Source/JavaScriptCore/ChangeLog (WebKit-https.git, commit 5baee7e767107266f4a551d85d994c2ab20830eb)

2013-08-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.

        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).

        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.

        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.

        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.

        This patch solves these problems by reducing all of that complexity into just
        three primitives:

        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.

        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.

        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.

        This functionality is then wrapped around three convenience methods:

        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).

        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.

        - CodeBlock::install(). Asks the Executable to install this code block.

        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.

        It also allows me to work on FTL OSR entry and tier-up:

        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.

        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

2013-08-28  Chris Curtis  <chris_curtis@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119548
        Refactoring Exception throws.

        Reviewed by Geoffrey Garen.

        Gardening of exception throws. The act of throwing an exception was being handled in
        different ways depending on whether the code was running in the LLInt, Baseline JIT,
        or the DFG JIT. This made development in the VM exception and error objects difficult.

        * runtime/VM.cpp:
        (JSC::appendSourceToError):
        This function moved from the interpreter into the VM. It views the developer's code
        (if there is a codeBlock) to extract what was trying to be evaluated when the error
        occurred.

        (JSC::VM::throwException):
        This function takes in the error object and sets the following:
            1: The VM's exception stack
            2: The VM's exception
            3: Appends extra information on the error message (via appendSourceToError)
            4: The error object's line number
            5: The error object's column number
            6: The error object's sourceURL
            7: The error object's stack trace (unless it already exists because the developer
                created the error object).

        (JSC::VM::getExceptionInfo):
        (JSC::VM::setExceptionInfo):
        (JSC::VM::clearException):
        (JSC::clearExceptionStack):
        * runtime/VM.h:
        (JSC::VM::exceptionOffset):
        (JSC::VM::exception):
        (JSC::VM::addressOfException):
        (JSC::VM::exceptionStack):
        VM exception and exceptionStack are now private data members.

        * interpreter/Interpreter.h:
        (JSC::ClearExceptionScope::ClearExceptionScope):
        Created this structure to temporarily clear the exception within the VM. This is
        needed to see if additional errors occur when setting the debugger as we are
        unwinding the stack.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        Removed the code that would try to add error information if it did not exist.
        All of this functionality has moved into the VM and all error information is set
        at the time the error occurs.

        The rest of these functions reference the new calling convention to throw an error.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::defaultValue):
        (JSC::::put):
        (JSC::::putByIndex):
        (JSC::::deleteProperty):
        (JSC::::construct):
        (JSC::::customHasInstance):
        (JSC::::call):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * debugger/Debugger.cpp:
        (JSC::evaluateInGlobalCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * interpreter/CallFrame.h:
        (JSC::ExecState::clearException):
        (JSC::ExecState::exception):
        (JSC::ExecState::hadException):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::loadVarargs):
        (JSC::stackTraceAsString):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        (JSC::ClearExceptionScope::ClearExceptionScope):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_catch):
        * jit/JITStubs.cpp:
        (JSC::returnToThrowTrampoline):
        (JSC::throwExceptionFromOpCall):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        (JSC::putByVal):
        (JSC::cti_vm_handle_exception):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * jsc.cpp:
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::throwTypeError):
        (JSC::throwSyntaxError):
        * runtime/Error.h:
        (JSC::throwVMError):
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwOutOfMemoryError):
        (JSC::throwStackOverflowError):
        (JSC::throwTerminatedExecutionException):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::push):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::validateRange):
        (JSC::::setWithSpecificType):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncProtoSetter):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::put):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::defaultValue):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::defaultHasInstance):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::throwTypeError):
        * runtime/ObjectConstructor.cpp:
        (JSC::toPropertyDescriptor):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringRecursionChecker.cpp:
        (JSC::StringRecursionChecker::throwStackOverflowError):

2013-08-28  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Add support for building JSC with FTL JIT enabled
        https://bugs.webkit.org/show_bug.cgi?id=120270

        Reviewed by Filip Pizlo.

        * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
        compiler flags for the JSC library.
        * GNUmakefile.list.am: Add the missing build targets.
        * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
        failures when using the Clang compiler with the libstdc++ standard library.
        (JSC::FTL::mdKindID):
        (JSC::FTL::mdString):

2013-08-23  Andy Estes  <aestes@apple.com>

        Fix issues found by the Clang Static Analyzer
        https://bugs.webkit.org/show_bug.cgi?id=120230

        Reviewed by Darin Adler.

        * API/JSValue.mm:
        (valueToString): Don't leak every CFStringRef when in Objective-C GC.
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
        release m_invocation's target since NSInvocation will do it for us on
        -dealloc.
        (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
        and -release our reference to the copied block.
        * API/tests/minidom.c:
        (createStringWithContentsOfFile): Free buffer before returning.
        * API/tests/testapi.c:
        (createStringWithContentsOfFile): Ditto.

2013-08-26  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r154629.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>

        Windows build fix attempt after r154629.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
        https://bugs.webkit.org/show_bug.cgi?id=120278

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

2013-08-26  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of Executable.h.

        Rubber stamped by Mark Hahnenberg.

        * runtime/Executable.h:

2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
        https://bugs.webkit.org/show_bug.cgi?id=120314

        Reviewed by Darin Adler.

        Currently with the way that defineProperty works, we leave a stray low bit set in
        PropertyDescriptor::m_attributes in the following code:

        var o = {};
        Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});

        This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1
        instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF,
        but only the top three bits mean anything. Even in the case above, the top three bits are set
        to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.

        Since some of these attributes and their corresponding values are exposed in the JavaScriptCore
        framework's public C API, it's safer to just change how we calculate the default value, which is
        where the weirdness was originating from in the first place.

        * runtime/PropertyDescriptor.cpp:

2013-08-24  Sam Weinig  <sam@webkit.org>

        Add support for Promises
        https://bugs.webkit.org/show_bug.cgi?id=120260

        Reviewed by Darin Adler.

        Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
        - Despite Promises being defined in the DOM, the implementation is being put in JSC
          in preparation for the Promises eventually being defined in ECMAScript.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        Add new files.

        * jsc.cpp:
        Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
        you can't quite use Promises with the command line tool yet.

        * interpreter/CallFrame.h:
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        (JSC::ExecState::promiseResolverPrototypeTable):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        Add supporting code for the new static lookup tables.

        * runtime/CommonIdentifiers.h:
        Add 3 new identifiers, "Promise", "PromiseResolver", and "then".

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        Add supporting code for Promise and PromiseResolver's constructors and structures.

        * runtime/JSGlobalObject.h:
        (JSC::TaskContext::~TaskContext):
        Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.

        (JSC::JSGlobalObject::promisePrototype):
        (JSC::JSGlobalObject::promiseResolverPrototype):
        (JSC::JSGlobalObject::promiseStructure):
        (JSC::JSGlobalObject::promiseResolverStructure):
        (JSC::JSGlobalObject::promiseCallbackStructure):
        (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
        Add supporting code for Promise and PromiseResolver's constructors and structures.

        * runtime/JSPromise.cpp: Added.
        * runtime/JSPromise.h: Added.
        * runtime/JSPromiseCallback.cpp: Added.
        * runtime/JSPromiseCallback.h: Added.
        * runtime/JSPromiseConstructor.cpp: Added.
        * runtime/JSPromiseConstructor.h: Added.
        * runtime/JSPromisePrototype.cpp: Added.
        * runtime/JSPromisePrototype.h: Added.
        * runtime/JSPromiseResolver.cpp: Added.
        * runtime/JSPromiseResolver.h: Added.
        * runtime/JSPromiseResolverConstructor.cpp: Added.
        * runtime/JSPromiseResolverConstructor.h: Added.
        * runtime/JSPromiseResolverPrototype.cpp: Added.
        * runtime/JSPromiseResolverPrototype.h: Added.
        Add Promise implementation.

2013-08-26  Zan Dobersek  <zdobersek@igalia.com>

        Plenty of -Wcast-align warnings in KeywordLookup.h
        https://bugs.webkit.org/show_bug.cgi?id=120316

        Reviewed by Darin Adler.

        * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
        the character pointers to types of larger size. This avoids spewing lots of warnings
        in the KeywordLookup.h header when compiling with the -Wcast-align option.

2013-08-26  Gavin Barraclough  <barraclough@apple.com>

        RegExpMatchesArray should not call [[put]]
        https://bugs.webkit.org/show_bug.cgi?id=120317

        Reviewed by Oliver Hunt.

        This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
        property called index or input to either of these prototypes will result in broken behavior.

        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
            - put -> putDirect
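
The put-versus-putDirect distinction behind this entry, as an added JavaScript example that is not WebKit's code: `reifyWithPut` and `reifyWithPutDirect` are this example's own models of the two strategies, and the setter installed on `Array.prototype` is constructed here so that interception becomes observable. The same probe is then run against the host engine's own `RegExp.prototype.exec`, which the spec requires to create `index` and `input` as own data properties, so a prototype accessor must never see them.

```javascript
// Added example, not WebKit code: engine-internal property creation must use
// define-own-property semantics (JSC's putDirect), not ordinary assignment
// ([[Put]], JSC's put), or anything placed on Array.prototype can intercept it.

// Model of the old strategy: assignment walks the prototype chain first, so an
// accessor or read-only property named `index`/`input` on Array.prototype wins.
function reifyWithPut(matches, index, input) {
  matches.index = index;
  matches.input = input;
  return matches;
}

// Model of the fixed strategy: unconditionally create own data properties,
// which is what the spec's CreateDataProperty does for match results.
function reifyWithPutDirect(matches, index, input) {
  const data = (value) => ({ value, writable: true, enumerable: true, configurable: true });
  Object.defineProperty(matches, 'index', data(index));
  Object.defineProperty(matches, 'input', data(input));
  return matches;
}

// Run one reify strategy while Array.prototype carries a constructed setter
// named `index`, record what it observed, then restore the prototype.
function runWithPoisonedPrototype(reify) {
  const setterCalls = [];
  Object.defineProperty(Array.prototype, 'index', {
    configurable: true,
    set(v) { setterCalls.push(v); },   // swallows the value instead of storing it
  });
  try {
    const m = reify(['b'], 1, 'abc');
    return {
      setterCalls: setterCalls.length,
      ownIndex: Object.prototype.hasOwnProperty.call(m, 'index'),
      index: m.index,
    };
  } finally {
    delete Array.prototype.index;
  }
}

// The same probe against the host engine's exec(): a conforming engine reports
// zero setter calls and an own `index` of 1.
function probeEngineExec() {
  return runWithPoisonedPrototype(() => /b/.exec('abc'));
}
```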

2013-08-24  Filip Pizlo  <fpizlo@apple.com>

        FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
        https://bugs.webkit.org/show_bug.cgi?id=120228

        Reviewed by Oliver Hunt.

        It turns out that there were three problems:

        - Using jsNumber() meant that we were converting doubles to integers and then
          possibly back again whenever doing a set() between floating point arrays.

        - Slow-path accesses to double typed arrays were slower than necessary because
          of the to-int conversion attempt.

        - The use of JSValue as an intermediate for converting between different types
          in typedArray.set() resulted in worse code than I had previously expected.

        This patch solves the problem by using template double-dispatch to ensure that
        the C++ compiler sees the simplest possible combination of casts between any
        combination of typed array types, while still preserving JS and typed array
        conversion semantics. Conversions are done as follows:

            SourceAdaptor::convertTo<TargetAdaptor>(value)

        Internally, convertTo() calls one of three possible methods on TargetAdaptor,
        with one method for each of int32_t, uint32_t, and double. This means that the
        C++ compiler will at worst see a widening cast to one of those types followed
        by a narrowing conversion (not necessarily a cast - may have clamping or the
        JS toInt32() function).

        This change doesn't just affect typedArray.set(); it also affects slow-path
        accesses to typed arrays as well. This patch also adds a bunch of new test
        coverage.

        This change is a ~50% speed-up on typedArray.set() involving floating point
        types.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::set):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::setData):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
        (JSC::JSGenericTypedArrayView::setIndexQuickly):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::setWithSpecificType):
        (JSC::::set):
        * runtime/ToNativeFromValue.h: Added.
        (JSC::toNativeFromValue):
        * runtime/TypedArrayAdaptors.h:
        (JSC::IntegralTypedArrayAdaptor::toJSValue):
        (JSC::IntegralTypedArrayAdaptor::toDouble):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
        (JSC::IntegralTypedArrayAdaptor::convertTo):
        (JSC::FloatTypedArrayAdaptor::toJSValue):
        (JSC::FloatTypedArrayAdaptor::toDouble):
        (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
        (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
        (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
        (JSC::FloatTypedArrayAdaptor::convertTo):
        (JSC::Uint8ClampedAdaptor::toJSValue):
        (JSC::Uint8ClampedAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
        (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
        (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
        (JSC::Uint8ClampedAdaptor::convertTo):
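
The adaptor double-dispatch this entry describes, as an added JavaScript model that is not WebKit's code: the method names (`toNativeFromInt32`, `toNativeFromUint32`, `toNativeFromDouble`, `convertTo`) follow the entry, but the bodies, the `widen` tag on each adaptor and the `matchesNative` check against the engine's own `TypedArray.prototype.set` are this example's assumptions.

```javascript
// Added example, not WebKit code: every source element widens to exactly one of
// int32, uint32 or double, and every target narrows from that type, so each
// conversion is one widening step plus one narrowing step (clamp or toInt32).

const toInt32 = (x) => x | 0;      // ES ToInt32: modular wrap, NaN -> 0

// ES ToUint8Clamp: clamp to [0, 255], then round half to even.
function toUint8Clamp(x) {
  if (!(x > 0)) return 0;          // NaN, -0 and negatives
  if (x >= 255) return 255;
  const f = Math.floor(x);
  if (f + 0.5 < x) return f + 1;
  if (x < f + 0.5) return f;
  return f % 2 === 0 ? f : f + 1;
}

// Integral element types keep the low `bits` of the two's-complement value.
function integralAdaptor(Ctor, bits, signed) {
  const wrap = (v) => {
    const u = (v & (2 ** bits - 1)) >>> 0;        // `&` applies ToInt32 to v
    return signed && u >= 2 ** (bits - 1) ? u - 2 ** bits : u;
  };
  return {
    Ctor,
    widen: bits === 32 && !signed ? 'uint32' : 'int32',
    toNativeFromInt32: wrap,
    toNativeFromUint32: wrap,
    toNativeFromDouble: (d) => wrap(toInt32(d)),  // JS toInt32(), then truncate
  };
}

// Float element types never lose the integer; Float32 only rounds precision.
function floatAdaptor(Ctor, narrow) {
  return { Ctor, widen: 'double', toNativeFromInt32: narrow, toNativeFromUint32: narrow, toNativeFromDouble: narrow };
}

const clampInt = (v) => Math.min(255, Math.max(0, v));   // integer input: no rounding

const Adaptors = {
  Int8: integralAdaptor(Int8Array, 8, true),
  Uint8: integralAdaptor(Uint8Array, 8, false),
  Int16: integralAdaptor(Int16Array, 16, true),
  Uint16: integralAdaptor(Uint16Array, 16, false),
  Int32: integralAdaptor(Int32Array, 32, true),
  Uint32: integralAdaptor(Uint32Array, 32, false),
  Float32: floatAdaptor(Float32Array, Math.fround),
  Float64: floatAdaptor(Float64Array, (d) => d),
  Uint8Clamped: {
    Ctor: Uint8ClampedArray, widen: 'int32',
    toNativeFromInt32: clampInt, toNativeFromUint32: clampInt,
    toNativeFromDouble: toUint8Clamp,
  },
};

// The double dispatch: the source chooses the widening type, the target narrows.
function convertTo(src, dst, value) {
  switch (src.widen) {
    case 'int32': return dst.toNativeFromInt32(value);
    case 'uint32': return dst.toNativeFromUint32(value);
    default: return dst.toNativeFromDouble(value);
  }
}

// Convert what a source array would actually hold (after its own construction
// conversion) element by element into the target element type.
function convertValues(src, dst, values) {
  return Array.from(new src.Ctor(values)).map((v) => convertTo(src, dst, v));
}

// Cross-check the model against the engine's typedArray.set(); Object.is keeps
// NaN comparable.
function matchesNative(src, dst, values) {
  const srcArr = new src.Ctor(values);
  const native = new dst.Ctor(srcArr.length);
  native.set(srcArr);
  const model = convertValues(src, dst, values);
  return model.length === native.length && model.every((v, i) => Object.is(v, native[i]));
}
```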
631
632 2013-08-24  Dan Bernstein  <mitz@apple.com>
633
634         [mac] link against libz in a more civilized manner
635         https://bugs.webkit.org/show_bug.cgi?id=120258
636
637         Reviewed by Darin Adler.
638
639         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
640         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
641         Link Binary With Libraries build phase.
642
643 2013-08-23  Laszlo Papp  <lpapp@kde.org>
644
645         Failure building with python3
646         https://bugs.webkit.org/show_bug.cgi?id=106645
647
648         Reviewed by Benjamin Poulain.
649
650         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
651         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
652
653         * disassembler/udis86/itab.py:
654         (UdItabGenerator.genInsnTable):
655         * disassembler/udis86/ud_opcode.py:
656         (UdOpcodeTables.print_table):
657         * disassembler/udis86/ud_optable.py:
658         (UdOptableXmlParser.parseDef):
659         (UdOptableXmlParser.parse):
660         (printFn):
661
662 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
663
664         Incorrect TypedArray#set behavior
665         https://bugs.webkit.org/show_bug.cgi?id=83818
666
667         Reviewed by Oliver Hunt and Mark Hahnenberg.
668         
669         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
670         not smart enough to figure out optimal versions for *all* of the cases. But I
671         did come up with optimal implementations for most of the cases, and I wrote
672         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
673         enough to write optimal code for.
674
675         * runtime/JSArrayBufferView.h:
676         (JSC::JSArrayBufferView::hasArrayBuffer):
677         * runtime/JSArrayBufferViewInlines.h:
678         (JSC::JSArrayBufferView::buffer):
679         (JSC::JSArrayBufferView::existingBufferInButterfly):
680         (JSC::JSArrayBufferView::neuter):
681         (JSC::JSArrayBufferView::byteOffset):
682         * runtime/JSGenericTypedArrayView.h:
683         * runtime/JSGenericTypedArrayViewInlines.h:
684         (JSC::::setWithSpecificType):
685         (JSC::::set):
686         (JSC::::existingBuffer):
687
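        The "memmove on steroids" behaviour that this entry describes, shown from the
        JavaScript side as an added example (this is not JavaScriptCore code and not part
        of the ChangeLog): a spec-literal reference set() that stages the source through a
        transfer buffer, a naive copy that does not, and a probe that runs the engine's
        native TypedArray.prototype.set against both on two views that overlap in memory.
        The function and variable names and the sample buffer contents are constructed here.

```javascript
// Added example (not JavaScriptCore code): a spec-literal reference for
// TypedArray.prototype.set that stages the source in a transfer buffer, a
// naive copy that does not, and a probe that runs the engine's native set()
// against both on views that overlap in memory. All sample data is constructed.

// Reference: read every source element into a temporary array before writing
// a single target element. Correct even when source and target alias the same
// bytes, at the cost of one extra copy.
function setViaTransferBuffer(target, source, offset = 0) {
  if (offset < 0 || offset + source.length > target.length) {
    throw new RangeError("offset is out of bounds");
  }
  const staged = Array.from(source); // snapshot before any write
  for (let i = 0; i < staged.length; i++) {
    target[offset + i] = staged[i];
  }
  return target;
}

// Naive element-by-element copy: wrong when the views alias, because the
// writes clobber source elements that have not been read yet.
function setNaive(target, source, offset = 0) {
  for (let i = 0; i < source.length; i++) {
    target[offset + i] = source[i];
  }
  return target;
}

// Two views over one 16-byte buffer: 4 x Int32 and 16 x Uint8. Writing through
// the int view changes bytes that the byte view is about to be read from.
function makeOverlappingViews() {
  const buf = new ArrayBuffer(16);
  const ints = new Int32Array(buf);
  const bytes = new Uint8Array(buf);
  ints.set([0x01020304, 0x05060708, 0x090a0b0c, 0x0d0e0f10]);
  return { ints, bytes };
}

// Copy the first four bytes (through the byte view) into the int view at
// index 0 using the native set(), the reference, and the naive copy, and
// report which of them agree. The exact numbers depend on host endianness,
// but native and reference always agree and the naive copy always differs.
function compareSetImplementations() {
  const native = makeOverlappingViews();
  const reference = makeOverlappingViews();
  const naive = makeOverlappingViews();
  native.ints.set(native.bytes.subarray(0, 4), 0);
  setViaTransferBuffer(reference.ints, reference.bytes.subarray(0, 4), 0);
  setNaive(naive.ints, naive.bytes.subarray(0, 4), 0);
  const same = (a, b) => a.length === b.length && a.every((v, i) => v === b[i]);
  return {
    native: Array.from(native.ints),
    reference: Array.from(reference.ints),
    naive: Array.from(naive.ints),
    nativeMatchesReference: same(native.ints, reference.ints),
    naiveMatchesReference: same(naive.ints, reference.ints),
  };
}
```

        On a little-endian host the native and reference results are [4, 3, 2, 1] while
        the naive copy yields [4, 0, 0, 0], because the first Int32 write zeroes the three
        bytes the naive loop has not read yet; the transfer-buffer version is what the
        entry calls the spec-literal fallback for the cases without a specialised path.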
688 2013-08-23  Alex Christensen  <achristensen@apple.com>
689
690         Re-separating Win32 and Win64 builds.
691         https://bugs.webkit.org/show_bug.cgi?id=120178
692
693         Reviewed by Brent Fulgham.
694
695         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
696         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
697         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
698         Pass PlatformArchitecture as a command line parameter to bash scripts.
699         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
700         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
701         * JavaScriptCore.vcxproj/build-generated-files.sh:
702         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
703
704 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
705
706         build-jsc --ftl-jit should work
707         https://bugs.webkit.org/show_bug.cgi?id=120194
708
709         Reviewed by Oliver Hunt.
710
711         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
712         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
713         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
714         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
715         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
716         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
717
718 2013-08-23  Oliver Hunt  <oliver@apple.com>
719
720         Re-sort xcode project file
721
722         * JavaScriptCore.xcodeproj/project.pbxproj:
723
724 2013-08-23  Oliver Hunt  <oliver@apple.com>
725
726         Support in memory compression of rarely used data
727         https://bugs.webkit.org/show_bug.cgi?id=120143
728
729         Reviewed by Gavin Barraclough.
730
731         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
732
733         * Configurations/JavaScriptCore.xcconfig:
734         * bytecode/UnlinkedCodeBlock.cpp:
735         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
736         (JSC::UnlinkedCodeBlock::addExpressionInfo):
737         * bytecode/UnlinkedCodeBlock.h:
738
739 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
740
741         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
742         https://bugs.webkit.org/show_bug.cgi?id=120179
743
744         Reviewed by Geoffrey Garen.
745
746         There are many places in the code for JSObject and JSArray where they are manipulating their 
747         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
748         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
749         like it will make this dance even more intricate. To make everybody's lives easier we should use 
750         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
751         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
752         should not incur any additional overhead.
753
754         * heap/Heap.h:
755         * runtime/JSArray.cpp:
756         (JSC::JSArray::unshiftCountSlowCase):
757         * runtime/JSObject.cpp:
758         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
759         (JSC::JSObject::createInitialUndecided):
760         (JSC::JSObject::createInitialInt32):
761         (JSC::JSObject::createInitialDouble):
762         (JSC::JSObject::createInitialContiguous):
763         (JSC::JSObject::createArrayStorage):
764         (JSC::JSObject::convertUndecidedToArrayStorage):
765         (JSC::JSObject::convertInt32ToArrayStorage):
766         (JSC::JSObject::convertDoubleToArrayStorage):
767         (JSC::JSObject::convertContiguousToArrayStorage):
768         (JSC::JSObject::increaseVectorLength):
769         (JSC::JSObject::ensureLengthSlow):
770         * runtime/JSObject.h:
771         (JSC::JSObject::putDirectInternal):
772         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
773         (JSC::JSObject::putDirectWithoutTransition):
774
775 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
776
777         Update LLVM binary drops and scripts to the latest version from SVN
778         https://bugs.webkit.org/show_bug.cgi?id=120184
779
780         Reviewed by Mark Hahnenberg.
781
782         * dfg/DFGPlan.cpp:
783         (JSC::DFG::Plan::compileInThreadImpl):
784
785 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
786
787         Don't leak registers for redeclared variables
788         https://bugs.webkit.org/show_bug.cgi?id=120174
789
790         Reviewed by Geoff Garen.
791
792         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
793         Only allocate new registers when necessary.
794
795         No performance impact.
796
797         * interpreter/Interpreter.cpp:
798         (JSC::Interpreter::execute):
799         * runtime/Executable.cpp:
800         (JSC::ProgramExecutable::initializeGlobalProperties):
801             - Don't allocate the register here.
802         * runtime/JSGlobalObject.cpp:
803         (JSC::JSGlobalObject::addGlobalVar):
804             - Allocate the register here instead.
805
806 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
807
808         https://bugs.webkit.org/show_bug.cgi?id=120128
809         Remove putDirectVirtual
810
811         Unreviewed, checked in commented out code. :-(
812
813         * interpreter/Interpreter.cpp:
814         (JSC::Interpreter::execute):
815             - delete commented out code
816
817 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
818
819         Error.stack should not be enumerable
820         https://bugs.webkit.org/show_bug.cgi?id=120171
821
822         Reviewed by Oliver Hunt.
823
824         Breaks ECMA tests.
825
826         * runtime/ErrorInstance.cpp:
827         (JSC::ErrorInstance::finishCreation):
828             - None -> DontEnum
829
830 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
831
832         https://bugs.webkit.org/show_bug.cgi?id=120128
833         Remove putDirectVirtual
834
835         Reviewed by Sam Weinig.
836
837         This could most generously be described as 'vestigial'.
838         No performance impact.
839
840         * API/JSObjectRef.cpp:
841         (JSObjectSetProperty):
842             - changed to use defineOwnProperty
843         * debugger/DebuggerActivation.cpp:
844         * debugger/DebuggerActivation.h:
845             - remove putDirectVirtual
846         * interpreter/Interpreter.cpp:
847         (JSC::Interpreter::execute):
848             - changed to use defineOwnProperty
849         * runtime/ClassInfo.h:
850         * runtime/JSActivation.cpp:
851         * runtime/JSActivation.h:
852         * runtime/JSCell.cpp:
853         * runtime/JSCell.h:
854         * runtime/JSGlobalObject.cpp:
855         * runtime/JSGlobalObject.h:
856         * runtime/JSObject.cpp:
857         * runtime/JSObject.h:
858         * runtime/JSProxy.cpp:
859         * runtime/JSProxy.h:
860         * runtime/JSSymbolTableObject.cpp:
861         * runtime/JSSymbolTableObject.h:
862             - remove putDirectVirtual
863         * runtime/PropertyDescriptor.h:
864         (JSC::PropertyDescriptor::PropertyDescriptor):
865             - added constructor for convenience
866
867 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
868
869         errorDescriptionForValue() should not assume error value is an Object
870         https://bugs.webkit.org/show_bug.cgi?id=119812
871
872         Reviewed by Geoffrey Garen.
873
874         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
875         has no type, the function now returns the empty string.

876         * runtime/ExceptionHelpers.cpp:
877         (JSC::errorDescriptionForValue):
878
879 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
880
881         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
882         https://bugs.webkit.org/show_bug.cgi?id=120107
883
884         Reviewed by Yong Li.
885
886         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
887
888         * dfg/DFGSpeculativeJIT.h:
889         (JSC::DFG::SpeculativeJIT::callOperation):
890
891 2013-08-21  Commit Queue  <commit-queue@webkit.org>
892
893         Unreviewed, rolling out r154416.
894         http://trac.webkit.org/changeset/154416
895         https://bugs.webkit.org/show_bug.cgi?id=120147
896
897         Broke Windows builds (Requested by rniwa on #webkit).
898
899         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
900         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
901         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
902         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
903         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
904         * JavaScriptCore.vcxproj/build-generated-files.sh:
905
906 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
907
908         Clarify var/const/function declaration
909         https://bugs.webkit.org/show_bug.cgi?id=120144
910
911         Reviewed by Sam Weinig.
912
913         Add methods to JSGlobalObject to declare vars, consts, and functions.
914
915         * runtime/Executable.cpp:
916         (JSC::ProgramExecutable::initializeGlobalProperties):
917         * runtime/Executable.h:
918             - Moved declaration code to JSGlobalObject
919         * runtime/JSGlobalObject.cpp:
920         (JSC::JSGlobalObject::addGlobalVar):
921             - internal implementation of addVar, addConst, addFunction
922         * runtime/JSGlobalObject.h:
923         (JSC::JSGlobalObject::addVar):
924         (JSC::JSGlobalObject::addConst):
925         (JSC::JSGlobalObject::addFunction):
926             - Added methods to declare vars, consts, and functions
927
928 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
929
930         https://bugs.webkit.org/show_bug.cgi?id=119900
931         Exception in global setter doesn't unwind correctly
932
933         Reviewed by Geoffrey Garen.
934
935         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
936
937         * jit/JITStubs.cpp:
938         (JSC::DEFINE_STUB_FUNCTION):
939
940 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
941
942         Rename/refactor setButterfly/setStructure
943         https://bugs.webkit.org/show_bug.cgi?id=120138
944
945         Reviewed by Geoffrey Garen.
946
947         setButterfly becomes setStructureAndButterfly.
948
949         Also removed the Butterfly* argument from setStructure and just implicitly
950         used m_butterfly internally since that's what every single client of setStructure
951         was doing already.
952
953         * jit/JITStubs.cpp:
954         (JSC::DEFINE_STUB_FUNCTION):
955         * runtime/JSObject.cpp:
956         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
957         (JSC::JSObject::createInitialUndecided):
958         (JSC::JSObject::createInitialInt32):
959         (JSC::JSObject::createInitialDouble):
960         (JSC::JSObject::createInitialContiguous):
961         (JSC::JSObject::createArrayStorage):
962         (JSC::JSObject::convertUndecidedToInt32):
963         (JSC::JSObject::convertUndecidedToDouble):
964         (JSC::JSObject::convertUndecidedToContiguous):
965         (JSC::JSObject::convertUndecidedToArrayStorage):
966         (JSC::JSObject::convertInt32ToDouble):
967         (JSC::JSObject::convertInt32ToContiguous):
968         (JSC::JSObject::convertInt32ToArrayStorage):
969         (JSC::JSObject::genericConvertDoubleToContiguous):
970         (JSC::JSObject::convertDoubleToArrayStorage):
971         (JSC::JSObject::convertContiguousToArrayStorage):
972         (JSC::JSObject::switchToSlowPutArrayStorage):
973         (JSC::JSObject::setPrototype):
974         (JSC::JSObject::putDirectAccessor):
975         (JSC::JSObject::seal):
976         (JSC::JSObject::freeze):
977         (JSC::JSObject::preventExtensions):
978         (JSC::JSObject::reifyStaticFunctionsForDelete):
979         (JSC::JSObject::removeDirect):
980         * runtime/JSObject.h:
981         (JSC::JSObject::setStructureAndButterfly):
982         (JSC::JSObject::setStructure):
983         (JSC::JSObject::putDirectInternal):
984         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
985         (JSC::JSObject::putDirectWithoutTransition):
986         * runtime/Structure.cpp:
987         (JSC::Structure::flattenDictionaryStructure):
988
989 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
990
991         https://bugs.webkit.org/show_bug.cgi?id=120127
992         Remove JSObject::propertyIsEnumerable
993
994         Unreviewed typo fix
995
996         * runtime/JSObject.h:
997             - fix typo
998
999 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1000
1001         https://bugs.webkit.org/show_bug.cgi?id=120139
1002         PropertyDescriptor argument to define methods should be const
1003
1004         Rubber stamped by Sam Weinig.
1005
1006         This should never be modified, and this way we can use rvalues.
1007
1008         * debugger/DebuggerActivation.cpp:
1009         (JSC::DebuggerActivation::defineOwnProperty):
1010         * debugger/DebuggerActivation.h:
1011         * runtime/Arguments.cpp:
1012         (JSC::Arguments::defineOwnProperty):
1013         * runtime/Arguments.h:
1014         * runtime/ClassInfo.h:
1015         * runtime/JSArray.cpp:
1016         (JSC::JSArray::defineOwnProperty):
1017         * runtime/JSArray.h:
1018         * runtime/JSArrayBuffer.cpp:
1019         (JSC::JSArrayBuffer::defineOwnProperty):
1020         * runtime/JSArrayBuffer.h:
1021         * runtime/JSArrayBufferView.cpp:
1022         (JSC::JSArrayBufferView::defineOwnProperty):
1023         * runtime/JSArrayBufferView.h:
1024         * runtime/JSCell.cpp:
1025         (JSC::JSCell::defineOwnProperty):
1026         * runtime/JSCell.h:
1027         * runtime/JSFunction.cpp:
1028         (JSC::JSFunction::defineOwnProperty):
1029         * runtime/JSFunction.h:
1030         * runtime/JSGenericTypedArrayView.h:
1031         * runtime/JSGenericTypedArrayViewInlines.h:
1032         (JSC::::defineOwnProperty):
1033         * runtime/JSGlobalObject.cpp:
1034         (JSC::JSGlobalObject::defineOwnProperty):
1035         * runtime/JSGlobalObject.h:
1036         * runtime/JSObject.cpp:
1037         (JSC::JSObject::putIndexedDescriptor):
1038         (JSC::JSObject::defineOwnIndexedProperty):
1039         (JSC::putDescriptor):
1040         (JSC::JSObject::defineOwnNonIndexProperty):
1041         (JSC::JSObject::defineOwnProperty):
1042         * runtime/JSObject.h:
1043         * runtime/JSProxy.cpp:
1044         (JSC::JSProxy::defineOwnProperty):
1045         * runtime/JSProxy.h:
1046         * runtime/RegExpMatchesArray.h:
1047         (JSC::RegExpMatchesArray::defineOwnProperty):
1048         * runtime/RegExpObject.cpp:
1049         (JSC::RegExpObject::defineOwnProperty):
1050         * runtime/RegExpObject.h:
1051         * runtime/StringObject.cpp:
1052         (JSC::StringObject::defineOwnProperty):
1053         * runtime/StringObject.h:
1054             - make PropertyDescriptor const
1055
1056 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1057
1058         REGRESSION: Crash under JITCompiler::link while loading Gmail
1059         https://bugs.webkit.org/show_bug.cgi?id=119872
1060
1061         Reviewed by Mark Hahnenberg.
1062         
1063         Apparently, unsigned + signed = unsigned. Work around it with a cast.
1064
1065         * dfg/DFGByteCodeParser.cpp:
1066         (JSC::DFG::ByteCodeParser::parseBlock):
1067
1068 2013-08-21  Alex Christensen  <achristensen@apple.com>
1069
1070         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1071
1072         Reviewed by Brent Fulgham.
1073
1074         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1075         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1076         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1077         Pass PlatformArchitecture as a command line parameter to bash scripts.
1078         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1079         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1080         * JavaScriptCore.vcxproj/build-generated-files.sh:
1081         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1082
1083 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1084
1085         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1086         https://bugs.webkit.org/show_bug.cgi?id=120099
1087
1088         Reviewed by Mark Hahnenberg.
1089         
1090         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1091         JSDataView may have ordinary JS indexed properties.
1092
1093         * runtime/ClassInfo.h:
1094         * runtime/JSArrayBufferView.cpp:
1095         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1096         (JSC::JSArrayBufferView::finishCreation):
1097         * runtime/JSArrayBufferView.h:
1098         (JSC::hasArrayBuffer):
1099         * runtime/JSArrayBufferViewInlines.h:
1100         (JSC::JSArrayBufferView::buffer):
1101         (JSC::JSArrayBufferView::neuter):
1102         (JSC::JSArrayBufferView::byteOffset):
1103         * runtime/JSCell.cpp:
1104         (JSC::JSCell::slowDownAndWasteMemory):
1105         * runtime/JSCell.h:
1106         * runtime/JSDataView.cpp:
1107         (JSC::JSDataView::JSDataView):
1108         (JSC::JSDataView::create):
1109         (JSC::JSDataView::slowDownAndWasteMemory):
1110         * runtime/JSDataView.h:
1111         (JSC::JSDataView::buffer):
1112         * runtime/JSGenericTypedArrayView.h:
1113         * runtime/JSGenericTypedArrayViewInlines.h:
1114         (JSC::::visitChildren):
1115         (JSC::::slowDownAndWasteMemory):
1116
1117 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1118
1119         Remove incorrect ASSERT from CopyVisitor::visitItem
1120
1121         Rubber stamped by Filip Pizlo.
1122
1123         * heap/CopyVisitorInlines.h:
1124         (JSC::CopyVisitor::visitItem):
1125
1126 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1127
1128         https://bugs.webkit.org/show_bug.cgi?id=120127
1129         Remove JSObject::propertyIsEnumerable
1130
1131         Reviewed by Sam Weinig.
1132
1133         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1134
1135         * runtime/JSObject.cpp:
1136         * runtime/JSObject.h:
1137             - remove propertyIsEnumerable
1138         * runtime/ObjectPrototype.cpp:
1139         (JSC::objectProtoFuncPropertyIsEnumerable):
1140             - Move implementation here using getOwnPropertyDescriptor directly.
1141
1142 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
1143
1144         DFG should inline new typedArray()
1145         https://bugs.webkit.org/show_bug.cgi?id=120022
1146
1147         Reviewed by Oliver Hunt.
1148         
1149         Adds inlining of typed array allocations in the DFG. Any operation of the
1150         form:
1151         
1152             new foo(blah)
1153         
1154         or:
1155         
1156             foo(blah)
1157         
1158         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1159         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1160         is predicted integer, we generate inline code for an allocation. Otherwise
1161         it turns into a call to an operation that behaves like the constructor would
1162         if it was passed one argument (i.e. it may wrap a buffer or it may create a
1163         copy of another array, or it may allocate an array of that length).
1164
1165         * bytecode/SpeculatedType.cpp:
1166         (JSC::speculationFromTypedArrayType):
1167         (JSC::speculationFromClassInfo):
1168         * bytecode/SpeculatedType.h:
1169         * dfg/DFGAbstractInterpreterInlines.h:
1170         (JSC::DFG::::executeEffects):
1171         * dfg/DFGBackwardsPropagationPhase.cpp:
1172         (JSC::DFG::BackwardsPropagationPhase::propagate):
1173         * dfg/DFGByteCodeParser.cpp:
1174         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1175         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1176         * dfg/DFGCCallHelpers.h:
1177         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1178         * dfg/DFGCSEPhase.cpp:
1179         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1180         * dfg/DFGClobberize.h:
1181         (JSC::DFG::clobberize):
1182         * dfg/DFGFixupPhase.cpp:
1183         (JSC::DFG::FixupPhase::fixupNode):
1184         * dfg/DFGGraph.cpp:
1185         (JSC::DFG::Graph::dump):
1186         * dfg/DFGNode.h:
1187         (JSC::DFG::Node::hasTypedArrayType):
1188         (JSC::DFG::Node::typedArrayType):
1189         * dfg/DFGNodeType.h:
1190         * dfg/DFGOperations.cpp:
1191         (JSC::DFG::newTypedArrayWithSize):
1192         (JSC::DFG::newTypedArrayWithOneArgument):
1193         * dfg/DFGOperations.h:
1194         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1195         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1196         * dfg/DFGPredictionPropagationPhase.cpp:
1197         (JSC::DFG::PredictionPropagationPhase::propagate):
1198         * dfg/DFGSafeToExecute.h:
1199         (JSC::DFG::safeToExecute):
1200         * dfg/DFGSpeculativeJIT.cpp:
1201         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1202         * dfg/DFGSpeculativeJIT.h:
1203         (JSC::DFG::SpeculativeJIT::callOperation):
1204         * dfg/DFGSpeculativeJIT32_64.cpp:
1205         (JSC::DFG::SpeculativeJIT::compile):
1206         * dfg/DFGSpeculativeJIT64.cpp:
1207         (JSC::DFG::SpeculativeJIT::compile):
1208         * jit/JITOpcodes.cpp:
1209         (JSC::JIT::emit_op_new_object):
1210         * jit/JITOpcodes32_64.cpp:
1211         (JSC::JIT::emit_op_new_object):
1212         * runtime/JSArray.h:
1213         (JSC::JSArray::allocationSize):
1214         * runtime/JSArrayBufferView.h:
1215         (JSC::JSArrayBufferView::allocationSize):
1216         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1217         (JSC::constructGenericTypedArrayView):
1218         * runtime/JSObject.h:
1219         (JSC::JSFinalObject::allocationSize):
1220         * runtime/TypedArrayType.cpp:
1221         (JSC::constructorClassInfoForType):
1222         * runtime/TypedArrayType.h:
1223         (JSC::indexToTypedArrayType):
1224
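        The three one-argument behaviours this entry lists (allocate by length, wrap a
        buffer, copy another array) as an added JavaScript example; this is not
        JavaScriptCore code and not part of the ChangeLog. It constructs a Uint8Array from
        each kind of argument and probes whether writes through the new view are visible
        through the argument, which is what separates the inlinable integer case from the
        cases that stay a runtime call. The function name and sample inputs are constructed.

```javascript
// Added example (not JavaScriptCore code): what a typed array constructor does
// with exactly one argument. Only the integer-length case has a fixed shape the
// compiler can allocate inline; wrapping and copying depend on the argument.
function constructAndProbe(arg) {
  const view = new Uint8Array(arg);
  let kind;
  if (typeof arg === "number") {
    kind = "allocate"; // fresh zero-filled buffer of `arg` elements
  } else if (arg instanceof ArrayBuffer) {
    kind = "wrap"; // view over the caller's buffer, no copy
  } else {
    kind = "copy"; // element-wise copy of an array-like or typed array
  }
  // Write through the new view; only a wrapped buffer observes the write.
  if (view.length > 0) view[0] = 0xff;
  let aliasesArgument = false;
  if (arg instanceof ArrayBuffer) {
    aliasesArgument = new Uint8Array(arg)[0] === 0xff;
  } else if (ArrayBuffer.isView(arg) || Array.isArray(arg)) {
    aliasesArgument = arg[0] === 0xff;
  }
  return { kind, length: view.length, aliasesArgument };
}
```

        Note that the copy case reports a length in elements of the source, not bytes:
        a Uint16Array of three elements yields a three-element Uint8Array, which is one
        more reason the non-integer cases cannot be reduced to a fixed-size allocation.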
1225 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
1226
1227         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
1228
1229         Reviewed by Geoffrey Garen.
1230
1231         * dfg/DFGOperations.h:
1232
1233 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1234
1235         https://bugs.webkit.org/show_bug.cgi?id=120093
1236         Remove getOwnPropertyDescriptor trap
1237
1238         Reviewed by Geoff Garen.
1239
1240         All implementations of this method are now called via the method table, and equivalent in behaviour.
1241         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
1242
1243         * API/JSCallbackObject.h:
1244         * API/JSCallbackObjectFunctions.h:
1245         * debugger/DebuggerActivation.cpp:
1246         * debugger/DebuggerActivation.h:
1247         * runtime/Arguments.cpp:
1248         * runtime/Arguments.h:
1249         * runtime/ArrayConstructor.cpp:
1250         * runtime/ArrayConstructor.h:
1251         * runtime/ArrayPrototype.cpp:
1252         * runtime/ArrayPrototype.h:
1253         * runtime/BooleanPrototype.cpp:
1254         * runtime/BooleanPrototype.h:
1255             - remove getOwnPropertyDescriptor
1256         * runtime/ClassInfo.h:
1257             - remove getOwnPropertyDescriptor from MethodTable
1258         * runtime/DateConstructor.cpp:
1259         * runtime/DateConstructor.h:
1260         * runtime/DatePrototype.cpp:
1261         * runtime/DatePrototype.h:
1262         * runtime/ErrorPrototype.cpp:
1263         * runtime/ErrorPrototype.h:
1264         * runtime/JSActivation.cpp:
1265         * runtime/JSActivation.h:
1266         * runtime/JSArray.cpp:
1267         * runtime/JSArray.h:
1268         * runtime/JSArrayBuffer.cpp:
1269         * runtime/JSArrayBuffer.h:
1270         * runtime/JSArrayBufferView.cpp:
1271         * runtime/JSArrayBufferView.h:
1272         * runtime/JSCell.cpp:
1273         * runtime/JSCell.h:
1274         * runtime/JSDataView.cpp:
1275         * runtime/JSDataView.h:
1276         * runtime/JSDataViewPrototype.cpp:
1277         * runtime/JSDataViewPrototype.h:
1278         * runtime/JSFunction.cpp:
1279         * runtime/JSFunction.h:
1280         * runtime/JSGenericTypedArrayView.h:
1281         * runtime/JSGenericTypedArrayViewInlines.h:
1282         * runtime/JSGlobalObject.cpp:
1283         * runtime/JSGlobalObject.h:
1284         * runtime/JSNotAnObject.cpp:
1285         * runtime/JSNotAnObject.h:
1286         * runtime/JSONObject.cpp:
1287         * runtime/JSONObject.h:
1288             - remove getOwnPropertyDescriptor
1289         * runtime/JSObject.cpp:
1290         (JSC::JSObject::propertyIsEnumerable):
1291             - switch to call new getOwnPropertyDescriptor member function
1292         (JSC::JSObject::getOwnPropertyDescriptor):
1293             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1294         (JSC::JSObject::defineOwnNonIndexProperty):
1295             - switch to call new getOwnPropertyDescriptor member function
1296         * runtime/JSObject.h:
1297         * runtime/JSProxy.cpp:
1298         * runtime/JSProxy.h:
1299         * runtime/NamePrototype.cpp:
1300         * runtime/NamePrototype.h:
1301         * runtime/NumberConstructor.cpp:
1302         * runtime/NumberConstructor.h:
1303         * runtime/NumberPrototype.cpp:
1304         * runtime/NumberPrototype.h:
1305             - remove getOwnPropertyDescriptor
1306         * runtime/ObjectConstructor.cpp:
1307         (JSC::objectConstructorGetOwnPropertyDescriptor):
1308         (JSC::objectConstructorSeal):
1309         (JSC::objectConstructorFreeze):
1310         (JSC::objectConstructorIsSealed):
1311         (JSC::objectConstructorIsFrozen):
1312             - switch to call new getOwnPropertyDescriptor member function
1313         * runtime/ObjectConstructor.h:
1314             - remove getOwnPropertyDescriptor
1315         * runtime/PropertyDescriptor.h:
1316             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1317         * runtime/RegExpConstructor.cpp:
1318         * runtime/RegExpConstructor.h:
1319         * runtime/RegExpMatchesArray.cpp:
1320         * runtime/RegExpMatchesArray.h:
1321         * runtime/RegExpObject.cpp:
1322         * runtime/RegExpObject.h:
1323         * runtime/RegExpPrototype.cpp:
1324         * runtime/RegExpPrototype.h:
1325         * runtime/StringConstructor.cpp:
1326         * runtime/StringConstructor.h:
1327         * runtime/StringObject.cpp:
1328         * runtime/StringObject.h:
1329             - remove getOwnPropertyDescriptor
1330
1331 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1332
1333         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
1334
1335         Reviewed by Oliver Hunt.
1336
1337         When we flatten an object in dictionary mode, we compact its properties. If the object 
1338         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
1339         compaction its properties fit inline, the object's Structure "forgets" that the object 
1340         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
1341         with bytes = 0, which causes all sorts of badness in CopiedSpace.
1342
1343         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
1344         Butterfly pointer so that the GC doesn't get confused later.
1345
1346         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
1347         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
1348         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
1349         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
1350
1351         * heap/SlotVisitorInlines.h:
1352         (JSC::SlotVisitor::copyLater):
1353         * runtime/JSObject.cpp:
1354         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1355         (JSC::JSObject::convertUndecidedToInt32):
1356         (JSC::JSObject::convertUndecidedToDouble):
1357         (JSC::JSObject::convertUndecidedToContiguous):
1358         (JSC::JSObject::convertInt32ToDouble):
1359         (JSC::JSObject::convertInt32ToContiguous):
1360         (JSC::JSObject::genericConvertDoubleToContiguous):
1361         (JSC::JSObject::switchToSlowPutArrayStorage):
1362         (JSC::JSObject::setPrototype):
1363         (JSC::JSObject::putDirectAccessor):
1364         (JSC::JSObject::seal):
1365         (JSC::JSObject::freeze):
1366         (JSC::JSObject::preventExtensions):
1367         (JSC::JSObject::reifyStaticFunctionsForDelete):
1368         (JSC::JSObject::removeDirect):
1369         * runtime/JSObject.h:
1370         (JSC::JSObject::setButterfly):
1371         (JSC::JSObject::putDirectInternal):
1372         (JSC::JSObject::setStructure):
1373         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1374         * runtime/Structure.cpp:
1375         (JSC::Structure::flattenDictionaryStructure):
1376
1377 2013-08-20  Alex Christensen  <achristensen@apple.com>
1378
1379         Compile fix for Win64 after r154156.
1380
1381         Rubber stamped by Oliver Hunt.
1382
1383         * jit/JITStubsMSVC64.asm:
1384         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
1385         cti_vm_throw_slowpath to cti_vm_handle_exception.
1386
1387 2013-08-20  Alex Christensen  <achristensen@apple.com>
1388
1389         <https://webkit.org/b/120076> More work towards a Win64 build
1390
1391         Reviewed by Brent Fulgham.
1392
1393         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1394         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1395         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1396         * JavaScriptCore.vcxproj/copy-files.cmd:
1397         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
1398         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1399         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
1400
1401 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1402
1403         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1404
1405         Reviewed by Geoffrey Garen.
1406
1407         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
1408         initializeLazyWriteBarrierFor* wrapper functions more sane. 
1409
1410         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
1411         and index when triggering the WriteBarrier at the end of compilation. 
1412
1413         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
1414         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
1415         little extra work that really shouldn't have been its responsibility.
1416
1417         * dfg/DFGByteCodeParser.cpp:
1418         (JSC::DFG::ByteCodeParser::addConstant):
1419         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1420         * dfg/DFGDesiredWriteBarriers.cpp:
1421         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1422         (JSC::DFG::DesiredWriteBarrier::trigger):
1423         * dfg/DFGDesiredWriteBarriers.h:
1424         (JSC::DFG::DesiredWriteBarriers::add):
1425         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
1426         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
1427         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1428         * dfg/DFGFixupPhase.cpp:
1429         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1430         * dfg/DFGGraph.h:
1431         (JSC::DFG::Graph::constantRegisterForConstant):
1432
1433 2013-08-20  Michael Saboff  <msaboff@apple.com>
1434
1435         https://bugs.webkit.org/show_bug.cgi?id=120075
1436         REGRESSION (r128400): BBC4 website not displaying pictures
1437
1438         Reviewed by Oliver Hunt.
1439
1440         * runtime/RegExpMatchesArray.h:
1441         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
1442         so that the match results will be reified before any other modification to the results array.
1443
1444 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
1445
1446         Incorrect behavior on emscripten-compiled cube2hash
1447         https://bugs.webkit.org/show_bug.cgi?id=120033
1448
1449         Reviewed by Mark Hahnenberg.
1450         
1451         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
1452         then we should bail attempts to CSE.
1453
1454         * dfg/DFGCSEPhase.cpp:
1455         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1456         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1457
1458 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1459
1460         https://bugs.webkit.org/show_bug.cgi?id=120073
1461         Remove use of GOPD from JSFunction::defineProperty
1462
1463         Reviewed by Oliver Hunt.
1464
1465         Call getOwnPropertySlot to check for existing properties instead.
1466
1467         * runtime/JSFunction.cpp:
1468         (JSC::JSFunction::defineOwnProperty):
1469             - getOwnPropertyDescriptor -> getOwnPropertySlot
1470
1471 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1472
1473         https://bugs.webkit.org/show_bug.cgi?id=120067
1474         Remove getPropertyDescriptor
1475
1476         Reviewed by Oliver Hunt.
1477
1478         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
1479         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
1480
1481         * runtime/JSObject.cpp:
1482         * runtime/JSObject.h:
1483             - remove getPropertyDescriptor
1484         * runtime/ObjectPrototype.cpp:
1485         (JSC::objectProtoFuncLookupGetter):
1486         (JSC::objectProtoFuncLookupSetter):
1487             - replace call to getPropertyDescriptor with getPropertySlot
1488         * runtime/PropertyDescriptor.h:
1489         * runtime/PropertySlot.h:
1490         (JSC::PropertySlot::isAccessor):
1491         (JSC::PropertySlot::isCacheableGetter):
1492         (JSC::PropertySlot::getterSetter):
1493             - rename isGetter() to isAccessor()
1494
1495 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1496
1497         https://bugs.webkit.org/show_bug.cgi?id=120054
1498         Remove some dead code following getOwnPropertyDescriptor cleanup
1499
1500         Reviewed by Oliver Hunt.
1501
1502         * runtime/Lookup.h:
1503         (JSC::getStaticFunctionSlot):
1504             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
1505
1506 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1507
1508         https://bugs.webkit.org/show_bug.cgi?id=120052
1509         Remove custom getOwnPropertyDescriptor for JSProxy
1510
1511         Reviewed by Geoff Garen.
1512
1513         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
1514         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
1515         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
1516         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
1517         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
1518
1519         * runtime/JSProxy.cpp:
1520             - Remove custom getOwnPropertyDescriptor implementation.
1521         * runtime/PropertyDescriptor.h:
1522             - Modify own property access check to perform toThis conversion.
1523
1524 2013-08-20  Alex Christensen  <achristensen@apple.com>
1525
1526         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
1527         https://bugs.webkit.org/show_bug.cgi?id=119512
1528
1529         Reviewed by Brent Fulgham.
1530
1531         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1532         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1533         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1534         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1535         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1536         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1537         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1538         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
1539
1540 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
1541
1542         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
1543
1544         Reviewed by Allan Sandfeld Jensen.
1545
1546         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
1547         instructions and two constants now that DFG is enabled for sh4 architecture.
1548         These missing ensureSpace calls lead to random crashes.
1549
1550         * assembler/MacroAssemblerSH4.h:
1551         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
1552
1553 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
1554
1555         https://bugs.webkit.org/show_bug.cgi?id=120034
1556         Remove custom getOwnPropertyDescriptor for global objects
1557
1558         Reviewed by Geoff Garen.
1559
1560         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
1561
1562         * runtime/JSGlobalObject.cpp:
1563             - Remove custom getOwnPropertyDescriptor implementation.
1564         * runtime/JSSymbolTableObject.h:
1565         (JSC::symbolTableGet):
1566             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
1567         * runtime/PropertyDescriptor.h:
1568             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
1569         * runtime/PropertySlot.h:
1570         (JSC::PropertySlot::setUndefined):
1571             - This is used by WebCore when blocking access to properties on cross-frame access.
1572               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
1573
1574 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
1575
1576         DFG should inline typedArray.byteOffset
1577         https://bugs.webkit.org/show_bug.cgi?id=119962
1578
1579         Reviewed by Oliver Hunt.
1580         
1581         This adds a new node, GetTypedArrayByteOffset, which inlines
1582         typedArray.byteOffset.
1583         
1584         Also, I improved a bunch of the clobbering logic related to typed arrays
1585         and clobbering in general. For example, PutByOffset/PutStructure are not
1586         clobber-world so they can be handled by most default cases in CSE. Also,
1587         it's better to use the 'Class_field' notation for typed arrays now that
1588         they no longer involve magical descriptor thingies.
1589
1590         * bytecode/SpeculatedType.h:
1591         * dfg/DFGAbstractHeap.h:
1592         * dfg/DFGAbstractInterpreterInlines.h:
1593         (JSC::DFG::::executeEffects):
1594         * dfg/DFGArrayMode.h:
1595         (JSC::DFG::neverNeedsStorage):
1596         * dfg/DFGCSEPhase.cpp:
1597         (JSC::DFG::CSEPhase::getByValLoadElimination):
1598         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1599         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1600         (JSC::DFG::CSEPhase::checkArrayElimination):
1601         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
1602         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
1603         (JSC::DFG::CSEPhase::performNodeCSE):
1604         * dfg/DFGClobberize.h:
1605         (JSC::DFG::clobberize):
1606         * dfg/DFGFixupPhase.cpp:
1607         (JSC::DFG::FixupPhase::fixupNode):
1608         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1609         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1610         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1611         * dfg/DFGNodeType.h:
1612         * dfg/DFGPredictionPropagationPhase.cpp:
1613         (JSC::DFG::PredictionPropagationPhase::propagate):
1614         * dfg/DFGSafeToExecute.h:
1615         (JSC::DFG::safeToExecute):
1616         * dfg/DFGSpeculativeJIT.cpp:
1617         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1618         * dfg/DFGSpeculativeJIT.h:
1619         * dfg/DFGSpeculativeJIT32_64.cpp:
1620         (JSC::DFG::SpeculativeJIT::compile):
1621         * dfg/DFGSpeculativeJIT64.cpp:
1622         (JSC::DFG::SpeculativeJIT::compile):
1623         * dfg/DFGTypeCheckHoistingPhase.cpp:
1624         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1625         * runtime/ArrayBuffer.h:
1626         (JSC::ArrayBuffer::offsetOfData):
1627         * runtime/Butterfly.h:
1628         (JSC::Butterfly::offsetOfArrayBuffer):
1629         * runtime/IndexingHeader.h:
1630         (JSC::IndexingHeader::offsetOfArrayBuffer):
1631
1632 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
1633
1634         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
1635
1636         Reviewed by Geoffrey Garen.
1637
1638         * dfg/DFGByteCodeParser.cpp:
1639         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1640
1641 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
1642
1643         https://bugs.webkit.org/show_bug.cgi?id=119995
1644         Start removing custom implementations of getOwnPropertyDescriptor
1645
1646         Reviewed by Oliver Hunt.
1647
1648         This can now typically be implemented in terms of getOwnPropertySlot.
1649         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
1650         Switch over most classes in JSC & the WebCore bindings generator to use this.
1651
1652         * API/JSCallbackObjectFunctions.h:
1653         * debugger/DebuggerActivation.cpp:
1654         * runtime/Arguments.cpp:
1655         * runtime/ArrayConstructor.cpp:
1656         * runtime/ArrayPrototype.cpp:
1657         * runtime/BooleanPrototype.cpp:
1658         * runtime/DateConstructor.cpp:
1659         * runtime/DatePrototype.cpp:
1660         * runtime/ErrorPrototype.cpp:
1661         * runtime/JSActivation.cpp:
1662         * runtime/JSArray.cpp:
1663         * runtime/JSArrayBuffer.cpp:
1664         * runtime/JSArrayBufferView.cpp:
1665         * runtime/JSCell.cpp:
1666         * runtime/JSDataView.cpp:
1667         * runtime/JSDataViewPrototype.cpp:
1668         * runtime/JSFunction.cpp:
1669         * runtime/JSGenericTypedArrayViewInlines.h:
1670         * runtime/JSNotAnObject.cpp:
1671         * runtime/JSONObject.cpp:
1672         * runtime/JSObject.cpp:
1673         * runtime/NamePrototype.cpp:
1674         * runtime/NumberConstructor.cpp:
1675         * runtime/NumberPrototype.cpp:
1676         * runtime/ObjectConstructor.cpp:
1677             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1678         * runtime/PropertyDescriptor.h:
1679             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
1680         * runtime/PropertySlot.h:
1681         (JSC::PropertySlot::isValue):
1682         (JSC::PropertySlot::isGetter):
1683         (JSC::PropertySlot::isCustom):
1684         (JSC::PropertySlot::isCacheableValue):
1685         (JSC::PropertySlot::isCacheableGetter):
1686         (JSC::PropertySlot::isCacheableCustom):
1687         (JSC::PropertySlot::attributes):
1688         (JSC::PropertySlot::getterSetter):
1689             - Add accessors necessary to convert PropertySlot to descriptor.
1690         * runtime/RegExpConstructor.cpp:
1691         * runtime/RegExpMatchesArray.cpp:
1692         * runtime/RegExpMatchesArray.h:
1693         * runtime/RegExpObject.cpp:
1694         * runtime/RegExpPrototype.cpp:
1695         * runtime/StringConstructor.cpp:
1696         * runtime/StringObject.cpp:
1697             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1698
1699 2013-08-19  Michael Saboff  <msaboff@apple.com>
1700
1701         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
1702
1703         Reviewed by Sam Weinig.
1704
1705         * dfg/DFGSpeculativeJIT32_64.cpp:
1706         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
1707         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
1708         all versions of fillSpeculateBoolean().
1709
1710 2013-08-19  Michael Saboff  <msaboff@apple.com>
1711
1712         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
1713
1714         Reviewed by Benjamin Poulain.
1715
1716         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
1717         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
1718
1719         * assembler/MacroAssemblerX86Common.h:
1720         (JSC::MacroAssemblerX86Common::branchTest32):
1721
1722 2013-08-16  Oliver Hunt  <oliver@apple.com>
1723
1724         <https://webkit.org/b/119860> Crash during exception unwinding
1725
1726         Reviewed by Filip Pizlo.
1727
1728         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
1729         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
1730
1731         We need this so that Throw and ThrowReferenceError no longer need to be treated as
1732         terminals and the subsequent flush keeps the activation (and other registers) live.
1733
1734         * dfg/DFGAbstractInterpreterInlines.h:
1735         (JSC::DFG::::executeEffects):
1736         * dfg/DFGByteCodeParser.cpp:
1737         (JSC::DFG::ByteCodeParser::parseBlock):
1738         * dfg/DFGClobberize.h:
1739         (JSC::DFG::clobberize):
1740         * dfg/DFGFixupPhase.cpp:
1741         (JSC::DFG::FixupPhase::fixupNode):
1742         * dfg/DFGNode.h:
1743         (JSC::DFG::Node::isTerminal):
1744         * dfg/DFGNodeType.h:
1745         * dfg/DFGPredictionPropagationPhase.cpp:
1746         (JSC::DFG::PredictionPropagationPhase::propagate):
1747         * dfg/DFGSafeToExecute.h:
1748         (JSC::DFG::safeToExecute):
1749         * dfg/DFGSpeculativeJIT32_64.cpp:
1750         (JSC::DFG::SpeculativeJIT::compile):
1751         * dfg/DFGSpeculativeJIT64.cpp:
1752         (JSC::DFG::SpeculativeJIT::compile):
1753
1754 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
1755
1756         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
1757
1758         Reviewed by Oliver Hunt.
1759
1760         Guard the compilation of these files only if DFG_JIT is enabled.
1761
1762         * dfg/DFGDesiredTransitions.cpp:
1763         * dfg/DFGDesiredTransitions.h:
1764         * dfg/DFGDesiredWeakReferences.cpp:
1765         * dfg/DFGDesiredWeakReferences.h:
1766         * dfg/DFGDesiredWriteBarriers.cpp:
1767         * dfg/DFGDesiredWriteBarriers.h:
1768
1769 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
1770
1771         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
1772         https://bugs.webkit.org/show_bug.cgi?id=119961
1773
1774         Reviewed by Mark Hahnenberg.
1775
1776         * dfg/DFGFixupPhase.cpp:
1777         (JSC::DFG::FixupPhase::fixupNode):
1778
1779 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
1780
1781         https://bugs.webkit.org/show_bug.cgi?id=119972
1782         Add attributes field to PropertySlot
1783
1784         Reviewed by Geoff Garen.
1785
1786         For all JSC types, this makes getOwnPropertyDescriptor redundant.
1787         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
1788         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
1789
1790         No performance impact.
1791
1792         * runtime/PropertySlot.h:
1793         (JSC::PropertySlot::setValue):
1794         (JSC::PropertySlot::setCustom):
1795         (JSC::PropertySlot::setCacheableCustom):
1796         (JSC::PropertySlot::setCustomIndex):
1797         (JSC::PropertySlot::setGetterSlot):
1798         (JSC::PropertySlot::setCacheableGetterSlot):
1799             - These methods now all require 'attributes'.
1800         * runtime/JSObject.h:
1801         (JSC::JSObject::getDirect):
1802         (JSC::JSObject::getDirectOffset):
1803         (JSC::JSObject::inlineGetOwnPropertySlot):
1804             - Added variants of getDirect, getDirectOffset that return the attributes.
1805         * API/JSCallbackObjectFunctions.h:
1806         (JSC::::getOwnPropertySlot):
1807         * runtime/Arguments.cpp:
1808         (JSC::Arguments::getOwnPropertySlotByIndex):
1809         (JSC::Arguments::getOwnPropertySlot):
1810         * runtime/JSActivation.cpp:
1811         (JSC::JSActivation::symbolTableGet):
1812         (JSC::JSActivation::getOwnPropertySlot):
1813         * runtime/JSArray.cpp:
1814         (JSC::JSArray::getOwnPropertySlot):
1815         * runtime/JSArrayBuffer.cpp:
1816         (JSC::JSArrayBuffer::getOwnPropertySlot):
1817         * runtime/JSArrayBufferView.cpp:
1818         (JSC::JSArrayBufferView::getOwnPropertySlot):
1819         * runtime/JSDataView.cpp:
1820         (JSC::JSDataView::getOwnPropertySlot):
1821         * runtime/JSFunction.cpp:
1822         (JSC::JSFunction::getOwnPropertySlot):
1823         * runtime/JSGenericTypedArrayViewInlines.h:
1824         (JSC::::getOwnPropertySlot):
1825         (JSC::::getOwnPropertySlotByIndex):
1826         * runtime/JSObject.cpp:
1827         (JSC::JSObject::getOwnPropertySlotByIndex):
1828         (JSC::JSObject::fillGetterPropertySlot):
1829         * runtime/JSString.h:
1830         (JSC::JSString::getStringPropertySlot):
1831         * runtime/JSSymbolTableObject.h:
1832         (JSC::symbolTableGet):
1833         * runtime/Lookup.cpp:
1834         (JSC::setUpStaticFunctionSlot):
1835         * runtime/Lookup.h:
1836         (JSC::getStaticPropertySlot):
1837         (JSC::getStaticPropertyDescriptor):
1838         (JSC::getStaticValueSlot):
1839         (JSC::getStaticValueDescriptor):
1840         * runtime/RegExpObject.cpp:
1841         (JSC::RegExpObject::getOwnPropertySlot):
1842         * runtime/SparseArrayValueMap.cpp:
1843         (JSC::SparseArrayEntry::get):
1844             - Pass attributes to PropertySlot::set* methods.
1845
1846 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1847
1848         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1849
1850         Reviewed by Filip Pizlo.
1851
1852         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
1853         Vector of WriteBarriers rather than the specific address. The fact that we were 
1854         arbitrarily storing into a Vector's backing store for constants at the end of 
1855         compilation after the Vector could have resized was causing crashes.
1856
1857         * bytecode/CodeBlock.h:
1858         (JSC::CodeBlock::constants):
1859         (JSC::CodeBlock::addConstantLazily):
1860         * dfg/DFGByteCodeParser.cpp:
1861         (JSC::DFG::ByteCodeParser::addConstant):
1862         * dfg/DFGDesiredWriteBarriers.cpp:
1863         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1864         (JSC::DFG::DesiredWriteBarrier::trigger):
1865         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1866         * dfg/DFGDesiredWriteBarriers.h:
1867         (JSC::DFG::DesiredWriteBarriers::add):
1868         * dfg/DFGFixupPhase.cpp:
1869         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1870         * dfg/DFGGraph.h:
1871         (JSC::DFG::Graph::constantRegisterForConstant):
1872
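The failure mode this entry describes, a deferred barrier remembering the raw address of a slot inside a Vector that later resizes, modelled as an added example (not JavaScriptCore code; `Slot`, `DeferredBarrierByAddress` and `DeferredBarrierByIndex` are constructed stand-ins for WriteBarrier and the two DesiredWriteBarrier modes):

```cpp
// Added example, not JavaScriptCore code: the address-based deferred barrier goes
// stale when the constants vector reallocates; the (vector, index) form does not.
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for one WriteBarrier slot in a CodeBlock's constants vector.
struct Slot {
    uintptr_t value = 0;
    bool barrierTriggered = false;
};

// Buggy form: captures a pointer to the slot when the constant is added.
struct DeferredBarrierByAddress {
    Slot* slot;
    void trigger() { slot->barrierTriggered = true; } // writes through a possibly dangling pointer
};

// Fixed form: captures the owning vector plus an index and resolves the slot at trigger time.
struct DeferredBarrierByIndex {
    std::vector<Slot>* constants;
    size_t index;
    void trigger() { (*constants)[index].barrierTriggered = true; }
};

// Records an address-based barrier on the first constant, then adds `count - 1` more
// constants (as compilation would). Returns true when the backing store moved, i.e.
// when the recorded address no longer refers to a live element.
bool addressFormGoesStale(std::vector<Slot>& constants, size_t count)
{
    constants.clear();
    constants.shrink_to_fit();
    constants.push_back(Slot{});
    DeferredBarrierByAddress pending = { &constants[0] };
    const uintptr_t recorded = reinterpret_cast<uintptr_t>(pending.slot);
    for (size_t i = 1; i < count; ++i)
        constants.push_back(Slot{}); // every push_back past capacity invalidates all element pointers
    const uintptr_t current = reinterpret_cast<uintptr_t>(&constants[0]);
    // pending.trigger() is deliberately not called: that write is the crash the entry describes.
    return recorded != current;
}

// Same sequence with the index-based barrier: the trigger resolves through the vector,
// so it always reaches the live slot regardless of how often the vector grew.
bool indexFormStaysValid(std::vector<Slot>& constants, size_t count)
{
    constants.clear();
    constants.shrink_to_fit();
    constants.push_back(Slot{});
    DeferredBarrierByIndex pending = { &constants, 0 };
    for (size_t i = 1; i < count; ++i)
        constants.push_back(Slot{});
    pending.trigger();
    return constants[0].barrierTriggered;
}
```
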
1873 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1874
1875         DFG should optimize typedArray.byteLength
1876         https://bugs.webkit.org/show_bug.cgi?id=119909
1877
1878         Reviewed by Oliver Hunt.
1879         
1880         This adds typedArray.byteLength inlining to the DFG, and does so without changing
1881         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
1882         legal since the byteLength of a typed array cannot exceed
1883         numeric_limits<int32_t>::max().
1884
1885         * bytecode/SpeculatedType.cpp:
1886         (JSC::typedArrayTypeFromSpeculation):
1887         * bytecode/SpeculatedType.h:
1888         * dfg/DFGArrayMode.cpp:
1889         (JSC::DFG::toArrayType):
1890         * dfg/DFGArrayMode.h:
1891         * dfg/DFGFixupPhase.cpp:
1892         (JSC::DFG::FixupPhase::fixupNode):
1893         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1894         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
1895         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1896         (JSC::DFG::FixupPhase::prependGetArrayLength):
1897         * dfg/DFGGraph.h:
1898         (JSC::DFG::Graph::constantRegisterForConstant):
1899         (JSC::DFG::Graph::convertToConstant):
1900         * runtime/TypedArrayType.h:
1901         (JSC::logElementSize):
1902         (JSC::elementSize):
1903
1904 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1905
1906         DFG optimizes out strict mode arguments tear off
1907         https://bugs.webkit.org/show_bug.cgi?id=119504
1908
1909         Reviewed by Mark Hahnenberg and Oliver Hunt.
1910         
1911         Don't do the optimization for strict mode.
1912
1913         * dfg/DFGArgumentsSimplificationPhase.cpp:
1914         (JSC::DFG::ArgumentsSimplificationPhase::run):
1915         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
1916
1917 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
1918
1919         [JSC] x86: improve code generation for xxxTest32
1920         https://bugs.webkit.org/show_bug.cgi?id=119876
1921
1922         Reviewed by Geoffrey Garen.
1923
1924         Try to use testb whenever possible when testing for an immediate value.
1925
1926         When the input is an address and an offset, we can tweak the mask
1927         and offset to be able to generate testb for any byte of the mask.
1928
1929         When the input is a register, we can use testb if we are only interested
1930         in testing the low bits.
1931
1932         * assembler/MacroAssemblerX86Common.h:
1933         (JSC::MacroAssemblerX86Common::branchTest32):
1934         (JSC::MacroAssemblerX86Common::test32):
1935         (JSC::MacroAssemblerX86Common::generateTest32):
1936
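The two rules spelled out in this entry and in the branchTest32 register fix above (mask and offset adjustment for memory operands; only the lower four registers have an addressable low byte without a REX prefix), modelled as an added example that is not JavaScriptCore code; `TestForm`, `MemoryByteTest` and the function names are constructed for the example:

```cpp
// Added example, not JavaScriptCore code: decides when a 32-bit test against an
// immediate mask can be lowered to an 8-bit testb, following the two entries above.
#include <cstdint>
#include <cstring>

enum class TestForm { Test32, ByteRegReg, ByteImm };

struct MemoryByteTest {
    bool usable;      // true when testb can replace test32
    int offsetDelta;  // bytes to add to the memory operand's displacement
    uint8_t mask8;    // immediate for testb
};

// Memory operand: if every set bit of the mask lies in one byte, move the displacement
// to that byte and shift the mask down. Works for any of the four bytes.
MemoryByteTest byteTestForMemory(uint32_t mask)
{
    for (int byte = 0; byte < 4; ++byte) {
        uint32_t byteMask = 0xFFu << (8 * byte);
        if (mask && (mask & ~byteMask) == 0)
            return { true, byte, static_cast<uint8_t>(mask >> (8 * byte)) };
    }
    return { false, 0, 0 }; // zero mask, or bits spanning bytes: keep the 32-bit test
}

// Without a REX prefix, byte-register encodings 4-7 name the high bytes of ax/cx/dx/bx,
// not the low bytes of sp/bp/si/di. A testb on such an encoding tests the wrong register.
static const char* const kByteRegisterNames[8] = { "al", "cl", "dl", "bl", "ah", "ch", "dh", "bh" };

const char* byteRegisterWithoutRex(int regNumber)
{
    return kByteRegisterNames[regNumber & 7];
}

// Register operand: use testb only for masks confined to the low byte, and only on
// registers 0-3 (eax, ecx, edx, ebx). A mask of 0xFF needs no immediate at all.
TestForm byteTestForRegister(uint32_t mask, int regNumber)
{
    if (mask == 0 || (mask & ~0xFFu) != 0)
        return TestForm::Test32;
    if (regNumber >= 4)
        return TestForm::Test32; // would encode ah/ch/dh/bh: the wrong-register bug fixed above
    return mask == 0xFF ? TestForm::ByteRegReg : TestForm::ByteImm;
}
```
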
1937 2013-08-16  Mark Lam  <mark.lam@apple.com>
1938
1939         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
1940         error message that an object is not a constructor though it expects a function
1941
1942         Reviewed by Michael Saboff.
1943
1944         * jit/JITStubs.cpp:
1945         (JSC::DEFINE_STUB_FUNCTION):
1946
1947 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1948
1949         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
1950         https://bugs.webkit.org/show_bug.cgi?id=119897
1951
1952         Reviewed by Oliver Hunt.
1953         
1954         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
1955         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
1956         to turn objects into dictionaries when you're storing using bracket syntax or using
1957         eval is still in place.
1958
1959         * bytecode/CodeBlock.h:
1960         (JSC::CodeBlock::putByIdContext):
1961         * dfg/DFGOperations.cpp:
1962         * jit/JITStubs.cpp:
1963         (JSC::DEFINE_STUB_FUNCTION):
1964         * llint/LLIntSlowPaths.cpp:
1965         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1966         * runtime/JSObject.h:
1967         (JSC::JSObject::putDirectInternal):
1968         * runtime/PutPropertySlot.h:
1969         (JSC::PutPropertySlot::PutPropertySlot):
1970         (JSC::PutPropertySlot::context):
1971         * runtime/Structure.cpp:
1972         (JSC::Structure::addPropertyTransition):
1973         * runtime/Structure.h:
1974
1975 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
1976
1977         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
1978
1979         Reviewed by Allan Sandfeld Jensen.
1980
1981         ctiVMHandleException must jump/return using register ra (r31).
1982
1983         * jit/JITStubsMIPS.h:
1984
1985 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
1986
1987         <https://webkit.org/b/119879> Fix sh4 build after r154156.
1988
1989         Reviewed by Allan Sandfeld Jensen.
1990
1991         Fix typo in JITStubsSH4.h file.
1992
1993         * jit/JITStubsSH4.h:
1994
1995 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1996
1997         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
1998
1999         Reviewed by Oliver Hunt.
2000
2001         The concurrent compilation thread should interact minimally with the Heap, including not 
2002         triggering WriteBarriers. This is a prerequisite for generational GC.
2003
2004         * JavaScriptCore.xcodeproj/project.pbxproj:
2005         * bytecode/CodeBlock.cpp:
2006         (JSC::CodeBlock::addOrFindConstant):
2007         (JSC::CodeBlock::findConstant):
2008         * bytecode/CodeBlock.h:
2009         (JSC::CodeBlock::addConstantLazily):
2010         * dfg/DFGByteCodeParser.cpp:
2011         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
2012         (JSC::DFG::ByteCodeParser::constantUndefined):
2013         (JSC::DFG::ByteCodeParser::constantNull):
2014         (JSC::DFG::ByteCodeParser::one):
2015         (JSC::DFG::ByteCodeParser::constantNaN):
2016         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2017         * dfg/DFGCommonData.cpp:
2018         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2019         * dfg/DFGCommonData.h:
2020         * dfg/DFGDesiredTransitions.cpp: Added.
2021         (JSC::DFG::DesiredTransition::DesiredTransition):
2022         (JSC::DFG::DesiredTransition::reallyAdd):
2023         (JSC::DFG::DesiredTransitions::DesiredTransitions):
2024         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
2025         (JSC::DFG::DesiredTransitions::addLazily):
2026         (JSC::DFG::DesiredTransitions::reallyAdd):
2027         * dfg/DFGDesiredTransitions.h: Added.
2028         * dfg/DFGDesiredWeakReferences.cpp: Added.
2029         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2030         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
2031         (JSC::DFG::DesiredWeakReferences::addLazily):
2032         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2033         * dfg/DFGDesiredWeakReferences.h: Added.
2034         * dfg/DFGDesiredWriteBarriers.cpp: Added.
2035         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2036         (JSC::DFG::DesiredWriteBarrier::trigger):
2037         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
2038         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
2039         (JSC::DFG::DesiredWriteBarriers::addImpl):
2040         (JSC::DFG::DesiredWriteBarriers::trigger):
2041         * dfg/DFGDesiredWriteBarriers.h: Added.
2042         (JSC::DFG::DesiredWriteBarriers::add):
2043         (JSC::DFG::initializeLazyWriteBarrier):
2044         * dfg/DFGFixupPhase.cpp:
2045         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2046         * dfg/DFGGraph.h:
2047         (JSC::DFG::Graph::convertToConstant):
2048         * dfg/DFGJITCompiler.h:
2049         (JSC::DFG::JITCompiler::addWeakReference):
2050         * dfg/DFGPlan.cpp:
2051         (JSC::DFG::Plan::Plan):
2052         (JSC::DFG::Plan::reallyAdd):
2053         * dfg/DFGPlan.h:
2054         * dfg/DFGSpeculativeJIT32_64.cpp:
2055         (JSC::DFG::SpeculativeJIT::compile):
2056         * dfg/DFGSpeculativeJIT64.cpp:
2057         (JSC::DFG::SpeculativeJIT::compile):
2058         * runtime/WriteBarrier.h:
2059         (JSC::WriteBarrierBase::set):
2060         (JSC::WriteBarrier::WriteBarrier):
2061
2062 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2063
2064         Fix x86 32bits build after r154158
2065
2066         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
2067
2068 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2069
2070         Build fix attempt after r154156.
2071
2072         * jit/JITStubs.cpp:
2073         (JSC::cti_vm_handle_exception): encode!
2074
2075 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2076
2077         [JSC] x86: Use inc and dec when possible
2078         https://bugs.webkit.org/show_bug.cgi?id=119831
2079
2080         Reviewed by Geoffrey Garen.
2081
2082         When incrementing or decrementing by an immediate of 1, use the instructions
2083         inc and dec instead of add and sub.
2084         The instructions have good timing and their encoding is smaller.
2085
2086         * assembler/MacroAssemblerX86Common.h:
2087         (JSC::MacroAssemblerX86_64::add32):
2088         (JSC::MacroAssemblerX86_64::sub32):
2089         * assembler/MacroAssemblerX86_64.h:
2090         (JSC::MacroAssemblerX86_64::add64):
2091         (JSC::MacroAssemblerX86_64::sub64):
2092         * assembler/X86Assembler.h:
2093         (JSC::X86Assembler::dec_r):
2094         (JSC::X86Assembler::decq_r):
2095         (JSC::X86Assembler::inc_r):
2096         (JSC::X86Assembler::incq_r):
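
As an added illustration of the encoding-size point in this entry (example code, not JSC's X86Assembler; the register constants and helper names are assumed), a minimal 64-bit-mode encoder that applies the same selection rule: an add or sub of the immediate 1 is emitted as inc/dec (FF /0, FF /1) while any other imm8 keeps the 83 /0, 83 /5 form, so `add eax, 1` shrinks from 3 bytes to 2.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 register numbers as the hardware encodes them (eax/rax = 0 ... r15 = 15).
 * Constructed for this example; these names are not JSC's. */
enum { REG_EAX = 0, REG_ECX = 1, REG_EDX = 2, REG_EBX = 3, REG_R8 = 8, REG_R15 = 15 };

/* Emit a REX prefix when one is needed (64-bit mode). REX.W selects a 64-bit
 * operand size, REX.B extends the r/m field so that r8..r15 are reachable.
 * Returns the number of bytes written: 0 or 1. */
static size_t emit_rex(uint8_t *out, int is64, unsigned reg)
{
    uint8_t rex = 0x40;
    if (is64) rex |= 0x08;      /* REX.W */
    if (reg & 8) rex |= 0x01;   /* REX.B */
    if (rex == 0x40) return 0;  /* 32-bit op on eax..edi: no prefix at all */
    out[0] = rex;
    return 1;
}

/* ModRM byte for register-direct addressing: mod = 11, reg = opcode extension,
 * rm = low three bits of the register number. */
static uint8_t modrm_direct(unsigned ext, unsigned reg)
{
    return (uint8_t)(0xC0 | ((ext & 7) << 3) | (reg & 7));
}

/* inc r/m (FF /0) and dec r/m (FF /1). Note that, unlike add/sub, inc/dec
 * leave CF untouched, which matters if a later instruction consumes CF. */
static size_t encode_inc_dec(uint8_t *out, unsigned reg, int is64, int is_dec)
{
    size_t n = emit_rex(out, is64, reg);
    out[n++] = 0xFF;
    out[n++] = modrm_direct(is_dec ? 1 : 0, reg);
    return n;
}

/* add r/m, imm8 (83 /0 ib) and sub r/m, imm8 (83 /5 ib). */
static size_t encode_add_sub_imm8(uint8_t *out, unsigned reg, int is64, int is_sub, int8_t imm)
{
    size_t n = emit_rex(out, is64, reg);
    out[n++] = 0x83;
    out[n++] = modrm_direct(is_sub ? 5 : 0, reg);
    out[n++] = (uint8_t)imm;
    return n;
}

/* The selection rule described in the ChangeLog entry: an add or sub of the
 * immediate 1 is emitted as inc or dec; any other imm8 keeps the add/sub form.
 * Immediates outside the imm8 range are out of scope here and yield 0 bytes.
 * Returns the encoded length; `out` must have room for 4 bytes. */
size_t encode_add_or_sub(uint8_t *out, unsigned reg, int is64, int is_sub, int32_t imm)
{
    if (imm == 1)
        return encode_inc_dec(out, reg, is64, is_sub);
    if (imm >= -128 && imm <= 127)
        return encode_add_sub_imm8(out, reg, is64, is_sub, (int8_t)imm);
    return 0;
}

/* Check helper: does the chosen encoding equal the expected byte string? */
int encodes_to(unsigned reg, int is64, int is_sub, int32_t imm,
               const uint8_t *expect, size_t expect_len)
{
    uint8_t buf[4];
    size_t n = encode_add_or_sub(buf, reg, is64, is_sub, imm);
    return n == expect_len && memcmp(buf, expect, n) == 0;
}

int main(void)
{
    /* Show the size difference for add eax, 1 (-> inc eax) versus add eax, 2. */
    const int32_t imms[] = { 1, 2 };
    for (size_t i = 0; i < 2; i++) {
        uint8_t buf[4];
        size_t n = encode_add_or_sub(buf, REG_EAX, 0, 0, imms[i]);
        printf("add eax, %d ->", imms[i]);
        for (size_t j = 0; j < n; j++) printf(" %02X", buf[j]);
        printf("  (%zu bytes)\n", n);
    }
    return 0;
}
```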
2097
2098 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2099
2100         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
2101         https://bugs.webkit.org/show_bug.cgi?id=119874
2102
2103         Reviewed by Oliver Hunt and Mark Hahnenberg.
2104         
2105         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
2106         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
2107         sometimes for typed array length accesses, and the FixupPhase assuming that a
2108         ForceExit ArrayMode means that it should continue using a generic GetById.
2109
2110         This fixes the confusion.
2111
2112         * dfg/DFGFixupPhase.cpp:
2113         (JSC::DFG::FixupPhase::fixupNode):
2114
2115 2013-08-15  Mark Lam  <mark.lam@apple.com>
2116
2117         Fix crash when performing activation tearoff.
2118         https://bugs.webkit.org/show_bug.cgi?id=119848
2119
2120         Reviewed by Oliver Hunt.
2121
2122         The activation tearoff crash was due to a bug in the baseline JIT.
2123         If we have a scenario where a baseline JIT frame calls a LLINT
2124         frame, an exception may be thrown while in the LLINT.
2125
2126         Interpreter::throwException() which handles the exception will unwind
2127         all frames until it finds a catcher or sees a host frame. When we
2128         return from the LLINT to the baseline JIT code, the baseline JIT code
2129         erroneously sets topCallFrame to the value in its call frame register,
2130         and starts unwinding the stack frames that have already been unwound.
2131
2132         The fix is:
2133         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2134            This is a more accurate description of what this runtime function
2135            is supposed to do, i.e. it handles the exception, which includes doing
2136            nothing (if there are no more frames to unwind).
2137         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
2138            set on it.
2139         3. Reload the call frame register from topCallFrame when we're
2140            returning from a callee and detect exception handling in progress.
2141
2142         * interpreter/Interpreter.cpp:
2143         (JSC::Interpreter::unwindCallFrame):
2144         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2145         (JSC::Interpreter::getStackTrace):
2146         * interpreter/Interpreter.h:
2147         (JSC::TopCallFrameSetter::TopCallFrameSetter):
2148         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2149         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2150         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2151         * jit/JIT.h:
2152         * jit/JITExceptions.cpp:
2153         (JSC::uncaughtExceptionHandler):
2154         - Convenience function to get the handler for uncaught exceptions.
2155         * jit/JITExceptions.h:
2156         * jit/JITInlines.h:
2157         (JSC::JIT::reloadCallFrameFromTopCallFrame):
2158         * jit/JITOpcodes32_64.cpp:
2159         (JSC::JIT::privateCompileCTINativeCall):
2160         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2161         * jit/JITStubs.cpp:
2162         (JSC::throwExceptionFromOpCall):
2163         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2164         (JSC::cti_vm_handle_exception):
2165         - Check for the case when there are no more frames to unwind.
2166         * jit/JITStubs.h:
2167         * jit/JITStubsARM.h:
2168         * jit/JITStubsARMv7.h:
2169         * jit/JITStubsMIPS.h:
2170         * jit/JITStubsSH4.h:
2171         * jit/JITStubsX86.h:
2172         * jit/JITStubsX86_64.h:
2173         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2174         * jit/SlowPathCall.h:
2175         (JSC::JITSlowPathCall::call):
2176         - Reload cfr from topCallFrame when handling an exception.
2177         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2178         * jit/ThunkGenerators.cpp:
2179         (JSC::nativeForGenerator):
2180         * llint/LowLevelInterpreter32_64.asm:
2181         * llint/LowLevelInterpreter64.asm:
2182         - Reload cfr from topCallFrame when handling an exception.
2183         * runtime/VM.cpp:
2184         (JSC::VM::VM):
2185         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2186
2187 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2188
2189         Remove some code duplication.
2190         
2191         Rubber stamped by Mark Hahnenberg.
2192
2193         * runtime/JSDataViewPrototype.cpp:
2194         (JSC::getData):
2195         (JSC::setData):
2196
2197 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
2198
2199         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
2200         https://bugs.webkit.org/show_bug.cgi?id=119794
2201
2202         Reviewed by Filip Pizlo.
2203
2204         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
2205
2206         * dfg/DFGUseKind.h:
2207         (JSC::DFG::isNumerical):
2208         (JSC::DFG::isDouble):
2209
2210 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2211
2212         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
2213
2214         Rubber stamped by Oliver Hunt.
2215         
2216         This was causing some test crashes for me.
2217
2218         * dfg/DFGCapabilities.cpp:
2219         (JSC::DFG::capabilityLevel):
2220
2221 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2222
2223         [Windows] Clear up improper export declaration.
2224
2225         * runtime/ArrayBufferView.h:
2226
2227 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2228
2229         Unreviewed, remove some unnecessary periods from exceptions.
2230
2231         * runtime/JSDataViewPrototype.cpp:
2232         (JSC::getData):
2233         (JSC::setData):
2234
2235 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2236
2237         Unreviewed, fix 32-bit build.
2238
2239         * dfg/DFGSpeculativeJIT32_64.cpp:
2240         (JSC::DFG::SpeculativeJIT::compile):
2241
2242 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
2243
2244         Typed arrays should be rewritten
2245         https://bugs.webkit.org/show_bug.cgi?id=119064
2246
2247         Reviewed by Oliver Hunt.
2248         
2249         Typed arrays were previously deficient in several major ways:
2250         
2251         - They were defined separately in WebCore and in the jsc shell. The two
2252           implementations were different, and the jsc shell one was basically wrong.
2253           The WebCore one was quite awful, also.
2254         
2255         - Typed arrays were not visible to the JIT except through some weird hooks.
2256           For example, the JIT could not ask "what is the Structure that this typed
2257           array would have if I just allocated it from this global object". Also,
2258           it was difficult to wire any of the typed array intrinsics, because most
2259           of the functionality wasn't visible anywhere in JSC.
2260         
2261         - Typed array allocation was brain-dead. Allocating a typed array involved
2262           two JS objects, two GC weak handles, and three malloc allocations.
2263         
2264         - Neutering. It involved keeping tabs on all native views but not the view
2265           wrappers, even though the native views can autoneuter just by asking the
2266           buffer if it was neutered anytime you touch them; while the JS view
2267           wrappers are the ones that you really want to reach out to.
2268         
2269         - Common case-ing. Most typed arrays have one buffer and one view, and
2270           usually nobody touches the buffer. Yet we created all of that stuff
2271           anyway, using data structures optimized for the case where you had a lot
2272           of views.
2273         
2274         - Semantic goofs. Typed arrays should, in the future, behave like ES
2275           features rather than DOM features, for example when it comes to exceptions.
2276           Firefox already does this and I agree with them.
2277         
2278         This patch cleanses our codebase of these sins:
2279         
2280         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
2281           management of native references to buffers is left to WebCore.
2282         
2283         - Allocating a typed array requires either two GC allocations (a cell and a
2284           copied storage vector) or one GC allocation, a malloc allocation, and a
2285           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
2286           latter). The latter is only used for oversize arrays. Remember that before
2287           it was 7 allocations no matter what.
2288         
2289         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
2290           mode/length, void* vector. Before it was a lot more than that - remember,
2291           there were five additional objects that did absolutely nothing for anybody.
2292         
2293         - Native views aren't tracked by the buffer, or by the wrappers. They are
2294           transient. In the future we'll probably switch to not even having them be
2295           malloc'd.
2296         
2297         - Native array buffers have an efficient way of tracking all of their JS view
2298           wrappers, both for neutering, and for lifecycle management. The GC
2299           special-cases native array buffers. This saves a bunch of grief; for example
2300           it means that a JS view wrapper can refer to its buffer via the butterfly,
2301           which would be dead by the time we went to finalize.
2302         
2303         - Typed array semantics now match Firefox, which also happens to be where the
2304           standards are going. The discussion on webkit-dev seemed to confirm that
2305           Chrome is also heading in this direction. This includes making
2306           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
2307           ArrayBufferView as a JS-visible construct.
2308         
2309         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
2310         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
2311         further typed array optimizations in the JSC JITs, including inlining typed
2312         array allocation, inlining more of the accessors, reducing the cost of type
2313         checks, etc.
2314         
2315         An additional property of this patch is that typed arrays are mostly
2316         implemented using templates. This deduplicates a bunch of code, but does mean
2317         that we need some hacks for exporting s_info's of template classes. See
2318         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
2319         low-impact compared to code duplication.
2320         
2321         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
2322
2323         * CMakeLists.txt:
2324         * DerivedSources.make:
2325         * GNUmakefile.list.am:
2326         * JSCTypedArrayStubs.h: Removed.
2327         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2328         * JavaScriptCore.xcodeproj/project.pbxproj:
2329         * Target.pri:
2330         * bytecode/ByValInfo.h:
2331         (JSC::hasOptimizableIndexingForClassInfo):
2332         (JSC::jitArrayModeForClassInfo):
2333         (JSC::typedArrayTypeForJITArrayMode):
2334         * bytecode/SpeculatedType.cpp:
2335         (JSC::speculationFromClassInfo):
2336         * dfg/DFGArrayMode.cpp:
2337         (JSC::DFG::toTypedArrayType):
2338         * dfg/DFGArrayMode.h:
2339         (JSC::DFG::ArrayMode::typedArrayType):
2340         * dfg/DFGSpeculativeJIT.cpp:
2341         (JSC::DFG::SpeculativeJIT::checkArray):
2342         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2343         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2344         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2345         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2346         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2347         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2348         * dfg/DFGSpeculativeJIT.h:
2349         * dfg/DFGSpeculativeJIT32_64.cpp:
2350         (JSC::DFG::SpeculativeJIT::compile):
2351         * dfg/DFGSpeculativeJIT64.cpp:
2352         (JSC::DFG::SpeculativeJIT::compile):
2353         * heap/CopyToken.h:
2354         * heap/DeferGC.h:
2355         (JSC::DeferGCForAWhile::DeferGCForAWhile):
2356         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
2357         * heap/GCIncomingRefCounted.h: Added.
2358         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
2359         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
2360         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
2361         (JSC::GCIncomingRefCounted::incomingReferenceAt):
2362         (JSC::GCIncomingRefCounted::singletonFlag):
2363         (JSC::GCIncomingRefCounted::hasVectorOfCells):
2364         (JSC::GCIncomingRefCounted::hasAnyIncoming):
2365         (JSC::GCIncomingRefCounted::hasSingleton):
2366         (JSC::GCIncomingRefCounted::singleton):
2367         (JSC::GCIncomingRefCounted::vectorOfCells):
2368         * heap/GCIncomingRefCountedInlines.h: Added.
2369         (JSC::::addIncomingReference):
2370         (JSC::::filterIncomingReferences):
2371         * heap/GCIncomingRefCountedSet.h: Added.
2372         (JSC::GCIncomingRefCountedSet::size):
2373         * heap/GCIncomingRefCountedSetInlines.h: Added.
2374         (JSC::::GCIncomingRefCountedSet):
2375         (JSC::::~GCIncomingRefCountedSet):
2376         (JSC::::addReference):
2377         (JSC::::sweep):
2378         (JSC::::removeAll):
2379         (JSC::::removeDead):
2380         * heap/Heap.cpp:
2381         (JSC::Heap::addReference):
2382         (JSC::Heap::extraSize):
2383         (JSC::Heap::size):
2384         (JSC::Heap::capacity):
2385         (JSC::Heap::collect):
2386         (JSC::Heap::decrementDeferralDepth):
2387         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2388         * heap/Heap.h:
2389         * interpreter/CallFrame.h:
2390         (JSC::ExecState::dataViewTable):
2391         * jit/JIT.h:
2392         * jit/JITPropertyAccess.cpp:
2393         (JSC::JIT::privateCompileGetByVal):
2394         (JSC::JIT::privateCompilePutByVal):
2395         (JSC::JIT::emitIntTypedArrayGetByVal):
2396         (JSC::JIT::emitFloatTypedArrayGetByVal):
2397         (JSC::JIT::emitIntTypedArrayPutByVal):
2398         (JSC::JIT::emitFloatTypedArrayPutByVal):
2399         * jsc.cpp:
2400         (GlobalObject::finishCreation):
2401         * runtime/ArrayBuffer.cpp:
2402         (JSC::ArrayBuffer::transfer):
2403         * runtime/ArrayBuffer.h:
2404         (JSC::ArrayBuffer::createAdopted):
2405         (JSC::ArrayBuffer::ArrayBuffer):
2406         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
2407         (JSC::ArrayBuffer::pin):
2408         (JSC::ArrayBuffer::unpin):
2409         (JSC::ArrayBufferContents::tryAllocate):
2410         * runtime/ArrayBufferView.cpp:
2411         (JSC::ArrayBufferView::ArrayBufferView):
2412         (JSC::ArrayBufferView::~ArrayBufferView):
2413         (JSC::ArrayBufferView::setNeuterable):
2414         * runtime/ArrayBufferView.h:
2415         (JSC::ArrayBufferView::isNeutered):
2416         (JSC::ArrayBufferView::buffer):
2417         (JSC::ArrayBufferView::baseAddress):
2418         (JSC::ArrayBufferView::byteOffset):
2419         (JSC::ArrayBufferView::verifySubRange):
2420         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2421         (JSC::ArrayBufferView::calculateOffsetAndLength):
2422         * runtime/ClassInfo.h:
2423         * runtime/CommonIdentifiers.h:
2424         * runtime/DataView.cpp: Added.
2425         (JSC::DataView::DataView):
2426         (JSC::DataView::create):
2427         (JSC::DataView::wrap):
2428         * runtime/DataView.h: Added.
2429         (JSC::DataView::byteLength):
2430         (JSC::DataView::getType):
2431         (JSC::DataView::get):
2432         (JSC::DataView::set):
2433         * runtime/Float32Array.h:
2434         * runtime/Float64Array.h:
2435         * runtime/GenericTypedArrayView.h: Added.
2436         (JSC::GenericTypedArrayView::data):
2437         (JSC::GenericTypedArrayView::set):
2438         (JSC::GenericTypedArrayView::setRange):
2439         (JSC::GenericTypedArrayView::zeroRange):
2440         (JSC::GenericTypedArrayView::zeroFill):
2441         (JSC::GenericTypedArrayView::length):
2442         (JSC::GenericTypedArrayView::byteLength):
2443         (JSC::GenericTypedArrayView::item):
2444         (JSC::GenericTypedArrayView::checkInboundData):
2445         (JSC::GenericTypedArrayView::getType):
2446         * runtime/GenericTypedArrayViewInlines.h: Added.
2447         (JSC::::GenericTypedArrayView):
2448         (JSC::::create):
2449         (JSC::::createUninitialized):
2450         (JSC::::subarray):
2451         (JSC::::wrap):
2452         * runtime/IndexingHeader.h:
2453         (JSC::IndexingHeader::arrayBuffer):
2454         (JSC::IndexingHeader::setArrayBuffer):
2455         * runtime/Int16Array.h:
2456         * runtime/Int32Array.h:
2457         * runtime/Int8Array.h:
2458         * runtime/JSArrayBuffer.cpp: Added.
2459         (JSC::JSArrayBuffer::JSArrayBuffer):
2460         (JSC::JSArrayBuffer::finishCreation):
2461         (JSC::JSArrayBuffer::create):
2462         (JSC::JSArrayBuffer::createStructure):
2463         (JSC::JSArrayBuffer::getOwnPropertySlot):
2464         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
2465         (JSC::JSArrayBuffer::put):
2466         (JSC::JSArrayBuffer::defineOwnProperty):
2467         (JSC::JSArrayBuffer::deleteProperty):
2468         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2469         * runtime/JSArrayBuffer.h: Added.
2470         (JSC::JSArrayBuffer::impl):
2471         (JSC::toArrayBuffer):
2472         * runtime/JSArrayBufferConstructor.cpp: Added.
2473         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
2474         (JSC::JSArrayBufferConstructor::finishCreation):
2475         (JSC::JSArrayBufferConstructor::create):
2476         (JSC::JSArrayBufferConstructor::createStructure):
2477         (JSC::constructArrayBuffer):
2478         (JSC::JSArrayBufferConstructor::getConstructData):
2479         (JSC::JSArrayBufferConstructor::getCallData):
2480         * runtime/JSArrayBufferConstructor.h: Added.
2481         * runtime/JSArrayBufferPrototype.cpp: Added.
2482         (JSC::arrayBufferProtoFuncSlice):
2483         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
2484         (JSC::JSArrayBufferPrototype::finishCreation):
2485         (JSC::JSArrayBufferPrototype::create):
2486         (JSC::JSArrayBufferPrototype::createStructure):
2487         * runtime/JSArrayBufferPrototype.h: Added.
2488         * runtime/JSArrayBufferView.cpp: Added.
2489         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2490         (JSC::JSArrayBufferView::JSArrayBufferView):
2491         (JSC::JSArrayBufferView::finishCreation):
2492         (JSC::JSArrayBufferView::getOwnPropertySlot):
2493         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
2494         (JSC::JSArrayBufferView::put):
2495         (JSC::JSArrayBufferView::defineOwnProperty):
2496         (JSC::JSArrayBufferView::deleteProperty):
2497         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2498         (JSC::JSArrayBufferView::finalize):
2499         * runtime/JSArrayBufferView.h: Added.
2500         (JSC::JSArrayBufferView::sizeOf):
2501         (JSC::JSArrayBufferView::ConstructionContext::operator!):
2502         (JSC::JSArrayBufferView::ConstructionContext::structure):
2503         (JSC::JSArrayBufferView::ConstructionContext::vector):
2504         (JSC::JSArrayBufferView::ConstructionContext::length):
2505         (JSC::JSArrayBufferView::ConstructionContext::mode):
2506         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
2507         (JSC::JSArrayBufferView::mode):
2508         (JSC::JSArrayBufferView::vector):
2509         (JSC::JSArrayBufferView::length):
2510         (JSC::JSArrayBufferView::offsetOfVector):
2511         (JSC::JSArrayBufferView::offsetOfLength):
2512         (JSC::JSArrayBufferView::offsetOfMode):
2513         * runtime/JSArrayBufferViewInlines.h: Added.
2514         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
2515         (JSC::JSArrayBufferView::buffer):
2516         (JSC::JSArrayBufferView::impl):
2517         (JSC::JSArrayBufferView::neuter):
2518         (JSC::JSArrayBufferView::byteOffset):
2519         * runtime/JSCell.cpp:
2520         (JSC::JSCell::slowDownAndWasteMemory):
2521         (JSC::JSCell::getTypedArrayImpl):
2522         * runtime/JSCell.h:
2523         * runtime/JSDataView.cpp: Added.
2524         (JSC::JSDataView::JSDataView):
2525         (JSC::JSDataView::create):
2526         (JSC::JSDataView::createUninitialized):
2527         (JSC::JSDataView::set):
2528         (JSC::JSDataView::typedImpl):
2529         (JSC::JSDataView::getOwnPropertySlot):
2530         (JSC::JSDataView::getOwnPropertyDescriptor):
2531         (JSC::JSDataView::slowDownAndWasteMemory):
2532         (JSC::JSDataView::getTypedArrayImpl):
2533         (JSC::JSDataView::createStructure):
2534         * runtime/JSDataView.h: Added.
2535         * runtime/JSDataViewPrototype.cpp: Added.
2536         (JSC::JSDataViewPrototype::JSDataViewPrototype):
2537         (JSC::JSDataViewPrototype::create):
2538         (JSC::JSDataViewPrototype::createStructure):
2539         (JSC::JSDataViewPrototype::getOwnPropertySlot):
2540         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
2541         (JSC::getData):
2542         (JSC::setData):
2543         (JSC::dataViewProtoFuncGetInt8):
2544         (JSC::dataViewProtoFuncGetInt16):
2545         (JSC::dataViewProtoFuncGetInt32):
2546         (JSC::dataViewProtoFuncGetUint8):
2547         (JSC::dataViewProtoFuncGetUint16):
2548         (JSC::dataViewProtoFuncGetUint32):
2549         (JSC::dataViewProtoFuncGetFloat32):
2550         (JSC::dataViewProtoFuncGetFloat64):
2551         (JSC::dataViewProtoFuncSetInt8):
2552         (JSC::dataViewProtoFuncSetInt16):
2553         (JSC::dataViewProtoFuncSetInt32):
2554         (JSC::dataViewProtoFuncSetUint8):
2555         (JSC::dataViewProtoFuncSetUint16):
2556         (JSC::dataViewProtoFuncSetUint32):
2557         (JSC::dataViewProtoFuncSetFloat32):
2558         (JSC::dataViewProtoFuncSetFloat64):
2559         * runtime/JSDataViewPrototype.h: Added.
2560         * runtime/JSFloat32Array.h: Added.
2561         * runtime/JSFloat64Array.h: Added.
2562         * runtime/JSGenericTypedArrayView.h: Added.
2563         (JSC::JSGenericTypedArrayView::byteLength):
2564         (JSC::JSGenericTypedArrayView::byteSize):
2565         (JSC::JSGenericTypedArrayView::typedVector):
2566         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
2567         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
2568         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
2569         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
2570         (JSC::JSGenericTypedArrayView::getIndexQuickly):
2571         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
2572         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
2573         (JSC::JSGenericTypedArrayView::setIndexQuickly):
2574         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
2575         (JSC::JSGenericTypedArrayView::typedImpl):
2576         (JSC::JSGenericTypedArrayView::createStructure):
2577         (JSC::JSGenericTypedArrayView::info):
2578         (JSC::toNativeTypedView):
2579         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
2580         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
2581         (JSC::::JSGenericTypedArrayViewConstructor):
2582         (JSC::::finishCreation):
2583         (JSC::::create):
2584         (JSC::::createStructure):
2585         (JSC::constructGenericTypedArrayView):
2586         (JSC::::getConstructData):
2587         (JSC::::getCallData):
2588         * runtime/JSGenericTypedArrayViewInlines.h: Added.
2589         (JSC::::JSGenericTypedArrayView):
2590         (JSC::::create):
2591         (JSC::::createUninitialized):
2592         (JSC::::validateRange):
2593         (JSC::::setWithSpecificType):
2594         (JSC::::set):
2595         (JSC::::getOwnPropertySlot):
2596         (JSC::::getOwnPropertyDescriptor):
2597         (JSC::::put):
2598         (JSC::::defineOwnProperty):
2599         (JSC::::deleteProperty):
2600         (JSC::::getOwnPropertySlotByIndex):
2601         (JSC::::putByIndex):
2602         (JSC::::deletePropertyByIndex):
2603         (JSC::::getOwnNonIndexPropertyNames):
2604         (JSC::::getOwnPropertyNames):
2605         (JSC::::visitChildren):
2606         (JSC::::copyBackingStore):
2607         (JSC::::slowDownAndWasteMemory):
2608         (JSC::::getTypedArrayImpl):
2609         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
2610         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
2611         (JSC::genericTypedArrayViewProtoFuncSet):
2612         (JSC::genericTypedArrayViewProtoFuncSubarray):
2613         (JSC::::JSGenericTypedArrayViewPrototype):
2614         (JSC::::finishCreation):
2615         (JSC::::create):
2616         (JSC::::createStructure):
2617         * runtime/JSGlobalObject.cpp:
2618         (JSC::JSGlobalObject::reset):
2619         (JSC::JSGlobalObject::visitChildren):
2620         * runtime/JSGlobalObject.h:
2621         (JSC::JSGlobalObject::arrayBufferPrototype):
2622         (JSC::JSGlobalObject::arrayBufferStructure):
2623         (JSC::JSGlobalObject::typedArrayStructure):
2624         * runtime/JSInt16Array.h: Added.
2625         * runtime/JSInt32Array.h: Added.
2626         * runtime/JSInt8Array.h: Added.
2627         * runtime/JSTypedArrayConstructors.cpp: Added.
2628         * runtime/JSTypedArrayConstructors.h: Added.
2629         * runtime/JSTypedArrayPrototypes.cpp: Added.
2630         * runtime/JSTypedArrayPrototypes.h: Added.
2631         * runtime/JSTypedArrays.cpp: Added.
2632         * runtime/JSTypedArrays.h: Added.
2633         * runtime/JSUint16Array.h: Added.
2634         * runtime/JSUint32Array.h: Added.
2635         * runtime/JSUint8Array.h: Added.
2636         * runtime/JSUint8ClampedArray.h: Added.
2637         * runtime/Operations.h:
2638         * runtime/Options.h:
2639         * runtime/SimpleTypedArrayController.cpp: Added.
2640         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
2641         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
2642         (JSC::SimpleTypedArrayController::toJS):
2643         * runtime/SimpleTypedArrayController.h: Added.
2644         * runtime/Structure.h:
2645         (JSC::Structure::couldHaveIndexingHeader):
2646         * runtime/StructureInlines.h:
2647         (JSC::Structure::hasIndexingHeader):
2648         * runtime/TypedArrayAdaptors.h: Added.
2649         (JSC::IntegralTypedArrayAdaptor::toNative):
2650         (JSC::IntegralTypedArrayAdaptor::toJSValue):
2651         (JSC::IntegralTypedArrayAdaptor::toDouble):
2652         (JSC::FloatTypedArrayAdaptor::toNative):
2653         (JSC::FloatTypedArrayAdaptor::toJSValue):
2654         (JSC::FloatTypedArrayAdaptor::toDouble):
2655         (JSC::Uint8ClampedAdaptor::toNative):
2656         (JSC::Uint8ClampedAdaptor::toJSValue):
2657         (JSC::Uint8ClampedAdaptor::toDouble):
2658         (JSC::Uint8ClampedAdaptor::clamp):
2659         * runtime/TypedArrayController.cpp: Added.
2660         (JSC::TypedArrayController::TypedArrayController):
2661         (JSC::TypedArrayController::~TypedArrayController):
2662         * runtime/TypedArrayController.h: Added.
2663         * runtime/TypedArrayDescriptor.h: Removed.
2664         * runtime/TypedArrayInlines.h: Added.
2665         * runtime/TypedArrayType.cpp: Added.
2666         (JSC::classInfoForType):
2667         (WTF::printInternal):
2668         * runtime/TypedArrayType.h: Added.
2669         (JSC::toIndex):
2670         (JSC::isTypedView):
2671         (JSC::elementSize):
2672         (JSC::isInt):
2673         (JSC::isFloat):
2674         (JSC::isSigned):
2675         (JSC::isClamped):
2676         * runtime/TypedArrays.h: Added.
2677         * runtime/Uint16Array.h:
2678         * runtime/Uint32Array.h:
2679         * runtime/Uint8Array.h:
2680         * runtime/Uint8ClampedArray.h:
2681         * runtime/VM.cpp:
2682         (JSC::VM::VM):
2683         (JSC::VM::~VM):
2684         * runtime/VM.h:
2685
2686 2013-08-15  Oliver Hunt  <oliver@apple.com>
2687
2688         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
2689
2690         Reviewed by Filip Pizlo.
2691
2692         Make sure dfgCapabilities doesn't report a Dynamic put as
2693         being compilable when we don't actually support it.
2694
2695         * bytecode/CodeBlock.cpp:
2696         (JSC::CodeBlock::dumpBytecode):
2697         * dfg/DFGCapabilities.cpp:
2698         (JSC::DFG::capabilityLevel):
2699
2700 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2701
2702         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
2703         https://bugs.webkit.org/show_bug.cgi?id=119847
2704
2705         Reviewed by Oliver Hunt.
2706
2707         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
2708         * runtime/ArrayBufferView.h: Ditto.
2709
2710 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
2711
2712         https://bugs.webkit.org/show_bug.cgi?id=119843
2713         PropertySlot::setValue is ambiguous
2714
2715         Reviewed by Geoff Garen.
2716
2717         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
2718         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
2719         Unify on always providing the object, and remove the version that just takes a value.
2720         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
2721         Provide a version of setValue that takes a JSString as the owner of the property.
2722         We won't store this, but it makes it clear that this interface should only be used from JSString.
2723
2724         * API/JSCallbackObjectFunctions.h:
2725         (JSC::::getOwnPropertySlot):
2726         * JSCTypedArrayStubs.h:
2727         * runtime/Arguments.cpp:
2728         (JSC::Arguments::getOwnPropertySlotByIndex):
2729         (JSC::Arguments::getOwnPropertySlot):
2730         * runtime/JSActivation.cpp:
2731         (JSC::JSActivation::symbolTableGet):
2732         (JSC::JSActivation::getOwnPropertySlot):
2733         * runtime/JSArray.cpp:
2734         (JSC::JSArray::getOwnPropertySlot):
2735         * runtime/JSObject.cpp:
2736         (JSC::JSObject::getOwnPropertySlotByIndex):
2737         * runtime/JSString.h:
2738         (JSC::JSString::getStringPropertySlot):
2739         * runtime/JSSymbolTableObject.h:
2740         (JSC::symbolTableGet):
2741         * runtime/SparseArrayValueMap.cpp:
2742         (JSC::SparseArrayEntry::get):
2743             - Pass object containing property to PropertySlot::setValue
2744         * runtime/PropertySlot.h:
2745         (JSC::PropertySlot::setValue):
2746             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
2747         (JSC::PropertySlot::setUndefined):
2748             - removed setValue(JSValue), added setValue(JSString*, JSValue)
2749
2750 2013-08-15  Oliver Hunt  <oliver@apple.com>
2751
2752         Remove bogus assertion.
2753
2754         RS=Filip Pizlo
2755
2756         * dfg/DFGAbstractInterpreterInlines.h:
2757         (JSC::DFG::::executeEffects):
2758
2759 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2760
2761         REGRESSION(r148790) Made 7 tests fail on x86 32bit
2762         https://bugs.webkit.org/show_bug.cgi?id=114913
2763
2764         Reviewed by Filip Pizlo.
2765
2766         The X87 register was not freed before some calls. Instead
2767         of inserting resetX87Registers to the last call sites,
2768         the two X87 registers are now freed in every call.
2769
2770         * llint/LowLevelInterpreter32_64.asm:
2771         * llint/LowLevelInterpreter64.asm:
2772         * offlineasm/instructions.rb:
2773         * offlineasm/x86.rb:
2774
2775 2013-08-14  Michael Saboff  <msaboff@apple.com>
2776
2777         Fixed jit on Win64.
2778         https://bugs.webkit.org/show_bug.cgi?id=119601
2779
2780         Reviewed by Oliver Hunt.
2781
2782         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
2783         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
2784         * jit/SlowPathCall.h:
2785         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
2786
2787 2013-08-14  Alex Christensen  <achristensen@apple.com>
2788
2789         Compile fix for Win64 with jit disabled.
2790         https://bugs.webkit.org/show_bug.cgi?id=119804
2791
2792         Reviewed by Michael Saboff.
2793
2794         * offlineasm/cloop.rb: Added std:: before isnan.
2795
2796 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
2797
2798         DFG_JIT implementation for sh4 architecture.
2799         https://bugs.webkit.org/show_bug.cgi?id=119737
2800
2801         Reviewed by Oliver Hunt.
2802
2803         * assembler/MacroAssemblerSH4.h:
2804         (JSC::MacroAssemblerSH4::invert):
2805         (JSC::MacroAssemblerSH4::add32):
2806         (JSC::MacroAssemblerSH4::and32):
2807         (JSC::MacroAssemblerSH4::lshift32):
2808         (JSC::MacroAssemblerSH4::mul32):
2809         (JSC::MacroAssemblerSH4::or32):
2810         (JSC::MacroAssemblerSH4::rshift32):
2811         (JSC::MacroAssemblerSH4::sub32):
2812         (JSC::MacroAssemblerSH4::xor32):
2813         (JSC::MacroAssemblerSH4::store32):
2814         (JSC::MacroAssemblerSH4::swapDouble):
2815         (JSC::MacroAssemblerSH4::storeDouble):
2816         (JSC::MacroAssemblerSH4::subDouble):
2817         (JSC::MacroAssemblerSH4::mulDouble):
2818         (JSC::MacroAssemblerSH4::divDouble):
2819         (JSC::MacroAssemblerSH4::negateDouble):
2820         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
2821         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
2822         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
2823         (JSC::MacroAssemblerSH4::swap):
2824         (JSC::MacroAssemblerSH4::jump):
2825         (JSC::MacroAssemblerSH4::branchNeg32):
2826         (JSC::MacroAssemblerSH4::branchAdd32):
2827         (JSC::MacroAssemblerSH4::branchMul32):
2828         (JSC::MacroAssemblerSH4::urshift32):
2829         * assembler/SH4Assembler.h:
2830         (JSC::SH4Assembler::SH4Assembler):
2831         (JSC::SH4Assembler::labelForWatchpoint):
2832         (JSC::SH4Assembler::label):
2833         (JSC::SH4Assembler::debugOffset):
2834         * dfg/DFGAssemblyHelpers.h:
2835         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
2836         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
2837         (JSC::DFG::AssemblyHelpers::debugCall):
2838         * dfg/DFGCCallHelpers.h:
2839         (JSC::DFG::CCallHelpers::setupArguments):
2840         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2841         * dfg/DFGFPRInfo.h:
2842         (JSC::DFG::FPRInfo::toRegister):
2843         (JSC::DFG::FPRInfo::toIndex):
2844         (JSC::DFG::FPRInfo::debugName):
2845         * dfg/DFGGPRInfo.h:
2846         (JSC::DFG::GPRInfo::toRegister):
2847         (JSC::DFG::GPRInfo::toIndex):
2848         (JSC::DFG::GPRInfo::debugName):
2849         * dfg/DFGOperations.cpp:
2850         * dfg/DFGSpeculativeJIT.h:
2851         (JSC::DFG::SpeculativeJIT::callOperation):
2852         * jit/JITStubs.h:
2853         * jit/JITStubsSH4.h:
2854
2855 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2856
2857         Unreviewed, fix build.
2858
2859         * API/JSValue.mm:
2860         (isDate):
2861         (isArray):
2862         * API/JSWrapperMap.mm:
2863         (tryUnwrapObjcObject):
2864         * API/ObjCCallbackFunction.mm:
2865         (tryUnwrapBlock):
2866
2867 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2868
2869         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
2870         https://bugs.webkit.org/show_bug.cgi?id=119770
2871
2872         Reviewed by Mark Hahnenberg.
2873
2874         * API/JSCallbackConstructor.cpp:
2875         (JSC::JSCallbackConstructor::finishCreation):
2876         * API/JSCallbackConstructor.h:
2877         (JSC::JSCallbackConstructor::createStructure):
2878         * API/JSCallbackFunction.cpp:
2879         (JSC::JSCallbackFunction::finishCreation):
2880         * API/JSCallbackFunction.h:
2881         (JSC::JSCallbackFunction::createStructure):
2882         * API/JSCallbackObject.cpp:
2883         (JSC::::createStructure):
2884         * API/JSCallbackObject.h:
2885         (JSC::JSCallbackObject::visitChildren):
2886         * API/JSCallbackObjectFunctions.h:
2887         (JSC::::asCallbackObject):
2888         (JSC::::finishCreation):
2889         * API/JSObjectRef.cpp:
2890         (JSObjectGetPrivate):
2891         (JSObjectSetPrivate):
2892         (JSObjectGetPrivateProperty):
2893         (JSObjectSetPrivateProperty):
2894         (JSObjectDeletePrivateProperty):
2895         * API/JSValueRef.cpp:
2896         (JSValueIsObjectOfClass):
2897         * API/JSWeakObjectMapRefPrivate.cpp:
2898         * API/ObjCCallbackFunction.h:
2899         (JSC::ObjCCallbackFunction::createStructure):
2900         * JSCTypedArrayStubs.h:
2901         * bytecode/CallLinkStatus.cpp:
2902         (JSC::CallLinkStatus::CallLinkStatus):
2903         (JSC::CallLinkStatus::function):
2904         (JSC::CallLinkStatus::internalFunction):
2905         * bytecode/CodeBlock.h:
2906         (JSC::baselineCodeBlockForInlineCallFrame):
2907         * bytecode/SpeculatedType.cpp:
2908         (JSC::speculationFromClassInfo):
2909         * bytecode/UnlinkedCodeBlock.cpp:
2910         (JSC::UnlinkedFunctionExecutable::visitChildren):
2911         (JSC::UnlinkedCodeBlock::visitChildren):
2912         (JSC::UnlinkedProgramCodeBlock::visitChildren):
2913         * bytecode/UnlinkedCodeBlock.h:
2914         (JSC::UnlinkedFunctionExecutable::createStructure):
2915         (JSC::UnlinkedProgramCodeBlock::createStructure):
2916         (JSC::UnlinkedEvalCodeBlock::createStructure):
2917         (JSC::UnlinkedFunctionCodeBlock::createStructure):
2918         * debugger/Debugger.cpp:
2919         * debugger/DebuggerActivation.cpp:
2920         (JSC::DebuggerActivation::visitChildren):
2921         * debugger/DebuggerActivation.h:
2922         (JSC::DebuggerActivation::createStructure):
2923         * debugger/DebuggerCallFrame.cpp:
2924         (JSC::DebuggerCallFrame::functionName):
2925         * dfg/DFGAbstractInterpreterInlines.h:
2926         (JSC::DFG::::executeEffects):
2927         * dfg/DFGByteCodeParser.cpp:
2928         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2929         (JSC::DFG::ByteCodeParser::parseBlock):
2930         * dfg/DFGFixupPhase.cpp:
2931         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2932         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
2933         * dfg/DFGGraph.cpp:
2934         (JSC::DFG::Graph::dump):
2935         * dfg/DFGGraph.h:
2936         (JSC::DFG::Graph::isInternalFunctionConstant):
2937         * dfg/DFGOperations.cpp:
2938         * dfg/DFGSpeculativeJIT.cpp:
2939         (JSC::DFG::SpeculativeJIT::checkArray):
2940         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2941         * dfg/DFGThunks.cpp:
2942         (JSC::DFG::virtualForThunkGenerator):
2943         * interpreter/Interpreter.cpp:
2944         (JSC::loadVarargs):
2945         * jsc.cpp:
2946         (GlobalObject::createStructure):
2947         * profiler/LegacyProfiler.cpp:
2948         (JSC::LegacyProfiler::createCallIdentifier):
2949         * runtime/Arguments.cpp:
2950         (JSC::Arguments::visitChildren):
2951         * runtime/Arguments.h:
2952         (JSC::Arguments::createStructure):
2953         (JSC::asArguments):
2954         (JSC::Arguments::finishCreation):
2955         * runtime/ArrayConstructor.cpp:
2956         (JSC::arrayConstructorIsArray):
2957         * runtime/ArrayConstructor.h:
2958         (JSC::ArrayConstructor::createStructure):
2959         * runtime/ArrayPrototype.cpp:
2960         (JSC::ArrayPrototype::finishCreation):
2961         (JSC::arrayProtoFuncConcat):
2962         (JSC::attemptFastSort):
2963         * runtime/ArrayPrototype.h:
2964         (JSC::ArrayPrototype::createStructure):
2965         * runtime/BooleanConstructor.h:
2966         (JSC::BooleanConstructor::createStructure):
2967         * runtime/BooleanObject.cpp:
2968         (JSC::BooleanObject::finishCreation):
2969         * runtime/BooleanObject.h:
2970         (JSC::BooleanObject::createStructure):
2971         (JSC::asBooleanObject):
2972         * runtime/BooleanPrototype.cpp:
2973         (JSC::BooleanPrototype::finishCreation):
2974         (JSC::booleanProtoFuncToString):
2975         (JSC::booleanProtoFuncValueOf):
2976         * runtime/BooleanPrototype.h:
2977         (JSC::BooleanPrototype::createStructure):
2978         * runtime/DateConstructor.cpp:
2979         (JSC::constructDate):
2980         * runtime/DateConstructor.h:
2981         (JSC::DateConstructor::createStructure):
2982         * runtime/DateInstance.cpp:
2983         (JSC::DateInstance::finishCreation):
2984         * runtime/DateInstance.h:
2985         (JSC::DateInstance::createStructure):
2986         (JSC::asDateInstance):
2987         * runtime/DatePrototype.cpp:
2988         (JSC::formateDateInstance):
2989         (JSC::DatePrototype::finishCreation):
2990         (JSC::dateProtoFuncToISOString):
2991         (JSC::dateProtoFuncToLocaleString):
2992         (JSC::dateProtoFuncToLocaleDateString):
2993         (JSC::dateProtoFuncToLocaleTimeString):
2994         (JSC::dateProtoFuncGetTime):
2995         (JSC::dateProtoFuncGetFullYear):
2996         (JSC::dateProtoFuncGetUTCFullYear):
2997         (JSC::dateProtoFuncGetMonth):
2998         (JSC::dateProtoFuncGetUTCMonth):
2999         (JSC::dateProtoFuncGetDate):
3000         (JSC::dateProtoFuncGetUTCDate):
3001         (JSC::dateProtoFuncGetDay):
3002         (JSC::dateProtoFuncGetUTCDay):
3003         (JSC::dateProtoFuncGetHours):
3004         (JSC::dateProtoFuncGetUTCHours):
3005         (JSC::dateProtoFuncGetMinutes):
3006         (JSC::dateProtoFuncGetUTCMinutes):
3007         (JSC::dateProtoFuncGetSeconds):
3008         (JSC::dateProtoFuncGetUTCSeconds):
3009         (JSC::dateProtoFuncGetMilliSeconds):
3010         (JSC::dateProtoFuncGetUTCMilliseconds):
3011         (JSC::dateProtoFuncGetTimezoneOffset):
3012         (JSC::dateProtoFuncSetTime):
3013         (JSC::setNewValueFromTimeArgs):
3014         (JSC::setNewValueFromDateArgs):
3015         (JSC::dateProtoFuncSetYear):
3016         (JSC::dateProtoFuncGetYear):
3017         * runtime/DatePrototype.h:
3018         (JSC::DatePrototype::createStructure):
3019         * runtime/Error.h:
3020         (JSC::StrictModeTypeErrorFunction::createStructure):
3021         * runtime/ErrorConstructor.h:
3022         (JSC::ErrorConstructor::createStructure):
3023         * runtime/ErrorInstance.cpp:
3024         (JSC::ErrorInstance::finishCreation):
3025         * runtime/ErrorInstance.h:
3026         (JSC::ErrorInstance::createStructure):
3027         * runtime/ErrorPrototype.cpp:
3028         (JSC::ErrorPrototype::finishCreation):
3029         * runtime/ErrorPrototype.h:
3030         (JSC::ErrorPrototype::createStructure):
3031         * runtime/ExceptionHelpers.cpp:
3032         (JSC::isTerminatedExecutionException):
3033         * runtime/ExceptionHelpers.h:
3034         (JSC::TerminatedExecutionError::createStructure):
3035         * runtime/Executable.cpp:
3036         (JSC::EvalExecutable::visitChildren):
3037         (JSC::ProgramExecutable::visitChildren):
3038         (JSC::FunctionExecutable::visitChildren):
3039         (JSC::ExecutableBase::hashFor):
3040         * runtime/Executable.h:
3041         (JSC::ExecutableBase::createStructure):
3042         (JSC::NativeExecutable::createStructure):
3043         (JSC::EvalExecutable::createStructure):
3044         (JSC::ProgramExecutable::createStructure):
3045         (JSC::FunctionExecutable::compileFor):
3046         (JSC::FunctionExecutable::compileOptimizedFor):
3047         (JSC::FunctionExecutable::createStructure):
3048         * runtime/FunctionConstructor.h:
3049         (JSC::FunctionConstructor::createStructure):
3050         * runtime/FunctionPrototype.cpp:
3051         (JSC::functionProtoFuncToString):
3052         (JSC::functionProtoFuncApply):
3053         (JSC::functionProtoFuncBind):
3054         * runtime/FunctionPrototype.h:
3055         (JSC::FunctionPrototype::createStructure):
3056         * runtime/GetterSetter.cpp:
3057         (JSC::GetterSetter::visitChildren):
3058         * runtime/GetterSetter.h:
3059         (JSC::GetterSetter::createStructure):
3060         * runtime/InternalFunction.cpp:
3061         (JSC::InternalFunction::finishCreation):
3062         * runtime/InternalFunction.h:
3063         (JSC::InternalFunction::createStructure):
3064         (JSC::asInternalFunction):
3065         * runtime/JSAPIValueWrapper.h:
3066         (JSC::JSAPIValueWrapper::createStructure):
3067         * runtime/JSActivation.cpp:
3068         (JSC::JSActivation::visitChildren):
3069         (JSC::JSActivation::argumentsGetter):
3070         * runtime/JSActivation.h:
3071         (JSC::JSActivation::createStructure):
3072         (JSC::asActivation):
3073         * runtime/JSArray.h:
3074         (JSC::JSArray::createStructure):
3075         (JSC::asArray):
3076         (JSC::isJSArray):
3077         * runtime/JSBoundFunction.cpp:
3078         (JSC::JSBoundFunction::finishCreation):
3079         (JSC::JSBoundFunction::visitChildren):
3080         * runtime/JSBoundFunction.h:
3081         (JSC::JSBoundFunction::createStructure):
3082         * runtime/JSCJSValue.cpp:
3083         (JSC::JSValue::dumpInContext):
3084         * runtime/JSCJSValueInlines.h:
3085         (JSC::JSValue::isFunction):
3086         * runtime/JSCell.h:
3087         (JSC::jsCast):
3088         (JSC::jsDynamicCast):
3089         * runtime/JSCellInlines.h:
3090         (JSC::allocateCell):
3091         * runtime/JSFunction.cpp:
3092         (JSC::JSFunction::finishCreation):
3093         (JSC::JSFunction::visitChildren):
3094         (JSC::skipOverBoundFunctions):
3095         (JSC::JSFunction::callerGetter):
3096         * runtime/JSFunction.h:
3097         (JSC::JSFunction::createStructure):
3098         * runtime/JSGlobalObject.cpp:
3099         (JSC::JSGlobalObject::visitChildren):
3100         (JSC::slowValidateCell):
3101         * runtime/JSGlobalObject.h:
3102         (JSC::JSGlobalObject::createStructure):
3103         * runtime/JSNameScope.cpp:
3104         (JSC::JSNameScope::visitChildren):
3105         * runtime/JSNameScope.h:
3106         (JSC::JSNameScope::createStructure):
3107         * runtime/JSNotAnObject.h:
3108         (JSC::JSNotAnObject::createStructure):
3109         * runtime/JSONObject.cpp:
3110         (JSC::JSONObject::finishCreation):
3111         (JSC::unwrapBoxedPrimitive):
3112         (JSC::Stringifier::Stringifier):
3113         (JSC::Stringifier::appendStringifiedValue):
3114         (JSC::Stringifier::Holder::Holder):
3115         (JSC::Walker::walk):
3116         (JSC::JSONProtoFuncStringify):
3117         * runtime/JSONObject.h:
3118         (JSC::JSONObject::createStructure):
3119         * runtime/JSObject.cpp:
3120         (JSC::getCallableObjectSlow):
3121         (JSC::JSObject::visitChildren):
3122         (JSC::JSObject::copyBackingStore):
3123         (JSC::JSFinalObject::visitChildren):
3124         (JSC::JSObject::ensureInt32Slow):
3125         (JSC::JSObject::ensureDoubleSlow):
3126         (JSC::JSObject::ensureContiguousSlow):
3127         (JSC::JSObject::ensureArrayStorageSlow):
3128         * runtime/JSObject.h:
3129         (JSC::JSObject::finishCreation):
3130         (JSC::JSObject::createStructure):
3131         (JSC::JSNonFinalObject::createStructure):
3132         (JSC::JSFinalObject::createStructure):
3133         (JSC::isJSFinalObject):
3134         * runtime/JSPropertyNameIterator.cpp:
3135         (JSC::JSPropertyNameIterator::visitChildren):
3136         * runtime/JSPropertyNameIterator.h:
3137         (JSC::JSPropertyNameIterator::createStructure):
3138         * runtime/JSProxy.cpp:
3139         (JSC::JSProxy::visitChildren):
3140         * runtime/JSProxy.h:
3141         (JSC::JSProxy::createStructure):
3142         * runtime/JSScope.cpp:
3143         (JSC::JSScope::visitChildren):
3144         * runtime/JSSegmentedVariableObject.cpp:
3145         (JSC::JSSegmentedVariableObject::visitChildren):
3146         * runtime/JSString.h:
3147         (JSC::JSString::createStructure):
3148         (JSC::isJSString):
3149         * runtime/JSSymbolTableObject.cpp:
3150         (JSC::JSSymbolTableObject::visitChildren):
3151         * runtime/JSVariableObject.h:
3152         * runtime/JSWithScope.cpp:
3153         (JSC::JSWithScope::visitChildren):
3154         * runtime/JSWithScope.h:
3155         (JSC::JSWithScope::createStructure):
3156         * runtime/JSWrapperObject.cpp:
3157         (JSC::JSWrapperObject::visitChildren):
3158         * runtime/JSWrapperObject.h:
3159         (JSC::JSWrapperObject::createStructure):
3160         * runtime/MathObject.cpp:
3161         (JSC::MathObject::finishCreation):
3162         * runtime/MathObject.h:
3163         (JSC::MathObject::createStructure):
3164         * runtime/NameConstructor.h:
3165         (JSC::NameConstructor::createStructure):
3166         * runtime/NameInstance.h:
3167         (JSC::NameInstance::createStructure):
3168         (JSC::NameInstance::finishCreation):
3169         * runtime/NamePrototype.cpp:
3170         (JSC::NamePrototype::finishCreation):
3171         (JSC::privateNameProtoFuncToString):
3172         * runtime/NamePrototype.h:
3173         (JSC::NamePrototype::createStructure):
3174         * runtime/NativeErrorConstructor.cpp:
3175         (JSC::NativeErrorConstructor::visitChildren):
3176         * runtime/NativeErrorConstructor.h:
3177         (JSC::NativeErrorConstructor::createStructure):
3178         (JSC::NativeErrorConstructor::finishCreation):
3179         * runtime/NumberConstructor.cpp:
3180         (JSC::NumberConstructor::finishCreation):
3181         * runtime/NumberConstructor.h:
3182         (JSC::NumberConstructor::createStructure):
3183         * runtime/NumberObject.cpp:
3184         (JSC::NumberObject::finishCreation):
3185         * runtime/NumberObject.h:
3186         (JSC::NumberObject::createStructure):
3187         * runtime/NumberPrototype.cpp:
3188         (JSC::NumberPrototype::finishCreation):
3189         * runtime/NumberPrototype.h:
3190         (JSC::NumberPrototype::createStructure):
3191         * runtime/ObjectConstructor.h:
3192         (JSC::ObjectConstructor::createStructure):
3193         * runtime/ObjectPrototype.cpp:
3194         (JSC::ObjectPrototype::finishCreation):
3195         * runtime/ObjectPrototype.h:
3196         (JSC::ObjectPrototype::createStructure):
3197         * runtime/PropertyMapHashTable.h:
3198         (JSC::PropertyTable::createStructure):
3199         * runtime/PropertyTable.cpp:
3200         (JSC::PropertyTable::visitChildren):
3201         * runtime/RegExp.h:
3202         (JSC::RegExp::createStructure):
3203         * runtime/RegExpConstructor.cpp:
3204         (JSC::RegExpConstructor::finishCreation):
3205         (JSC::RegExpConstructor::visitChildren):
3206         (JSC::constructRegExp):
3207         * runtime/RegExpConstructor.h:
3208         (JSC::RegExpConstructor::createStructure):
3209         (JSC::asRegExpConstructor):
3210         * runtime/RegExpMatchesArray.cpp:
3211         (JSC::RegExpMatchesArray::visitChildren):
3212         * runtime/RegExpMatchesArray.h:
3213         (JSC::RegExpMatchesArray::createStructure):
3214         * runtime/RegExpObject.cpp:
3215         (JSC::RegExpObject::finishCreation):
3216         (JSC::RegExpObject::visitChildren):
3217         * runtime/RegExpObject.h:
3218         (JSC::RegExpObject::createStructure):
3219         (JSC::asRegExpObject):
3220         * runtime/RegExpPrototype.cpp:
3221         (JSC::regExpProtoFuncTest):
3222         (JSC::regExpProtoFuncExec):
3223         (JSC::regExpProtoFuncCompile):
3224         (JSC::regExpProtoFuncToString):
3225         * runtime/RegExpPrototype.h:
3226         (JSC::RegExpPrototype::createStructure):
3227         * runtime/SparseArrayValueMap.cpp:
3228         (JSC::SparseArrayValueMap::createStructure):
3229         * runtime/SparseArrayValueMap.h:
3230         * runtime/StrictEvalActivation.h:
3231         (JSC::StrictEvalActivation::createStructure):
3232         * runtime/StringConstructor.h:
3233         (JSC::StringConstructor::createStructure):
3234         * runtime/StringObject.cpp:
3235         (JSC::StringObject::finishCreation):
3236         * runtime/StringObject.h:
3237         (JSC::StringObject::createStructure):
3238         (JSC::asStringObject):
3239         * runtime/StringPrototype.cpp:
3240         (JSC::StringPrototype::finishCreation):
3241         (JSC::stringProtoFuncReplace):
3242         (JSC::stringProtoFuncToString):
3243         (JSC::stringProtoFuncMatch):
3244         (JSC::stringProtoFuncSearch):
3245         (JSC::stringProtoFuncSplit):
3246         * runtime/StringPrototype.h:
3247         (JSC::StringPrototype::createStructure):
3248         * runtime/Structure.cpp:
3249         (JSC::Structure::Structure):
3250         (JSC::Structure::materializePropertyMap):
3251         (JSC::Structure::get):
3252         (JSC::Structure::visitChildren):
3253         * runtime/Structure.h:
3254         (JSC::Structure::typeInfo):
3255         (JSC::Structure::previousID):
3256         (JSC::Structure::outOfLineSize):
3257         (JSC::Structure::totalStorageCapacity):
3258         (JSC::Structure::materializePropertyMapIfNecessary):
3259         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3260         * runtime/StructureChain.cpp:
3261         (JSC::StructureChain::visitChildren):
3262         * runtime/StructureChain.h:
3263         (JSC::StructureChain::createStructure):
3264         * runtime/StructureInlines.h:
3265         (JSC::Structure::get):
3266         * runtime/StructureRareData.cpp:
3267         (JSC::StructureRareData::createStructure):
3268         (JSC::StructureRareData::visitChildren):
3269         * runtime/StructureRareData.h:
3270         * runtime/SymbolTable.h:
3271         (JSC::SharedSymbolTable::createStructure):
3272         * runtime/VM.cpp:
3273         (JSC::VM::VM):
3274         (JSC::StackPreservingRecompiler::operator()):
3275         (JSC::VM::releaseExecutableMemory):
3276         * runtime/WriteBarrier.h:
3277         (JSC::validateCell):
3278         * testRegExp.cpp:
3279         (GlobalObject::createStructure):
3280
3281 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
3282
3283         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
3284         https://bugs.webkit.org/show_bug.cgi?id=119762
3285
3286         Reviewed by Geoffrey Garen.
3287
3288         * heap/Heap.cpp:
3289         (JSC::Heap::Heap):
3290         (JSC::Heap::markRoots):
3291         (JSC::Heap::collect):
3292         * jsc.cpp:
3293         (StopWatch::start):
3294         (StopWatch::stop):
3295         * testRegExp.cpp:
3296         (StopWatch::start):
3297         (StopWatch::stop):
3298
3299 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
3300
3301         [sh4] Prepare LLINT for DFG_JIT implementation.
3302         https://bugs.webkit.org/show_bug.cgi?id=119755
3303
3304         Reviewed by Oliver Hunt.
3305
3306         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
3307         * offlineasm/sh4.rb:
3308             - Handle storeb opcode.
3309             - Make relative jumps when possible using braf opcode.
3310             - Update bmulio implementation to be consistent with baseline JIT.
3311             - Remove useless code from leap opcode.
3312             - Fix incorrect comment.
3313
3314 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
3315
3316         [sh4] Prepare baseline JIT for DFG_JIT implementation.
3317         https://bugs.webkit.org/show_bug.cgi?id=119758
3318
3319         Reviewed by Oliver Hunt.
3320
3321         * assembler/MacroAssemblerSH4.h:
3322             - Introduce a loadEffectiveAddress function to avoid code duplication.
3323             - Add ASSERTs and clean code.
3324         * assembler/SH4Assembler.h:
3325             - Prepare DFG_JIT implementation.
3326             - Add ASSERTs.
3327         * jit/JITStubs.cpp:
3328             - Add SH4 specific call for assertions.
3329         * jit/JITStubs.h:
3330             - Cosmetic change.
3331         * jit/JITStubsSH4.h:
3332             - Use constants to be more flexible with sh4 JIT stack frame.
3333         * jit/JSInterfaceJIT.h:
3334             - Cosmetic change.
3335
3336 2013-08-13  Oliver Hunt  <oliver@apple.com>
3337
3338         Harden executeConstruct against incorrect return types from host functions
3339         https://bugs.webkit.org/show_bug.cgi?id=119757
3340
3341         Reviewed by Mark Hahnenberg.
3342
3343         Add logic to guard against bogus return types.  There doesn't seem to be any
3344         class in webkit that does this wrong, but the typed array stubs in debug JSC
3345         do exhibit this bad behaviour.
3346
3347         * interpreter/Interpreter.cpp:
3348         (JSC::Interpreter::executeConstruct):
3349
3350 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3351
3352         [Qt] Fix C++11 build with gcc 4.4 and 4.5
3353         https://bugs.webkit.org/show_bug.cgi?id=119736
3354
3355         Reviewed by Anders Carlsson.
3356
3357         Don't force C++11 mode off anymore.
3358
3359         * Target.pri:
3360
3361 2013-08-12  Oliver Hunt  <oliver@apple.com>
3362
3363         Remove CodeBlock's notion of adding identifiers entirely
3364         https://bugs.webkit.org/show_bug.cgi?id=119708
3365
3366         Reviewed by Geoffrey Garen.
3367
3368         Remove addAdditionalIdentifier entirely, including the bogus assertion.
3369         Move the addition of identifiers to DFGPlan::reallyAdd.
3370
3371         * bytecode/CodeBlock.h:
3372         * dfg/DFGDesiredIdentifiers.cpp:
3373         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3374         * dfg/DFGDesiredIdentifiers.h:
3375         * dfg/DFGPlan.cpp:
3376         (JSC::DFG::Plan::reallyAdd):
3377         (JSC::DFG::Plan::finalize):
3378         * dfg/DFGPlan.h:
3379
3380 2013-08-12  Oliver Hunt  <oliver@apple.com>
3381
3382         Build fix
3383
3384         * runtime/JSCell.h:
3385
3386 2013-08-12  Oliver Hunt  <oliver@apple.com>
3387
3388         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
3389         https://bugs.webkit.org/show_bug.cgi?id=119705
3390
3391         Reviewed by Geoffrey Garen.
3392
3393         Relatively trivial refactoring.
3394
3395         * bytecode/CodeBlock.h:
3396         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
3397         (JSC::CodeBlock::addAdditionalIdentifier):
3398         (JSC::CodeBlock::identifier):
3399         (JSC::CodeBlock::numberOfIdentifiers):
3400         * dfg/DFGCommonData.h:
3401
3402 2013-08-12  Oliver Hunt  <oliver@apple.com>
3403
3404         Stop making unnecessary copy of CodeBlock Identifier Vector
3405         https://bugs.webkit.org/show_bug.cgi?id=119702
3406
3407         Reviewed by Michael Saboff.
3408
3409         Make CodeBlock simply use a separate Vector for additional Identifiers
3410         and use the UnlinkedCodeBlock for the initial set of identifiers.
3411
3412         * bytecode/CodeBlock.cpp:
3413         (JSC::CodeBlock::printGetByIdOp):
3414         (JSC::dumpStructure):
3415         (JSC::dumpChain):
3416         (JSC::CodeBlock::printGetByIdCacheStatus):
3417         (JSC::CodeBlock::printPutByIdOp):
3418         (JSC::CodeBlock::dumpBytecode):
3419         (JSC::CodeBlock::CodeBlock):
3420         (JSC::CodeBlock::shrinkToFit):
3421         * bytecode/CodeBlock.h:
3422         (JSC::CodeBlock::numberOfIdentifiers):
3423         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
3424         (JSC::CodeBlock::addAdditionalIdentifier):
3425         (JSC::CodeBlock::identifier):
3426         * dfg/DFGDesiredIdentifiers.cpp:
3427         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3428         * jit/JIT.h:
3429         * jit/JITOpcodes.cpp:
3430         (JSC::JIT::emitSlow_op_get_arguments_length):
3431         * jit/JITPropertyAccess.cpp:
3432         (JSC::JIT::emit_op_get_by_id):
3433         (JSC::JIT::compileGetByIdHotPath):
3434         (JSC::JIT::emitSlow_op_get_by_id):
3435         (JSC::JIT::compileGetByIdSlowCase):
3436         (JSC::JIT::emitSlow_op_put_by_id):
3437         * jit/JITPropertyAccess32_64.cpp:
3438         (JSC::JIT::emit_op_get_by_id):
3439         (JSC::JIT::compileGetByIdHotPath):
3440         (JSC::JIT::compileGetByIdSlowCase):
3441         * jit/JITStubs.cpp:
3442         (JSC::DEFINE_STUB_FUNCTION):
3443         * llint/LLIntSlowPaths.cpp:
3444         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3445
3446 2013-08-08  Mark Lam  <mark.lam@apple.com>
3447
3448         Restoring use of StackIterator instead of Interpreter::getStacktrace().
3449         https://bugs.webkit.org/show_bug.cgi?id=119575.
3450
3451         Reviewed by Oliver Hunt.
3452
3453         * interpreter/Interpreter.h:
3454         - Made getStackTrace() private.
3455         * interpreter/StackIterator.cpp:
3456         (JSC::StackIterator::StackIterator):
3457         (JSC::StackIterator::numberOfFrames):
3458         - Computes the number of frames by iterating through the whole stack
3459           from the starting frame. The iterator will save its current frame
3460           position before counting the frames, and then restore it after
3461           the counting.
3462         (JSC::StackIterator::gotoFrameAtIndex):
3463         (JSC::StackIterator::gotoNextFrame):
3464         (JSC::StackIterator::resetIterator):
3465         - Points the iterator to the starting frame.
3466         * interpreter/StackIteratorPrivate.h:
3467
3468 2013-08-08  Mark Lam  <mark.lam@apple.com>
3469
3470         Moved ErrorConstructor and NativeErrorConstructor helper functions into
3471         the Interpreter class.
3472         https://bugs.webkit.org/show_bug.cgi?id=119576.
3473
3474         Reviewed by Oliver Hunt.
3475
3476         This change is needed to prepare for making Interpreter::getStackTrace()
3477         private. It does not change the behavior of the code, only the lexical
3478         scoping.
3479
3480         * interpreter/Interpreter.h:
3481         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
3482         * runtime/ErrorConstructor.cpp:
3483         (JSC::Interpreter::constructWithErrorConstructor):
3484         (JSC::ErrorConstructor::getConstructData):
3485         (JSC::Interpreter::callErrorConstructor):
3486         (JSC::ErrorConstructor::getCallData):
3487         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
3488           directly. So, we moved the helper functions into the Interpreter
3489           class.
3490         * runtime/NativeErrorConstructor.cpp:
3491         (JSC::Interpreter::constructWithNativeErrorConstructor):
3492         (JSC::NativeErrorConstructor::getConstructData):
3493         (JSC::Interpreter::callNativeErrorConstructor):
3494         (JSC::NativeErrorConstructor::getCallData):
3495         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
3496           directly. So, we moved the helper functions into the Interpreter
3497           class.
3498
3499 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3500
3501         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
3502         https://bugs.webkit.org/show_bug.cgi?id=119555
3503
3504         Reviewed by Geoffrey Garen.
3505
3506         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
3507         This was causing crashes on maps.google.com in 32-bit debug builds.
3508
3509         * dfg/DFGSpeculativeJIT32_64.cpp:
3510         (JSC::DFG::SpeculativeJIT::compile):
3511
3512 2013-08-06  Michael Saboff  <msaboff@apple.com>
3513
3514         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
3515         https://bugs.webkit.org/show_bug.cgi?id=119405
3516
3517         Reviewed by Geoffrey Garen.
3518
3519         * dfg/DFGSpeculativeJIT.cpp:
3520         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
3521         ourselves to save a register and then load from it.
3522
3523 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
3524
3525         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
3526         https://bugs.webkit.org/show_bug.cgi?id=119528
3527
3528         Reviewed by Geoffrey Garen.
3529
3530         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
3531         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
3532         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
3533         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
3534         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
3535
3536         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
3537
3538         * bytecode/CodeBlock.cpp:
3539         (JSC::CodeBlock::finalizeUnconditionally):
3540         * dfg/DFGDriver.cpp:
3541         (JSC::DFG::compile):
3542         * dfg/DFGFixupPhase.cpp:
3543         (JSC::DFG::FixupPhase::fixupNode):
3544         * dfg/DFGGraph.cpp:
3545         (JSC::DFG::Graph::dump):
3546         * dfg/DFGSpeculativeJIT64.cpp:
3547         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3548         * runtime/JSObject.h:
3549         (JSC::JSObject::getIndexQuickly):
3550         (JSC::JSObject::tryGetIndexQuickly):
3551
3552 2013-08-08  Stephanie Lewis  <slewis@apple.com>
3553
3554         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
3555
3556         Unreviewed.
3557
3558         Ensure llint symbols are in source order.
3559
3560         * JavaScriptCore.order:
3561
3562 2013-08-06  Mark Lam  <mark.lam@apple.com>
3563
3564         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
3565         https://bugs.webkit.org/show_bug.cgi?id=119532.
3566
3567         Reviewed by Oliver Hunt.
3568
3569         * parser/Parser.cpp:
3570         (JSC::::Parser):
3571         - Just need to initialize the Parser's JSTokenLocation's initial line and
3572           startOffset as well during Parser construction.
3573
3574 2013-08-06  Stephanie Lewis  <slewis@apple.com>
3575
3576         Update Order Files for Safari
3577         <rdar://problem/14517392>
3578
3579         Unreviewed.
3580
3581         * JavaScriptCore.order:
3582
3583 2013-08-04  Sam Weinig  <sam@webkit.org>
3584
3585         Remove support for HTML5 MicroData
3586         https://bugs.webkit.org/show_bug.cgi?id=119480
3587
3588         Reviewed by Anders Carlsson.
3589
3590         * Configurations/FeatureDefines.xcconfig:
3591
3592 2013-08-05  Oliver Hunt  <oliver@apple.com>
3593
3594         Delay Arguments creation in strict mode
3595         https://bugs.webkit.org/show_bug.cgi?id=119505
3596
3597         Reviewed by Geoffrey Garen.
3598
3599         Make use of the write tracking performed by the parser to
3600         allow us to know if we're modifying the parameters to a function.
3601         Then use that information to make strict mode functions opt out
3602         of eager arguments creation.
3603
3604         * bytecompiler/BytecodeGenerator.cpp:
3605         (JSC::BytecodeGenerator::BytecodeGenerator):
3606         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3607         (JSC::BytecodeGenerator::emitReturn):
3608         * bytecompiler/BytecodeGenerator.h:
3609         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
3610         * parser/Nodes.h:
3611         (JSC::ScopeNode::modifiesParameter):
3612         * parser/Parser.cpp:
3613         (JSC::::parseInner):
3614         * parser/Parser.h:
3615         (JSC::Scope::declareParameter):
3616         (JSC::Scope::getCapturedVariables):
3617         (JSC::Parser::declareWrite):
3618         * parser/ParserModes.h:
3619
3620 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
3621
3622         Remove useless code from COMPILER(RVCT) JITStubs
3623         https://bugs.webkit.org/show_bug.cgi?id=119521
3624
3625         Reviewed by Geoffrey Garen.
3626
3627         * jit/JITStubsARMv7.h:
3628         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
3629         (JSC::ctiOpThrowNotCaught): Ditto.
3630
3631 2013-07-23  David Farler  <dfarler@apple.com>
3632
3633         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
3634         https://bugs.webkit.org/show_bug.cgi?id=117762
3635
3636         Reviewed by Mark Rowe.
3637
3638         * Configurations/DebugRelease.xcconfig:
3639         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
3640         * Configurations/JavaScriptCore.xcconfig:
3641         Add ASAN_OTHER_LDFLAGS.
3642         * Configurations/ToolExecutable.xcconfig:
3643         Don't use ASAN for build tools.
3644
3645 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
3646
3647         Build fix for ARM MSVC after r153222 and r153648.
3648
3649         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
3650
3651 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
3652
3653         Build fix for ARM MSVC after r150109.
3654
3655         Read the stub template from a header file instead of JITStubs.cpp.
3656
3657         * CMakeLists.txt:
3658         * DerivedSources.pri:
3659         * create_jit_stubs:
3660
3661 2013-08-05  Oliver Hunt  <oliver@apple.com>
3662
3663         Move TypedArray implementation into JSC
3664         https://bugs.webkit.org/show_bug.cgi?id=119489
3665
3666         Reviewed by Filip Pizlo.
3667
3668         Move TypedArray implementation into JSC in advance of re-implementation.
3669
3670         * GNUmakefile.list.am:
3671         * JSCTypedArrayStubs.h:
3672         * JavaScriptCore.xcodeproj/project.pbxproj:
3673         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
3674         (JSC::ArrayBuffer::transfer):
3675         (JSC::ArrayBuffer::addView):
3676         (JSC::ArrayBuffer::removeView):
3677         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
3678         (JSC::ArrayBufferContents::ArrayBufferContents):
3679         (JSC::ArrayBufferContents::data):
3680         (JSC::ArrayBufferContents::sizeInBytes):
3681         (JSC::ArrayBufferContents::transfer):
3682         (JSC::ArrayBufferContents::copyTo):
3683         (JSC::ArrayBuffer::isNeutered):
3684         (JSC::ArrayBuffer::~ArrayBuffer):
3685         (JSC::ArrayBuffer::clampValue):
3686         (JSC::ArrayBuffer::create):
3687         (JSC::ArrayBuffer::createUninitialized):
3688         (JSC::ArrayBuffer::ArrayBuffer):
3689         (JSC::ArrayBuffer::data):
3690         (JSC::ArrayBuffer::byteLength):
3691         (JSC::ArrayBuffer::slice):
3692         (JSC::ArrayBuffer::sliceImpl):
3693         (JSC::ArrayBuffer::clampIndex):
3694         (JSC::ArrayBufferContents::tryAllocate):
3695         (JSC::ArrayBufferContents::~ArrayBufferContents):
3696         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
3697         (JSC::ArrayBufferView::ArrayBufferView):
3698         (JSC::ArrayBufferView::~ArrayBufferView):
3699         (JSC::ArrayBufferView::neuter):
3700         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
3701         (JSC::ArrayBufferView::buffer):
3702         (JSC::ArrayBufferView::baseAddress):
3703         (JSC::ArrayBufferView::byteOffset):
3704         (JSC::ArrayBufferView::setNeuterable):
3705         (JSC::ArrayBufferView::isNeuterable):
3706         (JSC::ArrayBufferView::verifySubRange):
3707         (JSC::ArrayBufferView::clampOffsetAndNumElements):
3708         (JSC::ArrayBufferView::setImpl):
3709         (JSC::ArrayBufferView::setRangeImpl):
3710         (JSC::ArrayBufferView::zeroRangeImpl):
3711         (JSC::ArrayBufferView::calculateOffsetAndLength):
3712         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
3713         (JSC::Float32Array::set):
3714         (JSC::Float32Array::getType):
3715         (JSC::Float32Array::create):
3716         (JSC::Float32Array::createUninitialized):
3717         (JSC::Float32Array::Float32Array):
3718         (JSC::Float32Array::subarray):
3719         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
3720         (JSC::Float64Array::set):
3721         (JSC::Float64Array::getType):
3722         (JSC::Float64Array::create):
3723         (JSC::Float64Array::createUninitialized):
3724         (JSC::Float64Array::Float64Array):
3725         (JSC::Float64Array::subarray):
3726         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
3727         (JSC::Int16Array::getType):
3728         (JSC::Int16Array::create):
3729         (JSC::Int16Array::createUninitialized):
3730         (JSC::Int16Array::Int16Array):
3731         (JSC::Int16Array::subarray):
3732         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
3733         (JSC::Int32Array::getType):
3734         (JSC::Int32Array::create):
3735         (JSC::Int32Array::createUninitialized):
3736         (JSC::Int32Array::Int32Array):
3737         (JSC::Int32Array::subarray):
3738         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
3739         (JSC::Int8Array::getType):
3740         (JSC::Int8Array::create):
3741         (JSC::Int8Array::createUninitialized):
3742         (JSC::Int8Array::Int8Array):
3743         (JSC::Int8Array::subarray):
3744         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
3745         (JSC::IntegralTypedArrayBase::set):
3746         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
3747         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
3748         (JSC::TypedArrayBase::data):
3749         (JSC::TypedArrayBase::set):
3750         (JSC::TypedArrayBase::setRange):
3751         (JSC::TypedArrayBase::zeroRange):
3752         (JSC::TypedArrayBase::length):
3753         (JSC::TypedArrayBase::byteLength):
3754         (JSC::TypedArrayBase::item):
3755         (JSC::TypedArrayBase::checkInboundData):
3756         (JSC::TypedArrayBase::TypedArrayBase):
3757         (JSC::TypedArrayBase::create):
3758         (JSC::TypedArrayBase::createUninitialized):
3759         (JSC::TypedArrayBase::subarrayImpl):
3760         (JSC::TypedArrayBase::neuter):
3761         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
3762         (JSC::Uint16Array::getType):
3763         (JSC::Uint16Array::create):
3764         (JSC::Uint16Array::createUninitialized):
3765         (JSC::Uint16Array::Uint16Array):
3766         (JSC::Uint16Array::subarray):
3767         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
3768         (JSC::Uint32Array::getType):
3769         (JSC::Uint32Array::create):
3770         (JSC::Uint32Array::createUninitialized):
3771         (JSC::Uint32Array::Uint32Array):
3772         (JSC::Uint32Array::subarray):
3773         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
3774         (JSC::Uint8Array::getType):
3775         (JSC::Uint8Array::create):
3776         (JSC::Uint8Array::createUninitialized):
3777         (JSC::Uint8Array::Uint8Array):
3778         (JSC::Uint8Array::subarray):
3779         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
3780         (JSC::Uint8ClampedArray::getType):
3781         (JSC::Uint8ClampedArray::create):
3782         (JSC::Uint8ClampedArray::createUninitialized):
3783         (JSC::Uint8ClampedArray::zeroFill):
3784         (JSC::Uint8ClampedArray::set):
3785         (JSC::Uint8ClampedArray::Uint8ClampedArray):
3786         (JSC::Uint8ClampedArray::subarray):
3787         * runtime/VM.h:
3788
3789 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
3790
3791         Copied space should be able to handle more than one copied backing store per JSCell
3792         https://bugs.webkit.org/show_bug.cgi?id=119471
3793
3794         Reviewed by Mark Hahnenberg.
3795         
3796         This allows a cell to call copyLater() multiple times for multiple different
3797         backing stores, and then have copyBackingStore() called exactly once for each
3798         of those. A token tells it which backing store to copy. All backing stores
3799         must be named using the CopyToken, an enumeration which currently cannot
3800         exceed eight entries.
3801         
3802         When copyBackingStore() is called, it's up to the callee to (a) use the token
3803         to decide what to copy and (b) call its base class's copyBackingStore() in
3804         case the base class had something that needed copying. The only exception is
3805         that JSCell never asks anything to be copied, and so if your base is JSCell
3806         then you don't have to do anything.
3807
3808         * GNUmakefile.list.am:
3809         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3810         * JavaScriptCore.xcodeproj/project.pbxproj:
3811         * heap/CopiedBlock.h:
3812         * heap/CopiedBlockInlines.h:
3813         (JSC::CopiedBlock::reportLiveBytes):
3814         * heap/CopyToken.h: Added.
3815         * heap/CopyVisitor.cpp:
3816         (JSC::CopyVisitor::copyFromShared):
3817         * heap/CopyVisitor.h:
3818         * heap/CopyVisitorInlines.h:
3819         (JSC::CopyVisitor::visitItem):
3820         * heap/CopyWorkList.h:
3821         (JSC::CopyWorklistItem::CopyWorklistItem):
3822         (JSC::CopyWorklistItem::cell):
3823         (JSC::CopyWorklistItem::token):
3824         (JSC::CopyWorkListSegment::get):
3825         (JSC::CopyWorkListSegment::append):
3826         (JSC::CopyWorkListSegment::data):
3827         (JSC::CopyWorkListIterator::get):
3828         (JSC::CopyWorkListIterator::operator*):
3829         (JSC::CopyWorkListIterator::operator->):
3830         (JSC::CopyWorkList::append):
3831         * heap/SlotVisitor.h:
3832         * heap/SlotVisitorInlines.h:
3833         (JSC::SlotVisitor::copyLater):
3834         * runtime/ClassInfo.h:
3835         * runtime/JSCell.cpp:
3836         (JSC::JSCell::copyBackingStore):
3837         * runtime/JSCell.h:
3838         * runtime/JSObject.cpp:
3839         (JSC::JSObject::visitButterfly):
3840         (JSC::JSObject::copyBackingStore):
3841         * runtime/JSObject.h:
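
The copyLater()/copyBackingStore() contract this entry describes, as an added stand-alone C++ model. This is not JavaScriptCore code: Cell, CopyVisitor, ObjectCell, ArrayCell, ForgetfulArrayCell and the two token names are invented for the illustration, and the one-byte request mask is the model's own way of using the eight-entry cap the entry mentions.

```cpp
// Added stand-alone model of the copyLater()/copyBackingStore() protocol.
// Not JavaScriptCore code: every class and token name below is invented.
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

// The entry caps the token enumeration at eight entries; that is what lets a
// one-byte mask remember which stores a cell has already requested.
enum CopyToken : unsigned { PropertyStorageToken = 0, IndexedStorageToken = 1, CopyTokenCount = 2 };
static_assert(CopyTokenCount <= 8, "a CopyToken must fit in an 8-bit mask");

class CopyVisitor;

// Plays the role of JSCell: it never asks for anything to be copied, so its
// copyBackingStore() is a no-op and a direct subclass need not chain to it.
class Cell {
public:
    virtual ~Cell() {}
    virtual void visitChildren(CopyVisitor&) {}
    virtual void copyBackingStore(CopyToken) {}
};

// Queues (cell, token) requests, then issues exactly one copyBackingStore()
// call per distinct request; a repeated request for the same store is dropped.
class CopyVisitor {
public:
    void copyLater(Cell* cell, CopyToken token) {
        uint8_t bit = uint8_t(1u << token);
        uint8_t& mask = requested_[cell];   // value-initialised to zero for a new cell
        if (mask & bit) return;
        mask |= bit;
        workList_.push_back({cell, token});
    }
    size_t copyAll() {   // returns the number of copyBackingStore() calls issued
        for (auto& item : workList_) item.first->copyBackingStore(item.second);
        size_t calls = workList_.size();
        workList_.clear();
        return calls;
    }
private:
    std::map<Cell*, uint8_t> requested_;
    std::vector<std::pair<Cell*, CopyToken>> workList_;
};

// Stands in for "copy the backing store into newly allocated space".
static void copyToNewSpace(std::vector<int>& store) { std::vector<int>(store).swap(store); }

// One copied store. Both counters live here so every scenario below can be
// summarised the same way.
class ObjectCell : public Cell {
public:
    std::vector<int> propertyStorage{1, 2, 3};
    int propertyCopies = 0, indexedCopies = 0;
    void visitChildren(CopyVisitor& v) override { v.copyLater(this, PropertyStorageToken); }
    void copyBackingStore(CopyToken token) override {
        if (token == PropertyStorageToken) { copyToNewSpace(propertyStorage); ++propertyCopies; } // (a)
        Cell::copyBackingStore(token);   // base is JSCell-like, so this is a harmless no-op
    }
};

// Adds a second store and handles it correctly: its own token first, then
// (b) chains to the base so the base's store is copied as well.
class ArrayCell : public ObjectCell {
public:
    std::vector<int> indexedStorage{4, 5};
    void visitChildren(CopyVisitor& v) override {
        ObjectCell::visitChildren(v);
        v.copyLater(this, IndexedStorageToken);
    }
    void copyBackingStore(CopyToken token) override {
        if (token == IndexedStorageToken) { copyToNewSpace(indexedStorage); ++indexedCopies; }
        ObjectCell::copyBackingStore(token);
    }
};

// The failure mode the entry warns about: no chaining, so the base's store
// is silently left behind in the old space.
class ForgetfulArrayCell : public ArrayCell {
public:
    void copyBackingStore(CopyToken token) override {
        if (token == IndexedStorageToken) { copyToNewSpace(indexedStorage); ++indexedCopies; }
        // Missing: ObjectCell::copyBackingStore(token);
    }
};

struct CycleResult { int propertyCopies; int indexedCopies; size_t calls; };

// Runs one copy cycle over a fresh cell of type T and summarises what happened.
template <class T> CycleResult runCopyCycle() {
    T cell;
    CopyVisitor visitor;
    cell.visitChildren(visitor);
    size_t calls = visitor.copyAll();
    return {cell.propertyCopies, cell.indexedCopies, calls};
}

// Asking twice for the same store still yields a single copyBackingStore() call.
size_t callsAfterRepeatedRequest() {
    ObjectCell cell;
    CopyVisitor visitor;
    visitor.copyLater(&cell, PropertyStorageToken);
    visitor.copyLater(&cell, PropertyStorageToken);
    return visitor.copyAll();
}
```

runCopyCycle<ArrayCell>() copies both stores with two calls; runCopyCycle<ForgetfulArrayCell>() still receives two calls but leaves propertyCopies at zero, which is the bug a subclass gets when it skips the base-class call the entry requires.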
3842
3843 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
3844
3845         [Automake] Define ENABLE_JIT through the Autoconf header
3846         https://bugs.webkit.org/show_bug.cgi?id=119445
3847
3848         Reviewed by Martin Robinson.
3849
3850         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
3851
3852 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
3853
3854         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
3855         https://bugs.webkit.org/show_bug.cgi?id=119470
3856
3857         Reviewed by Oliver Hunt.
3858         
3859         Structure can still tell you if the object "could" (in the conservative sense)
3860         have an indexing header; that's used by the compiler.
3861         
3862         Most of the time if you want to know if there's an indexing header, you ask the
3863         JSObject.
3864         
3865         In some cases, the JSObject wants to know if it would have an indexing header if
3866         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
3867
3868         * dfg/DFGRepatch.cpp:
3869         (JSC::DFG::tryCachePutByID):
3870         (JSC::DFG::tryBuildPutByIdList):
3871         * dfg/DFGSpeculativeJIT.cpp:
3872         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3873         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3874         * runtime/ButterflyInlines.h:
3875         (JSC::Butterfly::create):
3876         (JSC::Butterfly::growPropertyStorage):
3877         (JSC::Butterfly::growArrayRight):
3878         (JSC::Butterfly::resizeArray):
3879         * runtime/JSObject.cpp:
3880         (JSC::JSObject::copyButterfly):
3881         (JSC::JSObject::visitButterfly):
3882         * runtime/JSObject.h:
3883         (JSC::JSObject::hasIndexingHeader):
3884         (JSC::JSObject::setButterfly):
3885         * runtime/Structure.h:
3886         (JSC::Structure::couldHaveIndexingHeader):
3887         (JSC::Structure::hasIndexingHeader):
3888
3889 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3890
3891         Give the error object's stack property accessor attributes.
3892         https://bugs.webkit.org/show_bug.cgi?id=119404
3893
3894         Reviewed by Geoffrey Garen.
3895         
3896         Changed the attributes of error object's stack property to allow developers to write
3897         and delete the stack property. This will match the functionality of Chrome. Firefox
3898         allows developers to write the error's stack, but not delete it.
3899
3900         * interpreter/Interpreter.cpp:
3901         (JSC::Interpreter::addStackTraceIfNecessary):
3902         * runtime/ErrorInstance.cpp:
3903         (JSC::ErrorInstance::finishCreation):
3904
3905 2013-08-02  Oliver Hunt  <oliver@apple.com>
3906
3907         Incorrect type speculation reported by ToPrimitive
3908         https://bugs.webkit.org/show_bug.cgi?id=119458
3909
3910         Reviewed by Mark Hahnenberg.
3911
3912         Make sure that we report the correct type possibilities for the output
3913         from ToPrimitive.
3914
3915         * dfg/DFGAbstractInterpreterInlines.h:
3916         (JSC::DFG::::executeEffects):
3917
3918 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
3919
3920         Remove no-arguments constructor to PropertySlot
3921         https://bugs.webkit.org/show_bug.cgi?id=119460
3922
3923         Reviewed by Geoff Garen.
3924
3925         This constructor was unsafe if getValue is subsequently called,
3926         and the property is a getter. Simplest to just remove it.
3927
3928         * runtime/Arguments.cpp:
3929         (JSC::Arguments::defineOwnProperty):
3930         * runtime/JSActivation.cpp:
3931         (JSC::JSActivation::getOwnPropertyDescriptor):
3932         * runtime/JSFunction.cpp:
3933         (JSC::JSFunction::getOwnPropertyDescriptor):
3934         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3935         (JSC::JSFunction::put):
3936         (JSC::JSFunction::defineOwnProperty):
3937         * runtime/JSGlobalObject.cpp:
3938         (JSC::JSGlobalObject::defineOwnProperty):
3939         * runtime/JSGlobalObject.h:
3940         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
3941         * runtime/JSNameScope.cpp:
3942         (JSC::JSNameScope::put):
3943         * runtime/JSONObject.cpp:
3944         (JSC::Stringifier::Holder::appendNextProperty):
3945         (JSC::Walker::walk):
3946         * runtime/JSObject.cpp:
3947         (JSC::JSObject::hasProperty):
3948         (JSC::JSObject::hasOwnProperty):
3949         (JSC::JSObject::reifyStaticFunctionsForDelete):
3950         * runtime/Lookup.h:
3951         (JSC::getStaticPropertyDescriptor):
3952         (JSC::getStaticFunctionDescriptor):
3953         (JSC::getStaticValueDescriptor):
3954         * runtime/ObjectConstructor.cpp:
3955         (JSC::defineProperties):
3956         * runtime/PropertySlot.h:
3957
3958 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3959