[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2011-08-19  Beth Dakin  <bdakin@apple.com>
2
3         https://bugs.webkit.org/show_bug.cgi?id=66590
4         Re-name scrollbar painter types
5
6         Reviewed by Sam Weinig.
7
8         WTF_USE_WK_SCROLLBAR_PAINTER is now WTF_USE_SCROLLBAR_PAINTER since WK no longer 
9         applies.
10         * wtf/Platform.h:
11
12 2011-08-18  Mark Hahnenberg  <mhahnenberg@apple.com>
13
14         Move allocation in constructors into separate constructorBody() methods
15         https://bugs.webkit.org/show_bug.cgi?id=66265
16
17         Reviewed by Oliver Hunt.
18
19         Refactoring to put all allocations that need to be done after the object's 
20         initialization list has executed but before the object is ready for use 
21         into a separate constructorBody() method.  This method is still called by the constructor, 
22         so the patch doesn't resolve any potential issues, it's just to set up the code for further refactoring.
23
24         * JavaScriptCore.exp:
25         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
26         * jsc.cpp:
27         (GlobalObject::constructorBody):
28         (GlobalObject::GlobalObject):
29         * runtime/ErrorInstance.cpp:
30         (JSC::ErrorInstance::ErrorInstance):
31         * runtime/ErrorInstance.h:
32         (JSC::ErrorInstance::constructorBody):
33         * runtime/ErrorPrototype.cpp:
34         (JSC::ErrorPrototype::ErrorPrototype):
35         (JSC::ErrorPrototype::constructorBody):
36         * runtime/ErrorPrototype.h:
37         * runtime/Executable.cpp:
38         (JSC::FunctionExecutable::FunctionExecutable):
39         * runtime/Executable.h:
40         (JSC::FunctionExecutable::constructorBody):
41         * runtime/InternalFunction.cpp:
42         (JSC::InternalFunction::InternalFunction):
43         * runtime/InternalFunction.h:
44         (JSC::InternalFunction::constructorBody):
45         * runtime/JSByteArray.cpp:
46         (JSC::JSByteArray::JSByteArray):
47         * runtime/JSByteArray.h:
48         (JSC::JSByteArray::constructorBody):
49         * runtime/JSFunction.cpp:
50         (JSC::JSFunction::JSFunction):
51         (JSC::JSFunction::constructorBody):
52         * runtime/JSFunction.h:
53         * runtime/JSGlobalObject.h:
54         (JSC::JSGlobalObject::JSGlobalObject):
55         (JSC::JSGlobalObject::constructorBody):
56         * runtime/JSPropertyNameIterator.cpp:
57         (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
58         * runtime/JSPropertyNameIterator.h:
59         (JSC::JSPropertyNameIterator::constructorBody):
60         * runtime/JSString.h:
61         (JSC::RopeBuilder::JSString):
62         (JSC::RopeBuilder::constructorBody):
63         * runtime/NativeErrorConstructor.cpp:
64         (JSC::NativeErrorConstructor::NativeErrorConstructor):
65         * runtime/NativeErrorConstructor.h:
66         (JSC::NativeErrorConstructor::constructorBody):
67         * runtime/NativeErrorPrototype.cpp:
68         (JSC::NativeErrorPrototype::NativeErrorPrototype):
69         (JSC::NativeErrorPrototype::constructorBody):
70         * runtime/NativeErrorPrototype.h:
71         * runtime/StringObject.cpp:
72         * runtime/StringObject.h:
73         (JSC::StringObject::create):
74         * runtime/StringObjectThatMasqueradesAsUndefined.h:
75         (JSC::StringObjectThatMasqueradesAsUndefined::create):
76         (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
77         * runtime/StringPrototype.cpp:
78         (JSC::StringPrototype::StringPrototype):
79         * runtime/StringPrototype.h:
80         (JSC::StringPrototype::create):
81
82 2011-08-10  Filip Pizlo  <fpizlo@apple.com>
83
84         DFG non-speculative JIT does not inline the double case of ValueAdd
85         https://bugs.webkit.org/show_bug.cgi?id=66025
86
87         Reviewed by Gavin Barraclough.
88         
89         This is a 1.3% win on Kraken overall, with >=8% speed-ups on a few
90         benchmarks (imaging-darkroom, stanford-crypto-pbkdf2,
91         stanford-crypto-sha256-iterative).  It looks like it might have
92         a speed-up in SunSpider (though not statistically significant or
93         particularly reproducible) and a slight slow-down in V8 (0.14%,
94         not statistically significant).  It does slow down v8-crypto by
95         1.5%.
96
97         * dfg/DFGJITCodeGenerator.cpp:
98         (JSC::DFG::JITCodeGenerator::isKnownInteger):
99         (JSC::DFG::JITCodeGenerator::isKnownNumeric):
100         * dfg/DFGNonSpeculativeJIT.cpp:
101         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
102         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
103         * dfg/DFGOperations.cpp:
104
105 2011-08-18  Filip Pizlo  <fpizlo@apple.com>
106
107         [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
108         https://bugs.webkit.org/show_bug.cgi?id=66426
109
110         Reviewed by Oliver Hunt.
111         
112         Changed the branchTestPtr to branchTest32.
113
114         * dfg/DFGSpeculativeJIT.cpp:
115         (JSC::DFG::SpeculativeJIT::compile):
116
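The entry above records only the fix (test 32 bits, not pointer width). The C program below is an added illustration, not JavaScriptCore code, of why the width matters. It assumes a boxed-integer layout modelled on JSC's 64-bit JSValue, in which an int32 occupies the low 32 bits under a non-zero tag; the entry itself does not say what the upper bits held at the faulty site. Under that assumption a full-register zero test never fires for a boxed zero divisor, while a 32-bit test does. The names box_int32, is_zero_ptr_width, is_zero_32, checked_div and guard_rejects_boxed_zero are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed boxed-integer layout, modelled on JSC's 64-bit JSValue: the int32
   occupies the low 32 bits and the high 32 bits carry a non-zero tag. */
#define INT32_TAG 0xFFFF000000000000ULL

uint64_t box_int32(int32_t v)
{
    return INT32_TAG | (uint32_t)v;
}

int32_t unbox_int32(uint64_t boxed)
{
    return (int32_t)(uint32_t)boxed;
}

/* Pointer-width zero test (branchTestPtr semantics). The tag bits keep this
   from ever being true for a boxed integer, including a boxed zero. */
bool is_zero_ptr_width(uint64_t reg)
{
    return reg == 0;
}

/* 32-bit zero test (branchTest32 semantics): looks only at the payload. */
bool is_zero_32(uint64_t reg)
{
    return (uint32_t)reg == 0;
}

/* Integer division guarded by a caller-chosen zero test. Returns 0 and stores
   the quotient on success, -1 when the guard sees a zero divisor, and -2 for
   INT32_MIN / -1, which overflows. With the wrong guard and a boxed zero
   divisor the hardware divide is reached: the crash class the fuzzer hit. */
int checked_div(uint64_t dividend, uint64_t divisor,
                bool (*is_zero)(uint64_t), int32_t *quotient)
{
    if (is_zero(divisor))
        return -1;
    int32_t a = unbox_int32(dividend);
    int32_t b = unbox_int32(divisor);
    if (a == INT32_MIN && b == -1)
        return -2;
    *quotient = a / b;
    return 0;
}

/* Does the given guard reject a boxed zero divisor? */
bool guard_rejects_boxed_zero(bool (*is_zero)(uint64_t))
{
    return is_zero(box_int32(0));
}
```

Calling checked_div with is_zero_ptr_width and box_int32(0) as the divisor is deliberately not exercised: that path performs the division by zero, which is exactly what the 32-bit test now prevents.
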
117 2011-08-17  Thouraya ANDOLSI  <thouraya.andolsi@st.com>
118
119         https://bugs.webkit.org/show_bug.cgi?id=66379
120         Implements the load32WithCompactAddressOffsetPatch function
121         and fixes the store32 and moveWithPatch functions for SH4 platforms.
122
123         Reviewed by Gavin Barraclough.
124
125         * assembler/MacroAssemblerSH4.h:
126         (JSC::MacroAssemblerSH4::rshift32):
127         (JSC::MacroAssemblerSH4::store32):
128         (JSC::MacroAssemblerSH4::load32WithCompactAddressOffsetPatch):
129         (JSC::MacroAssemblerSH4::moveWithPatch):
130         * assembler/SH4Assembler.h:
131         (JSC::SH4Assembler::movlMemRegCompact):
132         (JSC::SH4Assembler::readPointer):
133         (JSC::SH4Assembler::repatchCompact):
134         * jit/JIT.h:
135
136 2011-08-17  Filip Pizlo  <fpizlo@apple.com>
137
138         JSC verbose debugging output sometimes doesn't work as expected.
139         https://bugs.webkit.org/show_bug.cgi?id=66107
140
141         Reviewed by Gavin Barraclough.
142         
143         Hardened the CodeBlock::dump() code so that it no longer crashes.  Improved
144         the DFG verbose code so that it prints slightly more useful information.
145
146         * assembler/LinkBuffer.h:
147         (JSC::LinkBuffer::debugSize):
148         * bytecode/CodeBlock.cpp:
149         (JSC::valueToSourceString):
150         (JSC::CodeBlock::dump):
151         * bytecode/CodeBlock.h:
152         (JSC::CodeBlock::numberOfRegExps):
153         * dfg/DFGJITCompiler.cpp:
154         (JSC::DFG::JITCompiler::link):
155
156 2011-08-16  Michael Saboff  <msaboff@apple.com>
157
158         Crash in Structure::visitChildren running iAd.js regression test suite under memory pressure
159         https://bugs.webkit.org/show_bug.cgi?id=66351
160
161         JIT::privateCompilePutByIdTransition expects that regT0 and regT1
162         have the basePayload and baseTag respectively.  In some cases,
163         we may get to this generated code with one or both of these
164         registers trashed.  One known case is that regT0 on ARM may be
165         trashed as regT0 (r0) is also arg0 and can be overrun with sp due
166         to calls to JIT::restoreReturnAddress().  This patch uses the
167         values on the stack.  A longer term solution is to work out all
168         cases so that the register entry assumptions can be assured.
169
170         While fixing this, also determined that the additional stack offset
171         of sizeof(void*) is not needed for ARM.
172
173         Reviewed by Gavin Barraclough.
174
175         * jit/JITPropertyAccess32_64.cpp:
176         (JSC::JIT::privateCompilePutByIdTransition):
177
178 2011-08-15  Gavin Barraclough  <barraclough@apple.com>
179
180         https://bugs.webkit.org/show_bug.cgi?id=66263
181         DFG JIT does not always zero extend boolean result of DFG operations
182
183         Reviewed by Sam Weinig.
184
185         * dfg/DFGOperations.cpp:
186         * dfg/DFGOperations.h:
187             - Change bool return values to a 64-bit type.
188
189 2011-08-15  Gavin Barraclough  <barraclough@apple.com>
190
191         Crash accessing static property on sealed object
192         https://bugs.webkit.org/show_bug.cgi?id=66242
193
194         Reviewed by Sam Weinig.
195
196         * runtime/JSObject.h:
197         (JSC::JSObject::putDirectInternal):
198             - should only check isExtensible if checkReadOnly.
199
200 2011-08-15  Sam Weinig  <sam@webkit.org>
201
202         Fix release build when building with Clang.
203
204         Reviewed by Anders Carlsson.
205
206         * runtime/Identifier.cpp:
207         (JSC::Identifier::checkCurrentIdentifierTable):
208         Add NO_RETURN_DUE_TO_CRASH.
209
210 2011-08-15  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>
211
212         Reviewed by Nikolas Zimmermann.
213
214         Speed up SVGSMILElement::findInstanceTime.
215         https://bugs.webkit.org/show_bug.cgi?id=61025
216
217         Add a new parameter to the StdLibExtras.h binarySearch function
218         to also handle cases when the array does not contain the key value.
219         This is needed for an SVG function.
220
221         * wtf/StdLibExtras.h:
222         (WTF::binarySearch):
223
224 2011-08-13  Sam Weinig  <sam@webkit.org>
225
226         Add back 0xbbadbeef to CRASH to allow for old habits
227         https://bugs.webkit.org/show_bug.cgi?id=66190
228
229         Reviewed by David Kilzer.
230
231         * wtf/Assertions.h:
232         Add back the assignment to the memory address 0xbbadbeef in the CRASH
233         macro, as it does not cause an issue in the clang static analyzer and many
234         people use its presence in crash reports to easily identify ASSERTs. 
235
236 2011-08-13  Sam Weinig  <sam@webkit.org>
237
238         Fix a bunch of minor bugs caught by the clang static analyzer in JavaScriptCore
239         https://bugs.webkit.org/show_bug.cgi?id=66182
240
241         Reviewed by Dan Bernstein.
242
243         Fixes 10 warnings in JavaScriptCore and 2 in testapi.
244
245         * API/tests/testapi.c:
246         (main):
247         Remove dead variables.
248
249         * dfg/DFGGraph.cpp:
250         (JSC::DFG::Graph::dump):
251         Initialize hasPrinted and silence an unused warning by casting to void (Ok here
252         since it is debug code and I want to keep it clear that if other cases are added,
253         the hasPrinted flag would be needed).
254
255         * wtf/dtoa.cpp:
256         (WTF::d2b):
257         The variable "de" in the else block is always zero, so there is no reason to
258         use it.
259
260 2011-08-12  Sam Weinig  <sam@webkit.org>
261
262         Use __builtin_trap() for CRASH when building with clang
263         https://bugs.webkit.org/show_bug.cgi?id=66152
264
265         Reviewed by Anders Carlsson.
266
267         * wtf/Assertions.h:
268         Add a Clang-specific CRASH macro that calls __builtin_trap() instead
269         of silly techniques to crash. This allows the static analyzer to understand
270         that we are intentionally crashing. As a result, we need to mark some functions
271         as not returning.
272
273         Also adds a macro that annotates a function as never returning due to ASSERT or CRASH.
274
275         * wtf/Compiler.h:
276         Add COMPILER(CLANG) and fix some formatting and spelling mistakes.
277
278         * wtf/FastMalloc.cpp:
279         (WTF::Internal::fastMallocMatchFailed):
280         Add NO_RETURN_DUE_TO_CRASH.
281
282         * yarr/YarrParser.h:
283         (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
284         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
285         Add NO_RETURN_DUE_TO_ASSERT.
286
287 2011-08-12  Filip Pizlo  <fpizlo@apple.com>
288
289         DFG JIT has inconsistent use of boxDouble and unboxDouble,
290         inconsistent use of assertions regarding doubles, and those
291         assertions are not turned on in debug builds
292         https://bugs.webkit.org/show_bug.cgi?id=66160
293
294         Reviewed by Gavin Barraclough.
295         
296         JIT assertions are now turned on in debug builds.  JIT
297         assertions are now used for boxing and unboxing doubles, and boxing
298         and unboxing no longer involves code duplication.
299
300         * dfg/DFGJITCodeGenerator.cpp:
301         (JSC::DFG::JITCodeGenerator::fillDouble):
302         * dfg/DFGJITCodeGenerator.h:
303         (JSC::DFG::JITCodeGenerator::boxDouble):
304         (JSC::DFG::JITCodeGenerator::unboxDouble):
305         * dfg/DFGJITCompiler.cpp:
306         (JSC::DFG::JITCompiler::fillNumericToDouble):
307         (JSC::DFG::GeneralizedRegister::moveTo):
308         (JSC::DFG::GeneralizedRegister::swapWith):
309         * dfg/DFGJITCompiler.h:
310         (JSC::DFG::JITCompiler::boxDouble):
311         (JSC::DFG::JITCompiler::unboxDouble):
312         * dfg/DFGNode.h:
313         * dfg/DFGNonSpeculativeJIT.cpp:
314         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
315         (JSC::DFG::NonSpeculativeJIT::compile):
316         * dfg/DFGSpeculativeJIT.cpp:
317         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
318         (JSC::DFG::SpeculativeJIT::convertToDouble):
319
320 2011-08-12  Mark Rowe  <mrowe@apple.com>
321
322         Be more forward-looking in the choice of compiler.
323
324         Rubber-stamped by Jon Honeycutt.
325
326         * Configurations/CompilerVersion.xcconfig:
327
328 2011-08-12  Kalev Lember  <kalevlember@gmail.com>
329
330         [GTK] Fix non-pthreads build after r91906.
331         https://bugs.webkit.org/show_bug.cgi?id=66151
332
333         Reviewed by David Levin.
334
335         r91906 broke the non-pthreads GTK+ build by including a header which
336         doesn't exist. Fix it by including DateMath.h instead of DateMap.h.
337
338         * wtf/gtk/ThreadingGtk.cpp:
339
340 2011-08-12  Mark Rowe  <mrowe@apple.com>
341
342         Update some configuration settings that were missed back in r92432.
343
344         * Configurations/CompilerVersion.xcconfig:
345
346 2011-08-12  Filip Pizlo  <fpizlo@apple.com>
347
348         REGRESSION (r91610?): Bing Maps fail to initialize (InvalidOperation:
349         Matrix3D.invert)
350         https://bugs.webkit.org/show_bug.cgi?id=66038
351
352         Reviewed by Gavin Barraclough.
353         
354         Simplest and lowest-impact fix for the case where the spilled format
355         of a DFG node differs from the register format: if the format is
356         converted then indicate that the spilled value is no longer valid
357         ("kill the spill").
358
359         * dfg/DFGGenerationInfo.h:
360         (JSC::DFG::GenerationInfo::killSpilled):
361         * dfg/DFGJITCodeGenerator.cpp:
362         (JSC::DFG::JITCodeGenerator::fillDouble):
363         * dfg/DFGSpeculativeJIT.cpp:
364         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
365
366 2011-08-12  Sam Weinig  <sam@webkit.org>
367
368         Move compiler specific macros to their own header
369         https://bugs.webkit.org/show_bug.cgi?id=66119
370
371         Reviewed by Anders Carlsson.
372
373         * JavaScriptCore.gypi:
374         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
375         * JavaScriptCore.xcodeproj/project.pbxproj:
376         * wtf/CMakeLists.txt:
377         Add Compiler.h
378
379         * wtf/AlwaysInline.h:
380         Move the contents of this file (which was no longer just about ALWAYS_INLINE) to
381         Compiler.h.  We can remove this file in a later commit.
382
383         * wtf/Compiler.h: Added.
384         Put all compiler specific checks and features in this file.
385
386         * wtf/Platform.h:
387         Move COMPILER macro and definitions (and the odd WARN_UNUSED_RETURN compiler feature)
388         to Compiler.h.  Include Compiler.h since it is necessary.
389
390 2011-08-11  Filip Pizlo  <fpizlo@apple.com>
391
392         DFG JIT-specific structure stub info code offset fields are signed
393         8-bit, but it is possible for the offsets to be greater than 127
394         https://bugs.webkit.org/show_bug.cgi?id=66122
395
396         Reviewed by Gavin Barraclough.
397
398         * bytecode/StructureStubInfo.h:
399         * dfg/DFGJITCodeGenerator.cpp:
400         (JSC::DFG::JITCodeGenerator::cachedGetById):
401         (JSC::DFG::JITCodeGenerator::cachedPutById):
402
403 2011-08-11  Filip Pizlo  <fpizlo@apple.com>
404
405         DFG JIT speculation failure code sometimes picks the wrong register
406         as a scratch register.
407         https://bugs.webkit.org/show_bug.cgi?id=66104
408
409         Reviewed by Gavin Barraclough.
410         
411         Hardened the code with more assertions and fixed the bug.  Now a
412         spilled register is only used for scratch if it also isn't being
413         used for shuffling.
414
415         * dfg/DFGJITCompiler.cpp:
416         (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
417         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
418
419 2011-08-11  Sheriff Bot  <webkit.review.bot@gmail.com>
420
421         Unreviewed, rolling out r92880.
422         http://trac.webkit.org/changeset/92880
423         https://bugs.webkit.org/show_bug.cgi?id=66123
424
425         Breaks compile in VS2010 (Requested by jamesr_ on #webkit).
426
427         * wtf/PassRefPtr.h:
428
429 2011-08-11  Mark Rowe  <mrowe@apple.com>
430
431         Don't conditionalize the use of -fomit-frame-pointer on compiler version as
432         all of our supported compilers are now new enough to have the same, sane behavior.
433
434         Rubber-stamped by Sam Weinig.
435
436         * Configurations/JavaScriptCore.xcconfig:
437
438 2011-08-11  Filip Pizlo  <fpizlo@apple.com>
439
440         DFG JIT verbose mode does not report the generated types of nodes
441         https://bugs.webkit.org/show_bug.cgi?id=65830
442
443         Reviewed by Sam Weinig.
444         
445         Added code that prints the type selected for each node's result.
446
447         * dfg/DFGGenerationInfo.h:
448         (JSC::DFG::dataFormatToString):
449         * dfg/DFGNonSpeculativeJIT.cpp:
450         (JSC::DFG::NonSpeculativeJIT::compile):
451         * dfg/DFGSpeculativeJIT.cpp:
452         (JSC::DFG::SpeculativeJIT::compile):
453
454 2011-08-11  James Robinson  <jamesr@chromium.org>
455
456         nullptr can't be used for PassRefPtr
457         https://bugs.webkit.org/show_bug.cgi?id=66024
458
459         Reviewed by Anders Carlsson.
460
461         * wtf/PassRefPtr.h:
462         (WTF::PassRefPtr::PassRefPtr):
463
464 2011-08-11  Daniel Bates  <dbates@rim.com>
465
466         Removed unused variable in StackBounds::initialize() to resolve
467         compiler warning when building on QNX.
468         https://bugs.webkit.org/show_bug.cgi?id=66072
469
470         Reviewed by Antonio Gomes.
471
472         * wtf/StackBounds.cpp:
473         (WTF::StackBounds::initialize):
474
475 2011-08-11  Devdatta Deshpande  <pwjd73@motorola.com>
476
477         Implementation of monotonically increasing clock on GTK
478         https://bugs.webkit.org/show_bug.cgi?id=62175
479
480         Reviewed by Martin Robinson.
481
482         * wtf/CurrentTime.cpp:
483         (WTF::monotonicallyIncreasingTime):
484         The default implementation of monotonicallyIncreasingTime only
485         guarantees the result to be non-decreasing.
486         If the system time is changed to the past, then the default implementation will
487         still fail and WebCore timers will not fire.
488
489 2011-08-10  Geoffrey Garen  <ggaren@apple.com>
490
491         Removed some incorrect code that was dead.
492
493         Reviewed by Oliver Hunt.
494
495         clearSingleTransition() wasn't resetting m_data. Luckily,
496         no one cares, because its caller was unused. Removed both.
497
498         * runtime/Structure.cpp:
499         * runtime/StructureTransitionTable.h:
500         (JSC::StructureTransitionTable::~StructureTransitionTable):
501
502 2011-08-10  Filip Pizlo  <fpizlo@apple.com>
503
504         REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
505         https://bugs.webkit.org/show_bug.cgi?id=66010
506
507         Reviewed by Oliver Hunt.
508         
509         Made sure that Construct calls use() on the this argument.
510
511         * dfg/DFGJITCodeGenerator.cpp:
512         (JSC::DFG::JITCodeGenerator::emitCall):
513
514 2011-08-10  Mark Hahnenberg  <mhahnenberg@apple.com>
515
516         JSC should always throw when function arg list is too long
517         https://bugs.webkit.org/show_bug.cgi?id=65869
518
519         Reviewed by Oliver Hunt.
520
521         Changed the behavior of the interpreter and JIT to throw an exception 
522         when too many arguments are passed rather than truncating the list.  Added 
523         a new method to create a "Too many arguments." exception used by this 
524         new functionality.
525
526         * interpreter/Interpreter.cpp:
527         (JSC::Interpreter::privateExecute):
528         * jit/JITStubs.cpp:
529         (JSC::DEFINE_STUB_FUNCTION):
530         * runtime/ExceptionHelpers.cpp:
531         (JSC::createTooManyParamsError):
532         * runtime/ExceptionHelpers.h:
533
534 2011-08-10  Oliver Hunt  <oliver@apple.com>
535
536         Make GC checks more aggressive in release builds
537         https://bugs.webkit.org/show_bug.cgi?id=66001
538
539         Reviewed by Gavin Barraclough.
540
541         * heap/HandleHeap.cpp:
542         (JSC::HandleHeap::visitStrongHandles):
543         (JSC::HandleHeap::visitWeakHandles):
544         (JSC::HandleHeap::finalizeWeakHandles):
545         (JSC::HandleHeap::writeBarrier):
546         (JSC::HandleHeap::isLiveNode):
547         (JSC::HandleHeap::isValidWeakNode):
548            Increase handle heap validation logic, and make some of
549            the crashes trigger in release builds as well as debug.
550         * heap/HandleHeap.h:
551         (JSC::HandleHeap::allocate):
552         (JSC::HandleHeap::makeWeak):
553            Ditto
554         * runtime/JSGlobalData.cpp:
555         (WTF::Recompiler::operator()):
556         * runtime/JSGlobalObject.cpp:
557         (JSC::JSGlobalObject::visitChildren):
558            Fix GC bugs found while testing this patch
559
560 2011-08-10  Oliver Hunt  <oliver@apple.com>
561
562         JSEvaluateScript does not return the correct object when given JSONP data
563         https://bugs.webkit.org/show_bug.cgi?id=66003
564
565         Reviewed by Gavin Barraclough.
566
567         Make sure we propagate the result of the function call rather than the
568         argument.
569
570         * interpreter/Interpreter.cpp:
571         (JSC::Interpreter::execute):
572
573 2011-08-10  Filip Pizlo  <fpizlo@apple.com>
574
575         DFG JIT heap prediction causes regressions when combined with
576         aggressive integer prediction
577         https://bugs.webkit.org/show_bug.cgi?id=65954
578
579         Reviewed by Gavin Barraclough.
580         
581         Disabled heap prediction, but did not remove the capability.
582         This improves V8 crypto performance by 20%.
583
584         * dfg/DFGGraph.h:
585         (JSC::DFG::Graph::predict):
586
587 2011-08-09  Filip Pizlo  <fpizlo@apple.com>
588
589         DFG JIT does not speculate integers as aggressively as it should
590         https://bugs.webkit.org/show_bug.cgi?id=65949
591
592         Reviewed by Gavin Barraclough.
593         
594         Added a tree walk to propagate integer predictions through arithmetic
595         expressions.
596         
597         This is a 71% speed-up on Kraken's imaging-gaussian-blur, which
598         translates to a 19% speed-up on Kraken overall.  It's neutral on
599         other benchmarks.
600
601         * dfg/DFGByteCodeParser.cpp:
602         (JSC::DFG::ByteCodeParser::predictInt32):
603
604 2011-08-09  Filip Pizlo  <fpizlo@apple.com>
605
606         DFG JIT has no way of propagating predictions to loads and calls
607         https://bugs.webkit.org/show_bug.cgi?id=65883
608
609         Reviewed by Gavin Barraclough.
610         
611         This introduces the capability to store predictions on graph
612         nodes.  To save space while being somewhat consistent, the
613         prediction is always stored in the second OpInfo slot (since
614         a GetById will use the first one for the identifier).  This
615         change is a natural extension of r92593 (global variable
616         prediction).
617         
618         This is a 1.5% win on V8 in the arithmetic mean, and a 0.6%
619         win on V8 in the geometric mean.  It is neutral on SunSpider
620         and Kraken.  Interestingly, on V8 it regresses crypto by 3%
621         while progressing deltablue and richards by 2.6% and 4.3%,
622         respectively.
623
624         * dfg/DFGByteCodeParser.cpp:
625         (JSC::DFG::ByteCodeParser::addToGraph):
626         (JSC::DFG::ByteCodeParser::addCall):
627         (JSC::DFG::ByteCodeParser::parseBlock):
628         * dfg/DFGGraph.cpp:
629         (JSC::DFG::Graph::dump):
630         * dfg/DFGGraph.h:
631         (JSC::DFG::Graph::predict):
632         (JSC::DFG::Graph::getPrediction):
633         * dfg/DFGNode.h:
634         (JSC::DFG::isCellPrediction):
635         (JSC::DFG::isArrayPrediction):
636         (JSC::DFG::isInt32Prediction):
637         (JSC::DFG::isDoublePrediction):
638         (JSC::DFG::isNumberPrediction):
639         (JSC::DFG::predictionToString):
640         (JSC::DFG::Node::Node):
641         (JSC::DFG::Node::hasPrediction):
642         (JSC::DFG::Node::getPrediction):
643         (JSC::DFG::Node::predict):
644
645 2011-08-09  Filip Pizlo  <fpizlo@apple.com>
646
647         DFG JIT passes the this argument to constructors even though
648         it's not necessary
649         https://bugs.webkit.org/show_bug.cgi?id=65943
650
651         Reviewed by Gavin Barraclough.
652
653         * dfg/DFGJITCodeGenerator.cpp:
654         (JSC::DFG::JITCodeGenerator::emitCall):
655
656 2011-08-09  Chao-ying Fu  <fu@mips.com>
657
658         Fix one MIPS instruction to call JITStubThunked_##op
659         https://bugs.webkit.org/show_bug.cgi?id=65942
660
661         Reviewed by Gavin Barraclough.
662
663         Changed "bal" to "jalr" for a possible processor mode change from
664         MIPS32 to MIPS16.
665
666         * jit/JITStubs.cpp:
667
668 2011-08-09  Filip Pizlo  <fpizlo@apple.com>
669
670         DFG JIT failure loading web site
671         https://bugs.webkit.org/show_bug.cgi?id=65930
672
673         Reviewed by Oliver Hunt.
674         
675         Put the use() call after the fpr()/gpr() calls, since doing otherwise
676         breaks the register allocator.
677
678         * dfg/DFGNonSpeculativeJIT.cpp:
679         (JSC::DFG::NonSpeculativeJIT::compile):
680
681 2011-08-09  Mark Hahnenberg  <mhahnenberg@apple.com>
682
683         Add ParentClass typedef in all JSC classes
684         https://bugs.webkit.org/show_bug.cgi?id=65731
685
686         Reviewed by Oliver Hunt.
687
688         Just added the Base typedefs in all the classes that are a subclass of JSCell 
689         to point at their parent classes.  This is a change to support future changes to the way
690         constructors and destructors are implemented in JS objects, among other things.
691
692         * API/JSCallbackConstructor.h:
693         * API/JSCallbackFunction.h:
694         * API/JSCallbackObject.h:
695         (JSC::JSCallbackObject::createStructure):
696         (JSC::JSCallbackObject::visitChildren):
697         * API/JSCallbackObjectFunctions.h:
698         (JSC::::asCallbackObject):
699         (JSC::::JSCallbackObject):
700         (JSC::::init):
701         (JSC::::className):
702         (JSC::::getOwnPropertySlot):
703         (JSC::::getOwnPropertyDescriptor):
704         (JSC::::put):
705         (JSC::::deleteProperty):
706         (JSC::::getConstructData):
707         (JSC::::construct):
708         (JSC::::hasInstance):
709         (JSC::::getCallData):
710         (JSC::::call):
711         (JSC::::getOwnPropertyNames):
712         (JSC::::toNumber):
713         (JSC::::toString):
714         (JSC::::setPrivate):
715         (JSC::::getPrivate):
716         (JSC::::inherits):
717         (JSC::::getStaticValue):
718         (JSC::::staticFunctionGetter):
719         (JSC::::callbackGetter):
720         * debugger/DebuggerActivation.h:
721         * jsc.cpp:
722         * runtime/Arguments.h:
723         * runtime/ArrayConstructor.h:
724         * runtime/ArrayPrototype.h:
725         * runtime/BooleanConstructor.h:
726         * runtime/BooleanObject.h:
727         * runtime/BooleanPrototype.h:
728         * runtime/DateConstructor.h:
729         * runtime/DateInstance.h:
730         * runtime/DatePrototype.h:
731         * runtime/Error.cpp:
732         * runtime/ErrorConstructor.h:
733         * runtime/ErrorInstance.h:
734         * runtime/ErrorPrototype.h:
735         * runtime/ExceptionHelpers.cpp:
736         * runtime/Executable.h:
737         * runtime/FunctionConstructor.h:
738         * runtime/FunctionPrototype.h:
739         * runtime/GetterSetter.h:
740         * runtime/InternalFunction.h:
741         * runtime/JSAPIValueWrapper.h:
742         * runtime/JSActivation.h:
743         * runtime/JSArray.h:
744         * runtime/JSFunction.h:
745         * runtime/JSGlobalObject.h:
746         * runtime/JSNotAnObject.h:
747         * runtime/JSONObject.h:
748         * runtime/JSObject.h:
749         * runtime/JSPropertyNameIterator.h:
750         * runtime/JSStaticScopeObject.h:
751         * runtime/JSString.h:
752         * runtime/JSVariableObject.h:
753         * runtime/JSWrapperObject.h:
754         * runtime/MathObject.h:
755         * runtime/NativeErrorConstructor.h:
756         * runtime/NativeErrorPrototype.h:
757         * runtime/NumberConstructor.h:
758         * runtime/NumberObject.h:
759         * runtime/NumberPrototype.h:
760         * runtime/ObjectConstructor.h:
761         * runtime/ObjectPrototype.h:
762         * runtime/RegExp.h:
763         * runtime/RegExpConstructor.h:
764         * runtime/RegExpMatchesArray.h:
765         * runtime/RegExpObject.h:
766         (JSC::RegExpObject::create):
767         * runtime/RegExpPrototype.h:
768         * runtime/ScopeChain.h:
769         * runtime/StrictEvalActivation.h:
770         * runtime/StringConstructor.h:
771         * runtime/StringObject.h:
772         * runtime/StringObjectThatMasqueradesAsUndefined.h:
773         * runtime/StringPrototype.h:
774         * runtime/Structure.h:
775         * runtime/StructureChain.h:
776
777 2011-08-08  Oliver Hunt  <oliver@apple.com>
778
779         Using mprotect to create guard pages breaks our use of madvise to release executable memory
780         https://bugs.webkit.org/show_bug.cgi?id=65870
781
782         Reviewed by Gavin Barraclough.
783
784         Use mmap rather than mprotect to clear guard page permissions.
785
786         * wtf/OSAllocatorPosix.cpp:
787         (WTF::OSAllocator::reserveAndCommit):
788
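As an added example (not WebKit's OSAllocator code), the C program below installs PROT_NONE guard pages around a reservation by remapping each guard page with mmap(MAP_FIXED | MAP_ANONYMOUS), the approach the entry switches to, instead of calling mprotect() on it, and then checks that madvise() on the interior still succeeds with the guards in place. It assumes a Linux/POSIX system and does not reproduce the platform-specific mprotect/madvise interaction the entry reports; it shows only the technique adopted. The pipe-based readability probe and all function names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Probe whether the byte at p is readable without risking a SIGSEGV:
   write(2) into a pipe returns -1/EFAULT when the source is inaccessible.
   Returns 1 (readable), 0 (unreadable) or -1 (probe itself failed). */
int is_readable(const void *p)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    ssize_t n = write(fds[1], p, 1);
    int err = errno;
    close(fds[0]);
    close(fds[1]);
    if (n == 1)
        return 1;
    return (n < 0 && err == EFAULT) ? 0 : -1;
}

/* Reserve `usable` bytes (a page multiple) bracketed by one PROT_NONE guard
   page on each side. Each guard is installed by remapping that page with
   mmap(MAP_FIXED), not by mprotect(). Returns the usable interior or NULL;
   *total receives the size of the whole mapping for later munmap(). */
void *reserve_with_guards(size_t usable, size_t *total)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (usable == 0 || usable % page != 0)
        return NULL;
    *total = usable + 2 * page;
    uint8_t *base = mmap(NULL, *total, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    uint8_t *guards[2] = { base, base + page + usable };
    for (int i = 0; i < 2; i++) {
        void *g = mmap(guards[i], page, PROT_NONE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
        if (g == MAP_FAILED) {
            munmap(base, *total);
            return NULL;
        }
    }
    return base + page;
}

/* Hand the interior's physical pages back to the kernel while keeping the
   address range reserved: the "release" step the entry refers to. */
int release_interior(void *interior, size_t usable)
{
    return madvise(interior, usable, MADV_DONTNEED);
}

/* Full cycle: reserve, use, verify both guards trap, release, reuse.
   Returns 0 on success or a distinct negative code for the failing step. */
int guard_page_demo(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t usable = 4 * page, total = 0;
    uint8_t *interior = reserve_with_guards(usable, &total);
    if (!interior)
        return -1;
    memset(interior, 0xAB, usable);
    if (interior[0] != 0xAB || interior[usable - 1] != 0xAB)
        return -2;
    if (is_readable(interior - 1) != 0 || is_readable(interior + usable) != 0)
        return -3;                     /* a guard page is readable */
    if (is_readable(interior) != 1)
        return -4;
    if (release_interior(interior, usable) != 0)
        return -5;                     /* madvise failed with guards in place */
    interior[0] = 0x01;                /* reservation still usable afterwards */
    if (interior[0] != 0x01)
        return -6;
    munmap(interior - page, total);
    return 0;
}
```

The probe in is_readable is the safe way to confirm a guard page is really inaccessible from a test: touching it directly would deliver SIGSEGV, whereas the kernel's copy from an unmapped or PROT_NONE source fails cleanly with EFAULT.
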
789 2011-08-08  Oliver Hunt  <oliver@apple.com>
790
791         Non-extensibility does not prevent mutating [[Prototype]]
792         https://bugs.webkit.org/show_bug.cgi?id=65832
793
794         Reviewed by Gavin Barraclough.
795
796         Disallow mutation of __proto__ on objects that are not extensible.
797
798         * runtime/JSObject.cpp:
799         (JSC::JSObject::put):
800
801 2011-08-08  Filip Pizlo  <fpizlo@apple.com>
802
803         DFG JIT does not track speculation decisions for global variables
804         https://bugs.webkit.org/show_bug.cgi?id=65825
805
806         Reviewed by Gavin Barraclough.
807         
808         Added the capability to track predictions for global variables, and
809         ensured that code can abstract over the source of prediction (local
810         versus global variable) wherever it is appropriate to do so.  Also
811         cleaned up the code in SpeculativeJIT that decides how to speculate
812         based on recorded predictions (for example instead of using isInteger,
813         which makes sense for local predictions where the GetLocal would
814         return an integer value, we now tend to use shouldSpeculateInteger,
815         which checks if the value is either already an integer or should be
816         speculated to be an integer).
817         
818         This is an 0.8% win on SunSpider, almost entirely thanks to a 25%
819         win on controlflow-recursive.  It's also a 4.8% win on v8-crypto.
820
821         * dfg/DFGByteCodeParser.cpp:
822         (JSC::DFG::ByteCodeParser::predictArray):
823         (JSC::DFG::ByteCodeParser::predictInt32):
824         (JSC::DFG::ByteCodeParser::parseBlock):
825         * dfg/DFGGraph.cpp:
826         (JSC::DFG::Graph::dump):
827         * dfg/DFGGraph.h:
828         (JSC::DFG::Graph::predictGlobalVar):
829         (JSC::DFG::Graph::predict):
830         (JSC::DFG::Graph::getGlobalVarPrediction):
831         (JSC::DFG::Graph::getPrediction):
832         * dfg/DFGSpeculativeJIT.cpp:
833         (JSC::DFG::SpeculativeJIT::compile):
834         * dfg/DFGSpeculativeJIT.h:
835         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
836         (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
837
838 2011-08-07  Martin Robinson  <mrobinson@igalia.com>
839
840         Distribution fix for GTK+.
841
842         * GNUmakefile.list.am: Strip removed files from the source list.
843
844 2011-08-06  Gavin Barraclough  <barraclough@apple.com>
845
846         https://bugs.webkit.org/show_bug.cgi?id=65821
847         Don't form identifiers the first time a string is used as a property name.
848
849         Reviewed by Oliver Hunt.
850
851         This is a 1% win on SunSpider.
852
853         * dfg/DFGOperations.cpp:
854             - Use fastGetOwnProperty.
855         * jit/JITStubs.cpp:
856         (JSC::DEFINE_STUB_FUNCTION):
857             - Use fastGetOwnProperty.
858         * runtime/JSCell.h:
859         * runtime/JSObject.h:
860         (JSC::JSCell::fastGetOwnProperty):
861             - Fast call to get a property without creating an identifier the first time.
862         * runtime/PropertyMapHashTable.h:
863         (JSC::PropertyTable::find):
864         (JSC::PropertyTable::findWithString):
865         - Add interface to look up by either strings or identifiers.
866         * runtime/Structure.h:
867         (JSC::Structure::get):
868             - Add a get() call that takes a UString, not an Identifier.
869         * wtf/text/StringImpl.h:
870         (WTF::StringImpl::hasHash):
871         - Add a call to check if the hash has been set (to detect the first use as a property name).
872
873 2011-08-06  Aron Rosenberg  <arosenberg@logitech.com>
874
875         Reviewed by Benjamin Poulain.
876
877         [Qt] Fix build with Intel compiler on Windows
878         https://bugs.webkit.org/show_bug.cgi?id=65088
879
880         Intel compiler needs .lib suffixes instead of .a
881         Intel compiler doesn't support nullptr
882         Intel compiler supports unsized arrays
883
884         * JavaScriptCore.pri:
885         * jsc.cpp:
886         * wtf/ByteArray.h:
887         * wtf/NullPtr.h:
888
889 2011-08-05  Gavin Barraclough  <barraclough@apple.com>
890
891         String replace with the empty string means string removal
892         https://bugs.webkit.org/show_bug.cgi?id=65799
893
894         Reviewed by Sam Weinig.
895
896         Optimization for String.prototype.replace([RegExp], ""), this improves v8-regexp by ~3%.
897
898         * runtime/StringPrototype.cpp:
899         (JSC::jsSpliceSubstrings):
900         (JSC::stringProtoFuncReplace):
901
902 2011-08-05  Noel Gordon  <noel.gordon@gmail.com>
903
904         [Chromium] Remove JSZombie references from gyp project files.
905         https://bugs.webkit.org/show_bug.cgi?id=65798
906
907         JSC runtime/JSZombie.{cpp,h} were removed in r92046.  Remove references to these
908         file names from the gyp projects.
909
910         Reviewed by Darin Adler.
911
912         * JavaScriptCore.gypi: zombies be gone.
913
914 2011-08-05  Mark Rowe  <mrowe@apple.com>
915
916         <http://webkit.org/b/65785> ThreadRestrictionVerifier needs a mode where an object
917         is tied to a particular dispatch queue
918
919         A RefCounted object can be opted in to this mode by calling setDispatchQueueForVerifier
920         with the dispatch queue it will be tied to. This will cause ThreadRestrictionVerifier
921         to ensure that all operations are performed on the given dispatch queue.
922
923         Reviewed by Anders Carlsson.
924
925         * wtf/RefCounted.h:
926         (WTF::RefCountedBase::setDispatchQueueForVerifier):
927         * wtf/ThreadRestrictionVerifier.h:
928         (WTF::ThreadRestrictionVerifier::ThreadRestrictionVerifier):
929         (WTF::ThreadRestrictionVerifier::~ThreadRestrictionVerifier):
930         (WTF::ThreadRestrictionVerifier::setDispatchQueueMode):
931         (WTF::ThreadRestrictionVerifier::setShared):
932         (WTF::ThreadRestrictionVerifier::isSafeToUse):
933
934 2011-08-05  Oliver Hunt  <oliver@apple.com>
935
936         Inline allocation of function objects
937         https://bugs.webkit.org/show_bug.cgi?id=65779
938
939         Reviewed by Gavin Barraclough.
940
941         Inline allocation and initialisation of function objects
942         in generated code.  This ended up being a 60-70% improvement
943         in function allocation performance.  This improvement shows
944         up as a ~2% improvement in 32bit sunspider and V8, but is a
945         wash on 64-bit.
946
947         We currently don't inline the allocation of named function
948         expressions, as that requires being able to gc allocate a
949         variable object.
950
951         * jit/JIT.cpp:
952         (JSC::JIT::privateCompileSlowCases):
953         * jit/JIT.h:
954         (JSC::JIT::emitStoreCell):
955         * jit/JITInlineMethods.h:
956         (JSC::JIT::emitAllocateBasicJSObject):
957         (JSC::JIT::emitAllocateJSFinalObject):
958         (JSC::JIT::emitAllocateJSFunction):
959         * jit/JITOpcodes.cpp:
960         (JSC::JIT::emit_op_new_func):
961         (JSC::JIT::emitSlow_op_new_func):
962         (JSC::JIT::emit_op_new_func_exp):
963         (JSC::JIT::emitSlow_op_new_func_exp):
964         * jit/JITOpcodes32_64.cpp:
965             Removed duplicate implementation of op_new_func and op_new_func_exp
966         * runtime/JSFunction.h:
967         (JSC::JSFunction::offsetOfScopeChain):
968         (JSC::JSFunction::offsetOfExecutable):
969
970 2011-08-04  David Levin  <levin@chromium.org>
971
972         CStringBuffer should have thread safety checks turned on.
973         https://bugs.webkit.org/show_bug.cgi?id=58093
974
975         Reviewed by Dmitry Titov.
976
977         * wtf/text/CString.h:
978         (WTF::CStringBuffer::CStringBuffer): Removed the ifdef that
979         turned this off for Chromium.
980
981 2011-08-04  Mark Rowe  <mrowe@apple.com>
982
983         Future-proof Xcode configuration settings.
984
985         * Configurations/Base.xcconfig:
986         * Configurations/DebugRelease.xcconfig:
987         * Configurations/JavaScriptCore.xcconfig:
988         * Configurations/Version.xcconfig:
989
990 2011-08-04  Mark Hahnenberg  <mhahnenberg@apple.com>
991
992         Interpreter can potentially GC in the middle of initializing a structure chain
993         https://bugs.webkit.org/show_bug.cgi?id=65638
994
995         Reviewed by Oliver Hunt.
996
997         Moved the allocation of a prototype StructureChain before the initialization of 
998         the structure chain within the interpreter that was causing intermittent GC crashes.
999
1000         * interpreter/Interpreter.cpp:
1001         (JSC::Interpreter::tryCachePutByID):
1002         * wtf/Platform.h:
1003
1004 2011-08-04  Filip Pizlo  <fpizlo@apple.com>
1005
1006         Eval handling attempts literal parsing even when the eval
1007         string is in the cache
1008         https://bugs.webkit.org/show_bug.cgi?id=65675
1009
1010         Reviewed by Oliver Hunt.
1011         
1012         This is a 25% speed-up on date-format-tofte and a 1.5% speed-up overall
1013         in SunSpider.  It's neutral on V8.
1014
1015         * bytecode/EvalCodeCache.h:
1016         (JSC::EvalCodeCache::tryGet):
1017         (JSC::EvalCodeCache::getSlow):
1018         (JSC::EvalCodeCache::get):
1019         * interpreter/Interpreter.cpp:
1020         (JSC::Interpreter::callEval):
1021
1022 2011-08-03  Mark Rowe  <mrowe@apple.com>
1023
1024         Bring some order to FeatureDefines.xcconfig to make it easier to follow.
1025
1026         Reviewed by Sam Weinig.
1027
1028         * Configurations/FeatureDefines.xcconfig:
1029
1030 2011-08-03  Mark Rowe  <mrowe@apple.com>
1031
1032         Clean up FeatureDefines.xcconfig to remove some unnecessary conditional settings
1033
1034         Reviewed by Dave Kilzer.
1035
1036         * Configurations/FeatureDefines.xcconfig:
1037
1038 2011-08-03  Filip Pizlo  <fpizlo@apple.com>
1039
1040         JSC GC heap size improvement breaks build on some platforms due to
1041         unused parameter
1042         https://bugs.webkit.org/show_bug.cgi?id=65641
1043
1044         Reviewed by Darin Adler.
1045         
1046         Fix build on non-x86 platforms, by ensuring that the relevant
1047         parameter always appears to be used even when it isn't.
1048
1049         * heap/Heap.cpp:
1050
1051 2011-08-03  Carlos Garcia Campos  <cgarcia@igalia.com>
1052
1053         [GTK] Reorganize pkg-config files
1054         https://bugs.webkit.org/show_bug.cgi?id=65548
1055
1056         Reviewed by Martin Robinson.
1057
1058         * GNUmakefile.am:
1059         * javascriptcoregtk.pc.in: Renamed from Source/WebKit/gtk/javascriptcoregtk.pc.in.
1060
1061 2011-08-01  David Levin  <levin@chromium.org>
1062
1063         Add asserts to RefCounted to make sure ref/deref happens on the right thread.
1064         https://bugs.webkit.org/show_bug.cgi?id=31639
1065
1066         Reviewed by Dmitry Titov.
1067
1068         * GNUmakefile.list.am: Added new files to the build.
1069         * JavaScriptCore.gypi: Ditto.
1070         * JavaScriptCore.vcproj/WTF/WTF.vcproj: Ditto.
1071         * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
1072         * jit/ExecutableAllocator.h:
1073         (JSC::ExecutablePool::ExecutablePool): Turned off checks for this
1074         due to not being able to figure out what was guarding it (bug 58091).
1075         * parser/SourceProvider.h:
1076         (JSC::SourceProvider::SourceProvider): Ditto.
1077         * wtf/CMakeLists.txt: Added new files to the build.
1078         * wtf/ThreadRestrictionVerifier.h: Added.
1079         Everything is done in the header to avoid the issue with exports
1080         that are only useful in debug but still needing to export them.
1081         * wtf/RefCounted.h:
1082         (WTF::RefCountedBase::ref): Added checks using the non thread safe verifier.
1083         and filed bug 58171 about making it stricter.
1084         (WTF::RefCountedBase::hasOneRef): Ditto.
1085         (WTF::RefCountedBase::refCount): Ditto.
1086         (WTF::RefCountedBase::setMutexForVerifier): Expose a way to change the checks to be based
1087         on a mutex. This is in the header to avoid adding more exports from JavaScriptCore.
1088         (WTF::RefCountedBase::deprecatedTurnOffVerifier): Temporary way to turn off verification.
1089         Filed bug 58174 to remove this method.
1090         (WTF::RefCountedBase::derefBase):
1091         * wtf/SizeLimits.cpp: Adjusted the debug size check for RefCounted.
1092         * wtf/text/CString.h:
1093         (WTF::CStringBuffer::CStringBuffer): Turned off checks for this while a fix is being
1094         done in Chromium (bug 58093).
1095
1096 2011-08-02  Filip Pizlo  <fpizlo@apple.com>
1097
1098         JSC GC may not be able to reuse partially-free blocks after a
1099         full collection
1100         https://bugs.webkit.org/show_bug.cgi?id=65585
1101
1102         Reviewed by Darin Adler.
1103         
1104         This fixes the linked list management bug.  This fix is performance
1105         neutral on SunSpider.
1106
1107         * heap/NewSpace.cpp:
1108         (JSC::NewSpace::removeBlock):
1109
1110 2011-07-30  Oliver Hunt  <oliver@apple.com>
1111
1112         Simplify JSFunction creation for functions written in JS
1113         https://bugs.webkit.org/show_bug.cgi?id=65422
1114
1115         Reviewed by Gavin Barraclough.
1116
1117         Remove hash lookups used to write name property and transition
1118         function structure by caching the resultant structure and property
1119         offset in JSGlobalObject.  This doesn't impact performance, but
1120         we can use this change to make other improvements later.
1121
1122         * runtime/Executable.cpp:
1123         (JSC::FunctionExecutable::FunctionExecutable):
1124         * runtime/Executable.h:
1125         (JSC::ScriptExecutable::ScriptExecutable):
1126         (JSC::FunctionExecutable::jsName):
1127         * runtime/JSFunction.cpp:
1128         (JSC::JSFunction::JSFunction):
1129         * runtime/JSGlobalObject.cpp:
1130         (JSC::JSGlobalObject::reset):
1131         * runtime/JSGlobalObject.h:
1132         (JSC::JSGlobalObject::namedFunctionStructure):
1133         (JSC::JSGlobalObject::functionNameOffset):
1134
1135 2011-08-02  Filip Pizlo  <fpizlo@apple.com>
1136
1137         JSC GC uses dummy cells to avoid having to remember which cells
1138         it has already destroyed
1139         https://bugs.webkit.org/show_bug.cgi?id=65556
1140
1141         Reviewed by Oliver Hunt.
1142         
1143         This gets rid of dummy cells, and ensures that it's not necessary
1144         to invoke a destructor on cells that have already been swept.  In
1145         the common case, a block knows that either all of its free cells
1146         still need to have destructors called, or none of them do, which
1147         minimizes the amount of branching that needs to happen per cell
1148         when performing a sweep.
1149         
1150         This is performance neutral on SunSpider and V8.  It is meant as
1151         a stepping stone to simplify the implementation of more
1152         sophisticated sweeping algorithms.
1153
1154         * heap/Heap.cpp:
1155         (JSC::CountFunctor::ClearMarks::operator()):
1156         * heap/MarkedBlock.cpp:
1157         (JSC::MarkedBlock::initForCellSize):
1158         (JSC::MarkedBlock::callDestructor):
1159         (JSC::MarkedBlock::specializedReset):
1160         (JSC::MarkedBlock::reset):
1161         (JSC::MarkedBlock::specializedSweep):
1162         (JSC::MarkedBlock::sweep):
1163         (JSC::MarkedBlock::produceFreeList):
1164         (JSC::MarkedBlock::lazySweep):
1165         (JSC::MarkedBlock::blessNewBlockForFastPath):
1166         (JSC::MarkedBlock::blessNewBlockForSlowPath):
1167         (JSC::MarkedBlock::canonicalizeBlock):
1168         * heap/MarkedBlock.h:
1169         (JSC::MarkedBlock::FreeCell::setNoObject):
1170         (JSC::MarkedBlock::setDestructorState):
1171         (JSC::MarkedBlock::destructorState):
1172         (JSC::MarkedBlock::notifyMayHaveFreshFreeCells):
1173         * runtime/JSCell.cpp:
1174         * runtime/JSCell.h:
1175         (JSC::JSCell::JSCell::JSCell):
1176         * runtime/JSGlobalData.cpp:
1177         (JSC::JSGlobalData::JSGlobalData):
1178         (JSC::JSGlobalData::clearBuiltinStructures):
1179         * runtime/JSGlobalData.h:
1180         * runtime/Structure.h:
1181
1182 2011-08-01  Michael Saboff  <msaboff@apple.com>
1183
1184         Virtual copying of FastMalloc allocated memory causes madvise MADV_FREE_REUSABLE errors
1185         https://bugs.webkit.org/show_bug.cgi?id=65502
1186
1187         Reviewed by Anders Carlsson.
1188
1189         With the fix of the issues causing madvise MADV_FREE_REUSABLE to fail,
1190         added an assert to the return code of madvise to catch any regressions.
1191
1192         * wtf/TCSystemAlloc.cpp:
1193         (TCMalloc_SystemRelease):
1194
1195 2011-08-02  Anders Carlsson  <andersca@apple.com>
1196
1197         Fix Windows build.
1198
1199         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1200
1201 2011-08-02  Anders Carlsson  <andersca@apple.com>
1202
1203         Fix a Windows build error.
1204
1205         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1206
1207 2011-08-02  Filip Pizlo  <fpizlo@apple.com>
1208
1209         JSC GC is far too conservative about growing the heap size, particularly
1210         on desktop platforms
1211         https://bugs.webkit.org/show_bug.cgi?id=65438
1212
1213         Reviewed by Oliver Hunt.
1214
1215         The minimum heap size is now 16MB instead of 512KB, provided all of the
1216         following are true:
1217         a) ENABLE(LARGE_HEAP) is set, which currently only happens on
1218            x86 targets, but could reasonably happen on any platform that is
1219            known to have a decent amount of RAM.
1220         b) JSGlobalData is initialized with HeapSize = LargeHeap, which
1221            currently only happens when it's the JSDOMWindowBase in WebCore or
1222            in the jsc command-line tool.
1223            
1224         This is a 4.1% speed-up on SunSpider.
1225
1226         * JavaScriptCore.exp:
1227         * heap/Heap.cpp:
1228         (JSC::Heap::Heap):
1229         (JSC::Heap::collect):
1230         * heap/Heap.h:
1231         * jsc.cpp:
1232         (main):
1233         * runtime/JSGlobalData.cpp:
1234         (JSC::JSGlobalData::JSGlobalData):
1235         (JSC::JSGlobalData::createContextGroup):
1236         (JSC::JSGlobalData::create):
1237         (JSC::JSGlobalData::createLeaked):
1238         (JSC::JSGlobalData::sharedInstance):
1239         * runtime/JSGlobalData.h:
1240         * wtf/Platform.h:
1241
1242 2011-08-02  Filip Pizlo  <fpizlo@apple.com>
1243
1244         JSC does a GC even when the heap still has free pages
1245         https://bugs.webkit.org/show_bug.cgi?id=65445
1246
1247         Reviewed by Oliver Hunt.
1248         
1249         If the high watermark is not reached, then we allocate new blocks as
1250         before.  If the current watermark does reach (or exceed) the high
1251         watermark, then we check if there is a block on the free block pool.
1252         If there is, we simply allocate from it.  If there isn't, we
1253         invoke a collection as before.  This effectively couples the elastic
1254         scavenging to the collector's decision function.  That is, if an
1255         application rapidly varies its heap usage (sometimes using more and
1256         sometimes less) then the collector will not thrash as it used to.
1257         But if heap usage drops and stays low then the scavenger thread and
1258         the GC will eventually reach a kind of consensus: the GC will set
1259         the watermark low because of low heap usage, and the scavenger thread
1260         will steadily eliminate pages from the free page pool, until the size
1261         of the free pool is below the high watermark.
1262         
1263         On command-line, this is neutral on SunSpider and Kraken and a 3% win
1264         on V8.  In browser, this is a 1% win on V8 and neutral on the other
1265         two.
1266
1267         * heap/Heap.cpp:
1268         (JSC::Heap::allocateSlowCase):
1269         (JSC::Heap::allocateBlock):
1270         * heap/Heap.h:
1271
1272 2011-08-02  Jeff Miller  <jeffm@apple.com>
1273
1274         Move WTF_USE_AVFOUNDATION from JavaScriptCore/wtf/platform.h to WebCore/config.h
1275         https://bugs.webkit.org/show_bug.cgi?id=65552
1276         
1277         Since this is a WebCore feature, there's no need to define it in JavaScriptCore/wtf/platform.h.
1278
1279         Reviewed by Adam Roben.
1280
1281         * wtf/Platform.h: Removed WTF_USE_AVFOUNDATION.
1282
1283 2011-08-01  Jean-luc Brouillet  <jeanluc@chromium.org>
1284
1285         Removing old source files in gyp files that slow build
1286         https://bugs.webkit.org/show_bug.cgi?id=65503
1287
1288         Reviewed by Adam Barth.
1289
1290         A number of stale files are listed in the gyp files. These slow the
1291         build on Visual Studio 2010. Removing them.
1292
1293         * JavaScriptCore.gypi:
1294
1295 2011-07-14  David Levin  <levin@chromium.org>
1296
1297         currentThread is too slow!
1298         https://bugs.webkit.org/show_bug.cgi?id=64577
1299
1300         Reviewed by Darin Adler and Dmitry Titov.
1301
1302         The problem is that currentThread results in a pthread_once call which always takes a lock.
1303         With this change, currentThread is 10% faster than isMainThread in release mode and only
1304         5% slower than isMainThread in debug.
1305
1306         * wtf/ThreadIdentifierDataPthreads.cpp:
1307         (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
1308         which is no longer needed because this is called from initializeThreading().
1309         (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
1310         initialization of the pthread key should already be done.
1311         (WTF::ThreadIdentifierData::initialize): Ditto.
1312         * wtf/ThreadIdentifierDataPthreads.h:
1313         * wtf/ThreadingPthreads.cpp:
1314         (WTF::initializeThreading): Acquire the pthread key here.
1315
1316 2011-08-01  Filip Pizlo  <fpizlo@apple.com>
1317
1318         DFG JIT sometimes creates speculation check data structures that have
1319         invalid information about the format of a register
1320         https://bugs.webkit.org/show_bug.cgi?id=65490
1321
1322         Reviewed by Gavin Barraclough.
1323         
1324         The code now makes sure to (1) always have correct and up-to-date
1325         information about register format at the time that a speculation
1326         check is emitted, (2) assert that speculation data is correct
1327         inside the speculation check implementation, and (3) avoid creating
1328         speculation data altogether if compilation has already failed, since
1329         at that point the format data is almost guaranteed to be bogus.
1330
1331         * dfg/DFGNonSpeculativeJIT.cpp:
1332         (JSC::DFG::EntryLocation::EntryLocation):
1333         * dfg/DFGSpeculativeJIT.cpp:
1334         (JSC::DFG::SpeculationCheck::SpeculationCheck):
1335         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1336         (JSC::DFG::SpeculativeJIT::compile):
1337         * dfg/DFGSpeculativeJIT.h:
1338         (JSC::DFG::SpeculativeJIT::speculationCheck):
1339
1340 2011-08-01  Filip Pizlo  <fpizlo@apple.com>
1341
1342         REGRESSION(r92092): Build fails on 64 bit
1343         https://bugs.webkit.org/show_bug.cgi?id=65458
1344
1345         Reviewed by Oliver Hunt.
1346         
1347         The build was broken because some compilers were smart enough to see
1348         an array index out of bounds due to the decision function for when to
1349         go from precise size classes to imprecise size classes being broken:
1350         it would assume that sizes in the range 97..128 belonged to a precise
1351         size class when in fact they belonged to an imprecise one.
1352         
1353         In fact, the code would have run correctly, by way of a fluke, because
1354         though the 4th precise size class (for 97..128) didn't exist, the next
1355         array over from m_preciseSizeClasses was m_impreciseSizeClasses, and
1356         its first entry would have been a size class that is appropriate for
1357         allocations in the range 97..128.  However, this relies on specific
1358         ordering of fields in NewSpace, so it's still a bug.
1359         
1360         This fixes the bug by ensuring that allocations larger than 96 use
1361         the imprecise size classes.
1362
1363         * heap/NewSpace.h:
1364         (JSC::NewSpace::sizeClassFor):
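
The boundary bug this entry describes, as an added illustration rather than JavaScriptCore's own code: a model of sizeClassFor() with the broken and the fixed decision function side by side. The 96-byte cutoff, the missing fourth precise class (97..128) and the adjacency of m_preciseSizeClasses and m_impreciseSizeClasses come from the entry; the 32-byte precise step, the 64-byte imprecise step and the count of four imprecise classes are assumptions of the model.

```cpp
// Illustrative model, not JavaScriptCore's code, of the NewSpace size-class
// lookup described in the bug 65458 entry. Assumed layout: precise classes step
// by 32 bytes and cover sizes 1..96 (three classes); everything larger belongs
// to the imprecise classes, which here step by 64 bytes. Sizes must be >= 1.
#include <cstddef>
#include <cstdio>
#include <stdexcept>

namespace model {

constexpr size_t preciseStep = 32;                           // assumed
constexpr size_t preciseCutoff = 96;                         // from the entry: > 96 is imprecise
constexpr size_t preciseCount = preciseCutoff / preciseStep; // 3 classes: 1..32, 33..64, 65..96
constexpr size_t impreciseStep = 2 * preciseStep;            // assumed
constexpr size_t impreciseCount = 4;                         // assumed; covers 97..352

enum Kind { Precise, Imprecise };

struct SizeClass {
    Kind kind;
    size_t index;     // slot in its array
    size_t cellSize;  // bytes each cell of this class provides
};

struct NewSpace {
    // The two arrays are adjacent, as the entry says they were in JSC; that is
    // what let an out-of-bounds precise index "work" by fluke in the real code.
    SizeClass m_preciseSizeClasses[preciseCount];
    SizeClass m_impreciseSizeClasses[impreciseCount];

    NewSpace() {
        for (size_t i = 0; i < preciseCount; ++i)
            m_preciseSizeClasses[i] = { Precise, i, (i + 1) * preciseStep };
        for (size_t i = 0; i < impreciseCount; ++i)
            m_impreciseSizeClasses[i] = { Imprecise, i, preciseCutoff + (i + 1) * impreciseStep };
    }

    const SizeClass& impreciseClassFor(size_t bytes) const {
        size_t index = (bytes - preciseCutoff - 1) / impreciseStep;
        if (index >= impreciseCount)
            throw std::out_of_range("allocation too large for this model");
        return m_impreciseSizeClasses[index];
    }

    // Broken decision function as the entry describes it: sizes 97..128 are
    // still routed to the precise array, yielding index 3 in a 3-element array.
    // The model refuses instead of reading past the end.
    const SizeClass& sizeClassForBuggy(size_t bytes) const {
        if (bytes <= preciseCutoff + preciseStep) {          // one class too far
            size_t index = (bytes - 1) / preciseStep;
            if (index >= preciseCount)
                throw std::out_of_range("precise size class index out of bounds");
            return m_preciseSizeClasses[index];
        }
        return impreciseClassFor(bytes);
    }

    // Fixed decision function: anything above 96 bytes uses the imprecise classes.
    const SizeClass& sizeClassFor(size_t bytes) const {
        if (bytes <= preciseCutoff)
            return m_preciseSizeClasses[(bytes - 1) / preciseStep];
        return impreciseClassFor(bytes);
    }
};

// Plain-valued helpers for checking the two behaviours.
inline bool buggyLookupGoesOutOfBounds(size_t bytes) {
    NewSpace space;
    try { space.sizeClassForBuggy(bytes); } catch (const std::out_of_range&) { return true; }
    return false;
}
inline Kind fixedKindFor(size_t bytes) { NewSpace space; return space.sizeClassFor(bytes).kind; }
inline size_t fixedCellSizeFor(size_t bytes) { NewSpace space; return space.sizeClassFor(bytes).cellSize; }

} // namespace model

int main() {
    const size_t probes[] = { 32, 96, 97, 128, 129 };
    for (size_t bytes : probes) {
        std::printf("%3zu bytes: buggy lookup %s, fixed lookup -> %s class, cell size %zu\n",
                    bytes,
                    model::buggyLookupGoesOutOfBounds(bytes) ? "OUT OF BOUNDS" : "in bounds",
                    model::fixedKindFor(bytes) == model::Precise ? "precise" : "imprecise",
                    model::fixedCellSizeFor(bytes));
    }
    return 0;
}
```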
1365
1366 2011-07-31  Gavin Barraclough  <barraclough@apple.com>
1367
1368         https://bugs.webkit.org/show_bug.cgi?id=64679
1369         Fix bugs in Array.prototype this handling.
1370
1371         Unreviewed - rolling out r91290.
1372
1373         Looks like the wild wild web isn't ready for this yet.
1374
1375         This change broke http://slides.html5rocks.com/#landing-slide.
1376         Interestingly, this might only be due to our lack of bind support -
1377         it looks like this site is calling Array.prototype.slice as a part
1378         of its bind implementation.
1379
1380         * runtime/ArrayPrototype.cpp:
1381         (JSC::arrayProtoFuncJoin):
1382         (JSC::arrayProtoFuncConcat):
1383         (JSC::arrayProtoFuncPop):
1384         (JSC::arrayProtoFuncPush):
1385         (JSC::arrayProtoFuncReverse):
1386         (JSC::arrayProtoFuncShift):
1387         (JSC::arrayProtoFuncSlice):
1388         (JSC::arrayProtoFuncSort):
1389         (JSC::arrayProtoFuncSplice):
1390         (JSC::arrayProtoFuncUnShift):
1391         (JSC::arrayProtoFuncFilter):
1392         (JSC::arrayProtoFuncMap):
1393         (JSC::arrayProtoFuncEvery):
1394         (JSC::arrayProtoFuncForEach):
1395         (JSC::arrayProtoFuncSome):
1396         (JSC::arrayProtoFuncReduce):
1397         (JSC::arrayProtoFuncReduceRight):
1398         (JSC::arrayProtoFuncIndexOf):
1399         (JSC::arrayProtoFuncLastIndexOf):
1400
1401 2011-07-31  Filip Pizlo  <fpizlo@apple.com>
1402
1403         JSC GC lays out size classes under wrong assumptions about expected
1404         object size.
1405         https://bugs.webkit.org/show_bug.cgi?id=65437
1406
1407         Reviewed by Oliver Hunt.
1408         
1409         Changed the atom size - which is both the smallest allocation size and
1410         the smallest possible stepping unit for size class spacing - from
1411         8 bytes to 4 pointer-size words.  This is a 1% win on SunSpider.
1412
1413         * heap/MarkedBlock.h:
1414
1415 2011-07-31  Filip Pizlo  <fpizlo@apple.com>
1416
1417         DFG non-speculative JIT does not optimize PutByVal
1418         https://bugs.webkit.org/show_bug.cgi?id=65424
1419
1420         Reviewed by Gavin Barraclough.
1421         
1422         Added code to emit PutByVal inline fast path.
1423
1424         * dfg/DFGNonSpeculativeJIT.cpp:
1425         (JSC::DFG::NonSpeculativeJIT::compile):
1426
1427 2011-07-31  Filip Pizlo  <fpizlo@apple.com>
1428
1429         The JSC garbage collector returns memory to the operating system too
1430         eagerly.
1431         https://bugs.webkit.org/show_bug.cgi?id=65382
1432
1433         Reviewed by Oliver Hunt.
1434         
1435         This introduces a memory reuse model similar to the one in FastMalloc.
1436         A periodic scavenger thread runs in the background and returns half the
1437         free memory to the OS on each timer fire.  New block allocations first
1438         attempt to get the memory from the collector's internal pool, reverting
1439         to OS allocation only when this pool is empty.
1440
1441         * heap/Heap.cpp:
1442         (JSC::Heap::Heap):
1443         (JSC::Heap::~Heap):
1444         (JSC::Heap::destroy):
1445         (JSC::Heap::waitForRelativeTimeWhileHoldingLock):
1446         (JSC::Heap::waitForRelativeTime):
1447         (JSC::Heap::blockFreeingThreadStartFunc):
1448         (JSC::Heap::blockFreeingThreadMain):
1449         (JSC::Heap::allocateBlock):
1450         (JSC::Heap::freeBlocks):
1451         (JSC::Heap::releaseFreeBlocks):
1452         * heap/Heap.h:
1453         * heap/MarkedBlock.cpp:
1454         (JSC::MarkedBlock::destroy):
1455         (JSC::MarkedBlock::MarkedBlock):
1456         (JSC::MarkedBlock::initForCellSize):
1457         (JSC::MarkedBlock::reset):
1458         * heap/MarkedBlock.h:
1459         * wtf/Platform.h:
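
Added illustration, not JavaScriptCore's code: a block-count model of the allocation decision from the bug 65445 entry earlier in this log (take a pooled free block before collecting once the high watermark is reached) together with the scavenger from the entry above (return half the free pool to the OS on each timer fire). Assumptions of the model: the high watermark is a fixed block count, a collection sweeps every dropped block into the pool, and the pre-65445 policy is modelled as "always collect when the watermark is reached".

```cpp
// Illustrative model, not JavaScriptCore's code. Block counts stand in for
// bytes, the high watermark is held constant (the real collector adjusts it),
// and collect() reclaims every dropped block (a real sweep frees only unmarked
// cells). The two policies differ only in when a collection is triggered.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

namespace model {

struct Block { size_t id; };

class Heap {
public:
    // reuseFreeBlocks=false models the pre-65445 behaviour: reaching the
    // watermark always triggers a collection, even when the pool has blocks.
    Heap(size_t highWatermark, bool reuseFreeBlocks)
        : m_highWatermark(highWatermark), m_reuseFreeBlocks(reuseFreeBlocks) {}

    // Decision function from the bug 65445 entry.
    Block* allocateBlock() {
        bool watermarkReached = committedBlocks() >= m_highWatermark;
        if (watermarkReached && (!m_reuseFreeBlocks || m_freeBlocks.empty()))
            collect();                           // pool empty (or old policy): collect as before
        // Below the watermark, or the pool can satisfy us: pooled block first,
        // OS allocation only when the pool is empty (bug 65382 behaviour).
        std::unique_ptr<Block> block;
        if (!m_freeBlocks.empty()) {
            block = std::move(m_freeBlocks.back());
            m_freeBlocks.pop_back();
        } else {
            block.reset(new Block{ m_nextId++ });  // stand-in for an OS mmap
            ++m_osAllocations;
        }
        Block* raw = block.get();
        m_liveBlocks.push_back(std::move(block));
        return raw;
    }

    // The program drops its last 'count' live blocks; they are garbage until
    // the next collection moves them into the free pool.
    void release(size_t count) {
        for (size_t i = 0; i < count && !m_liveBlocks.empty(); ++i) {
            m_garbageBlocks.push_back(std::move(m_liveBlocks.back()));
            m_liveBlocks.pop_back();
        }
    }

    // Simplified collection: every garbage block is swept into the free pool.
    void collect() {
        ++m_collections;
        for (auto& block : m_garbageBlocks)
            m_freeBlocks.push_back(std::move(block));
        m_garbageBlocks.clear();
    }

    // One scavenger timer fire: return half of the free pool (rounded up) to the OS.
    size_t scavengerTick() {
        size_t toRelease = (m_freeBlocks.size() + 1) / 2;
        for (size_t i = 0; i < toRelease; ++i)
            m_freeBlocks.pop_back();             // unique_ptr frees it: stand-in for munmap
        m_releasedToOS += toRelease;
        return toRelease;
    }

    size_t committedBlocks() const { return m_liveBlocks.size() + m_garbageBlocks.size(); }
    size_t freePoolSize() const { return m_freeBlocks.size(); }
    size_t collections() const { return m_collections; }
    size_t osAllocations() const { return m_osAllocations; }
    size_t releasedToOS() const { return m_releasedToOS; }

private:
    std::vector<std::unique_ptr<Block>> m_liveBlocks, m_garbageBlocks, m_freeBlocks;
    size_t m_highWatermark;
    bool m_reuseFreeBlocks;
    size_t m_nextId = 0, m_collections = 0, m_osAllocations = 0, m_releasedToOS = 0;
};

// Spiky workload: three rounds of allocating 6 blocks and dropping 4, against a
// high watermark of 4 blocks. Returns how many collections the policy provoked.
inline size_t collectionsForSpikyWorkload(bool reuseFreeBlocks) {
    Heap heap(4, reuseFreeBlocks);
    for (int round = 0; round < 3; ++round) {
        for (int i = 0; i < 6; ++i) heap.allocateBlock();
        heap.release(4);
    }
    return heap.collections();
}

// Scavenger ticks needed to drain a free pool holding 'blocks' blocks.
inline size_t ticksToDrainPool(size_t blocks) {
    Heap heap(blocks + 1, true);                 // watermark high enough that nothing collects
    for (size_t i = 0; i < blocks; ++i) heap.allocateBlock();
    heap.release(blocks);
    heap.collect();                              // every block now sits in the free pool
    size_t ticks = 0;
    while (heap.freePoolSize()) { heap.scavengerTick(); ++ticks; }
    return ticks;
}

} // namespace model

int main() {
    std::printf("collections, always collect at watermark: %zu\n", model::collectionsForSpikyWorkload(false));
    std::printf("collections, reuse pooled blocks first:   %zu\n", model::collectionsForSpikyWorkload(true));
    std::printf("scavenger ticks to drain a pool of 8:     %zu\n", model::ticksToDrainPool(8));
    return 0;
}
```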
1460
1461 2011-07-30  Filip Pizlo  <fpizlo@apple.com>
1462
1463         DFG JIT speculation failure pass sometimes forgets to emit code to
1464         move certain registers.
1465         https://bugs.webkit.org/show_bug.cgi?id=65421
1466
1467         Reviewed by Oliver Hunt.
1468         
1469         Restructured the offending loops (for gprs and fprs).  It's once again
1470         possible to use spreadsheets on docs.google.com.
1471
1472         * dfg/DFGJITCompiler.cpp:
1473         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
1474
1475 2011-07-30  Patrick Gansterer  <paroga@webkit.org>
1476
1477         Remove inclusion of MainThread.h from Threading.h
1478         https://bugs.webkit.org/show_bug.cgi?id=65081
1479
1480         Reviewed by Darin Adler.
1481
1482         Add missing and remove unneeded include statements for MainThread.
1483
1484         * wtf/CryptographicallyRandomNumber.cpp:
1485         * wtf/Threading.h:
1486         * wtf/ThreadingPthreads.cpp:
1487         * wtf/text/StringStatics.cpp:
1488
1489 2011-07-30  Oliver Hunt  <oliver@apple.com>
1490
1491         Reduce the size of JSGlobalObject slightly
1492         https://bugs.webkit.org/show_bug.cgi?id=65417
1493
1494         Reviewed by Dan Bernstein.
1495
1496         Push a few members that either aren't commonly used,
1497         or aren't frequently accessed into a separate struct.
1498
1499         * runtime/JSGlobalObject.cpp:
1500         (JSC::JSGlobalObject::init):
1501         (JSC::JSGlobalObject::WeakMapsFinalizer::finalize):
1502         * runtime/JSGlobalObject.h:
1503         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1504         (JSC::JSGlobalObject::createRareDataIfNeeded):
1505         (JSC::JSGlobalObject::setProfileGroup):
1506         (JSC::JSGlobalObject::profileGroup):
1507         (JSC::JSGlobalObject::registerWeakMap):
1508         (JSC::JSGlobalObject::deregisterWeakMap):
1509
1510 2011-07-30  Balazs Kelemen  <kbalazs@webkit.org>
1511
1512         MessageQueue::waitForMessageFilteredWithTimeout can trigger an assertion
1513         https://bugs.webkit.org/show_bug.cgi?id=65263
1514
1515         Reviewed by Dmitry Titov.
1516
1517         * wtf/Deque.h:
1518         (WTF::::operator): Don't check the validity of an iterator
1519         that will be reassigned right now.
1520         * wtf/MessageQueue.h:
1521         (WTF::::removeIf): Revert r51198 as I believe this is the better
1522         solution for the problem that was solved by that.
1523
1524 2011-07-29  Filip Pizlo  <fpizlo@apple.com>
1525
1526         JSC GC zombie support no longer works, and is likely no longer needed.
1527         https://bugs.webkit.org/show_bug.cgi?id=65404
1528
1529         Reviewed by Darin Adler.
1530         
1531         This removes zombies, because they no longer work, are not tested, are
1532         probably not needed, and are getting in the way of GC optimization
1533         work.
1534
1535         * JavaScriptCore.xcodeproj/project.pbxproj:
1536         * heap/Handle.h:
1537         (JSC::HandleConverter::operator->):
1538         (JSC::HandleConverter::operator*):
1539         * heap/HandleHeap.cpp:
1540         (JSC::HandleHeap::isValidWeakNode):
1541         * heap/Heap.cpp:
1542         (JSC::Heap::destroy):
1543         (JSC::Heap::collect):
1544         * heap/MarkedBlock.cpp:
1545         (JSC::MarkedBlock::sweep):
1546         * heap/MarkedBlock.h:
1547         (JSC::MarkedBlock::clearMarks):
1548         * interpreter/Register.h:
1549         (JSC::Register::Register):
1550         (JSC::Register::operator=):
1551         * runtime/ArgList.h:
1552         (JSC::MarkedArgumentBuffer::append):
1553         (JSC::ArgList::ArgList):
1554         * runtime/JSCell.cpp:
1555         (JSC::isZombie):
1556         * runtime/JSCell.h:
1557         * runtime/JSGlobalData.cpp:
1558         (JSC::JSGlobalData::JSGlobalData):
1559         (JSC::JSGlobalData::clearBuiltinStructures):
1560         * runtime/JSGlobalData.h:
1561         * runtime/JSValue.h:
1562         * runtime/JSValueInlineMethods.h:
1563         (JSC::JSValue::JSValue):
1564         * runtime/JSZombie.cpp: Removed.
1565         * runtime/JSZombie.h: Removed.
1566         * runtime/WriteBarrier.h:
1567         (JSC::WriteBarrierBase::setEarlyValue):
1568         (JSC::WriteBarrierBase::operator*):
1569         (JSC::WriteBarrierBase::setWithoutWriteBarrier):
1570         * wtf/Platform.h:
1571
1572 2011-07-29  Filip Pizlo  <fpizlo@apple.com>
1573
1574         DFG JIT verbose mode provides no details about predictions
1575         https://bugs.webkit.org/show_bug.cgi?id=65389
1576
1577         Reviewed by Darin Adler.
1578         
1579         Added a print-out of the predictions to the IR dump, with names as follows:
1580         "p-bottom" = the parser made no predictions
1581         "p-int32" = the parser predicted int32
1582         ... (same for array, cell, double, number)
1583         "p-top" = the parser made conflicting predictions which will be ignored.
1584
1585         * dfg/DFGGraph.cpp:
1586         (JSC::DFG::Graph::dump):
1587         * dfg/DFGGraph.h:
1588         (JSC::DFG::predictionToString):
1589
1590 2011-07-29  Filip Pizlo  <fpizlo@apple.com>
1591
1592         DFG JIT does not have any way of undoing double speculation.
1593         https://bugs.webkit.org/show_bug.cgi?id=65334
1594
1595         Reviewed by Gavin Barraclough.
1596         
1597         This adds code to do a branchConvertDoubleToInt on speculation failure.
1598         This is performance-neutral on most benchmarks but does result in
1599         a slight improvement in Kraken.
1600
1601         * dfg/DFGJITCompiler.cpp:
1602         (JSC::DFG::GeneralizedRegister::moveTo):
1603         (JSC::DFG::GeneralizedRegister::swapWith):
1604         (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
1605         (JSC::DFG::ShuffledRegister::handleCyclingPermutation):
1606         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
1607
1608 2011-07-29  Filip Pizlo  <fpizlo@apple.com>
1609
1610         Crash when opening docs.google.com
1611         https://bugs.webkit.org/show_bug.cgi?id=65327
1612
1613         Reviewed by Gavin Barraclough.
1614         
1615         The speculative JIT was only checking whether a value is an array when
1616         we had already checked that it was, rather than when we hadn't.
1617
1618         * dfg/DFGSpeculativeJIT.cpp:
1619         (JSC::DFG::SpeculativeJIT::compile):
1620
1621 2011-07-28  Oliver Hunt  <oliver@apple.com>
1622
1623         *_list instructions are only used in one place, where the code is wrong.
1624         https://bugs.webkit.org/show_bug.cgi?id=65348
1625
1626         Reviewed by Darin Adler.
1627
1628         Simply remove the instructions and all users.  Speeds up the interpreter
1629         slightly due to code motion, but otherwise has no effect (because none
1630         of the _list instructions are ever used).
1631
1632         * bytecode/CodeBlock.cpp:
1633         (JSC::isPropertyAccess):
1634         (JSC::CodeBlock::dump):
1635         (JSC::CodeBlock::visitStructures):
1636         * bytecode/Instruction.h:
1637         * bytecode/Opcode.h:
1638         * interpreter/Interpreter.cpp:
1639         (JSC::Interpreter::privateExecute):
1640         * jit/JIT.cpp:
1641         (JSC::JIT::privateCompileMainPass):
1642
1643 2011-07-28  Gavin Barraclough  <barraclough@apple.com>
1644
1645         https://bugs.webkit.org/show_bug.cgi?id=65325
1646         Performance tweak to parseInt
1647
1648         Reviewed by Oliver Hunt.
1649
1650         * runtime/JSGlobalObjectFunctions.cpp:
1651         (JSC::globalFuncParseInt):
1652             - This change may make an existing optimization redundant,
1653               cleanup from Darin's comments, plus fix existing bugs.
1654
1655 2011-07-28  Gavin Barraclough  <barraclough@apple.com>
1656
1657         https://bugs.webkit.org/show_bug.cgi?id=65325
1658         Performance tweak to parseInt
1659
1660         Reviewed by Oliver Hunt.
1661
1662         * runtime/JSGlobalObjectFunctions.cpp:
1663         (JSC::globalFuncParseInt):
1664             - parseInt applied to small positive numbers = floor.
1665
1666 2011-07-28  Dan Bernstein  <mitz@apple.com>
1667
1668         Build fix.
1669
1670         * runtime/Executable.cpp:
1671         (JSC::FunctionExecutable::compileForCallInternal):
1672
1673 2011-07-28  Kent Tamura  <tkent@chromium.org>
1674
1675         Improve StringImpl::stripWhiteSpace() and simplifyWhiteSpace().
1676         https://bugs.webkit.org/show_bug.cgi?id=65300
1677
1678         Reviewed by Darin Adler.
1679
1680         r91837 introduced a performance regression in StringImpl::stripWhiteSpace()
1681         and simplifyWhiteSpace(). This changes the code so that compilers
1682         generate code equivalent to r91836 or prior.
1683
1684         * wtf/text/StringImpl.cpp:
1685         (WTF::StringImpl::stripMatchedCharacters):
1686         A template member function for stripWhiteSpace(). This function takes a functor.
1687         (WTF::UCharPredicate):
1688         A functor for generic predicate for single UChar argument.
1689         (WTF::SpaceOrNewlinePredicate):
1690         A special functor for isSpaceOrNewline().
1691         (WTF::StringImpl::stripWhiteSpace):
1692         Use stripMatchedCharacters().
1693         (WTF::StringImpl::simplifyMatchedCharactersToSpace):
1694         A template member function for simplifyWhiteSpace().
1695         (WTF::StringImpl::simplifyWhiteSpace):
1696         Use simplifyMatchedCharactersToSpace().
1697         * wtf/text/StringImpl.h:
1698
1699 2011-07-27  Dmitry Lomov  <dslomov@google.com>
1700
1701         [chromium] Turn on WTF_MULTIPLE_THREADS.
1702         https://bugs.webkit.org/show_bug.cgi?id=61017
1703         The patch turns on WTF_MULTIPLE_THREADS in chromium and 
1704         pushes some relevant initializations from JSC::initializeThreading
1705         to WTF::initializeThreading.
1706
1707         Reviewed by David Levin.
1708
1709         * runtime/InitializeThreading.cpp:
1710         (JSC::initializeThreadingOnce):
1711         * wtf/FastMalloc.cpp:
1712         (WTF::isForbidden):
1713         (WTF::fastMallocForbid):
1714         (WTF::fastMallocAllow):
1715         * wtf/Platform.h:
1716         * wtf/ThreadingPthreads.cpp:
1717         (WTF::initializeThreading):
1718         * wtf/ThreadingWin.cpp:
1719         (WTF::initializeThreading):
1720         * wtf/gtk/ThreadingGtk.cpp:
1721         (WTF::initializeThreading):
1722         * wtf/qt/ThreadingQt.cpp:
1723         (WTF::initializeThreading):
1724
1725 2011-07-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1726
1727         Remove operator new from JSCell
1728         https://bugs.webkit.org/show_bug.cgi?id=64999
1729
1730         Reviewed by Oliver Hunt.
1731
1732         Removed the implementation of operator new in JSCell, so any further uses
1733         will not successfully link.  Also removed any remaining uses of operator new.
1734
1735         * API/JSContextRef.cpp:
1736         * debugger/DebuggerActivation.h:
1737         (JSC::DebuggerActivation::create):
1738         * interpreter/Interpreter.cpp:
1739         (JSC::Interpreter::execute):
1740         (JSC::Interpreter::createExceptionScope):
1741         (JSC::Interpreter::privateExecute):
1742         * jit/JITStubs.cpp:
1743         (JSC::DEFINE_STUB_FUNCTION):
1744         * runtime/JSCell.h:
1745         * runtime/JSGlobalObject.h:
1746         (JSC::JSGlobalObject::create):
1747         * runtime/JSStaticScopeObject.h:
1748         (JSC::JSStaticScopeObject::create):
1749         (JSC::JSStaticScopeObject::JSStaticScopeObject):
1750         * runtime/StrictEvalActivation.h:
1751         (JSC::StrictEvalActivation::create):
1752
1753 2011-07-27  Filip Pizlo  <fpizlo@apple.com>
1754
1755         DFG graph has no notion of double prediction.
1756         https://bugs.webkit.org/show_bug.cgi?id=65234
1757
1758         Reviewed by Gavin Barraclough.
1759         
1760         Added the notion of PredictDouble, and PredictNumber, which is the least
1761         upper bound of PredictInt32 and PredictDouble.  Least upper bound is
1762         defined as the bitwise-or of two predictions.  Bottom is defined as 0,
1763         and Top is defined as all bits being set.  Added the ability to explicitly
1764         distinguish between a node having had a prediction associated with it,
1765         and that prediction still being valid (i.e. no conflicting predictions
1766         have also been added).  Used this to guard the speculative JIT from
1767         speculating Int32 in cases where the graph knows that the value is
1768         double, which currently only happens for GetLocal nodes on arguments
1769         which were double at compile-time.
1770
1771         * dfg/DFGGraph.cpp:
1772         (JSC::DFG::Graph::predictArgumentTypes):
1773         * dfg/DFGGraph.h:
1774         (JSC::DFG::isCellPrediction):
1775         (JSC::DFG::isArrayPrediction):
1776         (JSC::DFG::isInt32Prediction):
1777         (JSC::DFG::isDoublePrediction):
1778         (JSC::DFG::isNumberPrediction):
1779         * dfg/DFGSpeculativeJIT.cpp:
1780         (JSC::DFG::SpeculativeJIT::compile):
1781         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1782         (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
1783         * dfg/DFGSpeculativeJIT.h:
1784         (JSC::DFG::SpeculativeJIT::isRegisterDataFormatDouble):
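
The two Filip Pizlo entries above (the 2011-07-29 verbose-mode naming and the 2011-07-27 lattice) describe the same small structure: bottom is 0, the least upper bound of two predictions is their bitwise-or, and top is all bits set. The following is an added example written by the editor, not code from JavaScriptCore. The enumerator names (PredictNone, PredictCellOther, PredictTop), the Node/predict/shouldSpeculateInteger helpers and the rule that predictionToString reports any bit pattern no single predicate accepts as "p-top" are assumptions made for the illustration.

```cpp
// Added example (editor's illustration, not code from JavaScriptCore): a toy model of
// the prediction lattice the two DFG entries above describe. The enumerator and
// function names below are assumed for the illustration and need not match JSC's.
#include <cstdint>
#include <cstdio>
#include <string>

typedef uint8_t PredictedType;

enum : PredictedType {
    PredictNone      = 0,                               // bottom: nothing predicted yet
    PredictInt32     = 1 << 0,
    PredictDouble    = 1 << 1,
    PredictNumber    = PredictInt32 | PredictDouble,    // LUB of int32 and double
    PredictArray     = 1 << 2,
    PredictCellOther = 1 << 3,                          // assumed: a cell that is not an array
    PredictCell      = PredictArray | PredictCellOther,
    PredictTop       = 0xFF                             // all bits set: conflicting predictions
};

// Least upper bound of two predictions is their bitwise-or.
inline PredictedType mergePrediction(PredictedType a, PredictedType b) { return a | b; }

// A prediction "is X" only when every bit it carries lies inside X (and it is not bottom).
inline bool isInt32Prediction(PredictedType p)  { return p == PredictInt32; }
inline bool isDoublePrediction(PredictedType p) { return p == PredictDouble; }
inline bool isNumberPrediction(PredictedType p) { return p && !(p & ~PredictNumber); }
inline bool isArrayPrediction(PredictedType p)  { return p == PredictArray; }
inline bool isCellPrediction(PredictedType p)   { return p && !(p & ~PredictCell); }

// Names in the style of the IR dump. Exact lattice points get a name; a merge that
// no single predicate accepts is reported as "p-top" (an assumption of this model).
std::string predictionToString(PredictedType p)
{
    if (p == PredictNone) return "p-bottom";
    if (isInt32Prediction(p)) return "p-int32";
    if (isDoublePrediction(p)) return "p-double";
    if (p == PredictNumber) return "p-number";
    if (isArrayPrediction(p)) return "p-array";
    if (p == PredictCell) return "p-cell";
    return "p-top";
}

// A node records both whether anything was ever predicted for it and the merged
// prediction; int32 speculation is only allowed while the merge is still exactly int32.
struct Node {
    PredictedType prediction = PredictNone;
    bool hasPrediction = false;
};

void predict(Node& node, PredictedType type)
{
    node.prediction = mergePrediction(node.prediction, type);
    node.hasPrediction = true;
}

bool shouldSpeculateInteger(const Node& node)
{
    return node.hasPrediction && isInt32Prediction(node.prediction);
}

// Scenario from the entry: an argument seen as int32 and later as double must stop
// being speculated as int32, and its merged prediction must now read as "number".
bool conflictingPredictionDisablesInt32Speculation()
{
    Node node;
    predict(node, PredictInt32);
    bool speculatedAtFirst = shouldSpeculateInteger(node);
    predict(node, PredictDouble);
    return speculatedAtFirst && !shouldSpeculateInteger(node) && isNumberPrediction(node.prediction);
}

int main()
{
    Node argument;
    predict(argument, PredictInt32);
    std::printf("%s speculate=%d\n", predictionToString(argument.prediction).c_str(), shouldSpeculateInteger(argument));
    predict(argument, PredictDouble);
    std::printf("%s speculate=%d\n", predictionToString(argument.prediction).c_str(), shouldSpeculateInteger(argument));
    std::printf("conflict handled: %d\n", conflictingPredictionDisablesInt32Speculation());
    return 0;
}
```

The check that matters for the speculative JIT is the last function: a node that was once int32 but has since merged in a double must fall out of shouldSpeculateInteger, which happens automatically because the merged value is no longer equal to PredictInt32.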
1785
1786 2011-07-27  Gavin Barraclough  <barraclough@apple.com>
1787
1788         https://bugs.webkit.org/show_bug.cgi?id=65294
1789         DFG JIT - may speculate based on wrong arguments.
1790
1791         Reviewed by Oliver Hunt
1792
1793         In the case of a DFG compiled function calling to and compiling a second function that
1794         also compiles through the DFG JIT (i.e. compilation triggered with DFGOperations.cpp),
1795         we call compileFor passing the caller function's exec state, rather than the callee's.
1796         This may lead to mis-optimization, since the DFG compiler will examine the exec state's
1797         arguments on the assumption that these will be passed to the callee - it is wanting the
1798         callee exec state, not the caller's exec state.
1799
1800         Fixing this for all cases of compilation is tricksy, due to the way the numeric sort
1801         function is compiled, & the structure of the calls in the Interpreter::execute methods.
1802         Only fix for compilation from the JIT, in other calls don't speculate based on arguments
1803         for now.
1804
1805         * dfg/DFGOperations.cpp:
1806         * runtime/Executable.cpp:
1807         (JSC::tryDFGCompile):
1808         (JSC::tryDFGCompileFunction):
1809         (JSC::FunctionExecutable::compileForCallInternal):
1810         * runtime/Executable.h:
1811         (JSC::FunctionExecutable::compileForCall):
1812         (JSC::FunctionExecutable::compileFor):
1813
1814 2011-07-27  Oliver Hunt  <oliver@apple.com>
1815
1816         Handle callback oriented JSONP
1817         https://bugs.webkit.org/show_bug.cgi?id=65271
1818
1819         Reviewed by Gavin Barraclough.
1820
1821         Handle the callback oriented versions of JSONP.  The Literal parser
1822         now handles <Identifier> (. <Identifier>)* (jsonData).
1823
1824         * interpreter/Interpreter.cpp:
1825         (JSC::Interpreter::execute):
1826         * runtime/LiteralParser.cpp:
1827         (JSC::LiteralParser::tryJSONPParse):
1828         (JSC::LiteralParser::Lexer::lex):
1829         * runtime/LiteralParser.h:
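
A recogniser for the grammar quoted in the entry above, added by the editor; it is not the LiteralParser code itself. Assumptions made here: ASCII identifier characters, no whitespace inside the dotted path, an optional trailing ';', and the JSON payload is only delimited (strings with escapes, balanced brackets, bare tokens), not validated, so a real implementation still has to run the JSON grammar over it. The property worth checking in such a fast path is that nothing beyond the grammar is accepted, which the second constructed sample exercises.

```cpp
// Added example (editor's illustration, not JavaScriptCore code): a recogniser for the
// JSONP shape <Identifier> (. <Identifier>)* ( <json> ) named above. Assumptions made
// here: ASCII identifiers, no whitespace inside the dotted path, an optional trailing
// ';', and the JSON payload is only delimited, not validated.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

struct JSONPResult {
    bool ok = false;
    std::vector<std::string> callbackPath;   // {"foo", "bar"} for foo.bar(...)
    std::string json;                        // the argument text, still unparsed
};

static bool isIdentStart(char c) { return std::isalpha(static_cast<unsigned char>(c)) || c == '_' || c == '$'; }
static bool isIdentPart(char c)  { return isIdentStart(c) || std::isdigit(static_cast<unsigned char>(c)); }

static size_t skipSpace(const std::string& s, size_t i)
{
    while (i < s.size() && std::isspace(static_cast<unsigned char>(s[i])))
        ++i;
    return i;
}

// s[i] is an opening quote; returns the index just past the closing quote.
static size_t skipString(const std::string& s, size_t i)
{
    for (++i; i < s.size(); ++i) {
        if (s[i] == '\\') { ++i; continue; }         // escaped character, including \"
        if (s[i] == '"') return i + 1;
    }
    return std::string::npos;                        // unterminated string
}

// Returns the index just past one JSON value: a string, a balanced [...] / {...}
// with embedded strings skipped properly, or a bare token such as 42, true, null.
static size_t skipJSONValue(const std::string& s, size_t i)
{
    if (i >= s.size())
        return std::string::npos;
    if (s[i] == '"')
        return skipString(s, i);
    if (s[i] == '[' || s[i] == '{') {
        int depth = 0;
        while (i < s.size()) {
            char c = s[i];
            if (c == '"') {
                i = skipString(s, i);
                if (i == std::string::npos) return i;
                continue;
            }
            if (c == '[' || c == '{') ++depth;
            else if ((c == ']' || c == '}') && --depth == 0) return i + 1;
            ++i;
        }
        return std::string::npos;                    // brackets never closed
    }
    size_t start = i;
    while (i < s.size() && (std::isalnum(static_cast<unsigned char>(s[i])) || s[i] == '-' || s[i] == '+' || s[i] == '.'))
        ++i;
    return i == start ? std::string::npos : i;
}

JSONPResult tryJSONPParse(const std::string& s)
{
    JSONPResult r;
    size_t i = skipSpace(s, 0);
    for (;;) {                                       // Identifier ( . Identifier )*
        if (i >= s.size() || !isIdentStart(s[i]))
            return r;
        size_t start = i;
        while (i < s.size() && isIdentPart(s[i]))
            ++i;
        r.callbackPath.push_back(s.substr(start, i - start));
        if (i < s.size() && s[i] == '.') { ++i; continue; }
        break;
    }
    i = skipSpace(s, i);
    if (i >= s.size() || s[i] != '(')
        return r;
    size_t jsonStart = skipSpace(s, i + 1);
    size_t jsonEnd = skipJSONValue(s, jsonStart);
    if (jsonEnd == std::string::npos)
        return r;
    i = skipSpace(s, jsonEnd);
    if (i >= s.size() || s[i] != ')')
        return r;
    i = skipSpace(s, i + 1);
    if (i < s.size() && s[i] == ';')                 // optional terminator (assumed)
        i = skipSpace(s, i + 1);
    if (i != s.size())                               // anything after the call is not JSONP
        return r;
    r.json = s.substr(jsonStart, jsonEnd - jsonStart);
    r.ok = true;
    return r;
}

int main()
{
    // Constructed inputs: one valid callback form, one with code appended after it.
    const char* samples[] = { "foo.bar.baz({\"a\":[1,2,\")\"]});", "cb({\"a\":1}); alert(1)" };
    for (const char* sample : samples) {
        JSONPResult r = tryJSONPParse(sample);
        std::printf("%-40s -> %s %s\n", sample, r.ok ? "ok" : "rejected", r.json.c_str());
    }
    return 0;
}
```

The returned json span is what a caller would hand to the JSON parser proper; the recogniser deliberately rejects a second parenthesised call, trailing statements, and unterminated strings rather than trying to make sense of them.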
1830
1831 2011-07-27  Stephanie Lewis  <slewis@apple.com>
1832
1833         Revert http://trac.webkit.org/changeset/90415.
1834         Caused a 5% sunspider regression in-browser.
1835
1836         Unreviewed rollout.
1837
1838         * bytecode/CodeBlock.cpp:
1839         (JSC::CodeBlock::visitAggregate):
1840         * heap/Heap.cpp:
1841         (JSC::Heap::collectAllGarbage):
1842         * heap/MarkStack.h:
1843         (JSC::MarkStack::MarkStack):
1844         * runtime/JSGlobalData.cpp:
1845         (JSC::JSGlobalData::releaseExecutableMemory):
1846         * runtime/RegExp.cpp:
1847         (JSC::RegExp::compile):
1848         (JSC::RegExp::invalidateCode):
1849         * runtime/RegExp.h:
1850
1851 2011-07-27  Shinya Kawanaka  <shinyak@google.com>
1852
1853         Added an interface to take IsWhiteSpaceFunctionPtr.
1854         https://bugs.webkit.org/show_bug.cgi?id=57746
1855
1856         Reviewed by Kent Tamura.
1857
1858         * wtf/text/StringImpl.cpp:
1859         (WTF::StringImpl::stripWhiteSpace):
1860           Added an interface to take IsWhiteSpaceFunctionPtr.
1861         (WTF::StringImpl::simplifyWhiteSpace): ditto.
1862         * wtf/text/StringImpl.h:
1863         * wtf/text/WTFString.cpp:
1864         (WTF::String::stripWhiteSpace): ditto.
1865         (WTF::String::simplifyWhiteSpace): ditto.
1866         * wtf/text/WTFString.h:
1867
1868 2011-07-27  Filip Pizlo  <fpizlo@apple.com>
1869
1870         DFG JIT speculation failure code performs incorrect conversions in
1871         the case where two registers need to be swapped.
1872         https://bugs.webkit.org/show_bug.cgi?id=65233
1873
1874         Reviewed by Gavin Barraclough.
1875         
1876         * dfg/DFGJITCompiler.cpp:
1877         (JSC::DFG::GeneralizedRegister::swapWith):
1878
1879 2011-07-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1880
1881         reduce and reduceRight bind callback's this to null rather than undefined
1882         https://bugs.webkit.org/show_bug.cgi?id=62264
1883
1884         Reviewed by Oliver Hunt.
1885
1886         Fixed Array.prototype.reduce and Array.prototype.reduceRight so that they behave correctly
1887         when calling the callback function without an argument for this, which means it should 
1888         be undefined according to ES 15.4.4.21 and 15.4.4.22.
1889
1890         * runtime/ArrayPrototype.cpp:
1891         (JSC::arrayProtoFuncReduce):
1892         (JSC::arrayProtoFuncReduceRight):
1893
1894 2011-07-26  Filip Pizlo  <fpizlo@apple.com>
1895
1896         JSC command-line tool does not come with any facility for
1897         measuring time precisely.
1898         https://bugs.webkit.org/show_bug.cgi?id=65223
1899
1900         Reviewed by Gavin Barraclough.
1901         
1902         Exposed WTF::currentTime() as currentTimePrecise().
1903
1904         * jsc.cpp:
1905         (GlobalObject::GlobalObject):
1906         (functionPreciseTime):
1907
1908 2011-07-26  Filip Pizlo  <fpizlo@apple.com>
1909
1910         DFG speculative JIT never emits inline double comparisons, even when it
1911         would be obviously more efficient to do so.
1912         https://bugs.webkit.org/show_bug.cgi?id=65212
1913
1914         Reviewed by Gavin Barraclough.
1915         
1916         This handles the obvious case of inlining double comparisons: it only addresses
1917         the speculative JIT, and only for fused compare/branch sequences.  But it does
1918         handle the case where both operands are double (and there is no slow path),
1919         or where one operand is double and the other is unknown type (in which case it
1920         attempts to unbox the double, otherwise taking slow path).  This is a 0.8%
1921         speed-up on SunSpider.
1922
1923         * dfg/DFGSpeculativeJIT.cpp:
1924         (JSC::DFG::SpeculativeJIT::convertToDouble):
1925         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1926         (JSC::DFG::SpeculativeJIT::compare):
1927         (JSC::DFG::SpeculativeJIT::compile):
1928         * dfg/DFGSpeculativeJIT.h:
1929         (JSC::DFG::SpeculativeJIT::isRegisterDataFormatDouble):
1930         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
1931
1932 2011-07-26  Filip Pizlo  <fpizlo@apple.com>
1933
1934         https://bugs.webkit.org/show_bug.cgi?id=64969
1935         DFG JIT generates inefficient code for speculation failures.
1936
1937         Reviewed by Gavin Barraclough.
1938         
1939         This implements a speculation failure strategy where (1) values spilled on
1940         non-speculative but not spilled on speculative are spilled, (2) values that
1941         are in registers on both paths are rearranged without ever touching memory,
1942         and (3) values spilled on speculative but not spilled on non-speculative are
1943         filled.
1944         
1945         The register shuffling is the most interesting part of this patch.  It
1946         constructs a permutation graph for registers.  Each node represents a
1947         register, and each directed edge corresponds to the register's value having
1948         to be moved to a different register as part of the shuffling.  This is a
1949         directed graph where each node may only have 0 or 1 incoming edges, and
1950         0 or 1 outgoing edges.  The algorithm then first finds maximal non-cyclic
1951         subgraphs where all nodes in the subgraph are reachable from a start node.
1952         Such subgraphs always resemble linked lists, and correspond to simply
1953         moving the value in the second-to-last register into the last register, and
1954         then moving the value in the third-to-last register into the second-to-last
1955         register, and so on.  Once these subgraphs are taken care of, the remaining
1956         subgraphs are cycles, and are handled using either (a) conversion or no-op
1957         if the cycle involves one node, (b) swap if it involves two nodes, or (c)
1958         a cyclic shuffle involving a scratch register if there are three or more
1959         nodes.
1960         
1961         * dfg/DFGGenerationInfo.h:
1962         (JSC::DFG::needDataFormatConversion):
1963         * dfg/DFGJITCompiler.cpp:
1964         (JSC::DFG::GeneralizedRegister::GeneralizedRegister):
1965         (JSC::DFG::GeneralizedRegister::createGPR):
1966         (JSC::DFG::GeneralizedRegister::createFPR):
1967         (JSC::DFG::GeneralizedRegister::dump):
1968         (JSC::DFG::GeneralizedRegister::findInSpeculationCheck):
1969         (JSC::DFG::GeneralizedRegister::findInEntryLocation):
1970         (JSC::DFG::GeneralizedRegister::previousDataFormat):
1971         (JSC::DFG::GeneralizedRegister::nextDataFormat):
1972         (JSC::DFG::GeneralizedRegister::convert):
1973         (JSC::DFG::GeneralizedRegister::moveTo):
1974         (JSC::DFG::GeneralizedRegister::swapWith):
1975         (JSC::DFG::ShuffledRegister::ShuffledRegister):
1976         (JSC::DFG::ShuffledRegister::isEndOfNonCyclingPermutation):
1977         (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
1978         (JSC::DFG::ShuffledRegister::handleCyclingPermutation):
1979         (JSC::DFG::ShuffledRegister::lookup):
1980         (JSC::DFG::lookupForRegister):
1981         (JSC::DFG::NodeToRegisterMap::Tuple::Tuple):
1982         (JSC::DFG::NodeToRegisterMap::NodeToRegisterMap):
1983         (JSC::DFG::NodeToRegisterMap::set):
1984         (JSC::DFG::NodeToRegisterMap::end):
1985         (JSC::DFG::NodeToRegisterMap::find):
1986         (JSC::DFG::NodeToRegisterMap::clear):
1987         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
1988         (JSC::DFG::JITCompiler::linkSpeculationChecks):
1989         * dfg/DFGJITCompiler.h:
1990         * dfg/DFGNonSpeculativeJIT.cpp:
1991         (JSC::DFG::EntryLocation::EntryLocation):
1992         * dfg/DFGNonSpeculativeJIT.h:
1993         * dfg/DFGSpeculativeJIT.cpp:
1994         (JSC::DFG::SpeculationCheck::SpeculationCheck):
1995         * dfg/DFGSpeculativeJIT.h:
1996
1997 2011-07-26  Oliver Hunt  <oliver@apple.com>
1998
1999         Buffer overflow creating error messages for JSON.parse
2000         https://bugs.webkit.org/show_bug.cgi?id=65211
2001
2002         Reviewed by Darin Adler.
2003
2004         Pass string length to the UString constructor.
2005
2006         * runtime/LiteralParser.cpp:
2007         (JSC::LiteralParser::parse):
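
The class of bug this entry fixes, as an added example by the editor (not JavaScriptCore code): a string built from a pointer alone has to scan for a terminator, so a token that points into a larger buffer yields whatever follows it, and when no terminator exists inside the allocation the scan reads out of bounds. The helper names, the Token layout and the sample text are assumptions made for the illustration; the sample is a string literal precisely so that the unsafe path stops at the literal's terminator instead of crashing.

```cpp
// Added example (editor's illustration, not JavaScriptCore code): the difference
// between building an error-message substring from a bare pointer and from a
// pointer plus length. The two constructor-like helpers and the token layout are
// assumptions for the illustration.
#include <cstdio>
#include <string>

typedef char16_t UChar;

// A lexer hands back the offending token as a pointer into the source text plus a
// length; the characters after the token are the rest of the document, not a terminator.
struct Token {
    const UChar* start;
    size_t length;
};

// Stands in for a constructor taking only a pointer: it has to scan for a 0 to find
// the end, so it walks past the token and, if no 0 exists within the allocation,
// past the end of the buffer altogether.
std::u16string fromPointerScanningForNul(const UChar* p)
{
    size_t n = 0;
    while (p[n] != 0)
        ++n;
    return std::u16string(p, n);
}

// Stands in for the constructor taking (pointer, length): never reads beyond the token.
std::u16string fromPointerAndLength(const UChar* p, size_t length)
{
    return std::u16string(p, length);
}

std::u16string messageBeforeFix(const Token& t)
{
    return u"Unexpected token '" + fromPointerScanningForNul(t.start) + u"'";
}

std::u16string messageAfterFix(const Token& t)
{
    return u"Unexpected token '" + fromPointerAndLength(t.start, t.length) + u"'";
}

// Constructed sample: the JSON text {"key": tru} with the bad token at offset 8.
// The literal supplies a terminating 0 after '}', so the unsafe scan stops there
// instead of running off the allocation; a real lexer buffer gives no such guarantee.
static const UChar kSource[] = u"{\"key\": tru}";
static const Token kBadToken = { kSource + 8, 3 };

// Sanity check that the constructed token really is "tru".
bool sampleTokenIsTru()
{
    return fromPointerAndLength(kBadToken.start, kBadToken.length) == u"tru";
}

int main()
{
    std::u16string before = messageBeforeFix(kBadToken);
    std::u16string after = messageAfterFix(kBadToken);
    std::printf("before fix: %zu chars, after fix: %zu chars\n", before.size(), after.size());
    return 0;
}
```

On the sample the pre-fix message picks up the trailing '}' as part of the token; the length-taking form reproduces exactly the three characters the lexer identified, which is the behaviour the entry's one-line fix restores.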
2008
2009 2011-07-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2010
2011         Refactor automatically generated JS DOM bindings to replace operator new with static create methods
2012         https://bugs.webkit.org/show_bug.cgi?id=64732
2013
2014         Reviewed by Oliver Hunt.
2015
2016         Replacing the public constructors in the automatically generated JS DOM bindings with static 
2017         create methods.  JSByteArray is used by several of these bindings in WebCore.
2018
2019         * JavaScriptCore.exp:
2020         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2021         * runtime/JSByteArray.cpp:
2022         (JSC::JSByteArray::create):
2023         * runtime/JSByteArray.h:
2024
2025 2011-07-26  Alexis Menard  <alexis.menard@openbossa.org>
2026
2027         Unreviewed build fix for Qt/Linux.
2028
2029         On platforms with no glib and gstreamer we should not build javascriptcore
2030         with the Glib support. This is related to http://trac.webkit.org/changeset/91752.
2031
2032         * wtf/wtf.pri:
2033
2034 2011-07-26  Juan C. Montemayor  <jmont@apple.com>
2035
2036         JSON errors should be informative
2037         https://bugs.webkit.org/show_bug.cgi?id=63339
2038
2039         Added error messages to the JSON Parser.
2040
2041         Reviewed by Oliver Hunt.
2042
2043         * runtime/JSONObject.cpp:
2044         (JSC::JSONProtoFuncParse):
2045         * runtime/LiteralParser.cpp:
2046         (JSC::LiteralParser::Lexer::lex):
2047         (JSC::LiteralParser::Lexer::lexString):
2048         (JSC::LiteralParser::Lexer::lexNumber):
2049         (JSC::LiteralParser::parse):
2050         * runtime/LiteralParser.h:
2051         (JSC::LiteralParser::getErrorMessage):
2052         (JSC::LiteralParser::Lexer::sawError):
2053         (JSC::LiteralParser::Lexer::getErrorMessage):
2054
2055 2011-07-26  Sheriff Bot  <webkit.review.bot@gmail.com>
2056
2057         Unreviewed, rolling out r91746.
2058         http://trac.webkit.org/changeset/91746
2059         https://bugs.webkit.org/show_bug.cgi?id=65180
2060
2061         It broke SL build (Requested by Ossy on #webkit).
2062
2063         * wtf/text/StringImpl.cpp:
2064         (WTF::StringImpl::stripWhiteSpace):
2065         (WTF::StringImpl::simplifyWhiteSpace):
2066         * wtf/text/StringImpl.h:
2067         * wtf/text/WTFString.cpp:
2068         * wtf/text/WTFString.h:
2069
2070 2011-07-26  Alexis Menard  <alexis.menard@openbossa.org>
2071
2072         Reviewed by Andreas Kling.
2073
2074         [Qt] Change default backend to use GStreamer on Linux and QuickTime on Mac.
2075         https://bugs.webkit.org/show_bug.cgi?id=63472
2076
2077         Enable the bits needed for GStreamer only when QtMultimedia is not used.
2078
2079         * wtf/wtf.pri:
2080
2081 2011-07-26  Shinya Kawanaka  <shinyak@google.com>
2082
2083         Added an interface to take IsWhiteSpaceFunctionPtr.
2084         https://bugs.webkit.org/show_bug.cgi?id=57746
2085
2086         Reviewed by Kent Tamura.
2087
2088         * wtf/text/StringImpl.cpp:
2089         (WTF::StringImpl::stripWhiteSpace):
2090           Added an interface to take IsWhiteSpaceFunctionPtr.
2091         (WTF::StringImpl::simplifyWhiteSpace): ditto.
2092         * wtf/text/StringImpl.h:
2093         * wtf/text/WTFString.cpp:
2094         (WTF::String::stripWhiteSpace): ditto.
2095         (WTF::String::simplifyWhiteSpace): ditto.
2096         * wtf/text/WTFString.h:
2097
2098 2011-07-25  Filip Pizlo  <fpizlo@apple.com>
2099
2100         DFG non-speculative JIT emits inefficient code for arithmetic
2101         involving two registers
2102         https://bugs.webkit.org/show_bug.cgi?id=65160
2103
2104         Reviewed by Gavin Barraclough.
2105         
2106         The non-speculative JIT now emits inline code for double arithmetic, but
2107         still attempts integer arithmetic first.  This is a speed-up on SunSpider
2108         (albeit a small one), and a large speed-up on Kraken.
2109
2110         * dfg/DFGNonSpeculativeJIT.cpp:
2111         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
2112
2113 2011-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2114
2115         [EFL] Build break with --debug after r89153.
2116         https://bugs.webkit.org/show_bug.cgi?id=65150
2117
2118         Unreviewed build fix.
2119
2120         * wtf/CMakeListsEfl.txt: Add missing libraries.
2121
2122 2011-07-25  Filip Pizlo  <fpizlo@apple.com>
2123
2124         DFG non-speculative JIT emits obviously inefficient code for arithmetic
2125         where one operand is a constant.
2126         https://bugs.webkit.org/show_bug.cgi?id=65146
2127
2128         Reviewed by Gavin Barraclough.
2129         
2130         Changed the code to emit double arithmetic inline.
2131
2132         * dfg/DFGNonSpeculativeJIT.cpp:
2133         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
2134
2135 2011-07-25  Filip Pizlo  <fpizlo@apple.com>
2136
2137         DFG JIT bytecode parser misuses pointers into objects allocated as part of a
2138         WTF::Vector.
2139         https://bugs.webkit.org/show_bug.cgi?id=65128
2140
2141         Reviewed by Gavin Barraclough.
2142         
2143         The bytecode parser code seems to be right to have a DFGNode& phiNode reference
2144         into the graph, since this makes the code greatly more readable.  This patch
2145         thus makes the minimal change necessary to make the code right: it uses a
2146         pointer (to disambiguate between reloading the pointer and performing a
2147         copy from one location of the vector to another) and reloads it after the
2148         calls to addToGraph().
2149
2150         * dfg/DFGByteCodeParser.cpp:
2151         (JSC::DFG::ByteCodeParser::processPhiStack):
2152
2153 2011-07-25  Sheriff Bot  <webkit.review.bot@gmail.com>
2154
2155         Unreviewed, rolling out r91686.
2156         http://trac.webkit.org/changeset/91686
2157         https://bugs.webkit.org/show_bug.cgi?id=65144
2158
2159         1.5% regression in JSC (Requested by jmontemayor on #webkit).
2160
2161         * runtime/JSONObject.cpp:
2162         (JSC::JSONProtoFuncParse):
2163         * runtime/LiteralParser.cpp:
2164         (JSC::LiteralParser::Lexer::lex):
2165         (JSC::LiteralParser::Lexer::lexString):
2166         (JSC::LiteralParser::Lexer::lexNumber):
2167         (JSC::LiteralParser::parse):
2168         * runtime/LiteralParser.h:
2169
2170 2011-07-25  Jon Lee  <jonlee@apple.com>
2171
2172         Assertion called in ExecutableBase::generatedJITCodeForCall() when JIT is not available
2173         https://bugs.webkit.org/show_bug.cgi?id=65132
2174         <rdar://problem/9836297>
2175         
2176         Reviewed by Oliver Hunt.
2177         
2178         Make sure the JIT is available to use before running the following calls:
2179
2180         * bytecode/CodeBlock.cpp:
2181         (JSC::CodeBlock::unlinkCalls): Added check, return early if JIT is not available.
2182         * bytecode/CodeBlock.h:
2183         (JSC::CodeBlock::addMethodCallLinkInfos): Added assertion.
2184
2185 2011-07-25  Juan C. Montemayor  <jmont@apple.com>
2186
2187         JSON errors should be informative
2188         https://bugs.webkit.org/show_bug.cgi?id=63339
2189
2190         Added error messages to the JSON Parser.
2191
2192         Reviewed by Oliver Hunt.
2193
2194         * runtime/JSONObject.cpp:
2195         (JSC::JSONProtoFuncParse):
2196         * runtime/LiteralParser.cpp:
2197         (JSC::LiteralParser::Lexer::lex):
2198         (JSC::LiteralParser::Lexer::lexString):
2199         (JSC::LiteralParser::Lexer::lexNumber):
2200         (JSC::LiteralParser::parse):
2201         * runtime/LiteralParser.h:
2202         (JSC::LiteralParser::getErrorMessage):
2203         (JSC::LiteralParser::Lexer::sawError):
2204         (JSC::LiteralParser::Lexer::getErrorMessage):
2205
2206 2011-07-25  Filip Pizlo  <fpizlo@apple.com>
2207
2208         X86-64 assembler emits three instructions instead of two for certain
2209         loads and stores.
2210         https://bugs.webkit.org/show_bug.cgi?id=65095
2211
2212         Reviewed by Gavin Barraclough.
2213         
2214         Simply made these four methods in the assembler use the scratch register,
2215         which they were previously avoiding.  It still optimizes for the case where
2216         an absolute address memory access is using EAX.  This results in a slight
2217         performance improvement.
2218
2219         * assembler/MacroAssemblerX86_64.h:
2220         (JSC::MacroAssemblerX86_64::load32):
2221         (JSC::MacroAssemblerX86_64::store32):
2222         (JSC::MacroAssemblerX86_64::loadPtr):
2223         (JSC::MacroAssemblerX86_64::storePtr):
2224
2225 2011-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2226
2227         [EFL] Implement EFL-specific current time and monotonicallyIncreasingTime.
2228         https://bugs.webkit.org/show_bug.cgi?id=64354
2229
2230         Use ecore_time_unix_get which returns unix time as double type for currentTime
2231         and ecore_time_get which uses monotonic clock for monotonicallyIncreasingTime.
2232
2233         Reviewed by Kent Tamura.
2234
2235         * wtf/CurrentTime.cpp:
2236         (WTF::currentTime):
2237         (WTF::monotonicallyIncreasingTime):
2238
2239 2011-07-22  Sommer Panage  <panage@apple.com>
2240
2241         Reviewed by Oliver Hunt.
2242
2243         export JSContextCreateBacktrace as SPI in JSContextRefPrivate.h
2244         https://bugs.webkit.org/show_bug.cgi?id=64981
2245
2246         UIAutomation for iOS would like to support a JavaScript backtrace in our error logs.
2247         Currently, the C API does not provide the tools to do this. However, the private API
2248         does expose the necessary functionality to get a backtrace
2249         (via Interpreter::retrieveLastCaller). We recognize this information may result in
2250         failure in the cases of programs run by 'eval', stack frames beneath host function
2251         call frames, and in programs run from other programs. Thus, we propose exporting our
2252         JSContextCreateBacktrace in JSContextRefPrivate.h. This will provide us with the tools
2253         we need while not advertising an API that isn't really ready for full use.
2254
2255         * API/JSContextRef.cpp:
2256         * API/JSContextRefPrivate.h:
2257         * JavaScriptCore.exp:
2258
2260 2011-07-22  Gavin Barraclough  <barraclough@apple.com>
2261
2262         https://bugs.webkit.org/show_bug.cgi?id=65051
2263         DFG JIT - Enable by default for mac platform on x86-64.
2264
2265         Rubber Stamped by Geoff Garen.
2266
2267         This is now a performance progression.
2268
2269         * wtf/Platform.h:
2270             - Removed definition of ENABLE_DFG_JIT_RESTRICTIONS.
2271
2272 2011-07-22  Gavin Barraclough  <barraclough@apple.com>
2273
2274         https://bugs.webkit.org/show_bug.cgi?id=65047
2275         DFG JIT - Add support for op_resolve/op_resolve_base
2276
2277         Reviewed by Sam Weinig.
2278
2279         These are necessary for any significant eval code coverage
2280         (and as such increase LayoutTest coverage).
2281
2282         * dfg/DFGAliasTracker.h:
2283         (JSC::DFG::AliasTracker::recordResolve):
2284             - Conservatively blow aliasing optimizations for now.
2285         * dfg/DFGByteCodeParser.cpp:
2286         (JSC::DFG::ByteCodeParser::parseBlock):
2287             - Add support for op_resolve/op_resolve_base.
2288         * dfg/DFGJITCodeGenerator.h:
2289         (JSC::DFG::JITCodeGenerator::callOperation):
2290             - Add call with exec, identifier arguments.
2291         * dfg/DFGNode.h:
2292             - Add new node types.
2293         (JSC::DFG::Node::hasIdentifier):
2294             - Resolve nodes have identifiers, too!
2295         * dfg/DFGNonSpeculativeJIT.cpp:
2296         (JSC::DFG::NonSpeculativeJIT::compile):
2297             - Add generation for new Nodes.
2298         * dfg/DFGOperations.cpp:
2299         * dfg/DFGOperations.h:
2300             - Added new operations.
2301         * dfg/DFGSpeculativeJIT.cpp:
2302         (JSC::DFG::SpeculativeJIT::compile):
2303             - Add generation for new Nodes.
2304
2305 2011-07-22  Gavin Barraclough  <barraclough@apple.com>
2306
2307         https://bugs.webkit.org/show_bug.cgi?id=65036
2308         Messing with the register allocation within flow control = badness.
2309
2310         Reviewed by Sam Weinig.
2311
2312         * dfg/DFGNonSpeculativeJIT.cpp:
2313         (JSC::DFG::NonSpeculativeJIT::compile):
2314             - Fix register allocation.
2315
2316 2011-07-22  Mark Hahnenberg  <mhahnenberg@apple.com>
2317
2318         Date.prototype.toISOString doesn't handle negative years or years > 9999 correctly.
2319         https://bugs.webkit.org/show_bug.cgi?id=63986
2320
2321         Reviewed by Geoffrey Garen.
2322
2323         Changed the implementation of Date.prototype.toISOString() to use the extended year
2324         format (+/-yyyyyy) for years outside of [0,9999] to be in compliance with ES 15.9.1.15.1.
2325
2326         * runtime/DatePrototype.cpp:
2327         (JSC::dateProtoFuncToISOString):
2328
2329 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2330
2331         Windows build fix
2332
2333         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2334
2335 2011-07-21  Ryosuke Niwa  <rniwa@webkit.org>
2336
2337         Build fix after r91555.
2338
2339         * JavaScriptCore.exp:
2340
2341 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2342
2343         https://bugs.webkit.org/show_bug.cgi?id=19271
2344         eliminate PIC branches by changing NaN handling in JSValue::toNumber
2345
2346         Reviewed by Sam Weinig.
2347
2348         Moving the non-numeric cases out of line seems to be a consistent
2349         win on SunSpider for me, to the order of about 0.5%.
2350
2351         * runtime/JSCell.h:
2352         (JSC::JSCell::JSValue::toNumber):
2353             - Changed to only handle values that are already numbers, move non-numeric cases out of line.
2354         * runtime/JSValue.cpp:
2355         (JSC::JSValue::toNumberSlowCase):
2356             - Added toNumberSlowCase, handling non-numeric cases.
2357         * runtime/JSValue.h:
2358             - Add declaration of toNumberSlowCase.
2359
2360 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2361
2362         https://bugs.webkit.org/show_bug.cgi?id=64875
2363         Use of `yield` keyword is broken
2364
2365         Reviewed by Sam Weinig.
2366
2367         * parser/Lexer.cpp:
2368         (JSC::Lexer::parseIdentifier):
2369             - The bug here is that a successful match of a RESERVED_IF_STRICT token from
2370               parseKeyword is being nullified back to IDENT. The problem is that in the
2371               case of IDENT matches parseKeyword should not move the lexer's input
2372               position, but in the case of RESERVED_IF_STRICT it has done so.
2373
2374 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2375
2376         https://bugs.webkit.org/show_bug.cgi?id=64900
2377         Function.prototype.apply should accept an array-like object as its second argument
2378
2379         Reviewed by Sam Weinig.
2380
2381         * interpreter/Interpreter.cpp:
2382         (JSC::Interpreter::privateExecute):
2383         * jit/JITStubs.cpp:
2384         (JSC::DEFINE_STUB_FUNCTION):
2385         * runtime/FunctionPrototype.cpp:
2386         (JSC::functionProtoFuncApply):
2387             - Remove the type error if object is not an array.
2388
2389 2011-07-21  Gavin Barraclough  <barraclough@apple.com>
2390
2391         https://bugs.webkit.org/show_bug.cgi?id=64964
2392         DFG JIT - Enable support for eval code
2393
2394         Reviewed by Sam Weinig.
2395
2396         This is basically the same as program code, to the JIT!
2397
2398         * bytecode/Opcode.cpp:
2399         * bytecode/Opcode.h:
2400             - Enable opcodeNames in !NDEBUG builds.
2401         * dfg/DFGOperations.cpp:
2402             - Fix a bug exposed by eval support, throw correct type error for new.
2403         * runtime/Executable.cpp:
2404         (JSC::EvalExecutable::compileInternal):
2405             - Enable DFG JIT for eval code.
2406
2407 2011-07-20  Sheriff Bot  <webkit.review.bot@gmail.com>
2408
2409         Unreviewed, rolling out r91380.
2410         http://trac.webkit.org/changeset/91380
2411         https://bugs.webkit.org/show_bug.cgi?id=64924
2412
2413         Caused assertion failures in Chromium's IndexedDB tests
2414         (Requested by rniwa on #webkit).
2415
2416         * wtf/ThreadIdentifierDataPthreads.cpp:
2417         (WTF::ThreadIdentifierData::identifier):
2418         (WTF::ThreadIdentifierData::initialize):
2419         (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
2420         (WTF::ThreadIdentifierData::initializeKeyOnce):
2421         * wtf/ThreadIdentifierDataPthreads.h:
2422         * wtf/ThreadingPthreads.cpp:
2423         (WTF::initializeThreading):
2424
2425 2011-07-20  Filip Pizlo  <fpizlo@apple.com>
2426
2427         DFG non-speculative JIT does not use() the aliased GetByVal,
2428         resulting in bloated use counts.
2429         https://bugs.webkit.org/show_bug.cgi?id=64911
2430
2431         Reviewed by Gavin Barraclough.
2432         
2433         Inserted a call to use() for the aliased GetByVal.
2434
2435         * dfg/DFGNonSpeculativeJIT.cpp:
2436         (JSC::DFG::NonSpeculativeJIT::compile):
2437
2438 2011-07-20  Gavin Barraclough  <barraclough@apple.com>
2439
2440         https://bugs.webkit.org/show_bug.cgi?id=64909
2441         DFG JIT - Missing ToInt32 conversions for double constants.
2442
2443         Reviewed by Sam Weinig.
2444
2445         * dfg/DFGByteCodeParser.cpp:
2446         (JSC::DFG::ByteCodeParser::toInt32):
2447             - We cannot trivially omit ToInt32 conversions on double constants.
2448
2449 2011-07-20  Filip Pizlo  <fpizlo@apple.com>
2450
2451         DFG speculative JIT sometimes claims to use compare operands twice, leading to
2452         use count corruption.
2453         https://bugs.webkit.org/show_bug.cgi?id=64903
2454
2455         Reviewed by Gavin Barraclough.
2456         
2457         Move the calls to use() in SpeculativeJIT::compare() so that they only happen
2458         if the JITCodeGenerator's helper method (which also calls use()) is not called.
2459
2460         * dfg/DFGSpeculativeJIT.cpp:
2461         (JSC::DFG::SpeculativeJIT::compare):
2462
2463 2011-07-20  Oliver Hunt  <oliver@apple.com>
2464
2465         Don't throw away code when JSGarbageCollect API is called
2466         https://bugs.webkit.org/show_bug.cgi?id=64894
2467
2468         Reviewed by Sam Weinig.
2469
2470         Just call collectAllGarbage.  That will clean up all unneeded
2471         code without causing any pathological recompilation problems.
2472
2473         * API/JSBase.cpp:
2474         (JSGarbageCollect):
2475
2476 2011-07-20  Oliver Hunt  <oliver@apple.com>
2477
2478         Codeblock doesn't visit cached structures in global resolve instructions
2479         https://bugs.webkit.org/show_bug.cgi?id=64889
2480
2481         Reviewed by Sam Weinig.
2482
2483         Visit the global resolve instructions.  This fixes a couple
2484         of random crashes seen in the jquery tests when using the
2485         interpreter.
2486
2487         * bytecode/CodeBlock.cpp:
2488         (JSC::CodeBlock::visitAggregate):
2489
2490 2011-07-20  James Robinson  <jamesr@chromium.org>
2491
2492         Revert worker and WebKit2 runloops to use currentTime() for scheduling instead of the monotonic clock
2493         https://bugs.webkit.org/show_bug.cgi?id=64841
2494
2495         Reviewed by Mark Rowe.
2496
2497         http://trac.webkit.org/changeset/91206 converted most of WebKit's deferred work scheduling to using the
2498         monotonic clock instead of WTF::currentTime().  This broke many plugin tests on WebKit2 for reasons that are
2499         unclear.  This reverts everything except for WebCore::ThreadTimers back to the previous behavior.
2500
2501         * wtf/ThreadingPthreads.cpp:
2502         (WTF::ThreadCondition::timedWait):
2503         * wtf/ThreadingWin.cpp:
2504         (WTF::absoluteTimeToWaitTimeoutInterval):
2505         * wtf/gtk/ThreadingGtk.cpp:
2506         (WTF::ThreadCondition::timedWait):
2507         * wtf/qt/ThreadingQt.cpp:
2508         (WTF::ThreadCondition::timedWait):
2509
2510 2011-07-14  David Levin  <levin@chromium.org>
2511
2512         currentThread is too slow!
2513         https://bugs.webkit.org/show_bug.cgi?id=64577
2514
2515         Reviewed by Darin Adler and Dmitry Titov.
2516
2517         The problem is that currentThread results in a pthread_once call which always takes a lock.
2518         With this change, currentThread is 10% faster than isMainThread in release mode and only
2519         5% slower than isMainThread in debug.
2520
2521         * wtf/ThreadIdentifierDataPthreads.cpp:
2522         (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
2523         which is no longer needed because this is called from initializeThreading().
2524         (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
2525         initialization of the pthread key should already be done.
2526         (WTF::ThreadIdentifierData::initialize): Ditto.
2527         * wtf/ThreadIdentifierDataPthreads.h:
2528         * wtf/ThreadingPthreads.cpp:
2529         (WTF::initializeThreading): Acquire the pthread key here.
2530
2531 2011-07-20  Mark Rowe  <mrowe@apple.com>
2532
2533         Fix the 32-bit build.
2534
2535         * runtime/ObjectPrototype.cpp:
2536         (JSC::objectProtoFuncToString):
2537
2538 2011-07-19  Gavin Barraclough  <barraclough@apple.com>
2539
2540         https://bugs.webkit.org/show_bug.cgi?id=64678
2541         Fix bugs in Object.prototype this handling.
2542
2543         Reviewed by Darin Adler.
2544
2545         Fix ES5.1 correctness issues identified by Mads Ager.
2546
2547         * runtime/ObjectPrototype.cpp:
2548         (JSC::objectProtoFuncToString):
2549             - ES5.1 expects toString of undefined/null to produce "[object Undefined]"/"[object Null]".
2550
2551 2011-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2552
2553         [JSC] WebKit allocates gigabytes of memory when doing repeated string concatenation
2554         https://bugs.webkit.org/show_bug.cgi?id=63918
2555
2556         Reviewed by Darin Adler.
2557
2558         When allocating JSStrings during concatenation, we needed to call the Heap's reportExtraMemoryCost
2559         method due to additional string copying within several of the constructors when dealing with 
2560         UStrings.  This has been added to the UString version of the appendStringInConstruct method 
2561         within the JSString class.
2562
2563         * runtime/JSString.h:
2564         (JSC::RopeBuilder::JSString):
2565         (JSC::RopeBuilder::appendStringInConstruct):
2566
2567 2011-07-19  Gavin Barraclough  <barraclough@apple.com>
2568
2569         https://bugs.webkit.org/show_bug.cgi?id=64679
2570         Fix bugs in Array.prototype this handling.
2571
2572         Reviewed by Oliver Hunt.
2573
2574         * runtime/ArrayPrototype.cpp:
2575         (JSC::arrayProtoFuncJoin):
2576         (JSC::arrayProtoFuncConcat):
2577         (JSC::arrayProtoFuncPop):
2578         (JSC::arrayProtoFuncPush):
2579         (JSC::arrayProtoFuncReverse):
2580         (JSC::arrayProtoFuncShift):
2581         (JSC::arrayProtoFuncSlice):
2582         (JSC::arrayProtoFuncSort):
2583         (JSC::arrayProtoFuncSplice):
2584         (JSC::arrayProtoFuncUnShift):
2585         (JSC::arrayProtoFuncFilter):
2586         (JSC::arrayProtoFuncMap):
2587         (JSC::arrayProtoFuncEvery):
2588         (JSC::arrayProtoFuncForEach):
2589         (JSC::arrayProtoFuncSome):
2590         (JSC::arrayProtoFuncReduce):
2591         (JSC::arrayProtoFuncReduceRight):
2592         (JSC::arrayProtoFuncIndexOf):
2593         (JSC::arrayProtoFuncLastIndexOf):
2594             - These methods should throw if this value is undefined.
2595
2596 2011-07-19  Gavin Barraclough  <barraclough@apple.com>
2597
2598         https://bugs.webkit.org/show_bug.cgi?id=64677
2599         Fix bugs in String.prototype this handling.
2600
2601         Reviewed by Oliver Hunt.
2602
2603         undefined/null this values should throw TypeErrors, not convert to
2604         the global object, and primitive values should not be converted via
2605         object types.
2606
2607         * runtime/StringPrototype.cpp:
2608         (JSC::stringProtoFuncReplace):
2609         (JSC::stringProtoFuncCharAt):
2610         (JSC::stringProtoFuncCharCodeAt):
2611         (JSC::stringProtoFuncIndexOf):
2612         (JSC::stringProtoFuncLastIndexOf):
2613         (JSC::stringProtoFuncMatch):
2614         (JSC::stringProtoFuncSearch):
2615         (JSC::stringProtoFuncSlice):
2616         (JSC::stringProtoFuncSplit):
2617         (JSC::stringProtoFuncSubstr):
2618         (JSC::stringProtoFuncSubstring):
2619         (JSC::stringProtoFuncToLowerCase):
2620         (JSC::stringProtoFuncToUpperCase):
2621         (JSC::stringProtoFuncLocaleCompare):
2622         (JSC::stringProtoFuncBig):
2623         (JSC::stringProtoFuncSmall):
2624         (JSC::stringProtoFuncBlink):
2625         (JSC::stringProtoFuncBold):
2626         (JSC::stringProtoFuncFixed):
2627         (JSC::stringProtoFuncItalics):
2628         (JSC::stringProtoFuncStrike):
2629         (JSC::stringProtoFuncSub):
2630         (JSC::stringProtoFuncSup):
2631         (JSC::stringProtoFuncFontcolor):
2632         (JSC::stringProtoFuncFontsize):
2633         (JSC::stringProtoFuncAnchor):
2634         (JSC::stringProtoFuncLink):
2635         (JSC::trimString):
2636             - These methods should throw if this value is undefined,
2637               and convert ToString directly, not via ToObject.
2638
2639 2011-07-19  Filip Pizlo  <fpizlo@apple.com>
2640
2641         DFG JIT sometimes emits spill code even when the respective values
2642         are never needed.
2643         https://bugs.webkit.org/show_bug.cgi?id=64774
2644
2645         Reviewed by Gavin Barraclough.
2646         
2647         The main high-level change is that it is now easier to call use() on a
2648         virtual register.  JSValueOperand and its other-typed relatives now have
2649         a handy use() method, and jsValueResult() and friends now make it easier to
2650         pass UseChildrenCalledExplicitly.
2651         
2652         The rest of this patch hoists the call to use() as high as possible for
2653         all of those cases where either flushRegisters() or silentSpillAllRegisters()
2654         may be called.
2655
2656         * dfg/DFGJITCodeGenerator.cpp:
2657         (JSC::DFG::JITCodeGenerator::cachedGetById):
2658         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
2659         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2660         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2661         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2662         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2663         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2664         (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
2665         (JSC::DFG::JITCodeGenerator::emitBranch):
2666         * dfg/DFGJITCodeGenerator.h:
2667         (JSC::DFG::JITCodeGenerator::use):
2668         (JSC::DFG::JITCodeGenerator::integerResult):
2669         (JSC::DFG::JITCodeGenerator::jsValueResult):
2670         (JSC::DFG::IntegerOperand::use):
2671         (JSC::DFG::DoubleOperand::use):
2672         (JSC::DFG::JSValueOperand::use):
2673         * dfg/DFGNonSpeculativeJIT.cpp:
2674         (JSC::DFG::NonSpeculativeJIT::valueToNumber):
2675         (JSC::DFG::NonSpeculativeJIT::valueToInt32):
2676         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
2677         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
2678         (JSC::DFG::NonSpeculativeJIT::compile):
2679         * dfg/DFGSpeculativeJIT.cpp:
2680         (JSC::DFG::SpeculativeJIT::compile):
2681         * dfg/DFGSpeculativeJIT.h:
2682         (JSC::DFG::SpeculateStrictInt32Operand::use):
2683         (JSC::DFG::SpeculateCellOperand::use):
2684
2685 2011-07-19  Xan Lopez  <xlopez@igalia.com>
2686
2687         ARMv7 backend broken, lacks 3 parameter rshift32 method
2688         https://bugs.webkit.org/show_bug.cgi?id=64571
2689
2690         Reviewed by Zoltan Herczeg.
2691
2692         * assembler/MacroAssemblerARMv7.h:
2693         (JSC::MacroAssemblerARMv7::rshift32): add missing rshift32 method.
2694
2695 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
2696
2697         DFG JIT does not optimize strict equality as effectively as the old JIT does.
2698         https://bugs.webkit.org/show_bug.cgi?id=64759
2699
2700         Reviewed by Gavin Barraclough.
2701         
2702         This adds a more complete set of strict equality optimizations.  If either
2703         operand is known numeric, then the code reverts to the old style of optimizing
2704         (first try integer comparison).  Otherwise it uses the old JIT's trick of
2705         first simultaneously checking if both operands are either numbers or cells;
2706         if not then a fast path is taken.
2707
2708         * dfg/DFGJITCodeGenerator.cpp:
2709         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2710         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2711         (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
2712         * dfg/DFGJITCodeGenerator.h:
2713         * dfg/DFGNonSpeculativeJIT.cpp:
2714         (JSC::DFG::NonSpeculativeJIT::compile):
2715         * dfg/DFGOperations.cpp:
2716         * dfg/DFGOperations.h:
2717         * dfg/DFGSpeculativeJIT.cpp:
2718         (JSC::DFG::SpeculativeJIT::compile):
2719
2720 2011-07-18  Gavin Barraclough  <barraclough@apple.com>
2721
2722         https://bugs.webkit.org/show_bug.cgi?id=64760
2723         DFG JIT - Should be able to compile program code.
2724
2725         Reviewed by Geoff Garen.
2726
2727         Add support for op_end, hooks to compile program code in Executable.cpp.
2728
2729         * dfg/DFGByteCodeParser.cpp:
2730         (JSC::DFG::ByteCodeParser::parseBlock):
2731             - Add support for op_end
2732         * dfg/DFGJITCompiler.cpp:
2733         (JSC::DFG::JITCompiler::compileEntry):
2734         (JSC::DFG::JITCompiler::compileBody):
2735         (JSC::DFG::JITCompiler::link):
2736             - Added, separate out steps of compileFunction.
2737         (JSC::DFG::JITCompiler::compile):
2738             - Added, compile program code.
2739         (JSC::DFG::JITCompiler::compileFunction):
2740             - Sections separated out to helper functions.
2741         * dfg/DFGJITCompiler.h:
2742         (JSC::DFG::JITCompiler::JITCompiler):
2743             - Added m_exceptionCheckCount.
2744         * runtime/Executable.cpp:
2745         (JSC::tryDFGCompile):
2746         (JSC::tryDFGCompileFunction):
2747         (JSC::ProgramExecutable::compileInternal):
2748         (JSC::FunctionExecutable::compileForCallInternal):
2749             - Renamed tryDFGCompile to tryDFGCompileFunction, added tryDFGCompile to compile program code.
2750
2751 2011-07-18  Gavin Barraclough  <barraclough@apple.com>
2752
2753         https://bugs.webkit.org/show_bug.cgi?id=64678
2754         Fix bugs in Object.prototype this handling.
2755
2756         Reviewed by Oliver Hunt.
2757
2758         undefined/null this values should throw TypeErrors, not convert to the global object,
2759         also, toLocaleString should be calling ToObject & invoking the object's toString
2760         function, even for values that are already strings.
2761
2762         * runtime/ObjectPrototype.cpp:
2763         (JSC::objectProtoFuncValueOf):
2764         (JSC::objectProtoFuncHasOwnProperty):
2765         (JSC::objectProtoFuncIsPrototypeOf):
2766         (JSC::objectProtoFuncPropertyIsEnumerable):
2767         (JSC::objectProtoFuncToLocaleString):
2768         (JSC::objectProtoFuncToString):
2769
2770 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
2771
2772         JSC GC lazy sweep does not inline the common cases of cell destruction.
2773         https://bugs.webkit.org/show_bug.cgi?id=64745
2774
2775         Reviewed by Oliver Hunt.
2776         
2777         This inlines the case of JSFinalObject destruction.
2778
2779         * heap/MarkedBlock.cpp:
2780         (JSC::MarkedBlock::lazySweep):
2781
2782 2011-07-18  Oliver Hunt  <oliver@apple.com>
2783
2784         Interpreter build-fix
2785
2786         * interpreter/Interpreter.cpp:
2787         (JSC::Interpreter::privateExecute):
2788
2789 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
2790
2791         DFG JIT does not optimize equal-null comparisons and branches.
2792         https://bugs.webkit.org/show_bug.cgi?id=64659
2793
2794         Reviewed by Gavin Barraclough.
2795         
2796         Added a peephole-aware compare-to-null implementation to JITCodeGenerator,
2797         which is used by both the speculative and non-speculative JIT.  Through
2798         the use of the new isNullConstant helper, the two JITs invoke the
2799         nonSpeculativeCompareNull() helper instead of their regular comparison
2800         helpers when compiling CompareEq.  Through the use of the new isKnownCell
2801         helper, the compare-null code will skip the is-a-cell check if the
2802         speculative JIT had been speculating cell.
2803
2804         * dfg/DFGJITCodeGenerator.cpp:
2805         (JSC::DFG::JITCodeGenerator::isKnownCell):
2806         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
2807         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2808         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
2809         * dfg/DFGJITCodeGenerator.h:
2810         (JSC::DFG::JITCodeGenerator::isNullConstant):
2811         * dfg/DFGNonSpeculativeJIT.cpp:
2812         (JSC::DFG::NonSpeculativeJIT::compile):
2813         * dfg/DFGOperations.cpp:
2814         * dfg/DFGSpeculativeJIT.cpp:
2815         (JSC::DFG::SpeculativeJIT::compile):
2816
2817 2011-07-18  James Robinson  <jamesr@chromium.org>
2818
2819         Timer scheduling should be based off the monotonic clock
2820         https://bugs.webkit.org/show_bug.cgi?id=64544
2821
2822         Reviewed by Darin Adler.
2823
2824         Switches ThreadCondition::timedWait and related utility functions from currentTime() to
2825         monotonicallyIncreasingTime().
2826
2827         Add WTF::monotonicallyIncreasingTime() to list of exported functions so it can be accessed from WebCore/WebKit.
2828
2829         * JavaScriptCore.exp:
2830         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2831         * wtf/ThreadingPthreads.cpp:
2832         (WTF::ThreadCondition::timedWait):
2833         * wtf/ThreadingWin.cpp:
2834         (WTF::absoluteTimeToWaitTimeoutInterval):
2835         * wtf/gtk/ThreadingGtk.cpp:
2836         (WTF::ThreadCondition::timedWait):
2837         * wtf/qt/ThreadingQt.cpp:
2838         (WTF::ThreadCondition::timedWait):
2839
2840 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
2841
2842         JSC JIT does not inline GC allocation fast paths
2843         https://bugs.webkit.org/show_bug.cgi?id=64582
2844
2845         Reviewed by Oliver Hunt.
2846
2847         This addresses inlining allocation for the easiest-to-allocate cases:
2848         op_new_object and op_create_this.  Inlining GC allocation fast paths
2849         required three changes.  First, the JSGlobalData now saves the vtable
2850         pointer of JSFinalObject, since that's what op_new_object and
2851         op_create_this allocate.  Second, the Heap exposes a reference to
2852         the appropriate SizeClass, so that the JIT may inline accesses
2853         directly to the SizeClass for JSFinalObject allocations.  And third,
2854         the JIT is extended with code to emit inline fast paths for GC
2855         allocation.  A stub call is emitted in the case where the inline fast
2856         path fails.
2857
2858         * heap/Heap.h:
2859         (JSC::Heap::sizeClassFor):
2860         (JSC::Heap::allocate):
2861         * jit/JIT.cpp:
2862         (JSC::JIT::privateCompileSlowCases):
2863         * jit/JIT.h:
2864         * jit/JITInlineMethods.h:
2865         (JSC::JIT::emitAllocateJSFinalObject):
2866         * jit/JITOpcodes.cpp:
2867         (JSC::JIT::emit_op_new_object):
2868         (JSC::JIT::emitSlow_op_new_object):
2869         (JSC::JIT::emit_op_create_this):
2870         (JSC::JIT::emitSlow_op_create_this):
2871         * jit/JITOpcodes32_64.cpp:
2872         (JSC::JIT::emit_op_new_object):
2873         (JSC::JIT::emitSlow_op_new_object):
2874         (JSC::JIT::emit_op_create_this):
2875         (JSC::JIT::emitSlow_op_create_this):
2876         * runtime/JSGlobalData.cpp:
2877         (JSC::JSGlobalData::storeVPtrs):
2878         * runtime/JSGlobalData.h:
2879         * runtime/JSObject.h:
2880         (JSC::JSFinalObject::JSFinalObject):
2881         (JSC::JSObject::offsetOfInheritorID):
2882
2883 2011-07-18  Mark Hahnenberg  <mhahnenberg@apple.com>
2884
2885         Refactor JSC to replace JSCell::operator new with static create method
2886         https://bugs.webkit.org/show_bug.cgi?id=64466
2887
2888         Reviewed by Oliver Hunt (oliver@apple.com) and Darin Adler (darin@apple.com).
2889
2890         First step in a longer refactoring process to remove the use of
2891         operator new overloading in order to allocate GC objects and to replace
2892         this method with static create methods for each individual type of heap-allocated
2893         JS object.  This particular patch only deals with replacing uses of
2894         operator new within JSC proper.  Future patches will remove it from the
2895         parts that interface with the DOM.  Due to the DOM's continued dependence
2896         on it, operator new has not actually been removed from JSCell.
2897
2898         * API/JSCallbackConstructor.h:
2899         (JSC::JSCallbackConstructor::create):
2900         * API/JSCallbackFunction.h:
2901         (JSC::JSCallbackFunction::create):
2902         * API/JSCallbackObject.h:
2903         (JSC::JSCallbackObject::operator new):
2904         (JSC::JSCallbackObject::create):
2905         * API/JSCallbackObjectFunctions.h:
2906         (JSC::::staticFunctionGetter):
2907         * API/JSClassRef.cpp:
2908         (OpaqueJSClass::prototype):
2909         * API/JSContextRef.cpp:
2910         * API/JSObjectRef.cpp:
2911         (JSObjectMake):
2912         (JSObjectMakeFunctionWithCallback):
2913         (JSObjectMakeConstructor):
2914         * JavaScriptCore.exp:
2915         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2916         * bytecode/CodeBlock.cpp:
2917         (JSC::CodeBlock::createActivation):
2918         * bytecompiler/BytecodeGenerator.cpp:
2919         (JSC::BytecodeGenerator::BytecodeGenerator):
2920         * bytecompiler/BytecodeGenerator.h:
2921         (JSC::BytecodeGenerator::makeFunction):
2922         * bytecompiler/NodesCodegen.cpp:
2923         (JSC::RegExpNode::emitBytecode):
2924         * interpreter/Interpreter.cpp:
2925         (JSC::Interpreter::privateExecute):
2926         (JSC::Interpreter::retrieveArguments):
2927         * jit/JITStubs.cpp:
2928         (JSC::DEFINE_STUB_FUNCTION):
2929         * jsc.cpp:
2930         (GlobalObject::create):
2931         (GlobalObject::GlobalObject):
2932         (functionRun):
2933         (jscmain):
2934         * runtime/Arguments.h:
2935         (JSC::Arguments::create):
2936         (JSC::Arguments::createNoParameters):
2937         * runtime/ArrayConstructor.cpp:
2938         (JSC::constructArrayWithSizeQuirk):
2939         * runtime/ArrayConstructor.h:
2940         (JSC::ArrayConstructor::create):
2941         * runtime/ArrayPrototype.cpp:
2942         (JSC::arrayProtoFuncSplice):
2943         * runtime/ArrayPrototype.h:
2944         (JSC::ArrayPrototype::create):
2945         * runtime/BooleanConstructor.cpp:
2946         (JSC::constructBoolean):
2947         (JSC::constructBooleanFromImmediateBoolean):
2948         * runtime/BooleanConstructor.h:
2949         (JSC::BooleanConstructor::create):
2950         * runtime/BooleanObject.h:
2951         (JSC::BooleanObject::create):
2952         * runtime/BooleanPrototype.h:
2953         (JSC::BooleanPrototype::create):
2954         * runtime/DateConstructor.cpp:
2955         (JSC::constructDate):
2956         * runtime/DateConstructor.h:
2957         (JSC::DateConstructor::create):
2958         * runtime/DateInstance.h:
2959         (JSC::DateInstance::create):
2960         * runtime/DatePrototype.h:
2961         (JSC::DatePrototype::create):
2962         * runtime/Error.cpp:
2963         (JSC::createError):
2964         (JSC::createEvalError):
2965         (JSC::createRangeError):
2966         (JSC::createReferenceError):
2967         (JSC::createSyntaxError):
2968         (JSC::createTypeError):
2969         (JSC::createURIError):
2970         (JSC::StrictModeTypeErrorFunction::create):
2971         (JSC::createTypeErrorFunction):
2972         * runtime/ErrorConstructor.h:
2973         (JSC::ErrorConstructor::create):
2974         * runtime/ErrorInstance.cpp:
2975         (JSC::ErrorInstance::ErrorInstance):
2976         (JSC::ErrorInstance::create):
2977         * runtime/ErrorInstance.h:
2978         * runtime/ErrorPrototype.cpp:
2979         (JSC::ErrorPrototype::ErrorPrototype):
2980         * runtime/ErrorPrototype.h:
2981         (JSC::ErrorPrototype::create):
2982         * runtime/ExceptionHelpers.cpp:
2983         (JSC::InterruptedExecutionError::InterruptedExecutionError):
2984         (JSC::InterruptedExecutionError::create):
2985         (JSC::createInterruptedExecutionException):
2986         (JSC::TerminatedExecutionError::TerminatedExecutionError):
2987         (JSC::TerminatedExecutionError::create):
2988         (JSC::createTerminatedExecutionException):
2989         * runtime/Executable.cpp:
2990         (JSC::FunctionExecutable::FunctionExecutable):
2991         (JSC::FunctionExecutable::fromGlobalCode):
2992         * runtime/Executable.h:
2993         (JSC::ExecutableBase::create):
2994         (JSC::NativeExecutable::create):
2995         (JSC::ScriptExecutable::ScriptExecutable):
2996         (JSC::EvalExecutable::create):
2997         (JSC::ProgramExecutable::create):
2998         (JSC::FunctionExecutable::create):
2999         (JSC::FunctionExecutable::make):
3000         * runtime/FunctionConstructor.cpp:
3001         (JSC::constructFunctionSkippingEvalEnabledCheck):
3002         * runtime/FunctionConstructor.h:
3003         (JSC::FunctionConstructor::create):
3004         * runtime/FunctionPrototype.cpp:
3005         (JSC::FunctionPrototype::addFunctionProperties):
3006         * runtime/FunctionPrototype.h:
3007         (JSC::FunctionPrototype::create):
3008         * runtime/GetterSetter.h:
3009         (JSC::GetterSetter::create):
3010         * runtime/JSAPIValueWrapper.h:
3011         (JSC::JSAPIValueWrapper::create):
3012         (JSC::jsAPIValueWrapper):
3013         * runtime/JSActivation.cpp:
3014         (JSC::JSActivation::argumentsGetter):
3015         * runtime/JSActivation.h:
3016         (JSC::JSActivation::create):
3017         * runtime/JSArray.h:
3018         (JSC::JSArray::create):
3019         * runtime/JSCell.h:
3020         (JSC::JSCell::allocateCell):
3021         * runtime/JSFunction.h:
3022         (JSC::JSFunction::create):
3023         * runtime/JSGlobalObject.cpp:
3024         (JSC::JSGlobalObject::init):
3025         (JSC::JSGlobalObject::reset):
3026         * runtime/JSGlobalObject.h:
3027         (JSC::constructEmptyArray):
3028         (JSC::constructArray):
3029         * runtime/JSNotAnObject.h:
3030         (JSC::JSNotAnObject::create):
3031         * runtime/JSONObject.h:
3032         (JSC::JSONObject::create):
3033         * runtime/JSObject.cpp:
3034         (JSC::JSObject::defineGetter):
3035         (JSC::JSObject::defineSetter):
3036         (JSC::putDescriptor):
3037         * runtime/JSObject.h:
3038         (JSC::JSFinalObject::create):
3039         * runtime/JSPropertyNameIterator.cpp:
3040         (JSC::JSPropertyNameIterator::create):
3041         * runtime/JSPropertyNameIterator.h:
3042         (JSC::JSPropertyNameIterator::create):
3043         * runtime/JSString.cpp:
3044         (JSC::JSString::substringFromRope):
3045         (JSC::JSString::replaceCharacter):
3046         (JSC::StringObject::create):
3047         * runtime/JSString.h:
3048         (JSC::RopeBuilder::JSString):
3049         (JSC::RopeBuilder::create):
3050         (JSC::RopeBuilder::createHasOtherOwner):
3051         (JSC::jsSingleCharacterString):
3052         (JSC::jsSingleCharacterSubstring):
3053         (JSC::jsNontrivialString):
3054         (JSC::jsString):
3055         (JSC::jsSubstring):
3056         (JSC::jsOwnedString):
3057         * runtime/JSValue.cpp:
3058         (JSC::JSValue::toObjectSlowCase):
3059         (JSC::JSValue::synthesizeObject):
3060         (JSC::JSValue::synthesizePrototype):
3061         * runtime/Lookup.cpp:
3062         (JSC::setUpStaticFunctionSlot):
3063         * runtime/MathObject.h:
3064         (JSC::MathObject::create):
3065         * runtime/NativeErrorConstructor.cpp:
3066         (JSC::NativeErrorConstructor::NativeErrorConstructor):
3067         * runtime/NativeErrorConstructor.h:
3068         (JSC::NativeErrorConstructor::create):
3069         * runtime/NativeErrorPrototype.h:
3070         (JSC::NativeErrorPrototype::create):
3071         * runtime/NumberConstructor.cpp:
3072         (JSC::constructWithNumberConstructor):
3073         * runtime/NumberConstructor.h:
3074         (JSC::NumberConstructor::create):
3075         * runtime/NumberObject.cpp:
3076         (JSC::constructNumber):
3077         * runtime/NumberObject.h:
3078         (JSC::NumberObject::create):
3079         * runtime/NumberPrototype.h:
3080         (JSC::NumberPrototype::create):
3081         * runtime/ObjectConstructor.h:
3082         (JSC::ObjectConstructor::create):
3083         * runtime/ObjectPrototype.h:
3084         (JSC::ObjectPrototype::create):
3085         * runtime/Operations.h:
3086         (JSC::jsString):
3087         * runtime/RegExp.cpp:
3088         (JSC::RegExp::RegExp):
3089         (JSC::RegExp::createWithoutCaching):
3090         (JSC::RegExp::create):
3091         * runtime/RegExp.h:
3092         * runtime/RegExpCache.cpp:
3093         (JSC::RegExpCache::lookupOrCreate):
3094         * runtime/RegExpConstructor.cpp:
3095         (JSC::RegExpConstructor::arrayOfMatches):
3096         (JSC::constructRegExp):
3097         * runtime/RegExpConstructor.h:
3098         (JSC::RegExpConstructor::create):
3099         * runtime/RegExpMatchesArray.h:
3100         (JSC::RegExpMatchesArray::create):
3101         * runtime/RegExpObject.h:
3102         (JSC::RegExpObject::create):
3103         * runtime/RegExpPrototype.cpp:
3104         (JSC::regExpProtoFuncCompile):
3105         * runtime/RegExpPrototype.h:
3106         (JSC::RegExpPrototype::create):
3107         * runtime/ScopeChain.h:
3108         (JSC::ScopeChainNode::create):
3109         (JSC::ScopeChainNode::push):
3110         * runtime/SmallStrings.cpp:
3111         (JSC::SmallStrings::createEmptyString):
3112         (JSC::SmallStrings::createSingleCharacterString):
3113         * runtime/StringConstructor.cpp:
3114         (JSC::constructWithStringConstructor):
3115         * runtime/StringConstructor.h:
3116         (JSC::StringConstructor::create):
3117         * runtime/StringObject.h:
3118         (JSC::StringObject::create):
3119         * runtime/StringObjectThatMasqueradesAsUndefined.h:
3120         (JSC::StringObjectThatMasqueradesAsUndefined::create):
3121         * runtime/StringPrototype.cpp:
3122         (JSC::stringProtoFuncMatch):
3123         (JSC::stringProtoFuncSearch):
3124         * runtime/StringPrototype.h:
3125         (JSC::StringPrototype::create):
3126         * runtime/Structure.h:
3127         (JSC::Structure::create):
3128         (JSC::Structure::createStructure):
3129         * runtime/StructureChain.h:
3130         (JSC::StructureChain::create):
3131
3132 2011-07-17  Ryuan Choi  <ryuan.choi@samsung.com>
3133
3134         [EFL] Refactor scheduleDispatchFunctionsOnMainThread to fix crash.
3135         https://bugs.webkit.org/show_bug.cgi?id=64337
3136
3137         Replace ecore_timer_add with Ecore_Pipe.
3138         This is needed because ecore_timer should not be called in a child thread,
3139         but in the main thread.
3140
3141         Reviewed by Antonio Gomes.
3142
3143         * wtf/efl/MainThreadEfl.cpp:
3144         (WTF::pipeObject):
3145         (WTF::monitorDispatchFunctions):
3146         (WTF::initializeMainThreadPlatform):
3147         (WTF::scheduleDispatchFunctionsOnMainThread):
3148
3149 2011-07-17  Filip Pizlo  <fpizlo@apple.com>
3150
3151         DFG JIT operationCompareEqual does not inline JSValue::equalSlowCaseInline.
3152         https://bugs.webkit.org/show_bug.cgi?id=64637
3153
3154         Reviewed by Gavin Barraclough.
3155
3156         * dfg/DFGOperations.cpp:
3157
3158 2011-07-16  Gavin Barraclough  <barraclough@apple.com>
3159
3160         https://bugs.webkit.org/show_bug.cgi?id=64657
3161         Converted this value not preserved when accessed via direct eval.
3162
3163         Reviewed by Oliver Hunt.
3164
3165         Upon entry into a non-strict function, primitive this values should be boxed as Object types
3166         (or substituted with the global object) - which is done by op_convert_this. However we only
3167         do so where this is used lexically within the function (we omit the conversion op if not).
3168         The problem comes if a direct eval (running within the function's scope) accesses the this
3169         value.
3170
3171         We are safe in the case of a single eval, since the this object will be converted within
3172         callEval, however the converted value is not preserved, and a new wrapper object is allocated
3173         each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper
3174         object will be lost between eval statements.
3175
3176         * bytecompiler/BytecodeGenerator.cpp:
3177         (JSC::BytecodeGenerator::BytecodeGenerator):
3178             - If a function uses eval, we always need to convert this.
3179         * interpreter/Interpreter.cpp:
3180         (JSC::Interpreter::execute):
3181             - Don't convert primitive values here - this is too late!
3182         (JSC::Interpreter::privateExecute):
3183             - Changed op_convert_this to call new isPrimitive method.
3184         * jit/JITStubs.cpp:
3185         (JSC::DEFINE_STUB_FUNCTION):
3186             - Changed op_convert_this to call new isPrimitive method.
3187         * runtime/JSCell.h:
3188         (JSC::JSCell::JSValue::isPrimitive):
3189             - Added JSValue::isPrimitive.
3190         * runtime/JSValue.h:
3191             - Added JSValue::isPrimitive.
3192
3193 2011-07-16  Filip Pizlo  <fpizlo@apple.com>
3194
3195         DFG JIT compare/branch code emits is-integer tests even when a value is
3196         definitely not an integer.
3197         https://bugs.webkit.org/show_bug.cgi?id=64654
3198
3199         Reviewed by Gavin Barraclough.
3200         
3201         Added the isKnownNotInteger() method, which returns true if a node is
3202         definitely not an integer and will always fail any is-integer test.  Then
3203         modified the compare and branch code to use this method; if it returns
3204         true then is-int tests are omitted and the compiler always emits a slow
3205         call.
3206
3207         * dfg/DFGJITCodeGenerator.cpp:
3208         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
3209         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3210         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
3211         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
3212         * dfg/DFGJITCodeGenerator.h:
3213         * dfg/DFGSpeculativeJIT.cpp:
3214         (JSC::DFG::SpeculativeJIT::compare):
3215
3216 2011-07-16  Filip Pizlo  <fpizlo@apple.com>
3217
3218         DFG speculative JIT has dead code for slow calls for branches.
3219         https://bugs.webkit.org/show_bug.cgi?id=64653
3220
3221         Reviewed by Gavin Barraclough.
3222         
3223         Removed SpeculativeJIT::compilePeepHoleCall.
3224
3225         * dfg/DFGSpeculativeJIT.cpp:
3226         * dfg/DFGSpeculativeJIT.h:
3227
3228 2011-07-15  Mark Rowe  <mrowe@apple.com>
3229
3230         Fix the build.
3231
3232         * dfg/DFGGraph.h:
3233
3234 2011-07-15  Gavin Barraclough  <barraclough@apple.com>
3235
3236         NativeError.prototype objects have [[Class]] of "Object" but should be "Error"
3237         https://bugs.webkit.org/show_bug.cgi?id=55346
3238
3239         Reviewed by Sam Weinig.
3240
3241         * runtime/ErrorPrototype.cpp:
3242         (JSC::ErrorPrototype::ErrorPrototype):
3243             - Switch to putDirect since we're not the only ones transitioning this Structure now.
3244         * runtime/NativeErrorPrototype.cpp:
3245         (JSC::NativeErrorPrototype::NativeErrorPrototype):
3246         * runtime/NativeErrorPrototype.h:
3247             - Switch base class to ErrorPrototype.
3248
3249 2011-07-15  Gavin Barraclough  <barraclough@apple.com>
3250
3251         DFG JIT - Where arguments passed are integers, speculate this.
3252         https://bugs.webkit.org/show_bug.cgi?id=64630
3253
3254         Reviewed by Sam Weinig.
3255
3256         Presently the DFG JIT is overly aggressively predicting double.
3257         Use a bit of dynamic information, and curtail this a little.
3258
3259         * dfg/DFGGraph.cpp:
3260         (JSC::DFG::Graph::predictArgumentTypes):
3261             - Check for integer arguments.
3262         * dfg/DFGGraph.h:
3263             - Function declaration.
3264         * runtime/Executable.cpp:
3265         (JSC::tryDFGCompile):
3266         (JSC::FunctionExecutable::compileForCallInternal):
3267             - Add call to predictArgumentTypes.
3268
3269 2011-07-15  Filip Pizlo  <fpizlo@apple.com>
3270
3271         DFG JIT is inconsistent about fusing branches and speculating
3272         integer comparisons for branches.
3273         https://bugs.webkit.org/show_bug.cgi?id=64573
3274
3275         Reviewed by Gavin Barraclough.
3276         
3277         This patch moves some of NonSpeculativeJIT's functionality up into the
3278         JITCodeGenerator superclass so that it can be used from both JITs.  Now,
3279         in cases where the speculative JIT doesn't want to speculate but still
3280         wants to emit good code, it can reliably emit the same code sequence as
3281         the non-speculative JIT.  This patch also extends the non-speculative
3282         JIT's compare optimizations to include compare/branch fusing, and
3283         extends the speculative JIT's compare optimizations to cover StrictEqual.
3284
3285         * dfg/DFGJITCodeGenerator.cpp:
3286         (JSC::DFG::JITCodeGenerator::isKnownInteger):
3287         (JSC::DFG::JITCodeGenerator::isKnownNumeric):
3288         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3289         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
3290         * dfg/DFGJITCodeGenerator.h:
3291         (JSC::DFG::JITCodeGenerator::detectPeepHoleBranch):
3292         * dfg/DFGNonSpeculativeJIT.cpp:
3293         (JSC::DFG::NonSpeculativeJIT::compile):
3294         * dfg/DFGNonSpeculativeJIT.h:
3295         * dfg/DFGOperations.cpp:
3296         * dfg/DFGSpeculativeJIT.cpp:
3297         (JSC::DFG::SpeculativeJIT::compare):
3298         (JSC::DFG::SpeculativeJIT::compile):
3299         * dfg/DFGSpeculativeJIT.h:
3300         * wtf/Platform.h:
3301
3302 2011-07-14  Gavin Barraclough  <barraclough@apple.com>
3303
3304         https://bugs.webkit.org/show_bug.cgi?id=64250
3305         Global strict mode function leaking global object as "this".
3306
3307         Reviewed by Oliver Hunt.
3308
3309         The root problem here is that we pass the wrong values into
3310         calls, and then try to fix them up in the callee. Correct
3311         behaviour per the spec is to pass in the value undefined,
3312         as this unless either (1) the function call is based on an
3313         explicit property access or (2) the base of the call comes
3314         directly from a 'with'.
3315
3316         This change does away with the need for this conversion of
3317         objects (non strict code should only box primitives), and
3318         does away with all this conversion for strict functions.
3319
3320         This patch may have web compatibility ramifications, and may
3321         require some advocacy.
3322
3323         * bytecode/CodeBlock.cpp:
3324         (JSC::CodeBlock::dump):
3325             - Removed op_convert_this_strict, added op_resolve_with_this.
3326         * bytecode/Opcode.h:
3327             - Removed op_convert_this_strict, added op_resolve_with_this.
3328         * bytecompiler/BytecodeGenerator.cpp:
3329         (JSC::BytecodeGenerator::BytecodeGenerator):
3330         (JSC::BytecodeGenerator::emitResolveWithThis):
3331             - Removed op_convert_this_strict, added op_resolve_with_this.
3332         * bytecompiler/BytecodeGenerator.h:
3333             - Removed op_convert_this_strict, added op_resolve_with_this.
3334         * bytecompiler/NodesCodegen.cpp:
3335         (JSC::EvalFunctionCallNode::emitBytecode):
3336         (JSC::FunctionCallResolveNode::emitBytecode):
3337             - Removed op_convert_this_strict, added op_resolve_with_this.
3338         * dfg/DFGSpeculativeJIT.cpp:
3339         (JSC::DFG::SpeculativeJIT::compile):
3340             - Change NeedsThisConversion check to test for JSString's vptr
3341               (objects no longer need conversion).
3342         * interpreter/Interpreter.cpp:
3343         (JSC::Interpreter::resolveThisAndProperty):
3344             - Based on resolveBaseAndProperty, but produce correct this value.
3345         (JSC::Interpreter::privateExecute):
3346             - Removed op_convert_this_strict, added op_resolve_with_this.
3347         * interpreter/Interpreter.h:
3348         * jit/JIT.cpp:
3349         (JSC::JIT::privateCompileMainPass):
3350         (JSC::JIT::privateCompileSlowCases):
3351             - Removed op_convert_this_strict, added op_resolve_with_this.
3352         * jit/JIT.h:
3353         * jit/JITOpcodes.cpp:
3354         (JSC::JIT::emit_op_resolve_with_this):
3355             - Removed op_convert_this_strict, added op_resolve_with_this.
3356         (JSC::JIT::emit_op_convert_this):
3357         (JSC::JIT::emitSlow_op_convert_this):
3358             - Change NeedsThisConversion check to test for JSString's vptr
3359               (objects no longer need conversion).
3360         * jit/JITOpcodes32_64.cpp:
3361         (JSC::JIT::emit_op_resolve_with_this):
3362             - Removed op_convert_this_strict, added op_resolve_with_this.
3363         (JSC::JIT::emit_op_convert_this):
3364         (JSC::JIT::emitSlow_op_convert_this):
3365             - Change NeedsThisConversion check to test for JSString's vptr
3366               (objects no longer need conversion).
3367         * jit/JITStubs.cpp:
3368         (JSC::DEFINE_STUB_FUNCTION):
3369             - Removed op_convert_this_strict, added op_resolve_with_this.
3370         * jit/JITStubs.h:
3371             - Removed op_convert_this_strict, added op_resolve_with_this.
3372         * runtime/JSActivation.h:
3373             - removed NeedsThisConversion flag, added IsEnvironmentRecord.
3374         * runtime/JSStaticScopeObject.h:
3375             - removed NeedsThisConversion flag, added IsEnvironmentRecord.
3376         * runtime/JSString.h:
3377         (JSC::RopeBuilder::createStructure):
3378             - removed NeedsThisConversion.
3379         * runtime/JSTypeInfo.h:
3380         (JSC::TypeInfo::isEnvironmentRecord):
3381         (JSC::TypeInfo::overridesHasInstance):
3382             - removed NeedsThisConversion flag, added IsEnvironmentRecord.
3383         * runtime/JSValue.h:
3384             - removed NeedsThisConversion.
3385         * runtime/JSVariableObject.h:
3386             - Corrected StructureFlags inheritance.
3387         * runtime/StrictEvalActivation.h:
3388         (JSC::StrictEvalActivation::createStructure):
3389             - Added IsEnvironmentRecord to StructureFlags, added createStructure.
3390         * runtime/Structure.h:
3391             - removed NeedsThisConversion.
3392         * tests/mozilla/ecma/String/15.5.4.6-2.js:
3393         (getTestCases):
3394             - Removed invalid test case.
3395
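The `this` rules described in the 2011-07-16 (bug 64657) and 2011-07-14 (bug 64250) entries above, as an added example that is not part of this ChangeLog or of WebKit's code; it assumes Node.js and checks the behaviour in plain ECMAScript rather than through JSC internals.

```javascript
// Added example, not WebKit code: checks the ECMAScript `this` rules the
// 2011-07-16 (bug 64657) and 2011-07-14 (bug 64250) entries describe.
// Assumes Node.js. The non-strict functions are built with `new Function`
// so they stay non-strict even if this file is loaded as a strict ES module.

// Non-strict function: a primitive `this` is boxed into a wrapper object on
// entry, and a direct eval inside the function sees that same wrapper, so a
// property written by one eval call is still there for the next one
// (the bug fixed in 64657 allocated a fresh wrapper on every eval).
const sloppyEvalThis = new Function(`
  eval("this.marker = 'set-by-first-eval'");   // constructed property name
  return {
    boxed: typeof this === "object",            // 42 became a Number object
    sameWrapper: eval("this.marker") === "set-by-first-eval",
    value: this.valueOf(),                      // still unwraps to 42
  };
`);

// Non-strict function called with no base: `this` is the global object.
const sloppyBareThis = new Function("return this === globalThis;");

// Strict function: no conversion at all. A bare call passes undefined, a
// primitive stays a primitive, and only a property-based call (explicit
// property access, as 64250 describes) supplies the base object as `this`.
function strictThis() {
  "use strict";
  return this;
}

function strictThisResults() {
  const base = { strictThis };          // constructed base for a property call
  return {
    bareCallIsUndefined: strictThis() === undefined,
    primitiveNotBoxed: typeof strictThis.call(5) === "number",
    propertyCallGetsBase: base.strictThis() === base,
  };
}

// Collects every check so the results can be inspected or asserted on.
function runThisDemo() {
  return {
    sloppy: sloppyEvalThis.call(42),
    sloppyBare: sloppyBareThis(),
    strict: strictThisResults(),
  };
}

console.log(JSON.stringify(runThisDemo(), null, 2));
```
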
3396 2011-07-15  Sheriff Bot  <webkit.review.bot@gmail.com>
3397
3398         Unreviewed, rolling out r91082, r91087, and r91089.
3399         http://trac.webkit.org/changeset/91082
3400         http://trac.webkit.org/changeset/91087
3401         http://trac.webkit.org/changeset/91089
3402         https://bugs.webkit.org/show_bug.cgi?id=64616
3403
3404         gtk tests are failing a lot after this change. (Requested by
3405         dave_levin on #webkit).
3406
3407         * wtf/ThreadIdentifierDataPthreads.cpp:
3408         (WTF::ThreadIdentifierData::identifier):
3409         (WTF::ThreadIdentifierData::initialize):
3410         (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
3411         (WTF::ThreadIdentifierData::initializeKeyOnce):
3412         * wtf/ThreadIdentifierDataPthreads.h:
3413         * wtf/ThreadingPthreads.cpp:
3414         (WTF::initializeThreading):
3415
3416 2011-07-15  David Levin  <levin@chromium.org>
3417
3418         Another attempted build fix.
3419
3420         * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
3421         up the definition of PTHREAD_KEYS_MAX.
3422
3423 2011-07-15  David Levin  <levin@chromium.org>
3424
3425         Chromium build fix.
3426
3427         * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
3428         up the definition of PTHREAD_KEYS_MAX.
3429
3430 2011-07-14  David Levin  <levin@chromium.org>
3431
3432         currentThread is too slow!
3433         https://bugs.webkit.org/show_bug.cgi?id=64577
3434
3435         Reviewed by Darin Adler and Dmitry Titov.
3436
3437         The problem is that currentThread results in a pthread_once call which always takes a lock.
3438         With this change, currentThread is 10% faster than isMainThread in release mode and only
3439         5% slower than isMainThread in debug.
3440
3441         * wtf/ThreadIdentifierDataPthreads.cpp:
3442         (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff