Created attachment 206832 [details] Work in progress Compiles and runs testapi with LLint with one exception error and with value profiling turned off. I'll fix those and then try running all of JS tests.

Created attachment 206929 [details] LLInt runs testapi cleanly Now on to JS tests

Created attachment 207346 [details] LLInt now passes all JS tests Bring on the baseline JIT

Created attachment 207406 [details] Passing JS tests with LLint + Baseline JIT Now will work through the fast/js Layout failures for the LLInt and baseline JIT

Created attachment 207491 [details] LLInt passes layout tests, Baseline JIT passed JS test and fails on 12 Layout/fast/js tests

Created attachment 208674 [details] Baseline JIT passes JS tests and Layout/fast/js tests Running with LLInt and DFG disabled. There are 4 failures in the fast/js layout tests: Regressions: Unexpected text-only failures (3) fast/js/exception-sequencing.html [ Failure ] fast/js/exception-thrown-from-new.html [ Failure ] fast/js/kde/Array.html [ Failure ] Regressions: Unexpected crashes (1) fast/js/global-recursion-on-full-stack.html [ Crash ] The three unexpected failures match without the changes. The crash is due to stack overflow checking. I'll address that later. Going on to DFG.

Created attachment 209241 [details] LLInt + Baseline JIT + DFG Passes testapi - working on JS tests

Created attachment 209686 [details] LLInt + Baseline JIT + DFG Passes all but one JS test

Created attachment 209690 [details] LLInt + Baseline JIT + DFG Passes all JS tests

(In reply to comment #9) > Created an attachment (id=209690) [details] > LLInt + Baseline JIT + DFG Passes all JS tests 32 and 64bit?

(In reply to comment #10) > (In reply to comment #9) > > Created an attachment (id=209690) [details] [details] > > LLInt + Baseline JIT + DFG Passes all JS tests > > 32 and 64bit? 64 bit only at this point.

Created attachment 209813 [details] LLInt/Baseline JIT/DFG 64 bit with all but 26 fast/js tests passing Can you say "Arguments"…. Regressions: Unexpected text-only failures (2) fast/js/regress/external-arguments-putbyval.html [ Failure ] fast/js/regress/inline-arguments-local-escape.html [ Failure ] Regressions: Unexpected crashes (24) fast/js/dfg-arguments-alias-activation.html [ Crash ] fast/js/dfg-arguments-alias-one-block-osr-exit.html [ Crash ] fast/js/dfg-arguments-alias-one-block-overwrite-arguments.html [ Crash ] fast/js/dfg-arguments-alias-one-block.html [ Crash ] fast/js/dfg-arguments-out-of-bounds.html [ Crash ] fast/js/dfg-arguments-unexpected-escape.html [ Crash ] fast/js/dfg-create-inlined-arguments-in-closure-inline.html [ Crash ] fast/js/dfg-inline-arguments-become-double.html [ Crash ] fast/js/dfg-inline-arguments-become-int32.html [ Crash ] fast/js/dfg-inline-arguments-int32.html [ Crash ] fast/js/dfg-inline-arguments-osr-exit-and-capture.html [ Crash ] fast/js/dfg-inline-arguments-reset-changetype.html [ Crash ] fast/js/dfg-inline-arguments-reset.html [ Crash ] fast/js/dfg-inline-arguments-simple.html [ Crash ] fast/js/dfg-inline-arguments-use-directly-from-inlined-code.html [ Crash ] fast/js/dfg-inline-arguments-use-from-uninlined-code.html [ Crash ] fast/js/global-recursion-on-full-stack.html [ Crash ] fast/js/regress/aliased-arguments-getbyval.html [ Crash ] fast/js/regress/delay-tear-off-arguments-strictmode.html [ Crash ] fast/js/regress/direct-arguments-getbyval.html [ Crash ] fast/js/regress/external-arguments-getbyval.html [ Crash ] fast/js/regress/tear-off-arguments-simple.html [ Crash ] fast/js/regress/tear-off-arguments.html [ Crash ] fast/js/stack-trace.html [ Crash ]

