[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2011-10-18  Adam Barth  <abarth@webkit.org>
2
3         Always enable ENABLE(XPATH)
4         https://bugs.webkit.org/show_bug.cgi?id=70217
5
6         Reviewed by Eric Seidel.
7
8         * Configurations/FeatureDefines.xcconfig:
9
10 2011-10-18  Gavin Barraclough  <barraclough@apple.com>
11
12         Indexed arguments on the Arguments object should be enumerable.
13         https://bugs.webkit.org/show_bug.cgi?id=70302
14
15         Reviewed by Sam Weinig.
16
17         See ECMA-262 5.1 chapter 10.6 step 11b.
18         This is visible through a number of means, including Object.keys, Object.getOwnPropertyDescriptor, and operator in.
19
20         * runtime/Arguments.cpp:
21         (JSC::Arguments::getOwnPropertyDescriptor):
22             - The 'enumerable' property should be true for indexed arguments.
23         (JSC::Arguments::getOwnPropertyNames):
24             - Don't guard the adding of indexed properties with 'IncludeDontEnumProperties'.
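
The enumerability this entry refers to is directly observable from script. The following is an added example, not WebKit code, showing what Object.keys, for-in, Object.getOwnPropertyDescriptor and the in operator report for an Arguments object once its indexed entries are enumerable (length, by contrast, stays non-enumerable):

```javascript
// Added example (not WebKit code): what script can observe about the
// Arguments object per ECMA-262 5.1 section 10.6. Indexed entries are
// writable, enumerable and configurable (step 11b); 'length' is not
// enumerable (step 7). Call it with at least one argument.
function inspectArguments(/* a, b, c */) {
  const indexDesc = Object.getOwnPropertyDescriptor(arguments, '0');
  const lengthDesc = Object.getOwnPropertyDescriptor(arguments, 'length');
  const forInKeys = [];
  for (const k in arguments) forInKeys.push(k);
  return {
    keys: Object.keys(arguments),               // ['0', '1', '2'] for three arguments
    forInKeys,                                  // ['0', '1', '2']
    indexEnumerable: indexDesc?.enumerable,     // true
    indexWritable: indexDesc?.writable,         // true
    indexConfigurable: indexDesc?.configurable, // true
    lengthEnumerable: lengthDesc.enumerable,    // false
    hasIndex: '0' in arguments,                 // true
    hasMissingIndex: '3' in arguments,          // false
  };
}
```

Run with inspectArguments(10, 20, 30); an engine that still guarded indexed entries behind DontEnum would report an empty keys array and indexEnumerable false while hasIndex remained true, which is exactly the inconsistency the entry fixes.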
25
26 2011-10-18  Gustavo Noronha Silva  <gns@gnome.org>
27
28         Fix distcheck.
29
30         * GNUmakefile.list.am: fix a typo and add a missing header to the
31         list.
32
33 2011-10-18  Balazs Kelemen  <kbalazs@webkit.org>
34
35         ParallelJobs: maximum number of threads should be determined dynamically
36         https://bugs.webkit.org/show_bug.cgi?id=68540
37
38         Reviewed by Zoltan Herczeg.
39
40         Add logic to determine the number of cores and use this as
41         the maximum number of threads. The implementation currently
42         covers Linux, Darwin, Windows, AIX, Solaris, OpenBSD and NetBSD.
43         The patch was tested on Linux, Mac and Windows which was enough to
44         cover all code paths. It should work on the rest according to the
45         documentation of those OSes. The hard coded constant is still used
46         on uncovered OSes which should be fixed in the future.
47
48         * wtf/ParallelJobs.h: Removed the default value of the requestedJobNumber
49         argument because clients should always fill it and the 0 default value
50         was incorrect anyway.
51         (WTF::ParallelJobs::ParallelJobs):
52         * wtf/ParallelJobsGeneric.cpp:
53         (WTF::ParallelEnvironment::determineMaxNumberOfParallelThreads):
54         * wtf/ParallelJobsGeneric.h:
55         (WTF::ParallelEnvironment::ParallelEnvironment):
56
57 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
58
59         Reverted r997709, this caused test failures.
60
61         * jit/JITStubs.cpp:
62         (JSC::DEFINE_STUB_FUNCTION):
63         * runtime/JSObject.cpp:
64         (JSC::JSObject::hasProperty):
65         (JSC::JSObject::hasOwnProperty):
66
67 2011-10-17  Ryosuke Niwa  <rniwa@webkit.org>
68
69         Rename deregister* to unregister*
70         https://bugs.webkit.org/show_bug.cgi?id=70272
71
72         Reviewed by Darin Adler.
73
74         Renamed deregisterWeakMap to unregisterWeakMap.
75
76         * runtime/JSGlobalObject.h:
77         (JSC::JSGlobalObject::unregisterWeakMap):
78
79 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
80
81         Poisoning of strict caller/arguments inappropriately poisoning "in"
82         https://bugs.webkit.org/show_bug.cgi?id=63398
83
84         Reviewed by Sam Weinig.
85
86         The problem here is that the has[Own]Property methods get the slot rather than
87         the descriptor, and getting the slot may cause the property to be eagerly accessed.
88
89         * jit/JITStubs.cpp:
90         (JSC::DEFINE_STUB_FUNCTION):
91             - We don't expect hasProperty to ever throw. If it does, it won't get caught
92               (since it is after the exception check), so ASSERT to guard against this.
93         * runtime/JSObject.cpp:
94         (JSC::JSObject::hasProperty):
95         (JSC::JSObject::hasOwnProperty):
96             - These methods should not check for the presence of the descriptor; never get the value.
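
The distinction this entry draws, that a presence check must not read the property, can be seen from script. The following is an added example, not WebKit code; the object with a throwing accessor and the strict-mode function are constructed here. Whether `caller` is an own property of a strict function varies by engine (an own poisoned property in JSC at the time of this entry, an accessor on Function.prototype in current engines), so the example only relies on `in` reporting true and on the actual read throwing:

```javascript
// Added example (not WebKit code): presence checks ('in', hasOwnProperty,
// getOwnPropertyDescriptor) must not evaluate a property, so a poisoned
// accessor is only triggered by an actual read.

// Constructed object whose accessor throws when read.
const poisoned = {
  get secret() { throw new TypeError('poisoned accessor invoked'); },
};

// Constructed strict-mode function: reading .caller throws a TypeError.
function strictFn() { 'use strict'; }

// Reports what each operation observes without letting a throw escape.
function probe(obj, name) {
  const desc = Object.getOwnPropertyDescriptor(obj, name); // returns the getter, never calls it
  const report = {
    hasProperty: name in obj,                               // no getter invoked
    hasOwn: Object.prototype.hasOwnProperty.call(obj, name),
    ownAccessor: desc !== undefined && typeof desc.get === 'function',
    getThrew: false,
  };
  try {
    void obj[name];                                         // the only operation that reads
  } catch (e) {
    report.getThrew = e instanceof TypeError;
  }
  return report;
}

// probe(poisoned, 'secret') -> hasProperty true, hasOwn true, ownAccessor true, getThrew true
// probe(strictFn, 'caller') -> hasProperty true, getThrew true
```

A hasProperty implementation that fetched the slot instead of the descriptor would make `'secret' in poisoned` throw, which is the bug the entry describes for strict caller/arguments.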
97
98 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
99
100         Exception ordering in String.prototype.replace
101         https://bugs.webkit.org/show_bug.cgi?id=70290
102
103         If pattern is not a regexp, it should be converted toString before the replacement value has its toString conversion called.
104
105         Reviewed by Oliver Hunt.
106
107         * runtime/StringPrototype.cpp:
108         (JSC::stringProtoFuncReplace):
109
110 2011-10-17  Filip Pizlo  <fpizlo@apple.com>
111
112         DFG bytecode parser should understand inline stacks
113         https://bugs.webkit.org/show_bug.cgi?id=70278
114
115         Reviewed by Oliver Hunt.
116         
117         The DFG bytecode parser is now capable of parsing multiple code blocks at
118         once. This remains turned off since not all inlining functionality is
119         implemented.       
120         
121         This required making a few changes elsewhere in the system. The bytecode
122         parser now may do some of the same things that the bytecode generator does,
123         like allocating constants and identifiers. Basic block linking relies on
124         bytecode indices, which are only meaningful within the context of one basic
125         block. This is fine, so long as linking is done eagerly whenever switching
126         from one code block to another.
127
128         * bytecode/CodeOrigin.h:
129         (JSC::CodeOrigin::CodeOrigin):
130         * bytecompiler/BytecodeGenerator.h:
131         * dfg/DFGBasicBlock.h:
132         * dfg/DFGByteCodeParser.cpp:
133         (JSC::DFG::ByteCodeParser::ByteCodeParser):
134         (JSC::DFG::ByteCodeParser::get):
135         (JSC::DFG::ByteCodeParser::set):
136         (JSC::DFG::ByteCodeParser::getThis):
137         (JSC::DFG::ByteCodeParser::setThis):
138         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
139         (JSC::DFG::ByteCodeParser::getPrediction):
140         (JSC::DFG::ByteCodeParser::makeSafe):
141         (JSC::DFG::ByteCodeParser::makeDivSafe):
142         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
143         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
144         (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
145         (JSC::DFG::ByteCodeParser::parseBlock):
146         (JSC::DFG::ByteCodeParser::linkBlock):
147         (JSC::DFG::ByteCodeParser::linkBlocks):
148         (JSC::DFG::ByteCodeParser::setupPredecessors):
149         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
150         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
151         (JSC::DFG::ByteCodeParser::parseCodeBlock):
152         (JSC::DFG::ByteCodeParser::parse):
153         * dfg/DFGGraph.h:
154         (JSC::DFG::GetBytecodeBeginForBlock::GetBytecodeBeginForBlock):
155         (JSC::DFG::GetBytecodeBeginForBlock::operator()):
156         (JSC::DFG::Graph::blockIndexForBytecodeOffset):
157         * dfg/DFGNode.h:
158         * runtime/Identifier.h:
159         (JSC::IdentifierMapIndexHashTraits::emptyValue):
160         * runtime/JSValue.h:
161         * wtf/StdLibExtras.h:
162         (WTF::binarySearchWithFunctor):
163
164 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
165
166         Incorrect behavior from String match/search & undefined pattern
167         https://bugs.webkit.org/show_bug.cgi?id=70286
168
169         Reviewed by Sam Weinig.
170
171         * runtime/StringPrototype.cpp:
172         (JSC::stringProtoFuncMatch):
173             - In case of undefined, pattern is "".
174         (JSC::stringProtoFuncSearch):
175             - In case of undefined, pattern is "".
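
Both the String.prototype.replace entry above (a non-RegExp pattern is converted before the replacement value) and this match/search entry describe behaviour a script can check directly. The following is an added example, not WebKit code; the pattern and replacement objects with recording toString methods are constructed here:

```javascript
// Added example (not WebKit code): observable conversion order and
// undefined-pattern handling in String.prototype.replace/match/search.

// A non-RegExp pattern is converted with ToString before the replacement
// value is, so the order recorded here is ['pattern', 'replacement'].
function replaceConversionOrder() {
  const order = [];
  const pattern = { toString() { order.push('pattern'); return 'b'; } };
  const replacement = { toString() { order.push('replacement'); return 'X'; } };
  const result = 'abc'.replace(pattern, replacement);
  return { result, order }; // { result: 'aXc', order: ['pattern', 'replacement'] }
}

// If the pattern's conversion throws, the replacement's toString must never run.
function replaceWithThrowingPattern() {
  let replacementConverted = false;
  const pattern = { toString() { throw new RangeError('pattern converted first'); } };
  const replacement = { toString() { replacementConverted = true; return 'X'; } };
  let threw = false;
  try {
    'abc'.replace(pattern, replacement);
  } catch (e) {
    threw = e instanceof RangeError;
  }
  return { threw, replacementConverted }; // { threw: true, replacementConverted: false }
}

// An undefined pattern behaves as the empty pattern: match finds '' at
// index 0 and search reports 0.
function matchAndSearchUndefined() {
  const m = 'abc'.match(undefined);
  return {
    matchedText: m[0],                    // ''
    matchIndex: m.index,                  // 0
    searchIndex: 'abc'.search(undefined), // 0
  };
}
```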
176
177 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
178
179         https://bugs.webkit.org/show_bug.cgi?id=70207
180         After deleting __defineSetter__, it is absent but appears in name list
181
182         Reviewed by Darin Adler.
183
184         * runtime/JSObject.cpp:
185         (JSC::JSObject::getOwnPropertyNames):
186             - This should check whether static functions have been reified.
187
188 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
189
190         Mac build fix.
191
192         * JavaScriptCore.exp: Export!
193
194 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
195
196         Windows build fix.
197
198         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export!
199
200 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
201
202         Windows build fix.
203
204         * heap/HandleStack.cpp: Added a missing #include.
205
206 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
207
208         Windows build fix.
209
210         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed no
211         longer existent symbol.
212
213         * heap/MarkStack.cpp:
214         (JSC::MarkStackArray::shrinkAllocation): Cast to the right type.
215
216 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
217
218         Simplified GC marking logic
219         https://bugs.webkit.org/show_bug.cgi?id=70258
220
221         Reviewed by Filip Pizlo.
222         
223         No perf. change.
224         
225         This is a first step toward GC allocating string backing stores, starting
226         with ropes. It also enables future simplifications and optimizations.
227         
228         - Replaced some complex mark stack logic with a simple linear stack of
229         JSCell pointers.
230         
231         - Replaced logic for short-circuiting marking based on JSType and/or
232         Structure flags with special cases for object, array, and string.
233         
234         - Fiddled with inlining for better codegen.
235
236         * JavaScriptCore.exp:
237         * heap/HandleStack.cpp: Build!
238
239         * heap/Heap.cpp:
240         (JSC::Heap::Heap): Provide more vptrs to SlotVisitor, for use in marking.
241
242         * heap/HeapRootVisitor.h: Removed unused functions that no longer build.
243
244         * heap/MarkStack.cpp:
245         (JSC::MarkStackArray::MarkStackArray):
246         (JSC::MarkStackArray::~MarkStackArray):
247         (JSC::MarkStackArray::expand):
248         (JSC::MarkStackArray::shrinkAllocation):
249         (JSC::MarkStack::reset):
250         (JSC::visitChildren):
251         (JSC::SlotVisitor::drain):
252         * heap/MarkStack.h:
253         (JSC::MarkStack::MarkStack):
254         (JSC::MarkStack::~MarkStack):
255         (JSC::MarkStackArray::append):
256         (JSC::MarkStackArray::removeLast):
257         (JSC::MarkStackArray::isEmpty):
258         (JSC::MarkStack::append):
259         (JSC::MarkStack::appendUnbarrieredPointer):
260         (JSC::MarkStack::internalAppend): Replaced complex mark set logic with
261         simple linear stack.
262
263         * heap/SlotVisitor.h:
264         (JSC::SlotVisitor::SlotVisitor): Updated for above changes.
265
266         * runtime/JSArray.cpp:
267         (JSC::JSArray::visitChildren):
268         * runtime/JSArray.h:
269         * runtime/JSObject.cpp:
270         (JSC::JSObject::visitChildren):
271         * runtime/JSObject.h: Don't inline visitChildren; it's too big.
272
273         * runtime/Structure.h:
274         (JSC::MarkStack::internalAppend): Nixed the short-circuit for CompoundType
275         because it prevented strings from owning GC pointers.
276
277         * runtime/WriteBarrier.h:
278         (JSC::MarkStack::appendValues): No need to validate; internalAppend will
279         do that for us.
280
281 2011-10-17  Adam Roben  <aroben@apple.com>
282
283         Windows build fix after r97536, part 3
284
285         * runtime/JSAPIValueWrapper.h:
286         * runtime/JSObject.h:
287         Use JS_EXPORTDATA to export the s_info members.
288
289 2011-10-17  Adam Roben  <aroben@apple.com>
290
291         Interpreter build fix after r97564
292
293         * runtime/Executable.cpp:
294         (JSC::FunctionExecutable::compileForCallInternal):
295         (JSC::FunctionExecutable::compileForConstructInternal):
296         Moved declaration of globalData variable into ENABLE(JIT) blocks, since it is only used
297         there.
298
299 2011-10-17  Adam Roben  <aroben@apple.com>
300
301         Windows build fix after r97536, part 2
302
303         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Added back
304         JSC::setUpStaticFunctionSlot with its new mangled name. Sorted the rest of the file while I
305         was at it.
306
307 2011-10-17  Adam Roben  <aroben@apple.com>
308
309         Windows build fix after r97536
310
311         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed export of
312         JSC::setUpStaticFunctionSlot, which no longer exists. Also removed incorrect exports of
313         s_info members, which need to be exported via JS_EXPORTDATA instead.
314
315 2011-10-17  Patrick Gansterer  <paroga@webkit.org>
316
317         Interpreter build fix after r97436, r97506, r97532 and r97537.
318
319         * interpreter/Interpreter.cpp:
320         (JSC::Interpreter::privateExecute):
321
322 2011-10-16  Adam Barth  <abarth@webkit.org>
323
324         Always disable ENABLE(ON_FIRST_TEXTAREA_FOCUS_SELECT_ALL) and delete associated code
325         https://bugs.webkit.org/show_bug.cgi?id=70216
326
327         Reviewed by Eric Seidel.
328
329         * wtf/Platform.h:
330
331 2011-10-16  Noel Gordon  <noel.gordon@gmail.com>
332
333         [chromium] Remove PageAllocatorSymbian.h, OSAllocatorSymbian.cpp, gtk/ThreadingGtk.cpp from gyp project files
334         https://bugs.webkit.org/show_bug.cgi?id=70205
335
336         Reviewed by James Robinson.
337
338         wtf/PageAllocatorSymbian.h and wtf/OSAllocatorSymbian.cpp were removed in r97557.
339         wtf/gtk/ThreadingGtk.cpp was removed in r97269.
340
341         * JavaScriptCore.gypi:
342
343 2011-10-16  Adam Barth  <abarth@webkit.org>
344
345         Always enable ENABLE(DOM_STORAGE)
346         https://bugs.webkit.org/show_bug.cgi?id=70189
347
348         Reviewed by Eric Seidel.
349
350         * Configurations/FeatureDefines.xcconfig:
351
352 2011-10-15  Dan Horák  <dan@danny.cz>
353
354         The s390 and s390x architectures both use 64-bit double type
355         that conforms to the IEEE-754 standard.
356
357         https://bugs.webkit.org/show_bug.cgi?id=69940
358
359         Reviewed by Gavin Barraclough.
360
361         * wtf/dtoa/utils.h:
362
363 2011-10-14  Filip Pizlo  <fpizlo@apple.com>
364
365         FunctionExecutable should expose the ability to create unattached FunctionCodeBlocks
366         https://bugs.webkit.org/show_bug.cgi?id=70157
367
368         Reviewed by Geoff Garen.
369         
370         Added FunctionExecutable::produceCodeBlockFor() and rewired compileForCallInternal()
371         and compileForConstructInternal() to use this method. This required more cleanly
372         exposing some of CodeBlock's tiering functionality and moving the CompilationKind
373         enum to Executable.h, as this was the easiest way to make it available to the
374         declarations/definitions of CodeBlock, FunctionExecutable, and BytecodeGenerator.
375
376         * bytecode/CodeBlock.cpp:
377         (JSC::CodeBlock::copyDataFrom):
378         (JSC::CodeBlock::copyDataFromAlternative):
379         * bytecode/CodeBlock.h:
380         (JSC::CodeBlock::setAlternative):
381         * bytecompiler/BytecodeGenerator.h:
382         * runtime/Executable.cpp:
383         (JSC::EvalExecutable::compileInternal):
384         (JSC::ProgramExecutable::compileInternal):
385         (JSC::FunctionExecutable::produceCodeBlockFor):
386         (JSC::FunctionExecutable::compileForCallInternal):
387         (JSC::FunctionExecutable::compileForConstructInternal):
388         * runtime/Executable.h:
389         (JSC::FunctionExecutable::codeBlockFor):
390
391 2011-10-15  Laszlo Gombos  <laszlo.1.gombos@nokia.com>
392
393         [Qt] [Symbian] Remove support for the Symbian platform for the QtWebKit port
394         https://bugs.webkit.org/show_bug.cgi?id=69920
395
396         Reviewed by Kenneth Rohde Christiansen.
397
398         * JavaScriptCore.pri:
399         * JavaScriptCore.pro:
400         * heap/MarkStack.h:
401         (JSC::::shrinkAllocation):
402         * jit/ExecutableAllocator.cpp:
403         * jit/ExecutableAllocator.h:
404         (JSC::ExecutableAllocator::cacheFlush):
405         * jit/JITStubs.cpp:
406         * jsc.pro:
407         * runtime/ArrayPrototype.cpp:
408         (JSC::arrayProtoFuncToString):
409         * runtime/DatePrototype.cpp:
410         (JSC::formatLocaleDate):
411         * runtime/StringPrototype.cpp:
412         (JSC::stringProtoFuncLastIndexOf):
413         * runtime/TimeoutChecker.cpp:
414         (JSC::getCPUTime):
415         * wtf/Assertions.cpp:
416         * wtf/Assertions.h:
417         * wtf/Atomics.h:
418         * wtf/MathExtras.h:
419         * wtf/OSAllocator.h:
420         (WTF::OSAllocator::decommitAndRelease):
421         * wtf/OSAllocatorSymbian.cpp: Removed.
422         * wtf/OSRandomSource.cpp:
423         (WTF::cryptographicallyRandomValuesFromOS):
424         * wtf/PageAllocation.h:
425         * wtf/PageAllocatorSymbian.h: Removed.
426         * wtf/PageBlock.cpp:
427         * wtf/Platform.h:
428         * wtf/StackBounds.cpp:
429         * wtf/wtf.pri:
430
431 2011-10-15  Yuqiang Xian  <yuqiang.xian@intel.com>
432
433         Trivial fix for a missing change in r97512
434         https://bugs.webkit.org/show_bug.cgi?id=70166
435
436         Reviewed by Gavin Barraclough.
437
438         * dfg/DFGJITCompiler32_64.cpp:
439         (JSC::DFG::JITCompiler::link):
440
441 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
442
443         Rename getOwnPropertySlot to getOwnPropertySlotVirtual
444         https://bugs.webkit.org/show_bug.cgi?id=69810
445
446         Reviewed by Geoffrey Garen.
447
448         Renamed the virtual version of getOwnPropertySlot to getOwnPropertySlotVirtual
449         in preparation for when we add the static getOwnPropertySlot to the MethodTable 
450         in ClassInfo.
451
452         Also added a few static getOwnPropertySlot functions where they had been overlooked 
453         before (especially in CodeGeneratorJS.pm).
454
455         * API/JSCallbackObject.h:
456         * API/JSCallbackObjectFunctions.h:
457         (JSC::::getOwnPropertySlotVirtual):
458         (JSC::::getOwnPropertySlot):
459         (JSC::::getOwnPropertyDescriptor):
460         (JSC::::staticFunctionGetter):
461         * JavaScriptCore.exp:
462         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
463         * debugger/DebuggerActivation.cpp:
464         (JSC::DebuggerActivation::getOwnPropertySlotVirtual):
465         (JSC::DebuggerActivation::getOwnPropertySlot):
466         * debugger/DebuggerActivation.h:
467         * runtime/Arguments.cpp:
468         (JSC::Arguments::getOwnPropertySlotVirtual):
469         (JSC::Arguments::getOwnPropertySlot):
470         * runtime/Arguments.h:
471         * runtime/ArrayConstructor.cpp:
472         (JSC::ArrayConstructor::getOwnPropertySlotVirtual):
473         (JSC::ArrayConstructor::getOwnPropertySlot):
474         * runtime/ArrayConstructor.h:
475         * runtime/ArrayPrototype.cpp:
476         (JSC::ArrayPrototype::getOwnPropertySlotVirtual):
477         * runtime/ArrayPrototype.h:
478         * runtime/BooleanPrototype.cpp:
479         (JSC::BooleanPrototype::getOwnPropertySlotVirtual):
480         * runtime/BooleanPrototype.h:
481         * runtime/DateConstructor.cpp:
482         (JSC::DateConstructor::getOwnPropertySlotVirtual):
483         * runtime/DateConstructor.h:
484         * runtime/DatePrototype.cpp:
485         (JSC::DatePrototype::getOwnPropertySlotVirtual):
486         * runtime/DatePrototype.h:
487         * runtime/ErrorPrototype.cpp:
488         (JSC::ErrorPrototype::getOwnPropertySlotVirtual):
489         * runtime/ErrorPrototype.h:
490         * runtime/JSActivation.cpp:
491         (JSC::JSActivation::getOwnPropertySlotVirtual):
492         * runtime/JSActivation.h:
493         * runtime/JSArray.cpp:
494         (JSC::JSArray::getOwnPropertySlotVirtual):
495         (JSC::JSArray::getOwnPropertySlot):
496         * runtime/JSArray.h:
497         * runtime/JSBoundFunction.cpp:
498         (JSC::JSBoundFunction::getOwnPropertySlotVirtual):
499         * runtime/JSBoundFunction.h:
500         * runtime/JSByteArray.cpp:
501         (JSC::JSByteArray::getOwnPropertySlotVirtual):
502         * runtime/JSByteArray.h:
503         * runtime/JSCell.cpp:
504         (JSC::JSCell::getOwnPropertySlotVirtual):
505         * runtime/JSCell.h:
506         * runtime/JSFunction.cpp:
507         (JSC::JSFunction::getOwnPropertySlotVirtual):
508         (JSC::JSFunction::getOwnPropertyDescriptor):
509         (JSC::JSFunction::getOwnPropertyNames):
510         (JSC::JSFunction::put):
511         * runtime/JSFunction.h:
512         * runtime/JSGlobalObject.cpp:
513         (JSC::JSGlobalObject::getOwnPropertySlotVirtual):
514         * runtime/JSGlobalObject.h:
515         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
516         * runtime/JSNotAnObject.cpp:
517         (JSC::JSNotAnObject::getOwnPropertySlotVirtual):
518         * runtime/JSNotAnObject.h:
519         * runtime/JSONObject.cpp:
520         (JSC::Stringifier::Holder::appendNextProperty):
521         (JSC::JSONObject::getOwnPropertySlotVirtual):
522         (JSC::Walker::walk):
523         * runtime/JSONObject.h:
524         * runtime/JSObject.cpp:
525         (JSC::JSObject::getOwnPropertySlotVirtual):
526         (JSC::JSObject::getOwnPropertySlot):
527         (JSC::JSObject::hasOwnProperty):
528         * runtime/JSObject.h:
529         (JSC::JSObject::getOwnPropertySlotVirtual):
530         (JSC::JSCell::fastGetOwnPropertySlot):
531         (JSC::JSObject::getPropertySlot):
532         (JSC::JSValue::get):
533         * runtime/JSStaticScopeObject.cpp:
534         (JSC::JSStaticScopeObject::getOwnPropertySlotVirtual):
535         * runtime/JSStaticScopeObject.h:
536         * runtime/JSString.cpp:
537         (JSC::JSString::getOwnPropertySlotVirtual):
538         (JSC::JSString::getOwnPropertySlot):
539         * runtime/JSString.h:
540         * runtime/Lookup.h:
541         (JSC::getStaticPropertySlot):
542         (JSC::getStaticFunctionSlot):
543         (JSC::getStaticValueSlot):
544         * runtime/MathObject.cpp:
545         (JSC::MathObject::getOwnPropertySlotVirtual):
546         * runtime/MathObject.h:
547         * runtime/NumberConstructor.cpp:
548         (JSC::NumberConstructor::getOwnPropertySlotVirtual):
549         * runtime/NumberConstructor.h:
550         * runtime/NumberPrototype.cpp:
551         (JSC::NumberPrototype::getOwnPropertySlotVirtual):
552         * runtime/NumberPrototype.h:
553         * runtime/ObjectConstructor.cpp:
554         (JSC::ObjectConstructor::getOwnPropertySlotVirtual):
555         * runtime/ObjectConstructor.h:
556         * runtime/ObjectPrototype.cpp:
557         (JSC::ObjectPrototype::getOwnPropertySlotVirtual):
558         * runtime/ObjectPrototype.h:
559         * runtime/RegExpConstructor.cpp:
560         (JSC::RegExpConstructor::getOwnPropertySlotVirtual):
561         * runtime/RegExpConstructor.h:
562         * runtime/RegExpMatchesArray.h:
563         (JSC::RegExpMatchesArray::getOwnPropertySlotVirtual):
564         * runtime/RegExpObject.cpp:
565         (JSC::RegExpObject::getOwnPropertySlotVirtual):
566         * runtime/RegExpObject.h:
567         * runtime/RegExpPrototype.cpp:
568         (JSC::RegExpPrototype::getOwnPropertySlotVirtual):
569         * runtime/RegExpPrototype.h:
570         * runtime/StringConstructor.cpp:
571         (JSC::StringConstructor::getOwnPropertySlotVirtual):
572         * runtime/StringConstructor.h:
573         * runtime/StringObject.cpp:
574         (JSC::StringObject::getOwnPropertySlotVirtual):
575         * runtime/StringObject.h:
576         * runtime/StringPrototype.cpp:
577         (JSC::StringPrototype::getOwnPropertySlotVirtual):
578         * runtime/StringPrototype.h:
579
580 2011-10-14  Gavin Barraclough  <baraclough@apple.com>
581
582         Most built-in properties are not deletable
583         https://bugs.webkit.org/show_bug.cgi?id=61014
584
585         Reviewed by Filip Pizlo.
586
587         Our static hash tables don't allow for deleting properties.
588         This is the cause of a bunch of expected failures in LayoutTests/sputnik.
589
590         This fixes the problem by reifying all static functions immediately prior
591         to the first deletion.  Reification is tracked by a flag on the structure,
592         so properties will no longer 'bounce-back' on later access.
593
594         Theoretically there could probably also be an issue with custom accessor
595         properties, but we probably do not really require any of these to be
596         Configurable anyway. I'll follow up with a separate patch to address this.
597
598         * runtime/ClassInfo.h:
599         (JSC::ClassInfo::hasStaticProperties):
600             - detects static property tables.
601         * runtime/JSObject.cpp:
602         (JSC::JSObject::deleteProperty):
603             - call reifyStaticFunctions before deletion.
604         (JSC::JSObject::reifyStaticFunctions):
605             - If the class has static functions, set them up now.
606         * runtime/JSObject.h:
607         (JSC::JSObject::staticFunctionsReified):
608             - returns true if static functions have been reified,
609               and as such should no longer be added.
610         * runtime/Lookup.cpp:
611         (JSC::setUpStaticFunctionSlot):
612             - If static functions have been reified do not add.
613         * runtime/Lookup.h:
614         (JSC::HashTable::ConstIterator::ConstIterator):
615         (JSC::HashTable::ConstIterator::operator->):
616         (JSC::HashTable::ConstIterator::operator*):
617         (JSC::HashTable::ConstIterator::operator!=):
618         (JSC::HashTable::ConstIterator::operator++):
619         (JSC::HashTable::ConstIterator::skipInvalidKeys):
620         (JSC::HashTable::begin):
621         (JSC::HashTable::end):
622         (JSC::getStaticPropertySlot):
623         (JSC::getStaticPropertyDescriptor):
624         (JSC::getStaticFunctionSlot):
625         (JSC::getStaticFunctionDescriptor):
626             - setUpStaticFunctionSlot may not add, returns a bool.
627         (JSC::lookupPut):
628             - remove redundant branch.
629         * runtime/Structure.cpp:
630         (JSC::Structure::Structure):
631             - initialize new flag in constructors.
632         * runtime/Structure.h:
633         (JSC::Structure::staticFunctionsReified):
634         (JSC::Structure::setStaticFunctionsReified):
635             - added flag
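
The reification described here, together with the getOwnPropertyNames fix for __defineSetter__ earlier in this log, is observable as: deleting a built-in function succeeds, the name then disappears from Object.getOwnPropertyNames and from `in`, and it does not come back on a later lookup. The following is an added example, not WebKit code; it deletes the property on the live built-in and restores it from the saved descriptor afterwards so the rest of the program is unaffected:

```javascript
// Added example (not WebKit code): a deleted built-in function must stay
// deleted and must no longer be listed, rather than "bouncing back" from a
// static table. The property is restored afterwards from its saved descriptor.
function deleteBuiltinAndInspect(target, name) {
  const saved = Object.getOwnPropertyDescriptor(target, name);
  if (saved === undefined) throw new Error(name + ' is not an own property of the target');
  const report = { deleted: false, listed: true, present: true, bouncedBack: true };
  try {
    report.deleted = delete target[name];
    report.listed = Object.getOwnPropertyNames(target).includes(name);
    report.present = name in target;
    // A second lookup after deletion is where a static table would "bounce back".
    report.bouncedBack = Object.getOwnPropertyDescriptor(target, name) !== undefined;
  } finally {
    Object.defineProperty(target, name, saved);
  }
  return report;
}

// deleteBuiltinAndInspect(Object.prototype, '__defineSetter__')
//   -> { deleted: true, listed: false, present: false, bouncedBack: false }
// deleteBuiltinAndInspect(Math, 'abs') -> same values
```

Before this change an engine backed by static hash tables would report deleted true but listed true (the __defineSetter__ entry) or bouncedBack true (this entry); after it, all three follow-up checks agree with the delete result.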
636
637 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
638
639         Rename virtual put to putVirtual
640         https://bugs.webkit.org/show_bug.cgi?id=69851
641
642         Reviewed by Darin Adler.
643
644         Renamed virtual versions of put to putVirtual in preparation for 
645         adding the static put to the MethodTable in ClassInfo since the 
646         compiler gets mad if the virtual and static versions have the same 
647         name.
648
649         * API/JSCallbackObject.h:
650         * API/JSCallbackObjectFunctions.h:
651         (JSC::::putVirtual):
652         * API/JSObjectRef.cpp:
653         (JSObjectSetProperty):
654         (JSObjectSetPropertyAtIndex):
655         * JavaScriptCore.exp:
656         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
657         * debugger/DebuggerActivation.cpp:
658         (JSC::DebuggerActivation::putVirtual):
659         (JSC::DebuggerActivation::put):
660         * debugger/DebuggerActivation.h:
661         * dfg/DFGOperations.cpp:
662         (JSC::DFG::putByVal):
663         * interpreter/Interpreter.cpp:
664         (JSC::Interpreter::execute):
665         * jit/JITStubs.cpp:
666         (JSC::DEFINE_STUB_FUNCTION):
667         * jsc.cpp:
668         (GlobalObject::finishCreation):
669         * runtime/Arguments.cpp:
670         (JSC::Arguments::putVirtual):
671         * runtime/Arguments.h:
672         * runtime/ArrayPrototype.cpp:
673         (JSC::putProperty):
674         (JSC::arrayProtoFuncConcat):
675         (JSC::arrayProtoFuncPush):
676         (JSC::arrayProtoFuncReverse):
677         (JSC::arrayProtoFuncShift):
678         (JSC::arrayProtoFuncSlice):
679         (JSC::arrayProtoFuncSort):
680         (JSC::arrayProtoFuncSplice):
681         (JSC::arrayProtoFuncUnShift):
682         (JSC::arrayProtoFuncFilter):
683         (JSC::arrayProtoFuncMap):
684         * runtime/JSActivation.cpp:
685         (JSC::JSActivation::putVirtual):
686         * runtime/JSActivation.h:
687         * runtime/JSArray.cpp:
688         (JSC::JSArray::putVirtual):
689         (JSC::JSArray::putSlowCase):
690         (JSC::JSArray::push):
691         (JSC::JSArray::shiftCount):
692         (JSC::JSArray::unshiftCount):
693         * runtime/JSArray.h:
694         * runtime/JSByteArray.cpp:
695         (JSC::JSByteArray::putVirtual):
696         * runtime/JSByteArray.h:
697         * runtime/JSCell.cpp:
698         (JSC::JSCell::putVirtual):
699         (JSC::JSCell::put):
700         * runtime/JSCell.h:
701         * runtime/JSFunction.cpp:
702         (JSC::JSFunction::putVirtual):
703         * runtime/JSFunction.h:
704         * runtime/JSGlobalObject.cpp:
705         (JSC::JSGlobalObject::putVirtual):
706         (JSC::JSGlobalObject::putWithAttributes):
707         * runtime/JSGlobalObject.h:
708         * runtime/JSNotAnObject.cpp:
709         (JSC::JSNotAnObject::putVirtual):
710         * runtime/JSNotAnObject.h:
711         * runtime/JSONObject.cpp:
712         (JSC::Walker::walk):
713         * runtime/JSObject.cpp:
714         (JSC::JSObject::putVirtual):
715         (JSC::JSObject::put):
716         (JSC::JSObject::defineOwnProperty):
717         * runtime/JSObject.h:
718         (JSC::JSValue::put):
719         * runtime/JSStaticScopeObject.cpp:
720         (JSC::JSStaticScopeObject::putVirtual):
721         * runtime/JSStaticScopeObject.h:
722         * runtime/Lookup.h:
723         (JSC::lookupPut):
724         * runtime/ObjectPrototype.cpp:
725         (JSC::ObjectPrototype::putVirtual):
726         * runtime/ObjectPrototype.h:
727         * runtime/RegExpConstructor.cpp:
728         (JSC::RegExpMatchesArray::fillArrayInstance):
729         (JSC::RegExpConstructor::putVirtual):
730         * runtime/RegExpConstructor.h:
731         * runtime/RegExpMatchesArray.h:
732         (JSC::RegExpMatchesArray::putVirtual):
733         * runtime/RegExpObject.cpp:
734         (JSC::RegExpObject::putVirtual):
735         * runtime/RegExpObject.h:
736         * runtime/StringObject.cpp:
737         (JSC::StringObject::putVirtual):
738         * runtime/StringObject.h:
739         * runtime/StringPrototype.cpp:
740         (JSC::stringProtoFuncSplit):
741
742 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
743
744         Reflective Arguments retrieval should be hardened for the
745         possibility of inlining
746         https://bugs.webkit.org/show_bug.cgi?id=70068
747
748         Reviewed by Oliver Hunt.
749         
750         CodeBlock can now track, as part of its RareData, the virtual inline
751         stack at callsites. CallFrame walking can now rematerialize "inline"
752         CallFrames by combining the meta-data in CodeBlock with the information
753         already in the JS stack. Arguments can now safely retrieve the
754         arguments from inline CallFrames.
755         
756         The DFG already had the notion of a "CodeOrigin" in preparation for
757         inlining. This notion will now be saved into the CodeBlock, if the DFG
758         had done inlining. So, CodeOrigin has been moved to bytecode/ and has
759         been changed to behave more like a struct since that is how it's
760         meant to be used.
761
762         * GNUmakefile.list.am:
763         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
764         * JavaScriptCore.xcodeproj/project.pbxproj:
765         * bytecode/CodeBlock.h:
766         (JSC::CodeBlock::inlineCallFrames):
767         (JSC::CodeBlock::codeOrigins):
768         (JSC::CodeBlock::hasCodeOrigins):
769         (JSC::CodeBlock::codeOriginForReturn):
770         * bytecode/CodeOrigin.h: Added.
771         (JSC::CodeOrigin::CodeOrigin):
772         (JSC::CodeOrigin::isSet):
773         (JSC::getCallReturnOffsetForCodeOrigin):
774         * dfg/DFGJITCompiler.cpp:
775         (JSC::DFG::JITCompiler::link):
776         * dfg/DFGNode.h:
777         * dfg/DFGSpeculativeJIT.cpp:
778         (JSC::DFG::SpeculativeJIT::compile):
779         * dfg/DFGSpeculativeJIT32_64.cpp:
780         (JSC::DFG::SpeculativeJIT::compile):
781         * dfg/DFGSpeculativeJIT64.cpp:
782         (JSC::DFG::SpeculativeJIT::compile):
783         * interpreter/CallFrame.cpp:
784         (JSC::CallFrame::isInlineCallFrame):
785         (JSC::CallFrame::trueCallerFrame):
786         * interpreter/CallFrame.h:
787         (JSC::ExecState::inlineCallFrame):
788         (JSC::ExecState::setInlineCallFrame):
789         (JSC::ExecState::isInlineCallFrame):
790         (JSC::ExecState::trueCallerFrame):
791         * interpreter/Interpreter.cpp:
792         (JSC::Interpreter::findFunctionCallFrame):
793         * interpreter/Register.h:
794         (JSC::Register::operator=):
795         (JSC::Register::inlineCallFrame):
796         * runtime/Arguments.h:
797         (JSC::Arguments::getArgumentsData):
798         (JSC::Arguments::finishCreationButDontCopyRegisters):
799         (JSC::Arguments::finishCreation):
800         (JSC::Arguments::finishCreationAndCopyRegisters):
801         * runtime/Executable.h:
802         (JSC::FunctionExecutable::parameterCount):
803
804 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
805
806         Rename virtual deleteProperty to deletePropertyVirtual
807         https://bugs.webkit.org/show_bug.cgi?id=69884
808
809         Reviewed by Darin Adler.
810
811         Renamed virtual versions of deleteProperty to deletePropertyVirtual in preparation for 
812         adding the static deleteProperty to the MethodTable in ClassInfo since the 
813         compiler gets mad if the virtual and static versions have the same name.
814
815         * API/JSCallbackObject.h:
816         * API/JSCallbackObjectFunctions.h:
817         (JSC::::deletePropertyVirtual):
818         (JSC::::deleteProperty):
819         * API/JSObjectRef.cpp:
820         (JSObjectDeleteProperty):
821         * JavaScriptCore.exp:
822         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
823         * debugger/DebuggerActivation.cpp:
824         (JSC::DebuggerActivation::deletePropertyVirtual):
825         (JSC::DebuggerActivation::deleteProperty):
826         * debugger/DebuggerActivation.h:
827         * jit/JITStubs.cpp:
828         (JSC::DEFINE_STUB_FUNCTION):
829         * runtime/Arguments.cpp:
830         (JSC::Arguments::deletePropertyVirtual):
831         * runtime/Arguments.h:
832         * runtime/ArrayPrototype.cpp:
833         (JSC::arrayProtoFuncPop):
834         (JSC::arrayProtoFuncReverse):
835         (JSC::arrayProtoFuncShift):
836         (JSC::arrayProtoFuncSplice):
837         (JSC::arrayProtoFuncUnShift):
838         * runtime/JSActivation.cpp:
839         (JSC::JSActivation::deletePropertyVirtual):
840         * runtime/JSActivation.h:
841         * runtime/JSArray.cpp:
842         (JSC::JSArray::deletePropertyVirtual):
843         (JSC::JSArray::deleteProperty):
844         * runtime/JSArray.h:
845         * runtime/JSCell.cpp:
846         (JSC::JSCell::deletePropertyVirtual):
847         (JSC::JSCell::deleteProperty):
848         * runtime/JSCell.h:
849         * runtime/JSFunction.cpp:
850         (JSC::JSFunction::deletePropertyVirtual):
851         * runtime/JSFunction.h:
852         * runtime/JSNotAnObject.cpp:
853         (JSC::JSNotAnObject::deletePropertyVirtual):
854         * runtime/JSNotAnObject.h:
855         * runtime/JSONObject.cpp:
856         (JSC::Walker::walk):
857         * runtime/JSObject.cpp:
858         (JSC::JSObject::deletePropertyVirtual):
859         (JSC::JSObject::deleteProperty):
860         (JSC::JSObject::defineOwnProperty):
861         * runtime/JSObject.h:
862         * runtime/JSVariableObject.cpp:
863         (JSC::JSVariableObject::deletePropertyVirtual):
864         * runtime/JSVariableObject.h:
865         * runtime/RegExpMatchesArray.h:
866         (JSC::RegExpMatchesArray::deletePropertyVirtual):
867         * runtime/StrictEvalActivation.cpp:
868         (JSC::StrictEvalActivation::deletePropertyVirtual):
869         * runtime/StrictEvalActivation.h:
870         * runtime/StringObject.cpp:
871         (JSC::StringObject::deletePropertyVirtual):
872         * runtime/StringObject.h:
873
874 2011-10-14  Peter Beverloo  <peter@chromium.org>
875
876         [Chromium] Inherit settings from Chromium's envsetup.sh, address a NDK todo
877         https://bugs.webkit.org/show_bug.cgi?id=70028
878
879         Reviewed by Adam Barth.
880
881         * JavaScriptCore.gyp/JavaScriptCore.gyp:
882
883 2011-10-14  Yuqiang Xian  <yuqiang.xian@intel.com>
884
885         DFG JIT 32_64 - Performance fix for ResolveGlobal
886         https://bugs.webkit.org/show_bug.cgi?id=70096
887
888         Reviewed by Gavin Barraclough.
889
890         Structure check of global object should be a pointer comparison
891         instead of a tag and payload pair comparison. This fix improves
892         SunSpider by 7% on Linux 32, with bitops-bitwise-and improved by 4.75X.
893         Also two trivial fixes for successful 32-bit build are included.
894
895         * dfg/DFGSpeculativeJIT.cpp:
896         * dfg/DFGSpeculativeJIT32_64.cpp:
897         (JSC::DFG::SpeculativeJIT::compile):
898
899 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
900
901         Speculation failures in ValueToInt32 are causing a 2x slow-down
902         in Kraken/stanford-crypto-pbkdf2
903         https://bugs.webkit.org/show_bug.cgi?id=70089
904
905         Reviewed by Gavin Barraclough.
906         
907         If we can't truncate to Int32 using machine code, then don't fail
908         speculation. Just call JSC::toInt32.
909
910         * dfg/DFGJITCodeGenerator.h:
911         (JSC::DFG::callOperation):
912         * dfg/DFGOperations.h:
913         * dfg/DFGSpeculativeJIT.cpp:
914         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
915         * dfg/DFGSpeculativeJIT64.cpp:
916         (JSC::DFG::SpeculativeJIT::compile):
917
918 2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>
919
920         Rename virtual getConstructData to getConstructDataVirtual
921         https://bugs.webkit.org/show_bug.cgi?id=69872
922
923         Reviewed by Geoffrey Garen.
924
925         Renamed virtual getConstructData functions to getConstructDataVirtual to 
926         avoid conflicts when we add static getConstructData to the MethodTable.
927
928         * API/JSCallbackConstructor.cpp:
929         (JSC::JSCallbackConstructor::getConstructDataVirtual):
930         * API/JSCallbackConstructor.h:
931         * API/JSCallbackObject.h:
932         * API/JSCallbackObjectFunctions.h:
933         (JSC::::getConstructDataVirtual):
934         * API/JSObjectRef.cpp:
935         (JSObjectIsConstructor):
936         (JSObjectCallAsConstructor):
937         * JavaScriptCore.exp:
938         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
939         * dfg/DFGOperations.cpp:
940         * jit/JITStubs.cpp:
941         (JSC::DEFINE_STUB_FUNCTION):
942         * runtime/ArrayConstructor.cpp:
943         (JSC::ArrayConstructor::getConstructDataVirtual):
944         * runtime/ArrayConstructor.h:
945         * runtime/BooleanConstructor.cpp:
946         (JSC::BooleanConstructor::getConstructDataVirtual):
947         * runtime/BooleanConstructor.h:
948         * runtime/DateConstructor.cpp:
949         (JSC::DateConstructor::getConstructDataVirtual):
950         * runtime/DateConstructor.h:
951         * runtime/Error.h:
952         (JSC::StrictModeTypeErrorFunction::getConstructDataVirtual):
953         * runtime/ErrorConstructor.cpp:
954         (JSC::ErrorConstructor::getConstructDataVirtual):
955         * runtime/ErrorConstructor.h:
956         * runtime/FunctionConstructor.cpp:
957         (JSC::FunctionConstructor::getConstructDataVirtual):
958         * runtime/FunctionConstructor.h:
959         * runtime/JSCell.cpp:
960         (JSC::JSCell::getConstructDataVirtual):
961         * runtime/JSCell.h:
962         (JSC::getConstructData):
963         * runtime/JSFunction.cpp:
964         (JSC::JSFunction::getConstructDataVirtual):
965         * runtime/JSFunction.h:
966         * runtime/NativeErrorConstructor.cpp:
967         (JSC::NativeErrorConstructor::getConstructDataVirtual):
968         * runtime/NativeErrorConstructor.h:
969         * runtime/NumberConstructor.cpp:
970         (JSC::NumberConstructor::getConstructDataVirtual):
971         * runtime/NumberConstructor.h:
972         * runtime/ObjectConstructor.cpp:
973         (JSC::ObjectConstructor::getConstructDataVirtual):
974         * runtime/ObjectConstructor.h:
975         * runtime/RegExpConstructor.cpp:
976         (JSC::RegExpConstructor::getConstructDataVirtual):
977         * runtime/RegExpConstructor.h:
978         * runtime/StringConstructor.cpp:
979         (JSC::StringConstructor::getConstructDataVirtual):
980         * runtime/StringConstructor.h:
981
982 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
983
984         Rubber stamped Stephanie Lewis.
985         
986         DFG_ENABLE() macro was always returning false.
987
988         * dfg/DFGNode.h:
989
990 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
991
992         Speculative build fix for !DFG builds.
993
994         * jit/JIT.cpp:
995         (JSC::JIT::privateCompile):
996
997 2011-10-13  Oliver Hunt  <oliver@apple.com>
998
999         Fix performance of ValueToInt32 node when predicting double
1000         https://bugs.webkit.org/show_bug.cgi?id=70063
1001
1002         Reviewed by Filip Pizlo.
1003
1004         Currently we fail to inline double to int conversion when
1005         performing a ValueToInt32 operation on a value we predict
1006         to be a double.
1007
1008         * dfg/DFGAbstractState.cpp:
1009         (JSC::DFG::AbstractState::execute):
1010            Apply correct filter for the double prediction path
1011         * dfg/DFGJITCodeGenerator32_64.cpp:
1012         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1013         * dfg/DFGJITCodeGenerator64.cpp:
1014         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1015            Support double parameters even when value has been spilled.
1016         * dfg/DFGSpeculativeJIT.cpp:
1017         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1018            Moved old valueToInt32 code to this function, and added
1019            path for double prediction
1020         * dfg/DFGSpeculativeJIT.h:
1021         * dfg/DFGSpeculativeJIT32_64.cpp:
1022         (JSC::DFG::SpeculativeJIT::compile):
1023         * dfg/DFGSpeculativeJIT64.cpp:
1024         (JSC::DFG::SpeculativeJIT::compile):
1025            Made the two implementations of ValueToInt32 call a single
1026            shared compileValueToInt32 function.
1027
1028 2011-10-13  Chris Marrin  <cmarrin@apple.com>
1029
1030         Sync requestAnimationFrame callback to CVDisplayLink on Mac
1031         https://bugs.webkit.org/show_bug.cgi?id=68911
1032
1033         Reviewed by Simon Fraser.
1034
1035         Add REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for implementations
1036         that use the DisplayRefreshMonitor logic.
1037
1038         * wtf/Platform.h:
1039
1040 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1041
1042         DFG JIT should not be using ENABLE macro to enable features
1043         https://bugs.webkit.org/show_bug.cgi?id=70060
1044
1045         Reviewed by Oliver Hunt.
1046
1047         The ENABLE macro is only intended to be used to detect features that are configured
1048         in Platform.h. Using it to detect settings defined in other headers is an error.
1049
1050         The problem is that the ENABLE macro checks if the value is defined, so will silently
1051         return false if you fail to include the header defining the switch. This is not a problem
1052         if (1) the settings are defined in the same header that defines the macro that tests them,
1053         or (2) the header is included everywhere.  In the case of ENABLE settings defined in
1054         Platform.h, both are true! To make this clear, add an explicit DFG_ENABLE macro.
1055
1056         * bytecode/CodeBlock.cpp:
1057         * dfg/DFGByteCodeParser.cpp:
1058         (JSC::DFG::ByteCodeParser::getPrediction):
1059         (JSC::DFG::ByteCodeParser::makeSafe):
1060         * dfg/DFGCapabilities.h:
1061         (JSC::DFG::canCompileOpcode):
1062         * dfg/DFGGraph.cpp:
1063         (JSC::DFG::Graph::predictArgumentTypes):
1064         * dfg/DFGJITCodeGenerator.cpp:
1065         * dfg/DFGJITCodeGenerator.h:
1066         * dfg/DFGJITCompiler.cpp:
1067         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1068         (JSC::DFG::JITCompiler::compileBody):
1069         (JSC::DFG::JITCompiler::link):
1070         * dfg/DFGJITCompiler.h:
1071         (JSC::DFG::JITCompiler::noticeOSREntry):
1072         * dfg/DFGJITCompiler32_64.cpp:
1073         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1074         (JSC::DFG::JITCompiler::compileBody):
1075         (JSC::DFG::JITCompiler::link):
1076         * dfg/DFGNode.h:
1077         * dfg/DFGOSREntry.cpp:
1078         (JSC::DFG::prepareOSREntry):
1079         * dfg/DFGOperations.cpp:
1080         * dfg/DFGOperations.h:
1081         * dfg/DFGPropagator.cpp:
1082         (JSC::DFG::Propagator::fixpoint):
1083         (JSC::DFG::Propagator::propagateArithNodeFlags):
1084         (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
1085         (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
1086         (JSC::DFG::Propagator::propagateNodePredictions):
1087         (JSC::DFG::Propagator::propagatePredictionsForward):
1088         (JSC::DFG::Propagator::propagatePredictionsBackward):
1089         (JSC::DFG::Propagator::propagatePredictions):
1090         (JSC::DFG::Propagator::toDouble):
1091         (JSC::DFG::Propagator::fixupNode):
1092         (JSC::DFG::Propagator::fixup):
1093         (JSC::DFG::Propagator::startIndexForChildren):
1094         (JSC::DFG::Propagator::endIndexForPureCSE):
1095         (JSC::DFG::Propagator::setReplacement):
1096         (JSC::DFG::Propagator::eliminate):
1097         (JSC::DFG::Propagator::performNodeCSE):
1098         (JSC::DFG::Propagator::localCSE):
1099         (JSC::DFG::Propagator::allocateVirtualRegisters):
1100         (JSC::DFG::Propagator::performBlockCFA):
1101         (JSC::DFG::Propagator::performForwardCFA):
1102         (JSC::DFG::Propagator::globalCFA):
1103         * dfg/DFGScoreBoard.h:
1104         * dfg/DFGSpeculativeJIT.cpp:
1105         (JSC::DFG::SpeculativeJIT::compile):
1106         * dfg/DFGSpeculativeJIT.h:
1107         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1108         * dfg/DFGSpeculativeJIT32_64.cpp:
1109         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1110         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1111         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1112         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1113         (JSC::DFG::SpeculativeJIT::compile):
1114         * dfg/DFGSpeculativeJIT64.cpp:
1115         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1116         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1117         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1118         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1119         (JSC::DFG::SpeculativeJIT::compile):
1120         * jit/JIT.cpp:
1121         (JSC::JIT::privateCompile):
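
A constructed illustration of the pitfall this entry describes (added here, not WebKit code): an ENABLE-style check silently compiles a feature out when the header defining the switch was never included, beside a function-like-macro variant that fails at compile time instead. The macro definitions are simplified stand-ins, not the real Platform.h ENABLE() or the DFG_ENABLE macro the entry added.

```c
#include <stdio.h>

/*
 * Constructed example (not WebKit code) of the ENABLE() pitfall.
 *
 * Simulated Platform.h: the ENABLE() test macro and the ENABLE_* settings it
 * governs live in the same header, so every file that can call ENABLE() also
 * sees the settings. The macro is a simplified stand-in for WebKit's.
 */
#define ENABLE(FEATURE) (ENABLE_##FEATURE)
#define ENABLE_JIT 1

/* Setting defined in the same header as the macro: ENABLE(JIT) is 1 as intended. */
int jit_enabled(void)
{
#if ENABLE(JIT)
    return 1;
#else
    return 0;
#endif
}

/*
 * The pitfall: suppose ENABLE_DFG_OSR_ENTRY is defined as 1 in some other
 * header that this translation unit forgot to include. The preprocessor
 * treats an undefined identifier in #if as 0, so the check silently fails
 * and the feature's code is compiled out without any diagnostic.
 */
int osr_entry_enabled_without_its_header(void)
{
#if ENABLE(DFG_OSR_ENTRY)
    return 1;
#else
    return 0;
#endif
}

/*
 * A loud alternative (my construction, not the DFG_ENABLE macro from the
 * entry): the settings header defines each switch as a function-like macro
 * and DFG_ENABLE() invokes it. If the settings header is missing, the #if
 * contains a call to an undefined function-like macro, which GCC and Clang
 * reject with a hard error instead of quietly evaluating it to 0.
 */
#define DFG_ENABLE(FLAG) DFG_ENABLE_##FLAG()

/* Simulated DFG settings header, included this time. */
#define DFG_ENABLE_OSR_ENTRY() 1
#define DFG_ENABLE_DEBUG_VERBOSE() 0

int dfg_osr_entry_enabled(void)
{
#if DFG_ENABLE(OSR_ENTRY)
    return 1;
#else
    return 0;
#endif
}

int dfg_debug_verbose_enabled(void)
{
#if DFG_ENABLE(DEBUG_VERBOSE)
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    printf("ENABLE(JIT)                                = %d\n", jit_enabled());
    printf("ENABLE(DFG_OSR_ENTRY) without its header   = %d (silently off)\n",
           osr_entry_enabled_without_its_header());
    printf("DFG_ENABLE(OSR_ENTRY)                      = %d\n", dfg_osr_entry_enabled());
    printf("DFG_ENABLE(DEBUG_VERBOSE)                  = %d\n", dfg_debug_verbose_enabled());
    return 0;
}
```

To see the loud failure, comment out the two DFG_ENABLE_* definitions and rebuild: the #if lines then fail to preprocess rather than compiling the code out.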
1122
1123 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1124
1125         terminateSpeculativeExecution for fillSpeculateDouble with DataFormatCell
1126
1127         Rubber stamped by Filip Pizlo
1128
1129         This is breaking fast/canvas/canvas-composite-alpha.html on 32_64 DFG JIT.
1130
1131         * dfg/DFGSpeculativeJIT32_64.cpp:
1132         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1133         * dfg/DFGSpeculativeJIT64.cpp:
1134         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1135
1136 2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1137
1138         De-virtualized JSCell::toNumber
1139         https://bugs.webkit.org/show_bug.cgi?id=69858
1140
1141         Reviewed by Sam Weinig.
1142
1144         Removed JSCallbackObject::toNumber because it's no longer necessary: JSObject::toNumber
1145         now suffices, since we implicitly add valueOf to an object's prototype whenever a
1146         convertToType callback is provided.
1147         * API/JSCallbackObject.h:
1148         * API/JSCallbackObjectFunctions.h:
1149         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1150
1151         De-virtualized JSCell::toNumber, JSObject::toNumber, and JSString::toNumber.
1152         * runtime/JSCell.cpp:
1153         (JSC::JSCell::toNumber):
1154         * runtime/JSCell.h:
1155         * runtime/JSObject.h:
1156         * runtime/JSString.h:
1157
1158         Removed JSNotAnObject::toNumber because its result doesn't matter and it implements 
1159         defaultValue, therefore JSObject::toNumber can cover its case.
1160         * runtime/JSNotAnObject.cpp:
1161         * runtime/JSNotAnObject.h:
1162
1163 2011-10-13  Xianzhu Wang  <wangxianzhu@chromium.org>
1164
1165         Use realloc() to expand/shrink StringBuilder buffer
1166         https://bugs.webkit.org/show_bug.cgi?id=69913
1167
1168         Reviewed by Darin Adler.
1169
1170         * wtf/text/StringBuilder.cpp:
1171         (WTF::StringBuilder::reserveCapacity):
1172         (WTF::StringBuilder::reallocateBuffer):
1173         (WTF::StringBuilder::appendUninitialized):
1174         (WTF::StringBuilder::shrinkToFit):
1175         * wtf/text/StringBuilder.h:
1176         * wtf/text/StringImpl.cpp:
1177         (WTF::StringImpl::reallocate): Added to allow StringBuilder to reallocate the buffer.
1178         * wtf/text/StringImpl.h:
1179
1180 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1181
1182         If an Arguments object is being used to copy the arguments, then
1183         make this explicit
1184         https://bugs.webkit.org/show_bug.cgi?id=69995
1185
1186         Reviewed by Sam Weinig.
1187
1188         * interpreter/Interpreter.cpp:
1189         (JSC::Interpreter::retrieveArguments):
1190         * runtime/Arguments.h:
1191         (JSC::Arguments::createAndCopyRegisters):
1192         (JSC::Arguments::finishCreationButDontCopyRegisters):
1193         (JSC::Arguments::finishCreation):
1194         (JSC::Arguments::finishCreationAndCopyRegisters):
1195
1196 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1197
1198         DFG CFA does not filter structures aggressively enough.
1199         https://bugs.webkit.org/show_bug.cgi?id=69989
1200
1201         Reviewed by Oliver Hunt.
1202
1203         * dfg/DFGAbstractValue.h:
1204         (JSC::DFG::AbstractValue::clear):
1205         (JSC::DFG::AbstractValue::makeTop):
1206         (JSC::DFG::AbstractValue::clobberStructures):
1207         (JSC::DFG::AbstractValue::set):
1208         (JSC::DFG::AbstractValue::merge):
1209         (JSC::DFG::AbstractValue::filter):
1210         (JSC::DFG::AbstractValue::checkConsistency):
1211
1212 2011-10-12  Adam Barth  <abarth@webkit.org>
1213
1214         Remove ENABLE(XHTMLMP) and associated code
1215         https://bugs.webkit.org/show_bug.cgi?id=69729
1216
1217         Reviewed by David Levin.
1218
1219         * Configurations/FeatureDefines.xcconfig:
1220
1221 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1222
1223         MacroAssemblerX86 8-bit register ops unsafe on CPU(X86)
1224         https://bugs.webkit.org/show_bug.cgi?id=69978
1225
1226         Reviewed by Filip Pizlo.
1227
1228         Certain ops are unsafe if the register passed is esp..edi (will instead test/set the ).
1229
1230         compare32/test8/test32 call setCC, which sets an 8-bit register - we can fix this by adding
1231         a couple of xchg instructions.
1232
1233         branchTest8 with a register argument is also affected. In all cases where this is currently
1234         used, it is testing a value that is correct to 32 or more bits, so we can simply switch these
1235         to branchTest32 & remove the corresponding branchTest8 (this is desirable anyway, since the
1236         32-bit form is cheaper to implement on platforms that don't have an 8-bit compare instruction).
1237
1238         This fixes the remaining fast/js failures with the DFG JIT 32_64.
1239
1240         * assembler/MacroAssemblerARMv7.h
1241             - removed branchTest8.
1242         * assembler/MacroAssemblerX86Common.h:
1243         (JSC::MacroAssemblerX86Common::compare32):
1244         (JSC::MacroAssemblerX86Common::test8):
1245         (JSC::MacroAssemblerX86Common::test32):
1246         (JSC::MacroAssemblerX86Common::set32):
1247             - added set32 helper that is 'h' register safe.
1248             - removed branchTest8.
1249         * dfg/DFGJITCodeGenerator32_64.cpp:
1250         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1251         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1252             - switch uses of branchTest8 to branchTest32.
1253         * dfg/DFGJITCodeGenerator64.cpp:
1254         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1255         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1256             - switch uses of branchTest8 to branchTest32.
1257         * dfg/DFGSpeculativeJIT32_64.cpp:
1258         (JSC::DFG::SpeculativeJIT::emitBranch):
1259             - switch uses of branchTest8 to branchTest32.
1260         * dfg/DFGSpeculativeJIT64.cpp:
1261         (JSC::DFG::SpeculativeJIT::emitBranch):
1262             - switch uses of branchTest8 to branchTest32.
1263
1264 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1265
1266         Errrk, revert accidental commit!
1267
1268         * wtf/Platform.h:
1269
1270 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1271
1272         Unreviewed, re-land changes from #69890, #69903.
1273
1274         These were reverted due to bug #69897, but #69903 fixed this problem.
1275
1276         * dfg/DFGJITCodeGenerator.h:
1277         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1278
1279 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1280
1281         ValueProfile::computeUpdatedPrediction doesn't merge statistics correctly
1282         https://bugs.webkit.org/show_bug.cgi?id=69906
1283
1284         Reviewed by Gavin Barraclough.
1285         
1286         It turns out that the simplest fix is to switch computeUpdatedPredictions()
1287         to using predictionFromValue() combined with mergePrediction(). Doing so
1288         allowed me to kill off weakBuckets and visitWeakReferences(). Hence this
1289         not only fixes a performance bug but kills off a lot of code that I never
1290         liked to begin with.
1291         
1292         This appears to be a 1% win on V8.
1293
1294         * bytecode/CodeBlock.cpp:
1295         (JSC::CodeBlock::visitAggregate):
1296         * bytecode/CodeBlock.h:
1297         * bytecode/PredictedType.cpp:
1298         (JSC::predictionFromValue):
1299         * bytecode/ValueProfile.cpp:
1300         (JSC::ValueProfile::computeStatistics):
1301         (JSC::ValueProfile::computeUpdatedPrediction):
1302         * bytecode/ValueProfile.h:
1303         (JSC::ValueProfile::classInfo):
1304         (JSC::ValueProfile::numberOfSamples):
1305         (JSC::ValueProfile::isLive):
1306         (JSC::ValueProfile::dump):
1307
1308 2011-10-12  Mark Hahnenberg  <mhahnenberg@apple.com>
1309
1310         De-virtualize JSCell::toString
1311         https://bugs.webkit.org/show_bug.cgi?id=69677
1312
1313         Reviewed by Sam Weinig.
1314
1315         Removed toString from JSCallbackObject, since it is no 
1316         longer necessary since we now implicitly add toString and valueOf
1317         functions to object prototypes when a convertToType callback 
1318         is provided, which is now the standard way to override toString 
1319         and valueOf in the JSC C API.
1320         * API/JSCallbackObject.h:
1321         * API/JSCallbackObjectFunctions.h:
1322         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1323
1324         Removed toString from InterruptedExecutionError and 
1325         TerminatedExecutionError and replaced it with defaultValue,
1326         which JSObject::toString calls.  We'll probably have to de-virtualize 
1327         defaultValue eventually, but we'll cross that bridge when we 
1328         come to it.
1329         * runtime/ExceptionHelpers.cpp:
1330         (JSC::InterruptedExecutionError::defaultValue):
1331         (JSC::TerminatedExecutionError::defaultValue):
1332         * runtime/ExceptionHelpers.h:
1333
1334         Removed toString from JSNotAnObject, since its return value doesn't
1335         actually matter and JSObject::toString can cover it.
1336         * runtime/JSNotAnObject.cpp:
1337         * runtime/JSNotAnObject.h:
1338
1339         De-virtualized JSCell::toString, JSObject::toString and JSString::toString.
1340         Added handling of all cases for JSCell to JSCell::toString.
1341         * runtime/JSObject.h:
1342         * runtime/JSString.h:
1343         * runtime/JSCell.cpp:
1344         (JSC::JSCell::toString):
1345         * runtime/JSCell.h:
1346
1347 2011-10-12  Oliver Hunt  <oliver@apple.com>
1348
1349         Global stringStructure caches its prototype chain, abandoning a web page
1350         https://bugs.webkit.org/show_bug.cgi?id=69952
1351
1352         Reviewed by Filip Pizlo.
1353
1354         When visiting a structure, we don't keep the prototype chain
1355         alive if we're not the structure for an object type.
1356
1357         * runtime/Structure.cpp:
1358         (JSC::Structure::visitChildren):
1359
1360 2011-10-12  Yuqiang Xian  <yuqiang.xian@intel.com>
1361
1362         DFG JIT 32_64 - Fix ArrayPop
1363         https://bugs.webkit.org/show_bug.cgi?id=69918
1364
1365         Reviewed by Filip Pizlo.
1366
1367         The storageLengthGPR is polluted by EmptyValueTag and later used to
1368         index the array, which results in abnormal behaviors in execution.
1369         This fix makes 32_64 DFG pass v8-deltablue and kraken
1370         crypto-sha256-iterative on Linux ia32.
1371
1372         * assembler/MacroAssemblerX86Common.h:
1373         (JSC::MacroAssemblerX86Common::store32):
1374         * assembler/X86Assembler.h:
1375         (JSC::X86Assembler::movl_i32m):
1376         * dfg/DFGSpeculativeJIT32_64.cpp:
1377         (JSC::DFG::SpeculativeJIT::compile):
1378
1379 2011-10-12  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>
1380
1381         Fix build with GLib 2.31
1382         https://bugs.webkit.org/show_bug.cgi?id=69840
1383
1384         Reviewed by Martin Robinson.
1385
1386         * GNUmakefile.list.am: removed ThreadingGtk.cpp.
1387         * wtf/ThreadingPrimitives.h: remove GTK+-specific definitions.
1388         * wtf/gobject/GOwnPtr.cpp: remove GCond and GMutex specializations.
1389         * wtf/gobject/GOwnPtr.h: ditto.
1390         * wtf/gobject/GTypedefs.h: remove GCond and GMutex forward declarations.
1391         * wtf/gtk/ThreadingGtk.cpp: Removed.
1392
1393 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1394
1395         Layout tests crashing in DFG JIT code
1396         https://bugs.webkit.org/show_bug.cgi?id=69897
1397
1398         Reviewed by Gavin Barraclough.
1399         
1400         Abstract value filtration didn't take into account cases where a structure
1401         set filter, combined with predicted type knowledge, could lead to a stronger
1402         filter for the structure abstract value.
1403         
1404         This bug would have been benign in release builds; it would have just meant
1405         that the analysis was less precise and some optimization opportunities would
1406         be missed. I have an ASSERT that is meant to catch such cases, and it was
1407         triggering sporadically in one of the LayoutTests.
1408
1409         * dfg/DFGAbstractValue.h:
1410         (JSC::DFG::AbstractValue::filter):
1411
1412 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
1413
1414         Unreviewed, temporarily reverted r97216 due to bug #69897.
1415
1416         * dfg/DFGJITCodeGenerator.h:
1417         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1418
1419 2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>
1420
1421         DFG 32_64 - fix silentFillGPR
1422         https://bugs.webkit.org/show_bug.cgi?id=69903
1423
1424         Reviewed by Filip Pizlo.
1425
1426         Fix a small bug in silentFillGPR,
1427         and add the newly introduced DFG file to CMakeListsEfl.
1428
1429         * CMakeListsEfl.txt:
1430         * dfg/DFGJITCodeGenerator.h:
1431         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1432
1433 2011-10-08  Filip Pizlo  <fpizlo@apple.com>
1434
1435         DFG does not have flow-sensitive intraprocedural control flow analysis
1436         https://bugs.webkit.org/show_bug.cgi?id=69690
1437
1438         Reviewed by Gavin Barraclough.
1439
1440         Implemented a control flow analysis (CFA). It currently propagates type
1441         proofs only. For example, if all predecessors to a basic block have
1442         checks that variable X is a JSFinalObject with structure 0xabcdef, then
1443         this basic block will now know this fact and will know that it does not
1444         have to emit either JSFinalObject checks or any structure checks since
1445         the structure is precisely known. The CFA takes heap side-effects into
1446         account (though somewhat conservatively), so that if the object pointed
1447         to by variable X could have possibly undergone a structure transition
1448         then this is reflected: the analysis may simply say that X's structure
1449         is unknown.
1450         
1451         This also propagates a wealth of other type information which is
1452         currently not being used. For example, we now know when a variable can
1453         only hold doubles. Even if a variable may hold other types at different
1454         points in its live range, we can still prove exactly when it will only
1455         be double.
1456         
1457         There's a bunch of stuff that the CFA could do that it still does not
1458         do, like precise handling of PutStructure (i.e. structure transitions),
1459         precise handling of CheckFunction and CheckMethod, etc. So this is
1460         very much intended to be a starting point rather than an end unto
1461         itself.
1462         
1463         This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue)
1464         and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate).
1465         Neutral on SunSpider.
1466
1467         * GNUmakefile.list.am:
1468         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1469         * JavaScriptCore.xcodeproj/project.pbxproj:
1470         * bytecode/ActionablePrediction.h: Removed.
1471         * bytecode/PredictedType.cpp:
1472         (JSC::predictionToString):
1473         * bytecode/PredictedType.h:
1474         * dfg/DFGAbstractState.cpp: Added.
1475         (JSC::DFG::AbstractState::AbstractState):
1476         (JSC::DFG::AbstractState::~AbstractState):
1477         (JSC::DFG::AbstractState::beginBasicBlock):
1478         (JSC::DFG::AbstractState::initialize):
1479         (JSC::DFG::AbstractState::endBasicBlock):
1480         (JSC::DFG::AbstractState::reset):
1481         (JSC::DFG::AbstractState::execute):
1482         (JSC::DFG::AbstractState::clobberStructures):
1483         (JSC::DFG::AbstractState::mergeStateAtTail):
1484         (JSC::DFG::AbstractState::merge):
1485         (JSC::DFG::AbstractState::mergeToSuccessors):
1486         (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
1487         (JSC::DFG::AbstractState::dump):
1488         * dfg/DFGAbstractState.h: Added.
1489         (JSC::DFG::AbstractState::forNode):
1490         (JSC::DFG::AbstractState::isValid):
1491         * dfg/DFGAbstractValue.h: Added.
1492         (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
1493         (JSC::DFG::StructureAbstractValue::clear):
1494         (JSC::DFG::StructureAbstractValue::makeTop):
1495         (JSC::DFG::StructureAbstractValue::top):
1496         (JSC::DFG::StructureAbstractValue::add):
1497         (JSC::DFG::StructureAbstractValue::addAll):
1498         (JSC::DFG::StructureAbstractValue::contains):
1499         (JSC::DFG::StructureAbstractValue::isSubsetOf):
1500         (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
1501         (JSC::DFG::StructureAbstractValue::isSupersetOf):
1502         (JSC::DFG::StructureAbstractValue::filter):
1503         (JSC::DFG::StructureAbstractValue::isClear):
1504         (JSC::DFG::StructureAbstractValue::isTop):
1505         (JSC::DFG::StructureAbstractValue::size):
1506         (JSC::DFG::StructureAbstractValue::at):
1507         (JSC::DFG::StructureAbstractValue::operator[]):
1508         (JSC::DFG::StructureAbstractValue::last):
1509         (JSC::DFG::StructureAbstractValue::predictionFromStructures):
1510         (JSC::DFG::StructureAbstractValue::operator==):
1511         (JSC::DFG::StructureAbstractValue::dump):
1512         (JSC::DFG::AbstractValue::AbstractValue):
1513         (JSC::DFG::AbstractValue::clear):
1514         (JSC::DFG::AbstractValue::isClear):
1515         (JSC::DFG::AbstractValue::makeTop):
1516         (JSC::DFG::AbstractValue::clobberStructures):
1517         (JSC::DFG::AbstractValue::isTop):
1518         (JSC::DFG::AbstractValue::top):
1519         (JSC::DFG::AbstractValue::set):
1520         (JSC::DFG::AbstractValue::operator==):
1521         (JSC::DFG::AbstractValue::merge):
1522         (JSC::DFG::AbstractValue::filter):
1523         (JSC::DFG::AbstractValue::validate):
1524         (JSC::DFG::AbstractValue::dump):
1525         * dfg/DFGBasicBlock.h: Added.
1526         (JSC::DFG::BasicBlock::BasicBlock):
1527         (JSC::DFG::BasicBlock::getBytecodeBegin):
1528         * dfg/DFGByteCodeParser.cpp:
1529         (JSC::DFG::ByteCodeParser::getLocal):
1530         (JSC::DFG::ByteCodeParser::setLocal):
1531         (JSC::DFG::ByteCodeParser::getArgument):
1532         (JSC::DFG::ByteCodeParser::setArgument):
1533         (JSC::DFG::ByteCodeParser::parseBlock):
1534         (JSC::DFG::ByteCodeParser::processPhiStack):
1535         (JSC::DFG::ByteCodeParser::setupPredecessors):
1536         * dfg/DFGGraph.cpp:
1537         (JSC::DFG::Graph::dump):
1538         * dfg/DFGGraph.h:
1539         * dfg/DFGJITCodeGenerator.h:
1540         (JSC::DFG::block):
1541         * dfg/DFGJITCodeGenerator32_64.cpp:
1542         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
1543         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1544         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1545         * dfg/DFGJITCodeGenerator64.cpp:
1546         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
1547         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1548         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1549         * dfg/DFGJITCompiler.h:
1550         (JSC::DFG::JITCompiler::noticeOSREntry):
1551         * dfg/DFGNode.h:
1552         (JSC::DFG::NodeIndexTraits::defaultValue):
1553         (JSC::DFG::Node::variableAccessData):
1554         (JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
1555         (JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
1556         (JSC::DFG::Node::setTakenBlockIndex):
1557         (JSC::DFG::Node::setNotTakenBlockIndex):
1558         (JSC::DFG::Node::takenBlockIndex):
1559         (JSC::DFG::Node::notTakenBlockIndex):
1560         * dfg/DFGOSREntry.cpp:
1561         (JSC::DFG::prepareOSREntry):
1562         * dfg/DFGOSREntry.h:
1563         * dfg/DFGOperands.h: Added.
1564         (JSC::DFG::operandIsArgument):
1565         (JSC::DFG::OperandValueTraits::defaultValue):
1566         (JSC::DFG::Operands::Operands):
1567         (JSC::DFG::Operands::numberOfArguments):
1568         (JSC::DFG::Operands::numberOfLocals):
1569         (JSC::DFG::Operands::argument):
1570         (JSC::DFG::Operands::local):
1571         (JSC::DFG::Operands::setLocal):
1572         (JSC::DFG::Operands::setArgumentFirstTime):
1573         (JSC::DFG::Operands::setLocalFirstTime):
1574         (JSC::DFG::Operands::operand):
1575         (JSC::DFG::Operands::setOperand):
1576         (JSC::DFG::Operands::clear):
1577         (JSC::DFG::dumpOperands):
1578         * dfg/DFGPropagator.cpp:
1579         (JSC::DFG::Propagator::fixpoint):
1580         (JSC::DFG::Propagator::propagateArithNodeFlags):
1581         (JSC::DFG::Propagator::propagateNodePredictions):
1582         (JSC::DFG::Propagator::propagatePredictions):
1583         (JSC::DFG::Propagator::performBlockCFA):
1584         (JSC::DFG::Propagator::performForwardCFA):
1585         (JSC::DFG::Propagator::globalCFA):
1586         * dfg/DFGSpeculativeJIT.cpp:
1587         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1588         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1589         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1590         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1591         (JSC::DFG::SpeculativeJIT::compile):
1592         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
1593         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1594         * dfg/DFGSpeculativeJIT.h:
1595         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1596         * dfg/DFGSpeculativeJIT32_64.cpp:
1597         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1598         (JSC::DFG::SpeculativeJIT::compare):
1599         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1600         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1601         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1602         (JSC::DFG::SpeculativeJIT::emitBranch):
1603         (JSC::DFG::SpeculativeJIT::compile):
1604         * dfg/DFGSpeculativeJIT64.cpp:
1605         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1606         (JSC::DFG::SpeculativeJIT::compare):
1607         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1608         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1609         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1610         (JSC::DFG::SpeculativeJIT::emitBranch):
1611         (JSC::DFG::SpeculativeJIT::compile):
1612         * dfg/DFGStructureSet.h:
1613         (JSC::DFG::StructureSet::clear):
1614         (JSC::DFG::StructureSet::predictionFromStructures):
1615         (JSC::DFG::StructureSet::operator==):
1616         (JSC::DFG::StructureSet::dump):
1617         * dfg/DFGVariableAccessData.h: Added.
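
As an added illustration of the abstract state this entry describes (example code written for this page, not JavaScriptCore's DFGAbstractValue.h; the structure ids 0xabcdef and 0x123456 are constructed sample values standing in for Structure pointers), here is a miniature structure lattice with the three operations the CFA needs: merge at control-flow joins, filter after a CheckStructure, and clobber on heap side effects. It shows why a structure check can only be dropped when the set has exactly one member, and why the conservative clobber after any side-effecting node is what keeps a dropped check sound: if the analysis forgot to clobber, the JIT would omit a check that a structure transition could invalidate.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iterator>
#include <vector>

// Constructed stand-in for JSC's Structure*; any distinct ids will do.
using StructureID = std::uint32_t;

struct StructureAbstractValue {
    std::vector<StructureID> structures; // sorted, duplicate-free; ignored when isTop
    bool isTop = false;                  // Top: any structure is possible

    static StructureAbstractValue top() {
        StructureAbstractValue v;
        v.isTop = true;
        return v;
    }

    // Clear (bottom): no value has flowed here yet.
    bool isClear() const { return !isTop && structures.empty(); }
    std::size_t size() const { return structures.size(); }

    void add(StructureID s) {
        if (isTop)
            return;
        auto it = std::lower_bound(structures.begin(), structures.end(), s);
        if (it == structures.end() || *it != s)
            structures.insert(it, s);
    }

    // Least upper bound at a control-flow join. Returns true if this value
    // changed, which is what keeps the fixpoint iteration going.
    bool merge(const StructureAbstractValue& other) {
        if (isTop)
            return false;
        if (other.isTop) {
            clobber();
            return true;
        }
        std::size_t before = structures.size();
        for (StructureID s : other.structures)
            add(s);
        return structures.size() != before;
    }

    // Narrowing after a CheckStructure: only structures that pass the check survive.
    void filter(const StructureAbstractValue& allowed) {
        if (allowed.isTop)
            return;
        if (isTop) {
            *this = allowed;
            return;
        }
        std::vector<StructureID> kept;
        std::set_intersection(structures.begin(), structures.end(),
                              allowed.structures.begin(), allowed.structures.end(),
                              std::back_inserter(kept));
        structures.swap(kept);
    }

    // A node with heap side effects (a call, a PutById, ...) may have transitioned
    // the object, so the conservative answer is to forget everything.
    void clobber() {
        isTop = true;
        structures.clear();
    }
};

// The check is redundant only when the analysis proves exactly one structure.
bool canElideStructureCheck(const StructureAbstractValue& v, StructureID expected) {
    return !v.isTop && v.size() == 1 && v.structures[0] == expected;
}

struct Walkthrough {
    bool elideAfterCheck;      // straight-line code right after CheckStructure
    bool elideAfterJoin;       // after merging a predecessor that knows a different structure
    bool elideAfterSideEffect; // after a node that may have transitioned the object
};

// Constructed scenario: X is checked against 0xabcdef in one block, a second
// predecessor knows X has 0x123456, and a later call clobbers the heap.
Walkthrough walkthrough() {
    const StructureID kChecked = 0xabcdef;
    const StructureID kOther = 0x123456;
    Walkthrough w{};

    StructureAbstractValue x = StructureAbstractValue::top(); // nothing known at entry
    StructureAbstractValue checkSet;
    checkSet.add(kChecked);
    x.filter(checkSet); // CheckStructure(X, 0xabcdef) passed
    w.elideAfterCheck = canElideStructureCheck(x, kChecked);

    StructureAbstractValue atJoin = x;
    StructureAbstractValue fromOtherPred;
    fromOtherPred.add(kOther);
    atJoin.merge(fromOtherPred); // now {0x123456, 0xabcdef}: two candidates
    w.elideAfterJoin = canElideStructureCheck(atJoin, kChecked);

    StructureAbstractValue afterCall = x;
    afterCall.clobber(); // structure unknown again, the check must be emitted
    w.elideAfterSideEffect = canElideStructureCheck(afterCall, kChecked);
    return w;
}
```

`walkthrough()` yields elision only in the first case; the join and the side effect both force the check back in. The real analysis adds the same Top/Clear/set shape for value types (the "only holds doubles" fact mentioned above), but the structure case is where an unsound answer turns directly into a missing type check.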
1618
1619 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
1620
1621         DFG JIT 32_64 - Fix silentFillGPR for non-integer constants.
1622         https://bugs.webkit.org/show_bug.cgi?id=69890
1623
1624         Reviewed by Oliver Hunt.
1625
1626         Cell constants are currently hitting the valueOfInt32Constant case, there is no constant handling for JSValues.
1627
1628         * dfg/DFGJITCodeGenerator.h:
1629         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1630
1631 2011-10-11  Ryosuke Niwa  <rniwa@webkit.org>
1632
1633         GTK build fix attempt after r97197.
1634
1635         * wtf/BitVector.h:
1636
1637 2011-10-11  Oliver Hunt  <oliver@apple.com>
1638
1639         Remove unintentional logging.
1640
1641         * heap/Heap.cpp:
1642
1643 2011-10-11  Oliver Hunt  <oliver@apple.com>
1644
1645         Tidy up card walking logic
1646         https://bugs.webkit.org/show_bug.cgi?id=69883
1647
1648         Reviewed by Gavin Barraclough.
1649
1650         Special case common cell sizes when walking a block's
1651         cards.
1652
1653         * heap/CardSet.h:
1654         (JSC::::testAndClear):
1655         * heap/Heap.cpp:
1656         (JSC::GCTimer::GCCounter::GCCounter):
1657         (JSC::GCTimer::GCCounter::count):
1658         (JSC::GCTimer::GCCounter::~GCCounter):
1659         (JSC::Heap::markRoots):
1660         * heap/MarkStack.cpp:
1661         (JSC::MarkStack::reset):
1662         * heap/MarkStack.h:
1663         (JSC::MarkStack::visitCount):
1664         (JSC::MarkStack::MarkStack):
1665         (JSC::MarkStack::append):
1666         * heap/MarkedBlock.h:
1667         (JSC::MarkedBlock::gatherDirtyCellsWithSize):
1668         (JSC::MarkedBlock::gatherDirtyCells):
1669         * runtime/Structure.h:
1670         (JSC::MarkStack::internalAppend):
1671
1672 2011-10-11  Filip Pizlo  <fpizlo@apple.com>
1673
1674         DFG virtual register allocator should be more aggressive in
1675         reusing temporary slots
1676         https://bugs.webkit.org/show_bug.cgi?id=69868
1677
1678         Reviewed by Oliver Hunt.
1679         
1680         1.2% win on V8, neutral elsewhere. The win is probably because it
1681         increases precision of GC conservative scans.
1682         
1683         This required making the DFG::ScoreBoard operate over a bitvector
1684         of preserved variables, rather than just a preserved variable
1685         threshold. To do this, I improved the WTF::BitVector class to make
1686         it more user-friendly. It still retains all previous functionality.
1687         Also made changes to PackedIntVector to accommodate those changes.
1688         Finally, this adds more debugging to the virtual register allocator
1689         and to the OSR exit code, as this was necessary to track down bugs
1690         in an earlier version of this patch.
1691
1692         * dfg/DFGByteCodeParser.cpp:
1693         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1694         (JSC::DFG::ByteCodeParser::getLocal):
1695         * dfg/DFGGraph.h:
1696         * dfg/DFGJITCompiler.cpp:
1697         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1698         * dfg/DFGPropagator.cpp:
1699         (JSC::DFG::Propagator::allocateVirtualRegisters):
1700         * dfg/DFGScoreBoard.h:
1701         (JSC::DFG::ScoreBoard::ScoreBoard):
1702         (JSC::DFG::ScoreBoard::~ScoreBoard):
1703         (JSC::DFG::ScoreBoard::allocate):
1704         (JSC::DFG::ScoreBoard::use):
1705         (JSC::DFG::ScoreBoard::highWatermark):
1706         (JSC::DFG::ScoreBoard::dump):
1707         (JSC::DFG::ScoreBoard::max):
1708         * dfg/DFGSpeculativeJIT.cpp:
1709         (JSC::DFG::ValueRecovery::dump):
1710         * wtf/BitVector.cpp:
1711         (WTF::BitVector::setSlow):
1712         (WTF::BitVector::resizeOutOfLine):
1713         (WTF::BitVector::dump):
1714         * wtf/BitVector.h:
1715         (WTF::BitVector::BitVector):
1716         (WTF::BitVector::operator=):
1717         (WTF::BitVector::quickGet):
1718         (WTF::BitVector::quickSet):
1719         (WTF::BitVector::quickClear):
1720         (WTF::BitVector::get):
1721         (WTF::BitVector::set):
1722         (WTF::BitVector::clear):
1723         * wtf/PackedIntVector.h:
1724         (WTF::PackedIntVector::get):
1725         (WTF::PackedIntVector::set):
1726
1727 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
1728
1729         DFG JIT 32_64 - Switch to cdecl calling convention.
1730         https://bugs.webkit.org/show_bug.cgi?id=69863
1731
1732         Reviewed by Oliver Hunt.
1733
1734         This makes it easier to keep the stack correctly aligned, which is required on OS X.
1735
1736         * assembler/MacroAssemblerCodeRef.h:
1737         (JSC::FunctionPtr::FunctionPtr):
1738             - Provide default FunctionPtr constructors for CDECL functions on STDCALL platforms.
1739         * dfg/DFGJITCodeGenerator.h:
1740         (JSC::DFG::callOperation):
1741             - Switch calls to poke arguments rather than pushing them.
1742         (JSC::DFG::resetCallArguments):
1743         (JSC::DFG::addCallArgument):
1744         (JSC::DFG::addCallArgumentBoxed):
1745             - Helper functions to stack up call arguments on X86.
1746         * dfg/DFGJITCodeGenerator32_64.cpp:
1747         (JSC::DFG::JITCodeGenerator::emitCall):
1748             - Don't push, poke!
1749         * dfg/DFGJITCompiler32_64.cpp:
1750         (JSC::DFG::JITCompiler::compileBody):
1751             - Don't push, poke!
1752         * dfg/DFGOperations.cpp:
1753             - Switch ReturnAddress wrappers to push return address last, update asm trampolines.
1754         * dfg/DFGOperations.h:
1755             - switch DFG_OPERATION to assert CDECL on STDCALL platforms.
1756         * dfg/DFGSpeculativeJIT32_64.cpp:
1757         (JSC::DFG::fmodWithCDecl):
1758         (JSC::DFG::SpeculativeJIT::compile):
1759             - On STDCALL platforms wrap fmod, since DFG_OPERATION wrappers are CDECL.
1760
1761 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
1762
1763         Switch RegisterSizedBoolean/dfgConvertJSValueToInt32 return type to size_t
1764         https://bugs.webkit.org/show_bug.cgi?id=69821
1765
1766         Reviewed by Filip Pizlo.
1767
1768         Operations returning types Z (int32_t) and B (RegisterSizedBoolean - implemented as an
1769         intptr_t) are indistinguishable on 32-bit Linux, preventing the DFG JIT from building.
1770
1771         dfgConvertJSValueToInt32 would be better returning a value known to be register sized, for
1772         JSVALUE64 (we currently zero-extend in JIT code, potentially introducing an unnecessary
1773         move), so by switching all associated operations to return a size_t we can fix the type
1774         problem on Linux & make it a small tweak that removes an unnecessary instruction.
1775
1776         * dfg/DFGJITCodeGenerator.cpp:
1777         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
1778             - comparisons now return a size_t.
1779         * dfg/DFGJITCodeGenerator.h:
1780         (JSC::DFG::callOperation):
1781             - Removed Z_DFGOperation_EJ form.
1782         * dfg/DFGJITCodeGenerator32_64.cpp:
1783         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1784         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
1785             - comparisons now return a size_t.
1786         * dfg/DFGJITCodeGenerator64.cpp:
1787         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1788         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1789         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
1790             - comparisons now return a size_t.
1791         * dfg/DFGOperations.cpp:
1792         * dfg/DFGOperations.h:
1793             - Change return types for comparison operations & dfgConvertJSValueToInt32 to size_t;
1794               both need to return values zero-extended to fill a register.
1795         * dfg/DFGSpeculativeJIT.cpp:
1796         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1797             - comparisons now return a size_t.
1798         * dfg/DFGSpeculativeJIT.h:
1799         * dfg/DFGSpeculativeJIT32_64.cpp:
1800         (JSC::DFG::SpeculativeJIT::compare):
1801             - comparisons now return a size_t.
1802         * dfg/DFGSpeculativeJIT64.cpp:
1803         (JSC::DFG::SpeculativeJIT::compare):
1804             - comparisons now return a size_t.
1805
1806 2011-10-11  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>
1807
1808         [Qt] Remove all references to QTDIR_build and standalone_package
1809
1810         Qt is now modularized, which means we no longer import WebKit into
1811         the Qt source tree. Instead we use git submodules, and building
1812         QtWebKit as "part of Qt" is really building QtWebKit as from trunk.
1813
1814         To decrease the number of buildsystem configurations we also remove
1815         the standalone_package code-path used when we were providing tarballs
1816         with the derived sources pre-generated.
1817
1818         Reviewed by Simon Hausmann.
1819
1820         * DerivedSources.pro:
1821         * JavaScriptCore.pri:
1822         * JavaScriptCore.pro:
1823
1824 2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>
1825
1826         Add missing copyright notice in DFG JIT files
1827         https://bugs.webkit.org/show_bug.cgi?id=69809
1828
1829         Reviewed by Gavin Barraclough.
1830
1831         * dfg/DFGJITCodeGenerator32_64.cpp:
1832         * dfg/DFGJITCompiler32_64.cpp:
1833         * dfg/DFGJITCompilerInlineMethods.h:
1834         * dfg/DFGSpeculativeJIT32_64.cpp:
1835
1836 2011-10-10  Filip Pizlo  <fpizlo@apple.com>
1837
1838         DFG JSVALUE64 spill/fill code should not box integers and doubles
1839         https://bugs.webkit.org/show_bug.cgi?id=69782
1840
1841         Reviewed by Oliver Hunt.
1842         
1843         Added the notion of DataFormatInteger and DataFormatDouble to the spillFormat.
1844         This required changing all of the places that spill registers (both silently
1845         and not) and filling registers (both silently and on demand). It also required
1846         changing OSR exit to recognize that a spilled value (DisplacedInRegisterFile)
1847         may have the wrong format for the old JIT (unboxed int or double).
1848         
1849         This is a slight win on Kraken (0.25%) and neutral elsewhere.
1850
1851         * dfg/DFGGenerationInfo.h:
1852         (JSC::DFG::GenerationInfo::spill):
1853         * dfg/DFGJITCodeGenerator.h:
1854         (JSC::DFG::JITCodeGenerator::silentFillFPR):
1855         (JSC::DFG::JITCodeGenerator::spill):
1856         * dfg/DFGJITCodeGenerator64.cpp:
1857         (JSC::DFG::JITCodeGenerator::fillInteger):
1858         (JSC::DFG::JITCodeGenerator::fillDouble):
1859         (JSC::DFG::JITCodeGenerator::fillJSValue):
1860         * dfg/DFGJITCompiler.cpp:
1861         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1862         * dfg/DFGSpeculativeJIT.cpp:
1863         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1864         * dfg/DFGSpeculativeJIT.h:
1865         (JSC::DFG::ValueRecovery::displacedInRegisterFile):
1866         (JSC::DFG::ValueRecovery::virtualRegister):
1867         * dfg/DFGSpeculativeJIT64.cpp:
1868         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1869         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1870         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1871         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1872
1873 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
1874
1875         DFG JIT switch dfgConvert methods to use callOperation
1876         https://bugs.webkit.org/show_bug.cgi?id=69806
1877
1878         Reviewed by Filip Pizlo.
1879
1880         * dfg/DFGJITCodeGenerator.h:
1881         (JSC::DFG::callOperation):
1882         * dfg/DFGJITCodeGenerator32_64.cpp:
1883         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
1884         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1885         * dfg/DFGJITCodeGenerator64.cpp:
1886         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
1887         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1888         * dfg/DFGOperations.h:
1889
1890 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
1891
1892         Remove some unused methods from the DFG JIT.
1893
1894         Rubber stamped by Oliver Hunt
1895
1896         These methods were only used by the non-speculative JIT, and can be removed.
1897
1898         * dfg/DFGJITCodeGenerator.h:
1899         * dfg/DFGJITCodeGenerator32_64.cpp:
1900         * dfg/DFGJITCodeGenerator64.cpp:
1901             - removed:
1902                 nonSpeculativeAdd
1903                 nonSpeculativeArithSub
1904                 nonSpeculativeArithMod
1905                 nonSpeculativeCheckHasInstance
1906                 nonSpeculativeInstanceOf
1907         * dfg/DFGOperations.cpp:
1908         * dfg/DFGOperations.h:
1909             - removed:
1910                 operationArithMod
1911                 operationInstanceOf
1912                 operationThrowHasInstanceError
1913
1914 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
1915
1916         Switch most calls in DFGJITCodeGenerator to use callOperation.
1917         https://bugs.webkit.org/show_bug.cgi?id=69802
1918
1919         Reviewed by Oliver Hunt.
1920
1921         Compares, add, mod are the easy cases.
1922
1923         * dfg/DFGJITCodeGenerator.h:
1924         (JSC::DFG::callOperation):
1925         * dfg/DFGJITCodeGenerator32_64.cpp:
1926         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
1927         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
1928         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
1929         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1930         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
1931         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1932         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
1933         * dfg/DFGJITCodeGenerator64.cpp:
1934         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
1935         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
1936         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1937         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
1938         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1939         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
1940         * dfg/DFGOperations.cpp:
1941         * dfg/DFGOperations.h:
1942
1943 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
1944
1945         DFG: Switch GetById / PutById to use callOperation
1946         https://bugs.webkit.org/show_bug.cgi?id=69795
1947
1948         Reviewed by Oliver Hunt.
1949
1950         Also make these take the base as a cell, so 32_64 doesn't have to set up the cell tag.
1951
1952         * dfg/DFGJITCodeGenerator.h:
1953         (JSC::DFG::callOperation):
1954         * dfg/DFGJITCodeGenerator32_64.cpp:
1955         (JSC::DFG::JITCodeGenerator::cachedGetById):
1956         (JSC::DFG::JITCodeGenerator::cachedPutById):
1957         * dfg/DFGJITCodeGenerator64.cpp:
1958         (JSC::DFG::JITCodeGenerator::cachedGetById):
1959         (JSC::DFG::JITCodeGenerator::cachedPutById):
1960         * dfg/DFGOperations.cpp:
1961         * dfg/DFGOperations.h:
1962         * dfg/DFGRepatch.cpp:
1963         (JSC::DFG::appropriatePutByIdFunction):
1964
1965 2011-10-10  Filip Pizlo  <fpizlo@apple.com>
1966
1967         REGRESSION (r95399): Web process hangs when opening documents on Google Docs
1968         https://bugs.webkit.org/show_bug.cgi?id=69412
1969
1970         Reviewed by Oliver Hunt.
1971
1972         * dfg/DFGSpeculativeJIT32_64.cpp:
1973         (JSC::DFG::SpeculativeJIT::compile):
1974         * dfg/DFGSpeculativeJIT64.cpp:
1975         (JSC::DFG::SpeculativeJIT::compile):
1976         * jit/JIT.cpp:
1977         (JSC::JIT::privateCompile):
1978         * jit/JIT.h:
1979
1980 2011-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1981
1982         Remove getCallDataVirtual methods
1983         https://bugs.webkit.org/show_bug.cgi?id=69186
1984
1985         Reviewed by Geoffrey Garen.
1986
1987         Removed all getCallDataVirtual methods and replaced their call sites 
1988         with an explicit lookup in the MethodTable.
1989
1990         * API/JSCallbackFunction.cpp:
1991         * API/JSCallbackFunction.h:
1992         * API/JSCallbackObject.h:
1993         * API/JSCallbackObjectFunctions.h:
1994         * API/JSObjectRef.cpp:
1995         (JSObjectIsFunction):
1996         (JSObjectCallAsFunction):
1997         * JavaScriptCore.exp:
1998         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1999         * interpreter/Interpreter.cpp:
2000         (JSC::Interpreter::privateExecute):
2001         * jit/JITStubs.cpp:
2002         (JSC::DEFINE_STUB_FUNCTION):
2003         * runtime/ArrayConstructor.cpp:
2004         * runtime/ArrayConstructor.h:
2005         * runtime/BooleanConstructor.cpp:
2006         * runtime/BooleanConstructor.h:
2007         * runtime/DateConstructor.cpp:
2008         * runtime/DateConstructor.h:
2009
2010         Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
2011         the class definition in JSGlobalObject.cpp.
2012         * runtime/Error.cpp:
2013         (JSC::createTypeErrorFunction):
2014         * runtime/Error.h:
2015         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2016         (JSC::StrictModeTypeErrorFunction::create):
2017         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2018         (JSC::StrictModeTypeErrorFunction::getConstructData):
2019         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2020         (JSC::StrictModeTypeErrorFunction::getCallData):
2021         (JSC::StrictModeTypeErrorFunction::createStructure):
2022         * runtime/ErrorConstructor.cpp:
2023         * runtime/ErrorConstructor.h:
2024         * runtime/FunctionConstructor.cpp:
2025         * runtime/FunctionConstructor.h:
2026         * runtime/FunctionPrototype.cpp:
2027         * runtime/FunctionPrototype.h:
2028
2029         To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have 
2030         to declare their own ClassInfo if they don't override getCallData, provided 
2031         an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same 
2032         functionality as of the pure virtual method InternalFunction used to have.
2033         Also made this new implementation protected rather than private for the same reason.
2034         Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever 
2035         object is being created provides their own implementation of getCallData.  This 
2036         just makes execution fail earlier in a place where the source of the error is 
2037         easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
2038         they appear much more intentional to anybody who fails to provide their own 
2039         implementation or who tries to explicitly call InternalFunction::getCallData.
2040         * runtime/InternalFunction.cpp:
2041         (JSC::InternalFunction::finishCreation):
2042         (JSC::InternalFunction::getCallData):
2043         * runtime/InternalFunction.h:
2044         * runtime/JSCell.cpp:
2045         * runtime/JSCell.h:
2046         * runtime/JSFunction.cpp:
2047         * runtime/JSFunction.h:
2048
2049         Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
2050         it to be reused rather than creating a new Structure every time we instantiate it.
2051         * runtime/JSGlobalObject.cpp:
2052         (JSC::JSGlobalObject::reset):
2053         (JSC::JSGlobalObject::visitChildren):
2054         * runtime/JSGlobalObject.h:
2055         (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
2056         * runtime/JSONObject.cpp:
2057         (JSC::Stringifier::Stringifier):
2058         (JSC::Stringifier::toJSON):
2059         (JSC::Stringifier::appendStringifiedValue):
2060         * runtime/JSObject.cpp:
2061         (JSC::JSObject::put):
2062         * runtime/JSObject.h:
2063         (JSC::getCallData):
2064         * runtime/NativeErrorConstructor.cpp:
2065         * runtime/NativeErrorConstructor.h:
2066         * runtime/NumberConstructor.cpp:
2067         * runtime/NumberConstructor.h:
2068         * runtime/ObjectConstructor.cpp:
2069         * runtime/ObjectConstructor.h:
2070         * runtime/Operations.cpp:
2071         (JSC::jsTypeStringForValue):
2072         (JSC::jsIsObjectType):
2073         (JSC::jsIsFunctionType):
2074         * runtime/PropertySlot.cpp:
2075         (JSC::PropertySlot::functionGetter):
2076         * runtime/RegExpConstructor.cpp:
2077         * runtime/RegExpConstructor.h:
2078         * runtime/StringConstructor.cpp:
2079         * runtime/StringConstructor.h:
2080         * runtime/Structure.h:
2081
2082 2011-10-10  Gavin Barraclough  <barraclough@apple.com>
2083
2084         Switch last calls from DFGSpeculativeJIT to use callOperation.
2085         https://bugs.webkit.org/show_bug.cgi?id=69780
2086
2087         Reviewed by Oliver Hunt.
2088
2089         Also, rename type in operations for booleans from Z to B, since Z is the mathematical symbol for integers.
2090
2091         * dfg/DFGJITCodeGenerator.cpp:
2092         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2093         * dfg/DFGJITCodeGenerator.h:
2094         (JSC::DFG::callOperation):
2095         * dfg/DFGJITCodeGenerator32_64.cpp:
2096         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2097         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2098         * dfg/DFGJITCodeGenerator64.cpp:
2099         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2100         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2101         * dfg/DFGOperations.h:
2102         * dfg/DFGSpeculativeJIT.cpp:
2103         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2104         * dfg/DFGSpeculativeJIT.h:
2105         * dfg/DFGSpeculativeJIT32_64.cpp:
2106         (JSC::DFG::SpeculativeJIT::compare):
2107         (JSC::DFG::SpeculativeJIT::compile):
2108         * dfg/DFGSpeculativeJIT64.cpp:
2109         (JSC::DFG::SpeculativeJIT::compare):
2110         (JSC::DFG::SpeculativeJIT::compile):
2111         * wtf/Platform.h:
2112
2113 2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>
2114
2115         JSVALUE32_64 DFG JIT - bug fix for V8 benchmark cases "crypto" and "raytrace"
2116         https://bugs.webkit.org/show_bug.cgi?id=69748
2117
2118         Reviewed by Filip Pizlo.
2119
2120         * dfg/DFGJITCodeGenerator32_64.cpp:
2121         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
2122         * dfg/DFGSpeculativeJIT32_64.cpp:
2123         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2124
2125 2011-10-10  Adam Roben  <aroben@apple.com>
2126
2127         Build fix
2128
2129         * wtf/MainThread.h: Pull in Platform.h since this file uses PLATFORM() macros.
2130
2131 2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>
2132
2133         JSVALUE32_64 DFG JIT - Bug fix for BranchNull
2134         https://bugs.webkit.org/show_bug.cgi?id=69743
2135
2136         Reviewed by Darin Adler.
2137
2138         This fixes the error in access-binary-trees. All SunSpider cases passed.
2139
2140         * dfg/DFGJITCodeGenerator32_64.cpp:
2141         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2142
2143 2011-10-07  Gavin Barraclough  <barraclough@apple.com>
2144
2145         DFG JIT: callOperation should return the Call.
2146         https://bugs.webkit.org/show_bug.cgi?id=69682
2147
2148         Reviewed by Oliver Hunt.
2149
2150         * dfg/DFGJITCodeGenerator.h:
2151         (JSC::DFG::callOperation):
2152         (JSC::DFG::appendCallWithExceptionCheckSetResult):
2153         * dfg/DFGJITCompiler.h:
2154         (JSC::DFG::JITCompiler::appendCall):
2155         * wtf/Platform.h:
2156
2157 2011-10-10  Sheriff Bot  <webkit.review.bot@gmail.com>
2158
2159         Unreviewed, rolling out r97045.
2160         http://trac.webkit.org/changeset/97045
2161         https://bugs.webkit.org/show_bug.cgi?id=69746
2162
2163         makes apple bots very crashy :( (Requested by kling on
2164         #webkit).
2165
2166         * config.h:
2167
2168 2011-10-10  Andreas Kling  <kling@webkit.org>
2169
2170         Shrink BorderValue.
2171         https://bugs.webkit.org/show_bug.cgi?id=69521
2172
2173         Reviewed by Antti Koivisto.
2174
2175         * config.h: Touch to force full rebuild.
2176
2177 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2178
2179         Improve Null or Undefined test in 32_64 DFG
2180         https://bugs.webkit.org/show_bug.cgi?id=69734
2181
2182         Reviewed by Darin Adler.
2183
2184         Currently the Null or Undefined value test in 32_64 DFG checks the
2185         Null and Undefined tags separately and introduces one more branch.
2186         It can be improved the same way the baseline JIT does it, by
2187         relying on the fact that "UndefinedTag + 1 == NullTag and NullTag & 1".
2188
2189         * dfg/DFGJITCodeGenerator32_64.cpp:
2190         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
2191         * dfg/DFGSpeculativeJIT32_64.cpp:
2192         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2193         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2194
2195 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2196
2197         JSVALUE32_64 DFG JIT - Bug fix for ConvertThis
2198         https://bugs.webkit.org/show_bug.cgi?id=69721
2199
2200         Reviewed by Darin Adler.
2201
2202         * dfg/DFGSpeculativeJIT32_64.cpp:
2203         (JSC::DFG::SpeculativeJIT::compile):
2204
2205 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2206
2207         Remove unused callOperation code of DFG JIT on X86
2208         https://bugs.webkit.org/show_bug.cgi?id=69722
2209
2210         Reviewed by Filip Pizlo.
2211
2212         * dfg/DFGJITCodeGenerator.h:
2213         (JSC::DFG::callOperation):
2214
2215 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2216
2217         JSVALUE32_64 DFG JIT - fillJSValue with a pair of GPRs should not set the registerFormat to be DataFormatJSDouble
2218         https://bugs.webkit.org/show_bug.cgi?id=69720
2219
2220         Reviewed by Filip Pizlo.
2221
2222         In JSVALUE32_64 DFG, DataFormatJSDouble is assumed to be represented by
2223         a FPR and will be used for further optimizations, though we currently
2224         don't fully utilize it. For now when filling a JS value which was
2225         spilled as a JSDouble with a pair of GPRs, we'll set the registerFormat
2226         to DataFormatJS to avoid compilation errors.
2227
2228         * dfg/DFGJITCodeGenerator32_64.cpp:
2229         (JSC::DFG::JITCodeGenerator::fillJSValue):
2230
2231 2011-10-09  Filip Pizlo  <fpizlo@apple.com>
2232
2233         DFG should not always speculate that a ByVal access has an integer index
2234         https://bugs.webkit.org/show_bug.cgi?id=69716
2235
2236         Reviewed by Oliver Hunt.
2237         
2238         1% win on SunSpider, neutral elsewhere.
2239
2240         * dfg/DFGJITCodeGenerator.h:
2241         (JSC::DFG::callOperation):
2242         * dfg/DFGNode.h:
2243         * dfg/DFGOperations.cpp:
2244         * dfg/DFGOperations.h:
2245         * dfg/DFGPropagator.cpp:
2246         (JSC::DFG::Propagator::byValHasIntBase):
2247         (JSC::DFG::Propagator::clobbersWorld):
2248         (JSC::DFG::Propagator::getMethodLoadElimination):
2249         (JSC::DFG::Propagator::checkStructureLoadElimination):
2250         (JSC::DFG::Propagator::getByOffsetLoadElimination):
2251         (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
2252         (JSC::DFG::Propagator::performNodeCSE):
2253         * dfg/DFGSpeculativeJIT32_64.cpp:
2254         (JSC::DFG::SpeculativeJIT::compile):
2255         * dfg/DFGSpeculativeJIT64.cpp:
2256         (JSC::DFG::SpeculativeJIT::compile):
2257
2258 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2259
2260         Fix value profiling in 32_64 JIT
2261         https://bugs.webkit.org/show_bug.cgi?id=69717
2262
2263         Reviewed by Filip Pizlo.
2264
2265         Current value profiling for 32_64 JIT is broken and cannot record
2266         correct predicted types, which results in many speculation failures
2267         in the 32_64 DFG JIT, fallbacks to baseline JIT, and re-optimizations
2268         again and again. 
2269         With this fix 32_64 DFG JIT can demonstrate real performance gains.
2270
2271         * bytecode/ValueProfile.cpp:
2272         (JSC::ValueProfile::computeStatistics):
2273         * bytecode/ValueProfile.h:
2274         (JSC::ValueProfile::classInfo):
2275         (JSC::ValueProfile::numberOfSamples):
2276         (JSC::ValueProfile::isLive):
2277         (JSC::ValueProfile::numberOfInt32s):
2278         (JSC::ValueProfile::numberOfDoubles):
2279         (JSC::ValueProfile::numberOfBooleans):
2280         (JSC::ValueProfile::dump):
2281             Empty value check should be performed on decoded JSValue,
2282             as for 32_64 empty value is not identical to encoded 0.
2283         * jit/JIT.cpp:
2284         (JSC::JIT::privateCompile):
2285         * jit/JITInlineMethods.h:
2286         (JSC::JIT::emitValueProfilingSite):
2287         * jit/JITStubCall.h:
2288         (JSC::JITStubCall::callWithValueProfiling):
2289             Record the right profiling result for 32_64.
2290
2291 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2292
2293         Remove 32 bit restrictions in DFG JIT
2294         https://bugs.webkit.org/show_bug.cgi?id=69711
2295
2296         Reviewed by Filip Pizlo.
2297
2298         op_call/op_construct support was disabled for 32 bit DFG JIT because
2299         there was a regression in javascriptcore tests. Now the bugs are fixed
2300         and there should be no regression. This makes 32 bit DFG have the same
2301         capability as 64 bit DFG, and improves the coverage.
2302
2303         * dfg/DFGCapabilities.h:
2304         (JSC::DFG::canCompileOpcode):
2305
2306 2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2307
2308         Add static version of JSCell::getConstructData
2309         https://bugs.webkit.org/show_bug.cgi?id=69673
2310
2311         Reviewed by Geoffrey Garen.
2312
2313         Added static version of getConstructData to all classes that 
2314         override it and changed the virtual versions to call the static 
2315         versions.  This is the first step in de-virtualizing JSCell::getConstructData.
2316
2317         * API/JSCallbackConstructor.cpp:
2318         (JSC::JSCallbackConstructor::getConstructData):
2319         * API/JSCallbackConstructor.h:
2320         * API/JSCallbackObject.h:
2321         * API/JSCallbackObjectFunctions.h:
2322         (JSC::::getConstructData):
2323         * runtime/ArrayConstructor.cpp:
2324         (JSC::ArrayConstructor::getConstructData):
2325         * runtime/ArrayConstructor.h:
2326         * runtime/BooleanConstructor.cpp:
2327         (JSC::BooleanConstructor::getConstructData):
2328         * runtime/BooleanConstructor.h:
2329         * runtime/DateConstructor.cpp:
2330         (JSC::DateConstructor::getConstructData):
2331         * runtime/DateConstructor.h:
2332         * runtime/ErrorConstructor.cpp:
2333         (JSC::ErrorConstructor::getConstructData):
2334         * runtime/ErrorConstructor.h:
2335         * runtime/FunctionConstructor.cpp:
2336         (JSC::FunctionConstructor::getConstructData):
2337         * runtime/FunctionConstructor.h:
2338         * runtime/JSCell.cpp:
2339         (JSC::JSCell::getConstructData):
2340         * runtime/JSCell.h:
2341         * runtime/JSFunction.cpp:
2342         (JSC::JSFunction::getConstructData):
2343         * runtime/JSFunction.h:
2344         * runtime/NativeErrorConstructor.cpp:
2345         (JSC::NativeErrorConstructor::getConstructData):
2346         * runtime/NativeErrorConstructor.h:
2347         * runtime/NumberConstructor.cpp:
2348         (JSC::NumberConstructor::getConstructData):
2349         * runtime/NumberConstructor.h:
2350         * runtime/ObjectConstructor.cpp:
2351         (JSC::ObjectConstructor::getConstructData):
2352         * runtime/ObjectConstructor.h:
2353         * runtime/RegExpConstructor.cpp:
2354         (JSC::RegExpConstructor::getConstructData):
2355         * runtime/RegExpConstructor.h:
2356         * runtime/StringConstructor.cpp:
2357         (JSC::StringConstructor::getConstructData):
2358         * runtime/StringConstructor.h:
2359
2360 2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2361
2362         Add static version of JSCell::getOwnPropertySlot
2363         https://bugs.webkit.org/show_bug.cgi?id=69593
2364
2365         Reviewed by Geoffrey Garen.
2366
2367         Added static version of getOwnPropertySlot to every class that overrides
2368         JSCell::getOwnPropertySlot.  The virtual versions now call the static versions.
2369         This is the first step in de-virtualizing JSCell::getOwnPropertySlot.
2370
2371         * JavaScriptCore.exp:
2372         * debugger/DebuggerActivation.cpp:
2373         (JSC::DebuggerActivation::getOwnPropertySlot):
2374         * debugger/DebuggerActivation.h:
2375         * runtime/Arguments.cpp:
2376         (JSC::Arguments::getOwnPropertySlot):
2377         * runtime/Arguments.h:
2378         * runtime/ArrayConstructor.h:
2379         * runtime/ArrayPrototype.cpp:
2380         (JSC::ArrayPrototype::getOwnPropertySlot):
2381         * runtime/ArrayPrototype.h:
2382         * runtime/BooleanPrototype.cpp:
2383         (JSC::BooleanPrototype::getOwnPropertySlot):
2384         * runtime/BooleanPrototype.h:
2385         * runtime/DateConstructor.cpp:
2386         (JSC::DateConstructor::getOwnPropertySlot):
2387         * runtime/DateConstructor.h:
2388         * runtime/DatePrototype.cpp:
2389         (JSC::DatePrototype::getOwnPropertySlot):
2390         * runtime/DatePrototype.h:
2391         * runtime/ErrorPrototype.cpp:
2392         (JSC::ErrorPrototype::getOwnPropertySlot):
2393         * runtime/ErrorPrototype.h:
2394         * runtime/JSActivation.cpp:
2395         (JSC::JSActivation::getOwnPropertySlot):
2396         * runtime/JSActivation.h:
2397         * runtime/JSArray.cpp:
2398         (JSC::JSArray::getOwnPropertySlot):
2399         * runtime/JSArray.h:
2400         * runtime/JSBoundFunction.cpp:
2401         (JSC::JSBoundFunction::getOwnPropertySlot):
2402         * runtime/JSBoundFunction.h:
2403         * runtime/JSByteArray.cpp:
2404         (JSC::JSByteArray::getOwnPropertySlot):
2405         * runtime/JSByteArray.h:
2406         * runtime/JSCell.cpp:
2407         (JSC::JSCell::getOwnPropertySlot):
2408         * runtime/JSCell.h:
2409         * runtime/JSFunction.cpp:
2410         (JSC::JSFunction::getOwnPropertySlot):
2411         * runtime/JSFunction.h:
2412         * runtime/JSGlobalObject.cpp:
2413         (JSC::JSGlobalObject::getOwnPropertySlot):
2414         * runtime/JSGlobalObject.h:
2415         * runtime/JSNotAnObject.cpp:
2416         (JSC::JSNotAnObject::getOwnPropertySlot):
2417         * runtime/JSNotAnObject.h:
2418         * runtime/JSONObject.cpp:
2419         (JSC::JSONObject::getOwnPropertySlot):
2420         * runtime/JSONObject.h:
2421         * runtime/JSObject.cpp:
2422         (JSC::JSObject::getOwnPropertySlot):
2423         * runtime/JSObject.h:
2424         (JSC::JSObject::getOwnPropertySlot):
2425         * runtime/JSStaticScopeObject.cpp:
2426         (JSC::JSStaticScopeObject::getOwnPropertySlot):
2427         * runtime/JSStaticScopeObject.h:
2428         * runtime/JSString.cpp:
2429         (JSC::JSString::getOwnPropertySlot):
2430         * runtime/JSString.h:
2431         * runtime/MathObject.cpp:
2432         (JSC::MathObject::getOwnPropertySlot):
2433         * runtime/MathObject.h:
2434         * runtime/NumberConstructor.cpp:
2435         (JSC::NumberConstructor::getOwnPropertySlot):
2436         * runtime/NumberConstructor.h:
2437         * runtime/NumberPrototype.cpp:
2438         (JSC::NumberPrototype::getOwnPropertySlot):
2439         * runtime/NumberPrototype.h:
2440         * runtime/ObjectConstructor.cpp:
2441         (JSC::ObjectConstructor::getOwnPropertySlot):
2442         * runtime/ObjectConstructor.h:
2443         * runtime/ObjectPrototype.cpp:
2444         (JSC::ObjectPrototype::getOwnPropertySlot):
2445         * runtime/ObjectPrototype.h:
2446         * runtime/RegExpConstructor.cpp:
2447         (JSC::RegExpConstructor::getOwnPropertySlot):
2448         * runtime/RegExpConstructor.h:
2449         * runtime/RegExpMatchesArray.h:
2450         (JSC::RegExpMatchesArray::getOwnPropertySlot):
2451         * runtime/RegExpObject.cpp:
2452         (JSC::RegExpObject::getOwnPropertySlot):
2453         * runtime/RegExpObject.h:
2454         * runtime/RegExpPrototype.cpp:
2455         (JSC::RegExpPrototype::getOwnPropertySlot):
2456         * runtime/RegExpPrototype.h:
2457         * runtime/StringConstructor.cpp:
2458         (JSC::StringConstructor::getOwnPropertySlot):
2459         * runtime/StringConstructor.h:
2460         * runtime/StringObject.cpp:
2461         (JSC::StringObject::getOwnPropertySlot):
2462         * runtime/StringObject.h:
2463         * runtime/StringPrototype.cpp:
2464         (JSC::StringPrototype::getOwnPropertySlot):
2465         * runtime/StringPrototype.h:
2466
2467 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
2468
2469         JSVALUE32_64 DFG JIT - GetLocal should produce a cell result for Array predictions
2470         https://bugs.webkit.org/show_bug.cgi?id=69699
2471
2472         Reviewed by Filip Pizlo.
2473
2474         It should match SetLocal, where only the payload is stored for array predictions.
2475
2476         * dfg/DFGSpeculativeJIT32_64.cpp:
2477         (JSC::DFG::SpeculativeJIT::compile):
2478
2479 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
2480
2481         JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot
2482         https://bugs.webkit.org/show_bug.cgi?id=69702
2483
2484         Reviewed by Filip Pizlo.
2485
2486         There are some errors in generating code for Branch and LogicalNot,
2487         when the operand is predicted as ObjectOrOther.
2488
2489         * dfg/DFGSpeculativeJIT32_64.cpp:
2490         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2491         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2492
2493 2011-10-08  Sheriff Bot  <webkit.review.bot@gmail.com>
2494
2495         Unreviewed, rolling out r96996.
2496         http://trac.webkit.org/changeset/96996
2497         https://bugs.webkit.org/show_bug.cgi?id=69697
2498
2499         It broke all tests on the Qt bot (Requested by Ossy_night on
2500         #webkit).
2501
2502         * API/JSCallbackFunction.cpp:
2503         (JSC::JSCallbackFunction::getCallDataVirtual):
2504         * API/JSCallbackFunction.h:
2505         * API/JSCallbackObject.h:
2506         * API/JSCallbackObjectFunctions.h:
2507         (JSC::::getCallDataVirtual):
2508         * API/JSObjectRef.cpp:
2509         (JSObjectIsFunction):
2510         (JSObjectCallAsFunction):
2511         * JavaScriptCore.exp:
2512         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2513         * interpreter/Interpreter.cpp:
2514         (JSC::Interpreter::privateExecute):
2515         * jit/JITStubs.cpp:
2516         (JSC::DEFINE_STUB_FUNCTION):
2517         * runtime/ArrayConstructor.cpp:
2518         (JSC::ArrayConstructor::getCallDataVirtual):
2519         * runtime/ArrayConstructor.h:
2520         * runtime/BooleanConstructor.cpp:
2521         (JSC::BooleanConstructor::getCallDataVirtual):
2522         * runtime/BooleanConstructor.h:
2523         * runtime/DateConstructor.cpp:
2524         (JSC::DateConstructor::getCallDataVirtual):
2525         * runtime/DateConstructor.h:
2526         * runtime/Error.cpp:
2527         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2528         (JSC::StrictModeTypeErrorFunction::create):
2529         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2530         (JSC::StrictModeTypeErrorFunction::getConstructData):
2531         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2532         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
2533         (JSC::StrictModeTypeErrorFunction::getCallData):
2534         (JSC::StrictModeTypeErrorFunction::createStructure):
2535         (JSC::createTypeErrorFunction):
2536         * runtime/Error.h:
2537         * runtime/ErrorConstructor.cpp:
2538         (JSC::ErrorConstructor::getCallDataVirtual):
2539         * runtime/ErrorConstructor.h:
2540         * runtime/FunctionConstructor.cpp:
2541         (JSC::FunctionConstructor::getCallDataVirtual):
2542         * runtime/FunctionConstructor.h:
2543         * runtime/FunctionPrototype.cpp:
2544         (JSC::FunctionPrototype::getCallDataVirtual):
2545         * runtime/FunctionPrototype.h:
2546         * runtime/InternalFunction.cpp:
2547         (JSC::InternalFunction::finishCreation):
2548         * runtime/InternalFunction.h:
2549         * runtime/JSCell.cpp:
2550         (JSC::JSCell::getCallDataVirtual):
2551         * runtime/JSCell.h:
2552         (JSC::getCallData):
2553         * runtime/JSFunction.cpp:
2554         (JSC::JSFunction::getCallDataVirtual):
2555         * runtime/JSFunction.h:
2556         * runtime/JSGlobalObject.cpp:
2557         (JSC::JSGlobalObject::reset):
2558         (JSC::JSGlobalObject::visitChildren):
2559         * runtime/JSGlobalObject.h:
2560         * runtime/JSONObject.cpp:
2561         (JSC::Stringifier::Stringifier):
2562         (JSC::Stringifier::toJSON):
2563         (JSC::Stringifier::appendStringifiedValue):
2564         * runtime/JSObject.cpp:
2565         (JSC::JSObject::put):
2566         * runtime/JSObject.h:
2567         * runtime/NativeErrorConstructor.cpp:
2568         (JSC::NativeErrorConstructor::getCallDataVirtual):
2569         * runtime/NativeErrorConstructor.h:
2570         * runtime/NumberConstructor.cpp:
2571         (JSC::NumberConstructor::getCallDataVirtual):
2572         * runtime/NumberConstructor.h:
2573         * runtime/ObjectConstructor.cpp:
2574         (JSC::ObjectConstructor::getCallDataVirtual):
2575         * runtime/ObjectConstructor.h:
2576         * runtime/Operations.cpp:
2577         (JSC::jsTypeStringForValue):
2578         (JSC::jsIsObjectType):
2579         (JSC::jsIsFunctionType):
2580         * runtime/PropertySlot.cpp:
2581         (JSC::PropertySlot::functionGetter):
2582         * runtime/RegExpConstructor.cpp:
2583         (JSC::RegExpConstructor::getCallDataVirtual):
2584         * runtime/RegExpConstructor.h:
2585         * runtime/StringConstructor.cpp:
2586         (JSC::StringConstructor::getCallDataVirtual):
2587         * runtime/StringConstructor.h:
2588         * runtime/Structure.h:
2589
2590 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
2591
2592         DFG JIT - only Array predictions can result in unboxed cells in register file
2593         https://bugs.webkit.org/show_bug.cgi?id=69695
2594
2595         Reviewed by Filip Pizlo.
2596
2597         In the current DFG JIT, only array predictions can result in unboxed cells
2598         in the register file; the other cell predictions cannot.
2599
2600         * dfg/DFGSpeculativeJIT.h:
2601         (JSC::DFG::ValueSource::forPrediction):
2602
2603 2011-10-07  Yuqiang Xian  <yuqiang.xian@intel.com>
2604
2605         bug fixes for ArrayPush and ArrayPop in 32_64 DFG JIT
2606         https://bugs.webkit.org/show_bug.cgi?id=69696
2607
2608         Reviewed by Filip Pizlo.
2609
2610         On 32-bit, we should use TimesEight (8) instead of ScalePtr (4)
2611         to compute the address of a JS array element.
2612
2613         * dfg/DFGSpeculativeJIT32_64.cpp:
2614         (JSC::DFG::SpeculativeJIT::compile):
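
        The three 32_64 entries above (the Null-or-Undefined tag trick at bug 69734,
        the empty-value check in ValueProfile at bug 69717, and the TimesEight element
        stride at bug 69696) all hinge on the same JSValue layout. The following is an
        added illustration, not code from WebKit: the JSValue32_64 type, the concrete
        tag constants, and every helper name are assumptions constructed for this
        example. Only the tag adjacency property and the 8-byte element size come from
        the entries themselves.

```cpp
#include <cstdint>
#include <cstring>
#include <cstddef>

// Constructed model of the JSVALUE32_64 JSValue encoding: a 32-bit tag in the
// high word, a 32-bit payload in the low word, and doubles stored as their raw
// IEEE bits (NaN canonicalisation omitted). The tag values are assumptions made
// for this example; what matters is the property the ChangeLog relies on:
// UndefinedTag + 1 == NullTag and NullTag is odd.
namespace Tag {
    constexpr uint32_t Int32      = 0xffffffff;
    constexpr uint32_t Boolean    = 0xfffffffe;
    constexpr uint32_t Null       = 0xfffffffd;
    constexpr uint32_t Undefined  = 0xfffffffc;
    constexpr uint32_t Cell       = 0xfffffffb;
    constexpr uint32_t EmptyValue = 0xfffffffa;
}
static_assert(Tag::Undefined + 1 == Tag::Null, "tag trick needs adjacent tags");
static_assert((Tag::Null & 1) == 1, "tag trick needs an odd NullTag");

struct JSValue32_64 {
    uint32_t tag;
    uint32_t payload;
};
static_assert(sizeof(JSValue32_64) == 8, "32_64 JSValue is a tag/payload pair");

// The 64-bit word as spilled to the register file or recorded by a ValueProfile.
constexpr uint64_t encode(JSValue32_64 v) { return (uint64_t(v.tag) << 32) | v.payload; }
constexpr JSValue32_64 decode(uint64_t w) { return { uint32_t(w >> 32), uint32_t(w) }; }
inline uint64_t encodeDouble(double d) { uint64_t bits; std::memcpy(&bits, &d, sizeof bits); return bits; }

// 1. Null-or-Undefined test: two compares (one extra branch) versus the
//    baseline JIT's trick of OR-ing in the low bit so UndefinedTag collapses
//    onto NullTag and a single compare suffices.
inline bool isNullOrUndefinedTwoCompares(uint32_t tag) { return tag == Tag::Null || tag == Tag::Undefined; }
inline bool isNullOrUndefinedOneCompare(uint32_t tag)  { return (tag | 1) == Tag::Null; }

// Check that both forms agree over the whole reserved tag range and over the
// low values a double's high word can take.
bool tagTrickIsSound() {
    for (uint64_t t = 0xffffff00ull; t <= 0xffffffffull; ++t)
        if (isNullOrUndefinedTwoCompares(uint32_t(t)) != isNullOrUndefinedOneCompare(uint32_t(t)))
            return false;
    for (uint32_t t = 0; t < 0x10000; ++t)
        if (isNullOrUndefinedTwoCompares(t) != isNullOrUndefinedOneCompare(t))
            return false;
    return true;
}

// 2. Empty-value test: on JSVALUE64 the empty value is encoded 0, but on 32_64
//    it is (EmptyValueTag, 0), whose word is non-zero, while encoded 0 is the
//    double +0.0. Testing the raw word therefore misses the real empty value and
//    misclassifies 0.0; the check has to run on the decoded tag.
constexpr uint64_t kEmptyValue32_64 = encode({ Tag::EmptyValue, 0 });
inline bool isEmptyByRawBits(uint64_t w)    { return w == 0; }
inline bool isEmptyByDecodedTag(uint64_t w) { return decode(w).tag == Tag::EmptyValue; }

// 3. Array element addressing: ScalePtr is 4 on a 32-bit target, but each
//    32_64 element is 8 bytes, so the stride must be TimesEight.
constexpr size_t kScalePtr32 = 4;  // pointer size on a 32-bit target (assumption)
constexpr size_t elementByteOffset(size_t index)      { return index * sizeof(JSValue32_64); }
constexpr size_t wrongElementByteOffset(size_t index) { return index * kScalePtr32; }

inline uint64_t readWordAt(const uint64_t* storage, size_t byteOffset) {
    uint64_t w;
    std::memcpy(&w, reinterpret_cast<const unsigned char*>(storage) + byteOffset, sizeof w);
    return w;
}

// Constructed 3-element array of Int32 values; returns element 1 decoded after
// reading it with either stride, so the misaligned read is visible.
JSValue32_64 readSecondElement(bool useCorrectStride) {
    const uint64_t storage[3] = {
        encode({ Tag::Int32, 10 }), encode({ Tag::Int32, 20 }), encode({ Tag::Int32, 30 })
    };
    size_t off = useCorrectStride ? elementByteOffset(1) : wrongElementByteOffset(1);
    return decode(readWordAt(storage, off));
}
```

        With the wrong stride the read straddles element 0 and element 1, so the
        decoded tag is a payload value rather than Int32Tag; with the correct stride it
        yields (Int32Tag, 20). The same decode-before-compare discipline is what makes
        the empty-value check correct on both value representations.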
2615
2616 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2617
2618         Add static version of JSCell::deleteProperty
2619         https://bugs.webkit.org/show_bug.cgi?id=69659
2620
2621         Reviewed by Geoffrey Garen.
2622
2623         Added static version of both versions of put to all classes that 
2624         override them and changed the virtual versions to call the static 
2625         versions.  This is the first step in de-virtualizing JSCell::deleteProperty.
2626
2627         * API/JSCallbackObject.h:
2628         * API/JSCallbackObjectFunctions.h:
2629         (JSC::::deleteProperty):
2630         * debugger/DebuggerActivation.cpp:
2631         (JSC::DebuggerActivation::deleteProperty):
2632         * debugger/DebuggerActivation.h:
2633         * runtime/Arguments.cpp:
2634         (JSC::Arguments::deleteProperty):
2635         * runtime/Arguments.h:
2636         * runtime/JSActivation.cpp:
2637         (JSC::JSActivation::deleteProperty):
2638         * runtime/JSActivation.h:
2639         * runtime/JSArray.cpp:
2640         (JSC::JSArray::deleteProperty):
2641         * runtime/JSArray.h:
2642         * runtime/JSCell.cpp:
2643         (JSC::JSCell::deleteProperty):
2644         * runtime/JSCell.h:
2645         * runtime/JSFunction.cpp:
2646         (JSC::JSFunction::deleteProperty):
2647         * runtime/JSFunction.h:
2648         * runtime/JSNotAnObject.cpp:
2649         (JSC::JSNotAnObject::deleteProperty):
2650         * runtime/JSNotAnObject.h:
2651         * runtime/JSObject.cpp:
2652         (JSC::JSObject::deleteProperty):
2653         * runtime/JSObject.h:
2654         * runtime/JSVariableObject.cpp:
2655         (JSC::JSVariableObject::deleteProperty):
2656         * runtime/JSVariableObject.h:
2657         * runtime/RegExpMatchesArray.h:
2658         (JSC::RegExpMatchesArray::deleteProperty):
2659         * runtime/StrictEvalActivation.cpp:
2660         (JSC::StrictEvalActivation::deleteProperty):
2661         * runtime/StrictEvalActivation.h:
2662         * runtime/StringObject.cpp:
2663         (JSC::StringObject::deleteProperty):
2664         * runtime/StringObject.h:
2665
2666 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2667
2668         Remove getCallDataVirtual methods
2669         https://bugs.webkit.org/show_bug.cgi?id=69186
2670
2671         Reviewed by Geoffrey Garen.
2672
2673         Removed all getCallDataVirtual methods and replaced their call sites 
2674         with an explicit lookup in the MethodTable.
2675
2676         * API/JSCallbackFunction.cpp:
2677         * API/JSCallbackFunction.h:
2678         * API/JSCallbackObject.h:
2679         * API/JSCallbackObjectFunctions.h:
2680         * API/JSObjectRef.cpp:
2681         (JSObjectIsFunction):
2682         (JSObjectCallAsFunction):
2683         * JavaScriptCore.exp:
2684         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2685         * interpreter/Interpreter.cpp:
2686         (JSC::Interpreter::privateExecute):
2687         * jit/JITStubs.cpp:
2688         (JSC::DEFINE_STUB_FUNCTION):
2689         * runtime/ArrayConstructor.cpp:
2690         * runtime/ArrayConstructor.h:
2691         * runtime/BooleanConstructor.cpp:
2692         * runtime/BooleanConstructor.h:
2693         * runtime/DateConstructor.cpp:
2694         * runtime/DateConstructor.h:
2695         * runtime/Error.cpp:
2696         (JSC::createTypeErrorFunction):
2697
2698         Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
2699         the class definition in JSGlobalObject.cpp.
2700         * runtime/Error.h:
2701         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2702         (JSC::StrictModeTypeErrorFunction::create):
2703         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2704         (JSC::StrictModeTypeErrorFunction::getConstructData):
2705         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2706         (JSC::StrictModeTypeErrorFunction::getCallData):
2707         (JSC::StrictModeTypeErrorFunction::createStructure):
2708         * runtime/ErrorConstructor.cpp:
2709         * runtime/ErrorConstructor.h:
2710         * runtime/FunctionConstructor.cpp:
2711         * runtime/FunctionConstructor.h:
2712         * runtime/FunctionPrototype.cpp:
2713         * runtime/FunctionPrototype.h:
2714
2715         To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have 
2716         to declare their own ClassInfo if they don't override getCallData, provided 
2717         an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same 
2718         functionality as the pure virtual method InternalFunction used to have.
2719         Also made this new implementation protected rather than private for the same reason.
2720         Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever 
2721         object is being created provides its own implementation of getCallData.  This 
2722         just makes execution fail earlier in a place where the source of the error is 
2723         easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
2724         they appear much more intentional to anybody who fails to provide their own 
2725         implementation or who tries to explicitly call InternalFunction::getCallData.
2726         * runtime/InternalFunction.cpp:
2727         (JSC::InternalFunction::finishCreation):
2728         (JSC::InternalFunction::getCallData):
2729         * runtime/InternalFunction.h:
2730         * runtime/JSCell.cpp:
2731         * runtime/JSCell.h:
2732         * runtime/JSFunction.cpp:
2733         * runtime/JSFunction.h:
2734
2735         Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
2736         it to be reused rather than creating a new Structure every time we instantiate it.
2737         * runtime/JSGlobalObject.cpp:
2738         (JSC::JSGlobalObject::reset):
2739         (JSC::JSGlobalObject::visitChildren):
2740         * runtime/JSGlobalObject.h:
2741         (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
2742         * runtime/JSONObject.cpp:
2743         (JSC::Stringifier::Stringifier):
2744         (JSC::Stringifier::toJSON):
2745         (JSC::Stringifier::appendStringifiedValue):
2746         * runtime/JSObject.cpp:
2747         (JSC::JSObject::put):
2748         * runtime/JSObject.h:
2749         (JSC::getCallData):
2750         * runtime/NativeErrorConstructor.cpp:
2751         * runtime/NativeErrorConstructor.h:
2752         * runtime/NumberConstructor.cpp:
2753         * runtime/NumberConstructor.h:
2754         * runtime/ObjectConstructor.cpp:
2755         * runtime/ObjectConstructor.h:
2756         * runtime/Operations.cpp:
2757         (JSC::jsTypeStringForValue):
2758         (JSC::jsIsObjectType):
2759         (JSC::jsIsFunctionType):
2760         * runtime/PropertySlot.cpp:
2761         (JSC::PropertySlot::functionGetter):
2762         * runtime/RegExpConstructor.cpp:
2763         * runtime/RegExpConstructor.h:
2764         * runtime/StringConstructor.cpp:
2765         * runtime/StringConstructor.h:
2766         * runtime/Structure.h:
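
        The de-virtualisation entries above (getCallData here, and the static
        getOwnPropertySlot, getConstructData, put and deleteProperty entries before it)
        all follow one pattern: each class gets a static entry point, installs it in a
        per-class MethodTable inside its ClassInfo, and call sites look the function up
        in that table instead of making a virtual call. The following is an added
        standalone model of that pattern, not JavaScriptCore code: the names JSCell,
        ClassInfo, MethodTable, CallData and getCallData mirror JSC's, but their
        definitions, the NativeFunction and PlainObject classes, and the driver
        functions are assumptions constructed for this example.

```cpp
#include <cstddef>

enum class CallType { None, Host };

struct JSCell;
struct CallData { int (*nativeFunction)(int) = nullptr; };

// The per-class table of static entry points. A virtual call becomes a load of
// the class's table followed by an indirect call through the chosen slot.
struct MethodTable {
    CallType (*getCallData)(JSCell*, CallData&);
};

struct ClassInfo {
    const char* className;
    const ClassInfo* parentClass;
    MethodTable methodTable;
};

struct JSCell {
    const ClassInfo* classInfo;
    explicit JSCell(const ClassInfo* info) : classInfo(info) {}
    const MethodTable* methodTable() const { return &classInfo->methodTable; }
    // Base behaviour: a cell is not callable.
    static CallType getCallData(JSCell*, CallData&) { return CallType::None; }
    static const ClassInfo s_info;
};
const ClassInfo JSCell::s_info = { "JSCell", nullptr, { &JSCell::getCallData } };

// A callable class overrides getCallData statically and installs it in its own
// ClassInfo. No virtual dispatch is involved anywhere.
static int doubleIt(int x) { return 2 * x; }
struct NativeFunction : JSCell {
    NativeFunction() : JSCell(&s_info) {}
    static CallType getCallData(JSCell*, CallData& data) {
        data.nativeFunction = doubleIt;
        return CallType::Host;
    }
    static const ClassInfo s_info;
};
const ClassInfo NativeFunction::s_info = { "NativeFunction", &JSCell::s_info, { &NativeFunction::getCallData } };

// A class that does not override getCallData inherits the base entry in its
// table. Every slot is populated, so the table never holds a null pointer.
struct PlainObject : JSCell {
    PlainObject() : JSCell(&s_info) {}
    static const ClassInfo s_info;
};
const ClassInfo PlainObject::s_info = { "PlainObject", &JSCell::s_info, { &JSCell::getCallData } };

// The free function that replaces getCallDataVirtual at call sites: an explicit
// lookup in the MethodTable.
inline CallType getCallData(JSCell* cell, CallData& data) {
    return cell->methodTable()->getCallData(cell, data);
}

// Mirrors the ASSERT in InternalFunction::finishCreation: a class that forgot to
// provide its own getCallData still dispatches to the base entry, which is
// detected by comparing table slots rather than by checking for null.
inline bool providesOwnGetCallData(JSCell* cell) {
    return cell->methodTable()->getCallData != &JSCell::getCallData;
}

// A call site uses the CallData only when the returned type says it is callable.
int callIfFunction(JSCell* cell, int arg, bool* wasCallable) {
    CallData data;
    if (getCallData(cell, data) == CallType::None) {
        *wasCallable = false;
        return 0;
    }
    *wasCallable = true;
    return data.nativeFunction(arg);
}

// Drivers over one callable cell and one plain cell.
int callNativeFunction(int arg) { NativeFunction f; bool c = false; return callIfFunction(&f, arg, &c); }
bool plainObjectIsCallable() { PlainObject p; bool c = true; callIfFunction(&p, 0, &c); return c; }
bool nativeFunctionProvidesOwnGetCallData() { NativeFunction f; return providesOwnGetCallData(&f); }
bool plainObjectProvidesOwnGetCallData() { PlainObject p; return providesOwnGetCallData(&p); }
```

        The point of the slot comparison is the one the entry makes about ASSERTs versus
        nulls: a table whose slots are always valid function pointers cannot crash on a
        missing override, and a forgotten override is caught deliberately at creation
        time rather than by a null dereference later.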
2767
2768 2011-10-07  Oliver Hunt  <oliver@apple.com>
2769
2770         Add missing break statement.
2771
2772         Reviewed by Gavin Barraclough.
2773
2774         * dfg/DFGPropagator.cpp:
2775         (JSC::DFG::Propagator::propagateNodePredictions):
2776
2777 2011-10-07  Oliver Hunt  <oliver@apple.com>
2778
2779         Support some string intrinsics in the DFG JIT
2780         https://bugs.webkit.org/show_bug.cgi?id=69678
2781
2782         Reviewed by Gavin Barraclough.
2783
2784         Add support for charAt and charCodeAt intrinsics in the DFG.
2785
2786         * create_hash_table:
2787         * dfg/DFGByteCodeParser.cpp:
2788         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2789         * dfg/DFGIntrinsic.h:
2790         * dfg/DFGNode.h:
2791         * dfg/DFGPropagator.cpp:
2792         (JSC::DFG::Propagator::propagateNodePredictions):
2793         (JSC::DFG::Propagator::performNodeCSE):
2794         * dfg/DFGSpeculativeJIT.cpp:
2795         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
2796         * dfg/DFGSpeculativeJIT.h:
2797         * dfg/DFGSpeculativeJIT32_64.cpp:
2798         (JSC::DFG::SpeculativeJIT::compile):
2799         * dfg/DFGSpeculativeJIT64.cpp:
2800         (JSC::DFG::SpeculativeJIT::compile):
2801
2802 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2803
2804         Add static version of JSCell::put
2805         https://bugs.webkit.org/show_bug.cgi?id=69382
2806
2807         Reviewed by Geoffrey Garen.
2808
2809         Added static version of both versions of put to all classes that 
2810         override them and changed the virtual versions to call the static 
2811         versions.
2812
2813         * API/JSCallbackObject.h:
2814         * API/JSCallbackObjectFunctions.h:
2815         (JSC::::put):
2816         * JavaScriptCore.exp:
2817         * debugger/DebuggerActivation.cpp:
2818         (JSC::DebuggerActivation::put):
2819         * debugger/DebuggerActivation.h:
2820         * runtime/Arguments.cpp:
2821         (JSC::Arguments::put):
2822         * runtime/Arguments.h:
2823         * runtime/JSActivation.cpp:
2824         (JSC::JSActivation::put):
2825         * runtime/JSActivation.h:
2826         * runtime/JSArray.cpp:
2827         (JSC::JSArray::put):
2828         * runtime/JSArray.h:
2829         * runtime/JSByteArray.cpp:
2830         (JSC::JSByteArray::put):
2831         * runtime/JSByteArray.h:
2832         * runtime/JSCell.cpp:
2833         (JSC::JSCell::put):
2834         * runtime/JSCell.h:
2835         * runtime/JSFunction.cpp:
2836         (JSC::JSFunction::put):
2837         * runtime/JSFunction.h:
2838         * runtime/JSGlobalObject.cpp:
2839         (JSC::JSGlobalObject::put):
2840         * runtime/JSGlobalObject.h:
2841         * runtime/JSNotAnObject.cpp:
2842         (JSC::JSNotAnObject::put):
2843         * runtime/JSNotAnObject.h:
2844         * runtime/JSObject.cpp:
2845         (JSC::JSObject::put):
2846         * runtime/JSObject.h:
2847         * runtime/JSStaticScopeObject.cpp:
2848         (JSC::JSStaticScopeObject::put):
2849         * runtime/JSStaticScopeObject.h:
2850         * runtime/ObjectPrototype.cpp:
2851         (JSC::ObjectPrototype::put):
2852         * runtime/ObjectPrototype.h:
2853         * runtime/RegExpConstructor.cpp:
2854         (JSC::RegExpConstructor::put):
2855         * runtime/RegExpConstructor.h:
2856         * runtime/RegExpMatchesArray.h:
2857         (JSC::RegExpMatchesArray::put):
2858         * runtime/RegExpObject.cpp:
2859         (JSC::RegExpObject::put):
2860         * runtime/RegExpObject.h:
2861         * runtime/StringObject.cpp:
2862         (JSC::StringObject::put):
2863         * runtime/StringObject.h:
2864
2865 2011-10-07  Gavin Barraclough  <barraclough@apple.com>
2866
2867         Refactor DFG to make more use of callOperation
2868         https://bugs.webkit.org/show_bug.cgi?id=69672
2869
2870         Reviewed by Oliver Hunt.
2871
2872         * dfg/DFGJITCodeGenerator.h:
2873         (JSC::DFG::callOperation):
2874             - Added new callOperation calls, don't ASSERT flushed (use helpers for unexpected calls, too).
2875         * dfg/DFGOperations.cpp:
2876         * dfg/DFGOperations.h:
2877             - Switch operationNewObject/operationCreateThis to return Cells,
2878             - Added C_DFGOperation_E/C_DFGOperation_EC/J_DFGOperation_EA/J_DFGOperation_EJA call types.
2879         * dfg/DFGSpeculativeJIT32_64.cpp:
2880         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2881         (JSC::DFG::SpeculativeJIT::emitBranch):
2882         (JSC::DFG::SpeculativeJIT::compile):
2883             - Replace code plating calls to operations with calls to callOperation.
2884         * dfg/DFGSpeculativeJIT64.cpp:
2885         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2886         (JSC::DFG::SpeculativeJIT::emitBranch):
2887         (JSC::DFG::SpeculativeJIT::compile):
2888             - Replace code plating calls to operations with calls to callOperation.
2889
2890 2011-10-07  Oliver Hunt  <oliver@apple.com>
2891
2892         Support string indexing in the DFG
2893         https://bugs.webkit.org/show_bug.cgi?id=69671
2894
2895         Reviewed by Gavin Barraclough.
2896
2897         Emit code to support inline indexing of strings
2898
2899         * dfg/DFGSpeculativeJIT.cpp:
2900         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2901             Shared code to perform string indexing.
2902         * dfg/DFGSpeculativeJIT.h:
2903         * dfg/DFGSpeculativeJIT32_64.cpp:
2904         (JSC::DFG::SpeculativeJIT::compile):
2905         * dfg/DFGSpeculativeJIT64.cpp:
2906         (JSC::DFG::SpeculativeJIT::compile):
2907             Use compileGetByValOnString if we predict that the base object
2908             is a string in GetByVal.
2909         * runtime/JSString.h:
2910         (JSC::JSString::offsetOfFiberCount):
2911         (JSC::JSString::offsetOfValue):
2912
2913 2011-10-07  Filip Pizlo  <fpizlo@apple.com>
2914
2915         DFG ConvertThis speculation logic is wrong
2916         https://bugs.webkit.org/show_bug.cgi?id=69663
2917
2918         Reviewed by Oliver Hunt.
2919
2920         * dfg/DFGPropagator.cpp:
2921         (JSC::DFG::Propagator::fixupNode):
2922         * dfg/DFGSpeculativeJIT32_64.cpp:
2923         (JSC::DFG::SpeculativeJIT::compile):
2924         * dfg/DFGSpeculativeJIT64.cpp:
2925         (JSC::DFG::SpeculativeJIT::compile):
2926
2927 2011-10-07  Oliver Hunt  <oliver@apple.com>
2928
2929         Verify that our call speculation is valid.
2930
2931         Reviewed by Filip Pizlo.
2932
2933         Before specialising an intrinsic we need to verify that
2934         our speculation is correct.
2935
2936         * dfg/DFGByteCodeParser.cpp:
2937         (JSC::DFG::ByteCodeParser::parseBlock):
2938
2939 2011-10-07  Brent Fulgham  <bfulgham@webkit.org>
2940
2941         [WinCairo] Unreviewed build correction for the build bot.
2942
2943         * JavaScriptCore.vcproj/JavaScriptCore.sln: Add the missing
2944         Release_Cairo_CFLite and Debug_Cairo_CFLite targets so that
2945         build-jsc can find the target it needs to run the JSC tests.
2946
2947 2011-10-07  Oliver Hunt  <oliver@apple.com>
2948
2949         Fix 32-bit build.
2950
2951         * jit/JITCall32_64.cpp:
2952         (JSC::JIT::compileOpCall):
2953
2954 2011-10-07  Oliver Hunt  <oliver@apple.com>
2955
2956         Support direct calls to intrinsic functions
2957         https://bugs.webkit.org/show_bug.cgi?id=69646
2958
2959         Reviewed by Gavin Barraclough.
2960
2961         Add support for optimising non-method_check calls
2962         to intrinsic functions (e.g. when Math.abs, etc. are
2963         cached in local variables).
2964
2965         * bytecode/CodeBlock.h:
2966         (JSC::getCallLinkInfoBytecodeIndex):
2967             Support searching CallLinkInfos by bytecode index
2968         * dfg/DFGByteCodeParser.cpp:
2969         (JSC::DFG::ByteCodeParser::parseBlock):
2970             Add support for linked calls in addition to method_check
2971             when searching for intrinsics
2972         * dfg/DFGNode.h:
2973         (JSC::DFG::Node::hasFunctionCheckData):
2974         (JSC::DFG::Node::function):
2975             Add ability to store a JSFunction* in a node - this is safe
2976             as the function will be marked by the codeblock we're compiling
2977         * dfg/DFGPropagator.cpp:
2978         (JSC::DFG::Propagator::propagateNodePredictions):
2979         (JSC::DFG::Propagator::checkFunctionElimination):
2980         (JSC::DFG::Propagator::performNodeCSE):
2981             Add support for new CheckFunction node, and implement CSE pass.
2982         * dfg/DFGSpeculativeJIT32_64.cpp:
2983         (JSC::DFG::SpeculativeJIT::compile):
2984         * dfg/DFGSpeculativeJIT64.cpp:
2985         (JSC::DFG::SpeculativeJIT::compile):
2986             Rather trivial implementation of CheckFunction
2987         * jit/JIT.cpp:
2988         (JSC::JIT::privateCompile):
2989         * jit/JIT.h:
2990         * jit/JITCall.cpp:
2991         (JSC::JIT::compileOpCall):
2992         * jit/JITCall32_64.cpp:
2993         (JSC::JIT::compileOpCall):
2994             Need to propagate bytecode index for calls now.
2995
2996 2011-10-07  Dominic Cooney  <dominicc@chromium.org>
2997
2998         [JSC] Disable ThreadRestrictionVerifier for JIT ExecutableMemoryHandles
2999         https://bugs.webkit.org/show_bug.cgi?id=69599
3000
3001         Reviewed by Sam Weinig.
3002
3003         DFG JIT manipulates MetaAllocatorHandles across threads, e.g. in
3004         allocating JITCode buffers on a background thread to execute a
3005         proxy autoconfiguration PAC file but garbage collecting it in
3006         response to allocation on the main thread. Disabling
3007         ThreadRestrictionVerification until there is a verification scheme
3008         that understands this handoff.
3009
3010         * wtf/MetaAllocator.cpp:
3011         (WTF::MetaAllocator::allocate):
3012
3013 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3014
3015         DFG should not always speculate that ConvertThis is operating on an object
3016         https://bugs.webkit.org/show_bug.cgi?id=69570
3017
3018         Reviewed by Oliver Hunt.
3019         
3020         Mostly neutral, but with a slight regression in Kraken since it increases
3021         coverage in DFG and thus reveals some performance pathologies (which I
3022         prefer to think of as performance opportunities, in a good way).
3023
3024         * bytecode/PredictedType.cpp:
3025         (JSC::predictionToString):
3026         * bytecode/PredictedType.h:
3027         (JSC::isOtherPrediction):
3028         (JSC::mergePredictions):
3029         * dfg/DFGPropagator.cpp:
3030         (JSC::DFG::Propagator::propagateNodePredictions):
3031         * dfg/DFGSpeculativeJIT32_64.cpp:
3032         (JSC::DFG::SpeculativeJIT::compile):
3033         * dfg/DFGSpeculativeJIT64.cpp:
3034         (JSC::DFG::SpeculativeJIT::compile):
3035
3036 2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3037
3038         Windows build fix
3039
3040         Unreviewed build fix.  Weird runtime failures on Windows due to
3041         linking issues caused by the ClassInfo struct in JSByteArray not
3042         being declared with JS_EXPORTDATA.
3043
3044         * runtime/JSByteArray.h:
3045
3046 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3047
3048         Structure does not reset m_previous when pinning the property map
3049         https://bugs.webkit.org/show_bug.cgi?id=69583
3050
3051         Reviewed by Gavin Barraclough.
3052         
3053         This is a 0.6% performance improvement in V8, and 0.2% overall.
3054
3055         * runtime/Structure.cpp:
3056         (JSC::Structure::changePrototypeTransition):
3057         (JSC::Structure::despecifyFunctionTransition):
3058         (JSC::Structure::getterSetterTransition):
3059         (JSC::Structure::toDictionaryTransition):
3060         (JSC::Structure::preventExtensionsTransition):
3061         (JSC::Structure::addPropertyWithoutTransition):
3062         (JSC::Structure::removePropertyWithoutTransition):
3063         (JSC::Structure::pin):
3064         * runtime/Structure.h:
3065
3066 2011-10-06  Anders Carlsson  <andersca@apple.com>
3067
3068         When building with clang, enable -Wglobal-constructors and -Wexit-time-destructors
3069         https://bugs.webkit.org/show_bug.cgi?id=69586
3070
3071         Reviewed by Darin Adler.
3072
3073         * Configurations/Base.xcconfig:
3074         Add -Wglobal-constructors and -Wexit-time-destructors when building with clang.
3075
3076         * JavaScriptCore.xcodeproj/project.pbxproj:
3077         When building with clang, we don't need to run the check-for-global-initializers and
3078         check-for-exit-time-destructors anymore.
3079
3080         * jsc.cpp:
3081         (runInteractive):
3082         Move interpreterName into runInteractive.
3083
3084         * wtf/StdLibExtras.h:
3085         When building with clang, disable the -Wglobal-constructors and -Wexit-time-destructors
3086         warnings around the variable declaration.
3087
3088 2011-10-06  Anders Carlsson  <andersca@apple.com>
3089
3090         Add DEFINE_DEBUG_ONLY_GLOBAL for globals that should be defined in debug builds
3091         https://bugs.webkit.org/show_bug.cgi?id=69584
3092
3093         Reviewed by Darin Adler.
3094
3095         Add DEFINE_DEBUG_ONLY_GLOBAL macro.
3096
3097         * wtf/StdLibExtras.h:
3098
3099 2011-10-06  Oliver Hunt  <oliver@apple.com>
3100
3101         Write barrier shouldn't allocate temporaries inside control flow
3102         https://bugs.webkit.org/show_bug.cgi?id=69582
3103
3104         Reviewed by Gavin Barraclough.
3105
3106         Reorder the code to avoid spill-related badness.
3107
3108         * dfg/DFGJITCodeGenerator.cpp:
3109         (JSC::DFG::JITCodeGenerator::writeBarrier):
3110
3111 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3112
3113         DFG::shouldSpeculate methods are too complicated
3114         https://bugs.webkit.org/show_bug.cgi?id=69560
3115
3116         Reviewed by Geoffrey Garen.
3117         
3118         Moved shouldSpeculate methods to DFG::Node, and cleaned them up to
3119         just use node predictions.
3120         
3121         By itself this would have meant that SpeculativeJIT code would have
3122         had to say things like m_jit.graph()[nodeIndex].shouldSpeculateXYZ().
3123         So this adds an at(NodeIndex) method to JITCodeGenerator. I replaced
3124         all uses of the m_jit.graph()[nodeIndex] idiom with at(nodeIndex).
3125         
3126         This is a 0.4% progression overall that shows up in all benchmarks,
3127         for reasons unknown.
3128
3129         * dfg/DFGJITCodeGenerator.h:
3130         (JSC::DFG::JITCodeGenerator::at):
3131         (JSC::DFG::JITCodeGenerator::canReuse):
3132         (JSC::DFG::JITCodeGenerator::isFilled):
3133         (JSC::DFG::JITCodeGenerator::isFilledDouble):
3134         (JSC::DFG::JITCodeGenerator::use):
3135         (JSC::DFG::JITCodeGenerator::silentSpillFPR):
3136         (JSC::DFG::JITCodeGenerator::silentFillGPR):
3137         (JSC::DFG::JITCodeGenerator::silentFillFPR):
3138         (JSC::DFG::detectPeepHoleBranch):
3139         (JSC::DFG::integerResult):
3140         (JSC::DFG::noResult):
3141         (JSC::DFG::cellResult):
3142         (JSC::DFG::jsValueResult):
3143         (JSC::DFG::storageResult):
3144         (JSC::DFG::doubleResult):
3145         (JSC::DFG::initConstantInfo):
3146         (JSC::DFG::appendCallWithExceptionCheck):
3147         * dfg/DFGJITCodeGenerator32_64.cpp:
3148         (JSC::DFG::JITCodeGenerator::fillInteger):
3149         (JSC::DFG::JITCodeGenerator::fillDouble):
3150         (JSC::DFG::JITCodeGenerator::fillJSValue):
3151         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
3152         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
3153         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
3154         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
3155         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
3156         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
3157         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3158         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
3159         (JSC::DFG::JITCodeGenerator::emitCall):
3160         * dfg/DFGJITCodeGenerator64.cpp:
3161         (JSC::DFG::JITCodeGenerator::fillInteger):
3162         (JSC::DFG::JITCodeGenerator::fillDouble):
3163         (JSC::DFG::JITCodeGenerator::fillJSValue):
3164         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
3165         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
3166         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3167         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
3168         (JSC::DFG::JITCodeGenerator::emitCall):
3169         * dfg/DFGNode.h:
3170         (JSC::DFG::Node::shouldSpeculateInteger):
3171         (JSC::DFG::Node::shouldSpeculateDouble):
3172         (JSC::DFG::Node::shouldSpeculateNumber):
3173         (JSC::DFG::Node::shouldNotSpeculateInteger):
3174         (JSC::DFG::Node::shouldSpeculateFinalObject):
3175         (JSC::DFG::Node::shouldSpeculateFinalObjectOrOther):
3176         (JSC::DFG::Node::shouldSpeculateArray):
3177         (JSC::DFG::Node::shouldSpeculateArrayOrOther):
3178         (JSC::DFG::Node::shouldSpeculateObject):
3179         (JSC::DFG::Node::shouldSpeculateCell):
3180         (JSC::DFG::Node::canSpeculateInteger):
3181         * dfg/DFGSpeculativeJIT.cpp:
3182         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
3183         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
3184         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
3185         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3186         (JSC::DFG::SpeculativeJIT::compile):
3187         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3188         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3189         * dfg/DFGSpeculativeJIT.h:
3190         (JSC::DFG::SpeculativeJIT::isInteger):
3191         (JSC::DFG::SpeculativeJIT::isKnownArray):
3192         (JSC::DFG::SpeculativeJIT::isKnownString):
3193         * dfg/DFGSpeculativeJIT32_64.cpp:
3194         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3195         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3196         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3197         (JSC::DFG::SpeculativeJIT::convertToDouble):
3198         (JSC::DFG::SpeculativeJIT::compare):
3199         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3200         (JSC::DFG::SpeculativeJIT::emitBranch):
3201         (JSC::DFG::SpeculativeJIT::compile):
3202         * dfg/DFGSpeculativeJIT64.cpp:
3203         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3204         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3205         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3206         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3207         (JSC::DFG::SpeculativeJIT::compare):
3208         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3209         (JSC::DFG::SpeculativeJIT::emitBranch):
3210         (JSC::DFG::SpeculativeJIT::compile):
3211
3212 2011-10-06  Gavin Peters  <gavinp@chromium.org>
3213
3214         REGRESSION (r96595): First frame in assertion backtraces is no longer labeled "1"
3215         https://bugs.webkit.org/show_bug.cgi?id=69556
3216
3217         Reviewed by Adam Roben.
3218
3219         * wtf/Assertions.cpp:
3220
3221 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3222
3223         DFG implementation of UInt32ToNumber is missing a break statement
3224         https://bugs.webkit.org/show_bug.cgi?id=69552
3225
3226         Reviewed by Oliver Hunt.
3227
3228         * dfg/DFGSpeculativeJIT32_64.cpp:
3229         (JSC::DFG::SpeculativeJIT::compile):
3230         * dfg/DFGSpeculativeJIT64.cpp:
3231         (JSC::DFG::SpeculativeJIT::compile):
3232
3233 2011-10-06  Gavin Barraclough  <barraclough@apple.com>
3234
3235         Unreviewed build fix for DFG JIT 32_64 release builds.
3236
3237         * dfg/DFGJITCompiler.cpp:
3238         * dfg/DFGJITCompiler.h:
3239         * dfg/DFGJITCompiler32_64.cpp:
3240             - Remove three unused methods.
3241
3242 2011-10-06  Gavin Barraclough  <barraclough@apple.com>
3243
3244         DFG JIT 32_64 should check type of values being filled by fillSpeculateInt
3245         https://bugs.webkit.org/show_bug.cgi?id=69549
3246
3247         Reviewed by Oliver Hunt.
3248
3249         This breaks sunspider/3d-cube.
3250
3251         * dfg/DFGSpeculativeJIT32_64.cpp:
3252         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3253             - Speculation check on the tag.
3254
3255 2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3256
3257         Snow Leopard build fix
3258
3259         Unreviewed build fix
3260
3261         * JavaScriptCore.exp:
3262
3263 2011-10-05  Gavin Barraclough  <barraclough@apple.com>
3264
3265         Add explicit JSGlobalThis type.
3266         https://bugs.webkit.org/show_bug.cgi?id=69478
3267
3268         Reviewed by Darin Adler.
3269
3270         JSC supports a split global object, as used by WebCore for the Window. As a stage
3271         of making this visible to JSC, make it so that if the global this value is not the
3272         global object itself, it must be a subclass of JSGlobalThis.
3273
3274         * API/JSCallbackObjectFunctions.h:
3275         (JSC::::finishCreation):
3276             - Don't pass the thisValue to JSGlobalObject::finishCreation.
3277         * JavaScriptCore.xcodeproj/project.pbxproj:
3278             - Added JSGlobalThis.h
3279         * jsc.cpp:
3280         (GlobalObject::finishCreation):
3281             - Don't pass the thisValue to JSGlobalObject::finishCreation.
3282         * runtime/JSGlobalObject.h:
3283         (JSC::JSGlobalObject::create):
3284         (JSC::JSGlobalObject::finishCreation):
3285             - finishCreation takes a JSGlobalThis, or thisValue is implicit.
3286         * runtime/JSGlobalThis.h: Added.
3287         (JSC::JSGlobalThis::create):
3288         (JSC::JSGlobalThis::JSGlobalThis):
3289         (JSC::JSGlobalThis::finishCreation):
3290             - Thin wrapper on JSNonFinalObject to allow type checking.
3291         * testRegExp.cpp:
3292         (GlobalObject::finishCreation):
3293             - Don't pass the thisValue to JSGlobalObject::finishCreation.
3294
3295 2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3296
3297         JSC objects need to know their own cell size at runtime.
3298         https://bugs.webkit.org/show_bug.cgi?id=69390
3299
3300         Reviewed by Geoffrey Garen.
3301
3302         Added the cellSize field to ClassInfo and the static calculation of
3303         size of each class to the CREATE_METHOD_TABLE macro, which will be
3304         renamed in a followup patch to make its name match its broader use.
3305
3306         Also added a few ClassInfo structs so that each object that is allocated has its
3307         correct size.
3308
3309         * JavaScriptCore.exp:
3310         * runtime/ClassInfo.h:
3311
3312         Changed JSByteArray s_defaultInfo to s_info so that the template will get the
3313         correct ClassInfo struct from it when it's allocated.
3314         * runtime/JSByteArray.cpp:
3315         * runtime/JSByteArray.h:
3316         * runtime/JSCell.h:
3317         (JSC::allocateCell):
3318         * runtime/JSNotAnObject.cpp:
3319         * runtime/JSNotAnObject.h:
3320         * runtime/JSObject.cpp:
3321         * runtime/JSObject.h:
3322         (JSC::JSCell::cellSize):
3323         * runtime/JSStaticScopeObject.cpp:
3324         * runtime/JSStaticScopeObject.h:
3325         * runtime/StrictEvalActivation.cpp:
3326         * runtime/StrictEvalActivation.h:
3327
3328 2011-10-06  Gavin Peters  <gavinp@chromium.org>
3329
3330         export new stack dumping method
3331         https://bugs.webkit.org/show_bug.cgi?id=69018
3332
3333         The original landing of bug 69018 didn't export WTFGetBacktrace, so that when bug 69453 landed, the first use
3334         of this function, many builds broke.  So here we add the exports, so that the function is usable.
3335
3336         Reviewed by Adam Roben.
3337
3338         * JavaScriptCore.exp:
3339         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3340
3341 2011-10-06  Csaba Osztrogonác  <ossy@webkit.org>
3342
3343         REGRESSION(r96347): Build is broken with MSVC compiler if !PLATFORM(WINDOWS)
3344         https://bugs.webkit.org/show_bug.cgi?id=69413
3345
3346         Reviewed by Darin Adler.
3347
3348         * assembler/MacroAssemblerCodeRef.h: Define STDCALL for MSVC in a proper way.
3349
3350 2011-10-05  Filip Pizlo  <fpizlo@apple.com>
3351
3352         SpeculativeJIT::isKnownString() is wrong
3353         https://bugs.webkit.org/show_bug.cgi?id=69501
3354
3355         Reviewed by Oliver Hunt.
3356         
3357         Removed the wrong case (GetLocal predicted String) and added a case that
3358         works (StrCat).
3359
3360         * dfg/DFGSpeculativeJIT.h:
3361         (JSC::DFG::SpeculativeJIT::isKnownString):
3362
3363 2011-10-05  Ryosuke Niwa  <rniwa@webkit.org>
3364
3365         Windows build fix attempt after r96760.
3366
3367         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3368
3369 2011-10-05  Chris Rogers  <crogers@google.com>
3370
3371         Define a log2f() function for Windows in wtf/MathExtras.h
3372         https://bugs.webkit.org/show_bug.cgi?id=69491
3373
3374         Reviewed by Darin Adler.
3375
3376         * wtf/MathExtras.h:
3377         (log2f):
3378
3379 2011-10-05  Jer Noble  <jer.noble@apple.com>
3380
3381         Enable WEB_AUDIO by default in the WebKit/mac port.
3382         https://bugs.webkit.org/show_bug.cgi?id=68587
3383
3384         Reviewed by Simon Fraser.
3385
3386         * Configurations/FeatureDefines.xcconfig:
3387         * wtf/Platform.h:
3388
3389 2011-10-05  Filip Pizlo  <fpizlo@apple.com>
3390
3391         Assertion hit in JSC::DFG::SpeculativeJIT::compile on SL bots
3392         https://bugs.webkit.org/show_bug.cgi?id=69346
3393
3394         Reviewed by Oliver Hunt.
3395         
3396         Removed the assertion, since it was completely wrong for op_post_inc.
3397         Short of having specialized PostInc nodes in the DFG, there is no
3398         robust way of asserting what this assertion was trying to assert while
3399         also supporting op_post_inc.
3400
3401         * dfg/DFGByteCodeParser.cpp:
3402         (JSC::DFG::ByteCodeParser::parseBlock):
3403         * dfg/DFGSpeculativeJIT64.cpp:
3404         (JSC::DFG::SpeculativeJIT::compile):
3405         * dfg/DFGSpeculativeJIT32_64.cpp:
3406         (JSC::DFG::SpeculativeJIT::compile):
3407
3408 2011-10-05  Geoffrey Garen  <ggaren@apple.com>
3409
3410         Added a simpler mechanism for registering one-off finalizers
3411         https://bugs.webkit.org/show_bug.cgi?id=69466
3412
3413         Reviewed by Oliver Hunt.
3414
3415         * heap/Heap.cpp:
3416         (JSC::Heap::addFinalizer):
3417         (JSC::Heap::FinalizerOwner::finalize):
3418         * heap/Heap.h: New function for adding an arbitrary finalizer for an
3419         arbitrary cell without declaring any special classes or Handles yourself.
3420
3421         * JavaScriptCore.exp: Fix build.
3422
3423         * runtime/Executable.cpp:
3424         (JSC::ExecutableBase::clearCode):
3425         (JSC::ExecutableBase::clearCodeVirtual):
3426         (JSC::EvalExecutable::clearCodeVirtual):
3427         (JSC::ProgramExecutable::clearCodeVirtual):
3428         (JSC::FunctionExecutable::discardCode):
3429         (JSC::FunctionExecutable::clearCodeVirtual):
3430         * runtime/Executable.h:
3431         (JSC::ExecutableBase::finishCreation): Use the new mechanism for eager
3432         finalization of executables.
3433
3434         * runtime/JSGlobalObject.cpp:
3435         (JSC::JSGlobalObject::clearRareData):
3436         * runtime/JSGlobalObject.h:
3437         (JSC::JSGlobalObject::createRareDataIfNeeded):