1 2013-08-29  Commit Queue  <commit-queue@webkit.org>
2
3         Unreviewed, rolling out r154804.
4         http://trac.webkit.org/changeset/154804
5         https://bugs.webkit.org/show_bug.cgi?id=120477
6
7         Broke Windows build (assumes LLInt features not enabled on
8         this build) (Requested by bfulgham on #webkit).
9
10         * CMakeLists.txt:
11         * GNUmakefile.list.am:
12         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
13         * JavaScriptCore.xcodeproj/project.pbxproj:
14         * Target.pri:
15         * bytecode/CodeBlock.cpp:
16         (JSC::CodeBlock::linkIncomingCall):
17         (JSC::CodeBlock::unlinkIncomingCalls):
18         (JSC::CodeBlock::reoptimize):
19         (JSC::ProgramCodeBlock::replacement):
20         (JSC::EvalCodeBlock::replacement):
21         (JSC::FunctionCodeBlock::replacement):
22         (JSC::ProgramCodeBlock::compileOptimized):
23         (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
24         (JSC::EvalCodeBlock::compileOptimized):
25         (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
26         (JSC::FunctionCodeBlock::compileOptimized):
27         (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
28         (JSC::ProgramCodeBlock::jitCompileImpl):
29         (JSC::EvalCodeBlock::jitCompileImpl):
30         (JSC::FunctionCodeBlock::jitCompileImpl):
31         * bytecode/CodeBlock.h:
32         (JSC::CodeBlock::jitType):
33         (JSC::CodeBlock::jitCompile):
34         * bytecode/DeferredCompilationCallback.cpp: Removed.
35         * bytecode/DeferredCompilationCallback.h: Removed.
36         * dfg/DFGDriver.cpp:
37         (JSC::DFG::compile):
38         (JSC::DFG::tryCompile):
39         (JSC::DFG::tryCompileFunction):
40         (JSC::DFG::tryFinalizePlan):
41         * dfg/DFGDriver.h:
42         (JSC::DFG::tryCompile):
43         (JSC::DFG::tryCompileFunction):
44         (JSC::DFG::tryFinalizePlan):
45         * dfg/DFGFailedFinalizer.cpp:
46         (JSC::DFG::FailedFinalizer::finalize):
47         (JSC::DFG::FailedFinalizer::finalizeFunction):
48         * dfg/DFGFailedFinalizer.h:
49         * dfg/DFGFinalizer.h:
50         * dfg/DFGJITFinalizer.cpp:
51         (JSC::DFG::JITFinalizer::finalize):
52         (JSC::DFG::JITFinalizer::finalizeFunction):
53         * dfg/DFGJITFinalizer.h:
54         * dfg/DFGOSRExitPreparation.cpp:
55         (JSC::DFG::prepareCodeOriginForOSRExit):
56         * dfg/DFGOperations.cpp:
57         * dfg/DFGPlan.cpp:
58         (JSC::DFG::Plan::Plan):
59         (JSC::DFG::Plan::compileInThreadImpl):
60         (JSC::DFG::Plan::finalize):
61         * dfg/DFGPlan.h:
62         * dfg/DFGSpeculativeJIT32_64.cpp:
63         (JSC::DFG::SpeculativeJIT::compile):
64         * dfg/DFGWorklist.cpp:
65         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
66         (JSC::DFG::Worklist::runThread):
67         * ftl/FTLJITFinalizer.cpp:
68         (JSC::FTL::JITFinalizer::finalize):
69         (JSC::FTL::JITFinalizer::finalizeFunction):
70         * ftl/FTLJITFinalizer.h:
71         * heap/Heap.h:
72         * interpreter/Interpreter.cpp:
73         (JSC::Interpreter::execute):
74         (JSC::Interpreter::executeCall):
75         (JSC::Interpreter::executeConstruct):
76         (JSC::Interpreter::prepareForRepeatCall):
77         * jit/JITDriver.h: Added.
78         (JSC::jitCompileIfAppropriateImpl):
79         (JSC::jitCompileFunctionIfAppropriateImpl):
80         (JSC::jitCompileIfAppropriate):
81         (JSC::jitCompileFunctionIfAppropriate):
82         * jit/JITStubs.cpp:
83         (JSC::DEFINE_STUB_FUNCTION):
84         (JSC::jitCompileFor):
85         (JSC::lazyLinkFor):
86         * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
87         * jit/JITToDFGDeferredCompilationCallback.h: Removed.
88         * llint/LLIntEntrypoints.cpp:
89         (JSC::LLInt::getFunctionEntrypoint):
90         (JSC::LLInt::getEvalEntrypoint):
91         (JSC::LLInt::getProgramEntrypoint):
92         * llint/LLIntEntrypoints.h:
93         (JSC::LLInt::getEntrypoint):
94         * llint/LLIntSlowPaths.cpp:
95         (JSC::LLInt::jitCompileAndSetHeuristics):
96         (JSC::LLInt::setUpCall):
97         * runtime/ArrayPrototype.cpp:
98         (JSC::isNumericCompareFunction):
99         * runtime/CommonSlowPaths.cpp:
100         * runtime/CompilationResult.cpp:
101         (WTF::printInternal):
102         * runtime/CompilationResult.h:
103         * runtime/Executable.cpp:
104         (JSC::EvalExecutable::compileOptimized):
105         (JSC::EvalExecutable::jitCompile):
106         (JSC::EvalExecutable::compileInternal):
107         (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
108         (JSC::ProgramExecutable::compileOptimized):
109         (JSC::ProgramExecutable::jitCompile):
110         (JSC::ProgramExecutable::compileInternal):
111         (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
112         (JSC::FunctionExecutable::compileOptimizedForCall):
113         (JSC::FunctionExecutable::compileOptimizedForConstruct):
114         (JSC::FunctionExecutable::jitCompileForCall):
115         (JSC::FunctionExecutable::jitCompileForConstruct):
116         (JSC::FunctionExecutable::produceCodeBlockFor):
117         (JSC::FunctionExecutable::compileForCallInternal):
118         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
119         (JSC::FunctionExecutable::compileForConstructInternal):
120         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
121         * runtime/Executable.h:
122         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
123         (JSC::ExecutableBase::offsetOfNumParametersFor):
124         (JSC::ExecutableBase::catchRoutineFor):
125         (JSC::EvalExecutable::compile):
126         (JSC::ProgramExecutable::compile):
127         (JSC::FunctionExecutable::compileForCall):
128         (JSC::FunctionExecutable::compileForConstruct):
129         (JSC::FunctionExecutable::compileFor):
130         (JSC::FunctionExecutable::compileOptimizedFor):
131         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
132         (JSC::FunctionExecutable::jitCompileFor):
133         * runtime/ExecutionHarness.h: Added.
134         (JSC::prepareForExecutionImpl):
135         (JSC::prepareFunctionForExecutionImpl):
136         (JSC::installOptimizedCode):
137         (JSC::prepareForExecution):
138         (JSC::prepareFunctionForExecution):
139         (JSC::replaceWithDeferredOptimizedCode):
140
141 2013-08-28  Filip Pizlo  <fpizlo@apple.com>
142
143         CodeBlock compilation and installation should be simplified and rationalized
144         https://bugs.webkit.org/show_bug.cgi?id=120326
145
146         Reviewed by Oliver Hunt.
147         
148         Previously Executable owned the code for generating JIT code; you always had
149         to go through Executable. But often you also had to go through CodeBlock,
150         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
151         So you'd ask CodeBlock to do something, which would dispatch through a
152         virtual method that would select the appropriate Executable subtype's method.
153         This all meant that the same code would often be duplicated, because most of
154         the work needed to compile something was identical regardless of code type.
155         But then we tried to fix this, by having templatized helpers in
156         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
157         out what happened when you asked for something to be compiled, you'd go on a
158         wild ride that started with CodeBlock, touched upon Executable, and then
159         ricocheted into either ExecutionHarness or JITDriver (likely both).
160         
161         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
162         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
163         done once the compilation finished.
164         
165         Also, most of the DFG JIT drivers assumed that they couldn't install the
166         JITCode into the CodeBlock directly - instead they would return it via a
167         reference, which happened to be a reference to the JITCode pointer in
168         Executable. This was super weird.
169         
170         Finally, there was no notion of compiling code into a special CodeBlock that
171         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
172         entry.
173         
174         This patch solves these problems by reducing all of that complexity into just
175         three primitives:
176         
177         - Executable::newCodeBlock(). This gives you a new code block, either for call
178           or for construct, and either to serve as the baseline code or the optimized
179           code. The new code block is then owned by the caller; Executable doesn't
180           register it anywhere. The new code block has no JITCode and isn't callable,
181           but it has all of the bytecode.
182         
183         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
184           produces a JITCode, and then installs the JITCode into the CodeBlock. This
185           method takes a JITType, and always compiles with that JIT. If you ask for
186           JITCode::InterpreterThunk then you'll get JITCode that just points to the
187           LLInt entrypoints. Once this returns, it is possible to call into the
188           CodeBlock if you do so manually - but the Executable still won't know about
189           it so JS calls to that Executable will still be routed to whatever CodeBlock
190           is associated with the Executable.
191         
192         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
193           entry for that Executable. This involves unlinking the Executable's last
194           CodeBlock, if there was one. This also tells the GC about any effect on
195           memory usage and does a bunch of weird data structure rewiring, since
196           Executable caches some of CodeBlock's fields for the benefit of virtual call
197           fast paths.
198         
199         This functionality is then wrapped around three convenience methods:
200         
201         - Executable::prepareForExecution(). If there is no code block for that
202           Executable, then one is created (newCodeBlock()), compiled
203           (CodeBlock::prepareForExecution()) and installed (installCode()).
204         
205         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
206           can serve as an optimized replacement of the current one.
207         
208         - CodeBlock::install(). Asks the Executable to install this code block.
209         
210         This patch allows me to kill *a lot* of code and to remove a lot of
211         specializations for functions vs. not-functions, and a lot of places where we
212         pass around JITCode references and such. ExecutionHarness and JITDriver are
213         both gone. Overall this patch has more red than green.
214         
215         It also allows me to work on FTL OSR entry and tier-up:
216         
217         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
218           to do some compilation, but it will require the DFG::Worklist to do
219           something different than what JITStubs.cpp would want, once the compilation
220           finishes. This patch introduces a callback mechanism for that purpose.
221         
222         - FTL OSR entry: this will involve creating a special auto-jettisoned
223           CodeBlock that is used only for FTL OSR entry. The new set of primitives
224           allows for this: Executable can vend you a fresh new CodeBlock, and you can
225           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
226           can take that CodeBlock and compile it yourself. Previously the act of
227           producing a CodeBlock-for-optimization and the act of compiling code for it
228           were tightly coupled; now you can separate them and you can create such
229           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
230
231         * CMakeLists.txt:
232         * GNUmakefile.list.am:
233         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
234         * JavaScriptCore.xcodeproj/project.pbxproj:
235         * Target.pri:
236         * bytecode/CodeBlock.cpp:
237         (JSC::CodeBlock::prepareForExecution):
238         (JSC::CodeBlock::install):
239         (JSC::CodeBlock::newReplacement):
240         (JSC::FunctionCodeBlock::jettisonImpl):
241         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
242         * bytecode/CodeBlock.h:
243         (JSC::CodeBlock::hasBaselineJITProfiling):
244         * bytecode/DeferredCompilationCallback.cpp: Added.
245         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
246         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
247         * bytecode/DeferredCompilationCallback.h: Added.
248         * dfg/DFGDriver.cpp:
249         (JSC::DFG::tryCompile):
250         * dfg/DFGDriver.h:
251         (JSC::DFG::tryCompile):
252         * dfg/DFGFailedFinalizer.cpp:
253         (JSC::DFG::FailedFinalizer::finalize):
254         (JSC::DFG::FailedFinalizer::finalizeFunction):
255         * dfg/DFGFailedFinalizer.h:
256         * dfg/DFGFinalizer.h:
257         * dfg/DFGJITFinalizer.cpp:
258         (JSC::DFG::JITFinalizer::finalize):
259         (JSC::DFG::JITFinalizer::finalizeFunction):
260         * dfg/DFGJITFinalizer.h:
261         * dfg/DFGOSRExitPreparation.cpp:
262         (JSC::DFG::prepareCodeOriginForOSRExit):
263         * dfg/DFGOperations.cpp:
264         * dfg/DFGPlan.cpp:
265         (JSC::DFG::Plan::Plan):
266         (JSC::DFG::Plan::compileInThreadImpl):
267         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
268         (JSC::DFG::Plan::finalizeAndNotifyCallback):
269         * dfg/DFGPlan.h:
270         * dfg/DFGWorklist.cpp:
271         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
272         * ftl/FTLJITFinalizer.cpp:
273         (JSC::FTL::JITFinalizer::finalize):
274         (JSC::FTL::JITFinalizer::finalizeFunction):
275         * ftl/FTLJITFinalizer.h:
276         * heap/Heap.h:
277         (JSC::Heap::isDeferred):
278         * interpreter/Interpreter.cpp:
279         (JSC::Interpreter::execute):
280         (JSC::Interpreter::executeCall):
281         (JSC::Interpreter::executeConstruct):
282         (JSC::Interpreter::prepareForRepeatCall):
283         * jit/JITDriver.h: Removed.
284         * jit/JITStubs.cpp:
285         (JSC::DEFINE_STUB_FUNCTION):
286         (JSC::jitCompileFor):
287         (JSC::lazyLinkFor):
288         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
289         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
290         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
291         (JSC::JITToDFGDeferredCompilationCallback::create):
292         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
293         * jit/JITToDFGDeferredCompilationCallback.h: Added.
294         * llint/LLIntEntrypoints.cpp:
295         (JSC::LLInt::setFunctionEntrypoint):
296         (JSC::LLInt::setEvalEntrypoint):
297         (JSC::LLInt::setProgramEntrypoint):
298         * llint/LLIntEntrypoints.h:
299         * llint/LLIntSlowPaths.cpp:
300         (JSC::LLInt::jitCompileAndSetHeuristics):
301         (JSC::LLInt::setUpCall):
302         * runtime/ArrayPrototype.cpp:
303         (JSC::isNumericCompareFunction):
304         * runtime/CommonSlowPaths.cpp:
305         * runtime/CompilationResult.cpp:
306         (WTF::printInternal):
307         * runtime/CompilationResult.h:
308         * runtime/Executable.cpp:
309         (JSC::ScriptExecutable::installCode):
310         (JSC::ScriptExecutable::newCodeBlockFor):
311         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
312         (JSC::ScriptExecutable::prepareForExecutionImpl):
313         * runtime/Executable.h:
314         (JSC::ScriptExecutable::prepareForExecution):
315         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
316         * runtime/ExecutionHarness.h: Removed.
317
318 2013-08-28  Chris Curtis  <chris_curtis@apple.com>
319
320         https://bugs.webkit.org/show_bug.cgi?id=119548
321         Refactoring Exception throws.
322         
323         Reviewed by Geoffrey Garen.
324         
325         Gardening of exception throws. The act of throwing an exception was being handled in 
326         different ways depending on whether the code was running in the LLInt, Baseline JIT, 
327         or the DFG JIT. This made development of the VM's exception and error objects difficult.
328         
329          * runtime/VM.cpp:
330         (JSC::appendSourceToError): 
331         This function moved from the interpreter into the VM. It inspects the developer's code
332         (if there is a codeBlock) to extract what was being evaluated when the error
333         occurred.
334         
335         (JSC::VM::throwException):
336         This function takes in the error object and sets the following:
337             1: The VM's exception stack
338             2: The VM's exception 
339             3: Appends extra information on the error message(via appendSourceToError)
340             4: The error object's line number
341             5: The error object's column number
342             6: The error object's sourceURL
343             7: The error object's stack trace (unless it already exists because the developer 
344                 created the error object). 
345
346         (JSC::VM::getExceptionInfo):
347         (JSC::VM::setExceptionInfo):
348         (JSC::VM::clearException):
349         (JSC::clearExceptionStack):
350         * runtime/VM.h:
351         (JSC::VM::exceptionOffset):
352         (JSC::VM::exception):
353         (JSC::VM::addressOfException):
354         (JSC::VM::exceptionStack):
355         VM exception and exceptionStack are now private data members.
356
357         * interpreter/Interpreter.h:
358         (JSC::ClearExceptionScope::ClearExceptionScope):
359         Created this structure to temporarily clear the exception within the VM. This is 
360         needed to see whether additional errors occur when invoking the debugger while we are 
361         unwinding the stack.
362
363          * interpreter/Interpreter.cpp:
364         (JSC::Interpreter::unwind): 
365         Removed the code that would try to add error information if it did not exist. 
366         All of this functionality has moved into the VM and all error information is set 
367         at the time the error occurs. 
