Refactor ShadowRoot exception handling
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-01-29  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
        https://bugs.webkit.org/show_bug.cgi?id=108097

        Reviewed by Geoffrey Garen.

        LiteralParser was accepting a bogus 'var a.b = c' statement

        * runtime/LiteralParser.cpp:
        (JSC::::tryJSONPParse):

2013-01-29  Oliver Hunt  <oliver@apple.com>

        Force debug builds to do bounds checks on contiguous property storage
        https://bugs.webkit.org/show_bug.cgi?id=108212

        Reviewed by Mark Hahnenberg.

        Add a ContiguousData type that we use to represent contiguous property
        storage.  In release builds it is simply a pointer to the correct type,
        but in debug builds it also carries the data length and performs bounds
        checks.  This means we don't have to add as many manual bounds assertions
        when performing operations over contiguous data.

        * dfg/DFGOperations.cpp:
        * runtime/ArrayStorage.h:
        (ArrayStorage):
        (JSC::ArrayStorage::vector):
        * runtime/Butterfly.h:
        (JSC::ContiguousData::ContiguousData):
        (ContiguousData):
        (JSC::ContiguousData::operator[]):
        (JSC::ContiguousData::data):
        (JSC::ContiguousData::length):
        (JSC):
        (JSC::Butterfly::contiguousInt32):
        (Butterfly):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::contiguous):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortNumericVector):
        (ContiguousTypeAccessor):
        (JSC::ContiguousTypeAccessor::getAsValue):
        (JSC::ContiguousTypeAccessor::setWithValue):
        (JSC::ContiguousTypeAccessor::replaceDataReference):
        (JSC):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:
        (JSArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSObject):
        (JSC::JSObject::indexingData):
        (JSC::JSObject::currentIndexingData):

2013-01-29  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Unreviewed build fix after r141050

        * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
        to match JavaScriptCore.vcproj version.

2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Implement GCActivityCallback
        https://bugs.webkit.org/show_bug.cgi?id=103998

        Reviewed by Simon Hausmann.

        Implements the activity triggered garbage collector.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::scheduleTimer):
        (JSC::DefaultGCActivityCallback::cancelTimer):
        * runtime/GCActivityCallback.h:
        (GCActivityCallback):
        (DefaultGCActivityCallback):

2013-01-29  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>

        Compilation warning in JSC
        https://bugs.webkit.org/show_bug.cgi?id=108178

        Reviewed by Kentaro Hara.

        Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):

2013-01-29  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>

        [Qt] Fix the JSC build on Mac

        Unreviewed, build fix.

        * heap/HeapTimer.h:
        Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.

2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Implement IncrementalSweeper and HeapTimer
        https://bugs.webkit.org/show_bug.cgi?id=103996

        Reviewed by Simon Hausmann.

        Implements the incremental sweeping garbage collection for the Qt platform.

        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::HeapTimer):
        (JSC::HeapTimer::~HeapTimer):
        (JSC::HeapTimer::timerEvent):
        (JSC::HeapTimer::synchronize):
        (JSC::HeapTimer::invalidate):
        (JSC::HeapTimer::didStartVMShutdown):
        * heap/HeapTimer.h:
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::scheduleTimer):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):

2013-01-28  Filip Pizlo  <fpizlo@apple.com>

        DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
        https://bugs.webkit.org/show_bug.cgi?id=106868

        Reviewed by Oliver Hunt.

        This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
        uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
        for debugging (Node::index(), which is not guaranteed to be O(1)).

        1% speed-up on SunSpider, presumably because this improves compile times.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::booleanResult):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (DFG):
        (JSC::DFG::AbstractState::forNode):
        (AbstractState):
        (JSC::DFG::AbstractState::speculateInt32Unary):
        (JSC::DFG::AbstractState::speculateNumberUnary):
        (JSC::DFG::AbstractState::speculateBooleanUnary):
        (JSC::DFG::AbstractState::speculateInt32Binary):
        (JSC::DFG::AbstractState::speculateNumberBinary):
        (JSC::DFG::AbstractState::trySetConstant):
        * dfg/DFGAbstractValue.h:
        (AbstractValue):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::AdjacencyList):
        (JSC::DFG::AdjacencyList::initialize):
        * dfg/DFGAllocator.h: Added.
        (DFG):
        (Allocator):
        (JSC::DFG::Allocator::Region::size):
        (JSC::DFG::Allocator::Region::headerSize):
        (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
        (JSC::DFG::Allocator::Region::data):
        (JSC::DFG::Allocator::Region::isInThisRegion):
        (JSC::DFG::Allocator::Region::regionFor):
        (Region):
        (JSC::DFG::::Allocator):
        (JSC::DFG::::~Allocator):
        (JSC::DFG::::allocate):
        (JSC::DFG::::free):
        (JSC::DFG::::freeAll):
        (JSC::DFG::::reset):
        (JSC::DFG::::indexOf):
        (JSC::DFG::::allocatorOf):
        (JSC::DFG::::bumpAllocate):
        (JSC::DFG::::freeListAllocate):
        (JSC::DFG::::allocateSlow):
        (JSC::DFG::::freeRegionsStartingAt):
        (JSC::DFG::::startBumpingIn):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
        (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGArrayMode.h:
        (ArrayMode):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::node):
        (JSC::DFG::BasicBlock::isInPhis):
        (JSC::DFG::BasicBlock::isInBlock):
        (BasicBlock):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::setPair):
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::getToInt32):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::getCallee):
        (JSC::DFG::ByteCodeParser::getThis):
        (JSC::DFG::ByteCodeParser::setThis):
        (JSC::DFG::ByteCodeParser::isJSConstant):
        (JSC::DFG::ByteCodeParser::isInt32Constant):
        (JSC::DFG::ByteCodeParser::valueOfJSConstant):
        (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
        (ConstantRecord):
        (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
        (PhiStackEntry):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::setIntrinsicResult):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        (JSC::DFG::CFGSimplificationPhase::fixPhis):
        (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
        (OperandSubstitution):
        (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
        (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
        (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::weakConstantCSE):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::globalVarStoreElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkExecutableElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performSubstitution):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (CSEPhase):
        * dfg/DFGCommon.cpp: Added.
        (DFG):
        (JSC::DFG::NodePointerTraits::dump):
        * dfg/DFGCommon.h:
        (DFG):
        (JSC::DFG::NodePointerTraits::defaultValue):
        (NodePointerTraits):
        (JSC::DFG::verboseCompilationEnabled):
        (JSC::DFG::shouldDumpGraphAtEachPhase):
        (JSC::DFG::validationEnabled):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        (JSC::DFG::Disassembler::createDumpList):
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDisassembler.h:
        (JSC::DFG::Disassembler::setForNode):
        (Disassembler):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGEdge.cpp: Added.
        (DFG):
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::node):
        (JSC::DFG::Edge::operator*):
        (JSC::DFG::Edge::operator->):
        (Edge):
        (JSC::DFG::Edge::setNode):
        (JSC::DFG::Edge::useKind):
        (JSC::DFG::Edge::setUseKind):
        (JSC::DFG::Edge::isSet):
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):
        (JSC::DFG::operator==):
        (JSC::DFG::operator!=):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (FixupPhase):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::GenerationInfo):
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (GenerationInfo):
        (JSC::DFG::GenerationInfo::node):
        (JSC::DFG::GenerationInfo::noticeOSRBirth):
        (JSC::DFG::GenerationInfo::use):
        (JSC::DFG::GenerationInfo::appendFill):
        (JSC::DFG::GenerationInfo::appendSpill):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::~Graph):
        (DFG):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::amountOfNodeWhiteSpace):
        (JSC::DFG::Graph::printNodeWhiteSpace):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::refChildren):
        (JSC::DFG::Graph::derefChildren):
        (JSC::DFG::Graph::predictArgumentTypes):
        (JSC::DFG::Graph::collectGarbage):
        (JSC::DFG::Graph::determineReachability):
        (JSC::DFG::Graph::resetExitStates):
        * dfg/DFGGraph.h:
        (Graph):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::changeChild):
        (JSC::DFG::Graph::compareAndSwap):
        (JSC::DFG::Graph::clearAndDerefChild):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        (JSC::DFG::Graph::convertToConstant):
        (JSC::DFG::Graph::getJSConstantSpeculation):
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
        (JSC::DFG::Graph::isConstant):
        (JSC::DFG::Graph::isJSConstant):
        (JSC::DFG::Graph::isInt32Constant):
        (JSC::DFG::Graph::isDoubleConstant):
        (JSC::DFG::Graph::isNumberConstant):
        (JSC::DFG::Graph::isBooleanConstant):
        (JSC::DFG::Graph::isCellConstant):
        (JSC::DFG::Graph::isFunctionConstant):
        (JSC::DFG::Graph::isInternalFunctionConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        (JSC::DFG::Graph::valueOfFunctionConstant):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (JSC::DFG::Graph::numSuccessors):
        (JSC::DFG::Graph::successor):
        (JSC::DFG::Graph::successorForCondition):
        (JSC::DFG::Graph::isPredictedNumerical):
        (JSC::DFG::Graph::byValIsPure):
        (JSC::DFG::Graph::clobbersWorld):
        (JSC::DFG::Graph::varArgNumChildren):
        (JSC::DFG::Graph::numChildren):
        (JSC::DFG::Graph::varArgChild):
        (JSC::DFG::Graph::child):
        (JSC::DFG::Graph::voteNode):
        (JSC::DFG::Graph::voteChildren):
        (JSC::DFG::Graph::substitute):
        (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::Insertion::Insertion):
        (JSC::DFG::Insertion::element):
        (Insertion):
        (JSC::DFG::InsertionSet::insert):
        (InsertionSet):
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::setForNode):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGLongLivedState.cpp: Added.
        (DFG):
        (JSC::DFG::LongLivedState::LongLivedState):
        (JSC::DFG::LongLivedState::~LongLivedState):
        (JSC::DFG::LongLivedState::shrinkToFit):
        * dfg/DFGLongLivedState.h: Added.
        (DFG):
        (LongLivedState):
        * dfg/DFGMinifiedID.h:
        (JSC::DFG::MinifiedID::MinifiedID):
        (JSC::DFG::MinifiedID::node):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (MinifiedNode):
        * dfg/DFGNode.cpp: Added.
        (DFG):
        (JSC::DFG::Node::index):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::Node):
        (Node):
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::ref):
        (JSC::DFG::Node::shouldSpeculateInteger):
        (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
        (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateFinalObject):
        (JSC::DFG::Node::shouldSpeculateArray):
        (JSC::DFG::Node::dumpChildren):
        (WTF):
        * dfg/DFGNodeAllocator.h: Added.
        (DFG):
        (operator new ):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        (SpeculationFailureDebugInfo):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.cpp:
        (DFG):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        (Phase):
        (JSC::DFG::runAndLog):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::setPrediction):
        (JSC::DFG::PredictionPropagationPhase::mergePrediction):
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::PredictionPropagationPhase::propagateForward):
        (JSC::DFG::PredictionPropagationPhase::propagateBackward):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::ScoreBoard):
        (JSC::DFG::ScoreBoard::use):
        (JSC::DFG::ScoreBoard::useIfHasResult):
        (ScoreBoard):
        * dfg/DFGSilentRegisterSavePlan.h:
        (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
        (JSC::DFG::SilentRegisterSavePlan::node):
        (SilentRegisterSavePlan):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::generate):
        (SlowPathGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::isStrictInt32):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNumeric):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::isFilled):
        (JSC::DFG::SpeculativeJIT::isFilledDouble):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::isConstant):
        (JSC::DFG::SpeculativeJIT::isJSConstant):
        (JSC::DFG::SpeculativeJIT::isInt32Constant):
        (JSC::DFG::SpeculativeJIT::isDoubleConstant):
        (JSC::DFG::SpeculativeJIT::isNumberConstant):
        (JSC::DFG::SpeculativeJIT::isBooleanConstant):
        (JSC::DFG::SpeculativeJIT::isFunctionConstant):
        (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
        (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
        (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
        (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
        (JSC::DFG::SpeculativeJIT::isNullConstant):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::integerResult):
        (JSC::DFG::SpeculativeJIT::noResult):
        (JSC::DFG::SpeculativeJIT::cellResult):
        (JSC::DFG::SpeculativeJIT::booleanResult):
        (JSC::DFG::SpeculativeJIT::jsValueResult):
        (JSC::DFG::SpeculativeJIT::storageResult):
        (JSC::DFG::SpeculativeJIT::doubleResult):
        (JSC::DFG::SpeculativeJIT::initConstantInfo):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        (JSC::DFG::SpeculativeJIT::setNodeForOperand):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::IntegerOperand::node):
        (JSC::DFG::IntegerOperand::gpr):
        (JSC::DFG::IntegerOperand::use):
        (IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::DoubleOperand::node):
        (JSC::DFG::DoubleOperand::fpr):
        (JSC::DFG::DoubleOperand::use):
        (DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::JSValueOperand::node):
        (JSC::DFG::JSValueOperand::gpr):
        (JSC::DFG::JSValueOperand::fill):
        (JSC::DFG::JSValueOperand::use):
        (JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::node):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        (StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::node):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (JSC::DFG::SpeculateIntegerOperand::use):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateStrictInt32Operand::node):
        (JSC::DFG::SpeculateStrictInt32Operand::gpr):
705         (JSC::DFG::SpeculateStrictInt32Operand::use):
706         (SpeculateStrictInt32Operand):
707         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
708         (JSC::DFG::SpeculateDoubleOperand::node):
709         (JSC::DFG::SpeculateDoubleOperand::fpr):
710         (JSC::DFG::SpeculateDoubleOperand::use):
711         (SpeculateDoubleOperand):
712         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
713         (JSC::DFG::SpeculateCellOperand::node):
714         (JSC::DFG::SpeculateCellOperand::gpr):
715         (JSC::DFG::SpeculateCellOperand::use):
716         (SpeculateCellOperand):
717         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
718         (JSC::DFG::SpeculateBooleanOperand::node):
719         (JSC::DFG::SpeculateBooleanOperand::gpr):
720         (JSC::DFG::SpeculateBooleanOperand::use):
721         (SpeculateBooleanOperand):
722         * dfg/DFGSpeculativeJIT32_64.cpp:
723         (JSC::DFG::SpeculativeJIT::fillInteger):
724         (JSC::DFG::SpeculativeJIT::fillDouble):
725         (JSC::DFG::SpeculativeJIT::fillJSValue):
726         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
727         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
728         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
729         (JSC::DFG::SpeculativeJIT::cachedPutById):
730         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
731         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
732         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
733         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
734         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
735         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
736         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
737         (JSC::DFG::SpeculativeJIT::emitCall):
738         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
739         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
740         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
741         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
742         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
743         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
744         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
745         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
746         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
747         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
748         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
749         (JSC::DFG::SpeculativeJIT::compileValueAdd):
750         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
751         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
752         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
753         (JSC::DFG::SpeculativeJIT::emitBranch):
754         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
755         (JSC::DFG::SpeculativeJIT::compile):
756         * dfg/DFGSpeculativeJIT64.cpp:
757         (JSC::DFG::SpeculativeJIT::fillInteger):
758         (JSC::DFG::SpeculativeJIT::fillDouble):
759         (JSC::DFG::SpeculativeJIT::fillJSValue):
760         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
761         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
762         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
763         (JSC::DFG::SpeculativeJIT::cachedPutById):
764         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
765         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
766         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
767         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
768         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
769         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
770         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
771         (JSC::DFG::SpeculativeJIT::emitCall):
772         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
773         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
774         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
775         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
776         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
777         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
778         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
779         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
780         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
781         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
782         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
783         (JSC::DFG::SpeculativeJIT::compileValueAdd):
784         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
785         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
786         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
787         (JSC::DFG::SpeculativeJIT::emitBranch):
788         (JSC::DFG::SpeculativeJIT::compile):
789         * dfg/DFGStructureAbstractValue.h:
790         (StructureAbstractValue):
791         * dfg/DFGStructureCheckHoistingPhase.cpp:
792         (JSC::DFG::StructureCheckHoistingPhase::run):
793         * dfg/DFGValidate.cpp:
794         (DFG):
795         (Validate):
796         (JSC::DFG::Validate::validate):
797         (JSC::DFG::Validate::reportValidationContext):
798         * dfg/DFGValidate.h:
799         * dfg/DFGValueSource.cpp:
800         (JSC::DFG::ValueSource::dump):
801         * dfg/DFGValueSource.h:
802         (JSC::DFG::ValueSource::ValueSource):
803         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
804         (JSC::DFG::VirtualRegisterAllocationPhase::run):
805         * runtime/FunctionExecutableDump.cpp: Added.
806         (JSC):
807         (JSC::FunctionExecutableDump::dump):
808         * runtime/FunctionExecutableDump.h: Added.
809         (JSC):
810         (FunctionExecutableDump):
811         (JSC::FunctionExecutableDump::FunctionExecutableDump):
812         * runtime/JSGlobalData.cpp:
813         (JSC::JSGlobalData::JSGlobalData):
814         * runtime/JSGlobalData.h:
815         (JSC):
816         (DFG):
817         (JSGlobalData):
818         * runtime/Options.h:
819         (JSC):
820
821 2013-01-28  Laszlo Gombos  <l.gombos@samsung.com>
822
823         Collapse testing for a list of PLATFORM() into OS() and USE() tests
824         https://bugs.webkit.org/show_bug.cgi?id=108018
825
826         Reviewed by Eric Seidel.
827
828         No functional change as "OS(DARWIN) && USE(CF)" is equivalent to the
829         following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
830         is not using JavaScriptCore.
831
832         * runtime/DatePrototype.cpp:
833         (JSC):
834
835 2013-01-28  Geoffrey Garen  <ggaren@apple.com>
836
837         Static size inference for JavaScript objects
838         https://bugs.webkit.org/show_bug.cgi?id=108093
839
840         Reviewed by Phil Pizlo.
841
842         * API/JSObjectRef.cpp:
843         * JavaScriptCore.order:
844         * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.
845
846         * bytecode/CodeBlock.cpp:
847         (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
848         have an extra inferredInlineCapacity argument. This is the statically
849         inferred inline capacity, just from analyzing source text. op_new_object
850         also gets a pointer to an allocation profile. (For op_create_this, the
851         profile is in the constructor function.)
852
853         (JSC::CodeBlock::CodeBlock): Link op_new_object.
854
855         (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.
856
857         * bytecode/CodeBlock.h:
858         (CodeBlock): Removed some dead code. Added object allocation profiles.
859
860         * bytecode/Instruction.h:
861         (JSC): New union type, since an instruction operand may point to an
862         object allocation profile now.
863
864         * bytecode/ObjectAllocationProfile.h: Added.
865         (JSC):
866         (ObjectAllocationProfile):
867         (JSC::ObjectAllocationProfile::offsetOfAllocator):
868         (JSC::ObjectAllocationProfile::offsetOfStructure):
869         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
870         (JSC::ObjectAllocationProfile::isNull):
871         (JSC::ObjectAllocationProfile::initialize):
872         (JSC::ObjectAllocationProfile::structure):
873         (JSC::ObjectAllocationProfile::inlineCapacity):
874         (JSC::ObjectAllocationProfile::clear):
875         (JSC::ObjectAllocationProfile::visitAggregate):
876         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
877         for tracking a prediction about object allocation: structure, inline
878         capacity, allocator to use.
879
880         * bytecode/Opcode.h:
881         (JSC):
882         (JSC::padOpcodeName): Updated instruction sizes.
883
884         * bytecode/UnlinkedCodeBlock.cpp:
885         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
886         * bytecode/UnlinkedCodeBlock.h:
887         (JSC):
888         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
889         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
890         (UnlinkedCodeBlock): Unlinked support for allocation profiles.
891
892         * bytecompiler/BytecodeGenerator.cpp:
893         (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
894         end of codegen, since this is our last opportunity.
895
896         (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
897         analyzer to bytecode generation. It tracks initializing assignments and
898         makes a guess about how many will happen.
899
900         (JSC::BytecodeGenerator::newObjectAllocationProfile):
901         (JSC):
902         (JSC::BytecodeGenerator::emitProfiledOpcode):
903         (JSC::BytecodeGenerator::emitMove):
904         (JSC::BytecodeGenerator::emitResolve):
905         (JSC::BytecodeGenerator::emitResolveBase):
906         (JSC::BytecodeGenerator::emitResolveBaseForPut):
907         (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
908         (JSC::BytecodeGenerator::emitResolveWithThis):
909         (JSC::BytecodeGenerator::emitGetById):
910         (JSC::BytecodeGenerator::emitPutById):
911         (JSC::BytecodeGenerator::emitDirectPutById):
912         (JSC::BytecodeGenerator::emitPutGetterSetter):
913         (JSC::BytecodeGenerator::emitGetArgumentByVal):
914         (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
915         analyzer, so it can observe allocations and stores.
916
917         (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
918         function because it was a significant amount of logic, and I wanted to
919         add to it.
920
921         (JSC::BytecodeGenerator::emitNewObject):
922         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
923         (JSC::BytecodeGenerator::emitCall):
924         (JSC::BytecodeGenerator::emitCallVarargs):
925         (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
926         to track their stores, in case a store kills a profiled allocation. Since
927         profiled opcodes are basically the only interesting stores we do, this
928         is a convenient place to notice any store that might kill an allocation.
929
930         * bytecompiler/BytecodeGenerator.h:
931         (BytecodeGenerator): As above.
932
933         * bytecompiler/StaticPropertyAnalysis.h: Added.
934         (JSC):
935         (StaticPropertyAnalysis):
936         (JSC::StaticPropertyAnalysis::create):
937         (JSC::StaticPropertyAnalysis::addPropertyIndex):
938         (JSC::StaticPropertyAnalysis::record):
939         (JSC::StaticPropertyAnalysis::propertyIndexCount):
940         (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
941         class for tracking allocations and stores.
942
943         * bytecompiler/StaticPropertyAnalyzer.h: Added.
944         (StaticPropertyAnalyzer):
945         (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
946         (JSC::StaticPropertyAnalyzer::createThis):
947         (JSC::StaticPropertyAnalyzer::newObject):
948         (JSC::StaticPropertyAnalyzer::putById):
949         (JSC::StaticPropertyAnalyzer::mov):
950         (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
951         and stores and making an inline capacity guess. The heuristics here are
952         intentionally minimal because we don't want this one class to try to
953         re-create something like a DFG or a runtime analysis. If we discover that
954         we need those kinds of analyses, we should just replace this class with
955         something else.
956
957         This class tracks multiple registers that alias the same object -- that
958         happens a lot, when moving locals into temporary registers -- but it
959         doesn't track control flow or multiple objects that alias the same register.
960
961         * dfg/DFGAbstractState.cpp:
962         (JSC::DFG::AbstractState::execute): Updated for rename.
963
964         * dfg/DFGByteCodeParser.cpp:
965         (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
966         allocation profile.
967
968         * dfg/DFGNode.h:
969         (JSC::DFG::Node::hasInlineCapacity):
970         (Node):
971         (JSC::DFG::Node::inlineCapacity):
972         (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
973         inline capacity for an allocation.
974
975         * dfg/DFGNodeType.h:
976         (DFG): Updated for rename.
977
978         * dfg/DFGOperations.cpp: Updated for interface change.
979
980         * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
981         an argument. This is the simplest way, since it's stored as a bytecode operand.
982
983         * dfg/DFGPredictionPropagationPhase.cpp:
984         (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.
985
986         * dfg/DFGRepatch.cpp:
987         (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
988         appears when doing an inline cached load for property number 64 on a 32-bit
989         system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
990         offset of the 64bit JSValue -- but we'll actually issue two loads, one for
991         the payload at that offset, and one for the tag at that offset + 4. We need
992         to ensure that both loads have a compact representation, or we'll corrupt
993         the instruction stream.
994
995         * dfg/DFGSpeculativeJIT.cpp:
996         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
997         * dfg/DFGSpeculativeJIT.h:
998         (JSC::DFG::SpeculativeJIT::callOperation):
999         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1000         (SpeculativeJIT):
1001         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1002         * dfg/DFGSpeculativeJIT32_64.cpp:
1003         (JSC::DFG::SpeculativeJIT::compile):
1004         * dfg/DFGSpeculativeJIT64.cpp:
1005         (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
1006         passing an allocator to our allocation function, and/or passing a Structure
1007         as a register instead of an immediate.
1008
1009         * heap/MarkedAllocator.h:
1010         (DFG):
1011         (MarkedAllocator):
1012         (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
1013         JIT code generation of allocation from an arbitrary allocator.
1014
1015         * jit/JIT.h:
1016         (JSC):
1017         * jit/JITInlines.h:
1018         (JSC):
1019         (JSC::JIT::emitAllocateJSObject):
1020         * jit/JITOpcodes.cpp:
1021         (JSC::JIT::emit_op_new_object):
1022         (JSC::JIT::emitSlow_op_new_object):
1023         (JSC::JIT::emit_op_create_this):
1024         (JSC::JIT::emitSlow_op_create_this):
1025         * jit/JITOpcodes32_64.cpp:
1026         (JSC::JIT::emit_op_new_object):
1027         (JSC::JIT::emitSlow_op_new_object):
1028         (JSC::JIT::emit_op_create_this):
1029         (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.
1030
1031         * jit/JITStubs.cpp:
1032         (JSC::tryCacheGetByID): Fixed the same bug mentioned above.
1033
1034         (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.
1035
1036         * llint/LLIntData.cpp:
1037         (JSC::LLInt::Data::performAssertions): Updated for interface changes.
1038
1039         * llint/LLIntSlowPaths.cpp:
1040         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1041         * llint/LowLevelInterpreter.asm:
1042         * llint/LowLevelInterpreter32_64.asm:
1043         * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.
1044
1045         * profiler/ProfilerBytecode.cpp:
1046         * profiler/ProfilerBytecodes.cpp:
1047         * profiler/ProfilerCompilation.cpp:
1048         * profiler/ProfilerCompiledBytecode.cpp:
1049         * profiler/ProfilerDatabase.cpp:
1050         * profiler/ProfilerOSRExit.cpp:
1051         * profiler/ProfilerOrigin.cpp:
1052         * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
1053         because that's where createEmptyObject() lives now.
1054
1055         * runtime/Executable.h:
1056         (JSC::JSFunction::JSFunction): Updated for rename.
1057
1058         * runtime/JSCellInlines.h:
1059         (JSC::allocateCell): Updated to match the allocator selection code in
1060         the JIT, so it's clearer that both are correct.
1061
1062         * runtime/JSFunction.cpp:
1063         (JSC::JSFunction::JSFunction):
1064         (JSC::JSFunction::createAllocationProfile):
1065         (JSC::JSFunction::visitChildren):
1066         (JSC::JSFunction::getOwnPropertySlot):
1067         (JSC::JSFunction::put):
1068         (JSC::JSFunction::defineOwnProperty):
1069         (JSC::JSFunction::getConstructData):
1070         * runtime/JSFunction.h:
1071         (JSC::JSFunction::offsetOfScopeChain):
1072         (JSC::JSFunction::offsetOfExecutable):
1073         (JSC::JSFunction::offsetOfAllocationProfile):
1074         (JSC::JSFunction::allocationProfile):
1075         (JSFunction):
1076         (JSC::JSFunction::tryGetAllocationProfile):
1077         (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
1078         data member to be an ObjectAllocationProfile, which includes a pointer
1079         to the desired allocator. This simplifies JIT code, since we don't have
1080         to compute the allocator on the fly. I verified by code inspection that
1081         JSFunction is still only 64 bytes.
1082
1083         * runtime/JSGlobalObject.cpp:
1084         (JSC::JSGlobalObject::reset):
1085         (JSC::JSGlobalObject::visitChildren):
1086         * runtime/JSGlobalObject.h:
1087         (JSGlobalObject):
1088         (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
1089         object structure anymore, because now clients need to specify how much
1090         inline capacity they want.
1091
1092         * runtime/JSONObject.cpp:
1093         * runtime/JSObject.h:
1094         (JSC):
1095         (JSFinalObject):
1096         (JSC::JSFinalObject::defaultInlineCapacity):
1097         (JSC::JSFinalObject::maxInlineCapacity):
1098         (JSC::JSFinalObject::createStructure): A little refactoring to try to 
1099         clarify where some of these constants derive from.
1100
1101         (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.
1102
1103         * runtime/JSProxy.cpp:
1104         (JSC::JSProxy::setTarget): Ugly, but effective.
1105
1106         * runtime/LiteralParser.cpp:
1107         * runtime/ObjectConstructor.cpp:
1108         (JSC::constructObject):
1109         (JSC::constructWithObjectConstructor):
1110         (JSC::callObjectConstructor):
1111         (JSC::objectConstructorCreate): Updated for interface changes.
1112
1113         * runtime/ObjectConstructor.h:
1114         (JSC::constructEmptyObject): Clarified your options for how to allocate
1115         an empty object, to emphasize what things can actually vary.
1116
1117         * runtime/PropertyOffset.h: These constants have moved because they're
1118         really higher level concepts to do with the layout of objects and the
1119         collector. PropertyOffset is just an abstract number line, independent
1120         of those things.
1121
1122         * runtime/PrototypeMap.cpp:
1123         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
1124         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1125         * runtime/PrototypeMap.h:
1126         (PrototypeMap): The map key is now a pair of prototype and inline capacity,
1127         since Structure encodes inline capacity.
1128
1129         * runtime/Structure.cpp:
1130         (JSC::Structure::Structure):
1131         (JSC::Structure::materializePropertyMap):
1132         (JSC::Structure::addPropertyTransition):
1133         (JSC::Structure::nonPropertyTransition):
1134         (JSC::Structure::copyPropertyTableForPinning):
1135         * runtime/Structure.h:
1136         (Structure):
1137         (JSC::Structure::totalStorageSize):
1138         (JSC::Structure::transitionCount):
1139         (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
1140         up after enabling variable-sized inline capacities: we were passing our
1141         type info where our inline capacity was expected. The compiler didn't
1142         notice because both have type int :(.
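
Added example, not code from the WebKit project or from this entry's author: a toy re-implementation of the inline-capacity guess the entry describes for its static property analyzer. It consumes a straight-line stream of allocation, store and move events, follows registers that alias the same allocation, and counts distinct property indices; it has no control-flow model, exactly the limitation the entry states. The names `Analysis`, `Analyzer`, `RegisterID`, `PropertyIndex` and the event stream in `demoInferredCapacity()` are hypothetical and only loosely follow the ChangeLog's StaticPropertyAnalysis / StaticPropertyAnalyzer.

```cpp
// Added example (editor's illustration, not WebKit code): a toy version of
// the inline-capacity guess described above. It watches a straight-line
// stream of allocation/store/move events and counts the distinct property
// indices stored into each allocation. Class and method names are
// hypothetical and only loosely follow the ChangeLog's StaticPropertyAnalysis
// and StaticPropertyAnalyzer.
#include <cstddef>
#include <map>
#include <memory>
#include <set>

using RegisterID = int;
using PropertyIndex = unsigned;

// One tracked allocation: the set of property indices stored into it.
struct Analysis {
    std::set<PropertyIndex> propertyIndices;
    size_t propertyIndexCount() const { return propertyIndices.size(); }
};

class Analyzer {
public:
    // op_new_object into dst starts tracking a fresh allocation.
    std::shared_ptr<Analysis> newObject(RegisterID dst)
    {
        auto analysis = std::make_shared<Analysis>();
        m_analyses[dst] = analysis;
        return analysis;
    }

    // put_by_id base.<index>: records the store on whichever allocation the
    // base register currently aliases; stores to untracked objects are ignored.
    void putById(RegisterID base, PropertyIndex index)
    {
        auto it = m_analyses.find(base);
        if (it == m_analyses.end())
            return;
        it->second->propertyIndices.insert(index);
    }

    // mov dst, src: dst now aliases src's allocation, or nothing if src is
    // untracked. Several registers may alias one allocation at a time.
    void mov(RegisterID dst, RegisterID src)
    {
        auto it = m_analyses.find(src);
        if (it == m_analyses.end())
            kill(dst);
        else
            m_analyses[dst] = it->second;
    }

    // Any other write to dst ends its alias; once no register aliases an
    // allocation, its count is final.
    void kill(RegisterID dst) { m_analyses.erase(dst); }

    // End of codegen: nothing can change any analysis afterwards.
    void killAll() { m_analyses.clear(); }

    // The guess: distinct property indices seen. There is no control-flow
    // model, so a store inside a branch counts like an unconditional one.
    static unsigned inferredInlineCapacity(const Analysis& analysis)
    {
        return static_cast<unsigned>(analysis.propertyIndexCount());
    }

private:
    std::map<RegisterID, std::shared_ptr<Analysis>> m_analyses;
};

// Constructed event stream, roughly:
//   var o = {}; o.a = 1; o.b = 2; var t = o; t.c = 3; t.a = 4; o = other; o.d = 5;
// Expected guess for the first object: 3 (indices a, b, c; 'a' is not double
// counted and 'd' lands on a different, untracked object).
unsigned demoInferredCapacity()
{
    Analyzer analyzer;
    std::shared_ptr<Analysis> object = analyzer.newObject(0);
    analyzer.putById(0, 0); // o.a
    analyzer.putById(0, 1); // o.b
    analyzer.mov(1, 0);     // t = o
    analyzer.putById(1, 2); // t.c reaches the same allocation
    analyzer.putById(1, 0); // t.a: same index, counted once
    analyzer.kill(0);       // o reassigned to something untracked
    analyzer.putById(0, 3); // o.d no longer hits our allocation
    analyzer.killAll();     // end of codegen
    return Analyzer::inferredInlineCapacity(*object);
}

// A second allocation whose only register is overwritten before any store:
// the guess stays 0.
unsigned demoUntouchedCapacity()
{
    Analyzer analyzer;
    std::shared_ptr<Analysis> object = analyzer.newObject(5);
    analyzer.mov(5, 9);     // r9 is untracked, so r5 loses its alias
    analyzer.putById(5, 0); // ignored
    analyzer.killAll();
    return Analyzer::inferredInlineCapacity(*object);
}
```

The aliasing map is the whole point: a temporary register produced by a move still feeds stores back to the original allocation, while overwriting a register (kill) silently stops counting, which is why a guess made this way can only be a hint that the runtime profile later corrects.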
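
Added example, not code from the WebKit project or from this entry's author: a model of the JSVALUE32_64 inline-cache bug the entry fixes in tryCacheGetByID, where one 64-bit JSValue is fetched with two 32-bit loads (payload at the offset, tag at offset + 4) and a patchable load site only has room for the compact encoding. The predicate `canPatchCompactBuggy` checks the payload load alone; `canPatchCompactFixed` checks both, and `patchOverrunBytes` shows how many bytes a repatch would write past the reserved slot. The displacement range, instruction sizes and all function names are assumptions for illustration (a signed 8-bit compact displacement in a 3-byte load versus a 32-bit one in a 6-byte load); the page does not state the real encodings.

```cpp
// Added example (editor's illustration, not WebKit code). It models the
// JSVALUE32_64 inline-cache situation described above: a 64-bit JSValue is
// fetched with two 32-bit loads, payload at `offset` and tag at `offset + 4`,
// and the patchable load site only has room for the compact encoding.
// Assumptions: the compact form carries a signed 8-bit displacement and is
// 3 bytes long, the long form a signed 32-bit displacement and 6 bytes; the
// real instruction encodings and sizes are not taken from the page.
#include <cstddef>
#include <cstdint>

constexpr int32_t kCompactMin = -128;
constexpr int32_t kCompactMax = 127;
constexpr int32_t kTagOffset = 4;                         // tag word sits after the payload word
constexpr size_t kCompactLoadBytes = 3;                   // assumed: opcode + ModRM + disp8
constexpr size_t kLongLoadBytes = 6;                      // assumed: opcode + ModRM + disp32
constexpr size_t kPatchSiteBytes = 2 * kCompactLoadBytes; // reserved at codegen time for two compact loads

bool fitsCompact(int32_t displacement)
{
    return displacement >= kCompactMin && displacement <= kCompactMax;
}

// The off-by-one-half predicate: only the payload load is checked, so an
// offset whose tag load needs the long form is wrongly accepted.
bool canPatchCompactBuggy(int32_t offsetRelativeToPatchedStorage)
{
    return fitsCompact(offsetRelativeToPatchedStorage);
}

// The corrected predicate: both loads must fit the compact form.
bool canPatchCompactFixed(int32_t offsetRelativeToPatchedStorage)
{
    return fitsCompact(offsetRelativeToPatchedStorage)
        && fitsCompact(offsetRelativeToPatchedStorage + kTagOffset);
}

// Largest payload offset for which the tag load is still compact; the
// entry's maxOffsetRelativeToPatchedStorage plays this role (assumed).
constexpr int32_t maxOffsetForCompactPair()
{
    return kCompactMax - kTagOffset;
}

// Bytes an assembler would need for one load at this displacement.
size_t loadEncodingSize(int32_t displacement)
{
    return fitsCompact(displacement) ? kCompactLoadBytes : kLongLoadBytes;
}

// Simulate repatching the site. Returns the number of bytes written past the
// reserved slot: anything above zero overwrites the instruction that follows,
// which is the "corrupt the instruction stream" failure from the ChangeLog.
size_t patchOverrunBytes(int32_t offsetRelativeToPatchedStorage)
{
    size_t needed = loadEncodingSize(offsetRelativeToPatchedStorage)
        + loadEncodingSize(offsetRelativeToPatchedStorage + kTagOffset);
    return needed > kPatchSiteBytes ? needed - kPatchSiteBytes : 0;
}
```

With these assumed sizes an offset of 124 is the interesting case: the payload load is compact, so the buggy check accepts it, but the tag load at 128 needs the long form and the repatch runs three bytes into the next instruction. Any check that gates a multi-load access pattern has to be applied to the last load's address, not the first.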
1143
1144 2013-01-28  Oliver Hunt  <oliver@apple.com>
1145
1146         Add more assertions to the property storage use in arrays
1147         https://bugs.webkit.org/show_bug.cgi?id=107728
1148
1149         Reviewed by Filip Pizlo.
1150
1151         Add a bunch of assertions to array and object butterfly
1152         usage.  This should make debugging somewhat easier.
1153
1154         I also converted a couple of assertions to release asserts
1155         as they were so low cost it seemed a sensible thing to do.
1156
1157         * runtime/JSArray.cpp:
1158         (JSC::JSArray::sortVector):
1159         (JSC::JSArray::compactForSorting):
1160         * runtime/JSObject.h:
1161         (JSC::JSObject::getHolyIndexQuickly):
1162
1163 2013-01-28  Adam Barth  <abarth@webkit.org>
1164
1165         Remove webkitNotifications.createHTMLNotification
1166         https://bugs.webkit.org/show_bug.cgi?id=107598
1167
1168         Reviewed by Benjamin Poulain.
1169
1170         * Configurations/FeatureDefines.xcconfig:
1171
1172 2013-01-28  Michael Saboff  <msaboff@apple.com>
1173
1174         Cleanup ARM version of debugName() in DFGFPRInfo.h
1175         https://bugs.webkit.org/show_bug.cgi?id=108090
1176
1177         Reviewed by David Kilzer.
1178
1179         Fixed debugName() so it will compile by adding static_cast<int> and missing commas.
1180
1181         * dfg/DFGFPRInfo.h:
1182         (JSC::DFG::FPRInfo::debugName):
1183
1184 2013-01-27  Andreas Kling  <akling@apple.com>
1185
1186         JSC: FunctionParameters are memory hungry.
1187         <http://webkit.org/b/108033>
1188         <rdar://problem/13094803>
1189
1190         Reviewed by Sam Weinig.
1191
1192         Instead of inheriting from Vector<Identifier>, make FunctionParameters a simple fixed-size array
1193         with a custom-allocating create() function. Removes one step of indirection and cuts memory usage
1194         roughly in half.
1195
1196         2.73 MB progression on Membuster3.
1197
1198         * bytecode/UnlinkedCodeBlock.cpp:
1199         (JSC::UnlinkedFunctionExecutable::paramString):
1200         * bytecompiler/BytecodeGenerator.cpp:
1201         (JSC::BytecodeGenerator::BytecodeGenerator):
1202         * parser/Nodes.cpp:
1203         (JSC::FunctionParameters::create):
1204         (JSC::FunctionParameters::FunctionParameters):
1205         (JSC::FunctionParameters::~FunctionParameters):
1206         * parser/Nodes.h:
1207         (FunctionParameters):
1208         (JSC::FunctionParameters::size):
1209         (JSC::FunctionParameters::at):
1210         (JSC::FunctionParameters::identifiers):
1211
1212 2013-01-27  Andreas Kling  <akling@apple.com>
1213
1214         JSC: SourceProviderCache is memory hungry.
1215         <http://webkit.org/b/108029>
1216         <rdar://problem/13094806>
1217
1218         Reviewed by Sam Weinig.
1219
1220         Use fixed-size arrays for SourceProviderCacheItem's lists of captured variables.
1221         Since the lists never change after the object is created, there's no need to keep them in Vectors
1222         and we can instead create the whole cache item in a single allocation.
1223
1224         13.37 MB progression on Membuster3.
1225
1226         * parser/Parser.cpp:
1227         (JSC::::parseFunctionInfo):
1228         * parser/Parser.h:
1229         (JSC::Scope::copyCapturedVariablesToVector):
1230         (JSC::Scope::fillParametersForSourceProviderCache):
1231         (JSC::Scope::restoreFromSourceProviderCache):
1232         * parser/SourceProviderCacheItem.h:
1233         (SourceProviderCacheItemCreationParameters):
1234         (SourceProviderCacheItem):
1235         (JSC::SourceProviderCacheItem::approximateByteSize):
1236         (JSC::SourceProviderCacheItem::usedVariables):
1237         (JSC::SourceProviderCacheItem::writtenVariables):
1238         (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
1239         (JSC::SourceProviderCacheItem::create):
1240         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
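
Added example, not code from the WebKit project or from the author of the two entries above: the allocation pattern both entries describe, a fixed-size array created in one allocation (header followed by the elements) through a custom create() instead of inheriting from a Vector, as used for FunctionParameters and for SourceProviderCacheItem's captured-variable lists. The class `FixedArray`, its `create`/`destroy` pair and the sample data are hypothetical. The size computation is guarded against wrapping and the accessor is bounds-checked, which is the part a practitioner wants to see in any hand-rolled variable-length object.

```cpp
// Added example (editor's illustration, not WebKit code): a fixed-size array
// that lives in a single allocation, header followed by the elements, built
// through a custom create() instead of inheriting from a Vector. All names
// here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <limits>
#include <new>
#include <string>
#include <vector>

template <typename T>
class FixedArray {
public:
    // Would `count` elements plus the header wrap size_t? A wrapped size would
    // hand malloc a tiny block that the constructor then writes past.
    static bool sizeWouldOverflow(size_t count)
    {
        return count > (std::numeric_limits<size_t>::max() - sizeof(FixedArray)) / sizeof(T);
    }

    // One malloc for header and elements; placement-new constructs in place.
    static FixedArray* create(const std::vector<T>& items)
    {
        static_assert(sizeof(FixedArray) % alignof(T) == 0, "elements must start aligned");
        size_t count = items.size();
        if (sizeWouldOverflow(count))
            return nullptr;
        void* memory = std::malloc(sizeof(FixedArray) + count * sizeof(T));
        if (!memory)
            return nullptr;
        return new (memory) FixedArray(items.data(), count);
    }

    // The matching teardown: run the destructors, then free the single block.
    static void destroy(FixedArray* array)
    {
        if (!array)
            return;
        array->~FixedArray();
        std::free(array);
    }

    size_t size() const { return m_size; }

    // Bounds-checked accessor; an out-of-range index aborts instead of reading
    // past the block.
    const T& at(size_t index) const
    {
        if (index >= m_size)
            std::abort();
        return elements()[index];
    }

    // Footprint of the whole object, header plus elements.
    size_t approximateByteSize() const { return sizeof(FixedArray) + m_size * sizeof(T); }

    FixedArray(const FixedArray&) = delete;
    FixedArray& operator=(const FixedArray&) = delete;

private:
    FixedArray(const T* items, size_t count)
        : m_size(count)
    {
        for (size_t i = 0; i < count; ++i)
            new (&elements()[i]) T(items[i]);
    }

    ~FixedArray()
    {
        for (size_t i = 0; i < m_size; ++i)
            elements()[i].~T();
    }

    // Elements follow the header in the same block.
    T* elements() { return reinterpret_cast<T*>(reinterpret_cast<uint8_t*>(this) + sizeof(FixedArray)); }
    const T* elements() const { return reinterpret_cast<const T*>(reinterpret_cast<const uint8_t*>(this) + sizeof(FixedArray)); }

    size_t m_size;
};

// Constructed sample: three parameter names stored once, read back, then freed.
bool fixedArrayRoundTrips()
{
    std::vector<std::string> names = { "callee", "argument0", "argument1" };
    FixedArray<std::string>* params = FixedArray<std::string>::create(names);
    if (!params)
        return false;
    bool ok = params->size() == 3 && params->at(1) == "argument0"
        && params->approximateByteSize() == sizeof(FixedArray<std::string>) + 3 * sizeof(std::string);
    FixedArray<std::string>::destroy(params);
    return ok;
}
```

The private destructor and the static `destroy()` keep callers from `delete`-ing a block that was never obtained from `new`, and the single allocation is what removes the extra indirection and roughly halves the footprint the entries report.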
1241
1242 2013-01-27  Zoltan Arvai  <zarvai@inf.u-szeged.hu>
1243
1244         Fixing atomicIncrement implementation for Windows by dropping support before XP SP2.
1245         https://bugs.webkit.org/show_bug.cgi?id=106740
1246
1247         Reviewed by Benjamin Poulain.
1248
1249         * config.h:
1250
1251 2013-01-25  Filip Pizlo  <fpizlo@apple.com>
1252
1253         DFG variable event stream shouldn't use NodeIndex
1254         https://bugs.webkit.org/show_bug.cgi?id=107996
1255
1256         Reviewed by Oliver Hunt.
1257         
1258         Introduce the notion of a DFG::MinifiedID, which is just a unique ID of a DFG Node.
1259         Internally it currently uses a NodeIndex, but we could change this without having
1260         to recode all of the users of MinifiedID. This effectively decouples the OSR exit
1261         compiler's way of identifying nodes from the speculative JIT's way of identifying
1262         nodes, and should make it easier to make changes to the speculative JIT's internals
1263         in the future.
1264         
1265         Also changed variable event stream logging to exclude information about births and
1266         deaths of constants, since the OSR exit compiler never cares about which register
1267         holds a constant; if a value is constant then the OSR exit compiler can reify it.
1268         
1269         Also changed the variable event stream's value recovery computation to use a
1270         HashMap keyed by MinifiedID rather than a Vector indexed by NodeIndex.
1271         
1272         This appears to be performance-neutral. It's primarily meant as a small step
1273         towards https://bugs.webkit.org/show_bug.cgi?id=106868.
1274
1275         * GNUmakefile.list.am:
1276         * JavaScriptCore.xcodeproj/project.pbxproj:
1277         * dfg/DFGGenerationInfo.h:
1278         (JSC::DFG::GenerationInfo::GenerationInfo):
1279         (JSC::DFG::GenerationInfo::initConstant):
1280         (JSC::DFG::GenerationInfo::initInteger):
1281         (JSC::DFG::GenerationInfo::initJSValue):
1282         (JSC::DFG::GenerationInfo::initCell):
1283         (JSC::DFG::GenerationInfo::initBoolean):
1284         (JSC::DFG::GenerationInfo::initDouble):
1285         (JSC::DFG::GenerationInfo::initStorage):
1286         (JSC::DFG::GenerationInfo::noticeOSRBirth):
1287         (JSC::DFG::GenerationInfo::use):
1288         (JSC::DFG::GenerationInfo::appendFill):
1289         (JSC::DFG::GenerationInfo::appendSpill):
1290         (GenerationInfo):
1291         * dfg/DFGJITCompiler.cpp:
1292         (JSC::DFG::JITCompiler::link):
1293         * dfg/DFGMinifiedGraph.h:
1294         (JSC::DFG::MinifiedGraph::at):
1295         (MinifiedGraph):
1296         * dfg/DFGMinifiedID.h: Added.
1297         (DFG):
1298         (MinifiedID):
1299         (JSC::DFG::MinifiedID::MinifiedID):
1300         (JSC::DFG::MinifiedID::operator!):
1301         (JSC::DFG::MinifiedID::nodeIndex):
1302         (JSC::DFG::MinifiedID::operator==):
1303         (JSC::DFG::MinifiedID::operator!=):
1304         (JSC::DFG::MinifiedID::operator<):
1305         (JSC::DFG::MinifiedID::operator>):
1306         (JSC::DFG::MinifiedID::operator<=):
1307         (JSC::DFG::MinifiedID::operator>=):
1308         (JSC::DFG::MinifiedID::hash):
1309         (JSC::DFG::MinifiedID::dump):
1310         (JSC::DFG::MinifiedID::isHashTableDeletedValue):
1311         (JSC::DFG::MinifiedID::invalidID):
1312         (JSC::DFG::MinifiedID::otherInvalidID):
1313         (JSC::DFG::MinifiedID::fromBits):
1314         (JSC::DFG::MinifiedIDHash::hash):
1315         (JSC::DFG::MinifiedIDHash::equal):
1316         (MinifiedIDHash):
1317         (WTF):
1318         * dfg/DFGMinifiedNode.cpp:
1319         (JSC::DFG::MinifiedNode::fromNode):
1320         * dfg/DFGMinifiedNode.h:
1321         (JSC::DFG::MinifiedNode::id):
1322         (JSC::DFG::MinifiedNode::child1):
1323         (JSC::DFG::MinifiedNode::getID):
1324         (JSC::DFG::MinifiedNode::compareByNodeIndex):
1325         (MinifiedNode):
1326         * dfg/DFGSpeculativeJIT.cpp:
1327         (JSC::DFG::SpeculativeJIT::compileMovHint):
1328         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1329         * dfg/DFGSpeculativeJIT.h:
1330         (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
1331         * dfg/DFGValueSource.cpp:
1332         (JSC::DFG::ValueSource::dump):
1333         * dfg/DFGValueSource.h:
1334         (JSC::DFG::ValueSource::ValueSource):
1335         (JSC::DFG::ValueSource::isSet):
1336         (JSC::DFG::ValueSource::kind):
1337         (JSC::DFG::ValueSource::id):
1338         (ValueSource):
1339         (JSC::DFG::ValueSource::idFromKind):
1340         (JSC::DFG::ValueSource::kindFromID):
1341         * dfg/DFGVariableEvent.cpp:
1342         (JSC::DFG::VariableEvent::dump):
1343         (JSC::DFG::VariableEvent::dumpFillInfo):
1344         (JSC::DFG::VariableEvent::dumpSpillInfo):
1345         * dfg/DFGVariableEvent.h:
1346         (JSC::DFG::VariableEvent::fillGPR):
1347         (JSC::DFG::VariableEvent::fillPair):
1348         (JSC::DFG::VariableEvent::fillFPR):
1349         (JSC::DFG::VariableEvent::spill):
1350         (JSC::DFG::VariableEvent::death):
1351         (JSC::DFG::VariableEvent::movHint):
1352         (JSC::DFG::VariableEvent::id):
1353         (VariableEvent):
1354         * dfg/DFGVariableEventStream.cpp:
1355         (DFG):
1356         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1357         (JSC::DFG::VariableEventStream::reconstruct):
1358         * dfg/DFGVariableEventStream.h:
1359         (VariableEventStream):
1360
1361 2013-01-25  Roger Fong  <roger_fong@apple.com>
1362
1363         Unreviewed. Rename LLInt projects folder and make appropriate changes to solutions.
1364
1365         * JavaScriptCore.vcxproj/JavaScriptCore.sln:
1366         * JavaScriptCore.vcxproj/LLInt: Copied from JavaScriptCore.vcxproj/LLInt.vcproj.
1367         * JavaScriptCore.vcxproj/LLInt.vcproj: Removed.
1368         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Removed.
1369         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
1370         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
1371         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Removed.
1372         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
1373         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Removed.
1374         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
1375         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
1376         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Removed.
1377         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
1378         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Removed.
1379         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
1380         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Removed.
1381         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
1382         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
1383         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.
1384
1385 2013-01-24  Roger Fong  <roger_fong@apple.com>
1386
1387         VS2010 JavaScriptCore: Clean up property sheets, add a JSC solution, add testRegExp and testAPI projects.
1388         https://bugs.webkit.org/show_bug.cgi?id=106987
1389
1390         Reviewed by Brent Fulgham.
1391
1392         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
1393         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
1394         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1395         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
1396         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1397         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
1398         * JavaScriptCore.vcxproj/jsc/jscDebug.props:
1399         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
1400         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
1401         * JavaScriptCore.vcxproj/testRegExp: Added.
1402         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Added.
1403         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Added.
1404         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.user: Added.
1405         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Added.
1406         * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Added.
1407         * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Added.
1408         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Added.
1409         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Added.
1410         * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Added.
1411         * JavaScriptCore.vcxproj/testapi: Added.
1412         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Added.
1413         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Added.
1414         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.user: Added.
1415         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Added.
1416         * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Added.
1417         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Added.
1418         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Added.
1419         * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Added.
1420         * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Added.
1421
1422 2013-01-24  Roger Fong  <roger_fong@apple.com>
1423
1424         Unreviewed. Windows build fix.
1425
1426         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
1427
1428 2013-01-24  Filip Pizlo  <fpizlo@apple.com>
1429
1430         DFG::JITCompiler::getSpeculation() methods are badly named and superfluous
1431         https://bugs.webkit.org/show_bug.cgi?id=107860
1432
1433         Reviewed by Mark Hahnenberg.
1434
1435         * dfg/DFGJITCompiler.h:
1436         (JITCompiler):
1437         * dfg/DFGSpeculativeJIT64.cpp:
1438         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1439         (JSC::DFG::SpeculativeJIT::emitBranch):
1440
1441 2013-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>
1442
1443         Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h
1444         https://bugs.webkit.org/show_bug.cgi?id=107327
1445
1446         Reviewed by Filip Pizlo.
1447
1448         We're renaming these two files, so we have to replace the names everywhere.
1449
1450         * API/APICast.h:
1451         * API/APIJSValue.h: Removed.
1452         * API/JSBlockAdaptor.mm:
1453         * API/JSStringRefCF.cpp:
1454         * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
1455         * API/JSValue.mm:
1456         * API/JSValueInternal.h:
1457         * API/JSValueRef.cpp:
1458         * API/JSWeakObjectMapRefPrivate.cpp:
1459         * API/JavaScriptCore.h:
1460         * CMakeLists.txt:
1461         * GNUmakefile.list.am:
1462         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1463         * JavaScriptCore.xcodeproj/project.pbxproj:
1464         * Target.pri:
1465         * bytecode/CallLinkStatus.h:
1466         * bytecode/CodeBlock.cpp:
1467         * bytecode/MethodOfGettingAValueProfile.h:
1468         * bytecode/ResolveGlobalStatus.cpp:
1469         * bytecode/ResolveGlobalStatus.h:
1470         * bytecode/SpeculatedType.h:
1471         * bytecode/ValueRecovery.h:
1472         * dfg/DFGByteCodeParser.cpp:
1473         * dfg/DFGJITCompiler.cpp:
1474         * dfg/DFGNode.h:
1475         * dfg/DFGSpeculativeJIT.cpp:
1476         * dfg/DFGSpeculativeJIT64.cpp:
1477         * heap/CopiedBlock.h:
1478         * heap/HandleStack.cpp:
1479         * heap/HandleTypes.h:
1480         * heap/WeakImpl.h:
1481         * interpreter/Interpreter.h:
1482         * interpreter/Register.h:
1483         * interpreter/VMInspector.h:
1484         * jit/HostCallReturnValue.cpp:
1485         * jit/HostCallReturnValue.h:
1486         * jit/JITCode.h:
1487         * jit/JITExceptions.cpp:
1488         * jit/JITExceptions.h:
1489         * jit/JSInterfaceJIT.h:
1490         * llint/LLIntCLoop.h:
1491         * llint/LLIntData.h:
1492         * llint/LLIntSlowPaths.cpp:
1493         * profiler/ProfilerBytecode.h:
1494         * profiler/ProfilerBytecodeSequence.h:
1495         * profiler/ProfilerBytecodes.h:
1496         * profiler/ProfilerCompilation.h:
1497         * profiler/ProfilerCompiledBytecode.h:
1498         * profiler/ProfilerDatabase.h:
1499         * profiler/ProfilerOSRExit.h:
1500         * profiler/ProfilerOSRExitSite.h:
1501         * profiler/ProfilerOrigin.h:
1502         * profiler/ProfilerOriginStack.h:
1503         * runtime/ArgList.cpp:
1504         * runtime/CachedTranscendentalFunction.h:
1505         * runtime/CallData.h:
1506         * runtime/Completion.h:
1507         * runtime/ConstructData.h:
1508         * runtime/DateConstructor.cpp:
1509         * runtime/DateInstance.cpp:
1510         * runtime/DatePrototype.cpp:
1511         * runtime/JSAPIValueWrapper.h:
1512         * runtime/JSCJSValue.cpp: Copied from Source/JavaScriptCore/runtime/JSValue.cpp.
1513         * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h.
1514         (JSValue):
1515         * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h.
1516         * runtime/JSGlobalData.h:
1517         * runtime/JSGlobalObject.cpp:
1518         * runtime/JSGlobalObjectFunctions.h:
1519         * runtime/JSStringJoiner.h:
1520         * runtime/JSValue.cpp: Removed.
1521         * runtime/JSValue.h: Removed.
1522         * runtime/JSValueInlines.h: Removed.
1523         * runtime/LiteralParser.h:
1524         * runtime/Operations.h:
1525         * runtime/PropertyDescriptor.h:
1526         * runtime/PropertySlot.h:
1527         * runtime/Protect.h:
1528         * runtime/RegExpPrototype.cpp:
1529         * runtime/Structure.h:
1530
1531 2013-01-23  Oliver Hunt  <oliver@apple.com>
1532
1533         Harden JSC a bit with RELEASE_ASSERT
1534         https://bugs.webkit.org/show_bug.cgi?id=107766
1535
1536         Reviewed by Mark Hahnenberg.
1537
1538         Went through and replaced a pile of ASSERTs that were covering
1539         significantly important details (bounds checks, etc) where
1540         having the checks did not impact release performance in any
1541         measurable way.
1542
1543         * API/JSContextRef.cpp:
1544         (JSContextCreateBacktrace):
1545         * assembler/MacroAssembler.h:
1546         (JSC::MacroAssembler::branchAdd32):
1547         (JSC::MacroAssembler::branchMul32):
1548         * bytecode/CodeBlock.cpp:
1549         (JSC::CodeBlock::dumpBytecode):
1550         (JSC::CodeBlock::handlerForBytecodeOffset):
1551         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1552         (JSC::CodeBlock::bytecodeOffset):
1553         * bytecode/CodeBlock.h:
1554         (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
1555         (JSC::CodeBlock::bytecodeOffset):
1556         (JSC::CodeBlock::exceptionHandler):
1557         (JSC::CodeBlock::codeOrigin):
1558         (JSC::CodeBlock::immediateSwitchJumpTable):
1559         (JSC::CodeBlock::characterSwitchJumpTable):
1560         (JSC::CodeBlock::stringSwitchJumpTable):
1561         (JSC::CodeBlock::setIdentifiers):
1562         (JSC::baselineCodeBlockForInlineCallFrame):
1563         (JSC::ExecState::uncheckedR):
1564         * bytecode/CodeOrigin.cpp:
1565         (JSC::CodeOrigin::inlineStack):
1566         * bytecode/CodeOrigin.h:
1567         (JSC::CodeOrigin::CodeOrigin):
1568         * dfg/DFGCSEPhase.cpp:
1569         * dfg/DFGOSRExit.cpp:
1570         * dfg/DFGScratchRegisterAllocator.h:
1571         (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
1572         (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
1573         * dfg/DFGSpeculativeJIT.h:
1574         (JSC::DFG::SpeculativeJIT::allocate):
1575         (JSC::DFG::SpeculativeJIT::spill):
1576         (JSC::DFG::SpeculativeJIT::integerResult):
1577         * dfg/DFGSpeculativeJIT64.cpp:
1578         (JSC::DFG::SpeculativeJIT::fillInteger):
1579         (JSC::DFG::SpeculativeJIT::fillDouble):
1580         (JSC::DFG::SpeculativeJIT::fillJSValue):
1581         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1582         (JSC::DFG::SpeculativeJIT::emitCall):
1583         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1584         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1585         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1586         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1587         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1588         (JSC::DFG::SpeculativeJIT::compile):
1589         * dfg/DFGValueSource.h:
1590         (JSC::DFG::dataFormatToValueSourceKind):
1591         (JSC::DFG::ValueSource::ValueSource):
1592         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1593         * heap/BlockAllocator.cpp:
1594         (JSC::BlockAllocator::BlockAllocator):
1595         (JSC::BlockAllocator::releaseFreeRegions):
1596         (JSC::BlockAllocator::blockFreeingThreadMain):
1597         * heap/Heap.cpp:
1598         (JSC::Heap::lastChanceToFinalize):
1599         (JSC::Heap::collect):
1600         * interpreter/Interpreter.cpp:
1601         (JSC::Interpreter::throwException):
1602         (JSC::Interpreter::execute):
1603         * jit/GCAwareJITStubRoutine.cpp:
1604         (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
1605         * jit/JIT.cpp:
1606         (JSC::JIT::privateCompileMainPass):
1607         (JSC::JIT::privateCompileSlowCases):
1608         * jit/JITExceptions.cpp:
1609         (JSC::genericThrow):
1610         * jit/JITInlines.h:
1611         (JSC::JIT::emitLoad):
1612         * jit/JITOpcodes.cpp:
1613         (JSC::JIT::emit_op_end):
1614         (JSC::JIT::emit_resolve_operations):
1615         * jit/JITStubRoutine.cpp:
1616         (JSC::JITStubRoutine::observeZeroRefCount):
1617         * jit/JITStubs.cpp:
1618         (JSC::returnToThrowTrampoline):
1619         * runtime/Arguments.cpp:
1620         (JSC::Arguments::getOwnPropertySlot):
1621         (JSC::Arguments::getOwnPropertyDescriptor):
1622         (JSC::Arguments::deleteProperty):
1623         (JSC::Arguments::defineOwnProperty):
1624         (JSC::Arguments::didTearOffActivation):
1625         * runtime/ArrayPrototype.cpp:
1626         (JSC::shift):
1627         (JSC::unshift):
1628         (JSC::arrayProtoFuncLastIndexOf):
1629         * runtime/ButterflyInlines.h:
1630         (JSC::Butterfly::growPropertyStorage):
1631         * runtime/CodeCache.cpp:
1632         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1633         * runtime/CodeCache.h:
1634         (JSC::CacheMap::add):
1635         * runtime/Completion.cpp:
1636         (JSC::checkSyntax):
1637         (JSC::evaluate):
1638         * runtime/Executable.cpp:
1639         (JSC::FunctionExecutable::FunctionExecutable):
1640         (JSC::EvalExecutable::unlinkCalls):
1641         (JSC::ProgramExecutable::compileOptimized):
1642         (JSC::ProgramExecutable::unlinkCalls):
1643         (JSC::ProgramExecutable::initializeGlobalProperties):
1644         (JSC::FunctionExecutable::baselineCodeBlockFor):
1645         (JSC::FunctionExecutable::compileOptimizedForCall):
1646         (JSC::FunctionExecutable::compileOptimizedForConstruct):
1647         (JSC::FunctionExecutable::compileForCallInternal):
1648         (JSC::FunctionExecutable::compileForConstructInternal):
1649         (JSC::FunctionExecutable::unlinkCalls):
1650         (JSC::NativeExecutable::hashFor):
1651         * runtime/Executable.h:
1652         (JSC::EvalExecutable::compile):
1653         (JSC::ProgramExecutable::compile):
1654         (JSC::FunctionExecutable::compileForCall):
1655         (JSC::FunctionExecutable::compileForConstruct):
1656         * runtime/IndexingHeader.h:
1657         (JSC::IndexingHeader::setVectorLength):
1658         * runtime/JSArray.cpp:
1659         (JSC::JSArray::pop):
1660         (JSC::JSArray::shiftCountWithArrayStorage):
1661         (JSC::JSArray::shiftCountWithAnyIndexingType):
1662         (JSC::JSArray::unshiftCountWithArrayStorage):
1663         * runtime/JSGlobalObjectFunctions.cpp:
1664         (JSC::jsStrDecimalLiteral):
1665         * runtime/JSObject.cpp:
1666         (JSC::JSObject::copyButterfly):
1667         (JSC::JSObject::defineOwnIndexedProperty):
1668         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1669         * runtime/JSString.cpp:
1670         (JSC::JSRopeString::getIndexSlowCase):
1671         * yarr/YarrInterpreter.cpp:
1672         (JSC::Yarr::Interpreter::popParenthesesDisjunctionContext):
1673
1674 2013-01-23  Filip Pizlo  <fpizlo@apple.com>
1675
1676         Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures
1677         https://bugs.webkit.org/show_bug.cgi?id=107750
1678         <rdar://problem/12387265>
1679
1680         Reviewed by Mark Hahnenberg.
1681         
1682         The point of this assertion was that if there is no variable capturing going on, then there should only be one GetLocal
1683         for the variable anywhere in the basic block. But if there is some capturing, then we'll have an unbounded number of
1684         GetLocals. The assertion was too imprecise for the latter case. I want to keep this assertion, so I introduced a
1685         checker that verifies this precisely: if there are any captured accesses to the variable anywhere at or after the
1686         GetLocal we are eliminating, then we allow redundant GetLocals.
1687
1688         * dfg/DFGConstantFoldingPhase.cpp:
1689         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1690         (ConstantFoldingPhase):
1691         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
1692
1693 2013-01-23  Oliver Hunt  <oliver@apple.com>
1694
1695         Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC
1696         https://bugs.webkit.org/show_bug.cgi?id=107736
1697
1698         Reviewed by Mark Hahnenberg.
1699
1700         Mechanical change with no performance impact.
1701
1702         * API/JSBlockAdaptor.mm:
1703         (BlockArgumentTypeDelegate::typeVoid):
1704         * API/JSCallbackObjectFunctions.h:
1705         (JSC::::construct):
1706         (JSC::::call):
1707         * API/JSScriptRef.cpp:
1708         * API/ObjCCallbackFunction.mm:
1709         (ArgumentTypeDelegate::typeVoid):
1710         * assembler/ARMv7Assembler.h:
1711         (JSC::ARMv7Assembler::link):
1712         (JSC::ARMv7Assembler::replaceWithLoad):
1713         (JSC::ARMv7Assembler::replaceWithAddressComputation):
1714         * assembler/MacroAssembler.h:
1715         (JSC::MacroAssembler::invert):
1716         * assembler/MacroAssemblerARM.h:
1717         (JSC::MacroAssemblerARM::countLeadingZeros32):
1718         (JSC::MacroAssemblerARM::divDouble):
1719         * assembler/MacroAssemblerMIPS.h:
1720         (JSC::MacroAssemblerMIPS::absDouble):
1721         (JSC::MacroAssemblerMIPS::replaceWithJump):
1722         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
1723         * assembler/MacroAssemblerSH4.h:
1724         (JSC::MacroAssemblerSH4::absDouble):
1725         (JSC::MacroAssemblerSH4::replaceWithJump):
1726         (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
1727         * assembler/SH4Assembler.h:
1728         (JSC::SH4Assembler::shllImm8r):
1729         (JSC::SH4Assembler::shlrImm8r):
1730         (JSC::SH4Assembler::cmplRegReg):
1731         (JSC::SH4Assembler::branch):
1732         * assembler/X86Assembler.h:
1733         (JSC::X86Assembler::replaceWithLoad):
1734         (JSC::X86Assembler::replaceWithAddressComputation):
1735         * bytecode/CallLinkInfo.cpp:
1736         (JSC::CallLinkInfo::unlink):
1737         * bytecode/CodeBlock.cpp:
1738         (JSC::debugHookName):
1739         (JSC::CodeBlock::printGetByIdOp):
1740         (JSC::CodeBlock::printGetByIdCacheStatus):
1741         (JSC::CodeBlock::visitAggregate):
1742         (JSC::CodeBlock::finalizeUnconditionally):
1743         (JSC::CodeBlock::usesOpcode):
1744         * bytecode/DataFormat.h:
1745         (JSC::needDataFormatConversion):
1746         * bytecode/ExitKind.cpp:
1747         (JSC::exitKindToString):
1748         (JSC::exitKindIsCountable):
1749         * bytecode/MethodOfGettingAValueProfile.cpp:
1750         (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
1751         * bytecode/Opcode.h:
1752         (JSC::opcodeLength):
1753         * bytecode/PolymorphicPutByIdList.cpp:
1754         (JSC::PutByIdAccess::fromStructureStubInfo):
1755         (JSC::PutByIdAccess::visitWeak):
1756         * bytecode/StructureStubInfo.cpp:
1757         (JSC::StructureStubInfo::deref):
1758         * bytecompiler/BytecodeGenerator.cpp:
1759         (JSC::ResolveResult::checkValidity):
1760         (JSC::BytecodeGenerator::emitGetLocalVar):
1761         (JSC::BytecodeGenerator::beginSwitch):
1762         * bytecompiler/NodesCodegen.cpp:
1763         (JSC::BinaryOpNode::emitBytecode):
1764         (JSC::emitReadModifyAssignment):
1765         * dfg/DFGAbstractState.cpp:
1766         (JSC::DFG::AbstractState::execute):
1767         (JSC::DFG::AbstractState::mergeStateAtTail):
1768         (JSC::DFG::AbstractState::mergeToSuccessors):
1769         * dfg/DFGByteCodeParser.cpp:
1770         (JSC::DFG::ByteCodeParser::makeSafe):
1771         (JSC::DFG::ByteCodeParser::parseBlock):
1772         * dfg/DFGCFGSimplificationPhase.cpp:
1773         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
1774         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
1775         * dfg/DFGCSEPhase.cpp:
1776         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1777         * dfg/DFGCapabilities.cpp:
1778         (JSC::DFG::canHandleOpcodes):
1779         * dfg/DFGCommon.h:
1780         (JSC::DFG::useKindToString):
1781         * dfg/DFGDoubleFormatState.h:
1782         (JSC::DFG::mergeDoubleFormatStates):
1783         (JSC::DFG::doubleFormatStateToString):
1784         * dfg/DFGFixupPhase.cpp:
1785         (JSC::DFG::FixupPhase::blessArrayOperation):
1786         * dfg/DFGGraph.h:
1787         (JSC::DFG::Graph::clobbersWorld):
1788         * dfg/DFGNode.h:
1789         (JSC::DFG::Node::valueOfJSConstant):
1790         (JSC::DFG::Node::successor):
1791         * dfg/DFGNodeFlags.cpp:
1792         (JSC::DFG::nodeFlagsAsString):
1793         * dfg/DFGNodeType.h:
1794         (JSC::DFG::defaultFlags):
1795         * dfg/DFGRepatch.h:
1796         (JSC::DFG::dfgResetGetByID):
1797         (JSC::DFG::dfgResetPutByID):
1798         * dfg/DFGSlowPathGenerator.h:
1799         (JSC::DFG::SlowPathGenerator::call):
1800         * dfg/DFGSpeculativeJIT.cpp:
1801         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1802         (JSC::DFG::SpeculativeJIT::silentSpill):
1803         (JSC::DFG::SpeculativeJIT::silentFill):
1804         (JSC::DFG::SpeculativeJIT::checkArray):
1805         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
1806         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1807         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1808         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1809         * dfg/DFGSpeculativeJIT.h:
1810         (JSC::DFG::SpeculativeJIT::bitOp):
1811         (JSC::DFG::SpeculativeJIT::shiftOp):
1812         (JSC::DFG::SpeculativeJIT::integerResult):
1813         * dfg/DFGSpeculativeJIT32_64.cpp:
1814         (JSC::DFG::SpeculativeJIT::fillInteger):
1815         (JSC::DFG::SpeculativeJIT::fillDouble):
1816         (JSC::DFG::SpeculativeJIT::fillJSValue):
1817         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1818         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1819         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1820         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1821         (JSC::DFG::SpeculativeJIT::compile):
1822         * dfg/DFGSpeculativeJIT64.cpp:
1823         (JSC::DFG::SpeculativeJIT::fillInteger):
1824         (JSC::DFG::SpeculativeJIT::fillDouble):
1825         (JSC::DFG::SpeculativeJIT::fillJSValue):
1826         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1827         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1828         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1829         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1830         (JSC::DFG::SpeculativeJIT::compile):
1831         * dfg/DFGStructureCheckHoistingPhase.cpp:
1832         (JSC::DFG::StructureCheckHoistingPhase::run):
1833         * dfg/DFGValueSource.h:
1834         (JSC::DFG::ValueSource::valueRecovery):
1835         * dfg/DFGVariableEvent.cpp:
1836         (JSC::DFG::VariableEvent::dump):
1837         * dfg/DFGVariableEventStream.cpp:
1838         (JSC::DFG::VariableEventStream::reconstruct):
1839         * heap/BlockAllocator.h:
1840         (JSC::BlockAllocator::regionSetFor):
1841         * heap/GCThread.cpp:
1842         (JSC::GCThread::gcThreadMain):
1843         * heap/MarkedBlock.cpp:
1844         (JSC::MarkedBlock::sweepHelper):
1845         * heap/MarkedBlock.h:
1846         (JSC::MarkedBlock::isLive):
1847         * interpreter/CallFrame.h:
1848         (JSC::ExecState::inlineCallFrame):
1849         * interpreter/Interpreter.cpp:
1850         (JSC::getCallerInfo):
1851         (JSC::getStackFrameCodeType):
1852         (JSC::Interpreter::execute):
1853         * jit/ExecutableAllocatorFixedVMPool.cpp:
1854         (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
1855         * jit/JIT.cpp:
1856         (JSC::JIT::privateCompileMainPass):
1857         (JSC::JIT::privateCompileSlowCases):
1858         (JSC::JIT::privateCompile):
1859         * jit/JITArithmetic.cpp:
1860         (JSC::JIT::emitSlow_op_mod):
1861         * jit/JITArithmetic32_64.cpp:
1862         (JSC::JIT::emitBinaryDoubleOp):
1863         (JSC::JIT::emitSlow_op_mod):
1864         * jit/JITPropertyAccess.cpp:
1865         (JSC::JIT::isDirectPutById):
1866         * jit/JITStubs.cpp:
1867         (JSC::getPolymorphicAccessStructureListSlot):
1868         (JSC::DEFINE_STUB_FUNCTION):
1869         * llint/LLIntSlowPaths.cpp:
1870         (JSC::LLInt::jitCompileAndSetHeuristics):
1871         * parser/Lexer.cpp:
1872         (JSC::::lex):
1873         * parser/Nodes.h:
1874         (JSC::ExpressionNode::emitBytecodeInConditionContext):
1875         * parser/Parser.h:
1876         (JSC::Parser::getTokenName):
1877         (JSC::Parser::updateErrorMessageSpecialCase):
1878         * parser/SyntaxChecker.h:
1879         (JSC::SyntaxChecker::operatorStackPop):
1880         * runtime/Arguments.cpp:
1881         (JSC::Arguments::tearOffForInlineCallFrame):
1882         * runtime/DatePrototype.cpp:
1883         (JSC::formatLocaleDate):
1884         * runtime/Executable.cpp:
1885         (JSC::samplingDescription):
1886         * runtime/Executable.h:
1887         (JSC::ScriptExecutable::unlinkCalls):
1888         * runtime/Identifier.cpp:
1889         (JSC):
1890         * runtime/InternalFunction.cpp:
1891         (JSC::InternalFunction::getCallData):
1892         * runtime/JSArray.cpp:
1893         (JSC::JSArray::push):
1894         (JSC::JSArray::sort):
1895         * runtime/JSCell.cpp:
1896         (JSC::JSCell::defaultValue):
1897         (JSC::JSCell::getOwnPropertyNames):
1898         (JSC::JSCell::getOwnNonIndexPropertyNames):
1899         (JSC::JSCell::className):
1900         (JSC::JSCell::getPropertyNames):
1901         (JSC::JSCell::customHasInstance):
1902         (JSC::JSCell::putDirectVirtual):
1903         (JSC::JSCell::defineOwnProperty):
1904         (JSC::JSCell::getOwnPropertyDescriptor):
1905         * runtime/JSCell.h:
1906         (JSCell):
1907         * runtime/JSNameScope.cpp:
1908         (JSC::JSNameScope::put):
1909         * runtime/JSObject.cpp:
1910         (JSC::JSObject::getOwnPropertySlotByIndex):
1911         (JSC::JSObject::putByIndex):
1912         (JSC::JSObject::ensureArrayStorageSlow):
1913         (JSC::JSObject::deletePropertyByIndex):
1914         (JSC::JSObject::getOwnPropertyNames):
1915         (JSC::JSObject::putByIndexBeyondVectorLength):
1916         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1917         (JSC::JSObject::getOwnPropertyDescriptor):
1918         * runtime/JSObject.h:
1919         (JSC::JSObject::canGetIndexQuickly):
1920         (JSC::JSObject::getIndexQuickly):
1921         (JSC::JSObject::tryGetIndexQuickly):
1922         (JSC::JSObject::canSetIndexQuickly):
1923         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
1924         (JSC::JSObject::setIndexQuickly):
1925         (JSC::JSObject::initializeIndex):
1926         (JSC::JSObject::hasSparseMap):
1927         (JSC::JSObject::inSparseIndexingMode):
1928         * runtime/JSScope.cpp:
1929         (JSC::JSScope::isDynamicScope):
1930         * runtime/JSSymbolTableObject.cpp:
1931         (JSC::JSSymbolTableObject::putDirectVirtual):
1932         * runtime/JSSymbolTableObject.h:
1933         (JSSymbolTableObject):
1934         * runtime/LiteralParser.cpp:
1935         (JSC::::parse):
1936         * runtime/RegExp.cpp:
1937         (JSC::RegExp::compile):
1938         (JSC::RegExp::compileMatchOnly):
1939         * runtime/StructureTransitionTable.h:
1940         (JSC::newIndexingType):
1941         * tools/CodeProfile.cpp:
1942         (JSC::CodeProfile::sample):
1943         * yarr/YarrCanonicalizeUCS2.h:
1944         (JSC::Yarr::getCanonicalPair):
1945         (JSC::Yarr::areCanonicallyEquivalent):
1946         * yarr/YarrInterpreter.cpp:
1947         (JSC::Yarr::Interpreter::matchCharacterClass):
1948         (JSC::Yarr::Interpreter::matchBackReference):
1949         (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
1950         (JSC::Yarr::Interpreter::matchParentheses):
1951         (JSC::Yarr::Interpreter::backtrackParentheses):
1952         (JSC::Yarr::Interpreter::matchDisjunction):
1953         * yarr/YarrJIT.cpp:
1954         (JSC::Yarr::YarrGenerator::generateTerm):
1955         (JSC::Yarr::YarrGenerator::backtrackTerm):
1956         * yarr/YarrParser.h:
1957         (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
1958         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
1959         * yarr/YarrPattern.cpp:
1960         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
1961
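The RELEASE_ASSERT hardening described in the entries for bugs 107766, 107736 and 107726 (a debug-only ASSERT that is compiled out of release builds, replaced by a check that survives there, plus the `if (foo) CRASH();` to `RELEASE_ASSERT(!foo);` rewrite), shown as an added C++ example that is not WebKit's code. ASSERT, RELEASE_ASSERT, ContiguousStorage, the allocation limit and the sample storage are stand-ins constructed for illustration; the macros throw instead of calling CRASH() so the outcome can be observed.

```cpp
// Added example (not WebKit code): what the ASSERT -> RELEASE_ASSERT
// hardening changes at runtime. The macros below are stand-ins for WebKit's;
// WebKit's RELEASE_ASSERT calls CRASH(), while these throw so the outcome
// can be checked from a test instead of terminating the process.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Debug-only check: compiled out entirely in release (NDEBUG) builds.
#ifdef NDEBUG
#define ASSERT(cond) ((void)0)
constexpr bool kDebugAssertsEnabled = false;
#else
#define ASSERT(cond) do { if (!(cond)) throw std::logic_error("ASSERT: " #cond); } while (0)
constexpr bool kDebugAssertsEnabled = true;
#endif

// Release-mode check: always evaluated, regardless of build configuration.
#define RELEASE_ASSERT(cond) do { if (!(cond)) throw std::logic_error("RELEASE_ASSERT: " #cond); } while (0)
#define RELEASE_ASSERT_NOT_REACHED() throw std::logic_error("RELEASE_ASSERT_NOT_REACHED")

// Constructed model of a heap cell: a contiguous int32 vector whose logical
// length is shorter than the physical allocation, so an unchecked read past
// `length` lands on unrelated data (a constructed sentinel) instead of faulting.
struct ContiguousStorage {
    std::vector<int32_t> words;  // physical allocation
    size_t length;               // logical element count exposed to callers
};

inline ContiguousStorage makeSampleStorage() {
    // Four live elements followed by four words that belong to "something else".
    return ContiguousStorage{{10, 20, 30, 40, 0x5EC4E7, 0, 0, 0}, 4};
}

// "Before": the bounds check is a plain ASSERT. In a release build the check
// vanishes and the function quietly returns whatever follows the array.
inline int32_t getIndexDebugChecked(const ContiguousStorage& s, size_t index) {
    ASSERT(index < s.length);
    return s.words.at(index);  // .at() keeps the model well-defined; JSC uses raw pointers
}

// "After": RELEASE_ASSERT keeps the check in every build, so an out-of-bounds
// read becomes a controlled crash rather than a silent read of adjacent memory.
inline int32_t getIndexReleaseChecked(const ContiguousStorage& s, size_t index) {
    RELEASE_ASSERT(index < s.length);
    return s.words.at(index);
}

// The mechanical rewrite from bug 107726: `if (foo) CRASH();` becomes
// `RELEASE_ASSERT(!foo);`. Same behaviour; the condition now reads as the
// invariant being upheld rather than the failure being detected.
inline size_t roundUpAllocationSizeChecked(size_t request, size_t granularity) {
    constexpr size_t kMaxAllocation = size_t(1) << 30;  // constructed limit
    // Old form: if (request > kMaxAllocation) CRASH();
    RELEASE_ASSERT(request <= kMaxAllocation);
    // Old form: if (!granularity || (granularity & (granularity - 1))) CRASH();
    RELEASE_ASSERT(granularity != 0 && (granularity & (granularity - 1)) == 0);
    return (request + granularity - 1) & ~(granularity - 1);
}

// Enum-to-string in the style of exitKindToString: an unexpected enumerator
// reaches RELEASE_ASSERT_NOT_REACHED() in every build, not only in debug.
enum class DataFormat { None, Integer, Double, Cell };
inline const char* dataFormatToString(DataFormat f) {
    switch (f) {
    case DataFormat::None: return "None";
    case DataFormat::Integer: return "Integer";
    case DataFormat::Double: return "Double";
    case DataFormat::Cell: return "Cell";
    }
    RELEASE_ASSERT_NOT_REACHED();
}

// Helpers that report whether a bad access was caught, as return values
// rather than crashes, so the two check styles can be compared directly.
inline bool outOfBoundsCaughtByDebugAssert() {
    try { (void)getIndexDebugChecked(makeSampleStorage(), 4); return false; }
    catch (const std::logic_error&) { return true; }
}
inline bool outOfBoundsCaughtByReleaseAssert() {
    try { (void)getIndexReleaseChecked(makeSampleStorage(), 4); return false; }
    catch (const std::logic_error&) { return true; }
}
inline bool invalidEnumCaught() {
    try { (void)dataFormatToString(static_cast<DataFormat>(42)); return false; }
    catch (const std::logic_error&) { return true; }
}
```

Compile once with and once without `-DNDEBUG`: only `outOfBoundsCaughtByDebugAssert()` changes its answer, which is the gap the RELEASE_ASSERT entries close.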
1962 2013-01-23  Tony Chang  <tony@chromium.org>
1963
1964         Unreviewed, set svn:eol-style to CRLF on Windows .sln files.
1965
1966         * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
1967         * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
1968
1969 2013-01-23  Oliver Hunt  <oliver@apple.com>
1970
1971         Replace numerous manual CRASH's in JSC with RELEASE_ASSERT
1972         https://bugs.webkit.org/show_bug.cgi?id=107726
1973
1974         Reviewed by Filip Pizlo.
1975
1976         Fairly manual change from if (foo) CRASH(); to RELEASE_ASSERT(!foo);
1977
1978         * assembler/MacroAssembler.h:
1979         (JSC::MacroAssembler::branchAdd32):
1980         (JSC::MacroAssembler::branchMul32):
1981         * bytecode/CodeBlockHash.cpp:
1982         (JSC::CodeBlockHash::CodeBlockHash):
1983         * heap/BlockAllocator.h:
1984         (JSC::Region::create):
1985         (JSC::Region::createCustomSize):
1986         * heap/GCAssertions.h:
1987         * heap/HandleSet.cpp:
1988         (JSC::HandleSet::visitStrongHandles):
1989         (JSC::HandleSet::writeBarrier):
1990         * heap/HandleSet.h:
1991         (JSC::HandleSet::allocate):
1992         * heap/Heap.cpp:
1993         (JSC::Heap::collect):
1994         * heap/SlotVisitor.cpp:
1995         (JSC::SlotVisitor::validate):
1996         * interpreter/Interpreter.cpp:
1997         (JSC::Interpreter::execute):
1998         * jit/ExecutableAllocator.cpp:
1999         (JSC::DemandExecutableAllocator::allocateNewSpace):
2000         (JSC::ExecutableAllocator::allocate):
2001         * jit/ExecutableAllocator.h:
2002         (JSC::roundUpAllocationSize):
2003         * jit/ExecutableAllocatorFixedVMPool.cpp:
2004         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2005         (JSC::ExecutableAllocator::allocate):
2006         * runtime/ButterflyInlines.h:
2007         (JSC::Butterfly::createUninitialized):
2008         * runtime/Completion.cpp:
2009         (JSC::evaluate):
2010         * runtime/JSArray.h:
2011         (JSC::constructArray):
2012         * runtime/JSGlobalObject.cpp:
2013         (JSC::slowValidateCell):
2014         * runtime/JSObject.cpp:
2015         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2016         (JSC::JSObject::createArrayStorage):
2017         * tools/TieredMMapArray.h:
2018         (JSC::TieredMMapArray::append):
2019         * yarr/YarrInterpreter.cpp:
2020         (JSC::Yarr::Interpreter::allocDisjunctionContext):
2021         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
2022         (JSC::Yarr::Interpreter::InputStream::readChecked):
2023         (JSC::Yarr::Interpreter::InputStream::uncheckInput):
2024         (JSC::Yarr::Interpreter::InputStream::atEnd):
2025         (JSC::Yarr::Interpreter::interpret):
2026
2027 2013-01-22  Filip Pizlo  <fpizlo@apple.com>
2028
2029         Convert CSE phase to not rely too much on NodeIndex
2030         https://bugs.webkit.org/show_bug.cgi?id=107616
2031
2032         Reviewed by Geoffrey Garen.
2033         
2034         - Instead of looping over the graph (which assumes that you can simply loop over all
2035           nodes without considering blocks first) to reset node.replacement, do that in the
2036           loop that sets up relevantToOSR, just before running CSE on the block.
2037         
2038         - Instead of having a relevantToOSR bitvector indexed by NodeIndex, made
2039           NodeRelevantToOSR be a NodeFlag. We had exactly one bit left in NodeFlags, so I did
2040           some reshuffling to fit it in.
2041
2042         * dfg/DFGCSEPhase.cpp:
2043         (JSC::DFG::CSEPhase::CSEPhase):
2044         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
2045         (JSC::DFG::CSEPhase::performNodeCSE):
2046         (JSC::DFG::CSEPhase::performBlockCSE):
2047         (CSEPhase):
2048         * dfg/DFGNodeFlags.h:
2049         (DFG):
2050         * dfg/DFGNodeType.h:
2051         (DFG):
2052
2053 2013-01-21  Kentaro Hara  <haraken@chromium.org>
2054
2055         Implement UIEvent constructor
2056         https://bugs.webkit.org/show_bug.cgi?id=107430
2057
2058         Reviewed by Adam Barth.
2059
2060         Editor's draft: https://dvcs.w3.org/hg/d4e/raw-file/tip/source_respec.htm
2061
2062         UIEvent constructor is implemented under a DOM4_EVENTS_CONSTRUCTOR flag,
2063         which is enabled on Safari and Chromium for now.
2064
2065         * Configurations/FeatureDefines.xcconfig:
2066
2067 2013-01-22  Roger Fong  <roger_fong@apple.com>
2068
2069         Unreviewed VS2010 build fix following r140259.
2070
2071         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2072         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2073
2074 2013-01-22  Roger Fong  <roger_fong@apple.com>
2075
2076         JavaScriptCore property sheets, project files and modified build scripts.
2077         https://bugs.webkit.org/show_bug.cgi?id=106987
2078
2079         Reviewed by Brent Fulgham.
2080
2081         * JavaScriptCore.vcxproj: Added.
2082         * JavaScriptCore.vcxproj/JavaScriptCore.resources: Added.
2083         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist: Added.
2084         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added.
2085         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added.
2086         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.user: Added.
2087         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Added.
2088         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Added.
2089         * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Added.
2090         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Added.
2091         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Added.
2092         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Added.
2093         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Added.
2094         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.user: Added.
2095         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Added.
2096         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Added.
2097         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Added.
2098         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Added.
2099         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Added.
2100         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Added.
2101         * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Added.
2102         * JavaScriptCore.vcxproj/LLInt.vcproj: Added.
2103         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Added.
2104         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Added.
2105         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Added.
2106         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Added.
2107         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added.
2108         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Added.
2109         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added.
2110         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Added.
2111         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Added.
2112         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added.
2113         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Added.
2114         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Added.
2115         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Added.
2116         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Added.
2117         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Added.
2118         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Added.
2119         * JavaScriptCore.vcxproj/build-generated-files.sh: Added.
2120         * JavaScriptCore.vcxproj/copy-files.cmd: Added.
2121         * JavaScriptCore.vcxproj/jsc: Added.
2122         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Added.
2123         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Added.
2124         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.user: Added.
2125         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Added.
2126         * JavaScriptCore.vcxproj/jsc/jscDebug.props: Added.
2127         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Added.
2128         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Added.
2129         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Added.
2130         * JavaScriptCore.vcxproj/jsc/jscRelease.props: Added.
2131         * config.h:
2132
2133 2013-01-22  Joseph Pecoraro  <pecoraro@apple.com>
2134
2135         [Mac] Enable Page Visibility (PAGE_VISIBILITY_API)
2136         https://bugs.webkit.org/show_bug.cgi?id=107230
2137
2138         Reviewed by David Kilzer.
2139
2140         * Configurations/FeatureDefines.xcconfig:
2141
2142 2013-01-22  Tobias Netzel  <tobias.netzel@googlemail.com>
2143
2144         Yarr JIT isn't big endian compatible
2145         https://bugs.webkit.org/show_bug.cgi?id=102897
2146
2147         Reviewed by Oliver Hunt.
2148
2149         This patch was tested in the current mozilla codebase only and has passed the regexp tests there.
2150
2151         * yarr/YarrJIT.cpp:
2152         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
2153
2154 2013-01-22  David Kilzer  <ddkilzer@apple.com>
2155
2156         Fix DateMath.cpp to compile with -Wshorten-64-to-32
2157         <http://webkit.org/b/107503>
2158
2159         Reviewed by Darin Adler.
2160
2161         * runtime/JSDateMath.cpp:
2162         (JSC::parseDateFromNullTerminatedCharacters): Remove unneeded
2163         static_cast<int>().
2164
2165 2013-01-22  Tim Horton  <timothy_horton@apple.com>
2166
2167         PDFPlugin: Build PDFPlugin everywhere, enable at runtime
2168         https://bugs.webkit.org/show_bug.cgi?id=107117
2169
2170         Reviewed by Alexey Proskuryakov.
2171
2172         Since PDFLayerController SPI is all forward-declared, the plugin should build
2173         on all Mac platforms, and can be enabled at runtime.
2174
2175         * Configurations/FeatureDefines.xcconfig:
2176
2177 2013-01-21  Justin Schuh  <jschuh@chromium.org>
2178
2179         [CHROMIUM] Suppress c4267 build warnings for Win64 targets
2180         https://bugs.webkit.org/show_bug.cgi?id=107499
2181
2182         Reviewed by Abhishek Arya.
2183
2184         * JavaScriptCore.gyp/JavaScriptCore.gyp:
2185
2186 2013-01-21  Dirk Schulze  <dschulze@adobe.com>
2187
2188         Add build flag for Canvas's Path object (disabled by default)
2189         https://bugs.webkit.org/show_bug.cgi?id=107473
2190
2191         Reviewed by Dean Jackson.
2192
2193         Add CANVAS_PATH build flag to build systems.
2194
2195         * Configurations/FeatureDefines.xcconfig:
2196
2197 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
2198
2199         Weak GC maps should be easier to use
2200         https://bugs.webkit.org/show_bug.cgi?id=107312
2201
2202         Reviewed by Sam Weinig.
2203
2204         Follow-up fix.
2205
2206         * runtime/PrototypeMap.cpp:
2207         (JSC::PrototypeMap::emptyObjectStructureForPrototype): Restored this
2208         ASSERT, which was disabled because of a bug in WeakGCMap.
2209
2210         * runtime/WeakGCMap.h:
2211         (JSC::WeakGCMap::add): We can't pass our passed-in value to add() because
2212         a PassWeak() clears itself when passed to another function. So, we pass
2213         nullptr instead, and fix things up afterwards.
2214
2215 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
2216
2217         Unreviewed.
2218
2219         Temporarily disabling this ASSERT to get the bots green
2220         while I investigate a fix.
2221
2222         * runtime/PrototypeMap.cpp:
2223         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2224
2225 2013-01-20  Filip Pizlo  <fpizlo@apple.com>
2226
2227         Inserting a node into the DFG graph should not require five lines of code
2228         https://bugs.webkit.org/show_bug.cgi?id=107381
2229
2230         Reviewed by Sam Weinig.
2231         
2232         This adds fairly comprehensive support for inserting a node into a DFG graph in one
2233         method call. A common example of this is:
2234         
2235         m_insertionSet.insertNode(indexInBlock, DontRefChildren, DontRefNode, SpecNone, ForceOSRExit, codeOrigin);
2236         
2237         The arguments to insert() specify what reference counting you need to have happen
2238         (RefChildren => recursively refs all children, RefNode => non-recursively refs the node
2239         that was created), the prediction to set (SpecNone is a common default), followed by
2240         the arguments to the Node() constructor. InsertionSet::insertNode() and similar methods
2241         (Graph::addNode() and BasicBlock::appendNode()) all use a common variadic template
2242         function macro from DFGVariadicFunction.h. Also, all of these methods will automatically
2243         non-recursively ref() the node being created if the flags say NodeMustGenerate.
2244         
2245         In all, this new mechanism retains the flexibility of the old approach (you get to
2246         manage ref counts yourself, albeit in less code) while ensuring that most code that adds
2247         nodes to the graph now needs less code to do it.
2248         
2249         In the future, we should revisit the reference counting methodology in the DFG: we could
2250         do like most compilers and get rid of it entirely, or we could make it automatic. This
2251         patch doesn't attempt to make any such major changes, and only seeks to simplify the
2252         technique we were already using (manual ref counting).
2253
2254         * GNUmakefile.list.am:
2255         * JavaScriptCore.xcodeproj/project.pbxproj:
2256         * bytecode/Operands.h:
2257         (JSC::dumpOperands):
2258         * dfg/DFGAdjacencyList.h:
2259         (AdjacencyList):
2260         (JSC::DFG::AdjacencyList::kind):
2261         * dfg/DFGArgumentsSimplificationPhase.cpp:
2262         (JSC::DFG::ArgumentsSimplificationPhase::run):
2263         * dfg/DFGBasicBlock.h:
2264         (DFG):
2265         (BasicBlock):
2266         * dfg/DFGBasicBlockInlines.h: Added.
2267         (DFG):
2268         * dfg/DFGCFGSimplificationPhase.cpp:
2269         (JSC::DFG::CFGSimplificationPhase::run):
2270         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
2271         * dfg/DFGCommon.h:
2272         * dfg/DFGConstantFoldingPhase.cpp:
2273         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
2274         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2275         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2276         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
2277         (ConstantFoldingPhase):
2278         * dfg/DFGFixupPhase.cpp:
2279         (JSC::DFG::FixupPhase::FixupPhase):
2280         (JSC::DFG::FixupPhase::fixupBlock):
2281         (JSC::DFG::FixupPhase::fixupNode):
2282         (FixupPhase):
2283         (JSC::DFG::FixupPhase::checkArray):
2284         (JSC::DFG::FixupPhase::blessArrayOperation):
2285         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2286         * dfg/DFGGraph.h:
2287         (JSC::DFG::Graph::ref):
2288         (Graph):
2289         * dfg/DFGInsertionSet.h:
2290         (DFG):
2291         (JSC::DFG::Insertion::Insertion):
2292         (JSC::DFG::Insertion::element):
2293         (Insertion):
2294         (JSC::DFG::InsertionSet::InsertionSet):
2295         (JSC::DFG::InsertionSet::insert):
2296         (InsertionSet):
2297         (JSC::DFG::InsertionSet::execute):
2298         * dfg/DFGNode.h:
2299         (JSC::DFG::Node::Node):
2300         (Node):
2301         * dfg/DFGStructureCheckHoistingPhase.cpp:
2302         (JSC::DFG::StructureCheckHoistingPhase::run):
2303         * dfg/DFGVariadicFunction.h: Added.
2304
2305 2013-01-19  Geoffrey Garen  <ggaren@apple.com>
2306
2307         Track inheritance structures in a side table, instead of using a private
2308         name in each prototype
2309         https://bugs.webkit.org/show_bug.cgi?id=107378
2310
2311         Reviewed by Sam Weinig and Phil Pizlo.
2312
2313         This is a step toward object size inference.
2314
2315         Using a side table frees us to use a more complex key (a pair of
2316         prototype and expected inline capacity).
2317
2318         It also avoids ruining inline caches for prototypes. (Adding a new private
2319         name for a new inline capacity would change the prototype's structure,
2320         possibly firing watchpoints, making inline caches go polymorphic, and
2321         generally causing us to have a bad time.)
2322
2323         * CMakeLists.txt:
2324         * GNUmakefile.list.am:
2325         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2326         * JavaScriptCore.xcodeproj/project.pbxproj:
2327         * Target.pri: Buildage.
2328
2329         * runtime/ArrayPrototype.cpp:
2330         (JSC::ArrayPrototype::finishCreation): Updated to use new side table API.
2331
2332         * runtime/JSFunction.cpp:
2333         (JSC::JSFunction::cacheInheritorID): Updated to use new side table API.
2334
2335         (JSC::JSFunction::visitChildren): Fixed a long-standing bug where JSFunction
2336         forgot to visit one of its data members (m_cachedInheritorID). This
2337         wasn't a user-visible problem before because JSFunction would always
2338         visit its .prototype property, which visited its m_cachedInheritorID.
2339         But now, function.prototype only weakly owns function.m_cachedInheritorID.
2340
2341         * runtime/JSGlobalData.h:
2342         (JSGlobalData): Added the map, taking care to make sure that its
2343         destructor would run after the heap destructor.
2344
2345         * runtime/JSGlobalObject.cpp:
2346         (JSC::JSGlobalObject::reset): Updated to use new side table API.
2347
2348         * runtime/JSObject.cpp:
2349         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2350         (JSC::JSObject::setPrototype):
2351         * runtime/JSObject.h:
2352         (JSObject): Updated to use new side table API, and removed lots of code
2353         that used to manage the per-object private name.
2354
2355         * runtime/JSProxy.cpp:
2356         (JSC::JSProxy::setTarget):
2357         * runtime/ObjectConstructor.cpp:
2358         (JSC::objectConstructorCreate):
2359         * runtime/ObjectPrototype.cpp:
2360         (JSC::ObjectPrototype::finishCreation): Updated to use new side table API.
2361
2362         * runtime/PrototypeMap.cpp: Added.
2363         (JSC):
2364         (JSC::PrototypeMap::addPrototype):
2365         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2366         * runtime/PrototypeMap.h: Added.
2367         (PrototypeMap):
2368         (JSC::PrototypeMap::isPrototype):
2369         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): New side table.
2370         This is a simple weak map, mapping an object to the structure you should
2371         use when inheriting from that object. (In future, inline capacity will
2372         be a part of the mapping.)
2373
2374         I used two maps to preserve existing behavior that allowed us to speculate
2375         about an object becoming a prototype, even if it wasn't one at the moment.
2376         However, I suspect that behavior can be removed without harm.
2377
2378         * runtime/WeakGCMap.h:
2379         (JSC::WeakGCMap::contains):
2380         (WeakGCMap): I would rate myself a 6 / 10 in C++.
2381
2382 2013-01-18  Dan Bernstein  <mitz@apple.com>
2383
2384         Removed duplicate references to two headers in the project files.
2385
2386         Rubber-stamped by Mark Rowe.
2387
2388         * JavaScriptCore.xcodeproj/project.pbxproj:
2389
2390 2013-01-18  Michael Saboff  <msaboff@apple.com>
2391
2392         Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.
2393         Fixes the case where the argument node in fixupNode is freed due to the Vector storage being reallocated.
2394
2395         * dfg/DFGFixupPhase.cpp:
2396         (JSC::DFG::FixupPhase::fixupNode):
2397
2398 2013-01-18  Michael Saboff  <msaboff@apple.com>
2399
2400         Unreviewed build fix for release builds when DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE is set to 1 in DFGCommon.h.
2401
2402         * dfg/DFGCFAPhase.cpp: Added #include "Operations.h"
2403
2404 2013-01-18  Michael Saboff  <msaboff@apple.com>
2405
2406         Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
2407         https://bugs.webkit.org/show_bug.cgi?id=107340
2408
2409         Reviewed by Filip Pizlo.
2410
2411         Due to the change landed in r140201, more nodes might end up
2412         generating Int32ToDouble nodes.  Therefore, changed the JSVALUE64
2413         constant path of compileInt32ToDouble() to use the more
2414         restrictive isInt32Constant() check on the input.  This check was
2415         the same as the existing ASSERT() so the ASSERT was eliminated.
2416
2417         * dfg/DFGSpeculativeJIT.cpp:
2418         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
2419
2420 2013-01-18  Viatcheslav Ostapenko  <sl.ostapenko@samsung.com>
2421
2422         Weak GC maps should be easier to use
2423         https://bugs.webkit.org/show_bug.cgi?id=107312
2424
2425         Reviewed by Ryosuke Niwa.
2426
2427         Build fix for linux platforms after r140194.
2428
2429         * runtime/WeakGCMap.h:
2430         (WeakGCMap):
2431
2432 2013-01-18  Michael Saboff  <msaboff@apple.com>
2433
2434         Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly
2435         https://bugs.webkit.org/show_bug.cgi?id=107321
2436
2437         Reviewed by Filip Pizlo.
2438
2439         Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
2440         an ArithDiv node with integer inputs and output for platforms that don't have integer division.
2441         Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
2442         without any further checks.
2443
2444         * dfg/DFGFixupPhase.cpp:
2445         (JSC::DFG::FixupPhase::fixupNode):
2446         (JSC::DFG::FixupPhase::fixDoubleEdge):
2447         (FixupPhase):
2448         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2449
2450 2013-01-18  Michael Saboff  <msaboff@apple.com>
2451
2452         Fix up of ArithDiv nodes for non-x86 CPUs is broken
2453         https://bugs.webkit.org/show_bug.cgi?id=107309
2454
2455         Reviewed by Filip Pizlo.
2456
2457         Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
2458
2459         * dfg/DFGFixupPhase.cpp:
2460         (JSC::DFG::FixupPhase::fixDoubleEdge):
2461
2462 2013-01-18  Dan Bernstein  <mitz@apple.com>
2463
2464         Tried to fix the build after r140194.
2465
2466         * API/JSWrapperMap.mm:
2467         (-[JSWrapperMap wrapperForObject:]):
2468
2469 2013-01-18  Mark Hahnenberg  <mhahnenberg@apple.com>
2470
2471         Objective-C API: Update documentation for JSValue and JSContext
2472         https://bugs.webkit.org/show_bug.cgi?id=107313
2473
2474         Reviewed by Geoffrey Garen.
2475
2476         After changing the semantics of object lifetime we need to update the API documentation to reflect the new semantics.
2477
2478         * API/APIJSValue.h:
2479         * API/JSContext.h:
2480
2481 2013-01-18  Balazs Kilvady  <kilvadyb@homejinni.com>
2482
2483         r134080 causes heap problem on linux systems where PAGESIZE != 4096
2484         https://bugs.webkit.org/show_bug.cgi?id=102828
2485
2486         Reviewed by Mark Hahnenberg.
2487
2488         Make MarkStackSegment::blockSize the capacity of segments of a MarkStackArray.
2489
2490         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2491         * heap/MarkStack.cpp:
2492         (JSC):
2493         (JSC::MarkStackArray::MarkStackArray):
2494         (JSC::MarkStackArray::expand):
2495         (JSC::MarkStackArray::donateSomeCellsTo):
2496         (JSC::MarkStackArray::stealSomeCellsFrom):
2497         * heap/MarkStack.h:
2498         (JSC::MarkStackSegment::data):
2499         (CapacityFromSize):
2500         (MarkStackArray):
2501         * heap/MarkStackInlines.h:
2502         (JSC::MarkStackArray::setTopForFullSegment):
2503         (JSC::MarkStackArray::append):
2504         (JSC::MarkStackArray::isEmpty):
2505         (JSC::MarkStackArray::size):
2506         * runtime/Options.h:
2507         (JSC):
2508
2509 2013-01-18  Geoffrey Garen  <ggaren@apple.com>
2510
2511         Weak GC maps should be easier to use
2512         https://bugs.webkit.org/show_bug.cgi?id=107312
2513
2514         Reviewed by Sam Weinig.
2515
2516         This patch changes WeakGCMap to not use a WeakImpl finalizer to remove
2517         items from the map, and to instead have the map automatically remove
2518         stale items itself upon insertion. This has a few advantages:
2519
2520         (1) WeakGCMap is now compatible with all the specializations you would
2521         use for HashMap.
2522
2523         (2) There's no need for clients to write special finalization munging
2524         functions.
2525
2526         (3) Clients can specify custom value finalizers if they like.
2527
2528         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Def!
2529
2530         * API/JSWeakObjectMapRefPrivate.cpp: Setter no longer requires a global
2531         data, since we've reduced interdependency.
2532
2533         * heap/Handle.h: No more need to forward declare, since we've reduced
2534         interdependency.
2535
2536         * heap/Weak.h:
2537         (Weak): Use explicit so we can assign directly to a weak map iterator
2538         without ambiguity between Weak<T> and PassWeak<T>.
2539
2540         * runtime/Structure.cpp:
2541         (JSC::StructureTransitionTable::add): See above.
2542
2543         * runtime/Structure.h:
2544         (JSC):
2545         * runtime/StructureTransitionTable.h:
2546         (StructureTransitionTable): Bad code goes away, programmer happy.
2547
2548         * runtime/WeakGCMap.h:
2549         (JSC):
2550         (WeakGCMap):
2551         (JSC::WeakGCMap::WeakGCMap):
2552         (JSC::WeakGCMap::set):
2553         (JSC::WeakGCMap::add):
2554         (JSC::WeakGCMap::find):
2555         (JSC::WeakGCMap::contains):
2556         (JSC::WeakGCMap::gcMap):
2557         (JSC::WeakGCMap::gcMapIfNeeded): Inherit from HashMap and override any
2558         function that might observe a Weak<T> that has died, just enough to
2559         make such items appear as if they are not in the table.
2560
2561 2013-01-18  Michael Saboff  <msaboff@apple.com>
2562
2563         Refactor isPowerOf2() and add getLSBSet()
2564         https://bugs.webkit.org/show_bug.cgi?id=107306
2565
2566         Reviewed by Filip Pizlo.
2567
2568         Moved implementation of isPowerOf2() to new hasOneBitSet() in wtf/MathExtras.h.
2569
2570         * runtime/PropertyMapHashTable.h:
2571         (JSC::isPowerOf2):
2572
2573 2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2574
2575         Objective-C API: Clean up JSValue.mm
2576         https://bugs.webkit.org/show_bug.cgi?id=107163
2577
2578         Reviewed by Darin Adler.
2579
2580         m_context is no longer weak, so there is now a lot of dead code in JSValue.mm, and a wasted message send
2581         on every API call.  In the head of just about every method in JSValue.mm we're doing:
2582
2583         JSContext *context = [self context];
2584         if (!context)
2585             return nil;
2586
2587         This is getting a retained copy of the context, which is no longer necessary now that m_context is no longer weak.
2588         We can just delete all these lines from all functions doing this, and where they were referring to the local
2589         variable 'context', instead we can just access m_context directly.
2590
2591         Since we're already going to be modifying most of JSValue.mm, we'll also do the following:
2592
2593         1) context @property is no longer weak – the context property is declared as:
2594
2595             @property(readonly, weak) JSContext *context;
2596
2597         This is really only informative (since we're not presently synthesizing the ivar), but it is now misleading. 
2598         We should change it to:
2599
2600             @property(readonly, retain) JSContext *context;
2601
2602         2) the JSContext ivar and accessor can be automatically generated.  Since we're no longer doing anything 
2603         special with m_context, we can just let the compiler handle the ivar for us.  We'll delete:
2604
2605             JSContext *m_context;
2606
2607         and:
2608
2609             - (JSContext *)context
2610             {
2611                 return m_context;
2612             }
2614
2615         and find & replace "m_context" with "_context" in JSValue.mm.
2616
2617         * API/APIJSValue.h:
2618         * API/JSValue.mm:
2619         (-[JSValue toObject]):
2620         (-[JSValue toBool]):
2621         (-[JSValue toDouble]):
2622         (-[JSValue toNumber]):
2623         (-[JSValue toString]):
2624         (-[JSValue toDate]):
2625         (-[JSValue toArray]):
2626         (-[JSValue toDictionary]):
2627         (-[JSValue valueForProperty:]):
2628         (-[JSValue setValue:forProperty:]):
2629         (-[JSValue deleteProperty:]):
2630         (-[JSValue hasProperty:]):
2631         (-[JSValue defineProperty:descriptor:]):
2632         (-[JSValue valueAtIndex:]):
2633         (-[JSValue setValue:atIndex:]):
2634         (-[JSValue isUndefined]):
2635         (-[JSValue isNull]):
2636         (-[JSValue isBoolean]):
2637         (-[JSValue isNumber]):
2638         (-[JSValue isString]):
2639         (-[JSValue isObject]):
2640         (-[JSValue isEqualToObject:]):
2641         (-[JSValue isEqualWithTypeCoercionToObject:]):
2642         (-[JSValue isInstanceOf:]):
2643         (-[JSValue callWithArguments:]):
2644         (-[JSValue constructWithArguments:]):
2645         (-[JSValue invokeMethod:withArguments:]):
2646         (-[JSValue objectForKeyedSubscript:]):
2647         (-[JSValue setObject:forKeyedSubscript:]):
2648         (-[JSValue initWithValue:inContext:]):
2649         (-[JSValue dealloc]):
2650         (-[JSValue description]):
2651
2652 2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2653
2654         Objective-C API: Clean up JSValue
2655         https://bugs.webkit.org/show_bug.cgi?id=107156
2656
2657         Reviewed by Oliver Hunt.
2658
2659         JSContext m_protectCounts, protect, unprotect are all now unnecessary overhead, and should all be removed.  
2660         These exist to handle the context going away before the value does; the context needs to be able to unprotect 
2661         values early.  Since the value is now keeping the context alive there is no longer any danger of this happening; 
2662         instead we should just protect/unprotect the value in JSValue's init/dealloc methods.
2663
2664         * API/JSContext.mm:
2665         (-[JSContext dealloc]):
2666         * API/JSContextInternal.h:
2667         * API/JSValue.mm:
2668         (-[JSValue initWithValue:inContext:]):
2669         (-[JSValue dealloc]):
2670
2671 2013-01-17  Filip Pizlo  <fpizlo@apple.com>
2672
2673         DFG Node::ref() and Node::deref() should not return bool, and should have postfixRef variants
2674         https://bugs.webkit.org/show_bug.cgi?id=107147
2675
2676         Reviewed by Mark Hahnenberg.
2677         
2678         This small refactoring will enable a world where ref() returns Node*, which is useful for
2679         https://bugs.webkit.org/show_bug.cgi?id=106868.  Also, while this refactoring does lead to
2680         slightly less terse code, it's also slightly more self-explanatory.  I could never quite
2681         remember what the meaning of the bool return from ref() and deref() was.
2682
2683         * dfg/DFGGraph.cpp:
2684         (JSC::DFG::Graph::collectGarbage):
2685         * dfg/DFGGraph.h:
2686         (JSC::DFG::Graph::ref):
2687         (JSC::DFG::Graph::deref):
2688         * dfg/DFGNode.h:
2689         (JSC::DFG::Node::ref):
2690         (Node):
2691         (JSC::DFG::Node::postfixRef):
2692         (JSC::DFG::Node::deref):
2693         (JSC::DFG::Node::postfixDeref):
2694
2695 2013-01-17  Alexey Proskuryakov  <ap@apple.com>
2696
2697         Added svn:ignore=*.pyc, so that ud_opcode.pyc and ud_optable.pyc don't show up
2698         in svn stat.
2699
2700         * disassembler/udis86: Added property svn:ignore.
2701
2702 2013-01-16  Filip Pizlo  <fpizlo@apple.com>
2703
2704         DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
2705         https://bugs.webkit.org/show_bug.cgi?id=107081
2706
2707         Reviewed by Michael Saboff.
2708
2709         This bug led to the 32_64 backend emitting contiguous allocation code to allocate
2710         ArrayStorage arrays. This then led to all manner of heap corruption, since
2711         subsequent array accesses would be accessing the contiguous array "as if" it was
2712         an arraystorage array.
2713
2714         * dfg/DFGSpeculativeJIT32_64.cpp:
2715         (JSC::DFG::SpeculativeJIT::compile):
2716
2717 2013-01-16  Jonathan Liu  <net147@gmail.com>
2718
2719         Add missing sys/mman.h include on Mac
2720         https://bugs.webkit.org/show_bug.cgi?id=98089
2721
2722         Reviewed by Darin Adler.
2723
2724         The madvise function and MADV_FREE constant require sys/mman.h.
2725
2726         * jit/ExecutableAllocatorFixedVMPool.cpp:
2727
2728 2013-01-15  Michael Saboff  <msaboff@apple.com>
2729
2730         DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
2731         https://bugs.webkit.org/show_bug.cgi?id=106978
2732
2733         Reviewed by Filip Pizlo.
2734
2735         Changed the numerator equal to -2^31 check to just return if we expect an integer
2736         result, since the check is after we have determined that the denominator is -1.
2737         The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.
2738
2739         * dfg/DFGSpeculativeJIT.cpp:
2740         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
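
        The edge case this entry fixes, as an added illustration (example code written for this page, not JSC's compileIntegerArithDivForX86): a 32-bit signed division of -2^31 by -1 overflows, so an x86 idiv raises #DE and the C++ division is undefined behaviour. When the result is only consumed as an int32, the ECMAScript answer after ToInt32 wraps back to -2^31, which is exactly the numerator. The names jsDivToInt32, fastIntDiv and divUsedAsInt are assumptions for this example; jsDivToInt32 serves as the reference semantics for (num / den) | 0 and the fast path must agree with it on every input.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Reference semantics for the JavaScript expression (num / den) | 0:
// divide as IEEE doubles, then apply ToInt32 (truncate, wrap modulo 2^32).
// Assumed helper written for this example; not JSC code.
int32_t jsDivToInt32(int32_t num, int32_t den)
{
    double q = static_cast<double>(num) / static_cast<double>(den);
    if (!std::isfinite(q))
        return 0; // x/0 gives +-Infinity or NaN; ToInt32 maps both to 0
    double t = std::trunc(q);
    double m = std::fmod(t, 4294967296.0); // reduce modulo 2^32 ...
    if (m < 0)
        m += 4294967296.0;
    if (m >= 2147483648.0)
        m -= 4294967296.0;                 // ... into the signed int32 range
    return static_cast<int32_t>(m);
}

// Integer fast path with the guards an x86 idiv needs. Returns false when the
// division must take the slow (double) path. Assumed structure, written to
// illustrate the ChangeLog entry; it is not compileIntegerArithDivForX86.
bool fastIntDiv(int32_t num, int32_t den, int32_t& result)
{
    if (den == 0)
        return false; // idiv by zero raises #DE; leave it to the slow path
    if (den == -1) {
        if (num == std::numeric_limits<int32_t>::min()) {
            // -2^31 / -1 = 2^31 does not fit int32 and idiv raises #DE.
            // In the used-as-int case the ToInt32'd result is -2^31, i.e. the
            // numerator itself, so the guard just returns it.
            result = num;
            return true;
        }
        result = -num; // negation is exact for every other int32
        return true;
    }
    // Both hazards (zero divisor, INT_MIN / -1) are excluded, so the C++
    // division is well defined and truncates toward zero like ToInt32 does.
    result = num / den;
    return true;
}

// Division whose result is only used as an int32 (e.g. (a / b) | 0).
int32_t divUsedAsInt(int32_t num, int32_t den)
{
    int32_t r;
    if (fastIntDiv(num, den, r))
        return r;
    return jsDivToInt32(num, den);
}

int main()
{
    const int32_t intMin = std::numeric_limits<int32_t>::min();
    std::printf("INT_MIN / -1 used as int: %d (reference %d)\n",
                divUsedAsInt(intMin, -1), jsDivToInt32(intMin, -1));
    std::printf("7 / 2: %d, -7 / 2: %d, 5 / 0: %d\n",
                divUsedAsInt(7, 2), divUsedAsInt(-7, 2), divUsedAsInt(5, 0));
    return 0;
}
```

        The two guards are the whole point: without the den == 0 and INT_MIN / -1 checks, the "fast" path either traps or invokes undefined behaviour, and a JIT that emits an unguarded idiv turns an arithmetic corner case into a crash.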
2741
2742 2013-01-15  Levi Weintraub  <leviw@chromium.org>
2743
2744         Unreviewed, rolling out r139792.
2745         http://trac.webkit.org/changeset/139792
2746         https://bugs.webkit.org/show_bug.cgi?id=106970
2747
2748         Broke the windows build.
2749
2750         * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.
2751
2752 2013-01-15  Pratik Solanki  <psolanki@apple.com>
2753
2754         Use MADV_FREE_REUSABLE to return JIT memory to OS
2755         https://bugs.webkit.org/show_bug.cgi?id=106830
2756         <rdar://problem/11437701>
2757
2758         Reviewed by Geoffrey Garen.
2759
2760         Use MADV_FREE_REUSABLE to return JIT memory on OSes that have the underlying madvise bug
2761         fixed.
2762
2763         * jit/ExecutableAllocatorFixedVMPool.cpp:
2764         (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
2765
2766 2013-01-15  Levi Weintraub  <leviw@chromium.org>
2767
2768         Unreviewed, rolling out r139790.
2769         http://trac.webkit.org/changeset/139790
2770         https://bugs.webkit.org/show_bug.cgi?id=106948
2771
2772         The patch is failing its own test.
2773
2774         * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.
2775
2776 2013-01-15  Zan Dobersek  <zandobersek@gmail.com>
2777
2778         [Autotools] Unify JavaScriptCore sources list, regardless of target OS
2779         https://bugs.webkit.org/show_bug.cgi?id=106007
2780
2781         Reviewed by Gustavo Noronha Silva.
2782
2783         Include the Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp target
2784         in the general sources list as it is guarded by the ENABLE_EXECUTABLE_ALLOCATOR_FIXED
2785         feature define. This define is only used on 64-bit architecture and indirectly depends
2786         on enabling either JIT or YARR JIT feature. Both of these defines are disabled on
2787         Windows OS when using 64-bit architecture so there's no need to add this target to
2788         sources only when the target OS is Windows.
2789
2790         * GNUmakefile.list.am:
2791
2792 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
2793
2794         DFG should not forget that it had proved something to be a constant during a merge just because it's merging against the empty value
2795         https://bugs.webkit.org/show_bug.cgi?id=106727
2796
2797         Reviewed by Oliver Hunt.
2798         
2799         The problem was this statement:
2800         
2801         if (m_value != other.m_value)
2802             m_value = JSValue();
2803         
2804         This is well-intentioned, in the sense that if we want our abstract value (i.e. this) to become the superset of the other
2805         abstract value, and the two abstract values have proven different constants, then our abstract value should rescind its
2806         claim that it has been proven to be constant. But this misses the special case that if the other abstract value is
2807         completely clear (meaning that it wishes to contribute zero information and so the superset operation shouldn't change
2808         this), it will have a clear m_value. So, the code prior to this patch would rescind the constant proof even though it
2809         didn't have to.
2810         
2811         This comes up rarely and I don't believe it will be a performance win, but it is good to have the CFA be consistently
2812         precise as often as possible.
2813
2814         * dfg/DFGAbstractValue.h:
2815         (JSC::DFG::AbstractValue::merge):
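
        The merge problem described in this entry, as an added illustration (example code written for this page, not JSC's AbstractValue::merge): a lattice element carries a type set plus a "proven constant" slot, and a completely clear element is one with no types and no constant. The names AbstractConst, mergeBuggy and mergeFixed are assumptions for this example. mergeBuggy mirrors the unconditional m_value comparison quoted above and drops the proof when merged against an empty value; mergeFixed treats a clear other as contributing nothing, while still rescinding the proof whenever the two sides genuinely disagree.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed lattice model written for this example (not JSC's AbstractValue): a
// set of possible types plus an optional proven constant. A completely clear
// element has no types and no constant and must contribute nothing to a merge.
enum TypeBits : uint32_t { TypeNone = 0, TypeInt32 = 1, TypeDouble = 2, TypeOther = 4 };

struct AbstractConst {
    uint32_t types = TypeNone;
    bool hasConstant = false; // false plays the role of a cleared m_value
    int64_t constant = 0;

    bool isClear() const { return types == TypeNone && !hasConstant; }

    bool sameConstantAs(const AbstractConst& other) const
    {
        return hasConstant == other.hasConstant && (!hasConstant || constant == other.constant);
    }

    static AbstractConst ofConstant(int64_t v)
    {
        AbstractConst a;
        a.types = TypeInt32;
        a.hasConstant = true;
        a.constant = v;
        return a;
    }

    static AbstractConst ofType(uint32_t t)
    {
        AbstractConst a;
        a.types = t;
        return a;
    }
};

// Pre-fix behaviour: the constants are compared unconditionally, so a clear
// `other` (no constant) looks "different" and the proof is wrongly rescinded.
void mergeBuggy(AbstractConst& self, const AbstractConst& other)
{
    self.types |= other.types;
    if (!self.sameConstantAs(other))
        self.hasConstant = false;
}

// Fixed behaviour: a clear `other` is a no-op, a clear `self` adopts `other`,
// and otherwise the proof is rescinded only when the two sides genuinely
// disagree about what the value is.
void mergeFixed(AbstractConst& self, const AbstractConst& other)
{
    if (other.isClear())
        return;
    if (self.isClear()) {
        self = other;
        return;
    }
    self.types |= other.types;
    if (!self.sameConstantAs(other))
        self.hasConstant = false;
}

// The scenario from the entry: a proven constant merged against the empty value.
bool buggyKeepsConstant()
{
    AbstractConst a = AbstractConst::ofConstant(42);
    mergeBuggy(a, AbstractConst());
    return a.hasConstant;
}

bool fixedKeepsConstant()
{
    AbstractConst a = AbstractConst::ofConstant(42);
    mergeFixed(a, AbstractConst());
    return a.hasConstant && a.constant == 42 && a.types == TypeInt32;
}

// Soundness checks: the fix must not keep a proof it is not entitled to.
bool fixedRescindsDifferentConstants()
{
    AbstractConst a = AbstractConst::ofConstant(1);
    mergeFixed(a, AbstractConst::ofConstant(2));
    return !a.hasConstant && a.types == TypeInt32;
}

bool fixedRescindsAgainstUnknownInt()
{
    AbstractConst a = AbstractConst::ofConstant(1);
    mergeFixed(a, AbstractConst::ofType(TypeInt32 | TypeDouble));
    return !a.hasConstant && a.types == static_cast<uint32_t>(TypeInt32 | TypeDouble);
}

bool fixedClearSelfAdoptsOther()
{
    AbstractConst a;
    mergeFixed(a, AbstractConst::ofConstant(7));
    return a.hasConstant && a.constant == 7;
}

int main()
{
    std::printf("buggy keeps constant: %d, fixed keeps constant: %d\n",
                buggyKeepsConstant(), fixedKeepsConstant());
    return 0;
}
```

        The soundness checks matter as much as the precision one: a merge that keeps a constant proof when the other side is a different constant, or an unknown int, would let later passes fold on a value that is not actually fixed, which is the kind of CFA imprecision that turns into miscompilation rather than just a missed optimization.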
2816
2817 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
2818
2819         Python implementation reports "MemoryError" instead of doing things
2820         https://bugs.webkit.org/show_bug.cgi?id=106690
2821
2822         Reviewed by Oliver Hunt.
2823         
2824         The bug was that the CFA was assuming that a variable is dead at the end of a basic block and hence doesn't need to
2825         be merged to the next block if the last mention of the variable was dead. This is almost correct, except that it
2826         doesn't work if the last mention is a GetLocal - the GetLocal itself may be dead, but that doesn't mean that the
2827         variable is dead - it may still be live. The appropriate thing to do is to look at the GetLocal's Phi. If the
2828         variable is used in the next block then the next block will have a reference to the last mention in our block unless
2829         that last mention is a GetLocal, in which case it will link to the Phi. Doing it this way captures everything that
2830         the CFA wants: if the last use is a live GetLocal then the CFA needs to consider the GetLocal itself for possible
2831         refinements to the proof of the value in the variable, but if the GetLocal is dead, then this must mean that the
2832         variable is not mentioned in the block but may still be "passed through" it, which is what the Phi will tell us.
2833         Note that it is not possible for the GetLocal to refer to anything other than a Phi, and it is also not possible
2834         for the last mention of a variable to be a dead GetLocal while there are other mentions that aren't dead - if
2835         there had been SetLocals or GetLocals prior to the dead one then the dead one wouldn't have been emitted by the
2836         parser.
2837         
2838         This also fixes a similar bug in the handling of captured variables. If a variable is captured, then it doesn't
2839         matter if the last mention is dead, or not. Either way, we already know that a captured variable will be live in
2840         the next block, so we must merge it no matter what.
2841         
2842         Finally, this change makes the output of Operands dumping a bit more verbose: it now prints the variable name next
2843         to each variable's dump. I've often found the lack of this information confusing particularly for operand dumps
2844         that involve a lot of variables.
2845
2846         * bytecode/Operands.h:
2847         (JSC::dumpOperands):
2848         * dfg/DFGAbstractState.cpp:
2849         (JSC::DFG::AbstractState::mergeStateAtTail):
2850
2851 2013-01-14  Roger Fong  <roger_fong@apple.com>
2852
2853         Unreviewed. Fix vcproj file. Missing file tag after http://trac.webkit.org/changeset/139541.
2854
2855         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2856
2857 2013-01-13  Filip Pizlo  <fpizlo@apple.com>
2858
2859         DFG phases that store per-node information should store it in Node itself rather than using a secondary vector
2860         https://bugs.webkit.org/show_bug.cgi?id=106753
2861
2862         Reviewed by Geoffrey Garen.
2863
2864         * dfg/DFGAbstractState.cpp:
2865         (JSC::DFG::AbstractState::AbstractState):
2866         (JSC::DFG::AbstractState::beginBasicBlock):
2867         (JSC::DFG::AbstractState::dump):
2868         * dfg/DFGAbstractState.h:
2869         (JSC::DFG::AbstractState::forNode):
2870         (AbstractState):
2871         * dfg/DFGCFGSimplificationPhase.cpp:
2872         * dfg/DFGCSEPhase.cpp:
2873         (JSC::DFG::CSEPhase::CSEPhase):
2874         (JSC::DFG::CSEPhase::performSubstitution):
2875         (JSC::DFG::CSEPhase::setReplacement):
2876         (CSEPhase):
2877         * dfg/DFGNode.h:
2878         (Node):
2879
2880 2013-01-12  Tim Horton  <timothy_horton@apple.com>
2881
2882         Unreviewed build fix.
2883
2884         * API/JSBlockAdaptor.mm:
2885         * API/JSContext.mm:
2886         * API/JSValue.mm:
2887
2888 2013-01-12  Csaba Osztrogonác  <ossy@webkit.org>
2889
2890         Unreviewed 64 bit buildfix after r139496.
2891
2892         * dfg/DFGOperations.cpp:
2893
2894 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
2895
2896         Unreviewed, speculative build fix.
2897
2898         * API/JSWrapperMap.mm:
2899
2900 2013-01-10  Filip Pizlo  <fpizlo@apple.com>
2901
2902         JITThunks should not compile only because of luck
2903         https://bugs.webkit.org/show_bug.cgi?id=105696
2904
2905         Rubber stamped by Sam Weinig and Geoffrey Garen.
2906         
2907         This patch was supposed to just move JITThunks into its own file. But then I
2908         realized that there is a horrible circular dependency chain between JSCell,
2909         JSGlobalData, CallFrame, and Weak, which only works because of magical include
2910         order in JITStubs.h, and the fact that JSGlobalData.h includes JITStubs.h
2911         before it includes JSCell or JSValue.
2912         
2913         I first tried to just get JITThunks.h to just magically do the same pointless
2914         includes that JITStubs.h had, but then I decided to actually fix the underlying
2915         problem, which was that JSCell needed CallFrame, CallFrame needed JSGlobalData,
2916         JSGlobalData needed JITThunks, JITThunks needed Weak, and Weak needed JSCell.
2917         Now, all of JSCell's outgoing dependencies are placed in JSCellInlines.h. This
2918         also gave me an opportunity to move JSValue inline methods from JSCell.h into
2919         JSValueInlines.h. But to make this really work, I needed to remove includes of
2920         *Inlines.h from other headers (CodeBlock.h for example included JSValueInlines.h,
2921         which defeats the whole entire purpose of having an Inlines.h file), and I needed
2922         to add includes of *Inlines.h into a bunch of .cpp files. I did this mostly by
2923         having .cpp files include Operations.h. In future, if you're adding a .cpp file
2924         to JSC, you'll almost certainly have to include Operations.h unless you enjoy
2925         link errors.
2926
2927         * API/JSBase.cpp:
2928         * API/JSCallbackConstructor.cpp:
2929         * API/JSCallbackFunction.cpp:
2930         * API/JSCallbackObject.cpp:
2931         * API/JSClassRef.cpp:
2932         * API/JSContextRef.cpp:
2933         * API/JSObjectRef.cpp:
2934         * API/JSScriptRef.cpp:
2935         * API/JSWeakObjectMapRefPrivate.cpp:
2936         * JSCTypedArrayStubs.h:
2937         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2938         * JavaScriptCore.xcodeproj/project.pbxproj:
2939         * bytecode/ArrayAllocationProfile.cpp:
2940         * bytecode/CodeBlock.cpp:
2941         * bytecode/GetByIdStatus.cpp:
2942         * bytecode/LazyOperandValueProfile.cpp:
2943         * bytecode/ResolveGlobalStatus.cpp:
2944         * bytecode/SpeculatedType.cpp:
2945         * bytecode/UnlinkedCodeBlock.cpp:
2946         * bytecompiler/BytecodeGenerator.cpp:
2947         * debugger/Debugger.cpp:
2948         * debugger/DebuggerActivation.cpp:
2949         * debugger/DebuggerCallFrame.cpp:
2950         * dfg/DFGArgumentsSimplificationPhase.cpp:
2951         * dfg/DFGArrayMode.cpp:
2952         * dfg/DFGByteCodeParser.cpp:
2953         * dfg/DFGConstantFoldingPhase.cpp:
2954         * dfg/DFGDriver.cpp:
2955         * dfg/DFGFixupPhase.cpp:
2956         * dfg/DFGGraph.cpp:
2957         * dfg/DFGJITCompiler.cpp:
2958         * dfg/DFGOSREntry.cpp:
2959         * dfg/DFGOSRExitCompiler.cpp:
2960         * dfg/DFGOSRExitCompiler32_64.cpp:
2961         * dfg/DFGOSRExitCompiler64.cpp:
2962         * dfg/DFGPredictionPropagationPhase.cpp:
2963         * dfg/DFGSpeculativeJIT.cpp:
2964         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2965         (DFG):
2966         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2967         (JSC::DFG::SpeculativeJIT::silentSpill):
2968         (JSC::DFG::SpeculativeJIT::silentFill):
2969         * dfg/DFGSpeculativeJIT.h:
2970         (SpeculativeJIT):
2971         * dfg/DFGSpeculativeJIT32_64.cpp:
2972         * dfg/DFGSpeculativeJIT64.cpp:
2973         * dfg/DFGStructureCheckHoistingPhase.cpp:
2974         * dfg/DFGVariableEventStream.cpp:
2975         * heap/CopiedBlock.h:
2976         * heap/CopiedSpace.cpp:
2977         * heap/HandleSet.cpp:
2978         * heap/Heap.cpp:
2979         * heap/HeapStatistics.cpp:
2980         * heap/SlotVisitor.cpp:
2981         * heap/WeakBlock.cpp:
2982         * interpreter/CallFrame.cpp:
2983         * interpreter/CallFrame.h:
2984         * jit/ClosureCallStubRoutine.cpp:
2985         * jit/GCAwareJITStubRoutine.cpp:
2986         * jit/JIT.cpp:
2987         * jit/JITArithmetic.cpp:
2988         * jit/JITArithmetic32_64.cpp:
2989         * jit/JITCall.cpp:
2990         * jit/JITCall32_64.cpp:
2991         * jit/JITCode.h:
2992         * jit/JITExceptions.cpp:
2993         * jit/JITStubs.h:
2994         * jit/JITThunks.h:
2995         * jsc.cpp:
2996         * llint/LLIntExceptions.cpp:
2997         * profiler/LegacyProfiler.cpp:
2998         * profiler/ProfileGenerator.cpp:
2999         * profiler/ProfilerBytecode.cpp:
3000         * profiler/ProfilerBytecodeSequence.cpp:
3001         * profiler/ProfilerBytecodes.cpp:
3002         * profiler/ProfilerCompilation.cpp:
3003         * profiler/ProfilerCompiledBytecode.cpp:
3004         * profiler/ProfilerDatabase.cpp:
3005         * profiler/ProfilerOSRExit.cpp:
3006         * profiler/ProfilerOSRExitSite.cpp:
3007         * profiler/ProfilerOrigin.cpp:
3008         * profiler/ProfilerOriginStack.cpp:
3009         * profiler/ProfilerProfiledBytecodes.cpp:
3010         * runtime/ArgList.cpp:
3011         * runtime/Arguments.cpp:
3012         * runtime/ArrayConstructor.cpp:
3013         * runtime/BooleanConstructor.cpp:
3014         * runtime/BooleanObject.cpp:
3015         * runtime/BooleanPrototype.cpp:
3016         * runtime/CallData.cpp:
3017         * runtime/CodeCache.cpp:
3018         * runtime/Completion.cpp:
3019         * runtime/ConstructData.cpp:
3020         * runtime/DateConstructor.cpp:
3021         * runtime/DateInstance.cpp:
3022         * runtime/DatePrototype.cpp:
3023         * runtime/Error.cpp:
3024         * runtime/ErrorConstructor.cpp:
3025         * runtime/ErrorInstance.cpp:
3026         * runtime/ErrorPrototype.cpp:
3027         * runtime/ExceptionHelpers.cpp:
3028         * runtime/Executable.cpp:
3029         * runtime/FunctionConstructor.cpp:
3030         * runtime/FunctionPrototype.cpp:
3031         * runtime/GetterSetter.cpp:
3032         * runtime/Identifier.cpp:
3033         * runtime/InternalFunction.cpp:
3034         * runtime/JSActivation.cpp:
3035         * runtime/JSBoundFunction.cpp:
3036         * runtime/JSCell.cpp:
3037         * runtime/JSCell.h:
3038         (JSC):
3039         * runtime/JSCellInlines.h: Added.
3040         (JSC):
3041         (JSC::JSCell::JSCell):
3042         (JSC::JSCell::finishCreation):
3043         (JSC::JSCell::structure):
3044         (JSC::JSCell::visitChildren):
3045         (JSC::allocateCell):
3046         (JSC::isZapped):
3047         (JSC::JSCell::isObject):
3048         (JSC::JSCell::isString):
3049         (JSC::JSCell::isGetterSetter):
3050         (JSC::JSCell::isProxy):
3051         (JSC::JSCell::isAPIValueWrapper):
3052         (JSC::JSCell::setStructure):
3053         (JSC::JSCell::methodTable):
3054         (JSC::JSCell::inherits):
3055         (JSC::JSCell::fastGetOwnPropertySlot):
3056         (JSC::JSCell::fastGetOwnProperty):
3057         (JSC::JSCell::toBoolean):
3058         * runtime/JSDateMath.cpp:
3059         * runtime/JSFunction.cpp:
3060         * runtime/JSFunction.h:
3061         (JSC):
3062         * runtime/JSGlobalData.h:
3063         (JSC):
3064         (JSGlobalData):
3065         * runtime/JSGlobalObject.cpp:
3066         * runtime/JSGlobalObjectFunctions.cpp:
3067         * runtime/JSLock.cpp:
3068         * runtime/JSNameScope.cpp:
3069         * runtime/JSNotAnObject.cpp:
3070         * runtime/JSONObject.cpp:
3071         * runtime/JSObject.h:
3072         (JSC):
3073         * runtime/JSProxy.cpp:
3074         * runtime/JSScope.cpp:
3075         * runtime/JSSegmentedVariableObject.cpp:
3076         * runtime/JSString.h:
3077         (JSC):
3078         * runtime/JSStringJoiner.cpp:
3079         * runtime/JSSymbolTableObject.cpp:
3080         * runtime/JSValue.cpp:
3081         * runtime/JSValueInlines.h:
3082         (JSC::JSValue::toInt32):
3083         (JSC::JSValue::toUInt32):
3084         (JSC):
3085         (JSC::JSValue::isUInt32):
3086         (JSC::JSValue::asUInt32):
3087         (JSC::JSValue::asNumber):
3088         (JSC::jsNaN):
3089         (JSC::JSValue::JSValue):
3090         (JSC::JSValue::encode):
3091         (JSC::JSValue::decode):
3092         (JSC::JSValue::operator bool):
3093         (JSC::JSValue::operator==):
3094         (JSC::JSValue::operator!=):
3095         (JSC::JSValue::isEmpty):
3096         (JSC::JSValue::isUndefined):
3097         (JSC::JSValue::isNull):
3098         (JSC::JSValue::isUndefinedOrNull):
3099         (JSC::JSValue::isCell):
3100         (JSC::JSValue::isInt32):
3101         (JSC::JSValue::isDouble):
3102         (JSC::JSValue::isTrue):
3103         (JSC::JSValue::isFalse):
3104         (JSC::JSValue::tag):
3105         (JSC::JSValue::payload):
3106         (JSC::JSValue::asInt32):
3107         (JSC::JSValue::asDouble):
3108         (JSC::JSValue::asCell):
3109         (JSC::JSValue::isNumber):
3110         (JSC::JSValue::isBoolean):
3111         (JSC::JSValue::asBoolean):
3112         (JSC::reinterpretDoubleToInt64):
3113         (JSC::reinterpretInt64ToDouble):
3114         (JSC::JSValue::isString):
3115         (JSC::JSValue::isPrimitive):
3116         (JSC::JSValue::isGetterSetter):
3117         (JSC::JSValue::isObject):
3118         (JSC::JSValue::getString):
3119         (JSC::::getString):
3120         (JSC::JSValue::getObject):
3121         (JSC::JSValue::getUInt32):
3122         (JSC::JSValue::toPrimitive):
3123         (JSC::JSValue::getPrimitiveNumber):
3124         (JSC::JSValue::toNumber):
3125         (JSC::JSValue::toObject):
3126         (JSC::JSValue::isFunction):
3127         (JSC::JSValue::inherits):
3128         (JSC::JSValue::toThisObject):
3129         (JSC::JSValue::get):
3130         (JSC::JSValue::put):
3131         (JSC::JSValue::putByIndex):
3132         (JSC::JSValue::structureOrUndefined):
3133         (JSC::JSValue::equal):
3134         (JSC::JSValue::equalSlowCaseInline):
3135         (JSC::JSValue::strictEqualSlowCaseInline):
3136         (JSC::JSValue::strictEqual):
3137         * runtime/JSVariableObject.cpp:
3138         * runtime/JSWithScope.cpp:
3139         * runtime/JSWrapperObject.cpp:
3140         * runtime/LiteralParser.cpp:
3141         * runtime/Lookup.cpp:
3142         * runtime/NameConstructor.cpp:
3143         * runtime/NameInstance.cpp:
3144         * runtime/NamePrototype.cpp:
3145         * runtime/NativeErrorConstructor.cpp:
3146         * runtime/NativeErrorPrototype.cpp:
3147         * runtime/NumberConstructor.cpp:
3148         * runtime/NumberObject.cpp:
3149         * runtime/ObjectConstructor.cpp:
3150         * runtime/ObjectPrototype.cpp:
3151         * runtime/Operations.h:
3152         (JSC):
3153         * runtime/PropertySlot.cpp:
3154         * runtime/RegExp.cpp:
3155         * runtime/RegExpCache.cpp:
3156         * runtime/RegExpCachedResult.cpp:
3157         * runtime/RegExpConstructor.cpp:
3158         * runtime/RegExpMatchesArray.cpp:
3159         * runtime/RegExpObject.cpp:
3160         * runtime/RegExpPrototype.cpp:
3161         * runtime/SmallStrings.cpp:
3162         * runtime/SparseArrayValueMap.cpp:
3163         * runtime/StrictEvalActivation.cpp:
3164         * runtime/StringConstructor.cpp:
3165         * runtime/StringObject.cpp:
3166         * runtime/StringRecursionChecker.cpp:
3167         * runtime/Structure.h:
3168         (JSC):
3169         * runtime/StructureChain.cpp:
3170         * runtime/TimeoutChecker.cpp:
3171         * testRegExp.cpp:
3172
3173 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3174
3175         If you use Phantom to force something to be live across an OSR exit, you should put it after the OSR exit
3176         https://bugs.webkit.org/show_bug.cgi?id=106724
3177
3178         Reviewed by Oliver Hunt.
3179         
3180         In cases where we were getting it wrong, I think it was benign because we would either already have an
3181         OSR exit prior to there, or the operand would be a constant.  But still, it's good to get this right.
3182
3183         * dfg/DFGByteCodeParser.cpp:
3184         (JSC::DFG::ByteCodeParser::parseBlock):
3185
3186 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3187
3188         Phantom(GetLocal) should be treated as relevant to OSR
3189         https://bugs.webkit.org/show_bug.cgi?id=106715
3190
3191         Reviewed by Mark Hahnenberg.
3192
3193         * dfg/DFGCSEPhase.cpp:
3194         (JSC::DFG::CSEPhase::performBlockCSE):
3195
3196 2013-01-11  Pratik Solanki  <psolanki@apple.com>
3197
3198         Fix function name typo ProgramExecutable::initalizeGlobalProperties()
3199         https://bugs.webkit.org/show_bug.cgi?id=106701
3200
3201         Reviewed by Geoffrey Garen.
3202
3203         * interpreter/Interpreter.cpp:
3204         (JSC::Interpreter::execute):
3205         * runtime/Executable.cpp:
3206         (JSC::ProgramExecutable::initializeGlobalProperties):
3207         * runtime/Executable.h:
3208
3209 2013-01-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3210
3211         testapi is failing with a block-related error in the Objc API
3212         https://bugs.webkit.org/show_bug.cgi?id=106055
3213
3214         Reviewed by Filip Pizlo.
3215
3216         Same bug as in testapi.mm. We need to actually call the static block, rather than casting the block to a bool.
3217
3218         * API/ObjCCallbackFunction.mm:
3219         (blockSignatureContainsClass):
3220
3221 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3222
3223         Add a run-time option to print bytecode at DFG compile time
3224         https://bugs.webkit.org/show_bug.cgi?id=106704
3225
3226         Reviewed by Mark Hahnenberg.
3227
3228         * dfg/DFGByteCodeParser.cpp:
3229         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3230         * runtime/Options.h:
3231         (JSC):
3232
3233 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3234
3235         It should be possible to enable verbose printing of each OSR exit at run-time (rather than compile-time) and it should print register state
3236         https://bugs.webkit.org/show_bug.cgi?id=106700
3237
3238         Reviewed by Mark Hahnenberg.
3239
3240         * dfg/DFGAssemblyHelpers.h:
3241         (DFG):
3242         (JSC::DFG::AssemblyHelpers::debugCall):
3243         * dfg/DFGCommon.h:
3244         * dfg/DFGOSRExit.h:
3245         (DFG):
3246         * dfg/DFGOSRExitCompiler32_64.cpp:
3247         (JSC::DFG::OSRExitCompiler::compileExit):
3248         * dfg/DFGOSRExitCompiler64.cpp:
3249         (JSC::DFG::OSRExitCompiler::compileExit):
3250         * dfg/DFGOperations.cpp:
3251         * dfg/DFGOperations.h:
3252         * runtime/Options.h:
3253         (JSC):
3254
3255 2013-01-11  Geoffrey Garen  <ggaren@apple.com>
3256
3257         Removed getDirectLocation and offsetForLocation and all their uses
3258         https://bugs.webkit.org/show_bug.cgi?id=106692
3259
3260         Reviewed by Filip Pizlo.
3261
3262         getDirectLocation() and its associated offsetForLocation() relied on
3263         detailed knowledge of the rules of PropertyOffset, JSObject, and
3264         Structure, which is a hard thing to reverse-engineer reliably. Luckily,
3265         it wasn't needed, and all clients either wanted a true value or a
3266         PropertyOffset. So, I refactored accordingly.
3267
3268         * dfg/DFGOperations.cpp: Renamed putDirectOffset to putDirect, to clarify
3269         that we are not putting an offset.
3270
3271         * runtime/JSActivation.cpp:
3272         (JSC::JSActivation::getOwnPropertySlot): Get a value instead of a value
3273         pointer, since we never wanted a pointer to begin with.
3274
3275         * runtime/JSFunction.cpp:
3276         (JSC::JSFunction::getOwnPropertySlot): Use a PropertyOffset instead of a pointer,
3277         so we don't have to reverse-engineer the offset from the pointer.
3278
3279         * runtime/JSObject.cpp:
3280         (JSC::JSObject::put):
3281         (JSC::JSObject::resetInheritorID):
3282         (JSC::JSObject::inheritorID):
3283         (JSC::JSObject::removeDirect):
3284         (JSC::JSObject::fillGetterPropertySlot):
3285         (JSC::JSObject::getOwnPropertyDescriptor): Renamed getDirectOffset and
3286         putDirectOffset, as explained above. We want to use the name "getDirectOffset"
3287         for when the thing you're getting is the offset.
3288
3289         * runtime/JSObject.h:
3290         (JSC::JSObject::getDirect):
3291         (JSC::JSObject::getDirectOffset): Changed getDirectLocation to getDirectOffset,
3292         since clients really want PropertyOffsets and not locations.
3293
3294         (JSObject::offsetForLocation): Removed this function because it was hard
3295         to get right.
3296
3297         (JSC::JSObject::putDirect):
3298         (JSC::JSObject::putDirectUndefined):
3299         (JSC::JSObject::inlineGetOwnPropertySlot):
3300         (JSC::JSObject::putDirectInternal):
3301         (JSC::JSObject::putDirectWithoutTransition):
3302         * runtime/JSScope.cpp:
3303         (JSC::executeResolveOperations):
3304         (JSC::JSScope::resolvePut):
3305         * runtime/JSValue.cpp:
3306         (JSC::JSValue::putToPrimitive): Updated for renames.
3307
3308         * runtime/Lookup.cpp:
3309         (JSC::setUpStaticFunctionSlot): Use a PropertyOffset instead of a pointer,
3310         so we don't have to reverse-engineer the offset from the pointer.
3311
3312         * runtime/Structure.cpp:
3313         (JSC::Structure::flattenDictionaryStructure): Updated for renames.
3314
3315 2013-01-11  Geoffrey Garen  <ggaren@apple.com>
3316
3317         Removed an unused version of getDirectLocation
3318         https://bugs.webkit.org/show_bug.cgi?id=106691
3319
3320         Reviewed by Gavin Barraclough.
3321
3322         getDirectLocation is a weird operation. Removing the unused version is
3323         the easy part.
3324
3325         * runtime/JSObject.h:
3326         (JSObject):
3327
3328 2013-01-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3329
3330         Objective-C objects that are passed to JavaScript leak (until the JSContext is destroyed)
3331         https://bugs.webkit.org/show_bug.cgi?id=106056
3332
3333         Reviewed by Darin Adler.
3334
3335         * API/APIJSValue.h:
3336         * API/JSValue.mm: Make the reference to the JSContext strong.
3337         (-[JSValue context]):
3338         (-[JSValue initWithValue:inContext:]):
3339         (-[JSValue dealloc]):
3340         * API/JSWrapperMap.mm: Make the reference back from wrappers to Obj-C objects weak instead of strong.
3341         Also add an explicit WeakGCMap in the JSWrapperMap rather than using Obj-C associated object API which 
3342         was causing memory leaks.
3343         (wrapperClass):
3344         (-[JSObjCClassInfo wrapperForObject:]):
3345         (-[JSWrapperMap initWithContext:]):
3346         (-[JSWrapperMap dealloc]):
3347         (-[JSWrapperMap wrapperForObject:]):
3348
3349 2013-01-11  Geoffrey Garen  <ggaren@apple.com>
3350
3351         Fixed some bogus PropertyOffset ASSERTs
3352         https://bugs.webkit.org/show_bug.cgi?id=106686
3353
3354         Reviewed by Gavin Barraclough.
3355
3356         The ASSERTs were passing a JSType instead of an inlineCapacity, due to
3357         an incomplete refactoring.
3358
3359         The compiler didn't catch this because both types are int underneath.
3360
3361         * runtime/JSObject.h:
3362         (JSC::JSObject::getDirect):
3363         (JSC::JSObject::getDirectLocation):
3364         (JSC::JSObject::offsetForLocation):
3365         * runtime/Structure.cpp:
3366         (JSC::Structure::addPropertyTransitionToExistingStructure): Validate against
3367         our inline capacity, as we intended.
3368
3369 2013-01-11  Geoffrey Garen  <ggaren@apple.com>
3370
3371         Rename propertyOffsetFor => offsetForPropertyNumber
3372         https://bugs.webkit.org/show_bug.cgi?id=106685
3373
3374         Reviewed by Gavin Barraclough.
3375
3376         Since the argument is just a typedef and not an object, I wanted to clarify the meaning.
3377
3378         * runtime/PropertyMapHashTable.h:
3379         (JSC::PropertyTable::nextOffset): Updated for rename.
3380
3381         * runtime/PropertyOffset.h:
3382         (JSC::offsetForPropertyNumber): Renamed. Also changed some PropertyOffset variables
3383         to plain ints, because they're not actually on the PropertyOffsets number line.
3384
3385         * runtime/Structure.cpp:
3386         (JSC::Structure::flattenDictionaryStructure):
3387         * runtime/Structure.h:
3388         (JSC::Structure::lastValidOffset): Updated for rename.
3389
3390 2013-01-10  Zan Dobersek  <zandobersek@gmail.com>
3391
3392         Remove the ENABLE_ANIMATION_API feature define occurrences
3393         https://bugs.webkit.org/show_bug.cgi?id=106544
3394
3395         Reviewed by Simon Fraser.
3396
3397         The Animation API code was removed in r137243. The ENABLE_ANIMATION_API