MIPSAssembler::firstFPRegister): +(JSC::MIPSAssembler::lastFPRegister): +* assembler/MacroAssembler.h: +(JSC::MacroAssembler::nextRegister): +(JSC::MacroAssembler::nextFPRegister): +(JSC::MacroAssembler::numberOfRegisters): +(JSC::MacroAssembler::registerIndex): +(JSC::MacroAssembler::numberOfFPRegisters): +(JSC::MacroAssembler::fpRegisterIndex): +(JSC::MacroAssembler::totalNumberOfRegisters): +* assembler/SH4Assembler.h: +(JSC::SH4Assembler::firstRegister): +(JSC::SH4Assembler::lastRegister): +(JSC::SH4Assembler::firstFPRegister): +(JSC::SH4Assembler::lastFPRegister): +* assembler/X86Assembler.h: +(JSC::X86Assembler::firstRegister): +(JSC::X86Assembler::lastRegister): +(JSC::X86Assembler::firstFPRegister): +(JSC::X86Assembler::lastFPRegister): + 2015-08-24 Basile Clement Add a bunch of operators Modified: trunk/Source/_javascript_Core/assembler/ARM64Assembler.h (189356 => 189357) --- 
trunk/Source/_javas
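Review bot: The ChangeLog hunk lists every function made constexpr but gives no rationale beyond "in preparation of" bug 148335; since that bug introduces RegisterMap (r189361 above, "dense mappings for Reg, GPRReg and FPRReg"), a sentence saying that firstRegister, lastRegister, numberOfRegisters and registerIndex must be usable in constant expressions for that mapping would explain why the change has to touch every backend assembler header.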
[webkit-changes] [189351] trunk/Source/JavaScriptCore
Title: [189351] trunk/Source/_javascript_Core Revision 189351 Author basile_clem...@apple.com Date 2015-09-04 09:39:31 -0700 (Fri, 04 Sep 2015) Log Message Add a bunch of operators https://bugs.webkit.org/show_bug.cgi?id=148337 Reviewed by Saam Barati. * jit/GPRInfo.h: (JSC::JSValueRegs::operator bool): (JSC::JSValueRegs::operator==): (JSC::JSValueRegs::operator!=): (JSC::JSValueSource::operator bool): (JSC::JSValueRegs::operator!): (JSC::JSValueSource::operator!): * jit/Reg.h: (JSC::Reg::operator bool): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/GPRInfo.h trunk/Source/_javascript_Core/jit/Reg.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189350 => 189351) --- trunk/Source/_javascript_Core/ChangeLog 2015-09-04 16:32:34 UTC (rev 189350) +++ trunk/Source/_javascript_Core/ChangeLog 2015-09-04 16:39:31 UTC (rev 189351) @@ -1,3 +1,20 @@ +2015-08-24 Basile Clement + +Add a bunch of operators +https://bugs.webkit.org/show_bug.cgi?id=148337 + +Reviewed by Saam Barati. + +* jit/GPRInfo.h: +(JSC::JSValueRegs::operator bool): +(JSC::JSValueRegs::operator==): +(JSC::JSValueRegs::operator!=): +(JSC::JSValueSource::operator bool): +(JSC::JSValueRegs::operator!): +(JSC::JSValueSource::operator!): +* jit/Reg.h: +(JSC::Reg::operator bool): + 2015-09-04 Basile Clement Since r189341, es6.yaml/es6/arrow_functions_no_prototype_property.js is expected to succeed Modified: trunk/Source/_javascript_Core/jit/GPRInfo.h (189350 => 189351) --- trunk/Source/_javascript_Core/jit/GPRInfo.h 2015-09-04 16:32:34 UTC (rev 189350) +++ trunk/Source/_javascript_Core/jit/GPRInfo.h 2015-09-04 16:39:31 UTC (rev 189351) 
@@ -65,6 +65,10 @@ } bool operator!() const { return m_gpr == InvalidGPRReg; } +explicit operator bool() const { return m_gpr != InvalidGPRReg; } + +bool operator==(JSValueRegs other) { return m_gpr == other.m_gpr; } +bool operator!=(JSValueRegs other) { return !(*this == other); } GPRReg gpr() const { return m_gpr; } GPRReg tagGPR() const { return InvalidGPRReg; } @@ -110,6 +114,7 @@ } bool operator!() const { return m_base == InvalidGPRReg; } +explicit operator bool() const { return m_base != InvalidGPRReg; } bool isAddress() const { return m_offset != notAddress(); } @@ -166,11 +171,19 @@ return JSValueRegs(InvalidGPRReg, gpr); } -bool operator!() const +bool operator!() const { return !static_cast(*this); } +explicit operator bool() const { -return static_cast(m_tagGPR) == InvalidGPRReg -&& static_cast(m_payloadGPR) == InvalidGPRReg; +return static_cast(m_tagGPR) != InvalidGPRReg +|| static_cast(m_payloadGPR) != InvalidGPRReg; } + +bool operator==(JSValueRegs other) const +{ +return m_tagGPR == other.m_tagGPR +&& m_payloadGPR == other.m_payloadGPR; +} +bool operator!=(JSValueRegs other) const { return !(*this == other); } GPRReg tagGPR() const { return static_cast(m_tagGPR); } GPRReg payloadGPR() const { return static_cast(m_payloadGPR); } @@ -238,11 +251,12 @@ result.m_tagType = static_cast(JSValue::CellTag); return result; } - -bool operator!() const + +bool operator!() const { return !static_cast(*this); } +explicit operator bool() const { -return static_cast(m_baseOrTag) == InvalidGPRReg -&& static_cast(m_payload) == InvalidGPRReg; +return static_cast(m_baseOrTag) != InvalidGPRReg +|| static_cast(m_payload) != InvalidGPRReg; } bool isAddress() const Modified: trunk/Source/_javascript_Core/jit/Reg.h (189350 => 189351) --- trunk/Source/_javascript_Core/jit/Reg.h 2015-09-04 16:32:34 UTC (rev 189350) +++ trunk/Source/_javascript_Core/jit/Reg.h 2015-09-04 16:39:31 UTC (rev 189351) 
@@ -101,6 +101,7 @@ bool isSet() const { return m_index != invalid(); } bool operator!() const { return !isSet(); } +explicit operator bool() const { return isSet(); } bool isGPR() const { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
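Review bot: In the GPRInfo.h hunk at "@@ -65,6 +65,10 @@" the new operator== and operator!= on the single-register JSValueRegs are not const-qualified, while the counterparts added in the "@@ -166,11 +171,19 @@" hunk are const; make the first pair const as well, otherwise comparing two const JSValueRegs compiles on the 32_64 build but not on the 64-bit one. Note also that the template arguments of the static_cast calls (the bool in "!static_cast<bool>(*this)", for instance) have been stripped in this mailing-list rendering, so "static_cast(*this)" in the hunk should not be read literally, and the "@@ -238,11 +251,12 @@" hunk carries a whitespace-only change to the blank line before operator! that could be left out of a functional patch.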
[webkit-changes] [189350] trunk/Source/JavaScriptCore
Title: [189350] trunk/Source/_javascript_Core Revision 189350 Author basile_clem...@apple.com Date 2015-09-04 09:32:34 -0700 (Fri, 04 Sep 2015) Log Message Since r189341, es6.yaml/es6/arrow_functions_no_prototype_property.js is expected to succeed Rubber stamped by Michael Saboff. * tests/es6.yaml: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/tests/es6.yaml Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189349 => 189350) --- trunk/Source/_javascript_Core/ChangeLog 2015-09-04 16:31:55 UTC (rev 189349) +++ trunk/Source/_javascript_Core/ChangeLog 2015-09-04 16:32:34 UTC (rev 189350) @@ -1,3 +1,11 @@ +2015-09-04 Basile Clement + +Since r189341, es6.yaml/es6/arrow_functions_no_prototype_property.js is expected to succeed + +Rubber stamped by Michael Saboff. + +* tests/es6.yaml: + 2015-09-04 Csaba Osztrogonác [ARM] Fix the ARM Traditional build after r189288 Modified: trunk/Source/_javascript_Core/tests/es6.yaml (189349 => 189350) --- trunk/Source/_javascript_Core/tests/es6.yaml 2015-09-04 16:31:55 UTC (rev 189349) +++ trunk/Source/_javascript_Core/tests/es6.yaml 2015-09-04 16:32:34 UTC (rev 189350) @@ -719,7 +719,7 @@ - path: es6/arrow_functions_lexical_super_binding.js cmd: runES6 :fail - path: es6/arrow_functions_no_prototype_property.js - cmd: runES6 :fail + cmd: runES6 :normal - path: es6/block-level_function_declaration.js cmd: runES6 :fail - path: es6/class_class_name_is_lexically_scoped.js ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [189336] trunk/Source/JavaScriptCore
Title: [189336] trunk/Source/_javascript_Core Revision 189336 Author basile_clem...@apple.com Date 2015-09-03 20:05:46 -0700 (Thu, 03 Sep 2015) Log Message [ES6] Recognize calls in tail position https://bugs.webkit.org/show_bug.cgi?id=148665 Reviewed by Saam Barati. This patch adds the capability for the bytecode generator to recognize and dispatch tail calls, as per ES6 spec: http://www.ecma-international.org/ecma-262/6.0/#sec-isintailposition This does not change the generated bytecode, but merely provides the hook for generating tail calls in subsequent patches toward https://bugs.webkit.org/show_bug.cgi?id=146477 * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::emitCallInTailPosition): (JSC::BytecodeGenerator::emitCallVarargsInTailPosition): * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitNode): (JSC::BytecodeGenerator::emitNodeInTailPosition): * bytecompiler/NodesCodegen.cpp: (JSC::FunctionCallValueNode::emitBytecode): (JSC::FunctionCallResolveNode::emitBytecode): (JSC::FunctionCallBracketNode::emitBytecode): (JSC::FunctionCallDotNode::emitBytecode): (JSC::CallFunctionCallDotNode::emitBytecode): (JSC::ApplyFunctionCallDotNode::emitBytecode): (JSC::LogicalOpNode::emitBytecode): (JSC::ConditionalNode::emitBytecode): (JSC::CommaNode::emitBytecode): (JSC::SourceElements::emitBytecode): (JSC::IfElseNode::emitBytecode): (JSC::DoWhileNode::emitBytecode): (JSC::WhileNode::emitBytecode): (JSC::ForNode::emitBytecode): (JSC::ReturnNode::emitBytecode): (JSC::WithNode::emitBytecode): (JSC::TryNode::emitBytecode): * bytecompiler/SetForScope.h: Added. 
(JSC::SetForScope::SetForScope): (JSC::SetForScope::~SetForScope): * runtime/Options.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp trunk/Source/_javascript_Core/runtime/Options.h Added Paths trunk/Source/_javascript_Core/bytecompiler/SetForScope.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189335 => 189336) --- trunk/Source/_javascript_Core/ChangeLog 2015-09-04 02:43:41 UTC (rev 189335) +++ trunk/Source/_javascript_Core/ChangeLog 2015-09-04 03:05:46 UTC (rev 189336) 
@@ -1,3 +1,48 @@ +2015-09-03 Basile Clement + +[ES6] Recognize calls in tail position +https://bugs.webkit.org/show_bug.cgi?id=148665 + +Reviewed by Saam Barati. + +This patch adds the capability for the bytecode generator to recognize +and dispatch tail calls, as per ES6 spec: +http://www.ecma-international.org/ecma-262/6.0/#sec-isintailposition + +This does not change the generated bytecode, but merely provides the +hook for generating tail calls in subsequent patches toward +https://bugs.webkit.org/show_bug.cgi?id=146477 + +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::BytecodeGenerator): +(JSC::BytecodeGenerator::emitCallInTailPosition): +(JSC::BytecodeGenerator::emitCallVarargsInTailPosition): +* bytecompiler/BytecodeGenerator.h: +(JSC::BytecodeGenerator::emitNode): +(JSC::BytecodeGenerator::emitNodeInTailPosition): +* bytecompiler/NodesCodegen.cpp: +(JSC::FunctionCallValueNode::emitBytecode): +(JSC::FunctionCallResolveNode::emitBytecode): +(JSC::FunctionCallBracketNode::emitBytecode): +(JSC::FunctionCallDotNode::emitBytecode): +(JSC::CallFunctionCallDotNode::emitBytecode): +(JSC::ApplyFunctionCallDotNode::emitBytecode): +(JSC::LogicalOpNode::emitBytecode): +(JSC::ConditionalNode::emitBytecode): +(JSC::CommaNode::emitBytecode): +(JSC::SourceElements::emitBytecode): +(JSC::IfElseNode::emitBytecode): +(JSC::DoWhileNode::emitBytecode): +(JSC::WhileNode::emitBytecode): +(JSC::ForNode::emitBytecode): +(JSC::ReturnNode::emitBytecode): +(JSC::WithNode::emitBytecode): +(JSC::TryNode::emitBytecode): +* bytecompiler/SetForScope.h: Added. 
+(JSC::SetForScope::SetForScope): +(JSC::SetForScope::~SetForScope): +* runtime/Options.h: + 2015-08-11 Basile Clement Add more strict mode tests Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (189335 => 189336) --- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2015-09-04 02:43:41 UTC (rev 189335) +++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2015-09-04 03:05:46 UTC (rev 189336) @@ -191,6 +191,7 @@ , m_vm(&vm) , m_isBuiltinFunction(codeBlock->isBuiltinFunction()) , m_usesNonStrictEval(codeBlock->usesEval() && !codeBlock->isStrictMode()) +, m_inTailPosition(Options::enableTailCalls() && constructorKind() == ConstructorKind::None && isStrictMode())
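Review bot: In the BytecodeGenerator.cpp hunk the new initializer m_inTailPosition(Options::enableTailCalls() && constructorKind() == ConstructorKind::None && isStrictMode()) calls member functions from the initializer list, whereas the line just above reads codeBlock->isStrictMode() from the constructor parameter; member functions called at this point only see the members already initialized in declaration order, so either read codeBlock->isStrictMode() (and the constructor kind) directly from the parameter as the previous line does, or add a comment naming the members these accessors depend on and confirming they are initialized earlier. The condition itself matches the spec section linked in the ChangeLog (IsInTailPosition is false outside strict code) and additionally excludes constructors, which the ChangeLog could state explicitly.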
[webkit-changes] [189325] trunk/Source/JavaScriptCore
Title: [189325] trunk/Source/_javascript_Core Revision 189325 Author basile_clem...@apple.com Date 2015-09-03 17:25:19 -0700 (Thu, 03 Sep 2015) Log Message _javascript_ functions should restore the stack pointer after a call https://bugs.webkit.org/show_bug.cgi?id=148659 Reviewed by Michael Saboff. This patch makes it so that the various places where we are making a JS-to-JS call restore the stack pointer afterwards. This allows us to no longer rely on the stack pointer still being valid after a call, and is a prerequisite for getting rid of the arity fixup return thunk. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateDataSection): * ftl/FTLInlineCacheSize.cpp: (JSC::FTL::sizeOfCall): * ftl/FTLJSCall.cpp: (JSC::FTL::JSCall::emit): * ftl/FTLJSCall.h: * ftl/FTLStackMaps.h: (JSC::FTL::StackMaps::stackSizeForLocals): * jit/Repatch.cpp: (JSC::generateByIdStub): * tests/stress/tail-call-in-inline-cache.js: Added. (tail): (obj.get x): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLCompile.cpp trunk/Source/_javascript_Core/ftl/FTLInlineCacheSize.cpp trunk/Source/_javascript_Core/ftl/FTLJSCall.cpp trunk/Source/_javascript_Core/ftl/FTLJSCall.h trunk/Source/_javascript_Core/ftl/FTLStackMaps.h trunk/Source/_javascript_Core/jit/Repatch.cpp Added Paths trunk/Source/_javascript_Core/tests/stress/tail-call-in-inline-cache.js Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189324 => 189325) --- trunk/Source/_javascript_Core/ChangeLog 2015-09-04 00:09:00 UTC (rev 189324) +++ trunk/Source/_javascript_Core/ChangeLog 2015-09-04 00:25:19 UTC (rev 189325) 
@@ -1,3 +1,34 @@ +2015-09-03 Basile Clement + +_javascript_ functions should restore the stack pointer after a call +https://bugs.webkit.org/show_bug.cgi?id=148659 + +Reviewed by Michael Saboff. + +This patch makes it so that the various places where we are making a +JS-to-JS call restore the stack pointer afterwards. This allows us to +no longer rely on the stack pointer still being valid after a call, and +is a prerequisite for getting rid of the arity fixup return thunk. + +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): +* ftl/FTLCompile.cpp: +(JSC::FTL::mmAllocateDataSection): +* ftl/FTLInlineCacheSize.cpp: +(JSC::FTL::sizeOfCall): +* ftl/FTLJSCall.cpp: +(JSC::FTL::JSCall::emit): +* ftl/FTLJSCall.h: +* ftl/FTLStackMaps.h: +(JSC::FTL::StackMaps::stackSizeForLocals): +* jit/Repatch.cpp: +(JSC::generateByIdStub): +* tests/stress/tail-call-in-inline-cache.js: Added. +(tail): +(obj.get x): + 2015-09-03 Filip Pizlo StructureStubInfo should be able to reset itself without going through CodeBlock Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (189324 => 189325) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2015-09-04 00:09:00 UTC (rev 189324) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2015-09-04 00:25:19 UTC (rev 189325) 
@@ -821,9 +821,10 @@ info->setUpCall(callType, node->origin.semantic, calleePayloadGPR); m_jit.addJSCall(fastCall, slowCall, targetToCheck, info); -// If we were varargs, then after the calls are done, we need to reestablish our stack pointer. -if (isVarargs || isForwardVarargs) -m_jit.addPtr(TrustedImm32(m_jit.graph().stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, JITCompiler::stackPointerRegister); +// After the calls are done, we need to reestablish our stack +// pointer. We rely on this for varargs calls, calls with arity +// mismatch (the callframe is slided) and tail calls. +m_jit.addPtr(TrustedImm32(m_jit.graph().stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, JITCompiler::stackPointerRegister); } template Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (189324 => 189325) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2015-09-04 00:09:00 UTC (rev 189324) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2015-09-04 00:25:19 UTC (rev 189325) @@ -776,10 +776,11 @@ callLinkInfo->setUpCall(callType, m_currentNode->origin.semantic, calleeGPR); m_jit.addJSCall(fastCall, slowCall, targetToCheck, callLinkInfo); - -// If we were varargs, then after the calls are done, we need to reestablish our stack pointer. -if (isVarargs || isForwardVarargs) -m_jit.addPtr(TrustedImm32(m_jit.graph
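Review bot: in the DFGSpeculativeJIT32_64.cpp emitCall hunk, the new comment says "the callframe is slided"; the past participle is "slid", and the comment would earn its place if it named arity fixup as what slides the frame, since that is the non-obvious case the now-unconditional restore covers. Dropping the `if (isVarargs || isForwardVarargs)` guard is the right invariant: a caller should never assume the callee left the stack pointer where it was once arity fixup or a tail call can reshape the frame. The DFGSpeculativeJIT64.cpp hunk is cut off on this page after `m_jit.addPtr(TrustedImm32(m_jit.graph`; check that it is the identical one-line change, and that the FTL sites in the ChangeLog (FTLJSCall::emit, sizeOfCall, stackSizeForLocals) account for the extra instruction in the inline-cache size constants, which is presumably why FTLInlineCacheSize.cpp is in the Modified Paths.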
[webkit-changes] [189194] trunk/Source/JavaScriptCore
Title: [189194] trunk/Source/_javascript_Core Revision 189194 Author basile_clem...@apple.com Date 2015-08-31 16:30:10 -0700 (Mon, 31 Aug 2015) Log Message Unreviewed, build fix after r189292 * bytecode/ValueRecovery.h: (JSC::ValueRecovery::jsValueRegs): Deleted. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/ValueRecovery.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189193 => 189194) --- trunk/Source/_javascript_Core/ChangeLog 2015-08-31 23:27:20 UTC (rev 189193) +++ trunk/Source/_javascript_Core/ChangeLog 2015-08-31 23:30:10 UTC (rev 189194) @@ -1,3 +1,10 @@ +2015-08-31 Basile Clement + +Unreviewed, build fix after r189292 + +* bytecode/ValueRecovery.h: +(JSC::ValueRecovery::jsValueRegs): Deleted. + 2015-08-24 Basile Clement ValueRecovery should distinguish between doubles in an FPR and JSValues in an FPR Modified: trunk/Source/_javascript_Core/bytecode/ValueRecovery.h (189193 => 189194) --- trunk/Source/_javascript_Core/bytecode/ValueRecovery.h 2015-08-31 23:27:20 UTC (rev 189193) +++ trunk/Source/_javascript_Core/bytecode/ValueRecovery.h 2015-08-31 23:30:10 UTC (rev 189194) @@ -300,23 +300,11 @@ { return m_technique == InPair; } - -JSValueRegs jsValueRegs() const -{ -ASSERT(isInJSValueRegs()); -return JSValueRegs(tagGPR(), payloadGPR()); -} #else bool isInJSValueRegs() const { return isInGPR(); } - -JSValueRegs jsValueRegs() const -{ -ASSERT(isInGPR()); -return JSValueRegs(gpr()); -} #endif MacroAssembler::FPRegisterID fpr() const
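Review bot: the ChangeLog hunk says "build fix after r189292", but r189292 is a later revision than this commit (r189194), and the jsValueRegs() accessors being deleted were introduced by r189192, the next entry on this page, whose own ChangeLog lists (JSC::ValueRecovery::jsValueRegs); the reference should read r189192 so the history stays followable.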
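Review bot: in the ValueRecovery.h hunk, both jsValueRegs() overloads are deleted outright rather than fixed, which is fine for a build fix only if no caller exists; note that the two overloads asserted different predicates (isInJSValueRegs() under USE(JSVALUE32_64), isInGPR() otherwise) even though the 64-bit isInJSValueRegs() is defined as isInGPR() two lines above, so if the accessor is brought back it should assert isInJSValueRegs() on both sides.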
[webkit-changes] [189192] trunk/Source/JavaScriptCore
Title: [189192] trunk/Source/_javascript_Core Revision 189192 Author basile_clem...@apple.com Date 2015-08-31 16:13:13 -0700 (Mon, 31 Aug 2015) Log Message ValueRecovery should distinguish between doubles in an FPR and JSValues in an FPR https://bugs.webkit.org/show_bug.cgi?id=148336 Reviewed by Michael Saboff. Currently, ValueRecovery::InFPR means "this is a *double* value in an FPR". Let's change the semantics to be "this is a *JSValue* in an FPR" (to match ValueRecovery::InGPR), and introduce ValueRecovery::UnboxedDoubleInFPR to mean "this is a double value in an FPR". * bytecode/ValueRecovery.cpp: (JSC::ValueRecovery::dumpInContext): * bytecode/ValueRecovery.h: (JSC::ValueRecovery::operator bool): (JSC::ValueRecovery::inFPR): (JSC::ValueRecovery::isInGPR): (JSC::ValueRecovery::isInFPR): (JSC::ValueRecovery::isInRegisters): (JSC::ValueRecovery::isInJSStack): (JSC::ValueRecovery::dataFormat): (JSC::ValueRecovery::gpr): (JSC::ValueRecovery::isInJSValueRegs): (JSC::ValueRecovery::jsValueRegs): (JSC::ValueRecovery::fpr): (JSC::ValueRecovery::virtualRegister): (JSC::ValueRecovery::constant): * dfg/DFGOSRExitCompiler32_64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGVariableEventStream.cpp: (JSC::DFG::VariableEventStream::reconstruct): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/ValueRecovery.cpp trunk/Source/_javascript_Core/bytecode/ValueRecovery.h trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp trunk/Source/_javascript_Core/dfg/DFGVariableEventStream.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (189191 => 189192) --- trunk/Source/_javascript_Core/ChangeLog 2015-08-31 22:53:50 UTC (rev 189191) +++ trunk/Source/_javascript_Core/ChangeLog 2015-08-31 23:13:13 UTC (rev 189192) 
@@ -1,3 +1,39 @@ +2015-08-24 Basile Clement + +ValueRecovery should distinguish between doubles in an FPR and JSValues in an FPR +https://bugs.webkit.org/show_bug.cgi?id=148336 + +Reviewed by Michael Saboff. + +Currently, ValueRecovery::InFPR means "this is a *double* value in an +FPR". Let's change the semantics to be "this is a *JSValue* in an FPR" +(to match ValueRecovery::InGPR), and introduce +ValueRecovery::UnboxedDoubleInFPR to mean "this is a double value in an +FPR". + +* bytecode/ValueRecovery.cpp: +(JSC::ValueRecovery::dumpInContext): +* bytecode/ValueRecovery.h: +(JSC::ValueRecovery::operator bool): +(JSC::ValueRecovery::inFPR): +(JSC::ValueRecovery::isInGPR): +(JSC::ValueRecovery::isInFPR): +(JSC::ValueRecovery::isInRegisters): +(JSC::ValueRecovery::isInJSStack): +(JSC::ValueRecovery::dataFormat): +(JSC::ValueRecovery::gpr): +(JSC::ValueRecovery::isInJSValueRegs): +(JSC::ValueRecovery::jsValueRegs): +(JSC::ValueRecovery::fpr): +(JSC::ValueRecovery::virtualRegister): +(JSC::ValueRecovery::constant): +* dfg/DFGOSRExitCompiler32_64.cpp: +(JSC::DFG::OSRExitCompiler::compileExit): +* dfg/DFGOSRExitCompiler64.cpp: +(JSC::DFG::OSRExitCompiler::compileExit): +* dfg/DFGVariableEventStream.cpp: +(JSC::DFG::VariableEventStream::reconstruct): + 2015-08-31 Chris Dumez NodeFilter.SHOW_ALL has wrong value on 32-bit Modified: trunk/Source/_javascript_Core/bytecode/ValueRecovery.cpp (189191 => 189192) --- trunk/Source/_javascript_Core/bytecode/ValueRecovery.cpp 2015-08-31 22:53:50 UTC (rev 189191) +++ trunk/Source/_javascript_Core/bytecode/ValueRecovery.cpp 2015-08-31 23:13:13 UTC (rev 189192) 
@@ -86,6 +86,9 @@ case InFPR: out.print(fpr()); return; +case UnboxedDoubleInFPR: +out.print("double(", fpr(), ")"); +return; #if USE(JSVALUE32_64) case InPair: out.print("pair(", tagGPR(), ", ", payloadGPR(), ")"); Modified: trunk/Source/_javascript_Core/bytecode/ValueRecovery.h (189191 => 189192) --- trunk/Source/_javascript_Core/bytecode/ValueRecovery.h 2015-08-31 22:53:50 UTC (rev 189191) +++ trunk/Source/_javascript_Core/bytecode/ValueRecovery.h 2015-08-31 23:13:13 UTC (rev 189192) @@ -55,6 +55,7 @@ InPair, #endif InFPR, +UnboxedDoubleInFPR, // It's in the stack, but at a different location. DisplacedInJSStack, // It's in the stack, at a different location, and it's unboxed. @@ -82,6 +83,7 @@ bool isSet() const { return m_technique != DontKnow; } bool operator!() const { return !isSet(); } +explicit operator bool() const { return isSet(); } static ValueRecovery inGPR(MacroAssembler::RegisterID gpr, DataFormat dataFormat) { @@ -117,10 +119,14 @@ } #endif -static ValueRecovery inFPR(MacroAssembler::FPRegisterID fpr) +
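Review bot: the ChangeLog hunk is dated 2015-08-24 while the revision landed on 2015-08-31 (the surrounding entries, including the Chris Dumez one below it, carry 2015-08-31); the entry date should be the landing date, otherwise it sorts under the wrong day and the r189194 follow-up, whose context line shows this same 2015-08-24 header, looks like it precedes a week of unrelated commits.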
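Review bot: in the ValueRecovery.h hunk, inserting UnboxedDoubleInFPR after InFPR changes the meaning of an existing enumerator (InFPR now means a boxed JSValue) rather than only adding a new one, so every switch on m_technique and every isInFPR() caller needs to be re-audited, not just the OSR exit compilers and VariableEventStream listed in the ChangeLog; the dumpInContext hunk in ValueRecovery.cpp handles printing, but any remaining switch with a default branch would silently rebox a raw double as a JSValue on OSR exit instead of failing to compile. The added `explicit operator bool()` next to the existing `operator!()` is the right shape; explicit is what keeps a ValueRecovery from converting in arithmetic or comparison contexts.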
[webkit-changes] [189061] branches/jsc-tailcall/Source/JavaScriptCore
Title: [189061] branches/jsc-tailcall/Source/_javascript_Core Revision 189061 Author basile_clem...@apple.com Date 2015-08-27 15:31:04 -0700 (Thu, 27 Aug 2015) Log Message Unreviewed, revert r189049 which should never have been committed. * _javascript_Core.xcodeproj/project.pbxproj: * bytecode/ValueRecovery.h: (JSC::ValueRecovery::inGPR): Deleted. * dfg/DFGNode.h: (JSC::DFG::Node::targetBytecodeOffsetDuringParsing): Deleted. (JSC::DFG::Node::targetBlock): Deleted. (JSC::DFG::Node::branchData): Deleted. * dfg/DFGTierUpCheckInjectionPhase.cpp: (JSC::DFG::TierUpCheckInjectionPhase::run): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateDataSection): Deleted. * ftl/FTLJSCall.cpp: (JSC::FTL::JSCall::JSCall): * ftl/FTLJSCallBase.cpp: (JSC::FTL::JSCallBase::link): (JSC::FTL::JSCallBase::emit): Deleted. * ftl/FTLJSCallBase.h: * ftl/FTLJSCallVarargs.cpp: (JSC::FTL::JSCallVarargs::JSCallVarargs): Deleted. (JSC::FTL::JSCallVarargs::emit): Deleted. * ftl/FTLJSTailCall.cpp: Removed. * ftl/FTLJSTailCall.h: Removed. * ftl/FTLLocation.h: (JSC::FTL::Location::operator!): (JSC::FTL::Location::isHashTableDeletedValue): Deleted. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight): (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::setStrictInt52): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::setInt52): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::setJSValue): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::setBoolean): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::setStorage): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::setDouble): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::setInt32): Deleted. 
* ftl/FTLState.h: * jit/CallFrameShuffler.cpp: (JSC::CallFrameShuffler::spill): (JSC::CallFrameShuffler::emitDeltaCheck): Deleted. (JSC::CallFrameShuffler::prepareForSlowPath): Deleted. (JSC::CallFrameShuffler::prepareForTailCall): Deleted. * jit/CallFrameShuffler.h: (JSC::CallFrameShuffler::addNew): (JSC::CallFrameShuffler::snapshot): Deleted. (JSC::CallFrameShuffler::assumeCalleeIsCell): Deleted. (JSC::CallFrameShuffler::newAsOld): Deleted. (JSC::CallFrameShuffler::ensureRegister): Deleted. (JSC::CallFrameShuffler::addressForOld): Deleted. (JSC::CallFrameShuffler::isDangerNew): Deleted. (JSC::CallFrameShuffler::updateDangerFrontier): Deleted. * jit/CallFrameShuffler64.cpp: (JSC::CallFrameShuffler::emitDisplace): * jit/Reg.h: (JSC::Reg::Reg): Deleted. (JSC::Reg::isFPR): Deleted. Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.h branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGNode.h branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGTierUpCheckInjectionPhase.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLCapabilities.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLCompile.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSCall.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSCallBase.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSCallBase.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSCallVarargs.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLLocation.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLState.h branches/jsc-tailcall/Source/_javascript_Core/jit/CallFrameShuffler.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/CallFrameShuffler.h branches/jsc-tailcall/Source/_javascript_Core/jit/CallFrameShuffler64.cpp 
branches/jsc-tailcall/Source/_javascript_Core/jit/Reg.h Removed Paths branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSTailCall.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSTailCall.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (189060 => 189061) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-27 22:12:12 UTC (rev 189060) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-27 22:31:04 UTC (rev 189061) @@ -1,5 +1,70 @@ 2015-08-27 Basile Clement +Unreviewed, revert r189049 which should never have been committed. + +* _javascript_Core.xcodeproj/project.pbxproj: +* bytecode/ValueRecovery.h: +(JSC::ValueRecovery::inGPR): Deleted. +* dfg/DFGNode.h: +(JSC::DFG::Node::targetBytecodeOffsetDuringParsing): Deleted. +(JSC::DFG::Node::targetBlock): Deleted. +(JSC::DFG::Node::branchData): Deleted. +* dfg/DFGTierUpCheckInjectionPhase.cpp: +(JSC::DFG::TierUpCheckInjectionPhase::run): +* ftl/FTLCapabilities.cpp: +(JSC::FTL::canCompile): +
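Review bot: in the ChangeLog hunk, the revert text is inserted directly under the existing "2015-08-27 Basile Clement" header of the previous entry (the hunk starts at line 1 with that header as unchanged context), and the page truncates the hunk before the end of the added block; confirm that a fresh dated header precedes this entry rather than the two entries sharing one. The revert itself is correct and complete as far as the listed paths go: it removes the FTLJSTailCall.cpp/.h files r189049 added and restores the same sixteen modified paths, and r189049's log message of "WIP" with no ChangeLog entry is reason enough on its own.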
[webkit-changes] [189049] branches/jsc-tailcall/Source/JavaScriptCore
Title: [189049] branches/jsc-tailcall/Source/_javascript_Core Revision 189049 Author basile_clem...@apple.com Date 2015-08-27 14:13:37 -0700 (Thu, 27 Aug 2015) Log Message WIP Modified Paths branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.h branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGNode.h branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGTierUpCheckInjectionPhase.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLCapabilities.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLCompile.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSCall.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSCallBase.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSCallBase.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSCallVarargs.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLLocation.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLState.h branches/jsc-tailcall/Source/_javascript_Core/jit/CallFrameShuffler.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/CallFrameShuffler.h branches/jsc-tailcall/Source/_javascript_Core/jit/CallFrameShuffler64.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/Reg.h Added Paths branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSTailCall.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSTailCall.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (189048 => 189049) --- branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-08-27 21:02:39 UTC (rev 189048) +++ branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-08-27 21:13:37 UTC (rev 189049) 
@@ -961,6 +961,8 @@ 623A37EC1B87A7C000754209 /* RegisterMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 623A37EB1B87A7BD00754209 /* RegisterMap.h */; }; 627673231B680C1E00FD9F2E /* CallMode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 627673211B680C1E00FD9F2E /* CallMode.cpp */; }; 627673241B680C1E00FD9F2E /* CallMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 627673221B680C1E00FD9F2E /* CallMode.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 62774DAA1B8D4B190006F05A /* FTLJSTailCall.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62774DA81B8D4B190006F05A /* FTLJSTailCall.cpp */; }; + 62774DAB1B8D4B190006F05A /* FTLJSTailCall.h in Headers */ = {isa = PBXBuildFile; fileRef = 62774DA91B8D4B190006F05A /* FTLJSTailCall.h */; }; 62D2D38F1ADF103F000206C1 /* FunctionRareData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62D2D38D1ADF103F000206C1 /* FunctionRareData.cpp */; }; 62D2D3901ADF103F000206C1 /* FunctionRareData.h in Headers */ = {isa = PBXBuildFile; fileRef = 62D2D38E1ADF103F000206C1 /* FunctionRareData.h */; settings = {ATTRIBUTES = (Private, ); }; }; 62D755D41B84FB3D001801FA /* CallFrameShuffler64.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62D755D31B84FB39001801FA /* CallFrameShuffler64.cpp */; }; 
@@ -2683,6 +2685,8 @@ 623A37EB1B87A7BD00754209 /* RegisterMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RegisterMap.h; sourceTree = ""; }; 627673211B680C1E00FD9F2E /* CallMode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallMode.cpp; sourceTree = ""; }; 627673221B680C1E00FD9F2E /* CallMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallMode.h; sourceTree = ""; }; + 62774DA81B8D4B190006F05A /* FTLJSTailCall.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLJSTailCall.cpp; path = ftl/FTLJSTailCall.cpp; sourceTree = ""; }; + 62774DA91B8D4B190006F05A /* FTLJSTailCall.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLJSTailCall.h; path = ftl/FTLJSTailCall.h; sourceTree = ""; }; 62A9A29E1B0BED4800BD54CA /* DFGLazyNode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGLazyNode.cpp; path = dfg/DFGLazyNode.cpp; sourceTree = ""; }; 62A9A29F1B0BED4800BD54CA /* DFGLazyNode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGLazyNode.h; path = dfg/DFGLazyNode.h; sourceTree = ""; }; 62D2D38D1ADF103F000206C1 /* FunctionRareData.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = FunctionRareData.cpp; sourceTree = ""; }; @@ -3767,6 +3771,8 @@ 0FD1202E1A8AED12000F5280 /* FTLJSCallBase.h */, 0FD120311A8C85BD000F5280 /* FTLJSCallVarargs.cpp */, 0FD120321A8C85BD000F5280 /* FTLJSCallVarargs.h */, +62774DA81B8D4B190006F05A /* FTLJSTailCall.cpp */, +62774DA91B8D4B1
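Review bot: a log message of just "WIP" with no bug URL and no ChangeLog entry should not land even on a feature branch, and this revision was reverted wholesale in r189061 (above on this page). On the project.pbxproj hunks themselves, FTLJSTailCall.cpp and FTLJSTailCall.h are added only to the Xcode project, while the Modified Paths include no CMakeLists.txt or vcxproj change, so the non-Xcode builds would not compile the new files; the new files' contents are not shown on this page, and the third pbxproj hunk is cut off mid-line.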
[webkit-changes] [189050] branches/jsc-tailcall/Source/JavaScriptCore
Title: [189050] branches/jsc-tailcall/Source/_javascript_Core Revision 189050 Author basile_clem...@apple.com Date 2015-08-27 14:13:39 -0700 (Thu, 27 Aug 2015) Log Message Unreviewed, re-enable the FTL https://bugs.webkit.org/show_bug.cgi?id=146942 We are not using the register preservation thunk anymore, so we can have both the FTL and tail calls! * runtime/Options.h: Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/runtime/Options.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (189049 => 189050) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-27 21:13:37 UTC (rev 189049) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-27 21:13:39 UTC (rev 189050) @@ -1,3 +1,13 @@ +2015-08-27 Basile Clement + +Unreviewed, re-enable the FTL +https://bugs.webkit.org/show_bug.cgi?id=146942 + +We are not using the register preservation thunk anymore, so we can +have both the FTL and tail calls! + +* runtime/Options.h: + 2015-08-27 Michael Saboff jsc-tailcall: Test failures with FTL enabled after r188986 Modified: branches/jsc-tailcall/Source/_javascript_Core/runtime/Options.h (189049 => 189050) --- branches/jsc-tailcall/Source/_javascript_Core/runtime/Options.h 2015-08-27 21:13:37 UTC (rev 189049) +++ branches/jsc-tailcall/Source/_javascript_Core/runtime/Options.h 2015-08-27 21:13:39 UTC (rev 189050) @@ -157,7 +157,7 @@ v(bool, enableOSREntryToDFG, true, nullptr) \ v(bool, enableOSREntryToFTL, true, nullptr) \ \ -v(bool, useFTLJIT, false, "allows the FTL JIT to be used if true") \ +v(bool, useFTLJIT, true, "allows the FTL JIT to be used if true") \ v(bool, useFTLTBAA, true, nullptr) \ v(bool, enableLLVMFastISel, false, nullptr) \ v(bool, useLLVMSmallCodeModel, false, nullptr) \
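Review bot: the ChangeLog hunk marks this "Unreviewed" while citing bug 146942 and a justification ("we are not using the register preservation thunk anymore") that is not tied to a revision; turning a whole JIT tier back on deserves a reviewer and a pointer to the change that removed the thunk, plus a note on the test run showing the failures in the previous entry ("jsc-tailcall: Test failures with FTL enabled after r188986", Michael Saboff) are gone. This commit also landed two seconds after r189049, the "WIP" change that added FTLJSTailCall and was reverted in r189061, and was not itself reverted, so confirm the FTL still builds and the branch tests still pass with the FTL on once that revert is applied.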
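Review bot: the Options.h hunk is a one-character default flip of useFTLJIT from false to true; since the option already has a help string, the only thing missing is a comment near the definition (or in the ChangeLog) recording that the FTL had been disabled on this branch specifically because of the register preservation thunk, so that nobody flips it back off later without knowing what the original blocker was.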
[webkit-changes] [189046] trunk
Title: [189046] trunk Revision 189046 Author basile_clem...@apple.com Date 2015-08-27 12:40:09 -0700 (Thu, 27 Aug 2015) Log Message REGRESSION(r184779): Possible read-after-free in _javascript_Core/dfg/DFGClobberize.h https://bugs.webkit.org/show_bug.cgi?id=148411 Reviewed by Geoffrey Garen and Filip Pizlo. Source/_javascript_Core: * dfg/DFGClobberize.h: (JSC::DFG::clobberize): LayoutTests: * js/regress-148411-expected.txt: Added. * js/regress-148411.html: Added. * js/script-tests/regress-148411.js: Added. (foo): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGClobberize.h Added Paths trunk/LayoutTests/js/regress-148411-expected.txt trunk/LayoutTests/js/regress-148411.html trunk/LayoutTests/js/script-tests/regress-148411.js Diff Modified: trunk/LayoutTests/ChangeLog (189045 => 189046) --- trunk/LayoutTests/ChangeLog 2015-08-27 19:36:02 UTC (rev 189045) +++ trunk/LayoutTests/ChangeLog 2015-08-27 19:40:09 UTC (rev 189046) @@ -1,3 +1,15 @@ +2015-08-27 Basile Clement + +REGRESSION(r184779): Possible read-after-free in _javascript_Core/dfg/DFGClobberize.h +https://bugs.webkit.org/show_bug.cgi?id=148411 + +Reviewed by Geoffrey Garen and Filip Pizlo. + +* js/regress-148411-expected.txt: Added. +* js/regress-148411.html: Added. +* js/script-tests/regress-148411.js: Added. +(foo): + 2015-08-27 Nan Wang AX: Remove accessibility/mac/change-notification-on-scroll.html test Added: trunk/LayoutTests/js/regress-148411-expected.txt (0 => 189046) --- trunk/LayoutTests/js/regress-148411-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-148411-expected.txt 2015-08-27 19:40:09 UTC (rev 189046) 
@@ -0,0 +1,9 @@ +Regression test for https://webkit.org/b/148411. This test should not crash. + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-148411.html (0 => 189046) --- trunk/LayoutTests/js/regress-148411.html (rev 0) +++ trunk/LayoutTests/js/regress-148411.html 2015-08-27 19:40:09 UTC (rev 189046) @@ -0,0 +1,10 @@ + + + +
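Review bot: the DFGClobberize.h hunk, the only code change in this revision, is absent from the portion of the diff shown here, so the fix for the read-after-free cannot be reviewed from this page; only the LayoutTests side is visible, and regress-148411.html is truncated after its opening tags. For a read-after-free, a layout test whose oracle is "This test should not crash" (regress-148411-expected.txt) is weak evidence, since a stale read normally returns plausible data without faulting; the regression test should be run under ASan, and because the bug is in the DFG and needs no DOM it would fit better as a tests/stress script, where the JIT tiers are exercised deterministically, than as a LayoutTest.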
[webkit-changes] [188936] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188936] branches/jsc-tailcall/Source/_javascript_Core Revision 188936 Author basile_clem...@apple.com Date 2015-08-25 15:50:15 -0700 (Tue, 25 Aug 2015) Log Message jsc-tailcall: Get rid of FTLValueFormat https://bugs.webkit.org/show_bug.cgi?id=148448 Reviewed by Michael Saboff. FTL::ValueFormat is nothing more than DataFormat (and is actually slightly less). Let's get rid of it. * CMakeLists.txt: * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: * bytecode/DataFormat.cpp: Renamed from Source/_javascript_Core/ftl/FTLValueFormat.h. (WTF::printInternal): * bytecode/DataFormat.h: * ftl/FTLAvailableRecovery.h: (JSC::FTL::AvailableRecovery::AvailableRecovery): (JSC::FTL::AvailableRecovery::format): * ftl/FTLExitArgument.h: (JSC::FTL::ExitArgument::ExitArgument): (JSC::FTL::ExitArgument::operator!): (JSC::FTL::ExitArgument::format): (JSC::FTL::ExitArgument::withFormat): * ftl/FTLExitValue.cpp: (JSC::FTL::ExitValue::dataFormat): * ftl/FTLExitValue.h: (JSC::FTL::ExitValue::recovery): (JSC::FTL::ExitValue::recoveryFormat): * ftl/FTLFormattedValue.h: (JSC::FTL::FormattedValue::FormattedValue): (JSC::FTL::FormattedValue::operator!): (JSC::FTL::FormattedValue::format): (JSC::FTL::int32Value): (JSC::FTL::booleanValue): (JSC::FTL::jsValueValue): (JSC::FTL::doubleValue): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub): (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint): (JSC::FTL::DFG::LowerDFGToLLVM::convertDoubleToInt32): (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode): (JSC::FTL::DFG::LowerDFGToLLVM::exitArgument): (JSC::FTL::DFG::LowerDFGToLLVM::addAvailableRecovery): * ftl/FTLOSRExit.cpp: (JSC::FTL::OSRExit::OSRExit): * ftl/FTLOSRExit.h: * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::reboxAccordingToFormat): (JSC::FTL::compileRecovery): (JSC::FTL::compileStub): * ftl/FTLValueFormat.cpp: Removed. 
Modified Paths branches/jsc-tailcall/Source/_javascript_Core/CMakeLists.txt branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj branches/jsc-tailcall/Source/_javascript_Core/bytecode/DataFormat.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLAvailableRecovery.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLExitArgument.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLExitValue.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLExitValue.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLFormattedValue.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLOSRExit.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLOSRExit.h branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp Added Paths branches/jsc-tailcall/Source/_javascript_Core/bytecode/DataFormat.cpp Removed Paths branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLValueFormat.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLValueFormat.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/CMakeLists.txt (188935 => 188936) --- branches/jsc-tailcall/Source/_javascript_Core/CMakeLists.txt 2015-08-25 22:44:45 UTC (rev 188935) +++ branches/jsc-tailcall/Source/_javascript_Core/CMakeLists.txt 2015-08-25 22:50:15 UTC (rev 188936) @@ -85,6 +85,7 @@ bytecode/CodeType.cpp bytecode/ComplexGetStatus.cpp bytecode/ConstantStructureCheck.cpp +bytecode/DataFormat.cpp bytecode/DFGExitProfile.cpp bytecode/DeferredCompilationCallback.cpp bytecode/DeferredSourceDump.cpp 
@@ -895,7 +896,6 @@ ftl/FTLState.cpp ftl/FTLThunks.cpp ftl/FTLUnwindInfo.cpp -ftl/FTLValueFormat.cpp ftl/FTLValueRange.cpp llvm/InitializeLLVM.cpp Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188935 => 188936) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-25 22:44:45 UTC (rev 188935) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-25 22:50:15 UTC (rev 188936) @@ -1,5 +1,59 @@ 2015-08-25 Basile Clement +jsc-tailcall: Get rid of FTLValueFormat +https://bugs.webkit.org/show_bug.cgi?id=148448 + +Reviewed by Michael Saboff. + +FTL::ValueFormat is nothing more than DataFormat (and is actually +slightly less). Let's get rid of it. + +* CMakeLists.txt: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: +* _javascript_Core.xcodeproj/project.pbxproj: +* bytecode/DataFormat.cpp: Renamed from Source/_javascript_Core/ftl/FTLVa
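Review bot: in the first CMakeLists.txt hunk, bytecode/DataFormat.cpp is inserted before bytecode/DFGExitProfile.cpp, but the surrounding list is in ASCII order (DFGExitProfile.cpp precedes DeferredCompilationCallback.cpp), so the new entry belongs between those two; the second hunk's removal of ftl/FTLValueFormat.cpp matches the Removed Paths.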
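Review bot: the ChangeLog hunk says "bytecode/DataFormat.cpp: Renamed from Source/JavaScriptCore/ftl/FTLValueFormat.h", but a .cpp cannot be a rename of a .h, and the Removed Paths list both ftl/FTLValueFormat.cpp and ftl/FTLValueFormat.h; the rename source should be FTLValueFormat.cpp, with the header's contents folded into bytecode/DataFormat.h (which is in Modified Paths), assuming that is what happened.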
[webkit-changes] [188934] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188934] branches/jsc-tailcall/Source/_javascript_Core Revision 188934 Author basile_clem...@apple.com Date 2015-08-25 15:09:26 -0700 (Tue, 25 Aug 2015) Log Message jsc-tailcall: Add an option to disable tail calls https://bugs.webkit.org/show_bug.cgi?id=148447 Reviewed by Michael Saboff. * bytecompiler/NodesCodegen.cpp: (JSC::FunctionNode::emitBytecode): * runtime/Options.h: Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp branches/jsc-tailcall/Source/_javascript_Core/runtime/Options.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188933 => 188934) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-25 22:01:18 UTC (rev 188933) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-25 22:09:26 UTC (rev 188934) @@ -1,3 +1,14 @@ +2015-08-25 Basile Clement + +jsc-tailcall: Add an option to disable tail calls +https://bugs.webkit.org/show_bug.cgi?id=148447 + +Reviewed by Michael Saboff. + +* bytecompiler/NodesCodegen.cpp: +(JSC::FunctionNode::emitBytecode): +* runtime/Options.h: + 2015-08-24 Michael Saboff jsc-tailcall: Specialized thunks need to save / restore callee save "tag" registers Modified: branches/jsc-tailcall/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (188933 => 188934) --- branches/jsc-tailcall/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2015-08-25 22:01:18 UTC (rev 188933) +++ branches/jsc-tailcall/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2015-08-25 22:09:26 UTC (rev 188934) 
@@ -3044,7 +3044,7 @@ generator.emitProfileControlFlow(startStartOffset()); generator.emitDebugHook(DidEnterCallFrame, startLine(), startStartOffset(), startLineStartOffset()); -if (isStrictMode() && generator.constructorKind() == ConstructorKind::None) +if (Options::enableTailCalls() && isStrictMode() && generator.constructorKind() == ConstructorKind::None) emitStatementsBytecode(generator, generator.ignoredResult(), CanHaveTailCalls); else emitStatementsBytecode(generator, generator.ignoredResult()); Modified: branches/jsc-tailcall/Source/_javascript_Core/runtime/Options.h (188933 => 188934) --- branches/jsc-tailcall/Source/_javascript_Core/runtime/Options.h 2015-08-25 22:01:18 UTC (rev 188933) +++ branches/jsc-tailcall/Source/_javascript_Core/runtime/Options.h 2015-08-25 22:09:26 UTC (rev 188934) @@ -117,6 +117,7 @@ v(bool, forceProfilerBytecodeGeneration, false, nullptr) \ \ v(bool, enableFunctionDotArguments, true, nullptr) \ +v(bool, enableTailCalls, true, nullptr) \ \ /* showDisassembly implies showDFGDisassembly. */ \ v(bool, showDisassembly, false, "dumps disassembly of all JIT compiled code upon compilation") \
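Review bot: in the NodesCodegen.cpp hunk the option is consulted at bytecode-generation time, per function, which is the right place for a kill switch but has a consequence the ChangeLog should state: code generated before the option is turned off keeps its tail calls, so the option only has a predictable effect when set before any function is compiled. Also, the same three-part predicate is re-derived in the trunk landing of this work (the BytecodeGenerator constructor hunk at the top of this page); a single helper would avoid two copies of the condition.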
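Review bot: in the Options.h hunk, enableTailCalls is declared with a nullptr description, whereas the neighbouring showDisassembly entry shows the convention for a help string; give it one along the lines of "emit tail calls in strict-mode functions", so that the options dump tells the reader what turning it off changes.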
[webkit-changes] [188888] trunk/Source/JavaScriptCore
Title: [188888] trunk/Source/_javascript_Core Revision 188888 Author basile_clem...@apple.com Date 2015-08-24 14:56:38 -0700 (Mon, 24 Aug 2015) Log Message REPTACH is not a word https://bugs.webkit.org/show_bug.cgi?id=148401 Reviewed by Saam Barati. * assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): (JSC::MacroAssemblerX86_64::call): (JSC::MacroAssemblerX86_64::tailRecursiveCall): (JSC::MacroAssemblerX86_64::makeTailRecursiveCall): (JSC::MacroAssemblerX86_64::readCallTarget): (JSC::MacroAssemblerX86_64::linkCall): (JSC::MacroAssemblerX86_64::repatchCall): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/MacroAssemblerX86_64.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (188887 => 188888) --- trunk/Source/_javascript_Core/ChangeLog 2015-08-24 21:51:26 UTC (rev 188887) +++ trunk/Source/_javascript_Core/ChangeLog 2015-08-24 21:56:38 UTC (rev 188888) @@ -1,3 +1,19 @@ +2015-08-24 Basile Clement + +REPTACH is not a word +https://bugs.webkit.org/show_bug.cgi?id=148401 + +Reviewed by Saam Barati. + +* assembler/MacroAssemblerX86_64.h: +(JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): +(JSC::MacroAssemblerX86_64::call): +(JSC::MacroAssemblerX86_64::tailRecursiveCall): +(JSC::MacroAssemblerX86_64::makeTailRecursiveCall): +(JSC::MacroAssemblerX86_64::readCallTarget): +(JSC::MacroAssemblerX86_64::linkCall): +(JSC::MacroAssemblerX86_64::repatchCall): + 2015-08-24 Mark Lam Add support for setting JSC options from a file. Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerX86_64.h (188887 => 188888) --- trunk/Source/_javascript_Core/assembler/MacroAssemblerX86_64.h 2015-08-24 21:51:26 UTC (rev 188887) +++ trunk/Source/_javascript_Core/assembler/MacroAssemblerX86_64.h 2015-08-24 21:56:38 UTC (rev 188888) 
@@ -30,7 +30,7 @@ #include "MacroAssemblerX86Common.h" -#define REPTACH_OFFSET_CALL_R11 3 +#define REPATCH_OFFSET_CALL_R11 3 inline bool CAN_SIGN_EXTEND_32_64(int64_t value) { return value == (int64_t)(int32_t)value; } @@ -181,7 +181,7 @@ load64(Address(X86Registers::eax, sizeof(int64_t)), X86Registers::edx); load64(Address(X86Registers::eax), X86Registers::eax); -ASSERT_UNUSED(label, differenceBetween(label, result) == REPTACH_OFFSET_CALL_R11); +ASSERT_UNUSED(label, differenceBetween(label, result) == REPATCH_OFFSET_CALL_R11); return result; } #endif @@ -215,7 +215,7 @@ #if OS(WINDOWS) add64(TrustedImm32(8 * sizeof(int64_t)), X86Registers::esp); #endif -ASSERT_UNUSED(label, differenceBetween(label, result) == REPTACH_OFFSET_CALL_R11); +ASSERT_UNUSED(label, differenceBetween(label, result) == REPATCH_OFFSET_CALL_R11); return result; } @@ -230,7 +230,7 @@ { DataLabelPtr label = moveWithPatch(TrustedImmPtr(0), scratchRegister); Jump newJump = Jump(m_assembler.jmp_r(scratchRegister)); -ASSERT_UNUSED(label, differenceBetween(label, newJump) == REPTACH_OFFSET_CALL_R11); +ASSERT_UNUSED(label, differenceBetween(label, newJump) == REPATCH_OFFSET_CALL_R11); return Call::fromTailJump(newJump); } @@ -239,7 +239,7 @@ oldJump.link(this); DataLabelPtr label = moveWithPatch(TrustedImmPtr(0), scratchRegister); Jump newJump = Jump(m_assembler.jmp_r(scratchRegister)); -ASSERT_UNUSED(label, differenceBetween(label, newJump) == REPTACH_OFFSET_CALL_R11); +ASSERT_UNUSED(label, differenceBetween(label, newJump) == REPATCH_OFFSET_CALL_R11); return Call::fromTailJump(newJump); } @@ -800,7 +800,7 @@ static FunctionPtr readCallTarget(CodeLocationCall call) { -return FunctionPtr(X86Assembler::readPointer(call.dataLabelPtrAtOffset(-REPTACH_OFFSET_CALL_R11).dataLocation())); +return FunctionPtr(X86Assembler::readPointer(call.dataLabelPtrAtOffset(-REPATCH_OFFSET_CALL_R11).dataLocation())); } static bool haveScratchRegisterForBlinding() { return true; } 
@@ -861,19 +861,19 @@ static void linkCall(void* code, Call call, FunctionPtr function) { if (!call.isFlagSet(Call::Near)) -X86Assembler::linkPointer(code, call.m_label.labelAtOffset(-REPTACH_OFFSET_CALL_R11), function.value()); +X86Assembler::linkPointer(code, call.m_label.labelAtOffset(-REPATCH_OFFSET_CALL_R11), function.value()); else X86Assembler::linkCall(code, call.m_label, function.value()); } static void repatchCall(CodeLocationCall call, CodeLocationLabel destination) { -X86Assembler::repatchPointer(call.dataLabelPtrAtOffset(-REPTACH_OFFSET_CALL_R11).dataLocation(), destination.executableAddress()); +X86Assembler::repatchPointer(call.dataLabelPtrAtOffset(-REPATCH_OFFSET_CALL_R11).dataLocation(), de
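Review bot: the rename is mechanical and every visible use of the macro in MacroAssemblerX86_64.h is updated, but while touching `#define REPATCH_OFFSET_CALL_R11 3` it is worth documenting what the constant is, because it is load-bearing for code patching: `readCallTarget`, `linkCall` and `repatchCall` all locate the pointer to rewrite at `-REPATCH_OFFSET_CALL_R11` from the call site, and the only thing tying that distance to the instruction sequence emitted in `call`, `tailRecursiveCall` and `makeTailRecursiveCall` is `ASSERT_UNUSED(label, differenceBetween(label, result) == REPATCH_OFFSET_CALL_R11)`, which is compiled out of release builds. A mismatch would mean patching the wrong bytes of executable code, so a comment stating which bytes the 3 covers and that the assertions in the emitters are the check would help anyone who later changes the `moveWithPatch`/`call` sequence.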
[webkit-changes] [188883] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188883] branches/jsc-tailcall/Source/_javascript_Core Revision 188883 Author basile_clem...@apple.com Date 2015-08-24 14:41:37 -0700 (Mon, 24 Aug 2015) Log Message jsc-tailcall: We can't assert that registers are flushed when making a tail call https://bugs.webkit.org/show_bug.cgi?id=148396 Reviewed by Michael Saboff. We should be able to assert that registers are flushed when making a tail call, since no additional code should ever be executed after the tail call. However, because we can have Phantom() nodes keeping values alive across a tail call, this assertion can (and does) fail in some cases - even though those nodes are dead nodes that will not actually generate any code. So we can't have the assertion. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188882 => 188883) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 21:39:54 UTC (rev 188882) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 21:41:37 UTC (rev 188883) 
@@ -1,5 +1,24 @@ 2015-08-24 Basile Clement +jsc-tailcall: We can't assert that registers are flushed when making a tail call +https://bugs.webkit.org/show_bug.cgi?id=148396 + +Reviewed by Michael Saboff. + +We should be able to assert that registers are flushed when making a +tail call, since no additional code should ever be executed after the +tail call. However, because we can have Phantom() nodes keeping values +alive across a tail call, this assertion can (and does) fail in some +cases - even though those nodes are dead nodes that will not actually +generate any code. So we can't have the assertion. + +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): + +2015-08-24 Basile Clement + jsc-tailcall: TailCallForwardVarargs must be considered as a terminal node https://bugs.webkit.org/show_bug.cgi?id=148395 Modified: branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (188882 => 188883) --- branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2015-08-24 21:39:54 UTC (rev 188882) +++ branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2015-08-24 21:41:37 UTC (rev 188883) @@ -819,9 +819,7 @@ // their target stack position instead of building then memmoving // the callee frame. // https://bugs.webkit.org/show_bug.cgi?id=147508 -if (isTail) -ASSERT(isFlushed()); -else +if (!isTail) flushRegisters(); GPRFlushedCallResult resultPayload(this); Modified: branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (188882 => 188883) --- branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2015-08-24 21:39:54 UTC (rev 188882) +++ branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2015-08-24 21:41:37 UTC (rev 188883) 
@@ -796,9 +796,7 @@ // their target stack position instead of building then memmoving // the callee frame. // https://bugs.webkit.org/show_bug.cgi?id=147508 -if (isTail) -ASSERT(isFlushed()); -else +if (!isTail) flushRegisters(); GPRFlushedCallResult result(this);
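Review bot: in both `emitCall` hunks (DFGSpeculativeJIT32_64.cpp and DFGSpeculativeJIT64.cpp) the `isTail` branch that held `ASSERT(isFlushed())` is deleted outright, so the code no longer records why a tail call is exempt from the flush check that every other call gets. The reason is only in the ChangeLog: `Phantom()` nodes can keep dead values in registers past the tail call. Put that sentence as a comment where the branch used to be, since the comment block that remains above the hunk is about bug 147508 (building then memmoving the callee frame) and says nothing about flushing; otherwise the next person to see `if (!isTail) flushRegisters();` will reasonably re-add the assertion and reintroduce the failure.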
[webkit-changes] [188882] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188882] branches/jsc-tailcall/Source/_javascript_Core Revision 188882 Author basile_clem...@apple.com Date 2015-08-24 14:39:54 -0700 (Mon, 24 Aug 2015) Log Message jsc-tailcall: TailCallForwardVarargs must be considered as a terminal node https://bugs.webkit.org/show_bug.cgi?id=148395 Reviewed by Michael Saboff. * dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::findTerminal): * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::mergeToSuccessors): * dfg/DFGNode.h: (JSC::DFG::Node::isTerminal): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGBasicBlock.h branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGNode.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188881 => 188882) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 21:31:13 UTC (rev 188881) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 21:39:54 UTC (rev 188882) @@ -1,5 +1,19 @@ 2015-08-24 Basile Clement +jsc-tailcall: TailCallForwardVarargs must be considered as a terminal node +https://bugs.webkit.org/show_bug.cgi?id=148395 + +Reviewed by Michael Saboff. + +* dfg/DFGBasicBlock.h: +(JSC::DFG::BasicBlock::findTerminal): +* dfg/DFGInPlaceAbstractState.cpp: +(JSC::DFG::InPlaceAbstractState::mergeToSuccessors): +* dfg/DFGNode.h: +(JSC::DFG::Node::isTerminal): + +2015-08-24 Basile Clement + jsc-tailcall: Add a bunch of operators https://bugs.webkit.org/show_bug.cgi?id=148337 Modified: branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGBasicBlock.h (188881 => 188882) --- branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGBasicBlock.h 2015-08-24 21:31:13 UTC (rev 188881) +++ branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGBasicBlock.h 2015-08-24 21:39:54 UTC (rev 188882) 
@@ -94,6 +94,7 @@ case Return: case TailCall: case TailCallVarargs: +case TailCallForwardVarargs: case Unreachable: return NodeAndIndex(node, i); // The bitter end can contain Phantoms and the like. There will probably only be one or two nodes after the terminal. They are all no-ops and will not have any checked children. Modified: branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp (188881 => 188882) --- branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp 2015-08-24 21:31:13 UTC (rev 188881) +++ branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp 2015-08-24 21:39:54 UTC (rev 188882) @@ -395,6 +395,7 @@ case Return: case TailCall: case TailCallVarargs: +case TailCallForwardVarargs: case Unreachable: ASSERT(basicBlock->cfaBranchDirection == InvalidBranchDirection); return false; Modified: branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGNode.h (188881 => 188882) --- branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGNode.h 2015-08-24 21:31:13 UTC (rev 188881) +++ branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGNode.h 2015-08-24 21:39:54 UTC (rev 188882) @@ -1098,6 +1098,7 @@ case Return: case TailCall: case TailCallVarargs: +case TailCallForwardVarargs: case Unreachable: return true; default:
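Review bot: the same list of terminal ops (`Return`, `TailCall`, `TailCallVarargs`, now `TailCallForwardVarargs`, `Unreachable`) is maintained by hand in three places, `BasicBlock::findTerminal()`, `InPlaceAbstractState::mergeToSuccessors()` and `Node::isTerminal()`, and this bug is exactly what happens when one copy is missed. `Node::isTerminal()` is the natural single source: `findTerminal()` can test `node->isTerminal()` instead of enumerating ops, and in `mergeToSuccessors()`, where the switch also has per-op handling for branches, the arm that currently lists these ops can at least carry `ASSERT(node->isTerminal())` so the next tail-call variant that is added to `DFGNode.h` but not here fails loudly in debug builds instead of being treated as a non-terminal.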
[webkit-changes] [188870] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188870] branches/jsc-tailcall/Source/_javascript_Core Revision 188870 Author basile_clem...@apple.com Date 2015-08-24 11:07:48 -0700 (Mon, 24 Aug 2015) Log Message jsc-tailcall: Add a bunch of operators https://bugs.webkit.org/show_bug.cgi?id=148337 Reviewed by Saam Barati. * jit/GPRInfo.h: (JSC::JSValueRegs::operator bool): (JSC::JSValueRegs::operator==): (JSC::JSValueRegs::operator!=): (JSC::JSValueSource::operator bool): (JSC::JSValueRegs::operator!): (JSC::JSValueSource::operator!): * jit/Reg.h: (JSC::Reg::operator bool): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/jit/GPRInfo.h branches/jsc-tailcall/Source/_javascript_Core/jit/Reg.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188869 => 188870) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 17:38:23 UTC (rev 188869) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 18:07:48 UTC (rev 188870) @@ -1,5 +1,22 @@ 2015-08-24 Basile Clement +jsc-tailcall: Add a bunch of operators +https://bugs.webkit.org/show_bug.cgi?id=148337 + +Reviewed by Saam Barati. + +* jit/GPRInfo.h: +(JSC::JSValueRegs::operator bool): +(JSC::JSValueRegs::operator==): +(JSC::JSValueRegs::operator!=): +(JSC::JSValueSource::operator bool): +(JSC::JSValueRegs::operator!): +(JSC::JSValueSource::operator!): +* jit/Reg.h: +(JSC::Reg::operator bool): + +2015-08-24 Basile Clement + jsc-tailcall: ValueRecovery should distinguish between doubles in an FPR and JSValues in an FPR https://bugs.webkit.org/show_bug.cgi?id=148336 Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/GPRInfo.h (188869 => 188870) --- branches/jsc-tailcall/Source/_javascript_Core/jit/GPRInfo.h 2015-08-24 17:38:23 UTC (rev 188869) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/GPRInfo.h 2015-08-24 18:07:48 UTC (rev 188870) 
@@ -65,6 +65,10 @@ } bool operator!() const { return m_gpr == InvalidGPRReg; } +explicit operator bool() const { return m_gpr != InvalidGPRReg; } + +bool operator==(JSValueRegs other) { return m_gpr == other.m_gpr; } +bool operator!=(JSValueRegs other) { return !(*this == other); } GPRReg gpr() const { return m_gpr; } GPRReg tagGPR() const { return InvalidGPRReg; } @@ -110,6 +114,7 @@ } bool operator!() const { return m_base == InvalidGPRReg; } +explicit operator bool() const { return m_base != InvalidGPRReg; } bool isAddress() const { return m_offset != notAddress(); } @@ -166,11 +171,19 @@ return JSValueRegs(InvalidGPRReg, gpr); } -bool operator!() const +bool operator!() const { return !static_cast(*this); } +explicit operator bool() const { -return static_cast(m_tagGPR) == InvalidGPRReg -&& static_cast(m_payloadGPR) == InvalidGPRReg; +return static_cast(m_tagGPR) != InvalidGPRReg +|| static_cast(m_payloadGPR) != InvalidGPRReg; } + +bool operator==(JSValueRegs other) const +{ +return m_tagGPR == other.m_tagGPR +&& m_payloadGPR == other.m_payloadGPR; +} +bool operator!=(JSValueRegs other) const { return !(*this == other); } GPRReg tagGPR() const { return static_cast(m_tagGPR); } GPRReg payloadGPR() const { return static_cast(m_payloadGPR); } @@ -238,11 +251,12 @@ result.m_tagType = static_cast(JSValue::CellTag); return result; } - -bool operator!() const + +bool operator!() const { return !static_cast(*this); } +explicit operator bool() const { -return static_cast(m_baseOrTag) == InvalidGPRReg -&& static_cast(m_payload) == InvalidGPRReg; +return static_cast(m_baseOrTag) != InvalidGPRReg +|| static_cast(m_payload) != InvalidGPRReg; } bool isAddress() const Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/Reg.h (188869 => 188870) --- branches/jsc-tailcall/Source/_javascript_Core/jit/Reg.h 2015-08-24 17:38:23 UTC (rev 188869) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/Reg.h 2015-08-24 18:07:48 UTC (rev 188870) 
@@ -101,6 +101,7 @@ bool isSet() const { return m_index != invalid(); } bool operator!() const { return !isSet(); } +explicit operator bool() const { return isSet(); } bool isGPR() const {
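Review bot: in the first GPRInfo.h hunk (`@@ -65,6 +65,10 @@`, the 64-bit `JSValueRegs`) the new `bool operator==(JSValueRegs other)` and `bool operator!=(JSValueRegs other)` are not `const`, whereas the 32-bit `JSValueRegs` versions added in the `@@ -166,11 +171,19 @@` hunk are `const`, as are the `operator!` and `explicit operator bool()` right beside them. Make the 64-bit pair `const` so the two configurations expose the same interface and comparisons compile on a `const JSValueRegs&`. The `explicit operator bool()` additions themselves look right, and rewriting `operator!` in terms of the conversion keeps the two in step; the Reg.h change follows the same pattern.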
[webkit-changes] [188868] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188868] branches/jsc-tailcall/Source/_javascript_Core Revision 188868 Author basile_clem...@apple.com Date 2015-08-24 10:31:36 -0700 (Mon, 24 Aug 2015) Log Message jsc-tailcall: ValueRecovery should distinguish between doubles in an FPR and JSValues in an FPR https://bugs.webkit.org/show_bug.cgi?id=148336 Reviewed by Michael Saboff. Currently, ValueRecovery::InFPR means "this is a *double* value in an FPR". Let's change the semantics to be "this is a *JSValue* in an FPR" (to match ValueRecovery::InGPR), and introduce ValueRecovery::UnboxedDoubleInFPR to mean "this is a double value in an FPR". * bytecode/ValueRecovery.cpp: (JSC::ValueRecovery::dumpInContext): * bytecode/ValueRecovery.h: (JSC::ValueRecovery::operator bool): (JSC::ValueRecovery::inFPR): (JSC::ValueRecovery::isInGPR): (JSC::ValueRecovery::isInFPR): (JSC::ValueRecovery::isInRegisters): (JSC::ValueRecovery::isInJSStack): (JSC::ValueRecovery::dataFormat): (JSC::ValueRecovery::gpr): (JSC::ValueRecovery::isInJSValueRegs): (JSC::ValueRecovery::jsValueRegs): (JSC::ValueRecovery::fpr): (JSC::ValueRecovery::virtualRegister): (JSC::ValueRecovery::constant): * dfg/DFGOSRExitCompiler32_64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGVariableEventStream.cpp: (JSC::DFG::VariableEventStream::reconstruct): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.cpp branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.h branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGVariableEventStream.cpp Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188867 => 188868) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 17:25:57 UTC (rev 188867) 
+++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 17:31:36 UTC (rev 188868) @@ -1,5 +1,41 @@ 2015-08-24 Basile Clement +jsc-tailcall: ValueRecovery should distinguish between doubles in an FPR and JSValues in an FPR +https://bugs.webkit.org/show_bug.cgi?id=148336 + +Reviewed by Michael Saboff. + +Currently, ValueRecovery::InFPR means "this is a *double* value in an +FPR". Let's change the semantics to be "this is a *JSVAlue* in an FPR" +(to match ValueRecovery::InGPR), and introduce +ValueRecovery::UnboxedDoubleInFPR to mean "this is a double value in an +FPR". + +* bytecode/ValueRecovery.cpp: +(JSC::ValueRecovery::dumpInContext): +* bytecode/ValueRecovery.h: +(JSC::ValueRecovery::operator bool): +(JSC::ValueRecovery::inFPR): +(JSC::ValueRecovery::isInGPR): +(JSC::ValueRecovery::isInFPR): +(JSC::ValueRecovery::isInRegisters): +(JSC::ValueRecovery::isInJSStack): +(JSC::ValueRecovery::dataFormat): +(JSC::ValueRecovery::gpr): +(JSC::ValueRecovery::isInJSValueRegs): +(JSC::ValueRecovery::jsValueRegs): +(JSC::ValueRecovery::fpr): +(JSC::ValueRecovery::virtualRegister): +(JSC::ValueRecovery::constant): +* dfg/DFGOSRExitCompiler32_64.cpp: +(JSC::DFG::OSRExitCompiler::compileExit): +* dfg/DFGOSRExitCompiler64.cpp: +(JSC::DFG::OSRExitCompiler::compileExit): +* dfg/DFGVariableEventStream.cpp: +(JSC::DFG::VariableEventStream::reconstruct): + +2015-08-24 Basile Clement + jsc-tailcall: Introduce RegisterMap https://bugs.webkit.org/show_bug.cgi?id=148335 Modified: branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.cpp (188867 => 188868) --- branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.cpp 2015-08-24 17:25:57 UTC (rev 188867) +++ branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.cpp 2015-08-24 17:31:36 UTC (rev 188868) 
@@ -86,6 +86,9 @@ case InFPR: out.print(fpr()); return; +case UnboxedDoubleInFPR: +out.print("double(", fpr(), ")"); +return; #if USE(JSVALUE32_64) case InPair: out.print("pair(", tagGPR(), ", ", payloadGPR(), ")"); Modified: branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.h (188867 => 188868) --- branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.h 2015-08-24 17:25:57 UTC (rev 188867) +++ branches/jsc-tailcall/Source/_javascript_Core/bytecode/ValueRecovery.h 2015-08-24 17:31:36 UTC (rev 188868) @@ -55,6 +55,7 @@ InPair, #endif InFPR, +UnboxedDoubleInFPR, // It's in the stack, but at a different location. DisplacedInJSStack, // It's in the stack, at a different location, and it's unboxed. @@ -82,6 +83,7 @@ bool isSet() const { return m_tec
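Review bot: this changes the meaning of an existing enumerator rather than only adding one. `InFPR` keeps its name and its `ValueRecovery::inFPR()` constructor but now means "JSValue in an FPR", so every existing producer of `InFPR` silently changes meaning unless it is rewritten to the new `UnboxedDoubleInFPR`, and a producer that is missed will have OSR exit recover a raw double as if it were a boxed JSValue (or the reverse), which is a type confusion on the reconstructed stack. Only the enum and `dumpInContext` hunks are on this page; the `DFGOSRExitCompiler32_64.cpp`, `DFGOSRExitCompiler64.cpp` and `DFGVariableEventStream.cpp` changes the ChangeLog lists are where that audit has to be complete, and a safer way to force it is to rename the old enumerator as well so every stale use becomes a compile error instead of a semantic drift. Also, the `dumpInContext` hunk prints `double(` for the new value but still prints a bare register for `InFPR`; printing something distinguishing for both makes the new meaning visible in dumps.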
[webkit-changes] [188867] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188867] branches/jsc-tailcall/Source/_javascript_Core Revision 188867 Author basile_clem...@apple.com Date 2015-08-24 10:25:57 -0700 (Mon, 24 Aug 2015) Log Message jsc-tailcall: Introduce RegisterMap https://bugs.webkit.org/show_bug.cgi?id=148335 Reviewed by Michael Saboff. Introduce RegisterMap, GPRMap and FPRMap dense mappings for Reg, GPRReg and FPRReg. * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: * jit/RegisterMap.h: Added. (JSC::RegisterMap::operator[]): (JSC::GPRMap::operator[]): (JSC::FPRMap::operator[]): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj Added Paths branches/jsc-tailcall/Source/_javascript_Core/jit/RegisterMap.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188866 => 188867) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 17:24:08 UTC (rev 188866) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 17:25:57 UTC (rev 188867) 
@@ -1,5 +1,23 @@ 2015-08-24 Basile Clement +jsc-tailcall: Introduce RegisterMap +https://bugs.webkit.org/show_bug.cgi?id=148335 + +Reviewed by Michael Saboff. + +Introduce RegisterMap, GPRMap and FPRMap dense mappings for +Reg, GPRReg and FPRReg. + +* _javascript_Core.vcxproj/_javascript_Core.vcxproj: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: +* _javascript_Core.xcodeproj/project.pbxproj: +* jit/RegisterMap.h: Added. +(JSC::RegisterMap::operator[]): +(JSC::GPRMap::operator[]): +(JSC::FPRMap::operator[]): + +2015-08-24 Basile Clement + jsc-tailcall: Make a bunch of MacroAssembler operations constexpr https://bugs.webkit.org/show_bug.cgi?id=148334 Modified: branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj (188866 => 188867) --- branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-08-24 17:24:08 UTC (rev 188866) +++ branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-08-24 17:25:57 UTC (rev 188867) @@ -1400,6 +1400,7 @@ + Modified: branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters (188866 => 188867) --- branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-08-24 17:24:08 UTC (rev 188866) +++ branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-08-24 17:25:57 UTC (rev 188867) @@ -3784,6 +3784,9 @@ jit + + jit + jit Modified: branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (188866 => 188867) --- branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-08-24 17:24:08 UTC (rev 188866) +++ branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-08-24 17:25:57 UTC (rev 188867) 
@@ -960,6 +960,7 @@ 5DBB151B131D0B310056AD36 /* testapi.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 14D857740A4696C80032146C /* testapi.js */; }; 5DBB1525131D0BD70056AD36 /* minidom.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 1412110D0A48788700480255 /* minidom.js */; }; 5DE6E5B30E1728EC00180407 /* create_hash_table in Headers */ = {isa = PBXBuildFile; fileRef = F692A8540255597D01FF60F7 /* create_hash_table */; settings = {ATTRIBUTES = (); }; }; + 623A37EC1B87A7C000754209 /* RegisterMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 623A37EB1B87A7BD00754209 /* RegisterMap.h */; }; 627673231B680C1E00FD9F2E /* CallMode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 627673211B680C1E00FD9F2E /* CallMode.cpp */; }; 627673241B680C1E00FD9F2E /* CallMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 627673221B680C1E00FD9F2E /* CallMode.h */; settings = {ATTRIBUTES = (Private, ); }; }; 62D2D38F1ADF103F000206C1 /* FunctionRareData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62D2D38D1ADF103F000206C1 /* FunctionRareData.cpp */; }; @@ -2676,6 +2677,7 @@ 5DAFD6CB146B686300FBEFB4 /* JSC.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = JSC.xcconfig; sourceTree = ""; }; 5DDDF44614FEE72200B4FB4D /* LLIntDesiredOffsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntDesiredOffsets.h; path =
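Review bot: the hunks on this page only register `jit/RegisterMap.h` with the Visual Studio and Xcode projects; the header itself, with the `RegisterMap::operator[]`, `GPRMap::operator[]` and `FPRMap::operator[]` the ChangeLog lists, is not shown here, so the indexing cannot be reviewed from this mail. Given that these are described as dense mappings keyed by `Reg`, `GPRReg` and `FPRReg`, each `operator[]` should assert that the key is a valid register before converting it to an array index, since an invalid sentinel would otherwise index outside the dense storage. One visible detail in the project.pbxproj hunk: the `RegisterMap.h in Headers` entry is added without the `settings = {ATTRIBUTES = (Private, ); };` that the neighbouring `CallMode.h` entry carries; confirm that is intended (it is fine if the header is only used inside JavaScriptCore).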
[webkit-changes] [188866] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188866] branches/jsc-tailcall/Source/_javascript_Core Revision 188866 Author basile_clem...@apple.com Date 2015-08-24 10:24:08 -0700 (Mon, 24 Aug 2015) Log Message jsc-tailcall: Make a bunch of MacroAssembler operations constexpr https://bugs.webkit.org/show_bug.cgi?id=148334 Reviewed by Saam Barati. This is in preparation of https://bugs.webkit.org/show_bug.cgi?id=148335 . * assembler/ARM64Assembler.h: (JSC::ARM64Registers::isSp): (JSC::ARM64Registers::isZr): (JSC::ARM64Assembler::firstRegister): (JSC::ARM64Assembler::lastRegister): (JSC::ARM64Assembler::firstFPRegister): (JSC::ARM64Assembler::lastFPRegister): (JSC::ARM64Assembler::isSp): (JSC::ARM64Assembler::isZr): * assembler/ARMAssembler.h: (JSC::ARMAssembler::firstRegister): (JSC::ARMAssembler::lastRegister): (JSC::ARMAssembler::firstFPRegister): (JSC::ARMAssembler::lastFPRegister): * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::firstRegister): (JSC::AbstractMacroAssembler::lastRegister): (JSC::AbstractMacroAssembler::firstFPRegister): (JSC::AbstractMacroAssembler::lastFPRegister): * assembler/MIPSAssembler.h: (JSC::MIPSAssembler::firstRegister): (JSC::MIPSAssembler::lastRegister): (JSC::MIPSAssembler::firstFPRegister): (JSC::MIPSAssembler::lastFPRegister): * assembler/MacroAssembler.h: (JSC::MacroAssembler::nextRegister): (JSC::MacroAssembler::nextFPRegister): (JSC::MacroAssembler::numberOfRegisters): (JSC::MacroAssembler::registerIndex): (JSC::MacroAssembler::numberOfFPRegisters): (JSC::MacroAssembler::fpRegisterIndex): (JSC::MacroAssembler::totalNumberOfRegisters): * assembler/SH4Assembler.h: (JSC::SH4Assembler::firstRegister): (JSC::SH4Assembler::lastRegister): (JSC::SH4Assembler::firstFPRegister): (JSC::SH4Assembler::lastFPRegister): * assembler/X86Assembler.h: (JSC::X86Assembler::firstRegister): (JSC::X86Assembler::lastRegister): (JSC::X86Assembler::firstFPRegister): (JSC::X86Assembler::lastFPRegister): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 
branches/jsc-tailcall/Source/_javascript_Core/assembler/ARM64Assembler.h branches/jsc-tailcall/Source/_javascript_Core/assembler/ARMAssembler.h branches/jsc-tailcall/Source/_javascript_Core/assembler/AbstractMacroAssembler.h branches/jsc-tailcall/Source/_javascript_Core/assembler/MIPSAssembler.h branches/jsc-tailcall/Source/_javascript_Core/assembler/MacroAssembler.h branches/jsc-tailcall/Source/_javascript_Core/assembler/SH4Assembler.h branches/jsc-tailcall/Source/_javascript_Core/assembler/X86Assembler.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188865 => 188866) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 17:16:47 UTC (rev 188865) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-24 17:24:08 UTC (rev 188866) 
@@ -1,3 +1,55 @@ +2015-08-24 Basile Clement + +jsc-tailcall: Make a bunch of MacroAssembler operations constexpr +https://bugs.webkit.org/show_bug.cgi?id=148334 + +Reviewed by Saam Barati. + +This is in preparation of https://bugs.webkit.org/show_bug.cgi?id=148335 . + +* assembler/ARM64Assembler.h: +(JSC::ARM64Registers::isSp): +(JSC::ARM64Registers::isZr): +(JSC::ARM64Assembler::firstRegister): +(JSC::ARM64Assembler::lastRegister): +(JSC::ARM64Assembler::firstFPRegister): +(JSC::ARM64Assembler::lastFPRegister): +(JSC::ARM64Assembler::isSp): +(JSC::ARM64Assembler::isZr): +* assembler/ARMAssembler.h: +(JSC::ARMAssembler::firstRegister): +(JSC::ARMAssembler::lastRegister): +(JSC::ARMAssembler::firstFPRegister): +(JSC::ARMAssembler::lastFPRegister): +* assembler/AbstractMacroAssembler.h: +(JSC::AbstractMacroAssembler::firstRegister): +(JSC::AbstractMacroAssembler::lastRegister): +(JSC::AbstractMacroAssembler::firstFPRegister): +(JSC::AbstractMacroAssembler::lastFPRegister): +* assembler/MIPSAssembler.h: +(JSC::MIPSAssembler::firstRegister): +(JSC::MIPSAssembler::lastRegister): +(JSC::MIPSAssembler::firstFPRegister): +(JSC::MIPSAssembler::lastFPRegister): +* assembler/MacroAssembler.h: +(JSC::MacroAssembler::nextRegister): +(JSC::MacroAssembler::nextFPRegister): +(JSC::MacroAssembler::numberOfRegisters): +(JSC::MacroAssembler::registerIndex): +(JSC::MacroAssembler::numberOfFPRegisters): +(JSC::MacroAssembler::fpRegisterIndex): +(JSC::MacroAssembler::totalNumberOfRegisters): +* assembler/SH4Assembler.h: +(JSC::SH4Assembler::firstRegister): +(JSC::SH4Assembler::lastRegister): +(JSC::SH4Assembler::firstFPRegister): +(JSC::SH4Assembler::lastFPRegister): +* assembler/X86Assembler.h: +(JSC::X86Assembler::firstRegister): +(JSC::X86Assembler::lastRegister): +(JSC::X86Assembler::firstFPRegister): +
[webkit-changes] [188796] trunk/Source/JavaScriptCore
Title: [188796] trunk/Source/_javascript_Core Revision 188796 Author basile_clem...@apple.com Date 2015-08-21 16:30:40 -0700 (Fri, 21 Aug 2015) Log Message Remove unused code relative to allocation sinking https://bugs.webkit.org/show_bug.cgi?id=148342 Reviewed by Mark Lam. This removes two things: - The DFGPromoteHeapAccess.h file which is a relic of the old sinking phase and is no longer used (it has been subsumed by ObjectAllocationSinking::promoteLocalHeap) - Code in the allocation sinking phase for sinking MaterializeCreateActivation and MaterializeNewObject. Handling those is no longer necessary since the phase no longer runs in a fixpoint and thus will never see those nodes, since no other phase creates them. * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: * dfg/DFGObjectAllocationSinkingPhase.cpp: * dfg/DFGPromoteHeapAccess.h: Removed. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp Removed Paths trunk/Source/_javascript_Core/dfg/DFGPromoteHeapAccess.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (188795 => 188796) --- trunk/Source/_javascript_Core/ChangeLog 2015-08-21 23:28:08 UTC (rev 188795) +++ trunk/Source/_javascript_Core/ChangeLog 2015-08-21 23:30:40 UTC (rev 188796) 
@@ -1,3 +1,28 @@ +2015-08-21 Basile Clement + +Remove unused code relative to allocation sinking +https://bugs.webkit.org/show_bug.cgi?id=148342 + +Reviewed by Mark Lam. + +This removes two things: + + - The DFGPromoteHeapAccess.h file which is a relic of the old sinking + phase and is no longer used (it has been subsumed by + ObjectAllocationSinking::promoteLocalHeap) + + - Code in the allocation sinking phase for sinking + MaterializeCreateActivation and MaterializeNewObject. Handling those + is no longer necessary since the phase no longer runs in a fixpoint + and thus will never see those nodes, since no other phase creates + them. + +* _javascript_Core.vcxproj/_javascript_Core.vcxproj: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: +* _javascript_Core.xcodeproj/project.pbxproj: +* dfg/DFGObjectAllocationSinkingPhase.cpp: +* dfg/DFGPromoteHeapAccess.h: Removed. + 2015-08-21 Geoffrey Garen Unify code paths for manually deleting all code Modified: trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj (188795 => 188796) --- trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-08-21 23:28:08 UTC (rev 188795) +++ trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-08-21 23:30:40 UTC (rev 188796) @@ -1197,7 +1197,6 @@ - Modified: trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters (188795 => 188796) --- trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-08-21 23:28:08 UTC (rev 188795) +++ trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-08-21 23:30:40 UTC (rev 188796) @@ -4369,9 +4369,6 @@ dfg - - dfg - ftl 
@@ -4641,4 +4638,4 @@ jit - \ No newline at end of file + Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (188795 => 188796) --- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-08-21 23:28:08 UTC (rev 188795) +++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-08-21 23:30:40 UTC (rev 188796) @@ -482,7 +482,6 @@ 0FA7A8EB18B413C80052371D /* Reg.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FA7A8E918B413C80052371D /* Reg.cpp */; }; 0FA7A8EC18B413C80052371D /* Reg.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FA7A8EA18B413C80052371D /* Reg.h */; settings = {ATTRIBUTES = (Private, ); }; }; 0FA7A8EE18CE4FD80052371D /* ScratchRegisterAllocator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FA7A8ED18CE4FD80052371D /* ScratchRegisterAllocator.cpp */; }; - 0FAA3E0919D0C2CB00FAC9E2 /* DFGPromoteHeapAccess.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FAA3E0819D0C2CB00FAC9E2 /* DFGPromoteHeapAccess.h */; settings = {ATTRIBUTES = (Private, ); }; }; 0FAF7EFD165BA91B000C8455 /* JITDisassembler.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FAF7EFA165BA919000C8455 /* JITDisassembler.cpp */; }; 0FAF7EFE165BA91F000C8455 /* JITDisassemb
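Review bot: the removal of the `MaterializeCreateActivation` and `MaterializeNewObject` handling rests on the invariant stated in the ChangeLog that the sinking phase no longer runs in a fixpoint and no other phase creates those nodes, so it can never see them. The `DFGObjectAllocationSinkingPhase.cpp` hunk is not on this page, but wherever that handling was deleted the corresponding switch arm should fail hard (`RELEASE_ASSERT_NOT_REACHED()` or the DFG crash macro) rather than fall through, so that a later pass that materialises before sinking produces a crash instead of a silently mis-sunk allocation. The build-file side is consistent: the ChangeLog names the three project files, each has a hunk dropping its `DFGPromoteHeapAccess.h` entry (the pbxproj hunk shows the `0FAA3E0919D0C2CB00FAC9E2` build-file line going), and the `.vcxproj.filters` hunk at `@@ -4641,4 +4638,4 @@` also fixes the missing trailing newline.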
[webkit-changes] [188773] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188773] branches/jsc-tailcall/Source/JavaScriptCore
Revision 188773
Author basile_clem...@apple.com
Date 2015-08-21 14:35:51 -0700 (Fri, 21 Aug 2015)
Log Message
jsc-tailcall: We should not assume that only the baseline JIT can have ById accesses
https://bugs.webkit.org/show_bug.cgi?id=148330

Reviewed by Michael Saboff.

We currently restore the stack pointer after a ById access by using JIT::stackPointerOffsetFor, which will compute the *baseline* stack pointer offset. Let's use CodeBlock::stackPointerOffset instead, so that we have the correct result for non-baseline JIT tiers as well.

* jit/Repatch.cpp:
(JSC::generateByIdStub):
Modified Paths
branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog
branches/jsc-tailcall/Source/JavaScriptCore/jit/Repatch.cpp
Diff
Modified: branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog (188772 => 188773)
--- branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog 2015-08-21 20:50:59 UTC (rev 188772)
+++ branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog 2015-08-21 21:35:51 UTC (rev 188773)
@@ -1,5 +1,20 @@ 2015-08-21 Basile Clement +jsc-tailcall: We should not assume that only the baseline JIT can have ById accesses +https://bugs.webkit.org/show_bug.cgi?id=148330 + +Reviewed by Michael Saboff. + +We currently restore the stack pointer after a ById access by using +JIT::stackPointerOffsetFor, which will compute the *baseline* stack +pointer offset. Let's use CodeBlock::stackPointerOffset instead, so +that we have the correct result for non-baseline JIT tiers as well. + +* jit/Repatch.cpp: +(JSC::generateByIdStub): + +2015-08-21 Basile Clement + Unreviewed, fixes the build. https://bugs.webkit.org/show_bug.cgi?id=148316 Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp (188772 => 188773) --- branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp 2015-08-21 20:50:59 UTC (rev 188772) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp 2015-08-21 21:35:51 UTC (rev 188773) @@ -515,7 +515,7 @@ fastPathCall = stubJit.nearCall(); stubJit.addPtr( -MacroAssembler::TrustedImm32(JIT::stackPointerOffsetFor(codeBlock) * sizeof(Register)), +MacroAssembler::TrustedImm32(codeBlock->stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, MacroAssembler::stackPointerRegister); if (kind == CallGetter) @@ -532,7 +532,7 @@ slowPathCall = stubJit.nearCall(); stubJit.addPtr( -MacroAssembler::TrustedImm32(JIT::stackPointerOffsetFor(codeBlock) * sizeof(Register)), +MacroAssembler::TrustedImm32(codeBlock->stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, MacroAssembler::stackPointerRegister); if (kind == CallGetter) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
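Review bot: the two Repatch.cpp hunks in `generateByIdStub` (after the fast-path `nearCall()` and after the slow-path `nearCall()`) restore the stack pointer with the same expression, `codeBlock->stackPointerOffset() * sizeof(Register)`; compute it once into a local before either call is emitted so the two paths cannot drift apart again the way the baseline-only `JIT::stackPointerOffsetFor(codeBlock)` did. The modified paths are only ChangeLog and jit/Repatch.cpp: add a stress test that drives a getter or setter ById stub from DFG-compiled code, because a wrong offset here leaves the stack pointer inside a live frame after the call and the failure mode is stack corruption on the next store rather than a clean assertion.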
[webkit-changes] [188763] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188763] branches/jsc-tailcall/Source/_javascript_Core Revision 188763 Author basile_clem...@apple.com Date 2015-08-21 11:48:51 -0700 (Fri, 21 Aug 2015) Log Message Unreviewed, fixes the build. https://bugs.webkit.org/show_bug.cgi?id=148316 * _javascript_Core.xcodeproj/project.pbxproj: Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188762 => 188763) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-21 18:39:27 UTC (rev 188762) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-21 18:48:51 UTC (rev 188763) @@ -1,3 +1,10 @@ +2015-08-21 Basile Clement + +Unreviewed, fixes the build. +https://bugs.webkit.org/show_bug.cgi?id=148316 + +* _javascript_Core.xcodeproj/project.pbxproj: + 2015-08-20 Michael Saboff jsc-tailcall: Stack pointer should be moved to protect saving callee saves in LLInt Modified: branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (188762 => 188763) --- branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-08-21 18:39:27 UTC (rev 188762) +++ branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2015-08-21 18:48:51 UTC (rev 188763) 
@@ -961,7 +961,7 @@ 5DBB1525131D0BD70056AD36 /* minidom.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 1412110D0A48788700480255 /* minidom.js */; }; 5DE6E5B30E1728EC00180407 /* create_hash_table in Headers */ = {isa = PBXBuildFile; fileRef = F692A8540255597D01FF60F7 /* create_hash_table */; settings = {ATTRIBUTES = (); }; }; 627673231B680C1E00FD9F2E /* CallMode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 627673211B680C1E00FD9F2E /* CallMode.cpp */; }; - 627673241B680C1E00FD9F2E /* CallMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 627673221B680C1E00FD9F2E /* CallMode.h */; }; + 627673241B680C1E00FD9F2E /* CallMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 627673221B680C1E00FD9F2E /* CallMode.h */; settings = {ATTRIBUTES = (Private, ); }; }; 62D2D38F1ADF103F000206C1 /* FunctionRareData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62D2D38D1ADF103F000206C1 /* FunctionRareData.cpp */; }; 62D2D3901ADF103F000206C1 /* FunctionRareData.h in Headers */ = {isa = PBXBuildFile; fileRef = 62D2D38E1ADF103F000206C1 /* FunctionRareData.h */; settings = {ATTRIBUTES = (Private, ); }; }; 62F2AA371B0BEDE300610C7A /* DFGLazyNode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62A9A29E1B0BED4800BD54CA /* DFGLazyNode.cpp */; };
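Review bot: the ChangeLog entry says only "fixes the build", while the single project.pbxproj hunk promotes CallMode.h to a Private (installed) header, which is what an installed header that includes it needs. Name that including header in the entry so the `ATTRIBUTES = (Private, )` setting is not dropped in a later project-file cleanup and the same build break does not come back.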
[webkit-changes] [188507] trunk/Source/JavaScriptCore
Title: [188507] trunk/Source/JavaScriptCore
Revision 188507
Author basile_clem...@apple.com
Date 2015-08-14 22:00:57 -0700 (Fri, 14 Aug 2015)
Log Message
Occasional failure in v8-v6/v8-raytrace.js.ftl-eager
https://bugs.webkit.org/show_bug.cgi?id=147165

Reviewed by Saam Barati.

The object allocation sinking phase was not properly checking that a MultiGetByOffset was safe to lower before lowering it. This makes it so that we only lower MultiGetByOffset if it only loads from direct properties of the object, and considers it as an escape in any other case (e.g. a load from the prototype).

It also ensures proper conversion of MultiGetByOffset into CheckStructureImmediate when needed.

* dfg/DFGObjectAllocationSinkingPhase.cpp:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::checkStructure):
We were not properly compiling CheckStructure and CheckStructureImmediate nodes with an empty StructureSet.
* tests/stress/sink-multigetbyoffset.js: Regression test.
Modified Paths
trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
Added Paths
trunk/Source/JavaScriptCore/tests/stress/sink-multigetbyoffset.js
Diff
Modified: trunk/Source/JavaScriptCore/ChangeLog (188506 => 188507)
--- trunk/Source/JavaScriptCore/ChangeLog 2015-08-15 03:47:04 UTC (rev 188506)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-08-15 05:00:57 UTC (rev 188507)
@@ -1,3 +1,26 @@ +2015-08-14 Basile Clement + +Occasional failure in v8-v6/v8-raytrace.js.ftl-eager +https://bugs.webkit.org/show_bug.cgi?id=147165 + +Reviewed by Saam Barati. + +The object allocation sinking phase was not properly checking that a +MultiGetByOffset was safe to lower before lowering it. +This makes it so that we only lower MultiGetByOffset if it only loads +from direct properties of the object, and considers it as an escape in +any other case (e.g. a load from the prototype). + +It also ensure proper conversion of MultiGetByOffset into +CheckStructureImmediate when needed. + +* dfg/DFGObjectAllocationSinkingPhase.cpp: +* ftl/FTLLowerDFGToLLVM.cpp: +(JSC::FTL::DFG::LowerDFGToLLVM::checkStructure): +We were not compiling properly CheckStructure and +CheckStructureImmediate nodes with an empty StructureSet. +* tests/stress/sink-multigetbyoffset.js: Regression test. + 2015-08-14 Filip Pizlo Use WTF::Lock and WTF::Condition instead of WTF::Mutex, WTF::ThreadCondition, std::mutex, and std::condition_variable Modified: trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp (188506 => 188507) --- trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp 2015-08-15 03:47:04 UTC (rev 188506) +++ trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp 2015-08-15 05:00:57 UTC (rev 188507) 
@@ -921,14 +921,67 @@ } break; -case MultiGetByOffset: -target = m_heap.onlyLocalAllocation(node->child1().node()); -if (target && target->isObjectAllocation()) { -unsigned identifierNumber = node->multiGetByOffsetData().identifierNumber; -exactRead = PromotedLocationDescriptor(NamedPropertyPLoc, identifierNumber); +case MultiGetByOffset: { +Allocation* allocation = m_heap.onlyLocalAllocation(node->child1().node()); +if (allocation && allocation->isObjectAllocation()) { +MultiGetByOffsetData& data = "" +StructureSet validStructures; +bool hasInvalidStructures = false; +for (const auto& multiGetByOffsetCase : data.cases) { +if (!allocation->structures().overlaps(multiGetByOffsetCase.set())) +continue; + +switch (multiGetByOffsetCase.method().kind()) { +case GetByOffsetMethod::LoadFromPrototype: // We need to escape those +case GetByOffsetMethod::Constant: // We don't really have a way of expressing this +hasInvalidStructures = true; +break; + +case GetByOffsetMethod::Load: // We're good +validStructures.merge(multiGetByOffsetCase.set()); +break; + +default: +RELEASE_ASSERT_NOT_REACHED(); +} +} +if (hasInvalidStructures) { +m_heap.escape(node->child1().node()); +break; +} +unsigned identifierNumber = data.identifierNumber; +PromotedHeapLocation location(NamedPropertyPLoc, allocation->identifier(), identifierNumber); +if (Node* value = heapResolve(locat
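Review bot: in the new `case MultiGetByOffset:` block, a `multiGetByOffsetCase` whose `set()` does not overlap `allocation->structures()` is skipped with `continue`, so when no case overlaps at all `validStructures` stays empty while `hasInvalidStructures` stays false, and the node is lowered against an empty set instead of being escaped. If that is intended (the ChangeLog's `checkStructure` fix for an empty StructureSet suggests an empty check is meant to compile to an unconditional exit), say so in a comment where `validStructures` is consumed; otherwise treat the no-overlap case as an escape too. Keeping `default: RELEASE_ASSERT_NOT_REACHED();` is the right call: a future `GetByOffsetMethod` kind silently handled as a direct load would reintroduce exactly the miscompile this fixes, a prototype load promoted as if it were the sunk object's own property. The line rendered here as `MultiGetByOffsetData& data = ""` has lost its initializer; the removed lines use `node->multiGetByOffsetData()`, so verify the committed line reads that way.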
[webkit-changes] [188318] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188318] branches/jsc-tailcall/Source/JavaScriptCore
Revision 188318
Author basile_clem...@apple.com
Date 2015-08-11 18:59:31 -0700 (Tue, 11 Aug 2015)
Log Message
jsc-tailcall: Arity fixup should make use of the possible extra empty slots at top of the frame
https://bugs.webkit.org/show_bug.cgi?id=147893

Reviewed by Michael Saboff.

This changes the way arity fixup is performed. Since r187767, we always ensure that the total amount of space reserved for a call frame is stack-aligned, which means that for a non-aligned call frame size, we have an additional "free" slot at the top of the frame. This makes it so that when performing arity fixup, we first use that space if necessary before moving the frame down.

This ensures that the total stack space used by a frame is always max(argCount, numParameters) + JSStack::CallFrameHeaderSize, rounded up to be a multiple of 2.

* jit/CCallHelpers.h:
* jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::arityCheckFor): Returns the padding in amount of slots instead of aligned stack units
Modified Paths
branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog
branches/jsc-tailcall/Source/JavaScriptCore/jit/CCallHelpers.h
branches/jsc-tailcall/Source/JavaScriptCore/jit/ThunkGenerators.cpp
branches/jsc-tailcall/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
branches/jsc-tailcall/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
branches/jsc-tailcall/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
branches/jsc-tailcall/Source/JavaScriptCore/runtime/CommonSlowPaths.h
Diff
Modified: branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog (188317 => 188318)
--- branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog 2015-08-12 01:46:06 UTC (rev 188317)
+++ branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog 2015-08-12 01:59:31 UTC (rev
188318) @@ -1,5 +1,32 @@ 2015-08-11 Basile Clement +jsc-tailcall: Arity fixup should make use of the possible extra empty slots at top of the frame +https://bugs.webkit.org/show_bug.cgi?id=147893 + +Reviewed by Michael Saboff. + +This changes the way arity fixup is performed. Since r187767, we always +ensure that the total amount of space reserved for a call frame is +stack-aligned, which means that for a non-aligned call frame size, we +have an additional "free" slot at the top of the frame. This makes it +so that when performing arity fixup, we first use that space if +necessary before moving the frame down. + +This ensures that the total stack space used by a frame is always +max(argCount, numParameters) + JSStack::CallFrameHeaderSize, rounded up +to be a multiple of 2. + +* jit/CCallHelpers.h: +* jit/ThunkGenerators.cpp: +(JSC::arityFixupGenerator): +* llint/LowLevelInterpreter.asm: +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +* runtime/CommonSlowPaths.h: +(JSC::CommonSlowPaths::arityCheckFor): Returns the padding in amount of slots instead of aligned stack units + +2015-08-11 Basile Clement + jsc-tailcall: Make tail call tests run in all tiers https://bugs.webkit.org/show_bug.cgi?id=147895 Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h (188317 => 188318) --- branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h 2015-08-12 01:46:06 UTC (rev 188317) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h 2015-08-12 01:59:31 UTC (rev 188318) 
@@ -2047,10 +2047,7 @@ loadPtr(Address(GPRInfo::callFrameRegister, JSStack::CodeBlock * static_cast(sizeof(Register))), temp2); load32(Address(temp2, CodeBlock::offsetOfNumParameters()), temp2); MacroAssembler::Jump argumentCountWasNotFixedUp = branch32(BelowOrEqual, temp2, temp1); -sub32(temp1, temp2); -add32(TrustedImm32(stackAlignmentRegisters() - 1), temp2); -and32(TrustedImm32(-stackAlignmentRegisters()), temp2); -add32(temp2, temp1); +move(temp2, temp1); argumentCountWasNotFixedUp.link(this); add32(TrustedImm32(stackAlignmentRegisters() + JSStack::CallFrameHeaderSize - 1), temp1); Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp (188317 => 188318) --- branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp 2015-08-12 01:46:06 UTC (rev 188317) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp 2015-08-12 01:59:31 UTC (rev 188318) @@ -367,7 +367,7 @@ { JSInterfaceJIT jit(vm); -// We enter with fixup count, in aligned stack units, in argumentGPR0 and the return thunk in argumentGPR1 +// We enter with fixup count in argumentGPR0 // We have
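Review bot: the CCallHelpers.h hunk replaces the padded-difference computation (`sub32`, `add32(stackAlignmentRegisters() - 1)`, `and32(-stackAlignmentRegisters())`, `add32`) with a bare `move(temp2, temp1)`, so the frame size becomes max(argumentCount, numParameters) plus the header, aligned once, as the ChangeLog states. That is only safe because the caller is guaranteed (since r187767) to have reserved an aligned frame, which is what makes the slot above an odd-sized frame free; put that precondition in a debug assertion or at least a comment next to the `move`, since a caller that reserved an unaligned frame would have the fixup write into a live slot above the frame. The ThunkGenerators.cpp comment change drops the mention of the return thunk in argumentGPR1 ("We enter with fixup count in argumentGPR0"); confirm the calling convention of `arityFixupGenerator` really changed, or keep that part of the comment.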
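The frame-size arithmetic this entry describes, as an added example that is not JSC code: a C++ model of the computation the CCallHelpers.h hunk removes (pad the parameter shortfall to an aligned size first, then add it to the argument count) beside the one it introduces (take the maximum and align once), plus the number of slots the fixup still has to move the frame by once the free top slot from the r187767 padding invariant is accounted for. The alignment of 2 register slots and the 5-slot call frame header are assumed values chosen to mirror 64-bit JSC of the time; the function names are mine.

```cpp
#include <algorithm>
#include <cstdio>

// Added example, not JSC code. Assumed constants mirroring 64-bit JSC of the time:
// a 16-byte stack alignment is 2 register-sized slots, and the call frame header
// (CodeBlock, Callee, ArgumentCount, CallerFrame, ReturnPC) is 5 slots.
constexpr unsigned kStackAlignmentRegisters = 2;
constexpr unsigned kCallFrameHeaderSize = 5;

// Round a slot count up to the next multiple of the stack alignment.
constexpr unsigned roundUpToAlignment(unsigned slots)
{
    return (slots + kStackAlignmentRegisters - 1) & ~(kStackAlignmentRegisters - 1);
}

// Frame size computed by the code the patch removes: the shortfall between
// numParameters and argumentCount is padded to an aligned unit on its own and
// then added to argumentCount, so alignment padding can be paid twice.
unsigned frameSlotsBefore(unsigned argumentCount, unsigned numParameters)
{
    unsigned slots = argumentCount;
    if (numParameters > argumentCount)
        slots += roundUpToAlignment(numParameters - argumentCount);
    return roundUpToAlignment(slots + kCallFrameHeaderSize);
}

// Frame size computed by the code the patch introduces (the `move(temp2, temp1)`):
// max(argumentCount, numParameters) + header, aligned once.
unsigned frameSlotsAfter(unsigned argumentCount, unsigned numParameters)
{
    return roundUpToAlignment(std::max(argumentCount, numParameters) + kCallFrameHeaderSize);
}

// Slots the arity fixup must move the frame down by. The caller reserved an
// aligned frame for argumentCount arguments (the r187767 invariant the ChangeLog
// relies on), so an odd-sized frame already owns one spare slot at its top.
unsigned fixupSlotsNeeded(unsigned argumentCount, unsigned numParameters)
{
    unsigned reserved = roundUpToAlignment(argumentCount + kCallFrameHeaderSize);
    unsigned needed = frameSlotsAfter(argumentCount, numParameters);
    return needed > reserved ? needed - reserved : 0;
}

// Exhaustive check over small arities: the new size never exceeds the old one,
// always covers the larger of the two counts plus the header, and stays aligned.
bool newSizeIsSoundAndNoLarger(unsigned maxCount)
{
    for (unsigned args = 0; args <= maxCount; ++args) {
        for (unsigned params = 0; params <= maxCount; ++params) {
            unsigned after = frameSlotsAfter(args, params);
            if (after > frameSlotsBefore(args, params))
                return false;
            if (after < std::max(args, params) + kCallFrameHeaderSize)
                return false;
            if (after % kStackAlignmentRegisters)
                return false;
        }
    }
    return true;
}

int main()
{
    std::printf("args params before after fixup\n");
    for (unsigned args = 0; args <= 3; ++args) {
        for (unsigned params = 0; params <= 5; ++params) {
            std::printf("%4u %5u %6u %5u %5u\n", args, params,
                frameSlotsBefore(args, params), frameSlotsAfter(args, params),
                fixupSlotsNeeded(args, params));
        }
    }
    return newSizeIsSoundAndNoLarger(64) ? 0 : 1;
}
```

Running it prints the table of old and new sizes; the rows where two arguments are passed to a three-parameter function show a fixup of zero slots, because the spare slot above the 7-slot frame absorbs the missing parameter, while two arguments into a five-parameter function show the old formula reserving 12 slots against the 10 the new one needs.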
[webkit-changes] [188289] branches/jsc-tailcall
Title: [188289] branches/jsc-tailcall
Revision 188289
Author basile_clem...@apple.com
Date 2015-08-11 13:47:08 -0700 (Tue, 11 Aug 2015)
Log Message
jsc-tailcall: Make tail call tests run in all tiers
https://bugs.webkit.org/show_bug.cgi?id=147895

Reviewed by Michael Saboff.

Source/JavaScriptCore:

Make the test checking that tail calls are correctly performed when we have a syntactic tail call run enough to get compiled to the upper tiers.

Also remove a bogus file that contained a duplicate of those tests.

* tests/stress/tail-call-recognize.js:
* tests/stress/tail-call-trigger.js: Removed.

Tools:

Add a runNoInline function to jsc-stress-tests to force a test to run globally without inlining.

* Scripts/run-jsc-stress-tests:
Modified Paths
branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog
branches/jsc-tailcall/Source/JavaScriptCore/tests/stress/tail-call-recognize.js
branches/jsc-tailcall/Tools/ChangeLog
branches/jsc-tailcall/Tools/Scripts/run-jsc-stress-tests
Removed Paths
branches/jsc-tailcall/Source/JavaScriptCore/tests/stress/tail-call-trigger.js
Diff
Modified: branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog (188288 => 188289)
--- branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog 2015-08-11 20:47:02 UTC (rev 188288)
+++ branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog 2015-08-11 20:47:08 UTC (rev 188289)
@@ -1,5 +1,21 @@ 2015-08-11 Basile Clement +jsc-tailcall: Make tail call tests run in all tiers +https://bugs.webkit.org/show_bug.cgi?id=147895 + +Reviewed by Michael Saboff. + +Make the test checking that tail calls are correctly performed +when we have a syntaxic tail call run enough to get compiled to the +upper tiers. + +Also remove a bogus file that contained a duplicate of those tests. + +* tests/stress/tail-call-recognize.js: +* tests/stress/tail-call-trigger.js: Removed. + +2015-08-11 Basile Clement + jsc-tailcall: REGRESSION: DFGByteCodeParser fails when a tail call is inside a ternary https://bugs.webkit.org/show_bug.cgi?id=147849 Modified: branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-recognize.js (188288 => 188289) --- branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-recognize.js 2015-08-11 20:47:02 UTC (rev 188288) +++ branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-recognize.js 2015-08-11 20:47:08 UTC (rev 188289) @@ -1,3 +1,5 @@ +//@ runNoInline + function callerMustBeRun() { if (!Object.is(callerMustBeRun.caller, runTests)) throw Error("Wrong caller, expected run but got ", callerMustBeRun.caller); @@ -174,4 +176,5 @@ })(); } -runTests(); +for (var i = 0; i < 1; ++i) +runTests(); Deleted: branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-trigger.js (188288 => 188289) --- branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-trigger.js 2015-08-11 20:47:02 UTC (rev 188288) +++ branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-trigger.js 2015-08-11 20:47:08 UTC (rev 188289) 
@@ -1,177 +0,0 @@ -function callerMustBeRun() { -if (!Object.is(callerMustBeRun.caller, runTests)) -throw Error("Wrong caller, expected run but got ", callerMustBeRun.caller); -} - -function callerMustBeStrict() { -var errorThrown = false; -try { -callerMustBeStrict.caller; -} catch (e) { -errorThrown = true; -} -if (!errorThrown) -throw Error("Wrong caller, expected strict caller but got ", callerMustBeStrict.caller); -} - -function runTests() { -// Statement tests -(function simpleTailCall() { -"use strict"; -return callerMustBeRun(); -})(); - -(function noTailCallInTry() { -"use strict"; -try { -return callerMustBeStrict(); -} catch (e) { -throw e; -} -})(); - -(function tailCallInCatch() { -"use strict"; -try { } catch (e) { return callerMustBeRun(); } -})(); - -(function tailCallInFinally() { -"use strict"; -try { } finally { return callerMustBeRun(); } -})(); - -(function tailCallInFinallyWithCatch() { -"use strict"; -try { } catch (e) { } finally { return callerMustBeRun(); } -})(); - -(function tailCallInFinallyWithCatchTaken() { -"use strict"; -try { throw null; } catch (e) { } finally { return callerMustBeRun(); } -})(); - -(function noTailCallInCatchIfFinally() { -"use strict"; -try { throw null; } catch (e) { return callerMustBeStrict(); } finally { } -})(); - -(function tailCallInFor() { -"use strict"; -for (var i = 0; i < 10; ++i) -return callerMustBeRun(); -})(); - -(function tailCallInWhile() { -"use strict"; -while (true) -return callerMustBeRun(); -})(); - -
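Review bot: the `@@ -174,4 +176,5 @@` hunk in tail-call-recognize.js wraps `runTests()` in `for (var i = 0; i < 1; ++i)`, which as shown runs the tests exactly once and cannot get them compiled by the upper tiers that the ChangeLog and the new `//@ runNoInline` directive are aiming at. If the bound lost digits in this rendering, confirm the committed value; otherwise raise it to an iteration count that actually reaches the DFG and FTL, since a test that never leaves the LLInt proves nothing about tail calls in the optimizing tiers.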
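Review bot: the deleted tail-call-trigger.js shows `throw Error("Wrong caller, expected run but got ", callerMustBeRun.caller)` and the same two-argument pattern in `callerMustBeStrict`; `Error` takes a single message argument, so the offending caller is silently dropped from the message. The ChangeLog says this file duplicated tail-call-recognize.js, so check the surviving copy and build the message by concatenating the caller into the string, so that a failure in one tier reports which function actually called in.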
[webkit-changes] [188282] branches/jsc-tailcall/Source/JavaScriptCore
Title: [188282] branches/jsc-tailcall/Source/_javascript_Core Revision 188282 Author basile_clem...@apple.com Date 2015-08-11 13:08:56 -0700 (Tue, 11 Aug 2015) Log Message jsc-tailcall: REGRESSION: DFGByteCodeParser fails when a tail call is inside a ternary https://bugs.webkit.org/show_bug.cgi?id=147849 Reviewed by Michael Saboff. We were assuming that a tail call could only be followed by a return. But it could also be followed by a jump to a return when the tail call is inside a ternary _expression_. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (188281 => 188282) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-11 20:06:34 UTC (rev 188281) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-11 20:08:56 UTC (rev 188282) @@ -1,5 +1,19 @@ 2015-08-11 Basile Clement +jsc-tailcall: REGRESSION: DFGByteCodeParser fails when a tail call is inside a ternary +https://bugs.webkit.org/show_bug.cgi?id=147849 + +Reviewed by Michael Saboff. + +We were assuming that a tail call could only be followed by a return. +But it could also be followed by a jump to a return when the tail call +is inside a ternary _expression_. + +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::parseBlock): + +2015-08-11 Basile Clement + jsc-tailcall: Add more strict mode tests https://bugs.webkit.org/show_bug.cgi?id=147850 Modified: branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (188281 => 188282) --- branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2015-08-11 20:06:34 UTC (rev 188281) +++ branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2015-08-11 20:08:56 UTC (rev 188282) 
@@ -2694,7 +2694,11 @@ // logic relies on every bytecode resulting in one or more nodes, which would // be true anyway except for op_loop_hint, which emits a Phantom to force this // to be true. -if (!m_currentBlock->isEmpty()) +// We also don't insert a jump if the block already has a terminal, +// which could happen after a tail call. +ASSERT(m_currentBlock->isEmpty() || !m_currentBlock->terminal() +|| m_currentBlock->terminal()->op() == TailCall || m_currentBlock->terminal()->op() == TailCallVarargs); +if (!m_currentBlock->isEmpty() && !m_currentBlock->terminal()) addToGraph(Jump, OpInfo(m_currentIndex)); return shouldContinueParsing; } @@ -3256,6 +3260,12 @@ // === Block terminators. === case op_jmp: { +if (m_currentBlock->terminal()) { +// We could be the dummy jump to a return after a non-inlined, non-emulated tail call in a ternary operator +Node* terminal = m_currentBlock->terminal(); +ASSERT_UNUSED(terminal, terminal->op() == TailCall || terminal->op() == TailCallVarargs); +LAST_OPCODE(op_ret); +} int relativeOffset = currentInstruction[1].u.operand; addToGraph(Jump, OpInfo(m_currentIndex + relativeOffset)); if (relativeOffset <= 0) @@ -3428,7 +3438,7 @@ if (m_currentBlock->terminal()) { // We could be the dummy return after a non-inlined, non-emulated tail call Node* terminal = m_currentBlock->terminal(); -ASSERT_UNUSED(terminal, terminal->op() == Return || terminal->op() == TailCall || terminal->op() == TailCallVarargs); +ASSERT_UNUSED(terminal, terminal->op() == TailCall || terminal->op() == TailCallVarargs); LAST_OPCODE(op_ret); } if (inlineCallFrame()) {
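Review bot: in the `case op_jmp:` hunk the early exit uses `LAST_OPCODE(op_ret)` although the instruction being skipped is an `op_jmp`; that advances `m_currentIndex` by `OPCODE_LENGTH(op_ret)`, which is only correct for as long as the two opcodes happen to have the same length, and a later change to either bytecode would desynchronize the parser with no assertion to catch it. Use `LAST_OPCODE(op_jmp)` here; the mirrored exit in the `op_ret` hunk correctly uses `op_ret`. The relaxed `ASSERT` in the first hunk is fine, but the new comment "which could happen after a tail call" should state the actual case so the next reader does not have to rediscover it: a non-inlined, non-emulated tail call in a ternary lowers to the tail call followed by a jump to the shared return.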
[webkit-changes] [187868] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187868] branches/jsc-tailcall/Source/JavaScriptCore
Revision 187868
Author basile_clem...@apple.com
Date 2015-08-04 11:30:20 -0700 (Tue, 04 Aug 2015)
Log Message
jsc-tailcall: We should abortWithReason() if we ever return from a tail call
https://bugs.webkit.org/show_bug.cgi?id=147634

Reviewed by Michael Saboff.

Previously, we were using a breakpoint in that case, but it really should be an abortWithReason(). Note that this is mostly useful for the slow path, since the fast path is always a jump - if we ever have a slow path that does not perform the tail call, we have no idea in what state the stack will be when we return here, and it would be dangerous to continue executing (especially since the next instruction is guaranteed to be a return).

* assembler/AbortReason.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCallSlowCase):
Modified Paths
branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog
branches/jsc-tailcall/Source/JavaScriptCore/assembler/AbortReason.h
branches/jsc-tailcall/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
branches/jsc-tailcall/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
branches/jsc-tailcall/Source/JavaScriptCore/jit/JITCall.cpp
branches/jsc-tailcall/Source/JavaScriptCore/jit/JITCall32_64.cpp
Diff
Modified: branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog (187867 => 187868)
--- branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog 2015-08-04 18:03:30 UTC (rev 187867)
+++ branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog 2015-08-04 18:30:20 UTC (rev 187868)
@@ -1,3 +1,28 @@ +2015-08-04 Basile Clement + +jsc-tailcall: We should abortWithReason() if we ever return from a tail call +https://bugs.webkit.org/show_bug.cgi?id=147634 + +Reviewed by Michael Saboff. + +Previously, we were using a breakpoint in that case, but it really +should be an abortWithReason(). Note that this is mostly useful for the +slow path, since the fast path is always a jump - if we ever have a +slow path that does not perform the tail call, we have no idea in what +state the stack will be when we return here, and it would be dangerous +to continue executing (especially since the next instruction is +guaranteed to be a return). + +* assembler/AbortReason.h: +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): +* jit/JITCall.cpp: +(JSC::JIT::compileOpCallSlowCase): +* jit/JITCall32_64.cpp: +(JSC::JIT::compileOpCallSlowCase): + 2015-07-31 Basile Clement jsc-tailcall: Implement the tail call opcodes in the DFG Modified: branches/jsc-tailcall/Source/_javascript_Core/assembler/AbortReason.h (187867 => 187868) --- branches/jsc-tailcall/Source/_javascript_Core/assembler/AbortReason.h 2015-08-04 18:03:30 UTC (rev 187867) +++ branches/jsc-tailcall/Source/_javascript_Core/assembler/AbortReason.h 2015-08-04 18:30:20 UTC (rev 187868) @@ -58,6 +58,7 @@ DFGUnreachableBasicBlock = 220, DFGUnreasonableOSREntryJumpDestination= 230, DFGVarargsThrowingPathDidNotThrow = 235, +JITDidReturnFromTailCall = 237, JITDivOperandsAreNotNumbers = 240, JITGetByValResultIsNotEmpty = 250, JITNotSupported = 260, Modified: branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (187867 => 187868) --- branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2015-08-04 18:03:30 UTC (rev 187867) +++ branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2015-08-04 18:30:20 UTC (rev 187868) 
@@ -878,7 +878,7 @@ done.link(&m_jit); if (isTail) -m_jit.breakpoint(); +m_jit.abortWithReason(JITDidReturnFromTailCall); else { m_jit.setupResults(resultPayloadGPR, resultTagGPR); Modified: branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (187867 => 187868) --- branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2015-08-04 18:03:30 UTC (rev 187867) +++ branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2015-08-04 18:30:20 UTC (rev 187868) @@ -839,7 +839,7 @@ done.link(&m_jit); if (isTail) -m_jit.breakpoint(); +m_jit.abortWithReason(JITDidReturnFromTailCall); else { m_jit.move(GPRInfo::returnValueGPR, resultGPR); Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall.cpp (187867 => 187868) --- branches/jsc-tailcall/Sour
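Review bot: both DFGSpeculativeJIT hunks place `m_jit.abortWithReason(JITDidReturnFromTailCall)` right after `done.link(&m_jit)`, so every path that lands on `done` for a tail call now aborts, which is the right behaviour: reaching this point means a callee ran on a stack whose layout the caller no longer knows, and the old `breakpoint()` gave no reason code in the crash. Two small points: the 32_64 and 64 variants are now identical and could share a helper so they do not drift, and the new `AbortReason` value 237 is slotted between 235 and 240 to keep the enum alphabetical; treat that number as stable from here on, since it is what will appear in crash reports for this condition.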
[webkit-changes] [187791] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187791] branches/jsc-tailcall/Source/JavaScriptCore
Revision 187791
Author basile_clem...@apple.com
Date 2015-08-03 17:39:19 -0700 (Mon, 03 Aug 2015)
Log Message
jsc-tailcall: Implement the tail call opcodes in the DFG
https://bugs.webkit.org/show_bug.cgi?id=146850

Reviewed by Michael Saboff.

This patch adds support for tail calls in the DFG. This requires a slightly high number of nodes:

- TailCall and TailCallVarargs are straightforward. They are terminal nodes and have the semantics of an actual tail call.

- TailCallInlinedCaller and TailCallVarargsInlinedCaller are here to perform a tail call inside an inlined function. They are non-terminal nodes, and are performing the call as a regular call after popping an appropriate number of inlined tail call frames.

- TailCallForwardVarargs and TailCallForwardVarargsInlinedCaller are the extension of TailCallVarargs and TailCallVarargsInlinedCaller to enable the varargs forwarding optimization so that we don't lose performance with a tail call instead of a regular call.

This also required two broad kinds of changes:

- Changes in the JIT itself (DFGSpeculativeJIT) are pretty straightforward since they are just an extension of the baseline JIT changes introduced previously.

- Changes in the runtime are mostly related with handling inline call frames. The idea here is that we have a special TailCall type for call frames that indicates to the various pieces of code walking the inline call frame that they should (recursively) skip the caller in their analysis.

* bytecode/CallMode.h:
(JSC::specializationKindFor):
* bytecode/CodeOrigin.cpp:
(JSC::CodeOrigin::inlineDepthForCallFrame):
(JSC::CodeOrigin::isApproximatelyEqualTo):
(JSC::CodeOrigin::approximateHash):
(JSC::CodeOrigin::inlineStack):
(JSC::InlineCallFrame::dumpInContext):
(WTF::printInternal):
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::callModeFor):
(JSC::InlineCallFrame::kindFor):
(JSC::InlineCallFrame::varargsKindFor):
(JSC::InlineCallFrame::specializationKindFor):
(JSC::InlineCallFrame::isVarargs):
(JSC::InlineCallFrame::isTail):
(JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
(JSC::InlineCallFrame::getCallerSkippingDeadFrames):
(JSC::InlineCallFrame::getCallerInlineFrameSkippingDeadFrames):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::findTerminal):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::allInlineFramesAreTailCalls):
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
(JSC::DFG::ByteCodeParser::getPrediction):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleVarargsCall):
(JSC::DFG::ByteCodeParser::inliningCost):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::isLiveInBytecode):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::forAllLocalsLiveInBytecode):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasCallVarargsData):
(JSC::DFG::Node::isTerminal):
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGOSRExitPreparation.cpp:
(JSC::DFG::prepareCodeOriginForOSRExit):
* dfg/DFGOperations.cpp:
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGVarargsForwardingPhase.cpp:
* interpreter/CallFrame.cpp:
(JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::gotoNextFrame):
* jit/CCallHelpers.h:
* tests/stress/dfg-tail-calls.js: Added.
Modified Paths
branches/jsc-tailcall/Source/JavaScriptCore/ChangeLog
branches/jsc-tailcall/Source/JavaScriptCore/bytecode/CallMode.h
branches/jsc-tailcall/Source/JavaScriptCore/bytecode/CodeOrigin.cpp
branches/jsc-tailcall/Source/JavaScriptCore/bytecode/CodeOrigin.h
branches/jsc-tailcall/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
branches/jsc-tailcall/Source/JavaScriptCore/dfg/DFGArgumentsEliminat
[webkit-changes] [187767] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187767] branches/jsc-tailcall/Source/_javascript_Core Revision 187767 Author basile_clem...@apple.com Date 2015-08-03 14:39:27 -0700 (Mon, 03 Aug 2015) Log Message jsc-tailcall: Kraken/stanford-crypto-ccm crashes https://bugs.webkit.org/show_bug.cgi?id=147561 Reviewed by Michael Saboff. When performing a tail call, we assume that if the top of the tail caller's frame is not stack-aligned, we can use the stack slot above it in case we need to move the top of the frame. However, we don't enforce this when actually performing a call, which leads to interesting (and crashing) situations. We are already enforcing this in the "special call" cases (calls from native code, inlined cache calls, etc.), so this is just a matter of making sure the bytecode generator, DFG and FTL ensure proper padding. * bytecompiler/NodesCodegen.cpp: (JSC::CallArguments::CallArguments): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct): * tests/stress/mutual-tail-call-no-stack-overflow.js: (odd): (even): * tests/stress/tail-calls-dont-overwrite-live-stack.js: Added. 
(tail): (obj.method): (obj.get fromNative): (getThis): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp branches/jsc-tailcall/Source/_javascript_Core/tests/stress/mutual-tail-call-no-stack-overflow.js Added Paths branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-calls-dont-overwrite-live-stack.js Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (187766 => 187767) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-03 21:37:36 UTC (rev 187766) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-03 21:39:27 UTC (rev 187767) 
@@ -1,5 +1,36 @@ 2015-08-03 Basile Clement +jsc-tailcall: Kraken/stanford-crypto-ccm crashes +https://bugs.webkit.org/show_bug.cgi?id=147561 + +Reviewed by Michael Saboff. + +When performing a tail call, we assume that if the top of the tail +caller's frame is not stack-aligned, we can use the stack slot above it +in case we need to move the top of the frame. However, we don't enforce +this when actually performing a call, which leads to interesting (and +crashing) situations. We are already enforcing this in the "special +call" cases (calls from native code, inlined cache calls, etc.), so +this is just a matter of making sure the bytecode generator, DFG and +FTL ensure proper padding. + +* bytecompiler/NodesCodegen.cpp: +(JSC::CallArguments::CallArguments): +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult): +* ftl/FTLLowerDFGToLLVM.cpp: +(JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct): +* tests/stress/mutual-tail-call-no-stack-overflow.js: +(odd): +(even): +* tests/stress/tail-calls-dont-overwrite-live-stack.js: Added. +(tail): +(obj.method): +(obj.get fromNative): +(getThis): + +2015-08-03 Basile Clement + jsc-tailcall: Get and put inline caches are not properly restoring the stack pointer https://bugs.webkit.org/show_bug.cgi?id=147583 Modified: branches/jsc-tailcall/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (187766 => 187767) --- branches/jsc-tailcall/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2015-08-03 21:37:36 UTC (rev 187766) +++ branches/jsc-tailcall/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2015-08-03 21:39:27 UTC (rev 187767) 
@@ -675,6 +675,12 @@ m_argv[i] = generator.newTemporary(); ASSERT(static_cast(i) == m_argv.size() - 1 || m_argv[i]->index() == m_argv[i + 1]->index() - 1); } + +// We need to ensure that the frame size is stack-aligned +while ((JSStack::CallFrameHeaderSize + m_argv.size()) % stackAlignmentRegisters()) { +m_argv.insert(0, generator.newTemporary()); +m_padding++; +} while (stackOffset() % stackAlignmentRegisters()) { m_argv.insert(0, generator.newTemporary()); Modified: branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (187766 => 187767) --- branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2015-08-03 21:37:36 UTC (rev 187766) +++ branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2015-08-03 21:39:27 UTC (rev 187767) @@ -683,7 +683,10 @@ SpeculatedType prediction) { addVarArgChild(callee); -size_t parameterSlots = JSStack::CallFrameHeaderSize - JSStack::CallerFrameAndPCSize + argCount; +size
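Review bot: the new loop in CallArguments::CallArguments pads `m_argv` at the front until `JSStack::CallFrameHeaderSize + m_argv.size()` is a multiple of `stackAlignmentRegisters()`, and the pre-existing loop right below it then pads again until `stackOffset()` is aligned; the comment `// We need to ensure that the frame size is stack-aligned` should say why both are needed (the first makes the whole frame size aligned so a tail call can rely on the slot above the frame, as the ChangeLog describes; the second keeps the argument base aligned for ordinary calls) so a later reader does not try to merge them. Also confirm the second loop bumps `m_padding` the same way the new one does, since its body is cut off in the context shown and the two insert temporaries identically.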
[webkit-changes] [187761] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187761] branches/jsc-tailcall/Source/_javascript_Core Revision 187761 Author basile_clem...@apple.com Date 2015-08-03 13:56:15 -0700 (Mon, 03 Aug 2015) Log Message jsc-tailcall: Get and put inline caches are not properly restoring the stack pointer https://bugs.webkit.org/show_bug.cgi?id=147583 Reviewed by Michael Saboff. If there is a tail call in a getter, we can't rely on the stack pointer being valid after returning from the call. * jit/Repatch.cpp: (JSC::generateByIdStub): * tests/stress/tail-call-in-inline-cache.js: Added. (tail): (obj.get x): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp Added Paths branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-in-inline-cache.js Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (187760 => 187761) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-03 20:47:54 UTC (rev 187760) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-08-03 20:56:15 UTC (rev 187761) @@ -1,3 +1,19 @@ +2015-08-03 Basile Clement + +jsc-tailcall: Get and put inline caches are not properly restoring the stack pointer +https://bugs.webkit.org/show_bug.cgi?id=147583 + +Reviewed by Michael Saboff. + +If there is a tail call in a getter, we can't rely on the stack pointer +being valid after returning from the call. + +* jit/Repatch.cpp: +(JSC::generateByIdStub): +* tests/stress/tail-call-in-inline-cache.js: Added. +(tail): +(obj.get x): + 2015-08-03 Michael Saboff jsc-tailcall: Callee save registers should be saved after the stack pointer is set up Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp (187760 => 187761) --- branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp 2015-08-03 20:47:54 UTC (rev 187760) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp 2015-08-03 20:56:15 UTC (rev 187761) 
@@ -513,9 +513,10 @@ MacroAssembler::TrustedImmPtr(0)); fastPathCall = stubJit.nearCall(); - + stubJit.addPtr( -MacroAssembler::TrustedImm32(alignedNumberOfBytesForCall), +MacroAssembler::TrustedImm32(JIT::stackPointerOffsetFor(codeBlock) * sizeof(Register)), +GPRInfo::callFrameRegister, MacroAssembler::stackPointerRegister); if (kind == CallGetter) stubJit.setupResults(valueRegs); @@ -531,7 +532,8 @@ slowPathCall = stubJit.nearCall(); stubJit.addPtr( -MacroAssembler::TrustedImm32(alignedNumberOfBytesForCall), +MacroAssembler::TrustedImm32(JIT::stackPointerOffsetFor(codeBlock) * sizeof(Register)), +GPRInfo::callFrameRegister, MacroAssembler::stackPointerRegister); if (kind == CallGetter) stubJit.setupResults(valueRegs); Added: branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-in-inline-cache.js (0 => 187761) --- branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-in-inline-cache.js (rev 0) +++ branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-in-inline-cache.js 2015-08-03 20:56:15 UTC (rev 187761) @@ -0,0 +1,10 @@ +"use strict"; + +function tail() { } + +var obj = { +get x() { return tail(0); } +}; + +for (var i = 0; i < 10; ++i) +obj.x; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
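Review bot: `JIT::stackPointerOffsetFor(codeBlock) * sizeof(Register)` now appears twice in generateByIdStub, once after `fastPathCall` and once after `slowPathCall`; compute it once into a local and use it in both `addPtr` calls so the two paths cannot drift apart. The change itself is the right fix: rebasing from `GPRInfo::callFrameRegister` instead of adding `alignedNumberOfBytesForCall` to whatever the callee left in `stackPointerRegister` is exactly what makes the stub safe when the getter tail-calls. If `alignedNumberOfBytesForCall` has no remaining readers after this hunk, drop its computation as well; the visible context lines do not show one.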
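Review bot: tail-call-in-inline-cache.js only exercises the getter side (`get x() { return tail(0); }`) although the title and ChangeLog talk about get and put inline caches, and the hunk also guards `if (kind == CallGetter)` on the setter-capable path; add a strict-mode setter that tail-calls in the same loop so the store path of generateByIdStub gets the same coverage. The test is a crash test with no assertion, which is fine for this bug, but `for (var i = 0; i < 10; ++i)` is a magic count: a one-line comment saying the loop is there to get the inline cache stub generated would help the next reader.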
[webkit-changes] [187678] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187678] branches/jsc-tailcall/Source/_javascript_Core Revision 187678 Author basile_clem...@apple.com Date 2015-07-31 13:36:19 -0700 (Fri, 31 Jul 2015) Log Message jsc-tailcall: Emit a single callee-save restoration for fast and slow tail call paths https://bugs.webkit.org/show_bug.cgi?id=147501 Reviewed by Michael Saboff. We are currently emitting this twice for no reason. * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall32_64.cpp Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (187677 => 187678) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-31 20:34:50 UTC (rev 187677) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-31 20:36:19 UTC (rev 187678) @@ -1,5 +1,19 @@ 2015-07-31 Basile Clement +jsc-tailcall: Emit a single callee-save restoration for fast and slow tail call paths +https://bugs.webkit.org/show_bug.cgi?id=147501 + +Reviewed by Michael Saboff. + +We are currently emitting this twice for no reason. + +* jit/JITCall.cpp: +(JSC::JIT::compileOpCall): +* jit/JITCall32_64.cpp: +(JSC::JIT::compileOpCall): + +2015-07-31 Basile Clement + jsc-tailcall: Don't waste stack space when arity fixup was performed https://bugs.webkit.org/show_bug.cgi?id=147447 Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall.cpp (187677 => 187678) --- branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall.cpp 2015-07-31 20:34:50 UTC (rev 187677) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall.cpp 2015-07-31 20:36:19 UTC (rev 187678) 
@@ -181,6 +181,9 @@ return; } +if (opcodeID == op_tail_call || opcodeID == op_tail_call_varargs) +emitRestoreCalleeSaves(); + DataLabelPtr addressOfLinkedFunctionCheck; Jump slowCase = branchPtrWithPatch(NotEqual, regT0, addressOfLinkedFunctionCheck, TrustedImmPtr(0)); addSlowCase(slowCase); @@ -192,7 +195,6 @@ m_callCompilationInfo[callLinkInfoIndex].callLinkInfo = info; if (opcodeID == op_tail_call || opcodeID == op_tail_call_varargs) { -emitRestoreCalleeSaves(); prepareForTailCallSlow(); m_callCompilationInfo[callLinkInfoIndex].hotPathOther = emitNakedTailCall(); // We must never come back here @@ -221,9 +223,6 @@ move(TrustedImmPtr(m_callCompilationInfo[callLinkInfoIndex].callLinkInfo), regT2); -if (opcodeID == op_tail_call || opcodeID == op_tail_call_varargs) -emitRestoreCalleeSaves(); - m_callCompilationInfo[callLinkInfoIndex].callReturnLocation = emitNakedCall(m_vm->getCTIStub(linkCallThunkGenerator).code()); if (opcodeID == op_tail_call || opcodeID == op_tail_call_varargs) { Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall32_64.cpp (187677 => 187678) --- branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall32_64.cpp 2015-07-31 20:34:50 UTC (rev 187677) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall32_64.cpp 2015-07-31 20:36:19 UTC (rev 187678) @@ -262,6 +262,9 @@ return; } +if (opcodeID == op_tail_call || opcodeID == op_tail_call_varargs) +emitRestoreCalleeSaves(); + addSlowCase(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag))); DataLabelPtr addressOfLinkedFunctionCheck; @@ -277,7 +280,6 @@ checkStackPointerAlignment(); if (opcodeID == op_tail_call || opcodeID == op_tail_call_varargs) { -emitRestoreCalleeSaves(); prepareForTailCallSlow(); m_callCompilationInfo[callLinkInfoIndex].hotPathOther = emitNakedTailCall(); // We must never come back here 
@@ -306,9 +308,6 @@ move(TrustedImmPtr(m_callCompilationInfo[callLinkInfoIndex].callLinkInfo), regT2); -if (opcodeID == op_tail_call || opcodeID == op_tail_call_varargs) -emitRestoreCalleeSaves(); - m_callCompilationInfo[callLinkInfoIndex].callReturnLocation = emitNakedCall(m_vm->getCTIStub(linkCallThunkGenerator).code()); if (opcodeID == op_tail_call || opcodeID == op_tail_call_varargs) {
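Review bot: moving `emitRestoreCalleeSaves()` above the `branchPtrWithPatch(NotEqual, regT0, addressOfLinkedFunctionCheck, ...)` check in JITCall.cpp (and above the `CellTag` check in JITCall32_64.cpp) restores the callee-save registers before it is known whether the fast or slow path will run; that is what lets the two later sites drop their copies, but it is only correct if nothing between the restore and `prepareForTailCallSlow()` or the slow-path `emitNakedCall` still relies on those registers holding this function's values (only regT0/regT1/regT2 are touched in the visible lines). Add a one-line comment at the new site stating that invariant so a future refactoring of compileOpCall does not slip a callee-save use back in between. The two files stay in sync, which is good.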
[webkit-changes] [187676] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187676] branches/jsc-tailcall/Source/_javascript_Core Revision 187676 Author basile_clem...@apple.com Date 2015-07-31 13:31:39 -0700 (Fri, 31 Jul 2015) Log Message jsc-tailcall: Don't waste stack space when arity fixup was performed https://bugs.webkit.org/show_bug.cgi?id=147447 Reviewed by Michael Saboff. r187618 tried to handle this, but did not include the LLInt and did it wrong anyway. When making a call, the caller first aligns the callee's frame, then makes the call. If the callee later performs arity fixup, it does not try to reuse the potential slot left empty by the caller's frame alignment: instead, it aligns the parameters - arguments delta. So when trying to find out where our frame starts, we should replicate this behavior, which we were previously not doing and was the cause of https://bugs.webkit.org/show_bug.cgi?id=147491. While here, I also removed the extra slot that used to save the returnPC for the arity fixup return thunk (that we got rid of in https://bugs.webkit.org/show_bug.cgi?id=146847) and was now just wasting stack space. 
* jit/CCallHelpers.h: * jit/ThunkGenerators.cpp: (JSC::arityFixupGenerator): * llint/LowLevelInterpreter.asm: * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::arityCheckFor): * tests/stress/tail-call-no-stack-overflow.js: (strictLoopArityFixup1): (strictLoopArityFixup2): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp branches/jsc-tailcall/Source/_javascript_Core/llint/LowLevelInterpreter.asm branches/jsc-tailcall/Source/_javascript_Core/runtime/CommonSlowPaths.h branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-no-stack-overflow.js Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (187675 => 187676) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-31 20:21:15 UTC (rev 187675) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-31 20:31:39 UTC (rev 187676) 
@@ -1,3 +1,34 @@ +2015-07-31 Basile Clement + +jsc-tailcall: Don't waste stack space when arity fixup was performed +https://bugs.webkit.org/show_bug.cgi?id=147447 + +Reviewed by Michael Saboff. + +r187618 tried to handle this, but did not include the LLInt and did it +wrong anyway. When making a call, the caller first aligns the callee's +frame, then makes the call. If the callee later performs arity fixup, +it does not try to reuse the potential slot left empty by the caller's +frame alignment: instead, it aligns the parameters - arguments delta. +So when trying to find out where our frame starts, we should replicate +this behavior, which we were previously not doing and was the cause of +https://bugs.webkit.org/show_bug.cgi?id=147491. + +While here, I also removed the extra slot that used to save the +returnPC for the arity fixup return thunk (that we got rid of in +https://bugs.webkit.org/show_bug.cgi?id=146847) and was now just +wasting stack space. + +* jit/CCallHelpers.h: +* jit/ThunkGenerators.cpp: +(JSC::arityFixupGenerator): +* llint/LowLevelInterpreter.asm: +* runtime/CommonSlowPaths.h: +(JSC::CommonSlowPaths::arityCheckFor): +* tests/stress/tail-call-no-stack-overflow.js: +(strictLoopArityFixup1): +(strictLoopArityFixup2): + 2015-07-31 Michael Saboff jsc-tailcall: REGRESSION(r187639): Need to restore callee saves in LLInt before tail call Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h (187675 => 187676) --- branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h 2015-07-31 20:21:15 UTC (rev 187675) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h 2015-07-31 20:31:39 UTC (rev 187676) 
@@ -2047,7 +2047,10 @@ loadPtr(Address(GPRInfo::callFrameRegister, JSStack::CodeBlock * static_cast(sizeof(Register))), temp2); load32(Address(temp2, CodeBlock::offsetOfNumParameters()), temp2); MacroAssembler::Jump argumentCountWasNotFixedUp = branch32(BelowOrEqual, temp2, temp1); -move(temp2, temp1); +sub32(temp1, temp2); +add32(TrustedImm32(stackAlignmentRegisters() - 1), temp2); +and32(TrustedImm32(-stackAlignmentRegisters()), temp2); +add32(temp2, temp1); argumentCountWasNotFixedUp.link(this); add32(TrustedImm32(stackAlignmentRegisters() + JSStack::CallFrameHeaderSize - 1), temp1); Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp (187675 => 187676) --- branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp 2015-07-31 20:21:15 UTC (rev 187675) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp 2015-07-31 20:31:39 UTC (rev 187676) @@
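Review bot: the replacement for `move(temp2, temp1)` is correct but cryptic: `sub32(temp1, temp2)` leaves numParameters - argumentCount in temp2, the `add32(TrustedImm32(stackAlignmentRegisters() - 1), temp2)` / `and32(TrustedImm32(-stackAlignmentRegisters()), temp2)` pair rounds that delta up to the alignment, and `add32(temp2, temp1)` adds it back onto argumentCount; spell that out in a comment and state that it must stay identical to what arityFixupGenerator and the LLInt arity fixup compute, since the ChangeLog says the frame-start computation has to replicate their behaviour. The `and32(-alignment)` mask only rounds correctly for a power-of-two alignment; an `ASSERT` on that (or the codebase's existing rounding helper) would document the assumption.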
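To make the two frame-size rules concrete, here is an added C model (not JSC code) of the arithmetic in the NodesCodegen.cpp padding loop of r187767 above and in the CCallHelpers.h hunk of this commit. The header size of 5 slots and the alignment of 2 slots are assumed values, and the final masking of the total after `add32(TrustedImm32(stackAlignmentRegisters() + JSStack::CallFrameHeaderSize - 1), temp1)` is assumed from the truncated tail of the hunk.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed frame parameters (constructed for this example; the real values
 * come from JSStack::CallFrameHeaderSize and stackAlignmentRegisters()). */
#define CALL_FRAME_HEADER_SIZE 5u    /* header slots above the arguments   */
#define STACK_ALIGNMENT_REGISTERS 2u /* 16-byte alignment, 8-byte registers */

/* The add32(align - 1) / and32(-align) idiom from the CCallHelpers.h hunk.
 * ~(align - 1) is the same mask as -align; it only works for powers of two. */
static uint32_t round_up_slots(uint32_t n, uint32_t align)
{
    assert(align != 0 && (align & (align - 1)) == 0);
    return (n + align - 1) & ~(align - 1);
}

/* r187767, CallArguments::CallArguments: pad the argument vector at the
 * front until header + argv is a multiple of the alignment. Returns the
 * padded size; the number of padding slots added (m_padding) goes to
 * *padding_out when it is non-NULL. */
uint32_t padded_argv_size(uint32_t argv_size, uint32_t *padding_out)
{
    uint32_t padding = 0;
    while ((CALL_FRAME_HEADER_SIZE + argv_size) % STACK_ALIGNMENT_REGISTERS) {
        argv_size++; /* m_argv.insert(0, generator.newTemporary()) */
        padding++;   /* m_padding++ */
    }
    if (padding_out)
        *padding_out = padding;
    return argv_size;
}

/* What arity fixup does when a function declared with num_parameters is
 * entered with fewer arguments: it does not reuse a slot the caller's
 * alignment may have left free; it rounds the parameters - arguments delta
 * up to the alignment and grows the argument area by that much. */
uint32_t argument_slots_after_arity_fixup(uint32_t argument_count, uint32_t num_parameters)
{
    if (num_parameters <= argument_count)
        return argument_count; /* argumentCountWasNotFixedUp */
    return argument_count
        + round_up_slots(num_parameters - argument_count, STACK_ALIGNMENT_REGISTERS);
}

/* Frame size in slots as computed before r187676: after a fixup, assume the
 * argument area holds exactly num_parameters slots (the removed move(temp2, temp1)). */
uint32_t frame_slots_before_fix(uint32_t argument_count, uint32_t num_parameters)
{
    uint32_t slots = num_parameters > argument_count ? num_parameters : argument_count;
    return round_up_slots(slots + CALL_FRAME_HEADER_SIZE, STACK_ALIGNMENT_REGISTERS);
}

/* Frame size as computed after r187676: replicate the fixup's own rounding. */
uint32_t frame_slots_after_fix(uint32_t argument_count, uint32_t num_parameters)
{
    uint32_t slots = argument_slots_after_arity_fixup(argument_count, num_parameters);
    return round_up_slots(slots + CALL_FRAME_HEADER_SIZE, STACK_ALIGNMENT_REGISTERS);
}

int main(void)
{
    /* Constructed cases: the two formulas disagree whenever the rounded
     * delta exceeds the raw delta, e.g. 2 arguments into a 3-parameter function. */
    struct { uint32_t args, params; } cases[] = { {3, 1}, {1, 2}, {2, 3}, {2, 5} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t before = frame_slots_before_fix(cases[i].args, cases[i].params);
        uint32_t after = frame_slots_after_fix(cases[i].args, cases[i].params);
        printf("args=%u params=%u: old=%u slots, fixed=%u slots%s\n",
               cases[i].args, cases[i].params, before, after,
               before == after ? "" : "  <- old code computed a smaller frame than fixup built");
    }
    uint32_t pad = 0;
    uint32_t argv = padded_argv_size(2, &pad);
    printf("argv of 2 slots padded to %u (padding %u)\n", argv, pad);
    return 0;
}
```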
[webkit-changes] [187629] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187629] branches/jsc-tailcall/Source/_javascript_Core Revision 187629 Author basile_clem...@apple.com Date 2015-07-30 17:43:25 -0700 (Thu, 30 Jul 2015) Log Message jsc-tailcall: Add enums for type-safety https://bugs.webkit.org/show_bug.cgi?id=147475 Reviewed by Michael Saboff. This adds: - A CallMode enum to distinguish tail calls from regular calls from construct - A FrameAction enum to indicate whether to keep or reuse the call frame. It also changes JITOperations.h to correctly use this to tell slowPathFor to *not* trash the frame on a regular call (before r187505, this was statically known in slowPathFor). * CMakeLists.txt: * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::repatchNearCall): * assembler/CodeLocation.h: (JSC::CodeLocationNearCall::CodeLocationNearCall): (JSC::CodeLocationNearCall::callMode): (JSC::CodeLocationCommon::nearCallAtOffset): * assembler/LinkBuffer.h: (JSC::LinkBuffer::locationOfNearCall): * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::callModeFor): (JSC::CallLinkInfo::callMode): (JSC::CallLinkInfo::isTailCall): (JSC::CallLinkInfo::isVarargs): * bytecode/CallMode.cpp: Added. (WTF::printInternal): * bytecode/CallMode.h: Added. 
* jit/JITOperations.cpp: * jit/Repatch.cpp: (JSC::linkPolymorphicCall): * jit/ThunkGenerators.cpp: (JSC::slowPathFor): (JSC::virtualThunkFor): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/CMakeLists.txt branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters branches/jsc-tailcall/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj branches/jsc-tailcall/Source/_javascript_Core/assembler/AbstractMacroAssembler.h branches/jsc-tailcall/Source/_javascript_Core/assembler/CodeLocation.h branches/jsc-tailcall/Source/_javascript_Core/assembler/LinkBuffer.h branches/jsc-tailcall/Source/_javascript_Core/bytecode/CallLinkInfo.h branches/jsc-tailcall/Source/_javascript_Core/jit/JITOperations.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp Added Paths branches/jsc-tailcall/Source/_javascript_Core/bytecode/CallMode.cpp branches/jsc-tailcall/Source/_javascript_Core/bytecode/CallMode.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/CMakeLists.txt (187628 => 187629) --- branches/jsc-tailcall/Source/_javascript_Core/CMakeLists.txt 2015-07-31 00:37:38 UTC (rev 187628) +++ branches/jsc-tailcall/Source/_javascript_Core/CMakeLists.txt 2015-07-31 00:43:25 UTC (rev 187629) @@ -76,6 +76,7 @@ bytecode/CallEdge.cpp bytecode/CallLinkInfo.cpp bytecode/CallLinkStatus.cpp +bytecode/CallMode.cpp bytecode/CallVariant.cpp bytecode/CodeBlock.cpp bytecode/CodeBlockHash.cpp Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (187628 => 187629) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-31 00:37:38 UTC (rev 187628) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-31 00:43:25 UTC (rev 187629) 
@@ -1,5 +1,48 @@ 2015-07-30 Basile Clement +jsc-tailcall: Add enums for type-safety +https://bugs.webkit.org/show_bug.cgi?id=147475 + +Reviewed by Michael Saboff. + +This adds: + + - A CallMode enum to distinguish tail calls from regular calls from construct + + - A FrameAction enum to indicate whether to keep or reuse the call + frame. It also changes JITOperations.h to correctly use this to tell + slowPathFor to *not* trash the frame on a regular call (before + r187505, this was statically known in slowPathFor). + +* CMakeLists.txt: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: +* _javascript_Core.xcodeproj/project.pbxproj: +* assembler/AbstractMacroAssembler.h: +(JSC::AbstractMacroAssembler::repatchNearCall): +* assembler/CodeLocation.h: +(JSC::CodeLocationNearCall::CodeLocationNearCall): +(JSC::CodeLocationNearCall::callMode): +(JSC::CodeLocationCommon::nearCallAtOffset): +* assembler/LinkBuffer.h: +(JSC::LinkBuffer::locationOfNearCall): +* bytecode/CallLinkInfo.h: +(JSC::CallLinkInfo::callModeFor): +(JSC::CallLinkInfo::callMode): +(JSC::CallLinkInfo::isTailCall): +(JSC::CallLinkInfo::isVarargs): +* bytecode/CallMode.cpp: Added. +(WTF::printInternal): +* bytecode/CallMode.h: Added. +* jit/JITOperations.cpp: +* jit/Repatch.cpp: +(JSC
[webkit-changes] [187618] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187618] branches/jsc-tailcall/Source/_javascript_Core Revision 187618 Author basile_clem...@apple.com Date 2015-07-30 16:19:30 -0700 (Thu, 30 Jul 2015) Log Message jsc-tailcall: Don't waste stack space when arity fixup was performed https://bugs.webkit.org/show_bug.cgi?id=147447 Reviewed by Michael Saboff. When doing a tail call, we overwrite an amount of stack space based on the number of arguments in the call frame. If we entered the tail caller by performing an arity fixup, this is incorrect and leads to wasted stack space - we must use the CodeBlock's number of parameters instead in that case. This patch is also moving the prepareForTailCall() function from jit/ThunkGenerators.h to the place where it should have always been, namely jit/CCallHelpers.h * jit/CCallHelpers.h: (JSC::CCallHelpers::prepareForTailCallSlow): * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/Repatch.cpp: (JSC::linkPolymorphicCall): * jit/ThunkGenerators.cpp: (JSC::slowPathFor): (JSC::virtualThunkFor): * jit/ThunkGenerators.h: * tests/stress/tail-call-no-stack-overflow.js: (strictLoopArityFixup): Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall32_64.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.h branches/jsc-tailcall/Source/_javascript_Core/tests/stress/tail-call-no-stack-overflow.js Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (187617 => 187618) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-30 23:17:45 UTC (rev 187617) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-30 23:19:30 UTC (rev 187618) 
@@ -1,5 +1,35 @@ 2015-07-30 Basile Clement +jsc-tailcall: Don't waste stack space when arity fixup was performed +https://bugs.webkit.org/show_bug.cgi?id=147447 + +Reviewed by Michael Saboff. + +When doing a tail call, we overwrite an amount of stack space based on +the number of arguments in the call frame. If we entered the tail +caller by performing an arity fixup, this is incorrect and leads to +wasted stack space - we must use the CodeBlock's number of parameters +instead in that case. + +This patch is also moving the prepareForTailCall() function from +jit/ThunkGenerators.h to the place where it should have always been, +namely jit/CCallHelpers.h + +* jit/CCallHelpers.h: +(JSC::CCallHelpers::prepareForTailCallSlow): +* jit/JITCall.cpp: +(JSC::JIT::compileOpCall): +* jit/Repatch.cpp: +(JSC::linkPolymorphicCall): +* jit/ThunkGenerators.cpp: +(JSC::slowPathFor): +(JSC::virtualThunkFor): +* jit/ThunkGenerators.h: +* tests/stress/tail-call-no-stack-overflow.js: +(strictLoopArityFixup): + +2015-07-30 Basile Clement + jsc-tailcall: We should consider a tail call as an exit in the LLInt for the purpose of switching to the JIT https://bugs.webkit.org/show_bug.cgi?id=147449 Modified: branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h (187617 => 187618) --- branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h 2015-07-30 23:17:45 UTC (rev 187617) +++ branches/jsc-tailcall/Source/_javascript_Core/jit/CCallHelpers.h 2015-07-30 23:19:30 UTC (rev 187618) @@ -30,6 +30,7 @@ #include "AssemblyHelpers.h" #include "GPRInfo.h" +#include "StackAlignment.h" namespace JSC { 
@@ -2020,6 +2021,70 @@ loadPtr(&vm()->targetMachinePCForThrow, GPRInfo::regT1); jump(GPRInfo::regT1); } + +void prepareForTailCallSlow(const TempRegisterSet& usedRegisters = { RegisterSet::specialRegisters() }) +{ +GPRReg temp1 = usedRegisters.getFreeGPR(0); +GPRReg temp2 = usedRegisters.getFreeGPR(1); +ASSERT(temp2 != InvalidGPRReg); + +subPtr(TrustedImm32(sizeof(CallerFrameAndPC)), stackPointerRegister); +loadPtr(Address(GPRInfo::callFrameRegister), temp1); +storePtr(temp1, Address(stackPointerRegister)); +loadPtr(Address(GPRInfo::callFrameRegister, sizeof(void*)), temp1); +storePtr(temp1, Address(stackPointerRegister, sizeof(void*))); + +// Now stackPointerRegister points to a valid call frame for the callee +// and callFrameRegister points to our own call frame. +// We now slide the callee's call frame over our own call frame, +// starting with the top to avoid unwanted overwrites + +// Move the callFrameRegister to the top of our (trashed) call frame +load32(Address(GPRInfo::callFrameRegister, JSStack::ArgumentCount * static_cast(sizeof(Regi
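Review bot: `ASSERT(temp2 != InvalidGPRReg)` only checks the second free register; add the same check for `temp1`, and say in a comment that the default `usedRegisters = { RegisterSet::specialRegisters() }` is what guarantees two free GPRs. The copy of the caller frame and return PC reads them at raw offsets, `Address(GPRInfo::callFrameRegister)` and `Address(GPRInfo::callFrameRegister, sizeof(void*))`, while the size comes from `sizeof(CallerFrameAndPC)`; use named offsets into CallerFrameAndPC for both loads and stores so the layout assumption lives in one place. The block comment starting `// Now stackPointerRegister points to a valid call frame for the callee` is good; it is worth adding that the slide must go from the top down precisely because the source and destination frames overlap.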
[webkit-changes] [187616] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187616] branches/jsc-tailcall/Source/_javascript_Core Revision 187616 Author basile_clem...@apple.com Date 2015-07-30 16:08:56 -0700 (Thu, 30 Jul 2015) Log Message jsc-tailcall: We should consider a tail call as an exit in the LLInt for the purpose of switching to the JIT https://bugs.webkit.org/show_bug.cgi?id=147449 Reviewed by Michael Saboff. * llint/LowLevelInterpreter.asm: Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/llint/LowLevelInterpreter.asm Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (187615 => 187616) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-30 23:07:09 UTC (rev 187615) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-30 23:08:56 UTC (rev 187616) @@ -1,3 +1,12 @@ +2015-07-30 Basile Clement + +jsc-tailcall: We should consider a tail call as an exit in the LLInt for the purpose of switching to the JIT +https://bugs.webkit.org/show_bug.cgi?id=147449 + +Reviewed by Michael Saboff. + +* llint/LowLevelInterpreter.asm: + 2015-07-23 Basile Clement Merged r187505 from trunk. Modified: branches/jsc-tailcall/Source/_javascript_Core/llint/LowLevelInterpreter.asm (187615 => 187616) --- branches/jsc-tailcall/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2015-07-30 23:07:09 UTC (rev 187615) +++ branches/jsc-tailcall/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2015-07-30 23:08:56 UTC (rev 187616) @@ -1312,6 +1312,7 @@ _llint_op_tail_call: traceExecution() arrayProfileForCall() +checkSwitchToJITForEpilogue() doCall(_llint_slow_path_call, prepareForTailCall) _llint_op_construct: 
@@ -1342,6 +1343,7 @@ _llint_op_tail_call_varargs: traceExecution() +checkSwitchToJITForEpilogue() # We lie and perform the tail call instead of preparing it since we can't # prepare the frame for a call opcode doCallVarargs(_llint_slow_path_call_varargs, prepareForTailCall)
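Review bot: in the `_llint_op_tail_call_varargs` hunk the inserted `checkSwitchToJITForEpilogue()` lands directly above the existing comment `# We lie and perform the tail call instead of preparing it ...`, which now reads as if it explained the tier-up check rather than the `doCallVarargs(_llint_slow_path_call_varargs, prepareForTailCall)` line below it; put a blank line between them so the comment stays attached to the call it describes. Treating a tail call as an epilogue for the purpose of switching to the JIT is otherwise applied consistently to both `_llint_op_tail_call` and the varargs form.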
[webkit-changes] [187590] branches/jsc-tailcall/Source/JavaScriptCore
Title: [187590] branches/jsc-tailcall/Source/_javascript_Core Revision 187590 Author basile_clem...@apple.com Date 2015-07-30 11:21:36 -0700 (Thu, 30 Jul 2015) Log Message Merged r187505 from trunk. Simplify call linking https://bugs.webkit.org/show_bug.cgi?id=147363 Reviewed by Filip Pizlo. Previously, we were passing both the CallLinkInfo and a (CodeSpecializationKind, RegisterPreservationMode) pair to the different call linking slow paths. However, the CallLinkInfo already has all of that information, and we don't gain anything by having them in additional static parameters - except possibly a very small performance gain in presence of inlining. However since those are already slow paths, this performance loss (if it exists) will not be visible in practice. This patch removes the various specialized thunks and JIT operations for regular and polymorphic call linking with a single thunk and operation for each case. Moreover, it removes the four specialized virtual call thunks and operations with one virtual call thunk for each call link info, allowing for better branch prediction by the CPU and fixing a pre-existing FIXME. * bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::unlink): (JSC::CallLinkInfo::dummy): Deleted. * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::CallLinkInfo): (JSC::CallLinkInfo::registerPreservationMode): (JSC::CallLinkInfo::setUpCallFromFTL): (JSC::CallLinkInfo::setSlowStub): (JSC::CallLinkInfo::clearSlowStub): (JSC::CallLinkInfo::slowStub): * dfg/DFGDriver.cpp: (JSC::DFG::compileImpl): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): * ftl/FTLJSCallBase.cpp: (JSC::FTL::JSCallBase::link): * jit/JITCall.cpp: (JSC::JIT::compileCallEvalSlowCase): (JSC::JIT::compileOpCall): (JSC::JIT::compileOpCallSlowCase): * jit/JITCall32_64.cpp: (JSC::JIT::compileCallEvalSlowCase): (JSC::JIT::compileOpCall): (JSC::JIT::compileOpCallSlowCase): * jit/JITOperations.cpp: * jit/JITOperations.h: (JSC::operationLinkFor): Deleted. 
(JSC::operationVirtualFor): Deleted. (JSC::operationLinkPolymorphicCallFor): Deleted. * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::linkSlowFor): (JSC::linkFor): (JSC::revertCall): (JSC::unlinkFor): (JSC::linkVirtualFor): (JSC::linkPolymorphicCall): * jit/Repatch.h: * jit/ThunkGenerators.cpp: (JSC::linkCallThunkGenerator): (JSC::linkPolymorphicCallThunkGenerator): (JSC::virtualThunkFor): (JSC::linkForThunkGenerator): Deleted. (JSC::linkConstructThunkGenerator): Deleted. (JSC::linkCallThatPreservesRegsThunkGenerator): Deleted. (JSC::linkConstructThatPreservesRegsThunkGenerator): Deleted. (JSC::linkPolymorphicCallForThunkGenerator): Deleted. (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator): Deleted. (JSC::virtualForThunkGenerator): Deleted. (JSC::virtualCallThunkGenerator): Deleted. (JSC::virtualConstructThunkGenerator): Deleted. (JSC::virtualCallThatPreservesRegsThunkGenerator): Deleted. (JSC::virtualConstructThatPreservesRegsThunkGenerator): Deleted. * jit/ThunkGenerators.h: (JSC::linkThunkGeneratorFor): Deleted. (JSC::linkPolymorphicCallThunkGeneratorFor): Deleted. (JSC::virtualThunkGeneratorFor): Deleted. 
Modified Paths branches/jsc-tailcall/Source/_javascript_Core/ChangeLog branches/jsc-tailcall/Source/_javascript_Core/bytecode/CallLinkInfo.cpp branches/jsc-tailcall/Source/_javascript_Core/bytecode/CallLinkInfo.h branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGDriver.cpp branches/jsc-tailcall/Source/_javascript_Core/dfg/DFGJITCompiler.cpp branches/jsc-tailcall/Source/_javascript_Core/ftl/FTLJSCallBase.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/JITCall32_64.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/JITOperations.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/JITOperations.h branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/Repatch.h branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.cpp branches/jsc-tailcall/Source/_javascript_Core/jit/ThunkGenerators.h Diff Modified: branches/jsc-tailcall/Source/_javascript_Core/ChangeLog (187589 => 187590) --- branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-30 17:19:47 UTC (rev 187589) +++ branches/jsc-tailcall/Source/_javascript_Core/ChangeLog 2015-07-30 18:21:36 UTC (rev 187590) @@ -1,5 +1,88 @@ 2015-07-23 Basile Clement +Merged r187505 from trunk. + +Simplify call linking +https://bugs.webkit.org/show_bug.cgi?id=147363 + +Reviewed by Filip Pizlo. + +Previously, we were passing both the CallLinkInfo and a +(CodeSpecializationKind, RegisterPreservationMod
[webkit-changes] [187555] trunk
Title: [187555] trunk Revision 187555 Author basile_clem...@apple.com Date 2015-07-29 13:30:08 -0700 (Wed, 29 Jul 2015) Log Message Remove native call inlining https://bugs.webkit.org/show_bug.cgi?id=147417 .: Rubber-stamped by Filip Pizlo. * Source/cmake/OptionsEfl.cmake: * Source/cmake/WebKitFeatures.cmake: Source/_javascript_Core: Rubber Stamped by Filip Pizlo. * CMakeLists.txt: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): Deleted. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleCall): Deleted. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): Deleted. * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): Deleted. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): Deleted. * dfg/DFGNode.h: (JSC::DFG::Node::hasHeapPrediction): Deleted. (JSC::DFG::Node::hasCellOperand): Deleted. * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): Deleted. * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): Deleted. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): Deleted. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): Deleted. * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): Deleted. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::DFG::LowerDFGToLLVM::lower): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::compileNativeCallOrConstruct): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::getFunctionBySymbol): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted. (JSC::FTL::DFG::LowerDFGToLLVM::didOverflowStack): Deleted. * ftl/FTLState.cpp: (JSC::FTL::State::State): Deleted. * ftl/FTLState.h: * runtime/BundlePath.cpp: Removed. (JSC::bundlePath): Deleted. * runtime/JSDataViewPrototype.cpp: (JSC::getData): (JSC::setData): * runtime/Options.h: Source/WTF: Rubber-stamped by Filip Pizlo. 
* wtf/Platform.h: Modified Paths trunk/ChangeLog trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGNode.h trunk/Source/_javascript_Core/dfg/DFGNodeType.h trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp trunk/Source/_javascript_Core/ftl/FTLState.cpp trunk/Source/_javascript_Core/ftl/FTLState.h trunk/Source/_javascript_Core/runtime/JSDataViewPrototype.cpp trunk/Source/_javascript_Core/runtime/Options.h trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/Platform.h trunk/Source/cmake/OptionsEfl.cmake trunk/Source/cmake/WebKitFeatures.cmake Removed Paths trunk/Source/_javascript_Core/runtime/BundlePath.cpp Diff Modified: trunk/ChangeLog (187554 => 187555) --- trunk/ChangeLog 2015-07-29 20:10:54 UTC (rev 187554) +++ trunk/ChangeLog 2015-07-29 20:30:08 UTC (rev 187555) @@ -1,3 +1,13 @@ +2015-07-29 Basile Clement + +Remove native call inlining +https://bugs.webkit.org/show_bug.cgi?id=147417 + +Rubber-stamped by Filip Pizlo. + +* Source/cmake/OptionsEfl.cmake: +* Source/cmake/WebKitFeatures.cmake: + 2015-07-28 Yusuke Suzuki [ES6] Add ENABLE_ES6_MODULES compile time flag with the default value "false" Modified: trunk/Source/_javascript_Core/CMakeLists.txt (187554 => 187555) --- trunk/Source/_javascript_Core/CMakeLists.txt 2015-07-29 20:10:54 UTC (rev 187554) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2015-07-29 20:30:08 UTC (rev 187555) 
@@ -434,7 +434,6 @@ runtime/BooleanConstructor.cpp runtime/BooleanObject.cpp runtime/BooleanPrototype.cpp -runtime/BundlePath.cpp runtime/CallData.cpp runtime/ClonedArguments.cpp runtime/CodeCache.cpp @@ -809,43 +808,6 @@ COMMAND ${CMAKE_COMMAND} -E touch ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/WebKitLLVMLibraryToken.h VERBATIM) -if (ENABLE_FTL_NATIVE_CALL_INLINING) -function(JOIN VALUES GLUE OUTPUT) -string(REPLACE ";" "${GLUE}" _TMP_STR "${VALUES}") -set(${OUTPUT} "${_TMP_STR}" PARENT_SCOPE) -endfunction() - -JOIN("${_javascript_Core_INCLUDE_DIRECTORIES}" " -I" JSC_INCLUDES) - -set(LLVM_BITCODE_FILES) - -foreach (_file ${_javascript_Core_RUNTIME_SOURCES}) -get_filename_component(_name ${_file} NAME_WE) -add_custom_command( -OUTPUT ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/runtime/${_name}.bc -COMMAND ${PYTHON_EXECUTABLE} $
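Review bot: the three ChangeLog entries for this change do not agree on the reviewer line: the trunk/ChangeLog hunk here and the WTF entry say `Rubber-stamped by Filip Pizlo.`, while the Source/JavaScriptCore entry in the Log Message says `Rubber Stamped by Filip Pizlo.`; use the hyphenated form in all three so the entries match and tooling that greps the reviewer line sees one spelling.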
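Review bot: the second CMakeLists.txt hunk removes the whole `if (ENABLE_FTL_NATIVE_CALL_INLINING)` block that compiled each runtime source to LLVM bitcode and collected the outputs in `LLVM_BITCODE_FILES`, but the hunk as shown stops inside the `foreach` at `COMMAND ${PYTHON_EXECUTABLE} $`; please confirm in the full patch that the matching `endforeach()` and `endif()` are removed with it, that the `JOIN` helper defined inside the block has no callers elsewhere in the file, and that nothing later still references `LLVM_BITCODE_FILES` or the `runtime/*.bc` outputs. Since `Source/cmake/WebKitFeatures.cmake`, `Source/cmake/OptionsEfl.cmake`, `wtf/Platform.h` and `runtime/Options.h` are all listed as modified, the option should disappear from each of them in this same change so no orphaned build flag or dead `#if ENABLE(FTL_NATIVE_CALL_INLINING)` branch survives. The first hunk's removal of `runtime/BundlePath.cpp` from the source list is consistent with the file's deletion in Removed Paths and with `JSC::bundlePath` and `LowerDFGToLLVM::getModuleByPathForSymbol` being deleted: after this lands there is no remaining code path that locates and loads bitcode modules from a bundle path at JIT time, which is a welcome reduction of runtime code-loading surface.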
[webkit-changes] [187551] trunk/Source/JavaScriptCore
Title: [187551] trunk/Source/_javascript_Core Revision 187551 Author basile_clem...@apple.com Date 2015-07-29 12:20:35 -0700 (Wed, 29 Jul 2015) Log Message Unreviewed, skipping a test that is too complex for its own good https://bugs.webkit.org/show_bug.cgi?id=147167 * tests/stress/math-pow-coherency.js: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/tests/stress/math-pow-coherency.js Diff Modified: trunk/Source/_javascript_Core/ChangeLog (187550 => 187551) --- trunk/Source/_javascript_Core/ChangeLog 2015-07-29 19:03:34 UTC (rev 187550) +++ trunk/Source/_javascript_Core/ChangeLog 2015-07-29 19:20:35 UTC (rev 187551) @@ -1,3 +1,10 @@ +2015-07-29 Basile Clement + +Unreviewed, skipping a test that is too complex for its own good +https://bugs.webkit.org/show_bug.cgi?id=147167 + +* tests/stress/math-pow-coherency.js: + 2015-07-29 Sukolsak Sakshuwong Implement WebAssembly module parser Modified: trunk/Source/_javascript_Core/tests/stress/math-pow-coherency.js (187550 => 187551) --- trunk/Source/_javascript_Core/tests/stress/math-pow-coherency.js 2015-07-29 19:03:34 UTC (rev 187550) +++ trunk/Source/_javascript_Core/tests/stress/math-pow-coherency.js 2015-07-29 19:20:35 UTC (rev 187551) @@ -1,3 +1,5 @@ +//@ skip + // This test checks that the pow function returns coherent results: // (a) Across different compilation tiers // (b) With integer exponents represented as int32 or as double
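Review bot: the `//@ skip` added at the top of the math-pow-coherency.js hunk disables the entire test, and with it the coverage this file provides for `Math.pow` returning the same result across compilation tiers and for int32 versus double exponents (the two properties stated in the comment immediately below the directive); if the test is too slow or too fragile to run as-is, record the reason next to the directive rather than only in the ChangeLog, e.g. `//@ skip` followed by `// Skipped pending https://bugs.webkit.org/show_bug.cgi?id=147167`, so a later reader can tell a deliberate skip from a forgotten one and knows which bug has to be closed before re-enabling it.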
[webkit-changes] [187549] trunk/LayoutTests
Title: [187549] trunk/LayoutTests Revision 187549 Author basile_clem...@apple.com Date 2015-07-29 10:52:44 -0700 (Wed, 29 Jul 2015) Log Message Unreviewed, remove a .orig file. https://bugs.webkit.org/show_bug.cgi?id=113610 * fast/css-intrinsic-dimensions/height-property-value.html.orig: Removed. Modified Paths trunk/LayoutTests/ChangeLog Removed Paths trunk/LayoutTests/fast/css-intrinsic-dimensions/height-property-value.html.orig Diff Modified: trunk/LayoutTests/ChangeLog (187548 => 187549) --- trunk/LayoutTests/ChangeLog 2015-07-29 17:44:16 UTC (rev 187548) +++ trunk/LayoutTests/ChangeLog 2015-07-29 17:52:44 UTC (rev 187549) @@ -1,3 +1,10 @@ +2015-07-29 Basile Clement + +Unreviewed, remove a .orig file. +https://bugs.webkit.org/show_bug.cgi?id=113610 + +* fast/css-intrinsic-dimensions/height-property-value.html.orig: Removed. + 2015-07-28 Benjamin Poulain Speed up the Stringifier::toJSON() fast case Deleted: trunk/LayoutTests/fast/css-intrinsic-dimensions/height-property-value.html.orig (187548 => 187549) --- trunk/LayoutTests/fast/css-intrinsic-dimensions/height-property-value.html.orig 2015-07-29 17:44:16 UTC (rev 187548) +++ trunk/LayoutTests/fast/css-intrinsic-dimensions/height-property-value.html.orig 2015-07-29 17:52:44 UTC (rev 187549) @@ -1,37 +0,0 @@ - - -
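Review bot: the deleted file in this hunk is a `.orig` backup left behind by a patch or merge tool, not a test, and the `@@ -1,37 +0,0 @@` header shows it carried 37 lines of stale markup under LayoutTests/fast/css-intrinsic-dimensions; since the ChangeLog entry points at bug 113610 rather than a new bug, a few words in the entry saying that the file was an accidental leftover from that change would make the history clearer. Adding `*.orig` and `*.rej` to the repository's ignore rules would keep the next conflict artifact out of an uploaded patch altogether.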