Timeline

Jun 9, 2013:

11:25 PM Changeset in webkit [151364] by commit-queue@webkit.org

• 2 edits in trunk/Source/WebKit2

[CoordinatedGraphics] Typo in argument decoder for CoordinatedGraphicsState
​https://bugs.webkit.org/show_bug.cgi?id=117384

Patch by Jae Hyun Park <​jae.park@company100.net> on 2013-06-09
Reviewed by Noam Rosenthal.

For CSS Shaders, it must decode state.customFiltersToRemove instead of
state.updateAtlasesToRemove.

• Shared/CoordinatedGraphics/CoordinatedGraphicsArgumentCoders.cpp:

(CoreIPC::::decode):

10:45 PM Changeset in webkit [151363] by ggaren@apple.com

• 93 edits
  4 adds
  4 deletes in branches/dfgFourthTier

Re-worked non-local variable resolution
​https://bugs.webkit.org/show_bug.cgi?id=117375

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

This patch has two goals:

(1) Simplicity.

• Net removes 15 opcodes.
• Net removes 2,000 lines of code.
• Removes setPair() from the DFG: All DFG nodes have 1 result register now.

(2) Performance.

• 2%-3% speedup on SunSpider (20% in LLInt and Baseline JIT)
• 2% speedup on v8-spider
• 10% speedup on js-regress-hashmap*
• Amusing 2X speedup on js-regress-poly-stricteq

The bytecode now separates the scope chain resolution opcode from the
scope access opcode.

OLD:

get_scoped_var r0, 1, 0
inc r0
put_scoped_var 1, 0, r0

NEW:

resolve_scope r0, x(@id0)
get_from_scope r1, r0, x(@id0)
inc r1
put_to_scope r0, x(@id0), r1

Also, we link non-local variable resolution opcodes at CodeBlock link
time instead of time of first opcode execution.

This means that we can represent all possible non-local variable
resolutions using just three opcodes, and any optimizations in these
opcodes naturally apply across-the-board.

• API/JSCTestRunnerUtils.cpp:

(JSC::numberOfDFGCompiles):

• GNUmakefile.list.am:
• JavaScriptCore.gypi:
• JavaScriptCore.order:
• JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• Target.pri: Build!

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode): Updated for removed things.

(JSC::CodeBlock::CodeBlock): Always provide the full scope chain when
creating a CodeBlock, so we can perform non-local variable resolution.

Added code to perform linking for these opcodes. This is where we figure
out which non-local variable resolutions are optimizable, and how.

(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::noticeIncomingCall):
(JSC::CodeBlock::optimizeAfterWarmUp):
(JSC::CodeBlock::optimizeAfterLongWarmUp):
(JSC::CodeBlock::optimizeSoon): Updated for removed things.

• bytecode/CodeBlock.h:

(JSC::CodeBlock::needsActivation):
(JSC::GlobalCodeBlock::GlobalCodeBlock):
(JSC::ProgramCodeBlock::ProgramCodeBlock):
(JSC::EvalCodeBlock::EvalCodeBlock):
(JSC::FunctionCodeBlock::FunctionCodeBlock):

• bytecode/EvalCodeCache.h:

(JSC::EvalCodeCache::getSlow): Updated for interface changes.

• bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeFor): Treat global object access as
optimizable even though the global object has a custom property access
callback. This is what we've always done since, otherwise, we can't
optimize globals. (In future, we probably want to figure out a more
targeted policy than "any property access callback means no
optimization".)

• bytecode/GlobalResolveInfo.h: Removed.
• bytecode/Instruction.h:
• bytecode/Opcode.h:

(JSC::padOpcodeName):

• bytecode/PutByIdStatus.cpp:

(JSC::PutByIdStatus::computeFor): Like GetByIdStatus.

• bytecode/ResolveGlobalStatus.cpp: Removed.
• bytecode/ResolveGlobalStatus.h: Removed.
• bytecode/ResolveOperation.h: Removed.

