CodeBlock compilation and installation should be simplified and rationalized
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.

        Rolling r154804 back in after fixing no-LLInt build.

        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).

        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.

        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.

        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.

        This patch solves these problems by reducing all of that complexity into just
        three primitives:

        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.

        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.

        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.

        This functionality is then wrapped around three convenience methods:

        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).

        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.

        - CodeBlock::install(). Asks the Executable to install this code block.

        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.

        It also allows me to work on FTL OSR entry and tier-up:

        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.

        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::prepareForExecutionImpl):
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::prepareForExecutionAsynchronously):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

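The entry above describes three primitives (newCodeBlock, CodeBlock::prepareForExecution, installCode) and the three convenience wrappers built on them. The C++ below is an added toy model of that design written for this page; it is not JavaScriptCore's code. The class and method names follow the ChangeLog, but the bodies are simplified stand-ins: one code slot instead of separate call/construct blocks, "compiling" only records which tier produced the entrypoint, and unlinking is a flag rather than a real patching of call sites. What it shows is the ownership and routing invariants the entry spells out: a fresh block has bytecode but is not callable, a compiled block is not reached by calls until it is installed, installing unlinks the previous block, and a one-shot block (the FTL OSR entry case) can be compiled and never installed.

```cpp
// Toy model of the three primitives and three convenience wrappers named in the
// entry above. Added illustration, not JavaScriptCore code: the names mirror the
// ChangeLog, the bodies are simplified stand-ins written for this page (a single
// code slot instead of call/construct), and "compiling" only records the tier.
#include <cassert>
#include <memory>
#include <string>
#include <vector>

enum class JITType { InterpreterThunk, BaselineJIT, DFGJIT, FTLJIT };

// entrypoint stands in for the machine-code entry address.
struct JITCode { JITType type = JITType::InterpreterThunk; std::string entrypoint; };

class Executable;

class CodeBlock : public std::enable_shared_from_this<CodeBlock> {
public:
    CodeBlock(Executable& owner, std::vector<std::string> bytecode)
        : m_owner(owner), m_bytecode(std::move(bytecode)) {}
    // Primitive 2: compile with exactly the requested JIT and put the JITCode into
    // this CodeBlock only; the owning Executable is not told about it.
    void prepareForExecution(JITType type) {
        m_jitCode.type = type;
        m_jitCode.entrypoint = type == JITType::InterpreterThunk
            ? std::string("llint_entry")  // just points at the LLInt entrypoints
            : "jit_" + std::to_string(static_cast<int>(type));
        m_hasJITCode = true;
    }
    bool isCallable() const { return m_hasJITCode; }
    const JITCode& jitCode() const { return m_jitCode; }
    bool isUnlinked() const { return m_unlinked; }
    void unlinkIncomingCalls() { m_unlinked = true; }  // stale callers must not reach this block
    std::shared_ptr<CodeBlock> newReplacement();  // convenience wrappers, defined below
    void install();
private:
    Executable& m_owner;
    std::vector<std::string> m_bytecode;  // present from creation, even before any JITCode
    JITCode m_jitCode;
    bool m_hasJITCode = false;
    bool m_unlinked = false;
};

class Executable {
public:
    explicit Executable(std::vector<std::string> bytecode) : m_bytecode(std::move(bytecode)) {}
    // Primitive 1: vend a fresh CodeBlock owned by the caller. It carries the
    // bytecode but no JITCode, and the Executable does not register it anywhere.
    std::shared_ptr<CodeBlock> newCodeBlock() { return std::make_shared<CodeBlock>(*this, m_bytecode); }
    // Primitive 3: make `block` the code-for-entry, unlinking the previous block
    // and refreshing the entrypoint cached for the call fast path.
    void installCode(std::shared_ptr<CodeBlock> block) {
        assert(block->isCallable());
        if (m_codeBlock)
            m_codeBlock->unlinkIncomingCalls();
        m_cachedEntrypoint = block->jitCode().entrypoint;
        m_codeBlock = std::move(block);
    }
    // Convenience: if nothing is installed yet, create, compile and install.
    void prepareForExecution() {
        if (m_codeBlock)
            return;
        auto block = newCodeBlock();
        block->prepareForExecution(JITType::InterpreterThunk);
        installCode(std::move(block));
    }
    // What a JS call routed through this Executable actually reaches.
    const std::string& entrypoint() const { return m_cachedEntrypoint; }
    std::shared_ptr<CodeBlock> codeBlock() const { return m_codeBlock; }
private:
    std::vector<std::string> m_bytecode;
    std::shared_ptr<CodeBlock> m_codeBlock;
    std::string m_cachedEntrypoint;
};

std::shared_ptr<CodeBlock> CodeBlock::newReplacement() { return m_owner.newCodeBlock(); }
void CodeBlock::install() { m_owner.installCode(shared_from_this()); }

// Observations from one run: baseline install, DFG tier-up, one-shot FTL block.
struct Walkthrough {
    std::string baselineEntry, entryAfterTierUp;
    bool baselineUnlinked, osrBlockCallable, osrBlockNotRouted;
};

Walkthrough runWalkthrough() {
    Executable exec({"enter", "add", "ret"});  // constructed toy bytecode
    Walkthrough w;
    exec.prepareForExecution();
    auto baseline = exec.codeBlock();
    w.baselineEntry = exec.entrypoint();
    auto dfg = baseline->newReplacement();      // tier-up: fresh block for the same Executable
    dfg->prepareForExecution(JITType::DFGJIT);  // compiled, but calls still reach the baseline
    dfg->install();                             // now calls reach the DFG code; baseline is unlinked
    w.entryAfterTierUp = exec.entrypoint();
    w.baselineUnlinked = baseline->isUnlinked();
    auto osr = exec.newCodeBlock();             // one-shot block: callable by hand, never installed
    osr->prepareForExecution(JITType::FTLJIT);
    w.osrBlockCallable = osr->isCallable();
    w.osrBlockNotRouted = exec.codeBlock() == dfg && !osr->isUnlinked();
    return w;
}
```

The `assert(block->isCallable())` in `installCode` is the check worth keeping in mind: in the real design a block that has bytecode but no JITCode must never become the Executable's code-for-entry, because the cached entrypoint would then be garbage. Keeping "create", "compile" and "install" as separate steps is exactly what lets the OSR-entry block skip the third step.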
2013-08-29  Mark Lam  <mark.lam@apple.com>

        Change StackIterator to not require writes to the JS stack.
        https://bugs.webkit.org/show_bug.cgi?id=119657.

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        - Removed references to StackIteratorPrivate.h.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::find):
        (JSC::StackIterator::readFrame):
        (JSC::StackIterator::readNonInlinedFrame):
        - Reads in the current CallFrame's data for non-inlined frames.
        (JSC::inlinedFrameOffset):
        - Convenience function to compute the inlined frame offset based on the
          CodeOrigin. If the offset is 0, then we're looking at the physical frame.
          Otherwise, it's an inlined frame.
        (JSC::StackIterator::readInlinedFrame):
        - Determines the inlined frame's caller frame. Will read in the caller
          frame if it is also an inlined frame, i.e., we haven't reached the
          outermost frame yet. Otherwise, will call readNonInlinedFrame() to
          read in the outermost frame.
          This is based on the old StackIterator::Frame::logicalFrame().
        (JSC::StackIterator::updateFrame):
        - Reads the data of the caller frame of the current one. This function
          is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
          but is now simplified because it delegates to readInlinedFrame()
          to get the caller for inlined frames.
        (JSC::StackIterator::Frame::arguments):
        - Fixed to use the inlined frame versions of Arguments::create() and
          Arguments::tearOff() when the frame is an inlined frame.
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (debugPrintStack):
        - Because sometimes, we want to see the whole stack while debugging.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::argumentCount):
        (JSC::StackIterator::Frame::callerFrame):
        (JSC::StackIterator::Frame::callee):
        (JSC::StackIterator::Frame::scope):
        (JSC::StackIterator::Frame::codeBlock):
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::inlinedFrameInfo):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::isInlinedFrame):
        (JSC::StackIterator::Frame::callFrame):
        (JSC::StackIterator::Frame::Frame):
        (JSC::StackIterator::Frame::~Frame):
        - StackIterator::Frame now caches commonly accessed values from
          the CallFrame. It still delegates argument queries to the CallFrame.
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::operator==):
        * interpreter/StackIteratorPrivate.h: Removed.

2013-08-29  Chris Curtis  <chris_curtis@apple.com>

        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
        https://bugs.webkit.org/show_bug.cgi?id=120472

        Reviewed by Filip Pizlo.

        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller
        throwException can be called when topCallFrame is set.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h:

        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
        to throw errors. It unwinds the stack in order to report them.
        * dfg/DFGOperations.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        (JSC::jitThrowNew):
        (JSC::jitThrow):
        * jit/JITExceptions.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):

2013-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154804.
        http://trac.webkit.org/changeset/154804
        https://bugs.webkit.org/show_bug.cgi?id=120477

        Broke Windows build (assumes LLInt features not enabled on
        this build) (Requested by bfulgham on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType):
        (JSC::CodeBlock::jitCompile):
        * bytecode/DeferredCompilationCallback.cpp: Removed.
        * bytecode/DeferredCompilationCallback.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Added.
        (JSC::jitCompileIfAppropriateImpl):
        (JSC::jitCompileFunctionIfAppropriateImpl):
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
        * jit/JITToDFGDeferredCompilationCallback.h: Removed.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::jitCompile):
        (JSC::EvalExecutable::compileInternal):
        (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
        (JSC::FunctionExecutable::compileForConstructInternal):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ExecutableBase::catchRoutineFor):
        (JSC::EvalExecutable::compile):
        (JSC::ProgramExecutable::compile):
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h: Added.
        (JSC::prepareForExecutionImpl):
        (JSC::prepareFunctionForExecutionImpl):
        (JSC::installOptimizedCode):
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        (JSC::replaceWithDeferredOptimizedCode):

2013-08-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.

        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).

        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.

        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.

        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.

        This patch solves these problems by reducing all of that complexity into just
        three primitives:

        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.

        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.

        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.

        This functionality is then wrapped around three convenience methods:

        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).

        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.

        - CodeBlock::install(). Asks the Executable to install this code block.

        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.

        It also allows me to work on FTL OSR entry and tier-up:

        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.

        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

602 2013-08-28  Chris Curtis  <chris_curtis@apple.com>
603
604         https://bugs.webkit.org/show_bug.cgi?id=119548
605         Refactoring Exception throws.
606         
607         Reviewed by Geoffrey Garen.
608         
609         Gardening of exception throws. The act of throwing an exception was being handled in
610         different ways depending on whether the code was running in the LLInt, Baseline JIT,
611         or the DFG JIT. This made development in the VM exception and error objects difficult.
612         
613         * runtime/VM.cpp:
614         (JSC::appendSourceToError):
615         This function moved from the interpreter into the VM. It views the developer's code
616         (if there is a codeBlock) to extract what was being evaluated when the error
617         occurred.
618         
619         (JSC::VM::throwException):
620         This function takes in the error object and sets the following:
621             1: The VM's exception stack
622             2: The VM's exception 
623             3: Appends extra information on the error message (via appendSourceToError)
624             4: The error object's line number
625             5: The error object's column number
626             6: The error object's sourceURL
627             7: The error object's stack trace (unless it already exists because the developer 
628                 created the error object). 
629
630         (JSC::VM::getExceptionInfo):
631         (JSC::VM::setExceptionInfo):
632         (JSC::VM::clearException):
633         (JSC::clearExceptionStack):
634         * runtime/VM.h:
635         (JSC::VM::exceptionOffset):
636         (JSC::VM::exception):
637         (JSC::VM::addressOfException):
638         (JSC::VM::exceptionStack):
639         VM exception and exceptionStack are now private data members.
640
641         * interpreter/Interpreter.h:
642         (JSC::ClearExceptionScope::ClearExceptionScope):
643         Created this structure to temporarily clear the exception within the VM. This is
644         needed to see if additional errors occur when setting the debugger as we are
645         unwinding the stack.
646
647         * interpreter/Interpreter.cpp:
648         (JSC::Interpreter::unwind): 
649         Removed the code that would try to add error information if it did not exist. 
650         All of this functionality has moved into the VM and all error information is set 
651         at the time the error occurs. 
652
653         The rest of these functions reference the new calling convention to throw an error.
654
655         * API/APICallbackFunction.h:
656         (JSC::APICallbackFunction::call):
657         * API/JSCallbackConstructor.cpp:
658         (JSC::constructJSCallback):
659         * API/JSCallbackObjectFunctions.h:
660         (JSC::::getOwnPropertySlot):
661         (JSC::::defaultValue):
662         (JSC::::put):
663         (JSC::::putByIndex):
664         (JSC::::deleteProperty):
665         (JSC::::construct):
666         (JSC::::customHasInstance):
667         (JSC::::call):
668         (JSC::::getStaticValue):
669         (JSC::::staticFunctionGetter):
670         (JSC::::callbackGetter):
671         * debugger/Debugger.cpp:
672         (JSC::evaluateInGlobalCallFrame):
673         * debugger/DebuggerCallFrame.cpp:
674         (JSC::DebuggerCallFrame::evaluate):
675         * dfg/DFGAssemblyHelpers.h:
676         (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
677         * dfg/DFGOperations.cpp:
678         (JSC::DFG::operationPutByValInternal):
679         * ftl/FTLLowerDFGToLLVM.cpp:
680         (JSC::FTL::LowerDFGToLLVM::callCheck):
681         * heap/Heap.cpp:
682         (JSC::Heap::markRoots):
683         * interpreter/CallFrame.h:
684         (JSC::ExecState::clearException):
685         (JSC::ExecState::exception):
686         (JSC::ExecState::hadException):
687         * interpreter/Interpreter.cpp:
688         (JSC::eval):
689         (JSC::loadVarargs):
690         (JSC::stackTraceAsString):
691         (JSC::Interpreter::execute):
692         (JSC::Interpreter::executeCall):
693         (JSC::Interpreter::executeConstruct):
694         (JSC::Interpreter::prepareForRepeatCall):
695         * interpreter/Interpreter.h:
696         (JSC::ClearExceptionScope::ClearExceptionScope):
697         * jit/JITCode.cpp:
698         (JSC::JITCode::execute):
699         * jit/JITExceptions.cpp:
700         (JSC::genericThrow):
701         * jit/JITOpcodes.cpp:
702         (JSC::JIT::emit_op_catch):
703         * jit/JITOpcodes32_64.cpp:
704         (JSC::JIT::privateCompileCTINativeCall):
705         (JSC::JIT::emit_op_catch):
706         * jit/JITStubs.cpp:
707         (JSC::returnToThrowTrampoline):
708         (JSC::throwExceptionFromOpCall):
709         (JSC::DEFINE_STUB_FUNCTION):
710         (JSC::jitCompileFor):
711         (JSC::lazyLinkFor):
712         (JSC::putByVal):
713         (JSC::cti_vm_handle_exception):
714         * jit/SlowPathCall.h:
715         (JSC::JITSlowPathCall::call):
716         * jit/ThunkGenerators.cpp:
717         (JSC::nativeForGenerator):
718         * jsc.cpp:
719         (functionRun):
720         (functionLoad):
721         (functionCheckSyntax):
722         * llint/LLIntExceptions.cpp:
723         (JSC::LLInt::doThrow):
724         (JSC::LLInt::returnToThrow):
725         (JSC::LLInt::callToThrow):
726         * llint/LLIntSlowPaths.cpp:
727         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
728         * llint/LowLevelInterpreter.cpp:
729         (JSC::CLoop::execute):
730         * llint/LowLevelInterpreter32_64.asm:
731         * llint/LowLevelInterpreter64.asm:
732         * runtime/ArrayConstructor.cpp:
733         (JSC::constructArrayWithSizeQuirk):
734         * runtime/CommonSlowPaths.cpp:
735         (JSC::SLOW_PATH_DECL):
736         * runtime/CommonSlowPaths.h:
737         (JSC::CommonSlowPaths::opIn):
738         * runtime/CommonSlowPathsExceptions.cpp:
739         (JSC::CommonSlowPaths::interpreterThrowInCaller):
740         * runtime/Completion.cpp:
741         (JSC::evaluate):
742         * runtime/Error.cpp:
743         (JSC::addErrorInfo):
744         (JSC::throwTypeError):
745         (JSC::throwSyntaxError):
746         * runtime/Error.h:
747         (JSC::throwVMError):
748         * runtime/ExceptionHelpers.cpp:
749         (JSC::throwOutOfMemoryError):
750         (JSC::throwStackOverflowError):
751         (JSC::throwTerminatedExecutionException):
752         * runtime/Executable.cpp:
753         (JSC::EvalExecutable::create):
754         (JSC::FunctionExecutable::produceCodeBlockFor):
755         * runtime/FunctionConstructor.cpp:
756         (JSC::constructFunction):
757         (JSC::constructFunctionSkippingEvalEnabledCheck):
758         * runtime/JSArray.cpp:
759         (JSC::JSArray::defineOwnProperty):
760         (JSC::JSArray::put):
761         (JSC::JSArray::push):
762         * runtime/JSCJSValue.cpp:
763         (JSC::JSValue::toObjectSlowCase):
764         (JSC::JSValue::synthesizePrototype):
765         (JSC::JSValue::putToPrimitive):
766         * runtime/JSFunction.cpp:
767         (JSC::JSFunction::defineOwnProperty):
768         * runtime/JSGenericTypedArrayViewInlines.h:
769         (JSC::::create):
770         (JSC::::createUninitialized):
771         (JSC::::validateRange):
772         (JSC::::setWithSpecificType):
773         * runtime/JSGlobalObjectFunctions.cpp:
774         (JSC::encode):
775         (JSC::decode):
776         (JSC::globalFuncProtoSetter):
777         * runtime/JSNameScope.cpp:
778         (JSC::JSNameScope::put):
779         * runtime/JSONObject.cpp:
780         (JSC::Stringifier::appendStringifiedValue):
781         (JSC::Walker::walk):
782         * runtime/JSObject.cpp:
783         (JSC::JSObject::put):
784         (JSC::JSObject::defaultValue):
785         (JSC::JSObject::hasInstance):
786         (JSC::JSObject::defaultHasInstance):
787         (JSC::JSObject::defineOwnNonIndexProperty):
788         (JSC::throwTypeError):
789         * runtime/ObjectConstructor.cpp:
790         (JSC::toPropertyDescriptor):
791         * runtime/RegExpConstructor.cpp:
792         (JSC::constructRegExp):
793         * runtime/StringObject.cpp:
794         (JSC::StringObject::defineOwnProperty):
795         * runtime/StringRecursionChecker.cpp:
796         (JSC::StringRecursionChecker::throwStackOverflowError):
797
798 2013-08-28  Zan Dobersek  <zdobersek@igalia.com>
799
800         [GTK] Add support for building JSC with FTL JIT enabled
801         https://bugs.webkit.org/show_bug.cgi?id=120270
802
803         Reviewed by Filip Pizlo.
804
805         * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
806         compiler flags for the JSC library.
807         * GNUmakefile.list.am: Add the missing build targets.
808         * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
809         failures when using the Clang compiler with the libstdc++ standard library.
810         (JSC::FTL::mdKindID):
811         (JSC::FTL::mdString):
812
813 2013-08-23  Andy Estes  <aestes@apple.com>
814
815         Fix issues found by the Clang Static Analyzer
816         https://bugs.webkit.org/show_bug.cgi?id=120230
817
818         Reviewed by Darin Adler.
819
820         * API/JSValue.mm:
821         (valueToString): Don't leak every CFStringRef when in Objective-C GC.
822         * API/ObjCCallbackFunction.mm:
823         (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
824         release m_invocation's target since NSInvocation will do it for us on
825         -dealloc.
826         (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
827         and -release our reference to the copied block.
828         * API/tests/minidom.c:
829         (createStringWithContentsOfFile): Free buffer before returning.
830         * API/tests/testapi.c:
831         (createStringWithContentsOfFile): Ditto.
832
833 2013-08-26  Brent Fulgham  <bfulgham@apple.com>
834
835         [Windows] Unreviewed build fix after r154629.
836
837         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
838         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
839
840 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
841
842         Windows build fix attempt after r154629.
843
844         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
845
846 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
847
848         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
849         https://bugs.webkit.org/show_bug.cgi?id=120278
850
851         Reviewed by Geoffrey Garen.
852
853         * runtime/JSObject.cpp:
854         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
855
856 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
857
858         Fix indentation of Executable.h.
859
860         Rubber stamped by Mark Hahnenberg.
861
862         * runtime/Executable.h:
863
864 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
865
866         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
867         https://bugs.webkit.org/show_bug.cgi?id=120314
868
869         Reviewed by Darin Adler.
870
871         Currently with the way that defineProperty works, we leave a stray low bit set in 
872         PropertyDescriptor::m_attributes in the following code:
873
874         var o = {};
875         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
876         
877         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
878         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
879         but only the top three bits mean anything. Even in the case above, the top three bits are set 
880         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
881
882         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
883         framework's public C API, it's safer to just change how we calculate the default value, which is
884         where the weirdness was originating from in the first place.
885
886         * runtime/PropertyDescriptor.cpp:
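
The stray-bit problem the entry above describes, as an added illustration that is not JavaScriptCore's code: ReadOnly = 1 << 1 and the 0xF default come from the entry, while DontEnum = 1 << 2, the defineProperty model and the corrected expression are this example's assumptions.

```cpp
// Added illustration, not JSC's PropertyDescriptor.cpp. Attribute layout:
// ReadOnly = 1 << 1 is stated in the ChangeLog entry and (DontDelete << 1) - 1
// == 0xF pins DontDelete to 1 << 3; DontEnum = 1 << 2 is assumed here.
// Bit 0 belongs to no attribute at all.
enum Attribute : unsigned {
    ReadOnly = 1 << 1,
    DontEnum = 1 << 2,
    DontDelete = 1 << 3
};

// Old default: derived arithmetically from a bit position, so it also sets
// the unused bit 0 that no descriptor field will ever clear.
inline unsigned defaultAttributesOld() { return (DontDelete << 1) - 1; } // 0xF

// Corrected default (assumed form of the fix): built only from the
// attributes that actually exist, so "all cleared" really is zero.
inline unsigned defaultAttributesFixed() { return ReadOnly | DontEnum | DontDelete; } // 0xE

// Models what Object.defineProperty(o, 100, {writable:true, enumerable:true,
// configurable:true, value:"foo"}) does to m_attributes: start from the
// default and clear each bit the descriptor negates.
unsigned attributesFromDescriptor(unsigned defaults, bool writable, bool enumerable, bool configurable)
{
    unsigned attrs = defaults;
    if (writable)
        attrs &= ~static_cast<unsigned>(ReadOnly);
    if (enumerable)
        attrs &= ~static_cast<unsigned>(DontEnum);
    if (configurable)
        attrs &= ~static_cast<unsigned>(DontDelete);
    return attrs;
}

// The test that misfired: "no attributes set" must read as exactly zero.
bool hasNoAttributes(unsigned attrs) { return attrs == 0; }
```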
887
888 2013-08-24  Sam Weinig  <sam@webkit.org>
889
890         Add support for Promises
891         https://bugs.webkit.org/show_bug.cgi?id=120260
892
893         Reviewed by Darin Adler.
894
895         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
896         - Despite Promises being defined in the DOM, the implementation is being put in JSC
897           in preparation for the Promises eventually being defined in ECMAScript.
898
899         * CMakeLists.txt:
900         * DerivedSources.make:
901         * DerivedSources.pri:
902         * GNUmakefile.list.am:
903         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
904         * JavaScriptCore.xcodeproj/project.pbxproj:
905         * Target.pri:
906         Add new files.
907
908         * jsc.cpp:
909         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
910         you can't quite use Promises with the command line tool yet.
911
912         * interpreter/CallFrame.h:
913         (JSC::ExecState::promisePrototypeTable):
914         (JSC::ExecState::promiseConstructorTable):
915         (JSC::ExecState::promiseResolverPrototypeTable):
916         * runtime/VM.cpp:
917         (JSC::VM::VM):
918         (JSC::VM::~VM):
919         * runtime/VM.h:
920         Add supporting code for the new static lookup tables.
921
922         * runtime/CommonIdentifiers.h:
923         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
924
925         * runtime/JSGlobalObject.cpp:
926         (JSC::JSGlobalObject::reset):
927         (JSC::JSGlobalObject::visitChildren):
928         Add supporting code for Promise and PromiseResolver's constructors and structures.
929
930         * runtime/JSGlobalObject.h:
931         (JSC::TaskContext::~TaskContext):
932         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
933
934         (JSC::JSGlobalObject::promisePrototype):
935         (JSC::JSGlobalObject::promiseResolverPrototype):
936         (JSC::JSGlobalObject::promiseStructure):
937         (JSC::JSGlobalObject::promiseResolverStructure):
938         (JSC::JSGlobalObject::promiseCallbackStructure):
939         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
940         Add supporting code for Promise and PromiseResolver's constructors and structures.
941
942         * runtime/JSPromise.cpp: Added.
943         * runtime/JSPromise.h: Added.
944         * runtime/JSPromiseCallback.cpp: Added.
945         * runtime/JSPromiseCallback.h: Added.
946         * runtime/JSPromiseConstructor.cpp: Added.
947         * runtime/JSPromiseConstructor.h: Added.
948         * runtime/JSPromisePrototype.cpp: Added.
949         * runtime/JSPromisePrototype.h: Added.
950         * runtime/JSPromiseResolver.cpp: Added.
951         * runtime/JSPromiseResolver.h: Added.
952         * runtime/JSPromiseResolverConstructor.cpp: Added.
953         * runtime/JSPromiseResolverConstructor.h: Added.
954         * runtime/JSPromiseResolverPrototype.cpp: Added.
955         * runtime/JSPromiseResolverPrototype.h: Added.
956         Add Promise implementation.
957
958 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
959
960         Plenty of -Wcast-align warnings in KeywordLookup.h
961         https://bugs.webkit.org/show_bug.cgi?id=120316
962
963         Reviewed by Darin Adler.
964
965         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
966         the character pointers to types of larger size. This avoids spewing lots of warnings
967         in the KeywordLookup.h header when compiling with the -Wcast-align option.
968
969 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
970
971         RegExpMatchesArray should not call [[put]]
972         https://bugs.webkit.org/show_bug.cgi?id=120317
973
974         Reviewed by Oliver Hunt.
975
976         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
977         property called index or input to either of these prototypes will result in broken behavior.
978
979         * runtime/RegExpMatchesArray.cpp:
980         (JSC::RegExpMatchesArray::reifyAllProperties):
981             - put -> putDirect
982
983 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
984
985         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
986         https://bugs.webkit.org/show_bug.cgi?id=120228
987
988         Reviewed by Oliver Hunt.
989         
990         It turns out that there were three problems:
991         
992         - Using jsNumber() meant that we were converting doubles to integers and then
993           possibly back again whenever doing a set() between floating point arrays.
994         
995         - Slow-path accesses to double typed arrays were slower than necessary because
996           of the to-int conversion attempt.
997         
998         - The use of JSValue as an intermediate for converting between different types
999           in typedArray.set() resulted in worse code than I had previously expected.
1000         
1001         This patch solves the problem by using template double-dispatch to ensure that
1002         the C++ compiler sees the simplest possible combination of casts between any
1003         combination of typed array types, while still preserving JS and typed array
1004         conversion semantics. Conversions are done as follows:
1005         
1006             SourceAdaptor::convertTo<TargetAdaptor>(value)
1007         
1008         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
1009         with one method for each of int32_t, uint32_t, and double. This means that the
1010         C++ compiler will at worst see a widening cast to one of those types followed
1011         by a narrowing conversion (not necessarily a cast - may have clamping or the
1012         JS toInt32() function).
1013         
1014         This change doesn't just affect typedArray.set(); it also affects slow-path
1015         accesses to typed arrays as well. This patch also adds a bunch of new test
1016         coverage.
1017         
1018         This change is a ~50% speed-up on typedArray.set() involving floating point
1019         types.
1020
1021         * GNUmakefile.list.am:
1022         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1023         * JavaScriptCore.xcodeproj/project.pbxproj:
1024         * runtime/GenericTypedArrayView.h:
1025         (JSC::GenericTypedArrayView::set):
1026         * runtime/JSDataViewPrototype.cpp:
1027         (JSC::setData):
1028         * runtime/JSGenericTypedArrayView.h:
1029         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1030         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1031         * runtime/JSGenericTypedArrayViewInlines.h:
1032         (JSC::::setWithSpecificType):
1033         (JSC::::set):
1034         * runtime/ToNativeFromValue.h: Added.
1035         (JSC::toNativeFromValue):
1036         * runtime/TypedArrayAdaptors.h:
1037         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1038         (JSC::IntegralTypedArrayAdaptor::toDouble):
1039         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
1040         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
1041         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
1042         (JSC::IntegralTypedArrayAdaptor::convertTo):
1043         (JSC::FloatTypedArrayAdaptor::toJSValue):
1044         (JSC::FloatTypedArrayAdaptor::toDouble):
1045         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
1046         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
1047         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
1048         (JSC::FloatTypedArrayAdaptor::convertTo):
1049         (JSC::Uint8ClampedAdaptor::toJSValue):
1050         (JSC::Uint8ClampedAdaptor::toDouble):
1051         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
1052         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
1053         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
1054         (JSC::Uint8ClampedAdaptor::convertTo):
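
The double-dispatch scheme the entry above describes, as an added illustration that is not JavaScriptCore's code: the adaptor and method names follow the entry, while jsToInt32, the Uint8Clamped rounding rule and setFrom are this example's own.

```cpp
// Added illustration of SourceAdaptor::convertTo<TargetAdaptor>(value); not
// JSC's TypedArrayAdaptors.h. Each adaptor exposes its native Type plus the
// three entry points the entry names, and convertTo() widens exactly once so
// that the single narrowing step happens inside the target adaptor.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <type_traits>

// ECMAScript ToInt32: NaN and infinities become 0; otherwise truncate toward
// zero, reduce modulo 2^32 and reinterpret the low 32 bits as two's complement.
inline int32_t jsToInt32(double d)
{
    if (!std::isfinite(d))
        return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0); // in (-2^32, 2^32)
    if (m < 0)
        m += 4294967296.0;
    return static_cast<int32_t>(static_cast<uint32_t>(m));
}

// Integral element types (Int8 .. Uint32). Narrowing is a modular wrap,
// which is what the typed array conversion rules require.
template<typename T>
struct IntegralTypedArrayAdaptor {
    typedef T Type;
    static Type toNativeFromInt32(int32_t v) { return static_cast<Type>(v); }
    static Type toNativeFromUint32(uint32_t v) { return static_cast<Type>(v); }
    static Type toNativeFromDouble(double v) { return static_cast<Type>(jsToInt32(v)); }
    // Widen once to the 32-bit type of matching signedness; the target adaptor
    // then does the single narrowing step for its own element type.
    template<typename TargetAdaptor>
    static typename TargetAdaptor::Type convertTo(Type value)
    {
        if (std::is_signed<Type>::value)
            return TargetAdaptor::toNativeFromInt32(static_cast<int32_t>(value));
        return TargetAdaptor::toNativeFromUint32(static_cast<uint32_t>(value));
    }
};

// Floating point element types (Float32, Float64): always hand over a double.
template<typename T>
struct FloatTypedArrayAdaptor {
    typedef T Type;
    static Type toNativeFromInt32(int32_t v) { return static_cast<Type>(v); }
    static Type toNativeFromUint32(uint32_t v) { return static_cast<Type>(v); }
    static Type toNativeFromDouble(double v) { return static_cast<Type>(v); }
    template<typename TargetAdaptor>
    static typename TargetAdaptor::Type convertTo(Type value)
    {
        return TargetAdaptor::toNativeFromDouble(static_cast<double>(value));
    }
};

// Uint8Clamped: saturates instead of wrapping, and rounds doubles half-to-even.
struct Uint8ClampedAdaptor {
    typedef uint8_t Type;
    static Type toNativeFromInt32(int32_t v) { return v < 0 ? 0 : v > 255 ? 255 : static_cast<Type>(v); }
    static Type toNativeFromUint32(uint32_t v) { return v > 255 ? 255 : static_cast<Type>(v); }
    static Type toNativeFromDouble(double v)
    {
        if (std::isnan(v) || v <= 0) return 0;
        if (v >= 255) return 255;
        double f = std::floor(v);
        if (f + 0.5 < v) return static_cast<Type>(f + 1);
        if (v < f + 0.5) return static_cast<Type>(f);
        return static_cast<Type>(std::fmod(f, 2.0) == 1.0 ? f + 1 : f); // exact tie: to even
    }
    template<typename TargetAdaptor>
    static typename TargetAdaptor::Type convertTo(Type value)
    {
        return TargetAdaptor::toNativeFromUint32(value);
    }
};

typedef IntegralTypedArrayAdaptor<int8_t> Int8Adaptor;
typedef IntegralTypedArrayAdaptor<int32_t> Int32Adaptor;
typedef IntegralTypedArrayAdaptor<uint32_t> Uint32Adaptor;
typedef FloatTypedArrayAdaptor<double> Float64Adaptor;

// The typedArray.set() inner loop for two different element types: no JSValue
// in the middle, just one SourceAdaptor::convertTo<TargetAdaptor>() per element.
template<typename SourceAdaptor, typename TargetAdaptor>
void setFrom(typename TargetAdaptor::Type* dst, const typename SourceAdaptor::Type* src, size_t count)
{
    for (size_t i = 0; i < count; ++i)
        dst[i] = SourceAdaptor::template convertTo<TargetAdaptor>(src[i]);
}

// Single-element wrappers exercising three different dispatch paths.
int8_t float64ToInt8(double v) { return Float64Adaptor::convertTo<Int8Adaptor>(v); }
int32_t uint32ToInt32(uint32_t v) { return Uint32Adaptor::convertTo<Int32Adaptor>(v); }
uint8_t int32ToUint8Clamped(int32_t v) { return Int32Adaptor::convertTo<Uint8ClampedAdaptor>(v); }

// Constructed sample: a Float64 source copied into a Uint8Clamped target.
static const double kSampleSource[5] = { -3.0, 1.5, 2.5, 254.5, 1e9 };
uint8_t sampleClampedAt(size_t i)
{
    uint8_t out[5];
    setFrom<Float64Adaptor, Uint8ClampedAdaptor>(out, kSampleSource, 5);
    return out[i];
}
```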
1055
1056 2013-08-24  Dan Bernstein  <mitz@apple.com>
1057
1058         [mac] link against libz in a more civilized manner
1059         https://bugs.webkit.org/show_bug.cgi?id=120258
1060
1061         Reviewed by Darin Adler.
1062
1063         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
1064         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
1065         Link Binary With Libraries build phase.
1066
1067 2013-08-23  Laszlo Papp  <lpapp@kde.org>
1068
1069         Failure building with python3
1070         https://bugs.webkit.org/show_bug.cgi?id=106645
1071
1072         Reviewed by Benjamin Poulain.
1073
1074         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
1075         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
1076
1077         * disassembler/udis86/itab.py:
1078         (UdItabGenerator.genInsnTable):
1079         * disassembler/udis86/ud_opcode.py:
1080         (UdOpcodeTables.print_table):
1081         * disassembler/udis86/ud_optable.py:
1082         (UdOptableXmlParser.parseDef):
1083         (UdOptableXmlParser.parse):
1084         (printFn):
1085
1086 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
1087
1088         Incorrect TypedArray#set behavior
1089         https://bugs.webkit.org/show_bug.cgi?id=83818
1090
1091         Reviewed by Oliver Hunt and Mark Hahnenberg.
1092         
1093         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
1094         not smart enough to figure out optimal versions for *all* of the cases. But I
1095         did come up with optimal implementations for most of the cases, and I wrote
1096         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
1097         enough to write optimal code for.
1098
1099         * runtime/JSArrayBufferView.h:
1100         (JSC::JSArrayBufferView::hasArrayBuffer):
1101         * runtime/JSArrayBufferViewInlines.h:
1102         (JSC::JSArrayBufferView::buffer):
1103         (JSC::JSArrayBufferView::existingBufferInButterfly):
1104         (JSC::JSArrayBufferView::neuter):
1105         (JSC::JSArrayBufferView::byteOffset):
1106         * runtime/JSGenericTypedArrayView.h:
1107         * runtime/JSGenericTypedArrayViewInlines.h:
1108         (JSC::::setWithSpecificType):
1109         (JSC::::set):
1110         (JSC::::existingBuffer):
1111
1112 2013-08-23  Alex Christensen  <achristensen@apple.com>
1113
1114         Re-separating Win32 and Win64 builds.
1115         https://bugs.webkit.org/show_bug.cgi?id=120178
1116
1117         Reviewed by Brent Fulgham.
1118
1119         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1120         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1121         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1122         Pass PlatformArchitecture as a command line parameter to bash scripts.
1123         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1124         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1125         * JavaScriptCore.vcxproj/build-generated-files.sh:
1126         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1127
1128 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1129
1130         build-jsc --ftl-jit should work
1131         https://bugs.webkit.org/show_bug.cgi?id=120194
1132
1133         Reviewed by Oliver Hunt.
1134
1135         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
1136         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
1137         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
1138         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
1139         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1140         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1141
1142 2013-08-23  Oliver Hunt  <oliver@apple.com>
1143
1144         Re-sort xcode project file
1145
1146         * JavaScriptCore.xcodeproj/project.pbxproj:
1147
1148 2013-08-23  Oliver Hunt  <oliver@apple.com>
1149
1150         Support in memory compression of rarely used data
1151         https://bugs.webkit.org/show_bug.cgi?id=120143
1152
1153         Reviewed by Gavin Barraclough.
1154
1155         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on Google Maps.
1156
1157         * Configurations/JavaScriptCore.xcconfig:
1158         * bytecode/UnlinkedCodeBlock.cpp:
1159         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
1160         (JSC::UnlinkedCodeBlock::addExpressionInfo):
1161         * bytecode/UnlinkedCodeBlock.h:
1162
1163 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
1164
1165         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
1166         https://bugs.webkit.org/show_bug.cgi?id=120179
1167
1168         Reviewed by Geoffrey Garen.
1169
1170         There are many places in the code for JSObject and JSArray where they are manipulating their 
1171         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
1172         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
1173         like it will make this dance even more intricate. To make everybody's lives easier we should use 
1174         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
1175         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
1176         should not incur any additional overhead.
1177
1178         * heap/Heap.h:
1179         * runtime/JSArray.cpp:
1180         (JSC::JSArray::unshiftCountSlowCase):
1181         * runtime/JSObject.cpp:
1182         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1183         (JSC::JSObject::createInitialUndecided):
1184         (JSC::JSObject::createInitialInt32):
1185         (JSC::JSObject::createInitialDouble):
1186         (JSC::JSObject::createInitialContiguous):
1187         (JSC::JSObject::createArrayStorage):
1188         (JSC::JSObject::convertUndecidedToArrayStorage):
1189         (JSC::JSObject::convertInt32ToArrayStorage):
1190         (JSC::JSObject::convertDoubleToArrayStorage):
1191         (JSC::JSObject::convertContiguousToArrayStorage):
1192         (JSC::JSObject::increaseVectorLength):
1193         (JSC::JSObject::ensureLengthSlow):
1194         * runtime/JSObject.h:
1195         (JSC::JSObject::putDirectInternal):
1196         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1197         (JSC::JSObject::putDirectWithoutTransition):
1198
1199 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1200
1201         Update LLVM binary drops and scripts to the latest version from SVN
1202         https://bugs.webkit.org/show_bug.cgi?id=120184
1203
1204         Reviewed by Mark Hahnenberg.
1205
1206         * dfg/DFGPlan.cpp:
1207         (JSC::DFG::Plan::compileInThreadImpl):
1208
1209 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1210
1211         Don't leak registers for redeclared variables
1212         https://bugs.webkit.org/show_bug.cgi?id=120174
1213
1214         Reviewed by Geoff Garen.
1215
1216         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
1217         Only allocate new registers when necessary.
1218
1219         No performance impact.
1220
1221         * interpreter/Interpreter.cpp:
1222         (JSC::Interpreter::execute):
1223         * runtime/Executable.cpp:
1224         (JSC::ProgramExecutable::initializeGlobalProperties):
1225             - Don't allocate the register here.
1226         * runtime/JSGlobalObject.cpp:
1227         (JSC::JSGlobalObject::addGlobalVar):
1228             - Allocate the register here instead.
1229
1230 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1231
1232         https://bugs.webkit.org/show_bug.cgi?id=120128
1233         Remove putDirectVirtual
1234
1235         Unreviewed, checked in commented out code. :-(
1236
1237         * interpreter/Interpreter.cpp:
1238         (JSC::Interpreter::execute):
1239             - delete commented out code
1240
1241 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1242
1243         Error.stack should not be enumerable
1244         https://bugs.webkit.org/show_bug.cgi?id=120171
1245
1246         Reviewed by Oliver Hunt.
1247
1248         Breaks ECMA tests.
1249
1250         * runtime/ErrorInstance.cpp:
1251         (JSC::ErrorInstance::finishCreation):
1252             - None -> DontEnum
1253
1254 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1255
1256         https://bugs.webkit.org/show_bug.cgi?id=120128
1257         Remove putDirectVirtual
1258
1259         Reviewed by Sam Weinig.
1260
1261         This could most generously be described as 'vestigial'.
1262         No performance impact.
1263
1264         * API/JSObjectRef.cpp:
1265         (JSObjectSetProperty):
1266             - changed to use defineOwnProperty
1267         * debugger/DebuggerActivation.cpp:
1268         * debugger/DebuggerActivation.h:
1269             - remove putDirectVirtual
1270         * interpreter/Interpreter.cpp:
1271         (JSC::Interpreter::execute):
1272             - changed to use defineOwnProperty
1273         * runtime/ClassInfo.h:
1274         * runtime/JSActivation.cpp:
1275         * runtime/JSActivation.h:
1276         * runtime/JSCell.cpp:
1277         * runtime/JSCell.h:
1278         * runtime/JSGlobalObject.cpp:
1279         * runtime/JSGlobalObject.h:
1280         * runtime/JSObject.cpp:
1281         * runtime/JSObject.h:
1282         * runtime/JSProxy.cpp:
1283         * runtime/JSProxy.h:
1284         * runtime/JSSymbolTableObject.cpp:
1285         * runtime/JSSymbolTableObject.h:
1286             - remove putDirectVirtual
1287         * runtime/PropertyDescriptor.h:
1288         (JSC::PropertyDescriptor::PropertyDescriptor):
1289             - added constructor for convenience
1290
1291 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
1292
1293         errorDescriptionForValue() should not assume error value is an Object
1294         https://bugs.webkit.org/show_bug.cgi?id=119812
1295
1296         Reviewed by Geoffrey Garen.
1297
1298         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
1299         has no type, the function now returns the empty string. 
1300         * runtime/ExceptionHelpers.cpp:
1301         (JSC::errorDescriptionForValue):
1302
1303 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
1304
1305         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1306         https://bugs.webkit.org/show_bug.cgi?id=120107
1307
1308         Reviewed by Yong Li.
1309
1310         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1311
1312         * dfg/DFGSpeculativeJIT.h:
1313         (JSC::DFG::SpeculativeJIT::callOperation):
1314
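The even-register alignment rule in the entry above, as an added worked example (not JavaScriptCore code). It models only the core-register part of the ARM EABI (AAPCS) rule, which the entry says MIPS shares: an 8-byte argument such as an EncodedJSValue on a 32-bit target must start in an even-numbered register, and once an argument spills to the stack the remaining arguments follow it. The {4, 8, 4} signature below is assumed to stand for (ExecState*, EncodedJSValue, one 32-bit argument); register/stack split cases, floating-point registers and the o32 stack home area are deliberately ignored.

```cpp
// Added example, not JavaScriptCore's code: argument register assignment on a
// 32-bit ABI that requires 64-bit arguments to start in an even register.
#include <vector>

constexpr int kCoreRegisters = 4;   // r0-r3 on ARM, a0-a3 on MIPS o32
constexpr int kStack = -1;          // marker: argument is passed on the stack

// argSizes holds the byte size of each argument: 4 (pointer/int) or 8
// (a 64-bit value such as EncodedJSValue on a 32-bit build). The result is the
// first register used by each argument, or kStack.
static std::vector<int> assign(const std::vector<int>& argSizes, bool alignDoubleWords)
{
    std::vector<int> out;
    int next = 0;                                   // next free core register
    for (int size : argSizes) {
        int words = size / 4;
        if (alignDoubleWords && size == 8 && (next % 2) != 0)
            ++next;                                 // skip the odd register (the ABI rule)
        if (next + words <= kCoreRegisters) {
            out.push_back(next);
            next += words;
        } else {
            out.push_back(kStack);
            next = kCoreRegisters;                  // everything after this goes on the stack
        }
    }
    return out;
}

// What the system compiler expects the callee's arguments to look like.
std::vector<int> assignAligned(const std::vector<int>& argSizes)
{
    return assign(argSizes, true);
}

// What a JIT that packs arguments into consecutive registers would emit.
std::vector<int> assignNaive(const std::vector<int>& argSizes)
{
    return assign(argSizes, false);
}

// True when the two layouts differ, i.e. the call would be miscompiled:
// the callee reads different registers than the caller filled.
bool layoutsDisagree(const std::vector<int>& argSizes)
{
    return assignAligned(argSizes) != assignNaive(argSizes);
}
```

For {4, 8, 4} the naive layout places the 64-bit value in r1:r2 and the third argument in r3, while the callee expects the value in r2:r3 and the third argument on the stack; for {4, 4, 8} the two layouts agree, which is why the bug only shows up for some operation signatures.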
1315 2013-08-21  Commit Queue  <commit-queue@webkit.org>
1316
1317         Unreviewed, rolling out r154416.
1318         http://trac.webkit.org/changeset/154416
1319         https://bugs.webkit.org/show_bug.cgi?id=120147
1320
1321         Broke Windows builds (Requested by rniwa on #webkit).
1322
1323         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1324         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1325         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1326         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1327         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1328         * JavaScriptCore.vcxproj/build-generated-files.sh:
1329
1330 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1331
1332         Clarify var/const/function declaration
1333         https://bugs.webkit.org/show_bug.cgi?id=120144
1334
1335         Reviewed by Sam Weinig.
1336
1337         Add methods to JSGlobalObject to declare vars, consts, and functions.
1338
1339         * runtime/Executable.cpp:
1340         (JSC::ProgramExecutable::initializeGlobalProperties):
1341         * runtime/Executable.h:
1342             - Moved declaration code to JSGlobalObject
1343         * runtime/JSGlobalObject.cpp:
1344         (JSC::JSGlobalObject::addGlobalVar):
1345             - internal implementation of addVar, addConst, addFunction
1346         * runtime/JSGlobalObject.h:
1347         (JSC::JSGlobalObject::addVar):
1348         (JSC::JSGlobalObject::addConst):
1349         (JSC::JSGlobalObject::addFunction):
1350             - Added methods to declare vars, consts, and functions
1351
1352 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
1353
1354         https://bugs.webkit.org/show_bug.cgi?id=119900
1355         Exception in global setter doesn't unwind correctly
1356
1357         Reviewed by Geoffrey Garen.
1358
1359         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
1360
1361         * jit/JITStubs.cpp:
1362         (JSC::DEFINE_STUB_FUNCTION):
1363
1364 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1365
1366         Rename/refactor setButterfly/setStructure
1367         https://bugs.webkit.org/show_bug.cgi?id=120138
1368
1369         Reviewed by Geoffrey Garen.
1370
1371         setButterfly becomes setStructureAndButterfly.
1372
1373         Also removed the Butterfly* argument from setStructure and just implicitly
1374         used m_butterfly internally since that's what every single client of setStructure
1375         was doing already.
1376
1377         * jit/JITStubs.cpp:
1378         (JSC::DEFINE_STUB_FUNCTION):
1379         * runtime/JSObject.cpp:
1380         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1381         (JSC::JSObject::createInitialUndecided):
1382         (JSC::JSObject::createInitialInt32):
1383         (JSC::JSObject::createInitialDouble):
1384         (JSC::JSObject::createInitialContiguous):
1385         (JSC::JSObject::createArrayStorage):
1386         (JSC::JSObject::convertUndecidedToInt32):
1387         (JSC::JSObject::convertUndecidedToDouble):
1388         (JSC::JSObject::convertUndecidedToContiguous):
1389         (JSC::JSObject::convertUndecidedToArrayStorage):
1390         (JSC::JSObject::convertInt32ToDouble):
1391         (JSC::JSObject::convertInt32ToContiguous):
1392         (JSC::JSObject::convertInt32ToArrayStorage):
1393         (JSC::JSObject::genericConvertDoubleToContiguous):
1394         (JSC::JSObject::convertDoubleToArrayStorage):
1395         (JSC::JSObject::convertContiguousToArrayStorage):
1396         (JSC::JSObject::switchToSlowPutArrayStorage):
1397         (JSC::JSObject::setPrototype):
1398         (JSC::JSObject::putDirectAccessor):
1399         (JSC::JSObject::seal):
1400         (JSC::JSObject::freeze):
1401         (JSC::JSObject::preventExtensions):
1402         (JSC::JSObject::reifyStaticFunctionsForDelete):
1403         (JSC::JSObject::removeDirect):
1404         * runtime/JSObject.h:
1405         (JSC::JSObject::setStructureAndButterfly):
1406         (JSC::JSObject::setStructure):
1407         (JSC::JSObject::putDirectInternal):
1408         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1409         (JSC::JSObject::putDirectWithoutTransition):
1410         * runtime/Structure.cpp:
1411         (JSC::Structure::flattenDictionaryStructure):
1412
1413 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1414
1415         https://bugs.webkit.org/show_bug.cgi?id=120127
1416         Remove JSObject::propertyIsEnumerable
1417
1418         Unreviewed typo fix
1419
1420         * runtime/JSObject.h:
1421             - fix typo
1422
1423 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1424
1425         https://bugs.webkit.org/show_bug.cgi?id=120139
1426         PropertyDescriptor argument to define methods should be const
1427
1428         Rubber stamped by Sam Weinig.
1429
1430         This should never be modified, and this way we can use rvalues.
1431
1432         * debugger/DebuggerActivation.cpp:
1433         (JSC::DebuggerActivation::defineOwnProperty):
1434         * debugger/DebuggerActivation.h:
1435         * runtime/Arguments.cpp:
1436         (JSC::Arguments::defineOwnProperty):
1437         * runtime/Arguments.h:
1438         * runtime/ClassInfo.h:
1439         * runtime/JSArray.cpp:
1440         (JSC::JSArray::defineOwnProperty):
1441         * runtime/JSArray.h:
1442         * runtime/JSArrayBuffer.cpp:
1443         (JSC::JSArrayBuffer::defineOwnProperty):
1444         * runtime/JSArrayBuffer.h:
1445         * runtime/JSArrayBufferView.cpp:
1446         (JSC::JSArrayBufferView::defineOwnProperty):
1447         * runtime/JSArrayBufferView.h:
1448         * runtime/JSCell.cpp:
1449         (JSC::JSCell::defineOwnProperty):
1450         * runtime/JSCell.h:
1451         * runtime/JSFunction.cpp:
1452         (JSC::JSFunction::defineOwnProperty):
1453         * runtime/JSFunction.h:
1454         * runtime/JSGenericTypedArrayView.h:
1455         * runtime/JSGenericTypedArrayViewInlines.h:
1456         (JSC::::defineOwnProperty):
1457         * runtime/JSGlobalObject.cpp:
1458         (JSC::JSGlobalObject::defineOwnProperty):
1459         * runtime/JSGlobalObject.h:
1460         * runtime/JSObject.cpp:
1461         (JSC::JSObject::putIndexedDescriptor):
1462         (JSC::JSObject::defineOwnIndexedProperty):
1463         (JSC::putDescriptor):
1464         (JSC::JSObject::defineOwnNonIndexProperty):
1465         (JSC::JSObject::defineOwnProperty):
1466         * runtime/JSObject.h:
1467         * runtime/JSProxy.cpp:
1468         (JSC::JSProxy::defineOwnProperty):
1469         * runtime/JSProxy.h:
1470         * runtime/RegExpMatchesArray.h:
1471         (JSC::RegExpMatchesArray::defineOwnProperty):
1472         * runtime/RegExpObject.cpp:
1473         (JSC::RegExpObject::defineOwnProperty):
1474         * runtime/RegExpObject.h:
1475         * runtime/StringObject.cpp:
1476         (JSC::StringObject::defineOwnProperty):
1477         * runtime/StringObject.h:
1478             - make PropertyDescriptor const
1479
1480 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1481
1482         REGRESSION: Crash under JITCompiler::link while loading Gmail
1483         https://bugs.webkit.org/show_bug.cgi?id=119872
1484
1485         Reviewed by Mark Hahnenberg.
1486         
1487         Apparently, unsigned + signed = unsigned. Work around it with a cast.
1488
1489         * dfg/DFGByteCodeParser.cpp:
1490         (JSC::DFG::ByteCodeParser::parseBlock):
1491
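The "unsigned + signed = unsigned" point in the entry above, as an added example (not JavaScriptCore code; the function names are illustrative). Under the usual arithmetic conversions the int operand is converted to unsigned before the add, so a negative offset wraps, and any "did it go negative" test on the unsigned result is always false. The cast the entry mentions moves the arithmetic into a signed type wide enough for the true result.

```cpp
// Added example, not JavaScriptCore code: mixed-sign addition under the usual
// arithmetic conversions, and the cast that makes it behave.
#include <climits>

// Naive form: `delta` is converted to unsigned before the add, so a negative
// delta becomes a value near UINT_MAX and the sum wraps modulo 2^32.
unsigned addMixed(unsigned base, int delta)
{
    return base + delta;
}

// Fixed form: cast the unsigned operand first so the add happens in a signed
// type that can represent the true (possibly negative) result.
long long addWithCast(unsigned base, int delta)
{
    return static_cast<long long>(base) + delta;
}

// A "did base + delta go negative?" check written on the unsigned sum. It can
// never be true, because an unsigned value is never below zero.
bool wentNegativeNaive(unsigned base, int delta)
{
    unsigned sum = base + delta;
    return sum < 0u;   // always false; most compilers warn about this comparison
}

// The same check after the cast actually detects the underflow.
bool wentNegativeChecked(unsigned base, int delta)
{
    return addWithCast(base, delta) < 0;
}

// True when the naive result differs from the true result. Note that the
// wraparound cancels whenever the true sum is non-negative, which is why
// bugs of this kind only surface on the negative path.
bool mixedAddWraps(unsigned base, int delta)
{
    return static_cast<long long>(addMixed(base, delta)) != addWithCast(base, delta);
}
```

addMixed(5, -10) yields UINT_MAX - 4 rather than -5, and wentNegativeNaive cannot report it; addMixed(10, -5) still yields 5, so a test suite that never exercises a negative true result will not see the problem.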
1492 2013-08-21  Alex Christensen  <achristensen@apple.com>
1493
1494         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1495
1496         Reviewed by Brent Fulgham.
1497
1498         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1499         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1500         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1501         Pass PlatformArchitecture as a command line parameter to bash scripts.
1502         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1503         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1504         * JavaScriptCore.vcxproj/build-generated-files.sh:
1505         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1506
1507 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1508
1509         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1510         https://bugs.webkit.org/show_bug.cgi?id=120099
1511
1512         Reviewed by Mark Hahnenberg.
1513         
1514         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1515         JSDataView may have ordinary JS indexed properties.
1516
1517         * runtime/ClassInfo.h:
1518         * runtime/JSArrayBufferView.cpp:
1519         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1520         (JSC::JSArrayBufferView::finishCreation):
1521         * runtime/JSArrayBufferView.h:
1522         (JSC::hasArrayBuffer):
1523         * runtime/JSArrayBufferViewInlines.h:
1524         (JSC::JSArrayBufferView::buffer):
1525         (JSC::JSArrayBufferView::neuter):
1526         (JSC::JSArrayBufferView::byteOffset):
1527         * runtime/JSCell.cpp:
1528         (JSC::JSCell::slowDownAndWasteMemory):
1529         * runtime/JSCell.h:
1530         * runtime/JSDataView.cpp:
1531         (JSC::JSDataView::JSDataView):
1532         (JSC::JSDataView::create):
1533         (JSC::JSDataView::slowDownAndWasteMemory):
1534         * runtime/JSDataView.h:
1535         (JSC::JSDataView::buffer):
1536         * runtime/JSGenericTypedArrayView.h:
1537         * runtime/JSGenericTypedArrayViewInlines.h:
1538         (JSC::::visitChildren):
1539         (JSC::::slowDownAndWasteMemory):
1540
1541 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1542
1543         Remove incorrect ASSERT from CopyVisitor::visitItem
1544
1545         Rubber stamped by Filip Pizlo.
1546
1547         * heap/CopyVisitorInlines.h:
1548         (JSC::CopyVisitor::visitItem):
1549
1550 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1551
1552         https://bugs.webkit.org/show_bug.cgi?id=120127
1553         Remove JSObject::propertyIsEnumerable
1554
1555         Reviewed by Sam Weinig.
1556
1557         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1558
1559         * runtime/JSObject.cpp:
1560         * runtime/JSObject.h:
1561             - remove propertyIsEnumerable
1562         * runtime/ObjectPrototype.cpp:
1563         (JSC::objectProtoFuncPropertyIsEnumerable):
1564             - Move implementation here using getOwnPropertyDescriptor directly.
1565
1566 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
1567
1568         DFG should inline new typedArray()
1569         https://bugs.webkit.org/show_bug.cgi?id=120022
1570
1571         Reviewed by Oliver Hunt.
1572         
1573         Adds inlining of typed array allocations in the DFG. Any operation of the
1574         form:
1575         
1576             new foo(blah)
1577         
1578         or:
1579         
1580             foo(blah)
1581         
1582         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1583         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1584         is predicted integer, we generate inline code for an allocation. Otherwise
1585         it turns into a call to an operation that behaves like the constructor would
1586         if it was passed one argument (i.e. it may wrap a buffer or it may create a
1587         copy of another array, or it may allocate an array of that length).
1588
1589         * bytecode/SpeculatedType.cpp:
1590         (JSC::speculationFromTypedArrayType):
1591         (JSC::speculationFromClassInfo):
1592         * bytecode/SpeculatedType.h:
1593         * dfg/DFGAbstractInterpreterInlines.h:
1594         (JSC::DFG::::executeEffects):
1595         * dfg/DFGBackwardsPropagationPhase.cpp:
1596         (JSC::DFG::BackwardsPropagationPhase::propagate):
1597         * dfg/DFGByteCodeParser.cpp:
1598         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1599         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1600         * dfg/DFGCCallHelpers.h:
1601         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1602         * dfg/DFGCSEPhase.cpp:
1603         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1604         * dfg/DFGClobberize.h:
1605         (JSC::DFG::clobberize):
1606         * dfg/DFGFixupPhase.cpp:
1607         (JSC::DFG::FixupPhase::fixupNode):
1608         * dfg/DFGGraph.cpp:
1609         (JSC::DFG::Graph::dump):
1610         * dfg/DFGNode.h:
1611         (JSC::DFG::Node::hasTypedArrayType):
1612         (JSC::DFG::Node::typedArrayType):
1613         * dfg/DFGNodeType.h:
1614         * dfg/DFGOperations.cpp:
1615         (JSC::DFG::newTypedArrayWithSize):
1616         (JSC::DFG::newTypedArrayWithOneArgument):
1617         * dfg/DFGOperations.h:
1618         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1619         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1620         * dfg/DFGPredictionPropagationPhase.cpp:
1621         (JSC::DFG::PredictionPropagationPhase::propagate):
1622         * dfg/DFGSafeToExecute.h:
1623         (JSC::DFG::safeToExecute):
1624         * dfg/DFGSpeculativeJIT.cpp:
1625         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1626         * dfg/DFGSpeculativeJIT.h:
1627         (JSC::DFG::SpeculativeJIT::callOperation):
1628         * dfg/DFGSpeculativeJIT32_64.cpp:
1629         (JSC::DFG::SpeculativeJIT::compile):
1630         * dfg/DFGSpeculativeJIT64.cpp:
1631         (JSC::DFG::SpeculativeJIT::compile):
1632         * jit/JITOpcodes.cpp:
1633         (JSC::JIT::emit_op_new_object):
1634         * jit/JITOpcodes32_64.cpp:
1635         (JSC::JIT::emit_op_new_object):
1636         * runtime/JSArray.h:
1637         (JSC::JSArray::allocationSize):
1638         * runtime/JSArrayBufferView.h:
1639         (JSC::JSArrayBufferView::allocationSize):
1640         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1641         (JSC::constructGenericTypedArrayView):
1642         * runtime/JSObject.h:
1643         (JSC::JSFinalObject::allocationSize):
1644         * runtime/TypedArrayType.cpp:
1645         (JSC::constructorClassInfoForType):
1646         * runtime/TypedArrayType.h:
1647         (JSC::indexToTypedArrayType):
1648
1649 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
1650
1651         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
1652
1653         Reviewed by Geoffrey Garen.
1654
1655         * dfg/DFGOperations.h:
1656
1657 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1658
1659         https://bugs.webkit.org/show_bug.cgi?id=120093
1660         Remove getOwnPropertyDescriptor trap
1661
1662         Reviewed by Geoff Garen.
1663
1664         All implementations of this method are now called via the method table, and equivalent in behaviour.
1665         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
1666
1667         * API/JSCallbackObject.h:
1668         * API/JSCallbackObjectFunctions.h:
1669         * debugger/DebuggerActivation.cpp:
1670         * debugger/DebuggerActivation.h:
1671         * runtime/Arguments.cpp:
1672         * runtime/Arguments.h:
1673         * runtime/ArrayConstructor.cpp:
1674         * runtime/ArrayConstructor.h:
1675         * runtime/ArrayPrototype.cpp:
1676         * runtime/ArrayPrototype.h:
1677         * runtime/BooleanPrototype.cpp:
1678         * runtime/BooleanPrototype.h:
1679             - remove getOwnPropertyDescriptor
1680         * runtime/ClassInfo.h:
1681             - remove getOwnPropertyDescriptor from MethodTable
1682         * runtime/DateConstructor.cpp:
1683         * runtime/DateConstructor.h:
1684         * runtime/DatePrototype.cpp:
1685         * runtime/DatePrototype.h:
1686         * runtime/ErrorPrototype.cpp:
1687         * runtime/ErrorPrototype.h:
1688         * runtime/JSActivation.cpp:
1689         * runtime/JSActivation.h:
1690         * runtime/JSArray.cpp:
1691         * runtime/JSArray.h:
1692         * runtime/JSArrayBuffer.cpp:
1693         * runtime/JSArrayBuffer.h:
1694         * runtime/JSArrayBufferView.cpp:
1695         * runtime/JSArrayBufferView.h:
1696         * runtime/JSCell.cpp:
1697         * runtime/JSCell.h:
1698         * runtime/JSDataView.cpp:
1699         * runtime/JSDataView.h:
1700         * runtime/JSDataViewPrototype.cpp:
1701         * runtime/JSDataViewPrototype.h:
1702         * runtime/JSFunction.cpp:
1703         * runtime/JSFunction.h:
1704         * runtime/JSGenericTypedArrayView.h:
1705         * runtime/JSGenericTypedArrayViewInlines.h:
1706         * runtime/JSGlobalObject.cpp:
1707         * runtime/JSGlobalObject.h:
1708         * runtime/JSNotAnObject.cpp:
1709         * runtime/JSNotAnObject.h:
1710         * runtime/JSONObject.cpp:
1711         * runtime/JSONObject.h:
1712             - remove getOwnPropertyDescriptor
1713         * runtime/JSObject.cpp:
1714         (JSC::JSObject::propertyIsEnumerable):
1715             - switch to call new getOwnPropertyDescriptor member function
1716         (JSC::JSObject::getOwnPropertyDescriptor):
1717             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1718         (JSC::JSObject::defineOwnNonIndexProperty):
1719             - switch to call new getOwnPropertyDescriptor member function
1720         * runtime/JSObject.h:
1721         * runtime/JSProxy.cpp:
1722         * runtime/JSProxy.h:
1723         * runtime/NamePrototype.cpp:
1724         * runtime/NamePrototype.h:
1725         * runtime/NumberConstructor.cpp:
1726         * runtime/NumberConstructor.h:
1727         * runtime/NumberPrototype.cpp:
1728         * runtime/NumberPrototype.h:
1729             - remove getOwnPropertyDescriptor
1730         * runtime/ObjectConstructor.cpp:
1731         (JSC::objectConstructorGetOwnPropertyDescriptor):
1732         (JSC::objectConstructorSeal):
1733         (JSC::objectConstructorFreeze):
1734         (JSC::objectConstructorIsSealed):
1735         (JSC::objectConstructorIsFrozen):
1736             - switch to call new getOwnPropertyDescriptor member function
1737         * runtime/ObjectConstructor.h:
1738             - remove getOwnPropertyDescriptor
1739         * runtime/PropertyDescriptor.h:
1740             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1741         * runtime/RegExpConstructor.cpp:
1742         * runtime/RegExpConstructor.h:
1743         * runtime/RegExpMatchesArray.cpp:
1744         * runtime/RegExpMatchesArray.h:
1745         * runtime/RegExpObject.cpp:
1746         * runtime/RegExpObject.h:
1747         * runtime/RegExpPrototype.cpp:
1748         * runtime/RegExpPrototype.h:
1749         * runtime/StringConstructor.cpp:
1750         * runtime/StringConstructor.h:
1751         * runtime/StringObject.cpp:
1752         * runtime/StringObject.h:
1753             - remove getOwnPropertyDescriptor
1754
1755 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1756
1757         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
1758
1759         Reviewed by Oliver Hunt.
1760
1761         When we flatten an object in dictionary mode, we compact its properties. If the object 
1762         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
1763         compaction its properties fit inline, the object's Structure "forgets" that the object 
1764         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
1765         with bytes = 0, which causes all sorts of badness in CopiedSpace.
1766
1767         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
1768         Butterfly pointer so that the GC doesn't get confused later.
1769
1770         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
1771         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
1772         agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check
1773         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
1774
1775         * heap/SlotVisitorInlines.h:
1776         (JSC::SlotVisitor::copyLater):
1777         * runtime/JSObject.cpp:
1778         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1779         (JSC::JSObject::convertUndecidedToInt32):
1780         (JSC::JSObject::convertUndecidedToDouble):
1781         (JSC::JSObject::convertUndecidedToContiguous):
1782         (JSC::JSObject::convertInt32ToDouble):
1783         (JSC::JSObject::convertInt32ToContiguous):
1784         (JSC::JSObject::genericConvertDoubleToContiguous):
1785         (JSC::JSObject::switchToSlowPutArrayStorage):
1786         (JSC::JSObject::setPrototype):
1787         (JSC::JSObject::putDirectAccessor):
1788         (JSC::JSObject::seal):
1789         (JSC::JSObject::freeze):
1790         (JSC::JSObject::preventExtensions):
1791         (JSC::JSObject::reifyStaticFunctionsForDelete):
1792         (JSC::JSObject::removeDirect):
1793         * runtime/JSObject.h:
1794         (JSC::JSObject::setButterfly):
1795         (JSC::JSObject::putDirectInternal):
1796         (JSC::JSObject::setStructure):
1797         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1798         * runtime/Structure.cpp:
1799         (JSC::Structure::flattenDictionaryStructure):
1800
1801 2013-08-20  Alex Christensen  <achristensen@apple.com>
1802
1803         Compile fix for Win64 after r154156.
1804
1805         Rubber stamped by Oliver Hunt.
1806
1807         * jit/JITStubsMSVC64.asm:
1808         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
1809         cti_vm_throw_slowpath to cti_vm_handle_exception.
1810
1811 2013-08-20  Alex Christensen  <achristensen@apple.com>
1812
1813         <https://webkit.org/b/120076> More work towards a Win64 build
1814
1815         Reviewed by Brent Fulgham.
1816
1817         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1818         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1819         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1820         * JavaScriptCore.vcxproj/copy-files.cmd:
1821         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
1822         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1823         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
1824
1825 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1826
1827         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1828
1829         Reviewed by Geoffrey Garen.
1830
1831         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
1832         initializeLazyWriteBarrierFor* wrapper functions more sane. 
1833
1834         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
1835         and index when triggering the WriteBarrier at the end of compilation. 
1836
1837         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
1838         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
1839         little extra work that really shouldn't have been its responsibility.
1840
1841         * dfg/DFGByteCodeParser.cpp:
1842         (JSC::DFG::ByteCodeParser::addConstant):
1843         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1844         * dfg/DFGDesiredWriteBarriers.cpp:
1845         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1846         (JSC::DFG::DesiredWriteBarrier::trigger):
1847         * dfg/DFGDesiredWriteBarriers.h:
1848         (JSC::DFG::DesiredWriteBarriers::add):
1849         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
1850         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
1851         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1852         * dfg/DFGFixupPhase.cpp:
1853         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1854         * dfg/DFGGraph.h:
1855         (JSC::DFG::Graph::constantRegisterForConstant):
1856
1857 2013-08-20  Michael Saboff  <msaboff@apple.com>
1858
1859         https://bugs.webkit.org/show_bug.cgi?id=120075
1860         REGRESSION (r128400): BBC4 website not displaying pictures
1861
1862         Reviewed by Oliver Hunt.
1863
1864         * runtime/RegExpMatchesArray.h:
1865         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
1866         so that the match results will be reified before any other modification to the results array.
1867
1868 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
1869
1870         Incorrect behavior on emscripten-compiled cube2hash
1871         https://bugs.webkit.org/show_bug.cgi?id=120033
1872
1873         Reviewed by Mark Hahnenberg.
1874         
1875         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
1876         then we should bail attempts to CSE.
1877
1878         * dfg/DFGCSEPhase.cpp:
1879         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1880         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1881
1882 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1883
1884         https://bugs.webkit.org/show_bug.cgi?id=120073
1885         Remove use of GOPD from JSFunction::defineProperty
1886
1887         Reviewed by Oliver Hunt.
1888
1889         Call getOwnPropertySlot to check for existing properties instead.
1890
1891         * runtime/JSFunction.cpp:
1892         (JSC::JSFunction::defineOwnProperty):
1893             - getOwnPropertyDescriptor -> getOwnPropertySlot
1894
1895 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1896
1897         https://bugs.webkit.org/show_bug.cgi?id=120067
1898         Remove getPropertyDescriptor
1899
1900         Reviewed by Oliver Hunt.
1901
1902         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
1903         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
1904
1905         * runtime/JSObject.cpp:
1906         * runtime/JSObject.h:
1907             - remove getPropertyDescriptor
1908         * runtime/ObjectPrototype.cpp:
1909         (JSC::objectProtoFuncLookupGetter):
1910         (JSC::objectProtoFuncLookupSetter):
1911             - replace call to getPropertyDescriptor with getPropertySlot
1912         * runtime/PropertyDescriptor.h:
1913         * runtime/PropertySlot.h:
1914         (JSC::PropertySlot::isAccessor):
1915         (JSC::PropertySlot::isCacheableGetter):
1916         (JSC::PropertySlot::getterSetter):
1917             - rename isGetter() to isAccessor()
1918
1919 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1920
1921         https://bugs.webkit.org/show_bug.cgi?id=120054
1922         Remove some dead code following getOwnPropertyDescriptor cleanup
1923
1924         Reviewed by Oliver Hunt.
1925
1926         * runtime/Lookup.h:
1927         (JSC::getStaticFunctionSlot):
1928             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
1929
1930 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1931
1932         https://bugs.webkit.org/show_bug.cgi?id=120052
1933         Remove custom getOwnPropertyDescriptor for JSProxy
1934
1935         Reviewed by Geoff Garen.
1936
1937         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
1938         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
1939         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
1940         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
1941         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
1942
1943         * runtime/JSProxy.cpp:
1944             - Remove custom getOwnPropertyDescriptor implementation.
1945         * runtime/PropertyDescriptor.h:
1946             - Modify own property access check to perform toThis conversion.
1947
1948 2013-08-20  Alex Christensen  <achristensen@apple.com>
1949
1950         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
1951         https://bugs.webkit.org/show_bug.cgi?id=119512
1952
1953         Reviewed by Brent Fulgham.
1954
1955         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1956         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1957         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1958         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1959         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1960         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1961         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1962         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
1963
1964 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
1965
1966         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
1967
1968         Reviewed by Allan Sandfeld Jensen.
1969
1970         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
1971         instructions and two constants now that DFG is enabled for the sh4 architecture.
1972         These missing ensureSpace calls lead to random crashes.
1973
1974         * assembler/MacroAssemblerSH4.h:
1975         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
1976
1977 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
1978
1979         https://bugs.webkit.org/show_bug.cgi?id=120034
1980         Remove custom getOwnPropertyDescriptor for global objects
1981
1982         Reviewed by Geoff Garen.
1983
1984         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
1985
1986         * runtime/JSGlobalObject.cpp:
1987             - Remove custom getOwnPropertyDescriptor implementation.
1988         * runtime/JSSymbolTableObject.h:
1989         (JSC::symbolTableGet):
1990             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
1991         * runtime/PropertyDescriptor.h:
1992             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
1993         * runtime/PropertySlot.h:
1994         (JSC::PropertySlot::setUndefined):
1995             - This is used by WebCore when blocking access to properties on cross-frame access.
1996               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
1997
1998 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
1999
2000         DFG should inline typedArray.byteOffset
2001         https://bugs.webkit.org/show_bug.cgi?id=119962
2002
2003         Reviewed by Oliver Hunt.
2004         
2005         This adds a new node, GetTypedArrayByteOffset, which inlines
2006         typedArray.byteOffset.
2007         
2008         Also, I improved a bunch of the clobbering logic related to typed arrays
2009         and clobbering in general. For example, PutByOffset/PutStructure are not
2010         clobber-world so they can be handled by most default cases in CSE. Also,
2011         it's better to use the 'Class_field' notation for typed arrays now that
2012         they no longer involve magical descriptor thingies.
2013
2014         * bytecode/SpeculatedType.h:
2015         * dfg/DFGAbstractHeap.h:
2016         * dfg/DFGAbstractInterpreterInlines.h:
2017         (JSC::DFG::::executeEffects):
2018         * dfg/DFGArrayMode.h:
2019         (JSC::DFG::neverNeedsStorage):
2020         * dfg/DFGCSEPhase.cpp:
2021         (JSC::DFG::CSEPhase::getByValLoadElimination):
2022         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2023         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2024         (JSC::DFG::CSEPhase::checkArrayElimination):
2025         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
2026         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
2027         (JSC::DFG::CSEPhase::performNodeCSE):
2028         * dfg/DFGClobberize.h:
2029         (JSC::DFG::clobberize):
2030         * dfg/DFGFixupPhase.cpp:
2031         (JSC::DFG::FixupPhase::fixupNode):
2032         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2033         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2034         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2035         * dfg/DFGNodeType.h:
2036         * dfg/DFGPredictionPropagationPhase.cpp:
2037         (JSC::DFG::PredictionPropagationPhase::propagate):
2038         * dfg/DFGSafeToExecute.h:
2039         (JSC::DFG::safeToExecute):
2040         * dfg/DFGSpeculativeJIT.cpp:
2041         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2042         * dfg/DFGSpeculativeJIT.h:
2043         * dfg/DFGSpeculativeJIT32_64.cpp:
2044         (JSC::DFG::SpeculativeJIT::compile):
2045         * dfg/DFGSpeculativeJIT64.cpp:
2046         (JSC::DFG::SpeculativeJIT::compile):
2047         * dfg/DFGTypeCheckHoistingPhase.cpp:
2048         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2049         * runtime/ArrayBuffer.h:
2050         (JSC::ArrayBuffer::offsetOfData):
2051         * runtime/Butterfly.h:
2052         (JSC::Butterfly::offsetOfArrayBuffer):
2053         * runtime/IndexingHeader.h:
2054         (JSC::IndexingHeader::offsetOfArrayBuffer):
2055
2056 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
2057
2058         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
2059
2060         Reviewed by Geoffrey Garen.
2061
2062         * dfg/DFGByteCodeParser.cpp:
2063         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2064
2065 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2066
2067         https://bugs.webkit.org/show_bug.cgi?id=119995
2068         Start removing custom implementations of getOwnPropertyDescriptor
2069
2070         Reviewed by Oliver Hunt.
2071
2072         This can now typically be implemented in terms of getOwnPropertySlot.
2073         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
2074         Switch over most classes in JSC & the WebCore bindings generator to use this.
2075
2076         * API/JSCallbackObjectFunctions.h:
2077         * debugger/DebuggerActivation.cpp:
2078         * runtime/Arguments.cpp:
2079         * runtime/ArrayConstructor.cpp:
2080         * runtime/ArrayPrototype.cpp:
2081         * runtime/BooleanPrototype.cpp:
2082         * runtime/DateConstructor.cpp:
2083         * runtime/DatePrototype.cpp:
2084         * runtime/ErrorPrototype.cpp:
2085         * runtime/JSActivation.cpp:
2086         * runtime/JSArray.cpp:
2087         * runtime/JSArrayBuffer.cpp:
2088         * runtime/JSArrayBufferView.cpp:
2089         * runtime/JSCell.cpp:
2090         * runtime/JSDataView.cpp:
2091         * runtime/JSDataViewPrototype.cpp:
2092         * runtime/JSFunction.cpp:
2093         * runtime/JSGenericTypedArrayViewInlines.h:
2094         * runtime/JSNotAnObject.cpp:
2095         * runtime/JSONObject.cpp:
2096         * runtime/JSObject.cpp:
2097         * runtime/NamePrototype.cpp:
2098         * runtime/NumberConstructor.cpp:
2099         * runtime/NumberPrototype.cpp:
2100         * runtime/ObjectConstructor.cpp:
2101             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2102         * runtime/PropertyDescriptor.h:
2103             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
2104         * runtime/PropertySlot.h:
2105         (JSC::PropertySlot::isValue):
2106         (JSC::PropertySlot::isGetter):
2107         (JSC::PropertySlot::isCustom):
2108         (JSC::PropertySlot::isCacheableValue):
2109         (JSC::PropertySlot::isCacheableGetter):
2110         (JSC::PropertySlot::isCacheableCustom):
2111         (JSC::PropertySlot::attributes):
2112         (JSC::PropertySlot::getterSetter):
2113             - Add accessors necessary to convert PropertySlot to descriptor.
2114         * runtime/RegExpConstructor.cpp:
2115         * runtime/RegExpMatchesArray.cpp:
2116         * runtime/RegExpMatchesArray.h:
2117         * runtime/RegExpObject.cpp:
2118         * runtime/RegExpPrototype.cpp:
2119         * runtime/StringConstructor.cpp:
2120         * runtime/StringObject.cpp:
2121             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2122
2123 2013-08-19  Michael Saboff  <msaboff@apple.com>
2124
2125         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
2126
2127         Reviewed by Sam Weinig.
2128
2129         * dfg/DFGSpeculativeJIT32_64.cpp:
2130         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
2131         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
2132         all versions of fillSpeculateBoolean().
2133
2134 2013-08-19  Michael Saboff  <msaboff@apple.com>
2135
2136         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
2137
2138         Reviewed by Benjamin Poulain.
2139
2140         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
2141         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
2142
2143         * assembler/MacroAssemblerX86Common.h:
2144         (JSC::MacroAssemblerX86Common::branchTest32):
2145
2146 2013-08-16  Oliver Hunt  <oliver@apple.com>
2147
2148         <https://webkit.org/b/119860> Crash during exception unwinding
2149
2150         Reviewed by Filip Pizlo.
2151
2152         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
2153         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
2154
2155         We need this so that Throw and ThrowReferenceError no longer need to be treated as
2156         terminals and the subsequent flush keeps the activation (and other registers) live.
2157
2158         * dfg/DFGAbstractInterpreterInlines.h:
2159         (JSC::DFG::::executeEffects):
2160         * dfg/DFGByteCodeParser.cpp:
2161         (JSC::DFG::ByteCodeParser::parseBlock):
2162         * dfg/DFGClobberize.h:
2163         (JSC::DFG::clobberize):
2164         * dfg/DFGFixupPhase.cpp:
2165         (JSC::DFG::FixupPhase::fixupNode):
2166         * dfg/DFGNode.h:
2167         (JSC::DFG::Node::isTerminal):
2168         * dfg/DFGNodeType.h:
2169         * dfg/DFGPredictionPropagationPhase.cpp:
2170         (JSC::DFG::PredictionPropagationPhase::propagate):
2171         * dfg/DFGSafeToExecute.h:
2172         (JSC::DFG::safeToExecute):
2173         * dfg/DFGSpeculativeJIT32_64.cpp:
2174         (JSC::DFG::SpeculativeJIT::compile):
2175         * dfg/DFGSpeculativeJIT64.cpp:
2176         (JSC::DFG::SpeculativeJIT::compile):
2177
2178 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2179
2180         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
2181
2182         Reviewed by Oliver Hunt.
2183
2184         Guard the compilation of these files only if DFG_JIT is enabled.
2185
2186         * dfg/DFGDesiredTransitions.cpp:
2187         * dfg/DFGDesiredTransitions.h:
2188         * dfg/DFGDesiredWeakReferences.cpp:
2189         * dfg/DFGDesiredWeakReferences.h:
2190         * dfg/DFGDesiredWriteBarriers.cpp:
2191         * dfg/DFGDesiredWriteBarriers.h:
2192
2193 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2194
2195         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
2196         https://bugs.webkit.org/show_bug.cgi?id=119961
2197
2198         Reviewed by Mark Hahnenberg.
2199
2200         * dfg/DFGFixupPhase.cpp:
2201         (JSC::DFG::FixupPhase::fixupNode):
2202
2203 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2204
2205         https://bugs.webkit.org/show_bug.cgi?id=119972
2206         Add attributes field to PropertySlot
2207
2208         Reviewed by Geoff Garen.
2209
2210         For all JSC types, this makes getOwnPropertyDescriptor redundant.
2211         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
2212         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
2213
2214         No performance impact.
2215
2216         * runtime/PropertySlot.h:
2217         (JSC::PropertySlot::setValue):
2218         (JSC::PropertySlot::setCustom):
2219         (JSC::PropertySlot::setCacheableCustom):
2220         (JSC::PropertySlot::setCustomIndex):
2221         (JSC::PropertySlot::setGetterSlot):
2222         (JSC::PropertySlot::setCacheableGetterSlot):
2223             - These methods now all require 'attributes'.
2224         * runtime/JSObject.h:
2225         (JSC::JSObject::getDirect):
2226         (JSC::JSObject::getDirectOffset):
2227         (JSC::JSObject::inlineGetOwnPropertySlot):
2228             - Added variants of getDirect, getDirectOffset that return the attributes.
2229         * API/JSCallbackObjectFunctions.h:
2230         (JSC::::getOwnPropertySlot):
2231         * runtime/Arguments.cpp:
2232         (JSC::Arguments::getOwnPropertySlotByIndex):
2233         (JSC::Arguments::getOwnPropertySlot):
2234         * runtime/JSActivation.cpp:
2235         (JSC::JSActivation::symbolTableGet):
2236         (JSC::JSActivation::getOwnPropertySlot):
2237         * runtime/JSArray.cpp:
2238         (JSC::JSArray::getOwnPropertySlot):
2239         * runtime/JSArrayBuffer.cpp:
2240         (JSC::JSArrayBuffer::getOwnPropertySlot):
2241         * runtime/JSArrayBufferView.cpp:
2242         (JSC::JSArrayBufferView::getOwnPropertySlot):
2243         * runtime/JSDataView.cpp:
2244         (JSC::JSDataView::getOwnPropertySlot):
2245         * runtime/JSFunction.cpp:
2246         (JSC::JSFunction::getOwnPropertySlot):
2247         * runtime/JSGenericTypedArrayViewInlines.h:
2248         (JSC::::getOwnPropertySlot):
2249         (JSC::::getOwnPropertySlotByIndex):
2250         * runtime/JSObject.cpp:
2251         (JSC::JSObject::getOwnPropertySlotByIndex):
2252         (JSC::JSObject::fillGetterPropertySlot):
2253         * runtime/JSString.h:
2254         (JSC::JSString::getStringPropertySlot):
2255         * runtime/JSSymbolTableObject.h:
2256         (JSC::symbolTableGet):
2257         * runtime/Lookup.cpp:
2258         (JSC::setUpStaticFunctionSlot):
2259         * runtime/Lookup.h:
2260         (JSC::getStaticPropertySlot):
2261         (JSC::getStaticPropertyDescriptor):
2262         (JSC::getStaticValueSlot):
2263         (JSC::getStaticValueDescriptor):
2264         * runtime/RegExpObject.cpp:
2265         (JSC::RegExpObject::getOwnPropertySlot):
2266         * runtime/SparseArrayValueMap.cpp:
2267         (JSC::SparseArrayEntry::get):
2268             - Pass attributes to PropertySlot::set* methods.
2269
2270 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2271
2272         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2273
2274         Reviewed by Filip Pizlo.
2275
2276         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
2277         Vector of WriteBarriers rather than the specific address. The fact that we were 
2278         arbitrarily storing into a Vector's backing store for constants at the end of 
2279         compilation after the Vector could have resized was causing crashes.
2280
2281         * bytecode/CodeBlock.h:
2282         (JSC::CodeBlock::constants):
2283         (JSC::CodeBlock::addConstantLazily):
2284         * dfg/DFGByteCodeParser.cpp:
2285         (JSC::DFG::ByteCodeParser::addConstant):
2286         * dfg/DFGDesiredWriteBarriers.cpp:
2287         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2288         (JSC::DFG::DesiredWriteBarrier::trigger):
2289         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2290         * dfg/DFGDesiredWriteBarriers.h:
2291         (JSC::DFG::DesiredWriteBarriers::add):
2292         * dfg/DFGFixupPhase.cpp:
2293         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2294         * dfg/DFGGraph.h:
2295         (JSC::DFG::Graph::constantRegisterForConstant):
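
An added example (not WebKit code) of the hazard this entry describes: a deferred write recorded as a slot address inside a growable Vector becomes stale once the Vector reallocates, while a (vector, index) pair still resolves to the live slot. The ConstantVector and DesiredWriteBarrier types, the function names and the constructed scenario are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not JSC code: why a deferred write barrier must remember a
   position in the constants Vector rather than the address of a slot. The
   backing store moves when the Vector grows, so an address captured while
   parsing is stale by the time the barrier is triggered at the end of
   compilation; a (vector, index) pair always resolves to the live slot. */

typedef struct {
    uint64_t* data;      /* stands in for the Vector<WriteBarrier<Unknown>> entries */
    size_t size;
    size_t capacity;
} ConstantVector;

/* A deferred barrier carrying both forms of target so the two schemes can be compared. */
typedef struct {
    uintptr_t slotAddress;   /* old scheme: address of the slot, captured at parse time */
    ConstantVector* vector;  /* new scheme: container plus position */
    size_t index;
    uint64_t value;
} DesiredWriteBarrier;

/* Append, growing the backing store. The new block is allocated while the old
   one is still live, so every growth is guaranteed to move the storage. */
static size_t vectorAppend(ConstantVector* v, uint64_t value)
{
    if (v->size == v->capacity) {
        size_t newCapacity = v->capacity ? v->capacity * 2 : 1;
        uint64_t* fresh = malloc(newCapacity * sizeof(uint64_t));
        if (!fresh)
            abort();
        if (v->size)
            memcpy(fresh, v->data, v->size * sizeof(uint64_t));
        free(v->data);
        v->data = fresh;
        v->capacity = newCapacity;
    }
    v->data[v->size] = value;
    return v->size++;
}

/* Old scheme: write through the captured slot address. Refuses (returns false)
   when that address is no longer inside the live backing store, which is the
   write into freed memory that caused the crashes. */
bool triggerByAddress(const DesiredWriteBarrier* b)
{
    uintptr_t begin = (uintptr_t)b->vector->data;
    uintptr_t end = begin + b->vector->size * sizeof(uint64_t);
    if (b->slotAddress < begin || b->slotAddress >= end)
        return false;
    *(uint64_t*)b->slotAddress = b->value;
    return true;
}

/* New scheme: resolve the position against the Vector as it is now. */
bool triggerByIndex(const DesiredWriteBarrier* b)
{
    if (b->index >= b->vector->size)
        return false;
    b->vector->data[b->index] = b->value;
    return true;
}

/* Constructed scenario: the parser records a barrier for constant 0, then adds
   one more constant (one growth is enough to move the storage), and the barrier
   is triggered afterwards. Returns true when the address scheme is detected as stale. */
bool addressSchemeGoesStale(void)
{
    ConstantVector v = { NULL, 0, 0 };
    size_t idx = vectorAppend(&v, 0);
    DesiredWriteBarrier b = { (uintptr_t)&v.data[idx], &v, idx, 42 };
    vectorAppend(&v, 0);                 /* capacity 1 -> 2: backing store moves */
    bool wrote = triggerByAddress(&b);
    free(v.data);
    return !wrote;
}

/* Same scenario with the index scheme: the value lands in the live slot. */
bool indexSchemeStillWrites(void)
{
    ConstantVector v = { NULL, 0, 0 };
    size_t idx = vectorAppend(&v, 0);
    DesiredWriteBarrier b = { (uintptr_t)&v.data[idx], &v, idx, 42 };
    vectorAppend(&v, 0);
    bool ok = triggerByIndex(&b) && v.data[idx] == 42;
    free(v.data);
    return ok;
}
```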
2296
2297 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2298
2299         DFG should optimize typedArray.byteLength
2300         https://bugs.webkit.org/show_bug.cgi?id=119909
2301
2302         Reviewed by Oliver Hunt.
2303         
2304         This adds typedArray.byteLength inlining to the DFG, and does so without changing
2305         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2306         legal since the byteLength of a typed array cannot exceed
2307         numeric_limits<int32_t>::max().
2308
2309         * bytecode/SpeculatedType.cpp:
2310         (JSC::typedArrayTypeFromSpeculation):
2311         * bytecode/SpeculatedType.h:
2312         * dfg/DFGArrayMode.cpp:
2313         (JSC::DFG::toArrayType):
2314         * dfg/DFGArrayMode.h:
2315         * dfg/DFGFixupPhase.cpp:
2316         (JSC::DFG::FixupPhase::fixupNode):
2317         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2318         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2319         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2320         (JSC::DFG::FixupPhase::prependGetArrayLength):
2321         * dfg/DFGGraph.h:
2322         (JSC::DFG::Graph::constantRegisterForConstant):
2323         (JSC::DFG::Graph::convertToConstant):
2324         * runtime/TypedArrayType.h:
2325         (JSC::logElementSize):
2326         (JSC::elementSize):
2327
2328 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2329
2330         DFG optimizes out strict mode arguments tear off
2331         https://bugs.webkit.org/show_bug.cgi?id=119504
2332
2333         Reviewed by Mark Hahnenberg and Oliver Hunt.
2334         
2335         Don't do the optimization for strict mode.
2336
2337         * dfg/DFGArgumentsSimplificationPhase.cpp:
2338         (JSC::DFG::ArgumentsSimplificationPhase::run):
2339         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2340
2341 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
2342
2343         [JSC] x86: improve code generation for xxxTest32
2344         https://bugs.webkit.org/show_bug.cgi?id=119876
2345
2346         Reviewed by Geoffrey Garen.
2347
2348         Try to use testb whenever possible when testing for an immediate value.
2349
2350         When the input is an address and an offset, we can tweak the mask
2351         and offset to be able to generate testb for any byte of the mask.
2352
2353         When the input is a register, we can use testb if we are only interested
2354         in testing the low bits.
2355
2356         * assembler/MacroAssemblerX86Common.h:
2357         (JSC::MacroAssemblerX86Common::branchTest32):
2358         (JSC::MacroAssemblerX86Common::test32):
2359         (JSC::MacroAssemblerX86Common::generateTest32):
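
An added example (not WebKit code) modelling the testb narrowing this entry describes, together with the byte-register rule from the 2013-08-19 branchTest32 fix above (bug 120020): the TestPlan type, the function names and the register tables are assumptions chosen for illustration, not the assembler's own API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not WebKit code: a model of the decision behind
   MacroAssemblerX86Common::generateTest32, namely when a 32-bit "test" against
   an immediate mask can be narrowed to an 8-bit "testb", and of the x86
   byte-register rule that the branchTest32 regression fix had to respect. */

enum TestWidth { TEST_DWORD = 0, TEST_BYTE = 1 };

typedef struct {
    enum TestWidth width;
    int32_t offset;     /* memory operands: offset to test, adjusted for TEST_BYTE */
    uint8_t byteMask;   /* TEST_BYTE: the 8-bit immediate that would be emitted */
} TestPlan;

/* Without a REX prefix, register numbers 4..7 in a byte-sized instruction
   select AH, CH, DH and BH (bits 8..15 of EAX, ECX, EDX, EBX), not the low
   byte of ESP, EBP, ESI and EDI. */
static const char* const kDwordReg[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };
static const char* const kByteReg[8]  = { "al",  "cl",  "dl",  "bl",  "ah",  "ch",  "dh",  "bh"  };

/* Memory operand base+offset: if every set bit of the mask lies in one byte,
   test just that byte. x86 is little-endian, so byte i of the dword sits at
   offset+i, and the mask is shifted down to fit the 8-bit immediate. */
TestPlan planMemoryTest32(int32_t offset, uint32_t mask)
{
    TestPlan plan = { TEST_DWORD, offset, 0 };
    if (!mask)
        return plan;
    for (int byte = 0; byte < 4; byte++) {
        uint32_t lane = 0xffu << (8 * byte);
        if ((mask & ~lane) == 0) {
            plan.width = TEST_BYTE;
            plan.offset = offset + byte;
            plan.byteMask = (uint8_t)(mask >> (8 * byte));
            return plan;
        }
    }
    return plan;
}

/* Register operand: the byte form can only test the low byte, and only for
   registers 0..3. For 4..7 it would read AH/CH/DH/BH of another register
   (the wrong-register bug), so keep the 32-bit test there. */
TestPlan planRegisterTest32(int reg, uint32_t mask)
{
    TestPlan plan = { TEST_DWORD, 0, 0 };
    bool lowByteOnly = mask && (mask & ~0xffu) == 0;
    if (lowByteOnly && reg >= 0 && reg <= 3) {
        plan.width = TEST_BYTE;
        plan.byteMask = (uint8_t)mask;
    }
    return plan;
}

/* Which register a byte-sized test on register number 'reg' really reads,
   next to the 32-bit register the caller meant. */
const char* byteFormReads(int reg) { return (reg >= 0 && reg < 8) ? kByteReg[reg] : "?"; }
const char* dwordRegisterName(int reg) { return (reg >= 0 && reg < 8) ? kDwordReg[reg] : "?"; }
```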
2360
2361 2013-08-16  Mark Lam  <mark.lam@apple.com>
2362
2363         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
2364         error message that an object is not a constructor though it expects a function
2365
2366         Reviewed by Michael Saboff.
2367
2368         * jit/JITStubs.cpp:
2369         (JSC::DEFINE_STUB_FUNCTION):
2370
2371 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2372
2373         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
2374         https://bugs.webkit.org/show_bug.cgi?id=119897
2375
2376         Reviewed by Oliver Hunt.
2377         
2378         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
2379         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
2380         to turn objects into dictionaries when you're storing using bracket syntax or using
2381         eval is still in place.
2382
2383         * bytecode/CodeBlock.h:
2384         (JSC::CodeBlock::putByIdContext):
2385         * dfg/DFGOperations.cpp:
2386         * jit/JITStubs.cpp:
2387         (JSC::DEFINE_STUB_FUNCTION):
2388         * llint/LLIntSlowPaths.cpp:
2389         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2390         * runtime/JSObject.h:
2391         (JSC::JSObject::putDirectInternal):
2392         * runtime/PutPropertySlot.h:
2393         (JSC::PutPropertySlot::PutPropertySlot):
2394         (JSC::PutPropertySlot::context):
2395         * runtime/Structure.cpp:
2396         (JSC::Structure::addPropertyTransition):
2397         * runtime/Structure.h:
2398
2399 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
2400
2401         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
2402
2403         Reviewed by Allan Sandfeld Jensen.
2404
2405         ctiVMHandleException must jump/return using register ra (r31).
2406
2407         * jit/JITStubsMIPS.h:
2408
2409 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
2410
2411         <https://webkit.org/b/119879> Fix sh4 build after r154156.
2412
2413         Reviewed by Allan Sandfeld Jensen.
2414
2415         Fix typo in JITStubsSH4.h file.
2416
2417         * jit/JITStubsSH4.h:
2418
2419 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2420
2421         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
2422
2423         Reviewed by Oliver Hunt.
2424
2425         The concurrent compilation thread should interact minimally with the Heap, including not 
2426         triggering WriteBarriers. This is a prerequisite for generational GC.
2427
2428         * JavaScriptCore.xcodeproj/project.pbxproj:
2429         * bytecode/CodeBlock.cpp:
2430         (JSC::CodeBlock::addOrFindConstant):
2431         (JSC::CodeBlock::findConstant):
2432         * bytecode/CodeBlock.h:
2433         (JSC::CodeBlock::addConstantLazily):
2434         * dfg/DFGByteCodeParser.cpp:
2435         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
2436         (JSC::DFG::ByteCodeParser::constantUndefined):
2437         (JSC::DFG::ByteCodeParser::constantNull):
2438         (JSC::DFG::ByteCodeParser::one):
2439         (JSC::DFG::ByteCodeParser::constantNaN):
2440         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2441         * dfg/DFGCommonData.cpp:
2442         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2443         * dfg/DFGCommonData.h:
2444         * dfg/DFGDesiredTransitions.cpp: Added.
2445         (JSC::DFG::DesiredTransition::DesiredTransition):
2446         (JSC::DFG::DesiredTransition::reallyAdd):
2447         (JSC::DFG::DesiredTransitions::DesiredTransitions):
2448         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
2449         (JSC::DFG::DesiredTransitions::addLazily):
2450         (JSC::DFG::DesiredTransitions::reallyAdd):
2451         * dfg/DFGDesiredTransitions.h: Added.
2452         * dfg/DFGDesiredWeakReferences.cpp: Added.
2453         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2454         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
2455         (JSC::DFG::DesiredWeakReferences::addLazily):
2456         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2457         * dfg/DFGDesiredWeakReferences.h: Added.
2458         * dfg/DFGDesiredWriteBarriers.cpp: Added.
2459         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2460         (JSC::DFG::DesiredWriteBarrier::trigger):
2461         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
2462         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
2463         (JSC::DFG::DesiredWriteBarriers::addImpl):
2464         (JSC::DFG::DesiredWriteBarriers::trigger):
2465         * dfg/DFGDesiredWriteBarriers.h: Added.
2466         (JSC::DFG::DesiredWriteBarriers::add):
2467         (JSC::DFG::initializeLazyWriteBarrier):
2468         * dfg/DFGFixupPhase.cpp:
2469         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2470         * dfg/DFGGraph.h:
2471         (JSC::DFG::Graph::convertToConstant):
2472         * dfg/DFGJITCompiler.h:
2473         (JSC::DFG::JITCompiler::addWeakReference):
2474         * dfg/DFGPlan.cpp:
2475         (JSC::DFG::Plan::Plan):
2476         (JSC::DFG::Plan::reallyAdd):
2477         * dfg/DFGPlan.h:
2478         * dfg/DFGSpeculativeJIT32_64.cpp:
2479         (JSC::DFG::SpeculativeJIT::compile):
2480         * dfg/DFGSpeculativeJIT64.cpp:
2481         (JSC::DFG::SpeculativeJIT::compile):
2482         * runtime/WriteBarrier.h:
2483         (JSC::WriteBarrierBase::set):
2484         (JSC::WriteBarrier::WriteBarrier):
2485
2486 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2487
2488         Fix x86 32bits build after r154158
2489
2490         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
2491
2492 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2493
2494         Build fix attempt after r154156.
2495
2496         * jit/JITStubs.cpp:
2497         (JSC::cti_vm_handle_exception): encode!
2498
2499 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2500
2501         [JSC] x86: Use inc and dec when possible
2502         https://bugs.webkit.org/show_bug.cgi?id=119831
2503
2504         Reviewed by Geoffrey Garen.
2505
2506         When incrementing or decrementing by an immediate of 1, use the instructions
2507         inc and dec instead of add and sub.
2508         The instructions have good timing and their encoding is smaller.
2509
2510         * assembler/MacroAssemblerX86Common.h:
2511         (JSC::MacroAssemblerX86_64::add32):
2512         (JSC::MacroAssemblerX86_64::sub32):
2513         * assembler/MacroAssemblerX86_64.h:
2514         (JSC::MacroAssemblerX86_64::add64):
2515         (JSC::MacroAssemblerX86_64::sub64):
2516         * assembler/X86Assembler.h:
2517         (JSC::X86Assembler::dec_r):
2518         (JSC::X86Assembler::decq_r):
2519         (JSC::X86Assembler::inc_r):
2520         (JSC::X86Assembler::incq_r):
2521
2522 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2523
2524         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
2525         https://bugs.webkit.org/show_bug.cgi?id=119874
2526
2527         Reviewed by Oliver Hunt and Mark Hahnenberg.
2528         
2529         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
2530         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
2531         sometimes for typed array length accesses, and the FixupPhase assuming that a
2532         ForceExit ArrayMode means that it should continue using a generic GetById.
2533
2534         This fixes the confusion.
2535
2536         * dfg/DFGFixupPhase.cpp:
2537         (JSC::DFG::FixupPhase::fixupNode):
2538
2539 2013-08-15  Mark Lam  <mark.lam@apple.com>
2540
2541         Fix crash when performing activation tearoff.
2542         https://bugs.webkit.org/show_bug.cgi?id=119848
2543
2544         Reviewed by Oliver Hunt.
2545
2546         The activation tearoff crash was due to a bug in the baseline JIT.
2547         If we have a scenario where a baseline JIT frame calls a LLINT
2548         frame, an exception may be thrown while in the LLINT.
2549
2550         Interpreter::throwException() which handles the exception will unwind
2551         all frames until it finds a catcher or sees a host frame. When we
2552         return from the LLINT to the baseline JIT code, the baseline JIT code
2553         erroneously sets topCallFrame to the value in its call frame register,
2554         and starts unwinding the stack frames that have already been unwound.
2555
2556         The fix is:
2557         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2558            This is a more accurate description of what this runtime function
2559            is supposed to do, i.e. it handles the exception, which includes doing
2560            nothing (if there are no more frames to unwind).
2561         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
2562            set on it.
2563         3. Reload the call frame register from topCallFrame when we're
2564            returning from a callee and detect exception handling in progress.
2565
2566         * interpreter/Interpreter.cpp:
2567         (JSC::Interpreter::unwindCallFrame):
2568         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2569         (JSC::Interpreter::getStackTrace):
2570         * interpreter/Interpreter.h:
2571         (JSC::TopCallFrameSetter::TopCallFrameSetter):
2572         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2573         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2574         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2575         * jit/JIT.h:
2576         * jit/JITExceptions.cpp:
2577         (JSC::uncaughtExceptionHandler):
2578         - Convenience function to get the handler for uncaught exceptions.
2579         * jit/JITExceptions.h:
2580         * jit/JITInlines.h:
2581         (JSC::JIT::reloadCallFrameFromTopCallFrame):
2582         * jit/JITOpcodes32_64.cpp:
2583         (JSC::JIT::privateCompileCTINativeCall):
2584         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2585         * jit/JITStubs.cpp:
2586         (JSC::throwExceptionFromOpCall):
2587         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2588         (JSC::cti_vm_handle_exception):
2589         - Check for the case when there are no more frames to unwind.
2590         * jit/JITStubs.h:
2591         * jit/JITStubsARM.h:
2592         * jit/JITStubsARMv7.h:
2593         * jit/JITStubsMIPS.h:
2594         * jit/JITStubsSH4.h:
2595         * jit/JITStubsX86.h:
2596         * jit/JITStubsX86_64.h:
2597         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2598         * jit/SlowPathCall.h:
2599         (JSC::JITSlowPathCall::call):
2600         - reload cfr from topCallFrame when handling an exception.
2601         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2602         * jit/ThunkGenerators.cpp:
2603         (JSC::nativeForGenerator):
2604         * llint/LowLevelInterpreter32_64.asm:
2605         * llint/LowLevelInterpreter64.asm:
2606         - reload cfr from topCallFrame when handling an exception.
2607         * runtime/VM.cpp:
2608         (JSC::VM::VM):
2609         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2610
2611 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2612
2613         Remove some code duplication.
2614         
2615         Rubber stamped by Mark Hahnenberg.
2616
2617         * runtime/JSDataViewPrototype.cpp:
2618         (JSC::getData):
2619         (JSC::setData):
2620
2621 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
2622
2623         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
2624         https://bugs.webkit.org/show_bug.cgi?id=119794
2625
2626         Reviewed by Filip Pizlo.
2627
2628         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
2629
2630         * dfg/DFGUseKind.h:
2631         (JSC::DFG::isNumerical):
2632         (JSC::DFG::isDouble):
2633
2634 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2635
2636         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
2637
2638         Rubber stamped by Oliver Hunt.
2639         
2640         This was causing some test crashes for me.
2641
2642         * dfg/DFGCapabilities.cpp:
2643         (JSC::DFG::capabilityLevel):
2644
2645 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2646
2647         [Windows] Clear up improper export declaration.
2648
2649         * runtime/ArrayBufferView.h:
2650
2651 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2652
2653         Unreviewed, remove some unnecessary periods from exceptions.
2654
2655         * runtime/JSDataViewPrototype.cpp:
2656         (JSC::getData):
2657         (JSC::setData):
2658
2659 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2660
2661         Unreviewed, fix 32-bit build.
2662
2663         * dfg/DFGSpeculativeJIT32_64.cpp:
2664         (JSC::DFG::SpeculativeJIT::compile):
2665
2666 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
2667
2668         Typed arrays should be rewritten
2669         https://bugs.webkit.org/show_bug.cgi?id=119064
2670
2671         Reviewed by Oliver Hunt.
2672         
2673         Typed arrays were previously deficient in several major ways:
2674         
2675         - They were defined separately in WebCore and in the jsc shell. The two
2676           implementations were different, and the jsc shell one was basically wrong.
2677           The WebCore one was quite awful, also.
2678         
2679         - Typed arrays were not visible to the JIT except through some weird hooks.
2680           For example, the JIT could not ask "what is the Structure that this typed
2681           array would have if I just allocated it from this global object". Also,
2682           it was difficult to wire any of the typed array intrinsics, because most
2683           of the functionality wasn't visible anywhere in JSC.
2684         
2685         - Typed array allocation was brain-dead. Allocating a typed array involved
2686           two JS objects, two GC weak handles, and three malloc allocations.
2687         
2688         - Neutering. It involved keeping tabs on all native views but not the view
2689           wrappers, even though the native views can autoneuter just by asking the
2690           buffer if it was neutered anytime you touch them; while the JS view
2691           wrappers are the ones that you really want to reach out to.
2692         
2693         - Common case-ing. Most typed arrays have one buffer and one view, and
2694           usually nobody touches the buffer. Yet we created all of that stuff
2695           anyway, using data structures optimized for the case where you had a lot
2696           of views.
2697         
2698         - Semantic goofs. Typed arrays should, in the future, behave like ES
2699           features rather than DOM features, for example when it comes to exceptions.
2700           Firefox already does this and I agree with them.
2701         
2702         This patch cleanses our codebase of these sins:
2703         
2704         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
2705           management of native references to buffers is left to WebCore.
2706         
2707         - Allocating a typed array requires either two GC allocations (a cell and a
2708           copied storage vector) or one GC allocation, a malloc allocation, and a
2709           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
2710           latter). The latter is only used for oversize arrays. Remember that before
2711           it was 7 allocations no matter what.
2712         
2713         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
2714           mode/length, void* vector. Before it was a lot more than that - remember,
2715           there were five additional objects that did absolutely nothing for anybody.
2716         
2717         - Native views aren't tracked by the buffer, or by the wrappers. They are
2718           transient. In the future we'll probably switch to not even having them be
2719           malloc'd.
2720         
2721         - Native array buffers have an efficient way of tracking all of their JS view
2722           wrappers, both for neutering, and for lifecycle management. The GC
2723           special-cases native array buffers. This saves a bunch of grief; for example
2724           it means that a JS view wrapper can refer to its buffer via the butterfly,
2725           which would be dead by the time we went to finalize.
2726         
2727         - Typed array semantics now match Firefox, which also happens to be where the
2728           standards are going. The discussion on webkit-dev seemed to confirm that
2729           Chrome is also heading in this direction. This includes making
2730           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
2731           ArrayBufferView as a JS-visible construct.
2732         
2733         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
2734         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
2735         further typed array optimizations in the JSC JITs, including inlining typed
2736         array allocation, inlining more of the accessors, reducing the cost of type
2737         checks, etc.
2738         
2739         An additional property of this patch is that typed arrays are mostly
2740         implemented using templates. This deduplicates a bunch of code, but does mean
2741         that we need some hacks for exporting s_info's of template classes. See
2742         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
2743         low-impact compared to code duplication.
2744         
2745         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
2746
2747         * CMakeLists.txt:
2748         * DerivedSources.make:
2749         * GNUmakefile.list.am:
2750         * JSCTypedArrayStubs.h: Removed.
2751         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2752         * JavaScriptCore.xcodeproj/project.pbxproj:
2753         * Target.pri:
2754         * bytecode/ByValInfo.h:
2755         (JSC::hasOptimizableIndexingForClassInfo):
2756         (JSC::jitArrayModeForClassInfo):
2757         (JSC::typedArrayTypeForJITArrayMode):
2758         * bytecode/SpeculatedType.cpp:
2759         (JSC::speculationFromClassInfo):
2760         * dfg/DFGArrayMode.cpp:
2761         (JSC::DFG::toTypedArrayType):
2762         * dfg/DFGArrayMode.h:
2763         (JSC::DFG::ArrayMode::typedArrayType):
2764         * dfg/DFGSpeculativeJIT.cpp:
2765         (JSC::DFG::SpeculativeJIT::checkArray):
2766         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2767         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2768         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2769         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2770         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2771         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2772         * dfg/DFGSpeculativeJIT.h:
2773         * dfg/DFGSpeculativeJIT32_64.cpp:
2774         (JSC::DFG::SpeculativeJIT::compile):
2775         * dfg/DFGSpeculativeJIT64.cpp:
2776         (JSC::DFG::SpeculativeJIT::compile):
2777         * heap/CopyToken.h:
2778         * heap/DeferGC.h:
2779         (JSC::DeferGCForAWhile::DeferGCForAWhile):
2780         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
2781         * heap/GCIncomingRefCounted.h: Added.
2782         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
2783         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
2784         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
2785         (JSC::GCIncomingRefCounted::incomingReferenceAt):
2786         (JSC::GCIncomingRefCounted::singletonFlag):
2787         (JSC::GCIncomingRefCounted::hasVectorOfCells):
2788         (JSC::GCIncomingRefCounted::hasAnyIncoming):
2789         (JSC::GCIncomingRefCounted::hasSingleton):
2790         (JSC::GCIncomingRefCounted::singleton):
2791         (JSC::GCIncomingRefCounted::vectorOfCells):
2792         * heap/GCIncomingRefCountedInlines.h: Added.
2793         (JSC::::addIncomingReference):
2794         (JSC::::filterIncomingReferences):
2795         * heap/GCIncomingRefCountedSet.h: Added.
2796         (JSC::GCIncomingRefCountedSet::size):
2797         * heap/GCIncomingRefCountedSetInlines.h: Added.
2798         (JSC::::GCIncomingRefCountedSet):
2799         (JSC::::~GCIncomingRefCountedSet):
2800         (JSC::::addReference):
2801         (JSC::::sweep):
2802         (JSC::::removeAll):
2803         (JSC::::removeDead):
2804         * heap/Heap.cpp:
2805         (JSC::Heap::addReference):
2806         (JSC::Heap::extraSize):
2807         (JSC::Heap::size):
2808         (JSC::Heap::capacity):
2809         (JSC::Heap::collect):
2810         (JSC::Heap::decrementDeferralDepth):
2811         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2812         * heap/Heap.h:
2813         * interpreter/CallFrame.h:
2814         (JSC::ExecState::dataViewTable):
2815         * jit/JIT.h:
2816         * jit/JITPropertyAccess.cpp:
2817         (JSC::JIT::privateCompileGetByVal):
2818         (JSC::JIT::privateCompilePutByVal):
2819         (JSC::JIT::emitIntTypedArrayGetByVal):
2820         (JSC::JIT::emitFloatTypedArrayGetByVal):
2821         (JSC::JIT::emitIntTypedArrayPutByVal):
2822         (JSC::JIT::emitFloatTypedArrayPutByVal):
2823         * jsc.cpp:
2824         (GlobalObject::finishCreation):
2825         * runtime/ArrayBuffer.cpp:
2826         (JSC::ArrayBuffer::transfer):
2827         * runtime/ArrayBuffer.h:
2828         (JSC::ArrayBuffer::createAdopted):
2829         (JSC::ArrayBuffer::ArrayBuffer):
2830         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
2831         (JSC::ArrayBuffer::pin):
2832         (JSC::ArrayBuffer::unpin):
2833         (JSC::ArrayBufferContents::tryAllocate):
2834         * runtime/ArrayBufferView.cpp:
2835         (JSC::ArrayBufferView::ArrayBufferView):
2836         (JSC::ArrayBufferView::~ArrayBufferView):
2837         (JSC::ArrayBufferView::setNeuterable):
2838         * runtime/ArrayBufferView.h:
2839         (JSC::ArrayBufferView::isNeutered):
2840         (JSC::ArrayBufferView::buffer):
2841         (JSC::ArrayBufferView::baseAddress):
2842         (JSC::ArrayBufferView::byteOffset):
2843         (JSC::ArrayBufferView::verifySubRange):
2844         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2845         (JSC::ArrayBufferView::calculateOffsetAndLength):
2846         * runtime/ClassInfo.h:
2847         * runtime/CommonIdentifiers.h:
2848         * runtime/DataView.cpp: Added.
2849         (JSC::DataView::DataView):
2850         (JSC::DataView::create):
2851         (JSC::DataView::wrap):
2852         * runtime/DataView.h: Added.
2853         (JSC::DataView::byteLength):
2854         (JSC::DataView::getType):
2855         (JSC::DataView::get):
2856         (JSC::DataView::set):
2857         * runtime/Float32Array.h:
2858         * runtime/Float64Array.h:
2859         * runtime/GenericTypedArrayView.h: Added.
2860         (JSC::GenericTypedArrayView::data):
2861         (JSC::GenericTypedArrayView::set):
2862         (JSC::GenericTypedArrayView::setRange):
2863         (JSC::GenericTypedArrayView::zeroRange):
2864         (JSC::GenericTypedArrayView::zeroFill):
2865         (JSC::GenericTypedArrayView::length):
2866         (JSC::GenericTypedArrayView::byteLength):
2867         (JSC::GenericTypedArrayView::item):
2868         (JSC::GenericTypedArrayView::checkInboundData):
2869         (JSC::GenericTypedArrayView::getType):
2870         * runtime/GenericTypedArrayViewInlines.h: Added.
2871         (JSC::::GenericTypedArrayView):
2872         (JSC::::create):
2873         (JSC::::createUninitialized):
2874         (JSC::::subarray):
2875         (JSC::::wrap):
2876         * runtime/IndexingHeader.h:
2877         (JSC::IndexingHeader::arrayBuffer):
2878         (JSC::IndexingHeader::setArrayBuffer):
2879         * runtime/Int16Array.h:
2880         * runtime/Int32Array.h:
2881         * runtime/Int8Array.h:
2882         * runtime/JSArrayBuffer.cpp: Added.
2883         (JSC::JSArrayBuffer::JSArrayBuffer):
2884         (JSC::JSArrayBuffer::finishCreation):
2885         (JSC::JSArrayBuffer::create):
2886         (JSC::JSArrayBuffer::createStructure):
2887         (JSC::JSArrayBuffer::getOwnPropertySlot):
2888         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
2889         (JSC::JSArrayBuffer::put):
2890         (JSC::JSArrayBuffer::defineOwnProperty):
2891         (JSC::JSArrayBuffer::deleteProperty):
2892         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2893         * runtime/JSArrayBuffer.h: Added.
2894         (JSC::JSArrayBuffer::impl):
2895         (JSC::toArrayBuffer):
2896         * runtime/JSArrayBufferConstructor.cpp: Added.
2897         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
2898         (JSC::JSArrayBufferConstructor::finishCreation):
2899         (JSC::JSArrayBufferConstructor::create):
2900         (JSC::JSArrayBufferConstructor::createStructure):
2901         (JSC::constructArrayBuffer):
2902         (JSC::JSArrayBufferConstructor::getConstructData):
2903         (JSC::JSArrayBufferConstructor::getCallData):
2904         * runtime/JSArrayBufferConstructor.h: Added.
2905         * runtime/JSArrayBufferPrototype.cpp: Added.
2906         (JSC::arrayBufferProtoFuncSlice):
2907         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
2908         (JSC::JSArrayBufferPrototype::finishCreation):
2909         (JSC::JSArrayBufferPrototype::create):
2910         (JSC::JSArrayBufferPrototype::createStructure):
2911         * runtime/JSArrayBufferPrototype.h: Added.
2912         * runtime/JSArrayBufferView.cpp: Added.
2913         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2914         (JSC::JSArrayBufferView::JSArrayBufferView):
2915         (JSC::JSArrayBufferView::finishCreation):
2916         (JSC::JSArrayBufferView::getOwnPropertySlot):
2917         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
2918         (JSC::JSArrayBufferView::put):
2919         (JSC::JSArrayBufferView::defineOwnProperty):
2920         (JSC::JSArrayBufferView::deleteProperty):
2921         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2922         (JSC::JSArrayBufferView::finalize):
2923         * runtime/JSArrayBufferView.h: Added.
2924         (JSC::JSArrayBufferView::sizeOf):
2925         (JSC::JSArrayBufferView::ConstructionContext::operator!):
2926         (JSC::JSArrayBufferView::ConstructionContext::structure):
2927         (JSC::JSArrayBufferView::ConstructionContext::vector):
2928         (JSC::JSArrayBufferView::ConstructionContext::length):
2929         (JSC::JSArrayBufferView::ConstructionContext::mode):
2930         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
2931         (JSC::JSArrayBufferView::mode):
2932         (JSC::JSArrayBufferView::vector):
2933         (JSC::JSArrayBufferView::length):
2934         (JSC::JSArrayBufferView::offsetOfVector):
2935         (JSC::JSArrayBufferView::offsetOfLength):
2936         (JSC::JSArrayBufferView::offsetOfMode):
2937         * runtime/JSArrayBufferViewInlines.h: Added.
2938         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
2939         (JSC::JSArrayBufferView::buffer):
2940         (JSC::JSArrayBufferView::impl):
2941         (JSC::JSArrayBufferView::neuter):
2942         (JSC::JSArrayBufferView::byteOffset):
2943         * runtime/JSCell.cpp:
2944         (JSC::JSCell::slowDownAndWasteMemory):
2945         (JSC::JSCell::getTypedArrayImpl):
2946         * runtime/JSCell.h:
2947         * runtime/JSDataView.cpp: Added.
2948         (JSC::JSDataView::JSDataView):
2949         (JSC::JSDataView::create):
2950         (JSC::JSDataView::createUninitialized):
2951         (JSC::JSDataView::set):
2952         (JSC::JSDataView::typedImpl):
2953         (JSC::JSDataView::getOwnPropertySlot):
2954         (JSC::JSDataView::getOwnPropertyDescriptor):
2955         (JSC::JSDataView::slowDownAndWasteMemory):
2956         (JSC::JSDataView::getTypedArrayImpl):
2957         (JSC::JSDataView::createStructure):
2958         * runtime/JSDataView.h: Added.
2959         * runtime/JSDataViewPrototype.cpp: Added.
2960         (JSC::JSDataViewPrototype::JSDataViewPrototype):
2961         (JSC::JSDataViewPrototype::create):
2962         (JSC::JSDataViewPrototype::createStructure):
2963         (JSC::JSDataViewPrototype::getOwnPropertySlot):
2964         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
2965         (JSC::getData):
2966         (JSC::setData):
2967         (JSC::dataViewProtoFuncGetInt8):
2968         (JSC::dataViewProtoFuncGetInt16):
2969         (JSC::dataViewProtoFuncGetInt32):
2970         (JSC::dataViewProtoFuncGetUint8):
2971         (JSC::dataViewProtoFuncGetUint16):
2972         (JSC::dataViewProtoFuncGetUint32):
2973         (JSC::dataViewProtoFuncGetFloat32):
2974         (JSC::dataViewProtoFuncGetFloat64):
2975         (JSC::dataViewProtoFuncSetInt8):
2976         (JSC::dataViewProtoFuncSetInt16):
2977         (JSC::dataViewProtoFuncSetInt32):
2978         (JSC::dataViewProtoFuncSetUint8):
2979         (JSC::dataViewProtoFuncSetUint16):
2980         (JSC::dataViewProtoFuncSetUint32):
2981         (JSC::dataViewProtoFuncSetFloat32):
2982         (JSC::dataViewProtoFuncSetFloat64):
2983         * runtime/JSDataViewPrototype.h: Added.
2984         * runtime/JSFloat32Array.h: Added.
2985         * runtime/JSFloat64Array.h: Added.
2986         * runtime/JSGenericTypedArrayView.h: Added.
2987         (JSC::JSGenericTypedArrayView::byteLength):
2988         (JSC::JSGenericTypedArrayView::byteSize):
2989         (JSC::JSGenericTypedArrayView::typedVector):
2990         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
2991         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
2992         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
2993         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
2994         (JSC::JSGenericTypedArrayView::getIndexQuickly):
2995         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
2996         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
2997         (JSC::JSGenericTypedArrayView::setIndexQuickly):
2998         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
2999         (JSC::JSGenericTypedArrayView::typedImpl):
3000         (JSC::JSGenericTypedArrayView::createStructure):
3001         (JSC::JSGenericTypedArrayView::info):
3002         (JSC::toNativeTypedView):
3003         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
3004         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
3005         (JSC::::JSGenericTypedArrayViewConstructor):
3006         (JSC::::finishCreation):
3007         (JSC::::create):
3008         (JSC::::createStructure):
3009         (JSC::constructGenericTypedArrayView):
3010         (JSC::::getConstructData):
3011         (JSC::::getCallData):
3012         * runtime/JSGenericTypedArrayViewInlines.h: Added.
3013         (JSC::::JSGenericTypedArrayView):
3014         (JSC::::create):
3015         (JSC::::createUninitialized):
3016         (JSC::::validateRange):
3017         (JSC::::setWithSpecificType):
3018         (JSC::::set):
3019         (JSC::::getOwnPropertySlot):
3020         (JSC::::getOwnPropertyDescriptor):
3021         (JSC::::put):
3022         (JSC::::defineOwnProperty):
3023         (JSC::::deleteProperty):
3024         (JSC::::getOwnPropertySlotByIndex):
3025         (JSC::::putByIndex):
3026         (JSC::::deletePropertyByIndex):
3027         (JSC::::getOwnNonIndexPropertyNames):
3028         (JSC::::getOwnPropertyNames):
3029         (JSC::::visitChildren):
3030         (JSC::::copyBackingStore):
3031         (JSC::::slowDownAndWasteMemory):
3032         (JSC::::getTypedArrayImpl):
3033         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
3034         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
3035         (JSC::genericTypedArrayViewProtoFuncSet):
3036         (JSC::genericTypedArrayViewProtoFuncSubarray):
3037         (JSC::::JSGenericTypedArrayViewPrototype):
3038         (JSC::::finishCreation):
3039         (JSC::::create):
3040         (JSC::::createStructure):
3041         * runtime/JSGlobalObject.cpp:
3042         (JSC::JSGlobalObject::reset):
3043         (JSC::JSGlobalObject::visitChildren):
3044         * runtime/JSGlobalObject.h:
3045         (JSC::JSGlobalObject::arrayBufferPrototype):
3046         (JSC::JSGlobalObject::arrayBufferStructure):
3047         (JSC::JSGlobalObject::typedArrayStructure):
3048         * runtime/JSInt16Array.h: Added.
3049         * runtime/JSInt32Array.h: Added.
3050         * runtime/JSInt8Array.h: Added.
3051         * runtime/JSTypedArrayConstructors.cpp: Added.
3052         * runtime/JSTypedArrayConstructors.h: Added.
3053         * runtime/JSTypedArrayPrototypes.cpp: Added.
3054         * runtime/JSTypedArrayPrototypes.h: Added.
3055         * runtime/JSTypedArrays.cpp: Added.
3056         * runtime/JSTypedArrays.h: Added.
3057         * runtime/JSUint16Array.h: Added.
3058         * runtime/JSUint32Array.h: Added.
3059         * runtime/JSUint8Array.h: Added.
3060         * runtime/JSUint8ClampedArray.h: Added.
3061         * runtime/Operations.h:
3062         * runtime/Options.h:
3063         * runtime/SimpleTypedArrayController.cpp: Added.
3064         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
3065         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
3066         (JSC::SimpleTypedArrayController::toJS):
3067         * runtime/SimpleTypedArrayController.h: Added.
3068         * runtime/Structure.h:
3069         (JSC::Structure::couldHaveIndexingHeader):
3070         * runtime/StructureInlines.h:
3071         (JSC::Structure::hasIndexingHeader):
3072         * runtime/TypedArrayAdaptors.h: Added.
3073         (JSC::IntegralTypedArrayAdaptor::toNative):
3074         (JSC::IntegralTypedArrayAdaptor::toJSValue):
3075         (JSC::IntegralTypedArrayAdaptor::toDouble):
3076         (JSC::FloatTypedArrayAdaptor::toNative):
3077         (JSC::FloatTypedArrayAdaptor::toJSValue):
3078         (JSC::FloatTypedArrayAdaptor::toDouble):
3079         (JSC::Uint8ClampedAdaptor::toNative):
3080         (JSC::Uint8ClampedAdaptor::toJSValue):
3081         (JSC::Uint8ClampedAdaptor::toDouble):
3082         (JSC::Uint8ClampedAdaptor::clamp):
3083         * runtime/TypedArrayController.cpp: Added.
3084         (JSC::TypedArrayController::TypedArrayController):
3085         (JSC::TypedArrayController::~TypedArrayController):
3086         * runtime/TypedArrayController.h: Added.
3087         * runtime/TypedArrayDescriptor.h: Removed.
3088         * runtime/TypedArrayInlines.h: Added.
3089         * runtime/TypedArrayType.cpp: Added.
3090         (JSC::classInfoForType):
3091         (WTF::printInternal):
3092         * runtime/TypedArrayType.h: Added.
3093         (JSC::toIndex):
3094         (JSC::isTypedView):
3095         (JSC::elementSize):
3096         (JSC::isInt):
3097         (JSC::isFloat):
3098         (JSC::isSigned):
3099         (JSC::isClamped):
3100         * runtime/TypedArrays.h: Added.
3101         * runtime/Uint16Array.h:
3102         * runtime/Uint32Array.h:
3103         * runtime/Uint8Array.h:
3104         * runtime/Uint8ClampedArray.h:
3105         * runtime/VM.cpp:
3106         (JSC::VM::VM):
3107         (JSC::VM::~VM):
3108         * runtime/VM.h:
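        The JS-visible semantics this entry settles on (Uint8ClampedArray is not a Uint8Array subtype, ArrayBufferView is not a JS-visible construct, out-of-range views fail with an ES exception, and clamped element conversion), checked in an added example that is not part of the WebKit patch. toUint8Clamp is a hypothetical JS reference for what the patch's Uint8ClampedAdaptor::clamp does natively, and the sample values are constructed.

```javascript
// Added example, not WebKit code: checks the JS-visible typed array semantics
// the ChangeLog entry above describes, against a current engine. Every input
// below is constructed for the example.

// Hypothetical reference element conversion for Uint8ClampedArray, the job
// JSC's Uint8ClampedAdaptor::clamp does natively: clamp to [0, 255], then
// round half to even (ES ToUint8Clamp). NaN converts to 0.
function toUint8Clamp(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n <= 0) return 0;
  if (n >= 255) return 255;
  const f = Math.floor(n);
  if (n - f > 0.5) return f + 1;
  if (n - f < 0.5) return f;
  return f % 2 === 0 ? f : f + 1; // exact tie: round half to even
}

// Returns true when the engine's Uint8ClampedArray agrees with toUint8Clamp
// on every value, otherwise the first mismatch so a failure is easy to read.
function clampMatchesEngine(values) {
  const engine = new Uint8ClampedArray(values);
  for (let i = 0; i < values.length; i++) {
    const reference = toUint8Clamp(values[i]);
    if (engine[i] !== reference) {
      return { index: i, input: values[i], engine: engine[i], reference };
    }
  }
  return true;
}

// Constructed edge cases: negatives, overflow, ties on both sides of an even
// integer, non-finite values, and a numeric string.
const CLAMP_SAMPLES = [
  -1, -0.5, 0, 0.5, 1.5, 2.5, 10.7, 254.5, 255, 255.5, 300,
  NaN, Infinity, -Infinity, "12",
];

// The semantic points the entry lists: Uint8ClampedArray is not a Uint8Array,
// there is no JS-visible ArrayBufferView, and constructing a view outside its
// buffer throws an ES RangeError rather than a DOM-style exception.
function typedArraySemantics() {
  const clamped = new Uint8ClampedArray(4);
  let viewError = null;
  try {
    // byte offset 8 into a 4-byte buffer
    new Uint8Array(new ArrayBuffer(4), 8);
  } catch (e) {
    viewError = e;
  }
  return {
    clampedIsNotUint8Array: !(clamped instanceof Uint8Array),
    clampedNotOnUint8ArrayChain: !Uint8Array.prototype.isPrototypeOf(clamped),
    noGlobalArrayBufferView: typeof globalThis.ArrayBufferView === "undefined",
    outOfBoundsViewThrowsRangeError: viewError instanceof RangeError,
  };
}

console.log(clampMatchesEngine(CLAMP_SAMPLES), typedArraySemantics());
```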
3109
3110 2013-08-15  Oliver Hunt  <oliver@apple.com>
3111
3112         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
3113
3114         Reviewed by Filip Pizlo.
3115
3116         Make sure dfgCapabilities doesn't report a Dynamic put as
3117         being compilable when we don't actually support it.
3118
3119         * bytecode/CodeBlock.cpp:
3120         (JSC::CodeBlock::dumpBytecode):
3121         * dfg/DFGCapabilities.cpp:
3122         (JSC::DFG::capabilityLevel):
3123
3124 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
3125
3126         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
3127         https://bugs.webkit.org/show_bug.cgi?id=119847
3128
3129         Reviewed by Oliver Hunt.
3130
3131         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
3132         * runtime/ArrayBufferView.h: Ditto.
3133
3134 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
3135
3136         https://bugs.webkit.org/show_bug.cgi?id=119843
3137         PropertySlot::setValue is ambiguous
3138
3139         Reviewed by Geoff Garen.
3140
3141         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
3142         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
3143         Unify on always providing the object, and remove the version that just takes a value.
3144         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
3145         Provide a version of setValue that takes a JSString as the owner of the property.
3146         We won't store this, but it makes it clear that this interface should only be used from JSString.
3147
3148         * API/JSCallbackObjectFunctions.h:
3149         (JSC::::getOwnPropertySlot):
3150         * JSCTypedArrayStubs.h:
3151         * runtime/Arguments.cpp:
3152         (JSC::Arguments::getOwnPropertySlotByIndex):
3153         (JSC::Arguments::getOwnPropertySlot):
3154         * runtime/JSActivation.cpp:
3155         (JSC::JSActivation::symbolTableGet):
3156         (JSC::JSActivation::getOwnPropertySlot):
3157         * runtime/JSArray.cpp:
3158         (JSC::JSArray::getOwnPropertySlot):
3159         * runtime/JSObject.cpp:
3160         (JSC::JSObject::getOwnPropertySlotByIndex):
3161         * runtime/JSString.h:
3162         (JSC::JSString::getStringPropertySlot):
3163         * runtime/JSSymbolTableObject.h:
3164         (JSC::symbolTableGet):
3165         * runtime/SparseArrayValueMap.cpp:
3166         (JSC::SparseArrayEntry::get):
3167             - Pass object containing property to PropertySlot::setValue
3168         * runtime/PropertySlot.h:
3169         (JSC::PropertySlot::setValue):
3170             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
3171         (JSC::PropertySlot::setUndefined):
3172             - removed setValue(JSValue), added setValue(JSString*, JSValue)
3173
3174 2013-08-15  Oliver Hunt  <oliver@apple.com>
3175
3176         Remove bogus assertion.
3177
3178         RS=Filip Pizlo
3179
3180         * dfg/DFGAbstractInterpreterInlines.h:
3181         (JSC::DFG::::executeEffects):
3182
3183 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3184
3185         REGRESSION(r148790) Made 7 tests fail on x86 32bit
3186         https://bugs.webkit.org/show_bug.cgi?id=114913
3187
3188         Reviewed by Filip Pizlo.
3189
3190         The X87 register was not freed before some calls. Instead
3191         of inserting resetX87Registers at the last call sites,
3192         the two X87 registers are now freed in every call.
3193
3194         * llint/LowLevelInterpreter32_64.asm:
3195         * llint/LowLevelInterpreter64.asm:
3196         * offlineasm/instructions.rb:
3197         * offlineasm/x86.rb:
3198
3199 2013-08-14  Michael Saboff  <msaboff@apple.com>
3200
3201         Fixed jit on Win64.
3202         https://bugs.webkit.org/show_bug.cgi?id=119601
3203
3204         Reviewed by Oliver Hunt.
3205
3206         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
3207         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
3208         * jit/SlowPathCall.h:
3209         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
3210
3211 2013-08-14  Alex Christensen  <achristensen@apple.com>
3212
3213         Compile fix for Win64 with jit disabled.
3214         https://bugs.webkit.org/show_bug.cgi?id=119804
3215
3216         Reviewed by Michael Saboff.
3217
3218         * offlineasm/cloop.rb: Added std:: before isnan.
3219
3220 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
3221
3222         DFG_JIT implementation for sh4 architecture.
3223         https://bugs.webkit.org/show_bug.cgi?id=119737
3224
3225         Reviewed by Oliver Hunt.
3226
3227         * assembler/MacroAssemblerSH4.h:
3228         (JSC::MacroAssemblerSH4::invert):
3229         (JSC::MacroAssemblerSH4::add32):
3230         (JSC::MacroAssemblerSH4::and32):
3231         (JSC::MacroAssemblerSH4::lshift32):
3232         (JSC::MacroAssemblerSH4::mul32):
3233         (JSC::MacroAssemblerSH4::or32):
3234         (JSC::MacroAssemblerSH4::rshift32):
3235         (JSC::MacroAssemblerSH4::sub32):
3236         (JSC::MacroAssemblerSH4::xor32):
3237         (JSC::MacroAssemblerSH4::store32):
3238         (JSC::MacroAssemblerSH4::swapDouble):
3239         (JSC::MacroAssemblerSH4::storeDouble):
3240         (JSC::MacroAssemblerSH4::subDouble):
3241         (JSC::MacroAssemblerSH4::mulDouble):
3242         (JSC::MacroAssemblerSH4::divDouble):
3243         (JSC::MacroAssemblerSH4::negateDouble):
3244         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
3245         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
3246         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
3247         (JSC::MacroAssemblerSH4::swap):
3248         (JSC::MacroAssemblerSH4::jump):
3249         (JSC::MacroAssemblerSH4::branchNeg32):
3250         (JSC::MacroAssemblerSH4::branchAdd32):
3251         (JSC::MacroAssemblerSH4::branchMul32):
3252         (JSC::MacroAssemblerSH4::urshift32):
3253         * assembler/SH4Assembler.h:
3254         (JSC::SH4Assembler::SH4Assembler):
3255         (JSC::SH4Assembler::labelForWatchpoint):
3256         (JSC::SH4Assembler::label):
3257         (JSC::SH4Assembler::debugOffset):
3258         * dfg/DFGAssemblyHelpers.h:
3259         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
3260         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
3261         (JSC::DFG::AssemblyHelpers::debugCall):
3262         * dfg/DFGCCallHelpers.h:
3263         (JSC::DFG::CCallHelpers::setupArguments):
3264         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
3265         * dfg/DFGFPRInfo.h:
3266         (JSC::DFG::FPRInfo::toRegister):
3267         (JSC::DFG::FPRInfo::toIndex):
3268         (JSC::DFG::FPRInfo::debugName):
3269         * dfg/DFGGPRInfo.h:
3270         (JSC::DFG::GPRInfo::toRegister):
3271         (JSC::DFG::GPRInfo::toIndex):
3272         (JSC::DFG::GPRInfo::debugName):
3273         * dfg/DFGOperations.cpp:
3274         * dfg/DFGSpeculativeJIT.h:
3275         (JSC::DFG::SpeculativeJIT::callOperation):
3276         * jit/JITStubs.h:
3277         * jit/JITStubsSH4.h:
3278
3279 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3280
3281         Unreviewed, fix build.
3282
3283         * API/JSValue.mm:
3284         (isDate):
3285         (isArray):
3286         * API/JSWrapperMap.mm:
3287         (tryUnwrapObjcObject):
3288         * API/ObjCCallbackFunction.mm:
3289         (tryUnwrapBlock):
3290
3291 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3292
3293         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
3294         https://bugs.webkit.org/show_bug.cgi?id=119770
3295
3296         Reviewed by Mark Hahnenberg.
3297
3298         * API/JSCallbackConstructor.cpp:
3299         (JSC::JSCallbackConstructor::finishCreation):
3300         * API/JSCallbackConstructor.h:
3301         (JSC::JSCallbackConstructor::createStructure):
3302         * API/JSCallbackFunction.cpp:
3303         (JSC::JSCallbackFunction::finishCreation):
3304         * API/JSCallbackFunction.h:
3305         (JSC::JSCallbackFunction::createStructure):
3306         * API/JSCallbackObject.cpp:
3307         (JSC::::createStructure):
3308         * API/JSCallbackObject.h:
3309         (JSC::JSCallbackObject::visitChildren):
3310         * API/JSCallbackObjectFunctions.h:
3311         (JSC::::asCallbackObject):
3312         (JSC::::finishCreation):
3313         * API/JSObjectRef.cpp:
3314         (JSObjectGetPrivate):
3315         (JSObjectSetPrivate):
3316         (JSObjectGetPrivateProperty):
3317         (JSObjectSetPrivateProperty):
3318         (JSObjectDeletePrivateProperty):
3319         * API/JSValueRef.cpp:
3320         (JSValueIsObjectOfClass):
3321         * API/JSWeakObjectMapRefPrivate.cpp:
3322         * API/ObjCCallbackFunction.h:
3323         (JSC::ObjCCallbackFunction::createStructure):
3324         * JSCTypedArrayStubs.h:
3325         * bytecode/CallLinkStatus.cpp:
3326         (JSC::CallLinkStatus::CallLinkStatus):
3327         (JSC::CallLinkStatus::function):
3328         (JSC::CallLinkStatus::internalFunction):
3329         * bytecode/CodeBlock.h:
3330         (JSC::baselineCodeBlockForInlineCallFrame):
3331         * bytecode/SpeculatedType.cpp:
3332         (JSC::speculationFromClassInfo):
3333         * bytecode/UnlinkedCodeBlock.cpp:
3334         (JSC::UnlinkedFunctionExecutable::visitChildren):
3335         (JSC::UnlinkedCodeBlock::visitChildren):
3336         (JSC::UnlinkedProgramCodeBlock::visitChildren):
3337         * bytecode/UnlinkedCodeBlock.h:
3338         (JSC::UnlinkedFunctionExecutable::createStructure):
3339         (JSC::UnlinkedProgramCodeBlock::createStructure):
3340         (JSC::UnlinkedEvalCodeBlock::createStructure):
3341         (JSC::UnlinkedFunctionCodeBlock::createStructure):
3342         * debugger/Debugger.cpp:
3343         * debugger/DebuggerActivation.cpp:
3344         (JSC::DebuggerActivation::visitChildren):
3345         * debugger/DebuggerActivation.h:
3346         (JSC::DebuggerActivation::createStructure):
3347         * debugger/DebuggerCallFrame.cpp:
3348         (JSC::DebuggerCallFrame::functionName):
3349         * dfg/DFGAbstractInterpreterInlines.h:
3350         (JSC::DFG::::executeEffects):
3351         * dfg/DFGByteCodeParser.cpp:
3352         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3353         (JSC::DFG::ByteCodeParser::parseBlock):
3354         * dfg/DFGFixupPhase.cpp:
3355         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
3356         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):