Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (205507 => 205508)
--- trunk/Source/_javascript_Core/ChangeLog 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-09-06 21:43:08 UTC (rev 205508)
@@ -1,5 +1,19 @@
2016-09-06 Commit Queue <[email protected]>
+ Unreviewed, rolling out r205494.
+ https://bugs.webkit.org/show_bug.cgi?id=161646
+
+ This change broke the Windows build (Requested by ryanhaddad
+ on #webkit).
+
+ Reverted changeset:
+
+ "Typed arrays should use MarkedSpace instead of CopiedSpace"
+ https://bugs.webkit.org/show_bug.cgi?id=161100
+ http://trac.webkit.org/changeset/205494
+
+2016-09-06 Commit Queue <[email protected]>
+
Unreviewed, rolling out r205504.
https://bugs.webkit.org/show_bug.cgi?id=161645
Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (205507 => 205508)
--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2016-09-06 21:43:08 UTC (rev 205508)
@@ -134,7 +134,7 @@
}
template<typename ViewClass>
-char* newTypedArrayWithSize(ExecState* exec, Structure* structure, int32_t size, char* vector)
+char* newTypedArrayWithSize(ExecState* exec, Structure* structure, int32_t size)
{
VM& vm = exec->vm();
NativeCallFrameTracer tracer(&vm, exec);
@@ -144,10 +144,6 @@
throwException(exec, scope, createRangeError(exec, ASCIILiteral("Requested length is negative")));
return 0;
}
-
- if (vector)
- return bitwise_cast<char*>(ViewClass::createWithFastVector(exec, structure, size, vector));
-
return bitwise_cast<char*>(ViewClass::create(exec, structure, size));
}
@@ -962,9 +958,9 @@
}
char* JIT_OPERATION operationNewInt8ArrayWithSize(
- ExecState* exec, Structure* structure, int32_t length, char* vector)
+ ExecState* exec, Structure* structure, int32_t length)
{
- return newTypedArrayWithSize<JSInt8Array>(exec, structure, length, vector);
+ return newTypedArrayWithSize<JSInt8Array>(exec, structure, length);
}
char* JIT_OPERATION operationNewInt8ArrayWithOneArgument(
@@ -976,9 +972,9 @@
}
char* JIT_OPERATION operationNewInt16ArrayWithSize(
- ExecState* exec, Structure* structure, int32_t length, char* vector)
+ ExecState* exec, Structure* structure, int32_t length)
{
- return newTypedArrayWithSize<JSInt16Array>(exec, structure, length, vector);
+ return newTypedArrayWithSize<JSInt16Array>(exec, structure, length);
}
char* JIT_OPERATION operationNewInt16ArrayWithOneArgument(
@@ -990,9 +986,9 @@
}
char* JIT_OPERATION operationNewInt32ArrayWithSize(
- ExecState* exec, Structure* structure, int32_t length, char* vector)
+ ExecState* exec, Structure* structure, int32_t length)
{
- return newTypedArrayWithSize<JSInt32Array>(exec, structure, length, vector);
+ return newTypedArrayWithSize<JSInt32Array>(exec, structure, length);
}
char* JIT_OPERATION operationNewInt32ArrayWithOneArgument(
@@ -1004,9 +1000,9 @@
}
char* JIT_OPERATION operationNewUint8ArrayWithSize(
- ExecState* exec, Structure* structure, int32_t length, char* vector)
+ ExecState* exec, Structure* structure, int32_t length)
{
- return newTypedArrayWithSize<JSUint8Array>(exec, structure, length, vector);
+ return newTypedArrayWithSize<JSUint8Array>(exec, structure, length);
}
char* JIT_OPERATION operationNewUint8ArrayWithOneArgument(
@@ -1018,9 +1014,9 @@
}
char* JIT_OPERATION operationNewUint8ClampedArrayWithSize(
- ExecState* exec, Structure* structure, int32_t length, char* vector)
+ ExecState* exec, Structure* structure, int32_t length)
{
- return newTypedArrayWithSize<JSUint8ClampedArray>(exec, structure, length, vector);
+ return newTypedArrayWithSize<JSUint8ClampedArray>(exec, structure, length);
}
char* JIT_OPERATION operationNewUint8ClampedArrayWithOneArgument(
@@ -1032,9 +1028,9 @@
}
char* JIT_OPERATION operationNewUint16ArrayWithSize(
- ExecState* exec, Structure* structure, int32_t length, char* vector)
+ ExecState* exec, Structure* structure, int32_t length)
{
- return newTypedArrayWithSize<JSUint16Array>(exec, structure, length, vector);
+ return newTypedArrayWithSize<JSUint16Array>(exec, structure, length);
}
char* JIT_OPERATION operationNewUint16ArrayWithOneArgument(
@@ -1046,9 +1042,9 @@
}
char* JIT_OPERATION operationNewUint32ArrayWithSize(
- ExecState* exec, Structure* structure, int32_t length, char* vector)
+ ExecState* exec, Structure* structure, int32_t length)
{
- return newTypedArrayWithSize<JSUint32Array>(exec, structure, length, vector);
