[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-10-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add finalizer to JSObject
        https://bugs.webkit.org/show_bug.cgi?id=70336

        Reviewed by Darin Adler.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor): Skip the call to the destructor
        if we're a JSFinalObject, since the finalizer takes care of things.
        * runtime/JSCell.h:
        (JSC::JSCell::~JSCell): Remove the GC validation due to a conflict with
        future changes and the fact that we no longer always call the destructor, making
        the information provided less useful.
        * runtime/JSObject.cpp:
        (JSC::JSObject::finalize): Add finalizer for JSObject.
        (JSC::JSObject::allocatePropertyStorage): The first time we need to allocate out-of-line
        property storage, we add a finalizer to ourself.
        * runtime/JSObject.h:

2011-10-21  Simon Hausmann  <simon.hausmann@nokia.com>

        Remove QtScript source code from WebKit.
        https://bugs.webkit.org/show_bug.cgi?id=64088

        Reviewed by Tor Arne Vestbø.

        Removed dead code that isn't developed anymore.

        * JavaScriptCore.gypi:
        * JavaScriptCore.pri:
        * qt/api/QtScript.pro: Removed.
        * qt/api/qscriptconverter_p.h: Removed.
        * qt/api/qscriptengine.cpp: Removed.
        * qt/api/qscriptengine.h: Removed.
        * qt/api/qscriptengine_p.cpp: Removed.
        * qt/api/qscriptengine_p.h: Removed.
        * qt/api/qscriptfunction.cpp: Removed.
        * qt/api/qscriptfunction_p.h: Removed.
        * qt/api/qscriptoriginalglobalobject_p.h: Removed.
        * qt/api/qscriptprogram.cpp: Removed.
        * qt/api/qscriptprogram.h: Removed.
        * qt/api/qscriptprogram_p.h: Removed.
        * qt/api/qscriptstring.cpp: Removed.
        * qt/api/qscriptstring.h: Removed.
        * qt/api/qscriptstring_p.h: Removed.
        * qt/api/qscriptsyntaxcheckresult.cpp: Removed.
        * qt/api/qscriptsyntaxcheckresult.h: Removed.
        * qt/api/qscriptsyntaxcheckresult_p.h: Removed.
        * qt/api/qscriptvalue.cpp: Removed.
        * qt/api/qscriptvalue.h: Removed.
        * qt/api/qscriptvalue_p.h: Removed.
        * qt/api/qscriptvalueiterator.cpp: Removed.
        * qt/api/qscriptvalueiterator.h: Removed.
        * qt/api/qscriptvalueiterator_p.h: Removed.
        * qt/api/qtscriptglobal.h: Removed.
        * qt/benchmarks/benchmarks.pri: Removed.
        * qt/benchmarks/benchmarks.pro: Removed.
        * qt/benchmarks/qscriptengine/qscriptengine.pro: Removed.
        * qt/benchmarks/qscriptengine/tst_qscriptengine.cpp: Removed.
        * qt/benchmarks/qscriptvalue/qscriptvalue.pro: Removed.
        * qt/benchmarks/qscriptvalue/tst_qscriptvalue.cpp: Removed.
        * qt/tests/qscriptengine/qscriptengine.pro: Removed.
        * qt/tests/qscriptengine/tst_qscriptengine.cpp: Removed.
        * qt/tests/qscriptstring/qscriptstring.pro: Removed.
        * qt/tests/qscriptstring/tst_qscriptstring.cpp: Removed.
        * qt/tests/qscriptvalue/qscriptvalue.pro: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue.h: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_comparison.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_init.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_istype.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_totype.cpp: Removed.
        * qt/tests/qscriptvalueiterator/qscriptvalueiterator.pro: Removed.
        * qt/tests/qscriptvalueiterator/tst_qscriptvalueiterator.cpp: Removed.
        * qt/tests/tests.pri: Removed.
        * qt/tests/tests.pro: Removed.

2011-10-21  Zheng Liu  <zheng.z.liu@intel.com>

        bytecompiler sometimes generates incorrect bytecode for put_by_id
        https://bugs.webkit.org/show_bug.cgi?id=70403

        Reviewed by Filip Pizlo.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::AssignDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):

2011-10-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should not try to predict argument types by looking at the values of
        argument registers at the time of compilation
        https://bugs.webkit.org/show_bug.cgi?id=70578

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):

2011-10-20  Filip Pizlo  <fpizlo@apple.com>

        DFG call optimization handling will fail if the call had been unlinked due
        to the callee being optimized
        https://bugs.webkit.org/show_bug.cgi?id=70468

        Reviewed by Geoff Garen.

        If a call had ever been linked, we remember this fact as well as the function
        to which it was linked even if unlinkIncomingCalls() or unlinkCalls() are
        called.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):

2011-10-20  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - Fix ByteArray speculation
        https://bugs.webkit.org/show_bug.cgi?id=70571

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-20  Vincent Scheib  <scheib@chromium.org>

        MouseLock compile and run time flags.
        https://bugs.webkit.org/show_bug.cgi?id=70530

        Reviewed by Darin Fisher.

        * wtf/Platform.h:

2011-10-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename static deleteProperty to deletePropertyByIndex
        https://bugs.webkit.org/show_bug.cgi?id=70257

        Reviewed by Geoffrey Garen.

        Renaming versions of deleteProperty that use an unsigned as the property
        name to "deletePropertyByIndex" in preparation for adding them to the
        MethodTable, which requires unique names for each method.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::deletePropertyVirtual):
        (JSC::::deletePropertyByIndex):
        * runtime/Arguments.cpp:
        (JSC::Arguments::deletePropertyVirtual):
        (JSC::Arguments::deletePropertyByIndex):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::deletePropertyVirtual):
        (JSC::JSArray::deletePropertyByIndex):
        * runtime/JSArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::deletePropertyVirtual):
        (JSC::JSCell::deletePropertyByIndex):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::deletePropertyVirtual):
        (JSC::JSNotAnObject::deletePropertyByIndex):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::deletePropertyVirtual):
        (JSC::JSObject::deletePropertyByIndex):
        * runtime/JSObject.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::deletePropertyVirtual):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):

2011-10-20  Filip Pizlo  <fpizlo@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=70482
        DFG-related stubs in the old JIT should not be built if the DFG is disabled

        Reviewed by Zoltan Herczeg.

        Aiming for a slight code size/build time reduction if the DFG is not in
        play. This should also make further DFG development slightly easier since
        the bodies of these JIT stubs can now safely refer to things that are only
        declared when the DFG is enabled.

        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2011-10-19  Filip Pizlo  <fpizlo@apple.com>

        DFG ConvertThis emits slow code when the source node is known to be,
        but not predicted to be, a final object
        https://bugs.webkit.org/show_bug.cgi?id=70466

        Reviewed by Oliver Hunt.

        Added a new case in ConvertThis compilation.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-19  Filip Pizlo  <fpizlo@apple.com>

        Optimization triggers in the old JIT may sometimes fire repeatedly even
        though there is no optimization to be done
        https://bugs.webkit.org/show_bug.cgi?id=70467

        Reviewed by Oliver Hunt.

        If optimize_from_ret does nothing, it delays the next optimization trigger.
        This is performance-neutral.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):

2011-10-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - remove unnecessary double unboxings in fillDouble/fillSpeculateDouble
        https://bugs.webkit.org/show_bug.cgi?id=70460

        Reviewed by Filip Pizlo.

        As pointed out by Gavin in bug #70418, when a value is already in memory
        we can avoid loading it into two GPRs first and then unboxing them to an FPR.
        This gives a 9% improvement on Kraken without the change from bug #70418,
        and 1% when based on the code with the bug #70418 change.
        Performance is neutral in V8 and SunSpider.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-10-19  Gavin Barraclough  <barraclough@apple.com>

        Poisoning of strict caller,arguments inappropriately poisoning "in"
        https://bugs.webkit.org/show_bug.cgi?id=63398

        Reviewed by Oliver Hunt.

        This fixes the problem by correctly implementing the spec -
        the error should actually be thrown from a standard JS getter/setter.
        This implements spec-correct behaviour for strict mode JS functions & bound
        functions; I'll follow up with a patch to do the same for arguments.

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
            - Add the poisoned caller/arguments properties.
        * runtime/JSBoundFunction.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::put):
            - If the caller/arguments are accessed on a strict mode function, lazily add the ThrowTypeError getter.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
            - Add a ThrowTypeError type, per ES5 13.2.3.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncThrowTypeError):
        * runtime/JSGlobalObjectFunctions.h:
            - Implementation of ThrowTypeError.
        * runtime/JSObject.cpp:
        (JSC::JSObject::initializeGetterSetterProperty):
        * runtime/JSObject.h:
            - This function adds a new property (must not exist already) that is an initialized getter/setter.

2011-10-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - improve double boxing/unboxing
        https://bugs.webkit.org/show_bug.cgi?id=70418

        Reviewed by Gavin Barraclough.

        Double boxing/unboxing in DFG JIT 32_64 is currently implemented inefficiently,
        exchanging data through memory.
        On X86 some SSE instructions can help us with such operations at better performance.
        This improves 32-bit DFG performance by 29% on Kraken, 7% on SunSpider,
        and 2% on V8, tested on Linux X86 (Core i7 Nehalem).

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lshiftPacked):
        (JSC::MacroAssemblerX86Common::rshiftPacked):
        (JSC::MacroAssemblerX86Common::orPacked):
        (JSC::MacroAssemblerX86Common::moveInt32ToPacked):
        (JSC::MacroAssemblerX86Common::movePackedToInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movd_rr):
        (JSC::X86Assembler::psllq_i8r):
        (JSC::X86Assembler::psrlq_i8r):
        (JSC::X86Assembler::por_rr):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-19  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [EFL] Fix DSO linkage of wtf_efl.

        Unreviewed build fix.

        Need to add -ldl to jsc_efl (requested by dladdr).

        * wtf/CMakeListsEfl.txt:

2011-10-19  Geoffrey Garen  <ggaren@apple.com>

        Removed StringImplBase, fusing it into StringImpl
        https://bugs.webkit.org/show_bug.cgi?id=70443

        Reviewed by Gavin Barraclough.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::StringImpl):
        (WTF::StringImpl::ref):
        (WTF::StringImpl::length):
        * wtf/text/StringImplBase.h: Removed.
        * wtf/wtf.pri: Removed!

2011-10-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add getConstructData to the MethodTable
        https://bugs.webkit.org/show_bug.cgi?id=70163

        Reviewed by Geoffrey Garen.

        Adding getConstructData to the MethodTable in order to be able to
        remove all calls to getConstructDataVirtual soon.  Part of the process
        of de-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/ClassInfo.h:

2011-10-18  Oliver Hunt  <oliver@apple.com>

        Support CanvasPixelArray in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=70384

        Reviewed by Filip Pizlo.

        Add support for the old CanvasPixelArray optimisations to the
        DFG.  This removes the regression seen in the DFG when using
        a CPA.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_rm):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC::isByteArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateByteArray):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::compileClampDoubleToByte):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::offsetOfStorage):
        * wtf/ByteArray.cpp:
        * wtf/ByteArray.h:
        (WTF::ByteArray::offsetOfSize):
        (WTF::ByteArray::offsetOfData):

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Some rope cleanup following r97827
        https://bugs.webkit.org/show_bug.cgi?id=70398

        Reviewed by Oliver Hunt.

        9% speedup on date-format-xparb, neutral overall.

        - Removed RopeImpl*.
        - Removed JSString::m_fiberCount, since this can be deduced from other data.
        - Renamed a jsString() variant to jsStringFromArguments for clarity.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.order:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj: Removed RopeImpl*.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitLoadCharacterString):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        * jit/ThunkGenerators.cpp:
        (JSC::stringCharLoad): Use a NULL m_value to signal rope-iness, instead
        of testing m_fiberCount, since m_fiberCount is gone now.

        * runtime/JSString.cpp:
        (JSC::JSString::RopeBuilder::expand):
        (JSC::JSString::visitChildren):
        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase):
        (JSC::JSString::outOfMemory): Use a NULL fiber to indicate "last fiber
        in the vector" instead of testing m_fiberCount, since m_fiberCount is gone now.

        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::finishCreation):
        (JSC::RopeBuilder::offsetOfLength):
        (JSC::RopeBuilder::isRope):
        (JSC::RopeBuilder::string): Removed m_fiberCount. Renamed
        jsString => jsStringFromArguments for clarity.

        * runtime/Operations.h:
        (JSC::jsStringFromArguments): Renamed.

        * runtime/RopeImpl.cpp: Removed.
        * runtime/RopeImpl.h: Removed.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::createEmptyString): Switched to StringImpl::empty,
        which is slightly faster.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncConcat): Updated for rename.

        * wtf/text/StringImplBase.h:
        (WTF::StringImplBase::StringImplBase): Removed the concept of an invalid
        StringImpl, since this was only used by RopeImpl, which is now gone.

2011-10-19  Rafael Antognolli  <antognolli@profusion.mobi>

        [EFL] Fix DSO linkage of jsc_efl.
        https://bugs.webkit.org/show_bug.cgi?id=70412

        Unreviewed build fix.

        Need to add -ldl to jsc_efl (requested by dladdr).

        * shell/CMakeListsEfl.txt:

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Rolled out last Windows build fix because it was wrong.

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Rolled out last Windows build fix because it was wrong.

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Try to fix part of the Windows build.

        Export!

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Switched ropes from malloc memory to GC memory
        https://bugs.webkit.org/show_bug.cgi?id=70364

        Reviewed by Gavin Barraclough.

        ~1% SunSpider speedup. Neutral elsewhere. Removes one cause for strings
        having C++ destructors.

        * heap/MarkStack.cpp:
        (JSC::visitChildren): Call the JSString visitChildren function now,
        since it's no longer a no-op.

        * runtime/JSString.cpp:
        (JSC::JSString::~JSString): Moved this destructor out of line because
        it's called virtually, so there's no value to inlining.

        (JSC::JSString::RopeBuilder::expand): Switched RopeBuilder to be a thin
        initializing wrapper around JSString. JSString now represents ropes
        directly, rather than relying on an underlying malloc object.

        (JSC::JSString::visitChildren): Visit our rope fibers, since they're GC
        objects now.

        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase):
        (JSC::JSString::outOfMemory): Updated for operating on JSStrings instead
        of malloc objects.

        (JSC::JSString::replaceCharacter): Removed optimizations for substringing
        ropes and replacing subsections of ropes. We want to reimplement versions
        of these optimizations in the future, but this patch already has good
        performance without them.

        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::finishCreation):
        (JSC::RopeBuilder::createNull):
        (JSC::RopeBuilder::create):
        (JSC::RopeBuilder::createHasOtherOwner):
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString): Lots of mechanical changes here. The two important
        things are: (1) The fibers in JSString::m_fibers are JSStrings now, not
        malloc objects; (2) I simplified the JSString constructor interface to
        only accept PassRefPtr<StringImpl>, instead of variations on that like
        UString, reducing refcount churn.

        * runtime/JSValue.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::toPrimitiveString): Updated this function to return a
        JSString instead of a UString, since that's what clients want now.

        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::createEmptyString): Updated for interface changes above.

        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringObject.h:
        (JSC::StringObject::create): Don't create a new JSString if we already
        have a JSString.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncConcat): Updated for interface changes above.

2011-10-18  Gavin Barraclough  <barraclough@apple.com>

        Errrk, fix partial commit of r97825!

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):

2011-10-18  Gavin Barraclough  <barraclough@apple.com>

        Date.prototype.toISOString fails to throw exception
        https://bugs.webkit.org/show_bug.cgi?id=70394

        Reviewed by Sam Weinig.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):
            - Should throw a range error if the internal value is not finite.

2011-10-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename static put to putByIndex
        https://bugs.webkit.org/show_bug.cgi?id=70281

        Reviewed by Geoffrey Garen.

        Renaming versions of deleteProperty that use an unsigned as the property
        name to "deletePropertyByIndex" in preparation for adding them to the
        MethodTable, which requires unique names for each method.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putVirtual):
        (JSC::Arguments::putByIndex):
        * runtime/Arguments.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncMap):
        * runtime/JSArray.cpp:
        (JSC::JSArray::put):
        (JSC::JSArray::putVirtual):
        (JSC::JSArray::putByIndex):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::putVirtual):
        (JSC::JSByteArray::putByIndex):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::putVirtual):
        (JSC::JSCell::putByIndex):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::putVirtual):
        (JSC::JSNotAnObject::putByIndex):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putVirtual):
        (JSC::JSObject::putByIndex):
        * runtime/JSObject.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::fillArrayInstance):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::putVirtual):
        (JSC::RegExpMatchesArray::putByIndex):

2011-10-18  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype methods missing exception checks
        https://bugs.webkit.org/show_bug.cgi?id=70360

        Reviewed by Geoff Garen.

        Missing exception checks after calls to the static getProperty helper;
        these may result in the wrong exception being thrown (or an ASSERT being hit,
        as is currently the case running test-262).

        No performance impact.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):

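The "missing exception checks" entry above describes a bug class rather than a single call site: when an element read inside an Array.prototype builtin throws, the builtin must stop and let that exception out unchanged; continuing would surface a different, misleading exception (or, as the entry notes, trip an assertion). The JavaScript below is an added example, not WebKit code, that exercises the ten methods the entry lists against a constructed array-like whose element getters throw a distinctive error, and reports which methods let that error through. The `ProbeError` class, the array-like, and the argument choices are all assumptions made for the example.

```javascript
// Added example (not WebKit code): check that Array.prototype methods let an
// exception raised by an element getter propagate unchanged, rather than
// continuing and throwing something else (the bug class in bug 70360).

// Distinct error type so we can tell "our" exception from any other.
class ProbeError extends Error {}

// Constructed array-like: every index is an accessor that throws ProbeError.
// Symbol.isConcatSpreadable makes concat walk the elements instead of
// appending the object as a single item. The length is a sample value.
function makeThrowingArrayLike(length = 3) {
  const target = { length, [Symbol.isConcatSpreadable]: true };
  for (let i = 0; i < length; i++) {
    Object.defineProperty(target, i, {
      get() { throw new ProbeError(`element ${i} read`); },
      enumerable: true,
    });
  }
  return target;
}

// Run one Array.prototype method generically on a fresh throwing array-like
// and report what it threw: 'ProbeError' (correct propagation), the name of
// some other error (the bug), or 'none' if the call completed.
function thrownBy(methodName, ...args) {
  try {
    Array.prototype[methodName].call(makeThrowingArrayLike(), ...args);
    return 'none';
  } catch (e) {
    if (e instanceof ProbeError) return 'ProbeError';
    return (e && e.name) || String(e);
  }
}

// The methods named in the ChangeLog entry, each with arguments chosen so
// that the spec algorithm performs at least one element [[Get]].
const PROBES = {
  concat: [],
  reverse: [],
  shift: [],
  slice: [0, 3],
  splice: [0, 1],
  unshift: ['x'],          // with no arguments unshift reads nothing
  reduce: [(acc) => acc],  // no initial value: first element is read
  reduceRight: [(acc) => acc],
  indexOf: ['needle'],
  lastIndexOf: ['needle'],
};

// Map each probed method to the outcome string from thrownBy().
function checkExceptionPropagation() {
  const report = {};
  for (const [method, args] of Object.entries(PROBES)) {
    report[method] = thrownBy(method, ...args);
  }
  return report;
}

// True when every probed method surfaced the getter's own exception.
function allPropagate() {
  return Object.values(checkExceptionPropagation()).every((r) => r === 'ProbeError');
}
```

On a conforming engine every entry of `checkExceptionPropagation()` reads `'ProbeError'`; an engine with the bug described above would show a different error name (or `'none'`) for the affected method, which is exactly the signal a conformance test such as test-262 keys on.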
2011-10-18  Adam Barth  <abarth@webkit.org>

        Always enable ENABLE(XPATH)
        https://bugs.webkit.org/show_bug.cgi?id=70217

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-10-18  Gavin Barraclough  <barraclough@apple.com>

        Indexed arguments on the Arguments object should be enumerable.
        https://bugs.webkit.org/show_bug.cgi?id=70302

        Reviewed by Sam Weinig.

        See ECMA-262 5.1 chapter 10.6 step 11b.
        This is visible through a number of means, including Object.keys, Object.getOwnPropertyDescriptor, and operator in.

        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertyDescriptor):
            - The 'enumerable' property should be true for indexed arguments.
        (JSC::Arguments::getOwnPropertyNames):
            - Don't guard the adding of indexed properties with 'IncludeDontEnumProperties'.

2011-10-18  Gustavo Noronha Silva  <gns@gnome.org>

        Fix distcheck.

        * GNUmakefile.list.am: fix a typo and add a missing header to the
        list.

2011-10-18  Balazs Kelemen  <kbalazs@webkit.org>

        ParallelJobs: maximum number of threads should be determined dynamically
        https://bugs.webkit.org/show_bug.cgi?id=68540

        Reviewed by Zoltan Herczeg.

        Add logic to determine the number of cores and use this as
        the maximum number of threads. The implementation currently
        covers Linux, Darwin, Windows, AIX, Solaris, OpenBSD and NetBSD.
        The patch was tested on Linux, Mac and Windows, which was enough to
        cover all code paths. It should work on the rest according to the
        documentation of those OSes. The hard-coded constant is still used
        on uncovered OSes, which should be fixed in the future.

        * wtf/ParallelJobs.h: Removed the default value of the requestedJobNumber
        argument because clients should always fill it and the 0 default value
        was incorrect anyway.
        (WTF::ParallelJobs::ParallelJobs):
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::determineMaxNumberOfParallelThreads):
        * wtf/ParallelJobsGeneric.h:
        (WTF::ParallelEnvironment::ParallelEnvironment):

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Reverted r997709, this caused test failures.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):

2011-10-17  Ryosuke Niwa  <rniwa@webkit.org>

        Rename deregister* to unregister*
        https://bugs.webkit.org/show_bug.cgi?id=70272

        Reviewed by Darin Adler.

        Renamed deregisterWeakMap to unregisterWeakMap.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::unregisterWeakMap):

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Poisoning of strict caller/arguments inappropriately poisoning "in"
        https://bugs.webkit.org/show_bug.cgi?id=63398

        Reviewed by Sam Weinig.

        The problem here is that the has[Own]Property methods get the slot rather than
        the descriptor, and getting the slot may cause the property to be eagerly accessed.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - We don't expect hasProperty to ever throw. If it does, it won't get caught
              (since it is after the exception check), so ASSERT to guard against this.
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):
            - These methods should not check for the presence of the descriptor; never get the value.

792 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
793
794         Exception ordering in String.prototype.replace
795         https://bugs.webkit.org/show_bug.cgi?id=70290
796
797         If pattern is not a regexp, it should be converted toString before the replacement value has its toString conversion called.
798
799         Reviewed by Oliver Hunt.
800
801         * runtime/StringPrototype.cpp:
802         (JSC::stringProtoFuncReplace):
803
804 2011-10-17  Filip Pizlo  <fpizlo@apple.com>
805
806         DFG bytecode parser should understand inline stacks
807         https://bugs.webkit.org/show_bug.cgi?id=70278
808
809         Reviewed by Oliver Hunt.
810         
811         The DFG bytecode parser is now capable of parsing multiple code blocks at
812         once. This remains turned off since not all inlining functionality is
813         implemented.       
814         
815         This required making a few changes elsewhere in the system. The bytecode
816         parser now may do some of the same things that the bytecode generator does,
817         like allocating constants and identifiers. Basic block linking relies on
818         bytecode indices, which are only meaningful within the context of one basic
819         block. This is fine, so long as linking is done eagerly whenever switching
820         from one code block to another.
821
822         * bytecode/CodeOrigin.h:
823         (JSC::CodeOrigin::CodeOrigin):
824         * bytecompiler/BytecodeGenerator.h:
825         * dfg/DFGBasicBlock.h:
826         * dfg/DFGByteCodeParser.cpp:
827         (JSC::DFG::ByteCodeParser::ByteCodeParser):
828         (JSC::DFG::ByteCodeParser::get):
829         (JSC::DFG::ByteCodeParser::set):
830         (JSC::DFG::ByteCodeParser::getThis):
831         (JSC::DFG::ByteCodeParser::setThis):
832         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
833         (JSC::DFG::ByteCodeParser::getPrediction):
834         (JSC::DFG::ByteCodeParser::makeSafe):
835         (JSC::DFG::ByteCodeParser::makeDivSafe):
836         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
837         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
838         (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
839         (JSC::DFG::ByteCodeParser::parseBlock):
840         (JSC::DFG::ByteCodeParser::linkBlock):
841         (JSC::DFG::ByteCodeParser::linkBlocks):
842         (JSC::DFG::ByteCodeParser::setupPredecessors):
843         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
844         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
845         (JSC::DFG::ByteCodeParser::parseCodeBlock):
846         (JSC::DFG::ByteCodeParser::parse):
847         * dfg/DFGGraph.h:
848         (JSC::DFG::GetBytecodeBeginForBlock::GetBytecodeBeginForBlock):
849         (JSC::DFG::GetBytecodeBeginForBlock::operator()):
850         (JSC::DFG::Graph::blockIndexForBytecodeOffset):
851         * dfg/DFGNode.h:
852         * runtime/Identifier.h:
853         (JSC::IdentifierMapIndexHashTraits::emptyValue):
854         * runtime/JSValue.h:
855         * wtf/StdLibExtras.h:
856         (WTF::binarySearchWithFunctor):
857
858 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
859
860         Incorrect behavior from String match/search & undefined pattern
861         https://bugs.webkit.org/show_bug.cgi?id=70286
862
863         Reviewed by Sam Weinig.
864
865         * runtime/StringPrototype.cpp:
866         (JSC::stringProtoFuncMatch):
867             - In case of undefined, pattern is "".
868         (JSC::stringProtoFuncSearch):
869             - In case of undefined, pattern is "".
870
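        Added example (editor's code, not WebKit's) covering two String.prototype details from the
        entries for bugs 70290 and 70286 above: replace() with a non-RegExp pattern runs the
        pattern's toString before the replacement value's, so a throwing pattern conversion means
        the replacement value is never observed; and match()/search() treat an undefined pattern
        as an empty regular expression, not as the string "undefined". The conversion log and the
        sample strings are constructed for the example.

```javascript
// Added example, not WebKit code.

// 1. Conversion order in String.prototype.replace. Each operand logs when its
//    toString runs; with patternThrows the pattern's conversion aborts the call.
function replaceConversionOrder(patternThrows) {
  const log = [];
  const pattern = {
    toString() {
      log.push('pattern');
      if (patternThrows) throw new RangeError('pattern conversion failed');
      return 'b';
    },
  };
  const replacement = { toString() { log.push('replacement'); return 'X'; } };
  let result = null, error = null;
  try { result = 'abc'.replace(pattern, replacement); } catch (e) { error = e; }
  return { log, result, errorIsRange: error instanceof RangeError };
}

// 2. match()/search() with an undefined pattern: the argument goes through
//    RegExp(undefined), an empty pattern matching at index 0. Passing
//    String(undefined) instead searches for the literal word "undefined".
function undefinedPatternBehaviour() {
  const s = 'xundefined';                            // constructed sample input
  return {
    searchUndefined: s.search(undefined),            // 0: empty pattern matches at start
    searchStringified: s.search(String(undefined)),  // 1: the literal word
    matchUndefined: 'abc'.match(undefined)[0],       // '' (empty match)
    matchNoArgs: 'abc'.match()[0],                   // same as an explicit undefined
    matchIndex: 'abc'.match(undefined).index,        // 0
  };
}
```

        The search/match contrast is the one to remember when sanitising input that may be
        undefined: "".search(undefined) and "".search("undefined") answer different questions.
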
871 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
872
873         https://bugs.webkit.org/show_bug.cgi?id=70207
874         After deleting __defineSetter__, it is absent but appears in name list
875
876         Reviewed by Darin Adler.
877
878         * runtime/JSObject.cpp:
879         (JSC::JSObject::getOwnPropertyNames):
880             - This should check whether static functions have been reified.
881
882 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
883
884         Mac build fix.
885
886         * JavaScriptCore.exp: Export!
887
888 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
889
890         Windows build fix.
891
892         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export!
893
894 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
895
896         Windows build fix.
897
898         * heap/HandleStack.cpp: Added a missing #include.
899
900 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
901
902         Windows build fix.
903
904         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed no
905         longer existent symbol.
906
907         * heap/MarkStack.cpp:
908         (JSC::MarkStackArray::shrinkAllocation): Cast to the right type.
909
910 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
911
912         Simplified GC marking logic
913         https://bugs.webkit.org/show_bug.cgi?id=70258
914
915         Reviewed by Filip Pizlo.
916         
917         No perf. change.
918         
919         This is a first step toward GC allocating string backing stores, starting
920         with ropes. It also enables future simplifications and optimizations.
921         
922         - Replaced some complex mark stack logic with a simple linear stack of
923         JSCell pointers.
924         
925         - Replaced logic for short-circuiting marking based on JSType and/or
926         Structure flags with special cases for object, array, and string.
927         
928         - Fiddled with inlining for better codegen.
929
930         * JavaScriptCore.exp:
931         * heap/HandleStack.cpp: Build!
932
933         * heap/Heap.cpp:
934         (JSC::Heap::Heap): Provide more vptrs to SlotVisitor, for use in marking.
935
936         * heap/HeapRootVisitor.h: Removed unused functions that no longer build.
937
938         * heap/MarkStack.cpp:
939         (JSC::MarkStackArray::MarkStackArray):
940         (JSC::MarkStackArray::~MarkStackArray):
941         (JSC::MarkStackArray::expand):
942         (JSC::MarkStackArray::shrinkAllocation):
943         (JSC::MarkStack::reset):
944         (JSC::visitChildren):
945         (JSC::SlotVisitor::drain):
946         * heap/MarkStack.h:
947         (JSC::MarkStack::MarkStack):
948         (JSC::MarkStack::~MarkStack):
949         (JSC::MarkStackArray::append):
950         (JSC::MarkStackArray::removeLast):
951         (JSC::MarkStackArray::isEmpty):
952         (JSC::MarkStack::append):
953         (JSC::MarkStack::appendUnbarrieredPointer):
954         (JSC::MarkStack::internalAppend): Replaced complex mark set logic with
955         simple linear stack.
956
957         * heap/SlotVisitor.h:
958         (JSC::SlotVisitor::SlotVisitor): Updated for above changes.
959
960         * runtime/JSArray.cpp:
961         (JSC::JSArray::visitChildren):
962         * runtime/JSArray.h:
963         * runtime/JSObject.cpp:
964         (JSC::JSObject::visitChildren):
965         * runtime/JSObject.h: Don't inline visitChildren; it's too big.
966
967         * runtime/Structure.h:
968         (JSC::MarkStack::internalAppend): Nixed the short-circuit for CompoundType
969         because it prevented strings from owning GC pointers.
970
971         * runtime/WriteBarrier.h:
972         (JSC::MarkStack::appendValues): No need to validate; internalAppend will
973         do that for us.
974
975 2011-10-17  Adam Roben  <aroben@apple.com>
976
977         Windows build fix after r97536, part 3
978
979         * runtime/JSAPIValueWrapper.h:
980         * runtime/JSObject.h:
981         Use JS_EXPORTDATA to export the s_info members.
982
983 2011-10-17  Adam Roben  <aroben@apple.com>
984
985         Interpreter build fix after r97564
986
987         * runtime/Executable.cpp:
988         (JSC::FunctionExecutable::compileForCallInternal):
989         (JSC::FunctionExecutable::compileForConstructInternal):
990         Moved declaration of globalData variable into ENABLE(JIT) blocks, since it is only used
991         there.
992
993 2011-10-17  Adam Roben  <aroben@apple.com>
994
995         Windows build fix after r97536, part 2
996
997         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Added back
998         JSC::setUpStaticFunctionSlot with its new mangled name. Sorted the rest of the file while I
999         was at it.
1000
1001 2011-10-17  Adam Roben  <aroben@apple.com>
1002
1003         Windows build fix after r97536
1004
1005         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed export of
1006         JSC::setUpStaticFunctionSlot, which no longer exists. Also removed incorrect exports of
1007         s_info members, which need to be exported via JS_EXPORTDATA instead.
1008
1009 2011-10-17  Patrick Gansterer  <paroga@webkit.org>
1010
1011         Interpreter build fix after r97436, r97506, r97532 and r97537.
1012
1013         * interpreter/Interpreter.cpp:
1014         (JSC::Interpreter::privateExecute):
1015
1016 2011-10-16  Adam Barth  <abarth@webkit.org>
1017
1018         Always disable ENABLE(ON_FIRST_TEXTAREA_FOCUS_SELECT_ALL) and delete associated code
1019         https://bugs.webkit.org/show_bug.cgi?id=70216
1020
1021         Reviewed by Eric Seidel.
1022
1023         * wtf/Platform.h:
1024
1025 2011-10-16  Noel Gordon  <noel.gordon@gmail.com>
1026
1027         [chromium] Remove PageAllocatorSymbian.h, OSAllocatorSymbian.cpp, gtk/ThreadingGtk.cpp from gyp project files
1028         https://bugs.webkit.org/show_bug.cgi?id=70205
1029
1030         Reviewed by James Robinson.
1031
1032         wtf/PageAllocatorSymbian.h and wtf/OSAllocatorSymbian.cpp were removed in r97557.
1033         wtf/gtk/ThreadingGtk.cpp was removed in r97269.
1034
1035         * JavaScriptCore.gypi:
1036
1037 2011-10-16  Adam Barth  <abarth@webkit.org>
1038
1039         Always enable ENABLE(DOM_STORAGE)
1040         https://bugs.webkit.org/show_bug.cgi?id=70189
1041
1042         Reviewed by Eric Seidel.
1043
1044         * Configurations/FeatureDefines.xcconfig:
1045
1046 2011-10-15  Dan Horák <dan@danny.cz>
1047
1048         The s390 and s390x architectures both use 64-bit double type
1049         that conforms to the IEEE-754 standard.
1050
1051         https://bugs.webkit.org/show_bug.cgi?id=69940
1052
1053         Reviewed by Gavin Barraclough.
1054
1055         * wtf/dtoa/utils.h:
1056
1057 2011-10-14  Filip Pizlo  <fpizlo@apple.com>
1058
1059         FunctionExecutable should expose the ability to create unattached FunctionCodeBlocks
1060         https://bugs.webkit.org/show_bug.cgi?id=70157
1061
1062         Reviewed by Geoff Garen.
1063         
1064         Added FunctionExecutable::produceCodeBlockFor() and rewired compileForCallInternal()
1065         and compileForConstructInternal() to use this method. This required more cleanly
1066         exposing some of CodeBlock's tiering functionality and moving the CompilationKind
1067         enum to Executable.h, as this was the easiest way to make it available to the
1068         declarations/definitions of CodeBlock, FunctionExecutable, and BytecodeGenerator.
1069
1070         * bytecode/CodeBlock.cpp:
1071         (JSC::CodeBlock::copyDataFrom):
1072         (JSC::CodeBlock::copyDataFromAlternative):
1073         * bytecode/CodeBlock.h:
1074         (JSC::CodeBlock::setAlternative):
1075         * bytecompiler/BytecodeGenerator.h:
1076         * runtime/Executable.cpp:
1077         (JSC::EvalExecutable::compileInternal):
1078         (JSC::ProgramExecutable::compileInternal):
1079         (JSC::FunctionExecutable::produceCodeBlockFor):
1080         (JSC::FunctionExecutable::compileForCallInternal):
1081         (JSC::FunctionExecutable::compileForConstructInternal):
1082         * runtime/Executable.h:
1083         (JSC::FunctionExecutable::codeBlockFor):
1084
1085 2011-10-15  Laszlo Gombos  <laszlo.1.gombos@nokia.com>
1086
1087         [Qt] [Symbian] Remove support for the Symbian platform for the QtWebKit port
1088         https://bugs.webkit.org/show_bug.cgi?id=69920
1089
1090         Reviewed by Kenneth Rohde Christiansen.
1091
1092         * JavaScriptCore.pri:
1093         * JavaScriptCore.pro:
1094         * heap/MarkStack.h:
1095         (JSC::::shrinkAllocation):
1096         * jit/ExecutableAllocator.cpp:
1097         * jit/ExecutableAllocator.h:
1098         (JSC::ExecutableAllocator::cacheFlush):
1099         * jit/JITStubs.cpp:
1100         * jsc.pro:
1101         * runtime/ArrayPrototype.cpp:
1102         (JSC::arrayProtoFuncToString):
1103         * runtime/DatePrototype.cpp:
1104         (JSC::formatLocaleDate):
1105         * runtime/StringPrototype.cpp:
1106         (JSC::stringProtoFuncLastIndexOf):
1107         * runtime/TimeoutChecker.cpp:
1108         (JSC::getCPUTime):
1109         * wtf/Assertions.cpp:
1110         * wtf/Assertions.h:
1111         * wtf/Atomics.h:
1112         * wtf/MathExtras.h:
1113         * wtf/OSAllocator.h:
1114         (WTF::OSAllocator::decommitAndRelease):
1115         * wtf/OSAllocatorSymbian.cpp: Removed.
1116         * wtf/OSRandomSource.cpp:
1117         (WTF::cryptographicallyRandomValuesFromOS):
1118         * wtf/PageAllocation.h:
1119         * wtf/PageAllocatorSymbian.h: Removed.
1120         * wtf/PageBlock.cpp:
1121         * wtf/Platform.h:
1122         * wtf/StackBounds.cpp:
1123         * wtf/wtf.pri:
1124
1125 2011-10-15  Yuqiang Xian  <yuqiang.xian@intel.com>
1126
1127         Trivial fix for a missing change in r97512
1128         https://bugs.webkit.org/show_bug.cgi?id=70166
1129
1130         Reviewed by Gavin Barraclough.
1131
1132         * dfg/DFGJITCompiler32_64.cpp:
1133         (JSC::DFG::JITCompiler::link):
1134
1135 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1136
1137         Rename getOwnPropertySlot to getOwnPropertySlotVirtual
1138         https://bugs.webkit.org/show_bug.cgi?id=69810
1139
1140         Reviewed by Geoffrey Garen.
1141
1142         Renamed the virtual version of getOwnPropertySlot to getOwnPropertySlotVirtual
1143         in preparation for when we add the static getOwnPropertySlot to the MethodTable 
1144         in ClassInfo.
1145
1146         Also added a few static getOwnPropertySlot functions where they had been overlooked 
1147         before (especially in CodeGeneratorJS.pm).
1148
1149         * API/JSCallbackObject.h:
1150         * API/JSCallbackObjectFunctions.h:
1151         (JSC::::getOwnPropertySlotVirtual):
1152         (JSC::::getOwnPropertySlot):
1153         (JSC::::getOwnPropertyDescriptor):
1154         (JSC::::staticFunctionGetter):
1155         * JavaScriptCore.exp:
1156         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1157         * debugger/DebuggerActivation.cpp:
1158         (JSC::DebuggerActivation::getOwnPropertySlotVirtual):
1159         (JSC::DebuggerActivation::getOwnPropertySlot):
1160         * debugger/DebuggerActivation.h:
1161         * runtime/Arguments.cpp:
1162         (JSC::Arguments::getOwnPropertySlotVirtual):
1163         (JSC::Arguments::getOwnPropertySlot):
1164         * runtime/Arguments.h:
1165         * runtime/ArrayConstructor.cpp:
1166         (JSC::ArrayConstructor::getOwnPropertySlotVirtual):
1167         (JSC::ArrayConstructor::getOwnPropertySlot):
1168         * runtime/ArrayConstructor.h:
1169         * runtime/ArrayPrototype.cpp:
1170         (JSC::ArrayPrototype::getOwnPropertySlotVirtual):
1171         * runtime/ArrayPrototype.h:
1172         * runtime/BooleanPrototype.cpp:
1173         (JSC::BooleanPrototype::getOwnPropertySlotVirtual):
1174         * runtime/BooleanPrototype.h:
1175         * runtime/DateConstructor.cpp:
1176         (JSC::DateConstructor::getOwnPropertySlotVirtual):
1177         * runtime/DateConstructor.h:
1178         * runtime/DatePrototype.cpp:
1179         (JSC::DatePrototype::getOwnPropertySlotVirtual):
1180         * runtime/DatePrototype.h:
1181         * runtime/ErrorPrototype.cpp:
1182         (JSC::ErrorPrototype::getOwnPropertySlotVirtual):
1183         * runtime/ErrorPrototype.h:
1184         * runtime/JSActivation.cpp:
1185         (JSC::JSActivation::getOwnPropertySlotVirtual):
1186         * runtime/JSActivation.h:
1187         * runtime/JSArray.cpp:
1188         (JSC::JSArray::getOwnPropertySlotVirtual):
1189         (JSC::JSArray::getOwnPropertySlot):
1190         * runtime/JSArray.h:
1191         * runtime/JSBoundFunction.cpp:
1192         (JSC::JSBoundFunction::getOwnPropertySlotVirtual):
1193         * runtime/JSBoundFunction.h:
1194         * runtime/JSByteArray.cpp:
1195         (JSC::JSByteArray::getOwnPropertySlotVirtual):
1196         * runtime/JSByteArray.h:
1197         * runtime/JSCell.cpp:
1198         (JSC::JSCell::getOwnPropertySlotVirtual):
1199         * runtime/JSCell.h:
1200         * runtime/JSFunction.cpp:
1201         (JSC::JSFunction::getOwnPropertySlotVirtual):
1202         (JSC::JSFunction::getOwnPropertyDescriptor):
1203         (JSC::JSFunction::getOwnPropertyNames):
1204         (JSC::JSFunction::put):
1205         * runtime/JSFunction.h:
1206         * runtime/JSGlobalObject.cpp:
1207         (JSC::JSGlobalObject::getOwnPropertySlotVirtual):
1208         * runtime/JSGlobalObject.h:
1209         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1210         * runtime/JSNotAnObject.cpp:
1211         (JSC::JSNotAnObject::getOwnPropertySlotVirtual):
1212         * runtime/JSNotAnObject.h:
1213         * runtime/JSONObject.cpp:
1214         (JSC::Stringifier::Holder::appendNextProperty):
1215         (JSC::JSONObject::getOwnPropertySlotVirtual):
1216         (JSC::Walker::walk):
1217         * runtime/JSONObject.h:
1218         * runtime/JSObject.cpp:
1219         (JSC::JSObject::getOwnPropertySlotVirtual):
1220         (JSC::JSObject::getOwnPropertySlot):
1221         (JSC::JSObject::hasOwnProperty):
1222         * runtime/JSObject.h:
1223         (JSC::JSObject::getOwnPropertySlotVirtual):
1224         (JSC::JSCell::fastGetOwnPropertySlot):
1225         (JSC::JSObject::getPropertySlot):
1226         (JSC::JSValue::get):
1227         * runtime/JSStaticScopeObject.cpp:
1228         (JSC::JSStaticScopeObject::getOwnPropertySlotVirtual):
1229         * runtime/JSStaticScopeObject.h:
1230         * runtime/JSString.cpp:
1231         (JSC::JSString::getOwnPropertySlotVirtual):
1232         (JSC::JSString::getOwnPropertySlot):
1233         * runtime/JSString.h:
1234         * runtime/Lookup.h:
1235         (JSC::getStaticPropertySlot):
1236         (JSC::getStaticFunctionSlot):
1237         (JSC::getStaticValueSlot):
1238         * runtime/MathObject.cpp:
1239         (JSC::MathObject::getOwnPropertySlotVirtual):
1240         * runtime/MathObject.h:
1241         * runtime/NumberConstructor.cpp:
1242         (JSC::NumberConstructor::getOwnPropertySlotVirtual):
1243         * runtime/NumberConstructor.h:
1244         * runtime/NumberPrototype.cpp:
1245         (JSC::NumberPrototype::getOwnPropertySlotVirtual):
1246         * runtime/NumberPrototype.h:
1247         * runtime/ObjectConstructor.cpp:
1248         (JSC::ObjectConstructor::getOwnPropertySlotVirtual):
1249         * runtime/ObjectConstructor.h:
1250         * runtime/ObjectPrototype.cpp:
1251         (JSC::ObjectPrototype::getOwnPropertySlotVirtual):
1252         * runtime/ObjectPrototype.h:
1253         * runtime/RegExpConstructor.cpp:
1254         (JSC::RegExpConstructor::getOwnPropertySlotVirtual):
1255         * runtime/RegExpConstructor.h:
1256         * runtime/RegExpMatchesArray.h:
1257         (JSC::RegExpMatchesArray::getOwnPropertySlotVirtual):
1258         * runtime/RegExpObject.cpp:
1259         (JSC::RegExpObject::getOwnPropertySlotVirtual):
1260         * runtime/RegExpObject.h:
1261         * runtime/RegExpPrototype.cpp:
1262         (JSC::RegExpPrototype::getOwnPropertySlotVirtual):
1263         * runtime/RegExpPrototype.h:
1264         * runtime/StringConstructor.cpp:
1265         (JSC::StringConstructor::getOwnPropertySlotVirtual):
1266         * runtime/StringConstructor.h:
1267         * runtime/StringObject.cpp:
1268         (JSC::StringObject::getOwnPropertySlotVirtual):
1269         * runtime/StringObject.h:
1270         * runtime/StringPrototype.cpp:
1271         (JSC::StringPrototype::getOwnPropertySlotVirtual):
1272         * runtime/StringPrototype.h:
1273
1274 2011-10-14  Gavin Barraclough  <baraclough@apple.com>
1275
1276         Most built-in properties are not deletable
1277         https://bugs.webkit.org/show_bug.cgi?id=61014
1278
1279         Reviewed by Filip Pizlo.
1280
1281         Our static hash tables don't allow for deleting properties.
1282         This is the cause of a bunch of expected failures in LayoutTests/sputnik.
1283
1284         This fixes the problem by reifying all static functions immediately prior
1285         to the first deletion.  Reification is tracked by a flag on the structure,
1286         so properties will no longer 'bounce-back' on later access.
1287
1288         Theoretically there could probably also be an issue with custom accessor
1289         properties, but we probably do not really require any of these to be
1290         Configurable anyway. I'll follow up with a separate patch to address this.
1291
1292         * runtime/ClassInfo.h:
1293         (JSC::ClassInfo::hasStaticProperties):
1294             - detects static property tables.
1295         * runtime/JSObject.cpp:
1296         (JSC::JSObject::deleteProperty):
1297             - call reifyStaticFunctions before deletion.
1298         (JSC::JSObject::reifyStaticFunctions):
1299             - If the class has static functions, set them up now.
1300         * runtime/JSObject.h:
1301         (JSC::JSObject::staticFunctionsReified):
1302             - returns true if static functions have been reified,
1303               and as such should no longer be added.
1304         * runtime/Lookup.cpp:
1305         (JSC::setUpStaticFunctionSlot):
1306             - If static functions have been reified do not add.
1307         * runtime/Lookup.h:
1308         (JSC::HashTable::ConstIterator::ConstIterator):
1309         (JSC::HashTable::ConstIterator::operator->):
1310         (JSC::HashTable::ConstIterator::operator*):
1311         (JSC::HashTable::ConstIterator::operator!=):
1312         (JSC::HashTable::ConstIterator::operator++):
1313         (JSC::HashTable::ConstIterator::skipInvalidKeys):
1314         (JSC::HashTable::begin):
1315         (JSC::HashTable::end):
1316         (JSC::getStaticPropertySlot):
1317         (JSC::getStaticPropertyDescriptor):
1318         (JSC::getStaticFunctionSlot):
1319         (JSC::getStaticFunctionDescriptor):
1320             - setUpStaticFunctionSlot may not add, returns a bool.
1321         (JSC::lookupPut):
1322             - remove redundant branch.
1323         * runtime/Structure.cpp:
1324         (JSC::Structure::Structure):
1325             - initialize new flag in constructors.
1326         * runtime/Structure.h:
1327         (JSC::Structure::staticFunctionsReified):
1328         (JSC::Structure::setStaticFunctionsReified):
1329             - added flag
1330
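        Added example (editor's code, not WebKit's) for the two related entries above, bug 70207
        (a deleted __defineSetter__ still listed by getOwnPropertyNames) and bug 61014 (static
        hash-table properties could not be deleted at all). It deletes a configurable built-in and
        then checks, through every reflection path, that it is gone and does not come back on a
        later access. This matters to sandboxing code that removes intrinsics from a realm: such
        code relies on the deletion sticking. The property is saved and restored so the process is
        left as it was; function names are the example's own.

```javascript
// Added example, not WebKit code. Delete a configurable built-in and verify that
// 'in', hasOwnProperty, getOwnPropertyNames and a subsequent [[Get]] all agree
// it is gone, and that sibling properties are untouched.
function deleteBuiltin(target, name) {
  const saved = Object.getOwnPropertyDescriptor(target, name);
  if (!saved || !saved.configurable) throw new Error(name + ' is not a configurable own property');
  const countBefore = Object.getOwnPropertyNames(target).length;
  try {
    const deleted = delete target[name];                 // true for a configurable property
    const inAfter = name in target;
    const ownAfter = Object.prototype.hasOwnProperty.call(target, name);
    const listedAfter = Object.getOwnPropertyNames(target).includes(name);
    const getAfter = target[name];                       // a [[Get]] must not resurrect it
    const inAfterGet = name in target;                   // ... so re-check after the access
    const countAfter = Object.getOwnPropertyNames(target).length;
    return { deleted, inAfter, ownAfter, listedAfter, getAfter, inAfterGet, countBefore, countAfter };
  } finally {
    Object.defineProperty(target, name, saved);          // restore the realm
  }
}

// Usage: deleteBuiltin(Object.prototype, '__defineSetter__').listedAfter is false.
```

        A non-configurable built-in such as Math.PI is rejected up front rather than deleted,
        since delete on it is a silent false in sloppy code and a TypeError in strict code.
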
1331 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1332
1333         Rename virtual put to putVirtual
1334         https://bugs.webkit.org/show_bug.cgi?id=69851
1335
1336         Reviewed by Darin Adler.
1337
1338         Renamed virtual versions of put to putVirtual in preparation for
1339         adding the static put to the MethodTable in ClassInfo since the 
1340         compiler gets mad if the virtual and static versions have the same 
1341         name.
1342
1343         * API/JSCallbackObject.h:
1344         * API/JSCallbackObjectFunctions.h:
1345         (JSC::::putVirtual):
1346         * API/JSObjectRef.cpp:
1347         (JSObjectSetProperty):
1348         (JSObjectSetPropertyAtIndex):
1349         * JavaScriptCore.exp:
1350         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1351         * debugger/DebuggerActivation.cpp:
1352         (JSC::DebuggerActivation::putVirtual):
1353         (JSC::DebuggerActivation::put):
1354         * debugger/DebuggerActivation.h:
1355         * dfg/DFGOperations.cpp:
1356         (JSC::DFG::putByVal):
1357         * interpreter/Interpreter.cpp:
1358         (JSC::Interpreter::execute):
1359         * jit/JITStubs.cpp:
1360         (JSC::DEFINE_STUB_FUNCTION):
1361         * jsc.cpp:
1362         (GlobalObject::finishCreation):
1363         * runtime/Arguments.cpp:
1364         (JSC::Arguments::putVirtual):
1365         * runtime/Arguments.h:
1366         * runtime/ArrayPrototype.cpp:
1367         (JSC::putProperty):
1368         (JSC::arrayProtoFuncConcat):
1369         (JSC::arrayProtoFuncPush):
1370         (JSC::arrayProtoFuncReverse):
1371         (JSC::arrayProtoFuncShift):
1372         (JSC::arrayProtoFuncSlice):
1373         (JSC::arrayProtoFuncSort):
1374         (JSC::arrayProtoFuncSplice):
1375         (JSC::arrayProtoFuncUnShift):
1376         (JSC::arrayProtoFuncFilter):
1377         (JSC::arrayProtoFuncMap):
1378         * runtime/JSActivation.cpp:
1379         (JSC::JSActivation::putVirtual):
1380         * runtime/JSActivation.h:
1381         * runtime/JSArray.cpp:
1382         (JSC::JSArray::putVirtual):
1383         (JSC::JSArray::putSlowCase):
1384         (JSC::JSArray::push):
1385         (JSC::JSArray::shiftCount):
1386         (JSC::JSArray::unshiftCount):
1387         * runtime/JSArray.h:
1388         * runtime/JSByteArray.cpp:
1389         (JSC::JSByteArray::putVirtual):
1390         * runtime/JSByteArray.h:
1391         * runtime/JSCell.cpp:
1392         (JSC::JSCell::putVirtual):
1393         (JSC::JSCell::put):
1394         * runtime/JSCell.h:
1395         * runtime/JSFunction.cpp:
1396         (JSC::JSFunction::putVirtual):
1397         * runtime/JSFunction.h:
1398         * runtime/JSGlobalObject.cpp:
1399         (JSC::JSGlobalObject::putVirtual):
1400         (JSC::JSGlobalObject::putWithAttributes):
1401         * runtime/JSGlobalObject.h:
1402         * runtime/JSNotAnObject.cpp:
1403         (JSC::JSNotAnObject::putVirtual):
1404         * runtime/JSNotAnObject.h:
1405         * runtime/JSONObject.cpp:
1406         (JSC::Walker::walk):
1407         * runtime/JSObject.cpp:
1408         (JSC::JSObject::putVirtual):
1409         (JSC::JSObject::put):
1410         (JSC::JSObject::defineOwnProperty):
1411         * runtime/JSObject.h:
1412         (JSC::JSValue::put):
1413         * runtime/JSStaticScopeObject.cpp:
1414         (JSC::JSStaticScopeObject::putVirtual):
1415         * runtime/JSStaticScopeObject.h:
1416         * runtime/Lookup.h:
1417         (JSC::lookupPut):
1418         * runtime/ObjectPrototype.cpp:
1419         (JSC::ObjectPrototype::putVirtual):
1420         * runtime/ObjectPrototype.h:
1421         * runtime/RegExpConstructor.cpp:
1422         (JSC::RegExpMatchesArray::fillArrayInstance):
1423         (JSC::RegExpConstructor::putVirtual):
1424         * runtime/RegExpConstructor.h:
1425         * runtime/RegExpMatchesArray.h:
1426         (JSC::RegExpMatchesArray::putVirtual):
1427         * runtime/RegExpObject.cpp:
1428         (JSC::RegExpObject::putVirtual):
1429         * runtime/RegExpObject.h:
1430         * runtime/StringObject.cpp:
1431         (JSC::StringObject::putVirtual):
1432         * runtime/StringObject.h:
1433         * runtime/StringPrototype.cpp:
1434         (JSC::stringProtoFuncSplit):
1435
1436 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
1437
1438         Reflective Arguments retrieval should be hardened for the
1439         possibility of inlining
1440         https://bugs.webkit.org/show_bug.cgi?id=70068
1441
1442         Reviewed by Oliver Hunt.
1443         
1444         CodeBlock can now track, as part of its RareData, the virtual inline
1445         stack at callsites. CallFrame walking can now rematerialize "inline"
1446         CallFrames by combining the meta-data in CodeBlock with the information
1447         already in the JS stack. Arguments can now safely retrieve the
1448         arguments from inline CallFrames.
1449         
1450         The DFG already had the notion of a "CodeOrigin" in preparation for
1451         inlining. This notion will now be saved into the CodeBlock, if the DFG
1452         had done inlining. So, CodeOrigin has been moved to bytecode/ and has
1453         been changed to behave more like a struct since that is how it's
1454         meant to be used.
1455
1456         * GNUmakefile.list.am:
1457         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1458         * JavaScriptCore.xcodeproj/project.pbxproj:
1459         * bytecode/CodeBlock.h:
1460         (JSC::CodeBlock::inlineCallFrames):
1461         (JSC::CodeBlock::codeOrigins):
1462         (JSC::CodeBlock::hasCodeOrigins):
1463         (JSC::CodeBlock::codeOriginForReturn):
1464         * bytecode/CodeOrigin.h: Added.
1465         (JSC::CodeOrigin::CodeOrigin):
1466         (JSC::CodeOrigin::isSet):
1467         (JSC::getCallReturnOffsetForCodeOrigin):
1468         * dfg/DFGJITCompiler.cpp:
1469         (JSC::DFG::JITCompiler::link):
1470         * dfg/DFGNode.h:
1471         * dfg/DFGSpeculativeJIT.cpp:
1472         (JSC::DFG::SpeculativeJIT::compile):
1473         * dfg/DFGSpeculativeJIT32_64.cpp:
1474         (JSC::DFG::SpeculativeJIT::compile):
1475         * dfg/DFGSpeculativeJIT64.cpp:
1476         (JSC::DFG::SpeculativeJIT::compile):
1477         * interpreter/CallFrame.cpp:
1478         (JSC::CallFrame::isInlineCallFrame):
1479         (JSC::CallFrame::trueCallerFrame):
1480         * interpreter/CallFrame.h:
1481         (JSC::ExecState::inlineCallFrame):
1482         (JSC::ExecState::setInlineCallFrame):
1483         (JSC::ExecState::isInlineCallFrame):
1484         (JSC::ExecState::trueCallerFrame):
1485         * interpreter/Interpreter.cpp:
1486         (JSC::Interpreter::findFunctionCallFrame):
1487         * interpreter/Register.h:
1488         (JSC::Register::operator=):
1489         (JSC::Register::inlineCallFrame):
1490         * runtime/Arguments.h:
1491         (JSC::Arguments::getArgumentsData):
1492         (JSC::Arguments::finishCreationButDontCopyRegisters):
1493         (JSC::Arguments::finishCreation):
1494         (JSC::Arguments::finishCreationAndCopyRegisters):
1495         * runtime/Executable.h:
1496         (JSC::FunctionExecutable::parameterCount):
1497
1498 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1499
1500         Rename virtual deleteProperty to deletePropertyVirtual
1501         https://bugs.webkit.org/show_bug.cgi?id=69884
1502
1503         Reviewed by Darin Adler.
1504
1505         Renamed virtual versions of deleteProperty to deletePropertyVirtual in preparation for 
1506         adding the static deleteProperty to the MethodTable in ClassInfo since the 
1507         compiler gets mad if the virtual and static versions have the same name.
1508
1509         * API/JSCallbackObject.h:
1510         * API/JSCallbackObjectFunctions.h:
1511         (JSC::::deletePropertyVirtual):
1512         (JSC::::deleteProperty):
1513         * API/JSObjectRef.cpp:
1514         (JSObjectDeleteProperty):
1515         * JavaScriptCore.exp:
1516         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1517         * debugger/DebuggerActivation.cpp:
1518         (JSC::DebuggerActivation::deletePropertyVirtual):
1519         (JSC::DebuggerActivation::deleteProperty):
1520         * debugger/DebuggerActivation.h:
1521         * jit/JITStubs.cpp:
1522         (JSC::DEFINE_STUB_FUNCTION):
1523         * runtime/Arguments.cpp:
1524         (JSC::Arguments::deletePropertyVirtual):
1525         * runtime/Arguments.h:
1526         * runtime/ArrayPrototype.cpp:
1527         (JSC::arrayProtoFuncPop):
1528         (JSC::arrayProtoFuncReverse):
1529         (JSC::arrayProtoFuncShift):
1530         (JSC::arrayProtoFuncSplice):
1531         (JSC::arrayProtoFuncUnShift):
1532         * runtime/JSActivation.cpp:
1533         (JSC::JSActivation::deletePropertyVirtual):
1534         * runtime/JSActivation.h:
1535         * runtime/JSArray.cpp:
1536         (JSC::JSArray::deletePropertyVirtual):
1537         (JSC::JSArray::deleteProperty):
1538         * runtime/JSArray.h:
1539         * runtime/JSCell.cpp:
1540         (JSC::JSCell::deletePropertyVirtual):
1541         (JSC::JSCell::deleteProperty):
1542         * runtime/JSCell.h:
1543         * runtime/JSFunction.cpp:
1544         (JSC::JSFunction::deletePropertyVirtual):
1545         * runtime/JSFunction.h:
1546         * runtime/JSNotAnObject.cpp:
1547         (JSC::JSNotAnObject::deletePropertyVirtual):
1548         * runtime/JSNotAnObject.h:
1549         * runtime/JSONObject.cpp:
1550         (JSC::Walker::walk):
1551         * runtime/JSObject.cpp:
1552         (JSC::JSObject::deletePropertyVirtual):
1553         (JSC::JSObject::deleteProperty):
1554         (JSC::JSObject::defineOwnProperty):
1555         * runtime/JSObject.h:
1556         * runtime/JSVariableObject.cpp:
1557         (JSC::JSVariableObject::deletePropertyVirtual):
1558         * runtime/JSVariableObject.h:
1559         * runtime/RegExpMatchesArray.h:
1560         (JSC::RegExpMatchesArray::deletePropertyVirtual):
1561         * runtime/StrictEvalActivation.cpp:
1562         (JSC::StrictEvalActivation::deletePropertyVirtual):
1563         * runtime/StrictEvalActivation.h:
1564         * runtime/StringObject.cpp:
1565         (JSC::StringObject::deletePropertyVirtual):
1566         * runtime/StringObject.h:
1567
1568 2011-10-14  Peter Beverloo  <peter@chromium.org>
1569
1570         [Chromium] Inherit settings from Chromium's envsetup.sh, address a NDK todo
1571         https://bugs.webkit.org/show_bug.cgi?id=70028
1572
1573         Reviewed by Adam Barth.
1574
1575         * JavaScriptCore.gyp/JavaScriptCore.gyp:
1576
1577 2011-10-14  Yuqiang Xian  <yuqiang.xian@intel.com>
1578
1579         DFG JIT 32_64 - Performance fix for ResolveGlobal
1580         https://bugs.webkit.org/show_bug.cgi?id=70096
1581
1582         Reviewed by Gavin Barraclough.
1583
1584         Structure check of global object should be a pointer comparison
1585         instead of a tag and payload pair comparison. This fix improves
1586         SunSpider by 7% on Linux 32, with bitops-bitwise-and improved by 4.75X.
1587         Also two trivial fixes for successful 32-bit build are included.
1588
1589         * dfg/DFGSpeculativeJIT.cpp:
1590         * dfg/DFGSpeculativeJIT32_64.cpp:
1591         (JSC::DFG::SpeculativeJIT::compile):
1592
1593 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
1594
1595         Speculation failures in ValueToInt32 are causing a 2x slow-down
1596         in Kraken/stanford-crypto-pbkdf2
1597         https://bugs.webkit.org/show_bug.cgi?id=70089
1598
1599         Reviewed by Gavin Barraclough.
1600         
1601         If we can't truncate to Int32 using machine code, then don't fail
1602         speculation. Just call JSC::toInt32.
1603
1604         * dfg/DFGJITCodeGenerator.h:
1605         (JSC::DFG::callOperation):
1606         * dfg/DFGOperations.h:
1607         * dfg/DFGSpeculativeJIT.cpp:
1608         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1609         * dfg/DFGSpeculativeJIT64.cpp:
1610         (JSC::DFG::SpeculativeJIT::compile):
1611
1612 2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1613
1614         Rename virtual getConstructData to getConstructDataVirtual
1615         https://bugs.webkit.org/show_bug.cgi?id=69872
1616
1617         Reviewed by Geoffrey Garen.
1618
1619         Renamed virtual getConstructData functions to getConstructDataVirtual to 
1620         avoid conflicts when we add static getConstructData to the MethodTable.
1621
1622         * API/JSCallbackConstructor.cpp:
1623         (JSC::JSCallbackConstructor::getConstructDataVirtual):
1624         * API/JSCallbackConstructor.h:
1625         * API/JSCallbackObject.h:
1626         * API/JSCallbackObjectFunctions.h:
1627         (JSC::::getConstructDataVirtual):
1628         * API/JSObjectRef.cpp:
1629         (JSObjectIsConstructor):
1630         (JSObjectCallAsConstructor):
1631         * JavaScriptCore.exp:
1632         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1633         * dfg/DFGOperations.cpp:
1634         * jit/JITStubs.cpp:
1635         (JSC::DEFINE_STUB_FUNCTION):
1636         * runtime/ArrayConstructor.cpp:
1637         (JSC::ArrayConstructor::getConstructDataVirtual):
1638         * runtime/ArrayConstructor.h:
1639         * runtime/BooleanConstructor.cpp:
1640         (JSC::BooleanConstructor::getConstructDataVirtual):
1641         * runtime/BooleanConstructor.h:
1642         * runtime/DateConstructor.cpp:
1643         (JSC::DateConstructor::getConstructDataVirtual):
1644         * runtime/DateConstructor.h:
1645         * runtime/Error.h:
1646         (JSC::StrictModeTypeErrorFunction::getConstructDataVirtual):
1647         * runtime/ErrorConstructor.cpp:
1648         (JSC::ErrorConstructor::getConstructDataVirtual):
1649         * runtime/ErrorConstructor.h:
1650         * runtime/FunctionConstructor.cpp:
1651         (JSC::FunctionConstructor::getConstructDataVirtual):
1652         * runtime/FunctionConstructor.h:
1653         * runtime/JSCell.cpp:
1654         (JSC::JSCell::getConstructDataVirtual):
1655         * runtime/JSCell.h:
1656         (JSC::getConstructData):
1657         * runtime/JSFunction.cpp:
1658         (JSC::JSFunction::getConstructDataVirtual):
1659         * runtime/JSFunction.h:
1660         * runtime/NativeErrorConstructor.cpp:
1661         (JSC::NativeErrorConstructor::getConstructDataVirtual):
1662         * runtime/NativeErrorConstructor.h:
1663         * runtime/NumberConstructor.cpp:
1664         (JSC::NumberConstructor::getConstructDataVirtual):
1665         * runtime/NumberConstructor.h:
1666         * runtime/ObjectConstructor.cpp:
1667         (JSC::ObjectConstructor::getConstructDataVirtual):
1668         * runtime/ObjectConstructor.h:
1669         * runtime/RegExpConstructor.cpp:
1670         (JSC::RegExpConstructor::getConstructDataVirtual):
1671         * runtime/RegExpConstructor.h:
1672         * runtime/StringConstructor.cpp:
1673         (JSC::StringConstructor::getConstructDataVirtual):
1674         * runtime/StringConstructor.h:
1675
1676 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
1677
1678         Rubber stamped Stephanie Lewis.
1679         
1680         DFG_ENABLE() macro was always returning false.
1681
1682         * dfg/DFGNode.h:
1683
1684 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1685
1686         Speculative build fix for !DFG builds.
1687
1688         * jit/JIT.cpp:
1689         (JSC::JIT::privateCompile):
1690
1691 2011-10-13  Oliver Hunt  <oliver@apple.com>
1692
1693         Fix performance of ValueToInt32 node when predicting double
1694         https://bugs.webkit.org/show_bug.cgi?id=70063
1695
1696         Reviewed by Filip Pizlo.
1697
1698         Currently we fail to inline double to int conversion when
1699         performing a ValueToInt32 operation on a value we predict
1700         to be a double.
1701
1702         * dfg/DFGAbstractState.cpp:
1703         (JSC::DFG::AbstractState::execute):
1704            Apply correct filter for the double prediction path
1705         * dfg/DFGJITCodeGenerator32_64.cpp:
1706         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1707         * dfg/DFGJITCodeGenerator64.cpp:
1708         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1709            Support double parameters even when value has been spilled.
1710         * dfg/DFGSpeculativeJIT.cpp:
1711         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1712            Moved old valueToInt32 code to this function, and added
1713            path for double prediction
1714         * dfg/DFGSpeculativeJIT.h:
1715         * dfg/DFGSpeculativeJIT32_64.cpp:
1716         (JSC::DFG::SpeculativeJIT::compile):
1717         * dfg/DFGSpeculativeJIT64.cpp:
1718         (JSC::DFG::SpeculativeJIT::compile):
1719            Made the two implementations of ValueToInt32 call a single
1720            shared compileValueToInt32 function.
1721
1722 2011-10-13  Chris Marrin  <cmarrin@apple.com>
1723
1724         Sync requestAnimationFrame callback to CVDisplayLink on Mac
1725         https://bugs.webkit.org/show_bug.cgi?id=68911
1726
1727         Reviewed by Simon Fraser.
1728
1729         Add REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for implementations
1730         that use the DisplayRefreshMonitor logic.
1731
1732         * wtf/Platform.h:
1733
1734 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1735
1736         DFG JIT should not be using ENABLE macro to enable features
1737         https://bugs.webkit.org/show_bug.cgi?id=70060
1738
1739         Reviewed by Oliver Hunt.
1740
1741         The ENABLE macro is only intended to be used to detect features that are configured
1742         in Platform.h. Using it to detect settings defined in other headers is an error.
1743
1744         The problem is that the ENABLE macro checks if the value is defined, so will silently
1745         return false if you fail to include the header defining the switch. This is not a problem
1746         if (1) the settings are defined in the same header that defines the macro that tests them,
1747         or (2) the header is included everywhere.  In the case of ENABLE settings defined in
1748         Platform.h, both are true! To make this clear, add an explicit DFG_ENABLE macro.
1749
1750         * bytecode/CodeBlock.cpp:
1751         * dfg/DFGByteCodeParser.cpp:
1752         (JSC::DFG::ByteCodeParser::getPrediction):
1753         (JSC::DFG::ByteCodeParser::makeSafe):
1754         * dfg/DFGCapabilities.h:
1755         (JSC::DFG::canCompileOpcode):
1756         * dfg/DFGGraph.cpp:
1757         (JSC::DFG::Graph::predictArgumentTypes):
1758         * dfg/DFGJITCodeGenerator.cpp:
1759         * dfg/DFGJITCodeGenerator.h:
1760         * dfg/DFGJITCompiler.cpp:
1761         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1762         (JSC::DFG::JITCompiler::compileBody):
1763         (JSC::DFG::JITCompiler::link):
1764         * dfg/DFGJITCompiler.h:
1765         (JSC::DFG::JITCompiler::noticeOSREntry):
1766         * dfg/DFGJITCompiler32_64.cpp:
1767         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1768         (JSC::DFG::JITCompiler::compileBody):
1769         (JSC::DFG::JITCompiler::link):
1770         * dfg/DFGNode.h:
1771         * dfg/DFGOSREntry.cpp:
1772         (JSC::DFG::prepareOSREntry):
1773         * dfg/DFGOperations.cpp:
1774         * dfg/DFGOperations.h:
1775         * dfg/DFGPropagator.cpp:
1776         (JSC::DFG::Propagator::fixpoint):
1777         (JSC::DFG::Propagator::propagateArithNodeFlags):
1778         (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
1779         (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
1780         (JSC::DFG::Propagator::propagateNodePredictions):
1781         (JSC::DFG::Propagator::propagatePredictionsForward):
1782         (JSC::DFG::Propagator::propagatePredictionsBackward):
1783         (JSC::DFG::Propagator::propagatePredictions):
1784         (JSC::DFG::Propagator::toDouble):
1785         (JSC::DFG::Propagator::fixupNode):
1786         (JSC::DFG::Propagator::fixup):
1787         (JSC::DFG::Propagator::startIndexForChildren):
1788         (JSC::DFG::Propagator::endIndexForPureCSE):
1789         (JSC::DFG::Propagator::setReplacement):
1790         (JSC::DFG::Propagator::eliminate):
1791         (JSC::DFG::Propagator::performNodeCSE):
1792         (JSC::DFG::Propagator::localCSE):
1793         (JSC::DFG::Propagator::allocateVirtualRegisters):
1794         (JSC::DFG::Propagator::performBlockCFA):
1795         (JSC::DFG::Propagator::performForwardCFA):
1796         (JSC::DFG::Propagator::globalCFA):
1797         * dfg/DFGScoreBoard.h:
1798         * dfg/DFGSpeculativeJIT.cpp:
1799         (JSC::DFG::SpeculativeJIT::compile):
1800         * dfg/DFGSpeculativeJIT.h:
1801         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1802         * dfg/DFGSpeculativeJIT32_64.cpp:
1803         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1804         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1805         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1806         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1807         (JSC::DFG::SpeculativeJIT::compile):
1808         * dfg/DFGSpeculativeJIT64.cpp:
1809         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1810         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1811         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1812         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1813         (JSC::DFG::SpeculativeJIT::compile):
1814         * jit/JIT.cpp:
1815         (JSC::JIT::privateCompile):
1816
1817 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1818
1819         terminateSpeculativeExecution for fillSpeculateDouble with DataFormatCell
1820
1821         Rubber stamped by Filip Pizlo
1822
1823         This is breaking fast/canvas/canvas-composite-alpha.html on 32_64 DFG JIT.
1824
1825         * dfg/DFGSpeculativeJIT32_64.cpp:
1826         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1827         * dfg/DFGSpeculativeJIT64.cpp:
1828         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1829
1830 2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1831
1832         De-virtualized JSCell::toNumber
1833         https://bugs.webkit.org/show_bug.cgi?id=69858
1834
1835         Reviewed by Sam Weinig.
1836
1838         Removed JSCallbackObject::toNumber because it's no longer necessary: 
1839         JSObject::toNumber now suffices, since we implicitly add valueOf to an object's
1840         prototype whenever a convertToType callback is provided.
1841         * API/JSCallbackObject.h:
1842         * API/JSCallbackObjectFunctions.h:
1843         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1844
1845         De-virtualized JSCell::toNumber, JSObject::toNumber, and JSString::toNumber.
1846         * runtime/JSCell.cpp:
1847         (JSC::JSCell::toNumber):
1848         * runtime/JSCell.h:
1849         * runtime/JSObject.h:
1850         * runtime/JSString.h:
1851
1852         Removed JSNotAnObject::toNumber because its result doesn't matter and it implements 
1853         defaultValue, therefore JSObject::toNumber can cover its case.
1854         * runtime/JSNotAnObject.cpp:
1855         * runtime/JSNotAnObject.h:
1856
1857 2011-10-13  Xianzhu Wang  <wangxianzhu@chromium.org>
1858
1859         Use realloc() to expand/shrink StringBuilder buffer
1860         https://bugs.webkit.org/show_bug.cgi?id=69913
1861
1862         Reviewed by Darin Adler.
1863
1864         * wtf/text/StringBuilder.cpp:
1865         (WTF::StringBuilder::reserveCapacity):
1866         (WTF::StringBuilder::reallocateBuffer):
1867         (WTF::StringBuilder::appendUninitialized):
1868         (WTF::StringBuilder::shrinkToFit):
1869         * wtf/text/StringBuilder.h:
1870         * wtf/text/StringImpl.cpp:
1871         (WTF::StringImpl::reallocate): Added to allow StringBuilder to reallocate the buffer.
1872         * wtf/text/StringImpl.h:
1873
1874 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1875
1876         If an Arguments object is being used to copy the arguments, then
1877         make this explicit
1878         https://bugs.webkit.org/show_bug.cgi?id=69995
1879
1880         Reviewed by Sam Weinig.
1881
1882         * interpreter/Interpreter.cpp:
1883         (JSC::Interpreter::retrieveArguments):
1884         * runtime/Arguments.h:
1885         (JSC::Arguments::createAndCopyRegisters):
1886         (JSC::Arguments::finishCreationButDontCopyRegisters):
1887         (JSC::Arguments::finishCreation):
1888         (JSC::Arguments::finishCreationAndCopyRegisters):
1889
1890 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1891
1892         DFG CFA does not filter structures aggressively enough.
1893         https://bugs.webkit.org/show_bug.cgi?id=69989
1894
1895         Reviewed by Oliver Hunt.
1896
1897         * dfg/DFGAbstractValue.h:
1898         (JSC::DFG::AbstractValue::clear):
1899         (JSC::DFG::AbstractValue::makeTop):
1900         (JSC::DFG::AbstractValue::clobberStructures):
1901         (JSC::DFG::AbstractValue::set):
1902         (JSC::DFG::AbstractValue::merge):
1903         (JSC::DFG::AbstractValue::filter):
1904         (JSC::DFG::AbstractValue::checkConsistency):
1905
1906 2011-10-12  Adam Barth  <abarth@webkit.org>
1907
1908         Remove ENABLE(XHTMLMP) and associated code
1909         https://bugs.webkit.org/show_bug.cgi?id=69729
1910
1911         Reviewed by David Levin.
1912
1913         * Configurations/FeatureDefines.xcconfig:
1914
1915 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1916
1917         MacroAssemblerX86 8-bit register ops unsafe on CPU(X86)
1918         https://bugs.webkit.org/show_bug.cgi?id=69978
1919
1920         Reviewed by Filip Pizlo.
1921
1922         Certain ops are unsafe if the register passed is esp..edi (will instead test/set the ).
1923
1924         compare32/test8/test32 call setCC, which sets an 8-bit register - we can fix this by adding
1925         a couple of xchg instructions.
1926
1927         branchTest8 with a register argument is also affected. In all cases where this is currently used
1928         it is testing a value that is correct to 32 or more bits, so we can simply switch these
1929         to branchTest32 & remove the corresponding branchTest8 (this is desirable anyway, since the
1930         32-bit form is cheaper to implement on platforms that don't have an 8-bit compare instruction).
1931
1932         This fixes the remaining fast/js failures with the DFG JIT 32_64.
1933
1934         * assembler/MacroAssemblerARMv7.h
1935             - removed branchTest8.
1936         * assembler/MacroAssemblerX86Common.h:
1937         (JSC::MacroAssemblerX86Common::compare32):
1938         (JSC::MacroAssemblerX86Common::test8):
1939         (JSC::MacroAssemblerX86Common::test32):
1940         (JSC::MacroAssemblerX86Common::set32):
1941             - added set32 helper that is 'h' register safe.
1942             - removed branchTest8.
1943         * dfg/DFGJITCodeGenerator32_64.cpp:
1944         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1945         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1946             - switch uses of branchTest8 to branchTest32.
1947         * dfg/DFGJITCodeGenerator64.cpp:
1948         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1949         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1950             - switch uses of branchTest8 to branchTest32.
1951         * dfg/DFGSpeculativeJIT32_64.cpp:
1952         (JSC::DFG::SpeculativeJIT::emitBranch):
1953             - switch uses of branchTest8 to branchTest32.
1954         * dfg/DFGSpeculativeJIT64.cpp:
1955         (JSC::DFG::SpeculativeJIT::emitBranch):
1956             - switch uses of branchTest8 to branchTest32.
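
To make the encoding hazard in the entry above concrete, here is a small added model of set32 (not JavaScriptCore's own X86Assembler code) that emits the bytes for the naive setcc/movzx sequence and for the xchg-based 'h'-register-safe sequence; the register numbering, helper names and the REX handling for x86-64 are my assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Register numbers as they appear in the ModRM r/m field (eax=0 ... edi=7).
// r8..r15 are left out to keep the model small.
enum Reg { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

// Low nibble of the setcc opcode (0F 90+cc); only a few conditions are needed.
enum Cond { kBelow = 0x2, kEqual = 0x4, kNotEqual = 0x5 };

using Code = std::vector<uint8_t>;

// An 8-bit operand with r/m = 4..7 names AH/CH/DH/BH unless a REX prefix is
// present. CPU(X86) has no REX, so the low byte of esp..edi is unreachable
// there: that is the hazard the ChangeLog entry describes.
static bool isHRegisterHazard(Reg r, bool is64Bit) {
    return !is64Bit && r >= ESP;
}

// On x86-64 an empty REX (0x40) selects SPL/BPL/SIL/DIL instead of AH..BH.
static void emitRexForByteReg(Code& out, Reg r, bool is64Bit) {
    if (is64Bit && r >= ESP)
        out.push_back(0x40);
}

// setcc r/m8, register-direct: 0F 9x, ModRM mod=11 reg=000 r/m=dest.
static void emitSetCC(Code& out, Cond cc, Reg dest, bool is64Bit) {
    emitRexForByteReg(out, dest, is64Bit);
    out.push_back(0x0F);
    out.push_back(static_cast<uint8_t>(0x90 | cc));
    out.push_back(static_cast<uint8_t>(0xC0 | dest));
}

// movzx r32, r/m8: 0F B6 /r, ModRM mod=11 reg=dst32 r/m=src8.
static void emitMovzbl(Code& out, Reg src8, Reg dst32, bool is64Bit) {
    emitRexForByteReg(out, src8, is64Bit);
    out.push_back(0x0F);
    out.push_back(0xB6);
    out.push_back(static_cast<uint8_t>(0xC0 | (dst32 << 3) | src8));
}

// xchg eax, r32 has the one-byte form 90+r.
static void emitXchgEax(Code& out, Reg r) {
    out.push_back(static_cast<uint8_t>(0x90 | r));
}

// Naive set32: setcc into dest's low byte, then zero-extend it. Correct for
// eax..ebx everywhere, and for esp..edi only when a REX prefix is available.
static Code set32Naive(Cond cc, Reg dest, bool is64Bit) {
    Code out;
    emitSetCC(out, cc, dest, is64Bit);
    emitMovzbl(out, dest, dest, is64Bit);
    return out;
}

// 'h'-register-safe set32 in the spirit of the entry above: when dest is
// esp..edi on 32-bit, swap it with eax, set al, zero-extend, and swap back.
static Code set32Safe(Cond cc, Reg dest, bool is64Bit) {
    if (!isHRegisterHazard(dest, is64Bit))
        return set32Naive(cc, dest, is64Bit);
    Code out;
    emitXchgEax(out, dest);
    emitSetCC(out, cc, EAX, is64Bit);
    emitMovzbl(out, EAX, EAX, is64Bit);
    emitXchgEax(out, dest);
    return out;
}

static void dump(const char* label, const Code& code) {
    std::printf("%-26s", label);
    for (uint8_t b : code)
        std::printf(" %02X", b);
    std::printf("\n");
}

int main() {
    // On CPU(X86) the naive form for esp encodes "sete ah; movzx esp, ah":
    // it writes AH (silently clobbering eax) instead of the low byte of esp.
    dump("naive sete esp (x86):", set32Naive(kEqual, ESP, false));
    dump("safe  sete esp (x86):", set32Safe(kEqual, ESP, false));
    dump("naive sete esi (x86-64):", set32Naive(kEqual, ESI, true));
    return 0;
}
```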
1957
1958 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1959
1960         Errrk, revert accidental commit!
1961
1962         * wtf/Platform.h:
1963
1964 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1965
1966         Unreviewed, re-land changes from #69890, #69903.
1967
1968         These were reverted due to bug #69897, but #69903 fixed this problem.
1969
1970         * dfg/DFGJITCodeGenerator.h:
1971         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1972
1973 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1974
1975         ValueProfile::computeUpdatedPrediction doesn't merge statistics correctly
1976         https://bugs.webkit.org/show_bug.cgi?id=69906
1977
1978         Reviewed by Gavin Barraclough.
1979         
1980         It turns out that the simplest fix is to switch computeUpdatedPredictions()
1981         to using predictionFromValue() combined with mergePrediction(). Doing so
1982         allowed me to kill off weakBuckets and visitWeakReferences(). Hence this
1983         not only fixes a performance bug but kills off a lot of code that I never
1984         liked to begin with.
1985         
1986         This appears to be a 1% win on V8.
1987
1988         * bytecode/CodeBlock.cpp:
1989         (JSC::CodeBlock::visitAggregate):
1990         * bytecode/CodeBlock.h:
1991         * bytecode/PredictedType.cpp:
1992         (JSC::predictionFromValue):
1993         * bytecode/ValueProfile.cpp:
1994         (JSC::ValueProfile::computeStatistics):
1995         (JSC::ValueProfile::computeUpdatedPrediction):
1996         * bytecode/ValueProfile.h:
1997         (JSC::ValueProfile::classInfo):
1998         (JSC::ValueProfile::numberOfSamples):
1999         (JSC::ValueProfile::isLive):
2000         (JSC::ValueProfile::dump):
2001
2002 2011-10-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2003
2004         De-virtualize JSCell::toString
2005         https://bugs.webkit.org/show_bug.cgi?id=69677
2006
2007         Reviewed by Sam Weinig.
2008
2009         Removed toString from JSCallbackObject, since it is no 
2010         longer necessary now that we implicitly add toString and valueOf
2011         functions to object prototypes when a convertToType callback 
2012         is provided, which is now the standard way to override toString 
2013         and valueOf in the JSC C API.
2014         * API/JSCallbackObject.h:
2015         * API/JSCallbackObjectFunctions.h:
2016         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2017
2018         Removed toString from InterruptedExecutionError and 
2019         TerminatedExecutionError and replaced it with defaultValue,
2020         which JSObject::toString calls.  We'll probably have to de-virtualize 
2021         defaultValue eventually, but we'll cross that bridge when we 
2022         come to it.
2023         * runtime/ExceptionHelpers.cpp:
2024         (JSC::InterruptedExecutionError::defaultValue):
2025         (JSC::TerminatedExecutionError::defaultValue):
2026         * runtime/ExceptionHelpers.h:
2027
2028         Removed toString from JSNotAnObject, since its return value doesn't
2029         actually matter and JSObject::toString can cover it.
2030         * runtime/JSNotAnObject.cpp:
2031         * runtime/JSNotAnObject.h:
2032
2033         De-virtualized JSCell::toString, JSObject::toString and JSString::toString.
2034         Added handling of all cases for JSCell to JSCell::toString.
2035         * runtime/JSObject.h:
2036         * runtime/JSString.h:
2037         * runtime/JSCell.cpp:
2038         (JSC::JSCell::toString):
2039         * runtime/JSCell.h:
2040
2041 2011-10-12  Oliver Hunt  <oliver@apple.com>
2042
2043         Global stringStructure caches its prototype chain, abandoning a web page
2044         https://bugs.webkit.org/show_bug.cgi?id=69952
2045
2046         Reviewed by Filip Pizlo.
2047
2048         When visiting a structure, we don't keep the prototype chain
2049         alive if we're not the structure for an object type.
2050
2051         * runtime/Structure.cpp:
2052         (JSC::Structure::visitChildren):
2053
2054 2011-10-12  Yuqiang Xian  <yuqiang.xian@intel.com>
2055
2056         DFG JIT 32_64 - Fix ArrayPop
2057         https://bugs.webkit.org/show_bug.cgi?id=69918
2058
2059         Reviewed by Filip Pizlo.
2060
2061         The storageLengthGPR is polluted by EmptyValueTag and later used to
2062         index the array, which results in abnormal behaviors in execution.
2063         This fix makes 32_64 DFG pass v8-deltablue and kraken
2064         crypto-sha256-iterative on Linux ia32.
2065
2066         * assembler/MacroAssemblerX86Common.h:
2067         (JSC::MacroAssemblerX86Common::store32):
2068         * assembler/X86Assembler.h:
2069         (JSC::X86Assembler::movl_i32m):
2070         * dfg/DFGSpeculativeJIT32_64.cpp:
2071         (JSC::DFG::SpeculativeJIT::compile):
2072
2073 2011-10-12  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>
2074
2075         Fix build with GLib 2.31
2076         https://bugs.webkit.org/show_bug.cgi?id=69840
2077
2078         Reviewed by Martin Robinson.
2079
2080         * GNUmakefile.list.am: removed ThreadingGtk.cpp.
2081         * wtf/ThreadingPrimitives.h: remove GTK+-specific definitions.
2082         * wtf/gobject/GOwnPtr.cpp: remove GCond and GMutex specializations.
2083         * wtf/gobject/GOwnPtr.h: ditto.
2084         * wtf/gobject/GTypedefs.h: remove GCond and GMutex forward declarations.
2085         * wtf/gtk/ThreadingGtk.cpp: Removed.
2086
2087 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
2088
2089         Layout tests crashing in DFG JIT code
2090         https://bugs.webkit.org/show_bug.cgi?id=69897
2091
2092         Reviewed by Gavin Barraclough.
2093         
2094         Abstract value filtration didn't take into account cases where a structure
2095         set filter, combined with predicted type knowledge, could lead to a stronger
2096         filter for the structure abstract value.
2097         
2098         This bug would have been benign in release builds; it would have just meant
2099         that the analysis was less precise and some optimization opportunities would
2100         be missed. I have an ASSERT that is meant to catch such cases, and it was
2101         triggering sporadically in one of the LayoutTests.
2102
2103         * dfg/DFGAbstractValue.h:
2104         (JSC::DFG::AbstractValue::filter):
2105
2106 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
2107
2108         Unreviewed, temporarily reverted r97216 due to bug #69897.
2109
2110         * dfg/DFGJITCodeGenerator.h:
2111         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2112
2113 2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>
2114
2115         DFG 32_64 - fix silentFillGPR
2116         https://bugs.webkit.org/show_bug.cgi?id=69903
2117
2118         Reviewed by Filip Pizlo.
2119
2120         Fix a small bug in silentFillGPR,
2121         and add the newly introduced DFG file to CMakeListsEfl.
2122
2123         * CMakeListsEfl.txt:
2124         * dfg/DFGJITCodeGenerator.h:
2125         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2126
2127 2011-10-08  Filip Pizlo  <fpizlo@apple.com>
2128
2129         DFG does not have flow-sensitive intraprocedural control flow analysis
2130         https://bugs.webkit.org/show_bug.cgi?id=69690
2131
2132         Reviewed by Gavin Barraclough.
2133
2134         Implemented a control flow analysis (CFA). It currently propagates type
2135         proofs only. For example, if all predecessors to a basic block have
2136         checks that variable X is a JSFinalObject with structure 0xabcdef, then
2137         this basic block will now know this fact and will know that it does not
2138         have to emit either JSFinalObject checks or any structure checks since
2139         the structure is precisely known. The CFA takes heap side-effects into
2140         account (though somewhat conservatively), so that if the object pointed
2141         to by variable X could have possibly undergone a structure transition
2142         then this is reflected: the analysis may simply say that X's structure
2143         is unknown.
2144         
2145         This also propagates a wealth of other type information which is
2146         currently not being used. For example, we now know when a variable can
2147         only hold doubles. Even if a variable may hold other types at different
2148         points in its live range, we can still prove exactly when it will only
2149         be double.
2150         
2151         There's a bunch of stuff that the CFA could do that it still does not
2152         do, like precise handling of PutStructure (i.e. structure transitions),
2153         precise handling of CheckFunction and CheckMethod, etc. So this is
2154         very much intended to be a starting point rather than an end unto
2155         itself.
2156         
2157         This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue)
2158         and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate).
2159         Neutral on SunSpider.
2160
2161         * GNUmakefile.list.am:
2162         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2163         * JavaScriptCore.xcodeproj/project.pbxproj:
2164         * bytecode/ActionablePrediction.h: Removed.
2165         * bytecode/PredictedType.cpp:
2166         (JSC::predictionToString):
2167         * bytecode/PredictedType.h:
2168         * dfg/DFGAbstractState.cpp: Added.
2169         (JSC::DFG::AbstractState::AbstractState):
2170         (JSC::DFG::AbstractState::~AbstractState):
2171         (JSC::DFG::AbstractState::beginBasicBlock):
2172         (JSC::DFG::AbstractState::initialize):
2173         (JSC::DFG::AbstractState::endBasicBlock):
2174         (JSC::DFG::AbstractState::reset):
2175         (JSC::DFG::AbstractState::execute):
2176         (JSC::DFG::AbstractState::clobberStructures):
2177         (JSC::DFG::AbstractState::mergeStateAtTail):
2178         (JSC::DFG::AbstractState::merge):
2179         (JSC::DFG::AbstractState::mergeToSuccessors):
2180         (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
2181         (JSC::DFG::AbstractState::dump):
2182         * dfg/DFGAbstractState.h: Added.
2183         (JSC::DFG::AbstractState::forNode):
2184         (JSC::DFG::AbstractState::isValid):
2185         * dfg/DFGAbstractValue.h: Added.
2186         (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
2187         (JSC::DFG::StructureAbstractValue::clear):
2188         (JSC::DFG::StructureAbstractValue::makeTop):
2189         (JSC::DFG::StructureAbstractValue::top):
2190         (JSC::DFG::StructureAbstractValue::add):
2191         (JSC::DFG::StructureAbstractValue::addAll):
2192         (JSC::DFG::StructureAbstractValue::contains):
2193         (JSC::DFG::StructureAbstractValue::isSubsetOf):
2194         (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
2195         (JSC::DFG::StructureAbstractValue::isSupersetOf):
2196         (JSC::DFG::StructureAbstractValue::filter):
2197         (JSC::DFG::StructureAbstractValue::isClear):
2198         (JSC::DFG::StructureAbstractValue::isTop):
2199         (JSC::DFG::StructureAbstractValue::size):
2200         (JSC::DFG::StructureAbstractValue::at):
2201         (JSC::DFG::StructureAbstractValue::operator[]):
2202         (JSC::DFG::StructureAbstractValue::last):
2203         (JSC::DFG::StructureAbstractValue::predictionFromStructures):
2204         (JSC::DFG::StructureAbstractValue::operator==):
2205         (JSC::DFG::StructureAbstractValue::dump):
2206         (JSC::DFG::AbstractValue::AbstractValue):
2207         (JSC::DFG::AbstractValue::clear):
2208         (JSC::DFG::AbstractValue::isClear):
2209         (JSC::DFG::AbstractValue::makeTop):
2210         (JSC::DFG::AbstractValue::clobberStructures):
2211         (JSC::DFG::AbstractValue::isTop):
2212         (JSC::DFG::AbstractValue::top):
2213         (JSC::DFG::AbstractValue::set):
2214         (JSC::DFG::AbstractValue::operator==):
2215         (JSC::DFG::AbstractValue::merge):
2216         (JSC::DFG::AbstractValue::filter):
2217         (JSC::DFG::AbstractValue::validate):
2218         (JSC::DFG::AbstractValue::dump):
2219         * dfg/DFGBasicBlock.h: Added.
2220         (JSC::DFG::BasicBlock::BasicBlock):
2221         (JSC::DFG::BasicBlock::getBytecodeBegin):
2222         * dfg/DFGByteCodeParser.cpp:
2223         (JSC::DFG::ByteCodeParser::getLocal):
2224         (JSC::DFG::ByteCodeParser::setLocal):
2225         (JSC::DFG::ByteCodeParser::getArgument):
2226         (JSC::DFG::ByteCodeParser::setArgument):
2227         (JSC::DFG::ByteCodeParser::parseBlock):
2228         (JSC::DFG::ByteCodeParser::processPhiStack):
2229         (JSC::DFG::ByteCodeParser::setupPredecessors):
2230         * dfg/DFGGraph.cpp:
2231         (JSC::DFG::Graph::dump):
2232         * dfg/DFGGraph.h:
2233         * dfg/DFGJITCodeGenerator.h:
2234         (JSC::DFG::block):
2235         * dfg/DFGJITCodeGenerator32_64.cpp:
2236         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2237         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2238         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2239         * dfg/DFGJITCodeGenerator64.cpp:
2240         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2241         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2242         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2243         * dfg/DFGJITCompiler.h:
2244         (JSC::DFG::JITCompiler::noticeOSREntry):
2245         * dfg/DFGNode.h:
2246         (JSC::DFG::NodeIndexTraits::defaultValue):
2247         (JSC::DFG::Node::variableAccessData):
2248         (JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
2249         (JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
2250         (JSC::DFG::Node::setTakenBlockIndex):
2251         (JSC::DFG::Node::setNotTakenBlockIndex):
2252         (JSC::DFG::Node::takenBlockIndex):
2253         (JSC::DFG::Node::notTakenBlockIndex):
2254         * dfg/DFGOSREntry.cpp:
2255         (JSC::DFG::prepareOSREntry):
2256         * dfg/DFGOSREntry.h:
2257         * dfg/DFGOperands.h: Added.
2258         (JSC::DFG::operandIsArgument):
2259         (JSC::DFG::OperandValueTraits::defaultValue):
2260         (JSC::DFG::Operands::Operands):
2261         (JSC::DFG::Operands::numberOfArguments):
2262         (JSC::DFG::Operands::numberOfLocals):
2263         (JSC::DFG::Operands::argument):
2264         (JSC::DFG::Operands::local):
2265         (JSC::DFG::Operands::setLocal):
2266         (JSC::DFG::Operands::setArgumentFirstTime):
2267         (JSC::DFG::Operands::setLocalFirstTime):
2268         (JSC::DFG::Operands::operand):
2269         (JSC::DFG::Operands::setOperand):
2270         (JSC::DFG::Operands::clear):
2271         (JSC::DFG::dumpOperands):
2272         * dfg/DFGPropagator.cpp:
2273         (JSC::DFG::Propagator::fixpoint):
2274         (JSC::DFG::Propagator::propagateArithNodeFlags):
2275         (JSC::DFG::Propagator::propagateNodePredictions):
2276         (JSC::DFG::Propagator::propagatePredictions):
2277         (JSC::DFG::Propagator::performBlockCFA):
2278         (JSC::DFG::Propagator::performForwardCFA):
2279         (JSC::DFG::Propagator::globalCFA):
2280         * dfg/DFGSpeculativeJIT.cpp:
2281         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
2282         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2283         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
2284         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2285         (JSC::DFG::SpeculativeJIT::compile):
2286         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
2287         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2288         * dfg/DFGSpeculativeJIT.h:
2289         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
2290         * dfg/DFGSpeculativeJIT32_64.cpp:
2291         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2292         (JSC::DFG::SpeculativeJIT::compare):
2293         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2294         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2295         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2296         (JSC::DFG::SpeculativeJIT::emitBranch):
2297         (JSC::DFG::SpeculativeJIT::compile):
2298         * dfg/DFGSpeculativeJIT64.cpp:
2299         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2300         (JSC::DFG::SpeculativeJIT::compare):
2301         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2302         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2303         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2304         (JSC::DFG::SpeculativeJIT::emitBranch):
2305         (JSC::DFG::SpeculativeJIT::compile):
2306         * dfg/DFGStructureSet.h:
2307         (JSC::DFG::StructureSet::clear):
2308         (JSC::DFG::StructureSet::predictionFromStructures):
2309         (JSC::DFG::StructureSet::operator==):
2310         (JSC::DFG::StructureSet::dump):
2311         * dfg/DFGVariableAccessData.h: Added.
2312
2313 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
2314
2315         DFG JIT 32_64 - Fix silentFillGPR for non-integer constants.
2316         https://bugs.webkit.org/show_bug.cgi?id=69890
2317
2318         Reviewed by Oliver Hunt.
2319
2320         Cell constants are currently hitting the valueOfInt32Constant case; there is no constant handling for JSValues.
2321
2322         * dfg/DFGJITCodeGenerator.h:
2323         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2324
2325 2011-10-11  Ryosuke Niwa  <rniwa@webkit.org>
2326
2327         GTK build fix attempt after r97197.
2328
2329         * wtf/BitVector.h:
2330
2331 2011-10-11  Oliver Hunt  <oliver@apple.com>
2332
2333         Remove unintentional logging.
2334
2335         * heap/Heap.cpp:
2336
2337 2011-10-11  Oliver Hunt  <oliver@apple.com>
2338
2339         Tidy up card walking logic
2340         https://bugs.webkit.org/show_bug.cgi?id=69883
2341
2342         Reviewed by Gavin Barraclough.
2343
2344         Special case common cell sizes when walking a block's
2345         cards.
2346
2347         * heap/CardSet.h:
2348         (JSC::::testAndClear):
2349         * heap/Heap.cpp:
2350         (JSC::GCTimer::GCCounter::GCCounter):
2351         (JSC::GCTimer::GCCounter::count):
2352         (JSC::GCTimer::GCCounter::~GCCounter):
2353         (JSC::Heap::markRoots):
2354         * heap/MarkStack.cpp:
2355         (JSC::MarkStack::reset):
2356         * heap/MarkStack.h:
2357         (JSC::MarkStack::visitCount):
2358         (JSC::MarkStack::MarkStack):
2359         (JSC::MarkStack::append):
2360         * heap/MarkedBlock.h:
2361         (JSC::MarkedBlock::gatherDirtyCellsWithSize):
2362         (JSC::MarkedBlock::gatherDirtyCells):
2363         * runtime/Structure.h:
2364         (JSC::MarkStack::internalAppend):
2365
2366 2011-10-11  Filip Pizlo  <fpizlo@apple.com>
2367
2368         DFG virtual register allocator should be more aggressive in
2369         reusing temporary slots
2370         https://bugs.webkit.org/show_bug.cgi?id=69868
2371
2372         Reviewed by Oliver Hunt.
2373         
2374         1.2% win on V8, neutral elsewhere. The win is probably because it
2375         increases precision of GC conservative scans.
2376         
2377         This required making the DFG::ScoreBoard operate over a bitvector
2378         of preserved variables, rather than just a preserved variable
2379         threshold. To do this, I improved the WTF::BitVector class to make
2380         it more user-friendly. It still retains all previous functionality.
2381         Also made changes to PackedIntVector to accommodate those changes.
2382         Finally, this adds more debugging to the virtual register allocator
2383         and to the OSR exit code, as this was necessary to track down bugs
2384         in an earlier version of this patch.
2385
2386         * dfg/DFGByteCodeParser.cpp:
2387         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2388         (JSC::DFG::ByteCodeParser::getLocal):
2389         * dfg/DFGGraph.h:
2390         * dfg/DFGJITCompiler.cpp:
2391         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2392         * dfg/DFGPropagator.cpp:
2393         (JSC::DFG::Propagator::allocateVirtualRegisters):
2394         * dfg/DFGScoreBoard.h:
2395         (JSC::DFG::ScoreBoard::ScoreBoard):
2396         (JSC::DFG::ScoreBoard::~ScoreBoard):
2397         (JSC::DFG::ScoreBoard::allocate):
2398         (JSC::DFG::ScoreBoard::use):
2399         (JSC::DFG::ScoreBoard::highWatermark):
2400         (JSC::DFG::ScoreBoard::dump):
2401         (JSC::DFG::ScoreBoard::max):
2402         * dfg/DFGSpeculativeJIT.cpp:
2403         (JSC::DFG::ValueRecovery::dump):
2404         * wtf/BitVector.cpp:
2405         (WTF::BitVector::setSlow):
2406         (WTF::BitVector::resizeOutOfLine):
2407         (WTF::BitVector::dump):
2408         * wtf/BitVector.h:
2409         (WTF::BitVector::BitVector):
2410         (WTF::BitVector::operator=):
2411         (WTF::BitVector::quickGet):
2412         (WTF::BitVector::quickSet):
2413         (WTF::BitVector::quickClear):
2414         (WTF::BitVector::get):
2415         (WTF::BitVector::set):
2416         (WTF::BitVector::clear):
2417         * wtf/PackedIntVector.h:
2418         (WTF::PackedIntVector::get):
2419         (WTF::PackedIntVector::set):
2420
2421 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
2422
2423         DFG JIT 32_64 - Switch to cdecl calling convention.
2424         https://bugs.webkit.org/show_bug.cgi?id=69863
2425
2426         Reviewed by Oliver Hunt.
2427
2428         This makes it easier to keep the stack correctly aligned, which is required on OS X.
2429
2430         * assembler/MacroAssemblerCodeRef.h:
2431         (JSC::FunctionPtr::FunctionPtr):
2432             - Provide default FunctionPtr constructors for CDECL functions on STDCALL platforms.
2433         * dfg/DFGJITCodeGenerator.h:
2434         (JSC::DFG::callOperation):
2435             - Switch calls to poke arguments rather than pushing them.
2436         (JSC::DFG::resetCallArguments):
2437         (JSC::DFG::addCallArgument):
2438         (JSC::DFG::addCallArgumentBoxed):
2439             - Helper functions to stack up call arguments on X86.
2440         * dfg/DFGJITCodeGenerator32_64.cpp:
2441         (JSC::DFG::JITCodeGenerator::emitCall):
2442             - Don't push, poke!
2443         * dfg/DFGJITCompiler32_64.cpp:
2444         (JSC::DFG::JITCompiler::compileBody):
2445             - Don't push, poke!
2446         * dfg/DFGOperations.cpp:
2447             - Switch ReturnAddress wrappers to push return address last, update asm trampolines.
2448         * dfg/DFGOperations.h:
2449             - switch DFG_OPERATION to assert CDECL on STDCALL platforms.
2450         * dfg/DFGSpeculativeJIT32_64.cpp:
2451         (JSC::DFG::fmodWithCDecl):
2452         (JSC::DFG::SpeculativeJIT::compile):
2453             - On STDCALL platforms wrap fmod, since DFG_OPERATION wrappers are CDECL.
2454
2455 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
2456
2457         Switch RegisterSizedBoolean/dfgConvertJSValueToInt32 return type to size_t
2458         https://bugs.webkit.org/show_bug.cgi?id=69821
2459
2460         Reviewed by Filip Pizlo.
2461
2462         Operations returning types Z (int32_t) and B (RegisterSizedBoolean - implemented as an
2463         intptr_t) are indistinguishable on 32-bit Linux, preventing the DFG JIT from building.
2464
2465         dfgConvertJSValueToInt32 would be better returning a value known to be register sized, for
2466         JSVALUE64 (we currently zero-extend in JIT code, potentially introducing an unnecessary
2467         move), so by switching all associated operations to return a size_t we can fix the type
2468         problem on Linux & make it a small tweak that removes an unnecessary instruction.
2469
2470         * dfg/DFGJITCodeGenerator.cpp:
2471         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2472             - comparisons now return a size_t.
2473         * dfg/DFGJITCodeGenerator.h:
2474         (JSC::DFG::callOperation):
2475             - Removed Z_DFGOperation_EJ form.
2476         * dfg/DFGJITCodeGenerator32_64.cpp:
2477         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2478         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2479             - comparisons now return a size_t.
2480         * dfg/DFGJITCodeGenerator64.cpp:
2481         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2482         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2483         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2484             - comparisons now return a size_t.
2485         * dfg/DFGOperations.cpp:
2486         * dfg/DFGOperations.h:
2487             - Change return types for comparison operations & dfgConvertJSValueToInt32 to size_t,
2488               Both need to return values zero extended to fill a register.
2489         * dfg/DFGSpeculativeJIT.cpp:
2490         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2491             - comparisons now return a size_t.
2492         * dfg/DFGSpeculativeJIT.h:
2493         * dfg/DFGSpeculativeJIT32_64.cpp:
2494         (JSC::DFG::SpeculativeJIT::compare):
2495             - comparisons now return a size_t.
2496         * dfg/DFGSpeculativeJIT64.cpp:
2497         (JSC::DFG::SpeculativeJIT::compare):
2498             - comparisons now return a size_t.
2499
2500 2011-10-11  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>
2501
2502         [Qt] Remove all references to QTDIR_build and standalone_package
2503
2504         Qt is now modularized, which means we no longer import WebKit into
2505         the Qt source tree. Instead we use git submodules, and building
2506         QtWebKit as "part of Qt" is really building QtWebKit as from trunk.
2507
2508         To decrease the number of buildsystem configurations we also remove
2509         the standalone_package code-path used when we were providing tarballs
2510         with the derived sources pre-generated.
2511
2512         Reviewed by Simon Hausmann.
2513
2514         * DerivedSources.pro:
2515         * JavaScriptCore.pri:
2516         * JavaScriptCore.pro:
2517
2518 2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>
2519
2520         Add missing copyright notice in DFG JIT files
2521         https://bugs.webkit.org/show_bug.cgi?id=69809
2522
2523         Reviewed by Gavin Barraclough.
2524
2525         * dfg/DFGJITCodeGenerator32_64.cpp:
2526         * dfg/DFGJITCompiler32_64.cpp:
2527         * dfg/DFGJITCompilerInlineMethods.h:
2528         * dfg/DFGSpeculativeJIT32_64.cpp:
2529
2530 2011-10-10  Filip Pizlo  <fpizlo@apple.com>
2531
2532         DFG JSVALUE64 spill/fill code should not box integers and doubles
2533         https://bugs.webkit.org/show_bug.cgi?id=69782
2534
2535         Reviewed by Oliver Hunt.
2536         
2537         Added the notion of DataFormatInteger and DataFormatDouble to the spillFormat.
2538         This required changing all of the places that spill registers (both silently
2539         and not) and filling registers (both silently and on demand). It also required
2540         changing OSR exit to recognize that a spilled value (DisplacedInRegisterFile)
2541         may have the wrong format for the old JIT (unboxed int or double).
2542         
2543         This is a slight win on Kraken (0.25%) and neutral elsewhere.
2544
2545         * dfg/DFGGenerationInfo.h:
2546         (JSC::DFG::GenerationInfo::spill):
2547         * dfg/DFGJITCodeGenerator.h:
2548         (JSC::DFG::JITCodeGenerator::silentFillFPR):
2549         (JSC::DFG::JITCodeGenerator::spill):
2550         * dfg/DFGJITCodeGenerator64.cpp:
2551         (JSC::DFG::JITCodeGenerator::fillInteger):
2552         (JSC::DFG::JITCodeGenerator::fillDouble):
2553         (JSC::DFG::JITCodeGenerator::fillJSValue):
2554         * dfg/DFGJITCompiler.cpp:
2555         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2556         * dfg/DFGSpeculativeJIT.cpp:
2557         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2558         * dfg/DFGSpeculativeJIT.h:
2559         (JSC::DFG::ValueRecovery::displacedInRegisterFile):
2560         (JSC::DFG::ValueRecovery::virtualRegister):
2561         * dfg/DFGSpeculativeJIT64.cpp:
2562         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2563         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2564         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2565         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2566
2567 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
2568
2569         DFG JIT switch dfgConvert methods to use callOperation
2570         https://bugs.webkit.org/show_bug.cgi?id=69806
2571
2572         Reviewed by Filip Pizlo.
2573
2574         * dfg/DFGJITCodeGenerator.h:
2575         (JSC::DFG::callOperation):
2576         * dfg/DFGJITCodeGenerator32_64.cpp:
2577         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
2578         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2579         * dfg/DFGJITCodeGenerator64.cpp:
2580         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
2581         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2582         * dfg/DFGOperations.h:
2583
2584 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
2585
2586         Remove some unused methods from the DFG JIT.
2587
2588         Rubber stamped by Oliver Hunt
2589
2590         These methods were only used by the non-speculative JIT, and can be removed.
2591
2592         * dfg/DFGJITCodeGenerator.h:
2593         * dfg/DFGJITCodeGenerator32_64.cpp:
2594         * dfg/DFGJITCodeGenerator64.cpp:
2595             - removed:
2596                 nonSpeculativeAdd
2597                 nonSpeculativeArithSub
2598                 nonSpeculativeArithMod
2599                 nonSpeculativeCheckHasInstance
2600                 nonSpeculativeInstanceOf
2601         * dfg/DFGOperations.cpp:
2602         * dfg/DFGOperations.h:
2603             - removed:
2604                 operationArithMod
2605                 operationInstanceOf
2606                 operationThrowHasInstanceError
2607
2608 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
2609
2610         Switch most calls in DFGJITCodeGenerator to use callOperation.
2611         https://bugs.webkit.org/show_bug.cgi?id=69802
2612
2613         Reviewed by Oliver Hunt.
2614
2615         Compares, add, mod are the easy cases.
2616
2617         * dfg/DFGJITCodeGenerator.h:
2618         (JSC::DFG::callOperation):
2619         * dfg/DFGJITCodeGenerator32_64.cpp:
2620         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
2621         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
2622         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
2623         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2624         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2625         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2626         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2627         * dfg/DFGJITCodeGenerator64.cpp:
2628         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
2629         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
2630         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2631         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2632         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2633         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2634         * dfg/DFGOperations.cpp:
2635         * dfg/DFGOperations.h:
2636
2637 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
2638
2639         DFG: Switch GetById / PutById to use callOperation
2640         https://bugs.webkit.org/show_bug.cgi?id=69795
2641
2642         Reviewed by Oliver Hunt.
2643
2644         Also make these take the base as a cell, so 32_64 doesn't have to set up the cell tag.
2645
2646         * dfg/DFGJITCodeGenerator.h:
2647         (JSC::DFG::callOperation):
2648         * dfg/DFGJITCodeGenerator32_64.cpp:
2649         (JSC::DFG::JITCodeGenerator::cachedGetById):
2650         (JSC::DFG::JITCodeGenerator::cachedPutById):
2651         * dfg/DFGJITCodeGenerator64.cpp:
2652         (JSC::DFG::JITCodeGenerator::cachedGetById):
2653         (JSC::DFG::JITCodeGenerator::cachedPutById):
2654         * dfg/DFGOperations.cpp:
2655         * dfg/DFGOperations.h:
2656         * dfg/DFGRepatch.cpp:
2657         (JSC::DFG::appropriatePutByIdFunction):
2658
2659 2011-10-10  Filip Pizlo  <fpizlo@apple.com>
2660
2661         REGRESSION (r95399): Web process hangs when opening documents on Google Docs
2662         https://bugs.webkit.org/show_bug.cgi?id=69412
2663
2664         Reviewed by Oliver Hunt.
2665
2666         * dfg/DFGSpeculativeJIT32_64.cpp:
2667         (JSC::DFG::SpeculativeJIT::compile):
2668         * dfg/DFGSpeculativeJIT64.cpp:
2669         (JSC::DFG::SpeculativeJIT::compile):
2670         * jit/JIT.cpp:
2671         (JSC::JIT::privateCompile):
2672         * jit/JIT.h:
2673
2674 2011-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2675
2676         Remove getCallDataVirtual methods
2677         https://bugs.webkit.org/show_bug.cgi?id=69186
2678
2679         Reviewed by Geoffrey Garen.
2680
2681         Removed all getCallDataVirtual methods and replaced their call sites 
2682         with an explicit lookup in the MethodTable.
2683
2684         * API/JSCallbackFunction.cpp:
2685         * API/JSCallbackFunction.h:
2686         * API/JSCallbackObject.h:
2687         * API/JSCallbackObjectFunctions.h:
2688         * API/JSObjectRef.cpp:
2689         (JSObjectIsFunction):
2690         (JSObjectCallAsFunction):
2691         * JavaScriptCore.exp:
2692         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2693         * interpreter/Interpreter.cpp:
2694         (JSC::Interpreter::privateExecute):
2695         * jit/JITStubs.cpp:
2696         (JSC::DEFINE_STUB_FUNCTION):
2697         * runtime/ArrayConstructor.cpp:
2698         * runtime/ArrayConstructor.h:
2699         * runtime/BooleanConstructor.cpp:
2700         * runtime/BooleanConstructor.h:
2701         * runtime/DateConstructor.cpp:
2702         * runtime/DateConstructor.h:
2703
2704         Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
2705         the class definition in JSGlobalObject.cpp.
2706         * runtime/Error.cpp:
2707         (JSC::createTypeErrorFunction):
2708         * runtime/Error.h:
2709         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2710         (JSC::StrictModeTypeErrorFunction::create):
2711         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2712         (JSC::StrictModeTypeErrorFunction::getConstructData):
2713         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2714         (JSC::StrictModeTypeErrorFunction::getCallData):
2715         (JSC::StrictModeTypeErrorFunction::createStructure):
2716         * runtime/ErrorConstructor.cpp:
2717         * runtime/ErrorConstructor.h:
2718         * runtime/FunctionConstructor.cpp:
2719         * runtime/FunctionConstructor.h:
2720         * runtime/FunctionPrototype.cpp:
2721         * runtime/FunctionPrototype.h:
2722
2723         To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have 
2724         to declare their own ClassInfo if they don't override getCallData, provided 
2725         an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same 
2726         functionality as the pure virtual method InternalFunction used to have.
2727         Also made this new implementation protected rather than private for the same reason.
2728         Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever 
2729         object is being created provides their own implementation of getCallData.  This 
2730         just makes execution fail earlier in a place where the source of the error is 
2731         easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
2732         they appear much more intentional to anybody who fails to provide their own 
2733         implementation or who tries to explicitly call InternalFunction::getCallData.
2734         * runtime/InternalFunction.cpp:
2735         (JSC::InternalFunction::finishCreation):
2736         (JSC::InternalFunction::getCallData):
2737         * runtime/InternalFunction.h:
2738         * runtime/JSCell.cpp:
2739         * runtime/JSCell.h:
2740         * runtime/JSFunction.cpp:
2741         * runtime/JSFunction.h:
2742
2743         Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
2744         it to be reused rather than creating a new Structure every time we instantiate it.
2745         * runtime/JSGlobalObject.cpp:
2746         (JSC::JSGlobalObject::reset):
2747         (JSC::JSGlobalObject::visitChildren):
2748         * runtime/JSGlobalObject.h:
2749         (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
2750         * runtime/JSONObject.cpp:
2751         (JSC::Stringifier::Stringifier):
2752         (JSC::Stringifier::toJSON):
2753         (JSC::Stringifier::appendStringifiedValue):
2754         * runtime/JSObject.cpp:
2755         (JSC::JSObject::put):
2756         * runtime/JSObject.h:
2757         (JSC::getCallData):
2758         * runtime/NativeErrorConstructor.cpp:
2759         * runtime/NativeErrorConstructor.h:
2760         * runtime/NumberConstructor.cpp:
2761         * runtime/NumberConstructor.h:
2762         * runtime/ObjectConstructor.cpp:
2763         * runtime/ObjectConstructor.h:
2764         * runtime/Operations.cpp:
2765         (JSC::jsTypeStringForValue):
2766         (JSC::jsIsObjectType):
2767         (JSC::jsIsFunctionType):
2768         * runtime/PropertySlot.cpp:
2769         (JSC::PropertySlot::functionGetter):
2770         * runtime/RegExpConstructor.cpp:
2771         * runtime/RegExpConstructor.h:
2772         * runtime/StringConstructor.cpp:
2773         * runtime/StringConstructor.h:
2774         * runtime/Structure.h:
2775
2776 2011-10-10  Gavin Barraclough  <barraclough@apple.com>
2777
2778         Switch last calls from DFGSpeculativeJIT to use callOperation.
2779         https://bugs.webkit.org/show_bug.cgi?id=69780
2780
2781         Reviewed by Oliver Hunt.
2782
2783         Also, rename type in operations for booleans from Z to B, since Z is the mathematical symbol for integers.
2784
2785         * dfg/DFGJITCodeGenerator.cpp:
2786         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2787         * dfg/DFGJITCodeGenerator.h:
2788         (JSC::DFG::callOperation):
2789         * dfg/DFGJITCodeGenerator32_64.cpp:
2790         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2791         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2792         * dfg/DFGJITCodeGenerator64.cpp:
2793         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2794         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2795         * dfg/DFGOperations.h:
2796         * dfg/DFGSpeculativeJIT.cpp:
2797         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2798         * dfg/DFGSpeculativeJIT.h:
2799         * dfg/DFGSpeculativeJIT32_64.cpp:
2800         (JSC::DFG::SpeculativeJIT::compare):
2801         (JSC::DFG::SpeculativeJIT::compile):
2802         * dfg/DFGSpeculativeJIT64.cpp:
2803         (JSC::DFG::SpeculativeJIT::compare):
2804         (JSC::DFG::SpeculativeJIT::compile):
2805         * wtf/Platform.h:
2806
2807 2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>
2808
2809         JSVALUE32_64 DFG JIT - bug fix for V8 benchmark cases "crypto" and "raytrace"
2810         https://bugs.webkit.org/show_bug.cgi?id=69748
2811
2812         Reviewed by Filip Pizlo.
2813
2814         * dfg/DFGJITCodeGenerator32_64.cpp:
2815         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
2816         * dfg/DFGSpeculativeJIT32_64.cpp:
2817         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2818
2819 2011-10-10  Adam Roben  <aroben@apple.com>
2820
2821         Build fix
2822
2823         * wtf/MainThread.h: Pull in Platform.h since this file uses PLATFORM() macros.
2824
2825 2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>
2826
2827         JSVALUE32_64 DFG JIT - Bug fix for BranchNull
2828         https://bugs.webkit.org/show_bug.cgi?id=69743
2829
2830         Reviewed by Darin Adler.
2831
2832         This fixes the error in access-binary-trees. All SunSpider cases passed.
2833
2834         * dfg/DFGJITCodeGenerator32_64.cpp:
2835         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2836
2837 2011-10-07  Gavin Barraclough  <barraclough@apple.com>
2838
2839         DFG JIT: callOperation should return the Call.
2840         https://bugs.webkit.org/show_bug.cgi?id=69682
2841
2842         Reviewed by Oliver Hunt.
2843
2844         * dfg/DFGJITCodeGenerator.h:
2845         (JSC::DFG::callOperation):
2846         (JSC::DFG::appendCallWithExceptionCheckSetResult):
2847         * dfg/DFGJITCompiler.h:
2848         (JSC::DFG::JITCompiler::appendCall):
2849         * wtf/Platform.h:
2850
2851 2011-10-10  Sheriff Bot  <webkit.review.bot@gmail.com>
2852
2853         Unreviewed, rolling out r97045.
2854         http://trac.webkit.org/changeset/97045
2855         https://bugs.webkit.org/show_bug.cgi?id=69746
2856
2857         makes apple bots very crashy :( (Requested by kling on
2858         #webkit).
2859
2860         * config.h:
2861
2862 2011-10-10  Andreas Kling  <kling@webkit.org>
2863
2864         Shrink BorderValue.
2865         https://bugs.webkit.org/show_bug.cgi?id=69521
2866
2867         Reviewed by Antti Koivisto.
2868
2869         * config.h: Touch to force full rebuild.
2870
2871 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2872
2873         Improve Null or Undefined test in 32_64 DFG
2874         https://bugs.webkit.org/show_bug.cgi?id=69734
2875
2876         Reviewed by Darin Adler.
2877
2878         Currently the Null or Undefined value test in 32_64 DFG checks the
2879         Null and Undefined tags separately and introduces one more branch.
2880         It can be improved in the way the baseline JIT does it, by
2881         relying on the fact that "UndefinedTag + 1 == NullTag and NullTag & 1".
2882
2883         * dfg/DFGJITCodeGenerator32_64.cpp:
2884         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
2885         * dfg/DFGSpeculativeJIT32_64.cpp:
2886         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2887         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
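
Added example (not code from this patch or from WebKit): the single-branch null-or-undefined test described in the entry above, written in C beside the two-compare form it replaces, with a check that both agree across a range of tag values. The tag constants are assumed values chosen to satisfy the relation the entry states; trick_valid_for() makes that precondition explicit, because a tag layout that broke it would make the one-branch test wrong.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tag values assumed for this example (constructed, not quoted from the
 * patch). The argument below only needs the relation the entry states:
 * NullTag is odd and UndefinedTag + 1 == NullTag. */
#define Int32Tag     0xffffffffu
#define BooleanTag   0xfffffffeu
#define NullTag      0xfffffffdu
#define UndefinedTag 0xfffffffcu
#define CellTag      0xfffffffbu

/* Two compares, two branches: the form the entry says 32_64 DFG was emitting. */
bool is_null_or_undefined_two_branches(uint32_t tag)
{
    if (tag == NullTag)
        return true;
    return tag == UndefinedTag;
}

/* One OR plus one compare: the baseline-JIT form the entry adopts.
 * Setting bit 0 maps the even UndefinedTag onto the odd NullTag and leaves
 * NullTag itself unchanged; every other tag ends up on some other odd value,
 * so a single equality test covers both cases. */
bool is_null_or_undefined_one_branch(uint32_t tag)
{
    return (tag | 1u) == NullTag;
}

/* The precondition the trick depends on. If the tag layout ever changed so
 * that this no longer held, the one-branch test would silently misclassify
 * values, so checking it at build or test time is the cheap safeguard. */
bool trick_valid_for(uint32_t null_tag, uint32_t undefined_tag)
{
    return (null_tag & 1u) == 1u && undefined_tag + 1u == null_tag;
}

bool tag_layout_supports_trick(void)
{
    return trick_valid_for(NullTag, UndefinedTag);
}

/* Count tags in [lo, hi] (inclusive) on which the two forms disagree;
 * 0 means they are equivalent on that range. */
unsigned count_disagreements(uint32_t lo, uint32_t hi)
{
    unsigned mismatches = 0;
    for (uint32_t tag = lo;; tag++) {
        if (is_null_or_undefined_two_branches(tag) != is_null_or_undefined_one_branch(tag))
            mismatches++;
        if (tag == hi)          /* avoids the wrap-around when hi == UINT32_MAX */
            break;
    }
    return mismatches;
}

int main(void)
{
    printf("tag layout supports trick: %s\n", tag_layout_supports_trick() ? "yes" : "no");
    printf("disagreements near the tag values: %u\n",
           count_disagreements(0xffffff00u, 0xffffffffu));
    printf("disagreements on low values:       %u\n",
           count_disagreements(0u, 0xffffu));
    return 0;
}
```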
2888
2889 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2890
2891         JSVALUE32_64 DFG JIT - Bug fix for ConvertThis
2892         https://bugs.webkit.org/show_bug.cgi?id=69721
2893
2894         Reviewed by Darin Adler.
2895
2896         * dfg/DFGSpeculativeJIT32_64.cpp:
2897         (JSC::DFG::SpeculativeJIT::compile):
2898
2899 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2900
2901         Remove unused callOperation code of DFG JIT on X86
2902         https://bugs.webkit.org/show_bug.cgi?id=69722
2903
2904         Reviewed by Filip Pizlo.
2905
2906         * dfg/DFGJITCodeGenerator.h:
2907         (JSC::DFG::callOperation):
2908
2909 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2910
2911         JSVALUE32_64 DFG JIT - fillJSValue with a pair of GPRs should not set the registerFormat to be DataFormatJSDouble
2912         https://bugs.webkit.org/show_bug.cgi?id=69720
2913
2914         Reviewed by Filip Pizlo.
2915
2916         In JSVALUE32_64 DFG, DataFormatJSDouble is assumed to be represented by
2917         a FPR and will be used for further optimizations, though we currently
2918         don't fully utilize it. For now when filling a JS value which was
2919         spilled as a JSDouble with a pair of GPRs, we'll set the registerFormat
2920         to DataFormatJS to avoid compilation errors.
2921
2922         * dfg/DFGJITCodeGenerator32_64.cpp:
2923         (JSC::DFG::JITCodeGenerator::fillJSValue):
2924
2925 2011-10-09  Filip Pizlo  <fpizlo@apple.com>
2926
2927         DFG should not always speculate that a ByVal access has an integer index
2928         https://bugs.webkit.org/show_bug.cgi?id=69716
2929
2930         Reviewed by Oliver Hunt.
2931         
2932         1% win on SunSpider, neutral elsewhere.
2933
2934         * dfg/DFGJITCodeGenerator.h:
2935         (JSC::DFG::callOperation):
2936         * dfg/DFGNode.h:
2937         * dfg/DFGOperations.cpp:
2938         * dfg/DFGOperations.h:
2939         * dfg/DFGPropagator.cpp:
2940         (JSC::DFG::Propagator::byValHasIntBase):
2941         (JSC::DFG::Propagator::clobbersWorld):
2942         (JSC::DFG::Propagator::getMethodLoadElimination):
2943         (JSC::DFG::Propagator::checkStructureLoadElimination):
2944         (JSC::DFG::Propagator::getByOffsetLoadElimination):
2945         (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
2946         (JSC::DFG::Propagator::performNodeCSE):
2947         * dfg/DFGSpeculativeJIT32_64.cpp:
2948         (JSC::DFG::SpeculativeJIT::compile):
2949         * dfg/DFGSpeculativeJIT64.cpp:
2950         (JSC::DFG::SpeculativeJIT::compile):
2951
2952 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2953
2954         Fix value profiling in 32_64 JIT
2955         https://bugs.webkit.org/show_bug.cgi?id=69717
2956
2957         Reviewed by Filip Pizlo.
2958
2959         Current value profiling for the 32_64 JIT is broken and cannot record
2960         correct predicted types, which results in many speculation failures
2961         in the 32_64 DFG JIT, fallbacks to the baseline JIT, and re-optimizations
2962         again and again.
2963         With this fix the 32_64 DFG JIT can demonstrate real performance gains.
2964
2965         * bytecode/ValueProfile.cpp:
2966         (JSC::ValueProfile::computeStatistics):
2967         * bytecode/ValueProfile.h:
2968         (JSC::ValueProfile::classInfo):
2969         (JSC::ValueProfile::numberOfSamples):
2970         (JSC::ValueProfile::isLive):
2971         (JSC::ValueProfile::numberOfInt32s):
2972         (JSC::ValueProfile::numberOfDoubles):
2973         (JSC::ValueProfile::numberOfBooleans):
2974         (JSC::ValueProfile::dump):
2975             Empty value check should be performed on decoded JSValue,
2976             as for 32_64 empty value is not identical to encoded 0.
2977         * jit/JIT.cpp:
2978         (JSC::JIT::privateCompile):
2979         * jit/JITInlineMethods.h:
2980         (JSC::JIT::emitValueProfilingSite):
2981         * jit/JITStubCall.h:
2982         (JSC::JITStubCall::callWithValueProfiling):
2983             Record the right profiling result for 32_64.
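
The empty-value point in this entry (check the decoded JSValue, not the encoded word) as an added example; it is not code from the ChangeLog or from JavaScriptCore. The JSValue, encode/decode and tag values are simplified stand-ins modelled on JSC's JSVALUE32_64 layout and are assumptions of the example. It goes one step beyond the entry by also showing that the double +0.0 encodes to an all-zero word, so an "encoded == 0" test both misses the real empty value and misreports a real sample as empty.

```cpp
#include <cstdint>
#include <cstring>

// JSVALUE32_64 layout: a 32-bit payload and a 32-bit tag, packed into one
// 64-bit word with the tag in the high half. The tag values are the ones JSC
// used in 2011 and are an assumption of this example, not taken from the entry.
enum Tag : uint32_t {
    Int32Tag      = 0xffffffff,
    NullTag       = 0xfffffffd,
    UndefinedTag  = 0xfffffffc,
    CellTag       = 0xfffffffb,
    EmptyValueTag = 0xfffffffa,
};

typedef uint64_t EncodedJSValue;

struct JSValue {
    uint32_t payload;
    uint32_t tag;

    // The empty value is EmptyValueTag with a zero payload.
    JSValue() : payload(0), tag(EmptyValueTag) { }
    JSValue(uint32_t t, uint32_t p) : payload(p), tag(t) { }

    bool isEmpty() const { return tag == EmptyValueTag; }
};

JSValue jsInt32(int32_t i) { return JSValue(Int32Tag, static_cast<uint32_t>(i)); }

// Doubles occupy the tag space below the reserved range: the tag is simply the
// high word of the IEEE-754 bit pattern.
JSValue jsDouble(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return JSValue(static_cast<uint32_t>(bits >> 32), static_cast<uint32_t>(bits));
}

EncodedJSValue encode(JSValue v) { return (static_cast<uint64_t>(v.tag) << 32) | v.payload; }
JSValue decode(EncodedJSValue e) { return JSValue(static_cast<uint32_t>(e >> 32), static_cast<uint32_t>(e)); }

// The broken check: compares the raw encoded word with 0. On 32_64 the empty
// value encodes to 0xfffffffa00000000, so it is never "0", while the double
// +0.0 encodes to exactly 0 and would be mistaken for an empty bucket.
bool bucketIsEmptyBroken(EncodedJSValue e) { return e == 0; }

// The fixed check: decode first, then ask the value whether it is empty.
bool bucketIsEmptyFixed(EncodedJSValue e) { return decode(e).isEmpty(); }

struct LiveCounts { int broken; int fixed; };

// A tiny constructed value profile: two written buckets, two never written.
// Returns how many buckets each check reports as live samples.
LiveCounts countLiveSamples()
{
    EncodedJSValue buckets[4] = {
        encode(jsInt32(42)),
        encode(jsDouble(0.0)),   // a real sample whose encoding is all-zero bits
        encode(JSValue()),       // never written: the empty value
        encode(JSValue()),
    };
    LiveCounts counts = { 0, 0 };
    for (EncodedJSValue e : buckets) {
        if (!bucketIsEmptyBroken(e))
            ++counts.broken;
        if (!bucketIsEmptyFixed(e))
            ++counts.fixed;
    }
    return counts;
}
```

With the constructed buckets above the broken check reports three live samples (it counts the two empty buckets and drops the +0.0 sample) while the fixed check reports two; feeding the former into type prediction is exactly how the wrong predictions described in the entry arise.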
2984
2985 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2986
2987         Remove 32 bit restrictions in DFG JIT
2988         https://bugs.webkit.org/show_bug.cgi?id=69711
2989
2990         Reviewed by Filip Pizlo.
2991
2992         op_call/op_construct support was disabled for the 32 bit DFG JIT because
2993         there was a regression in the javascriptcore tests. Now the bugs are fixed
2994         and there should be no regression. This makes the 32 bit DFG have the same
2995         capability as the 64 bit DFG, and improves the coverage.
2996
2997         * dfg/DFGCapabilities.h:
2998         (JSC::DFG::canCompileOpcode):
2999
3000 2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>
3001
3002         Add static version of JSCell::getConstructData
3003         https://bugs.webkit.org/show_bug.cgi?id=69673
3004
3005         Reviewed by Geoffrey Garen.
3006
3007         Added static version of getConstructData to all classes that 
3008         override it and changed the virtual versions to call the static 
3009         versions.  This is the first step in de-virtualizing JSCell::getConstructData.
3010
3011         * API/JSCallbackConstructor.cpp:
3012         (JSC::JSCallbackConstructor::getConstructData):
3013         * API/JSCallbackConstructor.h:
3014         * API/JSCallbackObject.h:
3015         * API/JSCallbackObjectFunctions.h:
3016         (JSC::::getConstructData):
3017         * runtime/ArrayConstructor.cpp:
3018         (JSC::ArrayConstructor::getConstructData):
3019         * runtime/ArrayConstructor.h:
3020         * runtime/BooleanConstructor.cpp:
3021         (JSC::BooleanConstructor::getConstructData):
3022         * runtime/BooleanConstructor.h:
3023         * runtime/DateConstructor.cpp:
3024         (JSC::DateConstructor::getConstructData):
3025         * runtime/DateConstructor.h:
3026         * runtime/ErrorConstructor.cpp:
3027         (JSC::ErrorConstructor::getConstructData):
3028         * runtime/ErrorConstructor.h:
3029         * runtime/FunctionConstructor.cpp:
3030         (JSC::FunctionConstructor::getConstructData):
3031         * runtime/FunctionConstructor.h:
3032         * runtime/JSCell.cpp:
3033         (JSC::JSCell::getConstructData):
3034         * runtime/JSCell.h:
3035         * runtime/JSFunction.cpp:
3036         (JSC::JSFunction::getConstructData):
3037         * runtime/JSFunction.h:
3038         * runtime/NativeErrorConstructor.cpp:
3039         (JSC::NativeErrorConstructor::getConstructData):
3040         * runtime/NativeErrorConstructor.h:
3041         * runtime/NumberConstructor.cpp:
3042         (JSC::NumberConstructor::getConstructData):
3043         * runtime/NumberConstructor.h:
3044         * runtime/ObjectConstructor.cpp:
3045         (JSC::ObjectConstructor::getConstructData):
3046         * runtime/ObjectConstructor.h:
3047         * runtime/RegExpConstructor.cpp:
3048         (JSC::RegExpConstructor::getConstructData):
3049         * runtime/RegExpConstructor.h:
3050         * runtime/StringConstructor.cpp:
3051         (JSC::StringConstructor::getConstructData):
3052         * runtime/StringConstructor.h:
3053
3054 2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>
3055
3056         Add static version of JSCell::getOwnPropertySlot
3057         https://bugs.webkit.org/show_bug.cgi?id=69593
3058
3059         Reviewed by Geoffrey Garen.
3060
3061         Added static version of getOwnPropertySlot to every class that overrides
3062         JSCell::getOwnPropertySlot.  The virtual versions now call the static versions.
3063         This is the first step in de-virtualizing JSCell::getOwnPropertySlot.
3064
3065         * JavaScriptCore.exp:
3066         * debugger/DebuggerActivation.cpp:
3067         (JSC::DebuggerActivation::getOwnPropertySlot):
3068         * debugger/DebuggerActivation.h:
3069         * runtime/Arguments.cpp:
3070         (JSC::Arguments::getOwnPropertySlot):
3071         * runtime/Arguments.h:
3072         * runtime/ArrayConstructor.h:
3073         * runtime/ArrayPrototype.cpp:
3074         (JSC::ArrayPrototype::getOwnPropertySlot):
3075         * runtime/ArrayPrototype.h:
3076         * runtime/BooleanPrototype.cpp:
3077         (JSC::BooleanPrototype::getOwnPropertySlot):
3078         * runtime/BooleanPrototype.h:
3079         * runtime/DateConstructor.cpp:
3080         (JSC::DateConstructor::getOwnPropertySlot):
3081         * runtime/DateConstructor.h:
3082         * runtime/DatePrototype.cpp:
3083         (JSC::DatePrototype::getOwnPropertySlot):
3084         * runtime/DatePrototype.h:
3085         * runtime/ErrorPrototype.cpp:
3086         (JSC::ErrorPrototype::getOwnPropertySlot):
3087         * runtime/ErrorPrototype.h:
3088         * runtime/JSActivation.cpp:
3089         (JSC::JSActivation::getOwnPropertySlot):
3090         * runtime/JSActivation.h:
3091         * runtime/JSArray.cpp:
3092         (JSC::JSArray::getOwnPropertySlot):
3093         * runtime/JSArray.h:
3094         * runtime/JSBoundFunction.cpp:
3095         (JSC::JSBoundFunction::getOwnPropertySlot):
3096         * runtime/JSBoundFunction.h:
3097         * runtime/JSByteArray.cpp:
3098         (JSC::JSByteArray::getOwnPropertySlot):
3099         * runtime/JSByteArray.h:
3100         * runtime/JSCell.cpp:
3101         (JSC::JSCell::getOwnPropertySlot):
3102         * runtime/JSCell.h:
3103         * runtime/JSFunction.cpp:
3104         (JSC::JSFunction::getOwnPropertySlot):
3105         * runtime/JSFunction.h:
3106         * runtime/JSGlobalObject.cpp:
3107         (JSC::JSGlobalObject::getOwnPropertySlot):
3108         * runtime/JSGlobalObject.h:
3109         * runtime/JSNotAnObject.cpp:
3110         (JSC::JSNotAnObject::getOwnPropertySlot):
3111         * runtime/JSNotAnObject.h:
3112         * runtime/JSONObject.cpp:
3113         (JSC::JSONObject::getOwnPropertySlot):
3114         * runtime/JSONObject.h:
3115         * runtime/JSObject.cpp:
3116         (JSC::JSObject::getOwnPropertySlot):
3117         * runtime/JSObject.h:
3118         (JSC::JSObject::getOwnPropertySlot):
3119         * runtime/JSStaticScopeObject.cpp:
3120         (JSC::JSStaticScopeObject::getOwnPropertySlot):
3121         * runtime/JSStaticScopeObject.h:
3122         * runtime/JSString.cpp:
3123         (JSC::JSString::getOwnPropertySlot):
3124         * runtime/JSString.h:
3125         * runtime/MathObject.cpp:
3126         (JSC::MathObject::getOwnPropertySlot):
3127         * runtime/MathObject.h:
3128         * runtime/NumberConstructor.cpp:
3129         (JSC::NumberConstructor::getOwnPropertySlot):
3130         * runtime/NumberConstructor.h:
3131         * runtime/NumberPrototype.cpp:
3132         (JSC::NumberPrototype::getOwnPropertySlot):
3133         * runtime/NumberPrototype.h:
3134         * runtime/ObjectConstructor.cpp:
3135         (JSC::ObjectConstructor::getOwnPropertySlot):
3136         * runtime/ObjectConstructor.h:
3137         * runtime/ObjectPrototype.cpp:
3138         (JSC::ObjectPrototype::getOwnPropertySlot):
3139         * runtime/ObjectPrototype.h:
3140         * runtime/RegExpConstructor.cpp:
3141         (JSC::RegExpConstructor::getOwnPropertySlot):
3142         * runtime/RegExpConstructor.h:
3143         * runtime/RegExpMatchesArray.h:
3144         (JSC::RegExpMatchesArray::getOwnPropertySlot):
3145         * runtime/RegExpObject.cpp:
3146         (JSC::RegExpObject::getOwnPropertySlot):
3147         * runtime/RegExpObject.h:
3148         * runtime/RegExpPrototype.cpp:
3149         (JSC::RegExpPrototype::getOwnPropertySlot):
3150         * runtime/RegExpPrototype.h:
3151         * runtime/StringConstructor.cpp:
3152         (JSC::StringConstructor::getOwnPropertySlot):
3153         * runtime/StringConstructor.h:
3154         * runtime/StringObject.cpp:
3155         (JSC::StringObject::getOwnPropertySlot):
3156         * runtime/StringObject.h:
3157         * runtime/StringPrototype.cpp:
3158         (JSC::StringPrototype::getOwnPropertySlot):
3159         * runtime/StringPrototype.h:
3160
3161 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
3162
3163         JSVALUE32_64 DFG JIT - GetLocal should produce a cell result for Array predictions
3164         https://bugs.webkit.org/show_bug.cgi?id=69699
3165
3166         Reviewed by Filip Pizlo.
3167
3168         It should match SetLocal, where only the payload is stored for array predictions.
3169
3170         * dfg/DFGSpeculativeJIT32_64.cpp:
3171         (JSC::DFG::SpeculativeJIT::compile):
3172
3173 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
3174
3175         JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot
3176         https://bugs.webkit.org/show_bug.cgi?id=69702
3177
3178         Reviewed by Filip Pizlo.
3179
3180         There are some errors in generating code for Branch and LogicalNot,
3181         when the operand is predicted as ObjectOrOther.
3182
3183         * dfg/DFGSpeculativeJIT32_64.cpp:
3184         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3185         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3186
3187 2011-10-08  Sheriff Bot  <webkit.review.bot@gmail.com>
3188
3189         Unreviewed, rolling out r96996.
3190         http://trac.webkit.org/changeset/96996
3191         https://bugs.webkit.org/show_bug.cgi?id=69697
3192
3193         It broke all tests on the Qt bot (Requested by Ossy_night on
3194         #webkit).
3195
3196         * API/JSCallbackFunction.cpp:
3197         (JSC::JSCallbackFunction::getCallDataVirtual):
3198         * API/JSCallbackFunction.h:
3199         * API/JSCallbackObject.h:
3200         * API/JSCallbackObjectFunctions.h:
3201         (JSC::::getCallDataVirtual):
3202         * API/JSObjectRef.cpp:
3203         (JSObjectIsFunction):
3204         (JSObjectCallAsFunction):
3205         * JavaScriptCore.exp:
3206         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3207         * interpreter/Interpreter.cpp:
3208         (JSC::Interpreter::privateExecute):
3209         * jit/JITStubs.cpp:
3210         (JSC::DEFINE_STUB_FUNCTION):
3211         * runtime/ArrayConstructor.cpp:
3212         (JSC::ArrayConstructor::getCallDataVirtual):
3213         * runtime/ArrayConstructor.h:
3214         * runtime/BooleanConstructor.cpp:
3215         (JSC::BooleanConstructor::getCallDataVirtual):
3216         * runtime/BooleanConstructor.h:
3217         * runtime/DateConstructor.cpp:
3218         (JSC::DateConstructor::getCallDataVirtual):
3219         * runtime/DateConstructor.h:
3220         * runtime/Error.cpp:
3221         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
3222         (JSC::StrictModeTypeErrorFunction::create):
3223         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
3224         (JSC::StrictModeTypeErrorFunction::getConstructData):
3225         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
3226         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
3227         (JSC::StrictModeTypeErrorFunction::getCallData):
3228         (JSC::StrictModeTypeErrorFunction::createStructure):
3229         (JSC::createTypeErrorFunction):
3230         * runtime/Error.h:
3231         * runtime/ErrorConstructor.cpp:
3232         (JSC::ErrorConstructor::getCallDataVirtual):
3233         * runtime/ErrorConstructor.h:
3234         * runtime/FunctionConstructor.cpp:
3235         (JSC::FunctionConstructor::getCallDataVirtual):
3236         * runtime/FunctionConstructor.h:
3237         * runtime/FunctionPrototype.cpp:
3238         (JSC::FunctionPrototype::getCallDataVirtual):
3239         * runtime/FunctionPrototype.h:
3240         * runtime/InternalFunction.cpp:
3241         (JSC::InternalFunction::finishCreation):
3242         * runtime/InternalFunction.h:
3243         * runtime/JSCell.cpp:
3244         (JSC::JSCell::getCallDataVirtual):
3245         * runtime/JSCell.h:
3246         (JSC::getCallData):
3247         * runtime/JSFunction.cpp:
3248         (JSC::JSFunction::getCallDataVirtual):
3249         * runtime/JSFunction.h:
3250         * runtime/JSGlobalObject.cpp:
3251         (JSC::JSGlobalObject::reset):
3252         (JSC::JSGlobalObject::visitChildren):
3253         * runtime/JSGlobalObject.h:
3254         * runtime/JSONObject.cpp:
3255         (JSC::Stringifier::Stringifier):
3256         (JSC::Stringifier::toJSON):
3257         (JSC::Stringifier::appendStringifiedValue):
3258         * runtime/JSObject.cpp:
3259         (JSC::JSObject::put):
3260         * runtime/JSObject.h:
3261         * runtime/NativeErrorConstructor.cpp:
3262         (JSC::NativeErrorConstructor::getCallDataVirtual):
3263         * runtime/NativeErrorConstructor.h:
3264         * runtime/NumberConstructor.cpp:
3265         (JSC::NumberConstructor::getCallDataVirtual):
3266         * runtime/NumberConstructor.h:
3267         * runtime/ObjectConstructor.cpp:
3268         (JSC::ObjectConstructor::getCallDataVirtual):
3269         * runtime/ObjectConstructor.h:
3270         * runtime/Operations.cpp:
3271         (JSC::jsTypeStringForValue):
3272         (JSC::jsIsObjectType):
3273         (JSC::jsIsFunctionType):
3274         * runtime/PropertySlot.cpp:
3275         (JSC::PropertySlot::functionGetter):
3276         * runtime/RegExpConstructor.cpp:
3277         (JSC::RegExpConstructor::getCallDataVirtual):
3278         * runtime/RegExpConstructor.h:
3279         * runtime/StringConstructor.cpp:
3280         (JSC::StringConstructor::getCallDataVirtual):
3281         * runtime/StringConstructor.h:
3282         * runtime/Structure.h:
3283
3284 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
3285
3286         DFG JIT - only Array predictions can result in unboxed cells in register file
3287         https://bugs.webkit.org/show_bug.cgi?id=69695
3288
3289         Reviewed by Filip Pizlo.
3290
3291         In the current DFG JIT, only array predictions can result in unboxed cells
3292         in the register file, not the other cell predictions.
3293
3294         * dfg/DFGSpeculativeJIT.h:
3295         (JSC::DFG::ValueSource::forPrediction):
3296
3297 2011-10-07  Yuqiang Xian  <yuqiang.xian@intel.com>
3298
3299         bug fixes for ArrayPush and ArrayPop in 32_64 DFG JIT
3300         https://bugs.webkit.org/show_bug.cgi?id=69696
3301
3302         Reviewed by Filip Pizlo.
3303
3304         On 32-bit, we should use TimesEight (8) instead of ScalePtr (4)
3305         to compute the address of a JS array element.
3306
3307         * dfg/DFGSpeculativeJIT32_64.cpp:
3308         (JSC::DFG::SpeculativeJIT::compile):
3309
3310 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3311
3312         Add static version of JSCell::deleteProperty
3313         https://bugs.webkit.org/show_bug.cgi?id=69659
3314
3315         Reviewed by Geoffrey Garen.
3316
3317         Added static version of both versions of put to all classes that 
3318         override them and changed the virtual versions to call the static 
3319         versions.  This is the first step in de-virtualizing JSCell::deleteProperty.
3320
3321         * API/JSCallbackObject.h:
3322         * API/JSCallbackObjectFunctions.h:
3323         (JSC::::deleteProperty):
3324         * debugger/DebuggerActivation.cpp:
3325         (JSC::DebuggerActivation::deleteProperty):
3326         * debugger/DebuggerActivation.h:
3327         * runtime/Arguments.cpp:
3328         (JSC::Arguments::deleteProperty):
3329         * runtime/Arguments.h:
3330         * runtime/JSActivation.cpp:
3331         (JSC::JSActivation::deleteProperty):
3332         * runtime/JSActivation.h:
3333         * runtime/JSArray.cpp:
3334         (JSC::JSArray::deleteProperty):
3335         * runtime/JSArray.h:
3336         * runtime/JSCell.cpp:
3337         (JSC::JSCell::deleteProperty):
3338         * runtime/JSCell.h:
3339         * runtime/JSFunction.cpp:
3340         (JSC::JSFunction::deleteProperty):
3341         * runtime/JSFunction.h:
3342         * runtime/JSNotAnObject.cpp:
3343         (JSC::JSNotAnObject::deleteProperty):
3344         * runtime/JSNotAnObject.h:
3345         * runtime/JSObject.cpp:
3346         (JSC::JSObject::deleteProperty):
3347         * runtime/JSObject.h:
3348         * runtime/JSVariableObject.cpp:
3349         (JSC::JSVariableObject::deleteProperty):
3350         * runtime/JSVariableObject.h:
3351         * runtime/RegExpMatchesArray.h:
3352         (JSC::RegExpMatchesArray::deleteProperty):
3353         * runtime/StrictEvalActivation.cpp:
3354         (JSC::StrictEvalActivation::deleteProperty):
3355         * runtime/StrictEvalActivation.h:
3356         * runtime/StringObject.cpp:
3357         (JSC::StringObject::deleteProperty):
3358         * runtime/StringObject.h:
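
A sketch of the de-virtualization pattern that the "Add static version of ..." entries above (getConstructData, getOwnPropertySlot, deleteProperty) describe, added here as an example; it is not JSC's own declarations. ClassInfo, MethodTable and the getCallData/deleteProperty names mirror JSC's, but Cell, Function, cellInfo, functionInfo and the probe functions are simplified, hypothetical stand-ins. The static function is the real implementation; step one keeps a virtual wrapper that forwards to it, and the end state replaces the virtual call with an explicit lookup in the per-class table. The last helper shows the creation-time guard a reviewer would want: a class that forgets to override an operation inherits the base entry, which is detectable, whereas a null table entry is only a crash later.

```cpp
#include <cstddef>

// Simplified stand-ins for JSC's ClassInfo / MethodTable machinery (assumed
// shapes for this example, not the project's declarations).
struct Cell;

enum CallType { CallTypeNone, CallTypeHost };
struct CallData { CallType type; const char* name; };

typedef CallType (*GetCallDataFunctionPtr)(Cell*, CallData&);
typedef bool (*DeletePropertyFunctionPtr)(Cell*, const char* propertyName);

// One function pointer per de-virtualized operation. Every class gets its own
// table; an operation it does not override points at the parent's static version.
struct MethodTable {
    GetCallDataFunctionPtr getCallData;
    DeletePropertyFunctionPtr deleteProperty;
};

struct ClassInfo {
    const char* className;
    const ClassInfo* parentClass;
    MethodTable methodTable;
};

extern const ClassInfo cellInfo;
extern const ClassInfo functionInfo;

struct Cell {
    const ClassInfo* classInfo;
    explicit Cell(const ClassInfo* info) : classInfo(info) { }

    const MethodTable* methodTable() const { return &classInfo->methodTable; }

    // The "static version": the real implementation. Step one of the
    // de-virtualization keeps a virtual wrapper that just forwards here; the
    // final step deletes the wrapper and call sites go through the table.
    static CallType getCallData(Cell*, CallData& data)
    {
        data.type = CallTypeNone;
        data.name = nullptr;
        return CallTypeNone;
    }
    static bool deleteProperty(Cell*, const char*) { return false; }
};

struct Function : Cell {
    Function() : Cell(&functionInfo) { }

    // Overrides getCallData only; deleteProperty is inherited through the table.
    static CallType getCallData(Cell*, CallData& data)
    {
        data.type = CallTypeHost;
        data.name = "Function";
        return CallTypeHost;
    }
};

// Per-class tables (JSC generates these with a macro; spelled out by hand here).
const ClassInfo cellInfo = { "Cell", nullptr, { &Cell::getCallData, &Cell::deleteProperty } };
const ClassInfo functionInfo = { "Function", &cellInfo, { &Function::getCallData, &Cell::deleteProperty } };

// Call sites after the change: an explicit lookup in the MethodTable instead of
// a virtual call. The dispatch target is per-class data, not a per-object vtable.
CallType callTypeOf(Cell* cell)
{
    CallData data = { CallTypeNone, nullptr };
    return cell->methodTable()->getCallData(cell, data);
}

bool deleteViaTable(Cell* cell, const char* propertyName)
{
    return cell->methodTable()->deleteProperty(cell, propertyName);
}

// Creation-time guard: a class that forgot to provide its own getCallData would
// silently inherit the base entry, so compare the table entry with the base's
// rather than leaving a null pointer in the table to crash on later.
bool providesOwnGetCallData(const Cell* cell)
{
    return cell->methodTable()->getCallData != &Cell::getCallData;
}

// Probes that build the two kinds of object and report what the table does.
CallType callTypeOfPlainCell() { Cell cell(&cellInfo); return callTypeOf(&cell); }
CallType callTypeOfFunction() { Function function; return callTypeOf(&function); }
bool plainCellProvidesGetCallData() { Cell cell(&cellInfo); return providesOwnGetCallData(&cell); }
bool functionProvidesGetCallData() { Function function; return providesOwnGetCallData(&function); }
bool functionDeleteResult() { Function function; return deleteViaTable(&function, "x"); }
```

Because the table is immutable per-class data selected by the object's ClassInfo, a call site no longer depends on a writable vtable pointer inside each object; that is the structural benefit behind the long mechanical file lists in these entries.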
3359
3360 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3361
3362         Remove getCallDataVirtual methods
3363         https://bugs.webkit.org/show_bug.cgi?id=69186
3364
3365         Reviewed by Geoffrey Garen.
3366
3367         Removed all getCallDataVirtual methods and replaced their call sites 
3368         with an explicit lookup in the MethodTable.
3369
3370         * API/JSCallbackFunction.cpp:
3371         * API/JSCallbackFunction.h:
3372         * API/JSCallbackObject.h:
3373         * API/JSCallbackObjectFunctions.h:
3374         * API/JSObjectRef.cpp:
3375         (JSObjectIsFunction):
3376         (JSObjectCallAsFunction):
3377         * JavaScriptCore.exp:
3378         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3379         * interpreter/Interpreter.cpp:
3380         (JSC::Interpreter::privateExecute):
3381         * jit/JITStubs.cpp:
3382         (JSC::DEFINE_STUB_FUNCTION):
3383         * runtime/ArrayConstructor.cpp:
3384         * runtime/ArrayConstructor.h:
3385         * runtime/BooleanConstructor.cpp:
3386         * runtime/BooleanConstructor.h:
3387         * runtime/DateConstructor.cpp:
3388         * runtime/DateConstructor.h:
3389         * runtime/Error.cpp:
3390         (JSC::createTypeErrorFunction):
3391
3392         Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
3393         the class definition in JSGlobalObject.cpp.
3394         * runtime/Error.h:
3395         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
3396         (JSC::StrictModeTypeErrorFunction::create):
3397         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
3398         (JSC::StrictModeTypeErrorFunction::getConstructData):
3399         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
3400         (JSC::StrictModeTypeErrorFunction::getCallData):
3401         (JSC::StrictModeTypeErrorFunction::createStructure):
3402         * runtime/ErrorConstructor.cpp:
3403         * runtime/ErrorConstructor.h:
3404         * runtime/FunctionConstructor.cpp:
3405         * runtime/FunctionConstructor.h:
3406         * runtime/FunctionPrototype.cpp:
3407         * runtime/FunctionPrototype.h:
3408
3409         To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have 
3410         to declare their own ClassInfo if they don't override getCallData, provided 
3411         an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same 
3412         functionality as the pure virtual method InternalFunction used to have.
3413         Also made this new implementation protected rather than private for the same reason.
3414         Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever 
3415         object is being created provides its own implementation of getCallData.  This 
3416         just makes execution fail earlier in a place where the source of the error is 
3417         easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
3418         they appear much more intentional to anybody who fails to provide their own 
3419         implementation or who tries to explicitly call InternalFunction::getCallData.
3420         * runtime/InternalFunction.cpp:
3421         (JSC::InternalFunction::finishCreation):
3422         (JSC::InternalFunction::getCallData):
3423         * runtime/InternalFunction.h:
3424         * runtime/JSCell.cpp:
3425         * runtime/JSCell.h:
3426         * runtime/JSFunction.cpp:
3427         * runtime/JSFunction.h:
3428
3429         Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
3430         it to be reused rather than creating a new Structure every time we instantiate it.
3431         * runtime/JSGlobalObject.cpp: