summaryrefslogtreecommitdiff
path: root/Source/JavaScriptCore
Commit message (Collapse)AuthorAgeFilesLines
* Use fixed executable allocator on x64Allan Sandfeld Jensen2014-11-071-9/+1
| | | | | | | | | | | Since the x86-64 assembler generator depends on jumps being expressable as 32bit offsets we need to use the fixed size executable allocator and not the on demand allocator. This patch removes its exclusion from being used on Windows. Task-number: QTBUG-42417 Change-Id: Ie6b127e9b4291869566fd99cc7efe05b566c8e66 Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Merge remote-tracking branch 'origin/5.3' into 5.4Oswald Buddenhagen2014-10-311-0/+1
|\ | | | | | | Change-Id: I11f35f205d2ded597d54650a948bec3e1e52b419
| * Fix assert after makerope boundary check5.3Lucas Forschler2014-10-311-0/+1
| | | | | | | | | | | | | | | | | | | | The browser demo asserts on qt-project.org after the makerope security fix. Port of http://trac.webkit.org/changeset/169397 Change-Id: I19c98737735d9b17133742752928d4ce6349de13 Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* | Do not use unaligned access when disabledAllan Sandfeld Jensen2014-10-302-2/+2
| | | | | | | | | | | | | | | | | | | | Use the GCC feature defines to check for support for ARMv6 style unaligned access support. This fixes configurations where it was disabled and the ARMv6-M processors where it is not supported. Change-Id: I00c9bb19ba582b64ecb9eaa6da9887ba0df8fd3c Reviewed-by: Julien Brianceau <jbriance@cisco.com> Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | Use INLINE_ARM_FUNCTION in OFFLINE_ASM_GLOBAL_LABELAllan Sandfeld Jensen2014-10-241-9/+1
| | | | | | | | | | | | | | | | | | | | We can get rid of an ifdef in LowLevelInterpreter by reusing logic from InlineAsm.h. This also fixes ARM_TRADITIONAL when forced on when thumb2 is available to the compiler. Change-Id: Iac5ad22a4a41757fa03c3cbc2e8f68e44d085bae Reviewed-by: Julien Brianceau <jbriance@cisco.com> Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* | Do not use floating point instructions in float-abi=softAllan Sandfeld Jensen2014-10-231-0/+4
| | | | | | | | | | | | | | | | | | Pretend VFP doesn't exist when the ABI forbids floating point instructions. Task-number: QTBUG-38371 Change-Id: Id0552201e6bf98812198c0028e2c85107e967a81 Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* | Pop pack pragma on x86 QNXAllan Sandfeld Jensen2014-10-211-3/+3
| | | | | | | | | | | | | | A recent patch fixing QNX on x86 forgot to also pop the pragma it set. Change-Id: I9834c0b57a4409e8e80c29899e6f3989607fe22f Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | Fix LLInt vector offsets on Windows 64Allan Sandfeld Jensen2014-10-153-1/+13
| | | | | | | | | | | | | | | | Derived classes on Windows x64 are 64bit aligned placing the m_size property of Vector slightly differently than on other platforms. Change-Id: I186de5ea200abfbdd3bdf7502f3f427cb6890f3c Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | Merge remote-tracking branch 'origin/5.3' into 5.4Frederik Gladhorn2014-10-1410-23/+100
|\ \ | |/ | | | | Change-Id: I509f0440296df39aece8133382aacc43a4e05f99
| * Add missing branchAdd32 implementations to fix sh4 and mips buildsJulien Brianceau2014-09-302-0/+29
| | | | | | | | | | | | | | sh4 implementation has been taken from WebKit r173222. Change-Id: I1c188e88e9fd8772f97cac94d7ee31945b538b71 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
| * [ARM] Unreviewed build fix after r167336.Csaba Osztrogonác2014-09-261-0/+5
| | | | | | | | | | | | | | | | | | * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::branchAdd32): Change-Id: I919df8301e69cca630f475afcc0c4311d713f10e git-svn-id: http://svn.webkit.org/repository/webkit/trunk@167565 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| * Unreviewed, ARMv7 build fix after r167336.Filip Pizlo2014-09-261-0/+6
| | | | | | | | | | | | | | | | | | * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::branchAdd32): Change-Id: Ia16f8dce00ce660cf5f7b9eb1c3496e08cbdb603 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@167354 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| * compileMakeRope does not emit necessary bounds checksFilip Pizlo2014-09-266-23/+60
