Update LLVM binary drops and scripts to the latest version from SVN
1 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
2
3         Update LLVM binary drops and scripts to the latest version from SVN
4         https://bugs.webkit.org/show_bug.cgi?id=120184
5
6         Reviewed by Mark Hahnenberg.
7
8         * dfg/DFGPlan.cpp:
9         (JSC::DFG::Plan::compileInThreadImpl):
10
11 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
12
13         Don't leak registers for redeclared variables
14         https://bugs.webkit.org/show_bug.cgi?id=120174
15
16         Reviewed by Geoff Garen.
17
18         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
19         Only allocate new registers when necessary.
20
21         No performance impact.
22
23         * interpreter/Interpreter.cpp:
24         (JSC::Interpreter::execute):
25         * runtime/Executable.cpp:
26         (JSC::ProgramExecutable::initializeGlobalProperties):
27             - Don't allocate the register here.
28         * runtime/JSGlobalObject.cpp:
29         (JSC::JSGlobalObject::addGlobalVar):
30             - Allocate the register here instead.
31
32 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
33
34         https://bugs.webkit.org/show_bug.cgi?id=120128
35         Remove putDirectVirtual
36
37         Unreviewed, checked in commented out code. :-(
38
39         * interpreter/Interpreter.cpp:
40         (JSC::Interpreter::execute):
41             - delete commented out code
42
43 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
44
45         Error.stack should not be enumerable
46         https://bugs.webkit.org/show_bug.cgi?id=120171
47
48         Reviewed by Oliver Hunt.
49
50         Breaks ECMA tests.
51
52         * runtime/ErrorInstance.cpp:
53         (JSC::ErrorInstance::finishCreation):
54             - None -> DontEnum
55
56 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
57
58         https://bugs.webkit.org/show_bug.cgi?id=120128
59         Remove putDirectVirtual
60
61         Reviewed by Sam Weinig.
62
63         This could most generously be described as 'vestigial'.
64         No performance impact.
65
66         * API/JSObjectRef.cpp:
67         (JSObjectSetProperty):
68             - changed to use defineOwnProperty
69         * debugger/DebuggerActivation.cpp:
70         * debugger/DebuggerActivation.h:
71             - remove putDirectVirtual
72         * interpreter/Interpreter.cpp:
73         (JSC::Interpreter::execute):
74             - changed to use defineOwnProperty
75         * runtime/ClassInfo.h:
76         * runtime/JSActivation.cpp:
77         * runtime/JSActivation.h:
78         * runtime/JSCell.cpp:
79         * runtime/JSCell.h:
80         * runtime/JSGlobalObject.cpp:
81         * runtime/JSGlobalObject.h:
82         * runtime/JSObject.cpp:
83         * runtime/JSObject.h:
84         * runtime/JSProxy.cpp:
85         * runtime/JSProxy.h:
86         * runtime/JSSymbolTableObject.cpp:
87         * runtime/JSSymbolTableObject.h:
88             - remove putDirectVirtual
89         * runtime/PropertyDescriptor.h:
90         (JSC::PropertyDescriptor::PropertyDescriptor):
91             - added constructor for convenience
92
93 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
94
95         errorDescriptionForValue() should not assume error value is an Object
96         https://bugs.webkit.org/show_bug.cgi?id=119812
97
98         Reviewed by Geoffrey Garen.
99
100         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
101         has no type, the function now returns the empty string. 
102         * runtime/ExceptionHelpers.cpp:
103         (JSC::errorDescriptionForValue):
104
105 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
106
107         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
108         https://bugs.webkit.org/show_bug.cgi?id=120107
109
110         Reviewed by Yong Li.
111
112         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
113
114         * dfg/DFGSpeculativeJIT.h:
115         (JSC::DFG::SpeculativeJIT::callOperation):
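
A small C++ model of the register-alignment rule the entry above relies on, added here as illustration (not WebKit code; the function names and the four-register model are assumptions, the letters follow DFG operation type names: E = ExecState*, J = EncodedJSValue, S = size_t, P = pointer). It shows why a JIT caller that packs a 64-bit J argument into r1:r2 disagrees with a C++ callee compiled for ARM EABI or MIPS o32, which expects it in r2:r3.

```cpp
#include <string>
#include <vector>

// Simplified model of 32-bit ARM EABI (AAPCS) / MIPS o32 integer argument
// passing: four argument registers (r0-r3 on ARM, $4-$7 on MIPS), everything
// else on the stack. Signature letters: E = ExecState* (32-bit),
// J = EncodedJSValue (64-bit), S = size_t (32-bit), P = pointer (32-bit).
// Hypothetical helper, not JSC's callOperation.
static int widthInWords(char kind)
{
    return kind == 'J' ? 2 : 1;
}

// alignDoubleWords = true models the EABI rule: a 64-bit argument must start in
// an even-numbered register (r0:r1 or r2:r3) or at an 8-byte aligned stack
// slot. false models a caller that packs registers naively and therefore
// passes J in the wrong register pair whenever it would start at an odd one.
std::vector<std::string> assignArguments(const std::string& signature, bool alignDoubleWords)
{
    const int argRegisters = 4;
    int ncrn = 0; // next core register number
    int nsaa = 0; // next stacked argument address, in bytes
    std::vector<std::string> placement;
    for (char kind : signature) {
        int words = widthInWords(kind);
        if (alignDoubleWords && words == 2) {
            ncrn = (ncrn + 1) & ~1; // round up to an even register
            nsaa = (nsaa + 7) & ~7; // keep the stack slot 8-byte aligned
        }
        if (ncrn + words <= argRegisters) {
            std::string regs = "r" + std::to_string(ncrn);
            if (words == 2)
                regs += ":r" + std::to_string(ncrn + 1);
            placement.push_back(regs);
            ncrn += words;
        } else {
            ncrn = argRegisters; // once an argument spills, the rest go to the stack too
            placement.push_back("stack+" + std::to_string(nsaa));
            nsaa += 4 * words;
        }
    }
    return placement;
}

int main()
{
    // For the EJS signature the two models disagree: naive packing puts J in
    // r1:r2 and S in r3; the EABI rule puts J in r2:r3 and S on the stack.
    for (bool aligned : { false, true }) {
        std::string line = aligned ? "EABI:  " : "naive: ";
        for (const std::string& where : assignArguments("EJS", aligned))
            line += where + " ";
        puts(line.c_str());
    }
    return 0;
}
```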
116
117 2013-08-21  Commit Queue  <commit-queue@webkit.org>
118
119         Unreviewed, rolling out r154416.
120         http://trac.webkit.org/changeset/154416
121         https://bugs.webkit.org/show_bug.cgi?id=120147
122
123         Broke Windows builds (Requested by rniwa on #webkit).
124
125         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
126         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
127         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
128         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
129         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
130         * JavaScriptCore.vcxproj/build-generated-files.sh:
131
132 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
133
134         Clarify var/const/function declaration
135         https://bugs.webkit.org/show_bug.cgi?id=120144
136
137         Reviewed by Sam Weinig.
138
139         Add methods to JSGlobalObject to declare vars, consts, and functions.
140
141         * runtime/Executable.cpp:
142         (JSC::ProgramExecutable::initializeGlobalProperties):
143         * runtime/Executable.h:
144             - Moved declaration code to JSGlobalObject
145         * runtime/JSGlobalObject.cpp:
146         (JSC::JSGlobalObject::addGlobalVar):
147             - internal implementation of addVar, addConst, addFunction
148         * runtime/JSGlobalObject.h:
149         (JSC::JSGlobalObject::addVar):
150         (JSC::JSGlobalObject::addConst):
151         (JSC::JSGlobalObject::addFunction):
152             - Added methods to declare vars, consts, and functions
153
154 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
155
156         https://bugs.webkit.org/show_bug.cgi?id=119900
157         Exception in global setter doesn't unwind correctly
158
159         Reviewed by Geoffrey Garen.
160
161         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
162
163         * jit/JITStubs.cpp:
164         (JSC::DEFINE_STUB_FUNCTION):
165
166 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
167
168         Rename/refactor setButterfly/setStructure
169         https://bugs.webkit.org/show_bug.cgi?id=120138
170
171         Reviewed by Geoffrey Garen.
172
173         setButterfly becomes setStructureAndButterfly.
174
175         Also removed the Butterfly* argument from setStructure and just implicitly
176         used m_butterfly internally since that's what every single client of setStructure
177         was doing already.
178
179         * jit/JITStubs.cpp:
180         (JSC::DEFINE_STUB_FUNCTION):
181         * runtime/JSObject.cpp:
182         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
183         (JSC::JSObject::createInitialUndecided):
184         (JSC::JSObject::createInitialInt32):
185         (JSC::JSObject::createInitialDouble):
186         (JSC::JSObject::createInitialContiguous):
187         (JSC::JSObject::createArrayStorage):
188         (JSC::JSObject::convertUndecidedToInt32):
189         (JSC::JSObject::convertUndecidedToDouble):
190         (JSC::JSObject::convertUndecidedToContiguous):
191         (JSC::JSObject::convertUndecidedToArrayStorage):
192         (JSC::JSObject::convertInt32ToDouble):
193         (JSC::JSObject::convertInt32ToContiguous):
194         (JSC::JSObject::convertInt32ToArrayStorage):
195         (JSC::JSObject::genericConvertDoubleToContiguous):
196         (JSC::JSObject::convertDoubleToArrayStorage):
197         (JSC::JSObject::convertContiguousToArrayStorage):
198         (JSC::JSObject::switchToSlowPutArrayStorage):
199         (JSC::JSObject::setPrototype):
200         (JSC::JSObject::putDirectAccessor):
201         (JSC::JSObject::seal):
202         (JSC::JSObject::freeze):
203         (JSC::JSObject::preventExtensions):
204         (JSC::JSObject::reifyStaticFunctionsForDelete):
205         (JSC::JSObject::removeDirect):
206         * runtime/JSObject.h:
207         (JSC::JSObject::setStructureAndButterfly):
208         (JSC::JSObject::setStructure):
209         (JSC::JSObject::putDirectInternal):
210         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
211         (JSC::JSObject::putDirectWithoutTransition):
212         * runtime/Structure.cpp:
213         (JSC::Structure::flattenDictionaryStructure):
214
215 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
216
217         https://bugs.webkit.org/show_bug.cgi?id=120127
218         Remove JSObject::propertyIsEnumerable
219
220         Unreviewed typo fix
221
222         * runtime/JSObject.h:
223             - fix typo
224
225 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
226
227         https://bugs.webkit.org/show_bug.cgi?id=120139
228         PropertyDescriptor argument to define methods should be const
229
230         Rubber stamped by Sam Weinig.
231
232         This should never be modified, and this way we can use rvalues.
233
234         * debugger/DebuggerActivation.cpp:
235         (JSC::DebuggerActivation::defineOwnProperty):
236         * debugger/DebuggerActivation.h:
237         * runtime/Arguments.cpp:
238         (JSC::Arguments::defineOwnProperty):
239         * runtime/Arguments.h:
240         * runtime/ClassInfo.h:
241         * runtime/JSArray.cpp:
242         (JSC::JSArray::defineOwnProperty):
243         * runtime/JSArray.h:
244         * runtime/JSArrayBuffer.cpp:
245         (JSC::JSArrayBuffer::defineOwnProperty):
246         * runtime/JSArrayBuffer.h:
247         * runtime/JSArrayBufferView.cpp:
248         (JSC::JSArrayBufferView::defineOwnProperty):
249         * runtime/JSArrayBufferView.h:
250         * runtime/JSCell.cpp:
251         (JSC::JSCell::defineOwnProperty):
252         * runtime/JSCell.h:
253         * runtime/JSFunction.cpp:
254         (JSC::JSFunction::defineOwnProperty):
255         * runtime/JSFunction.h:
256         * runtime/JSGenericTypedArrayView.h:
257         * runtime/JSGenericTypedArrayViewInlines.h:
258         (JSC::::defineOwnProperty):
259         * runtime/JSGlobalObject.cpp:
260         (JSC::JSGlobalObject::defineOwnProperty):
261         * runtime/JSGlobalObject.h:
262         * runtime/JSObject.cpp:
263         (JSC::JSObject::putIndexedDescriptor):
264         (JSC::JSObject::defineOwnIndexedProperty):
265         (JSC::putDescriptor):
266         (JSC::JSObject::defineOwnNonIndexProperty):
267         (JSC::JSObject::defineOwnProperty):
268         * runtime/JSObject.h:
269         * runtime/JSProxy.cpp:
270         (JSC::JSProxy::defineOwnProperty):
271         * runtime/JSProxy.h:
272         * runtime/RegExpMatchesArray.h:
273         (JSC::RegExpMatchesArray::defineOwnProperty):
274         * runtime/RegExpObject.cpp:
275         (JSC::RegExpObject::defineOwnProperty):
276         * runtime/RegExpObject.h:
277         * runtime/StringObject.cpp:
278         (JSC::StringObject::defineOwnProperty):
279         * runtime/StringObject.h:
280             - make PropertyDescriptor const
281
282 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
283
284         REGRESSION: Crash under JITCompiler::link while loading Gmail
285         https://bugs.webkit.org/show_bug.cgi?id=119872
286
287         Reviewed by Mark Hahnenberg.
288         
289         Apparently, unsigned + signed = unsigned. Work around it with a cast.
290
291         * dfg/DFGByteCodeParser.cpp:
292         (JSC::DFG::ByteCodeParser::parseBlock):
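
An added C++ illustration of the conversion rule the entry above refers to (not WebKit code; the function names and the bytecode-index scenario are hypothetical). Under the usual arithmetic conversions, `unsigned + int` is computed as unsigned, so a result that should be negative is instead zero-extended into a huge index; a cast on the unsigned operand makes the addition signed, and a range check keeps the value from ever being used as an index.

```cpp
#include <cstdint>
#include <cstdio>

// Naive form: `currentIndex + relativeOffset` is an unsigned 32-bit add (the
// int operand converts to unsigned), and that result is zero-extended into the
// 64-bit return type. A target before index 0 therefore shows up as a value
// near 4 billion rather than as a negative number.
int64_t naiveTarget(unsigned currentIndex, int relativeOffset)
{
    return currentIndex + relativeOffset;
}

// The cast-based fix: widen the unsigned operand to a signed type first so the
// addition itself is signed and a negative result survives.
int64_t castTarget(unsigned currentIndex, int relativeOffset)
{
    return static_cast<int64_t>(currentIndex) + relativeOffset;
}

// Defensive variant: compute in int64_t and range-check the target against the
// bytecode size before it is used as an index or a jump destination.
bool isValidTarget(unsigned currentIndex, int relativeOffset, unsigned codeSize)
{
    int64_t target = static_cast<int64_t>(currentIndex) + relativeOffset;
    return target >= 0 && target < static_cast<int64_t>(codeSize);
}

int main()
{
    // In-range backward jump: modular unsigned arithmetic happens to give the
    // right answer (10 + (unsigned)-4 wraps to 6), which is why this kind of
    // bug stays latent until an unusual offset appears.
    std::printf("naive   10 + -4 = %lld\n", static_cast<long long>(naiveTarget(10, -4)));
    // Target before index 0: the naive form yields 4294967294 instead of -2.
    std::printf("naive    2 + -4 = %lld\n", static_cast<long long>(naiveTarget(2, -4)));
    std::printf("cast     2 + -4 = %lld\n", static_cast<long long>(castTarget(2, -4)));
    std::printf("checked  2 + -4 valid: %s\n", isValidTarget(2, -4, 100) ? "yes" : "no");
    return 0;
}
```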
293
294 2013-08-21  Alex Christensen  <achristensen@apple.com>
295
296         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
297
298         Reviewed by Brent Fulgham.
299
300         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
301         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
302         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
303         Pass PlatformArchitecture as a command line parameter to bash scripts.
304         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
305         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
306         * JavaScriptCore.vcxproj/build-generated-files.sh:
307         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
308
309 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
310
311         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
312         https://bugs.webkit.org/show_bug.cgi?id=120099
313
314         Reviewed by Mark Hahnenberg.
315         
316         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
317         JSDataView may have ordinary JS indexed properties.
318
319         * runtime/ClassInfo.h:
320         * runtime/JSArrayBufferView.cpp:
321         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
322         (JSC::JSArrayBufferView::finishCreation):
323         * runtime/JSArrayBufferView.h:
324         (JSC::hasArrayBuffer):
325         * runtime/JSArrayBufferViewInlines.h:
326         (JSC::JSArrayBufferView::buffer):
327         (JSC::JSArrayBufferView::neuter):
328         (JSC::JSArrayBufferView::byteOffset):
329         * runtime/JSCell.cpp:
330         (JSC::JSCell::slowDownAndWasteMemory):
331         * runtime/JSCell.h:
332         * runtime/JSDataView.cpp:
333         (JSC::JSDataView::JSDataView):
334         (JSC::JSDataView::create):
335         (JSC::JSDataView::slowDownAndWasteMemory):
336         * runtime/JSDataView.h:
337         (JSC::JSDataView::buffer):
338         * runtime/JSGenericTypedArrayView.h:
339         * runtime/JSGenericTypedArrayViewInlines.h:
340         (JSC::::visitChildren):
341         (JSC::::slowDownAndWasteMemory):
342
343 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
344
345         Remove incorrect ASSERT from CopyVisitor::visitItem
346
347         Rubber stamped by Filip Pizlo.
348
349         * heap/CopyVisitorInlines.h:
350         (JSC::CopyVisitor::visitItem):
351
352 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
353
354         https://bugs.webkit.org/show_bug.cgi?id=120127
355         Remove JSObject::propertyIsEnumerable
356
357         Reviewed by Sam Weinig.
358
359         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
360
361         * runtime/JSObject.cpp:
362         * runtime/JSObject.h:
363             - remove propertyIsEnumerable
364         * runtime/ObjectPrototype.cpp:
365         (JSC::objectProtoFuncPropertyIsEnumerable):
366             - Move implementation here using getOwnPropertyDescriptor directly.
367
368 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
369
370         DFG should inline new typedArray()
371         https://bugs.webkit.org/show_bug.cgi?id=120022
372
373         Reviewed by Oliver Hunt.
374         
375         Adds inlining of typed array allocations in the DFG. Any operation of the
376         form:
377         
378             new foo(blah)
379         
380         or:
381         
382             foo(blah)
383         
384         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
385         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
386         is predicted integer, we generate inline code for an allocation. Otherwise
387         it turns into a call to an operation that behaves like the constructor would
388         if it was passed one argument (i.e. it may wrap a buffer or it may create a
389         copy of another array, or it may allocate an array of that length).
390
391         * bytecode/SpeculatedType.cpp:
392         (JSC::speculationFromTypedArrayType):
393         (JSC::speculationFromClassInfo):
394         * bytecode/SpeculatedType.h:
395         * dfg/DFGAbstractInterpreterInlines.h:
396         (JSC::DFG::::executeEffects):
397         * dfg/DFGBackwardsPropagationPhase.cpp:
398         (JSC::DFG::BackwardsPropagationPhase::propagate):
399         * dfg/DFGByteCodeParser.cpp:
400         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
401         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
402         * dfg/DFGCCallHelpers.h:
403         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
404         * dfg/DFGCSEPhase.cpp:
405         (JSC::DFG::CSEPhase::putStructureStoreElimination):
406         * dfg/DFGClobberize.h:
407         (JSC::DFG::clobberize):
408         * dfg/DFGFixupPhase.cpp:
409         (JSC::DFG::FixupPhase::fixupNode):
410         * dfg/DFGGraph.cpp:
411         (JSC::DFG::Graph::dump):
412         * dfg/DFGNode.h:
413         (JSC::DFG::Node::hasTypedArrayType):
414         (JSC::DFG::Node::typedArrayType):
415         * dfg/DFGNodeType.h:
416         * dfg/DFGOperations.cpp:
417         (JSC::DFG::newTypedArrayWithSize):
418         (JSC::DFG::newTypedArrayWithOneArgument):
419         * dfg/DFGOperations.h:
420         (JSC::DFG::operationNewTypedArrayWithSizeForType):
421         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
422         * dfg/DFGPredictionPropagationPhase.cpp:
423         (JSC::DFG::PredictionPropagationPhase::propagate):
424         * dfg/DFGSafeToExecute.h:
425         (JSC::DFG::safeToExecute):
426         * dfg/DFGSpeculativeJIT.cpp:
427         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
428         * dfg/DFGSpeculativeJIT.h:
429         (JSC::DFG::SpeculativeJIT::callOperation):
430         * dfg/DFGSpeculativeJIT32_64.cpp:
431         (JSC::DFG::SpeculativeJIT::compile):
432         * dfg/DFGSpeculativeJIT64.cpp:
433         (JSC::DFG::SpeculativeJIT::compile):
434         * jit/JITOpcodes.cpp:
435         (JSC::JIT::emit_op_new_object):
436         * jit/JITOpcodes32_64.cpp:
437         (JSC::JIT::emit_op_new_object):
438         * runtime/JSArray.h:
439         (JSC::JSArray::allocationSize):
440         * runtime/JSArrayBufferView.h:
441         (JSC::JSArrayBufferView::allocationSize):
442         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
443         (JSC::constructGenericTypedArrayView):
444         * runtime/JSObject.h:
445         (JSC::JSFinalObject::allocationSize):
446         * runtime/TypedArrayType.cpp:
447         (JSC::constructorClassInfoForType):
448         * runtime/TypedArrayType.h:
449         (JSC::indexToTypedArrayType):
450
451 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
452
453         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
454
455         Reviewed by Geoffrey Garen.
456
457         * dfg/DFGOperations.h:
458
459 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
460
461         https://bugs.webkit.org/show_bug.cgi?id=120093
462         Remove getOwnPropertyDescriptor trap
463
464         Reviewed by Geoff Garen.
465
466         All implementations of this method are now called via the method table, and equivalent in behaviour.
467         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
468
469         * API/JSCallbackObject.h:
470         * API/JSCallbackObjectFunctions.h:
471         * debugger/DebuggerActivation.cpp:
472         * debugger/DebuggerActivation.h:
473         * runtime/Arguments.cpp:
474         * runtime/Arguments.h:
475         * runtime/ArrayConstructor.cpp:
476         * runtime/ArrayConstructor.h:
477         * runtime/ArrayPrototype.cpp:
478         * runtime/ArrayPrototype.h:
479         * runtime/BooleanPrototype.cpp:
480         * runtime/BooleanPrototype.h:
481             - remove getOwnPropertyDescriptor
482         * runtime/ClassInfo.h:
483             - remove getOwnPropertyDescriptor from MethodTable
484         * runtime/DateConstructor.cpp:
485         * runtime/DateConstructor.h:
486         * runtime/DatePrototype.cpp:
487         * runtime/DatePrototype.h:
488         * runtime/ErrorPrototype.cpp:
489         * runtime/ErrorPrototype.h:
490         * runtime/JSActivation.cpp:
491         * runtime/JSActivation.h:
492         * runtime/JSArray.cpp:
493         * runtime/JSArray.h:
494         * runtime/JSArrayBuffer.cpp:
495         * runtime/JSArrayBuffer.h:
496         * runtime/JSArrayBufferView.cpp:
497         * runtime/JSArrayBufferView.h:
498         * runtime/JSCell.cpp:
499         * runtime/JSCell.h:
500         * runtime/JSDataView.cpp:
501         * runtime/JSDataView.h:
502         * runtime/JSDataViewPrototype.cpp:
503         * runtime/JSDataViewPrototype.h:
504         * runtime/JSFunction.cpp:
505         * runtime/JSFunction.h:
506         * runtime/JSGenericTypedArrayView.h:
507         * runtime/JSGenericTypedArrayViewInlines.h:
508         * runtime/JSGlobalObject.cpp:
509         * runtime/JSGlobalObject.h:
510         * runtime/JSNotAnObject.cpp:
511         * runtime/JSNotAnObject.h:
512         * runtime/JSONObject.cpp:
513         * runtime/JSONObject.h:
514             - remove getOwnPropertyDescriptor
515         * runtime/JSObject.cpp:
516         (JSC::JSObject::propertyIsEnumerable):
517             - switch to call new getOwnPropertyDescriptor member function
518         (JSC::JSObject::getOwnPropertyDescriptor):
519             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
520         (JSC::JSObject::defineOwnNonIndexProperty):
521             - switch to call new getOwnPropertyDescriptor member function
522         * runtime/JSObject.h:
523         * runtime/JSProxy.cpp:
524         * runtime/JSProxy.h:
525         * runtime/NamePrototype.cpp:
526         * runtime/NamePrototype.h:
527         * runtime/NumberConstructor.cpp:
528         * runtime/NumberConstructor.h:
529         * runtime/NumberPrototype.cpp:
530         * runtime/NumberPrototype.h:
531             - remove getOwnPropertyDescriptor
532         * runtime/ObjectConstructor.cpp:
533         (JSC::objectConstructorGetOwnPropertyDescriptor):
534         (JSC::objectConstructorSeal):
535         (JSC::objectConstructorFreeze):
536         (JSC::objectConstructorIsSealed):
537         (JSC::objectConstructorIsFrozen):
538             - switch to call new getOwnPropertyDescriptor member function
539         * runtime/ObjectConstructor.h:
540             - remove getOwnPropertyDescriptor
541         * runtime/PropertyDescriptor.h:
542             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
543         * runtime/RegExpConstructor.cpp:
544         * runtime/RegExpConstructor.h:
545         * runtime/RegExpMatchesArray.cpp:
546         * runtime/RegExpMatchesArray.h:
547         * runtime/RegExpObject.cpp:
548         * runtime/RegExpObject.h:
549         * runtime/RegExpPrototype.cpp:
550         * runtime/RegExpPrototype.h:
551         * runtime/StringConstructor.cpp:
552         * runtime/StringConstructor.h:
553         * runtime/StringObject.cpp:
554         * runtime/StringObject.h:
555             - remove getOwnPropertyDescriptor
556
557 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
558
559         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
560
561         Reviewed by Oliver Hunt.
562
563         When we flatten an object in dictionary mode, we compact its properties. If the object 
564         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
565         compaction its properties fit inline, the object's Structure "forgets" that the object 
566         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
567         with bytes = 0, which causes all sorts of badness in CopiedSpace.
568
569         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
570         Butterfly pointer so that the GC doesn't get confused later.
571
572         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
573         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
574         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
575         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
576
577         * heap/SlotVisitorInlines.h:
578         (JSC::SlotVisitor::copyLater):
579         * runtime/JSObject.cpp:
580         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
581         (JSC::JSObject::convertUndecidedToInt32):
582         (JSC::JSObject::convertUndecidedToDouble):
583         (JSC::JSObject::convertUndecidedToContiguous):
584         (JSC::JSObject::convertInt32ToDouble):
585         (JSC::JSObject::convertInt32ToContiguous):
586         (JSC::JSObject::genericConvertDoubleToContiguous):
587         (JSC::JSObject::switchToSlowPutArrayStorage):
588         (JSC::JSObject::setPrototype):
589         (JSC::JSObject::putDirectAccessor):
590         (JSC::JSObject::seal):
591         (JSC::JSObject::freeze):
592         (JSC::JSObject::preventExtensions):
593         (JSC::JSObject::reifyStaticFunctionsForDelete):
594         (JSC::JSObject::removeDirect):
595         * runtime/JSObject.h:
596         (JSC::JSObject::setButterfly):
597         (JSC::JSObject::putDirectInternal):
598         (JSC::JSObject::setStructure):
599         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
600         * runtime/Structure.cpp:
601         (JSC::Structure::flattenDictionaryStructure):
602
603 2013-08-20  Alex Christensen  <achristensen@apple.com>
604
605         Compile fix for Win64 after r154156.
606
607         Rubber stamped by Oliver Hunt.
608
609         * jit/JITStubsMSVC64.asm:
610         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
611         cti_vm_throw_slowpath to cti_vm_handle_exception.
612
613 2013-08-20  Alex Christensen  <achristensen@apple.com>
614
615         <https://webkit.org/b/120076> More work towards a Win64 build
616
617         Reviewed by Brent Fulgham.
618
619         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
620         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
621         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
622         * JavaScriptCore.vcxproj/copy-files.cmd:
623         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
624         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
625         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
626
627 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
628
629         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
630
631         Reviewed by Geoffrey Garen.
632
633         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
634         initializeLazyWriteBarrierFor* wrapper functions more sane. 
635
636         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
637         and index when triggering the WriteBarrier at the end of compilation. 
638
639         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
640         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
641         little extra work that really shouldn't have been its responsibility.
642
643         * dfg/DFGByteCodeParser.cpp:
644         (JSC::DFG::ByteCodeParser::addConstant):
645         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
646         * dfg/DFGDesiredWriteBarriers.cpp:
647         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
648         (JSC::DFG::DesiredWriteBarrier::trigger):
649         * dfg/DFGDesiredWriteBarriers.h:
650         (JSC::DFG::DesiredWriteBarriers::add):
651         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
652         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
653         (JSC::DFG::initializeLazyWriteBarrierForConstant):
654         * dfg/DFGFixupPhase.cpp:
655         (JSC::DFG::FixupPhase::truncateConstantToInt32):
656         * dfg/DFGGraph.h:
657         (JSC::DFG::Graph::constantRegisterForConstant):
658
659 2013-08-20  Michael Saboff  <msaboff@apple.com>
660
661         https://bugs.webkit.org/show_bug.cgi?id=120075
662         REGRESSION (r128400): BBC4 website not displaying pictures
663
664         Reviewed by Oliver Hunt.
665
666         * runtime/RegExpMatchesArray.h:
667         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
668         so that the match results will be reified before any other modification to the results array.
669
670 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
671
672         Incorrect behavior on emscripten-compiled cube2hash
673         https://bugs.webkit.org/show_bug.cgi?id=120033
674
675         Reviewed by Mark Hahnenberg.
676         
677         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
678         then we should bail attempts to CSE.
679
680         * dfg/DFGCSEPhase.cpp:
681         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
682         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
683
684 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
685
686         https://bugs.webkit.org/show_bug.cgi?id=120073
687         Remove use of GOPD from JSFunction::defineProperty
688
689         Reviewed by Oliver Hunt.
690
691         Call getOwnPropertySlot to check for existing properties instead.
692
693         * runtime/JSFunction.cpp:
694         (JSC::JSFunction::defineOwnProperty):
695             - getOwnPropertyDescriptor -> getOwnPropertySlot
696
697 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
698
699         https://bugs.webkit.org/show_bug.cgi?id=120067
700         Remove getPropertyDescriptor
701
702         Reviewed by Oliver Hunt.
703
704         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
705         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
706
707         * runtime/JSObject.cpp:
708         * runtime/JSObject.h:
709             - remove getPropertyDescriptor
710         * runtime/ObjectPrototype.cpp:
711         (JSC::objectProtoFuncLookupGetter):
712         (JSC::objectProtoFuncLookupSetter):
713             - replace call to getPropertyDescriptor with getPropertySlot
714         * runtime/PropertyDescriptor.h:
715         * runtime/PropertySlot.h:
716         (JSC::PropertySlot::isAccessor):
717         (JSC::PropertySlot::isCacheableGetter):
718         (JSC::PropertySlot::getterSetter):
719             - rename isGetter() to isAccessor()
720
721 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
722
723         https://bugs.webkit.org/show_bug.cgi?id=120054
724         Remove some dead code following getOwnPropertyDescriptor cleanup
725
726         Reviewed by Oliver Hunt.
727
728         * runtime/Lookup.h:
729         (JSC::getStaticFunctionSlot):
730             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
731
732 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
733
734         https://bugs.webkit.org/show_bug.cgi?id=120052
735         Remove custom getOwnPropertyDescriptor for JSProxy
736
737         Reviewed by Geoff Garen.
738
739         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
740         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
741         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
742         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
743         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
744
745         * runtime/JSProxy.cpp:
746             - Remove custom getOwnPropertyDescriptor implementation.
747         * runtime/PropertyDescriptor.h:
748             - Modify own property access check to perform toThis conversion.
749
750 2013-08-20  Alex Christensen  <achristensen@apple.com>
751
752         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
753         https://bugs.webkit.org/show_bug.cgi?id=119512
754
755         Reviewed by Brent Fulgham.
756
757         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
758         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
759         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
760         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
761         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
762         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
763         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
764         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
765
766 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
767
768         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
769
770         Reviewed by Allan Sandfeld Jensen.
771
772         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
773         instructions and two constants now that DFG is enabled for the sh4 architecture.
774         These missing ensureSpace calls lead to random crashes.
775
776         * assembler/MacroAssemblerSH4.h:
777         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
778
779 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
780
781         https://bugs.webkit.org/show_bug.cgi?id=120034
782         Remove custom getOwnPropertyDescriptor for global objects
783
784         Reviewed by Geoff Garen.
785
786         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
787
788         * runtime/JSGlobalObject.cpp:
789             - Remove custom getOwnPropertyDescriptor implementation.
790         * runtime/JSSymbolTableObject.h:
791         (JSC::symbolTableGet):
792             - The symbol table does not store the DontDelete attribute; we should be adding it back in.
793         * runtime/PropertyDescriptor.h:
794             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
795         * runtime/PropertySlot.h:
796         (JSC::PropertySlot::setUndefined):
797             - This is used by WebCore when blocking access to properties on cross-frame access.
798               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
799
800 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
801
802         DFG should inline typedArray.byteOffset
803         https://bugs.webkit.org/show_bug.cgi?id=119962
804
805         Reviewed by Oliver Hunt.
806         
807         This adds a new node, GetTypedArrayByteOffset, which inlines
808         typedArray.byteOffset.
809         
810         Also, I improved a bunch of the clobbering logic related to typed arrays
811         and clobbering in general. For example, PutByOffset/PutStructure are not
812         clobber-world so they can be handled by most default cases in CSE. Also,
813         it's better to use the 'Class_field' notation for typed arrays now that
814         they no longer involve magical descriptor thingies.
815
816         * bytecode/SpeculatedType.h:
817         * dfg/DFGAbstractHeap.h:
818         * dfg/DFGAbstractInterpreterInlines.h:
819         (JSC::DFG::::executeEffects):
820         * dfg/DFGArrayMode.h:
821         (JSC::DFG::neverNeedsStorage):
822         * dfg/DFGCSEPhase.cpp:
823         (JSC::DFG::CSEPhase::getByValLoadElimination):
824         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
825         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
826         (JSC::DFG::CSEPhase::checkArrayElimination):
827         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
828         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
829         (JSC::DFG::CSEPhase::performNodeCSE):
830         * dfg/DFGClobberize.h:
831         (JSC::DFG::clobberize):
832         * dfg/DFGFixupPhase.cpp:
833         (JSC::DFG::FixupPhase::fixupNode):
834         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
835         (JSC::DFG::FixupPhase::convertToGetArrayLength):
836         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
837         * dfg/DFGNodeType.h:
838         * dfg/DFGPredictionPropagationPhase.cpp:
839         (JSC::DFG::PredictionPropagationPhase::propagate):
840         * dfg/DFGSafeToExecute.h:
841         (JSC::DFG::safeToExecute):
842         * dfg/DFGSpeculativeJIT.cpp:
843         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
844         * dfg/DFGSpeculativeJIT.h:
845         * dfg/DFGSpeculativeJIT32_64.cpp:
846         (JSC::DFG::SpeculativeJIT::compile):
847         * dfg/DFGSpeculativeJIT64.cpp:
848         (JSC::DFG::SpeculativeJIT::compile):
849         * dfg/DFGTypeCheckHoistingPhase.cpp:
850         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
851         * runtime/ArrayBuffer.h:
852         (JSC::ArrayBuffer::offsetOfData):
853         * runtime/Butterfly.h:
854         (JSC::Butterfly::offsetOfArrayBuffer):
855         * runtime/IndexingHeader.h:
856         (JSC::IndexingHeader::offsetOfArrayBuffer):
857
858 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
859
860         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
861
862         Reviewed by Geoffrey Garen.
863
864         * dfg/DFGByteCodeParser.cpp:
865         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
866
867 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
868
869         https://bugs.webkit.org/show_bug.cgi?id=119995
870         Start removing custom implementations of getOwnPropertyDescriptor
871
872         Reviewed by Oliver Hunt.
873
874         This can now typically be implemented in terms of getOwnPropertySlot.
875         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
876         Switch over most classes in JSC & the WebCore bindings generator to use this.
877
878         * API/JSCallbackObjectFunctions.h:
879         * debugger/DebuggerActivation.cpp:
880         * runtime/Arguments.cpp:
881         * runtime/ArrayConstructor.cpp:
882         * runtime/ArrayPrototype.cpp:
883         * runtime/BooleanPrototype.cpp:
884         * runtime/DateConstructor.cpp:
885         * runtime/DatePrototype.cpp:
886         * runtime/ErrorPrototype.cpp:
887         * runtime/JSActivation.cpp:
888         * runtime/JSArray.cpp:
889         * runtime/JSArrayBuffer.cpp:
890         * runtime/JSArrayBufferView.cpp:
891         * runtime/JSCell.cpp:
892         * runtime/JSDataView.cpp:
893         * runtime/JSDataViewPrototype.cpp:
894         * runtime/JSFunction.cpp:
895         * runtime/JSGenericTypedArrayViewInlines.h:
896         * runtime/JSNotAnObject.cpp:
897         * runtime/JSONObject.cpp:
898         * runtime/JSObject.cpp:
899         * runtime/NamePrototype.cpp:
900         * runtime/NumberConstructor.cpp:
901         * runtime/NumberPrototype.cpp:
902         * runtime/ObjectConstructor.cpp:
903             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
904         * runtime/PropertyDescriptor.h:
905             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
906         * runtime/PropertySlot.h:
907         (JSC::PropertySlot::isValue):
908         (JSC::PropertySlot::isGetter):
909         (JSC::PropertySlot::isCustom):
910         (JSC::PropertySlot::isCacheableValue):
911         (JSC::PropertySlot::isCacheableGetter):
912         (JSC::PropertySlot::isCacheableCustom):
913         (JSC::PropertySlot::attributes):
914         (JSC::PropertySlot::getterSetter):
915             - Add accessors necessary to convert PropertySlot to descriptor.
916         * runtime/RegExpConstructor.cpp:
917         * runtime/RegExpMatchesArray.cpp:
918         * runtime/RegExpMatchesArray.h:
919         * runtime/RegExpObject.cpp:
920         * runtime/RegExpPrototype.cpp:
921         * runtime/StringConstructor.cpp:
922         * runtime/StringObject.cpp:
923             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
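
Worked example added by the editor, not code from JavaScriptCore: a small C++ model of the idea behind GET_OWN_PROPERTY_DESCRIPTOR_IMPL from the entries for bugs 119995 (the macro), 120034 (the JSDOMWindow prototype-walk workaround) and 120052 (the JSProxy toThis conversion) above. Object, PropertySlot, Descriptor, Scenario and probe() are this model's own names and simplifications; the real classes carry far more state, and the property values and attribute bits used are constructed for the example.

```cpp
#include <string>
#include <unordered_map>
#include <utility>

// Property attributes as a bit set (names follow JSC's, values are this model's).
enum Attribute : unsigned { None = 0, ReadOnly = 1, DontEnum = 2, DontDelete = 4 };

struct Object;

// Modelled PropertySlot: besides the value it records the attributes
// (bug 119972) and which object the property was actually found on.
struct PropertySlot {
    int value = 0;
    unsigned attributes = None;
    const Object* slotBase = nullptr;
};

struct Object {
    std::unordered_map<std::string, std::pair<int, unsigned>> own;
    const Object* prototype = nullptr;
    const Object* proxied = nullptr;          // set on a JSProxy-like shell
    bool walksPrototypeOnOwnAccess = false;   // the JSDOMWindow misbehaviour

    // Modelled toThis(): a shell answers with the object it stands in front of.
    const Object* toThis() const { return proxied ? proxied->toThis() : this; }

    // Modelled getOwnPropertySlot(). A shell forwards to its target; a
    // window-like object wrongly continues into the prototype chain.
    bool getOwnPropertySlot(const std::string& name, PropertySlot& slot) const {
        if (proxied)
            return proxied->getOwnPropertySlot(name, slot);
        auto it = own.find(name);
        if (it != own.end()) {
            slot.value = it->second.first;
            slot.attributes = it->second.second;
            slot.slotBase = this;
            return true;
        }
        if (walksPrototypeOnOwnAccess && prototype)
            return prototype->getOwnPropertySlot(name, slot);
        return false;
    }
};

struct Descriptor { int value = 0; unsigned attributes = None; };

// Modelled GET_OWN_PROPERTY_DESCRIPTOR_IMPL: build the descriptor from the slot,
// but only if the slot really belongs to this object. The slotBase == &object
// comparison is the fast path; convertToThis adds the proxy-aware comparison
// from bug 120052. Without it a shell's own property looks like a prototype hit.
bool getOwnPropertyDescriptor(const Object& object, const std::string& name,
                              Descriptor& out, bool convertToThis) {
    PropertySlot slot;
    if (!object.getOwnPropertySlot(name, slot))
        return false;
    bool isOwn = slot.slotBase == &object
        || (convertToThis && slot.slotBase == object.toThis());
    if (!isOwn)
        return false;
    out.value = slot.value;
    out.attributes = slot.attributes;
    return true;
}

// Constructed scenario: proto <- window (walks the chain) <- shell (proxy).
struct Scenario {
    Object proto, window, shell;
    Scenario() {
        proto.own["protoProp"] = { 7, None };
        window.own["ownProp"] = { 42, DontDelete };
        window.prototype = &proto;
        window.walksPrototypeOnOwnAccess = true;
        shell.proxied = &window;
    }
};

// Returns the property value if GOPD reports it as own, otherwise -1.
int probe(bool viaShell, const std::string& name, bool convertToThis) {
    Scenario s;
    const Object& target = viaShell ? s.shell : s.window;
    Descriptor d;
    if (!getOwnPropertyDescriptor(target, name, d, convertToThis))
        return -1;
    return d.value;
}
```

probe(true, "ownProp", false) reproduces the false negative the 120052 entry describes (the shell is compared against the window and the own property is treated as inherited); with convertToThis the same lookup succeeds, while a genuine prototype hit through the window is still rejected either way.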
924
925 2013-08-19  Michael Saboff  <msaboff@apple.com>
926
927         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
928
929         Reviewed by Sam Weinig.
930
931         * dfg/DFGSpeculativeJIT32_64.cpp:
932         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
933         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
934         all versions of fillSpeculateBoolean().
935
936 2013-08-19  Michael Saboff  <msaboff@apple.com>
937
938         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
939
940         Reviewed by Benjamin Poulain.
941
942         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
943         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
944
945         * assembler/MacroAssemblerX86Common.h:
946         (JSC::MacroAssemblerX86Common::branchTest32):
947
948 2013-08-16  Oliver Hunt  <oliver@apple.com>
949
950         <https://webkit.org/b/119860> Crash during exception unwinding
951
952         Reviewed by Filip Pizlo.
953
954         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
955         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
956
957         We need this so that Throw and ThrowReferenceError no longer need to be treated as
958         terminals and the subsequent flush keeps the activation (and other registers) live.
959
960         * dfg/DFGAbstractInterpreterInlines.h:
961         (JSC::DFG::::executeEffects):
962         * dfg/DFGByteCodeParser.cpp:
963         (JSC::DFG::ByteCodeParser::parseBlock):
964         * dfg/DFGClobberize.h:
965         (JSC::DFG::clobberize):
966         * dfg/DFGFixupPhase.cpp:
967         (JSC::DFG::FixupPhase::fixupNode):
968         * dfg/DFGNode.h:
969         (JSC::DFG::Node::isTerminal):
970         * dfg/DFGNodeType.h:
971         * dfg/DFGPredictionPropagationPhase.cpp:
972         (JSC::DFG::PredictionPropagationPhase::propagate):
973         * dfg/DFGSafeToExecute.h:
974         (JSC::DFG::safeToExecute):
975         * dfg/DFGSpeculativeJIT32_64.cpp:
976         (JSC::DFG::SpeculativeJIT::compile):
977         * dfg/DFGSpeculativeJIT64.cpp:
978         (JSC::DFG::SpeculativeJIT::compile):
979
980 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
981
982         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
983
984         Reviewed by Oliver Hunt.
985
986         Guard the compilation of these files only if DFG_JIT is enabled.
987
988         * dfg/DFGDesiredTransitions.cpp:
989         * dfg/DFGDesiredTransitions.h:
990         * dfg/DFGDesiredWeakReferences.cpp:
991         * dfg/DFGDesiredWeakReferences.h:
992         * dfg/DFGDesiredWriteBarriers.cpp:
993         * dfg/DFGDesiredWriteBarriers.h:
994
995 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
996
997         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
998         https://bugs.webkit.org/show_bug.cgi?id=119961
999
1000         Reviewed by Mark Hahnenberg.
1001
1002         * dfg/DFGFixupPhase.cpp:
1003         (JSC::DFG::FixupPhase::fixupNode):
1004
1005 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
1006
1007         https://bugs.webkit.org/show_bug.cgi?id=119972
1008         Add attributes field to PropertySlot
1009
1010         Reviewed by Geoff Garen.
1011
1012         For all JSC types, this makes getOwnPropertyDescriptor redundant.
1013         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
1014         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
1015
1016         No performance impact.
1017
1018         * runtime/PropertySlot.h:
1019         (JSC::PropertySlot::setValue):
1020         (JSC::PropertySlot::setCustom):
1021         (JSC::PropertySlot::setCacheableCustom):
1022         (JSC::PropertySlot::setCustomIndex):
1023         (JSC::PropertySlot::setGetterSlot):
1024         (JSC::PropertySlot::setCacheableGetterSlot):
1025             - These methods now all require 'attributes'.
1026         * runtime/JSObject.h:
1027         (JSC::JSObject::getDirect):
1028         (JSC::JSObject::getDirectOffset):
1029         (JSC::JSObject::inlineGetOwnPropertySlot):
1030             - Added variants of getDirect, getDirectOffset that return the attributes.
1031         * API/JSCallbackObjectFunctions.h:
1032         (JSC::::getOwnPropertySlot):
1033         * runtime/Arguments.cpp:
1034         (JSC::Arguments::getOwnPropertySlotByIndex):
1035         (JSC::Arguments::getOwnPropertySlot):
1036         * runtime/JSActivation.cpp:
1037         (JSC::JSActivation::symbolTableGet):
1038         (JSC::JSActivation::getOwnPropertySlot):
1039         * runtime/JSArray.cpp:
1040         (JSC::JSArray::getOwnPropertySlot):
1041         * runtime/JSArrayBuffer.cpp:
1042         (JSC::JSArrayBuffer::getOwnPropertySlot):
1043         * runtime/JSArrayBufferView.cpp:
1044         (JSC::JSArrayBufferView::getOwnPropertySlot):
1045         * runtime/JSDataView.cpp:
1046         (JSC::JSDataView::getOwnPropertySlot):
1047         * runtime/JSFunction.cpp:
1048         (JSC::JSFunction::getOwnPropertySlot):
1049         * runtime/JSGenericTypedArrayViewInlines.h:
1050         (JSC::::getOwnPropertySlot):
1051         (JSC::::getOwnPropertySlotByIndex):
1052         * runtime/JSObject.cpp:
1053         (JSC::JSObject::getOwnPropertySlotByIndex):
1054         (JSC::JSObject::fillGetterPropertySlot):
1055         * runtime/JSString.h:
1056         (JSC::JSString::getStringPropertySlot):
1057         * runtime/JSSymbolTableObject.h:
1058         (JSC::symbolTableGet):
1059         * runtime/Lookup.cpp:
1060         (JSC::setUpStaticFunctionSlot):
1061         * runtime/Lookup.h:
1062         (JSC::getStaticPropertySlot):
1063         (JSC::getStaticPropertyDescriptor):
1064         (JSC::getStaticValueSlot):
1065         (JSC::getStaticValueDescriptor):
1066         * runtime/RegExpObject.cpp:
1067         (JSC::RegExpObject::getOwnPropertySlot):
1068         * runtime/SparseArrayValueMap.cpp:
1069         (JSC::SparseArrayEntry::get):
1070             - Pass attributes to PropertySlot::set* methods.
1071
1072 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1073
1074         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1075
1076         Reviewed by Filip Pizlo.
1077
1078         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
1079         Vector of WriteBarriers rather than the specific address. The fact that we were 
1080         arbitrarily storing into a Vector's backing store for constants at the end of 
1081         compilation after the Vector could have resized was causing crashes.
1082
1083         * bytecode/CodeBlock.h:
1084         (JSC::CodeBlock::constants):
1085         (JSC::CodeBlock::addConstantLazily):
1086         * dfg/DFGByteCodeParser.cpp:
1087         (JSC::DFG::ByteCodeParser::addConstant):
1088         * dfg/DFGDesiredWriteBarriers.cpp:
1089         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1090         (JSC::DFG::DesiredWriteBarrier::trigger):
1091         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1092         * dfg/DFGDesiredWriteBarriers.h:
1093         (JSC::DFG::DesiredWriteBarriers::add):
1094         * dfg/DFGFixupPhase.cpp:
1095         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1096         * dfg/DFGGraph.h:
1097         (JSC::DFG::Graph::constantRegisterForConstant):
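
Added illustration, not JSC code: the failure mode this entry describes, reduced to a self-contained C++ model. AddressBarrier stands for the old DesiredWriteBarrier that kept a raw address into the constants Vector, IndexBarrier for the new mode that keeps the Vector and a position; Slot and the probe functions, and the values they write, are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Modelled constant slot: a JSValue-like payload the GC would need to barrier.
struct Slot { int value = 0; };

// Deferred write that remembers an *address* into a vector's backing store.
// Constructed to reproduce the bug: the address goes stale when the vector
// reallocates, so a later trigger() would write into freed memory.
struct AddressBarrier {
    Slot* target;
    int value;
    void trigger() const { target->value = value; }
};

// The fix as described: remember the vector and the position, and resolve
// the address only at trigger time, after all growth has happened.
struct IndexBarrier {
    std::vector<Slot>* vector;
    size_t index;
    int value;
    void trigger() const { (*vector)[index].value = value; }
};

// Reproduces the crash scenario without touching freed memory: record where
// the address-based barrier would write, grow the vector past its capacity,
// and report whether that address is still inside the live backing store.
// Pointer values are converted to integers before the old block is freed.
bool addressBarrierGoesStale() {
    std::vector<Slot> constants;
    constants.push_back(Slot{});
    AddressBarrier barrier{ &constants.back(), 1 };
    auto recorded = reinterpret_cast<std::uintptr_t>(barrier.target);
    size_t capacity = constants.capacity();
    while (constants.capacity() == capacity)   // force at least one reallocation
        constants.push_back(Slot{});
    auto liveBegin = reinterpret_cast<std::uintptr_t>(constants.data());
    auto liveEnd = liveBegin + constants.size() * sizeof(Slot);
    return recorded < liveBegin || recorded >= liveEnd;   // true: dangling
}

// With capacity reserved up front the address form happens to work; the bug
// needs the vector to grow, which is exactly what late addConstant calls do.
int addressBarrierWorksWithoutGrowth() {
    std::vector<Slot> constants;
    constants.reserve(16);
    constants.push_back(Slot{});
    AddressBarrier barrier{ &constants.back(), 1 };
    for (int i = 0; i < 10; ++i)   // stays within reserved capacity
        constants.push_back(Slot{});
    barrier.trigger();
    return constants[0].value;     // 1
}

// The index-based barrier survives the same growth as addressBarrierGoesStale.
int indexBarrierLandsCorrectly() {
    std::vector<Slot> constants;
    constants.push_back(Slot{});
    IndexBarrier barrier{ &constants, constants.size() - 1, 99 };
    size_t capacity = constants.capacity();
    while (constants.capacity() == capacity)
        constants.push_back(Slot{});
    barrier.trigger();                       // resolves the address now
    return constants[barrier.index].value;   // 99
}
```

The point for reviewers of similar code: any pointer taken into a growable container is only valid until the next insertion, so a deferred write must hold something that survives reallocation (an index here) rather than the element address.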
1098
1099 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1100
1101         DFG should optimize typedArray.byteLength
1102         https://bugs.webkit.org/show_bug.cgi?id=119909
1103
1104         Reviewed by Oliver Hunt.
1105         
1106         This adds typedArray.byteLength inlining to the DFG, and does so without changing
1107         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
1108         legal since the byteLength of a typed array cannot exceed
1109         numeric_limits<int32_t>::max().
1110
1111         * bytecode/SpeculatedType.cpp:
1112         (JSC::typedArrayTypeFromSpeculation):
1113         * bytecode/SpeculatedType.h:
1114         * dfg/DFGArrayMode.cpp:
1115         (JSC::DFG::toArrayType):
1116         * dfg/DFGArrayMode.h:
1117         * dfg/DFGFixupPhase.cpp:
1118         (JSC::DFG::FixupPhase::fixupNode):
1119         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1120         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
1121         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1122         (JSC::DFG::FixupPhase::prependGetArrayLength):
1123         * dfg/DFGGraph.h:
1124         (JSC::DFG::Graph::constantRegisterForConstant):
1125         (JSC::DFG::Graph::convertToConstant):
1126         * runtime/TypedArrayType.h:
1127         (JSC::logElementSize):
1128         (JSC::elementSize):
1129
1130 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1131
1132         DFG optimizes out strict mode arguments tear off
1133         https://bugs.webkit.org/show_bug.cgi?id=119504
1134
1135         Reviewed by Mark Hahnenberg and Oliver Hunt.
1136         
1137         Don't do the optimization for strict mode.
1138
1139         * dfg/DFGArgumentsSimplificationPhase.cpp:
1140         (JSC::DFG::ArgumentsSimplificationPhase::run):
1141         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
1142
1143 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
1144
1145         [JSC] x86: improve code generation for xxxTest32
1146         https://bugs.webkit.org/show_bug.cgi?id=119876
1147
1148         Reviewed by Geoffrey Garen.
1149
1150         Try to use testb whenever possible when testing for an immediate value.
1151
1152         When the input is an address and an offset, we can tweak the mask
1153         and offset to be able to generate testb for any byte of the mask.
1154
1155         When the input is a register, we can use testb if we are only interested
1156         in testing the low bits.
1157
1158         * assembler/MacroAssemblerX86Common.h:
1159         (JSC::MacroAssemblerX86Common::branchTest32):
1160         (JSC::MacroAssemblerX86Common::test32):
1161         (JSC::MacroAssemblerX86Common::generateTest32):
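
Added example, not JSC's assembler code: a C++ model of the testb selection rule from this entry (119876) together with the follow-up for 120020 above, which restricts the register form to the lower four registers. The register numbering is the standard x86 ModRM order; byteRegisterRead, ByteTest, the select* helpers and the constructed register file in naiveByteTestMisreadsEsp() are this example's own, and the constants used are arbitrary.

```cpp
#include <cstdint>

// x86 register numbers as used in ModRM encoding.
enum Reg32 { EAX = 0, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

// Without a REX prefix, byte-register codes 0-3 are al, cl, dl, bl (low byte of
// eax..ebx) but codes 4-7 are ah, ch, dh, bh (bits 8-15 of eax..ebx), not the
// low bytes of esp, ebp, esi, edi. Modelled as a read from a register file to
// show which value a testb emitted with the raw register number would see.
uint8_t byteRegisterRead(const uint32_t regs[8], int code) {
    if (code < 4)
        return static_cast<uint8_t>(regs[code]);
    return static_cast<uint8_t>(regs[code - 4] >> 8);
}

struct ByteTest {
    bool usable;       // false: fall back to the 32-bit test
    int byteOffset;    // memory form: which byte of the operand to test
    uint8_t mask8;     // mask shifted down into that byte
};

// Memory operand (address + offset): a mask confined to one byte lane can be
// tested with testb at offset + lane, with the mask shifted down accordingly.
ByteTest selectMemoryByteTest(uint32_t mask) {
    for (int lane = 0; lane < 4; ++lane) {
        uint32_t laneBits = 0xffu << (8 * lane);
        if (mask != 0 && (mask & ~laneBits) == 0)
            return { true, lane, static_cast<uint8_t>(mask >> (8 * lane)) };
    }
    return { false, 0, 0 };
}

// Register operand: only the low byte is reachable, and (per bug 120020) only
// for eax..ebx, so testb is usable iff mask < 0x100 and the register is 0-3.
ByteTest selectRegisterByteTest(Reg32 reg, uint32_t mask) {
    if (mask != 0 && mask <= 0xff && reg < 4)
        return { true, 0, static_cast<uint8_t>(mask) };
    return { false, 0, 0 };
}

// Result of a correctly emitted test: nonzero iff any masked bit is set.
bool test32(uint32_t value, uint32_t mask) { return (value & mask) != 0; }

// What "testb reg8, imm8" computes when the 32-bit register number is used
// directly as the byte-register code, i.e. the behaviour before the fix.
bool naiveByteTestResult(const uint32_t regs[8], Reg32 reg, uint8_t mask8) {
    return (byteRegisterRead(regs, reg) & mask8) != 0;
}

// Constructed register file: eax = 0 (so ah = 0) and esp has its low bit set.
// The correct test of esp's low bit is true; the naive encoding reads ah.
bool naiveByteTestMisreadsEsp() {
    const uint32_t regs[8] = { 0, 0, 0, 0, 1, 0, 0, 0 };
    return test32(regs[ESP], 1) != naiveByteTestResult(regs, ESP, 1);
}

// Little-endian view: byte 'offset' of a 32-bit operand in memory.
uint8_t memoryByte(uint32_t value, int offset) {
    return static_cast<uint8_t>(value >> (8 * offset));
}

// The memory byte form agrees with test32 whenever it is selected.
bool memoryByteTestAgrees(uint32_t value, uint32_t mask) {
    ByteTest bt = selectMemoryByteTest(mask);
    if (!bt.usable)
        return true;   // 32-bit form is used; nothing to compare
    bool byteResult = (memoryByte(value, bt.byteOffset) & bt.mask8) != 0;
    return byteResult == test32(value, mask);
}
```

The register-file model is deliberately minimal: it captures only the aliasing that made the 32-bit tests observe the wrong register, which is enough to see why restricting the byte form to registers 0-3 is the safe rule in a code generator that does not emit REX prefixes for this instruction.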
1162
1163 2013-08-16  Mark Lam  <mark.lam@apple.com>
1164
1165         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
1166         error message that an object is not a constructor though it expects a function
1167
1168         Reviewed by Michael Saboff.
1169
1170         * jit/JITStubs.cpp:
1171         (JSC::DEFINE_STUB_FUNCTION):
1172
1173 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1174
1175         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
1176         https://bugs.webkit.org/show_bug.cgi?id=119897
1177
1178         Reviewed by Oliver Hunt.
1179         
1180         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
1181         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
1182         to turn objects into dictionaries when you're storing using bracket syntax or using
1183         eval is still in place.
1184
1185         * bytecode/CodeBlock.h:
1186         (JSC::CodeBlock::putByIdContext):
1187         * dfg/DFGOperations.cpp:
1188         * jit/JITStubs.cpp:
1189         (JSC::DEFINE_STUB_FUNCTION):
1190         * llint/LLIntSlowPaths.cpp:
1191         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1192         * runtime/JSObject.h:
1193         (JSC::JSObject::putDirectInternal):
1194         * runtime/PutPropertySlot.h:
1195         (JSC::PutPropertySlot::PutPropertySlot):
1196         (JSC::PutPropertySlot::context):
1197         * runtime/Structure.cpp:
1198         (JSC::Structure::addPropertyTransition):
1199         * runtime/Structure.h:
1200
1201 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
1202
1203         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
1204
1205         Reviewed by Allan Sandfeld Jensen.
1206
1207         ctiVMHandleException must jump/return using register ra (r31).
1208
1209         * jit/JITStubsMIPS.h:
1210
1211 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
1212
1213         <https://webkit.org/b/119879> Fix sh4 build after r154156.
1214
1215         Reviewed by Allan Sandfeld Jensen.
1216
1217         Fix typo in JITStubsSH4.h file.
1218
1219         * jit/JITStubsSH4.h:
1220
1221 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1222
1223         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
1224
1225         Reviewed by Oliver Hunt.
1226
1227         The concurrent compilation thread should interact minimally with the Heap, including not 
1228         triggering WriteBarriers. This is a prerequisite for generational GC.
1229
1230         * JavaScriptCore.xcodeproj/project.pbxproj:
1231         * bytecode/CodeBlock.cpp:
1232         (JSC::CodeBlock::addOrFindConstant):
1233         (JSC::CodeBlock::findConstant):
1234         * bytecode/CodeBlock.h:
1235         (JSC::CodeBlock::addConstantLazily):
1236         * dfg/DFGByteCodeParser.cpp:
1237         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1238         (JSC::DFG::ByteCodeParser::constantUndefined):
1239         (JSC::DFG::ByteCodeParser::constantNull):
1240         (JSC::DFG::ByteCodeParser::one):
1241         (JSC::DFG::ByteCodeParser::constantNaN):
1242         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1243         * dfg/DFGCommonData.cpp:
1244         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1245         * dfg/DFGCommonData.h:
1246         * dfg/DFGDesiredTransitions.cpp: Added.
1247         (JSC::DFG::DesiredTransition::DesiredTransition):
1248         (JSC::DFG::DesiredTransition::reallyAdd):
1249         (JSC::DFG::DesiredTransitions::DesiredTransitions):
1250         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
1251         (JSC::DFG::DesiredTransitions::addLazily):
1252         (JSC::DFG::DesiredTransitions::reallyAdd):
1253         * dfg/DFGDesiredTransitions.h: Added.
1254         * dfg/DFGDesiredWeakReferences.cpp: Added.
1255         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1256         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
1257         (JSC::DFG::DesiredWeakReferences::addLazily):
1258         (JSC::DFG::DesiredWeakReferences::reallyAdd):
1259         * dfg/DFGDesiredWeakReferences.h: Added.
1260         * dfg/DFGDesiredWriteBarriers.cpp: Added.
1261         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1262         (JSC::DFG::DesiredWriteBarrier::trigger):
1263         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
1264         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
1265         (JSC::DFG::DesiredWriteBarriers::addImpl):
1266         (JSC::DFG::DesiredWriteBarriers::trigger):
1267         * dfg/DFGDesiredWriteBarriers.h: Added.
1268         (JSC::DFG::DesiredWriteBarriers::add):
1269         (JSC::DFG::initializeLazyWriteBarrier):
1270         * dfg/DFGFixupPhase.cpp:
1271         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1272         * dfg/DFGGraph.h:
1273         (JSC::DFG::Graph::convertToConstant):
1274         * dfg/DFGJITCompiler.h:
1275         (JSC::DFG::JITCompiler::addWeakReference):
1276         * dfg/DFGPlan.cpp:
1277         (JSC::DFG::Plan::Plan):
1278         (JSC::DFG::Plan::reallyAdd):
1279         * dfg/DFGPlan.h:
1280         * dfg/DFGSpeculativeJIT32_64.cpp:
1281         (JSC::DFG::SpeculativeJIT::compile):
1282         * dfg/DFGSpeculativeJIT64.cpp:
1283         (JSC::DFG::SpeculativeJIT::compile):
1284         * runtime/WriteBarrier.h:
1285         (JSC::WriteBarrierBase::set):
1286         (JSC::WriteBarrier::WriteBarrier):
1287
1288 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1289
1290         Fix x86 32bits build after r154158
1291
1292         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
1293
1294 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
1295
1296         Build fix attempt after r154156.
1297
1298         * jit/JITStubs.cpp:
1299         (JSC::cti_vm_handle_exception): encode!
1300
1301 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1302
1303         [JSC] x86: Use inc and dec when possible
1304         https://bugs.webkit.org/show_bug.cgi?id=119831
1305
1306         Reviewed by Geoffrey Garen.
1307
1308         When incrementing or decrementing by an immediate of 1, use the instructions
1309         inc and dec instead of add and sub.
1310         The instructions have good timing and their encoding is smaller.
1311
1312         * assembler/MacroAssemblerX86Common.h:
1313         (JSC::MacroAssemblerX86_64::add32):
1314         (JSC::MacroAssemblerX86_64::sub32):
1315         * assembler/MacroAssemblerX86_64.h:
1316         (JSC::MacroAssemblerX86_64::add64):
1317         (JSC::MacroAssemblerX86_64::sub64):
1318         * assembler/X86Assembler.h:
1319         (JSC::X86Assembler::dec_r):
1320         (JSC::X86Assembler::decq_r):
1321         (JSC::X86Assembler::inc_r):
1322         (JSC::X86Assembler::incq_r):
1323
1324 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1325
1326         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
1327         https://bugs.webkit.org/show_bug.cgi?id=119874
1328
1329         Reviewed by Oliver Hunt and Mark Hahnenberg.
1330         
1331         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
1332         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
1333         sometimes for typed array length accesses, and the FixupPhase assuming that a
1334         ForceExit ArrayMode means that it should continue using a generic GetById.
1335
1336         This fixes the confusion.
1337
1338         * dfg/DFGFixupPhase.cpp:
1339         (JSC::DFG::FixupPhase::fixupNode):
1340
1341 2013-08-15  Mark Lam  <mark.lam@apple.com>
1342
1343         Fix crash when performing activation tearoff.
1344         https://bugs.webkit.org/show_bug.cgi?id=119848
1345
1346         Reviewed by Oliver Hunt.
1347
1348         The activation tearoff crash was due to a bug in the baseline JIT.
1349         If we have a scenario where a baseline JIT frame calls a LLINT
1350         frame, an exception may be thrown while in the LLINT.
1351
1352         Interpreter::throwException() which handles the exception will unwind
1353         all frames until it finds a catcher or sees a host frame. When we
1354         return from the LLINT to the baseline JIT code, the baseline JIT code
1355         erroneously sets topCallFrame to the value in its call frame register,
1356         and starts unwinding the stack frames that have already been unwound.
1357
1358         The fix is:
1359         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1360            This is a more accurate description of what this runtime function
1361            is supposed to do, i.e. it handles the exception, which includes doing
1362            nothing (if there are no more frames to unwind).
1363         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
1364            set on it.
1365         3. Reload the call frame register from topCallFrame when we're
1366            returning from a callee and detect exception handling in progress.
1367
1368         * interpreter/Interpreter.cpp:
1369         (JSC::Interpreter::unwindCallFrame):
1370         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1371         (JSC::Interpreter::getStackTrace):
1372         * interpreter/Interpreter.h:
1373         (JSC::TopCallFrameSetter::TopCallFrameSetter):
1374         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
1375         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1376         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1377         * jit/JIT.h:
1378         * jit/JITExceptions.cpp:
1379         (JSC::uncaughtExceptionHandler):
1380         - Convenience function to get the handler for uncaught exceptions.
1381         * jit/JITExceptions.h:
1382         * jit/JITInlines.h:
1383         (JSC::JIT::reloadCallFrameFromTopCallFrame):
1384         * jit/JITOpcodes32_64.cpp:
1385         (JSC::JIT::privateCompileCTINativeCall):
1386         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1387         * jit/JITStubs.cpp:
1388         (JSC::throwExceptionFromOpCall):
1389         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1390         (JSC::cti_vm_handle_exception):
1391         - Check for the case when there are no more frames to unwind.
1392         * jit/JITStubs.h:
1393         * jit/JITStubsARM.h:
1394         * jit/JITStubsARMv7.h:
1395         * jit/JITStubsMIPS.h:
1396         * jit/JITStubsSH4.h:
1397         * jit/JITStubsX86.h:
1398         * jit/JITStubsX86_64.h:
1399         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1400         * jit/SlowPathCall.h:
1401         (JSC::JITSlowPathCall::call):
1402         - reload cfr from topCallFrame when handling an exception.
1403         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1404         * jit/ThunkGenerators.cpp:
1405         (JSC::nativeForGenerator):
1406         * llint/LowLevelInterpreter32_64.asm:
1407         * llint/LowLevelInterpreter64.asm:
1408         - reload cfr from topCallFrame when handling an exception.
1409         * runtime/VM.cpp:
1410         (JSC::VM::VM):
1411         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1412
1413 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1414
1415         Remove some code duplication.
1416         
1417         Rubber stamped by Mark Hahnenberg.
1418
1419         * runtime/JSDataViewPrototype.cpp:
1420         (JSC::getData):
1421         (JSC::setData):
1422
1423 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
1424
1425         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
1426         https://bugs.webkit.org/show_bug.cgi?id=119794
1427
1428         Reviewed by Filip Pizlo.
1429
1430         This patch fixes ASSERT failures in debug builds for sh4 and mips architecture.
1431
1432         * dfg/DFGUseKind.h:
1433         (JSC::DFG::isNumerical):
1434         (JSC::DFG::isDouble):
1435
1436 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1437
1438         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
1439
1440         Rubber stamped by Oliver Hunt.
1441         
1442         This was causing some test crashes for me.
1443
1444         * dfg/DFGCapabilities.cpp:
1445         (JSC::DFG::capabilityLevel):
1446
1447 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1448
1449         [Windows] Clear up improper export declaration.
1450
1451         * runtime/ArrayBufferView.h:
1452
1453 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1454
1455         Unreviewed, remove some unnecessary periods from exceptions.
1456
1457         * runtime/JSDataViewPrototype.cpp:
1458         (JSC::getData):
1459         (JSC::setData):
1460
1461 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1462
1463         Unreviewed, fix 32-bit build.
1464
1465         * dfg/DFGSpeculativeJIT32_64.cpp:
1466         (JSC::DFG::SpeculativeJIT::compile):
1467
1468 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
1469
1470         Typed arrays should be rewritten
1471         https://bugs.webkit.org/show_bug.cgi?id=119064
1472
1473         Reviewed by Oliver Hunt.
1474         
1475         Typed arrays were previously deficient in several major ways:
1476         
1477         - They were defined separately in WebCore and in the jsc shell. The two
1478           implementations were different, and the jsc shell one was basically wrong.
1479           The WebCore one was quite awful, also.
1480         
1481         - Typed arrays were not visible to the JIT except through some weird hooks.
1482           For example, the JIT could not ask "what is the Structure that this typed
1483           array would have if I just allocated it from this global object". Also,
1484           it was difficult to wire any of the typed array intrinsics, because most
1485           of the functionality wasn't visible anywhere in JSC.
1486         
1487         - Typed array allocation was brain-dead. Allocating a typed array involved
1488           two JS objects, two GC weak handles, and three malloc allocations.
1489         
1490         - Neutering. It involved keeping tabs on all native views but not the view
1491           wrappers, even though the native views can autoneuter just by asking the
1492           buffer if it was neutered anytime you touch them; while the JS view
1493           wrappers are the ones that you really want to reach out to.
1494         
1495         - Common case-ing. Most typed arrays have one buffer and one view, and
1496           usually nobody touches the buffer. Yet we created all of that stuff
1497           anyway, using data structures optimized for the case where you had a lot
1498           of views.
1499         
1500         - Semantic goofs. Typed arrays should, in the future, behave like ES
1501           features rather than DOM features, for example when it comes to exceptions.
1502           Firefox already does this and I agree with them.
1503         
1504         This patch cleanses our codebase of these sins:
1505         
1506         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
1507           management of native references to buffers is left to WebCore.
1508         
1509         - Allocating a typed array requires either two GC allocations (a cell and a
1510           copied storage vector) or one GC allocation, a malloc allocation, and a
1511           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
1512           latter). The latter is only used for oversize arrays. Remember that before
1513           it was 7 allocations no matter what.
1514         
1515         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
1516           mode/length, void* vector. Before it was a lot more than that - remember,
1517           there were five additional objects that did absolutely nothing for anybody.
1518         
1519         - Native views aren't tracked by the buffer, or by the wrappers. They are
1520           transient. In the future we'll probably switch to not even having them be
1521           malloc'd.
1522         
1523         - Native array buffers have an efficient way of tracking all of their JS view
1524           wrappers, both for neutering, and for lifecycle management. The GC
1525           special-cases native array buffers. This saves a bunch of grief; for example
1526           it means that a JS view wrapper can refer to its buffer via the butterfly,
1527           which would be dead by the time we went to finalize.
1528         
1529         - Typed array semantics now match Firefox, which also happens to be where the
1530           standards are going. The discussion on webkit-dev seemed to confirm that
1531           Chrome is also heading in this direction. This includes making
1532           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
1533           ArrayBufferView as a JS-visible construct.
1534         
1535         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
1536         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
1537         further typed array optimizations in the JSC JITs, including inlining typed
1538         array allocation, inlining more of the accessors, reducing the cost of type
1539         checks, etc.
1540         
1541         An additional property of this patch is that typed arrays are mostly
1542         implemented using templates. This deduplicates a bunch of code, but does mean
1543         that we need some hacks for exporting s_info's of template classes. See
1544         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
1545         low-impact compared to code duplication.
1546         
1547         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
1548
1549         * CMakeLists.txt:
1550         * DerivedSources.make:
1551         * GNUmakefile.list.am:
1552         * JSCTypedArrayStubs.h: Removed.
1553         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1554         * JavaScriptCore.xcodeproj/project.pbxproj:
1555         * Target.pri:
1556         * bytecode/ByValInfo.h:
1557         (JSC::hasOptimizableIndexingForClassInfo):
1558         (JSC::jitArrayModeForClassInfo):
1559         (JSC::typedArrayTypeForJITArrayMode):
1560         * bytecode/SpeculatedType.cpp:
1561         (JSC::speculationFromClassInfo):
1562         * dfg/DFGArrayMode.cpp:
1563         (JSC::DFG::toTypedArrayType):
1564         * dfg/DFGArrayMode.h:
1565         (JSC::DFG::ArrayMode::typedArrayType):
1566         * dfg/DFGSpeculativeJIT.cpp:
1567         (JSC::DFG::SpeculativeJIT::checkArray):
1568         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1569         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1570         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1571         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1572         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1573         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1574         * dfg/DFGSpeculativeJIT.h:
1575         * dfg/DFGSpeculativeJIT32_64.cpp:
1576         (JSC::DFG::SpeculativeJIT::compile):
1577         * dfg/DFGSpeculativeJIT64.cpp:
1578         (JSC::DFG::SpeculativeJIT::compile):
1579         * heap/CopyToken.h:
1580         * heap/DeferGC.h:
1581         (JSC::DeferGCForAWhile::DeferGCForAWhile):
1582         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
1583         * heap/GCIncomingRefCounted.h: Added.
1584         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
1585         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
1586         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
1587         (JSC::GCIncomingRefCounted::incomingReferenceAt):
1588         (JSC::GCIncomingRefCounted::singletonFlag):
1589         (JSC::GCIncomingRefCounted::hasVectorOfCells):
1590         (JSC::GCIncomingRefCounted::hasAnyIncoming):
1591         (JSC::GCIncomingRefCounted::hasSingleton):
1592         (JSC::GCIncomingRefCounted::singleton):
1593         (JSC::GCIncomingRefCounted::vectorOfCells):
1594         * heap/GCIncomingRefCountedInlines.h: Added.
1595         (JSC::::addIncomingReference):
1596         (JSC::::filterIncomingReferences):
1597         * heap/GCIncomingRefCountedSet.h: Added.
1598         (JSC::GCIncomingRefCountedSet::size):
1599         * heap/GCIncomingRefCountedSetInlines.h: Added.
1600         (JSC::::GCIncomingRefCountedSet):
1601         (JSC::::~GCIncomingRefCountedSet):
1602         (JSC::::addReference):
1603         (JSC::::sweep):
1604         (JSC::::removeAll):
1605         (JSC::::removeDead):
1606         * heap/Heap.cpp:
1607         (JSC::Heap::addReference):
1608         (JSC::Heap::extraSize):
1609         (JSC::Heap::size):
1610         (JSC::Heap::capacity):
1611         (JSC::Heap::collect):
1612         (JSC::Heap::decrementDeferralDepth):
1613         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1614         * heap/Heap.h:
1615         * interpreter/CallFrame.h:
1616         (JSC::ExecState::dataViewTable):
1617         * jit/JIT.h:
1618         * jit/JITPropertyAccess.cpp:
1619         (JSC::JIT::privateCompileGetByVal):
1620         (JSC::JIT::privateCompilePutByVal):
1621         (JSC::JIT::emitIntTypedArrayGetByVal):
1622         (JSC::JIT::emitFloatTypedArrayGetByVal):
1623         (JSC::JIT::emitIntTypedArrayPutByVal):
1624         (JSC::JIT::emitFloatTypedArrayPutByVal):
1625         * jsc.cpp:
1626         (GlobalObject::finishCreation):
1627         * runtime/ArrayBuffer.cpp:
1628         (JSC::ArrayBuffer::transfer):
1629         * runtime/ArrayBuffer.h:
1630         (JSC::ArrayBuffer::createAdopted):
1631         (JSC::ArrayBuffer::ArrayBuffer):
1632         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1633         (JSC::ArrayBuffer::pin):
1634         (JSC::ArrayBuffer::unpin):
1635         (JSC::ArrayBufferContents::tryAllocate):
1636         * runtime/ArrayBufferView.cpp:
1637         (JSC::ArrayBufferView::ArrayBufferView):
1638         (JSC::ArrayBufferView::~ArrayBufferView):
1639         (JSC::ArrayBufferView::setNeuterable):
1640         * runtime/ArrayBufferView.h:
1641         (JSC::ArrayBufferView::isNeutered):
1642         (JSC::ArrayBufferView::buffer):
1643         (JSC::ArrayBufferView::baseAddress):
1644         (JSC::ArrayBufferView::byteOffset):
1645         (JSC::ArrayBufferView::verifySubRange):
1646         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1647         (JSC::ArrayBufferView::calculateOffsetAndLength):
1648         * runtime/ClassInfo.h:
1649         * runtime/CommonIdentifiers.h:
1650         * runtime/DataView.cpp: Added.
1651         (JSC::DataView::DataView):
1652         (JSC::DataView::create):
1653         (JSC::DataView::wrap):
1654         * runtime/DataView.h: Added.
1655         (JSC::DataView::byteLength):
1656         (JSC::DataView::getType):
1657         (JSC::DataView::get):
1658         (JSC::DataView::set):
1659         * runtime/Float32Array.h:
1660         * runtime/Float64Array.h:
1661         * runtime/GenericTypedArrayView.h: Added.
1662         (JSC::GenericTypedArrayView::data):
1663         (JSC::GenericTypedArrayView::set):
1664         (JSC::GenericTypedArrayView::setRange):
1665         (JSC::GenericTypedArrayView::zeroRange):
1666         (JSC::GenericTypedArrayView::zeroFill):
1667         (JSC::GenericTypedArrayView::length):
1668         (JSC::GenericTypedArrayView::byteLength):
1669         (JSC::GenericTypedArrayView::item):
1670         (JSC::GenericTypedArrayView::checkInboundData):
1671         (JSC::GenericTypedArrayView::getType):
1672         * runtime/GenericTypedArrayViewInlines.h: Added.
1673         (JSC::::GenericTypedArrayView):
1674         (JSC::::create):
1675         (JSC::::createUninitialized):
1676         (JSC::::subarray):
1677         (JSC::::wrap):
1678         * runtime/IndexingHeader.h:
1679         (JSC::IndexingHeader::arrayBuffer):
1680         (JSC::IndexingHeader::setArrayBuffer):
1681         * runtime/Int16Array.h:
1682         * runtime/Int32Array.h:
1683         * runtime/Int8Array.h:
1684         * runtime/JSArrayBuffer.cpp: Added.
1685         (JSC::JSArrayBuffer::JSArrayBuffer):
1686         (JSC::JSArrayBuffer::finishCreation):
1687         (JSC::JSArrayBuffer::create):
1688         (JSC::JSArrayBuffer::createStructure):
1689         (JSC::JSArrayBuffer::getOwnPropertySlot):
1690         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
1691         (JSC::JSArrayBuffer::put):
1692         (JSC::JSArrayBuffer::defineOwnProperty):
1693         (JSC::JSArrayBuffer::deleteProperty):
1694         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1695         * runtime/JSArrayBuffer.h: Added.
1696         (JSC::JSArrayBuffer::impl):
1697         (JSC::toArrayBuffer):
1698         * runtime/JSArrayBufferConstructor.cpp: Added.
1699         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1700         (JSC::JSArrayBufferConstructor::finishCreation):
1701         (JSC::JSArrayBufferConstructor::create):
1702         (JSC::JSArrayBufferConstructor::createStructure):
1703         (JSC::constructArrayBuffer):
1704         (JSC::JSArrayBufferConstructor::getConstructData):
1705         (JSC::JSArrayBufferConstructor::getCallData):
1706         * runtime/JSArrayBufferConstructor.h: Added.
1707         * runtime/JSArrayBufferPrototype.cpp: Added.
1708         (JSC::arrayBufferProtoFuncSlice):
1709         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
1710         (JSC::JSArrayBufferPrototype::finishCreation):
1711         (JSC::JSArrayBufferPrototype::create):
1712         (JSC::JSArrayBufferPrototype::createStructure):
1713         * runtime/JSArrayBufferPrototype.h: Added.
1714         * runtime/JSArrayBufferView.cpp: Added.
1715         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1716         (JSC::JSArrayBufferView::JSArrayBufferView):
1717         (JSC::JSArrayBufferView::finishCreation):
1718         (JSC::JSArrayBufferView::getOwnPropertySlot):
1719         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
1720         (JSC::JSArrayBufferView::put):
1721         (JSC::JSArrayBufferView::defineOwnProperty):
1722         (JSC::JSArrayBufferView::deleteProperty):
1723         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1724         (JSC::JSArrayBufferView::finalize):
1725         * runtime/JSArrayBufferView.h: Added.
1726         (JSC::JSArrayBufferView::sizeOf):
1727         (JSC::JSArrayBufferView::ConstructionContext::operator!):
1728         (JSC::JSArrayBufferView::ConstructionContext::structure):
1729         (JSC::JSArrayBufferView::ConstructionContext::vector):
1730         (JSC::JSArrayBufferView::ConstructionContext::length):
1731         (JSC::JSArrayBufferView::ConstructionContext::mode):
1732         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
1733         (JSC::JSArrayBufferView::mode):
1734         (JSC::JSArrayBufferView::vector):
1735         (JSC::JSArrayBufferView::length):
1736         (JSC::JSArrayBufferView::offsetOfVector):
1737         (JSC::JSArrayBufferView::offsetOfLength):
1738         (JSC::JSArrayBufferView::offsetOfMode):
1739         * runtime/JSArrayBufferViewInlines.h: Added.
1740         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
1741         (JSC::JSArrayBufferView::buffer):
1742         (JSC::JSArrayBufferView::impl):
1743         (JSC::JSArrayBufferView::neuter):
1744         (JSC::JSArrayBufferView::byteOffset):
1745         * runtime/JSCell.cpp:
1746         (JSC::JSCell::slowDownAndWasteMemory):
1747         (JSC::JSCell::getTypedArrayImpl):
1748         * runtime/JSCell.h:
1749         * runtime/JSDataView.cpp: Added.
1750         (JSC::JSDataView::JSDataView):
1751         (JSC::JSDataView::create):
1752         (JSC::JSDataView::createUninitialized):
1753         (JSC::JSDataView::set):
1754         (JSC::JSDataView::typedImpl):
1755         (JSC::JSDataView::getOwnPropertySlot):
1756         (JSC::JSDataView::getOwnPropertyDescriptor):
1757         (JSC::JSDataView::slowDownAndWasteMemory):
1758         (JSC::JSDataView::getTypedArrayImpl):
1759         (JSC::JSDataView::createStructure):
1760         * runtime/JSDataView.h: Added.
1761         * runtime/JSDataViewPrototype.cpp: Added.
1762         (JSC::JSDataViewPrototype::JSDataViewPrototype):
1763         (JSC::JSDataViewPrototype::create):
1764         (JSC::JSDataViewPrototype::createStructure):
1765         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1766         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1767         (JSC::getData):
1768         (JSC::setData):
1769         (JSC::dataViewProtoFuncGetInt8):
1770         (JSC::dataViewProtoFuncGetInt16):
1771         (JSC::dataViewProtoFuncGetInt32):
1772         (JSC::dataViewProtoFuncGetUint8):
1773         (JSC::dataViewProtoFuncGetUint16):
1774         (JSC::dataViewProtoFuncGetUint32):
1775         (JSC::dataViewProtoFuncGetFloat32):
1776         (JSC::dataViewProtoFuncGetFloat64):
1777         (JSC::dataViewProtoFuncSetInt8):
1778         (JSC::dataViewProtoFuncSetInt16):
1779         (JSC::dataViewProtoFuncSetInt32):
1780         (JSC::dataViewProtoFuncSetUint8):
1781         (JSC::dataViewProtoFuncSetUint16):
1782         (JSC::dataViewProtoFuncSetUint32):
1783         (JSC::dataViewProtoFuncSetFloat32):
1784         (JSC::dataViewProtoFuncSetFloat64):
1785         * runtime/JSDataViewPrototype.h: Added.
1786         * runtime/JSFloat32Array.h: Added.
1787         * runtime/JSFloat64Array.h: Added.
1788         * runtime/JSGenericTypedArrayView.h: Added.
1789         (JSC::JSGenericTypedArrayView::byteLength):
1790         (JSC::JSGenericTypedArrayView::byteSize):
1791         (JSC::JSGenericTypedArrayView::typedVector):
1792         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1793         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1794         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1795         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1796         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1797         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1798         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1799         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1800         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1801         (JSC::JSGenericTypedArrayView::typedImpl):
1802         (JSC::JSGenericTypedArrayView::createStructure):
1803         (JSC::JSGenericTypedArrayView::info):
1804         (JSC::toNativeTypedView):
1805         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1806         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1807         (JSC::::JSGenericTypedArrayViewConstructor):
1808         (JSC::::finishCreation):
1809         (JSC::::create):
1810         (JSC::::createStructure):
1811         (JSC::constructGenericTypedArrayView):
1812         (JSC::::getConstructData):
1813         (JSC::::getCallData):
1814         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1815         (JSC::::JSGenericTypedArrayView):
1816         (JSC::::create):
1817         (JSC::::createUninitialized):
1818         (JSC::::validateRange):
1819         (JSC::::setWithSpecificType):
1820         (JSC::::set):
1821         (JSC::::getOwnPropertySlot):
1822         (JSC::::getOwnPropertyDescriptor):
1823         (JSC::::put):
1824         (JSC::::defineOwnProperty):
1825         (JSC::::deleteProperty):
1826         (JSC::::getOwnPropertySlotByIndex):
1827         (JSC::::putByIndex):
1828         (JSC::::deletePropertyByIndex):
1829         (JSC::::getOwnNonIndexPropertyNames):
1830         (JSC::::getOwnPropertyNames):
1831         (JSC::::visitChildren):
1832         (JSC::::copyBackingStore):
1833         (JSC::::slowDownAndWasteMemory):
1834         (JSC::::getTypedArrayImpl):
1835         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1836         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1837         (JSC::genericTypedArrayViewProtoFuncSet):
1838         (JSC::genericTypedArrayViewProtoFuncSubarray):
1839         (JSC::::JSGenericTypedArrayViewPrototype):
1840         (JSC::::finishCreation):
1841         (JSC::::create):
1842         (JSC::::createStructure):
1843         * runtime/JSGlobalObject.cpp:
1844         (JSC::JSGlobalObject::reset):
1845         (JSC::JSGlobalObject::visitChildren):
1846         * runtime/JSGlobalObject.h:
1847         (JSC::JSGlobalObject::arrayBufferPrototype):
1848         (JSC::JSGlobalObject::arrayBufferStructure):
1849         (JSC::JSGlobalObject::typedArrayStructure):
1850         * runtime/JSInt16Array.h: Added.
1851         * runtime/JSInt32Array.h: Added.
1852         * runtime/JSInt8Array.h: Added.
1853         * runtime/JSTypedArrayConstructors.cpp: Added.
1854         * runtime/JSTypedArrayConstructors.h: Added.
1855         * runtime/JSTypedArrayPrototypes.cpp: Added.
1856         * runtime/JSTypedArrayPrototypes.h: Added.
1857         * runtime/JSTypedArrays.cpp: Added.
1858         * runtime/JSTypedArrays.h: Added.
1859         * runtime/JSUint16Array.h: Added.
1860         * runtime/JSUint32Array.h: Added.
1861         * runtime/JSUint8Array.h: Added.
1862         * runtime/JSUint8ClampedArray.h: Added.
1863         * runtime/Operations.h:
1864         * runtime/Options.h:
1865         * runtime/SimpleTypedArrayController.cpp: Added.
1866         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1867         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1868         (JSC::SimpleTypedArrayController::toJS):
1869         * runtime/SimpleTypedArrayController.h: Added.
1870         * runtime/Structure.h:
1871         (JSC::Structure::couldHaveIndexingHeader):
1872         * runtime/StructureInlines.h:
1873         (JSC::Structure::hasIndexingHeader):
1874         * runtime/TypedArrayAdaptors.h: Added.
1875         (JSC::IntegralTypedArrayAdaptor::toNative):
1876         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1877         (JSC::IntegralTypedArrayAdaptor::toDouble):
1878         (JSC::FloatTypedArrayAdaptor::toNative):
1879         (JSC::FloatTypedArrayAdaptor::toJSValue):
1880         (JSC::FloatTypedArrayAdaptor::toDouble):
1881         (JSC::Uint8ClampedAdaptor::toNative):
1882         (JSC::Uint8ClampedAdaptor::toJSValue):
1883         (JSC::Uint8ClampedAdaptor::toDouble):
1884         (JSC::Uint8ClampedAdaptor::clamp):
1885         * runtime/TypedArrayController.cpp: Added.
1886         (JSC::TypedArrayController::TypedArrayController):
1887         (JSC::TypedArrayController::~TypedArrayController):
1888         * runtime/TypedArrayController.h: Added.
1889         * runtime/TypedArrayDescriptor.h: Removed.
1890         * runtime/TypedArrayInlines.h: Added.
1891         * runtime/TypedArrayType.cpp: Added.
1892         (JSC::classInfoForType):
1893         (WTF::printInternal):
1894         * runtime/TypedArrayType.h: Added.
1895         (JSC::toIndex):
1896         (JSC::isTypedView):
1897         (JSC::elementSize):
1898         (JSC::isInt):
1899         (JSC::isFloat):
1900         (JSC::isSigned):
1901         (JSC::isClamped):
1902         * runtime/TypedArrays.h: Added.
1903         * runtime/Uint16Array.h:
1904         * runtime/Uint32Array.h:
1905         * runtime/Uint8Array.h:
1906         * runtime/Uint8ClampedArray.h:
1907         * runtime/VM.cpp:
1908         (JSC::VM::VM):
1909         (JSC::VM::~VM):
1910         * runtime/VM.h:
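
        The entry above changes the JS-visible typed-array semantics: Uint8ClampedArray stops being a subtype of Uint8Array and ArrayBufferView stops being a script-reachable construct. The following is an added example, not code from the WebKit ChangeLog or from JavaScriptCore, that checks those two facts from script and contrasts the wrapping store of Uint8Array with the saturating, round-half-to-even store of Uint8ClampedArray (the sample values are constructed for the check). The store difference matters in practice: pixel and length arithmetic that silently wraps modulo 256 is a classic source of off-by-one and out-of-range surprises that clamping does not have.

```javascript
// Added example (not part of the WebKit ChangeLog or of JSC's own sources).
// It probes the JS-visible typed-array semantics described in the entry above.

// Uint8ClampedArray is a sibling of Uint8Array, not a subtype of it.
function clampedIsSubtypeOfUint8() {
  return new Uint8ClampedArray(1) instanceof Uint8Array;
}

// ArrayBufferView is not a global that script can reach; only concrete views
// (Uint8Array, DataView, ...) are exposed.
function arrayBufferViewIsVisible() {
  return typeof globalThis.ArrayBufferView !== "undefined";
}

// Store each value through the given constructor and read back what landed.
function storeSamples(ctor, values) {
  const view = new ctor(values.length);
  values.forEach((v, i) => { view[i] = v; });
  return Array.from(view);
}

// Constructed inputs: out-of-range high, negative, and three half-way cases.
const SAMPLE_VALUES = [300, -5, 1.5, 2.5, 255.5];

// Uint8Array truncates toward zero and wraps modulo 256.
function wrappedSamples() {
  return storeSamples(Uint8Array, SAMPLE_VALUES);
}

// Uint8ClampedArray saturates to [0, 255] and rounds half to even.
function clampedSamples() {
  return storeSamples(Uint8ClampedArray, SAMPLE_VALUES);
}

// Stand-alone usage: print the two behaviours side by side.
console.log("clamped instanceof Uint8Array:", clampedIsSubtypeOfUint8());
console.log("ArrayBufferView visible:", arrayBufferViewIsVisible());
console.log("Uint8Array        :", wrappedSamples());
console.log("Uint8ClampedArray :", clampedSamples());
```

Running it under any ES2015-or-later engine prints `false` for both probes and the two stored arrays `[44, 251, 1, 2, 255]` and `[255, 0, 2, 2, 255]`; the difference between those two rows is exactly what code that switches between the two view types has to account for.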
1911
1912 2013-08-15  Oliver Hunt  <oliver@apple.com>
1913
1914         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1915
1916         Reviewed by Filip Pizlo.
1917
1918         Make sure dfgCapabilities doesn't report a Dynamic put as
1919         being compilable when we don't actually support it.  
1920
1921         * bytecode/CodeBlock.cpp:
1922         (JSC::CodeBlock::dumpBytecode):
1923         * dfg/DFGCapabilities.cpp:
1924         (JSC::DFG::capabilityLevel):
1925
1926 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1927
1928         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1929         https://bugs.webkit.org/show_bug.cgi?id=119847
1930
1931         Reviewed by Oliver Hunt.
1932
1933         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1934         * runtime/ArrayBufferView.h: Ditto.
1935
1936 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1937
1938         https://bugs.webkit.org/show_bug.cgi?id=119843
1939         PropertySlot::setValue is ambiguous
1940
1941         Reviewed by Geoff Garen.
1942
1943         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1944         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1945         Unify on always providing the object, and remove the version that just takes a value.
1946         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1947         Provide a version of setValue that takes a JSString as the owner of the property.
1948         We won't store this, but it makes it clear that this interface should only be used from JSString.
1949
1950         * API/JSCallbackObjectFunctions.h:
1951         (JSC::::getOwnPropertySlot):
1952         * JSCTypedArrayStubs.h:
1953         * runtime/Arguments.cpp:
1954         (JSC::Arguments::getOwnPropertySlotByIndex):
1955         (JSC::Arguments::getOwnPropertySlot):
1956         * runtime/JSActivation.cpp:
1957         (JSC::JSActivation::symbolTableGet):
1958         (JSC::JSActivation::getOwnPropertySlot):
1959         * runtime/JSArray.cpp:
1960         (JSC::JSArray::getOwnPropertySlot):
1961         * runtime/JSObject.cpp:
1962         (JSC::JSObject::getOwnPropertySlotByIndex):
1963         * runtime/JSString.h:
1964         (JSC::JSString::getStringPropertySlot):
1965         * runtime/JSSymbolTableObject.h:
1966         (JSC::symbolTableGet):
1967         * runtime/SparseArrayValueMap.cpp:
1968         (JSC::SparseArrayEntry::get):
1969             - Pass object containing property to PropertySlot::setValue
1970         * runtime/PropertySlot.h:
1971         (JSC::PropertySlot::setValue):
1972             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1973         (JSC::PropertySlot::setUndefined):
1974             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1975
1976 2013-08-15  Oliver Hunt  <oliver@apple.com>
1977
1978         Remove bogus assertion.
1979
1980         RS=Filip Pizlo
1981
1982         * dfg/DFGAbstractInterpreterInlines.h:
1983         (JSC::DFG::::executeEffects):
1984
1985 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1986
1987         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1988         https://bugs.webkit.org/show_bug.cgi?id=114913
1989
1990         Reviewed by Filip Pizlo.
1991
1992         The X87 register was not freed before some calls. Instead
1993         of inserting resetX87Registers to the last call sites,
1994         the two X87 registers are now freed in every call.
1995
1996         * llint/LowLevelInterpreter32_64.asm:
1997         * llint/LowLevelInterpreter64.asm:
1998         * offlineasm/instructions.rb:
1999         * offlineasm/x86.rb:
2000
2001 2013-08-14  Michael Saboff  <msaboff@apple.com>
2002
2003         Fixed jit on Win64.
2004         https://bugs.webkit.org/show_bug.cgi?id=119601
2005
2006         Reviewed by Oliver Hunt.
2007
2008         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
2009         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
2010         * jit/SlowPathCall.h:
2011         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
2012
2013 2013-08-14  Alex Christensen  <achristensen@apple.com>
2014
2015         Compile fix for Win64 with jit disabled.
2016         https://bugs.webkit.org/show_bug.cgi?id=119804
2017
2018         Reviewed by Michael Saboff.
2019
2020         * offlineasm/cloop.rb: Added std:: before isnan.
2021
2022 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
2023
2024         DFG_JIT implementation for sh4 architecture.
2025         https://bugs.webkit.org/show_bug.cgi?id=119737
2026
2027         Reviewed by Oliver Hunt.
2028
2029         * assembler/MacroAssemblerSH4.h:
2030         (JSC::MacroAssemblerSH4::invert):
2031         (JSC::MacroAssemblerSH4::add32):
2032         (JSC::MacroAssemblerSH4::and32):
2033         (JSC::MacroAssemblerSH4::lshift32):
2034         (JSC::MacroAssemblerSH4::mul32):
2035         (JSC::MacroAssemblerSH4::or32):
2036         (JSC::MacroAssemblerSH4::rshift32):
2037         (JSC::MacroAssemblerSH4::sub32):
2038         (JSC::MacroAssemblerSH4::xor32):
2039         (JSC::MacroAssemblerSH4::store32):
2040         (JSC::MacroAssemblerSH4::swapDouble):
2041         (JSC::MacroAssemblerSH4::storeDouble):
2042         (JSC::MacroAssemblerSH4::subDouble):
2043         (JSC::MacroAssemblerSH4::mulDouble):
2044         (JSC::MacroAssemblerSH4::divDouble):
2045         (JSC::MacroAssemblerSH4::negateDouble):
2046         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
2047         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
2048         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
2049         (JSC::MacroAssemblerSH4::swap):
2050         (JSC::MacroAssemblerSH4::jump):
2051         (JSC::MacroAssemblerSH4::branchNeg32):
2052         (JSC::MacroAssemblerSH4::branchAdd32):
2053         (JSC::MacroAssemblerSH4::branchMul32):
2054         (JSC::MacroAssemblerSH4::urshift32):
2055         * assembler/SH4Assembler.h:
2056         (JSC::SH4Assembler::SH4Assembler):
2057         (JSC::SH4Assembler::labelForWatchpoint):
2058         (JSC::SH4Assembler::label):
2059         (JSC::SH4Assembler::debugOffset):
2060         * dfg/DFGAssemblyHelpers.h:
2061         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
2062         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
2063         (JSC::DFG::AssemblyHelpers::debugCall):
2064         * dfg/DFGCCallHelpers.h:
2065         (JSC::DFG::CCallHelpers::setupArguments):
2066         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2067         * dfg/DFGFPRInfo.h:
2068         (JSC::DFG::FPRInfo::toRegister):
2069         (JSC::DFG::FPRInfo::toIndex):
2070         (JSC::DFG::FPRInfo::debugName):
2071         * dfg/DFGGPRInfo.h:
2072         (JSC::DFG::GPRInfo::toRegister):
2073         (JSC::DFG::GPRInfo::toIndex):
2074         (JSC::DFG::GPRInfo::debugName):
2075         * dfg/DFGOperations.cpp:
2076         * dfg/DFGSpeculativeJIT.h:
2077         (JSC::DFG::SpeculativeJIT::callOperation):
2078         * jit/JITStubs.h:
2079         * jit/JITStubsSH4.h:
2080
2081 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2082
2083         Unreviewed, fix build.
2084
2085         * API/JSValue.mm:
2086         (isDate):
2087         (isArray):
2088         * API/JSWrapperMap.mm:
2089         (tryUnwrapObjcObject):
2090         * API/ObjCCallbackFunction.mm:
2091         (tryUnwrapBlock):
2092
2093 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2094
2095         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
2096         https://bugs.webkit.org/show_bug.cgi?id=119770
2097
2098         Reviewed by Mark Hahnenberg.
2099
2100         * API/JSCallbackConstructor.cpp:
2101         (JSC::JSCallbackConstructor::finishCreation):
2102         * API/JSCallbackConstructor.h:
2103         (JSC::JSCallbackConstructor::createStructure):
2104         * API/JSCallbackFunction.cpp:
2105         (JSC::JSCallbackFunction::finishCreation):
2106         * API/JSCallbackFunction.h:
2107         (JSC::JSCallbackFunction::createStructure):
2108         * API/JSCallbackObject.cpp:
2109         (JSC::::createStructure):
2110         * API/JSCallbackObject.h:
2111         (JSC::JSCallbackObject::visitChildren):
2112         * API/JSCallbackObjectFunctions.h:
2113         (JSC::::asCallbackObject):
2114         (JSC::::finishCreation):
2115         * API/JSObjectRef.cpp:
2116         (JSObjectGetPrivate):
2117         (JSObjectSetPrivate):
2118         (JSObjectGetPrivateProperty):
2119         (JSObjectSetPrivateProperty):
2120         (JSObjectDeletePrivateProperty):
2121         * API/JSValueRef.cpp:
2122         (JSValueIsObjectOfClass):
2123         * API/JSWeakObjectMapRefPrivate.cpp:
2124         * API/ObjCCallbackFunction.h:
2125         (JSC::ObjCCallbackFunction::createStructure):
2126         * JSCTypedArrayStubs.h:
2127         * bytecode/CallLinkStatus.cpp:
2128         (JSC::CallLinkStatus::CallLinkStatus):
2129         (JSC::CallLinkStatus::function):
2130         (JSC::CallLinkStatus::internalFunction):
2131         * bytecode/CodeBlock.h:
2132         (JSC::baselineCodeBlockForInlineCallFrame):
2133         * bytecode/SpeculatedType.cpp:
2134         (JSC::speculationFromClassInfo):
2135         * bytecode/UnlinkedCodeBlock.cpp:
2136         (JSC::UnlinkedFunctionExecutable::visitChildren):
2137         (JSC::UnlinkedCodeBlock::visitChildren):
2138         (JSC::UnlinkedProgramCodeBlock::visitChildren):
2139         * bytecode/UnlinkedCodeBlock.h:
2140         (JSC::UnlinkedFunctionExecutable::createStructure):
2141         (JSC::UnlinkedProgramCodeBlock::createStructure):
2142         (JSC::UnlinkedEvalCodeBlock::createStructure):
2143         (JSC::UnlinkedFunctionCodeBlock::createStructure):
2144         * debugger/Debugger.cpp:
2145         * debugger/DebuggerActivation.cpp:
2146         (JSC::DebuggerActivation::visitChildren):
2147         * debugger/DebuggerActivation.h:
2148         (JSC::DebuggerActivation::createStructure):
2149         * debugger/DebuggerCallFrame.cpp:
2150         (JSC::DebuggerCallFrame::functionName):
2151         * dfg/DFGAbstractInterpreterInlines.h:
2152         (JSC::DFG::::executeEffects):
2153         * dfg/DFGByteCodeParser.cpp:
2154         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2155         (JSC::DFG::ByteCodeParser::parseBlock):
2156         * dfg/DFGFixupPhase.cpp:
2157         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2158         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
2159         * dfg/DFGGraph.cpp:
2160         (JSC::DFG::Graph::dump):
2161         * dfg/DFGGraph.h:
2162         (JSC::DFG::Graph::isInternalFunctionConstant):
2163         * dfg/DFGOperations.cpp:
2164         * dfg/DFGSpeculativeJIT.cpp:
2165         (JSC::DFG::SpeculativeJIT::checkArray):
2166         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2167         * dfg/DFGThunks.cpp:
2168         (JSC::DFG::virtualForThunkGenerator):
2169         * interpreter/Interpreter.cpp:
2170         (JSC::loadVarargs):
2171         * jsc.cpp:
2172         (GlobalObject::createStructure):
2173         * profiler/LegacyProfiler.cpp:
2174         (JSC::LegacyProfiler::createCallIdentifier):
2175         * runtime/Arguments.cpp:
2176         (JSC::Arguments::visitChildren):
2177         * runtime/Arguments.h:
2178         (JSC::Arguments::createStructure):
2179         (JSC::asArguments):
2180         (JSC::Arguments::finishCreation):
2181         * runtime/ArrayConstructor.cpp:
2182         (JSC::arrayConstructorIsArray):
2183         * runtime/ArrayConstructor.h:
2184         (JSC::ArrayConstructor::createStructure):
2185         * runtime/ArrayPrototype.cpp:
2186         (JSC::ArrayPrototype::finishCreation):
2187         (JSC::arrayProtoFuncConcat):
2188         (JSC::attemptFastSort):
2189         * runtime/ArrayPrototype.h:
2190         (JSC::ArrayPrototype::createStructure):
2191         * runtime/BooleanConstructor.h:
2192         (JSC::BooleanConstructor::createStructure):
2193         * runtime/BooleanObject.cpp:
2194         (JSC::BooleanObject::finishCreation):
2195         * runtime/BooleanObject.h:
2196         (JSC::BooleanObject::createStructure):
2197         (JSC::asBooleanObject):
2198         * runtime/BooleanPrototype.cpp:
2199         (JSC::BooleanPrototype::finishCreation):
2200         (JSC::booleanProtoFuncToString):
2201         (JSC::booleanProtoFuncValueOf):
2202         * runtime/BooleanPrototype.h:
2203         (JSC::BooleanPrototype::createStructure):
2204         * runtime/DateConstructor.cpp:
2205         (JSC::constructDate):
2206         * runtime/DateConstructor.h:
2207         (JSC::DateConstructor::createStructure):
2208         * runtime/DateInstance.cpp:
2209         (JSC::DateInstance::finishCreation):
2210         * runtime/DateInstance.h:
2211         (JSC::DateInstance::createStructure):
2212         (JSC::asDateInstance):
2213         * runtime/DatePrototype.cpp:
2214         (JSC::formateDateInstance):
2215         (JSC::DatePrototype::finishCreation):
2216         (JSC::dateProtoFuncToISOString):
2217         (JSC::dateProtoFuncToLocaleString):
2218         (JSC::dateProtoFuncToLocaleDateString):
2219         (JSC::dateProtoFuncToLocaleTimeString):
2220         (JSC::dateProtoFuncGetTime):
2221         (JSC::dateProtoFuncGetFullYear):
2222         (JSC::dateProtoFuncGetUTCFullYear):
2223         (JSC::dateProtoFuncGetMonth):
2224         (JSC::dateProtoFuncGetUTCMonth):
2225         (JSC::dateProtoFuncGetDate):
2226         (JSC::dateProtoFuncGetUTCDate):
2227         (JSC::dateProtoFuncGetDay):
2228         (JSC::dateProtoFuncGetUTCDay):
2229         (JSC::dateProtoFuncGetHours):
2230         (JSC::dateProtoFuncGetUTCHours):
2231         (JSC::dateProtoFuncGetMinutes):
2232         (JSC::dateProtoFuncGetUTCMinutes):
2233         (JSC::dateProtoFuncGetSeconds):
2234         (JSC::dateProtoFuncGetUTCSeconds):
2235         (JSC::dateProtoFuncGetMilliSeconds):
2236         (JSC::dateProtoFuncGetUTCMilliseconds):
2237         (JSC::dateProtoFuncGetTimezoneOffset):
2238         (JSC::dateProtoFuncSetTime):
2239         (JSC::setNewValueFromTimeArgs):
2240         (JSC::setNewValueFromDateArgs):
2241         (JSC::dateProtoFuncSetYear):
2242         (JSC::dateProtoFuncGetYear):
2243         * runtime/DatePrototype.h:
2244         (JSC::DatePrototype::createStructure):
2245         * runtime/Error.h:
2246         (JSC::StrictModeTypeErrorFunction::createStructure):
2247         * runtime/ErrorConstructor.h:
2248         (JSC::ErrorConstructor::createStructure):
2249         * runtime/ErrorInstance.cpp:
2250         (JSC::ErrorInstance::finishCreation):
2251         * runtime/ErrorInstance.h:
2252         (JSC::ErrorInstance::createStructure):
2253         * runtime/ErrorPrototype.cpp:
2254         (JSC::ErrorPrototype::finishCreation):
2255         * runtime/ErrorPrototype.h:
2256         (JSC::ErrorPrototype::createStructure):
2257         * runtime/ExceptionHelpers.cpp:
2258         (JSC::isTerminatedExecutionException):
2259         * runtime/ExceptionHelpers.h:
2260         (JSC::TerminatedExecutionError::createStructure):
2261         * runtime/Executable.cpp:
2262         (JSC::EvalExecutable::visitChildren):
2263         (JSC::ProgramExecutable::visitChildren):
2264         (JSC::FunctionExecutable::visitChildren):
2265         (JSC::ExecutableBase::hashFor):
2266         * runtime/Executable.h:
2267         (JSC::ExecutableBase::createStructure):
2268         (JSC::NativeExecutable::createStructure):
2269         (JSC::EvalExecutable::createStructure):
2270         (JSC::ProgramExecutable::createStructure):
2271         (JSC::FunctionExecutable::compileFor):
2272         (JSC::FunctionExecutable::compileOptimizedFor):
2273         (JSC::FunctionExecutable::createStructure):
2274         * runtime/FunctionConstructor.h:
2275         (JSC::FunctionConstructor::createStructure):
2276         * runtime/FunctionPrototype.cpp:
2277         (JSC::functionProtoFuncToString):
2278         (JSC::functionProtoFuncApply):
2279         (JSC::functionProtoFuncBind):
2280         * runtime/FunctionPrototype.h:
2281         (JSC::FunctionPrototype::createStructure):
2282         * runtime/GetterSetter.cpp:
2283         (JSC::GetterSetter::visitChildren):
2284         * runtime/GetterSetter.h:
2285         (JSC::GetterSetter::createStructure):
2286         * runtime/InternalFunction.cpp:
2287         (JSC::InternalFunction::finishCreation):
2288         * runtime/InternalFunction.h:
2289         (JSC::InternalFunction::createStructure):
2290         (JSC::asInternalFunction):
2291         * runtime/JSAPIValueWrapper.h:
2292         (JSC::JSAPIValueWrapper::createStructure):
2293         * runtime/JSActivation.cpp:
2294         (JSC::JSActivation::visitChildren):
2295         (JSC::JSActivation::argumentsGetter):
2296         * runtime/JSActivation.h:
2297         (JSC::JSActivation::createStructure):
2298         (JSC::asActivation):
2299         * runtime/JSArray.h:
2300         (JSC::JSArray::createStructure):
2301         (JSC::asArray):
2302         (JSC::isJSArray):
2303         * runtime/JSBoundFunction.cpp:
2304         (JSC::JSBoundFunction::finishCreation):
2305         (JSC::JSBoundFunction::visitChildren):
2306         * runtime/JSBoundFunction.h:
2307         (JSC::JSBoundFunction::createStructure):
2308         * runtime/JSCJSValue.cpp:
2309         (JSC::JSValue::dumpInContext):
2310         * runtime/JSCJSValueInlines.h:
2311         (JSC::JSValue::isFunction):
2312         * runtime/JSCell.h:
2313         (JSC::jsCast):
2314         (JSC::jsDynamicCast):
2315         * runtime/JSCellInlines.h:
2316         (JSC::allocateCell):
2317         * runtime/JSFunction.cpp:
2318         (JSC::JSFunction::finishCreation):
2319         (JSC::JSFunction::visitChildren):
2320         (JSC::skipOverBoundFunctions):
2321         (JSC::JSFunction::callerGetter):
2322         * runtime/JSFunction.h:
2323         (JSC::JSFunction::createStructure):
2324         * runtime/JSGlobalObject.cpp:
2325         (JSC::JSGlobalObject::visitChildren):
2326         (JSC::slowValidateCell):
2327         * runtime/JSGlobalObject.h:
2328         (JSC::JSGlobalObject::createStructure):
2329         * runtime/JSNameScope.cpp:
2330         (JSC::JSNameScope::visitChildren):
2331         * runtime/JSNameScope.h:
2332         (JSC::JSNameScope::createStructure):
2333         * runtime/JSNotAnObject.h:
2334         (JSC::JSNotAnObject::createStructure):
2335         * runtime/JSONObject.cpp:
2336         (JSC::JSONObject::finishCreation):
2337         (JSC::unwrapBoxedPrimitive):
2338         (JSC::Stringifier::Stringifier):
2339         (JSC::Stringifier::appendStringifiedValue):
2340         (JSC::Stringifier::Holder::Holder):
2341         (JSC::Walker::walk):
2342         (JSC::JSONProtoFuncStringify):
2343         * runtime/JSONObject.h:
2344         (JSC::JSONObject::createStructure):
2345         * runtime/JSObject.cpp:
2346         (JSC::getCallableObjectSlow):
2347         (JSC::JSObject::visitChildren):
2348         (JSC::JSObject::copyBackingStore):
2349         (JSC::JSFinalObject::visitChildren):
2350         (JSC::JSObject::ensureInt32Slow):
2351         (JSC::JSObject::ensureDoubleSlow):
2352         (JSC::JSObject::ensureContiguousSlow):
2353         (JSC::JSObject::ensureArrayStorageSlow):
2354         * runtime/JSObject.h:
2355         (JSC::JSObject::finishCreation):
2356         (JSC::JSObject::createStructure):
2357         (JSC::JSNonFinalObject::createStructure):
2358         (JSC::JSFinalObject::createStructure):
2359         (JSC::isJSFinalObject):
2360         * runtime/JSPropertyNameIterator.cpp:
2361         (JSC::JSPropertyNameIterator::visitChildren):
2362         * runtime/JSPropertyNameIterator.h:
2363         (JSC::JSPropertyNameIterator::createStructure):
2364         * runtime/JSProxy.cpp:
2365         (JSC::JSProxy::visitChildren):
2366         * runtime/JSProxy.h:
2367         (JSC::JSProxy::createStructure):
2368         * runtime/JSScope.cpp:
2369         (JSC::JSScope::visitChildren):
2370         * runtime/JSSegmentedVariableObject.cpp:
2371         (JSC::JSSegmentedVariableObject::visitChildren):
2372         * runtime/JSString.h:
2373         (JSC::JSString::createStructure):
2374         (JSC::isJSString):
2375         * runtime/JSSymbolTableObject.cpp:
2376         (JSC::JSSymbolTableObject::visitChildren):
2377         * runtime/JSVariableObject.h:
2378         * runtime/JSWithScope.cpp:
2379         (JSC::JSWithScope::visitChildren):
2380         * runtime/JSWithScope.h:
2381         (JSC::JSWithScope::createStructure):
2382         * runtime/JSWrapperObject.cpp:
2383         (JSC::JSWrapperObject::visitChildren):
2384         * runtime/JSWrapperObject.h:
2385         (JSC::JSWrapperObject::createStructure):
2386         * runtime/MathObject.cpp:
2387         (JSC::MathObject::finishCreation):
2388         * runtime/MathObject.h:
2389         (JSC::MathObject::createStructure):
2390         * runtime/NameConstructor.h:
2391         (JSC::NameConstructor::createStructure):
2392         * runtime/NameInstance.h:
2393         (JSC::NameInstance::createStructure):
2394         (JSC::NameInstance::finishCreation):
2395         * runtime/NamePrototype.cpp:
2396         (JSC::NamePrototype::finishCreation):
2397         (JSC::privateNameProtoFuncToString):
2398         * runtime/NamePrototype.h:
2399         (JSC::NamePrototype::createStructure):
2400         * runtime/NativeErrorConstructor.cpp:
2401         (JSC::NativeErrorConstructor::visitChildren):
2402         * runtime/NativeErrorConstructor.h:
2403         (JSC::NativeErrorConstructor::createStructure):
2404         (JSC::NativeErrorConstructor::finishCreation):
2405         * runtime/NumberConstructor.cpp:
2406         (JSC::NumberConstructor::finishCreation):
2407         * runtime/NumberConstructor.h:
2408         (JSC::NumberConstructor::createStructure):
2409         * runtime/NumberObject.cpp:
2410         (JSC::NumberObject::finishCreation):
2411         * runtime/NumberObject.h:
2412         (JSC::NumberObject::createStructure):
2413         * runtime/NumberPrototype.cpp:
2414         (JSC::NumberPrototype::finishCreation):
2415         * runtime/NumberPrototype.h:
2416         (JSC::NumberPrototype::createStructure):
2417         * runtime/ObjectConstructor.h:
2418         (JSC::ObjectConstructor::createStructure):
2419         * runtime/ObjectPrototype.cpp:
2420         (JSC::ObjectPrototype::finishCreation):
2421         * runtime/ObjectPrototype.h:
2422         (JSC::ObjectPrototype::createStructure):
2423         * runtime/PropertyMapHashTable.h:
2424         (JSC::PropertyTable::createStructure):
2425         * runtime/PropertyTable.cpp:
2426         (JSC::PropertyTable::visitChildren):
2427         * runtime/RegExp.h:
2428         (JSC::RegExp::createStructure):
2429         * runtime/RegExpConstructor.cpp:
2430         (JSC::RegExpConstructor::finishCreation):
2431         (JSC::RegExpConstructor::visitChildren):
2432         (JSC::constructRegExp):
2433         * runtime/RegExpConstructor.h:
2434         (JSC::RegExpConstructor::createStructure):
2435         (JSC::asRegExpConstructor):
2436         * runtime/RegExpMatchesArray.cpp:
2437         (JSC::RegExpMatchesArray::visitChildren):
2438         * runtime/RegExpMatchesArray.h:
2439         (JSC::RegExpMatchesArray::createStructure):
2440         * runtime/RegExpObject.cpp:
2441         (JSC::RegExpObject::finishCreation):
2442         (JSC::RegExpObject::visitChildren):
2443         * runtime/RegExpObject.h:
2444         (JSC::RegExpObject::createStructure):
2445         (JSC::asRegExpObject):
2446         * runtime/RegExpPrototype.cpp:
2447         (JSC::regExpProtoFuncTest):
2448         (JSC::regExpProtoFuncExec):
2449         (JSC::regExpProtoFuncCompile):
2450         (JSC::regExpProtoFuncToString):
2451         * runtime/RegExpPrototype.h:
2452         (JSC::RegExpPrototype::createStructure):
2453         * runtime/SparseArrayValueMap.cpp:
2454         (JSC::SparseArrayValueMap::createStructure):
2455         * runtime/SparseArrayValueMap.h:
2456         * runtime/StrictEvalActivation.h:
2457         (JSC::StrictEvalActivation::createStructure):
2458         * runtime/StringConstructor.h:
2459         (JSC::StringConstructor::createStructure):
2460         * runtime/StringObject.cpp:
2461         (JSC::StringObject::finishCreation):
2462         * runtime/StringObject.h:
2463         (JSC::StringObject::createStructure):
2464         (JSC::asStringObject):
2465         * runtime/StringPrototype.cpp:
2466         (JSC::StringPrototype::finishCreation):
2467         (JSC::stringProtoFuncReplace):
2468         (JSC::stringProtoFuncToString):
2469         (JSC::stringProtoFuncMatch):
2470         (JSC::stringProtoFuncSearch):
2471         (JSC::stringProtoFuncSplit):
2472         * runtime/StringPrototype.h:
2473         (JSC::StringPrototype::createStructure):
2474         * runtime/Structure.cpp:
2475         (JSC::Structure::Structure):
2476         (JSC::Structure::materializePropertyMap):
2477         (JSC::Structure::get):
2478         (JSC::Structure::visitChildren):
2479         * runtime/Structure.h:
2480         (JSC::Structure::typeInfo):
2481         (JSC::Structure::previousID):
2482         (JSC::Structure::outOfLineSize):
2483         (JSC::Structure::totalStorageCapacity):
2484         (JSC::Structure::materializePropertyMapIfNecessary):
2485         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2486         * runtime/StructureChain.cpp:
2487         (JSC::StructureChain::visitChildren):
2488         * runtime/StructureChain.h:
2489         (JSC::StructureChain::createStructure):
2490         * runtime/StructureInlines.h:
2491         (JSC::Structure::get):
2492         * runtime/StructureRareData.cpp:
2493         (JSC::StructureRareData::createStructure):
2494         (JSC::StructureRareData::visitChildren):
2495         * runtime/StructureRareData.h:
2496         * runtime/SymbolTable.h:
2497         (JSC::SharedSymbolTable::createStructure):
2498         * runtime/VM.cpp:
2499         (JSC::VM::VM):
2500         (JSC::StackPreservingRecompiler::operator()):
2501         (JSC::VM::releaseExecutableMemory):
2502         * runtime/WriteBarrier.h:
2503         (JSC::validateCell):
2504         * testRegExp.cpp:
2505         (GlobalObject::createStructure):
2506
2507 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
2508
2509         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
2510         https://bugs.webkit.org/show_bug.cgi?id=119762
2511
2512         Reviewed by Geoffrey Garen.
2513
2514         * heap/Heap.cpp:
2515         (JSC::Heap::Heap):
2516         (JSC::Heap::markRoots):
2517         (JSC::Heap::collect):
2518         * jsc.cpp:
2519         (StopWatch::start):
2520         (StopWatch::stop):
2521         * testRegExp.cpp:
2522         (StopWatch::start):
2523         (StopWatch::stop):
2524
2525 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2526
2527         [sh4] Prepare LLINT for DFG_JIT implementation.
2528         https://bugs.webkit.org/show_bug.cgi?id=119755
2529
2530         Reviewed by Oliver Hunt.
2531
2532         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
2533         * offlineasm/sh4.rb:
2534             - Handle storeb opcode.
2535             - Make relative jumps when possible using braf opcode.
2536             - Update bmulio implementation to be consistent with baseline JIT.
2537             - Remove useless code from leap opcode.
2538             - Fix incorrect comment.
2539
2540 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2541
2542         [sh4] Prepare baseline JIT for DFG_JIT implementation.
2543         https://bugs.webkit.org/show_bug.cgi?id=119758
2544
2545         Reviewed by Oliver Hunt.
2546
2547         * assembler/MacroAssemblerSH4.h:
2548             - Introduce a loadEffectiveAddress function to avoid code duplication.
2549             - Add ASSERTs and clean code.
2550         * assembler/SH4Assembler.h:
2551             - Prepare DFG_JIT implementation.
2552             - Add ASSERTs.
2553         * jit/JITStubs.cpp:
2554             - Add SH4 specific call for assertions.
2555         * jit/JITStubs.h:
2556             - Cosmetic change.
2557         * jit/JITStubsSH4.h:
2558             - Use constants to be more flexible with sh4 JIT stack frame.
2559         * jit/JSInterfaceJIT.h:
2560             - Cosmetic change.
2561
2562 2013-08-13  Oliver Hunt  <oliver@apple.com>
2563
2564         Harden executeConstruct against incorrect return types from host functions
2565         https://bugs.webkit.org/show_bug.cgi?id=119757
2566
2567         Reviewed by Mark Hahnenberg.
2568
2569         Add logic to guard against bogus return types.  There doesn't seem to be any
2570         class in webkit that does this wrong, but the typed array stubs in debug JSC
2571         do exhibit this bad behaviour.
2572
2573         * interpreter/Interpreter.cpp:
2574         (JSC::Interpreter::executeConstruct):
2575
2576 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2577
2578         [Qt] Fix C++11 build with gcc 4.4 and 4.5
2579         https://bugs.webkit.org/show_bug.cgi?id=119736
2580
2581         Reviewed by Anders Carlsson.
2582
2583         Don't force C++11 mode off anymore.
2584
2585         * Target.pri:
2586
2587 2013-08-12  Oliver Hunt  <oliver@apple.com>
2588
2589         Remove CodeBlock's notion of adding identifiers entirely
2590         https://bugs.webkit.org/show_bug.cgi?id=119708
2591
2592         Reviewed by Geoffrey Garen.
2593
2594         Remove addAdditionalIdentifier entirely, including the bogus assertion.
2595         Move the addition of identifiers to DFGPlan::reallyAdd.
2596
2597         * bytecode/CodeBlock.h:
2598         * dfg/DFGDesiredIdentifiers.cpp:
2599         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2600         * dfg/DFGDesiredIdentifiers.h:
2601         * dfg/DFGPlan.cpp:
2602         (JSC::DFG::Plan::reallyAdd):
2603         (JSC::DFG::Plan::finalize):
2604         * dfg/DFGPlan.h:
2605
2606 2013-08-12  Oliver Hunt  <oliver@apple.com>
2607
2608         Build fix
2609
2610         * runtime/JSCell.h:
2611
2612 2013-08-12  Oliver Hunt  <oliver@apple.com>
2613
2614         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
2615         https://bugs.webkit.org/show_bug.cgi?id=119705
2616
2617         Reviewed by Geoffrey Garen.
2618
2619         Relatively trivial refactoring.
2620
2621         * bytecode/CodeBlock.h:
2622         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2623         (JSC::CodeBlock::addAdditionalIdentifier):
2624         (JSC::CodeBlock::identifier):
2625         (JSC::CodeBlock::numberOfIdentifiers):
2626         * dfg/DFGCommonData.h:
2627
2628 2013-08-12  Oliver Hunt  <oliver@apple.com>
2629
2630         Stop making unnecessary copy of CodeBlock Identifier Vector
2631         https://bugs.webkit.org/show_bug.cgi?id=119702
2632
2633         Reviewed by Michael Saboff.
2634
2635         Make CodeBlock simply use a separate Vector for additional Identifiers
2636         and use the UnlinkedCodeBlock for the initial set of identifiers.
2637
2638         * bytecode/CodeBlock.cpp:
2639         (JSC::CodeBlock::printGetByIdOp):
2640         (JSC::dumpStructure):
2641         (JSC::dumpChain):
2642         (JSC::CodeBlock::printGetByIdCacheStatus):
2643         (JSC::CodeBlock::printPutByIdOp):
2644         (JSC::CodeBlock::dumpBytecode):
2645         (JSC::CodeBlock::CodeBlock):
2646         (JSC::CodeBlock::shrinkToFit):
2647         * bytecode/CodeBlock.h:
2648         (JSC::CodeBlock::numberOfIdentifiers):
2649         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2650         (JSC::CodeBlock::addAdditionalIdentifier):
2651         (JSC::CodeBlock::identifier):
2652         * dfg/DFGDesiredIdentifiers.cpp:
2653         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2654         * jit/JIT.h:
2655         * jit/JITOpcodes.cpp:
2656         (JSC::JIT::emitSlow_op_get_arguments_length):
2657         * jit/JITPropertyAccess.cpp:
2658         (JSC::JIT::emit_op_get_by_id):
2659         (JSC::JIT::compileGetByIdHotPath):
2660         (JSC::JIT::emitSlow_op_get_by_id):
2661         (JSC::JIT::compileGetByIdSlowCase):
2662         (JSC::JIT::emitSlow_op_put_by_id):
2663         * jit/JITPropertyAccess32_64.cpp:
2664         (JSC::JIT::emit_op_get_by_id):
2665         (JSC::JIT::compileGetByIdHotPath):
2666         (JSC::JIT::compileGetByIdSlowCase):
2667         * jit/JITStubs.cpp:
2668         (JSC::DEFINE_STUB_FUNCTION):
2669         * llint/LLIntSlowPaths.cpp:
2670         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2671
2672 2013-08-08  Mark Lam  <mark.lam@apple.com>
2673
2674         Restoring use of StackIterator instead of Interpreter::getStacktrace().
2675         https://bugs.webkit.org/show_bug.cgi?id=119575.
2676
2677         Reviewed by Oliver Hunt.
2678
2679         * interpreter/Interpreter.h:
2680         - Made getStackTrace() private.
2681         * interpreter/StackIterator.cpp:
2682         (JSC::StackIterator::StackIterator):
2683         (JSC::StackIterator::numberOfFrames):
2684         - Computes the number of frames by iterating through the whole stack
2685           from the starting frame. The iterator will save its current frame
2686           position before counting the frames, and then restore it after
2687           the counting.
2688         (JSC::StackIterator::gotoFrameAtIndex):
2689         (JSC::StackIterator::gotoNextFrame):
2690         (JSC::StackIterator::resetIterator):
2691         - Points the iterator to the starting frame.
2692         * interpreter/StackIteratorPrivate.h:
2693
2694 2013-08-08  Mark Lam  <mark.lam@apple.com>
2695
2696         Moved ErrorConstructor and NativeErrorConstructor helper functions into
2697         the Interpreter class.
2698         https://bugs.webkit.org/show_bug.cgi?id=119576.
2699
2700         Reviewed by Oliver Hunt.
2701
2702         This change is needed to prepare for making Interpreter::getStackTrace()
2703         private. It does not change the behavior of the code, only the lexical
2704         scoping.
2705
2706         * interpreter/Interpreter.h:
2707         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
2708         * runtime/ErrorConstructor.cpp:
2709         (JSC::Interpreter::constructWithErrorConstructor):
2710         (JSC::ErrorConstructor::getConstructData):
2711         (JSC::Interpreter::callErrorConstructor):
2712         (JSC::ErrorConstructor::getCallData):
2713         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
2714           directly. So, we moved the helper functions into the Interpreter
2715           class.
2716         * runtime/NativeErrorConstructor.cpp:
2717         (JSC::Interpreter::constructWithNativeErrorConstructor):
2718         (JSC::NativeErrorConstructor::getConstructData):
2719         (JSC::Interpreter::callNativeErrorConstructor):
2720         (JSC::NativeErrorConstructor::getCallData):
2721         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
2722           directly. So, we moved the helper functions into the Interpreter
2723           class.
2724
2725 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2726
2727         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
2728         https://bugs.webkit.org/show_bug.cgi?id=119555
2729
2730         Reviewed by Geoffrey Garen.
2731
2732         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2733         This was causing crashes on maps.google.com in 32-bit debug builds.
2734
2735         * dfg/DFGSpeculativeJIT32_64.cpp:
2736         (JSC::DFG::SpeculativeJIT::compile):
2737
2738 2013-08-06  Michael Saboff  <msaboff@apple.com>
2739
2740         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2741         https://bugs.webkit.org/show_bug.cgi?id=119405
2742
2743         Reviewed by Geoffrey Garen.
2744
2745         * dfg/DFGSpeculativeJIT.cpp:
2746         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2747         ourselves to save a register and then load from it.
2748
2749 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2750
2751         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2752         https://bugs.webkit.org/show_bug.cgi?id=119528
2753
2754         Reviewed by Geoffrey Garen.
2755
2756         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2757         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2758         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2759         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2760         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2761
2762         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2763
2764         * bytecode/CodeBlock.cpp:
2765         (JSC::CodeBlock::finalizeUnconditionally):
2766         * dfg/DFGDriver.cpp:
2767         (JSC::DFG::compile):
2768         * dfg/DFGFixupPhase.cpp:
2769         (JSC::DFG::FixupPhase::fixupNode):
2770         * dfg/DFGGraph.cpp:
2771         (JSC::DFG::Graph::dump):
2772         * dfg/DFGSpeculativeJIT64.cpp:
2773         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2774         * runtime/JSObject.h:
2775         (JSC::JSObject::getIndexQuickly):
2776         (JSC::JSObject::tryGetIndexQuickly):
2777
2778 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2779
2780         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2781
2782         Unreviewed.
2783
2784         Ensure llint symbols are in source order.
2785
2786         * JavaScriptCore.order:
2787
2788 2013-08-06  Mark Lam  <mark.lam@apple.com>
2789
2790         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2791         https://bugs.webkit.org/show_bug.cgi?id=119532.
2792
2793         Reviewed by Oliver Hunt.
2794
2795         * parser/Parser.cpp:
2796         (JSC::::Parser):
2797         - Just need to initialize the Parser's JSTokenLocation's initial line and
2798           startOffset as well during Parser construction.
2799
2800 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2801
2802         Update Order Files for Safari
2803         <rdar://problem/14517392>
2804
2805         Unreviewed.
2806
2807         * JavaScriptCore.order:
2808
2809 2013-08-04  Sam Weinig  <sam@webkit.org>
2810
2811         Remove support for HTML5 MicroData
2812         https://bugs.webkit.org/show_bug.cgi?id=119480
2813
2814         Reviewed by Anders Carlsson.
2815
2816         * Configurations/FeatureDefines.xcconfig:
2817
2818 2013-08-05  Oliver Hunt  <oliver@apple.com>
2819
2820         Delay Arguments creation in strict mode
2821         https://bugs.webkit.org/show_bug.cgi?id=119505
2822
2823         Reviewed by Geoffrey Garen.
2824
2825         Make use of the write tracking performed by the parser to
2826         allow us to know if we're modifying the parameters to a function.
2827         Then use that information to make strict mode functions opt out
2828         of eager arguments creation.
2829
2830         * bytecompiler/BytecodeGenerator.cpp:
2831         (JSC::BytecodeGenerator::BytecodeGenerator):
2832         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2833         (JSC::BytecodeGenerator::emitReturn):
2834         * bytecompiler/BytecodeGenerator.h:
2835         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2836         * parser/Nodes.h:
2837         (JSC::ScopeNode::modifiesParameter):
2838         * parser/Parser.cpp:
2839         (JSC::::parseInner):
2840         * parser/Parser.h:
2841         (JSC::Scope::declareParameter):
2842         (JSC::Scope::getCapturedVariables):
2843         (JSC::Parser::declareWrite):
2844         * parser/ParserModes.h:
2845
2846 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2847
2848         Remove useless code from COMPILER(RVCT) JITStubs
2849         https://bugs.webkit.org/show_bug.cgi?id=119521
2850
2851         Reviewed by Geoffrey Garen.
2852
2853         * jit/JITStubsARMv7.h:
2854         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2855         (JSC::ctiOpThrowNotCaught): Ditto.
2856
2857 2013-07-23  David Farler  <dfarler@apple.com>
2858
2859         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2860         https://bugs.webkit.org/show_bug.cgi?id=117762
2861
2862         Reviewed by Mark Rowe.
2863
2864         * Configurations/DebugRelease.xcconfig:
2865         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2866         * Configurations/JavaScriptCore.xcconfig:
2867         Add ASAN_OTHER_LDFLAGS.
2868         * Configurations/ToolExecutable.xcconfig:
2869         Don't use ASAN for build tools.
2870
2871 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2872
2873         Build fix for ARM MSVC after r153222 and r153648.
2874
2875         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2876
2877 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2878
2879         Build fix for ARM MSVC after r150109.
2880
2881         Read the stub template from a header file instead of JITStubs.cpp.
2882
2883         * CMakeLists.txt:
2884         * DerivedSources.pri:
2885         * create_jit_stubs:
2886
2887 2013-08-05  Oliver Hunt  <oliver@apple.com>
2888
2889         Move TypedArray implementation into JSC
2890         https://bugs.webkit.org/show_bug.cgi?id=119489
2891
2892         Reviewed by Filip Pizlo.
2893
2894         Move TypedArray implementation into JSC in advance of re-implementation.
2895
2896         * GNUmakefile.list.am:
2897         * JSCTypedArrayStubs.h:
2898         * JavaScriptCore.xcodeproj/project.pbxproj:
2899         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2900         (JSC::ArrayBuffer::transfer):
2901         (JSC::ArrayBuffer::addView):
2902         (JSC::ArrayBuffer::removeView):
2903         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2904         (JSC::ArrayBufferContents::ArrayBufferContents):
2905         (JSC::ArrayBufferContents::data):
2906         (JSC::ArrayBufferContents::sizeInBytes):
2907         (JSC::ArrayBufferContents::transfer):
2908         (JSC::ArrayBufferContents::copyTo):
2909         (JSC::ArrayBuffer::isNeutered):
2910         (JSC::ArrayBuffer::~ArrayBuffer):
2911         (JSC::ArrayBuffer::clampValue):
2912         (JSC::ArrayBuffer::create):
2913         (JSC::ArrayBuffer::createUninitialized):
2914         (JSC::ArrayBuffer::ArrayBuffer):
2915         (JSC::ArrayBuffer::data):
2916         (JSC::ArrayBuffer::byteLength):
2917         (JSC::ArrayBuffer::slice):
2918         (JSC::ArrayBuffer::sliceImpl):
2919         (JSC::ArrayBuffer::clampIndex):
2920         (JSC::ArrayBufferContents::tryAllocate):
2921         (JSC::ArrayBufferContents::~ArrayBufferContents):
2922         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2923         (JSC::ArrayBufferView::ArrayBufferView):
2924         (JSC::ArrayBufferView::~ArrayBufferView):
2925         (JSC::ArrayBufferView::neuter):
2926         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2927         (JSC::ArrayBufferView::buffer):
2928         (JSC::ArrayBufferView::baseAddress):
2929         (JSC::ArrayBufferView::byteOffset):
2930         (JSC::ArrayBufferView::setNeuterable):
2931         (JSC::ArrayBufferView::isNeuterable):
2932         (JSC::ArrayBufferView::verifySubRange):
2933         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2934         (JSC::ArrayBufferView::setImpl):
2935         (JSC::ArrayBufferView::setRangeImpl):
2936         (JSC::ArrayBufferView::zeroRangeImpl):
2937         (JSC::ArrayBufferView::calculateOffsetAndLength):
2938         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2939         (JSC::Float32Array::set):
2940         (JSC::Float32Array::getType):
2941         (JSC::Float32Array::create):
2942         (JSC::Float32Array::createUninitialized):
2943         (JSC::Float32Array::Float32Array):
2944         (JSC::Float32Array::subarray):
2945         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2946         (JSC::Float64Array::set):
2947         (JSC::Float64Array::getType):
2948         (JSC::Float64Array::create):
2949         (JSC::Float64Array::createUninitialized):
2950         (JSC::Float64Array::Float64Array):
2951         (JSC::Float64Array::subarray):
2952         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2953         (JSC::Int16Array::getType):
2954         (JSC::Int16Array::create):
2955         (JSC::Int16Array::createUninitialized):
2956         (JSC::Int16Array::Int16Array):
2957         (JSC::Int16Array::subarray):
2958         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2959         (JSC::Int32Array::getType):
2960         (JSC::Int32Array::create):
2961         (JSC::Int32Array::createUninitialized):
2962         (JSC::Int32Array::Int32Array):
2963         (JSC::Int32Array::subarray):
2964         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2965         (JSC::Int8Array::getType):
2966         (JSC::Int8Array::create):
2967         (JSC::Int8Array::createUninitialized):
2968         (JSC::Int8Array::Int8Array):
2969         (JSC::Int8Array::subarray):
2970         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2971         (JSC::IntegralTypedArrayBase::set):
2972         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2973         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2974         (JSC::TypedArrayBase::data):
2975         (JSC::TypedArrayBase::set):
2976         (JSC::TypedArrayBase::setRange):
2977         (JSC::TypedArrayBase::zeroRange):
2978         (JSC::TypedArrayBase::length):
2979         (JSC::TypedArrayBase::byteLength):
2980         (JSC::TypedArrayBase::item):
2981         (JSC::TypedArrayBase::checkInboundData):
2982         (JSC::TypedArrayBase::TypedArrayBase):
2983         (JSC::TypedArrayBase::create):
2984         (JSC::TypedArrayBase::createUninitialized):
2985         (JSC::TypedArrayBase::subarrayImpl):
2986         (JSC::TypedArrayBase::neuter):
2987         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2988         (JSC::Uint16Array::getType):
2989         (JSC::Uint16Array::create):
2990         (JSC::Uint16Array::createUninitialized):
2991         (JSC::Uint16Array::Uint16Array):
2992         (JSC::Uint16Array::subarray):
2993         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2994         (JSC::Uint32Array::getType):
2995         (JSC::Uint32Array::create):
2996         (JSC::Uint32Array::createUninitialized):
2997         (JSC::Uint32Array::Uint32Array):
2998         (JSC::Uint32Array::subarray):
2999         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
3000         (JSC::Uint8Array::getType):
3001         (JSC::Uint8Array::create):
3002         (JSC::Uint8Array::createUninitialized):
3003         (JSC::Uint8Array::Uint8Array):
3004         (JSC::Uint8Array::subarray):
3005         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
3006         (JSC::Uint8ClampedArray::getType):
3007         (JSC::Uint8ClampedArray::create):
3008         (JSC::Uint8ClampedArray::createUninitialized):
3009         (JSC::Uint8ClampedArray::zeroFill):
3010         (JSC::Uint8ClampedArray::set):
3011         (JSC::Uint8ClampedArray::Uint8ClampedArray):
3012         (JSC::Uint8ClampedArray::subarray):
3013         * runtime/VM.h:
3014
3015 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
3016
3017         Copied space should be able to handle more than one copied backing store per JSCell
3018         https://bugs.webkit.org/show_bug.cgi?id=119471
3019
3020         Reviewed by Mark Hahnenberg.
3021         
3022         This allows a cell to call copyLater() multiple times for multiple different
3023         backing stores, and then have copyBackingStore() called exactly once for each
3024         of those. A token tells it which backing store to copy. All backing stores
3025         must be named using the CopyToken, an enumeration which currently cannot
3026         exceed eight entries.
3027         
3028         When copyBackingStore() is called, it's up to the callee to (a) use the token
3029         to decide what to copy and (b) call its base class's copyBackingStore() in
3030         case the base class had something that needed copying. The only exception is
3031         that JSCell never asks anything to be copied, and so if your base is JSCell
3032         then you don't have to do anything.
3033
3034         * GNUmakefile.list.am:
3035         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3036         * JavaScriptCore.xcodeproj/project.pbxproj:
3037         * heap/CopiedBlock.h:
3038         * heap/CopiedBlockInlines.h:
3039         (JSC::CopiedBlock::reportLiveBytes):
3040         * heap/CopyToken.h: Added.
3041         * heap/CopyVisitor.cpp:
3042         (JSC::CopyVisitor::copyFromShared):
3043         * heap/CopyVisitor.h:
3044         * heap/CopyVisitorInlines.h:
3045         (JSC::CopyVisitor::visitItem):
3046         * heap/CopyWorkList.h:
3047         (JSC::CopyWorklistItem::CopyWorklistItem):
3048         (JSC::CopyWorklistItem::cell):
3049         (JSC::CopyWorklistItem::token):
3050         (JSC::CopyWorkListSegment::get):
3051         (JSC::CopyWorkListSegment::append):
3052         (JSC::CopyWorkListSegment::data):
3053         (JSC::CopyWorkListIterator::get):
3054         (JSC::CopyWorkListIterator::operator*):
3055         (JSC::CopyWorkListIterator::operator->):
3056         (JSC::CopyWorkList::append):
3057         * heap/SlotVisitor.h:
3058         * heap/SlotVisitorInlines.h:
3059         (JSC::SlotVisitor::copyLater):
3060         * runtime/ClassInfo.h:
3061         * runtime/JSCell.cpp:
3062         (JSC::JSCell::copyBackingStore):
3063         * runtime/JSCell.h:
3064         * runtime/JSObject.cpp:
3065         (JSC::JSObject::visitButterfly):
3066         (JSC::JSObject::copyBackingStore):
3067         * runtime/JSObject.h:
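
The copyLater()/copyBackingStore() contract described in this entry, modelled as an added example (not JavaScriptCore code): CopyVisitor, JSCell and JSObject below are toy stand-ins for the real classes, the two CopyToken names are made up, and ForgetsToChain shows what happens when a subclass skips rule (b) and never calls its base class.

```cpp
// Toy model of the copyLater()/copyBackingStore() contract described above.
// Added example, not JavaScriptCore code: CopyVisitor, JSCell and JSObject are
// minimal stand-ins, and the two token names are constructed for illustration.
#include <cstddef>
#include <cstdint>
#include <vector>

// Every backing store a cell may own is named by a CopyToken. The entry says the
// enumeration currently cannot exceed eight entries; the static_assert enforces it.
enum CopyToken : uint8_t { ButterflyCopyToken, TypedArrayVectorCopyToken, NumberOfCopyTokens };
static_assert(NumberOfCopyTokens <= 8, "CopyToken is limited to eight entries");
struct JSCell;
// Stand-in for the collector's visitor: copyLater() queues one (cell, token) work
// item; drain() later calls copyBackingStore() exactly once per queued item.
struct CopyVisitor {
    struct Item { JSCell* cell; CopyToken token; };
    std::vector<Item> workList;
    size_t handled = 0;    // items some class in the hierarchy claimed and copied
    size_t unhandled = 0;  // items that fell through to JSCell unclaimed
    size_t bytesCopied = 0;
    bool itemHandled = false;
    void copyLater(JSCell* cell, CopyToken token) { workList.push_back({cell, token}); }
    void didCopy(size_t bytes) { itemHandled = true; bytesCopied += bytes; } // called by the cell
    void drain();
};

struct JSCell {
    virtual ~JSCell() = default;
    virtual void visitChildren(CopyVisitor&) {}
    // JSCell never asks for anything to be copied, so a token that reaches this
    // point was claimed by no class between the concrete type and JSCell.
    virtual void copyBackingStore(CopyVisitor&, CopyToken) {}
};

void CopyVisitor::drain() {
    for (const Item& item : workList) {
        itemHandled = false;
        item.cell->copyBackingStore(*this, item.token);
        if (itemHandled) handled++; else unhandled++;
    }
    workList.clear();
}

// Base object with one copied backing store (its butterfly).
struct JSObject : JSCell {
    std::vector<uint64_t> butterfly;
    void visitChildren(CopyVisitor& v) override { if (!butterfly.empty()) v.copyLater(this, ButterflyCopyToken); }
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == ButterflyCopyToken) {                    // (a) dispatch on the token
            std::vector<uint64_t>(butterfly).swap(butterfly); // relocate into fresh storage
            v.didCopy(butterfly.size() * sizeof(uint64_t));
            return;
        }
        JSCell::copyBackingStore(v, token);                   // (b) base copies its own stores
    }
};

// Subclass adding a second store; tokens it does not own are passed on to JSObject.
struct TypedArrayLike : JSObject {
    std::vector<uint8_t> vector;
    void visitChildren(CopyVisitor& v) override { JSObject::visitChildren(v); if (!vector.empty()) v.copyLater(this, TypedArrayVectorCopyToken); }
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == TypedArrayVectorCopyToken) {
            std::vector<uint8_t>(vector).swap(vector);
            v.didCopy(vector.size());
            return;
        }
        JSObject::copyBackingStore(v, token);
    }
};

// The failure mode rule (b) guards against: a subclass that copies its own store
// but never chains to its base, so the butterfly token is silently dropped.
struct ForgetsToChain : TypedArrayLike {
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == TypedArrayVectorCopyToken) { v.didCopy(vector.size()); return; }
        // Missing: TypedArrayLike::copyBackingStore(v, token);
    }
};

// One copying cycle over a single cell: visit (queue tokens), then drain.
CopyVisitor copyCycle(JSCell& cell) {
    CopyVisitor v; cell.visitChildren(v); v.drain(); return v;
}
```

With a 4-word butterfly and a 16-byte vector, the well-behaved cell reports two handled tokens and 48 bytes copied, while ForgetsToChain reports one handled and one unhandled token.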
3068
3069 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
3070
3071         [Automake] Define ENABLE_JIT through the Autoconf header
3072         https://bugs.webkit.org/show_bug.cgi?id=119445
3073
3074         Reviewed by Martin Robinson.
3075
3076         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
3077
3078 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
3079
3080         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
3081         https://bugs.webkit.org/show_bug.cgi?id=119470
3082
3083         Reviewed by Oliver Hunt.
3084         
3085         Structure can still tell you if the object "could" (in the conservative sense)
3086         have an indexing header; that's used by the compiler.
3087         
3088         Most of the time if you want to know if there's an indexing header, you ask the
3089         JSObject.
3090         
3091         In some cases, the JSObject wants to know if it would have an indexing header if
3092         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
3093
3094         * dfg/DFGRepatch.cpp:
3095         (JSC::DFG::tryCachePutByID):
3096         (JSC::DFG::tryBuildPutByIdList):
3097         * dfg/DFGSpeculativeJIT.cpp:
3098         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3099         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3100         * runtime/ButterflyInlines.h:
3101         (JSC::Butterfly::create):
3102         (JSC::Butterfly::growPropertyStorage):
3103         (JSC::Butterfly::growArrayRight):
3104         (JSC::Butterfly::resizeArray):
3105         * runtime/JSObject.cpp:
3106         (JSC::JSObject::copyButterfly):
3107         (JSC::JSObject::visitButterfly):
3108         * runtime/JSObject.h:
3109         (JSC::JSObject::hasIndexingHeader):
3110         (JSC::JSObject::setButterfly):
3111         * runtime/Structure.h:
3112         (JSC::Structure::couldHaveIndexingHeader):
3113         (JSC::Structure::hasIndexingHeader):
3114
3115 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3116
3117         Give the error object's stack property accessor attributes.
3118         https://bugs.webkit.org/show_bug.cgi?id=119404
3119
3120         Reviewed by Geoffrey Garen.
3121         
3122         Changed the attributes of error object's stack property to allow developers to write
3123         and delete the stack property. This will match the functionality of Chrome. Firefox  
3124         allows developers to write the error's stack, but not delete it. 
3125
3126         * interpreter/Interpreter.cpp:
3127         (JSC::Interpreter::addStackTraceIfNecessary):
3128         * runtime/ErrorInstance.cpp:
3129         (JSC::ErrorInstance::finishCreation):
3130
3131 2013-08-02  Oliver Hunt  <oliver@apple.com>
3132
3133         Incorrect type speculation reported by ToPrimitive
3134         https://bugs.webkit.org/show_bug.cgi?id=119458
3135
3136         Reviewed by Mark Hahnenberg.
3137
3138         Make sure that we report the correct type possibilities for the output
3139         from ToPrimitive.
3140
3141         * dfg/DFGAbstractInterpreterInlines.h:
3142         (JSC::DFG::::executeEffects):
3143
3144 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
3145
3146         Remove no-arguments constructor to PropertySlot
3147         https://bugs.webkit.org/show_bug.cgi?id=119460
3148
3149         Reviewed by Geoff Garen.
3150
3151         This constructor was unsafe if getValue is subsequently called,
3152         and the property is a getter. Simplest to just remove it.
3153
3154         * runtime/Arguments.cpp:
3155         (JSC::Arguments::defineOwnProperty):
3156         * runtime/JSActivation.cpp:
3157         (JSC::JSActivation::getOwnPropertyDescriptor):
3158         * runtime/JSFunction.cpp:
3159         (JSC::JSFunction::getOwnPropertyDescriptor):
3160         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3161         (JSC::JSFunction::put):
3162         (JSC::JSFunction::defineOwnProperty):
3163         * runtime/JSGlobalObject.cpp:
3164         (JSC::JSGlobalObject::defineOwnProperty):
3165         * runtime/JSGlobalObject.h:
3166         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
3167         * runtime/JSNameScope.cpp:
3168         (JSC::JSNameScope::put):
3169         * runtime/JSONObject.cpp:
3170         (JSC::Stringifier::Holder::appendNextProperty):
3171         (JSC::Walker::walk):
3172         * runtime/JSObject.cpp:
3173         (JSC::JSObject::hasProperty):
3174         (JSC::JSObject::hasOwnProperty):
3175         (JSC::JSObject::reifyStaticFunctionsForDelete):
3176         * runtime/Lookup.h:
3177         (JSC::getStaticPropertyDescriptor):
3178         (JSC::getStaticFunctionDescriptor):
3179         (JSC::getStaticValueDescriptor):
3180         * runtime/ObjectConstructor.cpp:
3181         (JSC::defineProperties):
3182         * runtime/PropertySlot.h:
3183
3184 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3185
3186         DFG validation can cause assertion failures due to dumping
3187         https://bugs.webkit.org/show_bug.cgi?id=119456
3188
3189         Reviewed by Geoffrey Garen.
3190
3191         * bytecode/CodeBlock.cpp:
3192         (JSC::CodeBlock::hasHash):
3193         (JSC::CodeBlock::isSafeToComputeHash):
3194         (JSC::CodeBlock::hash):
3195         (JSC::CodeBlock::dumpAssumingJITType):
3196         * bytecode/CodeBlock.h:
3197
3198 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3199
3200         Have vm's exceptionStack match java's vm's exceptionStack.
3201         https://bugs.webkit.org/show_bug.cgi?id=119362
3202
3203         Reviewed by Geoffrey Garen.
3204         
3205         The error object's stack is only updated if it does not exist yet. This matches 
3206         the functionality of other browsers, and Java VMs. 
3207
3208         * interpreter/Interpreter.cpp:
3209         (JSC::Interpreter::addStackTraceIfNecessary):
3210         (JSC::Interpreter::throwException):
3211         * runtime/VM.cpp:
3212         (JSC::VM::clearExceptionStack):
3213         * runtime/VM.h:
3214         (JSC::VM::lastExceptionStack):
3215
3216 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3217
3218         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
3219         https://bugs.webkit.org/show_bug.cgi?id=119447
3220
3221         Reviewed by Geoffrey Garen.
3222
3223         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
3224         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
3225         r153583 (sh4) and r153648 (ARM).
3226
3227         * jit/JITStubsMIPS.h:
3228
3229 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
3230
3231         hasIndexingHeader should be a property of the Structure, not just the IndexingType
3232         https://bugs.webkit.org/show_bug.cgi?id=119422
3233
3234         Reviewed by Oliver Hunt.
3235         
3236         This simplifies some code and also allows Structure to claim that an object
3237         has an indexing header even if it doesn't have indexed properties.
3238         
3239         I also changed some calls to use hasIndexedProperties() since in some cases,
3240         that's what we actually meant. Currently the two are synonyms.
3241
3242         * dfg/DFGRepatch.cpp:
3243         (JSC::DFG::tryCachePutByID):
3244         (JSC::DFG::tryBuildPutByIdList):
3245         * dfg/DFGSpeculativeJIT.cpp:
3246         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3247         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3248         * runtime/ButterflyInlines.h:
3249         (JSC::Butterfly::create):
3250         (JSC::Butterfly::growPropertyStorage):
3251         (JSC::Butterfly::growArrayRight):
3252         (JSC::Butterfly::resizeArray):
3253         * runtime/IndexingType.h:
3254         * runtime/JSObject.cpp:
3255         (JSC::JSObject::copyButterfly):
3256         (JSC::JSObject::visitButterfly):
3257         (JSC::JSObject::setPrototype):
3258         * runtime/JSObject.h:
3259         (JSC::JSObject::setButterfly):
3260         * runtime/JSPropertyNameIterator.cpp:
3261         (JSC::JSPropertyNameIterator::create):
3262         * runtime/Structure.h:
3263         (JSC::Structure::hasIndexingHeader):
3264
3265 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3266
3267         REGRESSION: ARM still crashes after change set r153612.
3268         https://bugs.webkit.org/show_bug.cgi?id=119433
3269
3270         Reviewed by Michael Saboff.
3271
3272         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
3273         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
3274         for sh4 architecture.
3275
3276         * jit/JITStubsARM.h:
3277         * jit/JITStubsARMv7.h:
3278
3279 2013-08-02  Michael Saboff  <msaboff@apple.com>
3280
3281         REGRESSION(r153612): It made jsc and layout tests crash
3282         https://bugs.webkit.org/show_bug.cgi?id=119440
3283
3284         Reviewed by Csaba Osztrogonác.
3285
3286         Made the changes in changeset r153612 only apply to 32 bit builds.
3287
3288         * jit/JITExceptions.cpp:
3289         * jit/JITExceptions.h:
3290         * jit/JITStubs.cpp:
3291         (JSC::cti_vm_throw_slowpath):
3292         * jit/JITStubs.h:
3293
3294 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
3295
3296         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
3297
3298         * CMakeLists.txt:
3299
3300 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
3301
3302         [Forms: color] <input type='color'> popover color well implementation
3303         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
3304
3305         Reviewed by Benjamin Poulain.
3306
3307         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
3308
3309 2013-08-01  Oliver Hunt  <oliver@apple.com>
3310
3311         DFG is not enforcing correct ordering of ToString conversion in MakeRope
3312         https://bugs.webkit.org/show_bug.cgi?id=119408
3313
3314         Reviewed by Filip Pizlo.
3315
3316         Construct ToString and Phantom nodes in advance of MakeRope
3317         nodes to ensure that ordering is ensured, and correct values
3318         will be reified on OSR exit.
3319
3320         * dfg/DFGByteCodeParser.cpp:
3321         (JSC::DFG::ByteCodeParser::parseBlock):
3322
3323 2013-08-01  Michael Saboff  <msaboff@apple.com>
3324
3325         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
3326         https://bugs.webkit.org/show_bug.cgi?id=119140
3327
3328         Reviewed by Filip Pizlo.
3329
3330         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
3331
3332         * jit/JITExceptions.cpp:
3333         (JSC::encode):
3334         * jit/JITExceptions.h:
3335         * jit/JITStubs.cpp:
3336         (JSC::cti_vm_throw_slowpath):
3337         * jit/JITStubs.h:
3338
3339 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
3340
3341         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
3342         https://bugs.webkit.org/show_bug.cgi?id=119391
3343
3344         Reviewed by Csaba Osztrogonác.
3345
3346         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
3347             - Call frame is in r14 register.
3348             - Do not restore registers from JIT stack frame here.
3349
3350 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3351
3352         More cleanup in PropertySlot
3353         https://bugs.webkit.org/show_bug.cgi?id=119359
3354
3355         Reviewed by Geoff Garen.
3356
3357         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
3358         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
3359
3360         * dfg/DFGRepatch.cpp:
3361         (JSC::DFG::tryCacheGetByID):
3362         (JSC::DFG::tryBuildGetByIDList):
3363             - No need to ASSERT slotBase is an object.
3364         * jit/JITStubs.cpp:
3365         (JSC::tryCacheGetByID):
3366         (JSC::DEFINE_STUB_FUNCTION):
3367             - No need to ASSERT slotBase is an object.
3368         * runtime/JSObject.cpp:
3369         (JSC::JSObject::getOwnPropertySlotByIndex):
3370         (JSC::JSObject::fillGetterPropertySlot):
3371             - Pass an object through to setGetterSlot.
3372         * runtime/JSObject.h:
3373         (JSC::PropertySlot::getValue):
3374             - Moved from PropertySlot (need to know about JSObject).
3375         * runtime/PropertySlot.cpp:
3376         (JSC::PropertySlot::functionGetter):
3377             - Update per member name changes.
3378         * runtime/PropertySlot.h:
3379         (JSC::PropertySlot::PropertySlot):
3380             - Argument to constructor set to 'thisValue'.
3381         (JSC::PropertySlot::slotBase):
3382             - This returns a JSObject*.
3383         (JSC::PropertySlot::setValue):
3384         (JSC::PropertySlot::setCustom):
3385         (JSC::PropertySlot::setCacheableCustom):
3386         (JSC::PropertySlot::setCustomIndex):
3387         (JSC::PropertySlot::setGetterSlot):
3388         (JSC::PropertySlot::setCacheableGetterSlot):
3389             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
3390         * runtime/SparseArrayValueMap.cpp:
3391         (JSC::SparseArrayEntry::get):
3392             - Pass an object through to setGetterSlot.
3393         * runtime/SparseArrayValueMap.h:
3394             - Pass an object through to setGetterSlot.
3395
3396 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
3397
3398         Reduce JSC API static value setter/getter overhead.
3399         https://bugs.webkit.org/show_bug.cgi?id=119277
3400
3401         Reviewed by Geoffrey Garen.
3402
3403         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
3404         need to get called every time the static value is set or retrieved.
3405
3406         * API/JSCallbackObjectFunctions.h:
3407         (JSC::::put):
3408         (JSC::::putByIndex):
3409         (JSC::::getStaticValue):
3410         * API/JSClassRef.cpp:
3411         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3412         * API/JSClassRef.h:
3413         (StaticValueEntry::StaticValueEntry):
3414
3415 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
3416