Unreviewed build fix attempt for Windows.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt for Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Renamed JSMapConstructor and JSMapPrototype.

2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Fix build break after r154861
        https://bugs.webkit.org/show_bug.cgi?id=120503

        Reviewed by Geoffrey Garen.

        Unreviewed build fix attempt for GTK, Qt, Windows and CMake-based ports.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * Target.pri:
        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Andreas Kling  <akling@apple.com>

        CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
        <https://webkit.org/b/120487>

        Reviewed by Oliver Hunt.

        CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
        instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
        exact amount of space needed.

        * bytecode/CodeBlock.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)

        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Implement ES6 Map object
        https://bugs.webkit.org/show_bug.cgi?id=120333

        Reviewed by Geoffrey Garen.

        Implement support for the ES6 Map type and related classes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyToken.h: Add a new token to track copying the backing store
        * runtime/CommonIdentifiers.h: Add new identifiers
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
            Add new structures and prototypes

        * runtime/JSMap.cpp: Added.
        * runtime/JSMap.h: Added.
            New JSMap class to represent a Map instance

        * runtime/MapConstructor.cpp: Added.
        * runtime/MapConstructor.h: Added.
            The Map constructor

        * runtime/MapData.cpp: Added.
        * runtime/MapData.h: Added.
            The most interesting data structure.  This roughly corresponds
            to the ES6 notion of MapData.  It provides the core JSValue->JSValue
            map implementation.  We implement it using 2 hashtables and a flat
            table.  Due to the different semantics of string comparisons vs.
            all others we need to have one map keyed by String and the other by
            generic JSValue.  The actual table is represented more or less
            exactly as described in the ES6 draft - a single contiguous list of
            key/value pairs.  The entire map could be achieved with just this
            table, however we need the HashMaps in order to maintain O(1) lookup.

            Deleted values are simply cleared as the draft says, however the
            implementation compacts the storage on copy as long as there are no
            active iterators.

        * runtime/MapPrototype.cpp: Added.
        * runtime/MapPrototype.h: Added.
            Implement Map prototype functions

        * runtime/VM.cpp:
            Add new structures.
94
2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
        https://bugs.webkit.org/show_bug.cgi?id=120489

        Reviewed by Geoffrey Garen.

        If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
        DFG compilation but we've also started one or more FTL compilations, then we
        shouldn't get confused. Previously we would have gotten confused because we would
        see an in-process deferred compile (the FTL compile) and also an optimized
        replacement (the DFG code).

        If the baseline JIT hits an OSR entry trigger into the DFG and we previously
        did two things in this order: triggered a tier-up compilation from the DFG into
        the FTL, and then jettisoned the DFG code because it exited a bunch, then we
        shouldn't be confused by the presence of an in-process deferred compile (the FTL
        compile). Previously we would have waited for that compile to finish; but the more
        sensible thing to do is to let it complete and then invalidate it, while at the
        same time enqueueing a DFG compile to create a new, more valid, DFG code block.

        If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
        triggered an FTL compile for replacement, then it should fire off a second compile
        instead of thinking that it can wait for that one to finish. Or vice-versa. We
        need to allow for two FTL compiles to be enqueued at the same time (one for
        replacement and one for OSR entry in a loop).

        Then there's also the problem that DFG::compile() is almost certainly going to be
        the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
        right now there is no way to tell it which one you want.

        This fixes these problems and removes a bunch of potential confusion by making the
        key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
        FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().

        Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
        DFG::compile() is always passed DFGMode and then it might do an FTL compile if
        possible. Fixing that is a bigger issue for a later changeset.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        * dfg/DFGCompilationKey.cpp: Added.
        (JSC::DFG::CompilationKey::dump):
        * dfg/DFGCompilationKey.h: Added.
        (JSC::DFG::CompilationKey::CompilationKey):
        (JSC::DFG::CompilationKey::operator!):
        (JSC::DFG::CompilationKey::isHashTableDeletedValue):
        (JSC::DFG::CompilationKey::profiledBlock):
        (JSC::DFG::CompilationKey::mode):
        (JSC::DFG::CompilationKey::operator==):
        (JSC::DFG::CompilationKey::hash):
        (JSC::DFG::CompilationKeyHash::hash):
        (JSC::DFG::CompilationKeyHash::equal):
        * dfg/DFGCompilationMode.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGCompilationMode.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::key):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-29  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r154847.
        If you are going to exclude promises, actually exclude the build components.

        * interpreter/CallFrame.h: Exclude promise declarations
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset): Exclude promise code.
        (JSC::JSGlobalObject::visitChildren): Ditto.
        * runtime/VM.cpp: Ditto.
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-29  Sam Weinig  <sam@webkit.org>

        Add ENABLE guards for Promises
        https://bugs.webkit.org/show_bug.cgi?id=120488

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromise.h:
        * runtime/JSPromiseCallback.cpp:
        * runtime/JSPromiseCallback.h:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPromiseResolver.cpp:
        * runtime/JSPromiseResolver.h:
        * runtime/JSPromiseResolverConstructor.cpp:
        * runtime/JSPromiseResolverConstructor.h:
        * runtime/JSPromiseResolverPrototype.cpp:
        * runtime/JSPromiseResolverPrototype.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):

2013-08-29  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
        https://bugs.webkit.org/show_bug.cgi?id=120080

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Kill code that became dead after http://trac.webkit.org/changeset/154833

        Rubber stamped by Oliver Hunt.

        * dfg/DFGDriver.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock's magic for scaling tier-up thresholds should be more reusable
        https://bugs.webkit.org/show_bug.cgi?id=120486

        Reviewed by Oliver Hunt.

        Removed the counterValueForBlah() methods and exposed the reusable scaling logic
        as an adjustedCounterValue() method.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::adjustedCounterValue):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * bytecode/CodeBlock.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::prepareForExecution() is silly
        https://bugs.webkit.org/show_bug.cgi?id=120453

        Reviewed by Oliver Hunt.

        Instead of saying:

            codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)

        we should just say:

            JIT::compile(stuff, codeBlock, more stuff);

        And similarly for the LLInt and DFG.

        This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
        wrapper that uses the JITType argument to call into the appropriate execution
        engine, which is what the user wanted to do in the first place.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setEntrypoint):
        * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
        * llint/LLIntEntrypoints.cpp: Removed.
        * llint/LLIntEntrypoints.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Gardening: fixed broken non-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=120481.

        Not reviewed.

        * interpreter/StackIterator.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.

        Rolling r154804 back in after fixing no-LLInt build.

        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).

        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.

        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.

        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.

        This patch solves these problems by reducing all of that complexity into just
        three primitives:

        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.

        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.

        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.

        This functionality is then wrapped around three convenience methods:

        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).

        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.

        - CodeBlock::install(). Asks the Executable to install this code block.

        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.

        It also allows me to work on FTL OSR entry and tier-up:

        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.

        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::prepareForExecutionImpl):
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::prepareForExecutionAsynchronously):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Change StackIterator to not require writes to the JS stack.
        https://bugs.webkit.org/show_bug.cgi?id=119657.

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        - Removed references to StackIteratorPrivate.h.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::find):
        (JSC::StackIterator::readFrame):
        (JSC::StackIterator::readNonInlinedFrame):
        - Reads in the current CallFrame's data for non-inlined frames.
        (JSC::inlinedFrameOffset):
        - Convenience function to compute the inlined frame offset based on the
          CodeOrigin. If the offset is 0, then we're looking at the physical frame.
          Otherwise, it's an inlined frame.
        (JSC::StackIterator::readInlinedFrame):
        - Determines the inlined frame's caller frame. Will read in the caller
          frame if it is also an inlined frame i.e. we haven't reached the
          outermost frame yet. Otherwise, will call readNonInlinedFrame() to
          read in the outermost frame.
          This is based on the old StackIterator::Frame::logicalFrame().
        (JSC::StackIterator::updateFrame):
        - Reads the data of the caller frame of the current one. This function
          is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
          but is now simplified because it delegates to the readInlinedFrame()
          to get the caller for inlined frames.
        (JSC::StackIterator::Frame::arguments):
        - Fixed to use the inlined frame versions of Arguments::create() and
          Arguments::tearOff() when the frame is an inlined frame.
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (debugPrintStack):
        - Because sometimes, we want to see the whole stack while debugging.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::argumentCount):
        (JSC::StackIterator::Frame::callerFrame):
        (JSC::StackIterator::Frame::callee):
        (JSC::StackIterator::Frame::scope):
        (JSC::StackIterator::Frame::codeBlock):
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::inlinedFrameInfo):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::isInlinedFrame):
        (JSC::StackIterator::Frame::callFrame):
        (JSC::StackIterator::Frame::Frame):
        (JSC::StackIterator::Frame::~Frame):
        - StackIterator::Frame now caches commonly used accessed values from
          the CallFrame. It still delegates argument queries to the CallFrame.
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::operator==):
        * interpreter/StackIteratorPrivate.h: Removed.

2013-08-29  Chris Curtis  <chris_curtis@apple.com>

        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
        https://bugs.webkit.org/show_bug.cgi?id=120472

        Reviewed by Filip Pizlo.

        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller
        throwException can be called when topCallFrame is set.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h:

        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
        to throw errors. It unwinds the stack in order to report them.
        * dfg/DFGOperations.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        (JSC::jitThrowNew):
        (JSC::jitThrow):
        * jit/JITExceptions.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):

2013-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154804.
        http://trac.webkit.org/changeset/154804
        https://bugs.webkit.org/show_bug.cgi?id=120477

        Broke Windows build (assumes LLInt features not enabled on
        this build) (Requested by bfulgham on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType):
        (JSC::CodeBlock::jitCompile):
        * bytecode/DeferredCompilationCallback.cpp: Removed.
        * bytecode/DeferredCompilationCallback.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Added.
        (JSC::jitCompileIfAppropriateImpl):
        (JSC::jitCompileFunctionIfAppropriateImpl):
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
        * jit/JITToDFGDeferredCompilationCallback.h: Removed.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::jitCompile):
        (JSC::EvalExecutable::compileInternal):
        (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
713         (JSC::ProgramExecutable::compileOptimized):
714         (JSC::ProgramExecutable::jitCompile):
715         (JSC::ProgramExecutable::compileInternal):
716         (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
717         (JSC::FunctionExecutable::compileOptimizedForCall):
718         (JSC::FunctionExecutable::compileOptimizedForConstruct):
719         (JSC::FunctionExecutable::jitCompileForCall):
720         (JSC::FunctionExecutable::jitCompileForConstruct):
721         (JSC::FunctionExecutable::produceCodeBlockFor):
722         (JSC::FunctionExecutable::compileForCallInternal):
723         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
724         (JSC::FunctionExecutable::compileForConstructInternal):
725         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
726         * runtime/Executable.h:
727         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
728         (JSC::ExecutableBase::offsetOfNumParametersFor):
729         (JSC::ExecutableBase::catchRoutineFor):
730         (JSC::EvalExecutable::compile):
731         (JSC::ProgramExecutable::compile):
732         (JSC::FunctionExecutable::compileForCall):
733         (JSC::FunctionExecutable::compileForConstruct):
734         (JSC::FunctionExecutable::compileFor):
735         (JSC::FunctionExecutable::compileOptimizedFor):
736         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
737         (JSC::FunctionExecutable::jitCompileFor):
738         * runtime/ExecutionHarness.h: Added.
739         (JSC::prepareForExecutionImpl):
740         (JSC::prepareFunctionForExecutionImpl):
741         (JSC::installOptimizedCode):
742         (JSC::prepareForExecution):
743         (JSC::prepareFunctionForExecution):
744         (JSC::replaceWithDeferredOptimizedCode):
745
746 2013-08-28  Filip Pizlo  <fpizlo@apple.com>
747
748         CodeBlock compilation and installation should be simplified and rationalized
749         https://bugs.webkit.org/show_bug.cgi?id=120326
750
751         Reviewed by Oliver Hunt.
752         
753         Previously Executable owned the code for generating JIT code; you always had
754         to go through Executable. But often you also had to go through CodeBlock,
755         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
756         So you'd ask CodeBlock to do something, which would dispatch through a
757         virtual method that would select the appropriate Executable subtype's method.
758         This all meant that the same code would often be duplicated, because most of
759         the work needed to compile something was identical regardless of code type.
760         But then we tried to fix this, by having templatized helpers in
761         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
762         out what happened when you asked for something to be compiled, you'd go on a
763         wild ride that started with CodeBlock, touched upon Executable, and then
764         ricocheted into either ExecutionHarness or JITDriver (likely both).
765         
766         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
767         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
768         done once the compilation finished.
769         
770         Also, most of the DFG JIT drivers assumed that they couldn't install the
771         JITCode into the CodeBlock directly - instead they would return it via a
772         reference, which happened to be a reference to the JITCode pointer in
773         Executable. This was super weird.
774         
775         Finally, there was no notion of compiling code into a special CodeBlock that
776         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
777         entry.
778         
779         This patch solves these problems by reducing all of that complexity into just
780         three primitives:
781         
782         - Executable::newCodeBlock(). This gives you a new code block, either for call
783           or for construct, and either to serve as the baseline code or the optimized
784           code. The new code block is then owned by the caller; Executable doesn't
785           register it anywhere. The new code block has no JITCode and isn't callable,
786           but it has all of the bytecode.
787         
788         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
789           produces a JITCode, and then installs the JITCode into the CodeBlock. This
790           method takes a JITType, and always compiles with that JIT. If you ask for
791           JITCode::InterpreterThunk then you'll get JITCode that just points to the
792           LLInt entrypoints. Once this returns, it is possible to call into the
793           CodeBlock if you do so manually - but the Executable still won't know about
794           it so JS calls to that Executable will still be routed to whatever CodeBlock
795           is associated with the Executable.
796         
797         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
798           entry for that Executable. This involves unlinking the Executable's last
799           CodeBlock, if there was one. This also tells the GC about any effect on
800           memory usage and does a bunch of weird data structure rewiring, since
801           Executable caches some of CodeBlock's fields for the benefit of virtual call
802           fast paths.
803         
804         This functionality is then wrapped around three convenience methods:
805         
806         - Executable::prepareForExecution(). If there is no code block for that
807           Executable, then one is created (newCodeBlock()), compiled
808           (CodeBlock::prepareForExecution()) and installed (installCode()).
809         
810         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
811           can serve as an optimized replacement of the current one.
812         
813         - CodeBlock::install(). Asks the Executable to install this code block.
814         
815         This patch allows me to kill *a lot* of code and to remove a lot of
816         specializations for functions vs. not-functions, and a lot of places where we
817         pass around JITCode references and such. ExecutionHarness and JITDriver are
818         both gone. Overall this patch has more red than green.
819         
820         It also allows me to work on FTL OSR entry and tier-up:
821         
822         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
823           to do some compilation, but it will require the DFG::Worklist to do
824           something different than what JITStubs.cpp would want, once the compilation
825           finishes. This patch introduces a callback mechanism for that purpose.
826         
827         - FTL OSR entry: this will involve creating a special auto-jettisoned
828           CodeBlock that is used only for FTL OSR entry. The new set of primitives
829           allows for this: Executable can vend you a fresh new CodeBlock, and you can
830           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
831           can take that CodeBlock and compile it yourself. Previously the act of
832           producing a CodeBlock-for-optimization and the act of compiling code for it
833           were tightly coupled; now you can separate them and you can create such
834           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
835
836         * CMakeLists.txt:
837         * GNUmakefile.list.am:
838         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
839         * JavaScriptCore.xcodeproj/project.pbxproj:
840         * Target.pri:
841         * bytecode/CodeBlock.cpp:
842         (JSC::CodeBlock::prepareForExecution):
843         (JSC::CodeBlock::install):
844         (JSC::CodeBlock::newReplacement):
845         (JSC::FunctionCodeBlock::jettisonImpl):
846         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
847         * bytecode/CodeBlock.h:
848         (JSC::CodeBlock::hasBaselineJITProfiling):
849         * bytecode/DeferredCompilationCallback.cpp: Added.
850         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
851         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
852         * bytecode/DeferredCompilationCallback.h: Added.
853         * dfg/DFGDriver.cpp:
854         (JSC::DFG::tryCompile):
855         * dfg/DFGDriver.h:
856         (JSC::DFG::tryCompile):
857         * dfg/DFGFailedFinalizer.cpp:
858         (JSC::DFG::FailedFinalizer::finalize):
859         (JSC::DFG::FailedFinalizer::finalizeFunction):
860         * dfg/DFGFailedFinalizer.h:
861         * dfg/DFGFinalizer.h:
862         * dfg/DFGJITFinalizer.cpp:
863         (JSC::DFG::JITFinalizer::finalize):
864         (JSC::DFG::JITFinalizer::finalizeFunction):
865         * dfg/DFGJITFinalizer.h:
866         * dfg/DFGOSRExitPreparation.cpp:
867         (JSC::DFG::prepareCodeOriginForOSRExit):
868         * dfg/DFGOperations.cpp:
869         * dfg/DFGPlan.cpp:
870         (JSC::DFG::Plan::Plan):
871         (JSC::DFG::Plan::compileInThreadImpl):
872         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
873         (JSC::DFG::Plan::finalizeAndNotifyCallback):
874         * dfg/DFGPlan.h:
875         * dfg/DFGWorklist.cpp:
876         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
877         * ftl/FTLJITFinalizer.cpp:
878         (JSC::FTL::JITFinalizer::finalize):
879         (JSC::FTL::JITFinalizer::finalizeFunction):
880         * ftl/FTLJITFinalizer.h:
881         * heap/Heap.h:
882         (JSC::Heap::isDeferred):
883         * interpreter/Interpreter.cpp:
884         (JSC::Interpreter::execute):
885         (JSC::Interpreter::executeCall):
886         (JSC::Interpreter::executeConstruct):
887         (JSC::Interpreter::prepareForRepeatCall):
888         * jit/JITDriver.h: Removed.
889         * jit/JITStubs.cpp:
890         (JSC::DEFINE_STUB_FUNCTION):
891         (JSC::jitCompileFor):
892         (JSC::lazyLinkFor):
893         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
894         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
895         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
896         (JSC::JITToDFGDeferredCompilationCallback::create):
897         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
898         * jit/JITToDFGDeferredCompilationCallback.h: Added.
899         * llint/LLIntEntrypoints.cpp:
900         (JSC::LLInt::setFunctionEntrypoint):
901         (JSC::LLInt::setEvalEntrypoint):
902         (JSC::LLInt::setProgramEntrypoint):
903         * llint/LLIntEntrypoints.h:
904         * llint/LLIntSlowPaths.cpp:
905         (JSC::LLInt::jitCompileAndSetHeuristics):
906         (JSC::LLInt::setUpCall):
907         * runtime/ArrayPrototype.cpp:
908         (JSC::isNumericCompareFunction):
909         * runtime/CommonSlowPaths.cpp:
910         * runtime/CompilationResult.cpp:
911         (WTF::printInternal):
912         * runtime/CompilationResult.h:
913         * runtime/Executable.cpp:
914         (JSC::ScriptExecutable::installCode):
915         (JSC::ScriptExecutable::newCodeBlockFor):
916         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
917         (JSC::ScriptExecutable::prepareForExecutionImpl):
918         * runtime/Executable.h:
919         (JSC::ScriptExecutable::prepareForExecution):
920         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
921         * runtime/ExecutionHarness.h: Removed.
922
923 2013-08-28  Chris Curtis  <chris_curtis@apple.com>
924
925         https://bugs.webkit.org/show_bug.cgi?id=119548
926         Refactoring Exception throws.
927         
928         Reviewed by Geoffrey Garen.
929         
930         Gardening of exception throws. The act of throwing an exception was being handled in
931         different ways depending on whether the code was running in the LLInt, Baseline JIT,
932         or the DFG JIT. This made development in the VM exception and error objects difficult.
933         
934         * runtime/VM.cpp:
935         (JSC::appendSourceToError): 
936         This function moved from the interpreter into the VM. It views the developer's code
937         (if there is a codeBlock) to extract what was trying to be evaluated when the error
938         occurred.
939         
940         (JSC::VM::throwException):
941         This function takes in the error object and sets the following:
942             1: The VM's exception stack
943             2: The VM's exception 
944             3: Appends extra information on the error message(via appendSourceToError)
945             4: The error object's line number
946             5: The error object's column number
947             6: The error object's sourceURL
948             7: The error object's stack trace (unless it already exists because the developer 
949                 created the error object). 
950
951         (JSC::VM::getExceptionInfo):
952         (JSC::VM::setExceptionInfo):
953         (JSC::VM::clearException):
954         (JSC::clearExceptionStack):
955         * runtime/VM.h:
956         (JSC::VM::exceptionOffset):
957         (JSC::VM::exception):
958         (JSC::VM::addressOfException):
959         (JSC::VM::exceptionStack):
960         VM exception and exceptionStack are now private data members.
961
962         * interpreter/Interpreter.h:
963         (JSC::ClearExceptionScope::ClearExceptionScope):
964         Created this structure to temporarily clear the exception within the VM. This is
965         needed to see if additional errors occur when setting the debugger as we are
966         unwinding the stack.
967
968         * interpreter/Interpreter.cpp:
969         (JSC::Interpreter::unwind): 
970         Removed the code that would try to add error information if it did not exist. 
971         All of this functionality has moved into the VM and all error information is set 
972         at the time the error occurs. 
973
974         The rest of these functions reference the new calling convention to throw an error.
975
976         * API/APICallbackFunction.h:
977         (JSC::APICallbackFunction::call):
978         * API/JSCallbackConstructor.cpp:
979         (JSC::constructJSCallback):
980         * API/JSCallbackObjectFunctions.h:
981         (JSC::::getOwnPropertySlot):
982         (JSC::::defaultValue):
983         (JSC::::put):
984         (JSC::::putByIndex):
985         (JSC::::deleteProperty):
986         (JSC::::construct):
987         (JSC::::customHasInstance):
988         (JSC::::call):
989         (JSC::::getStaticValue):
990         (JSC::::staticFunctionGetter):
991         (JSC::::callbackGetter):
992         * debugger/Debugger.cpp:
993         (JSC::evaluateInGlobalCallFrame):
994         * debugger/DebuggerCallFrame.cpp:
995         (JSC::DebuggerCallFrame::evaluate):
996         * dfg/DFGAssemblyHelpers.h:
997         (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
998         * dfg/DFGOperations.cpp:
999         (JSC::DFG::operationPutByValInternal):
1000         * ftl/FTLLowerDFGToLLVM.cpp:
1001         (JSC::FTL::LowerDFGToLLVM::callCheck):
1002         * heap/Heap.cpp:
1003         (JSC::Heap::markRoots):
1004         * interpreter/CallFrame.h:
1005         (JSC::ExecState::clearException):
1006         (JSC::ExecState::exception):
1007         (JSC::ExecState::hadException):
1008         * interpreter/Interpreter.cpp:
1009         (JSC::eval):
1010         (JSC::loadVarargs):
1011         (JSC::stackTraceAsString):
1012         (JSC::Interpreter::execute):
1013         (JSC::Interpreter::executeCall):
1014         (JSC::Interpreter::executeConstruct):
1015         (JSC::Interpreter::prepareForRepeatCall):
1016         * interpreter/Interpreter.h:
1017         (JSC::ClearExceptionScope::ClearExceptionScope):
1018         * jit/JITCode.cpp:
1019         (JSC::JITCode::execute):
1020         * jit/JITExceptions.cpp:
1021         (JSC::genericThrow):
1022         * jit/JITOpcodes.cpp:
1023         (JSC::JIT::emit_op_catch):
1024         * jit/JITOpcodes32_64.cpp:
1025         (JSC::JIT::privateCompileCTINativeCall):
1026         (JSC::JIT::emit_op_catch):
1027         * jit/JITStubs.cpp:
1028         (JSC::returnToThrowTrampoline):
1029         (JSC::throwExceptionFromOpCall):
1030         (JSC::DEFINE_STUB_FUNCTION):
1031         (JSC::jitCompileFor):
1032         (JSC::lazyLinkFor):
1033         (JSC::putByVal):
1034         (JSC::cti_vm_handle_exception):
1035         * jit/SlowPathCall.h:
1036         (JSC::JITSlowPathCall::call):
1037         * jit/ThunkGenerators.cpp:
1038         (JSC::nativeForGenerator):
1039         * jsc.cpp:
1040         (functionRun):
1041         (functionLoad):
1042         (functionCheckSyntax):
1043         * llint/LLIntExceptions.cpp:
1044         (JSC::LLInt::doThrow):
1045         (JSC::LLInt::returnToThrow):
1046         (JSC::LLInt::callToThrow):
1047         * llint/LLIntSlowPaths.cpp:
1048         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1049         * llint/LowLevelInterpreter.cpp:
1050         (JSC::CLoop::execute):
1051         * llint/LowLevelInterpreter32_64.asm:
1052         * llint/LowLevelInterpreter64.asm:
1053         * runtime/ArrayConstructor.cpp:
1054         (JSC::constructArrayWithSizeQuirk):
1055         * runtime/CommonSlowPaths.cpp:
1056         (JSC::SLOW_PATH_DECL):
1057         * runtime/CommonSlowPaths.h:
1058         (JSC::CommonSlowPaths::opIn):
1059         * runtime/CommonSlowPathsExceptions.cpp:
1060         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1061         * runtime/Completion.cpp:
1062         (JSC::evaluate):
1063         * runtime/Error.cpp:
1064         (JSC::addErrorInfo):
1065         (JSC::throwTypeError):
1066         (JSC::throwSyntaxError):
1067         * runtime/Error.h:
1068         (JSC::throwVMError):
1069         * runtime/ExceptionHelpers.cpp:
1070         (JSC::throwOutOfMemoryError):
1071         (JSC::throwStackOverflowError):
1072         (JSC::throwTerminatedExecutionException):
1073         * runtime/Executable.cpp:
1074         (JSC::EvalExecutable::create):
1075         (JSC::FunctionExecutable::produceCodeBlockFor):
1076         * runtime/FunctionConstructor.cpp:
1077         (JSC::constructFunction):
1078         (JSC::constructFunctionSkippingEvalEnabledCheck):
1079         * runtime/JSArray.cpp:
1080         (JSC::JSArray::defineOwnProperty):
1081         (JSC::JSArray::put):
1082         (JSC::JSArray::push):
1083         * runtime/JSCJSValue.cpp:
1084         (JSC::JSValue::toObjectSlowCase):
1085         (JSC::JSValue::synthesizePrototype):
1086         (JSC::JSValue::putToPrimitive):
1087         * runtime/JSFunction.cpp:
1088         (JSC::JSFunction::defineOwnProperty):
1089         * runtime/JSGenericTypedArrayViewInlines.h:
1090         (JSC::::create):
1091         (JSC::::createUninitialized):
1092         (JSC::::validateRange):
1093         (JSC::::setWithSpecificType):
1094         * runtime/JSGlobalObjectFunctions.cpp:
1095         (JSC::encode):
1096         (JSC::decode):
1097         (JSC::globalFuncProtoSetter):
1098         * runtime/JSNameScope.cpp:
1099         (JSC::JSNameScope::put):
1100         * runtime/JSONObject.cpp:
1101         (JSC::Stringifier::appendStringifiedValue):
1102         (JSC::Walker::walk):
1103         * runtime/JSObject.cpp:
1104         (JSC::JSObject::put):
1105         (JSC::JSObject::defaultValue):
1106         (JSC::JSObject::hasInstance):
1107         (JSC::JSObject::defaultHasInstance):
1108         (JSC::JSObject::defineOwnNonIndexProperty):
1109         (JSC::throwTypeError):
1110         * runtime/ObjectConstructor.cpp:
1111         (JSC::toPropertyDescriptor):
1112         * runtime/RegExpConstructor.cpp:
1113         (JSC::constructRegExp):
1114         * runtime/StringObject.cpp:
1115         (JSC::StringObject::defineOwnProperty):
1116         * runtime/StringRecursionChecker.cpp:
1117         (JSC::StringRecursionChecker::throwStackOverflowError):
1118
1119 2013-08-28  Zan Dobersek  <zdobersek@igalia.com>
1120
1121         [GTK] Add support for building JSC with FTL JIT enabled
1122         https://bugs.webkit.org/show_bug.cgi?id=120270
1123
1124         Reviewed by Filip Pizlo.
1125
1126         * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
1127         compiler flags for the JSC library.
1128         * GNUmakefile.list.am: Add the missing build targets.
1129         * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
1130         failures when using the Clang compiler with the libstdc++ standard library.
1131         (JSC::FTL::mdKindID):
1132         (JSC::FTL::mdString):
1133
1134 2013-08-23  Andy Estes  <aestes@apple.com>
1135
1136         Fix issues found by the Clang Static Analyzer
1137         https://bugs.webkit.org/show_bug.cgi?id=120230
1138
1139         Reviewed by Darin Adler.
1140
1141         * API/JSValue.mm:
1142         (valueToString): Don't leak every CFStringRef when in Objective-C GC.
1143         * API/ObjCCallbackFunction.mm:
1144         (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
1145         release m_invocation's target since NSInvocation will do it for us on
1146         -dealloc.
1147         (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
1148         and -release our reference to the copied block.
1149         * API/tests/minidom.c:
1150         (createStringWithContentsOfFile): Free buffer before returning.
1151         * API/tests/testapi.c:
1152         (createStringWithContentsOfFile): Ditto.
1153
1154 2013-08-26  Brent Fulgham  <bfulgham@apple.com>
1155
1156         [Windows] Unreviewed build fix after r154629.
1157
1158         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
1159         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1160
1161 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
1162
1163         Windows build fix attempt after r154629.
1164
1165         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1166
1167 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1168
1169         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
1170         https://bugs.webkit.org/show_bug.cgi?id=120278
1171
1172         Reviewed by Geoffrey Garen.
1173
1174         * runtime/JSObject.cpp:
1175         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1176
1177 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
1178
1179         Fix indention of Executable.h.
1180
1181         Rubber stamped by Mark Hahnenberg.
1182
1183         * runtime/Executable.h:
1184
1185 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1186
1187         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
1188         https://bugs.webkit.org/show_bug.cgi?id=120314
1189
1190         Reviewed by Darin Adler.
1191
1192         Currently with the way that defineProperty works, we leave a stray low bit set in 
1193         PropertyDescriptor::m_attributes in the following code:
1194
1195         var o = {};
1196         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
1197         
1198         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
1199         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
1200         but only the top three bits mean anything. Even in the case above, the top three bits are set 
1201         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
1202
1203         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
1204         framework's public C API, it's safer to just change how we calculate the default value, which is
1205         where the weirdness was originating from in the first place.
1206
1207         * runtime/PropertyDescriptor.cpp:
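
        Added illustration of the bit-mask problem described above. This is editor-supplied
        example code, not JavaScriptCore's PropertyDescriptor implementation; the enum values
        mirror the layout the entry describes (ReadOnly at bit 1, so bit 0 is unused, and a
        default computed as (DontDelete << 1) - 1), while buggyDefaultAttributes,
        fixedDefaultAttributes, attributesFor and leavesStrayBit are names chosen here for
        the illustration.

```cpp
#include <cstdint>

// Attribute bits laid out as the entry describes: the lowest meaningful bit is
// bit 1, so bit 0 is unused (assumed values for this illustration).
enum Attribute : unsigned {
    None       = 0,
    ReadOnly   = 1u << 1,
    DontEnum   = 1u << 2,
    DontDelete = 1u << 3,
};

// The original default: "every bit below DontDelete's successor". That is 0xF,
// which also covers bit 0 even though no attribute lives there.
inline unsigned buggyDefaultAttributes() { return (DontDelete << 1) - 1; }

// The safer default: OR together exactly the attributes that exist (0xE).
inline unsigned fixedDefaultAttributes() { return ReadOnly | DontEnum | DontDelete; }

// What defineProperty(o, k, {writable, enumerable, configurable}) does in spirit:
// start from the defaults and clear every bit the descriptor switches off.
inline unsigned attributesFor(unsigned defaults, bool writable, bool enumerable, bool configurable) {
    unsigned attrs = defaults;
    if (writable)     attrs &= ~static_cast<unsigned>(ReadOnly);
    if (enumerable)   attrs &= ~static_cast<unsigned>(DontEnum);
    if (configurable) attrs &= ~static_cast<unsigned>(DontDelete);
    return attrs;
}

// With all three flags true the result should be None. Only the fixed default
// gets there; the buggy one keeps bit 0 set, so "attributes == 0" tests fail.
inline bool leavesStrayBit(unsigned defaults) {
    return attributesFor(defaults, true, true, true) != None;
}
```

        The general lesson is the same for any flag word: derive "all flags" by OR-ing the
        named flags, never by arithmetic on the highest one, or unused low bits leak into
        every mask derived from it.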
1208
1209 2013-08-24  Sam Weinig  <sam@webkit.org>
1210
1211         Add support for Promises
1212         https://bugs.webkit.org/show_bug.cgi?id=120260
1213
1214         Reviewed by Darin Adler.
1215
1216         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
1217         - Despite Promises being defined in the DOM, the implementation is being put in JSC
1218           in preparation for the Promises eventually being defined in ECMAScript.
1219
1220         * CMakeLists.txt:
1221         * DerivedSources.make:
1222         * DerivedSources.pri:
1223         * GNUmakefile.list.am:
1224         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1225         * JavaScriptCore.xcodeproj/project.pbxproj:
1226         * Target.pri:
1227         Add new files.
1228
1229         * jsc.cpp:
1230         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
1231         you can't quite use Promises with the command line tool yet.
1232     
1233         * interpreter/CallFrame.h:
1234         (JSC::ExecState::promisePrototypeTable):
1235         (JSC::ExecState::promiseConstructorTable):
1236         (JSC::ExecState::promiseResolverPrototypeTable):
1237         * runtime/VM.cpp:
1238         (JSC::VM::VM):
1239         (JSC::VM::~VM):
1240         * runtime/VM.h:
1241         Add supporting code for the new static lookup tables.
1242
1243         * runtime/CommonIdentifiers.h:
1244         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
1245
1246         * runtime/JSGlobalObject.cpp:
1247         (JSC::JSGlobalObject::reset):
1248         (JSC::JSGlobalObject::visitChildren):
1249         Add supporting code for Promise and PromiseResolver's constructors and structures.
1250
1251         * runtime/JSGlobalObject.h:
1252         (JSC::TaskContext::~TaskContext):
1253         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
1254
1255         (JSC::JSGlobalObject::promisePrototype):
1256         (JSC::JSGlobalObject::promiseResolverPrototype):
1257         (JSC::JSGlobalObject::promiseStructure):
1258         (JSC::JSGlobalObject::promiseResolverStructure):
1259         (JSC::JSGlobalObject::promiseCallbackStructure):
1260         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
1261         Add supporting code for Promise and PromiseResolver's constructors and structures.
1262
1263         * runtime/JSPromise.cpp: Added.
1264         * runtime/JSPromise.h: Added.
1265         * runtime/JSPromiseCallback.cpp: Added.
1266         * runtime/JSPromiseCallback.h: Added.
1267         * runtime/JSPromiseConstructor.cpp: Added.
1268         * runtime/JSPromiseConstructor.h: Added.
1269         * runtime/JSPromisePrototype.cpp: Added.
1270         * runtime/JSPromisePrototype.h: Added.
1271         * runtime/JSPromiseResolver.cpp: Added.
1272         * runtime/JSPromiseResolver.h: Added.
1273         * runtime/JSPromiseResolverConstructor.cpp: Added.
1274         * runtime/JSPromiseResolverConstructor.h: Added.
1275         * runtime/JSPromiseResolverPrototype.cpp: Added.
1276         * runtime/JSPromiseResolverPrototype.h: Added.
1277         Add Promise implementation.
1278
1279 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
1280
1281         Plenty of -Wcast-align warnings in KeywordLookup.h
1282         https://bugs.webkit.org/show_bug.cgi?id=120316
1283
1284         Reviewed by Darin Adler.
1285
1286         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
1287         the character pointers to types of larger size. This avoids spewing lots of warnings
1288         in the KeywordLookup.h header when compiling with the -Wcast-align option.
1289
1290 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
1291
1292         RegExpMatchesArray should not call [[put]]
1293         https://bugs.webkit.org/show_bug.cgi?id=120317
1294
1295         Reviewed by Oliver Hunt.
1296
1297         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
1298         property called index or input to either of these prototypes will result in broken behavior.
1299
1300         * runtime/RegExpMatchesArray.cpp:
1301         (JSC::RegExpMatchesArray::reifyAllProperties):
1302             - put -> putDirect
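
        The [[Put]] hazard this entry fixes, shown in a toy object model as an added example.
        This is editor-supplied illustration code, not JavaScriptCore's JSObject or
        RegExpMatchesArray code; Object, Property, put, putDirect, Outcome and materialize are
        names invented for the example. The scenario (a prototype given an accessor or
        read-only property named "index" before a match array is built) is the one the entry
        describes.

```cpp
#include <functional>
#include <map>
#include <string>

// Toy property: a data property (value, optionally read-only) or an accessor
// (non-empty setter). Not JavaScriptCore's PropertySlot/PropertyDescriptor.
struct Property {
    int value;
    bool readOnly;
    std::function<void(int)> setter;
};

struct Object {
    std::map<std::string, Property> own;
    Object* prototype = nullptr;

    // [[Put]]: consult the prototype chain before creating an own property.
    // An inherited setter intercepts the write; an inherited read-only data
    // property rejects it (sloppy-mode JS drops the write silently).
    bool put(const std::string& key, int value) {
        for (Object* o = this; o; o = o->prototype) {
            auto it = o->own.find(key);
            if (it == o->own.end())
                continue;
            if (it->second.setter) {
                it->second.setter(value);
                return true;                    // went to the accessor; no own property created
            }
            if (it->second.readOnly)
                return false;
            break;                              // writable data property: shadow it below
        }
        own[key] = Property{value, false, nullptr};
        return true;
    }

    // putDirect: define an own data property without looking at the chain at all.
    void putDirect(const std::string& key, int value) { own[key] = Property{value, false, nullptr}; }

    bool hasOwn(const std::string& key) const { return own.count(key) != 0; }
    int ownValue(const std::string& key) const { return own.at(key).value; }
};

struct Outcome {
    bool hasOwnIndex;    // did the match array end up owning "index"?
    int ownIndex;        // its value (meaningful only if hasOwnIndex)
    int setterCalls;     // how often the poisoned prototype accessor ran
};

// Builds a regex-match-like array whose prototype has been poisoned with a
// property named "index": either an accessor or a read-only data property.
Outcome materialize(bool useDirect, bool poisonWithSetter) {
    int setterCalls = 0;
    Object arrayPrototype;
    if (poisonWithSetter)
        arrayPrototype.own["index"] = Property{0, false, [&](int) { ++setterCalls; }};
    else
        arrayPrototype.own["index"] = Property{-1, true, nullptr};

    Object matches;
    matches.prototype = &arrayPrototype;
    if (useDirect)
        matches.putDirect("index", 3);   // what the fixed reifyAllProperties does
    else
        matches.put("index", 3);         // what the old code did

    Outcome result{matches.hasOwn("index"),
                   matches.hasOwn("index") ? matches.ownValue("index") : 0,
                   setterCalls};
    return result;
}
```

        With put(), script-installed prototype state decides whether the engine's own
        bookkeeping property even exists; with putDirect() the chain is bypassed and the
        match array always owns index, which is the behaviour the spec's
        [[DefineOwnProperty]]-style creation requires.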
1303
1304 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
1305
1306         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
1307         https://bugs.webkit.org/show_bug.cgi?id=120228
1308
1309         Reviewed by Oliver Hunt.
1310         
1311         It turns out that there were three problems:
1312         
1313         - Using jsNumber() meant that we were converting doubles to integers and then
1314           possibly back again whenever doing a set() between floating point arrays.
1315         
1316         - Slow-path accesses to double typed arrays were slower than necessary because
1317           of the to-int conversion attempt.
1318         
1319         - The use of JSValue as an intermediate for converting between different types
1320           in typedArray.set() resulted in worse code than I had previously expected.
1321         
1322         This patch solves the problem by using template double-dispatch to ensure that
1323         the C++ compiler sees the simplest possible combination of casts between any
1324         combination of typed array types, while still preserving JS and typed array
1325         conversion semantics. Conversions are done as follows:
1326         
1327             SourceAdaptor::convertTo<TargetAdaptor>(value)
1328         
1329         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
1330         with one method for each of int32_t, uint32_t, and double. This means that the
1331         C++ compiler will at worst see a widening cast to one of those types followed
1332         by a narrowing conversion (not necessarily a cast - may have clamping or the
1333         JS toInt32() function).
1334         
1335         This change doesn't just affect typedArray.set(); it also affects slow-path
1336         accesses to typed arrays as well. This patch also adds a bunch of new test
1337         coverage.
1338         
1339         This change is a ~50% speed-up on typedArray.set() involving floating point
1340         types.
1341
1342         * GNUmakefile.list.am:
1343         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1344         * JavaScriptCore.xcodeproj/project.pbxproj:
1345         * runtime/GenericTypedArrayView.h:
1346         (JSC::GenericTypedArrayView::set):
1347         * runtime/JSDataViewPrototype.cpp:
1348         (JSC::setData):
1349         * runtime/JSGenericTypedArrayView.h:
1350         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1351         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1352         * runtime/JSGenericTypedArrayViewInlines.h:
1353         (JSC::::setWithSpecificType):
1354         (JSC::::set):
1355         * runtime/ToNativeFromValue.h: Added.
1356         (JSC::toNativeFromValue):
1357         * runtime/TypedArrayAdaptors.h:
1358         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1359         (JSC::IntegralTypedArrayAdaptor::toDouble):
1360         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
1361         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
1362         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
1363         (JSC::IntegralTypedArrayAdaptor::convertTo):
1364         (JSC::FloatTypedArrayAdaptor::toJSValue):
1365         (JSC::FloatTypedArrayAdaptor::toDouble):
1366         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
1367         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
1368         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
1369         (JSC::FloatTypedArrayAdaptor::convertTo):
1370         (JSC::Uint8ClampedAdaptor::toJSValue):
1371         (JSC::Uint8ClampedAdaptor::toDouble):
1372         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
1373         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
1374         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
1375         (JSC::Uint8ClampedAdaptor::convertTo):
1376
1377 2013-08-24  Dan Bernstein  <mitz@apple.com>
1378
1379         [mac] link against libz in a more civilized manner
1380         https://bugs.webkit.org/show_bug.cgi?id=120258
1381
1382         Reviewed by Darin Adler.
1383
1384         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
1385         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
1386         Link Binary With Libraries build phase.
1387
1388 2013-08-23  Laszlo Papp  <lpapp@kde.org>
1389
1390         Failure building with python3
1391         https://bugs.webkit.org/show_bug.cgi?id=106645
1392
1393         Reviewed by Benjamin Poulain.
1394
1395         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
1396         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
1397
1398         * disassembler/udis86/itab.py:
1399         (UdItabGenerator.genInsnTable):
1400         * disassembler/udis86/ud_opcode.py:
1401         (UdOpcodeTables.print_table):
1402         * disassembler/udis86/ud_optable.py:
1403         (UdOptableXmlParser.parseDef):
1404         (UdOptableXmlParser.parse):
1405         (printFn):
1406
1407 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
1408
1409         Incorrect TypedArray#set behavior
1410         https://bugs.webkit.org/show_bug.cgi?id=83818
1411
1412         Reviewed by Oliver Hunt and Mark Hahnenberg.
1413         
1414         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
1415         not smart enough to figure out optimal versions for *all* of the cases. But I
1416         did come up with optimal implementations for most of the cases, and I wrote
1417         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
1418         enough to write optimal code for.
1419
1420         * runtime/JSArrayBufferView.h:
1421         (JSC::JSArrayBufferView::hasArrayBuffer):
1422         * runtime/JSArrayBufferViewInlines.h:
1423         (JSC::JSArrayBufferView::buffer):
1424         (JSC::JSArrayBufferView::existingBufferInButterfly):
1425         (JSC::JSArrayBufferView::neuter):
1426         (JSC::JSArrayBufferView::byteOffset):
1427         * runtime/JSGenericTypedArrayView.h:
1428         * runtime/JSGenericTypedArrayViewInlines.h:
1429         (JSC::::setWithSpecificType):
1430         (JSC::::set):
1431         (JSC::::existingBuffer):
1432
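A pure-JavaScript reference for the behaviour this entry and the 2013-08-24 typed-array conversion entry describe, added here as an example and not taken from WebKit: per-type adaptors with three narrowing methods (fromInt32, fromUint32, fromDouble) chosen by the source's widened kind, mirroring the SourceAdaptor::convertTo<TargetAdaptor> dispatch, plus a spec-literal set() that snapshots the source when both views share an ArrayBuffer, and a naive in-place copy showing what goes wrong without that snapshot. The names (integral, floating, clamped, referenceSet, naiveSet, compareSet, overlapCase) and the constructed inputs are this example's own; it cross-checks against whichever engine runs it, not against JSC's internals.

```javascript
'use strict';
// Added example, not WebKit code: a reference typedArray.set() in the shape
// the ChangeLog describes. Each source element is widened to int32, uint32
// or double and the target adaptor owns the narrowing; overlapping views
// are copied spec-literally through a snapshot.

// ECMAScript ToUint8Clamp: clamp to [0, 255], then round half to even.
function toUint8Clamp(d) {
  if (Number.isNaN(d) || d <= 0) return 0;
  if (d >= 255) return 255;
  const f = Math.floor(d);
  if (f + 0.5 < d) return f + 1;
  if (d < f + 0.5) return f;
  return f % 2 === 0 ? f : f + 1;
}

// Integral adaptor: modular narrowing of an int32/uint32 value; a double
// goes through ToInt32 (`| 0`, exact for every double) first.
function integral(ctor, bits, signed) {
  const narrow = signed
    ? (v) => (v << (32 - bits)) >> (32 - bits)          // sign-extend low bits
    : bits === 32 ? (v) => v >>> 0 : (v) => v & ((1 << bits) - 1);
  return { ctor, widen: signed ? 'int32' : 'uint32',
    fromInt32: narrow, fromUint32: narrow, fromDouble: (d) => narrow(d | 0) };
}

// Float adaptor: everything widens to double; Float32 rounds with fround.
function floating(ctor, round) {
  return { ctor, widen: 'double', fromInt32: round, fromUint32: round, fromDouble: round };
}

// Uint8Clamped adaptor: clamping instead of modular narrowing.
const clamped = {
  ctor: Uint8ClampedArray, widen: 'uint32',
  fromInt32: (v) => (v < 0 ? 0 : v > 255 ? 255 : v),
  fromUint32: (v) => (v > 255 ? 255 : v),
  fromDouble: toUint8Clamp,
};

const ADAPTORS = new Map([
  integral(Int8Array, 8, true), integral(Uint8Array, 8, false),
  integral(Int16Array, 16, true), integral(Uint16Array, 16, false),
  integral(Int32Array, 32, true), integral(Uint32Array, 32, false),
  floating(Float32Array, Math.fround), floating(Float64Array, (d) => d), clamped,
].map((a) => [a.ctor, a]));
const adaptorFor = (view) => ADAPTORS.get(view.constructor);

// The double dispatch: the source's widened kind picks which of the
// target's three narrowing methods runs.
function convertTo(src, dst, value) {
  switch (src.widen) {
    case 'int32': return dst.fromInt32(value);
    case 'uint32': return dst.fromUint32(value);
    default: return dst.fromDouble(value);
  }
}
function convertValue(SourceCtor, TargetCtor, value) {
  return convertTo(ADAPTORS.get(SourceCtor), ADAPTORS.get(TargetCtor), value);
}

// Spec-literal set(): if source and target share a buffer, snapshot the
// source first so writes into the target cannot feed later reads.
function referenceSet(target, source, offset = 0) {
  if (offset < 0 || source.length + offset > target.length) throw new RangeError('offset is out of bounds');
  const src = adaptorFor(source), dst = adaptorFor(target);
  const values = source.buffer === target.buffer ? Array.from(source) : source;
  for (let i = 0; i < source.length; i++) target[offset + i] = convertTo(src, dst, values[i]);
  return target;
}

// The hazard the snapshot avoids: an in-place copy over aliased memory
// clobbers source elements that have not been read yet.
function naiveSet(target, source, offset = 0) {
  const src = adaptorFor(source), dst = adaptorFor(target);
  for (let i = 0; i < source.length; i++) target[offset + i] = convertTo(src, dst, source[i]);
  return target;
}

// One conversion through the engine's set() and through referenceSet().
function compareSet(TargetCtor, SourceCtor, values) {
  const source = SourceCtor.from(values);
  const engine = new TargetCtor(values.length);
  engine.set(source);
  const reference = referenceSet(new TargetCtor(values.length), source);
  return { engine: Array.from(engine), reference: Array.from(reference) };
}

// Constructed input: an Int16 target aliasing an Int8 source over the same
// 8 bytes; mode is 'engine', 'reference' or 'naive'.
function overlapCase(mode) {
  const buffer = new ArrayBuffer(8);
  new Int8Array(buffer).set([1, 2, 3, 4, 5, 6, 7, 8]);
  const target = new Int16Array(buffer);       // 4 elements covering all 8 bytes
  const source = new Int8Array(buffer, 0, 4);  // the first 4 of those bytes
  if (mode === 'engine') target.set(source);
  else if (mode === 'reference') referenceSet(target, source);
  else naiveSet(target, source);
  return Array.from(target);
}
```

compareSet(Int8Array, Float64Array, [300.7, -1.5, NaN, 1e10]) yields [44, -1, 0, 0] from both the engine and the reference (truncate, then reduce modulo 2^8), and overlapCase('naive') differs from overlapCase('engine') because each Int16 write overwrites an Int8 element the copy has not yet read.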
1433 2013-08-23  Alex Christensen  <achristensen@apple.com>
1434
1435         Re-separating Win32 and Win64 builds.
1436         https://bugs.webkit.org/show_bug.cgi?id=120178
1437
1438         Reviewed by Brent Fulgham.
1439
1440         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1441         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1442         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1443         Pass PlatformArchitecture as a command line parameter to bash scripts.
1444         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1445         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1446         * JavaScriptCore.vcxproj/build-generated-files.sh:
1447         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1448
1449 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1450
1451         build-jsc --ftl-jit should work
1452         https://bugs.webkit.org/show_bug.cgi?id=120194
1453
1454         Reviewed by Oliver Hunt.
1455
1456         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
1457         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
1458         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
1459         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
1460         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1461         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1462
1463 2013-08-23  Oliver Hunt  <oliver@apple.com>
1464
1465         Re-sort xcode project file
1466
1467         * JavaScriptCore.xcodeproj/project.pbxproj:
1468
1469 2013-08-23  Oliver Hunt  <oliver@apple.com>
1470
1471         Support in memory compression of rarely used data
1472         https://bugs.webkit.org/show_bug.cgi?id=120143
1473
1474         Reviewed by Gavin Barraclough.
1475
1476         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
1477
1478         * Configurations/JavaScriptCore.xcconfig:
1479         * bytecode/UnlinkedCodeBlock.cpp:
1480         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
1481         (JSC::UnlinkedCodeBlock::addExpressionInfo):
1482         * bytecode/UnlinkedCodeBlock.h:
1483
1484 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
1485
1486         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
1487         https://bugs.webkit.org/show_bug.cgi?id=120179
1488
1489         Reviewed by Geoffrey Garen.
1490
1491         There are many places in the code for JSObject and JSArray where they are manipulating their 
1492         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
1493         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
1494         like it will make this dance even more intricate. To make everybody's lives easier we should use 
1495         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
1496         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
1497         should not incur any additional overhead.
1498
1499         * heap/Heap.h:
1500         * runtime/JSArray.cpp:
1501         (JSC::JSArray::unshiftCountSlowCase):
1502         * runtime/JSObject.cpp:
1503         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1504         (JSC::JSObject::createInitialUndecided):
1505         (JSC::JSObject::createInitialInt32):
1506         (JSC::JSObject::createInitialDouble):
1507         (JSC::JSObject::createInitialContiguous):
1508         (JSC::JSObject::createArrayStorage):
1509         (JSC::JSObject::convertUndecidedToArrayStorage):
1510         (JSC::JSObject::convertInt32ToArrayStorage):
1511         (JSC::JSObject::convertDoubleToArrayStorage):
1512         (JSC::JSObject::convertContiguousToArrayStorage):
1513         (JSC::JSObject::increaseVectorLength):
1514         (JSC::JSObject::ensureLengthSlow):
1515         * runtime/JSObject.h:
1516         (JSC::JSObject::putDirectInternal):
1517         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1518         (JSC::JSObject::putDirectWithoutTransition):
1519
1520 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1521
1522         Update LLVM binary drops and scripts to the latest version from SVN
1523         https://bugs.webkit.org/show_bug.cgi?id=120184
1524
1525         Reviewed by Mark Hahnenberg.
1526
1527         * dfg/DFGPlan.cpp:
1528         (JSC::DFG::Plan::compileInThreadImpl):
1529
1530 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1531
1532         Don't leak registers for redeclared variables
1533         https://bugs.webkit.org/show_bug.cgi?id=120174
1534
1535         Reviewed by Geoff Garen.
1536
1537         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
1538         Only allocate new registers when necessary.
1539
1540         No performance impact.
1541
1542         * interpreter/Interpreter.cpp:
1543         (JSC::Interpreter::execute):
1544         * runtime/Executable.cpp:
1545         (JSC::ProgramExecutable::initializeGlobalProperties):
1546             - Don't allocate the register here.
1547         * runtime/JSGlobalObject.cpp:
1548         (JSC::JSGlobalObject::addGlobalVar):
1549             - Allocate the register here instead.
1550
1551 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1552
1553         https://bugs.webkit.org/show_bug.cgi?id=120128
1554         Remove putDirectVirtual
1555
1556         Unreviewed, checked in commented out code. :-(
1557
1558         * interpreter/Interpreter.cpp:
1559         (JSC::Interpreter::execute):
1560             - delete commented out code
1561
1562 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1563
1564         Error.stack should not be enumerable
1565         https://bugs.webkit.org/show_bug.cgi?id=120171
1566
1567         Reviewed by Oliver Hunt.
1568
1569         Breaks ECMA tests.
1570
1571         * runtime/ErrorInstance.cpp:
1572         (JSC::ErrorInstance::finishCreation):
1573             - None -> DontEnum
1574
1575 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1576
1577         https://bugs.webkit.org/show_bug.cgi?id=120128
1578         Remove putDirectVirtual
1579
1580         Reviewed by Sam Weinig.
1581
1582         This could most generously be described as 'vestigial'.
1583         No performance impact.
1584
1585         * API/JSObjectRef.cpp:
1586         (JSObjectSetProperty):
1587             - changed to use defineOwnProperty
1588         * debugger/DebuggerActivation.cpp:
1589         * debugger/DebuggerActivation.h:
1590             - remove putDirectVirtual
1591         * interpreter/Interpreter.cpp:
1592         (JSC::Interpreter::execute):
1593             - changed to use defineOwnProperty
1594         * runtime/ClassInfo.h:
1595         * runtime/JSActivation.cpp:
1596         * runtime/JSActivation.h:
1597         * runtime/JSCell.cpp:
1598         * runtime/JSCell.h:
1599         * runtime/JSGlobalObject.cpp:
1600         * runtime/JSGlobalObject.h:
1601         * runtime/JSObject.cpp:
1602         * runtime/JSObject.h:
1603         * runtime/JSProxy.cpp:
1604         * runtime/JSProxy.h:
1605         * runtime/JSSymbolTableObject.cpp:
1606         * runtime/JSSymbolTableObject.h:
1607             - remove putDirectVirtual
1608         * runtime/PropertyDescriptor.h:
1609         (JSC::PropertyDescriptor::PropertyDescriptor):
1610             - added constructor for convenience
1611
1612 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
1613
1614         errorDescriptionForValue() should not assume error value is an Object
1615         https://bugs.webkit.org/show_bug.cgi?id=119812
1616
1617         Reviewed by Geoffrey Garen.
1618
1619         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
1620         has no type, the function now returns the empty string. 
1621         * runtime/ExceptionHelpers.cpp:
1622         (JSC::errorDescriptionForValue):
1623
1624 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
1625
1626         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1627         https://bugs.webkit.org/show_bug.cgi?id=120107
1628
1629         Reviewed by Yong Li.
1630
1631         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1632
1633         * dfg/DFGSpeculativeJIT.h:
1634         (JSC::DFG::SpeculativeJIT::callOperation):
1635
1636 2013-08-21  Commit Queue  <commit-queue@webkit.org>
1637
1638         Unreviewed, rolling out r154416.
1639         http://trac.webkit.org/changeset/154416
1640         https://bugs.webkit.org/show_bug.cgi?id=120147
1641
1642         Broke Windows builds (Requested by rniwa on #webkit).
1643
1644         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1645         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1646         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1647         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1648         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1649         * JavaScriptCore.vcxproj/build-generated-files.sh:
1650
1651 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1652
1653         Clarify var/const/function declaration
1654         https://bugs.webkit.org/show_bug.cgi?id=120144
1655
1656         Reviewed by Sam Weinig.
1657
1658         Add methods to JSGlobalObject to declare vars, consts, and functions.
1659
1660         * runtime/Executable.cpp:
1661         (JSC::ProgramExecutable::initializeGlobalProperties):
1662         * runtime/Executable.h:
1663             - Moved declaration code to JSGlobalObject
1664         * runtime/JSGlobalObject.cpp:
1665         (JSC::JSGlobalObject::addGlobalVar):
1666             - internal implementation of addVar, addConst, addFunction
1667         * runtime/JSGlobalObject.h:
1668         (JSC::JSGlobalObject::addVar):
1669         (JSC::JSGlobalObject::addConst):
1670         (JSC::JSGlobalObject::addFunction):
1671             - Added methods to declare vars, consts, and functions
1672
1673 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
1674
1675         https://bugs.webkit.org/show_bug.cgi?id=119900
1676         Exception in global setter doesn't unwind correctly
1677
1678         Reviewed by Geoffrey Garen.
1679
1680         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
1681
1682         * jit/JITStubs.cpp:
1683         (JSC::DEFINE_STUB_FUNCTION):
1684
1685 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1686
1687         Rename/refactor setButterfly/setStructure
1688         https://bugs.webkit.org/show_bug.cgi?id=120138
1689
1690         Reviewed by Geoffrey Garen.
1691
1692         setButterfly becomes setStructureAndButterfly.
1693
1694         Also removed the Butterfly* argument from setStructure and just implicitly
1695         used m_butterfly internally since that's what every single client of setStructure
1696         was doing already.
1697
1698         * jit/JITStubs.cpp:
1699         (JSC::DEFINE_STUB_FUNCTION):
1700         * runtime/JSObject.cpp:
1701         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1702         (JSC::JSObject::createInitialUndecided):
1703         (JSC::JSObject::createInitialInt32):
1704         (JSC::JSObject::createInitialDouble):
1705         (JSC::JSObject::createInitialContiguous):
1706         (JSC::JSObject::createArrayStorage):
1707         (JSC::JSObject::convertUndecidedToInt32):
1708         (JSC::JSObject::convertUndecidedToDouble):
1709         (JSC::JSObject::convertUndecidedToContiguous):
1710         (JSC::JSObject::convertUndecidedToArrayStorage):
1711         (JSC::JSObject::convertInt32ToDouble):
1712         (JSC::JSObject::convertInt32ToContiguous):
1713         (JSC::JSObject::convertInt32ToArrayStorage):
1714         (JSC::JSObject::genericConvertDoubleToContiguous):
1715         (JSC::JSObject::convertDoubleToArrayStorage):
1716         (JSC::JSObject::convertContiguousToArrayStorage):
1717         (JSC::JSObject::switchToSlowPutArrayStorage):
1718         (JSC::JSObject::setPrototype):
1719         (JSC::JSObject::putDirectAccessor):
1720         (JSC::JSObject::seal):
1721         (JSC::JSObject::freeze):
1722         (JSC::JSObject::preventExtensions):
1723         (JSC::JSObject::reifyStaticFunctionsForDelete):
1724         (JSC::JSObject::removeDirect):
1725         * runtime/JSObject.h:
1726         (JSC::JSObject::setStructureAndButterfly):
1727         (JSC::JSObject::setStructure):
1728         (JSC::JSObject::putDirectInternal):
1729         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1730         (JSC::JSObject::putDirectWithoutTransition):
1731         * runtime/Structure.cpp:
1732         (JSC::Structure::flattenDictionaryStructure):
1733
1734 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1735
1736         https://bugs.webkit.org/show_bug.cgi?id=120127
1737         Remove JSObject::propertyIsEnumerable
1738
1739         Unreviewed typo fix
1740
1741         * runtime/JSObject.h:
1742             - fix typo
1743
1744 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1745
1746         https://bugs.webkit.org/show_bug.cgi?id=120139
1747         PropertyDescriptor argument to define methods should be const
1748
1749         Rubber stamped by Sam Weinig.
1750
1751         This should never be modified, and this way we can use rvalues.
1752
1753         * debugger/DebuggerActivation.cpp:
1754         (JSC::DebuggerActivation::defineOwnProperty):
1755         * debugger/DebuggerActivation.h:
1756         * runtime/Arguments.cpp:
1757         (JSC::Arguments::defineOwnProperty):
1758         * runtime/Arguments.h:
1759         * runtime/ClassInfo.h:
1760         * runtime/JSArray.cpp:
1761         (JSC::JSArray::defineOwnProperty):
1762         * runtime/JSArray.h:
1763         * runtime/JSArrayBuffer.cpp:
1764         (JSC::JSArrayBuffer::defineOwnProperty):
1765         * runtime/JSArrayBuffer.h:
1766         * runtime/JSArrayBufferView.cpp:
1767         (JSC::JSArrayBufferView::defineOwnProperty):
1768         * runtime/JSArrayBufferView.h:
1769         * runtime/JSCell.cpp:
1770         (JSC::JSCell::defineOwnProperty):
1771         * runtime/JSCell.h:
1772         * runtime/JSFunction.cpp:
1773         (JSC::JSFunction::defineOwnProperty):
1774         * runtime/JSFunction.h:
1775         * runtime/JSGenericTypedArrayView.h:
1776         * runtime/JSGenericTypedArrayViewInlines.h:
1777         (JSC::::defineOwnProperty):
1778         * runtime/JSGlobalObject.cpp:
1779         (JSC::JSGlobalObject::defineOwnProperty):
1780         * runtime/JSGlobalObject.h:
1781         * runtime/JSObject.cpp:
1782         (JSC::JSObject::putIndexedDescriptor):
1783         (JSC::JSObject::defineOwnIndexedProperty):
1784         (JSC::putDescriptor):
1785         (JSC::JSObject::defineOwnNonIndexProperty):
1786         (JSC::JSObject::defineOwnProperty):
1787         * runtime/JSObject.h:
1788         * runtime/JSProxy.cpp:
1789         (JSC::JSProxy::defineOwnProperty):
1790         * runtime/JSProxy.h:
1791         * runtime/RegExpMatchesArray.h:
1792         (JSC::RegExpMatchesArray::defineOwnProperty):
1793         * runtime/RegExpObject.cpp:
1794         (JSC::RegExpObject::defineOwnProperty):
1795         * runtime/RegExpObject.h:
1796         * runtime/StringObject.cpp:
1797         (JSC::StringObject::defineOwnProperty):
1798         * runtime/StringObject.h:
1799             - make PropertyDescriptor const
1800
1801 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1802
1803         REGRESSION: Crash under JITCompiler::link while loading Gmail
1804         https://bugs.webkit.org/show_bug.cgi?id=119872
1805
1806         Reviewed by Mark Hahnenberg.
1807         
1808         Apparently, unsigned + signed = unsigned. Work around it with a cast.
1809
1810         * dfg/DFGByteCodeParser.cpp:
1811         (JSC::DFG::ByteCodeParser::parseBlock):
1812
1813 2013-08-21  Alex Christensen  <achristensen@apple.com>
1814
1815         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1816
1817         Reviewed by Brent Fulgham.
1818
1819         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1820         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1821         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1822         Pass PlatformArchitecture as a command line parameter to bash scripts.
1823         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1824         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1825         * JavaScriptCore.vcxproj/build-generated-files.sh:
1826         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1827
1828 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1829
1830         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1831         https://bugs.webkit.org/show_bug.cgi?id=120099
1832
1833         Reviewed by Mark Hahnenberg.
1834         
1835         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1836         JSDataView may have ordinary JS indexed properties.
1837
1838         * runtime/ClassInfo.h:
1839         * runtime/JSArrayBufferView.cpp:
1840         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1841         (JSC::JSArrayBufferView::finishCreation):
1842         * runtime/JSArrayBufferView.h:
1843         (JSC::hasArrayBuffer):
1844         * runtime/JSArrayBufferViewInlines.h:
1845         (JSC::JSArrayBufferView::buffer):
1846         (JSC::JSArrayBufferView::neuter):
1847         (JSC::JSArrayBufferView::byteOffset):
1848         * runtime/JSCell.cpp:
1849         (JSC::JSCell::slowDownAndWasteMemory):
1850         * runtime/JSCell.h:
1851         * runtime/JSDataView.cpp:
1852         (JSC::JSDataView::JSDataView):
1853         (JSC::JSDataView::create):
1854         (JSC::JSDataView::slowDownAndWasteMemory):
1855         * runtime/JSDataView.h:
1856         (JSC::JSDataView::buffer):
1857         * runtime/JSGenericTypedArrayView.h:
1858         * runtime/JSGenericTypedArrayViewInlines.h:
1859         (JSC::::visitChildren):
1860         (JSC::::slowDownAndWasteMemory):
1861
1862 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1863
1864         Remove incorrect ASSERT from CopyVisitor::visitItem
1865
1866         Rubber stamped by Filip Pizlo.
1867
1868         * heap/CopyVisitorInlines.h:
1869         (JSC::CopyVisitor::visitItem):
1870
1871 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1872
1873         https://bugs.webkit.org/show_bug.cgi?id=120127
1874         Remove JSObject::propertyIsEnumerable
1875
1876         Reviewed by Sam Weinig.
1877
1878         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1879
1880         * runtime/JSObject.cpp:
1881         * runtime/JSObject.h:
1882             - remove propertyIsEnumerable
1883         * runtime/ObjectPrototype.cpp:
1884         (JSC::objectProtoFuncPropertyIsEnumerable):
1885             - Move implementation here using getOwnPropertyDescriptor directly.
1886
1887 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
1888
1889         DFG should inline new typedArray()
1890         https://bugs.webkit.org/show_bug.cgi?id=120022
1891
1892         Reviewed by Oliver Hunt.
1893         
1894         Adds inlining of typed array allocations in the DFG. Any operation of the
1895         form:
1896         
1897             new foo(blah)
1898         
1899         or:
1900         
1901             foo(blah)
1902         
1903         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1904         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1905         is predicted integer, we generate inline code for an allocation. Otherwise
1906         it turns into a call to an operation that behaves like the constructor would
1907         if it was passed one argument (i.e. it may wrap a buffer or it may create a
1908         copy of another array, or it may allocate an array of that length).
1909
1910         * bytecode/SpeculatedType.cpp:
1911         (JSC::speculationFromTypedArrayType):
1912         (JSC::speculationFromClassInfo):
1913         * bytecode/SpeculatedType.h:
1914         * dfg/DFGAbstractInterpreterInlines.h:
1915         (JSC::DFG::::executeEffects):
1916         * dfg/DFGBackwardsPropagationPhase.cpp:
1917         (JSC::DFG::BackwardsPropagationPhase::propagate):
1918         * dfg/DFGByteCodeParser.cpp:
1919         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1920         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1921         * dfg/DFGCCallHelpers.h:
1922         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1923         * dfg/DFGCSEPhase.cpp:
1924         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1925         * dfg/DFGClobberize.h:
1926         (JSC::DFG::clobberize):
1927         * dfg/DFGFixupPhase.cpp:
1928         (JSC::DFG::FixupPhase::fixupNode):
1929         * dfg/DFGGraph.cpp:
1930         (JSC::DFG::Graph::dump):
1931         * dfg/DFGNode.h:
1932         (JSC::DFG::Node::hasTypedArrayType):
1933         (JSC::DFG::Node::typedArrayType):
1934         * dfg/DFGNodeType.h:
1935         * dfg/DFGOperations.cpp:
1936         (JSC::DFG::newTypedArrayWithSize):
1937         (JSC::DFG::newTypedArrayWithOneArgument):
1938         * dfg/DFGOperations.h:
1939         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1940         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1941         * dfg/DFGPredictionPropagationPhase.cpp:
1942         (JSC::DFG::PredictionPropagationPhase::propagate):
1943         * dfg/DFGSafeToExecute.h:
1944         (JSC::DFG::safeToExecute):
1945         * dfg/DFGSpeculativeJIT.cpp:
1946         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1947         * dfg/DFGSpeculativeJIT.h:
1948         (JSC::DFG::SpeculativeJIT::callOperation):
1949         * dfg/DFGSpeculativeJIT32_64.cpp:
1950         (JSC::DFG::SpeculativeJIT::compile):
1951         * dfg/DFGSpeculativeJIT64.cpp:
1952         (JSC::DFG::SpeculativeJIT::compile):
1953         * jit/JITOpcodes.cpp:
1954         (JSC::JIT::emit_op_new_object):
1955         * jit/JITOpcodes32_64.cpp:
1956         (JSC::JIT::emit_op_new_object):
1957         * runtime/JSArray.h:
1958         (JSC::JSArray::allocationSize):
1959         * runtime/JSArrayBufferView.h:
1960         (JSC::JSArrayBufferView::allocationSize):
1961         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1962         (JSC::constructGenericTypedArrayView):
1963         * runtime/JSObject.h:
1964         (JSC::JSFinalObject::allocationSize):
1965         * runtime/TypedArrayType.cpp:
1966         (JSC::constructorClassInfoForType):
1967         * runtime/TypedArrayType.h:
1968         (JSC::indexToTypedArrayType):
1969
1970 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
1971
1972         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
1973
1974         Reviewed by Geoffrey Garen.
1975
1976         * dfg/DFGOperations.h:
1977
1978 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1979
1980         https://bugs.webkit.org/show_bug.cgi?id=120093
1981         Remove getOwnPropertyDescriptor trap
1982
1983         Reviewed by Geoff Garen.
1984
1985         All implementations of this method are now called via the method table, and equivalent in behaviour.
1986         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
1987
1988         * API/JSCallbackObject.h:
1989         * API/JSCallbackObjectFunctions.h:
1990         * debugger/DebuggerActivation.cpp:
1991         * debugger/DebuggerActivation.h:
1992         * runtime/Arguments.cpp:
1993         * runtime/Arguments.h:
1994         * runtime/ArrayConstructor.cpp:
1995         * runtime/ArrayConstructor.h:
1996         * runtime/ArrayPrototype.cpp:
1997         * runtime/ArrayPrototype.h:
1998         * runtime/BooleanPrototype.cpp:
1999         * runtime/BooleanPrototype.h:
2000             - remove getOwnPropertyDescriptor
2001         * runtime/ClassInfo.h:
2002             - remove getOwnPropertyDescriptor from MethodTable
2003         * runtime/DateConstructor.cpp:
2004         * runtime/DateConstructor.h:
2005         * runtime/DatePrototype.cpp:
2006         * runtime/DatePrototype.h:
2007         * runtime/ErrorPrototype.cpp:
2008         * runtime/ErrorPrototype.h:
2009         * runtime/JSActivation.cpp:
2010         * runtime/JSActivation.h:
2011         * runtime/JSArray.cpp:
2012         * runtime/JSArray.h:
2013         * runtime/JSArrayBuffer.cpp:
2014         * runtime/JSArrayBuffer.h:
2015         * runtime/JSArrayBufferView.cpp:
2016         * runtime/JSArrayBufferView.h:
2017         * runtime/JSCell.cpp:
2018         * runtime/JSCell.h:
2019         * runtime/JSDataView.cpp:
2020         * runtime/JSDataView.h:
2021         * runtime/JSDataViewPrototype.cpp:
2022         * runtime/JSDataViewPrototype.h:
2023         * runtime/JSFunction.cpp:
2024         * runtime/JSFunction.h:
2025         * runtime/JSGenericTypedArrayView.h:
2026         * runtime/JSGenericTypedArrayViewInlines.h:
2027         * runtime/JSGlobalObject.cpp:
2028         * runtime/JSGlobalObject.h:
2029         * runtime/JSNotAnObject.cpp:
2030         * runtime/JSNotAnObject.h:
2031         * runtime/JSONObject.cpp:
2032         * runtime/JSONObject.h:
2033             - remove getOwnPropertyDescriptor
2034         * runtime/JSObject.cpp:
2035         (JSC::JSObject::propertyIsEnumerable):
2036             - switch to call new getOwnPropertyDescriptor member function
2037         (JSC::JSObject::getOwnPropertyDescriptor):
2038             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2039         (JSC::JSObject::defineOwnNonIndexProperty):
2040             - switch to call new getOwnPropertyDescriptor member function
2041         * runtime/JSObject.h:
2042         * runtime/JSProxy.cpp:
2043         * runtime/JSProxy.h:
2044         * runtime/NamePrototype.cpp:
2045         * runtime/NamePrototype.h:
2046         * runtime/NumberConstructor.cpp:
2047         * runtime/NumberConstructor.h:
2048         * runtime/NumberPrototype.cpp:
2049         * runtime/NumberPrototype.h:
2050             - remove getOwnPropertyDescriptor
2051         * runtime/ObjectConstructor.cpp:
2052         (JSC::objectConstructorGetOwnPropertyDescriptor):
2053         (JSC::objectConstructorSeal):
2054         (JSC::objectConstructorFreeze):
2055         (JSC::objectConstructorIsSealed):
2056         (JSC::objectConstructorIsFrozen):
2057             - switch to call new getOwnPropertyDescriptor member function
2058         * runtime/ObjectConstructor.h:
2059             - remove getOwnPropertyDescriptor
2060         * runtime/PropertyDescriptor.h:
2061             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2062         * runtime/RegExpConstructor.cpp:
2063         * runtime/RegExpConstructor.h:
2064         * runtime/RegExpMatchesArray.cpp:
2065         * runtime/RegExpMatchesArray.h:
2066         * runtime/RegExpObject.cpp:
2067         * runtime/RegExpObject.h:
2068         * runtime/RegExpPrototype.cpp:
2069         * runtime/RegExpPrototype.h:
2070         * runtime/StringConstructor.cpp:
2071         * runtime/StringConstructor.h:
2072         * runtime/StringObject.cpp:
2073         * runtime/StringObject.h:
2074             - remove getOwnPropertyDescriptor
2075
2076 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2077
2078         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
2079
2080         Reviewed by Oliver Hunt.
2081
2082         When we flatten an object in dictionary mode, we compact its properties. If the object 
2083         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
2084         compaction its properties fit inline, the object's Structure "forgets" that the object 
2085         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
2086         with bytes = 0, which causes all sorts of badness in CopiedSpace.
2087
2088         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
2089         Butterfly pointer so that the GC doesn't get confused later.
2090
2091         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
2092         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
2093         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
2094         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
2095
2096         * heap/SlotVisitorInlines.h:
2097         (JSC::SlotVisitor::copyLater):
2098         * runtime/JSObject.cpp:
2099         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2100         (JSC::JSObject::convertUndecidedToInt32):
2101         (JSC::JSObject::convertUndecidedToDouble):
2102         (JSC::JSObject::convertUndecidedToContiguous):
2103         (JSC::JSObject::convertInt32ToDouble):
2104         (JSC::JSObject::convertInt32ToContiguous):
2105         (JSC::JSObject::genericConvertDoubleToContiguous):
2106         (JSC::JSObject::switchToSlowPutArrayStorage):
2107         (JSC::JSObject::setPrototype):
2108         (JSC::JSObject::putDirectAccessor):
2109         (JSC::JSObject::seal):
2110         (JSC::JSObject::freeze):
2111         (JSC::JSObject::preventExtensions):
2112         (JSC::JSObject::reifyStaticFunctionsForDelete):
2113         (JSC::JSObject::removeDirect):
2114         * runtime/JSObject.h:
2115         (JSC::JSObject::setButterfly):
2116         (JSC::JSObject::putDirectInternal):
2117         (JSC::JSObject::setStructure):
2118         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2119         * runtime/Structure.cpp:
2120         (JSC::Structure::flattenDictionaryStructure):
2121
2122 2013-08-20  Alex Christensen  <achristensen@apple.com>
2123
2124         Compile fix for Win64 after r154156.
2125
2126         Rubber stamped by Oliver Hunt.
2127
2128         * jit/JITStubsMSVC64.asm:
2129         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
2130         cti_vm_throw_slowpath to cti_vm_handle_exception.
2131
2132 2013-08-20  Alex Christensen  <achristensen@apple.com>
2133
2134         <https://webkit.org/b/120076> More work towards a Win64 build
2135
2136         Reviewed by Brent Fulgham.
2137
2138         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2139         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2140         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2141         * JavaScriptCore.vcxproj/copy-files.cmd:
2142         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2143         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
2144         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
2145
2146 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2147
2148         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2149
2150         Reviewed by Geoffrey Garen.
2151
2152         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
2153         initializeLazyWriteBarrierFor* wrapper functions more sane. 
2154
2155         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
2156         and index when triggering the WriteBarrier at the end of compilation. 
2157
2158         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
2159         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
2160         little extra work that really shouldn't have been its responsibility.
2161
2162         * dfg/DFGByteCodeParser.cpp:
2163         (JSC::DFG::ByteCodeParser::addConstant):
2164         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2165         * dfg/DFGDesiredWriteBarriers.cpp:
2166         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2167         (JSC::DFG::DesiredWriteBarrier::trigger):
2168         * dfg/DFGDesiredWriteBarriers.h:
2169         (JSC::DFG::DesiredWriteBarriers::add):
2170         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
2171         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
2172         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2173         * dfg/DFGFixupPhase.cpp:
2174         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2175         * dfg/DFGGraph.h:
2176         (JSC::DFG::Graph::constantRegisterForConstant):
2177
2178 2013-08-20  Michael Saboff  <msaboff@apple.com>
2179
2180         https://bugs.webkit.org/show_bug.cgi?id=120075
2181         REGRESSION (r128400): BBC4 website not displaying pictures
2182
2183         Reviewed by Oliver Hunt.
2184
2185         * runtime/RegExpMatchesArray.h:
2186         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
2187         so that the match results will be reified before any other modification to the results array.
2188
2189 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
2190
2191         Incorrect behavior on emscripten-compiled cube2hash
2192         https://bugs.webkit.org/show_bug.cgi?id=120033
2193
2194         Reviewed by Mark Hahnenberg.
2195         
2196         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
2197         then we should bail attempts to CSE.
2198
2199         * dfg/DFGCSEPhase.cpp:
2200         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
2201         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
2202
2203 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2204
2205         https://bugs.webkit.org/show_bug.cgi?id=120073
2206         Remove use of GOPD from JSFunction::defineProperty
2207
2208         Reviewed by Oliver Hunt.
2209
2210         Call getOwnPropertySlot to check for existing properties instead.
2211
2212         * runtime/JSFunction.cpp:
2213         (JSC::JSFunction::defineOwnProperty):
2214             - getOwnPropertyDescriptor -> getOwnPropertySlot
2215
2216 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2217
2218         https://bugs.webkit.org/show_bug.cgi?id=120067
2219         Remove getPropertyDescriptor
2220
2221         Reviewed by Oliver Hunt.
2222
2223         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
2224         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
2225
2226         * runtime/JSObject.cpp:
2227         * runtime/JSObject.h:
2228             - remove getPropertyDescriptor
2229         * runtime/ObjectPrototype.cpp:
2230         (JSC::objectProtoFuncLookupGetter):
2231         (JSC::objectProtoFuncLookupSetter):
2232             - replace call to getPropertyDescriptor with getPropertySlot
2233         * runtime/PropertyDescriptor.h:
2234         * runtime/PropertySlot.h:
2235         (JSC::PropertySlot::isAccessor):
2236         (JSC::PropertySlot::isCacheableGetter):
2237         (JSC::PropertySlot::getterSetter):
2238             - rename isGetter() to isAccessor()
2239
2240 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2241
2242         https://bugs.webkit.org/show_bug.cgi?id=120054
2243         Remove some dead code following getOwnPropertyDescriptor cleanup
2244
2245         Reviewed by Oliver Hunt.
2246
2247         * runtime/Lookup.h:
2248         (JSC::getStaticFunctionSlot):
2249             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
2250
2251 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2252
2253         https://bugs.webkit.org/show_bug.cgi?id=120052
2254         Remove custom getOwnPropertyDescriptor for JSProxy
2255
2256         Reviewed by Geoff Garen.
2257
2258         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
2259         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
2260         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
2261         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
2262         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
2263
2264         * runtime/JSProxy.cpp:
2265             - Remove custom getOwnPropertyDescriptor implementation.
2266         * runtime/PropertyDescriptor.h:
2267             - Modify own property access check to perform toThis conversion.
2268
2269 2013-08-20  Alex Christensen  <achristensen@apple.com>
2270
2271         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
2272         https://bugs.webkit.org/show_bug.cgi?id=119512
2273
2274         Reviewed by Brent Fulgham.
2275
2276         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2277         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2278         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2279         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
2280         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
2281         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
2282         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2283         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
2284
2285 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
2286
2287         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
2288
2289         Reviewed by Allan Sandfeld Jensen.
2290
2291         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
2292         instructions and two constants now that DFG is enabled for sh4 architecture.
2293         These missing ensureSpace calls lead to random crashes.
2294
2295         * assembler/MacroAssemblerSH4.h:
2296         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
2297
2298 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
2299
2300         https://bugs.webkit.org/show_bug.cgi?id=120034
2301         Remove custom getOwnPropertyDescriptor for global objects
2302
2303         Reviewed by Geoff Garen.
2304
2305         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
2306
2307         * runtime/JSGlobalObject.cpp:
2308             - Remove custom getOwnPropertyDescriptor implementation.
2309         * runtime/JSSymbolTableObject.h:
2310         (JSC::symbolTableGet):
2311             - The symbol table does not store the DontDelete attribute; we should be adding it back in.
2312         * runtime/PropertyDescriptor.h:
2313             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now this is a workaround for the getOwnPropertyDescriptor case.
2314         * runtime/PropertySlot.h:
2315         (JSC::PropertySlot::setUndefined):
2316             - This is used by WebCore when blocking access to properties on cross-frame access.
2317               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
2318
2319 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2320
2321         DFG should inline typedArray.byteOffset
2322         https://bugs.webkit.org/show_bug.cgi?id=119962
2323
2324         Reviewed by Oliver Hunt.
2325         
2326         This adds a new node, GetTypedArrayByteOffset, which inlines
2327         typedArray.byteOffset.
2328         
2329         Also, I improved a bunch of the clobbering logic related to typed arrays
2330         and clobbering in general. For example, PutByOffset/PutStructure are not
2331         clobber-world so they can be handled by most default cases in CSE. Also,
2332         it's better to use the 'Class_field' notation for typed arrays now that
2333         they no longer involve magical descriptor thingies.
2334
2335         * bytecode/SpeculatedType.h:
2336         * dfg/DFGAbstractHeap.h:
2337         * dfg/DFGAbstractInterpreterInlines.h:
2338         (JSC::DFG::::executeEffects):
2339         * dfg/DFGArrayMode.h:
2340         (JSC::DFG::neverNeedsStorage):
2341         * dfg/DFGCSEPhase.cpp:
2342         (JSC::DFG::CSEPhase::getByValLoadElimination):
2343         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2344         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2345         (JSC::DFG::CSEPhase::checkArrayElimination):
2346         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
2347         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
2348         (JSC::DFG::CSEPhase::performNodeCSE):
2349         * dfg/DFGClobberize.h:
2350         (JSC::DFG::clobberize):
2351         * dfg/DFGFixupPhase.cpp:
2352         (JSC::DFG::FixupPhase::fixupNode):
2353         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2354         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2355         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2356         * dfg/DFGNodeType.h:
2357         * dfg/DFGPredictionPropagationPhase.cpp:
2358         (JSC::DFG::PredictionPropagationPhase::propagate):
2359         * dfg/DFGSafeToExecute.h:
2360         (JSC::DFG::safeToExecute):
2361         * dfg/DFGSpeculativeJIT.cpp:
2362         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2363         * dfg/DFGSpeculativeJIT.h:
2364         * dfg/DFGSpeculativeJIT32_64.cpp:
2365         (JSC::DFG::SpeculativeJIT::compile):
2366         * dfg/DFGSpeculativeJIT64.cpp:
2367         (JSC::DFG::SpeculativeJIT::compile):
2368         * dfg/DFGTypeCheckHoistingPhase.cpp:
2369         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2370         * runtime/ArrayBuffer.h:
2371         (JSC::ArrayBuffer::offsetOfData):
2372         * runtime/Butterfly.h:
2373         (JSC::Butterfly::offsetOfArrayBuffer):
2374         * runtime/IndexingHeader.h:
2375         (JSC::IndexingHeader::offsetOfArrayBuffer):
2376
2377 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
2378
2379         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
2380
2381         Reviewed by Geoffrey Garen.
2382
2383         * dfg/DFGByteCodeParser.cpp:
2384         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2385
2386 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2387
2388         https://bugs.webkit.org/show_bug.cgi?id=119995
2389         Start removing custom implementations of getOwnPropertyDescriptor
2390
2391         Reviewed by Oliver Hunt.
2392
2393         This can now typically be implemented in terms of getOwnPropertySlot.
2394         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
2395         Switch over most classes in JSC & the WebCore bindings generator to use this.
2396
2397         * API/JSCallbackObjectFunctions.h:
2398         * debugger/DebuggerActivation.cpp:
2399         * runtime/Arguments.cpp:
2400         * runtime/ArrayConstructor.cpp:
2401         * runtime/ArrayPrototype.cpp:
2402         * runtime/BooleanPrototype.cpp:
2403         * runtime/DateConstructor.cpp:
2404         * runtime/DatePrototype.cpp:
2405         * runtime/ErrorPrototype.cpp:
2406         * runtime/JSActivation.cpp:
2407         * runtime/JSArray.cpp:
2408         * runtime/JSArrayBuffer.cpp:
2409         * runtime/JSArrayBufferView.cpp:
2410         * runtime/JSCell.cpp:
2411         * runtime/JSDataView.cpp:
2412         * runtime/JSDataViewPrototype.cpp:
2413         * runtime/JSFunction.cpp:
2414         * runtime/JSGenericTypedArrayViewInlines.h:
2415         * runtime/JSNotAnObject.cpp:
2416         * runtime/JSONObject.cpp:
2417         * runtime/JSObject.cpp:
2418         * runtime/NamePrototype.cpp:
2419         * runtime/NumberConstructor.cpp:
2420         * runtime/NumberPrototype.cpp:
2421         * runtime/ObjectConstructor.cpp:
2422             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2423         * runtime/PropertyDescriptor.h:
2424             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
2425         * runtime/PropertySlot.h:
2426         (JSC::PropertySlot::isValue):
2427         (JSC::PropertySlot::isGetter):
2428         (JSC::PropertySlot::isCustom):
2429         (JSC::PropertySlot::isCacheableValue):
2430         (JSC::PropertySlot::isCacheableGetter):
2431         (JSC::PropertySlot::isCacheableCustom):
2432         (JSC::PropertySlot::attributes):
2433         (JSC::PropertySlot::getterSetter):
2434             - Add accessors necessary to convert PropertySlot to descriptor.
2435         * runtime/RegExpConstructor.cpp:
2436         * runtime/RegExpMatchesArray.cpp:
2437         * runtime/RegExpMatchesArray.h:
2438         * runtime/RegExpObject.cpp:
2439         * runtime/RegExpPrototype.cpp:
2440         * runtime/StringConstructor.cpp:
2441         * runtime/StringObject.cpp:
2442             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2443
2444 2013-08-19  Michael Saboff  <msaboff@apple.com>
2445
2446         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
2447
2448         Reviewed by Sam Weinig.
2449
2450         * dfg/DFGSpeculativeJIT32_64.cpp:
2451         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
2452         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
2453         all versions of fillSpeculateBoolean().
2454
2455 2013-08-19  Michael Saboff  <msaboff@apple.com>
2456
2457         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
2458
2459         Reviewed by Benjamin Poulain.
2460
2461         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
2462         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
2463
2464         * assembler/MacroAssemblerX86Common.h:
2465         (JSC::MacroAssemblerX86Common::branchTest32):
2466
2467 2013-08-16  Oliver Hunt  <oliver@apple.com>
2468
2469         <https://webkit.org/b/119860> Crash during exception unwinding
2470
2471         Reviewed by Filip Pizlo.
2472
2473         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
2474         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
2475
2476         We need this so that Throw and ThrowReferenceError no longer need to be treated as
2477         terminals and the subsequent flush keeps the activation (and other registers) live.
2478
2479         * dfg/DFGAbstractInterpreterInlines.h:
2480         (JSC::DFG::::executeEffects):
2481         * dfg/DFGByteCodeParser.cpp:
2482         (JSC::DFG::ByteCodeParser::parseBlock):
2483         * dfg/DFGClobberize.h:
2484         (JSC::DFG::clobberize):
2485         * dfg/DFGFixupPhase.cpp:
2486         (JSC::DFG::FixupPhase::fixupNode):
2487         * dfg/DFGNode.h:
2488         (JSC::DFG::Node::isTerminal):
2489         * dfg/DFGNodeType.h:
2490         * dfg/DFGPredictionPropagationPhase.cpp:
2491         (JSC::DFG::PredictionPropagationPhase::propagate):
2492         * dfg/DFGSafeToExecute.h:
2493         (JSC::DFG::safeToExecute):
2494         * dfg/DFGSpeculativeJIT32_64.cpp:
2495         (JSC::DFG::SpeculativeJIT::compile):
2496         * dfg/DFGSpeculativeJIT64.cpp:
2497         (JSC::DFG::SpeculativeJIT::compile):
2498
2499 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2500
2501         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
2502
2503         Reviewed by Oliver Hunt.
2504
2505         Guard the compilation of these files only if DFG_JIT is enabled.
2506
2507         * dfg/DFGDesiredTransitions.cpp:
2508         * dfg/DFGDesiredTransitions.h:
2509         * dfg/DFGDesiredWeakReferences.cpp:
2510         * dfg/DFGDesiredWeakReferences.h:
2511         * dfg/DFGDesiredWriteBarriers.cpp:
2512         * dfg/DFGDesiredWriteBarriers.h:
2513
2514 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2515
2516         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
2517         https://bugs.webkit.org/show_bug.cgi?id=119961
2518
2519         Reviewed by Mark Hahnenberg.
2520
2521         * dfg/DFGFixupPhase.cpp:
2522         (JSC::DFG::FixupPhase::fixupNode):
2523
2524 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2525
2526         https://bugs.webkit.org/show_bug.cgi?id=119972
2527         Add attributes field to PropertySlot
2528
2529         Reviewed by Geoff Garen.
2530
2531         For all JSC types, this makes getOwnPropertyDescriptor redundant.
2532         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
2533         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
2534
2535         No performance impact.
2536
2537         * runtime/PropertySlot.h:
2538         (JSC::PropertySlot::setValue):
2539         (JSC::PropertySlot::setCustom):
2540         (JSC::PropertySlot::setCacheableCustom):
2541         (JSC::PropertySlot::setCustomIndex):
2542         (JSC::PropertySlot::setGetterSlot):
2543         (JSC::PropertySlot::setCacheableGetterSlot):
2544             - These methods now all require 'attributes'.
2545         * runtime/JSObject.h:
2546         (JSC::JSObject::getDirect):
2547         (JSC::JSObject::getDirectOffset):
2548         (JSC::JSObject::inlineGetOwnPropertySlot):
2549             - Added variants of getDirect, getDirectOffset that return the attributes.
2550         * API/JSCallbackObjectFunctions.h:
2551         (JSC::::getOwnPropertySlot):
2552         * runtime/Arguments.cpp:
2553         (JSC::Arguments::getOwnPropertySlotByIndex):
2554         (JSC::Arguments::getOwnPropertySlot):
2555         * runtime/JSActivation.cpp:
2556         (JSC::JSActivation::symbolTableGet):
2557         (JSC::JSActivation::getOwnPropertySlot):
2558         * runtime/JSArray.cpp:
2559         (JSC::JSArray::getOwnPropertySlot):
2560         * runtime/JSArrayBuffer.cpp:
2561         (JSC::JSArrayBuffer::getOwnPropertySlot):
2562         * runtime/JSArrayBufferView.cpp:
2563         (JSC::JSArrayBufferView::getOwnPropertySlot):
2564         * runtime/JSDataView.cpp:
2565         (JSC::JSDataView::getOwnPropertySlot):
2566         * runtime/JSFunction.cpp:
2567         (JSC::JSFunction::getOwnPropertySlot):
2568         * runtime/JSGenericTypedArrayViewInlines.h:
2569         (JSC::::getOwnPropertySlot):
2570         (JSC::::getOwnPropertySlotByIndex):
2571         * runtime/JSObject.cpp:
2572         (JSC::JSObject::getOwnPropertySlotByIndex):
2573         (JSC::JSObject::fillGetterPropertySlot):
2574         * runtime/JSString.h:
2575         (JSC::JSString::getStringPropertySlot):
2576         * runtime/JSSymbolTableObject.h:
2577         (JSC::symbolTableGet):
2578         * runtime/Lookup.cpp:
2579         (JSC::setUpStaticFunctionSlot):
2580         * runtime/Lookup.h:
2581         (JSC::getStaticPropertySlot):
2582         (JSC::getStaticPropertyDescriptor):
2583         (JSC::getStaticValueSlot):
2584         (JSC::getStaticValueDescriptor):
2585         * runtime/RegExpObject.cpp:
2586         (JSC::RegExpObject::getOwnPropertySlot):
2587         * runtime/SparseArrayValueMap.cpp:
2588         (JSC::SparseArrayEntry::get):
2589             - Pass attributes to PropertySlot::set* methods.
2590
2591 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2592
2593         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2594
2595         Reviewed by Filip Pizlo.
2596
2597         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
2598         Vector of WriteBarriers rather than the specific address. The fact that we were 
2599         arbitrarily storing into a Vector's backing store for constants at the end of 
2600         compilation after the Vector could have resized was causing crashes.
2601
2602         * bytecode/CodeBlock.h:
2603         (JSC::CodeBlock::constants):
2604         (JSC::CodeBlock::addConstantLazily):
2605         * dfg/DFGByteCodeParser.cpp:
2606         (JSC::DFG::ByteCodeParser::addConstant):
2607         * dfg/DFGDesiredWriteBarriers.cpp:
2608         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2609         (JSC::DFG::DesiredWriteBarrier::trigger):
2610         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2611         * dfg/DFGDesiredWriteBarriers.h:
2612         (JSC::DFG::DesiredWriteBarriers::add):
2613         * dfg/DFGFixupPhase.cpp:
2614         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2615         * dfg/DFGGraph.h:
2616         (JSC::DFG::Graph::constantRegisterForConstant):
2617
2618 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2619
2620         DFG should optimize typedArray.byteLength
2621         https://bugs.webkit.org/show_bug.cgi?id=119909
2622
2623         Reviewed by Oliver Hunt.
2624         
2625         This adds typedArray.byteLength inlining to the DFG, and does so without changing
2626         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2627         legal since the byteLength of a typed array cannot exceed
2628         numeric_limits<int32_t>::max().
2629
2630         * bytecode/SpeculatedType.cpp:
2631         (JSC::typedArrayTypeFromSpeculation):
2632         * bytecode/SpeculatedType.h:
2633         * dfg/DFGArrayMode.cpp:
2634         (JSC::DFG::toArrayType):
2635         * dfg/DFGArrayMode.h:
2636         * dfg/DFGFixupPhase.cpp:
2637         (JSC::DFG::FixupPhase::fixupNode):
2638         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2639         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2640         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2641         (JSC::DFG::FixupPhase::prependGetArrayLength):
2642         * dfg/DFGGraph.h:
2643         (JSC::DFG::Graph::constantRegisterForConstant):
2644         (JSC::DFG::Graph::convertToConstant):
2645         * runtime/TypedArrayType.h:
2646         (JSC::logElementSize):
2647         (JSC::elementSize):
2648
2649 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2650
2651         DFG optimizes out strict mode arguments tear off
2652         https://bugs.webkit.org/show_bug.cgi?id=119504
2653
2654         Reviewed by Mark Hahnenberg and Oliver Hunt.
2655         
2656         Don't do the optimization for strict mode.
2657
2658         * dfg/DFGArgumentsSimplificationPhase.cpp:
2659         (JSC::DFG::ArgumentsSimplificationPhase::run):
2660         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2661
2662 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
2663
2664         [JSC] x86: improve code generation for xxxTest32
2665         https://bugs.webkit.org/show_bug.cgi?id=119876
2666
2667         Reviewed by Geoffrey Garen.
2668
2669         Try to use testb whenever possible when testing for an immediate value.
2670
2671         When the input is an address and an offset, we can tweak the mask
2672         and offset to be able to generate testb for any byte of the mask.
2673
2674         When the input is a register, we can use testb if we are only interested
2675         in testing the low bits.
2676
2677         * assembler/MacroAssemblerX86Common.h:
2678         (JSC::MacroAssemblerX86Common::branchTest32):
2679         (JSC::MacroAssemblerX86Common::test32):
2680         (JSC::MacroAssemblerX86Common::generateTest32):
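As an added example covering both this entry and the 2013-08-19 branchTest32 fix above, the following models the decision of when a 32-bit immediate test can be narrowed to a one-byte testb: for a memory operand by moving the offset to the single non-zero byte of the mask, and for a register operand only when the mask fits in the low byte and the register has a low-byte encoding on 32-bit x86. This is not JavaScriptCore's generateTest32; the names Test32Plan, planMemoryTest32 and planRegisterTest32 are hypothetical.

```cpp
#include <cstdint>

// Added example, not JavaScriptCore code.
struct Test32Plan {
    bool useByteTest;   // true: emit testb; false: fall back to a full testl
    int32_t offset;     // effective memory offset after adjustment
    uint8_t byteMask;   // 8-bit immediate used with testb
};

// Memory operand (base + offset). If exactly one byte of the 32-bit mask is
// non-zero, test that byte alone: on little-endian x86, byte k of the dword
// lives at offset + k, so the offset is shifted and the mask narrowed.
Test32Plan planMemoryTest32(uint32_t mask, int32_t offset)
{
    for (int k = 0; k < 4; ++k) {
        const uint32_t byte = (mask >> (8 * k)) & 0xFFu;
        if (byte == 0)
            continue;
        // Any other non-zero byte means the mask spans bytes: keep testl.
        if ((mask & ~(0xFFu << (8 * k))) != 0)
            return { false, offset, 0 };
        return { true, offset + k, static_cast<uint8_t>(byte) };
    }
    // mask == 0: nothing to narrow; keep the full-width test.
    return { false, offset, 0 };
}

// Register operand on 32-bit x86 (no REX prefix available). A byte test is
// only valid if the mask fits in the low 8 bits and the register is one of
// eax..ebx (encodings 0-3): encodings 4-7 in a byte operand select
// ah/ch/dh/bh rather than esp/ebp/esi/edi, which is the bug the
// 2013-08-19 branchTest32 entry corrects.
Test32Plan planRegisterTest32(int regEncoding, uint32_t mask)
{
    const bool lowByteOnly = (mask & ~0xFFu) == 0 && mask != 0;
    const bool hasByteForm = regEncoding >= 0 && regEncoding <= 3;
    if (lowByteOnly && hasByteForm)
        return { true, 0, static_cast<uint8_t>(mask) };
    return { false, 0, 0 };
}
```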
2681
2682 2013-08-16  Mark Lam  <mark.lam@apple.com>
2683
2684         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
2685         error message that an object is not a constructor though it expects a function
2686
2687         Reviewed by Michael Saboff.
2688
2689         * jit/JITStubs.cpp:
2690         (JSC::DEFINE_STUB_FUNCTION):
2691
2692 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2693
2694         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
2695         https://bugs.webkit.org/show_bug.cgi?id=119897
2696
2697         Reviewed by Oliver Hunt.
2698         
2699         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
2700         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
2701         to turn objects into dictionaries when you're storing using bracket syntax or using
2702         eval is still in place.
2703
2704         * bytecode/CodeBlock.h:
2705         (JSC::CodeBlock::putByIdContext):
2706         * dfg/DFGOperations.cpp:
2707         * jit/JITStubs.cpp:
2708         (JSC::DEFINE_STUB_FUNCTION):
2709         * llint/LLIntSlowPaths.cpp:
2710         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2711         * runtime/JSObject.h:
2712         (JSC::JSObject::putDirectInternal):
2713         * runtime/PutPropertySlot.h:
2714         (JSC::PutPropertySlot::PutPropertySlot):
2715         (JSC::PutPropertySlot::context):
2716         * runtime/Structure.cpp:
2717         (JSC::Structure::addPropertyTransition):
2718         * runtime/Structure.h:
2719
2720 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
2721
2722         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
2723
2724         Reviewed by Allan Sandfeld Jensen.
2725
2726         ctiVMHandleException must jump/return using register ra (r31).
2727
2728         * jit/JITStubsMIPS.h:
2729
2730 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
2731
2732         <https://webkit.org/b/119879> Fix sh4 build after r154156.
2733
2734         Reviewed by Allan Sandfeld Jensen.
2735
2736         Fix typo in JITStubsSH4.h file.
2737
2738         * jit/JITStubsSH4.h:
2739
2740 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2741
2742         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
2743
2744         Reviewed by Oliver Hunt.
2745
2746         The concurrent compilation thread should interact minimally with the Heap, including not 
2747         triggering WriteBarriers. This is a prerequisite for generational GC.
2748
2749         * JavaScriptCore.xcodeproj/project.pbxproj:
2750         * bytecode/CodeBlock.cpp:
2751         (JSC::CodeBlock::addOrFindConstant):
2752         (JSC::CodeBlock::findConstant):
2753         * bytecode/CodeBlock.h:
2754         (JSC::CodeBlock::addConstantLazily):
2755         * dfg/DFGByteCodeParser.cpp:
2756         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
2757         (JSC::DFG::ByteCodeParser::constantUndefined):
2758         (JSC::DFG::ByteCodeParser::constantNull):
2759         (JSC::DFG::ByteCodeParser::one):
2760         (JSC::DFG::ByteCodeParser::constantNaN):
2761         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2762         * dfg/DFGCommonData.cpp:
2763         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2764         * dfg/DFGCommonData.h:
2765         * dfg/DFGDesiredTransitions.cpp: Added.
2766         (JSC::DFG::DesiredTransition::DesiredTransition):
2767         (JSC::DFG::DesiredTransition::reallyAdd):
2768         (JSC::DFG::DesiredTransitions::DesiredTransitions):
2769         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
2770         (JSC::DFG::DesiredTransitions::addLazily):
2771         (JSC::DFG::DesiredTransitions::reallyAdd):
2772         * dfg/DFGDesiredTransitions.h: Added.
2773         * dfg/DFGDesiredWeakReferences.cpp: Added.
2774         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2775         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
2776         (JSC::DFG::DesiredWeakReferences::addLazily):
2777         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2778         * dfg/DFGDesiredWeakReferences.h: Added.
2779         * dfg/DFGDesiredWriteBarriers.cpp: Added.
2780         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2781         (JSC::DFG::DesiredWriteBarrier::trigger):
2782         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
2783         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
2784         (JSC::DFG::DesiredWriteBarriers::addImpl):
2785         (JSC::DFG::DesiredWriteBarriers::trigger):
2786         * dfg/DFGDesiredWriteBarriers.h: Added.
2787         (JSC::DFG::DesiredWriteBarriers::add):
2788         (JSC::DFG::initializeLazyWriteBarrier):
2789         * dfg/DFGFixupPhase.cpp:
2790         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2791         * dfg/DFGGraph.h:
2792         (JSC::DFG::Graph::convertToConstant):
2793         * dfg/DFGJITCompiler.h:
2794         (JSC::DFG::JITCompiler::addWeakReference):
2795         * dfg/DFGPlan.cpp:
2796         (JSC::DFG::Plan::Plan):
2797         (JSC::DFG::Plan::reallyAdd):
2798         * dfg/DFGPlan.h:
2799         * dfg/DFGSpeculativeJIT32_64.cpp:
2800         (JSC::DFG::SpeculativeJIT::compile):
2801         * dfg/DFGSpeculativeJIT64.cpp:
2802         (JSC::DFG::SpeculativeJIT::compile):
2803         * runtime/WriteBarrier.h:
2804         (JSC::WriteBarrierBase::set):
2805         (JSC::WriteBarrier::WriteBarrier):
2806
2807 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2808
2809         Fix x86 32bits build after r154158
2810
2811         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
2812
2813 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2814
2815         Build fix attempt after r154156.
2816
2817         * jit/JITStubs.cpp:
2818         (JSC::cti_vm_handle_exception): encode!
2819
2820 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2821
2822         [JSC] x86: Use inc and dec when possible
2823         https://bugs.webkit.org/show_bug.cgi?id=119831
2824
2825         Reviewed by Geoffrey Garen.
2826
2827         When incrementing or decrementing by an immediate of 1, use the instructions
2828         inc and dec instead of add and sub.
2829         The instructions have good timing and their encoding is smaller.
2830
2831         * assembler/MacroAssemblerX86Common.h:
2832         (JSC::MacroAssemblerX86_64::add32):
2833         (JSC::MacroAssemblerX86_64::sub32):
2834         * assembler/MacroAssemblerX86_64.h:
2835         (JSC::MacroAssemblerX86_64::add64):
2836         (JSC::MacroAssemblerX86_64::sub64):
2837         * assembler/X86Assembler.h:
2838         (JSC::X86Assembler::dec_r):
2839         (JSC::X86Assembler::decq_r):
2840         (JSC::X86Assembler::inc_r):
2841         (JSC::X86Assembler::incq_r):
2842
2843 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2844
2845         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
2846         https://bugs.webkit.org/show_bug.cgi?id=119874
2847
2848         Reviewed by Oliver Hunt and Mark Hahnenberg.
2849         
2850         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
2851         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
2852         sometimes for typed array length accesses, and the FixupPhase assuming that a
2853         ForceExit ArrayMode means that it should continue using a generic GetById.
2854
2855         This fixes the confusion.
2856
2857         * dfg/DFGFixupPhase.cpp:
2858         (JSC::DFG::FixupPhase::fixupNode):
2859
2860 2013-08-15  Mark Lam  <mark.lam@apple.com>
2861
2862         Fix crash when performing activation tearoff.
2863         https://bugs.webkit.org/show_bug.cgi?id=119848
2864
2865         Reviewed by Oliver Hunt.
2866
2867         The activation tearoff crash was due to a bug in the baseline JIT.
2868         If we have a scenario where a baseline JIT frame calls an LLINT
2869         frame, an exception may be thrown while in the LLINT.
2870
2871         Interpreter::throwException() which handles the exception will unwind
2872         all frames until it finds a catcher or sees a host frame. When we
2873         return from the LLINT to the baseline JIT code, the baseline JIT code
2874         erroneously sets topCallFrame to the value in its call frame register,
2875         and starts unwinding the stack frames that have already been unwound.
2876
2877         The fix is:
2878         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2879            This is a more accurate description of what this runtime function
2880            is supposed to do, i.e. it handles the exception, which includes doing
2881            nothing (if there are no more frames to unwind).
2882         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
2883            set on it.
2884         3. Reload the call frame register from topCallFrame when we're
2885            returning from a callee and detect exception handling in progress.
2886
2887         * interpreter/Interpreter.cpp:
2888         (JSC::Interpreter::unwindCallFrame):
2889         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2890         (JSC::Interpreter::getStackTrace):
2891         * interpreter/Interpreter.h:
2892         (JSC::TopCallFrameSetter::TopCallFrameSetter):
2893         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2894         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2895         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2896         * jit/JIT.h:
2897         * jit/JITExceptions.cpp:
2898         (JSC::uncaughtExceptionHandler):
2899         - Convenience function to get the handler for uncaught exceptions.
2900         * jit/JITExceptions.h:
2901         * jit/JITInlines.h:
2902         (JSC::JIT::reloadCallFrameFromTopCallFrame):
2903         * jit/JITOpcodes32_64.cpp:
2904         (JSC::JIT::privateCompileCTINativeCall):
2905         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2906         * jit/JITStubs.cpp:
2907         (JSC::throwExceptionFromOpCall):
2908         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2909         (JSC::cti_vm_handle_exception):
2910         - Check for the case when there are no more frames to unwind.
2911         * jit/JITStubs.h:
2912         * jit/JITStubsARM.h:
2913         * jit/JITStubsARMv7.h:
2914         * jit/JITStubsMIPS.h:
2915         * jit/JITStubsSH4.h:
2916         * jit/JITStubsX86.h:
2917         * jit/JITStubsX86_64.h:
2918         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2919         * jit/SlowPathCall.h:
2920         (JSC::JITSlowPathCall::call):
2921         - Reload cfr from topCallFrame when handling an exception.
2922         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2923         * jit/ThunkGenerators.cpp:
2924         (JSC::nativeForGenerator):
2925         * llint/LowLevelInterpreter32_64.asm:
2926         * llint/LowLevelInterpreter64.asm:
2927         - Reload cfr from topCallFrame when handling an exception.
2928         * runtime/VM.cpp:
2929         (JSC::VM::VM):
2930         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2931
2932 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2933
2934         Remove some code duplication.
2935         
2936         Rubber stamped by Mark Hahnenberg.
2937
2938         * runtime/JSDataViewPrototype.cpp:
2939         (JSC::getData):
2940         (JSC::setData):
2941
2942 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
2943
2944         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
2945         https://bugs.webkit.org/show_bug.cgi?id=119794
2946
2947         Reviewed by Filip Pizlo.
2948
2949         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
2950
2951         * dfg/DFGUseKind.h:
2952         (JSC::DFG::isNumerical):
2953         (JSC::DFG::isDouble):
2954
2955 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2956
2957         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
2958
2959         Rubber stamped by Oliver Hunt.
2960         
2961         This was causing some test crashes for me.
2962
2963         * dfg/DFGCapabilities.cpp:
2964         (JSC::DFG::capabilityLevel):
2965
2966 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2967
2968         [Windows] Clear up improper export declaration.
2969
2970         * runtime/ArrayBufferView.h:
2971
2972 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2973
2974         Unreviewed, remove some unnecessary periods from exceptions.
2975
2976         * runtime/JSDataViewPrototype.cpp:
2977         (JSC::getData):
2978         (JSC::setData):
2979
2980 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2981
2982         Unreviewed, fix 32-bit build.
2983
2984         * dfg/DFGSpeculativeJIT32_64.cpp:
2985         (JSC::DFG::SpeculativeJIT::compile):
2986
2987 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
2988
2989         Typed arrays should be rewritten
2990         https://bugs.webkit.org/show_bug.cgi?id=119064
2991
2992         Reviewed by Oliver Hunt.
2993         
2994         Typed arrays were previously deficient in several major ways:
2995         
2996         - They were defined separately in WebCore and in the jsc shell. The two
2997           implementations were different, and the jsc shell one was basically wrong.
2998           The WebCore one was quite awful, also.
2999         
3000         - Typed arrays were not visible to the JIT except through some weird hooks.
3001           For example, the JIT could not ask "what is the Structure that this typed
3002           array would have if I just allocated it from this global object". Also,
3003           it was difficult to wire any of the typed array intrinsics, because most
3004           of the functionality wasn't visible anywhere in JSC.
3005         
3006         - Typed array allocation was brain-dead. Allocating a typed array involved
3007           two JS objects, two GC weak handles, and three malloc allocations.
3008         
3009         - Neutering. It involved keeping tabs on all native views but not the view
3010           wrappers, even though the native views can autoneuter just by asking the
3011           buffer if it was neutered anytime you touch them; while the JS view
3012           wrappers are the ones that you really want to reach out to.
3013         
3014         - Common case-ing. Most typed arrays have one buffer and one view, and
3015           usually nobody touches the buffer. Yet we created all of that stuff
3016           anyway, using data structures optimized for the case where you had a lot
3017           of views.
3018         
3019         - Semantic goofs. Typed arrays should, in the future, behave like ES
3020           features rather than DOM features, for example when it comes to exceptions.
3021           Firefox already does this and I agree with them.
3022         
3023         This patch cleanses our codebase of these sins:
3024         
3025         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
3026           management of native references to buffers is left to WebCore.
3027         
3028         - Allocating a typed array requires either two GC allocations (a cell and a
3029           copied storage vector) or one GC allocation, a malloc allocation, and a
3030           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
3031           latter). The latter is only used for oversize arrays. Remember that before
3032           it was 7 allocations no matter what.
3033         
3034         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
3035           mode/length, void* vector. Before it was a lot more than that - remember,
3036           there were five additional objects that did absolutely nothing for anybody.
3037         
3038         - Native views aren't tracked by the buffer, or by the wrappers. They are
3039           transient. In the future we'll probably switch to not even having them be
3040           malloc'd.
3041         
3042         - Native array buffers have an efficient way of tracking all of their JS view
3043           wrappers, both for neutering, and for lifecycle management. The GC
3044           special-cases native array buffers. This saves a bunch of grief; for example
3045           it means that a JS view wrapper can refer to its buffer via the butterfly,
3046           which would be dead by the time we went to finalize.
3047         
3048         - Typed array semantics now match Firefox, which also happens to be where the
3049           standards are going. The discussion on webkit-dev seemed to confirm that
3050           Chrome is also heading in this direction. This includes making
3051           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
3052           ArrayBufferView as a JS-visible construct.
3053         
3054         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
3055         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
3056         further typed array optimizations in the JSC JITs, including inlining typed
3057         array allocation, inlining more of the accessors, reducing the cost of type
3058         checks, etc.
3059         
3060         An additional property of this patch is that typed arrays are mostly
3061         implemented using templates. This deduplicates a bunch of code, but does mean
3062         that we need some hacks for exporting s_info's of template classes. See
3063         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
3064         low-impact compared to code duplication.
3065         
3066         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
3067
3068         * CMakeLists.txt:
3069         * DerivedSources.make:
3070         * GNUmakefile.list.am:
3071         * JSCTypedArrayStubs.h: Removed.
3072         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3073         * JavaScriptCore.xcodeproj/project.pbxproj:
3074         * Target.pri:
3075         * bytecode/ByValInfo.h:
3076         (JSC::hasOptimizableIndexingForClassInfo):
3077         (JSC::jitArrayModeForClassInfo):
3078         (JSC::typedArrayTypeForJITArrayMode):
3079         * bytecode/SpeculatedType.cpp:
3080         (JSC::speculationFromClassInfo):
3081         * dfg/DFGArrayMode.cpp:
3082         (JSC::DFG::toTypedArrayType):
3083         * dfg/DFGArrayMode.h:
3084         (JSC::DFG::ArrayMode::typedArrayType):
3085         * dfg/DFGSpeculativeJIT.cpp:
3086         (JSC::DFG::SpeculativeJIT::checkArray):
3087         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3088         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3089         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3090         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
3091         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3092         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3093         * dfg/DFGSpeculativeJIT.h:
3094         * dfg/DFGSpeculativeJIT32_64.cpp:
3095         (JSC::DFG::SpeculativeJIT::compile):
3096         * dfg/DFGSpeculativeJIT64.cpp:
3097         (JSC::DFG::SpeculativeJIT::compile):
3098         * heap/CopyToken.h:
3099         * heap/DeferGC.h:
3100         (JSC::DeferGCForAWhile::DeferGCForAWhile):
3101         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
3102         * heap/GCIncomingRefCounted.h: Added.
3103         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
3104         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
3105         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
3106         (JSC::GCIncomingRefCounted::incomingReferenceAt):
3107         (JSC::GCIncomingRefCounted::singletonFlag):
3108         (JSC::GCIncomingRefCounted::hasVectorOfCells):
3109         (JSC::GCIncomingRefCounted::hasAnyIncoming):
3110         (JSC::GCIncomingRefCounted::hasSingleton):
3111         (JSC::GCIncomingRefCounted::singleton):
3112         (JSC::GCIncomingRefCounted::vectorOfCells):
3113         * heap/GCIncomingRefCountedInlines.h: Added.
3114         (JSC::::addIncomingReference):
3115         (JSC::::filterIncomingReferences):
3116         * heap/GCIncomingRefCountedSet.h: Added.
3117         (JSC::GCIncomingRefCountedSet::size):
3118         * heap/GCIncomingRefCountedSetInlines.h: Added.
3119         (JSC::::GCIncomingRefCountedSet):
3120         (JSC::::~GCIncomingRefCountedSet):
3121         (JSC::::addReference):
3122         (JSC::::sweep):
3123         (JSC::::removeAll):
3124         (JSC::::removeDead):
3125         * heap/Heap.cpp:
3126         (JSC::Heap::addReference):
3127         (JSC::Heap::extraSize):
3128         (JSC::Heap::size):
3129         (JSC::Heap::capacity):
3130         (JSC::Heap::collect):
3131         (JSC::Heap::decrementDeferralDepth):
3132         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
3133         * heap/Heap.h:
3134         * interpreter/CallFrame.h:
3135         (JSC::ExecState::dataViewTable):
3136         * jit/JIT.h:
3137         * jit/JITPropertyAccess.cpp:
3138         (JSC::JIT::privateCompileGetByVal):
3139         (JSC::JIT::privateCompilePutByVal):
3140         (JSC::JIT::emitIntTypedArrayGetByVal):
3141         (JSC::JIT::emitFloatTypedArrayGetByVal):
3142         (JSC::JIT::emitIntTypedArrayPutByVal):
3143         (JSC::JIT::emitFloatTypedArrayPutByVal):
3144         * jsc.cpp:
3145         (GlobalObject::finishCreation):
3146         * runtime/ArrayBuffer.cpp:
3147         (JSC::ArrayBuffer::transfer):
3148         * runtime/ArrayBuffer.h:
3149         (JSC::ArrayBuffer::createAdopted):
3150         (JSC::ArrayBuffer::ArrayBuffer):
3151         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
3152         (JSC::ArrayBuffer::pin):
3153         (JSC::ArrayBuffer::unpin):
3154         (JSC::ArrayBufferContents::tryAllocate):
3155         * runtime/ArrayBufferView.cpp:
3156         (JSC::ArrayBufferView::ArrayBufferView):
3157         (JSC::ArrayBufferView::~ArrayBufferView):
3158         (JSC::ArrayBufferView::setNeuterable):
3159         * runtime/ArrayBufferView.h:
3160         (JSC::ArrayBufferView::isNeutered):
3161         (JSC::ArrayBufferView::buffer):
3162         (JSC::ArrayBufferView::baseAddress):
3163         (JSC::ArrayBufferView::byteOffset):
3164         (JSC::ArrayBufferView::verifySubRange):
3165         (JSC::ArrayBufferView::clampOffsetAndNumElements):
3166         (JSC::ArrayBufferView::calculateOffsetAndLength):
3167         * runtime/ClassInfo.h:
3168         * runtime/CommonIdentifiers.h:
3169         * runtime/DataView.cpp: Added.
3170         (JSC::DataView::DataView):
3171         (JSC::DataView::create):
3172         (JSC::DataView::wrap):
3173         * runtime/DataView.h: Added.
3174         (JSC::DataView::byteLength):
3175         (JSC::DataView::getType):
3176         (JSC::DataView::get):
3177         (JSC::DataView::set):
3178         * runtime/Float32Array.h:
3179         * runtime/Float64Array.h:
3180         * runtime/GenericTypedArrayView.h: Added.
3181         (JSC::GenericTypedArrayView::data):
3182         (JSC::GenericTypedArrayView::set):
3183         (JSC::GenericTypedArrayView::setRange):
3184         (JSC::GenericTypedArrayView::zeroRange):
3185         (JSC::GenericTypedArrayView::zeroFill):
3186         (JSC::GenericTypedArrayView::length):
3187         (JSC::GenericTypedArrayView::byteLength):
3188         (JSC::GenericTypedArrayView::item):
3189         (JSC::GenericTypedArrayView::checkInboundData):
3190         (JSC::GenericTypedArrayView::getType):
3191         * runtime/GenericTypedArrayViewInlines.h: Added.
3192         (JSC::::GenericTypedArrayView):
3193         (JSC::::create):
3194         (JSC::::createUninitialized):
3195         (JSC::::subarray):
3196         (JSC::::wrap):
3197         * runtime/IndexingHeader.h:
3198         (JSC::IndexingHeader::arrayBuffer):
3199         (JSC::IndexingHeader::setArrayBuffer):
3200         * runtime/Int16Array.h:
3201         * runtime/Int32Array.h:
3202         * runtime/Int8Array.h:
3203         * runtime/JSArrayBuffer.cpp: Added.
3204         (JSC::JSArrayBuffer::JSArrayBuffer):
3205         (JSC::JSArrayBuffer::finishCreation):
3206         (JSC::JSArrayBuffer::create):
3207         (JSC::JSArrayBuffer::createStructure):
3208         (JSC::JSArrayBuffer::getOwnPropertySlot):
3209         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
3210         (JSC::JSArrayBuffer::put):
3211         (JSC::JSArrayBuffer::defineOwnProperty):
3212         (JSC::JSArrayBuffer::deleteProperty):
3213         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
3214         * runtime/JSArrayBuffer.h: Added.
3215         (JSC::JSArrayBuffer::impl):
3216         (JSC::toArrayBuffer):
3217         * runtime/JSArrayBufferConstructor.cpp: Added.
3218         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
3219         (JSC::JSArrayBufferConstructor::finishCreation):
3220         (JSC::JSArrayBufferConstructor::create):
3221         (JSC::JSArrayBufferConstructor::createStructure):
3222         (JSC::constructArrayBuffer):
3223         (JSC::JSArrayBufferConstructor::getConstructData):
3224         (JSC::JSArrayBufferConstructor::getCallData):
3225         * runtime/JSArrayBufferConstructor.h: Added.
3226         * runtime/JSArrayBufferPrototype.cpp: Added.
3227         (JSC::arrayBufferProtoFuncSlice):
3228         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
3229         (JSC::JSArrayBufferPrototype::finishCreation):
3230         (JSC::JSArrayBufferPrototype::create):
3231         (JSC::JSArrayBufferPrototype::createStructure):
3232         * runtime/JSArrayBufferPrototype.h: Added.
3233         * runtime/JSArrayBufferView.cpp: Added.
3234         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3235         (JSC::JSArrayBufferView::JSArrayBufferView):
3236         (JSC::JSArrayBufferView::finishCreation):
3237         (JSC::JSArrayBufferView::getOwnPropertySlot):
3238         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
3239         (JSC::JSArrayBufferView::put):
3240         (JSC::JSArrayBufferView::defineOwnProperty):
3241         (JSC::JSArrayBufferView::deleteProperty):
3242         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
3243         (JSC::JSArrayBufferView::finalize):
3244         * runtime/JSArrayBufferView.h: Added.
3245         (JSC::JSArrayBufferView::sizeOf):
3246         (JSC::JSArrayBufferView::ConstructionContext::operator!):
3247         (JSC::JSArrayBufferView::ConstructionContext::structure):
3248         (JSC::JSArrayBufferView::ConstructionContext::vector):
3249         (JSC::JSArrayBufferView::ConstructionContext::length):
3250         (JSC::JSArrayBufferView::ConstructionContext::mode):
3251         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
3252         (JSC::JSArrayBufferView::mode):
3253         (JSC::JSArrayBufferView::vector):
3254         (JSC::JSArrayBufferView::length):
3255         (JSC::JSArrayBufferView::offsetOfVector):
3256         (JSC::JSArrayBufferView::offsetOfLength):
3257         (JSC::JSArrayBufferView::offsetOfMode):
3258         * runtime/JSArrayBufferViewInlines.h: Added.
3259         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
3260         (JSC::JSArrayBufferView::buffer):
3261         (JSC::JSArrayBufferView::impl):
3262         (JSC::JSArrayBufferView::neuter):
3263         (JSC::JSArrayBufferView::byteOffset):
3264         * runtime/JSCell.cpp:
3265         (JSC::JSCell::slowDownAndWasteMemory):
3266         (JSC::JSCell::getTypedArrayImpl):
3267         * runtime/JSCell.h:
3268         * runtime/JSDataView.cpp: Added.
3269         (JSC::JSDataView::JSDataView):
3270         (JSC::JSDataView::create):
3271         (JSC::JSDataView::createUninitialized):
3272         (JSC::JSDataView::set):
3273         (JSC::JSDataView::typedImpl):
3274         (JSC::JSDataView::getOwnPropertySlot):
3275         (JSC::JSDataView::getOwnPropertyDescriptor):
3276         (JSC::JSDataView::slowDownAndWasteMemory):
3277         (JSC::JSDataView::getTypedArrayImpl):
3278         (JSC::JSDataView::createStructure):
3279         * runtime/JSDataView.h: Added.
3280         * runtime/JSDataViewPrototype.cpp: Added.
3281         (JSC::JSDataViewPrototype::JSDataViewPrototype):
3282         (JSC::JSDataViewPrototype::create):
3283         (JSC::JSDataViewPrototype::createStructure):
3284         (JSC::JSDataViewPrototype::getOwnPropertySlot):
3285         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
3286         (JSC::getData):
3287         (JSC::setData):
3288         (JSC::dataViewProtoFuncGetInt8):
3289         (JSC::dataViewProtoFuncGetInt16):
3290         (JSC::dataViewProtoFuncGetInt32):
3291         (JSC::dataViewProtoFuncGetUint8):
3292         (JSC::dataViewProtoFuncGetUint16):
3293         (JSC::dataViewProtoFuncGetUint32):
3294         (JSC::dataViewProtoFuncGetFloat32):
3295         (JSC::dataViewProtoFuncGetFloat64):
3296         (JSC::dataViewProtoFuncSetInt8):
3297         (JSC::dataViewProtoFuncSetInt16):
3298         (JSC::dataViewProtoFuncSetInt32):
3299         (JSC::dataViewProtoFuncSetUint8):
3300         (JSC::dataViewProtoFuncSetUint16):
3301         (JSC::dataViewProtoFuncSetUint32):
3302         (JSC::dataViewProtoFuncSetFloat32):
3303         (JSC::dataViewProtoFuncSetFloat64):
3304         * runtime/JSDataViewPrototype.h: Added.
3305         * runtime/JSFloat32Array.h: Added.
3306         * runtime/JSFloat64Array.h: Added.
3307         * runtime/JSGenericTypedArrayView.h: Added.
3308         (JSC::JSGenericTypedArrayView::byteLength):
3309         (JSC::JSGenericTypedArrayView::byteSize):
3310         (JSC::JSGenericTypedArrayView::typedVector):
3311         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
3312         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
3313         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
3314         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
3315         (JSC::JSGenericTypedArrayView::getIndexQuickly):
3316         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
3317         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
3318         (JSC::JSGenericTypedArrayView::setIndexQuickly):
3319         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
3320         (JSC::JSGenericTypedArrayView::typedImpl):
3321         (JSC::JSGenericTypedArrayView::createStructure):
3322         (JSC::JSGenericTypedArrayView::info):
3323         (JSC::toNativeTypedView):
3324         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
3325         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
3326         (JSC::::JSGenericTypedArrayViewConstructor):
3327         (JSC::::finishCreation):
3328         (JSC::::create):
3329         (JSC::::createStructure):
3330         (JSC::constructGenericTypedArrayView):
3331         (JSC::::getConstructData):
3332         (JSC::::getCallData):
3333         * runtime/JSGenericTypedArrayViewInlines.h: Added.
3334         (JSC::::JSGenericTypedArrayView):
3335         (JSC::::create):
3336         (JSC::::createUninitialized):
3337         (JSC::::validateRange):
3338         (JSC::::setWithSpecificType):
3339         (JSC::::set):
3340         (JSC::::getOwnPropertySlot):
3341         (JSC::::getOwnPropertyDescriptor):
3342         (JSC::::put):
3343         (JSC::::defineOwnProperty):
3344         (JSC::::deleteProperty):
3345         (JSC::::getOwnPropertySlotByIndex):
3346         (JSC::::putByIndex):
3347         (JSC::::deletePropertyByIndex):
3348         (JSC::::getOwnNonIndexPropertyNames):
3349         (JSC::::getOwnPropertyNames):
3350         (JSC::::visitChildren):
3351         (JSC::::copyBackingStore):
3352         (JSC::::slowDownAndWasteMemory):