368
369         The rest of these functions reference the new calling convention to throw an error.
370
371         * API/APICallbackFunction.h:
372         (JSC::APICallbackFunction::call):
373         * API/JSCallbackConstructor.cpp:
374         (JSC::constructJSCallback):
375         * API/JSCallbackObjectFunctions.h:
376         (JSC::::getOwnPropertySlot):
377         (JSC::::defaultValue):
378         (JSC::::put):
379         (JSC::::putByIndex):
380         (JSC::::deleteProperty):
381         (JSC::::construct):
382         (JSC::::customHasInstance):
383         (JSC::::call):
384         (JSC::::getStaticValue):
385         (JSC::::staticFunctionGetter):
386         (JSC::::callbackGetter):
387         * debugger/Debugger.cpp:
388         (JSC::evaluateInGlobalCallFrame):
389         * debugger/DebuggerCallFrame.cpp:
390         (JSC::DebuggerCallFrame::evaluate):
391         * dfg/DFGAssemblyHelpers.h:
392         (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
393         * dfg/DFGOperations.cpp:
394         (JSC::DFG::operationPutByValInternal):
395         * ftl/FTLLowerDFGToLLVM.cpp:
396         (JSC::FTL::LowerDFGToLLVM::callCheck):
397         * heap/Heap.cpp:
398         (JSC::Heap::markRoots):
399         * interpreter/CallFrame.h:
400         (JSC::ExecState::clearException):
401         (JSC::ExecState::exception):
402         (JSC::ExecState::hadException):
403         * interpreter/Interpreter.cpp:
404         (JSC::eval):
405         (JSC::loadVarargs):
406         (JSC::stackTraceAsString):
407         (JSC::Interpreter::execute):
408         (JSC::Interpreter::executeCall):
409         (JSC::Interpreter::executeConstruct):
410         (JSC::Interpreter::prepareForRepeatCall):
411         * interpreter/Interpreter.h:
412         (JSC::ClearExceptionScope::ClearExceptionScope):
413         * jit/JITCode.cpp:
414         (JSC::JITCode::execute):
415         * jit/JITExceptions.cpp:
416         (JSC::genericThrow):
417         * jit/JITOpcodes.cpp:
418         (JSC::JIT::emit_op_catch):
419         * jit/JITOpcodes32_64.cpp:
420         (JSC::JIT::privateCompileCTINativeCall):
421         (JSC::JIT::emit_op_catch):
422         * jit/JITStubs.cpp:
423         (JSC::returnToThrowTrampoline):
424         (JSC::throwExceptionFromOpCall):
425         (JSC::DEFINE_STUB_FUNCTION):
426         (JSC::jitCompileFor):
427         (JSC::lazyLinkFor):
428         (JSC::putByVal):
429         (JSC::cti_vm_handle_exception):
430         * jit/SlowPathCall.h:
431         (JSC::JITSlowPathCall::call):
432         * jit/ThunkGenerators.cpp:
433         (JSC::nativeForGenerator):
434         * jsc.cpp:
435         (functionRun):
436         (functionLoad):
437         (functionCheckSyntax):
438         * llint/LLIntExceptions.cpp:
439         (JSC::LLInt::doThrow):
440         (JSC::LLInt::returnToThrow):
441         (JSC::LLInt::callToThrow):
442         * llint/LLIntSlowPaths.cpp:
443         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
444         * llint/LowLevelInterpreter.cpp:
445         (JSC::CLoop::execute):
446         * llint/LowLevelInterpreter32_64.asm:
447         * llint/LowLevelInterpreter64.asm:
448         * runtime/ArrayConstructor.cpp:
449         (JSC::constructArrayWithSizeQuirk):
450         * runtime/CommonSlowPaths.cpp:
451         (JSC::SLOW_PATH_DECL):
452         * runtime/CommonSlowPaths.h:
453         (JSC::CommonSlowPaths::opIn):
454         * runtime/CommonSlowPathsExceptions.cpp:
455         (JSC::CommonSlowPaths::interpreterThrowInCaller):
456         * runtime/Completion.cpp:
457         (JSC::evaluate):
458         * runtime/Error.cpp:
459         (JSC::addErrorInfo):
460         (JSC::throwTypeError):
461         (JSC::throwSyntaxError):
462         * runtime/Error.h:
463         (JSC::throwVMError):
464         * runtime/ExceptionHelpers.cpp:
465         (JSC::throwOutOfMemoryError):
466         (JSC::throwStackOverflowError):
467         (JSC::throwTerminatedExecutionException):
468         * runtime/Executable.cpp:
469         (JSC::EvalExecutable::create):
470         (JSC::FunctionExecutable::produceCodeBlockFor):
471         * runtime/FunctionConstructor.cpp:
472         (JSC::constructFunction):
473         (JSC::constructFunctionSkippingEvalEnabledCheck):
474         * runtime/JSArray.cpp:
475         (JSC::JSArray::defineOwnProperty):
476         (JSC::JSArray::put):
477         (JSC::JSArray::push):
478         * runtime/JSCJSValue.cpp:
479         (JSC::JSValue::toObjectSlowCase):
480         (JSC::JSValue::synthesizePrototype):
481         (JSC::JSValue::putToPrimitive):
482         * runtime/JSFunction.cpp:
483         (JSC::JSFunction::defineOwnProperty):
484         * runtime/JSGenericTypedArrayViewInlines.h:
485         (JSC::::create):
486         (JSC::::createUninitialized):
487         (JSC::::validateRange):
488         (JSC::::setWithSpecificType):
489         * runtime/JSGlobalObjectFunctions.cpp:
490         (JSC::encode):
491         (JSC::decode):
492         (JSC::globalFuncProtoSetter):
493         * runtime/JSNameScope.cpp:
494         (JSC::JSNameScope::put):
495         * runtime/JSONObject.cpp:
496         (JSC::Stringifier::appendStringifiedValue):
497         (JSC::Walker::walk):
498         * runtime/JSObject.cpp:
499         (JSC::JSObject::put):
500         (JSC::JSObject::defaultValue):
501         (JSC::JSObject::hasInstance):
502         (JSC::JSObject::defaultHasInstance):
503         (JSC::JSObject::defineOwnNonIndexProperty):
504         (JSC::throwTypeError):
505         * runtime/ObjectConstructor.cpp:
506         (JSC::toPropertyDescriptor):
507         * runtime/RegExpConstructor.cpp:
508         (JSC::constructRegExp):
509         * runtime/StringObject.cpp:
510         (JSC::StringObject::defineOwnProperty):
511         * runtime/StringRecursionChecker.cpp:
512         (JSC::StringRecursionChecker::throwStackOverflowError):
513
514 2013-08-28  Zan Dobersek  <zdobersek@igalia.com>
515
516         [GTK] Add support for building JSC with FTL JIT enabled
517         https://bugs.webkit.org/show_bug.cgi?id=120270
518
519         Reviewed by Filip Pizlo.
520
521         * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
522         compiler flags for the JSC library.
523         * GNUmakefile.list.am: Add the missing build targets.
524         * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
525         failures when using the Clang compiler with the libstdc++ standard library.
526         (JSC::FTL::mdKindID):
527         (JSC::FTL::mdString):
528
529 2013-08-23  Andy Estes  <aestes@apple.com>
530
531         Fix issues found by the Clang Static Analyzer
532         https://bugs.webkit.org/show_bug.cgi?id=120230
533
534         Reviewed by Darin Adler.
535
536         * API/JSValue.mm:
537         (valueToString): Don't leak every CFStringRef when in Objective-C GC.
538         * API/ObjCCallbackFunction.mm:
539         (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
540         release m_invocation's target since NSInvocation will do it for us on
541         -dealloc.
542         (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
543         and -release our reference to the copied block.
544         * API/tests/minidom.c:
545         (createStringWithContentsOfFile): Free buffer before returning.
546         * API/tests/testapi.c:
547         (createStringWithContentsOfFile): Ditto.
548
549 2013-08-26  Brent Fulgham  <bfulgham@apple.com>
550
551         [Windows] Unreviewed build fix after r154629.
552
553         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
554         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
555
556 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
557
558         Windows build fix attempt after r154629.
559
560         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
561
562 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
563
564         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocating it
565         https://bugs.webkit.org/show_bug.cgi?id=120278
566
567         Reviewed by Geoffrey Garen.
568
569         * runtime/JSObject.cpp:
570         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
571
572 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
573
574         Fix indentation of Executable.h.
575
576         Rubber stamped by Mark Hahnenberg.
577
578         * runtime/Executable.h:
579
580 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
581
582         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
583         https://bugs.webkit.org/show_bug.cgi?id=120314
584
585         Reviewed by Darin Adler.
586
587         Currently with the way that defineProperty works, we leave a stray low bit set in 
588         PropertyDescriptor::m_attributes in the following code:
589
590         var o = {};
591         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
592         
593         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
594         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
595         but only the top three bits mean anything. Even in the case above, the top three bits are set 
596         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
597
598         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
599         framework's public C API, it's safer to just change how we calculate the default value, which is
600         where the weirdness was originating from in the first place.
601
602         * runtime/PropertyDescriptor.cpp:
603
604 2013-08-24  Sam Weinig  <sam@webkit.org>
605
606         Add support for Promises
607         https://bugs.webkit.org/show_bug.cgi?id=120260
608
609         Reviewed by Darin Adler.
610
611         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
612         - Despite Promises being defined in the DOM, the implementation is being put in JSC
613           in preparation for the Promises eventually being defined in ECMAScript.
614
615         * CMakeLists.txt:
616         * DerivedSources.make:
617         * DerivedSources.pri:
618         * GNUmakefile.list.am:
619         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
620         * JavaScriptCore.xcodeproj/project.pbxproj:
621         * Target.pri:
622         Add new files.
623
624         * jsc.cpp:
625         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
626         you can't quite use Promises with the command line tool yet.
627     
628         * interpreter/CallFrame.h:
629         (JSC::ExecState::promisePrototypeTable):
630         (JSC::ExecState::promiseConstructorTable):
631         (JSC::ExecState::promiseResolverPrototypeTable):
632         * runtime/VM.cpp:
633         (JSC::VM::VM):
634         (JSC::VM::~VM):
635         * runtime/VM.h:
636         Add supporting code for the new static lookup tables.
637
638         * runtime/CommonIdentifiers.h:
639         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
640
641         * runtime/JSGlobalObject.cpp:
642         (JSC::JSGlobalObject::reset):
643         (JSC::JSGlobalObject::visitChildren):
644         Add supporting code for Promise and PromiseResolver's constructors and structures.
645
646         * runtime/JSGlobalObject.h:
647         (JSC::TaskContext::~TaskContext):
648         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
649
650         (JSC::JSGlobalObject::promisePrototype):
651         (JSC::JSGlobalObject::promiseResolverPrototype):
652         (JSC::JSGlobalObject::promiseStructure):
653         (JSC::JSGlobalObject::promiseResolverStructure):
654         (JSC::JSGlobalObject::promiseCallbackStructure):
655         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
656         Add supporting code for Promise and PromiseResolver's constructors and structures.
657
658         * runtime/JSPromise.cpp: Added.
659         * runtime/JSPromise.h: Added.
660         * runtime/JSPromiseCallback.cpp: Added.
661         * runtime/JSPromiseCallback.h: Added.
662         * runtime/JSPromiseConstructor.cpp: Added.
663         * runtime/JSPromiseConstructor.h: Added.
664         * runtime/JSPromisePrototype.cpp: Added.
665         * runtime/JSPromisePrototype.h: Added.
666         * runtime/JSPromiseResolver.cpp: Added.
667         * runtime/JSPromiseResolver.h: Added.
668         * runtime/JSPromiseResolverConstructor.cpp: Added.
669         * runtime/JSPromiseResolverConstructor.h: Added.
670         * runtime/JSPromiseResolverPrototype.cpp: Added.
671         * runtime/JSPromiseResolverPrototype.h: Added.
672         Add Promise implementation.
673
674 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
675
676         Plenty of -Wcast-align warnings in KeywordLookup.h
677         https://bugs.webkit.org/show_bug.cgi?id=120316
678
679         Reviewed by Darin Adler.
680
681         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
682         the character pointers to types of larger size. This avoids spewing lots of warnings
683         in the KeywordLookup.h header when compiling with the -Wcast-align option.
684
685 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
686
687         RegExpMatchesArray should not call [[put]]
688         https://bugs.webkit.org/show_bug.cgi?id=120317
689
690         Reviewed by Oliver Hunt.
691
692         Going through [[put]] invokes accessors on the JSObject/JSArray prototypes - so a script that adds an accessor or
693         read-only property called index or input to either of these prototypes could intercept, or break, the match array's
694         own property setup. Defining the own properties directly (putDirect) never consults the prototype chain.
694
695         * runtime/RegExpMatchesArray.cpp:
696         (JSC::RegExpMatchesArray::reifyAllProperties):
697             - put -> putDirect
698
699 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
700
701         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
702         https://bugs.webkit.org/show_bug.cgi?id=120228
703
704         Reviewed by Oliver Hunt.
705         
706         It turns out that there were three problems:
707         
708         - Using jsNumber() meant that we were converting doubles to integers and then
709           possibly back again whenever doing a set() between floating point arrays.
710         
711         - Slow-path accesses to double typed arrays were slower than necessary because
712           of the to-int conversion attempt.
713         
714         - The use of JSValue as an intermediate for converting between different types
715           in typedArray.set() resulted in worse code than I had previously expected.
716         
717         This patch solves the problem by using template double-dispatch to ensure that
718         the C++ compiler sees the simplest possible combination of casts between any
719         combination of typed array types, while still preserving JS and typed array
720         conversion semantics. Conversions are done as follows:
721         
722             SourceAdaptor::convertTo<TargetAdaptor>(value)
723         
724         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
725         with one method for each of int32_t, uint32_t, and double. This means that the
726         C++ compiler will at worst see a widening cast to one of those types followed
727         by a narrowing conversion (not necessarily a cast - may have clamping or the
728         JS toInt32() function).
729         
730         This change doesn't just affect typedArray.set(); it also affects slow-path
731         accesses to typed arrays. This patch also adds a bunch of new test
732         coverage.
733         
734         This change is a ~50% speed-up on typedArray.set() involving floating point
735         types.
736
737         * GNUmakefile.list.am:
738         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
739         * JavaScriptCore.xcodeproj/project.pbxproj:
740         * runtime/GenericTypedArrayView.h:
741         (JSC::GenericTypedArrayView::set):
742         * runtime/JSDataViewPrototype.cpp:
743         (JSC::setData):
744         * runtime/JSGenericTypedArrayView.h:
745         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
746         (JSC::JSGenericTypedArrayView::setIndexQuickly):
747         * runtime/JSGenericTypedArrayViewInlines.h:
748         (JSC::::setWithSpecificType):
749         (JSC::::set):
750         * runtime/ToNativeFromValue.h: Added.
751         (JSC::toNativeFromValue):
752         * runtime/TypedArrayAdaptors.h:
753         (JSC::IntegralTypedArrayAdaptor::toJSValue):
754         (JSC::IntegralTypedArrayAdaptor::toDouble):
755         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
756         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
757         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
758         (JSC::IntegralTypedArrayAdaptor::convertTo):
759         (JSC::FloatTypedArrayAdaptor::toJSValue):
760         (JSC::FloatTypedArrayAdaptor::toDouble):
761         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
762         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
763         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
764         (JSC::FloatTypedArrayAdaptor::convertTo):
765         (JSC::Uint8ClampedAdaptor::toJSValue):
766         (JSC::Uint8ClampedAdaptor::toDouble):
767         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
768         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
769         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
770         (JSC::Uint8ClampedAdaptor::convertTo):
771
772 2013-08-24  Dan Bernstein  <mitz@apple.com>
773
774         [mac] link against libz in a more civilized manner
775         https://bugs.webkit.org/show_bug.cgi?id=120258
776
777         Reviewed by Darin Adler.
778
779         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
780         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
781         Link Binary With Libraries build phase.
782
783 2013-08-23  Laszlo Papp  <lpapp@kde.org>
784
785         Failure building with python3
786         https://bugs.webkit.org/show_bug.cgi?id=106645
787
788         Reviewed by Benjamin Poulain.
789
790         Use print functions instead of Python 2 print statements so the scripts run under both Python 3.x and 2.7.
791         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
792
793         * disassembler/udis86/itab.py:
794         (UdItabGenerator.genInsnTable):
795         * disassembler/udis86/ud_opcode.py:
796         (UdOpcodeTables.print_table):
797         * disassembler/udis86/ud_optable.py:
798         (UdOptableXmlParser.parseDef):
799         (UdOptableXmlParser.parse):
800         (printFn):
801
802 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
803
804         Incorrect TypedArray#set behavior
805         https://bugs.webkit.org/show_bug.cgi?id=83818
806
807         Reviewed by Oliver Hunt and Mark Hahnenberg.
808         
809         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
810         not smart enough to figure out optimal versions for *all* of the cases. But I
811         did come up with optimal implementations for most of the cases, and I wrote
812         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
813         enough to write optimal code for.
814
815         * runtime/JSArrayBufferView.h:
816         (JSC::JSArrayBufferView::hasArrayBuffer):
817         * runtime/JSArrayBufferViewInlines.h:
818         (JSC::JSArrayBufferView::buffer):
819         (JSC::JSArrayBufferView::existingBufferInButterfly):
820         (JSC::JSArrayBufferView::neuter):
821         (JSC::JSArrayBufferView::byteOffset):
822         * runtime/JSGenericTypedArrayView.h:
823         * runtime/JSGenericTypedArrayViewInlines.h:
824         (JSC::::setWithSpecificType):
825         (JSC::::set):
826         (JSC::::existingBuffer):
827
828 2013-08-23  Alex Christensen  <achristensen@apple.com>
829
830         Re-separating Win32 and Win64 builds.
831         https://bugs.webkit.org/show_bug.cgi?id=120178
832
833         Reviewed by Brent Fulgham.
834
835         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
836         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
837         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
838         Pass PlatformArchitecture as a command line parameter to bash scripts.
839         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
840         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
841         * JavaScriptCore.vcxproj/build-generated-files.sh:
842         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
843
844 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
845
846         build-jsc --ftl-jit should work
847         https://bugs.webkit.org/show_bug.cgi?id=120194
848
849         Reviewed by Oliver Hunt.
850
851         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
852         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
853         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
854         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
855         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
856         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
857
858 2013-08-23  Oliver Hunt  <oliver@apple.com>
859
860         Re-sort xcode project file
861
862         * JavaScriptCore.xcodeproj/project.pbxproj:
863
864 2013-08-23  Oliver Hunt  <oliver@apple.com>
865
866         Support in memory compression of rarely used data
867         https://bugs.webkit.org/show_bug.cgi?id=120143
868
869         Reviewed by Gavin Barraclough.
870
871         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
872
873         * Configurations/JavaScriptCore.xcconfig:
874         * bytecode/UnlinkedCodeBlock.cpp:
875         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
876         (JSC::UnlinkedCodeBlock::addExpressionInfo):
877         * bytecode/UnlinkedCodeBlock.h:
878
879 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
880
881         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
882         https://bugs.webkit.org/show_bug.cgi?id=120179
883
884         Reviewed by Geoffrey Garen.
885
886         There are many places in the code for JSObject and JSArray where they are manipulating their 
887         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
888         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
889         like it will make this dance even more intricate. To make everybody's lives easier we should use 
890         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
891         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
892         should not incur any additional overhead.