• bytecode/UnlinkedCodeBlock.cpp:

(JSC::generateFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::codeBlockFor):
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):

• bytecode/UnlinkedCodeBlock.h: Don't provide a scope chain to unlinked

code blocks. Giving a scope to an unscoped compilation unit invites
programming errors.

• bytecode/Watchpoint.h:

(JSC::WatchpointSet::addressOfIsInvalidated):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::resolveCallee):
(JSC::BytecodeGenerator::local):
(JSC::BytecodeGenerator::constLocal):
(JSC::BytecodeGenerator::resolveType):
(JSC::BytecodeGenerator::emitResolveScope):
(JSC::BytecodeGenerator::emitGetFromScope):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitInstanceOf):
(JSC::BytecodeGenerator::emitPushWithScope):
(JSC::BytecodeGenerator::emitPopScope):
(JSC::BytecodeGenerator::pushFinallyContext):
(JSC::BytecodeGenerator::emitComplexPopScopes):
(JSC::BytecodeGenerator::popTryAndEmitCatch):
(JSC::BytecodeGenerator::emitPushNameScope):
(JSC::BytecodeGenerator::isArgumentNumber):

• bytecompiler/BytecodeGenerator.h:

(JSC::Local::Local):
(JSC::Local::operator bool):
(JSC::Local::get):
(JSC::Local::isReadOnly):
(JSC::BytecodeGenerator::scopeDepth):
(JSC::BytecodeGenerator::shouldOptimizeLocals):
(JSC::BytecodeGenerator::canOptimizeNonLocals): Refactored the bytecode
generator to resolve all variables within local scope, as if there
were no non-local scope. This helps provide a separation of concerns:
unlinked bytecode is always scope-free, and the linking stage links
in the provided scope.

• bytecompiler/NodesCodegen.cpp:

(JSC::ResolveNode::isPure):
(JSC::ResolveNode::emitBytecode):
(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::DeleteResolveNode::emitBytecode):
(JSC::TypeOfResolveNode::emitBytecode):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::ForInNode::emitBytecode): A bunch of this codegen is no longer
necessary, since it's redundant with the linking stage.

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::ByteCodeParser):
(JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
(JSC::DFG::ByteCodeParser::handlePutByOffset):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock): Updated for interface changes.
Notably, we can reuse existing DFG nodes -- but the mapping between
bytecode and DFG nodes has changed, and some nodes and corner cases have
been removed.

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::scopedVarLoadElimination):
(JSC::DFG::CSEPhase::varInjectionWatchpointElimination):
(JSC::DFG::CSEPhase::globalVarStoreElimination):
(JSC::DFG::CSEPhase::scopedVarStoreElimination):
(JSC::DFG::CSEPhase::getLocalLoadElimination):
(JSC::DFG::CSEPhase::setLocalStoreElimination):
(JSC::DFG::CSEPhase::performNodeCSE): Added CSE for var injection
watchpoints. Even though watchpoints are "free", they're quite common
inside code that's subject to var injection, so I figured we'd save a
little memory.

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGCapabilities.h: Removed detection for old forms.

• dfg/DFGDriver.h:

(JSC::DFG::tryCompile):
(JSC::DFG::tryCompileFunction):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGGraph.h:
• dfg/DFGJITCode.cpp:
• dfg/DFGNode.h:

(JSC::DFG::Node::convertToStructureTransitionWatchpoint):
(JSC::DFG::Node::hasVarNumber):
(JSC::DFG::Node::hasIdentifierNumberForCheck):
(JSC::DFG::Node::hasRegisterPointer):
(JSC::DFG::Node::hasHeapPrediction):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGRepatch.h:

(JSC::DFG::dfgResetGetByID):
(JSC::DFG::dfgResetPutByID):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation): Removed some unneeded things,
and updated for renames.

