JavaScriptCore bytecompiler does not compute scope depth correctly
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-08-20  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore bytecompiler does not compute scope depth correctly
        in the case of constant declarations
        https://bugs.webkit.org/show_bug.cgi?id=66572

        Reviewed by Oliver Hunt.

        Changed the handling of const to add the dynamic scope depth.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstDeclNode::emitCodeSingle):

2011-08-19  Daniel Bates  <dbates@webkit.org>

        Only #include <signal.h> and require SA_RESTART when building with JSC_MULTIPLE_THREADS
        https://bugs.webkit.org/show_bug.cgi?id=66617

        Both <signal.h> and SA_RESTART usage are guarded behind ENABLE(JSC_MULTIPLE_THREADS).
        But we cause a compile error if the platform doesn't support SA_RESTART regardless of
        whether JSC_MULTIPLE_THREADS is enabled for the port. Instead, we shouldn't require
        SA_RESTART support unless we are building with JSC_MULTIPLE_THREADS enabled.

        Reviewed by Antonio Gomes.

        * heap/MachineStackMarker.cpp:

2011-08-19  Filip Pizlo  <fpizlo@apple.com>

        The JSC JIT currently has no facility to profile and report
        the types of values
        https://bugs.webkit.org/show_bug.cgi?id=65901

        Reviewed by Gavin Barraclough.

        Added the ability to profile the values seen at function calls (both
        arguments and results) and heap loads.  This is done with emphasis
        on performance.  A value profiling site consists of: add, and,
        move, and store; no branching is necessary.  Each value profiling
        site (called a ValueProfile) has a ring buffer of 8 recently-seen
        values.  ValueProfiles are stored in the CodeBlock; there will be
        one for each argument (excluding this) and each heap load or callsite.
        Each time a value profiling site executes, it stores the value into
        a pseudo-random element in the ValueProfile buffer.  The point is
        that for frequently executed code, we will have 8 somewhat recent
        values in the buffer and will be able to not only figure out what
        type it is, but also to be able to reason about the actual values
        if we wish to do so.

        This feature is currently disabled by default.  When enabled, it
        results in a 3.7% slow-down on SunSpider.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addValueProfile):
        (JSC::CodeBlock::numberOfValueProfiles):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        * bytecode/ValueProfile.h: Added.
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::computeProbability):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfCells):
        (JSC::ValueProfile::probabilityOfInt32):
        (JSC::ValueProfile::probabilityOfDouble):
        (JSC::ValueProfile::probabilityOfCell):
        (JSC::getValueProfileBytecodeOffset):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_call_put_result):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        * jit/JSInterfaceJIT.h:
        * wtf/Platform.h:
        * wtf/StdLibExtras.h:
        (WTF::binarySearch):
        (WTF::genericBinarySearch):

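The profiling scheme the entry above describes (an 8-slot ring buffer per site, a branch-free store into a pseudo-random slot, and per-type counts and probabilities read back later) as an added, self-contained model. This is not WebKit's bytecode/ValueProfile.h: the `Value` tag/payload struct stands in for JSValue, the method names mirror those listed in the entry, and the slot choice (top three bits of a multiplicative hash of a per-site counter) is an assumption, chosen because it stays branch-free and visits all eight buckets in every run of eight stores.

```cpp
// Added example modelling a JSC-style ValueProfile; not WebKit's own code.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for JSC's JSValue: a kind tag plus a payload.
struct Value {
    enum Kind { Empty, Int32, Double, Cell };
    Kind kind = Empty;
    union { int32_t int32; double number; const void* cell; };
    static Value fromInt32(int32_t i) { Value v; v.kind = Int32; v.int32 = i; return v; }
    static Value fromDouble(double d) { Value v; v.kind = Double; v.number = d; return v; }
    static Value fromCell(const void* c) { Value v; v.kind = Cell; v.cell = c; return v; }
};

class ValueProfile {
public:
    enum { numberOfBuckets = 8 };

    // The profiling site itself: no branches. The slot is the top three bits
    // of a multiplicative (Fibonacci) hash of a per-site counter (assumption:
    // the entry only says "pseudo-random"), so eight consecutive stores walk a
    // permutation of the eight buckets and old samples age out evenly.
    void add(const Value& value) {
        ++m_counter;
        uint32_t slot = static_cast<uint32_t>(m_counter * 0x9E3779B9u) >> 29;  // 0..7
        m_buckets[slot] = value;
    }

    size_t numberOfSamples() const {
        return count(Value::Int32) + count(Value::Double) + count(Value::Cell);
    }
    size_t numberOfInt32s() const { return count(Value::Int32); }
    size_t numberOfDoubles() const { return count(Value::Double); }
    size_t numberOfCells() const { return count(Value::Cell); }

    // Fraction of the non-empty samples that are of one kind; 0 for an unused site,
    // which callers must treat as "no information", not "never an int".
    double computeProbability(size_t numberOfKind) const {
        size_t samples = numberOfSamples();
        return samples ? static_cast<double>(numberOfKind) / static_cast<double>(samples) : 0.0;
    }
    double probabilityOfInt32() const { return computeProbability(numberOfInt32s()); }
    double probabilityOfDouble() const { return computeProbability(numberOfDoubles()); }
    double probabilityOfCell() const { return computeProbability(numberOfCells()); }

private:
    size_t count(Value::Kind kind) const {
        size_t n = 0;
        for (size_t i = 0; i < numberOfBuckets; ++i)
            n += (m_buckets[i].kind == kind);
        return n;
    }
    Value m_buckets[numberOfBuckets];  // every bucket starts out Empty
    uint32_t m_counter = 0;
};

// Stand-alone demonstration: a site that saw integers for a while, then doubles.
int main() {
    ValueProfile profile;
    for (int32_t i = 0; i < 8; ++i)
        profile.add(Value::fromInt32(i));
    std::printf("int32 only: samples=%zu P(int32)=%.2f\n",
                profile.numberOfSamples(), profile.probabilityOfInt32());
    for (int i = 0; i < 4; ++i)
        profile.add(Value::fromDouble(1.5 * i));
    std::printf("mixed: P(int32)=%.2f P(double)=%.2f\n",
                profile.probabilityOfInt32(), profile.probabilityOfDouble());
    return 0;
}
```

The ring buffer deliberately has no "seen count": after the first eight stores every sample is at most eight executions old, which is what makes the profile cheap to keep and safe to read without synchronisation in this model. A speculating JIT that reads the probabilities must still emit a guard, since a buffer full of int32s says only that the last eight values were ints.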
2011-08-19  Daniel Bates  <dbates@webkit.org>

        Don't include DisallowCType.h when building on QNX
        https://bugs.webkit.org/show_bug.cgi?id=66616

        Reviewed by Antonio Gomes.

        * config.h:

2011-08-19  Daniel Bates  <dbates@webkit.org>

        Implement ExecutableAllocator::cacheFlush() for QNX
        https://bugs.webkit.org/show_bug.cgi?id=66611

        Reviewed by Antonio Gomes.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):

2011-08-19  Daniel Bates  <dbates@webkit.org>

        Implement WTF::atomic{Increment, Decrement}() for QNX
        https://bugs.webkit.org/show_bug.cgi?id=66605

        Reviewed by Darin Adler.

        * wtf/Atomics.h:
        (WTF::atomicIncrement):
        (WTF::atomicDecrement):

2011-08-19  Beth Dakin  <bdakin@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=66590
        Re-name scrollbar painter types

        Reviewed by Sam Weinig.

        WTF_USE_WK_SCROLLBAR_PAINTER is now WTF_USE_SCROLLBAR_PAINTER since WK no longer
        applies.

        * wtf/Platform.h:

2011-08-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move allocation in constructors into separate constructorBody() methods
        https://bugs.webkit.org/show_bug.cgi?id=66265

        Reviewed by Oliver Hunt.

        Refactoring to put all allocations that need to be done after the object's
        initialization list has executed but before the object is ready for use
        into a separate constructorBody() method.  This method is still called by the constructor,
        so the patch doesn't resolve any potential issues, it's just to set up the code for further refactoring.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jsc.cpp:
        (GlobalObject::constructorBody):
        (GlobalObject::GlobalObject):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::constructorBody):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::constructorBody):
        * runtime/ErrorPrototype.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::constructorBody):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::constructorBody):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::constructorBody):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::constructorBody):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::constructorBody):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::constructorBody):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::constructorBody):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::constructorBody):
        * runtime/NativeErrorPrototype.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):

2011-08-10  Filip Pizlo  <fpizlo@apple.com>

        DFG non-speculative JIT does not inline the double case of ValueAdd
        https://bugs.webkit.org/show_bug.cgi?id=66025

        Reviewed by Gavin Barraclough.

        This is a 1.3% win on Kraken overall, with >=8% speed-ups on a few
        benchmarks (imaging-darkroom, stanford-crypto-pbkdf2,
        stanford-crypto-sha256-iterative).  It looks like it might have
        a speed-up in SunSpider (though not statistically significant or
        particularly reproducible) and a slight slow-down in V8 (0.14%,
        not statistically significant).  It does slow down v8-crypto by
        1.5%.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        * dfg/DFGOperations.cpp:

2011-08-18  Filip Pizlo  <fpizlo@apple.com>

        [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=66426

        Reviewed by Oliver Hunt.

        Changed the branchTestPtr to branchTest32.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-08-17  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=66379
        Implements load32WithCompactAddressOffsetPatch function
        and fixes store32 and moveWithPatch functions for SH4 platforms.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::rshift32):
        (JSC::MacroAssemblerSH4::store32):
        (JSC::MacroAssemblerSH4::load32WithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerSH4::moveWithPatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::movlMemRegCompact):
        (JSC::SH4Assembler::readPointer):
        (JSC::SH4Assembler::repatchCompact):
        * jit/JIT.h:

2011-08-17  Filip Pizlo  <fpizlo@apple.com>

        JSC verbose debugging output sometimes doesn't work as expected.
        https://bugs.webkit.org/show_bug.cgi?id=66107

        Reviewed by Gavin Barraclough.

        Hardened the CodeBlock::dump() code so that it no longer crashes.  Improved
        the DFG verbose code so that it prints slightly more useful information.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::debugSize):
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString):
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfRegExps):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):

2011-08-16  Michael Saboff  <msaboff@apple.com>

        Crash in Structure::visitChildren running iAd.js regression test suite under memory pressure
        https://bugs.webkit.org/show_bug.cgi?id=66351

        JIT::privateCompilePutByIdTransition expects that regT0 and regT1
        have the basePayload and baseTag respectively.  In some cases,
        we may get to this generated code with one or both of these
        registers trashed.  One known case is that regT0 on ARM may be
        trashed as regT0 (r0) is also arg0 and can be overrun with sp due
        to calls to JIT::restoreReturnAddress().  This patch uses the
        values on the stack.  A longer term solution is to work out all
        cases so that the register entry assumptions can be assured.

        While fixing this, also determined that the additional stack offset
        of sizeof(void*) is not needed for ARM.

        Reviewed by Gavin Barraclough.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):

2011-08-15  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=66263
        DFG JIT does not always zero extend boolean result of DFG operations

        Reviewed by Sam Weinig.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - Change bool return values to a 64-bit type.

2011-08-15  Gavin Barraclough  <barraclough@apple.com>

        Crash accessing static property on sealed object
        https://bugs.webkit.org/show_bug.cgi?id=66242

        Reviewed by Sam Weinig.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
            - should only check isExtensible if checkReadOnly.

2011-08-15  Sam Weinig  <sam@webkit.org>

        Fix release build when building with Clang.

        Reviewed by Anders Carlsson.

        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentIdentifierTable):
        Add NO_RETURN_DUE_TO_CRASH.

2011-08-15  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>

        Reviewed by Nikolas Zimmermann.

        Speed up SVGSMILElement::findInstanceTime.
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Add a new parameter to StdlibExtras.h::binarySearch function
        to also handle cases when the array does not contain the key value.
        This is needed for an SVG function.

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-08-13  Sam Weinig  <sam@webkit.org>

        Add back 0xbbadbeef to CRASH to allow for old habits
        https://bugs.webkit.org/show_bug.cgi?id=66190

        Reviewed by David Kilzer.

        * wtf/Assertions.h:
        Add back the assignment to the memory address 0xbbadbeef in the CRASH
        macro, as it does not cause issues in the clang static analyzer and many
        people use its presence in crash reports to easily identify ASSERTs.

2011-08-13  Sam Weinig  <sam@webkit.org>

        Fix a bunch of minor bugs caught by the clang static analyzer in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=66182

        Reviewed by Dan Bernstein.

        Fixes 10 warnings in JavaScriptCore and 2 in testapi.

        * API/tests/testapi.c:
        (main):
        Remove dead variables.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        Initialize hasPrinted and silence an unused warning by casting to void (Ok here
        since it is debug code and I want to keep it clear that if other cases are added,
        the hasPrinted flag would be needed).

        * wtf/dtoa.cpp:
        (WTF::d2b):
        The variable "de" in the else block is always zero, so there is no reason to
        use it.

2011-08-12  Sam Weinig  <sam@webkit.org>

        Use __builtin_trap() for CRASH when building with clang
        https://bugs.webkit.org/show_bug.cgi?id=66152

        Reviewed by Anders Carlsson.

        * wtf/Assertions.h:
        Add Clang specific CRASH macro that calls __builtin_trap() instead
        of silly techniques to crash. This allows the static analyzer to understand
        that we are intentionally crashing. As a result, we need to mark some functions
        as not returning.

        Also adds a macro that annotates a function as never returning due to ASSERT or CRASH.

        * wtf/Compiler.h:
        Add COMPILER(CLANG) and fix some formatting and spelling mistakes.

        * wtf/FastMalloc.cpp:
        (WTF::Internal::fastMallocMatchFailed):
        Add NO_RETURN_DUE_TO_CRASH.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
        Add NO_RETURN_DUE_TO_ASSERT.

2011-08-12  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT has inconsistent use of boxDouble and unboxDouble,
        inconsistent use of assertions regarding doubles, and those
        assertions are not turned on in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=66160

        Reviewed by Gavin Barraclough.

        JIT assertions are now turned on in debug builds.  JIT
        assertions are now used for boxing and unboxing doubles, and boxing
        and unboxing no longer involves code duplication.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::GeneralizedRegister::moveTo):
        (JSC::DFG::GeneralizedRegister::swapWith):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::convertToDouble):

2011-08-12  Mark Rowe  <mrowe@apple.com>

        Be more forward-looking in the choice of compiler.

        Rubber-stamped by Jon Honeycutt.

        * Configurations/CompilerVersion.xcconfig:

2011-08-12  Kalev Lember  <kalevlember@gmail.com>

        [GTK] Fix non-pthreads build after r91906.
        https://bugs.webkit.org/show_bug.cgi?id=66151

        Reviewed by David Levin.

        r91906 broke the non-pthreads GTK+ build by including a header which
        doesn't exist. Fix it by including DateMath.h instead of DateMap.h.

        * wtf/gtk/ThreadingGtk.cpp:

2011-08-12  Mark Rowe  <mrowe@apple.com>

        Update some configuration settings that were missed back in r92432.

        * Configurations/CompilerVersion.xcconfig:

2011-08-12  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r91610?): Bing Maps fail to initialize (InvalidOperation:
        Matrix3D.invert)
        https://bugs.webkit.org/show_bug.cgi?id=66038

        Reviewed by Gavin Barraclough.

        Simplest and lowest-impact fix for the case where the spilled format
        of a DFG node differs from the register format: if the format is
        converted then indicate that the spilled value is no longer valid
        ("kill the spill").

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::killSpilled):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-08-12  Sam Weinig  <sam@webkit.org>

        Move compiler specific macros to their own header
        https://bugs.webkit.org/show_bug.cgi?id=66119

        Reviewed by Anders Carlsson.

        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        Add Compiler.h

        * wtf/AlwaysInline.h:
        Move the contents of this file (which no longer was just about ALWAYS_INLINE) to
        Compiler.h.  We can remove this file in a later commit.

        * wtf/Compiler.h: Added.
        Put all compiler specific checks and features in this file.

        * wtf/Platform.h:
        Move COMPILER macro and definitions (and the odd WARN_UNUSED_RETURN compiler feature)
        to Compiler.h.  Include Compiler.h since it is necessary.

2011-08-11  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT-specific structure stub info code offset fields are signed
        8-bit, but it is possible for the offsets to be greater than 127
        https://bugs.webkit.org/show_bug.cgi?id=66122

        Reviewed by Gavin Barraclough.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):

2011-08-11  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT speculation failure code sometimes picks the wrong register
        as a scratch register.
        https://bugs.webkit.org/show_bug.cgi?id=66104

        Reviewed by Gavin Barraclough.

        Hardened the code with more assertions and fixed the bug.  Now a
        spilled register is only used for scratch if it also isn't being
        used for shuffling.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

2011-08-11  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r92880.
        http://trac.webkit.org/changeset/92880
        https://bugs.webkit.org/show_bug.cgi?id=66123

        Breaks compile in VS2010 (Requested by jamesr_ on #webkit).

        * wtf/PassRefPtr.h:

2011-08-11  Mark Rowe  <mrowe@apple.com>

        Don't conditionalize the use of -fomit-frame-pointer on compiler version as
        all of our supported compilers are now new enough to have the same, sane behavior.

        Rubber-stamped by Sam Weinig.

        * Configurations/JavaScriptCore.xcconfig:

2011-08-11  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT verbose mode does not report the generated types of nodes
        https://bugs.webkit.org/show_bug.cgi?id=65830

        Reviewed by Sam Weinig.

        Added code that prints the type selected for each node's result.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-08-11  James Robinson  <jamesr@chromium.org>

        nullptr can't be used for PassRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=66024

        Reviewed by Anders Carlsson.

        * wtf/PassRefPtr.h:
        (WTF::PassRefPtr::PassRefPtr):

2011-08-11  Daniel Bates  <dbates@rim.com>

        Removed unused variable in StackBounds::initialize() to resolve
        compiler warning when building on QNX.
        https://bugs.webkit.org/show_bug.cgi?id=66072

        Reviewed by Antonio Gomes.

        * wtf/StackBounds.cpp:
        (WTF::StackBounds::initialize):

2011-08-11  Devdatta Deshpande  <pwjd73@motorola.com>

        Implementation of monotonically increasing clock on GTK
        https://bugs.webkit.org/show_bug.cgi?id=62175

        Reviewed by Martin Robinson.

        * wtf/CurrentTime.cpp:
        (WTF::monotonicallyIncreasingTime):
        The default implementation of monotonicallyIncreasingTime only
        guarantees the result to be non-decreasing.
        If the system time is changed to the past then the default implementation will
        still fail and WebCore timers will not fire.

2011-08-10  Geoffrey Garen  <ggaren@apple.com>

        Removed some incorrect code that was dead.

        Reviewed by Oliver Hunt.

        clearSingleTransition() wasn't resetting m_data. Luckily,
        no one cares, because its caller was unused. Removed both.

        * runtime/Structure.cpp:
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::~StructureTransitionTable):

2011-08-10  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
        https://bugs.webkit.org/show_bug.cgi?id=66010

        Reviewed by Oliver Hunt.

        Made sure that Construct calls use() on the this argument.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-08-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC should always throw when function arg list is too long
        https://bugs.webkit.org/show_bug.cgi?id=65869

        Reviewed by Oliver Hunt.

        Changed the behavior of the interpreter and JIT to throw an exception
        when too many arguments are passed rather than truncating the list.  Added
        a new method to create a "Too many arguments." exception used by this
        new functionality.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createTooManyParamsError):
        * runtime/ExceptionHelpers.h:

2011-08-10  Oliver Hunt  <oliver@apple.com>

        Make GC checks more aggressive in release builds
        https://bugs.webkit.org/show_bug.cgi?id=66001

        Reviewed by Gavin Barraclough.

        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::visitStrongHandles):
        (JSC::HandleHeap::visitWeakHandles):
        (JSC::HandleHeap::finalizeWeakHandles):
        (JSC::HandleHeap::writeBarrier):
        (JSC::HandleHeap::isLiveNode):
        (JSC::HandleHeap::isValidWeakNode):
           Increase handle heap validation logic, and make some of
           the crashes trigger in release builds as well as debug.
        * heap/HandleHeap.h:
        (JSC::HandleHeap::allocate):
        (JSC::HandleHeap::makeWeak):
           Ditto
        * runtime/JSGlobalData.cpp:
        (WTF::Recompiler::operator()):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
           Fix GC bugs found while testing this patch

2011-08-10  Oliver Hunt  <oliver@apple.com>

        JSEvaluateScript does not return the correct object when given JSONP data
        https://bugs.webkit.org/show_bug.cgi?id=66003

        Reviewed by Gavin Barraclough.

        Make sure we propagate the result of the function call rather than the
        argument.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-08-10  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT heap prediction causes regressions when combined with
        aggressive integer prediction
        https://bugs.webkit.org/show_bug.cgi?id=65954

        Reviewed by Gavin Barraclough.

        Disabled heap prediction, but did not remove the capability.
        This improves V8 crypto performance by 20%.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):

2011-08-09  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not speculate integers as aggressively as it should
        https://bugs.webkit.org/show_bug.cgi?id=65949

        Reviewed by Gavin Barraclough.

        Added a tree walk to propagate integer predictions through arithmetic
        expressions.

        This is a 71% speed-up on Kraken's imaging-gaussian-blur, which
        translates to a 19% speed-up on Kraken overall.  It's neutral on
        other benchmarks.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::predictInt32):

2011-08-09  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT has no way of propagating predictions to loads and calls
        https://bugs.webkit.org/show_bug.cgi?id=65883

        Reviewed by Gavin Barraclough.

        This introduces the capability to store predictions on graph
        nodes.  To save space while being somewhat consistent, the
        prediction is always stored in the second OpInfo slot (since
        a GetById will use the first one for the identifier).  This
        change is a natural extension of r92593 (global variable
        prediction).

        This is a 1.5% win on V8 in the arithmetic mean, and a 0.6%
        win on V8 in the geometric mean.  It is neutral on SunSpider
        and Kraken.  Interestingly, on V8 it regresses crypto by 3%
        while progressing deltablue and richards by 2.6% and 4.3%,
        respectively.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::isCellPrediction):
        (JSC::DFG::isArrayPrediction):
        (JSC::DFG::isInt32Prediction):
        (JSC::DFG::isDoublePrediction):
        (JSC::DFG::isNumberPrediction):
        (JSC::DFG::predictionToString):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasPrediction):
        (JSC::DFG::Node::getPrediction):
        (JSC::DFG::Node::predict):

2011-08-09  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT passes the this argument to constructors even though
        it's not necessary
        https://bugs.webkit.org/show_bug.cgi?id=65943

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-08-09  Chao-ying Fu  <fu@mips.com>

        Fix one MIPS instruction to call JITStubThunked_##op
        https://bugs.webkit.org/show_bug.cgi?id=65942

        Reviewed by Gavin Barraclough.

        Changed "bal" to "jalr" for a possible processor mode change from
        MIPS32 to MIPS16.

        * jit/JITStubs.cpp:

2011-08-09  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT failure loading web site
        https://bugs.webkit.org/show_bug.cgi?id=65930

        Reviewed by Oliver Hunt.

        Put the use() call after the fpr()/gpr() calls, since doing otherwise
        breaks the register allocator.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):

2011-08-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add ParentClass typedef in all JSC classes
        https://bugs.webkit.org/show_bug.cgi?id=65731

        Reviewed by Oliver Hunt.

        Just added the Base typedefs in all the classes that are a subclass of JSCell
        to point at their parent classes.  This is a change to support future changes to the way
        constructors and destructors are implemented in JS objects, among other things.

        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::JSCallbackObject):
        (JSC::::init):
        (JSC::::className):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::deleteProperty):
        (JSC::::getConstructData):
        (JSC::::construct):
        (JSC::::hasInstance):
        (JSC::::getCallData):
        (JSC::::call):
        (JSC::::getOwnPropertyNames):
        (JSC::::toNumber):
        (JSC::::toString):
        (JSC::::setPrivate):
        (JSC::::getPrivate):
        (JSC::::inherits):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * debugger/DebuggerActivation.h:
        * jsc.cpp:
844         * runtime/Arguments.h:
845         * runtime/ArrayConstructor.h:
846         * runtime/ArrayPrototype.h:
847         * runtime/BooleanConstructor.h:
848         * runtime/BooleanObject.h:
849         * runtime/BooleanPrototype.h:
850         * runtime/DateConstructor.h:
851         * runtime/DateInstance.h:
852         * runtime/DatePrototype.h:
853         * runtime/Error.cpp:
854         * runtime/ErrorConstructor.h:
855         * runtime/ErrorInstance.h:
856         * runtime/ErrorPrototype.h:
857         * runtime/ExceptionHelpers.cpp:
858         * runtime/Executable.h:
859         * runtime/FunctionConstructor.h:
860         * runtime/FunctionPrototype.h:
861         * runtime/GetterSetter.h:
862         * runtime/InternalFunction.h:
863         * runtime/JSAPIValueWrapper.h:
864         * runtime/JSActivation.h:
865         * runtime/JSArray.h:
866         * runtime/JSFunction.h:
867         * runtime/JSGlobalObject.h:
868         * runtime/JSNotAnObject.h:
869         * runtime/JSONObject.h:
870         * runtime/JSObject.h:
871         * runtime/JSPropertyNameIterator.h:
872         * runtime/JSStaticScopeObject.h:
873         * runtime/JSString.h:
874         * runtime/JSVariableObject.h:
875         * runtime/JSWrapperObject.h:
876         * runtime/MathObject.h:
877         * runtime/NativeErrorConstructor.h:
878         * runtime/NativeErrorPrototype.h:
879         * runtime/NumberConstructor.h:
880         * runtime/NumberObject.h:
881         * runtime/NumberPrototype.h:
882         * runtime/ObjectConstructor.h:
883         * runtime/ObjectPrototype.h:
884         * runtime/RegExp.h:
885         * runtime/RegExpConstructor.h:
886         * runtime/RegExpMatchesArray.h:
887         * runtime/RegExpObject.h:
888         (JSC::RegExpObject::create):
889         * runtime/RegExpPrototype.h:
890         * runtime/ScopeChain.h:
891         * runtime/StrictEvalActivation.h:
892         * runtime/StringConstructor.h:
893         * runtime/StringObject.h:
894         * runtime/StringObjectThatMasqueradesAsUndefined.h:
895         * runtime/StringPrototype.h:
896         * runtime/Structure.h:
897         * runtime/StructureChain.h:
898
899 2011-08-08  Oliver Hunt  <oliver@apple.com>
900
901         Using mprotect to create guard pages breaks our use of madvise to release executable memory
902         https://bugs.webkit.org/show_bug.cgi?id=65870
903
904         Reviewed by Gavin Barraclough.
905
906         Use mmap rather than mprotect to clear guard page permissions.
907
908         * wtf/OSAllocatorPosix.cpp:
909         (WTF::OSAllocator::reserveAndCommit):
910
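The entry above swaps mprotect() for a fresh mmap() when carving guard pages out of a reserved region. The following is an added example, not WebKit or JavaScriptCore code: it reserves and commits a region, turns the edge pages into guards by re-mapping them with mmap(MAP_FIXED, PROT_NONE), and then probes that the guards fault while the interior stays writable and can be handed back with madvise(). It assumes a POSIX system (written against Linux), uses a SIGSEGV/SIGBUS handler with siglongjmp as the probe, and uses MADV_DONTNEED as a portable stand-in; the Darwin-specific madvise behaviour that motivated the WebKit change is not reproduced here.

```cpp
// Added example, not WebKit/JavaScriptCore code: carve guard pages around a
// committed region by re-mapping the edge pages with mmap(MAP_FIXED, PROT_NONE)
// instead of calling mprotect() on them, then verify that the guards fault,
// that the interior is writable, and that it can be released with madvise().
#include <sys/mman.h>
#include <unistd.h>
#include <csetjmp>
#include <csignal>
#include <cstddef>
#include <cstdio>

struct GuardedRegion {
    char* base = nullptr;    // whole reservation, guard pages included
    char* usable = nullptr;  // first byte the caller may touch
    size_t usableBytes = 0;
    size_t totalBytes = 0;
};

size_t pageSize() { return static_cast<size_t>(sysconf(_SC_PAGESIZE)); }

// Reserve and commit `usableBytes` (rounded up to whole pages) with one guard
// page on each side. Stand-in for the reserveAndCommit() shape named in the
// ChangeLog entry; the body here is the example's own.
bool reserveAndCommitGuarded(size_t usableBytes, GuardedRegion& out) {
    const size_t page = pageSize();
    usableBytes = (usableBytes + page - 1) & ~(page - 1);
    const size_t total = usableBytes + 2 * page;
    void* base = mmap(nullptr, total, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return false;
    // Replace the edge mappings outright instead of changing their protection.
    // A fresh PROT_NONE mapping carries no state over from the committed pages,
    // which is what the entry relies on so a later madvise() on the pool works.
    char* low = static_cast<char*>(base);
    char* high = low + page + usableBytes;
    const int fixedFlags = MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED;
    if (mmap(low, page, PROT_NONE, fixedFlags, -1, 0) == MAP_FAILED
        || mmap(high, page, PROT_NONE, fixedFlags, -1, 0) == MAP_FAILED) {
        munmap(base, total);
        return false;
    }
    out.base = low;
    out.usable = low + page;
    out.usableBytes = usableBytes;
    out.totalBytes = total;
    return true;
}

// Fault probe: write one byte at `p` and report whether that raised a signal
// (Linux delivers SIGSEGV for PROT_NONE pages; Darwin delivers SIGBUS).
static sigjmp_buf g_faultJump;
static void onFault(int) { siglongjmp(g_faultJump, 1); }

bool writeFaults(volatile char* p) {
    struct sigaction sa = {}, oldSegv = {}, oldBus = {};
    sa.sa_handler = onFault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &oldSegv);
    sigaction(SIGBUS, &sa, &oldBus);
    volatile bool faulted = true;
    if (sigsetjmp(g_faultJump, 1) == 0) {
        *p = 0x41;       // if this traps, control resumes in the else-path above
        faulted = false;
    }
    sigaction(SIGSEGV, &oldSegv, nullptr);
    sigaction(SIGBUS, &oldBus, nullptr);
    return faulted;
}

struct GuardDemoResult {
    bool allocated = false, lowGuardFaults = false, highGuardFaults = false;
    bool interiorWritable = false, releaseOk = false;
};

GuardDemoResult runGuardPageDemo(size_t usableBytes) {
    GuardDemoResult r;
    GuardedRegion region;
    if (!reserveAndCommitGuarded(usableBytes, region))
        return r;
    r.allocated = true;
    r.lowGuardFaults = writeFaults(region.usable - 1);                   // last byte of low guard
    r.highGuardFaults = writeFaults(region.usable + region.usableBytes); // first byte of high guard
    r.interiorWritable = !writeFaults(region.usable)
        && !writeFaults(region.usable + region.usableBytes - 1);
    // Decommit the interior the way a pool hands pages back to the OS.
    r.releaseOk = madvise(region.usable, region.usableBytes, MADV_DONTNEED) == 0;
    munmap(region.base, region.totalBytes);
    return r;
}

int main() {
    GuardDemoResult r = runGuardPageDemo(3 * pageSize());
    std::printf("allocated=%d lowGuard=%d highGuard=%d interior=%d release=%d\n",
                r.allocated, r.lowGuardFaults, r.highGuardFaults,
                r.interiorWritable, r.releaseOk);
    return 0;
}
```

The probe deliberately touches the byte on each side of the usable range, so an off-by-one in the guard placement shows up as a writable guard rather than as a silent pass.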
911 2011-08-08  Oliver Hunt  <oliver@apple.com>
912
913         Non-extensibility does not prevent mutating [[Prototype]]
914         https://bugs.webkit.org/show_bug.cgi?id=65832
915
916         Reviewed by Gavin Barraclough.
917
918         Disallow mutation of __proto__ on objects that are not extensible.
919
920         * runtime/JSObject.cpp:
921         (JSC::JSObject::put):
922
923 2011-08-08  Filip Pizlo  <fpizlo@apple.com>
924
925         DFG JIT does not track speculation decisions for global variables
926         https://bugs.webkit.org/show_bug.cgi?id=65825
927
928         Reviewed by Gavin Barraclough.
929         
930         Added the capability to track predictions for global variables, and
931         ensured that code can abstract over the source of prediction (local
932         versus global variable) wherever it is appropriate to do so.  Also
933         cleaned up the code in SpeculativeJIT that decides how to speculate
934         based on recorded predictions (for example instead of using isInteger,
935         which makes sense for local predictions where the GetLocal would
936         return an integer value, we now tend to use shouldSpeculateInteger,
937         which checks if the value is either already an integer or should be
938         speculated to be an integer).
939         
940         This is an 0.8% win on SunSpider, almost entirely thanks to a 25%
941         win on controlflow-recursive.  It's also a 4.8% win on v8-crypto.
942
943         * dfg/DFGByteCodeParser.cpp:
944         (JSC::DFG::ByteCodeParser::predictArray):
945         (JSC::DFG::ByteCodeParser::predictInt32):
946         (JSC::DFG::ByteCodeParser::parseBlock):
947         * dfg/DFGGraph.cpp:
948         (JSC::DFG::Graph::dump):
949         * dfg/DFGGraph.h:
950         (JSC::DFG::Graph::predictGlobalVar):
951         (JSC::DFG::Graph::predict):
952         (JSC::DFG::Graph::getGlobalVarPrediction):
953         (JSC::DFG::Graph::getPrediction):
954         * dfg/DFGSpeculativeJIT.cpp:
955         (JSC::DFG::SpeculativeJIT::compile):
956         * dfg/DFGSpeculativeJIT.h:
957         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
958         (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
959
960 2011-08-07  Martin Robinson  <mrobinson@igalia.com>
961
962         Distribution fix for GTK+.
963
964         * GNUmakefile.list.am: Strip removed files from the source list.
965
966 2011-08-06  Gavin Barraclough  <barraclough@apple.com>
967
968         https://bugs.webkit.org/show_bug.cgi?id=65821
969         Don't form identifiers the first time a string is used as a property name.
970
971         Reviewed by Oliver Hunt.
972
973         This is a 1% win on SunSpider.
974
975         * dfg/DFGOperations.cpp:
976             - Use fastGetOwnProperty.
977         * jit/JITStubs.cpp:
978         (JSC::DEFINE_STUB_FUNCTION):
979             - Use fastGetOwnProperty.
980         * runtime/JSCell.h:
981         * runtime/JSObject.h:
982         (JSC::JSCell::fastGetOwnProperty):
983             - Fast call to get a property without creating an identifier the first time.
984         * runtime/PropertyMapHashTable.h:
985         (JSC::PropertyTable::find):
986         (JSC::PropertyTable::findWithString):
987             - Add interface to look up by either strings or identifiers.
988         * runtime/Structure.h:
989         (JSC::Structure::get):
990             - Add a get() call that takes a UString, not an Identifier.
991         * wtf/text/StringImpl.h:
992         (WTF::StringImpl::hasHash):
993             - Add a call to check if the hash has been set (to detect the first use as a property name).
994
995 2011-08-06  Aron Rosenberg  <arosenberg@logitech.com>
996
997         Reviewed by Benjamin Poulain.
998
999         [Qt] Fix build with Intel compiler on Windows
1000         https://bugs.webkit.org/show_bug.cgi?id=65088
1001
1002         Intel compiler needs .lib suffixes instead of .a
1003         Intel compiler doesn't support nullptr
1004         Intel compiler supports unsized arrays
1005
1006         * JavaScriptCore.pri:
1007         * jsc.cpp:
1008         * wtf/ByteArray.h:
1009         * wtf/NullPtr.h:
1010
1011 2011-08-05  Gavin Barraclough  <barraclough@apple.com>
1012
1013         String replace with the empty string means string removal
1014         https://bugs.webkit.org/show_bug.cgi?id=65799
1015
1016         Reviewed by Sam Weinig.
1017
1018         Optimization for String.prototype.replace([RegExp], ""), this improves v8-regexp by ~3%.
1019
1020         * runtime/StringPrototype.cpp:
1021         (JSC::jsSpliceSubstrings):
1022         (JSC::stringProtoFuncReplace):
1023
1024 2011-08-05  Noel Gordon  <noel.gordon@gmail.com>
1025
1026         [Chromium] Remove JSZombie references from gyp project files.
1027         https://bugs.webkit.org/show_bug.cgi?id=65798
1028
1029         JSC runtime/JSZombie.{cpp,h} were removed in r92046.  Remove references to these
1030         file names from the gyp projects.
1031
1032         Reviewed by Darin Adler.
1033
1034         * JavaScriptCore.gypi: zombies be gone.
1035
1036 2011-08-05  Mark Rowe  <mrowe@apple.com>
1037
1038         <http://webkit.org/b/65785> ThreadRestrictionVerifier needs a mode where an object
1039         is tied to a particular dispatch queue
1040
1041         A RefCounted object can be opted in to this mode by calling setDispatchQueueForVerifier
1042         with the dispatch queue it will be tied to. This will cause ThreadRestrictionVerifier
1043         to ensure that all operations are performed on the given dispatch queue.
1044
1045         Reviewed by Anders Carlsson.
1046
1047         * wtf/RefCounted.h:
1048         (WTF::RefCountedBase::setDispatchQueueForVerifier):
1049         * wtf/ThreadRestrictionVerifier.h:
1050         (WTF::ThreadRestrictionVerifier::ThreadRestrictionVerifier):
1051         (WTF::ThreadRestrictionVerifier::~ThreadRestrictionVerifier):
1052         (WTF::ThreadRestrictionVerifier::setDispatchQueueMode):
1053         (WTF::ThreadRestrictionVerifier::setShared):
1054         (WTF::ThreadRestrictionVerifier::isSafeToUse):
1055
1056 2011-08-05  Oliver Hunt  <oliver@apple.com>
1057
1058         Inline allocation of function objects
1059         https://bugs.webkit.org/show_bug.cgi?id=65779
1060
1061         Reviewed by Gavin Barraclough.
1062
1063         Inline allocation and initialisation of function objects
1064         in generated code.  This ended up being a 60-70% improvement
1065         in function allocation performance.  This improvement shows
1066         up as a ~2% improvement in 32bit sunspider and V8, but is a
1067         wash on 64-bit.
1068
1069         We currently don't inline the allocation of named function
1070         expressions, as that requires being able to gc allocate a
1071         variable object.
1072
1073         * jit/JIT.cpp:
1074         (JSC::JIT::privateCompileSlowCases):
1075         * jit/JIT.h:
1076         (JSC::JIT::emitStoreCell):
1077         * jit/JITInlineMethods.h:
1078         (JSC::JIT::emitAllocateBasicJSObject):
1079         (JSC::JIT::emitAllocateJSFinalObject):
1080         (JSC::JIT::emitAllocateJSFunction):
1081         * jit/JITOpcodes.cpp:
1082         (JSC::JIT::emit_op_new_func):
1083         (JSC::JIT::emitSlow_op_new_func):
1084         (JSC::JIT::emit_op_new_func_exp):
1085         (JSC::JIT::emitSlow_op_new_func_exp):
1086         * jit/JITOpcodes32_64.cpp:
1087             Removed duplicate implementation of op_new_func and op_new_func_exp
1088         * runtime/JSFunction.h:
1089         (JSC::JSFunction::offsetOfScopeChain):
1090         (JSC::JSFunction::offsetOfExecutable):
1091
1092 2011-08-04  David Levin  <levin@chromium.org>
1093
1094         CStringBuffer should have thread safety checks turned on.
1095         https://bugs.webkit.org/show_bug.cgi?id=58093
1096
1097         Reviewed by Dmitry Titov.
1098
1099         * wtf/text/CString.h:
1100         (WTF::CStringBuffer::CStringBuffer): Removed the ifdef that
1101         turned this off for Chromium.
1102
1103 2011-08-04  Mark Rowe  <mrowe@apple.com>
1104
1105         Future-proof Xcode configuration settings.
1106
1107         * Configurations/Base.xcconfig:
1108         * Configurations/DebugRelease.xcconfig:
1109         * Configurations/JavaScriptCore.xcconfig:
1110         * Configurations/Version.xcconfig:
1111
1112 2011-08-04  Mark Hahnenberg  <mhahnenberg@apple.com>
1113
1114         Interpreter can potentially GC in the middle of initializing a structure chain
1115         https://bugs.webkit.org/show_bug.cgi?id=65638
1116
1117         Reviewed by Oliver Hunt.
1118
1119         Moved the allocation of a prototype StructureChain before the initialization of 
1120         the structure chain within the interpreter that was causing intermittent GC crashes.
1121
1122         * interpreter/Interpreter.cpp:
1123         (JSC::Interpreter::tryCachePutByID):
1124         * wtf/Platform.h:
1125
1126 2011-08-04  Filip Pizlo  <fpizlo@apple.com>
1127
1128         Eval handling attempts literal parsing even when the eval
1129         string is in the cache
1130         https://bugs.webkit.org/show_bug.cgi?id=65675
1131
1132         Reviewed by Oliver Hunt.
1133         
1134         This is a 25% speed-up on date-format-tofte and a 1.5% speed-up overall
1135         in SunSpider.  It's neutral on V8.
1136
1137         * bytecode/EvalCodeCache.h:
1138         (JSC::EvalCodeCache::tryGet):
1139         (JSC::EvalCodeCache::getSlow):
1140         (JSC::EvalCodeCache::get):
1141         * interpreter/Interpreter.cpp:
1142         (JSC::Interpreter::callEval):
1143
1144 2011-08-03  Mark Rowe  <mrowe@apple.com>
1145
1146         Bring some order to FeatureDefines.xcconfig to make it easier to follow.
1147
1148         Reviewed by Sam Weinig.
1149
1150         * Configurations/FeatureDefines.xcconfig:
1151
1152 2011-08-03  Mark Rowe  <mrowe@apple.com>
1153
1154         Clean up FeatureDefines.xcconfig to remove some unnecessary conditional settings
1155
1156         Reviewed by Dave Kilzer.
1157
1158         * Configurations/FeatureDefines.xcconfig:
1159
1160 2011-08-03  Filip Pizlo  <fpizlo@apple.com>
1161
1162         JSC GC heap size improvement breaks build on some platforms due to
1163         unused parameter
1164         https://bugs.webkit.org/show_bug.cgi?id=65641
1165
1166         Reviewed by Darin Adler.
1167         
1168         Fix build on non-x86 platforms, by ensuring that the relevant
1169         parameter always appears to be used even when it isn't.
1170
1171         * heap/Heap.cpp:
1172
1173 2011-08-03  Carlos Garcia Campos  <cgarcia@igalia.com>
1174
1175         [GTK] Reorganize pkg-config files
1176         https://bugs.webkit.org/show_bug.cgi?id=65548
1177
1178         Reviewed by Martin Robinson.
1179
1180         * GNUmakefile.am:
1181         * javascriptcoregtk.pc.in: Renamed from Source/WebKit/gtk/javascriptcoregtk.pc.in.
1182
1183 2011-08-01  David Levin  <levin@chromium.org>
1184
1185         Add asserts to RefCounted to make sure ref/deref happens on the right thread.
1186         https://bugs.webkit.org/show_bug.cgi?id=31639
1187
1188         Reviewed by Dmitry Titov.
1189
1190         * GNUmakefile.list.am: Added new files to the build.
1191         * JavaScriptCore.gypi: Ditto.
1192         * JavaScriptCore.vcproj/WTF/WTF.vcproj: Ditto.
1193         * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
1194         * jit/ExecutableAllocator.h:
1195         (JSC::ExecutablePool::ExecutablePool): Turned off checks for this
1196         due to not being able to figure out what was guarding it (bug 58091).
1197         * parser/SourceProvider.h:
1198         (JSC::SourceProvider::SourceProvider): Ditto.
1199         * wtf/CMakeLists.txt: Added new files to the build.
1200         * wtf/ThreadRestrictionVerifier.h: Added.
1201         Everything is done in the header to avoid the issue with exports
1202         that are only useful in debug but would still need to be exported.
1203         * wtf/RefCounted.h:
1204         (WTF::RefCountedBase::ref): Added checks using the non-thread-safe verifier,
1205         and filed bug 58171 about making it stricter.
1206         (WTF::RefCountedBase::hasOneRef): Ditto.
1207         (WTF::RefCountedBase::refCount): Ditto.
1208         (WTF::RefCountedBase::setMutexForVerifier): Expose a way to change the checks to be based
1209         on a mutex. This is in the header to avoid adding more exports from JavaScriptCore.
1210         (WTF::RefCountedBase::deprecatedTurnOffVerifier): Temporary way to turn off verification.
1211         Filed bug 58174 to remove this method.
1212         (WTF::RefCountedBase::derefBase):
1213         * wtf/SizeLimits.cpp: Adjusted the debug size check for RefCounted.
1214         * wtf/text/CString.h:
1215         (WTF::CStringBuffer::CStringBuffer): Turned off checks for this while a fix is being
1216         done in Chromium (bug 58093).
1217
1218 2011-08-02  Filip Pizlo  <fpizlo@apple.com>
1219
1220         JSC GC may not be able to reuse partially-free blocks after a
1221         full collection
1222         https://bugs.webkit.org/show_bug.cgi?id=65585
1223
1224         Reviewed by Darin Adler.
1225         
1226         This fixes the linked list management bug.  This fix is performance
1227         neutral on SunSpider.
1228
1229         * heap/NewSpace.cpp:
1230         (JSC::NewSpace::removeBlock):
1231
1232 2011-07-30  Oliver Hunt  <oliver@apple.com>
1233
1234         Simplify JSFunction creation for functions written in JS
1235         https://bugs.webkit.org/show_bug.cgi?id=65422
1236
1237         Reviewed by Gavin Barraclough.
1238
1239         Remove hash lookups used to write name property and transition
1240         function structure by caching the resultant structure and property
1241         offset in JSGlobalObject.  This doesn't impact performance, but
1242         we can use this change to make other improvements later.
1243
1244         * runtime/Executable.cpp:
1245         (JSC::FunctionExecutable::FunctionExecutable):
1246         * runtime/Executable.h:
1247         (JSC::ScriptExecutable::ScriptExecutable):
1248         (JSC::FunctionExecutable::jsName):
1249         * runtime/JSFunction.cpp:
1250         (JSC::JSFunction::JSFunction):
1251         * runtime/JSGlobalObject.cpp:
1252         (JSC::JSGlobalObject::reset):
1253         * runtime/JSGlobalObject.h:
1254         (JSC::JSGlobalObject::namedFunctionStructure):
1255         (JSC::JSGlobalObject::functionNameOffset):
1256
1257 2011-08-02  Filip Pizlo  <fpizlo@apple.com>
1258
1259         JSC GC uses dummy cells to avoid having to remember which cells
1260         it has already destroyed
1261         https://bugs.webkit.org/show_bug.cgi?id=65556
1262
1263         Reviewed by Oliver Hunt.
1264         
1265         This gets rid of dummy cells, and ensures that it's not necessary
1266         to invoke a destructor on cells that have already been swept.  In
1267         the common case, a block knows that either all of its free cells
1268         still need to have destructors called, or none of them do, which
1269         minimizes the amount of branching that needs to happen per cell
1270         when performing a sweep.
1271         
1272         This is performance neutral on SunSpider and V8.  It is meant as
1273         a stepping stone to simplify the implementation of more
1274         sophisticated sweeping algorithms.
1275
1276         * heap/Heap.cpp:
1277         (JSC::CountFunctor::ClearMarks::operator()):
1278         * heap/MarkedBlock.cpp:
1279         (JSC::MarkedBlock::initForCellSize):
1280         (JSC::MarkedBlock::callDestructor):
1281         (JSC::MarkedBlock::specializedReset):
1282         (JSC::MarkedBlock::reset):
1283         (JSC::MarkedBlock::specializedSweep):
1284         (JSC::MarkedBlock::sweep):
1285         (JSC::MarkedBlock::produceFreeList):
1286         (JSC::MarkedBlock::lazySweep):
1287         (JSC::MarkedBlock::blessNewBlockForFastPath):
1288         (JSC::MarkedBlock::blessNewBlockForSlowPath):
1289         (JSC::MarkedBlock::canonicalizeBlock):
1290         * heap/MarkedBlock.h:
1291         (JSC::MarkedBlock::FreeCell::setNoObject):
1292         (JSC::MarkedBlock::setDestructorState):
1293         (JSC::MarkedBlock::destructorState):
1294         (JSC::MarkedBlock::notifyMayHaveFreshFreeCells):
1295         * runtime/JSCell.cpp:
1296         * runtime/JSCell.h:
1297         (JSC::JSCell::JSCell::JSCell):
1298         * runtime/JSGlobalData.cpp:
1299         (JSC::JSGlobalData::JSGlobalData):
1300         (JSC::JSGlobalData::clearBuiltinStructures):
1301         * runtime/JSGlobalData.h:
1302         * runtime/Structure.h:
1303
1304 2011-08-01  Michael Saboff  <msaboff@apple.com>
1305
1306         Virtual copying of FastMalloc allocated memory causes madvise MADV_FREE_REUSABLE errors
1307         https://bugs.webkit.org/show_bug.cgi?id=65502
1308
1309         Reviewed by Anders Carlsson.
1310
1311         With the fix of the issues causing madvise MADV_FREE_REUSABLE to fail,
1312         added an assert to the return code of madvise to catch any regressions.
1313
1314         * wtf/TCSystemAlloc.cpp:
1315         (TCMalloc_SystemRelease):
1316
1317 2011-08-02  Anders Carlsson  <andersca@apple.com>
1318
1319         Fix Windows build.
1320
1321         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1322
1323 2011-08-02  Anders Carlsson  <andersca@apple.com>
1324
1325         Fix a Windows build error.
1326
1327         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1328
1329 2011-08-02  Filip Pizlo  <fpizlo@apple.com>
1330
1331         JSC GC is far too conservative about growing the heap size, particularly
1332         on desktop platforms
1333         https://bugs.webkit.org/show_bug.cgi?id=65438
1334
1335         Reviewed by Oliver Hunt.
1336
1337         The minimum heap size is now 16MB instead of 512KB, provided all of the
1338         following are true:
1339         a) ENABLE(LARGE_HEAP) is set, which currently only happens on
1340            x86 targets, but could reasonably happen on any platform that is
1341            known to have a decent amount of RAM.
1342         b) JSGlobalData is initialized with HeapSize = LargeHeap, which
1343            currently only happens when it's the JSDOMWindowBase in WebCore or
1344            in the jsc command-line tool.
1345            
1346         This is a 4.1% speed-up on SunSpider.
1347
1348         * JavaScriptCore.exp:
1349         * heap/Heap.cpp:
1350         (JSC::Heap::Heap):
1351         (JSC::Heap::collect):
1352         * heap/Heap.h:
1353         * jsc.cpp:
1354         (main):
1355         * runtime/JSGlobalData.cpp:
1356         (JSC::JSGlobalData::JSGlobalData):
1357         (JSC::JSGlobalData::createContextGroup):
1358         (JSC::JSGlobalData::create):
1359         (JSC::JSGlobalData::createLeaked):
1360         (JSC::JSGlobalData::sharedInstance):
1361         * runtime/JSGlobalData.h:
1362         * wtf/Platform.h:
1363
1364 2011-08-02  Filip Pizlo  <fpizlo@apple.com>
1365
1366         JSC does a GC even when the heap still has free pages
1367         https://bugs.webkit.org/show_bug.cgi?id=65445
1368
1369         Reviewed by Oliver Hunt.
1370         
1371         If the high watermark is not reached, then we allocate new blocks as
1372         before.  If the current watermark does reach (or exceed) the high
1373         watermark, then we check if there is a block on the free block pool.
1374         If there is, we simply allocate from it.  If there isn't, we
1375         invoke a collection as before.  This effectively couples the elastic
1376         scavenging to the collector's decision function.  That is, if an
1377         application rapidly varies its heap usage (sometimes using more and
1378         sometimes less) then the collector will not thrash as it used to.
1379         But if heap usage drops and stays low then the scavenger thread and
1380         the GC will eventually reach a kind of consensus: the GC will set
1381         the watermark low because of low heap usage, and the scavenger thread
1382         will steadily eliminate pages from the free page pool, until the size
1383         of the free pool is below the high watermark.
1384         
1385         On command-line, this is neutral on SunSpider and Kraken and a 3% win
1386         on V8.  In browser, this is a 1% win on V8 and neutral on the other
1387         two.
1388
1389         * heap/Heap.cpp:
1390         (JSC::Heap::allocateSlowCase):
1391         (JSC::Heap::allocateBlock):
1392         * heap/Heap.h:
1393
1394 2011-08-02  Jeff Miller  <jeffm@apple.com>
1395
1396         Move WTF_USE_AVFOUNDATION from JavaScriptCore/wtf/platform.h to WebCore/config.h
1397         https://bugs.webkit.org/show_bug.cgi?id=65552
1398         
1399         Since this is a WebCore feature, there's no need to define it in JavaScriptCore/wtf/platform.h.
1400
1401         Reviewed by Adam Roben.
1402
1403         * wtf/Platform.h: Removed WTF_USE_AVFOUNDATION.
1404
1405 2011-08-01  Jean-luc Brouillet  <jeanluc@chromium.org>
1406
1407         Removing old source files in gyp files that slow build
1408         https://bugs.webkit.org/show_bug.cgi?id=65503
1409
1410         Reviewed by Adam Barth.
1411
1412         A number of stale files are listed in the gyp files. These slow the
1413         build on Visual Studio 2010. Removing them.
1414
1415         * JavaScriptCore.gypi:
1416
1417 2011-07-14  David Levin  <levin@chromium.org>
1418
1419         currentThread is too slow!
1420         https://bugs.webkit.org/show_bug.cgi?id=64577
1421
1422         Reviewed by Darin Adler and Dmitry Titov.
1423
1424         The problem is that currentThread results in a pthread_once call which always takes a lock.
1425         With this change, currentThread is 10% faster than isMainThread in release mode and only
1426         5% slower than isMainThread in debug.
1427
1428         * wtf/ThreadIdentifierDataPthreads.cpp:
1429         (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
1430         which is no longer needed because this is called from initializeThreading().
1431         (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
1432         initialization of the pthread key should already be done.
1433         (WTF::ThreadIdentifierData::initialize): Ditto.
1434         * wtf/ThreadIdentifierDataPthreads.h:
1435         * wtf/ThreadingPthreads.cpp:
1436         (WTF::initializeThreading): Acquire the pthread key here.
1437
1438 2011-08-01  Filip Pizlo  <fpizlo@apple.com>
1439
1440         DFG JIT sometimes creates speculation check data structures that have
1441         invalid information about the format of a register
1442         https://bugs.webkit.org/show_bug.cgi?id=65490
1443
1444         Reviewed by Gavin Barraclough.
1445         
1446         The code now makes sure to (1) always have correct and up-to-date
1447         information about register format at the time that a speculation
1448         check is emitted, (2) assert that speculation data is correct
1449         inside the speculation check implementation, and (3) avoid creating
1450         speculation data altogether if compilation has already failed, since
1451         at that point the format data is almost guaranteed to be bogus.
1452
1453         * dfg/DFGNonSpeculativeJIT.cpp:
1454         (JSC::DFG::EntryLocation::EntryLocation):
1455         * dfg/DFGSpeculativeJIT.cpp:
1456         (JSC::DFG::SpeculationCheck::SpeculationCheck):
1457         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1458         (JSC::DFG::SpeculativeJIT::compile):
1459         * dfg/DFGSpeculativeJIT.h:
1460         (JSC::DFG::SpeculativeJIT::speculationCheck):
1461
1462 2011-08-01  Filip Pizlo  <fpizlo@apple.com>
1463
1464         REGRESSION(r92092): Build fails on 64 bit
1465         https://bugs.webkit.org/show_bug.cgi?id=65458
1466
1467         Reviewed by Oliver Hunt.
1468         
1469         The build was broken because some compilers were smart enough to see
1470         an array index out of bounds due to the decision function for when to
1471         go from precise size classes to imprecise size classes being broken:
1472         it would assume that sizes in the range 97..128 belonged to a precise
1473         size class when in fact they belonged to an imprecise one.
1474         
1475         In fact, the code would have run correctly, by way of a fluke, because
1476         though the 4th precise size class (for 97..128) didn't exist, the next
1477         array over from m_preciseSizeClasses was m_impreciseSizeClasses, and
1478         its first entry would have been a size class that is appropriate for
1479         allocations in the range 97..128.  However, this relies on specific
1480         ordering of fields in NewSpace, so it's still a bug.
1481         
1482         This fixes the bug by ensuring that allocations larger than 96 use
1483         the imprecise size classes.
1484
1485         * heap/NewSpace.h:
1486         (JSC::NewSpace::sizeClassFor):
1487
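The entry above describes a size-class boundary error: requests of 97..128 bytes were routed to a precise size class that did not exist, and the code only worked because the neighbouring array happened to hold a suitable class. The following is an added example, not JavaScriptCore code: it models the precise/imprecise split with the broken boundary predicate beside the fixed one, records whether each lookup stays inside its table instead of silently reading past it, and checks every request size exhaustively. The constants (32-byte atom, precise classes up to 96 bytes, 128-byte imprecise steps, 1024-byte maximum) are assumptions chosen to reproduce the 97..128 gap, not NewSpace's real layout.

```cpp
// Added example, not JavaScriptCore code: a model of the precise/imprecise
// size-class split described in the entry above, with the broken boundary
// predicate beside the fixed one and an exhaustive check over every request
// size. All constants are assumptions chosen to reproduce the 97..128 gap.
#include <cstddef>
#include <cstdio>
#include <vector>

namespace sizeclass {

constexpr size_t atomSize = 32;        // assumed: 4 pointer-size words on 64-bit
constexpr size_t preciseCutoff = 96;   // largest request served by a precise class
constexpr size_t impreciseStep = 128;  // assumed spacing of imprecise classes
constexpr size_t maxCellSize = 1024;   // assumed largest request handled here
constexpr size_t preciseCount = preciseCutoff / atomSize;  // 3 classes: 32, 64, 96
constexpr size_t impreciseCount =
    (maxCellSize - preciseCutoff + impreciseStep - 1) / impreciseStep;  // 8 classes

struct Lookup {
    bool precise;     // true: precise table, false: imprecise table
    size_t index;     // index into that table
    bool inBounds;    // index < table length (false would be UB in real code)
    size_t cellSize;  // cell size of the chosen class, 0 when out of bounds
};

inline size_t preciseCellSize(size_t i) { return (i + 1) * atomSize; }
inline size_t impreciseCellSize(size_t i) { return preciseCutoff + (i + 1) * impreciseStep; }

inline Lookup impreciseLookup(size_t bytes) {
    size_t idx = (bytes - preciseCutoff - 1) / impreciseStep;
    bool ok = idx < impreciseCount;
    return { false, idx, ok, ok ? impreciseCellSize(idx) : size_t(0) };
}

// Model of the broken decision: round the request up to atoms and treat up to
// preciseCount + 1 atoms (<= 128 bytes) as precise, so 97..128 selects precise
// index 3 although only indices 0..2 exist.
inline Lookup sizeClassForBuggy(size_t bytes) {
    if (bytes == 0) bytes = 1;
    size_t atoms = (bytes + atomSize - 1) / atomSize;
    if (atoms <= preciseCount + 1) {
        size_t idx = atoms - 1;
        bool ok = idx < preciseCount;
        return { true, idx, ok, ok ? preciseCellSize(idx) : size_t(0) };
    }
    return impreciseLookup(bytes);
}

// Fixed decision: anything larger than preciseCutoff goes to the imprecise table.
inline Lookup sizeClassFor(size_t bytes) {
    if (bytes == 0) bytes = 1;
    if (bytes <= preciseCutoff) {
        size_t idx = (bytes - 1) / atomSize;
        return { true, idx, true, preciseCellSize(idx) };
    }
    return impreciseLookup(bytes);
}

// Every request size in [1, maxCellSize] for which `fn` returns an index past
// its table or a class too small to hold the request.
inline std::vector<size_t> badSizes(Lookup (*fn)(size_t)) {
    std::vector<size_t> bad;
    for (size_t s = 1; s <= maxCellSize; ++s) {
        Lookup l = fn(s);
        if (!l.inBounds || l.cellSize < s)
            bad.push_back(s);
    }
    return bad;
}

}  // namespace sizeclass

int main() {
    std::vector<size_t> bad = sizeclass::badSizes(sizeclass::sizeClassForBuggy);
    std::printf("buggy predicate: %zu bad sizes", bad.size());
    if (!bad.empty())
        std::printf(" (%zu..%zu)", bad.front(), bad.back());
    std::printf("\nfixed predicate: %zu bad sizes\n",
                sizeclass::badSizes(sizeclass::sizeClassFor).size());
    return 0;
}
```

The exhaustive sweep is the part worth keeping: a size-class function has a small input domain, so checking every request against "index in range and cell large enough" is cheap and catches exactly the kind of boundary slip that a compiler only sometimes notices.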
1488 2011-07-31  Gavin Barraclough  <barraclough@apple.com>
1489
1490         https://bugs.webkit.org/show_bug.cgi?id=64679
1491         Fix bugs in Array.prototype this handling.
1492
1493         Unreviewed - rolling out r91290.
1494
1495         Looks like the wild wild web isn't ready for this yet.
1496
1497         This change broke http://slides.html5rocks.com/#landing-slide.
1498         Interestingly, this might only be due to our lack of bind support -
1499         it looks like this site is calling Array.prototype.slice as a part
1500         of its bind implementation.
1501
1502         * runtime/ArrayPrototype.cpp:
1503         (JSC::arrayProtoFuncJoin):
1504         (JSC::arrayProtoFuncConcat):
1505         (JSC::arrayProtoFuncPop):
1506         (JSC::arrayProtoFuncPush):
1507         (JSC::arrayProtoFuncReverse):
1508         (JSC::arrayProtoFuncShift):
1509         (JSC::arrayProtoFuncSlice):
1510         (JSC::arrayProtoFuncSort):
1511         (JSC::arrayProtoFuncSplice):
1512         (JSC::arrayProtoFuncUnShift):
1513         (JSC::arrayProtoFuncFilter):
1514         (JSC::arrayProtoFuncMap):
1515         (JSC::arrayProtoFuncEvery):
1516         (JSC::arrayProtoFuncForEach):
1517         (JSC::arrayProtoFuncSome):
1518         (JSC::arrayProtoFuncReduce):
1519         (JSC::arrayProtoFuncReduceRight):
1520         (JSC::arrayProtoFuncIndexOf):
1521         (JSC::arrayProtoFuncLastIndexOf):
1522
1523 2011-07-31  Filip Pizlo  <fpizlo@apple.com>
1524
1525         JSC GC lays out size classes under wrong assumptions about expected
1526         object size.
1527         https://bugs.webkit.org/show_bug.cgi?id=65437
1528
1529         Reviewed by Oliver Hunt.
1530         
1531         Changed the atom size - which is both the smallest allocation size and
1532         the smallest possible stepping unit for size class spacing - from
1533         8 bytes to 4 pointer-size words.  This is a 1% win on SunSpider.
1534
1535         * heap/MarkedBlock.h:
1536
1537 2011-07-31  Filip Pizlo  <fpizlo@apple.com>
1538
1539         DFG non-speculative JIT does not optimize PutByVal
1540         https://bugs.webkit.org/show_bug.cgi?id=65424
1541
1542         Reviewed by Gavin Barraclough.
1543         
1544         Added code to emit PutByVal inline fast path.
1545
1546         * dfg/DFGNonSpeculativeJIT.cpp:
1547         (JSC::DFG::NonSpeculativeJIT::compile):
1548
1549 2011-07-31  Filip Pizlo  <fpizlo@apple.com>
1550
1551         The JSC garbage collector returns memory to the operating system too
1552         eagerly.
1553         https://bugs.webkit.org/show_bug.cgi?id=65382
1554
1555         Reviewed by Oliver Hunt.
1556         
1557         This introduces a memory reuse model similar to the one in FastMalloc.
1558         A periodic scavenger thread runs in the background and returns half the
1559         free memory to the OS on each timer fire.  New block allocations first
1560         attempt to get the memory from the collector's internal pool, reverting
1561         to OS allocation only when this pool is empty.
1562
1563         * heap/Heap.cpp:
1564         (JSC::Heap::Heap):
1565         (JSC::Heap::~Heap):
1566         (JSC::Heap::destroy):
1567         (JSC::Heap::waitForRelativeTimeWhileHoldingLock):
1568         (JSC::Heap::waitForRelativeTime):
1569         (JSC::Heap::blockFreeingThreadStartFunc):
1570         (JSC::Heap::blockFreeingThreadMain):
1571         (JSC::Heap::allocateBlock):
1572         (JSC::Heap::freeBlocks):
1573         (JSC::Heap::releaseFreeBlocks):
1574         * heap/Heap.h:
1575         * heap/MarkedBlock.cpp:
1576         (JSC::MarkedBlock::destroy):
1577         (JSC::MarkedBlock::MarkedBlock):
1578         (JSC::MarkedBlock::initForCellSize):
1579         (JSC::MarkedBlock::reset):
1580         * heap/MarkedBlock.h:
1581         * wtf/Platform.h:
1582
1583 2011-07-30  Filip Pizlo  <fpizlo@apple.com>
1584
1585         DFG JIT speculation failure pass sometimes forgets to emit code to
1586         move certain registers.
1587         https://bugs.webkit.org/show_bug.cgi?id=65421
1588
1589         Reviewed by Oliver Hunt.
1590         
1591         Restructured the offending loops (for gprs and fprs).  It's once again
1592         possible to use spreadsheets on docs.google.com.
1593
1594         * dfg/DFGJITCompiler.cpp:
1595         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
1596
1597 2011-07-30  Patrick Gansterer  <paroga@webkit.org>
1598
1599         Remove inclusion of MainThread.h from Threading.h
1600         https://bugs.webkit.org/show_bug.cgi?id=65081
1601
1602         Reviewed by Darin Adler.
1603
1604         Add missing and remove unneeded include statements for MainThread.
1605
1606         * wtf/CryptographicallyRandomNumber.cpp:
1607         * wtf/Threading.h:
1608         * wtf/ThreadingPthreads.cpp:
1609         * wtf/text/StringStatics.cpp:
1610
1611 2011-07-30  Oliver Hunt  <oliver@apple.com>
1612
1613         Reduce the size of JSGlobalObject slightly
1614         https://bugs.webkit.org/show_bug.cgi?id=65417
1615
1616         Reviewed by Dan Bernstein.
1617
1618         Push a few members that either aren't commonly used,
1619         or aren't frequently accessed into a separate struct.
1620
1621         * runtime/JSGlobalObject.cpp:
1622         (JSC::JSGlobalObject::init):
1623         (JSC::JSGlobalObject::WeakMapsFinalizer::finalize):
1624         * runtime/JSGlobalObject.h:
1625         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1626         (JSC::JSGlobalObject::createRareDataIfNeeded):
1627         (JSC::JSGlobalObject::setProfileGroup):
1628         (JSC::JSGlobalObject::profileGroup):
1629         (JSC::JSGlobalObject::registerWeakMap):
1630         (JSC::JSGlobalObject::deregisterWeakMap):
1631
1632 2011-07-30  Balazs Kelemen  <kbalazs@webkit.org>
1633
1634         MessageQueue::waitForMessageFilteredWithTimeout can trigger an assertion
1635         https://bugs.webkit.org/show_bug.cgi?id=65263
1636
1637         Reviewed by Dmitry Titov.
1638
1639         * wtf/Deque.h:
1640         (WTF::::operator): Don't check the validity of an iterator
1641         that will be reassigned right now.
1642         * wtf/MessageQueue.h:
1643         (WTF::::removeIf): Revert r51198 as I believe this is the better
1644         solution for the problem that was solved by that.
1645
1646 2011-07-29  Filip Pizlo  <fpizlo@apple.com>
1647
1648         JSC GC zombie support no longer works, and is likely no longer needed.
1649         https://bugs.webkit.org/show_bug.cgi?id=65404
1650
1651         Reviewed by Darin Adler.
1652         
1653         This removes zombies, because they no longer work, are not tested, are
1654         probably not needed, and are getting in the way of GC optimization
1655         work.
1656
1657         * JavaScriptCore.xcodeproj/project.pbxproj:
1658         * heap/Handle.h:
1659         (JSC::HandleConverter::operator->):
1660         (JSC::HandleConverter::operator*):
1661         * heap/HandleHeap.cpp:
1662         (JSC::HandleHeap::isValidWeakNode):
1663         * heap/Heap.cpp:
1664         (JSC::Heap::destroy):
1665         (JSC::Heap::collect):
1666         * heap/MarkedBlock.cpp:
1667         (JSC::MarkedBlock::sweep):
1668         * heap/MarkedBlock.h:
1669         (JSC::MarkedBlock::clearMarks):
1670         * interpreter/Register.h:
1671         (JSC::Register::Register):
1672         (JSC::Register::operator=):
1673         * runtime/ArgList.h:
1674         (JSC::MarkedArgumentBuffer::append):
1675         (JSC::ArgList::ArgList):
1676         * runtime/JSCell.cpp:
1677         (JSC::isZombie):
1678         * runtime/JSCell.h:
1679         * runtime/JSGlobalData.cpp:
1680         (JSC::JSGlobalData::JSGlobalData):
1681         (JSC::JSGlobalData::clearBuiltinStructures):
1682         * runtime/JSGlobalData.h:
1683         * runtime/JSValue.h:
1684         * runtime/JSValueInlineMethods.h:
1685         (JSC::JSValue::JSValue):
1686         * runtime/JSZombie.cpp: Removed.
1687         * runtime/JSZombie.h: Removed.
1688         * runtime/WriteBarrier.h:
1689         (JSC::WriteBarrierBase::setEarlyValue):
1690         (JSC::WriteBarrierBase::operator*):
1691         (JSC::WriteBarrierBase::setWithoutWriteBarrier):
1692         * wtf/Platform.h:
1693
1694 2011-07-29  Filip Pizlo  <fpizlo@apple.com>
1695
1696         DFG JIT verbose mode provides no details about predictions
1697         https://bugs.webkit.org/show_bug.cgi?id=65389
1698
1699         Reviewed by Darin Adler.
1700         
1701         Added a print-out of the predictions to the IR dump, with names as follows:
1702         "p-bottom" = the parser made no predictions
1703         "p-int32" = the parser predicted int32
1704         ... (same for array, cell, double, number)
1705         "p-top" = the parser made conflicting predictions which will be ignored.
1706
1707         * dfg/DFGGraph.cpp:
1708         (JSC::DFG::Graph::dump):
1709         * dfg/DFGGraph.h:
1710         (JSC::DFG::predictionToString):
1711
1712 2011-07-29  Filip Pizlo  <fpizlo@apple.com>
1713
1714         DFG JIT does not have any way of undoing double speculation.
1715         https://bugs.webkit.org/show_bug.cgi?id=65334
1716
1717         Reviewed by Gavin Barraclough.
1718         
1719         This adds code to do a branchConvertDoubleToInt on speculation failure.
1720         This is performance-neutral on most benchmarks but does result in
1721         a slight improvement in Kraken.
1722
1723         * dfg/DFGJITCompiler.cpp:
1724         (JSC::DFG::GeneralizedRegister::moveTo):
1725         (JSC::DFG::GeneralizedRegister::swapWith):
1726         (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
1727         (JSC::DFG::ShuffledRegister::handleCyclingPermutation):
1728         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
1729
1730 2011-07-29  Filip Pizlo  <fpizlo@apple.com>
1731
1732         Crash when opening docs.google.com
1733         https://bugs.webkit.org/show_bug.cgi?id=65327
1734
1735         Reviewed by Gavin Barraclough.
1736         
1737         The speculative JIT was only checking whether a value is an array when
1738         we had already checked that it was, rather than when we hadn't.
1739
1740         * dfg/DFGSpeculativeJIT.cpp:
1741         (JSC::DFG::SpeculativeJIT::compile):
1742
1743 2011-07-28  Oliver Hunt  <oliver@apple.com>
1744
1745         *_list instructions are only used in one place, where the code is wrong.
1746         https://bugs.webkit.org/show_bug.cgi?id=65348
1747
1748         Reviewed by Darin Adler.
1749
1750         Simply remove the instructions and all users.  Speeds up the interpreter
1751         slightly due to code motion, but otherwise has no effect (because none
1752         of the _list instructions are ever used).
1753
1754         * bytecode/CodeBlock.cpp:
1755         (JSC::isPropertyAccess):
1756         (JSC::CodeBlock::dump):
1757         (JSC::CodeBlock::visitStructures):
1758         * bytecode/Instruction.h:
1759         * bytecode/Opcode.h:
1760         * interpreter/Interpreter.cpp:
1761         (JSC::Interpreter::privateExecute):
1762         * jit/JIT.cpp:
1763         (JSC::JIT::privateCompileMainPass):
1764
1765 2011-07-28  Gavin Barraclough  <barraclough@apple.com>
1766
1767         https://bugs.webkit.org/show_bug.cgi?id=65325
1768         Performance tweak to parseInt
1769
1770         Reviewed by Oliver Hunt.
1771
1772         * runtime/JSGlobalObjectFunctions.cpp:
1773         (JSC::globalFuncParseInt):
1774             - This change may make an existing optimization redundant,
1775               cleanup from Darin's comments, plus fix existing bugs.
1776
1777 2011-07-28  Gavin Barraclough  <barraclough@apple.com>
1778
1779         https://bugs.webkit.org/show_bug.cgi?id=65325
1780         Performance tweak to parseInt
1781
1782         Reviewed by Oliver Hunt.
1783
1784         * runtime/JSGlobalObjectFunctions.cpp:
1785         (JSC::globalFuncParseInt):
1786             - parseInt applied to small positive numbers = floor.
1787
1788 2011-07-28  Dan Bernstein  <mitz@apple.com>
1789
1790         Build fix.
1791
1792         * runtime/Executable.cpp:
1793         (JSC::FunctionExecutable::compileForCallInternal):
1794
1795 2011-07-28  Kent Tamura  <tkent@chromium.org>
1796
1797         Improve StringImpl::stripWhiteSpace() and simplifyWhiteSpace().
1798         https://bugs.webkit.org/show_bug.cgi?id=65300
1799
1800         Reviewed by Darin Adler.
1801
1802         r91837 had a performance regression of StringImpl::stripWhiteSpace()
1803         and simplifyWhiteSpace(). This changes the code so that compilers
1804         generate code equivalent to r91836 or prior.
1805
1806         * wtf/text/StringImpl.cpp:
1807         (WTF::StringImpl::stripMatchedCharacters):
1808         A template member function for stripWhiteSpace(). This function takes a functor.
1809         (WTF::UCharPredicate):
1810         A functor for generic predicate for single UChar argument.
1811         (WTF::SpaceOrNewlinePredicate):
1812         A special functor for isSpaceOrNewline().
1813         (WTF::StringImpl::stripWhiteSpace):
1814         Use stripMatchedCharacters().
1815         (WTF::StringImpl::simplifyMatchedCharactersToSpace):
1816         A template member function for simplifyWhiteSpace().
1817         (WTF::StringImpl::simplifyWhiteSpace):
1818         Use simplifyMatchedCharactersToSpace().
1819         * wtf/text/StringImpl.h:
1820
1821 2011-07-27  Dmitry Lomov  <dslomov@google.com>
1822
1823         [chromium] Turn on WTF_MULTIPLE_THREADS.
1824         https://bugs.webkit.org/show_bug.cgi?id=61017
1825         The patch turns on WTF_MULTIPLE_THREADS in chromium and 
1826         pushes some relevant initializations from JSC::initializeThreading
1827         to WTF::initializeThreading.
1828
1829         Reviewed by David Levin.
1830
1831         * runtime/InitializeThreading.cpp:
1832         (JSC::initializeThreadingOnce):
1833         * wtf/FastMalloc.cpp:
1834         (WTF::isForbidden):
1835         (WTF::fastMallocForbid):
1836         (WTF::fastMallocAllow):
1837         * wtf/Platform.h:
1838         * wtf/ThreadingPthreads.cpp:
1839         (WTF::initializeThreading):
1840         * wtf/ThreadingWin.cpp:
1841         (WTF::initializeThreading):
1842         * wtf/gtk/ThreadingGtk.cpp:
1843         (WTF::initializeThreading):
1844         * wtf/qt/ThreadingQt.cpp:
1845         (WTF::initializeThreading):
1846
1847 2011-07-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1848
1849         Remove operator new from JSCell
1850         https://bugs.webkit.org/show_bug.cgi?id=64999
1851
1852         Reviewed by Oliver Hunt.
1853
1854         Removed the implementation of operator new in JSCell, so any further uses
1855         will not successfully link.  Also removed any remaining uses of operator new.
1856
1857         * API/JSContextRef.cpp:
1858         * debugger/DebuggerActivation.h:
1859         (JSC::DebuggerActivation::create):
1860         * interpreter/Interpreter.cpp:
1861         (JSC::Interpreter::execute):
1862         (JSC::Interpreter::createExceptionScope):
1863         (JSC::Interpreter::privateExecute):
1864         * jit/JITStubs.cpp:
1865         (JSC::DEFINE_STUB_FUNCTION):
1866         * runtime/JSCell.h:
1867         * runtime/JSGlobalObject.h:
1868         (JSC::JSGlobalObject::create):
1869         * runtime/JSStaticScopeObject.h:
1870         (JSC::JSStaticScopeObject::create):
1871         (JSC::JSStaticScopeObject::JSStaticScopeObject):
1872         * runtime/StrictEvalActivation.h:
1873         (JSC::StrictEvalActivation::create):
1874
1875 2011-07-27  Filip Pizlo  <fpizlo@apple.com>
1876
1877         DFG graph has no notion of double prediction.
1878         https://bugs.webkit.org/show_bug.cgi?id=65234
1879
1880         Reviewed by Gavin Barraclough.
1881         
1882         Added the notion of PredictDouble, and PredictNumber, which is the least
1883         upper bound of PredictInt32 and PredictDouble.  Least upper bound is
1884         defined as the bitwise-or of two predictions.  Bottom is defined as 0,
1885         and Top is defined as all bits being set.  Added the ability to explicitly
1886         distinguish between a node having had a prediction associated with it,
1887         and that prediction still being valid (i.e. no conflicting predictions
1888         have also been added).  Used this to guard the speculative JIT from
1889         speculating Int32 in cases where the graph knows that the value is
1890         double, which currently only happens for GetLocal nodes on arguments
1891         which were double at compile-time.
1892
1893         * dfg/DFGGraph.cpp:
1894         (JSC::DFG::Graph::predictArgumentTypes):
1895         * dfg/DFGGraph.h:
1896         (JSC::DFG::isCellPrediction):
1897         (JSC::DFG::isArrayPrediction):
1898         (JSC::DFG::isInt32Prediction):
1899         (JSC::DFG::isDoublePrediction):
1900         (JSC::DFG::isNumberPrediction):
1901         * dfg/DFGSpeculativeJIT.cpp:
1902         (JSC::DFG::SpeculativeJIT::compile):
1903         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1904         (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
1905         * dfg/DFGSpeculativeJIT.h:
1906         (JSC::DFG::SpeculativeJIT::isRegisterDataFormatDouble):
1907
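The prediction lattice this entry describes (bottom = 0, top = all bits, least upper bound = bitwise-or, PredictNumber = PredictInt32 | PredictDouble), together with the "p-bottom"/"p-int32"/"p-top" dump names from the bug 65389 entry above, as an added example that is not JSC's DFGGraph.h. The bit values, the predicate definitions, the Node struct and shouldSpeculateInt32 are assumptions of this model.

```cpp
#include <cstdint>
#include <string>

namespace dfg_model {

typedef uint8_t PredictedType;

// Bit layout is an assumption of this model, not JSC's own values. Cells and
// numbers are two separate families; an array is a kind of cell.
const PredictedType PredictNone   = 0x00;                         // bottom
const PredictedType PredictCell   = 0x01;
const PredictedType PredictArray  = 0x02;
const PredictedType PredictInt32  = 0x04;
const PredictedType PredictDouble = 0x08;
const PredictedType PredictNumber = PredictInt32 | PredictDouble; // LUB of the two
const PredictedType PredictTop    = 0xff;                         // all bits set

// Least upper bound of two predictions is their bitwise-or.
inline PredictedType mergePredictions(PredictedType a, PredictedType b)
{
    return static_cast<PredictedType>(a | b);
}

// A prediction belongs to a family when it is non-empty and carries no bits
// outside that family; anything else is a conflict (treated as top).
inline bool isCellPrediction(PredictedType p)
{
    return p != PredictNone && !(p & ~(PredictCell | PredictArray));
}
inline bool isArrayPrediction(PredictedType p)  { return p == PredictArray; }
inline bool isInt32Prediction(PredictedType p)  { return p == PredictInt32; }
inline bool isDoublePrediction(PredictedType p) { return p == PredictDouble; }
inline bool isNumberPrediction(PredictedType p)
{
    return p != PredictNone && !(p & ~PredictNumber);
}

// Names as they would appear in the IR dump.
inline std::string predictionToString(PredictedType p)
{
    if (p == PredictNone) return "p-bottom";
    if (isArrayPrediction(p)) return "p-array";
    if (isCellPrediction(p)) return "p-cell";
    if (isInt32Prediction(p)) return "p-int32";
    if (isDoublePrediction(p)) return "p-double";
    if (isNumberPrediction(p)) return "p-number";
    return "p-top"; // conflicting predictions, which the JIT ignores
}

// A node accumulates every prediction attached to it. Whether it has *a*
// prediction and whether that prediction is still *consistent* are kept as
// separate questions, as the entry describes.
struct Node {
    PredictedType prediction;
    Node() : prediction(PredictNone) { }
    void predict(PredictedType p) { prediction = mergePredictions(prediction, p); }
    bool hasPrediction() const { return prediction != PredictNone; }
    bool predictionIsValid() const
    {
        return isCellPrediction(prediction) || isNumberPrediction(prediction);
    }
};

// The guard on GetLocal: speculate Int32 only when the prediction is exactly
// int32. A double or number prediction must not be narrowed, and a
// conflicting one gives no guidance at all.
inline bool shouldSpeculateInt32(const Node& node)
{
    return node.predictionIsValid() && isInt32Prediction(node.prediction);
}

} // namespace dfg_model
```
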
1908 2011-07-27  Gavin Barraclough  <barraclough@apple.com>
1909
1910         https://bugs.webkit.org/show_bug.cgi?id=65294
1911         DFG JIT - may speculate based on wrong arguments.
1912
1913         Reviewed by Oliver Hunt.
1914
1915         In the case of a DFG compiled function calling to and compiling a second function that
1916         also compiles through the DFG JIT (i.e. compilation triggered with DFGOperations.cpp),
1917         we call compileFor passing the caller function's exec state, rather than the callee's.
1918         This may lead to mis-optimization, since the DFG compiler will examine the exec state's
1919         arguments on the assumption that these will be passed to the callee - it is wanting the
1920         callee exec state, not the caller's exec state.
1921
1922         Fixing this for all cases of compilation is tricksy, due to the way the numeric sort
1923         function is compiled, & the structure of the calls in the Interpreter::execute methods.
1924         Only fix for compilation from the JIT, in other calls don't speculate based on arguments
1925         for now.
1926
1927         * dfg/DFGOperations.cpp:
1928         * runtime/Executable.cpp:
1929         (JSC::tryDFGCompile):
1930         (JSC::tryDFGCompileFunction):
1931         (JSC::FunctionExecutable::compileForCallInternal):
1932         * runtime/Executable.h:
1933         (JSC::FunctionExecutable::compileForCall):
1934         (JSC::FunctionExecutable::compileFor):
1935
1936 2011-07-27  Oliver Hunt  <oliver@apple.com>
1937
1938         Handle callback oriented JSONP
1939         https://bugs.webkit.org/show_bug.cgi?id=65271
1940
1941         Reviewed by Gavin Barraclough.
1942
1943         Handle the callback oriented versions of JSONP.  The Literal parser
1944         now handles <Identifier> (. <Identifier>)* (jsonData).
1945
1946         * interpreter/Interpreter.cpp:
1947         (JSC::Interpreter::execute):
1948         * runtime/LiteralParser.cpp:
1949         (JSC::LiteralParser::tryJSONPParse):
1950         (JSC::LiteralParser::Lexer::lex):
1951         * runtime/LiteralParser.h:
1952
1953 2011-07-27  Stephanie Lewis  <slewis@apple.com>
1954
1955         Revert http://trac.webkit.org/changeset/90415.
1956         Caused a 5% sunspider regression in-browser.
1957
1958         Unreviewed rollout.
1959
1960         * bytecode/CodeBlock.cpp:
1961         (JSC::CodeBlock::visitAggregate):
1962         * heap/Heap.cpp:
1963         (JSC::Heap::collectAllGarbage):
1964         * heap/MarkStack.h:
1965         (JSC::MarkStack::MarkStack):
1966         * runtime/JSGlobalData.cpp:
1967         (JSC::JSGlobalData::releaseExecutableMemory):
1968         * runtime/RegExp.cpp:
1969         (JSC::RegExp::compile):
1970         (JSC::RegExp::invalidateCode):
1971         * runtime/RegExp.h:
1972
1973 2011-07-27  Shinya Kawanaka  <shinyak@google.com>
1974
1975         Added an interface to take IsWhiteSpaceFunctionPtr.
1976         https://bugs.webkit.org/show_bug.cgi?id=57746
1977
1978         Reviewed by Kent Tamura.
1979
1980         * wtf/text/StringImpl.cpp:
1981         (WTF::StringImpl::stripWhiteSpace):
1982           Added an interface to take IsWhiteSpaceFunctionPtr.
1983         (WTF::StringImpl::simplifyWhiteSpace): ditto.
1984         * wtf/text/StringImpl.h:
1985         * wtf/text/WTFString.cpp:
1986         (WTF::String::stripWhiteSpace): ditto.
1987         (WTF::String::simplifyWhiteSpace): ditto.
1988         * wtf/text/WTFString.h:
1989
1990 2011-07-27  Filip Pizlo  <fpizlo@apple.com>
1991
1992         DFG JIT speculation failure code performs incorrect conversions in
1993         the case where two registers need to be swapped.
1994         https://bugs.webkit.org/show_bug.cgi?id=65233
1995
1996         Reviewed by Gavin Barraclough.
1997         
1998         * dfg/DFGJITCompiler.cpp:
1999         (JSC::DFG::GeneralizedRegister::swapWith):
2000
2001 2011-07-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2002
2003         reduce and reduceRight bind callback's this to null rather than undefined
2004         https://bugs.webkit.org/show_bug.cgi?id=62264
2005
2006         Reviewed by Oliver Hunt.
2007
2008         Fixed Array.prototype.reduce and Array.prototype.reduceRight so that they behave correctly
2009         when calling the callback function without an argument for this, which means it should 
2010         be undefined according to ES 15.4.4.21 and 15.4.4.22.
2011
2012         * runtime/ArrayPrototype.cpp:
2013         (JSC::arrayProtoFuncReduce):
2014         (JSC::arrayProtoFuncReduceRight):
2015
2016 2011-07-26  Filip Pizlo  <fpizlo@apple.com>
2017
2018         JSC command-line tool does not come with any facility for
2019         measuring time precisely.
2020         https://bugs.webkit.org/show_bug.cgi?id=65223
2021
2022         Reviewed by Gavin Barraclough.
2023         
2024         Exposed WTF::currentTime() as currentTimePrecise().
2025
2026         * jsc.cpp:
2027         (GlobalObject::GlobalObject):
2028         (functionPreciseTime):
2029
2030 2011-07-26  Filip Pizlo  <fpizlo@apple.com>
2031
2032         DFG speculative JIT never emits inline double comparisons, even when it
2033         would be obviously more efficient to do so.
2034         https://bugs.webkit.org/show_bug.cgi?id=65212
2035
2036         Reviewed by Gavin Barraclough.
2037         
2038         This handles the obvious case of inlining double comparisons: it only addresses
2039         the speculative JIT, and only for fused compare/branch sequences.  But it does
2040         handle the case where both operands are double (and there is no slow path),
2041         or where one operand is double and the other is unknown type (in which case it
2042         attempts to unbox the double, otherwise taking slow path).  This is a 0.8%
2043         speed-up on SunSpider.
2044
2045         * dfg/DFGSpeculativeJIT.cpp:
2046         (JSC::DFG::SpeculativeJIT::convertToDouble):
2047         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
2048         (JSC::DFG::SpeculativeJIT::compare):
2049         (JSC::DFG::SpeculativeJIT::compile):
2050         * dfg/DFGSpeculativeJIT.h:
2051         (JSC::DFG::SpeculativeJIT::isRegisterDataFormatDouble):
2052         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
2053
2054 2011-07-26  Filip Pizlo  <fpizlo@apple.com>
2055
2056         https://bugs.webkit.org/show_bug.cgi?id=64969
2057         DFG JIT generates inefficient code for speculation failures.
2058
2059         Reviewed by Gavin Barraclough.
2060         
2061         This implements a speculation failure strategy where (1) values spilled on
2062         non-speculative but not spilled on speculative are spilled, (2) values that
2063         are in registers on both paths are rearranged without ever touching memory,
2064         and (3) values spilled on speculative but not spilled on non-speculative are
2065         filled.
2066         
2067         The register shuffling is the most interesting part of this patch.  It
2068         constructs a permutation graph for registers.  Each node represents a
2069         register, and each directed edge corresponds to the register's value having
2070         to be moved to a different register as part of the shuffling.  This is a
2071         directed graph where each node may only have 0 or 1 incoming edges, and
2072         0 or 1 outgoing edges.  The algorithm then first finds maximal non-cyclic
2073         subgraphs where all nodes in the subgraph are reachable from a start node.
2074         Such subgraphs always resemble linked lists, and correspond to simply
2075         moving the value in the second-to-last register into the last register, and
2076         then moving the value in the third-to-last register into the second-to-last
2077         register, and so on.  Once these subgraphs are taken care of, the remaining
2078         subgraphs are cycles, and are handled using either (a) conversion or no-op
2079         if the cycle involves one node, (b) swap if it involves two nodes, or (c)
2080         a cyclic shuffle involving a scratch register if there are three or more
2081         nodes.
2082         
2083         * dfg/DFGGenerationInfo.h:
2084         (JSC::DFG::needDataFormatConversion):
2085         * dfg/DFGJITCompiler.cpp:
2086         (JSC::DFG::GeneralizedRegister::GeneralizedRegister):
2087         (JSC::DFG::GeneralizedRegister::createGPR):
2088         (JSC::DFG::GeneralizedRegister::createFPR):
2089         (JSC::DFG::GeneralizedRegister::dump):
2090         (JSC::DFG::GeneralizedRegister::findInSpeculationCheck):
2091         (JSC::DFG::GeneralizedRegister::findInEntryLocation):
2092         (JSC::DFG::GeneralizedRegister::previousDataFormat):
2093         (JSC::DFG::GeneralizedRegister::nextDataFormat):
2094         (JSC::DFG::GeneralizedRegister::convert):
2095         (JSC::DFG::GeneralizedRegister::moveTo):
2096         (JSC::DFG::GeneralizedRegister::swapWith):
2097         (JSC::DFG::ShuffledRegister::ShuffledRegister):
2098         (JSC::DFG::ShuffledRegister::isEndOfNonCyclingPermutation):
2099         (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
2100         (JSC::DFG::ShuffledRegister::handleCyclingPermutation):
2101         (JSC::DFG::ShuffledRegister::lookup):
2102         (JSC::DFG::lookupForRegister):
2103         (JSC::DFG::NodeToRegisterMap::Tuple::Tuple):
2104         (JSC::DFG::NodeToRegisterMap::NodeToRegisterMap):
2105         (JSC::DFG::NodeToRegisterMap::set):
2106         (JSC::DFG::NodeToRegisterMap::end):
2107         (JSC::DFG::NodeToRegisterMap::find):
2108         (JSC::DFG::NodeToRegisterMap::clear):
2109         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
2110         (JSC::DFG::JITCompiler::linkSpeculationChecks):
2111         * dfg/DFGJITCompiler.h:
2112         * dfg/DFGNonSpeculativeJIT.cpp:
2113         (JSC::DFG::EntryLocation::EntryLocation):
2114         * dfg/DFGNonSpeculativeJIT.h:
2115         * dfg/DFGSpeculativeJIT.cpp:
2116         (JSC::DFG::SpeculationCheck::SpeculationCheck):
2117         * dfg/DFGSpeculativeJIT.h:
2118
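The register-shuffling step of this entry (chains emitted tail-first, then cycles handled as no-op, swap, or rotation through a scratch register), reconstructed as an added stand-alone example. This is not JSC's DFGJITCompiler.cpp code; the Op representation, the target-register map and the availability of a scratch register are assumptions of the model. planIsCorrect replays an emitted plan on a constructed register file to confirm every value reached its target.

```cpp
#include <cassert>
#include <cstdio>
#include <utility>
#include <vector>

namespace shuffle {
// One emitted operation; "scratch" is a temporary register outside the
// permutation, whose availability is an assumption of this model.
struct Op {
    enum Kind { Move, Swap, ToScratch, FromScratch };
    Kind kind;
    int src; // source register, or -1 for FromScratch
    int dst; // destination register, or -1 for ToScratch
};

// target[r] is the register that must receive r's value on the other path,
// or -1 if the value need not move. A register is named as a target at most
// once, so every node has 0 or 1 incoming and 0 or 1 outgoing edges.
std::vector<Op> planShuffle(const std::vector<int>& target)
{
    const int n = static_cast<int>(target.size());
    std::vector<int> source(n, -1); // inverse edge: which register moves into r?
    for (int r = 0; r < n; ++r) {
        if (target[r] < 0) continue;
        assert(target[r] < n && source[target[r]] < 0);
        source[target[r]] = r;
    }

    std::vector<Op> ops;
    std::vector<bool> done(n, false);

    // (1) Non-cyclic subgraphs: walk each chain from a node with no incoming
    // edge to its end, then emit moves tail-first so nothing is clobbered early.
    for (int start = 0; start < n; ++start) {
        if (source[start] >= 0 || target[start] < 0) continue;
        std::vector<int> chain;
        for (int r = start; r >= 0; r = target[r]) chain.push_back(r);
        for (int i = static_cast<int>(chain.size()) - 1; i > 0; --i)
            ops.push_back({Op::Move, chain[i - 1], chain[i]});
        for (int r : chain) done[r] = true;
    }

    // (2) Everything left lies on a cycle: one node is a no-op (or a pure format
    // conversion, not modelled), two nodes swap, three or more go via scratch.
    for (int start = 0; start < n; ++start) {
        if (done[start] || target[start] < 0) continue;
        std::vector<int> cycle; // cycle[0] -> cycle[1] -> ... -> cycle[0]
        for (int r = start; !done[r]; r = target[r]) {
            cycle.push_back(r);
            done[r] = true;
        }
        if (cycle.size() == 1) continue;
        if (cycle.size() == 2) { ops.push_back({Op::Swap, cycle[0], cycle[1]}); continue; }
        ops.push_back({Op::ToScratch, cycle.back(), -1});
        for (int i = static_cast<int>(cycle.size()) - 1; i > 0; --i)
            ops.push_back({Op::Move, cycle[i - 1], cycle[i]});
        ops.push_back({Op::FromScratch, -1, cycle[0]});
    }
    return ops;
}

// Run a plan against a register file and return the resulting contents.
std::vector<int> apply(const std::vector<Op>& ops, std::vector<int> regs)
{
    int scratch = 0;
    for (const Op& op : ops) {
        switch (op.kind) {
        case Op::Move: regs[op.dst] = regs[op.src]; break;
        case Op::Swap: std::swap(regs[op.src], regs[op.dst]); break;
        case Op::ToScratch: scratch = regs[op.src]; break;
        case Op::FromScratch: regs[op.dst] = scratch; break;
        }
    }
    return regs;
}

// True iff, after the plan runs, regs[target[r]] holds what regs[r] held.
bool planIsCorrect(const std::vector<int>& target)
{
    std::vector<int> before(target.size());
    for (size_t r = 0; r < before.size(); ++r) before[r] = 100 + static_cast<int>(r);
    std::vector<int> after = apply(planShuffle(target), before);
    for (size_t r = 0; r < target.size(); ++r)
        if (target[r] >= 0 && after[target[r]] != before[r]) return false;
    return true;
}

} // namespace shuffle

int main()
{
    // Constructed sample: r0->r1->r2 is a chain whose tail value is dead,
    // r3<->r4 a two-cycle, r5->r6->r7->r5 a three-cycle, r8 stays put.
    std::vector<int> target = {1, 2, -1, 4, 3, 6, 7, 5, 8};
    std::vector<shuffle::Op> ops = shuffle::planShuffle(target);
    std::printf("%zu operations, plan %s\n", ops.size(),
                shuffle::planIsCorrect(target) ? "correct" : "WRONG");
    return 0;
}
```
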
2119 2011-07-26  Oliver Hunt  <oliver@apple.com>
2120
2121         Buffer overflow creating error messages for JSON.parse
2122         https://bugs.webkit.org/show_bug.cgi?id=65211
2123
2124         Reviewed by Darin Adler.
2125
2126         Pass string length to the UString constructor.
2127
2128         * runtime/LiteralParser.cpp:
2129         (JSC::LiteralParser::parse):
2130
2131 2011-07-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2132
2133         Refactor automatically generated JS DOM bindings to replace operator new with static create methods
2134         https://bugs.webkit.org/show_bug.cgi?id=64732
2135
2136         Reviewed by Oliver Hunt.
2137
2138         Replacing the public constructors in the automatically generated JS DOM bindings with static 
2139         create methods.  JSByteArray is used by several of these bindings in WebCore.
2140
2141         * JavaScriptCore.exp:
2142         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2143         * runtime/JSByteArray.cpp:
2144         (JSC::JSByteArray::create):
2145         * runtime/JSByteArray.h:
2146
2147 2011-07-26  Alexis Menard  <alexis.menard@openbossa.org>
2148
2149         Unreviewed build fix for Qt/Linux.
2150
2151         On platforms with no glib and gstreamer we should not build javascriptcore
2152         with the Glib support. This is related to http://trac.webkit.org/changeset/91752.
2153
2154         * wtf/wtf.pri:
2155
2156 2011-07-26  Juan C. Montemayor  <jmont@apple.com>
2157
2158         JSON errors should be informative
2159         https://bugs.webkit.org/show_bug.cgi?id=63339
2160
2161         Added error messages to the JSON Parser.
2162
2163         Reviewed by Oliver Hunt.
2164
2165         * runtime/JSONObject.cpp:
2166         (JSC::JSONProtoFuncParse):
2167         * runtime/LiteralParser.cpp:
2168         (JSC::LiteralParser::Lexer::lex):
2169         (JSC::LiteralParser::Lexer::lexString):
2170         (JSC::LiteralParser::Lexer::lexNumber):
2171         (JSC::LiteralParser::parse):
2172         * runtime/LiteralParser.h:
2173         (JSC::LiteralParser::getErrorMessage):
2174         (JSC::LiteralParser::Lexer::sawError):
2175         (JSC::LiteralParser::Lexer::getErrorMessage):
2176
2177 2011-07-26  Sheriff Bot  <webkit.review.bot@gmail.com>
2178
2179         Unreviewed, rolling out r91746.
2180         http://trac.webkit.org/changeset/91746
2181         https://bugs.webkit.org/show_bug.cgi?id=65180
2182
2183         It broke SL build (Requested by Ossy on #webkit).
2184
2185         * wtf/text/StringImpl.cpp:
2186         (WTF::StringImpl::stripWhiteSpace):
2187         (WTF::StringImpl::simplifyWhiteSpace):
2188         * wtf/text/StringImpl.h:
2189         * wtf/text/WTFString.cpp:
2190         * wtf/text/WTFString.h:
2191
2192 2011-07-26  Alexis Menard  <alexis.menard@openbossa.org>
2193
2194         Reviewed by Andreas Kling.
2195
2196         [Qt] Change default backend to use GStreamer on Linux and QuickTime on Mac.
2197         https://bugs.webkit.org/show_bug.cgi?id=63472
2198
2199         Enable the bits needed for GStreamer only when QtMultimedia is not used.
2200
2201         * wtf/wtf.pri:
2202
2203 2011-07-26  Shinya Kawanaka  <shinyak@google.com>
2204
2205         Added an interface to take IsWhiteSpaceFunctionPtr.
2206         https://bugs.webkit.org/show_bug.cgi?id=57746
2207
2208         Reviewed by Kent Tamura.
2209
2210         * wtf/text/StringImpl.cpp:
2211         (WTF::StringImpl::stripWhiteSpace):
2212           Added an interface to take IsWhiteSpaceFunctionPtr.
2213         (WTF::StringImpl::simplifyWhiteSpace): ditto.
2214         * wtf/text/StringImpl.h:
2215         * wtf/text/WTFString.cpp:
2216         (WTF::String::stripWhiteSpace): ditto.
2217         (WTF::String::simplifyWhiteSpace): ditto.
2218         * wtf/text/WTFString.h:
2219
2220 2011-07-25  Filip Pizlo  <fpizlo@apple.com>
2221
2222         DFG non-speculative JIT emits inefficient code for arithmetic
2223         involving two registers
2224         https://bugs.webkit.org/show_bug.cgi?id=65160
2225
2226         Reviewed by Gavin Barraclough.
2227         
2228         The non-speculative JIT now emits inline code for double arithmetic, but
2229         still attempts integer arithmetic first.  This is a speed-up on SunSpider
2230         (albeit a small one), and a large speed-up on Kraken.
2231
2232         * dfg/DFGNonSpeculativeJIT.cpp:
2233         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
2234
2235 2011-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2236
2237         [EFL] Build break with --debug after r89153.
2238         https://bugs.webkit.org/show_bug.cgi?id=65150
2239
2240         Unreviewed build fix.
2241
2242         * wtf/CMakeListsEfl.txt: Add missing libraries.
2243
2244 2011-07-25  Filip Pizlo  <fpizlo@apple.com>
2245
2246         DFG non-speculative JIT emits obviously inefficient code for arithmetic
2247         where one operand is a constant.
2248         https://bugs.webkit.org/show_bug.cgi?id=65146
2249
2250         Reviewed by Gavin Barraclough.
2251         
2252         Changed the code to emit double arithmetic inline.
2253
2254         * dfg/DFGNonSpeculativeJIT.cpp:
2255         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
2256
2257 2011-07-25  Filip Pizlo  <fpizlo@apple.com>
2258
2259         DFG JIT bytecode parser misuses pointers into objects allocated as part of a
2260         WTF::Vector.
2261         https://bugs.webkit.org/show_bug.cgi?id=65128
2262
2263         Reviewed by Gavin Barraclough.
2264         
2265         The bytecode parser code seems to be right to have a DFGNode& phiNode reference
2266         into the graph, since this makes the code greatly more readable.  This patch
2267         thus makes the minimal change necessary to make the code right: it uses a
2268         pointer (to disambiguate between reloading the pointer and performing a
2269         copy from one location of the vector to another) and reloads it after the
2270         calls to addToGraph().
2271
2272         * dfg/DFGByteCodeParser.cpp:
2273         (JSC::DFG::ByteCodeParser::processPhiStack):
2274
2275 2011-07-25  Sheriff Bot  <webkit.review.bot@gmail.com>
2276
2277         Unreviewed, rolling out r91686.
2278         http://trac.webkit.org/changeset/91686
2279         https://bugs.webkit.org/show_bug.cgi?id=65144
2280
2281         1.5% regression in JSC (Requested by jmontemayor on #webkit).
2282
2283         * runtime/JSONObject.cpp:
2284         (JSC::JSONProtoFuncParse):
2285         * runtime/LiteralParser.cpp:
2286         (JSC::LiteralParser::Lexer::lex):
2287         (JSC::LiteralParser::Lexer::lexString):
2288         (JSC::LiteralParser::Lexer::lexNumber):
2289         (JSC::LiteralParser::parse):
2290         * runtime/LiteralParser.h:
2291
2292 2011-07-25  Jon Lee  <jonlee@apple.com>
2293
2294         Assertion called in ExecutableBase::generatedJITCodeForCall() when JIT is not available
2295         https://bugs.webkit.org/show_bug.cgi?id=65132
2296         <rdar://problem/9836297>
2297         
2298         Reviewed by Oliver Hunt.
2299         
2300         Make sure the JIT is available to use before running the following calls:
2301
2302         * bytecode/CodeBlock.cpp:
2303         (JSC::CodeBlock::unlinkCalls): Added check, return early if JIT is not available.
2304         * bytecode/CodeBlock.h:
2305         (JSC::CodeBlock::addMethodCallLinkInfos): Added assertion.
2306
2307 2011-07-25  Juan C. Montemayor  <jmont@apple.com>
2308
2309         JSON errors should be informative
2310         https://bugs.webkit.org/show_bug.cgi?id=63339
2311
2312         Added error messages to the JSON Parser.
2313
2314         Reviewed by Oliver Hunt.
2315
2316         * runtime/JSONObject.cpp:
2317         (JSC::JSONProtoFuncParse):
2318         * runtime/LiteralParser.cpp:
2319         (JSC::LiteralParser::Lexer::lex):
2320         (JSC::LiteralParser::Lexer::lexString):
2321         (JSC::LiteralParser::Lexer::lexNumber):
2322         (JSC::LiteralParser::parse):
2323         * runtime/LiteralParser.h:
2324         (JSC::LiteralParser::getErrorMessage):
2325         (JSC::LiteralParser::Lexer::sawError):
2326         (JSC::LiteralParser::Lexer::getErrorMessage):
2327
2328 2011-07-25  Filip Pizlo  <fpizlo@apple.com>
2329
2330         X86-64 assembler emits three instructions instead of two for certain
2331         loads and stores.
2332         https://bugs.webkit.org/show_bug.cgi?id=65095
2333
2334         Reviewed by Gavin Barraclough.
2335         
2336         Simply made these four methods in the assembler use the scratch register,
2337         which they were previously avoiding.  It still optimizes for the case where
2338         an absolute-address memory access is using EAX.  This results in a slight
2339         performance improvement.
2340
2341         * assembler/MacroAssemblerX86_64.h:
2342         (JSC::MacroAssemblerX86_64::load32):
2343         (JSC::MacroAssemblerX86_64::store32):
2344         (JSC::MacroAssemblerX86_64::loadPtr):
2345         (JSC::MacroAssemblerX86_64::storePtr):
2346
2347 2011-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2348
2349         [EFL] Implement EFL-specific current time and monotonicallyIncreasingTime.
2350         https://bugs.webkit.org/show_bug.cgi?id=64354
2351
2352         Use ecore_time_unix_get which returns unix time as double type for currentTime
2353         and ecore_time_get which uses monotonic clock for monotonicallyIncreasingTime.
2354
2355         Reviewed by Kent Tamura.
2356
2357         * wtf/CurrentTime.cpp:
2358         (WTF::currentTime):
2359         (WTF::monotonicallyIncreasingTime):
2360
2361 2011-07-22  Sommer Panage  <panage@apple.com>
2362
2363         Reviewed by Oliver Hunt.
2364
2365         export JSContextCreateBacktrace as SPI in JSContextRefPrivate.h
2366         https://bugs.webkit.org/show_bug.cgi?id=64981
2367
2368         UIAutomation for iOS would like to support a JavaScript backtrace in our error logs.
2369         Currently, the C API does not provide the tools to do this. However, the private API
2370         does expose the necessary functionality to get a backtrace
2371         (via Interpreter::retrieveLastCaller). We recognize this information may result in
2372         failure in the cases of programs run by 'eval', stack frames beneath host function
2373         call frames, and in programs run from other programs. Thus, we propose exporting our
2374         JSContextCreateBacktrace in JSContextRefPrivate.h. This will provide us with the tools
2375         we need while not advertising an API that isn't really ready for full use.
2376
2377         * API/JSContextRef.cpp:
2378         * API/JSContextRefPrivate.h:
2379         * JavaScriptCore.exp:
2380
2381
2382 2011-07-22  Gavin Barraclough  <barraclough@apple.com>
2383
2384         https://bugs.webkit.org/show_bug.cgi?id=65051
2385         DFG JIT - Enable by default for mac platform on x86-64.
2386
2387         Rubber Stamped by Geoff Garen.
2388
2389         This is now a performance progression.
2390
2391         * wtf/Platform.h:
2392             - Removed definition of ENABLE_DFG_JIT_RESTRICTIONS.
2393
2394 2011-07-22  Gavin Barraclough  <barraclough@apple.com>
2395
2396         https://bugs.webkit.org/show_bug.cgi?id=65047
2397         DFG JIT - Add support for op_resolve/op_resolve_base
2398
2399         Reviewed by Sam Weinig.
2400
2401         These are necessary for any significant eval code coverage
2402         (and as such increase LayoutTest coverage).
2403
2404         * dfg/DFGAliasTracker.h:
2405         (JSC::DFG::AliasTracker::recordResolve):
2406             - Conservatively blow aliasing optimizations for now.
2407         * dfg/DFGByteCodeParser.cpp:
2408         (JSC::DFG::ByteCodeParser::parseBlock):
2409             - Add support for op_resolve/op_resolve_base.
2410         * dfg/DFGJITCodeGenerator.h:
2411         (JSC::DFG::JITCodeGenerator::callOperation):
2412             - Add call with exec, identifier arguments.
2413         * dfg/DFGNode.h:
2414             - Add new node types.
2415         (JSC::DFG::Node::hasIdentifier):
2416             - Resolve nodes have identifiers, too!
2417         * dfg/DFGNonSpeculativeJIT.cpp:
2418         (JSC::DFG::NonSpeculativeJIT::compile):
2419             - Add generation for new Nodes.
2420         * dfg/DFGOperations.cpp:
2421         * dfg/DFGOperations.h:
2422             - Added new operations.
2423         * dfg/DFGSpeculativeJIT.cpp:
2424         (JSC::DFG::SpeculativeJIT::compile):
2425             - Add generation for new Nodes.
2426
2427 2011-07-22  Gavin Barraclough  <barraclough@apple.com>
2428
2429         https://bugs.webkit.org/show_bug.cgi?id=65036
2430         Messing with the register allocation within flow control = badness.
2431
2432         Reviewed by Sam Weinig.
2433
2434         * dfg/DFGNonSpeculativeJIT.cpp:
2435         (JSC::DFG::NonSpeculativeJIT::compile):
2436             - Fix register allocation.
2437
2438 2011-07-22  Mark Hahnenberg  <mhahnenberg@apple.com>
2439
2440         Date.prototype.toISOString doesn't handle negative years or years > 9999 correctly.
2441         https://bugs.webkit.org/show_bug.cgi?id=63986
2442
2443         Reviewed by Geoffrey Garen.
2444
2445         Changed the implementation of Date.prototype.toISOString() to use the extended year
2446         format (+/-yyyyyy) for years outside of [0,9999] to be in compliance with ES 15.9.1.15.1.
2447
2448         * runtime/DatePrototype.cpp:
2449         (JSC::dateProtoFuncToISOString):
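
An added example, not JavaScriptCore's implementation: the year-field rule the entry describes, four digits inside [0, 9999] and the signed six-digit extended form outside it, with isoYearField and isoDateString as hypothetical helper names.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>

// Year field of an ISO 8601 date string as ES5.1 15.9.1.15.1 specifies it:
// four zero-padded digits for 0..9999, otherwise the extended form, a sign
// followed by six zero-padded digits (e.g. -000001, +010000). Six digits
// cover the whole ECMAScript time-value range (roughly -271821..275760).
std::string isoYearField(long year) {
    char buf[16];
    if (year >= 0 && year <= 9999)
        std::snprintf(buf, sizeof buf, "%04ld", year);
    else
        std::snprintf(buf, sizeof buf, "%c%06ld", year < 0 ? '-' : '+', std::labs(year));
    return buf;
}

// Assembles the full "YYYY-MM-DDTHH:mm:ss.sssZ" string from already-split UTC
// fields (hypothetical helper; no calendar arithmetic is performed here).
std::string isoDateString(long year, int month, int day, int hour, int minute, int second, int ms) {
    char rest[32];
    std::snprintf(rest, sizeof rest, "-%02d-%02dT%02d:%02d:%02d.%03dZ", month, day, hour, minute, second, ms);
    return isoYearField(year) + rest;
}
```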
2450
2451 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2452
2453         Windows build fix
2454
2455         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2456
2457 2011-07-21  Ryosuke Niwa  <rniwa@webkit.org>
2458
2459         Build fix after r91555.
2460
2461         * JavaScriptCore.exp:
2462
2463 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2464
2465         https://bugs.webkit.org/show_bug.cgi?id=19271
2466         eliminate PIC branches by changing NaN handling in JSValue::toNumber
2467
2468         Reviewed by Sam Weinig.
2469
2470         Moving the non-numeric cases out of line seems to be a consistent
2471         win on SunSpider for me, to the order of about 0.5%.
2472
2473         * runtime/JSCell.h:
2474         (JSC::JSCell::JSValue::toNumber):
2475             - Changed to only handle values that are already numbers, move non-numeric cases out of line.
2476         * runtime/JSValue.cpp:
2477         (JSC::JSValue::toNumberSlowCase):
2478             - Added toNumberSlowCase, handling non-numeric cases.
2479         * runtime/JSValue.h:
2480             - Add declaration of toNumberSlowCase.
2481
2482 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2483
2484         https://bugs.webkit.org/show_bug.cgi?id=64875
2485         Use of `yield` keyword is broken
2486
2487         Reviewed by Sam Weinig.
2488
2489         * parser/Lexer.cpp:
2490         (JSC::Lexer::parseIdentifier):
2491             - The bug here is that a successful match of a RESERVED_IF_STRICT token from
2492               parseKeyword is being nullified back to IDENT. The problem is that in the
2493               case of IDENT matches parseKeyword should not move the lexer's input
2494               position, but in the case of RESERVED_IF_STRICT it has done so.
2495
2496 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2497
2498         https://bugs.webkit.org/show_bug.cgi?id=64900
2499         Function.prototype.apply should accept an array-like object as its second argument
2500
2501         Reviewed by Sam Weinig.
2502
2503         * interpreter/Interpreter.cpp:
2504         (JSC::Interpreter::privateExecute):
2505         * jit/JITStubs.cpp:
2506         (JSC::DEFINE_STUB_FUNCTION):
2507         * runtime/FunctionPrototype.cpp:
2508         (JSC::functionProtoFuncApply):
2509             - Remove the type error if object is not an array.
2510
2511 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2512
2513         https://bugs.webkit.org/show_bug.cgi?id=64964
2514         DFG JIT - Enable support for eval code
2515
2516         Reviewed by Sam Weinig.
2517
2518         This is basically the same as program code, to the JIT!
2519
2520         * bytecode/Opcode.cpp:
2521         * bytecode/Opcode.h:
2522             - Enable opcodeNames in !NDEBUG builds.
2523         * dfg/DFGOperations.cpp:
2524             - Fix a bug exposed by eval support, throw correct type error for new.
2525         * runtime/Executable.cpp:
2526         (JSC::EvalExecutable::compileInternal):
2527             - Enable DFG JIT for eval code.
2528
2529 2011-07-20  Sheriff Bot  <webkit.review.bot@gmail.com>
2530
2531         Unreviewed, rolling out r91380.
2532         http://trac.webkit.org/changeset/91380
2533         https://bugs.webkit.org/show_bug.cgi?id=64924
2534
2535         Caused assertion failures in Chromium's IndexedDB tests
2536         (Requested by rniwa on #webkit).
2537
2538         * wtf/ThreadIdentifierDataPthreads.cpp:
2539         (WTF::ThreadIdentifierData::identifier):
2540         (WTF::ThreadIdentifierData::initialize):
2541         (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
2542         (WTF::ThreadIdentifierData::initializeKeyOnce):
2543         * wtf/ThreadIdentifierDataPthreads.h:
2544         * wtf/ThreadingPthreads.cpp:
2545         (WTF::initializeThreading):
2546
2547 2011-07-20  Filip Pizlo  <fpizlo@apple.com>
2548
2549         DFG non-speculative JIT does not use() the aliased GetByVal,
2550         resulting in bloated use counts.
2551         https://bugs.webkit.org/show_bug.cgi?id=64911
2552
2553         Reviewed by Gavin Barraclough.
2554         
2555         Inserted a call to use() for the aliased GetByVal.
2556
2557         * dfg/DFGNonSpeculativeJIT.cpp:
2558         (JSC::DFG::NonSpeculativeJIT::compile):
2559
2560 2011-07-20  Gavin Barraclough  <barraclough@apple.com>
2561
2562         https://bugs.webkit.org/show_bug.cgi?id=64909
2563         DFG JIT - Missing ToInt32 conversions for double constants.
2564
2565         Reviewed by Sam Weinig.
2566
2567         * dfg/DFGByteCodeParser.cpp:
2568         (JSC::DFG::ByteCodeParser::toInt32):
2569             - We cannot trivially omit ToInt32 conversions on double constants.
2570
2571 2011-07-20  Filip Pizlo  <fpizlo@apple.com>
2572
2573         DFG speculative JIT sometimes claims to use compare operands twice, leading to
2574         use count corruption.
2575         https://bugs.webkit.org/show_bug.cgi?id=64903
2576
2577         Reviewed by Gavin Barraclough.
2578         
2579         Move the calls to use() in SpeculativeJIT::compare() so that they only happen
2580         if the JITCodeGenerator's helper method (which also calls use()) is not called.
2581
2582         * dfg/DFGSpeculativeJIT.cpp:
2583         (JSC::DFG::SpeculativeJIT::compare):
2584
2585 2011-07-20  Oliver Hunt  <oliver@apple.com>
2586
2587         Don't throw away code when JSGarbageCollect API is called
2588         https://bugs.webkit.org/show_bug.cgi?id=64894
2589
2590         Reviewed by Sam Weinig.
2591
2592         Just call collectAllGarbage.  That will clean up all unneeded
2593         code without causing any pathological recompilation problems.
2594
2595         * API/JSBase.cpp:
2596         (JSGarbageCollect):
2597
2598 2011-07-20  Oliver Hunt  <oliver@apple.com>
2599
2600         Codeblock doesn't visit cached structures in global resolve instructions
2601         https://bugs.webkit.org/show_bug.cgi?id=64889
2602
2603         Reviewed by Sam Weinig.
2604
2605         Visit the global resolve instructions.  This fixes a couple
2606         of random crashes seen in the jquery tests when using the
2607         interpreter.
2608
2609         * bytecode/CodeBlock.cpp:
2610         (JSC::CodeBlock::visitAggregate):
2611
2612 2011-07-20  James Robinson  <jamesr@chromium.org>
2613
2614         Revert worker and WebKit2 runloops to use currentTime() for scheduling instead of the monotonic clock
2615         https://bugs.webkit.org/show_bug.cgi?id=64841
2616
2617         Reviewed by Mark Rowe.
2618
2619         http://trac.webkit.org/changeset/91206 converted most of WebKit's deferred work scheduling to using the
2620         monotonic clock instead of WTF::currentTime().  This broke many plugin tests on WebKit2 for reasons that are
2621         unclear.  This reverts everything except for WebCore::ThreadTimers back to the previous behavior.
2622
2623         * wtf/ThreadingPthreads.cpp:
2624         (WTF::ThreadCondition::timedWait):
2625         * wtf/ThreadingWin.cpp:
2626         (WTF::absoluteTimeToWaitTimeoutInterval):
2627         * wtf/gtk/ThreadingGtk.cpp:
2628         (WTF::ThreadCondition::timedWait):
2629         * wtf/qt/ThreadingQt.cpp:
2630         (WTF::ThreadCondition::timedWait):
2631
2632 2011-07-14  David Levin  <levin@chromium.org>
2633
2634         currentThread is too slow!
2635         https://bugs.webkit.org/show_bug.cgi?id=64577
2636
2637         Reviewed by Darin Adler and Dmitry Titov.
2638
2639         The problem is that currentThread results in a pthread_once call which always takes a lock.
2640         With this change, currentThread is 10% faster than isMainThread in release mode and only
2641         5% slower than isMainThread in debug.
2642
2643         * wtf/ThreadIdentifierDataPthreads.cpp:
2644         (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
2645         which is no longer needed because this is called from initializeThreading().
2646         (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
2647         initialization of the pthread key should already be done.
2648         (WTF::ThreadIdentifierData::initialize): Ditto.
2649         * wtf/ThreadIdentifierDataPthreads.h:
2650         * wtf/ThreadingPthreads.cpp:
2651         (WTF::initializeThreading): Acquire the pthread key here.
2652
2653 2011-07-20  Mark Rowe  <mrowe@apple.com>
2654
2655         Fix the 32-bit build.
2656
2657         * runtime/ObjectPrototype.cpp:
2658         (JSC::objectProtoFuncToString):
2659
2660 2011-07-19  Gavin Barraclough  <barraclough@apple.com>
2661
2662         https://bugs.webkit.org/show_bug.cgi?id=64678
2663         Fix bugs in Object.prototype this handling.
2664
2665         Reviewed by Darin Adler.
2666
2667         Fix ES5.1 correctness issues identified by Mads Ager.
2668
2669         * runtime/ObjectPrototype.cpp:
2670         (JSC::objectProtoFuncToString):
2671             - ES5.1 expects toString of undefined/null to produce "[object Undefined]"/"[object Null]".
2672
2673 2011-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2674
2675         [JSC] WebKit allocates gigabytes of memory when doing repeated string concatenation
2676         https://bugs.webkit.org/show_bug.cgi?id=63918
2677
2678         Reviewed by Darin Adler.
2679
2680         When allocating JSStrings during concatenation, we needed to call the Heap's reportExtraMemoryCost
2681         method due to additional string copying within several of the constructors when dealing with 
2682         UStrings.  This has been added to the UString version of the appendStringInConstruct method 
2683         within the JSString class.
2684
2685         * runtime/JSString.h:
2686         (JSC::RopeBuilder::JSString):
2687         (JSC::RopeBuilder::appendStringInConstruct):
2688
2689 2011-07-19  Gavin Barraclough  <barraclough@apple.com>
2690
2691         https://bugs.webkit.org/show_bug.cgi?id=64679
2692         Fix bugs in Array.prototype this handling.
2693
2694         Reviewed by Oliver Hunt.
2695
2696         * runtime/ArrayPrototype.cpp:
2697         (JSC::arrayProtoFuncJoin):
2698         (JSC::arrayProtoFuncConcat):
2699         (JSC::arrayProtoFuncPop):
2700         (JSC::arrayProtoFuncPush):
2701         (JSC::arrayProtoFuncReverse):
2702         (JSC::arrayProtoFuncShift):
2703         (JSC::arrayProtoFuncSlice):
2704         (JSC::arrayProtoFuncSort):
2705         (JSC::arrayProtoFuncSplice):
2706         (JSC::arrayProtoFuncUnShift):
2707         (JSC::arrayProtoFuncFilter):
2708         (JSC::arrayProtoFuncMap):
2709         (JSC::arrayProtoFuncEvery):
2710         (JSC::arrayProtoFuncForEach):
2711         (JSC::arrayProtoFuncSome):
2712         (JSC::arrayProtoFuncReduce):
2713         (JSC::arrayProtoFuncReduceRight):
2714         (JSC::arrayProtoFuncIndexOf):
2715         (JSC::arrayProtoFuncLastIndexOf):
2716             - These methods should throw if this value is undefined.
2717
2718 2011-07-19  Gavin Barraclough  <barraclough@apple.com>
2719
2720         https://bugs.webkit.org/show_bug.cgi?id=64677
2721         Fix bugs in String.prototype this handling.
2722
2723         Reviewed by Oliver Hunt.
2724
2725         undefined/null this values should throw TypeErrors, not convert to
2726         the global object, and primitive values should not be converted via
2727         object types.
2728
2729         * runtime/StringPrototype.cpp:
2730         (JSC::stringProtoFuncReplace):
2731         (JSC::stringProtoFuncCharAt):
2732         (JSC::stringProtoFuncCharCodeAt):
2733         (JSC::stringProtoFuncIndexOf):
2734         (JSC::stringProtoFuncLastIndexOf):
2735         (JSC::stringProtoFuncMatch):
2736         (JSC::stringProtoFuncSearch):
2737         (JSC::stringProtoFuncSlice):
2738         (JSC::stringProtoFuncSplit):
2739         (JSC::stringProtoFuncSubstr):
2740         (JSC::stringProtoFuncSubstring):
2741         (JSC::stringProtoFuncToLowerCase):
2742         (JSC::stringProtoFuncToUpperCase):
2743         (JSC::stringProtoFuncLocaleCompare):
2744         (JSC::stringProtoFuncBig):
2745         (JSC::stringProtoFuncSmall):
2746         (JSC::stringProtoFuncBlink):
2747         (JSC::stringProtoFuncBold):
2748         (JSC::stringProtoFuncFixed):
2749         (JSC::stringProtoFuncItalics):
2750         (JSC::stringProtoFuncStrike):
2751         (JSC::stringProtoFuncSub):
2752         (JSC::stringProtoFuncSup):
2753         (JSC::stringProtoFuncFontcolor):
2754         (JSC::stringProtoFuncFontsize):
2755         (JSC::stringProtoFuncAnchor):
2756         (JSC::stringProtoFuncLink):
2757         (JSC::trimString):
2758             - These methods should throw if this value is undefined,
2759               convert ToString directly, not via ToObject.
2760
2761 2011-07-19  Filip Pizlo  <fpizlo@apple.com>
2762
2763         DFG JIT sometimes emits spill code even when the respective values
2764         are never needed.
2765         https://bugs.webkit.org/show_bug.cgi?id=64774
2766
2767         Reviewed by Gavin Barraclough.
2768         
2769         The main high-level change is that it is now easier to call use() on a
2770         virtual register.  JSValueOperand and its other-typed relatives now have
2771         a handy use() method, and jsValueResult() and friends now make it easier to
2772         pass UseChildrenCalledExplicitly.
2773         
2774         The rest of this patch hoists the call to use() as high as possible for
2775         all of those cases where either flushRegisters() or silentSpillAllRegisters()
2776         may be called.
2777
2778         * dfg/DFGJITCodeGenerator.cpp:
2779         (JSC::DFG::JITCodeGenerator::cachedGetById):
2780         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
2781         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2782         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2783         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2784         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2785         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2786         (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
2787         (JSC::DFG::JITCodeGenerator::emitBranch):
2788         * dfg/DFGJITCodeGenerator.h:
2789         (JSC::DFG::JITCodeGenerator::use):
2790         (JSC::DFG::JITCodeGenerator::integerResult):
2791         (JSC::DFG::JITCodeGenerator::jsValueResult):
2792         (JSC::DFG::IntegerOperand::use):
2793         (JSC::DFG::DoubleOperand::use):
2794         (JSC::DFG::JSValueOperand::use):
2795         * dfg/DFGNonSpeculativeJIT.cpp:
2796         (JSC::DFG::NonSpeculativeJIT::valueToNumber):
2797         (JSC::DFG::NonSpeculativeJIT::valueToInt32):
2798         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
2799         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
2800         (JSC::DFG::NonSpeculativeJIT::compile):
2801         * dfg/DFGSpeculativeJIT.cpp:
2802         (JSC::DFG::SpeculativeJIT::compile):
2803         * dfg/DFGSpeculativeJIT.h:
2804         (JSC::DFG::SpeculateStrictInt32Operand::use):
2805         (JSC::DFG::SpeculateCellOperand::use):
2806
2807 2011-07-19  Xan Lopez  <xlopez@igalia.com>
2808
2809         ARMv7 backend broken, lacks 3 parameter rshift32 method
2810         https://bugs.webkit.org/show_bug.cgi?id=64571
2811
2812         Reviewed by Zoltan Herczeg.
2813
2814         * assembler/MacroAssemblerARMv7.h:
2815         (JSC::MacroAssemblerARMv7::rshift32): add missing rshift32 method.
2816
2817 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
2818
2819         DFG JIT does not optimize strict equality as effectively as the old JIT does.
2820         https://bugs.webkit.org/show_bug.cgi?id=64759
2821
2822         Reviewed by Gavin Barraclough.
2823         
2824         This adds a more complete set of strict equality optimizations.  If either
2825         operand is known numeric, then the code reverts to the old style of optimizing
2826         (first try integer comparison).  Otherwise it uses the old JIT's trick of
2827         first simultaneously checking if both operands are either numbers or cells;
2828         if not then a fast path is taken.
2829
2830         * dfg/DFGJITCodeGenerator.cpp:
2831         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2832         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2833         (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
2834         * dfg/DFGJITCodeGenerator.h:
2835         * dfg/DFGNonSpeculativeJIT.cpp:
2836         (JSC::DFG::NonSpeculativeJIT::compile):
2837         * dfg/DFGOperations.cpp:
2838         * dfg/DFGOperations.h:
2839         * dfg/DFGSpeculativeJIT.cpp:
2840         (JSC::DFG::SpeculativeJIT::compile):
2841
2842 2011-07-18  Gavin Barraclough  <barraclough@apple.com>
2843
2844         https://bugs.webkit.org/show_bug.cgi?id=64760
2845         DFG JIT - Should be able to compile program code.
2846
2847         Reviewed by Geoff Garen.
2848
2849         Add support for op_end, hooks to compile program code in Executable.cpp.
2850
2851         * dfg/DFGByteCodeParser.cpp:
2852         (JSC::DFG::ByteCodeParser::parseBlock):
2853             - Add support for op_end
2854         * dfg/DFGJITCompiler.cpp:
2855         (JSC::DFG::JITCompiler::compileEntry):
2856         (JSC::DFG::JITCompiler::compileBody):
2857         (JSC::DFG::JITCompiler::link):
2858             - Added, separate out steps of compileFunction.
2859         (JSC::DFG::JITCompiler::compile):
2860             - Added, compile program code.
2861         (JSC::DFG::JITCompiler::compileFunction):
2862             - Sections separated out to helper functions.
2863         * dfg/DFGJITCompiler.h:
2864         (JSC::DFG::JITCompiler::JITCompiler):
2865             - Added m_exceptionCheckCount.
2866         * runtime/Executable.cpp:
2867         (JSC::tryDFGCompile):
2868         (JSC::tryDFGCompileFunction):
2869         (JSC::ProgramExecutable::compileInternal):
2870         (JSC::FunctionExecutable::compileForCallInternal):
2871             - Renamed tryDFGCompile to tryDFGCompileFunction, added tryDFGCompile to compile program code.
2872
2873 2011-07-18  Gavin Barraclough  <barraclough@apple.com>
2874
2875         https://bugs.webkit.org/show_bug.cgi?id=64678
2876         Fix bugs in Object.prototype this handling.
2877
2878         Reviewed by Oliver Hunt.
2879
2880         undefined/null this values should throw TypeErrors, not convert to the global object,
2881         also, toLocaleString should be calling ToObject & invoking the object's toString
2882         function, even for values that are already strings.
2883
2884         * runtime/ObjectPrototype.cpp:
2885         (JSC::objectProtoFuncValueOf):
2886         (JSC::objectProtoFuncHasOwnProperty):
2887         (JSC::objectProtoFuncIsPrototypeOf):
2888         (JSC::objectProtoFuncPropertyIsEnumerable):
2889         (JSC::objectProtoFuncToLocaleString):
2890         (JSC::objectProtoFuncToString):
2891
2892 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
2893
2894         JSC GC lazy sweep does not inline the common cases of cell destruction.
2895         https://bugs.webkit.org/show_bug.cgi?id=64745
2896
2897         Reviewed by Oliver Hunt.
2898         
2899         This inlines the case of JSFinalObject destruction.
2900
2901         * heap/MarkedBlock.cpp:
2902         (JSC::MarkedBlock::lazySweep):
2903
2904 2011-07-18  Oliver Hunt  <oliver@apple.com>
2905
2906         Interpreter build-fix
2907
2908         * interpreter/Interpreter.cpp:
2909         (JSC::Interpreter::privateExecute):
2910
2911 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
2912
2913         DFG JIT does not optimize equal-null comparisons and branches.
2914         https://bugs.webkit.org/show_bug.cgi?id=64659
2915
2916         Reviewed by Gavin Barraclough.
2917         
2918         Added a peephole-aware compare-to-null implementation to JITCodeGenerator,
2919         which is used by both the speculative and non-speculative JIT.  Through
2920         the use of the new isNullConstant helper, the two JITs invoke the
2921         nonSpeculativeCompareNull() helper instead of their regular comparison
2922         helpers when compiling CompareEq.  Through the use of the new isKnownCell
2923         helper, the compare-null code will skip the is-a-cell check if the
2924         speculative JIT had been speculating cell.
2925
2926         * dfg/DFGJITCodeGenerator.cpp:
2927         (JSC::DFG::JITCodeGenerator::isKnownCell):
2928         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
2929         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2930         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
2931         * dfg/DFGJITCodeGenerator.h:
2932         (JSC::DFG::JITCodeGenerator::isNullConstant):
2933         * dfg/DFGNonSpeculativeJIT.cpp:
2934         (JSC::DFG::NonSpeculativeJIT::compile):
2935         * dfg/DFGOperations.cpp:
2936         * dfg/DFGSpeculativeJIT.cpp:
2937         (JSC::DFG::SpeculativeJIT::compile):
2938
2939 2011-07-18  James Robinson  <jamesr@chromium.org>
2940
2941         Timer scheduling should be based off the monotonic clock
2942         https://bugs.webkit.org/show_bug.cgi?id=64544
2943
2944         Reviewed by Darin Adler.
2945
2946         Switches ThreadCondition::timedWait and related utility functions from currentTime() to
2947         monotonicallyIncreasingTime().
2948
2949         Add WTF::monotonicallyIncreasingTime() to list of exported functions so it can be accessed from WebCore/WebKit.
2950
2951         * JavaScriptCore.exp:
2952         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2953         * wtf/ThreadingPthreads.cpp:
2954         (WTF::ThreadCondition::timedWait):
2955         * wtf/ThreadingWin.cpp:
2956         (WTF::absoluteTimeToWaitTimeoutInterval):
2957         * wtf/gtk/ThreadingGtk.cpp:
2958         (WTF::ThreadCondition::timedWait):
2959         * wtf/qt/ThreadingQt.cpp:
2960         (WTF::ThreadCondition::timedWait):
2961
2962 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
2963
2964         JSC JIT does not inline GC allocation fast paths
2965         https://bugs.webkit.org/show_bug.cgi?id=64582
2966
2967         Reviewed by Oliver Hunt.
2968
2969         This addresses inlining allocation for the easiest-to-allocate cases:
2970         op_new_object and op_create_this.  Inlining GC allocation fast paths
2971         required three changes.  First, the JSGlobalData now saves the vtable
2972         pointer of JSFinalObject, since that's what op_new_object and
2973         op_create_this allocate.  Second, the Heap exposes a reference to
2974         the appropriate SizeClass, so that the JIT may inline accesses
2975         directly to the SizeClass for JSFinalObject allocations.  And third,
2976         the JIT is extended with code to emit inline fast paths for GC
2977         allocation.  A stub call is emitted in the case where the inline fast
2978         path fails.
2979
2980         * heap/Heap.h:
2981         (JSC::Heap::sizeClassFor):
2982         (JSC::Heap::allocate):
2983         * jit/JIT.cpp:
2984         (JSC::JIT::privateCompileSlowCases):
2985         * jit/JIT.h:
2986         * jit/JITInlineMethods.h:
2987         (JSC::JIT::emitAllocateJSFinalObject):
2988         * jit/JITOpcodes.cpp:
2989         (JSC::JIT::emit_op_new_object):
2990         (JSC::JIT::emitSlow_op_new_object):
2991         (JSC::JIT::emit_op_create_this):
2992         (JSC::JIT::emitSlow_op_create_this):
2993         * jit/JITOpcodes32_64.cpp:
2994         (JSC::JIT::emit_op_new_object):
2995         (JSC::JIT::emitSlow_op_new_object):
2996         (JSC::JIT::emit_op_create_this):
2997         (JSC::JIT::emitSlow_op_create_this):
2998         * runtime/JSGlobalData.cpp:
2999         (JSC::JSGlobalData::storeVPtrs):
3000         * runtime/JSGlobalData.h:
3001         * runtime/JSObject.h:
3002         (JSC::JSFinalObject::JSFinalObject):
3003         (JSC::JSObject::offsetOfInheritorID):
3004
3005 2011-07-18  Mark Hahnenberg  <mhahnenberg@apple.com>
3006
3007         Refactor JSC to replace JSCell::operator new with static create method
3008         https://bugs.webkit.org/show_bug.cgi?id=64466
3009
3010         Reviewed by Oliver Hunt (oliver@apple.com) and Darin Adler (darin@apple.com).
3011
3012         First step in a longer refactoring process to remove the use of
3013         operator new overloading in order to allocate GC objects and to replace
3014         this method with static create methods for each individual type of heap-allocated
3015         JS object.  This particular patch only deals with replacing uses of
3016         operator new within JSC proper.  Future patches will remove it from the
3017         parts that interface with the DOM.  Due to the DOM's continued dependence
3018         on it, operator new has not actually been removed from JSCell.
3019
3020         * API/JSCallbackConstructor.h:
3021         (JSC::JSCallbackConstructor::create):
3022         * API/JSCallbackFunction.h:
3023         (JSC::JSCallbackFunction::create):
3024         * API/JSCallbackObject.h:
3025         (JSC::JSCallbackObject::operator new):
3026         (JSC::JSCallbackObject::create):
3027         * API/JSCallbackObjectFunctions.h:
3028         (JSC::::staticFunctionGetter):
3029         * API/JSClassRef.cpp:
3030         (OpaqueJSClass::prototype):
3031         * API/JSContextRef.cpp:
3032         * API/JSObjectRef.cpp:
3033         (JSObjectMake):
3034         (JSObjectMakeFunctionWithCallback):
3035         (JSObjectMakeConstructor):
3036         * JavaScriptCore.exp:
3037         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3038         * bytecode/CodeBlock.cpp:
3039         (JSC::CodeBlock::createActivation):
3040         * bytecompiler/BytecodeGenerator.cpp:
3041         (JSC::BytecodeGenerator::BytecodeGenerator):
3042         * bytecompiler/BytecodeGenerator.h:
3043         (JSC::BytecodeGenerator::makeFunction):
3044         * bytecompiler/NodesCodegen.cpp:
3045         (JSC::RegExpNode::emitBytecode):
3046         * interpreter/Interpreter.cpp:
3047         (JSC::Interpreter::privateExecute):
3048         (JSC::Interpreter::retrieveArguments):
3049         * jit/JITStubs.cpp:
3050         (JSC::DEFINE_STUB_FUNCTION):
3051         * jsc.cpp:
3052         (GlobalObject::create):
3053         (GlobalObject::GlobalObject):
3054         (functionRun):
3055         (jscmain):
3056         * runtime/Arguments.h:
3057         (JSC::Arguments::create):
3058         (JSC::Arguments::createNoParameters):
3059         * runtime/ArrayConstructor.cpp:
3060         (JSC::constructArrayWithSizeQuirk):
3061         * runtime/ArrayConstructor.h:
3062         (JSC::ArrayConstructor::create):
3063         * runtime/ArrayPrototype.cpp:
3064         (JSC::arrayProtoFuncSplice):
3065         * runtime/ArrayPrototype.h:
3066         (JSC::ArrayPrototype::create):
3067         * runtime/BooleanConstructor.cpp:
3068         (JSC::constructBoolean):
3069         (JSC::constructBooleanFromImmediateBoolean):
3070         * runtime/BooleanConstructor.h:
3071         (JSC::BooleanConstructor::create):
3072         * runtime/BooleanObject.h:
3073         (JSC::BooleanObject::create):
3074         * runtime/BooleanPrototype.h:
3075         (JSC::BooleanPrototype::create):
3076         * runtime/DateConstructor.cpp:
3077         (JSC::constructDate):
3078         * runtime/DateConstructor.h:
3079         (JSC::DateConstructor::create):
3080         * runtime/DateInstance.h:
3081         (JSC::DateInstance::create):
3082         * runtime/DatePrototype.h:
3083         (JSC::DatePrototype::create):
3084         * runtime/Error.cpp:
3085         (JSC::createError):
3086         (JSC::createEvalError):
3087         (JSC::createRangeError):
3088         (JSC::createReferenceError):
3089         (JSC::createSyntaxError):
3090         (JSC::createTypeError):
3091         (JSC::createURIError):
3092         (JSC::StrictModeTypeErrorFunction::create):
3093         (JSC::createTypeErrorFunction):
3094         * runtime/ErrorConstructor.h:
3095         (JSC::ErrorConstructor::create):
3096         * runtime/ErrorInstance.cpp:
3097         (JSC::ErrorInstance::ErrorInstance):
3098         (JSC::ErrorInstance::create):
3099         * runtime/ErrorInstance.h:
3100         * runtime/ErrorPrototype.cpp:
3101         (JSC::ErrorPrototype::ErrorPrototype):
3102         * runtime/ErrorPrototype.h:
3103         (JSC::ErrorPrototype::create):
3104         * runtime/ExceptionHelpers.cpp:
3105         (JSC::InterruptedExecutionError::InterruptedExecutionError):
3106         (JSC::InterruptedExecutionError::create):
3107         (JSC::createInterruptedExecutionException):
3108         (JSC::TerminatedExecutionError::TerminatedExecutionError):
3109         (JSC::TerminatedExecutionError::create):
3110         (JSC::createTerminatedExecutionException):
3111         * runtime/Executable.cpp:
3112         (JSC::FunctionExecutable::FunctionExecutable):
3113         (JSC::FunctionExecutable::fromGlobalCode):
3114         * runtime/Executable.h:
3115         (JSC::ExecutableBase::create):
3116         (JSC::NativeExecutable::create):
3117         (JSC::ScriptExecutable::ScriptExecutable):
3118         (JSC::EvalExecutable::create):
3119         (JSC::ProgramExecutable::create):
3120         (JSC::FunctionExecutable::create):
3121         (JSC::FunctionExecutable::make):
3122         * runtime/FunctionConstructor.cpp:
3123         (JSC::constructFunctionSkippingEvalEnabledCheck):
3124         * runtime/FunctionConstructor.h:
3125         (JSC::FunctionConstructor::create):
3126         * runtime/FunctionPrototype.cpp:
3127         (JSC::FunctionPrototype::addFunctionProperties):
3128         * runtime/FunctionPrototype.h:
3129         (JSC::FunctionPrototype::create):
3130         * runtime/GetterSetter.h:
3131         (JSC::GetterSetter::create):
3132         * runtime/JSAPIValueWrapper.h:
3133         (JSC::JSAPIValueWrapper::create):
3134         (JSC::jsAPIValueWrapper):
3135         * runtime/JSActivation.cpp:
3136         (JSC::JSActivation::argumentsGetter):
3137         * runtime/JSActivation.h:
3138         (JSC::JSActivation::create):
3139         * runtime/JSArray.h:
3140         (JSC::JSArray::create):
3141         * runtime/JSCell.h:
3142         (JSC::JSCell::allocateCell):
3143         * runtime/JSFunction.h:
3144         (JSC::JSFunction::create):
3145         * runtime/JSGlobalObject.cpp:
3146         (JSC::JSGlobalObject::init):
3147         (JSC::JSGlobalObject::reset):
3148         * runtime/JSGlobalObject.h:
3149         (JSC::constructEmptyArray):
3150         (JSC::constructArray):
3151         * runtime/JSNotAnObject.h:
3152         (JSC::JSNotAnObject::create):
3153         * runtime/JSONObject.h:
3154         (JSC::JSONObject::create):
3155         * runtime/JSObject.cpp:
3156         (JSC::JSObject::defineGetter):
3157         (JSC::JSObject::defineSetter):
3158         (JSC::putDescriptor):
3159         * runtime/JSObject.h:
3160         (JSC::JSFinalObject::create):
3161         * runtime/JSPropertyNameIterator.cpp:
3162         (JSC::JSPropertyNameIterator::create):
3163         * runtime/JSPropertyNameIterator.h:
3164         (JSC::JSPropertyNameIterator::create):
3165         * runtime/JSString.cpp:
3166         (JSC::JSString::substringFromRope):
3167         (JSC::JSString::replaceCharacter):
3168         (JSC::StringObject::create):
3169         * runtime/JSString.h:
3170         (JSC::RopeBuilder::JSString):
3171         (JSC::RopeBuilder::create):
3172         (JSC::RopeBuilder::createHasOtherOwner):
3173         (JSC::jsSingleCharacterString):
3174         (JSC::jsSingleCharacterSubstring):
3175         (JSC::jsNontrivialString):
3176         (JSC::jsString):
3177         (JSC::jsSubstring):
3178         (JSC::jsOwnedString):
3179         * runtime/JSValue.cpp:
3180         (JSC::JSValue::toObjectSlowCase):
3181         (JSC::JSValue::synthesizeObject):
3182         (JSC::JSValue::synthesizePrototype):
3183         * runtime/Lookup.cpp:
3184         (JSC::setUpStaticFunctionSlot):
3185         * runtime/MathObject.h:
3186         (JSC::MathObject::create):
3187         * runtime/NativeErrorConstructor.cpp:
3188         (JSC::NativeErrorConstructor::NativeErrorConstructor):
3189         * runtime/NativeErrorConstructor.h:
3190         (JSC::NativeErrorConstructor::create):
3191         * runtime/NativeErrorPrototype.h:
3192         (JSC::NativeErrorPrototype::create):
3193         * runtime/NumberConstructor.cpp:
3194         (JSC::constructWithNumberConstructor):
3195         * runtime/NumberConstructor.h:
3196         (JSC::NumberConstructor::create):
3197         * runtime/NumberObject.cpp:
3198         (JSC::constructNumber):
3199         * runtime/NumberObject.h:
3200         (JSC::NumberObject::create):
3201         * runtime/NumberPrototype.h:
3202         (JSC::NumberPrototype::create):
3203         * runtime/ObjectConstructor.h:
3204         (JSC::ObjectConstructor::create):
3205         * runtime/ObjectPrototype.h:
3206         (JSC::ObjectPrototype::create):
3207         * runtime/Operations.h:
3208         (JSC::jsString):
3209         * runtime/RegExp.cpp:
3210         (JSC::RegExp::RegExp):
3211         (JSC::RegExp::createWithoutCaching):
3212         (JSC::RegExp::create):
3213         * runtime/RegExp.h:
3214         * runtime/RegExpCache.cpp:
3215         (JSC::RegExpCache::lookupOrCreate):
3216         * runtime/RegExpConstructor.cpp:
3217         (JSC::RegExpConstructor::arrayOfMatches):
3218         (JSC::constructRegExp):
3219         * runtime/RegExpConstructor.h:
3220         (JSC::RegExpConstructor::create):
3221         * runtime/RegExpMatchesArray.h:
3222         (JSC::RegExpMatchesArray::create):
3223         * runtime/RegExpObject.h:
3224         (JSC::RegExpObject::create):
3225         * runtime/RegExpPrototype.cpp:
3226         (JSC::regExpProtoFuncCompile):
3227         * runtime/RegExpPrototype.h:
3228         (JSC::RegExpPrototype::create):
3229         * runtime/ScopeChain.h:
3230         (JSC::ScopeChainNode::create):
3231         (JSC::ScopeChainNode::push):
3232         * runtime/SmallStrings.cpp:
3233         (JSC::SmallStrings::createEmptyString):
3234         (JSC::SmallStrings::createSingleCharacterString):
3235         * runtime/StringConstructor.cpp:
3236         (JSC::constructWithStringConstructor):
3237         * runtime/StringConstructor.h:
3238         (JSC::StringConstructor::create):
3239         * runtime/StringObject.h:
3240         (JSC::StringObject::create):
3241         * runtime/StringObjectThatMasqueradesAsUndefined.h:
3242         (JSC::StringObjectThatMasqueradesAsUndefined::create):
3243         * runtime/StringPrototype.cpp:
3244         (JSC::stringProtoFuncMatch):
3245         (JSC::stringProtoFuncSearch):
3246         * runtime/StringPrototype.h:
3247         (JSC::StringPrototype::create):
3248         * runtime/Structure.h:
3249         (JSC::Structure::create):
3250         (JSC::Structure::createStructure):
3251         * runtime/StructureChain.h:
3252         (JSC::StructureChain::create):
3253
3254 2011-07-17  Ryuan Choi  <ryuan.choi@samsung.com>
3255
3256         [EFL] Refactor scheduleDispatchFunctionsOnMainThread to fix crash.
3257         https://bugs.webkit.org/show_bug.cgi?id=64337
3258
3259         Replace ecore_timer_add with Ecore_Pipe.
3260         This is needed because ecore_timer should not be called in a child thread,
3261         but in the main thread.
3262
3263         Reviewed by Antonio Gomes.
3264
3265         * wtf/efl/MainThreadEfl.cpp:
3266         (WTF::pipeObject):
3267         (WTF::monitorDispatchFunctions):
3268         (WTF::initializeMainThreadPlatform):
3269         (WTF::scheduleDispatchFunctionsOnMainThread):
3270
3271 2011-07-17  Filip Pizlo  <fpizlo@apple.com>
3272
3273         DFG JIT operationCompareEqual does not inline JSValue::equalSlowCaseInline.
3274         https://bugs.webkit.org/show_bug.cgi?id=64637
3275
3276         Reviewed by Gavin Barraclough.
3277
3278         * dfg/DFGOperations.cpp:
3279
3280 2011-07-16  Gavin Barraclough  <barraclough@apple.com>
3281
3282         https://bugs.webkit.org/show_bug.cgi?id=64657
3283         Converted this value not preserved when accessed via direct eval.
3284
3285         Reviewed by Oliver Hunt.
3286
3287         Upon entry into a non-strict function, primitive this values should be boxed as Object types
3288         (or substituted with the global object) - which is done by op_convert_this. However we only
3289         do so where this is used lexically within the function (we omit the conversion op if not).
3290         The problem comes if a direct eval (running within the function's scope) accesses the this
3291         value.
3292
3293         We are safe in the case of a single eval, since the this object will be converted within
3294         callEval, however the converted value is not preserved, and a new wrapper object is allocated
3295         each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper
3296         object will be lost between eval statements.
3297
3298         * bytecompiler/BytecodeGenerator.cpp:
3299         (JSC::BytecodeGenerator::BytecodeGenerator):
3300             - If a function uses eval, we always need to convert this.
3301         * interpreter/Interpreter.cpp:
3302         (JSC::Interpreter::execute):
3303             - Don't convert primitive values here - this is too late!
3304         (JSC::Interpreter::privateExecute):
3305             - Changed op_convert_this to call new isPrimitive method.
3306         * jit/JITStubs.cpp:
3307         (JSC::DEFINE_STUB_FUNCTION):
3308             - Changed op_convert_this to call new isPrimitive method.
3309         * runtime/JSCell.h:
3310         (JSC::JSCell::JSValue::isPrimitive):
3311             - Added JSValue::isPrimitive.
3312         * runtime/JSValue.h:
3313             - Added JSValue::isPrimitive.
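
        The receiver handling this entry describes (and the strict-mode `this` rule that the
        2011-07-14 entry below relies on), observed from the script side. This is an added
        example, not WebKit code and not part of the ChangeLog: a non-strict function called
        with a primitive receiver gets it boxed on entry, and a direct eval inside the function
        must see that same wrapper on every invocation, or a property written by one eval is
        lost to the next. The sloppy-mode probes are built with the Function constructor so they
        stay non-strict even if this file is loaded as a strict ES module; `globalThis` is
        assumed to exist (Node 12 or later).

```javascript
// Added example (not JSC/WebKit code): behaviour of a primitive `this` at
// function entry in sloppy vs strict code, and preservation of the boxed
// wrapper across direct evals.

// Sloppy-mode function that never names `this` lexically; only the direct
// evals inside it touch the receiver. Built via the Function constructor so
// it is non-strict regardless of how this file is loaded (assumption).
const sloppyEvalProbe = new Function(`
  var first = eval("this");                 // boxed receiver, e.g. Number(42)
  eval("this.tag = 'set-by-first-eval'");   // mutate the wrapper
  var second = eval("this");                // must be the SAME wrapper
  return {
    isObject: typeof first === "object",    // boxed, not a primitive
    sameWrapper: first === second,          // wrapper preserved between evals
    tagSurvives: eval("this.tag"),          // mutation not lost
    value: first.valueOf()                  // still the original primitive
  };
`);

// Calls the probe with a primitive receiver and reports what the evals saw.
function sloppyEvalSeesOneWrapper() {
  return sloppyEvalProbe.call(42);
}

// Strict-mode function: no boxing at all. A primitive receiver stays a
// primitive and a plain call (no base object, no `with`) receives undefined
// rather than the global object.
function strictThisIsUntouched() {
  function probe() {
    "use strict";
    return typeof this;
  }
  return { primitive: probe.call(42), plainCall: probe() };
}

// Sloppy-mode plain call for contrast: an undefined receiver is substituted
// with the global object, which is exactly what strict code must not leak.
const sloppyPlainProbe = new Function("return this === globalThis;");
function sloppyPlainCallGetsGlobal() {
  return sloppyPlainProbe();
}
```

        A correct engine returns `sameWrapper: true` and `tagSurvives: 'set-by-first-eval'`
        from `sloppyEvalSeesOneWrapper()`; the bug this entry fixes would have produced a fresh
        wrapper per eval, so the tag written by the first eval would be gone by the third.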
3314
3315 2011-07-16  Filip Pizlo  <fpizlo@apple.com>
3316
3317         DFG JIT compare/branch code emits is-integer tests even when a value is
3318         definitely not an integer.
3319         https://bugs.webkit.org/show_bug.cgi?id=64654
3320
3321         Reviewed by Gavin Barraclough.
3322         
3323         Added the isKnownNotInteger() method, which returns true if a node is
3324         definitely not an integer and will always fail any is-integer test.  Then
3325         modified the compare and branch code to use this method; if it returns
3326         true then is-int tests are omitted and the compiler always emits a slow
3327         call.
3328
3329         * dfg/DFGJITCodeGenerator.cpp:
3330         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
3331         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3332         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
3333         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
3334         * dfg/DFGJITCodeGenerator.h:
3335         * dfg/DFGSpeculativeJIT.cpp:
3336         (JSC::DFG::SpeculativeJIT::compare):
3337
3338 2011-07-16  Filip Pizlo  <fpizlo@apple.com>
3339
3340         DFG speculative JIT has dead code for slow calls for branches.
3341         https://bugs.webkit.org/show_bug.cgi?id=64653
3342
3343         Reviewed by Gavin Barraclough.
3344         
3345         Removed SpeculativeJIT::compilePeepHoleCall.
3346
3347         * dfg/DFGSpeculativeJIT.cpp:
3348         * dfg/DFGSpeculativeJIT.h:
3349
3350 2011-07-15  Mark Rowe  <mrowe@apple.com>
3351
3352         Fix the build.
3353
3354         * dfg/DFGGraph.h:
3355
3356 2011-07-15  Gavin Barraclough  <barraclough@apple.com>
3357
3358         NativeError.prototype objects have [[Class]] of "Object" but should be "Error"
3359         https://bugs.webkit.org/show_bug.cgi?id=55346
3360
3361         Reviewed by Sam Weinig.
3362
3363         * runtime/ErrorPrototype.cpp:
3364         (JSC::ErrorPrototype::ErrorPrototype):
3365             - Switch to putDirect since we're not the only ones transitioning this Structure now.
3366         * runtime/NativeErrorPrototype.cpp:
3367         (JSC::NativeErrorPrototype::NativeErrorPrototype):
3368         * runtime/NativeErrorPrototype.h:
3369             - Switch base class to ErrorPrototype.
3370
3371 2011-07-15  Gavin Barraclough  <barraclough@apple.com>
3372
3373         DFG JIT - Where arguments passed are integers, speculate this.
3374         https://bugs.webkit.org/show_bug.cgi?id=64630
3375
3376         Reviewed by Sam Weinig.
3377
3378         Presently the DFG JIT is overly aggressively predicting double.
3379         Use a bit of dynamic information, and curtail this a little.
3380
3381         * dfg/DFGGraph.cpp:
3382         (JSC::DFG::Graph::predictArgumentTypes):
3383             - Check for integer arguments.
3384         * dfg/DFGGraph.h:
3385             - Function declaration.
3386         * runtime/Executable.cpp:
3387         (JSC::tryDFGCompile):
3388         (JSC::FunctionExecutable::compileForCallInternal):
3389             - Add call to predictArgumentTypes.
3390
3391 2011-07-15  Filip Pizlo  <fpizlo@apple.com>
3392
3393         DFG JIT is inconsistent about fusing branches and speculating
3394         integer comparisons for branches.
3395         https://bugs.webkit.org/show_bug.cgi?id=64573
3396
3397         Reviewed by Gavin Barraclough.
3398         
3399         This patch moves some of NonSpeculativeJIT's functionality up into the
3400         JITCodeGenerator superclass so that it can be used from both JITs.  Now,
3401         in cases where the speculative JIT doesn't want to speculate but still
3402         wants to emit good code, it can reliably emit the same code sequence as
3403         the non-speculative JIT.  This patch also extends the non-speculative
3404         JIT's compare optimizations to include compare/branch fusing, and
3405         extends the speculative JIT's compare optimizations to cover StrictEqual.
3406
3407         * dfg/DFGJITCodeGenerator.cpp:
3408         (JSC::DFG::JITCodeGenerator::isKnownInteger):
3409         (JSC::DFG::JITCodeGenerator::isKnownNumeric):
3410         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3411         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
3412         * dfg/DFGJITCodeGenerator.h:
3413         (JSC::DFG::JITCodeGenerator::detectPeepHoleBranch):
3414         * dfg/DFGNonSpeculativeJIT.cpp:
3415         (JSC::DFG::NonSpeculativeJIT::compile):
3416         * dfg/DFGNonSpeculativeJIT.h:
3417         * dfg/DFGOperations.cpp:
3418         * dfg/DFGSpeculativeJIT.cpp:
3419         (JSC::DFG::SpeculativeJIT::compare):
3420         (JSC::DFG::SpeculativeJIT::compile):
3421         * dfg/DFGSpeculativeJIT.h:
3422         * wtf/Platform.h:
3423
3424 2011-07-14  Gavin Barraclough  <barraclough@apple.com>
3425
3426         https://bugs.webkit.org/show_bug.cgi?id=64250
3427         Global strict mode function leaking global object as "this".
3428
3429         Reviewed by Oliver Hunt.
3430
3431         The root problem here is that we pass the wrong values into
3432         calls, and then try to fix them up in the callee. Correct
3433         behaviour per the spec is to pass in the value undefined,
3434         as this unless either (1) the function call is based on an
3435         explicit property access or (2) the base of the call comes
3436         directly from a 'with'.
3437
3438         This change does away with the need for this conversion of
3439         objects (non strict code should only box primitives), and
3440         does away with all this conversion for strict functions.
3441
3442         This patch may have web compatibility ramifications, and may
3443         require some advocacy.
3444
3445         * bytecode/CodeBlock.cpp:
3446         (JSC::CodeBlock::dump):
3447      &