[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120052
        Remove custom getOwnPropertyDescriptor for JSProxy

        Reviewed by Geoff Garen.

        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.

        * runtime/JSProxy.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/PropertyDescriptor.h:
            - Modify own property access check to perform toThis conversion.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=119512

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Replaced obj32, bin32, and lib32 with macros for 64-bit build.

2013-08-20  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.

        Reviewed by Allan Sandfeld Jensen.

        branchPtrWithPatch() of baseline JIT must ensure that space is available for its
        instructions and two constants now that DFG is enabled for the sh4 architecture.
        These missing ensureSpace calls lead to random crashes.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchPtrWithPatch):

2013-08-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120034
        Remove custom getOwnPropertyDescriptor for global objects

        Reviewed by Geoff Garen.

        Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.

        * runtime/JSGlobalObject.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
            - The symbol table does not store the DontDelete attribute; we should be adding it back in.
        * runtime/PropertyDescriptor.h:
            - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setUndefined):
            - This is used by WebCore when blocking access to properties on cross-frame access.
              Mark blocked properties as read-only, non-configurable to prevent defineProperty.

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline typedArray.byteOffset
        https://bugs.webkit.org/show_bug.cgi?id=119962

        Reviewed by Oliver Hunt.

        This adds a new node, GetTypedArrayByteOffset, which inlines
        typedArray.byteOffset.

        Also, I improved a bunch of the clobbering logic related to typed arrays
        and clobbering in general. For example, PutByOffset/PutStructure are not
        clobber-world so they can be handled by most default cases in CSE. Also,
        it's better to use the 'Class_field' notation for typed arrays now that
        they no longer involve magical descriptor thingies.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::neverNeedsStorage):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::offsetOfData):
        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfArrayBuffer):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::offsetOfArrayBuffer):

2013-08-18  Filip Pizlo  <fpizlo@apple.com>

        <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119995
        Start removing custom implementations of getOwnPropertyDescriptor

        Reviewed by Oliver Hunt.

        This can now typically be implemented in terms of getOwnPropertySlot.
        Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
        Switch over most classes in JSC & the WebCore bindings generator to use this.

        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
        * runtime/PropertyDescriptor.h:
            - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isValue):
        (JSC::PropertySlot::isGetter):
        (JSC::PropertySlot::isCustom):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::attributes):
        (JSC::PropertySlot::getterSetter):
            - Add accessors necessary to convert PropertySlot to descriptor.
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com

        Reviewed by Sam Weinig.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
        DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
        all versions of fillSpeculateBoolean().

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests

        Reviewed by Benjamin Poulain.

        Change branchTest32 to only use the byte form for 8-bit tests on the lower 4 registers.
        Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):

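The two x86 entries above (r154207's testb optimisation and the follow-up fix restricting it to the lower four registers) describe an encoding hazard that is easy to reproduce in isolation. The following C program is an added example, not WebKit code: it models only the register-operand case of `branchTest32`, using the standard x86 encodings `F6 /0 ib` (`test r/m8, imm8`) and `F7 /0 id` (`test r/m32, imm32`). Without a REX prefix the 8-bit r/m encodings 4..7 select AH, CH, DH and BH rather than the low byte of ESP, EBP, ESI and EDI, so a mask that fits in one byte may only be shortened to `testb` when the register is EAX..EBX. The register numbering, the `fixed` flag and the helper names are this example's own.

```c
/* Added example (not WebKit code): models the encoding choice described in
 * the branchTest32 entries above.  On x86 without a REX prefix, the 8-bit
 * r/m encodings 0..3 name AL, CL, DL, BL but 4..7 name AH, CH, DH, BH
 * (with a REX prefix in 64-bit mode they name SPL, BPL, SIL, DIL instead,
 * which is why the bug was specific to 32-bit tests). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example's own numbering; matches the ModRM r/m field for these registers. */
enum { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

static const char *const kByteRegs[8]  = { "al", "cl", "dl", "bl", "ah", "ch", "dh", "bh" };
static const char *const kDwordRegs[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* The corrected predicate: testb is only a faithful replacement for testl
 * when the mask fits in the low byte AND the register is one of the first four. */
bool can_use_testb(int reg, uint32_t mask)
{
    return (mask & ~0xFFu) == 0 && reg >= 0 && reg < 4;
}

/* Emits "test reg, imm" into out and returns the byte count.
 *   testb: F6, ModRM(mod=11, reg=/0, rm=reg), imm8
 *   testl: F7, ModRM(mod=11, reg=/0, rm=reg), imm32 little-endian
 * fixed == false reproduces the r154207 behaviour (shorten for any register
 * whose mask fits in a byte); fixed == true applies the lower-four-registers rule. */
size_t emit_test32_imm(int reg, uint32_t mask, uint8_t out[6], bool fixed)
{
    uint8_t modrm = (uint8_t)(0xC0 | (reg & 7));
    bool use_byte = fixed ? can_use_testb(reg, mask) : (mask & ~0xFFu) == 0;
    if (use_byte) {
        out[0] = 0xF6; out[1] = modrm; out[2] = (uint8_t)mask;
        return 3;
    }
    out[0] = 0xF7; out[1] = modrm;
    out[2] = (uint8_t)mask;         out[3] = (uint8_t)(mask >> 8);
    out[4] = (uint8_t)(mask >> 16); out[5] = (uint8_t)(mask >> 24);
    return 6;
}

/* Decodes which register the emitted instruction really tests, so the
 * pre-fix encoding for ESP can be shown to test AH instead. */
const char *tested_register(const uint8_t *code, size_t len)
{
    if (len < 2 || (code[1] & 0xC0) != 0xC0) return "?";
    int rm = code[1] & 7;
    return code[0] == 0xF6 ? kByteRegs[rm] : kDwordRegs[rm];
}

int main(void)
{
    uint8_t buf[6];
    const int regs[2] = { EAX, ESP };
    for (int i = 0; i < 2; i++) {
        for (int fixed = 0; fixed < 2; fixed++) {
            size_t n = emit_test32_imm(regs[i], 0x01, buf, fixed != 0);
            printf("%s test %s, 0x01 ->", fixed ? "fixed:  " : "pre-fix:", kDwordRegs[regs[i]]);
            for (size_t j = 0; j < n; j++) printf(" %02X", buf[j]);
            printf("   (actually tests %s)\n", tested_register(buf, n));
        }
    }
    return 0;
}
```

Running it shows the pre-fix path emitting `F6 C4 01` for ESP, which the decoder reports as a test of AH; the fixed path falls back to the six-byte `F7 C4 01 00 00 00`, which tests ESP as intended. The same check is what makes the optimisation safe to keep for EAX..EBX, where `F6 C0 01` really does test AL.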
2013-08-16  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119860> Crash during exception unwinding

        Reviewed by Filip Pizlo.

        Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
        to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

        We need this so that Throw and ThrowReferenceError no longer need to be treated as
        terminals and the subsequent flush keeps the activation (and other registers) live.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>

        <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken

        Reviewed by Oliver Hunt.

        Guard the compilation of these files only if DFG_JIT is enabled.

        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDesiredWriteBarriers.h:

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
        https://bugs.webkit.org/show_bug.cgi?id=119961

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119972
        Add attributes field to PropertySlot

        Reviewed by Geoff Garen.

        For all JSC types, this makes getOwnPropertyDescriptor redundant.
        There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
        (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).

        No performance impact.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
            - These methods now all require 'attributes'.
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Added variants of getDirect, getDirectOffset that return the attributes.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertySlotByIndex):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticValueSlot):
        (JSC::getStaticValueDescriptor):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass attributes to PropertySlot::set* methods.

2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Filip Pizlo.

        Added a new mode for DesiredWriteBarrier that allows it to track a position in a
        Vector of WriteBarriers rather than the specific address. The fact that we were
        arbitrarily storing into a Vector's backing store for constants at the end of
        compilation after the Vector could have resized was causing crashes.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize typedArray.byteLength
        https://bugs.webkit.org/show_bug.cgi?id=119909

        Reviewed by Oliver Hunt.

        This adds typedArray.byteLength inlining to the DFG, and does so without changing
        the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
        legal since the byteLength of a typed array cannot exceed
        numeric_limits<int32_t>::max().

        * bytecode/SpeculatedType.cpp:
        (JSC::typedArrayTypeFromSpeculation):
        * bytecode/SpeculatedType.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toArrayType):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):
        (JSC::DFG::Graph::convertToConstant):
        * runtime/TypedArrayType.h:
        (JSC::logElementSize):
        (JSC::elementSize):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG optimizes out strict mode arguments tear off
        https://bugs.webkit.org/show_bug.cgi?id=119504

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        Don't do the optimization for strict mode.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):

2013-08-16  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: improve code generation for xxxTest32
        https://bugs.webkit.org/show_bug.cgi?id=119876

        Reviewed by Geoffrey Garen.

        Try to use testb whenever possible when testing for an immediate value.

        When the input is an address and an offset, we can tweak the mask
        and offset to be able to generate testb for any byte of the mask.

        When the input is a register, we can use testb if we are only interested
        in testing the low bits.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::generateTest32):

2013-08-16  Mark Lam  <mark.lam@apple.com>

        <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
        error message that an object is not a constructor though it expects a function

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=119897

        Reviewed by Oliver Hunt.

        6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
        on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
        to turn objects into dictionaries when you're storing using bracket syntax or using
        eval is still in place.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::putByIdContext):
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::context):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:

2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException

        Reviewed by Allan Sandfeld Jensen.

        ctiVMHandleException must jump/return using register ra (r31).

        * jit/JITStubsMIPS.h:

2013-08-16  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/119879> Fix sh4 build after r154156.

        Reviewed by Allan Sandfeld Jensen.

        Fix typo in JITStubsSH4.h file.

        * jit/JITStubsSH4.h:

2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers

        Reviewed by Oliver Hunt.

        The concurrent compilation thread should interact minimally with the Heap, including not
        triggering WriteBarriers. This is a prerequisite for generational GC.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addOrFindConstant):
        (JSC::CodeBlock::findConstant):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredTransitions.cpp: Added.
        (JSC::DFG::DesiredTransition::DesiredTransition):
        (JSC::DFG::DesiredTransition::reallyAdd):
        (JSC::DFG::DesiredTransitions::DesiredTransitions):
        (JSC::DFG::DesiredTransitions::~DesiredTransitions):
        (JSC::DFG::DesiredTransitions::addLazily):
        (JSC::DFG::DesiredTransitions::reallyAdd):
        * dfg/DFGDesiredTransitions.h: Added.
        * dfg/DFGDesiredWeakReferences.cpp: Added.
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGDesiredWeakReferences.h: Added.
        * dfg/DFGDesiredWriteBarriers.cpp: Added.
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::addImpl):
        (JSC::DFG::DesiredWriteBarriers::trigger):
        * dfg/DFGDesiredWriteBarriers.h: Added.
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrier):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrier::WriteBarrier):

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        Fix x86 32bits build after r154158

        * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.

2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r154156.

        * jit/JITStubs.cpp:
        (JSC::cti_vm_handle_exception): encode!

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: Use inc and dec when possible
        https://bugs.webkit.org/show_bug.cgi?id=119831

        Reviewed by Geoffrey Garen.

        When incrementing or decrementing by an immediate of 1, use the instructions
        inc and dec instead of add and sub.
        The instructions have good timing and their encoding is smaller.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::sub32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::sub64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::dec_r):
        (JSC::X86Assembler::decq_r):
        (JSC::X86Assembler::inc_r):
        (JSC::X86Assembler::incq_r):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
        https://bugs.webkit.org/show_bug.cgi?id=119874

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
        sometimes for typed array length accesses, and the FixupPhase assuming that a
        ForceExit ArrayMode means that it should continue using a generic GetById.

        This fixes the confusion.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-15  Mark Lam  <mark.lam@apple.com>

        Fix crash when performing activation tearoff.
        https://bugs.webkit.org/show_bug.cgi?id=119848

        Reviewed by Oliver Hunt.

        The activation tearoff crash was due to a bug in the baseline JIT.
        If we have a scenario where a baseline JIT frame calls a LLINT
        frame, an exception may be thrown while in the LLINT.

        Interpreter::throwException() which handles the exception will unwind
        all frames until it finds a catcher or sees a host frame. When we
        return from the LLINT to the baseline JIT code, the baseline JIT code
        erroneously sets topCallFrame to the value in its call frame register,
        and starts unwinding the stack frames that have already been unwound.

        The fix is:
        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
           This is a more accurate description of what this runtime function
           is supposed to do, i.e. it handles the exception, which includes doing
           nothing (if there are no more frames to unwind).
        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
           set on it.
        3. Reload the call frame register from topCallFrame when we're
           returning from a callee and detect exception handling in progress.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::uncaughtExceptionHandler):
        - Convenience function to get the handler for uncaught exceptions.
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::reloadCallFrameFromTopCallFrame):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::cti_vm_handle_exception):
        - Check for the case when there are no more frames to unwind.
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        - Reload cfr from topCallFrame when handling an exception.
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Reload cfr from topCallFrame when handling an exception.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Remove some code duplication.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Julien Brianceau  <jbrianceau@nds.com>

        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
        https://bugs.webkit.org/show_bug.cgi?id=119794

        Reviewed by Filip Pizlo.

        This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.

        Rubber stamped by Oliver Hunt.

        This was causing some test crashes for me.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Clear up improper export declaration.

        * runtime/ArrayBufferView.h:

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove some unnecessary periods from exceptions.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-14  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should be rewritten
        https://bugs.webkit.org/show_bug.cgi?id=119064

        Reviewed by Oliver Hunt.

        Typed arrays were previously deficient in several major ways:

        - They were defined separately in WebCore and in the jsc shell. The two
          implementations were different, and the jsc shell one was basically wrong.
          The WebCore one was quite awful, also.

        - Typed arrays were not visible to the JIT except through some weird hooks.
          For example, the JIT could not ask "what is the Structure that this typed
          array would have if I just allocated it from this global object". Also,
          it was difficult to wire any of the typed array intrinsics, because most
          of the functionality wasn't visible anywhere in JSC.
755         
756         - Typed array allocation was brain-dead. Allocating a typed array involved
757           two JS objects, two GC weak handles, and three malloc allocations.
758         
759         - Neutering. It involved keeping tabs on all native views but not the view
760           wrappers, even though the native views can autoneuter just by asking the
761           buffer if it was neutered anytime you touch them; while the JS view
762           wrappers are the ones that you really want to reach out to.
763         
764         - Common case-ing. Most typed arrays have one buffer and one view, and
765           usually nobody touches the buffer. Yet we created all of that stuff
766           anyway, using data structures optimized for the case where you had a lot
767           of views.
768         
769         - Semantic goofs. Typed arrays should, in the future, behave like ES
770           features rather than DOM features, for example when it comes to exceptions.
771           Firefox already does this and I agree with them.
772         
773         This patch cleanses our codebase of these sins:
774         
775         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
776           management of native references to buffers is left to WebCore.
777         
778         - Allocating a typed array requires either two GC allocations (a cell and a
779           copied storage vector) or one GC allocation, a malloc allocation, and a
780           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
781           latter). The latter is only used for oversize arrays. Remember that before
782           it was 7 allocations no matter what.
783         
784         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
785           mode/length, void* vector. Before it was a lot more than that - remember,
786           there were five additional objects that did absolutely nothing for anybody.
787         
788         - Native views aren't tracked by the buffer, or by the wrappers. They are
789           transient. In the future we'll probably switch to not even having them be
790           malloc'd.
791         
792         - Native array buffers have an efficient way of tracking all of their JS view
793           wrappers, both for neutering, and for lifecycle management. The GC
794           special-cases native array buffers. This saves a bunch of grief; for example
795           it means that a JS view wrapper can refer to its buffer via the butterfly,
796           which would be dead by the time we went to finalize.
797         
798         - Typed array semantics now match Firefox, which also happens to be where the
799           standards are going. The discussion on webkit-dev seemed to confirm that
800           Chrome is also heading in this direction. This includes making
801           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
802           ArrayBufferView as a JS-visible construct.
803         
804         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
805         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
806         further typed array optimizations in the JSC JITs, including inlining typed
807         array allocation, inlining more of the accessors, reducing the cost of type
808         checks, etc.
809         
810         An additional property of this patch is that typed arrays are mostly
811         implemented using templates. This deduplicates a bunch of code, but does mean
812         that we need some hacks for exporting s_info's of template classes. See
813         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
814         low-impact compared to code duplication.
815         
816         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
817
818         * CMakeLists.txt:
819         * DerivedSources.make:
820         * GNUmakefile.list.am:
821         * JSCTypedArrayStubs.h: Removed.
822         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
823         * JavaScriptCore.xcodeproj/project.pbxproj:
824         * Target.pri:
825         * bytecode/ByValInfo.h:
826         (JSC::hasOptimizableIndexingForClassInfo):
827         (JSC::jitArrayModeForClassInfo):
828         (JSC::typedArrayTypeForJITArrayMode):
829         * bytecode/SpeculatedType.cpp:
830         (JSC::speculationFromClassInfo):
831         * dfg/DFGArrayMode.cpp:
832         (JSC::DFG::toTypedArrayType):
833         * dfg/DFGArrayMode.h:
834         (JSC::DFG::ArrayMode::typedArrayType):
835         * dfg/DFGSpeculativeJIT.cpp:
836         (JSC::DFG::SpeculativeJIT::checkArray):
837         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
838         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
839         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
840         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
841         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
842         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
843         * dfg/DFGSpeculativeJIT.h:
844         * dfg/DFGSpeculativeJIT32_64.cpp:
845         (JSC::DFG::SpeculativeJIT::compile):
846         * dfg/DFGSpeculativeJIT64.cpp:
847         (JSC::DFG::SpeculativeJIT::compile):
848         * heap/CopyToken.h:
849         * heap/DeferGC.h:
850         (JSC::DeferGCForAWhile::DeferGCForAWhile):
851         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
852         * heap/GCIncomingRefCounted.h: Added.
853         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
854         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
855         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
856         (JSC::GCIncomingRefCounted::incomingReferenceAt):
857         (JSC::GCIncomingRefCounted::singletonFlag):
858         (JSC::GCIncomingRefCounted::hasVectorOfCells):
859         (JSC::GCIncomingRefCounted::hasAnyIncoming):
860         (JSC::GCIncomingRefCounted::hasSingleton):
861         (JSC::GCIncomingRefCounted::singleton):
862         (JSC::GCIncomingRefCounted::vectorOfCells):
863         * heap/GCIncomingRefCountedInlines.h: Added.
864         (JSC::::addIncomingReference):
865         (JSC::::filterIncomingReferences):
866         * heap/GCIncomingRefCountedSet.h: Added.
867         (JSC::GCIncomingRefCountedSet::size):
868         * heap/GCIncomingRefCountedSetInlines.h: Added.
869         (JSC::::GCIncomingRefCountedSet):
870         (JSC::::~GCIncomingRefCountedSet):
871         (JSC::::addReference):
872         (JSC::::sweep):
873         (JSC::::removeAll):
874         (JSC::::removeDead):
875         * heap/Heap.cpp:
876         (JSC::Heap::addReference):
877         (JSC::Heap::extraSize):
878         (JSC::Heap::size):
879         (JSC::Heap::capacity):
880         (JSC::Heap::collect):
881         (JSC::Heap::decrementDeferralDepth):
882         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
883         * heap/Heap.h:
884         * interpreter/CallFrame.h:
885         (JSC::ExecState::dataViewTable):
886         * jit/JIT.h:
887         * jit/JITPropertyAccess.cpp:
888         (JSC::JIT::privateCompileGetByVal):
889         (JSC::JIT::privateCompilePutByVal):
890         (JSC::JIT::emitIntTypedArrayGetByVal):
891         (JSC::JIT::emitFloatTypedArrayGetByVal):
892         (JSC::JIT::emitIntTypedArrayPutByVal):
893         (JSC::JIT::emitFloatTypedArrayPutByVal):
894         * jsc.cpp:
895         (GlobalObject::finishCreation):
896         * runtime/ArrayBuffer.cpp:
897         (JSC::ArrayBuffer::transfer):
898         * runtime/ArrayBuffer.h:
899         (JSC::ArrayBuffer::createAdopted):
900         (JSC::ArrayBuffer::ArrayBuffer):
901         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
902         (JSC::ArrayBuffer::pin):
903         (JSC::ArrayBuffer::unpin):
904         (JSC::ArrayBufferContents::tryAllocate):
905         * runtime/ArrayBufferView.cpp:
906         (JSC::ArrayBufferView::ArrayBufferView):
907         (JSC::ArrayBufferView::~ArrayBufferView):
908         (JSC::ArrayBufferView::setNeuterable):
909         * runtime/ArrayBufferView.h:
910         (JSC::ArrayBufferView::isNeutered):
911         (JSC::ArrayBufferView::buffer):
912         (JSC::ArrayBufferView::baseAddress):
913         (JSC::ArrayBufferView::byteOffset):
914         (JSC::ArrayBufferView::verifySubRange):
915         (JSC::ArrayBufferView::clampOffsetAndNumElements):
916         (JSC::ArrayBufferView::calculateOffsetAndLength):
917         * runtime/ClassInfo.h:
918         * runtime/CommonIdentifiers.h:
919         * runtime/DataView.cpp: Added.
920         (JSC::DataView::DataView):
921         (JSC::DataView::create):
922         (JSC::DataView::wrap):
923         * runtime/DataView.h: Added.
924         (JSC::DataView::byteLength):
925         (JSC::DataView::getType):
926         (JSC::DataView::get):
927         (JSC::DataView::set):
928         * runtime/Float32Array.h:
929         * runtime/Float64Array.h:
930         * runtime/GenericTypedArrayView.h: Added.
931         (JSC::GenericTypedArrayView::data):
932         (JSC::GenericTypedArrayView::set):
933         (JSC::GenericTypedArrayView::setRange):
934         (JSC::GenericTypedArrayView::zeroRange):
935         (JSC::GenericTypedArrayView::zeroFill):
936         (JSC::GenericTypedArrayView::length):
937         (JSC::GenericTypedArrayView::byteLength):
938         (JSC::GenericTypedArrayView::item):
939         (JSC::GenericTypedArrayView::checkInboundData):
940         (JSC::GenericTypedArrayView::getType):
941         * runtime/GenericTypedArrayViewInlines.h: Added.
942         (JSC::::GenericTypedArrayView):
943         (JSC::::create):
944         (JSC::::createUninitialized):
945         (JSC::::subarray):
946         (JSC::::wrap):
947         * runtime/IndexingHeader.h:
948         (JSC::IndexingHeader::arrayBuffer):
949         (JSC::IndexingHeader::setArrayBuffer):
950         * runtime/Int16Array.h:
951         * runtime/Int32Array.h:
952         * runtime/Int8Array.h:
953         * runtime/JSArrayBuffer.cpp: Added.
954         (JSC::JSArrayBuffer::JSArrayBuffer):
955         (JSC::JSArrayBuffer::finishCreation):
956         (JSC::JSArrayBuffer::create):
957         (JSC::JSArrayBuffer::createStructure):
958         (JSC::JSArrayBuffer::getOwnPropertySlot):
959         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
960         (JSC::JSArrayBuffer::put):
961         (JSC::JSArrayBuffer::defineOwnProperty):
962         (JSC::JSArrayBuffer::deleteProperty):
963         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
964         * runtime/JSArrayBuffer.h: Added.
965         (JSC::JSArrayBuffer::impl):
966         (JSC::toArrayBuffer):
967         * runtime/JSArrayBufferConstructor.cpp: Added.
968         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
969         (JSC::JSArrayBufferConstructor::finishCreation):
970         (JSC::JSArrayBufferConstructor::create):
971         (JSC::JSArrayBufferConstructor::createStructure):
972         (JSC::constructArrayBuffer):
973         (JSC::JSArrayBufferConstructor::getConstructData):
974         (JSC::JSArrayBufferConstructor::getCallData):
975         * runtime/JSArrayBufferConstructor.h: Added.
976         * runtime/JSArrayBufferPrototype.cpp: Added.
977         (JSC::arrayBufferProtoFuncSlice):
978         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
979         (JSC::JSArrayBufferPrototype::finishCreation):
980         (JSC::JSArrayBufferPrototype::create):
981         (JSC::JSArrayBufferPrototype::createStructure):
982         * runtime/JSArrayBufferPrototype.h: Added.
983         * runtime/JSArrayBufferView.cpp: Added.
984         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
985         (JSC::JSArrayBufferView::JSArrayBufferView):
986         (JSC::JSArrayBufferView::finishCreation):
987         (JSC::JSArrayBufferView::getOwnPropertySlot):
988         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
989         (JSC::JSArrayBufferView::put):
990         (JSC::JSArrayBufferView::defineOwnProperty):
991         (JSC::JSArrayBufferView::deleteProperty):
992         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
993         (JSC::JSArrayBufferView::finalize):
994         * runtime/JSArrayBufferView.h: Added.
995         (JSC::JSArrayBufferView::sizeOf):
996         (JSC::JSArrayBufferView::ConstructionContext::operator!):
997         (JSC::JSArrayBufferView::ConstructionContext::structure):
998         (JSC::JSArrayBufferView::ConstructionContext::vector):
999         (JSC::JSArrayBufferView::ConstructionContext::length):
1000         (JSC::JSArrayBufferView::ConstructionContext::mode):
1001         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
1002         (JSC::JSArrayBufferView::mode):
1003         (JSC::JSArrayBufferView::vector):
1004         (JSC::JSArrayBufferView::length):
1005         (JSC::JSArrayBufferView::offsetOfVector):
1006         (JSC::JSArrayBufferView::offsetOfLength):
1007         (JSC::JSArrayBufferView::offsetOfMode):
1008         * runtime/JSArrayBufferViewInlines.h: Added.
1009         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
1010         (JSC::JSArrayBufferView::buffer):
1011         (JSC::JSArrayBufferView::impl):
1012         (JSC::JSArrayBufferView::neuter):
1013         (JSC::JSArrayBufferView::byteOffset):
1014         * runtime/JSCell.cpp:
1015         (JSC::JSCell::slowDownAndWasteMemory):
1016         (JSC::JSCell::getTypedArrayImpl):
1017         * runtime/JSCell.h:
1018         * runtime/JSDataView.cpp: Added.
1019         (JSC::JSDataView::JSDataView):
1020         (JSC::JSDataView::create):
1021         (JSC::JSDataView::createUninitialized):
1022         (JSC::JSDataView::set):
1023         (JSC::JSDataView::typedImpl):
1024         (JSC::JSDataView::getOwnPropertySlot):
1025         (JSC::JSDataView::getOwnPropertyDescriptor):
1026         (JSC::JSDataView::slowDownAndWasteMemory):
1027         (JSC::JSDataView::getTypedArrayImpl):
1028         (JSC::JSDataView::createStructure):
1029         * runtime/JSDataView.h: Added.
1030         * runtime/JSDataViewPrototype.cpp: Added.
1031         (JSC::JSDataViewPrototype::JSDataViewPrototype):
1032         (JSC::JSDataViewPrototype::create):
1033         (JSC::JSDataViewPrototype::createStructure):
1034         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1035         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1036         (JSC::getData):
1037         (JSC::setData):
1038         (JSC::dataViewProtoFuncGetInt8):
1039         (JSC::dataViewProtoFuncGetInt16):
1040         (JSC::dataViewProtoFuncGetInt32):
1041         (JSC::dataViewProtoFuncGetUint8):
1042         (JSC::dataViewProtoFuncGetUint16):
1043         (JSC::dataViewProtoFuncGetUint32):
1044         (JSC::dataViewProtoFuncGetFloat32):
1045         (JSC::dataViewProtoFuncGetFloat64):
1046         (JSC::dataViewProtoFuncSetInt8):
1047         (JSC::dataViewProtoFuncSetInt16):
1048         (JSC::dataViewProtoFuncSetInt32):
1049         (JSC::dataViewProtoFuncSetUint8):
1050         (JSC::dataViewProtoFuncSetUint16):
1051         (JSC::dataViewProtoFuncSetUint32):
1052         (JSC::dataViewProtoFuncSetFloat32):
1053         (JSC::dataViewProtoFuncSetFloat64):
1054         * runtime/JSDataViewPrototype.h: Added.
1055         * runtime/JSFloat32Array.h: Added.
1056         * runtime/JSFloat64Array.h: Added.
1057         * runtime/JSGenericTypedArrayView.h: Added.
1058         (JSC::JSGenericTypedArrayView::byteLength):
1059         (JSC::JSGenericTypedArrayView::byteSize):
1060         (JSC::JSGenericTypedArrayView::typedVector):
1061         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1062         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1063         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1064         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1065         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1066         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1067         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1068         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1069         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1070         (JSC::JSGenericTypedArrayView::typedImpl):
1071         (JSC::JSGenericTypedArrayView::createStructure):
1072         (JSC::JSGenericTypedArrayView::info):
1073         (JSC::toNativeTypedView):
1074         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1075         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1076         (JSC::::JSGenericTypedArrayViewConstructor):
1077         (JSC::::finishCreation):
1078         (JSC::::create):
1079         (JSC::::createStructure):
1080         (JSC::constructGenericTypedArrayView):
1081         (JSC::::getConstructData):
1082         (JSC::::getCallData):
1083         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1084         (JSC::::JSGenericTypedArrayView):
1085         (JSC::::create):
1086         (JSC::::createUninitialized):
1087         (JSC::::validateRange):
1088         (JSC::::setWithSpecificType):
1089         (JSC::::set):
1090         (JSC::::getOwnPropertySlot):
1091         (JSC::::getOwnPropertyDescriptor):
1092         (JSC::::put):
1093         (JSC::::defineOwnProperty):
1094         (JSC::::deleteProperty):
1095         (JSC::::getOwnPropertySlotByIndex):
1096         (JSC::::putByIndex):
1097         (JSC::::deletePropertyByIndex):
1098         (JSC::::getOwnNonIndexPropertyNames):
1099         (JSC::::getOwnPropertyNames):
1100         (JSC::::visitChildren):
1101         (JSC::::copyBackingStore):
1102         (JSC::::slowDownAndWasteMemory):
1103         (JSC::::getTypedArrayImpl):
1104         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1105         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1106         (JSC::genericTypedArrayViewProtoFuncSet):
1107         (JSC::genericTypedArrayViewProtoFuncSubarray):
1108         (JSC::::JSGenericTypedArrayViewPrototype):
1109         (JSC::::finishCreation):
1110         (JSC::::create):
1111         (JSC::::createStructure):
1112         * runtime/JSGlobalObject.cpp:
1113         (JSC::JSGlobalObject::reset):
1114         (JSC::JSGlobalObject::visitChildren):
1115         * runtime/JSGlobalObject.h:
1116         (JSC::JSGlobalObject::arrayBufferPrototype):
1117         (JSC::JSGlobalObject::arrayBufferStructure):
1118         (JSC::JSGlobalObject::typedArrayStructure):
1119         * runtime/JSInt16Array.h: Added.
1120         * runtime/JSInt32Array.h: Added.
1121         * runtime/JSInt8Array.h: Added.
1122         * runtime/JSTypedArrayConstructors.cpp: Added.
1123         * runtime/JSTypedArrayConstructors.h: Added.
1124         * runtime/JSTypedArrayPrototypes.cpp: Added.
1125         * runtime/JSTypedArrayPrototypes.h: Added.
1126         * runtime/JSTypedArrays.cpp: Added.
1127         * runtime/JSTypedArrays.h: Added.
1128         * runtime/JSUint16Array.h: Added.
1129         * runtime/JSUint32Array.h: Added.
1130         * runtime/JSUint8Array.h: Added.
1131         * runtime/JSUint8ClampedArray.h: Added.
1132         * runtime/Operations.h:
1133         * runtime/Options.h:
1134         * runtime/SimpleTypedArrayController.cpp: Added.
1135         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1136         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1137         (JSC::SimpleTypedArrayController::toJS):
1138         * runtime/SimpleTypedArrayController.h: Added.
1139         * runtime/Structure.h:
1140         (JSC::Structure::couldHaveIndexingHeader):
1141         * runtime/StructureInlines.h:
1142         (JSC::Structure::hasIndexingHeader):
1143         * runtime/TypedArrayAdaptors.h: Added.
1144         (JSC::IntegralTypedArrayAdaptor::toNative):
1145         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1146         (JSC::IntegralTypedArrayAdaptor::toDouble):
1147         (JSC::FloatTypedArrayAdaptor::toNative):
1148         (JSC::FloatTypedArrayAdaptor::toJSValue):
1149         (JSC::FloatTypedArrayAdaptor::toDouble):
1150         (JSC::Uint8ClampedAdaptor::toNative):
1151         (JSC::Uint8ClampedAdaptor::toJSValue):
1152         (JSC::Uint8ClampedAdaptor::toDouble):
1153         (JSC::Uint8ClampedAdaptor::clamp):
1154         * runtime/TypedArrayController.cpp: Added.
1155         (JSC::TypedArrayController::TypedArrayController):
1156         (JSC::TypedArrayController::~TypedArrayController):
1157         * runtime/TypedArrayController.h: Added.
1158         * runtime/TypedArrayDescriptor.h: Removed.
1159         * runtime/TypedArrayInlines.h: Added.
1160         * runtime/TypedArrayType.cpp: Added.
1161         (JSC::classInfoForType):
1162         (WTF::printInternal):
1163         * runtime/TypedArrayType.h: Added.
1164         (JSC::toIndex):
1165         (JSC::isTypedView):
1166         (JSC::elementSize):
1167         (JSC::isInt):
1168         (JSC::isFloat):
1169         (JSC::isSigned):
1170         (JSC::isClamped):
1171         * runtime/TypedArrays.h: Added.
1172         * runtime/Uint16Array.h:
1173         * runtime/Uint32Array.h:
1174         * runtime/Uint8Array.h:
1175         * runtime/Uint8ClampedArray.h:
1176         * runtime/VM.cpp:
1177         (JSC::VM::VM):
1178         (JSC::VM::~VM):
1179         * runtime/VM.h:
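
        Added example (not part of the ChangeLog and not WebKit code): the typed array
        entry above describes semantics that are observable from script, namely that
        Uint8ClampedArray clamps while Uint8Array wraps, that Uint8ClampedArray is no
        longer a subtype of Uint8Array, that ArrayBufferView is not a JS-visible global,
        that out-of-range view construction and DataView access throw an ES RangeError
        rather than a DOM exception, and that neutering (today called detaching) a
        buffer empties every view wrapper on it. The script below checks each of these
        from plain JavaScript under Node.js; the helper names are this example's own,
        and the detach check assumes structuredClone with transfer (Node 17+) and
        returns null where that is unavailable.

```javascript
'use strict';
// Added example, not WebKit code: observable typed array semantics described in the
// "Typed arrays should be rewritten" entry. Helper names are this example's own.

// Uint8ClampedArray clamps to [0, 255] with round-half-to-even; Uint8Array wraps mod 256.
function storeAsBytes(values) {
  return {
    clamped: Array.from(new Uint8ClampedArray(values)),
    wrapped: Array.from(new Uint8Array(values)),
  };
}

// Uint8ClampedArray is not a subtype of Uint8Array, ArrayBufferView is not a visible
// global, and every concrete view shares only the %TypedArray% intrinsic.
function subtypeFacts() {
  const TypedArray = Object.getPrototypeOf(Uint8Array);
  return {
    clampedIsUint8: new Uint8ClampedArray(1) instanceof Uint8Array,
    arrayBufferViewVisible: typeof globalThis.ArrayBufferView !== 'undefined',
    sharesIntrinsic: Object.getPrototypeOf(Uint8ClampedArray) === TypedArray
                  && Object.getPrototypeOf(Float64Array) === TypedArray,
  };
}

// ES-style errors: an over-long or misaligned view and an out-of-bounds DataView read
// throw RangeError, not a DOM INDEX_SIZE_ERR exception. Returns the error class name,
// or null when no error is thrown.
function errorClassOf(fn) {
  try { fn(); return null; } catch (e) { return e.constructor.name; }
}
function exceptionFacts() {
  const buf = new ArrayBuffer(4);
  return {
    viewPastEnd: errorClassOf(() => new Uint8Array(buf, 1, 4)),
    misalignedView: errorClassOf(() => new Int32Array(new ArrayBuffer(6))),
    dataViewPastEnd: errorClassOf(() => new DataView(buf).getInt32(4)),
    inRange: errorClassOf(() => new DataView(buf).getInt32(0)),
  };
}

// Neutering/detaching: transferring a buffer empties every view on it, so a view can
// never expose the old storage. Assumes structuredClone with transfer (Node 17+).
function detachFacts() {
  if (typeof structuredClone !== 'function') return null;
  const buf = new ArrayBuffer(8);
  const view = new Uint8Array(buf);
  view[0] = 0x41;
  const moved = structuredClone(buf, { transfer: [buf] });
  return {
    originalByteLength: buf.byteLength,       // 0 once detached
    viewLength: view.length,                  // 0: the wrapper follows its buffer
    readAfterDetach: view[0],                 // undefined: no stale memory is readable
    movedByteLength: moved.byteLength,        // 8: the data now lives in the new buffer
    movedFirstByte: new Uint8Array(moved)[0], // 0x41 carried across the transfer
  };
}

console.log(JSON.stringify({
  bytes: storeAsBytes([300, -5, 1.5, 2.5, 254.5]),
  subtypes: subtypeFacts(),
  exceptions: exceptionFacts(),
  detach: detachFacts(),
}, null, 2));
```

        The clamp results use the spec's round-half-to-even conversion (1.5 and 2.5
        both store as 2) while the wrapped results truncate and reduce modulo 256, which
        is why the same input array yields two different byte sequences.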
1180
1181 2013-08-15  Oliver Hunt  <oliver@apple.com>
1182
1183         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1184
1185         Reviewed by Filip Pizlo.
1186
1187         Make sure dfgCapabilities doesn't report a Dynamic put as
1188         being compilable when we don't actually support it.  
1189
1190         * bytecode/CodeBlock.cpp:
1191         (JSC::CodeBlock::dumpBytecode):
1192         * dfg/DFGCapabilities.cpp:
1193         (JSC::DFG::capabilityLevel):
1194
1195 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1196
1197         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1198         https://bugs.webkit.org/show_bug.cgi?id=119847
1199
1200         Reviewed by Oliver Hunt.
1201
1202         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1203         * runtime/ArrayBufferView.h: Ditto.
1204
1205 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1206
1207         https://bugs.webkit.org/show_bug.cgi?id=119843
1208         PropertySlot::setValue is ambiguous
1209
1210         Reviewed by Geoff Garen.
1211
1212         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1213         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1214         Unify on always providing the object, and remove the version that just takes a value.
1215         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1216         Provide a version of setValue that takes a JSString as the owner of the property.
1217         We won't store this, but it makes it clear that this interface should only be used from JSString.
1218
1219         * API/JSCallbackObjectFunctions.h:
1220         (JSC::::getOwnPropertySlot):
1221         * JSCTypedArrayStubs.h:
1222         * runtime/Arguments.cpp:
1223         (JSC::Arguments::getOwnPropertySlotByIndex):
1224         (JSC::Arguments::getOwnPropertySlot):
1225         * runtime/JSActivation.cpp:
1226         (JSC::JSActivation::symbolTableGet):
1227         (JSC::JSActivation::getOwnPropertySlot):
1228         * runtime/JSArray.cpp:
1229         (JSC::JSArray::getOwnPropertySlot):
1230         * runtime/JSObject.cpp:
1231         (JSC::JSObject::getOwnPropertySlotByIndex):
1232         * runtime/JSString.h:
1233         (JSC::JSString::getStringPropertySlot):
1234         * runtime/JSSymbolTableObject.h:
1235         (JSC::symbolTableGet):
1236         * runtime/SparseArrayValueMap.cpp:
1237         (JSC::SparseArrayEntry::get):
1238             - Pass object containing property to PropertySlot::setValue
1239         * runtime/PropertySlot.h:
1240         (JSC::PropertySlot::setValue):
1241             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1242         (JSC::PropertySlot::setUndefined):
1243             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1244
1245 2013-08-15  Oliver Hunt  <oliver@apple.com>
1246
1247         Remove bogus assertion.
1248
1249         RS=Filip Pizlo
1250
1251         * dfg/DFGAbstractInterpreterInlines.h:
1252         (JSC::DFG::::executeEffects):
1253
1254 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1255
1256         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1257         https://bugs.webkit.org/show_bug.cgi?id=114913
1258
1259         Reviewed by Filip Pizlo.
1260
1261         The X87 register was not freed before some calls. Instead
1262         of inserting resetX87Registers to the last call sites,
1263         the two X87 registers are now freed in every call.
1264
1265         * llint/LowLevelInterpreter32_64.asm:
1266         * llint/LowLevelInterpreter64.asm:
1267         * offlineasm/instructions.rb:
1268         * offlineasm/x86.rb:
1269
1270 2013-08-14  Michael Saboff  <msaboff@apple.com>
1271
1272         Fixed jit on Win64.
1273         https://bugs.webkit.org/show_bug.cgi?id=119601
1274
1275         Reviewed by Oliver Hunt.
1276
1277         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1278         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1279         * jit/SlowPathCall.h:
1280         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1281
1282 2013-08-14  Alex Christensen  <achristensen@apple.com>
1283
1284         Compile fix for Win64 with jit disabled.
1285         https://bugs.webkit.org/show_bug.cgi?id=119804
1286
1287         Reviewed by Michael Saboff.
1288
1289         * offlineasm/cloop.rb: Added std:: before isnan.
1290
1291 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1292
1293         DFG_JIT implementation for sh4 architecture.
1294         https://bugs.webkit.org/show_bug.cgi?id=119737
1295
1296         Reviewed by Oliver Hunt.
1297
1298         * assembler/MacroAssemblerSH4.h:
1299         (JSC::MacroAssemblerSH4::invert):
1300         (JSC::MacroAssemblerSH4::add32):
1301         (JSC::MacroAssemblerSH4::and32):
1302         (JSC::MacroAssemblerSH4::lshift32):
1303         (JSC::MacroAssemblerSH4::mul32):
1304         (JSC::MacroAssemblerSH4::or32):
1305         (JSC::MacroAssemblerSH4::rshift32):
1306         (JSC::MacroAssemblerSH4::sub32):
1307         (JSC::MacroAssemblerSH4::xor32):
1308         (JSC::MacroAssemblerSH4::store32):
1309         (JSC::MacroAssemblerSH4::swapDouble):
1310         (JSC::MacroAssemblerSH4::storeDouble):
1311         (JSC::MacroAssemblerSH4::subDouble):
1312         (JSC::MacroAssemblerSH4::mulDouble):
1313         (JSC::MacroAssemblerSH4::divDouble):
1314         (JSC::MacroAssemblerSH4::negateDouble):
1315         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
1316         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
1317         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
1318         (JSC::MacroAssemblerSH4::swap):
1319         (JSC::MacroAssemblerSH4::jump):
1320         (JSC::MacroAssemblerSH4::branchNeg32):
1321         (JSC::MacroAssemblerSH4::branchAdd32):
1322         (JSC::MacroAssemblerSH4::branchMul32):
1323         (JSC::MacroAssemblerSH4::urshift32):
1324         * assembler/SH4Assembler.h:
1325         (JSC::SH4Assembler::SH4Assembler):
1326         (JSC::SH4Assembler::labelForWatchpoint):
1327         (JSC::SH4Assembler::label):
1328         (JSC::SH4Assembler::debugOffset):
1329         * dfg/DFGAssemblyHelpers.h:
1330         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
1331         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
1332         (JSC::DFG::AssemblyHelpers::debugCall):
1333         * dfg/DFGCCallHelpers.h:
1334         (JSC::DFG::CCallHelpers::setupArguments):
1335         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1336         * dfg/DFGFPRInfo.h:
1337         (JSC::DFG::FPRInfo::toRegister):
1338         (JSC::DFG::FPRInfo::toIndex):
1339         (JSC::DFG::FPRInfo::debugName):
1340         * dfg/DFGGPRInfo.h:
1341         (JSC::DFG::GPRInfo::toRegister):
1342         (JSC::DFG::GPRInfo::toIndex):
1343         (JSC::DFG::GPRInfo::debugName):
1344         * dfg/DFGOperations.cpp:
1345         * dfg/DFGSpeculativeJIT.h:
1346         (JSC::DFG::SpeculativeJIT::callOperation):
1347         * jit/JITStubs.h:
1348         * jit/JITStubsSH4.h:
1349
1350 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1351
1352         Unreviewed, fix build.
1353
1354         * API/JSValue.mm:
1355         (isDate):
1356         (isArray):
1357         * API/JSWrapperMap.mm:
1358         (tryUnwrapObjcObject):
1359         * API/ObjCCallbackFunction.mm:
1360         (tryUnwrapBlock):
1361
1362 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1363
1364         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
1365         https://bugs.webkit.org/show_bug.cgi?id=119770
1366
1367         Reviewed by Mark Hahnenberg.
1368
1369         * API/JSCallbackConstructor.cpp:
1370         (JSC::JSCallbackConstructor::finishCreation):
1371         * API/JSCallbackConstructor.h:
1372         (JSC::JSCallbackConstructor::createStructure):
1373         * API/JSCallbackFunction.cpp:
1374         (JSC::JSCallbackFunction::finishCreation):
1375         * API/JSCallbackFunction.h:
1376         (JSC::JSCallbackFunction::createStructure):
1377         * API/JSCallbackObject.cpp:
1378         (JSC::::createStructure):
1379         * API/JSCallbackObject.h:
1380         (JSC::JSCallbackObject::visitChildren):
1381         * API/JSCallbackObjectFunctions.h:
1382         (JSC::::asCallbackObject):
1383         (JSC::::finishCreation):
1384         * API/JSObjectRef.cpp:
1385         (JSObjectGetPrivate):
1386         (JSObjectSetPrivate):
1387         (JSObjectGetPrivateProperty):
1388         (JSObjectSetPrivateProperty):
1389         (JSObjectDeletePrivateProperty):
1390         * API/JSValueRef.cpp:
1391         (JSValueIsObjectOfClass):
1392         * API/JSWeakObjectMapRefPrivate.cpp:
1393         * API/ObjCCallbackFunction.h:
1394         (JSC::ObjCCallbackFunction::createStructure):
1395         * JSCTypedArrayStubs.h:
1396         * bytecode/CallLinkStatus.cpp:
1397         (JSC::CallLinkStatus::CallLinkStatus):
1398         (JSC::CallLinkStatus::function):
1399         (JSC::CallLinkStatus::internalFunction):
1400         * bytecode/CodeBlock.h:
1401         (JSC::baselineCodeBlockForInlineCallFrame):
1402         * bytecode/SpeculatedType.cpp:
1403         (JSC::speculationFromClassInfo):
1404         * bytecode/UnlinkedCodeBlock.cpp:
1405         (JSC::UnlinkedFunctionExecutable::visitChildren):
1406         (JSC::UnlinkedCodeBlock::visitChildren):
1407         (JSC::UnlinkedProgramCodeBlock::visitChildren):
1408         * bytecode/UnlinkedCodeBlock.h:
1409         (JSC::UnlinkedFunctionExecutable::createStructure):
1410         (JSC::UnlinkedProgramCodeBlock::createStructure):
1411         (JSC::UnlinkedEvalCodeBlock::createStructure):
1412         (JSC::UnlinkedFunctionCodeBlock::createStructure):
1413         * debugger/Debugger.cpp:
1414         * debugger/DebuggerActivation.cpp:
1415         (JSC::DebuggerActivation::visitChildren):
1416         * debugger/DebuggerActivation.h:
1417         (JSC::DebuggerActivation::createStructure):
1418         * debugger/DebuggerCallFrame.cpp:
1419         (JSC::DebuggerCallFrame::functionName):
1420         * dfg/DFGAbstractInterpreterInlines.h:
1421         (JSC::DFG::::executeEffects):
1422         * dfg/DFGByteCodeParser.cpp:
1423         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1424         (JSC::DFG::ByteCodeParser::parseBlock):
1425         * dfg/DFGFixupPhase.cpp:
1426         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1427         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1428         * dfg/DFGGraph.cpp:
1429         (JSC::DFG::Graph::dump):
1430         * dfg/DFGGraph.h:
1431         (JSC::DFG::Graph::isInternalFunctionConstant):
1432         * dfg/DFGOperations.cpp:
1433         * dfg/DFGSpeculativeJIT.cpp:
1434         (JSC::DFG::SpeculativeJIT::checkArray):
1435         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1436         * dfg/DFGThunks.cpp:
1437         (JSC::DFG::virtualForThunkGenerator):
1438         * interpreter/Interpreter.cpp:
1439         (JSC::loadVarargs):
1440         * jsc.cpp:
1441         (GlobalObject::createStructure):
1442         * profiler/LegacyProfiler.cpp:
1443         (JSC::LegacyProfiler::createCallIdentifier):
1444         * runtime/Arguments.cpp:
1445         (JSC::Arguments::visitChildren):
1446         * runtime/Arguments.h:
1447         (JSC::Arguments::createStructure):
1448         (JSC::asArguments):
1449         (JSC::Arguments::finishCreation):
1450         * runtime/ArrayConstructor.cpp:
1451         (JSC::arrayConstructorIsArray):
1452         * runtime/ArrayConstructor.h:
1453         (JSC::ArrayConstructor::createStructure):
1454         * runtime/ArrayPrototype.cpp:
1455         (JSC::ArrayPrototype::finishCreation):
1456         (JSC::arrayProtoFuncConcat):
1457         (JSC::attemptFastSort):
1458         * runtime/ArrayPrototype.h:
1459         (JSC::ArrayPrototype::createStructure):
1460         * runtime/BooleanConstructor.h:
1461         (JSC::BooleanConstructor::createStructure):
1462         * runtime/BooleanObject.cpp:
1463         (JSC::BooleanObject::finishCreation):
1464         * runtime/BooleanObject.h:
1465         (JSC::BooleanObject::createStructure):
1466         (JSC::asBooleanObject):
1467         * runtime/BooleanPrototype.cpp:
1468         (JSC::BooleanPrototype::finishCreation):
1469         (JSC::booleanProtoFuncToString):
1470         (JSC::booleanProtoFuncValueOf):
1471         * runtime/BooleanPrototype.h:
1472         (JSC::BooleanPrototype::createStructure):
1473         * runtime/DateConstructor.cpp:
1474         (JSC::constructDate):
1475         * runtime/DateConstructor.h:
1476         (JSC::DateConstructor::createStructure):
1477         * runtime/DateInstance.cpp:
1478         (JSC::DateInstance::finishCreation):
1479         * runtime/DateInstance.h:
1480         (JSC::DateInstance::createStructure):
1481         (JSC::asDateInstance):
1482         * runtime/DatePrototype.cpp:
1483         (JSC::formateDateInstance):
1484         (JSC::DatePrototype::finishCreation):
1485         (JSC::dateProtoFuncToISOString):
1486         (JSC::dateProtoFuncToLocaleString):
1487         (JSC::dateProtoFuncToLocaleDateString):
1488         (JSC::dateProtoFuncToLocaleTimeString):
1489         (JSC::dateProtoFuncGetTime):
1490         (JSC::dateProtoFuncGetFullYear):
1491         (JSC::dateProtoFuncGetUTCFullYear):
1492         (JSC::dateProtoFuncGetMonth):
1493         (JSC::dateProtoFuncGetUTCMonth):
1494         (JSC::dateProtoFuncGetDate):
1495         (JSC::dateProtoFuncGetUTCDate):
1496         (JSC::dateProtoFuncGetDay):
1497         (JSC::dateProtoFuncGetUTCDay):
1498         (JSC::dateProtoFuncGetHours):
1499         (JSC::dateProtoFuncGetUTCHours):
1500         (JSC::dateProtoFuncGetMinutes):
1501         (JSC::dateProtoFuncGetUTCMinutes):
1502         (JSC::dateProtoFuncGetSeconds):
1503         (JSC::dateProtoFuncGetUTCSeconds):
1504         (JSC::dateProtoFuncGetMilliSeconds):
1505         (JSC::dateProtoFuncGetUTCMilliseconds):
1506         (JSC::dateProtoFuncGetTimezoneOffset):
1507         (JSC::dateProtoFuncSetTime):
1508         (JSC::setNewValueFromTimeArgs):
1509         (JSC::setNewValueFromDateArgs):
1510         (JSC::dateProtoFuncSetYear):
1511         (JSC::dateProtoFuncGetYear):
1512         * runtime/DatePrototype.h:
1513         (JSC::DatePrototype::createStructure):
1514         * runtime/Error.h:
1515         (JSC::StrictModeTypeErrorFunction::createStructure):
1516         * runtime/ErrorConstructor.h:
1517         (JSC::ErrorConstructor::createStructure):
1518         * runtime/ErrorInstance.cpp:
1519         (JSC::ErrorInstance::finishCreation):
1520         * runtime/ErrorInstance.h:
1521         (JSC::ErrorInstance::createStructure):
1522         * runtime/ErrorPrototype.cpp:
1523         (JSC::ErrorPrototype::finishCreation):
1524         * runtime/ErrorPrototype.h:
1525         (JSC::ErrorPrototype::createStructure):
1526         * runtime/ExceptionHelpers.cpp:
1527         (JSC::isTerminatedExecutionException):
1528         * runtime/ExceptionHelpers.h:
1529         (JSC::TerminatedExecutionError::createStructure):
1530         * runtime/Executable.cpp:
1531         (JSC::EvalExecutable::visitChildren):
1532         (JSC::ProgramExecutable::visitChildren):
1533         (JSC::FunctionExecutable::visitChildren):
1534         (JSC::ExecutableBase::hashFor):
1535         * runtime/Executable.h:
1536         (JSC::ExecutableBase::createStructure):
1537         (JSC::NativeExecutable::createStructure):
1538         (JSC::EvalExecutable::createStructure):
1539         (JSC::ProgramExecutable::createStructure):
1540         (JSC::FunctionExecutable::compileFor):
1541         (JSC::FunctionExecutable::compileOptimizedFor):
1542         (JSC::FunctionExecutable::createStructure):
1543         * runtime/FunctionConstructor.h:
1544         (JSC::FunctionConstructor::createStructure):
1545         * runtime/FunctionPrototype.cpp:
1546         (JSC::functionProtoFuncToString):
1547         (JSC::functionProtoFuncApply):
1548         (JSC::functionProtoFuncBind):
1549         * runtime/FunctionPrototype.h:
1550         (JSC::FunctionPrototype::createStructure):
1551         * runtime/GetterSetter.cpp:
1552         (JSC::GetterSetter::visitChildren):
1553         * runtime/GetterSetter.h:
1554         (JSC::GetterSetter::createStructure):
1555         * runtime/InternalFunction.cpp:
1556         (JSC::InternalFunction::finishCreation):
1557         * runtime/InternalFunction.h:
1558         (JSC::InternalFunction::createStructure):
1559         (JSC::asInternalFunction):
1560         * runtime/JSAPIValueWrapper.h:
1561         (JSC::JSAPIValueWrapper::createStructure):
1562         * runtime/JSActivation.cpp:
1563         (JSC::JSActivation::visitChildren):
1564         (JSC::JSActivation::argumentsGetter):
1565         * runtime/JSActivation.h:
1566         (JSC::JSActivation::createStructure):
1567         (JSC::asActivation):
1568         * runtime/JSArray.h:
1569         (JSC::JSArray::createStructure):
1570         (JSC::asArray):
1571         (JSC::isJSArray):
1572         * runtime/JSBoundFunction.cpp:
1573         (JSC::JSBoundFunction::finishCreation):
1574         (JSC::JSBoundFunction::visitChildren):
1575         * runtime/JSBoundFunction.h:
1576         (JSC::JSBoundFunction::createStructure):
1577         * runtime/JSCJSValue.cpp:
1578         (JSC::JSValue::dumpInContext):
1579         * runtime/JSCJSValueInlines.h:
1580         (JSC::JSValue::isFunction):
1581         * runtime/JSCell.h:
1582         (JSC::jsCast):
1583         (JSC::jsDynamicCast):
1584         * runtime/JSCellInlines.h:
1585         (JSC::allocateCell):
1586         * runtime/JSFunction.cpp:
1587         (JSC::JSFunction::finishCreation):
1588         (JSC::JSFunction::visitChildren):
1589         (JSC::skipOverBoundFunctions):
1590         (JSC::JSFunction::callerGetter):
1591         * runtime/JSFunction.h:
1592         (JSC::JSFunction::createStructure):
1593         * runtime/JSGlobalObject.cpp:
1594         (JSC::JSGlobalObject::visitChildren):
1595         (JSC::slowValidateCell):
1596         * runtime/JSGlobalObject.h:
1597         (JSC::JSGlobalObject::createStructure):
1598         * runtime/JSNameScope.cpp:
1599         (JSC::JSNameScope::visitChildren):
1600         * runtime/JSNameScope.h:
1601         (JSC::JSNameScope::createStructure):
1602         * runtime/JSNotAnObject.h:
1603         (JSC::JSNotAnObject::createStructure):
1604         * runtime/JSONObject.cpp:
1605         (JSC::JSONObject::finishCreation):
1606         (JSC::unwrapBoxedPrimitive):
1607         (JSC::Stringifier::Stringifier):
1608         (JSC::Stringifier::appendStringifiedValue):
1609         (JSC::Stringifier::Holder::Holder):
1610         (JSC::Walker::walk):
1611         (JSC::JSONProtoFuncStringify):
1612         * runtime/JSONObject.h:
1613         (JSC::JSONObject::createStructure):
1614         * runtime/JSObject.cpp:
1615         (JSC::getCallableObjectSlow):
1616         (JSC::JSObject::visitChildren):
1617         (JSC::JSObject::copyBackingStore):
1618         (JSC::JSFinalObject::visitChildren):
1619         (JSC::JSObject::ensureInt32Slow):
1620         (JSC::JSObject::ensureDoubleSlow):
1621         (JSC::JSObject::ensureContiguousSlow):
1622         (JSC::JSObject::ensureArrayStorageSlow):
1623         * runtime/JSObject.h:
1624         (JSC::JSObject::finishCreation):
1625         (JSC::JSObject::createStructure):
1626         (JSC::JSNonFinalObject::createStructure):
1627         (JSC::JSFinalObject::createStructure):
1628         (JSC::isJSFinalObject):
1629         * runtime/JSPropertyNameIterator.cpp:
1630         (JSC::JSPropertyNameIterator::visitChildren):
1631         * runtime/JSPropertyNameIterator.h:
1632         (JSC::JSPropertyNameIterator::createStructure):
1633         * runtime/JSProxy.cpp:
1634         (JSC::JSProxy::visitChildren):
1635         * runtime/JSProxy.h:
1636         (JSC::JSProxy::createStructure):
1637         * runtime/JSScope.cpp:
1638         (JSC::JSScope::visitChildren):
1639         * runtime/JSSegmentedVariableObject.cpp:
1640         (JSC::JSSegmentedVariableObject::visitChildren):
1641         * runtime/JSString.h:
1642         (JSC::JSString::createStructure):
1643         (JSC::isJSString):
1644         * runtime/JSSymbolTableObject.cpp:
1645         (JSC::JSSymbolTableObject::visitChildren):
1646         * runtime/JSVariableObject.h:
1647         * runtime/JSWithScope.cpp:
1648         (JSC::JSWithScope::visitChildren):
1649         * runtime/JSWithScope.h:
1650         (JSC::JSWithScope::createStructure):
1651         * runtime/JSWrapperObject.cpp:
1652         (JSC::JSWrapperObject::visitChildren):
1653         * runtime/JSWrapperObject.h:
1654         (JSC::JSWrapperObject::createStructure):
1655         * runtime/MathObject.cpp:
1656         (JSC::MathObject::finishCreation):
1657         * runtime/MathObject.h:
1658         (JSC::MathObject::createStructure):
1659         * runtime/NameConstructor.h:
1660         (JSC::NameConstructor::createStructure):
1661         * runtime/NameInstance.h:
1662         (JSC::NameInstance::createStructure):
1663         (JSC::NameInstance::finishCreation):
1664         * runtime/NamePrototype.cpp:
1665         (JSC::NamePrototype::finishCreation):
1666         (JSC::privateNameProtoFuncToString):
1667         * runtime/NamePrototype.h:
1668         (JSC::NamePrototype::createStructure):
1669         * runtime/NativeErrorConstructor.cpp:
1670         (JSC::NativeErrorConstructor::visitChildren):
1671         * runtime/NativeErrorConstructor.h:
1672         (JSC::NativeErrorConstructor::createStructure):
1673         (JSC::NativeErrorConstructor::finishCreation):
1674         * runtime/NumberConstructor.cpp:
1675         (JSC::NumberConstructor::finishCreation):
1676         * runtime/NumberConstructor.h:
1677         (JSC::NumberConstructor::createStructure):
1678         * runtime/NumberObject.cpp:
1679         (JSC::NumberObject::finishCreation):
1680         * runtime/NumberObject.h:
1681         (JSC::NumberObject::createStructure):
1682         * runtime/NumberPrototype.cpp:
1683         (JSC::NumberPrototype::finishCreation):
1684         * runtime/NumberPrototype.h:
1685         (JSC::NumberPrototype::createStructure):
1686         * runtime/ObjectConstructor.h:
1687         (JSC::ObjectConstructor::createStructure):
1688         * runtime/ObjectPrototype.cpp:
1689         (JSC::ObjectPrototype::finishCreation):
1690         * runtime/ObjectPrototype.h:
1691         (JSC::ObjectPrototype::createStructure):
1692         * runtime/PropertyMapHashTable.h:
1693         (JSC::PropertyTable::createStructure):
1694         * runtime/PropertyTable.cpp:
1695         (JSC::PropertyTable::visitChildren):
1696         * runtime/RegExp.h:
1697         (JSC::RegExp::createStructure):
1698         * runtime/RegExpConstructor.cpp:
1699         (JSC::RegExpConstructor::finishCreation):
1700         (JSC::RegExpConstructor::visitChildren):
1701         (JSC::constructRegExp):
1702         * runtime/RegExpConstructor.h:
1703         (JSC::RegExpConstructor::createStructure):
1704         (JSC::asRegExpConstructor):
1705         * runtime/RegExpMatchesArray.cpp:
1706         (JSC::RegExpMatchesArray::visitChildren):
1707         * runtime/RegExpMatchesArray.h:
1708         (JSC::RegExpMatchesArray::createStructure):
1709         * runtime/RegExpObject.cpp:
1710         (JSC::RegExpObject::finishCreation):
1711         (JSC::RegExpObject::visitChildren):
1712         * runtime/RegExpObject.h:
1713         (JSC::RegExpObject::createStructure):
1714         (JSC::asRegExpObject):
1715         * runtime/RegExpPrototype.cpp:
1716         (JSC::regExpProtoFuncTest):
1717         (JSC::regExpProtoFuncExec):
1718         (JSC::regExpProtoFuncCompile):
1719         (JSC::regExpProtoFuncToString):
1720         * runtime/RegExpPrototype.h:
1721         (JSC::RegExpPrototype::createStructure):
1722         * runtime/SparseArrayValueMap.cpp:
1723         (JSC::SparseArrayValueMap::createStructure):
1724         * runtime/SparseArrayValueMap.h:
1725         * runtime/StrictEvalActivation.h:
1726         (JSC::StrictEvalActivation::createStructure):
1727         * runtime/StringConstructor.h:
1728         (JSC::StringConstructor::createStructure):
1729         * runtime/StringObject.cpp:
1730         (JSC::StringObject::finishCreation):
1731         * runtime/StringObject.h:
1732         (JSC::StringObject::createStructure):
1733         (JSC::asStringObject):
1734         * runtime/StringPrototype.cpp:
1735         (JSC::StringPrototype::finishCreation):
1736         (JSC::stringProtoFuncReplace):
1737         (JSC::stringProtoFuncToString):
1738         (JSC::stringProtoFuncMatch):
1739         (JSC::stringProtoFuncSearch):
1740         (JSC::stringProtoFuncSplit):
1741         * runtime/StringPrototype.h:
1742         (JSC::StringPrototype::createStructure):
1743         * runtime/Structure.cpp:
1744         (JSC::Structure::Structure):
1745         (JSC::Structure::materializePropertyMap):
1746         (JSC::Structure::get):
1747         (JSC::Structure::visitChildren):
1748         * runtime/Structure.h:
1749         (JSC::Structure::typeInfo):
1750         (JSC::Structure::previousID):
1751         (JSC::Structure::outOfLineSize):
1752         (JSC::Structure::totalStorageCapacity):
1753         (JSC::Structure::materializePropertyMapIfNecessary):
1754         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1755         * runtime/StructureChain.cpp:
1756         (JSC::StructureChain::visitChildren):
1757         * runtime/StructureChain.h:
1758         (JSC::StructureChain::createStructure):
1759         * runtime/StructureInlines.h:
1760         (JSC::Structure::get):
1761         * runtime/StructureRareData.cpp:
1762         (JSC::StructureRareData::createStructure):
1763         (JSC::StructureRareData::visitChildren):
1764         * runtime/StructureRareData.h:
1765         * runtime/SymbolTable.h:
1766         (JSC::SharedSymbolTable::createStructure):
1767         * runtime/VM.cpp:
1768         (JSC::VM::VM):
1769         (JSC::StackPreservingRecompiler::operator()):
1770         (JSC::VM::releaseExecutableMemory):
1771         * runtime/WriteBarrier.h:
1772         (JSC::validateCell):
1773         * testRegExp.cpp:
1774         (GlobalObject::createStructure):
1775
1776 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1777
1778         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1779         https://bugs.webkit.org/show_bug.cgi?id=119762
1780
1781         Reviewed by Geoffrey Garen.
1782
1783         * heap/Heap.cpp:
1784         (JSC::Heap::Heap):
1785         (JSC::Heap::markRoots):
1786         (JSC::Heap::collect):
1787         * jsc.cpp:
1788         (StopWatch::start):
1789         (StopWatch::stop):
1790         * testRegExp.cpp:
1791         (StopWatch::start):
1792         (StopWatch::stop):
1793

The reason for the swap described in the entry above, as an added example that is not WebKit code: elapsed-time measurements must come from a clock that never goes backwards. `std::chrono::steady_clock` is such a clock; a wall clock can be stepped (NTP correction, manual change) while a measurement is running and then yields a negative or wildly wrong duration. `StopWatch`, `SteppableWallClock` and the two helper functions are hypothetical stand-ins; the backwards step is simulated with an offset rather than by touching the system clock.

```cpp
#include <chrono>
#include <thread>

// Generic stopwatch parameterised on the clock it reads.
template <typename Clock>
class StopWatch {
public:
    void start() { m_start = Clock::now(); }
    // Elapsed seconds since start(); only guaranteed non-negative for a steady clock.
    double stop() const {
        return std::chrono::duration<double>(Clock::now() - m_start).count();
    }
private:
    typename Clock::time_point m_start{};
};

// Hypothetical wall clock whose reading can be stepped, standing in for a system
// clock that is adjusted while a measurement is in progress.
struct SteppableWallClock {
    using rep = std::chrono::system_clock::rep;
    using period = std::chrono::system_clock::period;
    using duration = std::chrono::system_clock::duration;
    using time_point = std::chrono::time_point<SteppableWallClock, duration>;
    static constexpr bool is_steady = false;
    static duration offset;  // simulated adjustment applied to the real wall clock
    static time_point now() {
        return time_point(std::chrono::system_clock::now().time_since_epoch() + offset);
    }
};
SteppableWallClock::duration SteppableWallClock::offset{0};

// Measures a sleep with the monotonic clock: never negative, and at least the
// requested duration because sleep_for is itself defined against steady_clock.
static double monotonicElapsedMs(int sleepMs) {
    StopWatch<std::chrono::steady_clock> watch;
    watch.start();
    std::this_thread::sleep_for(std::chrono::milliseconds(sleepMs));
    return watch.stop() * 1000.0;
}

// Measures the same sleep with the wall clock, but steps the clock back by
// stepBackSeconds before reading it: the "elapsed" time comes out negative.
static double wallClockElapsedMsWithStep(int sleepMs, int stepBackSeconds) {
    SteppableWallClock::offset = std::chrono::seconds(0);
    StopWatch<SteppableWallClock> watch;
    watch.start();
    std::this_thread::sleep_for(std::chrono::milliseconds(sleepMs));
    SteppableWallClock::offset = -std::chrono::seconds(stepBackSeconds);
    double elapsedMs = watch.stop() * 1000.0;
    SteppableWallClock::offset = std::chrono::seconds(0);
    return elapsedMs;
}

int main() {
    return (monotonicElapsedMs(20) >= 0.0 && wallClockElapsedMsWithStep(5, 5) < 0.0) ? 0 : 1;
}
```

Any code that uses a duration to drive a timeout, a GC pacing decision or a rate limit inherits the wall clock's jumps unless it reads a steady clock; the negative value from the second helper is exactly the case a monotonic source rules out.
<test>
assert(monotonicElapsedMs(20) >= 19.0);
assert(wallClockElapsedMsWithStep(5, 5) < 0.0);
</test>
1794 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1795
1796         [sh4] Prepare LLINT for DFG_JIT implementation.
1797         https://bugs.webkit.org/show_bug.cgi?id=119755
1798
1799         Reviewed by Oliver Hunt.
1800
1801         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1802         * offlineasm/sh4.rb:
1803             - Handle storeb opcode.
1804             - Make relative jumps when possible using braf opcode.
1805             - Update bmulio implementation to be consistent with baseline JIT.
1806             - Remove useless code from leap opcode.
1807             - Fix incorrect comment.
1808
1809 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1810
1811         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1812         https://bugs.webkit.org/show_bug.cgi?id=119758
1813
1814         Reviewed by Oliver Hunt.
1815
1816         * assembler/MacroAssemblerSH4.h:
1817             - Introduce a loadEffectiveAddress function to avoid code duplication.
1818             - Add ASSERTs and clean code.
1819         * assembler/SH4Assembler.h:
1820             - Prepare DFG_JIT implementation.
1821             - Add ASSERTs.
1822         * jit/JITStubs.cpp:
1823             - Add SH4 specific call for assertions.
1824         * jit/JITStubs.h:
1825             - Cosmetic change.
1826         * jit/JITStubsSH4.h:
1827             - Use constants to be more flexible with sh4 JIT stack frame.
1828         * jit/JSInterfaceJIT.h:
1829             - Cosmetic change.
1830
1831 2013-08-13  Oliver Hunt  <oliver@apple.com>
1832
1833         Harden executeConstruct against incorrect return types from host functions
1834         https://bugs.webkit.org/show_bug.cgi?id=119757
1835
1836         Reviewed by Mark Hahnenberg.
1837
1838         Add logic to guard against bogus return types.  There doesn't seem to be any
1839         class in webkit that does this wrong, but the typed array stubs in debug JSC
1840         do exhibit this bad behaviour.
1841
1842         * interpreter/Interpreter.cpp:
1843         (JSC::Interpreter::executeConstruct):
1844
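The hardening described in the entry above, as an added illustration in plain C++ rather than JavaScriptCore's own code: a host constructor callback sits on a trust boundary, so the engine must check the type of what it returns before treating it as an object, otherwise a callback that returns a number (as the debug typed-array stubs are said to do) would be interpreted as an object pointer. `Value`, `Object`, `HostConstructor`, `ConstructResult` and `executeConstruct` are hypothetical stand-ins for the engine's types, and `bogusConstruct` is a constructed misbehaving callback.

```cpp
#include <string>
#include <variant>

// Hypothetical engine object and tagged value: undefined | number | object.
struct Object { std::string className; };
using Value = std::variant<std::monostate, double, Object*>;

static bool isObject(const Value& v) { return std::holds_alternative<Object*>(v); }

// Hypothetical host constructor signature: the host receives the argument count
// and is expected, but not forced, to return an object.
using HostConstructor = Value (*)(int argumentCount);

struct ConstructResult {
    Object* object = nullptr;  // set on success
    std::string error;         // set when the host violated the contract
    bool ok() const { return object != nullptr; }
};

// Validates the host's return value at the boundary. A non-object result is
// reported as an error instead of being handed on as if it were an object.
static ConstructResult executeConstruct(HostConstructor ctor, int argc) {
    ConstructResult result;
    Value returned = ctor(argc);
    if (!isObject(returned)) {
        result.error = "host constructor returned a non-object value";
        return result;
    }
    result.object = std::get<Object*>(returned);
    return result;
}

// Well-behaved host constructor: returns an object (a static instance here).
static Object gWidgetInstance{"Widget"};
static Value wellBehavedConstruct(int) { return &gWidgetInstance; }

// Misbehaving host constructor: returns a number, which must be caught above.
static Value bogusConstruct(int argc) { return static_cast<double>(argc); }

int main() {
    ConstructResult good = executeConstruct(wellBehavedConstruct, 0);
    ConstructResult bad = executeConstruct(bogusConstruct, 3);
    return (good.ok() && !bad.ok()) ? 0 : 1;
}
```

The check costs one tag comparison per construct call and turns a silent type confusion into a reported failure; the real engine's types differ, but the placement of the check (immediately after the host returns, before any cast) is the point.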
1845 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1846
1847         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1848         https://bugs.webkit.org/show_bug.cgi?id=119736
1849
1850         Reviewed by Anders Carlsson.
1851
1852         Don't force C++11 mode off anymore.
1853
1854         * Target.pri:
1855
1856 2013-08-12  Oliver Hunt  <oliver@apple.com>
1857
1858         Remove CodeBlock's notion of adding identifiers entirely
1859         https://bugs.webkit.org/show_bug.cgi?id=119708
1860
1861         Reviewed by Geoffrey Garen.
1862
1863         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1864         Move the addition of identifiers to DFGPlan::reallyAdd.
1865
1866         * bytecode/CodeBlock.h:
1867         * dfg/DFGDesiredIdentifiers.cpp:
1868         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1869         * dfg/DFGDesiredIdentifiers.h:
1870         * dfg/DFGPlan.cpp:
1871         (JSC::DFG::Plan::reallyAdd):
1872         (JSC::DFG::Plan::finalize):
1873         * dfg/DFGPlan.h:
1874
1875 2013-08-12  Oliver Hunt  <oliver@apple.com>
1876
1877         Build fix
1878
1879         * runtime/JSCell.h:
1880
1881 2013-08-12  Oliver Hunt  <oliver@apple.com>
1882
1883         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1884         https://bugs.webkit.org/show_bug.cgi?id=119705
1885
1886         Reviewed by Geoffrey Garen.
1887
1888         Relatively trivial refactoring.
1889
1890         * bytecode/CodeBlock.h:
1891         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1892         (JSC::CodeBlock::addAdditionalIdentifier):
1893         (JSC::CodeBlock::identifier):
1894         (JSC::CodeBlock::numberOfIdentifiers):
1895         * dfg/DFGCommonData.h:
1896
1897 2013-08-12  Oliver Hunt  <oliver@apple.com>
1898
1899         Stop making unnecessary copy of CodeBlock Identifier Vector
1900         https://bugs.webkit.org/show_bug.cgi?id=119702
1901
1902         Reviewed by Michael Saboff.
1903
1904         Make CodeBlock simply use a separate Vector for additional Identifiers
1905         and use the UnlinkedCodeBlock for the initial set of identifiers.
1906
1907         * bytecode/CodeBlock.cpp:
1908         (JSC::CodeBlock::printGetByIdOp):
1909         (JSC::dumpStructure):
1910         (JSC::dumpChain):
1911         (JSC::CodeBlock::printGetByIdCacheStatus):
1912         (JSC::CodeBlock::printPutByIdOp):
1913         (JSC::CodeBlock::dumpBytecode):
1914         (JSC::CodeBlock::CodeBlock):
1915         (JSC::CodeBlock::shrinkToFit):
1916         * bytecode/CodeBlock.h:
1917         (JSC::CodeBlock::numberOfIdentifiers):
1918         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1919         (JSC::CodeBlock::addAdditionalIdentifier):
1920         (JSC::CodeBlock::identifier):
1921         * dfg/DFGDesiredIdentifiers.cpp:
1922         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1923         * jit/JIT.h:
1924         * jit/JITOpcodes.cpp:
1925         (JSC::JIT::emitSlow_op_get_arguments_length):
1926         * jit/JITPropertyAccess.cpp:
1927         (JSC::JIT::emit_op_get_by_id):
1928         (JSC::JIT::compileGetByIdHotPath):
1929         (JSC::JIT::emitSlow_op_get_by_id):
1930         (JSC::JIT::compileGetByIdSlowCase):
1931         (JSC::JIT::emitSlow_op_put_by_id):
1932         * jit/JITPropertyAccess32_64.cpp:
1933         (JSC::JIT::emit_op_get_by_id):
1934         (JSC::JIT::compileGetByIdHotPath):
1935         (JSC::JIT::compileGetByIdSlowCase):
1936         * jit/JITStubs.cpp:
1937         (JSC::DEFINE_STUB_FUNCTION):
1938         * llint/LLIntSlowPaths.cpp:
1939         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1940
1941 2013-08-08  Mark Lam  <mark.lam@apple.com>
1942
1943         Restoring use of StackIterator instead of Interpreter::getStacktrace().
1944         https://bugs.webkit.org/show_bug.cgi?id=119575.
1945
1946         Reviewed by Oliver Hunt.
1947
1948         * interpreter/Interpreter.h:
1949         - Made getStackTrace() private.
1950         * interpreter/StackIterator.cpp:
1951         (JSC::StackIterator::StackIterator):
1952         (JSC::StackIterator::numberOfFrames):
1953         - Computes the number of frames by iterating through the whole stack
1954           from the starting frame. The iterator will save its current frame
1955           position before counting the frames, and then restore it after
1956           the counting.
1957         (JSC::StackIterator::gotoFrameAtIndex):
1958         (JSC::StackIterator::gotoNextFrame):
1959         (JSC::StackIterator::resetIterator):
1960         - Points the iterator to the starting frame.
1961         * interpreter/StackIteratorPrivate.h:
1962
1963 2013-08-08  Mark Lam  <mark.lam@apple.com>
1964
1965         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1966         the Interpreter class.
1967         https://bugs.webkit.org/show_bug.cgi?id=119576.
1968
1969         Reviewed by Oliver Hunt.
1970
1971         This change is needed to prepare for making Interpreter::getStackTrace()
1972         private. It does not change the behavior of the code, only the lexical
1973         scoping.
1974
1975         * interpreter/Interpreter.h:
1976         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1977         * runtime/ErrorConstructor.cpp:
1978         (JSC::Interpreter::constructWithErrorConstructor):
1979         (JSC::ErrorConstructor::getConstructData):
1980         (JSC::Interpreter::callErrorConstructor):
1981         (JSC::ErrorConstructor::getCallData):
1982         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1983           directly. So, we moved the helper functions into the Interpreter
1984           class.
1985         * runtime/NativeErrorConstructor.cpp:
1986         (JSC::Interpreter::constructWithNativeErrorConstructor):
1987         (JSC::NativeErrorConstructor::getConstructData):
1988         (JSC::Interpreter::callNativeErrorConstructor):
1989         (JSC::NativeErrorConstructor::getCallData):
1990         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1991           directly. So, we moved the helper functions into the Interpreter
1992           class.
1993
1994 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1995
1996         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1997         https://bugs.webkit.org/show_bug.cgi?id=119555
1998
1999         Reviewed by Geoffrey Garen.
2000
2001         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2002         This was causing crashes on maps.google.com in 32-bit debug builds.
2003
2004         * dfg/DFGSpeculativeJIT32_64.cpp:
2005         (JSC::DFG::SpeculativeJIT::compile):
2006
2007 2013-08-06  Michael Saboff  <msaboff@apple.com>
2008
2009         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2010         https://bugs.webkit.org/show_bug.cgi?id=119405
2011
2012         Reviewed by Geoffrey Garen.
2013
2014         * dfg/DFGSpeculativeJIT.cpp:
2015         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2016         ourselves to save a register and then load from it.
2017
2018 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2019
2020         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2021         https://bugs.webkit.org/show_bug.cgi?id=119528
2022
2023         Reviewed by Geoffrey Garen.
2024
2025         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2026         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2027         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2028         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2029         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2030
2031         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2032
2033         * bytecode/CodeBlock.cpp:
2034         (JSC::CodeBlock::finalizeUnconditionally):
2035         * dfg/DFGDriver.cpp:
2036         (JSC::DFG::compile):
2037         * dfg/DFGFixupPhase.cpp:
2038         (JSC::DFG::FixupPhase::fixupNode):
2039         * dfg/DFGGraph.cpp:
2040         (JSC::DFG::Graph::dump):
2041         * dfg/DFGSpeculativeJIT64.cpp:
2042         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2043         * runtime/JSObject.h:
2044         (JSC::JSObject::getIndexQuickly):
2045         (JSC::JSObject::tryGetIndexQuickly):
2046
2047 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2048
2049         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2050
2051         Unreviewed.
2052
2053         Ensure llint symbols are in source order.
2054
2055         * JavaScriptCore.order:
2056
2057 2013-08-06  Mark Lam  <mark.lam@apple.com>
2058
2059         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2060         https://bugs.webkit.org/show_bug.cgi?id=119532.
2061
2062         Reviewed by Oliver Hunt.
2063
2064         * parser/Parser.cpp:
2065         (JSC::::Parser):
2066         - Just need to initialize the Parser's JSTokenLocation's initial line and
2067           startOffset as well during Parser construction.
2068
2069 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2070
2071         Update Order Files for Safari
2072         <rdar://problem/14517392>
2073
2074         Unreviewed.
2075
2076         * JavaScriptCore.order:
2077
2078 2013-08-04  Sam Weinig  <sam@webkit.org>
2079
2080         Remove support for HTML5 MicroData
2081         https://bugs.webkit.org/show_bug.cgi?id=119480
2082
2083         Reviewed by Anders Carlsson.
2084
2085         * Configurations/FeatureDefines.xcconfig:
2086
2087 2013-08-05  Oliver Hunt  <oliver@apple.com>
2088
2089         Delay Arguments creation in strict mode
2090         https://bugs.webkit.org/show_bug.cgi?id=119505
2091
2092         Reviewed by Geoffrey Garen.
2093
2094         Make use of the write tracking performed by the parser to
2095         allow us to know if we're modifying the parameters to a function.
2096         Then use that information to make strict mode functions opt out
2097         of eager arguments creation.
2098
2099         * bytecompiler/BytecodeGenerator.cpp:
2100         (JSC::BytecodeGenerator::BytecodeGenerator):
2101         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2102         (JSC::BytecodeGenerator::emitReturn):
2103         * bytecompiler/BytecodeGenerator.h:
2104         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2105         * parser/Nodes.h:
2106         (JSC::ScopeNode::modifiesParameter):
2107         * parser/Parser.cpp:
2108         (JSC::::parseInner):
2109         * parser/Parser.h:
2110         (JSC::Scope::declareParameter):
2111         (JSC::Scope::getCapturedVariables):
2112         (JSC::Parser::declareWrite):
2113         * parser/ParserModes.h:
2114
2115 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2116
2117         Remove useless code from COMPILER(RVCT) JITStubs
2118         https://bugs.webkit.org/show_bug.cgi?id=119521
2119
2120         Reviewed by Geoffrey Garen.
2121
2122         * jit/JITStubsARMv7.h:
2123         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2124         (JSC::ctiOpThrowNotCaught): Ditto.
2125
2126 2013-07-23  David Farler  <dfarler@apple.com>
2127
2128         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2129         https://bugs.webkit.org/show_bug.cgi?id=117762
2130
2131         Reviewed by Mark Rowe.
2132
2133         * Configurations/DebugRelease.xcconfig:
2134         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2135         * Configurations/JavaScriptCore.xcconfig:
2136         Add ASAN_OTHER_LDFLAGS.
2137         * Configurations/ToolExecutable.xcconfig:
2138         Don't use ASAN for build tools.
2139
2140 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2141
2142         Build fix for ARM MSVC after r153222 and r153648.
2143
2144         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2145
2146 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2147
2148         Build fix for ARM MSVC after r150109.
2149
2150         Read the stub template from a header file instead of JITStubs.cpp.
2151
2152         * CMakeLists.txt:
2153         * DerivedSources.pri:
2154         * create_jit_stubs:
2155
2156 2013-08-05  Oliver Hunt  <oliver@apple.com>
2157
2158         Move TypedArray implementation into JSC
2159         https://bugs.webkit.org/show_bug.cgi?id=119489
2160
2161         Reviewed by Filip Pizlo.
2162
2163         Move TypedArray implementation into JSC in advance of re-implementation
2164
2165         * GNUmakefile.list.am:
2166         * JSCTypedArrayStubs.h:
2167         * JavaScriptCore.xcodeproj/project.pbxproj:
2168         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2169         (JSC::ArrayBuffer::transfer):
2170         (JSC::ArrayBuffer::addView):
2171         (JSC::ArrayBuffer::removeView):
2172         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2173         (JSC::ArrayBufferContents::ArrayBufferContents):
2174         (JSC::ArrayBufferContents::data):
2175         (JSC::ArrayBufferContents::sizeInBytes):
2176         (JSC::ArrayBufferContents::transfer):
2177         (JSC::ArrayBufferContents::copyTo):
2178         (JSC::ArrayBuffer::isNeutered):
2179         (JSC::ArrayBuffer::~ArrayBuffer):
2180         (JSC::ArrayBuffer::clampValue):
2181         (JSC::ArrayBuffer::create):
2182         (JSC::ArrayBuffer::createUninitialized):
2183         (JSC::ArrayBuffer::ArrayBuffer):
2184         (JSC::ArrayBuffer::data):
2185         (JSC::ArrayBuffer::byteLength):
2186         (JSC::ArrayBuffer::slice):
2187         (JSC::ArrayBuffer::sliceImpl):
2188         (JSC::ArrayBuffer::clampIndex):
2189         (JSC::ArrayBufferContents::tryAllocate):
2190         (JSC::ArrayBufferContents::~ArrayBufferContents):
2191         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2192         (JSC::ArrayBufferView::ArrayBufferView):
2193         (JSC::ArrayBufferView::~ArrayBufferView):
2194         (JSC::ArrayBufferView::neuter):
2195         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2196         (JSC::ArrayBufferView::buffer):
2197         (JSC::ArrayBufferView::baseAddress):
2198         (JSC::ArrayBufferView::byteOffset):
2199         (JSC::ArrayBufferView::setNeuterable):
2200         (JSC::ArrayBufferView::isNeuterable):
2201         (JSC::ArrayBufferView::verifySubRange):
2202         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2203         (JSC::ArrayBufferView::setImpl):
2204         (JSC::ArrayBufferView::setRangeImpl):
2205         (JSC::ArrayBufferView::zeroRangeImpl):
2206         (JSC::ArrayBufferView::calculateOffsetAndLength):
2207         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2208         (JSC::Float32Array::set):
2209         (JSC::Float32Array::getType):
2210         (JSC::Float32Array::create):
2211         (JSC::Float32Array::createUninitialized):
2212         (JSC::Float32Array::Float32Array):
2213         (JSC::Float32Array::subarray):
2214         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2215         (JSC::Float64Array::set):
2216         (JSC::Float64Array::getType):
2217         (JSC::Float64Array::create):
2218         (JSC::Float64Array::createUninitialized):
2219         (JSC::Float64Array::Float64Array):
2220         (JSC::Float64Array::subarray):
2221         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2222         (JSC::Int16Array::getType):
2223         (JSC::Int16Array::create):
2224         (JSC::Int16Array::createUninitialized):
2225         (JSC::Int16Array::Int16Array):
2226         (JSC::Int16Array::subarray):
2227         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2228         (JSC::Int32Array::getType):
2229         (JSC::Int32Array::create):
2230         (JSC::Int32Array::createUninitialized):
2231         (JSC::Int32Array::Int32Array):
2232         (JSC::Int32Array::subarray):
2233         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2234         (JSC::Int8Array::getType):
2235         (JSC::Int8Array::create):
2236         (JSC::Int8Array::createUninitialized):
2237         (JSC::Int8Array::Int8Array):
2238         (JSC::Int8Array::subarray):
2239         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2240         (JSC::IntegralTypedArrayBase::set):
2241         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2242         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2243         (JSC::TypedArrayBase::data):
2244         (JSC::TypedArrayBase::set):
2245         (JSC::TypedArrayBase::setRange):
2246         (JSC::TypedArrayBase::zeroRange):
2247         (JSC::TypedArrayBase::length):
2248         (JSC::TypedArrayBase::byteLength):
2249         (JSC::TypedArrayBase::item):
2250         (JSC::TypedArrayBase::checkInboundData):
2251         (JSC::TypedArrayBase::TypedArrayBase):
2252         (JSC::TypedArrayBase::create):
2253         (JSC::TypedArrayBase::createUninitialized):
2254         (JSC::TypedArrayBase::subarrayImpl):
2255         (JSC::TypedArrayBase::neuter):
2256         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2257         (JSC::Uint16Array::getType):
2258         (JSC::Uint16Array::create):
2259         (JSC::Uint16Array::createUninitialized):
2260         (JSC::Uint16Array::Uint16Array):
2261         (JSC::Uint16Array::subarray):
2262         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2263         (JSC::Uint32Array::getType):
2264         (JSC::Uint32Array::create):
2265         (JSC::Uint32Array::createUninitialized):
2266         (JSC::Uint32Array::Uint32Array):
2267         (JSC::Uint32Array::subarray):
2268         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2269         (JSC::Uint8Array::getType):
2270         (JSC::Uint8Array::create):
2271         (JSC::Uint8Array::createUninitialized):
2272         (JSC::Uint8Array::Uint8Array):
2273         (JSC::Uint8Array::subarray):
2274         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2275         (JSC::Uint8ClampedArray::getType):
2276         (JSC::Uint8ClampedArray::create):
2277         (JSC::Uint8ClampedArray::createUninitialized):
2278         (JSC::Uint8ClampedArray::zeroFill):
2279         (JSC::Uint8ClampedArray::set):
2280         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2281         (JSC::Uint8ClampedArray::subarray):
2282         * runtime/VM.h:
2283
2284 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2285
2286         Copied space should be able to handle more than one copied backing store per JSCell
2287         https://bugs.webkit.org/show_bug.cgi?id=119471
2288
2289         Reviewed by Mark Hahnenberg.
2290         
2291         This allows a cell to call copyLater() multiple times for multiple different
2292         backing stores, and then have copyBackingStore() called exactly once for each
2293         of those. A token tells it which backing store to copy. All backing stores
2294         must be named using the CopyToken, an enumeration which currently cannot
2295         exceed eight entries.
2296         
2297         When copyBackingStore() is called, it's up to the callee to (a) use the token
2298         to decide what to copy and (b) call its base class's copyBackingStore() in
2299         case the base class had something that needed copying. The only exception is
2300         that JSCell never asks anything to be copied, and so if your base is JSCell
2301         then you don't have to do anything.
2302
2303         * GNUmakefile.list.am:
2304         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2305         * JavaScriptCore.xcodeproj/project.pbxproj:
2306         * heap/CopiedBlock.h:
2307         * heap/CopiedBlockInlines.h:
2308         (JSC::CopiedBlock::reportLiveBytes):
2309         * heap/CopyToken.h: Added.
2310         * heap/CopyVisitor.cpp:
2311         (JSC::CopyVisitor::copyFromShared):
2312         * heap/CopyVisitor.h:
2313         * heap/CopyVisitorInlines.h:
2314         (JSC::CopyVisitor::visitItem):
2315         * heap/CopyWorkList.h:
2316         (JSC::CopyWorklistItem::CopyWorklistItem):
2317         (JSC::CopyWorklistItem::cell):
2318         (JSC::CopyWorklistItem::token):
2319         (JSC::CopyWorkListSegment::get):
2320         (JSC::CopyWorkListSegment::append):
2321         (JSC::CopyWorkListSegment::data):
2322         (JSC::CopyWorkListIterator::get):
2323         (JSC::CopyWorkListIterator::operator*):
2324         (JSC::CopyWorkListIterator::operator->):
2325         (JSC::CopyWorkList::append):
2326         * heap/SlotVisitor.h:
2327         * heap/SlotVisitorInlines.h:
2328         (JSC::SlotVisitor::copyLater):
2329         * runtime/ClassInfo.h:
2330         * runtime/JSCell.cpp:
2331         (JSC::JSCell::copyBackingStore):
2332         * runtime/JSCell.h:
2333         * runtime/JSObject.cpp:
2334         (JSC::JSObject::visitButterfly):
2335         (JSC::JSObject::copyBackingStore):
2336         * runtime/JSObject.h:
2337
2338 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2339
2340         [Automake] Define ENABLE_JIT through the Autoconf header
2341         https://bugs.webkit.org/show_bug.cgi?id=119445
2342
2343         Reviewed by Martin Robinson.
2344
2345         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2346
2347 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2348
2349         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2350         https://bugs.webkit.org/show_bug.cgi?id=119470
2351
2352         Reviewed by Oliver Hunt.
2353         
2354         Structure can still tell you if the object "could" (in the conservative sense)
2355         have an indexing header; that's used by the compiler.
2356         
2357         Most of the time if you want to know if there's an indexing header, you ask the
2358         JSObject.
2359         
2360         In some cases, the JSObject wants to know if it would have an indexing header if
2361         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
2362
2363         * dfg/DFGRepatch.cpp:
2364         (JSC::DFG::tryCachePutByID):
2365         (JSC::DFG::tryBuildPutByIdList):
2366         * dfg/DFGSpeculativeJIT.cpp:
2367         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2368         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2369         * runtime/ButterflyInlines.h:
2370         (JSC::Butterfly::create):
2371         (JSC::Butterfly::growPropertyStorage):
2372         (JSC::Butterfly::growArrayRight):
2373         (JSC::Butterfly::resizeArray):
2374         * runtime/JSObject.cpp:
2375         (JSC::JSObject::copyButterfly):
2376         (JSC::JSObject::visitButterfly):
2377         * runtime/JSObject.h:
2378         (JSC::JSObject::hasIndexingHeader):
2379         (JSC::JSObject::setButterfly):
2380         * runtime/Structure.h:
2381         (JSC::Structure::couldHaveIndexingHeader):
2382         (JSC::Structure::hasIndexingHeader):
2383
2384 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2385
2386         Give the error object's stack property accessor attributes.
2387         https://bugs.webkit.org/show_bug.cgi?id=119404
2388
2389         Reviewed by Geoffrey Garen.
2390         
2391         Changed the attributes of error object's stack property to allow developers to write
2392         and delete the stack property. This will match the functionality of Chrome. Firefox  
2393         allows developers to write the error's stack, but not delete it. 
2394
2395         * interpreter/Interpreter.cpp:
2396         (JSC::Interpreter::addStackTraceIfNecessary):
2397         * runtime/ErrorInstance.cpp:
2398         (JSC::ErrorInstance::finishCreation):
2399
2400 2013-08-02  Oliver Hunt  <oliver@apple.com>
2401
2402         Incorrect type speculation reported by ToPrimitive
2403         https://bugs.webkit.org/show_bug.cgi?id=119458
2404
2405         Reviewed by Mark Hahnenberg.
2406
2407         Make sure that we report the correct type possibilities for the output
2408         from ToPrimitive
2409
2410         * dfg/DFGAbstractInterpreterInlines.h:
2411         (JSC::DFG::::executeEffects):
2412
2413 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
2414
2415         Remove no-arguments constructor to PropertySlot
2416         https://bugs.webkit.org/show_bug.cgi?id=119460
2417
2418         Reviewed by Geoff Garen.
2419
2420         This constructor was unsafe if getValue is subsequently called,
2421         and the property is a getter. Simplest to just remove it.
2422
2423         * runtime/Arguments.cpp:
2424         (JSC::Arguments::defineOwnProperty):
2425         * runtime/JSActivation.cpp:
2426         (JSC::JSActivation::getOwnPropertyDescriptor):
2427         * runtime/JSFunction.cpp:
2428         (JSC::JSFunction::getOwnPropertyDescriptor):
2429         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2430         (JSC::JSFunction::put):
2431         (JSC::JSFunction::defineOwnProperty):
2432         * runtime/JSGlobalObject.cpp:
2433         (JSC::JSGlobalObject::defineOwnProperty):
2434         * runtime/JSGlobalObject.h:
2435         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
2436         * runtime/JSNameScope.cpp:
2437         (JSC::JSNameScope::put):
2438         * runtime/JSONObject.cpp:
2439         (JSC::Stringifier::Holder::appendNextProperty):
2440         (JSC::Walker::walk):
2441         * runtime/JSObject.cpp:
2442         (JSC::JSObject::hasProperty):
2443         (JSC::JSObject::hasOwnProperty):
2444         (JSC::JSObject::reifyStaticFunctionsForDelete):
2445         * runtime/Lookup.h:
2446         (JSC::getStaticPropertyDescriptor):
2447         (JSC::getStaticFunctionDescriptor):
2448         (JSC::getStaticValueDescriptor):
2449         * runtime/ObjectConstructor.cpp:
2450         (JSC::defineProperties):
2451         * runtime/PropertySlot.h:
2452
2453 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2454
2455         DFG validation can cause assertion failures due to dumping
2456         https://bugs.webkit.org/show_bug.cgi?id=119456
2457
2458         Reviewed by Geoffrey Garen.
2459
2460         * bytecode/CodeBlock.cpp:
2461         (JSC::CodeBlock::hasHash):
2462         (JSC::CodeBlock::isSafeToComputeHash):
2463         (JSC::CodeBlock::hash):
2464         (JSC::CodeBlock::dumpAssumingJITType):
2465         * bytecode/CodeBlock.h:
2466
2467 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2468
2469         Have vm's exceptionStack match java's vm's exceptionStack.
2470         https://bugs.webkit.org/show_bug.cgi?id=119362
2471
2472         Reviewed by Geoffrey Garen.
2473         
2474         The error object's stack is only updated if it does not exist yet. This matches 
2475         the functionality of other browsers, and Java VMs. 
2476
2477         * interpreter/Interpreter.cpp:
2478         (JSC::Interpreter::addStackTraceIfNecessary):
2479         (JSC::Interpreter::throwException):
2480         * runtime/VM.cpp:
2481         (JSC::VM::clearExceptionStack):
2482         * runtime/VM.h:
2483         (JSC::VM::lastExceptionStack):
2484
2485 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2486
2487         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
2488         https://bugs.webkit.org/show_bug.cgi?id=119447
2489
2490         Reviewed by Geoffrey Garen.
2491
2492         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2493         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2494         r153583 (sh4) and r153648 (ARM).
2495
2496         * jit/JITStubsMIPS.h:
2497
2498 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
2499
2500         hasIndexingHeader should be a property of the Structure, not just the IndexingType
2501         https://bugs.webkit.org/show_bug.cgi?id=119422
2502
2503         Reviewed by Oliver Hunt.
2504         
2505         This simplifies some code and also allows Structure to claim that an object
2506         has an indexing header even if it doesn't have indexed properties.
2507         
2508         I also changed some calls to use hasIndexedProperties() since in some cases,
2509         that's what we actually meant. Currently the two are synonyms.
2510
2511         * dfg/DFGRepatch.cpp:
2512         (JSC::DFG::tryCachePutByID):
2513         (JSC::DFG::tryBuildPutByIdList):
2514         * dfg/DFGSpeculativeJIT.cpp:
2515         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2516         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2517         * runtime/ButterflyInlines.h:
2518         (JSC::Butterfly::create):
2519         (JSC::Butterfly::growPropertyStorage):
2520         (JSC::Butterfly::growArrayRight):
2521         (JSC::Butterfly::resizeArray):
2522         * runtime/IndexingType.h:
2523         * runtime/JSObject.cpp:
2524         (JSC::JSObject::copyButterfly):
2525         (JSC::JSObject::visitButterfly):
2526         (JSC::JSObject::setPrototype):
2527         * runtime/JSObject.h:
2528         (JSC::JSObject::setButterfly):
2529         * runtime/JSPropertyNameIterator.cpp:
2530         (JSC::JSPropertyNameIterator::create):
2531         * runtime/Structure.h:
2532         (JSC::Structure::hasIndexingHeader):
2533
2534 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2535
2536         REGRESSION: ARM still crashes after change set r153612.
2537         https://bugs.webkit.org/show_bug.cgi?id=119433
2538
2539         Reviewed by Michael Saboff.
2540
2541         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
2542         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
2543         for sh4 architecture.
2544
2545         * jit/JITStubsARM.h:
2546         * jit/JITStubsARMv7.h:
2547
2548 2013-08-02  Michael Saboff  <msaboff@apple.com>
2549
2550         REGRESSION(r153612): It made jsc and layout tests crash
2551         https://bugs.webkit.org/show_bug.cgi?id=119440
2552
2553         Reviewed by Csaba Osztrogonác.
2554
2555         Made the changes of changeset r153612 only apply to 32-bit builds.
2556
2557         * jit/JITExceptions.cpp:
2558         * jit/JITExceptions.h:
2559         * jit/JITStubs.cpp:
2560         (JSC::cti_vm_throw_slowpath):
2561         * jit/JITStubs.h:
2562
2563 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2564
2565         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2566
2567         * CMakeLists.txt:
2568
2569 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2570
2571         [Forms: color] <input type='color'> popover color well implementation
2572         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2573
2574         Reviewed by Benjamin Poulain.
2575
2576         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
2577
2578 2013-08-01  Oliver Hunt  <oliver@apple.com>
2579
2580         DFG is not enforcing correct ordering of ToString conversion in MakeRope
2581         https://bugs.webkit.org/show_bug.cgi?id=119408
2582
2583         Reviewed by Filip Pizlo.
2584
2585         Construct ToString and Phantom nodes in advance of MakeRope
2586         nodes to ensure that ordering is ensured, and correct values
2587         will be reified on OSR exit.
2588
2589         * dfg/DFGByteCodeParser.cpp:
2590         (JSC::DFG::ByteCodeParser::parseBlock):
2591
2592 2013-08-01  Michael Saboff  <msaboff@apple.com>
2593
2594         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
2595         https://bugs.webkit.org/show_bug.cgi?id=119140
2596
2597         Reviewed by Filip Pizlo.
2598
2599         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
2600
2601         * jit/JITExceptions.cpp:
2602         (JSC::encode):
2603         * jit/JITExceptions.h:
2604         * jit/JITStubs.cpp:
2605         (JSC::cti_vm_throw_slowpath):
2606         * jit/JITStubs.h:
2607
2608 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
2609
2610         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
2611         https://bugs.webkit.org/show_bug.cgi?id=119391
2612
2613         Reviewed by Csaba Osztrogonác.
2614
2615         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
2616             - Call frame is in r14 register.
2617             - Do not restore registers from JIT stack frame here.
2618
2619 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2620
2621         More cleanup in PropertySlot
2622         https://bugs.webkit.org/show_bug.cgi?id=119359
2623
2624         Reviewed by Geoff Garen.
2625
2626         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
2627         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
2628
2629         * dfg/DFGRepatch.cpp:
2630         (JSC::DFG::tryCacheGetByID):
2631         (JSC::DFG::tryBuildGetByIDList):
2632             - No need to ASSERT slotBase is an object.
2633         * jit/JITStubs.cpp:
2634         (JSC::tryCacheGetByID):
2635         (JSC::DEFINE_STUB_FUNCTION):
2636             - No need to ASSERT slotBase is an object.
2637         * runtime/JSObject.cpp:
2638         (JSC::JSObject::getOwnPropertySlotByIndex):
2639         (JSC::JSObject::fillGetterPropertySlot):
2640             - Pass an object through to setGetterSlot.
2641         * runtime/JSObject.h:
2642         (JSC::PropertySlot::getValue):
2643             - Moved from PropertySlot (need to know about JSObject).
2644         * runtime/PropertySlot.cpp:
2645         (JSC::PropertySlot::functionGetter):
2646             - Update per member name changes.
2647         * runtime/PropertySlot.h:
2648         (JSC::PropertySlot::PropertySlot):
2649             - Argument to constructor set to 'thisValue'.
2650         (JSC::PropertySlot::slotBase):
2651             - This returns a JSObject*.
2652         (JSC::PropertySlot::setValue):
2653         (JSC::PropertySlot::setCustom):
2654         (JSC::PropertySlot::setCacheableCustom):
2655         (JSC::PropertySlot::setCustomIndex):
2656         (JSC::PropertySlot::setGetterSlot):
2657         (JSC::PropertySlot::setCacheableGetterSlot):
2658             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
2659         * runtime/SparseArrayValueMap.cpp:
2660         (JSC::SparseArrayEntry::get):
2661             - Pass an object through to setGetterSlot.
2662         * runtime/SparseArrayValueMap.h:
2663             - Pass an object through to setGetterSlot.
2664
2665 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
2666
2667         Reduce JSC API static value setter/getter overhead.
2668         https://bugs.webkit.org/show_bug.cgi?id=119277
2669
2670         Reviewed by Geoffrey Garen.
2671
2672         Add the property name to the static value entry, so that OpaqueJSString::create() doesn't
2673         need to be called every time we set or get the static value.
2674
2675         * API/JSCallbackObjectFunctions.h:
2676         (JSC::::put):
2677         (JSC::::putByIndex):
2678         (JSC::::getStaticValue):
2679         * API/JSClassRef.cpp:
2680         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2681         * API/JSClassRef.h:
2682         (StaticValueEntry::StaticValueEntry):
2683
2684 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
2685
2686         Use emptyString instead of String("")
2687         https://bugs.webkit.org/show_bug.cgi?id=119335
2688
2689         Reviewed by Darin Adler.
2690
2691         Use emptyString() instead of String("") because it is better style and
2692         faster. This is a followup to r116908, removing all occurrences of
2693         String("") from WebKit.
2694
2695         * runtime/RegExpConstructor.cpp:
2696         (JSC::constructRegExp):
2697         * runtime/RegExpPrototype.cpp:
2698         (JSC::regExpProtoFuncCompile):
2699         * runtime/StringPrototype.cpp:
2700         (JSC::stringProtoFuncMatch):
2701         (JSC::stringProtoFuncSearch):
2702
2703 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2704
2705         <input type=color> Mac UI behaviour
2706         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2707
2708         Reviewed by Brady Eidson.
2709
2710         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2711
2712 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2713
2714         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2715         https://bugs.webkit.org/show_bug.cgi?id=119349
2716
2717         Reviewed by Geoffrey Garen.
2718
2719         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2720         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2721         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2722         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2723         JIT then this resizing never happens and we crash at link time in the DFG.
2724
2725         We can fix this by also doing the resize in the DFG to catch this case.
2726
2727         * dfg/DFGJITCompiler.cpp:
2728         (JSC::DFG::JITCompiler::link):
2729
2730 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2731
2732         Speculative Windows build fix.
2733
2734         Reviewed by NOBODY
2735
2736         * runtime/JSString.cpp:
2737         (JSC::JSRopeString::getIndexSlowCase):
2738         * runtime/JSString.h:
2739
2740 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2741
2742         Some cleanup in JSValue::get
2743         https://bugs.webkit.org/show_bug.cgi?id=119343
2744
2745         Reviewed by Geoff Garen.
2746
2747         JSValue::get is implemented to:
2748             1) Check if the value is a cell – if not, synthesize a prototype to search,
2749             2) call getOwnPropertySlot on the cell,
2750             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2751         By all rights this should crash when passed a string and accessing a property that does not exist, because
2752         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2753         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2754         prototype chain, and faking out a return value of undefined if no property is found.
2755
2756         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2757         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2758
2759         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2760         slots anyway.
2761
2762         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
2763
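        The three-step lookup that the entry above describes for JSValue::get, modelled in JavaScript as an
        added example. This is not WebKit code and not part of the ChangeLog; the names lookup,
        synthesizePrototype and stringOwnProperty are my own. The model treats primitives the way the entry
        says the engine should: a non-object value gets a synthesized prototype, own properties are checked
        first, and a miss walks the prototype chain until it runs out, returning undefined. The string case
        the entry warns about is handled explicitly (length and character indices are own properties of the
        string, not of String.prototype), so the string never has to search the chain itself.

```javascript
// Added example (not WebKit code): a JavaScript model of the property lookup
// the ChangeLog entry describes for JSValue::get.
//   1) a non-cell (primitive) value gets a synthesized prototype to search;
//   2) a cell consults its own properties (getOwnPropertySlot);
//   3) on a miss, the walk continues up the prototype chain.
// A lookup that skipped step 2 for strings would hand back
// String.prototype.length (0) for "abc".length, which is why the string's own
// properties are modelled here instead of having the string walk the chain.

function synthesizePrototype(value) {
  switch (typeof value) {
    case "string": return String.prototype;
    case "number": return Number.prototype;
    case "boolean": return Boolean.prototype;
    case "symbol": return Symbol.prototype;
    case "bigint": return BigInt.prototype;
    default:
      // null and undefined have no prototype to search; real engines throw here too.
      throw new TypeError(`Cannot read properties of ${value}`);
  }
}

// Own-property check for a string primitive: "length" and in-range integer indices.
function stringOwnProperty(str, name) {
  if (name === "length") return { found: true, value: str.length };
  const index = Number(name);
  if (Number.isInteger(index) && String(index) === name && index >= 0 && index < str.length) {
    return { found: true, value: str[index] };
  }
  return { found: false };
}

// Look up `name` on `value`; returns undefined when nothing on the chain has it.
function lookup(value, name) {
  const receiver = value; // getters run with the original value as `this`
  let current;
  if (value !== null && (typeof value === "object" || typeof value === "function")) {
    current = value; // a cell: start with its own properties (step 2)
  } else {
    if (typeof value === "string") {
      const own = stringOwnProperty(value, name);
      if (own.found) return own.value;
    }
    current = synthesizePrototype(value); // step 1: primitive, search a synthesized prototype
  }
  while (current !== null) {
    const desc = Object.getOwnPropertyDescriptor(current, name); // steps 2 and 3
    if (desc) {
      if ("value" in desc) return desc.value;
      return desc.get ? desc.get.call(receiver) : undefined;
    }
    current = Object.getPrototypeOf(current); // miss: move up the chain
  }
  return undefined;
}
```

        The point of modelling the miss as a plain walk to null is that nothing has to fake a result: a
        string, a number and an object with a null prototype all fall out of the same loop, and only a
        null or undefined base is an error.
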
2764 2013-07-31  Michael Saboff  <msaboff@apple.com>
2765
2766         [Win] JavaScript crash.
2767         https://bugs.webkit.org/show_bug.cgi?id=119339
2768
2769         Reviewed by Mark Hahnenberg.
2770
2771         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2772         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2773
2774 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2775
2776         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2777         https://bugs.webkit.org/show_bug.cgi?id=119281
2778
2779         Reviewed by Geoffrey Garen.
2780
2781         This leads to out of bounds accesses and subsequent crashes.
2782
2783         * dfg/DFGSpeculativeJIT.cpp:
2784         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2785         * dfg/DFGSpeculativeJIT64.cpp:
2786         (JSC::DFG::SpeculativeJIT::compile):
2787
2788 2013-07-30  Oliver Hunt  <oliver@apple.com>
2789
2790         Add an assertion to SpeculateCellOperand
2791         https://bugs.webkit.org/show_bug.cgi?id=119276
2792
2793         Reviewed by Michael Saboff.
2794
2795         More assertions are better
2796
2797         * dfg/DFGSpeculativeJIT64.cpp:
2798         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2799         (JSC::DFG::SpeculativeJIT::compile):
2800
2801 2013-07-30  Mark Lam  <mark.lam@apple.com>
2802
2803         Fix problems with divot and lineStart mismatches.
2804         https://bugs.webkit.org/show_bug.cgi?id=118662.
2805
2806         Reviewed by Oliver Hunt.
2807
2808         r152494 added the recording of lineStart values for divot positions.
2809         This is needed for the computation of column numbers. Similarly, it also
2810         added the recording of line numbers for the divot positions. One problem
2811         with the approach taken was that the line and lineStart values were
2812         recorded independently, and hence were not always guaranteed to be
2813         sampled at the same place that the divot position is recorded. This
2814         resulted in potential mismatches that cause some assertions to fail.
2815
2816         The solution is to introduce a JSTextPosition abstraction that records
2817         the divot position, line, and lineStart as a single quantity. Wherever
2818         we record the divot position as an unsigned int previously, we now record
2819         its JSTextPosition which captures all 3 values in one go. This ensures
2820         that the captured line and lineStart will always match the captured divot
2821         position.
2822
2823         * bytecompiler/BytecodeGenerator.cpp:
2824         (JSC::BytecodeGenerator::emitCall):
2825         (JSC::BytecodeGenerator::emitCallEval):
2826         (JSC::BytecodeGenerator::emitCallVarargs):
2827         (JSC::BytecodeGenerator::emitConstruct):
2828         (JSC::BytecodeGenerator::emitDebugHook):
2829         - Use JSTextPosition instead of passing line and lineStart explicitly.
2830         * bytecompiler/BytecodeGenerator.h:
2831         (JSC::BytecodeGenerator::emitExpressionInfo):
2832         - Use JSTextPosition instead of passing line and lineStart explicitly.
2833         * bytecompiler/NodesCodegen.cpp:
2834         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2835         (JSC::ResolveNode::emitBytecode):
2836         (JSC::BracketAccessorNode::emitBytecode):
2837         (JSC::DotAccessorNode::emitBytecode):
2838         (JSC::NewExprNode::emitBytecode):
2839         (JSC::EvalFunctionCallNode::emitBytecode):
2840         (JSC::FunctionCallValueNode::emitBytecode):
2841         (JSC::FunctionCallResolveNode::emitBytecode):
2842         (JSC::FunctionCallBracketNode::emitBytecode):
2843         (JSC::FunctionCallDotNode::emitBytecode):
2844         (JSC::CallFunctionCallDotNode::emitBytecode):
2845         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2846         (JSC::PostfixNode::emitResolve):
2847         (JSC::PostfixNode::emitBracket):
2848         (JSC::PostfixNode::emitDot):
2849         (JSC::DeleteResolveNode::emitBytecode):
2850         (JSC::DeleteBracketNode::emitBytecode):
2851         (JSC::DeleteDotNode::emitBytecode):
2852         (JSC::PrefixNode::emitResolve):
2853         (JSC::PrefixNode::emitBracket):
2854         (JSC::PrefixNode::emitDot):
2855         (JSC::UnaryOpNode::emitBytecode):
2856         (JSC::BinaryOpNode::emitStrcat):
2857         (JSC::BinaryOpNode::emitBytecode):
2858         (JSC::ThrowableBinaryOpNode::emitBytecode):
2859         (JSC::InstanceOfNode::emitBytecode):
2860         (JSC::emitReadModifyAssignment):
2861         (JSC::ReadModifyResolveNode::emitBytecode):
2862         (JSC::AssignResolveNode::emitBytecode):
2863         (JSC::AssignDotNode::emitBytecode):
2864         (JSC::ReadModifyDotNode::emitBytecode):
2865         (JSC::AssignBracketNode::emitBytecode):
2866         (JSC::ReadModifyBracketNode::emitBytecode):
2867         (JSC::ForInNode::emitBytecode):
2868         (JSC::WithNode::emitBytecode):
2869         (JSC::ThrowNode::emitBytecode):
2870         - Use JSTextPosition instead of passing line and lineStart explicitly.
2871         * parser/ASTBuilder.h:
2872         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2873         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2874         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2875         (JSC::ASTBuilder::createResolve):
2876         (JSC::ASTBuilder::createBracketAccess):
2877         (JSC::ASTBuilder::createDotAccess):
2878         (JSC::ASTBuilder::createRegExp):
2879         (JSC::ASTBuilder::createNewExpr):
2880         (JSC::ASTBuilder::createAssignResolve):
2881         (JSC::ASTBuilder::createExprStatement):
2882         (JSC::ASTBuilder::createForInLoop):
2883         (JSC::ASTBuilder::createReturnStatement):
2884         (JSC::ASTBuilder::createBreakStatement):
2885         (JSC::ASTBuilder::createContinueStatement):
2886         (JSC::ASTBuilder::createLabelStatement):
2887         (JSC::ASTBuilder::createWithStatement):
2888         (JSC::ASTBuilder::createThrowStatement):
2889         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2890         (JSC::ASTBuilder::appendUnaryToken):
2891         (JSC::ASTBuilder::unaryTokenStackLastStart):
2892         (JSC::ASTBuilder::assignmentStackAppend):
2893         (JSC::ASTBuilder::createAssignment):
2894         (JSC::ASTBuilder::setExceptionLocation):
2895         (JSC::ASTBuilder::makeDeleteNode):
2896         (JSC::ASTBuilder::makeFunctionCallNode):
2897         (JSC::ASTBuilder::makeBinaryNode):
2898         (JSC::ASTBuilder::makeAssignNode):
2899         (JSC::ASTBuilder::makePrefixNode):
2900         (JSC::ASTBuilder::makePostfixNode):
2901         - Use JSTextPosition instead of passing line and lineStart explicitly.
2902         * parser/Lexer.cpp:
2903         (JSC::::lex):
2904         - Added support for capturing the appropriate JSTextPositions instead
2905           of just the character offset.
2906         * parser/Lexer.h:
2907         (JSC::Lexer::currentPosition):
2908         (JSC::::lexExpectIdentifier):
2909         - Added support for capturing the appropriate JSTextPositions instead
2910           of just the character offset.
2911         * parser/NodeConstructors.h:
2912         (JSC::Node::Node):
2913         (JSC::ResolveNode::ResolveNode):
2914         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
2915         (JSC::FunctionCallValueNode::FunctionCallValueNode):
2916         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
2917         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
2918         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2919         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2920         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2921         (JSC::PostfixNode::PostfixNode):
2922         (JSC::DeleteResolveNode::DeleteResolveNode):
2923         (JSC::DeleteBracketNode::DeleteBracketNode):
2924         (JSC::DeleteDotNode::DeleteDotNode):
2925         (JSC::PrefixNode::PrefixNode):
2926         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2927         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
2928         (JSC::AssignBracketNode::AssignBracketNode):
2929         (JSC::AssignDotNode::AssignDotNode):
2930         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2931         (JSC::AssignErrorNode::AssignErrorNode):
2932         (JSC::WithNode::WithNode):
2933         (JSC::ForInNode::ForInNode):
2934         - Use JSTextPosition instead of passing line and lineStart explicitly.
2935         * parser/Nodes.cpp:
2936         (JSC::StatementNode::setLoc):
2937         - Use JSTextPosition instead of passing line and lineStart explicitly.
2938         * parser/Nodes.h:
2939         (JSC::Node::lineNo):
2940         (JSC::Node::startOffset):
2941         (JSC::Node::lineStartOffset):
2942         (JSC::Node::position):
2943         (JSC::ThrowableExpressionData::ThrowableExpressionData):
2944         (JSC::ThrowableExpressionData::setExceptionSourceCode):
2945         (JSC::ThrowableExpressionData::divot):
2946         (JSC::ThrowableExpressionData::divotStart):
2947         (JSC::ThrowableExpressionData::divotEnd):
2948         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
2949         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
2950         (JSC::ThrowableSubExpressionData::subexpressionDivot):
2951         (JSC::ThrowableSubExpressionData::subexpressionStart):
2952         (JSC::ThrowableSubExpressionData::subexpressionEnd):
2953         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
2954         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
2955         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
2956         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
2957         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
2958         - Use JSTextPosition instead of passing line and lineStart explicitly.
2959         * parser/Parser.cpp:
2960         (JSC::::Parser):
2961         (JSC::::parseInner):
2962         - Use JSTextPosition instead of passing line and lineStart explicitly.
2963         (JSC::::didFinishParsing):
2964         - Remove setting of m_lastLine value. We always pass in the value from
2965           m_lastLine anyway. So, this assignment is effectively a nop.
2966         (JSC::::parseVarDeclaration):
2967         (JSC::::parseVarDeclarationList):
2968         (JSC::::parseForStatement):
2969         (JSC::::parseBreakStatement):
2970         (JSC::::parseContinueStatement):
2971         (JSC::::parseReturnStatement):
2972         (JSC::::parseThrowStatement):
2973         (JSC::::parseWithStatement):
2974         (JSC::::parseTryStatement):
2975         (JSC::::parseBlockStatement):
2976         (JSC::::parseFunctionDeclaration):
2977         (JSC::LabelInfo::LabelInfo):
2978         (JSC::::parseExpressionOrLabelStatement):
2979         (JSC::::parseExpressionStatement):
2980         (JSC::::parseAssignmentExpression):
2981         (JSC::::parseBinaryExpression):
2982         (JSC::::parseProperty):
2983         (JSC::::parsePrimaryExpression):
2984         (JSC::::parseMemberExpression):
2985         (JSC::::parseUnaryExpression):
2986         - Use JSTextPosition instead of passing line and lineStart explicitly.
2987         * parser/Parser.h:
2988         (JSC::Parser::next):
2989         (JSC::Parser::nextExpectIdentifier):
2990         (JSC::Parser::getToken):
2991         (JSC::Parser::tokenStartPosition):
2992         (JSC::Parser::tokenEndPosition):
2993         (JSC::Parser::lastTokenEndPosition):
2994         (JSC::::parse):
2995         - Use JSTextPosition instead of passing line and lineStart explicitly.
2996         * parser/ParserTokens.h:
2997         (JSC::JSTextPosition::JSTextPosition):
2998         (JSC::JSTextPosition::operator+):
2999         (JSC::JSTextPosition::operator-):
3000         (JSC::JSTextPosition::operator int):
3001         - Added JSTextPosition.
3002         * parser/SyntaxChecker.h:
3003         (JSC::SyntaxChecker::makeFunctionCallNode):
3004         (JSC::SyntaxChecker::makeAssignNode):
3005         (JSC::SyntaxChecker::makePrefixNode):
3006         (JSC::SyntaxChecker::makePostfixNode):
3007         (JSC::SyntaxChecker::makeDeleteNode):
3008         (JSC::SyntaxChecker::createResolve):
3009         (JSC::SyntaxChecker::createBracketAccess):
3010         (JSC::SyntaxChecker::createDotAccess):
3011         (JSC::SyntaxChecker::createRegExp):
3012         (JSC::SyntaxChecker::createNewExpr):
3013         (JSC::SyntaxChecker::createAssignResolve):
3014         (JSC::SyntaxChecker::createForInLoop):
3015         (JSC::SyntaxChecker::createReturnStatement):
3016         (JSC::SyntaxChecker::createBreakStatement):
3017         (JSC::SyntaxChecker::createContinueStatement):
3018         (JSC::SyntaxChecker::createWithStatement):
3019         (JSC::SyntaxChecker::createLabelStatement):
3020         (JSC::SyntaxChecker::createThrowStatement):
3021         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
3022         (JSC::SyntaxChecker::operatorStackPop):
3023         - Use JSTextPosition instead of passing line and lineStart explicitly.
3024
3025 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
3026
3027         Unreviewed. Fix make distcheck.
3028
3029         * GNUmakefile.list.am: Add missing files to compilation.
3030         * bytecode/CodeBlock.cpp: Add an ENABLE(FTL_JIT) #if block to
3031         include FTL header files not included in the compilation.
3032         * dfg/DFGDriver.cpp: Ditto.
3033         * dfg/DFGPlan.cpp: Ditto.
3034
3035 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
3036
3037         Eager stack trace for error objects.
3038         https://bugs.webkit.org/show_bug.cgi?id=118918
3039
3040         Reviewed by Geoffrey Garen.
3041         
3042         Chrome and Firefox give error objects the stack property, and we wanted to match
3043         that functionality. This allows developers to see the stack without throwing an object.
3044
3045         * runtime/ErrorInstance.cpp:
3046         (JSC::ErrorInstance::finishCreation):
3047         For error objects that are not thrown as an exception, we pass the stackTrace in
3048         as a parameter. This allows the error object to have the stack property.
3049         
3050         * interpreter/Interpreter.cpp:
3051         (JSC::stackTraceAsString):
3052         Helper function used to eliminate duplicate code.
3053
3054         (JSC::Interpreter::addStackTraceIfNecessary):
3055         When an error object is created by the user, the vm->exceptionStack is not set.
3056         If the user throws this error object later, the stack that is in the error object
3057         may not be the correct stack for the throw, so when we set the vm->exceptionStack,
3058         the stack property on the error object is set as well.
3059         
3060         * runtime/ErrorConstructor.cpp:
3061         (JSC::constructWithErrorConstructor):
3062         (JSC::callErrorConstructor):
3063         * runtime/NativeErrorConstructor.cpp:
3064         (JSC::constructWithNativeErrorConstructor):
3065         (JSC::callNativeErrorConstructor):
3066         These functions indicate that the user created an error object. For all error objects 
3067         that the user explicitly creates, the topCallFrame is at a new frame created to 
3068         handle the user's call. In this case though, the error object needs the caller's 
3069         frame to create the stack trace correctly.
3070         
3071         * interpreter/Interpreter.h:
3072         * runtime/ErrorInstance.h:
3073         (JSC::ErrorInstance::create):
3074
3075 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
3076
3077         Some cleanup in PropertySlot
3078         https://bugs.webkit.org/show_bug.cgi?id=119189
3079
3080         Reviewed by Geoff Garen.
3081
3082         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
3083         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
3084         is set to a special value to indicate the type (other than custom), and the type is also tracked by
3085         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
3086         (this is invalidOffset if not cacheable).
3087
3088             * Internally, always track the type of the property using an enum value, PropertyType.
3089             * Use m_offset to indicate cacheable.
3090             * Keep the external interface (CachedPropertyType) unchanged.
3091             * Better pack data into the m_data union.
3092
3093         Performance neutral.
3094
3095         * dfg/DFGRepatch.cpp:
3096         (JSC::DFG::tryCacheGetByID):
3097         (JSC::DFG::tryBuildGetByIDList):
3098             - cachedPropertyType() -> isCacheable*()
3099         * jit/JITPropertyAccess.cpp:
3100         (JSC::JIT::privateCompileGetByIdProto):
3101         (JSC::JIT::privateCompileGetByIdSelfList):
3102         (JSC::JIT::privateCompileGetByIdProtoList):
3103         (JSC::JIT::privateCompileGetByIdChainList):
3104         (JSC::JIT::privateCompileGetByIdChain):
3105             - cachedPropertyType() -> isCacheable*()
3106         * jit/JITPropertyAccess32_64.cpp:
3107         (JSC::JIT::privateCompileGetByIdProto):
3108         (JSC::JIT::privateCompileGetByIdSelfList):
3109         (JSC::JIT::privateCompileGetByIdProtoList):
3110         (JSC::JIT::privateCompileGetByIdChainList):
3111         (JSC::JIT::privateCompileGetByIdChain):
3112             - cachedPropertyType() -> isCacheable*()
3113         * jit/JITStubs.cpp:
3114         (JSC::tryCacheGetByID):
3115             - cachedPropertyType() -> isCacheable*()
3116         * llint/LLIntSlowPaths.cpp:
3117         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3118             - cachedPropertyType() -> isCacheable*()
3119         * runtime/PropertySlot.cpp:
3120         (JSC::PropertySlot::functionGetter):
3121             - refactoring described above.
3122         * runtime/PropertySlot.h:
3123         (JSC::PropertySlot::PropertySlot):
3124         (JSC::PropertySlot::getValue):
3125         (JSC::PropertySlot::isCacheable):
3126         (JSC::PropertySlot::isCacheableValue):
3127         (JSC::PropertySlot::isCacheableGetter):
3128         (JSC::PropertySlot::isCacheableCustom):
3129         (JSC::PropertySlot::cachedOffset):
3130         (JSC::PropertySlot::customGetter):
3131         (JSC::PropertySlot::setValue):
3132         (JSC::PropertySlot::setCustom):
3133         (JSC::PropertySlot::setCacheableCustom):
3134         (JSC::PropertySlot::setCustomIndex):
3135         (JSC::PropertySlot::setGetterSlot):
3136         (JSC::PropertySlot::setCacheableGetterSlot):
3137         (JSC::PropertySlot::setUndefined):
3138         (JSC::PropertySlot::slotBase):
3139         (JSC::PropertySlot::setBase):
3140             - refactoring described above.
3141
3142 2013-07-28  Oliver Hunt  <oliver@apple.com>
3143
3144         REGRESSION: Crash when opening Facebook.com
3145         https://bugs.webkit.org/show_bug.cgi?id=119155
3146
3147         Reviewed by Andreas Kling.
3148
3149         Scope nodes are always objects, so we should be using SpecObjectOther
3150         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3151         contradiction in the CFA, resulting in bogus codegen.
3152
3153         * dfg/DFGAbstractInterpreterInlines.h:
3154         (JSC::DFG::::executeEffects):
3155         * dfg/DFGPredictionPropagationPhase.cpp:
3156         (JSC::DFG::PredictionPropagationPhase::propagate):
3157
3158 2013-07-26  Oliver Hunt  <oliver@apple.com>
3159
3160         REGRESSION(FTL?): Crashes in plugin tests
3161         https://bugs.webkit.org/show_bug.cgi?id=119141
3162
3163         Reviewed by Michael Saboff.
3164
3165         Re-export getStackTrace
3166
3167         * interpreter/Interpreter.h:
3168
3169 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3170
3171         REGRESSION: Crash when opening a message on Gmail
3172         https://bugs.webkit.org/show_bug.cgi?id=119105
3173
3174         Reviewed by Oliver Hunt and Mark Hahnenberg.
3175         
3176         - GetById patching in the DFG needs to be more disciplined about how it derives the
3177           slow path.
3178         
3179         - Fix some dumping code thread safety issues.
3180
3181         * bytecode/CallLinkStatus.cpp:
3182         (JSC::CallLinkStatus::dump):
3183         * bytecode/CodeBlock.cpp:
3184         (JSC::CodeBlock::dumpBytecode):
3185         * dfg/DFGRepatch.cpp:
3186         (JSC::DFG::getPolymorphicStructureList):
3187         (JSC::DFG::tryBuildGetByIDList):
3188
3189 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3190
3191         [mips] Fix LLINT build for mips backend
3192         https://bugs.webkit.org/show_bug.cgi?id=119152
3193
3194         Reviewed by Oliver Hunt.
3195
3196         * offlineasm/mips.rb:
3197
3198 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3199
3200         Setting a large numeric property on an object causes it to allocate a huge backing store
3201         https://bugs.webkit.org/show_bug.cgi?id=118914
3202
3203         Reviewed by Geoffrey Garen.
3204
3205         There are two distinct actions that we're trying to optimize for:
3206
3207         new Array(100000);
3208
3209         and:
3210
3211         a = [];
3212         a[100000] = 42;
3213         
3214         In the first case, the programmer has indicated that they expect this Array to be very big, 
3215         so they should get a contiguous array up until some threshold, above which we perform density 
3216         calculations to see if it is indeed dense enough to warrant being contiguous.
3217         
3218         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3219         we should be more conservative and assume it should be sparse until we've proven otherwise.
3220         
3221         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3222         between them for the purposes of not over-allocating large backing stores like we see on 
3223         http://www.peekanalytics.com/burgerjoints/
3224         
3225         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3226         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3227         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3228         map instead. So for example, in the second case above the empty array has a blank indexing 
3229         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3230
3231         This fix is a ~800x speedup on the accompanying regression test :-o
3232
3233         * runtime/ArrayConventions.h:
3234         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3235         * runtime/JSObject.cpp:
3236         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3237         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3238         (JSC::JSObject::putByIndexBeyondVectorLength):
3239         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3240
3241 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3242
3243         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3244         https://bugs.webkit.org/show_bug.cgi?id=119148
3245
3246         Reviewed by Csaba Osztrogonác.
3247
3248         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3249         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3250         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3251         code duplication.
3252
3253 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3254
3255         REGRESSION(FTL): Crash in sh4 baseline JIT.
3256         https://bugs.webkit.org/show_bug.cgi?id=119138
3257
3258         Reviewed by Csaba Osztrogonác.
3259
3260         This crash is due to incomplete report of r150146 and r148474.
3261
3262         * jit/JITStubsSH4.h:
3263
3264 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3265
3266         Unreviewed.
3267
3268         * Target.pri: Adding missing DFG files to the Qt build.
3269
3270 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3271
3272         GTK and Qt buildfix after the intrusive win buildfix r153360.
3273
3274         * GNUmakefile.list.am:
3275         * Target.pri:
3276
3277 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3278
3279         Unreviewed, fix build break after r153360.
3280
3281         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
3282
3283 2013-07-25  Roger Fong  <roger_fong@apple.com>
3284
3285         Unreviewed build fix, AppleWin port.
3286
3287         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3288         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3289         * JavaScriptCore.vcxproj/copy-files.cmd:
3290
3291 2013-07-25  Roger Fong  <roger_fong@apple.com>
3292
3293         Unreviewed. Followup to r153360.
3294
3295         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3296         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3297
3298 2013-07-25  Michael Saboff  <msaboff@apple.com>
3299
3300         [Windows] Speculative build fix.
3301
3302         Moved interpreterThrowInCaller() out of LLIntExceptions.cpp into new CommonSlowPathsExceptions.cpp
3303         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
3304
3305         * JavaScriptCore.xcodeproj/project.pbxproj:
3306         * llint/LLIntExceptions.cpp:
3307         * llint/LLIntExceptions.h:
3308         * llint/LLIntSlowPaths.cpp:
3309         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3310         * runtime/CommonSlowPaths.cpp:
3311         (JSC::SLOW_PATH_DECL):
3312         * runtime/CommonSlowPathsExceptions.cpp: Added.
3313         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3314         * runtime/CommonSlowPathsExceptions.h: Added.
3315
3316 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3317
3318         [Windows] Unreviewed build fix.
3319
3320         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
3321         parser/SourceCode.h,.cpp.
3322         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3323
3324 2013-07-25  Anders Carlsson  <andersca@apple.com>
3325
3326         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
3327         https://bugs.webkit.org/show_bug.cgi?id=119108
3328
3329         Reviewed by Mark Hahnenberg.
3330
3331         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
3332
3333         * heap/CopiedSpace.cpp:
3334         (JSC::CopiedSpace::tryAllocateSlowCase):
3335         * heap/Heap.cpp:
3336         (JSC::Heap::protect):
3337         (JSC::Heap::unprotect):
3338         (JSC::Heap::collect):
3339         * heap/MarkedAllocator.cpp:
3340         (JSC::MarkedAllocator::allocateSlowCase):
3341         * runtime/JSGlobalObject.cpp:
3342         (JSC::JSGlobalObject::init):
3343         * runtime/VM.h:
3344         (JSC::VM::currentThreadIsHoldingAPILock):
3345
3346 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3347
3348         REGRESSION(FTL): Most layout tests crashes
3349         https://bugs.webkit.org/show_bug.cgi?id=119089
3350
3351         Reviewed by Oliver Hunt.
3352
3353         * runtime/ExecutionHarness.h:
3354         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
3355         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
3356         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
3357         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
3358         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
3359         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
3360
3361 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3362
3363         [Windows] Unreviewed build fix.
3364
3365         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
3366         include path.
3367
3368 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3369
3370         [Windows] Unreviewed build fix.
3371
3372         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
3373         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
3374         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3375
3376 2013-07-25  Oliver Hunt  <oliver@apple.com>
3377
3378         Make all jit & non-jit combos build cleanly
3379         https://bugs.webkit.org/show_bug.cgi?id=119102
3380
3381         Reviewed by Anders Carlsson.
3382
3383         * bytecode/CodeBlock.cpp:
3384         (JSC::CodeBlock::counterValueForOptimizeSoon):
3385         * bytecode/CodeBlock.h:
3386         (JSC::CodeBlock::optimizeAfterWarmUp):
3387         (JSC::CodeBlock::numberOfDFGCompiles):
3388
3389 2013-07-25  Oliver Hunt  <oliver@apple.com>
3390
3391         32 bit portion of load validation logic
3392         https://bugs.webkit.org/show_bug.cgi?id=118878
3393
3394         Reviewed by NOBODY (Build fix).
3395
3396         * dfg/DFGSpeculativeJIT32_64.cpp:
3397         (JSC::DFG::SpeculativeJIT::compile):
3398
3399 2013-07-25  Oliver Hunt  <oliver@apple.com>
3400
3401         More 32bit build fixes
3402
3403         - Apparently some compilers don't track the fastcall directive everywhere we expect
3404