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile): The two primary changes here are:

(1) Use a watchpoint for var injection instead of looping over the scope
chain and checking. This is more efficient and much easier to model in
code generation.

(2) I've eliminated the notion of an optimized global assignment that
needs to check for whether it should fire a watchpiont. Instead, we
fire pre-emptively at the point of optimization. This removes a bunch
of edge cases, and it seems like a more honest representation of
the fact that our new optimization contradicts our old one.

• dfg/DFGTypeCheckHoistingPhase.cpp:

(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):

• heap/DFGCodeBlocks.cpp:

(JSC::DFGCodeBlocks::jettison):

• interpreter/CallFrame.h:

(JSC::ExecState::trueCallFrame): Removed stuff that's unused now, and
fixed the build.

• interpreter/Interpreter.cpp:

(JSC::eval):
(JSC::getBytecodeOffsetForCallFrame):
(JSC::getCallerInfo):
(JSC::Interpreter::throwException): Updated exception scope tracking
to match the rest of our linking strategy: The unlinked bytecode compiles
exception scope as if non-local scope did not exist, and we add in
non-local scope at link time. This means that we can restore the right
scope depth based on a simple number, without checking the contents of
the scope chain.

(JSC::Interpreter::execute): Make sure to establish the full scope chain
before linking eval code. We now require the full scope chain at link
time, in order to link non-local variable resolution opcodes.

• jit/JIT.cpp:

(JSC::JIT::JIT):
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:
• jit/JITArithmetic.cpp:

(JSC::JIT::emit_op_add):

• jit/JITCode.cpp:
• jit/JITOpcodes.cpp:

(JSC::JIT::emitSlow_op_bitxor):
(JSC::JIT::emitSlow_op_bitor):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emitSlow_op_to_primitive):
(JSC::JIT::emit_op_strcat):
(JSC::JIT::emitSlow_op_create_this):
(JSC::JIT::emitSlow_op_to_this):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitVarInjectionCheck):
(JSC::JIT::emitResolveClosure):
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emitSlow_op_resolve_scope):
(JSC::JIT::emitLoadWithStructureCheck):
(JSC::JIT::emitGetGlobalProperty):
(JSC::JIT::emitGetGlobalVar):
(JSC::JIT::emitGetClosureVar):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emitPutGlobalProperty):
(JSC::JIT::emitPutGlobalVar):
(JSC::JIT::emitPutClosureVar):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::emit_op_init_global_const):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emitVarInjectionCheck):
(JSC::JIT::emitResolveClosure):
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emitSlow_op_resolve_scope):
(JSC::JIT::emitLoadWithStructureCheck):
(JSC::JIT::emitGetGlobalProperty):
(JSC::JIT::emitGetGlobalVar):
(JSC::JIT::emitGetClosureVar):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emitPutGlobalProperty):
(JSC::JIT::emitPutGlobalVar):
(JSC::JIT::emitPutClosureVar):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::emit_op_init_global_const):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• jit/JITStubs.h: Re-wrote baseline JIT codegen for our new variable

resolution model.

• llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions):

• llint/LLIntSlowPaths.cpp:
• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter.cpp:

(JSC::CLoop::execute):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm: Ditto for LLInt.

• offlineasm/x86.rb: Fixed a pre-existing encoding bug for a syntactic

form that we never used before.

• runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncFilter):
(JSC::arrayProtoFuncMap):
(JSC::arrayProtoFuncEvery):
(JSC::arrayProtoFuncForEach):
(JSC::arrayProtoFuncSome):
(JSC::arrayProtoFuncReduce):
(JSC::arrayProtoFuncReduceRight):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf): Fixed some pre-existing bugs in
'this' value conversion, which I made much more common by removing
special cases in bytecode generation.

These functions need to invoke toThis() because they observe the 'this'
value. Also, toLocaleString() is specified to accept non-array 'this'
values.

(Most other host functions don't need this fix because they perform
strict 'this' checking, which never coerces unexpected types.)

