44113f16336e5ea3481ce27b9f61190fc231eb8e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-10-18  Gavin Barraclough  <barraclough@apple.com>

        Indexed arguments on the Arguments object should be enumerable.
        https://bugs.webkit.org/show_bug.cgi?id=70302

        Reviewed by Sam Weinig.

        See ECMA-262 5.1 chapter 10.6 step 11b.
        This is visible through a number of means, including Object.keys, Object.getOwnPropertyDescriptor, and operator in.

        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertyDescriptor):
            - The 'enumerable' property should be true for indexed arguments.
        (JSC::Arguments::getOwnPropertyNames):
            - Don't guard the adding of indexed properties with 'IncludeDontEnumProperties'.

2011-10-18  Gustavo Noronha Silva  <gns@gnome.org>

        Fix distcheck.

        * GNUmakefile.list.am: fix a typo and add a missing header to the
        list.

2011-10-18  Balazs Kelemen  <kbalazs@webkit.org>

        ParallelJobs: maximum number of threads should be determined dynamically
        https://bugs.webkit.org/show_bug.cgi?id=68540

        Reviewed by Zoltan Herczeg.

        Add logic to determine the number of cores and use this as
        the maximum number of threads. The implementation currently
        covers Linux, Darwin, Windows, AIX, Solaris, OpenBSD and NetBSD.
        The patch was tested on Linux, Mac and Windows, which was enough to
        cover all code paths. It should work on the rest according to the
        documentation of those OSes. The hard-coded constant is still used
        on uncovered OSes, which should be fixed in the future.

        * wtf/ParallelJobs.h: Removed the default value of the requestedJobNumber
        argument because clients should always fill it and the 0 default value
        was incorrect anyway.
        (WTF::ParallelJobs::ParallelJobs):
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::determineMaxNumberOfParallelThreads):
        * wtf/ParallelJobsGeneric.h:
        (WTF::ParallelEnvironment::ParallelEnvironment):

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Reverted r997709; this caused test failures.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):

2011-10-17  Ryosuke Niwa  <rniwa@webkit.org>

        Rename deregister* to unregister*
        https://bugs.webkit.org/show_bug.cgi?id=70272

        Reviewed by Darin Adler.

        Renamed deregisterWeakMap to unregisterWeakMap.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::unregisterWeakMap):

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Poisoning of strict caller/arguments inappropriately poisoning "in"
        https://bugs.webkit.org/show_bug.cgi?id=63398

        Reviewed by Sam Weinig.

        The problem here is that the has[Own]Property methods get the slot rather than
        the descriptor, and getting the slot may cause the property to be eagerly accessed.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - We don't expect hasProperty to ever throw. If it does, it won't get caught
              (since it is after the exception check), so ASSERT to guard against this.
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):
            - These methods should not check for the presence of the descriptor; never get the value.

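Editor's note: the following is an added example, not JavaScriptCore code and not part of the ChangeLog. It exercises, from script, the two Arguments-object behaviours described in the entries for bug 70302 (indexed arguments are enumerable) and bug 63398 (a presence check with `in` or `hasOwnProperty` must not run the accessor, so the strict-mode poison pill on `arguments.callee` cannot fire from a mere membership test). The getter counter and the `'secret'` property name are constructed for the demonstration. Run with `node`.

```javascript
// Added example (not JavaScriptCore code): property-introspection semantics of
// the Arguments object as fixed in bugs 70302 and 63398.

// Bug 70302: indexed arguments must be enumerable (ECMA-262 5.1, 10.6 step 11b),
// so they show up in Object.keys and carry enumerable: true in their descriptor.
function argumentsIntrospection() {
  return (function () {
    const desc = Object.getOwnPropertyDescriptor(arguments, '0');
    return {
      keys: Object.keys(arguments),   // ['0', '1']
      enumerable: desc.enumerable,   // true
      hasIndex1: 1 in arguments,     // true
      hasIndex2: 2 in arguments,     // false: only two arguments were passed
    };
  })('a', 'b');
}

// Bug 63398: a presence check must not evaluate the property. The constructed
// accessor below counts and throws; `in` and hasOwnProperty must report the
// property exists without ever calling it. The same rule is what lets
// `'callee' in arguments` succeed inside a strict function, where reading
// arguments.callee would throw a TypeError.
function presenceCheckDoesNotInvokeAccessor() {
  let getterCalls = 0;
  const obj = Object.defineProperty({}, 'secret', {
    get() { getterCalls++; throw new TypeError('poisoned accessor was read'); },
    configurable: true,
  });
  const inResult = 'secret' in obj;
  const ownResult = Object.prototype.hasOwnProperty.call(obj, 'secret');
  const strictCalleeVisible = (function () {
    'use strict';
    return 'callee' in arguments;   // true, and must not throw
  })();
  return { inResult, ownResult, getterCalls, strictCalleeVisible };
}

console.log(JSON.stringify(argumentsIntrospection()));
console.log(JSON.stringify(presenceCheckDoesNotInvokeAccessor()));
```

The second function is the general form of the regression: any engine (or any JS-level proxy or membrane) that answers `in` by fetching the value rather than the descriptor leaks accessor side effects and exceptions into a check that the language defines as side-effect free.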
2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Exception ordering in String.prototype.replace
        https://bugs.webkit.org/show_bug.cgi?id=70290

        If pattern is not a regexp, it should be converted toString before the replacement value has its toString conversion called.

        Reviewed by Oliver Hunt.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):

2011-10-17  Filip Pizlo  <fpizlo@apple.com>

        DFG bytecode parser should understand inline stacks
        https://bugs.webkit.org/show_bug.cgi?id=70278

        Reviewed by Oliver Hunt.

        The DFG bytecode parser is now capable of parsing multiple code blocks at
        once. This remains turned off since not all inlining functionality is
        implemented.

        This required making a few changes elsewhere in the system. The bytecode
        parser now may do some of the same things that the bytecode generator does,
        like allocating constants and identifiers. Basic block linking relies on
        bytecode indices, which are only meaningful within the context of one basic
        block. This is fine, so long as linking is done eagerly whenever switching
        from one code block to another.

        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::getThis):
        (JSC::DFG::ByteCodeParser::setThis):
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        (JSC::DFG::ByteCodeParser::setupPredecessors):
        (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.h:
        (JSC::DFG::GetBytecodeBeginForBlock::GetBytecodeBeginForBlock):
        (JSC::DFG::GetBytecodeBeginForBlock::operator()):
        (JSC::DFG::Graph::blockIndexForBytecodeOffset):
        * dfg/DFGNode.h:
        * runtime/Identifier.h:
        (JSC::IdentifierMapIndexHashTraits::emptyValue):
        * runtime/JSValue.h:
        * wtf/StdLibExtras.h:
        (WTF::binarySearchWithFunctor):

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Incorrect behavior from String match/search & undefined pattern
        https://bugs.webkit.org/show_bug.cgi?id=70286

        Reviewed by Sam Weinig.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
            - In case of undefined, pattern is "".
        (JSC::stringProtoFuncSearch):
            - In case of undefined, pattern is "".

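Editor's note: the following is an added example, not JavaScriptCore code and not part of the ChangeLog. It makes observable the two String.prototype conformance points described in the entries for bug 70290 (for a non-RegExp pattern, the pattern's toString conversion runs before the replacement's, so a throwing pattern means the replacement is never converted) and bug 70286 (an undefined pattern to match/search behaves as the empty pattern). The logging `toString` objects are constructed for the demonstration. Run with `node`.

```javascript
// Added example (not JavaScriptCore code): observable conversion order and
// undefined-pattern handling in String.prototype.replace/match/search.

// Bug 70290: with a non-RegExp pattern, ToString(pattern) runs before
// ToString(replacement). Both conversions are logged to expose the order.
function replaceConversionOrder() {
  const log = [];
  const pattern = { toString() { log.push('pattern'); return 'b'; } };
  const replacement = { toString() { log.push('replacement'); return 'X'; } };
  const out = 'abc'.replace(pattern, replacement);
  return { out, log };   // { out: 'aXc', log: ['pattern', 'replacement'] }
}

// Exception-ordering corollary: if the pattern's conversion throws, the
// replacement's toString must not have been called at all.
function replacePatternThrowsFirst() {
  let replacementConverted = false;
  const pattern = { toString() { throw new RangeError('pattern converted first'); } };
  const replacement = { toString() { replacementConverted = true; return 'X'; } };
  let errorName = null;
  try {
    'abc'.replace(pattern, replacement);
  } catch (e) {
    errorName = e.name;
  }
  return { errorName, replacementConverted };   // 'RangeError', false
}

// Bug 70286: an undefined pattern is treated as the empty pattern, which
// matches the empty string at index 0 rather than searching for "undefined".
function undefinedPattern() {
  const m = 'abc'.match(undefined);
  return {
    matched: m[0],            // ''
    matchIndex: m.index,      // 0
    search: 'abc'.search(undefined),   // 0
    literalUndefinedSearch: 'abc'.search('undefined'),   // -1, for contrast
  };
}

console.log(JSON.stringify(replaceConversionOrder()));
console.log(JSON.stringify(replacePatternThrowsFirst()));
console.log(JSON.stringify(undefinedPattern()));
```

Conversion order matters beyond conformance: user-supplied objects with side-effecting `toString` (or `Symbol.replace`) methods observe exactly which conversions an engine performs and in what order, so an engine that deviates from the specified sequence exposes a different set of re-entrancy points than the ones its callers were written against.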
2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=70207
        After deleting __defineSetter__, it is absent but appears in name list

        Reviewed by Darin Adler.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyNames):
            - This should check whether static functions have been reified.

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Mac build fix.

        * JavaScriptCore.exp: Export!

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export!

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Windows build fix.

        * heap/HandleStack.cpp: Added a missing #include.

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed no
        longer existent symbol.

        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::shrinkAllocation): Cast to the right type.

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Simplified GC marking logic
        https://bugs.webkit.org/show_bug.cgi?id=70258

        Reviewed by Filip Pizlo.

        No perf. change.

        This is a first step toward GC allocating string backing stores, starting
        with ropes. It also enables future simplifications and optimizations.

        - Replaced some complex mark stack logic with a simple linear stack of
        JSCell pointers.

        - Replaced logic for short-circuiting marking based on JSType and/or
        Structure flags with special cases for object, array, and string.

        - Fiddled with inlining for better codegen.

        * JavaScriptCore.exp:
        * heap/HandleStack.cpp: Build!

        * heap/Heap.cpp:
        (JSC::Heap::Heap): Provide more vptrs to SlotVisitor, for use in marking.

        * heap/HeapRootVisitor.h: Removed unused functions that no longer build.

        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::expand):
        (JSC::MarkStackArray::shrinkAllocation):
        (JSC::MarkStack::reset):
        (JSC::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/MarkStack.h:
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::~MarkStack):
        (JSC::MarkStackArray::append):
        (JSC::MarkStackArray::removeLast):
        (JSC::MarkStackArray::isEmpty):
        (JSC::MarkStack::append):
        (JSC::MarkStack::appendUnbarrieredPointer):
        (JSC::MarkStack::internalAppend): Replaced complex mark set logic with
        simple linear stack.

        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::SlotVisitor): Updated for above changes.

        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * runtime/JSArray.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        * runtime/JSObject.h: Don't inline visitChildren; it's too big.

        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend): Nixed the short-circuit for CompoundType
        because it prevented strings from owning GC pointers.

        * runtime/WriteBarrier.h:
        (JSC::MarkStack::appendValues): No need to validate; internalAppend will
        do that for us.

2011-10-17  Adam Roben  <aroben@apple.com>

        Windows build fix after r97536, part 3

        * runtime/JSAPIValueWrapper.h:
        * runtime/JSObject.h:
        Use JS_EXPORTDATA to export the s_info members.

2011-10-17  Adam Roben  <aroben@apple.com>

        Interpreter build fix after r97564

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        Moved declaration of globalData variable into ENABLE(JIT) blocks, since it is only used
        there.

2011-10-17  Adam Roben  <aroben@apple.com>

        Windows build fix after r97536, part 2

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Added back
        JSC::setUpStaticFunctionSlot with its new mangled name. Sorted the rest of the file while I
        was at it.

2011-10-17  Adam Roben  <aroben@apple.com>

        Windows build fix after r97536

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed export of
        JSC::setUpStaticFunctionSlot, which no longer exists. Also removed incorrect exports of
        s_info members, which need to be exported via JS_EXPORTDATA instead.

2011-10-17  Patrick Gansterer  <paroga@webkit.org>

        Interpreter build fix after r97436, r97506, r97532 and r97537.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-10-16  Adam Barth  <abarth@webkit.org>

        Always disable ENABLE(ON_FIRST_TEXTAREA_FOCUS_SELECT_ALL) and delete associated code
        https://bugs.webkit.org/show_bug.cgi?id=70216

        Reviewed by Eric Seidel.

        * wtf/Platform.h:

2011-10-16  Noel Gordon  <noel.gordon@gmail.com>

        [chromium] Remove PageAllocatorSymbian.h, OSAllocatorSymbian.cpp, gtk/ThreadingGtk.cpp from gyp project files
        https://bugs.webkit.org/show_bug.cgi?id=70205

        Reviewed by James Robinson.

        wtf/PageAllocatorSymbian.h and wtf/OSAllocatorSymbian.cpp were removed in r97557.
        wtf/gtk/ThreadingGtk.cpp was removed in r97269.

        * JavaScriptCore.gypi:

2011-10-16  Adam Barth  <abarth@webkit.org>

        Always enable ENABLE(DOM_STORAGE)
        https://bugs.webkit.org/show_bug.cgi?id=70189

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-10-15  Dan Horák  <dan@danny.cz>

        The s390 and s390x architectures both use 64-bit double type
        that conforms to the IEEE-754 standard.

        https://bugs.webkit.org/show_bug.cgi?id=69940

        Reviewed by Gavin Barraclough.

        * wtf/dtoa/utils.h:

2011-10-14  Filip Pizlo  <fpizlo@apple.com>

        FunctionExecutable should expose the ability to create unattached FunctionCodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=70157

        Reviewed by Geoff Garen.

        Added FunctionExecutable::produceCodeBlockFor() and rewired compileForCallInternal()
        and compileForConstructInternal() to use this method. This required more cleanly
        exposing some of CodeBlock's tiering functionality and moving the CompilationKind
        enum to Executable.h, as this was the easiest way to make it available to the
        declarations/definitions of CodeBlock, FunctionExecutable, and BytecodeGenerator.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::copyDataFrom):
        (JSC::CodeBlock::copyDataFromAlternative):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setAlternative):
        * bytecompiler/BytecodeGenerator.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::codeBlockFor):

2011-10-15  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        [Qt] [Symbian] Remove support for the Symbian platform for the QtWebKit port
        https://bugs.webkit.org/show_bug.cgi?id=69920

        Reviewed by Kenneth Rohde Christiansen.

        * JavaScriptCore.pri:
        * JavaScriptCore.pro:
        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        * jit/JITStubs.cpp:
        * jsc.pro:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncLastIndexOf):
        * runtime/TimeoutChecker.cpp:
        (JSC::getCPUTime):
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:
        * wtf/Atomics.h:
        * wtf/MathExtras.h:
        * wtf/OSAllocator.h:
        (WTF::OSAllocator::decommitAndRelease):
        * wtf/OSAllocatorSymbian.cpp: Removed.
        * wtf/OSRandomSource.cpp:
        (WTF::cryptographicallyRandomValuesFromOS):
        * wtf/PageAllocation.h:
        * wtf/PageAllocatorSymbian.h: Removed.
        * wtf/PageBlock.cpp:
        * wtf/Platform.h:
        * wtf/StackBounds.cpp:
        * wtf/wtf.pri:

2011-10-15  Yuqiang Xian  <yuqiang.xian@intel.com>

        Trivial fix for a missing change in r97512
        https://bugs.webkit.org/show_bug.cgi?id=70166

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::link):

2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename getOwnPropertySlot to getOwnPropertySlotVirtual
        https://bugs.webkit.org/show_bug.cgi?id=69810

        Reviewed by Geoffrey Garen.

        Renamed the virtual version of getOwnPropertySlot to getOwnPropertySlotVirtual
        in preparation for when we add the static getOwnPropertySlot to the MethodTable
        in ClassInfo.

        Also added a few static getOwnPropertySlot functions where they had been overlooked
        before (especially in CodeGeneratorJS.pm).

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlotVirtual):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::staticFunctionGetter):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertySlotVirtual):
        (JSC::DebuggerActivation::getOwnPropertySlot):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotVirtual):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlotVirtual):
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlotVirtual):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlotVirtual):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlotVirtual):
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlotVirtual):
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlotVirtual):
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertySlotVirtual):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlotVirtual):
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::getOwnPropertySlotVirtual):
        * runtime/JSBoundFunction.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertySlotVirtual):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertySlotVirtual):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlotVirtual):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::getOwnPropertyNames):
        (JSC::JSFunction::put):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlotVirtual):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hasOwnPropertyForWrite):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertySlotVirtual):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::JSONObject::getOwnPropertySlotVirtual):
        (JSC::Walker::walk):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotVirtual):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::hasOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlotVirtual):
        (JSC::JSCell::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSValue::get):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::getOwnPropertySlotVirtual):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlotVirtual):
        (JSC::JSString::getOwnPropertySlot):
        * runtime/JSString.h:
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        * runtime/MathObject.cpp:
        (JSC::MathObject::getOwnPropertySlotVirtual):
        * runtime/MathObject.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlotVirtual):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlotVirtual):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlotVirtual):
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::getOwnPropertySlotVirtual):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlotVirtual):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertySlotVirtual):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlotVirtual):
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlotVirtual):
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlotVirtual):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlotVirtual):
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertySlotVirtual):
        * runtime/StringPrototype.h:

2011-10-14  Gavin Barraclough  <baraclough@apple.com>

        Most built-in properties are not deletable
        https://bugs.webkit.org/show_bug.cgi?id=61014

        Reviewed by Filip Pizlo.

        Our static hash tables don't allow for deleting properties.
        This is the cause of a bunch of expected failures in LayoutTests/sputnik.

        This fixes the problem by reifying all static functions immediately prior
        to the first deletion.  Reification is tracked by a flag on the structure,
        so properties will no longer 'bounce-back' on later access.

        Theoretically there could probably also be an issue with custom accessor
        properties, but we probably do not really require any of these to be
        Configurable anyway. I'll follow up with a separate patch to address this.

        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
            - detects static property tables.
        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty):
            - call reifyStaticFunctions before deletion.
        (JSC::JSObject::reifyStaticFunctions):
            - If the class has static functions, set them up now.
        * runtime/JSObject.h:
        (JSC::JSObject::staticFunctionsReified):
            - returns true if static functions have been reified,
              and as such should no longer be added.
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
            - If static functions have been reified do not add.
        * runtime/Lookup.h:
        (JSC::HashTable::ConstIterator::ConstIterator):
        (JSC::HashTable::ConstIterator::operator->):
        (JSC::HashTable::ConstIterator::operator*):
        (JSC::HashTable::ConstIterator::operator!=):
        (JSC::HashTable::ConstIterator::operator++):
        (JSC::HashTable::ConstIterator::skipInvalidKeys):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticFunctionDescriptor):
            - setUpStaticFunctionSlot may not add, returns a bool.
        (JSC::lookupPut):
            - remove redundant branch.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
            - initialize new flag in constructors.
        * runtime/Structure.h:
        (JSC::Structure::staticFunctionsReified):
        (JSC::Structure::setStaticFunctionsReified):
            - added flag

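Editor's note: the following is an added example, not JavaScriptCore code and not part of the ChangeLog. It is the script-level check behind the entries for bug 61014 (built-ins served from static hash tables must be deletable and must not "bounce back" on the next access) and bug 70207 (a deleted static function must also disappear from Object.getOwnPropertyNames). The helper saves the property descriptor and restores it afterwards so the shared built-in is left exactly as found; `deleteBuiltin` and the choice of Math.abs and Math.PI as subjects are the editor's. Run with `node`.

```javascript
// Added example (not JavaScriptCore code): verify that deleting a built-in
// really removes it from every observable angle (bugs 61014 and 70207), then
// restore it so the environment is unchanged.
function deleteBuiltin(target, name) {
  const saved = Object.getOwnPropertyDescriptor(target, name);
  if (!saved) throw new Error(`${name} is not an own property of the target`);
  // Non-configurable built-ins (e.g. Math.PI) are correctly not deletable.
  if (!saved.configurable) return { configurable: false };
  try {
    const deleted = delete target[name];
    const ownAfterDelete = Object.prototype.hasOwnProperty.call(target, name);
    // Bug 70207: the name list must agree with hasOwnProperty.
    const listedAfterDelete = Object.getOwnPropertyNames(target).includes(name);
    // Bug 61014: a later access must not resurrect the entry from the static table.
    void target[name];
    const ownAfterAccess = Object.prototype.hasOwnProperty.call(target, name);
    const listedAfterAccess = Object.getOwnPropertyNames(target).includes(name);
    return {
      configurable: true,
      deleted,
      ownAfterDelete,
      listedAfterDelete,
      ownAfterAccess,
      listedAfterAccess,
    };
  } finally {
    // Put the built-in back with its original attributes.
    Object.defineProperty(target, name, saved);
  }
}

console.log(JSON.stringify(deleteBuiltin(Math, 'abs')));
console.log(JSON.stringify(deleteBuiltin(Math, 'PI')));
console.log(typeof Math.abs);   // 'function': restored
```

Expected on a conforming engine: for Math.abs, `deleted` is true and all four presence flags are false; for Math.PI the helper reports `configurable: false` and does nothing else. A sandbox or hardening layer that removes built-ins (for example to deny `Function` or `eval` to untrusted code) depends on exactly this property: if the engine lets a deleted static function bounce back on the next lookup, the removal is cosmetic.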
628 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
629
630         Rename virtual put to putVirtual
631         https://bugs.webkit.org/show_bug.cgi?id=69851
632
633         Reviewed by Darin Adler.
634
635         Renamed virtual versions of put to putVirtual in prepration for 
636         adding the static put to the MethodTable in ClassInfo since the 
637         compiler gets mad if the virtual and static versions have the same 
638         name.
639
640         * API/JSCallbackObject.h:
641         * API/JSCallbackObjectFunctions.h:
642         (JSC::::putVirtual):
643         * API/JSObjectRef.cpp:
644         (JSObjectSetProperty):
645         (JSObjectSetPropertyAtIndex):
646         * JavaScriptCore.exp:
647         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
648         * debugger/DebuggerActivation.cpp:
649         (JSC::DebuggerActivation::putVirtual):
650         (JSC::DebuggerActivation::put):
651         * debugger/DebuggerActivation.h:
652         * dfg/DFGOperations.cpp:
653         (JSC::DFG::putByVal):
654         * interpreter/Interpreter.cpp:
655         (JSC::Interpreter::execute):
656         * jit/JITStubs.cpp:
657         (JSC::DEFINE_STUB_FUNCTION):
658         * jsc.cpp:
659         (GlobalObject::finishCreation):
660         * runtime/Arguments.cpp:
661         (JSC::Arguments::putVirtual):
662         * runtime/Arguments.h:
663         * runtime/ArrayPrototype.cpp:
664         (JSC::putProperty):
665         (JSC::arrayProtoFuncConcat):
666         (JSC::arrayProtoFuncPush):
667         (JSC::arrayProtoFuncReverse):
668         (JSC::arrayProtoFuncShift):
669         (JSC::arrayProtoFuncSlice):
670         (JSC::arrayProtoFuncSort):
671         (JSC::arrayProtoFuncSplice):
672         (JSC::arrayProtoFuncUnShift):
673         (JSC::arrayProtoFuncFilter):
674         (JSC::arrayProtoFuncMap):
675         * runtime/JSActivation.cpp:
676         (JSC::JSActivation::putVirtual):
677         * runtime/JSActivation.h:
678         * runtime/JSArray.cpp:
679         (JSC::JSArray::putVirtual):
680         (JSC::JSArray::putSlowCase):
681         (JSC::JSArray::push):
682         (JSC::JSArray::shiftCount):
683         (JSC::JSArray::unshiftCount):
684         * runtime/JSArray.h:
685         * runtime/JSByteArray.cpp:
686         (JSC::JSByteArray::putVirtual):
687         * runtime/JSByteArray.h:
688         * runtime/JSCell.cpp:
689         (JSC::JSCell::putVirtual):
690         (JSC::JSCell::put):
691         * runtime/JSCell.h:
692         * runtime/JSFunction.cpp:
693         (JSC::JSFunction::putVirtual):
694         * runtime/JSFunction.h:
695         * runtime/JSGlobalObject.cpp:
696         (JSC::JSGlobalObject::putVirtual):
697         (JSC::JSGlobalObject::putWithAttributes):
698         * runtime/JSGlobalObject.h:
699         * runtime/JSNotAnObject.cpp:
700         (JSC::JSNotAnObject::putVirtual):
701         * runtime/JSNotAnObject.h:
702         * runtime/JSONObject.cpp:
703         (JSC::Walker::walk):
704         * runtime/JSObject.cpp:
705         (JSC::JSObject::putVirtual):
706         (JSC::JSObject::put):
707         (JSC::JSObject::defineOwnProperty):
708         * runtime/JSObject.h:
709         (JSC::JSValue::put):
710         * runtime/JSStaticScopeObject.cpp:
711         (JSC::JSStaticScopeObject::putVirtual):
712         * runtime/JSStaticScopeObject.h:
713         * runtime/Lookup.h:
714         (JSC::lookupPut):
715         * runtime/ObjectPrototype.cpp:
716         (JSC::ObjectPrototype::putVirtual):
717         * runtime/ObjectPrototype.h:
718         * runtime/RegExpConstructor.cpp:
719         (JSC::RegExpMatchesArray::fillArrayInstance):
720         (JSC::RegExpConstructor::putVirtual):
721         * runtime/RegExpConstructor.h:
722         * runtime/RegExpMatchesArray.h:
723         (JSC::RegExpMatchesArray::putVirtual):
724         * runtime/RegExpObject.cpp:
725         (JSC::RegExpObject::putVirtual):
726         * runtime/RegExpObject.h:
727         * runtime/StringObject.cpp:
728         (JSC::StringObject::putVirtual):
729         * runtime/StringObject.h:
730         * runtime/StringPrototype.cpp:
731         (JSC::stringProtoFuncSplit):
732
733 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
734
735         Reflective Arguments retrieval should be hardened for the
736         possibility of inlining
737         https://bugs.webkit.org/show_bug.cgi?id=70068
738
739         Reviewed by Oliver Hunt.
740         
741         CodeBlock can now track, as part of its RareData, the virtual inline
742         stack at callsites. CallFrame walking can now rematerialize "inline"
743         CallFrames by combining the meta-data in CodeBlock with the information
744         already in the JS stack. Arguments can now safely retrieve the
745         arguments from inline CallFrames.
746         
747         The DFG already had the notion of a "CodeOrigin" in preparation for
748         inlining. This notion will now be saved into the CodeBlock, if the DFG
749         had done inlining. So, CodeOrigin has been moved to bytecode/ and has
750         been changed to behave more like a struct since that is how it's
751         meant to be used.
752
753         * GNUmakefile.list.am:
754         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
755         * JavaScriptCore.xcodeproj/project.pbxproj:
756         * bytecode/CodeBlock.h:
757         (JSC::CodeBlock::inlineCallFrames):
758         (JSC::CodeBlock::codeOrigins):
759         (JSC::CodeBlock::hasCodeOrigins):
760         (JSC::CodeBlock::codeOriginForReturn):
761         * bytecode/CodeOrigin.h: Added.
762         (JSC::CodeOrigin::CodeOrigin):
763         (JSC::CodeOrigin::isSet):
764         (JSC::getCallReturnOffsetForCodeOrigin):
765         * dfg/DFGJITCompiler.cpp:
766         (JSC::DFG::JITCompiler::link):
767         * dfg/DFGNode.h:
768         * dfg/DFGSpeculativeJIT.cpp:
769         (JSC::DFG::SpeculativeJIT::compile):
770         * dfg/DFGSpeculativeJIT32_64.cpp:
771         (JSC::DFG::SpeculativeJIT::compile):
772         * dfg/DFGSpeculativeJIT64.cpp:
773         (JSC::DFG::SpeculativeJIT::compile):
774         * interpreter/CallFrame.cpp:
775         (JSC::CallFrame::isInlineCallFrame):
776         (JSC::CallFrame::trueCallerFrame):
777         * interpreter/CallFrame.h:
778         (JSC::ExecState::inlineCallFrame):
779         (JSC::ExecState::setInlineCallFrame):
780         (JSC::ExecState::isInlineCallFrame):
781         (JSC::ExecState::trueCallerFrame):
782         * interpreter/Interpreter.cpp:
783         (JSC::Interpreter::findFunctionCallFrame):
784         * interpreter/Register.h:
785         (JSC::Register::operator=):
786         (JSC::Register::inlineCallFrame):
787         * runtime/Arguments.h:
788         (JSC::Arguments::getArgumentsData):
789         (JSC::Arguments::finishCreationButDontCopyRegisters):
790         (JSC::Arguments::finishCreation):
791         (JSC::Arguments::finishCreationAndCopyRegisters):
792         * runtime/Executable.h:
793         (JSC::FunctionExecutable::parameterCount):
794
795 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
796
797         Rename virtual deleteProperty to deletePropertyVirtual
798         https://bugs.webkit.org/show_bug.cgi?id=69884
799
800         Reviewed by Darin Adler.
801
802         Renamed virtual versions of deleteProperty to deletePropertyVirtual in preparation for 
803         adding the static deleteProperty to the MethodTable in ClassInfo since the 
804         compiler gets mad if the virtual and static versions have the same name.
805
806         * API/JSCallbackObject.h:
807         * API/JSCallbackObjectFunctions.h:
808         (JSC::::deletePropertyVirtual):
809         (JSC::::deleteProperty):
810         * API/JSObjectRef.cpp:
811         (JSObjectDeleteProperty):
812         * JavaScriptCore.exp:
813         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
814         * debugger/DebuggerActivation.cpp:
815         (JSC::DebuggerActivation::deletePropertyVirtual):
816         (JSC::DebuggerActivation::deleteProperty):
817         * debugger/DebuggerActivation.h:
818         * jit/JITStubs.cpp:
819         (JSC::DEFINE_STUB_FUNCTION):
820         * runtime/Arguments.cpp:
821         (JSC::Arguments::deletePropertyVirtual):
822         * runtime/Arguments.h:
823         * runtime/ArrayPrototype.cpp:
824         (JSC::arrayProtoFuncPop):
825         (JSC::arrayProtoFuncReverse):
826         (JSC::arrayProtoFuncShift):
827         (JSC::arrayProtoFuncSplice):
828         (JSC::arrayProtoFuncUnShift):
829         * runtime/JSActivation.cpp:
830         (JSC::JSActivation::deletePropertyVirtual):
831         * runtime/JSActivation.h:
832         * runtime/JSArray.cpp:
833         (JSC::JSArray::deletePropertyVirtual):
834         (JSC::JSArray::deleteProperty):
835         * runtime/JSArray.h:
836         * runtime/JSCell.cpp:
837         (JSC::JSCell::deletePropertyVirtual):
838         (JSC::JSCell::deleteProperty):
839         * runtime/JSCell.h:
840         * runtime/JSFunction.cpp:
841         (JSC::JSFunction::deletePropertyVirtual):
842         * runtime/JSFunction.h:
843         * runtime/JSNotAnObject.cpp:
844         (JSC::JSNotAnObject::deletePropertyVirtual):
845         * runtime/JSNotAnObject.h:
846         * runtime/JSONObject.cpp:
847         (JSC::Walker::walk):
848         * runtime/JSObject.cpp:
849         (JSC::JSObject::deletePropertyVirtual):
850         (JSC::JSObject::deleteProperty):
851         (JSC::JSObject::defineOwnProperty):
852         * runtime/JSObject.h:
853         * runtime/JSVariableObject.cpp:
854         (JSC::JSVariableObject::deletePropertyVirtual):
855         * runtime/JSVariableObject.h:
856         * runtime/RegExpMatchesArray.h:
857         (JSC::RegExpMatchesArray::deletePropertyVirtual):
858         * runtime/StrictEvalActivation.cpp:
859         (JSC::StrictEvalActivation::deletePropertyVirtual):
860         * runtime/StrictEvalActivation.h:
861         * runtime/StringObject.cpp:
862         (JSC::StringObject::deletePropertyVirtual):
863         * runtime/StringObject.h:
864
865 2011-10-14  Peter Beverloo  <peter@chromium.org>
866
867         [Chromium] Inherit settings from Chromium's envsetup.sh, address a NDK todo
868         https://bugs.webkit.org/show_bug.cgi?id=70028
869
870         Reviewed by Adam Barth.
871
872         * JavaScriptCore.gyp/JavaScriptCore.gyp:
873
874 2011-10-14  Yuqiang Xian  <yuqiang.xian@intel.com>
875
876         DFG JIT 32_64 - Performance fix for ResolveGlobal
877         https://bugs.webkit.org/show_bug.cgi?id=70096
878
879         Reviewed by Gavin Barraclough.
880
881         Structure check of global object should be a pointer comparison
882         instead of a tag and payload pair comparison. This fix improves
883         SunSpider by 7% on Linux 32, with bitops-bitwise-and improved by 4.75X.
884         Also two trivial fixes for successful 32-bit build are included.
885
886         * dfg/DFGSpeculativeJIT.cpp:
887         * dfg/DFGSpeculativeJIT32_64.cpp:
888         (JSC::DFG::SpeculativeJIT::compile):
889
890 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
891
892         Speculation failures in ValueToInt32 are causing a 2x slow-down
893         in Kraken/stanford-crypto-pbkdf2
894         https://bugs.webkit.org/show_bug.cgi?id=70089
895
896         Reviewed by Gavin Barraclough.
897         
898         If we can't truncate to Int32 using machine code, then don't fail
899         speculation. Just call JSC::toInt32.
900
901         * dfg/DFGJITCodeGenerator.h:
902         (JSC::DFG::callOperation):
903         * dfg/DFGOperations.h:
904         * dfg/DFGSpeculativeJIT.cpp:
905         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
906         * dfg/DFGSpeculativeJIT64.cpp:
907         (JSC::DFG::SpeculativeJIT::compile):
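
Added example (editorial; not code from the entry above or from JavaScriptCore): the two paths a ValueToInt32 conversion can take, as the entry describes. fastTruncateToInt32 stands in for the machine-code truncation (it succeeds only when the double is already an integral value in int32 range) and slowToInt32 for the generic ECMA-262 ToInt32 that a call-out such as JSC::toInt32 performs; a fast-path miss falls through to the slow path instead of being treated as a failed speculation. All function names are this example's own.

```cpp
// Added example (not JavaScriptCore code). Function names are made up here.
#include <cmath>
#include <cstdint>

static const double kTwoTo32 = 4294967296.0;
static const double kTwoTo31 = 2147483648.0;

// Fast path: what a truncating convert plus a round-trip check proves.
// Returns true and stores the result only if d is integral and in int32
// range; any other input (fraction, NaN, infinity, out of range) is a miss,
// not an error, so the caller can fall back to the slow path.
static bool fastTruncateToInt32(double d, int32_t* out) {
    if (!(d >= -kTwoTo31 && d < kTwoTo31))   // comparisons with NaN are false
        return false;
    int32_t i = static_cast<int32_t>(d);      // in range, so the cast is well defined
    if (static_cast<double>(i) != d)
        return false;                          // had a fractional part
    *out = i;
    return true;
}

// Slow path: ECMA-262 ToInt32. NaN, +-0 and +-Infinity map to 0; otherwise
// truncate toward zero, reduce modulo 2^32 into [0, 2^32), then reinterpret
// values >= 2^31 as negative. fmod on doubles is exact, so no rounding occurs.
int32_t slowToInt32(double d) {
    if (!std::isfinite(d) || d == 0.0)
        return 0;
    double t = std::trunc(d);
    double m = std::fmod(t, kTwoTo32);        // keeps the sign of t
    if (m < 0)
        m += kTwoTo32;                         // now 0 <= m < 2^32
    if (m >= kTwoTo31)
        m -= kTwoTo32;                         // wrap into int32 range
    return static_cast<int32_t>(m);
}

// The ValueToInt32 operation: try the cheap truncation first and, on a miss,
// call the generic routine rather than bailing out of speculative code.
int32_t valueToInt32(double d) {
    int32_t r;
    if (fastTruncateToInt32(d, &r))
        return r;
    return slowToInt32(d);
}

// Reports which path a given input takes (for inspection and tests).
bool tookFastPath(double d) {
    int32_t r;
    return fastTruncateToInt32(d, &r);
}
```

The fast path deliberately rejects NaN, infinities, fractions and out-of-range values rather than erroring; the slow path maps NaN, +-0 and +-Infinity to 0 and reduces everything else modulo 2^32, so 2^32 + 5 becomes 5 and 2^31 wraps to INT32_MIN. Because fmod on doubles is exact, the reduction introduces no rounding even for inputs like 1e20.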
908
909 2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>
910
911         Rename virtual getConstructData to getConstructDataVirtual
912         https://bugs.webkit.org/show_bug.cgi?id=69872
913
914         Reviewed by Geoffrey Garen.
915
916         Renamed virtual getConstructData functions to getConstructDataVirtual to 
917         avoid conflicts when we add static getConstructData to the MethodTable.
918
919         * API/JSCallbackConstructor.cpp:
920         (JSC::JSCallbackConstructor::getConstructDataVirtual):
921         * API/JSCallbackConstructor.h:
922         * API/JSCallbackObject.h:
923         * API/JSCallbackObjectFunctions.h:
924         (JSC::::getConstructDataVirtual):
925         * API/JSObjectRef.cpp:
926         (JSObjectIsConstructor):
927         (JSObjectCallAsConstructor):
928         * JavaScriptCore.exp:
929         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
930         * dfg/DFGOperations.cpp:
931         * jit/JITStubs.cpp:
932         (JSC::DEFINE_STUB_FUNCTION):
933         * runtime/ArrayConstructor.cpp:
934         (JSC::ArrayConstructor::getConstructDataVirtual):
935         * runtime/ArrayConstructor.h:
936         * runtime/BooleanConstructor.cpp:
937         (JSC::BooleanConstructor::getConstructDataVirtual):
938         * runtime/BooleanConstructor.h:
939         * runtime/DateConstructor.cpp:
940         (JSC::DateConstructor::getConstructDataVirtual):
941         * runtime/DateConstructor.h:
942         * runtime/Error.h:
943         (JSC::StrictModeTypeErrorFunction::getConstructDataVirtual):
944         * runtime/ErrorConstructor.cpp:
945         (JSC::ErrorConstructor::getConstructDataVirtual):
946         * runtime/ErrorConstructor.h:
947         * runtime/FunctionConstructor.cpp:
948         (JSC::FunctionConstructor::getConstructDataVirtual):
949         * runtime/FunctionConstructor.h:
950         * runtime/JSCell.cpp:
951         (JSC::JSCell::getConstructDataVirtual):
952         * runtime/JSCell.h:
953         (JSC::getConstructData):
954         * runtime/JSFunction.cpp:
955         (JSC::JSFunction::getConstructDataVirtual):
956         * runtime/JSFunction.h:
957         * runtime/NativeErrorConstructor.cpp:
958         (JSC::NativeErrorConstructor::getConstructDataVirtual):
959         * runtime/NativeErrorConstructor.h:
960         * runtime/NumberConstructor.cpp:
961         (JSC::NumberConstructor::getConstructDataVirtual):
962         * runtime/NumberConstructor.h:
963         * runtime/ObjectConstructor.cpp:
964         (JSC::ObjectConstructor::getConstructDataVirtual):
965         * runtime/ObjectConstructor.h:
966         * runtime/RegExpConstructor.cpp:
967         (JSC::RegExpConstructor::getConstructDataVirtual):
968         * runtime/RegExpConstructor.h:
969         * runtime/StringConstructor.cpp:
970         (JSC::StringConstructor::getConstructDataVirtual):
971         * runtime/StringConstructor.h:
972
973 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
974
975         Rubber stamped Stephanie Lewis.
976         
977         DFG_ENABLE() macro was always returning false.
978
979         * dfg/DFGNode.h:
980
981 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
982
983         Speculative build fix for !DFG builds.
984
985         * jit/JIT.cpp:
986         (JSC::JIT::privateCompile):
987
988 2011-10-13  Oliver Hunt  <oliver@apple.com>
989
990         Fix performance of ValueToInt32 node when predicting double
991         https://bugs.webkit.org/show_bug.cgi?id=70063
992
993         Reviewed by Filip Pizlo.
994
995         Currently we fail to inline double to int conversion when
996         performing a ValueToInt32 operation on a value we predict
997         to be a double.
998
999         * dfg/DFGAbstractState.cpp:
1000         (JSC::DFG::AbstractState::execute):
1001            Apply correct filter for the double prediction path
1002         * dfg/DFGJITCodeGenerator32_64.cpp:
1003         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1004         * dfg/DFGJITCodeGenerator64.cpp:
1005         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1006            Support double parameters even when value has been spilled.
1007         * dfg/DFGSpeculativeJIT.cpp:
1008         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1009            Moved old valueToInt32 code to this function, and added
1010            path for double prediction.
1011         * dfg/DFGSpeculativeJIT.h:
1012         * dfg/DFGSpeculativeJIT32_64.cpp:
1013         (JSC::DFG::SpeculativeJIT::compile):
1014         * dfg/DFGSpeculativeJIT64.cpp:
1015         (JSC::DFG::SpeculativeJIT::compile):
1016            Made the two implementations of ValueToInt32 call a single
1017            shared compileValueToInt32 function.
1018
1019 2011-10-13  Chris Marrin  <cmarrin@apple.com>
1020
1021         Sync requestAnimationFrame callback to CVDisplayLink on Mac
1022         https://bugs.webkit.org/show_bug.cgi?id=68911
1023
1024         Reviewed by Simon Fraser.
1025
1026         Add REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for implementations
1027         that use the DisplayRefreshMonitor logic.
1028
1029         * wtf/Platform.h:
1030
1031 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1032
1033         DFG JIT should not be using ENABLE macro to enable features
1034         https://bugs.webkit.org/show_bug.cgi?id=70060
1035
1036         Reviewed by Oliver Hunt.
1037
1038         The ENABLE macro is only intended to be used to detect features that are configured
1039         in Platform.h. Using it to detect settings defined in other headers is an error.
1040
1041         The problem is that the ENABLE macro checks if the value is defined, so will silently
1042         return false if you fail to include the header defining the switch. This is not a problem
1043         if (1) the settings are defined in the same header that defines the macro that tests them,
1044         or (2) the header is included everywhere.  In the case of ENABLE settings defined in
1045         Platform.h, both are true! To make this clear, add an explicit DFG_ENABLE macro.
1046
1047         * bytecode/CodeBlock.cpp:
1048         * dfg/DFGByteCodeParser.cpp:
1049         (JSC::DFG::ByteCodeParser::getPrediction):
1050         (JSC::DFG::ByteCodeParser::makeSafe):
1051         * dfg/DFGCapabilities.h:
1052         (JSC::DFG::canCompileOpcode):
1053         * dfg/DFGGraph.cpp:
1054         (JSC::DFG::Graph::predictArgumentTypes):
1055         * dfg/DFGJITCodeGenerator.cpp:
1056         * dfg/DFGJITCodeGenerator.h:
1057         * dfg/DFGJITCompiler.cpp:
1058         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1059         (JSC::DFG::JITCompiler::compileBody):
1060         (JSC::DFG::JITCompiler::link):
1061         * dfg/DFGJITCompiler.h:
1062         (JSC::DFG::JITCompiler::noticeOSREntry):
1063         * dfg/DFGJITCompiler32_64.cpp:
1064         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1065         (JSC::DFG::JITCompiler::compileBody):
1066         (JSC::DFG::JITCompiler::link):
1067         * dfg/DFGNode.h:
1068         * dfg/DFGOSREntry.cpp:
1069         (JSC::DFG::prepareOSREntry):
1070         * dfg/DFGOperations.cpp:
1071         * dfg/DFGOperations.h:
1072         * dfg/DFGPropagator.cpp:
1073         (JSC::DFG::Propagator::fixpoint):
1074         (JSC::DFG::Propagator::propagateArithNodeFlags):
1075         (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
1076         (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
1077         (JSC::DFG::Propagator::propagateNodePredictions):
1078         (JSC::DFG::Propagator::propagatePredictionsForward):
1079         (JSC::DFG::Propagator::propagatePredictionsBackward):
1080         (JSC::DFG::Propagator::propagatePredictions):
1081         (JSC::DFG::Propagator::toDouble):
1082         (JSC::DFG::Propagator::fixupNode):
1083         (JSC::DFG::Propagator::fixup):
1084         (JSC::DFG::Propagator::startIndexForChildren):
1085         (JSC::DFG::Propagator::endIndexForPureCSE):
1086         (JSC::DFG::Propagator::setReplacement):
1087         (JSC::DFG::Propagator::eliminate):
1088         (JSC::DFG::Propagator::performNodeCSE):
1089         (JSC::DFG::Propagator::localCSE):
1090         (JSC::DFG::Propagator::allocateVirtualRegisters):
1091         (JSC::DFG::Propagator::performBlockCFA):
1092         (JSC::DFG::Propagator::performForwardCFA):
1093         (JSC::DFG::Propagator::globalCFA):
1094         * dfg/DFGScoreBoard.h:
1095         * dfg/DFGSpeculativeJIT.cpp:
1096         (JSC::DFG::SpeculativeJIT::compile):
1097         * dfg/DFGSpeculativeJIT.h:
1098         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1099         * dfg/DFGSpeculativeJIT32_64.cpp:
1100         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1101         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1102         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1103         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1104         (JSC::DFG::SpeculativeJIT::compile):
1105         * dfg/DFGSpeculativeJIT64.cpp:
1106         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1107         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1108         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1109         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1110         (JSC::DFG::SpeculativeJIT::compile):
1111         * jit/JIT.cpp:
1112         (JSC::JIT::privateCompile):
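
Added example (editorial; not WebKit code): why an ENABLE()-style macro silently reads as false when the header that defines its switch has not been included, and why defining a feature family's macro in the same header as its switches (the DFG_ENABLE approach the entry describes) turns that silent false into a loud error. WebKit's ENABLE() also checks `defined ENABLE_X` before the value; the simplified form here reproduces the same silent-false behaviour. ENABLE_DEMO_FEATURE, DEMO_ENABLE and the DEMO_ENABLE_* switches are made up for this demonstration.

```cpp
// Added example (not WebKit code). All DEMO_* names are constructed here.

// In an #if expression an identifier that is not a macro evaluates to 0, so
// ENABLE(F) is "false" until ENABLE_F has been defined, with no diagnostic.
#define ENABLE(F) (ENABLE_##F)

// 1. Test the switch before the "settings header" has been seen.
#if ENABLE(DEMO_FEATURE)
#define SEEN_BEFORE_SETTINGS 1
#else
#define SEEN_BEFORE_SETTINGS 0
#endif

// 2. Simulate including the settings header that turns the feature on.
#define ENABLE_DEMO_FEATURE 1

// 3. Same test again, now that the switch is defined.
#if ENABLE(DEMO_FEATURE)
#define SEEN_AFTER_SETTINGS 1
#else
#define SEEN_AFTER_SETTINGS 0
#endif

// Hardened form: the family macro lives in the same header as its switches,
// so there is no way to have the macro without the settings. Writing
// "#if DEMO_ENABLE(CHECKS)" before that header is included is then a
// preprocessor error (an undefined identifier followed by "(" is not a valid
// #if expression), not a quiet 0.
#define DEMO_ENABLE_VERBOSE 0
#define DEMO_ENABLE_CHECKS 1
#define DEMO_ENABLE(F) (DEMO_ENABLE_##F)

#if DEMO_ENABLE(CHECKS)
#define DEMO_CHECKS_ON 1
#else
#define DEMO_CHECKS_ON 0
#endif

int checkedBeforeSettings() { return SEEN_BEFORE_SETTINGS; }  // 0: silently false
int checkedAfterSettings()  { return SEEN_AFTER_SETTINGS; }   // 1
int demoChecksOn()          { return DEMO_CHECKS_ON; }        // 1
```

The first probe and the second see the same macro and the same intended setting, yet disagree, which is exactly the failure mode the entry warns about: nothing tells you the include was missing. The hardened form relies on the macro and its switches being inseparable, so a missing include surfaces at compile time instead of as a feature that is mysteriously off.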
1113
1114 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1115
1116         terminateSpeculativeExecution for fillSpeculateDouble with DataFormatCell
1117
1118         Rubber stamped by Filip Pizlo.
1119
1120         This is breaking fast/canvas/canvas-composite-alpha.html on 32_64 DFG JIT.
1121
1122         * dfg/DFGSpeculativeJIT32_64.cpp:
1123         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1124         * dfg/DFGSpeculativeJIT64.cpp:
1125         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1126
1127 2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1128
1129         De-virtualized JSCell::toNumber
1130         https://bugs.webkit.org/show_bug.cgi?id=69858
1131
1132         Reviewed by Sam Weinig.
1133
1134
1135         Removed JSCallbackObject::toNumber because it's no longer necessary since 
1136         JSObject::toNumber now suffices since we implicitly add valueOf to an object's
1137         prototype whenever a convertToType callback is provided.
1138         * API/JSCallbackObject.h:
1139         * API/JSCallbackObjectFunctions.h:
1140         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1141
1142         De-virtualized JSCell::toNumber, JSObject::toNumber, and JSString::toNumber.
1143         * runtime/JSCell.cpp:
1144         (JSC::JSCell::toNumber):
1145         * runtime/JSCell.h:
1146         * runtime/JSObject.h:
1147         * runtime/JSString.h:
1148
1149         Removed JSNotAnObject::toNumber because its result doesn't matter and it implements 
1150         defaultValue, therefore JSObject::toNumber can cover its case.
1151         * runtime/JSNotAnObject.cpp:
1152         * runtime/JSNotAnObject.h:
1153
1154 2011-10-13  Xianzhu Wang  <wangxianzhu@chromium.org>
1155
1156         Use realloc() to expand/shrink StringBuilder buffer
1157         https://bugs.webkit.org/show_bug.cgi?id=69913
1158
1159         Reviewed by Darin Adler.
1160
1161         * wtf/text/StringBuilder.cpp:
1162         (WTF::StringBuilder::reserveCapacity):
1163         (WTF::StringBuilder::reallocateBuffer):
1164         (WTF::StringBuilder::appendUninitialized):
1165         (WTF::StringBuilder::shrinkToFit):
1166         * wtf/text/StringBuilder.h:
1167         * wtf/text/StringImpl.cpp:
1168         (WTF::StringImpl::reallocate): Added to allow StringBuilder to reallocate the buffer.
1169         * wtf/text/StringImpl.h:
1170
1171 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1172
1173         If an Arguments object is being used to copy the arguments, then
1174         make this explicit
1175         https://bugs.webkit.org/show_bug.cgi?id=69995
1176
1177         Reviewed by Sam Weinig.
1178
1179         * interpreter/Interpreter.cpp:
1180         (JSC::Interpreter::retrieveArguments):
1181         * runtime/Arguments.h:
1182         (JSC::Arguments::createAndCopyRegisters):
1183         (JSC::Arguments::finishCreationButDontCopyRegisters):
1184         (JSC::Arguments::finishCreation):
1185         (JSC::Arguments::finishCreationAndCopyRegisters):
1186
1187 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1188
1189         DFG CFA does not filter structures aggressively enough.
1190         https://bugs.webkit.org/show_bug.cgi?id=69989
1191
1192         Reviewed by Oliver Hunt.
1193
1194         * dfg/DFGAbstractValue.h:
1195         (JSC::DFG::AbstractValue::clear):
1196         (JSC::DFG::AbstractValue::makeTop):
1197         (JSC::DFG::AbstractValue::clobberStructures):
1198         (JSC::DFG::AbstractValue::set):
1199         (JSC::DFG::AbstractValue::merge):
1200         (JSC::DFG::AbstractValue::filter):
1201         (JSC::DFG::AbstractValue::checkConsistency):
1202
1203 2011-10-12  Adam Barth  <abarth@webkit.org>
1204
1205         Remove ENABLE(XHTMLMP) and associated code
1206         https://bugs.webkit.org/show_bug.cgi?id=69729
1207
1208         Reviewed by David Levin.
1209
1210         * Configurations/FeatureDefines.xcconfig:
1211
1212 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1213
1214         MacroAssemblerX86 8-bit register ops unsafe on CPU(X86)
1215         https://bugs.webkit.org/show_bug.cgi?id=69978
1216
1217         Reviewed by Filip Pizlo.
1218
1219         Certain ops are unsafe if the register passed is esp..edi (will instead test/set the ).
1220
1221         compare32/test8/test32 call setCC, which sets an 8-bit register - we can fix this by adding
1222         a couple of xchg instructions.
1223
1224         branchTest8 with a register argument is also affected. In all cases where this is currently used,
1225         it is testing a value that is correct to 32 or more bits, so we can simply switch these
1226         to branchTest32 & remove the corresponding branchTest8 (this is desirable anyway, since the
1227         32-bit form is cheaper to implement on platforms that don't have an 8-bit compare instruction).
1228
1229         This fixes the remaining fast/js failures with the DFG JIT 32_64.
1230
1231         * assembler/MacroAssemblerARMv7.h:
1232             - removed branchTest8.
1233         * assembler/MacroAssemblerX86Common.h:
1234         (JSC::MacroAssemblerX86Common::compare32):
1235         (JSC::MacroAssemblerX86Common::test8):
1236         (JSC::MacroAssemblerX86Common::test32):
1237         (JSC::MacroAssemblerX86Common::set32):
1238             - added set32 helper that is 'h' register safe.
1239             - removed branchTest8.
1240         * dfg/DFGJITCodeGenerator32_64.cpp:
1241         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1242         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1243             - switch uses of branchTest8 to branchTest32.
1244         * dfg/DFGJITCodeGenerator64.cpp:
1245         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1246         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1247             - switch uses of branchTest8 to branchTest32.
1248         * dfg/DFGSpeculativeJIT32_64.cpp:
1249         (JSC::DFG::SpeculativeJIT::emitBranch):
1250             - switch uses of branchTest8 to branchTest32.
1251         * dfg/DFGSpeculativeJIT64.cpp:
1252         (JSC::DFG::SpeculativeJIT::emitBranch):
1253             - switch uses of branchTest8 to branchTest32.
1254
1255 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1256
1257         Errrk, revert accidental commit!
1258
1259         * wtf/Platform.h:
1260
1261 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1262
1263         Unreviewed, re-land changes from #69890, #69903.
1264
1265         These were reverted due to bug #69897, but #69903 fixed this problem.
1266
1267         * dfg/DFGJITCodeGenerator.h:
1268         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1269
1270 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1271
1272         ValueProfile::computeUpdatedPrediction doesn't merge statistics correctly
1273         https://bugs.webkit.org/show_bug.cgi?id=69906
1274
1275         Reviewed by Gavin Barraclough.
1276         
1277         It turns out that the simplest fix is to switch computeUpdatedPredictions()
1278         to using predictionFromValue() combined with mergePrediction(). Doing so
1279         allowed me to kill off weakBuckets and visitWeakReferences(). Hence this
1280         not only fixes a performance bug but kills off a lot of code that I never
1281         liked to begin with.
1282         
1283         This appears to be a 1% win on V8.
1284
1285         * bytecode/CodeBlock.cpp:
1286         (JSC::CodeBlock::visitAggregate):
1287         * bytecode/CodeBlock.h:
1288         * bytecode/PredictedType.cpp:
1289         (JSC::predictionFromValue):
1290         * bytecode/ValueProfile.cpp:
1291         (JSC::ValueProfile::computeStatistics):
1292         (JSC::ValueProfile::computeUpdatedPrediction):
1293         * bytecode/ValueProfile.h:
1294         (JSC::ValueProfile::classInfo):
1295         (JSC::ValueProfile::numberOfSamples):
1296         (JSC::ValueProfile::isLive):
1297         (JSC::ValueProfile::dump):
1298
1299 2011-10-12  Mark Hahnenberg  <mhahnenberg@apple.com>
1300
1301         De-virtualize JSCell::toString
1302         https://bugs.webkit.org/show_bug.cgi?id=69677
1303
1304         Reviewed by Sam Weinig.
1305
1306         Removed toString from JSCallbackObject, since it is no 
1307         longer necessary since we now implicitly add toString and valueOf
1308         functions to object prototypes when a convertToType callback 
1309         is provided, which is now the standard way to override toString 
1310         and valueOf in the JSC C API.
1311         * API/JSCallbackObject.h:
1312         * API/JSCallbackObjectFunctions.h:
1313         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1314
1315         Removed toString from InterruptedExecutionError and 
1316         TerminatedExecutionError and replaced it with defaultValue,
1317         which JSObject::toString calls.  We'll probably have to de-virtualize 
1318         defaultValue eventually, but we'll cross that bridge when we 
1319         come to it.
1320         * runtime/ExceptionHelpers.cpp:
1321         (JSC::InterruptedExecutionError::defaultValue):
1322         (JSC::TerminatedExecutionError::defaultValue):
1323         * runtime/ExceptionHelpers.h:
1324
1325         Removed toString from JSNotAnObject, since its return value doesn't
1326         actually matter and JSObject::toString can cover it.
1327         * runtime/JSNotAnObject.cpp:
1328         * runtime/JSNotAnObject.h:
1329
1330         De-virtualized JSCell::toString, JSObject::toString and JSString::toString.
1331         Added handling of all cases for JSCell to JSCell::toString.
1332         * runtime/JSObject.h:
1333         * runtime/JSString.h:
1334         * runtime/JSCell.cpp:
1335         (JSC::JSCell::toString):
1336         * runtime/JSCell.h:
1337
1338 2011-10-12  Oliver Hunt  <oliver@apple.com>
1339
1340         Global stringStructure caches its prototype chain, abandoning a web page
1341         https://bugs.webkit.org/show_bug.cgi?id=69952
1342
1343         Reviewed by Filip Pizlo.
1344
1345         When visiting a structure, we don't keep the prototype chain
1346         alive if we're not the structure for an object type.
1347
1348         * runtime/Structure.cpp:
1349         (JSC::Structure::visitChildren):
1350
1351 2011-10-12  Yuqiang Xian  <yuqiang.xian@intel.com>
1352
1353         DFG JIT 32_64 - Fix ArrayPop
1354         https://bugs.webkit.org/show_bug.cgi?id=69918
1355
1356         Reviewed by Filip Pizlo.
1357
1358         The storageLengthGPR is polluted by EmptyValueTag and later used to
1359         index the array, which results in abnormal behaviors in execution.
1360         This fix makes 32_64 DFG pass v8-deltablue and kraken
1361         crypto-sha256-iterative on Linux ia32.
1362
1363         * assembler/MacroAssemblerX86Common.h:
1364         (JSC::MacroAssemblerX86Common::store32):
1365         * assembler/X86Assembler.h:
1366         (JSC::X86Assembler::movl_i32m):
1367         * dfg/DFGSpeculativeJIT32_64.cpp:
1368         (JSC::DFG::SpeculativeJIT::compile):
1369
1370 2011-10-12  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>
1371
1372         Fix build with GLib 2.31
1373         https://bugs.webkit.org/show_bug.cgi?id=69840
1374
1375         Reviewed by Martin Robinson.
1376
1377         * GNUmakefile.list.am: removed ThreadingGtk.cpp.
1378         * wtf/ThreadingPrimitives.h: remove GTK+-specific definitions.
1379         * wtf/gobject/GOwnPtr.cpp: remove GCond and GMutex specializations.
1380         * wtf/gobject/GOwnPtr.h: ditto.
1381         * wtf/gobject/GTypedefs.h: remove GCond and GMutex forward declarations.
1382         * wtf/gtk/ThreadingGtk.cpp: Removed.
1383
1384 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1385
1386         Layout tests crashing in DFG JIT code
1387         https://bugs.webkit.org/show_bug.cgi?id=69897
1388
1389         Reviewed by Gavin Barraclough.
1390         
1391         Abstract value filtration didn't take into account cases where a structure
1392         set filter, combined with predicted type knowledge, could lead to a stronger
1393         filter for the structure abstract value.
1394         
1395         This bug would have been benign in release builds; it would have just meant
1396         that the analysis was less precise and some optimization opportunities would
1397         be missed. I have an ASSERT that is meant to catch such cases, and it was
1398         triggering sporadically in one of the LayoutTests.
1399
1400         * dfg/DFGAbstractValue.h:
1401         (JSC::DFG::AbstractValue::filter):
1402
1403 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
1404
1405         Unreviewed, temporarily reverted r97216 due to bug #69897.
1406
1407         * dfg/DFGJITCodeGenerator.h:
1408         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1409
1410 2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>
1411
1412         DFG 32_64 - fix silentFillGPR
1413         https://bugs.webkit.org/show_bug.cgi?id=69903
1414
1415         Reviewed by Filip Pizlo.
1416
1417         Fix a small bug in silentFillGPR,
1418         and add the newly introduced DFG file to CMakeListsEfl.
1419
1420         * CMakeListsEfl.txt:
1421         * dfg/DFGJITCodeGenerator.h:
1422         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1423
1424 2011-10-08  Filip Pizlo  <fpizlo@apple.com>
1425
1426         DFG does not have flow-sensitive intraprocedural control flow analysis
1427         https://bugs.webkit.org/show_bug.cgi?id=69690
1428
1429         Reviewed by Gavin Barraclough.
1430
1431         Implemented a control flow analysis (CFA). It currently propagates type
1432         proofs only. For example, if all predecessors to a basic block have
1433         checks that variable X is a JSFinalObject with structure 0xabcdef, then
1434         this basic block will now know this fact and will know that it does not
1435         have to emit either JSFinalObject checks or any structure checks since
1436         the structure is precisely known. The CFA takes heap side-effects into
1437         account (though somewhat conservatively), so that if the object pointed
1438         to by variable X could have possibly undergone a structure transition
1439         then this is reflected: the analysis may simply say that X's structure
1440         is unknown.
1441         
1442         This also propagates a wealth of other type information which is
1443         currently not being used. For example, we now know when a variable can
1444         only hold doubles. Even if a variable may hold other types at different
1445         points in its live range, we can still prove exactly when it will only
1446         be double.
1447         
1448         There's a bunch of stuff that the CFA could do that it still does not
1449         do, like precise handling of PutStructure (i.e. structure transitions),
1450         precise handling of CheckFunction and CheckMethod, etc. So this is
1451         very much intended to be a starting point rather than an end unto
1452         itself.
1453         
1454         This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue)
1455         and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate).
1456         Neutral on SunSpider.
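
Added example (editorial; not DFG code): a minimal forward control-flow analysis in the spirit of the entry above, tracking which structures variable X can have at each basic block. Per-block knowledge is a set of structure ids (a bitmask) or TOP; a passed structure check narrows it to one structure, a heap side effect conservatively resets it to TOP, and each block head takes the union of its predecessors' tails, iterated to a fixpoint. Type names, function names and the sample CFG are this example's own constructions.

```cpp
// Added example (not DFG code). Names and the sample CFG are constructed here.
#include <cstdint>

// Abstract value for X's structure: a set of structure ids as a bitmask, or
// TOP ("could be any structure", e.g. after a possible transition).
struct StructureSet {
    uint32_t structures;
    bool isTop;
};

enum Op { OP_NONE, OP_CHECK_STRUCTURE, OP_CLOBBER_HEAP };

struct BasicBlock {
    int numPreds;
    int preds[2];
    Op op;
    int structure;  // operand of OP_CHECK_STRUCTURE
};

static StructureSet topSet()          { return StructureSet{0, true}; }
static StructureSet clearSet()        { return StructureSet{0, false}; }
static StructureSet singleton(int id) { return StructureSet{1u << id, false}; }

static bool sameSet(StructureSet a, StructureSet b) {
    return a.isTop == b.isTop && (a.isTop || a.structures == b.structures);
}

// Merge at a block head: union over predecessors; TOP absorbs everything.
static StructureSet merge(StructureSet a, StructureSet b) {
    if (a.isTop || b.isTop)
        return topSet();
    return StructureSet{a.structures | b.structures, false};
}

// Transfer function for one block. A passed structure check proves X has
// exactly that structure afterwards. A heap side effect may have transitioned
// the object, so the analysis conservatively forgets what it knew.
static StructureSet execute(const BasicBlock& b, StructureSet in) {
    switch (b.op) {
    case OP_CHECK_STRUCTURE: return singleton(b.structure);
    case OP_CLOBBER_HEAP:    return topSet();
    default:                 return in;
    }
}

// Iterate to a fixpoint. Block 0 is the entry and starts at TOP (nothing is
// known about X on entry); blocks never reached stay CLEAR.
void runCFA(const BasicBlock* blocks, int n, StructureSet* atHead, StructureSet* atTail) {
    for (int i = 0; i < n; i++)
        atHead[i] = atTail[i] = clearSet();
    bool changed = true;
    while (changed) {
        changed = false;
        for (int i = 0; i < n; i++) {
            StructureSet in = (i == 0) ? topSet() : clearSet();
            for (int p = 0; p < blocks[i].numPreds; p++)
                in = merge(in, atTail[blocks[i].preds[p]]);
            StructureSet out = execute(blocks[i], in);
            if (!sameSet(in, atHead[i]) || !sameSet(out, atTail[i])) {
                atHead[i] = in;
                atTail[i] = out;
                changed = true;
            }
        }
    }
}

// A check for `structure` at the head of `block` can be dropped only when the
// analysis proves X has exactly that structure there.
bool needsStructureCheck(const StructureSet* atHead, int block, int structure) {
    return !sameSet(atHead[block], singleton(structure));
}

// Constructed sample CFG (structure ids 1 and 2 are made up):
//   B0: entry, checks X has structure 1
//   B1: pred B0, no side effects
//   B2: pred B0, heap side effect (possible transition)
//   B3: preds B1,B2  -> join of {1} and TOP = TOP
//   B4: preds B0,B1  -> join of {1} and {1} = {1}
//   B5: pred B0, checks X has structure 2
//   B6: preds B1,B5  -> join of {1} and {2} = {1,2}
bool sampleNeedsCheckForStructure1(int block) {
    const BasicBlock cfg[7] = {
        {0, {0, 0}, OP_CHECK_STRUCTURE, 1},
        {1, {0, 0}, OP_NONE, 0},
        {1, {0, 0}, OP_CLOBBER_HEAP, 0},
        {2, {1, 2}, OP_NONE, 0},
        {2, {0, 1}, OP_NONE, 0},
        {1, {0, 0}, OP_CHECK_STRUCTURE, 2},
        {2, {1, 5}, OP_NONE, 0},
    };
    StructureSet head[7], tail[7];
    runCFA(cfg, 7, head, tail);
    return needsStructureCheck(head, block, 1);
}
```

In the sample CFG the join after a side-effecting block (B3) and the join of two different proven structures (B6) both still need a check, while the join of two predecessors that each proved structure 1 (B4) does not; that is the "structure precisely known, emit no check" case the entry describes, and the conservative clobber is what downgrades a proven structure to unknown whenever a transition could have happened in between.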
1457
1458         * GNUmakefile.list.am:
1459         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1460         * JavaScriptCore.xcodeproj/project.pbxproj:
1461         * bytecode/ActionablePrediction.h: Removed.
1462         * bytecode/PredictedType.cpp:
1463         (JSC::predictionToString):
1464         * bytecode/PredictedType.h:
1465         * dfg/DFGAbstractState.cpp: Added.
1466         (JSC::DFG::AbstractState::AbstractState):
1467         (JSC::DFG::AbstractState::~AbstractState):
1468         (JSC::DFG::AbstractState::beginBasicBlock):
1469         (JSC::DFG::AbstractState::initialize):
1470         (JSC::DFG::AbstractState::endBasicBlock):
1471         (JSC::DFG::AbstractState::reset):
1472         (JSC::DFG::AbstractState::execute):
1473         (JSC::DFG::AbstractState::clobberStructures):
1474         (JSC::DFG::AbstractState::mergeStateAtTail):
1475         (JSC::DFG::AbstractState::merge):
1476         (JSC::DFG::AbstractState::mergeToSuccessors):
1477         (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
1478         (JSC::DFG::AbstractState::dump):
1479         * dfg/DFGAbstractState.h: Added.
1480         (JSC::DFG::AbstractState::forNode):
1481         (JSC::DFG::AbstractState::isValid):
1482         * dfg/DFGAbstractValue.h: Added.
1483         (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
1484         (JSC::DFG::StructureAbstractValue::clear):
1485         (JSC::DFG::StructureAbstractValue::makeTop):
1486         (JSC::DFG::StructureAbstractValue::top):
1487         (JSC::DFG::StructureAbstractValue::add):
1488         (JSC::DFG::StructureAbstractValue::addAll):
1489         (JSC::DFG::StructureAbstractValue::contains):
1490         (JSC::DFG::StructureAbstractValue::isSubsetOf):
1491         (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
1492         (JSC::DFG::StructureAbstractValue::isSupersetOf):
1493         (JSC::DFG::StructureAbstractValue::filter):
1494         (JSC::DFG::StructureAbstractValue::isClear):
1495         (JSC::DFG::StructureAbstractValue::isTop):
1496         (JSC::DFG::StructureAbstractValue::size):
1497         (JSC::DFG::StructureAbstractValue::at):
1498         (JSC::DFG::StructureAbstractValue::operator[]):
1499         (JSC::DFG::StructureAbstractValue::last):
1500         (JSC::DFG::StructureAbstractValue::predictionFromStructures):
1501         (JSC::DFG::StructureAbstractValue::operator==):
1502         (JSC::DFG::StructureAbstractValue::dump):
1503         (JSC::DFG::AbstractValue::AbstractValue):
1504         (JSC::DFG::AbstractValue::clear):
1505         (JSC::DFG::AbstractValue::isClear):
1506         (JSC::DFG::AbstractValue::makeTop):
1507         (JSC::DFG::AbstractValue::clobberStructures):
1508         (JSC::DFG::AbstractValue::isTop):
1509         (JSC::DFG::AbstractValue::top):
1510         (JSC::DFG::AbstractValue::set):
1511         (JSC::DFG::AbstractValue::operator==):
1512         (JSC::DFG::AbstractValue::merge):
1513         (JSC::DFG::AbstractValue::filter):
1514         (JSC::DFG::AbstractValue::validate):
1515         (JSC::DFG::AbstractValue::dump):
1516         * dfg/DFGBasicBlock.h: Added.
1517         (JSC::DFG::BasicBlock::BasicBlock):
1518         (JSC::DFG::BasicBlock::getBytecodeBegin):
1519         * dfg/DFGByteCodeParser.cpp:
1520         (JSC::DFG::ByteCodeParser::getLocal):
1521         (JSC::DFG::ByteCodeParser::setLocal):
1522         (JSC::DFG::ByteCodeParser::getArgument):
1523         (JSC::DFG::ByteCodeParser::setArgument):
1524         (JSC::DFG::ByteCodeParser::parseBlock):
1525         (JSC::DFG::ByteCodeParser::processPhiStack):
1526         (JSC::DFG::ByteCodeParser::setupPredecessors):
1527         * dfg/DFGGraph.cpp:
1528         (JSC::DFG::Graph::dump):
1529         * dfg/DFGGraph.h:
1530         * dfg/DFGJITCodeGenerator.h:
1531         (JSC::DFG::block):
1532         * dfg/DFGJITCodeGenerator32_64.cpp:
1533         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
1534         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1535         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1536         * dfg/DFGJITCodeGenerator64.cpp:
1537         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
1538         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1539         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1540         * dfg/DFGJITCompiler.h:
1541         (JSC::DFG::JITCompiler::noticeOSREntry):
1542         * dfg/DFGNode.h:
1543         (JSC::DFG::NodeIndexTraits::defaultValue):
1544         (JSC::DFG::Node::variableAccessData):
1545         (JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
1546         (JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
1547         (JSC::DFG::Node::setTakenBlockIndex):
1548         (JSC::DFG::Node::setNotTakenBlockIndex):
1549         (JSC::DFG::Node::takenBlockIndex):
1550         (JSC::DFG::Node::notTakenBlockIndex):
1551         * dfg/DFGOSREntry.cpp:
1552         (JSC::DFG::prepareOSREntry):
1553         * dfg/DFGOSREntry.h:
1554         * dfg/DFGOperands.h: Added.
1555         (JSC::DFG::operandIsArgument):
1556         (JSC::DFG::OperandValueTraits::defaultValue):
1557         (JSC::DFG::Operands::Operands):
1558         (JSC::DFG::Operands::numberOfArguments):
1559         (JSC::DFG::Operands::numberOfLocals):
1560         (JSC::DFG::Operands::argument):
1561         (JSC::DFG::Operands::local):
1562         (JSC::DFG::Operands::setLocal):
1563         (JSC::DFG::Operands::setArgumentFirstTime):
1564         (JSC::DFG::Operands::setLocalFirstTime):
1565         (JSC::DFG::Operands::operand):
1566         (JSC::DFG::Operands::setOperand):
1567         (JSC::DFG::Operands::clear):
1568         (JSC::DFG::dumpOperands):
1569         * dfg/DFGPropagator.cpp:
1570         (JSC::DFG::Propagator::fixpoint):
1571         (JSC::DFG::Propagator::propagateArithNodeFlags):
1572         (JSC::DFG::Propagator::propagateNodePredictions):
1573         (JSC::DFG::Propagator::propagatePredictions):
1574         (JSC::DFG::Propagator::performBlockCFA):
1575         (JSC::DFG::Propagator::performForwardCFA):
1576         (JSC::DFG::Propagator::globalCFA):
1577         * dfg/DFGSpeculativeJIT.cpp:
1578         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1579         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1580         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1581         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1582         (JSC::DFG::SpeculativeJIT::compile):
1583         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
1584         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1585         * dfg/DFGSpeculativeJIT.h:
1586         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1587         * dfg/DFGSpeculativeJIT32_64.cpp:
1588         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1589         (JSC::DFG::SpeculativeJIT::compare):
1590         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1591         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1592         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1593         (JSC::DFG::SpeculativeJIT::emitBranch):
1594         (JSC::DFG::SpeculativeJIT::compile):
1595         * dfg/DFGSpeculativeJIT64.cpp:
1596         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1597         (JSC::DFG::SpeculativeJIT::compare):
1598         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1599         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1600         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1601         (JSC::DFG::SpeculativeJIT::emitBranch):
1602         (JSC::DFG::SpeculativeJIT::compile):
1603         * dfg/DFGStructureSet.h:
1604         (JSC::DFG::StructureSet::clear):
1605         (JSC::DFG::StructureSet::predictionFromStructures):
1606         (JSC::DFG::StructureSet::operator==):
1607         (JSC::DFG::StructureSet::dump):
1608         * dfg/DFGVariableAccessData.h: Added.
1609
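The entry above describes a lattice of structure sets with Top for "unknown", merged at control-flow joins, narrowed by structure checks and reset to Top by heap side effects. The toy C++ below is an added illustration of that design written for this page; it is not the DFGAbstractValue.h code, and the structure ids 1 and 2 are constructed stand-ins for Structure pointers.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Opaque stand-in for a Structure pointer; ids are constructed for this example.
typedef int StructureId;

// Toy structure abstract value: a finite set of structures, or Top ("unknown").
// Mirrors the operations the entry lists (add, merge, filter, clobberStructures,
// isSubsetOf); it is not the project's own implementation.
struct StructureAbstractValue {
    bool top;
    std::vector<StructureId> set;

    explicit StructureAbstractValue(bool isTop = false) : top(isTop) { }

    bool contains(StructureId s) const
    {
        return top || std::find(set.begin(), set.end(), s) != set.end();
    }

    void add(StructureId s)
    {
        if (!contains(s))
            set.push_back(s);
    }

    // Control-flow join: union of the two sets; Top absorbs everything.
    void merge(const StructureAbstractValue& other)
    {
        if (other.top) {
            top = true;
            set.clear();
            return;
        }
        for (size_t i = 0; i < other.set.size(); ++i)
            add(other.set[i]);
    }

    // A passed structure check proves the value is one of `checked`: intersect.
    void filter(const StructureAbstractValue& checked)
    {
        if (checked.top)
            return;
        if (top) {
            top = false;
            set = checked.set;
            return;
        }
        std::vector<StructureId> kept;
        for (size_t i = 0; i < set.size(); ++i) {
            if (checked.contains(set[i]))
                kept.push_back(set[i]);
        }
        set = kept;
    }

    // Heap side effect (a call, an unknown put): any object may have transitioned,
    // so the conservative answer is Top.
    void clobberStructures()
    {
        top = true;
        set.clear();
    }

    bool isSubsetOf(const StructureAbstractValue& other) const
    {
        if (other.top)
            return true;
        if (top)
            return false;
        for (size_t i = 0; i < set.size(); ++i) {
            if (!other.contains(set[i]))
                return false;
        }
        return true;
    }
};

// A CheckStructure against `expected` may be dropped only when the abstract value
// already proves the structure: a non-Top subset of {expected}.
bool needsStructureCheck(const StructureAbstractValue& value, StructureId expected)
{
    StructureAbstractValue single;
    single.add(expected);
    return !value.isSubsetOf(single);
}

// Walks the situation the entry describes. Returns true when every step behaves
// as stated: check elided after a check, needed again after a call, and a join of
// two different structures yields the two-element set.
bool cfaScenarioHolds()
{
    StructureAbstractValue x(true);                 // nothing known about X yet
    StructureAbstractValue s1;
    s1.add(1);
    x.filter(s1);                                   // after CheckStructure(S1)
    bool elided = !needsStructureCheck(x, 1);

    x.clobberStructures();                          // a call happened
    bool neededAgain = needsStructureCheck(x, 1);

    StructureAbstractValue other;                   // other predecessor proved S2
    other.add(2);
    StructureAbstractValue joined = s1;
    joined.merge(other);                            // at the join: {S1, S2}
    bool joinNeedsCheck = needsStructureCheck(joined, 1) && joined.set.size() == 2;

    return elided && neededAgain && joinNeedsCheck;
}
```

The conservative part the entry mentions is `clobberStructures`: rather than reason about which transitions a call could cause, the toy (like the entry's description) simply forgets what it knew, so any later structure check is emitted again.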
1610 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
1611
1612         DFG JIT 32_64 - Fix silentFillGPR for non-integer constants.
1613         https://bugs.webkit.org/show_bug.cgi?id=69890
1614
1615         Reviewed by Oliver Hunt.
1616
1617         Cell constants are currently hitting the valueOfInt32Constant case, there is no constant handling for JSValues.
1618
1619         * dfg/DFGJITCodeGenerator.h:
1620         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1621
1622 2011-10-11  Ryosuke Niwa  <rniwa@webkit.org>
1623
1624         GTK build fix attempt after r97197.
1625
1626         * wtf/BitVector.h:
1627
1628 2011-10-11  Oliver Hunt  <oliver@apple.com>
1629
1630         Remove unintentional logging.
1631
1632         * heap/Heap.cpp:
1633
1634 2011-10-11  Oliver Hunt  <oliver@apple.com>
1635
1636         Tidy up card walking logic
1637         https://bugs.webkit.org/show_bug.cgi?id=69883
1638
1639         Reviewed by Gavin Barraclough.
1640
1641         Special case common cell sizes when walking a block's
1642         cards.
1643
1644         * heap/CardSet.h:
1645         (JSC::::testAndClear):
1646         * heap/Heap.cpp:
1647         (JSC::GCTimer::GCCounter::GCCounter):
1648         (JSC::GCTimer::GCCounter::count):
1649         (JSC::GCTimer::GCCounter::~GCCounter):
1650         (JSC::Heap::markRoots):
1651         * heap/MarkStack.cpp:
1652         (JSC::MarkStack::reset):
1653         * heap/MarkStack.h:
1654         (JSC::MarkStack::visitCount):
1655         (JSC::MarkStack::MarkStack):
1656         (JSC::MarkStack::append):
1657         * heap/MarkedBlock.h:
1658         (JSC::MarkedBlock::gatherDirtyCellsWithSize):
1659         (JSC::MarkedBlock::gatherDirtyCells):
1660         * runtime/Structure.h:
1661         (JSC::MarkStack::internalAppend):
1662
1663 2011-10-11  Filip Pizlo  <fpizlo@apple.com>
1664
1665         DFG virtual register allocator should be more aggressive in
1666         reusing temporary slots
1667         https://bugs.webkit.org/show_bug.cgi?id=69868
1668
1669         Reviewed by Oliver Hunt.
1670         
1671         1.2% win on V8, neutral elsewhere. The win is probably because it
1672         increases precision of GC conservative scans.
1673         
1674         This required making the DFG::ScoreBoard operate over a bitvector
1675         of preserved variables, rather than just a preserved variable
1676         threshold. To do this, I improved the WTF::BitVector class to make
1677         it more user-friendly. It still retains all previous functionality.
1678         Also made changes to PackedIntVector to accommodate those changes.
1679         Finally, this adds more debugging to the virtual register allocator
1680         and to the OSR exit code, as this was necessary to track down bugs
1681         in an earlier version of this patch.
1682
1683         * dfg/DFGByteCodeParser.cpp:
1684         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1685         (JSC::DFG::ByteCodeParser::getLocal):
1686         * dfg/DFGGraph.h:
1687         * dfg/DFGJITCompiler.cpp:
1688         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1689         * dfg/DFGPropagator.cpp:
1690         (JSC::DFG::Propagator::allocateVirtualRegisters):
1691         * dfg/DFGScoreBoard.h:
1692         (JSC::DFG::ScoreBoard::ScoreBoard):
1693         (JSC::DFG::ScoreBoard::~ScoreBoard):
1694         (JSC::DFG::ScoreBoard::allocate):
1695         (JSC::DFG::ScoreBoard::use):
1696         (JSC::DFG::ScoreBoard::highWatermark):
1697         (JSC::DFG::ScoreBoard::dump):
1698         (JSC::DFG::ScoreBoard::max):
1699         * dfg/DFGSpeculativeJIT.cpp:
1700         (JSC::DFG::ValueRecovery::dump):
1701         * wtf/BitVector.cpp:
1702         (WTF::BitVector::setSlow):
1703         (WTF::BitVector::resizeOutOfLine):
1704         (WTF::BitVector::dump):
1705         * wtf/BitVector.h:
1706         (WTF::BitVector::BitVector):
1707         (WTF::BitVector::operator=):
1708         (WTF::BitVector::quickGet):
1709         (WTF::BitVector::quickSet):
1710         (WTF::BitVector::quickClear):
1711         (WTF::BitVector::get):
1712         (WTF::BitVector::set):
1713         (WTF::BitVector::clear):
1714         * wtf/PackedIntVector.h:
1715         (WTF::PackedIntVector::get):
1716         (WTF::PackedIntVector::set):
1717
1718 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
1719
1720         DFG JIT 32_64 - Switch to cdecl calling convention.
1721         https://bugs.webkit.org/show_bug.cgi?id=69863
1722
1723         Reviewed by Oliver Hunt.
1724
1725         This makes it easier to keep the stack correctly aligned, which is required on OS X.
1726
1727         * assembler/MacroAssemblerCodeRef.h:
1728         (JSC::FunctionPtr::FunctionPtr):
1729             - Provide default FunctionPtr constructors for CDECL functions on STDCALL platforms.
1730         * dfg/DFGJITCodeGenerator.h:
1731         (JSC::DFG::callOperation):
1732             - Switch calls to poke arguments rather than pushing them.
1733         (JSC::DFG::resetCallArguments):
1734         (JSC::DFG::addCallArgument):
1735         (JSC::DFG::addCallArgumentBoxed):
1736             - Helper functions to stack up call arguments on X86.
1737         * dfg/DFGJITCodeGenerator32_64.cpp:
1738         (JSC::DFG::JITCodeGenerator::emitCall):
1739             - Don't push, poke!
1740         * dfg/DFGJITCompiler32_64.cpp:
1741         (JSC::DFG::JITCompiler::compileBody):
1742             - Don't push, poke!
1743         * dfg/DFGOperations.cpp:
1744             - Switch ReturnAddress wrappers to push return address last, update asm trampolines.
1745         * dfg/DFGOperations.h:
1746             - switch DFG_OPERATION to assert CDECL on STDCALL platforms.
1747         * dfg/DFGSpeculativeJIT32_64.cpp:
1748         (JSC::DFG::fmodWithCDecl):
1749         (JSC::DFG::SpeculativeJIT::compile):
1750             - On STDCALL platforms wrap fmod, since DFG_OPERATION wrappers are CDECL.
1751
1752 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
1753
1754         Switch RegisterSizedBoolean/dfgConvertJSValueToInt32 return type to size_t
1755         https://bugs.webkit.org/show_bug.cgi?id=69821
1756
1757         Reviewed by Filip Pizlo.
1758
1759         Operations returning types Z (int32_t) and B (RegisterSizedBoolean - implemented as an
1760         intptr_t) are indistinguishable on 32-bit Linux, preventing the DFG JIT from building.
1761
1762         dfgConvertJSValueToInt32 would be better returning a value known to be register sized, for
1763         JSVALUE64 (we currently zero-extend in JIT code, potentially introducing an unnecessary
1764         move), so by switching all associated operations to return a size_t we can fix the type
1765         problem on Linux & make it a small tweak that removes an unnecessary instruction.
1766
1767         * dfg/DFGJITCodeGenerator.cpp:
1768         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
1769             - comparisons now return a size_t.
1770         * dfg/DFGJITCodeGenerator.h:
1771         (JSC::DFG::callOperation):
1772             - Removed Z_DFGOperation_EJ form.
1773         * dfg/DFGJITCodeGenerator32_64.cpp:
1774         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1775         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
1776             - comparisons now return a size_t.
1777         * dfg/DFGJITCodeGenerator64.cpp:
1778         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1779         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1780         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
1781             - comparisons now return a size_t.
1782         * dfg/DFGOperations.cpp:
1783         * dfg/DFGOperations.h:
1784             - Change return types for comparison operations & dfgConvertJSValueToInt32 to size_t,
1785               Both need to return values zero extended to fill a register.
1786         * dfg/DFGSpeculativeJIT.cpp:
1787         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1788             - comparisons now return a size_t.
1789         * dfg/DFGSpeculativeJIT.h:
1790         * dfg/DFGSpeculativeJIT32_64.cpp:
1791         (JSC::DFG::SpeculativeJIT::compare):
1792             - comparisons now return a size_t.
1793         * dfg/DFGSpeculativeJIT64.cpp:
1794         (JSC::DFG::SpeculativeJIT::compare):
1795             - comparisons now return a size_t.
1796
1797 2011-10-11  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>
1798
1799         [Qt] Remove all references to QTDIR_build and standalone_package
1800
1801         Qt is now modularized, which means we no longer import WebKit into
1802         the Qt source tree. Instead we use git submodules, and building
1803         QtWebKit as "part of Qt" is really building QtWebKit as from trunk.
1804
1805         To decrease the number of buildsystem configurations we also remove
1806         the standalone_package code-path used when we were providing tarballs
1807         with the derived sources pre-generated.
1808
1809         Reviewed by Simon Hausmann.
1810
1811         * DerivedSources.pro:
1812         * JavaScriptCore.pri:
1813         * JavaScriptCore.pro:
1814
1815 2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>
1816
1817         Add missing copyright notice in DFG JIT files
1818         https://bugs.webkit.org/show_bug.cgi?id=69809
1819
1820         Reviewed by Gavin Barraclough.
1821
1822         * dfg/DFGJITCodeGenerator32_64.cpp:
1823         * dfg/DFGJITCompiler32_64.cpp:
1824         * dfg/DFGJITCompilerInlineMethods.h:
1825         * dfg/DFGSpeculativeJIT32_64.cpp:
1826
1827 2011-10-10  Filip Pizlo  <fpizlo@apple.com>
1828
1829         DFG JSVALUE64 spill/fill code should not box integers and doubles
1830         https://bugs.webkit.org/show_bug.cgi?id=69782
1831
1832         Reviewed by Oliver Hunt.
1833         
1834         Added the notion of DataFormatInteger and DataFormatDouble to the spillFormat.
1835         This required changing all of the places that spill registers (both silently
1836         and not) and filling registers (both silently and on demand). It also required
1837         changing OSR exit to recognize that a spilled value (DisplacedInRegisterFile)
1838         may have the wrong format for the old JIT (unboxed int or double).
1839         
1840         This is a slight win on Kraken (0.25%) and neutral elsewhere.
1841
1842         * dfg/DFGGenerationInfo.h:
1843         (JSC::DFG::GenerationInfo::spill):
1844         * dfg/DFGJITCodeGenerator.h:
1845         (JSC::DFG::JITCodeGenerator::silentFillFPR):
1846         (JSC::DFG::JITCodeGenerator::spill):
1847         * dfg/DFGJITCodeGenerator64.cpp:
1848         (JSC::DFG::JITCodeGenerator::fillInteger):
1849         (JSC::DFG::JITCodeGenerator::fillDouble):
1850         (JSC::DFG::JITCodeGenerator::fillJSValue):
1851         * dfg/DFGJITCompiler.cpp:
1852         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1853         * dfg/DFGSpeculativeJIT.cpp:
1854         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1855         * dfg/DFGSpeculativeJIT.h:
1856         (JSC::DFG::ValueRecovery::displacedInRegisterFile):
1857         (JSC::DFG::ValueRecovery::virtualRegister):
1858         * dfg/DFGSpeculativeJIT64.cpp:
1859         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1860         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1861         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1862         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1863
1864 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
1865
1866         DFG JIT switch dfgConvert methods to use callOperation
1867         https://bugs.webkit.org/show_bug.cgi?id=69806
1868
1869         Reviewed by Filip Pizlo.
1870
1871         * dfg/DFGJITCodeGenerator.h:
1872         (JSC::DFG::callOperation):
1873         * dfg/DFGJITCodeGenerator32_64.cpp:
1874         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
1875         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1876         * dfg/DFGJITCodeGenerator64.cpp:
1877         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
1878         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1879         * dfg/DFGOperations.h:
1880
1881 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
1882
1883         Remove some unused methods from the DFG JIT.
1884
1885         Rubber stamped by Oliver Hunt
1886
1887         These methods were only used by the non-speculative JIT, and can be removed.
1888
1889         * dfg/DFGJITCodeGenerator.h:
1890         * dfg/DFGJITCodeGenerator32_64.cpp:
1891         * dfg/DFGJITCodeGenerator64.cpp:
1892             - removed:
1893                 nonSpeculativeAdd
1894                 nonSpeculativeArithSub
1895                 nonSpeculativeArithMod
1896                 nonSpeculativeCheckHasInstance
1897                 nonSpeculativeInstanceOf
1898         * dfg/DFGOperations.cpp:
1899         * dfg/DFGOperations.h:
1900             - removed:
1901                 operationArithMod
1902                 operationInstanceOf
1903                 operationThrowHasInstanceError
1904
1905 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
1906
1907         Switch most calls in DFGJITCodeGenerator to use callOperation.
1908         https://bugs.webkit.org/show_bug.cgi?id=69802
1909
1910         Reviewed by Oliver Hunt.
1911
1912         Compares, add, mod are the easy cases.
1913
1914         * dfg/DFGJITCodeGenerator.h:
1915         (JSC::DFG::callOperation):
1916         * dfg/DFGJITCodeGenerator32_64.cpp:
1917         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
1918         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
1919         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
1920         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1921         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
1922         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1923         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
1924         * dfg/DFGJITCodeGenerator64.cpp:
1925         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
1926         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
1927         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1928         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
1929         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1930         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
1931         * dfg/DFGOperations.cpp:
1932         * dfg/DFGOperations.h:
1933
1934 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
1935
1936         DFG: Switch GetById / PutById to use callOperation
1937         https://bugs.webkit.org/show_bug.cgi?id=69795
1938
1939         Reviewed by Oliver Hunt.
1940
1941         Also make these take the base as a cell, so 32_64 doesn't have to set up the cell tag.
1942
1943         * dfg/DFGJITCodeGenerator.h:
1944         (JSC::DFG::callOperation):
1945         * dfg/DFGJITCodeGenerator32_64.cpp:
1946         (JSC::DFG::JITCodeGenerator::cachedGetById):
1947         (JSC::DFG::JITCodeGenerator::cachedPutById):
1948         * dfg/DFGJITCodeGenerator64.cpp:
1949         (JSC::DFG::JITCodeGenerator::cachedGetById):
1950         (JSC::DFG::JITCodeGenerator::cachedPutById):
1951         * dfg/DFGOperations.cpp:
1952         * dfg/DFGOperations.h:
1953         * dfg/DFGRepatch.cpp:
1954         (JSC::DFG::appropriatePutByIdFunction):
1955
1956 2011-10-10  Filip Pizlo  <fpizlo@apple.com>
1957
1958         REGRESSION (r95399): Web process hangs when opening documents on Google Docs
1959         https://bugs.webkit.org/show_bug.cgi?id=69412
1960
1961         Reviewed by Oliver Hunt.
1962
1963         * dfg/DFGSpeculativeJIT32_64.cpp:
1964         (JSC::DFG::SpeculativeJIT::compile):
1965         * dfg/DFGSpeculativeJIT64.cpp:
1966         (JSC::DFG::SpeculativeJIT::compile):
1967         * jit/JIT.cpp:
1968         (JSC::JIT::privateCompile):
1969         * jit/JIT.h:
1970
1971 2011-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1972
1973         Remove getCallDataVirtual methods
1974         https://bugs.webkit.org/show_bug.cgi?id=69186
1975
1976         Reviewed by Geoffrey Garen.
1977
1978         Removed all getCallDataVirtual methods and replaced their call sites 
1979         with an explicit lookup in the MethodTable.
1980
1981         * API/JSCallbackFunction.cpp:
1982         * API/JSCallbackFunction.h:
1983         * API/JSCallbackObject.h:
1984         * API/JSCallbackObjectFunctions.h:
1985         * API/JSObjectRef.cpp:
1986         (JSObjectIsFunction):
1987         (JSObjectCallAsFunction):
1988         * JavaScriptCore.exp:
1989         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1990         * interpreter/Interpreter.cpp:
1991         (JSC::Interpreter::privateExecute):
1992         * jit/JITStubs.cpp:
1993         (JSC::DEFINE_STUB_FUNCTION):
1994         * runtime/ArrayConstructor.cpp:
1995         * runtime/ArrayConstructor.h:
1996         * runtime/BooleanConstructor.cpp:
1997         * runtime/BooleanConstructor.h:
1998         * runtime/DateConstructor.cpp:
1999         * runtime/DateConstructor.h:
2000
2001         Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
2002         the class definition in JSGlobalObject.cpp.
2003         * runtime/Error.cpp:
2004         (JSC::createTypeErrorFunction):
2005         * runtime/Error.h:
2006         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2007         (JSC::StrictModeTypeErrorFunction::create):
2008         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2009         (JSC::StrictModeTypeErrorFunction::getConstructData):
2010         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2011         (JSC::StrictModeTypeErrorFunction::getCallData):
2012         (JSC::StrictModeTypeErrorFunction::createStructure):
2013         * runtime/ErrorConstructor.cpp:
2014         * runtime/ErrorConstructor.h:
2015         * runtime/FunctionConstructor.cpp:
2016         * runtime/FunctionConstructor.h:
2017         * runtime/FunctionPrototype.cpp:
2018         * runtime/FunctionPrototype.h:
2019
2020         To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have 
2021         to declare their own ClassInfo if they don't override getCallData, provided 
2022         an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same 
2023         functionality as the pure virtual method InternalFunction used to have.
2024         Also made this new implementation protected rather than private for the same reason.
2025         Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever 
2026         object is being created provides their own implementation of getCallData.  This 
2027         just makes execution fail earlier in a place where the source of the error is 
2028         easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
2029         they appear much more intentional to anybody who fails to provide their own 
2030         implementation or who tries to explicitly call InternalFunction::getCallData.
2031         * runtime/InternalFunction.cpp:
2032         (JSC::InternalFunction::finishCreation):
2033         (JSC::InternalFunction::getCallData):
2034         * runtime/InternalFunction.h:
2035         * runtime/JSCell.cpp:
2036         * runtime/JSCell.h:
2037         * runtime/JSFunction.cpp:
2038         * runtime/JSFunction.h:
2039
2040         Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
2041         it to be reused rather than creating a new Structure every time we instantiate it.
2042         * runtime/JSGlobalObject.cpp:
2043         (JSC::JSGlobalObject::reset):
2044         (JSC::JSGlobalObject::visitChildren):
2045         * runtime/JSGlobalObject.h:
2046         (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
2047         * runtime/JSONObject.cpp:
2048         (JSC::Stringifier::Stringifier):
2049         (JSC::Stringifier::toJSON):
2050         (JSC::Stringifier::appendStringifiedValue):
2051         * runtime/JSObject.cpp:
2052         (JSC::JSObject::put):
2053         * runtime/JSObject.h:
2054         (JSC::getCallData):
2055         * runtime/NativeErrorConstructor.cpp:
2056         * runtime/NativeErrorConstructor.h:
2057         * runtime/NumberConstructor.cpp:
2058         * runtime/NumberConstructor.h:
2059         * runtime/ObjectConstructor.cpp:
2060         * runtime/ObjectConstructor.h:
2061         * runtime/Operations.cpp:
2062         (JSC::jsTypeStringForValue):
2063         (JSC::jsIsObjectType):
2064         (JSC::jsIsFunctionType):
2065         * runtime/PropertySlot.cpp:
2066         (JSC::PropertySlot::functionGetter):
2067         * runtime/RegExpConstructor.cpp:
2068         * runtime/RegExpConstructor.h:
2069         * runtime/StringConstructor.cpp:
2070         * runtime/StringConstructor.h:
2071         * runtime/Structure.h:
2072
2073 2011-10-10  Gavin Barraclough  <barraclough@apple.com>
2074
2075         Switch last calls from DFGSpeculativeJIT to use callOperation.
2076         https://bugs.webkit.org/show_bug.cgi?id=69780
2077
2078         Reviewed by Oliver Hunt.
2079
2080         Also, rename type in operations for booleans from Z to B, since Z is the mathematical symbol for integers.
2081
2082         * dfg/DFGJITCodeGenerator.cpp:
2083         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2084         * dfg/DFGJITCodeGenerator.h:
2085         (JSC::DFG::callOperation):
2086         * dfg/DFGJITCodeGenerator32_64.cpp:
2087         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2088         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2089         * dfg/DFGJITCodeGenerator64.cpp:
2090         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2091         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2092         * dfg/DFGOperations.h:
2093         * dfg/DFGSpeculativeJIT.cpp:
2094         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2095         * dfg/DFGSpeculativeJIT.h:
2096         * dfg/DFGSpeculativeJIT32_64.cpp:
2097         (JSC::DFG::SpeculativeJIT::compare):
2098         (JSC::DFG::SpeculativeJIT::compile):
2099         * dfg/DFGSpeculativeJIT64.cpp:
2100         (JSC::DFG::SpeculativeJIT::compare):
2101         (JSC::DFG::SpeculativeJIT::compile):
2102         * wtf/Platform.h:
2103
2104 2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>
2105
2106         JSVALUE32_64 DFG JIT - bug fix for V8 benchmark cases "crypto" and "raytrace"
2107         https://bugs.webkit.org/show_bug.cgi?id=69748
2108
2109         Reviewed by Filip Pizlo.
2110
2111         * dfg/DFGJITCodeGenerator32_64.cpp:
2112         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
2113         * dfg/DFGSpeculativeJIT32_64.cpp:
2114         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2115
2116 2011-10-10  Adam Roben  <aroben@apple.com>
2117
2118         Build fix
2119
2120         * wtf/MainThread.h: Pull in Platform.h since this file uses PLATFORM() macros.
2121
2122 2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>
2123
2124         JSVALUE32_64 DFG JIT - Bug fix for BranchNull
2125         https://bugs.webkit.org/show_bug.cgi?id=69743
2126
2127         Reviewed by Darin Adler.
2128
2129         This fixes the error in access-binary-trees. All SunSpider cases passed.
2130
2131         * dfg/DFGJITCodeGenerator32_64.cpp:
2132         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2133
2134 2011-10-07  Gavin Barraclough  <barraclough@apple.com>
2135
2136         DFG JIT: callOperation should return the Call.
2137         https://bugs.webkit.org/show_bug.cgi?id=69682
2138
2139         Reviewed by Oliver Hunt.
2140
2141         * dfg/DFGJITCodeGenerator.h:
2142         (JSC::DFG::callOperation):
2143         (JSC::DFG::appendCallWithExceptionCheckSetResult):
2144         * dfg/DFGJITCompiler.h:
2145         (JSC::DFG::JITCompiler::appendCall):
2146         * wtf/Platform.h:
2147
2148 2011-10-10  Sheriff Bot  <webkit.review.bot@gmail.com>
2149
2150         Unreviewed, rolling out r97045.
2151         http://trac.webkit.org/changeset/97045
2152         https://bugs.webkit.org/show_bug.cgi?id=69746
2153
2154         makes apple bots very crashy :( (Requested by kling on
2155         #webkit).
2156
2157         * config.h:
2158
2159 2011-10-10  Andreas Kling  <kling@webkit.org>
2160
2161         Shrink BorderValue.
2162         https://bugs.webkit.org/show_bug.cgi?id=69521
2163
2164         Reviewed by Antti Koivisto.
2165
2166         * config.h: Touch to force full rebuild.
2167
2168 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2169
2170         Improve Null or Undefined test in 32_64 DFG
2171         https://bugs.webkit.org/show_bug.cgi?id=69734
2172
2173         Reviewed by Darin Adler.
2174
2175         Currently the Null or Undefined value test in 32_64 DFG checks the
2176         Null and Undefined tags separately and introduces one more branch.
2177         It can be improved in the way the baseline JIT does it: by
2178         relying on the fact that "UndefinedTag + 1 == NullTag and NullTag & 1".
2179
2180         * dfg/DFGJITCodeGenerator32_64.cpp:
2181         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
2182         * dfg/DFGSpeculativeJIT32_64.cpp:
2183         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2184         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
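
        The single-branch null-or-undefined test described in the entry above, as an added example that is not JavaScriptCore's own code. The JSVALUE32_64 tag constants are as I recall them from JSC's JSValue.h of this era and are an assumption to verify against your tree; the static_asserts make the invariant the trick depends on explicit, and the agreement check compares the one-branch form with the two-branch form over the whole non-double tag space and a few double high words.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

// JSVALUE32_64 tag values as I recall them from JavaScriptCore's JSValue.h
// of this era (assumption; verify against the tree you are working on).
// A 32_64 JSValue is a (tag, payload) pair of 32-bit words; any tag below
// DeletedValueTag is simply the high word of an IEEE-754 double.
enum : uint32_t {
    Int32Tag        = 0xffffffffu,
    BooleanTag      = 0xfffffffeu,
    NullTag         = 0xfffffffdu,
    UndefinedTag    = 0xfffffffcu,
    CellTag         = 0xfffffffbu,
    EmptyValueTag   = 0xfffffffau,
    DeletedValueTag = 0xfffffff9u,
    LowestTag       = DeletedValueTag,
};

// The single-branch form is only sound while both facts from the entry hold.
// If the encoding ever changes, this fails at compile time instead of
// silently misclassifying values in JIT-generated code.
static_assert(UndefinedTag + 1 == NullTag, "UndefinedTag + 1 must equal NullTag");
static_assert((NullTag & 1) == 1, "NullTag must have its low bit set");

// Reference form: what the 32_64 DFG did before this change. Two compares
// and two conditional branches in the emitted code.
inline bool isNullOrUndefinedTwoBranch(uint32_t tag)
{
    return tag == NullTag || tag == UndefinedTag;
}

// Baseline-JIT form: setting bit 0 maps UndefinedTag onto NullTag and leaves
// NullTag unchanged. No other tag can become NullTag this way, because every
// other tag already differs from NullTag in a bit above bit 0. One compare,
// one branch.
inline bool isNullOrUndefinedOneBranch(uint32_t tag)
{
    return (tag | 1u) == NullTag;
}

// Tag word of a double's 32_64 encoding: the high 32 bits of its bit pattern.
inline uint32_t doubleHighWord(double d)
{
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return static_cast<uint32_t>(bits >> 32);
}

// Returns true when the one-branch form agrees with the two-branch form on
// every non-double tag and on a constructed sample of double high words
// (including the ones numerically closest to the tag range).
bool oneBranchAgreesWithTwoBranch()
{
    // Every tag from LowestTag up to 0xffffffff; ++ wraps to 0 and stops.
    for (uint32_t tag = LowestTag; tag != 0; ++tag) {
        if (isNullOrUndefinedOneBranch(tag) != isNullOrUndefinedTwoBranch(tag))
            return false;
    }

    // Constructed double samples: zero, ordinary values, extremes, NaN and
    // infinity, whose high words sit just below the tag range.
    const double doubles[] = {
        0.0, -0.0, 1.0, -1.0, 1e308, -1e308,
        std::numeric_limits<double>::quiet_NaN(),
        -std::numeric_limits<double>::quiet_NaN(),
        -std::numeric_limits<double>::infinity(),
    };
    for (double d : doubles) {
        uint32_t tag = doubleHighWord(d);
        if (isNullOrUndefinedOneBranch(tag) != isNullOrUndefinedTwoBranch(tag))
            return false;
    }

    // The highest high word a double can have (LowestTag - 1) must not match.
    const uint32_t highestDoubleTag = LowestTag - 1;
    return !isNullOrUndefinedOneBranch(highestDoubleTag)
        && !isNullOrUndefinedTwoBranch(highestDoubleTag);
}

int main()
{
    std::printf("null:      %d\n", isNullOrUndefinedOneBranch(NullTag));
    std::printf("undefined: %d\n", isNullOrUndefinedOneBranch(UndefinedTag));
    std::printf("cell:      %d\n", isNullOrUndefinedOneBranch(CellTag));
    std::printf("forms agree on all tags: %d\n", oneBranchAgreesWithTwoBranch());
    return oneBranchAgreesWithTwoBranch() ? 0 : 1;
}
```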
2185
2186 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2187
2188         JSVALUE32_64 DFG JIT - Bug fix for ConvertThis
2189         https://bugs.webkit.org/show_bug.cgi?id=69721
2190
2191         Reviewed by Darin Adler.
2192
2193         * dfg/DFGSpeculativeJIT32_64.cpp:
2194         (JSC::DFG::SpeculativeJIT::compile):
2195
2196 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2197
2198         Remove unused callOperation code of DFG JIT on X86
2199         https://bugs.webkit.org/show_bug.cgi?id=69722
2200
2201         Reviewed by Filip Pizlo.
2202
2203         * dfg/DFGJITCodeGenerator.h:
2204         (JSC::DFG::callOperation):
2205
2206 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2207
2208         JSVALUE32_64 DFG JIT - fillJSValue with a pair of GPRs should not set the registerFormat to be DataFormatJSDouble
2209         https://bugs.webkit.org/show_bug.cgi?id=69720
2210
2211         Reviewed by Filip Pizlo.
2212
2213         In JSVALUE32_64 DFG, DataFormatJSDouble is assumed to be represented by
2214         a FPR and will be used for further optimizations, though we currently
2215         don't fully utilize it. For now when filling a JS value which was
2216         spilled as a JSDouble with a pair of GPRs, we'll set the registerFormat
2217         to DataFormatJS to avoid compilation errors.
2218
2219         * dfg/DFGJITCodeGenerator32_64.cpp:
2220         (JSC::DFG::JITCodeGenerator::fillJSValue):
2221
2222 2011-10-09  Filip Pizlo  <fpizlo@apple.com>
2223
2224         DFG should not always speculate that a ByVal access has an integer index
2225         https://bugs.webkit.org/show_bug.cgi?id=69716
2226
2227         Reviewed by Oliver Hunt.
2228         
2229         1% win on SunSpider, neutral elsewhere.
2230
2231         * dfg/DFGJITCodeGenerator.h:
2232         (JSC::DFG::callOperation):
2233         * dfg/DFGNode.h:
2234         * dfg/DFGOperations.cpp:
2235         * dfg/DFGOperations.h:
2236         * dfg/DFGPropagator.cpp:
2237         (JSC::DFG::Propagator::byValHasIntBase):
2238         (JSC::DFG::Propagator::clobbersWorld):
2239         (JSC::DFG::Propagator::getMethodLoadElimination):
2240         (JSC::DFG::Propagator::checkStructureLoadElimination):
2241         (JSC::DFG::Propagator::getByOffsetLoadElimination):
2242         (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
2243         (JSC::DFG::Propagator::performNodeCSE):
2244         * dfg/DFGSpeculativeJIT32_64.cpp:
2245         (JSC::DFG::SpeculativeJIT::compile):
2246         * dfg/DFGSpeculativeJIT64.cpp:
2247         (JSC::DFG::SpeculativeJIT::compile):
2248
2249 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2250
2251         Fix value profiling in 32_64 JIT
2252         https://bugs.webkit.org/show_bug.cgi?id=69717
2253
2254         Reviewed by Filip Pizlo.
2255
2256         Current value profiling for the 32_64 JIT is broken and cannot record
2257         correct predicted types, which results in many speculation failures
2258         in the 32_64 DFG JIT, fallbacks to the baseline JIT, and re-optimizations
2259         again and again.
2260         With this fix the 32_64 DFG JIT can demonstrate real performance gains.
2261
2262         * bytecode/ValueProfile.cpp:
2263         (JSC::ValueProfile::computeStatistics):
2264         * bytecode/ValueProfile.h:
2265         (JSC::ValueProfile::classInfo):
2266         (JSC::ValueProfile::numberOfSamples):
2267         (JSC::ValueProfile::isLive):
2268         (JSC::ValueProfile::numberOfInt32s):
2269         (JSC::ValueProfile::numberOfDoubles):
2270         (JSC::ValueProfile::numberOfBooleans):
2271         (JSC::ValueProfile::dump):
2272             Empty value check should be performed on decoded JSValue,
2273             as for 32_64 empty value is not identical to encoded 0.
2274         * jit/JIT.cpp:
2275         (JSC::JIT::privateCompile):
2276         * jit/JITInlineMethods.h:
2277         (JSC::JIT::emitValueProfilingSite):
2278         * jit/JITStubCall.h:
2279         (JSC::JITStubCall::callWithValueProfiling):
2280             Record the right profiling result for 32_64.
2281
2282 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2283
2284         Remove 32 bit restrictions in DFG JIT
2285         https://bugs.webkit.org/show_bug.cgi?id=69711
2286
2287         Reviewed by Filip Pizlo.
2288
2289         op_call/op_construct support was disabled for the 32 bit DFG JIT because
2290         there were regressions in the javascriptcore tests. Now the bugs are fixed
2291         and there should be no regression. This gives the 32 bit DFG the same
2292         capability as the 64 bit DFG, and improves the coverage.
2293
2294         * dfg/DFGCapabilities.h:
2295         (JSC::DFG::canCompileOpcode):
2296
2297 2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2298
2299         Add static version of JSCell::getConstructData
2300         https://bugs.webkit.org/show_bug.cgi?id=69673
2301
2302         Reviewed by Geoffrey Garen.
2303
2304         Added static version of getConstructData to all classes that 
2305         override it and changed the virtual versions to call the static 
2306         versions.  This is the first step in de-virtualizing JSCell::getConstructData.
2307
2308         * API/JSCallbackConstructor.cpp:
2309         (JSC::JSCallbackConstructor::getConstructData):
2310         * API/JSCallbackConstructor.h:
2311         * API/JSCallbackObject.h:
2312         * API/JSCallbackObjectFunctions.h:
2313         (JSC::::getConstructData):
2314         * runtime/ArrayConstructor.cpp:
2315         (JSC::ArrayConstructor::getConstructData):
2316         * runtime/ArrayConstructor.h:
2317         * runtime/BooleanConstructor.cpp:
2318         (JSC::BooleanConstructor::getConstructData):
2319         * runtime/BooleanConstructor.h:
2320         * runtime/DateConstructor.cpp:
2321         (JSC::DateConstructor::getConstructData):
2322         * runtime/DateConstructor.h:
2323         * runtime/ErrorConstructor.cpp:
2324         (JSC::ErrorConstructor::getConstructData):
2325         * runtime/ErrorConstructor.h:
2326         * runtime/FunctionConstructor.cpp:
2327         (JSC::FunctionConstructor::getConstructData):
2328         * runtime/FunctionConstructor.h:
2329         * runtime/JSCell.cpp:
2330         (JSC::JSCell::getConstructData):
2331         * runtime/JSCell.h:
2332         * runtime/JSFunction.cpp:
2333         (JSC::JSFunction::getConstructData):
2334         * runtime/JSFunction.h:
2335         * runtime/NativeErrorConstructor.cpp:
2336         (JSC::NativeErrorConstructor::getConstructData):
2337         * runtime/NativeErrorConstructor.h:
2338         * runtime/NumberConstructor.cpp:
2339         (JSC::NumberConstructor::getConstructData):
2340         * runtime/NumberConstructor.h:
2341         * runtime/ObjectConstructor.cpp:
2342         (JSC::ObjectConstructor::getConstructData):
2343         * runtime/ObjectConstructor.h:
2344         * runtime/RegExpConstructor.cpp:
2345         (JSC::RegExpConstructor::getConstructData):
2346         * runtime/RegExpConstructor.h:
2347         * runtime/StringConstructor.cpp:
2348         (JSC::StringConstructor::getConstructData):
2349         * runtime/StringConstructor.h:
2350
2351 2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2352
2353         Add static version of JSCell::getOwnPropertySlot
2354         https://bugs.webkit.org/show_bug.cgi?id=69593
2355
2356         Reviewed by Geoffrey Garen.
2357
2358         Added static version of getOwnPropertySlot to every class that overrides
2359         JSCell::getOwnPropertySlot.  The virtual versions now call the static versions.
2360         This is the first step in de-virtualizing JSCell::getOwnPropertySlot.
2361
2362         * JavaScriptCore.exp:
2363         * debugger/DebuggerActivation.cpp:
2364         (JSC::DebuggerActivation::getOwnPropertySlot):
2365         * debugger/DebuggerActivation.h:
2366         * runtime/Arguments.cpp:
2367         (JSC::Arguments::getOwnPropertySlot):
2368         * runtime/Arguments.h:
2369         * runtime/ArrayConstructor.h:
2370         * runtime/ArrayPrototype.cpp:
2371         (JSC::ArrayPrototype::getOwnPropertySlot):
2372         * runtime/ArrayPrototype.h:
2373         * runtime/BooleanPrototype.cpp:
2374         (JSC::BooleanPrototype::getOwnPropertySlot):
2375         * runtime/BooleanPrototype.h:
2376         * runtime/DateConstructor.cpp:
2377         (JSC::DateConstructor::getOwnPropertySlot):
2378         * runtime/DateConstructor.h:
2379         * runtime/DatePrototype.cpp:
2380         (JSC::DatePrototype::getOwnPropertySlot):
2381         * runtime/DatePrototype.h:
2382         * runtime/ErrorPrototype.cpp:
2383         (JSC::ErrorPrototype::getOwnPropertySlot):
2384         * runtime/ErrorPrototype.h:
2385         * runtime/JSActivation.cpp:
2386         (JSC::JSActivation::getOwnPropertySlot):
2387         * runtime/JSActivation.h:
2388         * runtime/JSArray.cpp:
2389         (JSC::JSArray::getOwnPropertySlot):
2390         * runtime/JSArray.h:
2391         * runtime/JSBoundFunction.cpp:
2392         (JSC::JSBoundFunction::getOwnPropertySlot):
2393         * runtime/JSBoundFunction.h:
2394         * runtime/JSByteArray.cpp:
2395         (JSC::JSByteArray::getOwnPropertySlot):
2396         * runtime/JSByteArray.h:
2397         * runtime/JSCell.cpp:
2398         (JSC::JSCell::getOwnPropertySlot):
2399         * runtime/JSCell.h:
2400         * runtime/JSFunction.cpp:
2401         (JSC::JSFunction::getOwnPropertySlot):
2402         * runtime/JSFunction.h:
2403         * runtime/JSGlobalObject.cpp:
2404         (JSC::JSGlobalObject::getOwnPropertySlot):
2405         * runtime/JSGlobalObject.h:
2406         * runtime/JSNotAnObject.cpp:
2407         (JSC::JSNotAnObject::getOwnPropertySlot):
2408         * runtime/JSNotAnObject.h:
2409         * runtime/JSONObject.cpp:
2410         (JSC::JSONObject::getOwnPropertySlot):
2411         * runtime/JSONObject.h:
2412         * runtime/JSObject.cpp:
2413         (JSC::JSObject::getOwnPropertySlot):
2414         * runtime/JSObject.h:
2415         (JSC::JSObject::getOwnPropertySlot):
2416         * runtime/JSStaticScopeObject.cpp:
2417         (JSC::JSStaticScopeObject::getOwnPropertySlot):
2418         * runtime/JSStaticScopeObject.h:
2419         * runtime/JSString.cpp:
2420         (JSC::JSString::getOwnPropertySlot):
2421         * runtime/JSString.h:
2422         * runtime/MathObject.cpp:
2423         (JSC::MathObject::getOwnPropertySlot):
2424         * runtime/MathObject.h:
2425         * runtime/NumberConstructor.cpp:
2426         (JSC::NumberConstructor::getOwnPropertySlot):
2427         * runtime/NumberConstructor.h:
2428         * runtime/NumberPrototype.cpp:
2429         (JSC::NumberPrototype::getOwnPropertySlot):
2430         * runtime/NumberPrototype.h:
2431         * runtime/ObjectConstructor.cpp:
2432         (JSC::ObjectConstructor::getOwnPropertySlot):
2433         * runtime/ObjectConstructor.h:
2434         * runtime/ObjectPrototype.cpp:
2435         (JSC::ObjectPrototype::getOwnPropertySlot):
2436         * runtime/ObjectPrototype.h:
2437         * runtime/RegExpConstructor.cpp:
2438         (JSC::RegExpConstructor::getOwnPropertySlot):
2439         * runtime/RegExpConstructor.h:
2440         * runtime/RegExpMatchesArray.h:
2441         (JSC::RegExpMatchesArray::getOwnPropertySlot):
2442         * runtime/RegExpObject.cpp:
2443         (JSC::RegExpObject::getOwnPropertySlot):
2444         * runtime/RegExpObject.h:
2445         * runtime/RegExpPrototype.cpp:
2446         (JSC::RegExpPrototype::getOwnPropertySlot):
2447         * runtime/RegExpPrototype.h:
2448         * runtime/StringConstructor.cpp:
2449         (JSC::StringConstructor::getOwnPropertySlot):
2450         * runtime/StringConstructor.h:
2451         * runtime/StringObject.cpp:
2452         (JSC::StringObject::getOwnPropertySlot):
2453         * runtime/StringObject.h:
2454         * runtime/StringPrototype.cpp:
2455         (JSC::StringPrototype::getOwnPropertySlot):
2456         * runtime/StringPrototype.h:
2457
2458 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
2459
2460         JSVALUE32_64 DFG JIT - GetLocal should produce a cell result for Array predictions
2461         https://bugs.webkit.org/show_bug.cgi?id=69699
2462
2463         Reviewed by Filip Pizlo.
2464
2465         It should match SetLocal, where only the payload is stored for array predictions.
2466
2467         * dfg/DFGSpeculativeJIT32_64.cpp:
2468         (JSC::DFG::SpeculativeJIT::compile):
2469
2470 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
2471
2472         JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot
2473         https://bugs.webkit.org/show_bug.cgi?id=69702
2474
2475         Reviewed by Filip Pizlo.
2476
2477         There are some errors in generating code for Branch and LogicalNot,
2478         when the operand is predicted as ObjectOrOther.
2479
2480         * dfg/DFGSpeculativeJIT32_64.cpp:
2481         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2482         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2483
2484 2011-10-08  Sheriff Bot  <webkit.review.bot@gmail.com>
2485
2486         Unreviewed, rolling out r96996.
2487         http://trac.webkit.org/changeset/96996
2488         https://bugs.webkit.org/show_bug.cgi?id=69697
2489
2490         It broke all tests on the Qt bot (Requested by Ossy_night on
2491         #webkit).
2492
2493         * API/JSCallbackFunction.cpp:
2494         (JSC::JSCallbackFunction::getCallDataVirtual):
2495         * API/JSCallbackFunction.h:
2496         * API/JSCallbackObject.h:
2497         * API/JSCallbackObjectFunctions.h:
2498         (JSC::::getCallDataVirtual):
2499         * API/JSObjectRef.cpp:
2500         (JSObjectIsFunction):
2501         (JSObjectCallAsFunction):
2502         * JavaScriptCore.exp:
2503         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2504         * interpreter/Interpreter.cpp:
2505         (JSC::Interpreter::privateExecute):
2506         * jit/JITStubs.cpp:
2507         (JSC::DEFINE_STUB_FUNCTION):
2508         * runtime/ArrayConstructor.cpp:
2509         (JSC::ArrayConstructor::getCallDataVirtual):
2510         * runtime/ArrayConstructor.h:
2511         * runtime/BooleanConstructor.cpp:
2512         (JSC::BooleanConstructor::getCallDataVirtual):
2513         * runtime/BooleanConstructor.h:
2514         * runtime/DateConstructor.cpp:
2515         (JSC::DateConstructor::getCallDataVirtual):
2516         * runtime/DateConstructor.h:
2517         * runtime/Error.cpp:
2518         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2519         (JSC::StrictModeTypeErrorFunction::create):
2520         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2521         (JSC::StrictModeTypeErrorFunction::getConstructData):
2522         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2523         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
2524         (JSC::StrictModeTypeErrorFunction::getCallData):
2525         (JSC::StrictModeTypeErrorFunction::createStructure):
2526         (JSC::createTypeErrorFunction):
2527         * runtime/Error.h:
2528         * runtime/ErrorConstructor.cpp:
2529         (JSC::ErrorConstructor::getCallDataVirtual):
2530         * runtime/ErrorConstructor.h:
2531         * runtime/FunctionConstructor.cpp:
2532         (JSC::FunctionConstructor::getCallDataVirtual):
2533         * runtime/FunctionConstructor.h:
2534         * runtime/FunctionPrototype.cpp:
2535         (JSC::FunctionPrototype::getCallDataVirtual):
2536         * runtime/FunctionPrototype.h:
2537         * runtime/InternalFunction.cpp:
2538         (JSC::InternalFunction::finishCreation):
2539         * runtime/InternalFunction.h:
2540         * runtime/JSCell.cpp:
2541         (JSC::JSCell::getCallDataVirtual):
2542         * runtime/JSCell.h:
2543         (JSC::getCallData):
2544         * runtime/JSFunction.cpp:
2545         (JSC::JSFunction::getCallDataVirtual):
2546         * runtime/JSFunction.h:
2547         * runtime/JSGlobalObject.cpp:
2548         (JSC::JSGlobalObject::reset):
2549         (JSC::JSGlobalObject::visitChildren):
2550         * runtime/JSGlobalObject.h:
2551         * runtime/JSONObject.cpp:
2552         (JSC::Stringifier::Stringifier):
2553         (JSC::Stringifier::toJSON):
2554         (JSC::Stringifier::appendStringifiedValue):
2555         * runtime/JSObject.cpp:
2556         (JSC::JSObject::put):
2557         * runtime/JSObject.h:
2558         * runtime/NativeErrorConstructor.cpp:
2559         (JSC::NativeErrorConstructor::getCallDataVirtual):
2560         * runtime/NativeErrorConstructor.h:
2561         * runtime/NumberConstructor.cpp:
2562         (JSC::NumberConstructor::getCallDataVirtual):
2563         * runtime/NumberConstructor.h:
2564         * runtime/ObjectConstructor.cpp:
2565         (JSC::ObjectConstructor::getCallDataVirtual):
2566         * runtime/ObjectConstructor.h:
2567         * runtime/Operations.cpp:
2568         (JSC::jsTypeStringForValue):
2569         (JSC::jsIsObjectType):
2570         (JSC::jsIsFunctionType):
2571         * runtime/PropertySlot.cpp:
2572         (JSC::PropertySlot::functionGetter):
2573         * runtime/RegExpConstructor.cpp:
2574         (JSC::RegExpConstructor::getCallDataVirtual):
2575         * runtime/RegExpConstructor.h:
2576         * runtime/StringConstructor.cpp:
2577         (JSC::StringConstructor::getCallDataVirtual):
2578         * runtime/StringConstructor.h:
2579         * runtime/Structure.h:
2580
2581 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
2582
2583         DFG JIT - only Array predictions can result in unboxed cells in register file
2584         https://bugs.webkit.org/show_bug.cgi?id=69695
2585
2586         Reviewed by Filip Pizlo.
2587
2588         In the current DFG JIT, only array predictions can result in unboxed cells
2589         in the register file; the other cell predictions cannot.
2590
2591         * dfg/DFGSpeculativeJIT.h:
2592         (JSC::DFG::ValueSource::forPrediction):
2593
2594 2011-10-07  Yuqiang Xian  <yuqiang.xian@intel.com>
2595
2596         bug fixes for ArrayPush and ArrayPop in 32_64 DFG JIT
2597         https://bugs.webkit.org/show_bug.cgi?id=69696
2598
2599         Reviewed by Filip Pizlo.
2600
2601         On 32-bit, we should use TimesEight (8) instead of ScalePtr (4)
2602         to compute the address of a JS array element.
2603
2604         * dfg/DFGSpeculativeJIT32_64.cpp:
2605         (JSC::DFG::SpeculativeJIT::compile):
2606
2607 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2608
2609         Add static version of JSCell::deleteProperty
2610         https://bugs.webkit.org/show_bug.cgi?id=69659
2611
2612         Reviewed by Geoffrey Garen.
2613
2614         Added static version of both versions of put to all classes that 
2615         override them and changed the virtual versions to call the static 
2616         versions.  This is the first step in de-virtualizing JSCell::deleteProperty.
2617
2618         * API/JSCallbackObject.h:
2619         * API/JSCallbackObjectFunctions.h:
2620         (JSC::::deleteProperty):
2621         * debugger/DebuggerActivation.cpp:
2622         (JSC::DebuggerActivation::deleteProperty):
2623         * debugger/DebuggerActivation.h:
2624         * runtime/Arguments.cpp:
2625         (JSC::Arguments::deleteProperty):
2626         * runtime/Arguments.h:
2627         * runtime/JSActivation.cpp:
2628         (JSC::JSActivation::deleteProperty):
2629         * runtime/JSActivation.h:
2630         * runtime/JSArray.cpp:
2631         (JSC::JSArray::deleteProperty):
2632         * runtime/JSArray.h:
2633         * runtime/JSCell.cpp:
2634         (JSC::JSCell::deleteProperty):
2635         * runtime/JSCell.h:
2636         * runtime/JSFunction.cpp:
2637         (JSC::JSFunction::deleteProperty):
2638         * runtime/JSFunction.h:
2639         * runtime/JSNotAnObject.cpp:
2640         (JSC::JSNotAnObject::deleteProperty):
2641         * runtime/JSNotAnObject.h:
2642         * runtime/JSObject.cpp:
2643         (JSC::JSObject::deleteProperty):
2644         * runtime/JSObject.h:
2645         * runtime/JSVariableObject.cpp:
2646         (JSC::JSVariableObject::deleteProperty):
2647         * runtime/JSVariableObject.h:
2648         * runtime/RegExpMatchesArray.h:
2649         (JSC::RegExpMatchesArray::deleteProperty):
2650         * runtime/StrictEvalActivation.cpp:
2651         (JSC::StrictEvalActivation::deleteProperty):
2652         * runtime/StrictEvalActivation.h:
2653         * runtime/StringObject.cpp:
2654         (JSC::StringObject::deleteProperty):
2655         * runtime/StringObject.h:
2656
2657 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2658
2659         Remove getCallDataVirtual methods
2660         https://bugs.webkit.org/show_bug.cgi?id=69186
2661
2662         Reviewed by Geoffrey Garen.
2663
2664         Removed all getCallDataVirtual methods and replaced their call sites 
2665         with an explicit lookup in the MethodTable.
2666
2667         * API/JSCallbackFunction.cpp:
2668         * API/JSCallbackFunction.h:
2669         * API/JSCallbackObject.h:
2670         * API/JSCallbackObjectFunctions.h:
2671         * API/JSObjectRef.cpp:
2672         (JSObjectIsFunction):
2673         (JSObjectCallAsFunction):
2674         * JavaScriptCore.exp:
2675         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2676         * interpreter/Interpreter.cpp:
2677         (JSC::Interpreter::privateExecute):
2678         * jit/JITStubs.cpp:
2679         (JSC::DEFINE_STUB_FUNCTION):
2680         * runtime/ArrayConstructor.cpp:
2681         * runtime/ArrayConstructor.h:
2682         * runtime/BooleanConstructor.cpp:
2683         * runtime/BooleanConstructor.h:
2684         * runtime/DateConstructor.cpp:
2685         * runtime/DateConstructor.h:
2686         * runtime/Error.cpp:
2687         (JSC::createTypeErrorFunction):
2688
2689         Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
2690         the class definition in JSGlobalObject.cpp.
2691         * runtime/Error.h:
2692         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2693         (JSC::StrictModeTypeErrorFunction::create):
2694         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2695         (JSC::StrictModeTypeErrorFunction::getConstructData):
2696         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2697         (JSC::StrictModeTypeErrorFunction::getCallData):
2698         (JSC::StrictModeTypeErrorFunction::createStructure):
2699         * runtime/ErrorConstructor.cpp:
2700         * runtime/ErrorConstructor.h:
2701         * runtime/FunctionConstructor.cpp:
2702         * runtime/FunctionConstructor.h:
2703         * runtime/FunctionPrototype.cpp:
2704         * runtime/FunctionPrototype.h:
2705
2706         To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) not to have
2707         to declare their own ClassInfo if they don't override getCallData, provided
2708         an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same
2709         functionality as the pure virtual method InternalFunction used to have.
2710         Also made this new implementation protected rather than private for the same reason.
2711         Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever
2712         object is being created provides its own implementation of getCallData.  This
2713         just makes execution fail earlier in a place where the source of the error is
2714         easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
2715         they appear much more intentional to anybody who fails to provide their own
2716         implementation or who tries to explicitly call InternalFunction::getCallData.
2717         * runtime/InternalFunction.cpp:
2718         (JSC::InternalFunction::finishCreation):
2719         (JSC::InternalFunction::getCallData):
2720         * runtime/InternalFunction.h:
2721         * runtime/JSCell.cpp:
2722         * runtime/JSCell.h:
2723         * runtime/JSFunction.cpp:
2724         * runtime/JSFunction.h:
2725
2726         Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
2727         it to be reused rather than creating a new Structure every time we instantiate it.
2728         * runtime/JSGlobalObject.cpp:
2729         (JSC::JSGlobalObject::reset):
2730         (JSC::JSGlobalObject::visitChildren):
2731         * runtime/JSGlobalObject.h:
2732         (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
2733         * runtime/JSONObject.cpp:
2734         (JSC::Stringifier::Stringifier):
2735         (JSC::Stringifier::toJSON):
2736         (JSC::Stringifier::appendStringifiedValue):
2737         * runtime/JSObject.cpp:
2738         (JSC::JSObject::put):
2739         * runtime/JSObject.h:
2740         (JSC::getCallData):
2741         * runtime/NativeErrorConstructor.cpp:
2742         * runtime/NativeErrorConstructor.h:
2743         * runtime/NumberConstructor.cpp:
2744         * runtime/NumberConstructor.h:
2745         * runtime/ObjectConstructor.cpp:
2746         * runtime/ObjectConstructor.h:
2747         * runtime/Operations.cpp:
2748         (JSC::jsTypeStringForValue):
2749         (JSC::jsIsObjectType):
2750         (JSC::jsIsFunctionType):
2751         * runtime/PropertySlot.cpp:
2752         (JSC::PropertySlot::functionGetter):
2753         * runtime/RegExpConstructor.cpp:
2754         * runtime/RegExpConstructor.h:
2755         * runtime/StringConstructor.cpp:
2756         * runtime/StringConstructor.h:
2757         * runtime/Structure.h:
2758
2759 2011-10-07  Oliver Hunt  <oliver@apple.com>
2760
2761         Add missing break statement.
2762
2763         Reviewed by Gavin Barraclough.
2764
2765         * dfg/DFGPropagator.cpp:
2766         (JSC::DFG::Propagator::propagateNodePredictions):
2767
2768 2011-10-07  Oliver Hunt  <oliver@apple.com>
2769
2770         Support some string intrinsics in the DFG JIT
2771         https://bugs.webkit.org/show_bug.cgi?id=69678
2772
2773         Reviewed by Gavin Barraclough.
2774
2775         Add support for charAt and charCodeAt intrinsics in the DFG.
2776
2777         * create_hash_table:
2778         * dfg/DFGByteCodeParser.cpp:
2779         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2780         * dfg/DFGIntrinsic.h:
2781         * dfg/DFGNode.h:
2782         * dfg/DFGPropagator.cpp:
2783         (JSC::DFG::Propagator::propagateNodePredictions):
2784         (JSC::DFG::Propagator::performNodeCSE):
2785         * dfg/DFGSpeculativeJIT.cpp:
2786         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
2787         * dfg/DFGSpeculativeJIT.h:
2788         * dfg/DFGSpeculativeJIT32_64.cpp:
2789         (JSC::DFG::SpeculativeJIT::compile):
2790         * dfg/DFGSpeculativeJIT64.cpp:
2791         (JSC::DFG::SpeculativeJIT::compile):
2792
2793 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2794
2795         Add static version of JSCell::put
2796         https://bugs.webkit.org/show_bug.cgi?id=69382
2797
2798         Reviewed by Geoffrey Garen.
2799
2800         Added static version of both versions of put to all classes that 
2801         override them and changed the virtual versions to call the static 
2802         versions.
2803
2804         * API/JSCallbackObject.h:
2805         * API/JSCallbackObjectFunctions.h:
2806         (JSC::::put):
2807         * JavaScriptCore.exp:
2808         * debugger/DebuggerActivation.cpp:
2809         (JSC::DebuggerActivation::put):
2810         * debugger/DebuggerActivation.h:
2811         * runtime/Arguments.cpp:
2812         (JSC::Arguments::put):
2813         * runtime/Arguments.h:
2814         * runtime/JSActivation.cpp:
2815         (JSC::JSActivation::put):
2816         * runtime/JSActivation.h:
2817         * runtime/JSArray.cpp:
2818         (JSC::JSArray::put):
2819         * runtime/JSArray.h:
2820         * runtime/JSByteArray.cpp:
2821         (JSC::JSByteArray::put):
2822         * runtime/JSByteArray.h:
2823         * runtime/JSCell.cpp:
2824         (JSC::JSCell::put):
2825         * runtime/JSCell.h:
2826         * runtime/JSFunction.cpp:
2827         (JSC::JSFunction::put):
2828         * runtime/JSFunction.h:
2829         * runtime/JSGlobalObject.cpp:
2830         (JSC::JSGlobalObject::put):
2831         * runtime/JSGlobalObject.h:
2832         * runtime/JSNotAnObject.cpp:
2833         (JSC::JSNotAnObject::put):
2834         * runtime/JSNotAnObject.h:
2835         * runtime/JSObject.cpp:
2836         (JSC::JSObject::put):
2837         * runtime/JSObject.h:
2838         * runtime/JSStaticScopeObject.cpp:
2839         (JSC::JSStaticScopeObject::put):
2840         * runtime/JSStaticScopeObject.h:
2841         * runtime/ObjectPrototype.cpp:
2842         (JSC::ObjectPrototype::put):
2843         * runtime/ObjectPrototype.h:
2844         * runtime/RegExpConstructor.cpp:
2845         (JSC::RegExpConstructor::put):
2846         * runtime/RegExpConstructor.h:
2847         * runtime/RegExpMatchesArray.h:
2848         (JSC::RegExpMatchesArray::put):
2849         * runtime/RegExpObject.cpp:
2850         (JSC::RegExpObject::put):
2851         * runtime/RegExpObject.h:
2852         * runtime/StringObject.cpp:
2853         (JSC::StringObject::put):
2854         * runtime/StringObject.h:
2855
2856 2011-10-07  Gavin Barraclough  <barraclough@apple.com>
2857
2858         Refactor DFG to make more use of callOperation
2859         https://bugs.webkit.org/show_bug.cgi?id=69672
2860
2861         Reviewed by Oliver Hunt.
2862
2863         * dfg/DFGJITCodeGenerator.h:
2864         (JSC::DFG::callOperation):
2865             - Added new callOperation calls, don't ASSERT flushed (use helpers for unexpected calls, too).
2866         * dfg/DFGOperations.cpp:
2867         * dfg/DFGOperations.h:
2868             - Switch operationNewObject/operationCreateThis to return Cells,
2869             - Added C_DFGOperation_E/C_DFGOperation_EC/J_DFGOperation_EA/J_DFGOperation_EJA call types.
2870         * dfg/DFGSpeculativeJIT32_64.cpp:
2871         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2872         (JSC::DFG::SpeculativeJIT::emitBranch):
2873         (JSC::DFG::SpeculativeJIT::compile):
2874             - Replace code plating calls to operations with calls to callOperation.
2875         * dfg/DFGSpeculativeJIT64.cpp:
2876         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2877         (JSC::DFG::SpeculativeJIT::emitBranch):
2878         (JSC::DFG::SpeculativeJIT::compile):
2879             - Replace code plating calls to operations with calls to callOperation.
2880
2881 2011-10-07  Oliver Hunt  <oliver@apple.com>
2882
2883         Support string indexing in the DFG
2884         https://bugs.webkit.org/show_bug.cgi?id=69671
2885
2886         Reviewed by Gavin Barraclough.
2887
2888         Emit code to support inline indexing of strings.
2889
2890         * dfg/DFGSpeculativeJIT.cpp:
2891         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2892             Shared code to perform string indexing.
2893         * dfg/DFGSpeculativeJIT.h:
2894         * dfg/DFGSpeculativeJIT32_64.cpp:
2895         (JSC::DFG::SpeculativeJIT::compile):
2896         * dfg/DFGSpeculativeJIT64.cpp:
2897         (JSC::DFG::SpeculativeJIT::compile):
2898             Use compileGetByValOnString if we predict that the base object
2899             is a string in GetByVal.
2900         * runtime/JSString.h:
2901         (JSC::JSString::offsetOfFiberCount):
2902         (JSC::JSString::offsetOfValue):
2903
2904 2011-10-07  Filip Pizlo  <fpizlo@apple.com>
2905
2906         DFG ConvertThis speculation logic is wrong
2907         https://bugs.webkit.org/show_bug.cgi?id=69663
2908
2909         Reviewed by Oliver Hunt.
2910
2911         * dfg/DFGPropagator.cpp:
2912         (JSC::DFG::Propagator::fixupNode):
2913         * dfg/DFGSpeculativeJIT32_64.cpp:
2914         (JSC::DFG::SpeculativeJIT::compile):
2915         * dfg/DFGSpeculativeJIT64.cpp:
2916         (JSC::DFG::SpeculativeJIT::compile):
2917
2918 2011-10-07  Oliver Hunt  <oliver@apple.com>
2919
2920         Verify that our call speculation is valid.
2921
2922         Reviewed by Filip Pizlo.
2923
2924         Before specialising an intrinsic we need to verify that
2925         our speculation is correct.
2926
2927         * dfg/DFGByteCodeParser.cpp:
2928         (JSC::DFG::ByteCodeParser::parseBlock):
2929
2930 2011-10-07  Brent Fulgham  <bfulgham@webkit.org>
2931
2932         [WinCairo] Unreviewed build correction for the build bot.
2933
2934         * JavaScriptCore.vcproj/JavaScriptCore.sln: Add the missing
2935         Release_Cairo_CFLite and Debug_Cairo_CFLite targets so that
2936         build-jsc can find the target it needs to run the JSC tests.
2937
2938 2011-10-07  Oliver Hunt  <oliver@apple.com>
2939
2940         Fix 32-bit build.
2941
2942         * jit/JITCall32_64.cpp:
2943         (JSC::JIT::compileOpCall):
2944
2945 2011-10-07  Oliver Hunt  <oliver@apple.com>
2946
2947         Support direct calls to intrinsic functions
2948         https://bugs.webkit.org/show_bug.cgi?id=69646
2949
2950         Reviewed by Gavin Barraclough.
2951
2952         Add support for optimising non-method_check calls
2953         to intrinsic functions (e.g. when Math.abs, etc. are
2954         cached in local variables).
2955
2956         * bytecode/CodeBlock.h:
2957         (JSC::getCallLinkInfoBytecodeIndex):
2958             Support searching CallLinkInfos by bytecode index
2959         * dfg/DFGByteCodeParser.cpp:
2960         (JSC::DFG::ByteCodeParser::parseBlock):
2961             Add support for linked calls in addition to method_check
2962             when searching for intrinsics
2963         * dfg/DFGNode.h:
2964         (JSC::DFG::Node::hasFunctionCheckData):
2965         (JSC::DFG::Node::function):
2966             Add ability to store a JSFunction* in a node - this is safe
2967             as the function will be marked by the codeblock we're compiling
2968         * dfg/DFGPropagator.cpp:
2969         (JSC::DFG::Propagator::propagateNodePredictions):
2970         (JSC::DFG::Propagator::checkFunctionElimination):
2971         (JSC::DFG::Propagator::performNodeCSE):
2972             Add support for new CheckFunction node, and implement CSE pass.
2973         * dfg/DFGSpeculativeJIT32_64.cpp:
2974         (JSC::DFG::SpeculativeJIT::compile):
2975         * dfg/DFGSpeculativeJIT64.cpp:
2976         (JSC::DFG::SpeculativeJIT::compile):
2977             Rather trivial implementation of CheckFunction
2978         * jit/JIT.cpp:
2979         (JSC::JIT::privateCompile):
2980         * jit/JIT.h:
2981         * jit/JITCall.cpp:
2982         (JSC::JIT::compileOpCall):
2983         * jit/JITCall32_64.cpp:
2984         (JSC::JIT::compileOpCall):
2985             Need to propagate bytecode index for calls now.
2986
2987 2011-10-07  Dominic Cooney  <dominicc@chromium.org>
2988
2989         [JSC] Disable ThreadRestrictionVerifier for JIT ExecutableMemoryHandles
2990         https://bugs.webkit.org/show_bug.cgi?id=69599
2991
2992         Reviewed by Sam Weinig.
2993
2994         DFG JIT manipulates MetaAllocatorHandles across threads, e.g. in
2995         allocating JITCode buffers on a background thread to execute a
2996         proxy autoconfiguration PAC file but garbage collecting it in
2997         response to allocation on the main thread. Disabling
2998         ThreadRestrictionVerification until there is a verification scheme
2999         that understands this handoff.
3000
3001         * wtf/MetaAllocator.cpp:
3002         (WTF::MetaAllocator::allocate):
3003
3004 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3005
3006         DFG should not always speculate that ConvertThis is operating on an object
3007         https://bugs.webkit.org/show_bug.cgi?id=69570
3008
3009         Reviewed by Oliver Hunt.
3010         
3011         Mostly neutral, but with a slight regression in Kraken since it increases
3012         coverage in DFG and thus reveals some performance pathologies (which I
3013         prefer to think of as performance opportunities, in a good way).
3014
3015         * bytecode/PredictedType.cpp:
3016         (JSC::predictionToString):
3017         * bytecode/PredictedType.h:
3018         (JSC::isOtherPrediction):
3019         (JSC::mergePredictions):
3020         * dfg/DFGPropagator.cpp:
3021         (JSC::DFG::Propagator::propagateNodePredictions):
3022         * dfg/DFGSpeculativeJIT32_64.cpp:
3023         (JSC::DFG::SpeculativeJIT::compile):
3024         * dfg/DFGSpeculativeJIT64.cpp:
3025         (JSC::DFG::SpeculativeJIT::compile):
3026
3027 2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3028
3029         Windows build fix
3030
3031         Unreviewed build fix.  Weird runtime failures on Windows due to 
3032         linking issues caused by the ClassInfo struct in JSByteArray not 
3033         being declared with JS_EXPORTDATA.
3034
3035         * runtime/JSByteArray.h:
3036
3037 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3038
3039         Structure does not reset m_previous when pinning the property map
3040         https://bugs.webkit.org/show_bug.cgi?id=69583
3041
3042         Reviewed by Gavin Barraclough.
3043         
3044         This is a 0.6% performance improvement in V8, and 0.2% overall.
3045
3046         * runtime/Structure.cpp:
3047         (JSC::Structure::changePrototypeTransition):
3048         (JSC::Structure::despecifyFunctionTransition):
3049         (JSC::Structure::getterSetterTransition):
3050         (JSC::Structure::toDictionaryTransition):
3051         (JSC::Structure::preventExtensionsTransition):
3052         (JSC::Structure::addPropertyWithoutTransition):
3053         (JSC::Structure::removePropertyWithoutTransition):
3054         (JSC::Structure::pin):
3055         * runtime/Structure.h:
3056
3057 2011-10-06  Anders Carlsson  <andersca@apple.com>
3058
3059         When building with clang, enable -Wglobal-constructors and -Wexit-time-destructors
3060         https://bugs.webkit.org/show_bug.cgi?id=69586
3061
3062         Reviewed by Darin Adler.
3063
3064         * Configurations/Base.xcconfig:
3065         Add -Wglobal-constructors and -Wexit-time-destructors when building with clang.
3066
3067         * JavaScriptCore.xcodeproj/project.pbxproj:
3068         When building with clang, we don't need to run the check-for-global-initializers and
3069         check-for-exit-time-destructors anymore.
3070
3071         * jsc.cpp:
3072         (runInteractive):
3073         Move interpreterName into runInteractive.
3074
3075         * wtf/StdLibExtras.h:
3076         When building with clang, disable the -Wglobal-constructors and -Wexit-time-destructors
3077         warnings around the variable declaration.
3078
3079 2011-10-06  Anders Carlsson  <andersca@apple.com>
3080
3081         Add DEFINE_DEBUG_ONLY_GLOBAL for globals that should be defined in debug builds
3082         https://bugs.webkit.org/show_bug.cgi?id=69584
3083
3084         Reviewed by Darin Adler.
3085
3086         Add DEFINE_DEBUG_ONLY_GLOBAL macro.
3087
3088         * wtf/StdLibExtras.h:
3089
3090 2011-10-06  Oliver Hunt  <oliver@apple.com>
3091
3092         Write barrier shouldn't allocate temporaries inside control flow
3093         https://bugs.webkit.org/show_bug.cgi?id=69582
3094
3095         Reviewed by Gavin Barraclough.
3096
3097         Reorder the code to avoid spill-related badness.
3098
3099         * dfg/DFGJITCodeGenerator.cpp:
3100         (JSC::DFG::JITCodeGenerator::writeBarrier):
3101
3102 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3103
3104         DFG::shouldSpeculate methods are too complicated
3105         https://bugs.webkit.org/show_bug.cgi?id=69560
3106
3107         Reviewed by Geoffrey Garen.
3108         
3109         Moved shouldSpeculate methods to DFG::Node, and cleaned them up to
3110         just use node predictions.
3111         
3112         By itself this would have meant that SpeculativeJIT code would have
3113         had to say things like m_jit.graph()[nodeIndex].shouldSpeculateXYZ().
3114         So this adds an at(NodeIndex) method to JITCodeGenerator. I replaced
3115         all uses of the m_jit.graph()[nodeIndex] idiom with at(nodeIndex).
3116         
3117         This is a 0.4% progression overall that shows up in all benchmarks,
3118         for reasons unknown.
3119
3120         * dfg/DFGJITCodeGenerator.h:
3121         (JSC::DFG::JITCodeGenerator::at):
3122         (JSC::DFG::JITCodeGenerator::canReuse):
3123         (JSC::DFG::JITCodeGenerator::isFilled):
3124         (JSC::DFG::JITCodeGenerator::isFilledDouble):
3125         (JSC::DFG::JITCodeGenerator::use):
3126         (JSC::DFG::JITCodeGenerator::silentSpillFPR):
3127         (JSC::DFG::JITCodeGenerator::silentFillGPR):
3128         (JSC::DFG::JITCodeGenerator::silentFillFPR):
3129         (JSC::DFG::detectPeepHoleBranch):
3130         (JSC::DFG::integerResult):
3131         (JSC::DFG::noResult):
3132         (JSC::DFG::cellResult):
3133         (JSC::DFG::jsValueResult):
3134         (JSC::DFG::storageResult):
3135         (JSC::DFG::doubleResult):
3136         (JSC::DFG::initConstantInfo):
3137         (JSC::DFG::appendCallWithExceptionCheck):
3138         * dfg/DFGJITCodeGenerator32_64.cpp:
3139         (JSC::DFG::JITCodeGenerator::fillInteger):
3140         (JSC::DFG::JITCodeGenerator::fillDouble):
3141         (JSC::DFG::JITCodeGenerator::fillJSValue):
3142         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
3143         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
3144         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
3145         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
3146         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
3147         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
3148         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3149         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
3150         (JSC::DFG::JITCodeGenerator::emitCall):
3151         * dfg/DFGJITCodeGenerator64.cpp:
3152         (JSC::DFG::JITCodeGenerator::fillInteger):
3153         (JSC::DFG::JITCodeGenerator::fillDouble):
3154         (JSC::DFG::JITCodeGenerator::fillJSValue):
3155         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
3156         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
3157         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3158         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
3159         (JSC::DFG::JITCodeGenerator::emitCall):
3160         * dfg/DFGNode.h:
3161         (JSC::DFG::Node::shouldSpeculateInteger):
3162         (JSC::DFG::Node::shouldSpeculateDouble):
3163         (JSC::DFG::Node::shouldSpeculateNumber):
3164         (JSC::DFG::Node::shouldNotSpeculateInteger):
3165         (JSC::DFG::Node::shouldSpeculateFinalObject):
3166         (JSC::DFG::Node::shouldSpeculateFinalObjectOrOther):
3167         (JSC::DFG::Node::shouldSpeculateArray):
3168         (JSC::DFG::Node::shouldSpeculateArrayOrOther):
3169         (JSC::DFG::Node::shouldSpeculateObject):
3170         (JSC::DFG::Node::shouldSpeculateCell):
3171         (JSC::DFG::Node::canSpeculateInteger):
3172         * dfg/DFGSpeculativeJIT.cpp:
3173         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
3174         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
3175         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
3176         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3177         (JSC::DFG::SpeculativeJIT::compile):
3178         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3179         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3180         * dfg/DFGSpeculativeJIT.h:
3181         (JSC::DFG::SpeculativeJIT::isInteger):
3182         (JSC::DFG::SpeculativeJIT::isKnownArray):
3183         (JSC::DFG::SpeculativeJIT::isKnownString):
3184         * dfg/DFGSpeculativeJIT32_64.cpp:
3185         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3186         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3187         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3188         (JSC::DFG::SpeculativeJIT::convertToDouble):
3189         (JSC::DFG::SpeculativeJIT::compare):
3190         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3191         (JSC::DFG::SpeculativeJIT::emitBranch):
3192         (JSC::DFG::SpeculativeJIT::compile):
3193         * dfg/DFGSpeculativeJIT64.cpp:
3194         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3195         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3196         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3197         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3198         (JSC::DFG::SpeculativeJIT::compare):
3199         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3200         (JSC::DFG::SpeculativeJIT::emitBranch):
3201         (JSC::DFG::SpeculativeJIT::compile):
3202
3203 2011-10-06  Gavin Peters  <gavinp@chromium.org>
3204
3205         REGRESSION (r96595): First frame in assertion backtraces is no longer labeled "1"
3206         https://bugs.webkit.org/show_bug.cgi?id=69556
3207
3208         Reviewed by Adam Roben.
3209
3210         * wtf/Assertions.cpp:
3211
3212 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3213
3214         DFG implementation of UInt32ToNumber is missing a break statement
3215         https://bugs.webkit.org/show_bug.cgi?id=69552
3216
3217         Reviewed by Oliver Hunt.
3218
3219         * dfg/DFGSpeculativeJIT32_64.cpp:
3220         (JSC::DFG::SpeculativeJIT::compile):
3221         * dfg/DFGSpeculativeJIT64.cpp:
3222         (JSC::DFG::SpeculativeJIT::compile):
3223
3224 2011-10-06  Gavin Barraclough  <barraclough@apple.com>
3225
3226         Unreviewed build fix for DFG JIT 32_64 release builds.
3227
3228         * dfg/DFGJITCompiler.cpp:
3229         * dfg/DFGJITCompiler.h:
3230         * dfg/DFGJITCompiler32_64.cpp:
3231             - Remove three unused methods.
3232
3233 2011-10-06  Gavin Barraclough  <barraclough@apple.com>
3234
3235         DFG JIT 32_64 should check type of values being filled by fillSpeculateInt
3236         https://bugs.webkit.org/show_bug.cgi?id=69549
3237
3238         Reviewed by Oliver Hunt.
3239
3240         This breaks sunspider/3d-cube.
3241
3242         * dfg/DFGSpeculativeJIT32_64.cpp:
3243         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3244             - Speculation check on the tag. 
3245
3246 2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3247
3248         Snow Leopard build fix
3249
3250         Unreviewed build fix
3251
3252         * JavaScriptCore.exp:
3253
3254 2011-10-05  Gavin Barraclough  <barraclough@apple.com>
3255
3256         Add explicit JSGlobalThis type.
3257         https://bugs.webkit.org/show_bug.cgi?id=69478
3258
3259         Reviewed by Darin Adler.
3260
3261         JSC supports a split global object, as used by WebCore for the Window. As a stage
3262         of making this visible to JSC, make it so that if the global this value is not the
3263         global object itself, it must be a subclass of JSGlobalThis.
3264
3265         * API/JSCallbackObjectFunctions.h:
3266         (JSC::::finishCreation):
3267             - Don't pass the thisValue to JSGlobalObject::finishCreation.
3268         * JavaScriptCore.xcodeproj/project.pbxproj:
3269             - Added JSGlobalThis.h
3270         * jsc.cpp:
3271         (GlobalObject::finishCreation):
3272             - Don't pass the thisValue to JSGlobalObject::finishCreation.
3273         * runtime/JSGlobalObject.h:
3274         (JSC::JSGlobalObject::create):
3275         (JSC::JSGlobalObject::finishCreation):
3276             - finishCreation takes a JSGlobalThis, or thisValue is implicit.
3277         * runtime/JSGlobalThis.h: Added.
3278         (JSC::JSGlobalThis::create):
3279         (JSC::JSGlobalThis::JSGlobalThis):
3280         (JSC::JSGlobalThis::finishCreation):
3281             - Thin wrapper on JSNonFinalObject to allow type checking.
3282         * testRegExp.cpp:
3283         (GlobalObject::finishCreation):
3284             - Don't pass the thisValue to JSGlobalObject::finishCreation.
3285
3286 2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3287
3288         JSC objects need to know their own cell size at runtime.
3289         https://bugs.webkit.org/show_bug.cgi?id=69390
3290
3291         Reviewed by Geoffrey Garen.
3292
3293         Added the cellSize field to ClassInfo and the static calculation of 
3294         size of each class to the CREATE_METHOD_TABLE macro, which will be 
3295         renamed in a followup patch to make its name match its broader use.
3296
3297         Also added a few ClassInfo structs so that each object that is allocated has its 
3298         correct size.  
3299
3300         * JavaScriptCore.exp:
3301         * runtime/ClassInfo.h:
3302
3303         Changed JSByteArray s_defaultInfo to s_info so that the template will get the 
3304         correct ClassInfo struct from it when it's allocated.
3305         * runtime/JSByteArray.cpp:
3306         * runtime/JSByteArray.h:
3307         * runtime/JSCell.h:
3308         (JSC::allocateCell):
3309         * runtime/JSNotAnObject.cpp:
3310         * runtime/JSNotAnObject.h:
3311         * runtime/JSObject.cpp:
3312         * runtime/JSObject.h:
3313         (JSC::JSCell::cellSize):
3314         * runtime/JSStaticScopeObject.cpp:
3315         * runtime/JSStaticScopeObject.h:
3316         * runtime/StrictEvalActivation.cpp:
3317         * runtime/StrictEvalActivation.h:
3318
3319 2011-10-06  Gavin Peters  <gavinp@chromium.org>
3320
3321         export new stack dumping method
3322         https://bugs.webkit.org/show_bug.cgi?id=69018
3323
3324         The original landing of bug 69018 didn't export WTFGetBacktrace, so that when bug 69453 landed, the first use
3325         of this function, many builds broke.  So here we add the exports, so that the function is usable.
3326
3327         Reviewed by Adam Roben.
3328
3329         * JavaScriptCore.exp:
3330         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3331
3332 2011-10-06  Csaba Osztrogonác  <ossy@webkit.org>
3333
3334         REGRESSION(r96347): Build is broken with MSVC compiler if !PLATFORM(WINDOWS)
3335         https://bugs.webkit.org/show_bug.cgi?id=69413
3336
3337         Reviewed by Darin Adler.
3338
3339         * assembler/MacroAssemblerCodeRef.h: Define STDCALL for MSVC in a proper way.
3340
3341 2011-10-05  Filip Pizlo  <fpizlo@apple.com>
3342
3343         SpeculativeJIT::isKnownString() is wrong
3344         https://bugs.webkit.org/show_bug.cgi?id=69501
3345
3346         Reviewed by Oliver Hunt.
3347         
3348         Removed the wrong case (GetLocal predicted String) and added a case that
3349         works (StrCat).
3350
3351         * dfg/DFGSpeculativeJIT.h:
3352         (JSC::DFG::SpeculativeJIT::isKnownString):
3353
3354 2011-10-05  Ryosuke Niwa  <rniwa@webkit.org>
3355
3356         Windows build fix attempt after r96760.
3357
3358         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3359
3360 2011-10-05  Chris Rogers  <crogers@google.com>
3361
3362         Define a log2f() function for Windows in wtf/MathExtras.h
3363         https://bugs.webkit.org/show_bug.cgi?id=69491
3364
3365         Reviewed by Darin Adler.
3366
3367         * wtf/MathExtras.h:
3368         (log2f):
3369
3370 2011-10-05  Jer Noble  <jer.noble@apple.com>
3371
3372         Enable WEB_AUDIO by default in the WebKit/mac port.
3373         https://bugs.webkit.org/show_bug.cgi?id=68587
3374
3375         Reviewed by Simon Fraser.
3376
3377         * Configurations/FeatureDefines.xcconfig:
3378         * wtf/Platform.h:
3379
3380 2011-10-05  Filip Pizlo  <fpizlo@apple.com>
3381
3382         Assertion hit in JSC::DFG::SpeculativeJIT::compile on SL bots
3383         https://bugs.webkit.org/show_bug.cgi?id=69346
3384
3385         Reviewed by Oliver Hunt.
3386         
3387         Removed the assertion, since it was completely wrong for op_post_inc.
3388         Short of having specialized PostInc nodes in the DFG, there is no
3389         robust way of asserting what this assertion was trying to assert while
3390         also supporting op_post_inc.
3391
3392         * dfg/DFGByteCodeParser.cpp:
3393         (JSC::DFG::ByteCodeParser::parseBlock):
3394         * dfg/DFGSpeculativeJIT64.cpp:
3395         (JSC::DFG::SpeculativeJIT::compile):
3396         * dfg/DFGSpeculativeJIT32_64.cpp:
3397         (JSC::DFG::SpeculativeJIT::compile):
3398
3399 2011-10-05  Geoffrey Garen  <ggaren@apple.com>
3400
3401         Added a simpler mechanism for registering one-off finalizers
3402         https://bugs.webkit.org/show_bug.cgi?id=69466
3403
3404         Reviewed by Oliver Hunt.
3405
3406         * heap/Heap.cpp:
3407         (JSC::Heap::addFinalizer):
3408         (JSC::Heap::FinalizerOwner::finalize):
3409         * heap/Heap.h: New function for adding an arbitrary finalizer for an
3410         arbitrary cell without declaring any special classes or Handles yourself.
3411
3412         * JavaScriptCore.exp: Fix build.
3413
3414         * runtime/Executable.cpp:
3415         (JSC::ExecutableBase::clearCode):
3416         (JSC::ExecutableBase::clearCodeVirtual):
3417         (JSC::EvalExecutable::clearCodeVirtual):
3418         (JSC::ProgramExecutable::clearCodeVirtual):
3419         (JSC::FunctionExecutable::discardCode):
3420         (JSC::FunctionExecutable::clearCodeVirtual):
3421         * runtime/Executable.h:
3422         (JSC::ExecutableBase::finishCreation): Use the new mechanism for eager
3423         finalization of executables.
3424
3425         * runtime/JSGlobalObject.cpp:
3426         (JSC::JSGlobalObject::clearRareData):
3427         * runtime/JSGlobalObject.h:
3428         (JSC::JSGlobalObject::createRareDataIfNeeded):
3429         (JSC::JSGlobalObject::registerWeakMap): Use the new mechanism for eager
3430         finalization of weak maps.
3431
3432 2011-10-05  Adam Roben  <aroben@apple.com>
3433
3434         Ensure RetainPtr::hashTableDeletedValue returns a pointer, not a pointer to a pointer
3435
3436         RetainPtr's behavior of allowing the template parameter to be either a pointer type or a
3437         pointed-to type confused us when we implemented hashTableDeletedValue.
3438
3439         Fixes <http://webkit.org/b/69414> <rdar://problem/10236833> Using RetainPtr as the key type
3440         in HashMap/HashSet fails to compile
3441
3442         Reviewed by John Sullivan.
3443
3444         * wtf/RetainPtr.h:
3445         (WTF::RetainPtr::hashTableDeletedValue): Changed to use the PtrType typedef rather than T*,
3446         since T might itself be a pointer.
3447
3448         (WTF::PtrHash<RetainPtr<P> >): Updated this to use PtrType everywhere, even though T* didn't
3449         seem to be causing a problem.
3450
3451 2011-10-05  Oliver Hunt  <oliver@apple.com>
3452
3453         Remove last vestiges of anonymous storage.
3454
3455         Reviewed by Gavin Barraclough.
3456
3457         One anonymous storage function escaped my prior purge of
3458         this feature; this patch removes it.
3459
3460         * runtime/JSGlobalObject.h:
3461         (JSC::JSGlobalObject::finishCreation):
3462         * runtime/JSObject.h:
3463
3464 2011-10-04  Filip Pizlo  <fpizlo@apple.com>
3465
3466         DFG should be capable of a broader range of speculations on branch and not
3467         https://bugs.webkit.org/show_bug.cgi?id=69322
3468
3469         Reviewed by Oliver Hunt.
3470         
3471         * bytecode/PredictedType.h:
3472         (JSC::isFinalObjectOrOtherPrediction):
3473         (JSC::isArrayOrOtherPrediction):
3474         * dfg/DFGJITCodeGenerator.cpp:
3475         * dfg/DFGJITCodeGenerator.h:
3476         (JSC::DFG::JITCodeGenerator::JITCodeGenerator):
3477         * dfg/DFGJITCodeGenerator32_64.cpp:
3478         (JSC::DFG::JITCodeGenerator::fillDouble):
3479         (JSC::DFG::JITCodeGenerator::fillJSValue):
3480         * dfg/DFGJITCodeGenerator64.cpp:
3481         (JSC::DFG::JITCodeGenerator::fillDouble):
3482         (JSC::DFG::JITCodeGenerator::fillJSValue):
3483         * dfg/DFGOperations.cpp:
3484         * dfg/DFGSpeculativeJIT.h:
3485         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObjectOrOther):
3486         (JSC::DFG::SpeculativeJIT::shouldSpeculateArrayOrOther):
3487         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3488         * dfg/DFGSpeculativeJIT32_64.cpp:
3489         (JSC::DFG::SpeculativeJIT::emitBranch):
3490         * dfg/DFGSpeculativeJIT64.cpp:
3491         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3492         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3493         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3494         (JSC::DFG::SpeculativeJIT::emitBranch):
3495
3496 2011-10-05  Sheriff Bot  <webkit.review.bot@gmail.com>
3497
3498         Unreviewed, rolling out r96733.
3499         http://trac.webkit.org/changeset/96733
3500         https://bugs.webkit.org/show_bug.cgi?id=69454
3501
3502         Broke GCC for some reason (Requested by andersca on #webkit).
3503
3504         * wtf/ListHashSet.h:
3505         (WTF::ListHashSetReverseIterator::ListHashSetReverseIterator):
3506         (WTF::ListHashSetReverseIterator::get):
3507         (WTF::ListHashSetReverseIterator::operator*):
3508         (WTF::ListHashSetReverseIterator::operator->):
3509         (WTF::ListHashSetReverseIterator::operator++):
3510         (WTF::ListHashSetReverseIterator::operator--):
3511         (WTF::ListHashSetReverseIterator::operator==):
3512         (WTF::ListHashSetReverseIterator::operator!=):
3513         (WTF::ListHashSetReverseIterator::operator const_reverse_iterator):
3514         (WTF::ListHashSetReverseIterator::node):
3515         (WTF::ListHashSetConstReverseIterator::ListHashSetConstReverseIterator):
3516         (WTF::ListHashSetConstReverseIterator::get):
3517         (WTF::ListHashSetConstReverseIterator::operator*):
3518         (WTF::ListHashSetConstReverseIterator::operator->):
3519         (WTF::ListHashSetConstReverseIterator::operator++):
3520         (WTF::ListHashSetConstReverseIterator::operator--):
3521         (WTF::ListHashSetConstReverseIterator::operator==):
3522         (WTF::ListHashSetConstReverseIterator::operator!=):
3523         (WTF::ListHashSetConstReverseIterator::node):
3524         (WTF::::rbegin):
3525         (WTF::::rend):
3526         (WTF::::makeReverseIterator):
3527         (WTF::::makeConstReverseIterator):
3528
3529 2011-10-04  Oliver Hunt  <oliver@apple.com>
3530
3531         Add rudimentary filtering to write barriers
3532         https://bugs.webkit.org/show_bug.cgi?id=69392
3533
3534         Reviewed by Filip Pizlo.
3535
3536         Add approximate filtering for write barriers based on the
3537         target's mark bit.  Also add some macros to support dumping
3538         GC phase timings.
3539
3540         * dfg/DFGJITCodeGenerator.cpp:
3541         (JSC::DFG::JITCodeGenerator::markCellCard):
3542         * heap/Heap.cpp:
3543         (JSC::GCTimer::GCTimerScope::GCTimerScope):
3544         (JSC::GCTimer::GCTimerScope::~GCTimerScope):
3545         (JSC::Heap::markRoots):
3546         (JSC::Heap::collect):
3547            Add phase timing information.
3548         * heap/MarkedBlock.h:
3549         (JSC::MarkedBlock::offsetOfMarks):
3550         (JSC::MarkedBlock::gatherDirtyCells):
3551         * jit/JITPropertyAccess.cpp:
3552         (JSC::JIT::emitWriteBarrier):
3553
3554 2011-10-05  Anders Carlsson  <andersca@apple.com>
3555
3556         Use std::reverse_iterator for ListHashSet reverse iterators
3557         https://bugs.webkit.org/show_bug.cgi?id=69446
3558
3559         Reviewed by Darin Adler.
3560
3561         * wtf/ListHashSet.h:
3562         Use the std::reverse_iterator iterator adaptor for the ListHashSet reverse iterators
3563         and get rid of the ListHashSetReverseIterator and ListHashSetConstReverseIterator classes.
3564
3565 2011-10-04  Gavin Barraclough  <barraclough@apple.com>
3566
3567         Make Object.prototype getter/setter methods match ES5 behaviour
3568         https://bugs.webkit.org/show_bug.cgi?id=69393
3569
3570         Reviewed by Sam Weinig.
3571
3572         The rest of Object.prototype no longer substitutes Null/Undefined with the global object;
3573         this is old ES3 behaviour. Remove it here too.
3574
3575         * runtime/ObjectPrototype.cpp:
3576         (JSC::objectProtoFuncDefineGetter):
3577         (JSC::objectProtoFuncDefineSetter):
3578         (JSC::objectProtoFuncLookupGetter):
3579         (JSC::objectProtoFuncLookupSetter):
3580
3581 2011-10-05  Patrick Gansterer  <paroga@webkit.org>
3582
3583         Get rid of posixThread in MachineStackMarker::Thread
3584         https://bugs.webkit.org/show_bug.cgi?id=54836
3585
3586         Reviewed by Oliver Hunt.
3587
3588         * heap/MachineStackMarker.cpp:
3589         (JSC::MachineThreads::Thread::Thread):
3590         (JSC::getCurrentPlatformThread):
3591         (JSC::equalThread):
3592         (JSC::MachineThreads::addCurrentThread):
3593         (JSC::MachineThreads::removeCurrentThread):
3594         (JSC::MachineThreads::gatherConservativeRoots):
3595
3596 2011-10-04  Geoffrey Garen  <ggaren@apple.com>
3597
3598         Removed JSValue::toJSNumber
3599         https://bugs.webkit.org/show_bug.cgi?id=69399
3600
3601         No perf. change.
3602
3603         toJSNumber() used to provide an implicit fast path for immediate numbers,
3604         but those fast paths are all explicit now, so it's just cruft.
3605
3606         * interpreter/Interpreter.cpp:
3607         (JSC::Interpreter::privateExecute):
3608         * jit/JITStubs.cpp:
3609         (JSC::DEFINE_STUB_FUNCTION):
3610         * runtime/JSValue.h:
3611         * runtime/JSValueInlineMethods.h:
3612
3613 2011-10-05  Gavin Peters  <gavinp@chromium.org>
3614
3615         REGRESSION (r96595): WTFReportBacktrace listed as the top frame in all assertion backtraces
3616         https://bugs.webkit.org/show_bug.cgi?id=69424
3617
3618         Skip an extra frame in WTFReportBacktrace.  As well, I now don't count skipped frames in maxFrames,
3619         so I've updated maxFrames to 31, as with one skipped frame the previous value was effectively
3620         31 reported frames.
3621
3622         Reviewed by Adam Roben.
3623
3624         * wtf/Assertions.cpp:
3625         * wtf/Assertions.h:
3626
3627 2011-10-05  Patrick Gansterer  <paroga@webkit.org>
3628
3629         Unreviewed WinCE build fix for r96595.
3630
3631         * wtf/Assertions.cpp:
3632         RtlCaptureStackBackTrace() isn't available on WinCE.
3633
3634 2011-10-04  Kent Tamura  <tkent@chromium.org>
3635
3636         Introduce feature flags for incomplete input types
3637         https://bugs.webkit.org/show_bug.cgi?id=68971
3638
3639         Reviewed by Hajime Morita.
3640
3641         * Configurations/FeatureDefines.xcconfig:
3642         Add ENABLE_INPUT_TYPE_* flags. They are enabled only for iOS.
3643
3644 2011-10-04  Geoffrey Garen  <ggaren@apple.com>
3645
3646         Build fix.
3647
3648         * jit/JITStubs.cpp:
3649         (JSC::DEFINE_STUB_FUNCTION): Use an explicit cast when shortening.
3650
3651 2011-10-04  Mark Hahnenberg  <mhahnenberg@apple.com>
3652
3653         Add static ClassInfo structs to classes that override JSCell::getCallData
3654         https://bugs.webkit.org/show_bug.cgi?id=69311
3655
3656         Reviewed by Darin Adler.
3657
3658         Added ClassInfo structs to each class that defined its own getCallData 
3659         function but did not already have its own ClassInfo struct.  This is a 
3660         necessary addition for when we switch over to looking up getCallData from 
3661         the MethodTable in ClassInfo rather than doing the virtual call (which we 
3662         are removing).  These new ClassInfo structs are public because we often 
3663         use these structs in other areas of the code to uniquely identify JSC classes and 
3664         to enforce runtime invariants based on those class identities using ASSERTs.
3665         Also added new createStructure methods to those classes that didn't have 
3666         them so that the new ClassInfo structs would be used when creating the Structures 
3667         in these classes.
3668
3669         * runtime/BooleanConstructor.cpp:
3670         * runtime/BooleanConstructor.h:
3671         (JSC::BooleanConstructor::createStructure):
3672
3673         getCallData was not marked as static in StrictModeTypeErrorFunction.  
3674         * runtime/Error.cpp:
3675         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
3676         (JSC::StrictModeTypeErrorFunction::getCallData):
3677         (JSC::StrictModeTypeErrorFunction::createStructure):
3678         * runtime/ErrorConstructor.cpp:
3679         * runtime/ErrorConstructor.h:
3680         (JSC::ErrorConstructor::createStructure):
3681         * runtime/FunctionConstructor.cpp:
3682         * runtime/FunctionConstructor.h:
3683         (JSC::FunctionConstructor::createStructure):
3684         * runtime/FunctionPrototype.cpp:
3685         * runtime/FunctionPrototype.h:
3686
3687 2011-10-03  Geoffrey Garen  <ggaren@apple.com>
3688
3689         Some JSValue cleanup
3690         https://bugs.webkit.org/show_bug.cgi?id=69320
3691
3692         Reviewed by Darin Adler.
3693         
3694         No measurable performance change.
3695
3696         Removed some JSValue::get* functions. get* used to be an optimization
3697         when every value operation was a virtual function call: get* would combine
3698         two virtual calls into one. Now, with non-virtual, inlined functions, get*
3699         isn't faster, and may be slightly slower.
3700
3701         Merged getBoolean(bool&) and getBoolean() into asBoolean().
3702
3703         Merged uncheckedGetNumber(), getJSNumber() and getNumber() into
3704         asNumber().
3705
3706         * runtime/JSValue.h:
3707         * runtime/JSValueInlineMethods.h:
3708         (JSC::JSValue::asNumber):
3709         (JSC::JSValue::asBoolean): As promised!
3710
3711         * runtime/NumberPrototype.cpp:
3712         (JSC::toThisNumber):
3713         (JSC::numberProtoFuncToExponential):
3714         (JSC::numberProtoFuncToFixed):
3715         (JSC::numberProtoFuncToPrecision):
3716         (JSC::numberProtoFuncToString):
3717         (JSC::numberProtoFuncToLocaleString):
3718         (JSC::numberProtoFuncValueOf): Removed a bunch of uses of getJSNumber()
3719         by switching to toThisNumber().
3720
3721         * API/JSCallbackObjectFunctions.h:
3722         (JSC::::toNumber):
3723         * dfg/DFGGraph.h:
3724         (JSC::DFG::Graph::valueOfNumberConstant):
3725         (JSC::DFG::Graph::valueOfBooleanConstant):
3726         * dfg/DFGOperations.cpp:
3727         (JSC::DFG::putByVal):
3728         * interpreter/Interpreter.cpp:
3729         (JSC::Interpreter::privateExecute):
3730         * jit/JITStubs.cpp:
3731         (JSC::DEFINE_STUB_FUNCTION):
3732         * runtime/DateInstance.h:
3733         (JSC::DateInstance::internalNumber):
3734         * runtime/FunctionPrototype.cpp:
3735         (JSC::functionProtoFuncBind):
3736         * runtime/JSArray.cpp:
3737         (JSC::compareNumbersForQSort): Replaced getNumber() => isNumber() / asNumber().
3738         getBoolean() => isBoolean() / asBoolean(), uncheckedGetNumber() => asNumber().
3739
3740         * runtime/JSCell.cpp:
3741         * runtime/JSCell.h: Nixed getJSNumber().
3742
3743         * runtime/JSGlobalObjectFunctions.cpp:
3744         (JSC::globalFuncParseInt):
3745         * runtime/JSONObject.cpp:
3746         (JSC::gap):
3747         (JSC::Stringifier::Stringifier):
3748         (JSC::Stringifier::appendStringifiedValue):
3749         * runtime/NumberObject.cpp:
3750         * runtime/NumberObject.h:
3751         (JSC::NumberObject::createStructure):
3752         * runtime/Operations.h:
3753         (JSC::JSValue::equalSlowCaseInline):
3754         (JSC::JSValue::strictEqual):
3755         (JSC::jsLess):
3756         (JSC::jsLessEq):
3757         (JSC::jsAdd): Replaced getNumber() => isNumber() / asNumber().
3758         getBoolean() => isBoolean() / asBoolean(), uncheckedGetNumber() => asNumber().
3759
3760 2011-10-04  Scott Graham  <scottmg@chromium.org>
3761
3762         Add GAMEPAD feature flag
3763         https://bugs.webkit.org/show_bug.cgi?id=66859
3764
3765         Reviewed by Darin Fisher.
3766
3767         * Configurations/FeatureDefines.xcconfig:
3768
3769 2011-10-03  Filip Pizlo  <fpizlo@apple.com>
3770
3771         JITCodeGenerator should no longer have code that tries too hard
3772         to be both speculative and non-speculative
3773         https://bugs.webkit.org/show_bug.cgi?id=69321
3774
3775         Reviewed by Gavin Barraclough.
3776         
3777         Removed m_isSpeculative and speculationCheck() from JITCodeGenerator.
3778         This required moving emitBranch() to SpeculativeJIT, since it was
3779         the main user of that field and method. Other than trivial clean-ups
3780         in emitBranch(), the code is unchanged (and still has some disparity
3781         between 64 and 32_64, and still lacks some obvious optimizations).
3782
3783         * dfg/DFGJITCodeGenerator.cpp:
3784         * dfg/DFGJITCodeGenerator.h:
3785         (JSC::DFG::JITCodeGenerator::JITCodeGenerator):
3786         * dfg/DFGJITCodeGenerator32_64.cpp:
3787         (JSC::DFG::JITCodeGenerator::fillDouble):
3788         (JSC::DFG::JITCodeGenerator::fillJSValue):
3789         * dfg/DFGJITCodeGenerator64.cpp:
3790         (JSC::DFG::JITCodeGenerator::fillDouble):
3791         (JSC::DFG::JITCodeGenerator::fillJSValue):
3792         * dfg/DFGSpeculativeJIT.h:
3793         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3794         * dfg/DFGSpeculativeJIT32_64.cpp:
3795         (JSC::DFG::SpeculativeJIT::emitBranch):
3796         * dfg/DFGSpeculativeJIT64.cpp:
3797         (JSC::DFG::SpeculativeJIT::emitBranch):
3798
3799 2011-10-04  David Hyatt  <hyatt@apple.com>
3800
3801         https://bugs.webkit.org/show_bug.cgi?id=69372
3802         
3803         [CSS3 Regions] Make sure overflow:visible lets content spill out of regions.
3804         
3805         Add support for reverse iteration to ListHashSet to support being able to walk them
3806         backwards easily.
3807
3808         Reviewed by Anders Carlsson.
3809
3810         * wtf/ListHashSet.h:
3811         (WTF::ListHashSetReverseIterator::ListHashSetReverseIterator):
3812         (WTF::ListHashSetReverseIterator::get):
3813         (WTF::ListHashSetReverseIterator::operator*):
3814         (WTF::ListHashSetReverseIterator::operator->):
3815         (WTF::ListHashSetReverseIterator::operator++):
3816         (WTF::ListHashSetReverseIterator::operator--):
3817         (WTF::ListHashSetReverseIterator::operator==):
3818         (WTF::ListHashSetReverseIterator::operator!=):
3819         (WTF::ListHashSetReverseIterator::operator const_reverse_iterator):
3820         (WTF::ListHashSetReverseIterator::node):
3821         (WTF::ListHashSetConstReverseIterator::ListHashSetConstReverseIterator):
3822         (WTF::ListHashSetConstReverseIterator::get):
3823         (WTF::ListHashSetConstReverseIterator::operator*):
3824         (WTF::ListHashSetConstReverseIterator::operator->):
3825         (WTF::ListHashSetConstReverseIterator::operator++):
3826         (WTF::ListHashSetConstReverseIterator::operator--):
3827         (WTF::ListHashSetConstReverseIterator::operator==):
3828         (WTF::ListHashSetConstReverseIterator::operator!=):
3829         (WTF::ListHashSetConstReverseIterator::node):
3830         (WTF::::rbegin):
3831         (WTF::::rend):
3832         (WTF::::makeReverseIterator):
3833         (WTF::::makeConstReverseIterator):
3834         (WTF::::makeConstIterator):
3835
3836 2011-10-04  Gavin Peters  <gavinp@chromium.org>
3837
3838         fix gtk breakage caused by changeset 96595
3839         https://bugs.webkit.org/show_bug.cgi?id=69371
3840
3841         ews did not catch build breakage in the gtk WebKitPluginProcess target; this patch removes
3842         the pretty printer on gtk, which should fix the build on that platform.
3843
3844         Reviewed by NOBODY, this is a build fix.
3845
3846         * wtf/Assertions.cpp:
3847
3848 2011-10-04  Sheriff Bot  <webkit.review.bot@gmail.com>
3849
3850         Unreviewed, rolling out r96630.
3851         http://trac.webkit.org/changeset/96630
3852         https://bugs.webkit.org/show_bug.cgi?id=69368
3853
3854         Caused assertion failures in validateCell (Requested by
3855         mhahnenberg on #webkit).
3856
3857         * runtime/BooleanConstructor.cpp:
3858         * runtime/BooleanConstructor.h:
3859         * runtime/Error.cpp:
3860         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
3861         (JSC::StrictModeTypeErrorFunction::getCallData):
3862         * runtime/ErrorConstructor.cpp:
3863         * runtime/ErrorConstructor.h:
3864         * runtime/FunctionConstructor.cpp:
3865         * runtime/FunctionConstructor.h:
3866         * runtime/FunctionPrototype.cpp:
3867         * runtime/FunctionPrototype.h:
3868
3869 2011-10-04  Mark Hahnenberg  <mhahnenberg@apple.com>
3870
3871         Add static ClassInfo structs to classes that override JSCell::getCallData
3872         https://bugs.webkit.org/show_bug.cgi?id=69311
3873
3874         Reviewed by Darin Adler.
3875
3876         Added ClassInfo structs to each class that defined its own getCallData 
3877         function but did not already have its own ClassInfo struct.  This is a 
3878         necessary addition for when we switch over to looking up getCallData from 
3879         the MethodTable in ClassInfo rather than doing the virtual call (which we 
3880         are removing).  These new ClassInfo structs are public because we often 
3881         use these structs in other areas of the code to uniquely identify JSC classes and 
3882         to enforce runtime invariants based on those class identities using ASSERTs.
3883
3884         * runtime/BooleanConstructor.cpp:
3885         * runtime/BooleanConstructor.h:
3886
3887         getCallData was not marked as static in StrictModeTypeErrorFunction.
3888         * runtime/Error.cpp:
3889         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
3890         (JSC::StrictModeTypeErrorFunction::getCallData):
3891         * runtime/ErrorConstructor.cpp:
3892         * runtime/ErrorConstructor.h:
3893         * runtime/FunctionConstructor.cpp:
3894         * runtime/FunctionConstructor.h:
3895         * runtime/FunctionPrototype.cpp:
3896         * runtime/FunctionPrototype.h:
3897
3898 2011-10-04  Ryosuke Niwa  <rniwa@webkit.org>
3899
3900         Leopard build fix after r96613.
3901
3902         * wtf/Platform.h:
3903
3904 2011-10-04  Mark Hahnenberg  <mhahnenberg@apple.com>
3905
3906         Implicitly add toString and valueOf to prototype when convertToType callback is provided
3907         https://bugs.webkit.org/show_bug.cgi?id=69156
3908
3909         Reviewed by Geoffrey Garen.
3910
3911         Added callbacks for toString and valueOf which are implicitly added to a client object's
3912         prototype if they provide a convertToType callback when declaring their class through 
3913         the JSC API.
3914
3915         * API/JSCallbackFunction.cpp:
3916         (JSC::JSCallbackFunction::toStringCallback):
3917         (JSC::JSCallbackFunction::valueOfCallback):
3918         * API/JSCallbackFunction.h:
3919         * API/JSClassRef.cpp:
3920         (OpaqueJSClass::prototype):
3921         * API/tests/testapi.js:
3922
3923 2011-10-03  Jon Lee  <jonlee@apple.com>
3924
3925         Extend DOM WheelEvent to differentiate between physical and logical scroll directions
3926         https://bugs.webkit.org/show_bug.cgi?id=68959
3927         <rdar://problem/10036688>
3928
3929         Reviewed by Sam Weinig.
3930
3931         * wtf/Platform.h: Added HAVE_INVERTED_WHEEL_EVENTS for Lion and later.
3932
3933 2011-10-04  Csaba Osztrogonác  <ossy@webkit.org>
3934
3935         MinGW warning fix after r96286.
3936
3937         Avoid redefining STDCALL, because STDCALL is also defined in mingw32/include/windef.h:
3938         #define __stdcall __attribute__((stdcall))
3939         #define STDCALL __stdcall
3940
3941         Reviewed by Tor Arne Vestbø.
3942
3943         * assembler/MacroAssemblerCodeRef.h:
3944
3945 2011-10-04  Gavin Peters  <gavinp@chromium.org>
3946
3947         add more stack dumping methods
3948         https://bugs.webkit.org/show_bug.cgi?id=69018
3949
3950         In addition to WTFReportBacktrace, this adds the cross-platform WTFGetBacktrace, which lets
3951         WebKit programmatically retrieve the current stack.  This is useful if you need to add more
3952         reporting to field crash report uploads, if you're tracking down an irreproducible bug,
3953         for instance.
3954
3955         Reviewed by Darin Adler.
3956
3957         * wtf/Assertions.cpp:
3958         * wtf/Assertions.h:
3959
3960 2011-10-03  Filip Pizlo  <fpizlo@apple.com>
3961
3962         DFG should inline Array.push and Array.pop
3963         https://bugs.webkit.org/show_bug.cgi?id=69314
3964
3965         Reviewed by Geoff Garen.
3966         
3967         Fix 32-bit.
3968
3969         * dfg/DFGSpeculativeJIT32_64.cpp:
3970         (JSC::DFG::SpeculativeJIT::compile):
3971
3972 2011-10-03  Filip Pizlo  <fpizlo@apple.com>
3973
3974         DFG should inline Array.push and Array.pop
3975         https://bugs.webkit.org/show_bug.cgi?id=69314
3976
3977         Reviewed by Oliver Hunt.
3978         
3979         1% speed-up in V8 due to 6% speed-up in V8-deltablue.
3980
3981         * assembler/MacroAssemblerX86_64.h:
3982         (JSC::MacroAssemblerX86_64::storePtr):
3983         * create_hash_table:
3984         * dfg/DFGByteCodeParser.cpp:
3985         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3986         (JSC::DFG::ByteCodeParser::parseBlock):
3987         * dfg/DFGGraph.cpp:
3988         (JSC::DFG::Graph::dump):
3989         * dfg/DFGIntrinsic.h:
3990         * dfg/DFGNode.h:
3991         (JSC::DFG::Node::hasHeapPrediction):
3992         * dfg/DFGOperations.cpp:
3993         * dfg/DFGOperations.h:
3994         * dfg/DFGPropagator.cpp:
3995         (JSC::DFG::Propagator::propagateNodePredictions):
3996         (JSC::DFG::Propagator::getByValLoadElimination):
3997         (JSC::DFG::Propagator::getMethodLoadElimination):
3998         * dfg/DFGSpeculativeJIT32_64.cpp:
3999         (JSC::DFG::SpeculativeJIT::compile):
4000         * dfg/DFGSpeculativeJIT64.cpp:
4001         (JSC::DFG::SpeculativeJIT::compile):
4002
4003 2011-10-03  Filip Pizlo  <fpizlo@apple.com>
4004
4005         JSC ASSERT Opening the Web Inspector
4006         https://bugs.webkit.org/show_bug.cgi?id=69293
4007
4008         Reviewed by Oliver Hunt.
4009         
4010         If a polymorphic access structure list has a duplicated structure, then
4011         don't crash.
4012
4013         * dfg/DFGByteCodeParser.cpp:
4014         (JSC::DFG::ByteCodeParser::parseBlock):
4015
4016 2011-10-03  Gavin Barraclough  <barraclough@apple.com>
4017
4018         On X86, switch bucketCount into a register, timeoutCheck into memory
4019         https://bugs.webkit.org/show_bug.cgi?id=69299
4020
4021         Reviewed by Geoff Garen.
4022
4023         We don't have sufficient registers to keep both in registers, and DFG JIT will trample esi;
4024         it doesn't matter if the bucketCount gets stomped on (in fact it may add to randomness!),
4025         but if the timeoutCheck gets trashed we may make calls out to the timout_check stub
4026         function too frequently (regressing performance). This patch has no perf impact on sunspider.
4027
4028         * JavaScriptCore.xcodeproj/project.pbxproj: