[CSS3 Backgrounds and Borders] Remove CSS3_BACKGROUND feature flag.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2012-12-10  Alexis Menard  <alexis@webkit.org>

        [CSS3 Backgrounds and Borders] Remove CSS3_BACKGROUND feature flag.
        https://bugs.webkit.org/show_bug.cgi?id=104539

        Reviewed by Antonio Gomes.

        As discussed on webkit-dev it is not needed to keep this feature flag
        as support for <position> type is a small feature that is already
        implemented by three other UAs. It was useful while landing this
        feature as partial bits were landed one after one.

        * Configurations/FeatureDefines.xcconfig:

2012-12-09  Filip Pizlo  <fpizlo@apple.com>

        DFG ArrayPush/Pop should not pass their second child as the index for blessArrayOperation()
        https://bugs.webkit.org/show_bug.cgi?id=104500

        Reviewed by Oliver Hunt.

        Slight across-the-board speed-up.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-12-08  Filip Pizlo  <fpizlo@apple.com>

        JSC should scale the optimization threshold for a code block according to the cost of compiling it
        https://bugs.webkit.org/show_bug.cgi?id=104406

        Reviewed by Oliver Hunt.

        We've long known that we want to scale the execution count threshold needed for the DFG
        to kick in to scale according to some estimate of the cost of compiling that code block.
        This institutes a relationship like this:

        threshold = thresholdSetting * (a * sqrt(instructionCount + b) + abs(c * instructionCount) + d)

        Where a, b, c, d are coefficients derived from fitting the above expression to various
        data points, which I chose based on looking at one benchmark (3d-cube) and from my
        own intuitions.

        Making this work well also required changing the thresholdForOptimizeAfterLongWarmUp
        from 5000 to 1000.

        This is a >1% speed-up on SunSpider, a >3% speed-up on V8Spider, ~1% speed-up on V8v7,
        neutral on Octane, and neutral on Kraken.

        I also out-of-lined a bunch of methods related to these heuristics, because I couldn't
        stand having them defined in the header anymore. I also made improvements to debugging
        code because I needed it for tuning this change.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::sourceCodeForTools):
        (JSC::CodeBlock::sourceCodeOnOneLine):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::reoptimizationRetryCounter):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::optimizationThresholdScalingFactor):
        (JSC::clipThreshold):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeSoon):
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        (JSC::CodeBlock::adjustedExitCountThreshold):
        (JSC::CodeBlock::exitCountThresholdForReoptimization):
        (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        * bytecode/CodeBlock.h:
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::hasCrossedThreshold):
        * bytecode/ReduceWhitespace.cpp: Added.
        (JSC::reduceWhitespace):
        * bytecode/ReduceWhitespace.h: Added.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpHeader):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        * runtime/Options.h:

2012-12-07  Jonathan Liu  <net147@gmail.com>

        Add missing forward declaration for JSC::ArrayAllocationProfile
        https://bugs.webkit.org/show_bug.cgi?id=104425

        Reviewed by Kentaro Hara.

        The header for the JSC::ArrayConstructor class is missing a forward
        declaration for the JSC::ArrayAllocationProfile class which causes
        compilation to fail when compiling with MinGW-w64.

        * runtime/ArrayConstructor.h:
        (JSC):

2012-12-07  Jonathan Liu  <net147@gmail.com>

        Add missing const qualifier to JSC::CodeBlock::getJITType()
        https://bugs.webkit.org/show_bug.cgi?id=104424

        Reviewed by Laszlo Gombos.

        JSC::CodeBlock::getJITType() has the const qualifier when JIT is
        enabled but is missing the const qualifier when JIT is disabled.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getJITType):

2012-12-07  Oliver Hunt  <oliver@apple.com>

        Make function code cache proportional to main codeblock cache
        https://bugs.webkit.org/show_bug.cgi?id=104420

        Reviewed by Geoffrey Garen.

        Makes the constants determining the recently used function cache proportional
        to the number of root codeblocks in the cache.  Also renames the constants to
        make them more clear.

        * runtime/CodeCache.h:

2012-12-06  Filip Pizlo  <fpizlo@apple.com>

        Strange results calculating a square root in a loop
        https://bugs.webkit.org/show_bug.cgi?id=104247
        <rdar://problem/12826880>

        Reviewed by Oliver Hunt.

        Fixed the CFG simplification phase to ignore dead GetLocals in the first of the blocks
        under the merge. This fixes the assertion, and is also cleaner: our general rule is
        to not "revive" things that we've already proved to be dead.

        Also fixed some rotted debug code.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2012-12-07  Geoffrey Garen  <ggaren@apple.com>

        Crash in JSC::Bindings::RootObject::globalObject() sync'ing notes in Evernote
        https://bugs.webkit.org/show_bug.cgi?id=104321
        <rdar://problem/12770497>

        Reviewed by Sam Weinig.

        Work around a JSValueUnprotect(NULL) in Evernote.

        * API/JSValueRef.cpp:
        (evernoteHackNeeded):
        (JSValueUnprotect):

2012-12-06  Filip Pizlo  <fpizlo@apple.com>

        Incorrect inequality for checking whether a statement is within bounds of a handler
        https://bugs.webkit.org/show_bug.cgi?id=104313
        <rdar://problem/12808934>

        Reviewed by Geoffrey Garen.

        The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality
        used for checking whether a handler is pertinent to the current instruction. '<' is
        correct, but '<=' isn't, since the 'end' is not inclusive.

        Also found, and addressed, a benign goof in how the finally inliner works: sometimes
        we will have end > start. This falls out naturally from how the inliner works and how
        we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any
        future confusion, I added a comment and some code to prune those handlers out. Because
        of how the handler resolution works, these handlers would have been skipped anyway.

        Also made various fixes to debugging code, which was necessary for tracking this down.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::handlerForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * bytecompiler/Label.h:
        (JSC::Label::bind):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):

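The half-open range check that the handler-bounds entry above describes, as an added illustration rather than code from the WebKit tree: HandlerInfo, the sample handler table and the pruning helper are constructed stand-ins, and handlers are assumed to be ordered innermost first so that the first match wins.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

// Constructed stand-in for a bytecode exception-handler table entry. Assumption:
// JSC's real HandlerInfo carries more fields; only the range matters here.
struct HandlerInfo {
    uint32_t start;   // first bytecode offset the handler covers (inclusive)
    uint32_t end;     // one past the last covered offset (exclusive)
    uint32_t target;  // bytecode offset of the catch/finally code
};

const uint32_t kNoHandler = UINT32_MAX;

// The inequality the entry calls out: '<=' treats the exclusive 'end' as if it
// were inclusive, so the first instruction AFTER the protected region is
// wrongly matched to this handler.
const HandlerInfo* findHandlerBuggy(const std::vector<HandlerInfo>& handlers, uint32_t offset)
{
    for (const HandlerInfo& h : handlers) {
        if (offset >= h.start && offset <= h.end)
            return &h;
    }
    return nullptr;
}

// Corrected form: the handler covers the half-open range [start, end).
// Assumption: handlers are ordered innermost first, so the first match wins.
const HandlerInfo* findHandler(const std::vector<HandlerInfo>& handlers, uint32_t offset)
{
    for (const HandlerInfo& h : handlers) {
        if (offset >= h.start && offset < h.end)
            return &h;
    }
    return nullptr;
}

// Drops entries whose range covers no instruction at all, in the spirit of the
// pruning the entry describes (assumption: the real check in the bytecode
// generator may differ in detail).
std::vector<HandlerInfo> pruneEmptyHandlers(std::vector<HandlerInfo> handlers)
{
    handlers.erase(std::remove_if(handlers.begin(), handlers.end(),
                                  [](const HandlerInfo& h) { return h.end <= h.start; }),
                   handlers.end());
    return handlers;
}

// Convenience wrapper: target of the matched handler, or kNoHandler when no
// handler covers 'offset'.
uint32_t handlerTargetFor(const std::vector<HandlerInfo>& handlers, uint32_t offset, bool useBuggyCheck)
{
    const HandlerInfo* h = useBuggyCheck ? findHandlerBuggy(handlers, offset) : findHandler(handlers, offset);
    return h ? h->target : kNoHandler;
}

// Constructed sample table: an inner try covering offsets [4, 10) nested in an
// outer one covering [0, 30). Offset 10 is the first instruction after the
// inner try; offset 30 is past the end of both.
std::vector<HandlerInfo> sampleHandlers()
{
    return { { 4, 10, 20 }, { 0, 30, 40 } };
}

int main()
{
    const std::vector<HandlerInfo> handlers = sampleHandlers();
    for (uint32_t offset : { 3u, 9u, 10u, 30u }) {
        std::printf("offset %2u: buggy -> %u, fixed -> %u\n", offset,
                    handlerTargetFor(handlers, offset, true),
                    handlerTargetFor(handlers, offset, false));
    }
    return 0;
}
```

At offset 10 the buggy check dispatches to the inner handler although the instruction lies outside the inner try, and at offset 30 it claims a handler where none applies.
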
2012-12-06  Rick Byers  <rbyers@chromium.org>

        CSS cursor property should support webkit-image-set
        https://bugs.webkit.org/show_bug.cgi?id=99493

        Reviewed by Beth Dakin.

        Add ENABLE_MOUSE_CURSOR_SCALE (disabled by default)

        * Configurations/FeatureDefines.xcconfig:

2012-12-06  Laszlo Gombos  <l.gombos@samsung.com>

        [CMake] Consolidate list of files to build for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=104287

        Reviewed by Gyuyoung Kim.

        Add MemoryStatistics.cpp and ExecutableAllocator.cpp to the common
        list of files and remove them from the port specific lists.

        * CMakeLists.txt:
        * PlatformBlackBerry.cmake:
        * PlatformEfl.cmake:
        * PlatformWinCE.cmake:

2012-12-06  Oliver Hunt  <oliver@apple.com>

        Tell heap that we've released all the compiled code.

        Reviewed by Geoff Garen.

        When we discard compiled code, inform the heap that we've
        released an entire object graph.  This informs the heap that
        it might want to perform a GC soon.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::discardAllCode):

2012-12-06  Laszlo Gombos  <l.gombos@samsung.com>

        [EFL] Remove ENABLE_GLIB_SUPPORT CMake variable
        https://bugs.webkit.org/show_bug.cgi?id=104278

        Reviewed by Brent Fulgham.

        The conditional is not required as it is always set for EFL.

        * PlatformEfl.cmake:

2012-12-06  Oliver Hunt  <oliver@apple.com>

        Build fix, last patch rolled out logic that is now needed on ToT.

        * parser/ASTBuilder.h:
        (ASTBuilder):
        (JSC::ASTBuilder::setFunctionStart):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setFunctionStart):
        (JSC::FunctionBodyNode::functionStart):
        (FunctionBodyNode):
        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionStart):

2012-12-05  Oliver Hunt  <oliver@apple.com>

        Remove harmful string->function cache
        https://bugs.webkit.org/show_bug.cgi?id=104193

        Reviewed by Alexey Proskuryakov.

        Remove the string->function code cache that turned out to actually
        be quite harmful.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCache::clear):

2012-12-05  Halton Huo  <halton.huo@intel.com>

        [CMake] Unify coding style for CMake files
        https://bugs.webkit.org/show_bug.cgi?id=103605

        Reviewed by Laszlo Gombos.

        Update cmake files (.cmake, CMakeLists.txt) with the following style rules:
        1. Indentation
        1.1 Use spaces, not tabs.
        1.2 Four spaces as indent.
        2. Spacing
        2.1 Place one space between control statements and their parentheses.
            For eg, if (), else (), elseif (), endif (), foreach (),
            endforeach (), while (), endwhile (), break ().
        2.2 Do not place spaces between function and macro statements and
            their parentheses. For eg, macro(), endmacro(), function(),
            endfunction().
        2.3 Do not place spaces between a command or function or macro and its
            parentheses, or between a parenthesis and its content. For eg,
            message("testing") not message( "testing") or message ("testing" )
        2.4 No space at line ending.
        3. Lowercase when calling commands, macros and functions. For eg,
           add_executable() not ADD_EXECUTABLE(), set() not SET().

        * CMakeLists.txt:
        * PlatformBlackBerry.cmake:
        * PlatformEfl.cmake:
        * PlatformWinCE.cmake:
        * shell/CMakeLists.txt:
        * shell/PlatformBlackBerry.cmake:
        * shell/PlatformEfl.cmake:
        * shell/PlatformWinCE.cmake:

2012-12-05  Oliver Hunt  <oliver@apple.com>

        Empty parse cache when receiving a low memory warning
        https://bugs.webkit.org/show_bug.cgi?id=104161

        Reviewed by Filip Pizlo.

        This adds a function to the globaldata to empty all code related data
        structures (code in the heap and the code cache).
        It also adds a function to allow the CodeCache to actually be cleared
        at all.

        * runtime/CodeCache.h:
        (CacheMap):
        (JSC::CacheMap::clear):
        (JSC::CodeCache::clear):
        (CodeCache):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::discardAllCode):
        (JSC):
        * runtime/JSGlobalData.h:
        (JSGlobalData):

2012-12-05  Filip Pizlo  <fpizlo@apple.com>

        JSC profiler should not count executions of op_call_put_result because doing so changes DFG codegen
        https://bugs.webkit.org/show_bug.cgi?id=104102

        Reviewed by Oliver Hunt.

        This removes op_call_put_result from profiling, since profiling it has an effect on
        codegen. This fix enables all of SunSpider, V8, and Kraken to be profiled with the
        new profiler.

        To make this all fit together, the profiler now also reports in its output the exact
        bytecode opcode name for each instruction (in addition to the stringified dump of that
        bytecode), so that tools that grok the output can take note of op_call_put_result and
        work around the fact that it has no counts.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * profiler/ProfilerBytecode.cpp:
        (JSC::Profiler::Bytecode::toJS):
        * profiler/ProfilerBytecode.h:
        (JSC::Profiler::Bytecode::Bytecode):
        (JSC::Profiler::Bytecode::opcodeID):
        (Bytecode):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        * runtime/CommonIdentifiers.h:

2012-12-04  Filip Pizlo  <fpizlo@apple.com>

        display-profiler-output should be able to show source code
        https://bugs.webkit.org/show_bug.cgi?id=104073

        Reviewed by Oliver Hunt.

        Modify the profiler database to store source code. For functions, we store the
        function including the function signature.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::unlinkedCodeBlock):
        (CodeBlock):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::Bytecodes):
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h:
        (Bytecodes):
        (JSC::Profiler::Bytecodes::sourceCode):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::addBytecodes):
        (JSC::Profiler::Database::ensureBytecodesFor):
        * profiler/ProfilerDatabase.h:
        (Database):
        * runtime/CommonIdentifiers.h:
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::unlinkedExecutable):

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        JSC should be able to report profiling data associated with the IR dumps and disassembly
        https://bugs.webkit.org/show_bug.cgi?id=102999

        Reviewed by Gavin Barraclough.

        Added a new profiler to JSC. It's simply called "Profiler" in anticipation of it
        ultimately replacing the previous profiling infrastructure. This profiler counts the
        number of times that a bytecode executes in various engines, and will record both the
        counts and all disassembly and bytecode dumps, into a database that can be at any
        time turned into either a JS object using any global object or global data of your
        choice, or can be turned into a JSON string, or saved to a file.

        Currently the only use of this is the new '-p <file>' flag to the jsc command-line.

        The profiler is always compiled in and normally incurs no execution time cost, but is
        only activated when you create a Profiler::Database and install it in
        JSGlobalData::m_perBytecodeProfiler. From that point on, all code blocks will be
        compiled along with disassembly and bytecode dumps stored into the Profiler::Database,
        and all code blocks will have execution counts, which are also stored in the database.
        The database will continue to keep information about code blocks alive even after they
        are otherwise GC'd.

        This currently still has some glitches, like the fact that it only counts executions
        in the JITs. Doing execution counting in the LLInt might require a bit of a rethink
        about how the counting is expressed - currently it is implicit in bytecode, so there
        is no easy way to "turn it on" in the LLInt. Also, right now there is no information
        recorded about OSR exits or out-of-line stubs. But, even so, it's quite cool, and
        gives you a peek into what JSC is doing that would otherwise not be possible.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::baselineVersion):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::baselineCodeBlock):
        (JSC):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        (DFG):
        (JSC::DFG::Disassembler::reportToProfiler):
        (JSC::DFG::Disassembler::dumpHeader):
        (JSC::DFG::Disassembler::append):
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGDisassembler.h:
        (Disassembler):
        (JSC::DFG::Disassembler::DumpedOp::DumpedOp):
        (DumpedOp):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::hasExecutionCounter):
        (JSC::DFG::Node::executionCounter):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::reportToProfiler):
        (JSC):
        (JSC::JITDisassembler::dumpHeader):
        (JSC::JITDisassembler::firstSlowLabel):
        (JSC::JITDisassembler::dumpVectorForInstructions):
        (JSC::JITDisassembler::dumpForInstructions):
        (JSC::JITDisassembler::reportInstructions):
        * jit/JITDisassembler.h:
        (JITDisassembler):
        (DumpedOp):
        * jsc.cpp:
        (CommandLine::CommandLine):
        (CommandLine):
        (printUsageStatement):
        (CommandLine::parseArguments):
        (jscmain):
        * profiler/ProfilerBytecode.cpp: Added.
        (Profiler):
        (JSC::Profiler::Bytecode::toJS):
        * profiler/ProfilerBytecode.h: Added.
        (Profiler):
        (Bytecode):
        (JSC::Profiler::Bytecode::Bytecode):
        (JSC::Profiler::Bytecode::bytecodeIndex):
        (JSC::Profiler::Bytecode::description):
        (JSC::Profiler::getBytecodeIndexForBytecode):
        * profiler/ProfilerBytecodes.cpp: Added.
        (Profiler):
        (JSC::Profiler::Bytecodes::Bytecodes):
        (JSC::Profiler::Bytecodes::~Bytecodes):
        (JSC::Profiler::Bytecodes::indexForBytecodeIndex):
        (JSC::Profiler::Bytecodes::forBytecodeIndex):
        (JSC::Profiler::Bytecodes::dump):
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h: Added.
        (Profiler):
        (Bytecodes):
        (JSC::Profiler::Bytecodes::append):
        (JSC::Profiler::Bytecodes::id):
        (JSC::Profiler::Bytecodes::hash):
        (JSC::Profiler::Bytecodes::size):
        (JSC::Profiler::Bytecodes::at):
        * profiler/ProfilerCompilation.cpp: Added.
        (Profiler):
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::~Compilation):
        (JSC::Profiler::Compilation::addDescription):
        (JSC::Profiler::Compilation::executionCounterFor):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h: Added.
        (Profiler):
        (Compilation):
        (JSC::Profiler::Compilation::bytecodes):
        (JSC::Profiler::Compilation::kind):
        * profiler/ProfilerCompilationKind.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * profiler/ProfilerCompilationKind.h: Added.
        (Profiler):
        (WTF):
        * profiler/ProfilerCompiledBytecode.cpp: Added.
        (Profiler):
        (JSC::Profiler::CompiledBytecode::CompiledBytecode):
        (JSC::Profiler::CompiledBytecode::~CompiledBytecode):
        (JSC::Profiler::CompiledBytecode::toJS):
        * profiler/ProfilerCompiledBytecode.h: Added.
        (Profiler):
        (CompiledBytecode):
        (JSC::Profiler::CompiledBytecode::originStack):
        (JSC::Profiler::CompiledBytecode::description):
        * profiler/ProfilerDatabase.cpp: Added.
        (Profiler):
        (JSC::Profiler::Database::Database):
        (JSC::Profiler::Database::~Database):
        (JSC::Profiler::Database::addBytecodes):
        (JSC::Profiler::Database::ensureBytecodesFor):
        (JSC::Profiler::Database::notifyDestruction):
        (JSC::Profiler::Database::newCompilation):
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::toJSON):
        (JSC::Profiler::Database::save):
        * profiler/ProfilerDatabase.h: Added.
        (Profiler):
        (Database):
        * profiler/ProfilerExecutionCounter.h: Added.
        (Profiler):
        (ExecutionCounter):
        (JSC::Profiler::ExecutionCounter::ExecutionCounter):
        (JSC::Profiler::ExecutionCounter::address):
        (JSC::Profiler::ExecutionCounter::count):
        * profiler/ProfilerOrigin.cpp: Added.
        (Profiler):
        (JSC::Profiler::Origin::Origin):
        (JSC::Profiler::Origin::dump):
        (JSC::Profiler::Origin::toJS):
        * profiler/ProfilerOrigin.h: Added.
        (JSC):
        (Profiler):
        (Origin):
        (JSC::Profiler::Origin::Origin):
        (JSC::Profiler::Origin::operator!):
        (JSC::Profiler::Origin::bytecodes):
        (JSC::Profiler::Origin::bytecodeIndex):
        (JSC::Profiler::Origin::operator!=):
        (JSC::Profiler::Origin::operator==):
        (JSC::Profiler::Origin::hash):
        (JSC::Profiler::Origin::isHashTableDeletedValue):
        (JSC::Profiler::OriginHash::hash):
        (JSC::Profiler::OriginHash::equal):
        (OriginHash):
        (WTF):
        * profiler/ProfilerOriginStack.cpp: Added.
        (Profiler):
        (JSC::Profiler::OriginStack::OriginStack):
        (JSC::Profiler::OriginStack::~OriginStack):
        (JSC::Profiler::OriginStack::append):
        (JSC::Profiler::OriginStack::operator==):
        (JSC::Profiler::OriginStack::hash):
        (JSC::Profiler::OriginStack::dump):
        (JSC::Profiler::OriginStack::toJS):
        * profiler/ProfilerOriginStack.h: Added.
        (JSC):
        (Profiler):
        (OriginStack):
        (JSC::Profiler::OriginStack::OriginStack):
        (JSC::Profiler::OriginStack::operator!):
        (JSC::Profiler::OriginStack::size):
        (JSC::Profiler::OriginStack::fromBottom):
        (JSC::Profiler::OriginStack::fromTop):
        (JSC::Profiler::OriginStack::isHashTableDeletedValue):
        (JSC::Profiler::OriginStackHash::hash):
        (JSC::Profiler::OriginStackHash::equal):
        (OriginStackHash):
        (WTF):
        * runtime/CommonIdentifiers.h:
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/Options.h:
        (JSC):

2012-12-04  Filip Pizlo  <fpizlo@apple.com>

        Rename Profiler to LegacyProfiler
        https://bugs.webkit.org/show_bug.cgi?id=104031

        Rubber stamped by Mark Hahnenberg

        Make room in the namespace for https://bugs.webkit.org/show_bug.cgi?id=102999.

        * API/JSProfilerPrivate.cpp:
        (JSStartProfiling):
        (JSEndProfiling):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JIT.h:
        * jit/JITCode.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        (JSC):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/LegacyProfiler.cpp: Added.
        (JSC):
        (JSC::LegacyProfiler::profiler):
        (JSC::LegacyProfiler::startProfiling):
        (JSC::LegacyProfiler::stopProfiling):
        (JSC::dispatchFunctionToProfiles):
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::createCallIdentifier):
        (JSC::createCallIdentifierFromFunctionImp):
        * profiler/LegacyProfiler.h: Added.
        (JSC):
        (LegacyProfiler):
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * profiler/ProfileNode.cpp:
        * profiler/Profiler.cpp: Removed.
        * profiler/Profiler.h: Removed.
        * runtime/JSGlobalData.h:
        (JSC):
        (JSC::JSGlobalData::enabledProfiler):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):

2012-12-03  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline code blocks that use scoped variable access
        https://bugs.webkit.org/show_bug.cgi?id=103974

        Reviewed by Oliver Hunt.

        This mostly just turns on something we could have done all along, but also adds a few key
        necessities to make this right:

        1) Constant folding of SkipScope, since if we inline with a known JSFunction* then the
           scope is constant.

        2) Interference analysis for GetLocal<->PutScopedVar and SetLocal<->GetScopedVar.

        This is not meant to be a speed-up on major benchmarks since we don't yet inline most
        closure calls for entirely unrelated reasons. But on toy programs it can be >2x faster.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):

2012-12-03  Filip Pizlo  <fpizlo@apple.com>

        Replace JSValue::description() with JSValue::dump(PrintStream&)
        https://bugs.webkit.org/show_bug.cgi?id=103866

        Reviewed by Darin Adler.

        JSValue now has a dump() method. Anywhere that you would have wanted to use
        description(), you can either do toCString(value).data(), or if the callee
        is a print()/dataLog() method then you just pass the value directly.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::dump):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dump):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jsc.cpp:
        (functionDescribe):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_value):
        * runtime/JSValue.cpp:
        (JSC::JSValue::dump):
        * runtime/JSValue.h:

2012-12-04  Filip Pizlo  <fpizlo@apple.com>

        jsc command line tool's support for typed arrays should be robust against array buffer allocation errors
        https://bugs.webkit.org/show_bug.cgi?id=104020
787         <rdar://problem/12802478>
788
789         Reviewed by Mark Hahnenberg.
790
791         Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
792         and that is indeed the contract of ArrayBuffer and TypedArrayBase.
793
794         * JSCTypedArrayStubs.h:
795         (JSC):
796
797 2012-12-03  Peter Rybin  <prybin@chromium.org>
798
799         Web Inspector: make ASSERTION FAILED: foundPropertiesCount == object->size() more useful
800         https://bugs.webkit.org/show_bug.cgi?id=103254
801
802         Reviewed by Pavel Feldman.
803
804         Missing symbol WTFReportFatalError is added to the linker list.
805
806         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
807
808 2012-12-03  Alexis Menard  <alexis@webkit.org>
809
810         [Mac] Enable CSS3 background-position offset by default.
811         https://bugs.webkit.org/show_bug.cgi?id=103905
812
813         Reviewed by Simon Fraser.
814
815         Turn the flag on by default.
816
817         * Configurations/FeatureDefines.xcconfig:
818
819 2012-12-02  Filip Pizlo  <fpizlo@apple.com>
820
821         DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context
822         https://bugs.webkit.org/show_bug.cgi?id=103858
823
824         Reviewed by Gavin Barraclough.
825
826         A rage conversion from double to contiguous is one where you try to convert each
827         double to an int32.
828
829         This is probably not the last we'll hear of rage conversion from double to contiguous.
830         It may be better to do this right during parsing, which will result in fewer cases of
831         Arrayification. But even so, this looks like a straight win already - 1% speed-up on
832         Kraken, no major regression anywhere else.
833
834         * dfg/DFGAbstractState.cpp:
835         (JSC::DFG::AbstractState::execute):
836         * dfg/DFGArrayMode.cpp:
837         (JSC::DFG::ArrayMode::refine):
838         (JSC::DFG::arrayConversionToString):
839         (JSC::DFG::ArrayMode::dump):
840         (WTF):
841         (WTF::printInternal):
842         * dfg/DFGArrayMode.h:
843         (JSC::DFG::ArrayMode::withConversion):
844         (ArrayMode):
845         (JSC::DFG::ArrayMode::doesConversion):
846         (WTF):
847         * dfg/DFGFixupPhase.cpp:
848         (JSC::DFG::FixupPhase::fixupBlock):
849         (JSC::DFG::FixupPhase::fixupNode):
850         (JSC::DFG::FixupPhase::checkArray):
851         (FixupPhase):
852         * dfg/DFGGraph.cpp:
853         (JSC::DFG::Graph::dump):
854         * dfg/DFGNodeFlags.h:
855         (DFG):
856         * dfg/DFGOperations.cpp:
857         * dfg/DFGOperations.h:
858         * dfg/DFGPredictionPropagationPhase.cpp:
859         (JSC::DFG::PredictionPropagationPhase::propagate):
860         * dfg/DFGSpeculativeJIT.cpp:
861         (JSC::DFG::SpeculativeJIT::arrayify):
862         * dfg/DFGStructureCheckHoistingPhase.cpp:
863         (JSC::DFG::StructureCheckHoistingPhase::run):
864         * runtime/JSObject.cpp:
865         (JSC):
866         (JSC::JSObject::genericConvertDoubleToContiguous):
867         (JSC::JSObject::convertDoubleToContiguous):
868         (JSC::JSObject::rageConvertDoubleToContiguous):
869         (JSC::JSObject::ensureContiguousSlow):
870         (JSC::JSObject::rageEnsureContiguousSlow):
871         * runtime/JSObject.h:
872         (JSObject):
873         (JSC::JSObject::rageEnsureContiguous):
874
875 2012-12-02  Filip Pizlo  <fpizlo@apple.com>
876
877         DFG CSE should not keep alive things that aren't relevant to OSR
878         https://bugs.webkit.org/show_bug.cgi?id=103849
879
880         Reviewed by Oliver Hunt.
881
882         Most Phantom nodes are inserted by CSE, and by default have the same children as the
883         node that CSE had eliminated. This change makes CSE inspect all Phantom nodes (both
884         those it creates and those that were created by other phases) to see if they have
885         children that are redundant - i.e. children that are not interesting to OSR, which
886         is the only reason why Phantoms exist in the first place. Being relevant to OSR is
887         defined as one of: (1) you're a Phi, (2) you're a SetLocal, (3) somewhere between
888         your definition and the Phantom there was a SetLocal that referred to you.
889         
890         This is a slight speed-up in a few places.
891
892         * dfg/DFGCSEPhase.cpp:
893         (JSC::DFG::CSEPhase::CSEPhase):
894         (JSC::DFG::CSEPhase::run):
895         (JSC::DFG::CSEPhase::performSubstitution):
896         (CSEPhase):
897         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
898         (JSC::DFG::CSEPhase::setReplacement):
899         (JSC::DFG::CSEPhase::eliminate):
900         (JSC::DFG::CSEPhase::performNodeCSE):
901         (JSC::DFG::CSEPhase::performBlockCSE):
902
903 2012-12-02  Filip Pizlo  <fpizlo@apple.com>
904
905         It should be possible to build and run with DFG_ENABLE(PROPAGATION_VERBOSE)
906         https://bugs.webkit.org/show_bug.cgi?id=103848
907
908         Reviewed by Sam Weinig.
909
910         Fix random dataLog() and print() statements.
911
912         * dfg/DFGArgumentsSimplificationPhase.cpp:
913         (JSC::DFG::ArgumentsSimplificationPhase::run):
914         * dfg/DFGByteCodeParser.cpp:
915         (JSC::DFG::ByteCodeParser::parseCodeBlock):
916         * dfg/DFGGraph.cpp:
917         (JSC::DFG::Graph::dumpBlockHeader):
918         * dfg/DFGPredictionPropagationPhase.cpp:
919         (JSC::DFG::PredictionPropagationPhase::propagate):
920         * dfg/DFGStructureCheckHoistingPhase.cpp:
921         (JSC::DFG::StructureCheckHoistingPhase::run):
922
923 2012-12-01  Filip Pizlo  <fpizlo@apple.com>
924
925         CodeBlock should be able to dump bytecode to something other than WTF::dataFile()
926         https://bugs.webkit.org/show_bug.cgi?id=103832
927
928         Reviewed by Oliver Hunt.
929
930         Add a PrintStream& argument to all of the CodeBlock bytecode dumping methods.
931
932         * bytecode/CodeBlock.cpp:
933         (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
934         (JSC::CodeBlock::printUnaryOp):
935         (JSC::CodeBlock::printBinaryOp):
936         (JSC::CodeBlock::printConditionalJump):
937         (JSC::CodeBlock::printGetByIdOp):
938         (JSC::dumpStructure):
939         (JSC::dumpChain):
940         (JSC::CodeBlock::printGetByIdCacheStatus):
941         (JSC::CodeBlock::printCallOp):
942         (JSC::CodeBlock::printPutByIdOp):
943         (JSC::CodeBlock::printStructure):
944         (JSC::CodeBlock::printStructures):
945         (JSC::CodeBlock::dumpBytecode):
946         * bytecode/CodeBlock.h:
947         (CodeBlock):
948         * jit/JITDisassembler.cpp:
949         (JSC::JITDisassembler::dumpForInstructions):
950
951 2012-11-30  Pierre Rossi  <pierre.rossi@gmail.com>
952
953         [Qt] Unreviewed speculative Mac build fix after r136232
954
955         Update the include path so that LLIntAssembly.h is picked up.
956         The bot didn't break until later when a clean build was triggered.
957
958         * JavaScriptCore.pri:
959
960 2012-11-30  Oliver Hunt  <oliver@apple.com>
961
962         Optimise more cases of op_typeof
963         https://bugs.webkit.org/show_bug.cgi?id=103783
964
965         Reviewed by Mark Hahnenberg.
966
967         Increase our coverage of typeof based typechecks by
968         making sure that the code generators always use
969         consistent operand ordering when feeding typeof operations
970         into equality operations.
971
972         * bytecompiler/NodesCodegen.cpp:
973         (JSC::BinaryOpNode::emitBytecode):
974         (JSC::EqualNode::emitBytecode):
975         (JSC::StrictEqualNode::emitBytecode):
976
977 2012-11-30  Filip Pizlo  <fpizlo@apple.com>
978
979         Rationalize and clean up DFG handling of scoped accesses
980         https://bugs.webkit.org/show_bug.cgi?id=103715
981
982         Reviewed by Oliver Hunt.
983
984         Previously, we had a GetScope node that specified the depth to which you wanted
985         to travel to get a JSScope, and the backend implementation of the node would
986         perform all of the necessary footwork, including potentially skipping the top
987         scope if necessary, and doing however many loads were needed. But there were
988         strange things. First, if you had accesses at different scope depths, then the
989         loads to get to the common depth could not be CSE'd - CSE would match only
990         GetScope's that had identical depth. Second, GetScope would be emitted even if
991         we already had the scope, for example in put_to_base. And finally, even though
992         the ResolveOperations could tell us whether or not we had to skip the top scope,
993         the backend would recompute this information itself, often pessimistically.
994         
995         This eliminates GetScope and replaces it with the following:
996         
997         GetMyScope: just get the JSScope from the call frame header. This will forever
998         mean getting the JSScope associated with the machine call frame; it will not
999         mean getting the scope of an inlined function. Or at least that's the intent.
1000         
1001         SkipTopScope: check if there is an activation, and if so, skip a scope. This
1002         takes a scope as a child and returns a scope.
1003         
1004         SkipScope: skip one scope level.
1005         
1006         The bytecode parser now emits the right combination of the above, and
1007         potentially emits multiple SkipScope's, based on the ResolveOperations.
1008         
1009         This change also includes some fixups to debug logging. We now always print
1010         the ExecutableBase* in addition to the CodeBlock* in the CodeBlock's dump,
1011         and we are now more verbose when dumping CodeOrigins and InlineCallFrames.
1012         
1013         This is performance-neutral. It's just meant to be a clean-up.
1014
1015         * bytecode/CodeBlock.cpp:
1016         (JSC::CodeBlock::dumpAssumingJITType):
1017         * bytecode/CodeOrigin.cpp:
1018         (JSC::CodeOrigin::inlineStack):
1019         (JSC::CodeOrigin::dump):
1020         (JSC):
1021         (JSC::InlineCallFrame::dump):
1022         * bytecode/CodeOrigin.h:
1023         (CodeOrigin):
1024         (InlineCallFrame):
1025         * dfg/DFGAbstractState.cpp:
1026         (JSC::DFG::AbstractState::execute):
1027         * dfg/DFGByteCodeParser.cpp:
1028         (ByteCodeParser):
1029         (JSC::DFG::ByteCodeParser::getScope):
1030         (DFG):
1031         (JSC::DFG::ByteCodeParser::parseResolveOperations):
1032         (JSC::DFG::ByteCodeParser::parseBlock):
1033         * dfg/DFGCSEPhase.cpp:
1034         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1035         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1036         (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
1037         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1038         (JSC::DFG::CSEPhase::performNodeCSE):
1039         * dfg/DFGDisassembler.cpp:
1040         (JSC::DFG::Disassembler::dump):
1041         * dfg/DFGGraph.cpp:
1042         (JSC::DFG::Graph::dumpCodeOrigin):
1043         (JSC::DFG::Graph::dumpBlockHeader):
1044         * dfg/DFGNode.h:
1045         (Node):
1046         * dfg/DFGNodeType.h:
1047         (DFG):
1048         * dfg/DFGPredictionPropagationPhase.cpp:
1049         (JSC::DFG::PredictionPropagationPhase::propagate):
1050         * dfg/DFGSpeculativeJIT32_64.cpp:
1051         (JSC::DFG::SpeculativeJIT::compile):
1052         * dfg/DFGSpeculativeJIT64.cpp:
1053         (JSC::DFG::SpeculativeJIT::compile):
1054         * jit/JITDisassembler.cpp:
1055         (JSC::JITDisassembler::dump):
1056
1057 2012-11-30  Oliver Hunt  <oliver@apple.com>
1058
1059         Add direct string->function code cache
1060         https://bugs.webkit.org/show_bug.cgi?id=103764
1061
1062         Reviewed by Michael Saboff.
1063
1064         A fairly logically simple patch.  We now track the start of the
1065         unique portion of a function's body, and use that as our key for
1066         unlinked function code.  This allows us to cache identical code
1067         in different contexts, leading to a small but consistent improvement
1068         on the benchmarks we track.
1069
1070         * bytecode/UnlinkedCodeBlock.cpp:
1071         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1072         * bytecode/UnlinkedCodeBlock.h:
1073         (JSC::UnlinkedFunctionExecutable::functionStartOffset):
1074         (UnlinkedFunctionExecutable):
1075         * parser/ASTBuilder.h:
1076         (ASTBuilder):
1077         (JSC::ASTBuilder::setFunctionStart):
1078         * parser/Nodes.cpp:
1079         * parser/Nodes.h:
1080         (JSC::FunctionBodyNode::setFunctionStart):
1081         (JSC::FunctionBodyNode::functionStart):
1082         (FunctionBodyNode):
1083         * parser/Parser.cpp:
1084         (JSC::::parseFunctionInfo):
1085         * parser/Parser.h:
1086         (JSC::Parser::findCachedFunctionInfo):
1087         * parser/SyntaxChecker.h:
1088         (JSC::SyntaxChecker::setFunctionStart):
1089         * runtime/CodeCache.cpp:
1090         (JSC::CodeCache::generateFunctionCodeBlock):
1091         (JSC::CodeCache::getFunctionCodeBlock):
1092         (JSC::CodeCache::usedFunctionCode):
1093         * runtime/CodeCache.h:
1094
1095 2012-11-30  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1096
1097         Crash in conversion of empty OpaqueJSString to Identifier 
1098         https://bugs.webkit.org/show_bug.cgi?id=101867
1099
1100         Reviewed by Michael Saboff.
1101
1102         The constructor call used for both null and empty OpaqueJSStrings results
1103         in an assertion violation and crash. This patch instead uses the Identifier
1104         constructors which are specifically for null and empty Identifier.
1105
1106         * API/OpaqueJSString.cpp:
1107         (OpaqueJSString::identifier):
1108
1109 2012-11-30  Tor Arne Vestbø  <tor.arne.vestbo@digia.com>
1110
1111         [Qt] Place the LLIntOffsetsExtractor binaries in debug/release subdirs on Mac
1112
1113         Otherwise we'll end up using the same LLIntAssembly.h for both build
1114         configs of JavaScriptCore -- one of which will be for the wrong
1115         config.
1116
1117         Reviewed by Simon Hausmann.
1118
1119         * LLIntOffsetsExtractor.pro:
1120
1121 2012-11-30  Julien BRIANCEAU   <jbrianceau@nds.com>
1122
1123         [sh4] Fix compilation warnings in JavaScriptCore JIT for sh4 arch
1124         https://bugs.webkit.org/show_bug.cgi?id=103378
1125
1126         Reviewed by Filip Pizlo.
1127
1128         * assembler/MacroAssemblerSH4.h:
1129         (JSC::MacroAssemblerSH4::branchTest32):
1130         (JSC::MacroAssemblerSH4::branchAdd32):
1131         (JSC::MacroAssemblerSH4::branchMul32):
1132         (JSC::MacroAssemblerSH4::branchSub32):
1133         (JSC::MacroAssemblerSH4::branchOr32):
1134
1135 2012-11-29  Rafael Weinstein  <rafaelw@chromium.org>
1136
1137         [HTMLTemplateElement] Add feature flag
1138         https://bugs.webkit.org/show_bug.cgi?id=103694
1139
1140         Reviewed by Adam Barth.
1141
1142         This flag will guard the implementation of the HTMLTemplateElement.
1143         http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html
1144
1145         * Configurations/FeatureDefines.xcconfig:
1146
1147 2012-11-29  Filip Pizlo  <fpizlo@apple.com>
1148
1149         It should be easy to find code blocks in debug dumps
1150         https://bugs.webkit.org/show_bug.cgi?id=103623
1151
1152         Reviewed by Geoffrey Garen.
1153
1154         This gives CodeBlock a relatively strong, but also relatively compact, hash. We compute
1155         it lazily so that it only impacts run-time when debug support is enabled. We stringify
1156         it smartly so that it's short and easy to type. We base it on the source code so that
1157         the optimization level is irrelevant. And, we use SHA1 since it's already in our code
1158         base. Now, when a piece of code wants to print some debugging to say that it's operating
1159         on some code block, it can use this CodeBlockHash instead of memory addresses.
1160
1161         This also takes CodeBlock debugging into the new world of print() and dataLog(). In
1162         particular, CodeBlock::dump() corresponds to the thing you want printed if you do:
1163
1164         dataLog("I heart ", *myCodeBlock);
1165
1166         Probably, you want to just print some identifying information at this point rather than
1167         the full bytecode dump. So, the existing CodeBlock::dump() has been renamed to
1168         CodeBlock::dumpBytecode(), and CodeBlock::dump() now prints the CodeBlockHash plus just
1169         a few little tidbits.
1170         
1171         Here's an example of CodeBlock::dump() output:
1172         
1173         EkILzr:[0x103883a00, BaselineFunctionCall]
1174         
1175         EkILzr is the CodeBlockHash. 0x103883a00 is the CodeBlock's address in memory. The other
1176         part is self-explanatory.
1177
1178         Finally, this new notion of CodeBlockHash is available for other purposes like bisecting
1179         breakage. As such CodeBlockHash has all of the comparison operator overloads. When
1180         bisecting in DFGDriver.cpp, you can now say things like:
1181         
1182         if (codeBlock->hash() < CodeBlockHash("CAAAAA"))
1183             return false;
1184         
1185         And yes, CAAAAA is near the median hash, and the largest one is smaller than E99999. Such
1186         is life when you use base 62 to encode a 32-bit number.
1187
1188         * CMakeLists.txt:
1189         * GNUmakefile.list.am:
1190         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1191         * JavaScriptCore.xcodeproj/project.pbxproj:
1192         * Target.pri:
1193         * bytecode/CallLinkInfo.h:
1194         (CallLinkInfo):
1195         (JSC::CallLinkInfo::specializationKind):
1196         * bytecode/CodeBlock.cpp:
1197         (JSC::CodeBlock::hash):
1198         (JSC):
1199         (JSC::CodeBlock::dumpAssumingJITType):
1200         (JSC::CodeBlock::dump):
1201         (JSC::CodeBlock::dumpBytecode):
1202         (JSC::CodeBlock::CodeBlock):
1203         (JSC::CodeBlock::finalizeUnconditionally):
1204         (JSC::CodeBlock::resetStubInternal):
1205         (JSC::CodeBlock::reoptimize):
1206         (JSC::ProgramCodeBlock::jettison):
1207         (JSC::EvalCodeBlock::jettison):
1208         (JSC::FunctionCodeBlock::jettison):
1209         (JSC::CodeBlock::shouldOptimizeNow):
1210         (JSC::CodeBlock::tallyFrequentExitSites):
1211         (JSC::CodeBlock::dumpValueProfiles):
1212         * bytecode/CodeBlock.h:
1213         (JSC::CodeBlock::specializationKind):
1214         (CodeBlock):
1215         (JSC::CodeBlock::getJITType):
1216         * bytecode/CodeBlockHash.cpp: Added.
1217         (JSC):
1218         (JSC::CodeBlockHash::CodeBlockHash):
1219         (JSC::CodeBlockHash::dump):
1220         * bytecode/CodeBlockHash.h: Added.
1221         (JSC):
1222         (CodeBlockHash):
1223         (JSC::CodeBlockHash::CodeBlockHash):
1224         (JSC::CodeBlockHash::hash):
1225         (JSC::CodeBlockHash::operator==):
1226         (JSC::CodeBlockHash::operator!=):
1227         (JSC::CodeBlockHash::operator<):
1228         (JSC::CodeBlockHash::operator>):
1229         (JSC::CodeBlockHash::operator<=):
1230         (JSC::CodeBlockHash::operator>=):
1231         * bytecode/CodeBlockWithJITType.h: Added.
1232         (JSC):
1233         (CodeBlockWithJITType):
1234         (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
1235         (JSC::CodeBlockWithJITType::dump):
1236         * bytecode/CodeOrigin.cpp: Added.
1237         (JSC):
1238         (JSC::CodeOrigin::inlineDepthForCallFrame):
1239         (JSC::CodeOrigin::inlineDepth):
1240         (JSC::CodeOrigin::inlineStack):
1241         (JSC::InlineCallFrame::hash):
1242         * bytecode/CodeOrigin.h:
1243         (InlineCallFrame):
1244         (JSC::InlineCallFrame::specializationKind):
1245         (JSC):
1246         * bytecode/CodeType.cpp: Added.
1247         (WTF):
1248         (WTF::printInternal):
1249         * bytecode/CodeType.h:
1250         (WTF):
1251         * bytecode/ExecutionCounter.cpp:
1252         (JSC::ExecutionCounter::dump):
1253         * bytecode/ExecutionCounter.h:
1254         (ExecutionCounter):
1255         * dfg/DFGByteCodeParser.cpp:
1256         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1257         * dfg/DFGDisassembler.cpp:
1258         (JSC::DFG::Disassembler::dump):
1259         * dfg/DFGGraph.cpp:
1260         (JSC::DFG::Graph::dumpCodeOrigin):
1261         * dfg/DFGOSRExitCompiler.cpp:
1262         * dfg/DFGOperations.cpp:
1263         * dfg/DFGRepatch.cpp:
1264         (JSC::DFG::generateProtoChainAccessStub):
1265         (JSC::DFG::tryCacheGetByID):
1266         (JSC::DFG::tryBuildGetByIDList):
1267         (JSC::DFG::emitPutReplaceStub):
1268         (JSC::DFG::emitPutTransitionStub):
1269         (JSC::DFG::dfgLinkClosureCall):
1270         * interpreter/Interpreter.cpp:
1271         (JSC::Interpreter::dumpCallFrame):
1272         * jit/JITCode.cpp: Added.
1273         (WTF):
1274         (WTF::printInternal):
1275         * jit/JITCode.h:
1276         (JSC::JITCode::jitType):
1277         (WTF):
1278         * jit/JITDisassembler.cpp:
1279         (JSC::JITDisassembler::dump):
1280         (JSC::JITDisassembler::dumpForInstructions):
1281         * jit/JITPropertyAccess.cpp:
1282         (JSC::JIT::privateCompilePutByIdTransition):
1283         (JSC::JIT::privateCompilePatchGetArrayLength):
1284         (JSC::JIT::privateCompileGetByIdProto):
1285         (JSC::JIT::privateCompileGetByIdSelfList):
1286         (JSC::JIT::privateCompileGetByIdProtoList):
1287         (JSC::JIT::privateCompileGetByIdChainList):
1288         (JSC::JIT::privateCompileGetByIdChain):
1289         (JSC::JIT::privateCompileGetByVal):
1290         (JSC::JIT::privateCompilePutByVal):
1291         * jit/JITPropertyAccess32_64.cpp:
1292         (JSC::JIT::privateCompilePutByIdTransition):
1293         (JSC::JIT::privateCompilePatchGetArrayLength):
1294         (JSC::JIT::privateCompileGetByIdProto):
1295         (JSC::JIT::privateCompileGetByIdSelfList):
1296         (JSC::JIT::privateCompileGetByIdProtoList):
1297         (JSC::JIT::privateCompileGetByIdChainList):
1298         (JSC::JIT::privateCompileGetByIdChain):
1299         * jit/JITStubs.cpp:
1300         (JSC::DEFINE_STUB_FUNCTION):
1301         * runtime/CodeSpecializationKind.cpp: Added.
1302         (WTF):
1303         (WTF::printInternal):
1304         * runtime/CodeSpecializationKind.h:
1305         (JSC::specializationFromIsCall):
1306         (JSC):
1307         (JSC::specializationFromIsConstruct):
1308         (WTF):
1309         * runtime/Executable.cpp:
1310         (JSC::ExecutableBase::hashFor):
1311         (JSC):
1312         (JSC::NativeExecutable::hashFor):
1313         (JSC::ScriptExecutable::hashFor):
1314         * runtime/Executable.h:
1315         (ExecutableBase):
1316         (NativeExecutable):
1317         (ScriptExecutable):
1318         (JSC::ScriptExecutable::source):
1319
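The entry above describes CodeBlockHash as a 32-bit, SHA1-derived value rendered as six base-62 characters, and reasons about the resulting value space ("CAAAAA is near the median hash, and the largest one is smaller than E99999"). The following is an added example, written for this page and not WebKit's own CodeBlockHash implementation, that shows the six-character encoding and its inverse, and lets the two claims be checked numerically. It assumes the digit alphabet 'A'..'Z', 'a'..'z', '0'..'9' (values 0..61, most significant digit first); the page does not state the alphabet, so that is an assumption of the example. The SHA1 step is left out: the functions take the finished 32-bit hash as input.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>

// Assumed digit table: 'A'..'Z' = 0..25, 'a'..'z' = 26..51, '0'..'9' = 52..61.
// This is an assumption of the example, not a fact taken from the ChangeLog.
static const char kTable[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// 62^6 = 56,800,235,584 > 2^32, so six digits always suffice. The leading
// digit of any 32-bit value is at most 4 ('E'), which is why no real hash can
// reach "E99999" and why the median (2^31) starts with 'C'.
std::string encodeHash(uint32_t hash) {
    char buffer[7];
    uint32_t accumulator = hash;
    for (int i = 6; i-- > 0;) {          // fill least significant digit first
        buffer[i] = kTable[accumulator % 62];
        accumulator /= 62;
    }
    buffer[6] = '\0';
    return std::string(buffer);
}

// Inverse of encodeHash(). Rejects wrong lengths, characters outside the
// table and values that do not fit in 32 bits instead of silently
// mis-parsing them; a bisection bound like "E99999" is not a valid hash.
uint32_t decodeHash(const std::string& text) {
    if (text.size() != 6)
        throw std::invalid_argument("hash must be exactly six characters");
    uint64_t value = 0;
    for (char c : text) {
        const char* pos = (c == '\0') ? nullptr : std::strchr(kTable, c);
        if (!pos)
            throw std::invalid_argument("character outside base-62 table");
        value = value * 62 + static_cast<uint64_t>(pos - kTable);
    }
    if (value > UINT32_MAX)
        throw std::out_of_range("six base-62 digits exceed 32 bits");
    return static_cast<uint32_t>(value);
}

// True when the six-character string denotes a value a 32-bit hash can take.
bool isRepresentableHash(const std::string& text) {
    try {
        decodeHash(text);
        return true;
    } catch (const std::exception&) {
        return false;
    }
}

// Comparison as used for bisecting in the entry above: the hash compares as
// its numeric value. Note that plain string comparison would NOT agree,
// because '0'..'9' sort before 'A' in ASCII but encode the largest digits.
bool hashLessThan(uint32_t hash, const std::string& bound) {
    return hash < decodeHash(bound);
}
```

With this alphabet the largest 32-bit hash, 0xFFFFFFFF, encodes as "EqpPMD", so every real hash is below "E99999" (which decodes to a value above 2^32 and is rejected), and "CAAAAA" decodes to 2 * 62^5 = 1,832,265,664, a little below the 2^31 midpoint of the hash space.
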
1320 2012-11-29  Michael Saboff  <msaboff@apple.com>
1321
1322         Speculative Windows build fix after r136086.
1323
1324         Unreviewed build fix.
1325
1326         Suspect that ?setDumpsGeneratedCode@BytecodeGenerator@JSC@@SAX_N@Z needs to be removed from Windows
1327         export list since the symbol was removed in r136086.
1328
1329         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1330
1331 2012-11-28  Filip Pizlo  <fpizlo@apple.com>
1332
1333         SpeculatedType dumping should not use the static char buffer[thingy] idiom
1334         https://bugs.webkit.org/show_bug.cgi?id=103584
1335
1336         Reviewed by Michael Saboff.
1337
1338         Changed SpeculatedType to be "dumpable" by saying things like:
1339         
1340         dataLog("thingy = ", SpeculationDump(thingy))
1341         
1342         Removed the old stringification functions, and changed all code that referred to them
1343         to use the new dataLog()/print() style.
1344
1345         * CMakeLists.txt:
1346         * GNUmakefile.list.am:
1347         * JavaScriptCore.xcodeproj/project.pbxproj:
1348         * Target.pri:
1349         * bytecode/SpeculatedType.cpp:
1350         (JSC::dumpSpeculation):
1351         (JSC::speculationToAbbreviatedString):
1352         (JSC::dumpSpeculationAbbreviated):
1353         * bytecode/SpeculatedType.h:
1354         * bytecode/ValueProfile.h:
1355         (JSC::ValueProfileBase::dump):
1356         * bytecode/VirtualRegister.h:
1357         (WTF::printInternal):
1358         * dfg/DFGAbstractValue.h:
1359         (JSC::DFG::AbstractValue::dump):
1360         * dfg/DFGByteCodeParser.cpp:
1361         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1362         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1363         * dfg/DFGGraph.cpp:
1364         (JSC::DFG::Graph::dump):
1365         (JSC::DFG::Graph::predictArgumentTypes):
1366         * dfg/DFGGraph.h:
1367         (Graph):
1368         * dfg/DFGStructureAbstractValue.h:
1369         * dfg/DFGVariableAccessDataDump.cpp: Added.
1370         (JSC::DFG::VariableAccessDataDump::VariableAccessDataDump):
1371         (JSC::DFG::VariableAccessDataDump::dump):
1372         * dfg/DFGVariableAccessDataDump.h: Added.
1373         (VariableAccessDataDump):
1374
1375 2012-11-28  Michael Saboff  <msaboff@apple.com>
1376
1377         Change Bytecompiler s_dumpsGeneratedCode to an Options value
1378         https://bugs.webkit.org/show_bug.cgi?id=103588
1379
1380         Reviewed by Filip Pizlo.
1381
1382         Moved the control of dumping bytecodes to Options::dumpGeneratedBytecodes.
1383
1384         * bytecode/CodeBlock.cpp:
1385         (JSC::CodeBlock::CodeBlock):
1386         * bytecompiler/BytecodeGenerator.cpp:
1387         * bytecompiler/BytecodeGenerator.h:
1388         * jsc.cpp:
1389         (runWithScripts):
1390         * runtime/Options.h:
1391
1392 2012-11-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1393
1394         Copying phase should use work lists
1395         https://bugs.webkit.org/show_bug.cgi?id=101390
1396
1397         Reviewed by Filip Pizlo.
1398
1399         * JavaScriptCore.xcodeproj/project.pbxproj:
1400         * heap/BlockAllocator.cpp:
1401         (JSC::BlockAllocator::BlockAllocator):
1402         * heap/BlockAllocator.h: New RegionSet for CopyWorkListSegments.
1403         (BlockAllocator):
1404         (JSC::CopyWorkListSegment):
1405         * heap/CopiedBlock.h: Added a per-block CopyWorkList to keep track of the JSCells that need to be revisited during the copying
1406         phase to copy their backing stores.
1407         (CopiedBlock):
1408         (JSC::CopiedBlock::CopiedBlock): 
1409         (JSC::CopiedBlock::didSurviveGC):
1410         (JSC::CopiedBlock::didEvacuateBytes): Since there is now a one-to-one relationship between GCThreads and the CopiedBlocks they're
1411         responsible for evacuating, we no longer need any of that fancy compare and swap stuff.
1412         (JSC::CopiedBlock::pin):
1413         (JSC::CopiedBlock::hasWorkList): 
1414         (JSC::CopiedBlock::workList):
1415         * heap/CopiedBlockInlines.h: Added.
1416         (JSC::CopiedBlock::reportLiveBytes): Since we now have to grab a SpinLock to perform operations on the CopyWorkList during marking,
1417         we don't need to do any of that fancy compare and swap stuff we were doing for tracking live bytes.
1418         * heap/CopiedSpace.h:
1419         (CopiedSpace):
1420         * heap/CopiedSpaceInlines.h:
1421         (JSC::CopiedSpace::pin):
1422         * heap/CopyVisitor.cpp:
1423         (JSC::CopyVisitor::copyFromShared): We now iterate over a range of CopiedBlocks rather than MarkedBlocks and revisit the cells in those
1424         blocks' CopyWorkLists.
1425         * heap/CopyVisitor.h:
1426         (CopyVisitor):
1427         * heap/CopyVisitorInlines.h:
1428         (JSC::CopyVisitor::visitCell): The function responsible for calling the correct copyBackingStore() function for each JSCell from 
1429         a CopiedBlock's CopyWorkList.
1430         (JSC::CopyVisitor::didCopy): We no longer need to check if the block is empty here because we know exactly when we're done 
1431         evacuating a CopiedBlock, which is when we've gone through all of the CopiedBlock's CopyWorkList.
1432         * heap/CopyWorkList.h: Added.
1433         (CopyWorkListSegment): Individual chunk of a CopyWorkList that is allocated from the BlockAllocator.
1434         (JSC::CopyWorkListSegment::create):
1435         (JSC::CopyWorkListSegment::size):
1436         (JSC::CopyWorkListSegment::isFull):
1437         (JSC::CopyWorkListSegment::get):
1438         (JSC::CopyWorkListSegment::append):
1439         (JSC::CopyWorkListSegment::CopyWorkListSegment):
1440         (JSC::CopyWorkListSegment::data):
1441         (JSC::CopyWorkListSegment::endOfBlock):
1442         (CopyWorkListIterator): Responsible for giving CopyVisitors a contiguous notion of access across the separate CopyWorkListSegments
1443         that make up each CopyWorkList.
1444         (JSC::CopyWorkListIterator::get):
1445         (JSC::CopyWorkListIterator::operator*):
1446         (JSC::CopyWorkListIterator::operator->):
1447         (JSC::CopyWorkListIterator::operator++):
1448         (JSC::CopyWorkListIterator::operator==):
1449         (JSC::CopyWorkListIterator::operator!=):
1450         (JSC::CopyWorkListIterator::CopyWorkListIterator):
1451         (CopyWorkList): Data structure that keeps track of the JSCells that need copying in a particular CopiedBlock.
1452         (JSC::CopyWorkList::CopyWorkList):
1453         (JSC::CopyWorkList::~CopyWorkList):
1454         (JSC::CopyWorkList::append):
1455         (JSC::CopyWorkList::begin):
1456         (JSC::CopyWorkList::end):
1457         * heap/GCThreadSharedData.cpp:
1458         (JSC::GCThreadSharedData::GCThreadSharedData): We no longer use the m_blockSnapshot from the Heap during the copying phase.
1459         (JSC::GCThreadSharedData::didStartCopying): We now copy the set of all blocks in the CopiedSpace to a separate vector for 
1460         iterating over during the copying phase since the set stored in the CopiedSpace will change as blocks are evacuated and 
1461         recycled throughout the copying phase.
1462         * heap/GCThreadSharedData.h:
1463         (GCThreadSharedData): 
1464         * heap/Heap.h:
1465         (Heap):
1466         * heap/SlotVisitor.h: We now need to know the object who is being marked that has a backing store so that we can store it 
1467         in a CopyWorkList to revisit later during the copying phase.
1468         * heap/SlotVisitorInlines.h:
1469         (JSC::SlotVisitor::copyLater):
1470         * runtime/JSObject.cpp:
1471         (JSC::JSObject::visitButterfly):
1472
1473 2012-11-28  Filip Pizlo  <fpizlo@apple.com>
1474
1475         Disassembly methods should be able to disassemble to any PrintStream& rather than always using WTF::dataFile()
1476         https://bugs.webkit.org/show_bug.cgi?id=103492
1477
1478         Reviewed by Mark Hahnenberg.
1479
1480         Switched disassembly code to use PrintStream&, and to use print() rather than printf().
1481
1482         * dfg/DFGDisassembler.cpp:
1483         (JSC::DFG::Disassembler::dump):
1484         (DFG):
1485         (JSC::DFG::Disassembler::dumpDisassembly):
1486         * dfg/DFGDisassembler.h:
1487         (Disassembler):
1488         * dfg/DFGGraph.cpp:
1489         (JSC::DFG::printWhiteSpace):
1490         (JSC::DFG::Graph::dumpCodeOrigin):
1491         (JSC::DFG::Graph::printNodeWhiteSpace):
1492         (JSC::DFG::Graph::dump):
1493         (DFG):
1494         (JSC::DFG::Graph::dumpBlockHeader):
1495         * dfg/DFGGraph.h:
1496         (Graph):
1497         * jit/JITDisassembler.cpp:
1498         (JSC::JITDisassembler::dump):
1499         (JSC::JITDisassembler::dumpForInstructions):
1500         (JSC::JITDisassembler::dumpDisassembly):
1501         * jit/JITDisassembler.h:
1502         (JITDisassembler):
1503
1504 2012-11-28  Filip Pizlo  <fpizlo@apple.com>
1505
1506         It should be possible to say dataLog("count = ", count, "\n") instead of dataLogF("count = %d\n", count)
1507         https://bugs.webkit.org/show_bug.cgi?id=103009
1508
1509         Reviewed by Michael Saboff.
1510
1511         Instead of converting all of JSC to use the new dataLog()/print() methods, I just changed
1512         one place: dumping of abstract values. This is mainly just to ensure that the code I
1513         added to WTF is actually doing things.
1514
1515         * bytecode/CodeBlock.cpp:
1516         (JSC::CodeBlock::dump):
1517         * dfg/DFGAbstractValue.h:
1518         (JSC::DFG::AbstractValue::dump):
1519         (WTF):
1520         (WTF::printInternal):
1521         * dfg/DFGStructureAbstractValue.h:
1522         (JSC::DFG::StructureAbstractValue::dump):
1523         (WTF):
1524         (WTF::printInternal):
1525
1526 2012-11-28  Oliver Hunt  <oliver@apple.com>
1527
1528         Make source cache include more information about the function extent.
1529         https://bugs.webkit.org/show_bug.cgi?id=103552
1530
1531         Reviewed by Gavin Barraclough.
1532
1533         Add a bit more information to the source cache.
1534
1535         * parser/Parser.cpp:
1536         (JSC::::parseFunctionInfo):
1537            Store the function start offset
1538         * parser/SourceProviderCacheItem.h:
1539         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1540         (SourceProviderCacheItem):
1541            Add additional field for the start of the real function string, and re-arrange
1542            fields to avoid growing the struct.
1543
1544 2012-11-27  Filip Pizlo  <fpizlo@apple.com>
1545
1546         Convert some remaining uses of FILE* to PrintStream&.
1547
1548         Rubber stamped by Mark Hahnenberg.
1549
1550         * bytecode/ValueProfile.h:
1551         (JSC::ValueProfileBase::dump):
1552         * bytecode/ValueRecovery.h:
1553         (JSC::ValueRecovery::dump):
1554         * dfg/DFGByteCodeParser.cpp:
1555         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1556         * dfg/DFGNode.h:
1557         (JSC::DFG::Node::dumpChildren):
1558
1559 2012-11-27  Filip Pizlo  <fpizlo@apple.com>
1560
1561         Fix indentation in JSValue.h
1562
1563         Rubber stamped by Mark Hahnenberg.
1564
1565         * runtime/JSValue.h:
1566
1567 2012-11-26  Filip Pizlo  <fpizlo@apple.com>
1568
1569         DFG SetLocal should use forwardSpeculationCheck instead of its own half-baked version of same
1570         https://bugs.webkit.org/show_bug.cgi?id=103353
1571
1572         Reviewed by Oliver Hunt and Gavin Barraclough.
1573
1574         Made it possible to use forward speculations for most of the operand classes. Changed the conditional
1575         direction parameter from being 'bool isForward' to an enum (SpeculationDirection). Changed SetLocal
1576         to use forward speculations and got rid of its half-baked version of same.
1577         
1578         Also added the ability to force the DFG's disassembler to dump all nodes, even ones that are dead.
1579
1580         * dfg/DFGByteCodeParser.cpp:
1581         (JSC::DFG::ByteCodeParser::parseBlock):
1582         * dfg/DFGDisassembler.cpp:
1583         (JSC::DFG::Disassembler::dump):
1584         * dfg/DFGDriver.cpp:
1585         (JSC::DFG::compile):
1586         * dfg/DFGSpeculativeJIT.cpp:
1587         (JSC::DFG::SpeculativeJIT::speculationCheck):
1588         (DFG):
1589         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
1590         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
1591         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1592         (JSC::DFG::SpeculativeJIT::fillStorage):
1593         * dfg/DFGSpeculativeJIT.h:
1594         (SpeculativeJIT):
1595         (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
1596         (JSC::DFG::SpeculateIntegerOperand::gpr):
1597         (SpeculateIntegerOperand):
1598         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
1599         (JSC::DFG::SpeculateDoubleOperand::fpr):
1600         (SpeculateDoubleOperand):
1601         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
1602         (JSC::DFG::SpeculateCellOperand::gpr):
1603         (SpeculateCellOperand):
1604         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
1605         (JSC::DFG::SpeculateBooleanOperand::gpr):
1606         (SpeculateBooleanOperand):
1607         * dfg/DFGSpeculativeJIT32_64.cpp:
1608         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1609         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
1610         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1611         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1612         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1613         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1614         (JSC::DFG::SpeculativeJIT::compile):
1615         * dfg/DFGSpeculativeJIT64.cpp:
1616         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1617         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
1618         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1619         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1620         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1621         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1622         (JSC::DFG::SpeculativeJIT::compile):
1623         * runtime/Options.h:
1624         (JSC):
1625
1626 2012-11-26  Daniel Bates  <dbates@webkit.org>
1627
1628         Substitute "allSeparators8Bit" for "allSeperators8Bit" in JSC::jsSpliceSubstringsWithSeparators()
1629         <https://bugs.webkit.org/show_bug.cgi?id=103303>
1630
1631         Reviewed by Simon Fraser.
1632
1633         Fix misspelled word, "Seperators" [sic], in a local variable name in JSC::jsSpliceSubstringsWithSeparators().
1634
1635         * runtime/StringPrototype.cpp:
1636         (JSC::jsSpliceSubstringsWithSeparators):
1637
1638 2012-11-26  Daniel Bates  <dbates@webkit.org>
1639
1640         JavaScript fails to handle String.replace() with large replacement string
1641         https://bugs.webkit.org/show_bug.cgi?id=102956
1642         <rdar://problem/12738012>
1643
1644         Reviewed by Oliver Hunt.
1645
1646         Fix an issue where we didn't check for overflow when computing the length
1647         of the result of String.replace() with a large replacement string.
1648
1649         * runtime/StringPrototype.cpp:
1650         (JSC::jsSpliceSubstringsWithSeparators):
1651
1652 2012-11-26  Zeno Albisser  <zeno@webkit.org>
1653
1654         [Qt] Fix the LLInt build on Mac
1655         https://bugs.webkit.org/show_bug.cgi?id=97587
1656
1657         Reviewed by Simon Hausmann.
1658
1659         * DerivedSources.pri:
1660         * JavaScriptCore.pro:
1661
1662 2012-11-26  Oliver Hunt  <oliver@apple.com>
1663
1664         32-bit build fix.  Move the method declaration outside of the X86_64 only section.
1665
1666         * assembler/MacroAssembler.h:
1667         (MacroAssembler):
1668         (JSC::MacroAssembler::shouldConsiderBlinding):
1669
1670 2012-11-26  Oliver Hunt  <oliver@apple.com>
1671
1672         Don't blind all the things.
1673         https://bugs.webkit.org/show_bug.cgi?id=102572
1674
1675         Reviewed by Gavin Barraclough.
1676
1677         No longer blind all the constants in the instruction stream.  We use a
1678         simple non-deterministic filter to avoid blinding everything.  Also modified
1679         the basic integer blinding logic to avoid blinding small negative values.
1680
1681         * assembler/MacroAssembler.h:
1682         (MacroAssembler):
1683         (JSC::MacroAssembler::shouldConsiderBlinding):
1684         (JSC::MacroAssembler::shouldBlind):
1685
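        The entry above changes which immediates get blinded. The following is an added illustration of
        the mechanism, written for this page; it is not MacroAssembler code, and the "small value"
        threshold, the coin-toss probability and the use of std::mt19937 are assumptions made for the
        example rather than anything the entry states. It shows what blinding buys (the raw constant
        never appears in the emitted immediates, only a random key and value ^ key do) and what the
        filter skips (small values, including small negatives, and a random subset of the rest).

```cpp
// Added example, not WebKit's own code: constant blinding of 32-bit immediates
// with a "don't blind everything" filter in the spirit of the entry above.
#include <cstdint>
#include <random>
#include <vector>

struct BlindedImmediate {
    uint32_t key;      // random mask, emitted as one immediate
    uint32_t blinded;  // value ^ key, emitted as the other immediate
};

// Filter step 1: small values (positive or negative) are not worth the extra
// instructions. The bound is an assumption for this example.
static bool isSmallImmediate(int32_t value) {
    return value >= -0xFF && value <= 0xFF;
}

// Filter step 2: non-deterministic sampling among the remaining candidates, so
// the set of blinded constants differs from one compilation to the next.
// A 50% coin toss is an assumption for this example.
static bool shouldBlind(int32_t value, std::mt19937& rng) {
    if (isSmallImmediate(value))
        return false;
    return (rng() & 1u) == 0;
}

// Blind one immediate: draw a random key and store value ^ key. Emitted code
// materializes the key and then xors in the blinded half, so the constant
// itself is reconstructed in a register rather than encoded in the stream.
static BlindedImmediate blindImmediate(int32_t value, std::mt19937& rng) {
    BlindedImmediate b;
    b.key = static_cast<uint32_t>(rng());
    b.blinded = static_cast<uint32_t>(value) ^ b.key;
    return b;
}

// What the emitted xor computes at run time.
static int32_t unblind(const BlindedImmediate& b) {
    return static_cast<int32_t>(b.key ^ b.blinded);
}

// Returns true if blinding `value` with the RNG seeded by `seed` round-trips.
bool blindingRoundTrips(int32_t value, uint32_t seed) {
    std::mt19937 rng(seed);
    return unblind(blindImmediate(value, rng)) == value;
}

// Simulate emitting a list of constants and return the immediates that would
// land in the instruction stream: one per unblinded constant, two per blinded.
std::vector<uint32_t> emitImmediates(const std::vector<int32_t>& constants, uint32_t seed) {
    std::mt19937 rng(seed);
    std::vector<uint32_t> stream;
    for (int32_t c : constants) {
        if (!shouldBlind(c, rng)) {
            stream.push_back(static_cast<uint32_t>(c));
            continue;
        }
        BlindedImmediate b = blindImmediate(c, rng);
        stream.push_back(b.key);
        stream.push_back(b.blinded);
    }
    return stream;
}

// Exposed for checking the filter's deterministic half.
bool isSmallImmediateForTest(int32_t value) { return isSmallImmediate(value); }
```

        Small constants always pass through unchanged, so emitImmediates({5, -3, 0}, seed) yields exactly
        three immediates for any seed, while a larger constant is either emitted raw or replaced by a
        key/blinded pair depending on the coin toss; either way the xor recovers the original value.
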
1686 2012-11-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1687
1688         JSObject::copyButterfly doesn't handle undecided indexing types correctly
1689         https://bugs.webkit.org/show_bug.cgi?id=102573
1690
1691         Reviewed by Filip Pizlo.
1692
1693         We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks 
1694         during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing 
1695         types. We should just do the actual memcpy from the old block to the new one. 
1696
1697         * runtime/JSObject.cpp:
1698         (JSC::JSObject::copyButterfly): Just do the same thing that we do for other contiguous indexing types.
1699
1700 2012-11-26  Julien BRIANCEAU   <jbrianceau@nds.com>
1701
1702         [sh4] JavaScriptCore JIT build is broken since r135330
1703         Add missing implementation for sh4 arch.
1704         https://bugs.webkit.org/show_bug.cgi?id=103145
1705
1706         Reviewed by Oliver Hunt.
1707
1708         * assembler/MacroAssemblerSH4.h:
1709         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranchPtrWithPatch):
1710         (MacroAssemblerSH4):
1711         (JSC::MacroAssemblerSH4::startOfBranchPtrWithPatchOnRegister):
1712         (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
1713         (JSC::MacroAssemblerSH4::startOfPatchableBranchPtrWithPatchOnAddress):
1714         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch):
1715         * assembler/SH4Assembler.h:
1716         (JSC::SH4Assembler::revertJump):
1717         (SH4Assembler):
1718         (JSC::SH4Assembler::printInstr):
1719
1720 2012-11-26  Yuqiang Xian  <yuqiang.xian@intel.com>
1721
1722         Use load64 instead of loadPtr to load a JSValue on JSVALUE64 platforms
1723         https://bugs.webkit.org/show_bug.cgi?id=100909
1724
1725         Reviewed by Brent Fulgham.
1726
1727         This is a (trivial) fix after r132701.
1728
1729         * dfg/DFGOSRExitCompiler64.cpp:
1730         (JSC::DFG::OSRExitCompiler::compileExit):
1731
1732 2012-11-26  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
1733
1734         [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash
1735         https://bugs.webkit.org/show_bug.cgi?id=98857
1736
1737         Reviewed by Zoltan Herczeg.
1738
1739         Implement a new version of patchableBranch32 to fix crashing JSC
1740         tests.
1741
1742         * assembler/MacroAssembler.h:
1743         (MacroAssembler):
1744         * assembler/MacroAssemblerARM.h:
1745         (JSC::MacroAssemblerARM::patchableBranch32):
1746         (MacroAssemblerARM):
1747
1748 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
1749
1750         Any function that can log things should be able to easily log them to a memory buffer as well
1751         https://bugs.webkit.org/show_bug.cgi?id=103000
1752
1753         Reviewed by Sam Weinig.
1754
1755         Change all users of WTF::dataFile() to expect a PrintStream& rather than a FILE*.
1756
1757         * bytecode/Operands.h:
1758         (JSC::OperandValueTraits::dump):
1759         (JSC::dumpOperands):
1760         (JSC):
1761         * dfg/DFGAbstractState.cpp:
1762         (JSC::DFG::AbstractState::dump):
1763         * dfg/DFGAbstractState.h:
1764         (AbstractState):
1765         * dfg/DFGAbstractValue.h:
1766         (JSC::DFG::AbstractValue::dump):
1767         * dfg/DFGCommon.h:
1768         (JSC::DFG::NodeIndexTraits::dump):
1769         * dfg/DFGStructureAbstractValue.h:
1770         (JSC::DFG::StructureAbstractValue::dump):
1771         * dfg/DFGVariableEvent.cpp:
1772         (JSC::DFG::VariableEvent::dump):
1773         (JSC::DFG::VariableEvent::dumpFillInfo):
1774         (JSC::DFG::VariableEvent::dumpSpillInfo):
1775         * dfg/DFGVariableEvent.h:
1776         (VariableEvent):
1777         * disassembler/Disassembler.h:
1778         (JSC):
1779         (JSC::tryToDisassemble):
1780         * disassembler/UDis86Disassembler.cpp:
1781         (JSC::tryToDisassemble):
1782
1783 2012-11-23  Alexis Menard  <alexis@webkit.org>
1784
1785         [CSS3 Backgrounds and Borders] Implement new CSS3 background-position parsing.
1786         https://bugs.webkit.org/show_bug.cgi?id=102104
1787
1788         Reviewed by Julien Chaffraix.
1789
1790         Protect the new feature behind a feature flag.
1791
1792         * Configurations/FeatureDefines.xcconfig:
1793
1794 2012-11-23  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
1795
1796         Fix the ARM traditional build after r135330
1797         https://bugs.webkit.org/show_bug.cgi?id=102871
1798
1799         Reviewed by Zoltan Herczeg.
1800
1801         Added missing functionality to traditional ARM architecture.
1802
1803         * assembler/ARMAssembler.h:
1804         (JSC::ARMAssembler::revertJump):
1805         (ARMAssembler):
1806         * assembler/MacroAssemblerARM.h:
1807         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1808         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1809         (MacroAssemblerARM):
1810         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1811
1812 2012-11-16  Yury Semikhatsky  <yurys@chromium.org>
1813
1814         Memory instrumentation: extract MemoryObjectInfo declaration into a separate file
1815         https://bugs.webkit.org/show_bug.cgi?id=102510
1816
1817         Reviewed by Pavel Feldman.
1818
1819         Added new symbols for the methods that have moved into .../wtf/MemoryInstrumentation.cpp
1820
1821         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1822
1823 2012-11-23  Julien BRIANCEAU   <jbrianceau@nds.com>
1824
1825         [sh4] JavaScriptCore JIT build is broken since r130839
1826         Add missing implementation for sh4 arch.
1827         https://bugs.webkit.org/show_bug.cgi?id=101479
1828
1829         Reviewed by Filip Pizlo.
1830
1831         * assembler/MacroAssemblerSH4.h:
1832         (JSC::MacroAssemblerSH4::load8Signed):
1833         (MacroAssemblerSH4):
1834         (JSC::MacroAssemblerSH4::load16Signed):
1835         (JSC::MacroAssemblerSH4::store8):
1836         (JSC::MacroAssemblerSH4::store16):
1837         (JSC::MacroAssemblerSH4::moveDoubleToInts):
1838         (JSC::MacroAssemblerSH4::moveIntsToDouble):
1839         (JSC::MacroAssemblerSH4::loadFloat):
1840         (JSC::MacroAssemblerSH4::loadDouble):
1841         (JSC::MacroAssemblerSH4::storeFloat):
1842         (JSC::MacroAssemblerSH4::storeDouble):
1843         (JSC::MacroAssemblerSH4::addDouble):
1844         (JSC::MacroAssemblerSH4::convertFloatToDouble):
1845         (JSC::MacroAssemblerSH4::convertDoubleToFloat):
1846         (JSC::MacroAssemblerSH4::urshift32):
1847         * assembler/SH4Assembler.h:
1848         (JSC::SH4Assembler::sublRegReg):
1849         (JSC::SH4Assembler::subvlRegReg):
1850         (JSC::SH4Assembler::floatfpulfrn):
1851         (JSC::SH4Assembler::fldsfpul):
1852         (JSC::SH4Assembler::fstsfpul):
1853         (JSC::SH4Assembler::dcnvsd):
1854         (SH4Assembler):
1855         (JSC::SH4Assembler::movbRegMem):
1856         (JSC::SH4Assembler::sizeOfConstantPool):
1857         (JSC::SH4Assembler::linkJump):
1858         (JSC::SH4Assembler::printInstr):
1859         (JSC::SH4Assembler::printBlockInstr):
1860
1861 2012-11-22  Balazs Kilvady  <kilvadyb@homejinni.com>
1862
1863         Fix the MIPS build after r135330
1864         https://bugs.webkit.org/show_bug.cgi?id=102872
1865
1866         Reviewed by Gavin Barraclough.
1867
1868         Revert/replace functions added to MIPS port.
1869
1870         * assembler/MIPSAssembler.h:
1871         (JSC::MIPSAssembler::revertJumpToMove):
1872         (MIPSAssembler):
1873         (JSC::MIPSAssembler::replaceWithJump):
1874         * assembler/MacroAssemblerMIPS.h:
1875         (MacroAssemblerMIPS):
1876         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1877         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1878         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1879
1880 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
1881
1882         Rename dataLog() and dataLogV() to dataLogF() and dataLogFV()
1883         https://bugs.webkit.org/show_bug.cgi?id=103001
1884
1885         Rubber stamped by Dan Bernstein.
1886
1887         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1888         * assembler/LinkBuffer.cpp:
1889         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1890         (JSC::LinkBuffer::dumpLinkStatistics):
1891         (JSC::LinkBuffer::dumpCode):
1892         * assembler/LinkBuffer.h:
1893         (JSC):
1894         * assembler/SH4Assembler.h:
1895         (JSC::SH4Assembler::vprintfStdoutInstr):
1896         * bytecode/CodeBlock.cpp:
1897         (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
1898         (JSC::CodeBlock::printUnaryOp):
1899         (JSC::CodeBlock::printBinaryOp):
1900         (JSC::CodeBlock::printConditionalJump):
1901         (JSC::CodeBlock::printGetByIdOp):
1902         (JSC::dumpStructure):
1903         (JSC::dumpChain):
1904         (JSC::CodeBlock::printGetByIdCacheStatus):
1905         (JSC::CodeBlock::printCallOp):
1906         (JSC::CodeBlock::printPutByIdOp):
1907         (JSC::CodeBlock::printStructure):
1908         (JSC::CodeBlock::printStructures):
1909         (JSC::CodeBlock::dump):
1910         (JSC::CodeBlock::dumpStatistics):
1911         (JSC::CodeBlock::finalizeUnconditionally):
1912         (JSC::CodeBlock::resetStubInternal):
1913         (JSC::CodeBlock::reoptimize):
1914         (JSC::ProgramCodeBlock::jettison):
1915         (JSC::EvalCodeBlock::jettison):
1916         (JSC::FunctionCodeBlock::jettison):
1917         (JSC::CodeBlock::shouldOptimizeNow):
1918         (JSC::CodeBlock::tallyFrequentExitSites):
1919         (JSC::CodeBlock::dumpValueProfiles):
1920         * bytecode/Opcode.cpp:
1921         (JSC::OpcodeStats::~OpcodeStats):
1922         * bytecode/SamplingTool.cpp:
1923         (JSC::SamplingFlags::stop):
1924         (JSC::SamplingRegion::dumpInternal):
1925         (JSC::SamplingTool::dump):
1926         * dfg/DFGAbstractState.cpp:
1927         (JSC::DFG::AbstractState::initialize):
1928         (JSC::DFG::AbstractState::endBasicBlock):
1929         (JSC::DFG::AbstractState::mergeStateAtTail):
1930         (JSC::DFG::AbstractState::mergeToSuccessors):
1931         * dfg/DFGAbstractValue.h:
1932         (JSC::DFG::AbstractValue::dump):
1933         * dfg/DFGArgumentsSimplificationPhase.cpp:
1934         (JSC::DFG::ArgumentsSimplificationPhase::run):
1935         * dfg/DFGByteCodeParser.cpp:
1936         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1937         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1938         (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
1939         (JSC::DFG::ByteCodeParser::makeSafe):
1940         (JSC::DFG::ByteCodeParser::makeDivSafe):
1941         (JSC::DFG::ByteCodeParser::handleCall):
1942         (JSC::DFG::ByteCodeParser::handleInlining):
1943         (JSC::DFG::ByteCodeParser::parseBlock):
1944         (JSC::DFG::ByteCodeParser::processPhiStack):
1945         (JSC::DFG::ByteCodeParser::linkBlock):
1946         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1947         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1948         (JSC::DFG::ByteCodeParser::parse):
1949         * dfg/DFGCFAPhase.cpp:
1950         (JSC::DFG::CFAPhase::performBlockCFA):
1951         (JSC::DFG::CFAPhase::performForwardCFA):
1952         * dfg/DFGCFGSimplificationPhase.cpp:
1953         (JSC::DFG::CFGSimplificationPhase::run):
1954         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
1955         (JSC::DFG::CFGSimplificationPhase::fixPhis):
1956         (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
1957         (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
1958         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1959         * dfg/DFGCSEPhase.cpp:
1960         (JSC::DFG::CSEPhase::endIndexForPureCSE):
1961         (JSC::DFG::CSEPhase::setReplacement):
1962         (JSC::DFG::CSEPhase::eliminate):
1963         (JSC::DFG::CSEPhase::performNodeCSE):
1964         * dfg/DFGCapabilities.cpp:
1965         (JSC::DFG::debugFail):
1966         * dfg/DFGConstantFoldingPhase.cpp:
1967         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1968         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
1969         * dfg/DFGDisassembler.cpp:
1970         (JSC::DFG::Disassembler::dump):
1971         * dfg/DFGDriver.cpp:
1972         (JSC::DFG::compile):
1973         * dfg/DFGFixupPhase.cpp:
1974         (JSC::DFG::FixupPhase::fixupNode):
1975         (JSC::DFG::FixupPhase::fixDoubleEdge):
1976         * dfg/DFGGraph.cpp:
1977         (JSC::DFG::printWhiteSpace):
1978         (JSC::DFG::Graph::dumpCodeOrigin):
1979         (JSC::DFG::Graph::dump):
1980         (JSC::DFG::Graph::dumpBlockHeader):
1981         (JSC::DFG::Graph::predictArgumentTypes):
1982         * dfg/DFGJITCompiler.cpp:
1983         (JSC::DFG::JITCompiler::link):
1984         * dfg/DFGOSREntry.cpp:
1985         (JSC::DFG::prepareOSREntry):
1986         * dfg/DFGOSRExitCompiler.cpp:
1987         * dfg/DFGOSRExitCompiler32_64.cpp:
1988         (JSC::DFG::OSRExitCompiler::compileExit):
1989         * dfg/DFGOSRExitCompiler64.cpp:
1990         (JSC::DFG::OSRExitCompiler::compileExit):
1991         * dfg/DFGOperations.cpp:
1992         * dfg/DFGPhase.cpp:
1993         (JSC::DFG::Phase::beginPhase):
1994         * dfg/DFGPhase.h:
1995         (JSC::DFG::runAndLog):
1996         * dfg/DFGPredictionPropagationPhase.cpp:
1997         (JSC::DFG::PredictionPropagationPhase::propagate):
1998         (JSC::DFG::PredictionPropagationPhase::propagateForward):
1999         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
2000         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2001         * dfg/DFGRegisterBank.h:
2002         (JSC::DFG::RegisterBank::dump):
2003         * dfg/DFGScoreBoard.h:
2004         (JSC::DFG::ScoreBoard::use):
2005         (JSC::DFG::ScoreBoard::dump):
2006         * dfg/DFGSlowPathGenerator.h:
2007         (JSC::DFG::SlowPathGenerator::generate):
2008         * dfg/DFGSpeculativeJIT.cpp:
2009         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2010         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutionWithConditionalDirection):
2011         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
2012         (JSC::DFG::SpeculativeJIT::dump):
2013         (JSC::DFG::SpeculativeJIT::checkConsistency):
2014         (JSC::DFG::SpeculativeJIT::compile):
2015         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
2016         * dfg/DFGSpeculativeJIT32_64.cpp:
2017         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2018         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2019         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2020         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2021         * dfg/DFGSpeculativeJIT64.cpp:
2022         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2023         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2024         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2025         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2026         * dfg/DFGStructureCheckHoistingPhase.cpp:
2027         (JSC::DFG::StructureCheckHoistingPhase::run):
2028         * dfg/DFGValidate.cpp:
2029         (Validate):
2030         (JSC::DFG::Validate::reportValidationContext):
2031         (JSC::DFG::Validate::dumpData):
2032         (JSC::DFG::Validate::dumpGraphIfAppropriate):
2033         * dfg/DFGVariableEventStream.cpp:
2034         (JSC::DFG::VariableEventStream::logEvent):
2035         (JSC::DFG::VariableEventStream::reconstruct):
2036         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2037         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2038         * heap/Heap.cpp:
2039         * heap/HeapStatistics.cpp:
2040         (JSC::HeapStatistics::logStatistics):
2041         (JSC::HeapStatistics::showObjectStatistics):
2042         * heap/MarkStack.h:
2043         * heap/MarkedBlock.h:
2044         * heap/SlotVisitor.cpp:
2045         (JSC::SlotVisitor::validate):
2046         * interpreter/CallFrame.cpp:
2047         (JSC::CallFrame::dumpCaller):
2048         * interpreter/Interpreter.cpp:
2049         (JSC::Interpreter::dumpRegisters):
2050         * jit/JIT.cpp:
2051         (JSC::JIT::privateCompileMainPass):
2052         (JSC::JIT::privateCompileSlowCases):
2053         (JSC::JIT::privateCompile):
2054         * jit/JITDisassembler.cpp:
2055         (JSC::JITDisassembler::dump):
2056         (JSC::JITDisassembler::dumpForInstructions):
2057         * jit/JITStubRoutine.h:
2058         (JSC):
2059         * jit/JITStubs.cpp:
2060         (JSC::DEFINE_STUB_FUNCTION):
2061         * jit/JumpReplacementWatchpoint.cpp:
2062         (JSC::JumpReplacementWatchpoint::fireInternal):
2063         * llint/LLIntExceptions.cpp:
2064         (JSC::LLInt::interpreterThrowInCaller):
2065         (JSC::LLInt::returnToThrow):
2066         (JSC::LLInt::callToThrow):
2067         * llint/LLIntSlowPaths.cpp:
2068         (JSC::LLInt::llint_trace_operand):
2069         (JSC::LLInt::llint_trace_value):
2070         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2071         (JSC::LLInt::traceFunctionPrologue):
2072         (JSC::LLInt::jitCompileAndSetHeuristics):
2073         (JSC::LLInt::entryOSR):
2074         (JSC::LLInt::handleHostCall):
2075         (JSC::LLInt::setUpCall):
2076         * profiler/Profile.cpp:
2077         (JSC::Profile::debugPrintData):
2078         (JSC::Profile::debugPrintDataSampleStyle):
2079         * profiler/ProfileNode.cpp:
2080         (JSC::ProfileNode::debugPrintData):
2081         (JSC::ProfileNode::debugPrintDataSampleStyle):
2082         * runtime/JSGlobalData.cpp:
2083         (JSC::JSGlobalData::dumpRegExpTrace):
2084         * runtime/RegExp.cpp:
2085         (JSC::RegExp::matchCompareWithInterpreter):
2086         * runtime/SamplingCounter.cpp:
2087         (JSC::AbstractSamplingCounter::dump):
2088         * runtime/Structure.cpp:
2089         (JSC::Structure::dumpStatistics):
2090         (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
2091         * tools/CodeProfile.cpp:
2092         (JSC::CodeProfile::report):
2093         * tools/ProfileTreeNode.h:
2094         (JSC::ProfileTreeNode::dumpInternal):
2095         * yarr/YarrInterpreter.cpp:
2096         (JSC::Yarr::ByteCompiler::dumpDisjunction):
2097
2098 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
2099
2100         It should be possible to say disassemble(stuff) instead of having to say if (!tryToDisassemble(stuff)) dataLog("I failed")
2101         https://bugs.webkit.org/show_bug.cgi?id=103010
2102
2103         Reviewed by Anders Carlsson.
2104
2105         You can still say tryToDisassemble(), which will tell you if it failed; you can then
2106         decide what to do instead. But it's better to say disassemble(), which will just print
2107         the instruction ranges if tryToDisassemble() failed. This is particularly appropriate
2108         since that's what all previous users of tryToDisassemble() would have done in some
2109         form or another.
2110
2111         * CMakeLists.txt:
2112         * GNUmakefile.list.am:
2113         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2114         * JavaScriptCore.xcodeproj/project.pbxproj:
2115         * Target.pri:
2116         * assembler/LinkBuffer.cpp:
2117         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2118         * dfg/DFGDisassembler.cpp:
2119         (JSC::DFG::Disassembler::dumpDisassembly):
2120         * disassembler/Disassembler.cpp: Added.
2121         (JSC):
2122         (JSC::disassemble):
2123         * disassembler/Disassembler.h:
2124         (JSC):
2125         * jit/JITDisassembler.cpp:
2126         (JSC::JITDisassembler::dumpDisassembly):
2127
2128 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
2129
2130         dumpOperands() claims that it needs a non-const Operands& when that is completely false
2131         https://bugs.webkit.org/show_bug.cgi?id=103005
2132
2133         Reviewed by Eric Carlson.
2134
2135         * bytecode/Operands.h:
2136         (JSC::dumpOperands):
2137         (JSC):
2138
2139 2012-11-20  Filip Pizlo  <fpizlo@apple.com>
2140
2141         Baseline JIT's disassembly should be just as pretty as the DFG's
2142         https://bugs.webkit.org/show_bug.cgi?id=102873
2143
2144         Reviewed by Sam Weinig.
2145
2146         Integrated the CodeBlock's bytecode dumper with the JIT's disassembler. Also fixed
2147         some type goof-ups (instructions are not in a Vector<Instruction> so using a Vector
2148         iterator makes no sense) and stream-lined some things (you don't actually need a
2149         full-fledged ExecState* to dump bytecode).
2150
2151         * CMakeLists.txt:
2152         * GNUmakefile.list.am:
2153         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2154         * JavaScriptCore.xcodeproj/project.pbxproj:
2155         * Target.pri:
2156         * bytecode/CodeBlock.cpp:
2157         (JSC::CodeBlock::printUnaryOp):
2158         (JSC::CodeBlock::printBinaryOp):
2159         (JSC::CodeBlock::printConditionalJump):
2160         (JSC::CodeBlock::printGetByIdOp):
2161         (JSC::CodeBlock::printCallOp):
2162         (JSC::CodeBlock::printPutByIdOp):
2163         (JSC::CodeBlock::dump):
2164         (JSC):
2165         (JSC::CodeBlock::CodeBlock):
2166         * bytecode/CodeBlock.h:
2167         (CodeBlock):
2168         * interpreter/Interpreter.cpp:
2169         (JSC::Interpreter::dumpCallFrame):
2170         * jit/JIT.cpp:
2171         (JSC::JIT::privateCompileMainPass):
2172         (JSC::JIT::privateCompileSlowCases):
2173         (JSC::JIT::privateCompile):
2174         * jit/JIT.h:
2175         (JIT):
2176         * jit/JITDisassembler.cpp: Added.
2177         (JSC):
2178         (JSC::JITDisassembler::JITDisassembler):
2179         (JSC::JITDisassembler::~JITDisassembler):
2180         (JSC::JITDisassembler::dump):
2181         (JSC::JITDisassembler::dumpForInstructions):
2182         (JSC::JITDisassembler::dumpDisassembly):
2183         * jit/JITDisassembler.h: Added.
2184         (JSC):
2185         (JITDisassembler):
2186         (JSC::JITDisassembler::setStartOfCode):
2187         (JSC::JITDisassembler::setForBytecodeMainPath):
2188         (JSC::JITDisassembler::setForBytecodeSlowPath):
2189         (JSC::JITDisassembler::setEndOfSlowPath):
2190         (JSC::JITDisassembler::setEndOfCode):
2191
2192 2012-11-21  Daniel Bates  <dbates@webkit.org>
2193
2194         JavaScript fails to concatenate large strings
2195         <https://bugs.webkit.org/show_bug.cgi?id=102963>
2196
2197         Reviewed by Michael Saboff.
2198
2199         Fixes an issue where we inadvertently didn't check the length of
2200         a JavaScript string for overflow.
2201
2202         * runtime/Operations.h:
2203         (JSC::jsString):
2204         (JSC::jsStringFromArguments):
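
        Added illustration, not JavaScriptCore's code: a length computation for string concatenation with the explicit overflow check this fix describes, shown beside the unchecked form. It assumes 32-bit lengths and a placeholder cap of 2^31 - 1; kMaxStringLength, uncheckedTotalLength, checkedTotalLength and concatenateChecked are hypothetical names.

```cpp
// Added illustration, not JavaScriptCore's code: computing the length of a
// concatenated string with an explicit overflow check, the kind of check the
// fix above restores. Assumptions: lengths are 32-bit, and the engine caps
// string length at kMaxStringLength (a placeholder value, not JSC's constant).
#include <cstdint>
#include <limits>
#include <string>
#include <utility>
#include <vector>

namespace example {

// Placeholder cap modelled on a signed 32-bit length (2^31 - 1).
constexpr uint32_t kMaxStringLength =
    static_cast<uint32_t>(std::numeric_limits<int32_t>::max());

// The bug pattern: summing 32-bit lengths without a check. If the true total
// exceeds 2^32 - 1 the sum silently wraps, so a later allocation sized from
// it is far too small for the data that is then copied into it.
inline uint32_t uncheckedTotalLength(const std::vector<uint32_t>& lengths)
{
    uint32_t total = 0;
    for (uint32_t length : lengths)
        total += length; // wraps modulo 2^32 on overflow
    return total;
}

// The hardened form: every addition is validated before it is performed, so
// 'total' can never wrap and never exceeds kMaxStringLength. Returns false
// (and leaves 'out' untouched) when the combined length is too large.
inline bool checkedTotalLength(const std::vector<uint32_t>& lengths, uint32_t& out)
{
    uint32_t total = 0;
    for (uint32_t length : lengths) {
        if (length > kMaxStringLength - total)
            return false; // total + length would exceed the cap
        total += length;
    }
    out = total;
    return true;
}

// Concatenates parts only after the combined length has been validated, so
// the allocation size and the copy loop are derived from the same checked value.
inline bool concatenateChecked(const std::vector<std::string>& parts, std::string& out)
{
    std::vector<uint32_t> lengths;
    lengths.reserve(parts.size());
    for (const std::string& part : parts) {
        if (part.size() > kMaxStringLength)
            return false; // a single part already exceeds the cap
        lengths.push_back(static_cast<uint32_t>(part.size()));
    }
    uint32_t total = 0;
    if (!checkedTotalLength(lengths, total))
        return false;
    std::string result;
    result.reserve(total);
    for (const std::string& part : parts)
        result.append(part);
    out = std::move(result);
    return true;
}

} // namespace example
```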
2205
2206 2012-11-20  Filip Pizlo  <fpizlo@apple.com>
2207
2208         DFG should be able to cache closure calls (part 2/2)
2209         https://bugs.webkit.org/show_bug.cgi?id=102662
2210
2211         Reviewed by Gavin Barraclough.
2212
2213         Added caching of calls where the JSFunction* varies, but the Structure* and ExecutableBase*
2214         stay the same. This is accomplished by replacing the branch that compares against a constant
2215         JSFunction* with a jump to a closure call stub. The closure call stub contains a fast path,
2216         and jumps slow directly to the virtual call thunk.
2217
2218         Looks like a 1% win on V8v7.
2219
2220         * CMakeLists.txt:
2221         * GNUmakefile.list.am:
2222         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2223         * JavaScriptCore.xcodeproj/project.pbxproj:
2224         * Target.pri:
2225         * bytecode/CallLinkInfo.cpp:
2226         (JSC::CallLinkInfo::unlink):
2227         * bytecode/CallLinkInfo.h:
2228         (CallLinkInfo):
2229         (JSC::CallLinkInfo::isLinked):
2230         (JSC::getCallLinkInfoBytecodeIndex):
2231         * bytecode/CodeBlock.cpp:
2232         (JSC::CodeBlock::finalizeUnconditionally):
2233         (JSC):
2234         (JSC::CodeBlock::findClosureCallForReturnPC):
2235         (JSC::CodeBlock::bytecodeOffset):
2236         (JSC::CodeBlock::codeOriginForReturn):
2237         * bytecode/CodeBlock.h:
2238         (JSC::CodeBlock::getCallLinkInfo):
2239         (CodeBlock):
2240         (JSC::CodeBlock::isIncomingCallAlreadyLinked):
2241         * dfg/DFGJITCompiler.cpp:
2242         (JSC::DFG::JITCompiler::link):
2243         * dfg/DFGJITCompiler.h:
2244         (JSC::DFG::JITCompiler::addJSCall):
2245         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
2246         (JSCallRecord):
2247         * dfg/DFGOperations.cpp:
2248         * dfg/DFGOperations.h:
2249         * dfg/DFGRepatch.cpp:
2250         (JSC::DFG::linkSlowFor):
2251         (DFG):
2252         (JSC::DFG::dfgLinkFor):
2253         (JSC::DFG::dfgLinkSlowFor):
2254         (JSC::DFG::dfgLinkClosureCall):
2255         * dfg/DFGRepatch.h:
2256         (DFG):
2257         * dfg/DFGSpeculativeJIT32_64.cpp:
2258         (JSC::DFG::SpeculativeJIT::emitCall):
2259         * dfg/DFGSpeculativeJIT64.cpp:
2260         (JSC::DFG::SpeculativeJIT::emitCall):
2261         * dfg/DFGThunks.cpp:
2262         (DFG):
2263         (JSC::DFG::linkClosureCallThunkGenerator):
2264         * dfg/DFGThunks.h:
2265         (DFG):
2266         * heap/Heap.h:
2267         (Heap):
2268         (JSC::Heap::jitStubRoutines):
2269         * heap/JITStubRoutineSet.h:
2270         (JSC::JITStubRoutineSet::size):
2271         (JSC::JITStubRoutineSet::at):
2272         (JITStubRoutineSet):
2273         * jit/ClosureCallStubRoutine.cpp: Added.
2274         (JSC):
2275         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
2276         (JSC::ClosureCallStubRoutine::~ClosureCallStubRoutine):
2277         (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
2278         * jit/ClosureCallStubRoutine.h: Added.
2279         (JSC):
2280         (ClosureCallStubRoutine):
2281         (JSC::ClosureCallStubRoutine::structure):
2282         (JSC::ClosureCallStubRoutine::executable):
2283         (JSC::ClosureCallStubRoutine::codeOrigin):
2284         * jit/GCAwareJITStubRoutine.cpp:
2285         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2286         * jit/GCAwareJITStubRoutine.h:
2287         (GCAwareJITStubRoutine):
2288         (JSC::GCAwareJITStubRoutine::isClosureCall):
2289         * jit/JIT.cpp:
2290         (JSC::JIT::privateCompile):
2291
2292 2012-11-20  Filip Pizlo  <fpizlo@apple.com>
2293
2294         DFG should be able to cache closure calls (part 1/2)
2295         https://bugs.webkit.org/show_bug.cgi?id=102662
2296
2297         Reviewed by Gavin Barraclough.
2298
2299         Add ability to revert a jump replacement back to
2300         branchPtrWithPatch(Condition, RegisterID, TrustedImmPtr). This is meant to be
2301         a mandatory piece of functionality for all assemblers. I also renamed some of
2302         the functions for reverting jump replacements back to
2303         patchableBranchPtrWithPatch(Condition, Address, TrustedImmPtr), so as to avoid
2304         confusion.
2305
2306         * assembler/ARMv7Assembler.h:
2307         (JSC::ARMv7Assembler::BadReg):
2308         (ARMv7Assembler):
2309         (JSC::ARMv7Assembler::revertJumpTo_movT3):
2310         * assembler/LinkBuffer.h:
2311         (JSC):
2312         * assembler/MacroAssemblerARMv7.h:
2313         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
2314         (MacroAssemblerARMv7):
2315         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
2316         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
2317         * assembler/MacroAssemblerX86.h:
2318         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
2319         (MacroAssemblerX86):
2320         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
2321         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
2322         * assembler/MacroAssemblerX86_64.h:
2323         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
2324         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
2325         (MacroAssemblerX86_64):
2326         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
2327         * assembler/RepatchBuffer.h:
2328         (JSC::RepatchBuffer::startOfBranchPtrWithPatchOnRegister):
2329         (RepatchBuffer):
2330         (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress):
2331         (JSC::RepatchBuffer::revertJumpReplacementToBranchPtrWithPatch):
2332         * assembler/X86Assembler.h:
2333         (JSC::X86Assembler::revertJumpTo_cmpl_ir_force32):
2334         (X86Assembler):
2335         * dfg/DFGRepatch.cpp:
2336         (JSC::DFG::replaceWithJump):
2337         (JSC::DFG::dfgResetGetByID):
2338         (JSC::DFG::dfgResetPutByID):
2339
2340 2012-11-20  Yong Li  <yoli@rim.com>
2341
2342         [ARMv7] Neither linkCall() nor linkPointer() should flush code.
2343         https://bugs.webkit.org/show_bug.cgi?id=99213
2344
2345         Reviewed by George Staikos.
2346
2347         LinkBuffer doesn't need to flush code during linking. It will
2348         eventually flush the whole executable. Fixing this gives a >5%
2349         SunSpider boost (on QNX).
2350
2351         Also make replaceWithLoad() and replaceWithAddressComputation() flush
2352         only when necessary.
2353
2354         * assembler/ARMv7Assembler.h:
2355         (JSC::ARMv7Assembler::linkCall):
2356         (JSC::ARMv7Assembler::linkPointer):
2357         (JSC::ARMv7Assembler::relinkCall):
2358         (JSC::ARMv7Assembler::repatchInt32):
2359         (JSC::ARMv7Assembler::repatchPointer):
2360         (JSC::ARMv7Assembler::replaceWithLoad): Flush only after it has written.
2361         (JSC::ARMv7Assembler::replaceWithAddressComputation): Flush only after it has written.
2362         (JSC::ARMv7Assembler::setInt32):
2363         (JSC::ARMv7Assembler::setPointer):
2364
2365 2012-11-19  Filip Pizlo  <fpizlo@apple.com>
2366
2367         Remove support for ARMv7 errata from the jump code
2368         https://bugs.webkit.org/show_bug.cgi?id=102759
2369
2370         Reviewed by Oliver Hunt.
2371
2372         The jump replacement code was wrong to begin with since it wasn't doing
2373         a cache flush on the inserted padding. And, to my knowledge, we don't need
2374         this anymore, so this patch removes all errata code from the ARMv7 port.
2375
2376         * assembler/ARMv7Assembler.h:
2377         (JSC::ARMv7Assembler::computeJumpType):
2378         (JSC::ARMv7Assembler::replaceWithJump):
2379         (JSC::ARMv7Assembler::maxJumpReplacementSize):
2380         (JSC::ARMv7Assembler::canBeJumpT3):
2381         (JSC::ARMv7Assembler::canBeJumpT4):
2382
2383 2012-11-19  Patrick Gansterer  <paroga@webkit.org>
2384
2385         [CMake] Create JavaScriptCore ForwardingHeaders
2386         https://bugs.webkit.org/show_bug.cgi?id=92665
2387
2388         Reviewed by Brent Fulgham.
2389
2390         When using CMake to build the Windows port, we need
2391         to generate the forwarding headers with it too.
2392
2393         * CMakeLists.txt:
2394
2395 2012-11-19  Kihong Kwon  <kihong.kwon@samsung.com>
2396
2397         Add PROXIMITY_EVENTS feature
2398         https://bugs.webkit.org/show_bug.cgi?id=102658
2399
2400         Reviewed by Kentaro Hara.
2401
2402         Add PROXIMITY_EVENTS feature to xcode project for JavaScriptCore.
2403
2404         * Configurations/FeatureDefines.xcconfig:
2405
2406 2012-11-18  Dan Bernstein  <mitz@apple.com>
2407
2408         Try to fix the DFG build after r135099.
2409
2410         * dfg/DFGCommon.h:
2411         (JSC::DFG::shouldShowDisassembly):
2412
2413 2012-11-18  Filip Pizlo  <fpizlo@apple.com>
2414
2415         Unreviewed, build fix for !ENABLE(DFG_JIT).
2416
2417         * dfg/DFGCommon.h:
2418         (JSC::DFG::shouldShowDisassembly):
2419         (DFG):
2420
2421 2012-11-18  Filip Pizlo  <fpizlo@apple.com>
2422
2423         JSC should have more logging in structure-related code
2424         https://bugs.webkit.org/show_bug.cgi?id=102630
2425
2426         Reviewed by Simon Fraser.
2427
2428         - JSValue::description() now tells you if something is a structure, and if so,
2429           what kind of structure it is.
2430         
2431         - Jettisoning logic now tells you why things are being jettisoned.
2432         
2433         - It's now possible to turn off GC-triggered jettisoning entirely.
2434
2435         * bytecode/CodeBlock.cpp:
2436         (JSC::CodeBlock::finalizeUnconditionally):
2437         (JSC::CodeBlock::reoptimize):
2438         (JSC::ProgramCodeBlock::jettison):
2439         (JSC::EvalCodeBlock::jettison):
2440         (JSC::FunctionCodeBlock::jettison):
2441         * bytecode/CodeBlock.h:
2442         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
2443         * runtime/JSValue.cpp:
2444         (JSC::JSValue::description):
2445         * runtime/Options.h:
2446         (JSC):
2447
2448 2012-11-18  Filip Pizlo  <fpizlo@apple.com>
2449
2450         DFG constant folding phase should say 'changed = true' whenever it changes the graph
2451         https://bugs.webkit.org/show_bug.cgi?id=102550
2452
2453         Rubber stamped by Mark Hahnenberg.
2454
2455         * dfg/DFGConstantFoldingPhase.cpp:
2456         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2457
2458 2012-11-17  Elliott Sprehn  <esprehn@chromium.org>
2459
2460         Expose JSObject removeDirect and PrivateName to WebCore
2461         https://bugs.webkit.org/show_bug.cgi?id=102546
2462
2463         Reviewed by Geoffrey Garen.
2464
2465         Export removeDirect for use in WebCore so JSDependentRetained works.
2466
2467         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2468
2469 2012-11-16  Filip Pizlo  <fpizlo@apple.com>
2470
2471         Given a PutById or GetById with a proven structure, the DFG should be able to emit a PutByOffset or GetByOffset instead
2472         https://bugs.webkit.org/show_bug.cgi?id=102327
2473
2474         Reviewed by Mark Hahnenberg.
2475
2476         If the profiler tells us that a GetById or PutById may be polymorphic but our
2477         control flow analysis proves that it isn't, we should trust the control flow
2478         analysis over the profiler. This arises in cases where GetById or PutById were
2479         inlined: the inlined function may have been called from other places that led
2480         to polymorphism, but in the current inlined context, there is no polymorphism.
2481
2482         * bytecode/CodeBlock.cpp:
2483         (JSC::CodeBlock::dump):
2484         * bytecode/GetByIdStatus.cpp:
2485         (JSC::GetByIdStatus::computeFor):
2486         (JSC):
2487         * bytecode/GetByIdStatus.h:
2488         (JSC::GetByIdStatus::GetByIdStatus):
2489         (GetByIdStatus):
2490         * bytecode/PutByIdStatus.cpp:
2491         (JSC::PutByIdStatus::computeFor):
2492         (JSC):
2493         * bytecode/PutByIdStatus.h:
2494         (JSC):
2495         (JSC::PutByIdStatus::PutByIdStatus):
2496         (PutByIdStatus):
2497         * dfg/DFGAbstractState.cpp:
2498         (JSC::DFG::AbstractState::execute):
2499         * dfg/DFGAbstractValue.h:
2500         (JSC::DFG::AbstractValue::bestProvenStructure):
2501         (AbstractValue):
2502         * dfg/DFGConstantFoldingPhase.cpp:
2503         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2504         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2505         (ConstantFoldingPhase):
2506         * dfg/DFGNode.h:
2507         (JSC::DFG::Node::convertToGetByOffset):
2508         (Node):
2509         (JSC::DFG::Node::convertToPutByOffset):
2510         (JSC::DFG::Node::hasStorageResult):
2511         * runtime/JSGlobalObject.h:
2512         (JSC::Structure::prototypeChain):
2513         (JSC):
2514         (JSC::Structure::isValid):
2515         * runtime/Operations.h:
2516         (JSC::isPrototypeChainNormalized):
2517         (JSC):
2518         * runtime/Structure.h:
2519         (Structure):
2520         (JSC::Structure::transitionDidInvolveSpecificValue):
2521
2522 2012-11-16  Tony Chang  <tony@chromium.org>
2523
2524         Remove ENABLE_CSS_HIERARCHIES since it's no longer in use
2525         https://bugs.webkit.org/show_bug.cgi?id=102554
2526
2527         Reviewed by Andreas Kling.
2528
2529         As mentioned in https://bugs.webkit.org/show_bug.cgi?id=79939#c41,
2530         we're going to revisit this feature once additional vendor support is
2531         achieved.
2532
2533         * Configurations/FeatureDefines.xcconfig:
2534
2535 2012-11-16  Patrick Gansterer  <paroga@webkit.org>
2536
2537         Build fix for WinCE after r133688.
2538
2539         Use numeric_limits<uint32_t>::max() instead of UINT32_MAX.
2540
2541         * runtime/CodeCache.h:
2542         (JSC::CacheMap::CacheMap):
2543
2544 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
2545
2546         ClassInfo.h should have correct indentation.
2547
2548         Rubber stamped by Mark Hahnenberg.
2549
2550         ClassInfo.h had some true creativity in its use of whitespace. Some things within
2551         the namespace were indented four spaces and others were not. One #define had its
2552         contents indented four spaces, while another didn't. I applied the following rule:
2553         
2554         - Non-macro things in the namespace should not be indented (that's our current
2555           accepted practice).
2556         
2557         - Macros should never be indented but if they are multi-line then their subsequent
2558           bodies should be indented four spaces. I believe that is consistent with what we
2559           do elsewhere.
2560
2561         * runtime/ClassInfo.h:
2562         (JSC):
2563         (MethodTable):
2564         (ClassInfo):
2565         (JSC::ClassInfo::propHashTable):
2566         (JSC::ClassInfo::isSubClassOf):
2567         (JSC::ClassInfo::hasStaticProperties):
2568
2569 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
2570
2571         DFG should copy propagate trivially no-op ConvertThis
2572         https://bugs.webkit.org/show_bug.cgi?id=102445
2573
2574         Reviewed by Oliver Hunt.
2575
2576         Copy propagation is always a good thing, since it reveals must-alias relationships
2577         to the CFA and CSE. This accomplishes copy propagation for ConvertThis by first
2578         converting it to an Identity node (which is done by the constant folder since it
2579         has access to CFA results) and then performing substitution of references to
2580         Identity with references to Identity's child in the CSE.
2581         
2582         I'm not aiming for a big speed-up here; I just think that this will be useful for
2583         the work on https://bugs.webkit.org/show_bug.cgi?id=102327.
2584
2585         * dfg/DFGAbstractState.cpp:
2586         (JSC::DFG::AbstractState::execute):
2587         * dfg/DFGCSEPhase.cpp:
2588         (JSC::DFG::CSEPhase::performNodeCSE):
2589         * dfg/DFGConstantFoldingPhase.cpp:
2590         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2591         * dfg/DFGNodeType.h:
2592         (DFG):
2593         * dfg/DFGPredictionPropagationPhase.cpp:
2594         (JSC::DFG::PredictionPropagationPhase::propagate):
2595         * dfg/DFGSpeculativeJIT32_64.cpp:
2596         (JSC::DFG::SpeculativeJIT::compile):
2597         * dfg/DFGSpeculativeJIT64.cpp:
2598         (JSC::DFG::SpeculativeJIT::compile):
2599
2600 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
2601
2602         CallData.h should have correct indentation.
2603
2604         Rubber stamped by Mark Hahnenberg.
2605
2606         * runtime/CallData.h:
2607         (JSC):
2608
2609 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
2610
2611         Remove methodCallDummy since it is not used anymore.
2612
2613         Rubber stamped by Mark Hahnenberg.
2614
2615         * runtime/JSGlobalObject.cpp:
2616         (JSC::JSGlobalObject::reset):
2617         (JSC):
2618         (JSC::JSGlobalObject::visitChildren):
2619         * runtime/JSGlobalObject.h:
2620         (JSGlobalObject):
2621
2622 2012-11-14  Filip Pizlo  <fpizlo@apple.com>
2623
2624         Structure should be able to easily tell if the prototype chain might intercept a store
2625         https://bugs.webkit.org/show_bug.cgi?id=102326
2626
2627         Reviewed by Geoffrey Garen.
2628
2629         This improves our ability to reason about the correctness of the more optimized
2630         prototype chain walk in JSObject::put(), while also making it straightforward to
2631         check if the prototype chain will do strange things to a property store by just
2632         looking at the structure.
2633
2634         * runtime/JSObject.cpp:
2635         (JSC::JSObject::put):
2636         * runtime/Structure.cpp:
2637         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2638         (JSC):
2639         * runtime/Structure.h:
2640         (Structure):
2641
2642 2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>
2643
2644         [CMake] Do not regenerate LLIntAssembly.h on every incremental build
2645         https://bugs.webkit.org/show_bug.cgi?id=102248
2646
2647         Reviewed by Kenneth Rohde Christiansen.
2648
2649         Update LLIntAssembly.h's mtime after running asm.rb to make the build
2650         system dependency tracking consistent.
2651
2652         * CMakeLists.txt:
2653
2654 2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>
2655
2656         Fix compiler warnings about signed/unsigned comparison on i386
2657         https://bugs.webkit.org/show_bug.cgi?id=102249
2658
2659         Reviewed by Kenneth Rohde Christiansen.
2660
2661         Add casting to unsigned to shut up gcc warnings. Build was broken on
2662         JSVALUE32_64 ports compiling with -Werror.
2663
2664         * llint/LLIntData.cpp:
2665         (JSC::LLInt::Data::performAssertions):
2666
2667 2012-11-14  Brent Fulgham  <bfulgham@webkit.org>
2668
2669         [Windows, WinCairo] Unreviewed build fix.
2670
2671         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2672         Missed one of the exports that was part of the WebKit2.def.
2673
2674 2012-11-14  Brent Fulgham  <bfulgham@webkit.org>
2675
2676         [Windows, WinCairo] Correct build failure.
2677         https://bugs.webkit.org/show_bug.cgi?id=102302
2678
2679         WebCore symbols were mistakenly added to the JavaScriptCore
2680         library definition file.
2681
2682         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove
2683         WebCore symbols that were incorrectly added to the export file.
2684
2685 2012-11-14  Mark Lam  <mark.lam@apple.com>
2686
2687         Change JSEventListener::m_jsFunction to be a weak ref.
2688         https://bugs.webkit.org/show_bug.cgi?id=101989
2689
2690         Reviewed by Geoffrey Garen.
2691
2692         Added infrastructure for scanning weak ref slots.
2693
2694         * heap/SlotVisitor.cpp: Added #include "SlotVisitorInlines.h".
2695         * heap/SlotVisitor.h:
2696         (SlotVisitor): Added SlotVisitor::appendUnbarrieredWeak().
2697         * heap/SlotVisitorInlines.h: Added #include "Weak.h".
2698         (JSC::SlotVisitor::appendUnbarrieredWeak): Added.
2699         * heap/Weak.h:
2700         (JSC::operator==): Added operator==() for Weak.
2701         * runtime/JSCell.h: Removed #include "SlotVisitorInlines.h".
2702         * runtime/JSObject.h: Added #include "SlotVisitorInlines.h".
2703
2704 2012-11-14  Filip Pizlo  <fpizlo@apple.com>
2705
2706         Read-only properties created with putDirect() should tell the structure that there are read-only properties
2707         https://bugs.webkit.org/show_bug.cgi?id=102292
2708
2709         Reviewed by Gavin Barraclough.
2710
2711         This mostly affects things like function.length.
2712
2713         * runtime/JSObject.h:
2714         (JSC::JSObject::putDirectInternal):
2715
2716 2012-11-13  Filip Pizlo  <fpizlo@apple.com>
2717
2718         Don't access Node& after adding nodes to the graph.
2719         https://bugs.webkit.org/show_bug.cgi?id=102005
2720
2721         Reviewed by Oliver Hunt.
2722
2723         * dfg/DFGFixupPhase.cpp:
2724         (JSC::DFG::FixupPhase::fixupNode):
2725
2726 2012-11-14  Valery Ignatyev  <valery.ignatyev@ispras.ru>
2727
2728         Replace (typeof(x) != <"object", "undefined", ...>) with
2729         !(typeof(x) == <"object",..>). Later, the is_object, is_<...> bytecode operations
2730         will be used.
2731
2732         https://bugs.webkit.org/show_bug.cgi?id=98893
2733
2734         Reviewed by Filip Pizlo.
2735
2736         This eliminates the expensive typeof implementation and
2737         allows the use of DFG optimizations, which don't support 'typeof'.
2738
2739         * bytecompiler/NodesCodegen.cpp:
2740         (JSC::BinaryOpNode::emitBytecode):
2741
2742 2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>
2743
2744         [Qt][ARM]REGRESSION(r133985): It broke the build
2745         https://bugs.webkit.org/show_bug.cgi?id=101740
2746
2747         Reviewed by Csaba Osztrogonác.
2748
2749         Changed the emitGenericContiguousPutByVal to accept the additional IndexingType argument.
2750         This information was passed as a template parameter.
2751
2752         * jit/JIT.h:
2753         (JSC::JIT::emitInt32PutByVal):
2754         (JSC::JIT::emitDoublePutByVal):
2755         (JSC::JIT::emitContiguousPutByVal):
2756         (JIT):
2757         * jit/JITPropertyAccess.cpp:
2758         (JSC::JIT::emitGenericContiguousPutByVal):
2759         * jit/JITPropertyAccess32_64.cpp:
2760         (JSC::JIT::emitGenericContiguousPutByVal):
2761
2762 2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>
2763
2764         Fix the MIPS build after r134332
2765         https://bugs.webkit.org/show_bug.cgi?id=102227
2766
2767         Reviewed by Csaba Osztrogonác.
2768
2769         Added missing methods for the MacroAssemblerMIPS, based on the MacroAssemblerARMv7.
2770
2771         * assembler/MacroAssemblerMIPS.h:
2772         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranchPtrWithPatch):
2773         (MacroAssemblerMIPS):
2774         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatch):
2775         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
2776
2777 2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>
2778
2779         Fix the [-Wreturn-type] warning in JavaScriptCore/assembler/MacroAssemblerARM.h
2780         https://bugs.webkit.org/show_bug.cgi?id=102206
2781
2782         Reviewed by Csaba Osztrogonác.
2783
2784         Add a return value for the function to suppress the warning.
2785
2786         * assembler/MacroAssemblerARM.h:
2787         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
2788
2789 2012-11-14  Sheriff Bot  <webkit.review.bot@gmail.com>
2790
2791         Unreviewed, rolling out r134599.
2792         http://trac.webkit.org/changeset/134599
2793         https://bugs.webkit.org/show_bug.cgi?id=102225
2794
2795         It broke the 32 bit EFL build (Requested by Ossy on #webkit).
2796
2797         * jit/JITPropertyAccess.cpp:
2798         * jit/JITPropertyAccess32_64.cpp:
2799         (JSC):
2800         (JSC::JIT::emitGenericContiguousPutByVal):
2801
2802 2012-11-14  Balazs Kilvady  <kilvadyb@homejinni.com>
2803
2804         [Qt][ARM]REGRESSION(r133985): It broke the build
2805         https://bugs.webkit.org/show_bug.cgi?id=101740
2806
2807         Reviewed by Csaba Osztrogonác.
2808
2809         Template function body moved to fix VALUE_PROFILER disabled case.
2810
2811         * jit/JITPropertyAccess.cpp:
2812         (JSC):
2813         (JSC::JIT::emitGenericContiguousPutByVal):
2814         * jit/JITPropertyAccess32_64.cpp:
2815
2816 2012-11-13  Filip Pizlo  <fpizlo@apple.com>
2817
2818         DFG CreateThis should be able to statically account for the structure of the object it creates, if profiling indicates that this structure is always the same
2819         https://bugs.webkit.org/show_bug.cgi?id=102017
2820
2821         Reviewed by Geoffrey Garen.
2822
2823         This adds a watchpoint in JSFunction on the cached inheritor ID. It also changes
2824         NewObject to take a structure as an operand (previously it implicitly used the owning
2825         global object's empty object structure). Any GetCallee where the callee is predictable
2826         is turned into a CheckFunction + WeakJSConstant, and any CreateThis on a WeakJSConstant
2827         where the inheritor ID watchpoint is still valid is turned into an InheritorIDWatchpoint
2828         followed by a NewObject. NewObject already accounts for the structure it uses for object
2829         creation in the CFA.
2830
2831         * dfg/DFGAbstractState.cpp:
2832         (JSC::DFG::AbstractState::execute):
2833         * dfg/DFGByteCodeParser.cpp:
2834         (JSC::DFG::ByteCodeParser::parseBlock):
2835         * dfg/DFGCSEPhase.cpp:
2836         (JSC::DFG::CSEPhase::checkFunctionElimination):
2837         * dfg/DFGGraph.cpp:
2838         (JSC::DFG::Graph::dump):
2839         * dfg/DFGNode.h:
2840         (JSC::DFG::Node::hasFunction):
2841         (JSC::DFG::Node::function):
2842         (JSC::DFG::Node::hasStructure):
2843         * dfg/DFGNodeType.h:
2844         (DFG):
2845         * dfg/DFGOperations.cpp:
2846         * dfg/DFGOperations.h:
2847         * dfg/DFGPredictionPropagationPhase.cpp:
2848         (JSC::DFG::PredictionPropagationPhase::propagate):
2849         * dfg/DFGSpeculativeJIT.h:
2850         (JSC::DFG::SpeculativeJIT::callOperation):
2851         * dfg/DFGSpeculativeJIT32_64.cpp:
2852         (JSC::DFG::SpeculativeJIT::compile):
2853         * dfg/DFGSpeculativeJIT64.cpp:
2854         (JSC::DFG::SpeculativeJIT::compile):
2855         * runtime/Executable.h:
2856         (JSC::JSFunction::JSFunction):
2857         * runtime/JSBoundFunction.cpp:
2858         (JSC):
2859         * runtime/JSFunction.cpp:
2860         (JSC::JSFunction::JSFunction):
2861         (JSC::JSFunction::put):
2862         (JSC::JSFunction::defineOwnProperty):
2863         * runtime/JSFunction.h:
2864         (JSC::JSFunction::tryGetKnownInheritorID):
2865         (JSFunction):
2866         (JSC::JSFunction::addInheritorIDWatchpoint):
2867
2868 2012-11-13  Filip Pizlo  <fpizlo@apple.com>
2869
2870         JSFunction and its descendants should be destructible
2871         https://bugs.webkit.org/show_bug.cgi?id=102062
2872
2873         Reviewed by Mark Hahnenberg.
2874
2875         This will make it easy to place an InlineWatchpointSet inside JSFunction. In the
2876         future, we could make JSFunction non-destructible again by making a version of
2877         WatchpointSet that is entirely GC'd, but this seems like overkill for now.
2878         
2879         This is performance-neutral.
2880
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::destroy):
        (JSC):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/JSFunction.cpp:
        (JSC):
        (JSC::JSFunction::destroy):
        * runtime/JSFunction.h:
        (JSFunction):

2012-11-13  Cosmin Truta  <ctruta@rim.com>

        Uninitialized fields in class JSLock
        https://bugs.webkit.org/show_bug.cgi?id=101695

        Reviewed by Mark Hahnenberg.

        Initialize JSLock::m_ownerThread and JSLock::m_lockDropDepth.

        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):

2012-11-13  Peter Gal  <galpeter@inf.u-szeged.hu>

        Fix the ARM traditional build after r134332
        https://bugs.webkit.org/show_bug.cgi?id=102044

        Reviewed by Zoltan Herczeg.

        Added missing methods for the MacroAssemblerARM, based on the MacroAssemblerARMv7.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::canJumpReplacePatchableBranchPtrWithPatch):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):

2012-11-12  Filip Pizlo  <fpizlo@apple.com>

        op_get_callee should have value profiling
        https://bugs.webkit.org/show_bug.cgi?id=102047

        Reviewed by Sam Weinig.

        This will allow us to detect if the callee is always the same, which is probably
        the common case for a lot of constructors.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_callee):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_callee):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-11-12  Filip Pizlo  <fpizlo@apple.com>

        The act of getting the callee during 'this' construction should be explicit in bytecode
        https://bugs.webkit.org/show_bug.cgi?id=102016

        Reviewed by Michael Saboff.

        This is mostly a rollout of http://trac.webkit.org/changeset/116673, but also includes
        changes to have create_this use the result of get_callee.

        No performance or behavioral impact. This is just meant to allow us to profile
        get_callee in the future.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_callee):
        (JSC):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_callee):
        (JSC):
        (JSC::JIT::emit_op_create_this):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-11-12  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix ARMv7 build.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):

2012-11-12  Filip Pizlo  <fpizlo@apple.com>

        Patching of jumps to stubs should use jump replacement rather than branch destination overwrite
        https://bugs.webkit.org/show_bug.cgi?id=101909

        Reviewed by Geoffrey Garen.

        This saves a few instructions in inline cases, on those architectures where it is
        easy to figure out where to put the jump replacement. Sub-1% speed-up across the
        board.

        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::canJumpReplacePatchableBranchPtrWithPatch):
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranchPtrWithPatch):
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatch):
        (RepatchBuffer):
        (JSC::RepatchBuffer::replaceWithJump):
        (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/X86Assembler.h:
        (X86Assembler):
        (JSC::X86Assembler::revertJumpTo_movq_i64r):
        (JSC::X86Assembler::revertJumpTo_cmpl_im_force32):
        (X86InstructionFormatter):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::replaceWithJump):
        (DFG):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):

2012-11-11  Filip Pizlo  <fpizlo@apple.com>

        DFG ArithMul overflow check elimination is too aggressive
        https://bugs.webkit.org/show_bug.cgi?id=101871

        Reviewed by Oliver Hunt.

        The code was ignoring the fact that ((a * b) | 0) == (((a | 0) * (b | 0)) | 0)
        only holds if a * b < 2^53. So, I changed it to only enable the optimization
        when a < 2^22 and b is an int32 (and vice versa), using a super trivial peephole
        analysis to prove the inequality. I considered writing an epic forward flow
        formulation that tracks the ranges of integer values but then I thought better
        of it.

        This also rewires the ArithMul integer speculation logic. Previously, we would
        assume that an ArithMul was only UsedAsNumber if it escaped, and separately we
        would decide whether to speculate integer based on a proof of the <2^22
        inequality. Now, we treat the double rounding behavior of ArithMul as if the
        result was UsedAsNumber even if it did not escape. Then we try to prove that
        double rounding cannot happen by attempting to prove that a < 2^22. This then
        feeds back into the decision of whether or not to speculate integer (if we fail
        to prove a < 2^22 then we're UsedAsNumber, and if we're also MayOverflow then
        that forces double speculation).

        No performance impact. It just fixes a bug.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):
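
The identity and the 2^22 bound from the ArithMul entry above, worked through in JavaScript as an added example (not JavaScriptCore code): `Math.imul` stands in for the speculative wrapping int32 multiply the JIT would emit, `(a * b) | 0` for the generic double path, and the function names and sample operand pairs are mine.

```javascript
// Added example, not JavaScriptCore code. Shows why the DFG may only drop the
// ArithMul overflow check when one operand is proven < 2^22 in magnitude.
//
// (a * b) | 0 computes the product as a double, then applies ToInt32.
// Math.imul(a, b) is the exact int32 product with wraparound, which is what a
// JIT emits when it speculates "int32 multiply, result only used as int32".
// The two agree only while the double product is exact, i.e. |a * b| < 2^53.

const TWO_POW_22 = 4194304;          // 2^22
const TWO_POW_53 = 9007199254740992; // 2^53: above this, doubles skip integers

function isInt32(x) {
  return (x | 0) === x;
}

// The peephole rule from the entry: one operand proven < 2^22 in magnitude and
// the other any int32 gives |a * b| < 2^22 * 2^31 = 2^53, so no rounding.
function mulCanSkipOverflowCheck(a, b) {
  return isInt32(a) && isInt32(b) &&
         (Math.abs(a) < TWO_POW_22 || Math.abs(b) < TWO_POW_22);
}

// Fast path: wrapping int32 multiply, as the speculative JIT would compute it.
function wrappedInt32Mul(a, b) {
  return Math.imul(a, b);
}

// Slow path: double multiply followed by ToInt32, as the generic code does.
function doubleThenToInt32(a, b) {
  return (a * b) | 0;
}

// True when the double product is exactly representable (no rounding occurred).
function productIsExact(a, b) {
  return Math.abs(a * b) < TWO_POW_53;
}

// Soundness check: would speculating int32 give the same answer as the double path?
function fastPathMatchesSlowPath(a, b) {
  return wrappedInt32Mul(a, b) === doubleThenToInt32(a, b);
}

// Constructed operand pairs around the 2^22 boundary.
const SAMPLE_PAIRS = [
  [4194303, 2147483647],    // |a| = 2^22 - 1: product 2^53 - 2^22 - 2^31 + 1, exact
  [-4194303, -2147483648],  // negative operands, still below 2^53 in magnitude
  [4194305, 2147483647],    // |a| = 2^22 + 1: product exceeds 2^53 and rounds
  [2147483647, 2147483647], // both large: product 2^62 - 2^32 + 1 rounds away the +1
];

function demo() {
  for (const [a, b] of SAMPLE_PAIRS) {
    console.log(
      `a=${a} b=${b} peepholeAllows=${mulCanSkipOverflowCheck(a, b)}` +
      ` exact=${productIsExact(a, b)} fastMatchesSlow=${fastPathMatchesSlowPath(a, b)}` +
      ` imul=${wrappedInt32Mul(a, b)} double|0=${doubleThenToInt32(a, b)}`);
  }
}

demo();
```

Whenever the peephole returns true the two paths agree; the two rejected pairs show the int32 speculation would silently compute a different value, which is exactly the miscompile the entry fixes.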

2012-11-11  Filip Pizlo  <fpizlo@apple.com>

        DFG should not emit function checks if we've already proved that the operand is that exact function
        https://bugs.webkit.org/show_bug.cgi?id=101885

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filterByValue):
        (AbstractValue):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2012-11-12  Kentaro Hara  <haraken@chromium.org>

        [V8][JSC] ScriptProfileNode::callUID needs not to be [Custom]
        https://bugs.webkit.org/show_bug.cgi?id=101892

        Reviewed by Adam Barth.

        Added callUID(), which enables us to kill custom bindings for ScriptProfileNode::callUID.

        * profiler/ProfileNode.h:
        (JSC::ProfileNode::callUID):

2012-11-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header.

2012-11-11  Michael Pruett  <michael@68k.org>

        Fix assertion failure in JSObject::tryGetIndexQuickly()
        https://bugs.webkit.org/show_bug.cgi?id=101869

        Reviewed by Filip Pizlo.

        Currently JSObject::tryGetIndexQuickly() triggers an assertion
        failure when the object has an undecided indexing type. This
        case should be treated the same as a blank indexing type.

        * runtime/JSObject.h:
        (JSC::JSObject::tryGetIndexQuickly):

2012-11-11  Filip Pizlo  <fpizlo@apple.com>

        DFG register allocation should be greedy rather than round-robin
        https://bugs.webkit.org/show_bug.cgi?id=101870

        Reviewed by Geoffrey Garen.

        This simplifies the code, reduces some code duplication, and shows some slight
        performance improvements in a few places, likely due to the fact that lower-numbered
        registers also typically have smaller encodings.

        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::RegisterBank):
        (JSC::DFG::RegisterBank::tryAllocate):
        (JSC::DFG::RegisterBank::allocate):
        (JSC::DFG::RegisterBank::allocateInternal):
        (RegisterBank):

2012-11-11  Kenichi Ishibashi  <bashi@chromium.org>

        WTFString::utf8() should have a mode of conversion to use replacement character
        https://bugs.webkit.org/show_bug.cgi?id=101678

        Reviewed by Alexey Proskuryakov.

        Follow the change on String::utf8()

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Pass String::StrictConversion instead of true to String::utf8().

2012-11-10  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize out the NaN check on loads from double arrays if the array prototype chain is having a great time
        https://bugs.webkit.org/show_bug.cgi?id=101718

        Reviewed by Geoffrey Garen.

        If we're reading from a JSArray in double mode, where the array's structure is
        primordial (all aspects of the structure are unchanged except for indexing type),
        and the result of the load is used in arithmetic that is known to not distinguish
        between NaN and undefined, then we should not emit a NaN check. Looks like a 5%
        win on navier-stokes.

        Also fixed an OpInfo initialization goof for String ops that was revealed by this
        change.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::arraySpeculationToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::isSaneChain):
        (ArrayMode):
        (JSC::DFG::ArrayMode::isInBounds):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):

2012-11-10  Filip Pizlo  <fpizlo@apple.com>

        DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
        https://bugs.webkit.org/show_bug.cgi?id=101511

        Reviewed by Geoffrey Garen.

        This is the second attempt at this patch, which fixes the !"" case.

        To make life easier, this moves BranchDirection into BasicBlock so that after
        running the CFA, we always know, for each block, what direction the CFA
        proved. CFG simplification now both uses and preserves cfaBranchDirection in
        its transformations.

        Also made both LogicalNot and Branch check whether the operand is a known cell
        with a known structure, and if so, made them do the appropriate folding.

        5% speed-up on V8/raytrace because it makes raytrace's own null checks
        evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
        that we were already doing structure check hoisting.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGBranchDirection.h: Added.
        (DFG):
        (JSC::DFG::branchDirectionToString):
        (JSC::DFG::isKnownDirection):
        (JSC::DFG::branchCondition):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-11-10  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r133971.
        http://trac.webkit.org/changeset/133971
        https://bugs.webkit.org/show_bug.cgi?id=101839

        Causes WebProcess to hang at 100% on www.apple.com (Requested
        by kling on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::branchDirectionToString):
        (AbstractState):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGBranchDirection.h: Removed.
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this
        https://bugs.webkit.org/show_bug.cgi?id=101720

        Reviewed by Mark Hahnenberg.

        Previously, "original" arrays were just a hint that we could find the structure
        of the array if we needed to even if the array profile didn't have it due to
        polymorphism. Now, "original" arrays are a property that is actually checked:
        if an array access has ArrayMode::arrayClass() == Array::OriginalArray, then we
        can be sure that the code performing the access is dealing with not just a
        JSArray, but a JSArray that has no named properties, no indexed accessors, and
        the ArrayPrototype as its prototype. This will be useful for optimizations that
        are being done as part of https://bugs.webkit.org/show_bug.cgi?id=101720.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        (DFG):
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGArrayMode.h:
        (JSC):
        (DFG):
        (JSC::DFG::ArrayMode::withProfile):
        (ArrayMode):
        (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of BooleanPrototype.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/BooleanPrototype.h:

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of BooleanObject.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/BooleanObject.h:

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of BooleanConstructor.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/BooleanConstructor.h:

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of BatchedTransitionOptimizer.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/BatchedTransitionOptimizer.h:

2012-11-09  Oliver Hunt  <oliver@apple.com>

        So Thingy probably isn't the best name for a class, so
        renamed to CacheMap.

        RS=Geoff

        * runtime/CodeCache.h:
        (JSC::CacheMap::CacheMap):

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        ArrayPrototype should start out with a blank indexing type
        https://bugs.webkit.org/show_bug.cgi?id=101719

        Reviewed by Mark Hahnenberg.

        This allows us to track if the array prototype ever ends up with indexed
        properties.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::create):
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (ArrayPrototype):
        (JSC::ArrayPrototype::createStructure):

2012-11-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkStackArray should use the BlockAllocator instead of the MarkStackSegmentAllocator
        https://bugs.webkit.org/show_bug.cgi?id=101642

        Reviewed by Filip Pizlo.

        MarkStackSegmentAllocator is like a miniature version of the BlockAllocator. Now that the BlockAllocator has support
        for a variety of block sizes, we should get rid of the MarkStackSegmentAllocator in favor of the BlockAllocator.

        * heap/BlockAllocator.h: Add new specializations of regionSetFor for the new MarkStackSegments.
        (JSC):
        (JSC::MarkStackSegment):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        * heap/GCThreadSharedData.h:
        (GCThreadSharedData):
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::MarkStackArray): We now have a doubly linked list of MarkStackSegments, so we need to refactor
        all the places that used the old custom tail/previous logic.
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::expand):
        (JSC::MarkStackArray::refill):
        (JSC::MarkStackArray::donateSomeCellsTo): Refactor to use the new linked list.
        (JSC::MarkStackArray::stealSomeCellsFrom): Ditto.
        * heap/MarkStack.h:
        (JSC):
        (MarkStackSegment):
        (JSC::MarkStackSegment::MarkStackSegment):
        (JSC::MarkStackSegment::sizeFromCapacity):
        (MarkStackArray):
        * heap/MarkStackInlines.h:
        (JSC::MarkStackSegment::create):
        (JSC):
        (JSC::MarkStackArray::postIncTop):
        (JSC::MarkStackArray::preDecTop):
        (JSC::MarkStackArray::setTopForFullSegment):
        (JSC::MarkStackArray::setTopForEmptySegment):
        (JSC::MarkStackArray::top):
        (JSC::MarkStackArray::validatePrevious):
        (JSC::MarkStackArray::append):
        (JSC::MarkStackArray::removeLast):
        (JSC::MarkStackArray::isEmpty):
        (JSC::MarkStackArray::size):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):

2012-11-09  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt] r133953 broke the ARM_TRADITIONAL build
        https://bugs.webkit.org/show_bug.cgi?id=101706

        Reviewed by Csaba Osztrogonác.

        Fix for both hardfp and softfp.

        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2012-11-09  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r134051.
        http://trac.webkit.org/changeset/134051
        https://bugs.webkit.org/show_bug.cgi?id=101757

        It didn't fix the build (Requested by Ossy on #webkit).

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2012-11-09  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt] r133953 broke the ARM_TRADITIONAL build
        https://bugs.webkit.org/show_bug.cgi?id=101706

        Reviewed by Csaba Osztrogonác.

        Fix the ARM_TRADITIONAL build after r133953