893
894         * heap/Heap.h:
895         * runtime/JSArray.cpp:
896         (JSC::JSArray::unshiftCountSlowCase):
897         * runtime/JSObject.cpp:
898         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
899         (JSC::JSObject::createInitialUndecided):
900         (JSC::JSObject::createInitialInt32):
901         (JSC::JSObject::createInitialDouble):
902         (JSC::JSObject::createInitialContiguous):
903         (JSC::JSObject::createArrayStorage):
904         (JSC::JSObject::convertUndecidedToArrayStorage):
905         (JSC::JSObject::convertInt32ToArrayStorage):
906         (JSC::JSObject::convertDoubleToArrayStorage):
907         (JSC::JSObject::convertContiguousToArrayStorage):
908         (JSC::JSObject::increaseVectorLength):
909         (JSC::JSObject::ensureLengthSlow):
910         * runtime/JSObject.h:
911         (JSC::JSObject::putDirectInternal):
912         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
913         (JSC::JSObject::putDirectWithoutTransition):
914
915 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
916
917         Update LLVM binary drops and scripts to the latest version from SVN
918         https://bugs.webkit.org/show_bug.cgi?id=120184
919
920         Reviewed by Mark Hahnenberg.
921
922         * dfg/DFGPlan.cpp:
923         (JSC::DFG::Plan::compileInThreadImpl):
924
925 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
926
927         Don't leak registers for redeclared variables
928         https://bugs.webkit.org/show_bug.cgi?id=120174
929
930         Reviewed by Geoff Garen.
931
932         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
933         Only allocate new registers when necessary.
934
935         No performance impact.
936
937         * interpreter/Interpreter.cpp:
938         (JSC::Interpreter::execute):
939         * runtime/Executable.cpp:
940         (JSC::ProgramExecutable::initializeGlobalProperties):
941             - Don't allocate the register here.
942         * runtime/JSGlobalObject.cpp:
943         (JSC::JSGlobalObject::addGlobalVar):
944             - Allocate the register here instead.
945
946 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
947
948         https://bugs.webkit.org/show_bug.cgi?id=120128
949         Remove putDirectVirtual
950
951         Unreviewed, checked in commented out code. :-(
952
953         * interpreter/Interpreter.cpp:
954         (JSC::Interpreter::execute):
955             - delete commented out code
956
957 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
958
959         Error.stack should not be enumerable
960         https://bugs.webkit.org/show_bug.cgi?id=120171
961
962         Reviewed by Oliver Hunt.
963
964         Leaving the stack property enumerable breaks ECMA tests.
965
966         * runtime/ErrorInstance.cpp:
967         (JSC::ErrorInstance::finishCreation):
968             - None -> DontEnum
969
970 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
971
972         https://bugs.webkit.org/show_bug.cgi?id=120128
973         Remove putDirectVirtual
974
975         Reviewed by Sam Weinig.
976
977         This could most generously be described as 'vestigial'.
978         No performance impact.
979
980         * API/JSObjectRef.cpp:
981         (JSObjectSetProperty):
982             - changed to use defineOwnProperty
983         * debugger/DebuggerActivation.cpp:
984         * debugger/DebuggerActivation.h:
985             - remove putDirectVirtual
986         * interpreter/Interpreter.cpp:
987         (JSC::Interpreter::execute):
988             - changed to use defineOwnProperty
989         * runtime/ClassInfo.h:
990         * runtime/JSActivation.cpp:
991         * runtime/JSActivation.h:
992         * runtime/JSCell.cpp:
993         * runtime/JSCell.h:
994         * runtime/JSGlobalObject.cpp:
995         * runtime/JSGlobalObject.h:
996         * runtime/JSObject.cpp:
997         * runtime/JSObject.h:
998         * runtime/JSProxy.cpp:
999         * runtime/JSProxy.h:
1000         * runtime/JSSymbolTableObject.cpp:
1001         * runtime/JSSymbolTableObject.h:
1002             - remove putDirectVirtual
1003         * runtime/PropertyDescriptor.h:
1004         (JSC::PropertyDescriptor::PropertyDescriptor):
1005             - added constructor for convenience
1006
1007 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
1008
1009         errorDescriptionForValue() should not assume error value is an Object
1010         https://bugs.webkit.org/show_bug.cgi?id=119812
1011
1012         Reviewed by Geoffrey Garen.
1013
1014         Added a check to make sure that the JSValue actually is an object before casting it to one; the unchecked cast was effectively
1015         a type confusion when the thrown value was not an object. Also, if the JSValue passed in has no type, the function now returns the empty string.
1016         * runtime/ExceptionHelpers.cpp:
1017         (JSC::errorDescriptionForValue):
1018
1019 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
1020
1021         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1022         https://bugs.webkit.org/show_bug.cgi?id=120107
1023
1024         Reviewed by Yong Li.
1025
1026         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1027
1028         * dfg/DFGSpeculativeJIT.h:
1029         (JSC::DFG::SpeculativeJIT::callOperation):
1030
1031 2013-08-21  Commit Queue  <commit-queue@webkit.org>
1032
1033         Unreviewed, rolling out r154416.
1034         http://trac.webkit.org/changeset/154416
1035         https://bugs.webkit.org/show_bug.cgi?id=120147
1036
1037         Broke Windows builds (Requested by rniwa on #webkit).
1038
1039         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1040         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1041         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1042         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1043         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1044         * JavaScriptCore.vcxproj/build-generated-files.sh:
1045
1046 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1047
1048         Clarify var/const/function declaration
1049         https://bugs.webkit.org/show_bug.cgi?id=120144
1050
1051         Reviewed by Sam Weinig.
1052
1053         Add methods to JSGlobalObject to declare vars, consts, and functions.
1054
1055         * runtime/Executable.cpp:
1056         (JSC::ProgramExecutable::initializeGlobalProperties):
1057         * runtime/Executable.h:
1058             - Moved declaration code to JSGlobalObject
1059         * runtime/JSGlobalObject.cpp:
1060         (JSC::JSGlobalObject::addGlobalVar):
1061             - internal implementation of addVar, addConst, addFunction
1062         * runtime/JSGlobalObject.h:
1063         (JSC::JSGlobalObject::addVar):
1064         (JSC::JSGlobalObject::addConst):
1065         (JSC::JSGlobalObject::addFunction):
1066             - Added methods to declare vars, consts, and functions
1067
1068 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
1069
1070         https://bugs.webkit.org/show_bug.cgi?id=119900
1071         Exception in global setter doesn't unwind correctly
1072
1073         Reviewed by Geoffrey Garen.
1074
1075         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws an exception.
1076
1077         * jit/JITStubs.cpp:
1078         (JSC::DEFINE_STUB_FUNCTION):
1079
1080 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1081
1082         Rename/refactor setButterfly/setStructure
1083         https://bugs.webkit.org/show_bug.cgi?id=120138
1084
1085         Reviewed by Geoffrey Garen.
1086
1087         setButterfly becomes setStructureAndButterfly.
1088
1089         Also removed the Butterfly* argument from setStructure and just implicitly
1090         used m_butterfly internally since that's what every single client of setStructure
1091         was doing already.
1092
1093         * jit/JITStubs.cpp:
1094         (JSC::DEFINE_STUB_FUNCTION):
1095         * runtime/JSObject.cpp:
1096         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1097         (JSC::JSObject::createInitialUndecided):
1098         (JSC::JSObject::createInitialInt32):
1099         (JSC::JSObject::createInitialDouble):
1100         (JSC::JSObject::createInitialContiguous):
1101         (JSC::JSObject::createArrayStorage):
1102         (JSC::JSObject::convertUndecidedToInt32):
1103         (JSC::JSObject::convertUndecidedToDouble):
1104         (JSC::JSObject::convertUndecidedToContiguous):
1105         (JSC::JSObject::convertUndecidedToArrayStorage):
1106         (JSC::JSObject::convertInt32ToDouble):
1107         (JSC::JSObject::convertInt32ToContiguous):
1108         (JSC::JSObject::convertInt32ToArrayStorage):
1109         (JSC::JSObject::genericConvertDoubleToContiguous):
1110         (JSC::JSObject::convertDoubleToArrayStorage):
1111         (JSC::JSObject::convertContiguousToArrayStorage):
1112         (JSC::JSObject::switchToSlowPutArrayStorage):
1113         (JSC::JSObject::setPrototype):
1114         (JSC::JSObject::putDirectAccessor):
1115         (JSC::JSObject::seal):
1116         (JSC::JSObject::freeze):
1117         (JSC::JSObject::preventExtensions):
1118         (JSC::JSObject::reifyStaticFunctionsForDelete):
1119         (JSC::JSObject::removeDirect):
1120         * runtime/JSObject.h:
1121         (JSC::JSObject::setStructureAndButterfly):
1122         (JSC::JSObject::setStructure):
1123         (JSC::JSObject::putDirectInternal):
1124         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1125         (JSC::JSObject::putDirectWithoutTransition):
1126         * runtime/Structure.cpp:
1127         (JSC::Structure::flattenDictionaryStructure):
1128
1129 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1130
1131         https://bugs.webkit.org/show_bug.cgi?id=120127
1132         Remove JSObject::propertyIsEnumerable
1133
1134         Unreviewed typo fix
1135
1136         * runtime/JSObject.h:
1137             - fix typo
1138
1139 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1140
1141         https://bugs.webkit.org/show_bug.cgi?id=120139
1142         PropertyDescriptor argument to define methods should be const
1143
1144         Rubber stamped by Sam Weinig.
1145
1146         This should never be modified, and this way we can use rvalues.
1147
1148         * debugger/DebuggerActivation.cpp:
1149         (JSC::DebuggerActivation::defineOwnProperty):
1150         * debugger/DebuggerActivation.h:
1151         * runtime/Arguments.cpp:
1152         (JSC::Arguments::defineOwnProperty):
1153         * runtime/Arguments.h:
1154         * runtime/ClassInfo.h:
1155         * runtime/JSArray.cpp:
1156         (JSC::JSArray::defineOwnProperty):
1157         * runtime/JSArray.h:
1158         * runtime/JSArrayBuffer.cpp:
1159         (JSC::JSArrayBuffer::defineOwnProperty):
1160         * runtime/JSArrayBuffer.h:
1161         * runtime/JSArrayBufferView.cpp:
1162         (JSC::JSArrayBufferView::defineOwnProperty):
1163         * runtime/JSArrayBufferView.h:
1164         * runtime/JSCell.cpp:
1165         (JSC::JSCell::defineOwnProperty):
1166         * runtime/JSCell.h:
1167         * runtime/JSFunction.cpp:
1168         (JSC::JSFunction::defineOwnProperty):
1169         * runtime/JSFunction.h:
1170         * runtime/JSGenericTypedArrayView.h:
1171         * runtime/JSGenericTypedArrayViewInlines.h:
1172         (JSC::::defineOwnProperty):
1173         * runtime/JSGlobalObject.cpp:
1174         (JSC::JSGlobalObject::defineOwnProperty):
1175         * runtime/JSGlobalObject.h:
1176         * runtime/JSObject.cpp:
1177         (JSC::JSObject::putIndexedDescriptor):
1178         (JSC::JSObject::defineOwnIndexedProperty):
1179         (JSC::putDescriptor):
1180         (JSC::JSObject::defineOwnNonIndexProperty):
1181         (JSC::JSObject::defineOwnProperty):
1182         * runtime/JSObject.h:
1183         * runtime/JSProxy.cpp:
1184         (JSC::JSProxy::defineOwnProperty):
1185         * runtime/JSProxy.h:
1186         * runtime/RegExpMatchesArray.h:
1187         (JSC::RegExpMatchesArray::defineOwnProperty):
1188         * runtime/RegExpObject.cpp:
1189         (JSC::RegExpObject::defineOwnProperty):
1190         * runtime/RegExpObject.h:
1191         * runtime/StringObject.cpp:
1192         (JSC::StringObject::defineOwnProperty):
1193         * runtime/StringObject.h:
1194             - make PropertyDescriptor const
1195
1196 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1197
1198         REGRESSION: Crash under JITCompiler::link while loading Gmail
1199         https://bugs.webkit.org/show_bug.cgi?id=119872
1200
1201         Reviewed by Mark Hahnenberg.
1202         
1203         Apparently, unsigned + signed = unsigned: the signed operand is converted to unsigned, so a negative value wraps rather than subtracting. Work around it with a cast.
1204
1205         * dfg/DFGByteCodeParser.cpp:
1206         (JSC::DFG::ByteCodeParser::parseBlock):
1207
1208 2013-08-21  Alex Christensen  <achristensen@apple.com>
1209
1210         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1211
1212         Reviewed by Brent Fulgham.
1213
1214         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1215         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1216         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1217         Pass PlatformArchitecture as a command line parameter to bash scripts.
1218         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1219         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1220         * JavaScriptCore.vcxproj/build-generated-files.sh:
1221         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1222
1223 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1224
1225         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1226         https://bugs.webkit.org/show_bug.cgi?id=120099
1227
1228         Reviewed by Mark Hahnenberg.
1229         
1230         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1231         JSDataView may have ordinary JS indexed properties.
1232
1233         * runtime/ClassInfo.h:
1234         * runtime/JSArrayBufferView.cpp:
1235         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1236         (JSC::JSArrayBufferView::finishCreation):
1237         * runtime/JSArrayBufferView.h:
1238         (JSC::hasArrayBuffer):
1239         * runtime/JSArrayBufferViewInlines.h:
1240         (JSC::JSArrayBufferView::buffer):
1241         (JSC::JSArrayBufferView::neuter):
1242         (JSC::JSArrayBufferView::byteOffset):
1243         * runtime/JSCell.cpp:
1244         (JSC::JSCell::slowDownAndWasteMemory):
1245         * runtime/JSCell.h:
1246         * runtime/JSDataView.cpp:
1247         (JSC::JSDataView::JSDataView):
1248         (JSC::JSDataView::create):
1249         (JSC::JSDataView::slowDownAndWasteMemory):
1250         * runtime/JSDataView.h:
1251         (JSC::JSDataView::buffer):
1252         * runtime/JSGenericTypedArrayView.h:
1253         * runtime/JSGenericTypedArrayViewInlines.h:
1254         (JSC::::visitChildren):
1255         (JSC::::slowDownAndWasteMemory):
1256
1257 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1258
1259         Remove incorrect ASSERT from CopyVisitor::visitItem
1260
1261         Rubber stamped by Filip Pizlo.
1262
1263         * heap/CopyVisitorInlines.h:
1264         (JSC::CopyVisitor::visitItem):
1265
1266 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1267
1268         https://bugs.webkit.org/show_bug.cgi?id=120127
1269         Remove JSObject::propertyIsEnumerable
1270
1271         Reviewed by Sam Weinig.
1272
1273         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1274
1275         * runtime/JSObject.cpp:
1276         * runtime/JSObject.h:
1277             - remove propertyIsEnumerable
1278         * runtime/ObjectPrototype.cpp:
1279         (JSC::objectProtoFuncPropertyIsEnumerable):
1280             - Move implementation here using getOwnPropertyDescriptor directly.
1281
1282 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
1283
1284         DFG should inline new typedArray()
1285         https://bugs.webkit.org/show_bug.cgi?id=120022
1286
1287         Reviewed by Oliver Hunt.
1288         
1289         Adds inlining of typed array allocations in the DFG. Any operation of the
1290         form:
1291         
1292             new foo(blah)
1293         
1294         or:
1295         
1296             foo(blah)
1297         
1298         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1299         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1300         is predicted integer, we generate inline code for an allocation. Otherwise
1301         it turns into a call to an operation that behaves like the constructor would
1302         if it was passed one argument (i.e. it may wrap a buffer or it may create a
1303         copy or another array, or it may allocate an array of that length).