Created attachment 209841 [details] LLInt/Baseline JIT/DFG 64 bit with all but 14 fast/js tests passing Still more argument / tear off work: fast/js/dfg-arguments-alias-activation.html [ Crash ] fast/js/dfg-arguments-alias-one-block-osr-exit.html [ Crash ] fast/js/dfg-arguments-alias-one-block.html [ Crash ] fast/js/dfg-arguments-out-of-bounds.html [ Crash ] fast/js/dfg-create-inlined-arguments-in-closure-inline.html [ Crash ] fast/js/global-recursion-on-full-stack.html [ Crash ] fast/js/regress/aliased-arguments-getbyval.html [ Crash ] fast/js/regress/delay-tear-off-arguments-strictmode.html [ Crash ] fast/js/regress/direct-arguments-getbyval.html [ Crash ] fast/js/regress/external-arguments-getbyval.html [ Crash ] fast/js/regress/external-arguments-putbyval.html [ Crash ] fast/js/regress/inline-arguments-local-escape.html [ Crash ] fast/js/regress/tear-off-arguments-simple.html [ Crash ] fast/js/regress/tear-off-arguments.html [ Crash ]

Created attachment 210319 [details] 64 Bit LLInt, Baseline JIT, DFG Passes all but one test DFG passes all DFG tests. Baseline JIT fails stack overflow check. LLint passes this test. Will investigate. fast/js/global-recursion-on-full-stack.html

(In reply to comment #14) > Created an attachment (id=210319) [details] > 64 Bit LLInt, Baseline JIT, DFG Passes all but one test > > DFG passes all DFG tests. Baseline JIT fails stack overflow check. LLint passes this test. Will investigate. That's awesome! > > fast/js/global-recursion-on-full-stack.html

Created attachment 210819 [details] LLInt/Baseline JIT/DFG 64 bit pass tests - LLInt/Baseline JIT 32 bit pass tests - 10 tests fail in 32 bit DFG

Created attachment 210822 [details] LLint/Baseline JIT/DFG 32&64 bit pass all JS tests 32bit WebKit tests next

(In reply to comment #17) > Created an attachment (id=210822) [details] > LLint/Baseline JIT/DFG 32&64 bit pass all JS tests > > 32bit WebKit tests next There are 3 WebKit tests failures running 32 bit: fast/js/invalid-syntax-for-function.html [ Crash ] fast/js/regress/function-dot-apply.html [ Crash ] fast/js/typed-array-access.html [ Crash ]

(In reply to comment #18) > (In reply to comment #17) > > Created an attachment (id=210822) [details] [details] > > LLint/Baseline JIT/DFG 32&64 bit pass all JS tests > > > > 32bit WebKit tests next > > There are 3 WebKit tests failures running 32 bit: > fast/js/invalid-syntax-for-function.html [ Crash ] > fast/js/regress/function-dot-apply.html [ Crash ] > fast/js/typed-array-access.html [ Crash ] Down to one failing test: fast/js/invalid-syntax-for-function.html [ Crash ] It only fails when run with a group of other tests and doesn't fail by itself. The crash is due to an ASSERT failure in void JSStack::disableErrorStackReserve() { char* useableEnd = reinterpret_cast<char*>(reservationEnd()) + commitSize; m_useableEnd = reinterpret_cast_ptr<Register*>(useableEnd); // By the time we get here, we are guaranteed to be destructing the last // Interpreter::ErrorHandlingMode that enabled this reserve in the first // place. That means the stack space beyond m_useableEnd before we // enabled the reserve was not previously in use. Hence, it is safe to // shrink back to that m_useableEnd. if (m_end < m_useableEnd) { ASSERT(m_topCallFrame->frameExtent() >= m_useableEnd); <== shrink(m_useableEnd); } } m_topCallFrame is null, therefore the crash.

Created attachment 211338 [details] Patch I reverted the change made in XX to return a VirtualRegister from localToOperand(). I also changed stackOffset bit field in CodeOrigin to be "int" instead of "signed int". check-webkit-style doesn't like this, but I'll fix that separately.