+ return newTypedArrayWithSize<JSUint32Array>(exec, structure, length);
}
char* JIT_OPERATION operationNewUint32ArrayWithOneArgument(
@@ -1060,9 +1056,9 @@
}
char* JIT_OPERATION operationNewFloat32ArrayWithSize(
- ExecState* exec, Structure* structure, int32_t length, char* vector)
+ ExecState* exec, Structure* structure, int32_t length)
{
- return newTypedArrayWithSize<JSFloat32Array>(exec, structure, length, vector);
+ return newTypedArrayWithSize<JSFloat32Array>(exec, structure, length);
}
char* JIT_OPERATION operationNewFloat32ArrayWithOneArgument(
@@ -1074,9 +1070,9 @@
}
char* JIT_OPERATION operationNewFloat64ArrayWithSize(
- ExecState* exec, Structure* structure, int32_t length, char* vector)
+ ExecState* exec, Structure* structure, int32_t length)
{
- return newTypedArrayWithSize<JSFloat64Array>(exec, structure, length, vector);
+ return newTypedArrayWithSize<JSFloat64Array>(exec, structure, length);
}
char* JIT_OPERATION operationNewFloat64ArrayWithOneArgument(
Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.h (205507 => 205508)
--- trunk/Source/_javascript_Core/dfg/DFGOperations.h 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.h 2016-09-06 21:43:08 UTC (rev 205508)
@@ -71,23 +71,23 @@
char* JIT_OPERATION operationNewArrayBuffer(ExecState*, Structure*, size_t, size_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewEmptyArray(ExecState*, Structure*) WTF_INTERNAL;
char* JIT_OPERATION operationNewArrayWithSize(ExecState*, Structure*, int32_t, Butterfly*) WTF_INTERNAL;
-char* JIT_OPERATION operationNewInt8ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
+char* JIT_OPERATION operationNewInt8ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewInt8ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
-char* JIT_OPERATION operationNewInt16ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
+char* JIT_OPERATION operationNewInt16ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewInt16ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
-char* JIT_OPERATION operationNewInt32ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
+char* JIT_OPERATION operationNewInt32ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewInt32ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
-char* JIT_OPERATION operationNewUint8ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
+char* JIT_OPERATION operationNewUint8ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewUint8ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
-char* JIT_OPERATION operationNewUint8ClampedArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
+char* JIT_OPERATION operationNewUint8ClampedArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewUint8ClampedArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
-char* JIT_OPERATION operationNewUint16ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
+char* JIT_OPERATION operationNewUint16ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewUint16ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
-char* JIT_OPERATION operationNewUint32ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
+char* JIT_OPERATION operationNewUint32ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewUint32ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
-char* JIT_OPERATION operationNewFloat32ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
+char* JIT_OPERATION operationNewFloat32ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewFloat32ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
-char* JIT_OPERATION operationNewFloat64ArrayWithSize(ExecState*, Structure*, int32_t, char*) WTF_INTERNAL;
+char* JIT_OPERATION operationNewFloat64ArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewFloat64ArrayWithOneArgument(ExecState*, Structure*, EncodedJSValue) WTF_INTERNAL;
void JIT_OPERATION operationPutByValStrict(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue) WTF_INTERNAL;
void JIT_OPERATION operationPutByValNonStrict(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue) WTF_INTERNAL;
@@ -198,7 +198,7 @@
} // extern "C"
-inline P_JITOperation_EStZP operationNewTypedArrayWithSizeForType(TypedArrayType type)
+inline P_JITOperation_EStZ operationNewTypedArrayWithSizeForType(TypedArrayType type)
{
switch (type) {
case TypeInt8:
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (205507 => 205508)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-09-06 21:43:08 UTC (rev 205508)
@@ -7180,8 +7180,6 @@
GPRReg scratchGPR2 = scratch2.gpr();
JITCompiler::JumpList slowCases;
-
- m_jit.move(TrustedImmPtr(0), storageGPR);
slowCases.append(m_jit.branch32(
MacroAssembler::Above, sizeGPR, TrustedImm32(JSArrayBufferView::fastSizeLimit)));
@@ -7193,10 +7191,26 @@
m_jit.add32(TrustedImm32(7), scratchGPR);
m_jit.and32(TrustedImm32(~7), scratchGPR);
}
- m_jit.emitAllocateVariableSized(
- storageGPR, m_jit.vm()->heap.subspaceForAuxiliaryData(), scratchGPR, scratchGPR,
- scratchGPR2, slowCases);
+ slowCases.append(
+ emitAllocateBasicStorage(scratchGPR, storageGPR));
+ m_jit.subPtr(scratchGPR, storageGPR);
+
+ emitAllocateJSObject<JSArrayBufferView>(
+ resultGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, scratchGPR2,
+ slowCases);
+
+ m_jit.storePtr(
+ storageGPR,
+ MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfVector()));
+ m_jit.store32(
+ sizeGPR,
+ MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfLength()));
+ m_jit.store32(
+ TrustedImm32(FastTypedArray),
+ MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfMode()));
+
+#if USE(JSVALUE32_64)
MacroAssembler::Jump done = m_jit.branchTest32(MacroAssembler::Zero, sizeGPR);
m_jit.move(sizeGPR, scratchGPR);
if (elementSize(type) != 4) {
@@ -7216,24 +7230,11 @@
MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesFour));
m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit);
done.link(&m_jit);
+#endif // USE(JSVALUE32_64)
- emitAllocateJSObject<JSArrayBufferView>(
- resultGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, scratchGPR2,
- slowCases);
-
- m_jit.storePtr(
- storageGPR,
- MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfVector()));
- m_jit.store32(
- sizeGPR,
- MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfLength()));
- m_jit.store32(
- TrustedImm32(FastTypedArray),
- MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfMode()));
-
addSlowPathGenerator(slowPathCall(
slowCases, this, operationNewTypedArrayWithSizeForType(type),
- resultGPR, structure, sizeGPR, storageGPR));
+ resultGPR, structure, sizeGPR));
cellResult(resultGPR, node);
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (205507 => 205508)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2016-09-06 21:43:08 UTC (rev 205508)
@@ -988,19 +988,19 @@
m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure));
return appendCallSetResult(operation, result);
}
- JITCompiler::Call callOperation(P_JITOperation_EStZP operation, GPRReg result, Structure* structure, GPRReg arg2, GPRReg arg3)
+ JITCompiler::Call callOperation(P_JITOperation_EStZ operation, GPRReg result, Structure* structure, GPRReg arg2)
{
- m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), arg2, arg3);
+ m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), arg2);
return appendCallSetResult(operation, result);
}
- JITCompiler::Call callOperation(P_JITOperation_EStZP operation, GPRReg result, Structure* structure, size_t arg2, GPRReg arg3)
+ JITCompiler::Call callOperation(P_JITOperation_EStZ operation, GPRReg result, Structure* structure, size_t arg2)
{
- m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), TrustedImm32(arg2), arg3);
+ m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), TrustedImm32(arg2));
return appendCallSetResult(operation, result);
}
- JITCompiler::Call callOperation(P_JITOperation_EStZP operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ JITCompiler::Call callOperation(P_JITOperation_EStZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
{
- m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ m_jit.setupArgumentsWithExecState(arg1, arg2);
return appendCallSetResult(operation, result);
}
JITCompiler::Call callOperation(P_JITOperation_EStZB operation, GPRReg result, Structure* structure, GPRReg arg2, GPRReg butterfly)
@@ -2550,6 +2550,31 @@
void moveFalseTo(GPRReg);
void blessBoolean(GPRReg);
+ // size can be an immediate or a register, and must be in bytes. If size is a register,
+ // it must be a different register than resultGPR. Emits code that place a pointer to
+ // the end of the allocation. The returned jump is the jump to the slow path.
