4f45d405e56add4dbf7e697261fca069c5192ba1
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-10-21  Simon Hausmann  <simon.hausmann@nokia.com>

        Remove QtScript source code from WebKit.
        https://bugs.webkit.org/show_bug.cgi?id=64088

        Reviewed by Tor Arne Vestbø.

        Removed dead code that isn't developed anymore.

        * JavaScriptCore.gypi:
        * JavaScriptCore.pri:
        * qt/api/QtScript.pro: Removed.
        * qt/api/qscriptconverter_p.h: Removed.
        * qt/api/qscriptengine.cpp: Removed.
        * qt/api/qscriptengine.h: Removed.
        * qt/api/qscriptengine_p.cpp: Removed.
        * qt/api/qscriptengine_p.h: Removed.
        * qt/api/qscriptfunction.cpp: Removed.
        * qt/api/qscriptfunction_p.h: Removed.
        * qt/api/qscriptoriginalglobalobject_p.h: Removed.
        * qt/api/qscriptprogram.cpp: Removed.
        * qt/api/qscriptprogram.h: Removed.
        * qt/api/qscriptprogram_p.h: Removed.
        * qt/api/qscriptstring.cpp: Removed.
        * qt/api/qscriptstring.h: Removed.
        * qt/api/qscriptstring_p.h: Removed.
        * qt/api/qscriptsyntaxcheckresult.cpp: Removed.
        * qt/api/qscriptsyntaxcheckresult.h: Removed.
        * qt/api/qscriptsyntaxcheckresult_p.h: Removed.
        * qt/api/qscriptvalue.cpp: Removed.
        * qt/api/qscriptvalue.h: Removed.
        * qt/api/qscriptvalue_p.h: Removed.
        * qt/api/qscriptvalueiterator.cpp: Removed.
        * qt/api/qscriptvalueiterator.h: Removed.
        * qt/api/qscriptvalueiterator_p.h: Removed.
        * qt/api/qtscriptglobal.h: Removed.
        * qt/benchmarks/benchmarks.pri: Removed.
        * qt/benchmarks/benchmarks.pro: Removed.
        * qt/benchmarks/qscriptengine/qscriptengine.pro: Removed.
        * qt/benchmarks/qscriptengine/tst_qscriptengine.cpp: Removed.
        * qt/benchmarks/qscriptvalue/qscriptvalue.pro: Removed.
        * qt/benchmarks/qscriptvalue/tst_qscriptvalue.cpp: Removed.
        * qt/tests/qscriptengine/qscriptengine.pro: Removed.
        * qt/tests/qscriptengine/tst_qscriptengine.cpp: Removed.
        * qt/tests/qscriptstring/qscriptstring.pro: Removed.
        * qt/tests/qscriptstring/tst_qscriptstring.cpp: Removed.
        * qt/tests/qscriptvalue/qscriptvalue.pro: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue.h: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_comparison.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_init.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_istype.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_totype.cpp: Removed.
        * qt/tests/qscriptvalueiterator/qscriptvalueiterator.pro: Removed.
        * qt/tests/qscriptvalueiterator/tst_qscriptvalueiterator.cpp: Removed.
        * qt/tests/tests.pri: Removed.
        * qt/tests/tests.pro: Removed.

2011-10-21  Zheng Liu  <zheng.z.liu@intel.com>

        bytecompiler sometimes generates incorrect bytecode for put_by_id
        https://bugs.webkit.org/show_bug.cgi?id=70403

        Reviewed by Filip Pizlo.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::AssignDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):

2011-10-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should not try to predict argument types by looking at the values of
        argument registers at the time of compilation
        https://bugs.webkit.org/show_bug.cgi?id=70578

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):

2011-10-20  Filip Pizlo  <fpizlo@apple.com>

        DFG call optimization handling will fail if the call had been unlinked due
        to the callee being optimized
        https://bugs.webkit.org/show_bug.cgi?id=70468

        Reviewed by Geoff Garen.

        If a call had ever been linked, we remember this fact as well as the function
        to which it was linked even if unlinkIncomingCalls() or unlinkCalls() are
        called.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):

2011-10-20  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - Fix ByteArray speculation
        https://bugs.webkit.org/show_bug.cgi?id=70571

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-20  Vincent Scheib  <scheib@chromium.org>

        MouseLock compile and run time flags.
        https://bugs.webkit.org/show_bug.cgi?id=70530

        Reviewed by Darin Fisher.

        * wtf/Platform.h:

2011-10-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename static deleteProperty to deletePropertyByIndex
        https://bugs.webkit.org/show_bug.cgi?id=70257

        Reviewed by Geoffrey Garen.

        Renaming versions of deleteProperty that use an unsigned as the property
        name to "deletePropertyByIndex" in preparation for adding them to the
        MethodTable, which requires unique names for each method.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::deletePropertyVirtual):
        (JSC::::deletePropertyByIndex):
        * runtime/Arguments.cpp:
        (JSC::Arguments::deletePropertyVirtual):
        (JSC::Arguments::deletePropertyByIndex):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::deletePropertyVirtual):
        (JSC::JSArray::deletePropertyByIndex):
        * runtime/JSArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::deletePropertyVirtual):
        (JSC::JSCell::deletePropertyByIndex):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::deletePropertyVirtual):
        (JSC::JSNotAnObject::deletePropertyByIndex):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::deletePropertyVirtual):
        (JSC::JSObject::deletePropertyByIndex):
        * runtime/JSObject.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::deletePropertyVirtual):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):

2011-10-20  Filip Pizlo  <fpizlo@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=70482
        DFG-related stubs in the old JIT should not be built if the DFG is disabled

        Reviewed by Zoltan Herczeg.

        Aiming for a slight code size/build time reduction if the DFG is not in
        play. This should also make further DFG development slightly easier since
        the bodies of these JIT stubs can now safely refer to things that are only
        declared when the DFG is enabled.

        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2011-10-19  Filip Pizlo  <fpizlo@apple.com>

        DFG ConvertThis emits slow code when the source node is known to be,
        but not predicted to be, a final object
        https://bugs.webkit.org/show_bug.cgi?id=70466

        Reviewed by Oliver Hunt.

        Added a new case in ConvertThis compilation.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-19  Filip Pizlo  <fpizlo@apple.com>

        Optimization triggers in the old JIT may sometimes fire repeatedly even
        though there is no optimization to be done
        https://bugs.webkit.org/show_bug.cgi?id=70467

        Reviewed by Oliver Hunt.

        If optimize_from_ret does nothing, it delays the next optimization trigger.
        This is performance-neutral.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):

2011-10-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - remove unnecessary double unboxings in fillDouble/fillSpeculateDouble
        https://bugs.webkit.org/show_bug.cgi?id=70460

        Reviewed by Filip Pizlo.

        As pointed out by Gavin in bug #70418, when a value is already in memory
        we can avoid loading it to two GPRs at first and then unboxing them to a FPR.
        This gives a 9% improvement on Kraken without the change in bug #70418,
        and 1% when based on the code with the bug #70418 change.
        Performance is neutral in V8 and SunSpider.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-10-19  Gavin Barraclough  <barraclough@apple.com>

        Poisoning of strict caller,arguments inappropriately poisoning "in"
        https://bugs.webkit.org/show_bug.cgi?id=63398

        Reviewed by Oliver Hunt.

        This fixes the problem by correctly implementing the spec -
        the error should actually be being thrown from a standard JS getter/setter.
        This implements spec correct behaviour for strict mode JS functions & bound
        functions, I'll follow up with a patch to do the same for arguments.

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
            - Add the poisoned caller/arguments properties.
        * runtime/JSBoundFunction.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::put):
            - If the caller/arguments are accessed on a strict mode function, lazily add the ThrowTypeError getter.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
            - Add a ThrowTypeError type, per ES5 13.2.3.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncThrowTypeError):
        * runtime/JSGlobalObjectFunctions.h:
            - Implementation of ThrowTypeError.
        * runtime/JSObject.cpp:
        (JSC::JSObject::initializeGetterSetterProperty):
        * runtime/JSObject.h:
            - This function adds a new property (must not exist already) that is an initialized getter/setter.
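
        The behaviour the entry above implements (ES5 13.2.3 ThrowTypeError) is
        observable from script. The following is an added example written for this
        page, not JavaScriptCore code and not code from the entry's author: testing
        for "caller" or "arguments" with the in operator must not throw, whereas
        reading or writing them on a strict-mode function or a bound function must
        throw a TypeError from the poisoned getter/setter. The helper name
        probeRestrictedProperty and the three sample functions are assumptions of
        this example; run it under any current ES5+ engine (for example Node.js).

```javascript
// Added example (not JavaScriptCore code). Probes one of the restricted
// function properties ("caller" / "arguments") the way the bug report does:
// a presence check must stay side-effect free, a [[Get]] or [[Put]] must
// throw. The helper and sample functions are this example's own.

function probeRestrictedProperty(fn, name) {
  const result = { name, present: false, readError: null, writeError: null };

  // [[HasProperty]] only looks for the property; it must never run the
  // poisoned getter, so this line must not throw (that was the bug).
  result.present = name in fn;

  try {
    void fn[name];                 // [[Get]] invokes the ThrowTypeError getter
  } catch (e) {
    result.readError = e.constructor.name;
  }

  try {
    fn[name] = 42;                 // [[Put]] invokes the ThrowTypeError setter
  } catch (e) {
    result.writeError = e.constructor.name;
  }

  return result;
}

// Sample functions (constructed for this example).
function strictFunction() { 'use strict'; return 1; }
function sloppyFunction() { return 1; }
const boundFunction = sloppyFunction.bind(null);   // bound functions are poisoned too

function runPoisoningChecks() {
  return {
    strict: probeRestrictedProperty(strictFunction, 'caller'),
    strictArguments: probeRestrictedProperty(strictFunction, 'arguments'),
    bound: probeRestrictedProperty(boundFunction, 'caller'),
  };
}

// Usage: every probe reports present === true (the in operator sees the
// property without throwing) and readError === writeError === 'TypeError'.
runPoisoningChecks();
```

        The point for a reviewer of the fix: hasProperty-style queries go through
        the descriptor/slot lookup only, so the getter must be a real accessor that
        throws when invoked, not a trap fired during lookup.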
282
283 2011-10-19  Yuqiang Xian  <yuqiang.xian@intel.com>
284
285         DFG JIT 32_64 - improve double boxing/unboxing
286         https://bugs.webkit.org/show_bug.cgi?id=70418
287
288         Reviewed by Gavin Barraclough.
289
290         Double boxing/unboxing in DFG JIT 32_64 is currently implemented inefficiently,
291         which tries to exchange data through memory.
292         On X86 some SSE instructions can help us on such operations with better performance.
293         This improves 32-bit DFG performance by 29% on Kraken, 7% on SunSpider,
294         and 2% on V8, tested on Linux X86 (Core i7 Nehalem).
295
296         * assembler/MacroAssemblerX86Common.h:
297         (JSC::MacroAssemblerX86Common::lshiftPacked):
298         (JSC::MacroAssemblerX86Common::rshiftPacked):
299         (JSC::MacroAssemblerX86Common::orPacked):
300         (JSC::MacroAssemblerX86Common::moveInt32ToPacked):
301         (JSC::MacroAssemblerX86Common::movePackedToInt32):
302         * assembler/X86Assembler.h:
303         (JSC::X86Assembler::movd_rr):
304         (JSC::X86Assembler::psllq_i8r):
305         (JSC::X86Assembler::psrlq_i8r):
306         (JSC::X86Assembler::por_rr):
307         * dfg/DFGJITCodeGenerator.h:
308         (JSC::DFG::JITCodeGenerator::boxDouble):
309         (JSC::DFG::JITCodeGenerator::unboxDouble):
310         * dfg/DFGJITCodeGenerator32_64.cpp:
311         (JSC::DFG::JITCodeGenerator::fillDouble):
312         (JSC::DFG::JITCodeGenerator::fillJSValue):
313         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
314         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
315         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
316         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
317         * dfg/DFGJITCompiler.h:
318         (JSC::DFG::JITCompiler::boxDouble):
319         (JSC::DFG::JITCompiler::unboxDouble):
320         * dfg/DFGSpeculativeJIT32_64.cpp:
321         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
322         (JSC::DFG::SpeculativeJIT::convertToDouble):
323         (JSC::DFG::SpeculativeJIT::compile):
324
325 2011-10-19  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
326
327         [EFL] Fix DSO linkage of wtf_efl.
328
329         Unreviewed build fix.
330
331         Need to add -ldl to jsc_efl (requested by dladdr).
332
333         * wtf/CMakeListsEfl.txt:
334
335 2011-10-19  Geoffrey Garen  <ggaren@apple.com>
336
337         Removed StringImplBase, fusing it into StringImpl
338         https://bugs.webkit.org/show_bug.cgi?id=70443
339
340         Reviewed by Gavin Barraclough.
341
342         * GNUmakefile.list.am:
343         * JavaScriptCore.gypi:
344         * JavaScriptCore.order:
345         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
346         * JavaScriptCore.xcodeproj/project.pbxproj:
347         * wtf/CMakeLists.txt:
348         * wtf/text/StringImpl.h:
349         (WTF::StringImpl::StringImpl):
350         (WTF::StringImpl::ref):
351         (WTF::StringImpl::length):
352         * wtf/text/StringImplBase.h: Removed.
353         * wtf/wtf.pri: Removed!
354
355 2011-10-19  Mark Hahnenberg  <mhahnenberg@apple.com>
356
357         Add getConstructData to the MethodTable
358         https://bugs.webkit.org/show_bug.cgi?id=70163
359
360         Reviewed by Geoffrey Garen.
361
362         Adding getConstructData to the MethodTable in order to be able to 
363         remove all calls to getConstructDataVirtual soon.  Part of the process 
364         of de-virtualizing JSCell.
365
366         * JavaScriptCore.exp:
367         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
368         * runtime/ClassInfo.h:
369
370 2011-10-18  Oliver Hunt  <oliver@apple.com>
371
372         Support CanvasPixelArray in the DFG
373         https://bugs.webkit.org/show_bug.cgi?id=70384
374
375         Reviewed by Filip Pizlo.
376
377         Add support for the old CanvasPixelArray optimisations to the
378         DFG.  This removes the regression seen in the DFG when using
379         a CPA.
380
381         * assembler/MacroAssemblerX86Common.h:
382         (JSC::MacroAssemblerX86Common::store8):
383         (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
384         * assembler/X86Assembler.h:
385         (JSC::X86Assembler::movb_rm):
386         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
387         * bytecode/PredictedType.cpp:
388         (JSC::predictionToString):
389         (JSC::predictionFromClassInfo):
390         * bytecode/PredictedType.h:
391         (JSC::isByteArrayPrediction):
392         * dfg/DFGAbstractState.cpp:
393         (JSC::DFG::AbstractState::initialize):
394         (JSC::DFG::AbstractState::execute):
395         * dfg/DFGNode.h:
396         (JSC::DFG::Node::shouldSpeculateByteArray):
397         * dfg/DFGPropagator.cpp:
398         (JSC::DFG::Propagator::propagateNodePredictions):
399         (JSC::DFG::Propagator::fixupNode):
400         (JSC::DFG::Propagator::performNodeCSE):
401         * dfg/DFGSpeculativeJIT.cpp:
402         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
403         (JSC::DFG::compileClampDoubleToByte):
404         (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
405         (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
406         * dfg/DFGSpeculativeJIT.h:
407         * dfg/DFGSpeculativeJIT32_64.cpp:
408         (JSC::DFG::SpeculativeJIT::compile):
409         * dfg/DFGSpeculativeJIT64.cpp:
410         (JSC::DFG::SpeculativeJIT::compile):
411         * runtime/JSByteArray.h:
412         (JSC::JSByteArray::offsetOfStorage):
413         * wtf/ByteArray.cpp:
414         * wtf/ByteArray.h:
415         (WTF::ByteArray::offsetOfSize):
416         (WTF::ByteArray::offsetOfData):
417
418 2011-10-18  Geoffrey Garen  <ggaren@apple.com>
419
420         Some rope cleanup following r97827
421         https://bugs.webkit.org/show_bug.cgi?id=70398
422
423         Reviewed by Oliver Hunt.
424
425         9% speedup on date-format-xparb, neutral overall.
426         
427         - Removed RopeImpl*.
428         - Removed JSString::m_fiberCount, since this can be deduced from other data.
429         - Renamed a jsString() variant to jsStringFromArguments for clarity.
430
431         * CMakeLists.txt:
432         * GNUmakefile.list.am:
433         * JavaScriptCore.order:
434         * JavaScriptCore.pro:
435         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
436         * JavaScriptCore.xcodeproj/project.pbxproj: Removed RopeImpl*.
437
438         * dfg/DFGSpeculativeJIT.cpp:
439         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
440         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
441         * jit/JITInlineMethods.h:
442         (JSC::JIT::emitLoadCharacterString):
443         * jit/JITPropertyAccess.cpp:
444         (JSC::JIT::stringGetByValStubGenerator):
445         * jit/JITPropertyAccess32_64.cpp:
446         (JSC::JIT::stringGetByValStubGenerator):
447         * jit/SpecializedThunkJIT.h:
448         (JSC::SpecializedThunkJIT::loadJSStringArgument):
449         * jit/ThunkGenerators.cpp:
450         (JSC::stringCharLoad): Use a NULL m_value to signal rope-iness, instead
451         of testing m_fiberCount, since m_fiberCount is gone now.
452
453         * runtime/JSString.cpp:
454         (JSC::JSString::RopeBuilder::expand):
455         (JSC::JSString::visitChildren):
456         (JSC::JSString::resolveRope):
457         (JSC::JSString::resolveRopeSlowCase):
458         (JSC::JSString::outOfMemory): Use a NULL fiber to indicate "last fiber
459         in the vector" instead of testing m_fiberCount, since m_fiberCount is gone now.
460
461         * runtime/JSString.h:
462         (JSC::RopeBuilder::JSString):
463         (JSC::RopeBuilder::finishCreation):
464         (JSC::RopeBuilder::offsetOfLength):
465         (JSC::RopeBuilder::isRope):
466         (JSC::RopeBuilder::string): Removed m_fiberCount. Renamed
467         jsString => jsStringFromArguments for clarity.
468
469         * runtime/Operations.h:
470         (JSC::jsStringFromArguments): Renamed.
471
472         * runtime/RopeImpl.cpp: Removed.
473         * runtime/RopeImpl.h: Removed.
474
475         * runtime/SmallStrings.cpp:
476         (JSC::SmallStrings::createEmptyString): Switched to StringImpl::empty,
477         which is slightly faster.
478
479         * runtime/StringPrototype.cpp:
480         (JSC::stringProtoFuncConcat): Updated for rename.
481
482         * wtf/text/StringImplBase.h:
483         (WTF::StringImplBase::StringImplBase): Removed the concept of an invalid
484         StringImpl, since this was only used by RopeImpl, which is now gone.
485
486 2011-10-19  Rafael Antognolli  <antognolli@profusion.mobi>
487
488         [EFL] Fix DSO linkage of jsc_efl.
489         https://bugs.webkit.org/show_bug.cgi?id=70412
490
491         Unreviewed build fix.
492
493         Need to add -ldl to jsc_efl (requested by dladdr).
494
495         * shell/CMakeListsEfl.txt:
496
497 2011-10-18  Geoffrey Garen  <ggaren@apple.com>
498
499         Rolled out last Windows build fix because it was wrong.
500
501 2011-10-18  Geoffrey Garen  <ggaren@apple.com>
502
503         Rolled out last Windows build fix because it was wrong.
504
505 2011-10-18  Geoffrey Garen  <ggaren@apple.com>
506
507         Try to fix part of the Windows build.
508         
509         Export!
510
511 2011-10-18  Geoffrey Garen  <ggaren@apple.com>
512
513         Switched ropes from malloc memory to GC memory
514         https://bugs.webkit.org/show_bug.cgi?id=70364
515
516         Reviewed by Gavin Barraclough.
517
518         ~1% SunSpider speedup. Neutral elsewhere. Removes one cause for strings
519         having C++ destructors.
520
521         * heap/MarkStack.cpp:
522         (JSC::visitChildren): Call the JSString visitChildren function now,
523         since it's no longer a no-op.
524
525         * runtime/JSString.cpp:
526         (JSC::JSString::~JSString): Moved this destructor out of line because
527         it's called virtually, so there's no value to inlining.
528
529         (JSC::JSString::RopeBuilder::expand): Switched RopeBuilder to be a thin
530         initializing wrapper around JSString. JSString now represents ropes
531         directly, rather than relying on an underlying malloc object.
532
533         (JSC::JSString::visitChildren): Visit our rope fibers, since they're GC
534         objects now.
535
536         (JSC::JSString::resolveRope):
537         (JSC::JSString::resolveRopeSlowCase):
538         (JSC::JSString::outOfMemory): Updated for operating on JSStrings instead
539         of malloc objects.
540
541         (JSC::JSString::replaceCharacter): Removed optimizations for substringing
542         ropes and replacing subsections of ropes. We want to reimplement versions
543         of these optimizations in the future, but this patch already has good
544         performance without them.
545
546         * runtime/JSString.h:
547         (JSC::RopeBuilder::JSString):
548         (JSC::RopeBuilder::finishCreation):
549         (JSC::RopeBuilder::createNull):
550         (JSC::RopeBuilder::create):
551         (JSC::RopeBuilder::createHasOtherOwner):
552         (JSC::jsSingleCharacterString):
553         (JSC::jsSingleCharacterSubstring):
554         (JSC::jsNontrivialString):
555         (JSC::jsString):
556         (JSC::jsSubstring):
557         (JSC::jsOwnedString): Lots of mechanical changes here. The two important
558         things are: (1) The fibers in JSString::m_fibers are JSStrings now, not
559         malloc objects; (2) I simplified the JSString constructor interface to
560         only accept PassRefPtr<StringImpl>, instead of variations on that like
561         UString, reducing refcount churn.
562
563         * runtime/JSValue.h:
564         * runtime/JSValue.cpp:
565         (JSC::JSValue::toPrimitiveString): Updated this function to return a
566         JSString instead of a UString, since that's what clients want now.
567
568         * runtime/Operations.cpp:
569         (JSC::jsAddSlowCase):
570         * runtime/Operations.h:
571         (JSC::jsString):
572         * runtime/SmallStrings.cpp:
573         (JSC::SmallStrings::createEmptyString): Updated for interface changes above.
574
575         * runtime/StringConstructor.cpp:
576         (JSC::constructWithStringConstructor):
577         * runtime/StringObject.h:
578         (JSC::StringObject::create): Don't create a new JSString if we already
579         have a JSString.
580
581         * runtime/StringPrototype.cpp:
582         (JSC::stringProtoFuncConcat): Updated for interface changes above.
583
584 2011-10-18  Gavin Barraclough  <barraclough@apple.com>
585
586         Errrk, fix partial commit of r97825!
587
588         * runtime/DatePrototype.cpp:
589         (JSC::dateProtoFuncToISOString):
590
591 2011-10-18  Gavin Barraclough  <barraclough@apple.com>
592
593         Date.prototype.toISOString fails to throw exception
594         https://bugs.webkit.org/show_bug.cgi?id=70394
595
596         Reviewed by Sam Weinig.
597
598         * runtime/DatePrototype.cpp:
599         (JSC::dateProtoFuncToISOString):
600             - Should throw a range error if the internal value is not finite.
601
602 2011-10-18  Mark Hahnenberg  <mhahnenberg@apple.com>
603
604         Rename static put to putByIndex
605         https://bugs.webkit.org/show_bug.cgi?id=70281
606
607         Reviewed by Geoffrey Garen.
608
609         Renaming versions of deleteProperty that use an unsigned as the property
610         name to "deletePropertyByIndex" in preparation for adding them to the 
611         MethodTable, which requires unique names for each method.
612
613         * dfg/DFGOperations.cpp:
614         (JSC::DFG::putByVal):
615         * jit/JITStubs.cpp:
616         (JSC::DEFINE_STUB_FUNCTION):
617         * runtime/Arguments.cpp:
618         (JSC::Arguments::putVirtual):
619         (JSC::Arguments::putByIndex):
620         * runtime/Arguments.h:
621         * runtime/ArrayPrototype.cpp:
622         (JSC::arrayProtoFuncMap):
623         * runtime/JSArray.cpp:
624         (JSC::JSArray::put):
625         (JSC::JSArray::putVirtual):
626         (JSC::JSArray::putByIndex):
627         * runtime/JSArray.h:
628         * runtime/JSByteArray.cpp:
629         (JSC::JSByteArray::putVirtual):
630         (JSC::JSByteArray::putByIndex):
631         * runtime/JSByteArray.h:
632         * runtime/JSCell.cpp:
633         (JSC::JSCell::putVirtual):
634         (JSC::JSCell::putByIndex):
635         * runtime/JSCell.h:
636         * runtime/JSNotAnObject.cpp:
637         (JSC::JSNotAnObject::putVirtual):
638         (JSC::JSNotAnObject::putByIndex):
639         * runtime/JSNotAnObject.h:
640         * runtime/JSObject.cpp:
641         (JSC::JSObject::putVirtual):
642         (JSC::JSObject::putByIndex):
643         * runtime/JSObject.h:
644         * runtime/RegExpConstructor.cpp:
645         (JSC::RegExpMatchesArray::fillArrayInstance):
646         * runtime/RegExpMatchesArray.h:
647         (JSC::RegExpMatchesArray::putVirtual):
648         (JSC::RegExpMatchesArray::putByIndex):
649
650 2011-10-18  Gavin Barraclough  <barraclough@apple.com>
651
652         Array.prototype methods missing exception checks
653         https://bugs.webkit.org/show_bug.cgi?id=70360
654
655         Reviewed by Geoff Garen.
656
657         Missing exception checks after calls to the static getProperty helper,
658         these may result in the wrong exception being thrown (or an ASSERT being hit,
659         as is currently the case running test-262).
660
661         No performance impact.
662
663         * runtime/ArrayPrototype.cpp:
664         (JSC::arrayProtoFuncConcat):
665         (JSC::arrayProtoFuncReverse):
666         (JSC::arrayProtoFuncShift):
667         (JSC::arrayProtoFuncSlice):
668         (JSC::arrayProtoFuncSplice):
669         (JSC::arrayProtoFuncUnShift):
670         (JSC::arrayProtoFuncReduce):
671         (JSC::arrayProtoFuncReduceRight):
672         (JSC::arrayProtoFuncIndexOf):
673         (JSC::arrayProtoFuncLastIndexOf):
674
675 2011-10-18  Adam Barth  <abarth@webkit.org>
676
677         Always enable ENABLE(XPATH)
678         https://bugs.webkit.org/show_bug.cgi?id=70217
679
680         Reviewed by Eric Seidel.
681
682         * Configurations/FeatureDefines.xcconfig:
683
684 2011-10-18  Gavin Barraclough  <barraclough@apple.com>
685
686         Indexed arguments on the Arguments object should be enumerable.
687         https://bugs.webkit.org/show_bug.cgi?id=70302
688
689         Reviewed by Sam Weinig.
690
691         See ECMA-262 5.1 chapter 10.6 step 11b.
692         This is visible through a number of means, including Object.keys, Object.getOwnPropertyDescriptor, and operator in.
693
694         * runtime/Arguments.cpp:
695         (JSC::Arguments::getOwnPropertyDescriptor):
696             - The 'enumerable' property should be true for indexed arguments.
697         (JSC::Arguments::getOwnPropertyNames):
698             - Don't guard the adding of indexed properties with 'IncludeDontEnumProperties'.
699
700 2011-10-18  Gustavo Noronha Silva  <gns@gnome.org>
701
702         Fix distcheck.
703
704         * GNUmakefile.list.am: fix a typo and add a missing header to the
705         list.
706
707 2011-10-18  Balazs Kelemen  <kbalazs@webkit.org>
708
709         ParallelJobs: maximum number of threads should be determined dynamically
710         https://bugs.webkit.org/show_bug.cgi?id=68540
711
712         Reviewed by Zoltan Herczeg.
713
714         Add logic to determine the number of cores and use this as
715         the maximum number of threads. The implementation currently
716         covers Linux, Darwin, Windows, AIX, Solaris, OpenBSD and NetBSD.
717         The patch was tested on Linux, Mac and Windows which was enough to
718         cover all code path. It should work on the rest accoring to the
719         documentation of those OS's. The hard coded constant is still used
720         on uncovered OS's which should be fixed in the future.
721
722         * wtf/ParallelJobs.h: Removed the default value of the requestedJobNumber
723         argument because clients should always fill it and the 0 default value
724         was incorrect anyway.
725         (WTF::ParallelJobs::ParallelJobs):
726         * wtf/ParallelJobsGeneric.cpp:
727         (WTF::ParallelEnvironment::determineMaxNumberOfParallelThreads):
728         * wtf/ParallelJobsGeneric.h:
729         (WTF::ParallelEnvironment::ParallelEnvironment):
730
731 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
732
733         Reverted r997709, this caused test failures.
734
735         * jit/JITStubs.cpp:
736         (JSC::DEFINE_STUB_FUNCTION):
737         * runtime/JSObject.cpp:
738         (JSC::JSObject::hasProperty):
739         (JSC::JSObject::hasOwnProperty):
740
741 2011-10-17  Ryosuke Niwa  <rniwa@webkit.org>
742
743         Rename deregister* to unregister*
744         https://bugs.webkit.org/show_bug.cgi?id=70272
745
746         Reviewed by Darin Adler.
747
748         Renamed deregisterWeakMap to unregisterWeakMap.
749
750         * runtime/JSGlobalObject.h:
751         (JSC::JSGlobalObject::unregisterWeakMap):
752
753 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
754
755         Poisoning of strict caller/arguments inappropriately poisoning "in"
756         https://bugs.webkit.org/show_bug.cgi?id=63398
757
758         Reviewed by Sam Weinig.
759
760         The problem here is that the has[Own]Property methods get the slot rather than
761         the descriptor, and getting the slot may cause the property to be eagerly accessed.
762
763         * jit/JITStubs.cpp:
764         (JSC::DEFINE_STUB_FUNCTION):
765             - We don't expect hasProperty to ever throw. If it does, it won't get caught
766               (since it is after the exception check), so ASSERT to guard against this.
767         * runtime/JSObject.cpp:
768         (JSC::JSObject::hasProperty):
769         (JSC::JSObject::hasOwnProperty):
770             - These methods should not check for the presence of the descriptor; never get the value.
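
The bug described in the entry above, illustrated as an added example (not WebKit code): a presence check such as `in` or `hasOwnProperty` must answer without running the property's accessor, so a getter that throws is still reported as present and only an actual read throws. `makePoisoned`, `probe`, `checkPresenceDoesNotRead` and `checkStrictFunction` are names chosen here; the poisoned object is a constructed sample standing in for the strict-mode `caller`/`arguments` case.

```javascript
// Added example (not WebKit code): "has" checks must not evaluate accessors.

function makePoisoned() {
  // Constructed sample: an own accessor that throws on read, the same shape
  // as the poisoned caller/arguments of a strict-mode function.
  const obj = {};
  Object.defineProperty(obj, 'secret', {
    get() { throw new TypeError('secret is poisoned'); },
    enumerable: false,
    configurable: false,
  });
  return obj;
}

// Run one operation and report either its value or the error class it threw.
function probe(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Presence checks succeed (true) while the read itself throws TypeError.
function checkPresenceDoesNotRead() {
  const obj = makePoisoned();
  return {
    inOperator: probe(() => 'secret' in obj),
    hasOwn: probe(() => Object.prototype.hasOwnProperty.call(obj, 'secret')),
    read: probe(() => obj.secret),
  };
}

// The same check on a real strict-mode function: `'caller' in f` must be
// answered without invoking the throwing accessor, while `f.caller` throws.
function checkStrictFunction() {
  const f = function () { 'use strict'; };
  return {
    inOperator: probe(() => 'caller' in f),
    read: probe(() => f.caller),
  };
}
```

Any engine that evaluates the getter inside the presence check would surface the TypeError from `in` as well, which is exactly the misbehaviour the entry fixes.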
771
772 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
773
774         Exception ordering in String.prototype.replace
775         https://bugs.webkit.org/show_bug.cgi?id=70290
776
777         If pattern is not a regexp, it should be converted with toString before the replacement value has its toString conversion called.
778
779         Reviewed by Oliver Hunt.
780
781         * runtime/StringPrototype.cpp:
782         (JSC::stringProtoFuncReplace):
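
The ordering stated in the entry above, as an added example (not WebKit code): when the pattern is not a RegExp, `String.prototype.replace` converts the pattern with `toString` before it converts the replacement, so a pattern whose conversion throws means the replacement is never converted. `recordingValue`, `replaceConversionOrder` and `replaceWithThrowingPattern` are names chosen here, and the logged objects are constructed samples.

```javascript
// Added example (not WebKit code): observable toString order in
// String.prototype.replace for a non-RegExp pattern.

// Constructed sample: an object whose string conversion appends its label
// to `log`, and optionally throws instead of returning a string.
function recordingValue(label, result, log, shouldThrow = false) {
  return {
    toString() {
      log.push(label);
      if (shouldThrow) throw new RangeError(label + ' conversion failed');
      return result;
    },
  };
}

// Happy path: pattern is converted first, then the replacement.
function replaceConversionOrder() {
  const log = [];
  const pattern = recordingValue('pattern', 'a', log);
  const replacement = recordingValue('replacement', 'X', log);
  const out = 'banana'.replace(pattern, replacement);
  return { out, log }; // out === 'bXnana', log === ['pattern', 'replacement']
}

// Failure path: the pattern conversion throws, so the replacement's
// toString must never run and the error is the pattern's.
function replaceWithThrowingPattern() {
  const log = [];
  const pattern = recordingValue('pattern', 'a', log, true);
  const replacement = recordingValue('replacement', 'X', log);
  let error = null;
  try {
    'banana'.replace(pattern, replacement);
  } catch (e) {
    error = e.constructor.name;
  }
  return { error, log }; // error === 'RangeError', log === ['pattern']
}
```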
783
784 2011-10-17  Filip Pizlo  <fpizlo@apple.com>
785
786         DFG bytecode parser should understand inline stacks
787         https://bugs.webkit.org/show_bug.cgi?id=70278
788
789         Reviewed by Oliver Hunt.
790         
791         The DFG bytecode parser is now capable of parsing multiple code blocks at
792         once. This remains turned off since not all inlining functionality is
793         implemented.
794         
795         This required making a few changes elsewhere in the system. The bytecode
796         parser now may do some of the same things that the bytecode generator does,
797         like allocating constants and identifiers. Basic block linking relies on
798         bytecode indices, which are only meaningful within the context of one basic
799         block. This is fine, so long as linking is done eagerly whenever switching
800         from one code block to another.
801
802         * bytecode/CodeOrigin.h:
803         (JSC::CodeOrigin::CodeOrigin):
804         * bytecompiler/BytecodeGenerator.h:
805         * dfg/DFGBasicBlock.h:
806         * dfg/DFGByteCodeParser.cpp:
807         (JSC::DFG::ByteCodeParser::ByteCodeParser):
808         (JSC::DFG::ByteCodeParser::get):
809         (JSC::DFG::ByteCodeParser::set):
810         (JSC::DFG::ByteCodeParser::getThis):
811         (JSC::DFG::ByteCodeParser::setThis):
812         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
813         (JSC::DFG::ByteCodeParser::getPrediction):
814         (JSC::DFG::ByteCodeParser::makeSafe):
815         (JSC::DFG::ByteCodeParser::makeDivSafe):
816         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
817         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
818         (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
819         (JSC::DFG::ByteCodeParser::parseBlock):
820         (JSC::DFG::ByteCodeParser::linkBlock):
821         (JSC::DFG::ByteCodeParser::linkBlocks):
822         (JSC::DFG::ByteCodeParser::setupPredecessors):
823         (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
824         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
825         (JSC::DFG::ByteCodeParser::parseCodeBlock):
826         (JSC::DFG::ByteCodeParser::parse):
827         * dfg/DFGGraph.h:
828         (JSC::DFG::GetBytecodeBeginForBlock::GetBytecodeBeginForBlock):
829         (JSC::DFG::GetBytecodeBeginForBlock::operator()):
830         (JSC::DFG::Graph::blockIndexForBytecodeOffset):
831         * dfg/DFGNode.h:
832         * runtime/Identifier.h:
833         (JSC::IdentifierMapIndexHashTraits::emptyValue):
834         * runtime/JSValue.h:
835         * wtf/StdLibExtras.h:
836         (WTF::binarySearchWithFunctor):
837
838 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
839
840         Incorrect behavior from String match/search & undefined pattern
841         https://bugs.webkit.org/show_bug.cgi?id=70286
842
843         Reviewed by Sam Weinig.
844
845         * runtime/StringPrototype.cpp:
846         (JSC::stringProtoFuncMatch):
847             - In case of undefined, pattern is "".
848         (JSC::stringProtoFuncSearch):
849             - In case of undefined, pattern is "".
850
851 2011-10-17  Gavin Barraclough  <barraclough@apple.com>
852
853         https://bugs.webkit.org/show_bug.cgi?id=70207
854         After deleting __defineSetter__, it is absent but appears in name list
855
856         Reviewed by Darin Adler.
857
858         * runtime/JSObject.cpp:
859         (JSC::JSObject::getOwnPropertyNames):
860             - This should check whether static functions have been reified.
861
862 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
863
864         Mac build fix.
865
866         * JavaScriptCore.exp: Export!
867
868 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
869
870         Windows build fix.
871
872         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export!
873
874 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
875
876         Windows build fix.
877
878         * heap/HandleStack.cpp: Added a missing #include.
879
880 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
881
882         Windows build fix.
883
884         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed no
885         longer existent symbol.
886
887         * heap/MarkStack.cpp:
888         (JSC::MarkStackArray::shrinkAllocation): Cast to the right type.
889
890 2011-10-17  Geoffrey Garen  <ggaren@apple.com>
891
892         Simplified GC marking logic
893         https://bugs.webkit.org/show_bug.cgi?id=70258
894
895         Reviewed by Filip Pizlo.
896         
897         No perf. change.
898         
899         This is a first step toward GC allocating string backing stores, starting
900         with ropes. It also enables future simplifications and optimizations.
901         
902         - Replaced some complex mark stack logic with a simple linear stack of
903         JSCell pointers.
904         
905         - Replaced logic for short-circuiting marking based on JSType and/or
906         Structure flags with special cases for object, array, and string.
907         
908         - Fiddled with inlining for better codegen.
909
910         * JavaScriptCore.exp:
911         * heap/HandleStack.cpp: Build!
912
913         * heap/Heap.cpp:
914         (JSC::Heap::Heap): Provide more vptrs to SlotVisitor, for use in marking.
915
916         * heap/HeapRootVisitor.h: Removed unused functions that no longer build.
917
918         * heap/MarkStack.cpp:
919         (JSC::MarkStackArray::MarkStackArray):
920         (JSC::MarkStackArray::~MarkStackArray):
921         (JSC::MarkStackArray::expand):
922         (JSC::MarkStackArray::shrinkAllocation):
923         (JSC::MarkStack::reset):
924         (JSC::visitChildren):
925         (JSC::SlotVisitor::drain):
926         * heap/MarkStack.h:
927         (JSC::MarkStack::MarkStack):
928         (JSC::MarkStack::~MarkStack):
929         (JSC::MarkStackArray::append):
930         (JSC::MarkStackArray::removeLast):
931         (JSC::MarkStackArray::isEmpty):
932         (JSC::MarkStack::append):
933         (JSC::MarkStack::appendUnbarrieredPointer):
934         (JSC::MarkStack::internalAppend): Replaced complex mark set logic with
935         simple linear stack.
936
937         * heap/SlotVisitor.h:
938         (JSC::SlotVisitor::SlotVisitor): Updated for above changes.
939
940         * runtime/JSArray.cpp:
941         (JSC::JSArray::visitChildren):
942         * runtime/JSArray.h:
943         * runtime/JSObject.cpp:
944         (JSC::JSObject::visitChildren):
945         * runtime/JSObject.h: Don't inline visitChildren; it's too big.
946
947         * runtime/Structure.h:
948         (JSC::MarkStack::internalAppend): Nixed the short-circuit for CompoundType
949         because it prevented strings from owning GC pointers.
950
951         * runtime/WriteBarrier.h:
952         (JSC::MarkStack::appendValues): No need to validate; internalAppend will
953         do that for us.
954
955 2011-10-17  Adam Roben  <aroben@apple.com>
956
957         Windows build fix after r97536, part 3
958
959         * runtime/JSAPIValueWrapper.h:
960         * runtime/JSObject.h:
961         Use JS_EXPORTDATA to export the s_info members.
962
963 2011-10-17  Adam Roben  <aroben@apple.com>
964
965         Interpreter build fix after r97564
966
967         * runtime/Executable.cpp:
968         (JSC::FunctionExecutable::compileForCallInternal):
969         (JSC::FunctionExecutable::compileForConstructInternal):
970         Moved declaration of globalData variable into ENABLE(JIT) blocks, since it is only used
971         there.
972
973 2011-10-17  Adam Roben  <aroben@apple.com>
974
975         Windows build fix after r97536, part 2
976
977         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Added back
978         JSC::setUpStaticFunctionSlot with its new mangled name. Sorted the rest of the file while I
979         was at it.
980
981 2011-10-17  Adam Roben  <aroben@apple.com>
982
983         Windows build fix after r97536
984
985         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed export of
986         JSC::setUpStaticFunctionSlot, which no longer exists. Also removed incorrect exports of
987         s_info members, which need to be exported via JS_EXPORTDATA instead.
988
989 2011-10-17  Patrick Gansterer  <paroga@webkit.org>
990
991         Interpreter build fix after r97436, r97506, r97532 and r97537.
992
993         * interpreter/Interpreter.cpp:
994         (JSC::Interpreter::privateExecute):
995
996 2011-10-16  Adam Barth  <abarth@webkit.org>
997
998         Always disable ENABLE(ON_FIRST_TEXTAREA_FOCUS_SELECT_ALL) and delete associated code
999         https://bugs.webkit.org/show_bug.cgi?id=70216
1000
1001         Reviewed by Eric Seidel.
1002
1003         * wtf/Platform.h:
1004
1005 2011-10-16  Noel Gordon  <noel.gordon@gmail.com>
1006
1007         [chromium] Remove PageAllocatorSymbian.h, OSAllocatorSymbian.cpp, gtk/ThreadingGtk.cpp from gyp project files
1008         https://bugs.webkit.org/show_bug.cgi?id=70205
1009
1010         Reviewed by James Robinson.
1011
1012         wtf/PageAllocatorSymbian.h and wtf/OSAllocatorSymbian.cpp were removed in r97557.
1013         wtf/gtk/ThreadingGtk.cpp was removed in r97269.
1014
1015         * JavaScriptCore.gypi:
1016
1017 2011-10-16  Adam Barth  <abarth@webkit.org>
1018
1019         Always enable ENABLE(DOM_STORAGE)
1020         https://bugs.webkit.org/show_bug.cgi?id=70189
1021
1022         Reviewed by Eric Seidel.
1023
1024         * Configurations/FeatureDefines.xcconfig:
1025
1026 2011-10-15  Dan Horák  <dan@danny.cz>
1027
1028         The s390 and s390x architectures both use a 64-bit double type
1029         that conforms to the IEEE-754 standard.
1030
1031         https://bugs.webkit.org/show_bug.cgi?id=69940
1032
1033         Reviewed by Gavin Barraclough.
1034
1035         * wtf/dtoa/utils.h:
1036
1037 2011-10-14  Filip Pizlo  <fpizlo@apple.com>
1038
1039         FunctionExecutable should expose the ability to create unattached FunctionCodeBlocks
1040         https://bugs.webkit.org/show_bug.cgi?id=70157
1041
1042         Reviewed by Geoff Garen.
1043         
1044         Added FunctionExecutable::produceCodeBlockFor() and rewired compileForCallInternal()
1045         and compileForConstructInternal() to use this method. This required more cleanly
1046         exposing some of CodeBlock's tiering functionality and moving the CompilationKind
1047         enum to Executable.h, as this was the easiest way to make it available to the
1048         declarations/definitions of CodeBlock, FunctionExecutable, and BytecodeGenerator.
1049
1050         * bytecode/CodeBlock.cpp:
1051         (JSC::CodeBlock::copyDataFrom):
1052         (JSC::CodeBlock::copyDataFromAlternative):
1053         * bytecode/CodeBlock.h:
1054         (JSC::CodeBlock::setAlternative):
1055         * bytecompiler/BytecodeGenerator.h:
1056         * runtime/Executable.cpp:
1057         (JSC::EvalExecutable::compileInternal):
1058         (JSC::ProgramExecutable::compileInternal):
1059         (JSC::FunctionExecutable::produceCodeBlockFor):
1060         (JSC::FunctionExecutable::compileForCallInternal):
1061         (JSC::FunctionExecutable::compileForConstructInternal):
1062         * runtime/Executable.h:
1063         (JSC::FunctionExecutable::codeBlockFor):
1064
1065 2011-10-15  Laszlo Gombos  <laszlo.1.gombos@nokia.com>
1066
1067         [Qt] [Symbian] Remove support for the Symbian platform for the QtWebKit port
1068         https://bugs.webkit.org/show_bug.cgi?id=69920
1069
1070         Reviewed by Kenneth Rohde Christiansen.
1071
1072         * JavaScriptCore.pri:
1073         * JavaScriptCore.pro:
1074         * heap/MarkStack.h:
1075         (JSC::::shrinkAllocation):
1076         * jit/ExecutableAllocator.cpp:
1077         * jit/ExecutableAllocator.h:
1078         (JSC::ExecutableAllocator::cacheFlush):
1079         * jit/JITStubs.cpp:
1080         * jsc.pro:
1081         * runtime/ArrayPrototype.cpp:
1082         (JSC::arrayProtoFuncToString):
1083         * runtime/DatePrototype.cpp:
1084         (JSC::formatLocaleDate):
1085         * runtime/StringPrototype.cpp:
1086         (JSC::stringProtoFuncLastIndexOf):
1087         * runtime/TimeoutChecker.cpp:
1088         (JSC::getCPUTime):
1089         * wtf/Assertions.cpp:
1090         * wtf/Assertions.h:
1091         * wtf/Atomics.h:
1092         * wtf/MathExtras.h:
1093         * wtf/OSAllocator.h:
1094         (WTF::OSAllocator::decommitAndRelease):
1095         * wtf/OSAllocatorSymbian.cpp: Removed.
1096         * wtf/OSRandomSource.cpp:
1097         (WTF::cryptographicallyRandomValuesFromOS):
1098         * wtf/PageAllocation.h:
1099         * wtf/PageAllocatorSymbian.h: Removed.
1100         * wtf/PageBlock.cpp:
1101         * wtf/Platform.h:
1102         * wtf/StackBounds.cpp:
1103         * wtf/wtf.pri:
1104
1105 2011-10-15  Yuqiang Xian  <yuqiang.xian@intel.com>
1106
1107         Trivial fix for a missing change in r97512
1108         https://bugs.webkit.org/show_bug.cgi?id=70166
1109
1110         Reviewed by Gavin Barraclough.
1111
1112         * dfg/DFGJITCompiler32_64.cpp:
1113         (JSC::DFG::JITCompiler::link):
1114
1115 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1116
1117         Rename getOwnPropertySlot to getOwnPropertySlotVirtual
1118         https://bugs.webkit.org/show_bug.cgi?id=69810
1119
1120         Reviewed by Geoffrey Garen.
1121
1122         Renamed the virtual version of getOwnPropertySlot to getOwnPropertySlotVirtual
1123         in preparation for when we add the static getOwnPropertySlot to the MethodTable
1124         in ClassInfo.
1125
1126         Also added a few static getOwnPropertySlot functions where they had been overlooked
1127         before (especially in CodeGeneratorJS.pm).
1128
1129         * API/JSCallbackObject.h:
1130         * API/JSCallbackObjectFunctions.h:
1131         (JSC::::getOwnPropertySlotVirtual):
1132         (JSC::::getOwnPropertySlot):
1133         (JSC::::getOwnPropertyDescriptor):
1134         (JSC::::staticFunctionGetter):
1135         * JavaScriptCore.exp:
1136         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1137         * debugger/DebuggerActivation.cpp:
1138         (JSC::DebuggerActivation::getOwnPropertySlotVirtual):
1139         (JSC::DebuggerActivation::getOwnPropertySlot):
1140         * debugger/DebuggerActivation.h:
1141         * runtime/Arguments.cpp:
1142         (JSC::Arguments::getOwnPropertySlotVirtual):
1143         (JSC::Arguments::getOwnPropertySlot):
1144         * runtime/Arguments.h:
1145         * runtime/ArrayConstructor.cpp:
1146         (JSC::ArrayConstructor::getOwnPropertySlotVirtual):
1147         (JSC::ArrayConstructor::getOwnPropertySlot):
1148         * runtime/ArrayConstructor.h:
1149         * runtime/ArrayPrototype.cpp:
1150         (JSC::ArrayPrototype::getOwnPropertySlotVirtual):
1151         * runtime/ArrayPrototype.h:
1152         * runtime/BooleanPrototype.cpp:
1153         (JSC::BooleanPrototype::getOwnPropertySlotVirtual):
1154         * runtime/BooleanPrototype.h:
1155         * runtime/DateConstructor.cpp:
1156         (JSC::DateConstructor::getOwnPropertySlotVirtual):
1157         * runtime/DateConstructor.h:
1158         * runtime/DatePrototype.cpp:
1159         (JSC::DatePrototype::getOwnPropertySlotVirtual):
1160         * runtime/DatePrototype.h:
1161         * runtime/ErrorPrototype.cpp:
1162         (JSC::ErrorPrototype::getOwnPropertySlotVirtual):
1163         * runtime/ErrorPrototype.h:
1164         * runtime/JSActivation.cpp:
1165         (JSC::JSActivation::getOwnPropertySlotVirtual):
1166         * runtime/JSActivation.h:
1167         * runtime/JSArray.cpp:
1168         (JSC::JSArray::getOwnPropertySlotVirtual):
1169         (JSC::JSArray::getOwnPropertySlot):
1170         * runtime/JSArray.h:
1171         * runtime/JSBoundFunction.cpp:
1172         (JSC::JSBoundFunction::getOwnPropertySlotVirtual):
1173         * runtime/JSBoundFunction.h:
1174         * runtime/JSByteArray.cpp:
1175         (JSC::JSByteArray::getOwnPropertySlotVirtual):
1176         * runtime/JSByteArray.h:
1177         * runtime/JSCell.cpp:
1178         (JSC::JSCell::getOwnPropertySlotVirtual):
1179         * runtime/JSCell.h:
1180         * runtime/JSFunction.cpp:
1181         (JSC::JSFunction::getOwnPropertySlotVirtual):
1182         (JSC::JSFunction::getOwnPropertyDescriptor):
1183         (JSC::JSFunction::getOwnPropertyNames):
1184         (JSC::JSFunction::put):
1185         * runtime/JSFunction.h:
1186         * runtime/JSGlobalObject.cpp:
1187         (JSC::JSGlobalObject::getOwnPropertySlotVirtual):
1188         * runtime/JSGlobalObject.h:
1189         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1190         * runtime/JSNotAnObject.cpp:
1191         (JSC::JSNotAnObject::getOwnPropertySlotVirtual):
1192         * runtime/JSNotAnObject.h:
1193         * runtime/JSONObject.cpp:
1194         (JSC::Stringifier::Holder::appendNextProperty):
1195         (JSC::JSONObject::getOwnPropertySlotVirtual):
1196         (JSC::Walker::walk):
1197         * runtime/JSONObject.h:
1198         * runtime/JSObject.cpp:
1199         (JSC::JSObject::getOwnPropertySlotVirtual):
1200         (JSC::JSObject::getOwnPropertySlot):
1201         (JSC::JSObject::hasOwnProperty):
1202         * runtime/JSObject.h:
1203         (JSC::JSObject::getOwnPropertySlotVirtual):
1204         (JSC::JSCell::fastGetOwnPropertySlot):
1205         (JSC::JSObject::getPropertySlot):
1206         (JSC::JSValue::get):
1207         * runtime/JSStaticScopeObject.cpp:
1208         (JSC::JSStaticScopeObject::getOwnPropertySlotVirtual):
1209         * runtime/JSStaticScopeObject.h:
1210         * runtime/JSString.cpp:
1211         (JSC::JSString::getOwnPropertySlotVirtual):
1212         (JSC::JSString::getOwnPropertySlot):
1213         * runtime/JSString.h:
1214         * runtime/Lookup.h:
1215         (JSC::getStaticPropertySlot):
1216         (JSC::getStaticFunctionSlot):
1217         (JSC::getStaticValueSlot):
1218         * runtime/MathObject.cpp:
1219         (JSC::MathObject::getOwnPropertySlotVirtual):
1220         * runtime/MathObject.h:
1221         * runtime/NumberConstructor.cpp:
1222         (JSC::NumberConstructor::getOwnPropertySlotVirtual):
1223         * runtime/NumberConstructor.h:
1224         * runtime/NumberPrototype.cpp:
1225         (JSC::NumberPrototype::getOwnPropertySlotVirtual):
1226         * runtime/NumberPrototype.h:
1227         * runtime/ObjectConstructor.cpp:
1228         (JSC::ObjectConstructor::getOwnPropertySlotVirtual):
1229         * runtime/ObjectConstructor.h:
1230         * runtime/ObjectPrototype.cpp:
1231         (JSC::ObjectPrototype::getOwnPropertySlotVirtual):
1232         * runtime/ObjectPrototype.h:
1233         * runtime/RegExpConstructor.cpp:
1234         (JSC::RegExpConstructor::getOwnPropertySlotVirtual):
1235         * runtime/RegExpConstructor.h:
1236         * runtime/RegExpMatchesArray.h:
1237         (JSC::RegExpMatchesArray::getOwnPropertySlotVirtual):
1238         * runtime/RegExpObject.cpp:
1239         (JSC::RegExpObject::getOwnPropertySlotVirtual):
1240         * runtime/RegExpObject.h:
1241         * runtime/RegExpPrototype.cpp:
1242         (JSC::RegExpPrototype::getOwnPropertySlotVirtual):
1243         * runtime/RegExpPrototype.h:
1244         * runtime/StringConstructor.cpp:
1245         (JSC::StringConstructor::getOwnPropertySlotVirtual):
1246         * runtime/StringConstructor.h:
1247         * runtime/StringObject.cpp:
1248         (JSC::StringObject::getOwnPropertySlotVirtual):
1249         * runtime/StringObject.h:
1250         * runtime/StringPrototype.cpp:
1251         (JSC::StringPrototype::getOwnPropertySlotVirtual):
1252         * runtime/StringPrototype.h:
1253
1254 2011-10-14  Gavin Barraclough  <baraclough@apple.com>
1255
1256         Most built-in properties are not deletable
1257         https://bugs.webkit.org/show_bug.cgi?id=61014
1258
1259         Reviewed by Filip Pizlo.
1260
1261         Our static hash tables don't allow for deleting properties.
1262         This is the cause of a bunch of expected failures in LayoutTests/sputnik.
1263
1264         This fixes the problem by reifying all static functions immediately prior
1265         to the first deletion.  Reification is tracked by a flag on the structure,
1266         so properties will no longer 'bounce-back' on later access.
1267
1268         Theoretically there could probably also be an issue with custom accessor
1269         properties, but we probably do not really require any of these to be
1270         Configurable anyway. I'll follow up with a separate patch to address this.
1271
1272         * runtime/ClassInfo.h:
1273         (JSC::ClassInfo::hasStaticProperties):
1274             - detects static property tables.
1275         * runtime/JSObject.cpp:
1276         (JSC::JSObject::deleteProperty):
1277             - call reifyStaticFunctions before deletion.
1278         (JSC::JSObject::reifyStaticFunctions):
1279             - If the class has static functions, set them up now.
1280         * runtime/JSObject.h:
1281         (JSC::JSObject::staticFunctionsReified):
1282             - returns true if static functions have been reified,
1283               and as such should no longer be added.
1284         * runtime/Lookup.cpp:
1285         (JSC::setUpStaticFunctionSlot):
1286             - If static functions have been reified do not add.
1287         * runtime/Lookup.h:
1288         (JSC::HashTable::ConstIterator::ConstIterator):
1289         (JSC::HashTable::ConstIterator::operator->):
1290         (JSC::HashTable::ConstIterator::operator*):
1291         (JSC::HashTable::ConstIterator::operator!=):
1292         (JSC::HashTable::ConstIterator::operator++):
1293         (JSC::HashTable::ConstIterator::skipInvalidKeys):
1294         (JSC::HashTable::begin):
1295         (JSC::HashTable::end):
1296         (JSC::getStaticPropertySlot):
1297         (JSC::getStaticPropertyDescriptor):
1298         (JSC::getStaticFunctionSlot):
1299         (JSC::getStaticFunctionDescriptor):
1300             - setUpStaticFunctionSlot may not add, returns a bool.
1301         (JSC::lookupPut):
1302             - remove redundant branch.
1303         * runtime/Structure.cpp:
1304         (JSC::Structure::Structure):
1305             - initialize new flag in constructors.
1306         * runtime/Structure.h:
1307         (JSC::Structure::staticFunctionsReified):
1308         (JSC::Structure::setStaticFunctionsReified):
1309             - added flag
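
The behaviour fixed by the entry above (and by the earlier entry "After deleting __defineSetter__, it is absent but appears in name list"), as an added example that is not WebKit code: once a configurable built-in property is deleted, it must stay gone on later lookups, and it must drop out of the own-property name list. `checkDeletionSticks` is a name chosen here; it restores the property afterwards so the global objects are left as found.

```javascript
// Added example (not WebKit code): deleting a built-in must remove it for
// good: a later lookup must not "bounce back" the static entry, and the
// name must leave Object.getOwnPropertyNames.

function checkDeletionSticks(target, name) {
  const saved = Object.getOwnPropertyDescriptor(target, name);
  // Non-configurable properties (e.g. Math.PI) are legitimately undeletable.
  if (!saved || !saved.configurable) {
    return { deletable: false };
  }
  try {
    const deleted = delete target[name];
    const hasOwnProperty = (o, n) => Object.prototype.hasOwnProperty.call(o, n);
    const hasOwn = hasOwnProperty(target, name);
    const listed = Object.getOwnPropertyNames(target).includes(name);
    // A plain lookup after deletion: must be undefined and must not
    // re-materialise the property from any static table.
    const value = target[name];
    const hasOwnAfterLookup = hasOwnProperty(target, name);
    return { deletable: true, deleted, hasOwn, listed, value, hasOwnAfterLookup };
  } finally {
    // Put the built-in back exactly as it was.
    Object.defineProperty(target, name, saved);
  }
}
```

Running it against `Math` and `Object.prototype` exercises the same static-table-backed functions the entries talk about, and the non-configurable `Math.PI` shows the check declining to delete what the spec says must stay.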
1310
1311 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1312
1313         Rename virtual put to putVirtual
1314         https://bugs.webkit.org/show_bug.cgi?id=69851
1315
1316         Reviewed by Darin Adler.
1317
1318         Renamed virtual versions of put to putVirtual in preparation for
1319         adding the static put to the MethodTable in ClassInfo since the
1320         compiler gets mad if the virtual and static versions have the same
1321         name.
1322
1323         * API/JSCallbackObject.h:
1324         * API/JSCallbackObjectFunctions.h:
1325         (JSC::::putVirtual):
1326         * API/JSObjectRef.cpp:
1327         (JSObjectSetProperty):
1328         (JSObjectSetPropertyAtIndex):
1329         * JavaScriptCore.exp:
1330         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1331         * debugger/DebuggerActivation.cpp:
1332         (JSC::DebuggerActivation::putVirtual):
1333         (JSC::DebuggerActivation::put):
1334         * debugger/DebuggerActivation.h:
1335         * dfg/DFGOperations.cpp:
1336         (JSC::DFG::putByVal):
1337         * interpreter/Interpreter.cpp:
1338         (JSC::Interpreter::execute):
1339         * jit/JITStubs.cpp:
1340         (JSC::DEFINE_STUB_FUNCTION):
1341         * jsc.cpp:
1342         (GlobalObject::finishCreation):
1343         * runtime/Arguments.cpp:
1344         (JSC::Arguments::putVirtual):
1345         * runtime/Arguments.h:
1346         * runtime/ArrayPrototype.cpp:
1347         (JSC::putProperty):
1348         (JSC::arrayProtoFuncConcat):
1349         (JSC::arrayProtoFuncPush):
1350         (JSC::arrayProtoFuncReverse):
1351         (JSC::arrayProtoFuncShift):
1352         (JSC::arrayProtoFuncSlice):
1353         (JSC::arrayProtoFuncSort):
1354         (JSC::arrayProtoFuncSplice):
1355         (JSC::arrayProtoFuncUnShift):
1356         (JSC::arrayProtoFuncFilter):
1357         (JSC::arrayProtoFuncMap):
1358         * runtime/JSActivation.cpp:
1359         (JSC::JSActivation::putVirtual):
1360         * runtime/JSActivation.h:
1361         * runtime/JSArray.cpp:
1362         (JSC::JSArray::putVirtual):
1363         (JSC::JSArray::putSlowCase):
1364         (JSC::JSArray::push):
1365         (JSC::JSArray::shiftCount):
1366         (JSC::JSArray::unshiftCount):
1367         * runtime/JSArray.h:
1368         * runtime/JSByteArray.cpp:
1369         (JSC::JSByteArray::putVirtual):
1370         * runtime/JSByteArray.h:
1371         * runtime/JSCell.cpp:
1372         (JSC::JSCell::putVirtual):
1373         (JSC::JSCell::put):
1374         * runtime/JSCell.h:
1375         * runtime/JSFunction.cpp:
1376         (JSC::JSFunction::putVirtual):
1377         * runtime/JSFunction.h:
1378         * runtime/JSGlobalObject.cpp:
1379         (JSC::JSGlobalObject::putVirtual):
1380         (JSC::JSGlobalObject::putWithAttributes):
1381         * runtime/JSGlobalObject.h:
1382         * runtime/JSNotAnObject.cpp:
1383         (JSC::JSNotAnObject::putVirtual):
1384         * runtime/JSNotAnObject.h:
1385         * runtime/JSONObject.cpp:
1386         (JSC::Walker::walk):
1387         * runtime/JSObject.cpp:
1388         (JSC::JSObject::putVirtual):
1389         (JSC::JSObject::put):
1390         (JSC::JSObject::defineOwnProperty):
1391         * runtime/JSObject.h:
1392         (JSC::JSValue::put):
1393         * runtime/JSStaticScopeObject.cpp:
1394         (JSC::JSStaticScopeObject::putVirtual):
1395         * runtime/JSStaticScopeObject.h:
1396         * runtime/Lookup.h:
1397         (JSC::lookupPut):
1398         * runtime/ObjectPrototype.cpp:
1399         (JSC::ObjectPrototype::putVirtual):
1400         * runtime/ObjectPrototype.h:
1401         * runtime/RegExpConstructor.cpp:
1402         (JSC::RegExpMatchesArray::fillArrayInstance):
1403         (JSC::RegExpConstructor::putVirtual):
1404         * runtime/RegExpConstructor.h:
1405         * runtime/RegExpMatchesArray.h:
1406         (JSC::RegExpMatchesArray::putVirtual):
1407         * runtime/RegExpObject.cpp:
1408         (JSC::RegExpObject::putVirtual):
1409         * runtime/RegExpObject.h:
1410         * runtime/StringObject.cpp:
1411         (JSC::StringObject::putVirtual):
1412         * runtime/StringObject.h:
1413         * runtime/StringPrototype.cpp:
1414         (JSC::stringProtoFuncSplit):
1415
1416 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
1417
1418         Reflective Arguments retrieval should be hardened for the
1419         possibility of inlining
1420         https://bugs.webkit.org/show_bug.cgi?id=70068
1421
1422         Reviewed by Oliver Hunt.
1423         
1424         CodeBlock can now track, as part of its RareData, the virtual inline
1425         stack at callsites. CallFrame walking can now rematerialize "inline"
1426         CallFrames by combining the meta-data in CodeBlock with the information
1427         already in the JS stack. Arguments can now safely retrieve the
1428         arguments from inline CallFrames.
1429         
1430         The DFG already had the notion of a "CodeOrigin" in preparation for
1431         inlining. This notion will now be saved into the CodeBlock, if the DFG
1432         had done inlining. So, CodeOrigin has been moved to bytecode/ and has
1433         been changed to behave more like a struct since that is how it's
1434         meant to be used.
1435
1436         * GNUmakefile.list.am:
1437         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1438         * JavaScriptCore.xcodeproj/project.pbxproj:
1439         * bytecode/CodeBlock.h:
1440         (JSC::CodeBlock::inlineCallFrames):
1441         (JSC::CodeBlock::codeOrigins):
1442         (JSC::CodeBlock::hasCodeOrigins):
1443         (JSC::CodeBlock::codeOriginForReturn):
1444         * bytecode/CodeOrigin.h: Added.
1445         (JSC::CodeOrigin::CodeOrigin):
1446         (JSC::CodeOrigin::isSet):
1447         (JSC::getCallReturnOffsetForCodeOrigin):
1448         * dfg/DFGJITCompiler.cpp:
1449         (JSC::DFG::JITCompiler::link):
1450         * dfg/DFGNode.h:
1451         * dfg/DFGSpeculativeJIT.cpp:
1452         (JSC::DFG::SpeculativeJIT::compile):
1453         * dfg/DFGSpeculativeJIT32_64.cpp:
1454         (JSC::DFG::SpeculativeJIT::compile):
1455         * dfg/DFGSpeculativeJIT64.cpp:
1456         (JSC::DFG::SpeculativeJIT::compile):
1457         * interpreter/CallFrame.cpp:
1458         (JSC::CallFrame::isInlineCallFrame):
1459         (JSC::CallFrame::trueCallerFrame):
1460         * interpreter/CallFrame.h:
1461         (JSC::ExecState::inlineCallFrame):
1462         (JSC::ExecState::setInlineCallFrame):
1463         (JSC::ExecState::isInlineCallFrame):
1464         (JSC::ExecState::trueCallerFrame):
1465         * interpreter/Interpreter.cpp:
1466         (JSC::Interpreter::findFunctionCallFrame):
1467         * interpreter/Register.h:
1468         (JSC::Register::operator=):
1469         (JSC::Register::inlineCallFrame):
1470         * runtime/Arguments.h:
1471         (JSC::Arguments::getArgumentsData):
1472         (JSC::Arguments::finishCreationButDontCopyRegisters):
1473         (JSC::Arguments::finishCreation):
1474         (JSC::Arguments::finishCreationAndCopyRegisters):
1475         * runtime/Executable.h:
1476         (JSC::FunctionExecutable::parameterCount):
1477
1478 2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1479
1480         Rename virtual deleteProperty to deletePropertyVirtual
1481         https://bugs.webkit.org/show_bug.cgi?id=69884
1482
1483         Reviewed by Darin Adler.
1484
1485         Renamed virtual versions of deleteProperty to deletePropertyVirtual in preparation for
1486         adding the static deleteProperty to the MethodTable in ClassInfo since the
1487         compiler gets mad if the virtual and static versions have the same name.
1488
1489         * API/JSCallbackObject.h:
1490         * API/JSCallbackObjectFunctions.h:
1491         (JSC::::deletePropertyVirtual):
1492         (JSC::::deleteProperty):
1493         * API/JSObjectRef.cpp:
1494         (JSObjectDeleteProperty):
1495         * JavaScriptCore.exp:
1496         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1497         * debugger/DebuggerActivation.cpp:
1498         (JSC::DebuggerActivation::deletePropertyVirtual):
1499         (JSC::DebuggerActivation::deleteProperty):
1500         * debugger/DebuggerActivation.h:
1501         * jit/JITStubs.cpp:
1502         (JSC::DEFINE_STUB_FUNCTION):
1503         * runtime/Arguments.cpp:
1504         (JSC::Arguments::deletePropertyVirtual):
1505         * runtime/Arguments.h:
1506         * runtime/ArrayPrototype.cpp:
1507         (JSC::arrayProtoFuncPop):
1508         (JSC::arrayProtoFuncReverse):
1509         (JSC::arrayProtoFuncShift):
1510         (JSC::arrayProtoFuncSplice):
1511         (JSC::arrayProtoFuncUnShift):
1512         * runtime/JSActivation.cpp:
1513         (JSC::JSActivation::deletePropertyVirtual):
1514         * runtime/JSActivation.h:
1515         * runtime/JSArray.cpp:
1516         (JSC::JSArray::deletePropertyVirtual):
1517         (JSC::JSArray::deleteProperty):
1518         * runtime/JSArray.h:
1519         * runtime/JSCell.cpp:
1520         (JSC::JSCell::deletePropertyVirtual):
1521         (JSC::JSCell::deleteProperty):
1522         * runtime/JSCell.h:
1523         * runtime/JSFunction.cpp:
1524         (JSC::JSFunction::deletePropertyVirtual):
1525         * runtime/JSFunction.h:
1526         * runtime/JSNotAnObject.cpp:
1527         (JSC::JSNotAnObject::deletePropertyVirtual):
1528         * runtime/JSNotAnObject.h:
1529         * runtime/JSONObject.cpp:
1530         (JSC::Walker::walk):
1531         * runtime/JSObject.cpp:
1532         (JSC::JSObject::deletePropertyVirtual):
1533         (JSC::JSObject::deleteProperty):
1534         (JSC::JSObject::defineOwnProperty):
1535         * runtime/JSObject.h:
1536         * runtime/JSVariableObject.cpp:
1537         (JSC::JSVariableObject::deletePropertyVirtual):
1538         * runtime/JSVariableObject.h:
1539         * runtime/RegExpMatchesArray.h:
1540         (JSC::RegExpMatchesArray::deletePropertyVirtual):
1541         * runtime/StrictEvalActivation.cpp:
1542         (JSC::StrictEvalActivation::deletePropertyVirtual):
1543         * runtime/StrictEvalActivation.h:
1544         * runtime/StringObject.cpp:
1545         (JSC::StringObject::deletePropertyVirtual):
1546         * runtime/StringObject.h:
1547
1548 2011-10-14  Peter Beverloo  <peter@chromium.org>
1549
1550         [Chromium] Inherit settings from Chromium's envsetup.sh, address a NDK todo
1551         https://bugs.webkit.org/show_bug.cgi?id=70028
1552
1553         Reviewed by Adam Barth.
1554
1555         * JavaScriptCore.gyp/JavaScriptCore.gyp:
1556
1557 2011-10-14  Yuqiang Xian  <yuqiang.xian@intel.com>
1558
1559         DFG JIT 32_64 - Performance fix for ResolveGlobal
1560         https://bugs.webkit.org/show_bug.cgi?id=70096
1561
1562         Reviewed by Gavin Barraclough.
1563
1564         Structure check of global object should be a pointer comparison
1565         instead of a tag and payload pair comparison. This fix improves
1566         SunSpider by 7% on Linux 32, with bitops-bitwise-and improved by 4.75X.
1567         Also two trivial fixes for successful 32-bit build are included.
1568
1569         * dfg/DFGSpeculativeJIT.cpp:
1570         * dfg/DFGSpeculativeJIT32_64.cpp:
1571         (JSC::DFG::SpeculativeJIT::compile):
1572
1573 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
1574
1575         Speculation failures in ValueToInt32 are causing a 2x slow-down
1576         in Kraken/stanford-crypto-pbkdf2
1577         https://bugs.webkit.org/show_bug.cgi?id=70089
1578
1579         Reviewed by Gavin Barraclough.
1580         
1581         If we can't truncate to Int32 using machine code, then don't fail
1582         speculation. Just call JSC::toInt32.
1583
1584         * dfg/DFGJITCodeGenerator.h:
1585         (JSC::DFG::callOperation):
1586         * dfg/DFGOperations.h:
1587         * dfg/DFGSpeculativeJIT.cpp:
1588         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1589         * dfg/DFGSpeculativeJIT64.cpp:
1590         (JSC::DFG::SpeculativeJIT::compile):
1591
1592 2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1593
1594         Rename virtual getConstructData to getConstructDataVirtual
1595         https://bugs.webkit.org/show_bug.cgi?id=69872
1596
1597         Reviewed by Geoffrey Garen.
1598
1599         Renamed virtual getConstructData functions to getConstructDataVirtual to 
1600         avoid conflicts when we add static getConstructData to the MethodTable.
1601
1602         * API/JSCallbackConstructor.cpp:
1603         (JSC::JSCallbackConstructor::getConstructDataVirtual):
1604         * API/JSCallbackConstructor.h:
1605         * API/JSCallbackObject.h:
1606         * API/JSCallbackObjectFunctions.h:
1607         (JSC::::getConstructDataVirtual):
1608         * API/JSObjectRef.cpp:
1609         (JSObjectIsConstructor):
1610         (JSObjectCallAsConstructor):
1611         * JavaScriptCore.exp:
1612         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1613         * dfg/DFGOperations.cpp:
1614         * jit/JITStubs.cpp:
1615         (JSC::DEFINE_STUB_FUNCTION):
1616         * runtime/ArrayConstructor.cpp:
1617         (JSC::ArrayConstructor::getConstructDataVirtual):
1618         * runtime/ArrayConstructor.h:
1619         * runtime/BooleanConstructor.cpp:
1620         (JSC::BooleanConstructor::getConstructDataVirtual):
1621         * runtime/BooleanConstructor.h:
1622         * runtime/DateConstructor.cpp:
1623         (JSC::DateConstructor::getConstructDataVirtual):
1624         * runtime/DateConstructor.h:
1625         * runtime/Error.h:
1626         (JSC::StrictModeTypeErrorFunction::getConstructDataVirtual):
1627         * runtime/ErrorConstructor.cpp:
1628         (JSC::ErrorConstructor::getConstructDataVirtual):
1629         * runtime/ErrorConstructor.h:
1630         * runtime/FunctionConstructor.cpp:
1631         (JSC::FunctionConstructor::getConstructDataVirtual):
1632         * runtime/FunctionConstructor.h:
1633         * runtime/JSCell.cpp:
1634         (JSC::JSCell::getConstructDataVirtual):
1635         * runtime/JSCell.h:
1636         (JSC::getConstructData):
1637         * runtime/JSFunction.cpp:
1638         (JSC::JSFunction::getConstructDataVirtual):
1639         * runtime/JSFunction.h:
1640         * runtime/NativeErrorConstructor.cpp:
1641         (JSC::NativeErrorConstructor::getConstructDataVirtual):
1642         * runtime/NativeErrorConstructor.h:
1643         * runtime/NumberConstructor.cpp:
1644         (JSC::NumberConstructor::getConstructDataVirtual):
1645         * runtime/NumberConstructor.h:
1646         * runtime/ObjectConstructor.cpp:
1647         (JSC::ObjectConstructor::getConstructDataVirtual):
1648         * runtime/ObjectConstructor.h:
1649         * runtime/RegExpConstructor.cpp:
1650         (JSC::RegExpConstructor::getConstructDataVirtual):
1651         * runtime/RegExpConstructor.h:
1652         * runtime/StringConstructor.cpp:
1653         (JSC::StringConstructor::getConstructDataVirtual):
1654         * runtime/StringConstructor.h:
1655
1656 2011-10-13  Filip Pizlo  <fpizlo@apple.com>
1657
1658         Rubber stamped by Stephanie Lewis.
1659         
1660         DFG_ENABLE() macro was always returning false.
1661
1662         * dfg/DFGNode.h:
1663
1664 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1665
1666         Speculative build fix for !DFG builds.
1667
1668         * jit/JIT.cpp:
1669         (JSC::JIT::privateCompile):
1670
1671 2011-10-13  Oliver Hunt  <oliver@apple.com>
1672
1673         Fix performance of ValueToInt32 node when predicting double
1674         https://bugs.webkit.org/show_bug.cgi?id=70063
1675
1676         Reviewed by Filip Pizlo.
1677
1678         Currently we fail to inline double to int conversion when
1679         performing a ValueToInt32 operation on a value we predict
1680         to be a double.
1681
1682         * dfg/DFGAbstractState.cpp:
1683         (JSC::DFG::AbstractState::execute):
1684            Apply correct filter for the double prediction path
1685         * dfg/DFGJITCodeGenerator32_64.cpp:
1686         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1687         * dfg/DFGJITCodeGenerator64.cpp:
1688         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1689            Support double parameters even when value has been spilled.
1690         * dfg/DFGSpeculativeJIT.cpp:
1691         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1692            Moved old valueToInt32 code to this function, and added
1693            path for double prediction
1694         * dfg/DFGSpeculativeJIT.h:
1695         * dfg/DFGSpeculativeJIT32_64.cpp:
1696         (JSC::DFG::SpeculativeJIT::compile):
1697         * dfg/DFGSpeculativeJIT64.cpp:
1698         (JSC::DFG::SpeculativeJIT::compile):
1699            Made the two implementations of ValueToInt32 call a single
1700            shared compileValueToInt32 function.
1701
1702 2011-10-13  Chris Marrin  <cmarrin@apple.com>
1703
1704         Sync requestAnimationFrame callback to CVDisplayLink on Mac
1705         https://bugs.webkit.org/show_bug.cgi?id=68911
1706
1707         Reviewed by Simon Fraser.
1708
1709         Add REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for implementations
1710         that use the DisplayRefreshMonitor logic.
1711
1712         * wtf/Platform.h:
1713
1714 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1715
1716         DFG JIT should not be using ENABLE macro to enable features
1717         https://bugs.webkit.org/show_bug.cgi?id=70060
1718
1719         Reviewed by Oliver Hunt.
1720
1721         The ENABLE macro is only intended to be used to detect features that are configured
1722         in Platform.h. Using it to detect settings defined in other headers is an error.
1723
1724         The problem is that the ENABLE macro checks if the value is defined, so will silently
1725         return false if you fail to include the header defining the switch. This is not a problem
1726         if (1) the settings are defined in the same header that defines the macro that tests them,
1727         or (2) the header is included everywhere.  In the case of ENABLE settings defined in
1728         Platform.h, both are true! To make this clear, add an explicit DFG_ENABLE macro.
1729
1730         * bytecode/CodeBlock.cpp:
1731         * dfg/DFGByteCodeParser.cpp:
1732         (JSC::DFG::ByteCodeParser::getPrediction):
1733         (JSC::DFG::ByteCodeParser::makeSafe):
1734         * dfg/DFGCapabilities.h:
1735         (JSC::DFG::canCompileOpcode):
1736         * dfg/DFGGraph.cpp:
1737         (JSC::DFG::Graph::predictArgumentTypes):
1738         * dfg/DFGJITCodeGenerator.cpp:
1739         * dfg/DFGJITCodeGenerator.h:
1740         * dfg/DFGJITCompiler.cpp:
1741         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1742         (JSC::DFG::JITCompiler::compileBody):
1743         (JSC::DFG::JITCompiler::link):
1744         * dfg/DFGJITCompiler.h:
1745         (JSC::DFG::JITCompiler::noticeOSREntry):
1746         * dfg/DFGJITCompiler32_64.cpp:
1747         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1748         (JSC::DFG::JITCompiler::compileBody):
1749         (JSC::DFG::JITCompiler::link):
1750         * dfg/DFGNode.h:
1751         * dfg/DFGOSREntry.cpp:
1752         (JSC::DFG::prepareOSREntry):
1753         * dfg/DFGOperations.cpp:
1754         * dfg/DFGOperations.h:
1755         * dfg/DFGPropagator.cpp:
1756         (JSC::DFG::Propagator::fixpoint):
1757         (JSC::DFG::Propagator::propagateArithNodeFlags):
1758         (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
1759         (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
1760         (JSC::DFG::Propagator::propagateNodePredictions):
1761         (JSC::DFG::Propagator::propagatePredictionsForward):
1762         (JSC::DFG::Propagator::propagatePredictionsBackward):
1763         (JSC::DFG::Propagator::propagatePredictions):
1764         (JSC::DFG::Propagator::toDouble):
1765         (JSC::DFG::Propagator::fixupNode):
1766         (JSC::DFG::Propagator::fixup):
1767         (JSC::DFG::Propagator::startIndexForChildren):
1768         (JSC::DFG::Propagator::endIndexForPureCSE):
1769         (JSC::DFG::Propagator::setReplacement):
1770         (JSC::DFG::Propagator::eliminate):
1771         (JSC::DFG::Propagator::performNodeCSE):
1772         (JSC::DFG::Propagator::localCSE):
1773         (JSC::DFG::Propagator::allocateVirtualRegisters):
1774         (JSC::DFG::Propagator::performBlockCFA):
1775         (JSC::DFG::Propagator::performForwardCFA):
1776         (JSC::DFG::Propagator::globalCFA):
1777         * dfg/DFGScoreBoard.h:
1778         * dfg/DFGSpeculativeJIT.cpp:
1779         (JSC::DFG::SpeculativeJIT::compile):
1780         * dfg/DFGSpeculativeJIT.h:
1781         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1782         * dfg/DFGSpeculativeJIT32_64.cpp:
1783         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1784         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1785         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1786         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1787         (JSC::DFG::SpeculativeJIT::compile):
1788         * dfg/DFGSpeculativeJIT64.cpp:
1789         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1790         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1791         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1792         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1793         (JSC::DFG::SpeculativeJIT::compile):
1794         * jit/JIT.cpp:
1795         (JSC::JIT::privateCompile):
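
The following is an added illustration of the pitfall described in the entry above; it is not WebKit code, and the HYPO_* macros and helper functions are hypothetical. It contrasts a feature test that silently evaluates to "off" when the header defining the switch was never included with a settings header that keeps its switches and its test macro together and fails the build when they are missing. From a hardening standpoint the silent case is the dangerous one: a mitigation compiled behind such a test can be quietly disabled by an include-order mistake.

```cpp
// Added example (not WebKit code): why a feature switch tested from the wrong
// header silently reads as disabled. All names here are hypothetical.
#include <cstdio>

// A settings header in the style the entry recommends: the switches and the
// macro that tests them are defined together, so anyone who can use
// HYPO_ENABLE() necessarily has the switches in scope.
#define HYPO_ENABLE_FAST_PATH 1
#define HYPO_ENABLE_TRACING   0
#define HYPO_ENABLE(FEATURE)  (HYPO_ENABLE_##FEATURE)

// Refuse to guess: if the switches are not visible, stop the build instead of
// defaulting to "off".
#if !defined(HYPO_ENABLE_FAST_PATH) || !defined(HYPO_ENABLE_TRACING)
#error "HYPO settings header must be included before testing features"
#endif

constexpr bool fastPathEnabled() { return HYPO_ENABLE(FAST_PATH) != 0; }
constexpr bool tracingEnabled()  { return HYPO_ENABLE(TRACING) != 0; }

// The bug pattern. Suppose a switch lives in some other header that this
// translation unit never included. Inside #if, an identifier that is not a
// macro is replaced by 0, so the test quietly reads as "off". Nothing in the
// source or on the command line decided that, and no diagnostic is emitted
// unless the compiler is invoked with -Wundef.
constexpr int misplacedSwitchObserved() {
#if HYPO_SWITCH_FROM_HEADER_WE_FORGOT_TO_INCLUDE
    return 1;
#else
    return 0;
#endif
}

// With the explicit pattern, a misspelled or missing switch used in ordinary
// code is an undeclared identifier, i.e. a compile error rather than a 0.
// (Uncommenting the next line fails the build, which is the point.)
// constexpr bool typo = HYPO_ENABLE(FASTPATH) != 0;

int main() {
    std::printf("fast path: %d, tracing: %d, misplaced switch observed as: %d\n",
                fastPathEnabled(), tracingEnabled(), misplacedSwitchObserved());
    return 0;
}
```

Building with -Wundef (GCC and Clang) turns the silent case into a warning, which is a cheap check to add to any tree that gates hardening features behind preprocessor switches.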
1796
1797 2011-10-13  Gavin Barraclough  <baraclough@apple.com>
1798
1799         terminateSpeculativeExecution for fillSpeculateDouble with DataFormatCell
1800
1801         Rubber stamped by Filip Pizlo
1802
1803         This is breaking fast/canvas/canvas-composite-alpha.html on 32_64 DFG JIT.
1804
1805         * dfg/DFGSpeculativeJIT32_64.cpp:
1806         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1807         * dfg/DFGSpeculativeJIT64.cpp:
1808         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1809
1810 2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1811
1812         De-virtualized JSCell::toNumber
1813         https://bugs.webkit.org/show_bug.cgi?id=69858
1814
1815         Reviewed by Sam Weinig.
1816
1817
1818         Removed JSCallbackObject::toNumber because it's no longer necessary since 
1819         JSObject::toNumber now suffices since we implicitly add valueOf to an object's
1820         prototype whenever a convertToType callback is provided.
1821         * API/JSCallbackObject.h:
1822         * API/JSCallbackObjectFunctions.h:
1823         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1824
1825         De-virtualized JSCell::toNumber, JSObject::toNumber, and JSString::toNumber.
1826         * runtime/JSCell.cpp:
1827         (JSC::JSCell::toNumber):
1828         * runtime/JSCell.h:
1829         * runtime/JSObject.h:
1830         * runtime/JSString.h:
1831
1832         Removed JSNotAnObject::toNumber because its result doesn't matter and it implements 
1833         defaultValue, therefore JSObject::toNumber can cover its case.
1834         * runtime/JSNotAnObject.cpp:
1835         * runtime/JSNotAnObject.h:
1836
1837 2011-10-13  Xianzhu Wang  <wangxianzhu@chromium.org>
1838
1839         Use realloc() to expand/shrink StringBuilder buffer
1840         https://bugs.webkit.org/show_bug.cgi?id=69913
1841
1842         Reviewed by Darin Adler.
1843
1844         * wtf/text/StringBuilder.cpp:
1845         (WTF::StringBuilder::reserveCapacity):
1846         (WTF::StringBuilder::reallocateBuffer):
1847         (WTF::StringBuilder::appendUninitialized):
1848         (WTF::StringBuilder::shrinkToFit):
1849         * wtf/text/StringBuilder.h:
1850         * wtf/text/StringImpl.cpp:
1851         (WTF::StringImpl::reallocate): Added to allow StringBuilder to reallocate the buffer.
1852         * wtf/text/StringImpl.h:
1853
1854 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1855
1856         If an Arguments object is being used to copy the arguments, then
1857         make this explicit
1858         https://bugs.webkit.org/show_bug.cgi?id=69995
1859
1860         Reviewed by Sam Weinig.
1861
1862         * interpreter/Interpreter.cpp:
1863         (JSC::Interpreter::retrieveArguments):
1864         * runtime/Arguments.h:
1865         (JSC::Arguments::createAndCopyRegisters):
1866         (JSC::Arguments::finishCreationButDontCopyRegisters):
1867         (JSC::Arguments::finishCreation):
1868         (JSC::Arguments::finishCreationAndCopyRegisters):
1869
1870 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1871
1872         DFG CFA does not filter structures aggressively enough.
1873         https://bugs.webkit.org/show_bug.cgi?id=69989
1874
1875         Reviewed by Oliver Hunt.
1876
1877         * dfg/DFGAbstractValue.h:
1878         (JSC::DFG::AbstractValue::clear):
1879         (JSC::DFG::AbstractValue::makeTop):
1880         (JSC::DFG::AbstractValue::clobberStructures):
1881         (JSC::DFG::AbstractValue::set):
1882         (JSC::DFG::AbstractValue::merge):
1883         (JSC::DFG::AbstractValue::filter):
1884         (JSC::DFG::AbstractValue::checkConsistency):
1885
1886 2011-10-12  Adam Barth  <abarth@webkit.org>
1887
1888         Remove ENABLE(XHTMLMP) and associated code
1889         https://bugs.webkit.org/show_bug.cgi?id=69729
1890
1891         Reviewed by David Levin.
1892
1893         * Configurations/FeatureDefines.xcconfig:
1894
1895 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1896
1897         MacroAssemblerX86 8-bit register ops unsafe on CPU(X86)
1898         https://bugs.webkit.org/show_bug.cgi?id=69978
1899
1900         Reviewed by Filip Pizlo.
1901
1902         Certain ops are unsafe if the register passed is esp..edi (will instead test/set the ).
1903
1904         compare32/test8/test32 call setCC, which sets an 8-bit register - we can fix this by adding
1905         a couple of xchg instructions.
1906
1907         branchTest8 with a register argument is also affected. In all cases where this is currently
1908         used, it is testing a value that is correct to 32 or more bits, so we can simply switch these
1909         to branchTest32 & remove the corresponding branchTest8 (this is desirable anyway, since the
1910         32-bit form is cheaper to implement on platforms that don't have an 8-bit compare instruction).
1911
1912         This fixes the remaining fast/js failures with the DFG JIT 32_64.
1913
1914         * assembler/MacroAssemblerARMv7.h:
1915             - removed branchTest8.
1916         * assembler/MacroAssemblerX86Common.h:
1917         (JSC::MacroAssemblerX86Common::compare32):
1918         (JSC::MacroAssemblerX86Common::test8):
1919         (JSC::MacroAssemblerX86Common::test32):
1920         (JSC::MacroAssemblerX86Common::set32):
1921             - added set32 helper that is 'h' register safe.
1922             - removed branchTest8.
1923         * dfg/DFGJITCodeGenerator32_64.cpp:
1924         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1925         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1926             - switch uses of branchTest8 to branchTest32.
1927         * dfg/DFGJITCodeGenerator64.cpp:
1928         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1929         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1930             - switch uses of branchTest8 to branchTest32.
1931         * dfg/DFGSpeculativeJIT32_64.cpp:
1932         (JSC::DFG::SpeculativeJIT::emitBranch):
1933             - switch uses of branchTest8 to branchTest32.
1934         * dfg/DFGSpeculativeJIT64.cpp:
1935         (JSC::DFG::SpeculativeJIT::emitBranch):
1936             - switch uses of branchTest8 to branchTest32.
1937
1938 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1939
1940         Errrk, revert accidental commit!
1941
1942         * wtf/Platform.h:
1943
1944 2011-10-12  Gavin Barraclough  <baraclough@apple.com>
1945
1946         Unreviewed, re-land changes from #69890, #69903.
1947
1948         These were reverted due to bug #69897, but #69903 fixed this problem.
1949
1950         * dfg/DFGJITCodeGenerator.h:
1951         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1952
1953 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
1954
1955         ValueProfile::computeUpdatedPrediction doesn't merge statistics correctly
1956         https://bugs.webkit.org/show_bug.cgi?id=69906
1957
1958         Reviewed by Gavin Barraclough.
1959         
1960         It turns out that the simplest fix is to switch computeUpdatedPredictions()
1961         to using predictionFromValue() combined with mergePrediction(). Doing so
1962         allowed me to kill off weakBuckets and visitWeakReferences(). Hence this
1963         not only fixes a performance bug but kills off a lot of code that I never
1964         liked to begin with.
1965         
1966         This appears to be a 1% win on V8.
1967
1968         * bytecode/CodeBlock.cpp:
1969         (JSC::CodeBlock::visitAggregate):
1970         * bytecode/CodeBlock.h:
1971         * bytecode/PredictedType.cpp:
1972         (JSC::predictionFromValue):
1973         * bytecode/ValueProfile.cpp:
1974         (JSC::ValueProfile::computeStatistics):
1975         (JSC::ValueProfile::computeUpdatedPrediction):
1976         * bytecode/ValueProfile.h:
1977         (JSC::ValueProfile::classInfo):
1978         (JSC::ValueProfile::numberOfSamples):
1979         (JSC::ValueProfile::isLive):
1980         (JSC::ValueProfile::dump):
1981
1982 2011-10-12  Mark Hahnenberg  <mhahnenberg@apple.com>
1983
1984         De-virtualize JSCell::toString
1985         https://bugs.webkit.org/show_bug.cgi?id=69677
1986
1987         Reviewed by Sam Weinig.
1988
1989         Removed toString from JSCallbackObject, since it is no 
1990         longer necessary since we now implicitly add toString and valueOf
1991         functions to object prototypes when a convertToType callback 
1992         is provided, which is now the standard way to override toString 
1993         and valueOf in the JSC C API.
1994         * API/JSCallbackObject.h:
1995         * API/JSCallbackObjectFunctions.h:
1996         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1997
1998         Removed toString from InterruptedExecutionError and 
1999         TerminatedExecutionError and replaced it with defaultValue,
2000         which JSObject::toString calls.  We'll probably have to de-virtualize 
2001         defaultValue eventually, but we'll cross that bridge when we 
2002         come to it.
2003         * runtime/ExceptionHelpers.cpp:
2004         (JSC::InterruptedExecutionError::defaultValue):
2005         (JSC::TerminatedExecutionError::defaultValue):
2006         * runtime/ExceptionHelpers.h:
2007
2008         Removed toString from JSNotAnObject, since its return value doesn't
2009         actually matter and JSObject::toString can cover it.
2010         * runtime/JSNotAnObject.cpp:
2011         * runtime/JSNotAnObject.h:
2012
2013         De-virtualized JSCell::toString, JSObject::toString and JSString::toString.
2014         Added handling of all cases for JSCell to JSCell::toString.
2015         * runtime/JSObject.h:
2016         * runtime/JSString.h:
2017         * runtime/JSCell.cpp:
2018         (JSC::JSCell::toString):
2019         * runtime/JSCell.h:
2020
2021 2011-10-12  Oliver Hunt  <oliver@apple.com>
2022
2023         Global stringStructure caches its prototype chain, abandoning a web page
2024         https://bugs.webkit.org/show_bug.cgi?id=69952
2025
2026         Reviewed by Filip Pizlo.
2027
2028         When visiting a structure, we don't keep the prototype chain
2029         alive if we're not the structure for an object type.
2030
2031         * runtime/Structure.cpp:
2032         (JSC::Structure::visitChildren):
2033
2034 2011-10-12  Yuqiang Xian  <yuqiang.xian@intel.com>
2035
2036         DFG JIT 32_64 - Fix ArrayPop
2037         https://bugs.webkit.org/show_bug.cgi?id=69918
2038
2039         Reviewed by Filip Pizlo.
2040
2041         The storageLengthGPR is polluted by EmptyValueTag and later used to
2042         index the array, which results in abnormal behaviors in execution.
2043         This fix makes 32_64 DFG pass v8-deltablue and kraken
2044         crypto-sha256-iterative on Linux ia32.
2045
2046         * assembler/MacroAssemblerX86Common.h:
2047         (JSC::MacroAssemblerX86Common::store32):
2048         * assembler/X86Assembler.h:
2049         (JSC::X86Assembler::movl_i32m):
2050         * dfg/DFGSpeculativeJIT32_64.cpp:
2051         (JSC::DFG::SpeculativeJIT::compile):
2052
2053 2011-10-12  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>
2054
2055         Fix build with GLib 2.31
2056         https://bugs.webkit.org/show_bug.cgi?id=69840
2057
2058         Reviewed by Martin Robinson.
2059
2060         * GNUmakefile.list.am: removed ThreadingGtk.cpp.
2061         * wtf/ThreadingPrimitives.h: remove GTK+-specific definitions.
2062         * wtf/gobject/GOwnPtr.cpp: remove GCond and GMutex specializations.
2063         * wtf/gobject/GOwnPtr.h: ditto.
2064         * wtf/gobject/GTypedefs.h: remove GCond and GMutex forward declarations.
2065         * wtf/gtk/ThreadingGtk.cpp: Removed.
2066
2067 2011-10-12  Filip Pizlo  <fpizlo@apple.com>
2068
2069         Layout tests crashing in DFG JIT code
2070         https://bugs.webkit.org/show_bug.cgi?id=69897
2071
2072         Reviewed by Gavin Barraclough.
2073         
2074         Abstract value filtration didn't take into account cases where a structure
2075         set filter, combined with predicted type knowledge, could lead to a stronger
2076         filter for the structure abstract value.
2077         
2078         This bug would have been benign in release builds; it would have just meant
2079         that the analysis was less precise and some optimization opportunities would
2080         be missed. I have an ASSERT that is meant to catch such cases, and it was
2081         triggering sporadically in one of the LayoutTests.
2082
2083         * dfg/DFGAbstractValue.h:
2084         (JSC::DFG::AbstractValue::filter):
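
As an added illustration of the structure lattice that the entry above and the CFA entry for bug 69690 further down describe, the following C++ is not WebKit's code: it models a simplified StructureSet with clear (bottom), a finite set of structures, and top, together with the merge, filter and clobber operations the analysis needs. The StructureID type, the method names and the scenarios are assumptions; the real JSC::DFG::StructureAbstractValue differs in detail, and the interplay with predicted types that bug 69897 concerns is not modelled.

```cpp
// Added example, not WebKit code: a toy model of the structure abstract value
// used by a control flow analysis. All names and rules are simplified assumptions.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <utility>
#include <vector>

using StructureID = uint32_t;   // stands in for a Structure* (hypothetical)

class StructureSet {
public:
    // Bottom: nothing has flowed here yet (unreachable or not yet analysed).
    static StructureSet clear() { return StructureSet(false, {}); }
    // Top: any structure at all, e.g. after a side effect clobbered our knowledge.
    static StructureSet top() { return StructureSet(true, {}); }
    static StructureSet of(std::initializer_list<StructureID> ids) {
        StructureSet s(false, {});
        for (StructureID id : ids) s.add(id);
        return s;
    }

    bool isClear() const { return !m_top && m_ids.empty(); }
    bool isTop() const { return m_top; }
    std::size_t size() const { return m_ids.size(); }
    bool contains(StructureID id) const {
        return m_top || std::find(m_ids.begin(), m_ids.end(), id) != m_ids.end();
    }

    // Join at a control-flow merge: union of what each predecessor proved.
    // Top absorbs everything; the result is never more precise than an input.
    void merge(const StructureSet& other) {
        if (m_top) return;
        if (other.m_top) { makeTop(); return; }
        for (StructureID id : other.m_ids) add(id);
    }

    // Meet against a successful structure check: only structures in both sets
    // remain possible. Filtering Top yields exactly `allowed`, which is the
    // precise knowledge the check establishes.
    void filter(const StructureSet& allowed) {
        if (allowed.m_top) return;
        if (m_top) { *this = allowed; return; }
        std::vector<StructureID> kept;
        for (StructureID id : m_ids)
            if (allowed.contains(id)) kept.push_back(id);
        m_ids.swap(kept);
    }

    // A heap side effect (a call, a put that may transition) invalidates
    // structure knowledge; the conservative answer is Top.
    void clobber() { makeTop(); }

private:
    StructureSet(bool top, std::vector<StructureID> ids) : m_top(top), m_ids(std::move(ids)) {}
    void makeTop() { m_top = true; m_ids.clear(); }
    void add(StructureID id) {
        if (contains(id)) return;
        m_ids.push_back(id);
        std::sort(m_ids.begin(), m_ids.end());   // keep canonical order
    }

    bool m_top;
    std::vector<StructureID> m_ids;
};

// Scenario from the CFA entry: both predecessors checked that X has structure
// 0xabcdef, so the successor inherits that proof and needs no further check.
inline bool successorKnowsStructureExactly() {
    StructureSet atBlock = StructureSet::clear();
    atBlock.merge(StructureSet::of({0xabcdef}));
    atBlock.merge(StructureSet::of({0xabcdef}));
    return atBlock.size() == 1 && atBlock.contains(0xabcdef) && !atBlock.isTop();
}

// A predecessor with a side effect loses the proof; the check must be re-emitted.
inline bool clobberForcesRecheck() {
    StructureSet fromPredB = StructureSet::of({0xabcdef});
    fromPredB.clobber();
    StructureSet atBlock = StructureSet::clear();
    atBlock.merge(StructureSet::of({0xabcdef}));
    atBlock.merge(fromPredB);
    return atBlock.isTop();
}

// A check after clobbering must yield the checked set, not stay Top.
inline bool filterAfterClobberIsPrecise() {
    StructureSet v = StructureSet::top();
    v.filter(StructureSet::of({0xabcdef, 0x123456}));
    return v.size() == 2 && !v.isTop();
}

// Filtering a finite set is plain intersection.
inline bool filterIsIntersection() {
    StructureSet v = StructureSet::of({1, 2, 3});
    v.filter(StructureSet::of({2, 3, 4}));
    return v.size() == 2 && v.contains(2) && v.contains(3) && !v.contains(1);
}
```

The invariant to keep in mind when reading the real AbstractValue::filter is the one the third scenario exercises: a filter is a meet, so it may only ever shrink the set, and applying it to Top must produce the checked set rather than leaving Top in place, otherwise the analysis silently forgets a proof it was entitled to.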
2085
2086 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
2087
2088         Unreviewed, temporarily reverted r97216 due to bug #69897.
2089
2090         * dfg/DFGJITCodeGenerator.h:
2091         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2092
2093 2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>
2094
2095         DFG 32_64 - fix silentFillGPR
2096         https://bugs.webkit.org/show_bug.cgi?id=69903
2097
2098         Reviewed by Filip Pizlo.
2099
2100         Fix a small bug in silentFillGPR,
2101         and add the newly introduced DFG file to CMakeListsEfl.
2102
2103         * CMakeListsEfl.txt:
2104         * dfg/DFGJITCodeGenerator.h:
2105         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2106
2107 2011-10-08  Filip Pizlo  <fpizlo@apple.com>
2108
2109         DFG does not have flow-sensitive intraprocedural control flow analysis
2110         https://bugs.webkit.org/show_bug.cgi?id=69690
2111
2112         Reviewed by Gavin Barraclough.
2113
2114         Implemented a control flow analysis (CFA). It currently propagates type
2115         proofs only. For example, if all predecessors to a basic block have
2116         checks that variable X is a JSFinalObject with structure 0xabcdef, then
2117         this basic block will now know this fact and will know that it does not
2118         have to emit either JSFinalObject checks or any structure checks since
2119         the structure is precisely known. The CFA takes heap side-effects into
2120         account (though somewhat conservatively), so that if the object pointed
2121         to by variable X could have possibly undergone a structure transition
2122         then this is reflected: the analysis may simply say that X's structure
2123         is unknown.
2124         
2125         This also propagates a wealth of other type information which is
2126         currently not being used. For example, we now know when a variable can
2127         only hold doubles. Even if a variable may hold other types at different
2128         points in its live range, we can still prove exactly when it will only
2129         be double.
2130         
2131         There's a bunch of stuff that the CFA could do that it still does not
2132         do, like precise handling of PutStructure (i.e. structure transitions),
2133         precise handling of CheckFunction and CheckMethod, etc. So this is
2134         very much intended to be a starting point rather than an end unto
2135         itself.
2136         
2137         This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue)
2138         and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate).
2139         Neutral on SunSpider.
2140
2141         * GNUmakefile.list.am:
2142         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2143         * JavaScriptCore.xcodeproj/project.pbxproj:
2144         * bytecode/ActionablePrediction.h: Removed.
2145         * bytecode/PredictedType.cpp:
2146         (JSC::predictionToString):
2147         * bytecode/PredictedType.h:
2148         * dfg/DFGAbstractState.cpp: Added.
2149         (JSC::DFG::AbstractState::AbstractState):
2150         (JSC::DFG::AbstractState::~AbstractState):
2151         (JSC::DFG::AbstractState::beginBasicBlock):
2152         (JSC::DFG::AbstractState::initialize):
2153         (JSC::DFG::AbstractState::endBasicBlock):
2154         (JSC::DFG::AbstractState::reset):
2155         (JSC::DFG::AbstractState::execute):
2156         (JSC::DFG::AbstractState::clobberStructures):
2157         (JSC::DFG::AbstractState::mergeStateAtTail):
2158         (JSC::DFG::AbstractState::merge):
2159         (JSC::DFG::AbstractState::mergeToSuccessors):
2160         (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
2161         (JSC::DFG::AbstractState::dump):
2162         * dfg/DFGAbstractState.h: Added.
2163         (JSC::DFG::AbstractState::forNode):
2164         (JSC::DFG::AbstractState::isValid):
2165         * dfg/DFGAbstractValue.h: Added.
2166         (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
2167         (JSC::DFG::StructureAbstractValue::clear):
2168         (JSC::DFG::StructureAbstractValue::makeTop):
2169         (JSC::DFG::StructureAbstractValue::top):
2170         (JSC::DFG::StructureAbstractValue::add):
2171         (JSC::DFG::StructureAbstractValue::addAll):
2172         (JSC::DFG::StructureAbstractValue::contains):
2173         (JSC::DFG::StructureAbstractValue::isSubsetOf):
2174         (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
2175         (JSC::DFG::StructureAbstractValue::isSupersetOf):
2176         (JSC::DFG::StructureAbstractValue::filter):
2177         (JSC::DFG::StructureAbstractValue::isClear):
2178         (JSC::DFG::StructureAbstractValue::isTop):
2179         (JSC::DFG::StructureAbstractValue::size):
2180         (JSC::DFG::StructureAbstractValue::at):
2181         (JSC::DFG::StructureAbstractValue::operator[]):
2182         (JSC::DFG::StructureAbstractValue::last):
2183         (JSC::DFG::StructureAbstractValue::predictionFromStructures):
2184         (JSC::DFG::StructureAbstractValue::operator==):
2185         (JSC::DFG::StructureAbstractValue::dump):
2186         (JSC::DFG::AbstractValue::AbstractValue):
2187         (JSC::DFG::AbstractValue::clear):
2188         (JSC::DFG::AbstractValue::isClear):
2189         (JSC::DFG::AbstractValue::makeTop):
2190         (JSC::DFG::AbstractValue::clobberStructures):
2191         (JSC::DFG::AbstractValue::isTop):
2192         (JSC::DFG::AbstractValue::top):
2193         (JSC::DFG::AbstractValue::set):
2194         (JSC::DFG::AbstractValue::operator==):
2195         (JSC::DFG::AbstractValue::merge):
2196         (JSC::DFG::AbstractValue::filter):
2197         (JSC::DFG::AbstractValue::validate):
2198         (JSC::DFG::AbstractValue::dump):
2199         * dfg/DFGBasicBlock.h: Added.
2200         (JSC::DFG::BasicBlock::BasicBlock):
2201         (JSC::DFG::BasicBlock::getBytecodeBegin):
2202         * dfg/DFGByteCodeParser.cpp:
2203         (JSC::DFG::ByteCodeParser::getLocal):
2204         (JSC::DFG::ByteCodeParser::setLocal):
2205         (JSC::DFG::ByteCodeParser::getArgument):
2206         (JSC::DFG::ByteCodeParser::setArgument):
2207         (JSC::DFG::ByteCodeParser::parseBlock):
2208         (JSC::DFG::ByteCodeParser::processPhiStack):
2209         (JSC::DFG::ByteCodeParser::setupPredecessors):
2210         * dfg/DFGGraph.cpp:
2211         (JSC::DFG::Graph::dump):
2212         * dfg/DFGGraph.h:
2213         * dfg/DFGJITCodeGenerator.h:
2214         (JSC::DFG::block):
2215         * dfg/DFGJITCodeGenerator32_64.cpp:
2216         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2217         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2218         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2219         * dfg/DFGJITCodeGenerator64.cpp:
2220         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2221         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2222         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2223         * dfg/DFGJITCompiler.h:
2224         (JSC::DFG::JITCompiler::noticeOSREntry):
2225         * dfg/DFGNode.h:
2226         (JSC::DFG::NodeIndexTraits::defaultValue):
2227         (JSC::DFG::Node::variableAccessData):
2228         (JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
2229         (JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
2230         (JSC::DFG::Node::setTakenBlockIndex):
2231         (JSC::DFG::Node::setNotTakenBlockIndex):
2232         (JSC::DFG::Node::takenBlockIndex):
2233         (JSC::DFG::Node::notTakenBlockIndex):
2234         * dfg/DFGOSREntry.cpp:
2235         (JSC::DFG::prepareOSREntry):
2236         * dfg/DFGOSREntry.h:
2237         * dfg/DFGOperands.h: Added.
2238         (JSC::DFG::operandIsArgument):
2239         (JSC::DFG::OperandValueTraits::defaultValue):
2240         (JSC::DFG::Operands::Operands):
2241         (JSC::DFG::Operands::numberOfArguments):
2242         (JSC::DFG::Operands::numberOfLocals):
2243         (JSC::DFG::Operands::argument):
2244         (JSC::DFG::Operands::local):
2245         (JSC::DFG::Operands::setLocal):
2246         (JSC::DFG::Operands::setArgumentFirstTime):
2247         (JSC::DFG::Operands::setLocalFirstTime):
2248         (JSC::DFG::Operands::operand):
2249         (JSC::DFG::Operands::setOperand):
2250         (JSC::DFG::Operands::clear):
2251         (JSC::DFG::dumpOperands):
2252         * dfg/DFGPropagator.cpp:
2253         (JSC::DFG::Propagator::fixpoint):
2254         (JSC::DFG::Propagator::propagateArithNodeFlags):
2255         (JSC::DFG::Propagator::propagateNodePredictions):
2256         (JSC::DFG::Propagator::propagatePredictions):
2257         (JSC::DFG::Propagator::performBlockCFA):
2258         (JSC::DFG::Propagator::performForwardCFA):
2259         (JSC::DFG::Propagator::globalCFA):
2260         * dfg/DFGSpeculativeJIT.cpp:
2261         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
2262         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2263         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
2264         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2265         (JSC::DFG::SpeculativeJIT::compile):
2266         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
2267         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2268         * dfg/DFGSpeculativeJIT.h:
2269         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
2270         * dfg/DFGSpeculativeJIT32_64.cpp:
2271         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2272         (JSC::DFG::SpeculativeJIT::compare):
2273         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2274         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2275         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2276         (JSC::DFG::SpeculativeJIT::emitBranch):
2277         (JSC::DFG::SpeculativeJIT::compile):
2278         * dfg/DFGSpeculativeJIT64.cpp:
2279         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2280         (JSC::DFG::SpeculativeJIT::compare):
2281         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2282         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2283         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2284         (JSC::DFG::SpeculativeJIT::emitBranch):
2285         (JSC::DFG::SpeculativeJIT::compile):
2286         * dfg/DFGStructureSet.h:
2287         (JSC::DFG::StructureSet::clear):
2288         (JSC::DFG::StructureSet::predictionFromStructures):
2289         (JSC::DFG::StructureSet::operator==):
2290         (JSC::DFG::StructureSet::dump):
2291         * dfg/DFGVariableAccessData.h: Added.
2292
2293 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
2294
2295         DFG JIT 32_64 - Fix silentFillGPR for non-integer constants.
2296         https://bugs.webkit.org/show_bug.cgi?id=69890
2297
2298         Reviewed by Oliver Hunt.
2299
2300         Cell constants are currently hitting the valueOfInt32Constant case, there is no constant handling for JSValues.
2301
2302         * dfg/DFGJITCodeGenerator.h:
2303         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2304
2305 2011-10-11  Ryosuke Niwa  <rniwa@webkit.org>
2306
2307         GTK build fix attempt after r97197.
2308
2309         * wtf/BitVector.h:
2310
2311 2011-10-11  Oliver Hunt  <oliver@apple.com>
2312
2313         Remove unintentional logging.
2314
2315         * heap/Heap.cpp:
2316
2317 2011-10-11  Oliver Hunt  <oliver@apple.com>
2318
2319         Tidy up card walking logic
2320         https://bugs.webkit.org/show_bug.cgi?id=69883
2321
2322         Reviewed by Gavin Barraclough.
2323
2324         Special case common cell sizes when walking a block's
2325         cards.
2326
2327         * heap/CardSet.h:
2328         (JSC::::testAndClear):
2329         * heap/Heap.cpp:
2330         (JSC::GCTimer::GCCounter::GCCounter):
2331         (JSC::GCTimer::GCCounter::count):
2332         (JSC::GCTimer::GCCounter::~GCCounter):
2333         (JSC::Heap::markRoots):
2334         * heap/MarkStack.cpp:
2335         (JSC::MarkStack::reset):
2336         * heap/MarkStack.h:
2337         (JSC::MarkStack::visitCount):
2338         (JSC::MarkStack::MarkStack):
2339         (JSC::MarkStack::append):
2340         * heap/MarkedBlock.h:
2341         (JSC::MarkedBlock::gatherDirtyCellsWithSize):
2342         (JSC::MarkedBlock::gatherDirtyCells):
2343         * runtime/Structure.h:
2344         (JSC::MarkStack::internalAppend):
2345
2346 2011-10-11  Filip Pizlo  <fpizlo@apple.com>
2347
2348         DFG virtual register allocator should be more aggressive in
2349         reusing temporary slots
2350         https://bugs.webkit.org/show_bug.cgi?id=69868
2351
2352         Reviewed by Oliver Hunt.
2353         
2354         1.2% win on V8, neutral elsewhere. The win is probably because it
2355         increases precision of GC conservative scans.
2356         
2357         This required making the DFG::ScoreBoard operate over a bitvector
2358         of preserved variables, rather than just a preserved variable
2359         threshold. To do this, I improved the WTF::BitVector class to make
2360         it more user-friendly. It still retains all previous functionality.
2361         Also made changes to PackedIntVector to accommodate those changes.
2362         Finally, this adds more debugging to the virtual register allocator
2363         and to the OSR exit code, as this was necessary to track down bugs
2364         in an earlier version of this patch.
2365
2366         * dfg/DFGByteCodeParser.cpp:
2367         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2368         (JSC::DFG::ByteCodeParser::getLocal):
2369         * dfg/DFGGraph.h:
2370         * dfg/DFGJITCompiler.cpp:
2371         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2372         * dfg/DFGPropagator.cpp:
2373         (JSC::DFG::Propagator::allocateVirtualRegisters):
2374         * dfg/DFGScoreBoard.h:
2375         (JSC::DFG::ScoreBoard::ScoreBoard):
2376         (JSC::DFG::ScoreBoard::~ScoreBoard):
2377         (JSC::DFG::ScoreBoard::allocate):
2378         (JSC::DFG::ScoreBoard::use):
2379         (JSC::DFG::ScoreBoard::highWatermark):
2380         (JSC::DFG::ScoreBoard::dump):
2381         (JSC::DFG::ScoreBoard::max):
2382         * dfg/DFGSpeculativeJIT.cpp:
2383         (JSC::DFG::ValueRecovery::dump):
2384         * wtf/BitVector.cpp:
2385         (WTF::BitVector::setSlow):
2386         (WTF::BitVector::resizeOutOfLine):
2387         (WTF::BitVector::dump):
2388         * wtf/BitVector.h:
2389         (WTF::BitVector::BitVector):
2390         (WTF::BitVector::operator=):
2391         (WTF::BitVector::quickGet):
2392         (WTF::BitVector::quickSet):
2393         (WTF::BitVector::quickClear):
2394         (WTF::BitVector::get):
2395         (WTF::BitVector::set):
2396         (WTF::BitVector::clear):
2397         * wtf/PackedIntVector.h:
2398         (WTF::PackedIntVector::get):
2399         (WTF::PackedIntVector::set):
2400
2401 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
2402
2403         DFG JIT 32_64 - Switch to cdecl calling convention.
2404         https://bugs.webkit.org/show_bug.cgi?id=69863
2405
2406         Reviewed by Oliver Hunt.
2407
2408         This makes it easier to keep the stack correctly aligned, which is required on OS X.
2409
2410         * assembler/MacroAssemblerCodeRef.h:
2411         (JSC::FunctionPtr::FunctionPtr):
2412             - Provide default FunctionPtr constructors for CDECL functions on STDCALL platforms.
2413         * dfg/DFGJITCodeGenerator.h:
2414         (JSC::DFG::callOperation):
2415             - Switch calls to poke arguments rather than pushing them.
2416         (JSC::DFG::resetCallArguments):
2417         (JSC::DFG::addCallArgument):
2418         (JSC::DFG::addCallArgumentBoxed):
2419             - Helper functions to stack up call arguments on X86.
2420         * dfg/DFGJITCodeGenerator32_64.cpp:
2421         (JSC::DFG::JITCodeGenerator::emitCall):
2422             - Don't push, poke!
2423         * dfg/DFGJITCompiler32_64.cpp:
2424         (JSC::DFG::JITCompiler::compileBody):
2425             - Don't push, poke!
2426         * dfg/DFGOperations.cpp:
2427             - Switch ReturnAddress wrappers to push return address last, update asm trampolines.
2428         * dfg/DFGOperations.h:
2429             - switch DFG_OPERATION to assert CDECL on STDCALL platforms.
2430         * dfg/DFGSpeculativeJIT32_64.cpp:
2431         (JSC::DFG::fmodWithCDecl):
2432         (JSC::DFG::SpeculativeJIT::compile):
2433             - On STDCALL platforms wrap fmod, since DFG_OPERATION wrappers are CDECL.
2434
2435 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
2436
2437         Switch RegisterSizedBoolean/dfgConvertJSValueToInt32 return type to size_t
2438         https://bugs.webkit.org/show_bug.cgi?id=69821
2439
2440         Reviewed by Filip Pizlo.
2441
2442         Operations returning types Z (int32_t) and B (RegisterSizedBoolean - implemented as an
2443         intptr_t) are indistinguishable on 32-bit Linux, preventing the DFG JIT from building.
2444
2445         dfgConvertJSValueToInt32 would be better returning a value known to be register sized, for
2446         JSVALUE64 (we currently zero-extend in JIT code, potentially introducing an unnecessary
2447         move), so by switching all associated operations to return a size_t we can fix the type
2448         problem on Linux & make it a small tweak that removes an unnecessary instruction.
2449
2450         * dfg/DFGJITCodeGenerator.cpp:
2451         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2452             - comparisons now return a size_t.
2453         * dfg/DFGJITCodeGenerator.h:
2454         (JSC::DFG::callOperation):
2455             - Removed Z_DFGOperation_EJ form.
2456         * dfg/DFGJITCodeGenerator32_64.cpp:
2457         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2458         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2459             - comparisons now return a size_t.
2460         * dfg/DFGJITCodeGenerator64.cpp:
2461         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2462         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2463         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2464             - comparisons now return a size_t.
2465         * dfg/DFGOperations.cpp:
2466         * dfg/DFGOperations.h:
2467             - Change return types for comparison operations & dfgConvertJSValueToInt32 to size_t,
2468               Both need to return values zero extended to fill a register.
2469         * dfg/DFGSpeculativeJIT.cpp:
2470         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2471             - comparisons now return a size_t.
2472         * dfg/DFGSpeculativeJIT.h:
2473         * dfg/DFGSpeculativeJIT32_64.cpp:
2474         (JSC::DFG::SpeculativeJIT::compare):
2475             - comparisons now return a size_t.
2476         * dfg/DFGSpeculativeJIT64.cpp:
2477         (JSC::DFG::SpeculativeJIT::compare):
2478             - comparisons now return a size_t.
2479
2480 2011-10-11  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>
2481
2482         [Qt] Remove all references to QTDIR_build and standalone_package
2483
2484         Qt is now modularized, which means we no longer import WebKit into
2485         the Qt source tree. Instead we use git submodules, and building
2486         QtWebKit as "part of Qt" is really building QtWebKit as from trunk.
2487
2488         To decrease the number of buildsystem configurations we also remove
2489         the standalone_package code-path used when we were providing tarballs
2490         with the derived sources pre-generated.
2491
2492         Reviewed by Simon Hausmann.
2493
2494         * DerivedSources.pro:
2495         * JavaScriptCore.pri:
2496         * JavaScriptCore.pro:
2497
2498 2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>
2499
2500         Add missing copyright notice in DFG JIT files
2501         https://bugs.webkit.org/show_bug.cgi?id=69809
2502
2503         Reviewed by Gavin Barraclough.
2504
2505         * dfg/DFGJITCodeGenerator32_64.cpp:
2506         * dfg/DFGJITCompiler32_64.cpp:
2507         * dfg/DFGJITCompilerInlineMethods.h:
2508         * dfg/DFGSpeculativeJIT32_64.cpp:
2509
2510 2011-10-10  Filip Pizlo  <fpizlo@apple.com>
2511
2512         DFG JSVALUE64 spill/fill code should not box integers and doubles
2513         https://bugs.webkit.org/show_bug.cgi?id=69782
2514
2515         Reviewed by Oliver Hunt.
2516         
2517         Added the notion of DataFormatInteger and DataFormatDouble to the spillFormat.
2518         This required changing all of the places that spill registers (both silently
2519         and not) and filling registers (both silently and on demand). It also required
2520         changing OSR exit to recognize that a spilled value (DisplacedInRegisterFile)
2521         may have the wrong format for the old JIT (unboxed int or double).
2522         
2523         This is a slight win on Kraken (0.25%) and neutral elsewhere.
2524
2525         * dfg/DFGGenerationInfo.h:
2526         (JSC::DFG::GenerationInfo::spill):
2527         * dfg/DFGJITCodeGenerator.h:
2528         (JSC::DFG::JITCodeGenerator::silentFillFPR):
2529         (JSC::DFG::JITCodeGenerator::spill):
2530         * dfg/DFGJITCodeGenerator64.cpp:
2531         (JSC::DFG::JITCodeGenerator::fillInteger):
2532         (JSC::DFG::JITCodeGenerator::fillDouble):
2533         (JSC::DFG::JITCodeGenerator::fillJSValue):
2534         * dfg/DFGJITCompiler.cpp:
2535         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2536         * dfg/DFGSpeculativeJIT.cpp:
2537         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2538         * dfg/DFGSpeculativeJIT.h:
2539         (JSC::DFG::ValueRecovery::displacedInRegisterFile):
2540         (JSC::DFG::ValueRecovery::virtualRegister):
2541         * dfg/DFGSpeculativeJIT64.cpp:
2542         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2543         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2544         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2545         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2546
2547 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
2548
2549         DFG JIT switch dfgConvert methods to use callOperation
2550         https://bugs.webkit.org/show_bug.cgi?id=69806
2551
2552         Reviewed by Filip Pizlo.
2553
2554         * dfg/DFGJITCodeGenerator.h:
2555         (JSC::DFG::callOperation):
2556         * dfg/DFGJITCodeGenerator32_64.cpp:
2557         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
2558         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2559         * dfg/DFGJITCodeGenerator64.cpp:
2560         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
2561         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2562         * dfg/DFGOperations.h:
2563
2564 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
2565
2566         Remove some unused methods from the DFG JIT.
2567
2568         Rubber stamped by Oliver Hunt
2569
2570         These methods were only used by the non-speculative JIT, and can be removed.
2571
2572         * dfg/DFGJITCodeGenerator.h:
2573         * dfg/DFGJITCodeGenerator32_64.cpp:
2574         * dfg/DFGJITCodeGenerator64.cpp:
2575             - removed:
2576                 nonSpeculativeAdd
2577                 nonSpeculativeArithSub
2578                 nonSpeculativeArithMod
2579                 nonSpeculativeCheckHasInstance
2580                 nonSpeculativeInstanceOf
2581         * dfg/DFGOperations.cpp:
2582         * dfg/DFGOperations.h:
2583             - removed:
2584                 operationArithMod
2585                 operationInstanceOf
2586                 operationThrowHasInstanceError
2587
2588 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
2589
2590         Switch most calls in DFGJITCodeGenerator to use callOperation.
2591         https://bugs.webkit.org/show_bug.cgi?id=69802
2592
2593         Reviewed by Oliver Hunt.
2594
2595         Compares, add, mod are the easy cases.
2596
2597         * dfg/DFGJITCodeGenerator.h:
2598         (JSC::DFG::callOperation):
2599         * dfg/DFGJITCodeGenerator32_64.cpp:
2600         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
2601         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
2602         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
2603         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2604         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2605         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2606         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2607         * dfg/DFGJITCodeGenerator64.cpp:
2608         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
2609         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
2610         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2611         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2612         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2613         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2614         * dfg/DFGOperations.cpp:
2615         * dfg/DFGOperations.h:
2616
2617 2011-10-10  Gavin Barraclough  <baraclough@apple.com>
2618
2619         DFG: Switch GetById / PutById to use callOperation
2620         https://bugs.webkit.org/show_bug.cgi?id=69795
2621
2622         Reviewed by Oliver Hunt.
2623
2624         Also make these take the base as a cell, so 32_64 doesn't have to set up the cell tag.
2625
2626         * dfg/DFGJITCodeGenerator.h:
2627         (JSC::DFG::callOperation):
2628         * dfg/DFGJITCodeGenerator32_64.cpp:
2629         (JSC::DFG::JITCodeGenerator::cachedGetById):
2630         (JSC::DFG::JITCodeGenerator::cachedPutById):
2631         * dfg/DFGJITCodeGenerator64.cpp:
2632         (JSC::DFG::JITCodeGenerator::cachedGetById):
2633         (JSC::DFG::JITCodeGenerator::cachedPutById):
2634         * dfg/DFGOperations.cpp:
2635         * dfg/DFGOperations.h:
2636         * dfg/DFGRepatch.cpp:
2637         (JSC::DFG::appropriatePutByIdFunction):
2638
2639 2011-10-10  Filip Pizlo  <fpizlo@apple.com>
2640
2641         REGRESSION (r95399): Web process hangs when opening documents on Google Docs
2642         https://bugs.webkit.org/show_bug.cgi?id=69412
2643
2644         Reviewed by Oliver Hunt.
2645
2646         * dfg/DFGSpeculativeJIT32_64.cpp:
2647         (JSC::DFG::SpeculativeJIT::compile):
2648         * dfg/DFGSpeculativeJIT64.cpp:
2649         (JSC::DFG::SpeculativeJIT::compile):
2650         * jit/JIT.cpp:
2651         (JSC::JIT::privateCompile):
2652         * jit/JIT.h:
2653
2654 2011-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2655
2656         Remove getCallDataVirtual methods
2657         https://bugs.webkit.org/show_bug.cgi?id=69186
2658
2659         Reviewed by Geoffrey Garen.
2660
2661         Removed all getCallDataVirtual methods and replaced their call sites 
2662         with an explicit lookup in the MethodTable.
2663
2664         * API/JSCallbackFunction.cpp:
2665         * API/JSCallbackFunction.h:
2666         * API/JSCallbackObject.h:
2667         * API/JSCallbackObjectFunctions.h:
2668         * API/JSObjectRef.cpp:
2669         (JSObjectIsFunction):
2670         (JSObjectCallAsFunction):
2671         * JavaScriptCore.exp:
2672         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2673         * interpreter/Interpreter.cpp:
2674         (JSC::Interpreter::privateExecute):
2675         * jit/JITStubs.cpp:
2676         (JSC::DEFINE_STUB_FUNCTION):
2677         * runtime/ArrayConstructor.cpp:
2678         * runtime/ArrayConstructor.h:
2679         * runtime/BooleanConstructor.cpp:
2680         * runtime/BooleanConstructor.h:
2681         * runtime/DateConstructor.cpp:
2682         * runtime/DateConstructor.h:
2683
2684         Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
2685         the class definition in JSGlobalObject.cpp.
2686         * runtime/Error.cpp:
2687         (JSC::createTypeErrorFunction):
2688         * runtime/Error.h:
2689         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2690         (JSC::StrictModeTypeErrorFunction::create):
2691         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2692         (JSC::StrictModeTypeErrorFunction::getConstructData):
2693         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2694         (JSC::StrictModeTypeErrorFunction::getCallData):
2695         (JSC::StrictModeTypeErrorFunction::createStructure):
2696         * runtime/ErrorConstructor.cpp:
2697         * runtime/ErrorConstructor.h:
2698         * runtime/FunctionConstructor.cpp:
2699         * runtime/FunctionConstructor.h:
2700         * runtime/FunctionPrototype.cpp:
2701         * runtime/FunctionPrototype.h:
2702
2703         To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have 
2704         to declare their own ClassInfo if they don't override getCallData, provided 
2705         an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same 
2706         functionality as the pure virtual method InternalFunction used to have.
2707         Also made this new implementation protected rather than private for the same reason.
2708         Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever 
2709         object is being created provides their own implementation of getCallData.  This 
2710         just makes execution fail earlier in a place where the source of the error is 
2711         easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
2712         they appear much more intentional to anybody who fails to provide their own 
2713         implementation or who tries to explicitly call InternalFunction::getCallData.
2714         * runtime/InternalFunction.cpp:
2715         (JSC::InternalFunction::finishCreation):
2716         (JSC::InternalFunction::getCallData):
2717         * runtime/InternalFunction.h:
2718         * runtime/JSCell.cpp:
2719         * runtime/JSCell.h:
2720         * runtime/JSFunction.cpp:
2721         * runtime/JSFunction.h:
2722
2723         Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
2724         it to be reused rather than creating a new Structure every time we instantiate it.
2725         * runtime/JSGlobalObject.cpp:
2726         (JSC::JSGlobalObject::reset):
2727         (JSC::JSGlobalObject::visitChildren):
2728         * runtime/JSGlobalObject.h:
2729         (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
2730         * runtime/JSONObject.cpp:
2731         (JSC::Stringifier::Stringifier):
2732         (JSC::Stringifier::toJSON):
2733         (JSC::Stringifier::appendStringifiedValue):
2734         * runtime/JSObject.cpp:
2735         (JSC::JSObject::put):
2736         * runtime/JSObject.h:
2737         (JSC::getCallData):
2738         * runtime/NativeErrorConstructor.cpp:
2739         * runtime/NativeErrorConstructor.h:
2740         * runtime/NumberConstructor.cpp:
2741         * runtime/NumberConstructor.h:
2742         * runtime/ObjectConstructor.cpp:
2743         * runtime/ObjectConstructor.h:
2744         * runtime/Operations.cpp:
2745         (JSC::jsTypeStringForValue):
2746         (JSC::jsIsObjectType):
2747         (JSC::jsIsFunctionType):
2748         * runtime/PropertySlot.cpp:
2749         (JSC::PropertySlot::functionGetter):
2750         * runtime/RegExpConstructor.cpp:
2751         * runtime/RegExpConstructor.h:
2752         * runtime/StringConstructor.cpp:
2753         * runtime/StringConstructor.h:
2754         * runtime/Structure.h:
2755
2756 2011-10-10  Gavin Barraclough  <barraclough@apple.com>
2757
2758         Switch last calls from DFGSpeculativeJIT to use callOperation.
2759         https://bugs.webkit.org/show_bug.cgi?id=69780
2760
2761         Reviewed by Oliver Hunt.
2762
2763         Also, rename type in operations for booleans from Z to B, since Z is the mathematical symbol for integers.
2764
2765         * dfg/DFGJITCodeGenerator.cpp:
2766         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2767         * dfg/DFGJITCodeGenerator.h:
2768         (JSC::DFG::callOperation):
2769         * dfg/DFGJITCodeGenerator32_64.cpp:
2770         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2771         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2772         * dfg/DFGJITCodeGenerator64.cpp:
2773         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2774         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2775         * dfg/DFGOperations.h:
2776         * dfg/DFGSpeculativeJIT.cpp:
2777         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2778         * dfg/DFGSpeculativeJIT.h:
2779         * dfg/DFGSpeculativeJIT32_64.cpp:
2780         (JSC::DFG::SpeculativeJIT::compare):
2781         (JSC::DFG::SpeculativeJIT::compile):
2782         * dfg/DFGSpeculativeJIT64.cpp:
2783         (JSC::DFG::SpeculativeJIT::compare):
2784         (JSC::DFG::SpeculativeJIT::compile):
2785         * wtf/Platform.h:
2786
2787 2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>
2788
2789         JSVALUE32_64 DFG JIT - bug fix for V8 benchmark cases "crypto" and "raytrace"
2790         https://bugs.webkit.org/show_bug.cgi?id=69748
2791
2792         Reviewed by Filip Pizlo.
2793
2794         * dfg/DFGJITCodeGenerator32_64.cpp:
2795         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
2796         * dfg/DFGSpeculativeJIT32_64.cpp:
2797         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2798
2799 2011-10-10  Adam Roben  <aroben@apple.com>
2800
2801         Build fix
2802
2803         * wtf/MainThread.h: Pull in Platform.h since this file uses PLATFORM() macros.
2804
2805 2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>
2806
2807         JSVALUE32_64 DFG JIT - Bug fix for BranchNull
2808         https://bugs.webkit.org/show_bug.cgi?id=69743
2809
2810         Reviewed by Darin Adler.
2811
2812         This fixes the error in access-binary-trees. All SunSpider cases passed.
2813
2814         * dfg/DFGJITCodeGenerator32_64.cpp:
2815         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2816
2817 2011-10-07  Gavin Barraclough  <barraclough@apple.com>
2818
2819         DFG JIT: callOperation should return the Call.
2820         https://bugs.webkit.org/show_bug.cgi?id=69682
2821
2822         Reviewed by Oliver Hunt.
2823
2824         * dfg/DFGJITCodeGenerator.h:
2825         (JSC::DFG::callOperation):
2826         (JSC::DFG::appendCallWithExceptionCheckSetResult):
2827         * dfg/DFGJITCompiler.h:
2828         (JSC::DFG::JITCompiler::appendCall):
2829         * wtf/Platform.h:
2830
2831 2011-10-10  Sheriff Bot  <webkit.review.bot@gmail.com>
2832
2833         Unreviewed, rolling out r97045.
2834         http://trac.webkit.org/changeset/97045
2835         https://bugs.webkit.org/show_bug.cgi?id=69746
2836
2837         makes apple bots very crashy :( (Requested by kling on
2838         #webkit).
2839
2840         * config.h:
2841
2842 2011-10-10  Andreas Kling  <kling@webkit.org>
2843
2844         Shrink BorderValue.
2845         https://bugs.webkit.org/show_bug.cgi?id=69521
2846
2847         Reviewed by Antti Koivisto.
2848
2849         * config.h: Touch to force full rebuild.
2850
2851 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2852
2853         Improve Null or Undefined test in 32_64 DFG
2854         https://bugs.webkit.org/show_bug.cgi?id=69734
2855
2856         Reviewed by Darin Adler.
2857
2858         Currently Null or Undefined value test in 32_64 DFG will check
2859         Null and Undefined tag separately and introduce one more branch.
2860         It can be improved the way the baseline JIT does it, by
2861         relying on the fact that "UndefinedTag + 1 == NullTag and NullTag & 1".
2862
2863         * dfg/DFGJITCodeGenerator32_64.cpp:
2864         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
2865         * dfg/DFGSpeculativeJIT32_64.cpp:
2866         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2867         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2868
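The single-branch Null-or-Undefined test described in the entry above, as an added example that is not part of the ChangeLog or of WebKit's own code. The two-branch form is shown beside it, together with a soundness check that the trick only works because no other tag shares NullTag's value once the low bit is set. The tag constants are assumed from the JSVALUE32_64 encoding in runtime/JSValue.h of that era (only NullTag and UndefinedTag are named in the entry); verify them against your checkout.

```cpp
#include <cstdint>
#include <cstdio>

// JSVALUE32_64 tag values, assumed from WebKit's runtime/JSValue.h of the
// same era. The ChangeLog entry itself only names NullTag and UndefinedTag.
enum Tag : uint32_t {
    Int32Tag        = 0xffffffff,
    BooleanTag      = 0xfffffffe,
    NullTag         = 0xfffffffd,
    UndefinedTag    = 0xfffffffc,
    CellTag         = 0xfffffffb,
    EmptyValueTag   = 0xfffffffa,
    DeletedValueTag = 0xfffffff9,
};

// "Before": the straightforward test the entry describes, which compares the
// tag against both constants and therefore emits two branches in JIT code.
static bool isNullOrUndefinedTwoBranch(uint32_t tag)
{
    if (tag == NullTag)
        return true;
    if (tag == UndefinedTag)
        return true;
    return false;
}

// "After": the baseline JIT trick. Since UndefinedTag + 1 == NullTag and
// NullTag has its low bit set, `tag | 1` maps both tags onto NullTag, so a
// single compare (one branch) covers both cases.
static bool isNullOrUndefinedOneBranch(uint32_t tag)
{
    return (tag | 1) == NullTag;
}

// The shortcut is only correct if (a) the arithmetic relation the entry relies
// on actually holds and (b) no other tag value collides with NullTag once its
// low bit is forced on. Both are checked here against every defined tag, so a
// change to the tag layout would be caught rather than silently misclassifying
// a value as null/undefined.
static bool trickIsSound()
{
    static const uint32_t tags[] = {
        Int32Tag, BooleanTag, NullTag, UndefinedTag,
        CellTag, EmptyValueTag, DeletedValueTag
    };
    if (static_cast<uint32_t>(UndefinedTag) + 1 != static_cast<uint32_t>(NullTag))
        return false;
    if ((static_cast<uint32_t>(NullTag) & 1) == 0)
        return false;
    for (uint32_t tag : tags) {
        if (isNullOrUndefinedOneBranch(tag) != isNullOrUndefinedTwoBranch(tag))
            return false;
    }
    return true;
}

int main()
{
    std::printf("trick sound: %s\n", trickIsSound() ? "yes" : "no");
    std::printf("NullTag      -> %d\n", isNullOrUndefinedOneBranch(NullTag));
    std::printf("UndefinedTag -> %d\n", isNullOrUndefinedOneBranch(UndefinedTag));
    std::printf("CellTag      -> %d\n", isNullOrUndefinedOneBranch(CellTag));
    return trickIsSound() ? 0 : 1;
}
```
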
2869 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2870
2871         JSVALUE32_64 DFG JIT - Bug fix for ConvertThis
2872         https://bugs.webkit.org/show_bug.cgi?id=69721
2873
2874         Reviewed by Darin Adler.
2875
2876         * dfg/DFGSpeculativeJIT32_64.cpp:
2877         (JSC::DFG::SpeculativeJIT::compile):
2878
2879 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2880
2881         Remove unused callOperation code of DFG JIT on X86
2882         https://bugs.webkit.org/show_bug.cgi?id=69722
2883
2884         Reviewed by Filip Pizlo.
2885
2886         * dfg/DFGJITCodeGenerator.h:
2887         (JSC::DFG::callOperation):
2888
2889 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2890
2891         JSVALUE32_64 DFG JIT - fillJSValue with a pair of GPRs should not set the registerFormat to be DataFormatJSDouble
2892         https://bugs.webkit.org/show_bug.cgi?id=69720
2893
2894         Reviewed by Filip Pizlo.
2895
2896         In JSVALUE32_64 DFG, DataFormatJSDouble is assumed to be represented by
2897         a FPR and will be used for further optimizations, though we currently
2898         don't fully utilize it. For now when filling a JS value which was
2899         spilled as a JSDouble with a pair of GPRs, we'll set the registerFormat
2900         to DataFormatJS to avoid compilation errors.
2901
2902         * dfg/DFGJITCodeGenerator32_64.cpp:
2903         (JSC::DFG::JITCodeGenerator::fillJSValue):
2904
2905 2011-10-09  Filip Pizlo  <fpizlo@apple.com>
2906
2907         DFG should not always speculate that a ByVal access has an integer index
2908         https://bugs.webkit.org/show_bug.cgi?id=69716
2909
2910         Reviewed by Oliver Hunt.
2911         
2912         1% win on SunSpider, neutral elsewhere.
2913
2914         * dfg/DFGJITCodeGenerator.h:
2915         (JSC::DFG::callOperation):
2916         * dfg/DFGNode.h:
2917         * dfg/DFGOperations.cpp:
2918         * dfg/DFGOperations.h:
2919         * dfg/DFGPropagator.cpp:
2920         (JSC::DFG::Propagator::byValHasIntBase):
2921         (JSC::DFG::Propagator::clobbersWorld):
2922         (JSC::DFG::Propagator::getMethodLoadElimination):
2923         (JSC::DFG::Propagator::checkStructureLoadElimination):
2924         (JSC::DFG::Propagator::getByOffsetLoadElimination):
2925         (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
2926         (JSC::DFG::Propagator::performNodeCSE):
2927         * dfg/DFGSpeculativeJIT32_64.cpp:
2928         (JSC::DFG::SpeculativeJIT::compile):
2929         * dfg/DFGSpeculativeJIT64.cpp:
2930         (JSC::DFG::SpeculativeJIT::compile):
2931
2932 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2933
2934         Fix value profiling in 32_64 JIT
2935         https://bugs.webkit.org/show_bug.cgi?id=69717
2936
2937         Reviewed by Filip Pizlo.
2938
2939         Current value profiling for 32_64 JIT is broken and cannot record
2940         correct predicted types, which results in many speculation failures
2941         in the 32_64 DFG JIT, fallbacks to the baseline JIT, and re-optimizations
2942         again and again.
2943         With this fix the 32_64 DFG JIT can demonstrate real performance gains.
2944
2945         * bytecode/ValueProfile.cpp:
2946         (JSC::ValueProfile::computeStatistics):
2947         * bytecode/ValueProfile.h:
2948         (JSC::ValueProfile::classInfo):
2949         (JSC::ValueProfile::numberOfSamples):
2950         (JSC::ValueProfile::isLive):
2951         (JSC::ValueProfile::numberOfInt32s):
2952         (JSC::ValueProfile::numberOfDoubles):
2953         (JSC::ValueProfile::numberOfBooleans):
2954         (JSC::ValueProfile::dump):
2955             Empty value check should be performed on decoded JSValue,
2956             as for 32_64 empty value is not identical to encoded 0.
2957         * jit/JIT.cpp:
2958         (JSC::JIT::privateCompile):
2959         * jit/JITInlineMethods.h:
2960         (JSC::JIT::emitValueProfilingSite):
2961         * jit/JITStubCall.h:
2962         (JSC::JITStubCall::callWithValueProfiling):
2963             Record the right profiling result for 32_64.
2964
2965 2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>
2966
2967         Remove 32 bit restrictions in DFG JIT
2968         https://bugs.webkit.org/show_bug.cgi?id=69711
2969
2970         Reviewed by Filip Pizlo.
2971
2972         op_call/op_construct support was disabled for 32 bit DFG JIT because
2973         there were regressions in the javascriptcore tests. Now the bugs are fixed
2974         and there should be no regression. This makes 32 bit DFG have the same
2975         capability as 64 bit DFG, and improves the coverage.
2976
2977         * dfg/DFGCapabilities.h:
2978         (JSC::DFG::canCompileOpcode):
2979
2980 2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2981
2982         Add static version of JSCell::getConstructData
2983         https://bugs.webkit.org/show_bug.cgi?id=69673
2984
2985         Reviewed by Geoffrey Garen.
2986
2987         Added static version of getConstructData to all classes that 
2988         override it and changed the virtual versions to call the static 
2989         versions.  This is the first step in de-virtualizing JSCell::getConstructData.
2990
2991         * API/JSCallbackConstructor.cpp:
2992         (JSC::JSCallbackConstructor::getConstructData):
2993         * API/JSCallbackConstructor.h:
2994         * API/JSCallbackObject.h:
2995         * API/JSCallbackObjectFunctions.h:
2996         (JSC::::getConstructData):
2997         * runtime/ArrayConstructor.cpp:
2998         (JSC::ArrayConstructor::getConstructData):
2999         * runtime/ArrayConstructor.h:
3000         * runtime/BooleanConstructor.cpp:
3001         (JSC::BooleanConstructor::getConstructData):
3002         * runtime/BooleanConstructor.h:
3003         * runtime/DateConstructor.cpp:
3004         (JSC::DateConstructor::getConstructData):
3005         * runtime/DateConstructor.h:
3006         * runtime/ErrorConstructor.cpp:
3007         (JSC::ErrorConstructor::getConstructData):
3008         * runtime/ErrorConstructor.h:
3009         * runtime/FunctionConstructor.cpp:
3010         (JSC::FunctionConstructor::getConstructData):
3011         * runtime/FunctionConstructor.h:
3012         * runtime/JSCell.cpp:
3013         (JSC::JSCell::getConstructData):
3014         * runtime/JSCell.h:
3015         * runtime/JSFunction.cpp:
3016         (JSC::JSFunction::getConstructData):
3017         * runtime/JSFunction.h:
3018         * runtime/NativeErrorConstructor.cpp:
3019         (JSC::NativeErrorConstructor::getConstructData):
3020         * runtime/NativeErrorConstructor.h:
3021         * runtime/NumberConstructor.cpp:
3022         (JSC::NumberConstructor::getConstructData):
3023         * runtime/NumberConstructor.h:
3024         * runtime/ObjectConstructor.cpp:
3025         (JSC::ObjectConstructor::getConstructData):
3026         * runtime/ObjectConstructor.h:
3027         * runtime/RegExpConstructor.cpp:
3028         (JSC::RegExpConstructor::getConstructData):
3029         * runtime/RegExpConstructor.h:
3030         * runtime/StringConstructor.cpp:
3031         (JSC::StringConstructor::getConstructData):
3032         * runtime/StringConstructor.h:
3033
3034 2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>
3035
3036         Add static version of JSCell::getOwnPropertySlot
3037         https://bugs.webkit.org/show_bug.cgi?id=69593
3038
3039         Reviewed by Geoffrey Garen.
3040
3041         Added static version of getOwnPropertySlot to every class that overrides
3042         JSCell::getOwnPropertySlot.  The virtual versions now call the static versions.
3043         This is the first step in de-virtualizing JSCell::getOwnPropertySlot.
3044
3045         * JavaScriptCore.exp:
3046         * debugger/DebuggerActivation.cpp:
3047         (JSC::DebuggerActivation::getOwnPropertySlot):
3048         * debugger/DebuggerActivation.h:
3049         * runtime/Arguments.cpp:
3050         (JSC::Arguments::getOwnPropertySlot):
3051         * runtime/Arguments.h:
3052         * runtime/ArrayConstructor.h:
3053         * runtime/ArrayPrototype.cpp:
3054         (JSC::ArrayPrototype::getOwnPropertySlot):
3055         * runtime/ArrayPrototype.h:
3056         * runtime/BooleanPrototype.cpp:
3057         (JSC::BooleanPrototype::getOwnPropertySlot):
3058         * runtime/BooleanPrototype.h:
3059         * runtime/DateConstructor.cpp:
3060         (JSC::DateConstructor::getOwnPropertySlot):
3061         * runtime/DateConstructor.h:
3062         * runtime/DatePrototype.cpp:
3063         (JSC::DatePrototype::getOwnPropertySlot):
3064         * runtime/DatePrototype.h:
3065         * runtime/ErrorPrototype.cpp:
3066         (JSC::ErrorPrototype::getOwnPropertySlot):
3067         * runtime/ErrorPrototype.h:
3068         * runtime/JSActivation.cpp:
3069         (JSC::JSActivation::getOwnPropertySlot):
3070         * runtime/JSActivation.h:
3071         * runtime/JSArray.cpp:
3072         (JSC::JSArray::getOwnPropertySlot):
3073         * runtime/JSArray.h:
3074         * runtime/JSBoundFunction.cpp:
3075         (JSC::JSBoundFunction::getOwnPropertySlot):
3076         * runtime/JSBoundFunction.h:
3077         * runtime/JSByteArray.cpp:
3078         (JSC::JSByteArray::getOwnPropertySlot):
3079         * runtime/JSByteArray.h:
3080         * runtime/JSCell.cpp:
3081         (JSC::JSCell::getOwnPropertySlot):
3082         * runtime/JSCell.h:
3083         * runtime/JSFunction.cpp:
3084         (JSC::JSFunction::getOwnPropertySlot):
3085         * runtime/JSFunction.h:
3086         * runtime/JSGlobalObject.cpp:
3087         (JSC::JSGlobalObject::getOwnPropertySlot):
3088         * runtime/JSGlobalObject.h:
3089         * runtime/JSNotAnObject.cpp:
3090         (JSC::JSNotAnObject::getOwnPropertySlot):
3091         * runtime/JSNotAnObject.h:
3092         * runtime/JSONObject.cpp:
3093         (JSC::JSONObject::getOwnPropertySlot):
3094         * runtime/JSONObject.h:
3095         * runtime/JSObject.cpp:
3096         (JSC::JSObject::getOwnPropertySlot):
3097         * runtime/JSObject.h:
3098         (JSC::JSObject::getOwnPropertySlot):
3099         * runtime/JSStaticScopeObject.cpp:
3100         (JSC::JSStaticScopeObject::getOwnPropertySlot):
3101         * runtime/JSStaticScopeObject.h:
3102         * runtime/JSString.cpp:
3103         (JSC::JSString::getOwnPropertySlot):
3104         * runtime/JSString.h:
3105         * runtime/MathObject.cpp:
3106         (JSC::MathObject::getOwnPropertySlot):
3107         * runtime/MathObject.h:
3108         * runtime/NumberConstructor.cpp:
3109         (JSC::NumberConstructor::getOwnPropertySlot):
3110         * runtime/NumberConstructor.h:
3111         * runtime/NumberPrototype.cpp:
3112         (JSC::NumberPrototype::getOwnPropertySlot):
3113         * runtime/NumberPrototype.h:
3114         * runtime/ObjectConstructor.cpp:
3115         (JSC::ObjectConstructor::getOwnPropertySlot):
3116         * runtime/ObjectConstructor.h:
3117         * runtime/ObjectPrototype.cpp:
3118         (JSC::ObjectPrototype::getOwnPropertySlot):
3119         * runtime/ObjectPrototype.h:
3120         * runtime/RegExpConstructor.cpp:
3121         (JSC::RegExpConstructor::getOwnPropertySlot):
3122         * runtime/RegExpConstructor.h:
3123         * runtime/RegExpMatchesArray.h:
3124         (JSC::RegExpMatchesArray::getOwnPropertySlot):
3125         * runtime/RegExpObject.cpp:
3126         (JSC::RegExpObject::getOwnPropertySlot):
3127         * runtime/RegExpObject.h:
3128         * runtime/RegExpPrototype.cpp:
3129         (JSC::RegExpPrototype::getOwnPropertySlot):
3130         * runtime/RegExpPrototype.h:
3131         * runtime/StringConstructor.cpp:
3132         (JSC::StringConstructor::getOwnPropertySlot):
3133         * runtime/StringConstructor.h:
3134         * runtime/StringObject.cpp:
3135         (JSC::StringObject::getOwnPropertySlot):
3136         * runtime/StringObject.h:
3137         * runtime/StringPrototype.cpp:
3138         (JSC::StringPrototype::getOwnPropertySlot):
3139         * runtime/StringPrototype.h:
3140
3141 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
3142
3143         JSVALUE32_64 DFG JIT - GetLocal should produce a cell result for Array predictions
3144         https://bugs.webkit.org/show_bug.cgi?id=69699
3145
3146         Reviewed by Filip Pizlo.
3147
3148         It should match SetLocal where only payload is stored for array predictions.
3149
3150         * dfg/DFGSpeculativeJIT32_64.cpp:
3151         (JSC::DFG::SpeculativeJIT::compile):
3152
3153 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
3154
3155         JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot
3156         https://bugs.webkit.org/show_bug.cgi?id=69702
3157
3158         Reviewed by Filip Pizlo.
3159
3160         There are some errors in generating code for Branch and LogicalNot,
3161         when the operand is predicted as ObjectOrOther.
3162
3163         * dfg/DFGSpeculativeJIT32_64.cpp:
3164         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3165         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3166
3167 2011-10-08  Sheriff Bot  <webkit.review.bot@gmail.com>
3168
3169         Unreviewed, rolling out r96996.
3170         http://trac.webkit.org/changeset/96996
3171         https://bugs.webkit.org/show_bug.cgi?id=69697
3172
3173         It broke all tests on the Qt bot (Requested by Ossy_night on
3174         #webkit).
3175
3176         * API/JSCallbackFunction.cpp:
3177         (JSC::JSCallbackFunction::getCallDataVirtual):
3178         * API/JSCallbackFunction.h:
3179         * API/JSCallbackObject.h:
3180         * API/JSCallbackObjectFunctions.h:
3181         (JSC::::getCallDataVirtual):
3182         * API/JSObjectRef.cpp:
3183         (JSObjectIsFunction):
3184         (JSObjectCallAsFunction):
3185         * JavaScriptCore.exp:
3186         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3187         * interpreter/Interpreter.cpp:
3188         (JSC::Interpreter::privateExecute):
3189         * jit/JITStubs.cpp:
3190         (JSC::DEFINE_STUB_FUNCTION):
3191         * runtime/ArrayConstructor.cpp:
3192         (JSC::ArrayConstructor::getCallDataVirtual):
3193         * runtime/ArrayConstructor.h:
3194         * runtime/BooleanConstructor.cpp:
3195         (JSC::BooleanConstructor::getCallDataVirtual):
3196         * runtime/BooleanConstructor.h:
3197         * runtime/DateConstructor.cpp:
3198         (JSC::DateConstructor::getCallDataVirtual):
3199         * runtime/DateConstructor.h:
3200         * runtime/Error.cpp:
3201         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
3202         (JSC::StrictModeTypeErrorFunction::create):
3203         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
3204         (JSC::StrictModeTypeErrorFunction::getConstructData):
3205         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
3206         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
3207         (JSC::StrictModeTypeErrorFunction::getCallData):
3208         (JSC::StrictModeTypeErrorFunction::createStructure):
3209         (JSC::createTypeErrorFunction):
3210         * runtime/Error.h:
3211         * runtime/ErrorConstructor.cpp:
3212         (JSC::ErrorConstructor::getCallDataVirtual):
3213         * runtime/ErrorConstructor.h:
3214         * runtime/FunctionConstructor.cpp:
3215         (JSC::FunctionConstructor::getCallDataVirtual):
3216         * runtime/FunctionConstructor.h:
3217         * runtime/FunctionPrototype.cpp:
3218         (JSC::FunctionPrototype::getCallDataVirtual):
3219         * runtime/FunctionPrototype.h:
3220         * runtime/InternalFunction.cpp:
3221         (JSC::InternalFunction::finishCreation):
3222         * runtime/InternalFunction.h:
3223         * runtime/JSCell.cpp:
3224         (JSC::JSCell::getCallDataVirtual):
3225         * runtime/JSCell.h:
3226         (JSC::getCallData):
3227         * runtime/JSFunction.cpp:
3228         (JSC::JSFunction::getCallDataVirtual):
3229         * runtime/JSFunction.h:
3230         * runtime/JSGlobalObject.cpp:
3231         (JSC::JSGlobalObject::reset):
3232         (JSC::JSGlobalObject::visitChildren):
3233         * runtime/JSGlobalObject.h:
3234         * runtime/JSONObject.cpp:
3235         (JSC::Stringifier::Stringifier):
3236         (JSC::Stringifier::toJSON):
3237         (JSC::Stringifier::appendStringifiedValue):
3238         * runtime/JSObject.cpp:
3239         (JSC::JSObject::put):
3240         * runtime/JSObject.h:
3241         * runtime/NativeErrorConstructor.cpp:
3242         (JSC::NativeErrorConstructor::getCallDataVirtual):
3243         * runtime/NativeErrorConstructor.h:
3244         * runtime/NumberConstructor.cpp:
3245         (JSC::NumberConstructor::getCallDataVirtual):
3246         * runtime/NumberConstructor.h:
3247         * runtime/ObjectConstructor.cpp:
3248         (JSC::ObjectConstructor::getCallDataVirtual):
3249         * runtime/ObjectConstructor.h:
3250         * runtime/Operations.cpp:
3251         (JSC::jsTypeStringForValue):
3252         (JSC::jsIsObjectType):
3253         (JSC::jsIsFunctionType):
3254         * runtime/PropertySlot.cpp:
3255         (JSC::PropertySlot::functionGetter):
3256         * runtime/RegExpConstructor.cpp:
3257         (JSC::RegExpConstructor::getCallDataVirtual):
3258         * runtime/RegExpConstructor.h:
3259         * runtime/StringConstructor.cpp:
3260         (JSC::StringConstructor::getCallDataVirtual):
3261         * runtime/StringConstructor.h:
3262         * runtime/Structure.h:
3263
3264 2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>
3265
3266         DFG JIT - only Array predictions can result in unboxed cells in register file
3267         https://bugs.webkit.org/show_bug.cgi?id=69695
3268
3269         Reviewed by Filip Pizlo.
3270
3271         In current DFG JIT, only array predictions can result in unboxed cells
3272         in the register file, not the other cell predictions.
3273
3274         * dfg/DFGSpeculativeJIT.h:
3275         (JSC::DFG::ValueSource::forPrediction):
3276
3277 2011-10-07  Yuqiang Xian  <yuqiang.xian@intel.com>
3278
3279         bug fixes for ArrayPush and ArrayPop in 32_64 DFG JIT
3280         https://bugs.webkit.org/show_bug.cgi?id=69696
3281
3282         Reviewed by Filip Pizlo.
3283
3284         On 32-bit, we should use TimesEight (8) instead of ScalePtr (4)
3285         to compute the address of a JS array element.
3286
3287         * dfg/DFGSpeculativeJIT32_64.cpp:
3288         (JSC::DFG::SpeculativeJIT::compile):
3289
3290 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3291
3292         Add static version of JSCell::deleteProperty
3293         https://bugs.webkit.org/show_bug.cgi?id=69659
3294
3295         Reviewed by Geoffrey Garen.
3296
3297         Added static version of both versions of put to all classes that 
3298         override them and changed the virtual versions to call the static 
3299         versions.  This is the first step in de-virtualizing JSCell::deleteProperty.
3300
3301         * API/JSCallbackObject.h:
3302         * API/JSCallbackObjectFunctions.h:
3303         (JSC::::deleteProperty):
3304         * debugger/DebuggerActivation.cpp:
3305         (JSC::DebuggerActivation::deleteProperty):
3306         * debugger/DebuggerActivation.h:
3307         * runtime/Arguments.cpp:
3308         (JSC::Arguments::deleteProperty):
3309         * runtime/Arguments.h:
3310         * runtime/JSActivation.cpp:
3311         (JSC::JSActivation::deleteProperty):
3312         * runtime/JSActivation.h:
3313         * runtime/JSArray.cpp:
3314         (JSC::JSArray::deleteProperty):
3315         * runtime/JSArray.h:
3316         * runtime/JSCell.cpp:
3317         (JSC::JSCell::deleteProperty):
3318         * runtime/JSCell.h:
3319         * runtime/JSFunction.cpp:
3320         (JSC::JSFunction::deleteProperty):
3321         * runtime/JSFunction.h:
3322         * runtime/JSNotAnObject.cpp:
3323         (JSC::JSNotAnObject::deleteProperty):
3324         * runtime/JSNotAnObject.h:
3325         * runtime/JSObject.cpp:
3326         (JSC::JSObject::deleteProperty):
3327         * runtime/JSObject.h:
3328         * runtime/JSVariableObject.cpp:
3329         (JSC::JSVariableObject::deleteProperty):
3330         * runtime/JSVariableObject.h:
3331         * runtime/RegExpMatchesArray.h:
3332         (JSC::RegExpMatchesArray::deleteProperty):
3333         * runtime/StrictEvalActivation.cpp:
3334         (JSC::StrictEvalActivation::deleteProperty):
3335         * runtime/StrictEvalActivation.h:
3336         * runtime/StringObject.cpp:
3337         (JSC::StringObject::deleteProperty):
3338         * runtime/StringObject.h:
3339
3340 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3341
3342         Remove getCallDataVirtual methods
3343         https://bugs.webkit.org/show_bug.cgi?id=69186
3344
3345         Reviewed by Geoffrey Garen.
3346
3347         Removed all getCallDataVirtual methods and replaced their call sites 
3348         with an explicit lookup in the MethodTable.
3349
3350         * API/JSCallbackFunction.cpp:
3351         * API/JSCallbackFunction.h:
3352         * API/JSCallbackObject.h:
3353         * API/JSCallbackObjectFunctions.h:
3354         * API/JSObjectRef.cpp:
3355         (JSObjectIsFunction):
3356         (JSObjectCallAsFunction):
3357         * JavaScriptCore.exp:
3358         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3359         * interpreter/Interpreter.cpp:
3360         (JSC::Interpreter::privateExecute):
3361         * jit/JITStubs.cpp:
3362         (JSC::DEFINE_STUB_FUNCTION):
3363         * runtime/ArrayConstructor.cpp:
3364         * runtime/ArrayConstructor.h:
3365         * runtime/BooleanConstructor.cpp:
3366         * runtime/BooleanConstructor.h:
3367         * runtime/DateConstructor.cpp:
3368         * runtime/DateConstructor.h:
3369         * runtime/Error.cpp:
3370         (JSC::createTypeErrorFunction):
3371
3372         Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
3373         the class definition in JSGlobalObject.cpp.
3374         * runtime/Error.h:
3375         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
3376         (JSC::StrictModeTypeErrorFunction::create):
3377         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
3378         (JSC::StrictModeTypeErrorFunction::getConstructData):
3379         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
3380         (JSC::StrictModeTypeErrorFunction::getCallData):
3381         (JSC::StrictModeTypeErrorFunction::createStructure):
3382         * runtime/ErrorConstructor.cpp:
3383         * runtime/ErrorConstructor.h:
3384         * runtime/FunctionConstructor.cpp:
3385         * runtime/FunctionConstructor.h:
3386         * runtime/FunctionPrototype.cpp:
3387         * runtime/FunctionPrototype.h:
3388
3389         To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have
3390         to declare their own ClassInfo if they don't override getCallData, provided
3391         an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same
3392         functionality as the pure virtual method InternalFunction used to have.
3393         Also made this new implementation protected rather than private for the same reason.
3394         Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever
3395         object is being created provides its own implementation of getCallData.  This
3396         just makes execution fail earlier in a place where the source of the error is
3397         easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
3398         they appear much more intentional to anybody who fails to provide their own
3399         implementation or who tries to explicitly call InternalFunction::getCallData.
3400         * runtime/InternalFunction.cpp:
3401         (JSC::InternalFunction::finishCreation):
3402         (JSC::InternalFunction::getCallData):
3403         * runtime/InternalFunction.h:
3404         * runtime/JSCell.cpp:
3405         * runtime/JSCell.h:
3406         * runtime/JSFunction.cpp:
3407         * runtime/JSFunction.h:
3408
3409         Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
3410         it to be reused rather than creating a new Structure every time we instantiate it.
3411         * runtime/JSGlobalObject.cpp:
3412         (JSC::JSGlobalObject::reset):
3413         (JSC::JSGlobalObject::visitChildren):
3414         * runtime/JSGlobalObject.h:
3415         (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
3416         * runtime/JSONObject.cpp:
3417         (JSC::Stringifier::Stringifier):
3418         (JSC::Stringifier::toJSON):
3419         (JSC::Stringifier::appendStringifiedValue):
3420         * runtime/JSObject.cpp:
3421         (JSC::JSObject::put):
3422         * runtime/JSObject.h:
3423         (JSC::getCallData):
3424         * runtime/NativeErrorConstructor.cpp:
3425         * runtime/NativeErrorConstructor.h:
3426         * runtime/NumberConstructor.cpp:
3427         * runtime/NumberConstructor.h:
3428         * runtime/ObjectConstructor.cpp:
3429         * runtime/ObjectConstructor.h:
3430         * runtime/Operations.cpp:
3431         (JSC::jsTypeStringForValue):
3432         (JSC::jsIsObjectType):
3433         (JSC::jsIsFunctionType):
3434         * runtime/PropertySlot.cpp:
3435         (JSC::PropertySlot::functionGetter):
3436         * runtime/RegExpConstructor.cpp:
3437         * runtime/RegExpConstructor.h:
3438         * runtime/StringConstructor.cpp:
3439         * runtime/StringConstructor.h:
3440         * runtime/Structure.h:
3441
3442 2011-10-07  Oliver Hunt  <oliver@apple.com>
3443
3444         Add missing break statement.
3445
3446         Reviewed by Gavin Barraclough.
3447
3448         * dfg/DFGPropagator.cpp:
3449         (JSC::DFG::Propagator::propagateNodePredictions):
3450
3451 2011-10-07  Oliver Hunt  <oliver@apple.com>
3452
3453         Support some string intrinsics in the DFG JIT
3454         https://bugs.webkit.org/show_bug.cgi?id=69678
3455
3456         Reviewed by Gavin Barraclough.
3457
3458         Add support for charAt and charCodeAt intrinsics in the DFG.
3459
3460         * create_hash_table:
3461         * dfg/DFGByteCodeParser.cpp:
3462         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3463         * dfg/DFGIntrinsic.h:
3464         * dfg/DFGNode.h:
3465         * dfg/DFGPropagator.cpp:
3466         (JSC::DFG::Propagator::propagateNodePredictions):
3467         (JSC::DFG::Propagator::performNodeCSE):
3468         * dfg/DFGSpeculativeJIT.cpp:
3469         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
3470         * dfg/DFGSpeculativeJIT.h:
3471         * dfg/DFGSpeculativeJIT32_64.cpp:
3472         (JSC::DFG::SpeculativeJIT::compile):
3473         * dfg/DFGSpeculativeJIT64.cpp:
3474         (JSC::DFG::SpeculativeJIT::compile):
3475
3476 2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3477
3478         Add static version of JSCell::put
3479         https://bugs.webkit.org/show_bug.cgi?id=69382
3480
3481         Reviewed by Geoffrey Garen.
3482
3483         Added static version of both versions of put to all classes that 
3484         override them and changed the virtual versions to call the static 
3485         versions.
3486
3487         * API/JSCallbackObject.h:
3488         * API/JSCallbackObjectFunctions.h:
3489         (JSC::::put):
3490         * JavaScriptCore.exp:
3491         * debugger/DebuggerActivation.cpp:
3492         (JSC::DebuggerActivation::put):
3493         * debugger/DebuggerActivation.h:
3494         * runtime/Arguments.cpp:
3495         (JSC::Arguments::put):
3496         * runtime/Arguments.h:
3497         * runtime/JSActivation.cpp:
3498         (JSC::JSActivation::put):
3499         * runtime/JSActivation.h:
3500         * runtime/JSArray.cpp:
3501         (JSC::JSArray::put):
3502         * runtime/JSArray.h:
3503         * runtime/JSByteArray.cpp:
3504         (JSC::JSByteArray::put):
3505         * runtime/JSByteArray.h:
3506         * runtime/JSCell.cpp:
3507         (JSC::JSCell::put):
3508         * runtime/JSCell.h:
3509         * runtime/JSFunction.cpp:
3510         (JSC::JSFunction::put):
3511         * runtime/JSFunction.h:
3512         * runtime/JSGlobalObject.cpp:
3513         (JSC::JSGlobalObject::put):
3514         * runtime/JSGlobalObject.h:
3515         * runtime/JSNotAnObject.cpp:
3516         (JSC::JSNotAnObject::put):
3517         * runtime/JSNotAnObject.h:
3518         * runtime/JSObject.cpp:
3519         (JSC::JSObject::put):
3520         * runtime/JSObject.h:
3521         * runtime/JSStaticScopeObject.cpp:
3522         (JSC::JSStaticScopeObject::put):
3523         * runtime/JSStaticScopeObject.h:
3524         * runtime/ObjectPrototype.cpp:
3525         (JSC::ObjectPrototype::put):
3526         * runtime/ObjectPrototype.h:
3527         * runtime/RegExpConstructor.cpp:
3528         (JSC::RegExpConstructor::put):
3529         * runtime/RegExpConstructor.h:
3530         * runtime/RegExpMatchesArray.h:
3531         (JSC::RegExpMatchesArray::put):
3532         * runtime/RegExpObject.cpp:
3533         (JSC::RegExpObject::put):
3534         * runtime/RegExpObject.h:
3535         * runtime/StringObject.cpp:
3536         (JSC::StringObject::put):
3537         * runtime/StringObject.h:
3538
3539 2011-10-07  Gavin Barraclough  <barraclough@apple.com>
3540
3541         Refactor DFG to make more use of callOperation
3542         https://bugs.webkit.org/show_bug.cgi?id=69672
3543
3544         Reviewed by Oliver Hunt.
3545
3546         * dfg/DFGJITCodeGenerator.h:
3547         (JSC::DFG::callOperation):
3548             - Added new callOperation calls, don't ASSERT flushed (use helpers for unexpected calls, too).
3549         * dfg/DFGOperations.cpp:
3550         * dfg/DFGOperations.h:
3551             - Switch operationNewObject/operationCreateThis to return Cells,
3552             - Added C_DFGOperation_E/C_DFGOperation_EC/J_DFGOperation_EA/J_DFGOperation_EJA call types.
3553         * dfg/DFGSpeculativeJIT32_64.cpp:
3554         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3555         (JSC::DFG::SpeculativeJIT::emitBranch):
3556         (JSC::DFG::SpeculativeJIT::compile):
3557             - Replace boilerplate calls to operations with calls to callOperation.
3558         * dfg/DFGSpeculativeJIT64.cpp:
3559         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3560         (JSC::DFG::SpeculativeJIT::emitBranch):
3561         (JSC::DFG::SpeculativeJIT::compile):
3562             - Replace boilerplate calls to operations with calls to callOperation.
3563
3564 2011-10-07  Oliver Hunt  <oliver@apple.com>
3565
3566         Support string indexing in the DFG
3567         https://bugs.webkit.org/show_bug.cgi?id=69671
3568
3569         Reviewed by Gavin Barraclough.
3570
3571         Emit code to support inline indexing of strings.
3572
3573         * dfg/DFGSpeculativeJIT.cpp:
3574         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3575             Shared code to perform string indexing.
3576         * dfg/DFGSpeculativeJIT.h:
3577         * dfg/DFGSpeculativeJIT32_64.cpp:
3578         (JSC::DFG::SpeculativeJIT::compile):
3579         * dfg/DFGSpeculativeJIT64.cpp:
3580         (JSC::DFG::SpeculativeJIT::compile):
3581             Use compileGetByValOnString if we predict that the base object
3582             is a string in GetByVal.
3583         * runtime/JSString.h:
3584         (JSC::JSString::offsetOfFiberCount):
3585         (JSC::JSString::offsetOfValue):
3586
3587 2011-10-07  Filip Pizlo  <fpizlo@apple.com>
3588
3589         DFG ConvertThis speculation logic is wrong
3590         https://bugs.webkit.org/show_bug.cgi?id=69663
3591
3592         Reviewed by Oliver Hunt.
3593
3594         * dfg/DFGPropagator.cpp:
3595         (JSC::DFG::Propagator::fixupNode):
3596         * dfg/DFGSpeculativeJIT32_64.cpp:
3597         (JSC::DFG::SpeculativeJIT::compile):
3598         * dfg/DFGSpeculativeJIT64.cpp:
3599         (JSC::DFG::SpeculativeJIT::compile):
3600
3601 2011-10-07  Oliver Hunt  <oliver@apple.com>
3602
3603         Verify that our call speculation is valid.
3604
3605         Reviewed by Filip Pizlo.
3606
3607         Before specialising an intrinsic we need to verify that
3608         our speculation is correct.
3609
3610         * dfg/DFGByteCodeParser.cpp:
3611         (JSC::DFG::ByteCodeParser::parseBlock):
3612
3613 2011-10-07  Brent Fulgham  <bfulgham@webkit.org>
3614
3615         [WinCairo] Unreviewed build correction for the build bot.
3616
3617         * JavaScriptCore.vcproj/JavaScriptCore.sln: Add the missing
3618         Release_Cairo_CFLite and Debug_Cairo_CFLite targets so that
3619         build-jsc can find the target it needs to run the JSC tests.
3620
3621 2011-10-07  Oliver Hunt  <oliver@apple.com>
3622
3623         Fix 32-bit build.
3624
3625         * jit/JITCall32_64.cpp:
3626         (JSC::JIT::compileOpCall):
3627
3628 2011-10-07  Oliver Hunt  <oliver@apple.com>
3629
3630         Support direct calls to intrinsic functions
3631         https://bugs.webkit.org/show_bug.cgi?id=69646
3632
3633         Reviewed by Gavin Barraclough.
3634
3635         Add support for optimising non-method_check calls
3636         to intrinsic functions (e.g. when Math.abs, etc. are
3637         cached in local variables).
3638
3639         * bytecode/CodeBlock.h:
3640         (JSC::getCallLinkInfoBytecodeIndex):
3641             Support searching CallLinkInfos by bytecode index
3642         * dfg/DFGByteCodeParser.cpp:
3643         (JSC::DFG::ByteCodeParser::parseBlock):
3644             Add support for linked calls in addition to method_check
3645             when searching for intrinsics
3646         * dfg/DFGNode.h:
3647         (JSC::DFG::Node::hasFunctionCheckData):
3648         (JSC::DFG::Node::function):
3649             Add ability to store a JSFunction* in a node - this is safe
3650             as the function will be marked by the codeblock we're compiling
3651         * dfg/DFGPropagator.cpp:
3652         (JSC::DFG::Propagator::propagateNodePredictions):
3653         (JSC::DFG::Propagator::checkFunctionElimination):
3654         (JSC::DFG::Propagator::performNodeCSE):
3655             Add support for new CheckFunction node, and implement CSE pass.
3656         * dfg/DFGSpeculativeJIT32_64.cpp:
3657         (JSC::DFG::SpeculativeJIT::compile):
3658         * dfg/DFGSpeculativeJIT64.cpp:
3659         (JSC::DFG::SpeculativeJIT::compile):
3660             Rather trivial implementation of CheckFunction
3661         * jit/JIT.cpp:
3662         (JSC::JIT::privateCompile):
3663         * jit/JIT.h:
3664         * jit/JITCall.cpp:
3665         (JSC::JIT::compileOpCall):
3666         * jit/JITCall32_64.cpp:
3667         (JSC::JIT::compileOpCall):
3668             Need to propagate bytecode index for calls now.
3669
3670 2011-10-07  Dominic Cooney  <dominicc@chromium.org>
3671
3672         [JSC] Disable ThreadRestrictionVerifier for JIT ExecutableMemoryHandles
3673         https://bugs.webkit.org/show_bug.cgi?id=69599
3674
3675         Reviewed by Sam Weinig.
3676
3677         DFG JIT manipulates MetaAllocatorHandles across threads, e.g. in
3678         allocating JITCode buffers on a background thread to execute a
3679         proxy autoconfiguration PAC file but garbage collecting it in
3680         response to allocation on the main thread. Disabling
3681         ThreadRestrictionVerification until there is a verification scheme
3682         that understands this handoff.
3683
3684         * wtf/MetaAllocator.cpp:
3685         (WTF::MetaAllocator::allocate):
3686
3687 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3688
3689         DFG should not always speculate that ConvertThis is operating on an object
3690         https://bugs.webkit.org/show_bug.cgi?id=69570
3691
3692         Reviewed by Oliver Hunt.
3693         
3694         Mostly neutral, but with a slight regression in Kraken since it increases
3695         coverage in DFG and thus reveals some performance pathologies (which I
3696         prefer to think of as performance opportunities, in a good way).
3697
3698         * bytecode/PredictedType.cpp:
3699         (JSC::predictionToString):
3700         * bytecode/PredictedType.h:
3701         (JSC::isOtherPrediction):
3702         (JSC::mergePredictions):
3703         * dfg/DFGPropagator.cpp:
3704         (JSC::DFG::Propagator::propagateNodePredictions):
3705         * dfg/DFGSpeculativeJIT32_64.cpp:
3706         (JSC::DFG::SpeculativeJIT::compile):
3707         * dfg/DFGSpeculativeJIT64.cpp:
3708         (JSC::DFG::SpeculativeJIT::compile):
3709
3710 2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3711
3712         Windows build fix
3713
3714         Unreviewed build fix.  Weird runtime failures on Windows due to 
3715         linking issues caused by the ClassInfo struct in JSByteArray not 
3716         being declared with JS_EXPORTDATA.
3717
3718         * runtime/JSByteArray.h:
3719
3720 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3721
3722         Structure does not reset m_previous when pinning the property map
3723         https://bugs.webkit.org/show_bug.cgi?id=69583
3724
3725         Reviewed by Gavin Barraclough.
3726         
3727         This is an 0.6% performance improvement in V8, and 0.2% overall.
3728
3729         * runtime/Structure.cpp:
3730         (JSC::Structure::changePrototypeTransition):
3731         (JSC::Structure::despecifyFunctionTransition):
3732         (JSC::Structure::getterSetterTransition):
3733         (JSC::Structure::toDictionaryTransition):
3734         (JSC::Structure::preventExtensionsTransition):
3735         (JSC::Structure::addPropertyWithoutTransition):
3736         (JSC::Structure::removePropertyWithoutTransition):
3737         (JSC::Structure::pin):
3738         * runtime/Structure.h:
3739
3740 2011-10-06  Anders Carlsson  <andersca@apple.com>
3741
3742         When building with clang, enable -Wglobal-constructors and -Wexit-time-destructors
3743         https://bugs.webkit.org/show_bug.cgi?id=69586
3744
3745         Reviewed by Darin Adler.
3746
3747         * Configurations/Base.xcconfig:
3748         Add -Wglobal-constructors and -Wexit-time-destructors when building with clang.
3749
3750         * JavaScriptCore.xcodeproj/project.pbxproj:
3751         When building with clang, we don't need to run the check-for-global-initializers and
3752         check-for-exit-time-destructors anymore.
3753
3754         * jsc.cpp:
3755         (runInteractive):
3756         Move interpreterName into runInteractive.
3757
3758         * wtf/StdLibExtras.h:
3759         When building with clang, disable the -Wglobal-constructors and -Wexit-time-destructors
3760         warnings around the variable declaration.
3761
3762 2011-10-06  Anders Carlsson  <andersca@apple.com>
3763
3764         Add DEFINE_DEBUG_ONLY_GLOBAL for globals that should be defined in debug builds
3765         https://bugs.webkit.org/show_bug.cgi?id=69584
3766
3767         Reviewed by Darin Adler.
3768
3769         Add DEFINE_DEBUG_ONLY_GLOBAL macro.
3770
3771         * wtf/StdLibExtras.h:
3772
3773 2011-10-06  Oliver Hunt  <oliver@apple.com>
3774
3775         Write barrier shouldn't allocate temporaries inside control flow
3776         https://bugs.webkit.org/show_bug.cgi?id=69582
3777
3778         Reviewed by Gavin Barraclough.
3779
3780         Reorder the code to avoid spill-related badness.
3781
3782         * dfg/DFGJITCodeGenerator.cpp:
3783         (JSC::DFG::JITCodeGenerator::writeBarrier):
3784
3785 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3786
3787         DFG::shouldSpeculate methods are too complicated
3788         https://bugs.webkit.org/show_bug.cgi?id=69560
3789
3790         Reviewed by Geoffrey Garen.
3791         
3792         Moved shouldSpeculate methods to DFG::Node, and cleaned them up to
3793         just use node predictions.
3794         
3795         By itself this would have meant that SpeculativeJIT code would have
3796         had to say things like m_jit.graph()[nodeIndex].shouldSpeculateXYZ().
3797         So this adds an at(NodeIndex) method to JITCodeGenerator. I replaced
3798         all uses of the m_jit.graph()[nodeIndex] idiom with at(nodeIndex).
3799         
3800         This is an 0.4% progression overall that shows up in all benchmarks,
3801         for reasons unknown.
3802
3803         * dfg/DFGJITCodeGenerator.h:
3804         (JSC::DFG::JITCodeGenerator::at):
3805         (JSC::DFG::JITCodeGenerator::canReuse):
3806         (JSC::DFG::JITCodeGenerator::isFilled):
3807         (JSC::DFG::JITCodeGenerator::isFilledDouble):
3808         (JSC::DFG::JITCodeGenerator::use):
3809         (JSC::DFG::JITCodeGenerator::silentSpillFPR):
3810         (JSC::DFG::JITCodeGenerator::silentFillGPR):
3811         (JSC::DFG::JITCodeGenerator::silentFillFPR):
3812         (JSC::DFG::detectPeepHoleBranch):
3813         (JSC::DFG::integerResult):
3814         (JSC::DFG::noResult):
3815         (JSC::DFG::cellResult):
3816         (JSC::DFG::jsValueResult):
3817         (JSC::DFG::storageResult):
3818         (JSC::DFG::doubleResult):
3819         (JSC::DFG::initConstantInfo):
3820         (JSC::DFG::appendCallWithExceptionCheck):
3821         * dfg/DFGJITCodeGenerator32_64.cpp:
3822         (JSC::DFG::JITCodeGenerator::fillInteger):
3823         (JSC::DFG::JITCodeGenerator::fillDouble):
3824         (JSC::DFG::JITCodeGenerator::fillJSValue):
3825         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
3826         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
3827         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
3828         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
3829         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
3830         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
3831         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3832         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
3833         (JSC::DFG::JITCodeGenerator::emitCall):
3834         * dfg/DFGJITCodeGenerator64.cpp:
3835         (JSC::DFG::JITCodeGenerator::fillInteger):
3836         (JSC::DFG::JITCodeGenerator::fillDouble):
3837         (JSC::DFG::JITCodeGenerator::fillJSValue):
3838         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
3839         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
3840         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
3841         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
3842         (JSC::DFG::JITCodeGenerator::emitCall):
3843         * dfg/DFGNode.h:
3844         (JSC::DFG::Node::shouldSpeculateInteger):
3845         (JSC::DFG::Node::shouldSpeculateDouble):
3846         (JSC::DFG::Node::shouldSpeculateNumber):
3847         (JSC::DFG::Node::shouldNotSpeculateInteger):
3848         (JSC::DFG::Node::shouldSpeculateFinalObject):
3849         (JSC::DFG::Node::shouldSpeculateFinalObjectOrOther):
3850         (JSC::DFG::Node::shouldSpeculateArray):
3851         (JSC::DFG::Node::shouldSpeculateArrayOrOther):
3852         (JSC::DFG::Node::shouldSpeculateObject):
3853         (JSC::DFG::Node::shouldSpeculateCell):
3854         (JSC::DFG::Node::canSpeculateInteger):
3855         * dfg/DFGSpeculativeJIT.cpp:
3856         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
3857         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
3858         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
3859         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3860         (JSC::DFG::SpeculativeJIT::compile):
3861         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3862         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3863         * dfg/DFGSpeculativeJIT.h:
3864         (JSC::DFG::SpeculativeJIT::isInteger):
3865         (JSC::DFG::SpeculativeJIT::isKnownArray):
3866         (JSC::DFG::SpeculativeJIT::isKnownString):
3867         * dfg/DFGSpeculativeJIT32_64.cpp:
3868         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3869         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3870         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3871         (JSC::DFG::SpeculativeJIT::convertToDouble):
3872         (JSC::DFG::SpeculativeJIT::compare):
3873         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3874         (JSC::DFG::SpeculativeJIT::emitBranch):
3875         (JSC::DFG::SpeculativeJIT::compile):
3876         * dfg/DFGSpeculativeJIT64.cpp:
3877         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3878         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3879         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3880         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3881         (JSC::DFG::SpeculativeJIT::compare):
3882         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3883         (JSC::DFG::SpeculativeJIT::emitBranch):
3884         (JSC::DFG::SpeculativeJIT::compile):
3885
3886 2011-10-06  Gavin Peters  <gavinp@chromium.org>
3887
3888         REGRESSION (r96595): First frame in assertion backtraces is no longer labeled "1"
3889         https://bugs.webkit.org/show_bug.cgi?id=69556
3890
3891         Reviewed by Adam Roben.
3892
3893         * wtf/Assertions.cpp:
3894
3895 2011-10-06  Filip Pizlo  <fpizlo@apple.com>
3896
3897         DFG implementation of UInt32ToNumber is missing a break statement
3898         https://bugs.webkit.org/show_bug.cgi?id=69552
3899
3900         Reviewed by Oliver Hunt.
3901
3902         * dfg/DFGSpeculativeJIT32_64.cpp:
3903         (JSC::DFG::SpeculativeJIT::compile):
3904         * dfg/DFGSpeculativeJIT64.cpp:
3905         (JSC::DFG::SpeculativeJIT::compile):
3906
3907 2011-10-06  Gavin Barraclough  <barraclough@apple.com>
3908
3909         Unreviewed build fix for DFG JIT 32_64 release builds.
3910
3911         * dfg/DFGJITCompiler.cpp:
3912         * dfg/DFGJITCompiler.h:
3913         * dfg/DFGJITCompiler32_64.cpp:
3914             - Remove three unused methods.
3915
3916 2011-10-06  Gavin Barraclough  <barraclough@apple.com>
3917
3918         DFG JIT 32_64 should check type of values being filled by fillSpeculateInt
3919         https://bugs.webkit.org/show_bug.cgi?id=69549
3920
3921         Reviewed by Oliver Hunt.
3922
3923         This breaks sunspider/3d-cube.
3924
3925         * dfg/DFGSpeculativeJIT32_64.cpp:
3926         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3927             - Speculation check on the tag. 
3928
3929 2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3930
3931         Snow Leopard build fix
3932
3933         Unreviewed build fix
3934
3935         * JavaScriptCore.exp:
3936
3937 2011-10-05  Gavin Barraclough  <barraclough@apple.com>
3938
3939         Add explicit JSGlobalThis type.
3940         https://bugs.webkit.org/show_bug.cgi?id=69478
3941
3942         Reviewed by Darin Adler.
3943
3944         JSC supports a split global object, as used by WebCore for the Window. As a stage
3945         of making this visible to JSC, make it so that if the global this value is not the
3946         global object itself, it must be a subclass of JSGlobalThis.
3947
3948         * API/JSCallbackObjectFunctions.h:
3949         (JSC::::finishCreation):
3950             - Don't pass the thisValue to JSGlobalObject::finishCreation.
3951         * JavaScriptCore.xcodeproj/project.pbxproj:
3952             - Added JSGlobalThis.h
3953         * jsc.cpp:
3954         (GlobalObject::finishCreation):
3955             - Don't pass the thisValue to JSGlobalObject::finishCreation.
3956         * runtime/JSGlobalObject.h:
3957         (JSC::JSGlobalObject::create):
3958         (JSC::JSGlobalObject::finishCreation):
3959             - finishCreation takes a JSGlobalThis, or thisValue is implicit.
3960         * runtime/JSGlobalThis.h: Added.
3961         (JSC::JSGlobalThis::create):
3962         (JSC::JSGlobalThis::JSGlobalThis):
3963         (JSC::JSGlobalThis::finishCreation):
3964             - Thin wrapper on JSNonFinalObject to allow type checking.
3965         * testRegExp.cpp:
3966         (GlobalObject::finishCreation):
3967             - Don't pass the thisValue to JSGlobalObject::finishCreation.
3968
3969 2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3970
3971         JSC objects need to know their own cell size at runtime.
3972         https://bugs.webkit.org/show_bug.cgi?id=69390
3973
3974         Reviewed by Geoffrey Garen.
3975
3976         Added the cellSize field to ClassInfo and the static calculation of
3977         the size of each class to the CREATE_METHOD_TABLE macro, which will be
3978         renamed in a followup patch to make its name match its broader use.
3979
3980         Also added a few ClassInfo structs so that each object that is allocated has its 
3981         correct size.  
3982
3983         * JavaScriptCore.exp:
3984         * runtime/ClassInfo.h:
3985
3986         Changed JSByteArray s_defaultInfo to s_info so that the template will get the 
3987         correct ClassInfo struct from it when it's allocated.
3988         * runtime/JSByteArray.cpp:
3989         * runtime/JSByteArray.h:
3990         * runtime/JSCell.h:
3991         (JSC::allocateCell):
3992         * runtime/JSNotAnObject.cpp:
3993         * runtime/JSNotAnObject.h:
3994         * runtime/JSObject.cpp:
3995         * runtime/JSObject.h:
3996         (JSC::JSCell::cellSize):
3997         * runtime/JSStaticScopeObject.cpp:
3998         * runtime/JSStaticScopeObject.h:
3999         * runtime/StrictEvalActivation.cpp:
4000         * runtime/StrictEvalActivation.h:
4001
4002 2011-10-06  Gavin Peters  <gavinp@chromium.org>
4003
4004         export new stack dumping method
4005         https://bugs.webkit.org/show_bug.cgi?id=69018
4006
4007         The original landing of bug 69018 didn't export WTFGetBacktrace, so when bug 69453 landed with the first use
4008         of this function, many builds broke.  So here we add the exports, so that the function is usable.
4009
4010         Reviewed by Adam Roben.
4011
4012         * JavaScriptCore.exp:
4013         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
4014
4015 2011-10-06  Csaba Osztrogonác  <ossy@webkit.org>
4016
4017         REGRESSION(r96347): Build is broken with MSVC compiler if !PLATFORM(WINDOWS)
4018         https://bugs.webkit.org/show_bug.cgi?id=69413
4019
4020         Reviewed by Darin Adler.
4021
4022         * assembler/MacroAssemblerCodeRef.h: Define STDCALL for MSVC in a proper way.
4023