2c8e1bc7ef8408b57451b215cd96ca23376242da
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-22  Filip Pizlo  <fpizlo@apple.com>

        build-jsc --ftl-jit should work
        https://bugs.webkit.org/show_bug.cgi?id=120194

        Reviewed by Oliver Hunt.

        * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
        * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
        * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
        * ftl/FTLLowerDFGToLLVM.cpp: Build fix
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):

2013-08-23  Oliver Hunt  <oliver@apple.com>

        Re-sort xcode project file

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-08-23  Oliver Hunt  <oliver@apple.com>

        Support in memory compression of rarely used data
        https://bugs.webkit.org/show_bug.cgi?id=120143

        Reviewed by Gavin Barraclough.

        Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.

        * Configurations/JavaScriptCore.xcconfig:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addExpressionInfo):
        * bytecode/UnlinkedCodeBlock.h:

2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject and JSArray code shouldn't have to tiptoe around garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=120179

        Reviewed by Geoffrey Garen.

        There are many places in the code for JSObject and JSArray where they are manipulating their
        Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within
        these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks
        like it will make this dance even more intricate. To make everybody's lives easier we should use
        the DeferGC mechanism in these functions to make these GC critical sections both obvious in the
        code and trivially safe. Deferring collections will usually only last marginally longer, thus we
        should not incur any additional overhead.

        * heap/Heap.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
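
The DeferGC idea described in the entry above, modelled as an added C++ example. This is not JavaScriptCore's Heap or DeferGC code: the Heap, DeferGC, ToyObject and grow* names, the byte threshold and the single "root" object are stand-ins chosen for the illustration. It shows the property the entry is after: with the guard, a collection that becomes due inside the critical section runs only once the guard is released, so the collector never observes an object whose structure and backing store disagree.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy object whose "structure" (propertyCount) must agree with the capacity of its
// backing store; a collector that looks between the two updates sees a mismatch.
struct ToyObject {
    unsigned propertyCount = 0;
    std::vector<int> storage;
    bool consistent() const { return storage.size() >= propertyCount; }
};

// Constructed model of a collector that can be asked to defer (not JSC's Heap).
struct Heap {
    unsigned deferralDepth = 0;          // > 0 while at least one DeferGC guard is alive
    bool collectionRequested = false;    // a GC became due while deferred
    unsigned collections = 0;            // how many GCs actually ran
    bool sawInconsistentObject = false;  // did a GC ever observe a half-updated object
    size_t bytesSinceLastGC = 0;
    size_t threshold = 1024;             // allocating past this makes a GC due
    const ToyObject* root = nullptr;     // the one object this toy GC "marks"

    void collect() {
        ++collections;
        if (root && !root->consistent())
            sawInconsistentObject = true;
        bytesSinceLastGC = 0;
        collectionRequested = false;
    }

    // Allocation paths call this; while deferred the GC is only recorded as due.
    void noteAllocation(size_t bytes) {
        bytesSinceLastGC += bytes;
        if (bytesSinceLastGC < threshold)
            return;
        if (deferralDepth) {
            collectionRequested = true;
            return;
        }
        collect();
    }
};

// RAII guard: the critical section is exactly the guard's scope; nesting is safe.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++m_heap.deferralDepth; }
    ~DeferGC() {
        if (--m_heap.deferralDepth == 0 && m_heap.collectionRequested)
            m_heap.collect();
    }
    DeferGC(const DeferGC&) = delete;
    DeferGC& operator=(const DeferGC&) = delete;
private:
    Heap& m_heap;
};

struct Outcome {
    unsigned collectionsInsideSection; // GCs that ran between structure update and storage resize
    unsigned collectionsTotal;         // GCs that had run once the section was left
    bool gcSawInconsistentObject;      // whether any GC observed the half-updated object
};

// Structure update, allocation that makes a GC due, storage resize, all under DeferGC.
Outcome growGuarded(unsigned newCount) {
    Heap heap;
    ToyObject object;
    heap.root = &object;
    unsigned during;
    {
        DeferGC deferGC(heap);                       // critical section begins
        object.propertyCount = newCount;             // structure now promises newCount slots
        heap.noteAllocation(newCount * sizeof(int)); // GC becomes due but cannot run
        object.storage.resize(newCount);             // storage catches up
        during = heap.collections;
    }                                                // guard released: the deferred GC runs here
    return { during, heap.collections, heap.sawInconsistentObject };
}

// The same sequence without the guard: the GC runs inside the section.
Outcome growUnguarded(unsigned newCount) {
    Heap heap;
    ToyObject object;
    heap.root = &object;
    object.propertyCount = newCount;
    heap.noteAllocation(newCount * sizeof(int));     // GC runs right here
    unsigned during = heap.collections;
    object.storage.resize(newCount);
    return { during, heap.collections, heap.sawInconsistentObject };
}

int main() {
    Outcome g = growGuarded(512), u = growUnguarded(512);
    std::printf("guarded: %u GC(s) inside section, inconsistent seen: %d\n", g.collectionsInsideSection, g.gcSawInconsistentObject);
    std::printf("unguarded: %u GC(s) inside section, inconsistent seen: %d\n", u.collectionsInsideSection, u.gcSawInconsistentObject);
    return 0;
}
```

Both grow functions return the same Outcome so the two orderings can be compared directly: the guarded path reports zero collections inside the section and one after it, the unguarded path reports one collection inside the section that observed the half-updated object. A grow small enough not to cross the threshold runs no collection at all, which is the "marginally longer" cost the entry mentions.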

2013-08-22  Filip Pizlo  <fpizlo@apple.com>

        Update LLVM binary drops and scripts to the latest version from SVN
        https://bugs.webkit.org/show_bug.cgi?id=120184

        Reviewed by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-08-22  Gavin Barraclough  <barraclough@apple.com>

        Don't leak registers for redeclared variables
        https://bugs.webkit.org/show_bug.cgi?id=120174

        Reviewed by Geoff Garen.

        We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
        Only allocate new registers when necessary.

        No performance impact.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
            - Don't allocate the register here.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
            - Allocate the register here instead.

2013-08-22  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120128
        Remove putDirectVirtual

        Unreviewed, checked in commented out code. :-(

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
            - delete commented out code

2013-08-22  Gavin Barraclough  <barraclough@apple.com>

        Error.stack should not be enumerable
        https://bugs.webkit.org/show_bug.cgi?id=120171

        Reviewed by Oliver Hunt.

        Breaks ECMA tests.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
            - None -> DontEnum

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120128
        Remove putDirectVirtual

        Reviewed by Sam Weinig.

        This could most generously be described as 'vestigial'.
        No performance impact.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
            - changed to use defineOwnProperty
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
            - remove putDirectVirtual
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
            - changed to use defineOwnProperty
        * runtime/ClassInfo.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSSymbolTableObject.h:
            - remove putDirectVirtual
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::PropertyDescriptor):
            - added constructor for convenience

2013-08-22  Chris Curtis  <chris_curtis@apple.com>

        errorDescriptionForValue() should not assume error value is an Object
        https://bugs.webkit.org/show_bug.cgi?id=119812

        Reviewed by Geoffrey Garen.

        Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
        has no type, the function now returns the empty string.

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):

2013-08-22  Julien Brianceau  <jbrianceau@nds.com>

        Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=120107

        Reviewed by Yong Li.

        EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-08-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154416.
        http://trac.webkit.org/changeset/154416
        https://bugs.webkit.org/show_bug.cgi?id=120147

        Broke Windows builds (Requested by rniwa on #webkit).

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        Clarify var/const/function declaration
        https://bugs.webkit.org/show_bug.cgi?id=120144

        Reviewed by Sam Weinig.

        Add methods to JSGlobalObject to declare vars, consts, and functions.

        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
            - Moved declaration code to JSGlobalObject
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
            - internal implementation of addVar, addConst, addFunction
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):
        (JSC::JSGlobalObject::addConst):
        (JSC::JSGlobalObject::addFunction):
            - Added methods to declare vars, consts, and functions

2013-08-21  Yi Shen  <max.hong.shen@gmail.com>

        https://bugs.webkit.org/show_bug.cgi?id=119900
        Exception in global setter doesn't unwind correctly

        Reviewed by Geoffrey Garen.

        Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename/refactor setButterfly/setStructure
        https://bugs.webkit.org/show_bug.cgi?id=120138

        Reviewed by Geoffrey Garen.

        setButterfly becomes setStructureAndButterfly.

        Also removed the Butterfly* argument from setStructure and just implicitly
        used m_butterfly internally since that's what every single client of setStructure
        was doing already.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Unreviewed typo fix

        * runtime/JSObject.h:
            - fix typo

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120139
        PropertyDescriptor argument to define methods should be const

        Rubber stamped by Sam Weinig.

        This should never be modified, and this way we can use rvalues.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/Arguments.h:
        * runtime/ClassInfo.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::defineOwnProperty):
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineOwnProperty):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::defineOwnProperty):
        * runtime/JSProxy.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::defineOwnProperty):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringObject.h:
            - make PropertyDescriptor const

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash under JITCompiler::link while loading Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119872

        Reviewed by Mark Hahnenberg.

        Apparently, unsigned + signed = unsigned. Work around it with a cast.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
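
The integer-promotion rule the entry above refers to, as an added, constructed C++ illustration. This is not the DFGByteCodeParser code; the function names, and the choice of an unsigned bytecode index plus a signed jump offset as the two operands, are assumptions made for the example. It shows why the bug hides for ordinary backward jumps (the wrapped 32-bit sum is still correct modulo 2^32) and how a negative result that should be rejected turns into a large positive value once it is widened, so that a lower-bound check no longer catches it; the cast the entry mentions makes the addition signed.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed illustration, not JSC's parser: a bytecode index is unsigned and a
// jump offset is signed. Under the usual arithmetic conversions `unsigned + int`
// is evaluated in unsigned arithmetic, so a negative intermediate result wraps.

// Buggy: the addition happens in 32-bit unsigned arithmetic and the wrapped value
// is only then widened, so a target that should be -2 comes out as 4294967294.
int64_t jumpTargetBuggy(unsigned currentIndex, int relativeOffset) {
    return currentIndex + relativeOffset;
}

// Fixed: cast the unsigned operand first so that the addition is signed.
int64_t jumpTargetFixed(unsigned currentIndex, int relativeOffset) {
    return static_cast<int64_t>(currentIndex) + relativeOffset;
}

// A lower-bound check of the kind the wrapped value silently passes.
bool targetIsNonNegative(int64_t target) {
    return target >= 0;
}

// The full range check rejects the wrapped value too, but only because it is huge.
bool targetInRange(int64_t target, unsigned codeLength) {
    return target >= 0 && target < static_cast<int64_t>(codeLength);
}

int main() {
    // Backward jump that stays inside the code: both versions agree (mod 2^32).
    std::printf("10 + (-4): buggy=%lld fixed=%lld\n",
                (long long)jumpTargetBuggy(10, -4), (long long)jumpTargetFixed(10, -4));
    // Backward jump past the start of the code: the buggy version turns an
    // obviously invalid negative target into a large positive one.
    std::printf("2 + (-4):  buggy=%lld fixed=%lld\n",
                (long long)jumpTargetBuggy(2, -4), (long long)jumpTargetFixed(2, -4));
    return 0;
}
```

The example assumes a 32-bit `unsigned`, which is the case on every platform JavaScriptCore targets. The practical lesson for review is that a sign check placed after a mixed-signedness addition proves nothing; the cast has to come before the arithmetic.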

2013-08-21  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120137> Separating Win32 and Win64 builds.

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        Pass PlatformArchitecture as a command line parameter to bash scripts.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
        https://bugs.webkit.org/show_bug.cgi?id=120099

        Reviewed by Mark Hahnenberg.

        JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
        JSDataView may have ordinary JS indexed properties.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finishCreation):
        * runtime/JSArrayBufferView.h:
        (JSC::hasArrayBuffer):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::slowDownAndWasteMemory):
        * runtime/JSDataView.h:
        (JSC::JSDataView::buffer):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::slowDownAndWasteMemory):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove incorrect ASSERT from CopyVisitor::visitItem

        Rubber stamped by Filip Pizlo.

        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitItem):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Reviewed by Sam Weinig.

        This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove propertyIsEnumerable
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):
            - Move implementation here using getOwnPropertyDescriptor directly.

2013-08-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline new typedArray()
        https://bugs.webkit.org/show_bug.cgi?id=120022

        Reviewed by Oliver Hunt.

        Adds inlining of typed array allocations in the DFG. Any operation of the
        form:

            new foo(blah)

        or:

            foo(blah)

        where 'foo' is a typed array constructor and 'blah' is exactly one argument,
        is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
        is predicted integer, we generate inline code for an allocation. Otherwise
        it turns into a call to an operation that behaves like the constructor would
        if it was passed one argument (i.e. it may wrap a buffer or it may create a
        copy of another array, or it may allocate an array of that length).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromTypedArrayType):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArrayType):
        (JSC::DFG::Node::typedArrayType):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/JSArray.h:
        (JSC::JSArray::allocationSize):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::allocationSize):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::allocationSize):
        * runtime/TypedArrayType.cpp:
        (JSC::constructorClassInfoForType):
        * runtime/TypedArrayType.h:
        (JSC::indexToTypedArrayType):

2013-08-21  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.h:

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120093
        Remove getOwnPropertyDescriptor trap

        Reviewed by Geoff Garen.

        All implementations of this method are now called via the method table, and equivalent in behaviour.
        Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        * runtime/BooleanPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ClassInfo.h:
            - remove getOwnPropertyDescriptor from MethodTable
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
            - remove getOwnPropertyDescriptor
        * runtime/JSObject.cpp:
        (JSC::JSObject::propertyIsEnumerable):
            - switch to call new getOwnPropertyDescriptor member function
        (JSC::JSObject::getOwnPropertyDescriptor):
            - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        (JSC::JSObject::defineOwnNonIndexProperty):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/NamePrototype.cpp:
        * runtime/NamePrototype.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        * runtime/NumberPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/ObjectConstructor.h:
            - remove getOwnPropertyDescriptor
        * runtime/PropertyDescriptor.h:
            - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
            - remove getOwnPropertyDescriptor

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption

        Reviewed by Oliver Hunt.

        When we flatten an object in dictionary mode, we compact its properties. If the object
        had out-of-line storage in the form of a Butterfly prior to this compaction, and after
        compaction its properties fit inline, the object's Structure "forgets" that the object
        has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
        with bytes = 0, which causes all sorts of badness in CopiedSpace.

        Instead, after we flatten a dictionary, if properties fit inline we should clear the
        Butterfly pointer so that the GC doesn't get confused later.

        This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
        JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
        agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
        that the number of bytes reported to SlotVisitor::copyLater is non-zero.

        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

674 2013-08-20  Alex Christensen  <achristensen@apple.com>
675
676         Compile fix for Win64 after r154156.
677
678         Rubber stamped by Oliver Hunt.
679
680         * jit/JITStubsMSVC64.asm:
681         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
682         cti_vm_throw_slowpath to cti_vm_handle_exception.
683
684 2013-08-20  Alex Christensen  <achristensen@apple.com>
685
686         <https://webkit.org/b/120076> More work towards a Win64 build
687
688         Reviewed by Brent Fulgham.
689
690         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
691         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
692         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
693         * JavaScriptCore.vcxproj/copy-files.cmd:
694         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
695         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
696         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
697
698 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
699
700         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
701
702         Reviewed by Geoffrey Garen.
703
704         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
705         initializeLazyWriteBarrierFor* wrapper functions more sane. 
706
707         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
708         and index when triggering the WriteBarrier at the end of compilation. 
709
710         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
711         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
712         little extra work that really shouldn't have been its responsibility.
713
714         * dfg/DFGByteCodeParser.cpp:
715         (JSC::DFG::ByteCodeParser::addConstant):
716         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
717         * dfg/DFGDesiredWriteBarriers.cpp:
718         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
719         (JSC::DFG::DesiredWriteBarrier::trigger):
720         * dfg/DFGDesiredWriteBarriers.h:
721         (JSC::DFG::DesiredWriteBarriers::add):
722         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
723         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
724         (JSC::DFG::initializeLazyWriteBarrierForConstant):
725         * dfg/DFGFixupPhase.cpp:
726         (JSC::DFG::FixupPhase::truncateConstantToInt32):
727         * dfg/DFGGraph.h:
728         (JSC::DFG::Graph::constantRegisterForConstant):
729
730 2013-08-20  Michael Saboff  <msaboff@apple.com>
731
732         https://bugs.webkit.org/show_bug.cgi?id=120075
733         REGRESSION (r128400): BBC4 website not displaying pictures
734
735         Reviewed by Oliver Hunt.
736
737         * runtime/RegExpMatchesArray.h:
738         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
739         so that the match results will be reified before any other modification to the results array.
740
741 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
742
743         Incorrect behavior on emscripten-compiled cube2hash
744         https://bugs.webkit.org/show_bug.cgi?id=120033
745
746         Reviewed by Mark Hahnenberg.
747         
748         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
749         then we should bail attempts to CSE.
750
751         * dfg/DFGCSEPhase.cpp:
752         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
753         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
754
755 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
756
757         https://bugs.webkit.org/show_bug.cgi?id=120073
758         Remove use of GOPD from JSFunction::defineProperty
759
760         Reviewed by Oliver Hunt.
761
762         Call getOwnPropertySlot to check for existing properties instead.
763
764         * runtime/JSFunction.cpp:
765         (JSC::JSFunction::defineOwnProperty):
766             - getOwnPropertyDescriptor -> getOwnPropertySlot
767
768 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
769
770         https://bugs.webkit.org/show_bug.cgi?id=120067
771         Remove getPropertyDescriptor
772
773         Reviewed by Oliver Hunt.
774
775         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
776         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
777
778         * runtime/JSObject.cpp:
779         * runtime/JSObject.h:
780             - remove getPropertyDescriptor
781         * runtime/ObjectPrototype.cpp:
782         (JSC::objectProtoFuncLookupGetter):
783         (JSC::objectProtoFuncLookupSetter):
784             - replace call to getPropertyDescriptor with getPropertySlot
785         * runtime/PropertyDescriptor.h:
786         * runtime/PropertySlot.h:
787         (JSC::PropertySlot::isAccessor):
788         (JSC::PropertySlot::isCacheableGetter):
789         (JSC::PropertySlot::getterSetter):
790             - rename isGetter() to isAccessor()
791
792 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
793
794         https://bugs.webkit.org/show_bug.cgi?id=120054
795         Remove some dead code following getOwnPropertyDescriptor cleanup
796
797         Reviewed by Oliver Hunt.
798
799         * runtime/Lookup.h:
800         (JSC::getStaticFunctionSlot):
801             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
802
803 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
804
805         https://bugs.webkit.org/show_bug.cgi?id=120052
806         Remove custom getOwnPropertyDescriptor for JSProxy
807
808         Reviewed by Geoff Garen.
809
810         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
811         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
812         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
813         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
814         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
815
816         * runtime/JSProxy.cpp:
817             - Remove custom getOwnPropertyDescriptor implementation.
818         * runtime/PropertyDescriptor.h:
819             - Modify own property access check to perform toThis conversion.
820
821 2013-08-20  Alex Christensen  <achristensen@apple.com>
822
823         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
824         https://bugs.webkit.org/show_bug.cgi?id=119512
825
826         Reviewed by Brent Fulgham.
827
828         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
829         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
830         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
831         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
832         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
833         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
834         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
835         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
836
837 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
838
839         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
840
841         Reviewed by Allan Sandfeld Jensen.
842
843         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
844         instructions and two constants now DFG is enabled for sh4 architecture.
845         These missing ensureSpace calls lead to random crashes.
846
847         * assembler/MacroAssemblerSH4.h:
848         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
849
850 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
851
852         https://bugs.webkit.org/show_bug.cgi?id=120034
853         Remove custom getOwnPropertyDescriptor for global objects
854
855         Reviewed by Geoff Garen.
856
857         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
858
859         * runtime/JSGlobalObject.cpp:
860             - Remove custom getOwnPropertyDescriptor implementation.
861         * runtime/JSSymbolTableObject.h:
862         (JSC::symbolTableGet):
863             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
864         * runtime/PropertyDescriptor.h:
865             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
866         * runtime/PropertySlot.h:
867         (JSC::PropertySlot::setUndefined):
868             - This is used by WebCore when blocking access to properties on cross-frame access.
869               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
870
871 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
872
873         DFG should inline typedArray.byteOffset
874         https://bugs.webkit.org/show_bug.cgi?id=119962
875
876         Reviewed by Oliver Hunt.
877         
878         This adds a new node, GetTypedArrayByteOffset, which inlines
879         typedArray.byteOffset.
880         
881         Also, I improved a bunch of the clobbering logic related to typed arrays
882         and clobbering in general. For example, PutByOffset/PutStructure are not
883         clobber-world so they can be handled by most default cases in CSE. Also,
884         it's better to use the 'Class_field' notation for typed arrays now that
885         they no longer involve magical descriptor thingies.
886
887         * bytecode/SpeculatedType.h:
888         * dfg/DFGAbstractHeap.h:
889         * dfg/DFGAbstractInterpreterInlines.h:
890         (JSC::DFG::::executeEffects):
891         * dfg/DFGArrayMode.h:
892         (JSC::DFG::neverNeedsStorage):
893         * dfg/DFGCSEPhase.cpp:
894         (JSC::DFG::CSEPhase::getByValLoadElimination):
895         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
896         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
897         (JSC::DFG::CSEPhase::checkArrayElimination):
898         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
899         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
900         (JSC::DFG::CSEPhase::performNodeCSE):
901         * dfg/DFGClobberize.h:
902         (JSC::DFG::clobberize):
903         * dfg/DFGFixupPhase.cpp:
904         (JSC::DFG::FixupPhase::fixupNode):
905         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
906         (JSC::DFG::FixupPhase::convertToGetArrayLength):
907         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
908         * dfg/DFGNodeType.h:
909         * dfg/DFGPredictionPropagationPhase.cpp:
910         (JSC::DFG::PredictionPropagationPhase::propagate):
911         * dfg/DFGSafeToExecute.h:
912         (JSC::DFG::safeToExecute):
913         * dfg/DFGSpeculativeJIT.cpp:
914         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
915         * dfg/DFGSpeculativeJIT.h:
916         * dfg/DFGSpeculativeJIT32_64.cpp:
917         (JSC::DFG::SpeculativeJIT::compile):
918         * dfg/DFGSpeculativeJIT64.cpp:
919         (JSC::DFG::SpeculativeJIT::compile):
920         * dfg/DFGTypeCheckHoistingPhase.cpp:
921         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
922         * runtime/ArrayBuffer.h:
923         (JSC::ArrayBuffer::offsetOfData):
924         * runtime/Butterfly.h:
925         (JSC::Butterfly::offsetOfArrayBuffer):
926         * runtime/IndexingHeader.h:
927         (JSC::IndexingHeader::offsetOfArrayBuffer):
928
929 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
930
931         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
932
933         Reviewed by Geoffrey Garen.
934
935         * dfg/DFGByteCodeParser.cpp:
936         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
937
938 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
939
940         https://bugs.webkit.org/show_bug.cgi?id=119995
941         Start removing custom implementations of getOwnPropertyDescriptor
942
943         Reviewed by Oliver Hunt.
944
945         This can now typically be implemented in terms of getOwnPropertySlot.
946         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
947         Switch over most classes in JSC & the WebCore bindings generator to use this.
948
949         * API/JSCallbackObjectFunctions.h:
950         * debugger/DebuggerActivation.cpp:
951         * runtime/Arguments.cpp:
952         * runtime/ArrayConstructor.cpp:
953         * runtime/ArrayPrototype.cpp:
954         * runtime/BooleanPrototype.cpp:
955         * runtime/DateConstructor.cpp:
956         * runtime/DatePrototype.cpp:
957         * runtime/ErrorPrototype.cpp:
958         * runtime/JSActivation.cpp:
959         * runtime/JSArray.cpp:
960         * runtime/JSArrayBuffer.cpp:
961         * runtime/JSArrayBufferView.cpp:
962         * runtime/JSCell.cpp:
963         * runtime/JSDataView.cpp:
964         * runtime/JSDataViewPrototype.cpp:
965         * runtime/JSFunction.cpp:
966         * runtime/JSGenericTypedArrayViewInlines.h:
967         * runtime/JSNotAnObject.cpp:
968         * runtime/JSONObject.cpp:
969         * runtime/JSObject.cpp:
970         * runtime/NamePrototype.cpp:
971         * runtime/NumberConstructor.cpp:
972         * runtime/NumberPrototype.cpp:
973         * runtime/ObjectConstructor.cpp:
974             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
975         * runtime/PropertyDescriptor.h:
976             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
977         * runtime/PropertySlot.h:
978         (JSC::PropertySlot::isValue):
979         (JSC::PropertySlot::isGetter):
980         (JSC::PropertySlot::isCustom):
981         (JSC::PropertySlot::isCacheableValue):
982         (JSC::PropertySlot::isCacheableGetter):
983         (JSC::PropertySlot::isCacheableCustom):
984         (JSC::PropertySlot::attributes):
985         (JSC::PropertySlot::getterSetter):
986             - Add accessors necessary to convert PropertySlot to descriptor.
987         * runtime/RegExpConstructor.cpp:
988         * runtime/RegExpMatchesArray.cpp:
989         * runtime/RegExpMatchesArray.h:
990         * runtime/RegExpObject.cpp:
991         * runtime/RegExpPrototype.cpp:
992         * runtime/StringConstructor.cpp:
993         * runtime/StringObject.cpp:
994             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
995
996 2013-08-19  Michael Saboff  <msaboff@apple.com>
997
998         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
999
1000         Reviewed by Sam Weinig.
1001
1002         * dfg/DFGSpeculativeJIT32_64.cpp:
1003         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
1004         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
1005         all versions of fillSpeculateBoolean().
1006
1007 2013-08-19  Michael Saboff  <msaboff@apple.com>
1008
1009         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
1010
1011         Reviewed by Benjamin Poulain.
1012
1013         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
1014         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
1015
1016         * assembler/MacroAssemblerX86Common.h:
1017         (JSC::MacroAssemblerX86Common::branchTest32):
1018
1019 2013-08-16  Oliver Hunt  <oliver@apple.com>
1020
1021         <https://webkit.org/b/119860> Crash during exception unwinding
1022
1023         Reviewed by Filip Pizlo.
1024
1025         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
1026         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
1027
1028         We need this so that Throw and ThrowReferenceError no longer need to be treated as
1029         terminals and the subsequent flush keeps the activation (and other registers) live.
1030
1031         * dfg/DFGAbstractInterpreterInlines.h:
1032         (JSC::DFG::::executeEffects):
1033         * dfg/DFGByteCodeParser.cpp:
1034         (JSC::DFG::ByteCodeParser::parseBlock):
1035         * dfg/DFGClobberize.h:
1036         (JSC::DFG::clobberize):
1037         * dfg/DFGFixupPhase.cpp:
1038         (JSC::DFG::FixupPhase::fixupNode):
1039         * dfg/DFGNode.h:
1040         (JSC::DFG::Node::isTerminal):
1041         * dfg/DFGNodeType.h:
1042         * dfg/DFGPredictionPropagationPhase.cpp:
1043         (JSC::DFG::PredictionPropagationPhase::propagate):
1044         * dfg/DFGSafeToExecute.h:
1045         (JSC::DFG::safeToExecute):
1046         * dfg/DFGSpeculativeJIT32_64.cpp:
1047         (JSC::DFG::SpeculativeJIT::compile):
1048         * dfg/DFGSpeculativeJIT64.cpp:
1049         (JSC::DFG::SpeculativeJIT::compile):
1050
1051 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
1052
1053         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
1054
1055         Reviewed by Oliver Hunt.
1056
1057         Guard the compilation of these files only if DFG_JIT is enabled.
1058
1059         * dfg/DFGDesiredTransitions.cpp:
1060         * dfg/DFGDesiredTransitions.h:
1061         * dfg/DFGDesiredWeakReferences.cpp:
1062         * dfg/DFGDesiredWeakReferences.h:
1063         * dfg/DFGDesiredWriteBarriers.cpp:
1064         * dfg/DFGDesiredWriteBarriers.h:
1065
1066 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
1067
1068         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
1069         https://bugs.webkit.org/show_bug.cgi?id=119961
1070
1071         Reviewed by Mark Hahnenberg.
1072
1073         * dfg/DFGFixupPhase.cpp:
1074         (JSC::DFG::FixupPhase::fixupNode):
1075
1076 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
1077
1078         https://bugs.webkit.org/show_bug.cgi?id=119972
1079         Add attributes field to PropertySlot
1080
1081         Reviewed by Geoff Garen.
1082
1083         For all JSC types, this makes getOwnPropertyDescriptor redundant.
1084         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
1085         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
1086
1087         No performance impact.
1088
1089         * runtime/PropertySlot.h:
1090         (JSC::PropertySlot::setValue):
1091         (JSC::PropertySlot::setCustom):
1092         (JSC::PropertySlot::setCacheableCustom):
1093         (JSC::PropertySlot::setCustomIndex):
1094         (JSC::PropertySlot::setGetterSlot):
1095         (JSC::PropertySlot::setCacheableGetterSlot):
1096             - These methods now all require 'attributes'.
1097         * runtime/JSObject.h:
1098         (JSC::JSObject::getDirect):
1099         (JSC::JSObject::getDirectOffset):
1100         (JSC::JSObject::inlineGetOwnPropertySlot):
1101             - Added variants of getDirect, getDirectOffset that return the attributes.
1102         * API/JSCallbackObjectFunctions.h:
1103         (JSC::::getOwnPropertySlot):
1104         * runtime/Arguments.cpp:
1105         (JSC::Arguments::getOwnPropertySlotByIndex):
1106         (JSC::Arguments::getOwnPropertySlot):
1107         * runtime/JSActivation.cpp:
1108         (JSC::JSActivation::symbolTableGet):
1109         (JSC::JSActivation::getOwnPropertySlot):
1110         * runtime/JSArray.cpp:
1111         (JSC::JSArray::getOwnPropertySlot):
1112         * runtime/JSArrayBuffer.cpp:
1113         (JSC::JSArrayBuffer::getOwnPropertySlot):
1114         * runtime/JSArrayBufferView.cpp:
1115         (JSC::JSArrayBufferView::getOwnPropertySlot):
1116         * runtime/JSDataView.cpp:
1117         (JSC::JSDataView::getOwnPropertySlot):
1118         * runtime/JSFunction.cpp:
1119         (JSC::JSFunction::getOwnPropertySlot):
1120         * runtime/JSGenericTypedArrayViewInlines.h:
1121         (JSC::::getOwnPropertySlot):
1122         (JSC::::getOwnPropertySlotByIndex):
1123         * runtime/JSObject.cpp:
1124         (JSC::JSObject::getOwnPropertySlotByIndex):
1125         (JSC::JSObject::fillGetterPropertySlot):
1126         * runtime/JSString.h:
1127         (JSC::JSString::getStringPropertySlot):
1128         * runtime/JSSymbolTableObject.h:
1129         (JSC::symbolTableGet):
1130         * runtime/Lookup.cpp:
1131         (JSC::setUpStaticFunctionSlot):
1132         * runtime/Lookup.h:
1133         (JSC::getStaticPropertySlot):
1134         (JSC::getStaticPropertyDescriptor):
1135         (JSC::getStaticValueSlot):
1136         (JSC::getStaticValueDescriptor):
1137         * runtime/RegExpObject.cpp:
1138         (JSC::RegExpObject::getOwnPropertySlot):
1139         * runtime/SparseArrayValueMap.cpp:
1140         (JSC::SparseArrayEntry::get):
1141             - Pass attributes to PropertySlot::set* methods.
1142
1143 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1144
1145         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1146
1147         Reviewed by Filip Pizlo.
1148
1149         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
1150         Vector of WriteBarriers rather than the specific address. The fact that we were 
1151         arbitrarily storing into a Vector's backing store for constants at the end of 
1152         compilation after the Vector could have resized was causing crashes.
1153
1154         * bytecode/CodeBlock.h:
1155         (JSC::CodeBlock::constants):
1156         (JSC::CodeBlock::addConstantLazily):
1157         * dfg/DFGByteCodeParser.cpp:
1158         (JSC::DFG::ByteCodeParser::addConstant):
1159         * dfg/DFGDesiredWriteBarriers.cpp:
1160         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1161         (JSC::DFG::DesiredWriteBarrier::trigger):
1162         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1163         * dfg/DFGDesiredWriteBarriers.h:
1164         (JSC::DFG::DesiredWriteBarriers::add):
1165         * dfg/DFGFixupPhase.cpp:
1166         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1167         * dfg/DFGGraph.h:
1168         (JSC::DFG::Graph::constantRegisterForConstant):
1169
1170 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1171
1172         DFG should optimize typedArray.byteLength
1173         https://bugs.webkit.org/show_bug.cgi?id=119909
1174
1175         Reviewed by Oliver Hunt.
1176         
1177         This adds typedArray.byteLength inlining to the DFG, and does so without changing
1178         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
1179         legal since the byteLength of a typed array cannot exceed
1180         numeric_limits<int32_t>::max().
1181
1182         * bytecode/SpeculatedType.cpp:
1183         (JSC::typedArrayTypeFromSpeculation):
1184         * bytecode/SpeculatedType.h:
1185         * dfg/DFGArrayMode.cpp:
1186         (JSC::DFG::toArrayType):
1187         * dfg/DFGArrayMode.h:
1188         * dfg/DFGFixupPhase.cpp:
1189         (JSC::DFG::FixupPhase::fixupNode):
1190         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1191         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
1192         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1193         (JSC::DFG::FixupPhase::prependGetArrayLength):
1194         * dfg/DFGGraph.h:
1195         (JSC::DFG::Graph::constantRegisterForConstant):
1196         (JSC::DFG::Graph::convertToConstant):
1197         * runtime/TypedArrayType.h:
1198         (JSC::logElementSize):
1199         (JSC::elementSize):
1200
1201 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1202
1203         DFG optimizes out strict mode arguments tear off
1204         https://bugs.webkit.org/show_bug.cgi?id=119504
1205
1206         Reviewed by Mark Hahnenberg and Oliver Hunt.
1207         
1208         Don't do the optimization for strict mode.
1209
1210         * dfg/DFGArgumentsSimplificationPhase.cpp:
1211         (JSC::DFG::ArgumentsSimplificationPhase::run):
1212         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
1213
1214 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
1215
1216         [JSC] x86: improve code generation for xxxTest32
1217         https://bugs.webkit.org/show_bug.cgi?id=119876
1218
1219         Reviewed by Geoffrey Garen.
1220
1221         Try to use testb whenever possible when testing for an immediate value.
1222
1223         When the input is an address and an offset, we can tweak the mask
1224         and offset to be able to generate testb for any byte of the mask.
1225
1226         When the input is a register, we can use testb if we are only interested
1227         in testing the low bits.
1228
1229         * assembler/MacroAssemblerX86Common.h:
1230         (JSC::MacroAssemblerX86Common::branchTest32):
1231         (JSC::MacroAssemblerX86Common::test32):
1232         (JSC::MacroAssemblerX86Common::generateTest32):
1233
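The two x86 entries above (the xxxTest32 codegen change at bug 119876 and the follow-up fix at bug 120020, "wrong register to be used for 32 bit tests") describe the same encoding detail. The block below is an added example written for this page, not JSC's X86Assembler or MacroAssemblerX86Common: a small stand-alone encoder for TEST-against-immediate that applies the byte-form rules those entries describe. It assumes the usual x86 register numbering (eax=0 .. edi=7), 32-bit mode unless `mode64` is set, and the group-3 `/0` encodings (F6 for r/m8, F7 for r/m32); `byte_operand_read` simulates which byte the CPU actually examines, which is where the ah/ch/dh/bh confusion shows up.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not JSC's X86Assembler: just enough of an x86 encoder
   to show when TEST-against-immediate may safely use its one-byte form. */

enum { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

static size_t put_imm32(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)v;         out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
    return 4;
}

/* Which 8 bits does "TEST r/m8, imm8" with rm = reg really read?  regs[] holds
   the eight 32-bit general registers.  Without a REX prefix, rm values 4..7
   name ah/ch/dh/bh, i.e. bits 8..15 of eax/ecx/edx/ebx, NOT the low byte of
   esp/ebp/esi/edi.  That is the wrong-register bug the 120020 entry fixes. */
uint8_t byte_operand_read(const uint32_t regs[8], int reg, bool rex)
{
    if (rex || reg < ESP)
        return (uint8_t)regs[reg];
    return (uint8_t)(regs[reg - 4] >> 8);
}

/* TEST reg, imm (reg in 0..7).  Returns the number of bytes written (<= 6). */
size_t encode_test_reg_imm(uint8_t *out, int reg, uint32_t mask, bool mode64)
{
    size_t n = 0;
    assert(reg >= 0 && reg <= 7);
    bool byte_mask = (mask & ~0xFFu) == 0;
    if (byte_mask && (reg < ESP || mode64)) {
        /* In 64-bit mode an empty REX prefix (0x40) makes rm 4..7 mean
           spl/bpl/sil/dil, so the byte form works for every register.
           In 32-bit mode there is no REX: only eax..ebx may use it. */
        if (mode64 && reg >= ESP)
            out[n++] = 0x40;
        out[n++] = 0xF6;                    /* group 3 /0: TEST r/m8, imm8 */
        out[n++] = (uint8_t)(0xC0 | reg);   /* ModRM mod=11 reg=000 rm=reg */
        out[n++] = (uint8_t)mask;
    } else {
        out[n++] = 0xF7;                    /* group 3 /0: TEST r/m32, imm32 */
        out[n++] = (uint8_t)(0xC0 | reg);
        n += put_imm32(out + n, mask);
    }
    return n;
}

/* TEST dword [base + disp], imm, 32-bit mode.  If the mask touches only one
   byte of the dword, shift the mask down and bump the displacement so the
   byte form can test exactly that byte.  ZF is unchanged by this rewrite
   (the other three mask bytes are zero), which is what a Zero/NonZero branch
   needs; SF only survives when the top byte is the one selected. */
size_t encode_test_mem_imm(uint8_t *out, int base, int32_t disp, uint32_t mask)
{
    size_t n = 0;
    int byte_index = -1;
    assert(base >= 0 && base <= 7);
    for (int k = 0; k < 4 && byte_index < 0; k++) {
        if (mask != 0 && (mask & ~(0xFFu << (8 * k))) == 0)
            byte_index = k;
    }
    if (byte_index >= 0) {
        disp += byte_index;
        mask = (mask >> (8 * byte_index)) & 0xFF;
    }
    out[n++] = byte_index >= 0 ? 0xF6 : 0xF7;
    out[n++] = (uint8_t)(0x80 | base);      /* ModRM mod=10 (disp32) rm=base */
    if (base == ESP)
        out[n++] = 0x24;                    /* SIB: base=esp, no index */
    n += put_imm32(out + n, (uint32_t)disp);
    if (byte_index >= 0)
        out[n++] = (uint8_t)mask;
    else
        n += put_imm32(out + n, mask);
    return n;
}

int main(void)
{
    uint8_t buf[16];
    size_t n = encode_test_reg_imm(buf, ESI, 0x01, false);
    for (size_t i = 0; i < n; i++)
        printf("%02x ", buf[i]);
    printf(" <- 32-bit mode keeps testl for esi; testb would have read dh\n");
    return 0;
}
```

The register-form guard (`reg < ESP || mode64`) is the whole fix from the 120020 entry; the memory-form byte selection is the "tweak the mask and offset" trick from the 119876 entry. A quick way to audit any such peephole is exactly what `byte_operand_read` does: model what the shorter encoding reads and compare it with what the longer one read.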
1234 2013-08-16  Mark Lam  <mark.lam@apple.com>
1235
1236         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
1237         error message that an object is not a constructor though it expects a function
1238
1239         Reviewed by Michael Saboff.
1240
1241         * jit/JITStubs.cpp:
1242         (JSC::DEFINE_STUB_FUNCTION):
1243
1244 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1245
1246         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
1247         https://bugs.webkit.org/show_bug.cgi?id=119897
1248
1249         Reviewed by Oliver Hunt.
1250         
1251         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
1252         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
1253         to turn objects into dictionaries when you're storing using bracket syntax or using
1254         eval is still in place.
1255
1256         * bytecode/CodeBlock.h:
1257         (JSC::CodeBlock::putByIdContext):
1258         * dfg/DFGOperations.cpp:
1259         * jit/JITStubs.cpp:
1260         (JSC::DEFINE_STUB_FUNCTION):
1261         * llint/LLIntSlowPaths.cpp:
1262         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1263         * runtime/JSObject.h:
1264         (JSC::JSObject::putDirectInternal):
1265         * runtime/PutPropertySlot.h:
1266         (JSC::PutPropertySlot::PutPropertySlot):
1267         (JSC::PutPropertySlot::context):
1268         * runtime/Structure.cpp:
1269         (JSC::Structure::addPropertyTransition):
1270         * runtime/Structure.h:
1271
1272 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
1273
1274         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
1275
1276         Reviewed by Allan Sandfeld Jensen.
1277
1278         ctiVMHandleException must jump/return using register ra (r31).
1279
1280         * jit/JITStubsMIPS.h:
1281
1282 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
1283
1284         <https://webkit.org/b/119879> Fix sh4 build after r154156.
1285
1286         Reviewed by Allan Sandfeld Jensen.
1287
1288         Fix typo in JITStubsSH4.h file.
1289
1290         * jit/JITStubsSH4.h:
1291
1292 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1293
1294         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
1295
1296         Reviewed by Oliver Hunt.
1297
1298         The concurrent compilation thread should interact minimally with the Heap, including not 
1299         triggering WriteBarriers. This is a prerequisite for generational GC.
1300
1301         * JavaScriptCore.xcodeproj/project.pbxproj:
1302         * bytecode/CodeBlock.cpp:
1303         (JSC::CodeBlock::addOrFindConstant):
1304         (JSC::CodeBlock::findConstant):
1305         * bytecode/CodeBlock.h:
1306         (JSC::CodeBlock::addConstantLazily):
1307         * dfg/DFGByteCodeParser.cpp:
1308         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1309         (JSC::DFG::ByteCodeParser::constantUndefined):
1310         (JSC::DFG::ByteCodeParser::constantNull):
1311         (JSC::DFG::ByteCodeParser::one):
1312         (JSC::DFG::ByteCodeParser::constantNaN):
1313         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1314         * dfg/DFGCommonData.cpp:
1315         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1316         * dfg/DFGCommonData.h:
1317         * dfg/DFGDesiredTransitions.cpp: Added.
1318         (JSC::DFG::DesiredTransition::DesiredTransition):
1319         (JSC::DFG::DesiredTransition::reallyAdd):
1320         (JSC::DFG::DesiredTransitions::DesiredTransitions):
1321         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
1322         (JSC::DFG::DesiredTransitions::addLazily):
1323         (JSC::DFG::DesiredTransitions::reallyAdd):
1324         * dfg/DFGDesiredTransitions.h: Added.
1325         * dfg/DFGDesiredWeakReferences.cpp: Added.
1326         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1327         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
1328         (JSC::DFG::DesiredWeakReferences::addLazily):
1329         (JSC::DFG::DesiredWeakReferences::reallyAdd):
1330         * dfg/DFGDesiredWeakReferences.h: Added.
1331         * dfg/DFGDesiredWriteBarriers.cpp: Added.
1332         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1333         (JSC::DFG::DesiredWriteBarrier::trigger):
1334         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
1335         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
1336         (JSC::DFG::DesiredWriteBarriers::addImpl):
1337         (JSC::DFG::DesiredWriteBarriers::trigger):
1338         * dfg/DFGDesiredWriteBarriers.h: Added.
1339         (JSC::DFG::DesiredWriteBarriers::add):
1340         (JSC::DFG::initializeLazyWriteBarrier):
1341         * dfg/DFGFixupPhase.cpp:
1342         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1343         * dfg/DFGGraph.h:
1344         (JSC::DFG::Graph::convertToConstant):
1345         * dfg/DFGJITCompiler.h:
1346         (JSC::DFG::JITCompiler::addWeakReference):
1347         * dfg/DFGPlan.cpp:
1348         (JSC::DFG::Plan::Plan):
1349         (JSC::DFG::Plan::reallyAdd):
1350         * dfg/DFGPlan.h:
1351         * dfg/DFGSpeculativeJIT32_64.cpp:
1352         (JSC::DFG::SpeculativeJIT::compile):
1353         * dfg/DFGSpeculativeJIT64.cpp:
1354         (JSC::DFG::SpeculativeJIT::compile):
1355         * runtime/WriteBarrier.h:
1356         (JSC::WriteBarrierBase::set):
1357         (JSC::WriteBarrier::WriteBarrier):
1358
1359 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1360
1361         Fix x86 32bits build after r154158
1362
1363         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
1364
1365 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
1366
1367         Build fix attempt after r154156.
1368
1369         * jit/JITStubs.cpp:
1370         (JSC::cti_vm_handle_exception): encode!
1371
1372 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1373
1374         [JSC] x86: Use inc and dec when possible
1375         https://bugs.webkit.org/show_bug.cgi?id=119831
1376
1377         Reviewed by Geoffrey Garen.
1378
1379         When incrementing or decrementing by an immediate of 1, use the instructions
1380         inc and dec instead of add and sub.
1381         The instructions have good timing and their encoding is smaller.
1382
1383         * assembler/MacroAssemblerX86Common.h:
1384         (JSC::MacroAssemblerX86_64::add32):
1385         (JSC::MacroAssemblerX86_64::sub32):
1386         * assembler/MacroAssemblerX86_64.h:
1387         (JSC::MacroAssemblerX86_64::add64):
1388         (JSC::MacroAssemblerX86_64::sub64):
1389         * assembler/X86Assembler.h:
1390         (JSC::X86Assembler::dec_r):
1391         (JSC::X86Assembler::decq_r):
1392         (JSC::X86Assembler::inc_r):
1393         (JSC::X86Assembler::incq_r):
1394
1395 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1396
1397         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
1398         https://bugs.webkit.org/show_bug.cgi?id=119874
1399
1400         Reviewed by Oliver Hunt and Mark Hahnenberg.
1401         
1402         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
1403         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
1404         sometimes for typed array length accesses, and the FixupPhase assuming that a
1405         ForceExit ArrayMode means that it should continue using a generic GetById.
1406
1407         This fixes the confusion.
1408
1409         * dfg/DFGFixupPhase.cpp:
1410         (JSC::DFG::FixupPhase::fixupNode):
1411
1412 2013-08-15  Mark Lam  <mark.lam@apple.com>
1413
1414         Fix crash when performing activation tearoff.
1415         https://bugs.webkit.org/show_bug.cgi?id=119848
1416
1417         Reviewed by Oliver Hunt.
1418
1419         The activation tearoff crash was due to a bug in the baseline JIT.
1420         If we have a scenario where a baseline JIT frame calls a LLINT
1421         frame, an exception may be thrown while in the LLINT.
1422
1423         Interpreter::throwException() which handles the exception will unwind
1424         all frames until it finds a catcher or sees a host frame. When we
1425         return from the LLINT to the baseline JIT code, the baseline JIT code
1426         erroneously sets topCallFrame to the value in its call frame register,
1427         and starts unwinding the stack frames that have already been unwound.
1428
1429         The fix is:
1430         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1431            This is a more accurate description of what this runtime function
1432            is supposed to do, i.e. it handles the exception, which includes doing
1433            nothing (if there are no more frames to unwind).
1434         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
1435            set on it.
1436         3. Reload the call frame register from topCallFrame when we're
1437            returning from a callee and detect that exception handling is in progress.
1438
1439         * interpreter/Interpreter.cpp:
1440         (JSC::Interpreter::unwindCallFrame):
1441         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1442         (JSC::Interpreter::getStackTrace):
1443         * interpreter/Interpreter.h:
1444         (JSC::TopCallFrameSetter::TopCallFrameSetter):
1445         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
1446         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1447         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1448         * jit/JIT.h:
1449         * jit/JITExceptions.cpp:
1450         (JSC::uncaughtExceptionHandler):
1451         - Convenience function to get the handler for uncaught exceptions.
1452         * jit/JITExceptions.h:
1453         * jit/JITInlines.h:
1454         (JSC::JIT::reloadCallFrameFromTopCallFrame):
1455         * jit/JITOpcodes32_64.cpp:
1456         (JSC::JIT::privateCompileCTINativeCall):
1457         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1458         * jit/JITStubs.cpp:
1459         (JSC::throwExceptionFromOpCall):
1460         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1461         (JSC::cti_vm_handle_exception):
1462         - Check for the case when there are no more frames to unwind.
1463         * jit/JITStubs.h:
1464         * jit/JITStubsARM.h:
1465         * jit/JITStubsARMv7.h:
1466         * jit/JITStubsMIPS.h:
1467         * jit/JITStubsSH4.h:
1468         * jit/JITStubsX86.h:
1469         * jit/JITStubsX86_64.h:
1470         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1471         * jit/SlowPathCall.h:
1472         (JSC::JITSlowPathCall::call):
1473         - Reload cfr from topCallFrame when handling an exception.
1474         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1475         * jit/ThunkGenerators.cpp:
1476         (JSC::nativeForGenerator):
1477         * llint/LowLevelInterpreter32_64.asm:
1478         * llint/LowLevelInterpreter64.asm:
1479         - Reload cfr from topCallFrame when handling an exception.
1480         * runtime/VM.cpp:
1481         (JSC::VM::VM):
1482         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1483
1484 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1485
1486         Remove some code duplication.
1487         
1488         Rubber stamped by Mark Hahnenberg.
1489
1490         * runtime/JSDataViewPrototype.cpp:
1491         (JSC::getData):
1492         (JSC::setData):
1493
1494 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
1495
1496         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
1497         https://bugs.webkit.org/show_bug.cgi?id=119794
1498
1499         Reviewed by Filip Pizlo.
1500
1501         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
1502
1503         * dfg/DFGUseKind.h:
1504         (JSC::DFG::isNumerical):
1505         (JSC::DFG::isDouble):
1506
1507 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1508
1509         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
1510
1511         Rubber stamped by Oliver Hunt.
1512         
1513         This was causing some test crashes for me.
1514
1515         * dfg/DFGCapabilities.cpp:
1516         (JSC::DFG::capabilityLevel):
1517
1518 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1519
1520         [Windows] Clear up improper export declaration.
1521
1522         * runtime/ArrayBufferView.h:
1523
1524 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1525
1526         Unreviewed, remove some unnecessary periods from exceptions.
1527
1528         * runtime/JSDataViewPrototype.cpp:
1529         (JSC::getData):
1530         (JSC::setData):
1531
1532 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1533
1534         Unreviewed, fix 32-bit build.
1535
1536         * dfg/DFGSpeculativeJIT32_64.cpp:
1537         (JSC::DFG::SpeculativeJIT::compile):
1538
1539 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
1540
1541         Typed arrays should be rewritten
1542         https://bugs.webkit.org/show_bug.cgi?id=119064
1543
1544         Reviewed by Oliver Hunt.
1545         
1546         Typed arrays were previously deficient in several major ways:
1547         
1548         - They were defined separately in WebCore and in the jsc shell. The two
1549           implementations were different, and the jsc shell one was basically wrong.
1550           The WebCore one was quite awful, also.
1551         
1552         - Typed arrays were not visible to the JIT except through some weird hooks.
1553           For example, the JIT could not ask "what is the Structure that this typed
1554           array would have if I just allocated it from this global object". Also,
1555           it was difficult to wire any of the typed array intrinsics, because most
1556           of the functionality wasn't visible anywhere in JSC.
1557         
1558         - Typed array allocation was brain-dead. Allocating a typed array involved
1559           two JS objects, two GC weak handles, and three malloc allocations.
1560         
1561         - Neutering. It involved keeping tabs on all native views but not the view
1562           wrappers, even though the native views can autoneuter just by asking the
1563           buffer if it was neutered anytime you touch them; while the JS view
1564           wrappers are the ones that you really want to reach out to.
1565         
1566         - Common case-ing. Most typed arrays have one buffer and one view, and
1567           usually nobody touches the buffer. Yet we created all of that stuff
1568           anyway, using data structures optimized for the case where you had a lot
1569           of views.
1570         
1571         - Semantic goofs. Typed arrays should, in the future, behave like ES
1572           features rather than DOM features, for example when it comes to exceptions.
1573           Firefox already does this and I agree with them.
1574         
1575         This patch cleanses our codebase of these sins:
1576         
1577         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
1578           management of native references to buffers is left to WebCore.
1579         
1580         - Allocating a typed array requires either two GC allocations (a cell and a
1581           copied storage vector) or one GC allocation, a malloc allocation, and a
1582           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
1583           latter). The latter is only used for oversize arrays. Remember that before
1584           it was 7 allocations no matter what.
1585         
1586         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
1587           mode/length, void* vector. Before it was a lot more than that - remember,
1588           there were five additional objects that did absolutely nothing for anybody.
1589         
1590         - Native views aren't tracked by the buffer, or by the wrappers. They are
1591           transient. In the future we'll probably switch to not even having them be
1592           malloc'd.
1593         
1594         - Native array buffers have an efficient way of tracking all of their JS view
1595           wrappers, both for neutering, and for lifecycle management. The GC
1596           special-cases native array buffers. This saves a bunch of grief; for example
1597           it means that a JS view wrapper can refer to its buffer via the butterfly,
1598           which would be dead by the time we went to finalize.
1599         
1600         - Typed array semantics now match Firefox, which also happens to be where the
1601           standards are going. The discussion on webkit-dev seemed to confirm that
1602           Chrome is also heading in this direction. This includes making
1603           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
1604           ArrayBufferView as a JS-visible construct.
1605         
1606         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
1607         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
1608         further typed array optimizations in the JSC JITs, including inlining typed
1609         array allocation, inlining more of the accessors, reducing the cost of type
1610         checks, etc.
1611         
1612         An additional property of this patch is that typed arrays are mostly
1613         implemented using templates. This deduplicates a bunch of code, but does mean
1614         that we need some hacks for exporting s_info's of template classes. See
1615         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
1616         low-impact compared to code duplication.
1617         
1618         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
1619
1620         * CMakeLists.txt:
1621         * DerivedSources.make:
1622         * GNUmakefile.list.am:
1623         * JSCTypedArrayStubs.h: Removed.
1624         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1625         * JavaScriptCore.xcodeproj/project.pbxproj:
1626         * Target.pri:
1627         * bytecode/ByValInfo.h:
1628         (JSC::hasOptimizableIndexingForClassInfo):
1629         (JSC::jitArrayModeForClassInfo):
1630         (JSC::typedArrayTypeForJITArrayMode):
1631         * bytecode/SpeculatedType.cpp:
1632         (JSC::speculationFromClassInfo):
1633         * dfg/DFGArrayMode.cpp:
1634         (JSC::DFG::toTypedArrayType):
1635         * dfg/DFGArrayMode.h:
1636         (JSC::DFG::ArrayMode::typedArrayType):
1637         * dfg/DFGSpeculativeJIT.cpp:
1638         (JSC::DFG::SpeculativeJIT::checkArray):
1639         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1640         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1641         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1642         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1643         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1644         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1645         * dfg/DFGSpeculativeJIT.h:
1646         * dfg/DFGSpeculativeJIT32_64.cpp:
1647         (JSC::DFG::SpeculativeJIT::compile):
1648         * dfg/DFGSpeculativeJIT64.cpp:
1649         (JSC::DFG::SpeculativeJIT::compile):
1650         * heap/CopyToken.h:
1651         * heap/DeferGC.h:
1652         (JSC::DeferGCForAWhile::DeferGCForAWhile):
1653         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
1654         * heap/GCIncomingRefCounted.h: Added.
1655         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
1656         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
1657         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
1658         (JSC::GCIncomingRefCounted::incomingReferenceAt):
1659         (JSC::GCIncomingRefCounted::singletonFlag):
1660         (JSC::GCIncomingRefCounted::hasVectorOfCells):
1661         (JSC::GCIncomingRefCounted::hasAnyIncoming):
1662         (JSC::GCIncomingRefCounted::hasSingleton):
1663         (JSC::GCIncomingRefCounted::singleton):
1664         (JSC::GCIncomingRefCounted::vectorOfCells):
1665         * heap/GCIncomingRefCountedInlines.h: Added.
1666         (JSC::::addIncomingReference):
1667         (JSC::::filterIncomingReferences):
1668         * heap/GCIncomingRefCountedSet.h: Added.
1669         (JSC::GCIncomingRefCountedSet::size):
1670         * heap/GCIncomingRefCountedSetInlines.h: Added.
1671         (JSC::::GCIncomingRefCountedSet):
1672         (JSC::::~GCIncomingRefCountedSet):
1673         (JSC::::addReference):
1674         (JSC::::sweep):
1675         (JSC::::removeAll):
1676         (JSC::::removeDead):
1677         * heap/Heap.cpp:
1678         (JSC::Heap::addReference):
1679         (JSC::Heap::extraSize):
1680         (JSC::Heap::size):
1681         (JSC::Heap::capacity):
1682         (JSC::Heap::collect):
1683         (JSC::Heap::decrementDeferralDepth):
1684         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1685         * heap/Heap.h:
1686         * interpreter/CallFrame.h:
1687         (JSC::ExecState::dataViewTable):
1688         * jit/JIT.h:
1689         * jit/JITPropertyAccess.cpp:
1690         (JSC::JIT::privateCompileGetByVal):
1691         (JSC::JIT::privateCompilePutByVal):
1692         (JSC::JIT::emitIntTypedArrayGetByVal):
1693         (JSC::JIT::emitFloatTypedArrayGetByVal):
1694         (JSC::JIT::emitIntTypedArrayPutByVal):
1695         (JSC::JIT::emitFloatTypedArrayPutByVal):
1696         * jsc.cpp:
1697         (GlobalObject::finishCreation):
1698         * runtime/ArrayBuffer.cpp:
1699         (JSC::ArrayBuffer::transfer):
1700         * runtime/ArrayBuffer.h:
1701         (JSC::ArrayBuffer::createAdopted):
1702         (JSC::ArrayBuffer::ArrayBuffer):
1703         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1704         (JSC::ArrayBuffer::pin):
1705         (JSC::ArrayBuffer::unpin):
1706         (JSC::ArrayBufferContents::tryAllocate):
1707         * runtime/ArrayBufferView.cpp:
1708         (JSC::ArrayBufferView::ArrayBufferView):
1709         (JSC::ArrayBufferView::~ArrayBufferView):
1710         (JSC::ArrayBufferView::setNeuterable):
1711         * runtime/ArrayBufferView.h:
1712         (JSC::ArrayBufferView::isNeutered):
1713         (JSC::ArrayBufferView::buffer):
1714         (JSC::ArrayBufferView::baseAddress):
1715         (JSC::ArrayBufferView::byteOffset):
1716         (JSC::ArrayBufferView::verifySubRange):
1717         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1718         (JSC::ArrayBufferView::calculateOffsetAndLength):
1719         * runtime/ClassInfo.h:
1720         * runtime/CommonIdentifiers.h:
1721         * runtime/DataView.cpp: Added.
1722         (JSC::DataView::DataView):
1723         (JSC::DataView::create):
1724         (JSC::DataView::wrap):
1725         * runtime/DataView.h: Added.
1726         (JSC::DataView::byteLength):
1727         (JSC::DataView::getType):
1728         (JSC::DataView::get):
1729         (JSC::DataView::set):
1730         * runtime/Float32Array.h:
1731         * runtime/Float64Array.h:
1732         * runtime/GenericTypedArrayView.h: Added.
1733         (JSC::GenericTypedArrayView::data):
1734         (JSC::GenericTypedArrayView::set):
1735         (JSC::GenericTypedArrayView::setRange):
1736         (JSC::GenericTypedArrayView::zeroRange):
1737         (JSC::GenericTypedArrayView::zeroFill):
1738         (JSC::GenericTypedArrayView::length):
1739         (JSC::GenericTypedArrayView::byteLength):
1740         (JSC::GenericTypedArrayView::item):
1741         (JSC::GenericTypedArrayView::checkInboundData):
1742         (JSC::GenericTypedArrayView::getType):
1743         * runtime/GenericTypedArrayViewInlines.h: Added.
1744         (JSC::::GenericTypedArrayView):
1745         (JSC::::create):
1746         (JSC::::createUninitialized):
1747         (JSC::::subarray):
1748         (JSC::::wrap):
1749         * runtime/IndexingHeader.h:
1750         (JSC::IndexingHeader::arrayBuffer):
1751         (JSC::IndexingHeader::setArrayBuffer):
1752         * runtime/Int16Array.h:
1753         * runtime/Int32Array.h:
1754         * runtime/Int8Array.h:
1755         * runtime/JSArrayBuffer.cpp: Added.
1756         (JSC::JSArrayBuffer::JSArrayBuffer):
1757         (JSC::JSArrayBuffer::finishCreation):
1758         (JSC::JSArrayBuffer::create):
1759         (JSC::JSArrayBuffer::createStructure):
1760         (JSC::JSArrayBuffer::getOwnPropertySlot):
1761         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
1762         (JSC::JSArrayBuffer::put):
1763         (JSC::JSArrayBuffer::defineOwnProperty):
1764         (JSC::JSArrayBuffer::deleteProperty):
1765         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1766         * runtime/JSArrayBuffer.h: Added.
1767         (JSC::JSArrayBuffer::impl):
1768         (JSC::toArrayBuffer):
1769         * runtime/JSArrayBufferConstructor.cpp: Added.
1770         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1771         (JSC::JSArrayBufferConstructor::finishCreation):
1772         (JSC::JSArrayBufferConstructor::create):
1773         (JSC::JSArrayBufferConstructor::createStructure):
1774         (JSC::constructArrayBuffer):
1775         (JSC::JSArrayBufferConstructor::getConstructData):
1776         (JSC::JSArrayBufferConstructor::getCallData):
1777         * runtime/JSArrayBufferConstructor.h: Added.
1778         * runtime/JSArrayBufferPrototype.cpp: Added.
1779         (JSC::arrayBufferProtoFuncSlice):
1780         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
1781         (JSC::JSArrayBufferPrototype::finishCreation):
1782         (JSC::JSArrayBufferPrototype::create):
1783         (JSC::JSArrayBufferPrototype::createStructure):
1784         * runtime/JSArrayBufferPrototype.h: Added.
1785         * runtime/JSArrayBufferView.cpp: Added.
1786         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1787         (JSC::JSArrayBufferView::JSArrayBufferView):
1788         (JSC::JSArrayBufferView::finishCreation):
1789         (JSC::JSArrayBufferView::getOwnPropertySlot):
1790         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
1791         (JSC::JSArrayBufferView::put):
1792         (JSC::JSArrayBufferView::defineOwnProperty):
1793         (JSC::JSArrayBufferView::deleteProperty):
1794         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1795         (JSC::JSArrayBufferView::finalize):
1796         * runtime/JSArrayBufferView.h: Added.
1797         (JSC::JSArrayBufferView::sizeOf):
1798         (JSC::JSArrayBufferView::ConstructionContext::operator!):
1799         (JSC::JSArrayBufferView::ConstructionContext::structure):
1800         (JSC::JSArrayBufferView::ConstructionContext::vector):
1801         (JSC::JSArrayBufferView::ConstructionContext::length):
1802         (JSC::JSArrayBufferView::ConstructionContext::mode):
1803         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
1804         (JSC::JSArrayBufferView::mode):
1805         (JSC::JSArrayBufferView::vector):
1806         (JSC::JSArrayBufferView::length):
1807         (JSC::JSArrayBufferView::offsetOfVector):
1808         (JSC::JSArrayBufferView::offsetOfLength):
1809         (JSC::JSArrayBufferView::offsetOfMode):
1810         * runtime/JSArrayBufferViewInlines.h: Added.
1811         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
1812         (JSC::JSArrayBufferView::buffer):
1813         (JSC::JSArrayBufferView::impl):
1814         (JSC::JSArrayBufferView::neuter):
1815         (JSC::JSArrayBufferView::byteOffset):
1816         * runtime/JSCell.cpp:
1817         (JSC::JSCell::slowDownAndWasteMemory):
1818         (JSC::JSCell::getTypedArrayImpl):
1819         * runtime/JSCell.h:
1820         * runtime/JSDataView.cpp: Added.
1821         (JSC::JSDataView::JSDataView):
1822         (JSC::JSDataView::create):
1823         (JSC::JSDataView::createUninitialized):
1824         (JSC::JSDataView::set):
1825         (JSC::JSDataView::typedImpl):
1826         (JSC::JSDataView::getOwnPropertySlot):
1827         (JSC::JSDataView::getOwnPropertyDescriptor):
1828         (JSC::JSDataView::slowDownAndWasteMemory):
1829         (JSC::JSDataView::getTypedArrayImpl):
1830         (JSC::JSDataView::createStructure):
1831         * runtime/JSDataView.h: Added.
1832         * runtime/JSDataViewPrototype.cpp: Added.
1833         (JSC::JSDataViewPrototype::JSDataViewPrototype):
1834         (JSC::JSDataViewPrototype::create):
1835         (JSC::JSDataViewPrototype::createStructure):
1836         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1837         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1838         (JSC::getData):
1839         (JSC::setData):
1840         (JSC::dataViewProtoFuncGetInt8):
1841         (JSC::dataViewProtoFuncGetInt16):
1842         (JSC::dataViewProtoFuncGetInt32):
1843         (JSC::dataViewProtoFuncGetUint8):
1844         (JSC::dataViewProtoFuncGetUint16):
1845         (JSC::dataViewProtoFuncGetUint32):
1846         (JSC::dataViewProtoFuncGetFloat32):
1847         (JSC::dataViewProtoFuncGetFloat64):
1848         (JSC::dataViewProtoFuncSetInt8):
1849         (JSC::dataViewProtoFuncSetInt16):
1850         (JSC::dataViewProtoFuncSetInt32):
1851         (JSC::dataViewProtoFuncSetUint8):
1852         (JSC::dataViewProtoFuncSetUint16):
1853         (JSC::dataViewProtoFuncSetUint32):
1854         (JSC::dataViewProtoFuncSetFloat32):
1855         (JSC::dataViewProtoFuncSetFloat64):
1856         * runtime/JSDataViewPrototype.h: Added.
1857         * runtime/JSFloat32Array.h: Added.
1858         * runtime/JSFloat64Array.h: Added.
1859         * runtime/JSGenericTypedArrayView.h: Added.
1860         (JSC::JSGenericTypedArrayView::byteLength):
1861         (JSC::JSGenericTypedArrayView::byteSize):
1862         (JSC::JSGenericTypedArrayView::typedVector):
1863         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1864         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1865         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1866         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1867         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1868         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1869         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1870         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1871         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1872         (JSC::JSGenericTypedArrayView::typedImpl):
1873         (JSC::JSGenericTypedArrayView::createStructure):
1874         (JSC::JSGenericTypedArrayView::info):
1875         (JSC::toNativeTypedView):
1876         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1877         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1878         (JSC::::JSGenericTypedArrayViewConstructor):
1879         (JSC::::finishCreation):
1880         (JSC::::create):
1881         (JSC::::createStructure):
1882         (JSC::constructGenericTypedArrayView):
1883         (JSC::::getConstructData):
1884         (JSC::::getCallData):
1885         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1886         (JSC::::JSGenericTypedArrayView):
1887         (JSC::::create):
1888         (JSC::::createUninitialized):
1889         (JSC::::validateRange):
1890         (JSC::::setWithSpecificType):
1891         (JSC::::set):
1892         (JSC::::getOwnPropertySlot):
1893         (JSC::::getOwnPropertyDescriptor):
1894         (JSC::::put):
1895         (JSC::::defineOwnProperty):
1896         (JSC::::deleteProperty):
1897         (JSC::::getOwnPropertySlotByIndex):
1898         (JSC::::putByIndex):
1899         (JSC::::deletePropertyByIndex):
1900         (JSC::::getOwnNonIndexPropertyNames):
1901         (JSC::::getOwnPropertyNames):
1902         (JSC::::visitChildren):
1903         (JSC::::copyBackingStore):
1904         (JSC::::slowDownAndWasteMemory):
1905         (JSC::::getTypedArrayImpl):
1906         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1907         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1908         (JSC::genericTypedArrayViewProtoFuncSet):
1909         (JSC::genericTypedArrayViewProtoFuncSubarray):
1910         (JSC::::JSGenericTypedArrayViewPrototype):
1911         (JSC::::finishCreation):
1912         (JSC::::create):
1913         (JSC::::createStructure):
1914         * runtime/JSGlobalObject.cpp:
1915         (JSC::JSGlobalObject::reset):
1916         (JSC::JSGlobalObject::visitChildren):
1917         * runtime/JSGlobalObject.h:
1918         (JSC::JSGlobalObject::arrayBufferPrototype):
1919         (JSC::JSGlobalObject::arrayBufferStructure):
1920         (JSC::JSGlobalObject::typedArrayStructure):
1921         * runtime/JSInt16Array.h: Added.
1922         * runtime/JSInt32Array.h: Added.
1923         * runtime/JSInt8Array.h: Added.
1924         * runtime/JSTypedArrayConstructors.cpp: Added.
1925         * runtime/JSTypedArrayConstructors.h: Added.
1926         * runtime/JSTypedArrayPrototypes.cpp: Added.
1927         * runtime/JSTypedArrayPrototypes.h: Added.
1928         * runtime/JSTypedArrays.cpp: Added.
1929         * runtime/JSTypedArrays.h: Added.
1930         * runtime/JSUint16Array.h: Added.
1931         * runtime/JSUint32Array.h: Added.
1932         * runtime/JSUint8Array.h: Added.
1933         * runtime/JSUint8ClampedArray.h: Added.
1934         * runtime/Operations.h:
1935         * runtime/Options.h:
1936         * runtime/SimpleTypedArrayController.cpp: Added.
1937         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1938         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1939         (JSC::SimpleTypedArrayController::toJS):
1940         * runtime/SimpleTypedArrayController.h: Added.
1941         * runtime/Structure.h:
1942         (JSC::Structure::couldHaveIndexingHeader):
1943         * runtime/StructureInlines.h:
1944         (JSC::Structure::hasIndexingHeader):
1945         * runtime/TypedArrayAdaptors.h: Added.
1946         (JSC::IntegralTypedArrayAdaptor::toNative):
1947         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1948         (JSC::IntegralTypedArrayAdaptor::toDouble):
1949         (JSC::FloatTypedArrayAdaptor::toNative):
1950         (JSC::FloatTypedArrayAdaptor::toJSValue):
1951         (JSC::FloatTypedArrayAdaptor::toDouble):
1952         (JSC::Uint8ClampedAdaptor::toNative):
1953         (JSC::Uint8ClampedAdaptor::toJSValue):
1954         (JSC::Uint8ClampedAdaptor::toDouble):
1955         (JSC::Uint8ClampedAdaptor::clamp):
1956         * runtime/TypedArrayController.cpp: Added.
1957         (JSC::TypedArrayController::TypedArrayController):
1958         (JSC::TypedArrayController::~TypedArrayController):
1959         * runtime/TypedArrayController.h: Added.
1960         * runtime/TypedArrayDescriptor.h: Removed.
1961         * runtime/TypedArrayInlines.h: Added.
1962         * runtime/TypedArrayType.cpp: Added.
1963         (JSC::classInfoForType):
1964         (WTF::printInternal):
1965         * runtime/TypedArrayType.h: Added.
1966         (JSC::toIndex):
1967         (JSC::isTypedView):
1968         (JSC::elementSize):
1969         (JSC::isInt):
1970         (JSC::isFloat):
1971         (JSC::isSigned):
1972         (JSC::isClamped):
1973         * runtime/TypedArrays.h: Added.
1974         * runtime/Uint16Array.h:
1975         * runtime/Uint32Array.h:
1976         * runtime/Uint8Array.h:
1977         * runtime/Uint8ClampedArray.h:
1978         * runtime/VM.cpp:
1979         (JSC::VM::VM):
1980         (JSC::VM::~VM):
1981         * runtime/VM.h:
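
        As an added example (not code from this ChangeLog or from JSC itself), the script below checks from JavaScript the view semantics the entry above describes: one buffer shared by several views, clamping in Uint8ClampedArray, a prototype chain that no longer passes through Uint8Array, no JS-visible ArrayBufferView, and DataView accessors with explicit endianness. The wrap-around of out-of-range Uint8Array stores is standard ES behaviour used here for contrast, not something the entry states; all sample values are constructed.

```javascript
// Added example: exercises the JS-visible typed array semantics described in
// the "Typed arrays should be rewritten" entry. Not JSC source code.
function typedArraySemantics() {
  // One buffer, several views over the same 8 bytes (constructed sample).
  const buffer = new ArrayBuffer(8);
  const bytes = new Uint8Array(buffer);
  const clamped = new Uint8ClampedArray(buffer);
  const view = new DataView(buffer);

  // A store through one view is visible through the others: the views alias
  // the buffer's memory rather than owning copies.
  bytes[0] = 0xff;
  const sharedMemory = clamped[0] === 255 && view.getUint8(0) === 255;

  // Uint8Array reduces out-of-range values modulo 256 (standard ES ToUint8);
  // Uint8ClampedArray clamps to [0, 255] (the Uint8ClampedAdaptor::clamp path).
  bytes[1] = 300;
  clamped[2] = 300;
  clamped[3] = -5;
  const wrapVsClamp = bytes[1] === 44 && clamped[2] === 255 && clamped[3] === 0;

  // Uint8ClampedArray is not a subtype of Uint8Array: neither instanceof nor
  // the prototype chain connects the two.
  const clampedIsNotUint8 =
    !(clamped instanceof Uint8Array) &&
    Object.getPrototypeOf(Uint8ClampedArray.prototype) !== Uint8Array.prototype;

  // ArrayBufferView is an internal concept, not a JS-visible constructor.
  const noArrayBufferView = typeof globalThis.ArrayBufferView === 'undefined';

  // DataView accessors take an explicit endianness flag; the byte view shows
  // the actual layout written by a little-endian 16-bit store.
  view.setUint16(4, 0x1234, true);
  const endianness =
    view.getUint16(4, true) === 0x1234 &&
    view.getUint16(4, false) === 0x3412 &&
    bytes[4] === 0x34 && bytes[5] === 0x12;

  // ArrayBuffer.prototype.slice returns a copy: later writes to the original
  // are not reflected in the slice.
  const copy = buffer.slice(0, 2);
  const copyBytes = new Uint8Array(copy);
  bytes[0] = 1;
  const sliceCopies = copy.byteLength === 2 && copyBytes[0] === 255 && copyBytes[1] === 44;

  return { sharedMemory, wrapVsClamp, clampedIsNotUint8, noArrayBufferView, endianness, sliceCopies };
}

// Report which semantics hold on the running engine.
console.log(typedArraySemantics());
```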
1982
1983 2013-08-15  Oliver Hunt  <oliver@apple.com>
1984
1985         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1986
1987         Reviewed by Filip Pizlo.
1988
1989         Make sure dfgCapabilities doesn't report a Dynamic put as
1990         being compilable when we don't actually support it.  
1991
1992         * bytecode/CodeBlock.cpp:
1993         (JSC::CodeBlock::dumpBytecode):
1994         * dfg/DFGCapabilities.cpp:
1995         (JSC::DFG::capabilityLevel):
1996
1997 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1998
1999         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
2000         https://bugs.webkit.org/show_bug.cgi?id=119847
2001
2002         Reviewed by Oliver Hunt.
2003
2004         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
2005         * runtime/ArrayBufferView.h: Ditto.
2006
2007 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
2008
2009         https://bugs.webkit.org/show_bug.cgi?id=119843
2010         PropertySlot::setValue is ambiguous
2011
2012         Reviewed by Geoff Garen.
2013
2014         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
2015         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
2016         Unify on always providing the object, and remove the version that just takes a value.
2017         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
2018         Provide a version of setValue that takes a JSString as the owner of the property.
2019         We won't store this, but it makes it clear that this interface should only be used from JSString.
2020
2021         * API/JSCallbackObjectFunctions.h:
2022         (JSC::::getOwnPropertySlot):
2023         * JSCTypedArrayStubs.h:
2024         * runtime/Arguments.cpp:
2025         (JSC::Arguments::getOwnPropertySlotByIndex):
2026         (JSC::Arguments::getOwnPropertySlot):
2027         * runtime/JSActivation.cpp:
2028         (JSC::JSActivation::symbolTableGet):
2029         (JSC::JSActivation::getOwnPropertySlot):
2030         * runtime/JSArray.cpp:
2031         (JSC::JSArray::getOwnPropertySlot):
2032         * runtime/JSObject.cpp:
2033         (JSC::JSObject::getOwnPropertySlotByIndex):
2034         * runtime/JSString.h:
2035         (JSC::JSString::getStringPropertySlot):
2036         * runtime/JSSymbolTableObject.h:
2037         (JSC::symbolTableGet):
2038         * runtime/SparseArrayValueMap.cpp:
2039         (JSC::SparseArrayEntry::get):
2040             - Pass object containing property to PropertySlot::setValue
2041         * runtime/PropertySlot.h:
2042         (JSC::PropertySlot::setValue):
2043             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
2044         (JSC::PropertySlot::setUndefined):
2045             - removed setValue(JSValue), added setValue(JSString*, JSValue)
2046
2047 2013-08-15  Oliver Hunt  <oliver@apple.com>
2048
2049         Remove bogus assertion.
2050
2051         RS=Filip Pizlo
2052
2053         * dfg/DFGAbstractInterpreterInlines.h:
2054         (JSC::DFG::::executeEffects):
2055
2056 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2057
2058         REGRESSION(r148790) Made 7 tests fail on x86 32bit
2059         https://bugs.webkit.org/show_bug.cgi?id=114913
2060
2061         Reviewed by Filip Pizlo.
2062
2063         The X87 register was not freed before some calls. Instead
2064         of inserting resetX87Registers at the last call sites,
2065         the two X87 registers are now freed in every call.
2066
2067         * llint/LowLevelInterpreter32_64.asm:
2068         * llint/LowLevelInterpreter64.asm:
2069         * offlineasm/instructions.rb:
2070         * offlineasm/x86.rb:
2071
2072 2013-08-14  Michael Saboff  <msaboff@apple.com>
2073
2074         Fixed jit on Win64.
2075         https://bugs.webkit.org/show_bug.cgi?id=119601
2076
2077         Reviewed by Oliver Hunt.
2078
2079         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
2080         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
2081         * jit/SlowPathCall.h:
2082         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
2083
2084 2013-08-14  Alex Christensen  <achristensen@apple.com>
2085
2086         Compile fix for Win64 with jit disabled.
2087         https://bugs.webkit.org/show_bug.cgi?id=119804
2088
2089         Reviewed by Michael Saboff.
2090
2091         * offlineasm/cloop.rb: Added std:: before isnan.
2092
2093 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
2094
2095         DFG_JIT implementation for sh4 architecture.
2096         https://bugs.webkit.org/show_bug.cgi?id=119737
2097
2098         Reviewed by Oliver Hunt.
2099
2100         * assembler/MacroAssemblerSH4.h:
2101         (JSC::MacroAssemblerSH4::invert):
2102         (JSC::MacroAssemblerSH4::add32):
2103         (JSC::MacroAssemblerSH4::and32):
2104         (JSC::MacroAssemblerSH4::lshift32):
2105         (JSC::MacroAssemblerSH4::mul32):
2106         (JSC::MacroAssemblerSH4::or32):
2107         (JSC::MacroAssemblerSH4::rshift32):
2108         (JSC::MacroAssemblerSH4::sub32):
2109         (JSC::MacroAssemblerSH4::xor32):
2110         (JSC::MacroAssemblerSH4::store32):
2111         (JSC::MacroAssemblerSH4::swapDouble):
2112         (JSC::MacroAssemblerSH4::storeDouble):
2113         (JSC::MacroAssemblerSH4::subDouble):
2114         (JSC::MacroAssemblerSH4::mulDouble):
2115         (JSC::MacroAssemblerSH4::divDouble):
2116         (JSC::MacroAssemblerSH4::negateDouble):
2117         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
2118         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
2119         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
2120         (JSC::MacroAssemblerSH4::swap):
2121         (JSC::MacroAssemblerSH4::jump):
2122         (JSC::MacroAssemblerSH4::branchNeg32):
2123         (JSC::MacroAssemblerSH4::branchAdd32):
2124         (JSC::MacroAssemblerSH4::branchMul32):
2125         (JSC::MacroAssemblerSH4::urshift32):
2126         * assembler/SH4Assembler.h:
2127         (JSC::SH4Assembler::SH4Assembler):
2128         (JSC::SH4Assembler::labelForWatchpoint):
2129         (JSC::SH4Assembler::label):
2130         (JSC::SH4Assembler::debugOffset):
2131         * dfg/DFGAssemblyHelpers.h:
2132         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
2133         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
2134         (JSC::DFG::AssemblyHelpers::debugCall):
2135         * dfg/DFGCCallHelpers.h:
2136         (JSC::DFG::CCallHelpers::setupArguments):
2137         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2138         * dfg/DFGFPRInfo.h:
2139         (JSC::DFG::FPRInfo::toRegister):
2140         (JSC::DFG::FPRInfo::toIndex):
2141         (JSC::DFG::FPRInfo::debugName):
2142         * dfg/DFGGPRInfo.h:
2143         (JSC::DFG::GPRInfo::toRegister):
2144         (JSC::DFG::GPRInfo::toIndex):
2145         (JSC::DFG::GPRInfo::debugName):
2146         * dfg/DFGOperations.cpp:
2147         * dfg/DFGSpeculativeJIT.h:
2148         (JSC::DFG::SpeculativeJIT::callOperation):
2149         * jit/JITStubs.h:
2150         * jit/JITStubsSH4.h:
2151
2152 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2153
2154         Unreviewed, fix build.
2155
2156         * API/JSValue.mm:
2157         (isDate):
2158         (isArray):
2159         * API/JSWrapperMap.mm:
2160         (tryUnwrapObjcObject):
2161         * API/ObjCCallbackFunction.mm:
2162         (tryUnwrapBlock):
2163
2164 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2165
2166         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
2167         https://bugs.webkit.org/show_bug.cgi?id=119770
2168
2169         Reviewed by Mark Hahnenberg.
2170
2171         * API/JSCallbackConstructor.cpp:
2172         (JSC::JSCallbackConstructor::finishCreation):
2173         * API/JSCallbackConstructor.h:
2174         (JSC::JSCallbackConstructor::createStructure):
2175         * API/JSCallbackFunction.cpp:
2176         (JSC::JSCallbackFunction::finishCreation):
2177         * API/JSCallbackFunction.h:
2178         (JSC::JSCallbackFunction::createStructure):
2179         * API/JSCallbackObject.cpp:
2180         (JSC::::createStructure):
2181         * API/JSCallbackObject.h:
2182         (JSC::JSCallbackObject::visitChildren):
2183         * API/JSCallbackObjectFunctions.h:
2184         (JSC::::asCallbackObject):
2185         (JSC::::finishCreation):
2186         * API/JSObjectRef.cpp:
2187         (JSObjectGetPrivate):
2188         (JSObjectSetPrivate):
2189         (JSObjectGetPrivateProperty):
2190         (JSObjectSetPrivateProperty):
2191         (JSObjectDeletePrivateProperty):
2192         * API/JSValueRef.cpp:
2193         (JSValueIsObjectOfClass):
2194         * API/JSWeakObjectMapRefPrivate.cpp:
2195         * API/ObjCCallbackFunction.h:
2196         (JSC::ObjCCallbackFunction::createStructure):
2197         * JSCTypedArrayStubs.h:
2198         * bytecode/CallLinkStatus.cpp:
2199         (JSC::CallLinkStatus::CallLinkStatus):
2200         (JSC::CallLinkStatus::function):
2201         (JSC::CallLinkStatus::internalFunction):
2202         * bytecode/CodeBlock.h:
2203         (JSC::baselineCodeBlockForInlineCallFrame):
2204         * bytecode/SpeculatedType.cpp:
2205         (JSC::speculationFromClassInfo):
2206         * bytecode/UnlinkedCodeBlock.cpp:
2207         (JSC::UnlinkedFunctionExecutable::visitChildren):
2208         (JSC::UnlinkedCodeBlock::visitChildren):
2209         (JSC::UnlinkedProgramCodeBlock::visitChildren):
2210         * bytecode/UnlinkedCodeBlock.h:
2211         (JSC::UnlinkedFunctionExecutable::createStructure):
2212         (JSC::UnlinkedProgramCodeBlock::createStructure):
2213         (JSC::UnlinkedEvalCodeBlock::createStructure):
2214         (JSC::UnlinkedFunctionCodeBlock::createStructure):
2215         * debugger/Debugger.cpp:
2216         * debugger/DebuggerActivation.cpp:
2217         (JSC::DebuggerActivation::visitChildren):
2218         * debugger/DebuggerActivation.h:
2219         (JSC::DebuggerActivation::createStructure):
2220         * debugger/DebuggerCallFrame.cpp:
2221         (JSC::DebuggerCallFrame::functionName):
2222         * dfg/DFGAbstractInterpreterInlines.h:
2223         (JSC::DFG::::executeEffects):
2224         * dfg/DFGByteCodeParser.cpp:
2225         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2226         (JSC::DFG::ByteCodeParser::parseBlock):
2227         * dfg/DFGFixupPhase.cpp:
2228         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2229         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
2230         * dfg/DFGGraph.cpp:
2231         (JSC::DFG::Graph::dump):
2232         * dfg/DFGGraph.h:
2233         (JSC::DFG::Graph::isInternalFunctionConstant):
2234         * dfg/DFGOperations.cpp:
2235         * dfg/DFGSpeculativeJIT.cpp:
2236         (JSC::DFG::SpeculativeJIT::checkArray):
2237         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2238         * dfg/DFGThunks.cpp:
2239         (JSC::DFG::virtualForThunkGenerator):
2240         * interpreter/Interpreter.cpp:
2241         (JSC::loadVarargs):
2242         * jsc.cpp:
2243         (GlobalObject::createStructure):
2244         * profiler/LegacyProfiler.cpp:
2245         (JSC::LegacyProfiler::createCallIdentifier):
2246         * runtime/Arguments.cpp:
2247         (JSC::Arguments::visitChildren):
2248         * runtime/Arguments.h:
2249         (JSC::Arguments::createStructure):
2250         (JSC::asArguments):
2251         (JSC::Arguments::finishCreation):
2252         * runtime/ArrayConstructor.cpp:
2253         (JSC::arrayConstructorIsArray):
2254         * runtime/ArrayConstructor.h:
2255         (JSC::ArrayConstructor::createStructure):
2256         * runtime/ArrayPrototype.cpp:
2257         (JSC::ArrayPrototype::finishCreation):
2258         (JSC::arrayProtoFuncConcat):
2259         (JSC::attemptFastSort):
2260         * runtime/ArrayPrototype.h:
2261         (JSC::ArrayPrototype::createStructure):
2262         * runtime/BooleanConstructor.h:
2263         (JSC::BooleanConstructor::createStructure):
2264         * runtime/BooleanObject.cpp:
2265         (JSC::BooleanObject::finishCreation):
2266         * runtime/BooleanObject.h:
2267         (JSC::BooleanObject::createStructure):
2268         (JSC::asBooleanObject):
2269         * runtime/BooleanPrototype.cpp:
2270         (JSC::BooleanPrototype::finishCreation):
2271         (JSC::booleanProtoFuncToString):
2272         (JSC::booleanProtoFuncValueOf):
2273         * runtime/BooleanPrototype.h:
2274         (JSC::BooleanPrototype::createStructure):
2275         * runtime/DateConstructor.cpp:
2276         (JSC::constructDate):
2277         * runtime/DateConstructor.h:
2278         (JSC::DateConstructor::createStructure):
2279         * runtime/DateInstance.cpp:
2280         (JSC::DateInstance::finishCreation):
2281         * runtime/DateInstance.h:
2282         (JSC::DateInstance::createStructure):
2283         (JSC::asDateInstance):
2284         * runtime/DatePrototype.cpp:
2285         (JSC::formateDateInstance):
2286         (JSC::DatePrototype::finishCreation):
2287         (JSC::dateProtoFuncToISOString):
2288         (JSC::dateProtoFuncToLocaleString):
2289         (JSC::dateProtoFuncToLocaleDateString):
2290         (JSC::dateProtoFuncToLocaleTimeString):
2291         (JSC::dateProtoFuncGetTime):
2292         (JSC::dateProtoFuncGetFullYear):
2293         (JSC::dateProtoFuncGetUTCFullYear):
2294         (JSC::dateProtoFuncGetMonth):
2295         (JSC::dateProtoFuncGetUTCMonth):
2296         (JSC::dateProtoFuncGetDate):
2297         (JSC::dateProtoFuncGetUTCDate):
2298         (JSC::dateProtoFuncGetDay):
2299         (JSC::dateProtoFuncGetUTCDay):
2300         (JSC::dateProtoFuncGetHours):
2301         (JSC::dateProtoFuncGetUTCHours):
2302         (JSC::dateProtoFuncGetMinutes):
2303         (JSC::dateProtoFuncGetUTCMinutes):
2304         (JSC::dateProtoFuncGetSeconds):
2305         (JSC::dateProtoFuncGetUTCSeconds):
2306         (JSC::dateProtoFuncGetMilliSeconds):
2307         (JSC::dateProtoFuncGetUTCMilliseconds):
2308         (JSC::dateProtoFuncGetTimezoneOffset):
2309         (JSC::dateProtoFuncSetTime):
2310         (JSC::setNewValueFromTimeArgs):
2311         (JSC::setNewValueFromDateArgs):
2312         (JSC::dateProtoFuncSetYear):
2313         (JSC::dateProtoFuncGetYear):
2314         * runtime/DatePrototype.h:
2315         (JSC::DatePrototype::createStructure):
2316         * runtime/Error.h:
2317         (JSC::StrictModeTypeErrorFunction::createStructure):
2318         * runtime/ErrorConstructor.h:
2319         (JSC::ErrorConstructor::createStructure):
2320         * runtime/ErrorInstance.cpp:
2321         (JSC::ErrorInstance::finishCreation):
2322         * runtime/ErrorInstance.h:
2323         (JSC::ErrorInstance::createStructure):
2324         * runtime/ErrorPrototype.cpp:
2325         (JSC::ErrorPrototype::finishCreation):
2326         * runtime/ErrorPrototype.h:
2327         (JSC::ErrorPrototype::createStructure):
2328         * runtime/ExceptionHelpers.cpp:
2329         (JSC::isTerminatedExecutionException):
2330         * runtime/ExceptionHelpers.h:
2331         (JSC::TerminatedExecutionError::createStructure):
2332         * runtime/Executable.cpp:
2333         (JSC::EvalExecutable::visitChildren):
2334         (JSC::ProgramExecutable::visitChildren):
2335         (JSC::FunctionExecutable::visitChildren):
2336         (JSC::ExecutableBase::hashFor):
2337         * runtime/Executable.h:
2338         (JSC::ExecutableBase::createStructure):
2339         (JSC::NativeExecutable::createStructure):
2340         (JSC::EvalExecutable::createStructure):
2341         (JSC::ProgramExecutable::createStructure):
2342         (JSC::FunctionExecutable::compileFor):
2343         (JSC::FunctionExecutable::compileOptimizedFor):
2344         (JSC::FunctionExecutable::createStructure):
2345         * runtime/FunctionConstructor.h:
2346         (JSC::FunctionConstructor::createStructure):
2347         * runtime/FunctionPrototype.cpp:
2348         (JSC::functionProtoFuncToString):
2349         (JSC::functionProtoFuncApply):
2350         (JSC::functionProtoFuncBind):
2351         * runtime/FunctionPrototype.h:
2352         (JSC::FunctionPrototype::createStructure):
2353         * runtime/GetterSetter.cpp:
2354         (JSC::GetterSetter::visitChildren):
2355         * runtime/GetterSetter.h:
2356         (JSC::GetterSetter::createStructure):
2357         * runtime/InternalFunction.cpp:
2358         (JSC::InternalFunction::finishCreation):
2359         * runtime/InternalFunction.h:
2360         (JSC::InternalFunction::createStructure):
2361         (JSC::asInternalFunction):
2362         * runtime/JSAPIValueWrapper.h:
2363         (JSC::JSAPIValueWrapper::createStructure):
2364         * runtime/JSActivation.cpp:
2365         (JSC::JSActivation::visitChildren):
2366         (JSC::JSActivation::argumentsGetter):
2367         * runtime/JSActivation.h:
2368         (JSC::JSActivation::createStructure):
2369         (JSC::asActivation):
2370         * runtime/JSArray.h:
2371         (JSC::JSArray::createStructure):
2372         (JSC::asArray):
2373         (JSC::isJSArray):
2374         * runtime/JSBoundFunction.cpp:
2375         (JSC::JSBoundFunction::finishCreation):
2376         (JSC::JSBoundFunction::visitChildren):
2377         * runtime/JSBoundFunction.h:
2378         (JSC::JSBoundFunction::createStructure):
2379         * runtime/JSCJSValue.cpp:
2380         (JSC::JSValue::dumpInContext):
2381         * runtime/JSCJSValueInlines.h:
2382         (JSC::JSValue::isFunction):
2383         * runtime/JSCell.h:
2384         (JSC::jsCast):
2385         (JSC::jsDynamicCast):
2386         * runtime/JSCellInlines.h:
2387         (JSC::allocateCell):
2388         * runtime/JSFunction.cpp:
2389         (JSC::JSFunction::finishCreation):
2390         (JSC::JSFunction::visitChildren):
2391         (JSC::skipOverBoundFunctions):
2392         (JSC::JSFunction::callerGetter):
2393         * runtime/JSFunction.h:
2394         (JSC::JSFunction::createStructure):
2395         * runtime/JSGlobalObject.cpp:
2396         (JSC::JSGlobalObject::visitChildren):
2397         (JSC::slowValidateCell):
2398         * runtime/JSGlobalObject.h:
2399         (JSC::JSGlobalObject::createStructure):
2400         * runtime/JSNameScope.cpp:
2401         (JSC::JSNameScope::visitChildren):
2402         * runtime/JSNameScope.h:
2403         (JSC::JSNameScope::createStructure):
2404         * runtime/JSNotAnObject.h:
2405         (JSC::JSNotAnObject::createStructure):
2406         * runtime/JSONObject.cpp:
2407         (JSC::JSONObject::finishCreation):
2408         (JSC::unwrapBoxedPrimitive):
2409         (JSC::Stringifier::Stringifier):
2410         (JSC::Stringifier::appendStringifiedValue):
2411         (JSC::Stringifier::Holder::Holder):
2412         (JSC::Walker::walk):
2413         (JSC::JSONProtoFuncStringify):
2414         * runtime/JSONObject.h:
2415         (JSC::JSONObject::createStructure):
2416         * runtime/JSObject.cpp:
2417         (JSC::getCallableObjectSlow):
2418         (JSC::JSObject::visitChildren):
2419         (JSC::JSObject::copyBackingStore):
2420         (JSC::JSFinalObject::visitChildren):
2421         (JSC::JSObject::ensureInt32Slow):
2422         (JSC::JSObject::ensureDoubleSlow):
2423         (JSC::JSObject::ensureContiguousSlow):
2424         (JSC::JSObject::ensureArrayStorageSlow):
2425         * runtime/JSObject.h:
2426         (JSC::JSObject::finishCreation):
2427         (JSC::JSObject::createStructure):
2428         (JSC::JSNonFinalObject::createStructure):
2429         (JSC::JSFinalObject::createStructure):
2430         (JSC::isJSFinalObject):
2431         * runtime/JSPropertyNameIterator.cpp:
2432         (JSC::JSPropertyNameIterator::visitChildren):
2433         * runtime/JSPropertyNameIterator.h:
2434         (JSC::JSPropertyNameIterator::createStructure):
2435         * runtime/JSProxy.cpp:
2436         (JSC::JSProxy::visitChildren):
2437         * runtime/JSProxy.h:
2438         (JSC::JSProxy::createStructure):
2439         * runtime/JSScope.cpp:
2440         (JSC::JSScope::visitChildren):
2441         * runtime/JSSegmentedVariableObject.cpp:
2442         (JSC::JSSegmentedVariableObject::visitChildren):
2443         * runtime/JSString.h:
2444         (JSC::JSString::createStructure):
2445         (JSC::isJSString):
2446         * runtime/JSSymbolTableObject.cpp:
2447         (JSC::JSSymbolTableObject::visitChildren):
2448         * runtime/JSVariableObject.h:
2449         * runtime/JSWithScope.cpp:
2450         (JSC::JSWithScope::visitChildren):
2451         * runtime/JSWithScope.h:
2452         (JSC::JSWithScope::createStructure):
2453         * runtime/JSWrapperObject.cpp:
2454         (JSC::JSWrapperObject::visitChildren):
2455         * runtime/JSWrapperObject.h:
2456         (JSC::JSWrapperObject::createStructure):
2457         * runtime/MathObject.cpp:
2458         (JSC::MathObject::finishCreation):
2459         * runtime/MathObject.h:
2460         (JSC::MathObject::createStructure):
2461         * runtime/NameConstructor.h:
2462         (JSC::NameConstructor::createStructure):
2463         * runtime/NameInstance.h:
2464         (JSC::NameInstance::createStructure):
2465         (JSC::NameInstance::finishCreation):
2466         * runtime/NamePrototype.cpp:
2467         (JSC::NamePrototype::finishCreation):
2468         (JSC::privateNameProtoFuncToString):
2469         * runtime/NamePrototype.h:
2470         (JSC::NamePrototype::createStructure):
2471         * runtime/NativeErrorConstructor.cpp:
2472         (JSC::NativeErrorConstructor::visitChildren):
2473         * runtime/NativeErrorConstructor.h:
2474         (JSC::NativeErrorConstructor::createStructure):
2475         (JSC::NativeErrorConstructor::finishCreation):
2476         * runtime/NumberConstructor.cpp:
2477         (JSC::NumberConstructor::finishCreation):
2478         * runtime/NumberConstructor.h:
2479         (JSC::NumberConstructor::createStructure):
2480         * runtime/NumberObject.cpp:
2481         (JSC::NumberObject::finishCreation):
2482         * runtime/NumberObject.h:
2483         (JSC::NumberObject::createStructure):
2484         * runtime/NumberPrototype.cpp:
2485         (JSC::NumberPrototype::finishCreation):
2486         * runtime/NumberPrototype.h:
2487         (JSC::NumberPrototype::createStructure):
2488         * runtime/ObjectConstructor.h:
2489         (JSC::ObjectConstructor::createStructure):
2490         * runtime/ObjectPrototype.cpp:
2491         (JSC::ObjectPrototype::finishCreation):
2492         * runtime/ObjectPrototype.h:
2493         (JSC::ObjectPrototype::createStructure):
2494         * runtime/PropertyMapHashTable.h:
2495         (JSC::PropertyTable::createStructure):
2496         * runtime/PropertyTable.cpp:
2497         (JSC::PropertyTable::visitChildren):
2498         * runtime/RegExp.h:
2499         (JSC::RegExp::createStructure):
2500         * runtime/RegExpConstructor.cpp:
2501         (JSC::RegExpConstructor::finishCreation):
2502         (JSC::RegExpConstructor::visitChildren):
2503         (JSC::constructRegExp):
2504         * runtime/RegExpConstructor.h:
2505         (JSC::RegExpConstructor::createStructure):
2506         (JSC::asRegExpConstructor):
2507         * runtime/RegExpMatchesArray.cpp:
2508         (JSC::RegExpMatchesArray::visitChildren):
2509         * runtime/RegExpMatchesArray.h:
2510         (JSC::RegExpMatchesArray::createStructure):
2511         * runtime/RegExpObject.cpp:
2512         (JSC::RegExpObject::finishCreation):
2513         (JSC::RegExpObject::visitChildren):
2514         * runtime/RegExpObject.h:
2515         (JSC::RegExpObject::createStructure):
2516         (JSC::asRegExpObject):
2517         * runtime/RegExpPrototype.cpp:
2518         (JSC::regExpProtoFuncTest):
2519         (JSC::regExpProtoFuncExec):
2520         (JSC::regExpProtoFuncCompile):
2521         (JSC::regExpProtoFuncToString):
2522         * runtime/RegExpPrototype.h:
2523         (JSC::RegExpPrototype::createStructure):
2524         * runtime/SparseArrayValueMap.cpp:
2525         (JSC::SparseArrayValueMap::createStructure):
2526         * runtime/SparseArrayValueMap.h:
2527         * runtime/StrictEvalActivation.h:
2528         (JSC::StrictEvalActivation::createStructure):
2529         * runtime/StringConstructor.h:
2530         (JSC::StringConstructor::createStructure):
2531         * runtime/StringObject.cpp:
2532         (JSC::StringObject::finishCreation):
2533         * runtime/StringObject.h:
2534         (JSC::StringObject::createStructure):
2535         (JSC::asStringObject):
2536         * runtime/StringPrototype.cpp:
2537         (JSC::StringPrototype::finishCreation):
2538         (JSC::stringProtoFuncReplace):
2539         (JSC::stringProtoFuncToString):
2540         (JSC::stringProtoFuncMatch):
2541         (JSC::stringProtoFuncSearch):
2542         (JSC::stringProtoFuncSplit):
2543         * runtime/StringPrototype.h:
2544         (JSC::StringPrototype::createStructure):
2545         * runtime/Structure.cpp:
2546         (JSC::Structure::Structure):
2547         (JSC::Structure::materializePropertyMap):
2548         (JSC::Structure::get):
2549         (JSC::Structure::visitChildren):
2550         * runtime/Structure.h:
2551         (JSC::Structure::typeInfo):
2552         (JSC::Structure::previousID):
2553         (JSC::Structure::outOfLineSize):
2554         (JSC::Structure::totalStorageCapacity):
2555         (JSC::Structure::materializePropertyMapIfNecessary):
2556         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2557         * runtime/StructureChain.cpp:
2558         (JSC::StructureChain::visitChildren):
2559         * runtime/StructureChain.h:
2560         (JSC::StructureChain::createStructure):
2561         * runtime/StructureInlines.h:
2562         (JSC::Structure::get):
2563         * runtime/StructureRareData.cpp:
2564         (JSC::StructureRareData::createStructure):
2565         (JSC::StructureRareData::visitChildren):
2566         * runtime/StructureRareData.h:
2567         * runtime/SymbolTable.h:
2568         (JSC::SharedSymbolTable::createStructure):
2569         * runtime/VM.cpp:
2570         (JSC::VM::VM):
2571         (JSC::StackPreservingRecompiler::operator()):
2572         (JSC::VM::releaseExecutableMemory):
2573         * runtime/WriteBarrier.h:
2574         (JSC::validateCell):
2575         * testRegExp.cpp:
2576         (GlobalObject::createStructure):
2577
2578 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
2579
2580         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
2581         https://bugs.webkit.org/show_bug.cgi?id=119762
2582
2583         Reviewed by Geoffrey Garen.
2584
2585         * heap/Heap.cpp:
2586         (JSC::Heap::Heap):
2587         (JSC::Heap::markRoots):
2588         (JSC::Heap::collect):
2589         * jsc.cpp:
2590         (StopWatch::start):
2591         (StopWatch::stop):
2592         * testRegExp.cpp:
2593         (StopWatch::start):
2594         (StopWatch::stop):
2595
2596 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2597
2598         [sh4] Prepare LLINT for DFG_JIT implementation.
2599         https://bugs.webkit.org/show_bug.cgi?id=119755
2600
2601         Reviewed by Oliver Hunt.
2602
2603         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
2604         * offlineasm/sh4.rb:
2605             - Handle storeb opcode.
2606             - Make relative jumps when possible using braf opcode.
2607             - Update bmulio implementation to be consistent with baseline JIT.
2608             - Remove useless code from leap opcode.
2609             - Fix incorrect comment.
2610
2611 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2612
2613         [sh4] Prepare baseline JIT for DFG_JIT implementation.
2614         https://bugs.webkit.org/show_bug.cgi?id=119758
2615
2616         Reviewed by Oliver Hunt.
2617
2618         * assembler/MacroAssemblerSH4.h:
2619             - Introduce a loadEffectiveAddress function to avoid code duplication.
2620             - Add ASSERTs and clean code.
2621         * assembler/SH4Assembler.h:
2622             - Prepare DFG_JIT implementation.
2623             - Add ASSERTs.
2624         * jit/JITStubs.cpp:
2625             - Add SH4 specific call for assertions.
2626         * jit/JITStubs.h:
2627             - Cosmetic change.
2628         * jit/JITStubsSH4.h:
2629             - Use constants to be more flexible with sh4 JIT stack frame.
2630         * jit/JSInterfaceJIT.h:
2631             - Cosmetic change.
2632
2633 2013-08-13  Oliver Hunt  <oliver@apple.com>
2634
2635         Harden executeConstruct against incorrect return types from host functions
2636         https://bugs.webkit.org/show_bug.cgi?id=119757
2637
2638         Reviewed by Mark Hahnenberg.
2639
2640         Add logic to guard against bogus return types.  There doesn't seem to be any
2641         class in webkit that does this wrong, but the typed array stubs in debug JSC
2642         do exhibit this bad behaviour.
2643
2644         * interpreter/Interpreter.cpp:
2645         (JSC::Interpreter::executeConstruct):
2646
2647 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2648
2649         [Qt] Fix C++11 build with gcc 4.4 and 4.5
2650         https://bugs.webkit.org/show_bug.cgi?id=119736
2651
2652         Reviewed by Anders Carlsson.
2653
2654         Don't force C++11 mode off anymore.
2655
2656         * Target.pri:
2657
2658 2013-08-12  Oliver Hunt  <oliver@apple.com>
2659
2660         Remove CodeBlock's notion of adding identifiers entirely
2661         https://bugs.webkit.org/show_bug.cgi?id=119708
2662
2663         Reviewed by Geoffrey Garen.
2664
2665         Remove addAdditionalIdentifier entirely, including the bogus assertion.
2666         Move the addition of identifiers to DFGPlan::reallyAdd.
2667
2668         * bytecode/CodeBlock.h:
2669         * dfg/DFGDesiredIdentifiers.cpp:
2670         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2671         * dfg/DFGDesiredIdentifiers.h:
2672         * dfg/DFGPlan.cpp:
2673         (JSC::DFG::Plan::reallyAdd):
2674         (JSC::DFG::Plan::finalize):
2675         * dfg/DFGPlan.h:
2676
2677 2013-08-12  Oliver Hunt  <oliver@apple.com>
2678
2679         Build fix
2680
2681         * runtime/JSCell.h:
2682
2683 2013-08-12  Oliver Hunt  <oliver@apple.com>
2684
2685         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
2686         https://bugs.webkit.org/show_bug.cgi?id=119705
2687
2688         Reviewed by Geoffrey Garen.
2689
2690         Relatively trivial refactoring.
2691
2692         * bytecode/CodeBlock.h:
2693         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2694         (JSC::CodeBlock::addAdditionalIdentifier):
2695         (JSC::CodeBlock::identifier):
2696         (JSC::CodeBlock::numberOfIdentifiers):
2697         * dfg/DFGCommonData.h:
2698
2699 2013-08-12  Oliver Hunt  <oliver@apple.com>
2700
2701         Stop making unnecessary copy of CodeBlock Identifier Vector
2702         https://bugs.webkit.org/show_bug.cgi?id=119702
2703
2704         Reviewed by Michael Saboff.
2705
2706         Make CodeBlock simply use a separate Vector for additional Identifiers
2707         and use the UnlinkedCodeBlock for the initial set of identifiers.
2708
2709         * bytecode/CodeBlock.cpp:
2710         (JSC::CodeBlock::printGetByIdOp):
2711         (JSC::dumpStructure):
2712         (JSC::dumpChain):
2713         (JSC::CodeBlock::printGetByIdCacheStatus):
2714         (JSC::CodeBlock::printPutByIdOp):
2715         (JSC::CodeBlock::dumpBytecode):
2716         (JSC::CodeBlock::CodeBlock):
2717         (JSC::CodeBlock::shrinkToFit):
2718         * bytecode/CodeBlock.h:
2719         (JSC::CodeBlock::numberOfIdentifiers):
2720         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2721         (JSC::CodeBlock::addAdditionalIdentifier):
2722         (JSC::CodeBlock::identifier):
2723         * dfg/DFGDesiredIdentifiers.cpp:
2724         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2725         * jit/JIT.h:
2726         * jit/JITOpcodes.cpp:
2727         (JSC::JIT::emitSlow_op_get_arguments_length):
2728         * jit/JITPropertyAccess.cpp:
2729         (JSC::JIT::emit_op_get_by_id):
2730         (JSC::JIT::compileGetByIdHotPath):
2731         (JSC::JIT::emitSlow_op_get_by_id):
2732         (JSC::JIT::compileGetByIdSlowCase):
2733         (JSC::JIT::emitSlow_op_put_by_id):
2734         * jit/JITPropertyAccess32_64.cpp:
2735         (JSC::JIT::emit_op_get_by_id):
2736         (JSC::JIT::compileGetByIdHotPath):
2737         (JSC::JIT::compileGetByIdSlowCase):
2738         * jit/JITStubs.cpp:
2739         (JSC::DEFINE_STUB_FUNCTION):
2740         * llint/LLIntSlowPaths.cpp:
2741         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2742
2743 2013-08-08  Mark Lam  <mark.lam@apple.com>
2744
2745         Restoring use of StackIterator instead of Interpreter::getStacktrace().
2746         https://bugs.webkit.org/show_bug.cgi?id=119575.
2747
2748         Reviewed by Oliver Hunt.
2749
2750         * interpreter/Interpreter.h:
2751         - Made getStackTrace() private.
2752         * interpreter/StackIterator.cpp:
2753         (JSC::StackIterator::StackIterator):
2754         (JSC::StackIterator::numberOfFrames):
2755         - Computes the number of frames by iterating through the whole stack
2756           from the starting frame. The iterator will save its current frame
2757           position before counting the frames, and then restore it after
2758           the counting.
2759         (JSC::StackIterator::gotoFrameAtIndex):
2760         (JSC::StackIterator::gotoNextFrame):
2761         (JSC::StackIterator::resetIterator):
2762         - Points the iterator to the starting frame.
2763         * interpreter/StackIteratorPrivate.h:
2764
2765 2013-08-08  Mark Lam  <mark.lam@apple.com>
2766
2767         Moved ErrorConstructor and NativeErrorConstructor helper functions into
2768         the Interpreter class.
2769         https://bugs.webkit.org/show_bug.cgi?id=119576.
2770
2771         Reviewed by Oliver Hunt.
2772
2773         This change is needed to prepare for making Interpreter::getStackTrace()
2774         private. It does not change the behavior of the code, only the lexical
2775         scoping.
2776
2777         * interpreter/Interpreter.h:
2778         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
2779         * runtime/ErrorConstructor.cpp:
2780         (JSC::Interpreter::constructWithErrorConstructor):
2781         (JSC::ErrorConstructor::getConstructData):
2782         (JSC::Interpreter::callErrorConstructor):
2783         (JSC::ErrorConstructor::getCallData):
2784         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
2785           directly. So, we moved the helper functions into the Interpreter
2786           class.
2787         * runtime/NativeErrorConstructor.cpp:
2788         (JSC::Interpreter::constructWithNativeErrorConstructor):
2789         (JSC::NativeErrorConstructor::getConstructData):
2790         (JSC::Interpreter::callNativeErrorConstructor):
2791         (JSC::NativeErrorConstructor::getCallData):
2792         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
2793           directly. So, we moved the helper functions into the Interpreter
2794           class.
2795
2796 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2797
2798         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
2799         https://bugs.webkit.org/show_bug.cgi?id=119555
2800
2801         Reviewed by Geoffrey Garen.
2802
2803         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2804         This was causing crashes on maps.google.com in 32-bit debug builds.
2805
2806         * dfg/DFGSpeculativeJIT32_64.cpp:
2807         (JSC::DFG::SpeculativeJIT::compile):
2808
2809 2013-08-06  Michael Saboff  <msaboff@apple.com>
2810
2811         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2812         https://bugs.webkit.org/show_bug.cgi?id=119405
2813
2814         Reviewed by Geoffrey Garen.
2815
2816         * dfg/DFGSpeculativeJIT.cpp:
2817         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2818         ourselves to save a register and then load from it.
2819
2820 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2821
2822         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2823         https://bugs.webkit.org/show_bug.cgi?id=119528
2824
2825         Reviewed by Geoffrey Garen.
2826
2827         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2828         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2829         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2830         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2831         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2832
2833         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2834
2835         * bytecode/CodeBlock.cpp:
2836         (JSC::CodeBlock::finalizeUnconditionally):
2837         * dfg/DFGDriver.cpp:
2838         (JSC::DFG::compile):
2839         * dfg/DFGFixupPhase.cpp:
2840         (JSC::DFG::FixupPhase::fixupNode):
2841         * dfg/DFGGraph.cpp:
2842         (JSC::DFG::Graph::dump):
2843         * dfg/DFGSpeculativeJIT64.cpp:
2844         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2845         * runtime/JSObject.h:
2846         (JSC::JSObject::getIndexQuickly):
2847         (JSC::JSObject::tryGetIndexQuickly):
2848
2849 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2850
2851         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2852
2853         Unreviewed.
2854
2855         Ensure llint symbols are in source order.
2856
2857         * JavaScriptCore.order:
2858
2859 2013-08-06  Mark Lam  <mark.lam@apple.com>
2860
2861         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2862         https://bugs.webkit.org/show_bug.cgi?id=119532.
2863
2864         Reviewed by Oliver Hunt.
2865
2866         * parser/Parser.cpp:
2867         (JSC::::Parser):
2868         - Just need to initialize the Parser's JSTokenLocation's initial line and
2869           startOffset as well during Parser construction.
2870
2871 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2872
2873         Update Order Files for Safari
2874         <rdar://problem/14517392>
2875
2876         Unreviewed.
2877
2878         * JavaScriptCore.order:
2879
2880 2013-08-04  Sam Weinig  <sam@webkit.org>
2881
2882         Remove support for HTML5 MicroData
2883         https://bugs.webkit.org/show_bug.cgi?id=119480
2884
2885         Reviewed by Anders Carlsson.
2886
2887         * Configurations/FeatureDefines.xcconfig:
2888
2889 2013-08-05  Oliver Hunt  <oliver@apple.com>
2890
2891         Delay Arguments creation in strict mode
2892         https://bugs.webkit.org/show_bug.cgi?id=119505
2893
2894         Reviewed by Geoffrey Garen.
2895
2896         Make use of the write tracking performed by the parser to
2897         allow us to know if we're modifying the parameters to a function.
2898         Then use that information to make strict mode functions opt out
2899         of eager arguments creation.
2900
2901         * bytecompiler/BytecodeGenerator.cpp:
2902         (JSC::BytecodeGenerator::BytecodeGenerator):
2903         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2904         (JSC::BytecodeGenerator::emitReturn):
2905         * bytecompiler/BytecodeGenerator.h:
2906         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2907         * parser/Nodes.h:
2908         (JSC::ScopeNode::modifiesParameter):
2909         * parser/Parser.cpp:
2910         (JSC::::parseInner):
2911         * parser/Parser.h:
2912         (JSC::Scope::declareParameter):
2913         (JSC::Scope::getCapturedVariables):
2914         (JSC::Parser::declareWrite):
2915         * parser/ParserModes.h:
2916
2917 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2918
2919         Remove useless code from COMPILER(RVCT) JITStubs
2920         https://bugs.webkit.org/show_bug.cgi?id=119521
2921
2922         Reviewed by Geoffrey Garen.
2923
2924         * jit/JITStubsARMv7.h:
2925         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2926         (JSC::ctiOpThrowNotCaught): Ditto.
2927
2928 2013-07-23  David Farler  <dfarler@apple.com>
2929
2930         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2931         https://bugs.webkit.org/show_bug.cgi?id=117762
2932
2933         Reviewed by Mark Rowe.
2934
2935         * Configurations/DebugRelease.xcconfig:
2936         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2937         * Configurations/JavaScriptCore.xcconfig:
2938         Add ASAN_OTHER_LDFLAGS.
2939         * Configurations/ToolExecutable.xcconfig:
2940         Don't use ASAN for build tools.
2941
2942 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2943
2944         Build fix for ARM MSVC after r153222 and r153648.
2945
2946         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2947
2948 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2949
2950         Build fix for ARM MSVC after r150109.
2951
2952         Read the stub template from a header file instead of JITStubs.cpp.
2953
2954         * CMakeLists.txt:
2955         * DerivedSources.pri:
2956         * create_jit_stubs:
2957
2958 2013-08-05  Oliver Hunt  <oliver@apple.com>
2959
2960         Move TypedArray implementation into JSC
2961         https://bugs.webkit.org/show_bug.cgi?id=119489
2962
2963         Reviewed by Filip Pizlo.
2964
2965         Move TypedArray implementation into JSC in advance of re-implementation
2966
2967         * GNUmakefile.list.am:
2968         * JSCTypedArrayStubs.h:
2969         * JavaScriptCore.xcodeproj/project.pbxproj:
2970         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2971         (JSC::ArrayBuffer::transfer):
2972         (JSC::ArrayBuffer::addView):
2973         (JSC::ArrayBuffer::removeView):
2974         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2975         (JSC::ArrayBufferContents::ArrayBufferContents):
2976         (JSC::ArrayBufferContents::data):
2977         (JSC::ArrayBufferContents::sizeInBytes):
2978         (JSC::ArrayBufferContents::transfer):
2979         (JSC::ArrayBufferContents::copyTo):
2980         (JSC::ArrayBuffer::isNeutered):
2981         (JSC::ArrayBuffer::~ArrayBuffer):
2982         (JSC::ArrayBuffer::clampValue):
2983         (JSC::ArrayBuffer::create):
2984         (JSC::ArrayBuffer::createUninitialized):
2985         (JSC::ArrayBuffer::ArrayBuffer):
2986         (JSC::ArrayBuffer::data):
2987         (JSC::ArrayBuffer::byteLength):
2988         (JSC::ArrayBuffer::slice):
2989         (JSC::ArrayBuffer::sliceImpl):
2990         (JSC::ArrayBuffer::clampIndex):
2991         (JSC::ArrayBufferContents::tryAllocate):
2992         (JSC::ArrayBufferContents::~ArrayBufferContents):
2993         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2994         (JSC::ArrayBufferView::ArrayBufferView):
2995         (JSC::ArrayBufferView::~ArrayBufferView):
2996         (JSC::ArrayBufferView::neuter):
2997         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2998         (JSC::ArrayBufferView::buffer):
2999         (JSC::ArrayBufferView::baseAddress):
3000         (JSC::ArrayBufferView::byteOffset):
3001         (JSC::ArrayBufferView::setNeuterable):
3002         (JSC::ArrayBufferView::isNeuterable):
3003         (JSC::ArrayBufferView::verifySubRange):
3004         (JSC::ArrayBufferView::clampOffsetAndNumElements):
3005         (JSC::ArrayBufferView::setImpl):
3006         (JSC::ArrayBufferView::setRangeImpl):
3007         (JSC::ArrayBufferView::zeroRangeImpl):
3008         (JSC::ArrayBufferView::calculateOffsetAndLength):
3009         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
3010         (JSC::Float32Array::set):
3011         (JSC::Float32Array::getType):
3012         (JSC::Float32Array::create):
3013         (JSC::Float32Array::createUninitialized):
3014         (JSC::Float32Array::Float32Array):
3015         (JSC::Float32Array::subarray):
3016         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
3017         (JSC::Float64Array::set):
3018         (JSC::Float64Array::getType):
3019         (JSC::Float64Array::create):
3020         (JSC::Float64Array::createUninitialized):
3021         (JSC::Float64Array::Float64Array):
3022         (JSC::Float64Array::subarray):
3023         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
3024         (JSC::Int16Array::getType):
3025         (JSC::Int16Array::create):
3026         (JSC::Int16Array::createUninitialized):
3027         (JSC::Int16Array::Int16Array):
3028         (JSC::Int16Array::subarray):
3029         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
3030         (JSC::Int32Array::getType):
3031         (JSC::Int32Array::create):
3032         (JSC::Int32Array::createUninitialized):
3033         (JSC::Int32Array::Int32Array):
3034         (JSC::Int32Array::subarray):
3035         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
3036         (JSC::Int8Array::getType):
3037         (JSC::Int8Array::create):
3038         (JSC::Int8Array::createUninitialized):
3039         (JSC::Int8Array::Int8Array):
3040         (JSC::Int8Array::subarray):
3041         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
3042         (JSC::IntegralTypedArrayBase::set):
3043         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
3044         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
3045         (JSC::TypedArrayBase::data):
3046         (JSC::TypedArrayBase::set):
3047         (JSC::TypedArrayBase::setRange):
3048         (JSC::TypedArrayBase::zeroRange):
3049         (JSC::TypedArrayBase::length):
3050         (JSC::TypedArrayBase::byteLength):
3051         (JSC::TypedArrayBase::item):
3052         (JSC::TypedArrayBase::checkInboundData):
3053         (JSC::TypedArrayBase::TypedArrayBase):
3054         (JSC::TypedArrayBase::create):
3055         (JSC::TypedArrayBase::createUninitialized):
3056         (JSC::TypedArrayBase::subarrayImpl):
3057         (JSC::TypedArrayBase::neuter):
3058         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
3059         (JSC::Uint16Array::getType):
3060         (JSC::Uint16Array::create):
3061         (JSC::Uint16Array::createUninitialized):
3062         (JSC::Uint16Array::Uint16Array):
3063         (JSC::Uint16Array::subarray):
3064         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
3065         (JSC::Uint32Array::getType):
3066         (JSC::Uint32Array::create):
3067         (JSC::Uint32Array::createUninitialized):
3068         (JSC::Uint32Array::Uint32Array):
3069         (JSC::Uint32Array::subarray):
3070         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
3071         (JSC::Uint8Array::getType):
3072         (JSC::Uint8Array::create):
3073         (JSC::Uint8Array::createUninitialized):
3074         (JSC::Uint8Array::Uint8Array):
3075         (JSC::Uint8Array::subarray):
3076         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
3077         (JSC::Uint8ClampedArray::getType):
3078         (JSC::Uint8ClampedArray::create):
3079         (JSC::Uint8ClampedArray::createUninitialized):
3080         (JSC::Uint8ClampedArray::zeroFill):
3081         (JSC::Uint8ClampedArray::set):
3082         (JSC::Uint8ClampedArray::Uint8ClampedArray):
3083         (JSC::Uint8ClampedArray::subarray):
3084         * runtime/VM.h:
3085
3086 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
3087
3088         Copied space should be able to handle more than one copied backing store per JSCell
3089         https://bugs.webkit.org/show_bug.cgi?id=119471
3090
3091         Reviewed by Mark Hahnenberg.
3092         
3093         This allows a cell to call copyLater() multiple times for multiple different
3094         backing stores, and then have copyBackingStore() called exactly once for each
3095         of those. A token tells it which backing store to copy. All backing stores
3096         must be named using the CopyToken, an enumeration which currently cannot
3097         exceed eight entries.
3098         
3099         When copyBackingStore() is called, it's up to the callee to (a) use the token
3100         to decide what to copy and (b) call its base class's copyBackingStore() in
3101         case the base class had something that needed copying. The only exception is
3102         that JSCell never asks anything to be copied, and so if your base is JSCell
3103         then you don't have to do anything.
3104
3105         * GNUmakefile.list.am:
3106         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3107         * JavaScriptCore.xcodeproj/project.pbxproj:
3108         * heap/CopiedBlock.h:
3109         * heap/CopiedBlockInlines.h:
3110         (JSC::CopiedBlock::reportLiveBytes):
3111         * heap/CopyToken.h: Added.
3112         * heap/CopyVisitor.cpp:
3113         (JSC::CopyVisitor::copyFromShared):
3114         * heap/CopyVisitor.h:
3115         * heap/CopyVisitorInlines.h:
3116         (JSC::CopyVisitor::visitItem):
3117         * heap/CopyWorkList.h:
3118         (JSC::CopyWorklistItem::CopyWorklistItem):
3119         (JSC::CopyWorklistItem::cell):
3120         (JSC::CopyWorklistItem::token):
3121         (JSC::CopyWorkListSegment::get):
3122         (JSC::CopyWorkListSegment::append):
3123         (JSC::CopyWorkListSegment::data):
3124         (JSC::CopyWorkListIterator::get):
3125         (JSC::CopyWorkListIterator::operator*):
3126         (JSC::CopyWorkListIterator::operator->):
3127         (JSC::CopyWorkList::append):
3128         * heap/SlotVisitor.h:
3129         * heap/SlotVisitorInlines.h:
3130         (JSC::SlotVisitor::copyLater):
3131         * runtime/ClassInfo.h:
3132         * runtime/JSCell.cpp:
3133         (JSC::JSCell::copyBackingStore):
3134         * runtime/JSCell.h:
3135         * runtime/JSObject.cpp:
3136         (JSC::JSObject::visitButterfly):
3137         (JSC::JSObject::copyBackingStore):
3138         * runtime/JSObject.h:
3139
3140 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
3141
3142         [Automake] Define ENABLE_JIT through the Autoconf header
3143         https://bugs.webkit.org/show_bug.cgi?id=119445
3144
3145         Reviewed by Martin Robinson.
3146
3147         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
3148
3149 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
3150
3151         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
3152         https://bugs.webkit.org/show_bug.cgi?id=119470
3153
3154         Reviewed by Oliver Hunt.
3155         
3156         Structure can still tell you if the object "could" (in the conservative sense)
3157         have an indexing header; that's used by the compiler.
3158         
3159         Most of the time if you want to know if there's an indexing header, you ask the
3160         JSObject.
3161         
3162         In some cases, the JSObject wants to know if it would have an indexing header if
3163         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
3164
3165         * dfg/DFGRepatch.cpp:
3166         (JSC::DFG::tryCachePutByID):
3167         (JSC::DFG::tryBuildPutByIdList):
3168         * dfg/DFGSpeculativeJIT.cpp:
3169         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3170         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3171         * runtime/ButterflyInlines.h:
3172         (JSC::Butterfly::create):
3173         (JSC::Butterfly::growPropertyStorage):
3174         (JSC::Butterfly::growArrayRight):
3175         (JSC::Butterfly::resizeArray):
3176         * runtime/JSObject.cpp:
3177         (JSC::JSObject::copyButterfly):
3178         (JSC::JSObject::visitButterfly):
3179         * runtime/JSObject.h:
3180         (JSC::JSObject::hasIndexingHeader):
3181         (JSC::JSObject::setButterfly):
3182         * runtime/Structure.h:
3183         (JSC::Structure::couldHaveIndexingHeader):
3184         (JSC::Structure::hasIndexingHeader):
3185
3186 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3187
3188         Give the error object's stack property accessor attributes.
3189         https://bugs.webkit.org/show_bug.cgi?id=119404
3190
3191         Reviewed by Geoffrey Garen.
3192         
3193         Changed the attributes of error object's stack property to allow developers to write
3194         and delete the stack property. This will match the functionality of Chrome. Firefox  
3195         allows developers to write the error's stack, but not delete it. 
3196
3197         * interpreter/Interpreter.cpp:
3198         (JSC::Interpreter::addStackTraceIfNecessary):
3199         * runtime/ErrorInstance.cpp:
3200         (JSC::ErrorInstance::finishCreation):
3201
3202 2013-08-02  Oliver Hunt  <oliver@apple.com>
3203
3204         Incorrect type speculation reported by ToPrimitive
3205         https://bugs.webkit.org/show_bug.cgi?id=119458
3206
3207         Reviewed by Mark Hahnenberg.
3208
3209         Make sure that we report the correct type possibilities for the output
3210         from ToPrimitive
3211
3212         * dfg/DFGAbstractInterpreterInlines.h:
3213         (JSC::DFG::::executeEffects):
3214
3215 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
3216
3217         Remove no-arguments constructor to PropertySlot
3218         https://bugs.webkit.org/show_bug.cgi?id=119460
3219
3220         Reviewed by Geoff Garen.
3221
3222         This constructor was unsafe if getValue is subsequently called,
3223         and the property is a getter. Simplest to just remove it.
3224
3225         * runtime/Arguments.cpp:
3226         (JSC::Arguments::defineOwnProperty):
3227         * runtime/JSActivation.cpp:
3228         (JSC::JSActivation::getOwnPropertyDescriptor):
3229         * runtime/JSFunction.cpp:
3230         (JSC::JSFunction::getOwnPropertyDescriptor):
3231         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3232         (JSC::JSFunction::put):
3233         (JSC::JSFunction::defineOwnProperty):
3234         * runtime/JSGlobalObject.cpp:
3235         (JSC::JSGlobalObject::defineOwnProperty):
3236         * runtime/JSGlobalObject.h:
3237         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
3238         * runtime/JSNameScope.cpp:
3239         (JSC::JSNameScope::put):
3240         * runtime/JSONObject.cpp:
3241         (JSC::Stringifier::Holder::appendNextProperty):
3242         (JSC::Walker::walk):
3243         * runtime/JSObject.cpp:
3244         (JSC::JSObject::hasProperty):
3245         (JSC::JSObject::hasOwnProperty):
3246         (JSC::JSObject::reifyStaticFunctionsForDelete):
3247         * runtime/Lookup.h:
3248         (JSC::getStaticPropertyDescriptor):
3249         (JSC::getStaticFunctionDescriptor):
3250         (JSC::getStaticValueDescriptor):
3251         * runtime/ObjectConstructor.cpp:
3252         (JSC::defineProperties):
3253         * runtime/PropertySlot.h:
3254
3255 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3256
3257         DFG validation can cause assertion failures due to dumping
3258         https://bugs.webkit.org/show_bug.cgi?id=119456
3259
3260         Reviewed by Geoffrey Garen.
3261
3262         * bytecode/CodeBlock.cpp:
3263         (JSC::CodeBlock::hasHash):
3264         (JSC::CodeBlock::isSafeToComputeHash):
3265         (JSC::CodeBlock::hash):
3266         (JSC::CodeBlock::dumpAssumingJITType):
3267         * bytecode/CodeBlock.h:
3268
3269 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3270
3271         Have vm's exceptionStack match Java's vm's exceptionStack.
3272         https://bugs.webkit.org/show_bug.cgi?id=119362
3273
3274         Reviewed by Geoffrey Garen.
3275         
3276         The error object's stack is only updated if it does not exist yet. This matches 
3277         the functionality of other browsers, and Java VMs. 
3278
3279         * interpreter/Interpreter.cpp:
3280         (JSC::Interpreter::addStackTraceIfNecessary):
3281         (JSC::Interpreter::throwException):
3282         * runtime/VM.cpp:
3283         (JSC::VM::clearExceptionStack):
3284         * runtime/VM.h:
3285         (JSC::VM::lastExceptionStack):
3286
3287 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3288
3289         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
3290         https://bugs.webkit.org/show_bug.cgi?id=119447
3291
3292         Reviewed by Geoffrey Garen.
3293
3294         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
3295         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
3296         r153583 (sh4) and r153648 (ARM).
3297
3298         * jit/JITStubsMIPS.h:
3299
3300 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
3301
3302         hasIndexingHeader should be a property of the Structure, not just the IndexingType
3303         https://bugs.webkit.org/show_bug.cgi?id=119422
3304
3305         Reviewed by Oliver Hunt.
3306         
3307         This simplifies some code and also allows Structure to claim that an object
3308         has an indexing header even if it doesn't have indexed properties.
3309         
3310         I also changed some calls to use hasIndexedProperties() since in some cases,
3311         that's what we actually meant. Currently the two are synonyms.
3312
3313         * dfg/DFGRepatch.cpp:
3314         (JSC::DFG::tryCachePutByID):
3315         (JSC::DFG::tryBuildPutByIdList):
3316         * dfg/DFGSpeculativeJIT.cpp:
3317         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3318         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3319         * runtime/ButterflyInlines.h:
3320         (JSC::Butterfly::create):
3321         (JSC::Butterfly::growPropertyStorage):
3322         (JSC::Butterfly::growArrayRight):
3323         (JSC::Butterfly::resizeArray):
3324         * runtime/IndexingType.h:
3325         * runtime/JSObject.cpp:
3326         (JSC::JSObject::copyButterfly):
3327         (JSC::JSObject::visitButterfly):
3328         (JSC::JSObject::setPrototype):
3329         * runtime/JSObject.h:
3330         (JSC::JSObject::setButterfly):
3331         * runtime/JSPropertyNameIterator.cpp:
3332         (JSC::JSPropertyNameIterator::create):
3333         * runtime/Structure.h:
3334         (JSC::Structure::hasIndexingHeader):
3335
3336 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3337
3338         REGRESSION: ARM still crashes after change set r153612.
3339         https://bugs.webkit.org/show_bug.cgi?id=119433
3340
3341         Reviewed by Michael Saboff.
3342
3343         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
3344         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
3345         for sh4 architecture.
3346
3347         * jit/JITStubsARM.h:
3348         * jit/JITStubsARMv7.h:
3349
3350 2013-08-02  Michael Saboff  <msaboff@apple.com>
3351
3352         REGRESSION(r153612): It made jsc and layout tests crash
3353         https://bugs.webkit.org/show_bug.cgi?id=119440
3354
3355         Reviewed by Csaba Osztrogonác.
3356
3357         Made the changes of changeset r153612 only apply to 32 bit builds.
3358
3359         * jit/JITExceptions.cpp:
3360         * jit/JITExceptions.h:
3361         * jit/JITStubs.cpp:
3362         (JSC::cti_vm_throw_slowpath):
3363         * jit/JITStubs.h:
3364
3365 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
3366
3367         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
3368
3369         * CMakeLists.txt:
3370
3371 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
3372
3373         [Forms: color] <input type='color'> popover color well implementation
3374         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
3375
3376         Reviewed by Benjamin Poulain.
3377
3378         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
3379
3380 2013-08-01  Oliver Hunt  <oliver@apple.com>
3381
3382         DFG is not enforcing correct ordering of ToString conversion in MakeRope
3383         https://bugs.webkit.org/show_bug.cgi?id=119408
3384
3385         Reviewed by Filip Pizlo.
3386
3387         Construct ToString and Phantom nodes in advance of MakeRope
3388         nodes to ensure that ordering is ensured, and correct values
3389         will be reified on OSR exit.
3390
3391         * dfg/DFGByteCodeParser.cpp:
3392         (JSC::DFG::ByteCodeParser::parseBlock):
3393
3394 2013-08-01  Michael Saboff  <msaboff@apple.com>
3395
3396         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
3397         https://bugs.webkit.org/show_bug.cgi?id=119140
3398
3399         Reviewed by Filip Pizlo.
3400
3401         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
3402
3403         * jit/JITExceptions.cpp:
3404         (JSC::encode):
3405         * jit/JITExceptions.h:
3406         * jit/JITStubs.cpp:
3407         (JSC::cti_vm_throw_slowpath):
3408         * jit/JITStubs.h:
3409
3410 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
3411
3412         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
3413         https://bugs.webkit.org/show_bug.cgi?id=119391
3414
3415         Reviewed by Csaba Osztrogonác.
3416
3417         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
3418             - Call frame is in r14 register.
3419             - Do not restore registers from JIT stack frame here.