1304
1305         * bytecode/SpeculatedType.cpp:
1306         (JSC::speculationFromTypedArrayType):
1307         (JSC::speculationFromClassInfo):
1308         * bytecode/SpeculatedType.h:
1309         * dfg/DFGAbstractInterpreterInlines.h:
1310         (JSC::DFG::::executeEffects):
1311         * dfg/DFGBackwardsPropagationPhase.cpp:
1312         (JSC::DFG::BackwardsPropagationPhase::propagate):
1313         * dfg/DFGByteCodeParser.cpp:
1314         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1315         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1316         * dfg/DFGCCallHelpers.h:
1317         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1318         * dfg/DFGCSEPhase.cpp:
1319         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1320         * dfg/DFGClobberize.h:
1321         (JSC::DFG::clobberize):
1322         * dfg/DFGFixupPhase.cpp:
1323         (JSC::DFG::FixupPhase::fixupNode):
1324         * dfg/DFGGraph.cpp:
1325         (JSC::DFG::Graph::dump):
1326         * dfg/DFGNode.h:
1327         (JSC::DFG::Node::hasTypedArrayType):
1328         (JSC::DFG::Node::typedArrayType):
1329         * dfg/DFGNodeType.h:
1330         * dfg/DFGOperations.cpp:
1331         (JSC::DFG::newTypedArrayWithSize):
1332         (JSC::DFG::newTypedArrayWithOneArgument):
1333         * dfg/DFGOperations.h:
1334         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1335         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1336         * dfg/DFGPredictionPropagationPhase.cpp:
1337         (JSC::DFG::PredictionPropagationPhase::propagate):
1338         * dfg/DFGSafeToExecute.h:
1339         (JSC::DFG::safeToExecute):
1340         * dfg/DFGSpeculativeJIT.cpp:
1341         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1342         * dfg/DFGSpeculativeJIT.h:
1343         (JSC::DFG::SpeculativeJIT::callOperation):
1344         * dfg/DFGSpeculativeJIT32_64.cpp:
1345         (JSC::DFG::SpeculativeJIT::compile):
1346         * dfg/DFGSpeculativeJIT64.cpp:
1347         (JSC::DFG::SpeculativeJIT::compile):
1348         * jit/JITOpcodes.cpp:
1349         (JSC::JIT::emit_op_new_object):
1350         * jit/JITOpcodes32_64.cpp:
1351         (JSC::JIT::emit_op_new_object):
1352         * runtime/JSArray.h:
1353         (JSC::JSArray::allocationSize):
1354         * runtime/JSArrayBufferView.h:
1355         (JSC::JSArrayBufferView::allocationSize):
1356         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1357         (JSC::constructGenericTypedArrayView):
1358         * runtime/JSObject.h:
1359         (JSC::JSFinalObject::allocationSize):
1360         * runtime/TypedArrayType.cpp:
1361         (JSC::constructorClassInfoForType):
1362         * runtime/TypedArrayType.h:
1363         (JSC::indexToTypedArrayType):
1364
1365 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
1366
1367         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
1368
1369         Reviewed by Geoffrey Garen.
1370
1371         * dfg/DFGOperations.h:
1372
1373 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1374
1375         https://bugs.webkit.org/show_bug.cgi?id=120093
1376         Remove getOwnPropertyDescriptor trap
1377
1378         Reviewed by Geoff Garen.
1379
1380         All implementations of this method are now called via the method table, and are equivalent in behaviour.
1381         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
1382
1383         * API/JSCallbackObject.h:
1384         * API/JSCallbackObjectFunctions.h:
1385         * debugger/DebuggerActivation.cpp:
1386         * debugger/DebuggerActivation.h:
1387         * runtime/Arguments.cpp:
1388         * runtime/Arguments.h:
1389         * runtime/ArrayConstructor.cpp:
1390         * runtime/ArrayConstructor.h:
1391         * runtime/ArrayPrototype.cpp:
1392         * runtime/ArrayPrototype.h:
1393         * runtime/BooleanPrototype.cpp:
1394         * runtime/BooleanPrototype.h:
1395             - remove getOwnPropertyDescriptor
1396         * runtime/ClassInfo.h:
1397             - remove getOwnPropertyDescriptor from MethodTable
1398         * runtime/DateConstructor.cpp:
1399         * runtime/DateConstructor.h:
1400         * runtime/DatePrototype.cpp:
1401         * runtime/DatePrototype.h:
1402         * runtime/ErrorPrototype.cpp:
1403         * runtime/ErrorPrototype.h:
1404         * runtime/JSActivation.cpp:
1405         * runtime/JSActivation.h:
1406         * runtime/JSArray.cpp:
1407         * runtime/JSArray.h:
1408         * runtime/JSArrayBuffer.cpp:
1409         * runtime/JSArrayBuffer.h:
1410         * runtime/JSArrayBufferView.cpp:
1411         * runtime/JSArrayBufferView.h:
1412         * runtime/JSCell.cpp:
1413         * runtime/JSCell.h:
1414         * runtime/JSDataView.cpp:
1415         * runtime/JSDataView.h:
1416         * runtime/JSDataViewPrototype.cpp:
1417         * runtime/JSDataViewPrototype.h:
1418         * runtime/JSFunction.cpp:
1419         * runtime/JSFunction.h:
1420         * runtime/JSGenericTypedArrayView.h:
1421         * runtime/JSGenericTypedArrayViewInlines.h:
1422         * runtime/JSGlobalObject.cpp:
1423         * runtime/JSGlobalObject.h:
1424         * runtime/JSNotAnObject.cpp:
1425         * runtime/JSNotAnObject.h:
1426         * runtime/JSONObject.cpp:
1427         * runtime/JSONObject.h:
1428             - remove getOwnPropertyDescriptor
1429         * runtime/JSObject.cpp:
1430         (JSC::JSObject::propertyIsEnumerable):
1431             - switch to call new getOwnPropertyDescriptor member function
1432         (JSC::JSObject::getOwnPropertyDescriptor):
1433             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1434         (JSC::JSObject::defineOwnNonIndexProperty):
1435             - switch to call new getOwnPropertyDescriptor member function
1436         * runtime/JSObject.h:
1437         * runtime/JSProxy.cpp:
1438         * runtime/JSProxy.h:
1439         * runtime/NamePrototype.cpp:
1440         * runtime/NamePrototype.h:
1441         * runtime/NumberConstructor.cpp:
1442         * runtime/NumberConstructor.h:
1443         * runtime/NumberPrototype.cpp:
1444         * runtime/NumberPrototype.h:
1445             - remove getOwnPropertyDescriptor
1446         * runtime/ObjectConstructor.cpp:
1447         (JSC::objectConstructorGetOwnPropertyDescriptor):
1448         (JSC::objectConstructorSeal):
1449         (JSC::objectConstructorFreeze):
1450         (JSC::objectConstructorIsSealed):
1451         (JSC::objectConstructorIsFrozen):
1452             - switch to call new getOwnPropertyDescriptor member function
1453         * runtime/ObjectConstructor.h:
1454             - remove getOwnPropertyDescriptor
1455         * runtime/PropertyDescriptor.h:
1456             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1457         * runtime/RegExpConstructor.cpp:
1458         * runtime/RegExpConstructor.h:
1459         * runtime/RegExpMatchesArray.cpp:
1460         * runtime/RegExpMatchesArray.h:
1461         * runtime/RegExpObject.cpp:
1462         * runtime/RegExpObject.h:
1463         * runtime/RegExpPrototype.cpp:
1464         * runtime/RegExpPrototype.h:
1465         * runtime/StringConstructor.cpp:
1466         * runtime/StringConstructor.h:
1467         * runtime/StringObject.cpp:
1468         * runtime/StringObject.h:
1469             - remove getOwnPropertyDescriptor
1470
1471 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1472
1473         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
1474
1475         Reviewed by Oliver Hunt.
1476
1477         When we flatten an object in dictionary mode, we compact its properties. If the object 
1478         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
1479         compaction its properties fit inline, the object's Structure "forgets" that the object 
1480         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
1481         with bytes = 0, which causes all sorts of badness in CopiedSpace.
1482
1483         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
1484         Butterfly pointer so that the GC doesn't get confused later.
1485
1486         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
1487         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
1488         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
1489         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
1490
1491         * heap/SlotVisitorInlines.h:
1492         (JSC::SlotVisitor::copyLater):
1493         * runtime/JSObject.cpp:
1494         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1495         (JSC::JSObject::convertUndecidedToInt32):
1496         (JSC::JSObject::convertUndecidedToDouble):
1497         (JSC::JSObject::convertUndecidedToContiguous):
1498         (JSC::JSObject::convertInt32ToDouble):
1499         (JSC::JSObject::convertInt32ToContiguous):
1500         (JSC::JSObject::genericConvertDoubleToContiguous):
1501         (JSC::JSObject::switchToSlowPutArrayStorage):
1502         (JSC::JSObject::setPrototype):
1503         (JSC::JSObject::putDirectAccessor):
1504         (JSC::JSObject::seal):
1505         (JSC::JSObject::freeze):
1506         (JSC::JSObject::preventExtensions):
1507         (JSC::JSObject::reifyStaticFunctionsForDelete):
1508         (JSC::JSObject::removeDirect):
1509         * runtime/JSObject.h:
1510         (JSC::JSObject::setButterfly):
1511         (JSC::JSObject::putDirectInternal):
1512         (JSC::JSObject::setStructure):
1513         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1514         * runtime/Structure.cpp:
1515         (JSC::Structure::flattenDictionaryStructure):
1516
1517 2013-08-20  Alex Christensen  <achristensen@apple.com>
1518
1519         Compile fix for Win64 after r154156.
1520
1521         Rubber stamped by Oliver Hunt.
1522
1523         * jit/JITStubsMSVC64.asm:
1524         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
1525         cti_vm_throw_slowpath to cti_vm_handle_exception.
1526
1527 2013-08-20  Alex Christensen  <achristensen@apple.com>
1528
1529         <https://webkit.org/b/120076> More work towards a Win64 build
1530
1531         Reviewed by Brent Fulgham.
1532
1533         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1534         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1535         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1536         * JavaScriptCore.vcxproj/copy-files.cmd:
1537         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
1538         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1539         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
1540
1541 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1542
1543         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1544
1545         Reviewed by Geoffrey Garen.
1546
1547         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
1548         initializeLazyWriteBarrierFor* wrapper functions more sane. 
1549
1550         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
1551         and index when triggering the WriteBarrier at the end of compilation. 
1552
1553         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
1554         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
1555         little extra work that really shouldn't have been its responsibility.
1556
1557         * dfg/DFGByteCodeParser.cpp:
1558         (JSC::DFG::ByteCodeParser::addConstant):
1559         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1560         * dfg/DFGDesiredWriteBarriers.cpp:
1561         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1562         (JSC::DFG::DesiredWriteBarrier::trigger):
1563         * dfg/DFGDesiredWriteBarriers.h:
1564         (JSC::DFG::DesiredWriteBarriers::add):
1565         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
1566         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
1567         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1568         * dfg/DFGFixupPhase.cpp:
1569         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1570         * dfg/DFGGraph.h:
1571         (JSC::DFG::Graph::constantRegisterForConstant):
1572
1573 2013-08-20  Michael Saboff  <msaboff@apple.com>
1574
1575         https://bugs.webkit.org/show_bug.cgi?id=120075
1576         REGRESSION (r128400): BBC4 website not displaying pictures
1577
1578         Reviewed by Oliver Hunt.
1579
1580         * runtime/RegExpMatchesArray.h:
1581         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
1582         so that the match results will be reified before any other modification to the results array.
1583
1584 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
1585
1586         Incorrect behavior on emscripten-compiled cube2hash
1587         https://bugs.webkit.org/show_bug.cgi?id=120033
1588
1589         Reviewed by Mark Hahnenberg.
1590         
1591         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
1592         then we should bail attempts to CSE.
1593
1594         * dfg/DFGCSEPhase.cpp:
1595         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1596         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1597
1598 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1599
1600         https://bugs.webkit.org/show_bug.cgi?id=120073
1601         Remove use of GOPD from JSFunction::defineProperty
1602
1603         Reviewed by Oliver Hunt.
1604
1605         Call getOwnPropertySlot to check for existing properties instead.
1606
1607         * runtime/JSFunction.cpp:
1608         (JSC::JSFunction::defineOwnProperty):
1609             - getOwnPropertyDescriptor -> getOwnPropertySlot
1610
1611 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1612
1613         https://bugs.webkit.org/show_bug.cgi?id=120067
1614         Remove getPropertyDescriptor
1615
1616         Reviewed by Oliver Hunt.
1617
1618         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
1619         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
1620
1621         * runtime/JSObject.cpp:
1622         * runtime/JSObject.h:
1623             - remove getPropertyDescriptor
1624         * runtime/ObjectPrototype.cpp:
1625         (JSC::objectProtoFuncLookupGetter):
1626         (JSC::objectProtoFuncLookupSetter):
1627             - replace call to getPropertyDescriptor with getPropertySlot
1628         * runtime/PropertyDescriptor.h:
1629         * runtime/PropertySlot.h:
1630         (JSC::PropertySlot::isAccessor):
1631         (JSC::PropertySlot::isCacheableGetter):
1632         (JSC::PropertySlot::getterSetter):
1633             - rename isGetter() to isAccessor()
1634
1635 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1636
1637         https://bugs.webkit.org/show_bug.cgi?id=120054
1638         Remove some dead code following getOwnPropertyDescriptor cleanup
1639
1640         Reviewed by Oliver Hunt.
1641
1642         * runtime/Lookup.h:
1643         (JSC::getStaticFunctionSlot):
1644             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
1645
1646 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1647
1648         https://bugs.webkit.org/show_bug.cgi?id=120052
1649         Remove custom getOwnPropertyDescriptor for JSProxy
1650
1651         Reviewed by Geoff Garen.
1652
1653         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
1654         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
1655         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
1656         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
1657         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
1658
1659         * runtime/JSProxy.cpp:
1660             - Remove custom getOwnPropertyDescriptor implementation.
1661         * runtime/PropertyDescriptor.h:
1662             - Modify own property access check to perform toThis conversion.
1663
1664 2013-08-20  Alex Christensen  <achristensen@apple.com>
1665
1666         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
1667         https://bugs.webkit.org/show_bug.cgi?id=119512
1668
1669         Reviewed by Brent Fulgham.
1670
1671         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1672         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1673         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1674         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1675         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1676         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1677         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1678         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
1679
1680 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
1681
1682         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
1683
1684         Reviewed by Allan Sandfeld Jensen.
1685
1686         branchPtrWithPatch() of the baseline JIT must ensure that space is available for its
1687         instructions and two constants now that DFG is enabled for the sh4 architecture.
1688         These missing ensureSpace calls lead to random crashes.
1689
1690         * assembler/MacroAssemblerSH4.h:
1691         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
1692
1693 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
1694
1695         https://bugs.webkit.org/show_bug.cgi?id=120034
1696         Remove custom getOwnPropertyDescriptor for global objects
1697
1698         Reviewed by Geoff Garen.
1699
1700         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
1701
1702         * runtime/JSGlobalObject.cpp:
1703             - Remove custom getOwnPropertyDescriptor implementation.
1704         * runtime/JSSymbolTableObject.h:
1705         (JSC::symbolTableGet):
1706             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
1707         * runtime/PropertyDescriptor.h:
1708             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
1709         * runtime/PropertySlot.h:
1710         (JSC::PropertySlot::setUndefined):
1711             - This is used by WebCore when blocking access to properties on cross-frame access.
1712               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
1713
1714 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
1715
1716         DFG should inline typedArray.byteOffset
1717         https://bugs.webkit.org/show_bug.cgi?id=119962
1718
1719         Reviewed by Oliver Hunt.
1720         
1721         This adds a new node, GetTypedArrayByteOffset, which inlines
1722         typedArray.byteOffset.
1723         
1724         Also, I improved a bunch of the clobbering logic related to typed arrays
1725         and clobbering in general. For example, PutByOffset/PutStructure are not
1726         clobber-world so they can be handled by most default cases in CSE. Also,
1727         it's better to use the 'Class_field' notation for typed arrays now that
1728         they no longer involve magical descriptor thingies.
1729
1730         * bytecode/SpeculatedType.h:
1731         * dfg/DFGAbstractHeap.h:
1732         * dfg/DFGAbstractInterpreterInlines.h:
1733         (JSC::DFG::::executeEffects):
1734         * dfg/DFGArrayMode.h:
1735         (JSC::DFG::neverNeedsStorage):
1736         * dfg/DFGCSEPhase.cpp:
1737         (JSC::DFG::CSEPhase::getByValLoadElimination):
1738         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1739         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1740         (JSC::DFG::CSEPhase::checkArrayElimination):
1741         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
1742         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
1743         (JSC::DFG::CSEPhase::performNodeCSE):
1744         * dfg/DFGClobberize.h:
1745         (JSC::DFG::clobberize):
1746         * dfg/DFGFixupPhase.cpp:
1747         (JSC::DFG::FixupPhase::fixupNode):
1748         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1749         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1750         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1751         * dfg/DFGNodeType.h:
1752         * dfg/DFGPredictionPropagationPhase.cpp:
1753         (JSC::DFG::PredictionPropagationPhase::propagate):
1754         * dfg/DFGSafeToExecute.h:
1755         (JSC::DFG::safeToExecute):
1756         * dfg/DFGSpeculativeJIT.cpp:
1757         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1758         * dfg/DFGSpeculativeJIT.h:
1759         * dfg/DFGSpeculativeJIT32_64.cpp:
1760         (JSC::DFG::SpeculativeJIT::compile):
1761         * dfg/DFGSpeculativeJIT64.cpp:
1762         (JSC::DFG::SpeculativeJIT::compile):
1763         * dfg/DFGTypeCheckHoistingPhase.cpp:
1764         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1765         * runtime/ArrayBuffer.h:
1766         (JSC::ArrayBuffer::offsetOfData):
1767         * runtime/Butterfly.h:
1768         (JSC::Butterfly::offsetOfArrayBuffer):
1769         * runtime/IndexingHeader.h:
1770         (JSC::IndexingHeader::offsetOfArrayBuffer):
1771
1772 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
1773
1774         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
1775
1776         Reviewed by Geoffrey Garen.
1777
1778         * dfg/DFGByteCodeParser.cpp:
1779         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1780
1781 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
1782
1783         https://bugs.webkit.org/show_bug.cgi?id=119995
1784         Start removing custom implementations of getOwnPropertyDescriptor
1785
1786         Reviewed by Oliver Hunt.
1787
1788         This can now typically be implemented in terms of getOwnPropertySlot.
1789         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
1790         Switch over most classes in JSC & the WebCore bindings generator to use this.
1791
1792         * API/JSCallbackObjectFunctions.h:
1793         * debugger/DebuggerActivation.cpp:
1794         * runtime/Arguments.cpp:
1795         * runtime/ArrayConstructor.cpp:
1796         * runtime/ArrayPrototype.cpp:
1797         * runtime/BooleanPrototype.cpp:
1798         * runtime/DateConstructor.cpp:
1799         * runtime/DatePrototype.cpp:
1800         * runtime/ErrorPrototype.cpp:
1801         * runtime/JSActivation.cpp:
1802         * runtime/JSArray.cpp:
1803         * runtime/JSArrayBuffer.cpp:
1804         * runtime/JSArrayBufferView.cpp:
1805         * runtime/JSCell.cpp:
1806         * runtime/JSDataView.cpp:
1807         * runtime/JSDataViewPrototype.cpp:
1808         * runtime/JSFunction.cpp:
1809         * runtime/JSGenericTypedArrayViewInlines.h:
1810         * runtime/JSNotAnObject.cpp:
1811         * runtime/JSONObject.cpp:
1812         * runtime/JSObject.cpp:
1813         * runtime/NamePrototype.cpp:
1814         * runtime/NumberConstructor.cpp:
1815         * runtime/NumberPrototype.cpp:
1816         * runtime/ObjectConstructor.cpp:
1817             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1818         * runtime/PropertyDescriptor.h:
1819             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
1820         * runtime/PropertySlot.h:
1821         (JSC::PropertySlot::isValue):
1822         (JSC::PropertySlot::isGetter):
1823         (JSC::PropertySlot::isCustom):
1824         (JSC::PropertySlot::isCacheableValue):
1825         (JSC::PropertySlot::isCacheableGetter):
1826         (JSC::PropertySlot::isCacheableCustom):
1827         (JSC::PropertySlot::attributes):
1828         (JSC::PropertySlot::getterSetter):
1829             - Add accessors necessary to convert PropertySlot to descriptor.