• runtime/CodeCache.cpp:

(JSC::CodeCache::getCodeBlock):
(JSC::CodeCache::getProgramCodeBlock):
(JSC::CodeCache::getEvalCodeBlock):

• runtime/CodeCache.h: Don't supply a scope to the unlinked code cache.

Unlinked code is supposed to be scope-free, so let's have the compiler
help verify that.

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/CommonSlowPaths.h:
• runtime/Executable.cpp:

(JSC::EvalExecutable::create):
(JSC::EvalExecutable::compileInternal):
(JSC::ProgramExecutable::compileInternal):
(JSC::FunctionExecutable::produceCodeBlockFor):
(JSC::FunctionExecutable::compileForCallInternal):
(JSC::FunctionExecutable::compileForConstructInternal):

• runtime/Executable.h:

(JSC::EvalExecutable::numVariables):
(JSC::EvalExecutable::numberOfFunctionDecls):

• runtime/ExecutionHarness.h:

(JSC::prepareForExecutionImpl):
(JSC::prepareFunctionForExecutionImpl):
(JSC::installOptimizedCode): Fiddled with executable initialization so
that we can always generate a full scope chain before we go to link a
code block. We need this because code block linking now depends on the
scope chain to link non-local variable resolution opcodes.

• runtime/JSActivation.h:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::createEvalCodeBlock):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::varInjectionWatchpoint):

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncEval):

• runtime/JSNameScope.h:
• runtime/JSScope.cpp:

(JSC::abstractAccess):
(JSC::JSScope::objectAtScope):
(JSC::JSScope::depth):
(JSC::JSScope::resolve):
(JSC::JSScope::abstractResolve): Updated to match changes explained above.

• runtime/JSScope.h:

(JSC::makeType):
(JSC::needsVarInjectionChecks):
(JSC::ResolveOp::ResolveOp):
(JSC::ResolveModeAndType::ResolveModeAndType):
(JSC::ResolveModeAndType::mode):
(JSC::ResolveModeAndType::type):
(JSC::ResolveModeAndType::operand): Removed the old variable resolution
state machine, since it's unused now. Added logic for performing abstract
variable resolution at link time. This is used by codeblock linking.

• runtime/ObjectPrototype.cpp:

(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncPropertyIsEnumerable):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString): Fixed some pre-existing bugs in
'this' value conversion, which I made much more common by removing
special cases in bytecode generation.

These functions need to invoke toThis() because they observe the 'this'
value.

• runtime/StringPrototype.cpp:

(JSC::checkObjectCoercible):
(JSC::stringProtoFuncReplace):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCharCodeAt):
(JSC::stringProtoFuncConcat):
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncLastIndexOf):
(JSC::stringProtoFuncMatch):
(JSC::stringProtoFuncSearch):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSplit):
(JSC::stringProtoFuncSubstr):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncToLowerCase):
(JSC::stringProtoFuncToUpperCase):
(JSC::stringProtoFuncLocaleCompare):
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):
(JSC::trimString): Fixed some pre-existing bugs in
'this' value conversion, which I made much more common by removing
special cases in bytecode generation.

These functions need to invoke toThis() because they observe the 'this'
value.

• runtime/StructureRareData.cpp:
• runtime/VM.cpp:

(JSC::VM::~VM):

• runtime/WriteBarrier.h:

(JSC::WriteBarrierBase::slot): Modified to reduce casting in client code.

LayoutTests:

This patch removed special-case 'this' resolution from bytecode, making
some pre-existing edge cases in 'this' value treatment much more common.

I updated the test results below, and added some tests, to match bug
fixes for these cases.

• fast/js/script-tests/array-functions-non-arrays.js:
• fast/js/array-functions-non-arrays-expected.txt: As specified, it's

not an error to pass a non-array to toLocaleString. Our new result
matches Firefox and Chrome.

