2012-07-02  Filip Pizlo  <fpizlo@apple.com>

        DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
        https://bugs.webkit.org/show_bug.cgi?id=90407

        Reviewed by Mark Hahnenberg.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):

2012-07-02  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype.pop should throw if property is not configurable
        https://bugs.webkit.org/show_bug.cgi?id=75788

        Rubber Stamped by Oliver Hunt.

        No real bug here any more, but the error we throw sometimes has a misleading message.

        * runtime/JSArray.cpp:
        (JSC::JSArray::pop):

2012-06-29  Filip Pizlo  <fpizlo@apple.com>

        JSObject wastes too much memory on unused property slots
        https://bugs.webkit.org/show_bug.cgi?id=90255

        Reviewed by Mark Hahnenberg.

        Rolling back in after applying a simple fix: it appears that
        JSObject::setStructureAndReallocateStorageIfNecessary() was allocating more
        property storage than necessary. Fixing this appears to resolve the crash.

        This does a few things:

        - JSNonFinalObject no longer has inline property storage.

        - Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
          or 2x the inline storage for JSFinalObject.

        - Property storage is only reallocated if it needs to be. Previously, we
          would reallocate the property storage on any transition where the original
          structure said shouldGrowPropertyStorage(), but this led to spurious
          reallocations when doing transitionless property adds and there are
          deleted property slots available. That in turn led to crashes, because we
          would switch to out-of-line storage even if the capacity matched the
          criteria for inline storage.

        - Inline JSFunction allocation is killed off because we don't have a good
          way of inlining property storage allocation. This didn't hurt performance.
          Killing off code is better than fixing it if that code wasn't doing any
          good.

        This looks like a 1% progression on V8.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_func):
        (JSC):
        (JSC::JIT::emit_op_new_func_exp):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):
        (JSObject):
        (JSC::JSObject::finishCreation):
        (JSC):
        (JSC::JSNonFinalObject::hasInlineStorage):
        (JSNonFinalObject):
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::hasInlineStorage):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSObject::offsetOfInlineStorage):
        (JSC::JSObject::setPropertyStorage):
        (JSC::Structure::inlineStorageCapacity):
        (JSC::Structure::isUsingInlineStorage):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::nextPropertyStorageCapacity):
        (JSC):
        (JSC::Structure::growPropertyStorageCapacity):
        (JSC::Structure::suggestedNewPropertyStorageSize):
        * runtime/Structure.h:
        (JSC::Structure::putWillGrowPropertyStorage):
        (Structure):

2012-06-29  Filip Pizlo  <fpizlo@apple.com>

        Webkit crashes in DFG on Google Docs when creating a new document
        https://bugs.webkit.org/show_bug.cgi?id=90209

        Reviewed by Gavin Barraclough.

        Don't attempt to short-circuit Phantom(GetLocal) if the GetLocal is for a
        captured variable.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-06-30  Zan Dobersek  <zandobersek@gmail.com>

        Unreviewed, rolling out r121605.
        http://trac.webkit.org/changeset/121605
        https://bugs.webkit.org/show_bug.cgi?id=90336

        Changes caused flaky crashes in sputnik/Unicode tests on Apple
        WK1 and GTK Linux builders

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC::JIT::emitAllocateJSFinalObject):
        (JSC):
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emitSlow_op_new_func):
        (JSC):
        (JSC::JIT::emit_op_new_func_exp):
        (JSC::JIT::emitSlow_op_new_func_exp):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):
        (JSObject):
        (JSC::JSObject::finishCreation):
        (JSC):
        (JSNonFinalObject):
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSNonFinalObject::finishCreation):
        (JSFinalObject):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSObject::offsetOfInlineStorage):
        (JSC::JSObject::setPropertyStorage):
        (JSC::Structure::isUsingInlineStorage):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::transitionTo):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC):
        (JSC::Structure::growPropertyStorageCapacity):
        (JSC::Structure::suggestedNewPropertyStorageSize):
        * runtime/Structure.h:
        (JSC::Structure::shouldGrowPropertyStorage):
        (JSC::Structure::propertyStorageSize):

2012-06-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove warning about protected values when the Heap is being destroyed
        https://bugs.webkit.org/show_bug.cgi?id=90302

        Reviewed by Geoffrey Garen.

        Having to do book-keeping about whether values allocated from a certain
        VM are or are not protected makes the JSC API much more difficult to use
        correctly. Clients should be able to throw an entire VM away and not have
        to worry about unprotecting all of the values that they protected earlier.

        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):

2012-06-29  Filip Pizlo  <fpizlo@apple.com>

        JSObject wastes too much memory on unused property slots
        https://bugs.webkit.org/show_bug.cgi?id=90255

        Reviewed by Mark Hahnenberg.

        This does a few things:

        - JSNonFinalObject no longer has inline property storage.

        - Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
          or 2x the inline storage for JSFinalObject.

        - Property storage is only reallocated if it needs to be. Previously, we
          would reallocate the property storage on any transition where the original
          structure said shouldGrowPropertyStorage(), but this led to spurious
          reallocations when doing transitionless property adds and there are
          deleted property slots available. That in turn led to crashes, because we
          would switch to out-of-line storage even if the capacity matched the
          criteria for inline storage.

        - Inline JSFunction allocation is killed off because we don't have a good
          way of inlining property storage allocation. This didn't hurt performance.
          Killing off code is better than fixing it if that code wasn't doing any
          good.

        This looks like a 1% progression on V8.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_func):
        (JSC):
        (JSC::JIT::emit_op_new_func_exp):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):
        (JSObject):
        (JSC::JSObject::finishCreation):
        (JSC):
        (JSC::JSNonFinalObject::hasInlineStorage):
        (JSNonFinalObject):
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::hasInlineStorage):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSObject::offsetOfInlineStorage):
        (JSC::JSObject::setPropertyStorage):
        (JSC::Structure::inlineStorageCapacity):
        (JSC::Structure::isUsingInlineStorage):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::nextPropertyStorageCapacity):
        (JSC):
        (JSC::Structure::growPropertyStorageCapacity):
        (JSC::Structure::suggestedNewPropertyStorageSize):
        * runtime/Structure.h:
        (JSC::Structure::putWillGrowPropertyStorage):
        (Structure):

2012-06-28  Filip Pizlo  <fpizlo@apple.com>

        DFG recompilation heuristics should be based on count, not rate
        https://bugs.webkit.org/show_bug.cgi?id=90146

        Reviewed by Oliver Hunt.

        This removes a bunch of code that was previously trying to prevent spurious
        reoptimizations if a large enough majority of executions of a code block did
        not result in OSR exit. It turns out that this code was purely harmful. This
        patch removes all of that logic and replaces it with a dead-simple
        heuristic: if you exit more than N times (where N is an exponential function
        of the number of times the code block has already been recompiled) then we
        will recompile.

        This appears to be a broad ~1% win on many benchmarks large and small.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::osrExitCounter):
        (JSC::CodeBlock::countOSRExit):
        (CodeBlock):
        (JSC::CodeBlock::addressOfOSRExitCounter):
        (JSC::CodeBlock::offsetOfOSRExitCounter):
        (JSC::CodeBlock::adjustedExitCountThreshold):
        (JSC::CodeBlock::exitCountThresholdForReoptimization):
        (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::setThreshold):
        * bytecode/ExecutionCounter.h:
        (ExecutionCounter):
        (JSC::ExecutionCounter::clippedThreshold):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::handleExitCounts):
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):

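A small model of the count-based reoptimization heuristic described in the entry above, added here as an illustration; it is not JSC's code. The names `CodeBlockModel`, `ReoptimizationPolicy` and `simulateExits`, and the base threshold of 100 exits, are assumptions; only the shape (a raw exit count compared against a threshold that doubles with every recompile) follows the entry.

```cpp
#include <cstdint>
#include <vector>

// Assumed tunables, standing in for the Options:: values the entry adds.
struct ReoptimizationPolicy {
    uint32_t baseThreshold = 100; // exits allowed before the first recompile (assumed)
    uint32_t maxRetryShift = 16;  // cap so the left shift below can never overflow
};

// Per-code-block state: a plain exit counter plus how many times we already recompiled.
struct CodeBlockModel {
    uint32_t osrExitCounter = 0;
    uint32_t reoptimizationRetryCounter = 0;

    // Threshold N grows exponentially with the number of previous recompiles,
    // so a block that keeps exiting is given progressively longer to settle.
    uint32_t exitCountThreshold(const ReoptimizationPolicy& p) const {
        uint32_t shift = reoptimizationRetryCounter < p.maxRetryShift
                             ? reoptimizationRetryCounter
                             : p.maxRetryShift;
        return p.baseThreshold << shift;
    }

    void countOSRExit() { ++osrExitCounter; }

    // The whole heuristic: no rate, no success/failure ratio, just a count.
    bool shouldReoptimizeNow(const ReoptimizationPolicy& p) const {
        return osrExitCounter >= exitCountThreshold(p);
    }

    // Recompiling resets the exit count and bumps the retry counter.
    void recompile() {
        ++reoptimizationRetryCounter;
        osrExitCounter = 0;
    }
};

// Feed a constructed stream of OSR exits to one code block and return the
// cumulative exit number at which each recompilation was triggered.
std::vector<uint32_t> simulateExits(uint32_t totalExits, const ReoptimizationPolicy& p) {
    CodeBlockModel block;
    std::vector<uint32_t> recompiledAt;
    for (uint32_t i = 1; i <= totalExits; ++i) {
        block.countOSRExit();
        if (block.shouldReoptimizeNow(p)) {
            recompiledAt.push_back(i);
            block.recompile();
        }
    }
    return recompiledAt;
}
```

With the assumed base of 100, the block recompiles after 100 exits, then needs 200 more, then 400 more, so 1000 simulated exits produce recompiles at exits 100, 300 and 700.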
2012-06-28  Mark Lam  <mark.lam@apple.com>

        Adding a commenting utility to record BytecodeGenerator comments
        with opcodes that are emitted.  Presently, the comments can only
        be constant strings.  Adding comments for opcodes is optional.
        If a comment is added, the comment will be printed following the
        opcode when CodeBlock::dump() is called.

        This utility is disabled by default, and is only meant for VM
        development purposes.  It should not be enabled for product builds.

        To enable this utility, set ENABLE_BYTECODE_COMMENTS in CodeBlock.h
        to 1.

        https://bugs.webkit.org/show_bug.cgi?id=90095

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecodeCommentAndNewLine): Dumps the comment.
        (JSC):
        (JSC::CodeBlock::printUnaryOp): Add comment dumps.
        (JSC::CodeBlock::printBinaryOp): Add comment dumps.
        (JSC::CodeBlock::printConditionalJump): Add comment dumps.
        (JSC::CodeBlock::printCallOp): Add comment dumps.
        (JSC::CodeBlock::printPutByIdOp): Add comment dumps.
        (JSC::CodeBlock::dump): Add comment dumps.
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::commentForBytecodeOffset):
            Finds the comment for an opcode if available.
        (JSC::CodeBlock::dumpBytecodeComments):
            For debugging whether comments are collected.
            It is not being called anywhere.
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::bytecodeComments):
        * bytecode/Comment.h: Added.
        (JSC):
        (Comment):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitOpcode): Calls emitComment().
        (JSC):
        (JSC::BytecodeGenerator::emitComment): Adds comment to CodeBlock.
        (JSC::BytecodeGenerator::prependComment):
            Registers a comment for emitComment() to use later.
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::emitComment):
        (JSC::BytecodeGenerator::prependComment):
            These are inlined versions of these functions that nullify them
            when ENABLE_BYTECODE_COMMENTS is 0.
        (JSC::BytecodeGenerator::comments):

2012-06-28  Oliver Hunt  <oliver@apple.com>

        32bit DFG incorrectly claims an fpr is fillable even if it has not been proven double
        https://bugs.webkit.org/show_bug.cgi?id=90127

        Reviewed by Filip Pizlo.

        The 32-bit version of fillSpeculateDouble doesn't handle Number->fpr loads
        correctly.  This patch fixes this by killing the fill info in the GenerationInfo
        when the spillFormat doesn't guarantee the value is a double.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2012-06-28  Kent Tamura  <tkent@chromium.org>

        Classify form control states by their owner forms
        https://bugs.webkit.org/show_bug.cgi?id=89950

        Reviewed by Hajime Morita.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Expose WTF::StringBuilder::canShrink()

2012-06-27  Michael Saboff  <msaboff@apple.com>

        [Win] jscore-tests flakey
        https://bugs.webkit.org/show_bug.cgi?id=88118

        Reviewed by Jessie Berlin.

        jsDriver.pl on windows intermittently doesn't get the returned value from jsc,
        instead it gets 126.  Added a new option to jsc (-x) which prints the exit
        code before exiting.  jsDriver.pl uses this option on Windows and parses the
        exit code output for the exit code, removing it before comparing the actual
        and expected outputs.  Filed a follow on "FIXME" defect:
        [WIN] Intermittent failure for jsc return value to propagate through jsDriver.pl
        https://bugs.webkit.org/show_bug.cgi?id=90119

        * jsc.cpp:
        (CommandLine::CommandLine):
        (CommandLine):
        (printUsageStatement):
        (parseArguments):
        (jscmain):
        * tests/mozilla/jsDriver.pl:
        (execute_tests):

2012-06-27  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r121359.
        http://trac.webkit.org/changeset/121359
        https://bugs.webkit.org/show_bug.cgi?id=90115

        Broke many inspector tests (Requested by jpfau on #webkit).

        * interpreter/Interpreter.h:
        (JSC::StackFrame::toString):

2012-06-27  Filip Pizlo  <fpizlo@apple.com>

        Javascript SHA-512 gives wrong hash on second and subsequent runs unless Web Inspector Javascript Debugging is on
        https://bugs.webkit.org/show_bug.cgi?id=90053
        <rdar://problem/11764613>

        Reviewed by Mark Hahnenberg.

        The problem is that the code was assuming that the recovery should be Undefined if the source of
        the SetLocal was !shouldGenerate(). But that's wrong, since the DFG optimizer may skip around a
        UInt32ToNumber node (hence making it !shouldGenerate()) and keep the source of that node alive.
        In that case we should base the recovery on the source of the UInt32ToNumber. The logic for this
        was already in place but the fast check for !shouldGenerate() broke it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2012-06-27  Filip Pizlo  <fpizlo@apple.com>

        DFG disassembly should be easier to read
        https://bugs.webkit.org/show_bug.cgi?id=90106

        Reviewed by Mark Hahnenberg.

        Did a few things:

        - Options::showDFGDisassembly now shows OSR exit disassembly as well.

        - Phi node dumping doesn't attempt to do line wrapping since it just made the dump harder
          to read.

        - DFG graph disassembly view shows a few additional node types that turn out to be
          essential for understanding OSR exits.

        Put together, these changes reinforce the philosophy that anything needed for computing
        OSR exit is just as important as the machine code itself. Of course, we still don't take
        that philosophy to its full extreme - for example Phantom nodes are not dumped. We may
        revisit that in the future.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (JSC):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGOSRExitCompiler.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2012-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSLock should be per-JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=89123

        Reviewed by Geoffrey Garen.

        * API/APIShims.h:
        (APIEntryShimWithoutLock):
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to
        determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the
        HeapTimer class because timerDidFire could run after somebody has started to tear down that particular
        JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after
        its destruction has begun.
        (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
        (JSC::APIEntryShim::APIEntryShim):
        (APIEntryShim):
        (JSC::APIEntryShim::~APIEntryShim):
        (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
        Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
        and before we've released it, which can only be done in APIEntryShim.
        (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
        * API/JSContextRef.cpp:
        (JSGlobalContextCreate):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRelease):
        (JSContextCreateBacktrace):
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateSlowCase):
        * heap/Heap.cpp:
        (JSC::Heap::protect):
        (JSC::Heap::unprotect):
        (JSC::Heap::collect):
        (JSC::Heap::setActivityCallback):
        (JSC::Heap::activityCallback):
        (JSC::Heap::sweeper):
        * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they
        are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
        and the IncrementalSweeper to make sure they're the last things that get initialized during construction to
        prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
        (Heap):
        * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
        (JSC::HeapTimer::~HeapTimer):
        (JSC::HeapTimer::invalidate):
        (JSC):
        (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread
        that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the
        HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
        (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zeroed
        out, then we know the VM has started to shutdown and we should kill ourselves. Otherwise, grab the APIEntryShim,
        but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case
        we were interrupted between releasing our mutex and trying to grab the APILock.
        * heap/HeapTimer.h:
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles
        all of that for us.
        (JSC::IncrementalSweeper::create):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::reap):
        * jsc.cpp:
        (functionGC):
        (functionReleaseExecutableMemory):
        (jscmain):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/GCActivityCallback.h:
        (DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::create):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
        that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity
        it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the
        APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
        (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
        (JSC::JSGlobalData::sharedInstanceInternal):
        * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and
        de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
        (JSGlobalData):
        (JSC::JSGlobalData::apiLock):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSLock.cpp:
        (JSC):
        (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
        (JSC::GlobalJSLock::~GlobalJSLock):
        (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that
        it can successfully unlock it later without it disappearing from underneath it.
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::~JSLock):
        (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for
        actually waiting for long periods.
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        (JSC):
        (GlobalJSLock):
        (JSLockHolder):
        (JSLock):
        (DropAllLocks):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::set):
        * testRegExp.cpp:
        (realMain):

2012-06-27  Filip Pizlo  <fpizlo@apple.com>

        x86 disassembler confuses immediates with addresses
        https://bugs.webkit.org/show_bug.cgi?id=90099

        Reviewed by Mark Hahnenberg.

        Prepend "$" to immediates to disambiguate between immediates and addresses. This is in
        accordance with the gas and AT&T syntax.

        * disassembler/udis86/udis86_syn-att.c:
        (gen_operand):

2012-06-27  Filip Pizlo  <fpizlo@apple.com>

        Add a comment clarifying Options::showDisassembly versus Options::showDFGDisassembly.

        Rubber stamped by Mark Hahnenberg.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):

2012-06-27  Anthony Scian  <ascian@rim.com>

        Web Inspector [JSC]: Implement ScriptCallStack::stackTrace
        https://bugs.webkit.org/show_bug.cgi?id=40118

        Reviewed by Yong Li.

        Added member functions to expose function name, urlString, and line #.
        Refactored toString to make use of these member functions to reduce
        duplicated code for future maintenance.

        Manually tested refactoring of toString by tracing thrown exceptions.

        * interpreter/Interpreter.h:
        (StackFrame):
        (JSC::StackFrame::toString):
        (JSC::StackFrame::friendlySourceURL):
        (JSC::StackFrame::friendlyFunctionName):
        (JSC::StackFrame::friendlyLineNumber):

2012-06-27  Oswald Buddenhagen  <oswald.buddenhagen@nokia.com>

        [Qt] Remove redundant c++11 warning suppression code

        This is already handled in default_post.

        Reviewed by Tor Arne Vestbø.

        * Target.pri:

2012-06-26  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Add missing headers to HEADERS

        For JavaScriptCore there aren't any Qt specific files, so we include all
        headers for easy editing in Qt Creator.

        Reviewed by Simon Hausmann.

        * Target.pri:

2012-06-26  Dominic Cooney  <dominicc@chromium.org>

        [Chromium] Remove unused build scripts and empty folders for JavaScriptCore w/ gyp
        https://bugs.webkit.org/show_bug.cgi?id=90029

        Reviewed by Adam Barth.

        * gyp: Removed.
        * gyp/generate-derived-sources.sh: Removed.
        * gyp/generate-dtrace-header.sh: Removed.
        * gyp/run-if-exists.sh: Removed.
        * gyp/update-info-plist.sh: Removed.

2012-06-26  Geoffrey Garen  <ggaren@apple.com>

        Reduced (but did not eliminate) use of "berzerker GC"
        https://bugs.webkit.org/show_bug.cgi?id=89237

        Reviewed by Gavin Barraclough.

        (PART 2)

        This part turns off "berzerker GC" and turns on incremental shrinking.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doSweep): Free or shrink after sweeping to
        maintain the behavior we used to get from the occasional berzerker GC,
        which would run all finalizers and then free or shrink all blocks
        synchronously.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::needsSweeping): Sweep zapped blocks, too. It's always
        safe to sweep a zapped block (that's the point of zapping), and it's
        sometimes profitable. For example, consider this case: Block A does some
        allocation (transitioning Block A from Marked to FreeListed), then GC
        happens (transitioning Block A to Zapped), then all objects in Block A
        are free, then the incremental sweeper visits Block A. If we skipped
        Zapped blocks, we'd skip Block A, even though it would be profitable to
        run its destructors and free its memory.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork): Don't sweep eagerly; we'll do
        this incrementally.

2012-06-26  Filip Pizlo  <fpizlo@apple.com>

        DFG PutByValAlias is too aggressive
        https://bugs.webkit.org/show_bug.cgi?id=90026
        <rdar://problem/11751830>

        Reviewed by Gavin Barraclough.

        For CSE on normal arrays, we now treat PutByVal as impure. This does not appear to affect
        performance by much.

        For CSE on typed arrays, we fix PutByValAlias by making GetByVal speculate that the access
        is within bounds. This also has the effect of making our out-of-bounds handling consistent
        with WebCore.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

2012-06-26  Yong Li  <yoli@rim.com>

        [BlackBerry] Add JSC statistics into about:memory
        https://bugs.webkit.org/show_bug.cgi?id=89779

        Reviewed by Rob Buis.

        Fix non-JIT build on BlackBerry broken by r121196.

        * runtime/MemoryStatistics.cpp:
        (JSC::globalMemoryStatistics):

2012-06-25  Filip Pizlo  <fpizlo@apple.com>

        DFG::operationNewArray is unnecessarily slow, and may use the wrong array
        prototype when inlined
        https://bugs.webkit.org/show_bug.cgi?id=89821

        Reviewed by Geoffrey Garen.

        Fixes all array allocations to use the right structure, and hence the right prototype. Adds
        inlining of new Array(...) with a non-zero number of arguments. Optimizes allocations of
        empty arrays.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
750         (CCallHelpers):
751         * dfg/DFGNodeType.h:
752         (DFG):
753         * dfg/DFGOperations.cpp:
754         * dfg/DFGOperations.h:
755         * dfg/DFGPredictionPropagationPhase.cpp:
756         (JSC::DFG::PredictionPropagationPhase::propagate):
757         * dfg/DFGSpeculativeJIT.h:
758         (JSC::DFG::SpeculativeJIT::callOperation):
759         * dfg/DFGSpeculativeJIT32_64.cpp:
760         (JSC::DFG::SpeculativeJIT::compile):
761         * dfg/DFGSpeculativeJIT64.cpp:
762         (JSC::DFG::SpeculativeJIT::compile):
763         * runtime/JSArray.h:
764         (JSC):
765         (JSC::constructArray):
766         * runtime/JSGlobalObject.h:
767         (JSC):
768         (JSC::constructArray):
769
770 2012-06-26  Filip Pizlo  <fpizlo@apple.com>
771
772         New fast/js/dfg-store-unexpected-value-into-argument-and-osr-exit.html fails on 32 bit
773         https://bugs.webkit.org/show_bug.cgi?id=89953
774
775         Reviewed by Zoltan Herczeg.
776         
777         DFG 32-bit JIT was confused about the difference between a predicted type and a
778         proven type. This is easy to get confused about, since a local that is predicted int32
779         almost always means that the local must be an int32 since speculations are hoisted to
780         stores to locals. But that is less likely to be the case for arguments, where there is
781         an additional least-upper-bounding step: any store to an argument with a weird type
782         may force the argument to be any type.
783         
784         This patch basically duplicates the functionality in DFGSpeculativeJIT64.cpp for
785         GetLocal: the decision of whether to load a local as an int32 (or as an array, or as
786         a boolean) is made based on the AbstractValue::m_type, which is a type proof, rather
787         than the VariableAccessData::prediction(), which is a predicted type.
788
789         * dfg/DFGSpeculativeJIT32_64.cpp:
790         (JSC::DFG::SpeculativeJIT::compile):
791
792 2012-06-25  Filip Pizlo  <fpizlo@apple.com>
793
794         JSC should try to make profiling deterministic because otherwise reproducing failures is
795         nearly impossible
796         https://bugs.webkit.org/show_bug.cgi?id=89940
797
798         Rubber stamped by Gavin Barraclough.
799         
800         This rolls out the part of http://trac.webkit.org/changeset/121215 that introduced randomness
801         into the system. Now, instead of randomizing the tier-up threshold, we always set it to an
802         artificially low (and statically predetermined!) value. This gives most of the benefit of
803         threshold randomization without actually making the system behave completely differently on
804         each invocation.
805
806         * bytecode/ExecutionCounter.cpp:
807         (JSC::ExecutionCounter::setThreshold):
808         * runtime/Options.cpp:
809         (Options):
810         (JSC::Options::initializeOptions):
811         * runtime/Options.h:
812         (Options):
813
814 2012-06-22  Filip Pizlo  <fpizlo@apple.com>
815
816         Value profiling should use tier-up threshold randomization to get more coverage
817         https://bugs.webkit.org/show_bug.cgi?id=89802
818
819         Reviewed by Gavin Barraclough.
820         
821         This patch causes both LLInt and Baseline JIT code to take the OSR slow path several
822         times before actually doing OSR. If we take the OSR slow path before the execution
823         count threshold is reached, then we just call CodeBlock::updateAllPredictions() to
824         compute the current latest least-upper-bound SpecType of all values seen in each
825         ValueProfile.
826
827         * bytecode/CodeBlock.cpp:
828         (JSC::CodeBlock::stronglyVisitStrongReferences):
829         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
830         (JSC):
831         (JSC::CodeBlock::updateAllPredictions):
832         (JSC::CodeBlock::shouldOptimizeNow):
833         * bytecode/CodeBlock.h:
834         (JSC::CodeBlock::llintExecuteCounter):
835         (JSC::CodeBlock::jitExecuteCounter):
836         (CodeBlock):
837         (JSC::CodeBlock::updateAllPredictions):
838         * bytecode/ExecutionCounter.cpp:
839         (JSC::ExecutionCounter::setThreshold):
840         (JSC::ExecutionCounter::status):
841         (JSC):
842         * bytecode/ExecutionCounter.h:
843         (JSC::ExecutionCounter::count):
844         (ExecutionCounter):
845         * dfg/DFGAbstractState.cpp:
846         (JSC::DFG::AbstractState::execute):
847         * dfg/DFGOperations.cpp:
848         * dfg/DFGSpeculativeJIT.cpp:
849         (JSC::DFG::SpeculativeJIT::compile):
850         * jit/JITStubs.cpp:
851         (JSC::DEFINE_STUB_FUNCTION):
852         * llint/LLIntSlowPaths.cpp:
853         (JSC::LLInt::jitCompileAndSetHeuristics):
854         (JSC::LLInt::entryOSR):
855         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
856         * runtime/JSGlobalObject.cpp:
857         (JSC::JSGlobalObject::JSGlobalObject):
858         (JSC):
859         * runtime/JSGlobalObject.h:
860         (JSGlobalObject):
861         (JSC::JSGlobalObject::weakRandomInteger):
862         * runtime/Options.cpp:
863         (Options):
864         (JSC::Options::initializeOptions):
865         * runtime/Options.h:
866         (Options):
867         * runtime/WeakRandom.h:
868         (WeakRandom):
869         (JSC::WeakRandom::seedUnsafe):
870
871 2012-06-25  Yong Li  <yoli@rim.com>
872
873         [BlackBerry] Add JSC statistics into about:memory
874         https://bugs.webkit.org/show_bug.cgi?id=89779
875
876         Reviewed by Rob Buis.
877
878         Add MemoryStatistics.cpp into build, and fill JITBytes for BlackBerry port.
879
880         * PlatformBlackBerry.cmake:
881         * runtime/MemoryStatistics.cpp:
882         (JSC::globalMemoryStatistics):
883
884 2012-06-23  Sheriff Bot  <webkit.review.bot@gmail.com>
885
886         Unreviewed, rolling out r121058.
887         http://trac.webkit.org/changeset/121058
888         https://bugs.webkit.org/show_bug.cgi?id=89809
889
890         Patch causes plugins tests to crash in GTK debug builds
891         (Requested by zdobersek on #webkit).
892
893         * API/APIShims.h:
894         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
895         (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
896         (APIEntryShimWithoutLock):
897         (JSC::APIEntryShim::APIEntryShim):
898         (APIEntryShim):
899         (JSC::APICallbackShim::~APICallbackShim):
900         * API/JSContextRef.cpp:
901         (JSGlobalContextCreate):
902         (JSGlobalContextCreateInGroup):
903         (JSGlobalContextRelease):
904         (JSContextCreateBacktrace):
905         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
906         * heap/CopiedSpace.cpp:
907         (JSC::CopiedSpace::tryAllocateSlowCase):
908         * heap/Heap.cpp:
909         (JSC::Heap::protect):
910         (JSC::Heap::unprotect):
911         (JSC::Heap::collect):
912         (JSC::Heap::setActivityCallback):
913         (JSC::Heap::activityCallback):
914         (JSC::Heap::sweeper):
915         * heap/Heap.h:
916         (Heap):
917         * heap/HeapTimer.cpp:
918         (JSC::HeapTimer::~HeapTimer):
919         (JSC::HeapTimer::invalidate):
920         (JSC::HeapTimer::timerDidFire):
921         (JSC):
922         * heap/HeapTimer.h:
923         (HeapTimer):
924         * heap/IncrementalSweeper.cpp:
925         (JSC::IncrementalSweeper::doWork):
926         (JSC::IncrementalSweeper::create):
927         * heap/IncrementalSweeper.h:
928         (IncrementalSweeper):
929         * heap/MarkedAllocator.cpp:
930         (JSC::MarkedAllocator::allocateSlowCase):
931         * heap/WeakBlock.cpp:
932         (JSC::WeakBlock::reap):
933         * jsc.cpp:
934         (functionGC):
935         (functionReleaseExecutableMemory):
936         (jscmain):
937         * runtime/Completion.cpp:
938         (JSC::checkSyntax):
939         (JSC::evaluate):
940         * runtime/GCActivityCallback.h:
941         (DefaultGCActivityCallback):
942         (JSC::DefaultGCActivityCallback::create):
943         * runtime/JSGlobalData.cpp:
944         (JSC::JSGlobalData::JSGlobalData):
945         (JSC::JSGlobalData::~JSGlobalData):
946         (JSC::JSGlobalData::sharedInstance):
947         (JSC::JSGlobalData::sharedInstanceInternal):
948         * runtime/JSGlobalData.h:
949         (JSGlobalData):
950         * runtime/JSGlobalObject.cpp:
951         (JSC::JSGlobalObject::~JSGlobalObject):
952         (JSC::JSGlobalObject::init):
953         * runtime/JSLock.cpp:
954         (JSC):
955         (JSC::createJSLockCount):
956         (JSC::JSLock::lockCount):
957         (JSC::setLockCount):
958         (JSC::JSLock::JSLock):
959         (JSC::JSLock::lock):
960         (JSC::JSLock::unlock):
961         (JSC::JSLock::currentThreadIsHoldingLock):
962         (JSC::JSLock::DropAllLocks::DropAllLocks):
963         (JSC::JSLock::DropAllLocks::~DropAllLocks):
964         * runtime/JSLock.h:
965         (JSC):
966         (JSLock):
967         (JSC::JSLock::JSLock):
968         (JSC::JSLock::~JSLock):
969         (DropAllLocks):
970         * runtime/WeakGCMap.h:
971         (JSC::WeakGCMap::set):
972         * testRegExp.cpp:
973         (realMain):
974
975 2012-06-22  Alexandru Chiculita  <achicu@adobe.com>
976
977         [CSS Shaders] Re-enable the CSS Shaders compile time flag on Safari Mac
978         https://bugs.webkit.org/show_bug.cgi?id=89781
979
980         Reviewed by Dean Jackson.
981
982         Added ENABLE_CSS_SHADERS flag as enabled by default on Safari for Mac.
983
984         * Configurations/FeatureDefines.xcconfig:
985
986 2012-06-22  Filip Pizlo  <fpizlo@apple.com>
987
988         DFG tier-up should happen in prologues, not epilogues
989         https://bugs.webkit.org/show_bug.cgi?id=89752
990
991         Reviewed by Geoffrey Garen.
992
993         This change has two outcomes:
994         
995         1) Slightly reduces the likelihood that a function will be optimized both
996         standalone and via inlining.  Previously, if you had a call sequence like foo() 
997         calls bar() exactly once, and nobody else calls bar(), then bar() would get
998         optimized first (because it returns first) and then foo() gets optimized.  If foo()
999         can inline bar() then that means that bar() gets optimized twice.  But now, if we
1000         optimize in prologues, then foo() will be optimized first.  If it inlines bar(),
1001         that means that there will no longer be any calls to bar().
1002         
1003         2) It lets us kill some code in JITStubs.  Epilogue tier-up was very different from
1004         loop tier-up, since epilogue tier-up should not attempt OSR.  But prologue tier-up
1005         requires OSR (albeit really easy OSR since it's the top of the compilation unit),
1006         so it becomes just like loop tier-up.  As a result, we now have one optimization
1007         hook (cti_optimize) instead of two (cti_optimize_from_loop and
1008         cti_optimize_from_ret).
1009         
1010         As a consequence of not having an optimization check in epilogues, the OSR exit
1011         code must now trigger reoptimization itself instead of just signaling the epilogue
1012         check to fire.
1013         
1014         This also adds the ability to count the number of DFG compilations, which was
1015         useful for debugging this patch and might be useful for other things in the future.
1016
1017         * bytecode/CodeBlock.cpp:
1018         (JSC::CodeBlock::reoptimize):
1019         (JSC):
1020         * bytecode/CodeBlock.h:
1021         (CodeBlock):
1022         * dfg/DFGByteCodeParser.cpp:
1023         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1024         * dfg/DFGDriver.cpp:
1025         (DFG):
1026         (JSC::DFG::getNumCompilations):
1027         (JSC::DFG::compile):
1028         * dfg/DFGDriver.h:
1029         (DFG):
1030         * dfg/DFGOSRExitCompiler.cpp:
1031         (JSC::DFG::OSRExitCompiler::handleExitCounts):
1032         * dfg/DFGOperations.cpp:
1033         * dfg/DFGOperations.h:
1034         * jit/JIT.cpp:
1035         (JSC::JIT::emitOptimizationCheck):
1036         * jit/JIT.h:
1037         * jit/JITCall32_64.cpp:
1038         (JSC::JIT::emit_op_ret):
1039         (JSC::JIT::emit_op_ret_object_or_this):
1040         * jit/JITOpcodes.cpp:
1041         (JSC::JIT::emit_op_ret):
1042         (JSC::JIT::emit_op_ret_object_or_this):
1043         (JSC::JIT::emit_op_enter):
1044         * jit/JITOpcodes32_64.cpp:
1045         (JSC::JIT::emit_op_enter):
1046         * jit/JITStubs.cpp:
1047         (JSC::DEFINE_STUB_FUNCTION):
1048         * jit/JITStubs.h:
1049
1050 2012-06-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1051
1052         JSLock should be per-JSGlobalData
1053         https://bugs.webkit.org/show_bug.cgi?id=89123
1054
1055         Reviewed by Gavin Barraclough.
1056
1057         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1058         * API/APIShims.h:
1059         (APIEntryShimWithoutLock):
1060         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to 
1061         determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the 
1062         HeapTimer class because timerDidFire could run after somebody has started to tear down that particular 
1063         JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after 
1064         its destruction has begun. 
1065         (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock): Now derefs if it also refed.
1066         (JSC::APIEntryShim::APIEntryShim):
1067         (APIEntryShim):
1068         (JSC::APIEntryShim::~APIEntryShim):
1069         (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
1070         Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
1071         and before we've released it, which can only be done in APIEntryShim.
1072         (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
1073         * API/JSContextRef.cpp:
1074         (JSGlobalContextCreate):
1075         (JSGlobalContextCreateInGroup):
1076         (JSGlobalContextRelease):
1077         (JSContextCreateBacktrace):
1078         * heap/CopiedSpace.cpp:
1079         (JSC::CopiedSpace::tryAllocateSlowCase):
1080         * heap/Heap.cpp:
1081         (JSC::Heap::protect):
1082         (JSC::Heap::unprotect):
1083         (JSC::Heap::collect):
1084         (JSC::Heap::setActivityCallback):
1085         (JSC::Heap::activityCallback):
1086         (JSC::Heap::sweeper):
1087         * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they 
1088         are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
1089         and the IncrementalSweeper to make sure they're the last things that get initialized during construction to 
1090         prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
1091         (Heap):
1092         * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
1093         (JSC::HeapTimer::~HeapTimer):
1094         (JSC::HeapTimer::invalidate):
1095         (JSC):
1096         (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread 
1097         that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the 
1098         HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
1099         (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zeroed
1100         out, then we know the VM has started to shut down and we should kill ourselves. Otherwise, grab the APIEntryShim,
1101         but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case 
1102         we were interrupted between releasing our mutex and trying to grab the APILock.
1103         * heap/HeapTimer.h: 
1104         (HeapTimer):
1105         * heap/IncrementalSweeper.cpp:
1106         (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles 
1107         all of that for us. 
1108         (JSC::IncrementalSweeper::create):
1109         * heap/IncrementalSweeper.h:
1110         (IncrementalSweeper):
1111         * heap/MarkedAllocator.cpp:
1112         (JSC::MarkedAllocator::allocateSlowCase):
1113         * heap/WeakBlock.cpp:
1114         (JSC::WeakBlock::reap):
1115         * jsc.cpp:
1116         (functionGC):
1117         (functionReleaseExecutableMemory):
1118         (jscmain):
1119         * runtime/Completion.cpp:
1120         (JSC::checkSyntax):
1121         (JSC::evaluate):
1122         * runtime/GCActivityCallback.h:
1123         (DefaultGCActivityCallback):
1124         (JSC::DefaultGCActivityCallback::create):
1125         * runtime/JSGlobalData.cpp:
1126         (JSC::JSGlobalData::JSGlobalData):
1127         (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
1128         that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity 
1129         it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the 
1130         APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
1131         (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
1132         (JSC::JSGlobalData::sharedInstanceInternal):
1133         * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and 
1134         de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
1135         (JSGlobalData):
1136         (JSC::JSGlobalData::apiLock):
1137         * runtime/JSGlobalObject.cpp:
1138         (JSC::JSGlobalObject::~JSGlobalObject):
1139         (JSC::JSGlobalObject::init):
1140         * runtime/JSLock.cpp:
1141         (JSC):
1142         (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
1143         (JSC::GlobalJSLock::~GlobalJSLock):
1144         (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that 
1145         it can successfully unlock it later without it disappearing from underneath it.
1146         (JSC::JSLockHolder::~JSLockHolder):
1147         (JSC::JSLock::JSLock):
1148         (JSC::JSLock::~JSLock):
1149         (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for 
1150         actually waiting for long periods. 
1151         (JSC::JSLock::unlock):
1152         (JSC::JSLock::currentThreadIsHoldingLock): 
1153         (JSC::JSLock::dropAllLocks):
1154         (JSC::JSLock::dropAllLocksUnconditionally):
1155         (JSC::JSLock::grabAllLocks):
1156         (JSC::JSLock::DropAllLocks::DropAllLocks):
1157         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1158         * runtime/JSLock.h:
1159         (JSC):
1160         (GlobalJSLock):
1161         (JSLockHolder):
1162         (JSLock):
1163         (DropAllLocks):
1164         * runtime/WeakGCMap.h:
1165         (JSC::WeakGCMap::set):
1166         * testRegExp.cpp:
1167         (realMain):
1168
1169 2012-06-22  Peter Beverloo  <peter@chromium.org>
1170
1171         [Chromium] Disable c++0x compatibility warnings in JavaScriptCore.gyp when building for Android
1172         https://bugs.webkit.org/show_bug.cgi?id=88853
1173
1174         Reviewed by Steve Block.
1175
1176         The Android exclusions were necessary to fix a gyp generation error, as
1177         the gcc_version variable wasn't being defined for Android. Remove these
1178         exceptions when Chromium is able to define the gcc_version variable.
1179
1180         * JavaScriptCore.gyp/JavaScriptCore.gyp:
1181
1182 2012-06-21  Filip Pizlo  <fpizlo@apple.com>
1183
1184         op_resolve_global should not prevent DFG inlining
1185         https://bugs.webkit.org/show_bug.cgi?id=89726
1186
1187         Reviewed by Gavin Barraclough.
1188
1189         * bytecode/CodeBlock.cpp:
1190         (JSC::CodeBlock::CodeBlock):
1191         (JSC::CodeBlock::shrinkToFit):
1192         * bytecode/GlobalResolveInfo.h:
1193         (JSC::GlobalResolveInfo::GlobalResolveInfo):
1194         (GlobalResolveInfo):
1195         * dfg/DFGByteCodeParser.cpp:
1196         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1197         * dfg/DFGCapabilities.h:
1198         (JSC::DFG::canInlineOpcode):
1199         * dfg/DFGOperations.cpp:
1200         * dfg/DFGOperations.h:
1201         * dfg/DFGSpeculativeJIT.h:
1202         (JSC::DFG::SpeculativeJIT::callOperation):
1203         * dfg/DFGSpeculativeJIT32_64.cpp:
1204         (JSC::DFG::SpeculativeJIT::compile):
1205         * dfg/DFGSpeculativeJIT64.cpp:
1206         (JSC::DFG::SpeculativeJIT::compile):
1207
1208 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1209
1210         DFG should inline 'new Array()'
1211         https://bugs.webkit.org/show_bug.cgi?id=89632
1212
1213         Reviewed by Geoffrey Garen.
1214         
1215         This adds support for treating InternalFunction like intrinsics. The code
1216         to do so is actually quite clean, so I don't feel bad about perpetuating
1217         the InternalFunction vs. JSFunction-with-NativeExecutable dichotomy.
1218         
1219         Currently this newfound power is only used to inline 'new Array()'.
1220         
1221         * dfg/DFGByteCodeParser.cpp:
1222         (ByteCodeParser):
1223         (JSC::DFG::ByteCodeParser::handleCall):
1224         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1225         (DFG):
1226         * dfg/DFGGraph.h:
1227         (JSC::DFG::Graph::isInternalFunctionConstant):
1228         (JSC::DFG::Graph::valueOfInternalFunctionConstant):
1229
1230 2012-06-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1231
1232         Adding copyrights to new files.
1233
1234         * heap/HeapTimer.cpp:
1235         * heap/HeapTimer.h:
1236         * heap/IncrementalSweeper.cpp:
1237         * heap/IncrementalSweeper.h:
1238
1239 2012-06-21  Arnaud Renevier  <arno@renevier.net>
1240
1241         make sure headers are included only once per file
1242         https://bugs.webkit.org/show_bug.cgi?id=88922
1243
1244         Reviewed by Alexey Proskuryakov.
1245
1246         * bytecode/CodeBlock.h:
1247         * heap/MachineStackMarker.cpp:
1248         * runtime/JSVariableObject.h:
1249
1250 2012-06-21  Ryuan Choi  <ryuan.choi@gmail.com>
1251
1252         [EFL][WK2] Make WebKit2/Efl headers and resources installable.
1253         https://bugs.webkit.org/show_bug.cgi?id=88207
1254
1255         Reviewed by Chang Shu.
1256
1257         * shell/CMakeLists.txt: Use ${EXEC_INSTALL_DIR} instead of hardcoding "bin"
1258
1259 2012-06-20  Geoffrey Garen  <ggaren@apple.com>
1260
1261         Reduced (but did not eliminate) use of "berzerker GC"
1262         https://bugs.webkit.org/show_bug.cgi?id=89237
1263
1264         Reviewed by Gavin Barraclough.
1265
1266         (PART 1)
1267
1268         This patch turned out to be crashy, so I'm landing the non-crashy bits
1269         first.
1270
1271         This part is pre-requisite refactoring. I didn't actually turn off
1272         "berzerker GC" or turn on incremental shrinking.
1273
1274         * heap/MarkedAllocator.cpp:
1275         (JSC::MarkedAllocator::removeBlock): Make sure to clear the free list when
1276         we throw away the block we're currently allocating out of. Otherwise, we'll
1277         allocate out of a stale free list.
1278
1279         * heap/MarkedSpace.cpp:
1280         (JSC::Free::Free):
1281         (JSC::Free::operator()):
1282         (JSC::Free::returnValue): Refactored this functor to use a shared helper
1283         function, so we can share our implementation with the incremental sweeper.
1284
1285         Also changed to freeing individual blocks immediately instead of linking
1286         them into a list for later freeing. This makes the programming interface
1287         simpler, and it's slightly more efficient to boot.
1288
1289         (JSC::MarkedSpace::~MarkedSpace): Updated for rename.
1290
1291         (JSC::MarkedSpace::freeBlock):
1292         (JSC::MarkedSpace::freeOrShrinkBlock): New helper functions to share behavior
1293         with the incremental sweeper.
1294
1295         (JSC::MarkedSpace::shrink): Updated for new functor behavior.
1296
1297         * heap/MarkedSpace.h: Statically typed languages are awesome.
1298
1299 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1300
1301         DFG should optimize ResolveGlobal
1302         https://bugs.webkit.org/show_bug.cgi?id=89617
1303
1304         Reviewed by Oliver Hunt.
1305         
1306         This adds inlining of ResolveGlobal accesses that are known monomorphic. It also
1307         adds the specific function optimization to ResolveGlobal, when it is inlined. And,
1308         it makes internal functions act like specific functions, since that will be the
1309         most common use-case of this optimization.
1310         
1311         This is only a slight speed-up (sub 1%), since we don't yet do the obvious thing
1312         with this optimization, which is to completely inline common "globally resolved"
1313         function and constructor calls, like "new Array()".
1314
1315         * CMakeLists.txt:
1316         * GNUmakefile.list.am:
1317         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1318         * JavaScriptCore.xcodeproj/project.pbxproj:
1319         * Target.pri:
1320         * bytecode/CodeBlock.cpp:
1321         (JSC::CodeBlock::globalResolveInfoForBytecodeOffset):
1322         * bytecode/CodeBlock.h:
1323         (CodeBlock):
1324         (JSC::CodeBlock::numberOfGlobalResolveInfos):
1325         * bytecode/GlobalResolveInfo.h:
1326         (JSC::getGlobalResolveInfoBytecodeOffset):
1327         (JSC):
1328         * bytecode/ResolveGlobalStatus.cpp: Added.
1329         (JSC):
1330         (JSC::computeForStructure):
1331         (JSC::computeForLLInt):
1332         (JSC::ResolveGlobalStatus::computeFor):
1333         * bytecode/ResolveGlobalStatus.h: Added.
1334         (JSC):
1335         (ResolveGlobalStatus):
1336         (JSC::ResolveGlobalStatus::ResolveGlobalStatus):
1337         (JSC::ResolveGlobalStatus::state):
1338         (JSC::ResolveGlobalStatus::isSet):
1339         (JSC::ResolveGlobalStatus::operator!):
1340         (JSC::ResolveGlobalStatus::isSimple):
1341         (JSC::ResolveGlobalStatus::takesSlowPath):
1342         (JSC::ResolveGlobalStatus::structure):
1343         (JSC::ResolveGlobalStatus::offset):
1344         (JSC::ResolveGlobalStatus::specificValue):
1345         * dfg/DFGByteCodeParser.cpp:
1346         (ByteCodeParser):
1347         (JSC::DFG::ByteCodeParser::handleGetByOffset):
1348         (DFG):
1349         (JSC::DFG::ByteCodeParser::handleGetById):
1350         (JSC::DFG::ByteCodeParser::parseBlock):
1351         * runtime/JSObject.cpp:
1352         (JSC::getCallableObjectSlow):
1353         (JSC):
1354         (JSC::JSObject::put):
1355         (JSC::JSObject::putDirectVirtual):
1356         (JSC::JSObject::putDirectAccessor):
1357         * runtime/JSObject.h:
1358         (JSC):
1359         (JSC::getCallableObject):
1360         (JSC::JSObject::putOwnDataProperty):
1361         (JSC::JSObject::putDirect):
1362         (JSC::JSObject::putDirectWithoutTransition):
1363
1364 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1365
1366         Functions on global objects should be specializable
1367         https://bugs.webkit.org/show_bug.cgi?id=89615
1368
1369         Reviewed by Oliver Hunt.
1370         
1371         I tested to see if this brought back the bug in https://bugs.webkit.org/show_bug.cgi?id=33343,
1372         and it didn't. Bug 33343 was the reason why we disabled global object function specialization
1373         to begin with. So I'm guessing this is safe.
1374
1375         * runtime/JSGlobalObject.cpp:
1376         (JSC::JSGlobalObject::init):
1377
1378 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1379
1380         build-webkit failure due to illegal 32-bit integer constants in code
1381         generated by offlineasm
1382         https://bugs.webkit.org/show_bug.cgi?id=89347
1383
1384         Reviewed by Geoffrey Garen.
1385         
1386         The offending constants are the magic numbers used by offlineasm to find
1387         offsets in the generated machine code. Added code to turn them into what
1388         the C++ compiler will believe to be valid 32-bit values.
1389
1390         * offlineasm/offsets.rb:
1391
1392 2012-06-19  Geoffrey Garen  <ggaren@apple.com>
1393
1394         Made the incremental sweeper more aggressive
1395         https://bugs.webkit.org/show_bug.cgi?id=89527
1396
1397         Reviewed by Oliver Hunt.
1398
1399         This is a pre-requisite to getting rid of "berzerker GC" because we need
1400         the sweeper to reclaim memory in a timely fashion, or we'll see a memory
1401         footprint regression.
1402
1403         * heap/IncrementalSweeper.h:
1404         * heap/IncrementalSweeper.cpp:
1405         (JSC::IncrementalSweeper::scheduleTimer): Since the time slice is predictable,
1406         no need to use a data member to record it.
1407
1408         (JSC::IncrementalSweeper::doSweep): Sweep as many blocks as we can in a
1409         small time slice. This is better than sweeping only one block per timer
1410         fire because that strategy has a heavy timer overhead, and artificially
1411         delays memory reclamation.
1412
1413 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1414
1415         DFG should be able to print disassembly interleaved with the IR
1416         https://bugs.webkit.org/show_bug.cgi?id=89551
1417
1418         Reviewed by Geoffrey Garen.
1419         
1420         This change also removes running Dominators unconditionally on every DFG
1421         compile. Dominators are designed to be computed on-demand, and currently
1422         the only demand is graph dumps.
1423
1424         * CMakeLists.txt:
1425         * GNUmakefile.list.am:
1426         * JavaScriptCore.xcodeproj/project.pbxproj:
1427         * Target.pri:
1428         * assembler/ARMv7Assembler.h:
1429         (JSC::ARMv7Assembler::labelIgnoringWatchpoints):
1430         (ARMv7Assembler):
1431         * assembler/AbstractMacroAssembler.h:
1432         (AbstractMacroAssembler):
1433         (JSC::AbstractMacroAssembler::labelIgnoringWatchpoints):
1434         * assembler/X86Assembler.h:
1435         (X86Assembler):
1436         (JSC::X86Assembler::labelIgnoringWatchpoints):
1437         * dfg/DFGCommon.h:
1438         (JSC::DFG::shouldShowDisassembly):
1439         (DFG):
1440         * dfg/DFGDisassembler.cpp: Added.
1441         (DFG):
1442         (JSC::DFG::Disassembler::Disassembler):
1443         (JSC::DFG::Disassembler::dump):
1444         (JSC::DFG::Disassembler::dumpDisassembly):
1445         * dfg/DFGDisassembler.h: Added.
1446         (DFG):
1447         (Disassembler):
1448         (JSC::DFG::Disassembler::setStartOfCode):
1449         (JSC::DFG::Disassembler::setForBlock):
1450         (JSC::DFG::Disassembler::setForNode):
1451         (JSC::DFG::Disassembler::setEndOfMainPath):
1452         (JSC::DFG::Disassembler::setEndOfCode):
1453         * dfg/DFGDriver.cpp:
1454         (JSC::DFG::compile):
1455         * dfg/DFGGraph.cpp:
1456         (JSC::DFG::Graph::dumpCodeOrigin):
1457         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
1458         (DFG):
1459         (JSC::DFG::Graph::printNodeWhiteSpace):
1460         (JSC::DFG::Graph::dump):
1461         (JSC::DFG::Graph::dumpBlockHeader):
1462         * dfg/DFGGraph.h:
1463         * dfg/DFGJITCompiler.cpp:
1464         (JSC::DFG::JITCompiler::JITCompiler):
1465         (DFG):
1466         (JSC::DFG::JITCompiler::compile):
1467         (JSC::DFG::JITCompiler::compileFunction):
1468         * dfg/DFGJITCompiler.h:
1469         (JITCompiler):
1470         (JSC::DFG::JITCompiler::setStartOfCode):
1471         (JSC::DFG::JITCompiler::setForBlock):
1472         (JSC::DFG::JITCompiler::setForNode):
1473         (JSC::DFG::JITCompiler::setEndOfMainPath):
1474         (JSC::DFG::JITCompiler::setEndOfCode):
1475         * dfg/DFGNode.h:
1476         (Node):
1477         (JSC::DFG::Node::willHaveCodeGen):
1478         * dfg/DFGNodeFlags.cpp:
1479         (JSC::DFG::nodeFlagsAsString):
1480         * dfg/DFGSpeculativeJIT.cpp:
1481         (JSC::DFG::SpeculativeJIT::compile):
1482         * dfg/DFGSpeculativeJIT.h:
1483         (SpeculativeJIT):
1484         * runtime/Options.cpp:
1485         (Options):
1486         (JSC::Options::initializeOptions):
1487         * runtime/Options.h:
1488         (Options):
1489
1490 2012-06-19  Filip Pizlo  <fpizlo@apple.com>
1491
1492         JSC should be able to show disassembly for all generated JIT code
1493         https://bugs.webkit.org/show_bug.cgi?id=89536
1494
1495         Reviewed by Gavin Barraclough.
1496         
1497         Now instead of doing linkBuffer.finalizeCode(), you do
1498         FINALIZE_CODE(linkBuffer, (... explanation ...)). FINALIZE_CODE() then
1499         prints your explanation and the disassembled code, if
1500         Options::showDisassembly is set to true.
1501
1502         * CMakeLists.txt:
1503         * GNUmakefile.list.am:
1504         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1505         * JavaScriptCore.xcodeproj/project.pbxproj:
1506         * Target.pri:
1507         * assembler/LinkBuffer.cpp: Added.
1508         (JSC):
1509         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1510         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1511         (JSC::LinkBuffer::linkCode):
1512         (JSC::LinkBuffer::performFinalization):
1513         (JSC::LinkBuffer::dumpLinkStatistics):
1514         (JSC::LinkBuffer::dumpCode):
1515         * assembler/LinkBuffer.h:
1516         (LinkBuffer):
1517         (JSC):
1518         * assembler/MacroAssemblerCodeRef.h:
1519         (JSC::MacroAssemblerCodeRef::tryToDisassemble):
1520         (MacroAssemblerCodeRef):
1521         * dfg/DFGJITCompiler.cpp:
1522         (JSC::DFG::JITCompiler::compile):
1523         (JSC::DFG::JITCompiler::compileFunction):
1524         * dfg/DFGOSRExitCompiler.cpp:
1525         * dfg/DFGRepatch.cpp:
1526         (JSC::DFG::generateProtoChainAccessStub):
1527         (JSC::DFG::tryCacheGetByID):
1528         (JSC::DFG::tryBuildGetByIDList):
1529         (JSC::DFG::emitPutReplaceStub):
1530         (JSC::DFG::emitPutTransitionStub):
1531         * dfg/DFGThunks.cpp:
1532         (JSC::DFG::osrExitGenerationThunkGenerator):
1533         * disassembler/Disassembler.h:
1534         (JSC):
1535         (JSC::tryToDisassemble):
1536         * disassembler/UDis86Disassembler.cpp:
1537         (JSC::tryToDisassemble):
1538         * jit/JIT.cpp:
1539         (JSC::JIT::privateCompile):
1540         * jit/JITCode.h:
1541         (JSC::JITCode::tryToDisassemble):
1542         * jit/JITOpcodes.cpp:
1543         (JSC::JIT::privateCompileCTIMachineTrampolines):
1544         * jit/JITOpcodes32_64.cpp:
1545         (JSC::JIT::privateCompileCTIMachineTrampolines):
1546         (JSC::JIT::privateCompileCTINativeCall):
1547         * jit/JITPropertyAccess.cpp:
1548         (JSC::JIT::stringGetByValStubGenerator):
1549         (JSC::JIT::privateCompilePutByIdTransition):
1550         (JSC::JIT::privateCompilePatchGetArrayLength):
1551         (JSC::JIT::privateCompileGetByIdProto):
1552         (JSC::JIT::privateCompileGetByIdSelfList):
1553         (JSC::JIT::privateCompileGetByIdProtoList):
1554         (JSC::JIT::privateCompileGetByIdChainList):
1555         (JSC::JIT::privateCompileGetByIdChain):
1556         * jit/JITPropertyAccess32_64.cpp:
1557         (JSC::JIT::stringGetByValStubGenerator):
1558         (JSC::JIT::privateCompilePutByIdTransition):
1559         (JSC::JIT::privateCompilePatchGetArrayLength):
1560         (JSC::JIT::privateCompileGetByIdProto):
1561         (JSC::JIT::privateCompileGetByIdSelfList):
1562         (JSC::JIT::privateCompileGetByIdProtoList):
1563         (JSC::JIT::privateCompileGetByIdChainList):
1564         (JSC::JIT::privateCompileGetByIdChain):
1565         * jit/SpecializedThunkJIT.h:
1566         (JSC::SpecializedThunkJIT::finalize):
1567         * jit/ThunkGenerators.cpp:
1568         (JSC::charCodeAtThunkGenerator):
1569         (JSC::charAtThunkGenerator):
1570         (JSC::fromCharCodeThunkGenerator):
1571         (JSC::sqrtThunkGenerator):
1572         (JSC::floorThunkGenerator):
1573         (JSC::ceilThunkGenerator):
1574         (JSC::roundThunkGenerator):
1575         (JSC::expThunkGenerator):
1576         (JSC::logThunkGenerator):
1577         (JSC::absThunkGenerator):
1578         (JSC::powThunkGenerator):
1579         * llint/LLIntThunks.cpp:
1580         (JSC::LLInt::generateThunkWithJumpTo):
1581         (JSC::LLInt::functionForCallEntryThunkGenerator):
1582         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1583         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1584         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1585         (JSC::LLInt::evalEntryThunkGenerator):
1586         (JSC::LLInt::programEntryThunkGenerator):
1587         * runtime/Options.cpp:
1588         (Options):
1589         (JSC::Options::initializeOptions):
1590         * runtime/Options.h:
1591         (Options):
1592         * yarr/YarrJIT.cpp:
1593         (JSC::Yarr::YarrGenerator::compile):
1594
1595 2012-06-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1596
1597         [Qt][Mac] REGRESSION(r120742): It broke the build
1598         https://bugs.webkit.org/show_bug.cgi?id=89516
1599
1600         Reviewed by Geoffrey Garen.
1601
1602         Removing GCActivityCallbackCF.cpp because it doesn't mesh well with cross-platform 
1603         code on Darwin (e.g. Qt). We now use plain ol' vanilla ifdefs to handle platforms 
1604         without CF support. These if-defs will probably disappear in the future when we 
1605         use cross-platform timers in HeapTimer.
1606
1607         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1608         * JavaScriptCore.xcodeproj/project.pbxproj:
1609         * runtime/GCActivityCallback.cpp:
1610         (JSC):
1611         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
1612         (JSC::DefaultGCActivityCallback::doWork):
1613         (JSC::DefaultGCActivityCallback::scheduleTimer):
1614         (JSC::DefaultGCActivityCallback::cancelTimer):
1615         (JSC::DefaultGCActivityCallback::didAllocate):
1616         (JSC::DefaultGCActivityCallback::willCollect):
1617         (JSC::DefaultGCActivityCallback::cancel):
1618         * runtime/GCActivityCallbackCF.cpp: Removed.
1619
1620 2012-06-19  Filip Pizlo  <fpizlo@apple.com>
1621
1622         DFG CFA forgets to notify subsequent phases of found constants if it proves LogicalNot to be a constant
1623         https://bugs.webkit.org/show_bug.cgi?id=89511
1624         <rdar://problem/11700089>
1625
1626         Reviewed by Geoffrey Garen.
1627
1628         * dfg/DFGAbstractState.cpp:
1629         (JSC::DFG::AbstractState::execute):
1630
1631 2012-06-19  Mark Lam  <mark.lam@apple.com>
1632
1633         CodeBlock::needsCallReturnIndices() is no longer needed.
1634         https://bugs.webkit.org/show_bug.cgi?id=89490
1635
1636         Reviewed by Geoffrey Garen.
1637
1638         * bytecode/CodeBlock.h:
1639         (JSC::CodeBlock::needsCallReturnIndices): removed.
1640         * dfg/DFGJITCompiler.cpp:
1641         (JSC::DFG::JITCompiler::link):
1642         * jit/JIT.cpp:
1643         (JSC::JIT::privateCompile):
1644
1645 2012-06-19  Filip Pizlo  <fpizlo@apple.com>
1646
1647         Unreviewed, try to fix Windows build.
1648
1649         * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
1650
1651 2012-06-17  Filip Pizlo  <fpizlo@apple.com>
1652
1653         It should be possible to look at disassembly
1654         https://bugs.webkit.org/show_bug.cgi?id=89319
1655
1656         Reviewed by Sam Weinig.
1657         
1658         This imports the udis86 disassembler library. The library is placed
1659         behind an abstraction in disassembler/Disassembler.h, so that we can
1660         in the future use other disassemblers (for other platforms) whenever
1661         appropriate. As a first step, the disassembler is being invoked for
1662         DFG verbose dumps.
1663         
1664         If we ever want to merge a new version of udis86 in the future, I've
1665         made notes about changes I made to the library in
1666         disassembler/udis86/differences.txt.
1667
1668         * CMakeLists.txt:
1669         * DerivedSources.make:
1670         * GNUmakefile.list.am:
1671         * JavaScriptCore.pri:
1672         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1673         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
1674         * JavaScriptCore.xcodeproj/project.pbxproj:
1675         * dfg/DFGJITCompiler.cpp:
1676         (JSC::DFG::JITCompiler::compile):
1677         (JSC::DFG::JITCompiler::compileFunction):
1678         * disassembler: Added.
1679         * disassembler/Disassembler.h: Added.
1680         (JSC):
1681         (JSC::tryToDisassemble):
1682         * disassembler/UDis86Disassembler.cpp: Added.
1683         (JSC):
1684         (JSC::tryToDisassemble):
1685         * disassembler/udis86: Added.
1686         * disassembler/udis86/differences.txt: Added.
1687         * disassembler/udis86/itab.py: Added.
1688         (UdItabGenerator):
1689         (UdItabGenerator.__init__):
1690         (UdItabGenerator.toGroupId):
1691         (UdItabGenerator.genLookupTable):
1692         (UdItabGenerator.genLookupTableList):
1693         (UdItabGenerator.genInsnTable):
1694         (genItabH):
1695         (genItabH.UD_ITAB_H):
1696         (genItabC):
1697         (genItab):
1698         (main):
1699         * disassembler/udis86/optable.xml: Added.
1700         * disassembler/udis86/ud_opcode.py: Added.
1701         (UdOpcodeTables):
1702         (UdOpcodeTables.sizeOfTable):
1703         (UdOpcodeTables.nameOfTable):
1704         (UdOpcodeTables.updateTable):
1705         (UdOpcodeTables.Insn):
1706         (UdOpcodeTables.Insn.__init__):
1707         (UdOpcodeTables.Insn.__init__.opcode):
1708         (UdOpcodeTables.parse):
1709         (UdOpcodeTables.addInsnDef):
1710         (UdOpcodeTables.print_table):
1711         (UdOpcodeTables.print_tree):
1712         * disassembler/udis86/ud_optable.py: Added.
1713         (UdOptableXmlParser):
1714         (UdOptableXmlParser.parseDef):
1715         (UdOptableXmlParser.parse):
1716         (printFn):
1717         (parse):
1718         (main):
1719         * disassembler/udis86/udis86.c: Added.
1720         (ud_init):
1721         (ud_disassemble):
1722         (ud_set_mode):
1723         (ud_set_vendor):
1724         (ud_set_pc):
1725         (ud):
1726         (ud_insn_asm):
1727         (ud_insn_off):
1728         (ud_insn_hex):
1729         (ud_insn_ptr):
1730         (ud_insn_len):
1731         * disassembler/udis86/udis86.h: Added.
1732         * disassembler/udis86/udis86_decode.c: Added.
1733         (eff_adr_mode):
1734         (ud_lookup_mnemonic):
1735         (decode_prefixes):
1736         (modrm):
1737         (resolve_operand_size):
1738         (resolve_mnemonic):
1739         (decode_a):
1740         (decode_gpr):
1741         (resolve_gpr64):
1742         (resolve_gpr32):
1743         (resolve_reg):
1744         (decode_imm):
1745         (decode_modrm_reg):
1746         (decode_modrm_rm):
1747         (decode_o):
1748         (decode_operand):
1749         (decode_operands):
1750         (clear_insn):
1751         (resolve_mode):
1752         (gen_hex):
1753         (decode_insn):
1754         (decode_3dnow):
1755         (decode_ssepfx):
1756         (decode_ext):
1757         (decode_opcode):
1758         (ud_decode):
1759         * disassembler/udis86/udis86_decode.h: Added.
1760         (ud_itab_entry_operand):
1761         (ud_itab_entry):
1762         (ud_lookup_table_list_entry):
1763         (sse_pfx_idx):
1764         (mode_idx):
1765         (modrm_mod_idx):
1766         (vendor_idx):
1767         (is_group_ptr):
1768         (group_idx):
1769         * disassembler/udis86/udis86_extern.h: Added.
1770         * disassembler/udis86/udis86_input.c: Added.
1771         (inp_buff_hook):
1772         (inp_file_hook):
1773         (ud):
1774         (ud_set_user_opaque_data):
1775         (ud_get_user_opaque_data):
1776         (ud_set_input_buffer):
1777         (ud_set_input_file):
1778         (ud_input_skip):
1779         (ud_input_end):
1780         (ud_inp_next):
1781         (ud_inp_back):
1782         (ud_inp_peek):
1783         (ud_inp_move):
1784         (ud_inp_uint8):
1785         (ud_inp_uint16):
1786         (ud_inp_uint32):
1787         (ud_inp_uint64):
1788         * disassembler/udis86/udis86_input.h: Added.
1789         * disassembler/udis86/udis86_itab_holder.c: Added.
1790         * disassembler/udis86/udis86_syn-att.c: Added.
1791         (opr_cast):
1792         (gen_operand):
1793         (ud_translate_att):
1794         * disassembler/udis86/udis86_syn-intel.c: Added.
1795         (opr_cast):
1796         (gen_operand):
1797         (ud_translate_intel):
1798         * disassembler/udis86/udis86_syn.c: Added.
1799         * disassembler/udis86/udis86_syn.h: Added.
1800         (mkasm):
1801         * disassembler/udis86/udis86_types.h: Added.
1802         (ud_operand):
1803         (ud):
1804         * jit/JITCode.h:
1805         (JITCode):
1806         (JSC::JITCode::tryToDisassemble):
1807
1808 2012-06-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1809
1810         GCActivityCallback and IncrementalSweeper should share code
1811         https://bugs.webkit.org/show_bug.cgi?id=89400
1812
1813         Reviewed by Geoffrey Garen.
1814
1815         A lot of functionality is duplicated between GCActivityCallback and IncrementalSweeper. 
1816         We should extract the common functionality out into a separate class that both of them 
1817         can inherit from. This refactoring will be an even greater boon when we add the ability 
1818         to shut these two agents down in a thread-safe fashion.
1819
1820         * CMakeLists.txt:
1821         * GNUmakefile.list.am:
1822         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1823         * JavaScriptCore.xcodeproj/project.pbxproj:
1824         * Target.pri:
1825         * heap/Heap.cpp:
1826         (JSC::Heap::Heap): Move initialization down so that the JSGlobalData has a valid Heap when 
1827         we're initializing the GCActivityCallback and the IncrementalSweeper.
1828         * heap/Heap.h:
1829         (Heap):
1830         * heap/HeapTimer.cpp: Added.
1831         (JSC):
1832         (JSC::HeapTimer::HeapTimer): Initialize the various base class data that
1833         DefaultGCActivityCallback::commonConstructor() used to do.
1834         (JSC::HeapTimer::~HeapTimer): Call to invalidate().
1835         (JSC::HeapTimer::synchronize): Same functionality as the old DefaultGCActivityCallback::synchronize().
1836         Virtual so that non-CF subclasses can override.
1837         (JSC::HeapTimer::invalidate): Tears down the runloop timer to prevent any future firing.
1838         (JSC::HeapTimer::timerDidFire): Callback to pass to the timer function. Casts and calls the virtual doWork().
1839         * heap/HeapTimer.h: Added. This is the class that serves as the common base class for 
1840         both GCActivityCallback and IncrementalSweeper. It handles setting up and tearing down run loops and synchronizing 
1841         across threads for its subclasses. 
1842         (JSC):
1843         (HeapTimer):
1844         * heap/IncrementalSweeper.cpp: Changes to accommodate the extraction of common functionality 
1845         between IncrementalSweeper and GCActivityCallback into a common ancestor.
1846         (JSC):
1847         (JSC::IncrementalSweeper::doWork): 
1848         (JSC::IncrementalSweeper::IncrementalSweeper):
1849         (JSC::IncrementalSweeper::cancelTimer):
1850         (JSC::IncrementalSweeper::create):
1851         * heap/IncrementalSweeper.h:
1852         (IncrementalSweeper):
1853         * runtime/GCActivityCallback.cpp:
1854         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
1855         (JSC::DefaultGCActivityCallback::doWork):
1856         * runtime/GCActivityCallback.h:
1857         (GCActivityCallback):
1858         (JSC::GCActivityCallback::willCollect):
1859         (JSC::GCActivityCallback::GCActivityCallback):
1860         (JSC):
1861         (DefaultGCActivityCallback): Remove the platform data struct. The platform data should be kept in 
1862         the class itself so as to be accessible by doWork(). Most of the platform data for CF is kept in 
1863         HeapTimer anyways, so we only need the m_delay field now.
1864         * runtime/GCActivityCallbackBlackBerry.cpp:
1865         (JSC):
1866         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
1867         (JSC::DefaultGCActivityCallback::doWork):
1868         (JSC::DefaultGCActivityCallback::didAllocate):
1869         * runtime/GCActivityCallbackCF.cpp:
1870         (JSC):
1871         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
1872         (JSC::DefaultGCActivityCallback::doWork):
1873         (JSC::DefaultGCActivityCallback::scheduleTimer):
1874         (JSC::DefaultGCActivityCallback::cancelTimer):
1875         (JSC::DefaultGCActivityCallback::didAllocate):
1876         (JSC::DefaultGCActivityCallback::willCollect):
1877         (JSC::DefaultGCActivityCallback::cancel):
1878
1880 2012-06-19  Mike West  <mkwst@chromium.org>
1881
1882         Introduce ENABLE_CSP_NEXT configuration flag.
1883         https://bugs.webkit.org/show_bug.cgi?id=89300
1884
1885         Reviewed by Adam Barth.
1886
1887         The 1.0 draft of the Content Security Policy spec is just about to
1888         move to Last Call. We'll hide work on the upcoming 1.1 spec behind
1889         this ENABLE flag, disabled by default.
1890
1891         Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
1892
1893         * Configurations/FeatureDefines.xcconfig:
1894
1895 2012-06-18  Mark Lam  <mark.lam@apple.com>
1896
1897         Changed JSC to always record line number information so that error.stack
1898         and window.onerror() can report proper line numbers.
1899         https://bugs.webkit.org/show_bug.cgi?id=89410
1900
1901         Reviewed by Geoffrey Garen.
1902
1903         * bytecode/CodeBlock.cpp:
1904         (JSC::CodeBlock::CodeBlock):
1905         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1906         (JSC::CodeBlock::shrinkToFit): m_lineInfo is now available unconditionally.
1907
1908         * bytecode/CodeBlock.h:
1909         (JSC::CodeBlock::addLineInfo):
1910         (JSC::CodeBlock::hasLineInfo): Unused.  Now removed.
1911         (JSC::CodeBlock::needsCallReturnIndices):
1912         (CodeBlock):
1913         (RareData):  Hoisted m_lineInfo out of m_rareData.  m_lineInfo is now
1914         filled in unconditionally.
1915
1916         * bytecompiler/BytecodeGenerator.h:
1917         (JSC::BytecodeGenerator::addLineInfo):
1918
1919 2012-06-18  Andy Estes  <aestes@apple.com>
1920
1921         Fix r120663, which didn't land the change that was reviewed.
1922
1923 2012-06-18  Andy Estes  <aestes@apple.com>
1924
1925         [JSC] In JSGlobalData.cpp, enableAssembler() sometimes leaks two CF objects
1926         https://bugs.webkit.org/show_bug.cgi?id=89415
1927
1928         Reviewed by Sam Weinig.
1929
1930         In the case where canUseJIT was a non-NULL CFBooleanRef,
1931         enableAssembler() would leak both canUseJITKey and canUseJIT by
1932         returning before calling CFRelease. Fix this by using RetainPtr.
1933
1934         * runtime/JSGlobalData.cpp:
1935         (JSC::enableAssembler):
1936
1937 2012-06-17  Geoffrey Garen  <ggaren@apple.com>
1938
1939         GC copy phase spends needless cycles zero-filling blocks
1940         https://bugs.webkit.org/show_bug.cgi?id=89128
1941
1942         Reviewed by Gavin Barraclough.
1943
1944         We only need to zero-fill when we're allocating memory that might not
1945         get fully initialized before GC.
1946
1947         * heap/CopiedBlock.h:
1948         (JSC::CopiedBlock::createNoZeroFill):
1949         (JSC::CopiedBlock::create): Added a way to create without zero-filling.
1950         This is our optimization.
1951
1952         (JSC::CopiedBlock::zeroFillToEnd):
1953         (JSC::CopiedBlock::CopiedBlock): Split zero-filling out from creation,
1954         so we can sometimes create without zero-filling.
1955
1956         * heap/CopiedSpace.cpp:
1957         (JSC::CopiedSpace::init):
1958         (JSC::CopiedSpace::tryAllocateSlowCase):
1959         (JSC::CopiedSpace::doneCopying): Renamed addNewBlock to allocateBlock()
1960         to clarify that the new block is always newly-allocated.
1961
1962         (JSC::CopiedSpace::doneFillingBlock): Make sure to zero-fill to the end
1963         of a block that might be used in the future for allocation. (Most of the
1964         time, this is a no-op, since we've already filled the block completely.)
1965
1966         (JSC::CopiedSpace::getFreshBlock): Removed this function because the
1967         abstraction of "allocation must succeed" is no longer useful.
1968
1969         * heap/CopiedSpace.h: Updated declarations to match.
1970
1971         * heap/CopiedSpaceInlineMethods.h:
1972         (JSC::CopiedSpace::allocateBlockForCopyingPhase): New function, which
1973         knows that it can skip zero-filling.
1974
1975         Added tighter scoping to our lock, to improve parallelism.
1976
1977         (JSC::CopiedSpace::allocateBlock): Folded getFreshBlock functionality
1978         into this function, for simplicity.
1979
1980         * heap/MarkStack.cpp:
1981         (JSC::SlotVisitor::startCopying):
1982         (JSC::SlotVisitor::allocateNewSpace): Use our new zero-fill-free helper
1983         function for great good.
1984
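The rule behind the entry above is that a copied block only needs zero-filling where the collector might later scan bytes nobody wrote: blocks filled during the copying phase are written end to end, and a block that is left partially filled gets its tail zeroed once filling is done. The C++ below is an illustration added here, not JavaScriptCore's CopiedBlock; the class layout, the 64-byte capacity, the 0xCD poison pattern and the helper names are simplified assumptions chosen to make a skipped zero-fill observable.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>

// Simplified model (not JSC's CopiedBlock) of a bump-allocated block whose
// unused tail may be scanned by the collector and therefore must read as zero.
class CopiedBlock {
public:
    static constexpr size_t kCapacity = 64;

    // Zero-fills the whole payload: safe to hand out for arbitrary
    // allocation, but costs a memset for every block.
    static std::unique_ptr<CopiedBlock> create() {
        auto block = createNoZeroFill();
        block->zeroFillToEnd();
        return block;
    }

    // Skips the memset. Only safe for the copying phase, where the caller
    // guarantees every byte up to the final offset is written.
    static std::unique_ptr<CopiedBlock> createNoZeroFill() {
        return std::unique_ptr<CopiedBlock>(new CopiedBlock());
    }

    void* allocate(size_t bytes) {
        if (bytes > kCapacity - m_offset)
            return nullptr;
        void* result = m_payload + m_offset;
        m_offset += bytes;
        return result;
    }

    // Called when a block stops being the allocation target but may be
    // appended to later: make the never-written tail deterministic.
    void zeroFillToEnd() {
        std::memset(m_payload + m_offset, 0, kCapacity - m_offset);
    }

    size_t offset() const { return m_offset; }

    bool tailIsZero() const {
        return std::all_of(m_payload + m_offset, m_payload + kCapacity,
                           [](uint8_t b) { return b == 0; });
    }

private:
    // Poison the fresh buffer so a skipped zero-fill is observable.
    CopiedBlock() { std::memset(m_payload, 0xCD, kCapacity); }

    uint8_t m_payload[kCapacity];
    size_t m_offset = 0;
};

// Copying phase: every slot handed out is written by the copy, and the
// block is filled completely, so no zeroing is needed.
bool copyingPhaseLeavesNoUninitializedBytes() {
    auto block = CopiedBlock::createNoZeroFill();
    for (size_t i = 0; i < CopiedBlock::kCapacity / 8; ++i) {
        void* slot = block->allocate(8);
        std::memset(slot, 0xAB, 8);         // the copy of a live object
    }
    return block->allocate(1) == nullptr;   // full: nothing left unwritten
}

// Partial fill: without zeroFillToEnd() the tail is poison; with it, zero.
bool partialFillTailIsZero(bool callZeroFill) {
    auto block = CopiedBlock::createNoZeroFill();
    std::memset(block->allocate(24), 0xAB, 24);
    if (callZeroFill)
        block->zeroFillToEnd();
    return block->tailIsZero();
}
```

The point of the poison byte is that a missing zero-fill is a silent bug: the collector would read whatever the allocator left in the tail, so the check belongs at the moment a partially filled block is retired, not at creation.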
1985 2012-06-17  Filip Pizlo  <fpizlo@apple.com>
1986
1987         DFG should attempt to use structure watchpoints for all inlined get_by_id's and put_by_id's
1988         https://bugs.webkit.org/show_bug.cgi?id=89316
1989
1990         Reviewed by Oliver Hunt.
1991
1992         * dfg/DFGByteCodeParser.cpp:
1993         (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
1994         (ByteCodeParser):
1995         (JSC::DFG::ByteCodeParser::handleGetById):
1996         (JSC::DFG::ByteCodeParser::parseBlock):
1997
1998 2012-06-15  Yong Li  <yoli@rim.com>
1999
2000         [BlackBerry] Put platform-specific GC policy in GCActivityCallback
2001         https://bugs.webkit.org/show_bug.cgi?id=89236
2002
2003         Reviewed by Rob Buis.
2004
2005         Add GCActivityCallbackBlackBerry.cpp and implement platform-specific
2006         low memory GC policy there.
2007
2008         * PlatformBlackBerry.cmake:
2009         * heap/Heap.h:
2010         (JSC::Heap::isSafeToCollect): Added.
2011         * runtime/GCActivityCallbackBlackBerry.cpp: Added.
2012         (JSC):
2013         (JSC::DefaultGCActivityCallbackPlatformData::DefaultGCActivityCallbackPlatformData):
2014         (DefaultGCActivityCallbackPlatformData):
2015         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
2016         (JSC::DefaultGCActivityCallback::~DefaultGCActivityCallback):
2017         (JSC::DefaultGCActivityCallback::didAllocate):
2018         (JSC::DefaultGCActivityCallback::willCollect):
2019         (JSC::DefaultGCActivityCallback::synchronize):
2020         (JSC::DefaultGCActivityCallback::cancel):
2021
2022 2012-06-15  Filip Pizlo  <fpizlo@apple.com>
2023
2024         DFG should be able to set watchpoints on structure transitions in the
2025         method check prototype chain
2026         https://bugs.webkit.org/show_bug.cgi?id=89058
2027
2028         Adding the same assertion to 32-bit that I added to 64-bit. This change
2029         does not affect correctness but it's a good thing for assertion coverage.
2030
2031         * dfg/DFGSpeculativeJIT32_64.cpp:
2032         (JSC::DFG::SpeculativeJIT::compile):
2033
2034 2012-06-13  Filip Pizlo  <fpizlo@apple.com>
2035
2036         DFG should be able to set watchpoints on structure transitions in the
2037         method check prototype chain
2038         https://bugs.webkit.org/show_bug.cgi?id=89058
2039
2040         Reviewed by Gavin Barraclough.
2041         
2042         This adds the ability to set watchpoints on Structures, and then does
2043         the most modest thing we can do with this ability: the DFG now sets
2044         watchpoints on structure transitions in the prototype chain of method
2045         checks.
2046         
2047         This appears to be a >1% speed-up on V8.
2048
2049         * bytecode/PutByIdStatus.cpp:
2050         (JSC::PutByIdStatus::computeFromLLInt):
2051         (JSC::PutByIdStatus::computeFor):
2052         * bytecode/StructureSet.h:
2053         (JSC::StructureSet::containsOnly):
2054         (StructureSet):
2055         * bytecode/Watchpoint.cpp:
2056         (JSC::WatchpointSet::WatchpointSet):
2057         (JSC::InlineWatchpointSet::add):
2058         (JSC):
2059         (JSC::InlineWatchpointSet::inflateSlow):
2060         (JSC::InlineWatchpointSet::freeFat):
2061         * bytecode/Watchpoint.h:
2062         (WatchpointSet):
2063         (JSC):
2064         (InlineWatchpointSet):
2065         (JSC::InlineWatchpointSet::InlineWatchpointSet):
2066         (JSC::InlineWatchpointSet::~InlineWatchpointSet):
2067         (JSC::InlineWatchpointSet::hasBeenInvalidated):
2068         (JSC::InlineWatchpointSet::isStillValid):
2069         (JSC::InlineWatchpointSet::startWatching):
2070         (JSC::InlineWatchpointSet::notifyWrite):
2071         (JSC::InlineWatchpointSet::isFat):
2072         (JSC::InlineWatchpointSet::fat):
2073         (JSC::InlineWatchpointSet::inflate):
2074         * dfg/DFGAbstractState.cpp:
2075         (JSC::DFG::AbstractState::execute):
2076         * dfg/DFGByteCodeParser.cpp:
2077         (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
2078         (ByteCodeParser):
2079         (JSC::DFG::ByteCodeParser::parseBlock):
2080         * dfg/DFGCSEPhase.cpp:
2081         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2082         (CSEPhase):
2083         (JSC::DFG::CSEPhase::performNodeCSE):
2084         * dfg/DFGCommon.h:
2085         * dfg/DFGGraph.cpp:
2086         (JSC::DFG::Graph::dump):
2087         * dfg/DFGGraph.h:
2088         (JSC::DFG::Graph::isCellConstant):
2089         * dfg/DFGJITCompiler.h:
2090         (JSC::DFG::JITCompiler::addWeakReferences):
2091         (JITCompiler):
2092         * dfg/DFGNode.h:
2093         (JSC::DFG::Node::hasStructure):
2094         (Node):
2095         (JSC::DFG::Node::structure):
2096         * dfg/DFGNodeType.h:
2097         (DFG):
2098         * dfg/DFGPredictionPropagationPhase.cpp:
2099         (JSC::DFG::PredictionPropagationPhase::propagate):
2100         * dfg/DFGRepatch.cpp:
2101         (JSC::DFG::emitPutTransitionStub):
2102         * dfg/DFGSpeculativeJIT64.cpp:
2103         (JSC::DFG::SpeculativeJIT::compile):
2104         * jit/JITStubs.cpp:
2105         (JSC::JITThunks::tryCachePutByID):
2106         * llint/LLIntSlowPaths.cpp:
2107         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2108         * runtime/Structure.cpp:
2109         (JSC::Structure::Structure):
2110         * runtime/Structure.h:
2111         (JSC::Structure::transitionWatchpointSetHasBeenInvalidated):
2112         (Structure):
2113         (JSC::Structure::transitionWatchpointSetIsStillValid):
2114         (JSC::Structure::addTransitionWatchpoint):
2115         (JSC::Structure::notifyTransitionFromThisStructure):
2116         (JSC::JSCell::setStructure):
2117         * runtime/SymbolTable.cpp:
2118         (JSC::SymbolTableEntry::attemptToWatch):
2119
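The structure-transition watchpoints in the entry above depend on one invariant: a watchpoint set fires at most once, and after it has fired it never becomes valid again, so optimized code can only be emitted against a fact that has not yet been contradicted. The following C++ is a model added here for illustration, not JavaScriptCore's Watchpoint.h; the three-state enum, the std::function watchpoints and the Structure stand-in are simplified assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <utility>
#include <vector>

// Simplified model (not JSC's implementation) of a watchpoint set that
// guards a speculation such as "this Structure never transitions".
class WatchpointSet {
public:
    enum class State : uint8_t { ClearWatchpoint, IsWatched, IsInvalidated };

    // A watchpoint is whatever must happen if the guarded fact becomes false
    // (in a JIT: planting a jump to an OSR exit over the watchpoint label).
    using Watchpoint = std::function<void()>;

    bool isStillValid() const { return m_state != State::IsInvalidated; }
    bool hasBeenInvalidated() const { return !isStillValid(); }
    bool isBeingWatched() const { return m_state == State::IsWatched; }
    size_t watchpointCount() const { return m_watchpoints.size(); }

    // Returns false if the set has already fired: a set never re-arms,
    // which is the monotonicity that compiled code relies on.
    bool startWatching() {
        if (hasBeenInvalidated())
            return false;
        m_state = State::IsWatched;
        return true;
    }

    bool add(Watchpoint w) {
        if (!startWatching())
            return false;
        m_watchpoints.push_back(std::move(w));
        return true;
    }

    // Called on every write/transition. With nobody watching this is a
    // single byte compare, which keeps the write check cheap.
    void notifyWrite() {
        if (m_state != State::IsWatched)
            return;
        fireAll();
    }

private:
    void fireAll() {
        m_state = State::IsInvalidated;
        std::vector<Watchpoint> fired = std::move(m_watchpoints);
        m_watchpoints.clear();
        for (auto& w : fired)
            w();
    }

    State m_state = State::ClearWatchpoint;
    std::vector<Watchpoint> m_watchpoints;
};

// Stand-in for Structure: a transition away from it notifies the set.
struct Structure {
    WatchpointSet transitionWatchpoints;
    int propertyCount = 0;

    void addPropertyTransition() {
        ++propertyCount;
        transitionWatchpoints.notifyWrite();
    }
};

// Scenario: two compiled code blocks speculate on a structure, the structure
// transitions, and a later compile must not be able to re-use the set.
// Returns {number of OSR exits forced, whether re-watching succeeded}.
std::pair<int, bool> speculateThenTransition() {
    Structure s;
    int osrExits = 0;
    s.transitionWatchpoints.add([&] { ++osrExits; });
    s.transitionWatchpoints.add([&] { ++osrExits; });
    s.addPropertyTransition();              // fires both watchpoints once
    s.addPropertyTransition();              // already invalidated: no-op
    bool rearmed = s.transitionWatchpoints.startWatching();
    return {osrExits, rearmed};
}
```

A write to a set nobody is watching does not invalidate it in this model, matching the cheap fast path the entry describes; what must never happen is a successful startWatching() after a fire, since code compiled against that set would run on a contradicted assumption.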
2120 2012-06-13  Filip Pizlo  <fpizlo@apple.com>
2121
2122         DFG should be able to set watchpoints on global variables
2123         https://bugs.webkit.org/show_bug.cgi?id=88692
2124
2125         Reviewed by Geoffrey Garen.
2126         
2127         Rolling back in after fixing Windows build issues, and implementing
2128         branchTest8 for the Qt port's strange assemblers.
2129         
2130         This implements global variable constant folding by allowing the optimizing
2131         compiler to set a "watchpoint" on globals that it wishes to constant fold.
2132         If the watchpoint fires, then an OSR exit is forced by overwriting the
2133         machine code that the optimizing compiler generated with a jump.
2134         
2135         As such, this patch is adding quite a bit of stuff:
2136         
2137         - Jump replacement on those hardware targets supported by the optimizing
2138           JIT. It is now possible to patch in a jump instruction over any recorded
2139           watchpoint label. The jump must be "local" in the sense that it must be
2140           within the range of the largest jump distance supported by a one
2141           instruction jump.
2142           
2143         - WatchpointSets and Watchpoints. A Watchpoint is a doubly-linked list node
2144           that records the location where a jump must be inserted and the
2145           destination to which it should jump. Watchpoints can be added to a
2146           WatchpointSet. The WatchpointSet can be fired all at once, which plants
2147           all jumps. WatchpointSet also remembers if it had ever been invalidated,
2148           which allows for monotonicity: we typically don't want to optimize using
2149           watchpoints on something for which watchpoints had previously fired. The
2150           act of notifying a WatchpointSet has a trivial fast path in case no
2151           Watchpoints are registered (one-byte load+branch).
2152         
2153         - SpeculativeJIT::speculationWatchpoint(). It's like speculationCheck(),
2154           except that you don't have to emit branches. But, you need to know what
2155           WatchpointSet to add the resulting Watchpoint to. Not everything that
2156           you could write a speculationCheck() for will have a WatchpointSet that
2157           would get notified if the condition you were speculating against became
2158           invalid.
2159           
2160         - SymbolTableEntry now has the ability to refer to a WatchpointSet. It can
2161           do so without incurring any space overhead for those entries that don't
2162           have WatchpointSets.
2163           
2164         - The bytecode generator infers all global function variables to be
2165           watchable, and makes all stores perform the WatchpointSet's write check,
2166           and marks all loads as being potentially watchable (i.e. you can compile
2167           them to a watchpoint and a constant).
2168         
2169         Put together, this allows for fully sleazy inlining of calls to globally
2170         declared functions. The inline prologue will no longer contain the load of
2171         the function, or any checks of the function you're calling. I.e. it's
2172         pretty much like the kind of inlining you would see in Java or C++.
2173         Furthermore, the watchpointing functionality is built to be fairly general,
2174         and should allow setting watchpoints on all sorts of interesting things
2175         in the future.
2176         
2177         The sleazy inlining means that we will now sometimes inline in code paths
2178         that have never executed. Previously, to inline we would have either had
2179         to have executed the call (to read the call's inline cache) or have
2180         executed the method check (to read the method check's inline cache). Now,
2181         we might inline when the callee is a watched global variable. This
2182         revealed some humorous bugs. First, constant folding disagreed with CFA
2183         over what kinds of operations can clobber (example: code path A is dead
2184         but stores a String into variable X, all other code paths store 0 into
2185         X, and then you do CompareEq(X, 0) - CFA will say that this is a non-
2186         clobbering constant, but constant folding thought it was clobbering
2187         because it saw the String prediction). Second, inlining would crash if
2188         the inline callee had not been compiled. This patch fixes both bugs,
2189         since otherwise run-javascriptcore-tests would report regressions.
2190
2191         * CMakeLists.txt:
2192         * GNUmakefile.list.am:
2193         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2194         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2195         * JavaScriptCore.xcodeproj/project.pbxproj:
2196         * Target.pri:
2197         * assembler/ARMv7Assembler.h:
2198         (ARMv7Assembler):
2199         (JSC::ARMv7Assembler::ARMv7Assembler):
2200         (JSC::ARMv7Assembler::labelForWatchpoint):
2201         (JSC::ARMv7Assembler::label):
2202         (JSC::ARMv7Assembler::replaceWithJump):
2203         (JSC::ARMv7Assembler::maxJumpReplacementSize):
2204         * assembler/AbstractMacroAssembler.h:
2205         (JSC):
2206         (AbstractMacroAssembler):
2207         (Label):
2208         (JSC::AbstractMacroAssembler::watchpointLabel):
2209         (JSC::AbstractMacroAssembler::readPointer):
2210         * assembler/AssemblerBuffer.h:
2211         * assembler/MacroAssemblerARM.h:
2212         (JSC::MacroAssemblerARM::branchTest8):
2213         (MacroAssemblerARM):
2214         (JSC::MacroAssemblerARM::replaceWithJump):
2215         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2216         * assembler/MacroAssemblerARMv7.h:
2217         (JSC::MacroAssemblerARMv7::load8Signed):
2218         (JSC::MacroAssemblerARMv7::load16Signed):
2219         (MacroAssemblerARMv7):
2220         (JSC::MacroAssemblerARMv7::replaceWithJump):
2221         (JSC::MacroAssemblerARMv7::maxJumpReplacementSize):
2222         (JSC::MacroAssemblerARMv7::branchTest8):
2223         (JSC::MacroAssemblerARMv7::jump):
2224         (JSC::MacroAssemblerARMv7::makeBranch):
2225         * assembler/MacroAssemblerMIPS.h:
2226         (JSC::MacroAssemblerMIPS::branchTest8):
2227         (MacroAssemblerMIPS):
2228         (JSC::MacroAssemblerMIPS::replaceWithJump):
2229         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
2230         * assembler/MacroAssemblerSH4.h:
2231         (JSC::MacroAssemblerSH4::branchTest8):
2232         (MacroAssemblerSH4):
2233         (JSC::MacroAssemblerSH4::replaceWithJump):
2234         (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
2235         * assembler/MacroAssemblerX86.h:
2236         (MacroAssemblerX86):
2237         (JSC::MacroAssemblerX86::branchTest8):
2238         * assembler/MacroAssemblerX86Common.h:
2239         (JSC::MacroAssemblerX86Common::replaceWithJump):
2240         (MacroAssemblerX86Common):
2241         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
2242         * assembler/MacroAssemblerX86_64.h:
2243         (MacroAssemblerX86_64):
2244         (JSC::MacroAssemblerX86_64::branchTest8):
2245         * assembler/X86Assembler.h:
2246         (JSC::X86Assembler::X86Assembler):
2247         (X86Assembler):
2248         (JSC::X86Assembler::cmpb_im):
2249         (JSC::X86Assembler::testb_im):
2250         (JSC::X86Assembler::labelForWatchpoint):
2251         (JSC::X86Assembler::label):
2252         (JSC::X86Assembler::replaceWithJump):
2253         (JSC::X86Assembler::maxJumpReplacementSize):
2254         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
2255         * bytecode/CodeBlock.cpp:
2256         (JSC):
2257         (JSC::CodeBlock::printGetByIdCacheStatus):
2258         (JSC::CodeBlock::dump):
2259         * bytecode/CodeBlock.h:
2260         (JSC::CodeBlock::appendOSRExit):
2261         (JSC::CodeBlock::appendSpeculationRecovery):
2262         (CodeBlock):
2263         (JSC::CodeBlock::appendWatchpoint):
2264         (JSC::CodeBlock::numberOfWatchpoints):
2265         (JSC::CodeBlock::watchpoint):
2266         (DFGData):
2267         * bytecode/DFGExitProfile.h:
2268         (JSC::DFG::exitKindToString):
2269         (JSC::DFG::exitKindIsCountable):
2270         * bytecode/GetByIdStatus.cpp:
2271         (JSC::GetByIdStatus::computeForChain):
2272         * bytecode/Instruction.h:
2273         (Instruction):
2274         (JSC::Instruction::Instruction):
2275         * bytecode/Opcode.h:
2276         (JSC):
2277         (JSC::padOpcodeName):
2278         * bytecode/Watchpoint.cpp: Added.
2279         (JSC):
2280         (JSC::Watchpoint::~Watchpoint):
2281         (JSC::Watchpoint::correctLabels):
2282         (JSC::Watchpoint::fire):
2283         (JSC::WatchpointSet::WatchpointSet):
2284         (JSC::WatchpointSet::~WatchpointSet):
2285         (JSC::WatchpointSet::add):
2286         (JSC::WatchpointSet::notifyWriteSlow):
2287         (JSC::WatchpointSet::fireAllWatchpoints):
2288         * bytecode/Watchpoint.h: Added.
2289         (JSC):
2290         (Watchpoint):
2291         (JSC::Watchpoint::Watchpoint):
2292         (JSC::Watchpoint::setDestination):
2293         (WatchpointSet):
2294         (JSC::WatchpointSet::isStillValid):
2295         (JSC::WatchpointSet::hasBeenInvalidated):
2296         (JSC::WatchpointSet::startWatching):
2297         (JSC::WatchpointSet::notifyWrite):
2298         (JSC::WatchpointSet::addressOfIsWatched):
2299         * bytecompiler/BytecodeGenerator.cpp:
2300         (JSC::ResolveResult::checkValidity):
2301         (JSC::BytecodeGenerator::addGlobalVar):
2302         (JSC::BytecodeGenerator::BytecodeGenerator):
2303         (JSC::BytecodeGenerator::resolve):
2304         (JSC::BytecodeGenerator::emitResolve):
2305         (JSC::BytecodeGenerator::emitResolveWithBase):
2306         (JSC::BytecodeGenerator::emitResolveWithThis):
2307         (JSC::BytecodeGenerator::emitGetStaticVar):
2308         (JSC::BytecodeGenerator::emitPutStaticVar):
2309         * bytecompiler/BytecodeGenerator.h:
2310         (BytecodeGenerator):
2311         * bytecompiler/NodesCodegen.cpp:
2312         (JSC::FunctionCallResolveNode::emitBytecode):
2313         (JSC::PostfixResolveNode::emitBytecode):
2314         (JSC::PrefixResolveNode::emitBytecode):
2315         (JSC::ReadModifyResolveNode::emitBytecode):
2316         (JSC::AssignResolveNode::emitBytecode):
2317         (JSC::ConstDeclNode::emitCodeSingle):
2318         * dfg/DFGAbstractState.cpp:
2319         (JSC::DFG::AbstractState::execute):
2320         (JSC::DFG::AbstractState::clobberStructures):
2321         * dfg/DFGAbstractState.h:
2322         (AbstractState):
2323         (JSC::DFG::AbstractState::didClobber):
2324         * dfg/DFGByteCodeParser.cpp:
2325         (JSC::DFG::ByteCodeParser::handleInlining):
2326         (JSC::DFG::ByteCodeParser::parseBlock):
2327         * dfg/DFGCCallHelpers.h:
2328         (CCallHelpers):
2329         (JSC::DFG::CCallHelpers::setupArguments):
2330         * dfg/DFGCSEPhase.cpp:
2331         (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
2332         (CSEPhase):
2333         (JSC::DFG::CSEPhase::globalVarStoreElimination):
2334         (JSC::DFG::CSEPhase::performNodeCSE):
2335         * dfg/DFGCapabilities.h:
2336         (JSC::DFG::canCompileOpcode):
2337         * dfg/DFGConstantFoldingPhase.cpp:
2338         (JSC::DFG::ConstantFoldingPhase::run):
2339         * dfg/DFGCorrectableJumpPoint.h:
2340         (JSC::DFG::CorrectableJumpPoint::isSet):
2341         (CorrectableJumpPoint):
2342         * dfg/DFGJITCompiler.cpp:
2343         (JSC::DFG::JITCompiler::linkOSRExits):
2344         (JSC::DFG::JITCompiler::link):
2345         * dfg/DFGNode.h:
2346         (JSC::DFG::Node::hasIdentifierNumberForCheck):
2347         (Node):
2348         (JSC::DFG::Node::identifierNumberForCheck):
2349         (JSC::DFG::Node::hasRegisterPointer):
2350         * dfg/DFGNodeType.h:
2351         (DFG):
2352         * dfg/DFGOSRExit.cpp:
2353         (JSC::DFG::OSRExit::OSRExit):
2354         * dfg/DFGOSRExit.h:
2355         (OSRExit):
2356         * dfg/DFGOperations.cpp:
2357         * dfg/DFGOperations.h:
2358         * dfg/DFGPredictionPropagationPhase.cpp:
2359         (JSC::DFG::PredictionPropagationPhase::propagate):
2360         * dfg/DFGSpeculativeJIT.h:
2361         (JSC::DFG::SpeculativeJIT::callOperation):
2362         (JSC::DFG::SpeculativeJIT::appendCall):
2363         (SpeculativeJIT):
2364         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
2365         * dfg/DFGSpeculativeJIT32_64.cpp:
2366         (JSC::DFG::SpeculativeJIT::compile):
2367         * dfg/DFGSpeculativeJIT64.cpp:
2368         (JSC::DFG::SpeculativeJIT::compile):
2369         * interpreter/Interpreter.cpp:
2370         (JSC::Interpreter::privateExecute):
2371         * jit/JIT.cpp:
2372         (JSC::JIT::privateCompileMainPass):
2373         (JSC::JIT::privateCompileSlowCases):
2374         * jit/JIT.h:
2375         * jit/JITPropertyAccess.cpp:
2376         (JSC::JIT::emit_op_put_global_var_check):
2377         (JSC):
2378         (JSC::JIT::emitSlow_op_put_global_var_check):
2379         * jit/JITPropertyAccess32_64.cpp:
2380         (JSC::JIT::emit_op_put_global_var_check):
2381         (JSC):
2382         (JSC::JIT::emitSlow_op_put_global_var_check):
2383         * jit/JITStubs.cpp:
2384         (JSC::DEFINE_STUB_FUNCTION):
2385         (JSC):
2386         * jit/JITStubs.h:
2387         * llint/LLIntSlowPaths.cpp:
2388         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2389         (LLInt):
2390         * llint/LLIntSlowPaths.h:
2391         (LLInt):
2392         * llint/LowLevelInterpreter32_64.asm:
2393         * llint/LowLevelInterpreter64.asm:
2394         * runtime/JSObject.cpp:
2395         (JSC::JSObject::removeDirect):
2396         * runtime/JSObject.h:
2397         (JSObject):
2398         * runtime/JSSymbolTableObject.h:
2399         (JSC::symbolTableGet):
2400         (JSC::symbolTablePut):
2401         (JSC::symbolTablePutWithAttributes):
2402         * runtime/SymbolTable.cpp: Added.
2403         (JSC):
2404         (JSC::SymbolTableEntry::copySlow):
2405         (JSC::SymbolTableEntry::freeFatEntrySlow):
2406         (JSC::SymbolTableEntry::couldBeWatched):
2407         (JSC::SymbolTableEntry::attemptToWatch):
2408         (JSC::SymbolTableEntry::addressOfIsWatched):
2409         (JSC::SymbolTableEntry::addWatchpoint):
2410         (JSC::SymbolTableEntry::notifyWriteSlow):
2411         (JSC::SymbolTableEntry::inflateSlow):
2412         * runtime/SymbolTable.h:
2413         (JSC):
2414         (SymbolTableEntry):
2415         (Fast):
2416         (JSC::SymbolTableEntry::Fast::Fast):
2417         (JSC::SymbolTableEntry::Fast::isNull):
2418         (JSC::SymbolTableEntry::Fast::getIndex):
2419         (JSC::SymbolTableEntry::Fast::isReadOnly):
2420         (JSC::SymbolTableEntry::Fast::getAttributes):
2421         (JSC::SymbolTableEntry::Fast::isFat):
2422         (JSC::SymbolTableEntry::SymbolTableEntry):
2423         (JSC::SymbolTableEntry::~SymbolTableEntry):
2424         (JSC::SymbolTableEntry::operator=):
2425         (JSC::SymbolTableEntry::isNull):
2426         (JSC::SymbolTableEntry::getIndex):
2427         (JSC::SymbolTableEntry::getFast):
2428         (JSC::SymbolTableEntry::getAttributes):
2429         (JSC::SymbolTableEntry::isReadOnly):
2430         (JSC::SymbolTableEntry::watchpointSet):
2431         (JSC::SymbolTableEntry::notifyWrite):
2432         (FatEntry):
2433         (JSC::SymbolTableEntry::FatEntry::FatEntry):
2434         (JSC::SymbolTableEntry::isFat):
2435         (JSC::SymbolTableEntry::fatEntry):
2436         (JSC::SymbolTableEntry::inflate):
2437         (JSC::SymbolTableEntry::bits):
2438         (JSC::SymbolTableEntry::freeFatEntry):
2439         (JSC::SymbolTableEntry::pack):
2440         (JSC::SymbolTableEntry::isValidIndex):
2441
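The WatchpointSet/Watchpoint mechanism described in the 2012-06-13 entry above (and repeated in the original 2012-06-12 entry further down) can be illustrated with a small model. This is an added example, not JavaScriptCore's code: the method names mirror those listed in the entry, but `CodeSlot` stands in for a recorded watchpoint label in machine code, the jump destination is a plain integer, and a `std::list` replaces the doubly-linked list node; all of these are assumptions of the model.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <list>

// Model of a watchpoint label in generated code. While the watchpoint is
// armed the slot is a no-op; firing "plants" a jump over it (constructed
// stand-in for replaceWithJump on a real assembler).
struct CodeSlot {
    bool isJump = false;   // true once a jump has been patched in
    int destination = -1;  // exit the planted jump goes to
};

class Watchpoint {
public:
    explicit Watchpoint(CodeSlot* location) : m_location(location) {}
    void setDestination(int destination) { m_destination = destination; }
    // Plant the jump: overwrite the recorded location with a jump to the exit.
    void fire() {
        m_location->isJump = true;
        m_location->destination = m_destination;
    }
private:
    CodeSlot* m_location;
    int m_destination = -1;
};

class WatchpointSet {
public:
    bool isStillValid() const { return !m_isInvalidated; }
    bool hasBeenInvalidated() const { return m_isInvalidated != 0; }

    // A compiler that wants to constant-fold calls startWatching() first.
    // It is refused on a set that has already fired: monotonicity means we
    // never re-optimize on a variable whose watchpoints fired before.
    bool startWatching() {
        if (m_isInvalidated) return false;
        m_isWatched = 1;
        return true;
    }

    // Registering a Watchpoint is only meaningful while the set is watched.
    bool add(Watchpoint* watchpoint) {
        if (m_isInvalidated || !m_isWatched) return false;
        m_watchpoints.push_back(watchpoint);
        return true;
    }

    // Store-side write check. The fast path is a one-byte load and branch;
    // the slow path runs only when something is actually watching.
    void notifyWrite() {
        if (!m_isWatched) return;  // fast path: nobody watches this variable
        notifyWriteSlow();
    }

    // Address the JIT would embed in the emitted write check.
    const int8_t* addressOfIsWatched() const { return &m_isWatched; }
    size_t numberOfWatchpoints() const { return m_watchpoints.size(); }

private:
    void notifyWriteSlow() {
        fireAllWatchpoints();
        m_isWatched = 0;
        m_isInvalidated = 1;  // sticky: the set remembers it was invalidated
    }
    void fireAllWatchpoints() {
        for (Watchpoint* watchpoint : m_watchpoints) watchpoint->fire();
        m_watchpoints.clear();
    }

    int8_t m_isWatched = 0;      // the one byte every store tests
    int8_t m_isInvalidated = 0;  // set once the set has fired
    std::list<Watchpoint*> m_watchpoints;
};

// Constructed scenario: the optimizing compiler folds a call to a global
// function into a constant guarded by a watchpoint; a later store to that
// global fires the set and forces the planted jump (the OSR exit).
struct Scenario {
    bool firstWatchAccepted;
    bool jumpPlanted;
    int jumpDestination;
    bool rewatchAccepted;
};

Scenario runScenario() {
    WatchpointSet setForGlobalF;   // the symbol table entry's set (constructed)
    CodeSlot inlinedCallSite;      // the recorded watchpoint label (constructed)
    Watchpoint watchpoint(&inlinedCallSite);
    watchpoint.setDestination(42); // constructed OSR exit index

    Scenario result{};
    result.firstWatchAccepted = setForGlobalF.startWatching()
        && setForGlobalF.add(&watchpoint);

    setForGlobalF.notifyWrite();   // a store to the global fires the set
    result.jumpPlanted = inlinedCallSite.isJump;
    result.jumpDestination = inlinedCallSite.destination;

    result.rewatchAccepted = setForGlobalF.startWatching();  // refused
    return result;
}
```

A never-watched set takes only the fast path on every store and stays valid, which is what keeps the write check cheap for the common case.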
2442 2012-06-13  Sheriff Bot  <webkit.review.bot@gmail.com>
2443
2444         Unreviewed, rolling out r120172.
2445         http://trac.webkit.org/changeset/120172
2446         https://bugs.webkit.org/show_bug.cgi?id=88976
2447
2448         The patch causes compilation failures on Gtk, Qt and Apple Win
2449         bots (Requested by zdobersek on #webkit).
2450
2451         * CMakeLists.txt:
2452         * GNUmakefile.list.am:
2453         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2454         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2455         * JavaScriptCore.xcodeproj/project.pbxproj:
2456         * Target.pri:
2457         * assembler/ARMv7Assembler.h:
2458         (JSC::ARMv7Assembler::nop):
2459         (JSC::ARMv7Assembler::label):
2460         (JSC::ARMv7Assembler::readPointer):
2461         (ARMv7Assembler):
2462         * assembler/AbstractMacroAssembler.h:
2463         (JSC):
2464         (AbstractMacroAssembler):
2465         (Label):
2466         * assembler/AssemblerBuffer.h:
2467         * assembler/MacroAssemblerARM.h:
2468         * assembler/MacroAssemblerARMv7.h:
2469         (JSC::MacroAssemblerARMv7::nop):
2470         (JSC::MacroAssemblerARMv7::jump):
2471         (JSC::MacroAssemblerARMv7::makeBranch):
2472         * assembler/MacroAssemblerMIPS.h:
2473         * assembler/MacroAssemblerSH4.h:
2474         * assembler/MacroAssemblerX86.h:
2475         (MacroAssemblerX86):
2476         (JSC::MacroAssemblerX86::moveWithPatch):
2477         * assembler/MacroAssemblerX86Common.h:
2478         * assembler/MacroAssemblerX86_64.h:
2479         (JSC::MacroAssemblerX86_64::branchTest8):
2480         * assembler/X86Assembler.h:
2481         (JSC::X86Assembler::cmpb_im):
2482         (JSC::X86Assembler::codeSize):
2483         (JSC::X86Assembler::label):
2484         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
2485         * bytecode/CodeBlock.cpp:
2486         (JSC::CodeBlock::dump):
2487         * bytecode/CodeBlock.h:
2488         (JSC::CodeBlock::appendOSRExit):
2489         (JSC::CodeBlock::appendSpeculationRecovery):
2490         (DFGData):
2491         * bytecode/DFGExitProfile.h:
2492         (JSC::DFG::exitKindToString):
2493         (JSC::DFG::exitKindIsCountable):
2494         * bytecode/Instruction.h:
2495         * bytecode/Opcode.h:
2496         (JSC):
2497         (JSC::padOpcodeName):
2498         * bytecode/Watchpoint.cpp: Removed.
2499         * bytecode/Watchpoint.h: Removed.
2500         * bytecompiler/BytecodeGenerator.cpp:
2501         (JSC::ResolveResult::checkValidity):
2502         (JSC::BytecodeGenerator::addGlobalVar):
2503         (JSC::BytecodeGenerator::BytecodeGenerator):
2504         (JSC::BytecodeGenerator::resolve):
2505         (JSC::BytecodeGenerator::emitResolve):
2506         (JSC::BytecodeGenerator::emitResolveWithBase):
2507         (JSC::BytecodeGenerator::emitResolveWithThis):
2508         (JSC::BytecodeGenerator::emitGetStaticVar):
2509         (JSC::BytecodeGenerator::emitPutStaticVar):
2510         * bytecompiler/BytecodeGenerator.h:
2511         (BytecodeGenerator):
2512         * bytecompiler/NodesCodegen.cpp:
2513         (JSC::FunctionCallResolveNode::emitBytecode):
2514         (JSC::PostfixResolveNode::emitBytecode):
2515         (JSC::PrefixResolveNode::emitBytecode):
2516         (JSC::ReadModifyResolveNode::emitBytecode):
2517         (JSC::AssignResolveNode::emitBytecode):
2518         (JSC::ConstDeclNode::emitCodeSingle):
2519         * dfg/DFGAbstractState.cpp:
2520         (JSC::DFG::AbstractState::execute):
2521         (JSC::DFG::AbstractState::clobberStructures):
2522         * dfg/DFGAbstractState.h:
2523         (AbstractState):
2524         * dfg/DFGByteCodeParser.cpp:
2525         (JSC::DFG::ByteCodeParser::handleInlining):
2526         (JSC::DFG::ByteCodeParser::parseBlock):
2527         * dfg/DFGCCallHelpers.h:
2528         (JSC::DFG::CCallHelpers::setupArguments):
2529         * dfg/DFGCSEPhase.cpp:
2530         (JSC::DFG::CSEPhase::globalVarStoreElimination):
2531         (JSC::DFG::CSEPhase::performNodeCSE):
2532         * dfg/DFGCapabilities.h:
2533         (JSC::DFG::canCompileOpcode):
2534         * dfg/DFGConstantFoldingPhase.cpp:
2535         (JSC::DFG::ConstantFoldingPhase::run):
2536         * dfg/DFGCorrectableJumpPoint.h:
2537         * dfg/DFGJITCompiler.cpp:
2538         (JSC::DFG::JITCompiler::linkOSRExits):
2539         (JSC::DFG::JITCompiler::link):
2540         * dfg/DFGNode.h:
2541         (JSC::DFG::Node::hasRegisterPointer):
2542         * dfg/DFGNodeType.h:
2543         (DFG):
2544         * dfg/DFGOSRExit.cpp:
2545         (JSC::DFG::OSRExit::OSRExit):
2546         * dfg/DFGOSRExit.h:
2547         (OSRExit):
2548         * dfg/DFGOperations.cpp:
2549         * dfg/DFGOperations.h:
2550         * dfg/DFGPredictionPropagationPhase.cpp:
2551         (JSC::DFG::PredictionPropagationPhase::propagate):
2552         * dfg/DFGSpeculativeJIT.h:
2553         (JSC::DFG::SpeculativeJIT::callOperation):
2554         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2555         (JSC::DFG::SpeculativeJIT::speculationCheck):
2556         * dfg/DFGSpeculativeJIT32_64.cpp:
2557         (JSC::DFG::SpeculativeJIT::compile):
2558         * dfg/DFGSpeculativeJIT64.cpp:
2559         (JSC::DFG::SpeculativeJIT::compile):
2560         * jit/JIT.cpp:
2561         (JSC::JIT::privateCompileMainPass):
2562         (JSC::JIT::privateCompileSlowCases):
2563         * jit/JIT.h:
2564         * jit/JITPropertyAccess.cpp:
2565         * jit/JITPropertyAccess32_64.cpp:
2566         * jit/JITStubs.cpp:
2567         * jit/JITStubs.h:
2568         * llint/LLIntSlowPaths.cpp:
2569         * llint/LLIntSlowPaths.h:
2570         (LLInt):
2571         * llint/LowLevelInterpreter32_64.asm:
2572         * llint/LowLevelInterpreter64.asm:
2573         * runtime/JSObject.cpp:
2574         (JSC::JSObject::removeDirect):
2575         * runtime/JSObject.h:
2576         (JSObject):
2577         * runtime/JSSymbolTableObject.h:
2578         (JSC::symbolTableGet):
2579         (JSC::symbolTablePut):
2580         (JSC::symbolTablePutWithAttributes):
2581         * runtime/SymbolTable.cpp: Removed.
2582         * runtime/SymbolTable.h:
2583         (JSC):
2584         (JSC::SymbolTableEntry::isNull):
2585         (JSC::SymbolTableEntry::getIndex):
2586         (SymbolTableEntry):
2587         (JSC::SymbolTableEntry::getAttributes):
2588         (JSC::SymbolTableEntry::isReadOnly):
2589         (JSC::SymbolTableEntry::pack):
2590         (JSC::SymbolTableEntry::isValidIndex):
2591
2592 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
2593
2594         DFG should be able to set watchpoints on global variables
2595         https://bugs.webkit.org/show_bug.cgi?id=88692
2596
2597         Reviewed by Geoffrey Garen.
2598         
2599         This implements global variable constant folding by allowing the optimizing
2600         compiler to set a "watchpoint" on globals that it wishes to constant fold.
2601         If the watchpoint fires, then an OSR exit is forced by overwriting the
2602         machine code that the optimizing compiler generated with a jump.
2603         
2604         As such, this patch is adding quite a bit of stuff:
2605         
2606         - Jump replacement on those hardware targets supported by the optimizing
2607           JIT. It is now possible to patch in a jump instruction over any recorded
2608           watchpoint label. The jump must be "local" in the sense that it must be
2609           within the range of the largest jump distance supported by a one
2610           instruction jump.
2611           
2612         - WatchpointSets and Watchpoints. A Watchpoint is a doubly-linked list node
2613           that records the location where a jump must be inserted and the
2614           destination to which it should jump. Watchpoints can be added to a
2615           WatchpointSet. The WatchpointSet can be fired all at once, which plants
2616           all jumps. WatchpointSet also remembers if it had ever been invalidated,
2617           which allows for monotonicity: we typically don't want to optimize using
2618           watchpoints on something for which watchpoints had previously fired. The
2619           act of notifying a WatchpointSet has a trivial fast path in case no
2620           Watchpoints are registered (one-byte load+branch).
2621         
2622         - SpeculativeJIT::speculationWatchpoint(). It's like speculationCheck(),
2623           except that you don't have to emit branches. But, you need to know what
2624           WatchpointSet to add the resulting Watchpoint to. Not everything that
2625           you could write a speculationCheck() for will have a WatchpointSet that
2626           would get notified if the condition you were speculating against became
2627           invalid.
2628           
2629         - SymbolTableEntry now has the ability to refer to a WatchpointSet. It can
2630           do so without incurring any space overhead for those entries that don't
2631           have WatchpointSets.
2632           
2633         - The bytecode generator infers all global function variables to be
2634           watchable, and makes all stores perform the WatchpointSet's write check,
2635           and marks all loads as being potentially watchable (i.e. you can compile
2636           them to a watchpoint and a constant).
2637         
2638         Put together, this allows for fully sleazy inlining of calls to globally
2639         declared functions. The inline prologue will no longer contain the load of
2640         the function, or any checks of the function you're calling. I.e. it's
2641         pretty much like the kind of inlining you would see in Java or C++.
2642         Furthermore, the watchpointing functionality is built to be fairly general,
2643         and should allow setting watchpoints on all sorts of interesting things
2644         in the future.
2645         
2646         The sleazy inlining means that we will now sometimes inline in code paths
2647         that have never executed. Previously, to inline we would have either had
2648         to have executed the call (to read the call's inline cache) or have
2649         executed the method check (to read the method check's inline cache). Now,
2650         we might inline when the callee is a watched global variable. This
2651         revealed some humorous bugs. First, constant folding disagreed with CFA
2652         over what kinds of operations can clobber (example: code path A is dead
2653         but stores a String into variable X, all other code paths store 0 into
2654         X, and then you do CompareEq(X, 0) - CFA will say that this is a non-
2655         clobbering constant, but constant folding thought it was clobbering
2656         because it saw the String prediction). Second, inlining would crash if
2657         the inline callee had not been compiled. This patch fixes both bugs,
2658         since otherwise run-javascriptcore-tests would report regressions.
2659
2660         * CMakeLists.txt:
2661         * GNUmakefile.list.am:
2662         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2663         * JavaScriptCore.xcodeproj/project.pbxproj:
2664         * Target.pri:
2665         * assembler/ARMv7Assembler.h:
2666         (ARMv7Assembler):
2667         (JSC::ARMv7Assembler::ARMv7Assembler):
2668         (JSC::ARMv7Assembler::labelForWatchpoint):
2669         (JSC::ARMv7Assembler::label):
2670         (JSC::ARMv7Assembler::replaceWithJump):
2671         (JSC::ARMv7Assembler::maxJumpReplacementSize):
2672         * assembler/AbstractMacroAssembler.h:
2673         (JSC):
2674         (AbstractMacroAssembler):
2675         (Label):
2676         (JSC::AbstractMacroAssembler::watchpointLabel):
2677         * assembler/AssemblerBuffer.h:
2678         * assembler/MacroAssemblerARM.h:
2679         (JSC::MacroAssemblerARM::replaceWithJump):
2680         (MacroAssemblerARM):
2681         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2682         * assembler/MacroAssemblerARMv7.h:
2683         (MacroAssemblerARMv7):
2684         (JSC::MacroAssemblerARMv7::replaceWithJump):
2685         (JSC::MacroAssemblerARMv7::maxJumpReplacementSize):
2686         (JSC::MacroAssemblerARMv7::branchTest8):
2687         (JSC::MacroAssemblerARMv7::jump):
2688         (JSC::MacroAssemblerARMv7::makeBranch):
2689         * assembler/MacroAssemblerMIPS.h:
2690         (JSC::MacroAssemblerMIPS::replaceWithJump):
2691         (MacroAssemblerMIPS):
2692         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
2693         * assembler/MacroAssemblerSH4.h:
2694         (JSC::MacroAssemblerSH4::replaceWithJump):
2695         (MacroAssemblerSH4):
2696         (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
2697         * assembler/MacroAssemblerX86.h:
2698         (MacroAssemblerX86):
2699         (JSC::MacroAssemblerX86::branchTest8):
2700         * assembler/MacroAssemblerX86Common.h:
2701         (JSC::MacroAssemblerX86Common::replaceWithJump):
2702         (MacroAssemblerX86Common):
2703         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
2704         * assembler/MacroAssemblerX86_64.h:
2705         (MacroAssemblerX86_64):
2706         (JSC::MacroAssemblerX86_64::branchTest8):
2707         * assembler/X86Assembler.h:
2708         (JSC::X86Assembler::X86Assembler):
2709         (X86Assembler):
2710         (JSC::X86Assembler::cmpb_im):
2711         (JSC::X86Assembler::testb_im):
2712         (JSC::X86Assembler::labelForWatchpoint):
2713         (JSC::X86Assembler::label):
2714         (JSC::X86Assembler::replaceWithJump):
2715         (JSC::X86Assembler::maxJumpReplacementSize):
2716         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
2717         * bytecode/CodeBlock.cpp:
2718         (JSC::CodeBlock::dump):
2719         * bytecode/CodeBlock.h:
2720         (JSC::CodeBlock::appendOSRExit):
2721         (JSC::CodeBlock::appendSpeculationRecovery):
2722         (CodeBlock):
2723         (JSC::CodeBlock::appendWatchpoint):
2724         (JSC::CodeBlock::numberOfWatchpoints):
2725         (JSC::CodeBlock::watchpoint):
2726         (DFGData):
2727         * bytecode/DFGExitProfile.h:
2728         (JSC::DFG::exitKindToString):
2729         (JSC::DFG::exitKindIsCountable):
2730         * bytecode/Instruction.h:
2731         (Instruction):
2732         (JSC::Instruction::Instruction):
2733         * bytecode/Opcode.h:
2734         (JSC):
2735         (JSC::padOpcodeName):
2736         * bytecode/Watchpoint.cpp: Added.
2737         (JSC):
2738         (JSC::Watchpoint::~Watchpoint):
2739         (JSC::Watchpoint::correctLabels):
2740         (JSC::Watchpoint::fire):
2741         (JSC::WatchpointSet::WatchpointSet):
2742         (JSC::WatchpointSet::~WatchpointSet):
2743         (JSC::WatchpointSet::add):
2744         (JSC::WatchpointSet::notifyWriteSlow):
2745         (JSC::WatchpointSet::fireAllWatchpoints):
2746         * bytecode/Watchpoint.h: Added.
2747         (JSC):
2748         (Watchpoint):
2749         (JSC::Watchpoint::Watchpoint):
2750         (JSC::Watchpoint::setDestination):
2751         (WatchpointSet):
2752         (JSC::WatchpointSet::isStillValid):
2753         (JSC::WatchpointSet::hasBeenInvalidated):
2754         (JSC::WatchpointSet::startWatching):
2755         (JSC::WatchpointSet::notifyWrite):
2756         (JSC::WatchpointSet::addressOfIsWatched):
2757         * bytecompiler/BytecodeGenerator.cpp:
2758         (JSC::ResolveResult::checkValidity):
2759         (JSC::BytecodeGenerator::addGlobalVar):
2760         (JSC::BytecodeGenerator::BytecodeGenerator):
2761         (JSC::BytecodeGenerator::resolve):
2762         (JSC::BytecodeGenerator::emitResolve):
2763         (JSC::BytecodeGenerator::emitResolveWithBase):
2764         (JSC::BytecodeGenerator::emitResolveWithThis):
2765         (JSC::BytecodeGenerator::emitGetStaticVar):
2766         (JSC::BytecodeGenerator::emitPutStaticVar):
2767         * bytecompiler/BytecodeGenerator.h:
2768         (BytecodeGenerator):
2769         * bytecompiler/NodesCodegen.cpp:
2770         (JSC::FunctionCallResolveNode::emitBytecode):
2771         (JSC::PostfixResolveNode::emitBytecode):
2772         (JSC::PrefixResolveNode::emitBytecode):
2773         (JSC::ReadModifyResolveNode::emitBytecode):
2774         (JSC::AssignResolveNode::emitBytecode):
2775         (JSC::ConstDeclNode::emitCodeSingle):
2776         * dfg/DFGAbstractState.cpp:
2777         (JSC::DFG::AbstractState::execute):
2778         (JSC::DFG::AbstractState::clobberStructures):
2779         * dfg/DFGAbstractState.h:
2780         (AbstractState):
2781         (JSC::DFG::AbstractState::didClobber):
2782         * dfg/DFGByteCodeParser.cpp:
2783         (JSC::DFG::ByteCodeParser::handleInlining):
2784         (JSC::DFG::ByteCodeParser::parseBlock):
2785         * dfg/DFGCCallHelpers.h:
2786         (CCallHelpers):
2787         (JSC::DFG::CCallHelpers::setupArguments):
2788         * dfg/DFGCSEPhase.cpp:
2789         (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
2790         (CSEPhase):
2791         (JSC::DFG::CSEPhase::globalVarStoreElimination):
2792         (JSC::DFG::CSEPhase::performNodeCSE):
2793         * dfg/DFGCapabilities.h:
2794         (JSC::DFG::canCompileOpcode):
2795         * dfg/DFGConstantFoldingPhase.cpp:
2796         (JSC::DFG::ConstantFoldingPhase::run):
2797         * dfg/DFGCorrectableJumpPoint.h:
2798         (JSC::DFG::CorrectableJumpPoint::isSet):
2799         (CorrectableJumpPoint):
2800         * dfg/DFGJITCompiler.cpp:
2801         (JSC::DFG::JITCompiler::linkOSRExits):
2802         (JSC::DFG::JITCompiler::link):
2803         * dfg/DFGNode.h:
2804         (JSC::DFG::Node::hasIdentifierNumberForCheck):
2805         (Node):
2806         (JSC::DFG::Node::identifierNumberForCheck):
2807         (JSC::DFG::Node::hasRegisterPointer):
2808         * dfg/DFGNodeType.h:
2809         (DFG):
2810         * dfg/DFGOSRExit.cpp:
2811         (JSC::DFG::OSRExit::OSRExit):
2812         * dfg/DFGOSRExit.h:
2813         (OSRExit):
2814         * dfg/DFGOperations.cpp:
2815         * dfg/DFGOperations.h:
2816         * dfg/DFGPredictionPropagationPhase.cpp:
2817         (JSC::DFG::PredictionPropagationPhase::propagate):
2818         * dfg/DFGSpeculativeJIT.h:
2819         (JSC::DFG::SpeculativeJIT::callOperation):
2820         (JSC::DFG::SpeculativeJIT::appendCall):
2821         (SpeculativeJIT):
2822         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
2823         * dfg/DFGSpeculativeJIT32_64.cpp:
2824         (JSC::DFG::SpeculativeJIT::compile):
2825         * dfg/DFGSpeculativeJIT64.cpp:
2826         (JSC::DFG::SpeculativeJIT::compile):
2827         * jit/JIT.cpp:
2828         (JSC::JIT::privateCompileMainPass):
2829         (JSC::JIT::privateCompileSlowCases):
2830         * jit/JIT.h:
2831         * jit/JITPropertyAccess.cpp:
2832         (JSC::JIT::emit_op_put_global_var_check):
2833         (JSC):
2834         (JSC::JIT::emitSlow_op_put_global_var_check):
2835         * jit/JITPropertyAccess32_64.cpp:
2836         (JSC::JIT::emit_op_put_global_var_check):
2837         (JSC):
2838         (JSC::JIT::emitSlow_op_put_global_var_check):
2839         * jit/JITStubs.cpp:
2840         (JSC::JITThunks::JITThunks):
2841         (JSC::DEFINE_STUB_FUNCTION):
2842         (JSC):
2843         * jit/JITStubs.h:
2844         * llint/LLIntSlowPaths.cpp:
2845         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2846         (LLInt):
2847         * llint/LLIntSlowPaths.h:
2848         (LLInt):
2849         * llint/LowLevelInterpreter32_64.asm:
2850         * llint/LowLevelInterpreter64.asm:
2851         * runtime/JSObject.cpp:
2852         (JSC::JSObject::removeDirect):
2853         * runtime/JSObject.h:
2854         (JSObject):
2855         * runtime/JSSymbolTableObject.h:
2856         (JSC::symbolTableGet):
2857         (JSC::symbolTablePut):
2858         (JSC::symbolTablePutWithAttributes):
2859         * runtime/SymbolTable.cpp: Added.
2860         (JSC):
2861         (JSC::SymbolTableEntry::copySlow):
2862         (JSC::SymbolTableEntry::freeFatEntrySlow):
2863         (JSC::SymbolTableEntry::couldBeWatched):
2864         (JSC::SymbolTableEntry::attemptToWatch):
2865         (JSC::SymbolTableEntry::addressOfIsWatched):
2866         (JSC::SymbolTableEntry::addWatchpoint):
2867         (JSC::SymbolTableEntry::notifyWriteSlow):
2868         (JSC::SymbolTableEntry::inflateSlow):
2869         * runtime/SymbolTable.h:
2870         (JSC):
2871         (SymbolTableEntry):
2872         (Fast):
2873         (JSC::SymbolTableEntry::Fast::Fast):
2874         (JSC::SymbolTableEntry::Fast::isNull):
2875         (JSC::SymbolTableEntry::Fast::getIndex):
2876         (JSC::SymbolTableEntry::Fast::isReadOnly):
2877         (JSC::SymbolTableEntry::Fast::getAttributes):
2878         (JSC::SymbolTableEntry::Fast::isFat):
2879         (JSC::SymbolTableEntry::SymbolTableEntry):
2880         (JSC::SymbolTableEntry::~SymbolTableEntry):
2881         (JSC::SymbolTableEntry::operator=):
2882         (JSC::SymbolTableEntry::isNull):
2883         (JSC::SymbolTableEntry::getIndex):
2884         (JSC::SymbolTableEntry::getFast):
2885         (JSC::SymbolTableEntry::getAttributes):
2886         (JSC::SymbolTableEntry::isReadOnly):
2887         (JSC::SymbolTableEntry::watchpointSet):
2888         (JSC::SymbolTableEntry::notifyWrite):
2889         (FatEntry):
2890         (JSC::SymbolTableEntry::FatEntry::FatEntry):
2891         (JSC::SymbolTableEntry::isFat):
2892         (JSC::SymbolTableEntry::fatEntry):
2893         (JSC::SymbolTableEntry::inflate):
2894         (JSC::SymbolTableEntry::bits):
2895         (JSC::SymbolTableEntry::freeFatEntry):
2896         (JSC::SymbolTableEntry::pack):
2897         (JSC::SymbolTableEntry::isValidIndex):
2898
2899 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
2900
2901         Unreviewed build fix for ARMv7 debug builds.
2902
2903         * jit/JITStubs.cpp:
2904         (JSC::JITThunks::JITThunks):
2905
2906 2012-06-12  Geoffrey Garen  <ggaren@apple.com>
2907
2908         Build fix for case-sensitive file systems: use the right case.
2909
2910         * heap/ListableHandler.h:
2911
2912 2012-06-11  Geoffrey Garen  <ggaren@apple.com>
2913
2914         GC should be 1.7X faster
2915         https://bugs.webkit.org/show_bug.cgi?id=88840
2916
2917         Reviewed by Oliver Hunt.
2918
2919         I profiled, and removed anything that showed up as a concurrency
2920         bottleneck. Then, I added 3 threads to our max thread count, since we
2921         can scale up to more threads now.
2922
2923         * heap/BlockAllocator.cpp:
2924         (JSC::BlockAllocator::BlockAllocator):
2925         (JSC::BlockAllocator::~BlockAllocator):
2926         (JSC::BlockAllocator::releaseFreeBlocks):
2927         (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
2928         (JSC::BlockAllocator::waitForRelativeTime):
2929         (JSC::BlockAllocator::blockFreeingThreadMain):
2930         * heap/BlockAllocator.h:
2931         (BlockAllocator):
2932         (JSC::BlockAllocator::allocate):
2933         (JSC::BlockAllocator::deallocate): Use a spin lock for the common case
2934         where we're just popping a linked list. (A pthread mutex would sleep our
2935         thread even if the lock were only contended for a microsecond.) 
2936
2937         Scope the lock to avoid holding it while allocating VM, since that's a
2938         slow activity and it doesn't modify any of our data structures.
2939
2940         We still use a pthread mutex to handle our condition variable since we
2941         have to, and it's not a hot path.
2942
2943         * heap/CopiedSpace.cpp:
2944         (JSC::CopiedSpace::CopiedSpace):
2945         (JSC::CopiedSpace::doneFillingBlock):
2946         * heap/CopiedSpace.h:
2947         (JSC::CopiedSpace::CopiedSpace): Use a spin lock for the to space lock,
2948         since it just guards linked list and hash table manipulation.
2949
2950         * heap/MarkStack.cpp:
2951         (JSC::MarkStackSegmentAllocator::MarkStackSegmentAllocator):
2952         (JSC::MarkStackSegmentAllocator::allocate):
2953         (JSC::MarkStackSegmentAllocator::release):
2954         (JSC::MarkStackSegmentAllocator::shrinkReserve): Use a spin lock, since
2955         we're just managing a linked list.
2956
2957         (JSC::MarkStackArray::donateSomeCellsTo): Changed donation to be proportional
2958         to our current stack size. This fixes cases where we used to donate too
2959         much. Interestingly, donating too much was starving the donor (when it
2960         ran out of work later) *and* the recipient (since it had to wait on a
2961         long donation operation to complete before it could acquire the lock).
2962
2963         In the worst case, we're still guaranteed to donate N cells in roughly log N time.
2964
2965         This change also fixes cases where we used to donate too little, since
2966         we would always keep a fixed minimum number of cells. In the worst case,
2967         with N marking threads, we could have N large object graph roots in
2968         our stack for the duration of GC, and scale to only 1 thread.
2969
2970         It's an interesting observation that a single object in the mark stack
2971         might represent an arbitrarily large object graph -- and only the act
2972         of marking can find out.
2973
2974         (JSC::MarkStackArray::stealSomeCellsFrom): Steal in proportion to idle
2975         threads. Once again, this fixes cases where constants could cause us
2976         to steal too much or too little.
2977
2978         (JSC::SlotVisitor::donateKnownParallel): Always wake up other threads
2979         if they're idle. We can afford to do this because we're conservative
2980         about when we donate.
2981
2982         (JSC::SlotVisitor::drainFromShared):
2983         * heap/MarkStack.h:
2984         (MarkStackSegmentAllocator):
2985         (MarkStackArray):
2986         (JSC):
2987         * heap/SlotVisitor.h: Merged the "should I donate?" decision into a
2988         single function, for simplicity.
2989
2990         * runtime/Options.cpp:
2991         (minimumNumberOfScansBetweenRebalance): Reduced the delay before donation
2992         a lot. We can afford to do this because, in the common case, donation is
2993         a single branch that decides not to donate. 
2994
2995         (cpusToUse): Use more CPUs now, since we scale better now.
2996
2997         * runtime/Options.h:
2998         (Options): Removed now-unused variables.
2999
3000 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
3001
3002         REGRESSION(120121): inspector tests crash in DFG
3003         https://bugs.webkit.org/show_bug.cgi?id=88941
3004
3005         Reviewed by Geoffrey Garen.
3006         
3007         The CFG simplifier has two different ways of fixing up GetLocal, Phantom, and Flush. If we've
3008         already fixed up the node one way, we shouldn't try the other way. The reason why we shouldn't
3009         is that the second way depends on the node referring to other nodes in the to-be-jettisoned
3010         block. After fixup they potentially will refer to nodes in the block being merged to.
3011
3012         * dfg/DFGCFGSimplificationPhase.cpp:
3013         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
3014         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3015
3016 2012-06-12  Leo Yang  <leo.yang@torchmobile.com.cn>
3017
3018         Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads
3019         https://bugs.webkit.org/show_bug.cgi?id=87334
3020
3021         Reviewed by Geoffrey Garen.
3022
3023         Add a copy member function to JSC::HashTable. This function will copy all data
3024         members except for *table* which contains thread specific data that prevents
3025         us copying it. When you want to copy a JSC::HashTable that was constructed
3026         on another thread you should call JSC::HashTable::copy().
3027
3028         * runtime/Lookup.h:
3029         (JSC::HashTable::copy):
3030         (HashTable):
3031
3032 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
3033
3034         DFG should not ASSERT if you have a double use of a variable that is not revealed to be a double
3035         until after CFG simplification
3036         https://bugs.webkit.org/show_bug.cgi?id=88927
3037         <rdar://problem/11513971>
3038
3039         Reviewed by Geoffrey Garen.
3040         
3041         Speculation fixup needs to run if simplification did things, because simplification can change
3042         predictions - particularly if you had a control flow path that stored weird things into a
3043         variable, but that path got axed by the simplifier.
3044         
3045         Running fixup in the fixpoint requires making it idempotent, which it previously wasn't. Only
3046         one place needed to be changed, namely the un-MustGenerate-ion of ValueToInt32.
3047
3048         * dfg/DFGDriver.cpp:
3049         (JSC::DFG::compile):
3050         * dfg/DFGFixupPhase.cpp:
3051         (JSC::DFG::FixupPhase::fixupNode):
3052
3053 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
3054
3055         REGRESSION (r119779): Javascript TypeError: 'undefined' is not an object
3056         https://bugs.webkit.org/show_bug.cgi?id=88783
3057         <rdar://problem/11640299>
3058
3059         Reviewed by Geoffrey Garen.
3060         
3061         If you don't keep alive the base of an object access over the various checks
3062         you do for the prototype chain, you're going to have a bad time.
3063
3064         * dfg/DFGByteCodeParser.cpp:
3065         (JSC::DFG::ByteCodeParser::handleGetById):
3066
3067 2012-06-12  Hojong Han  <hojong.han@samsung.com>
3068
3069         Property names of the built-in object cannot be retrieved 
3070         after trying to delete one of its properties
3071         https://bugs.webkit.org/show_bug.cgi?id=86461
3072
3073         Reviewed by Gavin Barraclough.
3074
3075         * runtime/JSObject.cpp:
3076         (JSC::getClassPropertyNames):
3077         (JSC::JSObject::getOwnPropertyNames):
3078
3079 2012-06-11  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3080
3081         [CMAKE][EFL] Remove duplicated executable output path
3082         https://bugs.webkit.org/show_bug.cgi?id=88765
3083
3084         Reviewed by Daniel Bates.
3085
3086         CMake files for the EFL port have redefined the executable output path. However, the EFL port doesn't
3087         need to define it again because it is already defined in the top-level CMake file.
3088
3089         * shell/CMakeLists.txt:
3090
3091 2012-06-11  Carlos Garcia Campos  <cgarcia@igalia.com>
3092
3093         Unreviewed. Fix make distcheck issues.
3094
3095         * GNUmakefile.list.am: Remove non-existent header file.
3096
3097 2012-06-10  Patrick Gansterer  <paroga@webkit.org>
3098
3099         Unreviewed. Build fix for !ENABLE(JIT) after r119844 and r119925.
3100
3101         * runtime/Executable.h:
3102         (ExecutableBase):
3103         (JSC::ExecutableBase::clearCodeVirtual):
3104
3105 2012-06-10  Patrick Gansterer  <paroga@webkit.org>
3106
3107         Unreviewed. Build fix for !ENABLE(JIT) after r119844.
3108
3109         * runtime/Executable.h:
3110         (ExecutableBase):
3111         (JSC):
3112
3113 2012-06-09  Dominic Cooney  <dominicc@chromium.org>
3114
3115         [Chromium] Remove JavaScriptCore dependencies from gyp
3116         https://bugs.webkit.org/show_bug.cgi?id=88510
3117
3118         Reviewed by Adam Barth.
3119
3120         Chromium doesn't support JSC any more and there doesn't seem to be
3121         a strong interest in using GYP as the common build system in other
3122         ports.
3123
3124         * JavaScriptCore.gyp/JavaScriptCore.gyp: WebCore still depends on YARR interpreter.
3125         * JavaScriptCore.gypi: Only include YARR source.
3126         * gyp/JavaScriptCore.gyp: Removed.
3127         * gyp/gtk.gyp: Removed.
3128
3129 2012-06-09  Geoffrey Garen  <ggaren@apple.com>
3130
3131         Unreviewed, rolling back in part2 of r118646.
3132
3133         This patch removes eager finalization.
3134
3135         Weak pointer finalization should be lazy
3136         https://bugs.webkit.org/show_bug.cgi?id=87599
3137
3138         Reviewed by Sam Weinig.
3139
3140         * heap/Heap.cpp:
3141         (JSC::Heap::collect): Don't finalize eagerly -- we'll do it lazily.
3142
3143         * heap/MarkedBlock.cpp:
3144         (JSC::MarkedBlock::sweep): Do sweep weak sets when sweeping a block,
3145         since we won't get another chance.
3146
3147         * heap/MarkedBlock.h:
3148         (JSC::MarkedBlock::sweepWeakSet):
3149         * heap/MarkedSpace.cpp:
3150         (MarkedSpace::WeakSetSweep):
3151         * heap/MarkedSpace.h:
3152         (JSC::MarkedSpace::sweepWeakSets): Removed now-unused code.
3153
3154 2012-06-09  Sukolsak Sakshuwong  <sukolsak@google.com>
3155
3156         Add UNDO_MANAGER flag
3157         https://bugs.webkit.org/show_bug.cgi?id=87908
3158
3159         Reviewed by Tony Chang.
3160
3161         * Configurations/FeatureDefines.xcconfig:
3162
3163 2012-06-08  Geoffrey Garen  <ggaren@apple.com>
3164
3165         Unreviewed, rolling back in part1 of r118646.
3166
3167         This patch includes everything necessary for lazy finalization, but
3168         keeps eager finalization enabled for the time being.
3169
3170         Weak pointer finalization should be lazy
3171         https://bugs.webkit.org/show_bug.cgi?id=87599
3172
3173         Reviewed by Sam Weinig.
3174
3175         * heap/MarkedBlock.cpp:
3176         * heap/MarkedBlock.h:
3177         (JSC::MarkedBlock::resetAllocator):
3178         * heap/MarkedSpace.cpp:
3179         (JSC::MarkedSpace::resetAllocators):
3180         * heap/MarkedSpace.h:
3181         (JSC::MarkedSpace::resetAllocators): Don't force allocator reset anymore.
3182         It will happen automatically when a weak set is swept. It's simpler to
3183         have only one canonical way for this to happen, and it wasn't buying
3184         us anything to do it eagerly.
3185         * heap/WeakBlock.cpp:
3186         (JSC::WeakBlock::sweep): Don't short-circuit a sweep unless we know
3187         the sweep would be a no-op. If even one finalizer is pending, we need to
3188         run it, since we won't get another chance.
3189         * heap/WeakSet.cpp:
3190         (JSC::WeakSet::sweep): This loop can be simpler now that
3191         WeakBlock::sweep() does what we mean.
3192         Reset our allocator after a sweep because this is the optimal time to
3193         start trying to recycle old weak pointers.
3194         (JSC::WeakSet::tryFindAllocator): Don't sweep when searching for an
3195         allocator because we've swept already, and forcing a new sweep would be
3196         wasteful.
3197         * heap/WeakSet.h:
3198         (JSC::WeakSet::shrink): Be sure to reset our allocator after a shrink
3199         because the shrink may have removed the block the allocator was going to
3200         allocate out of.
3201
3202 2012-06-08  Gavin Barraclough  <barraclough@apple.com>
3203
3204         Unreviewed roll out r119795.
3205         
3206         This broke jquery/core.html
3207
3208         * dfg/DFGSpeculativeJIT.h:
3209         (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
3210         * jit/JITInlineMethods.h:
3211         (JSC::JIT::emitAllocateBasicJSObject):
3212         * llint/LowLevelInterpreter.asm:
3213         * runtime/JSGlobalData.h:
3214         (JSGlobalData):
3215         * runtime/JSGlobalThis.cpp:
3216         (JSC::JSGlobalThis::setUnwrappedObject):
3217         * runtime/JSObject.cpp:
3218         (JSC::JSObject::visitChildren):
3219         (JSC::JSObject::createInheritorID):
3220         * runtime/JSObject.h:
3221         (JSObject):
3222         (JSC::JSObject::resetInheritorID):
3223         (JSC):
3224         (JSC::JSObject::offsetOfInheritorID):
3225         (JSC::JSObject::inheritorID):
3226
3227 2012-06-08  Filip Pizlo  <fpizlo@apple.com>
3228
3229         PredictedType should be called SpeculatedType
3230         https://bugs.webkit.org/show_bug.cgi?id=88477
3231
3232         Unreviewed, fix a renaming goof from http://trac.webkit.org/changeset/119660.
3233         I accidentally renamed ByteCodeParser::getPrediction to
3234         ByteCodeParser::getSpeculation.  That was not the intent. This changes it
3235         back.
3236
3237         * dfg/DFGByteCodeParser.cpp:
3238         (JSC::DFG::ByteCodeParser::addCall):
3239         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3240         (JSC::DFG::ByteCodeParser::getPrediction):
3241         (JSC::DFG::ByteCodeParser::handleCall):
3242         (JSC::DFG::ByteCodeParser::parseBlock):
3243
3244 2012-06-08  Andy Wingo  <wingo@igalia.com>
3245
3246         Explicitly mark stubs called by JIT as being internal
3247         https://bugs.webkit.org/show_bug.cgi?id=88552
3248
3249         Reviewed by Filip Pizlo.
3250
3251         * dfg/DFGOSRExitCompiler.h:
3252         * dfg/DFGOperations.cpp:
3253         * dfg/DFGOperations.h:
3254         * jit/HostCallReturnValue.h:
3255         * jit/JITStubs.cpp:
3256         * jit/JITStubs.h:
3257         * jit/ThunkGenerators.cpp:
3258         * llint/LLIntSlowPaths.h: Mark a bunch of stubs as being
3259         WTF_INTERNAL.  Change most calls to SYMBOL_STRING_RELOCATION to
3260         LOCAL_REFERENCE, or GLOBAL_REFERENCE in the case of the wrappers
3261         to truly global symbols.
3262         * offlineasm/asm.rb: Generate LOCAL_REFERENCE instead of
3263         SYMBOL_STRING_RELOCATION.
3264
3265 2012-06-08  Geoffrey Garen  <ggaren@apple.com>
3266
3267         Don't rely on weak pointers for eager CodeBlock finalization
3268         https://bugs.webkit.org/show_bug.cgi?id=88465
3269
3270         Reviewed by Gavin Barraclough.
3271
3272         This is incompatible with lazy weak pointer finalization.
3273
3274         I considered just making CodeBlock finalization lazy-friendly, but it
3275         turns out that the heap is already way up in CodeBlock's business when
3276         it comes to finalization, so I decided to finish the job and move full
3277         responsibility for CodeBlock finalization into the heap.
3278
3279         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Maybe this
3280         will build.
3281
3282         * debugger/Debugger.cpp: Updated for rename.
3283
3284         * heap/Heap.cpp:
3285         (JSC::Heap::deleteAllCompiledCode): Renamed for consistency. Fixed a bug
3286         where we would not delete code for a code block that had been previously
3287         jettisoned. I don't know if this happens in practice -- I mostly did
3288         this to improve consistency with deleteUnmarkedCompiledCode.
3289
3290         (JSC::Heap::deleteUnmarkedCompiledCode): New function, responsible for
3291         eager finalization of unmarked code blocks.
3292
3293         (JSC::Heap::collect): Updated for rename. Updated to call
3294         deleteUnmarkedCompiledCode(), which takes care of jettisoned DFG code
3295         blocks too.
3296
3297         (JSC::Heap::addCompiledCode): Renamed, since this points to all code
3298         now, not just functions.
3299
3300         * heap/Heap.h:
3301         (Heap): Keep track of all user code, not just functions. This is a
3302         negligible additional overhead, since most code is function code.
3303
3304         * runtime/Executable.cpp:
3305         (JSC::*::finalize): Removed these functions, since we don't rely on
3306         weak pointer finalization anymore.
3307
3308         (JSC::FunctionExecutable::FunctionExecutable): Moved linked-list stuff
3309         into base class so all executables can be in the list.
3310
3311         (JSC::EvalExecutable::clearCode):
3312         (JSC::ProgramExecutable::clearCode):
3313         (JSC::FunctionExecutable::clearCode): All we need to do is delete our
3314         CodeBlock -- that will delete all of its internal data structures.
3315
3316         (JSC::FunctionExecutable::clearCodeIfNotCompiling): Factored out a helper
3317         function to improve clarity.
3318
3319         * runtime/Executable.h:
3320         (JSC::ExecutableBase): Moved linked-list stuff
3321         into base class so all executables can be in the list.
3322
3323         (JSC::NativeExecutable::create):
3324         (NativeExecutable):
3325         (ScriptExecutable):
3326         (JSC::ScriptExecutable::finishCreation):
3327         (JSC::EvalExecutable::create):
3328         (EvalExecutable):
3329         (JSC::ProgramExecutable::create):
3330         (ProgramExecutable):
3331         (FunctionExecutable):
3332         (JSC::FunctionExecutable::create): Don't use a finalizer -- the heap
3333         will call us back to destroy our code block.
3334
3335         (JSC::FunctionExecutable::discardCode): Renamed to clearCodeIfNotCompiling()
3336         for clarity.
3337
3338         (JSC::FunctionExecutable::isCompiling): New helper function, for clarity.
3339
3340         (JSC::ScriptExecutable::clearCodeVirtual): New helper function, since
3341         the heap needs to make polymorphic calls to clear code.
3342
3343         * runtime/JSGlobalData.cpp:
3344         (JSC::StackPreservingRecompiler::operator()):
3345         * runtime/JSGlobalObject.cpp:
3346         (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Updated for
3347         renames.
3348
3349 2012-06-07  Filip Pizlo  <fpizlo@apple.com>
3350
3351         DFG should inline prototype chain accesses, and do the right things if the
3352         specific function optimization is available
3353         https://bugs.webkit.org/show_bug.cgi?id=88594
3354
3355         Reviewed by Gavin Barraclough.
3356         
3357         Looks like a 3% win on V8.
3358
3359         * bytecode/CodeBlock.h:
3360         (JSC::Structure::prototypeForLookup):
3361         (JSC):
3362         * bytecode/GetByIdStatus.cpp:
3363         (JSC::GetByIdStatus::computeFromLLInt):
3364         (JSC):
3365         (JSC::GetByIdStatus::computeForChain):
3366         (JSC::GetByIdStatus::computeFor):
3367         * bytecode/GetByIdStatus.h:
3368         (JSC::GetByIdStatus::GetByIdStatus):
3369         (JSC::GetByIdStatus::isSimple):
3370         (JSC::GetByIdStatus::chain):
3371         (JSC::GetByIdStatus::specificValue):
3372         (GetByIdStatus):
3373         * bytecode/StructureSet.h:
3374         (StructureSet):
3375         (JSC::StructureSet::singletonStructure):
3376         * bytecode/StructureStubInfo.h:
3377         (JSC::StructureStubInfo::initGetByIdProto):
3378         (JSC::StructureStubInfo::initGetByIdChain):