1830         * runtime/RegExpConstructor.cpp:
1831         * runtime/RegExpMatchesArray.cpp:
1832         * runtime/RegExpMatchesArray.h:
1833         * runtime/RegExpObject.cpp:
1834         * runtime/RegExpPrototype.cpp:
1835         * runtime/StringConstructor.cpp:
1836         * runtime/StringObject.cpp:
1837             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1838
1839 2013-08-19  Michael Saboff  <msaboff@apple.com>
1840
1841         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
1842
1843         Reviewed by Sam Weinig.
1844
1845         * dfg/DFGSpeculativeJIT32_64.cpp:
1846         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
1847         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
1848         all versions of fillSpeculateBoolean().
1849
1850 2013-08-19  Michael Saboff  <msaboff@apple.com>
1851
1852         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
1853
1854         Reviewed by Benjamin Poulain.
1855
1856         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
1857         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
1858
1859         * assembler/MacroAssemblerX86Common.h:
1860         (JSC::MacroAssemblerX86Common::branchTest32):
1861
1862 2013-08-16  Oliver Hunt  <oliver@apple.com>
1863
1864         <https://webkit.org/b/119860> Crash during exception unwinding
1865
1866         Reviewed by Filip Pizlo.
1867
1868         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
1869         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
1870
1871         We need this so that Throw and ThrowReferenceError no longer need to be treated as
1872         terminals and the subsequent flush keeps the activation (and other registers) live.
1873
1874         * dfg/DFGAbstractInterpreterInlines.h:
1875         (JSC::DFG::::executeEffects):
1876         * dfg/DFGByteCodeParser.cpp:
1877         (JSC::DFG::ByteCodeParser::parseBlock):
1878         * dfg/DFGClobberize.h:
1879         (JSC::DFG::clobberize):
1880         * dfg/DFGFixupPhase.cpp:
1881         (JSC::DFG::FixupPhase::fixupNode):
1882         * dfg/DFGNode.h:
1883         (JSC::DFG::Node::isTerminal):
1884         * dfg/DFGNodeType.h:
1885         * dfg/DFGPredictionPropagationPhase.cpp:
1886         (JSC::DFG::PredictionPropagationPhase::propagate):
1887         * dfg/DFGSafeToExecute.h:
1888         (JSC::DFG::safeToExecute):
1889         * dfg/DFGSpeculativeJIT32_64.cpp:
1890         (JSC::DFG::SpeculativeJIT::compile):
1891         * dfg/DFGSpeculativeJIT64.cpp:
1892         (JSC::DFG::SpeculativeJIT::compile):
1893
1894 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
1895
1896         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
1897
1898         Reviewed by Oliver Hunt.
1899
1900         Guard the compilation of these files only if DFG_JIT is enabled.
1901
1902         * dfg/DFGDesiredTransitions.cpp:
1903         * dfg/DFGDesiredTransitions.h:
1904         * dfg/DFGDesiredWeakReferences.cpp:
1905         * dfg/DFGDesiredWeakReferences.h:
1906         * dfg/DFGDesiredWriteBarriers.cpp:
1907         * dfg/DFGDesiredWriteBarriers.h:
1908
1909 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
1910
1911         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
1912         https://bugs.webkit.org/show_bug.cgi?id=119961
1913
1914         Reviewed by Mark Hahnenberg.
1915
1916         * dfg/DFGFixupPhase.cpp:
1917         (JSC::DFG::FixupPhase::fixupNode):
1918
1919 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
1920
1921         https://bugs.webkit.org/show_bug.cgi?id=119972
1922         Add attributes field to PropertySlot
1923
1924         Reviewed by Geoff Garen.
1925
1926         For all JSC types, this makes getOwnPropertyDescriptor redundant.
1927         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
1928         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
1929
1930         No performance impact.
1931
1932         * runtime/PropertySlot.h:
1933         (JSC::PropertySlot::setValue):
1934         (JSC::PropertySlot::setCustom):
1935         (JSC::PropertySlot::setCacheableCustom):
1936         (JSC::PropertySlot::setCustomIndex):
1937         (JSC::PropertySlot::setGetterSlot):
1938         (JSC::PropertySlot::setCacheableGetterSlot):
1939             - These methods now all require 'attributes'.
1940         * runtime/JSObject.h:
1941         (JSC::JSObject::getDirect):
1942         (JSC::JSObject::getDirectOffset):
1943         (JSC::JSObject::inlineGetOwnPropertySlot):
1944             - Added variants of getDirect, getDirectOffset that return the attributes.
1945         * API/JSCallbackObjectFunctions.h:
1946         (JSC::::getOwnPropertySlot):
1947         * runtime/Arguments.cpp:
1948         (JSC::Arguments::getOwnPropertySlotByIndex):
1949         (JSC::Arguments::getOwnPropertySlot):
1950         * runtime/JSActivation.cpp:
1951         (JSC::JSActivation::symbolTableGet):
1952         (JSC::JSActivation::getOwnPropertySlot):
1953         * runtime/JSArray.cpp:
1954         (JSC::JSArray::getOwnPropertySlot):
1955         * runtime/JSArrayBuffer.cpp:
1956         (JSC::JSArrayBuffer::getOwnPropertySlot):
1957         * runtime/JSArrayBufferView.cpp:
1958         (JSC::JSArrayBufferView::getOwnPropertySlot):
1959         * runtime/JSDataView.cpp:
1960         (JSC::JSDataView::getOwnPropertySlot):
1961         * runtime/JSFunction.cpp:
1962         (JSC::JSFunction::getOwnPropertySlot):
1963         * runtime/JSGenericTypedArrayViewInlines.h:
1964         (JSC::::getOwnPropertySlot):
1965         (JSC::::getOwnPropertySlotByIndex):
1966         * runtime/JSObject.cpp:
1967         (JSC::JSObject::getOwnPropertySlotByIndex):
1968         (JSC::JSObject::fillGetterPropertySlot):
1969         * runtime/JSString.h:
1970         (JSC::JSString::getStringPropertySlot):
1971         * runtime/JSSymbolTableObject.h:
1972         (JSC::symbolTableGet):
1973         * runtime/Lookup.cpp:
1974         (JSC::setUpStaticFunctionSlot):
1975         * runtime/Lookup.h:
1976         (JSC::getStaticPropertySlot):
1977         (JSC::getStaticPropertyDescriptor):
1978         (JSC::getStaticValueSlot):
1979         (JSC::getStaticValueDescriptor):
1980         * runtime/RegExpObject.cpp:
1981         (JSC::RegExpObject::getOwnPropertySlot):
1982         * runtime/SparseArrayValueMap.cpp:
1983         (JSC::SparseArrayEntry::get):
1984             - Pass attributes to PropertySlot::set* methods.
1985
1986 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1987
1988         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1989
1990         Reviewed by Filip Pizlo.
1991
1992         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
1993         Vector of WriteBarriers rather than the specific address. The fact that we were 
1994         arbitrarily storing into a Vector's backing store for constants at the end of 
1995         compilation after the Vector could have resized was causing crashes.
1996
1997         * bytecode/CodeBlock.h:
1998         (JSC::CodeBlock::constants):
1999         (JSC::CodeBlock::addConstantLazily):
2000         * dfg/DFGByteCodeParser.cpp:
2001         (JSC::DFG::ByteCodeParser::addConstant):
2002         * dfg/DFGDesiredWriteBarriers.cpp:
2003         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2004         (JSC::DFG::DesiredWriteBarrier::trigger):
2005         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2006         * dfg/DFGDesiredWriteBarriers.h:
2007         (JSC::DFG::DesiredWriteBarriers::add):
2008         * dfg/DFGFixupPhase.cpp:
2009         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2010         * dfg/DFGGraph.h:
2011         (JSC::DFG::Graph::constantRegisterForConstant):
2012
2013 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2014
2015         DFG should optimize typedArray.byteLength
2016         https://bugs.webkit.org/show_bug.cgi?id=119909
2017
2018         Reviewed by Oliver Hunt.
2019         
2020         This adds typedArray.byteLength inlining to the DFG, and does so without changing
2021         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2022         legal since the byteLength of a typed array cannot exceed
2023         numeric_limits<int32_t>::max().
2024
2025         * bytecode/SpeculatedType.cpp:
2026         (JSC::typedArrayTypeFromSpeculation):
2027         * bytecode/SpeculatedType.h:
2028         * dfg/DFGArrayMode.cpp:
2029         (JSC::DFG::toArrayType):
2030         * dfg/DFGArrayMode.h:
2031         * dfg/DFGFixupPhase.cpp:
2032         (JSC::DFG::FixupPhase::fixupNode):
2033         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2034         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2035         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2036         (JSC::DFG::FixupPhase::prependGetArrayLength):
2037         * dfg/DFGGraph.h:
2038         (JSC::DFG::Graph::constantRegisterForConstant):
2039         (JSC::DFG::Graph::convertToConstant):
2040         * runtime/TypedArrayType.h:
2041         (JSC::logElementSize):
2042         (JSC::elementSize):
2043
2044 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2045
2046         DFG optimizes out strict mode arguments tear off
2047         https://bugs.webkit.org/show_bug.cgi?id=119504
2048
2049         Reviewed by Mark Hahnenberg and Oliver Hunt.
2050         
2051         Don't do the optimization for strict mode.
2052
2053         * dfg/DFGArgumentsSimplificationPhase.cpp:
2054         (JSC::DFG::ArgumentsSimplificationPhase::run):
2055         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2056
2057 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
2058
2059         [JSC] x86: improve code generation for xxxTest32
2060         https://bugs.webkit.org/show_bug.cgi?id=119876
2061
2062         Reviewed by Geoffrey Garen.
2063
2064         Try to use testb whenever possible when testing for an immediate value.
2065
2066         When the input is an address and an offset, we can tweak the mask
2067         and offset to be able to generate testb for any byte of the mask.
2068
2069         When the input is a register, we can use testb if we are only interested
2070         in testing the low bits.
2071
2072         * assembler/MacroAssemblerX86Common.h:
2073         (JSC::MacroAssemblerX86Common::branchTest32):
2074         (JSC::MacroAssemblerX86Common::test32):
2075         (JSC::MacroAssemblerX86Common::generateTest32):
2076
2077 2013-08-16  Mark Lam  <mark.lam@apple.com>
2078
2079         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
2080         error message that an object is not a constructor though it expects a function
2081
2082         Reviewed by Michael Saboff.
2083
2084         * jit/JITStubs.cpp:
2085         (JSC::DEFINE_STUB_FUNCTION):
2086
2087 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2088
2089         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
2090         https://bugs.webkit.org/show_bug.cgi?id=119897
2091
2092         Reviewed by Oliver Hunt.
2093         
2094         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
2095         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
2096         to turn objects into dictionaries when you're storing using bracket syntax or using
2097         eval is still in place.
2098
2099         * bytecode/CodeBlock.h:
2100         (JSC::CodeBlock::putByIdContext):
2101         * dfg/DFGOperations.cpp:
2102         * jit/JITStubs.cpp:
2103         (JSC::DEFINE_STUB_FUNCTION):
2104         * llint/LLIntSlowPaths.cpp:
2105         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2106         * runtime/JSObject.h:
2107         (JSC::JSObject::putDirectInternal):
2108         * runtime/PutPropertySlot.h:
2109         (JSC::PutPropertySlot::PutPropertySlot):
2110         (JSC::PutPropertySlot::context):
2111         * runtime/Structure.cpp:
2112         (JSC::Structure::addPropertyTransition):
2113         * runtime/Structure.h:
2114
2115 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
2116
2117         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
2118
2119         Reviewed by Allan Sandfeld Jensen.
2120
2121         ctiVMHandleException must jump/return using register ra (r31).
2122
2123         * jit/JITStubsMIPS.h:
2124
2125 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
2126
2127         <https://webkit.org/b/119879> Fix sh4 build after r154156.
2128
2129         Reviewed by Allan Sandfeld Jensen.
2130
2131         Fix typo in JITStubsSH4.h file.
2132
2133         * jit/JITStubsSH4.h:
2134
2135 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2136
2137         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
2138
2139         Reviewed by Oliver Hunt.
2140
2141         The concurrent compilation thread should interact minimally with the Heap, including not 
2142         triggering WriteBarriers. This is a prerequisite for generational GC.
2143
2144         * JavaScriptCore.xcodeproj/project.pbxproj:
2145         * bytecode/CodeBlock.cpp:
2146         (JSC::CodeBlock::addOrFindConstant):
2147         (JSC::CodeBlock::findConstant):
2148         * bytecode/CodeBlock.h:
2149         (JSC::CodeBlock::addConstantLazily):
2150         * dfg/DFGByteCodeParser.cpp:
2151         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
2152         (JSC::DFG::ByteCodeParser::constantUndefined):
2153         (JSC::DFG::ByteCodeParser::constantNull):
2154         (JSC::DFG::ByteCodeParser::one):
2155         (JSC::DFG::ByteCodeParser::constantNaN):
2156         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2157         * dfg/DFGCommonData.cpp:
2158         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2159         * dfg/DFGCommonData.h:
2160         * dfg/DFGDesiredTransitions.cpp: Added.
2161         (JSC::DFG::DesiredTransition::DesiredTransition):
2162         (JSC::DFG::DesiredTransition::reallyAdd):
2163         (JSC::DFG::DesiredTransitions::DesiredTransitions):
2164         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
2165         (JSC::DFG::DesiredTransitions::addLazily):
2166         (JSC::DFG::DesiredTransitions::reallyAdd):
2167         * dfg/DFGDesiredTransitions.h: Added.
2168         * dfg/DFGDesiredWeakReferences.cpp: Added.
2169         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2170         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
2171         (JSC::DFG::DesiredWeakReferences::addLazily):
2172         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2173         * dfg/DFGDesiredWeakReferences.h: Added.
2174         * dfg/DFGDesiredWriteBarriers.cpp: Added.
2175         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2176         (JSC::DFG::DesiredWriteBarrier::trigger):
2177         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
2178         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
2179         (JSC::DFG::DesiredWriteBarriers::addImpl):
2180         (JSC::DFG::DesiredWriteBarriers::trigger):
2181         * dfg/DFGDesiredWriteBarriers.h: Added.
2182         (JSC::DFG::DesiredWriteBarriers::add):
2183         (JSC::DFG::initializeLazyWriteBarrier):
2184         * dfg/DFGFixupPhase.cpp:
2185         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2186         * dfg/DFGGraph.h:
2187         (JSC::DFG::Graph::convertToConstant):
2188         * dfg/DFGJITCompiler.h:
2189         (JSC::DFG::JITCompiler::addWeakReference):
2190         * dfg/DFGPlan.cpp:
2191         (JSC::DFG::Plan::Plan):
2192         (JSC::DFG::Plan::reallyAdd):
2193         * dfg/DFGPlan.h:
2194         * dfg/DFGSpeculativeJIT32_64.cpp:
2195         (JSC::DFG::SpeculativeJIT::compile):
2196         * dfg/DFGSpeculativeJIT64.cpp:
2197         (JSC::DFG::SpeculativeJIT::compile):
2198         * runtime/WriteBarrier.h:
2199         (JSC::WriteBarrierBase::set):
2200         (JSC::WriteBarrier::WriteBarrier):
2201
2202 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2203
2204         Fix x86 32bits build after r154158
2205
2206         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
2207
2208 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2209
2210         Build fix attempt after r154156.
2211
2212         * jit/JITStubs.cpp:
2213         (JSC::cti_vm_handle_exception): encode!
2214
2215 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2216
2217         [JSC] x86: Use inc and dec when possible
2218         https://bugs.webkit.org/show_bug.cgi?id=119831
2219
2220         Reviewed by Geoffrey Garen.
2221
2222         When incrementing or decrementing by an immediate of 1, use the instructions
2223         inc and dec instead of add and sub.