• fast/js/array-prototype-properties-expected.txt: Updated for slightly

clearer error message.

• fast/js/basic-strict-mode-expected.txt: Updated for slightly more

standard error message.

• fast/js/object-prototype-toString-expected.txt: Added.
• fast/js/object-prototype-toString.html: Added. This test demonstrates

why we now fail a Sputnik test below, while Firefox and Chrome pass it.
(The test doesn't test what it thinks it tests, and this test verifies
that we get right what it does think it tests.)

• fast/js/string-prototype-function-this-expected.txt: Added.
• fast/js/string-prototype-function-this.html: Added. This test shows

that we CheckObjectCoercible in string prototype functions. (We used
to get this wrong, but Sputnik tests made it seem like we got it right
because they didn't test the dynamic scope case.)

• sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.3_Array_prototype_toLocaleString/S15.4.4.3_A2_T1-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt:

Updated to show failing results. Firefox and Chrome also fail these
tests, and the ES5 spec seems to mandate failure. Because these tests
resolve a String.prototype function at global scope, the 'this' value
for the call is an environment record. Logically, an environment record
converts to 'undefined' at the call site, and should then fail the
CheckObjectCoercible test.

10:15 PM Changeset in webkit [151362] by ggaren@apple.com

• 28 edits
  2 adds in branches/dfgFourthTier/Source/JavaScriptCore

Unreviewed, rolled back in ​http://trac.webkit.org/changeset/151342.

I filled in the missing return register loads, and tests
seem to pass now.

2013-06-07 Michael Saboff <​msaboff@apple.com>

fourthTier: The baseline jit and LLint should use common slow paths
​https://bugs.webkit.org/show_bug.cgi?id=116889

8:08 PM Changeset in webkit [151361] by Brent Fulgham

• 2 edits in trunk/Tools

[Windows] Unreviewed test correction: Prevent DumpRenderTree crashes

• DumpRenderTree/win/AccessibilityUIElementWin.cpp:

(AccessibilityUIElement::role): Prevent crashes when m_element is null. This
happends in some of the 'accessibility' test cases.

2:22 PM Changeset in webkit [151360] by roger_fong@apple.com

• 8 edits
  2 adds in trunk

Layout info should never be cleared before delayed scroll information updates.
​https://bugs.webkit.org/show_bug.cgi?id=116689.

Reviewed by Darin Adler.

Test: fast/flexbox/clear-overflow-before-scroll-update.html

Make sure that clearLayoutOverflow only gets called after layer()->updateScrollInfoAfterLayout().
Also move clearLayoutOverflow to RenderBlock so we can keep all the delayed scroll update logic in RenderBlock.

• rendering/RenderBlock.cpp:

(WebCore::RenderBlock::finishDelayUpdateScrollInfo): Call clearLayoutOverflow here.
(WebCore::RenderBlock::layout): Only call clearLayoutOverflow here if scrolling isn't being delayed.
(WebCore::RenderBlock::clearLayoutOverflow): Remove clearLayoutOverflow, move into RenderBlock to keep delayed scrolling logic in the same file.

• rendering/RenderBlock.h:
• rendering/RenderBox.cpp:
• rendering/RenderBox.h:
• rendering/RenderDeprecatedFlexibleBox.cpp: Should call updateScrollInfoAfterLayout, not layer()->updateScrollInfoAfterLayout(), so that it takes delayed scrolling logic into account.

(WebCore::RenderDeprecatedFlexibleBox::layoutBlock):

• rendering/RenderGrid.cpp: Ditto

(WebCore::RenderGrid::layoutBlock):

1:57 PM Changeset in webkit [151359] by benjamin@webkit.org

• 3 edits in trunk/Source/WebCore

Split the 3 paths of SelectorDataList::execute() into 3 separate functions
​https://bugs.webkit.org/show_bug.cgi?id=117378

Patch by Benjamin Poulain <​bpoulain@apple.com> on 2013-06-09
Reviewed by Ryosuke Niwa.

