FTL ArithMod Int32Use doesn't check for negative zero correctly
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        FTL ArithMod Int32Use doesn't check for negative zero correctly
        https://bugs.webkit.org/show_bug.cgi?id=120905

        Reviewed by Mark Hahnenberg.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        FTL ArithNeg Int32Use doesn't check negative zero
        https://bugs.webkit.org/show_bug.cgi?id=120900

        Reviewed by Mark Hahnenberg.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):

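The two entries above concern the same property of the Int32 fast path. The JavaScript below is an added example, not WebKit or JSC code: a reference model of the negative-zero checks that ArithMod and ArithNeg need under Int32Use, cross-checked against the language's own `%` and unary minus on constructed inputs. The names INT32_MIN, `exit` and the `reason` strings are chosen here and do not correspond to JSC identifiers.

```javascript
// Added example (not WebKit/JSC code): a reference model of the Int32 fast path
// for ArithMod (a % b) and ArithNeg (-a), showing the inputs for which the result
// cannot live in an int32 register, so the JIT must exit the speculative code.
//
// JS `%` takes the sign of the dividend, so -4 % 2 is -0 rather than 0, and unary
// minus on 0 yields -0. An int32 cannot represent -0, so a fast path that speculates
// "int32 in, int32 out" has to detect exactly these inputs. (In the real DFG/FTL the
// check can be skipped when no consumer of the value can tell -0 from 0; this model
// always performs it.)

const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// An Int32Use input is an actual int32 value: integral, in range, and not -0.
function isInt32(v) {
  return Number.isInteger(v) && !Object.is(v, -0) && v >= INT32_MIN && v <= INT32_MAX;
}

// Model of the speculative Int32 ArithMod. `exit: true` means the speculation
// does not hold for this input and the JIT would have to take the slow path.
function int32ArithMod(a, b) {
  if (!isInt32(a) || !isInt32(b)) return { exit: true, reason: 'not-int32-input' };
  if (b === 0) return { exit: true, reason: 'divide-by-zero' }; // JS result is NaN
  const r = a % b; // magnitude is exact for int32 operands
  // The check named in the bug title: a zero remainder with a negative dividend
  // is -0 in JS (this also covers INT32_MIN % -1, whose JS result is -0).
  if (r === 0 && a < 0) return { exit: true, reason: 'negative-zero' };
  return { exit: false, value: r };
}

// Model of the speculative Int32 ArithNeg.
function int32ArithNeg(a) {
  if (!isInt32(a)) return { exit: true, reason: 'not-int32-input' };
  if (a === 0) return { exit: true, reason: 'negative-zero' };    // -0 is not an int32
  if (a === INT32_MIN) return { exit: true, reason: 'overflow' }; // 2^31 is not an int32
  return { exit: false, value: -a };
}

// What the fast path computes if the negative-zero check is missing: truncating to
// int32 silently turns -0 into +0, which a program can observe via Object.is or 1/x.
function buggyInt32Mod(a, b) { return (a % b) | 0; }
function buggyLosesSign(a, b) { return !Object.is(buggyInt32Mod(a, b), a % b); }

// Constructed sample inputs covering the sign, zero and boundary cases.
const SAMPLE_MOD_CASES = [
  [-4, 2], [4, -2], [-7, 3], [7, -3], [0, 5], [5, 0],
  [INT32_MIN, -1], [INT32_MIN, 1], [INT32_MAX, -1],
];
const SAMPLE_NEG_CASES = [0, 5, -5, INT32_MIN, INT32_MAX];

// Cross-check the model against the language: whenever it commits to a value, that
// value must equal the real result exactly (Object.is tells -0 from 0), and whenever
// it exits, the real result must indeed be something an int32 cannot hold.
function modelAgreesWithJS() {
  for (const [a, b] of SAMPLE_MOD_CASES) {
    const m = int32ArithMod(a, b);
    const real = a % b;
    if (m.exit ? isInt32(real) : !Object.is(m.value, real)) return false;
  }
  for (const a of SAMPLE_NEG_CASES) {
    const m = int32ArithNeg(a);
    const real = -a;
    if (m.exit ? isInt32(real) : !Object.is(m.value, real)) return false;
  }
  return true;
}

// Summarise which constructed inputs force an exit, and why.
function exitReasons() {
  const out = {};
  for (const [a, b] of SAMPLE_MOD_CASES) {
    const m = int32ArithMod(a, b);
    if (m.exit) out[`${a} % ${b}`] = m.reason;
  }
  for (const a of SAMPLE_NEG_CASES) {
    const m = int32ArithNeg(a);
    if (m.exit) out[`-(${a})`] = m.reason;
  }
  return out;
}

console.log(exitReasons());
```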
2013-09-06  Anders Carlsson  <andersca@apple.com>

        Stop using fastNew/fastDelete in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=120898

        Reviewed by Oliver Hunt.

        Change all the hash table members in ExecState to be OwnPtrs and use
        adoptPtr instead. Also, since none of the hash tables can be null, change their getters
        to return references and propagate the reference types wherever we know that a HashTable can't be null.

        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        (JSC::ExecState::promiseResolverPrototypeTable):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::lookupPut):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        Concurrent FTL causes !hasOptimizedReplacement() asserts in cti_optimize
        https://bugs.webkit.org/show_bug.cgi?id=120890

        Reviewed by Mark Hahnenberg.

        Don't install an FTL code block if the DFG code block has already been jettisoned.

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=120781

        Reviewed by Mark Hahnenberg.

        Roll this back in with a build fix.

        - Use some method table hacks to detect if the CheckStructure optimization is
          valid for to_this.

        - Introduce a FinalObjectUse and use it for ToThis->Identity conversion.

        This looks like it might be perf-neutral on the major benchmarks, but it
        introduces some horrible performance cliffs. For example if you add methods to
        the Array prototype, you'll get horrible performance cliffs. As in virtual calls
        to C++ every time you call a JS function even if it's inlined.
        LongSpider/3d-cube appears to hit this.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):

2013-09-05  Filip Pizlo  <fpizlo@apple.com>

        Introduce a way to run benchmarks and JSRegress as stress tests with different jsc command-line options
        https://bugs.webkit.org/show_bug.cgi?id=120808

        Reviewed by Mark Hahnenberg and rubber stamped by Geoffrey Garen.

        Allow --useExperimentalFTL=true even if FTL isn't built since this simplifies
        testing.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2013-09-06  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed build fix for the GTK port when building with FTL JIT enabled.

        * GNUmakefile.list.am: Add the missing files to the build.

2013-09-05  Oliver Hunt  <oliver@apple.com>

        Make it simpler to introduce new data types to the global object
        https://bugs.webkit.org/show_bug.cgi?id=120801

        Reviewed by Gavin Barraclough.

        Add an iterator macro that lists all the "simple" ES types (e.g. type
        consists of instance, constructor, and prototype classes), so that
        we don't need to have every new type litter JSGlobalObject.{cpp,h} with
        members, accessors, and manual GC visiting.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:

2013-09-05  Mark Rowe  <mrowe@apple.com>

        Roll out r155149 since it broke the build.

2013-09-05  Michael Saboff  <msaboff@apple.com>

        Cleanup formatting of byte code debug output

        Rubber stamped by Filip Pizlo.

        Put the formatting of the byte code offset and operation into one common function to
        simplify and unify formatting.  Changed CodeBlock::registerName() to return
        "this" for argument register 0, "argN" for other argument registers and "locN" for
        local registers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::registerName):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::printLocationAndOp):
        (JSC::CodeBlock::printLocationOpAndRegisterOperand):

2013-09-05  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=120781

        Reviewed by Mark Hahnenberg.

        - Use some method table hacks to detect if the CheckStructure optimization is
          valid for to_this.

        - Introduce a FinalObjectUse and use it for ToThis->Identity conversion.

        This looks like it might be perf-neutral on the major benchmarks, but it
        introduces some horrible performance cliffs. For example if you add methods to
        the Array prototype, you'll get horrible performance cliffs. As in virtual calls
        to C++ every time you call a JS function even if it's inlined.
        LongSpider/3d-cube appears to hit this.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):

2013-09-05  Anders Carlsson  <andersca@apple.com>

        GCAssertions.h should use STL type traits and static_assert
        https://bugs.webkit.org/show_bug.cgi?id=120785

        Reviewed by Andreas Kling.

        There's no need to rely on compiler specific support to figure out if a class is trivially destructible,
        we can just use type traits from STL. Do this, fix the assert macro to use static_assert directly and
        rename it from ASSERT_HAS_TRIVIAL_DESTRUCTOR to STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE to clarify that
        it's a static assert and to match the STL nomenclature.

        * API/JSCallbackFunction.cpp:
        * debugger/DebuggerActivation.cpp:
        * heap/GCAssertions.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseResolverConstructor.cpp:
        * runtime/JSPromiseResolverPrototype.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:

2013-09-05  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix for DebugSuffix target.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Don't build 64-bit assembly in 32-bit build.
        Also correct 'filters' file so that files appear in categories that match their on-disk locations.

2013-09-04  Filip Pizlo  <fpizlo@apple.com>

        jsc tests should have timeouts
        https://bugs.webkit.org/show_bug.cgi?id=120725

        Reviewed by Geoffrey Garen.

        Add the timeout logic directly to 'jsc' because that's easier to do than
        writing shell/perl code for it.

        * jsc.cpp:
        (timeoutThreadMain):
        (main):

2013-09-04  Filip Pizlo  <fpizlo@apple.com>

        fast/js/dfg-* tests should wait for the concurrent JIT
        https://bugs.webkit.org/show_bug.cgi?id=120723

        Reviewed by Geoffrey Garen.

        * runtime/TestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles): This should also handle constructors.

2013-09-04  Filip Pizlo  <fpizlo@apple.com>

        run-fast-jsc should work with new-school fast/js tests that loop until the DFG tiers up
        https://bugs.webkit.org/show_bug.cgi?id=120697

        Reviewed by Mark Hahnenberg.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionNeverInlineFunction):
        (functionNumberOfDFGCompiles):
        * runtime/TestRunnerUtils.cpp: Added.
        (JSC::getExecutable):
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * runtime/TestRunnerUtils.h: Added.

2013-09-04  Mark Lam  <mark.lam@apple.com>

        Renamed StackIterator to StackVisitor.
        https://bugs.webkit.org/show_bug.cgi?id=120706.

        Reviewed by Geoffrey Garen.

        Also did some minor refactoring:
        - Renamed StackIterator::iterate() to StackVisitor::visit().
        - Make StackVisitor::visit() a static method.
        - Move the instantiation of the StackVisitor instance into StackVisitor::visit()
          from CallFrame::iterate().
        - Removed StackIterator::resetIterator() and inline its body into the
          StackVisitor constructor since this is the only remaining caller of it.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::operator()):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/Interpreter.cpp:
        (JSC::DumpRegisterFunctor::operator()):
        (JSC::unwindCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::UnwindFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackIterator.cpp: Removed.
        * interpreter/StackIterator.h: Removed.
        * interpreter/StackVisitor.cpp: Copied from Source/JavaScriptCore/interpreter/StackIterator.cpp.
        (JSC::StackVisitor::StackVisitor):
        (JSC::StackVisitor::gotoNextFrame):
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::codeType):
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::sourceURL):
        (JSC::StackVisitor::Frame::toString):
        (JSC::StackVisitor::Frame::arguments):
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        (JSC::StackVisitor::Frame::retrieveExpressionInfo):
        (JSC::StackVisitor::Frame::setToEnd):
        (JSC::StackVisitor::Frame::print):
        (DebugPrintFrameFunctor::operator()):
        * interpreter/StackVisitor.h: Copied from Source/JavaScriptCore/interpreter/StackIterator.h.
        (JSC::StackVisitor::visit):
        * jsc.cpp:
        (FunctionJSCStackFunctor::operator()):
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::operator()):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::GlobalFuncProtoSetterFunctor::operator()):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):

2013-09-04  Roger Fong  <roger_fong@apple.com>

        Unreviewed Build fix for Windows DebugSuffix configuration.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-09-04  Mark Lam  <mark.lam@apple.com>

        Refining the StackIterator callback interface.
        https://bugs.webkit.org/show_bug.cgi?id=120695.

        Reviewed by Geoffrey Garen.

        Introduce CallFrame::iterate() which instantiates a StackIterator and
        invokes its iterate() method with the passed in functor. The only place
        where the client code gets access to the StackIterator now is as an
        argument to the client's functor.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::unwind):
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::StackIterator):
        (DebugPrintFrameFunctor::DebugPrintFrameFunctor):
        (DebugPrintFrameFunctor::operator()):
        (debugPrintCallFrame):
        (debugPrintStack):
        * interpreter/StackIterator.h:
        (JSC::StackIterator::iterate):
        * jsc.cpp:
        (functionJSCStack):
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * runtime/JSFunction.cpp:
        (JSC::retrieveArguments):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):

2013-09-04  Benjamin Poulain  <benjamin@webkit.org>

        JSGenericTypedArrayViewConstructor.h is referenced twice in the XCode project build section, causing warnings
        https://bugs.webkit.org/show_bug.cgi?id=120698

        Reviewed by Darin Adler.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-09-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT in MarkedAllocator::allocateSlowCase is wrong
        https://bugs.webkit.org/show_bug.cgi?id=120639

        Reviewed by Oliver Hunt.

        ASSERT(!m_heap->shouldCollect()) is no longer true due to our use of the GC
        deferral mechanism. We could technically be beyond our byte allocation limit,
        but still not try to collect due to deferral. This patch amends shouldCollect()
        to return false if GC is currently deferred.

        * heap/Heap.h:
        (JSC::Heap::shouldCollect):

2013-09-03  Filip Pizlo  <fpizlo@apple.com>

        The DFG should be able to tier-up and OSR enter into the FTL
        https://bugs.webkit.org/show_bug.cgi?id=112838

        Reviewed by Mark Hahnenberg.

        This adds the ability for the DFG to tier-up into the FTL. This works in both
        of the expected tier-up modes:

        Replacement: frequently called functions eventually have their entrypoint
        replaced with one that goes into FTL-compiled code. Note, this will be a
        slow-down for now since we don't yet have LLVM calling convention integration.

        OSR entry: code stuck in hot loops gets OSR'd into the FTL from the DFG.

        This means that if the DFG detects that a function is an FTL candidate, it
        inserts execution counting code similar to the kind that the baseline JIT
        would use. If you trip on a loop count in a loop header that is an OSR
        candidate (it's not an inlined loop), we do OSR; otherwise we do replacement.
        OSR almost always also implies future replacement.

        OSR entry into the FTL is really cool. It uses a specialized FTL compile of
        the code, where early in the DFG pipeline we replace the original root block
        with an OSR entrypoint block that jumps to the pre-header of the hot loop.
        The OSR entrypoint loads all live state at the loop pre-header using loads
        from a scratch buffer, which gets populated by the runtime's OSR entry
        preparation code (FTL::prepareOSREntry()). This approach appears to work well
        with all of our subsequent optimizations, including prediction propagation,
        CFA, and LICM. LLVM seems happy with it, too. Best of all, it works naturally
        with concurrent compilation: when we hit the tier-up trigger we spawn a
        compilation plan at the bytecode index from which we triggered; once the
        compilation finishes the next trigger will try to enter, at that bytecode
        index. If it can't - for example because the code has moved on to another
        loop - then we just try again. Loops that get hot enough for OSR entry (about
        25,000 iterations) will probably still be running when a concurrent compile
        finishes, so this doesn't appear to be a big problem.

        This immediately gives us a 70% speed-up on imaging-gaussian-blur. We could
        get a bigger speed-up by adding some more intelligence and tweaking LLVM to
        compile code faster. Those things will happen eventually but this is a good
        start. Probably this code will see more tuning as we get more coverage in the
        FTL JIT, but I'll worry about that in future patches.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * bytecode/CodeBlock.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::killBlockAndItsContents):
        (JSC::DFG::Graph::killUnreachableBlocks):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
        (JSC::DFG::JITCode::optimizeNextInvocation):
        (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
        (JSC::DFG::JITCode::optimizeAfterWarmUp):
        (JSC::DFG::JITCode::optimizeSoon):
        (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
        (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGLoopPreHeaderCreationPhase.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::unlinkedLocal):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntrypointCreationPhase.cpp: Added.
        (JSC::DFG::OSREntrypointCreationPhase::OSREntrypointCreationPhase):
        (JSC::DFG::OSREntrypointCreationPhase::run):
        (JSC::DFG::performOSREntrypointCreation):
        * dfg/DFGOSREntrypointCreationPhase.h: Added.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp: Added.
        (JSC::DFG::TierUpCheckInjectionPhase::TierUpCheckInjectionPhase):
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::performTierUpCheckInjection):
        * dfg/DFGTierUpCheckInjectionPhase.h: Added.
        * dfg/DFGToFTLDeferredCompilationCallback.cpp: Added.
        (JSC::DFG::ToFTLDeferredCompilationCallback::ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::~ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLDeferredCompilationCallback.h: Added.
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: Added.
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::~ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: Added.
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCapabilities.h:
        * ftl/FTLForOSREntryJITCode.cpp: Added.
        (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode):
        (JSC::FTL::ForOSREntryJITCode::~ForOSREntryJITCode):
        (JSC::FTL::ForOSREntryJITCode::ftlForOSREntry):
        (JSC::FTL::ForOSREntryJITCode::initializeEntryBuffer):
        * ftl/FTLForOSREntryJITCode.h: Added.
        (JSC::FTL::ForOSREntryJITCode::entryBuffer):
        (JSC::FTL::ForOSREntryJITCode::setBytecodeIndex):
        (JSC::FTL::ForOSREntryJITCode::bytecodeIndex):
        (JSC::FTL::ForOSREntryJITCode::countEntryFailure):
        (JSC::FTL::ForOSREntryJITCode::entryFailureCount):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::addWeakReference):
        * ftl/FTLOSREntry.cpp: Added.
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLOSREntry.h: Added.
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::crashNonTerminal):
        (JSC::FTL::Output::crash):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * interpreter/Register.h:
        (JSC::Register::unboxedDouble):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JITCode.cpp:
        (JSC::JITCode::ftlForOSREntry):
        * jit/JITCode.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureWorklist):
        * runtime/VM.h:

2013-09-03  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock memory cost reporting should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120615

        Reviewed by Darin Adler.

        Report the size of the instruction stream, and then remind the GC that we're
        using memory when we trace.

        This is a slight slow-down on some JSBench tests because it makes us GC a
        bit more frequently. But I think it's well worth it; if we really want those
        tests to GC less frequently then we can achieve that through other kinds of
        tuning. It's better that the GC knows that CodeBlocks do in fact use memory;
        what it does with that information is a somewhat orthogonal question.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitAggregate):

2013-09-03  Mark Lam  <mark.lam@apple.com>

        Converting StackIterator to a callback interface.
        https://bugs.webkit.org/show_bug.cgi?id=120564.

        Reviewed by Filip Pizlo.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::BacktraceFunctor):
        (BacktraceFunctor::operator()):
        (JSContextCreateBacktrace):
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
        (JSC::DumpRegisterFunctor::operator()):
        (JSC::Interpreter::dumpRegisters):
        (JSC::unwindCallFrame):
        (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::stackTraceAsString):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrameWithFilter):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (DebugPrintStackFunctor::operator()):
        (debugPrintStack): Added for debugging convenience.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::index):
        (JSC::StackIterator::iterate):
        * jsc.cpp:
        (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
        (FunctionJSCStackFunctor::operator()):
        (functionJSCStack):
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
        (JSC::AddParentForConsoleStartFunctor::foundParent):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor):
        (JSC::RetrieveArgumentsFunctor::result):
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::retrieveArguments):
738         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
739         (JSC::RetrieveCallerFunctionFunctor::result):
740         (JSC::RetrieveCallerFunctionFunctor::operator()):
741         (JSC::retrieveCallerFunction):
742         * runtime/JSGlobalObjectFunctions.cpp:
743         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
744         (JSC::GlobalFuncProtoGetterFunctor::result):
745         (JSC::GlobalFuncProtoGetterFunctor::operator()):
746         (JSC::globalFuncProtoGetter):
747         (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
748         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
749         (JSC::GlobalFuncProtoSetterFunctor::operator()):
750         (JSC::globalFuncProtoSetter):
751         * runtime/ObjectConstructor.cpp:
752         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
753         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
754         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
755         (JSC::objectConstructorGetPrototypeOf):
756
757 2013-09-03  Oliver Hunt  <oliver@apple.com>
758
759         Support structured clone of Map and Set
760         https://bugs.webkit.org/show_bug.cgi?id=120654
761
762         Reviewed by Simon Fraser.
763
764         Make xcode copy the required headers, and add appropriate export attributes
765
766         * JavaScriptCore.xcodeproj/project.pbxproj:
767         * runtime/JSMap.h:
768         * runtime/JSSet.h:
769         * runtime/MapData.h:
770
771 2013-09-02  Ryosuke Niwa  <rniwa@webkit.org>
772
773         Support the "json" responseType and JSON response entity in XHR
774         https://bugs.webkit.org/show_bug.cgi?id=73648
775
776         Reviewed by Oliver Hunt.
777
778         Based on the patch written by Jarred Nicholls.
779
780         Add JSC::JSONParse. This function will be used in XMLHttpRequest.response of type 'json'.
781
782         * JavaScriptCore.xcodeproj/project.pbxproj:
783         * runtime/JSONObject.cpp:
784         (JSC::JSONParse):
785         * runtime/JSONObject.h:
786
787 2013-09-02  Filip Pizlo  <fpizlo@apple.com>
788
789         CodeBlock::jettison() should be implicit
790         https://bugs.webkit.org/show_bug.cgi?id=120567
791
792         Reviewed by Oliver Hunt.
793         
794         This is a risky change from a performance standpoint, but I believe it's
795         necessary. This makes all CodeBlocks get swept by GC. Nobody but the GC
796         can delete CodeBlocks because the GC always holds a reference to them.
797         Once a CodeBlock reaches just one reference (i.e. the one from the GC)
798         then the GC will free it only if it's not on the stack.
799         
800         This allows me to get rid of the jettisoning logic. We need this for FTL
801         tier-up. Well; we don't need it, but it will help prevent a lot of bugs.
802         Previously, if you wanted to replace one code block with another, you
803         had to remember to tell the GC that the previous code block is
804         "jettisoned". We would need to do this when tiering up from DFG to FTL
805         and when dealing with DFG-to-FTL OSR entry code blocks. There are a lot
806         of permutations here - tiering up to the FTL, OSR entering into the FTL,
807         deciding that an OSR entry code block is not relevant anymore - just to
808         name a few. In each of these cases we'd have to jettison the previous
809         code block. It smells like a huge source of future bugs.
810         
811         So I made jettisoning implicit by making the GC always watch out for a
812         CodeBlock being owned solely by the GC.
813         
814         This change is performance neutral.
815
816         * CMakeLists.txt:
817         * GNUmakefile.list.am:
818         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
819         * JavaScriptCore.xcodeproj/project.pbxproj:
820         * Target.pri:
821         * bytecode/CodeBlock.cpp:
822         (JSC::CodeBlock::CodeBlock):
823         (JSC::CodeBlock::~CodeBlock):
824         (JSC::CodeBlock::visitAggregate):
825         (JSC::CodeBlock::jettison):
826         * bytecode/CodeBlock.h:
827         (JSC::CodeBlock::setJITCode):
828         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
829         (JSC::CodeBlockSet::mark):
830         * dfg/DFGCommonData.h:
831         (JSC::DFG::CommonData::CommonData):
832         * heap/CodeBlockSet.cpp: Added.
833         (JSC::CodeBlockSet::CodeBlockSet):
834         (JSC::CodeBlockSet::~CodeBlockSet):
835         (JSC::CodeBlockSet::add):
836         (JSC::CodeBlockSet::clearMarks):
837         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
838         (JSC::CodeBlockSet::traceMarked):
839         * heap/CodeBlockSet.h: Added.
840         * heap/ConservativeRoots.cpp:
841         (JSC::ConservativeRoots::add):
842         * heap/ConservativeRoots.h:
843         * heap/DFGCodeBlocks.cpp: Removed.
844         * heap/DFGCodeBlocks.h: Removed.
845         * heap/Heap.cpp:
846         (JSC::Heap::markRoots):
847         (JSC::Heap::deleteAllCompiledCode):
848         (JSC::Heap::deleteUnmarkedCompiledCode):
849         * heap/Heap.h:
850         * interpreter/JSStack.cpp:
851         (JSC::JSStack::gatherConservativeRoots):
852         * interpreter/JSStack.h:
853         * runtime/Executable.cpp:
854         (JSC::ScriptExecutable::installCode):
855         * runtime/Executable.h:
856         * runtime/VM.h:
857
858 2013-09-02  Darin Adler  <darin@apple.com>
859
860         [Mac] No need for HardAutorelease, which is same as CFBridgingRelease
861         https://bugs.webkit.org/show_bug.cgi?id=120569
862
863         Reviewed by Andy Estes.
864
865         * API/JSValue.mm:
866         (valueToString): Use CFBridgingRelease.
867
868 2013-08-30  Filip Pizlo  <fpizlo@apple.com>
869
870         CodeBlock refactoring broke profile dumping
871         https://bugs.webkit.org/show_bug.cgi?id=120551
872
873         Reviewed by Michael Saboff.
874         
875         Fixed the bug, and did a big clean-up of how Executable returns CodeBlocks. A lot
876         of the problems we have with code like CodeBlock::baselineVersion() are that we
877         were trying *way too hard* to side-step the fact that Executable can't return a
878         CodeBlock*. Previously it could only return CodeBlock&, so if it didn't have a
879         CodeBlock yet, you were screwed. And if you didn't know, or weren't sure, if it
880         did have a CodeBlock, you were really going to have a bad time. Also it really
881         bugs me that the methods were called generatedBytecode(). In all other contexts
882         if you ask for a CodeBlock, then the method to call is codeBlock(). So I made all
883         of those changes.
884
885         * bytecode/CodeBlock.cpp:
886         (JSC::CodeBlock::baselineVersion):
887         (JSC::ProgramCodeBlock::replacement):
888         (JSC::EvalCodeBlock::replacement):
889         (JSC::FunctionCodeBlock::replacement):
890         (JSC::CodeBlock::globalObjectFor):
891         * bytecode/CodeOrigin.cpp:
892         (JSC::InlineCallFrame::hash):
893         * dfg/DFGOperations.cpp:
894         * interpreter/Interpreter.cpp:
895         (JSC::Interpreter::execute):
896         (JSC::Interpreter::executeCall):
897         (JSC::Interpreter::executeConstruct):
898         (JSC::Interpreter::prepareForRepeatCall):
899         * jit/JITCode.h:
900         (JSC::JITCode::isExecutableScript):
901         (JSC::JITCode::isLowerTier):
902         * jit/JITStubs.cpp:
903         (JSC::lazyLinkFor):
904         (JSC::DEFINE_STUB_FUNCTION):
905         * llint/LLIntSlowPaths.cpp:
906         (JSC::LLInt::traceFunctionPrologue):
907         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
908         (JSC::LLInt::setUpCall):
909         * runtime/ArrayPrototype.cpp:
910         (JSC::isNumericCompareFunction):
911         * runtime/CommonSlowPaths.h:
912         (JSC::CommonSlowPaths::arityCheckFor):
913         * runtime/Executable.cpp:
914         (JSC::ScriptExecutable::installCode):
915         * runtime/Executable.h:
916         (JSC::EvalExecutable::codeBlock):
917         (JSC::ProgramExecutable::codeBlock):
918         (JSC::FunctionExecutable::eitherCodeBlock):
919         (JSC::FunctionExecutable::codeBlockForCall):
920         (JSC::FunctionExecutable::codeBlockForConstruct):
921         (JSC::FunctionExecutable::codeBlockFor):
922         * runtime/FunctionExecutableDump.cpp:
923         (JSC::FunctionExecutableDump::dump):
924
925 2013-08-30  Oliver Hunt  <oliver@apple.com>
926
927         Implement ES6 Set class
928         https://bugs.webkit.org/show_bug.cgi?id=120549
929
930         Reviewed by Filip Pizlo.
931
932         We simply reuse the MapData type from JSMap, making
933         it much simpler.
934
935         * JavaScriptCore.xcodeproj/project.pbxproj:
936         * runtime/CommonIdentifiers.h:
937         * runtime/JSGlobalObject.cpp:
938         (JSC::JSGlobalObject::reset):
939         (JSC::JSGlobalObject::visitChildren):
940         * runtime/JSGlobalObject.h:
941         (JSC::JSGlobalObject::setStructure):
942         * runtime/JSSet.cpp: Added.
943         (JSC::JSSet::visitChildren):
944         (JSC::JSSet::finishCreation):
945         * runtime/JSSet.h: Added.
946         (JSC::JSSet::createStructure):
947         (JSC::JSSet::create):
948         (JSC::JSSet::mapData):
949         (JSC::JSSet::JSSet):
950         * runtime/SetConstructor.cpp: Added.
951         (JSC::SetConstructor::finishCreation):
952         (JSC::callSet):
953         (JSC::constructSet):
954         (JSC::SetConstructor::getConstructData):
955         (JSC::SetConstructor::getCallData):
956         * runtime/SetConstructor.h: Added.
957         (JSC::SetConstructor::create):
958         (JSC::SetConstructor::createStructure):
959         (JSC::SetConstructor::SetConstructor):
960         * runtime/SetPrototype.cpp: Added.
961         (JSC::SetPrototype::finishCreation):
962         (JSC::getMapData):
963         (JSC::setProtoFuncAdd):
964         (JSC::setProtoFuncClear):
965         (JSC::setProtoFuncDelete):
966         (JSC::setProtoFuncForEach):
967         (JSC::setProtoFuncHas):
968         (JSC::setProtoFuncSize):
969         * runtime/SetPrototype.h: Added.
970         (JSC::SetPrototype::create):
971         (JSC::SetPrototype::createStructure):
972         (JSC::SetPrototype::SetPrototype):
973
974 2013-08-30  Oliver Hunt  <oliver@apple.com>
975
976         Make JSValue bool conversion less dangerous
977         https://bugs.webkit.org/show_bug.cgi?id=120505
978
979         Reviewed by Darin Adler.
980
981         Replaces JSValue::operator bool() with an operator UnspecifiedBoolType* as
982         we do elsewhere.  Then fix the places where terrible type coercion was
983         happening.  All of the changes made had no fundamental behavioural impact
984         as they were coercion results that were ignored (returning undefined 
985         after an exception).  
986
987         * dfg/DFGOperations.cpp:
988         * interpreter/CallFrame.h:
989         (JSC::ExecState::hadException):
990         * runtime/JSCJSValue.h:
991         * runtime/JSCJSValueInlines.h:
992         (JSC::JSValue::operator UnspecifiedBoolType*):
993         * runtime/JSGlobalObjectFunctions.cpp:
994         (JSC::globalFuncEval):
995         * runtime/PropertyDescriptor.cpp:
996         (JSC::PropertyDescriptor::equalTo)
997
998 2013-08-30  Chris Curtis  <chris_curtis@apple.com>
999
1000         Cleaning errorDescriptionForValue after r154839
1001         https://bugs.webkit.org/show_bug.cgi?id=120531
1002         
1003         Reviewed by Darin Adler.
1004         
1005         Changed the assert to ASSERT_NOT_REACHED, now that r154839 has landed. errorDescriptionForValue 
1006         can assert again that the parameterized JSValue is !isEmpty().
1007         
1008         * runtime/ExceptionHelpers.cpp:
1009         (JSC::errorDescriptionForValue):
1010
1011 2013-08-30  Antti Koivisto  <antti@apple.com>
1012
1013         Remove code behind ENABLE(DIALOG_ELEMENT)
1014         https://bugs.webkit.org/show_bug.cgi?id=120467
1015
1016         Reviewed by Darin Adler.
1017
1018         * Configurations/FeatureDefines.xcconfig:
1019
1020 2013-08-29  Andreas Kling  <akling@apple.com>
1021
1022         De-bork Qt build.
1023
1024         * Target.pri:
1025
1026 2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>
1027
1028         Unreviewed build fix attempt for Windows.
1029
1030         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1031         Renamed JSMapConstructor and JSMapPrototype.
1032
1033 2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>
1034
1035         Fix build break after r154861
1036         https://bugs.webkit.org/show_bug.cgi?id=120503
1037
1038         Reviewed by Geoffrey Garen.
1039
1040         Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports.
1041
1042         * CMakeLists.txt:
1043         * GNUmakefile.list.am:
1044         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1045         * Target.pri:
1046         * runtime/MapData.h:
1047         (JSC::MapData::KeyType::KeyType):
1048
1049 2013-08-29  Andreas Kling  <akling@apple.com>
1050
1051         CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
1052         <https://webkit.org/b/120487>
1053
1054         Reviewed by Oliver Hunt.
1055
1056         CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
1057         instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
1058         exact amount of space needed.
1059
1060         * bytecode/CodeBlock.h:
1061         * bytecode/CodeBlock.cpp:
1062         (JSC::CodeBlock::CodeBlock):
1063         (JSC::CodeBlock::shrinkToFit):
1064
1065 2013-08-29  Oliver Hunt  <oliver@apple.com>
1066
1067         Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)
1068
1069         * runtime/MapData.h:
1070         (JSC::MapData::KeyType::KeyType):
1071
1072 2013-08-29  Oliver Hunt  <oliver@apple.com>
1073
1074
1075         Implement ES6 Map object
1076         https://bugs.webkit.org/show_bug.cgi?id=120333
1077
1078         Reviewed by Geoffrey Garen.
1079
1080         Implement support for the ES6 Map type and related classes.
1081
1082         * JavaScriptCore.xcodeproj/project.pbxproj:
1083         * heap/CopyToken.h: Add a new token to track copying the backing store
1084         * runtime/CommonIdentifiers.h: Add new identifiers
1085         * runtime/JSGlobalObject.cpp:
1086         * runtime/JSGlobalObject.h:
1087             Add new structures and prototypes
1088
1089         * runtime/JSMap.cpp: Added.
1090         * runtime/JSMap.h: Added.
1091             New JSMap class to represent a Map instance
1092
1093         * runtime/MapConstructor.cpp: Added.
1094         * runtime/MapConstructor.h: Added.
1095             The Map constructor
1096
1097         * runtime/MapData.cpp: Added.
1098         * runtime/MapData.h: Added.
1099             The most interesting data structure.  This roughly corresponds
1100             to the ES6 notion of MapData.  It provides the core JSValue->JSValue
1101             map implementation.  We implement it using 2 hashtables and a flat
1102             table.  Due to the different semantics of string comparisons vs.
1103             all others we need to have one map keyed by String and the other by
1104             generic JSValue.  The actual table is represented more or less
1105             exactly as described in the ES6 draft - a single contiguous list of
1106             key/value pairs.  The entire map could be achieved with just this
1107             table; however, we need the HashMaps in order to maintain O(1) lookup.
1108
1109             Deleted values are simply cleared as the draft says; however, the
1110             implementation compacts the storage on copy as long as there are no
1111             active iterators.
1112
1113         * runtime/MapPrototype.cpp: Added.
1114         * runtime/MapPrototype.h: Added.
1115             Implement Map prototype functions
1116
1117         * runtime/VM.cpp:
1118             Add new structures.
1119
1120 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
1121
1122         Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
1123         https://bugs.webkit.org/show_bug.cgi?id=120489
1124
1125         Reviewed by Geoffrey Garen.
1126         
1127         If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
1128         DFG compilation but we've also started one or more FTL compilations, then we
1129         shouldn't get confused. Previously we would have gotten confused because we would
1130         see an in-process deferred compile (the FTL compile) and also an optimized
1131         replacement (the DFG code).
1132         
1133         If the baseline JIT hits an OSR entry trigger into the DFG and we previously
1134         did two things in this order: triggered a tier-up compilation from the DFG into
1135         the FTL, and then jettisoned the DFG code because it exited a bunch, then we
1136         shouldn't be confused by the presence of an in-process deferred compile (the FTL
1137         compile). Previously we would have waited for that compile to finish; but the more
1138         sensible thing to do is to let it complete and then invalidate it, while at the
1139         same time enqueueing a DFG compile to create a new, more valid, DFG code block.
1140         
1141         If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
1142         triggered an FTL compile for replacement, then it should fire off a second compile
1143         instead of thinking that it can wait for that one to finish. Or vice-versa. We
1144         need to allow for two FTL compiles to be enqueued at the same time (one for
1145         replacement and one for OSR entry in a loop).
1146         
1147         Then there's also the problem that DFG::compile() is almost certainly going to be
1148         the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
1149         right now there is no way to tell it which one you want.
1150         
1151         This fixes these problems and removes a bunch of potential confusion by making the
1152         key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
1153         FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().
1154         
1155         Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
1156         DFG::compile() is always passed DFGMode and then it might do an FTL compile if
1157         possible. Fixing that is a bigger issue for a later changeset.
1158
1159         * CMakeLists.txt:
1160         * GNUmakefile.list.am:
1161         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1162         * JavaScriptCore.xcodeproj/project.pbxproj:
1163         * Target.pri:
1164         * bytecode/CodeBlock.cpp:
1165         (JSC::CodeBlock::checkIfOptimizationThresholdReached):
1166         * dfg/DFGCompilationKey.cpp: Added.
1167         (JSC::DFG::CompilationKey::dump):
1168         * dfg/DFGCompilationKey.h: Added.
1169         (JSC::DFG::CompilationKey::CompilationKey):
1170         (JSC::DFG::CompilationKey::operator!):
1171         (JSC::DFG::CompilationKey::isHashTableDeletedValue):
1172         (JSC::DFG::CompilationKey::profiledBlock):
1173         (JSC::DFG::CompilationKey::mode):
1174         (JSC::DFG::CompilationKey::operator==):
1175         (JSC::DFG::CompilationKey::hash):
1176         (JSC::DFG::CompilationKeyHash::hash):
1177         (JSC::DFG::CompilationKeyHash::equal):
1178         * dfg/DFGCompilationMode.cpp: Added.
1179         (WTF::printInternal):
1180         * dfg/DFGCompilationMode.h: Added.
1181         * dfg/DFGDriver.cpp:
1182         (JSC::DFG::compileImpl):
1183         (JSC::DFG::compile):
1184         * dfg/DFGDriver.h:
1185         * dfg/DFGPlan.cpp:
1186         (JSC::DFG::Plan::Plan):
1187         (JSC::DFG::Plan::key):
1188         * dfg/DFGPlan.h:
1189         * dfg/DFGWorklist.cpp:
1190         (JSC::DFG::Worklist::enqueue):
1191         (JSC::DFG::Worklist::compilationState):
1192         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1193         (JSC::DFG::Worklist::runThread):
1194         * dfg/DFGWorklist.h:
1195         * jit/JITStubs.cpp:
1196         (JSC::DEFINE_STUB_FUNCTION):
1197
1198 2013-08-29  Brent Fulgham  <bfulgham@apple.com>
1199
1200         [Windows] Unreviewed build fix after r154847.
1201         If you are going to exclude promises, actually exclude the build components.
1202
1203         * interpreter/CallFrame.h: Exclude promise declarations
1204         * runtime/JSGlobalObject.cpp:
1205         (JSC::JSGlobalObject::reset): Exclude promise code.
1206         (JSC::JSGlobalObject::visitChildren): Ditto.
1207         * runtime/VM.cpp: Ditto.
1208         (JSC::VM::VM):
1209         (JSC::VM::~VM):
1210         * runtime/VM.h:
1211
1212 2013-08-29  Sam Weinig  <sam@webkit.org>
1213
1214         Add ENABLE guards for Promises
1215         https://bugs.webkit.org/show_bug.cgi?id=120488
1216
1217         Reviewed by Andreas Kling.
1218
1219         * Configurations/FeatureDefines.xcconfig:
1220         * runtime/JSGlobalObject.cpp:
1221         * runtime/JSGlobalObject.h:
1222         * runtime/JSPromise.cpp:
1223         * runtime/JSPromise.h:
1224         * runtime/JSPromiseCallback.cpp:
1225         * runtime/JSPromiseCallback.h:
1226         * runtime/JSPromiseConstructor.cpp:
1227         * runtime/JSPromiseConstructor.h:
1228         * runtime/JSPromisePrototype.cpp:
1229         * runtime/JSPromisePrototype.h:
1230         * runtime/JSPromiseResolver.cpp:
1231         * runtime/JSPromiseResolver.h:
1232         * runtime/JSPromiseResolverConstructor.cpp:
1233         * runtime/JSPromiseResolverConstructor.h:
1234         * runtime/JSPromiseResolverPrototype.cpp:
1235         * runtime/JSPromiseResolverPrototype.h:
1236
1237 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
1238
1239         Unreviewed, fix FTL build.
1240
1241         * ftl/FTLLowerDFGToLLVM.cpp:
1242         (JSC::FTL::LowerDFGToLLVM::callCheck):
1243
1244 2013-08-29  Julien Brianceau  <jbriance@cisco.com>
1245
1246         REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
1247         https://bugs.webkit.org/show_bug.cgi?id=120080
1248
1249         Reviewed by Michael Saboff.
1250
1251         * jit/JITOpcodes32_64.cpp:
1252         (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.
1253
1254 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
1255
1256         Kill code that became dead after http://trac.webkit.org/changeset/154833
1257
1258         Rubber stamped by Oliver Hunt.
1259
1260         * dfg/DFGDriver.h:
1261
1262 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
1263
1264         CodeBlock's magic for scaling tier-up thresholds should be more reusable
1265         https://bugs.webkit.org/show_bug.cgi?id=120486
1266
1267         Reviewed by Oliver Hunt.
1268         
1269         Removed the counterValueForBlah() methods and exposed the reusable scaling logic
1270         as an adjustedCounterValue() method.
1271
1272         * bytecode/CodeBlock.cpp:
1273         (JSC::CodeBlock::adjustedCounterValue):
1274         (JSC::CodeBlock::optimizeAfterWarmUp):
1275         (JSC::CodeBlock::optimizeAfterLongWarmUp):
1276         (JSC::CodeBlock::optimizeSoon):
1277         * bytecode/CodeBlock.h:
1278         * dfg/DFGOSRExitCompilerCommon.cpp:
1279         (JSC::DFG::handleExitCounts):
1280
1281 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
1282
1283         CodeBlock::prepareForExecution() is silly
1284         https://bugs.webkit.org/show_bug.cgi?id=120453
1285
1286         Reviewed by Oliver Hunt.
1287         
1288         Instead of saying:
1289         
1290             codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)
1291         
1292         we should just say:
1293         
1294             JIT::compile(stuff, codeBlock, more stuff);
1295         
1296         And similarly for the LLInt and DFG.
1297         
1298         This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
1299         wrapper that uses the JITType argument to call into the appropriate execution
1300         engine, which is what the user wanted to do in the first place.
1301
1302         * CMakeLists.txt:
1303         * GNUmakefile.list.am:
1304         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1305         * JavaScriptCore.xcodeproj/project.pbxproj:
1306         * Target.pri:
1307         * bytecode/CodeBlock.cpp:
1308         * bytecode/CodeBlock.h:
1309         * dfg/DFGDriver.cpp:
1310         (JSC::DFG::compileImpl):
1311         (JSC::DFG::compile):
1312         * dfg/DFGDriver.h:
1313         (JSC::DFG::tryCompile):
1314         * dfg/DFGOSRExitPreparation.cpp:
1315         (JSC::DFG::prepareCodeOriginForOSRExit):
1316         * dfg/DFGWorklist.cpp:
1317         (JSC::DFG::globalWorklist):
1318         * dfg/DFGWorklist.h:
1319         * jit/JIT.cpp:
1320         (JSC::JIT::privateCompile):
1321         * jit/JIT.h:
1322         (JSC::JIT::compile):
1323         * jit/JITStubs.cpp:
1324         (JSC::DEFINE_STUB_FUNCTION):
1325         * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
1326         (JSC::LLInt::setFunctionEntrypoint):
1327         (JSC::LLInt::setEvalEntrypoint):
1328         (JSC::LLInt::setProgramEntrypoint):
1329         (JSC::LLInt::setEntrypoint):
1330         * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
1331         * llint/LLIntEntrypoints.cpp: Removed.
1332         * llint/LLIntEntrypoints.h: Removed.
1333         * llint/LLIntSlowPaths.cpp:
1334         (JSC::LLInt::jitCompileAndSetHeuristics):
1335         * runtime/Executable.cpp:
1336         (JSC::ScriptExecutable::prepareForExecutionImpl):
1337
1338 2013-08-29  Mark Lam  <mark.lam@apple.com>
1339
1340         Gardening: fixed broken non-DFG build.
1341         https://bugs.webkit.org/show_bug.cgi?id=120481.
1342
1343         Not reviewed.
1344
1345         * interpreter/StackIterator.h:
1346
1347 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
1348
1349         CodeBlock compilation and installation should be simplified and rationalized
1350         https://bugs.webkit.org/show_bug.cgi?id=120326
1351
1352         Reviewed by Oliver Hunt.
1353         
1354         Rolling r154804 back in after fixing no-LLInt build.
1355         
1356         Previously Executable owned the code for generating JIT code; you always had
1357         to go through Executable. But often you also had to go through CodeBlock,
1358         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
1359         So you'd ask CodeBlock to do something, which would dispatch through a
1360         virtual method that would select the appropriate Executable subtype's method.
1361         This all meant that the same code would often be duplicated, because most of
1362         the work needed to compile something was identical regardless of code type.
1363         But then we tried to fix this, by having templatized helpers in
1364         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
1365         out what happened when you asked for something to be compiled, you'd go on a
1366         wild ride that started with CodeBlock, touched upon Executable, and then
1367         ricocheted into either ExecutionHarness or JITDriver (likely both).
1368         
1369         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
1370         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
1371         done once the compilation finished.
1372         
1373         Also, most of the DFG JIT drivers assumed that they couldn't install the
1374         JITCode into the CodeBlock directly - instead they would return it via a
1375         reference, which happened to be a reference to the JITCode pointer in
1376         Executable. This was super weird.
1377         
1378         Finally, there was no notion of compiling code into a special CodeBlock that
1379         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
1380         entry.
1381         
1382         This patch solves these problems by reducing all of that complexity into just
1383         three primitives:
1384         
1385         - Executable::newCodeBlock(). This gives you a new code block, either for call
1386           or for construct, and either to serve as the baseline code or the optimized
1387           code. The new code block is then owned by the caller; Executable doesn't
1388           register it anywhere. The new code block has no JITCode and isn't callable,
1389           but it has all of the bytecode.
1390         
1391         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
1392           produces a JITCode, and then installs the JITCode into the CodeBlock. This
1393           method takes a JITType, and always compiles with that JIT. If you ask for
1394           JITCode::InterpreterThunk then you'll get JITCode that just points to the
1395           LLInt entrypoints. Once this returns, it is possible to call into the
1396           CodeBlock if you do so manually - but the Executable still won't know about
1397           it so JS calls to that Executable will still be routed to whatever CodeBlock
1398           is associated with the Executable.
1399         
1400         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
1401           entry for that Executable. This involves unlinking the Executable's last
1402           CodeBlock, if there was one. This also tells the GC about any effect on
1403           memory usage and does a bunch of weird data structure rewiring, since
1404           Executable caches some of CodeBlock's fields for the benefit of virtual call
1405           fast paths.
1406         
1407         This functionality is then wrapped around three convenience methods:
1408         
1409         - Executable::prepareForExecution(). If there is no code block for that
1410           Executable, then one is created (newCodeBlock()), compiled
1411           (CodeBlock::prepareForExecution()) and installed (installCode()).
1412         
1413         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
1414           can serve as an optimized replacement of the current one.
1415         
1416         - CodeBlock::install(). Asks the Executable to install this code block.
1417         
1418         This patch allows me to kill *a lot* of code and to remove a lot of
1419         specializations for functions vs. not-functions, and a lot of places where we
1420         pass around JITCode references and such. ExecutionHarness and JITDriver are
1421         both gone. Overall this patch has more red than green.
1422         
1423         It also allows me to work on FTL OSR entry and tier-up:
1424         
1425         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
1426           to do some compilation, but it will require the DFG::Worklist to do
1427           something different than what JITStubs.cpp would want, once the compilation
1428           finishes. This patch introduces a callback mechanism for that purpose.
1429         
1430         - FTL OSR entry: this will involve creating a special auto-jettisoned
1431           CodeBlock that is used only for FTL OSR entry. The new set of primitives
1432           allows for this: Executable can vend you a fresh new CodeBlock, and you can
1433           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
1434           can take that CodeBlock and compile it yourself. Previously the act of
1435           producing a CodeBlock-for-optimization and the act of compiling code for it
1436           were tightly coupled; now you can separate them and you can create such
1437           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
1438
1439         * CMakeLists.txt:
1440         * GNUmakefile.list.am:
1441         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1442         * JavaScriptCore.xcodeproj/project.pbxproj:
1443         * Target.pri:
1444         * bytecode/CodeBlock.cpp:
1445         (JSC::CodeBlock::unlinkIncomingCalls):
1446         (JSC::CodeBlock::prepareForExecutionImpl):
1447         (JSC::CodeBlock::prepareForExecution):
1448         (JSC::CodeBlock::prepareForExecutionAsynchronously):
1449         (JSC::CodeBlock::install):
1450         (JSC::CodeBlock::newReplacement):
1451         (JSC::FunctionCodeBlock::jettisonImpl):
1452         * bytecode/CodeBlock.h:
1453         (JSC::CodeBlock::hasBaselineJITProfiling):
1454         * bytecode/DeferredCompilationCallback.cpp: Added.
1455         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
1456         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
1457         * bytecode/DeferredCompilationCallback.h: Added.
1458         * dfg/DFGDriver.cpp:
1459         (JSC::DFG::tryCompile):
1460         * dfg/DFGDriver.h:
1461         (JSC::DFG::tryCompile):
1462         * dfg/DFGFailedFinalizer.cpp:
1463         (JSC::DFG::FailedFinalizer::finalize):
1464         (JSC::DFG::FailedFinalizer::finalizeFunction):
1465         * dfg/DFGFailedFinalizer.h:
1466         * dfg/DFGFinalizer.h:
1467         * dfg/DFGJITFinalizer.cpp:
1468         (JSC::DFG::JITFinalizer::finalize):
1469         (JSC::DFG::JITFinalizer::finalizeFunction):
1470         * dfg/DFGJITFinalizer.h:
1471         * dfg/DFGOSRExitPreparation.cpp:
1472         (JSC::DFG::prepareCodeOriginForOSRExit):
1473         * dfg/DFGOperations.cpp:
1474         * dfg/DFGPlan.cpp:
1475         (JSC::DFG::Plan::Plan):
1476         (JSC::DFG::Plan::compileInThreadImpl):
1477         (JSC::DFG::Plan::notifyReady):
1478         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1479         (JSC::DFG::Plan::finalizeAndNotifyCallback):
1480         * dfg/DFGPlan.h:
1481         * dfg/DFGSpeculativeJIT32_64.cpp:
1482         (JSC::DFG::SpeculativeJIT::compile):
1483         * dfg/DFGWorklist.cpp:
1484         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1485         (JSC::DFG::Worklist::runThread):
1486         * ftl/FTLJITFinalizer.cpp:
1487         (JSC::FTL::JITFinalizer::finalize):
1488         (JSC::FTL::JITFinalizer::finalizeFunction):
1489         * ftl/FTLJITFinalizer.h:
1490         * heap/Heap.h:
1491         (JSC::Heap::isDeferred):
1492         * interpreter/Interpreter.cpp:
1493         (JSC::Interpreter::execute):
1494         (JSC::Interpreter::executeCall):
1495         (JSC::Interpreter::executeConstruct):
1496         (JSC::Interpreter::prepareForRepeatCall):
1497         * jit/JITDriver.h: Removed.
1498         * jit/JITStubs.cpp:
1499         (JSC::DEFINE_STUB_FUNCTION):
1500         (JSC::jitCompileFor):
1501         (JSC::lazyLinkFor):
1502         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
1503         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
1504         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
1505         (JSC::JITToDFGDeferredCompilationCallback::create):
1506         (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
1507         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1508         * jit/JITToDFGDeferredCompilationCallback.h: Added.
1509         * llint/LLIntEntrypoints.cpp:
1510         (JSC::LLInt::setFunctionEntrypoint):
1511         (JSC::LLInt::setEvalEntrypoint):
1512         (JSC::LLInt::setProgramEntrypoint):
1513         * llint/LLIntEntrypoints.h:
1514         * llint/LLIntSlowPaths.cpp:
1515         (JSC::LLInt::jitCompileAndSetHeuristics):
1516         (JSC::LLInt::setUpCall):
1517         * runtime/ArrayPrototype.cpp:
1518         (JSC::isNumericCompareFunction):
1519         * runtime/CommonSlowPaths.cpp:
1520         * runtime/CompilationResult.cpp:
1521         (WTF::printInternal):
1522         * runtime/CompilationResult.h:
1523         * runtime/Executable.cpp:
1524         (JSC::ScriptExecutable::installCode):
1525         (JSC::ScriptExecutable::newCodeBlockFor):
1526         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
1527         (JSC::ScriptExecutable::prepareForExecutionImpl):
1528         * runtime/Executable.h:
1529         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
1530         (JSC::ExecutableBase::offsetOfNumParametersFor):
1531         (JSC::ScriptExecutable::prepareForExecution):
1532         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
1533         * runtime/ExecutionHarness.h: Removed.
1534
1535 2013-08-29  Mark Lam  <mark.lam@apple.com>
1536
1537         Change StackIterator to not require writes to the JS stack.
1538         https://bugs.webkit.org/show_bug.cgi?id=119657.
1539
1540         Reviewed by Geoffrey Garen.
1541
1542         * GNUmakefile.list.am:
1543         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1544         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1545         * JavaScriptCore.xcodeproj/project.pbxproj:
1546         * interpreter/CallFrame.h:
1547         - Removed references to StackIteratorPrivate.h.
1548         * interpreter/StackIterator.cpp:
1549         (JSC::StackIterator::numberOfFrames):
1550         (JSC::StackIterator::gotoFrameAtIndex):
1551         (JSC::StackIterator::gotoNextFrame):
1552         (JSC::StackIterator::resetIterator):
1553         (JSC::StackIterator::find):
1554         (JSC::StackIterator::readFrame):
1555         (JSC::StackIterator::readNonInlinedFrame):
1556         - Reads in the current CallFrame's data for non-inlined frames.
1557         (JSC::inlinedFrameOffset):
1558         - Convenience function to compute the inlined frame offset based on the
1559           CodeOrigin. If the offset is 0, then we're looking at the physical frame.
1560           Otherwise, it's an inlined frame.
1561         (JSC::StackIterator::readInlinedFrame):
1562         - Determines the inlined frame's caller frame. Will read in the caller
1563           frame if it is also an inlined frame, i.e. we haven't reached the
1564           outermost frame yet. Otherwise, will call readNonInlinedFrame() to
1565           read in the outermost frame.
1566           This is based on the old StackIterator::Frame::logicalFrame().
1567         (JSC::StackIterator::updateFrame):
1568         - Reads the data of the caller frame of the current one. This function
1569           is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
1570           but is now simplified because it delegates to the readInlinedFrame()
1571           to get the caller for inlined frames.
1572         (JSC::StackIterator::Frame::arguments):
1573         - Fixed to use the inlined frame versions of Arguments::create() and
1574           Arguments::tearOff() when the frame is an inlined frame.
1575         (JSC::StackIterator::Frame::print):
1576         (debugPrintCallFrame):
1577         (debugPrintStack):
1578         - Because sometimes, we want to see the whole stack while debugging.
1579         * interpreter/StackIterator.h:
1580         (JSC::StackIterator::Frame::argumentCount):
1581         (JSC::StackIterator::Frame::callerFrame):
1582         (JSC::StackIterator::Frame::callee):
1583         (JSC::StackIterator::Frame::scope):
1584         (JSC::StackIterator::Frame::codeBlock):
1585         (JSC::StackIterator::Frame::bytecodeOffset):
1586         (JSC::StackIterator::Frame::inlinedFrameInfo):
1587         (JSC::StackIterator::Frame::isJSFrame):
1588         (JSC::StackIterator::Frame::isInlinedFrame):
1589         (JSC::StackIterator::Frame::callFrame):
1590         (JSC::StackIterator::Frame::Frame):
1591         (JSC::StackIterator::Frame::~Frame):
1592         - StackIterator::Frame now caches commonly used accessed values from
1593           the CallFrame. It still delegates argument queries to the CallFrame.
1594         (JSC::StackIterator::operator*):
1595         (JSC::StackIterator::operator->):
1596         (JSC::StackIterator::operator!=):
1597         (JSC::StackIterator::operator++):
1598         (JSC::StackIterator::end):
1599         (JSC::StackIterator::operator==):
1600         * interpreter/StackIteratorPrivate.h: Removed.
1601
1602 2013-08-29  Chris Curtis  <chris_curtis@apple.com>
1603
1604         VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
1605         https://bugs.webkit.org/show_bug.cgi?id=120472
1606
1607         Reviewed by Filip Pizlo.
1608         
1609         With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
1610         but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller,
1611         throwException can be called when topCallFrame is set.
1612         * llint/LLIntSlowPaths.cpp:
1613         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1614         * runtime/CommonSlowPaths.cpp:
1615         (JSC::SLOW_PATH_DECL):
1616         * runtime/CommonSlowPathsExceptions.cpp:
1617         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1618         * runtime/CommonSlowPathsExceptions.h:
1619
1620         Renamed genericThrow -> genericUnwind, because this function no longer has the ability
1621         to throw errors. It unwinds the stack in order to report them. 
1622         * dfg/DFGOperations.cpp:
1623         * jit/JITExceptions.cpp:
1624         (JSC::genericUnwind):
1625         (JSC::jitThrowNew):
1626         (JSC::jitThrow):
1627         * jit/JITExceptions.h:
1628         * llint/LLIntExceptions.cpp:
1629         (JSC::LLInt::doThrow):
1630     
1631 2013-08-29  Commit Queue  <commit-queue@webkit.org>
1632
1633         Unreviewed, rolling out r154804.
1634         http://trac.webkit.org/changeset/154804
1635         https://bugs.webkit.org/show_bug.cgi?id=120477
1636
1637         Broke Windows build (assumes LLInt features not enabled on
1638         this build) (Requested by bfulgham on #webkit).
1639
1640         * CMakeLists.txt:
1641         * GNUmakefile.list.am:
1642         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1643         * JavaScriptCore.xcodeproj/project.pbxproj:
1644         * Target.pri:
1645         * bytecode/CodeBlock.cpp:
1646         (JSC::CodeBlock::linkIncomingCall):
1647         (JSC::CodeBlock::unlinkIncomingCalls):
1648         (JSC::CodeBlock::reoptimize):
1649         (JSC::ProgramCodeBlock::replacement):
1650         (JSC::EvalCodeBlock::replacement):
1651         (JSC::FunctionCodeBlock::replacement):
1652         (JSC::ProgramCodeBlock::compileOptimized):
1653         (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
1654         (JSC::EvalCodeBlock::compileOptimized):
1655         (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
1656         (JSC::FunctionCodeBlock::compileOptimized):
1657         (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
1658         (JSC::ProgramCodeBlock::jitCompileImpl):
1659         (JSC::EvalCodeBlock::jitCompileImpl):
1660         (JSC::FunctionCodeBlock::jitCompileImpl):
1661         * bytecode/CodeBlock.h:
1662         (JSC::CodeBlock::jitType):
1663         (JSC::CodeBlock::jitCompile):
1664         * bytecode/DeferredCompilationCallback.cpp: Removed.
1665         * bytecode/DeferredCompilationCallback.h: Removed.
1666         * dfg/DFGDriver.cpp:
1667         (JSC::DFG::compile):
1668         (JSC::DFG::tryCompile):
1669         (JSC::DFG::tryCompileFunction):
1670         (JSC::DFG::tryFinalizePlan):
1671         * dfg/DFGDriver.h:
1672         (JSC::DFG::tryCompile):
1673         (JSC::DFG::tryCompileFunction):
1674         (JSC::DFG::tryFinalizePlan):
1675         * dfg/DFGFailedFinalizer.cpp:
1676         (JSC::DFG::FailedFinalizer::finalize):
1677         (JSC::DFG::FailedFinalizer::finalizeFunction):
1678         * dfg/DFGFailedFinalizer.h:
1679         * dfg/DFGFinalizer.h:
1680         * dfg/DFGJITFinalizer.cpp:
1681         (JSC::DFG::JITFinalizer::finalize):
1682         (JSC::DFG::JITFinalizer::finalizeFunction):
1683         * dfg/DFGJITFinalizer.h:
1684         * dfg/DFGOSRExitPreparation.cpp:
1685         (JSC::DFG::prepareCodeOriginForOSRExit):
1686         * dfg/DFGOperations.cpp:
1687         * dfg/DFGPlan.cpp:
1688         (JSC::DFG::Plan::Plan):
1689         (JSC::DFG::Plan::compileInThreadImpl):
1690         (JSC::DFG::Plan::finalize):
1691         * dfg/DFGPlan.h:
1692         * dfg/DFGSpeculativeJIT32_64.cpp:
1693         (JSC::DFG::SpeculativeJIT::compile):
1694         * dfg/DFGWorklist.cpp:
1695         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1696         (JSC::DFG::Worklist::runThread):
1697         * ftl/FTLJITFinalizer.cpp:
1698         (JSC::FTL::JITFinalizer::finalize):
1699         (JSC::FTL::JITFinalizer::finalizeFunction):
1700         * ftl/FTLJITFinalizer.h:
1701         * heap/Heap.h:
1702         * interpreter/Interpreter.cpp:
1703         (JSC::Interpreter::execute):
1704         (JSC::Interpreter::executeCall):
1705         (JSC::Interpreter::executeConstruct):
1706         (JSC::Interpreter::prepareForRepeatCall):
1707         * jit/JITDriver.h: Added.
1708         (JSC::jitCompileIfAppropriateImpl):
1709         (JSC::jitCompileFunctionIfAppropriateImpl):
1710         (JSC::jitCompileIfAppropriate):
1711         (JSC::jitCompileFunctionIfAppropriate):
1712         * jit/JITStubs.cpp:
1713         (JSC::DEFINE_STUB_FUNCTION):
1714         (JSC::jitCompileFor):
1715         (JSC::lazyLinkFor):
1716         * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
1717         * jit/JITToDFGDeferredCompilationCallback.h: Removed.
1718         * llint/LLIntEntrypoints.cpp:
1719         (JSC::LLInt::getFunctionEntrypoint):
1720         (JSC::LLInt::getEvalEntrypoint):
1721         (JSC::LLInt::getProgramEntrypoint):
1722         * llint/LLIntEntrypoints.h:
1723         (JSC::LLInt::getEntrypoint):
1724         * llint/LLIntSlowPaths.cpp:
1725         (JSC::LLInt::jitCompileAndSetHeuristics):
1726         (JSC::LLInt::setUpCall):
1727         * runtime/ArrayPrototype.cpp:
1728         (JSC::isNumericCompareFunction):
1729         * runtime/CommonSlowPaths.cpp:
1730         * runtime/CompilationResult.cpp:
1731         (WTF::printInternal):
1732         * runtime/CompilationResult.h:
1733         * runtime/Executable.cpp:
1734         (JSC::EvalExecutable::compileOptimized):
1735         (JSC::EvalExecutable::jitCompile):
1736         (JSC::EvalExecutable::compileInternal):
1737         (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
1738         (JSC::ProgramExecutable::compileOptimized):
1739         (JSC::ProgramExecutable::jitCompile):
1740         (JSC::ProgramExecutable::compileInternal):
1741         (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
1742         (JSC::FunctionExecutable::compileOptimizedForCall):
1743         (JSC::FunctionExecutable::compileOptimizedForConstruct):
1744         (JSC::FunctionExecutable::jitCompileForCall):
1745         (JSC::FunctionExecutable::jitCompileForConstruct):
1746         (JSC::FunctionExecutable::produceCodeBlockFor):
1747         (JSC::FunctionExecutable::compileForCallInternal):
1748         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
1749         (JSC::FunctionExecutable::compileForConstructInternal):
1750         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
1751         * runtime/Executable.h:
1752         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
1753         (JSC::ExecutableBase::offsetOfNumParametersFor):
1754         (JSC::ExecutableBase::catchRoutineFor):
1755         (JSC::EvalExecutable::compile):
1756         (JSC::ProgramExecutable::compile):
1757         (JSC::FunctionExecutable::compileForCall):
1758         (JSC::FunctionExecutable::compileForConstruct):
1759         (JSC::FunctionExecutable::compileFor):
1760         (JSC::FunctionExecutable::compileOptimizedFor):
1761         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
1762         (JSC::FunctionExecutable::jitCompileFor):
1763         * runtime/ExecutionHarness.h: Added.
1764         (JSC::prepareForExecutionImpl):
1765         (JSC::prepareFunctionForExecutionImpl):
1766         (JSC::installOptimizedCode):
1767         (JSC::prepareForExecution):
1768         (JSC::prepareFunctionForExecution):
1769         (JSC::replaceWithDeferredOptimizedCode):
1770
1771 2013-08-28  Filip Pizlo  <fpizlo@apple.com>
1772
1773         CodeBlock compilation and installation should be simplified and rationalized
1774         https://bugs.webkit.org/show_bug.cgi?id=120326
1775
1776         Reviewed by Oliver Hunt.
1777         
1778         Previously Executable owned the code for generating JIT code; you always had
1779         to go through Executable. But often you also had to go through CodeBlock,
1780         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
1781         So you'd ask CodeBlock to do something, which would dispatch through a
1782         virtual method that would select the appropriate Executable subtype's method.
1783         This all meant that the same code would often be duplicated, because most of
1784         the work needed to compile something was identical regardless of code type.
1785         But then we tried to fix this, by having templatized helpers in
1786         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
1787         out what happened when you asked for something to be compiled, you'd go on a
1788         wild ride that started with CodeBlock, touched upon Executable, and then
1789         ricocheted into either ExecutionHarness or JITDriver (likely both).
1790         
1791         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
1792         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
1793         done once the compilation finished.
1794         
1795         Also, most of the DFG JIT drivers assumed that they couldn't install the
1796         JITCode into the CodeBlock directly - instead they would return it via a
1797         reference, which happened to be a reference to the JITCode pointer in
1798         Executable. This was super weird.
1799         
1800         Finally, there was no notion of compiling code into a special CodeBlock that
1801         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
1802         entry.
1803         
1804         This patch solves these problems by reducing all of that complexity into just
1805         three primitives:
1806         
1807         - Executable::newCodeBlock(). This gives you a new code block, either for call
1808           or for construct, and either to serve as the baseline code or the optimized
1809           code. The new code block is then owned by the caller; Executable doesn't
1810           register it anywhere. The new code block has no JITCode and isn't callable,
1811           but it has all of the bytecode.
1812         
1813         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
1814           produces a JITCode, and then installs the JITCode into the CodeBlock. This
1815           method takes a JITType, and always compiles with that JIT. If you ask for
1816           JITCode::InterpreterThunk then you'll get JITCode that just points to the
1817           LLInt entrypoints. Once this returns, it is possible to call into the
1818           CodeBlock if you do so manually - but the Executable still won't know about
1819           it so JS calls to that Executable will still be routed to whatever CodeBlock
1820           is associated with the Executable.
1821         
1822         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
1823           entry for that Executable. This involves unlinking the Executable's last
1824           CodeBlock, if there was one. This also tells the GC about any effect on
1825           memory usage and does a bunch of weird data structure rewiring, since
1826           Executable caches some of CodeBlock's fields for the benefit of virtual call
1827           fast paths.
1828         
1829         This functionality is then wrapped around three convenience methods:
1830         
1831         - Executable::prepareForExecution(). If there is no code block for that
1832           Executable, then one is created (newCodeBlock()), compiled
1833           (CodeBlock::prepareForExecution()) and installed (installCode()).
1834         
1835         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
1836           can serve as an optimized replacement of the current one.
1837         
1838         - CodeBlock::install(). Asks the Executable to install this code block.
1839         
1840         This patch allows me to kill *a lot* of code and to remove a lot of
1841         specializations for functions vs. not-functions, and a lot of places where we
1842         pass around JITCode references and such. ExecutionHarness and JITDriver are
1843         both gone. Overall this patch has more red than green.
1844         
1845         It also allows me to work on FTL OSR entry and tier-up:
1846         
1847         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
1848           to do some compilation, but it will require the DFG::Worklist to do
1849           something different than what JITStubs.cpp would want, once the compilation
1850           finishes. This patch introduces a callback mechanism for that purpose.
1851         
1852         - FTL OSR entry: this will involve creating a special auto-jettisoned
1853           CodeBlock that is used only for FTL OSR entry. The new set of primitives
1854           allows for this: Executable can vend you a fresh new CodeBlock, and you can
1855           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
1856           can take that CodeBlock and compile it yourself. Previously the act of
1857           producing a CodeBlock-for-optimization and the act of compiling code for it
1858           were tightly coupled; now you can separate them and you can create such
1859           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
1860
1861         * CMakeLists.txt:
1862         * GNUmakefile.list.am:
1863         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1864         * JavaScriptCore.xcodeproj/project.pbxproj:
1865         * Target.pri:
1866         * bytecode/CodeBlock.cpp:
1867         (JSC::CodeBlock::prepareForExecution):
1868         (JSC::CodeBlock::install):
1869         (JSC::CodeBlock::newReplacement):
1870         (JSC::FunctionCodeBlock::jettisonImpl):
1871         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1872         * bytecode/CodeBlock.h:
1873         (JSC::CodeBlock::hasBaselineJITProfiling):
1874         * bytecode/DeferredCompilationCallback.cpp: Added.
1875         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
1876         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
1877         * bytecode/DeferredCompilationCallback.h: Added.
1878         * dfg/DFGDriver.cpp:
1879         (JSC::DFG::tryCompile):
1880         * dfg/DFGDriver.h:
1881         (JSC::DFG::tryCompile):
1882         * dfg/DFGFailedFinalizer.cpp:
1883         (JSC::DFG::FailedFinalizer::finalize):
1884         (JSC::DFG::FailedFinalizer::finalizeFunction):
1885         * dfg/DFGFailedFinalizer.h:
1886         * dfg/DFGFinalizer.h:
1887         * dfg/DFGJITFinalizer.cpp:
1888         (JSC::DFG::JITFinalizer::finalize):
1889         (JSC::DFG::JITFinalizer::finalizeFunction):
1890         * dfg/DFGJITFinalizer.h:
1891         * dfg/DFGOSRExitPreparation.cpp:
1892         (JSC::DFG::prepareCodeOriginForOSRExit):
1893         * dfg/DFGOperations.cpp:
1894         * dfg/DFGPlan.cpp:
1895         (JSC::DFG::Plan::Plan):
1896         (JSC::DFG::Plan::compileInThreadImpl):
1897         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1898         (JSC::DFG::Plan::finalizeAndNotifyCallback):
1899         * dfg/DFGPlan.h:
1900         * dfg/DFGWorklist.cpp:
1901         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1902         * ftl/FTLJITFinalizer.cpp:
1903         (JSC::FTL::JITFinalizer::finalize):
1904         (JSC::FTL::JITFinalizer::finalizeFunction):
1905         * ftl/FTLJITFinalizer.h:
1906         * heap/Heap.h:
1907         (JSC::Heap::isDeferred):
1908         * interpreter/Interpreter.cpp:
1909         (JSC::Interpreter::execute):
1910         (JSC::Interpreter::executeCall):
1911         (JSC::Interpreter::executeConstruct):
1912         (JSC::Interpreter::prepareForRepeatCall):
1913         * jit/JITDriver.h: Removed.
1914         * jit/JITStubs.cpp:
1915         (JSC::DEFINE_STUB_FUNCTION):
1916         (JSC::jitCompileFor):
1917         (JSC::lazyLinkFor):
1918         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
1919         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
1920         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
1921         (JSC::JITToDFGDeferredCompilationCallback::create):
1922         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1923         * jit/JITToDFGDeferredCompilationCallback.h: Added.
1924         * llint/LLIntEntrypoints.cpp:
1925         (JSC::LLInt::setFunctionEntrypoint):
1926         (JSC::LLInt::setEvalEntrypoint):
1927         (JSC::LLInt::setProgramEntrypoint):
1928         * llint/LLIntEntrypoints.h:
1929         * llint/LLIntSlowPaths.cpp:
1930         (JSC::LLInt::jitCompileAndSetHeuristics):
1931         (JSC::LLInt::setUpCall):
1932         * runtime/ArrayPrototype.cpp:
1933         (JSC::isNumericCompareFunction):
1934         * runtime/CommonSlowPaths.cpp:
1935         * runtime/CompilationResult.cpp:
1936         (WTF::printInternal):
1937         * runtime/CompilationResult.h:
1938         * runtime/Executable.cpp:
1939         (JSC::ScriptExecutable::installCode):
1940         (JSC::ScriptExecutable::newCodeBlockFor):
1941         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
1942         (JSC::ScriptExecutable::prepareForExecutionImpl):
1943         * runtime/Executable.h:
1944         (JSC::ScriptExecutable::prepareForExecution):
1945         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
1946         * runtime/ExecutionHarness.h: Removed.
1947
1948 2013-08-28  Chris Curtis  <chris_curtis@apple.com>
1949
1950         https://bugs.webkit.org/show_bug.cgi?id=119548
1951         Refactoring Exception throws.
1952         
1953         Reviewed by Geoffrey Garen.
1954         
1955         Gardening of exception throws. The act of throwing an exception was being handled in
1956         different ways depending on whether the code was running in the LLInt, Baseline JIT,
1957         or the DFG JIT. This made development in the VM exception and error objects difficult.
1958         
1959         * runtime/VM.cpp:
1960         (JSC::appendSourceToError):
1961         This function moved from the interpreter into the VM. It views the developer's code
1962         (if there is a codeBlock) to extract what was trying to be evaluated when the error
1963         occurred.
1964         
1965         (JSC::VM::throwException):
1966         This function takes in the error object and sets the following:
1967             1: The VM's exception stack
1968             2: The VM's exception 
1969             3: Appends extra information on the error message (via appendSourceToError)
1970             4: The error object's line number
1971             5: The error object's column number
1972             6: The error object's sourceURL
1973             7: The error object's stack trace (unless it already exists because the developer 
1974                 created the error object). 
1975
1976         (JSC::VM::getExceptionInfo):
1977         (JSC::VM::setExceptionInfo):
1978         (JSC::VM::clearException):
1979         (JSC::clearExceptionStack):
1980         * runtime/VM.h:
1981         (JSC::VM::exceptionOffset):
1982         (JSC::VM::exception):
1983         (JSC::VM::addressOfException):
1984         (JSC::VM::exceptionStack):
1985         VM exception and exceptionStack are now private data members.
1986
1987         * interpreter/Interpreter.h:
1988         (JSC::ClearExceptionScope::ClearExceptionScope):
1989         Created this structure to temporarily clear the exception within the VM. This
1990         is needed to see if additional errors occur when setting the debugger as we are
1991         unwinding the stack.
1992
1993         * interpreter/Interpreter.cpp:
1994         (JSC::Interpreter::unwind): 
1995         Removed the code that would try to add error information if it did not exist. 
1996         All of this functionality has moved into the VM and all error information is set 
1997         at the time the error occurs. 
1998
1999         The rest of these functions reference the new calling convention to throw an error.
2000
2001         * API/APICallbackFunction.h:
2002         (JSC::APICallbackFunction::call):
2003         * API/JSCallbackConstructor.cpp:
2004         (JSC::constructJSCallback):
2005         * API/JSCallbackObjectFunctions.h:
2006         (JSC::::getOwnPropertySlot):
2007         (JSC::::defaultValue):
2008         (JSC::::put):
2009         (JSC::::putByIndex):
2010         (JSC::::deleteProperty):
2011         (JSC::::construct):
2012         (JSC::::customHasInstance):
2013         (JSC::::call):
2014         (JSC::::getStaticValue):
2015         (JSC::::staticFunctionGetter):
2016         (JSC::::callbackGetter):
2017         * debugger/Debugger.cpp:
2018         (JSC::evaluateInGlobalCallFrame):
2019         * debugger/DebuggerCallFrame.cpp:
2020         (JSC::DebuggerCallFrame::evaluate):
2021         * dfg/DFGAssemblyHelpers.h:
2022         (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
2023         * dfg/DFGOperations.cpp:
2024         (JSC::DFG::operationPutByValInternal):
2025         * ftl/FTLLowerDFGToLLVM.cpp:
2026         (JSC::FTL::LowerDFGToLLVM::callCheck):
2027         * heap/Heap.cpp:
2028         (JSC::Heap::markRoots):
2029         * interpreter/CallFrame.h:
2030         (JSC::ExecState::clearException):
2031         (JSC::ExecState::exception):
2032         (JSC::ExecState::hadException):
2033         * interpreter/Interpreter.cpp:
2034         (JSC::eval):
2035         (JSC::loadVarargs):
2036         (JSC::stackTraceAsString):
2037         (JSC::Interpreter::execute):
2038         (JSC::Interpreter::executeCall):
2039         (JSC::Interpreter::executeConstruct):
2040         (JSC::Interpreter::prepareForRepeatCall):
2041         * interpreter/Interpreter.h:
2042         (JSC::ClearExceptionScope::ClearExceptionScope):
2043         * jit/JITCode.cpp:
2044         (JSC::JITCode::execute):
2045         * jit/JITExceptions.cpp:
2046         (JSC::genericThrow):
2047         * jit/JITOpcodes.cpp:
2048         (JSC::JIT::emit_op_catch):
2049         * jit/JITOpcodes32_64.cpp:
2050         (JSC::JIT::privateCompileCTINativeCall):
2051         (JSC::JIT::emit_op_catch):
2052         * jit/JITStubs.cpp:
2053         (JSC::returnToThrowTrampoline):
2054         (JSC::throwExceptionFromOpCall):
2055         (JSC::DEFINE_STUB_FUNCTION):
2056         (JSC::jitCompileFor):
2057         (JSC::lazyLinkFor):
2058         (JSC::putByVal):
2059         (JSC::cti_vm_handle_exception):
2060         * jit/SlowPathCall.h:
2061         (JSC::JITSlowPathCall::call):
2062         * jit/ThunkGenerators.cpp:
2063         (JSC::nativeForGenerator):
2064         * jsc.cpp:
2065         (functionRun):
2066         (functionLoad):
2067         (functionCheckSyntax):
2068         * llint/LLIntExceptions.cpp:
2069         (JSC::LLInt::doThrow):
2070         (JSC::LLInt::returnToThrow):
2071         (JSC::LLInt::callToThrow):
2072         * llint/LLIntSlowPaths.cpp:
2073         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2074         * llint/LowLevelInterpreter.cpp:
2075         (JSC::CLoop::execute):
2076         * llint/LowLevelInterpreter32_64.asm:
2077         * llint/LowLevelInterpreter64.asm:
2078         * runtime/ArrayConstructor.cpp:
2079         (JSC::constructArrayWithSizeQuirk):
2080         * runtime/CommonSlowPaths.cpp:
2081         (JSC::SLOW_PATH_DECL):
2082         * runtime/CommonSlowPaths.h:
2083         (JSC::CommonSlowPaths::opIn):
2084         * runtime/CommonSlowPathsExceptions.cpp:
2085         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2086         * runtime/Completion.cpp:
2087         (JSC::evaluate):
2088         * runtime/Error.cpp:
2089         (JSC::addErrorInfo):
2090         (JSC::throwTypeError):
2091         (JSC::throwSyntaxError):
2092         * runtime/Error.h:
2093         (JSC::throwVMError):
2094         * runtime/ExceptionHelpers.cpp:
2095         (JSC::throwOutOfMemoryError):
2096         (JSC::throwStackOverflowError):
2097         (JSC::throwTerminatedExecutionException):
2098         * runtime/Executable.cpp:
2099         (JSC::EvalExecutable::create):
2100         (JSC::FunctionExecutable::produceCodeBlockFor):
2101         * runtime/FunctionConstructor.cpp:
2102         (JSC::constructFunction):
2103         (JSC::constructFunctionSkippingEvalEnabledCheck):
2104         * runtime/JSArray.cpp:
2105         (JSC::JSArray::defineOwnProperty):
2106         (JSC::JSArray::put):
2107         (JSC::JSArray::push):
2108         * runtime/JSCJSValue.cpp:
2109         (JSC::JSValue::toObjectSlowCase):
2110         (JSC::JSValue::synthesizePrototype):
2111         (JSC::JSValue::putToPrimitive):
2112         * runtime/JSFunction.cpp:
2113         (JSC::JSFunction::defineOwnProperty):
2114         * runtime/JSGenericTypedArrayViewInlines.h:
2115         (JSC::::create):
2116         (JSC::::createUninitialized):
2117         (JSC::::validateRange):
2118         (JSC::::setWithSpecificType):
2119         * runtime/JSGlobalObjectFunctions.cpp:
2120         (JSC::encode):
2121         (JSC::decode):
2122         (JSC::globalFuncProtoSetter):
2123         * runtime/JSNameScope.cpp:
2124         (JSC::JSNameScope::put):
2125         * runtime/JSONObject.cpp:
2126         (JSC::Stringifier::appendStringifiedValue):
2127         (JSC::Walker::walk):
2128         * runtime/JSObject.cpp:
2129         (JSC::JSObject::put):
2130         (JSC::JSObject::defaultValue):
2131         (JSC::JSObject::hasInstance):
2132         (JSC::JSObject::defaultHasInstance):
2133         (JSC::JSObject::defineOwnNonIndexProperty):
2134         (JSC::throwTypeError):
2135         * runtime/ObjectConstructor.cpp:
2136         (JSC::toPropertyDescriptor):
2137         * runtime/RegExpConstructor.cpp:
2138         (JSC::constructRegExp):
2139         * runtime/StringObject.cpp:
2140         (JSC::StringObject::defineOwnProperty):
2141         * runtime/StringRecursionChecker.cpp:
2142         (JSC::StringRecursionChecker::throwStackOverflowError):
2143
2144 2013-08-28  Zan Dobersek  <zdobersek@igalia.com>
2145
2146         [GTK] Add support for building JSC with FTL JIT enabled
2147         https://bugs.webkit.org/show_bug.cgi?id=120270
2148
2149         Reviewed by Filip Pizlo.
2150
2151         * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
2152         compiler flags for the JSC library.
2153         * GNUmakefile.list.am: Add the missing build targets.
2154         * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
2155         failures when using the Clang compiler with the libstdc++ standard library.
2156         (JSC::FTL::mdKindID):
2157         (JSC::FTL::mdString):
2158
2159 2013-08-23  Andy Estes  <aestes@apple.com>
2160
2161         Fix issues found by the Clang Static Analyzer
2162         https://bugs.webkit.org/show_bug.cgi?id=120230
2163
2164         Reviewed by Darin Adler.
2165
2166         * API/JSValue.mm:
2167         (valueToString): Don't leak every CFStringRef when in Objective-C GC.
2168         * API/ObjCCallbackFunction.mm:
2169         (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
2170         release m_invocation's target since NSInvocation will do it for us on
2171         -dealloc.
2172         (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
2173         and -release our reference to the copied block.
2174         * API/tests/minidom.c:
2175         (createStringWithContentsOfFile): Free buffer before returning.
2176         * API/tests/testapi.c:
2177         (createStringWithContentsOfFile): Ditto.
2178
2179 2013-08-26  Brent Fulgham  <bfulgham@apple.com>
2180
2181         [Windows] Unreviewed build fix after r154629.
2182
2183         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
2184         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2185
2186 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
2187
2188         Windows build fix attempt after r154629.
2189
2190         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2191
2192 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2193
2194         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
2195         https://bugs.webkit.org/show_bug.cgi?id=120278
2196
2197         Reviewed by Geoffrey Garen.
2198
2199         * runtime/JSObject.cpp:
2200         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2201
2202 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
2203
2204         Fix indentation of Executable.h.
2205
2206         Rubber stamped by Mark Hahnenberg.
2207
2208         * runtime/Executable.h:
2209
2210 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2211
2212         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
2213         https://bugs.webkit.org/show_bug.cgi?id=120314
2214
2215         Reviewed by Darin Adler.
2216
2217         Currently with the way that defineProperty works, we leave a stray low bit set in 
2218         PropertyDescriptor::m_attributes in the following code:
2219
2220         var o = {};
2221         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
2222         
2223         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
2224         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
2225         but only the top three bits mean anything. Even in the case above, the top three bits are set 
2226         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
2227
2228         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
2229         framework's public C API, it's safer to just change how we calculate the default value, which is
2230         where the weirdness was originating from in the first place.
2231
2232         * runtime/PropertyDescriptor.cpp:
2233
2234 2013-08-24  Sam Weinig  <sam@webkit.org>
2235
2236         Add support for Promises
2237         https://bugs.webkit.org/show_bug.cgi?id=120260
2238
2239         Reviewed by Darin Adler.
2240
2241         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
2242         - Despite Promises being defined in the DOM, the implementation is being put in JSC
2243           in preparation for the Promises eventually being defined in ECMAScript.
2244
2245         * CMakeLists.txt:
2246         * DerivedSources.make:
2247         * DerivedSources.pri:
2248         * GNUmakefile.list.am:
2249         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2250         * JavaScriptCore.xcodeproj/project.pbxproj:
2251         * Target.pri:
2252         Add new files.
2253
2254         * jsc.cpp:
2255         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
2256         you can't quite use Promises with the command line tool yet.
2257
2258         * interpreter/CallFrame.h:
2259         (JSC::ExecState::promisePrototypeTable):
2260         (JSC::ExecState::promiseConstructorTable):
2261         (JSC::ExecState::promiseResolverPrototypeTable):
2262         * runtime/VM.cpp:
2263         (JSC::VM::VM):
2264         (JSC::VM::~VM):
2265         * runtime/VM.h:
2266         Add supporting code for the new static lookup tables.
2267
2268         * runtime/CommonIdentifiers.h:
2269         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
2270
2271         * runtime/JSGlobalObject.cpp:
2272         (JSC::JSGlobalObject::reset):
2273         (JSC::JSGlobalObject::visitChildren):
2274         Add supporting code for Promise and PromiseResolver's constructors and structures.
2275
2276         * runtime/JSGlobalObject.h:
2277         (JSC::TaskContext::~TaskContext):
2278         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
2279
2280         (JSC::JSGlobalObject::promisePrototype):
2281         (JSC::JSGlobalObject::promiseResolverPrototype):
2282         (JSC::JSGlobalObject::promiseStructure):
2283         (JSC::JSGlobalObject::promiseResolverStructure):
2284         (JSC::JSGlobalObject::promiseCallbackStructure):
2285         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
2286         Add supporting code for Promise and PromiseResolver's constructors and structures.
2287
2288         * runtime/JSPromise.cpp: Added.
2289         * runtime/JSPromise.h: Added.
2290         * runtime/JSPromiseCallback.cpp: Added.
2291         * runtime/JSPromiseCallback.h: Added.
2292         * runtime/JSPromiseConstructor.cpp: Added.
2293         * runtime/JSPromiseConstructor.h: Added.
2294         * runtime/JSPromisePrototype.cpp: Added.
2295         * runtime/JSPromisePrototype.h: Added.
2296         * runtime/JSPromiseResolver.cpp: Added.
2297         * runtime/JSPromiseResolver.h: Added.
2298         * runtime/JSPromiseResolverConstructor.cpp: Added.
2299         * runtime/JSPromiseResolverConstructor.h: Added.
2300         * runtime/JSPromiseResolverPrototype.cpp: Added.
2301         * runtime/JSPromiseResolverPrototype.h: Added.
2302         Add Promise implementation.
2303
2304 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
2305
2306         Plenty of -Wcast-align warnings in KeywordLookup.h
2307         https://bugs.webkit.org/show_bug.cgi?id=120316
2308
2309         Reviewed by Darin Adler.
2310
2311         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
2312         the character pointers to types of larger size. This avoids spewing lots of warnings
2313         in the KeywordLookup.h header when compiling with the -Wcast-align option.
2314
2315 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
2316
2317         RegExpMatchesArray should not call [[put]]
2318         https://bugs.webkit.org/show_bug.cgi?id=120317
2319
2320         Reviewed by Oliver Hunt.
2321
2322         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
2323         property called index or input to either of these prototypes will result in broken behavior.
2324
2325         * runtime/RegExpMatchesArray.cpp:
2326         (JSC::RegExpMatchesArray::reifyAllProperties):
2327             - put -> putDirect
2328
2329 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
2330
2331         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
2332         https://bugs.webkit.org/show_bug.cgi?id=120228
2333
2334         Reviewed by Oliver Hunt.
2335         
2336         It turns out that there were three problems:
2337         
2338         - Using jsNumber() meant that we were converting doubles to integers and then
2339           possibly back again whenever doing a set() between floating point arrays.
2340         
2341         - Slow-path accesses to double typed arrays were slower than necessary because
2342           of the to-int conversion attempt.
2343         
2344         - The use of JSValue as an intermediate for converting between different types
2345           in typedArray.set() resulted in worse code than I had previously expected.
2346         
2347         This patch solves the problem by using template double-dispatch to ensure that
2348         the C++ compiler sees the simplest possible combination of casts between any
2349         combination of typed array types, while still preserving JS and typed array
2350         conversion semantics. Conversions are done as follows:
2351         
2352             SourceAdaptor::convertTo<TargetAdaptor>(value)
2353         
2354         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
2355         with one method for each of int32_t, uint32_t, and double. This means that the
2356         C++ compiler will at worst see a widening cast to one of those types followed
2357         by a narrowing conversion (not necessarily a cast - may have clamping or the
2358         JS toInt32() function).
2359         
2360         This change doesn't just affect typedArray.set(); it also affects slow-path
2361         accesses to typed arrays as well. This patch also adds a bunch of new test
2362         coverage.
2363         
2364         This change is a ~50% speed-up on typedArray.set() involving floating point
2365         types.
2366
2367         * GNUmakefile.list.am:
2368         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2369         * JavaScriptCore.xcodeproj/project.pbxproj:
2370         * runtime/GenericTypedArrayView.h:
2371         (JSC::GenericTypedArrayView::set):
2372         * runtime/JSDataViewPrototype.cpp:
2373         (JSC::setData):
2374         * runtime/JSGenericTypedArrayView.h:
2375         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
2376         (JSC::JSGenericTypedArrayView::setIndexQuickly):
2377         * runtime/JSGenericTypedArrayViewInlines.h:
2378         (JSC::::setWithSpecificType):
2379         (JSC::::set):
2380         * runtime/ToNativeFromValue.h: Added.
2381         (JSC::toNativeFromValue):
2382         * runtime/TypedArrayAdaptors.h:
2383         (JSC::IntegralTypedArrayAdaptor::toJSValue):
2384         (JSC::IntegralTypedArrayAdaptor::toDouble):
2385         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
2386         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
2387         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
2388         (JSC::IntegralTypedArrayAdaptor::convertTo):
2389         (JSC::FloatTypedArrayAdaptor::toJSValue):
2390         (JSC::FloatTypedArrayAdaptor::toDouble):
2391         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
2392         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
2393         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
2394         (JSC::FloatTypedArrayAdaptor::convertTo):
2395         (JSC::Uint8ClampedAdaptor::toJSValue):
2396         (JSC::Uint8ClampedAdaptor::toDouble):
2397         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
2398         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
2399         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
2400         (JSC::Uint8ClampedAdaptor::convertTo):
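
        As an added example of the convertTo() double-dispatch sketched in this entry (my own stand-alone reconstruction, not JSC's code): the adaptor and method names follow the entry, while the method bodies, the ToInt32/ToUint8Clamp helpers, convertElements() and the constructed Float64 sample are assumptions.

```cpp
// Added example, not JSC's code: a stand-alone model of the adaptor double-dispatch
// described in the ChangeLog entry above. Helper bodies and sample data are assumptions.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <limits>

// ECMAScript ToInt32: NaN/infinity -> 0; otherwise truncate, reduce modulo 2^32,
// and reinterpret in the signed 32-bit range.
static int32_t jsToInt32(double d)
{
    if (!std::isfinite(d))
        return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0); // keeps the sign of d
    if (m < 0)
        m += 4294967296.0;
    uint32_t u = static_cast<uint32_t>(m);
    // Two's-complement wrap without relying on an implementation-defined cast.
    if (u >= 0x80000000u)
        return static_cast<int32_t>(u - 0x80000000u) - 0x7fffffff - 1;
    return static_cast<int32_t>(u);
}

// ECMAScript ToUint8Clamp: NaN -> 0, clamp to [0, 255], ties round to even.
static uint8_t jsToUint8Clamp(double d)
{
    if (std::isnan(d) || d <= 0)
        return 0;
    if (d >= 255)
        return 255;
    double f = std::floor(d);
    double frac = d - f;
    if (frac < 0.5)
        return static_cast<uint8_t>(f);
    if (frac > 0.5)
        return static_cast<uint8_t>(f + 1);
    return static_cast<uint8_t>(std::fmod(f, 2.0) == 0 ? f : f + 1);
}

// Int8 ... Uint32 elements: a double goes through ToInt32, then a plain narrowing
// cast, which is the wrap-around behaviour typed arrays specify.
template<typename T> struct IntegralTypedArrayAdaptor {
    typedef T Type;
    static T toNativeFromInt32(int32_t v) { return static_cast<T>(v); }
    static T toNativeFromUint32(uint32_t v) { return static_cast<T>(v); }
    static T toNativeFromDouble(double v) { return static_cast<T>(jsToInt32(v)); }
    // Widen once (int32 or uint32), then let the target narrow: one widening cast plus one target conversion.
    template<typename Target> static typename Target::Type convertTo(T v)
    {
        if (std::numeric_limits<T>::is_signed)
            return Target::toNativeFromInt32(static_cast<int32_t>(v));
        return Target::toNativeFromUint32(static_cast<uint32_t>(v));
    }
};

// Float32/Float64 elements: never round-trip through an integer, which is what the
// old jsNumber()-based path did.
template<typename T> struct FloatTypedArrayAdaptor {
    typedef T Type;
    static T toNativeFromInt32(int32_t v) { return static_cast<T>(v); }
    static T toNativeFromUint32(uint32_t v) { return static_cast<T>(v); }
    static T toNativeFromDouble(double v) { return static_cast<T>(v); }
    template<typename Target> static typename Target::Type convertTo(T v)
    {
        return Target::toNativeFromDouble(static_cast<double>(v));
    }
};

// Uint8Clamped elements: narrowing clamps instead of wrapping.
struct Uint8ClampedAdaptor {
    typedef uint8_t Type;
    static uint8_t toNativeFromInt32(int32_t v) { return v < 0 ? 0 : v > 255 ? 255 : static_cast<uint8_t>(v); }
    static uint8_t toNativeFromUint32(uint32_t v) { return v > 255 ? 255 : static_cast<uint8_t>(v); }
    static uint8_t toNativeFromDouble(double v) { return jsToUint8Clamp(v); }
    template<typename Target> static typename Target::Type convertTo(uint8_t v)
    {
        return Target::toNativeFromUint32(v);
    }
};

// Element-wise core of typedArray.set() between two element types: one dispatch per
// element and no JSValue intermediate.
template<typename TargetAdaptor, typename SourceAdaptor>
static void convertElements(typename TargetAdaptor::Type* dst,
                            const typename SourceAdaptor::Type* src, size_t count)
{
    for (size_t i = 0; i < count; ++i)
        dst[i] = SourceAdaptor::template convertTo<TargetAdaptor>(src[i]);
}

// Constructed sample: a Float64Array copied into an Int32Array; returns element `index`.
static int32_t sampleFloat64ToInt32(size_t index)
{
    const double source[4] = { 4294967301.0, -1.5, 2147483648.0, 2.5 }; // constructed input
    int32_t out[4];
    convertElements<IntegralTypedArrayAdaptor<int32_t>, FloatTypedArrayAdaptor<double> >(out, source, 4);
    return out[index];
}
```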
2401
2402 2013-08-24  Dan Bernstein  <mitz@apple.com>
2403
2404         [mac] link against libz in a more civilized manner
2405         https://bugs.webkit.org/show_bug.cgi?id=120258
2406
2407         Reviewed by Darin Adler.
2408
2409         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
2410         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
2411         Link Binary With Libraries build phase.
2412
2413 2013-08-23  Laszlo Papp  <lpapp@kde.org>
2414
2415         Failure building with python3
2416         https://bugs.webkit.org/show_bug.cgi?id=106645
2417
2418         Reviewed by Benjamin Poulain.
2419
2420         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
2421         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
2422
2423         * disassembler/udis86/itab.py:
2424         (UdItabGenerator.genInsnTable):
2425         * disassembler/udis86/ud_opcode.py:
2426         (UdOpcodeTables.print_table):
2427         * disassembler/udis86/ud_optable.py:
2428         (UdOptableXmlParser.parseDef):
2429         (UdOptableXmlParser.parse):
2430         (printFn):
2431
2432 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
2433
2434         Incorrect TypedArray#set behavior
2435         https://bugs.webkit.org/show_bug.cgi?id=83818
2436
2437         Reviewed by Oliver Hunt and Mark Hahnenberg.
2438         
2439         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
2440         not smart enough to figure out optimal versions for *all* of the cases. But I
2441         did come up with optimal implementations for most of the cases, and I wrote
2442         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
2443         enough to write optimal code for.
2444
2445         * runtime/JSArrayBufferView.h:
2446         (JSC::JSArrayBufferView::hasArrayBuffer):
2447         * runtime/JSArrayBufferViewInlines.h:
2448         (JSC::JSArrayBufferView::buffer):
2449         (JSC::JSArrayBufferView::existingBufferInButterfly):
2450         (JSC::JSArrayBufferView::neuter):
2451         (JSC::JSArrayBufferView::byteOffset):
2452         * runtime/JSGenericTypedArrayView.h:
2453         * runtime/JSGenericTypedArrayViewInlines.h:
2454         (JSC::::setWithSpecificType):
2455         (JSC::::set):
2456         (JSC::::existingBuffer):
2457
2458 2013-08-23  Alex Christensen  <achristensen@apple.com>
2459
2460         Re-separating Win32 and Win64 builds.
2461         https://bugs.webkit.org/show_bug.cgi?id=120178
2462
2463         Reviewed by Brent Fulgham.
2464
2465         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2466         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2467         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2468         Pass PlatformArchitecture as a command line parameter to bash scripts.
2469         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
2470         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
2471         * JavaScriptCore.vcxproj/build-generated-files.sh:
2472         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
2473
2474 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
2475
2476         build-jsc --ftl-jit should work
2477         https://bugs.webkit.org/show_bug.cgi?id=120194
2478
2479         Reviewed by Oliver Hunt.
2480
2481         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
2482         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
2483         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
2484         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
2485         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
2486         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
2487
2488 2013-08-23  Oliver Hunt  <oliver@apple.com>
2489
2490         Re-sort xcode project file
2491
2492         * JavaScriptCore.xcodeproj/project.pbxproj:
2493
2494 2013-08-23  Oliver Hunt  <oliver@apple.com>
2495
2496         Support in memory compression of rarely used data
2497         https://bugs.webkit.org/show_bug.cgi?id=120143
2498
2499         Reviewed by Gavin Barraclough.
2500
2501         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
2502
2503         * Configurations/JavaScriptCore.xcconfig:
2504         * bytecode/UnlinkedCodeBlock.cpp:
2505         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
2506         (JSC::UnlinkedCodeBlock::addExpressionInfo):
2507         * bytecode/UnlinkedCodeBlock.h:
2508
2509 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
2510
2511         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
2512         https://bugs.webkit.org/show_bug.cgi?id=120179
2513
2514         Reviewed by Geoffrey Garen.
2515
2516         There are many places in the code for JSObject and JSArray where they are manipulating their 
2517         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
2518         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
2519         like it will make this dance even more intricate. To make everybody's lives easier we should use 
2520         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
2521         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
2522         should not incur any additional overhead.
2523
2524         * heap/Heap.h:
2525         * runtime/JSArray.cpp:
2526         (JSC::JSArray::unshiftCountSlowCase):
2527         * runtime/JSObject.cpp:
2528         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2529         (JSC::JSObject::createInitialUndecided):
2530         (JSC::JSObject::createInitialInt32):
2531         (JSC::JSObject::createInitialDouble):
2532         (JSC::JSObject::createInitialContiguous):
2533         (JSC::JSObject::createArrayStorage):
2534         (JSC::JSObject::convertUndecidedToArrayStorage):
2535         (JSC::JSObject::convertInt32ToArrayStorage):
2536         (JSC::JSObject::convertDoubleToArrayStorage):
2537         (JSC::JSObject::convertContiguousToArrayStorage):
2538         (JSC::JSObject::increaseVectorLength):
2539         (JSC::JSObject::ensureLengthSlow):
2540         * runtime/JSObject.h:
2541         (JSC::JSObject::putDirectInternal):
2542         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2543         (JSC::JSObject::putDirectWithoutTransition):
2544
2545 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
2546
2547         Update LLVM binary drops and scripts to the latest version from SVN
2548         https://bugs.webkit.org/show_bug.cgi?id=120184
2549
2550         Reviewed by Mark Hahnenberg.
2551
2552         * dfg/DFGPlan.cpp:
2553         (JSC::DFG::Plan::compileInThreadImpl):
2554
2555 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
2556
2557         Don't leak registers for redeclared variables
2558         https://bugs.webkit.org/show_bug.cgi?id=120174
2559
2560         Reviewed by Geoff Garen.
2561
2562         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
2563         Only allocate new registers when necessary.
2564
2565         No performance impact.
2566
2567         * interpreter/Interpreter.cpp:
2568         (JSC::Interpreter::execute):
2569         * runtime/Executable.cpp:
2570         (JSC::ProgramExecutable::initializeGlobalProperties):
2571             - Don't allocate the register here.
2572         * runtime/JSGlobalObject.cpp:
2573         (JSC::JSGlobalObject::addGlobalVar):
2574             - Allocate the register here instead.
2575
2576 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
2577
2578         https://bugs.webkit.org/show_bug.cgi?id=120128
2579         Remove putDirectVirtual
2580
2581         Unreviewed, checked in commented out code. :-(
2582
2583         * interpreter/Interpreter.cpp:
2584         (JSC::Interpreter::execute):
2585             - delete commented out code
2586
2587 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
2588
2589         Error.stack should not be enumerable
2590         https://bugs.webkit.org/show_bug.cgi?id=120171
2591
2592         Reviewed by Oliver Hunt.
2593
2594         Breaks ECMA tests.
2595
2596         * runtime/ErrorInstance.cpp:
2597         (JSC::ErrorInstance::finishCreation):
2598             - None -> DontEnum
2599
2600 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
2601
2602         https://bugs.webkit.org/show_bug.cgi?id=120128
2603         Remove putDirectVirtual
2604
2605         Reviewed by Sam Weinig.
2606
2607         This could most generously be described as 'vestigial'.
2608         No performance impact.
2609
2610         * API/JSObjectRef.cpp:
2611         (JSObjectSetProperty):
2612             - changed to use defineOwnProperty
2613         * debugger/DebuggerActivation.cpp:
2614         * debugger/DebuggerActivation.h:
2615             - remove putDirectVirtual
2616         * interpreter/Interpreter.cpp:
2617         (JSC::Interpreter::execute):
2618             - changed to use defineOwnProperty
2619         * runtime/ClassInfo.h:
2620         * runtime/JSActivation.cpp:
2621         * runtime/JSActivation.h:
2622         * runtime/JSCell.cpp:
2623         * runtime/JSCell.h:
2624         * runtime/JSGlobalObject.cpp:
2625         * runtime/JSGlobalObject.h:
2626         * runtime/JSObject.cpp:
2627         * runtime/JSObject.h:
2628         * runtime/JSProxy.cpp:
2629         * runtime/JSProxy.h:
2630         * runtime/JSSymbolTableObject.cpp:
2631         * runtime/JSSymbolTableObject.h:
2632             - remove putDirectVirtual
2633         * runtime/PropertyDescriptor.h:
2634         (JSC::PropertyDescriptor::PropertyDescriptor):
2635             - added constructor for convenience
2636
2637 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
2638
2639         errorDescriptionForValue() should not assume error value is an Object
2640         https://bugs.webkit.org/show_bug.cgi?id=119812
2641
2642         Reviewed by Geoffrey Garen.
2643
2644         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
2645         has no type, the function now returns the empty string. 
2646         * runtime/ExceptionHelpers.cpp:
2647         (JSC::errorDescriptionForValue):
2648
2649 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
2650
2651         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
2652         https://bugs.webkit.org/show_bug.cgi?id=120107
2653
2654         Reviewed by Yong Li.
2655
2656         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
2657
2658         * dfg/DFGSpeculativeJIT.h:
2659         (JSC::DFG::SpeculativeJIT::callOperation):
2660
2661 2013-08-21  Commit Queue  <commit-queue@webkit.org>
2662
2663         Unreviewed, rolling out r154416.
2664         http://trac.webkit.org/changeset/154416
2665         https://bugs.webkit.org/show_bug.cgi?id=120147
2666
2667         Broke Windows builds (Requested by rniwa on #webkit).
2668
2669         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2670         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2671         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
2672         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2673         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
2674         * JavaScriptCore.vcxproj/build-generated-files.sh:
2675
2676 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
2677
2678         Clarify var/const/function declaration
2679         https://bugs.webkit.org/show_bug.cgi?id=120144
2680
2681         Reviewed by Sam Weinig.
2682
2683         Add methods to JSGlobalObject to declare vars, consts, and functions.
2684
2685         * runtime/Executable.cpp:
2686         (JSC::ProgramExecutable::initializeGlobalProperties):
2687         * runtime/Executable.h:
2688             - Moved declaration code to JSGlobalObject
2689         * runtime/JSGlobalObject.cpp:
2690         (JSC::JSGlobalObject::addGlobalVar):
2691             - internal implementation of addVar, addConst, addFunction
2692         * runtime/JSGlobalObject.h:
2693         (JSC::JSGlobalObject::addVar):
2694         (JSC::JSGlobalObject::addConst):
2695         (JSC::JSGlobalObject::addFunction):
2696             - Added methods to declare vars, consts, and functions
2697
2698 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
2699
2700         https://bugs.webkit.org/show_bug.cgi?id=119900
2701         Exception in global setter doesn't unwind correctly
2702
2703         Reviewed by Geoffrey Garen.
2704
2705         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws an exception.
2706
2707         * jit/JITStubs.cpp:
2708         (JSC::DEFINE_STUB_FUNCTION):
2709
2710 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2711
2712         Rename/refactor setButterfly/setStructure
2713         https://bugs.webkit.org/show_bug.cgi?id=120138
2714
2715         Reviewed by Geoffrey Garen.
2716
2717         setButterfly becomes setStructureAndButterfly.
2718
2719         Also removed the Butterfly* argument from setStructure and just implicitly
2720         used m_butterfly internally since that's what every single client of setStructure
2721         was doing already.
2722
2723         * jit/JITStubs.cpp:
2724         (JSC::DEFINE_STUB_FUNCTION):
2725         * runtime/JSObject.cpp:
2726         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2727         (JSC::JSObject::createInitialUndecided):
2728         (JSC::JSObject::createInitialInt32):
2729         (JSC::JSObject::createInitialDouble):
2730         (JSC::JSObject::createInitialContiguous):
2731         (JSC::JSObject::createArrayStorage):
2732         (JSC::JSObject::convertUndecidedToInt32):
2733         (JSC::JSObject::convertUndecidedToDouble):
2734         (JSC::JSObject::convertUndecidedToContiguous):
2735         (JSC::JSObject::convertUndecidedToArrayStorage):
2736         (JSC::JSObject::convertInt32ToDouble):
2737         (JSC::JSObject::convertInt32ToContiguous):
2738         (JSC::JSObject::convertInt32ToArrayStorage):
2739         (JSC::JSObject::genericConvertDoubleToContiguous):
2740         (JSC::JSObject::convertDoubleToArrayStorage):
2741         (JSC::JSObject::convertContiguousToArrayStorage):
2742         (JSC::JSObject::switchToSlowPutArrayStorage):
2743         (JSC::JSObject::setPrototype):
2744         (JSC::JSObject::putDirectAccessor):
2745         (JSC::JSObject::seal):
2746         (JSC::JSObject::freeze):
2747         (JSC::JSObject::preventExtensions):
2748         (JSC::JSObject::reifyStaticFunctionsForDelete):
2749         (JSC::JSObject::removeDirect):
2750         * runtime/JSObject.h:
2751         (JSC::JSObject::setStructureAndButterfly):
2752         (JSC::JSObject::setStructure):
2753         (JSC::JSObject::putDirectInternal):
2754         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2755         (JSC::JSObject::putDirectWithoutTransition):
2756         * runtime/Structure.cpp:
2757         (JSC::Structure::flattenDictionaryStructure):
2758
2759 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
2760
2761         https://bugs.webkit.org/show_bug.cgi?id=120127
2762         Remove JSObject::propertyIsEnumerable
2763
2764         Unreviewed typo fix
2765
2766         * runtime/JSObject.h:
2767             - fix typo
2768
2769 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
2770
2771         https://bugs.webkit.org/show_bug.cgi?id=120139
2772         PropertyDescriptor argument to define methods should be const
2773
2774         Rubber stamped by Sam Weinig.
2775
2776         This should never be modified, and this way we can use rvalues.
2777
2778         * debugger/DebuggerActivation.cpp:
2779         (JSC::DebuggerActivation::defineOwnProperty):
2780         * debugger/DebuggerActivation.h:
2781         * runtime/Arguments.cpp:
2782         (JSC::Arguments::defineOwnProperty):
2783         * runtime/Arguments.h:
2784         * runtime/ClassInfo.h:
2785         * runtime/JSArray.cpp:
2786         (JSC::JSArray::defineOwnProperty):
2787         * runtime/JSArray.h:
2788         * runtime/JSArrayBuffer.cpp:
2789         (JSC::JSArrayBuffer::defineOwnProperty):
2790         * runtime/JSArrayBuffer.h:
2791         * runtime/JSArrayBufferView.cpp:
2792         (JSC::JSArrayBufferView::defineOwnProperty):
2793         * runtime/JSArrayBufferView.h:
2794         * runtime/JSCell.cpp:
2795         (JSC::JSCell::defineOwnProperty):
2796         * runtime/JSCell.h:
2797         * runtime/JSFunction.cpp:
2798         (JSC::JSFunction::defineOwnProperty):
2799         * runtime/JSFunction.h:
2800         * runtime/JSGenericTypedArrayView.h:
2801         * runtime/JSGenericTypedArrayViewInlines.h:
2802         (JSC::::defineOwnProperty):
2803         * runtime/JSGlobalObject.cpp:
2804         (JSC::JSGlobalObject::defineOwnProperty):
2805         * runtime/JSGlobalObject.h:
2806         * runtime/JSObject.cpp:
2807         (JSC::JSObject::putIndexedDescriptor):
2808         (JSC::JSObject::defineOwnIndexedProperty):
2809         (JSC::putDescriptor):
2810         (JSC::JSObject::defineOwnNonIndexProperty):
2811         (JSC::JSObject::defineOwnProperty):
2812         * runtime/JSObject.h:
2813         * runtime/JSProxy.cpp:
2814         (JSC::JSProxy::defineOwnProperty):
2815         * runtime/JSProxy.h:
2816         * runtime/RegExpMatchesArray.h:
2817         (JSC::RegExpMatchesArray::defineOwnProperty):
2818         * runtime/RegExpObject.cpp:
2819         (JSC::RegExpObject::defineOwnProperty):
2820         * runtime/RegExpObject.h:
2821         * runtime/StringObject.cpp:
2822         (JSC::StringObject::defineOwnProperty):
2823         * runtime/StringObject.h:
2824             - make PropertyDescriptor const
2825
2826 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
2827
2828         REGRESSION: Crash under JITCompiler::link while loading Gmail
2829         https://bugs.webkit.org/show_bug.cgi?id=119872
2830
2831         Reviewed by Mark Hahnenberg.
2832         
2833         Apparently, unsigned + signed = unsigned. Work around it with a cast.
2834
2835         * dfg/DFGByteCodeParser.cpp:
2836         (JSC::DFG::ByteCodeParser::parseBlock):
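
The promotion rule this entry works around, as an added illustration in C (not JavaScriptCore's code; the helper names and the base-index-plus-relative-offset scenario are assumptions):

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not JSC code): combine an unsigned base index with a
 * signed relative offset, as a bytecode jump target would be computed.
 * Under C's usual arithmetic conversions the int operand is converted to
 * unsigned before the addition, so a result that should be negative wraps
 * to a large positive value and stays that way when widened to int64_t. */
int64_t target_unsigned_plus_signed(unsigned base, int relative)
{
    return base + relative;  /* evaluated in unsigned, then widened */
}

/* The same computation with the cast the entry describes: converting the
 * unsigned operand first makes the addition happen in signed arithmetic. */
int64_t target_with_cast(unsigned base, int relative)
{
    return (int)base + relative;
}

/* A range check a caller might apply to the result. With the unwanted
 * promotion a negative target never reads as negative, so the check fails
 * on the wrapped value rather than on the sign; with the cast the negative
 * value is caught as such. */
int target_in_range(int64_t target, unsigned limit)
{
    return target >= 0 && target < (int64_t)limit;
}

int main(void)
{
    unsigned base = 2;   /* constructed sample values */
    int relative = -5;
    printf("unsigned + signed      : %lld\n",
           (long long)target_unsigned_plus_signed(base, relative));
    printf("(int)unsigned + signed : %lld\n",
           (long long)target_with_cast(base, relative));
    return 0;
}
```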
2837
2838 2013-08-21  Alex Christensen  <achristensen@apple.com>
2839
2840         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
2841
2842         Reviewed by Brent Fulgham.
2843
2844         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2845         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2846         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2847         Pass PlatformArchitecture as a command line parameter to bash scripts.
2848         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
2849         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
2850         * JavaScriptCore.vcxproj/build-generated-files.sh:
2851         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
2852
2853 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
2854
2855         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
2856         https://bugs.webkit.org/show_bug.cgi?id=120099
2857
2858         Reviewed by Mark Hahnenberg.
2859         
2860         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
2861         JSDataView may have ordinary JS indexed properties.
2862
2863         * runtime/ClassInfo.h:
2864         * runtime/JSArrayBufferView.cpp:
2865         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2866         (JSC::JSArrayBufferView::finishCreation):
2867         * runtime/JSArrayBufferView.h:
2868         (JSC::hasArrayBuffer):
2869         * runtime/JSArrayBufferViewInlines.h:
2870         (JSC::JSArrayBufferView::buffer):
2871         (JSC::JSArrayBufferView::neuter):
2872         (JSC::JSArrayBufferView::byteOffset):
2873         * runtime/JSCell.cpp:
2874         (JSC::JSCell::slowDownAndWasteMemory):
2875         * runtime/JSCell.h:
2876         * runtime/JSDataView.cpp:
2877         (JSC::JSDataView::JSDataView):
2878         (JSC::JSDataView::create):
2879         (JSC::JSDataView::slowDownAndWasteMemory):
2880         * runtime/JSDataView.h:
2881         (JSC::JSDataView::buffer):
2882         * runtime/JSGenericTypedArrayView.h:
2883         * runtime/JSGenericTypedArrayViewInlines.h:
2884         (JSC::::visitChildren):
2885         (JSC::::slowDownAndWasteMemory):
2886
2887 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2888
2889         Remove incorrect ASSERT from CopyVisitor::visitItem
2890
2891         Rubber stamped by Filip Pizlo.
2892
2893         * heap/CopyVisitorInlines.h:
2894         (JSC::CopyVisitor::visitItem):
2895
2896 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
2897
2898         https://bugs.webkit.org/show_bug.cgi?id=120127
2899         Remove JSObject::propertyIsEnumerable
2900
2901         Reviewed by Sam Weinig.
2902
2903         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
2904
2905         * runtime/JSObject.cpp:
2906         * runtime/JSObject.h:
2907             - remove propertyIsEnumerable
2908         * runtime/ObjectPrototype.cpp:
2909         (JSC::objectProtoFuncPropertyIsEnumerable):
2910             - Move implementation here using getOwnPropertyDescriptor directly.
2911
2912 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
2913
2914         DFG should inline new typedArray()
2915         https://bugs.webkit.org/show_bug.cgi?id=120022
2916
2917         Reviewed by Oliver Hunt.
2918         
2919         Adds inlining of typed array allocations in the DFG. Any operation of the
2920         form:
2921         
2922             new foo(blah)
2923         
2924         or:
2925         
2926             foo(blah)
2927         
2928         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
2929         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
2930         is predicted integer, we generate inline code for an allocation. Otherwise
2931         it turns into a call to an operation that behaves like the constructor would
2932         if it was passed one argument (i.e. it may wrap a buffer or it may create a
2933         copy of another array, or it may allocate an array of that length).
2934
2935         * bytecode/SpeculatedType.cpp:
2936         (JSC::speculationFromTypedArrayType):
2937         (JSC::speculationFromClassInfo):
2938         * bytecode/SpeculatedType.h:
2939         * dfg/DFGAbstractInterpreterInlines.h:
2940         (JSC::DFG::::executeEffects):
2941         * dfg/DFGBackwardsPropagationPhase.cpp:
2942         (JSC::DFG::BackwardsPropagationPhase::propagate):
2943         * dfg/DFGByteCodeParser.cpp:
2944         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
2945         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2946         * dfg/DFGCCallHelpers.h:
2947         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2948         * dfg/DFGCSEPhase.cpp:
2949         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2950         * dfg/DFGClobberize.h:
2951         (JSC::DFG::clobberize):
2952         * dfg/DFGFixupPhase.cpp:
2953         (JSC::DFG::FixupPhase::fixupNode):
2954         * dfg/DFGGraph.cpp:
2955         (JSC::DFG::Graph::dump):
2956         * dfg/DFGNode.h:
2957         (JSC::DFG::Node::hasTypedArrayType):
2958         (JSC::DFG::Node::typedArrayType):
2959         * dfg/DFGNodeType.h:
2960         * dfg/DFGOperations.cpp:
2961         (JSC::DFG::newTypedArrayWithSize):
2962         (JSC::DFG::newTypedArrayWithOneArgument):
2963         * dfg/DFGOperations.h:
2964         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2965         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
2966         * dfg/DFGPredictionPropagationPhase.cpp:
2967         (JSC::DFG::PredictionPropagationPhase::propagate):
2968         * dfg/DFGSafeToExecute.h:
2969         (JSC::DFG::safeToExecute):
2970         * dfg/DFGSpeculativeJIT.cpp:
2971         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2972         * dfg/DFGSpeculativeJIT.h:
2973         (JSC::DFG::SpeculativeJIT::callOperation):
2974         * dfg/DFGSpeculativeJIT32_64.cpp:
2975         (JSC::DFG::SpeculativeJIT::compile):
2976         * dfg/DFGSpeculativeJIT64.cpp:
2977         (JSC::DFG::SpeculativeJIT::compile):
2978         * jit/JITOpcodes.cpp:
2979         (JSC::JIT::emit_op_new_object):
2980         * jit/JITOpcodes32_64.cpp:
2981         (JSC::JIT::emit_op_new_object):
2982         * runtime/JSArray.h:
2983         (JSC::JSArray::allocationSize):
2984         * runtime/JSArrayBufferView.h:
2985         (JSC::JSArrayBufferView::allocationSize):
2986         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2987         (JSC::constructGenericTypedArrayView):
2988         * runtime/JSObject.h:
2989         (JSC::JSFinalObject::allocationSize):
2990         * runtime/TypedArrayType.cpp:
2991         (JSC::constructorClassInfoForType):
2992         * runtime/TypedArrayType.h:
2993         (JSC::indexToTypedArrayType):
2994
2995 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
2996
2997         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
2998
2999         Reviewed by Geoffrey Garen.
3000
3001         * dfg/DFGOperations.h:
3002
3003 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
3004
3005         https://bugs.webkit.org/show_bug.cgi?id=120093
3006         Remove getOwnPropertyDescriptor trap
3007
3008         Reviewed by Geoff Garen.
3009
3010         All implementations of this method are now called via the method table, and equivalent in behaviour.
3011         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
3012
3013         * API/JSCallbackObject.h:
3014         * API/JSCallbackObjectFunctions.h:
3015         * debugger/DebuggerActivation.cpp:
3016         * debugger/DebuggerActivation.h:
3017         * runtime/Arguments.cpp:
3018         * runtime/Arguments.h:
3019         * runtime/ArrayConstructor.cpp:
3020         * runtime/ArrayConstructor.h:
3021         * runtime/ArrayPrototype.cpp:
3022         * runtime/ArrayPrototype.h:
3023         * runtime/BooleanPrototype.cpp:
3024         * runtime/BooleanPrototype.h:
3025             - remove getOwnPropertyDescriptor
3026         * runtime/ClassInfo.h:
3027             - remove getOwnPropertyDescriptor from MethodTable
3028         * runtime/DateConstructor.cpp:
3029         * runtime/DateConstructor.h:
3030         * runtime/DatePrototype.cpp:
3031         * runtime/DatePrototype.h:
3032         * runtime/ErrorPrototype.cpp:
3033         * runtime/ErrorPrototype.h:
3034         * runtime/JSActivation.cpp:
3035         * runtime/JSActivation.h:
3036         * runtime/JSArray.cpp:
3037         * runtime/JSArray.h:
3038         * runtime/JSArrayBuffer.cpp:
3039         * runtime/JSArrayBuffer.h:
3040         * runtime/JSArrayBufferView.cpp:
3041         * runtime/JSArrayBufferView.h:
3042         * runtime/JSCell.cpp:
3043         * runtime/JSCell.h:
3044         * runtime/JSDataView.cpp:
3045         * runtime/JSDataView.h:
3046         * runtime/JSDataViewPrototype.cpp:
3047         * runtime/JSDataViewPrototype.h:
3048         * runtime/JSFunction.cpp:
3049         * runtime/JSFunction.h:
3050         * runtime/JSGenericTypedArrayView.h:
3051         * runtime/JSGenericTypedArrayViewInlines.h:
3052         * runtime/JSGlobalObject.cpp:
3053         * runtime/JSGlobalObject.h:
3054         * runtime/JSNotAnObject.cpp:
3055         * runtime/JSNotAnObject.h:
3056         * runtime/JSONObject.cpp:
3057         * runtime/JSONObject.h:
3058             - remove getOwnPropertyDescriptor
3059         * runtime/JSObject.cpp:
3060         (JSC::JSObject::propertyIsEnumerable):
3061             - switch to call new getOwnPropertyDescriptor member function
3062         (JSC::JSObject::getOwnPropertyDescriptor):
3063             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
3064         (JSC::JSObject::defineOwnNonIndexProperty):
3065             - switch to call new getOwnPropertyDescriptor member function
3066         * runtime/JSObject.h:
3067         * runtime/JSProxy.cpp:
3068         * runtime/JSProxy.h:
3069         * runtime/NamePrototype.cpp:
3070         * runtime/NamePrototype.h:
3071         * runtime/NumberConstructor.cpp:
3072         * runtime/NumberConstructor.h:
3073         * runtime/NumberPrototype.cpp:
3074         * runtime/NumberPrototype.h:
3075             - remove getOwnPropertyDescriptor
3076         * runtime/ObjectConstructor.cpp:
3077         (JSC::objectConstructorGetOwnPropertyDescriptor):
3078         (JSC::objectConstructorSeal):
3079         (JSC::objectConstructorFreeze):
3080         (JSC::objectConstructorIsSealed):
3081         (JSC::objectConstructorIsFrozen):
3082             - switch to call new getOwnPropertyDescriptor member function
3083         * runtime/ObjectConstructor.h:
3084             - remove getOwnPropertyDescriptor
3085         * runtime/PropertyDescriptor.h:
3086             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
3087         * runtime/RegExpConstructor.cpp:
3088         * runtime/RegExpConstructor.h:
3089         * runtime/RegExpMatchesArray.cpp:
3090         * runtime/RegExpMatchesArray.h:
3091         * runtime/RegExpObject.cpp:
3092         * runtime/RegExpObject.h:
3093         * runtime/RegExpPrototype.cpp:
3094         * runtime/RegExpPrototype.h:
3095         * runtime/StringConstructor.cpp:
3096         * runtime/StringConstructor.h:
3097         * runtime/StringObject.cpp:
3098         * runtime/StringObject.h:
3099             - remove getOwnPropertyDescriptor
3100
3101 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
3102
3103         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
3104
3105         Reviewed by Oliver Hunt.
3106
3107         When we flatten an object in dictionary mode, we compact its properties. If the object 
3108         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
3109         compaction its properties fit inline, the object's Structure "forgets" that the object 
3110         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
3111         with bytes = 0, which causes all sorts of badness in CopiedSpace.
3112
3113         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
3114         Butterfly pointer so that the GC doesn't get confused later.
3115
3116         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
3117         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
3118         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
3119         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
3120
3121         * heap/SlotVisitorInlines.h:
3122         (JSC::SlotVisitor::copyLater):
3123         * runtime/JSObject.cpp:
3124         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3125         (JSC::JSObject::convertUndecidedToInt32):
3126         (JSC::JSObject::convertUndecidedToDouble):
3127         (JSC::JSObject::convertUndecidedToContiguous):
3128         (JSC::JSObject::convertInt32ToDouble):
3129         (JSC::JSObject::convertInt32ToContiguous):
3130         (JSC::JSObject::genericConvertDoubleToContiguous):
3131         (JSC::JSObject::switchToSlowPutArrayStorage):
3132         (JSC::JSObject::setPrototype):
3133         (JSC::JSObject::putDirectAccessor):
3134         (JSC::JSObject::seal):
3135         (JSC::JSObject::freeze):
3136         (JSC::JSObject::preventExtensions):
3137         (JSC::JSObject::reifyStaticFunctionsForDelete):
3138         (JSC::JSObject::removeDirect):
3139         * runtime/JSObject.h:
3140         (JSC::JSObject::setButterfly):
3141         (JSC::JSObject::putDirectInternal):
3142         (JSC::JSObject::setStructure):
3143         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
3144         * runtime/Structure.cpp:
3145         (JSC::Structure::flattenDictionaryStructure):
3146
3147 2013-08-20  Alex Christensen  <achristensen@apple.com>
3148
3149         Compile fix for Win64 after r154156.
3150
3151         Rubber stamped by Oliver Hunt.
3152
3153         * jit/JITStubsMSVC64.asm:
3154         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
3155         cti_vm_throw_slowpath to cti_vm_handle_exception.
3156
3157 2013-08-20  Alex Christensen  <achristensen@apple.com>
3158
3159         <https://webkit.org/b/120076> More work towards a Win64 build
3160
3161         Reviewed by Brent Fulgham.
3162
3163         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
3164         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
3165         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
3166         * JavaScriptCore.vcxproj/copy-files.cmd:
3167         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
3168         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
3169         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
3170
3171 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
3172
3173         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
3174
3175         Reviewed by Geoffrey Garen.
3176
3177         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
3178         initializeLazyWriteBarrierFor* wrapper functions more sane. 
3179
3180         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
3181         and index when triggering the WriteBarrier at the end of compilation. 
3182
3183         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
3184         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
3185         little extra work that really shouldn't have been its responsibility.
3186
3187         * dfg/DFGByteCodeParser.cpp:
3188         (JSC::DFG::ByteCodeParser::addConstant):
3189         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3190         * dfg/DFGDesiredWriteBarriers.cpp:
3191         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
3192         (JSC::DFG::DesiredWriteBarrier::trigger):
3193         * dfg/DFGDesiredWriteBarriers.h:
3194         (JSC::DFG::DesiredWriteBarriers::add):
3195         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
3196         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
3197         (JSC::DFG::initializeLazyWriteBarrierForConstant):
3198         * dfg/DFGFixupPhase.cpp:
3199         (JSC::DFG::FixupPhase::truncateConstantToInt32):
3200         * dfg/DFGGraph.h:
3201         (JSC::DFG::Graph::constantRegisterForConstant):
3202
3203 2013-08-20  Michael Saboff  <msaboff@apple.com>
3204
3205         https://bugs.webkit.org/show_bug.cgi?id=120075
3206         REGRESSION (r128400): BBC4 website not displaying pictures
3207
3208         Reviewed by Oliver Hunt.
3209
3210         * runtime/RegExpMatchesArray.h:
3211         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
3212         so that the match results will be reified before any other modification to the results array.
3213
3214 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
3215
3216         Incorrect behavior on emscripten-compiled cube2hash
3217         https://bugs.webkit.org/show_bug.cgi?id=120033
3218
3219         Reviewed by Mark Hahnenberg.
3220         
3221         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
3222         then we should bail attempts to CSE.
3223
3224         * dfg/DFGCSEPhase.cpp:
3225         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
3226         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
3227
3228 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
3229
3230         https://bugs.webkit.org/show_bug.cgi?id=120073
3231         Remove use of GOPD from JSFunction::defineProperty
3232
3233         Reviewed by Oliver Hunt.
3234
3235         Call getOwnPropertySlot to check for existing properties instead.
3236
3237         * runtime/JSFunction.cpp:
3238         (JSC::JSFunction::defineOwnProperty):
3239             - getOwnPropertyDescriptor -> getOwnPropertySlot
3240
3241 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
3242
3243         https://bugs.webkit.org/show_bug.cgi?id=120067
3244         Remove getPropertyDescriptor
3245
3246         Reviewed by Oliver Hunt.
3247
3248         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
3249         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
3250
3251         * runtime/JSObject.cpp:
3252         * runtime/JSObject.h:
3253             - remove getPropertyDescriptor
3254         * runtime/ObjectPrototype.cpp:
3255         (JSC::objectProtoFuncLookupGetter):
3256         (JSC::objectProtoFuncLookupSetter):
3257             - replace call to getPropertyDescriptor with getPropertySlot
3258         * runtime/PropertyDescriptor.h:
3259         * runtime/PropertySlot.h:
3260         (JSC::PropertySlot::isAccessor):
3261         (JSC::PropertySlot::isCacheableGetter):
3262         (JSC::PropertySlot::getterSetter):
3263             - rename isGetter() to isAccessor()
3264
3265 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
3266
3267         https://bugs.webkit.org/show_bug.cgi?id=120054
3268         Remove some dead code following getOwnPropertyDescriptor cleanup
3269
3270         Reviewed by Oliver Hunt.
3271
3272         * runtime/Lookup.h:
3273         (JSC::getStaticFunctionSlot):
3274             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
3275
3276 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
3277
3278         https://bugs.webkit.org/show_bug.cgi?id=120052
3279         Remove custom getOwnPropertyDescriptor for JSProxy
3280
3281         Reviewed by Geoff Garen.
3282
3283         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
3284         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
3285         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
3286         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
3287         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
3288
3289         * runtime/JSProxy.cpp:
3290             - Remove custom getOwnPropertyDescriptor implementation.
3291         * runtime/PropertyDescriptor.h:
3292             - Modify own property access check to perform toThis conversion.
3293
3294 2013-08-20  Alex Christensen  <achristensen@apple.com>
3295
3296         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
3297         https://bugs.webkit.org/show_bug.cgi?id=119512
3298
3299         Reviewed by Brent Fulgham.
3300
3301         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3302         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3303         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
3304         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
3305         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
3306         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
3307         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
3308         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
3309
3310 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
3311
3312         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
3313
3314         Reviewed by Allan Sandfeld Jensen.
3315
3316         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
3317         instructions and two constants now that DFG is enabled for sh4 architecture.
3318         These missing ensureSpace calls lead to random crashes.
3319
3320         * assembler/MacroAssemblerSH4.h:
3321         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
3322
3323 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
3324
3325         https://bugs.webkit.org/show_bug.cgi?id=120034
3326         Remove custom getOwnPropertyDescriptor for global objects
3327
3328         Reviewed by Geoff Garen.
3329
3330         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
3331
3332         * runtime/JSGlobalObject.cpp:
3333             - Remove custom getOwnPropertyDescriptor implementation.
3334         * runtime/JSSymbolTableObject.h:
3335         (JSC::symbolTableGet):
3336             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
3337         * runtime/PropertyDescriptor.h:
3338             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
3339         * runtime/PropertySlot.h:
3340         (JSC::PropertySlot::setUndefined):
3341             - This is used by WebCore when blocking access to properties on cross-frame access.
3342               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
3343
3344 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
3345
3346         DFG should inline typedArray.byteOffset
3347         https://bugs.webkit.org/show_bug.cgi?id=119962
3348
3349         Reviewed by Oliver Hunt.
3350         
3351         This adds a new node, GetTypedArrayByteOffset, which inlines
3352         typedArray.byteOffset.
3353         
3354         Also, I improved a bunch of the clobbering logic related to typed arrays
3355         and clobbering in general. For example, PutByOffset/PutStructure are not
3356         clobber-world so they can be handled by most default cases in CSE. Also,
3357         it's better to use the 'Class_field' notation for typed arrays now that
3358         they no longer involve magical descriptor thingies.