0fa5383dbc267f65cb9fc638926c22dfffb6f785
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2012-12-20  Oliver Hunt  <oliver@apple.com>

        Finally found the problem.  Using the wrong JSContextGroup.

        * API/tests/testapi.c:
        (main):

2012-12-20  Oliver Hunt  <oliver@apple.com>

        Try to convince bots to be happy with testapi.

        * API/JSScriptRefPrivate.h:

2012-12-20  Michael Saboff  <msaboff@apple.com>

        JIT: Change uninitialized pointer value -1 to constant
        https://bugs.webkit.org/show_bug.cgi?id=105576

        Rubber stamped by Gavin Barraclough.

        Changed the use of -1 as a pointer value in the JITs to be the constant unusedPointer defined in the
        new file jit/UnusedPointer.h.  Made its value 0xd1e7beef, which is a bad pointer on most architectures
        because it is odd, and to distinguish it from other common values.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::clearToUnusedPointer):
        (JSC::JITWriteBarrierBase::get):
        * jit/UnusedPointer.h: Added.

2012-12-20  Filip Pizlo  <fpizlo@apple.com>

        DFG shouldn't emit CheckStructure on array accesses if exit profiling tells it not to
        https://bugs.webkit.org/show_bug.cgi?id=105577

        Reviewed by Mark Hahnenberg.

        I don't know why this wasn't there from the beginning.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):

2012-12-19  Filip Pizlo  <fpizlo@apple.com>

        DFG speculation checks that take JumpList should consolidate OSRExits
        https://bugs.webkit.org/show_bug.cgi?id=105401

        Reviewed by Oliver Hunt.

        Change OSRExitCompilationInfo to always contain a JumpList, and change JumpList
        to be more compact. This way, a speculationCheck that takes a JumpList only has
        to emit one OSRExit structure, and one OSRExit landing pad.

        The downside is that we get less precise information about *where* we exited
        from. So, this also includes changes to the profiler to be more relaxed about
        what an ExitSite is.

        * assembler/AbstractMacroAssembler.h:
        (JumpList):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (DFG):
        (JSC::DFG::JITCompiler::appendExitInfo):
        (JITCompiler):
        * dfg/DFGOSRExitCompilationInfo.h:
        (OSRExitCompilationInfo):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addOSRExitSite):
        * profiler/ProfilerCompilation.h:
        (Compilation):
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS):
        * profiler/ProfilerOSRExitSite.h:
        (JSC::Profiler::OSRExitSite::OSRExitSite):
        (JSC::Profiler::OSRExitSite::codeAddress):
        (OSRExitSite):

2012-12-19  Oliver Hunt  <oliver@apple.com>

        Fix some incorrect tests in testapi.c

        Reviewed by Simon Fraser.

        * API/tests/testapi.c:
        (main):

2012-12-19  Filip Pizlo  <fpizlo@apple.com>

        JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn..., and should never be called when the 'this' is not an object
        https://bugs.webkit.org/show_bug.cgi?id=105468

        Reviewed by Mark Hahnenberg, Oliver Hunt, and Gavin Barraclough.

        Changed JSObject::ensure<IndexingType> methods to gracefully handle
        InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero. Most of them handle it by returning
        null as a result of indexingShouldBeSparse() returning true, while ensureArrayStorage handles it
        by entering dictionary indexing mode, which forces the object to behave correctly even if there
        is proxying or weird prototype stuff going on.

        Changed DFGOperations entrypoints to reject non-objects, so that JSObject doesn't have to deal
        with pretending to be JSString. In particular, this would go wrong in the ArrayStorage case
        since we'd try to resize a butterfly on a JSString, but JSString has something other than
        m_butterfly at that offset.

        Finally, removed all InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero from JIT code
        since those are now redundant.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        * runtime/JSObject.h:
        (JSObject):

2012-12-19  Oliver Hunt  <oliver@apple.com>

        Tidy up JSScriptRef API
        https://bugs.webkit.org/show_bug.cgi?id=105470

        Reviewed by Anders Carlsson.

        People found the API's use of a context confusing, so we'll switch to a JSContextGroup based
        API, and drop a number of the unnecessary uses of contexts.

        * API/JSScriptRef.cpp:
        (OpaqueJSScript::globalData):
        (parseScript):
        * API/JSScriptRefPrivate.h:
        * API/tests/testapi.c:
        (main):

2012-12-19  Alexis Menard  <alexis@webkit.org>

        Implement CSS parsing for CSS transitions unprefixed.
        https://bugs.webkit.org/show_bug.cgi?id=104804

        Reviewed by Dean Jackson.

        Add a new flag ENABLE_CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
        to cover the work of unprefixing Transforms, Animations and
        Transitions. It will give each port the possibility to turn it off
        in their release branches until we're confident that these CSS
        properties are ready to be unprefixed.

        * Configurations/FeatureDefines.xcconfig:

2012-12-18  Filip Pizlo  <fpizlo@apple.com>

        Proxies should set InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero
        https://bugs.webkit.org/show_bug.cgi?id=105379

        Reviewed by Gavin Barraclough.

        Forgetting to set this flag led to the DFG trying to ensure array storage on a proxy. I've
        now hardened the code with a release assertion as well as fixing the bug. A release assertion
        is appropriate here since this is slow-path code.

        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlowNoCheck):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        * runtime/JSObject.h:
        (JSObject):
        * runtime/JSProxy.h:
        (JSProxy):

2012-12-18  Oliver Hunt  <oliver@apple.com>

        Add a JSScriptRef API to JSC so that we can allow API users to avoid the full cost of reparsing every time they execute a script.
        https://bugs.webkit.org/show_bug.cgi?id=105340

        Reviewed by Gavin Barraclough.

        This patch adds a (currently private) API to allow users of the JSC API to create a JSScript object
        that references a reusable version of the script that they wish to evaluate.  This can help us avoid
        numerous copies that are otherwise induced by our existing API and gives us an opaque object that we
        can hang various caches off.  Currently this is simply a simple SourceProvider, but in future we may
        be able to add more caching without requiring new/replacement APIs.

        * API/JSScriptRef.cpp: Added.
        * API/JSScriptRefPrivate.h: Added.
        * API/tests/testapi.c:
          Add tests for new APIs.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-12-18  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode incorrectly checks for non-array array storage when it should be checking for array array storage
        https://bugs.webkit.org/show_bug.cgi?id=105365

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):

2012-12-18  Filip Pizlo  <fpizlo@apple.com>

        SunSpider/date-format-tofte shouldn't compile each of the tiny worthless eval's only to OSR exit in the prologue every time
        https://bugs.webkit.org/show_bug.cgi?id=105335

        Reviewed by Geoffrey Garen.

        The first thing I did was restructure the logic of canInlineResolveOperations(),
        because I didn't understand it. This was relevant because the OSR exits are
        caused by a resolve that the DFG cannot handle.

        I was then going to make it so that we didn't compile the resolve at all, but
        realized that this would not be the best fix: it didn't seem sensible to me to
        be optimizing these evals after only 60 invocations. Evals should have a higher
        threshold, since they often contain code for which the baseline JIT does a
        pretty good job already (if all you've got is a single heap access or a single
        hard-to-inline call, then the baseline JIT has got you covered), and typically
        if we see one eval code block we expect to see more (from the same eval site):
        so our typical low threshold could lead to a *lot* of compilation. As such, the
        main effect of this patch is to introduce an evalThresholdMultiplier, which is
        now set to 10.

        This is a ~5% speed-up on date-format-tofte. No regressions anywhere as far as
        I can see.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::codeTypeThresholdMultiplier):
        (JSC):
        (JSC::CodeBlock::optimizationThresholdScalingFactor):
        (JSC::CodeBlock::exitCountThresholdForReoptimization):
        (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):
        * dfg/DFGOSRExitCompiler.cpp:
        * runtime/Options.h:
        (JSC):

2012-12-18  Filip Pizlo  <fpizlo@apple.com>

        Convert indexingTypeToString to IndexingTypeDump
        https://bugs.webkit.org/show_bug.cgi?id=105351

        Reviewed by Mark Hahnenberg.

        This gets rid of another case of static char buffer[thingy].

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * runtime/IndexingType.cpp:
        (JSC::dumpIndexingType):
        * runtime/IndexingType.h:
        (JSC):
        * runtime/JSValue.cpp:
        (JSC::JSValue::dump):

2012-12-18  Beth Dakin  <bdakin@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=102579
        [mac] Enable scaled cursors

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2012-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Restrictions on oversize CopiedBlock allocations should be relaxed
        https://bugs.webkit.org/show_bug.cgi?id=105339

        Reviewed by Filip Pizlo.

        Currently the DFG has a single branch in the inline allocation path for property/array storage where
        it checks to see if the number of bytes requested will fit in the current block. This does not match
        what the C++ allocation path does; it checks if the requested number of bytes is oversize, and then
        if it's not, it tries to fit it in the current block. The garbage collector assumes that ALL allocations
        that are greater than 16KB are in oversize blocks. Therefore, this mismatch can lead to crashes when
        the collector tries to perform some operation on a CopiedBlock.

        To avoid adding an extra branch to the inline allocation path in the JIT, we should make it so that
        oversize blocks are allocated on the same alignment boundaries so that there is a single mask to find
        the block header of any CopiedBlock (rather than two, one for normal and one for oversize blocks), and
        we should figure out if a block is oversize by some other method than just whatever the JSObject says
        it is. One way we could record this info is in the Region of the block, since we allocate a one-off Region for
        oversize blocks.

        * heap/BlockAllocator.h:
        (JSC::Region::isCustomSize):
        (Region):
        (JSC::Region::createCustomSize):
        (JSC::Region::Region):
        (JSC::BlockAllocator::deallocateCustomSize):
        * heap/CopiedBlock.h:
        (CopiedBlock):
        (JSC::CopiedBlock::isOversize):
        (JSC):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocate):
        (JSC::CopiedSpace::tryReallocateOversize):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::contains):
        (JSC::CopiedSpace::tryAllocate):
        (JSC):
        * heap/CopyVisitor.h:
        (CopyVisitor):
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::checkIfShouldCopy):
        (JSC::CopyVisitor::didCopy):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):

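The following is an added model of the mismatch this entry describes, written for this page; it is not JSC's allocator, and the 32 KB block size is an assumption (the 16 KB oversize limit is the one the entry states). The inline path has only a "does it fit" branch, the C++ path tests for oversize first, and a collector that infers "oversize" from the requested size alone disagrees with the inline path; a collector that asks the block's own metadata, as the entry proposes, gets one answer on either path.

```cpp
#include <cstddef>

// Assumed sizes for this model (not taken from the page): a normal block holds
// 32 KB, and the collector treats any allocation over 16 KB as oversize.
constexpr std::size_t kBlockSize = 32 * 1024;
constexpr std::size_t kMaxNormalAllocation = 16 * 1024;

enum class Placement { Normal, Oversize };

struct Block {
    bool isOversize = false;              // metadata the Region would record
    std::size_t remaining = kBlockSize;   // free bytes left for bump allocation
};

struct Heap {
    Block current;                        // the block the inline path bumps into
};

// Where the bytes actually went, plus what the block itself says about it.
struct Result {
    Placement placement;
    bool blockFlag;
};

// The collector's assumption as stated in the entry: "oversize" is a pure
// function of the requested size.
Placement collectorExpects(std::size_t bytes) {
    return bytes > kMaxNormalAllocation ? Placement::Oversize : Placement::Normal;
}

// Model of the C++ allocation path: oversize test first, then bump-allocate,
// starting a fresh normal block when the current one is full.
Result cxxAllocate(Heap& heap, std::size_t bytes) {
    if (bytes > kMaxNormalAllocation)
        return {Placement::Oversize, true};          // one-off Region, flagged
    if (bytes > heap.current.remaining)
        heap.current = Block{};
    heap.current.remaining -= bytes;
    return {Placement::Normal, heap.current.isOversize};
}

// Model of the JIT inline path before the fix: a single "does it fit" branch;
// only a miss reaches the C++ path and its oversize check.
Result jitInlineAllocate(Heap& heap, std::size_t bytes) {
    if (bytes <= heap.current.remaining) {
        heap.current.remaining -= bytes;
        return {Placement::Normal, heap.current.isOversize};
    }
    return cxxAllocate(heap, bytes);
}

// View 1: the collector infers oversize from the size. Breaks on the inline path.
bool sizeViewAgrees(const Result& r, std::size_t bytes) {
    return r.placement == collectorExpects(bytes);
}

// View 2: the collector asks the block's own metadata. Agrees on either path.
bool blockViewAgrees(const Result& r) {
    return r.blockFlag == (r.placement == Placement::Oversize);
}

// The scenario from the entry: a 20 KB request while the current block has room.
bool inlinePathBreaksSizeView() {
    Heap heap;
    return !sizeViewAgrees(jitInlineAllocate(heap, 20 * 1024), 20 * 1024);
}

bool cxxPathKeepsSizeView() {
    Heap heap;
    return sizeViewAgrees(cxxAllocate(heap, 20 * 1024), 20 * 1024);
}

bool blockViewHoldsOnBothPaths() {
    Heap a, b;
    return blockViewAgrees(jitInlineAllocate(a, 20 * 1024))
        && blockViewAgrees(cxxAllocate(b, 20 * 1024));
}
```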
2012-12-18  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Add Build Phase to Check Headers for Inappropriate Macros (Platform.h macros)
        https://bugs.webkit.org/show_bug.cgi?id=104279

        Reviewed by David Kilzer.

        Add a build phase to check the public JavaScriptCore headers for
        inappropriate macros.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-12-18  Michael Saboff  <msaboff@apple.com>

        [Qt] Fix the ARMv7 build after r137976
        https://bugs.webkit.org/show_bug.cgi?id=105270

        Reviewed by Csaba Osztrogonác.

        Add default value for Jump parameter to fix build.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump::Jump):

2012-12-17  Geoffrey Garen  <ggaren@apple.com>

        Constant fold !{number} in the parser
        https://bugs.webkit.org/show_bug.cgi?id=105232

        Reviewed by Filip Pizlo.

        Typically, we wait for hot execution and constant fold in the DFG.
        However, !0 and !1 are common enough in minifiers that it can be good
        to get them out of the way early, for faster/smaller parsing and startup.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createLogicalNot): !{literal} is super simple, especially
        since there's no literal form of NaN or Inf.

2012-12-17  Filip Pizlo  <fpizlo@apple.com>

        DFG is too aggressive eliding overflow checks for additions involving large constants
        https://bugs.webkit.org/show_bug.cgi?id=105239

        Reviewed by Gavin Barraclough.

        If we elide overflow checks on an addition (or subtraction) involving a larger-than-2^32 immediate,
        then make sure that the non-constant child of the addition knows that he's got to do an overflow
        check, by flowing the UsedAsNumber property at him.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (Graph):
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-12-17  Michael Saboff  <msaboff@apple.com>

        DFG: Refactor DFGCorrectableJumpPoint to reduce size of OSRExit data
        https://bugs.webkit.org/show_bug.cgi?id=105237

        Reviewed by Filip Pizlo.

        Replaced DFGCorrectableJumpPoint with OSRExitCompilationInfo which is used and kept alive only while we are
        compiling in the DFG.  Moved the patchable branch offset directly into OSRExit.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        * dfg/DFGCorrectableJumpPoint.cpp: Removed.
        * dfg/DFGCorrectableJumpPoint.h: Removed.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendExitJump):
        (JITCompiler):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump):
        (JSC::DFG::OSRExit::codeLocationForRepatch):
        (JSC::DFG::OSRExit::correctJump):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompilationInfo.h: Added.
        (OSRExitCompilationInfo):
        (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
        (JSC::DFG::OSRExitCompilationInfo::failureJump):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):

2012-12-17  Filip Pizlo  <fpizlo@apple.com>

        DFG is too aggressive with eliding overflow checks in loops
        https://bugs.webkit.org/show_bug.cgi?id=105226

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        If we see a variable's live range cross basic block boundaries, conservatively assume that it may
        be part of a data-flow back-edge, and as a result, we may have entirely integer operations that
        could lead to the creation of an integer that is out of range of 2^52 (the significand of a double
        float). This does not seem to regress any of the benchmarks we care about, and it fixes the bug.

        In future we may want to actually look at whether or not there was a data-flow back-edge instead
        of being super conservative about it. But we have no evidence, yet, that this would help us on
        real code.

        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-12-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Butterfly::growArrayRight shouldn't be called on null Butterfly objects
        https://bugs.webkit.org/show_bug.cgi?id=105221

        Reviewed by Filip Pizlo.

        Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly
        objects purely by coincidence. We should add a new static function that null checks the old
        Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for
        use in the couple of places in JSObject that expect such behavior to work.

        * runtime/Butterfly.h:
        (Butterfly):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):

2012-12-17  Filip Pizlo  <fpizlo@apple.com>

        javascript integer overflow
        https://bugs.webkit.org/show_bug.cgi?id=104967

        Reviewed by Mark Hahnenberg.

        Fix PutScopedVar backward flow.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-12-16  Filip Pizlo  <fpizlo@apple.com>

        Rationalize array profiling for out-of-bounds and hole cases
        https://bugs.webkit.org/show_bug.cgi?id=105139

        Reviewed by Geoffrey Garen.

        This makes ArrayProfile track whether or not we had out-of-bounds, which allows
        for more precise decision-making in the DFG.

        Also cleaned up ExitKinds for out-of-bounds and hole cases to make it easier to
        look at them in the profiler.

        Slight speed-up (5-8%) on SunSpider/crypto-md5.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescription):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfOutOfBounds):
        (JSC::ArrayProfile::expectedStructure):
        (JSC::ArrayProfile::structureIsPolymorphic):
        (JSC::ArrayProfile::outOfBounds):
        (JSC::ArrayProfile::polymorphicStructure):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpChain):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        (JSC::exitKindIsCountable):
        * bytecode/ExitKind.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-12-17  Balazs Kilvady  <kilvadyb@homejinni.com>

        Implement add64 for MIPS assembler after r136601
        https://bugs.webkit.org/show_bug.cgi?id=104106

        Reviewed by Zoltan Herczeg.

        Added add64 function to MacroAssembler of MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (JSC::MacroAssemblerMIPS::add64):
        (MacroAssemblerMIPS):

2012-12-17  Jonathan Liu  <net147@gmail.com>

        Fix Math.pow implementation with MinGW-w64
        https://bugs.webkit.org/show_bug.cgi?id=105087

        Reviewed by Simon Hausmann.

        The MinGW-w64 runtime has different behaviour for pow()
        compared to other C runtimes. This results in the following
        test262 tests failing with the latest MinGW-w64 runtime:
        - S15.8.2.13_A14
        - S15.8.2.13_A16
        - S15.8.2.13_A20
        - S15.8.2.13_A22

        Handle the special cases that are different with MinGW-w64.

        * runtime/MathObject.cpp:
        (JSC::mathPow):

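The entry says only that MinGW-w64's pow() disagrees with other C runtimes on some special cases and that mathPow now handles them; it does not list the cases. As an added illustration for this page (not WebKit's mathPow), the wrapper below decides every NaN, zero and infinite-operand case that ECMAScript 5.1 section 15.8.2.13 specifies before the C runtime's pow() is consulted, so the result of Math.pow no longer depends on which libm happens to be linked.

```cpp
#include <cmath>

// True when y is a finite odd integer. fmod is exact for doubles, and every
// double with |y| >= 2^53 is an even integer, so no overflow handling is needed.
bool isOddInteger(double y) {
    return std::isfinite(y) && y == std::floor(y) && std::fmod(y, 2.0) != 0.0;
}

// Math.pow per ECMAScript 5.1 section 15.8.2.13. Only the ordinary case
// (finite non-zero base, finite non-zero exponent) reaches the C runtime.
double esPow(double x, double y) {
    if (std::isnan(y)) return NAN;
    if (y == 0.0) return 1.0;                           // +0 or -0 exponent, even for NaN base
    if (std::isnan(x)) return NAN;
    if (std::isinf(y)) {
        double ax = std::fabs(x);
        if (ax == 1.0) return NAN;                      // ES requires NaN; C99 returns 1
        if (ax > 1.0) return y > 0.0 ? INFINITY : 0.0;
        return y > 0.0 ? 0.0 : INFINITY;                // |x| < 1
    }
    if (std::isinf(x)) {
        if (x > 0.0) return y > 0.0 ? INFINITY : 0.0;
        if (y > 0.0) return isOddInteger(y) ? -INFINITY : INFINITY;   // x is -Infinity
        return isOddInteger(y) ? -0.0 : 0.0;
    }
    if (x == 0.0) {
        bool negativeZero = std::signbit(x);
        if (y > 0.0) return (negativeZero && isOddInteger(y)) ? -0.0 : 0.0;
        return (negativeZero && isOddInteger(y)) ? -INFINITY : INFINITY;
    }
    if (x < 0.0 && y != std::floor(y)) return NAN;      // negative base, non-integer exponent
    return std::pow(x, y);                              // ordinary case: defer to the runtime
}
```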
2012-12-16  Filip Pizlo  <fpizlo@apple.com>

        Bytecode dumping should show rare case profiles
        https://bugs.webkit.org/show_bug.cgi?id=105133

        Reviewed by Geoffrey Garen.

        Refactored the dumper to call dumpBytecodeCommandAndNewLine in just one place,
        rather than in all of the places. Changed the rare case profile getters to use
        tryBinarySearch rather than binarySearch, so that they can be used speculatively
        even if you don't know that the bytecode has rare case profiles. This actually
        increases our assertion level, since it means that in release builds we will get
        null and crash rather than getting some random adjacent profile. And then this
        adds some printing of the rare case profiles.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::beginDumpProfiling):
        (JSC):
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::dumpRareCaseProfile):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset):

2012-12-13  Filip Pizlo  <fpizlo@apple.com>

        Attempt to rationalize and simplify WTF::binarySearch
        https://bugs.webkit.org/show_bug.cgi?id=104890

        Reviewed by Maciej Stachowiak.

        Switch to using the new binarySearch() API. No change in behavior.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::codeOriginForReturn):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getStubInfo):
        (JSC::CodeBlock::getByValInfo):
        (JSC::CodeBlock::getCallLinkInfo):
        (JSC::CodeBlock::dfgOSREntryDataForBytecodeIndex):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::blockIndexForBytecodeOffset):
        * dfg/DFGMinifiedGraph.h:
        (JSC::DFG::MinifiedGraph::at):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::indexForBytecodeIndex):

2012-12-13  Filip Pizlo  <fpizlo@apple.com>

        Don't assert that flags <= 0x3ff in JSTypeInfo
        https://bugs.webkit.org/show_bug.cgi?id=104988

        Reviewed by Sam Weinig.

        This assertion doesn't accomplish anything other than crashes.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2012-12-13  Filip Pizlo  <fpizlo@apple.com>

        Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings
        https://bugs.webkit.org/show_bug.cgi?id=104623

        Reviewed by Geoffrey Garen.

        Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to inhibit prototype chain caching
        in some cases. This appears to be perf-neutral on benchmarks that we track.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDProtoList):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSTypeInfo.h:
        (JSC):
        (JSC::TypeInfo::hasImpureGetOwnPropertySlot):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess):

2012-12-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/137683.
        It broke gmail.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC):
        * runtime/Operations.h:
        (JSC):

2012-13-11  Oliver Hunt  <oliver@apple.com>

        Support op_typeof in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=98898

        Reviewed by Filip Pizlo.

        Adds a TypeOf node to the DFG to support op_typeof.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
          We try to determine the result early here, and substitute in a constant.
          Otherwise we leave the node intact, and set the result type to SpecString.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
          Parse op_typeof
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
          TypeOf nodes can be subjected to pure CSE
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
          We can handle typeof.
        * dfg/DFGNodeType.h:
        (DFG):
          Define the node.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
          Add operationTypeOf to support the non-trivial cases.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
          Actual codegen
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC):
        * runtime/Operations.h:
        (JSC):
          Some refactoring to allow us to get the type string for an
          object without needing a callframe.

760 2012-12-12  Filip Pizlo  <fpizlo@apple.com>
761
762         OSR exit compiler should emit code for resetting the execution counter that matches the logic of ExecutionCounter.cpp
763         https://bugs.webkit.org/show_bug.cgi?id=104791
764
765         Reviewed by Oliver Hunt.
766
767         The OSR exit compiler wants to make it so that every OSR exit does the equivalent
768         of:
769         
770         codeBlock->m_jitExecuteCounter.setNewThreshold(
771             codeBlock->counterValueForOptimizeAfterLongWarmUp());
772         
773         This logically involves:
774         
775         - Resetting the counter to zero.
776         - Setting m_activeThreshold to counterValueForOptimizeAfterLongWarmUp().
777         - Figuring out the scaled threshold, subtracting the count so far (which is zero,
778           so this part is a no-op), and clipping (ExecuteCounter::clippedThreshold()).
779         - Setting m_counter to the negated clipped threshold.
780         - Setting m_totalCount to the previous count so far (which is zero) plus the
781           clipped threshold.
782         
783         Because of the reset, which sets the count-so-far to zero, this amounts to:
784         
785         - Setting m_activeThreshold to counterValueForOptimizeAfterLongWarmUp().
786         - Figuring out the clipped scaled threshold.
787         - Setting m_counter to the negated clipped scaled threshold.
788         - Setting m_totalCount to the (positive) clipped scaled threshold.
789         
790         The code was previously not doing this, but now is. This is performance neutral.
791         The only change in behavior over what the code was previously doing (setting the
792         m_counter to the negated scaled threshold, without clipping, and then setting
793         the m_totalCount to the clipped scaled threshold) is that this will respond more
794         gracefully under memory pressure and will ensure that we get more value profile
795         LUBing before triggering recompilation. More LUBing is almost always a good
796         thing.
797
798         * dfg/DFGOSRExitCompiler.cpp:
799         (JSC::DFG::OSRExitCompiler::handleExitCounts):
800
801 2012-12-12  Ilya Tikhonovsky  <loislo@chromium.org>
802
803         Web Inspector: Native Memory Instrumentation: remove fake root MemoryObjectInfo.
804         https://bugs.webkit.org/show_bug.cgi?id=104796
805
806         Reviewed by Yury Semikhatsky.
807
808         It was not a good idea to introduce a fake root MemoryObjectInfo.
809         It causes a problem when we visit an object without its own MemoryObjectType.
810
811         Example: RenderBox has a global pointer to a hash map.
812         HashMap doesn't have its own object type because it is a generic container.
813         It will inherit object type from the fake root memory object info.
814         The same could happen for another container in another class with other MemoryObjectType.
815
816         This fact forces me to create a custom process method for root objects
817         because they need to have their own MemoryObjectInfo with a customisable memory object type.
818
819         Drive-by fix: InstrumentedPointer* was replaced with Wrapper* because it is actually used
820         for both instrumented and non-instrumented object classes.
821
822         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
823
824 2012-12-11  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
825
826         Implement add64 for ARM traditional assembler after r136601
827         https://bugs.webkit.org/show_bug.cgi?id=104103
828
829         Reviewed by Zoltan Herczeg.
830
831         Implement add64 function for ARM traditional macroassembler.
832
833         * assembler/MacroAssemblerARM.h:
834         (JSC::MacroAssemblerARM::add64):
835         (MacroAssemblerARM):
836
837 2012-12-11  Filip Pizlo  <fpizlo@apple.com>
838
839         Unreviewed. Fix build with DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE).
840
841         * bytecode/CodeBlock.cpp:
842         (JSC::CodeBlock::tallyFrequentExitSites):
843
844 2012-12-11  Filip Pizlo  <fpizlo@apple.com>
845
846         Profiler should show bytecode dumps as they would have been visible to the JITs, including the profiling data that the JITs would see
847         https://bugs.webkit.org/show_bug.cgi?id=104647
848
849         Reviewed by Oliver Hunt.
850
851         Adds more profiling data to bytecode dumps, and adds the ability to do a secondary
852         bytecode dump for each JIT compilation of a code block. This is relevant because both
853         the bytecodes, and the profiling data, may change after some number of executions.
854         
855         Also fixes some random dumping code to use PrintStream& rather than
856         static const char[thingy].
857
858         * CMakeLists.txt:
859         * GNUmakefile.list.am:
860         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
861         * JavaScriptCore.xcodeproj/project.pbxproj:
862         * Target.pri:
863         * bytecode/ArrayProfile.cpp:
864         (JSC::dumpArrayModes):
865         (JSC::ArrayProfile::briefDescription):
866         * bytecode/ArrayProfile.h:
867         * bytecode/CodeBlock.cpp:
868         (JSC::CodeBlock::printGetByIdOp):
869         (JSC::CodeBlock::printGetByIdCacheStatus):
870         (JSC::CodeBlock::printCallOp):
871         (JSC::CodeBlock::dumpValueProfiling):
872         (JSC::CodeBlock::dumpArrayProfiling):
873         (JSC::CodeBlock::dumpBytecode):
874         * bytecode/CodeBlock.h:
875         * bytecode/ValueProfile.h:
876         (JSC::ValueProfileBase::briefDescription):
877         * dfg/DFGAbstractValue.h:
878         (JSC::DFG::AbstractValue::dump):
879         * dfg/DFGByteCodeParser.cpp:
880         (JSC::DFG::ByteCodeParser::parseCodeBlock):
881         * jit/JIT.cpp:
882         (JSC::JIT::privateCompile):
883         * profiler/ProfilerBytecodeSequence.cpp: Added.
884         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
885         (JSC::Profiler::BytecodeSequence::~BytecodeSequence):
886         (JSC::Profiler::BytecodeSequence::indexForBytecodeIndex):
887         (JSC::Profiler::BytecodeSequence::forBytecodeIndex):
888         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
889         * profiler/ProfilerBytecodeSequence.h: Added.
890         (JSC::Profiler::BytecodeSequence::size):
891         (JSC::Profiler::BytecodeSequence::at):
892         * profiler/ProfilerBytecodes.cpp:
893         (JSC::Profiler::Bytecodes::Bytecodes):
894         (JSC::Profiler::Bytecodes::toJS):
895         * profiler/ProfilerBytecodes.h:
896         (JSC::Profiler::Bytecodes::instructionCount):
897         * profiler/ProfilerCompilation.cpp:
898         (JSC::Profiler::Compilation::addProfiledBytecodes):
899         (JSC::Profiler::Compilation::toJS):
900         * profiler/ProfilerCompilation.h:
901         (JSC::Profiler::Compilation::profiledBytecodesSize):
902         (JSC::Profiler::Compilation::profiledBytecodesAt):
903         * profiler/ProfilerDatabase.cpp:
904         (JSC::Profiler::Database::ensureBytecodesFor):
905         * profiler/ProfilerDatabase.h:
906         * profiler/ProfilerProfiledBytecodes.cpp: Added.
907         (JSC::Profiler::ProfiledBytecodes::ProfiledBytecodes):
908         (JSC::Profiler::ProfiledBytecodes::~ProfiledBytecodes):
909         (JSC::Profiler::ProfiledBytecodes::toJS):
910         * profiler/ProfilerProfiledBytecodes.h: Added.
911         (JSC::Profiler::ProfiledBytecodes::bytecodes):
912         * runtime/CommonIdentifiers.h:
913
914 2012-12-11  Oswald Buddenhagen  <oswald.buddenhagen@digia.com>
915
916         [Qt] delete dead include paths
917
918         Reviewed by Simon Hausmann.
919
920         Follow-up to https://bugs.webkit.org/show_bug.cgi?id=93446
921
922         * JavaScriptCore.pri:
923
924 2012-12-11  Julien BRIANCEAU   <jbrianceau@nds.com>
925
926         Implement add64 for SH4 assembler to fix build after r136601
927         https://bugs.webkit.org/show_bug.cgi?id=104377
928
929         Reviewed by Zoltan Herczeg.
930
931         * assembler/MacroAssemblerSH4.h:
932         (JSC::MacroAssemblerSH4::add64):
933         (MacroAssemblerSH4):
934
935 2012-12-10  Yury Semikhatsky  <yurys@chromium.org>
936
937         Memory instrumentation: make sure each edge is reported only once
938         https://bugs.webkit.org/show_bug.cgi?id=104630
939
940         Reviewed by Pavel Feldman.
941
942         Changed exported symbols for MemoryInstrumentation.
943
944         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
945
946 2012-12-10  Filip Pizlo  <fpizlo@apple.com>
947
948         Don't OSR exit just because a string is a rope
949         https://bugs.webkit.org/show_bug.cgi?id=104621
950
951         Reviewed by Michael Saboff.
952
953         Slight SunSpider speed-up at around the 0.7% level. This patch does the obvious
954         thing of calling a slow path to resolve ropes rather than OSR exiting if the
955         string is a rope.
956
957         * dfg/DFGAbstractState.cpp:
958         (JSC::DFG::AbstractState::execute):
959         * dfg/DFGArrayMode.h:
960         (JSC::DFG::ArrayMode::getIndexedPropertyStorageMayTriggerGC):
961         (ArrayMode):
962         * dfg/DFGCSEPhase.cpp:
963         (JSC::DFG::CSEPhase::putStructureStoreElimination):
964         * dfg/DFGOperations.cpp:
965         * dfg/DFGOperations.h:
966         * dfg/DFGSpeculativeJIT.cpp:
967         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
968         * dfg/DFGSpeculativeJIT.h:
969         (JSC::DFG::SpeculativeJIT::callOperation):
970
971 2012-12-10  Gustavo Noronha Silva  <gns@gnome.org>
972
973         Unreviewed distcheck fix.
974
975         * GNUmakefile.list.am:
976
977 2012-12-10  Filip Pizlo  <fpizlo@apple.com>
978
979         JSC profiling and debug dump code should use inferred names when possible
980         https://bugs.webkit.org/show_bug.cgi?id=104519
981
982         Reviewed by Oliver Hunt.
983
984         This does as advertised: the profiler now knows the inferred name of all code blocks,
985         and all uses of CodeBlock::dump() dump it along with the hash.
986         
987         * bytecode/CodeBlock.cpp:
988         (JSC::CodeBlock::inferredName):
989         (JSC::CodeBlock::dumpAssumingJITType):
990         * bytecode/CodeBlock.h:
991         * profiler/ProfilerBytecodes.cpp:
992         (JSC::Profiler::Bytecodes::Bytecodes):
993         (JSC::Profiler::Bytecodes::toJS):
994         * profiler/ProfilerBytecodes.h:
995         (JSC::Profiler::Bytecodes::inferredName):
996         * profiler/ProfilerDatabase.cpp:
997         (JSC::Profiler::Database::addBytecodes):
998         (JSC::Profiler::Database::ensureBytecodesFor):
999         * profiler/ProfilerDatabase.h:
1000         * runtime/CommonIdentifiers.h:
1001
1002 2012-12-09  Filip Pizlo  <fpizlo@apple.com>
1003
1004         Profiler should say things about OSR exits
1005         https://bugs.webkit.org/show_bug.cgi?id=104497
1006
1007         Reviewed by Oliver Hunt.
1008
1009         This adds support for profiling OSR exits. For each exit that is taken, the profiler
1010         records the machine code address that the exit occurred on, the exit kind, the origin
1011         stack, and the number of times that it happened.
1012
1013         * CMakeLists.txt:
1014         * GNUmakefile.list.am:
1015         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1016         * JavaScriptCore.xcodeproj/project.pbxproj:
1017         * Target.pri:
1018         * assembler/AbstractMacroAssembler.h:
1019         (Jump):
1020         (JSC::AbstractMacroAssembler::Jump::label):
1021         * bytecode/CodeBlock.h:
1022         (JSC::CodeBlock::saveCompilation):
1023         (CodeBlock):
1024         (JSC::CodeBlock::compilation):
1025         (DFGData):
1026         * bytecode/DFGExitProfile.h:
1027         (DFG):
1028         * bytecode/ExitKind.cpp: Added.
1029         (JSC):
1030         (JSC::exitKindToString):
1031         (JSC::exitKindIsCountable):
1032         (WTF):
1033         (WTF::printInternal):
1034         * bytecode/ExitKind.h: Added.
1035         (JSC):
1036         (WTF):
1037         * dfg/DFGGraph.h:
1038         (Graph):
1039         * dfg/DFGJITCompiler.cpp:
1040         (JSC::DFG::JITCompiler::linkOSRExits):
1041         (JSC::DFG::JITCompiler::link):
1042         (JSC::DFG::JITCompiler::compile):
1043         (JSC::DFG::JITCompiler::compileFunction):
1044         * dfg/DFGJITCompiler.h:
1045         (JITCompiler):
1046         * dfg/DFGOSRExitCompiler.cpp:
1047         * jit/JIT.cpp:
1048         (JSC::JIT::JIT):
1049         (JSC::JIT::privateCompile):
1050         * jit/JIT.h:
1051         (JIT):
1052         * jit/JumpReplacementWatchpoint.h:
1053         (JSC::JumpReplacementWatchpoint::sourceLabel):
1054         (JumpReplacementWatchpoint):
1055         * profiler/ProfilerCompilation.cpp:
1056         (JSC::Profiler::Compilation::addOSRExitSite):
1057         (Profiler):
1058         (JSC::Profiler::Compilation::addOSRExit):
1059         (JSC::Profiler::Compilation::toJS):
1060         * profiler/ProfilerCompilation.h:
1061         (Compilation):
1062         * profiler/ProfilerDatabase.cpp:
1063         (JSC::Profiler::Database::newCompilation):
1064         * profiler/ProfilerDatabase.h:
1065         (Database):
1066         * profiler/ProfilerOSRExit.cpp: Added.
1067         (Profiler):
1068         (JSC::Profiler::OSRExit::OSRExit):
1069         (JSC::Profiler::OSRExit::~OSRExit):
1070         (JSC::Profiler::OSRExit::toJS):
1071         * profiler/ProfilerOSRExit.h: Added.
1072         (Profiler):
1073         (OSRExit):
1074         (JSC::Profiler::OSRExit::id):
1075         (JSC::Profiler::OSRExit::origin):
1076         (JSC::Profiler::OSRExit::exitKind):
1077         (JSC::Profiler::OSRExit::isWatchpoint):
1078         (JSC::Profiler::OSRExit::counterAddress):
1079         (JSC::Profiler::OSRExit::count):
1080         * profiler/ProfilerOSRExitSite.cpp: Added.
1081         (Profiler):
1082         (JSC::Profiler::OSRExitSite::toJS):
1083         * profiler/ProfilerOSRExitSite.h: Added.
1084         (Profiler):
1085         (OSRExitSite):
1086         (JSC::Profiler::OSRExitSite::OSRExitSite):
1087         (JSC::Profiler::OSRExitSite::codeAddress):
1088         * runtime/CommonIdentifiers.h:
1089
1090 2012-12-10  Alexis Menard  <alexis@webkit.org>
1091
1092         [CSS3 Backgrounds and Borders] Remove CSS3_BACKGROUND feature flag.
1093         https://bugs.webkit.org/show_bug.cgi?id=104539
1094
1095         Reviewed by Antonio Gomes.
1096
1097         As discussed on webkit-dev, this feature flag is not needed, as support
1098         for the <position> type is a small feature that is already implemented
1099         by three other UAs. It was useful while landing this feature, as partial
1100         bits were landed one after another.
1101
1102         * Configurations/FeatureDefines.xcconfig:
1103
1104 2012-12-09  Filip Pizlo  <fpizlo@apple.com>
1105
1106         DFG ArrayPush/Pop should not pass their second child as the index for blessArrayOperation()
1107         https://bugs.webkit.org/show_bug.cgi?id=104500
1108
1109         Reviewed by Oliver Hunt.
1110
1111         Slight across-the-board speed-up.
1112
1113         * dfg/DFGAbstractState.cpp:
1114         (JSC::DFG::AbstractState::execute):
1115         * dfg/DFGFixupPhase.cpp:
1116         (JSC::DFG::FixupPhase::fixupNode):
1117
1118 2012-12-08  Filip Pizlo  <fpizlo@apple.com>
1119
1120         JSC should scale the optimization threshold for a code block according to the cost of compiling it
1121         https://bugs.webkit.org/show_bug.cgi?id=104406
1122
1123         Reviewed by Oliver Hunt.
1124
1125         We've long known that we want the execution count threshold needed for the DFG
1126         to kick in to scale according to some estimate of the cost of compiling that code block.
1127         This institutes a relationship like this:
1128         
1129         threshold = thresholdSetting * (a * sqrt(instructionCount + b) + abs(c * instructionCount) + d)
1130         
1131         Where a, b, c, d are coefficients derived from fitting the above expression to various
1132         data points, which I chose based on looking at one benchmark (3d-cube) and from my
1133         own intuitions.
1134         
1135         Making this work well also required changing the thresholdForOptimizeAfterLongWarmUp
1136         from 5000 to 1000.
1137         
1138         This is a >1% speed-up on SunSpider, a >3% speed-up on V8Spider, ~1% speed-up on V8v7,
1139         neutral on Octane, and neutral on Kraken.
1140         
1141         I also out-of-lined a bunch of methods related to these heuristics, because I couldn't
1142         stand having them defined in the header anymore. I also made improvements to debugging
1143         code because I needed it for tuning this change.
1144
1145         * CMakeLists.txt:
1146         * GNUmakefile.list.am:
1147         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1148         * JavaScriptCore.xcodeproj/project.pbxproj:
1149         * Target.pri:
1150         * bytecode/CodeBlock.cpp:
1151         (JSC::CodeBlock::sourceCodeForTools):
1152         (JSC::CodeBlock::sourceCodeOnOneLine):
1153         (JSC::CodeBlock::dumpBytecode):
1154         (JSC::CodeBlock::CodeBlock):
1155         (JSC::CodeBlock::reoptimizationRetryCounter):
1156         (JSC::CodeBlock::countReoptimization):
1157         (JSC::CodeBlock::optimizationThresholdScalingFactor):
1158         (JSC::clipThreshold):
1159         (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
1160         (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
1161         (JSC::CodeBlock::counterValueForOptimizeSoon):
1162         (JSC::CodeBlock::checkIfOptimizationThresholdReached):
1163         (JSC::CodeBlock::optimizeNextInvocation):
1164         (JSC::CodeBlock::dontOptimizeAnytimeSoon):
1165         (JSC::CodeBlock::optimizeAfterWarmUp):
1166         (JSC::CodeBlock::optimizeAfterLongWarmUp):
1167         (JSC::CodeBlock::optimizeSoon):
1168         (JSC::CodeBlock::adjustedExitCountThreshold):
1169         (JSC::CodeBlock::exitCountThresholdForReoptimization):
1170         (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
1171         (JSC::CodeBlock::shouldReoptimizeNow):
1172         (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
1173         * bytecode/CodeBlock.h:
1174         * bytecode/ExecutionCounter.cpp:
1175         (JSC::ExecutionCounter::hasCrossedThreshold):
1176         * bytecode/ReduceWhitespace.cpp: Added.
1177         (JSC::reduceWhitespace):
1178         * bytecode/ReduceWhitespace.h: Added.
1179         * dfg/DFGCapabilities.cpp:
1180         (JSC::DFG::mightCompileEval):
1181         (JSC::DFG::mightCompileProgram):
1182         (JSC::DFG::mightCompileFunctionForCall):
1183         (JSC::DFG::mightCompileFunctionForConstruct):
1184         (JSC::DFG::mightInlineFunctionForCall):
1185         (JSC::DFG::mightInlineFunctionForConstruct):
1186         * dfg/DFGCapabilities.h:
1187         * dfg/DFGDisassembler.cpp:
1188         (JSC::DFG::Disassembler::dumpHeader):
1189         * dfg/DFGOSREntry.cpp:
1190         (JSC::DFG::prepareOSREntry):
1191         * jit/JITDisassembler.cpp:
1192         (JSC::JITDisassembler::dumpHeader):
1193         * jit/JITStubs.cpp:
1194         (JSC::DEFINE_STUB_FUNCTION):
1195         * llint/LLIntSlowPaths.cpp:
1196         (JSC::LLInt::entryOSR):
1197         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1198         * profiler/ProfilerDatabase.cpp:
1199         (JSC::Profiler::Database::ensureBytecodesFor):
1200         * runtime/Options.h:
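The counter-reset steps listed in the 2012-12-12 OSR exit entry above and the threshold-scaling formula from this entry, modelled together as an added example that is not JSC's own code. The coefficients a, b, c, d, the clipping bound kClipMax, the sample instruction counts and the simplified ExecutionCounter stand-in are all assumptions of this example.

```cpp
#include <cmath>
#include <cstdint>

// Assumed coefficients (not the tuned values) for
//   threshold = thresholdSetting * (a * sqrt(instructionCount + b) + abs(c * instructionCount) + d)
struct ScalingCoefficients { double a, b, c, d; };
const ScalingCoefficients kAssumedCoefficients = { 1.0, 0.0, 0.25, 0.5 };

// Assumed clipping bound standing in for ExecutionCounter::clippedThreshold().
const int32_t kClipMax = 1 << 16;

double optimizationThresholdScalingFactor(unsigned instructionCount)
{
    const ScalingCoefficients& k = kAssumedCoefficients;
    return k.a * std::sqrt(instructionCount + k.b)
         + std::fabs(k.c * instructionCount)
         + k.d;
}

// Simplified stand-in for JSC's ExecutionCounter: m_counter starts negative and
// counts up toward zero; the count so far is m_totalCount + m_counter.
class ExecutionCounter {
public:
    ExecutionCounter() : m_counter(0), m_totalCount(0), m_activeThreshold(0) { }

    static int32_t clippedThreshold(double threshold)
    {
        if (threshold < 1)
            return 1;
        if (threshold > kClipMax)
            return kClipMax;
        return static_cast<int32_t>(threshold);
    }

    int32_t count() const { return m_totalCount + m_counter; }
    int32_t activeThreshold() const { return m_activeThreshold; }

    void reset() { m_counter = 0; m_totalCount = 0; }

    // The steps listed in the 2012-12-12 entry: set m_activeThreshold, scale,
    // subtract the count so far, clip, store the negated clipped value and
    // advance m_totalCount by the clipped value.
    void setNewThreshold(int32_t threshold, double scalingFactor)
    {
        int32_t countSoFar = count();
        m_activeThreshold = threshold;
        int32_t clipped = clippedThreshold(threshold * scalingFactor - countSoFar);
        m_counter = -clipped;
        m_totalCount = countSoFar + clipped;
    }

    // What the OSR exit compiler now emulates: reset, then setNewThreshold, so the
    // count so far is zero and m_counter / m_totalCount agree.
    void resetOnOSRExit(int32_t threshold, double scalingFactor)
    {
        reset();
        setNewThreshold(threshold, scalingFactor);
    }

    // The previous behaviour described in the entry: negated *unclipped* scaled
    // threshold in m_counter, clipped value in m_totalCount. They disagree
    // whenever clipping actually happens.
    void oldResetOnOSRExit(int32_t threshold, double scalingFactor)
    {
        reset();
        m_activeThreshold = threshold;
        double scaled = threshold * scalingFactor;
        m_counter = -static_cast<int32_t>(scaled);
        m_totalCount = clippedThreshold(scaled);
    }

    // One execution; true once the threshold has been crossed.
    bool tick()
    {
        ++m_counter;
        return m_counter >= 0;
    }

private:
    int32_t m_counter;
    int32_t m_totalCount;
    int32_t m_activeThreshold;
};

// Executions needed after an OSR exit before recompilation is considered.
int executionsUntilRecompile(int32_t thresholdSetting, unsigned instructionCount)
{
    ExecutionCounter counter;
    counter.resetOnOSRExit(thresholdSetting, optimizationThresholdScalingFactor(instructionCount));
    int executions = 0;
    while (true) {
        ++executions;
        if (counter.tick())
            return executions;
    }
}

// Count so far right after an OSR exit reset; the fixed logic always yields zero.
int32_t countAfterOSRExitReset(int32_t thresholdSetting, unsigned instructionCount, bool useOldLogic)
{
    ExecutionCounter counter;
    double factor = optimizationThresholdScalingFactor(instructionCount);
    if (useOldLogic)
        counter.oldResetOnOSRExit(thresholdSetting, factor);
    else
        counter.resetOnOSRExit(thresholdSetting, factor);
    return counter.count();
}
```

With the assumed coefficients, 64 instructions scale a setting of 1000 to 24500 executions, while 10000 instructions would scale it past the clipping bound, which is exactly the case where the old and new reset logic diverge.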
1201
1202 2012-12-07  Jonathan Liu  <net147@gmail.com>
1203
1204         Add missing forward declaration for JSC::ArrayAllocationProfile
1205         https://bugs.webkit.org/show_bug.cgi?id=104425
1206
1207         Reviewed by Kentaro Hara.
1208
1209         The header for the JSC::ArrayConstructor class is missing a forward
1210         declaration for the JSC::ArrayAllocationProfile class which causes
1211         compilation to fail when compiling with MinGW-w64.
1212
1213         * runtime/ArrayConstructor.h:
1214         (JSC):
1215
1216 2012-12-07  Jonathan Liu  <net147@gmail.com>
1217
1218         Add missing const qualifier to JSC::CodeBlock::getJITType()
1219         https://bugs.webkit.org/show_bug.cgi?id=104424
1220
1221         Reviewed by Laszlo Gombos.
1222
1223         JSC::CodeBlock::getJITType() has the const qualifier when JIT is
1224         enabled but is missing the const qualifier when JIT is disabled.
1225
1226         * bytecode/CodeBlock.h:
1227         (JSC::CodeBlock::getJITType):
1228
1229 2012-12-07  Oliver Hunt  <oliver@apple.com>
1230
1231         Make function code cache proportional to main codeblock cache
1232         https://bugs.webkit.org/show_bug.cgi?id=104420
1233
1234         Reviewed by Geoffrey Garen.
1235
1236         Makes the constants determining the recently used function cache proportional
1237         to the number of root codeblocks in the cache.  Also renames the constants to
1238         make them more clear.
1239      
1240         * runtime/CodeCache.h:
1241
1242 2012-12-06  Filip Pizlo  <fpizlo@apple.com>
1243
1244         Strange results calculating a square root in a loop
1245         https://bugs.webkit.org/show_bug.cgi?id=104247
1246         <rdar://problem/12826880>
1247
1248         Reviewed by Oliver Hunt.
1249
1250         Fixed the CFG simplification phase to ignore dead GetLocals in the first of the blocks
1251         under the merge. This fixes the assertion, and is also cleaner: our general rule is
1252         to not "revive" things that we've already proved to be dead.
1253         
1254         Also fixed some rotted debug code.
1255
1256         * dfg/DFGCFGSimplificationPhase.cpp:
1257         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
1258         * dfg/DFGStructureCheckHoistingPhase.cpp:
1259         (JSC::DFG::StructureCheckHoistingPhase::run):
1260
1261 2012-12-07  Geoffrey Garen  <ggaren@apple.com>
1262
1263         Crash in JSC::Bindings::RootObject::globalObject() sync'ing notes in Evernote
1264         https://bugs.webkit.org/show_bug.cgi?id=104321
1265         <rdar://problem/12770497>
1266
1267         Reviewed by Sam Weinig.
1268
1269         Work around a JSValueUnprotect(NULL) in Evernote.
1270
1271         * API/JSValueRef.cpp:
1272         (evernoteHackNeeded):
1273         (JSValueUnprotect):
1274
1275 2012-12-06  Filip Pizlo  <fpizlo@apple.com>
1276
1277         Incorrect inequality for checking whether a statement is within bounds of a handler
1278         https://bugs.webkit.org/show_bug.cgi?id=104313
1279         <rdar://problem/12808934>
1280
1281         Reviewed by Geoffrey Garen.
1282
1283         The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality
1284         used for checking whether a handler is pertinent to the current instruction. '<' is
1285         correct, but '<=' isn't, since the 'end' is not inclusive.
1286         
1287         Also found, and addressed, a benign goof in how the finally inliner works: sometimes
1288         we will have end > start. This falls out naturally from how the inliner works and how
1289         we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any
1290         future confusion, I added a comment and some code to prune those handlers out. Because
1291         of how the handler resolution works, these handlers would have been skipped anyway.
1292         
1293         Also made various fixes to debugging code, which was necessary for tracking this down.
1294
1295         * bytecode/CodeBlock.cpp:
1296         (JSC::CodeBlock::dumpBytecode):
1297         (JSC::CodeBlock::handlerForBytecodeOffset):
1298         * bytecompiler/BytecodeGenerator.cpp:
1299         (JSC::BytecodeGenerator::generate):
1300         * bytecompiler/Label.h:
1301         (JSC::Label::bind):
1302         * interpreter/Interpreter.cpp:
1303         (JSC::Interpreter::throwException):
1304         * llint/LLIntExceptions.cpp:
1305         (JSC::LLInt::interpreterThrowInCaller):
1306         (JSC::LLInt::returnToThrow):
1307         (JSC::LLInt::callToThrow):
1308         * llint/LLIntSlowPaths.cpp:
1309         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1310         (JSC::LLInt::handleHostCall):
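A model of the handler-table lookup whose bounds check this entry corrects, as an added example rather than JSC's code. The HandlerInfo layout, the innermost-first ordering, the pruning rule (start >= end) and the sample table are assumptions of this example.

```cpp
#include <cstddef>
#include <vector>

// Assumed layout of one handler-table entry: [start, end) is the half-open
// bytecode range it protects; target is the handler's own bytecode offset.
struct HandlerInfo {
    unsigned start;
    unsigned end;
    unsigned target;
};

// Fixed lookup: a handler is pertinent when start <= offset < end, so the
// upper bound uses '<'. Handlers are ordered innermost first, so the first
// match is the right one. Returns the handler's index, or -1 if none applies.
int handlerForBytecodeOffset(const std::vector<HandlerInfo>& handlers, unsigned bytecodeOffset)
{
    for (size_t i = 0; i < handlers.size(); ++i) {
        if (handlers[i].start <= bytecodeOffset && bytecodeOffset < handlers[i].end)
            return static_cast<int>(i);
    }
    return -1;
}

// The pre-fix comparison, kept only for contrast: '<=' also claims the
// instruction at 'end', which lies just outside the protected range, so an
// exception raised there is routed to a handler that does not cover it.
int buggyHandlerForBytecodeOffset(const std::vector<HandlerInfo>& handlers, unsigned bytecodeOffset)
{
    for (size_t i = 0; i < handlers.size(); ++i) {
        if (handlers[i].start <= bytecodeOffset && bytecodeOffset <= handlers[i].end)
            return static_cast<int>(i);
    }
    return -1;
}

// Drops handlers whose range covers no instruction (start >= end), the kind of
// entry the finally inliner can leave behind. They could never match under the
// fixed check, so pruning them only makes the table easier to reason about.
std::vector<HandlerInfo> pruneEmptyHandlers(const std::vector<HandlerInfo>& handlers)
{
    std::vector<HandlerInfo> pruned;
    for (size_t i = 0; i < handlers.size(); ++i) {
        if (handlers[i].start >= handlers[i].end)
            continue;
        pruned.push_back(handlers[i]);
    }
    return pruned;
}

// Constructed handler table: an inner try [10, 20) nested inside an outer
// try [5, 30), plus an empty range and an inverted range to be pruned.
std::vector<HandlerInfo> constructedHandlerTable()
{
    std::vector<HandlerInfo> handlers;
    HandlerInfo inner = { 10, 20, 50 };
    HandlerInfo outer = { 5, 30, 60 };
    HandlerInfo empty = { 25, 25, 70 };
    HandlerInfo inverted = { 40, 35, 80 };
    handlers.push_back(inner);
    handlers.push_back(outer);
    handlers.push_back(empty);
    handlers.push_back(inverted);
    return handlers;
}
```

Offset 20 is the first instruction after the inner try: the fixed check resolves it to the outer handler, while the '<=' check still picks the inner one; at offset 30 the fixed check finds no handler at all.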
1311
1312 2012-12-06  Rick Byers  <rbyers@chromium.org>
1313
1314         CSS cursor property should support webkit-image-set
1315         https://bugs.webkit.org/show_bug.cgi?id=99493
1316
1317         Reviewed by Beth Dakin.
1318
1319         Add ENABLE_MOUSE_CURSOR_SCALE (disabled by default)
1320
1321         * Configurations/FeatureDefines.xcconfig:
1322
1323 2012-12-06  Laszlo Gombos  <l.gombos@samsung.com>
1324
1325         [CMake] Consolidate list of files to build for JavaScriptCore
1326         https://bugs.webkit.org/show_bug.cgi?id=104287
1327
1328         Reviewed by Gyuyoung Kim.
1329
1330         Add MemoryStatistics.cpp and ExecutableAllocator.cpp to the common
1331         list of files and remove them from the port specific lists.
1332
1333         * CMakeLists.txt:
1334         * PlatformBlackBerry.cmake:
1335         * PlatformEfl.cmake:
1336         * PlatformWinCE.cmake:
1337
1338 2012-12-06  Oliver Hunt  <oliver@apple.com>
1339
1340         Tell heap that we've released all the compiled code.
1341
1342         Reviewed by Geoff Garen.
1343
1344         When we discard compiled code, inform the heap that we've
1345         released an entire object graph.  This informs the heap that
1346         it might want to perform a GC soon.
1347
1348         * runtime/JSGlobalData.cpp:
1349         (JSC::JSGlobalData::discardAllCode):
1350
1351 2012-12-06  Laszlo Gombos  <l.gombos@samsung.com>
1352
1353         [EFL] Remove ENABLE_GLIB_SUPPORT CMake variable
1354         https://bugs.webkit.org/show_bug.cgi?id=104278
1355
1356         Reviewed by Brent Fulgham.
1357
1358         The conditional is not required as it is always set for EFL.
1359
1360         * PlatformEfl.cmake:
1361
1362 2012-12-06  Oliver Hunt  <oliver@apple.com>
1363
1364         Build fix, last patch rolled out logic that is now needed on ToT.
1365
1366         * parser/ASTBuilder.h:
1367         (ASTBuilder):
1368         (JSC::ASTBuilder::setFunctionStart):
1369         * parser/Nodes.h:
1370         (JSC::FunctionBodyNode::setFunctionStart):
1371         (JSC::FunctionBodyNode::functionStart):
1372         (FunctionBodyNode):
1373         * parser/Parser.cpp:
1374         (JSC::::parseFunctionInfo):
1375         * parser/SyntaxChecker.h:
1376         (JSC::SyntaxChecker::setFunctionStart):
1377
1378 2012-12-05  Oliver Hunt  <oliver@apple.com>
1379
1380         Remove harmful string->function cache
1381         https://bugs.webkit.org/show_bug.cgi?id=104193
1382
1383         Reviewed by Alexey Proskuryakov.
1384
1385         Remove the string->function code cache that turned out to actually
1386         be quite harmful.
1387
1388         * runtime/CodeCache.cpp:
1389         (JSC::CodeCache::getFunctionCodeBlock):
1390         * runtime/CodeCache.h:
1391         (JSC::CodeCache::clear):
1392
1393 2012-12-05  Halton Huo  <halton.huo@intel.com>
1394
1395         [CMake] Unify coding style for CMake files
1396         https://bugs.webkit.org/show_bug.cgi?id=103605
1397
1398         Reviewed by Laszlo Gombos.
1399
1400         Update CMake files (.cmake, CMakeLists.txt) with the following style rules:
1401         1. Indentation
1402         1.1 Use spaces, not tabs.
1403         1.2 Four spaces as indent.
1404         2. Spacing
1405         2.1 Place one space between control statements and their parentheses.
1406             For example, if (), else (), elseif (), endif (), foreach (),
1407             endforeach (), while (), endwhile (), break ().
1408         2.2 Do not place spaces between function and macro statements and
1409             their parentheses. For example, macro(), endmacro(), function(),
1410             endfunction().
1411         2.3 Do not place spaces between a command, function or macro and its
1412             parentheses, or between a parenthesis and its content. For example,
1413             message("testing"), not message( "testing") or message ("testing" ).
1414         2.4 No space at line ending.
1415         3. Use lowercase when calling commands, macros and functions. For example,
1416            add_executable() not ADD_EXECUTABLE(), set() not SET().
1417
1418         * CMakeLists.txt:
1419         * PlatformBlackBerry.cmake:
1420         * PlatformEfl.cmake:
1421         * PlatformWinCE.cmake:
1422         * shell/CMakeLists.txt:
1423         * shell/PlatformBlackBerry.cmake:
1424         * shell/PlatformEfl.cmake:
1425         * shell/PlatformWinCE.cmake:
1426
1427 2012-12-05  Oliver Hunt  <oliver@apple.com>
1428
1429         Empty parse cache when receiving a low memory warning
1430         https://bugs.webkit.org/show_bug.cgi?id=104161
1431
1432         Reviewed by Filip Pizlo.
1433
1434         This adds a function to the globaldata to empty all code related data
1435         structures (code in the heap and the code cache).
1436         It also adds a function to allow the CodeCache to actually be cleared
1437         at all. 
1438
1439         * runtime/CodeCache.h:
1440         (CacheMap):
1441         (JSC::CacheMap::clear):
1442         (JSC::CodeCache::clear):
1443         (CodeCache):
1444         * runtime/JSGlobalData.cpp:
1445         (JSC::JSGlobalData::discardAllCode):
1446         (JSC):
1447         * runtime/JSGlobalData.h:
1448         (JSGlobalData):
1449
1450 2012-12-05  Filip Pizlo  <fpizlo@apple.com>
1451
1452         JSC profiler should not count executions of op_call_put_result because doing so changes DFG codegen
1453         https://bugs.webkit.org/show_bug.cgi?id=104102
1454
1455         Reviewed by Oliver Hunt.
1456
1457         This removes op_call_put_result from profiling, since profiling it has an effect on
1458         codegen. This fix enables all of SunSpider, V8, and Kraken to be profiled with the
1459         new profiler.
1460         
1461         To make this all fit together, the profiler now also reports in its output the exact
1462         bytecode opcode name for each instruction (in addition to the stringified dump of that
1463         bytecode), so that tools that grok the output can take note of op_call_put_result and
1464         work around the fact that it has no counts.
1465
1466         * dfg/DFGByteCodeParser.cpp:
1467         (JSC::DFG::ByteCodeParser::parseBlock):
1468         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1469         * dfg/DFGDriver.cpp:
1470         (JSC::DFG::compile):
1471         * jit/JIT.cpp:
1472         (JSC::JIT::privateCompileMainPass):
1473         * profiler/ProfilerBytecode.cpp:
1474         (JSC::Profiler::Bytecode::toJS):
1475         * profiler/ProfilerBytecode.h:
1476         (JSC::Profiler::Bytecode::Bytecode):
1477         (JSC::Profiler::Bytecode::opcodeID):
1478         (Bytecode):
1479         * profiler/ProfilerDatabase.cpp:
1480         (JSC::Profiler::Database::ensureBytecodesFor):
1481         * runtime/CommonIdentifiers.h:
1482
1483 2012-12-04  Filip Pizlo  <fpizlo@apple.com>
1484
1485         display-profiler-output should be able to show source code
1486         https://bugs.webkit.org/show_bug.cgi?id=104073
1487
1488         Reviewed by Oliver Hunt.
1489
1490         Modify the profiler database to store source code. For functions, we store the
1491         function including the function signature.
1492
1493         * bytecode/CodeBlock.h:
1494         (JSC::CodeBlock::unlinkedCodeBlock):
1495         (CodeBlock):
1496         * profiler/ProfilerBytecodes.cpp:
1497         (JSC::Profiler::Bytecodes::Bytecodes):
1498         (JSC::Profiler::Bytecodes::toJS):
1499         * profiler/ProfilerBytecodes.h:
1500         (Bytecodes):
1501         (JSC::Profiler::Bytecodes::sourceCode):
1502         * profiler/ProfilerDatabase.cpp:
1503         (JSC::Profiler::Database::addBytecodes):
1504         (JSC::Profiler::Database::ensureBytecodesFor):
1505         * profiler/ProfilerDatabase.h:
1506         (Database):
1507         * runtime/CommonIdentifiers.h:
1508         * runtime/Executable.h:
1509         (FunctionExecutable):
1510         (JSC::FunctionExecutable::unlinkedExecutable):
1511
1512 2012-12-02  Filip Pizlo  <fpizlo@apple.com>
1513
1514         JSC should be able to report profiling data associated with the IR dumps and disassembly
1515         https://bugs.webkit.org/show_bug.cgi?id=102999
1516
1517         Reviewed by Gavin Barraclough.
1518
1519         Added a new profiler to JSC. It's simply called "Profiler" in anticipation of it
1520         ultimately replacing the previous profiling infrastructure. This profiler counts the
1521         number of times that a bytecode executes in various engines, and will record both the
1522         counts and all disassembly and bytecode dumps, into a database that can be at any
1523         time turned into either a JS object using any global object or global data of your
1524         choice, or can be turned into a JSON string, or saved to a file.
1525         
1526         Currently the only use of this is the new '-p <file>' flag to the jsc command-line.
1527         
1528         The profiler is always compiled in and normally incurs no execution time cost, but is
1529         only activated when you create a Profiler::Database and install it in
1530         JSGlobalData::m_perBytecodeProfiler. From that point on, all code blocks will be
1531         compiled along with disassembly and bytecode dumps stored into the Profiler::Database,
1532         and all code blocks will have execution counts, which are also stored in the database.
1533         The database will continue to keep information about code blocks alive even after they
1534         are otherwise GC'd.
1535         
1536         This currently still has some glitches, like the fact that it only counts executions
1537         in the JITs. Doing execution counting in the LLInt might require a bit of a rethink
1538         about how the counting is expressed - currently it is implicit in bytecode, so there
1539         is no easy way to "turn it on" in the LLInt. Also, right now there is no information
1540         recorded about OSR exits or out-of-line stubs. But, even so, it's quite cool, and
1541         gives you a peek into what JSC is doing that would otherwise not be possible.
1542
1543         * CMakeLists.txt:
1544         * GNUmakefile.list.am:
1545         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1546         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1547         * JavaScriptCore.xcodeproj/project.pbxproj:
1548         * Target.pri:
1549         * bytecode/CodeBlock.cpp:
1550         (JSC::CodeBlock::~CodeBlock):
1551         * bytecode/CodeBlock.h:
1552         (CodeBlock):
1553         (JSC::CodeBlock::baselineVersion):
1554         * bytecode/CodeOrigin.cpp:
1555         (JSC::InlineCallFrame::baselineCodeBlock):
1556         (JSC):
1557         * bytecode/CodeOrigin.h:
1558         (InlineCallFrame):
1559         * dfg/DFGAbstractState.cpp:
1560         (JSC::DFG::AbstractState::execute):
1561         * dfg/DFGByteCodeParser.cpp:
1562         (JSC::DFG::ByteCodeParser::parseBlock):
1563         * dfg/DFGDisassembler.cpp:
1564         (JSC::DFG::Disassembler::dump):
1565         (DFG):
1566         (JSC::DFG::Disassembler::reportToProfiler):
1567         (JSC::DFG::Disassembler::dumpHeader):
1568         (JSC::DFG::Disassembler::append):
1569         (JSC::DFG::Disassembler::createDumpList):
1570         * dfg/DFGDisassembler.h:
1571         (Disassembler):
1572         (JSC::DFG::Disassembler::DumpedOp::DumpedOp):
1573         (DumpedOp):
1574         * dfg/DFGGraph.cpp:
1575         (JSC::DFG::Graph::Graph):
1576         (JSC::DFG::Graph::dumpCodeOrigin):
1577         (JSC::DFG::Graph::dump):
1578         * dfg/DFGGraph.h:
1579         (Graph):
1580         * dfg/DFGJITCompiler.cpp:
1581         (JSC::DFG::JITCompiler::JITCompiler):
1582         (JSC::DFG::JITCompiler::compile):
1583         (JSC::DFG::JITCompiler::compileFunction):
1584         * dfg/DFGNode.h:
1585         (Node):
1586         (JSC::DFG::Node::hasExecutionCounter):
1587         (JSC::DFG::Node::executionCounter):
1588         * dfg/DFGNodeType.h:
1589         (DFG):
1590         * dfg/DFGPredictionPropagationPhase.cpp:
1591         (JSC::DFG::PredictionPropagationPhase::propagate):
1592         * dfg/DFGSpeculativeJIT32_64.cpp:
1593         (JSC::DFG::SpeculativeJIT::compile):
1594         * dfg/DFGSpeculativeJIT64.cpp:
1595         (JSC::DFG::SpeculativeJIT::compile):
1596         * jit/JIT.cpp:
1597         (JSC::JIT::JIT):
1598         (JSC::JIT::privateCompileMainPass):
1599         (JSC::JIT::privateCompile):
1600         * jit/JIT.h:
1601         (JIT):
1602         * jit/JITDisassembler.cpp:
1603         (JSC::JITDisassembler::dump):
1604         (JSC::JITDisassembler::reportToProfiler):
1605         (JSC):
1606         (JSC::JITDisassembler::dumpHeader):
1607         (JSC::JITDisassembler::firstSlowLabel):
1608         (JSC::JITDisassembler::dumpVectorForInstructions):
1609         (JSC::JITDisassembler::dumpForInstructions):
1610         (JSC::JITDisassembler::reportInstructions):
1611         * jit/JITDisassembler.h:
1612         (JITDisassembler):
1613         (DumpedOp):
1614         * jsc.cpp:
1615         (CommandLine::CommandLine):
1616         (CommandLine):
1617         (printUsageStatement):
1618         (CommandLine::parseArguments):
1619         (jscmain):
1620         * profiler/ProfilerBytecode.cpp: Added.
1621         (Profiler):
1622         (JSC::Profiler::Bytecode::toJS):
1623         * profiler/ProfilerBytecode.h: Added.
1624         (Profiler):
1625         (Bytecode):
1626         (JSC::Profiler::Bytecode::Bytecode):
1627         (JSC::Profiler::Bytecode::bytecodeIndex):
1628         (JSC::Profiler::Bytecode::description):
1629         (JSC::Profiler::getBytecodeIndexForBytecode):
1630         * profiler/ProfilerBytecodes.cpp: Added.
1631         (Profiler):
1632         (JSC::Profiler::Bytecodes::Bytecodes):
1633         (JSC::Profiler::Bytecodes::~Bytecodes):
1634         (JSC::Profiler::Bytecodes::indexForBytecodeIndex):
1635         (JSC::Profiler::Bytecodes::forBytecodeIndex):
1636         (JSC::Profiler::Bytecodes::dump):
1637         (JSC::Profiler::Bytecodes::toJS):
1638         * profiler/ProfilerBytecodes.h: Added.
1639         (Profiler):
1640         (Bytecodes):
1641         (JSC::Profiler::Bytecodes::append):
1642         (JSC::Profiler::Bytecodes::id):
1643         (JSC::Profiler::Bytecodes::hash):
1644         (JSC::Profiler::Bytecodes::size):
1645         (JSC::Profiler::Bytecodes::at):
1646         * profiler/ProfilerCompilation.cpp: Added.
1647         (Profiler):
1648         (JSC::Profiler::Compilation::Compilation):
1649         (JSC::Profiler::Compilation::~Compilation):
1650         (JSC::Profiler::Compilation::addDescription):
1651         (JSC::Profiler::Compilation::executionCounterFor):
1652         (JSC::Profiler::Compilation::toJS):
1653         * profiler/ProfilerCompilation.h: Added.
1654         (Profiler):
1655         (Compilation):
1656         (JSC::Profiler::Compilation::bytecodes):
1657         (JSC::Profiler::Compilation::kind):
1658         * profiler/ProfilerCompilationKind.cpp: Added.
1659         (WTF):
1660         (WTF::printInternal):
1661         * profiler/ProfilerCompilationKind.h: Added.
1662         (Profiler):
1663         (WTF):
1664         * profiler/ProfilerCompiledBytecode.cpp: Added.
1665         (Profiler):
1666         (JSC::Profiler::CompiledBytecode::CompiledBytecode):
1667         (JSC::Profiler::CompiledBytecode::~CompiledBytecode):
1668         (JSC::Profiler::CompiledBytecode::toJS):
1669         * profiler/ProfilerCompiledBytecode.h: Added.
1670         (Profiler):
1671         (CompiledBytecode):
1672         (JSC::Profiler::CompiledBytecode::originStack):
1673         (JSC::Profiler::CompiledBytecode::description):
1674         * profiler/ProfilerDatabase.cpp: Added.
1675         (Profiler):
1676         (JSC::Profiler::Database::Database):
1677         (JSC::Profiler::Database::~Database):
1678         (JSC::Profiler::Database::addBytecodes):
1679         (JSC::Profiler::Database::ensureBytecodesFor):
1680         (JSC::Profiler::Database::notifyDestruction):
1681         (JSC::Profiler::Database::newCompilation):
1682         (JSC::Profiler::Database::toJS):
1683         (JSC::Profiler::Database::toJSON):
1684         (JSC::Profiler::Database::save):
1685         * profiler/ProfilerDatabase.h: Added.
1686         (Profiler):
1687         (Database):
1688         * profiler/ProfilerExecutionCounter.h: Added.
1689         (Profiler):
1690         (ExecutionCounter):
1691         (JSC::Profiler::ExecutionCounter::ExecutionCounter):
1692         (JSC::Profiler::ExecutionCounter::address):
1693         (JSC::Profiler::ExecutionCounter::count):
1694         * profiler/ProfilerOrigin.cpp: Added.
1695         (Profiler):
1696         (JSC::Profiler::Origin::Origin):
1697         (JSC::Profiler::Origin::dump):
1698         (JSC::Profiler::Origin::toJS):
1699         * profiler/ProfilerOrigin.h: Added.
1700         (JSC):
1701         (Profiler):
1702         (Origin):
1703         (JSC::Profiler::Origin::Origin):
1704         (JSC::Profiler::Origin::operator!):
1705         (JSC::Profiler::Origin::bytecodes):
1706         (JSC::Profiler::Origin::bytecodeIndex):
1707         (JSC::Profiler::Origin::operator!=):
1708         (JSC::Profiler::Origin::operator==):
1709         (JSC::Profiler::Origin::hash):
1710         (JSC::Profiler::Origin::isHashTableDeletedValue):
1711         (JSC::Profiler::OriginHash::hash):
1712         (JSC::Profiler::OriginHash::equal):
1713         (OriginHash):
1714         (WTF):
1715         * profiler/ProfilerOriginStack.cpp: Added.
1716         (Profiler):
1717         (JSC::Profiler::OriginStack::OriginStack):
1718         (JSC::Profiler::OriginStack::~OriginStack):
1719         (JSC::Profiler::OriginStack::append):
1720         (JSC::Profiler::OriginStack::operator==):
1721         (JSC::Profiler::OriginStack::hash):
1722         (JSC::Profiler::OriginStack::dump):
1723         (JSC::Profiler::OriginStack::toJS):
1724         * profiler/ProfilerOriginStack.h: Added.
1725         (JSC):
1726         (Profiler):
1727         (OriginStack):
1728         (JSC::Profiler::OriginStack::OriginStack):
1729         (JSC::Profiler::OriginStack::operator!):
1730         (JSC::Profiler::OriginStack::size):
1731         (JSC::Profiler::OriginStack::fromBottom):
1732         (JSC::Profiler::OriginStack::fromTop):
1733         (JSC::Profiler::OriginStack::isHashTableDeletedValue):
1734         (JSC::Profiler::OriginStackHash::hash):
1735         (JSC::Profiler::OriginStackHash::equal):
1736         (OriginStackHash):
1737         (WTF):
1738         * runtime/CommonIdentifiers.h:
1739         * runtime/ExecutionHarness.h:
1740         (JSC::prepareForExecution):
1741         (JSC::prepareFunctionForExecution):
1742         * runtime/JSGlobalData.cpp:
1743         (JSC::JSGlobalData::JSGlobalData):
1744         (JSC::JSGlobalData::~JSGlobalData):
1745         * runtime/JSGlobalData.h:
1746         (JSGlobalData):
1747         * runtime/Options.h:
1748         (JSC):
1749
1750 2012-12-04  Filip Pizlo  <fpizlo@apple.com>
1751
1752         Rename Profiler to LegacyProfiler
1753         https://bugs.webkit.org/show_bug.cgi?id=104031
1754
1755         Rubber stamped by Mark Hahnenberg.
1756
1757         Make room in the namespace for https://bugs.webkit.org/show_bug.cgi?id=102999.
1758
1759         * API/JSProfilerPrivate.cpp:
1760         (JSStartProfiling):
1761         (JSEndProfiling):
1762         * CMakeLists.txt:
1763         * GNUmakefile.list.am:
1764         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1765         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1766         * JavaScriptCore.xcodeproj/project.pbxproj:
1767         * Target.pri:
1768         * interpreter/Interpreter.cpp:
1769         (JSC::Interpreter::throwException):
1770         (JSC::Interpreter::execute):
1771         (JSC::Interpreter::executeCall):
1772         (JSC::Interpreter::executeConstruct):
1773         * jit/JIT.h:
1774         * jit/JITCode.h:
1775         * jit/JITStubs.cpp:
1776         (JSC::DEFINE_STUB_FUNCTION):
1777         * jit/JITStubs.h:
1778         (JSC):
1779         * llint/LLIntSlowPaths.cpp:
1780         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1781         * profiler/LegacyProfiler.cpp: Added.
1782         (JSC):
1783         (JSC::LegacyProfiler::profiler):
1784         (JSC::LegacyProfiler::startProfiling):
1785         (JSC::LegacyProfiler::stopProfiling):
1786         (JSC::dispatchFunctionToProfiles):
1787         (JSC::LegacyProfiler::willExecute):
1788         (JSC::LegacyProfiler::didExecute):
1789         (JSC::LegacyProfiler::exceptionUnwind):
1790         (JSC::LegacyProfiler::createCallIdentifier):
1791         (JSC::createCallIdentifierFromFunctionImp):
1792         * profiler/LegacyProfiler.h: Added.
1793         (JSC):
1794         (LegacyProfiler):
1795         (JSC::LegacyProfiler::currentProfiles):
1796         * profiler/ProfileGenerator.cpp:
1797         (JSC::ProfileGenerator::addParentForConsoleStart):
1798         * profiler/ProfileNode.cpp:
1799         * profiler/Profiler.cpp: Removed.
1800         * profiler/Profiler.h: Removed.
1801         * runtime/JSGlobalData.h:
1802         (JSC):
1803         (JSC::JSGlobalData::enabledProfiler):
1804         (JSGlobalData):
1805         * runtime/JSGlobalObject.cpp:
1806         (JSC::JSGlobalObject::~JSGlobalObject):
1807
1808 2012-12-03  Filip Pizlo  <fpizlo@apple.com>
1809
1810         DFG should inline code blocks that use scoped variable access
1811         https://bugs.webkit.org/show_bug.cgi?id=103974
1812
1813         Reviewed by Oliver Hunt.
1814
1815         This mostly just turns on something we could have done all along, but also adds a few key
1816         necessities to make this right:
1817         
1818         1) Constant folding of SkipScope, since if we inline with a known JSFunction* then the
1819            scope is constant.
1820         
1821         2) Interference analysis for GetLocal<->PutScopedVar and SetLocal<->GetScopedVar.
1822         
1823         This is not meant to be a speed-up on major benchmarks since we don't yet inline most
1824         closure calls for entirely unrelated reasons. But on toy programs it can be >2x faster.
1825
1826         * dfg/DFGAbstractState.cpp:
1827         (JSC::DFG::AbstractState::execute):
1828         * dfg/DFGByteCodeParser.cpp:
1829         (JSC::DFG::ByteCodeParser::getScope):
1830         (JSC::DFG::ByteCodeParser::parseResolveOperations):
1831         * dfg/DFGCSEPhase.cpp:
1832         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1833         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1834         (JSC::DFG::CSEPhase::getLocalLoadElimination):
1835         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1836         * dfg/DFGCapabilities.h:
1837         (JSC::DFG::canInlineResolveOperations):
1838
1839 2012-12-03  Filip Pizlo  <fpizlo@apple.com>
1840
1841         Replace JSValue::description() with JSValue::dump(PrintStream&)
1842         https://bugs.webkit.org/show_bug.cgi?id=103866
1843
1844         Reviewed by Darin Adler.
1845
1846         JSValue now has a dump() method. Anywhere that you would have wanted to use
1847         description(), you can either do toCString(value).data(), or if the callee
1848         is a print()/dataLog() method then you just pass the value directly.
1849
1850         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1851         * bytecode/CodeBlock.cpp:
1852         (JSC::valueToSourceString):
1853         (JSC::CodeBlock::finalizeUnconditionally):
1854         * bytecode/ValueProfile.h:
1855         (JSC::ValueProfileBase::dump):
1856         * bytecode/ValueRecovery.h:
1857         (JSC::ValueRecovery::dump):
1858         * dfg/DFGAbstractValue.h:
1859         (JSC::DFG::AbstractValue::dump):
1860         * dfg/DFGGraph.cpp:
1861         (JSC::DFG::Graph::dump):
1862         * interpreter/Interpreter.cpp:
1863         (JSC::Interpreter::dumpRegisters):
1864         * jsc.cpp:
1865         (functionDescribe):
1866         * llint/LLIntSlowPaths.cpp:
1867         (JSC::LLInt::llint_trace_value):
1868         * runtime/JSValue.cpp:
1869         (JSC::JSValue::dump):
1870         * runtime/JSValue.h:
1871
1872 2012-12-04  Filip Pizlo  <fpizlo@apple.com>
1873
1874         jsc command line tool's support for typed arrays should be robust against array buffer allocation errors
1875         https://bugs.webkit.org/show_bug.cgi?id=104020
1876         <rdar://problem/12802478>
1877
1878         Reviewed by Mark Hahnenberg.
1879
1880         Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
1881         and that is indeed the contract of ArrayBuffer and TypedArrayBase.
1882
1883         * JSCTypedArrayStubs.h:
1884         (JSC):
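        The contract described above (a typed array allocator returns null on failure and the
        caller must check before touching the storage), shown as an added example. This is not
        WebKit code; ArrayBuffer::tryCreate, constructInt32Array and the helper wrappers are
        hypothetical stand-ins for JSC's real classes, written to show the check the entry adds.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <memory>
#include <string>

// Toy ArrayBuffer (hypothetical; not JSC's class). tryCreate() returns nullptr instead of
// crashing when the request cannot be satisfied: either the byte-length computation would
// overflow size_t, or the allocator itself fails. Callers must check for null.
class ArrayBuffer {
public:
    static std::unique_ptr<ArrayBuffer> tryCreate(std::size_t numElements, std::size_t elementByteSize)
    {
        if (elementByteSize != 0 && numElements > SIZE_MAX / elementByteSize)
            return nullptr; // numElements * elementByteSize would overflow
        std::size_t byteLength = numElements * elementByteSize;
        void* data = std::calloc(byteLength ? byteLength : 1, 1); // zero-filled, like a fresh buffer
        if (!data)
            return nullptr; // allocation failure is reported, not hidden
        return std::unique_ptr<ArrayBuffer>(new ArrayBuffer(data, byteLength));
    }
    ~ArrayBuffer() { std::free(m_data); }
    std::size_t byteLength() const { return m_byteLength; }
    void* data() { return m_data; }

private:
    ArrayBuffer(void* data, std::size_t byteLength) : m_data(data), m_byteLength(byteLength) {}
    void* m_data;
    std::size_t m_byteLength;
};

// Toy Int32Array construction. A null buffer becomes a RangeError-style failure, which is the
// path an engine must take instead of dereferencing the null pointer.
bool constructInt32Array(std::size_t length, std::unique_ptr<ArrayBuffer>& out, std::string& error)
{
    std::unique_ptr<ArrayBuffer> buffer = ArrayBuffer::tryCreate(length, sizeof(int32_t));
    if (!buffer) {
        error = "RangeError: could not allocate typed array buffer";
        return false;
    }
    // Only from here on is it safe to touch buffer->data().
    out = std::move(buffer);
    return true;
}

// Convenience wrappers so the outcome can be checked without out-parameters.
bool int32ArrayConstructs(std::size_t length)
{
    std::unique_ptr<ArrayBuffer> buffer;
    std::string error;
    return constructInt32Array(length, buffer, error);
}

std::size_t int32ArrayByteLength(std::size_t length)
{
    std::unique_ptr<ArrayBuffer> buffer;
    std::string error;
    return constructInt32Array(length, buffer, error) ? buffer->byteLength() : 0;
}
```

        The overflow check runs before the multiplication, so an oversized element count is
        rejected without ever asking the allocator for a wrapped-around (small) size.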
1885
1886 2012-12-03  Peter Rybin  <prybin@chromium.org>
1887
1888         Web Inspector: make ASSERTION FAILED: foundPropertiesCount == object->size() more useful
1889         https://bugs.webkit.org/show_bug.cgi?id=103254
1890
1891         Reviewed by Pavel Feldman.
1892
1893         Missing symbol WTFReportFatalError is added to the linker list.
1894
1895         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1896
1897 2012-12-03  Alexis Menard  <alexis@webkit.org>
1898
1899         [Mac] Enable CSS3 background-position offset by default.
1900         https://bugs.webkit.org/show_bug.cgi?id=103905
1901
1902         Reviewed by Simon Fraser.
1903
1904         Turn the flag on by default.
1905
1906         * Configurations/FeatureDefines.xcconfig:
1907
1908 2012-12-02  Filip Pizlo  <fpizlo@apple.com>
1909
1910         DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context
1911         https://bugs.webkit.org/show_bug.cgi?id=103858
1912
1913         Reviewed by Gavin Barraclough.
1914
1915         A rage conversion from double to contiguous is one where you try to convert each
1916         double to an int32.
1917
1918         This is probably not the last we'll hear of rage conversion from double to contiguous.
1919         It may be better to do this right during parsing, which will result in fewer cases of
1920         Arrayification. But even so, this looks like a straight win already - 1% speed-up on
1921         Kraken, no major regression anywhere else.
1922
1923         * dfg/DFGAbstractState.cpp:
1924         (JSC::DFG::AbstractState::execute):
1925         * dfg/DFGArrayMode.cpp:
1926         (JSC::DFG::ArrayMode::refine):
1927         (JSC::DFG::arrayConversionToString):
1928         (JSC::DFG::ArrayMode::dump):
1929         (WTF):
1930         (WTF::printInternal):
1931         * dfg/DFGArrayMode.h:
1932         (JSC::DFG::ArrayMode::withConversion):
1933         (ArrayMode):
1934         (JSC::DFG::ArrayMode::doesConversion):
1935         (WTF):
1936         * dfg/DFGFixupPhase.cpp:
1937         (JSC::DFG::FixupPhase::fixupBlock):
1938         (JSC::DFG::FixupPhase::fixupNode):
1939         (JSC::DFG::FixupPhase::checkArray):
1940         (FixupPhase):
1941         * dfg/DFGGraph.cpp:
1942         (JSC::DFG::Graph::dump):
1943         * dfg/DFGNodeFlags.h:
1944         (DFG):
1945         * dfg/DFGOperations.cpp:
1946         * dfg/DFGOperations.h:
1947         * dfg/DFGPredictionPropagationPhase.cpp:
1948         (JSC::DFG::PredictionPropagationPhase::propagate):
1949         * dfg/DFGSpeculativeJIT.cpp:
1950         (JSC::DFG::SpeculativeJIT::arrayify):
1951         * dfg/DFGStructureCheckHoistingPhase.cpp:
1952         (JSC::DFG::StructureCheckHoistingPhase::run):
1953         * runtime/JSObject.cpp:
1954         (JSC):
1955         (JSC::JSObject::genericConvertDoubleToContiguous):
1956         (JSC::JSObject::convertDoubleToContiguous):
1957         (JSC::JSObject::rageConvertDoubleToContiguous):
1958         (JSC::JSObject::ensureContiguousSlow):
1959         (JSC::JSObject::rageEnsureContiguousSlow):
1960         * runtime/JSObject.h:
1961         (JSObject):
1962         (JSC::JSObject::rageEnsureContiguous):
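        The rage conversion sketched above, as an added example rather than WebKit's own code.
        Value, asExactInt32, convertDoubleToContiguous and sampleDoubleStorage are hypothetical
        toy stand-ins for JSC's JSValue and JSObject::rageConvertDoubleToContiguous; the sample
        input is constructed for the example.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Toy stand-in for a boxed JSValue living in Contiguous storage: an int32, a double, or a
// hole. (Hypothetical type; JSC's real JSValue is a NaN-boxed 64-bit word.)
struct Value {
    enum Kind { Hole, Int32, Double };
    Kind kind = Hole;
    int32_t i = 0;
    double d = 0.0;
    static Value hole() { return Value(); }
    static Value fromInt32(int32_t v) { Value r; r.kind = Int32; r.i = v; return r; }
    static Value fromDouble(double v) { Value r; r.kind = Double; r.d = v; return r; }
};

// Does this double have an exact int32 representation? Negative zero is refused because an
// int32 cannot carry the sign, and JS code can observe it (1 / -0 === -Infinity).
bool asExactInt32(double d, int32_t& out)
{
    if (std::isnan(d) || std::isinf(d))
        return false;
    if (d == 0.0 && std::signbit(d))
        return false;
    if (d < static_cast<double>(std::numeric_limits<int32_t>::min())
        || d > static_cast<double>(std::numeric_limits<int32_t>::max()))
        return false;
    if (d != std::floor(d))
        return false;
    out = static_cast<int32_t>(d);
    return true;
}

// Convert Double-shaped storage (raw doubles; in this toy model a NaN marks a hole, an
// assumption modelled on JSC, whose Double-shaped arrays never hold a real NaN) into
// Contiguous storage. A plain conversion boxes every element as a double. A rage conversion
// first tries each element as an int32, so later integer-context reads see Int32 values.
std::vector<Value> convertDoubleToContiguous(const std::vector<double>& doubles, bool rage)
{
    std::vector<Value> out;
    out.reserve(doubles.size());
    for (double d : doubles) {
        if (std::isnan(d)) {
            out.push_back(Value::hole());
            continue;
        }
        int32_t asInt = 0;
        if (rage && asExactInt32(d, asInt)) {
            out.push_back(Value::fromInt32(asInt));
            continue;
        }
        out.push_back(Value::fromDouble(d));
    }
    return out;
}

// How many slots an integer-context GetByVal could read without a double->int check.
std::size_t countInt32(const std::vector<Value>& values)
{
    std::size_t n = 0;
    for (const Value& v : values)
        if (v.kind == Value::Int32)
            ++n;
    return n;
}

// Constructed sample: two exact ints, a fraction, negative zero, 2^32 (out of int32 range)
// and a hole.
std::vector<double> sampleDoubleStorage()
{
    return std::vector<double>{ 1.0, 2.5, -0.0, 4294967296.0, std::nan(""), 7.0 };
}
```

        Running both conversions over the sample shows the difference: the plain conversion
        yields no Int32 slots, while the rage conversion yields two (1.0 and 7.0) and leaves the
        fraction, negative zero and the out-of-range value as boxed doubles.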
1963
1964 2012-12-02  Filip Pizlo  <fpizlo@apple.com>
1965
1966         DFG CSE should not keep alive things that aren't relevant to OSR
1967         https://bugs.webkit.org/show_bug.cgi?id=103849
1968
1969         Reviewed by Oliver Hunt.
1970
1971         Most Phantom nodes are inserted by CSE, and by default have the same children as the
1972         node that CSE had eliminated. This change makes CSE inspect all Phantom nodes (both
1973         those it creates and those that were created by other phases) to see if they have
1974         children that are redundant - i.e. children that are not interesting to OSR, which
1975         is the only reason why Phantoms exist in the first place. Being relevant to OSR is
1976         defined as one of: (1) you're a Phi, (2) you're a SetLocal, (3) somewhere between
1977         your definition and the Phantom there was a SetLocal that referred to you.
1978         
1979         This is a slight speed-up in a few places.
1980
1981         * dfg/DFGCSEPhase.cpp:
1982         (JSC::DFG::CSEPhase::CSEPhase):
1983         (JSC::DFG::CSEPhase::run):
1984         (JSC::DFG::CSEPhase::performSubstitution):
1985         (CSEPhase):
1986         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
1987         (JSC::DFG::CSEPhase::setReplacement):
1988         (JSC::DFG::CSEPhase::eliminate):
1989         (JSC::DFG::CSEPhase::performNodeCSE):
1990         (JSC::DFG::CSEPhase::performBlockCSE):
1991
1992 2012-12-02  Filip Pizlo  <fpizlo@apple.com>
1993
1994         It should be possible to build and run with DFG_ENABLE(PROPAGATION_VERBOSE)
1995         https://bugs.webkit.org/show_bug.cgi?id=103848
1996
1997         Reviewed by Sam Weinig.
1998
1999         Fix random dataLog() and print() statements.
2000
2001         * dfg/DFGArgumentsSimplificationPhase.cpp:
2002         (JSC::DFG::ArgumentsSimplificationPhase::run):
2003         * dfg/DFGByteCodeParser.cpp:
2004         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2005         * dfg/DFGGraph.cpp:
2006         (JSC::DFG::Graph::dumpBlockHeader):
2007         * dfg/DFGPredictionPropagationPhase.cpp:
2008         (JSC::DFG::PredictionPropagationPhase::propagate):
2009         * dfg/DFGStructureCheckHoistingPhase.cpp:
2010         (JSC::DFG::StructureCheckHoistingPhase::run):
2011
2012 2012-12-01  Filip Pizlo  <fpizlo@apple.com>
2013
2014         CodeBlock should be able to dump bytecode to something other than WTF::dataFile()
2015         https://bugs.webkit.org/show_bug.cgi?id=103832
2016
2017         Reviewed by Oliver Hunt.
2018
2019         Add a PrintStream& argument to all of the CodeBlock bytecode dumping methods.
2020
2021         * bytecode/CodeBlock.cpp:
2022         (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
2023         (JSC::CodeBlock::printUnaryOp):
2024         (JSC::CodeBlock::printBinaryOp):
2025         (JSC::CodeBlock::printConditionalJump):
2026         (JSC::CodeBlock::printGetByIdOp):
2027         (JSC::dumpStructure):
2028         (JSC::dumpChain):
2029         (JSC::CodeBlock::printGetByIdCacheStatus):
2030         (JSC::CodeBlock::printCallOp):
2031         (JSC::CodeBlock::printPutByIdOp):
2032         (JSC::CodeBlock::printStructure):
2033         (JSC::CodeBlock::printStructures):
2034         (JSC::CodeBlock::dumpBytecode):
2035         * bytecode/CodeBlock.h:
2036         (CodeBlock):
2037         * jit/JITDisassembler.cpp:
2038         (JSC::JITDisassembler::dumpForInstructions):
2039
2040 2012-11-30  Pierre Rossi  <pierre.rossi@gmail.com>
2041
2042         [Qt] Unreviewed speculative Mac build fix after r136232
2043
2044         Update the include path so that LLIntAssembly.h is picked up.
2045         The bot didn't break until later when a clean build was triggered.
2046
2047         * JavaScriptCore.pri:
2048
2049 2012-11-30  Oliver Hunt  <oliver@apple.com>
2050
2051         Optimise more cases of op_typeof
2052         https://bugs.webkit.org/show_bug.cgi?id=103783
2053
2054         Reviewed by Mark Hahnenberg.
2055
2056         Increase our coverage of typeof based typechecks by
2057         making sure that the code generators always use
2058         consistent operand ordering when feeding typeof operations
2059         into equality operations.
2060
2061         * bytecompiler/NodesCodegen.cpp:
2062         (JSC::BinaryOpNode::emitBytecode):
2063         (JSC::EqualNode::emitBytecode):
2064         (JSC::StrictEqualNode::emitBytecode):
2065
2066 2012-11-30  Filip Pizlo  <fpizlo@apple.com>
2067
2068         Rationalize and clean up DFG handling of scoped accesses
2069         https://bugs.webkit.org/show_bug.cgi?id=103715
2070
2071         Reviewed by Oliver Hunt.
2072
2073         Previously, we had a GetScope node that specified the depth to which you wanted
2074         to travel to get a JSScope, and the backend implementation of the node would
2075         perform all of the necessary footwork, including potentially skipping the top
2076         scope if necessary, and doing however many loads were needed. But there were
2077         strange things. First, if you had accesses at different scope depths, then the
2078         loads to get to the common depth could not be CSE'd - CSE would match only
2079         GetScope's that had identical depth. Second, GetScope would be emitted even if
2080         we already had the scope, for example in put_to_base. And finally, even though
2081         the ResolveOperations could tell us whether or not we had to skip the top scope,
2082         the backend would recompute this information itself, often pessimistically.
2083         
2084         This eliminates GetScope and replaces it with the following:
2085         
2086         GetMyScope: just get the JSScope from the call frame header. This will forever
2087         mean getting the JSScope associated with the machine call frame; it will not
2088         mean getting the scope of an inlined function. Or at least that's the intent.
2089         
2090         SkipTopScope: check if there is an activation, and if so, skip a scope. This
2091         takes a scope as a child and returns a scope.
2092         
2093         SkipScope: skip one scope level.
2094         
2095         The bytecode parser now emits the right combination of the above, and
2096         potentially emits multiple SkipScope's, based on the ResolveOperations.
2097         
2098         This change also includes some fixups to debug logging. We now always print
2099         the ExecutableBase* in addition to the CodeBlock* in the CodeBlock's dump,
2100         and we are now more verbose when dumping CodeOrigins and InlineCallFrames.
2101         
2102         This is performance-neutral. It's just meant to be a clean-up.
2103
2104         * bytecode/CodeBlock.cpp:
2105         (JSC::CodeBlock::dumpAssumingJITType):
2106         * bytecode/CodeOrigin.cpp:
2107         (JSC::CodeOrigin::inlineStack):
2108         (JSC::CodeOrigin::dump):
2109         (JSC):
2110         (JSC::InlineCallFrame::dump):
2111         * bytecode/CodeOrigin.h:
2112         (CodeOrigin):
2113         (InlineCallFrame):
2114         * dfg/DFGAbstractState.cpp:
2115         (JSC::DFG::AbstractState::execute):
2116         * dfg/DFGByteCodeParser.cpp:
2117         (ByteCodeParser):
2118         (JSC::DFG::ByteCodeParser::getScope):
2119         (DFG):
2120         (JSC::DFG::ByteCodeParser::parseResolveOperations):
2121         (JSC::DFG::ByteCodeParser::parseBlock):
2122         * dfg/DFGCSEPhase.cpp:
2123         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
2124         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
2125         (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
2126         (JSC::DFG::CSEPhase::setLocalStoreElimination):
2127         (JSC::DFG::CSEPhase::performNodeCSE):
2128         * dfg/DFGDisassembler.cpp:
2129         (JSC::DFG::Disassembler::dump):
2130         * dfg/DFGGraph.cpp:
2131         (JSC::DFG::Graph::dumpCodeOrigin):
2132         (JSC::DFG::Graph::dumpBlockHeader):
2133         * dfg/DFGNode.h:
2134         (Node):
2135         * dfg/DFGNodeType.h:
2136         (DFG):
2137         * dfg/DFGPredictionPropagationPhase.cpp:
2138         (JSC::DFG::PredictionPropagationPhase::propagate):
2139         * dfg/DFGSpeculativeJIT32_64.cpp:
2140         (JSC::DFG::SpeculativeJIT::compile):
2141         * dfg/DFGSpeculativeJIT64.cpp:
2142         (JSC::DFG::SpeculativeJIT::compile):
2143         * jit/JITDisassembler.cpp:
2144         (JSC::JITDisassembler::dump):
2145
2146 2012-11-30  Oliver Hunt  <oliver@apple.com>
2147
2148         Add direct string->function code cache
2149         https://bugs.webkit.org/show_bug.cgi?id=103764
2150
2151         Reviewed by Michael Saboff.
2152
2153         A fairly logically simple patch.  We now track the start of the
2154         unique portion of a function's body, and use that as our key for
2155         unlinked function code.  This allows us to cache identical code
2156         in different contexts, leading to a small but consistent improvement
2157         on the benchmarks we track.
2158
2159         * bytecode/UnlinkedCodeBlock.cpp:
2160         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2161         * bytecode/UnlinkedCodeBlock.h:
2162         (JSC::UnlinkedFunctionExecutable::functionStartOffset):
2163         (UnlinkedFunctionExecutable):
2164         * parser/ASTBuilder.h:
2165         (ASTBuilder):
2166         (JSC::ASTBuilder::setFunctionStart):
2167         * parser/Nodes.cpp:
2168         * parser/Nodes.h:
2169         (JSC::FunctionBodyNode::setFunctionStart):
2170         (JSC::FunctionBodyNode::functionStart):
2171         (FunctionBodyNode):
2172         * parser/Parser.cpp:
2173         (JSC::::parseFunctionInfo):
2174         * parser/Parser.h:
2175         (JSC::Parser::findCachedFunctionInfo):
2176         * parser/SyntaxChecker.h:
2177         (JSC::SyntaxChecker::setFunctionStart):
2178         * runtime/CodeCache.cpp:
2179         (JSC::CodeCache::generateFunctionCodeBlock):
2180         (JSC::CodeCache::getFunctionCodeBlock):
2181         (JSC::CodeCache::usedFunctionCode):
2182         * runtime/CodeCache.h:
2183
2184 2012-11-30  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2185
2186         Crash in conversion of empty OpaqueJSString to Identifier 
2187         https://bugs.webkit.org/show_bug.cgi?id=101867
2188
2189         Reviewed by Michael Saboff.
2190
2191         The constructor call used for both null and empty OpaqueJSStrings results
2192         in an assertion violation and crash. This patch instead uses the Identifier
2193         constructors which are specifically for null and empty Identifier.
2194
2195         * API/OpaqueJSString.cpp:
2196         (OpaqueJSString::identifier):
2197
2198 2012-11-30  Tor Arne Vestbø  <tor.arne.vestbo@digia.com>
2199
2200         [Qt] Place the LLIntOffsetsExtractor binaries in debug/release subdirs on Mac
2201
2202         Otherwise we'll end up using the same LLIntAssembly.h for both build
2203         configs of JavaScriptCore -- one of them which will be for the wrong
2204         config.
2205
2206         Reviewed by Simon Hausmann.
2207
2208         * LLIntOffsetsExtractor.pro:
2209
2210 2012-11-30  Julien BRIANCEAU   <jbrianceau@nds.com>
2211
2212         [sh4] Fix compilation warnings in JavaScriptCore JIT for sh4 arch
2213         https://bugs.webkit.org/show_bug.cgi?id=103378
2214
2215         Reviewed by Filip Pizlo.
2216
2217         * assembler/MacroAssemblerSH4.h:
2218         (JSC::MacroAssemblerSH4::branchTest32):
2219         (JSC::MacroAssemblerSH4::branchAdd32):
2220         (JSC::MacroAssemblerSH4::branchMul32):
2221         (JSC::MacroAssemblerSH4::branchSub32):
2222         (JSC::MacroAssemblerSH4::branchOr32):
2223
2224 2012-11-29  Rafael Weinstein  <rafaelw@chromium.org>
2225
2226         [HTMLTemplateElement] Add feature flag
2227         https://bugs.webkit.org/show_bug.cgi?id=103694
2228
2229         Reviewed by Adam Barth.
2230
2231         This flag will guard the implementation of the HTMLTemplateElement.
2232         http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html
2233
2234         * Configurations/FeatureDefines.xcconfig:
2235
2236 2012-11-29  Filip Pizlo  <fpizlo@apple.com>
2237
2238         It should be easy to find code blocks in debug dumps
2239         https://bugs.webkit.org/show_bug.cgi?id=103623
2240
2241         Reviewed by Geoffrey Garen.
2242
2243         This gives CodeBlock a relatively strong, but also relatively compact, hash. We compute
2244         it lazily so that it only impacts run-time when debug support is enabled. We stringify
2245         it smartly so that it's short and easy to type. We base it on the source code so that
2246         the optimization level is irrelevant. And, we use SHA1 since it's already in our code
2247         base. Now, when a piece of code wants to print some debugging to say that it's operating
2248         on some code block, it can use this CodeBlockHash instead of memory addresses.
2249
2250         This also takes CodeBlock debugging into the new world of print() and dataLog(). In
2251         particular, CodeBlock::dump() corresponds to the thing you want printed if you do:
2252
2253         dataLog("I heart ", *myCodeBlock);
2254
2255         Probably, you want to just print some identifying information at this point rather than
2256         the full bytecode dump. So, the existing CodeBlock::dump() has been renamed to
2257         CodeBlock::dumpBytecode(), and CodeBlock::dump() now prints the CodeBlockHash plus just
2258         a few little tidbits.
2259         
2260         Here's an example of CodeBlock::dump() output:
2261         
2262         EkILzr:[0x103883a00, BaselineFunctionCall]
2263         
2264         EkILzr is the CodeBlockHash. 0x103883a00 is the CodeBlock's address in memory. The other
2265         part is self-explanatory.
2266
2267         Finally, this new notion of CodeBlockHash is available for other purposes like bisecting
2268         breakage. As such CodeBlockHash has all of the comparison operator overloads. When
2269         bisecting in DFGDriver.cpp, you can now say things like:
2270         
2271         if (codeBlock->hash() < CodeBlockHash("CAAAAA"))
2272             return false;
2273         
2274         And yes, CAAAAA is near the median hash, and the largest one is smaller than E99999. Such
2275         is life when you use base 62 to encode a 32-bit number.
2276
2277         * CMakeLists.txt:
2278         * GNUmakefile.list.am:
2279         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2280         * JavaScriptCore.xcodeproj/project.pbxproj:
2281         * Target.pri:
2282         * bytecode/CallLinkInfo.h:
2283         (CallLinkInfo):
2284         (JSC::CallLinkInfo::specializationKind):
2285         * bytecode/CodeBlock.cpp:
2286         (JSC::CodeBlock::hash):
2287         (JSC):
2288         (JSC::CodeBlock::dumpAssumingJITType):
2289         (JSC::CodeBlock::dump):
2290         (JSC::CodeBlock::dumpBytecode):
2291         (JSC::CodeBlock::CodeBlock):
2292         (JSC::CodeBlock::finalizeUnconditionally):
2293         (JSC::CodeBlock::resetStubInternal):
2294         (JSC::CodeBlock::reoptimize):
2295         (JSC::ProgramCodeBlock::jettison):
2296         (JSC::EvalCodeBlock::jettison):
2297         (JSC::FunctionCodeBlock::jettison):
2298         (JSC::CodeBlock::shouldOptimizeNow):
2299         (JSC::CodeBlock::tallyFrequentExitSites):
2300         (JSC::CodeBlock::dumpValueProfiles):
2301         * bytecode/CodeBlock.h:
2302         (JSC::CodeBlock::specializationKind):
2303         (CodeBlock):
2304         (JSC::CodeBlock::getJITType):
2305         * bytecode/CodeBlockHash.cpp: Added.
2306         (JSC):
2307         (JSC::CodeBlockHash::CodeBlockHash):
2308         (JSC::CodeBlockHash::dump):
2309         * bytecode/CodeBlockHash.h: Added.
2310         (JSC):
2311         (CodeBlockHash):
2312         (JSC::CodeBlockHash::CodeBlockHash):
2313         (JSC::CodeBlockHash::hash):
2314         (JSC::CodeBlockHash::operator==):
2315         (JSC::CodeBlockHash::operator!=):
2316         (JSC::CodeBlockHash::operator<):
2317         (JSC::CodeBlockHash::operator>):
2318         (JSC::CodeBlockHash::operator<=):
2319         (JSC::CodeBlockHash::operator>=):
2320         * bytecode/CodeBlockWithJITType.h: Added.
2321         (JSC):
2322         (CodeBlockWithJITType):
2323         (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
2324         (JSC::CodeBlockWithJITType::dump):
2325         * bytecode/CodeOrigin.cpp: Added.
2326         (JSC):
2327         (JSC::CodeOrigin::inlineDepthForCallFrame):
2328         (JSC::CodeOrigin::inlineDepth):
2329         (JSC::CodeOrigin::inlineStack):
2330         (JSC::InlineCallFrame::hash):
2331         * bytecode/CodeOrigin.h:
2332         (InlineCallFrame):
2333         (JSC::InlineCallFrame::specializationKind):
2334         (JSC):
2335         * bytecode/CodeType.cpp: Added.
2336         (WTF):
2337         (WTF::printInternal):
2338         * bytecode/CodeType.h:
2339         (WTF):
2340         * bytecode/ExecutionCounter.cpp:
2341         (JSC::ExecutionCounter::dump):
2342         * bytecode/ExecutionCounter.h:
2343         (ExecutionCounter):
2344         * dfg/DFGByteCodeParser.cpp:
2345         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2346         * dfg/DFGDisassembler.cpp:
2347         (JSC::DFG::Disassembler::dump):
2348         * dfg/DFGGraph.cpp:
2349         (JSC::DFG::Graph::dumpCodeOrigin):
2350         * dfg/DFGOSRExitCompiler.cpp:
2351         * dfg/DFGOperations.cpp:
2352         * dfg/DFGRepatch.cpp:
2353         (JSC::DFG::generateProtoChainAccessStub):
2354         (JSC::DFG::tryCacheGetByID):
2355         (JSC::DFG::tryBuildGetByIDList):
2356         (JSC::DFG::emitPutReplaceStub):
2357         (JSC::DFG::emitPutTransitionStub):
2358         (JSC::DFG::dfgLinkClosureCall):
2359         * interpreter/Interpreter.cpp:
2360         (JSC::Interpreter::dumpCallFrame):
2361         * jit/JITCode.cpp: Added.
2362         (WTF):
2363         (WTF::printInternal):
2364         * jit/JITCode.h:
2365         (JSC::JITCode::jitType):
2366         (WTF):
2367         * jit/JITDisassembler.cpp:
2368         (JSC::JITDisassembler::dump):
2369         (JSC::JITDisassembler::dumpForInstructions):
2370         * jit/JITPropertyAccess.cpp:
2371         (JSC::JIT::privateCompilePutByIdTransition):
2372         (JSC::JIT::privateCompilePatchGetArrayLength):
2373         (JSC::JIT::privateCompileGetByIdProto):
2374         (JSC::JIT::privateCompileGetByIdSelfList):
2375         (JSC::JIT::privateCompileGetByIdProtoList):
2376         (JSC::JIT::privateCompileGetByIdChainList):
2377         (JSC::JIT::privateCompileGetByIdChain):
2378         (JSC::JIT::privateCompileGetByVal):
2379         (JSC::JIT::privateCompilePutByVal):
2380         * jit/JITPropertyAccess32_64.cpp:
2381         (JSC::JIT::privateCompilePutByIdTransition):
2382         (JSC::JIT::privateCompilePatchGetArrayLength):
2383         (JSC::JIT::privateCompileGetByIdProto):
2384         (JSC::JIT::privateCompileGetByIdSelfList):
2385         (JSC::JIT::privateCompileGetByIdProtoList):
2386         (JSC::JIT::privateCompileGetByIdChainList):
2387         (JSC::JIT::privateCompileGetByIdChain):
2388         * jit/JITStubs.cpp:
2389         (JSC::DEFINE_STUB_FUNCTION):
2390         * runtime/CodeSpecializationKind.cpp: Added.
2391         (WTF):
2392         (WTF::printInternal):
2393         * runtime/CodeSpecializationKind.h:
2394         (JSC::specializationFromIsCall):
2395         (JSC):
2396         (JSC::specializationFromIsConstruct):
2397         (WTF):
2398         * runtime/Executable.cpp:
2399         (JSC::ExecutableBase::hashFor):
2400         (JSC):
2401         (JSC::NativeExecutable::hashFor):
2402         (JSC::ScriptExecutable::hashFor):
2403         * runtime/Executable.h:
2404         (ExecutableBase):
2405         (NativeExecutable):
2406         (ScriptExecutable):
2407         (JSC::ScriptExecutable::source):
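
        Added example (not part of this ChangeLog and not WebKit's code): the
        six-character base-62 rendering of a 32-bit hash that the entry above
        describes, together with the decoder a bisection predicate such as
        codeBlock->hash() < CodeBlockHash("CAAAAA") needs. The digit alphabet
        (A-Z, a-z, 0-9, inferred from "CAAAAA is near the median" and "smaller
        than E99999"), the most-significant-digit-first order, and leaving the
        choice of source hash to the caller are assumptions of this example.

```cpp
// Added example (not WebKit code): a CodeBlockHash-style rendering of a
// 32-bit hash as six base-62 characters, plus the inverse used when a hash
// typed by hand is compared against a code block's hash while bisecting.
// Assumptions: the digit alphabet is A-Z, a-z, 0-9 in that order (inferred
// from "CAAAAA is near the median" and "the largest is below E99999"), the
// most significant digit comes first, and the 32-bit input is whatever hash
// of the source text the caller chooses (JSC uses SHA-1; not reproduced here).
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>

static const char kTable[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// 62^6 > 2^32 > 4 * 62^5, so six digits always suffice and the leading
// digit of a 32-bit value never exceeds index 4, which is 'E'.
std::string encodeHash(uint32_t hash)
{
    char buffer[7];
    uint32_t accumulator = hash;
    for (int i = 5; i >= 0; --i) {
        buffer[i] = kTable[accumulator % 62];
        accumulator /= 62;
    }
    buffer[6] = '\0';
    return std::string(buffer);
}

// Parses six base-62 digits. Returns 64 bits because hand-typed bounds such
// as "E99999" legitimately exceed the 32-bit range.
uint64_t decodeHash(const std::string& text)
{
    if (text.size() != 6)
        throw std::invalid_argument("hash text must be exactly 6 characters");
    uint64_t value = 0;
    for (char c : text) {
        const char* p = c ? std::strchr(kTable, c) : nullptr;
        if (!p)
            throw std::invalid_argument("character outside the base-62 alphabet");
        value = value * 62 + static_cast<uint64_t>(p - kTable);
    }
    return value;
}

// The bisection predicate from the entry, spelled out:
//   if (codeBlock->hash() < CodeBlockHash("CAAAAA")) ...
bool hashIsBelow(uint32_t hash, const std::string& bound)
{
    return hash < decodeHash(bound);
}

int main()
{
    // 2^31 begins with 'C' because 2^31 / 62^5 is about 2.34, and index 2 is 'C'.
    std::printf("median  %s\n", encodeHash(0x80000000u).c_str());
    std::printf("maximum %s\n", encodeHash(0xFFFFFFFFu).c_str());
    std::printf("E99999 = %llu\n", static_cast<unsigned long long>(decodeHash("E99999")));
    return hashIsBelow(0xFFFFFFFFu, "E99999") ? 0 : 1;
}
```

        Any C++11 compiler builds it; main() prints the median and maximum
        renderings. CAAAAA decodes to 2 * 62^5 = 1832265664, about 85% of
        2^31, which is why the entry calls it only "near" the median, and
        E99999 decodes to 4580664159, above every 32-bit value.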
2408
2409 2012-11-29  Michael Saboff  <msaboff@apple.com>
2410
2411         Speculative Windows build fix after r136086.
2412
2413         Unreviewed build fix.
2414
2415         Suspect that ?setDumpsGeneratedCode@BytecodeGenerator@JSC@@SAX_N@Z needs to be removed from Windows
2416         export list since the symbol was removed in r136086.
2417
2418         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2419
2420 2012-11-28  Filip Pizlo  <fpizlo@apple.com>
2421
2422         SpeculatedType dumping should not use the static char buffer[thingy] idiom
2423         https://bugs.webkit.org/show_bug.cgi?id=103584
2424
2425         Reviewed by Michael Saboff.
2426
2427         Changed SpeculatedType to be "dumpable" by saying things like:
2428         
2429         dataLog("thingy = ", SpeculationDump(thingy))
2430         
2431         Removed the old stringification functions, and changed all code that referred to them
2432         to use the new dataLog()/print() style.
2433
2434         * CMakeLists.txt:
2435         * GNUmakefile.list.am:
2436         * JavaScriptCore.xcodeproj/project.pbxproj:
2437         * Target.pri:
2438         * bytecode/SpeculatedType.cpp:
2439         (JSC::dumpSpeculation):
2440         (JSC::speculationToAbbreviatedString):
2441         (JSC::dumpSpeculationAbbreviated):
2442         * bytecode/SpeculatedType.h:
2443         * bytecode/ValueProfile.h:
2444         (JSC::ValueProfileBase::dump):
2445         * bytecode/VirtualRegister.h:
2446         (WTF::printInternal):
2447         * dfg/DFGAbstractValue.h:
2448         (JSC::DFG::AbstractValue::dump):
2449         * dfg/DFGByteCodeParser.cpp:
2450         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
2451         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2452         * dfg/DFGGraph.cpp:
2453         (JSC::DFG::Graph::dump):
2454         (JSC::DFG::Graph::predictArgumentTypes):
2455         * dfg/DFGGraph.h:
2456         (Graph):
2457         * dfg/DFGStructureAbstractValue.h:
2458         * dfg/DFGVariableAccessDataDump.cpp: Added.
2459         (JSC::DFG::VariableAccessDataDump::VariableAccessDataDump):
2460         (JSC::DFG::VariableAccessDataDump::dump):
2461         * dfg/DFGVariableAccessDataDump.h: Added.
2462         (VariableAccessDataDump):
2463
2464 2012-11-28  Michael Saboff  <msaboff@apple.com>
2465
2466         Change Bytecompiler s_dumpsGeneratedCode to an Options value
2467         https://bugs.webkit.org/show_bug.cgi?id=103588
2468
2469         Reviewed by Filip Pizlo.
2470
2471         Moved the control of dumping bytecodes to Options::dumpGeneratedBytecodes.
2472
2473         * bytecode/CodeBlock.cpp:
2474         (JSC::CodeBlock::CodeBlock):
2475         * bytecompiler/BytecodeGenerator.cpp:
2476         * bytecompiler/BytecodeGenerator.h:
2477         * jsc.cpp:
2478         (runWithScripts):
2479         * runtime/Options.h:
2480
2481 2012-11-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2482
2483         Copying phase should use work lists
2484         https://bugs.webkit.org/show_bug.cgi?id=101390
2485
2486         Reviewed by Filip Pizlo.
2487
2488         * JavaScriptCore.xcodeproj/project.pbxproj:
2489         * heap/BlockAllocator.cpp:
2490         (JSC::BlockAllocator::BlockAllocator):
2491         * heap/BlockAllocator.h: New RegionSet for CopyWorkListSegments.
2492         (BlockAllocator):
2493         (JSC::CopyWorkListSegment):
2494         * heap/CopiedBlock.h: Added a per-block CopyWorkList to keep track of the JSCells that need to be revisited during the copying
2495         phase to copy their backing stores.
2496         (CopiedBlock):
2497         (JSC::CopiedBlock::CopiedBlock): 
2498         (JSC::CopiedBlock::didSurviveGC):
2499         (JSC::CopiedBlock::didEvacuateBytes): There is now a one-to-one relationship between GCThreads and the CopiedBlocks they're 
2500         responsible for evacuating, we no longer need any of that fancy compare and swap stuff. 
2501         (JSC::CopiedBlock::pin):
2502         (JSC::CopiedBlock::hasWorkList): 
2503         (JSC::CopiedBlock::workList):
2504         * heap/CopiedBlockInlines.h: Added.
2505         (JSC::CopiedBlock::reportLiveBytes): Since we now have to grab a SpinLock to perform operations on the CopyWorkList during marking,
2506         we don't need to do any of that fancy compare and swap stuff we were doing for tracking live bytes.
2507         * heap/CopiedSpace.h:
2508         (CopiedSpace):
2509         * heap/CopiedSpaceInlines.h:
2510         (JSC::CopiedSpace::pin):
2511         * heap/CopyVisitor.cpp:
2512         (JSC::CopyVisitor::copyFromShared): We now iterate over a range of CopiedBlocks rather than MarkedBlocks and revisit the cells in those
2513         blocks' CopyWorkLists.
2514         * heap/CopyVisitor.h:
2515         (CopyVisitor):
2516         * heap/CopyVisitorInlines.h:
2517         (JSC::CopyVisitor::visitCell): The function responsible for calling the correct copyBackingStore() function for each JSCell from 
2518         a CopiedBlock's CopyWorkList.
2519         (JSC::CopyVisitor::didCopy): We no longer need to check if the block is empty here because we know exactly when we're done 
2520         evacuating a CopiedBlock, which is when we've gone through all of the CopiedBlock's CopyWorkList.
2521         * heap/CopyWorkList.h: Added.
2522         (CopyWorkListSegment): Individual chunk of a CopyWorkList that is allocated from the BlockAllocator.
2523         (JSC::CopyWorkListSegment::create):
2524         (JSC::CopyWorkListSegment::size):
2525         (JSC::CopyWorkListSegment::isFull):
2526         (JSC::CopyWorkListSegment::get):
2527         (JSC::CopyWorkListSegment::append):
2528         (JSC::CopyWorkListSegment::CopyWorkListSegment):
2529         (JSC::CopyWorkListSegment::data):
2530         (JSC::CopyWorkListSegment::endOfBlock):
2531         (CopyWorkListIterator): Responsible for giving CopyVisitors a contiguous notion of access across the separate CopyWorkListSegments
2532         that make up each CopyWorkList.
2533         (JSC::CopyWorkListIterator::get):
2534         (JSC::CopyWorkListIterator::operator*):
2535         (JSC::CopyWorkListIterator::operator->):
2536         (JSC::CopyWorkListIterator::operator++):
2537         (JSC::CopyWorkListIterator::operator==):
2538         (JSC::CopyWorkListIterator::operator!=):
2539         (JSC::CopyWorkListIterator::CopyWorkListIterator):
2540         (CopyWorkList): Data structure that keeps track of the JSCells that need copying in a particular CopiedBlock.
2541         (JSC::CopyWorkList::CopyWorkList):
2542         (JSC::CopyWorkList::~CopyWorkList):
2543         (JSC::CopyWorkList::append):
2544         (JSC::CopyWorkList::begin):
2545         (JSC::CopyWorkList::end):
2546         * heap/GCThreadSharedData.cpp:
2547         (JSC::GCThreadSharedData::GCThreadSharedData): We no longer use the m_blockSnapshot from the Heap during the copying phase.
2548         (JSC::GCThreadSharedData::didStartCopying): We now copy the set of all blocks in the CopiedSpace to a separate vector for 
2549         iterating over during the copying phase since the set stored in the CopiedSpace will change as blocks are evacuated and 
2550         recycled throughout the copying phase.
2551         * heap/GCThreadSharedData.h:
2552         (GCThreadSharedData): 
2553         * heap/Heap.h:
2554         (Heap):
2555         * heap/SlotVisitor.h: We now need to know the object who is being marked that has a backing store so that we can store it 
2556         in a CopyWorkList to revisit later during the copying phase.
2557         * heap/SlotVisitorInlines.h:
2558         (JSC::SlotVisitor::copyLater):
2559         * runtime/JSObject.cpp:
2560         (JSC::JSObject::visitButterfly):
2561
2562 2012-11-28  Filip Pizlo  <fpizlo@apple.com>
2563
2564         Disassembly methods should be able to disassemble to any PrintStream& rather than always using WTF::dataFile()
2565         https://bugs.webkit.org/show_bug.cgi?id=103492
2566
2567         Reviewed by Mark Hahnenberg.
2568
2569         Switched disassembly code to use PrintStream&, and to use print() rather than printf().
2570
2571         * dfg/DFGDisassembler.cpp:
2572         (JSC::DFG::Disassembler::dump):
2573         (DFG):
2574         (JSC::DFG::Disassembler::dumpDisassembly):
2575         * dfg/DFGDisassembler.h:
2576         (Disassembler):
2577         * dfg/DFGGraph.cpp:
2578         (JSC::DFG::printWhiteSpace):
2579         (JSC::DFG::Graph::dumpCodeOrigin):
2580         (JSC::DFG::Graph::printNodeWhiteSpace):
2581         (JSC::DFG::Graph::dump):
2582         (DFG):
2583         (JSC::DFG::Graph::dumpBlockHeader):
2584         * dfg/DFGGraph.h:
2585         (Graph):
2586         * jit/JITDisassembler.cpp:
2587         (JSC::JITDisassembler::dump):
2588         (JSC::JITDisassembler::dumpForInstructions):
2589         (JSC::JITDisassembler::dumpDisassembly):
2590         * jit/JITDisassembler.h:
2591         (JITDisassembler):
2592
2593 2012-11-28  Filip Pizlo  <fpizlo@apple.com>
2594
2595         It should be possible to say dataLog("count = ", count, "\n") instead of dataLogF("count = %d\n", count)
2596         https://bugs.webkit.org/show_bug.cgi?id=103009
2597
2598         Reviewed by Michael Saboff.
2599
2600         Instead of converting all of JSC to use the new dataLog()/print() methods, I just changed
2601         one place: dumping of abstract values. This is mainly just to ensure that the code I
2602         added to WTF is actually doing things.
2603
2604         * bytecode/CodeBlock.cpp:
2605         (JSC::CodeBlock::dump):
2606         * dfg/DFGAbstractValue.h:
2607         (JSC::DFG::AbstractValue::dump):
2608         (WTF):
2609         (WTF::printInternal):
2610         * dfg/DFGStructureAbstractValue.h:
2611         (JSC::DFG::StructureAbstractValue::dump):
2612         (WTF):
2613         (WTF::printInternal):
2614
2615 2012-11-28  Oliver Hunt  <oliver@apple.com>
2616
2617         Make source cache include more information about the function extent.
2618         https://bugs.webkit.org/show_bug.cgi?id=103552
2619
2620         Reviewed by Gavin Barraclough.
2621
2622         Add a bit more information to the source cache.
2623
2624         * parser/Parser.cpp:
2625         (JSC::::parseFunctionInfo):
2626            Store the function start offset
2627         * parser/SourceProviderCacheItem.h:
2628         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
2629         (SourceProviderCacheItem):
2630            Add additional field for the start of the real function string, and re-arrange
2631            fields to avoid growing the struct.
2632
2633 2012-11-27  Filip Pizlo  <fpizlo@apple.com>
2634
2635         Convert some remaining uses of FILE* to PrintStream&.
2636
2637         Rubber stamped by Mark Hahnenberg.
2638
2639         * bytecode/ValueProfile.h:
2640         (JSC::ValueProfileBase::dump):
2641         * bytecode/ValueRecovery.h:
2642         (JSC::ValueRecovery::dump):
2643         * dfg/DFGByteCodeParser.cpp:
2644         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2645         * dfg/DFGNode.h:
2646         (JSC::DFG::Node::dumpChildren):
2647
2648 2012-11-27  Filip Pizlo  <fpizlo@apple.com>
2649
2650         Fix indentation in JSValue.h
2651
2652         Rubber stamped by Mark Hahnenberg.
2653
2654         * runtime/JSValue.h:
2655
2656 2012-11-26  Filip Pizlo  <fpizlo@apple.com>
2657
2658         DFG SetLocal should use forwardSpeculationCheck instead of its own half-baked version of same
2659         https://bugs.webkit.org/show_bug.cgi?id=103353
2660
2661         Reviewed by Oliver Hunt and Gavin Barraclough.
2662
2663         Made it possible to use forward speculations for most of the operand classes. Changed the conditional
2664         direction parameter from being 'bool isForward' to an enum (SpeculationDirection). Changed SetLocal
2665         to use forward speculations and got rid of its half-baked version of same.
2666         
2667         Also added the ability to force the DFG's disassembler to dump all nodes, even ones that are dead.
2668
2669         * dfg/DFGByteCodeParser.cpp:
2670         (JSC::DFG::ByteCodeParser::parseBlock):
2671         * dfg/DFGDisassembler.cpp:
2672         (JSC::DFG::Disassembler::dump):
2673         * dfg/DFGDriver.cpp:
2674         (JSC::DFG::compile):
2675         * dfg/DFGSpeculativeJIT.cpp:
2676         (JSC::DFG::SpeculativeJIT::speculationCheck):
2677         (DFG):
2678         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
2679         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
2680         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2681         (JSC::DFG::SpeculativeJIT::fillStorage):
2682         * dfg/DFGSpeculativeJIT.h:
2683         (SpeculativeJIT):
2684         (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
2685         (JSC::DFG::SpeculateIntegerOperand::gpr):
2686         (SpeculateIntegerOperand):
2687         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
2688         (JSC::DFG::SpeculateDoubleOperand::fpr):
2689         (SpeculateDoubleOperand):
2690         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
2691         (JSC::DFG::SpeculateCellOperand::gpr):
2692         (SpeculateCellOperand):
2693         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
2694         (JSC::DFG::SpeculateBooleanOperand::gpr):
2695         (SpeculateBooleanOperand):
2696         * dfg/DFGSpeculativeJIT32_64.cpp:
2697         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2698         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
2699         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2700         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2701         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2702         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2703         (JSC::DFG::SpeculativeJIT::compile):
2704         * dfg/DFGSpeculativeJIT64.cpp:
2705         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2706         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
2707         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2708         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2709         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2710         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2711         (JSC::DFG::SpeculativeJIT::compile):
2712         * runtime/Options.h:
2713         (JSC):
2714
2715 2012-11-26  Daniel Bates  <dbates@webkit.org>
2716
2717         Substitute "allSeparators8Bit" for "allSeperators8Bit" in JSC::jsSpliceSubstringsWithSeparators()
2718         <https://bugs.webkit.org/show_bug.cgi?id=103303>
2719
2720         Reviewed by Simon Fraser.
2721
2722         Fix misspelled word, "Seperators" [sic], in a local variable name in JSC::jsSpliceSubstringsWithSeparators().
2723
2724         * runtime/StringPrototype.cpp:
2725         (JSC::jsSpliceSubstringsWithSeparators):
2726
2727 2012-11-26  Daniel Bates  <dbates@webkit.org>
2728
2729         JavaScript fails to handle String.replace() with large replacement string
2730         https://bugs.webkit.org/show_bug.cgi?id=102956
2731         <rdar://problem/12738012>
2732
2733         Reviewed by Oliver Hunt.
2734
2735         Fix an issue where we didn't check for overflow when computing the length
2736         of the result of String.replace() with a large replacement string.
2737
2738         * runtime/StringPrototype.cpp:
2739         (JSC::jsSpliceSubstringsWithSeparators):
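
        Added example (not part of this ChangeLog and not WebKit's code): the
        result-length computation String.replace needs, with the overflow
        check the entry describes shown beside the unchecked form it guards
        against. The piece layout and the names (checkedAdd, splicedLength)
        are this example's own; lengths are 32-bit as JSC string lengths are.
        The security point is that a wrapped total sizes the output buffer
        far smaller than the bytes the splice then copies into it.

```cpp
// Added example (not WebKit code): computing the length of a spliced string
// the way String.prototype.replace needs to, with the overflow check the
// ChangeLog entry describes. Names (checkedAdd, splicedLength) are this
// example's own; JSC's jsSpliceSubstringsWithSeparators is not reproduced.
#include <cstdint>
#include <limits>
#include <vector>

// JSC string lengths are 32-bit, so that is the width in which the sum must
// not wrap; a wrapped total would size a buffer far smaller than the bytes
// later copied into it.
using StringLength = uint32_t;

// Returns false instead of wrapping when a + b does not fit in StringLength.
bool checkedAdd(StringLength a, StringLength b, StringLength& out)
{
    if (a > std::numeric_limits<StringLength>::max() - b)
        return false;
    out = a + b;
    return true;
}

// Length of: sub[0] sep[0] sub[1] sep[1] ... sub[n-1], i.e. the pieces of the
// source left between matches interleaved with the replacement string put in
// place of each match. Returns false on overflow instead of a wrapped total.
bool splicedLength(const std::vector<StringLength>& substringLengths,
                   const std::vector<StringLength>& separatorLengths,
                   StringLength& total)
{
    total = 0;
    for (StringLength len : substringLengths)
        if (!checkedAdd(total, len, total))
            return false;
    for (StringLength len : separatorLengths)
        if (!checkedAdd(total, len, total))
            return false;
    return true;
}

// The unchecked arithmetic, kept for contrast: this is the sum whose
// wrap-around the fix guards against.
StringLength uncheckedSplicedLength(const std::vector<StringLength>& substringLengths,
                                    const std::vector<StringLength>& separatorLengths)
{
    StringLength total = 0;
    for (StringLength len : substringLengths)
        total += len;
    for (StringLength len : separatorLengths)
        total += len;
    return total;
}

// Constructed inputs: "a.b.c".replace(/\./g, "--") keeps three substrings of
// length 1 and inserts two separators of length 2, total 7. A replacement
// string near the 32-bit limit applied twice wraps in the unchecked version.
int main()
{
    StringLength total = 0;
    bool ok = splicedLength({1, 1, 1}, {2, 2}, total);
    StringLength wrapped = 0;
    bool ok2 = splicedLength({0, 0, 0}, {0xFFFFFFF0u, 0x20u}, wrapped);
    StringLength raw = uncheckedSplicedLength({0, 0, 0}, {0xFFFFFFF0u, 0x20u});
    return (ok && total == 7 && !ok2 && raw == 0x10u) ? 0 : 1;
}
```

        The unchecked sum of 0xFFFFFFF0 and 0x20 comes out as 0x10, which is
        the kind of value that would be handed to the allocator; the checked
        version refuses and the caller can throw a RangeError instead.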
2740
2741 2012-11-26  Zeno Albisser  <zeno@webkit.org>
2742
2743         [Qt] Fix the LLInt build on Mac
2744         https://bugs.webkit.org/show_bug.cgi?id=97587
2745
2746         Reviewed by Simon Hausmann.
2747
2748         * DerivedSources.pri:
2749         * JavaScriptCore.pro:
2750
2751 2012-11-26  Oliver Hunt  <oliver@apple.com>
2752
2753         32-bit build fix.  Move the method declaration outside of the X86_64 only section.
2754
2755         * assembler/MacroAssembler.h:
2756         (MacroAssembler):
2757         (JSC::MacroAssembler::shouldConsiderBlinding):
2758
2759 2012-11-26  Oliver Hunt  <oliver@apple.com>
2760
2761         Don't blind all the things.
2762         https://bugs.webkit.org/show_bug.cgi?id=102572
2763
2764         Reviewed by Gavin Barraclough.
2765
2766         No longer blind all the constants in the instruction stream.  We use a
2767         simple non-deterministic filter to avoid blinding everything.  Also modified
2768         the basic integer blinding logic to avoid blinding small negative values.
2769
2770         * assembler/MacroAssembler.h:
2771         (MacroAssembler):
2772         (JSC::MacroAssembler::shouldConsiderBlinding):
2773         (JSC::MacroAssembler::shouldBlind):
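
        Added example (not part of this ChangeLog and not WebKit's code)
        showing what blinding an immediate operand does to an attacker-chosen
        constant and where a shouldConsiderBlinding()/shouldBlind() split of
        the kind the entry describes sits. The "small value" threshold, the
        1-in-N sampling used as the non-deterministic filter, the seeded
        std::mt19937 standing in for a real entropy source, and the recording
        assembler are all assumptions of this example, not JSC's logic.

```cpp
// Added example (not WebKit code): what "blinding" an immediate operand means,
// with a shouldBlind() filter of the kind the entry describes. Everything
// here is this example's own: the "assembler" only records the immediates it
// would have placed in the code stream; the threshold for "small" values, the
// 1-in-N sampling of the non-deterministic filter, and the seeded
// std::mt19937 in place of a real entropy source are all assumptions.
#include <cstdint>
#include <random>
#include <vector>

struct BlindedImmediate {
    uint32_t blindedValue; // what gets encoded in the instruction stream
    uint32_t key;          // second operand of the XOR that restores it
};

// Small values, negative ones included, are cheap to leave alone: they encode
// as short immediates and give an attacker at most a byte of control.
bool isSmallValue(int32_t value)
{
    return value >= -0x100 && value < 0x100; // assumed threshold
}

// Deterministic part of the decision: constants not worth blinding at all.
bool shouldConsiderBlinding(int32_t value)
{
    return !isSmallValue(value);
}

// Non-deterministic part: blind only a fraction of the remaining constants,
// so an attacker cannot predict which instances of a sprayed value stay raw.
bool shouldBlind(int32_t value, std::mt19937& rng, unsigned oneIn)
{
    if (!shouldConsiderBlinding(value))
        return false;
    return std::uniform_int_distribution<unsigned>(0, oneIn - 1)(rng) == 0;
}

// XOR-blind: the stream carries (value ^ key) and key, never value itself.
BlindedImmediate blind(uint32_t value, std::mt19937& rng)
{
    uint32_t key = static_cast<uint32_t>(rng());
    return {value ^ key, key};
}

// Records every 32-bit immediate that would reach the code stream.
struct RecordingAssembler {
    std::mt19937 rng;
    unsigned oneIn;
    std::vector<uint32_t> emittedImmediates;

    RecordingAssembler(uint32_t seed, unsigned oneInValue)
        : rng(seed), oneIn(oneInValue) {}

    // Returns the value the destination register ends up holding.
    uint32_t moveImmediate(int32_t value)
    {
        if (!shouldBlind(value, rng, oneIn)) {
            emittedImmediates.push_back(static_cast<uint32_t>(value)); // mov reg, value
            return static_cast<uint32_t>(value);
        }
        BlindedImmediate b = blind(static_cast<uint32_t>(value), rng);
        emittedImmediates.push_back(b.blindedValue); // mov reg, blinded
        emittedImmediates.push_back(b.key);          // xor reg, key
        return b.blindedValue ^ b.key;               // what the CPU computes
    }

    bool emittedRaw(uint32_t value) const
    {
        for (uint32_t v : emittedImmediates)
            if (v == value)
                return true;
        return false;
    }
};

int main()
{
    RecordingAssembler assembler(1234, 1); // oneIn == 1: blind every candidate
    uint32_t sprayed = 0x90909090u;        // a classic JIT-spray payload word
    bool restored = assembler.moveImmediate(static_cast<int32_t>(sprayed)) == sprayed;
    bool twoWords = assembler.emittedImmediates.size() == 2;
    bool smallLeftRaw = assembler.moveImmediate(-1) == 0xFFFFFFFFu
        && assembler.emittedRaw(0xFFFFFFFFu);
    return (restored && twoWords && smallLeftRaw) ? 0 : 1;
}
```

        With oneIn == 1 the sprayed word is always split into two operands
        whose XOR is the original; with a larger oneIn most constants pass
        through untouched, which is the cost/benefit trade the entry makes,
        and -1 never costs a second instruction because it is a small value.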
2774
2775 2012-11-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2776
2777         JSObject::copyButterfly doesn't handle undecided indexing types correctly
2778         https://bugs.webkit.org/show_bug.cgi?id=102573
2779
2780         Reviewed by Filip Pizlo.
2781
2782         We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks 
2783         during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing 
2784         types. We should just do the actual memcpy from the old block to the new one. 
2785
2786         * runtime/JSObject.cpp:
2787         (JSC::JSObject::copyButterfly): Just do the same thing that we do for other contiguous indexing types.
2788
2789 2012-11-26  Julien BRIANCEAU   <jbrianceau@nds.com>
2790
2791         [sh4] JavaScriptCore JIT build is broken since r135330
2792         Add missing implementation for sh4 arch.
2793         https://bugs.webkit.org/show_bug.cgi?id=103145
2794
2795         Reviewed by Oliver Hunt.
2796
2797         * assembler/MacroAssemblerSH4.h:
2798         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranchPtrWithPatch):
2799         (MacroAssemblerSH4):
2800         (JSC::MacroAssemblerSH4::startOfBranchPtrWithPatchOnRegister):
2801         (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
2802         (JSC::MacroAssemblerSH4::startOfPatchableBranchPtrWithPatchOnAddress):
2803         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch):
2804         * assembler/SH4Assembler.h:
2805         (JSC::SH4Assembler::revertJump):
2806         (SH4Assembler):
2807         (JSC::SH4Assembler::printInstr):
2808
2809 2012-11-26  Yuqiang Xian  <yuqiang.xian@intel.com>
2810
2811         Use load64 instead of loadPtr to load a JSValue on JSVALUE64 platforms
2812         https://bugs.webkit.org/show_bug.cgi?id=100909
2813
2814         Reviewed by Brent Fulgham.
2815
2816         This is a (trivial) fix after r132701.
2817
2818         * dfg/DFGOSRExitCompiler64.cpp:
2819         (JSC::DFG::OSRExitCompiler::compileExit):
2820
2821 2012-11-26  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
2822
2823         [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash
2824         https://bugs.webkit.org/show_bug.cgi?id=98857
2825
2826         Reviewed by Zoltan Herczeg.
2827
2828         Implement a new version of patchableBranch32 to fix crashing JSC
2829         tests.
2830
2831         * assembler/MacroAssembler.h:
2832         (MacroAssembler):
2833         * assembler/MacroAssemblerARM.h:
2834         (JSC::MacroAssemblerARM::patchableBranch32):
2835         (MacroAssemblerARM):
2836
2837 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
2838
2839         Any function that can log things should be able to easily log them to a memory buffer as well
2840         https://bugs.webkit.org/show_bug.cgi?id=103000
2841
2842         Reviewed by Sam Weinig.
2843
2844         Change all users of WTF::dataFile() to expect a PrintStream& rather than a FILE*.
2845
2846         * bytecode/Operands.h:
2847         (JSC::OperandValueTraits::dump):
2848         (JSC::dumpOperands):
2849         (JSC):
2850         * dfg/DFGAbstractState.cpp:
2851         (JSC::DFG::AbstractState::dump):
2852         * dfg/DFGAbstractState.h:
2853         (AbstractState):
2854         * dfg/DFGAbstractValue.h:
2855         (JSC::DFG::AbstractValue::dump):
2856         * dfg/DFGCommon.h:
2857         (JSC::DFG::NodeIndexTraits::dump):
2858         * dfg/DFGStructureAbstractValue.h:
2859         (JSC::DFG::StructureAbstractValue::dump):
2860         * dfg/DFGVariableEvent.cpp:
2861         (JSC::DFG::VariableEvent::dump):
2862         (JSC::DFG::VariableEvent::dumpFillInfo):
2863         (JSC::DFG::VariableEvent::dumpSpillInfo):
2864         * dfg/DFGVariableEvent.h:
2865         (VariableEvent):
2866         * disassembler/Disassembler.h:
2867         (JSC):
2868         (JSC::tryToDisassemble):
2869         * disassembler/UDis86Disassembler.cpp:
2870         (JSC::tryToDisassemble):
2871
2872 2012-11-23  Alexis Menard  <alexis@webkit.org>
2873
2874         [CSS3 Backgrounds and Borders] Implement new CSS3 background-position parsing.
2875         https://bugs.webkit.org/show_bug.cgi?id=102104
2876
2877         Reviewed by Julien Chaffraix.
2878
2879         Protect the new feature behind a feature flag.
2880
2881         * Configurations/FeatureDefines.xcconfig:
2882
2883 2012-11-23  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
2884
2885         Fix the ARM traditional build after r135330
2886         https://bugs.webkit.org/show_bug.cgi?id=102871
2887
2888         Reviewed by Zoltan Herczeg.
2889
2890         Added missing functionality to traditional ARM architecture.
2891
2892         * assembler/ARMAssembler.h:
2893         (JSC::ARMAssembler::revertJump):
2894         (ARMAssembler):
2895         * assembler/MacroAssemblerARM.h:
2896         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
2897         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
2898         (MacroAssemblerARM):
2899         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
2900
2901 2012-11-16  Yury Semikhatsky  <yurys@chromium.org>
2902
2903         Memory instrumentation: extract MemoryObjectInfo declaration into a separate file
2904         https://bugs.webkit.org/show_bug.cgi?id=102510
2905
2906         Reviewed by Pavel Feldman.
2907
2908         Added new symbols for the methods that have moved into .../wtf/MemoryInstrumentation.cpp
2909
2910         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2911
2912 2012-11-23  Julien BRIANCEAU  <jbrianceau@nds.com>
2913
2914         [sh4] JavaScriptCore JIT build is broken since r130839
2915         Add missing implementation for sh4 arch.
2916         https://bugs.webkit.org/show_bug.cgi?id=101479
2917
2918         Reviewed by Filip Pizlo.
2919
2920         * assembler/MacroAssemblerSH4.h:
2921         (JSC::MacroAssemblerSH4::load8Signed):
2922         (MacroAssemblerSH4):
2923         (JSC::MacroAssemblerSH4::load16Signed):
2924         (JSC::MacroAssemblerSH4::store8):
2925         (JSC::MacroAssemblerSH4::store16):
2926         (JSC::MacroAssemblerSH4::moveDoubleToInts):
2927         (JSC::MacroAssemblerSH4::moveIntsToDouble):
2928         (JSC::MacroAssemblerSH4::loadFloat):
2929         (JSC::MacroAssemblerSH4::loadDouble):
2930         (JSC::MacroAssemblerSH4::storeFloat):
2931         (JSC::MacroAssemblerSH4::storeDouble):
2932         (JSC::MacroAssemblerSH4::addDouble):
2933         (JSC::MacroAssemblerSH4::convertFloatToDouble):
2934         (JSC::MacroAssemblerSH4::convertDoubleToFloat):
2935         (JSC::MacroAssemblerSH4::urshift32):
2936         * assembler/SH4Assembler.h:
2937         (JSC::SH4Assembler::sublRegReg):
2938         (JSC::SH4Assembler::subvlRegReg):
2939         (JSC::SH4Assembler::floatfpulfrn):
2940         (JSC::SH4Assembler::fldsfpul):
2941         (JSC::SH4Assembler::fstsfpul):
2942         (JSC::SH4Assembler::dcnvsd):
2943         (SH4Assembler):
2944         (JSC::SH4Assembler::movbRegMem):
2945         (JSC::SH4Assembler::sizeOfConstantPool):
2946         (JSC::SH4Assembler::linkJump):
2947         (JSC::SH4Assembler::printInstr):
2948         (JSC::SH4Assembler::printBlockInstr):
2949
2950 2012-11-22  Balazs Kilvady  <kilvadyb@homejinni.com>
2951
2952         Fix the MIPS build after r135330
2953         https://bugs.webkit.org/show_bug.cgi?id=102872
2954
2955         Reviewed by Gavin Barraclough.
2956
2957         Revert/replace functions added to MIPS port.
2958
2959         * assembler/MIPSAssembler.h:
2960         (JSC::MIPSAssembler::revertJumpToMove):
2961         (MIPSAssembler):
2962         (JSC::MIPSAssembler::replaceWithJump):
2963         * assembler/MacroAssemblerMIPS.h:
2964         (MacroAssemblerMIPS):
2965         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
2966         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
2967         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
2968
2969 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
2970
2971         Rename dataLog() and dataLogV() to dataLogF() and dataLogFV()
2972         https://bugs.webkit.org/show_bug.cgi?id=103001
2973
2974         Rubber stamped by Dan Bernstein.
2975
2976         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2977         * assembler/LinkBuffer.cpp:
2978         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2979         (JSC::LinkBuffer::dumpLinkStatistics):
2980         (JSC::LinkBuffer::dumpCode):
2981         * assembler/LinkBuffer.h:
2982         (JSC):
2983         * assembler/SH4Assembler.h:
2984         (JSC::SH4Assembler::vprintfStdoutInstr):
2985         * bytecode/CodeBlock.cpp:
2986         (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
2987         (JSC::CodeBlock::printUnaryOp):
2988         (JSC::CodeBlock::printBinaryOp):
2989         (JSC::CodeBlock::printConditionalJump):
2990         (JSC::CodeBlock::printGetByIdOp):
2991         (JSC::dumpStructure):
2992         (JSC::dumpChain):
2993         (JSC::CodeBlock::printGetByIdCacheStatus):
2994         (JSC::CodeBlock::printCallOp):
2995         (JSC::CodeBlock::printPutByIdOp):
2996         (JSC::CodeBlock::printStructure):
2997         (JSC::CodeBlock::printStructures):
2998         (JSC::CodeBlock::dump):
2999         (JSC::CodeBlock::dumpStatistics):
3000         (JSC::CodeBlock::finalizeUnconditionally):
3001         (JSC::CodeBlock::resetStubInternal):
3002         (JSC::CodeBlock::reoptimize):
3003         (JSC::ProgramCodeBlock::jettison):
3004         (JSC::EvalCodeBlock::jettison):
3005         (JSC::FunctionCodeBlock::jettison):
3006         (JSC::CodeBlock::shouldOptimizeNow):
3007         (JSC::CodeBlock::tallyFrequentExitSites):
3008         (JSC::CodeBlock::dumpValueProfiles):
3009         * bytecode/Opcode.cpp:
3010         (JSC::OpcodeStats::~OpcodeStats):
3011         * bytecode/SamplingTool.cpp:
3012         (JSC::SamplingFlags::stop):
3013         (JSC::SamplingRegion::dumpInternal):
3014         (JSC::SamplingTool::dump):
3015         * dfg/DFGAbstractState.cpp:
3016         (JSC::DFG::AbstractState::initialize):
3017         (JSC::DFG::AbstractState::endBasicBlock):
3018         (JSC::DFG::AbstractState::mergeStateAtTail):
3019         (JSC::DFG::AbstractState::mergeToSuccessors):
3020         * dfg/DFGAbstractValue.h:
3021         (JSC::DFG::AbstractValue::dump):
3022         * dfg/DFGArgumentsSimplificationPhase.cpp:
3023         (JSC::DFG::ArgumentsSimplificationPhase::run):
3024         * dfg/DFGByteCodeParser.cpp:
3025         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3026         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3027         (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
3028         (JSC::DFG::ByteCodeParser::makeSafe):
3029         (JSC::DFG::ByteCodeParser::makeDivSafe):
3030         (JSC::DFG::ByteCodeParser::handleCall):
3031         (JSC::DFG::ByteCodeParser::handleInlining):
3032         (JSC::DFG::ByteCodeParser::parseBlock):
3033         (JSC::DFG::ByteCodeParser::processPhiStack):
3034         (JSC::DFG::ByteCodeParser::linkBlock):
3035         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3036         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3037         (JSC::DFG::ByteCodeParser::parse):
3038         * dfg/DFGCFAPhase.cpp:
3039         (JSC::DFG::CFAPhase::performBlockCFA):
3040         (JSC::DFG::CFAPhase::performForwardCFA):
3041         * dfg/DFGCFGSimplificationPhase.cpp:
3042         (JSC::DFG::CFGSimplificationPhase::run):
3043         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
3044         (JSC::DFG::CFGSimplificationPhase::fixPhis):
3045         (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
3046         (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
3047         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3048         * dfg/DFGCSEPhase.cpp:
3049         (JSC::DFG::CSEPhase::endIndexForPureCSE):
3050         (JSC::DFG::CSEPhase::setReplacement):
3051         (JSC::DFG::CSEPhase::eliminate):
3052         (JSC::DFG::CSEPhase::performNodeCSE):
3053         * dfg/DFGCapabilities.cpp:
3054         (JSC::DFG::debugFail):
3055         * dfg/DFGConstantFoldingPhase.cpp:
3056         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3057         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
3058         * dfg/DFGDisassembler.cpp:
3059         (JSC::DFG::Disassembler::dump):
3060         * dfg/DFGDriver.cpp:
3061         (JSC::DFG::compile):
3062         * dfg/DFGFixupPhase.cpp:
3063         (JSC::DFG::FixupPhase::fixupNode):
3064         (JSC::DFG::FixupPhase::fixDoubleEdge):
3065         * dfg/DFGGraph.cpp:
3066         (JSC::DFG::printWhiteSpace):
3067         (JSC::DFG::Graph::dumpCodeOrigin):
3068         (JSC::DFG::Graph::dump):
3069         (JSC::DFG::Graph::dumpBlockHeader):
3070         (JSC::DFG::Graph::predictArgumentTypes):
3071         * dfg/DFGJITCompiler.cpp:
3072         (JSC::DFG::JITCompiler::link):
3073         * dfg/DFGOSREntry.cpp:
3074         (JSC::DFG::prepareOSREntry):
3075         * dfg/DFGOSRExitCompiler.cpp:
3076         * dfg/DFGOSRExitCompiler32_64.cpp:
3077         (JSC::DFG::OSRExitCompiler::compileExit):
3078         * dfg/DFGOSRExitCompiler64.cpp:
3079         (JSC::DFG::OSRExitCompiler::compileExit):
3080         * dfg/DFGOperations.cpp:
3081         * dfg/DFGPhase.cpp:
3082         (JSC::DFG::Phase::beginPhase):
3083         * dfg/DFGPhase.h:
3084         (JSC::DFG::runAndLog):
3085         * dfg/DFGPredictionPropagationPhase.cpp:
3086         (JSC::DFG::PredictionPropagationPhase::propagate):
3087         (JSC::DFG::PredictionPropagationPhase::propagateForward):
3088         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
3089         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
3090         * dfg/DFGRegisterBank.h:
3091         (JSC::DFG::RegisterBank::dump):
3092         * dfg/DFGScoreBoard.h:
3093         (JSC::DFG::ScoreBoard::use):
3094         (JSC::DFG::ScoreBoard::dump):
3095         * dfg/DFGSlowPathGenerator.h:
3096         (JSC::DFG::SlowPathGenerator::generate):
3097         * dfg/DFGSpeculativeJIT.cpp:
3098         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
3099         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutionWithConditionalDirection):
3100         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
3101         (JSC::DFG::SpeculativeJIT::dump):
3102         (JSC::DFG::SpeculativeJIT::checkConsistency):
3103         (JSC::DFG::SpeculativeJIT::compile):
3104         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3105         * dfg/DFGSpeculativeJIT32_64.cpp:
3106         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3107         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3108         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3109         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3110         * dfg/DFGSpeculativeJIT64.cpp:
3111         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3112         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3113         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3114         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3115         * dfg/DFGStructureCheckHoistingPhase.cpp:
3116         (JSC::DFG::StructureCheckHoistingPhase::run):
3117         * dfg/DFGValidate.cpp:
3118         (Validate):
3119         (JSC::DFG::Validate::reportValidationContext):
3120         (JSC::DFG::Validate::dumpData):
3121         (JSC::DFG::Validate::dumpGraphIfAppropriate):
3122         * dfg/DFGVariableEventStream.cpp:
3123         (JSC::DFG::VariableEventStream::logEvent):
3124         (JSC::DFG::VariableEventStream::reconstruct):
3125         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3126         (JSC::DFG::VirtualRegisterAllocationPhase::run):
3127         * heap/Heap.cpp:
3128         * heap/HeapStatistics.cpp:
3129         (JSC::HeapStatistics::logStatistics):
3130         (JSC::HeapStatistics::showObjectStatistics):
3131         * heap/MarkStack.h:
3132         * heap/MarkedBlock.h:
3133         * heap/SlotVisitor.cpp:
3134         (JSC::SlotVisitor::validate):
3135         * interpreter/CallFrame.cpp:
3136         (JSC::CallFrame::dumpCaller):
3137         * interpreter/Interpreter.cpp:
3138         (JSC::Interpreter::dumpRegisters):
3139         * jit/JIT.cpp:
3140         (JSC::JIT::privateCompileMainPass):
3141         (JSC::JIT::privateCompileSlowCases):
3142         (JSC::JIT::privateCompile):
3143         * jit/JITDisassembler.cpp:
3144         (JSC::JITDisassembler::dump):
3145         (JSC::JITDisassembler::dumpForInstructions):
3146         * jit/JITStubRoutine.h:
3147         (JSC):
3148         * jit/JITStubs.cpp:
3149         (JSC::DEFINE_STUB_FUNCTION):
3150         * jit/JumpReplacementWatchpoint.cpp:
3151         (JSC::JumpReplacementWatchpoint::fireInternal):
3152         * llint/LLIntExceptions.cpp:
3153         (JSC::LLInt::interpreterThrowInCaller):
3154         (JSC::LLInt::returnToThrow):
3155         (JSC::LLInt::callToThrow):
3156         * llint/LLIntSlowPaths.cpp:
3157         (JSC::LLInt::llint_trace_operand):
3158         (JSC::LLInt::llint_trace_value):
3159         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3160         (JSC::LLInt::traceFunctionPrologue):
3161         (JSC::LLInt::jitCompileAndSetHeuristics):
3162         (JSC::LLInt::entryOSR):
3163         (JSC::LLInt::handleHostCall):
3164         (JSC::LLInt::setUpCall):
3165         * profiler/Profile.cpp:
3166         (JSC::Profile::debugPrintData):
3167         (JSC::Profile::debugPrintDataSampleStyle):
3168         * profiler/ProfileNode.cpp:
3169         (JSC::ProfileNode::debugPrintData):
3170         (JSC::ProfileNode::debugPrintDataSampleStyle):
3171         * runtime/JSGlobalData.cpp:
3172         (JSC::JSGlobalData::dumpRegExpTrace):
3173         * runtime/RegExp.cpp:
3174         (JSC::RegExp::matchCompareWithInterpreter):
3175         * runtime/SamplingCounter.cpp:
3176         (JSC::AbstractSamplingCounter::dump):
3177         * runtime/Structure.cpp:
3178         (JSC::Structure::dumpStatistics):
3179         (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
3180         * tools/CodeProfile.cpp:
3181         (JSC::CodeProfile::report):
3182         * tools/ProfileTreeNode.h:
3183         (JSC::ProfileTreeNode::dumpInternal):
3184         * yarr/YarrInterpreter.cpp:
3185         (JSC::Yarr::ByteCompiler::dumpDisjunction):
3186
3187 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
3188
3189         It should be possible to say disassemble(stuff) instead of having to say if (!tryToDisassemble(stuff)) dataLog("I failed")
3190         https://bugs.webkit.org/show_bug.cgi?id=103010
3191
3192         Reviewed by Anders Carlsson.
3193
3194         You can still say tryToDisassemble(), which will tell you if it failed; you can then
3195         decide what to do instead. But it's better to say disassemble(), which will just print
3196         the instruction ranges if tryToDisassemble() failed. This is particularly appropriate
3197         since that's what all previous users of tryToDisassemble() would have done in some
3198         form or another.
3199
3200         * CMakeLists.txt:
3201         * GNUmakefile.list.am:
3202         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3203         * JavaScriptCore.xcodeproj/project.pbxproj:
3204         * Target.pri:
3205         * assembler/LinkBuffer.cpp:
3206         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3207         * dfg/DFGDisassembler.cpp:
3208         (JSC::DFG::Disassembler::dumpDisassembly):
3209         * disassembler/Disassembler.cpp: Added.
3210         (JSC):
3211         (JSC::disassemble):
3212         * disassembler/Disassembler.h:
3213         (JSC):
3214         * jit/JITDisassembler.cpp:
3215         (JSC::JITDisassembler::dumpDisassembly):
3216
3217 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
3218
3219         dumpOperands() claims that it needs a non-const Operands& when that is completely false
3220         https://bugs.webkit.org/show_bug.cgi?id=103005
3221
3222         Reviewed by Eric Carlson.
3223
3224         * bytecode/Operands.h:
3225         (JSC::dumpOperands):
3226         (JSC):
3227
3228 2012-11-20  Filip Pizlo  <fpizlo@apple.com>
3229
3230         Baseline JIT's disassembly should be just as pretty as the DFG's
3231         https://bugs.webkit.org/show_bug.cgi?id=102873
3232
3233         Reviewed by Sam Weinig.
3234
3235         Integrated the CodeBlock's bytecode dumper with the JIT's disassembler. Also fixed
3236         some type goof-ups (instructions are not in a Vector<Instruction> so using a Vector
3237         iterator makes no sense) and streamlined some things (you don't actually need a
3238         full-fledged ExecState* to dump bytecode).
3239
3240         * CMakeLists.txt:
3241         * GNUmakefile.list.am:
3242         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3243         * JavaScriptCore.xcodeproj/project.pbxproj:
3244         * Target.pri:
3245         * bytecode/CodeBlock.cpp:
3246         (JSC::CodeBlock::printUnaryOp):
3247         (JSC::CodeBlock::printBinaryOp):
3248         (JSC::CodeBlock::printConditionalJump):
3249         (JSC::CodeBlock::printGetByIdOp):
3250         (JSC::CodeBlock::printCallOp):
3251         (JSC::CodeBlock::printPutByIdOp):
3252         (JSC::CodeBlock::dump):
3253         (JSC):
3254         (JSC::CodeBlock::CodeBlock):
3255         * bytecode/CodeBlock.h:
3256         (CodeBlock):
3257         * interpreter/Interpreter.cpp:
3258         (JSC::Interpreter::dumpCallFrame):
3259         * jit/JIT.cpp:
3260         (JSC::JIT::privateCompileMainPass):
3261         (JSC::JIT::privateCompileSlowCases):
3262         (JSC::JIT::privateCompile):
3263         * jit/JIT.h:
3264         (JIT):
3265         * jit/JITDisassembler.cpp: Added.
3266         (JSC):
3267         (JSC::JITDisassembler::JITDisassembler):
3268         (JSC::JITDisassembler::~JITDisassembler):
3269         (JSC::JITDisassembler::dump):
3270         (JSC::JITDisassembler::dumpForInstructions):
3271         (JSC::JITDisassembler::dumpDisassembly):
3272         * jit/JITDisassembler.h: Added.
3273         (JSC):
3274         (JITDisassembler):
3275         (JSC::JITDisassembler::setStartOfCode):
3276         (JSC::JITDisassembler::setForBytecodeMainPath):
3277         (JSC::JITDisassembler::setForBytecodeSlowPath):
3278         (JSC::JITDisassembler::setEndOfSlowPath):
3279         (JSC::JITDisassembler::setEndOfCode):
3280
3281 2012-11-21  Daniel Bates  <dbates@webkit.org>
3282
3283         JavaScript fails to concatenate large strings
3284         <https://bugs.webkit.org/show_bug.cgi?id=102963>
3285
3286         Reviewed by Michael Saboff.
3287
3288         Fixes an issue where we inadvertently didn't check the length of
3289         a JavaScript string for overflow.
3290
3291         * runtime/Operations.h:
3292         (JSC::jsString):
3293         (JSC::jsStringFromArguments):
3294
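        The entry above describes a missing length-overflow check on string concatenation. The following C++ block is an added illustration of that class of defect and its fix; it is not code from the WebKit commit and not JSC's jsString/jsStringFromArguments, and the Str32 type and all function names are constructed for the demo. It shows the unchecked 32-bit addition that wraps, the checked form that refuses to produce a length that does not fit the field, and the same check applied to a list of operands.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>
#include <vector>

// Stand-in for an engine string whose length lives in a 32-bit field.
// Constructed for this demo; it is not JSC's JSString.
struct Str32 {
    uint32_t length;   // length in code units, limited to 32 bits
    std::string data;  // only populated for the small strings used here
};

// The shape of the bug: adding two 32-bit lengths wraps silently, so a
// "huge + small" concatenation yields a tiny length while the data to be
// copied is still huge. Kept only to show what the check below prevents.
uint32_t uncheckedConcatLength(uint32_t a, uint32_t b) {
    return a + b;  // wraps modulo 2^32 once a + b exceeds UINT32_MAX
}

// Checked arithmetic: returns false (and leaves `out` untouched) when the
// combined length would not fit the 32-bit field. The comparison is done
// against max - b so no wider integer type is needed.
bool checkedConcatLength(uint32_t a, uint32_t b, uint32_t& out) {
    if (a > std::numeric_limits<uint32_t>::max() - b)
        return false;
    out = a + b;
    return true;
}

// The same check folded over an argument list (the multi-operand case).
// `a` and `b` are passed by value above, so aliasing `out` with `total`
// is safe here.
bool checkedConcatLengthN(const std::vector<uint32_t>& lengths, uint32_t& out) {
    uint32_t total = 0;
    for (uint32_t len : lengths) {
        if (!checkedConcatLength(total, len, total))
            return false;
    }
    out = total;
    return true;
}

// Concatenation that validates the resulting length before building the
// string. Returns false on overflow rather than throwing, which keeps the
// failure path explicit and easy to test.
bool concatChecked(const Str32& a, const Str32& b, Str32& out) {
    uint32_t newLength = 0;
    if (!checkedConcatLength(a.length, b.length, newLength))
        return false;
    out.length = newLength;
    out.data = a.data + b.data;
    return true;
}

int main() {
    Str32 hello{5, "hello"}, world{5, "world"}, joined{0, ""};
    if (concatChecked(hello, world, joined))
        std::printf("%s (%u)\n", joined.data.c_str(), joined.length);

    // Only the length field matters for the check; data is left empty.
    Str32 huge{std::numeric_limits<uint32_t>::max(), ""}, one{1, "x"};
    if (!concatChecked(huge, one, joined))
        std::puts("refused: combined length does not fit in 32 bits");
    return 0;
}
```

        The same guard applies to any engine that stores a string length in a fixed-width field: the check has to run on the length arithmetic before allocation, otherwise a wrapped length drives an undersized allocation followed by a copy of the full data.
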
3295 2012-11-20  Filip Pizlo  <fpizlo@apple.com>
3296
3297         DFG should be able to cache closure calls (part 2/2)
3298         https://bugs.webkit.org/show_bug.cgi?id=102662
3299
3300         Reviewed by Gavin Barraclough.
3301
3302         Added caching of calls where the JSFunction* varies, but the Structure* and ExecutableBase*
3303         stay the same. This is accomplished by replacing the branch that compares against a constant
3304         JSFunction* with a jump to a closure call stub. The closure call stub contains a fast path,
3305         and jumps slow directly to the virtual call thunk.
3306
3307         Looks like a 1% win on V8v7.
3308
3309         * CMakeLists.txt:
3310         * GNUmakefile.list.am:
3311         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3312         * JavaScriptCore.xcodeproj/project.pbxproj:
3313         * Target.pri:
3314         * bytecode/CallLinkInfo.cpp:
3315         (JSC::CallLinkInfo::unlink):
3316         * bytecode/CallLinkInfo.h:
3317         (CallLinkInfo):
3318         (JSC::CallLinkInfo::isLinked):
3319         (JSC::getCallLinkInfoBytecodeIndex):
3320         * bytecode/CodeBlock.cpp:
3321         (JSC::CodeBlock::finalizeUnconditionally):
3322         (JSC):
3323         (JSC::CodeBlock::findClosureCallForReturnPC):
3324         (JSC::CodeBlock::bytecodeOffset):
3325         (JSC::CodeBlock::codeOriginForReturn):
3326         * bytecode/CodeBlock.h:
3327         (JSC::CodeBlock::getCallLinkInfo):
3328         (CodeBlock):
3329         (JSC::CodeBlock::isIncomingCallAlreadyLinked):
3330         * dfg/DFGJITCompiler.cpp:
3331         (JSC::DFG::JITCompiler::link):
3332         * dfg/DFGJITCompiler.h:
3333         (JSC::DFG::JITCompiler::addJSCall):
3334         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
3335         (JSCallRecord):
3336         * dfg/DFGOperations.cpp:
3337         * dfg/DFGOperations.h:
3338         * dfg/DFGRepatch.cpp:
3339         (JSC::DFG::linkSlowFor):
3340         (DFG):
3341         (JSC::DFG::dfgLinkFor):
3342         (JSC::DFG::dfgLinkSlowFor):
3343         (JSC::DFG::dfgLinkClosureCall):
3344         * dfg/DFGRepatch.h:
3345         (DFG):
3346         * dfg/DFGSpeculativeJIT32_64.cpp:
3347         (JSC::DFG::SpeculativeJIT::emitCall):
3348         * dfg/DFGSpeculativeJIT64.cpp:
3349         (JSC::DFG::SpeculativeJIT::emitCall):
3350         * dfg/DFGThunks.cpp:
3351         (DFG):
3352         (JSC::DFG::linkClosureCallThunkGenerator):
3353         * dfg/DFGThunks.h:
3354         (DFG):
3355         * heap/Heap.h:
3356         (Heap):
3357         (JSC::Heap::jitStubRoutines):
3358         * heap/JITStubRoutineSet.h:
3359         (JSC::JITStubRoutineSet::size):
3360         (JSC::JITStubRoutineSet::at):
3361         (JITStubRoutineSet):
3362         * jit/ClosureCallStubRoutine.cpp: Added.
3363         (JSC):
3364         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
3365         (JSC::ClosureCallStubRoutine::~ClosureCallStubRoutine):
3366         (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
3367         * jit/ClosureCallStubRoutine.h: Added.
3368         (JSC):
3369         (ClosureCallStubRoutine):
3370         (JSC::ClosureCallStubRoutine::structure):
3371         (JSC::ClosureCallStubRoutine::executable):
3372         (JSC::ClosureCallStubRoutine::codeOrigin):
3373         * jit/GCAwareJITStubRoutine.cpp:
3374         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3375         * jit/GCAwareJITStubRoutine.h:
3376         (GCAwareJITStubRoutine):
3377         (JSC::GCAwareJITStubRoutine::isClosureCall):
3378         * jit/JIT.cpp:
3379         (JSC::JIT::privateCompile):
3380
3381 2012-11-20  Filip Pizlo  <fpizlo@apple.com>
3382
3383         DFG should be able to cache closure calls (part 1/2)
3384         https://bugs.webkit.org/show_bug.cgi?id=102662
3385
3386         Reviewed by Gavin Barraclough.
3387
3388         Add ability to revert a jump replacement back to
3389         branchPtrWithPatch(Condition, RegisterID, TrustedImmPtr). This is meant to be
3390         a mandatory piece of functionality for all assemblers. I also renamed some of
3391         the functions for reverting jump replacements back to
3392         patchableBranchPtrWithPatch(Condition, Address, TrustedImmPtr), so as to avoid
3393         confusion.
3394
3395         * assembler/ARMv7Assembler.h:
3396         (JSC::ARMv7Assembler::BadReg):
3397         (ARMv7Assembler):
3398         (JSC::ARMv7Assembler::revertJumpTo_movT3):
3399         * assembler/LinkBuffer.h:
3400         (JSC):
3401         * assembler/MacroAssemblerARMv7.h:
3402         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
3403         (MacroAssemblerARMv7):
3404         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
3405         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
3406         * assembler/MacroAssemblerX86.h:
3407         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
3408         (MacroAssemblerX86):
3409         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
3410         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
3411         * assembler/MacroAssemblerX86_64.h:
3412         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
3413         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
3414         (MacroAssemblerX86_64):
3415         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
3416         * assembler/RepatchBuffer.h:
3417         (JSC::RepatchBuffer::startOfBranchPtrWithPatchOnRegister):
3418         (RepatchBuffer):
3419         (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress):
3420         (JSC::RepatchBuffer::revertJumpReplacementToBranchPtrWithPatch):
3421         * assembler/X86Assembler.h:
3422         (JSC::X86Assembler::revertJumpTo_cmpl_ir_force32):
3423         (X86Assembler):
3424         * dfg/DFGRepatch.cpp:
3425         (JSC::DFG::replaceWithJump):
3426         (JSC::DFG::dfgResetGetByID):
3427         (JSC::DFG::dfgResetPutByID):
3428
3429 2012-11-20  Yong Li  <yoli@rim.com>
3430
3431         [ARMv7] Neither linkCall() nor linkPointer() should flush code.
3432         https://bugs.webkit.org/show_bug.cgi?id=99213
3433
3434         Reviewed by George Staikos.
3435
3436         LinkBuffer doesn't need to flush code during linking. It will
3437         eventually flush the whole executable. Fixing this gives >5%
3438         SunSpider boost (on QNX).
3439
3440         Also make replaceWithLoad() and replaceWithAddressComputation() flush
3441         only when necessary.
3442
3443         * assembler/ARMv7Assembler.h:
3444         (JSC::ARMv7Assembler::linkCall):
3445         (JSC::ARMv7Assembler::linkPointer):
3446         (JSC::ARMv7Assembler::relinkCall):
3447         (JSC::ARMv7Assembler::repatchInt32):
3448         (JSC::ARMv7Assembler::repatchPointer):
3449         (JSC::ARMv7Assembler::replaceWithLoad): Flush only after it did write.
3450         (JSC::ARMv7Assembler::replaceWithAddressComputation): Flush only after it did write.
3451         (JSC::ARMv7Assembler::setInt32):
3452         (JSC::ARMv7Assembler::setPointer):
3453
3454 2012-11-19  Filip Pizlo  <fpizlo@apple.com>
3455
3456         Remove support for ARMv7 errata from the jump code
3457         https://bugs.webkit.org/show_bug.cgi?id=102759
3458
3459         Reviewed by Oliver Hunt.
3460
3461         The jump replacement code was wrong to begin with since it wasn't doing
3462         a cache flush on the inserted padding. And, to my knowledge, we don't need
3463         this anymore, so this patch removes all errata code from the ARMv7 port.
3464
3465         * assembler/ARMv7Assembler.h:
3466         (JSC::ARMv7Assembler::computeJumpType):
3467         (JSC::ARMv7Assembler::replaceWithJump):
3468         (JSC::ARMv7Assembler::maxJumpReplacementSize):
3469         (JSC::ARMv7Assembler::canBeJumpT3):
3470         (JSC::ARMv7Assembler::canBeJumpT4):
3471
3472 2012-11-19  Patrick Gansterer  <paroga@webkit.org>
3473
3474         [CMake] Create JavaScriptCore ForwardingHeaders
3475         https://bugs.webkit.org/show_bug.cgi?id=92665
3476
3477         Reviewed by Brent Fulgham.
3478
3479         When using CMake to build the Windows port, we need
3480         to generate the forwarding headers with it too.
3481
3482         * CMakeLists.txt:
3483
3484 2012-11-19  Kihong Kwon  <kihong.kwon@samsung.com>
3485
3486         Add PROXIMITY_EVENTS feature
3487         https://bugs.webkit.org/show_bug.cgi?id=102658
3488
3489         Reviewed by Kentaro Hara.
3490
3491         Add PROXIMITY_EVENTS feature to xcode project for JavaScriptCore.
3492
3493         * Configurations/FeatureDefines.xcconfig:
3494
3495 2012-11-18  Dan Bernstein  <mitz@apple.com>
3496
3497         Try to fix the DFG build after r135099.
3498
3499         * dfg/DFGCommon.h:
3500         (JSC::DFG::shouldShowDisassembly):
3501
3502 2012-11-18  Filip Pizlo  <fpizlo@apple.com>
3503
3504         Unreviewed, build fix for !ENABLE(DFG_JIT).
3505
3506         * dfg/DFGCommon.h:
3507         (JSC::DFG::shouldShowDisassembly):
3508         (DFG):
3509
3510 2012-11-18  Filip Pizlo  <fpizlo@apple.com>
3511
3512         JSC should have more logging in structure-related code
3513         https://bugs.webkit.org/show_bug.cgi?id=102630
3514
3515         Reviewed by Simon Fraser.
3516
3517         - JSValue::description() now tells you if something is a structure, and if so,
3518           what kind of structure it is.
3519         
3520         - Jettisoning logic now tells you why things are being jettisoned.
3521         
3522         - It's now possible to turn off GC-triggered jettisoning entirely.
3523
3524         * bytecode/CodeBlock.cpp:
3525         (JSC::CodeBlock::finalizeUnconditionally):
3526         (JSC::CodeBlock::reoptimize):
3527         (JSC::ProgramCodeBlock::jettison):
3528         (JSC::EvalCodeBlock::jettison):
3529         (JSC::FunctionCodeBlock::jettison):
3530         * bytecode/CodeBlock.h:
3531         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
3532         * runtime/JSValue.cpp:
3533         (JSC::JSValue::description):
3534         * runtime/Options.h:
3535         (JSC):
3536
3537 2012-11-18  Filip Pizlo  <fpizlo@apple.com>
3538
3539         DFG constant folding phase should say 'changed = true' whenever it changes the graph
3540         https://bugs.webkit.org/show_bug.cgi?id=102550
3541
3542         Rubber stamped by Mark Hahnenberg.
3543
3544         * dfg/DFGConstantFoldingPhase.cpp:
3545         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3546
3547 2012-11-17  Elliott Sprehn  <esprehn@chromium.org>
3548
3549         Expose JSObject removeDirect and PrivateName to WebCore
3550         https://bugs.webkit.org/show_bug.cgi?id=102546
3551
3552         Reviewed by Geoffrey Garen.
3553
3554         Export removeDirect for use in WebCore so JSDependentRetained works.
3555
3556         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3557
3558 2012-11-16  Filip Pizlo  <fpizlo@apple.com>
3559
3560         Given a PutById or GetById with a proven structure, the DFG should be able to emit a PutByOffset or GetByOffset instead
3561         https://bugs.webkit.org/show_bug.cgi?id=102327
3562
3563         Reviewed by Mark Hahnenberg.
3564
3565         If the profiler tells us that a GetById or PutById may be polymorphic but our
3566         control flow analysis proves that it isn't, we should trust the control flow
3567         analysis over the profiler. This arises in cases where GetById or PutById were
3568         inlined: the inlined function may have been called from other places that led
3569         to polymorphism, but in the current inlined context, there is no polymorphism.
3570
3571         * bytecode/CodeBlock.cpp:
3572         (JSC::CodeBlock::dump):
3573         * bytecode/GetByIdStatus.cpp:
3574         (JSC::GetByIdStatus::computeFor):
3575         (JSC):
3576         * bytecode/GetByIdStatus.h:
3577         (JSC::GetByIdStatus::GetByIdStatus):
3578         (GetByIdStatus):
3579         * bytecode/PutByIdStatus.cpp:
3580         (JSC::PutByIdStatus::computeFor):
3581         (JSC):
3582         * bytecode/PutByIdStatus.h:
3583         (JSC):
3584         (JSC::PutByIdStatus::PutByIdStatus):
3585         (PutByIdStatus):
3586         * dfg/DFGAbstractState.cpp:
3587         (JSC::DFG::AbstractState::execute):
3588         * dfg/DFGAbstractValue.h:
3589         (JSC::DFG::AbstractValue::bestProvenStructure):
3590         (AbstractValue):
3591         * dfg/DFGConstantFoldingPhase.cpp:
3592         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3593         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
3594         (ConstantFoldingPhase):
3595         * dfg/DFGNode.h:
3596         (JSC::DFG::Node::convertToGetByOffset):
3597         (Node):
3598         (JSC::DFG::Node::convertToPutByOffset):
3599         (JSC::DFG::Node::hasStorageResult):
3600         * runtime/JSGlobalObject.h:
3601         (JSC::Structure::prototypeChain):
3602         (JSC):
3603         (JSC::Structure::isValid):
3604         * runtime/Operations.h:
3605         (JSC::isPrototypeChainNormalized):
3606         (JSC):
3607         * runtime/Structure.h:
3608         (Structure):
3609         (JSC::Structure::transitionDidInvolveSpecificValue):
3610
3611 2012-11-16  Tony Chang  <tony@chromium.org>
3612
3613         Remove ENABLE_CSS_HIERARCHIES since it's no longer in use
3614         https://bugs.webkit.org/show_bug.cgi?id=102554
3615
3616         Reviewed by Andreas Kling.
3617
3618         As mentioned in https://bugs.webkit.org/show_bug.cgi?id=79939#c41 ,
3619         we're going to revisit this feature once additional vendor support is
3620         achieved.
3621
3622         * Configurations/FeatureDefines.xcconfig:
3623
3624 2012-11-16  Patrick Gansterer  <paroga@webkit.org>
3625
3626         Build fix for WinCE after r133688.
3627
3628         Use numeric_limits<uint32_t>::max() instead of UINT32_MAX.
3629
3630         * runtime/CodeCache.h:
3631         (JSC::CacheMap::CacheMap):
3632
3633 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
3634
3635         ClassInfo.h should have correct indentation.
3636
3637         Rubber stamped by Mark Hahnenberg.
3638
3639         ClassInfo.h had some true creativity in its use of whitespace. Some things within
3640         the namespace were indented four spaces and others were not. One #define had its
3641         contents indented four spaces, while another didn't. I applied the following rule:
3642
3643         - Non-macro things in the namespace should not be indented (that's our current
3644           accepted practice).
3645
3646         - Macros should never be indented but if they are multi-line then their subsequent
3647           bodies should be indented four spaces. I believe that is consistent with what we
3648           do elsewhere.
3649
3650         * runtime/ClassInfo.h:
3651         (JSC):
3652         (MethodTable):
3653         (ClassInfo):
3654         (JSC::ClassInfo::propHashTable):
3655         (JSC::ClassInfo::isSubClassOf):
3656         (JSC::ClassInfo::hasStaticProperties):
3657
3658 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
3659
3660         DFG should copy propagate trivially no-op ConvertThis
3661         https://bugs.webkit.org/show_bug.cgi?id=102445
3662
3663         Reviewed by Oliver Hunt.
3664
3665         Copy propagation is always a good thing, since it reveals must-alias relationships
3666         to the CFA and CSE. This accomplishes copy propagation for ConvertThis by first
3667         converting it to an Identity node (which is done by the constant folder since it
3668         has access to CFA results) and then performing substitution of references to
3669         Identity with references to Identity's child in the CSE.
3670
3671         I'm not aiming for a big speed-up here; I just think that this will be useful for
3672         the work on https://bugs.webkit.org/show_bug.cgi?id=102327.
3673
3674         * dfg/DFGAbstractState.cpp:
3675         (JSC::DFG::AbstractState::execute):
3676         * dfg/DFGCSEPhase.cpp:
3677         (JSC::DFG::CSEPhase::performNodeCSE):
3678         * dfg/DFGConstantFoldingPhase.cpp:
3679         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3680         * dfg/DFGNodeType.h:
3681         (DFG):
3682         * dfg/DFGPredictionPropagationPhase.cpp:
3683         (JSC::DFG::PredictionPropagationPhase::propagate):
3684         * dfg/DFGSpeculativeJIT32_64.cpp:
3685         (JSC::DFG::SpeculativeJIT::compile):
3686         * dfg/DFGSpeculativeJIT64.cpp:
3687         (JSC::DFG::SpeculativeJIT::compile):
3688
3689 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
3690
3691         CallData.h should have correct indentation.
3692
3693         Rubber stamped by Mark Hahnenberg.
3694
3695         * runtime/CallData.h:
3696         (JSC):
3697
3698 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
3699
3700         Remove methodCallDummy since it is not used anymore.
3701
3702         Rubber stamped by Mark Hahnenberg.
3703
3704         * runtime/JSGlobalObject.cpp:
3705         (JSC::JSGlobalObject::reset):
3706         (JSC):
3707         (JSC::JSGlobalObject::visitChildren):
3708         * runtime/JSGlobalObject.h:
3709         (JSGlobalObject):
3710
3711 2012-11-14  Filip Pizlo  <fpizlo@apple.com>
3712
3713         Structure should be able to easily tell if the prototype chain might intercept a store
3714         https://bugs.webkit.org/show_bug.cgi?id=102326
3715
3716         Reviewed by Geoffrey Garen.
3717
3718         This improves our ability to reason about the correctness of the more optimized
3719         prototype chain walk in JSObject::put(), while also making it straight forward to
3720         check if the prototype chain will do strange things to a property store by just
3721         looking at the structure.
3722
3723         * runtime/JSObject.cpp:
3724         (JSC::JSObject::put):
3725         * runtime/Structure.cpp:
3726         (JSC::Structure::prototypeChainMayInterceptStoreTo):
3727         (JSC):
3728         * runtime/Structure.h:
3729         (Structure):
3730
3731 2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>
3732
3733         [CMake] Do not regenerate LLIntAssembly.h on every incremental build
3734         https://bugs.webkit.org/show_bug.cgi?id=102248
3735
3736         Reviewed by Kenneth Rohde Christiansen.
3737
3738         Update LLIntAssembly.h's mtime after running asm.rb to make the build
3739         system dependency tracking consistent.
3740
3741         * CMakeLists.txt:
3742
3743 2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>
3744
3745         Fix compiler warnings about signed/unsigned comparison on i386
3746         https://bugs.webkit.org/show_bug.cgi?id=102249
3747
3748         Reviewed by Kenneth Rohde Christiansen.
3749
3750         Add casting to unsigned to shut up gcc warnings. Build was broken on
3751         JSVALUE32_64 ports compiling with -Werror.
3752
3753         * llint/LLIntData.cpp:
3754         (JSC::LLInt::Data::performAssertions):
3755
3756 2012-11-14  Brent Fulgham  <bfulgham@webkit.org>
3757
3758         [Windows, WinCairo] Unreviewed build fix.
3759
3760         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3761         Missed one of the exports that was part of the WebKit2.def.
3762
3763 2012-11-14  Brent Fulgham  <bfulgham@webkit.org>
3764
3765         [Windows, WinCairo] Correct build failure.
3766         https://bugs.webkit.org/show_bug.cgi?id=102302
3767
3768         WebCore symbols were mistakenly added to the JavaScriptCore
3769         library definition file.
3770
3771         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove
3772         WebCore symbols that were incorrectly added to the export file.
3773
3774 2012-11-14  Mark Lam  <mark.lam@apple.com>
3775
3776         Change JSEventListener::m_jsFunction to be a weak ref.
3777         https://bugs.webkit.org/show_bug.cgi?id=101989.
3778
3779         Reviewed by Geoffrey Garen.
3780
3781         Added infrastructure for scanning weak ref slots.
3782
3783         * heap/SlotVisitor.cpp: Added #include "SlotVisitorInlines.h".
3784         * heap/SlotVisitor.h:
3785         (SlotVisitor): Added SlotVisitor::appendUnbarrieredWeak().
3786         * heap/SlotVisitorInlines.h: Added #include "Weak.h".
3787         (JSC::SlotVisitor::appendUnbarrieredWeak): Added.
3788         * heap/Weak.h:
3789         (JSC::operator==): Added operator==() for Weak.
3790         * runtime/JSCell.h: Removed #include "SlotVisitorInlines.h".
3791         * runtime/JSObject.h: Added #include "SlotVisitorInlines.h".
3792
3793 2012-11-14  Filip Pizlo  <fpizlo@apple.com>
3794
3795         Read-only properties created with putDirect() should tell the structure that there are read-only properties
3796         https://bugs.webkit.org/show_bug.cgi?id=102292
3797
3798         Reviewed by Gavin Barraclough.
3799
3800         This mostly affects things like function.length.
3801
3802         * runtime/JSObject.h:
3803         (JSC::JSObject::putDirectInternal):
3804
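Added example, not part of this ChangeLog or of the JavaScriptCore sources: the 2012-11-14 entries above on Structure::prototypeChainMayInterceptStoreTo() and on read-only properties created with putDirect() both concern the cases a JSObject::put() fast path has to rule out before it may treat `obj.x = v` as a plain slot write on the receiver. The script below shows those cases from the JavaScript side, so the observable behaviour a store optimization must preserve can be checked in any ES5+ engine (Node.js will do): a read-only own property (function.length), a setter on the prototype chain, a read-only data property on the prototype chain, and, for contrast, the shadowing case where the fast path is legitimate. The function names are the example's own, not identifiers from the code base.

```javascript
// Constructed example (added here; not code from WebKit's ChangeLog or from
// JavaScriptCore). Each function performs one property store and reports
// what the engine actually did, so the result can be asserted on.

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Case 1: read-only own property. Function objects expose `length` as a
// non-writable own property. In strict mode the store throws TypeError and
// the declared parameter count survives; a fast path that treated this as an
// ordinary overwrite would silently change the value.
function storeToFunctionLength() {
  "use strict";
  function f(a, b) {}
  let outcome;
  try {
    f.length = 42;
    outcome = "stored";
  } catch (e) {
    outcome = e instanceof TypeError ? "TypeError" : "other";
  }
  const desc = Object.getOwnPropertyDescriptor(f, "length");
  return { outcome, length: f.length, writable: desc.writable };
}

// Case 2: an accessor on the prototype chain intercepts the store. No own
// property is ever created on the receiver; the inherited setter runs
// instead, once per assignment.
function storeInterceptedBySetter() {
  const log = [];
  const proto = {};
  Object.defineProperty(proto, "x", {
    set(v) { log.push(v); },
    configurable: true,
  });
  const obj = Object.create(proto);
  obj.x = 1;
  obj.x = 2;
  return { log, hasOwn: hasOwn(obj, "x") };
}

// Case 3: a non-writable data property anywhere on the prototype chain also
// blocks the store, even though the receiver has no such property of its
// own. Strict mode turns the rejected store into a TypeError.
function storeBlockedByReadOnlyPrototypeProperty() {
  "use strict";
  const proto = {};
  Object.defineProperty(proto, "y", { value: "fixed", writable: false });
  const obj = Object.create(proto);
  let outcome;
  try {
    obj.y = "changed";
    outcome = "stored";
  } catch (e) {
    outcome = e instanceof TypeError ? "TypeError" : "other";
  }
  return { outcome, value: obj.y, hasOwn: hasOwn(obj, "y") };
}

// Case 4 (fast path allowed): a writable data property on the prototype does
// not intercept; the store adds a new own property that shadows it and the
// prototype's value is untouched.
function storeShadowsWritablePrototypeProperty() {
  const proto = { z: 1 };
  const obj = Object.create(proto);
  obj.z = 2;
  return { own: obj.z, proto: proto.z, hasOwn: hasOwn(obj, "z") };
}

// Run all four cases and collect the outcomes in one table.
function runAllCases() {
  return {
    functionLength: storeToFunctionLength(),
    setter: storeInterceptedBySetter(),
    readOnlyPrototype: storeBlockedByReadOnlyPrototypeProperty(),
    shadowing: storeShadowsWritablePrototypeProperty(),
  };
}

console.log(JSON.stringify(runAllCases(), null, 2));
```

Only the fourth case may be handled by adding a slot to the receiver's structure without consulting the prototype chain; the first three are exactly the situations a per-structure "may intercept store" flag exists to detect.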
3805 2012-11-13  Filip Pizlo  <fpizlo@apple.com>
3806
3807         Don't access Node& after adding nodes to the graph.
3808         https://bugs.webkit.org/show_bug.cgi?id=102005
3809
3810         Reviewed by Oliver Hunt.
3811
3812         * dfg/DFGFixupPhase.cpp:
3813         (JSC::DFG::FixupPhase::fixupNode):
3814
3815 2012-11-14  Valery Ignatyev  <valery.ignatyev@ispras.ru>
3816
3817         Replace (typeof(x) != <"object", "undefined", ...>) with
3818         !(typeof(x) == <"object",..>). Later the is_object, is_<...> bytecode operations
3819         will be used.
3820
3821         https://bugs.webkit.org/show_bug.cgi?id=98893
3822
3823         Reviewed by Filip Pizlo.
3824
3825         This eliminates the expensive typeof implementation and
3826         allows the use of DFG optimizations, which don't support 'typeof'.
3827
3828         * bytecompiler/NodesCodegen.cpp:
3829         (JSC::BinaryOpNode::emitBytecode):
3830
3831 2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>
3832
3833         [Qt][ARM]REGRESSION(r133985): It broke the build
3834         https://bugs.webkit.org/show_bug.cgi?id=101740
3835
3836         Reviewed by Csaba Osztrogonác.
3837
3838         Changed the emitGenericContiguousPutByVal to accept the additional IndexingType argument.
3839         This information was passed as a template parameter.
3840
3841         * jit/JIT.h:
3842         (JSC::JIT::emitInt32PutByVal):
3843         (JSC::JIT::emitDoublePutByVal):
3844         (JSC::JIT::emitContiguousPutByVal):
3845         (JIT):
3846         * jit/JITPropertyAccess.cpp:
3847         (JSC::JIT::emitGenericContiguousPutByVal):
3848         * jit/JITPropertyAccess32_64.cpp:
3849         (JSC::JIT::emitGenericContiguousPutByVal):
3850
3851 2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>
3852
3853         Fix the MIPS build after r134332
3854         https://bugs.webkit.org/show_bug.cgi?id=102227
3855
3856         Reviewed by Csaba Osztrogonác.
3857
3858         Added missing methods for the MacroAssemblerMIPS, based on the MacroAssemblerARMv7.
3859
3860         * assembler/MacroAssemblerMIPS.h:
3861         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranchPtrWithPatch):
3862         (MacroAssemblerMIPS):
3863         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatch):
3864         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
3865
3866 2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>
3867
3868         Fix the [-Wreturn-type] warning in JavaScriptCore/assembler/MacroAssemblerARM.h
3869         https://bugs.webkit.org/show_bug.cgi?id=102206
3870
3871         Reviewed by Csaba Osztrogonác.
3872
3873         Add a return value for the function to suppress the warning.
3874
3875         * assembler/MacroAssemblerARM.h:
3876         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
3877
3878 2012-11-14  Sheriff Bot  <webkit.review.bot@gmail.com>
3879
3880         Unreviewed, rolling out r134599.
3881         http://trac.webkit.org/changeset/134599
3882         https://bugs.webkit.org/show_bug.cgi?id=102225
3883
3884         It broke the 32 bit EFL build (Requested by Ossy on #webkit).
3885
3886         * jit/JITPropertyAccess.cpp:
3887         * jit/JITPropertyAccess32_64.cpp:
3888         (JSC):
3889         (JSC::JIT::emitGenericContiguousPutByVal):
3890
3891 2012-11-14  Balazs Kilvady  <kilvadyb@homejinni.com>
3892
3893         [Qt][ARM]REGRESSION(r133985): It broke the build
3894         https://bugs.webkit.org/show_bug.cgi?id=101740
3895
3896         Reviewed by Csaba Osztrogonác.
3897
3898         Template function body moved to fix VALUE_PROFILER disabled case.
3899
3900         * jit/JITPropertyAccess.cpp:
3901         (JSC):
3902         (JSC::JIT::emitGenericContiguousPutByVal):
3903         * jit/JITPropertyAccess32_64.cpp:
3904
3905 2012-11-13  Filip Pizlo  <fpizlo@apple.com>
3906
3907         DFG CreateThis should be able to statically account for the structure of the object it creates, if profiling indicates that this structure is always the same
3908         https://bugs.webkit.org/show_bug.cgi?id=102017
3909
3910         Reviewed by Geoffrey Garen.
3911
3912         This adds a watchpoint in JSFunction on the cached inheritor ID. It also changes
3913         NewObject to take a structure as an operand (previously it implicitly used the owning
3914         global object's empty object structure). Any GetCallee where the callee is predictable
3915         is turned into a CheckFunction + WeakJSConstant, and any CreateThis on a WeakJSConstant
3916         where the inheritor ID watchpoint is still valid is turned into an InheritorIDWatchpoint
3917         followed by a NewObject. NewObject already accounts for the structure it uses for object
3918         creation in the CFA.
3919
3920         * dfg/DFGAbstractState.cpp:
3921         (JSC::DFG::AbstractState::execute):
3922         * dfg/DFGByteCodeParser.cpp:
3923         (JSC::DFG::ByteCodeParser::parseBlock):
3924         * dfg/DFGCSEPhase.cpp:
3925         (JSC::DFG::CSEPhase::checkFunctionElimination):
3926         * dfg/DFGGraph.cpp:
3927         (JSC::DFG::Graph::dump):
3928         * dfg/DFGNode.h:
3929         (JSC::DFG::Node::hasFunction):
3930         (JSC::DFG::Node::function):
3931         (JSC::DFG::Node::hasStructure):
3932         * dfg/DFGNodeType.h:
3933         (DFG):
3934         * dfg/DFGOperations.cpp:
3935         * dfg/DFGOperations.h:
3936         * dfg/DFGPredictionPropagationPhase.cpp:
3937         (JSC::DFG::PredictionPropagationPhase::propagate):
3938         * dfg/DFGSpeculativeJIT.h:
3939         (JSC::DFG::SpeculativeJIT::callOperation):
3940         * dfg/DFGSpeculativeJIT32_64.cpp:
3941         (JSC::DFG::SpeculativeJIT::compile):
3942         * dfg/DFGSpeculativeJIT64.cpp:
3943         (JSC::DFG::SpeculativeJIT::compile):
3944         * runtime/Executable.h:
3945         (JSC::JSFunction::JSFunction):
3946         * runtime/JSBoundFunction.cpp:
3947         (JSC):
3948         * runtime/JSFunction.cpp:
3949         (JSC::JSFunction::JSFunction):
3950         (JSC::JSFunction::put):
3951         (JSC::JSFunction::defineOwnProperty):
3952         * runtime/JSFunction.h:
3953         (JSC::JSFunction::tryGetKnownInheritorID):
3954         (JSFunction):
3955         (JSC::JSFunction::addInheritorIDWatchpoint):
3956
3957 2012-11-13  Filip Pizlo  <fpizlo@apple.com>
3958
3959         JSFunction and its descendants should be destructible
3960         https://bugs.webkit.org/show_bug.cgi?id=102062
3961
3962         Reviewed by Mark Hahnenberg.
3963
3964         This will make it easy to place an InlineWatchpointSet inside JSFunction. In the
3965         future, we could make JSFunction non-destructible again by making a version of
3966         WatchpointSet that is entirely GC'd, but this seems like overkill for now.
3967
3968         This is performance-neutral.
3969
3970         * runtime/JSBoundFunction.cpp:
3971         (JSC::JSBoundFunction::destroy):
3972         (JSC):
3973         * runtime/JSBoundFunction.h:
3974         (JSBoundFunction):
3975         * runtime/JSFunction.cpp:
3976         (JSC):
3977         (JSC::JSFunction::destroy):
3978         * runtime/JSFunction.h:
3979         (JSFunction):
3980
3981 2012-11-13  Cosmin Truta  <ctruta@rim.com>
3982
3983         Uninitialized fields in class JSLock
3984         https://bugs.webkit.org/show_bug.cgi?id=101695
3985
3986         Reviewed by Mark Hahnenberg.
3987
3988         Initialize JSLock::m_ownerThread and JSLock::m_lockDropDepth.
3989
3990         * runtime/JSLock.cpp:
3991         (JSC::JSLock::JSLock):
3992
3993 2012-11-13  Peter Gal  <galpeter@inf.u-szeged.hu>
3994
3995         Fix the ARM traditional build after r134332
3996         https://bugs.webkit.org/show_bug.cgi?id=102044
3997
3998         Reviewed by Zoltan Herczeg.
3999
4000         Added missing methods for the MacroAssemblerARM, based on the MacroAssemblerARMv7.
4001
4002         * assembler/MacroAssemblerARM.h:
4003         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranchPtrWithPatch):
4004         (MacroAssemblerARM):
4005         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
4006         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
4007
4008 2012-11-12  Filip Pizlo  <fpizlo@apple.com>
4009
4010         op_get_callee should have value profiling
4011         https://bugs.webkit.org/show_bug.cgi?id=102047
4012
4013         Reviewed by Sam Weinig.
4014
4015         This will allow us to detect if the callee is always the same, which is probably
4016         the common case for a lot of constructors.
4017
4018         * bytecode/CodeBlock.cpp:
4019    &