Split those to have several small execute() fucntions instead of a giant one.

• dom/SelectorQuery.cpp:

(WebCore::selectorForIdLookup):
(WebCore::isTreeScopeRoot):
(WebCore::SelectorDataList::executeFastPathForIdSelector):
(WebCore::SelectorDataList::executeSingleSelectorData):
(WebCore::SelectorDataList::executeSingleMultiSelectorData):
(WebCore::SelectorDataList::execute):

• dom/SelectorQuery.h:

1:56 PM Changeset in webkit [151358] by fpizlo@apple.com

• 2 edits in branches/dfgFourthTier/Tools

Unreviewed, fix minor goof in profiling output layout. We weren't accounting
for the "/" that is printed between engine counts.

• Scripts/display-profiler-output:

1:04 PM Changeset in webkit [151357] by fpizlo@apple.com

• 4 edits in branches/dfgFourthTier/Source

Source/WebCore: Unreviewed, fix build. Use at() instead of operator[] because of ambiguity on some compilers.

• page/CaptionUserPreferencesMac.mm:

(WebCore::languageIdentifier):

Source/WTF: Unreviewed, fix build. On some compilers the automatic coercion from WTF::String to NSString*
causes operator[] to appear ambiguous. One way around this is to make WTF::String behave like
most of our other classes: at(unsigned) is always a valid synonym for operator[](unsigned).

• wtf/text/WTFString.h:

(WTF::String::at):
(WTF::String::operator[]):

12:52 PM Changeset in webkit [151356] by benjamin@webkit.org

• 3 edits in trunk/Source/WebCore

Scrolling with platformWidget and delegateScrolling is incorrectly clamped
​https://bugs.webkit.org/show_bug.cgi?id=117369
<rdar://problem/13985064>

Patch by Benjamin Poulain <​bpoulain@apple.com> on 2013-06-09
Reviewed by Darin Adler.

The patch ​http://trac.webkit.org/changeset/142526 clamps the input position
in the ScrollView scroll range. This was done for the path to the ScrollingCoordinator.

The problem with that change is ScrollView::setScrollPosition() can delegate the scrolling
to either a platformWidget, or through delegateScrolling. After r142526, the position is clamped,
and we do not let those external scrolling mechanims handle the out-of-bound scrolling.

This patch fixes the issue by moving the threaded scrolling call to ScrollView,
after the delegate handling code.

• page/FrameView.cpp:

(WebCore::FrameView::setScrollPosition):
(WebCore::FrameView::requestScrollPositionUpdate):

12:19 PM Changeset in webkit [151355] by fpizlo@apple.com

• 7 edits
  6 adds in branches/dfgFourthTier

fourthTier: DFG GetById patching shouldn't distinguish between self lists and proto lists
​https://bugs.webkit.org/show_bug.cgi?id=117377

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

Previously if you did self accesses and then wanted to do a prototype access, you'd
have a bad time: the prototype accesses would be forced to take slow path because
the self list wouldn't allow prototype accesses. Likewise if you did prototype (or
chain) accesses and then wanted to do a self access, similar stupidity would ensue.

This fixes the stupidity.

I believe that this was introduced way back in the days of the old interpreter,
where distinguishing between self lists, proto lists, and chain lists was meaningful
for interpreter performance: it meant fewer branches to evaluate those lists. Then
it got mostly carried over to the old JIT since the old JIT was just initially an
optimized version of the old interpreter, and then later it got carried over to the
DFG because I didn't know any better at the time. Now I do know better and I'm
fixing it.

• bytecode/PolymorphicAccessStructureList.h:

(JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):

• bytecode/StructureStubInfo.h:

(JSC::StructureStubInfo::initGetByIdSelfList):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGRepatch.cpp:

(JSC::DFG::tryCacheGetByID):
(JSC::DFG::getPolymorphicStructureList):
(DFG):
(JSC::DFG::patchJumpToGetByIdStub):
(JSC::DFG::tryBuildGetByIDList):
(JSC::DFG::dfgBuildGetByIDList):

LayoutTests:

Reviewed by Geoffrey Garen.