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=130684 <rdar://problem/16398388> Reviewed by Oliver Hunt. Add string length bounds checks in a bunch of places. We should never allow a string to have a length greater than 2^31-1 because it's not clear that the language has semantics for it and because there is code that assumes that this cannot happen. Also add a bunch of tests to that effect to cover the various ways in which this was previously allowed to happen. * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileMakeRope): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMakeRope): * runtime/JSString.cpp: (JSC::JSRopeString::RopeBuilder::expand): * runtime/JSString.h: (JSC::JSString::create): (JSC::JSRopeString::RopeBuilder::append): (JSC::JSRopeString::RopeBuilder::release): (JSC::JSRopeString::append): * runtime/Operations.h: (JSC::jsString): (JSC::jsStringFromRegisterArray): (JSC::jsStringFromArguments): * runtime/StringPrototype.cpp: (JSC::stringProtoFuncIndexOf): (JSC::stringProtoFuncSlice): (JSC::stringProtoFuncSubstring): (JSC::stringProtoFuncToLowerCase): * tests/stress/make-large-string-jit-strcat.js: Added. (foo): * tests/stress/make-large-string-jit.js: Added. (foo): * tests/stress/make-large-string-strcat.js: Added. * tests/stress/make-large-string.js: Added. Change-Id: If01dd2a2d2daa3d209eddf0213d2b391e94f54a0 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@167336 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | Fix CLoop on big-endian machinesAllan Sandfeld Jensen2014-10-132-11/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Callee and ScopeChain are JSObject pointers and saved in the 64bit structure for JS registers. On a 32bit big-endian machine the actual pointer is offset by the PayloadOffset of 4 bytes, but on little-endian and 64bit architectures there is no offset. This patch fixes four places the payloadOffset was not correctly added on 32bit big-endian, and six places it was added on 64big big-endian when it shouldn't. Task-number: QTBUG-41896 Change-Id: I46b474bee9822b8040d1b7b2e8f31ce42e0adefe Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | Fix uninitialized accessAllan Sandfeld Jensen2014-10-101-0/+8
| | | | | | | | | | | | | | | | | | | | When an identifier is made from an empty string, the constructor still tries accessing the first character to populate a cache. This leads to access of uninitialized data, and wrong data in the cache. This causes no wrong behavior though except unuseful data in the cache. Change-Id: Ice9f10b08306799b160f8b95b76bd056f29d228d Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* | Fix valgrind warning about uninitialized accessAllan Sandfeld Jensen2014-10-061-3/+3
| | | | | | | | | | | | | | | | A default cache-entry has a null String and an uninitialized key. We should therefore only try to use the key if the String is not null. Change-Id: Icd6819b96b9b650305cf0611b6b2978c07dc9196 Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* | (un)shiftCountWithAnyIndexingType will start over in the middle of copying ↵Mark Hahnenberg2014-09-301-23/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | if it sees a hole https://bugs.webkit.org/show_bug.cgi?id=121717 Reviewed by Oliver Hunt. Source/JavaScriptCore: This bug caused the array to become corrupted. We now check for holes before we start moving things, and start moving things only once we've determined that there are none. * runtime/JSArray.cpp: (JSC::JSArray::shiftCountWithAnyIndexingType): (JSC::JSArray::unshiftCountWithAnyIndexingType): Change-Id: I9948bfa2c9b4a345076f7f2b4e50a566f521b6fe git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156214 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | DFG 32Bit: Crash loading "Classic" site @ translate.google.comMichael Saboff2014-09-301-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=120015 Reviewed by Sam Weinig. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in all versions of fillSpeculateBoolean(). Change-Id: I4de21707f00c1538b82b9bee6b2acc2903611983 Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace ↵Mark Hahnenberg2014-09-254-18/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | corruption Reviewed by Oliver Hunt. When we flatten an object in dictionary mode, we compact its properties. If the object had out-of-line storage in the form of a Butterfly prior to this compaction, and after compaction its properties fit inline, the object's Structure "forgets" that the object has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes with bytes = 0, which causes all sorts of badness in CopiedSpace. Instead, after we flatten a dictionary, if properties fit inline we should clear the Butterfly pointer so that the GC doesn't get confused later. This patch does this clearing, and it also adds JSObject::checkStructure, which overrides JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check that the number of bytes reported to SlotVisitor::copyLater is non-zero. * heap/SlotVisitorInlines.h: (JSC::SlotVisitor::copyLater): * runtime/JSObject.cpp: (JSC::JSObject::notifyPresenceOfIndexedAccessors): (JSC::JSObject::convertUndecidedToInt32): (JSC::JSObject::convertUndecidedToDouble): (JSC::JSObject::convertUndecidedToContiguous): (JSC::JSObject::convertInt32ToDouble): (JSC::JSObject::convertInt32ToContiguous): (JSC::JSObject::genericConvertDoubleToContiguous): (JSC::JSObject::switchToSlowPutArrayStorage): (JSC::JSObject::setPrototype): (JSC::JSObject::putDirectAccessor): (JSC::JSObject::seal): (JSC::JSObject::freeze): (JSC::JSObject::preventExtensions): (JSC::JSObject::reifyStaticFunctionsForDelete): (JSC::JSObject::removeDirect): * runtime/JSObject.h: (JSC::JSObject::setButterfly): (JSC::JSObject::putDirectInternal): (JSC::JSObject::setStructure): (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): * runtime/Structure.cpp: (JSC::Structure::flattenDictionaryStructure): Change-Id: Idfd8c22555f4373c1104316ff1ee28f5f84ef083 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154366 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs ↵Geoffrey Garen2014-09-252-2/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | "wrong!", shouldn't! https://bugs.webkit.org/show_bug.cgi?id=123179 Reviewed by Mark Hahnenberg. Source/JavaScriptCore: * parser/NodeConstructors.h: (JSC::LogicalOpNode::LogicalOpNode): * parser/ResultType.h: (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean. This is JavaScript (aka Sparta). LayoutTests: * js/dom/branch-fold-correctness.html: Added a test for this case. Change-Id: I72f81f31d88dee306428dd5eab9d40fcec009042 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157830 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* | REGRESSION: Crash when opening Facebook.comOliver Hunt2014-09-252-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=119155 Reviewed by Andreas Kling. Scope nodes are always objects, so we should be using SpecObjectOther rather than SpecCellOther. Marking Scopes as CellOther leads to a contradiction in the CFA, resulting in bogus codegen. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): Change-Id: Ic083c04b9351c904ea4b5ee41bcc98c7d66d757d git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153410 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | Incorrect behavior on emscripten-compiled cube2hashFilip Pizlo2014-09-241-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=120033 Source/JavaScriptCore: Reviewed by Mark Hahnenberg. If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar then we should bail attempts to CSE. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::scopedVarLoadElimination): (JSC::DFG::CSEPhase::scopedVarStoreElimination): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154344 268f45cc-cd09-0410-ab3c-d52691b4dbfc Task-number: QTBUG-41500 Change-Id: Ia6bd7b09b20a99d5f4b5a14bf58737bc4b8c6a2b Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | Aligned argument signatures of setupArgumentsWithExecState are missing on MIPS.commit-queue@webkit.org2014-09-191-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=121439 Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-09-16 Reviewed by Geoffrey Garen. Missing implementations of setupArgumentsWithExecState added. Change-Id: Ief1b1505d6c20b091ae0fcc24d7c21f50fcc712a git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155884 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* | ARM EABI hardfp buildfix after r155675ossy@webkit.org2014-09-181-2/+3
| | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=121287 Reviewed by Geoffrey Garen. Change-Id: I03c086a652b501c5424a6de6763fed1c88466e3a git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155705 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* | Fixed crash in V8 benchmark suite in ARM,softp,EABI environment.commit-queue@webkit.org2014-09-182-13/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=117281 Patch by Youngho Yoo <youngho33.yoo@lge.com> on 2013-09-13 Reviewed by Michael Saboff. Fix the missing EABI_32BIT_DUMMY_ARG in FPRReg using callOperation function. Change-Id: I77e7e7a37ada9d33574949220d109e8b5f2392b2 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155675 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* | Fix building QtWebKit for QNXAllan Sandfeld Jensen2014-09-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | Fix method now available in QNX 6.6, lack of std::move even with C++11 enabled, binary structure of stack frames on QNX x86 and the wrongly advertised existence of MADV_FREE and MADV_REUSE. Change-Id: I0dacbd19ed932ec6b3b2cc1d625a347e169615a5 Reviewed-by: Milian Wolff <milian.wolff@kdab.com> Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* | [mips] Fix unaligned access in Low Level Interpreter (LLINT).Julien Brianceau2014-09-051-1/+6
| | | | | | | | | | | | | | | | Address loads used with btbxx opcodes were wrongly converted to lw instruction instead of lbu, leading to unaligned access on mips platforms. Change-Id: I7b14aa40215affe582bcadade2f783769a97a7d3 Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* | [mips] Handle properly halfword load in JavaScriptCore.Julien Brianceau2014-09-031-1/+47
| | | | | | | | | | | | | | | | This patch improves YarrJIT efficiency on mips platforms. SunSpider's regexp-dna test can be used to monitor performance impact. Change-Id: I28d99fb01628bc72f29c120caf8bc53c5d06e3ff Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* | Correct GC length unit and prevent division by 0 in showObjectStatistics.Julien Brianceau2014-08-281-13/+14
| | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=136340 Reviewed by Mark Hahnenberg. Change-Id: I20483be1225d674160bbdab183bc52121fe4411c git-svn-id: http://svn.webkit.org/repository/webkit/trunk@173062 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* | Take advantage of 3 parameters or32() callsJulien Brianceau2014-08-281-12/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=136287 Reviewed by Michael Saboff. For specific architectures (arm and mips for instance), or32() calls with 3 parameters are likely to produce a single instruction. Change-Id: I1c56f5b8229dd2d82d96c56cb10b1ac8dc9ba0b0 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@173006 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* | [mips] Use shorter j <address> jump in MacroAssembler::replaceWithJumpBalazs Kilvady2014-08-253-45/+20
| | | | | | | | | | | | | | Patch taken from https://bugs.webkit.org/show_bug.cgi?id=125920 Change-Id: I6583ea37e00f4dff80971bd44906936229540171 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* | [mips] Take advantage of integer divide instruction for ArithDiv and ArithMod.Julien Brianceau2014-08-235-1/+75
|/ | | | | | | Added MIPS integer divide path for ArithDiv and ArithMod where operands and results are integer. Change-Id: I00d5b58e6e0be39f083676fb0c435b3545d3aca1 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Crash during exception unwindingOliver Hunt2014-07-089-12/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://webkit.org/b/119860 Reviewed by Filip Pizlo. Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node. We need this so that Throw and ThrowReferenceError no longer need to be treated as terminals and the subsequent flush keeps the activation (and other registers) live. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::isTerminal): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): Change-Id: Idb894e780cd3ebe15515d1796c58a339ae54d55f git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154290 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Fix android build error about already defined struct.Sergio Martins2014-06-271-8/+0