2224         The instructions have good timing and their encoding is smaller.
2225
2226         * assembler/MacroAssemblerX86Common.h:
2227         (JSC::MacroAssemblerX86_64::add32):
2228         (JSC::MacroAssemblerX86_64::sub32):
2229         * assembler/MacroAssemblerX86_64.h:
2230         (JSC::MacroAssemblerX86_64::add64):
2231         (JSC::MacroAssemblerX86_64::sub64):
2232         * assembler/X86Assembler.h:
2233         (JSC::X86Assembler::dec_r):
2234         (JSC::X86Assembler::decq_r):
2235         (JSC::X86Assembler::inc_r):
2236         (JSC::X86Assembler::incq_r):
2237
2238 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2239
2240         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
2241         https://bugs.webkit.org/show_bug.cgi?id=119874
2242
2243         Reviewed by Oliver Hunt and Mark Hahnenberg.
2244         
2245         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
2246         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
2247         sometimes for typed array length accesses, and the FixupPhase assuming that a
2248         ForceExit ArrayMode means that it should continue using a generic GetById.
2249
2250         This fixes the confusion.
2251
2252         * dfg/DFGFixupPhase.cpp:
2253         (JSC::DFG::FixupPhase::fixupNode):
2254
2255 2013-08-15  Mark Lam  <mark.lam@apple.com>
2256
2257         Fix crash when performing activation tearoff.
2258         https://bugs.webkit.org/show_bug.cgi?id=119848
2259
2260         Reviewed by Oliver Hunt.
2261
2262         The activation tearoff crash was due to a bug in the baseline JIT.
2263         If we have a scenario where a baseline JIT frame calls a LLINT
2264         frame, an exception may be thrown while in the LLINT.
2265
2266         Interpreter::throwException() which handles the exception will unwind
2267         all frames until it finds a catcher or sees a host frame. When we
2268         return from the LLINT to the baseline JIT code, the baseline JIT code
2269         erroneously sets topCallFrame to the value in its call frame register,
2270         and starts unwinding the stack frames that have already been unwound.
2271
2272         The fix is:
2273         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2274            This is a more accurate description of what this runtime function
2275            is supposed to do i.e. it handles the exception which include doing
2276            nothing (if there are no more frames to unwind).
2277         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
2278            set on it.
2279         3. Reload the call frame register from topCallFrame when we're
2280            returning from a callee and detect exception handling in progress.
2281
2282         * interpreter/Interpreter.cpp:
2283         (JSC::Interpreter::unwindCallFrame):
2284         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2285         (JSC::Interpreter::getStackTrace):
2286         * interpreter/Interpreter.h:
2287         (JSC::TopCallFrameSetter::TopCallFrameSetter):
2288         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2289         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2290         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2291         * jit/JIT.h:
2292         * jit/JITExceptions.cpp:
2293         (JSC::uncaughtExceptionHandler):
2294         - Convenience function to get the handler for uncaught exceptions.
2295         * jit/JITExceptions.h:
2296         * jit/JITInlines.h:
2297         (JSC::JIT::reloadCallFrameFromTopCallFrame):
2298         * jit/JITOpcodes32_64.cpp:
2299         (JSC::JIT::privateCompileCTINativeCall):
2300         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2301         * jit/JITStubs.cpp:
2302         (JSC::throwExceptionFromOpCall):
2303         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2304         (JSC::cti_vm_handle_exception):
2305         - Check for the case when there are no more frames to unwind.
2306         * jit/JITStubs.h:
2307         * jit/JITStubsARM.h:
2308         * jit/JITStubsARMv7.h:
2309         * jit/JITStubsMIPS.h:
2310         * jit/JITStubsSH4.h:
2311         * jit/JITStubsX86.h:
2312         * jit/JITStubsX86_64.h:
2313         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2314         * jit/SlowPathCall.h:
2315         (JSC::JITSlowPathCall::call):
2316         - reload cfr from topcallFrame when handling an exception.
2317         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2318         * jit/ThunkGenerators.cpp:
2319         (JSC::nativeForGenerator):
2320         * llint/LowLevelInterpreter32_64.asm:
2321         * llint/LowLevelInterpreter64.asm:
2322         - reload cfr from topcallFrame when handling an exception.
2323         * runtime/VM.cpp:
2324         (JSC::VM::VM):
2325         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2326
2327 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2328
2329         Remove some code duplication.
2330         
2331         Rubber stamped by Mark Hahnenberg.
2332
2333         * runtime/JSDataViewPrototype.cpp:
2334         (JSC::getData):
2335         (JSC::setData):
2336
2337 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
2338
2339         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
2340         https://bugs.webkit.org/show_bug.cgi?id=119794
2341
2342         Reviewed by Filip Pizlo.
2343
2344         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
2345
2346         * dfg/DFGUseKind.h:
2347         (JSC::DFG::isNumerical):
2348         (JSC::DFG::isDouble):
2349
2350 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2351
2352         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
2353
2354         Rubber stamped by Oliver Hunt.
2355         
2356         This was causing some test crashes for me.
2357
2358         * dfg/DFGCapabilities.cpp:
2359         (JSC::DFG::capabilityLevel):
2360
2361 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2362
2363         [Windows] Clear up improper export declaration.
2364
2365         * runtime/ArrayBufferView.h:
2366
2367 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2368
2369         Unreviewed, remove some unnecessary periods from exceptions.
2370
2371         * runtime/JSDataViewPrototype.cpp:
2372         (JSC::getData):
2373         (JSC::setData):
2374
2375 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2376
2377         Unreviewed, fix 32-bit build.
2378
2379         * dfg/DFGSpeculativeJIT32_64.cpp:
2380         (JSC::DFG::SpeculativeJIT::compile):
2381
2382 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
2383
2384         Typed arrays should be rewritten
2385         https://bugs.webkit.org/show_bug.cgi?id=119064
2386
2387         Reviewed by Oliver Hunt.
2388         
2389         Typed arrays were previously deficient in several major ways:
2390         
2391         - They were defined separately in WebCore and in the jsc shell. The two
2392           implementations were different, and the jsc shell one was basically wrong.
2393           The WebCore one was quite awful, also.
2394         
2395         - Typed arrays were not visible to the JIT except through some weird hooks.
2396           For example, the JIT could not ask "what is the Structure that this typed
2397           array would have if I just allocated it from this global object". Also,
2398           it was difficult to wire any of the typed array intrinsics, because most
2399           of the functionality wasn't visible anywhere in JSC.
2400         
2401         - Typed array allocation was brain-dead. Allocating a typed array involved
2402           two JS objects, two GC weak handles, and three malloc allocations.
2403         
2404         - Neutering. It involved keeping tabs on all native views but not the view
2405           wrappers, even though the native views can autoneuter just by asking the
2406           buffer if it was neutered anytime you touch them; while the JS view
2407           wrappers are the ones that you really want to reach out to.
2408         
2409         - Common case-ing. Most typed arrays have one buffer and one view, and
2410           usually nobody touches the buffer. Yet we created all of that stuff
2411           anyway, using data structures optimized for the case where you had a lot
2412           of views.
2413         
2414         - Semantic goofs. Typed arrays should, in the future, behave like ES
2415           features rather than DOM features, for example when it comes to exceptions.
2416           Firefox already does this and I agree with them.
2417         
2418         This patch cleanses our codebase of these sins:
2419         
2420         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
2421           management of native references to buffers is left to WebCore.
2422         
2423         - Allocating a typed array requires either two GC allocations (a cell and a
2424           copied storage vector) or one GC allocation, a malloc allocation, and a
2425           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
2426           latter). The latter is only used for oversize arrays. Remember that before
2427           it was 7 allocations no matter what.
2428         
2429         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
2430           mode/length, void* vector. Before it was a lot more than that - remember,
2431           there were five additional objects that did absolutely nothing for anybody.
2432         
2433         - Native views aren't tracked by the buffer, or by the wrappers. They are
2434           transient. In the future we'll probably switch to not even having them be
2435           malloc'd.
2436         
2437         - Native array buffers have an efficient way of tracking all of their JS view
2438           wrappers, both for neutering, and for lifecycle management. The GC
2439           special-cases native array buffers. This saves a bunch of grief; for example
2440           it means that a JS view wrapper can refer to its buffer via the butterfly,
2441           which would be dead by the time we went to finalize.
2442         
2443         - Typed array semantics now match Firefox, which also happens to be where the
2444           standards are going. The discussion on webkit-dev seemed to confirm that
2445           Chrome is also heading in this direction. This includes making
2446           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
2447           ArrayBufferView as a JS-visible construct.
2448         
2449         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
2450         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
2451         further typed array optimizations in the JSC JITs, including inlining typed
2452         array allocation, inlining more of the accessors, reducing the cost of type
2453         checks, etc.
2454         
2455         An additional property of this patch is that typed arrays are mostly
2456         implemented using templates. This deduplicates a bunch of code, but does mean
2457         that we need some hacks for exporting s_info's of template classes. See
2458         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
2459         low-impact compared to code duplication.
2460         
2461         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
2462
2463         * CMakeLists.txt:
2464         * DerivedSources.make:
2465         * GNUmakefile.list.am:
2466         * JSCTypedArrayStubs.h: Removed.
2467         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2468         * JavaScriptCore.xcodeproj/project.pbxproj:
2469         * Target.pri:
2470         * bytecode/ByValInfo.h:
2471         (JSC::hasOptimizableIndexingForClassInfo):
2472         (JSC::jitArrayModeForClassInfo):
2473         (JSC::typedArrayTypeForJITArrayMode):
2474         * bytecode/SpeculatedType.cpp:
2475         (JSC::speculationFromClassInfo):
2476         * dfg/DFGArrayMode.cpp:
2477         (JSC::DFG::toTypedArrayType):
2478         * dfg/DFGArrayMode.h:
2479         (JSC::DFG::ArrayMode::typedArrayType):
2480         * dfg/DFGSpeculativeJIT.cpp:
2481         (JSC::DFG::SpeculativeJIT::checkArray):
2482         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2483         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2484         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2485         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2486         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2487         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2488         * dfg/DFGSpeculativeJIT.h:
2489         * dfg/DFGSpeculativeJIT32_64.cpp:
2490         (JSC::DFG::SpeculativeJIT::compile):
2491         * dfg/DFGSpeculativeJIT64.cpp:
2492         (JSC::DFG::SpeculativeJIT::compile):
2493         * heap/CopyToken.h:
2494         * heap/DeferGC.h:
2495         (JSC::DeferGCForAWhile::DeferGCForAWhile):
2496         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
2497         * heap/GCIncomingRefCounted.h: Added.
2498         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
2499         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
2500         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
2501         (JSC::GCIncomingRefCounted::incomingReferenceAt):
2502         (JSC::GCIncomingRefCounted::singletonFlag):
2503         (JSC::GCIncomingRefCounted::hasVectorOfCells):
2504         (JSC::GCIncomingRefCounted::hasAnyIncoming):
2505         (JSC::GCIncomingRefCounted::hasSingleton):
2506         (JSC::GCIncomingRefCounted::singleton):
2507         (JSC::GCIncomingRefCounted::vectorOfCells):
2508         * heap/GCIncomingRefCountedInlines.h: Added.
2509         (JSC::::addIncomingReference):
2510         (JSC::::filterIncomingReferences):
2511         * heap/GCIncomingRefCountedSet.h: Added.
2512         (JSC::GCIncomingRefCountedSet::size):
2513         * heap/GCIncomingRefCountedSetInlines.h: Added.
2514         (JSC::::GCIncomingRefCountedSet):
2515         (JSC::::~GCIncomingRefCountedSet):
2516         (JSC::::addReference):
2517         (JSC::::sweep):
2518         (JSC::::removeAll):
2519         (JSC::::removeDead):
2520         * heap/Heap.cpp:
2521         (JSC::Heap::addReference):
2522         (JSC::Heap::extraSize):
2523         (JSC::Heap::size):
2524         (JSC::Heap::capacity):
2525         (JSC::Heap::collect):
2526         (JSC::Heap::decrementDeferralDepth):
2527         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2528         * heap/Heap.h:
2529         * interpreter/CallFrame.h:
2530         (JSC::ExecState::dataViewTable):
2531         * jit/JIT.h:
2532         * jit/JITPropertyAccess.cpp:
2533         (JSC::JIT::privateCompileGetByVal):
2534         (JSC::JIT::privateCompilePutByVal):
2535         (JSC::JIT::emitIntTypedArrayGetByVal):
2536         (JSC::JIT::emitFloatTypedArrayGetByVal):
2537         (JSC::JIT::emitIntTypedArrayPutByVal):
2538         (JSC::JIT::emitFloatTypedArrayPutByVal):
2539         * jsc.cpp:
2540         (GlobalObject::finishCreation):
2541         * runtime/ArrayBuffer.cpp:
2542         (JSC::ArrayBuffer::transfer):
2543         * runtime/ArrayBuffer.h:
2544         (JSC::ArrayBuffer::createAdopted):
2545         (JSC::ArrayBuffer::ArrayBuffer):
2546         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
2547         (JSC::ArrayBuffer::pin):
2548         (JSC::ArrayBuffer::unpin):
2549         (JSC::ArrayBufferContents::tryAllocate):
2550         * runtime/ArrayBufferView.cpp:
2551         (JSC::ArrayBufferView::ArrayBufferView):
2552         (JSC::ArrayBufferView::~ArrayBufferView):
2553         (JSC::ArrayBufferView::setNeuterable):
2554         * runtime/ArrayBufferView.h:
2555         (JSC::ArrayBufferView::isNeutered):
2556         (JSC::ArrayBufferView::buffer):
2557         (JSC::ArrayBufferView::baseAddress):
2558         (JSC::ArrayBufferView::byteOffset):
2559         (JSC::ArrayBufferView::verifySubRange):
2560         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2561         (JSC::ArrayBufferView::calculateOffsetAndLength):
2562         * runtime/ClassInfo.h:
2563         * runtime/CommonIdentifiers.h:
2564         * runtime/DataView.cpp: Added.
2565         (JSC::DataView::DataView):
2566         (JSC::DataView::create):
2567         (JSC::DataView::wrap):
2568         * runtime/DataView.h: Added.
2569         (JSC::DataView::byteLength):
2570         (JSC::DataView::getType):
2571         (JSC::DataView::get):
2572         (JSC::DataView::set):
2573         * runtime/Float32Array.h:
2574         * runtime/Float64Array.h:
2575         * runtime/GenericTypedArrayView.h: Added.
2576         (JSC::GenericTypedArrayView::data):
2577         (JSC::GenericTypedArrayView::set):
2578         (JSC::GenericTypedArrayView::setRange):
2579         (JSC::GenericTypedArrayView::zeroRange):
2580         (JSC::GenericTypedArrayView::zeroFill):
2581         (JSC::GenericTypedArrayView::length):
2582         (JSC::GenericTypedArrayView::byteLength):
2583         (JSC::GenericTypedArrayView::item):
2584         (JSC::GenericTypedArrayView::checkInboundData):
2585         (JSC::GenericTypedArrayView::getType):
2586         * runtime/GenericTypedArrayViewInlines.h: Added.
2587         (JSC::::GenericTypedArrayView):
2588         (JSC::::create):
2589         (JSC::::createUninitialized):
2590         (JSC::::subarray):
2591         (JSC::::wrap):
2592         * runtime/IndexingHeader.h:
2593         (JSC::IndexingHeader::arrayBuffer):
2594         (JSC::IndexingHeader::setArrayBuffer):
2595         * runtime/Int16Array.h:
2596         * runtime/Int32Array.h:
2597         * runtime/Int8Array.h:
2598         * runtime/JSArrayBuffer.cpp: Added.
2599         (JSC::JSArrayBuffer::JSArrayBuffer):
2600         (JSC::JSArrayBuffer::finishCreation):
2601         (JSC::JSArrayBuffer::create):
2602         (JSC::JSArrayBuffer::createStructure):
2603         (JSC::JSArrayBuffer::getOwnPropertySlot):
2604         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
2605         (JSC::JSArrayBuffer::put):
2606         (JSC::JSArrayBuffer::defineOwnProperty):
2607         (JSC::JSArrayBuffer::deleteProperty):
2608         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2609         * runtime/JSArrayBuffer.h: Added.
2610         (JSC::JSArrayBuffer::impl):
2611         (JSC::toArrayBuffer):
2612         * runtime/JSArrayBufferConstructor.cpp: Added.
2613         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
2614         (JSC::JSArrayBufferConstructor::finishCreation):
2615         (JSC::JSArrayBufferConstructor::create):
2616         (JSC::JSArrayBufferConstructor::createStructure):
2617         (JSC::constructArrayBuffer):
2618         (JSC::JSArrayBufferConstructor::getConstructData):
2619         (JSC::JSArrayBufferConstructor::getCallData):
2620         * runtime/JSArrayBufferConstructor.h: Added.
2621         * runtime/JSArrayBufferPrototype.cpp: Added.
2622         (JSC::arrayBufferProtoFuncSlice):
2623         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
2624         (JSC::JSArrayBufferPrototype::finishCreation):
2625         (JSC::JSArrayBufferPrototype::create):
2626         (JSC::JSArrayBufferPrototype::createStructure):
2627         * runtime/JSArrayBufferPrototype.h: Added.
2628         * runtime/JSArrayBufferView.cpp: Added.
2629         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2630         (JSC::JSArrayBufferView::JSArrayBufferView):
2631         (JSC::JSArrayBufferView::finishCreation):
2632         (JSC::JSArrayBufferView::getOwnPropertySlot):
2633         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
2634         (JSC::JSArrayBufferView::put):
2635         (JSC::JSArrayBufferView::defineOwnProperty):
2636         (JSC::JSArrayBufferView::deleteProperty):
2637         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2638         (JSC::JSArrayBufferView::finalize):
2639         * runtime/JSArrayBufferView.h: Added.
2640         (JSC::JSArrayBufferView::sizeOf):
2641         (JSC::JSArrayBufferView::ConstructionContext::operator!):
2642         (JSC::JSArrayBufferView::ConstructionContext::structure):
2643         (JSC::JSArrayBufferView::ConstructionContext::vector):
2644         (JSC::JSArrayBufferView::ConstructionContext::length):
2645         (JSC::JSArrayBufferView::ConstructionContext::mode):
2646         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
2647         (JSC::JSArrayBufferView::mode):
2648         (JSC::JSArrayBufferView::vector):
2649         (JSC::JSArrayBufferView::length):
2650         (JSC::JSArrayBufferView::offsetOfVector):
2651         (JSC::JSArrayBufferView::offsetOfLength):
2652         (JSC::JSArrayBufferView::offsetOfMode):
2653         * runtime/JSArrayBufferViewInlines.h: Added.