Attachment 211338 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/assembler/MacroAssembler.h', u'Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h', u'Source/JavaScriptCore/assembler/X86Assembler.h', u'Source/JavaScriptCore/bytecode/CodeBlock.cpp', u'Source/JavaScriptCore/bytecode/CodeBlock.h', u'Source/JavaScriptCore/bytecode/CodeOrigin.h', u'Source/JavaScriptCore/bytecode/Operands.h', u'Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp', u'Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h', u'Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp', u'Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp', u'Source/JavaScriptCore/dfg/DFGJITCompiler.cpp', u'Source/JavaScriptCore/dfg/DFGOSREntry.cpp', u'Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp', u'Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp', u'Source/JavaScriptCore/dfg/DFGOperations.cpp', u'Source/JavaScriptCore/dfg/DFGScoreBoard.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/JavaScriptCore/dfg/DFGValidate.cpp', u'Source/JavaScriptCore/ftl/FTLLink.cpp', u'Source/JavaScriptCore/heap/ConservativeRoots.cpp', u'Source/JavaScriptCore/interpreter/CallFrame.cpp', u'Source/JavaScriptCore/interpreter/CallFrame.h', u'Source/JavaScriptCore/interpreter/Interpreter.cpp', u'Source/JavaScriptCore/interpreter/JSStack.cpp', u'Source/JavaScriptCore/interpreter/JSStack.h', u'Source/JavaScriptCore/interpreter/JSStackInlines.h', u'Source/JavaScriptCore/jit/JIT.cpp', u'Source/JavaScriptCore/jit/JITCall.cpp', u'Source/JavaScriptCore/jit/JITCall32_64.cpp', u'Source/JavaScriptCore/jit/JITOpcodes.cpp', u'Source/JavaScriptCore/jit/JITOpcodes32_64.cpp', u'Source/JavaScriptCore/jit/JITStubs.cpp', u'Source/JavaScriptCore/jit/ThunkGenerators.cpp', u'Source/JavaScriptCore/llint/LLIntData.cpp', u'Source/JavaScriptCore/llint/LLIntSlowPaths.cpp', u'Source/JavaScriptCore/llint/LowLevelInterpreter.asm', u'Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm', u'Source/JavaScriptCore/llint/LowLevelInterpreter64.asm', u'Source/JavaScriptCore/runtime/ArgList.cpp', u'Source/JavaScriptCore/runtime/ArgList.h', u'Source/JavaScriptCore/runtime/Arguments.cpp', u'Source/JavaScriptCore/runtime/ArrayConstructor.cpp', u'Source/JavaScriptCore/runtime/CommonSlowPaths.cpp', u'Source/JavaScriptCore/runtime/JSActivation.h', u'Source/JavaScriptCore/runtime/JSArray.h', u'Source/JavaScriptCore/runtime/JSGlobalObject.cpp', u'Source/JavaScriptCore/runtime/JSGlobalObject.h', u'Source/JavaScriptCore/runtime/JSString.h', u'Source/JavaScriptCore/runtime/Operations.h', u'Source/JavaScriptCore/runtime/SymbolTable.h', u'Source/WTF/wtf/DataLog.cpp']" exit_code: 1 Source/JavaScriptCore/bytecode/CodeOrigin.h:100: Please declare integral type bitfields with either signed or unsigned. [runtime/bitfields] [5] Total errors found: 1 in 53 files If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 211338 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=211338&action=review > Source/JavaScriptCore/bytecode/CodeBlock.cpp:3434 > + if (symbolTable()) { > + ConcurrentJITLocker locker(symbolTable()->m_lock); > + SymbolTable::Map::iterator end = symbolTable()->end(locker); > + for (SymbolTable::Map::iterator ptr = symbolTable()->begin(locker); ptr != end; ++ptr) { > + if (ptr->value.getIndex() == registerNumber) { > + // FIXME: This won't work from the compilation thread. > + // https://bugs.webkit.org/show_bug.cgi?id=115300 > + return String(ptr->key); > + } Why is this change necessary in this patch? > Source/JavaScriptCore/runtime/JSArray.h:312 > - > + grrrr > Source/JavaScriptCore/runtime/JSArray.h:317 > - > + grrrrr > Source/JavaScriptCore/runtime/Operations.h:90 > + for (int i = 0; i < static_cast<int>(count); ++i) { > + JSValue v = strings[-i].jsValue(); I would rather i remain an unsigned, and the strings[-i] be strings[-static_cat<int>(i)] > Source/WTF/wtf/DataLog.cpp:43 > -#define DATA_LOG_TO_FILE 0 > +#define DATA_LOG_TO_FILE 1 Whoops :D

Comment on attachment 211338 [details] Patch Attachment 211338 [details] did not pass qt-ews (qt): Output: http://webkit-queues.appspot.com/results/1743623

Comment on attachment 211338 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=211338&action=review >> Source/JavaScriptCore/bytecode/CodeBlock.cpp:3434 >> + } > > Why is this change necessary in this patch? When is symbolTable() null? This seems like a bug. > Source/JavaScriptCore/jit/JITOpcodes.cpp:-848 > - emitPutVirtualRegister(dst); Why is it OK not to store the activation to the stack here? This seems like a bug. > Source/JavaScriptCore/jit/JITOpcodes.cpp:-1119 > - signExtend32ToPtr(regT1, regT1); Does add32 automatically zero the high bits in regT1? If not, we still need to sign-extend.

