Source/JavaScriptCore/ChangeLog (WebKit-https.git)
2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * API/JSValue.mm:
        (isDate):
        (isArray):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapBlock):

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
        https://bugs.webkit.org/show_bug.cgi?id=119770

        Reviewed by Mark Hahnenberg.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * JSCTypedArrayStubs.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isInternalFunctionConstant):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::virtualForThunkGenerator):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * jsc.cpp:
        (GlobalObject::createStructure):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::createCallIdentifier):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        (JSC::asArguments):
        (JSC::Arguments::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorIsArray):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncConcat):
        (JSC::attemptFastSort):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        (JSC::asBooleanObject):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        (JSC::asDateInstance):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        (JSC::ExecutableBase::hashFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncApply):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        (JSC::asInternalFunction):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        (JSC::asActivation):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        (JSC::asArray):
        (JSC::isJSArray):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction):
        * runtime/JSCell.h:
        (JSC::jsCast):
        (JSC::jsDynamicCast):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::visitChildren):
        (JSC::skipOverBoundFunctions):
        (JSC::JSFunction::callerGetter):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        (JSC::slowValidateCell):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::copyBackingStore):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::isJSFinalObject):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        (JSC::isJSString):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSVariableObject.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::createStructure):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NameConstructor.h:
        (JSC::NameConstructor::createStructure):
        * runtime/NameInstance.h:
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::finishCreation):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::finishCreation):
        (JSC::privateNameProtoFuncToString):
        * runtime/NamePrototype.h:
        (JSC::NamePrototype::createStructure):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::finishCreation):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpConstructor::visitChildren):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        (JSC::asRegExpConstructor):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::finishCreation):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        (JSC::asRegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.cpp:
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        (JSC::asStringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::get):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::typeInfo):
        (JSC::Structure::previousID):
        (JSC::Structure::outOfLineSize):
        (JSC::Structure::totalStorageCapacity):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::createStructure):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::StackPreservingRecompiler::operator()):
        (JSC::VM::releaseExecutableMemory):
        * runtime/WriteBarrier.h:
        (JSC::validateCell):
        * testRegExp.cpp:
        (GlobalObject::createStructure):

2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>

        [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
        https://bugs.webkit.org/show_bug.cgi?id=119762

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * jsc.cpp:
        (StopWatch::start):
        (StopWatch::stop):
        * testRegExp.cpp:
        (StopWatch::start):
        (StopWatch::stop):

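The distinction this entry relies on, as an added example in C++ that is not WTF or JavaScriptCore code: elapsed-time measurement belongs on a monotonic clock, and wall-clock time only on timestamps. The StopWatch class, measureSleepMilliseconds, steadyClockNeverDecreases and wallClockUnixMilliseconds below are this example's own names, and std::chrono::steady_clock stands in for monotonicallyIncreasingTime().

```cpp
#include <chrono>
#include <cstdio>
#include <thread>

// Added illustrative example, not WTF or JavaScriptCore code. Elapsed-time
// measurements (GC pause timing, the jsc/testRegExp StopWatch) must come from a
// clock that cannot be stepped backwards. std::chrono::steady_clock is the
// standard C++ monotonic clock; system_clock is the wall clock.

class StopWatch {
    using Clock = std::chrono::steady_clock;
public:
    void start() { m_start = Clock::now(); }
    void stop() { m_stop = Clock::now(); }
    // Milliseconds between start() and stop(); never negative on a steady clock.
    double elapsedMilliseconds() const {
        return std::chrono::duration<double, std::milli>(m_stop - m_start).count();
    }
private:
    Clock::time_point m_start{};
    Clock::time_point m_stop{};
};

// Times a sleep with the monotonic stopwatch. sleep_for blocks for at least the
// requested duration, so the measurement is >= the request regardless of NTP
// steps, DST changes or manual clock edits that happen meanwhile.
double measureSleepMilliseconds(int milliseconds) {
    StopWatch watch;
    watch.start();
    std::this_thread::sleep_for(std::chrono::milliseconds(milliseconds));
    watch.stop();
    return watch.elapsedMilliseconds();
}

// Samples the steady clock repeatedly and reports whether it ever went
// backwards. The same loop over system_clock has no such guarantee.
bool steadyClockNeverDecreases(int samples) {
    auto previous = std::chrono::steady_clock::now();
    for (int i = 0; i < samples; ++i) {
        auto now = std::chrono::steady_clock::now();
        if (now < previous)
            return false;
        previous = now;
    }
    return true;
}

// The wall clock is still the right tool for *when* something happened, e.g.
// stamping a log line; keep the two uses separate.
long long wallClockUnixMilliseconds() {
    using namespace std::chrono;
    return duration_cast<milliseconds>(system_clock::now().time_since_epoch()).count();
}

int main() {
    std::printf("slept ~30 ms, measured %.3f ms\n", measureSleepMilliseconds(30));
    std::printf("steady clock monotonic over 10000 samples: %s\n",
                steadyClockNeverDecreases(10000) ? "yes" : "no");
    std::printf("wall clock now: %lld ms since the Unix epoch\n", wallClockUnixMilliseconds());
    return 0;
}
```

The same rule applies to timeouts, rate limits and lockout windows in security code: an interval computed from a wall clock can go negative or silently stretch when the clock is stepped, while a steady clock makes it depend only on what actually elapsed.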
2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare LLINT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119755

        Reviewed by Oliver Hunt.

        * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
        * offlineasm/sh4.rb:
            - Handle storeb opcode.
            - Make relative jumps when possible using braf opcode.
            - Update bmulio implementation to be consistent with baseline JIT.
            - Remove useless code from leap opcode.
            - Fix incorrect comment.

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare baseline JIT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119758

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
            - Introduce a loadEffectiveAddress function to avoid code duplication.
            - Add ASSERTs and clean code.
        * assembler/SH4Assembler.h:
            - Prepare DFG_JIT implementation.
            - Add ASSERTs.
        * jit/JITStubs.cpp:
            - Add SH4 specific call for assertions.
        * jit/JITStubs.h:
            - Cosmetic change.
        * jit/JITStubsSH4.h:
            - Use constants to be more flexible with sh4 JIT stack frame.
        * jit/JSInterfaceJIT.h:
            - Cosmetic change.

2013-08-13  Oliver Hunt  <oliver@apple.com>

        Harden executeConstruct against incorrect return types from host functions
        https://bugs.webkit.org/show_bug.cgi?id=119757

        Reviewed by Mark Hahnenberg.

        Add logic to guard against bogus return types.  There doesn't seem to be any
        class in webkit that does this wrong, but the typed array stubs in debug JSC
        do exhibit this bad behaviour.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeConstruct):

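The guard this entry describes, as an added model in C++ that is not JavaScriptCore's code: a construct path that takes a host function's return value on trust, beside one that checks the value is an object before using it as one. Value, Heap, HostConstructor, ConstructResult and the two sample constructors are this example's own, and the low-bit tagging stands in for JSC's real JSValue encoding.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Added illustrative model, not JavaScriptCore code. It mirrors the hazard the
// entry above guards against: a host (native) constructor returns a non-object
// value and the engine goes on to treat it as an object.
//
// Assumptions (hypothetical names): Value is a pointer-sized tagged word,
// HostConstructor is the native callback signature, ConstructResult is how this
// model reports a failed construct.

struct Object {
    std::string className;
};

struct Value {
    uint64_t bits = 0;       // pointer-sized word; the low 3 bits carry the tag
    static constexpr uint64_t kTagMask = 7;
    static constexpr uint64_t kIntTag = 1;

    // Objects are 8-byte aligned, so a cell pointer has tag bits 000.
    static Value fromObject(Object* o) {
        return { static_cast<uint64_t>(reinterpret_cast<uintptr_t>(o)) };
    }
    static Value fromInt(uint32_t n) { return { (uint64_t(n) << 3) | kIntTag }; }
    bool isObject() const { return bits != 0 && (bits & kTagMask) == 0; }
    // What an unchecked consumer does: reinterpret the word as a cell pointer.
    Object* asObjectUnchecked() const {
        return reinterpret_cast<Object*>(static_cast<uintptr_t>(bits));
    }
};

using Heap = std::vector<std::unique_ptr<Object>>;
using HostConstructor = Value (*)(Heap&);

struct ConstructResult {
    Object* object = nullptr;   // set on success
    std::string error;          // set when the host function misbehaved
};

// Before: trusts the host function's return type.
Object* executeConstructUnchecked(HostConstructor ctor, Heap& heap) {
    return ctor(heap).asObjectUnchecked();
}

// After: checks the tag before handing the pointer to the rest of the engine.
ConstructResult executeConstructChecked(HostConstructor ctor, Heap& heap) {
    Value result = ctor(heap);
    if (!result.isObject())
        return { nullptr, "host constructor returned a non-object value" };
    return { result.asObjectUnchecked(), "" };
}

// A well-behaved host constructor: allocates and returns an object.
Value wellBehavedConstructor(Heap& heap) {
    heap.push_back(std::make_unique<Object>(Object{"Widget"}));
    return Value::fromObject(heap.back().get());
}

// A misbehaving host constructor, like the debug typed-array stubs the entry
// mentions: returns a number from a construct call.
Value bogusConstructor(Heap&) {
    return Value::fromInt(42);
}

// True when the hardened path rejects the bogus constructor while the unchecked
// path would have produced a wild "object" pointer (here the tagged word for 42,
// (42 << 3) | 1 = 337).
bool hardenedPathRejectsBogusReturn() {
    Heap heap;
    ConstructResult checked = executeConstructChecked(bogusConstructor, heap);
    Object* unchecked = executeConstructUnchecked(bogusConstructor, heap);
    return checked.object == nullptr && !checked.error.empty()
        && unchecked == reinterpret_cast<Object*>(uintptr_t(337));
}

// True when a correct constructor still works on the hardened path.
bool hardenedPathAcceptsRealObject() {
    Heap heap;
    ConstructResult checked = executeConstructChecked(wellBehavedConstructor, heap);
    return checked.object != nullptr && checked.object->className == "Widget";
}

int main() {
    std::printf("bogus return rejected: %s\n", hardenedPathRejectsBogusReturn() ? "yes" : "no");
    std::printf("real object accepted:  %s\n", hardenedPathAcceptsRealObject() ? "yes" : "no");
    return 0;
}
```

The unchecked path never dereferences the wild pointer here; an engine would, and a number payload read as a cell pointer is a type confusion that the next cast or structure lookup turns into a memory-safety bug. The check costs one tag comparison on a path that is already a call into native code, which is why it is cheap to keep even when no shipping class is known to need it.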
2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Fix C++11 build with gcc 4.4 and 4.5
        https://bugs.webkit.org/show_bug.cgi?id=119736

        Reviewed by Anders Carlsson.

        Don't force C++11 mode off anymore.

        * Target.pri:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Remove CodeBlock's notion of adding identifiers entirely
        https://bugs.webkit.org/show_bug.cgi?id=119708

        Reviewed by Geoffrey Garen.

        Remove addAdditionalIdentifier entirely, including the bogus assertion.
        Move the addition of identifiers to DFGPlan::reallyAdd

        * bytecode/CodeBlock.h:
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Build fix

        * runtime/JSCell.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
        https://bugs.webkit.org/show_bug.cgi?id=119705

        Reviewed by Geoffrey Garen.

        Relatively trivial refactoring

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        (JSC::CodeBlock::numberOfIdentifiers):
        * dfg/DFGCommonData.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Stop making unnecessary copy of CodeBlock Identifier Vector
        https://bugs.webkit.org/show_bug.cgi?id=119702

        Reviewed by Michael Saboff.

        Make CodeBlock simply use a separate Vector for additional Identifiers
        and use the UnlinkedCodeBlock for the initial set of identifiers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfIdentifiers):
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Restoring use of StackIterator instead of Interpreter::getStacktrace().
        https://bugs.webkit.org/show_bug.cgi?id=119575.

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.h:
        - Made getStackTrace() private.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::StackIterator):
        (JSC::StackIterator::numberOfFrames):
        - Computes the number of frames by iterating through the whole stack
          from the starting frame. The iterator will save its current frame
          position before counting the frames, and then restore it after
          the counting.
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        - Points the iterator to the starting frame.
        * interpreter/StackIteratorPrivate.h:

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Moved ErrorConstructor and NativeErrorConstructor helper functions into
        the Interpreter class.
        https://bugs.webkit.org/show_bug.cgi?id=119576.

        Reviewed by Oliver Hunt.

        This change is needed to prepare for making Interpreter::getStackTrace()
        private. It does not change the behavior of the code, only the lexical
        scoping.

        * interpreter/Interpreter.h:
        - Added helper functions for ErrorConstructor and NativeErrorConstructor.
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::ErrorConstructor::getConstructData):
        (JSC::Interpreter::callErrorConstructor):
        (JSC::ErrorConstructor::getCallData):
        - Don't want ErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getConstructData):
        (JSC::Interpreter::callNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getCallData):
        - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.

2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
        https://bugs.webkit.org/show_bug.cgi?id=119555

        Reviewed by Geoffrey Garen.

        It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
        This was causing crashes on maps.google.com in 32-bit debug builds.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-06  Michael Saboff  <msaboff@apple.com>

        REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=119405

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
        ourselves to save a register and then load from it.

2013-08-06  Filip Pizlo  <fpizlo@apple.com>

        DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
        https://bugs.webkit.org/show_bug.cgi?id=119528

        Reviewed by Geoffrey Garen.

        Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
        uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
        the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
        format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
        from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.

        This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * runtime/JSObject.h:
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):

2013-08-08  Stephanie Lewis  <slewis@apple.com>

        <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file

        Unreviewed.

        Ensure llint symbols are in source order.

        * JavaScriptCore.order:

2013-08-06  Mark Lam  <mark.lam@apple.com>

        Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
        https://bugs.webkit.org/show_bug.cgi?id=119532.

        Reviewed by Oliver Hunt.

        * parser/Parser.cpp:
        (JSC::::Parser):
        - Just need to initialize the Parser's JSTokenLocation's initial line and
          startOffset as well during Parser construction.

2013-08-06  Stephanie Lewis  <slewis@apple.com>

        Update Order Files for Safari
        <rdar://problem/14517392>

        Unreviewed.

        * JavaScriptCore.order:

2013-08-04  Sam Weinig  <sam@webkit.org>

        Remove support for HTML5 MicroData
        https://bugs.webkit.org/show_bug.cgi?id=119480

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-08-05  Oliver Hunt  <oliver@apple.com>

        Delay Arguments creation in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=119505

        Reviewed by Geoffrey Garen.

        Make use of the write tracking performed by the parser to
        allow us to know if we're modifying the parameters to a function.
747         Then use that information to make strict mode functions opt out
748         of eager arguments creation.
749
750         * bytecompiler/BytecodeGenerator.cpp:
751         (JSC::BytecodeGenerator::BytecodeGenerator):
752         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
753         (JSC::BytecodeGenerator::emitReturn):
754         * bytecompiler/BytecodeGenerator.h:
755         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
756         * parser/Nodes.h:
757         (JSC::ScopeNode::modifiesParameter):
758         * parser/Parser.cpp:
759         (JSC::::parseInner):
760         * parser/Parser.h:
761         (JSC::Scope::declareParameter):
762         (JSC::Scope::getCapturedVariables):
763         (JSC::Parser::declareWrite):
764         * parser/ParserModes.h:
765
766 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
767
768         Remove useless code from COMPILER(RVCT) JITStubs
769         https://bugs.webkit.org/show_bug.cgi?id=119521
770
771         Reviewed by Geoffrey Garen.
772
773         * jit/JITStubsARMv7.h:
774         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
775         (JSC::ctiOpThrowNotCaught): Ditto.
776
777 2013-07-23  David Farler  <dfarler@apple.com>
778
779         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
780         https://bugs.webkit.org/show_bug.cgi?id=117762
781
782         Reviewed by Mark Rowe.
783
784         * Configurations/DebugRelease.xcconfig:
785         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
786         * Configurations/JavaScriptCore.xcconfig:
787         Add ASAN_OTHER_LDFLAGS.
788         * Configurations/ToolExecutable.xcconfig:
789         Don't use ASAN for build tools.
790
791 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
792
793         Build fix for ARM MSVC after r153222 and r153648.
794
795         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
796
797 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
798
799         Build fix for ARM MSVC after r150109.
800
801         Read the stub template from a header file instead of JITStubs.cpp.
802
803         * CMakeLists.txt:
804         * DerivedSources.pri:
805         * create_jit_stubs:
806
807 2013-08-05  Oliver Hunt  <oliver@apple.com>
808
809         Move TypedArray implementation into JSC
810         https://bugs.webkit.org/show_bug.cgi?id=119489
811
812         Reviewed by Filip Pizlo.
813
814         Move TypedArray implementation into JSC in advance of re-implementation
815
816         * GNUmakefile.list.am:
817         * JSCTypedArrayStubs.h:
818         * JavaScriptCore.xcodeproj/project.pbxproj:
819         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
820         (JSC::ArrayBuffer::transfer):
821         (JSC::ArrayBuffer::addView):
822         (JSC::ArrayBuffer::removeView):
823         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
824         (JSC::ArrayBufferContents::ArrayBufferContents):
825         (JSC::ArrayBufferContents::data):
826         (JSC::ArrayBufferContents::sizeInBytes):
827         (JSC::ArrayBufferContents::transfer):
828         (JSC::ArrayBufferContents::copyTo):
829         (JSC::ArrayBuffer::isNeutered):
830         (JSC::ArrayBuffer::~ArrayBuffer):
831         (JSC::ArrayBuffer::clampValue):
832         (JSC::ArrayBuffer::create):
833         (JSC::ArrayBuffer::createUninitialized):
834         (JSC::ArrayBuffer::ArrayBuffer):
835         (JSC::ArrayBuffer::data):
836         (JSC::ArrayBuffer::byteLength):
837         (JSC::ArrayBuffer::slice):
838         (JSC::ArrayBuffer::sliceImpl):
839         (JSC::ArrayBuffer::clampIndex):
840         (JSC::ArrayBufferContents::tryAllocate):
841         (JSC::ArrayBufferContents::~ArrayBufferContents):
842         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
843         (JSC::ArrayBufferView::ArrayBufferView):
844         (JSC::ArrayBufferView::~ArrayBufferView):
845         (JSC::ArrayBufferView::neuter):
846         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
847         (JSC::ArrayBufferView::buffer):
848         (JSC::ArrayBufferView::baseAddress):
849         (JSC::ArrayBufferView::byteOffset):
850         (JSC::ArrayBufferView::setNeuterable):
851         (JSC::ArrayBufferView::isNeuterable):
852         (JSC::ArrayBufferView::verifySubRange):
853         (JSC::ArrayBufferView::clampOffsetAndNumElements):
854         (JSC::ArrayBufferView::setImpl):
855         (JSC::ArrayBufferView::setRangeImpl):
856         (JSC::ArrayBufferView::zeroRangeImpl):
857         (JSC::ArrayBufferView::calculateOffsetAndLength):
858         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
859         (JSC::Float32Array::set):
860         (JSC::Float32Array::getType):
861         (JSC::Float32Array::create):
862         (JSC::Float32Array::createUninitialized):
863         (JSC::Float32Array::Float32Array):
864         (JSC::Float32Array::subarray):
865         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
866         (JSC::Float64Array::set):
867         (JSC::Float64Array::getType):
868         (JSC::Float64Array::create):
869         (JSC::Float64Array::createUninitialized):
870         (JSC::Float64Array::Float64Array):
871         (JSC::Float64Array::subarray):
872         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
873         (JSC::Int16Array::getType):
874         (JSC::Int16Array::create):
875         (JSC::Int16Array::createUninitialized):
876         (JSC::Int16Array::Int16Array):
877         (JSC::Int16Array::subarray):
878         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
879         (JSC::Int32Array::getType):
880         (JSC::Int32Array::create):
881         (JSC::Int32Array::createUninitialized):
882         (JSC::Int32Array::Int32Array):
883         (JSC::Int32Array::subarray):
884         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
885         (JSC::Int8Array::getType):
886         (JSC::Int8Array::create):
887         (JSC::Int8Array::createUninitialized):
888         (JSC::Int8Array::Int8Array):
889         (JSC::Int8Array::subarray):
890         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
891         (JSC::IntegralTypedArrayBase::set):
892         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
893         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
894         (JSC::TypedArrayBase::data):
895         (JSC::TypedArrayBase::set):
896         (JSC::TypedArrayBase::setRange):
897         (JSC::TypedArrayBase::zeroRange):
898         (JSC::TypedArrayBase::length):
899         (JSC::TypedArrayBase::byteLength):
900         (JSC::TypedArrayBase::item):
901         (JSC::TypedArrayBase::checkInboundData):
902         (JSC::TypedArrayBase::TypedArrayBase):
903         (JSC::TypedArrayBase::create):
904         (JSC::TypedArrayBase::createUninitialized):
905         (JSC::TypedArrayBase::subarrayImpl):
906         (JSC::TypedArrayBase::neuter):
907         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
908         (JSC::Uint16Array::getType):
909         (JSC::Uint16Array::create):
910         (JSC::Uint16Array::createUninitialized):
911         (JSC::Uint16Array::Uint16Array):
912         (JSC::Uint16Array::subarray):
913         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
914         (JSC::Uint32Array::getType):
915         (JSC::Uint32Array::create):
916         (JSC::Uint32Array::createUninitialized):
917         (JSC::Uint32Array::Uint32Array):
918         (JSC::Uint32Array::subarray):
919         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
920         (JSC::Uint8Array::getType):
921         (JSC::Uint8Array::create):
922         (JSC::Uint8Array::createUninitialized):
923         (JSC::Uint8Array::Uint8Array):
924         (JSC::Uint8Array::subarray):
925         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
926         (JSC::Uint8ClampedArray::getType):
927         (JSC::Uint8ClampedArray::create):
928         (JSC::Uint8ClampedArray::createUninitialized):
929         (JSC::Uint8ClampedArray::zeroFill):
930         (JSC::Uint8ClampedArray::set):
931         (JSC::Uint8ClampedArray::Uint8ClampedArray):
932         (JSC::Uint8ClampedArray::subarray):
933         * runtime/VM.h:
934
935 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
936
937         Copied space should be able to handle more than one copied backing store per JSCell
938         https://bugs.webkit.org/show_bug.cgi?id=119471
939
940         Reviewed by Mark Hahnenberg.
941         
942         This allows a cell to call copyLater() multiple times for multiple different
943         backing stores, and then have copyBackingStore() called exactly once for each
944         of those. A token tells it which backing store to copy. All backing stores
945         must be named using the CopyToken, an enumeration which currently cannot
946         exceed eight entries.
947         
948         When copyBackingStore() is called, it's up to the callee to (a) use the token
949         to decide what to copy and (b) call its base class's copyBackingStore() in
950         case the base class had something that needed copying. The only exception is
951         that JSCell never asks anything to be copied, and so if your base is JSCell
952         then you don't have to do anything.
953
954         * GNUmakefile.list.am:
955         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
956         * JavaScriptCore.xcodeproj/project.pbxproj:
957         * heap/CopiedBlock.h:
958         * heap/CopiedBlockInlines.h:
959         (JSC::CopiedBlock::reportLiveBytes):
960         * heap/CopyToken.h: Added.
961         * heap/CopyVisitor.cpp:
962         (JSC::CopyVisitor::copyFromShared):
963         * heap/CopyVisitor.h:
964         * heap/CopyVisitorInlines.h:
965         (JSC::CopyVisitor::visitItem):
966         * heap/CopyWorkList.h:
967         (JSC::CopyWorklistItem::CopyWorklistItem):
968         (JSC::CopyWorklistItem::cell):
969         (JSC::CopyWorklistItem::token):
970         (JSC::CopyWorkListSegment::get):
971         (JSC::CopyWorkListSegment::append):
972         (JSC::CopyWorkListSegment::data):
973         (JSC::CopyWorkListIterator::get):
974         (JSC::CopyWorkListIterator::operator*):
975         (JSC::CopyWorkListIterator::operator->):
976         (JSC::CopyWorkList::append):
977         * heap/SlotVisitor.h:
978         * heap/SlotVisitorInlines.h:
979         (JSC::SlotVisitor::copyLater):
980         * runtime/ClassInfo.h:
981         * runtime/JSCell.cpp:
982         (JSC::JSCell::copyBackingStore):
983         * runtime/JSCell.h:
984         * runtime/JSObject.cpp:
985         (JSC::JSObject::visitButterfly):
986         (JSC::JSObject::copyBackingStore):
987         * runtime/JSObject.h:
988
989 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
990
991         [Automake] Define ENABLE_JIT through the Autoconf header
992         https://bugs.webkit.org/show_bug.cgi?id=119445
993
994         Reviewed by Martin Robinson.
995
996         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
997
998 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
999
1000         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1001         https://bugs.webkit.org/show_bug.cgi?id=119470
1002
1003         Reviewed by Oliver Hunt.
1004         
1005         Structure can still tell you if the object "could" (in the conservative sense)
1006         have an indexing header; that's used by the compiler.
1007         
1008         Most of the time if you want to know if there's an indexing header, you ask the
1009         JSObject.
1010         
1011         In some cases, the JSObject wants to know if it would have an indexing header if
1012         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1013
1014         * dfg/DFGRepatch.cpp:
1015         (JSC::DFG::tryCachePutByID):
1016         (JSC::DFG::tryBuildPutByIdList):
1017         * dfg/DFGSpeculativeJIT.cpp:
1018         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1019         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1020         * runtime/ButterflyInlines.h:
1021         (JSC::Butterfly::create):
1022         (JSC::Butterfly::growPropertyStorage):
1023         (JSC::Butterfly::growArrayRight):
1024         (JSC::Butterfly::resizeArray):
1025         * runtime/JSObject.cpp:
1026         (JSC::JSObject::copyButterfly):
1027         (JSC::JSObject::visitButterfly):
1028         * runtime/JSObject.h:
1029         (JSC::JSObject::hasIndexingHeader):
1030         (JSC::JSObject::setButterfly):
1031         * runtime/Structure.h:
1032         (JSC::Structure::couldHaveIndexingHeader):
1033         (JSC::Structure::hasIndexingHeader):
1034
1035 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1036
1037         Give the error object's stack property accessor attributes.
1038         https://bugs.webkit.org/show_bug.cgi?id=119404
1039
1040         Reviewed by Geoffrey Garen.
1041         
1042         Changed the attributes of error object's stack property to allow developers to write
1043         and delete the stack property. This will match the functionality of Chrome. Firefox
1044         allows developers to write the error's stack, but not delete it.
1045
1046         * interpreter/Interpreter.cpp:
1047         (JSC::Interpreter::addStackTraceIfNecessary):
1048         * runtime/ErrorInstance.cpp:
1049         (JSC::ErrorInstance::finishCreation):
1050
1051 2013-08-02  Oliver Hunt  <oliver@apple.com>
1052
1053         Incorrect type speculation reported by ToPrimitive
1054         https://bugs.webkit.org/show_bug.cgi?id=119458
1055
1056         Reviewed by Mark Hahnenberg.
1057
1058         Make sure that we report the correct type possibilities for the output
1059         from ToPrimitive
1060
1061         * dfg/DFGAbstractInterpreterInlines.h:
1062         (JSC::DFG::::executeEffects):
1063
1064 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1065
1066         Remove no-arguments constructor to PropertySlot
1067         https://bugs.webkit.org/show_bug.cgi?id=119460
1068
1069         Reviewed by Geoff Garen.
1070
1071         This constructor was unsafe if getValue is subsequently called,
1072         and the property is a getter. Simplest to just remove it.
1073
1074         * runtime/Arguments.cpp:
1075         (JSC::Arguments::defineOwnProperty):
1076         * runtime/JSActivation.cpp:
1077         (JSC::JSActivation::getOwnPropertyDescriptor):
1078         * runtime/JSFunction.cpp:
1079         (JSC::JSFunction::getOwnPropertyDescriptor):
1080         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1081         (JSC::JSFunction::put):
1082         (JSC::JSFunction::defineOwnProperty):
1083         * runtime/JSGlobalObject.cpp:
1084         (JSC::JSGlobalObject::defineOwnProperty):
1085         * runtime/JSGlobalObject.h:
1086         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1087         * runtime/JSNameScope.cpp:
1088         (JSC::JSNameScope::put):
1089         * runtime/JSONObject.cpp:
1090         (JSC::Stringifier::Holder::appendNextProperty):
1091         (JSC::Walker::walk):
1092         * runtime/JSObject.cpp:
1093         (JSC::JSObject::hasProperty):
1094         (JSC::JSObject::hasOwnProperty):
1095         (JSC::JSObject::reifyStaticFunctionsForDelete):
1096         * runtime/Lookup.h:
1097         (JSC::getStaticPropertyDescriptor):
1098         (JSC::getStaticFunctionDescriptor):
1099         (JSC::getStaticValueDescriptor):
1100         * runtime/ObjectConstructor.cpp:
1101         (JSC::defineProperties):
1102         * runtime/PropertySlot.h:
1103
1104 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1105
1106         DFG validation can cause assertion failures due to dumping
1107         https://bugs.webkit.org/show_bug.cgi?id=119456
1108
1109         Reviewed by Geoffrey Garen.
1110
1111         * bytecode/CodeBlock.cpp:
1112         (JSC::CodeBlock::hasHash):
1113         (JSC::CodeBlock::isSafeToComputeHash):
1114         (JSC::CodeBlock::hash):
1115         (JSC::CodeBlock::dumpAssumingJITType):
1116         * bytecode/CodeBlock.h:
1117
1118 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1119
1120         Have vm's exceptionStack match Java VM's exceptionStack.
1121         https://bugs.webkit.org/show_bug.cgi?id=119362
1122
1123         Reviewed by Geoffrey Garen.
1124         
1125         The error object's stack is only updated if it does not exist yet. This matches 
1126         the functionality of other browsers, and Java VMs. 
1127
1128         * interpreter/Interpreter.cpp:
1129         (JSC::Interpreter::addStackTraceIfNecessary):
1130         (JSC::Interpreter::throwException):
1131         * runtime/VM.cpp:
1132         (JSC::VM::clearExceptionStack):
1133         * runtime/VM.h:
1134         (JSC::VM::lastExceptionStack):
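
The two error.stack behaviours described in the entry above and in the "Give the error object's stack property accessor attributes" entry (bug 119404) can be checked from script. The block below is an added example, not JavaScriptCore code or a test from the project: it constructs sample errors and verifies that the stack property can be overwritten, can be deleted, and is not rebuilt when an error that already carries a stack is thrown. The error messages and stack strings are constructed values.

```javascript
// Added example (not JavaScriptCore code). Exercises the script-visible
// behaviour of error.stack: writable, deletable, and preserved across a throw
// when it already exists. All inputs below are constructed for the example.

function stackIsWritable() {
  const err = new Error("constructed sample error");
  err.stack = "custom stack"; // developers may overwrite the stack
  return err.stack === "custom stack";
}

function stackIsDeletable() {
  const err = new Error("constructed sample error");
  delete err.stack; // the property is configurable, so delete succeeds
  return !Object.prototype.hasOwnProperty.call(err, "stack");
}

function stackSurvivesRethrow() {
  const err = new Error("constructed sample error");
  err.stack = "preset before throw";
  try {
    throw err;
  } catch (caught) {
    // The stack is only filled in when absent; throwing does not rebuild it.
    return caught.stack === "preset before throw";
  }
}

// Stand-alone run: summarise the three checks.
function summarizeStackBehaviour() {
  return {
    writable: stackIsWritable(),
    deletable: stackIsDeletable(),
    preservedOnThrow: stackSurvivesRethrow(),
  };
}

console.log(summarizeStackBehaviour());
```

Each function returns a boolean rather than printing, so the checks can be reused in a test harness; the last call just shows the combined result when run directly.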
1135
1136 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1137
1138         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
1139         https://bugs.webkit.org/show_bug.cgi?id=119447
1140
1141         Reviewed by Geoffrey Garen.
1142
1143         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
1144         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
1145         r153583 (sh4) and r153648 (ARM).
1146
1147         * jit/JITStubsMIPS.h:
1148
1149 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
1150
1151         hasIndexingHeader should be a property of the Structure, not just the IndexingType
1152         https://bugs.webkit.org/show_bug.cgi?id=119422
1153
1154         Reviewed by Oliver Hunt.
1155         
1156         This simplifies some code and also allows Structure to claim that an object
1157         has an indexing header even if it doesn't have indexed properties.
1158         
1159         I also changed some calls to use hasIndexedProperties() since in some cases,
1160         that's what we actually meant. Currently the two are synonyms.
1161
1162         * dfg/DFGRepatch.cpp:
1163         (JSC::DFG::tryCachePutByID):
1164         (JSC::DFG::tryBuildPutByIdList):
1165         * dfg/DFGSpeculativeJIT.cpp:
1166         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1167         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1168         * runtime/ButterflyInlines.h:
1169         (JSC::Butterfly::create):
1170         (JSC::Butterfly::growPropertyStorage):
1171         (JSC::Butterfly::growArrayRight):
1172         (JSC::Butterfly::resizeArray):
1173         * runtime/IndexingType.h:
1174         * runtime/JSObject.cpp:
1175         (JSC::JSObject::copyButterfly):
1176         (JSC::JSObject::visitButterfly):
1177         (JSC::JSObject::setPrototype):
1178         * runtime/JSObject.h:
1179         (JSC::JSObject::setButterfly):
1180         * runtime/JSPropertyNameIterator.cpp:
1181         (JSC::JSPropertyNameIterator::create):
1182         * runtime/Structure.h:
1183         (JSC::Structure::hasIndexingHeader):
1184
1185 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1186
1187         REGRESSION: ARM still crashes after change set r153612.
1188         https://bugs.webkit.org/show_bug.cgi?id=119433
1189
1190         Reviewed by Michael Saboff.
1191
1192         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
1193         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
1194         for sh4 architecture.
1195
1196         * jit/JITStubsARM.h:
1197         * jit/JITStubsARMv7.h:
1198
1199 2013-08-02  Michael Saboff  <msaboff@apple.com>
1200
1201         REGRESSION(r153612): It made jsc and layout tests crash
1202         https://bugs.webkit.org/show_bug.cgi?id=119440
1203
1204         Reviewed by Csaba Osztrogonác.
1205
1206         Made the changes of changeset r153612 only apply to 32-bit builds.
1207
1208         * jit/JITExceptions.cpp:
1209         * jit/JITExceptions.h:
1210         * jit/JITStubs.cpp:
1211         (JSC::cti_vm_throw_slowpath):
1212         * jit/JITStubs.h:
1213
1214 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
1215
1216         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
1217
1218         * CMakeLists.txt:
1219
1220 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
1221
1222         [Forms: color] <input type='color'> popover color well implementation
1223         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
1224
1225         Reviewed by Benjamin Poulain.
1226
1227         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
1228
1229 2013-08-01  Oliver Hunt  <oliver@apple.com>
1230
1231         DFG is not enforcing correct ordering of ToString conversion in MakeRope
1232         https://bugs.webkit.org/show_bug.cgi?id=119408
1233
1234         Reviewed by Filip Pizlo.
1235
1236         Construct ToString and Phantom nodes in advance of MakeRope
1237         nodes to ensure that ordering is ensured, and correct values
1238         will be reified on OSR exit.
1239
1240         * dfg/DFGByteCodeParser.cpp:
1241         (JSC::DFG::ByteCodeParser::parseBlock):
1242
1243 2013-08-01  Michael Saboff  <msaboff@apple.com>
1244
1245         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
1246         https://bugs.webkit.org/show_bug.cgi?id=119140
1247
1248         Reviewed by Filip Pizlo.
1249
1250         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
1251
1252         * jit/JITExceptions.cpp:
1253         (JSC::encode):
1254         * jit/JITExceptions.h:
1255         * jit/JITStubs.cpp:
1256         (JSC::cti_vm_throw_slowpath):
1257         * jit/JITStubs.h:
1258
1259 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
1260
1261         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
1262         https://bugs.webkit.org/show_bug.cgi?id=119391
1263
1264         Reviewed by Csaba Osztrogonác.
1265
1266         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
1267             - Call frame is in r14 register.
1268             - Do not restore registers from JIT stack frame here.
1269
1270 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1271
1272         More cleanup in PropertySlot
1273         https://bugs.webkit.org/show_bug.cgi?id=119359
1274
1275         Reviewed by Geoff Garen.
1276
1277         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
1278         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
1279
1280         * dfg/DFGRepatch.cpp:
1281         (JSC::DFG::tryCacheGetByID):
1282         (JSC::DFG::tryBuildGetByIDList):
1283             - No need to ASSERT slotBase is an object.
1284         * jit/JITStubs.cpp:
1285         (JSC::tryCacheGetByID):
1286         (JSC::DEFINE_STUB_FUNCTION):
1287             - No need to ASSERT slotBase is an object.
1288         * runtime/JSObject.cpp:
1289         (JSC::JSObject::getOwnPropertySlotByIndex):
1290         (JSC::JSObject::fillGetterPropertySlot):
1291             - Pass an object through to setGetterSlot.
1292         * runtime/JSObject.h:
1293         (JSC::PropertySlot::getValue):
1294             - Moved from PropertySlot (need to know about JSObject).
1295         * runtime/PropertySlot.cpp:
1296         (JSC::PropertySlot::functionGetter):
1297             - Update per member name changes.
1298         * runtime/PropertySlot.h:
1299         (JSC::PropertySlot::PropertySlot):
1300             - Argument to constructor set to 'thisValue'.
1301         (JSC::PropertySlot::slotBase):
1302             - This returns a JSObject*.
1303         (JSC::PropertySlot::setValue):
1304         (JSC::PropertySlot::setCustom):
1305         (JSC::PropertySlot::setCacheableCustom):
1306         (JSC::PropertySlot::setCustomIndex):
1307         (JSC::PropertySlot::setGetterSlot):
1308         (JSC::PropertySlot::setCacheableGetterSlot):
1309             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
1310         * runtime/SparseArrayValueMap.cpp:
1311         (JSC::SparseArrayEntry::get):
1312             - Pass an object through to setGetterSlot.
1313         * runtime/SparseArrayValueMap.h:
1314             - Pass an object through to setGetterSlot.
1315
1316 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
1317
1318         Reduce JSC API static value setter/getter overhead.
1319         https://bugs.webkit.org/show_bug.cgi?id=119277
1320
1321         Reviewed by Geoffrey Garen.
1322
1323         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
1324         need to get called every time the static value is set or retrieved.
1325
1326         * API/JSCallbackObjectFunctions.h:
1327         (JSC::::put):
1328         (JSC::::putByIndex):
1329         (JSC::::getStaticValue):
1330         * API/JSClassRef.cpp:
1331         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1332         * API/JSClassRef.h:
1333         (StaticValueEntry::StaticValueEntry):
1334
1335 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
1336
1337         Use emptyString instead of String("")
1338         https://bugs.webkit.org/show_bug.cgi?id=119335
1339
1340         Reviewed by Darin Adler.
1341
1342         Use emptyString() instead of String("") because it is better style and
1343         faster. This is a followup to r116908, removing all occurrences of
1344         String("") from WebKit.
1345
1346         * runtime/RegExpConstructor.cpp:
1347         (JSC::constructRegExp):
1348         * runtime/RegExpPrototype.cpp:
1349         (JSC::regExpProtoFuncCompile):
1350         * runtime/StringPrototype.cpp:
1351         (JSC::stringProtoFuncMatch):
1352         (JSC::stringProtoFuncSearch):
1353
1354 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
1355
1356         <input type=color> Mac UI behaviour
1357         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
1358
1359         Reviewed by Brady Eidson.
1360
1361         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
1362
1363 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
1364
1365         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
1366         https://bugs.webkit.org/show_bug.cgi?id=119349
1367
1368         Reviewed by Geoffrey Garen.
1369
1370         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
1371         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
1372         on code it compiled with any switch statements to have been run in the baseline JIT first. 
1373         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
1374         JIT then this resizing never happens and we crash at link time in the DFG.
1375
1376         We can fix this by also doing the resize in the DFG to catch this case.
1377
1378         * dfg/DFGJITCompiler.cpp:
1379         (JSC::DFG::JITCompiler::link):
1380
1381 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1382
1383         Speculative Windows build fix.
1384
1385         Reviewed by NOBODY
1386
1387         * runtime/JSString.cpp:
1388         (JSC::JSRopeString::getIndexSlowCase):
1389         * runtime/JSString.h:
1390
1391 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
1392
1393         Some cleanup in JSValue::get
1394         https://bugs.webkit.org/show_bug.cgi?id=119343
1395
1396         Reviewed by Geoff Garen.
1397
1398         JSValue::get is implemented to:
1399             1) Check if the value is a cell – if not, synthesize a prototype to search,
1400             2) call getOwnPropertySlot on the cell,
1401             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
1402         By all rights this should crash when passed a string and accessing a property that does not exist, because
1403         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
1404         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
1405         prototype chain, and faking out a return value of undefined if no property is found.
1406
1407         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
1408         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
1409
1410         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
1411         slots anyway.
1412
1413         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
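
The three-step lookup the entry above describes can be modelled in script. The block below is an added example, not JavaScriptCore code: `modelGet` and `startOfSearch` are names chosen here, and the objects passed to them are constructed sample inputs. For a primitive, `Object(value)` stands in for the synthesized prototype search (for a string it also supplies the own "length" and index properties that the engine's string cell answers for itself); the loop then performs the own-property check and the prototype-chain walk, returning undefined when the chain is exhausted, which is the case the old JSString::getOwnPropertySlot had to fake.

```javascript
// Added example (not JavaScriptCore code): a script-level model of the
// JSValue::get lookup described above.
//   1) a non-object value gets a synthesized search start (its wrapper, whose
//      prototype is String.prototype, Number.prototype, ...),
//   2) the own properties of the current object are checked,
//   3) on a miss, the search continues up the prototype chain.

function startOfSearch(value) {
  if (value === null || value === undefined) {
    // Nothing to synthesize for these; a real property read throws too.
    throw new TypeError(`Cannot read properties of ${String(value)}`);
  }
  // Object(obj) returns obj unchanged; Object(primitive) builds the wrapper
  // whose prototype chain the engine would search.
  return Object(value);
}

function modelGet(value, key) {
  let current = startOfSearch(value);
  while (current !== null) {
    const desc = Object.getOwnPropertyDescriptor(current, key);
    if (desc !== undefined) {
      if ("value" in desc) return desc.value;
      // Accessor found on the chain: invoke it with the original receiver.
      return desc.get === undefined ? undefined : desc.get.call(value);
    }
    current = Object.getPrototypeOf(current);
  }
  // Chain exhausted: the property does not exist.
  return undefined;
}

// Constructed sample inputs for a stand-alone run.
const sampleOwner = { name: "sample", get who() { return this.name; } };
const sampleChild = Object.create({ inherited: 7 });

console.log(modelGet("abc", "length"));        // own property of the string wrapper
console.log(modelGet("abc", "missing"));       // undefined: chain exhausted
console.log(modelGet(sampleOwner, "who"));     // getter invoked with receiver
console.log(modelGet(sampleChild, "inherited")); // found on the prototype
```

The model agrees with the engine's observable results for strings, numbers, plain objects, inherited properties and getters; it does not model proxies or the JSC-internal caching that the real getOwnPropertySlot feeds.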
1414
1415 2013-07-31  Michael Saboff  <msaboff@apple.com>
1416
1417         [Win] JavaScript crash.
1418         https://bugs.webkit.org/show_bug.cgi?id=119339
1419
1420         Reviewed by Mark Hahnenberg.
1421
1422         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
1423         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
1424
1425 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1426
1427         GetByVal on Arguments does the wrong size load when checking the Arguments object length
1428         https://bugs.webkit.org/show_bug.cgi?id=119281
1429
1430         Reviewed by Geoffrey Garen.
1431
1432         This leads to out of bounds accesses and subsequent crashes.
1433
1434         * dfg/DFGSpeculativeJIT.cpp:
1435         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1436         * dfg/DFGSpeculativeJIT64.cpp:
1437         (JSC::DFG::SpeculativeJIT::compile):
1438
1439 2013-07-30  Oliver Hunt  <oliver@apple.com>
1440
1441         Add an assertion to SpeculateCellOperand
1442         https://bugs.webkit.org/show_bug.cgi?id=119276
1443
1444         Reviewed by Michael Saboff.
1445
1446         More assertions are better
1447
1448         * dfg/DFGSpeculativeJIT64.cpp:
1449         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1450         (JSC::DFG::SpeculativeJIT::compile):
1451
1452 2013-07-30  Mark Lam  <mark.lam@apple.com>
1453
1454         Fix problems with divot and lineStart mismatches.
1455         https://bugs.webkit.org/show_bug.cgi?id=118662.
1456
1457         Reviewed by Oliver Hunt.
1458
1459         r152494 added the recording of lineStart values for divot positions.
1460         This is needed for the computation of column numbers. Similarly, it also
1461         added the recording of line numbers for the divot positions. One problem
1462         with the approach taken was that the line and lineStart values were
1463         recorded independently, and hence were not always guaranteed to be
1464         sampled at the same place that the divot position is recorded. This
1465         resulted in potential mismatches that cause some assertions to fail.
1466
1467         The solution is to introduce a JSTextPosition abstraction that records
1468         the divot position, line, and lineStart as a single quantity. Wherever
1469         we record the divot position as an unsigned int previously, we now record
1470         its JSTextPosition which captures all 3 values in one go. This ensures
1471         that the captured line and lineStart will always match the captured divot
1472         position.
1473
1474         * bytecompiler/BytecodeGenerator.cpp:
1475         (JSC::BytecodeGenerator::emitCall):
1476         (JSC::BytecodeGenerator::emitCallEval):
1477         (JSC::BytecodeGenerator::emitCallVarargs):
1478         (JSC::BytecodeGenerator::emitConstruct):
1479         (JSC::BytecodeGenerator::emitDebugHook):
1480         - Use JSTextPosition instead of passing line and lineStart explicitly.
1481         * bytecompiler/BytecodeGenerator.h:
1482         (JSC::BytecodeGenerator::emitExpressionInfo):
1483         - Use JSTextPosition instead of passing line and lineStart explicitly.
1484         * bytecompiler/NodesCodegen.cpp:
1485         (JSC::ThrowableExpressionData::emitThrowReferenceError):
1486         (JSC::ResolveNode::emitBytecode):
1487         (JSC::BracketAccessorNode::emitBytecode):
1488         (JSC::DotAccessorNode::emitBytecode):
1489         (JSC::NewExprNode::emitBytecode):
1490         (JSC::EvalFunctionCallNode::emitBytecode):
1491         (JSC::FunctionCallValueNode::emitBytecode):
1492         (JSC::FunctionCallResolveNode::emitBytecode):
1493         (JSC::FunctionCallBracketNode::emitBytecode):
1494         (JSC::FunctionCallDotNode::emitBytecode):
1495         (JSC::CallFunctionCallDotNode::emitBytecode):
1496         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1497         (JSC::PostfixNode::emitResolve):
1498         (JSC::PostfixNode::emitBracket):
1499         (JSC::PostfixNode::emitDot):
1500         (JSC::DeleteResolveNode::emitBytecode):
1501         (JSC::DeleteBracketNode::emitBytecode):
1502         (JSC::DeleteDotNode::emitBytecode):
1503         (JSC::PrefixNode::emitResolve):
1504         (JSC::PrefixNode::emitBracket):
1505         (JSC::PrefixNode::emitDot):
1506         (JSC::UnaryOpNode::emitBytecode):
1507         (JSC::BinaryOpNode::emitStrcat):
1508         (JSC::BinaryOpNode::emitBytecode):
1509         (JSC::ThrowableBinaryOpNode::emitBytecode):
1510         (JSC::InstanceOfNode::emitBytecode):
1511         (JSC::emitReadModifyAssignment):
1512         (JSC::ReadModifyResolveNode::emitBytecode):
1513         (JSC::AssignResolveNode::emitBytecode):
1514         (JSC::AssignDotNode::emitBytecode):
1515         (JSC::ReadModifyDotNode::emitBytecode):
1516         (JSC::AssignBracketNode::emitBytecode):
1517         (JSC::ReadModifyBracketNode::emitBytecode):
1518         (JSC::ForInNode::emitBytecode):
1519         (JSC::WithNode::emitBytecode):
1520         (JSC::ThrowNode::emitBytecode):
1521         - Use JSTextPosition instead of passing line and lineStart explicitly.
1522         * parser/ASTBuilder.h:
1523         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
1524         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
1525         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
1526         (JSC::ASTBuilder::createResolve):
1527         (JSC::ASTBuilder::createBracketAccess):
1528         (JSC::ASTBuilder::createDotAccess):
1529         (JSC::ASTBuilder::createRegExp):
1530         (JSC::ASTBuilder::createNewExpr):
1531         (JSC::ASTBuilder::createAssignResolve):
1532         (JSC::ASTBuilder::createExprStatement):
1533         (JSC::ASTBuilder::createForInLoop):
1534         (JSC::ASTBuilder::createReturnStatement):
1535         (JSC::ASTBuilder::createBreakStatement):
1536         (JSC::ASTBuilder::createContinueStatement):
1537         (JSC::ASTBuilder::createLabelStatement):
1538         (JSC::ASTBuilder::createWithStatement):
1539         (JSC::ASTBuilder::createThrowStatement):
1540         (JSC::ASTBuilder::appendBinaryExpressionInfo):
1541         (JSC::ASTBuilder::appendUnaryToken):
1542         (JSC::ASTBuilder::unaryTokenStackLastStart):
1543         (JSC::ASTBuilder::assignmentStackAppend):
1544         (JSC::ASTBuilder::createAssignment):
1545         (JSC::ASTBuilder::setExceptionLocation):
1546         (JSC::ASTBuilder::makeDeleteNode):
1547         (JSC::ASTBuilder::makeFunctionCallNode):
1548         (JSC::ASTBuilder::makeBinaryNode):
1549         (JSC::ASTBuilder::makeAssignNode):
1550         (JSC::ASTBuilder::makePrefixNode):
1551         (JSC::ASTBuilder::makePostfixNode):
1552         - Use JSTextPosition instead of passing line and lineStart explicitly.
1553         * parser/Lexer.cpp:
1554         (JSC::::lex):
1555         - Added support for capturing the appropriate JSTextPositions instead
1556           of just the character offset.
1557         * parser/Lexer.h:
1558         (JSC::Lexer::currentPosition):
1559         (JSC::::lexExpectIdentifier):
1560         - Added support for capturing the appropriate JSTextPositions instead
1561           of just the character offset.
1562         * parser/NodeConstructors.h:
1563         (JSC::Node::Node):
1564         (JSC::ResolveNode::ResolveNode):
1565         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
1566         (JSC::FunctionCallValueNode::FunctionCallValueNode):
1567         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
1568         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
1569         (JSC::FunctionCallDotNode::FunctionCallDotNode):
1570         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
1571         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
1572         (JSC::PostfixNode::PostfixNode):
1573         (JSC::DeleteResolveNode::DeleteResolveNode):
1574         (JSC::DeleteBracketNode::DeleteBracketNode):
1575         (JSC::DeleteDotNode::DeleteDotNode):
1576         (JSC::PrefixNode::PrefixNode):
1577         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1578         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
1579         (JSC::AssignBracketNode::AssignBracketNode):
1580         (JSC::AssignDotNode::AssignDotNode):
1581         (JSC::ReadModifyDotNode::ReadModifyDotNode):
1582         (JSC::AssignErrorNode::AssignErrorNode):
1583         (JSC::WithNode::WithNode):
1584         (JSC::ForInNode::ForInNode):
1585         - Use JSTextPosition instead of passing line and lineStart explicitly.
1586         * parser/Nodes.cpp:
1587         (JSC::StatementNode::setLoc):
1588         - Use JSTextPosition instead of passing line and lineStart explicitly.
1589         * parser/Nodes.h:
1590         (JSC::Node::lineNo):
1591         (JSC::Node::startOffset):
1592         (JSC::Node::lineStartOffset):
1593         (JSC::Node::position):
1594         (JSC::ThrowableExpressionData::ThrowableExpressionData):
1595         (JSC::ThrowableExpressionData::setExceptionSourceCode):
1596         (JSC::ThrowableExpressionData::divot):
1597         (JSC::ThrowableExpressionData::divotStart):
1598         (JSC::ThrowableExpressionData::divotEnd):
1599         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
1600         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
1601         (JSC::ThrowableSubExpressionData::subexpressionDivot):
1602         (JSC::ThrowableSubExpressionData::subexpressionStart):
1603         (JSC::ThrowableSubExpressionData::subexpressionEnd):
1604         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
1605         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
1606         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
1607         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
1608         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
1609         - Use JSTextPosition instead of passing line and lineStart explicitly.
1610         * parser/Parser.cpp:
1611         (JSC::::Parser):
1612         (JSC::::parseInner):
1613         - Use JSTextPosition instead of passing line and lineStart explicitly.
1614         (JSC::::didFinishParsing):
1615         - Remove setting of m_lastLine value. We always pass in the value from
1616           m_lastLine anyway. So, this assignment is effectively a nop.
1617         (JSC::::parseVarDeclaration):
1618         (JSC::::parseVarDeclarationList):
1619         (JSC::::parseForStatement):
1620         (JSC::::parseBreakStatement):
1621         (JSC::::parseContinueStatement):
1622         (JSC::::parseReturnStatement):
1623         (JSC::::parseThrowStatement):
1624         (JSC::::parseWithStatement):
1625         (JSC::::parseTryStatement):
1626         (JSC::::parseBlockStatement):
1627         (JSC::::parseFunctionDeclaration):
1628         (JSC::LabelInfo::LabelInfo):
1629         (JSC::::parseExpressionOrLabelStatement):
1630         (JSC::::parseExpressionStatement):
1631         (JSC::::parseAssignmentExpression):
1632         (JSC::::parseBinaryExpression):
1633         (JSC::::parseProperty):
1634         (JSC::::parsePrimaryExpression):
1635         (JSC::::parseMemberExpression):
1636         (JSC::::parseUnaryExpression):
1637         - Use JSTextPosition instead of passing line and lineStart explicitly.
1638         * parser/Parser.h:
1639         (JSC::Parser::next):
1640         (JSC::Parser::nextExpectIdentifier):
1641         (JSC::Parser::getToken):
1642         (JSC::Parser::tokenStartPosition):
1643         (JSC::Parser::tokenEndPosition):
1644         (JSC::Parser::lastTokenEndPosition):
1645         (JSC::::parse):
1646         - Use JSTextPosition instead of passing line and lineStart explicitly.
1647         * parser/ParserTokens.h:
1648         (JSC::JSTextPosition::JSTextPosition):
1649         (JSC::JSTextPosition::operator+):
1650         (JSC::JSTextPosition::operator-):
1651         (JSC::JSTextPosition::operator int):
1652         - Added JSTextPosition.
1653         * parser/SyntaxChecker.h:
1654         (JSC::SyntaxChecker::makeFunctionCallNode):
1655         (JSC::SyntaxChecker::makeAssignNode):
1656         (JSC::SyntaxChecker::makePrefixNode):
1657         (JSC::SyntaxChecker::makePostfixNode):
1658         (JSC::SyntaxChecker::makeDeleteNode):
1659         (JSC::SyntaxChecker::createResolve):
1660         (JSC::SyntaxChecker::createBracketAccess):
1661         (JSC::SyntaxChecker::createDotAccess):
1662         (JSC::SyntaxChecker::createRegExp):
1663         (JSC::SyntaxChecker::createNewExpr):
1664         (JSC::SyntaxChecker::createAssignResolve):
1665         (JSC::SyntaxChecker::createForInLoop):
1666         (JSC::SyntaxChecker::createReturnStatement):
1667         (JSC::SyntaxChecker::createBreakStatement):
1668         (JSC::SyntaxChecker::createContinueStatement):
1669         (JSC::SyntaxChecker::createWithStatement):
1670         (JSC::SyntaxChecker::createLabelStatement):
1671         (JSC::SyntaxChecker::createThrowStatement):
1672         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1673         (JSC::SyntaxChecker::operatorStackPop):
1674         - Use JSTextPosition instead of passing line and lineStart explicitly.
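
        The entry above describes why line and lineStart must be captured together with the divot
        offset. The following is an added illustration, not JavaScriptCore code: a toy
        TextPosition record (its name, fields and the scanner around it are assumptions for this
        example) and a scan over a constructed two-line source that contrasts a column derived from
        one combined record with a column derived from an offset and a lineStart sampled at
        different points, which is the mismatch the log describes.

```cpp
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

// Simplified model of a JSTextPosition-style record (names and layout are
// assumptions for this example, not JavaScriptCore's own definitions): the
// character offset, the line number and the offset of that line's first
// character are captured together, so a column derived from them can never
// mix values sampled at different points in the scan.
struct TextPosition {
    int line;       // 1-based line number
    int offset;     // character offset from the start of the source
    int lineStart;  // offset of the first character of `line`

    int column() const { return offset - lineStart; }  // 0-based column
};

// A minimal scanner standing in for the lexer: it records one TextPosition
// at the start of every whitespace-separated token.
std::vector<TextPosition> scanTokenStarts(const std::string& source) {
    std::vector<TextPosition> positions;
    int line = 1;
    int lineStart = 0;
    bool inToken = false;
    for (int i = 0; i < static_cast<int>(source.size()); ++i) {
        char c = source[i];
        if (c == '\n') {
            ++line;
            lineStart = i + 1;  // the character after '\n' begins the next line
            inToken = false;
            continue;
        }
        if (c == ' ' || c == '\t') {
            inToken = false;
            continue;
        }
        if (!inToken) {
            positions.push_back({line, i, lineStart});
            inToken = true;
        }
    }
    return positions;
}

struct ColumnReport {
    int consistentColumn;  // computed from the single TextPosition record
    int mismatchedColumn;  // offset from the divot, lineStart sampled later
};

// Contrasts the two ways of deriving a column for token `tokenIndex`:
// from one combined record, and from an offset recorded at the divot but a
// lineStart sampled after the scan has moved on to the last token, which is
// the independent-sampling mismatch the change log describes.
ColumnReport compareColumnComputation(const std::string& source, size_t tokenIndex) {
    std::vector<TextPosition> positions = scanTokenStarts(source);
    const TextPosition& divot = positions.at(tokenIndex);
    const TextPosition& later = positions.back();
    ColumnReport report;
    report.consistentColumn = divot.column();
    report.mismatchedColumn = divot.offset - later.lineStart;
    return report;
}

int main() {
    // Constructed two-line source for the demonstration.
    const std::string source = "var x = 1;\n  foo(x);\n";
    ColumnReport report = compareColumnComputation(source, 1);  // the token "x"
    std::printf("consistent column: %d, mismatched column: %d\n",
                report.consistentColumn, report.mismatchedColumn);
    return 0;
}
```

        For the token "x" on line 1 the combined record yields column 4, while pairing its offset
        with a lineStart sampled on line 2 yields a negative column; an assertion on column values
        is exactly the kind of check that fails when the two are recorded independently.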
1675
1676 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
1677
1678         Unreviewed. Fix make distcheck.
1679
1680         * GNUmakefile.list.am: Add missing files to compilation.
1681         * bytecode/CodeBlock.cpp: Add an ENABLE(FTL_JIT) #if block to
1682         include FTL header files not included in the compilation.
1683         * dfg/DFGDriver.cpp: Ditto.
1684         * dfg/DFGPlan.cpp: Ditto.
1685
1686 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
1687
1688         Eager stack trace for error objects.
1689         https://bugs.webkit.org/show_bug.cgi?id=118918
1690
1691         Reviewed by Geoffrey Garen.
1692         
1693         Chrome and Firefox give error objects the stack property and we wanted to match
1694         that functionality. This allows developers to see the stack without throwing an object.
1695
1696         * runtime/ErrorInstance.cpp:
1697         (JSC::ErrorInstance::finishCreation):
1698         For error objects that are not thrown as an exception, we pass the stackTrace in
1699         as a parameter. This allows the error object to have the stack property.
1700         
1701         * interpreter/Interpreter.cpp:
1702         (JSC::stackTraceAsString):
1703         Helper function used to eliminate duplicate code.
1704
1705         (JSC::Interpreter::addStackTraceIfNecessary):
1706         When an error object is created by the user the vm->exceptionStack is not set.
1707         If the user throws this error object later the stack that is in the error object 
1708         may not be the correct stack for the throw, so when we set the vm->exception stack,
1709         the stack property on the error object is set as well.
1710         
1711         * runtime/ErrorConstructor.cpp:
1712         (JSC::constructWithErrorConstructor):
1713         (JSC::callErrorConstructor):
1714         * runtime/NativeErrorConstructor.cpp:
1715         (JSC::constructWithNativeErrorConstructor):
1716         (JSC::callNativeErrorConstructor):
1717         These functions indicate that the user created an error object. For all error objects 
1718         that the user explicitly creates, the topCallFrame is at a new frame created to 
1719         handle the user's call. In this case though, the error object needs the caller's 
1720         frame to create the stack trace correctly.
1721         
1722         * interpreter/Interpreter.h:
1723         * runtime/ErrorInstance.h:
1724         (JSC::ErrorInstance::create):
1725
1726 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
1727
1728         Some cleanup in PropertySlot
1729         https://bugs.webkit.org/show_bug.cgi?id=119189
1730
1731         Reviewed by Geoff Garen.
1732
1733         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
1734         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
1735         is set to a special value to indicate the type (other than custom), and the type is also tracked by
1736         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
1737         (this is invalidOffset if not cacheable).
1738
1739             * Internally, always track the type of the property using an enum value, PropertyType.
1740             * Use m_offset to indicate cacheable.
1741             * Keep the external interface (CachedPropertyType) unchanged.
1742             * Better pack data into the m_data union.
1743
1744         Performance neutral.
1745
1746         * dfg/DFGRepatch.cpp:
1747         (JSC::DFG::tryCacheGetByID):
1748         (JSC::DFG::tryBuildGetByIDList):
1749             - cachedPropertyType() -> isCacheable*()
1750         * jit/JITPropertyAccess.cpp:
1751         (JSC::JIT::privateCompileGetByIdProto):
1752         (JSC::JIT::privateCompileGetByIdSelfList):
1753         (JSC::JIT::privateCompileGetByIdProtoList):
1754         (JSC::JIT::privateCompileGetByIdChainList):
1755         (JSC::JIT::privateCompileGetByIdChain):
1756             - cachedPropertyType() -> isCacheable*()
1757         * jit/JITPropertyAccess32_64.cpp:
1758         (JSC::JIT::privateCompileGetByIdProto):
1759         (JSC::JIT::privateCompileGetByIdSelfList):
1760         (JSC::JIT::privateCompileGetByIdProtoList):
1761         (JSC::JIT::privateCompileGetByIdChainList):
1762         (JSC::JIT::privateCompileGetByIdChain):
1763             - cachedPropertyType() -> isCacheable*()
1764         * jit/JITStubs.cpp:
1765         (JSC::tryCacheGetByID):
1766             - cachedPropertyType() -> isCacheable*()
1767         * llint/LLIntSlowPaths.cpp:
1768         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1769             - cachedPropertyType() -> isCacheable*()
1770         * runtime/PropertySlot.cpp:
1771         (JSC::PropertySlot::functionGetter):
1772             - refactoring described above.
1773         * runtime/PropertySlot.h:
1774         (JSC::PropertySlot::PropertySlot):
1775         (JSC::PropertySlot::getValue):
1776         (JSC::PropertySlot::isCacheable):
1777         (JSC::PropertySlot::isCacheableValue):
1778         (JSC::PropertySlot::isCacheableGetter):
1779         (JSC::PropertySlot::isCacheableCustom):
1780         (JSC::PropertySlot::cachedOffset):
1781         (JSC::PropertySlot::customGetter):
1782         (JSC::PropertySlot::setValue):
1783         (JSC::PropertySlot::setCustom):
1784         (JSC::PropertySlot::setCacheableCustom):
1785         (JSC::PropertySlot::setCustomIndex):
1786         (JSC::PropertySlot::setGetterSlot):
1787         (JSC::PropertySlot::setCacheableGetterSlot):
1788         (JSC::PropertySlot::setUndefined):
1789         (JSC::PropertySlot::slotBase):
1790         (JSC::PropertySlot::setBase):
1791             - refactoring described above.
1792
1793 2013-07-28  Oliver Hunt  <oliver@apple.com>
1794
1795         REGRESSION: Crash when opening Facebook.com
1796         https://bugs.webkit.org/show_bug.cgi?id=119155
1797
1798         Reviewed by Andreas Kling.
1799
1800         Scope nodes are always objects, so we should be using SpecObjectOther
1801         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
1802         contradiction in the CFA, resulting in bogus codegen.
1803
1804         * dfg/DFGAbstractInterpreterInlines.h:
1805         (JSC::DFG::::executeEffects):
1806         * dfg/DFGPredictionPropagationPhase.cpp:
1807         (JSC::DFG::PredictionPropagationPhase::propagate):
1808
1809 2013-07-26  Oliver Hunt  <oliver@apple.com>
1810
1811         REGRESSION(FTL?): Crashes in plugin tests
1812         https://bugs.webkit.org/show_bug.cgi?id=119141
1813
1814         Reviewed by Michael Saboff.
1815
1816         Re-export getStackTrace
1817
1818         * interpreter/Interpreter.h:
1819
1820 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
1821
1822         REGRESSION: Crash when opening a message on Gmail
1823         https://bugs.webkit.org/show_bug.cgi?id=119105
1824
1825         Reviewed by Oliver Hunt and Mark Hahnenberg.
1826         
1827         - GetById patching in the DFG needs to be more disciplined about how it derives the
1828           slow path.
1829         
1830         - Fix some dumping code thread safety issues.
1831
1832         * bytecode/CallLinkStatus.cpp:
1833         (JSC::CallLinkStatus::dump):
1834         * bytecode/CodeBlock.cpp:
1835         (JSC::CodeBlock::dumpBytecode):
1836         * dfg/DFGRepatch.cpp:
1837         (JSC::DFG::getPolymorphicStructureList):
1838         (JSC::DFG::tryBuildGetByIDList):
1839
1840 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
1841
1842         [mips] Fix LLINT build for mips backend
1843         https://bugs.webkit.org/show_bug.cgi?id=119152
1844
1845         Reviewed by Oliver Hunt.
1846
1847         * offlineasm/mips.rb:
1848
1849 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1850
1851         Setting a large numeric property on an object causes it to allocate a huge backing store
1852         https://bugs.webkit.org/show_bug.cgi?id=118914
1853
1854         Reviewed by Geoffrey Garen.
1855
1856         There are two distinct actions that we're trying to optimize for:
1857
1858         new Array(100000);
1859
1860         and:
1861
1862         a = [];
1863         a[100000] = 42;
1864         
1865         In the first case, the programmer has indicated that they expect this Array to be very big, 
1866         so they should get a contiguous array up until some threshold, above which we perform density 
1867         calculations to see if it is indeed dense enough to warrant being contiguous.
1868         
1869         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
1870         we should be more conservative and assume it should be sparse until we've proven otherwise.
1871         
1872         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
1873         between them for the purposes of not over-allocating large backing stores like we see on 
1874         http://www.peekanalytics.com/burgerjoints/
1875         
1876         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
1877         introduce a new heuristic for the second case. If we are putting to an index above a certain 
1878         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
1879         map instead. So for example, in the second case above the empty array has a blank indexing 
1880         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
1881
1882         This fix is ~800x speedup on the accompanying regression test :-o
1883
1884         * runtime/ArrayConventions.h:
1885         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
1886         * runtime/JSObject.cpp:
1887         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1888         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1889         (JSC::JSObject::putByIndexBeyondVectorLength):
1890         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
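
        The entry above explains the heuristic in terms of two storage shapes. The following is an
        added toy model, not JavaScriptCore's implementation: the threshold constants, the ToyArray
        type and the function names are assumptions for this example. It contrasts the old
        length-only rule with the beyond-length heuristic on a constructed store, and reports how
        many contiguous slots each policy allocates, which is the resource cost a single far-out
        index store can otherwise impose.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <map>
#include <vector>

// Toy model of the two indexed-storage shapes the change log contrasts: a
// contiguous vector of slots and a sparse map keyed by index. The thresholds
// and names below are assumptions for this example; JavaScriptCore's real
// constants live in runtime/ArrayConventions.h and differ in detail.
const size_t kMinSparseArrayIndex = 100000;         // assumed stand-in for MIN_SPARSE_ARRAY_INDEX
const size_t kSparseBeyondLengthThreshold = 1000;   // the "say, 1000" threshold from the log

enum class Policy {
    LengthOnly,             // old behaviour: only kMinSparseArrayIndex decides
    BeyondLengthHeuristic   // new behaviour: also consult the current length
};

struct ToyArray {
    std::vector<int> contiguous;   // backing store; 0 stands in for a hole
    std::map<size_t, int> sparse;  // sparse map for far-out indices
    size_t length = 0;
};

struct StorageReport {
    size_t contiguousSlots;
    size_t sparseEntries;
};

// Models indexIsSufficientlyBeyondLengthForSparseMap: storing far past the
// current length, above a fixed threshold, is taken as evidence that the
// array is not going to be dense.
bool indexIsSufficientlyBeyondLengthForSparseMap(size_t index, size_t length) {
    return index > kSparseBeyondLengthThreshold && index > length;
}

// new Array(n): the programmer asked for a big array, so below the sparse
// threshold it gets contiguous storage up front (density checks above the
// threshold are out of scope for this model).
ToyArray newArrayWithLength(size_t n) {
    ToyArray a;
    a.length = n;
    if (n < kMinSparseArrayIndex)
        a.contiguous.resize(n);
    return a;
}

// a[index] = value: decide between growing the contiguous store and the map.
void putByIndex(ToyArray& a, size_t index, int value, Policy policy) {
    bool useSparse = index >= kMinSparseArrayIndex;
    if (policy == Policy::BeyondLengthHeuristic
        && indexIsSufficientlyBeyondLengthForSparseMap(index, a.length))
        useSparse = true;
    if (useSparse) {
        a.sparse[index] = value;
    } else {
        if (a.contiguous.size() <= index)
            a.contiguous.resize(index + 1);  // the over-allocation the heuristic avoids
        a.contiguous[index] = value;
    }
    if (index + 1 > a.length)
        a.length = index + 1;
}

StorageReport report(const ToyArray& a) {
    return {a.contiguous.size(), a.sparse.size()};
}

// a = []; a[index] = 42;  under the given policy.
StorageReport storeIntoEmptyArray(size_t index, Policy policy) {
    ToyArray a;
    putByIndex(a, index, 42, policy);
    return report(a);
}

// a = new Array(n); a[index] = 42;  under the new heuristic.
StorageReport storeIntoPresizedArray(size_t n, size_t index) {
    ToyArray a = newArrayWithLength(n);
    putByIndex(a, index, 42, Policy::BeyondLengthHeuristic);
    return report(a);
}

int main() {
    StorageReport before = storeIntoEmptyArray(50000, Policy::LengthOnly);
    StorageReport after = storeIntoEmptyArray(50000, Policy::BeyondLengthHeuristic);
    std::printf("a=[]; a[50000]=42 -> old: %zu slots, new: %zu slots + %zu sparse\n",
                before.contiguousSlots, after.contiguousSlots, after.sparseEntries);
    return 0;
}
```

        With a constructed index of 50000 the length-only rule grows the backing store to 50001
        slots for one element, while the beyond-length heuristic stores it in the map; the same
        index into an array created with new Array(60000) stays contiguous, since it is within the
        length the programmer asked for.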
1891
1892 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
1893
1894         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
1895         https://bugs.webkit.org/show_bug.cgi?id=119148
1896
1897         Reviewed by Csaba Osztrogonác.
1898
1899         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
1900         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
1901         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
1902         code duplication.
1903
1904 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
1905
1906         REGRESSION(FTL): Crash in sh4 baseline JIT.
1907         https://bugs.webkit.org/show_bug.cgi?id=119138
1908
1909         Reviewed by Csaba Osztrogonác.
1910
1911         This crash is due to incomplete report of r150146 and r148474.
1912
1913         * jit/JITStubsSH4.h:
1914
1915 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
1916
1917         Unreviewed.
1918
1919         * Target.pri: Adding missing DFG files to the Qt build.
1920
1921 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
1922
1923         GTK and Qt buildfix after the intrusive win buildfix r153360.
1924
1925         * GNUmakefile.list.am:
1926         * Target.pri:
1927
1928 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1929
1930         Unreviewed, fix build break after r153360.
1931
1932         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
1933
1934 2013-07-25  Roger Fong  <roger_fong@apple.com>
1935
1936         Unreviewed build fix, AppleWin port.
1937
1938         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1939         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1940         * JavaScriptCore.vcxproj/copy-files.cmd:
1941
1942 2013-07-25  Roger Fong  <roger_fong@apple.com>
1943
1944         Unreviewed. Followup to r153360.
1945
1946         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1947         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1948
1949 2013-07-25  Michael Saboff  <msaboff@apple.com>
1950
1951         [Windows] Speculative build fix.
1952
1953         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
1954         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
1955
1956         * JavaScriptCore.xcodeproj/project.pbxproj:
1957         * llint/LLIntExceptions.cpp:
1958         * llint/LLIntExceptions.h:
1959         * llint/LLIntSlowPaths.cpp:
1960         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1961         * runtime/CommonSlowPaths.cpp:
1962         (JSC::SLOW_PATH_DECL):
1963         * runtime/CommonSlowPathsExceptions.cpp: Added.
1964         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1965         * runtime/CommonSlowPathsExceptions.h: Added.
1966
1967 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
1968
1969         [Windows] Unreviewed build fix.
1970
1971         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
1972         parser/SourceCode.h,.cpp.
1973         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1974
1975 2013-07-25  Anders Carlsson  <andersca@apple.com>
1976
1977         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
1978         https://bugs.webkit.org/show_bug.cgi?id=119108
1979
1980         Reviewed by Mark Hahnenberg.
1981
1982         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
1983
1984         * heap/CopiedSpace.cpp:
1985         (JSC::CopiedSpace::tryAllocateSlowCase):
1986         * heap/Heap.cpp:
1987         (JSC::Heap::protect):
1988         (JSC::Heap::unprotect):
1989         (JSC::Heap::collect):
1990         * heap/MarkedAllocator.cpp:
1991         (JSC::MarkedAllocator::allocateSlowCase):
1992         * runtime/JSGlobalObject.cpp:
1993         (JSC::JSGlobalObject::init):
1994         * runtime/VM.h:
1995         (JSC::VM::currentThreadIsHoldingAPILock):
1996
1997 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
1998
1999         REGRESSION(FTL): Most layout tests crashes
2000         https://bugs.webkit.org/show_bug.cgi?id=119089
2001
2002         Reviewed by Oliver Hunt.
2003
2004         * runtime/ExecutionHarness.h:
2005         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2006         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2007         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
2008         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2009         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2010         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2011
2012 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2013
2014         [Windows] Unreviewed build fix.
2015
2016         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2017         include path.
2018
2019 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2020
2021         [Windows] Unreviewed build fix.
2022
2023         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2024         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2025         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2026
2027 2013-07-25  Oliver Hunt  <oliver@apple.com>
2028
2029         Make all jit & non-jit combos build cleanly
2030         https://bugs.webkit.org/show_bug.cgi?id=119102
2031
2032         Reviewed by Anders Carlsson.
2033
2034         * bytecode/CodeBlock.cpp:
2035         (JSC::CodeBlock::counterValueForOptimizeSoon):
2036         * bytecode/CodeBlock.h:
2037         (JSC::CodeBlock::optimizeAfterWarmUp):
2038         (JSC::CodeBlock::numberOfDFGCompiles):
2039
2040 2013-07-25  Oliver Hunt  <oliver@apple.com>
2041
2042         32 bit portion of load validation logic
2043         https://bugs.webkit.org/show_bug.cgi?id=118878
2044
2045         Reviewed by NOBODY (Build fix).
2046
2047         * dfg/DFGSpeculativeJIT32_64.cpp:
2048         (JSC::DFG::SpeculativeJIT::compile):
2049
2050 2013-07-25  Oliver Hunt  <oliver@apple.com>
2051
2052         More 32bit build fixes
2053
2054         - Apparently some compilers don't track the fastcall directive everywhere we expect
2055
2056         * API/APICallbackFunction.h:
2057         (JSC::APICallbackFunction::call):
2058         * bytecode/CodeBlock.cpp:
2059         * runtime/Structure.cpp:
2060
2061 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2062
2063         Optimize the thread locks for API Shims
2064         https://bugs.webkit.org/show_bug.cgi?id=118573
2065
2066         Reviewed by Geoffrey Garen.
2067
2068         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2069         only used by WebCore's main thread).
2070
2071         * API/APIShims.h:
2072         (JSC::APIEntryShim::APIEntryShim):
2073         (JSC::APICallbackShim::APICallbackShim):
2074         * runtime/JSLock.cpp:
2075         (JSC::JSLockHolder::JSLockHolder):
2076         (JSC::JSLockHolder::init):
2077         (JSC::JSLockHolder::~JSLockHolder):
2078         (JSC::JSLock::DropAllLocks::DropAllLocks):
2079         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2080         * runtime/VM.cpp:
2081         (JSC::VM::VM):
2082         * runtime/VM.h:
2083
2084 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2085
2086         Unreviewed build fix after r153218.
2087
2088         Broke the EFL port build with gcc 4.7.
2089
2090         * interpreter/StackIterator.cpp:
2091         (JSC::printif):
2092
2093 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2094
2095         Build fix: add missing #include.
2096         https://bugs.webkit.org/show_bug.cgi?id=119087
2097
2098         Reviewed by Allan Sandfeld Jensen.
2099
2100         * bytecode/ArrayProfile.cpp:
2101
2102 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2103
2104         Unreviewed, build fix on the EFL port.
2105
2106         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2107
2108 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2109
2110         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2111         https://bugs.webkit.org/show_bug.cgi?id=119083
2112
2113         Reviewed by Allan Sandfeld Jensen.
2114
2115         * assembler/MacroAssemblerSH4.h:
2116         (JSC::MacroAssemblerSH4::store8):
2117
2118 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2119
2120         [Qt] Fix test build after FTL upstream
2121
2122         Unreviewed build fix.
2123
2124         * Target.pri:
2125
2126 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2127
2128         [Qt] Build fix after FTL.
2129
2130         Unreviewed build fix.
2131
2132         * Target.pri:
2133         * interpreter/StackIterator.cpp:
2134         (JSC::StackIterator::Frame::print):
2135
2136 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2137
2138         Unreviewed build fix after FTL upstream.
2139
2140         * dfg/DFGWorklist.cpp:
2141         (JSC::DFG::Worklist::~Worklist):
2142
2143 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2144
2145         Unreviewed, build fix on the EFL port.
2146
2147         * CMakeLists.txt:
2148         Added SourceCode.cpp and removed BlackBerry file.
2149         * jit/JITCode.h:
2150         (JSC::JITCode::nextTierJIT):
2151         Fixed build break caused by -Werror=return-type
2152         * parser/Lexer.cpp: Includes JSFunctionInlines.h
2153         * runtime/JSScope.h:
2154         (JSC::makeType):
2155         Fixed build break caused by -Werror=return-type
2156
2157 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2158
2159         Unreviewed build fixing after FTL upstream.
2160
2161         * runtime/Executable.cpp:
2162         (JSC::FunctionExecutable::produceCodeBlockFor):
2163
2164 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2165
2166         Add missing implementation of bxxxnz in sh4 LLINT.
2167         https://bugs.webkit.org/show_bug.cgi?id=119079
2168
2169         Reviewed by Allan Sandfeld Jensen.
2170
2171         * offlineasm/sh4.rb:
2172
2173 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2174
2175         Unreviewed, build fix on the Qt port.
2176
2177         * Target.pri: Add additional build files for the FTL.
2178
2179 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2180
2181         Unreviewed buildfix after FTL upstream.
2182
2183         * interpreter/StackIterator.cpp:
2184         (JSC::StackIterator::Frame::codeType):
2185         (JSC::StackIterator::Frame::functionName):
2186         (JSC::StackIterator::Frame::sourceURL):
2187         (JSC::StackIterator::Frame::logicalFrame):
2188
2189 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2190
2191         Unreviewed.
2192
2193         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
2194         method is not left undefined, causing build failures on (at least) the GTK port.
2195
2196 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2197
2198         Unreviewed, further build fixing on the GTK port.
2199
2200         * GNUmakefile.list.am: Add CompilationResult source files to the build.
2201
2202 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2203
2204         Unreviewed GTK build fixing.
2205
2206         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
2207         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
2208
2209 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2210
2211         Buildfix after this error:
2212         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
2213
2214         * dfg/DFGPlan.cpp:
2215         (JSC::DFG::Plan::compileInThread):
2216
2217 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2218
2219         One more buildfix after FTL upstream.
2220
2221         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
2222
2223         * dfg/DFGLazyJSValue.cpp:
2224         (JSC::DFG::LazyJSValue::getValue):
2225         (JSC::DFG::LazyJSValue::strictEqual):
2226
2227 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2228
2229         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
2230         https://bugs.webkit.org/show_bug.cgi?id=119076
2231
2232         Reviewed by Allan Sandfeld Jensen.
2233
2234         * offlineasm/mips.rb:
2235         * offlineasm/sh4.rb:
2236
2237 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2238
2239         Unreviewed GTK build fix.
2240
2241         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
2242
2243 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2244
2245         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
2246         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
2247
2248         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
2249
2250 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2251
2252         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
2253
2254         * GNUmakefile.am:
2255         * GNUmakefile.list.am:
2256
2257 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2258
2259         Unreviewed buildfix after FTL upstream.
2260
2261         * runtime/JSScope.h:
2262         (JSC::needsVarInjectionChecks):
2263
2264 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2265
2266         One more fix after FTL upstream.
2267
2268         * Target.pri:
2269         * bytecode/CodeBlock.h:
2270         * bytecode/GetByIdStatus.h:
2271         (JSC::GetByIdStatus::GetByIdStatus):
2272
2273 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2274
2275         Unreviewed buildfix after FTL upstream.
2276
2277         Add ftl directory as include path.
2278
2279         * CMakeLists.txt:
2280         * JavaScriptCore.pri:
2281
2282 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2283
2284         Unreviewed buildfix after FTL upstream for non C++11 builds.
2285
2286         * interpreter/CallFrame.h:
2287         * interpreter/StackIteratorPrivate.h:
2288         (JSC::StackIterator::end):
2289
2290 2013-07-24  Oliver Hunt  <oliver@apple.com>
2291
2292         Endeavour to fix CMakelist builds
2293
2294         * CMakeLists.txt:
2295
2296 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
2297
2298         fourthTier: DFG IR dumps should be easier to read
2299         https://bugs.webkit.org/show_bug.cgi?id=119050
2300
2301         Reviewed by Mark Hahnenberg.
2302         
2303         Added a DumpContext that includes support for printing an endnote
2304         that describes all structures in full, while the main flow of the
2305         dump just uses made-up names for the structures. This is helpful
2306         since Structure::dump() may print a lot. The stuff it prints is
2307         useful, but if it's all inline with the surrounding thing you're
2308         dumping (often, a node in the DFG), then you get a ridiculously
2309         long print-out. All classes that dump structures (including
2310         Structure itself) now have dumpInContext() methods that use
2311         inContext() for dumping anything that might transitively print a
2312         structure. If Structure::dumpInContext() is called with a NULL
2313         context, it just uses dump() like before. Hence you don't have to
2314         know anything about DumpContext unless you want to.
2315         
2316         inContext(*structure, context) dumps something like %B4:Array,
2317         and the endnote will have something like:
2318         
2319             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
2320         
2321         where B4 is the inferred name that StringHashDumpContext came up
2322         with.
2323         
2324         Also shortened a bunch of other dumps, removing information that
2325         isn't so important.
2326         
2327         * JavaScriptCore.xcodeproj/project.pbxproj:
2328         * bytecode/ArrayProfile.cpp:
2329         (JSC::dumpArrayModes):
2330         * bytecode/CodeBlockHash.cpp:
2331         (JSC):
2332         (JSC::CodeBlockHash::CodeBlockHash):
2333         (JSC::CodeBlockHash::dump):
2334         * bytecode/CodeOrigin.cpp:
2335         (JSC::CodeOrigin::dumpInContext):
2336         (JSC):
2337         (JSC::InlineCallFrame::dumpInContext):
2338         (JSC::InlineCallFrame::dump):
2339         * bytecode/CodeOrigin.h:
2340         (CodeOrigin):
2341         (InlineCallFrame):
2342         * bytecode/Operands.h:
2343         (JSC::OperandValueTraits::isEmptyForDump):
2344         (Operands):
2345         (JSC::Operands::dump):
2346         (JSC):
2347         * bytecode/OperandsInlines.h: Added.
2348         (JSC):
2349         (JSC::::dumpInContext):
2350         * bytecode/StructureSet.h:
2351         (JSC::StructureSet::dumpInContext):
2352         (JSC::StructureSet::dump):
2353         (StructureSet):
2354         * dfg/DFGAbstractValue.cpp:
2355         (JSC::DFG::AbstractValue::dump):
2356         (DFG):
2357         (JSC::DFG::AbstractValue::dumpInContext):
2358         * dfg/DFGAbstractValue.h:
2359         (JSC::DFG::AbstractValue::operator!):
2360         (AbstractValue):
2361         * dfg/DFGCFAPhase.cpp:
2362         (JSC::DFG::CFAPhase::performBlockCFA):
2363         * dfg/DFGCommon.cpp:
2364         * dfg/DFGCommon.h:
2365         (JSC::DFG::NodePointerTraits::isEmptyForDump):
2366         * dfg/DFGDisassembler.cpp:
2367         (JSC::DFG::Disassembler::createDumpList):
2368         * dfg/DFGDisassembler.h:
2369         (Disassembler):
2370         * dfg/DFGFlushFormat.h:
2371         (WTF::inContext):
2372         (WTF):
2373         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2374         * dfg/DFGGraph.cpp:
2375         (JSC::DFG::Graph::dumpCodeOrigin):
2376         (JSC::DFG::Graph::dump):
2377         (JSC::DFG::Graph::dumpBlockHeader):
2378         * dfg/DFGGraph.h:
2379         (Graph):
2380         * dfg/DFGLazyJSValue.cpp:
2381         (JSC::DFG::LazyJSValue::dumpInContext):
2382         (JSC::DFG::LazyJSValue::dump):
2383         (DFG):
2384         * dfg/DFGLazyJSValue.h:
2385         (LazyJSValue):
2386         * dfg/DFGNode.h:
2387         (JSC::DFG::nodeMapDump):
2388         (WTF::inContext):
2389         (WTF):
2390         * dfg/DFGOSRExitCompiler32_64.cpp:
2391         (JSC::DFG::OSRExitCompiler::compileExit):
2392         * dfg/DFGOSRExitCompiler64.cpp:
2393         (JSC::DFG::OSRExitCompiler::compileExit):
2394         * dfg/DFGStructureAbstractValue.h:
2395         (JSC::DFG::StructureAbstractValue::dumpInContext):
2396         (JSC::DFG::StructureAbstractValue::dump):
2397         (StructureAbstractValue):
2398         * ftl/FTLExitValue.cpp:
2399         (JSC::FTL::ExitValue::dumpInContext):
2400         (JSC::FTL::ExitValue::dump):
2401         (FTL):
2402         * ftl/FTLExitValue.h:
2403         (ExitValue):
2404         * ftl/FTLLowerDFGToLLVM.cpp:
2405         * ftl/FTLValueSource.cpp:
2406         (JSC::FTL::ValueSource::dumpInContext):
2407         (FTL):
2408         * ftl/FTLValueSource.h:
2409         (ValueSource):
2410         * runtime/DumpContext.cpp: Added.
2411         (JSC):
2412         (JSC::DumpContext::DumpContext):
2413         (JSC::DumpContext::~DumpContext):
2414         (JSC::DumpContext::isEmpty):
2415         (JSC::DumpContext::dump):
2416         * runtime/DumpContext.h: Added.
2417         (JSC):
2418         (DumpContext):
2419         * runtime/JSCJSValue.cpp:
2420         (JSC::JSValue::dump):
2421         (JSC):
2422         (JSC::JSValue::dumpInContext):
2423         * runtime/JSCJSValue.h:
2424         (JSC):
2425         (JSValue):
2426         * runtime/Structure.cpp:
2427         (JSC::Structure::dumpInContext):
2428         (JSC):
2429         (JSC::Structure::dumpBrief):
2430         (JSC::Structure::dumpContextHeader):
2431         * runtime/Structure.h:
2432         (JSC):
2433         (Structure):
2434
2435 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
2436
2437         fourthTier: DFG should do a high-level LICM before going to FTL
2438         https://bugs.webkit.org/show_bug.cgi?id=118749
2439
2440         Reviewed by Oliver Hunt.
2441         
2442         Implements LICM hoisting for nodes that never write anything and never read
2443         things that are clobbered by the loop. There are some other preconditions for
2444         hoisting, see DFGLICMPhase.cpp.
2445
2446         Also did a few fixes:
2447         
2448         - ClobberSet::add was failing to switch Super entries to Direct entries in
2449           some cases.
2450         
2451         - DFGClobberize.cpp needed to #include "Operations.h".
2452         
2453         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
2454         
2455         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
2456           Knowing the indexInBlock is an optional optimization that all other clients
2457           of AI still opt into, but LICM doesn't.
2458         
2459         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
2460
2461         * JavaScriptCore.xcodeproj/project.pbxproj:
2462         * dfg/DFGAbstractInterpreter.h:
2463         (AbstractInterpreter):
2464         * dfg/DFGAbstractInterpreterInlines.h:
2465         (JSC::DFG::::executeEffects):
2466         (JSC::DFG::::execute):
2467         (DFG):
2468         (JSC::DFG::::clobberWorld):
2469         (JSC::DFG::::clobberStructures):
2470         * dfg/DFGAtTailAbstractState.cpp: Added.
2471         (DFG):
2472         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2473         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
2474         (JSC::DFG::AtTailAbstractState::createValueForNode):
2475         (JSC::DFG::AtTailAbstractState::forNode):
2476         * dfg/DFGAtTailAbstractState.h: Added.
2477         (DFG):
2478         (AtTailAbstractState):
2479         (JSC::DFG::AtTailAbstractState::initializeTo):
2480         (JSC::DFG::AtTailAbstractState::forNode):
2481         (JSC::DFG::AtTailAbstractState::variables):
2482         (JSC::DFG::AtTailAbstractState::block):
2483         (JSC::DFG::AtTailAbstractState::isValid):
2484         (JSC::DFG::AtTailAbstractState::setDidClobber):
2485         (JSC::DFG::AtTailAbstractState::setIsValid):
2486         (JSC::DFG::AtTailAbstractState::setBranchDirection):
2487         (JSC::DFG::AtTailAbstractState::setFoundConstants):
2488         (JSC::DFG::AtTailAbstractState::haveStructures):
2489         (JSC::DFG::AtTailAbstractState::setHaveStructures):
2490         * dfg/DFGBasicBlock.h:
2491         (JSC::DFG::BasicBlock::insertBeforeLast):
2492         * dfg/DFGBasicBlockInlines.h:
2493         (DFG):
2494         * dfg/DFGClobberSet.cpp:
2495         (JSC::DFG::ClobberSet::add):
2496         (JSC::DFG::ClobberSet::addAll):
2497         * dfg/DFGClobberize.cpp:
2498         (JSC::DFG::doesWrites):
2499         * dfg/DFGClobberize.h:
2500         (DFG):
2501         * dfg/DFGDCEPhase.cpp:
2502         (JSC::DFG::DCEPhase::DCEPhase):
2503         (JSC::DFG::DCEPhase::run):
2504         (JSC::DFG::DCEPhase::fixupBlock):
2505         (DCEPhase):
2506         * dfg/DFGEdgeDominates.h: Added.
2507         (DFG):
2508         (EdgeDominates):
2509         (JSC::DFG::EdgeDominates::EdgeDominates):
2510         (JSC::DFG::EdgeDominates::operator()):
2511         (JSC::DFG::EdgeDominates::result):
2512         (JSC::DFG::edgesDominate):
2513         * dfg/DFGFixupPhase.cpp:
2514         (JSC::DFG::FixupPhase::fixupNode):
2515         (JSC::DFG::FixupPhase::checkArray):
2516         * dfg/DFGLICMPhase.cpp: Added.
2517         (LICMPhase):
2518         (JSC::DFG::LICMPhase::LICMPhase):
2519         (JSC::DFG::LICMPhase::run):
2520         (JSC::DFG::LICMPhase::attemptHoist):
2521         (DFG):
2522         (JSC::DFG::performLICM):
2523         * dfg/DFGLICMPhase.h: Added.
2524         (DFG):
2525         * dfg/DFGPlan.cpp:
2526         (JSC::DFG::Plan::compileInThreadImpl):
2527
2528 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2529
2530         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
2531         https://bugs.webkit.org/show_bug.cgi?id=118910
2532
2533         Reviewed by Sam Weinig.
2534         
2535         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
2536         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
2537         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
2538         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
2539         create them all up front). FTL AbstractHeaps also don't actually give you the
2540         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
2541         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
2542         They also give you aliasing machinery. The DFG AbstractHeaps are represented
2543         internally by an int64_t. Many comparisons between them are just integer comparisons.
2544         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
2545         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
2546         payload is the direct subtype of its corresponding TOP Kind).
2547         
2548         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
2549         clobbered. It represents the set that results from unifying a bunch of
2550         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
2551         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
2552         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
2553         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
2554         member is equal to it, or if any of its ancestors are equal to a direct member.
2555         
2556         Example #1:
2557         
2558             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
2559               is a subtype of Variables, which is a subtype of World.
2560             - You query Variables. I.e. Variables with a TOP payload, which is the
2561               supertype of Variables(X) for any X, and a subtype of World.
2562             
2563             The set will have Variables(5) as a direct member, and Variables and World as
2564             super members. The Variables query will immediately return true, because
2565             Variables is indeed a super member.
2566         
2567         Example #2:
2568         
2569             - I add Variables(5)
2570             - You query NamedProperties
2571             
2572             NamedProperties is not a member at all (neither direct nor super). We next
2573             query World. World is a member, but it's a super member, so we return false.
2574         
2575         Example #3:
2576         
2577             - I add Variables
2578             - You query Variables(5)
2579             
2580             The set will have Variables as a direct member, and World as a super member.
2581             The Variables(5) query will not find Variables(5) in the set, but then it
2582             will query Variables. Variables is a direct member, so we return true.
2583         
2584         Example #4:
2585         
2586             - I add Variables
2587             - You query NamedProperties(5)
2588             
2589             Neither NamedProperties nor NamedProperties(5) is a member. We next query
2590             World. World is a member, but it's a super member, so we return false.
2591         
2592         Overlap queries require that either the heap being queried is in the set (either
2593         direct or super), or that one of its ancestors is a direct member. Another way to
2594         think about how this works is that two heaps A and B are said to overlap if
2595         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
2596         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
2597         heaps and answers the question, "is any member in the set an ancestor (i.e.
2598         supertype) of some other heap". We would have the set contain the heaps themselves,
2599         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
2600         chain of A, and repeatedly querying its membership in the set. This is what the
2601         "direct" members of our set do. Now consider the other part, where we want to ask if
2602         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
2603         would implement this by implementing set.add(B) as adding not just B but also all of
2604         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
2605         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
2606         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
2607         heap" question. ClobberSet does this, but combines the two sets into a single
2608         HashMap. The HashMap's value, "direct", means that the key is a member of both the
2609         supertype set and the subtype set; if it's false then it's only a member of one of
2610         them.
2611         
2612         Finally, this adds a functorized clobberize() method that adds the read and write
2613         clobbers of a DFG::Node to read and write functors. Common functors for adding to
2614         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
2615         are also provided. This allows you to say things like:
2616         
2617             ClobberSet set;
2618             addWrites(graph, node1, set);
2619             if (readsOverlap(graph, node2, set))
2620                 // We know that node1 may write to something that node2 may read from.
2621         
2622         Currently this facility is only used to improve graph dumping, but it will be
2623         instrumental in both LICM and GVN. In the future, I want to completely kill the
2624         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
2625         of accomplishing almost exactly what AbstractHeap gives you.
2626
2627         * JavaScriptCore.xcodeproj/project.pbxproj:
2628         * dfg/DFGAbstractHeap.cpp: Added.
2629         (DFG):
2630         (JSC::DFG::AbstractHeap::Payload::dump):
2631         (JSC::DFG::AbstractHeap::dump):
2632         (WTF):
2633         (WTF::printInternal):
2634         * dfg/DFGAbstractHeap.h: Added.
2635         (DFG):
2636         (AbstractHeap):
2637         (Payload):
2638         (JSC::DFG::AbstractHeap::Payload::Payload):
2639         (JSC::DFG::AbstractHeap::Payload::top):
2640         (JSC::DFG::AbstractHeap::Payload::isTop):
2641         (JSC::DFG::AbstractHeap::Payload::value):
2642         (JSC::DFG::AbstractHeap::Payload::valueImpl):
2643         (JSC::DFG::AbstractHeap::Payload::operator==):
2644         (JSC::DFG::AbstractHeap::Payload::operator!=):
2645         (JSC::DFG::AbstractHeap::Payload::operator<):
2646         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
2647         (JSC::DFG::AbstractHeap::Payload::overlaps):
2648         (JSC::DFG::AbstractHeap::AbstractHeap):
2649         (JSC::DFG::AbstractHeap::operator!):
2650         (JSC::DFG::AbstractHeap::kind):
2651         (JSC::DFG::AbstractHeap::payload):
2652         (JSC::DFG::AbstractHeap::isDisjoint):
2653         (JSC::DFG::AbstractHeap::overlaps):
2654         (JSC::DFG::AbstractHeap::supertype):
2655         (JSC::DFG::AbstractHeap::hash):
2656         (JSC::DFG::AbstractHeap::operator==):
2657         (JSC::DFG::AbstractHeap::operator!=):
2658         (JSC::DFG::AbstractHeap::operator<):
2659         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
2660         (JSC::DFG::AbstractHeap::payloadImpl):
2661         (JSC::DFG::AbstractHeap::encode):
2662         (JSC::DFG::AbstractHeapHash::hash):
2663         (JSC::DFG::AbstractHeapHash::equal):
2664         (AbstractHeapHash):
2665         (WTF):
2666         * dfg/DFGClobberSet.cpp: Added.
2667         (DFG):
2668         (JSC::DFG::ClobberSet::ClobberSet):
2669         (JSC::DFG::ClobberSet::~ClobberSet):
2670         (JSC::DFG::ClobberSet::add):
2671         (JSC::DFG::ClobberSet::addAll):
2672         (JSC::DFG::ClobberSet::contains):
2673         (JSC::DFG::ClobberSet::overlaps):
2674         (JSC::DFG::ClobberSet::clear):
2675         (JSC::DFG::ClobberSet::direct):
2676         (JSC::DFG::ClobberSet::super):
2677         (JSC::DFG::ClobberSet::dump):
2678         (JSC::DFG::ClobberSet::setOf):
2679         (JSC::DFG::addReads):
2680         (JSC::DFG::addWrites):
2681         (JSC::DFG::addReadsAndWrites):
2682         (JSC::DFG::readsOverlap):
2683         (JSC::DFG::writesOverlap):
2684         * dfg/DFGClobberSet.h: Added.
2685         (DFG):
2686         (ClobberSet):
2687         (JSC::DFG::ClobberSet::isEmpty):
2688         (ClobberSetAdd):
2689         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
2690         (JSC::DFG::ClobberSetAdd::operator()):
2691         (ClobberSetOverlaps):
2692         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
2693         (JSC::DFG::ClobberSetOverlaps::operator()):
2694         (JSC::DFG::ClobberSetOverlaps::result):
2695         * dfg/DFGClobberize.cpp: Added.
2696         (DFG):
2697         (JSC::DFG::didWrites):
2698         * dfg/DFGClobberize.h: Added.
2699         (DFG):
2700         (JSC::DFG::clobberize):
2701         (NoOpClobberize):
2702         (JSC::DFG::NoOpClobberize::NoOpClobberize):
2703         (JSC::DFG::NoOpClobberize::operator()):
2704         (CheckClobberize):
2705         (JSC::DFG::CheckClobberize::CheckClobberize):
2706         (JSC::DFG::CheckClobberize::operator()):
2707         (JSC::DFG::CheckClobberize::result):
2708         * dfg/DFGGraph.cpp:
2709         (JSC::DFG::Graph::dump):
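         An added, self-contained model of the direct/super bookkeeping this entry describes. It is not WebKit's dfg/DFGAbstractHeap.h or dfg/DFGClobberSet.cpp: it is a constructed simplification with three stand-in Kinds and a small struct in place of the DFG's packed int64_t, and it reproduces Examples #1 to #4 above plus the super-to-direct upgrade in ClobberSet::add that the 2013-07-22 LICM entry says was once missed.

```cpp
// Constructed model of DFG AbstractHeap / ClobberSet overlap rules.
// Not WebKit code: a simplified stand-in with the same three-level hierarchy
// (World > Kind > Kind(payload)) so the direct/super logic is easy to follow.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <unordered_map>

namespace model {

// Two stand-in Kinds besides World; the real DFG has many more.
enum class Kind : uint8_t { World = 0, Variables = 1, NamedProperties = 2 };

// A payload is either TOP (the whole Kind) or a specific value, e.g. Variables(5).
struct Payload {
    bool top;
    int64_t value;
    static Payload Top() { return Payload{true, 0}; }
    static Payload Of(int64_t v) { return Payload{false, v}; }
    bool operator==(const Payload& o) const { return top == o.top && (top || value == o.value); }
};

struct AbstractHeap {
    Kind kind;
    Payload payload;
    bool operator==(const AbstractHeap& o) const { return kind == o.kind && payload == o.payload; }

    // Parent in the hierarchy: Kind(v) -> Kind(TOP) -> World. World is its own root.
    AbstractHeap supertype() const {
        if (kind == Kind::World) return *this;
        if (!payload.top) return AbstractHeap{kind, Payload::Top()};
        return AbstractHeap{Kind::World, Payload::Top()};
    }
    // Pack kind, TOP flag and payload into one integer so hashing is an integer op.
    uint64_t encode() const {
        return (static_cast<uint64_t>(kind) << 56) | (static_cast<uint64_t>(payload.top) << 55)
            | (static_cast<uint64_t>(payload.value) & ((uint64_t(1) << 55) - 1));
    }
};

struct HeapHash {
    size_t operator()(const AbstractHeap& h) const { return std::hash<uint64_t>()(h.encode()); }
};

// One HashMap holds both roles: value true = "direct" member (the heap itself
// was added), false = "super" member (present only as an ancestor of an added heap).
class ClobberSet {
public:
    void add(const AbstractHeap& heap) {
        m_map[heap] = true; // a previous super entry is upgraded to direct here
        for (AbstractHeap a = heap; a.kind != Kind::World;) {
            a = a.supertype();
            m_map.emplace(a, false); // no-op if present, so a direct entry stays direct
        }
    }
    // Overlap: the heap is itself a member (direct or super), or one of its
    // ancestors is a direct member (i.e. some added heap contains the queried one).
    bool overlaps(const AbstractHeap& heap) const {
        if (m_map.find(heap) != m_map.end())
            return true;
        for (AbstractHeap a = heap; a.kind != Kind::World;) {
            a = a.supertype();
            auto it = m_map.find(a);
            if (it != m_map.end() && it->second)
                return true;
        }
        return false;
    }
private:
    std::unordered_map<AbstractHeap, bool, HeapHash> m_map;
};

inline AbstractHeap variables(int64_t v) { return {Kind::Variables, Payload::Of(v)}; }
inline AbstractHeap variablesTop() { return {Kind::Variables, Payload::Top()}; }
inline AbstractHeap namedProperties(int64_t v) { return {Kind::NamedProperties, Payload::Of(v)}; }
inline AbstractHeap namedPropertiesTop() { return {Kind::NamedProperties, Payload::Top()}; }

// "I add X, you query Y": the shape of Examples #1 to #4 in the entry.
inline bool overlapAfterAdding(const AbstractHeap& added, const AbstractHeap& queried) {
    ClobberSet set;
    set.add(added);
    return set.overlaps(queried);
}

// After add(Variables(5)) then add(Variables), Variables must be direct, so
// Variables(7) overlaps; a set that left it as super would wrongly say false.
inline bool superUpgradeWorks() {
    ClobberSet set;
    set.add(variables(5));
    set.add(variablesTop());
    return set.overlaps(variables(7));
}

} // namespace model

int main() {
    using namespace model;
    std::printf("#1 Variables(5) vs Variables         -> %d\n", overlapAfterAdding(variables(5), variablesTop()));
    std::printf("#2 Variables(5) vs NamedProperties   -> %d\n", overlapAfterAdding(variables(5), namedPropertiesTop()));
    std::printf("#3 Variables vs Variables(5)         -> %d\n", overlapAfterAdding(variablesTop(), variables(5)));
    std::printf("#4 Variables vs NamedProperties(5)   -> %d\n", overlapAfterAdding(variablesTop(), namedProperties(5)));
    std::printf("super->direct upgrade                -> %d\n", superUpgradeWorks());
    return 0;
}
```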
2710
2711 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2712
2713         fourthTier: It should be easy to figure out which blocks nodes belong to
2714         https://bugs.webkit.org/show_bug.cgi?id=118957
2715
2716         Reviewed by Sam Weinig.
2717
2718         * dfg/DFGGraph.cpp:
2719         (DFG):
2720         (JSC::DFG::Graph::initializeNodeOwners):
2721         * dfg/DFGGraph.h:
2722         (Graph):
2723         * dfg/DFGNode.h:
2724
2725 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2726
2727         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
2728         https://bugs.webkit.org/show_bug.cgi?id=118956
2729
2730         Reviewed by Sam Weinig.
2731         
2732         We had two ways of expressing that something exits forward: the NodeExitsForward
2733         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
2734         makes it just be a flag.
2735
2736         * dfg/DFGAbstractInterpreterInlines.h:
2737         (JSC::DFG::::executeEffects):
2738         * dfg/DFGArgumentsSimplificationPhase.cpp:
2739         (JSC::DFG::ArgumentsSimplificationPhase::run):
2740         * dfg/DFGCSEPhase.cpp:
2741         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
2742         (JSC::DFG::CSEPhase::checkStructureElimination):
2743         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2744         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2745         (JSC::DFG::CSEPhase::checkArrayElimination):
2746         (JSC::DFG::CSEPhase::performNodeCSE):
2747         * dfg/DFGConstantFoldingPhase.cpp:
2748         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2749         * dfg/DFGFixupPhase.cpp:
2750         (JSC::DFG::FixupPhase::fixupNode):
2751         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2752         * dfg/DFGMinifiedNode.h:
2753         (JSC::DFG::belongsInMinifiedGraph):
2754         (JSC::DFG::MinifiedNode::hasChild):
2755         * dfg/DFGNode.h:
2756         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
2757         (JSC::DFG::Node::hasStructureSet):
2758         (JSC::DFG::Node::hasStructure):
2759         (JSC::DFG::Node::hasArrayMode):
2760         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2761         * dfg/DFGNodeType.h:
2762         (DFG):
2763         (JSC::DFG::needsOSRForwardRewiring):
2764         * dfg/DFGPredictionPropagationPhase.cpp:
2765         (JSC::DFG::PredictionPropagationPhase::propagate):
2766         * dfg/DFGSafeToExecute.h:
2767         (JSC::DFG::safeToExecute):
2768         * dfg/DFGSpeculativeJIT.cpp:
2769         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
2770         * dfg/DFGSpeculativeJIT32_64.cpp:
2771         (JSC::DFG::SpeculativeJIT::compile):
2772         * dfg/DFGSpeculativeJIT64.cpp:
2773         (JSC::DFG::SpeculativeJIT::compile):
2774         * dfg/DFGTypeCheckHoistingPhase.cpp:
2775         (JSC::DFG::TypeCheckHoistingPhase::run):
2776         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2777         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2778         * dfg/DFGVariableEventStream.cpp:
2779         (JSC::DFG::VariableEventStream::reconstruct):
2780         * ftl/FTLCapabilities.cpp:
2781         (JSC::FTL::canCompile):
2782         * ftl/FTLLowerDFGToLLVM.cpp:
2783         (JSC::FTL::LowerDFGToLLVM::compileNode):
2784         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2785
2786 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2787
2788         fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
2789         https://bugs.webkit.org/show_bug.cgi?id=118946
2790
2791         Reviewed by Geoffrey Garen.
2792         
2793         We want to decouple the exit target code origin of a node from the code origin
2794         for all other purposes. The purposes of code origins are:
2795         
2796         - Where the node will exit, if it exits. The exit target should be consistent with
2797           the surrounding nodes, in that if you just looked at the code origins of nodes in
2798           the graph, they would be consistent with the code origins in bytecode. This is
2799           necessary for live-at-bytecode analyses to work, and to preserve the original
2800           bytecode semantics when exiting.
2801         
2802         - What kind of code the node came from, for semantics thingies. For example, we
2803           might use the code origin to find the node's global object for doing an original
2804           array check. Or we might use it to determine if the code is in strict mode. Or
2805           other similar things. When we use the code origin in this way, we're basically
2806           using it as a way of describing the node's meta-data without putting it into the
2807           node directly, to save space. In the absurd extreme you could imagine nodes not
2808           even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
2809           what bytecode the node originated from. We won't do that, but you can think of
2810           this use of code origins as just a way of compressing meta-data.
2811         
2812         - What code origin we should supply profiling to, if we exit. This is closely
2813           related to the semantics thingies, in that the exit profiling is a persistent
2814           kind of semantic meta-data that survives between recompiles, and the only way to
2815           do that is to ascribe it to the original bytecode via the code origin.
2816         
2817         If we hoist a node, we need to change the exit target code origin, but we must not
2818         change the code origin for other purposes. The best way to do this is to decouple
2819         the two kinds of code origin.
2820         
2821         OSR exit data structures already do this, because they may edit the exit target
2822         code origin while keeping the code origin for profiling intact. This happens for
2823         forward exits. So, we just need to thread separation all the way back to DFG::Node.
2824         That's what this patch does.
2825
2826         * dfg/DFGNode.h:
2827         (JSC::DFG::Node::Node):
2828         (Node):
2829         * dfg/DFGOSRExit.cpp:
2830         (JSC::DFG::OSRExit::OSRExit):
2831         * dfg/DFGOSRExitBase.h:
2832         (JSC::DFG::OSRExitBase::OSRExitBase):
2833         * dfg/DFGSpeculativeJIT.cpp:
2834         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2835         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2836         * dfg/DFGSpeculativeJIT.h:
2837         (SpeculativeJIT):
2838         * ftl/FTLLowerDFGToLLVM.cpp:
2839         (JSC::FTL::LowerDFGToLLVM::compileNode):
2840         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2841         (LowerDFGToLLVM):
2842         * ftl/FTLOSRExit.cpp:
2843         (JSC::FTL::OSRExit::OSRExit):
2844         * ftl/FTLOSRExit.h:
2845         (OSRExit):
2846
2847 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
2848
2849         fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
2850         https://bugs.webkit.org/show_bug.cgi?id=118866
2851
2852         Reviewed by Sam Weinig.
2853         
2854         Adds a safeToExecute() method that takes a node and an abstract state and tells you
2855         if the node will run without crashing under that state.
2856
2857         * JavaScriptCore.xcodeproj/project.pbxproj:
2858         * bytecode/CodeBlock.cpp:
2859         (JSC::CodeBlock::CodeBlock):
2860         * dfg/DFGCFAPhase.cpp:
2861         (CFAPhase):
2862         (JSC::DFG::CFAPhase::CFAPhase):
2863         (JSC::DFG::CFAPhase::run):
2864         (JSC::DFG::CFAPhase::performBlockCFA):
2865         (JSC::DFG::CFAPhase::performForwardCFA):
2866         * dfg/DFGSafeToExecute.h: Added.
2867         (DFG):
2868         (SafeToExecuteEdge):
2869         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2870         (JSC::DFG::SafeToExecuteEdge::operator()):
2871         (JSC::DFG::SafeToExecuteEdge::result):
2872         (JSC::DFG::safeToExecute):
2873         * dfg/DFGStructureAbstractValue.h:
2874         (JSC::DFG::StructureAbstractValue::isValidOffset):
2875         (StructureAbstractValue):
2876         * runtime/Options.h:
2877         (JSC):
2878
2879 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
2880
2881         fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
2882         https://bugs.webkit.org/show_bug.cgi?id=118948
2883
2884         Reviewed by Sam Weinig.
2885         
2886         - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
2887           This allows doing "what if" experiments with IR generation, even if the generated IR
2888           can't yet execute.
2889         
2890         - Add an OSR exit path that just calls an intrinsic that combines the branch and the
2891           off-ramp.
2892
2893         * JavaScriptCore.xcodeproj/project.pbxproj:
2894         * dfg/DFGPlan.cpp:
2895         (JSC::DFG::Plan::compileInThreadImpl):
2896         * ftl/FTLFail.cpp: Added.
2897         (FTL):
2898         (JSC::FTL::fail):
2899         * ftl/FTLFail.h: Added.
2900         (FTL):
2901         * ftl/FTLIntrinsicRepository.h:
2902         (FTL):
2903         * ftl/FTLLowerDFGToLLVM.cpp:
2904         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2905         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
2906         * runtime/Options.h:
2907         (JSC):
2908
2909 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2910
2911         fourthTier: StringObjectUse uses structures, and CSE should know that
2912         https://bugs.webkit.org/show_bug.cgi?id=118940
2913
2914         Reviewed by Geoffrey Garen.
2915         
2916         This is asymptomatic right now, but we should fix it.
2917
2918         * JavaScriptCore.xcodeproj/project.pbxproj:
2919         * dfg/DFGCSEPhase.cpp:
2920         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2921         * dfg/DFGEdgeUsesStructure.h: Added.
2922         (DFG):
2923         (EdgeUsesStructure):
2924         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
2925         (JSC::DFG::EdgeUsesStructure::operator()):
2926         (JSC::DFG::EdgeUsesStructure::result):
2927         (JSC::DFG::edgesUseStructure):
2928         * dfg/DFGUseKind.h:
2929         (DFG):
2930         (JSC::DFG::usesStructure):
2931
2932 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2933
2934         fourthTier: String GetByVal out-of-bounds handling is so wrong
2935         https://bugs.webkit.org/show_bug.cgi?id=118935
2936
2937         Reviewed by Geoffrey Garen.
2938         
2939         Bunch of String GetByVal out-of-bounds fixes:
2940         
2941         - Even if the string proto chain is sane, we need to watch out for negative
2942           indices. They may get values or call getters in the prototypes, since proto
2943           sanity doesn't check for negative indexed properties, as they are not
2944           technically indexed properties.
2945         
2946         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
2947           given this information.
2948         
2949         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
2950           given this information.
2951         
2952         Also fixed some other things:
2953         
2954         - If the DFG is disabled, the testRunner should pretend that we've done a
2955           bunch of DFG compiles. That's necessary to prevent the tests from timing
2956           out.
2957         
2958         - Disassembler shouldn't try to dump source code since it's not safe in the
2959           concurrent JIT.
2960
2961         * API/JSCTestRunnerUtils.cpp:
2962         (JSC::numberOfDFGCompiles):
2963         * JavaScriptCore.xcodeproj/project.pbxproj:
2964         * dfg/DFGAbstractInterpreterInlines.h:
2965         (JSC::DFG::::executeEffects):
2966         * dfg/DFGDisassembler.cpp:
2967         (JSC::DFG::Disassembler::dumpHeader):
2968         * dfg/DFGGraph.h:
2969         (JSC::DFG::Graph::byValIsPure):
2970         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
2971         (DFG):
2972         (SaneStringGetByValSlowPathGenerator):
2973         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
2974         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
2975         * dfg/DFGSpeculativeJIT.cpp:
2976         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2977
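The first bullet of the entry above (negative indices slip past a prototype-chain sanity check that only looks at indexed properties) can be observed from plain JavaScript. The block below is an added illustration, not WebKit code: it installs a constructed getter on String.prototype under a chosen name, reads the string at that index, and reports whether the getter ran and whether the name counts as an array index at all. The helper names (isArrayIndex, probeIndex) are this example's own.

```javascript
// Added example (not WebKit code). Shows why a string element read with an
// out-of-bounds index is not a pure operation: the lookup falls through to
// String.prototype, where an accessor can run arbitrary code. A negative
// index is not an "array index" at all, so a sanity check that only inspects
// indexed properties on the prototype chain would not notice it.

// Mirrors the spec's notion of an array index: a canonical numeric string
// for an integer in [0, 2^32 - 2]. Negative numbers never qualify.
function isArrayIndex(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < 2 ** 32 - 1 && String(n) === key;
}

// Installs a getter named String(index) on String.prototype (constructed
// sample), reads str[index], and reports whether the getter ran. The getter
// is removed again in the finally block so the probe leaves no trace.
function probeIndex(str, index) {
  const key = String(index);
  const log = [];
  Object.defineProperty(String.prototype, key, {
    configurable: true,
    get() {
      log.push(`prototype getter for "${key}" ran`);
      return 'from-proto';
    },
  });
  try {
    const value = str[index];
    return { value, getterRan: log.length > 0, isIndexed: isArrayIndex(key) };
  } finally {
    delete String.prototype[key];
  }
}
```

Running probeIndex("abc", 3) shows a positive out-of-bounds read reaching the getter through an indexed property, which a prototype sanity check would flag; probeIndex("abc", -1) also reaches the getter, but "-1" is not an indexed property, so a check limited to indexed properties would still report the chain as sane. Either way the read has an observable side effect, which is why CSE and CFA must treat the out-of-bounds path as clobbering the world.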
2978 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2979
2980         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
2981         https://bugs.webkit.org/show_bug.cgi?id=118911
2982
2983         Reviewed by Geoffrey Garen.
2984         
2985         We could also have a separate method like "willNotCrash(offset)", but that's not
2986         what isValidOffset() is intended to mean.
2987
2988         * runtime/Structure.h:
2989         (JSC::Structure::isValidOffset):
2990
2991 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2992
2993         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
2994         https://bugs.webkit.org/show_bug.cgi?id=118878
2995
2996         Reviewed by Oliver Hunt.
2997         
2998         - Change Structure::isValidOffset() to actually answer the question "If I attempted
2999           to load from an object of this structure, at this offset, would I commit suicide
3000           or would I get back some kind of value?"
3001         
3002         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
3003           way from the start.
3004         
3005         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
3006         
3007         - Make GetByOffset also reference the base object in addition to the butterfly.
3008         
3009         The future use of this power will be to answer questions like "If I hoisted this
3010         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
3011         fine?"
3012         
3013         I don't currently plan to use this power to perform validation, since the CSE has
3014         the power to eliminate CheckStructures that the CFA wouldn't be smart enough to
3015         remove - both in the case of StructureSets where size >= 2 and in the case of
3016         CheckStructures that match across PutStructures. At first I tried to write a
3017         validator that was aware of this, but the validation code got way too complicated
3018         and I started having nightmares of spurious assertion bugs being filed against me.
3019         
3020         This also changes some of the code for how we hash FunctionExecutables for debug
3021         dumps, since that code still had some thread-safety issues. Basically, the
3022         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
3023         that could transitively try to compute the hash from the source code. The source
3024         code is a string that may be lazily computed, and that involves all manner of thread
3025         unsafe things.
3026
3027         * bytecode/CodeOrigin.cpp:
3028         (JSC::InlineCallFrame::hash):
3029         * dfg/DFGAbstractInterpreterInlines.h:
3030         (JSC::DFG::::executeEffects):
3031         * dfg/DFGByteCodeParser.cpp:
3032         (JSC::DFG::ByteCodeParser::handleGetByOffset):
3033         (JSC::DFG::ByteCodeParser::handlePutByOffset):
3034         (JSC::DFG::ByteCodeParser::parseBlock):
3035         * dfg/DFGCFAPhase.cpp:
3036         (JSC::DFG::CFAPhase::performBlockCFA):
3037         * dfg/DFGConstantFoldingPhase.cpp:
3038         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3039         * dfg/DFGFixupPhase.cpp:
3040         (JSC::DFG::FixupPhase::fixupNode):
3041         * dfg/DFGGraph.h:
3042         (StorageAccessData):
3043         * dfg/DFGNode.h:
3044         (JSC::DFG::Node::convertToGetByOffset):
3045         * dfg/DFGSpeculativeJIT64.cpp:
3046         (JSC::DFG::SpeculativeJIT::compile):
3047         * ftl/FTLLowerDFGToLLVM.cpp:
3048         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3049         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
3050         * runtime/FunctionExecutableDump.cpp:
3051         (JSC::FunctionExecutableDump::dump):
3052         * runtime/Structure.h:
3053         (Structure):
3054         (JSC::Structure::isValidOffset):
3055
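The safeToExecute() entry (2013-07-20) and the two isValidOffset() entries above describe the same question from two sides: a node is safe to run under an abstract state only if every structure the base object may have can be loaded at the requested offset. The block below is an added toy model of that reasoning, not JavaScriptCore's own code: Structure, the abstract state (a Map from node name to a Set of structures), and the node objects are simplified stand-ins, and executeCheckStructure is this example's own sketch of how a structure check narrows the state so a later GetByOffset becomes provably safe.

```javascript
// Added example (not JavaScriptCore code): a toy model of the safeToExecute()
// idea. An abstract state maps a node name to the set of Structures it may
// have; a Structure knows which property offsets hold a value. A GetByOffset
// is safe to execute under a state only if every structure the base may have
// says the offset is valid, which is the question isValidOffset() answers.

class Structure {
  constructor(name, propertyCount) {
    this.name = name;
    this.propertyCount = propertyCount; // offsets 0 .. propertyCount-1 hold values
  }
  // "If I loaded from an object of this structure at this offset, would I get
  // back some kind of value?"
  isValidOffset(offset) {
    return Number.isInteger(offset) && offset >= 0 && offset < this.propertyCount;
  }
}

// state: Map<nodeName, Set<Structure>>. A missing entry means "unknown".
function safeToExecute(node, state) {
  switch (node.op) {
    case 'GetByOffset': {
      const structures = state.get(node.base);
      if (!structures || structures.size === 0) return false; // nothing can be proven
      for (const s of structures) {
        if (!s.isValidOffset(node.offset)) return false;
      }
      return true;
    }
    case 'CheckStructure':
      // A check never crashes: it exits to baseline if the structure is wrong.
      return true;
    default:
      return false; // unmodelled op: treat as unsafe
  }
}

// Abstract execution of CheckStructure: afterwards the base can only have one
// of the checked structures, so later queries see the narrowed set.
function executeCheckStructure(node, state) {
  const allowed = new Set(node.structures);
  const current = state.get(node.base);
  const narrowed = current ? new Set([...current].filter((s) => allowed.has(s))) : allowed;
  state.set(node.base, narrowed);
  return narrowed;
}

const STRUCTURE_A = new Structure('A', 3); // offsets 0, 1, 2 are valid
const STRUCTURE_B = new Structure('B', 2); // offsets 0, 1 are valid

// Before the check, the load at offset 2 might hit a B and read garbage; after
// the check filters the state down to A, the same load is safe.
function demo() {
  const state = new Map([['obj', new Set([STRUCTURE_A, STRUCTURE_B])]]);
  const load = { op: 'GetByOffset', base: 'obj', offset: 2 };
  const beforeCheck = safeToExecute(load, state);
  executeCheckStructure({ op: 'CheckStructure', base: 'obj', structures: [STRUCTURE_A] }, state);
  const afterCheck = safeToExecute(load, state);
  return { beforeCheck, afterCheck };
}
```

The demo is the hoisting question the entry poses: moving the load above the CheckStructure would evaluate it under the wider state, where the answer is "not safe", while keeping it below the check keeps it safe. The empty-set case is deliberately reported as unsafe; an unreachable state proves nothing about where the node would land if it were moved.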
3056 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3057
3058         fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
3059         https://bugs.webkit.org/show_bug.cgi?id=118880
3060
3061         Reviewed by Sam Weinig.
3062         
3063         It should be possible to have an AbstractState that is backed by a HashMap. But to
3064         do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
3065         the map, since otherwise the idiom of getting a reference to the AbstractValue
3066         returned by forNode() would cause really subtle memory corruption bugs.
3067
3068         * dfg/DFGAbstractInterpreterInlines.h:
3069         (JSC::DFG::::executeEffects):
3070         * dfg/DFGInPlaceAbstractState.h:
3071         (JSC::DFG::InPlaceAbstractState::createValueForNode):
3072         (InPlaceAbstractState):
3073
3074 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3075
3076         fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
3077         https://bugs.webkit.org/show_bug.cgi?id=118835
3078
3079         Reviewed by Oliver Hunt.
3080         
3081         This separates AbstractState into two things:
3082         
3083         - InPlaceAbstractState, which can tell you the abstract state of anything you
3084           might care about, and uses the old AbstractState's algorithms and data
3085           structures for doing so.
3086         
3087         - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
3088           respect to an AbstractStateType. Currently we always use
3089         AbstractStateType = InPlaceAbstractState. But we could drop in another
3090           class that supports basic primitives like forNode() and variables().
3091         
3092         This is important because:
3093         
3094         - We want to hoist things out of loops.
3095
3096         - We don't know what things rely on what type checks.
3097
3098         - We only want to hoist type checks out of loops if they aren't clobbered.
3099
3100         - We may want to still hoist things that depended on those type checks, if it's
3101           safe to do those things based on the CFA state at the tail of the loop
3102           pre-header.
3103
3104         - We don't want things to rely on their type checks by way of a token, because
3105           that's just weird.
3106
3107         So, we want to be able to have a special form of the CFA that can
3108         incrementally update a basic block's state-at-tail, and we want to be able to
3109         do this for multiple blocks simultaneously. This requires *not* storing the
3110         per-node state in the nodes themselves, but instead using the at-tail HashMap
3111         directly.
3112
3113         Hence we need to have a way of making the abstract interpreter (i.e.
3114         AbstractState::execute) polymorphic with respect to state representation. Put
3115         another way, we need to separate the way that abstract state is represented
3116         from the way DFG IR is abstractly interpreted.
3117
3118         * JavaScriptCore.xcodeproj/project.pbxproj:
3119         * dfg/DFGAbstractInterpreter.h: Added.
3120         (DFG):
3121         (AbstractInterpreter):
3122         (JSC::DFG::AbstractInterpreter::forNode):
3123         (JSC::DFG::AbstractInterpreter::variables):
3124         (JSC::DFG::AbstractInterpreter::needsTypeCheck):
3125         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
3126         (JSC::DFG::AbstractInterpreter::filter):
3127         (JSC::DFG::AbstractInterpreter::filterArrayModes):
3128         (JSC::DFG::AbstractInterpreter::filterByValue):
3129         (JSC::DFG::AbstractInterpreter::trySetConstant):
3130         (JSC::DFG::AbstractInterpreter::filterByType):
3131         * dfg/DFGAbstractInterpreterInlines.h: Added.
3132         (DFG):
3133         (JSC::DFG::::AbstractInterpreter):
3134         (JSC::DFG::::~AbstractInterpreter):
3135         (JSC::DFG::::booleanResult):
3136         (JSC::DFG::::startExecuting):
3137         (JSC::DFG::::executeEdges):
3138         (JSC::DFG::::verifyEdge):
3139         (JSC::DFG::::verifyEdges):
3140         (JSC::DFG::::executeEffects):
3141         (JSC::DFG::::execute):
3142         (JSC::DFG::::clobberWorld):
3143         (JSC::DFG::::clobberCapturedVars):
3144         (JSC::DFG::::clobberStructures):
3145         (JSC::DFG::::dump):
3146         (JSC::DFG::::filter):
3147         (JSC::DFG::::filterArrayModes):
3148         (JSC::DFG::::filterByValue):
3149         * dfg/DFGAbstractState.cpp: Removed.
3150         * dfg/DFGAbstractState.h: Removed.
3151         * dfg/DFGArgumentsSimplificationPhase.cpp:
3152         * dfg/DFGCFAPhase.cpp:
3153         (JSC::DFG::CFAPhase::CFAPhase):
3154         (JSC::DFG::CFAPhase::performBlockCFA):
3155         (CFAPhase):
3156         * dfg/DFGCFGSimplificationPhase.cpp:
3157         * dfg/DFGConstantFoldingPhase.cpp:
3158         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
3159         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3160         (ConstantFoldingPhase):
3161         * dfg/DFGInPlaceAbstractState.cpp: Added.
3162         (DFG):
3163         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
3164         (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
3165         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3166         (JSC::DFG::setLiveValues):
3167         (JSC::DFG::InPlaceAbstractState::initialize):
3168         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3169         (JSC::DFG::InPlaceAbstractState::reset):
3170         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3171         (JSC::DFG::InPlaceAbstractState::merge):
3172         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3173         (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
3174         * dfg/DFGInPlaceAbstractState.h: Added.
3175         (DFG):
3176         (InPlaceAbstractState):
3177         (JSC::DFG::InPlaceAbstractState::forNode):
3178         (JSC::DFG::InPlaceAbstractState::variables):
3179         (JSC::DFG::InPlaceAbstractState::block):
3180         (JSC::DFG::InPlaceAbstractState::didClobber):
3181         (JSC::DFG::InPlaceAbstractState::isValid):
3182         (JSC::DFG::InPlaceAbstractState::setDidClobber):
3183         (JSC::DFG::InPlaceAbstractState::setIsValid):
3184         (JSC::DFG::InPlaceAbstractState::setBranchDirection):
3185         (JSC::DFG::InPlaceAbstractState::setFoundConstants):
3186         (JSC::DFG::InPlaceAbstractState::haveStructures):
3187         (JSC::DFG::InPlaceAbstractState::setHaveStructures):
3188         * dfg/DFGMergeMode.h: Added.
3189         (DFG):
3190         * dfg/DFGSpeculativeJIT.cpp:
3191         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3192         (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
3193         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3194         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3195         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
3196         (JSC::DFG::SpeculativeJIT::speculateStringObject):
3197         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
3198         * dfg/DFGSpeculativeJIT.h:
3199         (JSC::DFG::SpeculativeJIT::needsTypeCheck):
3200         (SpeculativeJIT):
3201         * dfg/DFGSpeculativeJIT32_64.cpp:
3202         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3203         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3204         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3205         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3206         * dfg/DFGSpeculativeJIT64.cpp:
3207         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3208         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3209         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3210         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3211         * ftl/FTLLowerDFGToLLVM.cpp:
3212         (FTL):
3213         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3214         (JSC::FTL::LowerDFGToLLVM::compileNode):
3215         (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
3216         (JSC::FTL::LowerDFGToLLVM::speculate):
3217         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3218         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
3219         (LowerDFGToLLVM):
3220
3221 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3222
3223         fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
3224         https://bugs.webkit.org/show_bug.cgi?id=118867
3225
3226         Reviewed by Mark Hahnenberg.
3227         
3228         This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
3229         ArrayProfile.
3230
3231         It also makes it easier to ask any array-using node how to create its type check.
3232         
3233         Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
3234         an array profile, thinking that it was storing into a value profile. Reshuffling the
3235         fields in ArrayProfile revealed this.
3236
3237         * bytecode/ArrayProfile.cpp:
3238         (JSC::ArrayProfile::computeUpdatedPrediction):
3239         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3240         * bytecode/ArrayProfile.h:
3241         (JSC::ArrayProfile::ArrayProfile):
3242         (ArrayProfile):
3243         * bytecode/CodeBlock.cpp:
3244         (JSC::CodeBlock::updateAllArrayPredictions):
3245         (JSC::CodeBlock::updateAllPredictions):
3246         * bytecode/CodeBlock.h:
3247         (CodeBlock):
3248         (JSC::CodeBlock::updateAllArrayPredictions):
3249         * dfg/DFGArrayMode.h:
3250         (ArrayMode):
3251         * dfg/DFGByteCodeParser.cpp:
3252         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
3253         (JSC::DFG::ByteCodeParser::parseBlock):
3254         * dfg/DFGFixupPhase.cpp:
3255         (JSC::DFG::FixupPhase::fixupNode):
3256         (FixupPhase):
3257         (JSC::DFG::FixupPhase::checkArray):
3258         (JSC::DFG::FixupPhase::blessArrayOperation):
3259         * llint/LowLevelInterpreter64.asm:
3260
3261 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3262
3263         fourthTier: CFA should consider live-at-head for clobbering and dumping
3264         https://bugs.webkit.org/show_bug.cgi?id=118857
3265
3266         Reviewed by Mark Hahnenberg.
3267         
3268         - clobberStructures() was not considering nodes live-at-head when in SSA
3269           form. This means it would fail to clobber some structures.
3270         
3271         - dump() was not considering nodes live-at-head when in SSA form. This
3272           means it wouldn't dump everything that you might be interested in.
3273         
3274         - AbstractState::m_currentNode is a useless variable and we should get
3275           rid of it.
3276
3277         * dfg/DFGAbstractState.cpp:
3278         (JSC::DFG::AbstractState::AbstractState):
3279         (JSC::DFG::AbstractState::beginBasicBlock):
3280         (JSC::DFG::AbstractState::reset):
3281         (JSC::DFG::AbstractState::startExecuting):
3282         (JSC::DFG::AbstractState::clobberStructures):
3283         (JSC::DFG::AbstractState::dump):
3284         * dfg/DFGAbstractState.h:
3285         (AbstractState):
3286
3287 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3288
3289         fourthTier: Add a phase to create loop pre-headers
3290         https://bugs.webkit.org/show_bug.cgi?id=118778
3291
3292         Reviewed by Oliver Hunt.
3293         
3294         Add a loop pre-header creation phase. Any loop that doesn't already have
3295         just one predecessor that isn't part of the loop has a pre-header
3296         prepended. All non-loop predecessors then jump to that pre-header.
3297         
3298         Also fix a handful of bugs:
3299         
3300         - DFG::Analysis should set m_valid before running the analysis, since that
3301           makes it easier to use ASSERT(m_valid) in the analysis' methods, which
3302           may be called by the analysis before the analysis completes. NaturalLoops
3303           does this with loopsOf().
3304         
3305         - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
3306           returning 0, since that'll happen if the block isn't in any loop.
3307         
3308         - Change BlockInsertionSet to dethread the graph, since anyone using it
3309           will want to do so.
3310         
3311         - Change dethreading to ignore SSA form graphs.
3312         
3313         This also adds NaturalLoops::belongsTo(), which I always used in the
3314         pre-header creation phase. I didn't end up using it but I'll probably use
3315         it in the near future.
3316         
3317         * JavaScriptCore.xcodeproj/project.pbxproj:
3318         * dfg/DFGAnalysis.h:
3319         (JSC::DFG::Analysis::computeIfNecessary):
3320         * dfg/DFGBlockInsertionSet.cpp:
3321         (JSC::DFG::BlockInsertionSet::execute):
3322         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3323         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3324         * dfg/DFGGraph.cpp:
3325         (JSC::DFG::Graph::dethread):
3326         * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
3327         (DFG):
3328         (LoopPreHeaderCreationPhase):
3329         (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
3330         (JSC::DFG::LoopPreHeaderCreationPhase::run):
3331         (JSC::DFG::performLoopPreHeaderCreation):
3332         * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
3333         (DFG):
3334         * dfg/DFGNaturalLoops.h:
3335         (NaturalLoop):
3336         (JSC::DFG::NaturalLoops::headerOf):
3337         (JSC::DFG::NaturalLoops::innerMostLoopOf):
3338         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
3339         (JSC::DFG::NaturalLoops::belongsTo):
3340         (NaturalLoops):
3341         * dfg/DFGPlan.cpp:
3342         (JSC::DFG::Plan::compileInThreadImpl):
3343
3344 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3345
3346         fourthTier: Rationalize Node::replacement
3347         https://bugs.webkit.org/show_bug.cgi?id=118774
3348
3349         Reviewed by Oliver Hunt.
3350         
3351         - Clearing of replacements is now done in Graph::clearReplacements().
3352         
3353         - New nodes now have replacement set to 0.
3354         
3355         - Node::replacement is now part of a 'misc' union. I'll be putting at least
3356           one other field into that union as part of LICM work (see
3357           https://bugs.webkit.org/show_bug.cgi?id=118749).
3358
3359         * dfg/DFGCPSRethreadingPhase.cpp:
3360         (JSC::DFG::CPSRethreadingPhase::run):
3361         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3362         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3363         * dfg/DFGCSEPhase.cpp:
3364         (JSC::DFG::CSEPhase::run):
3365         (JSC::DFG::CSEPhase::setReplacement):
3366         (JSC::DFG::CSEPhase::performBlockCSE):
3367         * dfg/DFGGraph.cpp:
3368         (DFG):
3369         (JSC::DFG::Graph::clearReplacements):
3370         * dfg/DFGGraph.h:
3371         (JSC::DFG::Graph::performSubstitutionForEdge):
3372         (Graph):
3373         * dfg/DFGNode.h:
3374         (JSC::DFG::Node::Node):
3375         * dfg/DFGSSAConversionPhase.cpp:
3376         (JSC::DFG::SSAConversionPhase::run):
3377
3378 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3379
3380         fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
3381         https://bugs.webkit.org/show_bug.cgi?id=118750
3382
3383         Reviewed by Mark Hahnenberg.
3384
3385         * dfg/DFGBasicBlock.h:
3386         (BasicBlock):
3387         * dfg/DFGNaturalLoops.cpp:
3388         (JSC::DFG::NaturalLoops::compute):
3389         (JSC::DFG::NaturalLoops::loopsOf):
3390         * dfg/DFGNaturalLoops.h:
3391         (DFG):
3392         (JSC::DFG::NaturalLoop::NaturalLoop):
3393         (NaturalLoop):
3394         (JSC::DFG::NaturalLoop::index):
3395         (JSC::DFG::NaturalLoop::isOuterMostLoop):
3396         (JSC::DFG::NaturalLoop::addBlock):
3397         (JSC::DFG::NaturalLoops::headerOf):
3398         (JSC::DFG::NaturalLoops::innerMostLoopOf):