2654         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
2655         (JSC::JSArrayBufferView::buffer):
2656         (JSC::JSArrayBufferView::impl):
2657         (JSC::JSArrayBufferView::neuter):
2658         (JSC::JSArrayBufferView::byteOffset):
2659         * runtime/JSCell.cpp:
2660         (JSC::JSCell::slowDownAndWasteMemory):
2661         (JSC::JSCell::getTypedArrayImpl):
2662         * runtime/JSCell.h:
2663         * runtime/JSDataView.cpp: Added.
2664         (JSC::JSDataView::JSDataView):
2665         (JSC::JSDataView::create):
2666         (JSC::JSDataView::createUninitialized):
2667         (JSC::JSDataView::set):
2668         (JSC::JSDataView::typedImpl):
2669         (JSC::JSDataView::getOwnPropertySlot):
2670         (JSC::JSDataView::getOwnPropertyDescriptor):
2671         (JSC::JSDataView::slowDownAndWasteMemory):
2672         (JSC::JSDataView::getTypedArrayImpl):
2673         (JSC::JSDataView::createStructure):
2674         * runtime/JSDataView.h: Added.
2675         * runtime/JSDataViewPrototype.cpp: Added.
2676         (JSC::JSDataViewPrototype::JSDataViewPrototype):
2677         (JSC::JSDataViewPrototype::create):
2678         (JSC::JSDataViewPrototype::createStructure):
2679         (JSC::JSDataViewPrototype::getOwnPropertySlot):
2680         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
2681         (JSC::getData):
2682         (JSC::setData):
2683         (JSC::dataViewProtoFuncGetInt8):
2684         (JSC::dataViewProtoFuncGetInt16):
2685         (JSC::dataViewProtoFuncGetInt32):
2686         (JSC::dataViewProtoFuncGetUint8):
2687         (JSC::dataViewProtoFuncGetUint16):
2688         (JSC::dataViewProtoFuncGetUint32):
2689         (JSC::dataViewProtoFuncGetFloat32):
2690         (JSC::dataViewProtoFuncGetFloat64):
2691         (JSC::dataViewProtoFuncSetInt8):
2692         (JSC::dataViewProtoFuncSetInt16):
2693         (JSC::dataViewProtoFuncSetInt32):
2694         (JSC::dataViewProtoFuncSetUint8):
2695         (JSC::dataViewProtoFuncSetUint16):
2696         (JSC::dataViewProtoFuncSetUint32):
2697         (JSC::dataViewProtoFuncSetFloat32):
2698         (JSC::dataViewProtoFuncSetFloat64):
2699         * runtime/JSDataViewPrototype.h: Added.
2700         * runtime/JSFloat32Array.h: Added.
2701         * runtime/JSFloat64Array.h: Added.
2702         * runtime/JSGenericTypedArrayView.h: Added.
2703         (JSC::JSGenericTypedArrayView::byteLength):
2704         (JSC::JSGenericTypedArrayView::byteSize):
2705         (JSC::JSGenericTypedArrayView::typedVector):
2706         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
2707         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
2708         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
2709         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
2710         (JSC::JSGenericTypedArrayView::getIndexQuickly):
2711         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
2712         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
2713         (JSC::JSGenericTypedArrayView::setIndexQuickly):
2714         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
2715         (JSC::JSGenericTypedArrayView::typedImpl):
2716         (JSC::JSGenericTypedArrayView::createStructure):
2717         (JSC::JSGenericTypedArrayView::info):
2718         (JSC::toNativeTypedView):
2719         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
2720         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
2721         (JSC::::JSGenericTypedArrayViewConstructor):
2722         (JSC::::finishCreation):
2723         (JSC::::create):
2724         (JSC::::createStructure):
2725         (JSC::constructGenericTypedArrayView):
2726         (JSC::::getConstructData):
2727         (JSC::::getCallData):
2728         * runtime/JSGenericTypedArrayViewInlines.h: Added.
2729         (JSC::::JSGenericTypedArrayView):
2730         (JSC::::create):
2731         (JSC::::createUninitialized):
2732         (JSC::::validateRange):
2733         (JSC::::setWithSpecificType):
2734         (JSC::::set):
2735         (JSC::::getOwnPropertySlot):
2736         (JSC::::getOwnPropertyDescriptor):
2737         (JSC::::put):
2738         (JSC::::defineOwnProperty):
2739         (JSC::::deleteProperty):
2740         (JSC::::getOwnPropertySlotByIndex):
2741         (JSC::::putByIndex):
2742         (JSC::::deletePropertyByIndex):
2743         (JSC::::getOwnNonIndexPropertyNames):
2744         (JSC::::getOwnPropertyNames):
2745         (JSC::::visitChildren):
2746         (JSC::::copyBackingStore):
2747         (JSC::::slowDownAndWasteMemory):
2748         (JSC::::getTypedArrayImpl):
2749         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
2750         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
2751         (JSC::genericTypedArrayViewProtoFuncSet):
2752         (JSC::genericTypedArrayViewProtoFuncSubarray):
2753         (JSC::::JSGenericTypedArrayViewPrototype):
2754         (JSC::::finishCreation):
2755         (JSC::::create):
2756         (JSC::::createStructure):
2757         * runtime/JSGlobalObject.cpp:
2758         (JSC::JSGlobalObject::reset):
2759         (JSC::JSGlobalObject::visitChildren):
2760         * runtime/JSGlobalObject.h:
2761         (JSC::JSGlobalObject::arrayBufferPrototype):
2762         (JSC::JSGlobalObject::arrayBufferStructure):
2763         (JSC::JSGlobalObject::typedArrayStructure):
2764         * runtime/JSInt16Array.h: Added.
2765         * runtime/JSInt32Array.h: Added.
2766         * runtime/JSInt8Array.h: Added.
2767         * runtime/JSTypedArrayConstructors.cpp: Added.
2768         * runtime/JSTypedArrayConstructors.h: Added.
2769         * runtime/JSTypedArrayPrototypes.cpp: Added.
2770         * runtime/JSTypedArrayPrototypes.h: Added.
2771         * runtime/JSTypedArrays.cpp: Added.
2772         * runtime/JSTypedArrays.h: Added.
2773         * runtime/JSUint16Array.h: Added.
2774         * runtime/JSUint32Array.h: Added.
2775         * runtime/JSUint8Array.h: Added.
2776         * runtime/JSUint8ClampedArray.h: Added.
2777         * runtime/Operations.h:
2778         * runtime/Options.h:
2779         * runtime/SimpleTypedArrayController.cpp: Added.
2780         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
2781         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
2782         (JSC::SimpleTypedArrayController::toJS):
2783         * runtime/SimpleTypedArrayController.h: Added.
2784         * runtime/Structure.h:
2785         (JSC::Structure::couldHaveIndexingHeader):
2786         * runtime/StructureInlines.h:
2787         (JSC::Structure::hasIndexingHeader):
2788         * runtime/TypedArrayAdaptors.h: Added.
2789         (JSC::IntegralTypedArrayAdaptor::toNative):
2790         (JSC::IntegralTypedArrayAdaptor::toJSValue):
2791         (JSC::IntegralTypedArrayAdaptor::toDouble):
2792         (JSC::FloatTypedArrayAdaptor::toNative):
2793         (JSC::FloatTypedArrayAdaptor::toJSValue):
2794         (JSC::FloatTypedArrayAdaptor::toDouble):
2795         (JSC::Uint8ClampedAdaptor::toNative):
2796         (JSC::Uint8ClampedAdaptor::toJSValue):
2797         (JSC::Uint8ClampedAdaptor::toDouble):
2798         (JSC::Uint8ClampedAdaptor::clamp):
2799         * runtime/TypedArrayController.cpp: Added.
2800         (JSC::TypedArrayController::TypedArrayController):
2801         (JSC::TypedArrayController::~TypedArrayController):
2802         * runtime/TypedArrayController.h: Added.
2803         * runtime/TypedArrayDescriptor.h: Removed.
2804         * runtime/TypedArrayInlines.h: Added.
2805         * runtime/TypedArrayType.cpp: Added.
2806         (JSC::classInfoForType):
2807         (WTF::printInternal):
2808         * runtime/TypedArrayType.h: Added.
2809         (JSC::toIndex):
2810         (JSC::isTypedView):
2811         (JSC::elementSize):
2812         (JSC::isInt):
2813         (JSC::isFloat):
2814         (JSC::isSigned):
2815         (JSC::isClamped):
2816         * runtime/TypedArrays.h: Added.
2817         * runtime/Uint16Array.h:
2818         * runtime/Uint32Array.h:
2819         * runtime/Uint8Array.h:
2820         * runtime/Uint8ClampedArray.h:
2821         * runtime/VM.cpp:
2822         (JSC::VM::VM):
2823         (JSC::VM::~VM):
2824         * runtime/VM.h:
2825
2826 2013-08-15  Oliver Hunt  <oliver@apple.com>
2827
2828         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
2829
2830         Reviewed by Filip Pizlo.
2831
2832         Make sure dfgCapabilities doesn't report a Dynamic put as
2833         being compilable when we don't actually support it.  
2834
2835         * bytecode/CodeBlock.cpp:
2836         (JSC::CodeBlock::dumpBytecode):
2837         * dfg/DFGCapabilities.cpp:
2838         (JSC::DFG::capabilityLevel):
2839
2840 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2841
2842         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
2843         https://bugs.webkit.org/show_bug.cgi?id=119847
2844
2845         Reviewed by Oliver Hunt.
2846
2847         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
2848         * runtime/ArrayBufferView.h: Ditto.
2849
2850 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
2851
2852         https://bugs.webkit.org/show_bug.cgi?id=119843
2853         PropertySlot::setValue is ambiguous
2854
2855         Reviewed by Geoff Garen.
2856
2857         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
2858         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
2859         Unify on always providing the object, and remove the version that just takes a value.
2860         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
2861         Provide a version of setValue that takes a JSString as the owner of the property.
2862         We won't store this, but it makes it clear that this interface should only be used from JSString.
2863
2864         * API/JSCallbackObjectFunctions.h:
2865         (JSC::::getOwnPropertySlot):
2866         * JSCTypedArrayStubs.h:
2867         * runtime/Arguments.cpp:
2868         (JSC::Arguments::getOwnPropertySlotByIndex):
2869         (JSC::Arguments::getOwnPropertySlot):
2870         * runtime/JSActivation.cpp:
2871         (JSC::JSActivation::symbolTableGet):
2872         (JSC::JSActivation::getOwnPropertySlot):
2873         * runtime/JSArray.cpp:
2874         (JSC::JSArray::getOwnPropertySlot):
2875         * runtime/JSObject.cpp:
2876         (JSC::JSObject::getOwnPropertySlotByIndex):
2877         * runtime/JSString.h:
2878         (JSC::JSString::getStringPropertySlot):
2879         * runtime/JSSymbolTableObject.h:
2880         (JSC::symbolTableGet):
2881         * runtime/SparseArrayValueMap.cpp:
2882         (JSC::SparseArrayEntry::get):
2883             - Pass object containing property to PropertySlot::setValue
2884         * runtime/PropertySlot.h:
2885         (JSC::PropertySlot::setValue):
2886             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
2887         (JSC::PropertySlot::setUndefined):
2888             - removed setValue(JSValue), added setValue(JSString*, JSValue)
2889
2890 2013-08-15  Oliver Hunt  <oliver@apple.com>
2891
2892         Remove bogus assertion.
2893
2894         RS=Filip Pizlo
2895
2896         * dfg/DFGAbstractInterpreterInlines.h:
2897         (JSC::DFG::::executeEffects):
2898
2899 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2900
2901         REGRESSION(r148790) Made 7 tests fail on x86 32bit
2902         https://bugs.webkit.org/show_bug.cgi?id=114913
2903
2904         Reviewed by Filip Pizlo.
2905
2906         The X87 register was not freed before some calls. Instead
2907         of inserting resetX87Registers at the last call sites,
2908         the two X87 registers are now freed in every call.
2909
2910         * llint/LowLevelInterpreter32_64.asm:
2911         * llint/LowLevelInterpreter64.asm:
2912         * offlineasm/instructions.rb:
2913         * offlineasm/x86.rb:
2914
2915 2013-08-14  Michael Saboff  <msaboff@apple.com>
2916
2917         Fixed jit on Win64.
2918         https://bugs.webkit.org/show_bug.cgi?id=119601
2919
2920         Reviewed by Oliver Hunt.
2921
2922         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
2923         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
2924         * jit/SlowPathCall.h:
2925         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
2926
2927 2013-08-14  Alex Christensen  <achristensen@apple.com>
2928
2929         Compile fix for Win64 with jit disabled.
2930         https://bugs.webkit.org/show_bug.cgi?id=119804
2931
2932         Reviewed by Michael Saboff.
2933
2934         * offlineasm/cloop.rb: Added std:: before isnan.
2935
2936 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
2937
2938         DFG_JIT implementation for sh4 architecture.
2939         https://bugs.webkit.org/show_bug.cgi?id=119737
2940
2941         Reviewed by Oliver Hunt.
2942
2943         * assembler/MacroAssemblerSH4.h:
2944         (JSC::MacroAssemblerSH4::invert):
2945         (JSC::MacroAssemblerSH4::add32):
2946         (JSC::MacroAssemblerSH4::and32):
2947         (JSC::MacroAssemblerSH4::lshift32):
2948         (JSC::MacroAssemblerSH4::mul32):
2949         (JSC::MacroAssemblerSH4::or32):
2950         (JSC::MacroAssemblerSH4::rshift32):
2951         (JSC::MacroAssemblerSH4::sub32):
2952         (JSC::MacroAssemblerSH4::xor32):
2953         (JSC::MacroAssemblerSH4::store32):
2954         (JSC::MacroAssemblerSH4::swapDouble):
2955         (JSC::MacroAssemblerSH4::storeDouble):
2956         (JSC::MacroAssemblerSH4::subDouble):
2957         (JSC::MacroAssemblerSH4::mulDouble):
2958         (JSC::MacroAssemblerSH4::divDouble):
2959         (JSC::MacroAssemblerSH4::negateDouble):
2960         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
2961         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
2962         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
2963         (JSC::MacroAssemblerSH4::swap):
2964         (JSC::MacroAssemblerSH4::jump):
2965         (JSC::MacroAssemblerSH4::branchNeg32):
2966         (JSC::MacroAssemblerSH4::branchAdd32):
2967         (JSC::MacroAssemblerSH4::branchMul32):
2968         (JSC::MacroAssemblerSH4::urshift32):
2969         * assembler/SH4Assembler.h:
2970         (JSC::SH4Assembler::SH4Assembler):
2971         (JSC::SH4Assembler::labelForWatchpoint):
2972         (JSC::SH4Assembler::label):
2973         (JSC::SH4Assembler::debugOffset):
2974         * dfg/DFGAssemblyHelpers.h:
2975         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
2976         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
2977         (JSC::DFG::AssemblyHelpers::debugCall):
2978         * dfg/DFGCCallHelpers.h:
2979         (JSC::DFG::CCallHelpers::setupArguments):
2980         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2981         * dfg/DFGFPRInfo.h:
2982         (JSC::DFG::FPRInfo::toRegister):
2983         (JSC::DFG::FPRInfo::toIndex):
2984         (JSC::DFG::FPRInfo::debugName):
2985         * dfg/DFGGPRInfo.h:
2986         (JSC::DFG::GPRInfo::toRegister):
2987         (JSC::DFG::GPRInfo::toIndex):
2988         (JSC::DFG::GPRInfo::debugName):
2989         * dfg/DFGOperations.cpp:
2990         * dfg/DFGSpeculativeJIT.h:
2991         (JSC::DFG::SpeculativeJIT::callOperation):
2992         * jit/JITStubs.h:
2993         * jit/JITStubsSH4.h:
2994
2995 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2996
2997         Unreviewed, fix build.
2998
2999         * API/JSValue.mm:
3000         (isDate):
3001         (isArray):
3002         * API/JSWrapperMap.mm:
3003         (tryUnwrapObjcObject):
3004         * API/ObjCCallbackFunction.mm:
3005         (tryUnwrapBlock):