Comment on attachment 211338 [details] Patch Attachment 211338 [details] did not pass qt-wk2-ews (qt-wk2): Output: http://webkit-queues.appspot.com/results/1743622

> > Source/JavaScriptCore/jit/JITOpcodes.cpp:-848 > > - emitPutVirtualRegister(dst); > > Why is it OK not to store the activation to the stack here? This seems like a bug. I see: the above instruction stores to dst, too. Can you edit the instruction to use "dst"? Then the change will be clearer.

Comment on attachment 211338 [details] Patch Attachment 211338 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/1790062 New failing tests: js/regress/inline-arguments-local-escape.html js/dfg-inline-arguments-reset.html js/dfg-inline-arguments-int32.html js/dfg-inline-arguments-simple.html js/dfg-inline-arguments-use-directly-from-inlined-code.html js/dfg-inline-arguments-use-from-uninlined-code.html js/dfg-inline-arguments-become-double.html js/dfg-inline-arguments-become-int32.html js/js-correct-exception-handler.html js/dfg-inline-arguments-use-from-all-the-places-broken.html js/dfg-inline-arguments-use-from-all-the-places.html js/dfg-create-inlined-arguments-in-closure-inline.html js/regress/external-arguments-getbyval.html js/dfg-inline-arguments-use-from-getter.html js/dfg-inline-arguments-osr-exit-and-capture.html js/dfg-inline-arguments-reset-changetype.html

Created attachment 211343 [details] Archive of layout-test-results from webkit-ews-16 for mac-mountainlion-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: webkit-ews-16 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.4

Created attachment 211359 [details] Patch addressing review and ewe bot issues Removed the "if (symbolTable())" check in CodeBlock.cpp. Have speculative fixes for Qt compile failure (moved definition of trustedImm32ForShift() up in the file). Have speculative fix for failure found in mac-wk2-ews - Made stackOffset int in CodeOrigin::stackOffset() and inlinedFrameOffset in StackVisitor.cpp.

Attachment 211359 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/assembler/MacroAssembler.h', u'Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h', u'Source/JavaScriptCore/assembler/X86Assembler.h', u'Source/JavaScriptCore/bytecode/CodeBlock.cpp', u'Source/JavaScriptCore/bytecode/CodeBlock.h', u'Source/JavaScriptCore/bytecode/CodeOrigin.h', u'Source/JavaScriptCore/bytecode/Operands.h', u'Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp', u'Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h', u'Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp', u'Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp', u'Source/JavaScriptCore/dfg/DFGJITCompiler.cpp', u'Source/JavaScriptCore/dfg/DFGOSREntry.cpp', u'Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp', u'Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp', u'Source/JavaScriptCore/dfg/DFGOperations.cpp', u'Source/JavaScriptCore/dfg/DFGScoreBoard.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/JavaScriptCore/dfg/DFGValidate.cpp', u'Source/JavaScriptCore/ftl/FTLLink.cpp', u'Source/JavaScriptCore/heap/ConservativeRoots.cpp', u'Source/JavaScriptCore/interpreter/CallFrame.cpp', u'Source/JavaScriptCore/interpreter/CallFrame.h', u'Source/JavaScriptCore/interpreter/Interpreter.cpp', u'Source/JavaScriptCore/interpreter/JSStack.cpp', u'Source/JavaScriptCore/interpreter/JSStack.h', u'Source/JavaScriptCore/interpreter/JSStackInlines.h', u'Source/JavaScriptCore/interpreter/StackVisitor.cpp', u'Source/JavaScriptCore/jit/JIT.cpp', u'Source/JavaScriptCore/jit/JITCall.cpp', u'Source/JavaScriptCore/jit/JITCall32_64.cpp', u'Source/JavaScriptCore/jit/JITOpcodes.cpp', u'Source/JavaScriptCore/jit/JITOpcodes32_64.cpp', u'Source/JavaScriptCore/jit/JITStubs.cpp', u'Source/JavaScriptCore/jit/ThunkGenerators.cpp', u'Source/JavaScriptCore/llint/LLIntData.cpp', u'Source/JavaScriptCore/llint/LLIntSlowPaths.cpp', u'Source/JavaScriptCore/llint/LowLevelInterpreter.asm', u'Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm', u'Source/JavaScriptCore/llint/LowLevelInterpreter64.asm', u'Source/JavaScriptCore/runtime/ArgList.cpp', u'Source/JavaScriptCore/runtime/ArgList.h', u'Source/JavaScriptCore/runtime/Arguments.cpp', u'Source/JavaScriptCore/runtime/ArrayConstructor.cpp', u'Source/JavaScriptCore/runtime/CommonSlowPaths.cpp', u'Source/JavaScriptCore/runtime/JSActivation.h', u'Source/JavaScriptCore/runtime/JSArray.h', u'Source/JavaScriptCore/runtime/JSGlobalObject.cpp', u'Source/JavaScriptCore/runtime/JSGlobalObject.h', u'Source/JavaScriptCore/runtime/JSString.h', u'Source/JavaScriptCore/runtime/Operations.h', u'Source/JavaScriptCore/runtime/SymbolTable.h']" exit_code: 1 Source/JavaScriptCore/bytecode/CodeOrigin.h:100: Please declare integral type bitfields with either signed or unsigned. [runtime/bitfields] [5] Total errors found: 1 in 54 files If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 211359 [details] Patch addressing review and ewe bot issues Attachment 211359 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/1815007 New failing tests: js/regress/inline-arguments-local-escape.html js/dfg-inline-arguments-reset.html js/dfg-inline-arguments-int32.html js/dfg-inline-arguments-simple.html js/dfg-inline-arguments-use-directly-from-inlined-code.html js/dfg-inline-arguments-use-from-uninlined-code.html js/dfg-inline-arguments-become-double.html js/dfg-inline-arguments-become-int32.html js/dfg-inline-arguments-osr-exit-and-capture.html js/dfg-inline-arguments-use-from-all-the-places-broken.html js/dfg-inline-arguments-use-from-all-the-places.html js/dfg-create-inlined-arguments-in-closure-inline.html js/regress/external-arguments-getbyval.html js/dfg-inline-arguments-use-from-getter.html js/dfg-inline-arguments-reset-changetype.html

Created attachment 211368 [details] Archive of layout-test-results from webkit-ews-15 for mac-mountainlion-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: webkit-ews-15 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.4

Comment on attachment 211359 [details] Patch addressing review and ewe bot issues Attachment 211359 [details] did not pass efl-wk2-ews (efl-wk2): Output: http://webkit-queues.appspot.com/results/1806045

Comment on attachment 211359 [details] Patch addressing review and ewe bot issues Attachment 211359 [details] did not pass mac-ews (mac): Output: http://webkit-queues.appspot.com/results/1828029 New failing tests: js/regress/inline-arguments-local-escape.html js/dfg-inline-arguments-reset.html js/dfg-inline-arguments-int32.html js/dfg-inline-arguments-simple.html js/dfg-inline-arguments-use-directly-from-inlined-code.html js/dfg-inline-arguments-use-from-uninlined-code.html js/dfg-inline-arguments-become-double.html js/dfg-inline-arguments-become-int32.html js/dfg-inline-arguments-osr-exit-and-capture.html js/dfg-inline-arguments-use-from-all-the-places-broken.html js/dfg-inline-arguments-use-from-all-the-places.html js/dfg-create-inlined-arguments-in-closure-inline.html js/regress/external-arguments-getbyval.html js/dfg-inline-arguments-use-from-getter.html js/dfg-inline-arguments-reset-changetype.html

Created attachment 211404 [details] Archive of layout-test-results from webkit-ews-08 for mac-mountainlion The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: webkit-ews-08 Port: mac-mountainlion Platform: Mac OS X 10.8.4

Created attachment 211446 [details] Another Patch with speculative build / test fixes

Created attachment 211490 [details] Patch with final fix Fixed a bug in Arguments::tearOff() for the inlined call frame case where the Register* for the torn off arguments wasn't being calculated correctly. The calculation for the non-inline case was correct.

> Fixed a bug in Arguments::tearOff() for the inlined call frame case where the Register* for the torn off arguments wasn't being calculated correctly. Can we improve the disassembly diff-er to catch the cases you've been fixing?

(In reply to comment #38) > > Fixed a bug in Arguments::tearOff() for the inlined call frame case where the Register* for the torn off arguments wasn't being calculated correctly. > > Can we improve the disassembly diff-er to catch the cases you've been fixing? The fixes I made yesterday and today aren't in code that generates instructions. I believe that this is the final patch.

Committed r155711: <http://trac.webkit.org/changeset/155711>