| | | | | | | | | | Minimum API version is 9, which already defines this struct in elf.h Also see qtscript/49ab1bd9838dc3c069be780ff6d69a2543c06ed6 which does the same thing there. Change-Id: Ia56f8399156a93edc569e7bb982bd7186a16a445 Reviewed-by: BogDan Vatra <bogdan@kde.org>
* Fix SpeculateCellOperand ASSERT failure in DFG for 32-bit builds.Julien Brianceau2014-06-261-18/+27
| | | | | | | | | | Original patch by Filip Pizlo <fpizlo@apple.com> on 2013-08-28 taken from WebKit r154804 (http://trac.webkit.org/changeset/154804). Task-number: QTBUG-39768 Change-Id: I239f2ee2ec5d1c21f7e50709b8989e744fd87995 Reviewed-by: Zhang Zengbo <zengbo.zhang@gmail.com> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* [mips] Add floating point absolute support in JavaScriptCore.Julien Brianceau2014-06-102-3/+16
| | | | | Change-Id: I8b03fb0380fa444a6da239d8ddb19bdbe6b3d061 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Prevent register clobbering to fix negative zero check in SoftModulo.Julien Brianceau2014-06-061-1/+7
| | | | | | | | This fix is not relevant for x86 architectures. Covered by integer-division-neg2tothe32-by-neg1 JavaScript test. Change-Id: I8ffd1280063305bc98c564f5df57c76cc5b1d7a6 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* [mips] Fix branchTruncateDoubleToUint32 implementation in macro assembler.Julien Brianceau2014-06-051-1/+1
| | | | | | | Test dfg-uint32array-overflow-values fails without this patch. Change-Id: Ia186ab5c3fbc19fd7621f5cc60678b82a6424641 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Fix problems with divot and lineStart mismatches.Mark Lam2014-05-0613-589/+529
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=118662. Reviewed by Oliver Hunt. Source/JavaScriptCore: r152494 added the recording of lineStart values for divot positions. This is needed for the computation of column numbers. Similarly, it also added the recording of line numbers for the divot positions. One problem with the approach taken was that the line and lineStart values were recorded independently, and hence were not always guaranteed to be sampled at the same place that the divot position is recorded. This resulted in potential mismatches that cause some assertions to fail. The solution is to introduce a JSTextPosition abstraction that records the divot position, line, and lineStart as a single quantity. Wherever we record the divot position as an unsigned int previously, we now record its JSTextPosition which captures all 3 values in one go. This ensures that the captured line and lineStart will always match the captured divot position. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitCall): (JSC::BytecodeGenerator::emitCallEval): (JSC::BytecodeGenerator::emitCallVarargs): (JSC::BytecodeGenerator::emitConstruct): (JSC::BytecodeGenerator::emitDebugHook): - Use JSTextPosition instead of passing line and lineStart explicitly. * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitExpressionInfo): - Use JSTextPosition instead of passing line and lineStart explicitly. * bytecompiler/NodesCodegen.cpp: (JSC::ThrowableExpressionData::emitThrowReferenceError): (JSC::ResolveNode::emitBytecode): (JSC::BracketAccessorNode::emitBytecode): (JSC::DotAccessorNode::emitBytecode): (JSC::NewExprNode::emitBytecode): (JSC::EvalFunctionCallNode::emitBytecode): (JSC::FunctionCallValueNode::emitBytecode): (JSC::FunctionCallResolveNode::emitBytecode): (JSC::FunctionCallBracketNode::emitBytecode): (JSC::FunctionCallDotNode::emitBytecode): (JSC::CallFunctionCallDotNode::emitBytecode): (JSC::ApplyFunctionCallDotNode::emitBytecode): (JSC::PostfixNode::emitResolve): (JSC::PostfixNode::emitBracket): (JSC::PostfixNode::emitDot): (JSC::DeleteResolveNode::emitBytecode): (JSC::DeleteBracketNode::emitBytecode): (JSC::DeleteDotNode::emitBytecode): (JSC::PrefixNode::emitResolve): (JSC::PrefixNode::emitBracket): (JSC::PrefixNode::emitDot): (JSC::UnaryOpNode::emitBytecode): (JSC::BinaryOpNode::emitStrcat): (JSC::BinaryOpNode::emitBytecode): (JSC::ThrowableBinaryOpNode::emitBytecode): (JSC::InstanceOfNode::emitBytecode): (JSC::emitReadModifyAssignment): (JSC::ReadModifyResolveNode::emitBytecode): (JSC::AssignResolveNode::emitBytecode): (JSC::AssignDotNode::emitBytecode): (JSC::ReadModifyDotNode::emitBytecode): (JSC::AssignBracketNode::emitBytecode): (JSC::ReadModifyBracketNode::emitBytecode): (JSC::ForInNode::emitBytecode): (JSC::WithNode::emitBytecode): (JSC::ThrowNode::emitBytecode): - Use