Add tests that show why this is important. These tests speed up by more than 3x.

• fast/js/regress/get-by-id-proto-or-self-expected.txt: Added.
• fast/js/regress/get-by-id-proto-or-self.html: Added.
• fast/js/regress/get-by-id-self-or-proto-expected.txt: Added.
• fast/js/regress/get-by-id-self-or-proto.html: Added.
• fast/js/regress/script-tests/get-by-id-proto-or-self.js: Added.

(foo):
(bar):
(Foo):

• fast/js/regress/script-tests/get-by-id-self-or-proto.js: Added.

(foo):
(bar):
(Foo):

12:04 PM Changeset in webkit [151354] by mark.lam@apple.com

• 14 edits in branches/dfgFourthTier/Source/JavaScriptCore

Fix broken no-DFG build.
​https://bugs.webkit.org/show_bug.cgi?id=117381.

Reviewed by Geoffrey Garen.

• bytecode/CodeBlock.cpp:
• bytecode/CodeBlock.h:

(CodeBlock):
(ProgramCodeBlock):
(EvalCodeBlock):
(FunctionCodeBlock):

• dfg/DFGCapabilities.h:
• dfg/DFGDriver.h:

(JSC::DFG::tryCompile):
(JSC::DFG::tryCompileFunction):

• dfg/DFGJITCode.cpp:
• dfg/DFGRepatch.h:

(JSC::DFG::dfgResetGetByID):
(JSC::DFG::dfgResetPutByID):

• heap/DFGCodeBlocks.cpp:

(JSC::DFGCodeBlocks::jettison):

• interpreter/CallFrame.h:

(ExecState):
(JSC::ExecState::trueCallFrame):

• interpreter/Interpreter.cpp:

(JSC::getCallerInfo):

• runtime/Executable.cpp:
• runtime/Executable.h:

(EvalExecutable):
(ProgramExecutable):
(FunctionExecutable):

• runtime/ExecutionHarness.h:
• runtime/VM.cpp:

(JSC::VM::~VM):

Jun 8, 2013:

11:36 PM Changeset in webkit [151353] by commit-queue@webkit.org

• 2 edits in trunk/Source/WebKit2

[Coordinated Graphics] Pass the ownership of GraphicsSurface explicitly
​https://bugs.webkit.org/show_bug.cgi?id=117379

Patch by Jae Hyun Park <​jae.park@company100.net> on 2013-06-08
Reviewed by Noam Rosenthal.

When creating WebCoordinatedSurface with GraphicsSurface, it is clearer
to pass the ownership of the created GraphicsSurface explicitly.

• Shared/CoordinatedGraphics/WebCoordinatedSurface.cpp:

(WebKit::WebCoordinatedSurface::create):

10:38 PM Changeset in webkit [151352] by fpizlo@apple.com

• 4 edits in branches/dfgFourthTier/Source

fourthTier: Recursive deadlock in DFG::ByteCodeParser
​https://bugs.webkit.org/show_bug.cgi?id=117376

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Leave the lock early to prevent a deadlock beneath get().

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

Source/WTF:

Reviewed by Mark Hahnenberg.

I've often wanted to leave a lock early. Now I have that power!

• wtf/Locker.h:

(WTF::Locker::Locker):
(WTF::Locker::~Locker):
(Locker):
(WTF::Locker::unlockEarly):
(WTF::Locker::lock):

7:43 PM Changeset in webkit [151351] by igor.o@sisa.samsung.com

• 4 edits
  3 adds in trunk

before/after generated content is not working with HTMLSummaryElement and HTMLDetailsElement.
​https://bugs.webkit.org/show_bug.cgi?id=117374

Source/WebCore:

Allow before/after pseudo generated content be added in HTMLDetailsElement and HTMLSumamaryElement.