+ template<typename SizeType>
+ MacroAssembler::Jump emitAllocateBasicStorage(SizeType size, GPRReg resultGPR)
+ {
+ CopiedAllocator* copiedAllocator = &m_jit.vm()->heap.storageAllocator();
+
+ // It's invalid to allocate zero bytes in CopiedSpace.
+#ifndef NDEBUG
+ m_jit.move(size, resultGPR);
+ MacroAssembler::Jump nonZeroSize = m_jit.branchTest32(MacroAssembler::NonZero, resultGPR);
+ m_jit.abortWithReason(DFGBasicStorageAllocatorZeroSize);
+ nonZeroSize.link(&m_jit);
+#endif
+
+ m_jit.loadPtr(&copiedAllocator->m_currentRemaining, resultGPR);
+ MacroAssembler::Jump slowPath = m_jit.branchSubPtr(JITCompiler::Signed, size, resultGPR);
+ m_jit.storePtr(resultGPR, &copiedAllocator->m_currentRemaining);
+ m_jit.negPtr(resultGPR);
+ m_jit.addPtr(JITCompiler::AbsoluteAddress(&copiedAllocator->m_currentPayloadEnd), resultGPR);
+
+ return slowPath;
+ }
+
// Allocator for a cell of a specific size.
template <typename StructureType> // StructureType can be GPR or ImmPtr.
void emitAllocateJSCell(
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (205507 => 205508)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-09-06 21:43:08 UTC (rev 205508)
@@ -4132,8 +4132,6 @@
LBasicBlock nonZeroCase = m_out.newBlock();
LBasicBlock slowCase = m_out.newBlock();
LBasicBlock continuation = m_out.newBlock();
-
- ValueFromBlock noStorage = m_out.anchor(m_out.intPtrZero);
m_out.branch(
m_out.above(size, m_out.constInt32(JSArrayBufferView::fastSizeLimit)),
@@ -4153,19 +4151,8 @@
m_out.constIntPtr(~static_cast<intptr_t>(7)));
}
- LValue allocator = allocatorForSize(
- vm().heap.subspaceForAuxiliaryData(), byteSize, slowCase);
- LValue storage = allocateHeapCell(allocator, slowCase);
-
- splatWords(
- storage,
- m_out.int32Zero,
- m_out.castToInt32(m_out.lShr(byteSize, m_out.constIntPtr(3))),
- m_out.int64Zero,
- m_heaps.typedArrayProperties);
+ LValue storage = allocateBasicStorage(byteSize, slowCase);
- ValueFromBlock haveStorage = m_out.anchor(storage);
-
LValue fastResultValue =
allocateObject<JSArrayBufferView>(structure, m_out.intPtrZero, slowCase);
@@ -4172,21 +4159,19 @@
m_out.storePtr(storage, fastResultValue, m_heaps.JSArrayBufferView_vector);
m_out.store32(size, fastResultValue, m_heaps.JSArrayBufferView_length);
m_out.store32(m_out.constInt32(FastTypedArray), fastResultValue, m_heaps.JSArrayBufferView_mode);
-
+
ValueFromBlock fastResult = m_out.anchor(fastResultValue);
m_out.jump(continuation);
m_out.appendTo(slowCase, continuation);
- LValue storageValue = m_out.phi(pointerType(), noStorage, haveStorage);
LValue slowResultValue = lazySlowPath(
[=] (const Vector<Location>& locations) -> RefPtr<LazySlowPath::Generator> {
return createLazyCallGenerator(
operationNewTypedArrayWithSizeForType(type), locations[0].directGPR(),
- CCallHelpers::TrustedImmPtr(structure), locations[1].directGPR(),
- locations[2].directGPR());
+ CCallHelpers::TrustedImmPtr(structure), locations[1].directGPR());
},
- size, storageValue);
+ size);
ValueFromBlock slowResult = m_out.anchor(slowResultValue);
m_out.jump(continuation);
@@ -7800,11 +7785,6 @@
else
hole = m_out.constInt64(JSValue::encode(JSValue()));
- splatWords(butterfly, begin, end, hole, heap->atAnyIndex());
- }
-
- void splatWords(LValue base, LValue begin, LValue end, LValue value, const AbstractHeap& heap)
- {
const uint64_t unrollingLimit = 10;
if (begin->hasInt() && end->hasInt()) {
uint64_t beginConst = static_cast<uint64_t>(begin->asInt());
@@ -7811,28 +7791,25 @@
uint64_t endConst = static_cast<uint64_t>(end->asInt());
if (endConst - beginConst <= unrollingLimit) {
- for (uint64_t i = beginConst; i < endConst; ++i) {
- LValue pointer = m_out.add(base, m_out.constIntPtr(i * sizeof(uint64_t)));
- m_out.store64(value, TypedPointer(heap, pointer));
- }
+ for (uint64_t i = beginConst; i < endConst; ++i)
+ m_out.store64(hole, butterfly, heap->at(i));
return;
}
}
+ // Doubles must be initialized to PNaN.