3006
3007 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3008
3009         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
3010         https://bugs.webkit.org/show_bug.cgi?id=119770
3011
3012         Reviewed by Mark Hahnenberg.
3013
3014         * API/JSCallbackConstructor.cpp:
3015         (JSC::JSCallbackConstructor::finishCreation):
3016         * API/JSCallbackConstructor.h:
3017         (JSC::JSCallbackConstructor::createStructure):
3018         * API/JSCallbackFunction.cpp:
3019         (JSC::JSCallbackFunction::finishCreation):
3020         * API/JSCallbackFunction.h:
3021         (JSC::JSCallbackFunction::createStructure):
3022         * API/JSCallbackObject.cpp:
3023         (JSC::::createStructure):
3024         * API/JSCallbackObject.h:
3025         (JSC::JSCallbackObject::visitChildren):
3026         * API/JSCallbackObjectFunctions.h:
3027         (JSC::::asCallbackObject):
3028         (JSC::::finishCreation):
3029         * API/JSObjectRef.cpp:
3030         (JSObjectGetPrivate):
3031         (JSObjectSetPrivate):
3032         (JSObjectGetPrivateProperty):
3033         (JSObjectSetPrivateProperty):
3034         (JSObjectDeletePrivateProperty):
3035         * API/JSValueRef.cpp:
3036         (JSValueIsObjectOfClass):
3037         * API/JSWeakObjectMapRefPrivate.cpp:
3038         * API/ObjCCallbackFunction.h:
3039         (JSC::ObjCCallbackFunction::createStructure):
3040         * JSCTypedArrayStubs.h:
3041         * bytecode/CallLinkStatus.cpp:
3042         (JSC::CallLinkStatus::CallLinkStatus):
3043         (JSC::CallLinkStatus::function):
3044         (JSC::CallLinkStatus::internalFunction):
3045         * bytecode/CodeBlock.h:
3046         (JSC::baselineCodeBlockForInlineCallFrame):
3047         * bytecode/SpeculatedType.cpp:
3048         (JSC::speculationFromClassInfo):
3049         * bytecode/UnlinkedCodeBlock.cpp:
3050         (JSC::UnlinkedFunctionExecutable::visitChildren):
3051         (JSC::UnlinkedCodeBlock::visitChildren):
3052         (JSC::UnlinkedProgramCodeBlock::visitChildren):
3053         * bytecode/UnlinkedCodeBlock.h:
3054         (JSC::UnlinkedFunctionExecutable::createStructure):
3055         (JSC::UnlinkedProgramCodeBlock::createStructure):
3056         (JSC::UnlinkedEvalCodeBlock::createStructure):
3057         (JSC::UnlinkedFunctionCodeBlock::createStructure):
3058         * debugger/Debugger.cpp:
3059         * debugger/DebuggerActivation.cpp:
3060         (JSC::DebuggerActivation::visitChildren):
3061         * debugger/DebuggerActivation.h:
3062         (JSC::DebuggerActivation::createStructure):
3063         * debugger/DebuggerCallFrame.cpp:
3064         (JSC::DebuggerCallFrame::functionName):
3065         * dfg/DFGAbstractInterpreterInlines.h:
3066         (JSC::DFG::::executeEffects):
3067         * dfg/DFGByteCodeParser.cpp:
3068         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3069         (JSC::DFG::ByteCodeParser::parseBlock):
3070         * dfg/DFGFixupPhase.cpp:
3071         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
3072         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3073         * dfg/DFGGraph.cpp:
3074         (JSC::DFG::Graph::dump):
3075         * dfg/DFGGraph.h:
3076         (JSC::DFG::Graph::isInternalFunctionConstant):
3077         * dfg/DFGOperations.cpp:
3078         * dfg/DFGSpeculativeJIT.cpp:
3079         (JSC::DFG::SpeculativeJIT::checkArray):
3080         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3081         * dfg/DFGThunks.cpp:
3082         (JSC::DFG::virtualForThunkGenerator):
3083         * interpreter/Interpreter.cpp:
3084         (JSC::loadVarargs):
3085         * jsc.cpp:
3086         (GlobalObject::createStructure):
3087         * profiler/LegacyProfiler.cpp:
3088         (JSC::LegacyProfiler::createCallIdentifier):
3089         * runtime/Arguments.cpp:
3090         (JSC::Arguments::visitChildren):
3091         * runtime/Arguments.h:
3092         (JSC::Arguments::createStructure):
3093         (JSC::asArguments):
3094         (JSC::Arguments::finishCreation):
3095         * runtime/ArrayConstructor.cpp:
3096         (JSC::arrayConstructorIsArray):
3097         * runtime/ArrayConstructor.h:
3098         (JSC::ArrayConstructor::createStructure):
3099         * runtime/ArrayPrototype.cpp:
3100         (JSC::ArrayPrototype::finishCreation):
3101         (JSC::arrayProtoFuncConcat):
3102         (JSC::attemptFastSort):
3103         * runtime/ArrayPrototype.h:
3104         (JSC::ArrayPrototype::createStructure):
3105         * runtime/BooleanConstructor.h:
3106         (JSC::BooleanConstructor::createStructure):
3107         * runtime/BooleanObject.cpp:
3108         (JSC::BooleanObject::finishCreation):
3109         * runtime/BooleanObject.h:
3110         (JSC::BooleanObject::createStructure):
3111         (JSC::asBooleanObject):
3112         * runtime/BooleanPrototype.cpp:
3113         (JSC::BooleanPrototype::finishCreation):
3114         (JSC::booleanProtoFuncToString):
3115         (JSC::booleanProtoFuncValueOf):
3116         * runtime/BooleanPrototype.h:
3117         (JSC::BooleanPrototype::createStructure):
3118         * runtime/DateConstructor.cpp:
3119         (JSC::constructDate):
3120         * runtime/DateConstructor.h:
3121         (JSC::DateConstructor::createStructure):
3122         * runtime/DateInstance.cpp:
3123         (JSC::DateInstance::finishCreation):
3124         * runtime/DateInstance.h:
3125         (JSC::DateInstance::createStructure):
3126         (JSC::asDateInstance):
3127         * runtime/DatePrototype.cpp:
3128         (JSC::formateDateInstance):
3129         (JSC::DatePrototype::finishCreation):
3130         (JSC::dateProtoFuncToISOString):
3131         (JSC::dateProtoFuncToLocaleString):
3132         (JSC::dateProtoFuncToLocaleDateString):
3133         (JSC::dateProtoFuncToLocaleTimeString):
3134         (JSC::dateProtoFuncGetTime):
3135         (JSC::dateProtoFuncGetFullYear):
3136         (JSC::dateProtoFuncGetUTCFullYear):
3137         (JSC::dateProtoFuncGetMonth):
3138         (JSC::dateProtoFuncGetUTCMonth):
3139         (JSC::dateProtoFuncGetDate):
3140         (JSC::dateProtoFuncGetUTCDate):
3141         (JSC::dateProtoFuncGetDay):
3142         (JSC::dateProtoFuncGetUTCDay):
3143         (JSC::dateProtoFuncGetHours):
3144         (JSC::dateProtoFuncGetUTCHours):
3145         (JSC::dateProtoFuncGetMinutes):
3146         (JSC::dateProtoFuncGetUTCMinutes):
3147         (JSC::dateProtoFuncGetSeconds):
3148         (JSC::dateProtoFuncGetUTCSeconds):
3149         (JSC::dateProtoFuncGetMilliSeconds):
3150         (JSC::dateProtoFuncGetUTCMilliseconds):
3151         (JSC::dateProtoFuncGetTimezoneOffset):
3152         (JSC::dateProtoFuncSetTime):
3153         (JSC::setNewValueFromTimeArgs):
3154         (JSC::setNewValueFromDateArgs):
3155         (JSC::dateProtoFuncSetYear):
3156         (JSC::dateProtoFuncGetYear):
3157         * runtime/DatePrototype.h:
3158         (JSC::DatePrototype::createStructure):
3159         * runtime/Error.h:
3160         (JSC::StrictModeTypeErrorFunction::createStructure):
3161         * runtime/ErrorConstructor.h:
3162         (JSC::ErrorConstructor::createStructure):
3163         * runtime/ErrorInstance.cpp:
3164         (JSC::ErrorInstance::finishCreation):
3165         * runtime/ErrorInstance.h:
3166         (JSC::ErrorInstance::createStructure):
3167         * runtime/ErrorPrototype.cpp:
3168         (JSC::ErrorPrototype::finishCreation):
3169         * runtime/ErrorPrototype.h:
3170         (JSC::ErrorPrototype::createStructure):
3171         * runtime/ExceptionHelpers.cpp:
3172         (JSC::isTerminatedExecutionException):
3173         * runtime/ExceptionHelpers.h:
3174         (JSC::TerminatedExecutionError::createStructure):
3175         * runtime/Executable.cpp:
3176         (JSC::EvalExecutable::visitChildren):
3177         (JSC::ProgramExecutable::visitChildren):
3178         (JSC::FunctionExecutable::visitChildren):
3179         (JSC::ExecutableBase::hashFor):
3180         * runtime/Executable.h:
3181         (JSC::ExecutableBase::createStructure):
3182         (JSC::NativeExecutable::createStructure):
3183         (JSC::EvalExecutable::createStructure):
3184         (JSC::ProgramExecutable::createStructure):
3185         (JSC::FunctionExecutable::compileFor):
3186         (JSC::FunctionExecutable::compileOptimizedFor):
3187         (JSC::FunctionExecutable::createStructure):
3188         * runtime/FunctionConstructor.h:
3189         (JSC::FunctionConstructor::createStructure):
3190         * runtime/FunctionPrototype.cpp:
3191         (JSC::functionProtoFuncToString):
3192         (JSC::functionProtoFuncApply):
3193         (JSC::functionProtoFuncBind):
3194         * runtime/FunctionPrototype.h:
3195         (JSC::FunctionPrototype::createStructure):
3196         * runtime/GetterSetter.cpp:
3197         (JSC::GetterSetter::visitChildren):
3198         * runtime/GetterSetter.h:
3199         (JSC::GetterSetter::createStructure):
3200         * runtime/InternalFunction.cpp:
3201         (JSC::InternalFunction::finishCreation):
3202         * runtime/InternalFunction.h:
3203         (JSC::InternalFunction::createStructure):
3204         (JSC::asInternalFunction):
3205         * runtime/JSAPIValueWrapper.h:
3206         (JSC::JSAPIValueWrapper::createStructure):
3207         * runtime/JSActivation.cpp:
3208         (JSC::JSActivation::visitChildren):
3209         (JSC::JSActivation::argumentsGetter):
3210         * runtime/JSActivation.h:
3211         (JSC::JSActivation::createStructure):
3212         (JSC::asActivation):
3213         * runtime/JSArray.h:
3214         (JSC::JSArray::createStructure):
3215         (JSC::asArray):
3216         (JSC::isJSArray):
3217         * runtime/JSBoundFunction.cpp:
3218         (JSC::JSBoundFunction::finishCreation):
3219         (JSC::JSBoundFunction::visitChildren):
3220         * runtime/JSBoundFunction.h:
3221         (JSC::JSBoundFunction::createStructure):
3222         * runtime/JSCJSValue.cpp:
3223         (JSC::JSValue::dumpInContext):
3224         * runtime/JSCJSValueInlines.h:
3225         (JSC::JSValue::isFunction):
3226         * runtime/JSCell.h:
3227         (JSC::jsCast):
3228         (JSC::jsDynamicCast):
3229         * runtime/JSCellInlines.h:
3230         (JSC::allocateCell):
3231         * runtime/JSFunction.cpp:
3232         (JSC::JSFunction::finishCreation):
3233         (JSC::JSFunction::visitChildren):
3234         (JSC::skipOverBoundFunctions):
3235         (JSC::JSFunction::callerGetter):
3236         * runtime/JSFunction.h:
3237         (JSC::JSFunction::createStructure):
3238         * runtime/JSGlobalObject.cpp:
3239         (JSC::JSGlobalObject::visitChildren):
3240         (JSC::slowValidateCell):
3241         * runtime/JSGlobalObject.h:
3242         (JSC::JSGlobalObject::createStructure):
3243         * runtime/JSNameScope.cpp:
3244         (JSC::JSNameScope::visitChildren):
3245         * runtime/JSNameScope.h:
3246         (JSC::JSNameScope::createStructure):
3247         * runtime/JSNotAnObject.h:
3248         (JSC::JSNotAnObject::createStructure):
3249         * runtime/JSONObject.cpp:
3250         (JSC::JSONObject::finishCreation):
3251         (JSC::unwrapBoxedPrimitive):
3252         (JSC::Stringifier::Stringifier):
3253         (JSC::Stringifier::appendStringifiedValue):
3254         (JSC::Stringifier::Holder::Holder):
3255         (JSC::Walker::walk):
3256         (JSC::JSONProtoFuncStringify):
3257         * runtime/JSONObject.h:
3258         (JSC::JSONObject::createStructure):
3259         * runtime/JSObject.cpp:
3260         (JSC::getCallableObjectSlow):
3261         (JSC::JSObject::visitChildren):
3262         (JSC::JSObject::copyBackingStore):
3263         (JSC::JSFinalObject::visitChildren):
3264         (JSC::JSObject::ensureInt32Slow):
3265         (JSC::JSObject::ensureDoubleSlow):
3266         (JSC::JSObject::ensureContiguousSlow):
3267         (JSC::JSObject::ensureArrayStorageSlow):
3268         * runtime/JSObject.h:
3269         (JSC::JSObject::finishCreation):
3270         (JSC::JSObject::createStructure):
3271         (JSC::JSNonFinalObject::createStructure):
3272         (JSC::JSFinalObject::createStructure):
3273         (JSC::isJSFinalObject):
3274         * runtime/JSPropertyNameIterator.cpp:
3275         (JSC::JSPropertyNameIterator::visitChildren):
3276         * runtime/JSPropertyNameIterator.h:
3277         (JSC::JSPropertyNameIterator::createStructure):
3278         * runtime/JSProxy.cpp:
3279         (JSC::JSProxy::visitChildren):
3280         * runtime/JSProxy.h:
3281         (JSC::JSProxy::createStructure):
3282         * runtime/JSScope.cpp:
3283         (JSC::JSScope::visitChildren):
3284         * runtime/JSSegmentedVariableObject.cpp:
3285         (JSC::JSSegmentedVariableObject::visitChildren):
3286         * runtime/JSString.h:
3287         (JSC::JSString::createStructure):
3288         (JSC::isJSString):
3289         * runtime/JSSymbolTableObject.cpp:
3290         (JSC::JSSymbolTableObject::visitChildren):
3291         * runtime/JSVariableObject.h:
3292         * runtime/JSWithScope.cpp:
3293         (JSC::JSWithScope::visitChildren):
3294         * runtime/JSWithScope.h:
3295         (JSC::JSWithScope::createStructure):
3296         * runtime/JSWrapperObject.cpp:
3297         (JSC::JSWrapperObject::visitChildren):
3298         * runtime/JSWrapperObject.h:
3299         (JSC::JSWrapperObject::createStructure):
3300         * runtime/MathObject.cpp:
3301         (JSC::MathObject::finishCreation):
3302         * runtime/MathObject.h:
3303         (JSC::MathObject::createStructure):
3304         * runtime/NameConstructor.h:
3305         (JSC::NameConstructor::createStructure):
3306         * runtime/NameInstance.h:
3307         (JSC::NameInstance::createStructure):
3308         (JSC::NameInstance::finishCreation):
3309         * runtime/NamePrototype.cpp:
3310         (JSC::NamePrototype::finishCreation):
3311         (JSC::privateNameProtoFuncToString):
3312         * runtime/NamePrototype.h:
3313         (JSC::NamePrototype::createStructure):
3314         * runtime/NativeErrorConstructor.cpp:
3315         (JSC::NativeErrorConstructor::visitChildren):
3316         * runtime/NativeErrorConstructor.h:
3317         (JSC::NativeErrorConstructor::createStructure):
3318         (JSC::NativeErrorConstructor::finishCreation):
3319         * runtime/NumberConstructor.cpp:
3320         (JSC::NumberConstructor::finishCreation):
3321         * runtime/NumberConstructor.h:
3322         (JSC::NumberConstructor::createStructure):
3323         * runtime/NumberObject.cpp:
3324         (JSC::NumberObject::finishCreation):
3325         * runtime/NumberObject.h:
3326         (JSC::NumberObject::createStructure):
3327         * runtime/NumberPrototype.cpp:
3328         (JSC::NumberPrototype::finishCreation):
3329         * runtime/NumberPrototype.h:
3330         (JSC::NumberPrototype::createStructure):
3331         * runtime/ObjectConstructor.h:
3332         (JSC::ObjectConstructor::createStructure):
3333         * runtime/ObjectPrototype.cpp:
3334         (JSC::ObjectPrototype::finishCreation):
3335         * runtime/ObjectPrototype.h:
3336         (JSC::ObjectPrototype::createStructure):
3337         * runtime/PropertyMapHashTable.h:
3338         (JSC::PropertyTable::createStructure):
3339         * runtime/PropertyTable.cpp:
3340         (JSC::PropertyTable::visitChildren):
3341         * runtime/RegExp.h:
3342         (JSC::RegExp::createStructure):
3343         * runtime/RegExpConstructor.cpp:
3344         (JSC::RegExpConstructor::finishCreation):
3345         (JSC::RegExpConstructor::visitChildren):
3346         (JSC::constructRegExp):
3347         * runtime/RegExpConstructor.h:
3348         (JSC::RegExpConstructor::createStructure):
3349         (JSC::asRegExpConstructor):
3350         * runtime/RegExpMatchesArray.cpp:
3351         (JSC::RegExpMatchesArray::visitChildren):
3352         * runtime/RegExpMatchesArray.h:
3353         (JSC::RegExpMatchesArray::createStructure):
3354         * runtime/RegExpObject.cpp:
3355         (JSC::RegExpObject::finishCreation):
3356         (JSC::RegExpObject::visitChildren):
3357         * runtime/RegExpObject.h:
3358         (JSC::RegExpObject::createStructure):
3359         (JSC::asRegExpObject):
3360         * runtime/RegExpPrototype.cpp:
3361         (JSC::regExpProtoFuncTest):
3362         (JSC::regExpProtoFuncExec):
3363         (JSC::regExpProtoFuncCompile):
3364         (JSC::regExpProtoFuncToString):
3365         * runtime/RegExpPrototype.h:
3366         (JSC::RegExpPrototype::createStructure):
3367         * runtime/SparseArrayValueMap.cpp:
3368         (JSC::SparseArrayValueMap::createStructure):
3369         * runtime/SparseArrayValueMap.h:
3370         * runtime/StrictEvalActivation.h:
3371         (JSC::StrictEvalActivation::createStructure):
3372         * runtime/StringConstructor.h:
3373         (JSC::StringConstructor::createStructure):
3374         * runtime/StringObject.cpp:
3375         (JSC::StringObject::finishCreation):
3376         * runtime/StringObject.h:
3377         (JSC::StringObject::createStructure):
3378         (JSC::asStringObject):
3379         * runtime/StringPrototype.cpp: