DFG should inline Array.push and Array.pop
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-10-03  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline Array.push and Array.pop
        https://bugs.webkit.org/show_bug.cgi?id=69314

        Reviewed by Oliver Hunt.

        1% speed-up in V8 due to 6% speed-up in V8-deltablue.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::storePtr):
        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGIntrinsic.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-03  Filip Pizlo  <fpizlo@apple.com>

        JSC ASSERT Opening the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=69293

        Reviewed by Oliver Hunt.

        If a polymorphic access structure list has a duplicated structure, then
        don't crash.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2011-10-03  Gavin Barraclough  <barraclough@apple.com>

        On X86, switch bucketCount into a register, timeoutCheck into memory
        https://bugs.webkit.org/show_bug.cgi?id=69299

        Reviewed by Geoff Garen.

        We don't have sufficient registers to keep both in registers, and DFG JIT will trample esi;
        it doesn't matter if the bucketCount gets stomped on (in fact it may add to randomness!),
        but if the timeoutCheck gets trashed we may make calls out to the timeout_check stub
        function too frequently (regressing performance). This patch has no perf impact on SunSpider.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branchAdd32):
        (JSC::MacroAssemblerX86::branchSub32):
            - Added branchSub32 with AbsoluteAddress.
        * jit/JIT.cpp:
        (JSC::JIT::emitTimeoutCheck):
            - Keep timeout count in memory on X86.
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
            - Remove X86-specific code, switch bucket count back into a register.
        * jit/JITStubs.cpp:
            - Stop initializing esi (it is no longer the timeoutCheck!)
        * jit/JSInterfaceJIT.h:
            - Change definition of esi to be the bucketCountRegister.
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
            - Add timeoutCount as a property to global data (the counter should be per-thread).

2011-10-03  Filip Pizlo  <fpizlo@apple.com>

        DFG backends don't have access to per-node predictions from the propagator
        https://bugs.webkit.org/show_bug.cgi?id=69291

        Reviewed by Oliver Hunt.

        Nodes now have two notions of predictions: the heap prediction, which is
        what came directly from value profiling, and the propagator's predictions,
        which arise out of abstract interpretation. Every node has a propagator
        prediction, but not every node has a heap prediction; and there is no
        guarantee that a node that has both will keep them consistent, as the
        propagator may have additional information available to it.

        This is performance neutral.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::getHeapPrediction):
        (JSC::DFG::Node::predictHeap):
        (JSC::DFG::Node::prediction):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::setPrediction):
        (JSC::DFG::Propagator::mergePrediction):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::isPredictedNumerical):
        (JSC::DFG::Propagator::logicalNotIsPure):
        (JSC::DFG::Propagator::setReplacement):

2011-10-03  Jer Noble  <jer.noble@apple.com>

        Unreviewed, rolling out r96526.
        http://trac.webkit.org/changeset/96526
        https://bugs.webkit.org/show_bug.cgi?id=68587

        WEB_AUDIO has numerous 64->32 bit casting warnings, causing
        build breakages where -Wall is enabled.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-10-03  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed build fix for DFG JIT 32_64.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-02  Filip Pizlo  <fpizlo@apple.com>

        DFG should speculate more aggressively on obvious cases on
        polymorphic get_by_id
        https://bugs.webkit.org/show_bug.cgi?id=69235

        Reviewed by Oliver Hunt.

        This implements trivial polymorphic get_by_id. It also fixes
        problems in the CSE for CheckStructure in the put_by_id
        transition case.

        Doing this required knowing whether a polymorphic get_by_id stub
        was doing a direct access rather than a call of some kind.

        Slight speed-up on Kraken and SunSpider. 0.5% speed-up in the
        scaled mean of all benchmarks.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addStructureSet):
        (JSC::DFG::Graph::addStructureTransitionData):
        * dfg/DFGNode.h:
        (JSC::DFG::StructureTransitionData::StructureTransitionData):
        (JSC::DFG::Node::hasStructureTransitionData):
        (JSC::DFG::Node::structureTransitionData):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::structureSet):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureSet.h: Added.
        (JSC::DFG::StructureSet::StructureSet):
        (JSC::DFG::StructureSet::add):
        (JSC::DFG::StructureSet::addAll):
        (JSC::DFG::StructureSet::remove):
        (JSC::DFG::StructureSet::contains):
        (JSC::DFG::StructureSet::isSubsetOf):
        (JSC::DFG::StructureSet::isSupersetOf):
        (JSC::DFG::StructureSet::size):
        (JSC::DFG::StructureSet::at):
        (JSC::DFG::StructureSet::operator[]):
        (JSC::DFG::StructureSet::last):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::getPolymorphicAccessStructureListSlot):

2011-10-03  Jer Noble  <jer.noble@apple.com>

        Enable WEB_AUDIO by default in the WebKit/mac port.
        https://bugs.webkit.org/show_bug.cgi?id=68587

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-10-03  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Fix make distcheck build
        https://bugs.webkit.org/show_bug.cgi?id=69243

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am:

2011-10-03  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] Build fix: Qt::escape is deprecated in Qt5
        https://bugs.webkit.org/show_bug.cgi?id=69162

        Use QString::toHtmlEscaped in the Qt5 case.

        Reviewed by Andreas Kling.

        * JavaScriptCore.pri:
        * wtf/qt/UtilsQt.h: Added.
        (escapeHtml):
        * wtf/wtf.pri:

2011-10-03  Balazs Kelemen  <kbalazs@webkit.org>

        libdispatch based ParallelJobs is not parallel enough
        https://bugs.webkit.org/show_bug.cgi?id=66378

        Reviewed by Zoltan Herczeg.

        Use the appropriate libdispatch API for our use case.
        Throw away the hard-coded limit of parallel threads
        and use dispatch_apply with the default priority normal
        queue instead of using our own custom serial queue (which
        was a misuse of the API). Enabling PARALLEL_JOBS is now
        a 60% win (2.63x as fast) on the methanol benchmark
        (https://gitorious.org/methanol) with an SVG centric test set
        while the old implementation was almost identical (less than 5% win).

        * wtf/ParallelJobsLibdispatch.h:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::execute):

2011-10-02  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt] REGRESSION(r95912): It made sputnik tests flaky
        https://bugs.webkit.org/show_bug.cgi?id=68990

        Reviewed by Geoffrey Garen.

        Changing signed char to int in r96354 solved the
        problem. However, transitionCount still returns
        a signed char and should be changed to int.

        * runtime/Structure.h:
        (JSC::Structure::transitionCount):

2011-10-02  Filip Pizlo  <fpizlo@apple.com>

        DFG misses some obvious opportunities for common subexpression elimination
        https://bugs.webkit.org/show_bug.cgi?id=69233

        Reviewed by Oliver Hunt.

        0.7% speed-up on SunSpider.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):

2011-10-02  Gavin Barraclough  <barraclough@apple.com>

        Bug 67455 - Different regular expression result

        Reviewed by Darin Adler.

        Fix a regression introduced in r72140. A return was added to the backtracking loop for
        backtrackParentheses with QuantifierNonGreedy, so it always returns after one iteration.
        This is incorrect. The additional return should only trigger to force an early return if
        an error has occurred.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchParentheses):
            - Simplify some nested if/else logic.
        (JSC::Yarr::Interpreter::backtrackParentheses):
            - Simplify some nested if/else logic.
            - Only return early from backtrackParentheses on success/error, not on failure.

2011-10-01  Geoffrey Garen  <ggaren@apple.com>

        Removed redundant helper functions for allocating Strong handles
        https://bugs.webkit.org/show_bug.cgi?id=69218

        Reviewed by Sam Weinig.

        * heap/Heap.h:
        (JSC::Heap::handleHeap):
        * runtime/JSGlobalData.h: Removed these helper functions, since they
        just created indirection.

        * heap/StrongInlines.h: Added. Broke out a header for inline functions
        to resolve circular dependencies created by inlining. I'm told this is
        the future for JavaScriptCore.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj: Go forth and build.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::init):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::set):
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::setSingleTransition):
        * heap/Local.h:
        (JSC::::Local):
        * heap/Strong.h:
        (JSC::::Strong):
        (JSC::::set):
        * heap/Weak.h:
        (JSC::Weak::Weak):
        (JSC::Weak::set): Allocate handles directly instead of going through a
        chain of forwarding functions.

        * bytecompiler/BytecodeGenerator.cpp:
        * runtime/JSGlobalData.cpp:
        * runtime/LiteralParser.cpp:
        * runtime/RegExpCache.cpp: Updated for header changes.

2011-09-30  Filip Pizlo  <fpizlo@apple.com>

        All of JSC's heuristics should be in one place for easier tuning
        https://bugs.webkit.org/show_bug.cgi?id=69201

        Reviewed by Oliver Hunt.

        This makes it possible to change tiered compilation heuristics in
        one place (Heuristics.cpp) without recompiling the whole project.

        It also makes it possible to enable setting heuristics using
        environment variables. This is off by default. When turned on, it
        makes tuning the system much easier.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * runtime/Heuristics.cpp: Added.
        (JSC::Heuristics::parse):
        (JSC::Heuristics::setHeuristic):
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h: Added.
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):

2011-10-01  Oliver Hunt  <oliver@apple.com>

        Support string length in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=69215

        Reviewed by Geoff Garen.

        Adds a GetStringLength node to the DFG so that we can support
        string.length inline.

        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isKnownString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSString.h:
        (JSC::JSString::offsetOfLength):

2011-10-01  Yuqiang Xian  <yuqiang.xian@intel.com>

        JSVALUE32_64 DFG JIT - unboxed integers and cells in register file must be reboxed before exiting from DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69205

        Reviewed by Gavin Barraclough.

        If there are unboxed integers and cells in register file (e.g. by SetLocal),
        they must be reboxed before exiting from the speculative DFG JIT execution.
        This patch also adds a new ValueSourceKind (CellInRegisterFile) and a new
        ValueRecoveryTechnique (AlreadyInRegisterFileAsCell).

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedCell):

2011-10-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r96421.
        http://trac.webkit.org/changeset/96421
        https://bugs.webkit.org/show_bug.cgi?id=69206

        It broke Qt-WK2 build (Requested by ossy on #webkit).

        * JavaScriptCore.pri:
        * wtf/qt/UtilsQt.h: Removed.
        * wtf/wtf.pri:

2011-09-30  Daniel Bates  <dbates@webkit.org>

        Attempt to fix the Apple Windows and WinCairo Debug builds after
        <http://trac.webkit.org/changeset/96446> (https://bugs.webkit.org/show_bug.cgi?id=69203).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove the symbol
        ?toStrictThisObject@JSObject@JSC@@UBE?AVJSValue@2@PAVExecState@2@@Z since the
        corresponding function, JSValue::toStrictThisObject(), was removed.

2011-09-30  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG operation results are not set correctly in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69126

        Reviewed by Gavin Barraclough.

        The setupResults routine has the bug of reversing the source and destination.
        Also some other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::setupTwoStubArgs):
        (JSC::DFG::setupResults):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):

2011-09-30  Gavin Barraclough  <barraclough@apple.com>

        Remove toStrictThisObject, toThisString, toThisJSString
        https://bugs.webkit.org/show_bug.cgi?id=69203

        Rubber stamped by Sam Weinig.

        These are no longer used.

        * JavaScriptCore.exp:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSValue.h:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StrictEvalActivation.h:

2011-09-30  Filip Pizlo  <fpizlo@apple.com>

        DFG does not speculate aggressively enough on put_by_id
        https://bugs.webkit.org/show_bug.cgi?id=69114

        Reviewed by Oliver Hunt.

        This adds new nodes along with optimizations for those nodes:

        GetPropertyStorage: CheckStructure used to do both the structure
        check and retrieve the storage pointer. Now CheckStructure just
        checks the structure, and GetPropertyStorage retrieves the
        storage pointer.

        PutStructure: Changes the structure, and has the expected store
        to load optimization with CheckStructure.

        PutByOffset: Directly sets the value. Has store to load
        optimization with GetByOffset.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::hasStorageAccessData):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::impureCSE):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::eliminate):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-30  Gavin Barraclough  <barraclough@apple.com>

        StringRecursionChecker should not work in terms of EncodedJSValue
        https://bugs.webkit.org/show_bug.cgi?id=69188

        Reviewed by Oliver Hunt.

        0 is not the empty value on 32_64.
        Code that casts literals to EncodedJSValues may be unsafe if we change our internal representation.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
        * runtime/StringRecursionChecker.cpp:
        (JSC::StringRecursionChecker::throwStackOverflowError):
        (JSC::StringRecursionChecker::emptyString):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        (JSC::StringRecursionChecker::earlyReturnValue):

2011-09-30  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT, Branch on integer can always be a 32-bit compare.
        https://bugs.webkit.org/show_bug.cgi?id=69174

        Reviewed by Sam Weinig.

        if (shouldSpeculateInteger(node.child1()) && !isStrictInt32(node.child1())),
        the JSVALUE64 JIT will currently compare all 64 bits in the register, but in
        these cases the DataFormat is always a JS boxed integer. In these cases we
        can just compare the low 32 bits anyway - no need to check the tag.
        This allows the code to be unified with the JSVALUE32_64 JIT.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-30  Oliver Hunt  <oliver@apple.com>

        Need a sensible GGC policy

        Reviewed by Geoff Garen.

        This replaces the existing random collection policy
        with a deterministic policy based on nursery size.

        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateSlowCase):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocator):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::nurseryWaterMark):
        (JSC::MarkedSpace::allocate):

2011-09-30  Filip Pizlo  <fpizlo@apple.com>

        DFG 32-bit support for op_call and op_construct causes
        run-javascriptcore-tests to fail
        https://bugs.webkit.org/show_bug.cgi?id=69171

        Reviewed by Gavin Barraclough.

        This fixes one obvious bug that was causing test failures (no
        support for dummy slow case for op_add in 32_64), and disables
        op_call and op_construct by default.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):

2011-09-30  Geoffrey Garen  <ggaren@apple.com>

        Crash due to out of bounds read/write in MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=69148

        This was a case of being surprised by a poorly articulated cell size limit,
        plus an incorrect ASSERT guarding the cell size limit.

        Reviewed by Oliver Hunt.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassFor): Changed heap size ranges to be inclusive,
        since it makes the ranges easier to understand.

        Bumped up the max cell size to support the use case in this bug. Since the
        atomSize is much bigger than it used to be, there isn't much accounting
        cost to handling more size classes.

        Switched to FixedArray, to help catch SizeClass indexing bugs in the future.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocator):
        (JSC::MarkedSpace::canonicalizeCellLivenessData): Updated for size ranges
        being inclusive.

2011-09-30  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] Build fix: Qt::escape is deprecated in Qt5
        https://bugs.webkit.org/show_bug.cgi?id=69162

        Use QString::toHtmlEscaped in the Qt5 case.

        Reviewed by Andreas Kling.

        * JavaScriptCore.pri:
        * wtf/qt/UtilsQt.h: Added.
        (escapeHtml):
        * wtf/wtf.pri:

2011-09-30  Yuqiang Xian  <yuqiang.xian@intel.com>

        Fix bug in getHostCallReturnValue of DFG JIT on X86
        https://bugs.webkit.org/show_bug.cgi?id=69133

        Reviewed by Gavin Barraclough.

        We need to insert the additional argument in the stack slot before
        return address instead of simply pushing it afterwards.
        Also getHostCallReturnValue* should be attributed as stdcall
        to make the stack cleaned up by the callee.

        * dfg/DFGOperations.cpp:

2011-09-30  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] wtf header files are unknown to Qt Creator
        https://bugs.webkit.org/show_bug.cgi?id=69158

        Adding the HEADERS variable in wtf.pri so that
        the header files can be accessed easily.

        Reviewed by Andreas Kling.

        * wtf/wtf.pri:

2011-09-30  Gavin Barraclough  <barraclough@apple.com>

        Merge some more of DFGSpeculativeJIT 32_64/64
        https://bugs.webkit.org/show_bug.cgi?id=69164

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCodeGenerator32_64.cpp:
        * dfg/DFGJITCodeGenerator64.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add getCallData to MethodTable in ClassInfo
        https://bugs.webkit.org/show_bug.cgi?id=69024

        Reviewed by Sam Weinig.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

        Added the getCallData to the MethodTable in the ClassInfo struct.
        * runtime/ClassInfo.h:

2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add op_call/op_constructor support to JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69120

        Reviewed by Gavin Barraclough.

        Improve the coverage of JSVALUE32_64 DFG JIT.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::tagOfCallData):
        (JSC::DFG::payloadOfCallData):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT - register not unlocked after usage in ArithDiv
        https://bugs.webkit.org/show_bug.cgi?id=69122

        Reviewed by Geoffrey Garen.

        An allocated register is not unlocked after its usage in ArithDiv.
        Also there's a typo in "ENBALE_DFG_CONSISTENTCY_CHECK".

        * dfg/DFGNode.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::toObject
        https://bugs.webkit.org/show_bug.cgi?id=68937

        Reviewed by Darin Adler.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

        De-virtualized JSCell::toObject and changed its implementation to manually check the
        cases for JSString and JSObject rather than leaving it up to the virtual method call.
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:

        Removed JSNotAnObject::toObject because the case for JSObject works for it.
        Also removed JSObject::toObject because it was essentially the identity function,
        which is not necessary since toObject is no longer virtual.
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:

        De-virtualized JSObject::toObject and JSString::toObject.
        * runtime/JSString.h:

785 2011-09-29  Gavin Barraclough  <barraclough@apple.com>
786
787         Start refactoring DFGSpeculativeJIT
788         https://bugs.webkit.org/show_bug.cgi?id=69112
789
790         Reviewed by Oliver Hunt.
791
792         Again, move JSVALUE64 code into a DFGSpeculativeJIT64.cpp
793
794         * JavaScriptCore.xcodeproj/project.pbxproj:
795         * dfg/DFGSpeculativeJIT.cpp:
796         (JSC::DFG::ValueSource::dump):
797         (JSC::DFG::ValueRecovery::dump):
798         (JSC::DFG::OSRExit::OSRExit):
799         (JSC::DFG::OSRExit::dump):
800         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
801         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
802         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
803         (JSC::DFG::SpeculativeJIT::compile):
804         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
805         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
806         * dfg/DFGSpeculativeJIT.h:
807         (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
808         * dfg/DFGSpeculativeJIT32_64.cpp:
809         (JSC::DFG::SpeculativeJIT::compare):
810         * dfg/DFGSpeculativeJIT64.cpp: Copied from Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp.
811         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
812         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
813         (JSC::DFG::SpeculativeJIT::compile):
814
815 2011-09-29  Gavin Barraclough  <barraclough@apple.com>
816
817         Refactor out trivially duplicated code in DFGJITCodeGenerator.
818         https://bugs.webkit.org/show_bug.cgi?id=69109
819
820         Reviewed by Oliver Hunt.
821
822         Some code is trivially redundant between DFGJITCodeGenerator.cpp & DFGJITCodeGenerator32_64.cpp
823
824         Basically move JSVALUE64-specific code into a new DFGJITCodeGenerator64.cpp, leave common code
825         in DFGJITCodeGenerator.cpp, and remove copies from DFGJITCodeGenerator32_64.cpp.
826
827         For some functions the differences are trivial and make more sense to ifdef individually, and some
828         Operand methods make more sense left in DFGJITCodeGenerator.cpp alongside similar constructors.
829
830         * JavaScriptCore.xcodeproj/project.pbxproj:
831         * dfg/DFGJITCodeGenerator.cpp:
832         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
833         (JSC::DFG::JITCodeGenerator::isKnownBoolean):
834         (JSC::DFG::JITCodeGenerator::writeBarrier):
835         (JSC::DFG::JITCodeGenerator::dump):
836         (JSC::DFG::JITCodeGenerator::checkConsistency):
837         (JSC::DFG::GPRTemporary::GPRTemporary):
838         (JSC::DFG::FPRTemporary::FPRTemporary):
839         * dfg/DFGJITCodeGenerator32_64.cpp:
840         * dfg/DFGJITCodeGenerator64.cpp: Copied from Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp.
841         * dfg/DFGJITCompiler.h:
842         (JSC::DFG::JITCompiler::branchIfNotCell):
843         * dfg/DFGJITCompilerInlineMethods.h:
844
845 2011-09-28  Filip Pizlo  <fpizlo@apple.com>
846
847         DFG JIT should infer which uses of a variable are not aliased
848         https://bugs.webkit.org/show_bug.cgi?id=68593
849
850         Reviewed by Oliver Hunt.
851         
852         This separates how a variable is stored (i.e. its virtual register)
853         from how it's predicted. Each variable now takes a
854         VariableAccessData as its operand, instead of the virtual register.
855         The VariableAccessData stores the operand and the prediction. If
856         multiple uses of a variable are aliased, their VariableAccessDatas
857         are unified.
858         
859         This also adds tracking of which argument values are used. It
860         correctly observes that an argument value is not used, if the
861         argument is assigned to inside the function before being used.
862         
863         This also adds tracking of which variables are live at the head of
864         a basic block, and separates that from a variable being live at the
865         tail.
866         
867         Finally, this communicates to both OSR entry and OSR exit code how
868         a variable is predicted at a particular point in the code, rather
869         than just communicating how it was predicted in the entire code
870         block (since with this patch there is no longer the notion of a
871         variable having just one prediction for a code block).
872
873         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
874         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
875         * JavaScriptCore.xcodeproj/project.pbxproj:
876         * bytecode/ActionablePrediction.h: Added.
877         (JSC::actionablePredictionFromPredictedType):
878         (JSC::valueObeysPrediction):
879         (JSC::actionablePredictionToString):
880         (JSC::ActionablePredictions::ActionablePredictions):
881         (JSC::ActionablePredictions::setArgument):
882         (JSC::ActionablePredictions::argument):
883         (JSC::ActionablePredictions::setVariable):
884         (JSC::ActionablePredictions::variable):
885         (JSC::ActionablePredictions::argumentUpperBound):
886         (JSC::ActionablePredictions::variableUpperBound):
887         (JSC::ActionablePredictions::pack):
888         (JSC::ActionablePredictions::packVector):
889         * bytecode/CodeBlock.h:
890         * bytecode/PredictionTracker.h:
891         * dfg/DFGByteCodeParser.cpp:
892         (JSC::DFG::ByteCodeParser::newVariableAccessData):
893         (JSC::DFG::ByteCodeParser::getLocal):
894         (JSC::DFG::ByteCodeParser::setLocal):
895         (JSC::DFG::ByteCodeParser::getArgument):
896         (JSC::DFG::ByteCodeParser::setArgument):
897         (JSC::DFG::ByteCodeParser::parseBlock):
898         (JSC::DFG::ByteCodeParser::processPhiStack):
899         (JSC::DFG::ByteCodeParser::parse):
900         * dfg/DFGDriver.cpp:
901         (JSC::DFG::compile):
902         * dfg/DFGGraph.cpp:
903         (JSC::DFG::Graph::nameOfVariableAccessData):
904         (JSC::DFG::Graph::dump):
905         (JSC::DFG::Graph::predictArgumentTypes):
906         * dfg/DFGGraph.h:
907         (JSC::DFG::operandIsArgument):
908         (JSC::DFG::VariableRecord::setFirstTime):
909         (JSC::DFG::BasicBlock::BasicBlock):
910         (JSC::DFG::Graph::predict):
911         (JSC::DFG::Graph::getPrediction):
912         * dfg/DFGJITCompiler.h:
913         (JSC::DFG::JITCompiler::noticeOSREntry):
914         * dfg/DFGNode.h:
915         (JSC::DFG::Node::hasVariableAccessData):
916         (JSC::DFG::Node::hasLocal):
917         (JSC::DFG::Node::variableAccessData):
918         (JSC::DFG::Node::local):
919         * dfg/DFGOSREntry.cpp:
920         (JSC::DFG::prepareOSREntry):
921         * dfg/DFGOSREntry.h:
922         * dfg/DFGPropagator.cpp:
923         (JSC::DFG::Propagator::propagateNodePredictions):
924         * dfg/DFGSpeculativeJIT.cpp:
925         (JSC::DFG::ValueSource::dump):
926         (JSC::DFG::OSRExit::OSRExit):
927         (JSC::DFG::SpeculativeJIT::compile):
928         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
929         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
930         * dfg/DFGSpeculativeJIT.h:
931         (JSC::DFG::ValueSource::ValueSource):
932         (JSC::DFG::ValueSource::forPrediction):
933         (JSC::DFG::ValueSource::isSet):
934         (JSC::DFG::ValueSource::kind):
935         (JSC::DFG::ValueSource::nodeIndex):
936         (JSC::DFG::ValueSource::nodeIndexFromKind):
937         (JSC::DFG::ValueSource::kindFromNodeIndex):
938         (JSC::DFG::SpeculativeJIT::isKnownArray):
939         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
940         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
941         * dfg/DFGSpeculativeJIT32_64.cpp:
942         (JSC::DFG::OSRExit::OSRExit):
943         (JSC::DFG::SpeculativeJIT::compile):
944         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
945         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
946         * wtf/PackedIntVector.h: Added.
947         (WTF::PackedIntVector::PackedIntVector):
948         (WTF::PackedIntVector::operator=):
949         (WTF::PackedIntVector::size):
950         (WTF::PackedIntVector::ensureSize):
951         (WTF::PackedIntVector::resize):
952         (WTF::PackedIntVector::clearAll):
953         (WTF::PackedIntVector::get):
954         (WTF::PackedIntVector::set):
955         (WTF::PackedIntVector::mask):
956         * wtf/Platform.h:
957         * wtf/UnionFind.h: Added.
958         (WTF::UnionFind::UnionFind):
959         (WTF::UnionFind::find):
960         (WTF::UnionFind::unify):
961
962 2011-09-29  Oliver Hunt  <oliver@apple.com>
963
964         Build fix.
965
966         * heap/AllocationSpace.h:
967
968 2011-09-29  Oliver Hunt  <oliver@apple.com>
969
970         Add logic to collect dirty objects as roots
971         https://bugs.webkit.org/show_bug.cgi?id=69100
972
973         Reviewed by Geoff Garen.
974
975         This gives us the ability to walk all the MarkedBlocks in an
976         AllocationSpace and collect the dirty objects, and then use
977         them as GC roots.
978         
979         I also rearranged the order of these instructions because it
980         makes them smaller on some platforms with some card sizes.
981
982         * dfg/DFGJITCodeGenerator.cpp:
983         (JSC::DFG::JITCodeGenerator::markCellCard):
984         * dfg/DFGJITCodeGenerator32_64.cpp:
985         (JSC::DFG::JITCodeGenerator::markCellCard):
986         * heap/AllocationSpace.cpp:
987            Tidy up the write barrier logic a bit.
988         (JSC::MarkedBlock::gatherDirtyObjects):
989         (JSC::TakeIfDirty::returnValue):
990         (JSC::TakeIfDirty::TakeIfDirty):
991         (JSC::TakeIfDirty::operator()):
992         (JSC::AllocationSpace::gatherDirtyObjects):
993         * heap/AllocationSpace.h:
994         * heap/CardSet.h:
995         (JSC::::isCardMarked):
996         (JSC::::clearCard):
997         * heap/Heap.cpp:
998         (JSC::Heap::markRoots):
999         * heap/Heap.h:
1000         (JSC::Heap::writeBarrier):
1001         * heap/MarkStack.cpp:
1002         (JSC::SlotVisitor::visitChildren):
1003         * heap/MarkedBlock.h:
1004         (JSC::MarkedBlock::setDirtyObject):
1005         (JSC::MarkedBlock::addressOfCardFor):
1006         * heap/SlotVisitor.h:
1007         * jit/JITPropertyAccess.cpp:
1008         (JSC::JIT::emitWriteBarrier):
1009            Tidy the write barrier a bit.
1010
1011 2011-09-29  Gavin Barraclough  <barraclough@apple.com>
1012
1013         Unreviewed windows build fix.
1014
1015         * assembler/MacroAssemblerCodeRef.h:
1016         * dfg/DFGOperations.h:
1017
1018 2011-09-29  Filip Pizlo  <fpizlo@apple.com>
1019
1020         Structure transitions involving many (> 64) properties sometimes cause structure corruption
1021         https://bugs.webkit.org/show_bug.cgi?id=69102
1022
1023         Reviewed by Darin Adler.
1024         
1025         Made m_offset an int instead of a signed char. Changed the code to ensure that transitions
1026         don't lead to the dictionary kind being forgotten.
1027         
1028         * runtime/Structure.cpp:
1029         (JSC::Structure::Structure):
1030         * runtime/Structure.h:
1031
1032 2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>
1033
1034         DFG operation calls should be stdcall in Linux JSVALUE32_64 DFG JIT
1035         https://bugs.webkit.org/show_bug.cgi?id=69058
1036
1037         Reviewed by Gavin Barraclough.
1038
1039         Also fixed the stdcall FunctionPtr constructors to make them compile correctly on Linux.
1040
1041         * assembler/MacroAssemblerCodeRef.h:
1042         (JSC::FunctionPtr::FunctionPtr):
1043
1044 2011-09-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1045
1046         De-virtualize JSCell::visitChildrenVirtual and remove all other visitChildrenVirtual methods
1047         https://bugs.webkit.org/show_bug.cgi?id=68839
1048
1049         Reviewed by Geoffrey Garen.
1050
1051         Removed the remaining visitChildrenVirtual methods.  This patch completes the process of 
1052         de-virtualizing visitChildren.
1053
1054         * API/JSCallbackObject.h:
1055         * JavaScriptCore.exp:
1056         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1057         * debugger/DebuggerActivation.cpp:
1058         * debugger/DebuggerActivation.h:
1059         * runtime/Arguments.cpp:
1060         * runtime/Arguments.h:
1061         * runtime/Executable.cpp:
1062         * runtime/Executable.h:
1063         * runtime/GetterSetter.cpp:
1064         * runtime/GetterSetter.h:
1065         * runtime/JSActivation.cpp:
1066         * runtime/JSActivation.h:
1067         * runtime/JSArray.cpp:
1068         * runtime/JSArray.h:
1069         * runtime/JSFunction.cpp:
1070         * runtime/JSFunction.h:
1071         * runtime/JSGlobalObject.cpp:
1072         * runtime/JSGlobalObject.h:
1073         * runtime/JSObject.cpp:
1074         * runtime/JSPropertyNameIterator.cpp:
1075         * runtime/JSPropertyNameIterator.h:
1076         * runtime/JSStaticScopeObject.cpp:
1077         * runtime/JSStaticScopeObject.h:
1078         * runtime/JSValue.h:
1079         * runtime/NativeErrorConstructor.cpp:
1080         * runtime/NativeErrorConstructor.h:
1081         * runtime/RegExpObject.cpp:
1082         * runtime/RegExpObject.h:
1083         * runtime/Structure.cpp:
1084         * runtime/Structure.h:
1085         * runtime/StructureChain.cpp:
1086         * runtime/StructureChain.h:
1087
1088         Inlined the method table access and call to the visitChildren function (the only call sites 
1089         to visitChildren are here).
1090         * heap/MarkStack.cpp:
1091         (JSC::SlotVisitor::visitChildren):
1092
1093         Changed the field name for the visitChildren function pointer to visitChildren (from 
1094         visitChildrenFunctionPtr) to make call sites less verbose.
1095         * runtime/ClassInfo.h:
1096
1097         Discovered JSBoundFunction doesn't have its own ClassInfo (it used JSFunction's ClassInfo) but 
1098         overrides visitChildren, so it needs to have its own ClassInfo.
1099         * runtime/JSBoundFunction.cpp:
1100         * runtime/JSBoundFunction.h:
1101
1102         Had to move className up to make sure that the virtual destructor in JSObject wasn't 
1103         the first non-inline virtual method in JSObject (as per the comment in the file).
1104         Also moved JSCell::visitChildrenVirtual into JSObject.h in order for it to be inline-able
1105         to mitigate the cost of an extra method call.
1106
1107         Also added a convenience accessor function methodTable() to JSCell to return the MethodTable to make 
1108         call sites more concise.  Implementation is inline in JSObject.h.
1109         * runtime/JSObject.h:
1110         (JSC::JSCell::methodTable):
1111         * runtime/JSCell.h:
1112
1113         Added an out of line virtual destructor to JSWrapperObject and ScopeChainNode to 
1114         appease the vtable gods.  It refused to compile if there were no virtual methods in 
1115         both of these classes due to the presence of a weak vtable pointer.
1116         * runtime/JSWrapperObject.cpp:
1117         (JSC::JSWrapperObject::~JSWrapperObject):
1118         * runtime/JSWrapperObject.h:
1119         * runtime/ScopeChain.cpp:
1120         (JSC::ScopeChainNode::~ScopeChainNode):
1121         * runtime/ScopeChain.h:
1122
1123 2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>
1124
1125         Bug fixes for CreateThis, NewObject and GetByOffset in JSVALUE32_64 DFG JIT
1126         https://bugs.webkit.org/show_bug.cgi?id=69075
1127
1128         Reviewed by Gavin Barraclough.
1129
1130         * dfg/DFGSpeculativeJIT32_64.cpp:
1131         (JSC::DFG::SpeculativeJIT::compile):
1132
1133 2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>
1134
1135         JSVALUE32_64 DFG JIT failed to be built on 32-bit Linux due to incorrect overloaded OpInfo constructor
1136         https://bugs.webkit.org/show_bug.cgi?id=69054
1137
1138         Reviewed by Gavin Barraclough.
1139
1140         size_t is equal to uint32_t on most 32-bit platforms, except for Mac OS.
1141
1142         * dfg/DFGNode.h:
1143
1144 2011-09-28  Filip Pizlo  <fpizlo@apple.com>
1145
1146         DFG checkArgumentTypes fails to check boolean predictions
1147         https://bugs.webkit.org/show_bug.cgi?id=69059
1148
1149         Reviewed by Gavin Barraclough.
1150
1151         * dfg/DFGSpeculativeJIT.cpp:
1152         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1153         * dfg/DFGSpeculativeJIT32_64.cpp:
1154         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1155
1156 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1157
1158         Build fix pt 2 for r96286.
1159
1160         * assembler/MacroAssemblerCodeRef.h:
1161
1162 2011-09-28  Ryosuke Niwa  <rniwa@webkit.org>
1163
1164         Build fix attempt for r96286.
1165
1166         * assembler/MacroAssemblerCodeRef.h:
1167
1168 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1169
1170         DFG JIT Operations on 32_64 should use stdcall calling convention.
1171         https://bugs.webkit.org/show_bug.cgi?id=69046
1172
1173         Reviewed by Sam Weinig.
1174
1175         All calls out are expecting stdcall conventions, but the default on OS X is cdecl.
1176         Leave D_DFGOperation_DD calls as the one exception, since we want to be able to link
1177         directly to std library functions like fmod - leave these calls obeying the default
1178         platform calling convention.
1179
1180         * assembler/MacroAssemblerCodeRef.h:
1181         (JSC::FunctionPtr::FunctionPtr):
1182             - Add implicit constructors for std calls.
1183         * dfg/DFGJITCodeGenerator.h:
1184         (JSC::DFG::callOperation):
1185             - Make this work on non-Mac platforms.
1186         * dfg/DFGOperations.cpp:
1187         (JSC::DFG::operationPutByValInternal):
1188         * dfg/DFGOperations.h:
1189             - Mark all operations as stdcalls.
1190
1191 2011-09-28  Filip Pizlo  <fpizlo@apple.com>
1192
1193         DFG JIT falls back on numerical comparisons when it does not
1194         recognize a prediction
1195         https://bugs.webkit.org/show_bug.cgi?id=68977
1196
1197         Reviewed by Geoffrey Garen.
1198         
1199         This fixes the way comparison implementations are selected. It
1200         also fixes a bug where comparisons other than equality (like < or >)
1201         on objects are compiled as if the comparison was equality.
1202
1203         * dfg/DFGSpeculativeJIT.cpp:
1204         (JSC::DFG::SpeculativeJIT::compare):
1205
1206 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1207
1208         Implement callOperation(D_DFGOperation_DD) for DFG JIT 32_64
1209         https://bugs.webkit.org/show_bug.cgi?id=69026
1210
1211         Reviewed by Sam Weinig.
1212
1213         * assembler/X86Assembler.h:
1214         (JSC::X86Assembler::fstpl):
1215         * dfg/DFGJITCodeGenerator.h:
1216         (JSC::DFG::callOperation):
1217
1218 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1219
1220         Merge bug#68580, bug#68932 for DFG JIT with JSVALUE32_64
1221         https://bugs.webkit.org/show_bug.cgi?id=69017
1222
1223         Reviewed by Oliver Hunt.
1224
1225         * dfg/DFGJITCodeGenerator.h:
1226         (JSC::DFG::callOperation):
1227         * dfg/DFGOperations.cpp:
1228         * dfg/DFGSpeculativeJIT.cpp:
1229         (JSC::DFG::SpeculativeJIT::compile):
1230         * dfg/DFGSpeculativeJIT32_64.cpp:
1231         (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
1232         (JSC::DFG::SpeculativeJIT::compile):
1233
1234 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1235
1236         https://bugs.webkit.org/show_bug.cgi?id=64679
1237         Fix bugs in Array.prototype this handling.
1238
1239         Reviewed by Oliver Hunt.
1240
1241         * runtime/ArrayPrototype.cpp:
1242         (JSC::arrayProtoFuncJoin):
1243         (JSC::arrayProtoFuncConcat):
1244         (JSC::arrayProtoFuncPop):
1245         (JSC::arrayProtoFuncPush):
1246         (JSC::arrayProtoFuncReverse):
1247         (JSC::arrayProtoFuncShift):
1248         (JSC::arrayProtoFuncSlice):
1249         (JSC::arrayProtoFuncSort):
1250         (JSC::arrayProtoFuncSplice):
1251         (JSC::arrayProtoFuncUnShift):
1252         (JSC::arrayProtoFuncFilter):
1253         (JSC::arrayProtoFuncMap):
1254         (JSC::arrayProtoFuncEvery):
1255         (JSC::arrayProtoFuncForEach):
1256         (JSC::arrayProtoFuncSome):
1257         (JSC::arrayProtoFuncReduce):
1258         (JSC::arrayProtoFuncReduceRight):
1259         (JSC::arrayProtoFuncIndexOf):
1260         (JSC::arrayProtoFuncLastIndexOf):
1261             - These methods should throw if this value is undefined.
1262
1263 2011-09-27  Yuqiang Xian  <yuqiang.xian@intel.com>
1264
1265         Value profiling in baseline JIT for JSVALUE32_64
1266         https://bugs.webkit.org/show_bug.cgi?id=68750
1267
1268         Reviewed by Geoff Garen.
1269
1270         * jit/JITArithmetic32_64.cpp:
1271         (JSC::JIT::emit_op_mul):
1272         (JSC::JIT::emit_op_div):
1273         * jit/JITCall32_64.cpp:
1274         (JSC::JIT::emit_op_call_put_result):
1275         * jit/JITOpcodes32_64.cpp:
1276         (JSC::JIT::emit_op_resolve):
1277         (JSC::JIT::emit_op_resolve_base):
1278         (JSC::JIT::emit_op_resolve_skip):
1279         (JSC::JIT::emit_op_resolve_global):
1280         (JSC::JIT::emitSlow_op_resolve_global):
1281         (JSC::JIT::emit_op_resolve_with_base):
1282         (JSC::JIT::emit_op_resolve_with_this):
1283         * jit/JITPropertyAccess32_64.cpp:
1284         (JSC::JIT::emit_op_method_check):
1285         (JSC::JIT::emit_op_get_by_val):
1286         (JSC::JIT::emitSlow_op_get_by_val):
1287         (JSC::JIT::emit_op_get_by_id):
1288         (JSC::JIT::emitSlow_op_get_by_id):
1289         (JSC::JIT::emit_op_get_scoped_var):
1290         (JSC::JIT::emit_op_get_global_var):
1291         * jit/JITStubCall.h:
1292         (JSC::JITStubCall::callWithValueProfiling):
1293
1294 2011-09-28  Yuqiang Xian  <yuqiang.xian@intel.com>
1295
1296         Wrong integer checks in JSVALUE32_64 DFG JIT
1297         https://bugs.webkit.org/show_bug.cgi?id=68985
1298
1299         Reviewed by Geoffrey Garen.
1300
1301         * dfg/DFGJITCodeGenerator32_64.cpp:
1302         (JSC::DFG::JITCodeGenerator::fillDouble):
1303         * dfg/DFGSpeculativeJIT32_64.cpp:
1304         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1305
1306 2011-09-28  Adam Barth  <abarth@webkit.org>
1307
1308         Remove empty directories.
1309
1310         * wtf/brew: Removed.
1311         * wtf/unicode/brew: Removed.
1312
1313 2011-09-27  Filip Pizlo  <fpizlo@apple.com>
1314
1315         DFG JIT cannot compile op_new_object, op_new_array,
1316         op_new_array_buffer, or op_new_regexp
1317         https://bugs.webkit.org/show_bug.cgi?id=68580
1318
1319         Reviewed by Oliver Hunt.
1320         
1321         This implements all four opcodes, but has op_new_regexp turned off
1322         by default because it unveils some bad speculation logic when
1323         compiling string-validate-input.
1324         
1325         With op_new_regexp turned off, this is a 5% win on Kraken and a
1326         0.7% speed-up on V8. Neutral on SunSpider.
1327
1328         * dfg/DFGByteCodeParser.cpp:
1329         (JSC::DFG::ByteCodeParser::parseBlock):
1330         * dfg/DFGCapabilities.h:
1331         (JSC::DFG::canCompileOpcode):
1332         * dfg/DFGJITCodeGenerator.h:
1333         (JSC::DFG::callOperation):
1334         * dfg/DFGNode.h:
1335         (JSC::DFG::Node::hasConstantBuffer):
1336         (JSC::DFG::Node::startConstant):
1337         (JSC::DFG::Node::numConstants):
1338         (JSC::DFG::Node::hasRegexpIndex):
1339         (JSC::DFG::Node::regexpIndex):
1340         * dfg/DFGOperations.cpp:
1341         * dfg/DFGOperations.h:
1342         * dfg/DFGPropagator.cpp:
1343         (JSC::DFG::Propagator::propagateNodePredictions):
1344         * dfg/DFGSpeculativeJIT.cpp:
1345         (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
1346         (JSC::DFG::SpeculativeJIT::compile):
1347         * dfg/DFGSpeculativeJIT.h:
1348         (JSC::DFG::SpeculativeJIT::isKnownArray):
1349
1350 2011-09-27  Filip Pizlo  <fpizlo@apple.com>
1351
1352         DFG JIT should speculate more aggressively on reads of array.length
1353         https://bugs.webkit.org/show_bug.cgi?id=68932
1354
1355         Reviewed by Oliver Hunt.
1356         
1357         This is a 2% speed-up on Kraken, neutral elsewhere.
1358
1359         * dfg/DFGNode.h:
1360         * dfg/DFGPropagator.cpp:
1361         (JSC::DFG::Propagator::propagateNodePredictions):
1362         (JSC::DFG::Propagator::fixupNode):
1363         (JSC::DFG::Propagator::performNodeCSE):
1364         * dfg/DFGSpeculativeJIT.cpp:
1365         (JSC::DFG::SpeculativeJIT::compile):
1366
1367 2011-09-27  Gavin Barraclough  <barraclough@apple.com>
1368
1369         DFG JIT - merge changes between 95905 - 96175
1370         https://bugs.webkit.org/show_bug.cgi?id=68963
1371
1372         Reviewed by Sam Weinig.
1373
1374         Merge missing changes from bug#68677, bug#68784, bug#68785.
1375
1376         * dfg/DFGJITCompiler32_64.cpp:
1377         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1378         (JSC::DFG::JITCompiler::compileEntry):
1379         (JSC::DFG::JITCompiler::compileBody):
1380         * dfg/DFGSpeculativeJIT32_64.cpp:
1381         (JSC::DFG::SpeculativeJIT::compile):
1382
1383 2011-09-27  Gavin Barraclough  <barraclough@apple.com>
1384
1385         Get JSVALUE32_64 DFG JIT building on OS X.
1386         https://bugs.webkit.org/show_bug.cgi?id=68961
1387
1388         Reviewed by Geoff Garen.
1389
1390         * Merge bug #68763 (DFG JIT should not eagerly initialize integer tags in the register file).
1391         * Forward-declare functions in DFGOperations.cpp
1392         * UNUSED_PARAM for unused arguments
1393         * NO_RETURN for unimplemented functions that ASSERT_NOT_REACHED
1394         * Fix argument types handled by OpInfo constructor.
1395         * Use SYMBOL_STRING instead of STRINGIZE for asm symbols.
1396         * Add files to Xcode project.
1397
1398 2011-09-27  Yuqiang Xian  <yuqiang.xian@intel.com>
1399
1400         Bug fixes for GetById, PutById, and GetByOffset in JSVALUE32_64 DFG JIT
1401         https://bugs.webkit.org/show_bug.cgi?id=68755
1402
1403         Reviewed by Gavin Barraclough.
1404
1405         We need to load/store and repatch both tag and payload of a property
1406         for GetById/PutById. Also reorder the loads of tag and payload for
1407         GetByOffset as the result tag GPR could reuse the storage GPR.
1408
1409         * bytecode/StructureStubInfo.h:
1410         * dfg/DFGJITCodeGenerator32_64.cpp:
1411         (JSC::DFG::JITCodeGenerator::cachedGetById):
1412         (JSC::DFG::JITCodeGenerator::cachedPutById):
1413         * dfg/DFGJITCompiler.h:
1414         (JSC::DFG::JITCompiler::addPropertyAccess):
1415         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
1416         * dfg/DFGJITCompiler32_64.cpp:
1417         (JSC::DFG::JITCompiler::link):
1418         * dfg/DFGRepatch.cpp:
1419         (JSC::DFG::dfgRepatchByIdSelfAccess):
1420         * dfg/DFGSpeculativeJIT32_64.cpp:
1421         (JSC::DFG::SpeculativeJIT::compile):
1422
1423 2011-09-24  Gavin Barraclough  <barraclough@apple.com>
1424
1425         Macro assembler branch8 & 16 methods vary in treatment of upper bits
1426         https://bugs.webkit.org/show_bug.cgi?id=68301
1427
1428         Reviewed by Sam Weinig.
1429
1430         Fix for branch16 - remove it!
1431         No performance impact.
1432
1433         * assembler/MacroAssembler.h:
1434         * assembler/MacroAssemblerARM.h:
1435         * assembler/MacroAssemblerARMv7.h:
1436         * assembler/MacroAssemblerMIPS.h:
1437         * assembler/MacroAssemblerSH4.h:
1438         * assembler/MacroAssemblerX86Common.h:
1439         * yarr/YarrJIT.cpp:
1440         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
1441         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1442         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
1443         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
1444         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
1445
1446 2011-09-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1447
1448         Add static version of JSCell::getCallData
1449         https://bugs.webkit.org/show_bug.cgi?id=68741
1450
1451         Reviewed by Darin Adler.
1452
1453         In this patch we just extract the bodies of the virtual getCallData methods
1454         throughout the JSCell inheritance hierarchy out into static methods, which are 
1455         now called from the virtual methods.  This is an intermediate step in trying to 
1456         move the virtual-ness of getCallData into our own method table stored in 
1457         ClassInfo.  We need to convert the methods to static methods because static methods 
1458         can be represented as function pointers rather than pointers to member functions, and
1459         function pointers are smaller and faster to call than pointers to member functions.
1460
1461         * API/JSCallbackFunction.cpp:
1462         (JSC::JSCallbackFunction::getCallDataVirtual):
1463         (JSC::JSCallbackFunction::getCallData):
1464         * API/JSCallbackFunction.h:
1465         * API/JSCallbackObject.h:
1466         * API/JSCallbackObjectFunctions.h:
1467         (JSC::::getCallDataVirtual):
1468         (JSC::::getCallData):
1469         * API/JSObjectRef.cpp:
1470         (JSObjectIsFunction):
1471         (JSObjectCallAsFunction):
1472         * JavaScriptCore.exp:
1473         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1474         * interpreter/Interpreter.cpp:
1475         (JSC::Interpreter::privateExecute):
1476         * jit/JITStubs.cpp:
1477         (JSC::DEFINE_STUB_FUNCTION):
1478         * runtime/ArrayConstructor.cpp:
1479         (JSC::ArrayConstructor::getCallDataVirtual):
1480         (JSC::ArrayConstructor::getCallData):
1481         * runtime/ArrayConstructor.h:
1482         * runtime/BooleanConstructor.cpp:
1483         (JSC::BooleanConstructor::getCallDataVirtual):
1484         (JSC::BooleanConstructor::getCallData):
1485         * runtime/BooleanConstructor.h:
1486         * runtime/DateConstructor.cpp:
1487         (JSC::DateConstructor::getCallDataVirtual):
1488         (JSC::DateConstructor::getCallData):
1489         * runtime/DateConstructor.h:
1490         * runtime/Error.cpp:
1491         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
1492         (JSC::StrictModeTypeErrorFunction::getCallData):
1493         * runtime/ErrorConstructor.cpp:
1494         (JSC::ErrorConstructor::getCallDataVirtual):
1495         (JSC::ErrorConstructor::getCallData):
1496         * runtime/ErrorConstructor.h:
1497         * runtime/FunctionConstructor.cpp:
1498         (JSC::FunctionConstructor::getCallDataVirtual):
1499         (JSC::FunctionConstructor::getCallData):
1500         * runtime/FunctionConstructor.h:
1501         * runtime/FunctionPrototype.cpp:
1502         (JSC::FunctionPrototype::getCallDataVirtual):
1503         (JSC::FunctionPrototype::getCallData):
1504         * runtime/FunctionPrototype.h:
1505         * runtime/InternalFunction.h:
1506         * runtime/JSCell.cpp:
1507         (JSC::JSCell::getCallDataVirtual):
1508         (JSC::JSCell::getCallData):
1509         * runtime/JSCell.h:
1510         (JSC::getCallData):
1511         * runtime/JSFunction.cpp:
1512         (JSC::JSFunction::getCallDataVirtual):
1513         (JSC::JSFunction::getCallData):
1514         * runtime/JSFunction.h:
1515         * runtime/JSONObject.cpp:
1516         (JSC::Stringifier::Stringifier):
1517         (JSC::Stringifier::toJSON):
1518         (JSC::Stringifier::appendStringifiedValue):
1519         * runtime/JSObject.cpp:
1520         (JSC::JSObject::put):
1521         * runtime/NativeErrorConstructor.cpp:
1522         (JSC::NativeErrorConstructor::getCallDataVirtual):
1523         (JSC::NativeErrorConstructor::getCallData):
1524         * runtime/NativeErrorConstructor.h:
1525         * runtime/NumberConstructor.cpp:
1526         (JSC::NumberConstructor::getCallDataVirtual):
1527         (JSC::NumberConstructor::getCallData):
1528         * runtime/NumberConstructor.h:
1529         * runtime/ObjectConstructor.cpp:
1530         (JSC::ObjectConstructor::getCallDataVirtual):
1531         (JSC::ObjectConstructor::getCallData):
1532         * runtime/ObjectConstructor.h:
1533         * runtime/Operations.cpp:
1534         (JSC::jsTypeStringForValue):
1535         (JSC::jsIsObjectType):
1536         (JSC::jsIsFunctionType):
1537         * runtime/PropertySlot.cpp:
1538         (JSC::PropertySlot::functionGetter):
1539         * runtime/RegExpConstructor.cpp:
1540         (JSC::RegExpConstructor::getCallDataVirtual):
1541         (JSC::RegExpConstructor::getCallData):
1542         * runtime/RegExpConstructor.h:
1543         * runtime/StringConstructor.cpp:
1544         (JSC::StringConstructor::getCallDataVirtual):
1545         (JSC::StringConstructor::getCallData):
1546         * runtime/StringConstructor.h:
1547
1548 2011-09-27  Tim Horton  <timothy_horton@apple.com>
1549
1550         Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption
1551         https://bugs.webkit.org/show_bug.cgi?id=68816
1552         <rdar://problem/10186468>
1553
1554         Reviewed by Simon Fraser.
1555         
1556         Add ByteArray::clear, which zeros the memory in the ByteArray.
1557
1558         * wtf/ByteArray.h:
1559         (WTF::ByteArray::clear): Added.
1560
1561 2011-09-27  Sheriff Bot  <webkit.review.bot@gmail.com>
1562
1563         Unreviewed, rolling out r96131.
1564         http://trac.webkit.org/changeset/96131
1565         https://bugs.webkit.org/show_bug.cgi?id=68927
1566
1567         It made 18+ tests crash on all platforms (Requested by
1568         Ossy_night on #webkit).
1569
1570         * JavaScriptCore.exp:
1571         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1572         * interpreter/Interpreter.cpp:
1573         (JSC::Interpreter::throwException):
1574         * interpreter/Interpreter.h:
1575         * jsc.cpp:
1576         (GlobalObject::finishCreation):
1577         * parser/Parser.h:
1578         (JSC::Parser::parse):
1579         * runtime/CommonIdentifiers.h:
1580         * runtime/Error.cpp:
1581         (JSC::addErrorInfo):
1582         * runtime/Error.h:
1583
1584 2011-09-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1585
1586         De-virtualize JSCell::getPrimitiveNumber
1587         https://bugs.webkit.org/show_bug.cgi?id=68851
1588
1589         Reviewed by Darin Adler.
1590
1591         * JavaScriptCore.exp:
1592         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1593
1594         Changed JSCell::getPrimitiveNumber to manually handle the dispatch for 
1595         JSCells (JSObject and JSString in this case).
1596         * runtime/JSCell.cpp:
1597         (JSC::JSCell::getPrimitiveNumber):
1598         * runtime/JSCell.h:
1599
1600         Removed JSNotAnObject::getPrimitiveNumber since its return value doesn't 
1601         matter and it already implements defaultValue, so JSObject::getPrimitiveNumber
1602         can cover the case for JSNotAnObject.
1603         * runtime/JSNotAnObject.cpp:
1604         * runtime/JSNotAnObject.h:
1605
1606         De-virtualized JSObject::getPrimitiveNumber and JSString::getPrimitiveNumber 
1607         and changed them to be const.  Also made JSString::getPrimitiveNumber public 
1608         because it needs to be called from JSCell::getPrimitiveNumber and also since it's 
1609         no longer virtual, we want people who have a more specific pointer (JSString* 
1610         instead of JSCell*) to not have to pay the cost of a virtual method call.
1611         * runtime/JSObject.cpp:
1612         (JSC::JSObject::getPrimitiveNumber):
1613         * runtime/JSObject.h:
1614         * runtime/JSString.cpp:
1615         (JSC::JSString::getPrimitiveNumber):
1616         * runtime/JSString.h:
1617
1618 2011-09-27  Juan Carlos Montemayor Elosua  <j.mont@me.com>
1619
1620         Implement Error.stack
1621         https://bugs.webkit.org/show_bug.cgi?id=66994
1622
1623         Reviewed by Oliver Hunt.
1624
1625         This patch utilizes topCallFrame to create a stack trace when
1626         an error is thrown. Users will also be able to use the stack()
1627         command in jsc to get arrays with stack trace information.
1628
1629         * JavaScriptCore.exp:
1630         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1631         * interpreter/Interpreter.cpp:
1632         (JSC::getCallerLine):
1633         (JSC::getSourceURLFromCallFrame):
1634         (JSC::getStackFrameCodeType):
1635         (JSC::Interpreter::getStackTrace):
1636         (JSC::Interpreter::throwException):
1637         * interpreter/Interpreter.h:
1638         (JSC::StackFrame::toString):
1639         * jsc.cpp:
1640         (GlobalObject::finishCreation):
1641         (functionJSCStack):
1642         * parser/Parser.h:
1643         (JSC::Parser::parse):
1644         * runtime/CommonIdentifiers.h:
1645         * runtime/Error.cpp:
1646         (JSC::addErrorInfo):
1647         * runtime/Error.h:
1648
1649 2011-09-27  Carlos Garcia Campos  <cgarcia@igalia.com>
1650
1651         [GTK] Reorganize header files
1652         https://bugs.webkit.org/show_bug.cgi?id=65616
1653
1654         Reviewed by Martin Robinson.
1655
1656         Install header files under $libwebkitgtkincludedir/JavaScriptCore.
1657
1658         * GNUmakefile.am: Use $libwebkitgtkincludedir.
1659         * javascriptcoregtk.pc.in: Use webkitgtk-<api-version> as include dir.
1660
1661 2011-09-26  Geoffrey Garen  <ggaren@apple.com>
1662
1663         REGRESSION (r95912): Conservative marking doesn't filter out pointers to
1664         MarkedBlock metadata
1665         https://bugs.webkit.org/show_bug.cgi?id=68860
1666
1667         Reviewed by Oliver Hunt.
1668         
1669         Bencher says no performance change, maybe a 7% speedup on kraken-imaging-darkroom.
1670
1671         * heap/MarkedBlock.h:
1672         (JSC::MarkedBlock::isAtomAligned): Renamed atomMask to atomAlignmentMask
1673         because the mask doesn't produce the actual atom number.
1674
1675         (JSC::MarkedBlock::isLiveCell): Testing just for alignment isn't good
1676         enough; we also need to test that a pointer is beyond the metadata section
1677         of a MarkedBlock, to avoid treating random metadata as a JSCell.
1678
1679 2011-09-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1680
1681         Make JSCell::toBoolean non-virtual
1682         https://bugs.webkit.org/show_bug.cgi?id=67727
1683
1684         Reviewed by Geoffrey Garen.
1685
1686         JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
1687         before it was simply virtual and would crash if its implementation was called). 
1688         Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
1689         explicitly covers all cases of toBoolean, so having a virtual implementation of 
1690         JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.
1691
1692         * JavaScriptCore.exp:
1693         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1694         * runtime/JSCell.cpp:
1695         * runtime/JSCell.h:
1696         * runtime/JSNotAnObject.cpp:
1697         * runtime/JSNotAnObject.h:
1698         * runtime/JSObject.h:
1699         * runtime/JSString.h:
1700         (JSC::JSCell::toBoolean):
1701         (JSC::JSValue::toBoolean):
1702
1703 2011-09-26  Chris Marrin  <cmarrin@apple.com>
1704
1705         Enable requestAnimationFrame on Windows
1706         https://bugs.webkit.org/show_bug.cgi?id=68397
1707
1708         Reviewed by Simon Fraser.
1709
1710         Enabled REQUEST_ANIMATION_FRAME_TIMER for Windows
1711
1712         * wtf/Platform.h:
1713
1714 2011-09-26  Noel Gordon  <noel.gordon@gmail.com>
1715
1716         [Chromium] Remove DFGAliasTracker.h references from gyp project files
1717         https://bugs.webkit.org/show_bug.cgi?id=68787
1718
1719         Reviewed by Geoffrey Garen.
1720
1721         DFG/DFGAliasTracker.h was removed in r95389.  Cleanup (remove) references
1722         to that file from the gyp project files.
1723
1724         * JavaScriptCore.gypi:
1725
1726 2011-09-26  Zoltan Herczeg  <zherczeg@webkit.org>
1727
1728         [Qt] REGRESSION(r95865): It made 4 tests crash
1729         https://bugs.webkit.org/show_bug.cgi?id=68780
1730         
1731         Reviewed by Oliver Hunt.
1732
1733         emitJumpSlowCaseIfNotJSCell(...) cannot be moved
1734         away since the next load depends on it.
1735
1736         * jit/JITPropertyAccess32_64.cpp:
1737         (JSC::JIT::emit_op_put_by_val):
1738
1739 2011-09-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1740
1741         Add custom vtable struct to ClassInfo struct
1742         https://bugs.webkit.org/show_bug.cgi?id=68567
1743
1744         Reviewed by Oliver Hunt.
1745
1746         Declared/defined the MethodTable struct and added it to the ClassInfo struct.
1747         Also defined the CREATE_METHOD_TABLE macro to generate these method tables 
1748         succinctly where they need to be defined.
1749
1750         Also added to it the first function to use this macro, visitChildren. 
1751
1752         This is part of the process of getting rid of all C++ virtual methods in JSCell.  
1753         Eventually all virtual functions in JSCell that can't easily be converted to 
1754         non-virtual functions will be put into this custom vtable structure.
1755         * runtime/ClassInfo.h:
1756
1757         Added the CREATE_METHOD_TABLE macro call as the last argument to each of the 
1758         ClassInfo structs declared in these classes.  This saves us from having to visit 
1759         each s_info definition in the future when we add more methods to the MethodTable.
1760         * API/JSCallbackConstructor.cpp:
1761         * API/JSCallbackFunction.cpp:
1762         * API/JSCallbackObject.cpp:
1763         * JavaScriptCore.exp:
1764         * runtime/Arguments.cpp:
1765         * runtime/ArrayConstructor.cpp:
1766         * runtime/ArrayPrototype.cpp:
1767         * runtime/BooleanObject.cpp:
1768         * runtime/BooleanPrototype.cpp:
1769         * runtime/DateConstructor.cpp:
1770         * runtime/DateInstance.cpp:
1771         * runtime/DatePrototype.cpp:
1772         * runtime/ErrorInstance.cpp:
1773         * runtime/ErrorPrototype.cpp:
1774         * runtime/ExceptionHelpers.cpp:
1775         * runtime/Executable.cpp:
1776         * runtime/GetterSetter.cpp:
1777         * runtime/InternalFunction.cpp:
1778         * runtime/JSAPIValueWrapper.cpp:
1779         * runtime/JSActivation.cpp:
1780         * runtime/JSArray.cpp:
1781         * runtime/JSByteArray.cpp:
1782         * runtime/JSFunction.cpp:
1783         * runtime/JSGlobalObject.cpp:
1784         * runtime/JSONObject.cpp:
1785         * runtime/JSObject.cpp:
1786         * runtime/JSPropertyNameIterator.cpp:
1787         * runtime/JSString.cpp:
1788         * runtime/MathObject.cpp:
1789         * runtime/NativeErrorConstructor.cpp:
1790         * runtime/NumberConstructor.cpp:
1791         * runtime/NumberObject.cpp:
1792         * runtime/NumberPrototype.cpp:
1793         * runtime/ObjectConstructor.cpp:
1794         * runtime/ObjectPrototype.cpp:
1795         * runtime/RegExp.cpp:
1796         * runtime/RegExpConstructor.cpp:
1797         * runtime/RegExpObject.cpp:
1798         * runtime/RegExpPrototype.cpp:
1799         * runtime/ScopeChain.cpp:
1800         * runtime/StringConstructor.cpp:
1801         * runtime/StringObject.cpp:
1802         * runtime/StringPrototype.cpp:
1803         * runtime/Structure.cpp:
1804         * runtime/StructureChain.cpp:
1805
1806         Had to make visitChildren and visitChildrenVirtual protected instead of private
1807         because some of the subclasses of JSWrapperObject need access to JSWrapperObject's
1808         visitChildren function pointer in their vtable since they don't provide their own
1809         implementation. Same for RegExpObject.
1810         * runtime/JSWrapperObject.h:
1811         * runtime/RegExpObject.h:
1812
1813 2011-09-25  Adam Barth  <abarth@webkit.org>
1814
1815         Finish removing PLATFORM(BREWMP) by removing associated code
1816         https://bugs.webkit.org/show_bug.cgi?id=68779
1817
1818         Reviewed by Sam Weinig.
1819
1820         * JavaScriptCore.gyp/JavaScriptCore.gyp:
1821         * JavaScriptCore.gypi:
1822         * gyp/JavaScriptCore.gyp:
1823         * wscript:
1824         * wtf/FastMalloc.cpp:
1825         (WTF::fastMallocSize):
1826         * wtf/Vector.h:
1827         * wtf/brew: Removed.
1828         * wtf/brew/MainThreadBrew.cpp: Removed.
1829         * wtf/brew/OwnPtrBrew.cpp: Removed.
1830         * wtf/brew/RefPtrBrew.h: Removed.
1831         * wtf/brew/ShellBrew.h: Removed.
1832         * wtf/brew/StringBrew.cpp: Removed.
1833         * wtf/brew/SystemMallocBrew.h: Removed.
1834         * wtf/unicode/brew: Removed.
1835         * wtf/unicode/brew/UnicodeBrew.cpp: Removed.
1836         * wtf/unicode/brew/UnicodeBrew.h: Removed.
1837
1838 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
1839
1840         DFG JIT does not count speculation successes correctly
1841         https://bugs.webkit.org/show_bug.cgi?id=68785
1842
1843         Reviewed by Geoffrey Garen.
1844
1845         * dfg/DFGJITCompiler.cpp:
1846         (JSC::DFG::JITCompiler::compileEntry):
1847         (JSC::DFG::JITCompiler::compileBody):
1848         * dfg/DFGOperations.cpp:
1849
1850 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
1851
1852         DFG support for op_resolve_global is not enabled
1853         https://bugs.webkit.org/show_bug.cgi?id=68786
1854
1855         Reviewed by Geoffrey Garen.
1856
1857         * dfg/DFGCapabilities.h:
1858         (JSC::DFG::canCompileOpcode):
1859
1860 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
1861
1862         DFG static prediction code is no longer needed and should be removed
1863         https://bugs.webkit.org/show_bug.cgi?id=68784
1864
1865         Reviewed by Oliver Hunt.
1866         
1867         This gets rid of static prediction code, and ensures that we do not
1868         try to compile code where dynamic predictions are not available.
1869         This is accomplished by immediately performing an OSR exit wherever
1870         a value is retrieved for which no predictions exist.
1871         
1872         This also adds value profiling for this on functions used for calls.
1873         
1874         The heuristics for deciding when to optimize code are also tweaked,
1875         since it is now profitable to optimize sooner. This may need to be
1876         tweaked further, but this patch only makes minimal changes.
1877         
1878         This results in a 16% speed-up on Kraken/ai-astar, leading to a 3%
1879         overall win on Kraken.  It's neutral elsewhere.
1880
1881         * bytecode/CodeBlock.cpp:
1882         (JSC::CodeBlock::shouldOptimizeNow):
1883         (JSC::CodeBlock::dumpValueProfiles):
1884         * bytecode/CodeBlock.h:
1885         * bytecode/PredictedType.cpp:
1886         (JSC::predictionToString):
1887         * bytecode/PredictedType.h:
1888         (JSC::isCellPrediction):
1889         (JSC::isObjectPrediction):
1890         (JSC::isFinalObjectPrediction):
1891         (JSC::isStringPrediction):
1892         (JSC::isArrayPrediction):
1893         (JSC::isInt32Prediction):
1894         (JSC::isDoublePrediction):
1895         (JSC::isNumberPrediction):
1896         (JSC::isBooleanPrediction):
1897         (JSC::mergePredictions):
1898         * bytecode/PredictionTracker.h:
1899         (JSC::PredictionTracker::predictArgument):
1900         (JSC::PredictionTracker::predict):
1901         (JSC::PredictionTracker::predictGlobalVar):
1902         * bytecode/ValueProfile.cpp:
1903         (JSC::ValueProfile::computeUpdatedPrediction):
1904         * dfg/DFGByteCodeParser.cpp:
1905         (JSC::DFG::ByteCodeParser::set):
1906         (JSC::DFG::ByteCodeParser::addCall):
1907         (JSC::DFG::ByteCodeParser::getPrediction):
1908         (JSC::DFG::ByteCodeParser::parseBlock):
1909         * dfg/DFGGraph.cpp:
1910         (JSC::DFG::Graph::predictArgumentTypes):
1911         * dfg/DFGGraph.h:
1912         (JSC::DFG::Graph::predict):
1913         (JSC::DFG::Graph::predictGlobalVar):
1914         (JSC::DFG::Graph::getMethodCheckPrediction):
1915         (JSC::DFG::Graph::getJSConstantPrediction):
1916         (JSC::DFG::Graph::getPrediction):
1917         * dfg/DFGJITCodeGenerator.cpp:
1918         (JSC::DFG::JITCodeGenerator::writeBarrier):
1919         (JSC::DFG::JITCodeGenerator::emitBranch):
1920         * dfg/DFGJITCompiler.h:
1921         (JSC::DFG::JITCompiler::getPrediction):
1922         * dfg/DFGNode.h:
1923         (JSC::DFG::Node::valueOfJSConstantNode):
1924         (JSC::DFG::Node::isInt32Constant):
1925         (JSC::DFG::Node::isDoubleConstant):
1926         (JSC::DFG::Node::isNumberConstant):
1927         (JSC::DFG::Node::isBooleanConstant):
1928         (JSC::DFG::Node::predict):
1929         * dfg/DFGPropagator.cpp:
1930         (JSC::DFG::Propagator::Propagator):
1931         (JSC::DFG::Propagator::propagateNodePredictions):
1932         (JSC::DFG::Propagator::fixupNode):
1933         (JSC::DFG::Propagator::isPredictedNumerical):
1934         (JSC::DFG::Propagator::logicalNotIsPure):
1935         * dfg/DFGSpeculativeJIT.cpp:
1936         (JSC::DFG::SpeculativeJIT::compile):
1937         * dfg/DFGSpeculativeJIT.h:
1938         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
1939         (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
1940         (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
1941         (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
1942         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
1943         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
1944         (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
1945         (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
1946         * jit/JIT.cpp:
1947         (JSC::JIT::privateCompile):
1948
1949 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
1950
1951         DFG JIT Construct opcode takes a this argument even though it's
1952         not passed
1953         https://bugs.webkit.org/show_bug.cgi?id=68782
1954
1955         Reviewed by Oliver Hunt.
1956         
1957         This is performance-neutral, mostly. It's a slight speed-up on
1958         v8-splay.
1959         
1960         * dfg/DFGByteCodeParser.cpp:
1961         (JSC::DFG::ByteCodeParser::addCall):
1962         * dfg/DFGJITCodeGenerator.cpp:
1963         (JSC::DFG::JITCodeGenerator::emitCall):
1964
1965 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
1966
1967         DFG tracking of the value in cachedResultRegister does not handle
1968         op_mov correctly
1969         https://bugs.webkit.org/show_bug.cgi?id=68781
1970
1971         Reviewed by Oliver Hunt.
1972         
1973         This takes the simplest approach: it makes the old JIT dumber rather
1974         than making the DFG JIT smarter. This is performance-neutral.
1975
1976         * jit/JIT.h:
1977         (JSC::JIT::canBeOptimized):
1978         * jit/JITOpcodes.cpp:
1979         (JSC::JIT::emit_op_mov):
1980
1981 2011-09-25  Adam Barth  <abarth@webkit.org>
1982
1983         Remove PLATFORM(HAIKU) and associated code
1984         https://bugs.webkit.org/show_bug.cgi?id=68774
1985
1986         Reviewed by Sam Weinig.
1987
1988         * JavaScriptCore.gyp/JavaScriptCore.gyp:
1989         * JavaScriptCore.gypi:
1990         * gyp/JavaScriptCore.gyp:
1991         * heap/MachineStackMarker.cpp:
1992         * wtf/PageAllocation.h:
1993         * wtf/Platform.h:
1994         * wtf/StackBounds.cpp:
1995         * wtf/haiku: Removed.
1996         * wtf/haiku/MainThreadHaiku.cpp: Removed.
1997         * wtf/haiku/StringHaiku.cpp: Removed.
1998         * wtf/text/WTFString.h:
1999
2000 2011-09-24  Adam Barth  <abarth@webkit.org>
2001
2002         Always enable ENABLE(OFFLINE_WEB_APPLICATIONS)
2003         https://bugs.webkit.org/show_bug.cgi?id=68767
2004
2005         Reviewed by Eric Seidel.
2006
2007         * Configurations/FeatureDefines.xcconfig:
2008
2009 2011-09-24  Filip Pizlo  <fpizlo@apple.com>
2010
2011         JIT implementation of put_by_val increments m_length instead of setting
2012         it to index+1
2013         https://bugs.webkit.org/show_bug.cgi?id=68766
2014
2015         Reviewed by Geoffrey Garen.
2016
2017         * jit/JITPropertyAccess.cpp:
2018         (JSC::JIT::emit_op_put_by_val):
2019
2020 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
2021
2022         More build fixage.
2023
2024         * heap/ConservativeRoots.cpp: Our system of #includes, it is chaos.
2025
2026 2011-09-24  Filip Pizlo  <fpizlo@apple.com>
2027
2028         The DFG should not attempt to guess types in the absence of value
2029         profiles
2030         https://bugs.webkit.org/show_bug.cgi?id=68677
2031
2032         Reviewed by Oliver Hunt.
2033         
2034         This adds the ForceOSRExit node, which is ignored by the propagator
2035         and virtual register allocator (hence ensuring that liveness analysis
2036         works correctly), but forces terminateSpeculativeExecution() in the
2037         back-end. This appears to be a slight speed-up on benchmark averages,
2038         with ~5% swings on individual benchmarks, in both directions. But it's
2039         never a regression on any average, and appears to be a ~1% progression
2040         in the SunSpider average.
2041         
2042         This also adds a bit better debugging support in the old JIT and in DFG,
2043         as this was necessary to debug the much more frequent OSR transitions
2044         that occur with this change.
2045
2046         * dfg/DFGByteCodeParser.cpp:
2047         (JSC::DFG::ByteCodeParser::addCall):
2048         (JSC::DFG::ByteCodeParser::getStrongPrediction):
2049         (JSC::DFG::ByteCodeParser::parseBlock):
2050         * dfg/DFGJITCompiler.cpp:
2051         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2052         * dfg/DFGNode.h:
2053         * dfg/DFGPropagator.cpp:
2054         (JSC::DFG::Propagator::propagateNodePredictions):
2055         * dfg/DFGSpeculativeJIT.cpp:
2056         (JSC::DFG::SpeculativeJIT::compile):
2057         * jit/JIT.cpp:
2058         (JSC::JIT::privateCompileMainPass):
2059         (JSC::JIT::privateCompileSlowCases):
2060         (JSC::JIT::privateCompile):
2061         * jit/JIT.h:
2062
2063 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
2064
2065         Some Windows build fixage.
2066
2067         * heap/MarkedBlock.cpp:
2068         (JSC::MarkedBlock::sweep):
2069         * heap/MarkedBlock.h:
2070         (JSC::MarkedBlock::isLive): Show the compiler that all control paths
2071         return a value. There, there, compiler. Everything's going to be OK.
2072
2073         * runtime/JSCell.h:
2074         (JSC::JSCell::setVPtr): Oops! Unrename this function.
2075
2076 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
2077
2078         Allocate new objects unmarked
2079         https://bugs.webkit.org/show_bug.cgi?id=68764
2080
2081         Reviewed by Oliver Hunt.
2082         
2083         This is a pre-requisite to using the mark bit to determine object age.
2084
2085         ~2% v8 speedup, mostly due to a 12% v8-splay speedup.
2086
2087         * heap/MarkedBlock.h:
2088         (JSC::MarkedBlock::isLive):
2089         (JSC::MarkedBlock::isLiveCell): These two functions are the reason for
2090         this patch. They can now determine object liveness without relying on
2091         newly allocated objects having their mark bits set. Each MarkedBlock
2092         now has a state variable that tells us how to determine whether its
2093         cells are live. (This new state variable supersedes the old one about
2094         destructor state. The rest of this patch is just refactoring to support
2095         the invariants of this new state variable without introducing a
2096         performance regression.)
2097
2098         (JSC::MarkedBlock::didConsumeFreeList): New function for updating internal
2099         state when a block becomes fully allocated.
2100
2101         (JSC::MarkedBlock::clearMarks): Folded a state change to 'Marked' into
2102         this function because, logically, clearing all mark bits is the first
2103         step in saying "mark bits now exactly reflect object liveness".
2104
2105         (JSC::MarkedBlock::markCountIsZero): Renamed from isEmpty() to clarify
2106         that this function only tells you about the mark bits, so it's only
2107         meaningful if you've put the mark bits into a meaningful state before
2108         calling it.
2109
2110         (JSC::MarkedBlock::forEachCell): Changed to use isLive() helper function
2111         instead of testing mark bits, since mark bits are not always the right
2112         way to find out if an object is live anymore. (New objects are live, but
2113         not marked.)
2114
2115         * heap/MarkedBlock.cpp:
2116         (JSC::MarkedBlock::recycle):
2117         (JSC::MarkedBlock::MarkedBlock): Folded all initialization -- even
2118         initialization when recycling an old block -- into the MarkedBlock
2119         constructor, for simplicity.
2120
2121         (JSC::MarkedBlock::callDestructor): Inlined for speed. Always check for
2122         a zapped cell before running a destructor, and always zap after
2123         running a destructor. This does not seem to be expensive, and the
2124         alternative just creates a too-confusing matrix of possible cell states
2125         ((zombie undestructed cell + zombie destructed cell + zapped destructed
2126         cell) * 5! permutations for progressing through block states = "Oh my!").
2127
2128         (JSC::MarkedBlock::specializedSweep):
2129         (JSC::MarkedBlock::sweep): Maintained and expanded a pre-existing
2130         optimization to use template specialization to constant fold lots of
2131         branches and elide certain operations entirely during a sweep. Merged
2132         four or five functions that were logically about sweeping into this one
2133         function pair, so there's only one way to do things now, it's
2134         automatically correct, and it's always fast.
2135
2136         (JSC::MarkedBlock::zapFreeList): Renamed this function to be more explicit
2137         about exactly what it does, and to honor the new block state system.
2138
2139         * heap/AllocationSpace.cpp:
2140         (JSC::AllocationSpace::allocateBlock): Updated for rename.
2141
2142         (JSC::AllocationSpace::freeBlocks): Updated for changed interface.
2143
2144         (JSC::TakeIfUnmarked::TakeIfUnmarked):
2145         (JSC::TakeIfUnmarked::operator()):
2146         (JSC::TakeIfUnmarked::returnValue): Just like isEmpty() above, renamed
2147         to clarify that this functor only tests the mark bits, so it's only
2148         valid if you've put the mark bits into a meaningful state before
2149         calling it.
2150         
2151         (JSC::AllocationSpace::shrink): Updated for rename.
2152
2153         * heap/AllocationSpace.h:
2154         (JSC::AllocationSpace::canonicalizeCellLivenessData): Renamed to be a
2155         little more specific about what we're making canonical.
2156
2157         (JSC::AllocationSpace::forEachCell): Updated for rename.
2158
2159         (JSC::AllocationSpace::forEachBlock): No need to canonicalize cell
2160         liveness data before iterating blocks -- clients that want iterated
2161         blocks to have valid cell liveness data should make this call for
2162         themselves. (And not all clients want it.)
2163
2164         * heap/ConservativeRoots.cpp:
2165         (JSC::ConservativeRoots::genericAddPointer): Updated for rename. Removed
2166         obsolete comment.
2167
2168         * heap/Heap.cpp:
2169         (JSC::CountFunctor::ClearMarks::operator()): Removed call to notify...()
2170         because clearMarks() now does that implicitly.
2171
2172         (JSC::Heap::destroy): Make sure to canonicalize before tear-down, since
2173         tear-down tests cell liveness when running destructors.
2174
2175         (JSC::Heap::markRoots):
2176         (JSC::Heap::collect): Moved weak reference harvesting out of markRoots()
2177         and into collect, since it strictly depends on root marking, and does
2178         not contribute to root marking.
2179
2180         (JSC::Heap::canonicalizeCellLivenessData): Renamed to be a little more
2181         specific about what we're making canonical.
2182
2183         * heap/Heap.h:
2184         (JSC::Heap::forEachProtectedCell): No need to canonicalize cell liveness
2185         data before iterating protected cells, since we know they're all live,
2186         and don't need to test for it.
2187
2188         * heap/Local.h:
2189         (JSC::::set): Can't make the same ASSERT we used to because we just don't
2190         have the mark bits for it anymore. Perhaps we can bring this ASSERT back
2191         in a weaker form in the future.
2192
2193         * heap/MarkedSpace.cpp:
2194         (JSC::MarkedSpace::addBlock):
2195         (JSC::MarkedSpace::removeBlock): Updated for interface change.
2196         (JSC::MarkedSpace::canonicalizeCellLivenessData): Renamed to be a little more
2197         specific about what we're making canonical.
2198
2199         * heap/MarkedSpace.h:
2200         (JSC::MarkedSpace::allocate):
2201         (JSC::MarkedSpace::SizeClass::SizeClass):
2202         (JSC::MarkedSpace::SizeClass::resetAllocator):
2203         (JSC::MarkedSpace::SizeClass::zapFreeList): Simplified this allocator
2204         functionality a bit. We now track only one block -- "currentBlock" --
2205         and rely on its internal state to know whether it has more cells to
2206         allocate.
2207
2208         * heap/Weak.h:
2209         (JSC::Weak::set): Can't make the same ASSERT we used to because we just don't
2210         have the mark bits for it anymore. Perhaps we can bring this ASSERT back
2211         in a weaker form in the future.
2212
2213         * runtime/JSCell.h:
2214         (JSC::JSCell::vptr):
2215         (JSC::JSCell::zap):
2216         (JSC::JSCell::isZapped):
2217         (JSC::isZapped): Made zapping a property of JSCell, for a little abstraction.
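
        The two heap entries above (the r95912 regression fix to isLiveCell, and this
        "Allocate new objects unmarked" change) describe why a conservative root
        scanner must reject atom-aligned pointers that land in a MarkedBlock's
        metadata, and why liveness is read from a per-block state rather than from
        the mark bits alone once new cells are allocated unmarked. The following is
        an added illustrative model written for this page, not JavaScriptCore's code:
        the block size, atom size, three-state model and every name in it are
        assumptions of the example, chosen so the two filters and the state-dependent
        liveness test can be exercised in isolation.

```cpp
// Added illustrative model, not JavaScriptCore's code.  It models the two
// filters a conservative root scanner applies before treating an arbitrary
// word found on the machine stack as a cell pointer (atom alignment, and
// lying past the block's metadata), and decides liveness from a per-block
// state so that newly allocated, never-marked cells still count as live.
// Sizes, names and the three-state model are assumptions of this example.
#include <bitset>
#include <cstddef>
#include <cstdint>

namespace toyheap {

constexpr std::size_t blockSize = 4096;          // assumed block granule
constexpr std::size_t atomSize = 16;             // assumed cell granule
constexpr std::size_t atomsPerBlock = blockSize / atomSize;

enum class State { FreeListed, Allocated, Marked };

// Metadata lives at the start of every block.  A conservative pointer into
// this region is atom-aligned, so the alignment test alone cannot reject it.
struct Metadata {
    State state = State::FreeListed;
    std::bitset<atomsPerBlock> inUse;   // cells handed out while FreeListed
    std::bitset<atomsPerBlock> marks;   // authoritative only while Marked
};

struct alignas(blockSize) Block {
    Metadata meta;

    // First atom that lies entirely past the metadata.
    static constexpr std::size_t firstAtom = (sizeof(Metadata) + atomSize - 1) / atomSize;

    static bool isAtomAligned(const void* p) {
        return (reinterpret_cast<std::uintptr_t>(p) & (atomSize - 1)) == 0;
    }
    bool contains(const void* p) const {
        std::uintptr_t base = reinterpret_cast<std::uintptr_t>(this);
        std::uintptr_t q = reinterpret_cast<std::uintptr_t>(p);
        return q >= base && q < base + blockSize;
    }
    std::size_t atomNumber(const void* p) const {
        return (reinterpret_cast<std::uintptr_t>(p) - reinterpret_cast<std::uintptr_t>(this)) / atomSize;
    }
    void* cell(std::size_t atom) { return reinterpret_cast<char*>(this) + atom * atomSize; }

    // Hand out the lowest free atom past the metadata, leaving it unmarked.
    void* allocate() {
        for (std::size_t a = firstAtom; a < atomsPerBlock; ++a) {
            if (!meta.inUse.test(a)) {
                meta.inUse.set(a);
                return cell(a);
            }
        }
        return nullptr;
    }
    void didConsumeFreeList() { meta.state = State::Allocated; }
    // Clearing marks is the first step of "mark bits now reflect liveness".
    void clearMarks() { meta.marks.reset(); meta.state = State::Marked; }
    void mark(const void* p) { meta.marks.set(atomNumber(p)); }

    // Liveness of an atom, interpreted according to the block's state.
    bool isLive(std::size_t atom) const {
        switch (meta.state) {
        case State::FreeListed: return meta.inUse.test(atom);
        case State::Allocated:  return true;
        case State::Marked:     return meta.marks.test(atom);
        }
        return false;
    }

    // The conservative filter: reject anything the block cannot vouch for.
    // The real collector first checks p against its set of known blocks;
    // here the candidate block is given and only its range is re-checked.
    bool isLiveCell(const void* p) const {
        if (!contains(p) || !isAtomAligned(p))
            return false;
        std::size_t atom = atomNumber(p);
        if (atom < firstAtom)        // points into the metadata, not at a cell
            return false;
        return isLive(atom);
    }
};
static_assert(sizeof(Block) == blockSize, "metadata must fit in one block");

// Scan a constructed "stack" of words and count those accepted as roots.
std::size_t countConservativeRoots(const Block& block, const void* const* words, std::size_t n) {
    std::size_t roots = 0;
    for (std::size_t i = 0; i < n; ++i)
        if (block.isLiveCell(words[i]))
            ++roots;
    return roots;
}

} // namespace toyheap
```

        The point the model makes concrete: a pointer to the block's own header
        passes the alignment test and is rejected only by the metadata test, which is
        what keeps the collector from reading a fake vptr out of the mark bitmap; and
        after clearMarks() puts the block in the Marked state, an unmarked cell that
        was live a moment earlier is reported dead, exactly as the mark phase expects.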
2218         In the future, exactly how a JSCell zaps itself will change, as the
2219         internal representation of JSCell changes.
2220
2221 2011-09-24  Filip Pizlo  <fpizlo@apple.com>
2222
2223         DFG JIT should not eagerly initialize integer tags in the register file
2224         https://bugs.webkit.org/show_bug.cgi?id=68763
2225
2226         Reviewed by Oliver Hunt.
2227
2228         * dfg/DFGJITCompiler.cpp:
2229         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2230         * dfg/DFGSpeculativeJIT.cpp:
2231         (JSC::DFG::ValueRecovery::dump):
2232         (JSC::DFG::OSRExit::OSRExit):
2233         (JSC::DFG::SpeculativeJIT::compile):
2234         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2235         * dfg/DFGSpeculativeJIT.h:
2236         (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedInt32):
2237         (JSC::DFG::OSRExit::operandForArgument):
2238         (JSC::DFG::OSRExit::operandForIndex):
2239         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2240
2241 2011-09-23  Yuqiang Xian  <yuqiang.xian@intel.com>
2242
2243         Add JSVALUE32_64 support to DFG JIT
2244         https://bugs.webkit.org/show_bug.cgi?id=67460
2245
2246         Reviewed by Gavin Barraclough.
2247
2248         This is the initial attempt to add JSVALUE32_64 support to DFG JIT.
2249         It's tested on IA32 Linux EFL port currently. It still cannot run
2250         all the test cases and benchmarks so should be turned off now.
2251         
2252         The major work includes:
2253         1) dealing with JSVALUE32_64 data format in DFG JIT;
2254         2) bindings between 64-bit JS Value and 32-bit registers;
2255         3) handling of function calls. Currently for DFG operation function
2256         calls we follow the X86 cdecl calling convention on Linux, and the
2257         implementation is in a naive way by pushing the arguments into stack
2258         one by one.
2259         
2260         The known issues include:
2261         1) some code is duplicated unnecessarily, especially in Speculative JIT
2262         code generation, where most of the operations on SpeculateInteger /
2263         SpeculateDouble should be identical to the JSVALUE64 code. Refactoring
2264         is needed in the future;
2265         2) lack of op_call and op_construct support, compared to the current
2266         JSVALUE64 DFG;
2267         3) currently integer speculations are assumed to be StrictInt32;
2268         4) lack of JSBoolean speculations;
2269         5) boxing and unboxing doubles could be improved;
2270         6) the DFG X86 register description is different from the baseline JIT's;
2271         the timeoutCheckRegister is used for general purpose usage;
2272         7) calls to runtime functions with primitive double parameters (e.g.
2273         fmod) don't work. Support needs to be added to the assembler to
2274         implement the mechanism of passing double parameters for X86 cdecl
2275         convention.
2276         
2277         And there should be many other hidden bugs which should be exposed and
2278         resolved in later debugging process.
2279
2280         * CMakeListsEfl.txt:
2281         * assembler/MacroAssemblerX86.h:
2282         (JSC::MacroAssemblerX86::loadDouble):
2283         (JSC::MacroAssemblerX86::storeDouble):
2284         * assembler/X86Assembler.h:
2285         (JSC::X86Assembler::movsd_rm):
2286         * bytecode/StructureStubInfo.h:
2287         * dfg/DFGByteCodeParser.cpp:
2288         (JSC::DFG::ByteCodeParser::parseBlock):
2289         * dfg/DFGCapabilities.h:
2290         (JSC::DFG::canCompileOpcode):
2291         * dfg/DFGFPRInfo.h:
2292         (JSC::DFG::FPRInfo::debugName):
2293         * dfg/DFGGPRInfo.h:
2294         (JSC::DFG::GPRInfo::toRegister):
2295         (JSC::DFG::GPRInfo::toIndex):
2296         (JSC::DFG::GPRInfo::debugName):
2297         * dfg/DFGGenerationInfo.h:
2298         (JSC::DFG::needDataFormatConversion):
2299         (JSC::DFG::GenerationInfo::initJSValue):
2300         (JSC::DFG::GenerationInfo::initDouble):
2301         (JSC::DFG::GenerationInfo::gpr):
2302         (JSC::DFG::GenerationInfo::tagGPR):
2303         (JSC::DFG::GenerationInfo::payloadGPR):
2304         (JSC::DFG::GenerationInfo::fpr):
2305         (JSC::DFG::GenerationInfo::fillJSValue):
2306         (JSC::DFG::GenerationInfo::fillCell):
2307         (JSC::DFG::GenerationInfo::fillDouble):
2308         * dfg/DFGJITCodeGenerator.cpp:
2309         * dfg/DFGJITCodeGenerator.h:
2310         (JSC::DFG::JITCodeGenerator::allocate):
2311         (JSC::DFG::JITCodeGenerator::use):
2312         (JSC::DFG::JITCodeGenerator::registersMatched):
2313         (JSC::DFG::JITCodeGenerator::silentSpillGPR):
2314         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2315         (JSC::DFG::JITCodeGenerator::silentFillFPR):
2316         (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
2317         (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):
2318         (JSC::DFG::JITCodeGenerator::boxDouble):
2319         (JSC::DFG::JITCodeGenerator::unboxDouble):
2320         (JSC::DFG::JITCodeGenerator::spill):
2321         (JSC::DFG::addressOfDoubleConstant):
2322         (JSC::DFG::integerResult):
2323         (JSC::DFG::jsValueResult):
2324         (JSC::DFG::setupResults):
2325         (JSC::DFG::callOperation):
2326         (JSC::JSValueOperand::JSValueOperand):
2327         (JSC::JSValueOperand::~JSValueOperand):
2328         (JSC::JSValueOperand::isDouble):
2329         (JSC::JSValueOperand::fill):
2330         (JSC::JSValueOperand::tagGPR):
2331         (JSC::JSValueOperand::payloadGPR):
2332         (JSC::JSValueOperand::fpr):
2333         (JSC::GPRTemporary::~GPRTemporary):
2334         (JSC::GPRTemporary::gpr):
2335         (JSC::GPRResult2::GPRResult2):
2336         * dfg/DFGJITCodeGenerator32_64.cpp: Added.
2337         (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
2338         (JSC::DFG::JITCodeGenerator::fillInteger):
2339         (JSC::DFG::JITCodeGenerator::fillDouble):
2340         (JSC::DFG::JITCodeGenerator::fillJSValue):
2341         (JSC::DFG::JITCodeGenerator::fillStorage):
2342         (JSC::DFG::JITCodeGenerator::useChildren):
2343         (JSC::DFG::JITCodeGenerator::isStrictInt32):
2344         (JSC::DFG::JITCodeGenerator::isKnownInteger):
2345         (JSC::DFG::JITCodeGenerator::isKnownNumeric):
2346         (JSC::DFG::JITCodeGenerator::isKnownCell):
2347         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
2348         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
2349         (JSC::DFG::JITCodeGenerator::isKnownBoolean):
2350         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
2351         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2352         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
2353         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
2354         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
2355         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
2356         (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
2357         (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
2358         (JSC::DFG::JITCodeGenerator::cachedGetById):
2359         (JSC::DFG::JITCodeGenerator::writeBarrier):
2360         (JSC::DFG::JITCodeGenerator::cachedPutById):
2361         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
2362         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
2363         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2364         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
2365         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2366         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2367         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2368         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2369         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2370         (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
2371         (JSC::DFG::JITCodeGenerator::emitBranch):
2372         (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
2373         (JSC::DFG::JITCodeGenerator::emitCall):
2374         (JSC::DFG::JITCodeGenerator::speculationCheck):
2375         (JSC::DFG::dataFormatString):
2376         (JSC::DFG::JITCodeGenerator::dump):
2377         (JSC::DFG::JITCodeGenerator::checkConsistency):
2378         (JSC::DFG::GPRTemporary::GPRTemporary):
2379         (JSC::DFG::FPRTemporary::FPRTemporary):
2380         * dfg/DFGJITCompiler.cpp:
2381         * dfg/DFGJITCompiler.h:
2382         (JSC::DFG::JITCompiler::tagForGlobalVar):
2383         (JSC::DFG::JITCompiler::payloadForGlobalVar):
2384         (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
2385         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2386         (JSC::DFG::JITCompiler::boxDouble):
2387         (JSC::DFG::JITCompiler::unboxDouble):
2388         (JSC::DFG::JITCompiler::addPropertyAccess):
2389         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
2390         * dfg/DFGJITCompiler32_64.cpp: Added.
2391         (JSC::DFG::JITCompiler::fillNumericToDouble):
2392         (JSC::DFG::JITCompiler::fillInt32ToInteger):
2393         (JSC::DFG::JITCompiler::fillToJS):
2394         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2395         (JSC::DFG::JITCompiler::linkOSRExits):
2396         (JSC::DFG::JITCompiler::compileEntry):
2397         (JSC::DFG::JITCompiler::compileBody):
2398         (JSC::DFG::JITCompiler::link):
2399         (JSC::DFG::JITCompiler::compile):
2400         (JSC::DFG::JITCompiler::compileFunction):
2401         (JSC::DFG::JITCompiler::jitAssertIsInt32):
2402         (JSC::DFG::JITCompiler::jitAssertIsJSInt32):
2403         (JSC::DFG::JITCompiler::jitAssertIsJSNumber):
2404         (JSC::DFG::JITCompiler::jitAssertIsJSDouble):
2405         (JSC::DFG::JITCompiler::jitAssertIsCell):
2406         (JSC::DFG::JITCompiler::emitCount):
2407         (JSC::DFG::JITCompiler::setSamplingFlag):
2408         (JSC::DFG::JITCompiler::clearSamplingFlag):
2409         * dfg/DFGJITCompilerInlineMethods.h: Added.
2410         (JSC::DFG::JITCompiler::emitLoadTag):
2411         (JSC::DFG::JITCompiler::emitLoadPayload):
2412         (JSC::DFG::JITCompiler::emitLoad):
2413         (JSC::DFG::JITCompiler::emitLoad2):
2414         (JSC::DFG::JITCompiler::emitLoadDouble):
2415         (JSC::DFG::JITCompiler::emitLoadInt32ToDouble):
2416         (JSC::DFG::JITCompiler::emitStore):
2417         (JSC::DFG::JITCompiler::emitStoreInt32):
2418         (JSC::DFG::JITCompiler::emitStoreCell):
2419         (JSC::DFG::JITCompiler::emitStoreBool):
2420         (JSC::DFG::JITCompiler::emitStoreDouble):
2421         * dfg/DFGNode.h:
2422         * dfg/DFGOperations.cpp:
2423         * dfg/DFGRepatch.cpp:
2424         (JSC::DFG::generateProtoChainAccessStub):
2425         (JSC::DFG::tryCacheGetByID):
2426         (JSC::DFG::tryBuildGetByIDList):
2427         (JSC::DFG::tryCachePutByID):
2428         * dfg/DFGSpeculativeJIT.cpp:
2429         * dfg/DFGSpeculativeJIT.h:
2430         (JSC::DFG::ValueRecovery::inGPR):
2431         (JSC::DFG::ValueRecovery::inPair):
2432         (JSC::DFG::ValueRecovery::tagGPR):
2433         (JSC::DFG::ValueRecovery::payloadGPR):
2434         * dfg/DFGSpeculativeJIT32_64.cpp: Added.
2435         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2436         (JSC::DFG::ValueSource::dump):
2437         (JSC::DFG::ValueRecovery::dump):
2438         (JSC::DFG::OSRExit::OSRExit):
2439         (JSC::DFG::OSRExit::dump):
2440         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
2441         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2442         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2443         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2444         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2445         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
2446         (JSC::DFG::SpeculativeJIT::convertToDouble):
2447         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
2448         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2449         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2450         (JSC::DFG::SpeculativeJIT::compare):
2451         (JSC::DFG::SpeculativeJIT::compile):
2452         (JSC::DFG::SpeculativeJIT::compileMovHint):
2453         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2454         (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
2455         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2456         * runtime/JSValue.h:
2457
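The entry above describes splitting a 64-bit JS value into a tag and a payload so that a 32-bit target can hold it in a register pair. The following is an added example, not code from the WebKit patch: it models that encoding in plain C++ with its own tag constants (the specific values, the field names and the helper functions are this example's assumptions, not JSC's JSValue API), and shows why "is this a double?" can be a single compare when NaN is canonicalized.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>

// Illustrative 32/64 value encoding (example code modelling the JSVALUE32_64
// idea; the tag constants are this example's own choices, not JSC's). A value
// is a 64-bit word split into a 32-bit tag and a 32-bit payload, so a 32-bit
// target can carry it in a register pair (one GPR for the tag, one for the
// payload). Doubles use the whole 64 bits. Every non-double tag is taken from
// the very top of the 32-bit range, a region that only a NaN with the sign bit
// set and a specific mantissa pattern could produce as its high word;
// encodeDouble canonicalizes NaN, so no double ever carries such a high word
// and the double test below is one unsigned compare.
struct Value32_64 {
    uint32_t tag;
    uint32_t payload;

    static constexpr uint32_t Int32Tag     = 0xffffffffu;
    static constexpr uint32_t BooleanTag   = 0xfffffffeu;
    static constexpr uint32_t NullTag      = 0xfffffffdu;
    static constexpr uint32_t UndefinedTag = 0xfffffffcu;
    static constexpr uint32_t CellTag      = 0xfffffffbu;
    static constexpr uint32_t LowestTag    = CellTag;  // anything below is a double's high word

    static Value32_64 encodeInt32(int32_t i) { return Value32_64{Int32Tag, static_cast<uint32_t>(i)}; }
    static Value32_64 encodeBoolean(bool b) { return Value32_64{BooleanTag, b ? 1u : 0u}; }
    static Value32_64 encodeCell(uint32_t cellAddress) { return Value32_64{CellTag, cellAddress}; }
    static Value32_64 encodeDouble(double d) {
        if (std::isnan(d))
            d = std::numeric_limits<double>::quiet_NaN(); // canonical NaN: high word 0x7ff80000
        uint64_t bits;
        std::memcpy(&bits, &d, sizeof bits);
        return Value32_64{static_cast<uint32_t>(bits >> 32), static_cast<uint32_t>(bits)};
    }

    bool isInt32() const { return tag == Int32Tag; }
    bool isBoolean() const { return tag == BooleanTag; }
    bool isCell() const { return tag == CellTag; }
    bool isDouble() const { return tag < LowestTag; }
    bool isNumber() const { return isInt32() || isDouble(); }

    int32_t asInt32() const { return static_cast<int32_t>(payload); }
    double asDouble() const {
        uint64_t bits = (static_cast<uint64_t>(tag) << 32) | payload;
        double d;
        std::memcpy(&d, &bits, sizeof d);
        return d;
    }
    // Numeric view used by arithmetic: an int32 is widened, a double is taken as is.
    double toNumber() const { return isInt32() ? static_cast<double>(asInt32()) : asDouble(); }
};

// A NaN produced by arithmetic must still be recognised as a double after a
// round trip through the tag/payload form, and must never look like an int32.
bool nanRoundTripsAsDouble() {
    Value32_64 v = Value32_64::encodeDouble(std::numeric_limits<double>::quiet_NaN());
    return v.isDouble() && std::isnan(v.asDouble()) && !v.isInt32();
}
```

The design point is the ordering of the tag space: because every non-double tag sits above `LowestTag`, the JIT needs only one compare on the tag register to decide whether the payload register holds an unboxed integer or the low half of a double, which is the check the speculative paths on a 32-bit target are built around.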
2458 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
2459
2460         wtf/BitVector.h has a variety of bugs which manifest when the
2461         vector grows beyond 63 bits
2462         https://bugs.webkit.org/show_bug.cgi?id=68746
2463
2464         Reviewed by Oliver Hunt.
2465         
2466         Out-of-lined slow path code in BitVector so that not every user
2467         of CodeBlock ends up having to compile it. Fixed a variety of
2468         index computation and size computation bugs.
2469         
2470         I have not seen these issues manifest themselves, but they are
2471         blocking a patch that uses BitVector more aggressively.
2472
2473         * GNUmakefile.list.am:
2474         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
2475         * JavaScriptCore.xcodeproj/project.pbxproj:
2476         * wtf/BitVector.cpp: Added.
2477         (BitVector::BitVector):
2478         (BitVector::operator=):
2479         (BitVector::resize):
2480         (BitVector::clearAll):
2481         (BitVector::OutOfLineBits::create):
2482         (BitVector::OutOfLineBits::destroy):
2483         (BitVector::resizeOutOfLine):
2484         * wtf/BitVector.h:
2485         (WTF::BitVector::ensureSize):
2486         (WTF::BitVector::get):
2487         (WTF::BitVector::set):
2488         (WTF::BitVector::clear):
2489         (WTF::BitVector::byteCount):
2490         (WTF::BitVector::OutOfLineBits::numWords):
2491         (WTF::BitVector::OutOfLineBits::bits):
2492         (WTF::BitVector::outOfLineBits):
2493         * wtf/CMakeLists.txt:
2494         * wtf/wtf.pri:
2495
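The entry above reports index and size computation bugs that only appear once a bit vector grows past 63 bits, the point at which an inline single-word representation has to move out of line. The following is an added example, not the WTF::BitVector code from the patch: a small growable bit vector of this example's own design (class and function names are assumptions) whose word-count, word-index and bit-mask arithmetic is kept in named helpers so the boundary case can be checked directly.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Illustrative growable bit vector (example code, not WTF::BitVector). Small
// vectors live in a single 64-bit word whose top bit is reserved as the
// "inline" marker, so the inline form holds at most 63 usable bits; anything
// larger moves to an out-of-line word array. The bit-to-word arithmetic is the
// part that goes wrong when a vector first crosses that boundary, so it is kept
// in small named helpers that can be checked in isolation.
class GrowableBitVector {
public:
    static constexpr size_t bitsPerWord = 64;
    static constexpr size_t maxInlineBits = bitsPerWord - 1; // top bit is the inline flag

    GrowableBitVector() : m_inlineBits(0), m_numBits(0) {}

    size_t size() const { return m_numBits; }

    // Words needed for numBits bits: round up, never truncate.
    static size_t wordCount(size_t numBits) { return (numBits + bitsPerWord - 1) / bitsPerWord; }
    // Bytes of out-of-line storage for numBits bits.
    static size_t byteCount(size_t numBits) { return wordCount(numBits) * sizeof(uint64_t); }
    static size_t wordIndex(size_t bit) { return bit / bitsPerWord; }
    static uint64_t bitMask(size_t bit) { return uint64_t(1) << (bit % bitsPerWord); }

    void resize(size_t numBits) {
        if (numBits <= maxInlineBits && m_outOfLine.empty()) {
            // Still inline: drop any bits beyond the new size.
            m_inlineBits &= (uint64_t(1) << numBits) - 1;
            m_numBits = numBits;
            return;
        }
        // Going (or staying) out of line: preserve existing bits word for word,
        // then clear the unused tail of the last word.
        std::vector<uint64_t> words(wordCount(numBits), 0);
        if (!words.empty()) {
            if (m_outOfLine.empty())
                words[0] = m_inlineBits; // inline payload is bits 0..62 of word 0
            else
                std::memcpy(words.data(), m_outOfLine.data(),
                            std::min(words.size(), m_outOfLine.size()) * sizeof(uint64_t));
            size_t tail = numBits % bitsPerWord;
            if (tail)
                words.back() &= (uint64_t(1) << tail) - 1;
        }
        m_outOfLine.swap(words);
        m_inlineBits = 0;
        m_numBits = numBits;
    }
    void ensureSize(size_t numBits) { if (numBits > m_numBits) resize(numBits); }

    bool get(size_t bit) const { return bit < m_numBits && (word(bit) & bitMask(bit)) != 0; }
    void set(size_t bit) { ensureSize(bit + 1); word(bit) |= bitMask(bit); }
    void clear(size_t bit) { if (bit < m_numBits) word(bit) &= ~bitMask(bit); }

private:
    uint64_t& word(size_t bit) { return m_outOfLine.empty() ? m_inlineBits : m_outOfLine[wordIndex(bit)]; }
    uint64_t word(size_t bit) const { return m_outOfLine.empty() ? m_inlineBits : m_outOfLine[wordIndex(bit)]; }

    uint64_t m_inlineBits;             // used while m_outOfLine is empty
    std::vector<uint64_t> m_outOfLine; // used once size() > maxInlineBits
    size_t m_numBits;
};

// Set one bit on each side of the 63-bit boundary and verify that nothing
// else changes, including after the vector has grown twice more.
bool crossesBoundaryCorrectly() {
    GrowableBitVector v;
    v.set(62);   // last inline bit
    v.set(63);   // first bit that forces out-of-line storage
    v.set(64);
    v.set(127);
    v.set(130);
    if (v.size() != 131 || GrowableBitVector::wordCount(v.size()) != 3)
        return false;
    for (size_t i = 0; i < v.size(); ++i) {
        bool expected = (i == 62 || i == 63 || i == 64 || i == 127 || i == 130);
        if (v.get(i) != expected)
            return false;
    }
    v.clear(63);
    return !v.get(63) && v.get(62) && v.get(64);
}
```

The two arithmetic mistakes that such a structure invites are rounding the word count down instead of up (so bit 64 lands in a word that was never allocated) and forgetting that the inline payload only has 63 usable bits when copying it into word 0; the check function exercises both, and the `wordCount` and `byteCount` helpers can be asserted on their own.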
2496 2011-09-23  Adam Klein  <adamk@chromium.org>
2497
2498         Add ENABLE_MUTATION_OBSERVERS feature flag
2499         https://bugs.webkit.org/show_bug.cgi?id=68732
2500
2501         Reviewed by Ojan Vafai.
2502
2503         This flag will guard an implementation of the "Mutation Observers" proposed in
2504         http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/1622.html
2505
2506         * Configurations/FeatureDefines.xcconfig:
2507
2508 2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>
2509
2510         De-virtualize JSCell::getJSNumber
2511         https://bugs.webkit.org/show_bug.cgi?id=68651
2512
2513         Reviewed by Oliver Hunt.
2514
2515         Added a new JSType to check whether or not something is a 
2516         NumberObject (which includes NumberPrototype) in TypeInfo::isNumberObject because there's not 
2517         currently a better way to determine whether something is indeed a NumberObject.
2518         Also de-virtualized JSCell::getJSNumber, having it check the TypeInfo 
2519         for whether the object is a NumberObject or not.  This patch is part of 
2520         the larger process of de-virtualizing JSCell.
2521
2522         * JavaScriptCore.exp:
2523         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2524         * runtime/JSCell.cpp:
2525         (JSC::JSCell::getJSNumber):
2526         * runtime/JSCell.h:
2527         (JSC::JSValue::getJSNumber):
2528         * runtime/JSType.h:
2529         * runtime/JSTypeInfo.h:
2530         (JSC::TypeInfo::isNumberObject):
2531         * runtime/JSValue.h:
2532         * runtime/NumberObject.cpp:
2533         (JSC::NumberObject::getJSNumber):
2534         * runtime/NumberObject.h:
2535         (JSC::NumberObject::createStructure):
2536         * runtime/NumberPrototype.h:
2537         (JSC::NumberPrototype::createStructure):
2538
2539 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
2540
2541         Resolve opcodes should have value profiling.
2542         https://bugs.webkit.org/show_bug.cgi?id=68723
2543
2544         Reviewed by Oliver Hunt.
2545         
2546         This adds value profiling to all forms of op_resolve in the
2547         old JIT, and patches that information into the DFG along with
2548         performing the appropriate type propagation.
2549
2550         * dfg/DFGByteCodeParser.cpp:
2551         (JSC::DFG::ByteCodeParser::parseBlock):
2552         * dfg/DFGGraph.h:
2553         (JSC::DFG::Graph::predict):
2554         * dfg/DFGNode.h:
2555         (JSC::DFG::Node::hasIdentifier):
2556         (JSC::DFG::Node::resolveGlobalDataIndex):
2557         (JSC::DFG::Node::hasPrediction):
2558         * dfg/DFGPropagator.cpp:
2559         (JSC::DFG::Propagator::propagateNodePredictions):
2560         * dfg/DFGSpeculativeJIT.cpp:
2561         (JSC::DFG::SpeculativeJIT::compile):
2562         * jit/JITOpcodes.cpp:
2563         (JSC::JIT::emit_op_resolve):
2564         (JSC::JIT::emit_op_resolve_base):
2565         (JSC::JIT::emit_op_resolve_skip):
2566         (JSC::JIT::emit_op_resolve_global):
2567         (JSC::JIT::emitSlow_op_resolve_global):
2568         (JSC::JIT::emit_op_resolve_with_base):
2569         (JSC::JIT::emit_op_resolve_with_this):
2570         (JSC::JIT::emitSlow_op_resolve_global_dynamic):
2571         * jit/JITStubCall.h:
2572         (JSC::JITStubCall::callWithValueProfiling):
2573
2574 2011-09-23  Oliver Hunt  <oliver@apple.com>
2575
2576         Fix windows build.
2577
2578         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2579
2580 2011-09-23  Gavin Barraclough  <barraclough@apple.com>
2581
2582         Strict mode does not work in non-trivial nested functions.
2583         https://bugs.webkit.org/show_bug.cgi?id=68740
2584
2585         Reviewed by Oliver Hunt.
2586
2587         Function-info caching does not preserve all state that it should.
2588
2589         * parser/JSParser.cpp:
2590         (JSC::JSParser::Scope::saveFunctionInfo):
2591         (JSC::JSParser::Scope::restoreFunctionInfo):
2592         (JSC::JSParser::parseFunctionInfo):
2593         * parser/SourceProviderCacheItem.h:
2594
2595 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
2596
2597         ValueToDouble handling in prediction propagation should be ASSERT_NOT_REACHED
2598         https://bugs.webkit.org/show_bug.cgi?id=68724
2599
2600         Reviewed by Oliver Hunt.
2601
2602         * dfg/DFGPropagator.cpp:
2603         (JSC::DFG::Propagator::propagateNodePredictions):
2604
2605 2011-09-23  Oliver Hunt  <oliver@apple.com>
2606
2607         Build fix.
2608
2609         * JavaScriptCore.xcodeproj/project.pbxproj:
2610
2611 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
2612
2613         DFG implementation of PutScopedVar corrupts register allocation
2614         https://bugs.webkit.org/show_bug.cgi?id=68735
2615
2616         Reviewed by Oliver Hunt.
2617
2618         * dfg/DFGSpeculativeJIT.cpp:
2619         (JSC::DFG::SpeculativeJIT::compile):
2620
2621 2011-09-23  Oliver Hunt  <oliver@apple.com>
2622
2623         Make write barriers actually do something when enabled
2624         https://bugs.webkit.org/show_bug.cgi?id=68717
2625
2626         Reviewed by Geoffrey Garen.
2627
2628         Add a basic card marking style write barrier to JSC (currently
2629         turned off).  This requires two scratch registers in the JIT
2630         so there was some register re-arranging to satisfy that requirement.
2631         Happily this produced a minor perf bump in sunspider (~0.5%).
2632
2633         Turning the barriers on causes an overall regression of around 1.5%
2634
2635         * JavaScriptCore.exp:
2636         * JavaScriptCore.xcodeproj/project.pbxproj:
2637         * assembler/MacroAssemblerX86Common.h:
2638         (JSC::MacroAssemblerX86Common::store8):
2639         * assembler/X86Assembler.h:
2640         (JSC::X86Assembler::movb_i8m):
2641         * dfg/DFGJITCodeGenerator.cpp:
2642         (JSC::DFG::JITCodeGenerator::isKnownNotCell):
2643         (JSC::DFG::JITCodeGenerator::writeBarrier):
2644         (JSC::DFG::JITCodeGenerator::markCellCard):
2645         (JSC::DFG::JITCodeGenerator::cachedPutById):
2646         * dfg/DFGJITCodeGenerator.h:
2647         * dfg/DFGRepatch.cpp:
2648         (JSC::DFG::tryCachePutByID):
2649         * dfg/DFGSpeculativeJIT.cpp:
2650         (JSC::DFG::SpeculativeJIT::compile):
2651         * heap/CardSet.h: Added.
2652         (JSC::CardSet::CardSet):
2653         (JSC::::cardForAtom):
2654         (JSC::::cardMarkedForAtom):
2655         (JSC::::markCardForAtom):
2656         * heap/Heap.cpp:
2657         * heap/Heap.h:
2658         (JSC::Heap::addressOfCardFor):
2659         (JSC::Heap::writeBarrierFastCase):
2660         * heap/MarkedBlock.h:
2661         (JSC::MarkedBlock::setDirtyObject):
2662         (JSC::MarkedBlock::addressOfCardFor):
2663         (JSC::MarkedBlock::offsetOfCards):
2664         * jit/JIT.h:
2665         * jit/JITPropertyAccess.cpp:
2666         (JSC::JIT::emit_op_put_by_val):
2667         (JSC::JIT::emit_op_put_by_id):
2668         (JSC::JIT::privateCompilePutByIdTransition):
2669         (JSC::JIT::emit_op_put_scoped_var):
2670         (JSC::JIT::emit_op_put_global_var):
2671         (JSC::JIT::emitWriteBarrier):
2672         * jit/JITPropertyAccess32_64.cpp:
2673         (JSC::JIT::emit_op_put_by_val):
2674         (JSC::JIT::emit_op_put_by_id):
2675         (JSC::JIT::emitSlow_op_put_by_id):
2676         (JSC::JIT::privateCompilePutByIdTransition):
2677         (JSC::JIT::emit_op_put_scoped_var):
2678         (JSC::JIT::emit_op_put_global_var):
2679
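The entry above adds a card-marking write barrier: the heap is divided into cards, and a store of a cell pointer into an object marks the card holding that object so the collector can rescan only dirty cards. The following is an added example, not the CardSet or MarkedBlock code from the patch: a self-contained model of the scheme (class, function and field names are this example's assumptions) with a constructed sequence of stores run through the barrier.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Illustrative card-marking write barrier (example code, not JSC's CardSet or
// MarkedBlock). A block is divided into fixed-size atoms and every
// `atomsPerCard` consecutive atoms share one card byte. When a cell pointer is
// stored into an object, the card holding that object is marked, so the
// collector only has to rescan the marked cards of a block instead of every
// object in it when it looks for pointers written since the last collection.
template<size_t atomsPerCard, size_t atomCount>
class CardSet {
public:
    static constexpr size_t cardCount = (atomCount + atomsPerCard - 1) / atomsPerCard;

    CardSet() : m_cards(cardCount, 0) {}

    static size_t cardForAtom(size_t atom) { return atom / atomsPerCard; }
    bool cardMarkedForAtom(size_t atom) const { return m_cards[cardForAtom(atom)] != 0; }
    void markCardForAtom(size_t atom) { m_cards[cardForAtom(atom)] = 1; }
    bool isCardMarked(size_t card) const { return m_cards[card] != 0; }

    size_t markedCardCount() const {
        return static_cast<size_t>(std::count_if(m_cards.begin(), m_cards.end(),
                                                 [](uint8_t c) { return c != 0; }));
    }
    void clearAll() { std::fill(m_cards.begin(), m_cards.end(), 0); }

private:
    std::vector<uint8_t> m_cards; // one byte per card, small enough for a single byte store
};

// A stored value is either a cell (a pointer into the heap, identified here by
// the atom it starts at) or a non-cell such as an int or a boolean.
struct Value {
    bool isCell;
    size_t atom; // meaningful only when isCell
};

// The barrier itself. The fast case is the non-cell check: storing an int or a
// boolean cannot create a heap pointer, so no card is touched and the slow
// path (the card store) is skipped.
template<typename Cards>
void writeBarrier(Cards& cards, size_t ownerAtom, Value newValue) {
    if (!newValue.isCell)
        return;
    cards.markCardForAtom(ownerAtom);
}

typedef CardSet<8, 64> SampleCards; // 64 atoms, 8 per card: 8 cards

// Run a constructed sequence of stores through the barrier and return the
// card state the collector would see.
SampleCards cardsAfterSampleStores() {
    SampleCards cards;
    writeBarrier(cards, 3, Value{true, 40});  // cell store into atom 3: marks card 0
    writeBarrier(cards, 5, Value{true, 41});  // atom 5 shares card 0: nothing new
    writeBarrier(cards, 20, Value{false, 0}); // int store into atom 20: no card marked
    writeBarrier(cards, 63, Value{true, 2});  // last atom: marks card 7
    return cards;
}
```

The trade-off the entry's numbers reflect is visible here: every cell store costs a division (in practice a shift) and a byte store, which is the overall regression when the barrier is on, while the collector's saving is that only `markedCardCount()` cards out of `cardCount` need rescanning.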
2680 2011-09-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>
2681
2682         https://bugs.webkit.org/show_bug.cgi?id=68077
2683         SH4 assemblers don't refer to the executable memory handle.
2684
2685         Reviewed by Gavin Barraclough.
2686
2687         * assembler/MacroAssemblerSH4.h:
2688         (JSC::MacroAssemblerSH4::branch8):
2689         * assembler/SH4Assembler.h:
2690         (JSC::SH4Assembler::executableCopy):
2691
2692 2011-09-23  Oliver Hunt  <oliver@apple.com>
2693
2694         PutScopedVar nodes should report that they have a var number
2695         https://bugs.webkit.org/show_bug.cgi?id=68721
2696
2697         Reviewed by Anders Carlsson.
2698
2699         Another assertion fix.
2700
2701         * dfg/DFGNode.h:
2702         (JSC::DFG::Node::hasVarNumber):
2703
2704 2011-09-23  Oliver Hunt  <oliver@apple.com>
2705
2706         Add a bunch of unhandled node types to the propagator
2707         https://bugs.webkit.org/show_bug.cgi?id=68716
2708
2709         Reviewed by Darin Adler.
2710
2711         Remove the ASSERT_NOT_REACHED() default for debug builds in the
2712         prediction propagator; this way unhandled nodes will just cause
2713         compile time failures rather than failing at some point in the
2714         future.
2715
2716         * dfg/DFGPropagator.cpp:
2717         (JSC::DFG::Propagator::propagateNodePredictions):
2718
2719 2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>
2720
2721         Add static version of JSCell::visitChildren
2722         https://bugs.webkit.org/show_bug.cgi?id=68404
2723
2724         Reviewed by Darin Adler.
2725
2726         In this patch we just extract the bodies of the virtual visitChildren methods
2727         throughout the JSCell inheritance hierarchy out into static methods, which are 
2728         now called from the virtual methods.  This is an intermediate step in trying to 
2729         move the virtual-ness of visitChildren into our own custom vtable stored in 
2730         ClassInfo.  We need to convert the methods to static methods in order to be 
2731         able to more easily store and refer to them in our custom vtable since normal 
2732         member methods store some implicit information in their types, making it 
2733         impossible to store them generically in ClassInfo.
2734
2735         * API/JSCallbackObject.h:
2736         (JSC::JSCallbackObject::visitChildrenVirtual):
2737         (JSC::JSCallbackObject::visitChildren):
2738         * JavaScriptCore.exp:
2739         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2740         * debugger/DebuggerActivation.cpp:
2741         (JSC::DebuggerActivation::visitChildrenVirtual):
2742         (JSC::DebuggerActivation::visitChildren):
2743         * debugger/DebuggerActivation.h:
2744         * heap/MarkStack.cpp:
2745         (JSC::SlotVisitor::visitChildren):
2746         (JSC::SlotVisitor::drain):
2747         * runtime/Arguments.cpp:
2748         (JSC::Arguments::visitChildrenVirtual):
2749         (JSC::Arguments::visitChildren):
2750         * runtime/Arguments.h:
2751         * runtime/Executable.cpp:
2752         (JSC::EvalExecutable::visitChildrenVirtual):
2753         (JSC::EvalExecutable::visitChildren):
2754         (JSC::ProgramExecutable::visitChildrenVirtual):
2755         (JSC::ProgramExecutable::visitChildren):
2756         (JSC::FunctionExecutable::visitChildrenVirtual):
2757         (JSC::FunctionExecutable::visitChildren):
2758         * runtime/Executable.h:
2759         * runtime/GetterSetter.cpp:
2760         (JSC::GetterSetter::visitChildrenVirtual):
2761         (JSC::GetterSetter::visitChildren):
2762         * runtime/GetterSetter.h:
2763         * runtime/JSActivation.cpp:
2764         (JSC::JSActivation::visitChildrenVirtual):
2765         (JSC::JSActivation::visitChildren):
2766         * runtime/JSActivation.h:
2767         * runtime/JSArray.cpp:
2768         (JSC::JSArray::visitChildrenVirtual):
2769         (JSC::JSArray::visitChildren):
2770         * runtime/JSArray.h:
2771         * runtime/JSBoundFunction.cpp:
2772         (JSC::JSBoundFunction::visitChildrenVirtual):
2773         (JSC::JSBoundFunction::visitChildren):
2774         * runtime/JSBoundFunction.h:
2775         * runtime/JSCell.h:
2776         (JSC::JSCell::visitChildrenVirtual):
2777         (JSC::JSCell::visitChildren):
2778         * runtime/JSFunction.cpp:
2779         (JSC::JSFunction::visitChildrenVirtual):
2780         (JSC::JSFunction::visitChildren):
2781         * runtime/JSFunction.h:
2782         * runtime/JSGlobalObject.cpp:
2783         (JSC::JSGlobalObject::visitChildrenVirtual):
2784         (JSC::JSGlobalObject::visitChildren):
2785         * runtime/JSGlobalObject.h:
2786         * runtime/JSObject.cpp:
2787         (JSC::JSObject::visitChildrenVirtual):
2788         (JSC::JSObject::visitChildren):
2789         * runtime/JSObject.h:
2790         (JSC::JSObject::visitChildrenDirect):
2791         * runtime/JSPropertyNameIterator.cpp:
2792         (JSC::JSPropertyNameIterator::visitChildrenVirtual):
2793         (JSC::JSPropertyNameIterator::visitChildren):
2794         * runtime/JSPropertyNameIterator.h:
2795         * runtime/JSStaticScopeObject.cpp:
2796         (JSC::JSStaticScopeObject::visitChildrenVirtual):
2797         (JSC::JSStaticScopeObject::visitChildren):
2798         * runtime/JSStaticScopeObject.h:
2799         * runtime/JSWrapperObject.cpp:
2800         (JSC::JSWrapperObject::visitChildrenVirtual):
2801         (JSC::JSWrapperObject::visitChildren):
2802         * runtime/JSWrapperObject.h:
2803         * runtime/NativeErrorConstructor.cpp:
2804         (JSC::NativeErrorConstructor::visitChildrenVirtual):
2805         (JSC::NativeErrorConstructor::visitChildren):
2806         * runtime/NativeErrorConstructor.h:
2807         * runtime/RegExpObject.cpp:
2808         (JSC::RegExpObject::visitChildrenVirtual):
2809         (JSC::RegExpObject::visitChildren):
2810         * runtime/RegExpObject.h:
2811         * runtime/ScopeChain.cpp:
2812         (JSC::ScopeChainNode::visitChildrenVirtual):
2813         (JSC::ScopeChainNode::visitChildren):
2814         * runtime/ScopeChain.h:
2815         * runtime/Structure.cpp:
2816         (JSC::Structure::visitChildrenVirtual):
2817         (JSC::Structure::visitChildren):
2818         * runtime/Structure.h:
2819         * runtime/StructureChain.cpp:
2820         (JSC::StructureChain::visitChildrenVirtual):
2821         (JSC::StructureChain::visitChildren):
2822         * runtime/StructureChain.h:
2823
2824 2011-09-23  Oliver Hunt  <oliver@apple.com>
2825
2826         Node propagation doesn't handle PutScopedVar
2827         https://bugs.webkit.org/show_bug.cgi?id=68713
2828
2829         Reviewed by Sam Weinig.
2830
2831         This was causing assertion failures.
2832
2833         * dfg/DFGPropagator.cpp:
2834         (JSC::DFG::Propagator::propagateNodePredictions):
2835
2836 2011-09-23  Anders Carlsson  <andersca@apple.com>
2837
2838         Make sure to define OVERRIDE and FINAL for older builds of clang.
2839
2840         * wtf/Compiler.h:
2841
2842 2011-09-23  Gavin Barraclough  <barraclough@apple.com>
2843
2844         Implement op_resolve_global in the DFG JIT
2845         https://bugs.webkit.org/show_bug.cgi?id=68704
2846
2847         Reviewed by Oliver Hunt.
2848
2849         This is performance neutral, but increases coverage.
2850
2851         * dfg/DFGByteCodeParser.cpp:
2852         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2853         (JSC::DFG::ByteCodeParser::parseBlock):
2854         * dfg/DFGNode.h:
2855         (JSC::DFG::Node::hasIdentifier):
2856         (JSC::DFG::Node::resolveInfoIndex):
2857         * dfg/DFGOperations.cpp:
2858         * dfg/DFGOperations.h:
2859         * dfg/DFGSpeculativeJIT.cpp:
2860         (JSC::DFG::SpeculativeJIT::compile):
2861
2862 2011-09-23  Mark Rowe  <mrowe@apple.com>
2863
2864         Define BUILDING_ON_LION / TARGETING_LION when appropriate in Platform.h.
2865
2866         * wtf/Platform.h:
2867
2868 2011-09-22  Anders Carlsson  <andersca@apple.com>
2869
2870         We should add support for OVERRIDE and FINAL annotations
2871         https://bugs.webkit.org/show_bug.cgi?id=68654
2872
2873         Reviewed by David Hyatt.
2874
2875         Add OVERRIDE and FINAL macros for compilers that support them.
2876
2877         * wtf/Compiler.h:
2878
2879 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
2880
2881         GetScopedVar should have value profiling
2882         https://bugs.webkit.org/show_bug.cgi?id=68676
2883
2884         Reviewed by Oliver Hunt.
2885         
2886         Added GetScopedVar value profiling and prediction propagation.
2887         Added GetScopeChain to CSE.
2888
2889         * dfg/DFGByteCodeParser.cpp:
2890         (JSC::DFG::ByteCodeParser::parseBlock):
2891         * dfg/DFGGraph.h:
2892         (JSC::DFG::Graph::predict):
2893         * dfg/DFGNode.h:
2894         (JSC::DFG::Node::hasPrediction):
2895         * dfg/DFGPropagator.cpp:
2896         (JSC::DFG::Propagator::propagateNodePredictions):
2897         (JSC::DFG::Propagator::getScopeChainLoadElimination):
2898         (JSC::DFG::Propagator::performNodeCSE):
2899         * jit/JITPropertyAccess.cpp:
2900         (JSC::JIT::emit_op_get_scoped_var):
2901
2902 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
2903
2904         PPC build fix, part 3.
2905
2906         * runtime/Executable.cpp:
2907         (JSC::FunctionExecutable::compileForConstructInternal):
2908
2909 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
2910
2911         Another PPC build fix.
2912
2913         * runtime/Executable.cpp:
2914         * runtime/Executable.h:
2915
2916 2011-09-22  Dean Jackson  <dino@apple.com>
2917
2918         Add ENABLE_CSS_FILTERS
2919         https://bugs.webkit.org/show_bug.cgi?id=68652
2920
2921         Reviewed by Simon Fraser.
2922
2923         * Configurations/FeatureDefines.xcconfig:
2924
2925 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
2926
2927         Incorrect this value passed to callbacks.
2928         https://bugs.webkit.org/show_bug.cgi?id=68668
2929
2930         Reviewed by Oliver Hunt.
2931
2932         From Array/String prototype function.  Should be undefined, but
2933         global object is passed instead (this is visible for strict callbacks).
2934
2935         * runtime/ArrayPrototype.cpp:
2936         (JSC::arrayProtoFuncSort):
2937         (JSC::arrayProtoFuncFilter):
2938         (JSC::arrayProtoFuncMap):
2939         (JSC::arrayProtoFuncEvery):
2940         (JSC::arrayProtoFuncForEach):
2941         (JSC::arrayProtoFuncSome):
2942         * runtime/JSArray.cpp:
2943         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
2944         (JSC::JSArray::sort):
2945         * runtime/StringPrototype.cpp:
2946         (JSC::stringProtoFuncReplace):
2947
2948 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
2949
2950         Function.prototype.bind.length should be 1.
2951
2952         Rubber stamped by Oliver Hunt.
2953
2954         * runtime/FunctionPrototype.cpp:
2955         (JSC::FunctionPrototype::addFunctionProperties):
2956
2957 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
2958
2959         PPC build fix.
2960
2961         * bytecode/CodeBlock.h:
2962
2963 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
2964
2965         Windows build fix pt. 2
2966
2967         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2968
2969 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
2970
2971         Windows build fix pt. 1
2972
2973         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2974
2975 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
2976
2977         DFG JIT does not support to_primitive or strcat
2978         https://bugs.webkit.org/show_bug.cgi?id=68582
2979
2980         Reviewed by Darin Adler.
2981         
2982         This adds functional support for to_primitive and strcat. It focuses
2983         on minimizing the amount of code emitted on to_primitive (if we know
2984         that it is a primitive or can speculate cheaply, then we omit the
2985         slow path) and on keeping the implementation of strcat simple while
2986         leveraging whatever optimizations we have already. In particular,
2987         unlike the Call and Construct nodes which require extending the size
2988         of the DFG's callee registers, StrCat takes advantage of the fact
2989         that no JS code can run while StrCat is in progress and uses a
2990         scratch buffer, rather than the register file, to store the list of
2991         values to concatenate. This was done mainly to keep the code simple,
2992         but there are probably other benefits to keeping call frame sizes
2993         down. Essentially, this patch ensures that the presence of an
2994         op_strcat does not mess up any other optimizations we might do while
2995         ensuring that if you do execute it, it'll work about as well as you'd
2996         expect.
2997         
2998         When combined with the previous patch for integer division, this is a
2999         14% speed-up on Kraken. Without it, it would have been a 2% loss.
3000
3001         * assembler/AbstractMacroAssembler.h:
3002         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
3003         * dfg/DFGByteCodeParser.cpp:
3004         (JSC::DFG::ByteCodeParser::parseBlock):
3005         * dfg/DFGCapabilities.h:
3006         (JSC::DFG::canCompileOpcode):
3007         * dfg/DFGJITCodeGenerator.h:
3008         (JSC::DFG::JITCodeGenerator::callOperation):
3009         * dfg/DFGJITCompiler.cpp:
3010         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
3011         * dfg/DFGNode.h:
3012         * dfg/DFGOperations.cpp:
3013         * dfg/DFGOperations.h:
3014         * dfg/DFGPropagator.cpp:
3015         (JSC::DFG::Propagator::propagateNodePredictions):
3016         (JSC::DFG::Propagator::performNodeCSE):
3017         * dfg/DFGSpeculativeJIT.cpp:
3018         (JSC::DFG::SpeculativeJIT::compile):
3019         * runtime/JSGlobalData.cpp:
3020         (JSC::JSGlobalData::JSGlobalData):
3021         (JSC::JSGlobalData::~JSGlobalData):
3022         * runtime/JSGlobalData.h:
3023         (JSC::JSGlobalData::scratchBufferForSize):
3024
3025 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
3026
3027         DFG JIT should support integer division
3028         https://bugs.webkit.org/show_bug.cgi?id=68597
3029
3030         Reviewed by Darin Adler.
3031         
3032         This adds support for ArithDiv speculating integer, and speculating
3033         that the result is integer (i.e. remainder = 0).
3034         
3035         This is a 4% win on Kraken and a 1% loss on V8.
3036
3037         * bytecode/CodeBlock.h:
3038         * dfg/DFGByteCodeParser.cpp:
3039         (JSC::DFG::ByteCodeParser::makeDivSafe):
3040         (JSC::DFG::ByteCodeParser::parseBlock):
3041         * dfg/DFGNode.h:
3042         (JSC::DFG::Node::hasArithNodeFlags):
3043         * dfg/DFGPropagator.cpp:
3044         (JSC::DFG::Propagator::propagateArithNodeFlags):
3045         (JSC::DFG::Propagator::propagateNodePredictions):
3046         (JSC::DFG::Propagator::fixupNode):
3047         * dfg/DFGSpeculativeJIT.cpp:
3048         (JSC::DFG::SpeculativeJIT::compile):
3049         * jit/JITArithmetic.cpp:
3050         (JSC::JIT::emit_op_div):
3051
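The guard the int32 ArithDiv speculation above has to pass, as an added example that is not DFG code (names are my own): it decides whether a JS division result is exactly an int32, and anything else exits to the double path.

```javascript
// Added example, not WebKit code. Models the question the speculative
// integer-division path must answer before keeping a quotient as an int32.
function isInt32(v) {
  // (v | 0) round-trips only for values in [-2^31, 2^31 - 1]; -0 is excluded
  // because an int32 register cannot carry the sign of zero.
  return (v | 0) === v && !Object.is(v, -0);
}

function speculativeIntDiv(a, b) {
  // The speculation assumes both operands are already int32.
  if (!isInt32(a) || !isInt32(b)) return { ok: false, reason: "operand not int32" };
  // x / 0 is +-Infinity or NaN in JS, never an int32.
  if (b === 0) return { ok: false, reason: "division by zero" };
  // INT32_MIN / -1 is 2^31: the remainder is 0 but the quotient overflows.
  if (a === -2147483648 && b === -1) return { ok: false, reason: "int32 overflow" };
  // 0 / negative is -0 in JS, which no int32 can represent.
  if (a === 0 && b < 0) return { ok: false, reason: "negative zero result" };
  // The speculation the entry names: the remainder must be 0, otherwise the
  // true result is fractional and only the double path is correct.
  if (a % b !== 0) return { ok: false, reason: "remainder != 0" };
  // An exact quotient of two int32 values is itself exactly representable.
  return { ok: true, value: a / b };
}

// What compiled code does with the guard: take the int32 path when it holds,
// otherwise fall back to the double path.
function arithDiv(a, b) {
  const r = speculativeIntDiv(a, b);
  return r.ok ? { path: "int32", value: r.value } : { path: "double", value: a / b };
}
```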
3052 2011-09-22  Oliver Hunt  <oliver@apple.com>
3053
3054         Implement put_scoped_var in the DFG jit
3055         https://bugs.webkit.org/show_bug.cgi?id=68653
3056
3057         Reviewed by Gavin Barraclough.
3058
3059         Naive implementation of put_scoped_var.  Same story as the
3060         get_scoped_var implementation, although I've hoisted scope
3061         object acquisition into a separate dfg node.  Ideally in the
3062         future we would reuse the resolved scope chain object, but
3063         for now we don't.
3064
3065         * dfg/DFGByteCodeParser.cpp:
3066         (JSC::DFG::ByteCodeParser::parseBlock):
3067         * dfg/DFGCapabilities.h:
3068         (JSC::DFG::canCompileOpcode):
3069         * dfg/DFGNode.h:
3070         (JSC::DFG::Node::hasScopeChainDepth):
3071         (JSC::DFG::Node::scopeChainDepth):
3072         * dfg/DFGPropagator.cpp:
3073         (JSC::DFG::Propagator::propagateNodePredictions):
3074         * dfg/DFGSpeculativeJIT.cpp:
3075         (JSC::DFG::SpeculativeJIT::compile):
3076
3077 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
3078
3079         Implement Function.prototype.bind
3080         https://bugs.webkit.org/show_bug.cgi?id=26382
3081
3082         Reviewed by Sam Weinig.
3083
3084         This patch provides a basic functional implementation
3085         for Function.bind. It should (hopefully!) be fully
3086         functionally correct, and the bound functions can be
3087         called quickly (since they are a subclass of
3088         JSFunction, not InternalFunction), but we'll probably
3089         want to follow up with some optimization work to keep
3090         bound calls in JIT code.
3091
3092         * JavaScriptCore.JSVALUE32_64only.exp:
3093         * JavaScriptCore.JSVALUE64only.exp:
3094         * JavaScriptCore.exp:
3095         * JavaScriptCore.xcodeproj/project.pbxproj:
3096         * jit/JITStubs.cpp:
3097         (JSC::JITThunks::hostFunctionStub):
3098         * jit/JITStubs.h:
3099         * jsc.cpp:
3100         (GlobalObject::addFunction):
3101         * runtime/CommonIdentifiers.h:
3102         * runtime/ConstructData.h:
3103         * runtime/Executable.h:
3104         (JSC::NativeExecutable::NativeExecutable):
3105         * runtime/FunctionPrototype.cpp:
3106         (JSC::FunctionPrototype::addFunctionProperties):
3107         (JSC::functionProtoFuncBind):
3108         * runtime/FunctionPrototype.h:
3109         * runtime/JSBoundFunction.cpp: Added.
3110         (JSC::boundFunctionCall):
3111         (JSC::boundFunctionConstruct):
3112         (JSC::JSBoundFunction::create):
3113         (JSC::JSBoundFunction::hasInstance):
3114         (JSC::JSBoundFunction::getOwnPropertySlot):
3115         (JSC::JSBoundFunction::getOwnPropertyDescriptor):
3116         (JSC::JSBoundFunction::JSBoundFunction):
3117         (JSC::JSBoundFunction::finishCreation):
3118         * runtime/JSBoundFunction.h: Added.
3119         (JSC::JSBoundFunction::targetFunction):
3120         (JSC::JSBoundFunction::boundThis):
3121         (JSC::JSBoundFunction::boundArgs):
3122         (JSC::JSBoundFunction::createStructure):
3123         * runtime/JSFunction.cpp:
3124         (JSC::JSFunction::create):
3125         (JSC::JSFunction::finishCreation):
3126         (JSC::createDescriptorForThrowingProperty):
3127         (JSC::JSFunction::getOwnPropertySlot):
3128         * runtime/JSFunction.h:
3129         * runtime/JSGlobalData.cpp:
3130         (JSC::JSGlobalData::getHostFunction):
3131         * runtime/JSGlobalData.h:
3132         * runtime/JSGlobalObject.cpp:
3133         (JSC::JSGlobalObject::reset):
3134         (JSC::JSGlobalObject::visitChildren):
3135         * runtime/JSGlobalObject.h:
3136         (JSC::JSGlobalObject::boundFunctionStructure):
3137         * runtime/Lookup.cpp:
3138         (JSC::setUpStaticFunctionSlot):
3139
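A reference model of the bound-function semantics the entry above implements, as an added example and not WebKit's JSBoundFunction (makeBound and the bookkeeping property names are my own); the native Function.prototype.bind is deliberately not used so each rule stays visible.

```javascript
"use strict";

// Added example, not WebKit code: a JS model of the JSBoundFunction rules.
function makeBound(target, boundThis, ...boundArgs) {
  if (typeof target !== "function") {
    throw new TypeError("Bind must be called on a function");
  }

  const bound = function (...callArgs) {
    const args = [...boundArgs, ...callArgs];
    if (new.target !== undefined) {
      // [[Construct]] (boundFunctionConstruct): boundThis is ignored and the
      // target is constructed with the bound args followed by the call's args.
      return Reflect.construct(target, args);
    }
    // [[Call]] (boundFunctionCall): the bound this wins over the caller's
    // receiver, so bound.call("other") still sees boundThis.
    return Reflect.apply(target, boundThis, args);
  };

  // [[HasInstance]] (JSBoundFunction::hasInstance): delegate to the target,
  // so objects built by the bound constructor are instances of both.
  Object.defineProperty(bound, Symbol.hasInstance, {
    value: (v) => v instanceof target,
  });

  // ES5 15.3.4.5: length is max(0, target.length - number of bound args).
  Object.defineProperty(bound, "length", {
    value: Math.max(0, target.length - boundArgs.length),
    configurable: true,
  });

  // The state JSBoundFunction keeps (targetFunction, boundThis, boundArgs).
  bound.targetFunction = target;
  bound.boundThis = boundThis;
  bound.boundArgs = boundArgs;
  return bound;
}

// bind itself takes one required argument (thisArg), hence length 1, which is
// what the "Function.prototype.bind.length should be 1" entry fixed.
function bindLength() {
  return Function.prototype.bind.length;
}
```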
3140 2011-09-22  Oliver Hunt  <oliver@apple.com>
3141
3142         Implement get_scoped_var in the DFG
3143         https://bugs.webkit.org/show_bug.cgi?id=68640
3144
3145         Reviewed by Gavin Barraclough.
3146
3147         Naive implementation of get_scoped_var in the DFG.  Essentially this
3148         is the bare minimum required to get correct behaviour, so there's no
3149         load/store coalescing or type profiling involved, even though these
3150         would be wins.  No impact on SunSpider or V8.
3151
3152         * dfg/DFGByteCodeParser.cpp:
3153         (JSC::DFG::ByteCodeParser::parseBlock):
3154         * dfg/DFGCapabilities.h:
3155         (JSC::DFG::canCompileOpcode):
3156         * dfg/DFGNode.h:
3157         (JSC::DFG::Node::hasVarNumber):
3158         (JSC::DFG::Node::hasScopeChainDepth):
3159         (JSC::DFG::Node::scopeChainDepth):
3160         * dfg/DFGPropagator.cpp:
3161         (JSC::DFG::Propagator::propagateNodePredictions):
3162         * dfg/DFGSpeculativeJIT.cpp:
3163         (JSC::DFG::SpeculativeJIT::compile):
3164
3165 2011-09-22  Adam Roben  <aroben@apple.com>
3166
3167         Remove FindSafari from all our .sln files
3168
3169         It isn't used anymore, so there's no point in building it.
3170
3171         Part of <http://webkit.org/b/68628> Remove FindSafari
3172
3173         Reviewed by Steve Falkenburg.
3174
3175         * JavaScriptCore.vcproj/JavaScriptCore.sln:
3176
3177 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
3178
3179         32-bit call code clobbers the function cell tag
3180         https://bugs.webkit.org/show_bug.cgi?id=68606
3181
3182         Reviewed by Csaba Osztrogonác.
3183         
3184         This is a minimalistic fix: it simply emits code to restore the
3185         cell tag on the slow path, if we know that we failed due to
3186         emitCallIfNotType.
3187
3188         * jit/JITCall32_64.cpp:
3189         (JSC::JIT::compileOpCallVarargsSlowCase):
3190         (JSC::JIT::compileOpCallSlowCase):
3191
3192 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3193
3194         Add missing addPtr->add32 mapping for X86.
3195
3196         Rubber stamped by Sam Weinig.
3197
3198         * assembler/MacroAssembler.h:
3199         (JSC::MacroAssembler::addPtr):
3200
3201 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3202
3203         Add missing addDouble for AbsoluteAddress to X86
3204
3205         Rubber stamped by Geoff Garen.
3206
3207         * assembler/MacroAssemblerX86.h:
3208         (JSC::MacroAssemblerX86::addDouble):
3209         * assembler/X86Assembler.h:
3210         (JSC::X86Assembler::addsd_mr):
3211         (JSC::X86Assembler::cvtsi2sd_rr):
3212         (JSC::X86Assembler::cvtsi2sd_mr):
3213
3214 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3215
3216         Build fix following fix for bug #68586.
3217
3218         * jit/JIT.cpp:
3219         * jit/JITInlineMethods.h:
3220
3221 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
3222
3223         DFG JIT should be able to compile op_throw
3224         https://bugs.webkit.org/show_bug.cgi?id=68571
3225
3226         Reviewed by Geoffrey Garen.
3227         
3228         This compiles op_throw in the simplest way possible: it's an OSR
3229         point back to the old JIT. This is a good step towards increasing
3230         coverage, particularly on Kraken, but it's neutral because the
3231         same functions that do throw also use some other unsupported
3232         opcodes.
3233
3234         * dfg/DFGByteCodeParser.cpp:
3235         (JSC::DFG::ByteCodeParser::parseBlock):
3236         * dfg/DFGCapabilities.h:
3237         (JSC::DFG::canCompileOpcode):
3238         * dfg/DFGNode.h:
3239         * dfg/DFGPropagator.cpp:
3240         (JSC::DFG::Propagator::propagateNodePredictions):
3241         * dfg/DFGSpeculativeJIT.cpp:
3242         (JSC::DFG::SpeculativeJIT::compile):
3243
3244 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
3245
3246         DFG should support continuous optimization
3247         https://bugs.webkit.org/show_bug.cgi?id=68329
3248
3249         Reviewed by Geoffrey Garen.
3250         
3251         This adds the ability to reoptimize a code block if speculation
3252         failures happen frequently. 6% speed-up on Kraken, 1% slow-down
3253         on V8, neutral on SunSpider.
3254
3255         * CMakeLists.txt:
3256         * GNUmakefile.list.am:
3257         * JavaScriptCore.pro:
3258         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3259         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
3260         * JavaScriptCore.xcodeproj/project.pbxproj:
3261         * bytecode/CodeBlock.cpp:
3262         (JSC::CodeBlock::CodeBlock):
3263         (JSC::ProgramCodeBlock::jettison):
3264         (JSC::EvalCodeBlock::jettison):
3265         (JSC::FunctionCodeBlock::jettison):
3266         (JSC::CodeBlock::shouldOptimizeNow):
3267         (JSC::CodeBlock::dumpValueProfiles):
3268         * bytecode/CodeBlock.h:
3269         * dfg/DFGByteCodeParser.cpp:
3270         (JSC::DFG::ByteCodeParser::getStrongPrediction):
3271         * dfg/DFGJITCompiler.cpp:
3272         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
3273         (JSC::DFG::JITCompiler::compileEntry):
3274         (JSC::DFG::JITCompiler::compileBody):
3275         * dfg/DFGJITCompiler.h:
3276         (JSC::DFG::JITCompiler::noticeOSREntry):
3277         * dfg/DFGOSREntry.cpp:
3278         (JSC::DFG::prepareOSREntry):
3279         * dfg/DFGOSREntry.h:
3280         (JSC::DFG::getOSREntryDataBytecodeIndex):
3281         * dfg/DFGSpeculativeJIT.cpp:
3282         (JSC::DFG::SpeculativeJIT::compile):
3283         * heap/ConservativeRoots.cpp:
3284         (JSC::ConservativeRoots::ConservativeRoots):
3285         (JSC::ConservativeRoots::~ConservativeRoots):
3286         (JSC::DummyMarkHook::mark):
3287         (JSC::ConservativeRoots::genericAddPointer):
3288         (JSC::ConservativeRoots::genericAddSpan):
3289         (JSC::ConservativeRoots::add):
3290         * heap/ConservativeRoots.h:
3291         * heap/Heap.cpp:
3292         (JSC::Heap::addJettisonCodeBlock):
3293         (JSC::Heap::markRoots):
3294         * heap/Heap.h:
3295         * heap/JettisonedCodeBlocks.cpp: Added.
3296         (JSC::JettisonedCodeBlocks::JettisonedCodeBlocks):
3297         (JSC::JettisonedCodeBlocks::~JettisonedCodeBlocks):
3298         (JSC::JettisonedCodeBlocks::addCodeBlock):
3299         (JSC::JettisonedCodeBlocks::clearMarks):
3300         (JSC::JettisonedCodeBlocks::deleteUnmarkedCodeBlocks):
3301         (JSC::JettisonedCodeBlocks::traceCodeBlocks):
3302         * heap/JettisonedCodeBlocks.h: Added.
3303         (JSC::JettisonedCodeBlocks::mark):
3304         * interpreter/RegisterFile.cpp:
3305         (JSC::RegisterFile::gatherConservativeRoots):
3306         * interpreter/RegisterFile.h:
3307         * jit/JITStubs.cpp:
3308         (JSC::DEFINE_STUB_FUNCTION):
3309         * runtime/Executable.cpp:
3310         (JSC::jettisonCodeBlock):
3311         (JSC::EvalExecutable::jettisonOptimizedCode):
3312         (JSC::ProgramExecutable::jettisonOptimizedCode):
3313         (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
3314         (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
3315         * runtime/Executable.h:
3316         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
3317         * wtf/BitVector.h: Added.
3318         (WTF::BitVector::BitVector):
3319         (WTF::BitVector::~BitVector):
3320         (WTF::BitVector::operator=):
3321         (WTF::BitVector::size):
3322         (WTF::BitVector::ensureSize):
3323         (WTF::BitVector::resize):
3324         (WTF::BitVector::clearAll):
3325         (WTF::BitVector::get):
3326         (WTF::BitVector::set):
3327         (WTF::BitVector::clear):
3328         (WTF::BitVector::bitsInPointer):
3329         (WTF::BitVector::maxInlineBits):
3330         (WTF::BitVector::byteCount):
3331         (WTF::BitVector::makeInlineBits):
3332         (WTF::BitVector::OutOfLineBits::numBits):
3333         (WTF::BitVector::OutOfLineBits::numWords):
3334         (WTF::BitVector::OutOfLineBits::bits):
3335         (WTF::BitVector::OutOfLineBits::create):
3336         (WTF::BitVector::OutOfLineBits::destroy):
3337         (WTF::BitVector::OutOfLineBits::OutOfLineBits):
3338         (WTF::BitVector::isInline):
3339         (WTF::BitVector::outOfLineBits):
3340         (WTF::BitVector::resizeOutOfLine):
3341         (WTF::BitVector::bits):
3342
3343 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3344
3345         Add X86 GPRInfo for DFG JIT.
3346         https://bugs.webkit.org/show_bug.cgi?id=68586
3347
3348         Reviewed by Geoff Garen.
3349
3350         * dfg/DFGGPRInfo.h:
3351         (JSC::DFG::GPRInfo::toRegister):
3352         (JSC::DFG::GPRInfo::toIndex):
3353         (JSC::DFG::GPRInfo::debugName):
3354
3355 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3356
3357         Should support value profiling on CPU(X86)
3358         https://bugs.webkit.org/show_bug.cgi?id=68575
3359
3360         Reviewed by Sam Weinig.
3361
3362         Fix verbose profiling in ToT (SlowCaseProfile had been
3363         partially renamed to RareCaseProfile), add in-memory
3364         bucket counter for CPU(X86), move JIT::m_canBeOptimized
3365         out of the DFG_JIT ifdef.
3366
3367         * bytecode/CodeBlock.cpp:
3368         (JSC::CodeBlock::resetRareCaseProfiles):
3369         (JSC::CodeBlock::dumpValueProfiles):
3370         * bytecode/CodeBlock.h:
3371         * dfg/DFGByteCodeParser.cpp:
3372         (JSC::DFG::ByteCodeParser::makeSafe):
3373         * jit/JIT.cpp:
3374         (JSC::JIT::privateCompileSlowCases):
3375         (JSC::JIT::privateCompile):
3376         * jit/JIT.h:
3377         * jit/JITInlineMethods.h:
3378         (JSC::JIT::emitValueProfilingSite):
3379
3380 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
3381
3382         DFG does not support compiling functions as constructors
3383         https://bugs.webkit.org/show_bug.cgi?id=68500
3384
3385         Reviewed by Oliver Hunt.
3386         
3387         This adds support for compiling constructors to the DFG. It's a
3388         1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
3389         It's also a 13% win on access-binary-trees, but it's neutral in
3390         the SunSpider and Kraken averages.
3391
3392         * dfg/DFGByteCodeParser.cpp:
3393         (JSC::DFG::ByteCodeParser::parseBlock):
3394         * dfg/DFGCapabilities.h:
3395         (JSC::DFG::mightCompileFunctionForConstruct):
3396         (JSC::DFG::canCompileOpcode):
3397         * dfg/DFGNode.h:
3398         * dfg/DFGOperations.cpp:
3399         * dfg/DFGOperations.h:
3400         * dfg/DFGPropagator.cpp:
3401         (JSC::DFG::Propagator::propagateNodePredictions):
3402         (JSC::DFG::Propagator::performNodeCSE):
3403         * dfg/DFGSpeculativeJIT.cpp:
3404         (JSC::DFG::SpeculativeJIT::compile):
3405         * runtime/Executable.cpp:
3406         (JSC::FunctionExecutable::compileOptimizedForConstruct):
3407         (JSC::FunctionExecutable::compileForConstructInternal):
3408         * runtime/Executable.h:
3409         (JSC::FunctionExecutable::compileForConstruct):
3410         (JSC::FunctionExecutable::compileFor):
3411         (JSC::FunctionExecutable::compileOptimizedFor):
3412
3413 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3414
3415         Replace jsFunctionVPtr compares with a type check on the Structure.
3416         https://bugs.webkit.org/show_bug.cgi?id=68557
3417
3418         Reviewed by Oliver Hunt.
3419
3420         This will permit calls to still optimize to subclasses of JSFunction
3421         that have the correct type (but a different C++ vptr).
3422
3423         This patch stops passing the globalData into numerous functions.
3424
3425         * dfg/DFGByteCodeParser.cpp:
3426         (JSC::DFG::ByteCodeParser::parseBlock):
3427         * dfg/DFGGraph.h:
3428         (JSC::DFG::Graph::isFunctionConstant):
3429         (JSC::DFG::Graph::valueOfFunctionConstant):
3430         * dfg/DFGJITCompiler.h:
3431         (JSC::DFG::JITCompiler::isFunctionConstant):
3432         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
3433         * dfg/DFGOperations.cpp:
3434         * interpreter/Interpreter.cpp:
3435         (JSC::Interpreter::privateExecute):
3436         * jit/JIT.h:
3437         * jit/JITCall.cpp:
3438         (JSC::JIT::compileOpCallVarargs):
3439         (JSC::JIT::compileOpCallSlowCase):
3440         * jit/JITCall32_64.cpp:
3441         (JSC::JIT::compileOpCallVarargs):
3442         (JSC::JIT::compileOpCallSlowCase):
3443         * jit/JITInlineMethods.h:
3444         (JSC::JIT::emitJumpIfNotType):
3445         * jit/JITStubs.cpp:
3446         (JSC::DEFINE_STUB_FUNCTION):
3447         * runtime/Executable.h:
3448         (JSC::isHostFunction):
3449         * runtime/JSFunct