JSTextPosition instead of passing line and lineStart explicitly. * parser/ASTBuilder.h: - Replaced ASTBuilder::PositionInfo with JSTextPosition. (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo): (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo): (JSC::ASTBuilder::createResolve): (JSC::ASTBuilder::createBracketAccess): (JSC::ASTBuilder::createDotAccess): (JSC::ASTBuilder::createRegExp): (JSC::ASTBuilder::createNewExpr): (JSC::ASTBuilder::createAssignResolve): (JSC::ASTBuilder::createExprStatement): (JSC::ASTBuilder::createForInLoop): (JSC::ASTBuilder::createReturnStatement): (JSC::ASTBuilder::createBreakStatement): (JSC::ASTBuilder::createContinueStatement): (JSC::ASTBuilder::createLabelStatement): (JSC::ASTBuilder::createWithStatement): (JSC::ASTBuilder::createThrowStatement): (JSC::ASTBuilder::appendBinaryExpressionInfo): (JSC::ASTBuilder::appendUnaryToken): (JSC::ASTBuilder::unaryTokenStackLastStart): (JSC::ASTBuilder::assignmentStackAppend): (JSC::ASTBuilder::createAssignment): (JSC::ASTBuilder::setExceptionLocation): (JSC::ASTBuilder::makeDeleteNode): (JSC::ASTBuilder::makeFunctionCallNode): (JSC::ASTBuilder::makeBinaryNode): (JSC::ASTBuilder::makeAssignNode): (JSC::ASTBuilder::makePrefixNode): (JSC::ASTBuilder::makePostfixNode): - Use JSTextPosition instead of passing line and lineStart explicitly. * parser/Lexer.cpp: (JSC::::lex): - Added support for capturing the appropriate JSTextPositions instead of just the character offset. * parser/Lexer.h: (JSC::Lexer::currentPosition): (JSC::::lexExpectIdentifier): - Added support for capturing the appropriate JSTextPositions instead of just the character offset. * parser/NodeConstructors.h: (JSC::Node::Node): (JSC::ResolveNode::ResolveNode): (JSC::EvalFunctionCallNode::EvalFunctionCallNode): (JSC::FunctionCallValueNode::FunctionCallValueNode): (JSC::FunctionCallResolveNode::FunctionCallResolveNode): (JSC::FunctionCallBracketNode::FunctionCallBracketNode): (JSC::FunctionCallDotNode::FunctionCallDotNode): (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode): (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode): (JSC::PostfixNode::PostfixNode): (JSC::DeleteResolveNode::DeleteResolveNode): (JSC::DeleteBracketNode::DeleteBracketNode): (JSC::DeleteDotNode::DeleteDotNode): (JSC::PrefixNode::PrefixNode): (JSC::ReadModifyResolveNode::ReadModifyResolveNode): (JSC::ReadModifyBracketNode::ReadModifyBracketNode): (JSC::AssignBracketNode::AssignBracketNode): (JSC::AssignDotNode::AssignDotNode): (JSC::ReadModifyDotNode::ReadModifyDotNode): (JSC::AssignErrorNode::AssignErrorNode): (JSC::WithNode::WithNode): (JSC::ForInNode::ForInNode): - Use JSTextPosition instead of passing line and lineStart explicitly. * parser/Nodes.cpp: (JSC::StatementNode::setLoc): - Use JSTextPosition instead of passing line and lineStart explicitly. * parser/Nodes.h: (JSC::Node::lineNo): (JSC::Node::startOffset): (JSC::Node::lineStartOffset): (JSC::Node::position): (JSC::ThrowableExpressionData::ThrowableExpressionData): (JSC::ThrowableExpressionData::setExceptionSourceCode): (JSC::ThrowableExpressionData::divot): (JSC::ThrowableExpressionData::divotStart): (JSC::ThrowableExpressionData::divotEnd): (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData): (JSC::ThrowableSubExpressionData::setSubexpressionInfo): (JSC::ThrowableSubExpressionData::subexpressionDivot): (JSC::ThrowableSubExpressionData::subexpressionStart): (JSC::ThrowableSubExpressionData::subexpressionEnd): (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData): (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo): (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot): (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart): (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd): - Use JSTextPosition instead of passing line and lineStart explicitly. * parser/Parser.cpp: (JSC::::Parser): (JSC::::parseInner): - Use JSTextPosition instead of passing line and lineStart explicitly. (JSC::::didFinishParsing): - Remove setting of m_lastLine value. We always pass in the value from m_lastLine anyway. So, this assignment is effectively a nop. (JSC::::parseVarDeclaration): (JSC::::parseVarDeclarationList): (JSC::::parseForStatement): (JSC::::parseBreakStatement): (JSC::::parseContinueStatement): (JSC::::parseReturnStatement): (JSC::::parseThrowStatement): (JSC::::parseWithStatement): (JSC::::parseTryStatement): (JSC::::parseBlockStatement): (JSC::::parseFunctionDeclaration): (JSC::LabelInfo::LabelInfo): (JSC::::parseExpressionOrLabelStatement): (JSC::::parseExpressionStatement): (JSC::::parseAssignmentExpression): (JSC::::parseBinaryExpression): (JSC::::parseProperty): (JSC::::parsePrimaryExpression): (JSC::::parseMemberExpression): (JSC::::parseUnaryExpression): - Use JSTextPosition instead of passing line and lineStart explicitly. * parser/Parser.h: (JSC::Parser::next): (JSC::Parser::nextExpectIdentifier): (JSC::Parser::getToken): (JSC::Parser::tokenStartPosition): (JSC::Parser::tokenEndPosition): (JSC::Parser::lastTokenEndPosition): (JSC::::parse): - Use JSTextPosition instead of passing line and lineStart explicitly. * parser/ParserTokens.h: (JSC::JSTextPosition::JSTextPosition): (JSC::JSTextPosition::operator+): (JSC::JSTextPosition::operator-): (JSC::JSTextPosition::operator int): - Added JSTextPosition. * parser/SyntaxChecker.h: (JSC::SyntaxChecker::makeFunctionCallNode): (JSC::SyntaxChecker::makeAssignNode): (JSC::SyntaxChecker::makePrefixNode): (JSC::SyntaxChecker::makePostfixNode): (JSC::SyntaxChecker::makeDeleteNode): (JSC::SyntaxChecker::createResolve): (JSC::SyntaxChecker::createBracketAccess): (JSC::SyntaxChecker::createDotAccess): (JSC::SyntaxChecker::createRegExp): (JSC::SyntaxChecker::createNewExpr): (JSC::SyntaxChecker::createAssignResolve): (JSC::SyntaxChecker::createForInLoop): (JSC::SyntaxChecker::createReturnStatement): (JSC::SyntaxChecker::createBreakStatement): (JSC::SyntaxChecker::createContinueStatement): (JSC::SyntaxChecker::createWithStatement): (JSC::SyntaxChecker::createLabelStatement): (JSC::SyntaxChecker::createThrowStatement): (JSC::SyntaxChecker::appendBinaryExpressionInfo): (JSC::SyntaxChecker::operatorStackPop): - Use JSTextPosition instead of passing line and lineStart explicitly. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153477 268f45cc-cd09-0410-ab3c-d52691b4dbfc Task-number: QTBUG-38708 Change-Id: Ic6a65e8915c634dffe76b7181b38d6be0ab4a45d Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* [mips] Fix or32 implementation in macro assembler.Julien Brianceau2014-04-081-1/+3
| | | | | | | | This patch fixes JavaScript issues for the mips backend, especially in the DFG stage when using (x|0) expressions. Change-Id: I4c7c7280735481dc06ca24745d2e42b2d8e13ef5 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Fix compiler warnings when building Qt WebKitAllan Sandfeld Jensen2014-03-181-4/+4
| | | | | | | | Fix warnings about C++11 violating syntax, unused variables in leveldb and non anynomous classes deriving from anonymous ones. Change-Id: I39326eed03fabe2856f1ea7c93eff65f30ee78ee Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Fix build: LLIntAssembly.h is in a subdir of generated/Thiago Macieira2014-03-171-1/+2
| | | | | | | | | ruby /home/thiago/src/qt/qt5/qtwebkit/Source/JavaScriptCore/offlineasm/asm.rb /home/thiago/src/qt/qt5/qtwebkit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm LLIntOffsetsExtractor generated/LLIntOffsetsExtractor/LLIntAssembly.h offlineasm: Parsing /home/thiago/src/qt/qt5/qtwebkit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm and LLIntOffsetsExtractor and creating assembly file generated/LLIntOffsetsExtractor/LLIntAssembly.h. Change-Id: If12f1476de74c3feeb5c6d6e2e115829e1106581 Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Use qmake optimize_fullAllan Sandfeld Jensen2014-03-101-4/+1
| | | | | | | | | | Qmake now has new config optimize_full that replaces -O2 with -O3. We should use that in QtWebKit instead of trying to do the same ourselves. This makes clang now use -O3 like gcc does. Change-Id: I3db6167833c579bdea941d3ad1b3636cbad62475 Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* Compile fix for Win64 with jit disabled.achristensen@apple.com2014-03-071-1/+1
| | | | | | | | | | | | https://bugs.webkit.org/show_bug.cgi?id=119804 Reviewed by Michael Saboff. * offlineasm/cloop.rb: Added std:: before isnan. Change-Id: Ie7d922b7d6a0f45619a77029b07804aef5d01076 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154066 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on ↵Mark Hahnenberg2014-03-071-2/+2
