58faeaf785cb4cb488352d28bd901ecaae9ad2e2
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Fix build break after r154861
        https://bugs.webkit.org/show_bug.cgi?id=120503

        Reviewed by Geoffrey Garen.

        Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * Target.pri:
        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Andreas Kling  <akling@apple.com>

        CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
        <https://webkit.org/b/120487>

        Reviewed by Oliver Hunt.

        CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
        instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
        exact amount of space needed.

        * bytecode/CodeBlock.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)

        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Implement ES6 Map object
        https://bugs.webkit.org/show_bug.cgi?id=120333

        Reviewed by Geoffrey Garen.

        Implement support for the ES6 Map type and related classes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyToken.h: Add a new token to track copying the backing store
        * runtime/CommonIdentifiers.h: Add new identifiers
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
            Add new structures and prototypes

        * runtime/JSMap.cpp: Added.
        * runtime/JSMap.h: Added.
            New JSMap class to represent a Map instance

        * runtime/MapConstructor.cpp: Added.
        * runtime/MapConstructor.h: Added.
            The Map constructor

        * runtime/MapData.cpp: Added.
        * runtime/MapData.h: Added.
            The most interesting data structure.  This roughly corresponds
            to the ES6 notion of MapData.  It provides the core JSValue->JSValue
            map implementation.  We implement it using 2 hashtables and a flat
            table.  Due to the different semantics of string comparisons vs.
            all others we need to have one map keyed by String and the other by
            generic JSValue.  The actual table is represented more or less
            exactly as described in the ES6 draft - a single contiguous list of
            key/value pairs.  The entire map could be achieved with just this
            table, however we need the HashMaps in order to maintain O(1) lookup.

            Deleted values are simply cleared as the draft says, however the
            implementation compacts the storage on copy as long as there are no
            active iterators.

        * runtime/MapPrototype.cpp: Added.
        * runtime/MapPrototype.h: Added.
            Implement Map prototype functions

        * runtime/VM.cpp:
            Add new structures.
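
        The MapData layout described in the entry above, as an added illustration in plain C++17 (not JSC's own MapData code): a flat insertion-ordered key/value table, one hash index keyed by string content and one keyed by generic value, deleted slots cleared in place, and compaction deferred while any iterator is live so that iterator positions never go stale. The Key/Value stand-ins and the RAII iterator count are assumptions of this example.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <unordered_map>
#include <variant>
#include <vector>

// Stand-in for JSValue: strings compare by content, everything else by value.
// Pass std::string explicitly; a bare "literal" would pick the bool alternative.
using Key = std::variant<bool, double, std::string>;
using Value = std::string;

class MapData {
public:
    struct Entry {
        Key key;
        Value value;
        bool deleted = false;   // cleared slot, kept so live iterators stay valid
    };

    // RAII token: while any Iterator exists, slots must not be moved.
    class Iterator {
    public:
        explicit Iterator(MapData& m) : m_map(m), m_index(0) { ++m_map.m_activeIterators; }
        ~Iterator() { --m_map.m_activeIterators; }
        Iterator(const Iterator&) = delete;
        Iterator& operator=(const Iterator&) = delete;
        // Yields live entries in insertion order, skipping cleared slots; nullptr at end.
        const Entry* next() {
            while (m_index < m_map.m_entries.size()) {
                const Entry& e = m_map.m_entries[m_index++];
                if (!e.deleted)
                    return &e;
            }
            return nullptr;
        }
    private:
        MapData& m_map;
        size_t m_index;
    };

    void set(const Key& key, const Value& value) {
        if (std::optional<size_t> idx = find(key)) {
            m_entries[*idx].value = value;   // overwrite keeps the original position
            return;
        }
        size_t idx = m_entries.size();
        m_entries.push_back({key, value, false});
        if (const std::string* s = std::get_if<std::string>(&key))
            m_stringIndex[*s] = idx;         // string keys: content equality
        else
            m_valueIndex[key] = idx;         // everything else: value equality
        ++m_size;
    }

    std::optional<Value> get(const Key& key) const {
        std::optional<size_t> idx = find(key);
        if (!idx)
            return std::nullopt;
        return m_entries[*idx].value;
    }

    bool has(const Key& key) const { return find(key).has_value(); }

    // Delete drops the index entry and clears the flat slot; the slot itself
    // stays in the table so that a live iterator's position remains meaningful.
    bool remove(const Key& key) {
        std::optional<size_t> idx = find(key);
        if (!idx)
            return false;
        if (const std::string* s = std::get_if<std::string>(&key))
            m_stringIndex.erase(*s);
        else
            m_valueIndex.erase(key);
        m_entries[*idx].deleted = true;
        m_entries[*idx].value.clear();
        --m_size;
        return true;
    }

    size_t size() const { return m_size; }
    size_t capacity() const { return m_entries.size(); }   // includes cleared slots
    size_t activeIterators() const { return m_activeIterators; }

    // "Compact on copy": squeeze out cleared slots only when no iterator is live;
    // otherwise copy slot-for-slot, because moving entries would desync iterators.
    MapData copy() const {
        if (m_activeIterators) {
            MapData same = *this;
            same.m_activeIterators = 0;     // iterators belong to the original
            return same;
        }
        MapData compacted;
        for (const Entry& e : m_entries)
            if (!e.deleted)
                compacted.set(e.key, e.value);
        return compacted;
    }

private:
    std::optional<size_t> find(const Key& key) const {
        if (const std::string* s = std::get_if<std::string>(&key)) {
            auto it = m_stringIndex.find(*s);
            if (it != m_stringIndex.end())
                return it->second;
            return std::nullopt;
        }
        auto it = m_valueIndex.find(key);
        if (it != m_valueIndex.end())
            return it->second;
        return std::nullopt;
    }

    std::vector<Entry> m_entries;                           // the flat key/value table
    std::unordered_map<std::string, size_t> m_stringIndex;  // keyed by string content
    std::unordered_map<Key, size_t> m_valueIndex;           // keyed by generic value
    size_t m_size = 0;
    size_t m_activeIterators = 0;
};
```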

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
        https://bugs.webkit.org/show_bug.cgi?id=120489

        Reviewed by Geoffrey Garen.

        If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
        DFG compilation but we've also started one or more FTL compilations, then we
        shouldn't get confused. Previously we would have gotten confused because we would
        see an in-process deferred compile (the FTL compile) and also an optimized
        replacement (the DFG code).

        If the baseline JIT hits an OSR entry trigger into the DFG and we previously
        did two things in this order: triggered a tier-up compilation from the DFG into
        the FTL, and then jettisoned the DFG code because it exited a bunch, then we
        shouldn't be confused by the presence of an in-process deferred compile (the FTL
        compile). Previously we would have waited for that compile to finish; but the more
        sensible thing to do is to let it complete and then invalidate it, while at the
        same time enqueueing a DFG compile to create a new, more valid, DFG code block.

        If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
        triggered an FTL compile for replacement, then it should fire off a second compile
        instead of thinking that it can wait for that one to finish. Or vice-versa. We
        need to allow for two FTL compiles to be enqueued at the same time (one for
        replacement and one for OSR entry in a loop).

        Then there's also the problem that DFG::compile() is almost certainly going to be
        the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
        right now there is no way to tell it which one you want.

        This fixes these problems and removes a bunch of potential confusion by making the
        key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
        FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().

        Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
        DFG::compile() is always passed DFGMode and then it might do an FTL compile if
        possible. Fixing that is a bigger issue for a later changeset.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        * dfg/DFGCompilationKey.cpp: Added.
        (JSC::DFG::CompilationKey::dump):
        * dfg/DFGCompilationKey.h: Added.
        (JSC::DFG::CompilationKey::CompilationKey):
        (JSC::DFG::CompilationKey::operator!):
        (JSC::DFG::CompilationKey::isHashTableDeletedValue):
        (JSC::DFG::CompilationKey::profiledBlock):
        (JSC::DFG::CompilationKey::mode):
        (JSC::DFG::CompilationKey::operator==):
        (JSC::DFG::CompilationKey::hash):
        (JSC::DFG::CompilationKeyHash::hash):
        (JSC::DFG::CompilationKeyHash::equal):
        * dfg/DFGCompilationMode.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGCompilationMode.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::key):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-29  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r154847.
        If you are going to exclude promises, actually exclude the build components.

        * interpreter/CallFrame.h: Exclude promise declarations
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset): Exclude promise code.
        (JSC::JSGlobalObject::visitChildren): Ditto.
        * runtime/VM.cpp: Ditto.
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-29  Sam Weinig  <sam@webkit.org>

        Add ENABLE guards for Promises
        https://bugs.webkit.org/show_bug.cgi?id=120488

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromise.h:
        * runtime/JSPromiseCallback.cpp:
        * runtime/JSPromiseCallback.h:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPromiseResolver.cpp:
        * runtime/JSPromiseResolver.h:
        * runtime/JSPromiseResolverConstructor.cpp:
        * runtime/JSPromiseResolverConstructor.h:
        * runtime/JSPromiseResolverPrototype.cpp:
        * runtime/JSPromiseResolverPrototype.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):

2013-08-29  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
        https://bugs.webkit.org/show_bug.cgi?id=120080

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Kill code that became dead after http://trac.webkit.org/changeset/154833

        Rubber stamped by Oliver Hunt.

        * dfg/DFGDriver.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock's magic for scaling tier-up thresholds should be more reusable
        https://bugs.webkit.org/show_bug.cgi?id=120486

        Reviewed by Oliver Hunt.

        Removed the counterValueForBlah() methods and exposed the reusable scaling logic
        as an adjustedCounterValue() method.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::adjustedCounterValue):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * bytecode/CodeBlock.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::prepareForExecution() is silly
        https://bugs.webkit.org/show_bug.cgi?id=120453

        Reviewed by Oliver Hunt.

        Instead of saying:

            codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)

        we should just say:

            JIT::compile(stuff, codeBlock, more stuff);

        And similarly for the LLInt and DFG.

        This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
        wrapper that uses the JITType argument to call into the appropriate execution
        engine, which is what the user wanted to do in the first place.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setEntrypoint):
        * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
        * llint/LLIntEntrypoints.cpp: Removed.
        * llint/LLIntEntrypoints.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Gardening: fixed broken non-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=120481.

        Not reviewed.

        * interpreter/StackIterator.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.

        Rolling r154804 back in after fixing no-LLInt build.

        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).

        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.

        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.

        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.

        This patch solves these problems by reducing all of that complexity into just
        three primitives:

        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.

        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.

        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.

        This functionality is then wrapped around three convenience methods:

        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).

        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.

        - CodeBlock::install(). Asks the Executable to install this code block.

        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.

        It also allows me to work on FTL OSR entry and tier-up:

        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.

        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::prepareForExecutionImpl):
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::prepareForExecutionAsynchronously):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Change StackIterator to not require writes to the JS stack.
        https://bugs.webkit.org/show_bug.cgi?id=119657.

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        - Removed references to StackIteratorPrivate.h.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::find):
        (JSC::StackIterator::readFrame):
        (JSC::StackIterator::readNonInlinedFrame):
        - Reads in the current CallFrame's data for non-inlined frames.
        (JSC::inlinedFrameOffset):
        - Convenience function to compute the inlined frame offset based on the
          CodeOrigin. If the offset is 0, then we're looking at the physical frame.
          Otherwise, it's an inlined frame.
        (JSC::StackIterator::readInlinedFrame):
        - Determines the inlined frame's caller frame. Will read in the caller
          frame if it is also an inlined frame i.e. we haven't reached the
          outermost frame yet. Otherwise, will call readNonInlinedFrame() to
          read on the outermost frame.
          This is based on the old StackIterator::Frame::logicalFrame().
        (JSC::StackIterator::updateFrame):
        - Reads the data of the caller frame of the current one. This function
          is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
          but is now simplified because it delegates to the readInlinedFrame()
          to get the caller for inlined frames.
        (JSC::StackIterator::Frame::arguments):
        - Fixed to use the inlined frame versions of Arguments::create() and
          Arguments::tearOff() when the frame is an inlined frame.
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (debugPrintStack):
        - Because sometimes, we want to see the whole stack while debugging.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::argumentCount):
        (JSC::StackIterator::Frame::callerFrame):
        (JSC::StackIterator::Frame::callee):
        (JSC::StackIterator::Frame::scope):
        (JSC::StackIterator::Frame::codeBlock):
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::inlinedFrameInfo):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::isInlinedFrame):
        (JSC::StackIterator::Frame::callFrame):
        (JSC::StackIterator::Frame::Frame):
        (JSC::StackIterator::Frame::~Frame):
        - StackIterator::Frame now caches commonly used accessed values from
          the CallFrame. It still delegates argument queries to the CallFrame.
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::operator==):
        * interpreter/StackIteratorPrivate.h: Removed.

2013-08-29  Chris Curtis  <chris_curtis@apple.com>

        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
        https://bugs.webkit.org/show_bug.cgi?id=120472

        Reviewed by Filip Pizlo.

        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller,
        throwException can be called when topCallFrame is set.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h:

        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
        to throw errors. It unwinds the stack in order to report them.
        * dfg/DFGOperations.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        (JSC::jitThrowNew):
        (JSC::jitThrow):
        * jit/JITExceptions.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):

2013-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154804.
        http://trac.webkit.org/changeset/154804
        https://bugs.webkit.org/show_bug.cgi?id=120477

        Broke Windows build (assumes LLInt features not enabled on
        this build) (Requested by bfulgham on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType):
        (JSC::CodeBlock::jitCompile):
        * bytecode/DeferredCompilationCallback.cpp: Removed.
        * bytecode/DeferredCompilationCallback.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Added.
        (JSC::jitCompileIfAppropriateImpl):
        (JSC::jitCompileFunctionIfAppropriateImpl):
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
        * jit/JITToDFGDeferredCompilationCallback.h: Removed.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::jitCompile):
        (JSC::EvalExecutable::compileInternal):
        (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
710         (JSC::FunctionExecutable::compileOptimizedForCall):
711         (JSC::FunctionExecutable::compileOptimizedForConstruct):
712         (JSC::FunctionExecutable::jitCompileForCall):
713         (JSC::FunctionExecutable::jitCompileForConstruct):
714         (JSC::FunctionExecutable::produceCodeBlockFor):
715         (JSC::FunctionExecutable::compileForCallInternal):
716         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
717         (JSC::FunctionExecutable::compileForConstructInternal):
718         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
719         * runtime/Executable.h:
720         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
721         (JSC::ExecutableBase::offsetOfNumParametersFor):
722         (JSC::ExecutableBase::catchRoutineFor):
723         (JSC::EvalExecutable::compile):
724         (JSC::ProgramExecutable::compile):
725         (JSC::FunctionExecutable::compileForCall):
726         (JSC::FunctionExecutable::compileForConstruct):
727         (JSC::FunctionExecutable::compileFor):
728         (JSC::FunctionExecutable::compileOptimizedFor):
729         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
730         (JSC::FunctionExecutable::jitCompileFor):
731         * runtime/ExecutionHarness.h: Added.
732         (JSC::prepareForExecutionImpl):
733         (JSC::prepareFunctionForExecutionImpl):
734         (JSC::installOptimizedCode):
735         (JSC::prepareForExecution):
736         (JSC::prepareFunctionForExecution):
737         (JSC::replaceWithDeferredOptimizedCode):
738
739 2013-08-28  Filip Pizlo  <fpizlo@apple.com>
740
741         CodeBlock compilation and installation should be simplified and rationalized
742         https://bugs.webkit.org/show_bug.cgi?id=120326
743
744         Reviewed by Oliver Hunt.
745         
746         Previously Executable owned the code for generating JIT code; you always had
747         to go through Executable. But often you also had to go through CodeBlock,
748         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
749         So you'd ask CodeBlock to do something, which would dispatch through a
750         virtual method that would select the appropriate Executable subtype's method.
751         This all meant that the same code would often be duplicated, because most of
752         the work needed to compile something was identical regardless of code type.
753         But then we tried to fix this, by having templatized helpers in
754         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
755         out what happened when you asked for something to be compiled, you'd go on a
756         wild ride that started with CodeBlock, touched upon Executable, and then
757         ricocheted into either ExecutionHarness or JITDriver (likely both).
758         
759         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
760         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
761         done once the compilation finished.
762         
763         Also, most of the DFG JIT drivers assumed that they couldn't install the
764         JITCode into the CodeBlock directly - instead they would return it via a
765         reference, which happened to be a reference to the JITCode pointer in
766         Executable. This was super weird.
767         
768         Finally, there was no notion of compiling code into a special CodeBlock that
769         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
770         entry.
771         
772         This patch solves these problems by reducing all of that complexity into just
773         three primitives:
774         
775         - Executable::newCodeBlock(). This gives you a new code block, either for call
776           or for construct, and either to serve as the baseline code or the optimized
777           code. The new code block is then owned by the caller; Executable doesn't
778           register it anywhere. The new code block has no JITCode and isn't callable,
779           but it has all of the bytecode.
780         
781         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
782           produces a JITCode, and then installs the JITCode into the CodeBlock. This
783           method takes a JITType, and always compiles with that JIT. If you ask for
784           JITCode::InterpreterThunk then you'll get JITCode that just points to the
785           LLInt entrypoints. Once this returns, it is possible to call into the
786           CodeBlock if you do so manually - but the Executable still won't know about
787           it so JS calls to that Executable will still be routed to whatever CodeBlock
788           is associated with the Executable.
789         
790         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
791           entry for that Executable. This involves unlinking the Executable's last
792           CodeBlock, if there was one. This also tells the GC about any effect on
793           memory usage and does a bunch of weird data structure rewiring, since
794           Executable caches some of CodeBlock's fields for the benefit of virtual call
795           fast paths.
796         
797         This functionality is then wrapped around three convenience methods:
798         
799         - Executable::prepareForExecution(). If there is no code block for that
800           Executable, then one is created (newCodeBlock()), compiled
801           (CodeBlock::prepareForExecution()) and installed (installCode()).
802         
803         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
804           can serve as an optimized replacement of the current one.
805         
806         - CodeBlock::install(). Asks the Executable to install this code block.
807         
808         This patch allows me to kill *a lot* of code and to remove a lot of
809         specializations for functions vs. not-functions, and a lot of places where we
810         pass around JITCode references and such. ExecutionHarness and JITDriver are
811         both gone. Overall this patch has more red than green.
812         
813         It also allows me to work on FTL OSR entry and tier-up:
814         
815         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
816           to do some compilation, but it will require the DFG::Worklist to do
817           something different than what JITStubs.cpp would want, once the compilation
818           finishes. This patch introduces a callback mechanism for that purpose.
819         
820         - FTL OSR entry: this will involve creating a special auto-jettisoned
821           CodeBlock that is used only for FTL OSR entry. The new set of primitives
822           allows for this: Executable can vend you a fresh new CodeBlock, and you can
823           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
824           can take that CodeBlock and compile it yourself. Previously the act of
825           producing a CodeBlock-for-optimization and the act of compiling code for it
826           were tightly coupled; now you can separate them and you can create such
827           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
828
829         * CMakeLists.txt:
830         * GNUmakefile.list.am:
831         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
832         * JavaScriptCore.xcodeproj/project.pbxproj:
833         * Target.pri:
834         * bytecode/CodeBlock.cpp:
835         (JSC::CodeBlock::prepareForExecution):
836         (JSC::CodeBlock::install):
837         (JSC::CodeBlock::newReplacement):
838         (JSC::FunctionCodeBlock::jettisonImpl):
839         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
840         * bytecode/CodeBlock.h:
841         (JSC::CodeBlock::hasBaselineJITProfiling):
842         * bytecode/DeferredCompilationCallback.cpp: Added.
843         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
844         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
845         * bytecode/DeferredCompilationCallback.h: Added.
846         * dfg/DFGDriver.cpp:
847         (JSC::DFG::tryCompile):
848         * dfg/DFGDriver.h:
849         (JSC::DFG::tryCompile):
850         * dfg/DFGFailedFinalizer.cpp:
851         (JSC::DFG::FailedFinalizer::finalize):
852         (JSC::DFG::FailedFinalizer::finalizeFunction):
853         * dfg/DFGFailedFinalizer.h:
854         * dfg/DFGFinalizer.h:
855         * dfg/DFGJITFinalizer.cpp:
856         (JSC::DFG::JITFinalizer::finalize):
857         (JSC::DFG::JITFinalizer::finalizeFunction):
858         * dfg/DFGJITFinalizer.h:
859         * dfg/DFGOSRExitPreparation.cpp:
860         (JSC::DFG::prepareCodeOriginForOSRExit):
861         * dfg/DFGOperations.cpp:
862         * dfg/DFGPlan.cpp:
863         (JSC::DFG::Plan::Plan):
864         (JSC::DFG::Plan::compileInThreadImpl):
865         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
866         (JSC::DFG::Plan::finalizeAndNotifyCallback):
867         * dfg/DFGPlan.h:
868         * dfg/DFGWorklist.cpp:
869         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
870         * ftl/FTLJITFinalizer.cpp:
871         (JSC::FTL::JITFinalizer::finalize):
872         (JSC::FTL::JITFinalizer::finalizeFunction):
873         * ftl/FTLJITFinalizer.h:
874         * heap/Heap.h:
875         (JSC::Heap::isDeferred):
876         * interpreter/Interpreter.cpp:
877         (JSC::Interpreter::execute):
878         (JSC::Interpreter::executeCall):
879         (JSC::Interpreter::executeConstruct):
880         (JSC::Interpreter::prepareForRepeatCall):
881         * jit/JITDriver.h: Removed.
882         * jit/JITStubs.cpp:
883         (JSC::DEFINE_STUB_FUNCTION):
884         (JSC::jitCompileFor):
885         (JSC::lazyLinkFor):
886         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
887         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
888         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
889         (JSC::JITToDFGDeferredCompilationCallback::create):
890         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
891         * jit/JITToDFGDeferredCompilationCallback.h: Added.
892         * llint/LLIntEntrypoints.cpp:
893         (JSC::LLInt::setFunctionEntrypoint):
894         (JSC::LLInt::setEvalEntrypoint):
895         (JSC::LLInt::setProgramEntrypoint):
896         * llint/LLIntEntrypoints.h:
897         * llint/LLIntSlowPaths.cpp:
898         (JSC::LLInt::jitCompileAndSetHeuristics):
899         (JSC::LLInt::setUpCall):
900         * runtime/ArrayPrototype.cpp:
901         (JSC::isNumericCompareFunction):
902         * runtime/CommonSlowPaths.cpp:
903         * runtime/CompilationResult.cpp:
904         (WTF::printInternal):
905         * runtime/CompilationResult.h:
906         * runtime/Executable.cpp:
907         (JSC::ScriptExecutable::installCode):
908         (JSC::ScriptExecutable::newCodeBlockFor):
909         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
910         (JSC::ScriptExecutable::prepareForExecutionImpl):
911         * runtime/Executable.h:
912         (JSC::ScriptExecutable::prepareForExecution):
913         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
914         * runtime/ExecutionHarness.h: Removed.
915
916 2013-08-28  Chris Curtis  <chris_curtis@apple.com>
917
918         https://bugs.webkit.org/show_bug.cgi?id=119548
919         Refactoring Exception throws.
920         
921         Reviewed by Geoffrey Garen.
922         
923         Gardening of exception throws. The act of throwing an exception was being handled in
924         different ways depending on whether the code was running in the LLInt, Baseline JIT,
925         or the DFG JIT. This made development in the VM exception and error objects difficult.
926         
927         * runtime/VM.cpp:
928         (JSC::appendSourceToError):
929         This function moved from the interpreter into the VM. It views the developer's code
930         (if there is a codeBlock) to extract what was trying to be evaluated when the error
931         occurred.
932         
933         (JSC::VM::throwException):
934         This function takes in the error object and sets the following:
935             1: The VM's exception stack
936             2: The VM's exception 
937             3: Appends extra information on the error message(via appendSourceToError)
938             4: The error object's line number
939             5: The error object's column number
940             6: The error object's sourceURL
941             7: The error object's stack trace (unless it already exists because the developer 
942                 created the error object). 
943
944         (JSC::VM::getExceptionInfo):
945         (JSC::VM::setExceptionInfo):
946         (JSC::VM::clearException):
947         (JSC::clearExceptionStack):
948         * runtime/VM.h:
949         (JSC::VM::exceptionOffset):
950         (JSC::VM::exception):
951         (JSC::VM::addressOfException):
952         (JSC::VM::exceptionStack):
953         VM exception and exceptionStack are now private data members.
954
955         * interpreter/Interpreter.h:
956         (JSC::ClearExceptionScope::ClearExceptionScope):
957         Created this structure to temporarily clear the exception within the VM. This is
958         needed to see if additional errors occur when setting the debugger as we are
959         unwinding the stack.
960
961         * interpreter/Interpreter.cpp:
962         (JSC::Interpreter::unwind): 
963         Removed the code that would try to add error information if it did not exist. 
964         All of this functionality has moved into the VM and all error information is set 
965         at the time the error occurs. 
966
967         The rest of these functions reference the new calling convention to throw an error.
968
969         * API/APICallbackFunction.h:
970         (JSC::APICallbackFunction::call):
971         * API/JSCallbackConstructor.cpp:
972         (JSC::constructJSCallback):
973         * API/JSCallbackObjectFunctions.h:
974         (JSC::::getOwnPropertySlot):
975         (JSC::::defaultValue):
976         (JSC::::put):
977         (JSC::::putByIndex):
978         (JSC::::deleteProperty):
979         (JSC::::construct):
980         (JSC::::customHasInstance):
981         (JSC::::call):
982         (JSC::::getStaticValue):
983         (JSC::::staticFunctionGetter):
984         (JSC::::callbackGetter):
985         * debugger/Debugger.cpp:
986         (JSC::evaluateInGlobalCallFrame):
987         * debugger/DebuggerCallFrame.cpp:
988         (JSC::DebuggerCallFrame::evaluate):
989         * dfg/DFGAssemblyHelpers.h:
990         (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
991         * dfg/DFGOperations.cpp:
992         (JSC::DFG::operationPutByValInternal):
993         * ftl/FTLLowerDFGToLLVM.cpp:
994         (JSC::FTL::LowerDFGToLLVM::callCheck):
995         * heap/Heap.cpp:
996         (JSC::Heap::markRoots):
997         * interpreter/CallFrame.h:
998         (JSC::ExecState::clearException):
999         (JSC::ExecState::exception):
1000         (JSC::ExecState::hadException):
1001         * interpreter/Interpreter.cpp:
1002         (JSC::eval):
1003         (JSC::loadVarargs):
1004         (JSC::stackTraceAsString):
1005         (JSC::Interpreter::execute):
1006         (JSC::Interpreter::executeCall):
1007         (JSC::Interpreter::executeConstruct):
1008         (JSC::Interpreter::prepareForRepeatCall):
1009         * interpreter/Interpreter.h:
1010         (JSC::ClearExceptionScope::ClearExceptionScope):
1011         * jit/JITCode.cpp:
1012         (JSC::JITCode::execute):
1013         * jit/JITExceptions.cpp:
1014         (JSC::genericThrow):
1015         * jit/JITOpcodes.cpp:
1016         (JSC::JIT::emit_op_catch):
1017         * jit/JITOpcodes32_64.cpp:
1018         (JSC::JIT::privateCompileCTINativeCall):
1019         (JSC::JIT::emit_op_catch):
1020         * jit/JITStubs.cpp:
1021         (JSC::returnToThrowTrampoline):
1022         (JSC::throwExceptionFromOpCall):
1023         (JSC::DEFINE_STUB_FUNCTION):
1024         (JSC::jitCompileFor):
1025         (JSC::lazyLinkFor):
1026         (JSC::putByVal):
1027         (JSC::cti_vm_handle_exception):
1028         * jit/SlowPathCall.h:
1029         (JSC::JITSlowPathCall::call):
1030         * jit/ThunkGenerators.cpp:
1031         (JSC::nativeForGenerator):
1032         * jsc.cpp:
1033         (functionRun):
1034         (functionLoad):
1035         (functionCheckSyntax):
1036         * llint/LLIntExceptions.cpp:
1037         (JSC::LLInt::doThrow):
1038         (JSC::LLInt::returnToThrow):
1039         (JSC::LLInt::callToThrow):
1040         * llint/LLIntSlowPaths.cpp:
1041         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1042         * llint/LowLevelInterpreter.cpp:
1043         (JSC::CLoop::execute):
1044         * llint/LowLevelInterpreter32_64.asm:
1045         * llint/LowLevelInterpreter64.asm:
1046         * runtime/ArrayConstructor.cpp:
1047         (JSC::constructArrayWithSizeQuirk):
1048         * runtime/CommonSlowPaths.cpp:
1049         (JSC::SLOW_PATH_DECL):
1050         * runtime/CommonSlowPaths.h:
1051         (JSC::CommonSlowPaths::opIn):
1052         * runtime/CommonSlowPathsExceptions.cpp:
1053         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1054         * runtime/Completion.cpp:
1055         (JSC::evaluate):
1056         * runtime/Error.cpp:
1057         (JSC::addErrorInfo):
1058         (JSC::throwTypeError):
1059         (JSC::throwSyntaxError):
1060         * runtime/Error.h:
1061         (JSC::throwVMError):
1062         * runtime/ExceptionHelpers.cpp:
1063         (JSC::throwOutOfMemoryError):
1064         (JSC::throwStackOverflowError):
1065         (JSC::throwTerminatedExecutionException):
1066         * runtime/Executable.cpp:
1067         (JSC::EvalExecutable::create):
1068         (JSC::FunctionExecutable::produceCodeBlockFor):
1069         * runtime/FunctionConstructor.cpp:
1070         (JSC::constructFunction):
1071         (JSC::constructFunctionSkippingEvalEnabledCheck):
1072         * runtime/JSArray.cpp:
1073         (JSC::JSArray::defineOwnProperty):
1074         (JSC::JSArray::put):
1075         (JSC::JSArray::push):
1076         * runtime/JSCJSValue.cpp:
1077         (JSC::JSValue::toObjectSlowCase):
1078         (JSC::JSValue::synthesizePrototype):
1079         (JSC::JSValue::putToPrimitive):
1080         * runtime/JSFunction.cpp:
1081         (JSC::JSFunction::defineOwnProperty):
1082         * runtime/JSGenericTypedArrayViewInlines.h:
1083         (JSC::::create):
1084         (JSC::::createUninitialized):
1085         (JSC::::validateRange):
1086         (JSC::::setWithSpecificType):
1087         * runtime/JSGlobalObjectFunctions.cpp:
1088         (JSC::encode):
1089         (JSC::decode):
1090         (JSC::globalFuncProtoSetter):
1091         * runtime/JSNameScope.cpp:
1092         (JSC::JSNameScope::put):
1093         * runtime/JSONObject.cpp:
1094         (JSC::Stringifier::appendStringifiedValue):
1095         (JSC::Walker::walk):
1096         * runtime/JSObject.cpp:
1097         (JSC::JSObject::put):
1098         (JSC::JSObject::defaultValue):
1099         (JSC::JSObject::hasInstance):
1100         (JSC::JSObject::defaultHasInstance):
1101         (JSC::JSObject::defineOwnNonIndexProperty):
1102         (JSC::throwTypeError):
1103         * runtime/ObjectConstructor.cpp:
1104         (JSC::toPropertyDescriptor):
1105         * runtime/RegExpConstructor.cpp:
1106         (JSC::constructRegExp):
1107         * runtime/StringObject.cpp:
1108         (JSC::StringObject::defineOwnProperty):
1109         * runtime/StringRecursionChecker.cpp:
1110         (JSC::StringRecursionChecker::throwStackOverflowError):
1111
1112 2013-08-28  Zan Dobersek  <zdobersek@igalia.com>
1113
1114         [GTK] Add support for building JSC with FTL JIT enabled
1115         https://bugs.webkit.org/show_bug.cgi?id=120270
1116
1117         Reviewed by Filip Pizlo.
1118
1119         * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
1120         compiler flags for the JSC library.
1121         * GNUmakefile.list.am: Add the missing build targets.
1122         * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
1123         failures when using the Clang compiler with the libstdc++ standard library.
1124         (JSC::FTL::mdKindID):
1125         (JSC::FTL::mdString):
1126
1127 2013-08-23  Andy Estes  <aestes@apple.com>
1128
1129         Fix issues found by the Clang Static Analyzer
1130         https://bugs.webkit.org/show_bug.cgi?id=120230
1131
1132         Reviewed by Darin Adler.
1133
1134         * API/JSValue.mm:
1135         (valueToString): Don't leak every CFStringRef when in Objective-C GC.
1136         * API/ObjCCallbackFunction.mm:
1137         (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
1138         release m_invocation's target since NSInvocation will do it for us on
1139         -dealloc.
1140         (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
1141         and -release our reference to the copied block.
1142         * API/tests/minidom.c:
1143         (createStringWithContentsOfFile): Free buffer before returning.
1144         * API/tests/testapi.c:
1145         (createStringWithContentsOfFile): Ditto.
1146
1147 2013-08-26  Brent Fulgham  <bfulgham@apple.com>
1148
1149         [Windows] Unreviewed build fix after r154629.
1150
1151         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
1152         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1153
1154 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
1155
1156         Windows build fix attempt after r154629.
1157
1158         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1159
1160 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1161
1162         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
1163         https://bugs.webkit.org/show_bug.cgi?id=120278
1164
1165         Reviewed by Geoffrey Garen.
1166
1167         * runtime/JSObject.cpp:
1168         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1169
1170 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
1171
1172         Fix indentation of Executable.h.
1173
1174         Rubber stamped by Mark Hahnenberg.
1175
1176         * runtime/Executable.h:
1177
1178 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1179
1180         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
1181         https://bugs.webkit.org/show_bug.cgi?id=120314
1182
1183         Reviewed by Darin Adler.
1184
1185         Currently with the way that defineProperty works, we leave a stray low bit set in 
1186         PropertyDescriptor::m_attributes in the following code:
1187
1188         var o = {};
1189         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
1190         
1191         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
1192         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
1193         but only the top three bits mean anything. Even in the case above, the top three bits are set 
1194         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
1195
1196         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
1197         framework's public C API, it's safer to just change how we calculate the default value, which is
1198         where the weirdness was originating from in the first place.
1199
1200         * runtime/PropertyDescriptor.cpp:
1201
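The stray-bit problem described in the entry above, shown as an added example (not JSC's own code): the attribute bits start at 1 << 1, so a default mask computed as (DontDelete << 1) - 1 also sets bit 0, which no attribute owns; a default built by OR-ing the real flags cannot. DontEnum = 1 << 2 and the hypothetical fixed default are assumptions, not taken from the page.

```cpp
#include <cassert>
#include <cstdint>

// Attribute bits as the entry describes them: the lowest non-zero attribute,
// ReadOnly, is 1 << 1, so bit 0 is never a real attribute. DontEnum = 1 << 2
// is an assumption for the bit between ReadOnly and DontDelete.
enum Attribute : unsigned {
    None       = 0,
    ReadOnly   = 1 << 1,
    DontEnum   = 1 << 2,
    DontDelete = 1 << 3,
};

// The default described in the entry: (DontDelete << 1) - 1 == 0xF.
// It also sets bit 0, which no attribute owns.
constexpr unsigned buggyDefaultAttributes() { return (DontDelete << 1) - 1; }

// Hypothetical fix (not JSC's actual change): build the default from the flags
// themselves, so only bits that correspond to real attributes can ever be set.
constexpr unsigned fixedDefaultAttributes() { return ReadOnly | DontEnum | DontDelete; }

// All bits any real attribute can occupy.
constexpr unsigned allAttributeBits() { return ReadOnly | DontEnum | DontDelete; }

struct Descriptor {
    bool writable;
    bool enumerable;
    bool configurable;
};

// Mimics how a fully specified data descriptor is turned into attribute bits:
// start from the default and clear each bit the descriptor switches off.
unsigned attributesFor(const Descriptor& d, unsigned defaults) {
    unsigned attributes = defaults;
    if (d.writable)     attributes &= ~static_cast<unsigned>(ReadOnly);
    if (d.enumerable)   attributes &= ~static_cast<unsigned>(DontEnum);
    if (d.configurable) attributes &= ~static_cast<unsigned>(DontDelete);
    return attributes;
}

// True when a mask carries bits that belong to no attribute; such a mask reads
// as "non-zero attributes" even though every real attribute is cleared.
bool hasStrayBits(unsigned attributes) {
    return (attributes & ~allAttributeBits()) != 0;
}

int main() {
    // The entry's example: {writable:true, enumerable:true, configurable:true}.
    Descriptor fullyOpen { true, true, true };
    assert(attributesFor(fullyOpen, buggyDefaultAttributes()) == 1);  // bit 0 left behind
    assert(attributesFor(fullyOpen, fixedDefaultAttributes()) == None);
    return 0;
}
```
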
1202 2013-08-24  Sam Weinig  <sam@webkit.org>
1203
1204         Add support for Promises
1205         https://bugs.webkit.org/show_bug.cgi?id=120260
1206
1207         Reviewed by Darin Adler.
1208
1209         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
1210         - Despite Promises being defined in the DOM, the implementation is being put in JSC
1211           in preparation for the Promises eventually being defined in ECMAScript.
1212
1213         * CMakeLists.txt:
1214         * DerivedSources.make:
1215         * DerivedSources.pri:
1216         * GNUmakefile.list.am:
1217         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1218         * JavaScriptCore.xcodeproj/project.pbxproj:
1219         * Target.pri:
1220         Add new files.
1221
1222         * jsc.cpp:
1223         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
1224         you can't quite use Promises with the command line tool yet.
1225     
1226         * interpreter/CallFrame.h:
1227         (JSC::ExecState::promisePrototypeTable):
1228         (JSC::ExecState::promiseConstructorTable):
1229         (JSC::ExecState::promiseResolverPrototypeTable):
1230         * runtime/VM.cpp:
1231         (JSC::VM::VM):
1232         (JSC::VM::~VM):
1233         * runtime/VM.h:
1234         Add supporting code for the new static lookup tables.
1235
1236         * runtime/CommonIdentifiers.h:
1237         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
1238
1239         * runtime/JSGlobalObject.cpp:
1240         (JSC::JSGlobalObject::reset):
1241         (JSC::JSGlobalObject::visitChildren):
1242         Add supporting code for Promise and PromiseResolver's constructors and structures.
1243
1244         * runtime/JSGlobalObject.h:
1245         (JSC::TaskContext::~TaskContext):
1246         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
1247
1248         (JSC::JSGlobalObject::promisePrototype):
1249         (JSC::JSGlobalObject::promiseResolverPrototype):
1250         (JSC::JSGlobalObject::promiseStructure):
1251         (JSC::JSGlobalObject::promiseResolverStructure):
1252         (JSC::JSGlobalObject::promiseCallbackStructure):
1253         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
1254         Add supporting code for Promise and PromiseResolver's constructors and structures.
1255
1256         * runtime/JSPromise.cpp: Added.
1257         * runtime/JSPromise.h: Added.
1258         * runtime/JSPromiseCallback.cpp: Added.
1259         * runtime/JSPromiseCallback.h: Added.
1260         * runtime/JSPromiseConstructor.cpp: Added.
1261         * runtime/JSPromiseConstructor.h: Added.
1262         * runtime/JSPromisePrototype.cpp: Added.
1263         * runtime/JSPromisePrototype.h: Added.
1264         * runtime/JSPromiseResolver.cpp: Added.
1265         * runtime/JSPromiseResolver.h: Added.
1266         * runtime/JSPromiseResolverConstructor.cpp: Added.
1267         * runtime/JSPromiseResolverConstructor.h: Added.
1268         * runtime/JSPromiseResolverPrototype.cpp: Added.
1269         * runtime/JSPromiseResolverPrototype.h: Added.
1270         Add Promise implementation.
1271
1272 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
1273
1274         Plenty of -Wcast-align warnings in KeywordLookup.h
1275         https://bugs.webkit.org/show_bug.cgi?id=120316
1276
1277         Reviewed by Darin Adler.
1278
1279         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
1280         the character pointers to types of larger size. This avoids spewing lots of warnings
1281         in the KeywordLookup.h header when compiling with the -Wcast-align option.
1282
1283 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
1284
1285         RegExpMatchesArray should not call [[put]]
1286         https://bugs.webkit.org/show_bug.cgi?id=120317
1287
1288         Reviewed by Oliver Hunt.
1289
1290         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
1291         property called index or input to either of these prototypes will result in broken behavior.
1292
1293         * runtime/RegExpMatchesArray.cpp:
1294         (JSC::RegExpMatchesArray::reifyAllProperties):
1295             - put -> putDirect
1296
1297 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
1298
1299         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
1300         https://bugs.webkit.org/show_bug.cgi?id=120228
1301
1302         Reviewed by Oliver Hunt.
1303         
1304         It turns out that there were three problems:
1305         
1306         - Using jsNumber() meant that we were converting doubles to integers and then
1307           possibly back again whenever doing a set() between floating point arrays.
1308         
1309         - Slow-path accesses to double typed arrays were slower than necessary because
1310           of the to-int conversion attempt.
1311         
1312         - The use of JSValue as an intermediate for converting between different types
1313           in typedArray.set() resulted in worse code than I had previously expected.
1314         
1315         This patch solves the problem by using template double-dispatch to ensure that
1316         the C++ compiler sees the simplest possible combination of casts between any
1317         combination of typed array types, while still preserving JS and typed array
1318         conversion semantics. Conversions are done as follows:
1319         
1320             SourceAdaptor::convertTo<TargetAdaptor>(value)
1321         
1322         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
1323         with one method for each of int32_t, uint32_t, and double. This means that the
1324         C++ compiler will at worst see a widening cast to one of those types followed
1325         by a narrowing conversion (not necessarily a cast - may have clamping or the
1326         JS toInt32() function).
1327         
1328         This change doesn't just affect typedArray.set(); it also affects slow-path
1329         accesses to typed arrays. This patch also adds a bunch of new test
1330         coverage.
1331         
1332         This change is a ~50% speed-up on typedArray.set() involving floating point
1333         types.
1334
1335         * GNUmakefile.list.am:
1336         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1337         * JavaScriptCore.xcodeproj/project.pbxproj:
1338         * runtime/GenericTypedArrayView.h:
1339         (JSC::GenericTypedArrayView::set):
1340         * runtime/JSDataViewPrototype.cpp:
1341         (JSC::setData):
1342         * runtime/JSGenericTypedArrayView.h:
1343         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1344         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1345         * runtime/JSGenericTypedArrayViewInlines.h:
1346         (JSC::::setWithSpecificType):
1347         (JSC::::set):
1348         * runtime/ToNativeFromValue.h: Added.
1349         (JSC::toNativeFromValue):
1350         * runtime/TypedArrayAdaptors.h:
1351         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1352         (JSC::IntegralTypedArrayAdaptor::toDouble):
1353         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
1354         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
1355         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
1356         (JSC::IntegralTypedArrayAdaptor::convertTo):
1357         (JSC::FloatTypedArrayAdaptor::toJSValue):
1358         (JSC::FloatTypedArrayAdaptor::toDouble):
1359         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
1360         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
1361         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
1362         (JSC::FloatTypedArrayAdaptor::convertTo):
1363         (JSC::Uint8ClampedAdaptor::toJSValue):
1364         (JSC::Uint8ClampedAdaptor::toDouble):
1365         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
1366         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
1367         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
1368         (JSC::Uint8ClampedAdaptor::convertTo):
1369
1370 2013-08-24  Dan Bernstein  <mitz@apple.com>
1371
1372         [mac] link against libz in a more civilized manner
1373         https://bugs.webkit.org/show_bug.cgi?id=120258
1374
1375         Reviewed by Darin Adler.
1376
1377         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
1378         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
1379         Link Binary With Libraries build phase.
1380
1381 2013-08-23  Laszlo Papp  <lpapp@kde.org>
1382
1383         Failure building with python3
1384         https://bugs.webkit.org/show_bug.cgi?id=106645
1385
1386         Reviewed by Benjamin Poulain.
1387
1388         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
1389         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
1390
1391         * disassembler/udis86/itab.py:
1392         (UdItabGenerator.genInsnTable):
1393         * disassembler/udis86/ud_opcode.py:
1394         (UdOpcodeTables.print_table):
1395         * disassembler/udis86/ud_optable.py:
1396         (UdOptableXmlParser.parseDef):
1397         (UdOptableXmlParser.parse):
1398         (printFn):
1399
1400 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
1401
1402         Incorrect TypedArray#set behavior
1403         https://bugs.webkit.org/show_bug.cgi?id=83818
1404
1405         Reviewed by Oliver Hunt and Mark Hahnenberg.
1406         
1407         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
1408         not smart enough to figure out optimal versions for *all* of the cases. But I
1409         did come up with optimal implementations for most of the cases, and I wrote
1410         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
1411         enough to write optimal code for.
1412
1413         * runtime/JSArrayBufferView.h:
1414         (JSC::JSArrayBufferView::hasArrayBuffer):
1415         * runtime/JSArrayBufferViewInlines.h:
1416         (JSC::JSArrayBufferView::buffer):
1417         (JSC::JSArrayBufferView::existingBufferInButterfly):
1418         (JSC::JSArrayBufferView::neuter):
1419         (JSC::JSArrayBufferView::byteOffset):
1420         * runtime/JSGenericTypedArrayView.h:
1421         * runtime/JSGenericTypedArrayViewInlines.h:
1422         (JSC::::setWithSpecificType):
1423         (JSC::::set):
1424         (JSC::::existingBuffer):
1425
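        Two of the entries above (2013-08-24, typed array conversion via SourceAdaptor::convertTo<TargetAdaptor>, and 2013-08-23, typedArray.set() copying through a transfer buffer when it cannot be done in place) describe semantics that are easy to get subtly wrong. The following is an added example, not JavaScriptCore code: a portable reference in plain JavaScript with one adaptor per element type, the same three narrowing entry points (fromInt32, fromUint32, fromDouble) and a spec-literal set() that converts into a transfer buffer first. The names adaptors, convertTo, referenceSet, naiveSet, engineMismatches and overlapCase are this example's own, and the sample values are constructed. engineMismatches compares the reference with Node's own typed arrays, and overlapCase shows what the transfer buffer protects against when source and target alias the same ArrayBuffer.

```javascript
// Added example, not JavaScriptCore code: a reference for typed array element
// conversion (ToInt32 wrap-around, Uint8Clamped rounding, float narrowing) and
// for set() over an aliased buffer, checked against the engine's own behaviour.

// JS ToInt32: NaN and Infinity become 0, otherwise truncate and wrap modulo 2^32.
const toInt32 = d => d | 0;

// ToUint8Clamp: NaN -> 0, clamp to [0, 255], ties round to even.
function toUint8Clamp(d) {
  if (Number.isNaN(d) || d <= 0) return 0;
  if (d >= 255) return 255;
  const f = Math.floor(d);
  if (f + 0.5 < d) return f + 1;
  if (d < f + 0.5) return f;
  return f % 2 === 0 ? f : f + 1;
}

// One adaptor per element type. `dispatch` names the widened form a value of this
// type is handed over as; fromInt32 / fromUint32 / fromDouble narrow it.
function integral(dispatch, wrap) {
  return { dispatch, fromInt32: wrap, fromUint32: wrap, fromDouble: d => wrap(toInt32(d)) };
}
const clamp255 = v => Math.min(255, Math.max(0, v));
const adaptors = {
  Int8Array:         integral('Int32',  v => (v << 24) >> 24),
  Int16Array:        integral('Int32',  v => (v << 16) >> 16),
  Int32Array:        integral('Int32',  v => v | 0),
  Uint8Array:        integral('Uint32', v => v & 0xff),
  Uint16Array:       integral('Uint32', v => v & 0xffff),
  Uint32Array:       integral('Uint32', v => v >>> 0),
  Uint8ClampedArray: { dispatch: 'Uint32', fromInt32: clamp255, fromUint32: clamp255, fromDouble: toUint8Clamp },
  Float32Array:      { dispatch: 'Double', fromInt32: Math.fround, fromUint32: Math.fround, fromDouble: Math.fround },
  Float64Array:      { dispatch: 'Double', fromInt32: v => v, fromUint32: v => v, fromDouble: v => v },
};

// Source::convertTo<Target>(v): the source picks the widened form, the target narrows.
function convertTo(sourceType, targetType, v) {
  return adaptors[targetType]['from' + adaptors[sourceType].dispatch](v);
}

// Spec-literal set(): convert every source element into a transfer buffer first, so
// a source that aliases the target's ArrayBuffer is never read after being overwritten.
function referenceSet(target, source, offset = 0) {
  if (offset < 0 || source.length + offset > target.length) throw new RangeError('offset out of bounds');
  const transfer = Array.from(source, v => convertTo(source.constructor.name, target.constructor.name, v));
  for (let i = 0; i < transfer.length; i++) target[offset + i] = transfer[i];
  return target;
}

// The naive in-place loop the transfer buffer exists to avoid.
function naiveSet(target, source, offset = 0) {
  for (let i = 0; i < source.length; i++) target[offset + i] = source[i];
  return target;
}

// Constructed inputs covering wrap-around, clamping, NaN/Infinity and rounding ties.
const SAMPLE = [1.5, -1.5, 300.7, -129.2, NaN, Infinity, 2 ** 32 + 3, 254.5, 255.5, 0.5, 2.5];
const TARGETS = ['Int8Array', 'Int16Array', 'Int32Array', 'Uint8Array', 'Uint16Array',
                 'Uint32Array', 'Uint8ClampedArray', 'Float32Array', 'Float64Array'];

// Returns [target, index, engineValue, referenceValue] for every disagreement; expected empty.
function engineMismatches() {
  const src = Float64Array.from(SAMPLE);
  const out = [];
  for (const name of TARGETS) {
    const engine = new globalThis[name](src.length);
    engine.set(src);
    const ref = referenceSet(new globalThis[name](src.length), src);
    for (let i = 0; i < src.length; i++)
      if (!Object.is(engine[i], ref[i])) out.push([name, i, engine[i], ref[i]]);
  }
  return out;
}

// Widening copy over one ArrayBuffer: the first four bytes become the four Uint16 lanes.
function overlapCase(setImpl) {
  const bytes = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
  const u16 = new Uint16Array(bytes.buffer);
  setImpl(u16, bytes.subarray(0, 4));
  return Array.from(u16);
}
```

referenceSet and the engine both produce [1, 2, 3, 4] for overlapCase; naiveSet writes the first lane and then reads source bytes it has just clobbered, so it does not. The conversion table is where the security-relevant detail lives: every integral narrowing goes through ToInt32 first, so a double such as 2^32 + 3 lands on 3, not on a saturated or out-of-range value.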
1426 2013-08-23  Alex Christensen  <achristensen@apple.com>
1427
1428         Re-separating Win32 and Win64 builds.
1429         https://bugs.webkit.org/show_bug.cgi?id=120178
1430
1431         Reviewed by Brent Fulgham.
1432
1433         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1434         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1435         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1436         Pass PlatformArchitecture as a command line parameter to bash scripts.
1437         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1438         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1439         * JavaScriptCore.vcxproj/build-generated-files.sh:
1440         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1441
1442 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1443
1444         build-jsc --ftl-jit should work
1445         https://bugs.webkit.org/show_bug.cgi?id=120194
1446
1447         Reviewed by Oliver Hunt.
1448
1449         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
1450         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
1451         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
1452         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
1453         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1454         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1455
1456 2013-08-23  Oliver Hunt  <oliver@apple.com>
1457
1458         Re-sort xcode project file
1459
1460         * JavaScriptCore.xcodeproj/project.pbxproj:
1461
1462 2013-08-23  Oliver Hunt  <oliver@apple.com>
1463
1464         Support in memory compression of rarely used data
1465         https://bugs.webkit.org/show_bug.cgi?id=120143
1466
1467         Reviewed by Gavin Barraclough.
1468
1469         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
1470
1471         * Configurations/JavaScriptCore.xcconfig:
1472         * bytecode/UnlinkedCodeBlock.cpp:
1473         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
1474         (JSC::UnlinkedCodeBlock::addExpressionInfo):
1475         * bytecode/UnlinkedCodeBlock.h:
1476
1477 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
1478
1479         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
1480         https://bugs.webkit.org/show_bug.cgi?id=120179
1481
1482         Reviewed by Geoffrey Garen.
1483
1484         There are many places in the code for JSObject and JSArray where they are manipulating their 
1485         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
1486         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
1487         like it will make this dance even more intricate. To make everybody's lives easier we should use 
1488         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
1489         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
1490         should not incur any additional overhead.
1491
1492         * heap/Heap.h:
1493         * runtime/JSArray.cpp:
1494         (JSC::JSArray::unshiftCountSlowCase):
1495         * runtime/JSObject.cpp:
1496         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1497         (JSC::JSObject::createInitialUndecided):
1498         (JSC::JSObject::createInitialInt32):
1499         (JSC::JSObject::createInitialDouble):
1500         (JSC::JSObject::createInitialContiguous):
1501         (JSC::JSObject::createArrayStorage):
1502         (JSC::JSObject::convertUndecidedToArrayStorage):
1503         (JSC::JSObject::convertInt32ToArrayStorage):
1504         (JSC::JSObject::convertDoubleToArrayStorage):
1505         (JSC::JSObject::convertContiguousToArrayStorage):
1506         (JSC::JSObject::increaseVectorLength):
1507         (JSC::JSObject::ensureLengthSlow):
1508         * runtime/JSObject.h:
1509         (JSC::JSObject::putDirectInternal):
1510         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1511         (JSC::JSObject::putDirectWithoutTransition):
1512
1513 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1514
1515         Update LLVM binary drops and scripts to the latest version from SVN
1516         https://bugs.webkit.org/show_bug.cgi?id=120184
1517
1518         Reviewed by Mark Hahnenberg.
1519
1520         * dfg/DFGPlan.cpp:
1521         (JSC::DFG::Plan::compileInThreadImpl):
1522
1523 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1524
1525         Don't leak registers for redeclared variables
1526         https://bugs.webkit.org/show_bug.cgi?id=120174
1527
1528         Reviewed by Geoff Garen.
1529
1530         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
1531         Only allocate new registers when necessary.
1532
1533         No performance impact.
1534
1535         * interpreter/Interpreter.cpp:
1536         (JSC::Interpreter::execute):
1537         * runtime/Executable.cpp:
1538         (JSC::ProgramExecutable::initializeGlobalProperties):
1539             - Don't allocate the register here.
1540         * runtime/JSGlobalObject.cpp:
1541         (JSC::JSGlobalObject::addGlobalVar):
1542             - Allocate the register here instead.
1543
1544 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1545
1546         https://bugs.webkit.org/show_bug.cgi?id=120128
1547         Remove putDirectVirtual
1548
1549         Unreviewed, checked in commented out code. :-(
1550
1551         * interpreter/Interpreter.cpp:
1552         (JSC::Interpreter::execute):
1553             - delete commented out code
1554
1555 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1556
1557         Error.stack should not be enumerable
1558         https://bugs.webkit.org/show_bug.cgi?id=120171
1559
1560         Reviewed by Oliver Hunt.
1561
1562         Breaks ECMA tests.
1563
1564         * runtime/ErrorInstance.cpp:
1565         (JSC::ErrorInstance::finishCreation):
1566             - None -> DontEnum
1567
1568 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1569
1570         https://bugs.webkit.org/show_bug.cgi?id=120128
1571         Remove putDirectVirtual
1572
1573         Reviewed by Sam Weinig.
1574
1575         This could most generously be described as 'vestigial'.
1576         No performance impact.
1577
1578         * API/JSObjectRef.cpp:
1579         (JSObjectSetProperty):
1580             - changed to use defineOwnProperty
1581         * debugger/DebuggerActivation.cpp:
1582         * debugger/DebuggerActivation.h:
1583             - remove putDirectVirtual
1584         * interpreter/Interpreter.cpp:
1585         (JSC::Interpreter::execute):
1586             - changed to use defineOwnProperty
1587         * runtime/ClassInfo.h:
1588         * runtime/JSActivation.cpp:
1589         * runtime/JSActivation.h:
1590         * runtime/JSCell.cpp:
1591         * runtime/JSCell.h:
1592         * runtime/JSGlobalObject.cpp:
1593         * runtime/JSGlobalObject.h:
1594         * runtime/JSObject.cpp:
1595         * runtime/JSObject.h:
1596         * runtime/JSProxy.cpp:
1597         * runtime/JSProxy.h:
1598         * runtime/JSSymbolTableObject.cpp:
1599         * runtime/JSSymbolTableObject.h:
1600             - remove putDirectVirtual
1601         * runtime/PropertyDescriptor.h:
1602         (JSC::PropertyDescriptor::PropertyDescriptor):
1603             - added constructor for convenience
1604
1605 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
1606
1607         errorDescriptionForValue() should not assume error value is an Object
1608         https://bugs.webkit.org/show_bug.cgi?id=119812
1609
1610         Reviewed by Geoffrey Garen.
1611
1612         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
1613         has no type, the function now returns the empty string.

1614         * runtime/ExceptionHelpers.cpp:
1615         (JSC::errorDescriptionForValue):
1616
1617 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
1618
1619         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1620         https://bugs.webkit.org/show_bug.cgi?id=120107
1621
1622         Reviewed by Yong Li.
1623
1624         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1625
1626         * dfg/DFGSpeculativeJIT.h:
1627         (JSC::DFG::SpeculativeJIT::callOperation):
1628
1629 2013-08-21  Commit Queue  <commit-queue@webkit.org>
1630
1631         Unreviewed, rolling out r154416.
1632         http://trac.webkit.org/changeset/154416
1633         https://bugs.webkit.org/show_bug.cgi?id=120147
1634
1635         Broke Windows builds (Requested by rniwa on #webkit).
1636
1637         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1638         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1639         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1640         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1641         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1642         * JavaScriptCore.vcxproj/build-generated-files.sh:
1643
1644 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1645
1646         Clarify var/const/function declaration
1647         https://bugs.webkit.org/show_bug.cgi?id=120144
1648
1649         Reviewed by Sam Weinig.
1650
1651         Add methods to JSGlobalObject to declare vars, consts, and functions.
1652
1653         * runtime/Executable.cpp:
1654         (JSC::ProgramExecutable::initializeGlobalProperties):
1655         * runtime/Executable.h:
1656             - Moved declaration code to JSGlobalObject
1657         * runtime/JSGlobalObject.cpp:
1658         (JSC::JSGlobalObject::addGlobalVar):
1659             - internal implementation of addVar, addConst, addFunction
1660         * runtime/JSGlobalObject.h:
1661         (JSC::JSGlobalObject::addVar):
1662         (JSC::JSGlobalObject::addConst):
1663         (JSC::JSGlobalObject::addFunction):
1664             - Added methods to declare vars, consts, and functions
1665
1666 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
1667
1668         https://bugs.webkit.org/show_bug.cgi?id=119900
1669         Exception in global setter doesn't unwind correctly
1670
1671         Reviewed by Geoffrey Garen.
1672
1673         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
1674
1675         * jit/JITStubs.cpp:
1676         (JSC::DEFINE_STUB_FUNCTION):
1677
1678 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1679
1680         Rename/refactor setButterfly/setStructure
1681         https://bugs.webkit.org/show_bug.cgi?id=120138
1682
1683         Reviewed by Geoffrey Garen.
1684
1685         setButterfly becomes setStructureAndButterfly.
1686
1687         Also removed the Butterfly* argument from setStructure and just implicitly
1688         used m_butterfly internally since that's what every single client of setStructure
1689         was doing already.
1690
1691         * jit/JITStubs.cpp:
1692         (JSC::DEFINE_STUB_FUNCTION):
1693         * runtime/JSObject.cpp:
1694         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1695         (JSC::JSObject::createInitialUndecided):
1696         (JSC::JSObject::createInitialInt32):
1697         (JSC::JSObject::createInitialDouble):
1698         (JSC::JSObject::createInitialContiguous):
1699         (JSC::JSObject::createArrayStorage):
1700         (JSC::JSObject::convertUndecidedToInt32):
1701         (JSC::JSObject::convertUndecidedToDouble):
1702         (JSC::JSObject::convertUndecidedToContiguous):
1703         (JSC::JSObject::convertUndecidedToArrayStorage):
1704         (JSC::JSObject::convertInt32ToDouble):
1705         (JSC::JSObject::convertInt32ToContiguous):
1706         (JSC::JSObject::convertInt32ToArrayStorage):
1707         (JSC::JSObject::genericConvertDoubleToContiguous):
1708         (JSC::JSObject::convertDoubleToArrayStorage):
1709         (JSC::JSObject::convertContiguousToArrayStorage):
1710         (JSC::JSObject::switchToSlowPutArrayStorage):
1711         (JSC::JSObject::setPrototype):
1712         (JSC::JSObject::putDirectAccessor):
1713         (JSC::JSObject::seal):
1714         (JSC::JSObject::freeze):
1715         (JSC::JSObject::preventExtensions):
1716         (JSC::JSObject::reifyStaticFunctionsForDelete):
1717         (JSC::JSObject::removeDirect):
1718         * runtime/JSObject.h:
1719         (JSC::JSObject::setStructureAndButterfly):
1720         (JSC::JSObject::setStructure):
1721         (JSC::JSObject::putDirectInternal):
1722         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1723         (JSC::JSObject::putDirectWithoutTransition):
1724         * runtime/Structure.cpp:
1725         (JSC::Structure::flattenDictionaryStructure):
1726
1727 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1728
1729         https://bugs.webkit.org/show_bug.cgi?id=120127
1730         Remove JSObject::propertyIsEnumerable
1731
1732         Unreviewed typo fix
1733
1734         * runtime/JSObject.h:
1735             - fix typo
1736
1737 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1738
1739         https://bugs.webkit.org/show_bug.cgi?id=120139
1740         PropertyDescriptor argument to define methods should be const
1741
1742         Rubber stamped by Sam Weinig.
1743
1744         This should never be modified, and this way we can use rvalues.
1745
1746         * debugger/DebuggerActivation.cpp:
1747         (JSC::DebuggerActivation::defineOwnProperty):
1748         * debugger/DebuggerActivation.h:
1749         * runtime/Arguments.cpp:
1750         (JSC::Arguments::defineOwnProperty):
1751         * runtime/Arguments.h:
1752         * runtime/ClassInfo.h:
1753         * runtime/JSArray.cpp:
1754         (JSC::JSArray::defineOwnProperty):
1755         * runtime/JSArray.h:
1756         * runtime/JSArrayBuffer.cpp:
1757         (JSC::JSArrayBuffer::defineOwnProperty):
1758         * runtime/JSArrayBuffer.h:
1759         * runtime/JSArrayBufferView.cpp:
1760         (JSC::JSArrayBufferView::defineOwnProperty):
1761         * runtime/JSArrayBufferView.h:
1762         * runtime/JSCell.cpp:
1763         (JSC::JSCell::defineOwnProperty):
1764         * runtime/JSCell.h:
1765         * runtime/JSFunction.cpp:
1766         (JSC::JSFunction::defineOwnProperty):
1767         * runtime/JSFunction.h:
1768         * runtime/JSGenericTypedArrayView.h:
1769         * runtime/JSGenericTypedArrayViewInlines.h:
1770         (JSC::::defineOwnProperty):
1771         * runtime/JSGlobalObject.cpp:
1772         (JSC::JSGlobalObject::defineOwnProperty):
1773         * runtime/JSGlobalObject.h:
1774         * runtime/JSObject.cpp:
1775         (JSC::JSObject::putIndexedDescriptor):
1776         (JSC::JSObject::defineOwnIndexedProperty):
1777         (JSC::putDescriptor):
1778         (JSC::JSObject::defineOwnNonIndexProperty):
1779         (JSC::JSObject::defineOwnProperty):
1780         * runtime/JSObject.h:
1781         * runtime/JSProxy.cpp:
1782         (JSC::JSProxy::defineOwnProperty):
1783         * runtime/JSProxy.h:
1784         * runtime/RegExpMatchesArray.h:
1785         (JSC::RegExpMatchesArray::defineOwnProperty):
1786         * runtime/RegExpObject.cpp:
1787         (JSC::RegExpObject::defineOwnProperty):
1788         * runtime/RegExpObject.h:
1789         * runtime/StringObject.cpp:
1790         (JSC::StringObject::defineOwnProperty):
1791         * runtime/StringObject.h:
1792             - make PropertyDescriptor const
1793
1794 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1795
1796         REGRESSION: Crash under JITCompiler::link while loading Gmail
1797         https://bugs.webkit.org/show_bug.cgi?id=119872
1798
1799         Reviewed by Mark Hahnenberg.
1800         
1801         Apparently, unsigned + signed = unsigned. Work around it with a cast.
1802
1803         * dfg/DFGByteCodeParser.cpp:
1804         (JSC::DFG::ByteCodeParser::parseBlock):
1805
1806 2013-08-21  Alex Christensen  <achristensen@apple.com>
1807
1808         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1809
1810         Reviewed by Brent Fulgham.
1811
1812         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1813         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1814         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1815         Pass PlatformArchitecture as a command line parameter to bash scripts.
1816         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1817         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1818         * JavaScriptCore.vcxproj/build-generated-files.sh:
1819         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1820
1821 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1822
1823         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1824         https://bugs.webkit.org/show_bug.cgi?id=120099
1825
1826         Reviewed by Mark Hahnenberg.
1827         
1828         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1829         JSDataView may have ordinary JS indexed properties.
1830
1831         * runtime/ClassInfo.h:
1832         * runtime/JSArrayBufferView.cpp:
1833         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1834         (JSC::JSArrayBufferView::finishCreation):
1835         * runtime/JSArrayBufferView.h:
1836         (JSC::hasArrayBuffer):
1837         * runtime/JSArrayBufferViewInlines.h:
1838         (JSC::JSArrayBufferView::buffer):
1839         (JSC::JSArrayBufferView::neuter):
1840         (JSC::JSArrayBufferView::byteOffset):
1841         * runtime/JSCell.cpp:
1842         (JSC::JSCell::slowDownAndWasteMemory):
1843         * runtime/JSCell.h:
1844         * runtime/JSDataView.cpp:
1845         (JSC::JSDataView::JSDataView):
1846         (JSC::JSDataView::create):
1847         (JSC::JSDataView::slowDownAndWasteMemory):
1848         * runtime/JSDataView.h:
1849         (JSC::JSDataView::buffer):
1850         * runtime/JSGenericTypedArrayView.h:
1851         * runtime/JSGenericTypedArrayViewInlines.h:
1852         (JSC::::visitChildren):
1853         (JSC::::slowDownAndWasteMemory):
1854
1855 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1856
1857         Remove incorrect ASSERT from CopyVisitor::visitItem
1858
1859         Rubber stamped by Filip Pizlo.
1860
1861         * heap/CopyVisitorInlines.h:
1862         (JSC::CopyVisitor::visitItem):
1863
1864 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1865
1866         https://bugs.webkit.org/show_bug.cgi?id=120127
1867         Remove JSObject::propertyIsEnumerable
1868
1869         Reviewed by Sam Weinig.
1870
1871         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1872
1873         * runtime/JSObject.cpp:
1874         * runtime/JSObject.h:
1875             - remove propertyIsEnumerable
1876         * runtime/ObjectPrototype.cpp:
1877         (JSC::objectProtoFuncPropertyIsEnumerable):
1878             - Move implementation here using getOwnPropertyDescriptor directly.
1879
1880 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
1881
1882         DFG should inline new typedArray()
1883         https://bugs.webkit.org/show_bug.cgi?id=120022
1884
1885         Reviewed by Oliver Hunt.
1886         
1887         Adds inlining of typed array allocations in the DFG. Any operation of the
1888         form:
1889         
1890             new foo(blah)
1891         
1892         or:
1893         
1894             foo(blah)
1895         
1896         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1897         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1898         is predicted integer, we generate inline code for an allocation. Otherwise
1899         it turns into a call to an operation that behaves like the constructor would
1900         if it was passed one argument (i.e. it may wrap a buffer or it may create a
1901         copy of another array, or it may allocate an array of that length).
1902
1903         * bytecode/SpeculatedType.cpp:
1904         (JSC::speculationFromTypedArrayType):
1905         (JSC::speculationFromClassInfo):
1906         * bytecode/SpeculatedType.h:
1907         * dfg/DFGAbstractInterpreterInlines.h:
1908         (JSC::DFG::::executeEffects):
1909         * dfg/DFGBackwardsPropagationPhase.cpp:
1910         (JSC::DFG::BackwardsPropagationPhase::propagate):
1911         * dfg/DFGByteCodeParser.cpp:
1912         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1913         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1914         * dfg/DFGCCallHelpers.h:
1915         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1916         * dfg/DFGCSEPhase.cpp:
1917         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1918         * dfg/DFGClobberize.h:
1919         (JSC::DFG::clobberize):
1920         * dfg/DFGFixupPhase.cpp:
1921         (JSC::DFG::FixupPhase::fixupNode):
1922         * dfg/DFGGraph.cpp:
1923         (JSC::DFG::Graph::dump):
1924         * dfg/DFGNode.h:
1925         (JSC::DFG::Node::hasTypedArrayType):
1926         (JSC::DFG::Node::typedArrayType):
1927         * dfg/DFGNodeType.h:
1928         * dfg/DFGOperations.cpp:
1929         (JSC::DFG::newTypedArrayWithSize):
1930         (JSC::DFG::newTypedArrayWithOneArgument):
1931         * dfg/DFGOperations.h:
1932         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1933         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1934         * dfg/DFGPredictionPropagationPhase.cpp:
1935         (JSC::DFG::PredictionPropagationPhase::propagate):
1936         * dfg/DFGSafeToExecute.h:
1937         (JSC::DFG::safeToExecute):
1938         * dfg/DFGSpeculativeJIT.cpp:
1939         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1940         * dfg/DFGSpeculativeJIT.h:
1941         (JSC::DFG::SpeculativeJIT::callOperation):
1942         * dfg/DFGSpeculativeJIT32_64.cpp:
1943         (JSC::DFG::SpeculativeJIT::compile):
1944         * dfg/DFGSpeculativeJIT64.cpp:
1945         (JSC::DFG::SpeculativeJIT::compile):
1946         * jit/JITOpcodes.cpp:
1947         (JSC::JIT::emit_op_new_object):
1948         * jit/JITOpcodes32_64.cpp:
1949         (JSC::JIT::emit_op_new_object):
1950         * runtime/JSArray.h:
1951         (JSC::JSArray::allocationSize):
1952         * runtime/JSArrayBufferView.h:
1953         (JSC::JSArrayBufferView::allocationSize):
1954         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1955         (JSC::constructGenericTypedArrayView):
1956         * runtime/JSObject.h:
1957         (JSC::JSFinalObject::allocationSize):
1958         * runtime/TypedArrayType.cpp:
1959         (JSC::constructorClassInfoForType):
1960         * runtime/TypedArrayType.h:
1961         (JSC::indexToTypedArrayType):
1962
1963 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
1964
1965         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
1966
1967         Reviewed by Geoffrey Garen.
1968
1969         * dfg/DFGOperations.h:
1970
1971 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1972
1973         https://bugs.webkit.org/show_bug.cgi?id=120093
1974         Remove getOwnPropertyDescriptor trap
1975
1976         Reviewed by Geoff Garen.
1977
1978         All implementations of this method are now called via the method table, and equivalent in behaviour.
1979         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
1980
1981         * API/JSCallbackObject.h:
1982         * API/JSCallbackObjectFunctions.h:
1983         * debugger/DebuggerActivation.cpp:
1984         * debugger/DebuggerActivation.h:
1985         * runtime/Arguments.cpp:
1986         * runtime/Arguments.h:
1987         * runtime/ArrayConstructor.cpp:
1988         * runtime/ArrayConstructor.h:
1989         * runtime/ArrayPrototype.cpp:
1990         * runtime/ArrayPrototype.h:
1991         * runtime/BooleanPrototype.cpp:
1992         * runtime/BooleanPrototype.h:
1993             - remove getOwnPropertyDescriptor
1994         * runtime/ClassInfo.h:
1995             - remove getOwnPropertyDescriptor from MethodTable
1996         * runtime/DateConstructor.cpp:
1997         * runtime/DateConstructor.h:
1998         * runtime/DatePrototype.cpp:
1999         * runtime/DatePrototype.h:
2000         * runtime/ErrorPrototype.cpp:
2001         * runtime/ErrorPrototype.h:
2002         * runtime/JSActivation.cpp:
2003         * runtime/JSActivation.h:
2004         * runtime/JSArray.cpp:
2005         * runtime/JSArray.h:
2006         * runtime/JSArrayBuffer.cpp:
2007         * runtime/JSArrayBuffer.h:
2008         * runtime/JSArrayBufferView.cpp:
2009         * runtime/JSArrayBufferView.h:
2010         * runtime/JSCell.cpp:
2011         * runtime/JSCell.h:
2012         * runtime/JSDataView.cpp:
2013         * runtime/JSDataView.h:
2014         * runtime/JSDataViewPrototype.cpp:
2015         * runtime/JSDataViewPrototype.h:
2016         * runtime/JSFunction.cpp:
2017         * runtime/JSFunction.h:
2018         * runtime/JSGenericTypedArrayView.h:
2019         * runtime/JSGenericTypedArrayViewInlines.h:
2020         * runtime/JSGlobalObject.cpp:
2021         * runtime/JSGlobalObject.h:
2022         * runtime/JSNotAnObject.cpp:
2023         * runtime/JSNotAnObject.h:
2024         * runtime/JSONObject.cpp:
2025         * runtime/JSONObject.h:
2026             - remove getOwnPropertyDescriptor
2027         * runtime/JSObject.cpp:
2028         (JSC::JSObject::propertyIsEnumerable):
2029             - switch to call new getOwnPropertyDescriptor member function
2030         (JSC::JSObject::getOwnPropertyDescriptor):
2031             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2032         (JSC::JSObject::defineOwnNonIndexProperty):
2033             - switch to call new getOwnPropertyDescriptor member function
2034         * runtime/JSObject.h:
2035         * runtime/JSProxy.cpp:
2036         * runtime/JSProxy.h:
2037         * runtime/NamePrototype.cpp:
2038         * runtime/NamePrototype.h:
2039         * runtime/NumberConstructor.cpp:
2040         * runtime/NumberConstructor.h:
2041         * runtime/NumberPrototype.cpp:
2042         * runtime/NumberPrototype.h:
2043             - remove getOwnPropertyDescriptor
2044         * runtime/ObjectConstructor.cpp:
2045         (JSC::objectConstructorGetOwnPropertyDescriptor):
2046         (JSC::objectConstructorSeal):
2047         (JSC::objectConstructorFreeze):
2048         (JSC::objectConstructorIsSealed):
2049         (JSC::objectConstructorIsFrozen):
2050             - switch to call new getOwnPropertyDescriptor member function
2051         * runtime/ObjectConstructor.h:
2052             - remove getOwnPropertyDescriptor
2053         * runtime/PropertyDescriptor.h:
2054             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2055         * runtime/RegExpConstructor.cpp:
2056         * runtime/RegExpConstructor.h:
2057         * runtime/RegExpMatchesArray.cpp:
2058         * runtime/RegExpMatchesArray.h:
2059         * runtime/RegExpObject.cpp:
2060         * runtime/RegExpObject.h:
2061         * runtime/RegExpPrototype.cpp:
2062         * runtime/RegExpPrototype.h:
2063         * runtime/StringConstructor.cpp:
2064         * runtime/StringConstructor.h:
2065         * runtime/StringObject.cpp:
2066         * runtime/StringObject.h:
2067             - remove getOwnPropertyDescriptor
2068
2069 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2070
2071         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
2072
2073         Reviewed by Oliver Hunt.
2074
2075         When we flatten an object in dictionary mode, we compact its properties. If the object 
2076         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
2077         compaction its properties fit inline, the object's Structure "forgets" that the object 
2078         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
2079         with bytes = 0, which causes all sorts of badness in CopiedSpace.
2080
2081         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
2082         Butterfly pointer so that the GC doesn't get confused later.
2083
2084         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
2085         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
2086         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
2087         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
2088
2089         * heap/SlotVisitorInlines.h:
2090         (JSC::SlotVisitor::copyLater):
2091         * runtime/JSObject.cpp:
2092         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2093         (JSC::JSObject::convertUndecidedToInt32):
2094         (JSC::JSObject::convertUndecidedToDouble):
2095         (JSC::JSObject::convertUndecidedToContiguous):
2096         (JSC::JSObject::convertInt32ToDouble):
2097         (JSC::JSObject::convertInt32ToContiguous):
2098         (JSC::JSObject::genericConvertDoubleToContiguous):
2099         (JSC::JSObject::switchToSlowPutArrayStorage):
2100         (JSC::JSObject::setPrototype):
2101         (JSC::JSObject::putDirectAccessor):
2102         (JSC::JSObject::seal):
2103         (JSC::JSObject::freeze):
2104         (JSC::JSObject::preventExtensions):
2105         (JSC::JSObject::reifyStaticFunctionsForDelete):
2106         (JSC::JSObject::removeDirect):
2107         * runtime/JSObject.h:
2108         (JSC::JSObject::setButterfly):
2109         (JSC::JSObject::putDirectInternal):
2110         (JSC::JSObject::setStructure):
2111         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2112         * runtime/Structure.cpp:
2113         (JSC::Structure::flattenDictionaryStructure):
2114
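The entry above describes an invariant (the Structure's expectation of out-of-line storage must match the object's Butterfly pointer) and what goes wrong for the collector when it is violated. The following toy model is an added example, not JavaScriptCore code: ToyStructure, ToyObject, flattenDictionary, gcWouldReportZeroBytes and flattenAndInspect are names assumed here only. Passing clearButterfly = false reproduces the pre-fix behaviour; passing true applies the fix the entry describes.

```cpp
// Added example (not JavaScriptCore code): a toy model of the invariant that
// the entry above restores. ToyStructure, ToyObject, flattenDictionary and
// gcWouldReportZeroBytes are names assumed for this example only.
#include <cstddef>
#include <vector>

static const size_t inlineCapacity = 4;   // properties that fit in the object itself

struct ToyStructure {
    size_t propertyCount = 0;              // live properties after compaction
    // The structure's belief about storage: more than inlineCapacity properties
    // means the object must own out-of-line ("butterfly") storage.
    bool expectsButterfly() const { return propertyCount > inlineCapacity; }
};

struct ToyObject {
    ToyStructure structure;
    std::vector<int> inlineProperties;     // a 0 entry models a deleted property
    std::vector<int>* butterfly = nullptr; // out-of-line storage, may be absent

    // Analogue of the checkStructure ASSERT: the structure's expectation and the
    // actual pointer must agree, otherwise the GC will be misled.
    bool structureAgreesWithButterfly() const
    {
        return structure.expectsButterfly() == (butterfly != nullptr);
    }
};

// Analogue of the GC visiting the butterfly: a non-null pointer to an empty
// region would make the visitor report zero live bytes, the corruption case.
bool gcWouldReportZeroBytes(const ToyObject& object)
{
    return object.butterfly != nullptr && object.butterfly->empty();
}

// Compact the properties (drop deleted ones) and, if the survivors fit inline,
// move them inline. With clearButterfly == false this reproduces the pre-fix
// behaviour: the structure forgets the butterfly but the pointer stays set.
void flattenDictionary(ToyObject& object, bool clearButterfly)
{
    std::vector<int> live;
    for (int v : object.inlineProperties)
        if (v) live.push_back(v);
    if (object.butterfly)
        for (int v : *object.butterfly)
            if (v) live.push_back(v);

    object.structure.propertyCount = live.size();
    if (live.size() <= inlineCapacity) {
        object.inlineProperties = live;
        if (object.butterfly) {
            object.butterfly->clear();
            if (clearButterfly) {
                delete object.butterfly;
                object.butterfly = nullptr;   // the fix: no out-of-line storage, no pointer
            }
        }
        return;
    }
    object.inlineProperties.assign(live.begin(), live.begin() + inlineCapacity);
    if (!object.butterfly)
        object.butterfly = new std::vector<int>();
    object.butterfly->assign(live.begin() + inlineCapacity, live.end());
}

struct FlattenOutcome {
    bool invariantHolds;        // structure and butterfly pointer agree
    bool gcSeesZeroByteRegion;  // the situation the entry above describes
};

// Scenario (constructed): six properties (four inline, two out of line), three
// of them deleted, then flattened. Returns what the GC would observe afterwards.
FlattenOutcome flattenAndInspect(bool clearButterfly)
{
    ToyObject object;
    object.inlineProperties = { 1, 2, 3, 4 };
    object.butterfly = new std::vector<int>{ 5, 6 };
    object.structure.propertyCount = 6;
    object.inlineProperties[1] = 0;        // delete three properties
    object.inlineProperties[3] = 0;
    (*object.butterfly)[0] = 0;

    flattenDictionary(object, clearButterfly);
    FlattenOutcome outcome { object.structureAgreesWithButterfly(), gcWouldReportZeroBytes(object) };
    delete object.butterfly;               // no-op when the pointer was cleared
    return outcome;
}
```

With clearButterfly = false the compacted object has three properties, so the structure no longer expects a butterfly, yet the pointer is still set and points at an empty region: the invariant check fails and the collector would be handed a zero-byte region. With clearButterfly = true both checks pass.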
2115 2013-08-20  Alex Christensen  <achristensen@apple.com>
2116
2117         Compile fix for Win64 after r154156.
2118
2119         Rubber stamped by Oliver Hunt.
2120
2121         * jit/JITStubsMSVC64.asm:
2122         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
2123         cti_vm_throw_slowpath to cti_vm_handle_exception.
2124
2125 2013-08-20  Alex Christensen  <achristensen@apple.com>
2126
2127         <https://webkit.org/b/120076> More work towards a Win64 build
2128
2129         Reviewed by Brent Fulgham.
2130
2131         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2132         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2133         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2134         * JavaScriptCore.vcxproj/copy-files.cmd:
2135         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2136         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
2137         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
2138
2139 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2140
2141         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2142
2143         Reviewed by Geoffrey Garen.
2144
2145         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
2146         initializeLazyWriteBarrierFor* wrapper functions more sane. 
2147
2148         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
2149         and index when triggering the WriteBarrier at the end of compilation. 
2150
2151         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
2152         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
2153         little extra work that really shouldn't have been its responsibility.
2154
2155         * dfg/DFGByteCodeParser.cpp:
2156         (JSC::DFG::ByteCodeParser::addConstant):
2157         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2158         * dfg/DFGDesiredWriteBarriers.cpp:
2159         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2160         (JSC::DFG::DesiredWriteBarrier::trigger):
2161         * dfg/DFGDesiredWriteBarriers.h:
2162         (JSC::DFG::DesiredWriteBarriers::add):
2163         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
2164         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
2165         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2166         * dfg/DFGFixupPhase.cpp:
2167         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2168         * dfg/DFGGraph.h:
2169         (JSC::DFG::Graph::constantRegisterForConstant):
2170
2171 2013-08-20  Michael Saboff  <msaboff@apple.com>
2172
2173         https://bugs.webkit.org/show_bug.cgi?id=120075
2174         REGRESSION (r128400): BBC4 website not displaying pictures
2175
2176         Reviewed by Oliver Hunt.
2177
2178         * runtime/RegExpMatchesArray.h:
2179         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
2180         so that the match results will be reified before any other modification to the results array.
2181
2182 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
2183
2184         Incorrect behavior on emscripten-compiled cube2hash
2185         https://bugs.webkit.org/show_bug.cgi?id=120033
2186
2187         Reviewed by Mark Hahnenberg.
2188         
2189         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
2190         then we should bail attempts to CSE.
2191
2192         * dfg/DFGCSEPhase.cpp:
2193         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
2194         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
2195
2196 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2197
2198         https://bugs.webkit.org/show_bug.cgi?id=120073
2199         Remove use of GOPD from JSFunction::defineProperty
2200
2201         Reviewed by Oliver Hunt.
2202
2203         Call getOwnPropertySlot to check for existing properties instead.
2204
2205         * runtime/JSFunction.cpp:
2206         (JSC::JSFunction::defineOwnProperty):
2207             - getOwnPropertyDescriptor -> getOwnPropertySlot
2208
2209 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2210
2211         https://bugs.webkit.org/show_bug.cgi?id=120067
2212         Remove getPropertyDescriptor
2213
2214         Reviewed by Oliver Hunt.
2215
2216         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
2217         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
2218
2219         * runtime/JSObject.cpp:
2220         * runtime/JSObject.h:
2221             - remove getPropertyDescriptor
2222         * runtime/ObjectPrototype.cpp:
2223         (JSC::objectProtoFuncLookupGetter):
2224         (JSC::objectProtoFuncLookupSetter):
2225             - replace call to getPropertyDescriptor with getPropertySlot
2226         * runtime/PropertyDescriptor.h:
2227         * runtime/PropertySlot.h:
2228         (JSC::PropertySlot::isAccessor):
2229         (JSC::PropertySlot::isCacheableGetter):
2230         (JSC::PropertySlot::getterSetter):
2231             - rename isGetter() to isAccessor()
2232
2233 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2234
2235         https://bugs.webkit.org/show_bug.cgi?id=120054
2236         Remove some dead code following getOwnPropertyDescriptor cleanup
2237
2238         Reviewed by Oliver Hunt.
2239
2240         * runtime/Lookup.h:
2241         (JSC::getStaticFunctionSlot):
2242             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
2243
2244 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2245
2246         https://bugs.webkit.org/show_bug.cgi?id=120052
2247         Remove custom getOwnPropertyDescriptor for JSProxy
2248
2249         Reviewed by Geoff Garen.
2250
2251         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
2252         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
2253         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
2254         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
2255         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
2256
2257         * runtime/JSProxy.cpp:
2258             - Remove custom getOwnPropertyDescriptor implementation.
2259         * runtime/PropertyDescriptor.h:
2260             - Modify own property access check to perform toThis conversion.
2261
2262 2013-08-20  Alex Christensen  <achristensen@apple.com>
2263
2264         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
2265         https://bugs.webkit.org/show_bug.cgi?id=119512
2266
2267         Reviewed by Brent Fulgham.
2268
2269         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2270         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2271         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2272         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
2273         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
2274         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
2275         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2276         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
2277
2278 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
2279
2280         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
2281
2282         Reviewed by Allan Sandfeld Jensen.
2283
2284         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
2285         instructions and two constants now that DFG is enabled for sh4 architecture.
2286         These missing ensureSpace calls lead to random crashes.
2287
2288         * assembler/MacroAssemblerSH4.h:
2289         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
2290
2291 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
2292
2293         https://bugs.webkit.org/show_bug.cgi?id=120034
2294         Remove custom getOwnPropertyDescriptor for global objects
2295
2296         Reviewed by Geoff Garen.
2297
2298         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
2299
2300         * runtime/JSGlobalObject.cpp:
2301             - Remove custom getOwnPropertyDescriptor implementation.
2302         * runtime/JSSymbolTableObject.h:
2303         (JSC::symbolTableGet):
2304             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
2305         * runtime/PropertyDescriptor.h:
2306             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
2307         * runtime/PropertySlot.h:
2308         (JSC::PropertySlot::setUndefined):
2309             - This is used by WebCore when blocking access to properties on cross-frame access.
2310               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
2311
2312 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2313
2314         DFG should inline typedArray.byteOffset
2315         https://bugs.webkit.org/show_bug.cgi?id=119962
2316
2317         Reviewed by Oliver Hunt.
2318         
2319         This adds a new node, GetTypedArrayByteOffset, which inlines
2320         typedArray.byteOffset.
2321         
2322         Also, I improved a bunch of the clobbering logic related to typed arrays
2323         and clobbering in general. For example, PutByOffset/PutStructure are not
2324         clobber-world so they can be handled by most default cases in CSE. Also,
2325         it's better to use the 'Class_field' notation for typed arrays now that
2326         they no longer involve magical descriptor thingies.
2327
2328         * bytecode/SpeculatedType.h:
2329         * dfg/DFGAbstractHeap.h:
2330         * dfg/DFGAbstractInterpreterInlines.h:
2331         (JSC::DFG::::executeEffects):
2332         * dfg/DFGArrayMode.h:
2333         (JSC::DFG::neverNeedsStorage):
2334         * dfg/DFGCSEPhase.cpp:
2335         (JSC::DFG::CSEPhase::getByValLoadElimination):
2336         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2337         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2338         (JSC::DFG::CSEPhase::checkArrayElimination):
2339         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
2340         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
2341         (JSC::DFG::CSEPhase::performNodeCSE):
2342         * dfg/DFGClobberize.h:
2343         (JSC::DFG::clobberize):
2344         * dfg/DFGFixupPhase.cpp:
2345         (JSC::DFG::FixupPhase::fixupNode):
2346         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2347         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2348         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2349         * dfg/DFGNodeType.h:
2350         * dfg/DFGPredictionPropagationPhase.cpp:
2351         (JSC::DFG::PredictionPropagationPhase::propagate):
2352         * dfg/DFGSafeToExecute.h:
2353         (JSC::DFG::safeToExecute):
2354         * dfg/DFGSpeculativeJIT.cpp:
2355         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2356         * dfg/DFGSpeculativeJIT.h:
2357         * dfg/DFGSpeculativeJIT32_64.cpp:
2358         (JSC::DFG::SpeculativeJIT::compile):
2359         * dfg/DFGSpeculativeJIT64.cpp:
2360         (JSC::DFG::SpeculativeJIT::compile):
2361         * dfg/DFGTypeCheckHoistingPhase.cpp:
2362         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2363         * runtime/ArrayBuffer.h:
2364         (JSC::ArrayBuffer::offsetOfData):
2365         * runtime/Butterfly.h:
2366         (JSC::Butterfly::offsetOfArrayBuffer):
2367         * runtime/IndexingHeader.h:
2368         (JSC::IndexingHeader::offsetOfArrayBuffer):
2369
2370 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
2371
2372         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
2373
2374         Reviewed by Geoffrey Garen.
2375
2376         * dfg/DFGByteCodeParser.cpp:
2377         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2378
2379 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2380
2381         https://bugs.webkit.org/show_bug.cgi?id=119995
2382         Start removing custom implementations of getOwnPropertyDescriptor
2383
2384         Reviewed by Oliver Hunt.
2385
2386         This can now typically be implemented in terms of getOwnPropertySlot.
2387         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
2388         Switch over most classes in JSC & the WebCore bindings generator to use this.
2389
2390         * API/JSCallbackObjectFunctions.h:
2391         * debugger/DebuggerActivation.cpp:
2392         * runtime/Arguments.cpp:
2393         * runtime/ArrayConstructor.cpp:
2394         * runtime/ArrayPrototype.cpp:
2395         * runtime/BooleanPrototype.cpp:
2396         * runtime/DateConstructor.cpp:
2397         * runtime/DatePrototype.cpp:
2398         * runtime/ErrorPrototype.cpp:
2399         * runtime/JSActivation.cpp:
2400         * runtime/JSArray.cpp:
2401         * runtime/JSArrayBuffer.cpp:
2402         * runtime/JSArrayBufferView.cpp:
2403         * runtime/JSCell.cpp:
2404         * runtime/JSDataView.cpp:
2405         * runtime/JSDataViewPrototype.cpp:
2406         * runtime/JSFunction.cpp:
2407         * runtime/JSGenericTypedArrayViewInlines.h:
2408         * runtime/JSNotAnObject.cpp:
2409         * runtime/JSONObject.cpp:
2410         * runtime/JSObject.cpp:
2411         * runtime/NamePrototype.cpp:
2412         * runtime/NumberConstructor.cpp:
2413         * runtime/NumberPrototype.cpp:
2414         * runtime/ObjectConstructor.cpp:
2415             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2416         * runtime/PropertyDescriptor.h:
2417             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
2418         * runtime/PropertySlot.h:
2419         (JSC::PropertySlot::isValue):
2420         (JSC::PropertySlot::isGetter):
2421         (JSC::PropertySlot::isCustom):
2422         (JSC::PropertySlot::isCacheableValue):
2423         (JSC::PropertySlot::isCacheableGetter):
2424         (JSC::PropertySlot::isCacheableCustom):
2425         (JSC::PropertySlot::attributes):
2426         (JSC::PropertySlot::getterSetter):
2427             - Add accessors necessary to convert PropertySlot to descriptor.
2428         * runtime/RegExpConstructor.cpp:
2429         * runtime/RegExpMatchesArray.cpp:
2430         * runtime/RegExpMatchesArray.h:
2431         * runtime/RegExpObject.cpp:
2432         * runtime/RegExpPrototype.cpp:
2433         * runtime/StringConstructor.cpp:
2434         * runtime/StringObject.cpp:
2435             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2436
2437 2013-08-19  Michael Saboff  <msaboff@apple.com>
2438
2439         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
2440
2441         Reviewed by Sam Weinig.
2442
2443         * dfg/DFGSpeculativeJIT32_64.cpp:
2444         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
2445         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
2446         all versions of fillSpeculateBoolean().
2447
2448 2013-08-19  Michael Saboff  <msaboff@apple.com>
2449
2450         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
2451
2452         Reviewed by Benjamin Poulain.
2453
2454         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
2455         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
2456
2457         * assembler/MacroAssemblerX86Common.h:
2458         (JSC::MacroAssemblerX86Common::branchTest32):
2459
2460 2013-08-16  Oliver Hunt  <oliver@apple.com>
2461
2462         <https://webkit.org/b/119860> Crash during exception unwinding
2463
2464         Reviewed by Filip Pizlo.
2465
2466         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
2467         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
2468
2469         We need this so that Throw and ThrowReferenceError no longer need to be treated as
2470         terminals and the subsequent flush keeps the activation (and other registers) live.
2471
2472         * dfg/DFGAbstractInterpreterInlines.h:
2473         (JSC::DFG::::executeEffects):
2474         * dfg/DFGByteCodeParser.cpp:
2475         (JSC::DFG::ByteCodeParser::parseBlock):
2476         * dfg/DFGClobberize.h:
2477         (JSC::DFG::clobberize):
2478         * dfg/DFGFixupPhase.cpp:
2479         (JSC::DFG::FixupPhase::fixupNode):
2480         * dfg/DFGNode.h:
2481         (JSC::DFG::Node::isTerminal):
2482         * dfg/DFGNodeType.h:
2483         * dfg/DFGPredictionPropagationPhase.cpp:
2484         (JSC::DFG::PredictionPropagationPhase::propagate):
2485         * dfg/DFGSafeToExecute.h:
2486         (JSC::DFG::safeToExecute):
2487         * dfg/DFGSpeculativeJIT32_64.cpp:
2488         (JSC::DFG::SpeculativeJIT::compile):
2489         * dfg/DFGSpeculativeJIT64.cpp:
2490         (JSC::DFG::SpeculativeJIT::compile):
2491
2492 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2493
2494         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
2495
2496         Reviewed by Oliver Hunt.
2497
2498         Guard the compilation of these files only if DFG_JIT is enabled.
2499
2500         * dfg/DFGDesiredTransitions.cpp:
2501         * dfg/DFGDesiredTransitions.h:
2502         * dfg/DFGDesiredWeakReferences.cpp:
2503         * dfg/DFGDesiredWeakReferences.h:
2504         * dfg/DFGDesiredWriteBarriers.cpp:
2505         * dfg/DFGDesiredWriteBarriers.h:
2506
2507 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2508
2509         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
2510         https://bugs.webkit.org/show_bug.cgi?id=119961
2511
2512         Reviewed by Mark Hahnenberg.
2513
2514         * dfg/DFGFixupPhase.cpp:
2515         (JSC::DFG::FixupPhase::fixupNode):
2516
2517 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2518
2519         https://bugs.webkit.org/show_bug.cgi?id=119972
2520         Add attributes field to PropertySlot
2521
2522         Reviewed by Geoff Garen.
2523
2524         For all JSC types, this makes getOwnPropertyDescriptor redundant.
2525         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
2526         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
2527
2528         No performance impact.
2529
2530         * runtime/PropertySlot.h:
2531         (JSC::PropertySlot::setValue):
2532         (JSC::PropertySlot::setCustom):
2533         (JSC::PropertySlot::setCacheableCustom):
2534         (JSC::PropertySlot::setCustomIndex):
2535         (JSC::PropertySlot::setGetterSlot):
2536         (JSC::PropertySlot::setCacheableGetterSlot):
2537             - These methods now all require 'attributes'.
2538         * runtime/JSObject.h:
2539         (JSC::JSObject::getDirect):
2540         (JSC::JSObject::getDirectOffset):
2541         (JSC::JSObject::inlineGetOwnPropertySlot):
2542             - Added variants of getDirect, getDirectOffset that return the attributes.
2543         * API/JSCallbackObjectFunctions.h:
2544         (JSC::::getOwnPropertySlot):
2545         * runtime/Arguments.cpp:
2546         (JSC::Arguments::getOwnPropertySlotByIndex):
2547         (JSC::Arguments::getOwnPropertySlot):
2548         * runtime/JSActivation.cpp:
2549         (JSC::JSActivation::symbolTableGet):
2550         (JSC::JSActivation::getOwnPropertySlot):
2551         * runtime/JSArray.cpp:
2552         (JSC::JSArray::getOwnPropertySlot):
2553         * runtime/JSArrayBuffer.cpp:
2554         (JSC::JSArrayBuffer::getOwnPropertySlot):
2555         * runtime/JSArrayBufferView.cpp:
2556         (JSC::JSArrayBufferView::getOwnPropertySlot):
2557         * runtime/JSDataView.cpp:
2558         (JSC::JSDataView::getOwnPropertySlot):
2559         * runtime/JSFunction.cpp:
2560         (JSC::JSFunction::getOwnPropertySlot):
2561         * runtime/JSGenericTypedArrayViewInlines.h:
2562         (JSC::::getOwnPropertySlot):
2563         (JSC::::getOwnPropertySlotByIndex):
2564         * runtime/JSObject.cpp:
2565         (JSC::JSObject::getOwnPropertySlotByIndex):
2566         (JSC::JSObject::fillGetterPropertySlot):
2567         * runtime/JSString.h:
2568         (JSC::JSString::getStringPropertySlot):
2569         * runtime/JSSymbolTableObject.h:
2570         (JSC::symbolTableGet):
2571         * runtime/Lookup.cpp:
2572         (JSC::setUpStaticFunctionSlot):
2573         * runtime/Lookup.h:
2574         (JSC::getStaticPropertySlot):
2575         (JSC::getStaticPropertyDescriptor):
2576         (JSC::getStaticValueSlot):
2577         (JSC::getStaticValueDescriptor):
2578         * runtime/RegExpObject.cpp:
2579         (JSC::RegExpObject::getOwnPropertySlot):
2580         * runtime/SparseArrayValueMap.cpp:
2581         (JSC::SparseArrayEntry::get):
2582             - Pass attributes to PropertySlot::set* methods.
2583
2584 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2585
2586         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2587
2588         Reviewed by Filip Pizlo.
2589
2590         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
2591         Vector of WriteBarriers rather than the specific address. The fact that we were 
2592         arbitrarily storing into a Vector's backing store for constants at the end of 
2593         compilation after the Vector could have resized was causing crashes.
2594
2595         * bytecode/CodeBlock.h:
2596         (JSC::CodeBlock::constants):
2597         (JSC::CodeBlock::addConstantLazily):
2598         * dfg/DFGByteCodeParser.cpp:
2599         (JSC::DFG::ByteCodeParser::addConstant):
2600         * dfg/DFGDesiredWriteBarriers.cpp:
2601         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2602         (JSC::DFG::DesiredWriteBarrier::trigger):
2603         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2604         * dfg/DFGDesiredWriteBarriers.h:
2605         (JSC::DFG::DesiredWriteBarriers::add):
2606         * dfg/DFGFixupPhase.cpp:
2607         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2608         * dfg/DFGGraph.h:
2609         (JSC::DFG::Graph::constantRegisterForConstant):
2610
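The crash described in the entry above is a dangling pointer into a growable vector: an address captured before the vector resized is written through afterwards. The following is an added example, not JavaScriptCore code, showing the address-based form beside the index-based form that the entry switches to; ConstantPool, DeferredWriteByAddress, DeferredWriteByIndex, poolReallocatedDuring, runDeferredWrites and deferredWriteSurvivesGrowth are names assumed here only.

```cpp
// Added example (not JavaScriptCore code): why a deferred write must record a
// position in a growable vector rather than an element address. All names
// below are assumptions for this example.
#include <cstddef>
#include <vector>

// Stand-in for a CodeBlock's constant pool, which keeps growing while
// compilation proceeds and is only written at the end of compilation.
using ConstantPool = std::vector<long>;

// Unsafe form: remembers &pool[i]. Any push_back that reallocates the backing
// store leaves `slot` dangling, so the eventual write goes to freed memory.
// It is shown for contrast only and is never triggered here.
struct DeferredWriteByAddress {
    long* slot;
    long value;
};

// Safe form: remembers (pool, index) and resolves the address at trigger time.
struct DeferredWriteByIndex {
    ConstantPool* pool;
    size_t index;
    long value;
};

// Grows the pool and reports whether its backing store moved, i.e. whether an
// address captured before the growth would now be invalid. Only data() pointers
// are compared; nothing that might dangle is dereferenced.
bool poolReallocatedDuring(ConstantPool& pool, size_t extraConstants)
{
    const long* before = pool.data();
    for (size_t i = 0; i < extraConstants; ++i)
        pool.push_back(0);
    return pool.data() != before;
}

// Triggers the index-based deferred writes once the pool has stopped growing;
// each write is resolved against the pool's current storage.
void runDeferredWrites(const std::vector<DeferredWriteByIndex>& writes)
{
    for (const DeferredWriteByIndex& w : writes)
        (*w.pool)[w.index] = w.value;
}

// Scenario (constructed): record a deferred write for constant 0, add many more
// constants so the pool reallocates, then trigger. Returns what constant 0 holds.
long deferredWriteSurvivesGrowth(size_t extraConstants)
{
    ConstantPool pool;
    pool.push_back(0);                               // the lazily initialised constant
    std::vector<DeferredWriteByIndex> pending { { &pool, 0, 42 } };
    poolReallocatedDuring(pool, extraConstants);     // more constants added during compilation
    runDeferredWrites(pending);
    return pool[0];
}
```

Because the index form re-derives the address from the vector at trigger time, the write lands in the live backing store regardless of how many reallocations happened in between; the address form has no way to learn that the store moved.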
2611 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2612
2613         DFG should optimize typedArray.byteLength
2614         https://bugs.webkit.org/show_bug.cgi?id=119909
2615
2616         Reviewed by Oliver Hunt.
2617         
2618         This adds typedArray.byteLength inlining to the DFG, and does so without changing
2619         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2620         legal since the byteLength of a typed array cannot exceed
2621         numeric_limits<int32_t>::max().
2622
2623         * bytecode/SpeculatedType.cpp:
2624         (JSC::typedArrayTypeFromSpeculation):
2625         * bytecode/SpeculatedType.h:
2626         * dfg/DFGArrayMode.cpp:
2627         (JSC::DFG::toArrayType):
2628         * dfg/DFGArrayMode.h:
2629         * dfg/DFGFixupPhase.cpp:
2630         (JSC::DFG::FixupPhase::fixupNode):
2631         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2632         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2633         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2634         (JSC::DFG::FixupPhase::prependGetArrayLength):
2635         * dfg/DFGGraph.h:
2636         (JSC::DFG::Graph::constantRegisterForConstant):
2637         (JSC::DFG::Graph::convertToConstant):
2638         * runtime/TypedArrayType.h:
2639         (JSC::logElementSize):
2640         (JSC::elementSize):
2641
2642 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2643
2644         DFG optimizes out strict mode arguments tear off
2645         https://bugs.webkit.org/show_bug.cgi?id=119504
2646
2647         Reviewed by Mark Hahnenberg and Oliver Hunt.
2648         
2649         Don't do the optimization for strict mode.
2650
2651         * dfg/DFGArgumentsSimplificationPhase.cpp:
2652         (JSC::DFG::ArgumentsSimplificationPhase::run):
2653         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2654
2655 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
2656
2657         [JSC] x86: improve code generation for xxxTest32
2658         https://bugs.webkit.org/show_bug.cgi?id=119876
2659
2660         Reviewed by Geoffrey Garen.
2661
2662         Try to use testb whenever possible when testing for an immediate value.
2663
2664         When the input is an address and an offset, we can tweak the mask
2665         and offset to be able to generate testb for any byte of the mask.
2666
2667         When the input is a register, we can use testb if we are only interested
2668         in testing the low bits.
2669
2670         * assembler/MacroAssemblerX86Common.h:
2671         (JSC::MacroAssemblerX86Common::branchTest32):
2672         (JSC::MacroAssemblerX86Common::test32):
2673         (JSC::MacroAssemblerX86Common::generateTest32):
2674
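The entry above (narrowing a 32-bit immediate test to testb) and the earlier r154207 follow-up (only the lower four registers have a plain low-byte encoding) together describe one decision procedure. The following is an added example, not JavaScriptCore code, modelling both halves of it; MemoryTestNarrowing, narrowTest32ForMemory and canNarrowTest32ForRegister are names assumed here only, and the register rule is stated for the 32-bit (no REX prefix) encoding.

```cpp
// Added example (not JavaScriptCore code): the two narrowing decisions an x86
// macro-assembler makes before emitting an 8-bit testb in place of a 32-bit
// test. MemoryTestNarrowing, narrowTest32ForMemory and
// canNarrowTest32ForRegister are names assumed for this example only.
#include <cstdint>

struct MemoryTestNarrowing {
    bool narrowed;    // false: the mask spans more than one byte, keep test32
    int32_t offset;   // displacement adjusted to point at the single tested byte
    uint8_t mask;     // 8-bit immediate for testb
};

// Memory operand (base register + offset): x86 is little-endian, so byte i of
// the 32-bit value lives at offset + i. If exactly one byte of the mask is
// non-zero, test just that byte with an adjusted displacement and 8-bit mask.
MemoryTestNarrowing narrowTest32ForMemory(int32_t offset, uint32_t mask)
{
    for (int byteIndex = 0; byteIndex < 4; ++byteIndex) {
        uint32_t byteMask = 0xffu << (8 * byteIndex);
        if (mask != 0 && (mask & byteMask) == mask) {
            return MemoryTestNarrowing {
                true,
                static_cast<int32_t>(offset + byteIndex),
                static_cast<uint8_t>(mask >> (8 * byteIndex))
            };
        }
    }
    return MemoryTestNarrowing { false, offset, 0 };
}

// Register operand. Register ids follow the encoding order eax=0, ecx=1, edx=2,
// ebx=3, esp=4, ebp=5, esi=6, edi=7. In the 32-bit (no REX prefix) encoding the
// byte-register numbers 4..7 do not mean "low byte of esp/ebp/esi/edi"; they
// select ah, ch, dh and bh, so a testb on those ids would test a different
// register. Narrowing is therefore only safe when the mask fits in the low byte
// and the register is one of the first four.
bool canNarrowTest32ForRegister(int registerId, uint32_t mask)
{
    bool maskFitsLowByte = mask != 0 && (mask & 0xffu) == mask;
    bool hasLowByteEncoding = registerId >= 0 && registerId <= 3;
    return maskFitsLowByte && hasLowByteEncoding;
}
```

For a memory operand a mask such as 0x00ff0000 at displacement 16 becomes a testb of 0xff at displacement 18; a mask touching two bytes keeps the full test32. For a register operand the same low-byte mask is accepted for eax..ebx but refused for esp..edi, which is exactly the case the r154207 follow-up corrected.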
2675 2013-08-16  Mark Lam  <mark.lam@apple.com>
2676
2677         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
2678         error message that an object is not a constructor though it expects a function
2679
2680         Reviewed by Michael Saboff.
2681
2682         * jit/JITStubs.cpp:
2683         (JSC::DEFINE_STUB_FUNCTION):
2684
2685 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2686
2687         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
2688         https://bugs.webkit.org/show_bug.cgi?id=119897
2689
2690         Reviewed by Oliver Hunt.
2691         
2692         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
2693         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
2694         to turn objects into dictionaries when you're storing using bracket syntax or using
2695         eval is still in place.
2696
2697         * bytecode/CodeBlock.h:
2698         (JSC::CodeBlock::putByIdContext):
2699         * dfg/DFGOperations.cpp:
2700         * jit/JITStubs.cpp:
2701         (JSC::DEFINE_STUB_FUNCTION):
2702         * llint/LLIntSlowPaths.cpp:
2703         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2704         * runtime/JSObject.h:
2705         (JSC::JSObject::putDirectInternal):
2706         * runtime/PutPropertySlot.h:
2707         (JSC::PutPropertySlot::PutPropertySlot):
2708         (JSC::PutPropertySlot::context):
2709         * runtime/Structure.cpp:
2710         (JSC::Structure::addPropertyTransition):
2711         * runtime/Structure.h:
2712
2713 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
2714
2715         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
2716
2717         Reviewed by Allan Sandfeld Jensen.
2718
2719         ctiVMHandleException must jump/return using register ra (r31).
2720
2721         * jit/JITStubsMIPS.h:
2722
2723 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
2724
2725         <https://webkit.org/b/119879> Fix sh4 build after r154156.
2726
2727         Reviewed by Allan Sandfeld Jensen.
2728
2729         Fix typo in JITStubsSH4.h file.
2730
2731         * jit/JITStubsSH4.h:
2732
2733 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2734
2735         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
2736
2737         Reviewed by Oliver Hunt.
2738
2739         The concurrent compilation thread should interact minimally with the Heap, including not 
2740         triggering WriteBarriers. This is a prerequisite for generational GC.
2741
2742         * JavaScriptCore.xcodeproj/project.pbxproj:
2743         * bytecode/CodeBlock.cpp:
2744         (JSC::CodeBlock::addOrFindConstant):
2745         (JSC::CodeBlock::findConstant):
2746         * bytecode/CodeBlock.h:
2747         (JSC::CodeBlock::addConstantLazily):
2748         * dfg/DFGByteCodeParser.cpp:
2749         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
2750         (JSC::DFG::ByteCodeParser::constantUndefined):
2751         (JSC::DFG::ByteCodeParser::constantNull):
2752         (JSC::DFG::ByteCodeParser::one):
2753         (JSC::DFG::ByteCodeParser::constantNaN):
2754         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2755         * dfg/DFGCommonData.cpp:
2756         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2757         * dfg/DFGCommonData.h:
2758         * dfg/DFGDesiredTransitions.cpp: Added.
2759         (JSC::DFG::DesiredTransition::DesiredTransition):
2760         (JSC::DFG::DesiredTransition::reallyAdd):
2761         (JSC::DFG::DesiredTransitions::DesiredTransitions):
2762         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
2763         (JSC::DFG::DesiredTransitions::addLazily):
2764         (JSC::DFG::DesiredTransitions::reallyAdd):
2765         * dfg/DFGDesiredTransitions.h: Added.
2766         * dfg/DFGDesiredWeakReferences.cpp: Added.
2767         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2768         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
2769         (JSC::DFG::DesiredWeakReferences::addLazily):
2770         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2771         * dfg/DFGDesiredWeakReferences.h: Added.
2772         * dfg/DFGDesiredWriteBarriers.cpp: Added.
2773         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2774         (JSC::DFG::DesiredWriteBarrier::trigger):
2775         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
2776         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
2777         (JSC::DFG::DesiredWriteBarriers::addImpl):
2778         (JSC::DFG::DesiredWriteBarriers::trigger):
2779         * dfg/DFGDesiredWriteBarriers.h: Added.
2780         (JSC::DFG::DesiredWriteBarriers::add):
2781         (JSC::DFG::initializeLazyWriteBarrier):
2782         * dfg/DFGFixupPhase.cpp:
2783         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2784         * dfg/DFGGraph.h:
2785         (JSC::DFG::Graph::convertToConstant):
2786         * dfg/DFGJITCompiler.h:
2787         (JSC::DFG::JITCompiler::addWeakReference):
2788         * dfg/DFGPlan.cpp:
2789         (JSC::DFG::Plan::Plan):
2790         (JSC::DFG::Plan::reallyAdd):
2791         * dfg/DFGPlan.h:
2792         * dfg/DFGSpeculativeJIT32_64.cpp:
2793         (JSC::DFG::SpeculativeJIT::compile):
2794         * dfg/DFGSpeculativeJIT64.cpp:
2795         (JSC::DFG::SpeculativeJIT::compile):
2796         * runtime/WriteBarrier.h:
2797         (JSC::WriteBarrierBase::set):
2798         (JSC::WriteBarrier::WriteBarrier):
2799
2800 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2801
2802         Fix x86 32bits build after r154158
2803
2804         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
2805
2806 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2807
2808         Build fix attempt after r154156.
2809
2810         * jit/JITStubs.cpp:
2811         (JSC::cti_vm_handle_exception): encode!
2812
2813 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2814
2815         [JSC] x86: Use inc and dec when possible
2816         https://bugs.webkit.org/show_bug.cgi?id=119831
2817
2818         Reviewed by Geoffrey Garen.
2819
2820         When incrementing or decrementing by an immediate of 1, use the instructions
2821         inc and dec instead of add and sub.
2822         The instructions have good timing and their encoding is smaller.
2823
2824         * assembler/MacroAssemblerX86Common.h:
2825         (JSC::MacroAssemblerX86_64::add32):
2826         (JSC::MacroAssemblerX86_64::sub32):
2827         * assembler/MacroAssemblerX86_64.h:
2828         (JSC::MacroAssemblerX86_64::add64):
2829         (JSC::MacroAssemblerX86_64::sub64):
2830         * assembler/X86Assembler.h:
2831         (JSC::X86Assembler::dec_r):
2832         (JSC::X86Assembler::decq_r):
2833         (JSC::X86Assembler::inc_r):
2834         (JSC::X86Assembler::incq_r):
2835
2836 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2837
2838         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
2839         https://bugs.webkit.org/show_bug.cgi?id=119874
2840
2841         Reviewed by Oliver Hunt and Mark Hahnenberg.
2842         
2843         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
2844         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
2845         sometimes for typed array length accesses, and the FixupPhase assuming that a
2846         ForceExit ArrayMode means that it should continue using a generic GetById.
2847
2848         This fixes the confusion.
2849
2850         * dfg/DFGFixupPhase.cpp:
2851         (JSC::DFG::FixupPhase::fixupNode):
2852
2853 2013-08-15  Mark Lam  <mark.lam@apple.com>
2854
2855         Fix crash when performing activation tearoff.
2856         https://bugs.webkit.org/show_bug.cgi?id=119848
2857
2858         Reviewed by Oliver Hunt.
2859
2860         The activation tearoff crash was due to a bug in the baseline JIT.
2861         If we have a scenario where a baseline JIT frame calls a LLINT
2862         frame, an exception may be thrown while in the LLINT.
2863
2864         Interpreter::throwException() which handles the exception will unwind
2865         all frames until it finds a catcher or sees a host frame. When we
2866         return from the LLINT to the baseline JIT code, the baseline JIT code
2867         erroneously sets topCallFrame to the value in its call frame register,
2868         and starts unwinding the stack frames that have already been unwound.
2869
2870         The fix is:
2871         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2872            This is a more accurate description of what this runtime function
2873            is supposed to do, i.e. it handles the exception, which includes doing
2874            nothing (if there are no more frames to unwind).
2875         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
2876            set on it.
2877         3. Reload the call frame register from topCallFrame when we're
2878            returning from a callee and detect exception handling in progress.
2879
2880         * interpreter/Interpreter.cpp:
2881         (JSC::Interpreter::unwindCallFrame):
2882         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2883         (JSC::Interpreter::getStackTrace):
2884         * interpreter/Interpreter.h:
2885         (JSC::TopCallFrameSetter::TopCallFrameSetter):
2886         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2887         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2888         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2889         * jit/JIT.h:
2890         * jit/JITExceptions.cpp:
2891         (JSC::uncaughtExceptionHandler):
2892         - Convenience function to get the handler for uncaught exceptions.
2893         * jit/JITExceptions.h:
2894         * jit/JITInlines.h:
2895         (JSC::JIT::reloadCallFrameFromTopCallFrame):
2896         * jit/JITOpcodes32_64.cpp:
2897         (JSC::JIT::privateCompileCTINativeCall):
2898         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2899         * jit/JITStubs.cpp:
2900         (JSC::throwExceptionFromOpCall):
2901         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2902         (JSC::cti_vm_handle_exception):
2903         - Check for the case when there are no more frames to unwind.
2904         * jit/JITStubs.h:
2905         * jit/JITStubsARM.h:
2906         * jit/JITStubsARMv7.h:
2907         * jit/JITStubsMIPS.h:
2908         * jit/JITStubsSH4.h:
2909         * jit/JITStubsX86.h:
2910         * jit/JITStubsX86_64.h:
2911         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2912         * jit/SlowPathCall.h:
2913         (JSC::JITSlowPathCall::call):
2914         - Reload cfr from topCallFrame when handling an exception.
2915         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2916         * jit/ThunkGenerators.cpp:
2917         (JSC::nativeForGenerator):
2918         * llint/LowLevelInterpreter32_64.asm:
2919         * llint/LowLevelInterpreter64.asm:
2920         - Reload cfr from topCallFrame when handling an exception.
2921         * runtime/VM.cpp:
2922         (JSC::VM::VM):
2923         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2924
2925 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2926
2927         Remove some code duplication.
2928         
2929         Rubber stamped by Mark Hahnenberg.
2930
2931         * runtime/JSDataViewPrototype.cpp:
2932         (JSC::getData):
2933         (JSC::setData):
2934
2935 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
2936
2937         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
2938         https://bugs.webkit.org/show_bug.cgi?id=119794
2939
2940         Reviewed by Filip Pizlo.
2941
2942         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
2943
2944         * dfg/DFGUseKind.h:
2945         (JSC::DFG::isNumerical):
2946         (JSC::DFG::isDouble):
2947
2948 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2949
2950         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
2951
2952         Rubber stamped by Oliver Hunt.
2953         
2954         This was causing some test crashes for me.
2955
2956         * dfg/DFGCapabilities.cpp:
2957         (JSC::DFG::capabilityLevel):
2958
2959 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2960
2961         [Windows] Clear up improper export declaration.
2962
2963         * runtime/ArrayBufferView.h:
2964
2965 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2966
2967         Unreviewed, remove some unnecessary periods from exceptions.
2968
2969         * runtime/JSDataViewPrototype.cpp:
2970         (JSC::getData):
2971         (JSC::setData):
2972
2973 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2974
2975         Unreviewed, fix 32-bit build.
2976
2977         * dfg/DFGSpeculativeJIT32_64.cpp:
2978         (JSC::DFG::SpeculativeJIT::compile):
2979
2980 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
2981
2982         Typed arrays should be rewritten
2983         https://bugs.webkit.org/show_bug.cgi?id=119064
2984
2985         Reviewed by Oliver Hunt.
2986         
2987         Typed arrays were previously deficient in several major ways:
2988         
2989         - They were defined separately in WebCore and in the jsc shell. The two
2990           implementations were different, and the jsc shell one was basically wrong.
2991           The WebCore one was quite awful, also.
2992         
2993         - Typed arrays were not visible to the JIT except through some weird hooks.
2994           For example, the JIT could not ask "what is the Structure that this typed
2995           array would have if I just allocated it from this global object". Also,
2996           it was difficult to wire any of the typed array intrinsics, because most
2997           of the functionality wasn't visible anywhere in JSC.
2998         
2999         - Typed array allocation was brain-dead. Allocating a typed array involved
3000           two JS objects, two GC weak handles, and three malloc allocations.
3001         
3002         - Neutering. It involved keeping tabs on all native views but not the view
3003           wrappers, even though the native views can autoneuter just by asking the
3004           buffer if it was neutered anytime you touch them; while the JS view
3005           wrappers are the ones that you really want to reach out to.
3006         
3007         - Common case-ing. Most typed arrays have one buffer and one view, and
3008           usually nobody touches the buffer. Yet we created all of that stuff
3009           anyway, using data structures optimized for the case where you had a lot
3010           of views.
3011         
3012         - Semantic goofs. Typed arrays should, in the future, behave like ES
3013           features rather than DOM features, for example when it comes to exceptions.
3014           Firefox already does this and I agree with them.
3015         
3016         This patch cleanses our codebase of these sins:
3017         
3018         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
3019           management of native references to buffers is left to WebCore.
3020         
3021         - Allocating a typed array requires either two GC allocations (a cell and a
3022           copied storage vector) or one GC allocation, a malloc allocation, and a
3023           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
3024           latter). The latter is only used for oversize arrays. Remember that before
3025           it was 7 allocations no matter what.
3026         
3027         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
3028           mode/length, void* vector. Before it was a lot more than that - remember,
3029           there were five additional objects that did absolutely nothing for anybody.
3030         
3031         - Native views aren't tracked by the buffer, or by the wrappers. They are
3032           transient. In the future we'll probably switch to not even having them be
3033           malloc'd.
3034         
3035         - Native array buffers have an efficient way of tracking all of their JS view
3036           wrappers, both for neutering, and for lifecycle management. The GC
3037           special-cases native array buffers. This saves a bunch of grief; for example
3038           it means that a JS view wrapper can refer to its buffer via the butterfly,
3039           which would be dead by the time we went to finalize.
3040         
3041         - Typed array semantics now match Firefox, which also happens to be where the
3042           standards are going. The discussion on webkit-dev seemed to confirm that
3043           Chrome is also heading in this direction. This includes making
3044           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
3045           ArrayBufferView as a JS-visible construct.
3046         
3047         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
3048         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
3049         further typed array optimizations in the JSC JITs, including inlining typed
3050         array allocation, inlining more of the accessors, reducing the cost of type
3051         checks, etc.
3052         
3053         An additional property of this patch is that typed arrays are mostly
3054         implemented using templates. This deduplicates a bunch of code, but does mean
3055         that we need some hacks for exporting s_info's of template classes. See
3056         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
3057         low-impact compared to code duplication.
3058         
3059         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
3060
3061         * CMakeLists.txt:
3062         * DerivedSources.make:
3063         * GNUmakefile.list.am:
3064         * JSCTypedArrayStubs.h: Removed.
3065         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3066         * JavaScriptCore.xcodeproj/project.pbxproj:
3067         * Target.pri:
3068         * bytecode/ByValInfo.h:
3069         (JSC::hasOptimizableIndexingForClassInfo):
3070         (JSC::jitArrayModeForClassInfo):
3071         (JSC::typedArrayTypeForJITArrayMode):
3072         * bytecode/SpeculatedType.cpp:
3073         (JSC::speculationFromClassInfo):
3074         * dfg/DFGArrayMode.cpp:
3075         (JSC::DFG::toTypedArrayType):
3076         * dfg/DFGArrayMode.h:
3077         (JSC::DFG::ArrayMode::typedArrayType):
3078         * dfg/DFGSpeculativeJIT.cpp:
3079         (JSC::DFG::SpeculativeJIT::checkArray):
3080         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3081         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3082         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3083         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
3084         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3085         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3086         * dfg/DFGSpeculativeJIT.h:
3087         * dfg/DFGSpeculativeJIT32_64.cpp:
3088         (JSC::DFG::SpeculativeJIT::compile):
3089         * dfg/DFGSpeculativeJIT64.cpp:
3090         (JSC::DFG::SpeculativeJIT::compile):
3091         * heap/CopyToken.h:
3092         * heap/DeferGC.h:
3093         (JSC::DeferGCForAWhile::DeferGCForAWhile):
3094         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
3095         * heap/GCIncomingRefCounted.h: Added.
3096         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
3097         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
3098         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
3099         (JSC::GCIncomingRefCounted::incomingReferenceAt):
3100         (JSC::GCIncomingRefCounted::singletonFlag):
3101         (JSC::GCIncomingRefCounted::hasVectorOfCells):
3102         (JSC::GCIncomingRefCounted::hasAnyIncoming):
3103         (JSC::GCIncomingRefCounted::hasSingleton):
3104         (JSC::GCIncomingRefCounted::singleton):
3105         (JSC::GCIncomingRefCounted::vectorOfCells):
3106         * heap/GCIncomingRefCountedInlines.h: Added.
3107         (JSC::::addIncomingReference):
3108         (JSC::::filterIncomingReferences):
3109         * heap/GCIncomingRefCountedSet.h: Added.
3110         (JSC::GCIncomingRefCountedSet::size):
3111         * heap/GCIncomingRefCountedSetInlines.h: Added.
3112         (JSC::::GCIncomingRefCountedSet):
3113         (JSC::::~GCIncomingRefCountedSet):
3114         (JSC::::addReference):
3115         (JSC::::sweep):
3116         (JSC::::removeAll):
3117         (JSC::::removeDead):
3118         * heap/Heap.cpp:
3119         (JSC::Heap::addReference):
3120         (JSC::Heap::extraSize):
3121         (JSC::Heap::size):
3122         (JSC::Heap::capacity):
3123         (JSC::Heap::collect):
3124         (JSC::Heap::decrementDeferralDepth):
3125         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
3126         * heap/Heap.h:
3127         * interpreter/CallFrame.h:
3128         (JSC::ExecState::dataViewTable):
3129         * jit/JIT.h:
3130         * jit/JITPropertyAccess.cpp:
3131         (JSC::JIT::privateCompileGetByVal):
3132         (JSC::JIT::privateCompilePutByVal):
3133         (JSC::JIT::emitIntTypedArrayGetByVal):
3134         (JSC::JIT::emitFloatTypedArrayGetByVal):
3135         (JSC::JIT::emitIntTypedArrayPutByVal):
3136         (JSC::JIT::emitFloatTypedArrayPutByVal):
3137         * jsc.cpp:
3138         (GlobalObject::finishCreation):
3139         * runtime/ArrayBuffer.cpp:
3140         (JSC::ArrayBuffer::transfer):
3141         * runtime/ArrayBuffer.h:
3142         (JSC::ArrayBuffer::createAdopted):
3143         (JSC::ArrayBuffer::ArrayBuffer):
3144         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
3145         (JSC::ArrayBuffer::pin):
3146         (JSC::ArrayBuffer::unpin):
3147         (JSC::ArrayBufferContents::tryAllocate):
3148         * runtime/ArrayBufferView.cpp:
3149         (JSC::ArrayBufferView::ArrayBufferView):
3150         (JSC::ArrayBufferView::~ArrayBufferView):
3151         (JSC::ArrayBufferView::setNeuterable):
3152         * runtime/ArrayBufferView.h:
3153         (JSC::ArrayBufferView::isNeutered):
3154         (JSC::ArrayBufferView::buffer):
3155         (JSC::ArrayBufferView::baseAddress):
3156         (JSC::ArrayBufferView::byteOffset):
3157         (JSC::ArrayBufferView::verifySubRange):
3158         (JSC::ArrayBufferView::clampOffsetAndNumElements):
3159         (JSC::ArrayBufferView::calculateOffsetAndLength):
3160         * runtime/ClassInfo.h:
3161         * runtime/CommonIdentifiers.h:
3162         * runtime/DataView.cpp: Added.
3163         (JSC::DataView::DataView):
3164         (JSC::DataView::create):
3165         (JSC::DataView::wrap):
3166         * runtime/DataView.h: Added.
3167         (JSC::DataView::byteLength):
3168         (JSC::DataView::getType):
3169         (JSC::DataView::get):
3170         (JSC::DataView::set):
3171         * runtime/Float32Array.h:
3172         * runtime/Float64Array.h:
3173         * runtime/GenericTypedArrayView.h: Added.
3174         (JSC::GenericTypedArrayView::data):
3175         (JSC::GenericTypedArrayView::set):
3176         (JSC::GenericTypedArrayView::setRange):
3177         (JSC::GenericTypedArrayView::zeroRange):
3178         (JSC::GenericTypedArrayView::zeroFill):
3179         (JSC::GenericTypedArrayView::length):
3180         (JSC::GenericTypedArrayView::byteLength):
3181         (JSC::GenericTypedArrayView::item):
3182         (JSC::GenericTypedArrayView::checkInboundData):
3183         (JSC::GenericTypedArrayView::getType):
3184         * runtime/GenericTypedArrayViewInlines.h: Added.
3185         (JSC::::GenericTypedArrayView):
3186         (JSC::::create):
3187         (JSC::::createUninitialized):
3188         (JSC::::subarray):
3189         (JSC::::wrap):
3190         * runtime/IndexingHeader.h:
3191         (JSC::IndexingHeader::arrayBuffer):
3192         (JSC::IndexingHeader::setArrayBuffer):
3193         * runtime/Int16Array.h:
3194         * runtime/Int32Array.h:
3195         * runtime/Int8Array.h:
3196         * runtime/JSArrayBuffer.cpp: Added.
3197         (JSC::JSArrayBuffer::JSArrayBuffer):
3198         (JSC::JSArrayBuffer::finishCreation):
3199         (JSC::JSArrayBuffer::create):
3200         (JSC::JSArrayBuffer::createStructure):
3201         (JSC::JSArrayBuffer::getOwnPropertySlot):
3202         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
3203         (JSC::JSArrayBuffer::put):
3204         (JSC::JSArrayBuffer::defineOwnProperty):
3205         (JSC::JSArrayBuffer::deleteProperty):
3206         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
3207         * runtime/JSArrayBuffer.h: Added.
3208         (JSC::JSArrayBuffer::impl):
3209         (JSC::toArrayBuffer):
3210         * runtime/JSArrayBufferConstructor.cpp: Added.
3211         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
3212         (JSC::JSArrayBufferConstructor::finishCreation):
3213         (JSC::JSArrayBufferConstructor::create):
3214         (JSC::JSArrayBufferConstructor::createStructure):
3215         (JSC::constructArrayBuffer):
3216         (JSC::JSArrayBufferConstructor::getConstructData):
3217         (JSC::JSArrayBufferConstructor::getCallData):
3218         * runtime/JSArrayBufferConstructor.h: Added.
3219         * runtime/JSArrayBufferPrototype.cpp: Added.
3220         (JSC::arrayBufferProtoFuncSlice):
3221         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
3222         (JSC::JSArrayBufferPrototype::finishCreation):
3223         (JSC::JSArrayBufferPrototype::create):
3224         (JSC::JSArrayBufferPrototype::createStructure):
3225         * runtime/JSArrayBufferPrototype.h: Added.
3226         * runtime/JSArrayBufferView.cpp: Added.
3227         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3228         (JSC::JSArrayBufferView::JSArrayBufferView):
3229         (JSC::JSArrayBufferView::finishCreation):
3230         (JSC::JSArrayBufferView::getOwnPropertySlot):
3231         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
3232         (JSC::JSArrayBufferView::put):
3233         (JSC::JSArrayBufferView::defineOwnProperty):
3234         (JSC::JSArrayBufferView::deleteProperty):
3235         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
3236         (JSC::JSArrayBufferView::finalize):
3237         * runtime/JSArrayBufferView.h: Added.
3238         (JSC::JSArrayBufferView::sizeOf):
3239         (JSC::JSArrayBufferView::ConstructionContext::operator!):
3240         (JSC::JSArrayBufferView::ConstructionContext::structure):
3241         (JSC::JSArrayBufferView::ConstructionContext::vector):
3242         (JSC::JSArrayBufferView::ConstructionContext::length):
3243         (JSC::JSArrayBufferView::ConstructionContext::mode):
3244         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
3245         (JSC::JSArrayBufferView::mode):
3246         (JSC::JSArrayBufferView::vector):
3247         (JSC::JSArrayBufferView::length):
3248         (JSC::JSArrayBufferView::offsetOfVector):
3249         (JSC::JSArrayBufferView::offsetOfLength):
3250         (JSC::JSArrayBufferView::offsetOfMode):
3251         * runtime/JSArrayBufferViewInlines.h: Added.
3252         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
3253         (JSC::JSArrayBufferView::buffer):
3254         (JSC::JSArrayBufferView::impl):
3255         (JSC::JSArrayBufferView::neuter):
3256         (JSC::JSArrayBufferView::byteOffset):
3257         * runtime/JSCell.cpp:
3258         (JSC::JSCell::slowDownAndWasteMemory):
3259         (JSC::JSCell::getTypedArrayImpl):
3260         * runtime/JSCell.h:
3261         * runtime/JSDataView.cpp: Added.
3262         (JSC::JSDataView::JSDataView):
3263         (JSC::JSDataView::create):
3264         (JSC::JSDataView::createUninitialized):
3265         (JSC::JSDataView::set):
3266         (JSC::JSDataView::typedImpl):
3267         (JSC::JSDataView::getOwnPropertySlot):
3268         (JSC::JSDataView::getOwnPropertyDescriptor):
3269         (JSC::JSDataView::slowDownAndWasteMemory):
3270         (JSC::JSDataView::getTypedArrayImpl):
3271         (JSC::JSDataView::createStructure):
3272         * runtime/JSDataView.h: Added.
3273         * runtime/JSDataViewPrototype.cpp: Added.
3274         (JSC::JSDataViewPrototype::JSDataViewPrototype):
3275         (JSC::JSDataViewPrototype::create):
3276         (JSC::JSDataViewPrototype::createStructure):
3277         (JSC::JSDataViewPrototype::getOwnPropertySlot):
3278         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
3279         (JSC::getData):
3280         (JSC::setData):
3281         (JSC::dataViewProtoFuncGetInt8):
3282         (JSC::dataViewProtoFuncGetInt16):
3283         (JSC::dataViewProtoFuncGetInt32):
3284         (JSC::dataViewProtoFuncGetUint8):
3285         (JSC::dataViewProtoFuncGetUint16):
3286         (JSC::dataViewProtoFuncGetUint32):
3287         (JSC::dataViewProtoFuncGetFloat32):
3288         (JSC::dataViewProtoFuncGetFloat64):
3289         (JSC::dataViewProtoFuncSetInt8):
3290         (JSC::dataViewProtoFuncSetInt16):
3291         (JSC::dataViewProtoFuncSetInt32):
3292         (JSC::dataViewProtoFuncSetUint8):
3293         (JSC::dataViewProtoFuncSetUint16):
3294         (JSC::dataViewProtoFuncSetUint32):
3295         (JSC::dataViewProtoFuncSetFloat32):
3296         (JSC::dataViewProtoFuncSetFloat64):
3297         * runtime/JSDataViewPrototype.h: Added.
3298         * runtime/JSFloat32Array.h: Added.
3299         * runtime/JSFloat64Array.h: Added.
3300         * runtime/JSGenericTypedArrayView.h: Added.
3301         (JSC::JSGenericTypedArrayView::byteLength):
3302         (JSC::JSGenericTypedArrayView::byteSize):
3303         (JSC::JSGenericTypedArrayView::typedVector):
3304         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
3305         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
3306         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
3307         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
3308         (JSC::JSGenericTypedArrayView::getIndexQuickly):
3309         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
3310         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
3311         (JSC::JSGenericTypedArrayView::setIndexQuickly):
3312         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
3313         (JSC::JSGenericTypedArrayView::typedImpl):
3314         (JSC::JSGenericTypedArrayView::createStructure):
3315         (JSC::JSGenericTypedArrayView::info):
3316         (JSC::toNativeTypedView):
3317         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
3318         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
3319         (JSC::::JSGenericTypedArrayViewConstructor):
3320         (JSC::::finishCreation):
3321         (JSC::::create):
3322         (JSC::::createStructure):
3323         (JSC::constructGenericTypedArrayView):
3324         (JSC::::getConstructData):
3325         (JSC::::getCallData):
3326         * runtime/JSGenericTypedArrayViewInlines.h: Added.
3327         (JSC::::JSGenericTypedArrayView):
3328         (JSC::::create):
3329         (JSC::::createUninitialized):
3330         (JSC::::validateRange):
3331         (JSC::::setWithSpecificType):
3332         (JSC::::set):
3333         (JSC::::getOwnPropertySlot):
3334         (JSC::::getOwnPropertyDescriptor):
3335         (JSC::::put):
3336         (JSC::::defineOwnProperty):
3337         (JSC::::deleteProperty):
3338         (JSC::::getOwnPropertySlotByIndex):
3339         (JSC::::putByIndex):
3340         (JSC::::deletePropertyByIndex):
3341         (JSC::::getOwnNonIndexPropertyNames):
3342         (JSC::::getOwnPropertyNames):
3343         (JSC::::visitChildren):
3344         (JSC::::copyBackingStore):
3345         (JSC::::slowDownAndWasteMemory):
3346         (JSC::::getTypedArrayImpl):
3347         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
3348         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
3349         (JSC::genericTypedArrayViewProtoFuncSet):
3350         (JSC::genericTypedArrayViewProtoFuncSubarray):
3351         (JSC::::JSGenericTypedArrayViewPrototype):
3352         (JSC::::finishCreation):
3353         (JSC::::create):
3354         (JSC::::createStructure):
3355         * runtime/JSGlobalObject.cpp:
3356         (JSC::JSGlobalObject::reset):
3357         (JSC::JSGlobalObject::visitChildren):
3358         * runtime/JSGlobalObject.h:
3359         (JSC::JSGlobalObject::arrayBufferPrototype):
3360         (JSC::JSGlobalObject::arrayBufferStructure):
3361         (JSC::JSGlobalObject::typedArrayStructure):
3362         * runtime/JSInt16Array.h: Added.
3363         * runtime/JSInt32Array.h: Added.
3364         * runtime/JSInt8Array.h: Added.
3365         * runtime/JSTypedArrayConstructors.cpp: Added.
3366         * runtime/JSTypedArrayConstructors.h: Added.
3367         * runtime/JSTypedArrayPrototypes.cpp: Added.
3368         * runtime/JSTypedArrayPrototypes.h: Added.
3369         * runtime/JSTypedArrays.cpp: Added.
3370         * runtime/JSTypedArrays.h: Added.
3371         * runtime/JSUint16Array.h: Added.
3372         * runtime/JSUint32Array.h: Added.
3373         * runtime/JSUint8Array.h: Added.
3374         * runtime/JSUint8ClampedArray.h: Added.
3375         * runtime/Operations.h:
3376         * runtime/Options.h:
3377         * runtime/SimpleTypedArrayController.cpp: Added.
3378         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
3379         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
3380         (JSC::SimpleTypedArrayController::toJS):
3381         * runtime/SimpleTypedArrayController.h: Added.
3382         * runtime/Structure.h:
3383         (JSC::Structure::couldHaveIndexingHeader):
3384         * runtime/StructureInlines.h:
3385         (JSC::Structure::hasIndexingHeader):
3386         * runtime/TypedArrayAdaptors.h: Added.
3387         (JSC::IntegralTypedArrayAdaptor::toNative):
3388         (JSC::IntegralTypedArrayAdaptor::toJSValue):
3389         (JSC::IntegralTypedArrayAdaptor::toDouble):
3390         (JSC::FloatTypedArrayAdaptor::toNative):
3391         (JSC::FloatTypedArrayAdaptor::toJSValue):
3392         (JSC::FloatTypedArrayAdaptor::toDouble):
3393         (JSC::Uint8ClampedAdaptor::toNative):
3394         (JSC::Uint8ClampedAdaptor::toJSValue):
3395         (JSC::Uint8ClampedAdaptor::toDouble):
3396         (JSC::Uint8ClampedAdaptor::clamp):
3397         * runtime/TypedArrayController.cpp: Added.
3398         (JSC::TypedArrayController::TypedArrayController):
3399         (JSC::TypedArrayController::~TypedArrayController):
3400         * runtime/TypedArrayController.h: Added.
3401         * runtime/TypedArrayDescriptor.h: Removed.
3402         * runtime/TypedArrayInlines.h: Added.
3403         * runtime/TypedArrayType.cpp: Added.
3404         (JSC::classInfoForType):
3405         (WTF::printInternal):
3406         * runtime/TypedArrayType.h: Added.
3407         (JSC::toIndex):
3408         (JSC::isTypedView):
3409         (JSC::elementSize):
3410         (JSC::isInt):
3411         (JSC::isFloat):
3412         (JSC::isSigned):
3413         (JSC::isClamped):
3414         * runtime/TypedArrays.h: Added.
3415         * runtime/Uint16Array.h:
3416         * runtime/Uint32Array.h:
3417         * runtime/Uint8Array.h:
3418         * runtime/Uint8ClampedArray.h:
3419         * runtime/VM.cpp:
3420         (JSC::VM::VM):
3421         (JSC::VM::~VM):
3422         * runtime/VM.h:
3423
3424 2013-08-15  Oliver Hunt  <oliver@apple.com>
3425
3426         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
3427
3428         Reviewed by Filip Pizlo.
3429
3430         Make sure dfgCapabilities doesn't report a Dynamic put as
3431         being compilable when we don't actually support it.
3432
3433         * bytecode/CodeBlock.cpp:
3434         (JSC::CodeBlock::dumpBytecode):
3435         * dfg/DFGCapabilities.cpp:
3436         (JSC::DFG::capabilityLevel):
3437
3438 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
3439
3440         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
3441         https://bugs.webkit.org/show_bug.cgi?id=119847
3442
3443         Reviewed by Oliver Hunt.
3444
3445         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
3446         * runtime/ArrayBufferView.h: Ditto.
3447
3448 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
3449
3450         https://bugs.webkit.org/show_bug.cgi?id=119843
3451         PropertySlot::setValue is ambiguous
3452
3453         Reviewed by Geoff Garen.
3454
3455         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
3456         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
3457         Unify on always providing the object, and remove the version that just takes a value.
3458         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
3459         Provide a version of setValue that takes a JSString as the owner of the property.
3460         We won't store this, but it makes it clear that this interface should only be used from JSString.
3461
3462         * API/JSCallbackObjectFunctions.h:
3463         (JSC::::getOwnPropertySlot):
3464         * JSCTypedArrayStubs.h:
3465         * runtime/Arguments.cpp:
3466         (JSC::Arguments::getOwnPropertySlotByIndex):
3467         (JSC::Arguments::getOwnPropertySlot):
3468         * runtime/JSActivation.cpp:
3469         (JSC::JSActivation::symbolTableGet):
3470         (JSC::JSActivation::getOwnPropertySlot):
3471         * runtime/JSArray.cpp:
3472         (JSC::JSArray::getOwnPropertySlot):
3473         * runtime/JSObject.cpp:
3474         (JSC::JSObject::getOwnPropertySlotByIndex):
3475         * runtime/JSString.h:
3476         (JSC::JSString::getStringPropertySlot):
3477         * runtime/JSSymbolTableObject.h:
3478         (JSC::symbolTableGet):
3479         * runtime/SparseArrayValueMap.cpp:
3480         (JSC::SparseArrayEntry::get):
3481             - Pass object containing property to PropertySlot::setValue
3482         * runtime/PropertySlot.h:
3483         (JSC::PropertySlot::setValue):
3484             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
3485         (JSC::PropertySlot::setUndefined):
3486             - removed setValue(JSValue), added setValue(JSString*, JSValue)
3487
3488 2013-08-15  Oliver Hunt  <oliver@apple.com>
3489
3490         Remove bogus assertion.
3491
3492         RS=Filip Pizlo
3493
3494         * dfg/DFGAbstractInterpreterInlines.h:
3495         (JSC::DFG::::executeEffects):
3496
3497 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3498
3499         REGRESSION(r148790) Made 7 tests fail on x86 32bit
3500         https://bugs.webkit.org/show_bug.cgi?id=114913
3501
3502         Reviewed by Filip Pizlo.
3503
3504         The X87 register was not freed before some calls. Instead
3505         of inserting resetX87Registers to the last call sites,
3506         the two X87 registers are now freed in every call.
3507
3508         * llint/LowLevelInterpreter32_64.asm:
3509         * llint/LowLevelInterpreter64.asm:
3510         * offlineasm/instructions.rb:
3511         * offlineasm/x86.rb:
3512
3513 2013-08-14  Michael Saboff  <msaboff@apple.com>
3514
3515         Fixed jit on Win64.
3516         https://bugs.webkit.org/show_bug.cgi?id=119601
3517
3518         Reviewed by Oliver Hunt.
3519
3520         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
3521         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
3522         * jit/SlowPathCall.h:
3523         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
3524
3525 2013-08-14  Alex Christensen  <achristensen@apple.com>
3526
3527         Compile fix for Win64 with jit disabled.
3528         https://bugs.webkit.org/show_bug.cgi?id=119804
3529
3530         Reviewed by Michael Saboff.
3531
3532         * offlineasm/cloop.rb: Added std:: before isnan.
3533
3534 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
3535
3536         DFG_JIT implementation for sh4 architecture.
3537         https://bugs.webkit.org/show_bug.cgi?id=119737
3538
3539         Reviewed by Oliver Hunt.
3540
3541         * assembler/MacroAssemblerSH4.h:
3542         (JSC::MacroAssemblerSH4::invert):
3543         (JSC::MacroAssemblerSH4::add32):
3544         (JSC::MacroAssemblerSH4::and32):
3545         (JSC::MacroAssemblerSH4::lshift32):
3546         (JSC::MacroAssemblerSH4::mul32):
3547         (JSC::MacroAssemblerSH4::or32):
3548         (JSC::MacroAssemblerSH4::rshift32):
3549         (JSC::MacroAssemblerSH4::sub32):
3550         (JSC::MacroAssemblerSH4::xor32):
3551         (JSC::MacroAssemblerSH4::store32):
3552         (JSC::MacroAssemblerSH4::swapDouble):
3553         (JSC::MacroAssemblerSH4::storeDouble):
3554         (JSC::MacroAssemblerSH4::subDouble):
3555         (JSC::MacroAssemblerSH4::mulDouble):
3556         (JSC::MacroAssemblerSH4::divDouble):
3557         (JSC::MacroAssemblerSH4::negateDouble):
3558         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
3559         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
3560         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
3561         (JSC::MacroAssemblerSH4::swap):
3562         (JSC::MacroAssemblerSH4::jump):
3563         (JSC::MacroAssemblerSH4::branchNeg32):
3564         (JSC::MacroAssemblerSH4::branchAdd32):
3565         (JSC::MacroAssemblerSH4::branchMul32):
3566         (JSC::MacroAssemblerSH4::urshift32):
3567         * assembler/SH4Assembler.h:
3568         (JSC::SH4Assembler::SH4Assembler):
3569         (JSC::SH4Assembler::labelForWatchpoint):
3570         (JSC::SH4Assembler::label):
3571         (JSC::SH4Assembler::debugOffset):
3572         * dfg/DFGAssemblyHelpers.h:
3573         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
3574         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
3575         (JSC::DFG::AssemblyHelpers::debugCall):
3576         * dfg/DFGCCallHelpers.h:
3577         (JSC::DFG::CCallHelpers::setupArguments):
3578         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
3579         * dfg/DFGFPRInfo.h:
3580         (JSC::DFG::FPRInfo::toRegister):
3581         (JSC::DFG::FPRInfo::toIndex):
3582         (JSC::DFG::FPRInfo::debugName):
3583         * dfg/DFGGPRInfo.h:
3584         (JSC::DFG::GPRInfo::toRegister):
3585         (JSC::DFG::GPRInfo::toIndex):
3586         (JSC::DFG::GPRInfo::debugName):
3587         * dfg/DFGOperations.cpp:
3588         * dfg/DFGSpeculativeJIT.h:
3589         (JSC::DFG::SpeculativeJIT::callOperation):
3590         * jit/JITStubs.h:
3591         * jit/JITStubsSH4.h:
3592
3593 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3594
3595         Unreviewed, fix build.
3596
3597         * API/JSValue.mm:
3598         (isDate):
3599         (isArray):
3600         * API/JSWrapperMap.mm:
3601         (tryUnwrapObjcObject):
3602         * API/ObjCCallbackFunction.mm:
3603         (tryUnwrapBlock):
3604
3605 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3606
3607         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
3608         https://bugs.webkit.org/show_bug.cgi?id=119770
3609
3610         Reviewed by Mark Hahnenberg.
3611
3612         * API/JSCallbackConstructor.cpp:
3613         (JSC::JSCallbackConstructor::finishCreation):
3614         * API/JSCallbackConstructor.h:
3615         (JSC::JSCallbackConstructor::createStructure):
3616         * API/JSCallbackFunction.cpp:
3617         (JSC::JSCallbackFunction::finishCreation):
3618         * API/JSCallbackFunction.h:
3619         (JSC::JSCallbackFunction::createStructure):
3620         * API/JSCallbackObject.cpp:
3621         (JSC::::createStructure):
3622         * API/JSCallbackObject.h:
3623         (JSC::JSCallbackObject::visitChildren):
3624         * API/JSCallbackObjectFunctions.h:
3625         (JSC::::asCallbackObject):
3626         (JSC::::finishCreation):
3627         * API/JSObjectRef.cpp:
3628         (JSObjectGetPrivate):
3629         (JSObjectSetPrivate):
3630         (JSObjectGetPrivateProperty):
3631         (JSObjectSetPrivateProperty):
3632         (JSObjectDeletePrivateProperty):
3633         * API/JSValueRef.cpp:
3634         (JSValueIsObjectOfClass):
3635         * API/JSWeakObjectMapRefPrivate.cpp:
3636         * API/ObjCCallbackFunction.h:
3637         (JSC::ObjCCallbackFunction::createStructure):
3638         * JSCTypedArrayStubs.h:
3639         * bytecode/CallLinkStatus.cpp:
3640         (JSC::CallLinkStatus::CallLinkStatus):
3641         (JSC::CallLinkStatus::function):
3642         (JSC::CallLinkStatus::internalFunction):
3643         * bytecode/CodeBlock.h:
3644         (JSC::baselineCodeBlockForInlineCallFrame):
3645         * bytecode/SpeculatedType.cpp:
3646         (JSC::speculationFromClassInfo):
3647         * bytecode/UnlinkedCodeBlock.cpp:
3648         (JSC::UnlinkedFunctionExecutable::visitChildren):
3649         (JSC::UnlinkedCodeBlock::visitChildren):
3650         (JSC::UnlinkedProgramCodeBlock::visitChildren):
3651         * bytecode/UnlinkedCodeBlock.h:
3652         (JSC::UnlinkedFunctionExecutable::createStructure):
3653         (JSC::UnlinkedProgramCodeBlock::createStructure):
3654         (JSC::UnlinkedEvalCodeBlock::createStructure):
3655         (JSC::UnlinkedFunctionCodeBlock::createStructure):
3656         * debugger/Debugger.cpp:
3657         * debugger/DebuggerActivation.cpp:
3658         (JSC::DebuggerActivation::visitChildren):
3659         * debugger/DebuggerActivation.h:
3660         (JSC::DebuggerActivation::createStructure):
3661         * debugger/DebuggerCallFrame.cpp:
3662         (JSC::DebuggerCallFrame::functionName):
3663         * dfg/DFGAbstractInterpreterInlines.h:
3664         (JSC::DFG::::executeEffects):
3665         * dfg/DFGByteCodeParser.cpp:
3666         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3667         (JSC::DFG::ByteCodeParser::parseBlock):
3668         * dfg/DFGFixupPhase.cpp:
3669         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
3670         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3671         * dfg/DFGGraph.cpp:
3672         (JSC::DFG::Graph::dump):
3673         * dfg/DFGGraph.h:
3674         (JSC::DFG::Graph::isInternalFunctionConstant):
3675         * dfg/DFGOperations.cpp:
3676         * dfg/DFGSpeculativeJIT.cpp:
3677         (JSC::DFG::SpeculativeJIT::checkArray):
3678         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3679         * dfg/DFGThunks.cpp:
3680         (JSC::DFG::virtualForThunkGenerator):
3681         * interpreter/Interpreter.cpp:
3682         (JSC::loadVarargs):
3683         * jsc.cpp:
3684         (GlobalObject::createStructure):
3685         * profiler/LegacyProfiler.cpp:
3686         (JSC::LegacyProfiler::createCallIdentifier):
3687         * runtime/Arguments.cpp:
3688         (JSC::Arguments::visitChildren):
3689         * runtime/Arguments.h:
3690         (JSC::Arguments::createStructure):
3691         (JSC::asArguments):
3692         (JSC::Arguments::finishCreation):
3693         * runtime/ArrayConstructor.cpp:
3694         (JSC::arrayConstructorIsArray):
3695         * runtime/ArrayConstructor.h:
3696         (JSC::ArrayConstructor::createStructure):
3697         * runtime/ArrayPrototype.cpp:
3698         (JSC::ArrayPrototype::finishCreation):
3699         (JSC::arrayProtoFuncConcat):
3700         (JSC::attemptFastSort):
3701         * runtime/ArrayPrototype.h:
3702         (JSC::ArrayPrototype::createStructure):
3703         * runtime/BooleanConstructor.h:
3704         (JSC::BooleanConstructor::createStructure):
3705         * runtime/BooleanObject.cpp:
3706         (JSC::BooleanObject::finishCreation):
3707         * runtime/BooleanObject.h:
3708         (JSC::BooleanObject::createStructure):
3709         (JSC::asBooleanObject):
3710         * runtime/BooleanPrototype.cpp:
3711         (JSC::BooleanPrototype::finishCreation):
3712         (JSC::booleanProtoFuncToString):
3713         (JSC::booleanProtoFuncValueOf):
3714         * runtime/BooleanPrototype.h:
3715         (JSC::BooleanPrototype::createStructure):
3716         * runtime/DateConstructor.cpp:
3717         (JSC::constructDate):
3718         * runtime/DateConstructor.h:
3719         (JSC::DateConstructor::createStructure):
3720         * runtime/DateInstance.cpp:
3721         (JSC::DateInstance::finishCreation):
3722         * runtime/DateInstance.h:
3723         (JSC::DateInstance::createStructure):
3724         (JSC::asDateInstance):
3725         * runtime/DatePrototype.cpp:
3726         (JSC::formateDateInstance):
3727         (JSC::DatePrototype::finishCreation):
3728         (JSC::dateProtoFuncToISOString):
3729         (JSC::dateProtoFuncToLocaleString):
3730         (JSC::dateProtoFuncToLocaleDateString):
3731         (JSC::dateProtoFuncToLocaleTimeString):
3732         (JSC::dateProtoFuncGetTime):
3733         (JSC::dateProtoFuncGetFullYear):
3734         (JSC::dateProtoFuncGetUTCFullYear):
3735         (JSC::dateProtoFuncGetMonth):
3736         (JSC::dateProtoFuncGetUTCMonth):
3737         (JSC::dateProtoFuncGetDate):
3738         (JSC::dateProtoFuncGetUTCDate):
3739         (JSC::dateProtoFuncGetDay):
3740         (JSC::dateProtoFuncGetUTCDay):
3741         (JSC::dateProtoFuncGetHours):
3742         (JSC::dateProtoFuncGetUTCHours):
3743         (JSC::dateProtoFuncGetMinutes):
3744         (JSC::dateProtoFuncGetUTCMinutes):
3745         (JSC::dateProtoFuncGetSeconds):
3746         (JSC::dateProtoFuncGetUTCSeconds):
3747         (JSC::dateProtoFuncGetMilliSeconds):
3748         (JSC::dateProtoFuncGetUTCMilliseconds):
3749         (JSC::dateProtoFuncGetTimezoneOffset):
3750         (JSC::dateProtoFuncSetTime):
3751         (JSC::setNewValueFromTimeArgs):
3752         (JSC::setNewValueFromDateArgs):
3753         (JSC::dateProtoFuncSetYear):
3754         (JSC::dateProtoFuncGetYear):
3755         * runtime/DatePrototype.h:
3756         (JSC::DatePrototype::createStructure):
3757         * runtime/Error.h:
3758         (JSC::StrictModeTypeErrorFunction::createStructure):
3759         * runtime/ErrorConstructor.h:
3760         (JSC::ErrorConstructor::createStructure):
3761         * runtime/ErrorInstance.cpp:
3762         (JSC::ErrorInstance::finishCreation):
3763         * runtime/ErrorInstance.h:
3764         (JSC::ErrorInstance::createStructure):
3765         * runtime/ErrorPrototype.cpp:
3766         (JSC::ErrorPrototype::finishCreation):
3767         * runtime/ErrorPrototype.h:
3768         (JSC::ErrorPrototype::createStructure):
3769         * runtime/ExceptionHelpers.cpp:
3770         (JSC::isTerminatedExecutionException):
3771         * runtime/ExceptionHelpers.h:
3772         (JSC::TerminatedExecutionError::createStructure):
3773         * runtime/Executable.cpp:
3774         (JSC::EvalExecutable::visitChildren):
3775         (JSC::ProgramExecutable::visitChildren):
3776         (JSC::FunctionExecutable::visitChildren):
3777         (JSC::ExecutableBase::hashFor):
3778         * runtime/Executable.h:
3779         (JSC::ExecutableBase::createStructure):
3780         (JSC::NativeExecutable::createStructure):
3781         (JSC::EvalExecutable::createStructure):
3782         (JSC::ProgramExecutable::createStructure):
3783         (JSC::FunctionExecutable::compileFor):
3784         (JSC::FunctionExecutable::compileOptimizedFor):
3785         (JSC::FunctionExecutable::createStructure):
3786         * runtime/FunctionConstructor.h:
3787         (JSC::FunctionConstructor::createStructure):
3788         * runtime/FunctionPrototype.cpp:
3789         (JSC::functionProtoFuncToString):
3790         (JSC::functionProtoFuncApply):
3791         (JSC::functionProtoFuncBind):
3792         * runtime/FunctionPrototype.h:
3793         (JSC::FunctionPrototype::createStructure):
3794         * runtime/GetterSetter.cpp:
3795         (JSC::GetterSetter::visitChildren):
3796         * runtime/GetterSetter.h:
3797         (JSC::GetterSetter::createStructure):
3798         * runtime/InternalFunction.cpp:
3799         (JSC::InternalFunction::finishCreation):
3800         * runtime/InternalFunction.h:
3801         (JSC::InternalFunction::createStructure):
3802         (JSC::asInternalFunction):
3803         * runtime/JSAPIValueWrapper.h:
3804         (JSC::JSAPIValueWrapper::createStructure):
3805         * runtime/JSActivation.cpp:
3806         (JSC::JSActivation::visitChildren):
3807         (JSC::JSActivation::argumentsGetter):
3808         * runtime/JSActivation.h:
3809         (JSC::JSActivation::createStructure):
3810         (JSC::asActivation):
3811         * runtime/JSArray.h:
3812         (JSC::JSArray::createStructure):
3813         (JSC::asArray):
3814         (JSC::isJSArray):
3815         * runtime/JSBoundFunction.cpp:
3816         (JSC::JSBoundFunction::finishCreation):
3817         (JSC::JSBoundFunction::visitChildren):
3818         * runtime/JSBoundFunction.h:
3819         (JSC::JSBoundFunction::createStructure):
3820         * runtime/JSCJSValue.cpp:
3821         (JSC::JSValue::dumpInContext):
3822         * runtime/JSCJSValueInlines.h:
3823         (JSC::JSValue::isFunction):
3824         * runtime/JSCell.h:
3825         (JSC::jsCast):
3826         (JSC::jsDynamicCast):
3827         * runtime/JSCellInlines.h:
3828         (JSC::allocateCell):
3829         * runtime/JSFunction.cpp:
3830         (JSC::JSFunction::finishCreation):
3831         (JSC::JSFunction::visitChildren):
3832         (JSC::skipOverBoundFunctions):
3833         (JSC::JSFunction::callerGetter):
3834         * runtime/JSFunction.h:
3835         (JSC::JSFunction::createStructure):
3836         * runtime/JSGlobalObject.cpp:
3837         (JSC::JSGlobalObject::visitChildren):
3838         (JSC::slowValidateCell):
3839         * runtime/JSGlobalObject.h:
3840         (JSC::JSGlobalObject::createStructure):
3841         * runtime/JSNameScope.cpp:
3842         (JSC::JSNameScope::visitChildren):
3843         * runtime/JSNameScope.h:
3844         (JSC::JSNameScope::createStructure):
3845         * runtime/JSNotAnObject.h:
3846         (JSC::JSNotAnObject::createStructure):
3847         * runtime/JSONObject.cpp:
3848         (JSC::JSONObject::finishCreation):
3849         (JSC::unwrapBoxedPrimitive):
3850         (JSC::Stringifier::Stringifier):
3851         (JSC::Stringifier::appendStringifiedValue):
3852         (JSC::Stringifier::Holder::Holder):
3853         (JSC::Walker::walk):
3854         (JSC::JSONProtoFuncStringify):
3855         * runtime/JSONObject.h:
3856         (JSC::JSONObject::createStructure):
3857         * runtime/JSObject.cpp:
3858         (JSC::getCallableObjectSlow):
3859         (JSC::JSObject::visitChildren):
3860         (JSC::JSObject::copyBackingStore):
3861         (JSC::JSFinalObject::visitChildren):
3862         (JSC::JSObject::ensureInt32Slow):
3863         (JSC::JSObject::ensureDoubleSlow):
3864         (JSC::JSObject::ensureContiguousSlow):
3865         (JSC::JSObject::ensureArrayStorageSlow):
3866         * runtime/JSObject.h:
3867         (JSC::JSObject::finishCreation):
3868         (JSC::JSObject::createStructure):
3869         (JSC::JSNonFinalObject::createStructure):
3870         (JSC::JSFinalObject::createStructure):
3871         (JSC::isJSFinalObject):
3872         * runtime/JSPropertyNameIterator.cpp:
3873         (JSC::JSPropertyNameIterator::visitChildren):
3874         * runtime/JSPropertyNameIterator.h:
3875         (JSC::JSPropertyNameIterator::createStructure):
3876         * runtime/JSProxy.cpp:
3877         (JSC::JSProxy::visitChildren):
3878         * runtime/JSProxy.h:
3879         (JSC::JSProxy::createStructure):
3880         * runtime/JSScope.cpp:
3881         (JSC::JSScope::visitChildren):
3882         * runtime/JSSegmentedVariableObject.cpp:
3883         (JSC::JSSegmentedVariableObject::visitChildren):
3884         * runtime/JSString.h:
3885         (JSC::JSString::createStructure):
3886         (JSC::isJSString):
3887         * runtime/JSSymbolTableObject.cpp:
3888         (JSC::JSSymbolTableObject::visitChildren):
3889         * runtime/JSVariableObject.h:
3890         * runtime/JSWithScope.cpp:
3891         (JSC::JSWithScope::visitChildren):
3892         * runtime/JSWithScope.h:
3893         (JSC::JSWithScope::createStructure):
3894         * runtime/JSWrapperObject.cpp:
3895         (JSC::JSWrapperObject::visitChildren):
3896         * runtime/JSWrapperObject.h:
3897         (JSC::JSWrapperObject::createStructure):
3898         * runtime/MathObject.cpp:
3899         (JSC::MathObject::finishCreation):
3900         * runtime/MathObject.h:
3901         (JSC::MathObject::createStructure):
3902         * runtime/NameConstructor.h:
3903         (JSC::NameConstructor::createStructure):
3904         * runtime/NameInstance.h:
3905         (JSC::NameInstance::createStructure):
3906         (JSC::NameInstance::finishCreation):
3907         * runtime/NamePrototype.cpp:
3908         (JSC::NamePrototype::finishCreation):
3909         (JSC::privateNameProtoFuncToString):
3910         * runtime/NamePrototype.h:
3911         (JSC::NamePrototype::createStructure):
3912         * runtime/NativeErrorConstructor.cpp:
3913         (JSC::NativeErrorConstructor::visitChildren):
3914         * runtime/NativeErrorConstructor.h:
3915         (JSC::NativeErrorConstructor::createStructure):
3916         (JSC::NativeErrorConstructor::finishCreation):
3917         * runtime/NumberConstructor.cpp:
3918         (JSC::NumberConstructor::finishCreation):
3919         * runtime/NumberConstructor.h:
3920         (JSC::NumberConstructor::createStructure):
3921         * runtime/NumberObject.cpp:
3922         (JSC::NumberObject::finishCreation):