LBasicBlock initLoop = m_out.newBlock();
LBasicBlock initDone = m_out.newBlock();
- LBasicBlock lastNext = m_out.insertNewBlocksBefore(initLoop);
-
ValueFromBlock originalIndex = m_out.anchor(end);
- ValueFromBlock originalPointer = m_out.anchor(base);
+ ValueFromBlock originalPointer = m_out.anchor(butterfly);
m_out.branch(m_out.notEqual(end, begin), unsure(initLoop), unsure(initDone));
- m_out.appendTo(initLoop, initDone);
+ LBasicBlock initLastNext = m_out.appendTo(initLoop, initDone);
LValue index = m_out.phi(Int32, originalIndex);
LValue pointer = m_out.phi(pointerType(), originalPointer);
- m_out.store64(value, TypedPointer(heap, pointer));
+ m_out.store64(hole, TypedPointer(heap->atAnyIndex(), pointer));
LValue nextIndex = m_out.sub(index, m_out.int32One);
m_out.addIncomingToPhi(index, m_out.anchor(nextIndex));
@@ -7840,7 +7817,7 @@
m_out.branch(
m_out.notEqual(nextIndex, begin), unsure(initLoop), unsure(initDone));
- m_out.appendTo(initDone, lastNext);
+ m_out.appendTo(initDone, initLastNext);
}
LValue allocatePropertyStorage(LValue object, Structure* previousStructure)
@@ -8618,6 +8595,32 @@
return allocateObject(allocator, structure, butterfly, slowPath);
}
+ // Returns a pointer to the end of the allocation.
+ LValue allocateBasicStorageAndGetEnd(LValue size, LBasicBlock slowPath)
+ {
+ CopiedAllocator& allocator = vm().heap.storageAllocator();
+
+ LBasicBlock success = m_out.newBlock();
+
+ LValue remaining = m_out.loadPtr(m_out.absolute(&allocator.m_currentRemaining));
+ LValue newRemaining = m_out.sub(remaining, size);
+
+ m_out.branch(
+ m_out.lessThan(newRemaining, m_out.intPtrZero),
+ rarely(slowPath), usually(success));
+
+ m_out.appendTo(success);
+
+ m_out.storePtr(newRemaining, m_out.absolute(&allocator.m_currentRemaining));
+ return m_out.sub(
+ m_out.loadPtr(m_out.absolute(&allocator.m_currentPayloadEnd)), newRemaining);
+ }
+
+ LValue allocateBasicStorage(LValue size, LBasicBlock slowPath)
+ {
+ return m_out.sub(allocateBasicStorageAndGetEnd(size, slowPath), size);
+ }
+
LValue allocateObject(Structure* structure)
{
size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
Modified: trunk/Source/_javascript_Core/heap/CopyToken.h (205507 => 205508)
--- trunk/Source/_javascript_Core/heap/CopyToken.h 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/heap/CopyToken.h 2016-09-06 21:43:08 UTC (rev 205508)
@@ -29,6 +29,7 @@
namespace JSC {
enum CopyToken {
+ TypedArrayVectorCopyToken,
MapBackingStoreCopyToken,
DirectArgumentsOverridesCopyToken
};
Modified: trunk/Source/_javascript_Core/heap/SlotVisitor.cpp (205507 => 205508)
--- trunk/Source/_javascript_Core/heap/SlotVisitor.cpp 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/heap/SlotVisitor.cpp 2016-09-06 21:43:08 UTC (rev 205508)
@@ -247,8 +247,6 @@
{
HeapCell* cell = bitwise_cast<HeapCell*>(base);
- ASSERT(cell->heap() == heap());
-
if (Heap::testAndSetMarked(m_version, cell)) {
RELEASE_ASSERT(Heap::isMarked(cell));
return;
Modified: trunk/Source/_javascript_Core/jit/JITOperations.h (205507 => 205508)