Reviewed by Ryosuke Niwa.

Test: fast/css-generated-content/details-summary-before-after.html

• html/HTMLDetailsElement.cpp:

(WebCore::HTMLDetailsElement::childShouldCreateRenderer):

• html/HTMLSummaryElement.cpp:

(WebCore::HTMLSummaryElement::childShouldCreateRenderer):

LayoutTests:

Reviewed by Ryosuke Niwa.

• fast/css-generated-content/details-summary-before-after.html: Added.
• platform/mac/fast/css-generated-content/details-summary-before-after-expected.txt: Added.
• platform/mac/fast/css-generated-content/details-summary-before-after-expected.png: Added

4:58 PM Changeset in webkit [151350] by kalyan.kondapally@intel.com

• 2 edits
  2 adds in trunk/LayoutTests

[EFL][WebGL] Enable webgl-background-color test.
​https://bugs.webkit.org/show_bug.cgi?id=111428

Reviewed by Christophe Dumez.

This patch adds platform specific test expectation files for the
test and enables it for efl port.

• platform/efl/TestExpectations:
• platform/efl/compositing/webgl/webgl-background-color-expected.png: Added.
• platform/efl/compositing/webgl/webgl-background-color-expected.txt: Added.

2:42 PM Changeset in webkit [151349] by commit-queue@webkit.org

• 2 edits in trunk/Tools

[WinCairo] TestWebKitAPI fails to link.
​https://bugs.webkit.org/show_bug.cgi?id=117345

Patch by ​peavo@outlook.com <​peavo@outlook.com> on 2013-06-08
Reviewed by Brent Fulgham.

Need to link with WTF.lib.

• TestWebKitAPI/TestWebKitAPI.vcxproj/TestWebKitAPICommonWinCairo.props: Link with WTF.lib.

2:33 PM Changeset in webkit [151348] by commit-queue@webkit.org

• 2 edits in trunk/Source/WebCore

[curl] Allow headers with empty value
​https://bugs.webkit.org/show_bug.cgi?id=117344

Patch by Peter Gal <​galpeter@inf.u-szeged.hu> on 2013-06-08
Reviewed by Brent Fulgham.

No new tests, already covered by:
http/tests/xmlhttprequest/xmlhttprequest-setrequestheader-no-value.html
http/tests/xmlhttprequest/post-blob-content-type-sync.html

• platform/network/curl/ResourceHandleManager.cpp:

(WebCore::ResourceHandleManager::initializeHandle):

1:36 PM Changeset in webkit [151347] by mark.lam@apple.com

• 2 edits in branches/dfgFourthTier/Source/JavaScriptCore

Removed bogus assertion in CallFrame::setLocationAsBytecodeOffset().
​https://bugs.webkit.org/show_bug.cgi?id=117373.

Reviewed by Oliver Hunt.

The assertion wrongly assumes that the incoming offset argument is in
units of bytes. This is not true. It is in units of Instruction*. Hence,
the assertion which checks for the low 2 bits to be clear can fail.

• interpreter/CallFrame.cpp:

(JSC::CallFrame::setLocationAsBytecodeOffset):

4:34 AM Changeset in webkit [151346] by commit-queue@webkit.org

• 2 edits in trunk/Source/WebCore

[curl] Handling of blob elements is incorrect
​https://bugs.webkit.org/show_bug.cgi?id=117301

Patch by Peter Gal <​galpeter@inf.u-szeged.hu> on 2013-06-08
Reviewed by Kenneth Rohde Christiansen.

No new tests, covered by existing ones:
http/tests/fileapi/xhr-send-form-data-filename-escaping.html
http/tests/fileapi/xhr-send-form-data-mimetype-normalization.html

• platform/network/curl/ResourceHandleManager.cpp:

(WebCore::getFormElementsCount): Resolve Blob elements.