DFG optimizes out strict mode arguments tear off
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2
3         DFG optimizes out strict mode arguments tear off
4         https://bugs.webkit.org/show_bug.cgi?id=119504
5
6         Reviewed by Mark Hahnenberg and Oliver Hunt.
7         
8         Don't do the optimization for strict mode.
9
10         * dfg/DFGArgumentsSimplificationPhase.cpp:
11         (JSC::DFG::ArgumentsSimplificationPhase::run):
12         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
13
14 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
15
16         [JSC] x86: improve code generation for xxxTest32
17         https://bugs.webkit.org/show_bug.cgi?id=119876
18
19         Reviewed by Geoffrey Garen.
20
21         Try to use testb whenever possible when testing for an immediate value.
22
23         When the input is an address and an offset, we can tweak the mask
24         and offset to be able to generate testb for any byte of the mask.
25
26         When the input is a register, we can use testb if we are only interested
27         in testing the low bits.
28
29         * assembler/MacroAssemblerX86Common.h:
30         (JSC::MacroAssemblerX86Common::branchTest32):
31         (JSC::MacroAssemblerX86Common::test32):
32         (JSC::MacroAssemblerX86Common::generateTest32):
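The testb selection described in the entry above, as a constructed model added here (this is not JSC's MacroAssembler code; the names `lowerTest32Memory`, `lowerTest32Register`, `singleNonZeroByte` and the `LoweredTest` struct are assumptions). It spells out why the narrowing is sound for the zero flag and adds a check that the narrowed test agrees with the full 32-bit test:

```cpp
#include <cstdint>
#include <cstdio>

// Model of the testb/testl choice made by generateTest32 (constructed for
// illustration; not the JSC implementation). x86 "test" sets flags from
// (operand AND mask). If only one byte of a 32-bit mask is non-zero, the other
// three bytes contribute nothing to the AND, so the zero flag can be computed
// from a one-byte test against that byte alone. Caveat: the sign flag of a
// byte test reflects bit 7 of that byte, not bit 31 of the dword, so this
// model only claims equivalence for Zero/NonZero conditions.

enum class TestWidth { Byte, Dword };

struct LoweredTest {
    TestWidth width;  // Byte => testb, Dword => testl
    int32_t offset;   // memory displacement actually encoded (memory form)
    uint32_t mask;    // immediate actually encoded (8-bit for testb)
};

// Index (0..3) of the only non-zero byte of `mask`, or -1 if the mask is zero
// or spans more than one byte.
static int singleNonZeroByte(uint32_t mask) {
    int found = -1;
    for (int i = 0; i < 4; ++i) {
        if ((mask >> (8 * i)) & 0xffu) {
            if (found != -1)
                return -1;
            found = i;
        }
    }
    return found;
}

// Memory operand: test32(Address(base, offset), mask). On little-endian x86,
// byte k of the dword lives at offset + k, so the displacement is bumped by k
// and the immediate is narrowed to that byte.
LoweredTest lowerTest32Memory(int32_t offset, uint32_t mask) {
    int k = singleNonZeroByte(mask);
    if (k < 0)
        return { TestWidth::Dword, offset, mask };
    return { TestWidth::Byte, offset + k, (mask >> (8 * k)) & 0xffu };
}

// Register operand: test32(reg, mask). Only the low byte of a register can be
// tested with testb, so narrow only when the mask fits in the low 8 bits.
// (On 32-bit x86 only eax..edx have a byte form; a real emitter checks that.)
LoweredTest lowerTest32Register(uint32_t mask) {
    if ((mask & 0xffffff00u) == 0)
        return { TestWidth::Byte, 0, mask & 0xffu };
    return { TestWidth::Dword, 0, mask };
}

// Reference check on a sample dword: does the narrowed test produce the same
// zero-flag outcome as the full 32-bit test? Returns true when it does.
bool loweringPreservesZeroFlag(uint32_t value, int32_t offset, uint32_t mask) {
    bool fullZero = (value & mask) == 0;
    LoweredTest lt = lowerTest32Memory(offset, mask);
    if (lt.width == TestWidth::Dword)
        return ((value & lt.mask) == 0) == fullZero;
    int k = lt.offset - offset;                 // which byte the testb reads
    uint32_t byte = (value >> (8 * k)) & 0xffu;
    return ((byte & lt.mask) == 0) == fullZero;
}

int main() {
    // Constructed sample: testing the third byte of the dword at [base+8].
    LoweredTest lt = lowerTest32Memory(8, 0x00ff0000u);
    std::printf("%s offset=%d imm=0x%x\n",
                lt.width == TestWidth::Byte ? "testb" : "testl",
                lt.offset, lt.mask);
    return 0;
}
```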
33
34 2013-08-16  Mark Lam  <mark.lam@apple.com>
35
36         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
37         error message that an object is not a constructor though it expects a function
38
39         Reviewed by Michael Saboff.
40
41         * jit/JITStubs.cpp:
42         (JSC::DEFINE_STUB_FUNCTION):
43
44 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
45
46         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
47         https://bugs.webkit.org/show_bug.cgi?id=119897
48
49         Reviewed by Oliver Hunt.
50         
51         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
52         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
53         to turn objects into dictionaries when you're storing using bracket syntax or using
54         eval is still in place.
55
56         * bytecode/CodeBlock.h:
57         (JSC::CodeBlock::putByIdContext):
58         * dfg/DFGOperations.cpp:
59         * jit/JITStubs.cpp:
60         (JSC::DEFINE_STUB_FUNCTION):
61         * llint/LLIntSlowPaths.cpp:
62         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
63         * runtime/JSObject.h:
64         (JSC::JSObject::putDirectInternal):
65         * runtime/PutPropertySlot.h:
66         (JSC::PutPropertySlot::PutPropertySlot):
67         (JSC::PutPropertySlot::context):
68         * runtime/Structure.cpp:
69         (JSC::Structure::addPropertyTransition):
70         * runtime/Structure.h:
71
72 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
73
74         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
75
76         Reviewed by Allan Sandfeld Jensen.
77
78         ctiVMHandleException must jump/return using register ra (r31).
79
80         * jit/JITStubsMIPS.h:
81
82 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
83
84         <https://webkit.org/b/119879> Fix sh4 build after r154156.
85
86         Reviewed by Allan Sandfeld Jensen.
87
88         Fix typo in JITStubsSH4.h file.
89
90         * jit/JITStubsSH4.h:
91
92 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
93
94         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
95
96         Reviewed by Oliver Hunt.
97
98         The concurrent compilation thread should interact minimally with the Heap, including not 
99         triggering WriteBarriers. This is a prerequisite for generational GC.
100
101         * JavaScriptCore.xcodeproj/project.pbxproj:
102         * bytecode/CodeBlock.cpp:
103         (JSC::CodeBlock::addOrFindConstant):
104         (JSC::CodeBlock::findConstant):
105         * bytecode/CodeBlock.h:
106         (JSC::CodeBlock::addConstantLazily):
107         * dfg/DFGByteCodeParser.cpp:
108         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
109         (JSC::DFG::ByteCodeParser::constantUndefined):
110         (JSC::DFG::ByteCodeParser::constantNull):
111         (JSC::DFG::ByteCodeParser::one):
112         (JSC::DFG::ByteCodeParser::constantNaN):
113         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
114         * dfg/DFGCommonData.cpp:
115         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
116         * dfg/DFGCommonData.h:
117         * dfg/DFGDesiredTransitions.cpp: Added.
118         (JSC::DFG::DesiredTransition::DesiredTransition):
119         (JSC::DFG::DesiredTransition::reallyAdd):
120         (JSC::DFG::DesiredTransitions::DesiredTransitions):
121         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
122         (JSC::DFG::DesiredTransitions::addLazily):
123         (JSC::DFG::DesiredTransitions::reallyAdd):
124         * dfg/DFGDesiredTransitions.h: Added.
125         * dfg/DFGDesiredWeakReferences.cpp: Added.
126         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
127         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
128         (JSC::DFG::DesiredWeakReferences::addLazily):
129         (JSC::DFG::DesiredWeakReferences::reallyAdd):
130         * dfg/DFGDesiredWeakReferences.h: Added.
131         * dfg/DFGDesiredWriteBarriers.cpp: Added.
132         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
133         (JSC::DFG::DesiredWriteBarrier::trigger):
134         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
135         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
136         (JSC::DFG::DesiredWriteBarriers::addImpl):
137         (JSC::DFG::DesiredWriteBarriers::trigger):
138         * dfg/DFGDesiredWriteBarriers.h: Added.
139         (JSC::DFG::DesiredWriteBarriers::add):
140         (JSC::DFG::initializeLazyWriteBarrier):
141         * dfg/DFGFixupPhase.cpp:
142         (JSC::DFG::FixupPhase::truncateConstantToInt32):
143         * dfg/DFGGraph.h:
144         (JSC::DFG::Graph::convertToConstant):
145         * dfg/DFGJITCompiler.h:
146         (JSC::DFG::JITCompiler::addWeakReference):
147         * dfg/DFGPlan.cpp:
148         (JSC::DFG::Plan::Plan):
149         (JSC::DFG::Plan::reallyAdd):
150         * dfg/DFGPlan.h:
151         * dfg/DFGSpeculativeJIT32_64.cpp:
152         (JSC::DFG::SpeculativeJIT::compile):
153         * dfg/DFGSpeculativeJIT64.cpp:
154         (JSC::DFG::SpeculativeJIT::compile):
155         * runtime/WriteBarrier.h:
156         (JSC::WriteBarrierBase::set):
157         (JSC::WriteBarrier::WriteBarrier):
158
159 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
160
161         Fix x86 32-bit build after r154158
162
163         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
164
165 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
166
167         Build fix attempt after r154156.
168
169         * jit/JITStubs.cpp:
170         (JSC::cti_vm_handle_exception): encode!
171
172 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
173
174         [JSC] x86: Use inc and dec when possible
175         https://bugs.webkit.org/show_bug.cgi?id=119831
176
177         Reviewed by Geoffrey Garen.
178
179         When incrementing or decrementing by an immediate of 1, use the instructions
180         inc and dec instead of add and sub.
181         The instructions have good timing and their encoding is smaller.
182
183         * assembler/MacroAssemblerX86Common.h:
184         (JSC::MacroAssemblerX86_64::add32):
185         (JSC::MacroAssemblerX86_64::sub32):
186         * assembler/MacroAssemblerX86_64.h:
187         (JSC::MacroAssemblerX86_64::add64):
188         (JSC::MacroAssemblerX86_64::sub64):
189         * assembler/X86Assembler.h:
190         (JSC::X86Assembler::dec_r):
191         (JSC::X86Assembler::decq_r):
192         (JSC::X86Assembler::inc_r):
193         (JSC::X86Assembler::incq_r):
194
195 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
196
197         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
198         https://bugs.webkit.org/show_bug.cgi?id=119874
199
200         Reviewed by Oliver Hunt and Mark Hahnenberg.
201         
202         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
203         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
204         sometimes for typed array length accesses, and the FixupPhase assuming that a
205         ForceExit ArrayMode means that it should continue using a generic GetById.
206
207         This fixes the confusion.
208
209         * dfg/DFGFixupPhase.cpp:
210         (JSC::DFG::FixupPhase::fixupNode):
211
212 2013-08-15  Mark Lam  <mark.lam@apple.com>
213
214         Fix crash when performing activation tearoff.
215         https://bugs.webkit.org/show_bug.cgi?id=119848
216
217         Reviewed by Oliver Hunt.
218
219         The activation tearoff crash was due to a bug in the baseline JIT.
220         If we have a scenario where a baseline JIT frame calls an LLINT
221         frame, an exception may be thrown while in the LLINT.
222
223         Interpreter::throwException() which handles the exception will unwind
224         all frames until it finds a catcher or sees a host frame. When we
225         return from the LLINT to the baseline JIT code, the baseline JIT code
226         erroneously sets topCallFrame to the value in its call frame register,
227         and starts unwinding the stack frames that have already been unwound.
228
229         The fix is:
230         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
231            This is a more accurate description of what this runtime function
232            is supposed to do, i.e. it handles the exception, which includes doing
233            nothing (if there are no more frames to unwind).
234         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
235            set on it.
236         3. Reload the call frame register from topCallFrame when we're
237            returning from a callee and detect exception handling in progress.
238
239         * interpreter/Interpreter.cpp:
240         (JSC::Interpreter::unwindCallFrame):
241         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
242         (JSC::Interpreter::getStackTrace):
243         * interpreter/Interpreter.h:
244         (JSC::TopCallFrameSetter::TopCallFrameSetter):
245         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
246         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
247         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
248         * jit/JIT.h:
249         * jit/JITExceptions.cpp:
250         (JSC::uncaughtExceptionHandler):
251         - Convenience function to get the handler for uncaught exceptions.
252         * jit/JITExceptions.h:
253         * jit/JITInlines.h:
254         (JSC::JIT::reloadCallFrameFromTopCallFrame):
255         * jit/JITOpcodes32_64.cpp:
256         (JSC::JIT::privateCompileCTINativeCall):
257         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
258         * jit/JITStubs.cpp:
259         (JSC::throwExceptionFromOpCall):
260         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
261         (JSC::cti_vm_handle_exception):
262         - Check for the case when there are no more frames to unwind.
263         * jit/JITStubs.h:
264         * jit/JITStubsARM.h:
265         * jit/JITStubsARMv7.h:
266         * jit/JITStubsMIPS.h:
267         * jit/JITStubsSH4.h:
268         * jit/JITStubsX86.h:
269         * jit/JITStubsX86_64.h:
270         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
271         * jit/SlowPathCall.h:
272         (JSC::JITSlowPathCall::call):
273         - Reload cfr from topCallFrame when handling an exception.
274         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
275         * jit/ThunkGenerators.cpp:
276         (JSC::nativeForGenerator):
277         * llint/LowLevelInterpreter32_64.asm:
278         * llint/LowLevelInterpreter64.asm:
279         - Reload cfr from topCallFrame when handling an exception.
280         * runtime/VM.cpp:
281         (JSC::VM::VM):
282         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
283
284 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
285
286         Remove some code duplication.
287         
288         Rubber stamped by Mark Hahnenberg.
289
290         * runtime/JSDataViewPrototype.cpp:
291         (JSC::getData):
292         (JSC::setData):
293
294 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
295
296         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
297         https://bugs.webkit.org/show_bug.cgi?id=119794
298
299         Reviewed by Filip Pizlo.
300
301         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
302
303         * dfg/DFGUseKind.h:
304         (JSC::DFG::isNumerical):
305         (JSC::DFG::isDouble):
306
307 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
308
309         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
310
311         Rubber stamped by Oliver Hunt.
312         
313         This was causing some test crashes for me.
314
315         * dfg/DFGCapabilities.cpp:
316         (JSC::DFG::capabilityLevel):
317
318 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
319
320         [Windows] Clear up improper export declaration.
321
322         * runtime/ArrayBufferView.h:
323
324 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
325
326         Unreviewed, remove some unnecessary periods from exceptions.
327
328         * runtime/JSDataViewPrototype.cpp:
329         (JSC::getData):
330         (JSC::setData):
331
332 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
333
334         Unreviewed, fix 32-bit build.
335
336         * dfg/DFGSpeculativeJIT32_64.cpp:
337         (JSC::DFG::SpeculativeJIT::compile):
338
339 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
340
341         Typed arrays should be rewritten
342         https://bugs.webkit.org/show_bug.cgi?id=119064
343
344         Reviewed by Oliver Hunt.
345         
346         Typed arrays were previously deficient in several major ways:
347         
348         - They were defined separately in WebCore and in the jsc shell. The two
349           implementations were different, and the jsc shell one was basically wrong.
350           The WebCore one was quite awful, also.
351         
352         - Typed arrays were not visible to the JIT except through some weird hooks.
353           For example, the JIT could not ask "what is the Structure that this typed
354           array would have if I just allocated it from this global object". Also,
355           it was difficult to wire any of the typed array intrinsics, because most
356           of the functionality wasn't visible anywhere in JSC.
357         
358         - Typed array allocation was brain-dead. Allocating a typed array involved
359           two JS objects, two GC weak handles, and three malloc allocations.
360         
361         - Neutering. It involved keeping tabs on all native views but not the view
362           wrappers, even though the native views can autoneuter just by asking the
363           buffer if it was neutered anytime you touch them; while the JS view
364           wrappers are the ones that you really want to reach out to.
365         
366         - Common case-ing. Most typed arrays have one buffer and one view, and
367           usually nobody touches the buffer. Yet we created all of that stuff
368           anyway, using data structures optimized for the case where you had a lot
369           of views.
370         
371         - Semantic goofs. Typed arrays should, in the future, behave like ES
372           features rather than DOM features, for example when it comes to exceptions.
373           Firefox already does this and I agree with them.
374         
375         This patch cleanses our codebase of these sins:
376         
377         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
378           management of native references to buffers is left to WebCore.
379         
380         - Allocating a typed array requires either two GC allocations (a cell and a
381           copied storage vector) or one GC allocation, a malloc allocation, and a
382           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
383           latter). The latter is only used for oversize arrays. Remember that before
384           it was 7 allocations no matter what.
385         
386         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
387           mode/length, void* vector. Before it was a lot more than that - remember,
388           there were five additional objects that did absolutely nothing for anybody.
389         
390         - Native views aren't tracked by the buffer, or by the wrappers. They are
391           transient. In the future we'll probably switch to not even having them be
392           malloc'd.
393         
394         - Native array buffers have an efficient way of tracking all of their JS view
395           wrappers, both for neutering, and for lifecycle management. The GC
396           special-cases native array buffers. This saves a bunch of grief; for example
397           it means that a JS view wrapper can refer to its buffer via the butterfly,
398           which would be dead by the time we went to finalize.
399         
400         - Typed array semantics now match Firefox, which also happens to be where the
401           standards are going. The discussion on webkit-dev seemed to confirm that
402           Chrome is also heading in this direction. This includes making
403           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
404           ArrayBufferView as a JS-visible construct.
405         
406         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
407         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
408         further typed array optimizations in the JSC JITs, including inlining typed
409         array allocation, inlining more of the accessors, reducing the cost of type
410         checks, etc.
411         
412         An additional property of this patch is that typed arrays are mostly
413         implemented using templates. This deduplicates a bunch of code, but does mean
414         that we need some hacks for exporting s_info's of template classes. See
415         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
416         low-impact compared to code duplication.
417         
418         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
419
420         * CMakeLists.txt:
421         * DerivedSources.make:
422         * GNUmakefile.list.am:
423         * JSCTypedArrayStubs.h: Removed.
424         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
425         * JavaScriptCore.xcodeproj/project.pbxproj:
426         * Target.pri:
427         * bytecode/ByValInfo.h:
428         (JSC::hasOptimizableIndexingForClassInfo):
429         (JSC::jitArrayModeForClassInfo):
430         (JSC::typedArrayTypeForJITArrayMode):
431         * bytecode/SpeculatedType.cpp:
432         (JSC::speculationFromClassInfo):
433         * dfg/DFGArrayMode.cpp:
434         (JSC::DFG::toTypedArrayType):
435         * dfg/DFGArrayMode.h:
436         (JSC::DFG::ArrayMode::typedArrayType):
437         * dfg/DFGSpeculativeJIT.cpp:
438         (JSC::DFG::SpeculativeJIT::checkArray):
439         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
440         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
441         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
442         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
443         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
444         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
445         * dfg/DFGSpeculativeJIT.h:
446         * dfg/DFGSpeculativeJIT32_64.cpp:
447         (JSC::DFG::SpeculativeJIT::compile):
448         * dfg/DFGSpeculativeJIT64.cpp:
449         (JSC::DFG::SpeculativeJIT::compile):
450         * heap/CopyToken.h:
451         * heap/DeferGC.h:
452         (JSC::DeferGCForAWhile::DeferGCForAWhile):
453         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
454         * heap/GCIncomingRefCounted.h: Added.
455         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
456         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
457         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
458         (JSC::GCIncomingRefCounted::incomingReferenceAt):
459         (JSC::GCIncomingRefCounted::singletonFlag):
460         (JSC::GCIncomingRefCounted::hasVectorOfCells):
461         (JSC::GCIncomingRefCounted::hasAnyIncoming):
462         (JSC::GCIncomingRefCounted::hasSingleton):
463         (JSC::GCIncomingRefCounted::singleton):
464         (JSC::GCIncomingRefCounted::vectorOfCells):
465         * heap/GCIncomingRefCountedInlines.h: Added.
466         (JSC::::addIncomingReference):
467         (JSC::::filterIncomingReferences):
468         * heap/GCIncomingRefCountedSet.h: Added.
469         (JSC::GCIncomingRefCountedSet::size):
470         * heap/GCIncomingRefCountedSetInlines.h: Added.
471         (JSC::::GCIncomingRefCountedSet):
472         (JSC::::~GCIncomingRefCountedSet):
473         (JSC::::addReference):
474         (JSC::::sweep):
475         (JSC::::removeAll):
476         (JSC::::removeDead):
477         * heap/Heap.cpp:
478         (JSC::Heap::addReference):
479         (JSC::Heap::extraSize):
480         (JSC::Heap::size):
481         (JSC::Heap::capacity):
482         (JSC::Heap::collect):
483         (JSC::Heap::decrementDeferralDepth):
484         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
485         * heap/Heap.h:
486         * interpreter/CallFrame.h:
487         (JSC::ExecState::dataViewTable):
488         * jit/JIT.h:
489         * jit/JITPropertyAccess.cpp:
490         (JSC::JIT::privateCompileGetByVal):
491         (JSC::JIT::privateCompilePutByVal):
492         (JSC::JIT::emitIntTypedArrayGetByVal):
493         (JSC::JIT::emitFloatTypedArrayGetByVal):
494         (JSC::JIT::emitIntTypedArrayPutByVal):
495         (JSC::JIT::emitFloatTypedArrayPutByVal):
496         * jsc.cpp:
497         (GlobalObject::finishCreation):
498         * runtime/ArrayBuffer.cpp:
499         (JSC::ArrayBuffer::transfer):
500         * runtime/ArrayBuffer.h:
501         (JSC::ArrayBuffer::createAdopted):
502         (JSC::ArrayBuffer::ArrayBuffer):
503         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
504         (JSC::ArrayBuffer::pin):
505         (JSC::ArrayBuffer::unpin):
506         (JSC::ArrayBufferContents::tryAllocate):
507         * runtime/ArrayBufferView.cpp:
508         (JSC::ArrayBufferView::ArrayBufferView):
509         (JSC::ArrayBufferView::~ArrayBufferView):
510         (JSC::ArrayBufferView::setNeuterable):
511         * runtime/ArrayBufferView.h:
512         (JSC::ArrayBufferView::isNeutered):
513         (JSC::ArrayBufferView::buffer):
514         (JSC::ArrayBufferView::baseAddress):
515         (JSC::ArrayBufferView::byteOffset):
516         (JSC::ArrayBufferView::verifySubRange):
517         (JSC::ArrayBufferView::clampOffsetAndNumElements):
518         (JSC::ArrayBufferView::calculateOffsetAndLength):
519         * runtime/ClassInfo.h:
520         * runtime/CommonIdentifiers.h:
521         * runtime/DataView.cpp: Added.
522         (JSC::DataView::DataView):
523         (JSC::DataView::create):
524         (JSC::DataView::wrap):
525         * runtime/DataView.h: Added.
526         (JSC::DataView::byteLength):
527         (JSC::DataView::getType):
528         (JSC::DataView::get):
529         (JSC::DataView::set):
530         * runtime/Float32Array.h:
531         * runtime/Float64Array.h:
532         * runtime/GenericTypedArrayView.h: Added.
533         (JSC::GenericTypedArrayView::data):
534         (JSC::GenericTypedArrayView::set):
535         (JSC::GenericTypedArrayView::setRange):
536         (JSC::GenericTypedArrayView::zeroRange):
537         (JSC::GenericTypedArrayView::zeroFill):
538         (JSC::GenericTypedArrayView::length):
539         (JSC::GenericTypedArrayView::byteLength):
540         (JSC::GenericTypedArrayView::item):
541         (JSC::GenericTypedArrayView::checkInboundData):
542         (JSC::GenericTypedArrayView::getType):
543         * runtime/GenericTypedArrayViewInlines.h: Added.
544         (JSC::::GenericTypedArrayView):
545         (JSC::::create):
546         (JSC::::createUninitialized):
547         (JSC::::subarray):
548         (JSC::::wrap):
549         * runtime/IndexingHeader.h:
550         (JSC::IndexingHeader::arrayBuffer):
551         (JSC::IndexingHeader::setArrayBuffer):
552         * runtime/Int16Array.h:
553         * runtime/Int32Array.h:
554         * runtime/Int8Array.h:
555         * runtime/JSArrayBuffer.cpp: Added.
556         (JSC::JSArrayBuffer::JSArrayBuffer):
557         (JSC::JSArrayBuffer::finishCreation):
558         (JSC::JSArrayBuffer::create):
559         (JSC::JSArrayBuffer::createStructure):
560         (JSC::JSArrayBuffer::getOwnPropertySlot):
561         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
562         (JSC::JSArrayBuffer::put):
563         (JSC::JSArrayBuffer::defineOwnProperty):
564         (JSC::JSArrayBuffer::deleteProperty):
565         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
566         * runtime/JSArrayBuffer.h: Added.
567         (JSC::JSArrayBuffer::impl):
568         (JSC::toArrayBuffer):
569         * runtime/JSArrayBufferConstructor.cpp: Added.
570         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
571         (JSC::JSArrayBufferConstructor::finishCreation):
572         (JSC::JSArrayBufferConstructor::create):
573         (JSC::JSArrayBufferConstructor::createStructure):
574         (JSC::constructArrayBuffer):
575         (JSC::JSArrayBufferConstructor::getConstructData):
576         (JSC::JSArrayBufferConstructor::getCallData):
577         * runtime/JSArrayBufferConstructor.h: Added.
578         * runtime/JSArrayBufferPrototype.cpp: Added.
579         (JSC::arrayBufferProtoFuncSlice):
580         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
581         (JSC::JSArrayBufferPrototype::finishCreation):
582         (JSC::JSArrayBufferPrototype::create):
583         (JSC::JSArrayBufferPrototype::createStructure):
584         * runtime/JSArrayBufferPrototype.h: Added.
585         * runtime/JSArrayBufferView.cpp: Added.
586         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
587         (JSC::JSArrayBufferView::JSArrayBufferView):
588         (JSC::JSArrayBufferView::finishCreation):
589         (JSC::JSArrayBufferView::getOwnPropertySlot):
590         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
591         (JSC::JSArrayBufferView::put):
592         (JSC::JSArrayBufferView::defineOwnProperty):
593         (JSC::JSArrayBufferView::deleteProperty):
594         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
595         (JSC::JSArrayBufferView::finalize):
596         * runtime/JSArrayBufferView.h: Added.
597         (JSC::JSArrayBufferView::sizeOf):
598         (JSC::JSArrayBufferView::ConstructionContext::operator!):
599         (JSC::JSArrayBufferView::ConstructionContext::structure):
600         (JSC::JSArrayBufferView::ConstructionContext::vector):
601         (JSC::JSArrayBufferView::ConstructionContext::length):
602         (JSC::JSArrayBufferView::ConstructionContext::mode):
603         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
604         (JSC::JSArrayBufferView::mode):
605         (JSC::JSArrayBufferView::vector):
606         (JSC::JSArrayBufferView::length):
607         (JSC::JSArrayBufferView::offsetOfVector):
608         (JSC::JSArrayBufferView::offsetOfLength):
609         (JSC::JSArrayBufferView::offsetOfMode):
610         * runtime/JSArrayBufferViewInlines.h: Added.
611         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
612         (JSC::JSArrayBufferView::buffer):
613         (JSC::JSArrayBufferView::impl):
614         (JSC::JSArrayBufferView::neuter):
615         (JSC::JSArrayBufferView::byteOffset):
616         * runtime/JSCell.cpp:
617         (JSC::JSCell::slowDownAndWasteMemory):
618         (JSC::JSCell::getTypedArrayImpl):
619         * runtime/JSCell.h:
620         * runtime/JSDataView.cpp: Added.
621         (JSC::JSDataView::JSDataView):
622         (JSC::JSDataView::create):
623         (JSC::JSDataView::createUninitialized):
624         (JSC::JSDataView::set):
625         (JSC::JSDataView::typedImpl):
626         (JSC::JSDataView::getOwnPropertySlot):
627         (JSC::JSDataView::getOwnPropertyDescriptor):
628         (JSC::JSDataView::slowDownAndWasteMemory):
629         (JSC::JSDataView::getTypedArrayImpl):
630         (JSC::JSDataView::createStructure):
631         * runtime/JSDataView.h: Added.
632         * runtime/JSDataViewPrototype.cpp: Added.
633         (JSC::JSDataViewPrototype::JSDataViewPrototype):
634         (JSC::JSDataViewPrototype::create):
635         (JSC::JSDataViewPrototype::createStructure):
636         (JSC::JSDataViewPrototype::getOwnPropertySlot):
637         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
638         (JSC::getData):
639         (JSC::setData):
640         (JSC::dataViewProtoFuncGetInt8):
641         (JSC::dataViewProtoFuncGetInt16):
642         (JSC::dataViewProtoFuncGetInt32):
643         (JSC::dataViewProtoFuncGetUint8):
644         (JSC::dataViewProtoFuncGetUint16):
645         (JSC::dataViewProtoFuncGetUint32):
646         (JSC::dataViewProtoFuncGetFloat32):
647         (JSC::dataViewProtoFuncGetFloat64):
648         (JSC::dataViewProtoFuncSetInt8):
649         (JSC::dataViewProtoFuncSetInt16):
650         (JSC::dataViewProtoFuncSetInt32):
651         (JSC::dataViewProtoFuncSetUint8):
652         (JSC::dataViewProtoFuncSetUint16):
653         (JSC::dataViewProtoFuncSetUint32):
654         (JSC::dataViewProtoFuncSetFloat32):
655         (JSC::dataViewProtoFuncSetFloat64):
656         * runtime/JSDataViewPrototype.h: Added.
657         * runtime/JSFloat32Array.h: Added.
658         * runtime/JSFloat64Array.h: Added.
659         * runtime/JSGenericTypedArrayView.h: Added.
660         (JSC::JSGenericTypedArrayView::byteLength):
661         (JSC::JSGenericTypedArrayView::byteSize):
662         (JSC::JSGenericTypedArrayView::typedVector):
663         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
664         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
665         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
666         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
667         (JSC::JSGenericTypedArrayView::getIndexQuickly):
668         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
669         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
670         (JSC::JSGenericTypedArrayView::setIndexQuickly):
671         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
672         (JSC::JSGenericTypedArrayView::typedImpl):
673         (JSC::JSGenericTypedArrayView::createStructure):
674         (JSC::JSGenericTypedArrayView::info):
675         (JSC::toNativeTypedView):
676         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
677         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
678         (JSC::::JSGenericTypedArrayViewConstructor):
679         (JSC::::finishCreation):
680         (JSC::::create):
681         (JSC::::createStructure):
682         (JSC::constructGenericTypedArrayView):
683         (JSC::::getConstructData):
684         (JSC::::getCallData):
685         * runtime/JSGenericTypedArrayViewInlines.h: Added.
686         (JSC::::JSGenericTypedArrayView):
687         (JSC::::create):
688         (JSC::::createUninitialized):
689         (JSC::::validateRange):
690         (JSC::::setWithSpecificType):
691         (JSC::::set):
692         (JSC::::getOwnPropertySlot):
693         (JSC::::getOwnPropertyDescriptor):
694         (JSC::::put):
695         (JSC::::defineOwnProperty):
696         (JSC::::deleteProperty):
697         (JSC::::getOwnPropertySlotByIndex):
698         (JSC::::putByIndex):
699         (JSC::::deletePropertyByIndex):
700         (JSC::::getOwnNonIndexPropertyNames):
701         (JSC::::getOwnPropertyNames):
702         (JSC::::visitChildren):
703         (JSC::::copyBackingStore):
704         (JSC::::slowDownAndWasteMemory):
705         (JSC::::getTypedArrayImpl):
706         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
707         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
708         (JSC::genericTypedArrayViewProtoFuncSet):
709         (JSC::genericTypedArrayViewProtoFuncSubarray):
710         (JSC::::JSGenericTypedArrayViewPrototype):
711         (JSC::::finishCreation):
712         (JSC::::create):
713         (JSC::::createStructure):
714         * runtime/JSGlobalObject.cpp:
715         (JSC::JSGlobalObject::reset):
716         (JSC::JSGlobalObject::visitChildren):
717         * runtime/JSGlobalObject.h:
718         (JSC::JSGlobalObject::arrayBufferPrototype):
719         (JSC::JSGlobalObject::arrayBufferStructure):
720         (JSC::JSGlobalObject::typedArrayStructure):
721         * runtime/JSInt16Array.h: Added.
722         * runtime/JSInt32Array.h: Added.
723         * runtime/JSInt8Array.h: Added.
724         * runtime/JSTypedArrayConstructors.cpp: Added.
725         * runtime/JSTypedArrayConstructors.h: Added.
726         * runtime/JSTypedArrayPrototypes.cpp: Added.
727         * runtime/JSTypedArrayPrototypes.h: Added.
728         * runtime/JSTypedArrays.cpp: Added.
729         * runtime/JSTypedArrays.h: Added.
730         * runtime/JSUint16Array.h: Added.
731         * runtime/JSUint32Array.h: Added.
732         * runtime/JSUint8Array.h: Added.
733         * runtime/JSUint8ClampedArray.h: Added.
734         * runtime/Operations.h:
735         * runtime/Options.h:
736         * runtime/SimpleTypedArrayController.cpp: Added.
737         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
738         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
739         (JSC::SimpleTypedArrayController::toJS):
740         * runtime/SimpleTypedArrayController.h: Added.
741         * runtime/Structure.h:
742         (JSC::Structure::couldHaveIndexingHeader):
743         * runtime/StructureInlines.h:
744         (JSC::Structure::hasIndexingHeader):
745         * runtime/TypedArrayAdaptors.h: Added.
746         (JSC::IntegralTypedArrayAdaptor::toNative):
747         (JSC::IntegralTypedArrayAdaptor::toJSValue):
748         (JSC::IntegralTypedArrayAdaptor::toDouble):
749         (JSC::FloatTypedArrayAdaptor::toNative):
750         (JSC::FloatTypedArrayAdaptor::toJSValue):
751         (JSC::FloatTypedArrayAdaptor::toDouble):
752         (JSC::Uint8ClampedAdaptor::toNative):
753         (JSC::Uint8ClampedAdaptor::toJSValue):
754         (JSC::Uint8ClampedAdaptor::toDouble):
755         (JSC::Uint8ClampedAdaptor::clamp):
756         * runtime/TypedArrayController.cpp: Added.
757         (JSC::TypedArrayController::TypedArrayController):
758         (JSC::TypedArrayController::~TypedArrayController):
759         * runtime/TypedArrayController.h: Added.
760         * runtime/TypedArrayDescriptor.h: Removed.
761         * runtime/TypedArrayInlines.h: Added.
762         * runtime/TypedArrayType.cpp: Added.
763         (JSC::classInfoForType):
764         (WTF::printInternal):
765         * runtime/TypedArrayType.h: Added.
766         (JSC::toIndex):
767         (JSC::isTypedView):
768         (JSC::elementSize):
769         (JSC::isInt):
770         (JSC::isFloat):
771         (JSC::isSigned):
772         (JSC::isClamped):
773         * runtime/TypedArrays.h: Added.
774         * runtime/Uint16Array.h:
775         * runtime/Uint32Array.h:
776         * runtime/Uint8Array.h:
777         * runtime/Uint8ClampedArray.h:
778         * runtime/VM.cpp:
779         (JSC::VM::VM):
780         (JSC::VM::~VM):
781         * runtime/VM.h:
782
783 2013-08-15  Oliver Hunt  <oliver@apple.com>
784
785         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
786
787         Reviewed by Filip Pizlo.
788
789         Make sure dfgCapabilities doesn't report a Dynamic put as
790         being compilable when we don't actually support it.  
791
792         * bytecode/CodeBlock.cpp:
793         (JSC::CodeBlock::dumpBytecode):
794         * dfg/DFGCapabilities.cpp:
795         (JSC::DFG::capabilityLevel):
796
797 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
798
799         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
800         https://bugs.webkit.org/show_bug.cgi?id=119847
801
802         Reviewed by Oliver Hunt.
803
804         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
805         * runtime/ArrayBufferView.h: Ditto.
806
807 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
808
809         https://bugs.webkit.org/show_bug.cgi?id=119843
810         PropertySlot::setValue is ambiguous
811
812         Reviewed by Geoff Garen.
813
814         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
815         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
816         Unify on always providing the object, and remove the version that just takes a value.
817         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
818         Provide a version of setValue that takes a JSString as the owner of the property.
819         We won't store this, but it makes it clear that this interface should only be used from JSString.
820
821         * API/JSCallbackObjectFunctions.h:
822         (JSC::::getOwnPropertySlot):
823         * JSCTypedArrayStubs.h:
824         * runtime/Arguments.cpp:
825         (JSC::Arguments::getOwnPropertySlotByIndex):
826         (JSC::Arguments::getOwnPropertySlot):
827         * runtime/JSActivation.cpp:
828         (JSC::JSActivation::symbolTableGet):
829         (JSC::JSActivation::getOwnPropertySlot):
830         * runtime/JSArray.cpp:
831         (JSC::JSArray::getOwnPropertySlot):
832         * runtime/JSObject.cpp:
833         (JSC::JSObject::getOwnPropertySlotByIndex):
834         * runtime/JSString.h:
835         (JSC::JSString::getStringPropertySlot):
836         * runtime/JSSymbolTableObject.h:
837         (JSC::symbolTableGet):
838         * runtime/SparseArrayValueMap.cpp:
839         (JSC::SparseArrayEntry::get):
840             - Pass object containing property to PropertySlot::setValue
841         * runtime/PropertySlot.h:
842         (JSC::PropertySlot::setValue):
843             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
844         (JSC::PropertySlot::setUndefined):
845             - removed setValue(JSValue), added setValue(JSString*, JSValue)
846
847 2013-08-15  Oliver Hunt  <oliver@apple.com>
848
849         Remove bogus assertion.
850
851         RS=Filip Pizlo
852
853         * dfg/DFGAbstractInterpreterInlines.h:
854         (JSC::DFG::::executeEffects):
855
856 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
857
858         REGRESSION(r148790) Made 7 tests fail on x86 32bit
859         https://bugs.webkit.org/show_bug.cgi?id=114913
860
861         Reviewed by Filip Pizlo.
862
863         The X87 register was not freed before some calls. Instead
864         of inserting resetX87Registers at the last call sites,
865         the two X87 registers are now freed in every call.
866
867         * llint/LowLevelInterpreter32_64.asm:
868         * llint/LowLevelInterpreter64.asm:
869         * offlineasm/instructions.rb:
870         * offlineasm/x86.rb:
871
872 2013-08-14  Michael Saboff  <msaboff@apple.com>
873
874         Fixed jit on Win64.
875         https://bugs.webkit.org/show_bug.cgi?id=119601
876
877         Reviewed by Oliver Hunt.
878
879         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
880         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
881         * jit/SlowPathCall.h:
882         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
883
884 2013-08-14  Alex Christensen  <achristensen@apple.com>
885
886         Compile fix for Win64 with jit disabled.
887         https://bugs.webkit.org/show_bug.cgi?id=119804
888
889         Reviewed by Michael Saboff.
890
891         * offlineasm/cloop.rb: Added std:: before isnan.
892
893 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
894
895         DFG_JIT implementation for sh4 architecture.
896         https://bugs.webkit.org/show_bug.cgi?id=119737
897
898         Reviewed by Oliver Hunt.
899
900         * assembler/MacroAssemblerSH4.h:
901         (JSC::MacroAssemblerSH4::invert):
902         (JSC::MacroAssemblerSH4::add32):
903         (JSC::MacroAssemblerSH4::and32):
904         (JSC::MacroAssemblerSH4::lshift32):
905         (JSC::MacroAssemblerSH4::mul32):
906         (JSC::MacroAssemblerSH4::or32):
907         (JSC::MacroAssemblerSH4::rshift32):
908         (JSC::MacroAssemblerSH4::sub32):
909         (JSC::MacroAssemblerSH4::xor32):
910         (JSC::MacroAssemblerSH4::store32):
911         (JSC::MacroAssemblerSH4::swapDouble):
912         (JSC::MacroAssemblerSH4::storeDouble):
913         (JSC::MacroAssemblerSH4::subDouble):
914         (JSC::MacroAssemblerSH4::mulDouble):
915         (JSC::MacroAssemblerSH4::divDouble):
916         (JSC::MacroAssemblerSH4::negateDouble):
917         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
918         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
919         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
920         (JSC::MacroAssemblerSH4::swap):
921         (JSC::MacroAssemblerSH4::jump):
922         (JSC::MacroAssemblerSH4::branchNeg32):
923         (JSC::MacroAssemblerSH4::branchAdd32):
924         (JSC::MacroAssemblerSH4::branchMul32):
925         (JSC::MacroAssemblerSH4::urshift32):
926         * assembler/SH4Assembler.h:
927         (JSC::SH4Assembler::SH4Assembler):
928         (JSC::SH4Assembler::labelForWatchpoint):
929         (JSC::SH4Assembler::label):
930         (JSC::SH4Assembler::debugOffset):
931         * dfg/DFGAssemblyHelpers.h:
932         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
933         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
934         (JSC::DFG::AssemblyHelpers::debugCall):
935         * dfg/DFGCCallHelpers.h:
936         (JSC::DFG::CCallHelpers::setupArguments):
937         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
938         * dfg/DFGFPRInfo.h:
939         (JSC::DFG::FPRInfo::toRegister):
940         (JSC::DFG::FPRInfo::toIndex):
941         (JSC::DFG::FPRInfo::debugName):
942         * dfg/DFGGPRInfo.h:
943         (JSC::DFG::GPRInfo::toRegister):
944         (JSC::DFG::GPRInfo::toIndex):
945         (JSC::DFG::GPRInfo::debugName):
946         * dfg/DFGOperations.cpp:
947         * dfg/DFGSpeculativeJIT.h:
948         (JSC::DFG::SpeculativeJIT::callOperation):
949         * jit/JITStubs.h:
950         * jit/JITStubsSH4.h:
951
952 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
953
954         Unreviewed, fix build.
955
956         * API/JSValue.mm:
957         (isDate):
958         (isArray):
959         * API/JSWrapperMap.mm:
960         (tryUnwrapObjcObject):
961         * API/ObjCCallbackFunction.mm:
962         (tryUnwrapBlock):
963
964 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
965
966         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
967         https://bugs.webkit.org/show_bug.cgi?id=119770
968
969         Reviewed by Mark Hahnenberg.
970
971         * API/JSCallbackConstructor.cpp:
972         (JSC::JSCallbackConstructor::finishCreation):
973         * API/JSCallbackConstructor.h:
974         (JSC::JSCallbackConstructor::createStructure):
975         * API/JSCallbackFunction.cpp:
976         (JSC::JSCallbackFunction::finishCreation):
977         * API/JSCallbackFunction.h:
978         (JSC::JSCallbackFunction::createStructure):
979         * API/JSCallbackObject.cpp:
980         (JSC::::createStructure):
981         * API/JSCallbackObject.h:
982         (JSC::JSCallbackObject::visitChildren):
983         * API/JSCallbackObjectFunctions.h:
984         (JSC::::asCallbackObject):
985         (JSC::::finishCreation):
986         * API/JSObjectRef.cpp:
987         (JSObjectGetPrivate):
988         (JSObjectSetPrivate):
989         (JSObjectGetPrivateProperty):
990         (JSObjectSetPrivateProperty):
991         (JSObjectDeletePrivateProperty):
992         * API/JSValueRef.cpp:
993         (JSValueIsObjectOfClass):
994         * API/JSWeakObjectMapRefPrivate.cpp:
995         * API/ObjCCallbackFunction.h:
996         (JSC::ObjCCallbackFunction::createStructure):
997         * JSCTypedArrayStubs.h:
998         * bytecode/CallLinkStatus.cpp:
999         (JSC::CallLinkStatus::CallLinkStatus):
1000         (JSC::CallLinkStatus::function):
1001         (JSC::CallLinkStatus::internalFunction):
1002         * bytecode/CodeBlock.h:
1003         (JSC::baselineCodeBlockForInlineCallFrame):
1004         * bytecode/SpeculatedType.cpp:
1005         (JSC::speculationFromClassInfo):
1006         * bytecode/UnlinkedCodeBlock.cpp:
1007         (JSC::UnlinkedFunctionExecutable::visitChildren):
1008         (JSC::UnlinkedCodeBlock::visitChildren):
1009         (JSC::UnlinkedProgramCodeBlock::visitChildren):
1010         * bytecode/UnlinkedCodeBlock.h:
1011         (JSC::UnlinkedFunctionExecutable::createStructure):
1012         (JSC::UnlinkedProgramCodeBlock::createStructure):
1013         (JSC::UnlinkedEvalCodeBlock::createStructure):
1014         (JSC::UnlinkedFunctionCodeBlock::createStructure):
1015         * debugger/Debugger.cpp:
1016         * debugger/DebuggerActivation.cpp:
1017         (JSC::DebuggerActivation::visitChildren):
1018         * debugger/DebuggerActivation.h:
1019         (JSC::DebuggerActivation::createStructure):
1020         * debugger/DebuggerCallFrame.cpp:
1021         (JSC::DebuggerCallFrame::functionName):
1022         * dfg/DFGAbstractInterpreterInlines.h:
1023         (JSC::DFG::::executeEffects):
1024         * dfg/DFGByteCodeParser.cpp:
1025         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1026         (JSC::DFG::ByteCodeParser::parseBlock):
1027         * dfg/DFGFixupPhase.cpp:
1028         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1029         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1030         * dfg/DFGGraph.cpp:
1031         (JSC::DFG::Graph::dump):
1032         * dfg/DFGGraph.h:
1033         (JSC::DFG::Graph::isInternalFunctionConstant):
1034         * dfg/DFGOperations.cpp:
1035         * dfg/DFGSpeculativeJIT.cpp:
1036         (JSC::DFG::SpeculativeJIT::checkArray):
1037         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1038         * dfg/DFGThunks.cpp:
1039         (JSC::DFG::virtualForThunkGenerator):
1040         * interpreter/Interpreter.cpp:
1041         (JSC::loadVarargs):
1042         * jsc.cpp:
1043         (GlobalObject::createStructure):
1044         * profiler/LegacyProfiler.cpp:
1045         (JSC::LegacyProfiler::createCallIdentifier):
1046         * runtime/Arguments.cpp:
1047         (JSC::Arguments::visitChildren):
1048         * runtime/Arguments.h:
1049         (JSC::Arguments::createStructure):
1050         (JSC::asArguments):
1051         (JSC::Arguments::finishCreation):
1052         * runtime/ArrayConstructor.cpp:
1053         (JSC::arrayConstructorIsArray):
1054         * runtime/ArrayConstructor.h:
1055         (JSC::ArrayConstructor::createStructure):
1056         * runtime/ArrayPrototype.cpp:
1057         (JSC::ArrayPrototype::finishCreation):
1058         (JSC::arrayProtoFuncConcat):
1059         (JSC::attemptFastSort):
1060         * runtime/ArrayPrototype.h:
1061         (JSC::ArrayPrototype::createStructure):
1062         * runtime/BooleanConstructor.h:
1063         (JSC::BooleanConstructor::createStructure):
1064         * runtime/BooleanObject.cpp:
1065         (JSC::BooleanObject::finishCreation):
1066         * runtime/BooleanObject.h:
1067         (JSC::BooleanObject::createStructure):
1068         (JSC::asBooleanObject):
1069         * runtime/BooleanPrototype.cpp:
1070         (JSC::BooleanPrototype::finishCreation):
1071         (JSC::booleanProtoFuncToString):
1072         (JSC::booleanProtoFuncValueOf):
1073         * runtime/BooleanPrototype.h:
1074         (JSC::BooleanPrototype::createStructure):
1075         * runtime/DateConstructor.cpp:
1076         (JSC::constructDate):
1077         * runtime/DateConstructor.h:
1078         (JSC::DateConstructor::createStructure):
1079         * runtime/DateInstance.cpp:
1080         (JSC::DateInstance::finishCreation):
1081         * runtime/DateInstance.h:
1082         (JSC::DateInstance::createStructure):
1083         (JSC::asDateInstance):
1084         * runtime/DatePrototype.cpp:
1085         (JSC::formateDateInstance):
1086         (JSC::DatePrototype::finishCreation):
1087         (JSC::dateProtoFuncToISOString):
1088         (JSC::dateProtoFuncToLocaleString):
1089         (JSC::dateProtoFuncToLocaleDateString):
1090         (JSC::dateProtoFuncToLocaleTimeString):
1091         (JSC::dateProtoFuncGetTime):
1092         (JSC::dateProtoFuncGetFullYear):
1093         (JSC::dateProtoFuncGetUTCFullYear):
1094         (JSC::dateProtoFuncGetMonth):
1095         (JSC::dateProtoFuncGetUTCMonth):
1096         (JSC::dateProtoFuncGetDate):
1097         (JSC::dateProtoFuncGetUTCDate):
1098         (JSC::dateProtoFuncGetDay):
1099         (JSC::dateProtoFuncGetUTCDay):
1100         (JSC::dateProtoFuncGetHours):
1101         (JSC::dateProtoFuncGetUTCHours):
1102         (JSC::dateProtoFuncGetMinutes):
1103         (JSC::dateProtoFuncGetUTCMinutes):
1104         (JSC::dateProtoFuncGetSeconds):
1105         (JSC::dateProtoFuncGetUTCSeconds):
1106         (JSC::dateProtoFuncGetMilliSeconds):
1107         (JSC::dateProtoFuncGetUTCMilliseconds):
1108         (JSC::dateProtoFuncGetTimezoneOffset):
1109         (JSC::dateProtoFuncSetTime):
1110         (JSC::setNewValueFromTimeArgs):
1111         (JSC::setNewValueFromDateArgs):
1112         (JSC::dateProtoFuncSetYear):
1113         (JSC::dateProtoFuncGetYear):
1114         * runtime/DatePrototype.h:
1115         (JSC::DatePrototype::createStructure):
1116         * runtime/Error.h:
1117         (JSC::StrictModeTypeErrorFunction::createStructure):
1118         * runtime/ErrorConstructor.h:
1119         (JSC::ErrorConstructor::createStructure):
1120         * runtime/ErrorInstance.cpp:
1121         (JSC::ErrorInstance::finishCreation):
1122         * runtime/ErrorInstance.h:
1123         (JSC::ErrorInstance::createStructure):
1124         * runtime/ErrorPrototype.cpp:
1125         (JSC::ErrorPrototype::finishCreation):
1126         * runtime/ErrorPrototype.h:
1127         (JSC::ErrorPrototype::createStructure):
1128         * runtime/ExceptionHelpers.cpp:
1129         (JSC::isTerminatedExecutionException):
1130         * runtime/ExceptionHelpers.h:
1131         (JSC::TerminatedExecutionError::createStructure):
1132         * runtime/Executable.cpp:
1133         (JSC::EvalExecutable::visitChildren):
1134         (JSC::ProgramExecutable::visitChildren):
1135         (JSC::FunctionExecutable::visitChildren):
1136         (JSC::ExecutableBase::hashFor):
1137         * runtime/Executable.h:
1138         (JSC::ExecutableBase::createStructure):
1139         (JSC::NativeExecutable::createStructure):
1140         (JSC::EvalExecutable::createStructure):
1141         (JSC::ProgramExecutable::createStructure):
1142         (JSC::FunctionExecutable::compileFor):
1143         (JSC::FunctionExecutable::compileOptimizedFor):
1144         (JSC::FunctionExecutable::createStructure):
1145         * runtime/FunctionConstructor.h:
1146         (JSC::FunctionConstructor::createStructure):
1147         * runtime/FunctionPrototype.cpp:
1148         (JSC::functionProtoFuncToString):
1149         (JSC::functionProtoFuncApply):
1150         (JSC::functionProtoFuncBind):
1151         * runtime/FunctionPrototype.h:
1152         (JSC::FunctionPrototype::createStructure):
1153         * runtime/GetterSetter.cpp:
1154         (JSC::GetterSetter::visitChildren):
1155         * runtime/GetterSetter.h:
1156         (JSC::GetterSetter::createStructure):
1157         * runtime/InternalFunction.cpp:
1158         (JSC::InternalFunction::finishCreation):
1159         * runtime/InternalFunction.h:
1160         (JSC::InternalFunction::createStructure):
1161         (JSC::asInternalFunction):
1162         * runtime/JSAPIValueWrapper.h:
1163         (JSC::JSAPIValueWrapper::createStructure):
1164         * runtime/JSActivation.cpp:
1165         (JSC::JSActivation::visitChildren):
1166         (JSC::JSActivation::argumentsGetter):
1167         * runtime/JSActivation.h:
1168         (JSC::JSActivation::createStructure):
1169         (JSC::asActivation):
1170         * runtime/JSArray.h:
1171         (JSC::JSArray::createStructure):
1172         (JSC::asArray):
1173         (JSC::isJSArray):
1174         * runtime/JSBoundFunction.cpp:
1175         (JSC::JSBoundFunction::finishCreation):
1176         (JSC::JSBoundFunction::visitChildren):
1177         * runtime/JSBoundFunction.h:
1178         (JSC::JSBoundFunction::createStructure):
1179         * runtime/JSCJSValue.cpp:
1180         (JSC::JSValue::dumpInContext):
1181         * runtime/JSCJSValueInlines.h:
1182         (JSC::JSValue::isFunction):
1183         * runtime/JSCell.h:
1184         (JSC::jsCast):
1185         (JSC::jsDynamicCast):
1186         * runtime/JSCellInlines.h:
1187         (JSC::allocateCell):
1188         * runtime/JSFunction.cpp:
1189         (JSC::JSFunction::finishCreation):
1190         (JSC::JSFunction::visitChildren):
1191         (JSC::skipOverBoundFunctions):
1192         (JSC::JSFunction::callerGetter):
1193         * runtime/JSFunction.h:
1194         (JSC::JSFunction::createStructure):
1195         * runtime/JSGlobalObject.cpp:
1196         (JSC::JSGlobalObject::visitChildren):
1197         (JSC::slowValidateCell):
1198         * runtime/JSGlobalObject.h:
1199         (JSC::JSGlobalObject::createStructure):
1200         * runtime/JSNameScope.cpp:
1201         (JSC::JSNameScope::visitChildren):
1202         * runtime/JSNameScope.h:
1203         (JSC::JSNameScope::createStructure):
1204         * runtime/JSNotAnObject.h:
1205         (JSC::JSNotAnObject::createStructure):
1206         * runtime/JSONObject.cpp:
1207         (JSC::JSONObject::finishCreation):
1208         (JSC::unwrapBoxedPrimitive):
1209         (JSC::Stringifier::Stringifier):
1210         (JSC::Stringifier::appendStringifiedValue):
1211         (JSC::Stringifier::Holder::Holder):
1212         (JSC::Walker::walk):
1213         (JSC::JSONProtoFuncStringify):
1214         * runtime/JSONObject.h:
1215         (JSC::JSONObject::createStructure):
1216         * runtime/JSObject.cpp:
1217         (JSC::getCallableObjectSlow):
1218         (JSC::JSObject::visitChildren):
1219         (JSC::JSObject::copyBackingStore):
1220         (JSC::JSFinalObject::visitChildren):
1221         (JSC::JSObject::ensureInt32Slow):
1222         (JSC::JSObject::ensureDoubleSlow):
1223         (JSC::JSObject::ensureContiguousSlow):
1224         (JSC::JSObject::ensureArrayStorageSlow):
1225         * runtime/JSObject.h:
1226         (JSC::JSObject::finishCreation):
1227         (JSC::JSObject::createStructure):
1228         (JSC::JSNonFinalObject::createStructure):
1229         (JSC::JSFinalObject::createStructure):
1230         (JSC::isJSFinalObject):
1231         * runtime/JSPropertyNameIterator.cpp:
1232         (JSC::JSPropertyNameIterator::visitChildren):
1233         * runtime/JSPropertyNameIterator.h:
1234         (JSC::JSPropertyNameIterator::createStructure):
1235         * runtime/JSProxy.cpp:
1236         (JSC::JSProxy::visitChildren):
1237         * runtime/JSProxy.h:
1238         (JSC::JSProxy::createStructure):
1239         * runtime/JSScope.cpp:
1240         (JSC::JSScope::visitChildren):
1241         * runtime/JSSegmentedVariableObject.cpp:
1242         (JSC::JSSegmentedVariableObject::visitChildren):
1243         * runtime/JSString.h:
1244         (JSC::JSString::createStructure):
1245         (JSC::isJSString):
1246         * runtime/JSSymbolTableObject.cpp:
1247         (JSC::JSSymbolTableObject::visitChildren):
1248         * runtime/JSVariableObject.h:
1249         * runtime/JSWithScope.cpp:
1250         (JSC::JSWithScope::visitChildren):
1251         * runtime/JSWithScope.h:
1252         (JSC::JSWithScope::createStructure):
1253         * runtime/JSWrapperObject.cpp:
1254         (JSC::JSWrapperObject::visitChildren):
1255         * runtime/JSWrapperObject.h:
1256         (JSC::JSWrapperObject::createStructure):
1257         * runtime/MathObject.cpp:
1258         (JSC::MathObject::finishCreation):
1259         * runtime/MathObject.h:
1260         (JSC::MathObject::createStructure):
1261         * runtime/NameConstructor.h:
1262         (JSC::NameConstructor::createStructure):
1263         * runtime/NameInstance.h:
1264         (JSC::NameInstance::createStructure):
1265         (JSC::NameInstance::finishCreation):
1266         * runtime/NamePrototype.cpp:
1267         (JSC::NamePrototype::finishCreation):
1268         (JSC::privateNameProtoFuncToString):
1269         * runtime/NamePrototype.h:
1270         (JSC::NamePrototype::createStructure):
1271         * runtime/NativeErrorConstructor.cpp:
1272         (JSC::NativeErrorConstructor::visitChildren):
1273         * runtime/NativeErrorConstructor.h:
1274         (JSC::NativeErrorConstructor::createStructure):
1275         (JSC::NativeErrorConstructor::finishCreation):
1276         * runtime/NumberConstructor.cpp:
1277         (JSC::NumberConstructor::finishCreation):
1278         * runtime/NumberConstructor.h:
1279         (JSC::NumberConstructor::createStructure):
1280         * runtime/NumberObject.cpp:
1281         (JSC::NumberObject::finishCreation):
1282         * runtime/NumberObject.h:
1283         (JSC::NumberObject::createStructure):
1284         * runtime/NumberPrototype.cpp:
1285         (JSC::NumberPrototype::finishCreation):
1286         * runtime/NumberPrototype.h:
1287         (JSC::NumberPrototype::createStructure):
1288         * runtime/ObjectConstructor.h:
1289         (JSC::ObjectConstructor::createStructure):
1290         * runtime/ObjectPrototype.cpp:
1291         (JSC::ObjectPrototype::finishCreation):
1292         * runtime/ObjectPrototype.h:
1293         (JSC::ObjectPrototype::createStructure):
1294         * runtime/PropertyMapHashTable.h:
1295         (JSC::PropertyTable::createStructure):
1296         * runtime/PropertyTable.cpp:
1297         (JSC::PropertyTable::visitChildren):
1298         * runtime/RegExp.h:
1299         (JSC::RegExp::createStructure):
1300         * runtime/RegExpConstructor.cpp:
1301         (JSC::RegExpConstructor::finishCreation):
1302         (JSC::RegExpConstructor::visitChildren):
1303         (JSC::constructRegExp):
1304         * runtime/RegExpConstructor.h:
1305         (JSC::RegExpConstructor::createStructure):
1306         (JSC::asRegExpConstructor):
1307         * runtime/RegExpMatchesArray.cpp:
1308         (JSC::RegExpMatchesArray::visitChildren):
1309         * runtime/RegExpMatchesArray.h:
1310         (JSC::RegExpMatchesArray::createStructure):
1311         * runtime/RegExpObject.cpp:
1312         (JSC::RegExpObject::finishCreation):
1313         (JSC::RegExpObject::visitChildren):
1314         * runtime/RegExpObject.h:
1315         (JSC::RegExpObject::createStructure):
1316         (JSC::asRegExpObject):
1317         * runtime/RegExpPrototype.cpp:
1318         (JSC::regExpProtoFuncTest):
1319         (JSC::regExpProtoFuncExec):
1320         (JSC::regExpProtoFuncCompile):
1321         (JSC::regExpProtoFuncToString):
1322         * runtime/RegExpPrototype.h:
1323         (JSC::RegExpPrototype::createStructure):
1324         * runtime/SparseArrayValueMap.cpp:
1325         (JSC::SparseArrayValueMap::createStructure):
1326         * runtime/SparseArrayValueMap.h:
1327         * runtime/StrictEvalActivation.h:
1328         (JSC::StrictEvalActivation::createStructure):
1329         * runtime/StringConstructor.h:
1330         (JSC::StringConstructor::createStructure):
1331         * runtime/StringObject.cpp:
1332         (JSC::StringObject::finishCreation):
1333         * runtime/StringObject.h:
1334         (JSC::StringObject::createStructure):
1335         (JSC::asStringObject):
1336         * runtime/StringPrototype.cpp:
1337         (JSC::StringPrototype::finishCreation):
1338         (JSC::stringProtoFuncReplace):
1339         (JSC::stringProtoFuncToString):
1340         (JSC::stringProtoFuncMatch):
1341         (JSC::stringProtoFuncSearch):
1342         (JSC::stringProtoFuncSplit):
1343         * runtime/StringPrototype.h:
1344         (JSC::StringPrototype::createStructure):
1345         * runtime/Structure.cpp:
1346         (JSC::Structure::Structure):
1347         (JSC::Structure::materializePropertyMap):
1348         (JSC::Structure::get):
1349         (JSC::Structure::visitChildren):
1350         * runtime/Structure.h:
1351         (JSC::Structure::typeInfo):
1352         (JSC::Structure::previousID):
1353         (JSC::Structure::outOfLineSize):
1354         (JSC::Structure::totalStorageCapacity):
1355         (JSC::Structure::materializePropertyMapIfNecessary):
1356         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1357         * runtime/StructureChain.cpp:
1358         (JSC::StructureChain::visitChildren):
1359         * runtime/StructureChain.h:
1360         (JSC::StructureChain::createStructure):
1361         * runtime/StructureInlines.h:
1362         (JSC::Structure::get):
1363         * runtime/StructureRareData.cpp:
1364         (JSC::StructureRareData::createStructure):
1365         (JSC::StructureRareData::visitChildren):
1366         * runtime/StructureRareData.h:
1367         * runtime/SymbolTable.h:
1368         (JSC::SharedSymbolTable::createStructure):
1369         * runtime/VM.cpp:
1370         (JSC::VM::VM):
1371         (JSC::StackPreservingRecompiler::operator()):
1372         (JSC::VM::releaseExecutableMemory):
1373         * runtime/WriteBarrier.h:
1374         (JSC::validateCell):
1375         * testRegExp.cpp:
1376         (GlobalObject::createStructure):
1377
1378 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1379
1380         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1381         https://bugs.webkit.org/show_bug.cgi?id=119762
1382
1383         Reviewed by Geoffrey Garen.
1384
1385         * heap/Heap.cpp:
1386         (JSC::Heap::Heap):
1387         (JSC::Heap::markRoots):
1388         (JSC::Heap::collect):
1389         * jsc.cpp:
1390         (StopWatch::start):
1391         (StopWatch::stop):
1392         * testRegExp.cpp:
1393         (StopWatch::start):
1394         (StopWatch::stop):
1395
1396 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1397
1398         [sh4] Prepare LLINT for DFG_JIT implementation.
1399         https://bugs.webkit.org/show_bug.cgi?id=119755
1400
1401         Reviewed by Oliver Hunt.
1402
1403         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1404         * offlineasm/sh4.rb:
1405             - Handle storeb opcode.
1406             - Make relative jumps when possible using braf opcode.
1407             - Update bmulio implementation to be consistent with baseline JIT.
1408             - Remove useless code from leap opcode.
1409             - Fix incorrect comment.
1410
1411 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1412
1413         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1414         https://bugs.webkit.org/show_bug.cgi?id=119758
1415
1416         Reviewed by Oliver Hunt.
1417
1418         * assembler/MacroAssemblerSH4.h:
1419             - Introduce a loadEffectiveAddress function to avoid code duplication.
1420             - Add ASSERTs and clean code.
1421         * assembler/SH4Assembler.h:
1422             - Prepare DFG_JIT implementation.
1423             - Add ASSERTs.
1424         * jit/JITStubs.cpp:
1425             - Add SH4 specific call for assertions.
1426         * jit/JITStubs.h:
1427             - Cosmetic change.
1428         * jit/JITStubsSH4.h:
1429             - Use constants to be more flexible with sh4 JIT stack frame.
1430         * jit/JSInterfaceJIT.h:
1431             - Cosmetic change.
1432
1433 2013-08-13  Oliver Hunt  <oliver@apple.com>
1434
1435         Harden executeConstruct against incorrect return types from host functions
1436         https://bugs.webkit.org/show_bug.cgi?id=119757
1437
1438         Reviewed by Mark Hahnenberg.
1439
1440         Add logic to guard against bogus return types.  There doesn't seem to be any
1441         class in WebKit that does this wrong, but the typed array stubs in debug JSC
1442         do exhibit this bad behaviour.
1443
1444         * interpreter/Interpreter.cpp:
1445         (JSC::Interpreter::executeConstruct):
1446
1447 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1448
1449         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1450         https://bugs.webkit.org/show_bug.cgi?id=119736
1451
1452         Reviewed by Anders Carlsson.
1453
1454         Don't force C++11 mode off anymore.
1455
1456         * Target.pri:
1457
1458 2013-08-12  Oliver Hunt  <oliver@apple.com>
1459
1460         Remove CodeBlock's notion of adding identifiers entirely
1461         https://bugs.webkit.org/show_bug.cgi?id=119708
1462
1463         Reviewed by Geoffrey Garen.
1464
1465         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1466         Move the addition of identifiers to DFGPlan::reallyAdd.
1467
1468         * bytecode/CodeBlock.h:
1469         * dfg/DFGDesiredIdentifiers.cpp:
1470         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1471         * dfg/DFGDesiredIdentifiers.h:
1472         * dfg/DFGPlan.cpp:
1473         (JSC::DFG::Plan::reallyAdd):
1474         (JSC::DFG::Plan::finalize):
1475         * dfg/DFGPlan.h:
1476
1477 2013-08-12  Oliver Hunt  <oliver@apple.com>
1478
1479         Build fix
1480
1481         * runtime/JSCell.h:
1482
1483 2013-08-12  Oliver Hunt  <oliver@apple.com>
1484
1485         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1486         https://bugs.webkit.org/show_bug.cgi?id=119705
1487
1488         Reviewed by Geoffrey Garen.
1489
1490         Relatively trivial refactoring.
1491
1492         * bytecode/CodeBlock.h:
1493         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1494         (JSC::CodeBlock::addAdditionalIdentifier):
1495         (JSC::CodeBlock::identifier):
1496         (JSC::CodeBlock::numberOfIdentifiers):
1497         * dfg/DFGCommonData.h:
1498
1499 2013-08-12  Oliver Hunt  <oliver@apple.com>
1500
1501         Stop making unnecessary copy of CodeBlock Identifier Vector
1502         https://bugs.webkit.org/show_bug.cgi?id=119702
1503
1504         Reviewed by Michael Saboff.
1505
1506         Make CodeBlock simply use a separate Vector for additional Identifiers
1507         and use the UnlinkedCodeBlock for the initial set of identifiers.
1508
1509         * bytecode/CodeBlock.cpp:
1510         (JSC::CodeBlock::printGetByIdOp):
1511         (JSC::dumpStructure):
1512         (JSC::dumpChain):
1513         (JSC::CodeBlock::printGetByIdCacheStatus):
1514         (JSC::CodeBlock::printPutByIdOp):
1515         (JSC::CodeBlock::dumpBytecode):
1516         (JSC::CodeBlock::CodeBlock):
1517         (JSC::CodeBlock::shrinkToFit):
1518         * bytecode/CodeBlock.h:
1519         (JSC::CodeBlock::numberOfIdentifiers):
1520         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1521         (JSC::CodeBlock::addAdditionalIdentifier):
1522         (JSC::CodeBlock::identifier):
1523         * dfg/DFGDesiredIdentifiers.cpp:
1524         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1525         * jit/JIT.h:
1526         * jit/JITOpcodes.cpp:
1527         (JSC::JIT::emitSlow_op_get_arguments_length):
1528         * jit/JITPropertyAccess.cpp:
1529         (JSC::JIT::emit_op_get_by_id):
1530         (JSC::JIT::compileGetByIdHotPath):
1531         (JSC::JIT::emitSlow_op_get_by_id):
1532         (JSC::JIT::compileGetByIdSlowCase):
1533         (JSC::JIT::emitSlow_op_put_by_id):
1534         * jit/JITPropertyAccess32_64.cpp:
1535         (JSC::JIT::emit_op_get_by_id):
1536         (JSC::JIT::compileGetByIdHotPath):
1537         (JSC::JIT::compileGetByIdSlowCase):
1538         * jit/JITStubs.cpp:
1539         (JSC::DEFINE_STUB_FUNCTION):
1540         * llint/LLIntSlowPaths.cpp:
1541         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1542
1543 2013-08-08  Mark Lam  <mark.lam@apple.com>
1544
1545         Restoring use of StackIterator instead of Interpreter::getStackTrace().
1546         https://bugs.webkit.org/show_bug.cgi?id=119575.
1547
1548         Reviewed by Oliver Hunt.
1549
1550         * interpreter/Interpreter.h:
1551         - Made getStackTrace() private.
1552         * interpreter/StackIterator.cpp:
1553         (JSC::StackIterator::StackIterator):
1554         (JSC::StackIterator::numberOfFrames):
1555         - Computes the number of frames by iterating through the whole stack
1556           from the starting frame. The iterator will save its current frame
1557           position before counting the frames, and then restore it after
1558           the counting.
1559         (JSC::StackIterator::gotoFrameAtIndex):
1560         (JSC::StackIterator::gotoNextFrame):
1561         (JSC::StackIterator::resetIterator):
1562         - Points the iterator to the starting frame.
1563         * interpreter/StackIteratorPrivate.h:
1564
1565 2013-08-08  Mark Lam  <mark.lam@apple.com>
1566
1567         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1568         the Interpreter class.
1569         https://bugs.webkit.org/show_bug.cgi?id=119576.
1570
1571         Reviewed by Oliver Hunt.
1572
1573         This change is needed to prepare for making Interpreter::getStackTrace()
1574         private. It does not change the behavior of the code, only the lexical
1575         scoping.
1576
1577         * interpreter/Interpreter.h:
1578         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1579         * runtime/ErrorConstructor.cpp:
1580         (JSC::Interpreter::constructWithErrorConstructor):
1581         (JSC::ErrorConstructor::getConstructData):
1582         (JSC::Interpreter::callErrorConstructor):
1583         (JSC::ErrorConstructor::getCallData):
1584         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1585           directly. So, we moved the helper functions into the Interpreter
1586           class.
1587         * runtime/NativeErrorConstructor.cpp:
1588         (JSC::Interpreter::constructWithNativeErrorConstructor):
1589         (JSC::NativeErrorConstructor::getConstructData):
1590         (JSC::Interpreter::callNativeErrorConstructor):
1591         (JSC::NativeErrorConstructor::getCallData):
1592         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1593           directly. So, we moved the helper functions into the Interpreter
1594           class.
1595
1596 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1597
1598         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1599         https://bugs.webkit.org/show_bug.cgi?id=119555
1600
1601         Reviewed by Geoffrey Garen.
1602
1603         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
1604         This was causing crashes on maps.google.com in 32-bit debug builds.
1605
1606         * dfg/DFGSpeculativeJIT32_64.cpp:
1607         (JSC::DFG::SpeculativeJIT::compile):
1608
1609 2013-08-06  Michael Saboff  <msaboff@apple.com>
1610
1611         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
1612         https://bugs.webkit.org/show_bug.cgi?id=119405
1613
1614         Reviewed by Geoffrey Garen.
1615
1616         * dfg/DFGSpeculativeJIT.cpp:
1617         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
1618         ourselves to save a register and then load from it.
1619
1620 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
1621
1622         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
1623         https://bugs.webkit.org/show_bug.cgi?id=119528
1624
1625         Reviewed by Geoffrey Garen.
1626
1627         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
1628         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
1629         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
1630         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
1631         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
1632
1633         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
1634
1635         * bytecode/CodeBlock.cpp:
1636         (JSC::CodeBlock::finalizeUnconditionally):
1637         * dfg/DFGDriver.cpp:
1638         (JSC::DFG::compile):
1639         * dfg/DFGFixupPhase.cpp:
1640         (JSC::DFG::FixupPhase::fixupNode):
1641         * dfg/DFGGraph.cpp:
1642         (JSC::DFG::Graph::dump):
1643         * dfg/DFGSpeculativeJIT64.cpp:
1644         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1645         * runtime/JSObject.h:
1646         (JSC::JSObject::getIndexQuickly):
1647         (JSC::JSObject::tryGetIndexQuickly):
1648
1649 2013-08-08  Stephanie Lewis  <slewis@apple.com>
1650
1651         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
1652
1653         Unreviewed.
1654
1655         Ensure llint symbols are in source order.
1656
1657         * JavaScriptCore.order:
1658
1659 2013-08-06  Mark Lam  <mark.lam@apple.com>
1660
1661         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
1662         https://bugs.webkit.org/show_bug.cgi?id=119532.
1663
1664         Reviewed by Oliver Hunt.
1665
1666         * parser/Parser.cpp:
1667         (JSC::::Parser):
1668         - Just need to initialize the Parser's JSTokenLocation's initial line and
1669           startOffset as well during Parser construction.
1670
1671 2013-08-06  Stephanie Lewis  <slewis@apple.com>
1672
1673         Update Order Files for Safari
1674         <rdar://problem/14517392>
1675
1676         Unreviewed.
1677
1678         * JavaScriptCore.order:
1679
1680 2013-08-04  Sam Weinig  <sam@webkit.org>
1681
1682         Remove support for HTML5 MicroData
1683         https://bugs.webkit.org/show_bug.cgi?id=119480
1684
1685         Reviewed by Anders Carlsson.
1686
1687         * Configurations/FeatureDefines.xcconfig:
1688
1689 2013-08-05  Oliver Hunt  <oliver@apple.com>
1690
1691         Delay Arguments creation in strict mode
1692         https://bugs.webkit.org/show_bug.cgi?id=119505
1693
1694         Reviewed by Geoffrey Garen.
1695
1696         Make use of the write tracking performed by the parser to
1697         allow us to know if we're modifying the parameters to a function.
1698         Then use that information to make strict mode function opt out
1699         of eager arguments creation.
1700
1701         * bytecompiler/BytecodeGenerator.cpp:
1702         (JSC::BytecodeGenerator::BytecodeGenerator):
1703         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
1704         (JSC::BytecodeGenerator::emitReturn):
1705         * bytecompiler/BytecodeGenerator.h:
1706         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
1707         * parser/Nodes.h:
1708         (JSC::ScopeNode::modifiesParameter):
1709         * parser/Parser.cpp:
1710         (JSC::::parseInner):
1711         * parser/Parser.h:
1712         (JSC::Scope::declareParameter):
1713         (JSC::Scope::getCapturedVariables):
1714         (JSC::Parser::declareWrite):
1715         * parser/ParserModes.h:
1716
1717 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1718
1719         Remove useless code from COMPILER(RVCT) JITStubs
1720         https://bugs.webkit.org/show_bug.cgi?id=119521
1721
1722         Reviewed by Geoffrey Garen.
1723
1724         * jit/JITStubsARMv7.h:
1725         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
1726         (JSC::ctiOpThrowNotCaught): Ditto.
1727
1728 2013-07-23  David Farler  <dfarler@apple.com>
1729
1730         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
1731         https://bugs.webkit.org/show_bug.cgi?id=117762
1732
1733         Reviewed by Mark Rowe.
1734
1735         * Configurations/DebugRelease.xcconfig:
1736         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
1737         * Configurations/JavaScriptCore.xcconfig:
1738         Add ASAN_OTHER_LDFLAGS.
1739         * Configurations/ToolExecutable.xcconfig:
1740         Don't use ASAN for build tools.
1741
1742 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1743
1744         Build fix for ARM MSVC after r153222 and r153648.
1745
1746         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
1747
1748 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1749
1750         Build fix for ARM MSVC after r150109.
1751
1752         Read the stub template from a header file instead of JITStubs.cpp.
1753
1754         * CMakeLists.txt:
1755         * DerivedSources.pri:
1756         * create_jit_stubs:
1757
1758 2013-08-05  Oliver Hunt  <oliver@apple.com>
1759
1760         Move TypedArray implementation into JSC
1761         https://bugs.webkit.org/show_bug.cgi?id=119489
1762
1763         Reviewed by Filip Pizlo.
1764
1765         Move TypedArray implementation into JSC in advance of re-implementation.
1766
1767         * GNUmakefile.list.am:
1768         * JSCTypedArrayStubs.h:
1769         * JavaScriptCore.xcodeproj/project.pbxproj:
1770         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
1771         (JSC::ArrayBuffer::transfer):
1772         (JSC::ArrayBuffer::addView):
1773         (JSC::ArrayBuffer::removeView):
1774         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
1775         (JSC::ArrayBufferContents::ArrayBufferContents):
1776         (JSC::ArrayBufferContents::data):
1777         (JSC::ArrayBufferContents::sizeInBytes):
1778         (JSC::ArrayBufferContents::transfer):
1779         (JSC::ArrayBufferContents::copyTo):
1780         (JSC::ArrayBuffer::isNeutered):
1781         (JSC::ArrayBuffer::~ArrayBuffer):
1782         (JSC::ArrayBuffer::clampValue):
1783         (JSC::ArrayBuffer::create):
1784         (JSC::ArrayBuffer::createUninitialized):
1785         (JSC::ArrayBuffer::ArrayBuffer):
1786         (JSC::ArrayBuffer::data):
1787         (JSC::ArrayBuffer::byteLength):
1788         (JSC::ArrayBuffer::slice):
1789         (JSC::ArrayBuffer::sliceImpl):
1790         (JSC::ArrayBuffer::clampIndex):
1791         (JSC::ArrayBufferContents::tryAllocate):
1792         (JSC::ArrayBufferContents::~ArrayBufferContents):
1793         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
1794         (JSC::ArrayBufferView::ArrayBufferView):
1795         (JSC::ArrayBufferView::~ArrayBufferView):
1796         (JSC::ArrayBufferView::neuter):
1797         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
1798         (JSC::ArrayBufferView::buffer):
1799         (JSC::ArrayBufferView::baseAddress):
1800         (JSC::ArrayBufferView::byteOffset):
1801         (JSC::ArrayBufferView::setNeuterable):
1802         (JSC::ArrayBufferView::isNeuterable):
1803         (JSC::ArrayBufferView::verifySubRange):
1804         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1805         (JSC::ArrayBufferView::setImpl):
1806         (JSC::ArrayBufferView::setRangeImpl):
1807         (JSC::ArrayBufferView::zeroRangeImpl):
1808         (JSC::ArrayBufferView::calculateOffsetAndLength):
1809         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
1810         (JSC::Float32Array::set):
1811         (JSC::Float32Array::getType):
1812         (JSC::Float32Array::create):
1813         (JSC::Float32Array::createUninitialized):
1814         (JSC::Float32Array::Float32Array):
1815         (JSC::Float32Array::subarray):
1816         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
1817         (JSC::Float64Array::set):
1818         (JSC::Float64Array::getType):
1819         (JSC::Float64Array::create):
1820         (JSC::Float64Array::createUninitialized):
1821         (JSC::Float64Array::Float64Array):
1822         (JSC::Float64Array::subarray):
1823         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
1824         (JSC::Int16Array::getType):
1825         (JSC::Int16Array::create):
1826         (JSC::Int16Array::createUninitialized):
1827         (JSC::Int16Array::Int16Array):
1828         (JSC::Int16Array::subarray):
1829         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
1830         (JSC::Int32Array::getType):
1831         (JSC::Int32Array::create):
1832         (JSC::Int32Array::createUninitialized):
1833         (JSC::Int32Array::Int32Array):
1834         (JSC::Int32Array::subarray):
1835         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
1836         (JSC::Int8Array::getType):
1837         (JSC::Int8Array::create):
1838         (JSC::Int8Array::createUninitialized):
1839         (JSC::Int8Array::Int8Array):
1840         (JSC::Int8Array::subarray):
1841         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
1842         (JSC::IntegralTypedArrayBase::set):
1843         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
1844         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
1845         (JSC::TypedArrayBase::data):
1846         (JSC::TypedArrayBase::set):
1847         (JSC::TypedArrayBase::setRange):
1848         (JSC::TypedArrayBase::zeroRange):
1849         (JSC::TypedArrayBase::length):
1850         (JSC::TypedArrayBase::byteLength):
1851         (JSC::TypedArrayBase::item):
1852         (JSC::TypedArrayBase::checkInboundData):
1853         (JSC::TypedArrayBase::TypedArrayBase):
1854         (JSC::TypedArrayBase::create):
1855         (JSC::TypedArrayBase::createUninitialized):
1856         (JSC::TypedArrayBase::subarrayImpl):
1857         (JSC::TypedArrayBase::neuter):
1858         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
1859         (JSC::Uint16Array::getType):
1860         (JSC::Uint16Array::create):
1861         (JSC::Uint16Array::createUninitialized):
1862         (JSC::Uint16Array::Uint16Array):
1863         (JSC::Uint16Array::subarray):
1864         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
1865         (JSC::Uint32Array::getType):
1866         (JSC::Uint32Array::create):
1867         (JSC::Uint32Array::createUninitialized):
1868         (JSC::Uint32Array::Uint32Array):
1869         (JSC::Uint32Array::subarray):
1870         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
1871         (JSC::Uint8Array::getType):
1872         (JSC::Uint8Array::create):
1873         (JSC::Uint8Array::createUninitialized):
1874         (JSC::Uint8Array::Uint8Array):
1875         (JSC::Uint8Array::subarray):
1876         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
1877         (JSC::Uint8ClampedArray::getType):
1878         (JSC::Uint8ClampedArray::create):
1879         (JSC::Uint8ClampedArray::createUninitialized):
1880         (JSC::Uint8ClampedArray::zeroFill):
1881         (JSC::Uint8ClampedArray::set):
1882         (JSC::Uint8ClampedArray::Uint8ClampedArray):
1883         (JSC::Uint8ClampedArray::subarray):
1884         * runtime/VM.h:
1885
1886 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1887
1888         Copied space should be able to handle more than one copied backing store per JSCell
1889         https://bugs.webkit.org/show_bug.cgi?id=119471
1890
1891         Reviewed by Mark Hahnenberg.
1892         
1893         This allows a cell to call copyLater() multiple times for multiple different
1894         backing stores, and then have copyBackingStore() called exactly once for each
1895         of those. A token tells it which backing store to copy. All backing stores
1896         must be named using the CopyToken, an enumeration which currently cannot
1897         exceed eight entries.
1898         
1899         When copyBackingStore() is called, it's up to the callee to (a) use the token
1900         to decide what to copy and (b) call its base class's copyBackingStore() in
1901         case the base class had something that needed copying. The only exception is
1902         that JSCell never asks anything to be copied, and so if your base is JSCell
1903         then you don't have to do anything.
1904
1905         * GNUmakefile.list.am:
1906         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1907         * JavaScriptCore.xcodeproj/project.pbxproj:
1908         * heap/CopiedBlock.h:
1909         * heap/CopiedBlockInlines.h:
1910         (JSC::CopiedBlock::reportLiveBytes):
1911         * heap/CopyToken.h: Added.
1912         * heap/CopyVisitor.cpp:
1913         (JSC::CopyVisitor::copyFromShared):
1914         * heap/CopyVisitor.h:
1915         * heap/CopyVisitorInlines.h:
1916         (JSC::CopyVisitor::visitItem):
1917         * heap/CopyWorkList.h:
1918         (JSC::CopyWorklistItem::CopyWorklistItem):
1919         (JSC::CopyWorklistItem::cell):
1920         (JSC::CopyWorklistItem::token):
1921         (JSC::CopyWorkListSegment::get):
1922         (JSC::CopyWorkListSegment::append):
1923         (JSC::CopyWorkListSegment::data):
1924         (JSC::CopyWorkListIterator::get):
1925         (JSC::CopyWorkListIterator::operator*):
1926         (JSC::CopyWorkListIterator::operator->):
1927         (JSC::CopyWorkList::append):
1928         * heap/SlotVisitor.h:
1929         * heap/SlotVisitorInlines.h:
1930         (JSC::SlotVisitor::copyLater):
1931         * runtime/ClassInfo.h:
1932         * runtime/JSCell.cpp:
1933         (JSC::JSCell::copyBackingStore):
1934         * runtime/JSCell.h:
1935         * runtime/JSObject.cpp:
1936         (JSC::JSObject::visitButterfly):
1937         (JSC::JSObject::copyBackingStore):
1938         * runtime/JSObject.h:
1939
1940 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
1941
1942         [Automake] Define ENABLE_JIT through the Autoconf header
1943         https://bugs.webkit.org/show_bug.cgi?id=119445
1944
1945         Reviewed by Martin Robinson.
1946
1947         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
1948
1949 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1950
1951         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1952         https://bugs.webkit.org/show_bug.cgi?id=119470
1953
1954         Reviewed by Oliver Hunt.
1955         
1956         Structure can still tell you if the object "could" (in the conservative sense)
1957         have an indexing header; that's used by the compiler.
1958         
1959         Most of the time if you want to know if there's an indexing header, you ask the
1960         JSObject.
1961         
1962         In some cases, the JSObject wants to know if it would have an indexing header if
1963         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1964
1965         * dfg/DFGRepatch.cpp:
1966         (JSC::DFG::tryCachePutByID):
1967         (JSC::DFG::tryBuildPutByIdList):
1968         * dfg/DFGSpeculativeJIT.cpp:
1969         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1970         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1971         * runtime/ButterflyInlines.h:
1972         (JSC::Butterfly::create):
1973         (JSC::Butterfly::growPropertyStorage):
1974         (JSC::Butterfly::growArrayRight):
1975         (JSC::Butterfly::resizeArray):
1976         * runtime/JSObject.cpp:
1977         (JSC::JSObject::copyButterfly):
1978         (JSC::JSObject::visitButterfly):
1979         * runtime/JSObject.h:
1980         (JSC::JSObject::hasIndexingHeader):
1981         (JSC::JSObject::setButterfly):
1982         * runtime/Structure.h:
1983         (JSC::Structure::couldHaveIndexingHeader):
1984         (JSC::Structure::hasIndexingHeader):
1985
1986 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1987
1988         Give the error object's stack property accessor attributes.
1989         https://bugs.webkit.org/show_bug.cgi?id=119404
1990
1991         Reviewed by Geoffrey Garen.
1992         
1993         Changed the attributes of error object's stack property to allow developers to write
1994         and delete the stack property. This will match the functionality of Chrome. Firefox
1995         allows developers to write the error's stack, but not delete it.
1996
1997         * interpreter/Interpreter.cpp:
1998         (JSC::Interpreter::addStackTraceIfNecessary):
1999         * runtime/ErrorInstance.cpp:
2000         (JSC::ErrorInstance::finishCreation):
2001
2002 2013-08-02  Oliver Hunt  <oliver@apple.com>
2003
2004         Incorrect type speculation reported by ToPrimitive
2005         https://bugs.webkit.org/show_bug.cgi?id=119458
2006
2007         Reviewed by Mark Hahnenberg.
2008
2009         Make sure that we report the correct type possibilities for the output
2010         from ToPrimitive.
2011
2012         * dfg/DFGAbstractInterpreterInlines.h:
2013         (JSC::DFG::::executeEffects):
2014
2015 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
2016
2017         Remove no-arguments constructor to PropertySlot
2018         https://bugs.webkit.org/show_bug.cgi?id=119460
2019
2020         Reviewed by Geoff Garen.
2021
2022         This constructor was unsafe if getValue is subsequently called,
2023         and the property is a getter. Simplest to just remove it.
2024
2025         * runtime/Arguments.cpp:
2026         (JSC::Arguments::defineOwnProperty):
2027         * runtime/JSActivation.cpp:
2028         (JSC::JSActivation::getOwnPropertyDescriptor):
2029         * runtime/JSFunction.cpp:
2030         (JSC::JSFunction::getOwnPropertyDescriptor):
2031         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2032         (JSC::JSFunction::put):
2033         (JSC::JSFunction::defineOwnProperty):
2034         * runtime/JSGlobalObject.cpp:
2035         (JSC::JSGlobalObject::defineOwnProperty):
2036         * runtime/JSGlobalObject.h:
2037         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
2038         * runtime/JSNameScope.cpp:
2039         (JSC::JSNameScope::put):
2040         * runtime/JSONObject.cpp:
2041         (JSC::Stringifier::Holder::appendNextProperty):
2042         (JSC::Walker::walk):
2043         * runtime/JSObject.cpp:
2044         (JSC::JSObject::hasProperty):
2045         (JSC::JSObject::hasOwnProperty):
2046         (JSC::JSObject::reifyStaticFunctionsForDelete):
2047         * runtime/Lookup.h:
2048         (JSC::getStaticPropertyDescriptor):
2049         (JSC::getStaticFunctionDescriptor):
2050         (JSC::getStaticValueDescriptor):
2051         * runtime/ObjectConstructor.cpp:
2052         (JSC::defineProperties):
2053         * runtime/PropertySlot.h:
2054
2055 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2056
2057         DFG validation can cause assertion failures due to dumping
2058         https://bugs.webkit.org/show_bug.cgi?id=119456
2059
2060         Reviewed by Geoffrey Garen.
2061
2062         * bytecode/CodeBlock.cpp:
2063         (JSC::CodeBlock::hasHash):
2064         (JSC::CodeBlock::isSafeToComputeHash):
2065         (JSC::CodeBlock::hash):
2066         (JSC::CodeBlock::dumpAssumingJITType):
2067         * bytecode/CodeBlock.h:
2068
2069 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2070
2071         Have vm's exceptionStack match Java vm's exceptionStack.
2072         https://bugs.webkit.org/show_bug.cgi?id=119362
2073
2074         Reviewed by Geoffrey Garen.
2075         
2076         The error object's stack is only updated if it does not exist yet. This matches
2077         the functionality of other browsers, and Java VMs.
2078
2079         * interpreter/Interpreter.cpp:
2080         (JSC::Interpreter::addStackTraceIfNecessary):
2081         (JSC::Interpreter::throwException):
2082         * runtime/VM.cpp:
2083         (JSC::VM::clearExceptionStack):
2084         * runtime/VM.h:
2085         (JSC::VM::lastExceptionStack):
2086
2087 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2088
2089         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
2090         https://bugs.webkit.org/show_bug.cgi?id=119447
2091
2092         Reviewed by Geoffrey Garen.
2093
2094         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2095         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2096         r153583 (sh4) and r153648 (ARM).
2097
2098         * jit/JITStubsMIPS.h:
2099
2013-08-01  Filip Pizlo  <fpizlo@apple.com>

        hasIndexingHeader should be a property of the Structure, not just the IndexingType
        https://bugs.webkit.org/show_bug.cgi?id=119422

        Reviewed by Oliver Hunt.

        This simplifies some code and also allows Structure to claim that an object
        has an indexing header even if it doesn't have indexed properties.

        I also changed some calls to use hasIndexedProperties() since in some cases,
        that's what we actually meant. Currently the two are synonyms.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::create):
        (JSC::Butterfly::growPropertyStorage):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/IndexingType.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::setPrototype):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/Structure.h:
        (JSC::Structure::hasIndexingHeader):

2013-08-02  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION: ARM still crashes after change set r153612.
        https://bugs.webkit.org/show_bug.cgi?id=119433

        Reviewed by Michael Saboff.

        Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
        implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
        for sh4 architecture.

        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:

2013-08-02  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r153612): It made jsc and layout tests crash
        https://bugs.webkit.org/show_bug.cgi?id=119440

        Reviewed by Csaba Osztrogonác.

        Made the changes in changeset r153612 only apply to 32 bit builds.

        * jit/JITExceptions.cpp:
        * jit/JITExceptions.h:
        * jit/JITStubs.cpp:
        (JSC::cti_vm_throw_slowpath):
        * jit/JITStubs.h:

2013-08-02  Patrick Gansterer  <paroga@webkit.org>

        Add JSCTestRunnerUtils to the list of forwarding headers to fix build.

        * CMakeLists.txt:

2013-08-01  Ruth Fong  <ruth_fong@apple.com>

        [Forms: color] <input type='color'> popover color well implementation
        <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.

2013-08-01  Oliver Hunt  <oliver@apple.com>

        DFG is not enforcing correct ordering of ToString conversion in MakeRope
        https://bugs.webkit.org/show_bug.cgi?id=119408

        Reviewed by Filip Pizlo.

        Construct ToString and Phantom nodes in advance of MakeRope
        nodes to ensure that ordering is ensured, and correct values
        will be reified on OSR exit.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-08-01  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
        https://bugs.webkit.org/show_bug.cgi?id=119140

        Reviewed by Filip Pizlo.

        Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.

        * jit/JITExceptions.cpp:
        (JSC::encode):
        * jit/JITExceptions.h:
        * jit/JITStubs.cpp:
        (JSC::cti_vm_throw_slowpath):
        * jit/JITStubs.h:

2013-08-01  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
        https://bugs.webkit.org/show_bug.cgi?id=119391

        Reviewed by Csaba Osztrogonác.

        * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
            - Call frame is in r14 register.
            - Do not restore registers from JIT stack frame here.

2013-07-31  Gavin Barraclough  <barraclough@apple.com>

        More cleanup in PropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=119359

        Reviewed by Geoff Garen.

        m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
        This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
            - No need to ASSERT slotBase is an object.
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
            - No need to ASSERT slotBase is an object.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::fillGetterPropertySlot):
            - Pass an object through to setGetterSlot.
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
            - Moved from PropertySlot (need to know about JSObject).
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
            - update per member name changes
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
            - Argument to constructor set to 'thisValue'.
        (JSC::PropertySlot::slotBase):
            - This returns a JSObject*.
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
            - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass an object through to setGetterSlot.
        * runtime/SparseArrayValueMap.h:
            - Pass an object through to setGetterSlot.

2013-07-31  Yi Shen  <max.hong.shen@gmail.com>

        Reduce JSC API static value setter/getter overhead.
        https://bugs.webkit.org/show_bug.cgi?id=119277

        Reviewed by Geoffrey Garen.

        Add property name to the static value entry, so that OpaqueJSString::create() doesn't
        need to get called every time we set or get the static value.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::put):
        (JSC::::putByIndex):
        (JSC::::getStaticValue):
        * API/JSClassRef.cpp:
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        * API/JSClassRef.h:
        (StaticValueEntry::StaticValueEntry):

2013-07-31  Kwang Yul Seo  <skyul@company100.net>

        Use emptyString instead of String("")
        https://bugs.webkit.org/show_bug.cgi?id=119335

        Reviewed by Darin Adler.

        Use emptyString() instead of String("") because it is better style and
        faster. This is a followup to r116908, removing all occurrences of
        String("") from WebKit.

        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):

2013-07-31  Ruth Fong  <ruth_fong@apple.com>

        <input type=color> Mac UI behaviour
        <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276

        Reviewed by Brady Eidson.

        * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.

2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=119349

        Reviewed by Geoffrey Garen.

        Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for
        SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
        on code it compiled with any switch statements to have been run in the baseline JIT first.
        However, if the DFG chooses to inline a function that has never been compiled by the baseline
        JIT then this resizing never happens and we crash at link time in the DFG.

        We can fix this by also doing the resize in the DFG to catch this case.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):

2013-07-31  Gavin Barraclough  <barraclough@apple.com>

        Speculative Windows build fix.

        Reviewed by NOBODY

        * runtime/JSString.cpp:
        (JSC::JSRopeString::getIndexSlowCase):
        * runtime/JSString.h:

2013-07-30  Gavin Barraclough  <barraclough@apple.com>

        Some cleanup in JSValue::get
        https://bugs.webkit.org/show_bug.cgi?id=119343

        Reviewed by Geoff Garen.

        JSValue::get is implemented to:
            1) Check if the value is a cell – if not, synthesize a prototype to search,
            2) call getOwnPropertySlot on the cell,
            3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
        By all rights this should crash when passed a string and accessing a property that does not exist, because
        the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
        To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
        prototype chain, and faking out a return value of undefined if no property is found.

        This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
        from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.

        The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
        slots anyway.

        Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.

2013-07-31  Michael Saboff  <msaboff@apple.com>

        [Win] JavaScript crash.
        https://bugs.webkit.org/show_bug.cgi?id=119339

        Reviewed by Mark Hahnenberg.

        * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
        ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.

2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        GetByVal on Arguments does the wrong size load when checking the Arguments object length
        https://bugs.webkit.org/show_bug.cgi?id=119281

        Reviewed by Geoffrey Garen.

        This leads to out of bounds accesses and subsequent crashes.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-07-30  Oliver Hunt  <oliver@apple.com>

        Add an assertion to SpeculateCellOperand
        https://bugs.webkit.org/show_bug.cgi?id=119276

        Reviewed by Michael Saboff.

        More assertions are better

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):

2013-07-30  Mark Lam  <mark.lam@apple.com>

        Fix problems with divot and lineStart mismatches.
        https://bugs.webkit.org/show_bug.cgi?id=118662.

        Reviewed by Oliver Hunt.

        r152494 added the recording of lineStart values for divot positions.
        This is needed for the computation of column numbers. Similarly, it also
        added the recording of line numbers for the divot positions. One problem
        with the approach taken was that the line and lineStart values were
        recorded independently, and hence were not always guaranteed to be
        sampled at the same place that the divot position is recorded. This
        resulted in potential mismatches that cause some assertions to fail.

        The solution is to introduce a JSTextPosition abstraction that records
        the divot position, line, and lineStart as a single quantity. Wherever
        we record the divot position as an unsigned int previously, we now record
        its JSTextPosition which captures all 3 values in one go. This ensures
        that the captured line and lineStart will always match the captured divot
        position.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::emitDebugHook):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThrowableExpressionData::emitThrowReferenceError):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::NewExprNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::DeleteBracketNode::emitBytecode):
        (JSC::DeleteDotNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::UnaryOpNode::emitBytecode):
        (JSC::BinaryOpNode::emitStrcat):
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::ThrowableBinaryOpNode::emitBytecode):
        (JSC::InstanceOfNode::emitBytecode):
        (JSC::emitReadModifyAssignment):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/ASTBuilder.h:
        - Replaced ASTBuilder::PositionInfo with JSTextPosition.
        (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
        (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::createRegExp):
        (JSC::ASTBuilder::createNewExpr):
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createExprStatement):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createReturnStatement):
        (JSC::ASTBuilder::createBreakStatement):
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createLabelStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::createThrowStatement):
        (JSC::ASTBuilder::appendBinaryExpressionInfo):
        (JSC::ASTBuilder::appendUnaryToken):
        (JSC::ASTBuilder::unaryTokenStackLastStart):
        (JSC::ASTBuilder::assignmentStackAppend):
        (JSC::ASTBuilder::createAssignment):
        (JSC::ASTBuilder::setExceptionLocation):
        (JSC::ASTBuilder::makeDeleteNode):
        (JSC::ASTBuilder::makeFunctionCallNode):
        (JSC::ASTBuilder::makeBinaryNode):
        (JSC::ASTBuilder::makeAssignNode):
        (JSC::ASTBuilder::makePrefixNode):
        (JSC::ASTBuilder::makePostfixNode):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Lexer.cpp:
        (JSC::::lex):
        - Added support for capturing the appropriate JSTextPositions instead
          of just the character offset.
        * parser/Lexer.h:
        (JSC::Lexer::currentPosition):
        (JSC::::lexExpectIdentifier):
        - Added support for capturing the appropriate JSTextPositions instead
          of just the character offset.
        * parser/NodeConstructors.h:
        (JSC::Node::Node):
        (JSC::ResolveNode::ResolveNode):
        (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
        (JSC::FunctionCallValueNode::FunctionCallValueNode):
        (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
        (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
        (JSC::FunctionCallDotNode::FunctionCallDotNode):
        (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
        (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
        (JSC::PostfixNode::PostfixNode):
        (JSC::DeleteResolveNode::DeleteResolveNode):
        (JSC::DeleteBracketNode::DeleteBracketNode):
        (JSC::DeleteDotNode::DeleteDotNode):
        (JSC::PrefixNode::PrefixNode):
        (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
        (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
        (JSC::AssignBracketNode::AssignBracketNode):
        (JSC::AssignDotNode::AssignDotNode):
        (JSC::ReadModifyDotNode::ReadModifyDotNode):
        (JSC::AssignErrorNode::AssignErrorNode):
        (JSC::WithNode::WithNode):
        (JSC::ForInNode::ForInNode):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Nodes.cpp:
        (JSC::StatementNode::setLoc):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Nodes.h:
        (JSC::Node::lineNo):
        (JSC::Node::startOffset):
        (JSC::Node::lineStartOffset):
        (JSC::Node::position):
        (JSC::ThrowableExpressionData::ThrowableExpressionData):
        (JSC::ThrowableExpressionData::setExceptionSourceCode):
        (JSC::ThrowableExpressionData::divot):
        (JSC::ThrowableExpressionData::divotStart):
        (JSC::ThrowableExpressionData::divotEnd):
        (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
        (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
        (JSC::ThrowableSubExpressionData::subexpressionDivot):
        (JSC::ThrowableSubExpressionData::subexpressionStart):
        (JSC::ThrowableSubExpressionData::subexpressionEnd):
        (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
        (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
        (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
        (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
        (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseInner):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        (JSC::::didFinishParsing):
        - Remove setting of m_lastLine value. We always pass in the value from
          m_lastLine anyway. So, this assignment is effectively a nop.
        (JSC::::parseVarDeclaration):
        (JSC::::parseVarDeclarationList):
        (JSC::::parseForStatement):
        (JSC::::parseBreakStatement):
        (JSC::::parseContinueStatement):
        (JSC::::parseReturnStatement):
        (JSC::::parseThrowStatement):
        (JSC::::parseWithStatement):
        (JSC::::parseTryStatement):
        (JSC::::parseBlockStatement):
        (JSC::::parseFunctionDeclaration):
        (JSC::LabelInfo::LabelInfo):
        (JSC::::parseExpressionOrLabelStatement):
        (JSC::::parseExpressionStatement):
        (JSC::::parseAssignmentExpression):
        (JSC::::parseBinaryExpression):
        (JSC::::parseProperty):
        (JSC::::parsePrimaryExpression):
        (JSC::::parseMemberExpression):
        (JSC::::parseUnaryExpression):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Parser.h:
        (JSC::Parser::next):
        (JSC::Parser::nextExpectIdentifier):
        (JSC::Parser::getToken):
        (JSC::Parser::tokenStartPosition):
        (JSC::Parser::tokenEndPosition):
        (JSC::Parser::lastTokenEndPosition):
        (JSC::::parse):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition):
        (JSC::JSTextPosition::operator+):
        (JSC::JSTextPosition::operator-):
        (JSC::JSTextPosition::operator int):
        - Added JSTextPosition.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::makeFunctionCallNode):
        (JSC::SyntaxChecker::makeAssignNode):
        (JSC::SyntaxChecker::makePrefixNode):
        (JSC::SyntaxChecker::makePostfixNode):
        (JSC::SyntaxChecker::makeDeleteNode):
        (JSC::SyntaxChecker::createResolve):
        (JSC::SyntaxChecker::createBracketAccess):
        (JSC::SyntaxChecker::createDotAccess):
        (JSC::SyntaxChecker::createRegExp):
        (JSC::SyntaxChecker::createNewExpr):
        (JSC::SyntaxChecker::createAssignResolve):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::appendBinaryExpressionInfo):
        (JSC::SyntaxChecker::operatorStackPop):
        - Use JSTextPosition instead of passing line and lineStart explicitly.

2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files to compilation.
        * bytecode/CodeBlock.cpp: Add an ENABLE(FTL_JIT) #if block to
        include FTL header files not included in the compilation.
        * dfg/DFGDriver.cpp: Ditto.
        * dfg/DFGPlan.cpp: Ditto.

2013-07-29  Chris Curtis  <chris_curtis@apple.com>

        Eager stack trace for error objects.
        https://bugs.webkit.org/show_bug.cgi?id=118918

        Reviewed by Geoffrey Garen.

        Chrome and Firefox give error objects the stack property and we wanted to match
        that functionality. This allows developers to see the stack without throwing an object.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        For error objects that are not thrown as an exception, we pass the stackTrace in
        as a parameter. This allows the error object to have the stack property.

        * interpreter/Interpreter.cpp:
        (JSC::stackTraceAsString):
        Helper function used to eliminate duplicate code.

        (JSC::Interpreter::addStackTraceIfNecessary):
        When an error object is created by the user the vm->exceptionStack is not set.
        If the user throws this error object later the stack that is in the error object
        may not be the correct stack for the throw, so when we set the vm->exception stack,
        the stack property on the error object is set as well.

        * runtime/ErrorConstructor.cpp:
        (JSC::constructWithErrorConstructor):
        (JSC::callErrorConstructor):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::constructWithNativeErrorConstructor):
        (JSC::callNativeErrorConstructor):
        These functions indicate that the user created an error object. For all error objects
        that the user explicitly creates, the topCallFrame is at a new frame created to
        handle the user's call. In this case though, the error object needs the caller's
        frame to create the stack trace correctly.

        * interpreter/Interpreter.h:
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):

2013-07-29  Gavin Barraclough  <barraclough@apple.com>

        Some cleanup in PropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=119189

        Reviewed by Geoff Garen.

        PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
        The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
        is set to a special value to indicate the type (other than custom), and the type is also tracked by
        an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
        (this is invalidOffset if not cacheable).

            * Internally, always track the type of the property using an enum value, PropertyType.
            * Use m_offset to indicate cacheable.
            * Keep the external interface (CachedPropertyType) unchanged.
            * Better pack data into the m_data union.

        Performance neutral.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
            - cachedPropertyType() -> isCacheable*()
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
            - cachedPropertyType() -> isCacheable*()
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
            - cachedPropertyType() -> isCacheable*()
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
            - cachedPropertyType() -> isCacheable*()
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            - cachedPropertyType() -> isCacheable*()
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
            - refactoring described above.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::getValue):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::cachedOffset):
        (JSC::PropertySlot::customGetter):
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
        (JSC::PropertySlot::setUndefined):
        (JSC::PropertySlot::slotBase):
        (JSC::PropertySlot::setBase):
            - refactoring described above.

2013-07-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION: Crash when opening Facebook.com
        https://bugs.webkit.org/show_bug.cgi?id=119155

        Reviewed by Andreas Kling.

        Scope nodes are always objects, so we should be using SpecObjectOther
        rather than SpecCellOther.  Marking Scopes as CellOther leads to a
        contradiction in the CFA, resulting in bogus codegen.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2013-07-26  Oliver Hunt  <oliver@apple.com>

        REGRESSION(FTL?): Crashes in plugin tests
        https://bugs.webkit.org/show_bug.cgi?id=119141

        Reviewed by Michael Saboff.

        Re-export getStackTrace

        * interpreter/Interpreter.h:

2013-07-26  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash when opening a message on Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119105

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        - GetById patching in the DFG needs to be more disciplined about how it derives the
          slow path.

        - Fix some dumping code thread safety issues.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::dump):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::getPolymorphicStructureList):
        (JSC::DFG::tryBuildGetByIDList):

2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>

        [mips] Fix LLINT build for mips backend
        https://bugs.webkit.org/show_bug.cgi?id=119152

        Reviewed by Oliver Hunt.

        * offlineasm/mips.rb:

2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Setting a large numeric property on an object causes it to allocate a huge backing store
        https://bugs.webkit.org/show_bug.cgi?id=118914

        Reviewed by Geoffrey Garen.

        There are two distinct actions that we're trying to optimize for:

        new Array(100000);

        and:

        a = [];
        a[100000] = 42;

        In the first case, the programmer has indicated that they expect this Array to be very big,
        so they should get a contiguous array up until some threshold, above which we perform density
        calculations to see if it is indeed dense enough to warrant being contiguous.

        In the second case, the programmer hasn't indicated anything about the size of the Array, so
        we should be more conservative and assume it should be sparse until we've proven otherwise.

        Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish
        between them for the purposes of not over-allocating large backing stores like we see on
        http://www.peekanalytics.com/burgerjoints/

        The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and
        introduce a new heuristic for the second case. If we are putting to an index above a certain
        threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse
        map instead. So for example, in the second case above the empty array has a blank indexing
        type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.

        This fix is a ~800x speedup on the accompanying regression test :-o

        * runtime/ArrayConventions.h:
        (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
        * runtime/JSObject.cpp:
2838         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2839         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2840         (JSC::JSObject::putByIndexBeyondVectorLength):
2841         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
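
As an added illustration, not JavaScriptCore's own code: a JavaScript model of the two heuristics the entry above describes (a size hint from `new Array(n)` versus a single put-by-val far beyond length), showing which writes grow a contiguous backing store and which fall back to a sparse map. The constants (100000, 1000, 1/8), the density rule and the ModelArray class are assumptions of this model; only the helper name indexIsSufficientlyBeyondLengthForSparseMap comes from the entry.

```javascript
// Added illustration, not JavaScriptCore code: a model of the two array
// storage heuristics in the entry above. Threshold values and the density
// rule are assumptions of this model, not the engine's constants.
const MIN_SPARSE_ARRAY_INDEX = 1000000;  // assumed: a size hint at/above this starts sparse
const SPARSE_BEYOND_LENGTH_INDEX = 1000; // assumed: the "say, 1000" threshold from the entry
const MIN_DENSITY = 1 / 8;               // assumed: populated/length needed to go contiguous

// Named after the helper the entry adds to ArrayConventions.h: the index is
// past the threshold and past the current length, so a sparse map is used.
function indexIsSufficientlyBeyondLengthForSparseMap(index, length) {
  return index >= SPARSE_BEYOND_LENGTH_INDEX && index > length;
}

class ModelArray {
  // expectedLength > 0 models `new Array(n)`; 0 models `[]`.
  constructor(expectedLength = 0) {
    this.length = expectedLength;
    this.populated = 0;
    this.vector = null; // contiguous backing store, or null when sparse
    this.sparse = null; // Map backing store, or null when contiguous
    // Case 1: the programmer declared a size. Below the limit, trust it and
    // allocate contiguously; at/above it, stay sparse until proven dense.
    if (expectedLength < MIN_SPARSE_ARRAY_INDEX) this.vector = new Array(expectedLength);
    else this.sparse = new Map();
  }

  isSparse() { return this.sparse !== null; }

  // Backing-store slots actually allocated: the memory cost of each policy.
  allocatedSlots() { return this.isSparse() ? this.sparse.size : this.vector.length; }

  get(index) { return this.isSparse() ? this.sparse.get(index) : this.vector[index]; }

  put(index, value) {
    if (index >= this.length) this.length = index + 1;
    if (this.isSparse()) {
      if (!this.sparse.has(index)) this.populated++;
      this.sparse.set(index, value);
      // Density check: only once the map is dense enough do we pay for a
      // contiguous store of `length` slots.
      if (this.populated / this.length >= MIN_DENSITY) this.convertToContiguous();
      return;
    }
    if (index >= this.vector.length) {
      // Case 2: no size hint. A write far beyond current storage must not grow
      // the vector (one value would cost a huge backing store); go sparse instead.
      if (indexIsSufficientlyBeyondLengthForSparseMap(index, this.vector.length)) {
        this.convertToSparse();
        return this.put(index, value);
      }
      this.vector.length = index + 1; // nearby write: grow contiguously
    }
    if (this.vector[index] === undefined) this.populated++;
    this.vector[index] = value;
  }

  convertToSparse() {
    this.sparse = new Map();
    this.vector.forEach((v, i) => { if (v !== undefined) this.sparse.set(i, v); });
    this.vector = null;
  }

  convertToContiguous() {
    this.vector = new Array(this.length);
    for (const [i, v] of this.sparse) this.vector[i] = v;
    this.sparse = null;
  }
}
```

A sequential fill (a[i] = i for increasing i) never satisfies the beyond-length test, so it keeps the contiguous store; only a jump past the threshold switches to the map.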
2842
2843 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2844
2845         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
2846         https://bugs.webkit.org/show_bug.cgi?id=119148
2847
2848         Reviewed by Csaba Osztrogonác.
2849
2850         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
2851         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
2852         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
2853         code duplication.
2854
2855 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2856
2857         REGRESSION(FTL): Crash in sh4 baseline JIT.
2858         https://bugs.webkit.org/show_bug.cgi?id=119138
2859
2860         Reviewed by Csaba Osztrogonác.
2861
2862         This crash is due to incomplete report of r150146 and r148474.
2863
2864         * jit/JITStubsSH4.h:
2865
2866 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
2867
2868         Unreviewed.
2869
2870         * Target.pri: Adding missing DFG files to the Qt build.
2871
2872 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2873
2874         GTK and Qt buildfix after the intrusive win buildfix r153360.
2875
2876         * GNUmakefile.list.am:
2877         * Target.pri:
2878
2879 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2880
2881         Unreviewed, fix build break after r153360.
2882
2883         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
2884
2885 2013-07-25  Roger Fong  <roger_fong@apple.com>
2886
2887         Unreviewed build fix, AppleWin port.
2888
2889         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2890         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2891         * JavaScriptCore.vcxproj/copy-files.cmd:
2892
2893 2013-07-25  Roger Fong  <roger_fong@apple.com>
2894
2895         Unreviewed. Followup to r153360.
2896
2897         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2898         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2899
2900 2013-07-25  Michael Saboff  <msaboff@apple.com>
2901
2902         [Windows] Speculative build fix.
2903
2904         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2905         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2906
2907         * JavaScriptCore.xcodeproj/project.pbxproj:
2908         * llint/LLIntExceptions.cpp:
2909         * llint/LLIntExceptions.h:
2910         * llint/LLIntSlowPaths.cpp:
2911         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2912         * runtime/CommonSlowPaths.cpp:
2913         (JSC::SLOW_PATH_DECL):
2914         * runtime/CommonSlowPathsExceptions.cpp: Added.
2915         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2916         * runtime/CommonSlowPathsExceptions.h: Added.
2917
2918 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2919
2920         [Windows] Unreviewed build fix.
2921
2922         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2923         parser/SourceCode.h,.cpp.
2924         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2925
2926 2013-07-25  Anders Carlsson  <andersca@apple.com>
2927
2928         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2929         https://bugs.webkit.org/show_bug.cgi?id=119108
2930
2931         Reviewed by Mark Hahnenberg.
2932
2933         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2934
2935         * heap/CopiedSpace.cpp:
2936         (JSC::CopiedSpace::tryAllocateSlowCase):
2937         * heap/Heap.cpp:
2938         (JSC::Heap::protect):
2939         (JSC::Heap::unprotect):
2940         (JSC::Heap::collect):
2941         * heap/MarkedAllocator.cpp:
2942         (JSC::MarkedAllocator::allocateSlowCase):
2943         * runtime/JSGlobalObject.cpp:
2944         (JSC::JSGlobalObject::init):
2945         * runtime/VM.h:
2946         (JSC::VM::currentThreadIsHoldingAPILock):
2947
2948 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2949
2950         REGRESSION(FTL): Most layout tests crashes
2951         https://bugs.webkit.org/show_bug.cgi?id=119089
2952
2953         Reviewed by Oliver Hunt.
2954
2955         * runtime/ExecutionHarness.h:
2956         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2957         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2958         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
2959         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2960         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2961         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2962
2963 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2964
2965         [Windows] Unreviewed build fix.
2966
2967         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2968         include path.
2969
2970 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2971
2972         [Windows] Unreviewed build fix.
2973
2974         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2975         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2976         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2977
2978 2013-07-25  Oliver Hunt  <oliver@apple.com>
2979
2980         Make all jit & non-jit combos build cleanly
2981         https://bugs.webkit.org/show_bug.cgi?id=119102
2982
2983         Reviewed by Anders Carlsson.
2984
2985         * bytecode/CodeBlock.cpp:
2986         (JSC::CodeBlock::counterValueForOptimizeSoon):
2987         * bytecode/CodeBlock.h:
2988         (JSC::CodeBlock::optimizeAfterWarmUp):
2989         (JSC::CodeBlock::numberOfDFGCompiles):
2990
2991 2013-07-25  Oliver Hunt  <oliver@apple.com>
2992
2993         32 bit portion of load validation logic
2994         https://bugs.webkit.org/show_bug.cgi?id=118878
2995
2996         Reviewed by NOBODY (Build fix).
2997
2998         * dfg/DFGSpeculativeJIT32_64.cpp:
2999         (JSC::DFG::SpeculativeJIT::compile):
3000
3001 2013-07-25  Oliver Hunt  <oliver@apple.com>
3002
3003         More 32bit build fixes
3004
3005         - Apparently some compilers don't track the fastcall directive everywhere we expect
3006
3007         * API/APICallbackFunction.h:
3008         (JSC::APICallbackFunction::call):
3009         * bytecode/CodeBlock.cpp:
3010         * runtime/Structure.cpp:
3011
3012 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
3013
3014         Optimize the thread locks for API Shims
3015         https://bugs.webkit.org/show_bug.cgi?id=118573
3016
3017         Reviewed by Geoffrey Garen.
3018
3019         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
3020         only used by WebCore's main thread).
3021
3022         * API/APIShims.h:
3023         (JSC::APIEntryShim::APIEntryShim):
3024         (JSC::APICallbackShim::APICallbackShim):
3025         * runtime/JSLock.cpp:
3026         (JSC::JSLockHolder::JSLockHolder):
3027         (JSC::JSLockHolder::init):
3028         (JSC::JSLockHolder::~JSLockHolder):
3029         (JSC::JSLock::DropAllLocks::DropAllLocks):
3030         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3031         * runtime/VM.cpp:
3032         (JSC::VM::VM):
3033         * runtime/VM.h:
3034
3035 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
3036
3037         Unreviewed build fix after r153218.
3038
3039         Broke the EFL port build with gcc 4.7.
3040
3041         * interpreter/StackIterator.cpp:
3042         (JSC::printif):
3043
3044 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3045
3046         Build fix: add missing #include.
3047         https://bugs.webkit.org/show_bug.cgi?id=119087
3048
3049         Reviewed by Allan Sandfeld Jensen.
3050
3051         * bytecode/ArrayProfile.cpp:
3052
3053 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3054
3055         Unreviewed, build fix on the EFL port.
3056
3057         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
3058
3059 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3060
3061         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
3062         https://bugs.webkit.org/show_bug.cgi?id=119083
3063
3064         Reviewed by Allan Sandfeld Jensen.
3065
3066         * assembler/MacroAssemblerSH4.h:
3067         (JSC::MacroAssemblerSH4::store8):
3068
3069 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3070
3071         [Qt] Fix test build after FTL upstream
3072
3073         Unreviewed build fix.
3074
3075         * Target.pri:
3076
3077 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3078
3079         [Qt] Build fix after FTL.
3080
3081         Unreviewed build fix.
3082
3083         * Target.pri:
3084         * interpreter/StackIterator.cpp:
3085         (JSC::StackIterator::Frame::print):
3086
3087 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3088
3089         Unreviewed build fix after FTL upstream.
3090
3091         * dfg/DFGWorklist.cpp:
3092         (JSC::DFG::Worklist::~Worklist):
3093
3094 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3095
3096         Unreviewed, build fix on the EFL port.
3097
3098         * CMakeLists.txt:
3099         Added SourceCode.cpp and removed BlackBerry file.
3100         * jit/JITCode.h:
3101         (JSC::JITCode::nextTierJIT):
3102         Fixed build break because of -Werror=return-type
3103         * parser/Lexer.cpp: Includes JSFunctionInlines.h
3104         * runtime/JSScope.h:
3105         (JSC::makeType):
3106         Fixed build break because of -Werror=return-type
3107
3108 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3109
3110         Unreviewed build fixing after FTL upstream.
3111
3112         * runtime/Executable.cpp:
3113         (JSC::FunctionExecutable::produceCodeBlockFor):
3114
3115 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3116
3117         Add missing implementation of bxxxnz in sh4 LLINT.
3118         https://bugs.webkit.org/show_bug.cgi?id=119079
3119
3120         Reviewed by Allan Sandfeld Jensen.
3121
3122         * offlineasm/sh4.rb:
3123
3124 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3125
3126         Unreviewed, build fix on the Qt port.
3127
3128         * Target.pri: Add additional build files for the FTL.
3129
3130 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3131
3132         Unreviewed buildfix after FTL upstream.
3133
3134         * interpreter/StackIterator.cpp:
3135         (JSC::StackIterator::Frame::codeType):
3136         (JSC::StackIterator::Frame::functionName):
3137         (JSC::StackIterator::Frame::sourceURL):
3138         (JSC::StackIterator::Frame::logicalFrame):
3139
3140 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3141
3142         Unreviewed.
3143
3144         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
3145         method is not left undefined, causing build failures on (at least) the GTK port.
3146
3147 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3148
3149         Unreviewed, further build fixing on the GTK port.
3150
3151         * GNUmakefile.list.am: Add CompilationResult source files to the build.
3152
3153 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3154
3155         Unreviewed GTK build fixing.
3156
3157         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
3158         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
3159
3160 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3161
3162         Buildfix after this error:
3163         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
3164
3165         * dfg/DFGPlan.cpp:
3166         (JSC::DFG::Plan::compileInThread):
3167
3168 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3169
3170         One more buildfix after FTL upstream.
3171
3172         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
3173
3174         * dfg/DFGLazyJSValue.cpp:
3175         (JSC::DFG::LazyJSValue::getValue):
3176         (JSC::DFG::LazyJSValue::strictEqual):
3177
3178 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3179
3180         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
3181         https://bugs.webkit.org/show_bug.cgi?id=119076
3182
3183         Reviewed by Allan Sandfeld Jensen.
3184
3185         * offlineasm/mips.rb:
3186         * offlineasm/sh4.rb:
3187
3188 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3189
3190         Unreviewed GTK build fix.
3191
3192         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
3193
3194 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3195
3196         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
3197         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
3198
3199         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
3200
3201 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3202
3203         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
3204
3205         * GNUmakefile.am:
3206         * GNUmakefile.list.am:
3207
3208 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3209
3210         Unreviewed buildfix after FTL upstream.
3211
3212         * runtime/JSScope.h:
3213         (JSC::needsVarInjectionChecks):
3214
3215 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3216
3217         One more fix after FTL upstream.
3218
3219         * Target.pri:
3220         * bytecode/CodeBlock.h:
3221         * bytecode/GetByIdStatus.h:
3222         (JSC::GetByIdStatus::GetByIdStatus):
3223
3224 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3225
3226         Unreviewed buildfix after FTL upstream.
3227
3228         Add ftl directory as include path.
3229
3230         * CMakeLists.txt:
3231         * JavaScriptCore.pri:
3232
3233 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3234
3235         Unreviewed buildfix after FTL upstream for non C++11 builds.
3236
3237         * interpreter/CallFrame.h:
3238         * interpreter/StackIteratorPrivate.h:
3239         (JSC::StackIterator::end):
3240
3241 2013-07-24  Oliver Hunt  <oliver@apple.com>
3242
3243         Endeavour to fix CMakelist builds
3244
3245         * CMakeLists.txt:
3246
3247 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
3248
3249         fourthTier: DFG IR dumps should be easier to read
3250         https://bugs.webkit.org/show_bug.cgi?id=119050
3251
3252         Reviewed by Mark Hahnenberg.
3253         
3254         Added a DumpContext that includes support for printing an endnote
3255         that describes all structures in full, while the main flow of the
3256         dump just uses made-up names for the structures. This is helpful
3257         since Structure::dump() may print a lot. The stuff it prints is
3258         useful, but if it's all inline with the surrounding thing you're        
3259         dumping (often, a node in the DFG), then you get a ridiculously
3260         long print-out. All classes that dump structures (including
3261         Structure itself) now have dumpInContext() methods that use
3262         inContext() for dumping anything that might transitively print a
3263         structure. If Structure::dumpInContext() is called with a NULL
3264         context, it just uses dump() like before. Hence you don't have to
3265         know anything about DumpContext unless you want to.
3266         
3267         inContext(*structure, context) dumps something like %B4:Array,
3268         and the endnote will have something like:
3269         
3270             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
3271         
3272         where B4 is the inferred name that StringHashDumpContext came up
3273         with.
3274         
3275         Also shortened a bunch of other dumps, removing information that
3276         isn't so important.
3277         
3278         * JavaScriptCore.xcodeproj/project.pbxproj:
3279         * bytecode/ArrayProfile.cpp:
3280         (JSC::dumpArrayModes):
3281         * bytecode/CodeBlockHash.cpp:
3282         (JSC):
3283         (JSC::CodeBlockHash::CodeBlockHash):
3284         (JSC::CodeBlockHash::dump):
3285         * bytecode/CodeOrigin.cpp:
3286         (JSC::CodeOrigin::dumpInContext):
3287         (JSC):
3288         (JSC::InlineCallFrame::dumpInContext):
3289         (JSC::InlineCallFrame::dump):
3290         * bytecode/CodeOrigin.h:
3291         (CodeOrigin):
3292         (InlineCallFrame):
3293         * bytecode/Operands.h:
3294         (JSC::OperandValueTraits::isEmptyForDump):
3295         (Operands):
3296         (JSC::Operands::dump):
3297         (JSC):
3298         * bytecode/OperandsInlines.h: Added.
3299         (JSC):
3300         (JSC::::dumpInContext):
3301         * bytecode/StructureSet.h:
3302         (JSC::StructureSet::dumpInContext):
3303         (JSC::StructureSet::dump):
3304         (StructureSet):
3305         * dfg/DFGAbstractValue.cpp:
3306         (JSC::DFG::AbstractValue::dump):
3307         (DFG):
3308         (JSC::DFG::AbstractValue::dumpInContext):
3309         * dfg/DFGAbstractValue.h:
3310         (JSC::DFG::AbstractValue::operator!):
3311         (AbstractValue):
3312         * dfg/DFGCFAPhase.cpp:
3313         (JSC::DFG::CFAPhase::performBlockCFA):
3314         * dfg/DFGCommon.cpp:
3315         * dfg/DFGCommon.h:
3316         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3317         * dfg/DFGDisassembler.cpp:
3318         (JSC::DFG::Disassembler::createDumpList):
3319         * dfg/DFGDisassembler.h:
3320         (Disassembler):
3321         * dfg/DFGFlushFormat.h:
3322         (WTF::inContext):
3323         (WTF):
3324         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3325         * dfg/DFGGraph.cpp:
3326         (JSC::DFG::Graph::dumpCodeOrigin):
3327         (JSC::DFG::Graph::dump):
3328         (JSC::DFG::Graph::dumpBlockHeader):
3329         * dfg/DFGGraph.h:
3330         (Graph):
3331         * dfg/DFGLazyJSValue.cpp:
3332         (JSC::DFG::LazyJSValue::dumpInContext):
3333         (JSC::DFG::LazyJSValue::dump):
3334         (DFG):
3335         * dfg/DFGLazyJSValue.h:
3336         (LazyJSValue):
3337         * dfg/DFGNode.h:
3338         (JSC::DFG::nodeMapDump):
3339         (WTF::inContext):
3340         (WTF):
3341         * dfg/DFGOSRExitCompiler32_64.cpp:
3342         (JSC::DFG::OSRExitCompiler::compileExit):
3343         * dfg/DFGOSRExitCompiler64.cpp:
3344         (JSC::DFG::OSRExitCompiler::compileExit):
3345         * dfg/DFGStructureAbstractValue.h:
3346         (JSC::DFG::StructureAbstractValue::dumpInContext):
3347         (JSC::DFG::StructureAbstractValue::dump):
3348         (StructureAbstractValue):
3349         * ftl/FTLExitValue.cpp:
3350         (JSC::FTL::ExitValue::dumpInContext):
3351         (JSC::FTL::ExitValue::dump):
3352         (FTL):
3353         * ftl/FTLExitValue.h:
3354         (ExitValue):
3355         * ftl/FTLLowerDFGToLLVM.cpp:
3356         * ftl/FTLValueSource.cpp:
3357         (JSC::FTL::ValueSource::dumpInContext):
3358         (FTL):
3359         * ftl/FTLValueSource.h:
3360         (ValueSource):
3361         * runtime/DumpContext.cpp: Added.
3362         (JSC):
3363         (JSC::DumpContext::DumpContext):
3364         (JSC::DumpContext::~DumpContext):
3365         (JSC::DumpContext::isEmpty):
3366         (JSC::DumpContext::dump):
3367         * runtime/DumpContext.h: Added.
3368         (JSC):
3369         (DumpContext):
3370         * runtime/JSCJSValue.cpp:
3371         (JSC::JSValue::dump):
3372         (JSC):
3373         (JSC::JSValue::dumpInContext):
3374         * runtime/JSCJSValue.h:
3375         (JSC):
3376         (JSValue):
3377         * runtime/Structure.cpp:
3378         (JSC::Structure::dumpInContext):
3379         (JSC):
3380         (JSC::Structure::dumpBrief):
3381         (JSC::Structure::dumpContextHeader):
3382         * runtime/Structure.h:
3383         (JSC):
3384         (Structure):
3385
3386 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3387
3388         fourthTier: DFG should do a high-level LICM before going to FTL
3389         https://bugs.webkit.org/show_bug.cgi?id=118749
3390
3391         Reviewed by Oliver Hunt.
3392         
3393         Implements LICM hoisting for nodes that never write anything and never read
3394         things that are clobbered by the loop. There are some other preconditions for
3395         hoisting, see DFGLICMPhase.cpp.
3396
3397         Also did a few fixes:
3398         
3399         - ClobberSet::add was failing to switch Super entries to Direct entries in
3400           some cases.
3401         
3402         - DFGClobberize.cpp needed to #include "Operations.h".
3403         
3404         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3405         
3406         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3407           Knowing the indexInBlock is an optional optimization that all other clients
3408           of AI still opt into, but LICM doesn't.
3409         
3410         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3411
3412         * JavaScriptCore.xcodeproj/project.pbxproj:
3413         * dfg/DFGAbstractInterpreter.h:
3414         (AbstractInterpreter):
3415         * dfg/DFGAbstractInterpreterInlines.h:
3416         (JSC::DFG::::executeEffects):
3417         (JSC::DFG::::execute):
3418         (DFG):
3419         (JSC::DFG::::clobberWorld):
3420         (JSC::DFG::::clobberStructures):
3421         * dfg/DFGAtTailAbstractState.cpp: Added.
3422         (DFG):
3423         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3424         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3425         (JSC::DFG::AtTailAbstractState::createValueForNode):
3426         (J