--- trunk/Source/_javascript_Core/jit/JITOperations.h 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/jit/JITOperations.h 2016-09-06 21:43:08 UTC (rev 205508)
@@ -291,7 +291,6 @@
typedef char* (JIT_OPERATION *P_JITOperation_EStSS)(ExecState*, Structure*, size_t, size_t);
typedef char* (JIT_OPERATION *P_JITOperation_EStZ)(ExecState*, Structure*, int32_t);
typedef char* (JIT_OPERATION *P_JITOperation_EStZB)(ExecState*, Structure*, int32_t, Butterfly*);
-typedef char* (JIT_OPERATION *P_JITOperation_EStZP)(ExecState*, Structure*, int32_t, char*);
typedef char* (JIT_OPERATION *P_JITOperation_EZZ)(ExecState*, int32_t, int32_t);
typedef SlowPathReturnType (JIT_OPERATION *Sprt_JITOperation_ECli)(ExecState*, CallLinkInfo*);
typedef StringImpl* (JIT_OPERATION *T_JITOperation_EJss)(ExecState*, JSString*);
Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.cpp (205507 => 205508)
--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.cpp 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.cpp 2016-09-06 21:43:08 UTC (rev 205508)
@@ -42,17 +42,6 @@
}
JSArrayBufferView::ConstructionContext::ConstructionContext(
- Structure* structure, uint32_t length, void* vector)
- : m_structure(structure)
- , m_vector(vector)
- , m_length(length)
- , m_mode(FastTypedArray)
- , m_butterfly(nullptr)
-{
- RELEASE_ASSERT(length <= fastSizeLimit);
-}
-
-JSArrayBufferView::ConstructionContext::ConstructionContext(
VM& vm, Structure* structure, uint32_t length, uint32_t elementSize,
InitializationMode mode)
: m_structure(0)
@@ -61,24 +50,23 @@
{
if (length <= fastSizeLimit) {
// Attempt GC allocation.
- void* temp;
+ void* temp = 0;
size_t size = sizeOf(length, elementSize);
- if (size) {
- temp = vm.heap.tryAllocateAuxiliary(nullptr, size);
- if (!temp)
- return;
- } else
- temp = nullptr;
+ // CopiedSpace only allows non-zero size allocations.
+ if (size && !vm.heap.tryAllocateStorage(0, size, &temp))
+ return;
m_structure = structure;
m_vector = temp;
m_mode = FastTypedArray;
+#if USE(JSVALUE32_64)
if (mode == ZeroFill) {
uint64_t* asWords = static_cast<uint64_t*>(m_vector);
for (unsigned i = size / sizeof(uint64_t); i--;)
asWords[i] = 0;
}
+#endif // USE(JSVALUE32_64)
return;
}
@@ -130,7 +118,7 @@
, m_length(context.length())
, m_mode(context.mode())
{
- m_vector.setWithoutBarrier(context.vector());
+ m_vector.setWithoutBarrier(static_cast<char*>(context.vector()));
}
void JSArrayBufferView::finishCreation(VM& vm)
Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h (205507 => 205508)
--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2016-09-06 21:43:08 UTC (rev 205508)
@@ -26,7 +26,7 @@
#ifndef JSArrayBufferView_h
#define JSArrayBufferView_h
-#include "AuxiliaryBarrier.h"
+#include "CopyBarrier.h"
#include "JSObject.h"
namespace JSC {
@@ -119,9 +119,6 @@
JS_EXPORT_PRIVATE ConstructionContext(VM&, Structure*, uint32_t length, uint32_t elementSize, InitializationMode = ZeroFill);
- // This is only for constructing fast typed arrays. It's used by the JIT's slow path.
- ConstructionContext(Structure*, uint32_t length, void* vector);
-
JS_EXPORT_PRIVATE ConstructionContext(
VM&, Structure*, PassRefPtr<ArrayBuffer>,
unsigned byteOffset, unsigned length);
@@ -185,7 +182,7 @@
static String toStringName(const JSObject*, ExecState*);
- AuxiliaryBarrier<void*> m_vector;
+ CopyBarrier<char> m_vector; // this is really a void*, but void would not work here.
uint32_t m_length;
TypedArrayMode m_mode;
};
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayView.h (205507 => 205508)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayView.h 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayView.h 2016-09-06 21:43:08 UTC (rev 205508)
@@ -106,7 +106,6 @@
public:
static JSGenericTypedArrayView* create(ExecState*, Structure*, unsigned length);
- static JSGenericTypedArrayView* createWithFastVector(ExecState*, Structure*, unsigned length, void* vector);
static JSGenericTypedArrayView* createUninitialized(ExecState*, Structure*, unsigned length);
static JSGenericTypedArrayView* create(ExecState*, Structure*, PassRefPtr<ArrayBuffer>, unsigned byteOffset, unsigned length);
static JSGenericTypedArrayView* create(VM&, Structure*, PassRefPtr<typename Adaptor::ViewType> impl);
@@ -288,6 +287,7 @@
static size_t estimatedSize(JSCell*);
static void visitChildren(JSCell*, SlotVisitor&);
+ static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
// Allocates the full-on native buffer and moves data into the C heap if
// necessary. Note that this never allocates in the GC heap.
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (205507 => 205508)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2016-09-06 21:35:24 UTC (rev 205507)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2016-09-06 21:43:08 UTC (rev 205508)
@@ -63,20 +63,6 @@
}
template<typename Adaptor>
-JSGenericTypedArrayView<Adaptor>* JSGenericTypedArrayView<Adaptor>::createWithFastVector(
- ExecState* exec, Structure* structure, unsigned length, void* vector)
-{
- VM& vm = exec->vm();
- ConstructionContext context(structure, length, vector);
- RELEASE_ASSERT(context);
- JSGenericTypedArrayView* result =
- new (NotNull, allocateCell<JSGenericTypedArrayView>(vm.heap))
- JSGenericTypedArrayView(vm, context);
- result->finishCreation(vm);
- return result;
-}
-
-template<typename Adaptor>
JSGenericTypedArrayView<Adaptor>* JSGenericTypedArrayView<Adaptor>::createUninitialized(
ExecState* exec, Structure* structure, unsigned length)
{
@@ -477,7 +463,7 @@
switch (thisObject->m_mode) {
case FastTypedArray: {
if (thisObject->m_vector)
- visitor.markAuxiliary(thisObject->m_vector.get());
+ visitor.copyLater(thisObject, TypedArrayVectorCopyToken, thisObject->m_vector.get(), thisObject->byteSize());
break;
}
@@ -498,6 +484,25 @@
}
template<typename Adaptor>
+void JSGenericTypedArrayView<Adaptor>::copyBackingStore(
+ JSCell* cell, CopyVisitor& visitor, CopyToken token)
+{
+ JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell);
+
+ if (token == TypedArrayVectorCopyToken
+ && visitor.checkIfShouldCopy(thisObject->m_vector.get())) {
+ ASSERT(thisObject->m_vector);
+ void* oldVector = thisObject->vector();
+ void* newVector = visitor.allocateNewSpace(thisObject->byteSize());
+ memcpy(newVector, oldVector, thisObject->byteSize());
+ thisObject->m_vector.setWithoutBarrier(static_cast<char*>(newVector));
+ visitor.didCopy(oldVector, thisObject->byteSize());
+ }
+
+ Base::copyBackingStore(thisObject, visitor, token);
+}
+
+template<typename Adaptor>
ArrayBuffer* JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory(JSArrayBufferView* object)
{
JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(object);
@@ -545,7 +550,7 @@
}
thisObject->butterfly()->indexingHeader()->setArrayBuffer(buffer.get());
- thisObject->m_vector.setWithoutBarrier(buffer->data());
+ thisObject->m_vector.setWithoutBarrier(static_cast<char*>(buffer->data()));
thisObject->m_mode = WastefulTypedArray;
heap->addReference(thisObject, buffer.get());