| | | | | | | | | | | | | | | | | the length of the ArrayStorage after possible reallocing it https://bugs.webkit.org/show_bug.cgi?id=120278 Reviewed by Geoffrey Garen. Source/JavaScriptCore: * runtime/JSObject.cpp: (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): Change-Id: I034d6950683304d08a4e076d58fb1b999ade444b git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154633 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Setting a large numeric property on an object causes it to allocate a huge ↵Mark Hahnenberg2014-03-072-5/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | backing store https://bugs.webkit.org/show_bug.cgi?id=118914 Reviewed by Geoffrey Garen. Source/JavaScriptCore: There are two distinct actions that we're trying to optimize for: new Array(100000); and: a = []; a[100000] = 42; In the first case, the programmer has indicated that they expect this Array to be very big, so they should get a contiguous array up until some threshold, above which we perform density calculations to see if it is indeed dense enough to warrant being contiguous. In the second case, the programmer hasn't indicated anything about the size of the Array, so we should be more conservative and assume it should be sparse until we've proven otherwise. Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish between them for the purposes of not over-allocating large backing stores like we see on http://www.peekanalytics.com/burgerjoints/ The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and introduce a new heuristic for the second case. If we are putting to an index above a certain threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse map instead. So for example, in the second case above the empty array has a blank indexing type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map. This fix is ~800x speedup on the accompanying regression test :-o * runtime/ArrayConventions.h: (JSC::indexIsSufficientlyBeyondLengthForSparseMap): * runtime/JSObject.cpp: (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage): (JSC::JSObject::putByIndexBeyondVectorLength): (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153374 268f45cc-cd09-0410-ab3c-d52691b4dbfc Change-Id: I1c29992d6e09c9d523a8093e76e3848a9581ce45 Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Use moveDoubleToInts in SpecializedThunkJIT::returnDouble for non-X86 ↵Julien Brianceau2014-03-031-0/+5
| | | | | | | | | | | | | | | | | | | | JSVALUE32_64 ports. https://bugs.webkit.org/show_bug.cgi?id=124936 Patch by Julien Brianceau <jbriance@cisco.com> on 2013-11-29 Reviewed by Zoltan Herczeg. The moveDoubleToInts implementations in ARM, MIPS and SH4 macro assemblers do not clobber src FPRegister and are likely to be more efficient than the current generic implementation using the stack. * jit/SpecializedThunkJIT.h: (JSC::SpecializedThunkJIT::returnDouble): Change-Id: Ie3b6516a4047717212521315e85f5e2094373cbc git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159873 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Fix build on x32v5.3.0-alpha1Allan Sandfeld Jensen2014-02-251-1/+1
| | | | | | | Recognize x32 and disable JIT and native LLINT in this configuration. Change-Id: I1576e38ffcff92495c4c108f66f2df17de9a5e9c Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Fix Qt WebKit build on architectures without JIT supportAllan Sandfeld Jensen2014-02-211-0/+4
| | | | | | | | | | | | | The fallback LLINT interpreter was triggering YARR JIT which would fail to compile and also trigger ENABLE_ASSEMBLER which would trigger even more not to compile. YARR JIT is only supported on platforms with valid JIT or native LLINT support. So we must avoid it when the fallback is used Task-number: QTBUG-36969 Change-Id: Ie94bcb316e192feb33ab528ddc3a328af154cebf Reviewed-by: Michael Bruning <michael.bruning@digia.com> Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Merge remote-tracking branch 'origin/stable' into devFrederik Gladhorn2014-02-122-52/+115
|\ | | | | | | Change-Id: Iea6cf3f34fb33f2d138b72243b0e688958d9424e
View Lorry Controller Status