dbddc23a63bce4e8eeebb0d2515f972a29889356
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2012-07-03  Mark Lam  <mark.lam@apple.com>

        Add ability to symbolically set and dump JSC VM options.
        See comments in runtime/Options.h for details on how the options work.
        https://bugs.webkit.org/show_bug.cgi?id=90420

        Reviewed by Filip Pizlo.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (JSC):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::jitAfterWarmUp):
        (JSC::CodeBlock::jitSoon):
        (JSC::CodeBlock::reoptimizationRetryCounter):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        (JSC::CodeBlock::exitCountThresholdForReoptimization):
        (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::clippedThreshold):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        * heap/MarkStack.cpp:
        (JSC::MarkStackSegmentAllocator::allocate):
        (JSC::MarkStackSegmentAllocator::shrinkReserve):
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        * heap/MarkStack.h:
        (JSC::MarkStack::mergeOpaqueRootsIfProfitable):
        (JSC::MarkStack::addOpaqueRoot):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::donate):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * jsc.cpp:
        (printUsageStatement):
        (parseArguments):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSGlobalData.cpp:
        (JSC::enableAssembler):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/Options.cpp:
        (JSC):
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::initialize):
        (JSC::Options::setOption):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        * runtime/Options.h:
        (JSC):
        (Options):
        (EntryInfo):

2012-07-03  Jocelyn Turcotte  <jocelyn.turcotte@nokia.com>  Joel Dillon <joel.dillon@codethink.co.uk>

        [Qt][Win] Fix broken QtWebKit5.lib linking
        https://bugs.webkit.org/show_bug.cgi?id=88321

        Reviewed by Kenneth Rohde Christiansen.

        The goal is to have different ports build systems define STATICALLY_LINKED_WITH_WTF
        when building JavaScriptCore, if both are packaged in the same DLL, instead
        of relying on the code to handle this.
        The effects of BUILDING_* and STATICALLY_LINKED_WITH_* are currently the same
        except for a check in Source/JavaScriptCore/config.h.

        Keeping the old way for the WX port as requested by the port's contributors.
        For non-Windows ports there is no difference between IMPORT and EXPORT, no
        change is needed.

        * API/JSBase.h:
          JS symbols shouldn't be included by WTF objects anymore. Remove the export when BUILDING_WTF.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
          Make sure that JavaScriptCore uses import symbols of WTF for the Win port.
        * runtime/JSExportMacros.h:

2012-07-02  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit value recoveries should be computed lazily
        https://bugs.webkit.org/show_bug.cgi?id=82155

        Reviewed by Gavin Barraclough.

        This change aims to reduce one aspect of DFG compile times: the fact
        that we currently compute the value recoveries for each local and
        argument on every speculation check. We compile many speculation checks,
        so this can add up quick. The strategy that this change takes is to
        have the DFG save just enough information about how the compiler is
        choosing to represent state, that the DFG::OSRExitCompiler can reify
        the value recoveries lazily.

        This appears to be an 0.3% SunSpider speed-up and is neutral elsewhere.

        I also took the opportunity to fix the sampling regions profiler (it
        was missing an export macro) and to put in more sampling regions in
        the DFG (which are disabled so long as ENABLE(SAMPLING_REGIONS) is
        false).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::CodeBlock::shrinkDFGDataToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::minifiedDFG):
        (JSC::CodeBlock::variableEventStream):
        (DFGData):
        * bytecode/Operands.h:
        (JSC::Operands::hasOperand):
        (Operands):
        (JSC::Operands::size):
        (JSC::Operands::at):
        (JSC::Operands::operator[]):
        (JSC::Operands::isArgument):
        (JSC::Operands::isVariable):
        (JSC::Operands::argumentForIndex):
        (JSC::Operands::variableForIndex):
        (JSC::Operands::operandForIndex):
        (JSC):
        (JSC::dumpOperands):
        * bytecode/SamplingTool.h:
        (SamplingRegion):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::performCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::performCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::performFixup):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::GenerationInfo):
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (GenerationInfo):
        (JSC::DFG::GenerationInfo::noticeOSRBirth):
        (JSC::DFG::GenerationInfo::use):
        (JSC::DFG::GenerationInfo::spill):
        (JSC::DFG::GenerationInfo::setSpilled):
        (JSC::DFG::GenerationInfo::fillJSValue):
        (JSC::DFG::GenerationInfo::fillCell):
        (JSC::DFG::GenerationInfo::fillInteger):
        (JSC::DFG::GenerationInfo::fillBoolean):
        (JSC::DFG::GenerationInfo::fillDouble):
        (JSC::DFG::GenerationInfo::fillStorage):
        (JSC::DFG::GenerationInfo::appendFill):
        (JSC::DFG::GenerationInfo::appendSpill):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGMinifiedGraph.h: Added.
        (DFG):
        (MinifiedGraph):
        (JSC::DFG::MinifiedGraph::MinifiedGraph):
        (JSC::DFG::MinifiedGraph::at):
        (JSC::DFG::MinifiedGraph::append):
        (JSC::DFG::MinifiedGraph::prepareAndShrink):
        (JSC::DFG::MinifiedGraph::setOriginalGraphSize):
        (JSC::DFG::MinifiedGraph::originalGraphSize):
        * dfg/DFGMinifiedNode.cpp: Added.
        (DFG):
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h: Added.
        (DFG):
        (JSC::DFG::belongsInMinifiedGraph):
        (MinifiedNode):
        (JSC::DFG::MinifiedNode::MinifiedNode):
        (JSC::DFG::MinifiedNode::index):
        (JSC::DFG::MinifiedNode::op):
        (JSC::DFG::MinifiedNode::hasChild1):
        (JSC::DFG::MinifiedNode::child1):
        (JSC::DFG::MinifiedNode::hasConstant):
        (JSC::DFG::MinifiedNode::hasConstantNumber):
        (JSC::DFG::MinifiedNode::constantNumber):
        (JSC::DFG::MinifiedNode::hasWeakConstant):
        (JSC::DFG::MinifiedNode::weakConstant):
        (JSC::DFG::MinifiedNode::getIndex):
        (JSC::DFG::MinifiedNode::compareByNodeIndex):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler.h:
        (OSRExitCompiler):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::performPredictionPropagation):
        * dfg/DFGRedundantPhiEliminationPhase.cpp:
        (JSC::DFG::performRedundantPhiElimination):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (DFG):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (DFG):
        (JSC::DFG::SpeculativeJIT::use):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::recordSetLocal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueRecoveryOverride.h: Added.
        (DFG):
        (ValueRecoveryOverride):
        (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
        * dfg/DFGValueSource.cpp: Added.
        (DFG):
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h: Added.
        (DFG):
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::isInRegisterFile):
        (ValueSource):
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forPrediction):
        (JSC::DFG::ValueSource::forDataFormat):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::kind):
        (JSC::DFG::ValueSource::isInRegisterFile):
        (JSC::DFG::ValueSource::dataFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        (JSC::DFG::ValueSource::nodeIndex):
        (JSC::DFG::ValueSource::nodeIndexFromKind):
        (JSC::DFG::ValueSource::kindFromNodeIndex):
        * dfg/DFGVariableEvent.cpp: Added.
        (DFG):
        (JSC::DFG::VariableEvent::dump):
        (JSC::DFG::VariableEvent::dumpFillInfo):
        (JSC::DFG::VariableEvent::dumpSpillInfo):
        * dfg/DFGVariableEvent.h: Added.
        (DFG):
        (VariableEvent):
        (JSC::DFG::VariableEvent::VariableEvent):
        (JSC::DFG::VariableEvent::reset):
        (JSC::DFG::VariableEvent::fillGPR):
        (JSC::DFG::VariableEvent::fillPair):
        (JSC::DFG::VariableEvent::fillFPR):
        (JSC::DFG::VariableEvent::spill):
        (JSC::DFG::VariableEvent::death):
        (JSC::DFG::VariableEvent::setLocal):
        (JSC::DFG::VariableEvent::movHint):
        (JSC::DFG::VariableEvent::kind):
        (JSC::DFG::VariableEvent::nodeIndex):
        (JSC::DFG::VariableEvent::dataFormat):
        (JSC::DFG::VariableEvent::gpr):
        (JSC::DFG::VariableEvent::tagGPR):
        (JSC::DFG::VariableEvent::payloadGPR):
        (JSC::DFG::VariableEvent::fpr):
        (JSC::DFG::VariableEvent::virtualRegister):
        (JSC::DFG::VariableEvent::operand):
        (JSC::DFG::VariableEvent::variableRepresentation):
        * dfg/DFGVariableEventStream.cpp: Added.
        (DFG):
        (JSC::DFG::VariableEventStream::logEvent):
        (MinifiedGenerationInfo):
        (JSC::DFG::MinifiedGenerationInfo::MinifiedGenerationInfo):
        (JSC::DFG::MinifiedGenerationInfo::update):
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVariableEventStream.h: Added.
        (DFG):
        (VariableEventStream):
        (JSC::DFG::VariableEventStream::appendAndLog):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::performVirtualRegisterAllocation):

2012-07-02  Filip Pizlo  <fpizlo@apple.com>

        DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
        https://bugs.webkit.org/show_bug.cgi?id=90407

        Reviewed by Mark Hahnenberg.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):

2012-07-02  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype.pop should throw if property is not configurable
        https://bugs.webkit.org/show_bug.cgi?id=75788

        Rubber Stamped by Oliver Hunt.

        No real bug here any more, but the error we throw sometimes has a misleading message.

        * runtime/JSArray.cpp:
        (JSC::JSArray::pop):

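The Array.prototype.pop behaviour named in the entry above, as an added example that is not WebKit or JSC code: the ECMAScript algorithm deletes the last element with the throw flag set, so pop() must raise a TypeError instead of silently skipping a non-configurable element, and the array must be left exactly as it was. The function names (tryPop, popOnNonConfigurableLast and the others) and the sample arrays are this example's own. The caught error message is kept only for inspection: its wording is engine-specific, which is the point the entry makes, so nothing below depends on it. The script needs no host APIs and runs in node or in the jsc shell.

```javascript
// Added example, not WebKit/JSC code. Shows that Array.prototype.pop throws a
// TypeError when the element it would remove is non-configurable (ES [[Delete]]
// with throw = true), and that a failed pop leaves the array untouched.

// Calls pop() on `arr` and records the outcome. `message` is informational
// only; engines word it differently and it is not asserted on anywhere.
function tryPop(arr) {
  const lengthBefore = arr.length;
  const lastBefore = arr[lengthBefore - 1];
  try {
    const value = arr.pop();
    return { threw: false, value: value, length: arr.length };
  } catch (e) {
    return {
      threw: true,
      isTypeError: e instanceof TypeError,
      message: String(e.message),
      length: arr.length,
      // A refused delete must not have removed the element or shrunk the array.
      lastIntact: arr.length === lengthBefore && arr[lengthBefore - 1] === lastBefore
    };
  }
}

// Last element explicitly made non-configurable: pop() cannot delete it.
function popOnNonConfigurableLast() {
  const arr = [1, 2, 3];                       // constructed sample input
  Object.defineProperty(arr, 2, { configurable: false });
  return tryPop(arr);
}

// Object.freeze makes every element non-configurable, so pop() fails the same way.
function popOnFrozenArray() {
  return tryPop(Object.freeze(['a', 'b']));    // constructed sample input
}

// Ordinary array: pop() removes and returns the last element.
function popOnOrdinaryArray() {
  return tryPop([1, 2, 3]);                    // constructed sample input
}

// A non-configurable element that is not last does not interfere: pop() only
// deletes the element at index length - 1, then lowers length past it.
function popWithNonConfigurableMiddle() {
  const arr = [1, 2, 3];                       // constructed sample input
  Object.defineProperty(arr, 0, { configurable: false });
  return tryPop(arr);
}
```

The check that matters for integrity is lastIntact: a frozen or partially sealed array handed to untrusted code must come back with the same length and the same last element after a pop() that was refused, regardless of what the error text says.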
358 2012-06-29  Filip Pizlo  <fpizlo@apple.com>
359
360         JSObject wastes too much memory on unused property slots
361         https://bugs.webkit.org/show_bug.cgi?id=90255
362
363         Reviewed by Mark Hahnenberg.
364         
365         Rolling back in after applying a simple fix: it appears that
366         JSObject::setStructureAndReallocateStorageIfNecessary() was allocating more
367         property storage than necessary. Fixing this appears to resolve the crash.
368         
369         This does a few things:
370         
371         - JSNonFinalObject no longer has inline property storage.
372         
373         - Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
374           or 2x the inline storage for JSFinalObject.
375         
376         - Property storage is only reallocated if it needs to be. Previously, we
377           would reallocate the property storage on any transition where the original
378           structure said shouldGrowProperyStorage(), but this led to spurious
379           reallocations when doing transitionless property adds and there are
380           deleted property slots available. That in turn led to crashes, because we
381           would switch to out-of-line storage even if the capacity matched the
382           criteria for inline storage.
383         
384         - Inline JSFunction allocation is killed off because we don't have a good
385           way of inlining property storage allocation. This didn't hurt performance.
386           Killing off code is better than fixing it if that code wasn't doing any
387           good.
388         
389         This looks like a 1% progression on V8.
390
391         * interpreter/Interpreter.cpp:
392         (JSC::Interpreter::privateExecute):
393         * jit/JIT.cpp:
394         (JSC::JIT::privateCompileSlowCases):
395         * jit/JIT.h:
396         * jit/JITInlineMethods.h:
397         (JSC::JIT::emitAllocateBasicJSObject):
398         (JSC):
399         * jit/JITOpcodes.cpp:
400         (JSC::JIT::emit_op_new_func):
401         (JSC):
402         (JSC::JIT::emit_op_new_func_exp):
403         * runtime/JSFunction.cpp:
404         (JSC::JSFunction::finishCreation):
405         * runtime/JSObject.h:
406         (JSC::JSObject::isUsingInlineStorage):
407         (JSObject):
408         (JSC::JSObject::finishCreation):
409         (JSC):
410         (JSC::JSNonFinalObject::hasInlineStorage):
411         (JSNonFinalObject):
412         (JSC::JSNonFinalObject::JSNonFinalObject):
413         (JSC::JSNonFinalObject::finishCreation):
414         (JSC::JSFinalObject::hasInlineStorage):
415         (JSC::JSFinalObject::finishCreation):
416         (JSC::JSObject::offsetOfInlineStorage):
417         (JSC::JSObject::setPropertyStorage):
418         (JSC::Structure::inlineStorageCapacity):
419         (JSC::Structure::isUsingInlineStorage):
420         (JSC::JSObject::putDirectInternal):
421         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
422         (JSC::JSObject::putDirectWithoutTransition):
423         * runtime/Structure.cpp:
424         (JSC::Structure::Structure):
425         (JSC::nextPropertyStorageCapacity):
426         (JSC):
427         (JSC::Structure::growPropertyStorageCapacity):
428         (JSC::Structure::suggestedNewPropertyStorageSize):
429         * runtime/Structure.h:
430         (JSC::Structure::putWillGrowPropertyStorage):
431         (Structure):
432
433 2012-06-29  Filip Pizlo  <fpizlo@apple.com>
434
435         Webkit crashes in DFG on Google Docs when creating a new document
436         https://bugs.webkit.org/show_bug.cgi?id=90209
437
438         Reviewed by Gavin Barraclough.
439         
440         Don't attempt to short-circuit Phantom(GetLocal) if the GetLocal is for a
441         captured variable.
442
443         * dfg/DFGCFGSimplificationPhase.cpp:
444         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
445
446 2012-06-30  Zan Dobersek  <zandobersek@gmail.com>
447
448         Unreviewed, rolling out r121605.
449         http://trac.webkit.org/changeset/121605
450         https://bugs.webkit.org/show_bug.cgi?id=90336
451
452         Changes caused flaky crashes in sputnik/Unicode tests on Apple
453         WK1 and GTK Linux builders
454
455         * interpreter/Interpreter.cpp:
456         (JSC::Interpreter::privateExecute):
457         * jit/JIT.cpp:
458         (JSC::JIT::privateCompileSlowCases):
459         * jit/JIT.h:
460         * jit/JITInlineMethods.h:
461         (JSC::JIT::emitAllocateBasicJSObject):
462         (JSC::JIT::emitAllocateJSFinalObject):
463         (JSC):
464         (JSC::JIT::emitAllocateJSFunction):
465         * jit/JITOpcodes.cpp:
466         (JSC::JIT::emit_op_new_func):
467         (JSC::JIT::emitSlow_op_new_func):
468         (JSC):
469         (JSC::JIT::emit_op_new_func_exp):
470         (JSC::JIT::emitSlow_op_new_func_exp):
471         * runtime/JSFunction.cpp:
472         (JSC::JSFunction::finishCreation):
473         * runtime/JSObject.h:
474         (JSC::JSObject::isUsingInlineStorage):
475         (JSObject):
476         (JSC::JSObject::finishCreation):
477         (JSC):
478         (JSNonFinalObject):
479         (JSC::JSNonFinalObject::JSNonFinalObject):
480         (JSC::JSNonFinalObject::finishCreation):
481         (JSFinalObject):
482         (JSC::JSFinalObject::finishCreation):
483         (JSC::JSObject::offsetOfInlineStorage):
484         (JSC::JSObject::setPropertyStorage):
485         (JSC::Structure::isUsingInlineStorage):
486         (JSC::JSObject::putDirectInternal):
487         (JSC::JSObject::putDirectWithoutTransition):
488         (JSC::JSObject::transitionTo):
489         * runtime/Structure.cpp:
490         (JSC::Structure::Structure):
491         (JSC):
492         (JSC::Structure::growPropertyStorageCapacity):
493         (JSC::Structure::suggestedNewPropertyStorageSize):
494         * runtime/Structure.h:
495         (JSC::Structure::shouldGrowPropertyStorage):
496         (JSC::Structure::propertyStorageSize):
497
498 2012-06-29  Mark Hahnenberg  <mhahnenberg@apple.com>
499
500         Remove warning about protected values when the Heap is being destroyed
501         https://bugs.webkit.org/show_bug.cgi?id=90302
502
503         Reviewed by Geoffrey Garen.
504
505         Having to do book-keeping about whether values allocated from a certain 
506         VM are or are not protected makes the JSC API much more difficult to use 
507         correctly. Clients should be able to throw an entire VM away and not have 
508         to worry about unprotecting all of the values that they protected earlier.
509
510         * heap/Heap.cpp:
511         (JSC::Heap::lastChanceToFinalize):
512
513 2012-06-29  Filip Pizlo  <fpizlo@apple.com>
514
515         JSObject wastes too much memory on unused property slots
516         https://bugs.webkit.org/show_bug.cgi?id=90255
517
518         Reviewed by Mark Hahnenberg.
519         
520         This does a few things:
521         
522         - JSNonFinalObject no longer has inline property storage.
523         
524         - Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
525           or 2x the inline storage for JSFinalObject.
526         
527         - Property storage is only reallocated if it needs to be. Previously, we
528           would reallocate the property storage on any transition where the original
529           structure said shouldGrowProperyStorage(), but this led to spurious
530           reallocations when doing transitionless property adds and there are
531           deleted property slots available. That in turn led to crashes, because we
532           would switch to out-of-line storage even if the capacity matched the
533           criteria for inline storage.
534         
535         - Inline JSFunction allocation is killed off because we don't have a good
536           way of inlining property storage allocation. This didn't hurt performance.
537           Killing off code is better than fixing it if that code wasn't doing any
538           good.
539         
540         This looks like a 1% progression on V8.
541
542         * interpreter/Interpreter.cpp:
543         (JSC::Interpreter::privateExecute):
544         * jit/JIT.cpp:
545         (JSC::JIT::privateCompileSlowCases):
546         * jit/JIT.h:
547         * jit/JITInlineMethods.h:
548         (JSC::JIT::emitAllocateBasicJSObject):
549         (JSC):
550         * jit/JITOpcodes.cpp:
551         (JSC::JIT::emit_op_new_func):
552         (JSC):
553         (JSC::JIT::emit_op_new_func_exp):
554         * runtime/JSFunction.cpp:
555         (JSC::JSFunction::finishCreation):
556         * runtime/JSObject.h:
557         (JSC::JSObject::isUsingInlineStorage):
558         (JSObject):
559         (JSC::JSObject::finishCreation):
560         (JSC):
561         (JSC::JSNonFinalObject::hasInlineStorage):
562         (JSNonFinalObject):
563         (JSC::JSNonFinalObject::JSNonFinalObject):
564         (JSC::JSNonFinalObject::finishCreation):
565         (JSC::JSFinalObject::hasInlineStorage):
566         (JSC::JSFinalObject::finishCreation):
567         (JSC::JSObject::offsetOfInlineStorage):
568         (JSC::JSObject::setPropertyStorage):
569         (JSC::Structure::inlineStorageCapacity):
570         (JSC::Structure::isUsingInlineStorage):
571         (JSC::JSObject::putDirectInternal):
572         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
573         (JSC::JSObject::putDirectWithoutTransition):
574         * runtime/Structure.cpp:
575         (JSC::Structure::Structure):
576         (JSC::nextPropertyStorageCapacity):
577         (JSC):
578         (JSC::Structure::growPropertyStorageCapacity):
579         (JSC::Structure::suggestedNewPropertyStorageSize):
580         * runtime/Structure.h:
581         (JSC::Structure::putWillGrowPropertyStorage):
582         (Structure):
583
584 2012-06-28  Filip Pizlo  <fpizlo@apple.com>
585
586         DFG recompilation heuristics should be based on count, not rate
587         https://bugs.webkit.org/show_bug.cgi?id=90146
588
589         Reviewed by Oliver Hunt.
590         
591         This removes a bunch of code that was previously trying to prevent spurious
592         reoptimizations if a large enough majority of executions of a code block did
593         not result in OSR exit. It turns out that this code was purely harmful. This
594         patch removes all of that logic and replaces it with a dead-simple
595         heuristic: if you exit more than N times (where N is an exponential function
596         of the number of times the code block has already been recompiled) then we
597         will recompile.
598         
599         This appears to be a broad ~1% win on many benchmarks large and small.
600
601         * bytecode/CodeBlock.cpp:
602         (JSC::CodeBlock::CodeBlock):
603         * bytecode/CodeBlock.h:
604         (JSC::CodeBlock::osrExitCounter):
605         (JSC::CodeBlock::countOSRExit):
606         (CodeBlock):
607         (JSC::CodeBlock::addressOfOSRExitCounter):
608         (JSC::CodeBlock::offsetOfOSRExitCounter):
609         (JSC::CodeBlock::adjustedExitCountThreshold):
610         (JSC::CodeBlock::exitCountThresholdForReoptimization):
611         (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
612         (JSC::CodeBlock::shouldReoptimizeNow):
613         (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
614         * bytecode/ExecutionCounter.cpp:
615         (JSC::ExecutionCounter::setThreshold):
616         * bytecode/ExecutionCounter.h:
617         (ExecutionCounter):
618         (JSC::ExecutionCounter::clippedThreshold):
619         * dfg/DFGJITCompiler.cpp:
620         (JSC::DFG::JITCompiler::compileBody):
621         * dfg/DFGOSRExit.cpp:
622         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
623         * dfg/DFGOSRExitCompiler.cpp:
624         (JSC::DFG::OSRExitCompiler::handleExitCounts):
625         * dfg/DFGOperations.cpp:
626         * jit/JITStubs.cpp:
627         (JSC::DEFINE_STUB_FUNCTION):
628         * runtime/Options.cpp:
629         (Options):
630         (JSC::Options::initializeOptions):
631         * runtime/Options.h:
632         (Options):
633
634 2012-06-28  Mark Lam  <mark.lam@apple.com>
635
636         Adding a commenting utility to record BytecodeGenerator comments
637         with opcodes that are emitted.  Presently, the comments can only
638         be constant strings.  Adding comments for opcodes is optional.
639         If a comment is added, the comment will be printed following the
640         opcode when CodeBlock::dump() is called.
641
642         This utility is disabled by default, and is only meant for VM
643         development purposes.  It should not be enabled for product builds.
644
645         To enable this utility, set ENABLE_BYTECODE_COMMENTS in CodeBlock.h
646         to 1.
647
648         https://bugs.webkit.org/show_bug.cgi?id=90095
649
650         Reviewed by Geoffrey Garen.
651
652         * GNUmakefile.list.am:
653         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
654         * JavaScriptCore.xcodeproj/project.pbxproj:
655         * bytecode/CodeBlock.cpp:
656         (JSC::CodeBlock::dumpBytecodeCommentAndNewLine): Dumps the comment.
657         (JSC):
658         (JSC::CodeBlock::printUnaryOp): Add comment dumps.
659         (JSC::CodeBlock::printBinaryOp): Add comment dumps.
660         (JSC::CodeBlock::printConditionalJump): Add comment dumps.
661         (JSC::CodeBlock::printCallOp): Add comment dumps.
662         (JSC::CodeBlock::printPutByIdOp): Add comment dumps.
663         (JSC::CodeBlock::dump): Add comment dumps.
664         (JSC::CodeBlock::CodeBlock):
665         (JSC::CodeBlock::commentForBytecodeOffset):
666             Finds the comment for an opcode if available.
667         (JSC::CodeBlock::dumpBytecodeComments):
668             For debugging whether comments are collected.
669             It is not being called anywhere.
670         * bytecode/CodeBlock.h:
671         (CodeBlock):
672         (JSC::CodeBlock::bytecodeComments):
673         * bytecode/Comment.h: Added.
674         (JSC):
675         (Comment):
676         * bytecompiler/BytecodeGenerator.cpp:
677         (JSC::BytecodeGenerator::BytecodeGenerator):
678         (JSC::BytecodeGenerator::emitOpcode): Calls emitComment().
679         (JSC):
680         (JSC::BytecodeGenerator::emitComment): Adds comment to CodeBlock.
681         (JSC::BytecodeGenerator::prependComment):
682             Registers a comment for emitComemnt() to use later.
683         * bytecompiler/BytecodeGenerator.h:
684         (BytecodeGenerator):
685         (JSC::BytecodeGenerator::emitComment):
686         (JSC::BytecodeGenerator::prependComment):
687             These are inlined versions of these functions that nullify them
688             when ENABLE_BYTECODE_COMMENTS is 0.
689         (JSC::BytecodeGenerator::comments):
690
691 2012-06-28  Oliver Hunt  <oliver@apple.com>
692
693         32bit DFG incorrectly claims an fpr is fillable even if it has not been proven double
694         https://bugs.webkit.org/show_bug.cgi?id=90127
695
696         Reviewed by Filip Pizlo.
697
698         The 32-bit version of fillSpeculateDouble doesn't handle Number->fpr loads
699         correctly.  This patch fixes this by killing the fill info in the GenerationInfo
700         when the spillFormat doesn't guarantee the value is a double.
701
702         * dfg/DFGSpeculativeJIT32_64.cpp:
703         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
704
705 2012-06-28  Kent Tamura  <tkent@chromium.org>
706
707         Classify form control states by their owner forms
708         https://bugs.webkit.org/show_bug.cgi?id=89950
709
710         Reviewed by Hajime Morita.
711
712         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
713         Expose WTF::StringBuilder::canShrink()
714
715 2012-06-27  Michael Saboff  <msaboff@apple.com>
716
717         [Win] jscore-tests flakey
718         https://bugs.webkit.org/show_bug.cgi?id=88118
719
720         Reviewed by Jessie Berlin.
721
722         jsDriver.pl on Windows intermittently doesn't get the returned value from jsc,
723         instead it gets 126.  Added a new option to jsc (-x) which prints the exit
724         code before exiting.  jsDriver.pl uses this option on Windows and parses the
725         exit code output for the exit code, removing it before comparing the actual
726         and expected outputs.  Filed a follow-on "FIXME" defect:
727         [WIN] Intermittent failure for jsc return value to propagate through jsDriver.pl
728         https://bugs.webkit.org/show_bug.cgi?id=90119
729
730         * jsc.cpp:
731         (CommandLine::CommandLine):
732         (CommandLine):
733         (printUsageStatement):
734         (parseArguments):
735         (jscmain):
736         * tests/mozilla/jsDriver.pl:
737         (execute_tests):
738
739 2012-06-27  Sheriff Bot  <webkit.review.bot@gmail.com>
740
741         Unreviewed, rolling out r121359.
742         http://trac.webkit.org/changeset/121359
743         https://bugs.webkit.org/show_bug.cgi?id=90115
744
745         Broke many inspector tests (Requested by jpfau on #webkit).
746
747         * interpreter/Interpreter.h:
748         (JSC::StackFrame::toString):
749
750 2012-06-27  Filip Pizlo  <fpizlo@apple.com>
751
752         Javascript SHA-512 gives wrong hash on second and subsequent runs unless Web Inspector Javascript Debugging is on
753         https://bugs.webkit.org/show_bug.cgi?id=90053
754         <rdar://problem/11764613>
755
756         Reviewed by Mark Hahnenberg.
757         
758         The problem is that the code was assuming that the recovery should be Undefined if the source of
759         the SetLocal was !shouldGenerate(). But that's wrong, since the DFG optimizer may skip around a
760         UInt32ToNumber node (hence making it !shouldGenerate()) and keep the source of that node alive.
761         In that case we should base the recovery on the source of the UInt32ToNumber. The logic for this
762         was already in place but the fast check for !shouldGenerate() broke it.
763
764         * dfg/DFGSpeculativeJIT.cpp:
765         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
766
767 2012-06-27  Filip Pizlo  <fpizlo@apple.com>
768
769         DFG disassembly should be easier to read
770         https://bugs.webkit.org/show_bug.cgi?id=90106
771
772         Reviewed by Mark Hahnenberg.
773         
774         Did a few things:
775         
776         - Options::showDFGDisassembly now shows OSR exit disassembly as well.
777         
778         - Phi node dumping doesn't attempt to do line wrapping since it just made the dump harder
779           to read.
780         
781         - DFG graph disassembly view shows a few additional node types that turn out to be
782           essential for understanding OSR exits.
783         
784         Put together, these changes reinforce the philosophy that anything needed for computing
785         OSR exit is just as important as the machine code itself. Of course, we still don't take
786         that philosophy to its full extreme - for example Phantom nodes are not dumped. We may
787         revisit that in the future.
788
789         * assembler/LinkBuffer.cpp:
790         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
791         * assembler/LinkBuffer.h:
792         (JSC):
793         * dfg/DFGDisassembler.cpp:
794         (JSC::DFG::Disassembler::dump):
795         * dfg/DFGGraph.cpp:
796         (JSC::DFG::Graph::dumpBlockHeader):
797         * dfg/DFGNode.h:
798         (JSC::DFG::Node::willHaveCodeGenOrOSR):
799         * dfg/DFGOSRExitCompiler.cpp:
800         * jit/JIT.cpp:
801         (JSC::JIT::privateCompile):
802
803 2012-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
804
805         JSLock should be per-JSGlobalData
806         https://bugs.webkit.org/show_bug.cgi?id=89123
807
808         Reviewed by Geoffrey Garen.
809
810         * API/APIShims.h:
811         (APIEntryShimWithoutLock):
812         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to 
813         determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the 
814         HeapTimer class because timerDidFire could run after somebody has started to tear down that particular 
815         JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after 
816         its destruction has begun. 
817         (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
818         (JSC::APIEntryShim::APIEntryShim):
819         (APIEntryShim):
820         (JSC::APIEntryShim::~APIEntryShim):
821         (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
822         Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
823         and before we've released it, which can only be done in APIEntryShim.
824         (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
825         * API/JSContextRef.cpp:
826         (JSGlobalContextCreate):
827         (JSGlobalContextCreateInGroup):
828         (JSGlobalContextRelease):
829         (JSContextCreateBacktrace):
830         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
831         * heap/CopiedSpace.cpp:
832         (JSC::CopiedSpace::tryAllocateSlowCase):
833         * heap/Heap.cpp:
834         (JSC::Heap::protect):
835         (JSC::Heap::unprotect):
836         (JSC::Heap::collect):
837         (JSC::Heap::setActivityCallback):
838         (JSC::Heap::activityCallback):
839         (JSC::Heap::sweeper):
840         * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they 
841         are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
842         and the IncrementalSweeper to make sure they're the last things that get initialized during construction to 
843         prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
844         (Heap):
845         * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
846         (JSC::HeapTimer::~HeapTimer):
847         (JSC::HeapTimer::invalidate):
848         (JSC):
849         (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread 
850         that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the 
851         HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
852         (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zero-ed
853         out, then we know the VM has started to shut down and we should kill ourselves. Otherwise, grab the APIEntryShim,
854         but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case 
855         we were interrupted between releasing our mutex and trying to grab the APILock.
856         * heap/HeapTimer.h:
857         (HeapTimer):
858         * heap/IncrementalSweeper.cpp:
859         (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles 
860         all of that for us. 
861         (JSC::IncrementalSweeper::create):
862         * heap/IncrementalSweeper.h:
863         (IncrementalSweeper):
864         * heap/MarkedAllocator.cpp:
865         (JSC::MarkedAllocator::allocateSlowCase):
866         * heap/WeakBlock.cpp:
867         (JSC::WeakBlock::reap):
868         * jsc.cpp:
869         (functionGC):
870         (functionReleaseExecutableMemory):
871         (jscmain):
872         * runtime/Completion.cpp:
873         (JSC::checkSyntax):
874         (JSC::evaluate):
875         * runtime/GCActivityCallback.h:
876         (DefaultGCActivityCallback):
877         (JSC::DefaultGCActivityCallback::create):
878         * runtime/JSGlobalData.cpp:
879         (JSC::JSGlobalData::JSGlobalData):
880         (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
881         that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity 
882         it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the 
883         APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
884         (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
885         (JSC::JSGlobalData::sharedInstanceInternal):
886         * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and 
887         de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
888         (JSGlobalData):
889         (JSC::JSGlobalData::apiLock):
890         * runtime/JSGlobalObject.cpp:
891         (JSC::JSGlobalObject::~JSGlobalObject):
892         (JSC::JSGlobalObject::init):
893         * runtime/JSLock.cpp:
894         (JSC):
895         (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
896         (JSC::GlobalJSLock::~GlobalJSLock):
897         (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that 
898         it can successfully unlock it later without it disappearing from underneath it.
899         (JSC::JSLockHolder::~JSLockHolder):
900         (JSC::JSLock::JSLock):
901         (JSC::JSLock::~JSLock):
902         (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for 
903         actually waiting for long periods. 
904         (JSC::JSLock::unlock):
905         (JSC::JSLock::currentThreadIsHoldingLock):
906         (JSC::JSLock::dropAllLocks):
907         (JSC::JSLock::dropAllLocksUnconditionally):
908         (JSC::JSLock::grabAllLocks):
909         (JSC::JSLock::DropAllLocks::DropAllLocks):
910         (JSC::JSLock::DropAllLocks::~DropAllLocks):
911         * runtime/JSLock.h:
912         (JSC):
913         (GlobalJSLock):
914         (JSLockHolder):
915         (JSLock):
916         (DropAllLocks):
917         * runtime/WeakGCMap.h:
918         (JSC::WeakGCMap::set):
919         * testRegExp.cpp:
920         (realMain):
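
The following is an added example, not WebKit's code, that models the locking and shutdown design described in the two "JSLock should be per-JSGlobalData" entries (this 2012-06-25 landing and the earlier 2012-06-20 one): a re-entrant per-VM lock whose owner and count fields are guarded by a spin lock while a mutex does the actual waiting, an RAII holder that refs the VM so it survives until unlock, and a ref-from-nonzero check that refuses to bring a ref count from 0 back to 1, which is the resurrection (use-after-free) the HeapTimer change guards against. VM, VMLock, VMLockHolder and tryRef are hypothetical stand-ins for JSGlobalData, JSLock, JSLockHolder and the "don't ref" constructor parameter; the counter workload and thread counts are constructed for the demonstration.

```cpp
#include <atomic>
#include <cassert>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical stand-in for JSGlobalData: a VM with a thread-safe ref count.
struct VM {
    std::atomic<int> refCount{1};
    void ref() { refCount.fetch_add(1, std::memory_order_relaxed); }
    bool deref() { return refCount.fetch_sub(1, std::memory_order_acq_rel) == 1; } // true on last ref

    // Increments only from a non-zero count: a late-firing timer must never take
    // the count from 0 back to 1 once destruction has begun (a use-after-free).
    bool tryRef() {
        int current = refCount.load(std::memory_order_relaxed);
        while (current != 0) {
            if (refCount.compare_exchange_weak(current, current + 1, std::memory_order_acquire))
                return true;
        }
        return false;
    }
};

// Re-entrant per-VM lock (stand-in for JSLock): a spin lock guards the owner and
// count fields; the mutex does the real blocking so waiters sleep rather than spin.
class VMLock {
public:
    void lock() {
        const std::thread::id self = std::this_thread::get_id();
        spinLock();
        if (m_lockCount > 0 && m_owner == self) { ++m_lockCount; spinUnlock(); return; } // re-entrant
        spinUnlock();
        m_mutex.lock(); // may block until the current owner fully releases
        spinLock();
        m_owner = self;
        m_lockCount = 1;
        spinUnlock();
    }

    void unlock() {
        spinLock();
        assert(m_lockCount > 0 && m_owner == std::this_thread::get_id());
        const bool released = (--m_lockCount == 0);
        if (released) m_owner = std::thread::id();
        spinUnlock();
        if (released) m_mutex.unlock(); // only the owning thread gets here, as std::mutex requires
    }

    unsigned lockCount() { spinLock(); unsigned n = m_lockCount; spinUnlock(); return n; }

private:
    void spinLock() { while (m_spin.test_and_set(std::memory_order_acquire)) { } }
    void spinUnlock() { m_spin.clear(std::memory_order_release); }
    std::atomic_flag m_spin = ATOMIC_FLAG_INIT;
    std::mutex m_mutex;
    std::thread::id m_owner;
    unsigned m_lockCount = 0;
};

// Stand-in for JSLockHolder: refs the VM so it cannot vanish before unlock() runs.
class VMLockHolder {
public:
    VMLockHolder(VM& vm, VMLock& lock) : m_vm(vm), m_lock(lock) { m_vm.ref(); m_lock.lock(); }
    ~VMLockHolder() { m_lock.unlock(); m_vm.deref(); }
private:
    VM& m_vm;
    VMLock& m_lock;
};

// Constructed workload: several threads bump one counter, each taking the lock
// twice (nested holders) to exercise re-entrancy under contention. Returns -1 if
// the lock is still held afterwards, which must not happen.
int contendedIncrements(int threads, int perThread) {
    VM vm;
    VMLock lock;
    int counter = 0;
    std::vector<std::thread> pool;
    for (int t = 0; t < threads; ++t) {
        pool.emplace_back([&] {
            for (int i = 0; i < perThread; ++i) {
                VMLockHolder outer(vm, lock);
                VMLockHolder inner(vm, lock); // same thread: count goes to 2, no deadlock
                ++counter;
            }
        });
    }
    for (auto& t : pool) t.join();
    return lock.lockCount() == 0 ? counter : -1;
}

// The timer race from the entry: once the owner drops the last reference, a late
// timer firing must be refused a ref instead of resurrecting the dead VM.
bool timerCannotResurrectDeadVM() {
    VM vm;                                    // refCount == 1, held by the owner
    const bool refedWhileAlive = vm.tryRef(); // timer fires while the VM lives
    vm.deref();                               // timer finished its work
    const bool ownerDroppedLast = vm.deref(); // owner releases; destruction begins
    const bool refedAfterDeath = vm.tryRef(); // late timer: must be refused
    return refedWhileAlive && ownerDroppedLast && !refedAfterDeath;
}
```

The split between the spin lock and the mutex matters: the spin lock is held only for a few field updates, so it never sleeps while holding it, and the mutex is always unlocked by the thread that locked it, which is what std::mutex requires. The tryRef() loop is the piece that makes timerDidFire safe: a compare-and-swap that gives up at zero cannot revive an object whose destructor has already started.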
921
922 2012-06-27  Filip Pizlo  <fpizlo@apple.com>
923
924         x86 disassembler confuses immediates with addresses
925         https://bugs.webkit.org/show_bug.cgi?id=90099
926
927         Reviewed by Mark Hahnenberg.
928         
929         Prepend "$" to immediates to disambiguate between immediates and addresses. This is in
930         accordance with the gas and AT&T syntax.
931
932         * disassembler/udis86/udis86_syn-att.c:
933         (gen_operand):
934
935 2012-06-27  Filip Pizlo  <fpizlo@apple.com>
936
937         Add a comment clarifying Options::showDisassembly versus Options::showDFGDisassembly.
938
939         Rubber stamped by Mark Hahnenberg.
940
941         * runtime/Options.cpp:
942         (JSC::Options::initializeOptions):
943
944 2012-06-27  Anthony Scian  <ascian@rim.com>
945
946         Web Inspector [JSC]: Implement ScriptCallStack::stackTrace
947         https://bugs.webkit.org/show_bug.cgi?id=40118
948
949         Reviewed by Yong Li.
950
951         Added member functions to expose function name, urlString, and line #.
952         Refactored toString to make use of these member functions to reduce
953         duplicated code for future maintenance.
954
955         Manually tested refactoring of toString by tracing thrown exceptions.
956
957         * interpreter/Interpreter.h:
958         (StackFrame):
959         (JSC::StackFrame::toString):
960         (JSC::StackFrame::friendlySourceURL):
961         (JSC::StackFrame::friendlyFunctionName):
962         (JSC::StackFrame::friendlyLineNumber):
963
964 2012-06-27  Oswald Buddenhagen  <oswald.buddenhagen@nokia.com>
965
966         [Qt] Remove redundant c++11 warning suppression code
967
968         This is already handled in default_post.
969
970         Reviewed by Tor Arne Vestbø.
971
972         * Target.pri:
973
974 2012-06-26  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>
975
976         [Qt] Add missing headers to HEADERS
977
978         For JavaScriptCore there aren't any Qt specific files, so we include all
979         headers for easy editing in Qt Creator.
980
981         Reviewed by Simon Hausmann.
982
983         * Target.pri:
984
985 2012-06-26  Dominic Cooney  <dominicc@chromium.org>
986
987         [Chromium] Remove unused build scripts and empty folders for JavaScriptCore w/ gyp
988         https://bugs.webkit.org/show_bug.cgi?id=90029
989
990         Reviewed by Adam Barth.
991
992         * gyp: Removed.
993         * gyp/generate-derived-sources.sh: Removed.
994         * gyp/generate-dtrace-header.sh: Removed.
995         * gyp/run-if-exists.sh: Removed.
996         * gyp/update-info-plist.sh: Removed.
997
998 2012-06-26  Geoffrey Garen  <ggaren@apple.com>
999
1000         Reduced (but did not eliminate) use of "berzerker GC"
1001         https://bugs.webkit.org/show_bug.cgi?id=89237
1002
1003         Reviewed by Gavin Barraclough.
1004
1005         (PART 2)
1006
1007         This part turns off "berzerker GC" and turns on incremental shrinking.
1008
1009         * heap/IncrementalSweeper.cpp:
1010         (JSC::IncrementalSweeper::doSweep): Free or shrink after sweeping to
1011         maintain the behavior we used to get from the occasional berzerker GC,
1012         which would run all finalizers and then free or shrink all blocks
1013         synchronously.
1014
1015         * heap/MarkedBlock.h:
1016         (JSC::MarkedBlock::needsSweeping): Sweep zapped blocks, too. It's always
1017         safe to sweep a zapped block (that's the point of zapping), and it's
1018         sometimes profitable. For example, consider this case: Block A does some
1019         allocation (transitioning Block A from Marked to FreeListed), then GC
1020         happens (transitioning Block A to Zapped), then all objects in Block A
1021         are free, then the incremental sweeper visits Block A. If we skipped
1022         Zapped blocks, we'd skip Block A, even though it would be profitable to
1023         run its destructors and free its memory.
1024
1025         * runtime/GCActivityCallback.cpp:
1026         (JSC::DefaultGCActivityCallback::doWork): Don't sweep eagerly; we'll do
1027         this incrementally.
1028
1029 2012-06-26  Filip Pizlo  <fpizlo@apple.com>
1030
1031         DFG PutByValAlias is too aggressive
1032         https://bugs.webkit.org/show_bug.cgi?id=90026
1033         <rdar://problem/11751830>
1034
1035         Reviewed by Gavin Barraclough.
1036         
1037         For CSE on normal arrays, we now treat PutByVal as impure. This does not appear to affect
1038         performance by much.
1039         
1040         For CSE on typed arrays, we fix PutByValAlias by making GetByVal speculate that the access
1041         is within bounds. This also has the effect of making our out-of-bounds handling consistent
1042         with WebCore.
1043
1044         * dfg/DFGCSEPhase.cpp:
1045         (JSC::DFG::CSEPhase::performNodeCSE):
1046         * dfg/DFGGraph.h:
1047         (JSC::DFG::Graph::byValIsPure):
1048         (JSC::DFG::Graph::clobbersWorld):
1049         * dfg/DFGNodeType.h:
1050         (DFG):
1051         * dfg/DFGSpeculativeJIT.cpp:
1052         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1053         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1054
1055 2012-06-26  Yong Li  <yoli@rim.com>
1056
1057         [BlackBerry] Add JSC statistics into about:memory
1058         https://bugs.webkit.org/show_bug.cgi?id=89779
1059
1060         Reviewed by Rob Buis.
1061
1062         Fix non-JIT build on BlackBerry broken by r121196.
1063
1064         * runtime/MemoryStatistics.cpp:
1065         (JSC::globalMemoryStatistics):
1066
1067 2012-06-25  Filip Pizlo  <fpizlo@apple.com>
1068
1069         DFG::operationNewArray is unnecessarily slow, and may use the wrong array
1070         prototype when inlined
1071         https://bugs.webkit.org/show_bug.cgi?id=89821
1072
1073         Reviewed by Geoffrey Garen.
1074         
1075         Fixes all array allocations to use the right structure, and hence the right prototype. Adds
1076         inlining of new Array(...) with a non-zero number of arguments. Optimizes allocations of
1077         empty arrays.
1078
1079         * dfg/DFGAbstractState.cpp:
1080         (JSC::DFG::AbstractState::execute):
1081         * dfg/DFGByteCodeParser.cpp:
1082         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1083         * dfg/DFGCCallHelpers.h:
1084         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1085         (CCallHelpers):
1086         * dfg/DFGNodeType.h:
1087         (DFG):
1088         * dfg/DFGOperations.cpp:
1089         * dfg/DFGOperations.h:
1090         * dfg/DFGPredictionPropagationPhase.cpp:
1091         (JSC::DFG::PredictionPropagationPhase::propagate):
1092         * dfg/DFGSpeculativeJIT.h:
1093         (JSC::DFG::SpeculativeJIT::callOperation):
1094         * dfg/DFGSpeculativeJIT32_64.cpp:
1095         (JSC::DFG::SpeculativeJIT::compile):
1096         * dfg/DFGSpeculativeJIT64.cpp:
1097         (JSC::DFG::SpeculativeJIT::compile):
1098         * runtime/JSArray.h:
1099         (JSC):
1100         (JSC::constructArray):
1101         * runtime/JSGlobalObject.h:
1102         (JSC):
1103         (JSC::constructArray):
1104
1105 2012-06-26  Filip Pizlo  <fpizlo@apple.com>
1106
1107         New fast/js/dfg-store-unexpected-value-into-argument-and-osr-exit.html fails on 32 bit
1108         https://bugs.webkit.org/show_bug.cgi?id=89953
1109
1110         Reviewed by Zoltan Herczeg.
1111         
1112         DFG 32-bit JIT was confused about the difference between a predicted type and a
1113         proven type. This is easy to get confused about, since a local that is predicted int32
1114         almost always means that the local must be an int32 since speculations are hoisted to
1115         stores to locals. But that is less likely to be the case for arguments, where there is
1116         an additional least-upper-bounding step: any store to an argument with a weird type
1117         may force the argument to be any type.
1118         
1119         This patch basically duplicates the functionality in DFGSpeculativeJIT64.cpp for
1120         GetLocal: the decision of whether to load a local as an int32 (or as an array, or as
1121         a boolean) is made based on the AbstractValue::m_type, which is a type proof, rather
1122         than the VariableAccessData::prediction(), which is a predicted type.
1123
1124         * dfg/DFGSpeculativeJIT32_64.cpp:
1125         (JSC::DFG::SpeculativeJIT::compile):
1126
1127 2012-06-25  Filip Pizlo  <fpizlo@apple.com>
1128
1129         JSC should try to make profiling deterministic because otherwise reproducing failures is
1130         nearly impossible
1131         https://bugs.webkit.org/show_bug.cgi?id=89940
1132
1133         Rubber stamped by Gavin Barraclough.
1134         
1135         This rolls out the part of http://trac.webkit.org/changeset/121215 that introduced randomness
1136         into the system. Now, instead of randomizing the tier-up threshold, we always set it to an
1137         artificially low (and statically predetermined!) value. This gives most of the benefit of
1138         threshold randomization without actually making the system behave completely differently on
1139         each invocation.
1140
1141         * bytecode/ExecutionCounter.cpp:
1142         (JSC::ExecutionCounter::setThreshold):
1143         * runtime/Options.cpp:
1144         (Options):
1145         (JSC::Options::initializeOptions):
1146         * runtime/Options.h:
1147         (Options):
1148
1149 2012-06-22  Filip Pizlo  <fpizlo@apple.com>
1150
1151         Value profiling should use tier-up threshold randomization to get more coverage
1152         https://bugs.webkit.org/show_bug.cgi?id=89802
1153
1154         Reviewed by Gavin Barraclough.
1155         
1156         This patch causes both LLInt and Baseline JIT code to take the OSR slow path several
1157         times before actually doing OSR. If we take the OSR slow path before the execution
1158         count threshold is reached, then we just call CodeBlock::updateAllPredictions() to
1159         compute the current latest least-upper-bound SpecType of all values seen in each
1160         ValueProfile.
1161
1162         * bytecode/CodeBlock.cpp:
1163         (JSC::CodeBlock::stronglyVisitStrongReferences):
1164         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1165         (JSC):
1166         (JSC::CodeBlock::updateAllPredictions):
1167         (JSC::CodeBlock::shouldOptimizeNow):
1168         * bytecode/CodeBlock.h:
1169         (JSC::CodeBlock::llintExecuteCounter):
1170         (JSC::CodeBlock::jitExecuteCounter):
1171         (CodeBlock):
1172         (JSC::CodeBlock::updateAllPredictions):
1173         * bytecode/ExecutionCounter.cpp:
1174         (JSC::ExecutionCounter::setThreshold):
1175         (JSC::ExecutionCounter::status):
1176         (JSC):
1177         * bytecode/ExecutionCounter.h:
1178         (JSC::ExecutionCounter::count):
1179         (ExecutionCounter):
1180         * dfg/DFGAbstractState.cpp:
1181         (JSC::DFG::AbstractState::execute):
1182         * dfg/DFGOperations.cpp:
1183         * dfg/DFGSpeculativeJIT.cpp:
1184         (JSC::DFG::SpeculativeJIT::compile):
1185         * jit/JITStubs.cpp:
1186         (JSC::DEFINE_STUB_FUNCTION):
1187         * llint/LLIntSlowPaths.cpp:
1188         (JSC::LLInt::jitCompileAndSetHeuristics):
1189         (JSC::LLInt::entryOSR):
1190         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1191         * runtime/JSGlobalObject.cpp:
1192         (JSC::JSGlobalObject::JSGlobalObject):
1193         (JSC):
1194         * runtime/JSGlobalObject.h:
1195         (JSGlobalObject):
1196         (JSC::JSGlobalObject::weakRandomInteger):
1197         * runtime/Options.cpp:
1198         (Options):
1199         (JSC::Options::initializeOptions):
1200         * runtime/Options.h:
1201         (Options):
1202         * runtime/WeakRandom.h:
1203         (WeakRandom):
1204         (JSC::WeakRandom::seedUnsafe):
1205
1206 2012-06-25  Yong Li  <yoli@rim.com>
1207
1208         [BlackBerry] Add JSC statistics into about:memory
1209         https://bugs.webkit.org/show_bug.cgi?id=89779
1210
1211         Reviewed by Rob Buis.
1212
1213         Add MemoryStatistics.cpp into build, and fill JITBytes for BlackBerry port.
1214
1215         * PlatformBlackBerry.cmake:
1216         * runtime/MemoryStatistics.cpp:
1217         (JSC::globalMemoryStatistics):
1218
1219 2012-06-23  Sheriff Bot  <webkit.review.bot@gmail.com>
1220
1221         Unreviewed, rolling out r121058.
1222         http://trac.webkit.org/changeset/121058
1223         https://bugs.webkit.org/show_bug.cgi?id=89809
1224
1225         Patch causes plugins tests to crash in GTK debug builds
1226         (Requested by zdobersek on #webkit).
1227
1228         * API/APIShims.h:
1229         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
1230         (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
1231         (APIEntryShimWithoutLock):
1232         (JSC::APIEntryShim::APIEntryShim):
1233         (APIEntryShim):
1234         (JSC::APICallbackShim::~APICallbackShim):
1235         * API/JSContextRef.cpp:
1236         (JSGlobalContextCreate):
1237         (JSGlobalContextCreateInGroup):
1238         (JSGlobalContextRelease):
1239         (JSContextCreateBacktrace):
1240         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1241         * heap/CopiedSpace.cpp:
1242         (JSC::CopiedSpace::tryAllocateSlowCase):
1243         * heap/Heap.cpp:
1244         (JSC::Heap::protect):
1245         (JSC::Heap::unprotect):
1246         (JSC::Heap::collect):
1247         (JSC::Heap::setActivityCallback):
1248         (JSC::Heap::activityCallback):
1249         (JSC::Heap::sweeper):
1250         * heap/Heap.h:
1251         (Heap):
1252         * heap/HeapTimer.cpp:
1253         (JSC::HeapTimer::~HeapTimer):
1254         (JSC::HeapTimer::invalidate):
1255         (JSC::HeapTimer::timerDidFire):
1256         (JSC):
1257         * heap/HeapTimer.h:
1258         (HeapTimer):
1259         * heap/IncrementalSweeper.cpp:
1260         (JSC::IncrementalSweeper::doWork):
1261         (JSC::IncrementalSweeper::create):
1262         * heap/IncrementalSweeper.h:
1263         (IncrementalSweeper):
1264         * heap/MarkedAllocator.cpp:
1265         (JSC::MarkedAllocator::allocateSlowCase):
1266         * heap/WeakBlock.cpp:
1267         (JSC::WeakBlock::reap):
1268         * jsc.cpp:
1269         (functionGC):
1270         (functionReleaseExecutableMemory):
1271         (jscmain):
1272         * runtime/Completion.cpp:
1273         (JSC::checkSyntax):
1274         (JSC::evaluate):
1275         * runtime/GCActivityCallback.h:
1276         (DefaultGCActivityCallback):
1277         (JSC::DefaultGCActivityCallback::create):
1278         * runtime/JSGlobalData.cpp:
1279         (JSC::JSGlobalData::JSGlobalData):
1280         (JSC::JSGlobalData::~JSGlobalData):
1281         (JSC::JSGlobalData::sharedInstance):
1282         (JSC::JSGlobalData::sharedInstanceInternal):
1283         * runtime/JSGlobalData.h:
1284         (JSGlobalData):
1285         * runtime/JSGlobalObject.cpp:
1286         (JSC::JSGlobalObject::~JSGlobalObject):
1287         (JSC::JSGlobalObject::init):
1288         * runtime/JSLock.cpp:
1289         (JSC):
1290         (JSC::createJSLockCount):
1291         (JSC::JSLock::lockCount):
1292         (JSC::setLockCount):
1293         (JSC::JSLock::JSLock):
1294         (JSC::JSLock::lock):
1295         (JSC::JSLock::unlock):
1296         (JSC::JSLock::currentThreadIsHoldingLock):
1297         (JSC::JSLock::DropAllLocks::DropAllLocks):
1298         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1299         * runtime/JSLock.h:
1300         (JSC):
1301         (JSLock):
1302         (JSC::JSLock::JSLock):
1303         (JSC::JSLock::~JSLock):
1304         (DropAllLocks):
1305         * runtime/WeakGCMap.h:
1306         (JSC::WeakGCMap::set):
1307         * testRegExp.cpp:
1308         (realMain):
1309
1310 2012-06-22  Alexandru Chiculita  <achicu@adobe.com>
1311
1312         [CSS Shaders] Re-enable the CSS Shaders compile time flag on Safari Mac
1313         https://bugs.webkit.org/show_bug.cgi?id=89781
1314
1315         Reviewed by Dean Jackson.
1316
1317         Added ENABLE_CSS_SHADERS flag as enabled by default on Safari for Mac.
1318
1319         * Configurations/FeatureDefines.xcconfig:
1320
1321 2012-06-22  Filip Pizlo  <fpizlo@apple.com>
1322
1323         DFG tier-up should happen in prologues, not epilogues
1324         https://bugs.webkit.org/show_bug.cgi?id=89752
1325
1326         Reviewed by Geoffrey Garen.
1327
1328         This change has two outcomes:
1329         
1330         1) Slightly reduces the likelihood that a function will be optimized both
1331         standalone and via inlining.  Previously, if you had a call sequence like foo() 
1332         calls bar() exactly once, and nobody else calls bar(), then bar() would get
1333         optimized first (because it returns first) and then foo() gets optimized.  If foo()
1334         can inline bar() then that means that bar() gets optimized twice.  But now, if we
1335         optimize in prologues, then foo() will be optimized first.  If it inlines bar(),
1336         that means that there will no longer be any calls to bar().
1337         
1338         2) It lets us kill some code in JITStubs.  Epilogue tier-up was very different from
1339         loop tier-up, since epilogue tier-up should not attempt OSR.  But prologue tier-up
1340         requires OSR (albeit really easy OSR since it's the top of the compilation unit),
1341         so it becomes just like loop tier-up.  As a result, we now have one optimization
1342         hook (cti_optimize) instead of two (cti_optimize_from_loop and
1343         cti_optimize_from_ret).
1344         
1345         As a consequence of not having an optimization check in epilogues, the OSR exit
1346         code must now trigger reoptimization itself instead of just signaling the epilogue
1347         check to fire.
1348         
1349         This also adds the ability to count the number of DFG compilations, which was
1350         useful for debugging this patch and might be useful for other things in the future.
1351
1352         * bytecode/CodeBlock.cpp:
1353         (JSC::CodeBlock::reoptimize):
1354         (JSC):
1355         * bytecode/CodeBlock.h:
1356         (CodeBlock):
1357         * dfg/DFGByteCodeParser.cpp:
1358         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1359         * dfg/DFGDriver.cpp:
1360         (DFG):
1361         (JSC::DFG::getNumCompilations):
1362         (JSC::DFG::compile):
1363         * dfg/DFGDriver.h:
1364         (DFG):
1365         * dfg/DFGOSRExitCompiler.cpp:
1366         (JSC::DFG::OSRExitCompiler::handleExitCounts):
1367         * dfg/DFGOperations.cpp:
1368         * dfg/DFGOperations.h:
1369         * jit/JIT.cpp:
1370         (JSC::JIT::emitOptimizationCheck):
1371         * jit/JIT.h:
1372         * jit/JITCall32_64.cpp:
1373         (JSC::JIT::emit_op_ret):
1374         (JSC::JIT::emit_op_ret_object_or_this):
1375         * jit/JITOpcodes.cpp:
1376         (JSC::JIT::emit_op_ret):
1377         (JSC::JIT::emit_op_ret_object_or_this):
1378         (JSC::JIT::emit_op_enter):
1379         * jit/JITOpcodes32_64.cpp:
1380         (JSC::JIT::emit_op_enter):
1381         * jit/JITStubs.cpp:
1382         (JSC::DEFINE_STUB_FUNCTION):
1383         * jit/JITStubs.h:
1384
1385 2012-06-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1386
1387         JSLock should be per-JSGlobalData
1388         https://bugs.webkit.org/show_bug.cgi?id=89123
1389
1390         Reviewed by Gavin Barraclough.
1391
1392         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1393         * API/APIShims.h:
1394         (APIEntryShimWithoutLock):
1395         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to 
1396         determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the 
1397         HeapTimer class because timerDidFire could run after somebody has started to tear down that particular 
1398         JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after 
1399         its destruction has begun. 
1400         (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock): Now derefs if it also refed.
1401         (JSC::APIEntryShim::APIEntryShim):
1402         (APIEntryShim):
1403         (JSC::APIEntryShim::~APIEntryShim):
1404         (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
1405         Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
1406         and before we've released it, which can only be done in APIEntryShim.
1407         (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
1408         * API/JSContextRef.cpp:
1409         (JSGlobalContextCreate):
1410         (JSGlobalContextCreateInGroup):
1411         (JSGlobalContextRelease):
1412         (JSContextCreateBacktrace):
1413         * heap/CopiedSpace.cpp:
1414         (JSC::CopiedSpace::tryAllocateSlowCase):
1415         * heap/Heap.cpp:
1416         (JSC::Heap::protect):
1417         (JSC::Heap::unprotect):
1418         (JSC::Heap::collect):
1419         (JSC::Heap::setActivityCallback):
1420         (JSC::Heap::activityCallback):
1421         (JSC::Heap::sweeper):
1422         * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they 
1423         are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
1424         and the IncrementalSweeper to make sure they're the last things that get initialized during construction to 
1425         prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
1426         (Heap):
1427         * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
1428         (JSC::HeapTimer::~HeapTimer):
1429         (JSC::HeapTimer::invalidate):
1430         (JSC):
1431         (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread 
1432         that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the 
1433         HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
1434         (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zeroed
1435         out, then we know the VM has started to shut down and we should kill ourselves. Otherwise, grab the APIEntryShim,
1436         but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case
1437         we were interrupted between releasing our mutex and trying to grab the APILock.
1438         * heap/HeapTimer.h: 
1439         (HeapTimer):
1440         * heap/IncrementalSweeper.cpp:
1441         (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles 
1442         all of that for us. 
1443         (JSC::IncrementalSweeper::create):
1444         * heap/IncrementalSweeper.h:
1445         (IncrementalSweeper):
1446         * heap/MarkedAllocator.cpp:
1447         (JSC::MarkedAllocator::allocateSlowCase):
1448         * heap/WeakBlock.cpp:
1449         (JSC::WeakBlock::reap):
1450         * jsc.cpp:
1451         (functionGC):
1452         (functionReleaseExecutableMemory):
1453         (jscmain):
1454         * runtime/Completion.cpp:
1455         (JSC::checkSyntax):
1456         (JSC::evaluate):
1457         * runtime/GCActivityCallback.h:
1458         (DefaultGCActivityCallback):
1459         (JSC::DefaultGCActivityCallback::create):
1460         * runtime/JSGlobalData.cpp:
1461         (JSC::JSGlobalData::JSGlobalData):
1462         (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
1463         that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity 
1464         it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the 
1465         APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
1466         (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
1467         (JSC::JSGlobalData::sharedInstanceInternal):
1468         * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and
1469         de-refing JSGlobalDatas on separate threads since we don't do it that often anyway.
1470         (JSGlobalData):
1471         (JSC::JSGlobalData::apiLock):
1472         * runtime/JSGlobalObject.cpp:
1473         (JSC::JSGlobalObject::~JSGlobalObject):
1474         (JSC::JSGlobalObject::init):
1475         * runtime/JSLock.cpp:
1476         (JSC):
1477         (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
1478         (JSC::GlobalJSLock::~GlobalJSLock):
1479         (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that 
1480         it can successfully unlock it later without it disappearing from underneath it.
1481         (JSC::JSLockHolder::~JSLockHolder):
1482         (JSC::JSLock::JSLock):
1483         (JSC::JSLock::~JSLock):
1484         (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for 
1485         actually waiting for long periods. 
1486         (JSC::JSLock::unlock):
1487         (JSC::JSLock::currentThreadIsHoldingLock): 
1488         (JSC::JSLock::dropAllLocks):
1489         (JSC::JSLock::dropAllLocksUnconditionally):
1490         (JSC::JSLock::grabAllLocks):
1491         (JSC::JSLock::DropAllLocks::DropAllLocks):
1492         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1493         * runtime/JSLock.h:
1494         (JSC):
1495         (GlobalJSLock):
1496         (JSLockHolder):
1497         (JSLock):
1498         (DropAllLocks):
1499         * runtime/WeakGCMap.h:
1500         (JSC::WeakGCMap::set):
1501         * testRegExp.cpp:
1502         (realMain):
1503
1504 2012-06-22  Peter Beverloo  <peter@chromium.org>
1505
1506         [Chromium] Disable c++0x compatibility warnings in JavaScriptCore.gyp when building for Android
1507         https://bugs.webkit.org/show_bug.cgi?id=88853
1508
1509         Reviewed by Steve Block.
1510
1511         The Android exclusions were necessary to fix a gyp generation error, as
1512         the gcc_version variable wasn't being defined for Android. Remove these
1513         exceptions when Chromium is able to define the gcc_version variable.
1514
1515         * JavaScriptCore.gyp/JavaScriptCore.gyp:
1516
1517 2012-06-21  Filip Pizlo  <fpizlo@apple.com>
1518
1519         op_resolve_global should not prevent DFG inlining
1520         https://bugs.webkit.org/show_bug.cgi?id=89726
1521
1522         Reviewed by Gavin Barraclough.
1523
1524         * bytecode/CodeBlock.cpp:
1525         (JSC::CodeBlock::CodeBlock):
1526         (JSC::CodeBlock::shrinkToFit):
1527         * bytecode/GlobalResolveInfo.h:
1528         (JSC::GlobalResolveInfo::GlobalResolveInfo):
1529         (GlobalResolveInfo):
1530         * dfg/DFGByteCodeParser.cpp:
1531         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1532         * dfg/DFGCapabilities.h:
1533         (JSC::DFG::canInlineOpcode):
1534         * dfg/DFGOperations.cpp:
1535         * dfg/DFGOperations.h:
1536         * dfg/DFGSpeculativeJIT.h:
1537         (JSC::DFG::SpeculativeJIT::callOperation):
1538         * dfg/DFGSpeculativeJIT32_64.cpp:
1539         (JSC::DFG::SpeculativeJIT::compile):
1540         * dfg/DFGSpeculativeJIT64.cpp:
1541         (JSC::DFG::SpeculativeJIT::compile):
1542
1543 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1544
1545         DFG should inline 'new Array()'
1546         https://bugs.webkit.org/show_bug.cgi?id=89632
1547
1548         Reviewed by Geoffrey Garen.
1549         
1550         This adds support for treating InternalFunction like intrinsics. The code
1551         to do so is actually quite clean, so I don't feel bad about perpetuating
1552         the InternalFunction vs. JSFunction-with-NativeExecutable dichotomy.
1553         
1554         Currently this newfound power is only used to inline 'new Array()'.
1555         
1556         * dfg/DFGByteCodeParser.cpp:
1557         (ByteCodeParser):
1558         (JSC::DFG::ByteCodeParser::handleCall):
1559         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1560         (DFG):
1561         * dfg/DFGGraph.h:
1562         (JSC::DFG::Graph::isInternalFunctionConstant):
1563         (JSC::DFG::Graph::valueOfInternalFunctionConstant):
1564
1565 2012-06-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1566
1567         Adding copyrights to new files.
1568
1569         * heap/HeapTimer.cpp:
1570         * heap/HeapTimer.h:
1571         * heap/IncrementalSweeper.cpp:
1572         * heap/IncrementalSweeper.h:
1573
1574 2012-06-21  Arnaud Renevier  <arno@renevier.net>
1575
1576         make sure headers are included only once per file
1577         https://bugs.webkit.org/show_bug.cgi?id=88922
1578
1579         Reviewed by Alexey Proskuryakov.
1580
1581         * bytecode/CodeBlock.h:
1582         * heap/MachineStackMarker.cpp:
1583         * runtime/JSVariableObject.h:
1584
1585 2012-06-21  Ryuan Choi  <ryuan.choi@gmail.com>
1586
1587         [EFL][WK2] Make WebKit2/Efl headers and resources installable.
1588         https://bugs.webkit.org/show_bug.cgi?id=88207
1589
1590         Reviewed by Chang Shu.
1591
1592         * shell/CMakeLists.txt: Use ${EXEC_INSTALL_DIR} instead of hardcoding "bin"
1593
1594 2012-06-20  Geoffrey Garen  <ggaren@apple.com>
1595
1596         Reduced (but did not eliminate) use of "berzerker GC"
1597         https://bugs.webkit.org/show_bug.cgi?id=89237
1598
1599         Reviewed by Gavin Barraclough.
1600
1601         (PART 1)
1602
1603         This patch turned out to be crashy, so I'm landing the non-crashy bits
1604         first.
1605
1606         This part is pre-requisite refactoring. I didn't actually turn off
1607         "berzerker GC" or turn on incremental shrinking.
1608
1609         * heap/MarkedAllocator.cpp:
1610         (JSC::MarkedAllocator::removeBlock): Make sure to clear the free list when
1611         we throw away the block we're currently allocating out of. Otherwise, we'll
1612         allocate out of a stale free list.
1613
1614         * heap/MarkedSpace.cpp:
1615         (JSC::Free::Free):
1616         (JSC::Free::operator()):
1617         (JSC::Free::returnValue): Refactored this functor to use a shared helper
1618         function, so we can share our implementation with the incremental sweeper.
1619
1620         Also changed to freeing individual blocks immediately instead of linking
1621         them into a list for later freeing. This makes the programming interface
1622         simpler, and it's slightly more efficient to boot.
1623
1624         (JSC::MarkedSpace::~MarkedSpace): Updated for rename.
1625
1626         (JSC::MarkedSpace::freeBlock):
1627         (JSC::MarkedSpace::freeOrShrinkBlock): New helper functions to share behavior
1628         with the incremental sweeper.
1629
1630         (JSC::MarkedSpace::shrink): Updated for new functor behavior.
1631
1632         * heap/MarkedSpace.h: Statically typed languages are awesome.
1633
1634 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1635
1636         DFG should optimize ResolveGlobal
1637         https://bugs.webkit.org/show_bug.cgi?id=89617
1638
1639         Reviewed by Oliver Hunt.
1640         
1641         This adds inlining of ResolveGlobal accesses that are known monomorphic. It also
1642         adds the specific function optimization to ResolveGlobal, when it is inlined. And,
1643         it makes internal functions act like specific functions, since that will be the
1644         most common use-case of this optimization.
1645         
1646         This is only a slight speed-up (sub-1%), since we don't yet do the obvious thing
1647         with this optimization, which is to completely inline common "globally resolved"
1648         function and constructor calls, like "new Array()".
1649
1650         * CMakeLists.txt:
1651         * GNUmakefile.list.am:
1652         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1653         * JavaScriptCore.xcodeproj/project.pbxproj:
1654         * Target.pri:
1655         * bytecode/CodeBlock.cpp:
1656         (JSC::CodeBlock::globalResolveInfoForBytecodeOffset):
1657         * bytecode/CodeBlock.h:
1658         (CodeBlock):
1659         (JSC::CodeBlock::numberOfGlobalResolveInfos):
1660         * bytecode/GlobalResolveInfo.h:
1661         (JSC::getGlobalResolveInfoBytecodeOffset):
1662         (JSC):
1663         * bytecode/ResolveGlobalStatus.cpp: Added.
1664         (JSC):
1665         (JSC::computeForStructure):
1666         (JSC::computeForLLInt):
1667         (JSC::ResolveGlobalStatus::computeFor):
1668         * bytecode/ResolveGlobalStatus.h: Added.
1669         (JSC):
1670         (ResolveGlobalStatus):
1671         (JSC::ResolveGlobalStatus::ResolveGlobalStatus):
1672         (JSC::ResolveGlobalStatus::state):
1673         (JSC::ResolveGlobalStatus::isSet):
1674         (JSC::ResolveGlobalStatus::operator!):
1675         (JSC::ResolveGlobalStatus::isSimple):
1676         (JSC::ResolveGlobalStatus::takesSlowPath):
1677         (JSC::ResolveGlobalStatus::structure):
1678         (JSC::ResolveGlobalStatus::offset):
1679         (JSC::ResolveGlobalStatus::specificValue):
1680         * dfg/DFGByteCodeParser.cpp:
1681         (ByteCodeParser):
1682         (JSC::DFG::ByteCodeParser::handleGetByOffset):
1683         (DFG):
1684         (JSC::DFG::ByteCodeParser::handleGetById):
1685         (JSC::DFG::ByteCodeParser::parseBlock):
1686         * runtime/JSObject.cpp:
1687         (JSC::getCallableObjectSlow):
1688         (JSC):
1689         (JSC::JSObject::put):
1690         (JSC::JSObject::putDirectVirtual):
1691         (JSC::JSObject::putDirectAccessor):
1692         * runtime/JSObject.h:
1693         (JSC):
1694         (JSC::getCallableObject):
1695         (JSC::JSObject::putOwnDataProperty):
1696         (JSC::JSObject::putDirect):
1697         (JSC::JSObject::putDirectWithoutTransition):
1698
1699 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1700
1701         Functions on global objects should be specializable
1702         https://bugs.webkit.org/show_bug.cgi?id=89615
1703
1704         Reviewed by Oliver Hunt.
1705         
1706         I tested to see if this brought back the bug in https://bugs.webkit.org/show_bug.cgi?id=33343,
1707         and it didn't. Bug 33343 was the reason why we disabled global object function specialization
1708         to begin with. So I'm guessing this is safe.
1709
1710         * runtime/JSGlobalObject.cpp:
1711         (JSC::JSGlobalObject::init):
1712
1713 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1714
1715         build-webkit failure due to illegal 32-bit integer constants in code
1716         generated by offlineasm
1717         https://bugs.webkit.org/show_bug.cgi?id=89347
1718
1719         Reviewed by Geoffrey Garen.
1720         
1721         The offending constants are the magic numbers used by offlineasm to find
1722         offsets in the generated machine code. Added code to turn them into what
1723         the C++ compiler will believe to be valid 32-bit values.
1724
1725         * offlineasm/offsets.rb:
1726
1727 2012-06-19  Geoffrey Garen  <ggaren@apple.com>
1728
1729         Made the incremental sweeper more aggressive
1730         https://bugs.webkit.org/show_bug.cgi?id=89527
1731
1732         Reviewed by Oliver Hunt.
1733
1734         This is a pre-requisite to getting rid of "berzerker GC" because we need
1735         the sweeper to reclaim memory in a timely fashion, or we'll see a memory
1736         footprint regression.
1737
1738         * heap/IncrementalSweeper.h:
1739         * heap/IncrementalSweeper.cpp:
1740         (JSC::IncrementalSweeper::scheduleTimer): Since the time slice is predictable,
1741         no need to use a data member to record it.
1742
1743         (JSC::IncrementalSweeper::doSweep): Sweep as many blocks as we can in a
1744         small time slice. This is better than sweeping only one block per timer
1745         fire because that strategy has a heavy timer overhead, and artificially
1746         delays memory reclamation.
1747
1748 2012-06-20  Filip Pizlo  <fpizlo@apple.com>
1749
1750         DFG should be able to print disassembly interleaved with the IR
1751         https://bugs.webkit.org/show_bug.cgi?id=89551
1752
1753         Reviewed by Geoffrey Garen.
1754         
1755         This change also removes running Dominators unconditionally on every DFG
1756         compile. Dominators are designed to be computed on-demand, and currently
1757         the only demand is graph dumps.
1758
1759         * CMakeLists.txt:
1760         * GNUmakefile.list.am:
1761         * JavaScriptCore.xcodeproj/project.pbxproj:
1762         * Target.pri:
1763         * assembler/ARMv7Assembler.h:
1764         (JSC::ARMv7Assembler::labelIgnoringWatchpoints):
1765         (ARMv7Assembler):
1766         * assembler/AbstractMacroAssembler.h:
1767         (AbstractMacroAssembler):
1768         (JSC::AbstractMacroAssembler::labelIgnoringWatchpoints):
1769         * assembler/X86Assembler.h:
1770         (X86Assembler):
1771         (JSC::X86Assembler::labelIgnoringWatchpoints):
1772         * dfg/DFGCommon.h:
1773         (JSC::DFG::shouldShowDisassembly):
1774         (DFG):
1775         * dfg/DFGDisassembler.cpp: Added.
1776         (DFG):
1777         (JSC::DFG::Disassembler::Disassembler):
1778         (JSC::DFG::Disassembler::dump):
1779         (JSC::DFG::Disassembler::dumpDisassembly):
1780         * dfg/DFGDisassembler.h: Added.
1781         (DFG):
1782         (Disassembler):
1783         (JSC::DFG::Disassembler::setStartOfCode):
1784         (JSC::DFG::Disassembler::setForBlock):
1785         (JSC::DFG::Disassembler::setForNode):
1786         (JSC::DFG::Disassembler::setEndOfMainPath):
1787         (JSC::DFG::Disassembler::setEndOfCode):
1788         * dfg/DFGDriver.cpp:
1789         (JSC::DFG::compile):
1790         * dfg/DFGGraph.cpp:
1791         (JSC::DFG::Graph::dumpCodeOrigin):
1792         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
1793         (DFG):
1794         (JSC::DFG::Graph::printNodeWhiteSpace):
1795         (JSC::DFG::Graph::dump):
1796         (JSC::DFG::Graph::dumpBlockHeader):
1797         * dfg/DFGGraph.h:
1798         * dfg/DFGJITCompiler.cpp:
1799         (JSC::DFG::JITCompiler::JITCompiler):
1800         (DFG):
1801         (JSC::DFG::JITCompiler::compile):
1802         (JSC::DFG::JITCompiler::compileFunction):
1803         * dfg/DFGJITCompiler.h:
1804         (JITCompiler):
1805         (JSC::DFG::JITCompiler::setStartOfCode):
1806         (JSC::DFG::JITCompiler::setForBlock):
1807         (JSC::DFG::JITCompiler::setForNode):
1808         (JSC::DFG::JITCompiler::setEndOfMainPath):
1809         (JSC::DFG::JITCompiler::setEndOfCode):
1810         * dfg/DFGNode.h:
1811         (Node):
1812         (JSC::DFG::Node::willHaveCodeGen):
1813         * dfg/DFGNodeFlags.cpp:
1814         (JSC::DFG::nodeFlagsAsString):
1815         * dfg/DFGSpeculativeJIT.cpp:
1816         (JSC::DFG::SpeculativeJIT::compile):
1817         * dfg/DFGSpeculativeJIT.h:
1818         (SpeculativeJIT):
1819         * runtime/Options.cpp:
1820         (Options):
1821         (JSC::Options::initializeOptions):
1822         * runtime/Options.h:
1823         (Options):
1824
1825 2012-06-19  Filip Pizlo  <fpizlo@apple.com>
1826
1827         JSC should be able to show disassembly for all generated JIT code
1828         https://bugs.webkit.org/show_bug.cgi?id=89536
1829
1830         Reviewed by Gavin Barraclough.
1831         
1832         Now instead of doing linkBuffer.finalizeCode(), you do
1833         FINALIZE_CODE(linkBuffer, (... explanation ...)). FINALIZE_CODE() then
1834         prints your explanation and the disassembled code, if
1835         Options::showDisassembly is set to true.
1836
1837         * CMakeLists.txt:
1838         * GNUmakefile.list.am:
1839         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1840         * JavaScriptCore.xcodeproj/project.pbxproj:
1841         * Target.pri:
1842         * assembler/LinkBuffer.cpp: Added.
1843         (JSC):
1844         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1845         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1846         (JSC::LinkBuffer::linkCode):
1847         (JSC::LinkBuffer::performFinalization):
1848         (JSC::LinkBuffer::dumpLinkStatistics):
1849         (JSC::LinkBuffer::dumpCode):
1850         * assembler/LinkBuffer.h:
1851         (LinkBuffer):
1852         (JSC):
1853         * assembler/MacroAssemblerCodeRef.h:
1854         (JSC::MacroAssemblerCodeRef::tryToDisassemble):
1855         (MacroAssemblerCodeRef):
1856         * dfg/DFGJITCompiler.cpp:
1857         (JSC::DFG::JITCompiler::compile):
1858         (JSC::DFG::JITCompiler::compileFunction):
1859         * dfg/DFGOSRExitCompiler.cpp:
1860         * dfg/DFGRepatch.cpp:
1861         (JSC::DFG::generateProtoChainAccessStub):
1862         (JSC::DFG::tryCacheGetByID):
1863         (JSC::DFG::tryBuildGetByIDList):
1864         (JSC::DFG::emitPutReplaceStub):
1865         (JSC::DFG::emitPutTransitionStub):
1866         * dfg/DFGThunks.cpp:
1867         (JSC::DFG::osrExitGenerationThunkGenerator):
1868         * disassembler/Disassembler.h:
1869         (JSC):
1870         (JSC::tryToDisassemble):
1871         * disassembler/UDis86Disassembler.cpp:
1872         (JSC::tryToDisassemble):
1873         * jit/JIT.cpp:
1874         (JSC::JIT::privateCompile):
1875         * jit/JITCode.h:
1876         (JSC::JITCode::tryToDisassemble):
1877         * jit/JITOpcodes.cpp:
1878         (JSC::JIT::privateCompileCTIMachineTrampolines):
1879         * jit/JITOpcodes32_64.cpp:
1880         (JSC::JIT::privateCompileCTIMachineTrampolines):
1881         (JSC::JIT::privateCompileCTINativeCall):
1882         * jit/JITPropertyAccess.cpp:
1883         (JSC::JIT::stringGetByValStubGenerator):
1884         (JSC::JIT::privateCompilePutByIdTransition):
1885         (JSC::JIT::privateCompilePatchGetArrayLength):
1886         (JSC::JIT::privateCompileGetByIdProto):
1887         (JSC::JIT::privateCompileGetByIdSelfList):
1888         (JSC::JIT::privateCompileGetByIdProtoList):
1889         (JSC::JIT::privateCompileGetByIdChainList):
1890         (JSC::JIT::privateCompileGetByIdChain):
1891         * jit/JITPropertyAccess32_64.cpp:
1892         (JSC::JIT::stringGetByValStubGenerator):
1893         (JSC::JIT::privateCompilePutByIdTransition):
1894         (JSC::JIT::privateCompilePatchGetArrayLength):
1895         (JSC::JIT::privateCompileGetByIdProto):
1896         (JSC::JIT::privateCompileGetByIdSelfList):
1897         (JSC::JIT::privateCompileGetByIdProtoList):
1898         (JSC::JIT::privateCompileGetByIdChainList):
1899         (JSC::JIT::privateCompileGetByIdChain):
1900         * jit/SpecializedThunkJIT.h:
1901         (JSC::SpecializedThunkJIT::finalize):
1902         * jit/ThunkGenerators.cpp:
1903         (JSC::charCodeAtThunkGenerator):
1904         (JSC::charAtThunkGenerator):
1905         (JSC::fromCharCodeThunkGenerator):
1906         (JSC::sqrtThunkGenerator):
1907         (JSC::floorThunkGenerator):
1908         (JSC::ceilThunkGenerator):
1909         (JSC::roundThunkGenerator):
1910         (JSC::expThunkGenerator):
1911         (JSC::logThunkGenerator):
1912         (JSC::absThunkGenerator):
1913         (JSC::powThunkGenerator):
1914         * llint/LLIntThunks.cpp:
1915         (JSC::LLInt::generateThunkWithJumpTo):
1916         (JSC::LLInt::functionForCallEntryThunkGenerator):
1917         (JSC::LLInt::functionForConstructEntryThunkGenerator):
1918         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1919         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1920         (JSC::LLInt::evalEntryThunkGenerator):
1921         (JSC::LLInt::programEntryThunkGenerator):
1922         * runtime/Options.cpp:
1923         (Options):
1924         (JSC::Options::initializeOptions):
1925         * runtime/Options.h:
1926         (Options):
1927         * yarr/YarrJIT.cpp:
1928         (JSC::Yarr::YarrGenerator::compile):
1929
1930 2012-06-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1931
1932         [Qt][Mac] REGRESSION(r120742): It broke the build
1933         https://bugs.webkit.org/show_bug.cgi?id=89516
1934
1935         Reviewed by Geoffrey Garen.
1936
1937         Removing GCActivityCallbackCF.cpp because it doesn't mesh well with cross-platform 
1938         code on Darwin (e.g. Qt). We now use plain ol' vanilla ifdefs to handle platforms 
1939         without CF support. These if-defs will probably disappear in the future when we 
1940         use cross-platform timers in HeapTimer.
1941
1942         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1943         * JavaScriptCore.xcodeproj/project.pbxproj:
1944         * runtime/GCActivityCallback.cpp:
1945         (JSC):
1946         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
1947         (JSC::DefaultGCActivityCallback::doWork):
1948         (JSC::DefaultGCActivityCallback::scheduleTimer):
1949         (JSC::DefaultGCActivityCallback::cancelTimer):
1950         (JSC::DefaultGCActivityCallback::didAllocate):
1951         (JSC::DefaultGCActivityCallback::willCollect):
1952         (JSC::DefaultGCActivityCallback::cancel):
1953         * runtime/GCActivityCallbackCF.cpp: Removed.
1954
1955 2012-06-19  Filip Pizlo  <fpizlo@apple.com>
1956
1957         DFG CFA forgets to notify subsequent phases of found constants if it proves LogicalNot to be a constant
1958         https://bugs.webkit.org/show_bug.cgi?id=89511
1959         <rdar://problem/11700089>
1960
1961         Reviewed by Geoffrey Garen.
1962
1963         * dfg/DFGAbstractState.cpp:
1964         (JSC::DFG::AbstractState::execute):
1965
1966 2012-06-19  Mark Lam  <mark.lam@apple.com>
1967
1968         CodeBlock::needsCallReturnIndices() is no longer needed.
1969         https://bugs.webkit.org/show_bug.cgi?id=89490
1970
1971         Reviewed by Geoffrey Garen.
1972
1973         * bytecode/CodeBlock.h:
1974         (JSC::CodeBlock::needsCallReturnIndices): removed.
1975         * dfg/DFGJITCompiler.cpp:
1976         (JSC::DFG::JITCompiler::link):
1977         * jit/JIT.cpp:
1978         (JSC::JIT::privateCompile):
1979
1980 2012-06-19  Filip Pizlo  <fpizlo@apple.com>
1981
1982         Unreviewed, try to fix Windows build.
1983
1984         * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
1985
1986 2012-06-17  Filip Pizlo  <fpizlo@apple.com>
1987
1988         It should be possible to look at disassembly
1989         https://bugs.webkit.org/show_bug.cgi?id=89319
1990
1991         Reviewed by Sam Weinig.
1992         
1993         This imports the udis86 disassembler library. The library is placed
1994         behind an abstraction in disassembler/Disassembler.h, so that we can
1995         in the future use other disassemblers (for other platforms) whenever
1996         appropriate. As a first step, the disassembler is being invoked for
1997         DFG verbose dumps.
1998         
1999         If we ever want to merge a new version of udis86 in the future, I've
2000         made notes about changes I made to the library in
2001         disassembler/udis86/differences.txt.
2002
2003         * CMakeLists.txt:
2004         * DerivedSources.make:
2005         * GNUmakefile.list.am:
2006         * JavaScriptCore.pri:
2007         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2008         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
2009         * JavaScriptCore.xcodeproj/project.pbxproj:
2010         * dfg/DFGJITCompiler.cpp:
2011         (JSC::DFG::JITCompiler::compile):
2012         (JSC::DFG::JITCompiler::compileFunction):
2013         * disassembler: Added.
2014         * disassembler/Disassembler.h: Added.
2015         (JSC):
2016         (JSC::tryToDisassemble):
2017         * disassembler/UDis86Disassembler.cpp: Added.
2018         (JSC):
2019         (JSC::tryToDisassemble):
2020         * disassembler/udis86: Added.
2021         * disassembler/udis86/differences.txt: Added.
2022         * disassembler/udis86/itab.py: Added.
2023         (UdItabGenerator):
2024         (UdItabGenerator.__init__):
2025         (UdItabGenerator.toGroupId):
2026         (UdItabGenerator.genLookupTable):
2027         (UdItabGenerator.genLookupTableList):
2028         (UdItabGenerator.genInsnTable):
2029         (genItabH):
2030         (genItabH.UD_ITAB_H):
2031         (genItabC):
2032         (genItab):
2033         (main):
2034         * disassembler/udis86/optable.xml: Added.
2035         * disassembler/udis86/ud_opcode.py: Added.
2036         (UdOpcodeTables):
2037         (UdOpcodeTables.sizeOfTable):
2038         (UdOpcodeTables.nameOfTable):
2039         (UdOpcodeTables.updateTable):
2040         (UdOpcodeTables.Insn):
2041         (UdOpcodeTables.Insn.__init__):
2042         (UdOpcodeTables.Insn.__init__.opcode):
2043         (UdOpcodeTables.parse):
2044         (UdOpcodeTables.addInsnDef):
2045         (UdOpcodeTables.print_table):
2046         (UdOpcodeTables.print_tree):
2047         * disassembler/udis86/ud_optable.py: Added.
2048         (UdOptableXmlParser):
2049         (UdOptableXmlParser.parseDef):
2050         (UdOptableXmlParser.parse):
2051         (printFn):
2052         (parse):
2053         (main):
2054         * disassembler/udis86/udis86.c: Added.
2055         (ud_init):
2056         (ud_disassemble):
2057         (ud_set_mode):
2058         (ud_set_vendor):
2059         (ud_set_pc):
2060         (ud):
2061         (ud_insn_asm):
2062         (ud_insn_off):
2063         (ud_insn_hex):
2064         (ud_insn_ptr):
2065         (ud_insn_len):
2066         * disassembler/udis86/udis86.h: Added.
2067         * disassembler/udis86/udis86_decode.c: Added.
2068         (eff_adr_mode):
2069         (ud_lookup_mnemonic):
2070         (decode_prefixes):
2071         (modrm):
2072         (resolve_operand_size):
2073         (resolve_mnemonic):
2074         (decode_a):
2075         (decode_gpr):
2076         (resolve_gpr64):
2077         (resolve_gpr32):
2078         (resolve_reg):
2079         (decode_imm):
2080         (decode_modrm_reg):
2081         (decode_modrm_rm):
2082         (decode_o):
2083         (decode_operand):
2084         (decode_operands):
2085         (clear_insn):
2086         (resolve_mode):
2087         (gen_hex):
2088         (decode_insn):
2089         (decode_3dnow):
2090         (decode_ssepfx):
2091         (decode_ext):
2092         (decode_opcode):
2093         (ud_decode):
2094         * disassembler/udis86/udis86_decode.h: Added.
2095         (ud_itab_entry_operand):
2096         (ud_itab_entry):
2097         (ud_lookup_table_list_entry):
2098         (sse_pfx_idx):
2099         (mode_idx):
2100         (modrm_mod_idx):
2101         (vendor_idx):
2102         (is_group_ptr):
2103         (group_idx):
2104         * disassembler/udis86/udis86_extern.h: Added.
2105         * disassembler/udis86/udis86_input.c: Added.
2106         (inp_buff_hook):
2107         (inp_file_hook):
2108         (ud):
2109         (ud_set_user_opaque_data):
2110         (ud_get_user_opaque_data):
2111         (ud_set_input_buffer):
2112         (ud_set_input_file):
2113         (ud_input_skip):
2114         (ud_input_end):
2115         (ud_inp_next):
2116         (ud_inp_back):
2117         (ud_inp_peek):
2118         (ud_inp_move):
2119         (ud_inp_uint8):
2120         (ud_inp_uint16):
2121         (ud_inp_uint32):
2122         (ud_inp_uint64):
2123         * disassembler/udis86/udis86_input.h: Added.
2124         * disassembler/udis86/udis86_itab_holder.c: Added.
2125         * disassembler/udis86/udis86_syn-att.c: Added.
2126         (opr_cast):
2127         (gen_operand):
2128         (ud_translate_att):
2129         * disassembler/udis86/udis86_syn-intel.c: Added.
2130         (opr_cast):
2131         (gen_operand):
2132         (ud_translate_intel):
2133         * disassembler/udis86/udis86_syn.c: Added.
2134         * disassembler/udis86/udis86_syn.h: Added.
2135         (mkasm):
2136         * disassembler/udis86/udis86_types.h: Added.
2137         (ud_operand):
2138         (ud):
2139         * jit/JITCode.h:
2140         (JITCode):
2141         (JSC::JITCode::tryToDisassemble):
2142
2143 2012-06-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2144
2145         GCActivityCallback and IncrementalSweeper should share code
2146         https://bugs.webkit.org/show_bug.cgi?id=89400
2147
2148         Reviewed by Geoffrey Garen.
2149
2150         A lot of functionality is duplicated between GCActivityCallback and IncrementalSweeper.
2151         We should extract the common functionality out into a separate class that both of them
2152         can inherit from. This refactoring will be an even greater boon when we add the ability
2153         to shut these two agents down in a thread-safe fashion.
2154
2155         * CMakeLists.txt:
2156         * GNUmakefile.list.am:
2157         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2158         * JavaScriptCore.xcodeproj/project.pbxproj:
2159         * Target.pri:
2160         * heap/Heap.cpp:
2161         (JSC::Heap::Heap): Move initialization down so that the JSGlobalData has a valid Heap when 
2162         we're initializing the GCActivityCallback and the IncrementalSweeper.
2163         * heap/Heap.h:
2164         (Heap):
2165         * heap/HeapTimer.cpp: Added.
2166         (JSC):
2167         (JSC::HeapTimer::HeapTimer): Initialize the various base class data that
2168         DefaultGCActivityCallback::commonConstructor() used to do.
2169         (JSC::HeapTimer::~HeapTimer): Call to invalidate().
2170         (JSC::HeapTimer::synchronize): Same functionality as the old DefaultGCActivityCallback::synchronize().
2171         Virtual so that non-CF subclasses can override.
2172         (JSC::HeapTimer::invalidate): Tears down the runloop timer to prevent any future firing.
2173         (JSC::HeapTimer::timerDidFire): Callback to pass to the timer function. Casts and calls the virtual doWork().
2174         * heap/HeapTimer.h: Added. This is the class that serves as the common base class for 
2175         both GCActivityCallback and IncrementalSweeper. It handles setting up and tearing down run loops and synchronizing 
2176         across threads for its subclasses. 
2177         (JSC):
2178         (HeapTimer):
2179         * heap/IncrementalSweeper.cpp: Changes to accommodate the extraction of common functionality
2180         between IncrementalSweeper and GCActivityCallback into a common ancestor.
2181         (JSC):
2182         (JSC::IncrementalSweeper::doWork): 
2183         (JSC::IncrementalSweeper::IncrementalSweeper):
2184         (JSC::IncrementalSweeper::cancelTimer):
2185         (JSC::IncrementalSweeper::create):
2186         * heap/IncrementalSweeper.h:
2187         (IncrementalSweeper):
2188         * runtime/GCActivityCallback.cpp:
2189         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
2190         (JSC::DefaultGCActivityCallback::doWork):
2191         * runtime/GCActivityCallback.h:
2192         (GCActivityCallback):
2193         (JSC::GCActivityCallback::willCollect):
2194         (JSC::GCActivityCallback::GCActivityCallback):
2195         (JSC):
2196         (DefaultGCActivityCallback): Remove the platform data struct. The platform data should be kept in 
2197         the class itself so as to be accessible by doWork(). Most of the platform data for CF is kept in 
2198         HeapTimer anyways, so we only need the m_delay field now.
2199         * runtime/GCActivityCallbackBlackBerry.cpp:
2200         (JSC):
2201         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
2202         (JSC::DefaultGCActivityCallback::doWork):
2203         (JSC::DefaultGCActivityCallback::didAllocate):
2204         * runtime/GCActivityCallbackCF.cpp:
2205         (JSC):
2206         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
2207         (JSC::DefaultGCActivityCallback::doWork):
2208         (JSC::DefaultGCActivityCallback::scheduleTimer):
2209         (JSC::DefaultGCActivityCallback::cancelTimer):
2210         (JSC::DefaultGCActivityCallback::didAllocate):
2211         (JSC::DefaultGCActivityCallback::willCollect):
2212         (JSC::DefaultGCActivityCallback::cancel):
2213
2214
2215 2012-06-19  Mike West  <mkwst@chromium.org>
2216
2217         Introduce ENABLE_CSP_NEXT configuration flag.
2218         https://bugs.webkit.org/show_bug.cgi?id=89300
2219
2220         Reviewed by Adam Barth.
2221
2222         The 1.0 draft of the Content Security Policy spec is just about to
2223         move to Last Call. We'll hide work on the upcoming 1.1 spec behind
2224         this ENABLE flag, disabled by default.
2225
2226         Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
2227
2228         * Configurations/FeatureDefines.xcconfig:
2229
2230 2012-06-18  Mark Lam  <mark.lam@apple.com>
2231
2232         Changed JSC to always record line number information so that error.stack
2233         and window.onerror() can report proper line numbers.
2234         https://bugs.webkit.org/show_bug.cgi?id=89410
2235
2236         Reviewed by Geoffrey Garen.
2237
2238         * bytecode/CodeBlock.cpp:
2239         (JSC::CodeBlock::CodeBlock):
2240         (JSC::CodeBlock::lineNumberForBytecodeOffset):
2241         (JSC::CodeBlock::shrinkToFit): m_lineInfo is now available unconditionally.
2242
2243         * bytecode/CodeBlock.h:
2244         (JSC::CodeBlock::addLineInfo):
2245         (JSC::CodeBlock::hasLineInfo): Unused.  Now removed.
2246         (JSC::CodeBlock::needsCallReturnIndices):
2247         (CodeBlock):
2248         (RareData):  Hoisted m_lineInfo out of m_rareData.  m_lineInfo is now
2249         filled in unconditionally.
2250
2251         * bytecompiler/BytecodeGenerator.h:
2252         (JSC::BytecodeGenerator::addLineInfo):
2253
2254 2012-06-18  Andy Estes  <aestes@apple.com>
2255
2256         Fix r120663, which didn't land the change that was reviewed.
2257
2258 2012-06-18  Andy Estes  <aestes@apple.com>
2259
2260         [JSC] In JSGlobalData.cpp, enableAssembler() sometimes leaks two CF objects
2261         https://bugs.webkit.org/show_bug.cgi?id=89415
2262
2263         Reviewed by Sam Weinig.
2264
2265         In the case where canUseJIT was a non-NULL CFBooleanRef,
2266         enableAssembler() would leak both canUseJITKey and canUseJIT by
2267         returning before calling CFRelease. Fix this by using RetainPtr.
2268
2269         * runtime/JSGlobalData.cpp:
2270         (JSC::enableAssembler):
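
The leak pattern this entry describes (an early return that skips two CFRelease calls) and the RetainPtr fix are shown below in an added example that is not JavaScriptCore's code. CoreFoundation types and WTF::RetainPtr are not used; ToyCF, toyCreate, toyCopyPreference and ToyRetainPtr are stand-ins constructed here so the example runs anywhere, and a live-object counter makes the leak observable.

```cpp
// Added example (not JSC's code): models the early-return leak fixed in
// JSGlobalData::enableAssembler() with a toy refcounted handle instead of
// CoreFoundation objects, and a minimal RetainPtr-like guard instead of
// WTF::RetainPtr. All names here are constructed for illustration.
#include <cstddef>
#include <cstdio>

// Toy refcounted object standing in for a CFTypeRef. Counts live objects so
// a leak is observable without instrumenting an allocator.
struct ToyCF {
    int refCount = 1;
    bool boolValue = false;
    static int liveObjects;
};
int ToyCF::liveObjects = 0;

ToyCF* toyCreate(bool v) { ++ToyCF::liveObjects; ToyCF* o = new ToyCF; o->boolValue = v; return o; }
void toyRelease(ToyCF* o) { if (o && --o->refCount == 0) { --ToyCF::liveObjects; delete o; } }

// Stand-in for a "copy" API that hands back a +1 reference or null.
// `present` is a constructed knob so both paths can be exercised.
ToyCF* toyCopyPreference(bool present, bool value) { return present ? toyCreate(value) : nullptr; }

// Minimal RetainPtr-like RAII guard: adopts a +1 reference and releases it
// on every exit path, including early returns and exceptions.
class ToyRetainPtr {
public:
    explicit ToyRetainPtr(ToyCF* adopted = nullptr) : m_ptr(adopted) {}
    ~ToyRetainPtr() { toyRelease(m_ptr); }
    ToyRetainPtr(const ToyRetainPtr&) = delete;
    ToyRetainPtr& operator=(const ToyRetainPtr&) = delete;
    ToyCF* get() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    ToyCF* m_ptr;
};

// "Before": when the preference exists, the early return skips both releases,
// so the key and the value object leak (the bug the entry describes).
bool enableAssemblerLeaky(bool prefPresent, bool prefValue) {
    ToyCF* key = toyCreate(false);                      // like the CFString key
    ToyCF* canUseJIT = toyCopyPreference(prefPresent, prefValue);
    if (canUseJIT)
        return canUseJIT->boolValue;                    // leaks key and canUseJIT
    toyRelease(key);
    toyRelease(canUseJIT);
    return true;
}

// "After": ownership lives in the guards, so every return path releases.
bool enableAssemblerFixed(bool prefPresent, bool prefValue) {
    ToyRetainPtr key(toyCreate(false));
    ToyRetainPtr canUseJIT(toyCopyPreference(prefPresent, prefValue));
    if (canUseJIT)
        return canUseJIT.get()->boolValue;
    return true;
}

// Runs one variant and reports how many objects it left alive.
int leakedObjectsAfter(bool (*fn)(bool, bool), bool prefPresent, bool prefValue) {
    int before = ToyCF::liveObjects;
    fn(prefPresent, prefValue);
    return ToyCF::liveObjects - before;
}

int main() {
    std::printf("leaky, pref present: %d leaked\n", leakedObjectsAfter(enableAssemblerLeaky, true, true));
    std::printf("fixed, pref present: %d leaked\n", leakedObjectsAfter(enableAssemblerFixed, true, true));
    return 0;
}
```

The point of the guard is that the release is tied to scope exit rather than to a particular return statement, so adding a new early return later cannot reintroduce the leak.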
2271
2272 2012-06-17  Geoffrey Garen  <ggaren@apple.com>
2273
2274         GC copy phase spends needless cycles zero-filling blocks
2275         https://bugs.webkit.org/show_bug.cgi?id=89128
2276
2277         Reviewed by Gavin Barraclough.
2278
2279         We only need to zero-fill when we're allocating memory that might not
2280         get fully initialized before GC.
2281
2282         * heap/CopiedBlock.h:
2283         (JSC::CopiedBlock::createNoZeroFill):
2284         (JSC::CopiedBlock::create): Added a way to create without zero-filling.
2285         This is our optimization.
2286
2287         (JSC::CopiedBlock::zeroFillToEnd):
2288         (JSC::CopiedBlock::CopiedBlock): Split zero-filling out from creation,
2289         so we can sometimes create without zero-filling.
2290
2291         * heap/CopiedSpace.cpp:
2292         (JSC::CopiedSpace::init):
2293         (JSC::CopiedSpace::tryAllocateSlowCase):
2294         (JSC::CopiedSpace::doneCopying): Renamed addNewBlock to allocateBlock()
2295         to clarify that the new block is always newly-allocated.
2296
2297         (JSC::CopiedSpace::doneFillingBlock): Make sure to zero-fill to the end
2298         of a block that might be used in the future for allocation. (Most of the
2299         time, this is a no-op, since we've already filled the block completely.)
2300
2301         (JSC::CopiedSpace::getFreshBlock): Removed this function because the
2302         abstraction of "allocation must succeed" is no longer useful.
2303
2304         * heap/CopiedSpace.h: Updated declarations to match.
2305
2306         * heap/CopiedSpaceInlineMethods.h:
2307         (JSC::CopiedSpace::allocateBlockForCopyingPhase): New function, which
2308         knows that it can skip zero-filling.
2309
2310         Added tighter scoping to our lock, to improve parallelism.
2311
2312         (JSC::CopiedSpace::allocateBlock): Folded getFreshBlock functionality
2313         into this function, for simplicity.
2314
2315         * heap/MarkStack.cpp:
2316         (JSC::SlotVisitor::startCopying):
2317         (JSC::SlotVisitor::allocateNewSpace): Use our new zero-fill-free helper
2318         function for great good.
2319
2320 2012-06-17  Filip Pizlo  <fpizlo@apple.com>
2321
2322         DFG should attempt to use structure watchpoints for all inlined get_by_id's and put_by_id's
2323         https://bugs.webkit.org/show_bug.cgi?id=89316
2324
2325         Reviewed by Oliver Hunt.
2326
2327         * dfg/DFGByteCodeParser.cpp:
2328         (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
2329         (ByteCodeParser):
2330         (JSC::DFG::ByteCodeParser::handleGetById):
2331         (JSC::DFG::ByteCodeParser::parseBlock):
2332
2333 2012-06-15  Yong Li  <yoli@rim.com>
2334
2335         [BlackBerry] Put platform-specific GC policy in GCActivityCallback
2336         https://bugs.webkit.org/show_bug.cgi?id=89236
2337
2338         Reviewed by Rob Buis.
2339
2340         Add GCActivityCallbackBlackBerry.cpp and implement platform-specific
2341         low memory GC policy there.
2342
2343         * PlatformBlackBerry.cmake:
2344         * heap/Heap.h:
2345         (JSC::Heap::isSafeToCollect): Added.
2346         * runtime/GCActivityCallbackBlackBerry.cpp: Added.
2347         (JSC):
2348         (JSC::DefaultGCActivityCallbackPlatformData::DefaultGCActivityCallbackPlatformData):
2349         (DefaultGCActivityCallbackPlatformData):
2350         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
2351         (JSC::DefaultGCActivityCallback::~DefaultGCActivityCallback):
2352         (JSC::DefaultGCActivityCallback::didAllocate):
2353         (JSC::DefaultGCActivityCallback::willCollect):
2354         (JSC::DefaultGCActivityCallback::synchronize):
2355         (JSC::DefaultGCActivityCallback::cancel):
2356
2357 2012-06-15  Filip Pizlo  <fpizlo@apple.com>
2358
2359         DFG should be able to set watchpoints on structure transitions in the
2360         method check prototype chain
2361         https://bugs.webkit.org/show_bug.cgi?id=89058
2362
2363         Adding the same assertion to 32-bit that I added to 64-bit. This change
2364         does not affect correctness but it's a good thing for assertion coverage.
2365
2366         * dfg/DFGSpeculativeJIT32_64.cpp:
2367         (JSC::DFG::SpeculativeJIT::compile):
2368
2369 2012-06-13  Filip Pizlo  <fpizlo@apple.com>
2370
2371         DFG should be able to set watchpoints on structure transitions in the
2372         method check prototype chain
2373         https://bugs.webkit.org/show_bug.cgi?id=89058
2374
2375         Reviewed by Gavin Barraclough.
2376         
2377         This adds the ability to set watchpoints on Structures, and then does
2378         the most modest thing we can do with this ability: the DFG now sets
2379         watchpoints on structure transitions in the prototype chain of method
2380         checks.
2381         
2382         This appears to be a >1% speed-up on V8.
2383
2384         * bytecode/PutByIdStatus.cpp:
2385         (JSC::PutByIdStatus::computeFromLLInt):
2386         (JSC::PutByIdStatus::computeFor):
2387         * bytecode/StructureSet.h:
2388         (JSC::StructureSet::containsOnly):
2389         (StructureSet):
2390         * bytecode/Watchpoint.cpp:
2391         (JSC::WatchpointSet::WatchpointSet):
2392         (JSC::InlineWatchpointSet::add):
2393         (JSC):
2394         (JSC::InlineWatchpointSet::inflateSlow):
2395         (JSC::InlineWatchpointSet::freeFat):
2396         * bytecode/Watchpoint.h:
2397         (WatchpointSet):
2398         (JSC):
2399         (InlineWatchpointSet):
2400         (JSC::InlineWatchpointSet::InlineWatchpointSet):
2401         (JSC::InlineWatchpointSet::~InlineWatchpointSet):
2402         (JSC::InlineWatchpointSet::hasBeenInvalidated):
2403         (JSC::InlineWatchpointSet::isStillValid):
2404         (JSC::InlineWatchpointSet::startWatching):
2405         (JSC::InlineWatchpointSet::notifyWrite):
2406         (JSC::InlineWatchpointSet::isFat):
2407         (JSC::InlineWatchpointSet::fat):
2408         (JSC::InlineWatchpointSet::inflate):
2409         * dfg/DFGAbstractState.cpp:
2410         (JSC::DFG::AbstractState::execute):
2411         * dfg/DFGByteCodeParser.cpp:
2412         (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
2413         (ByteCodeParser):
2414         (JSC::DFG::ByteCodeParser::parseBlock):
2415         * dfg/DFGCSEPhase.cpp:
2416         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2417         (CSEPhase):
2418         (JSC::DFG::CSEPhase::performNodeCSE):
2419         * dfg/DFGCommon.h:
2420         * dfg/DFGGraph.cpp:
2421         (JSC::DFG::Graph::dump):
2422         * dfg/DFGGraph.h:
2423         (JSC::DFG::Graph::isCellConstant):
2424         * dfg/DFGJITCompiler.h:
2425         (JSC::DFG::JITCompiler::addWeakReferences):
2426         (JITCompiler):
2427         * dfg/DFGNode.h:
2428         (JSC::DFG::Node::hasStructure):
2429         (Node):
2430         (JSC::DFG::Node::structure):
2431         * dfg/DFGNodeType.h:
2432         (DFG):
2433         * dfg/DFGPredictionPropagationPhase.cpp:
2434         (JSC::DFG::PredictionPropagationPhase::propagate):
2435         * dfg/DFGRepatch.cpp:
2436         (JSC::DFG::emitPutTransitionStub):
2437         * dfg/DFGSpeculativeJIT64.cpp:
2438         (JSC::DFG::SpeculativeJIT::compile):
2439         * jit/JITStubs.cpp:
2440         (JSC::JITThunks::tryCachePutByID):
2441         * llint/LLIntSlowPaths.cpp:
2442         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2443         * runtime/Structure.cpp:
2444         (JSC::Structure::Structure):
2445         * runtime/Structure.h:
2446         (JSC::Structure::transitionWatchpointSetHasBeenInvalidated):
2447         (Structure):
2448         (JSC::Structure::transitionWatchpointSetIsStillValid):
2449         (JSC::Structure::addTransitionWatchpoint):
2450         (JSC::Structure::notifyTransitionFromThisStructure):
2451         (JSC::JSCell::setStructure):
2452         * runtime/SymbolTable.cpp:
2453         (JSC::SymbolTableEntry::attemptToWatch):
2454
2455 2012-06-13  Filip Pizlo  <fpizlo@apple.com>
2456
2457         DFG should be able to set watchpoints on global variables
2458         https://bugs.webkit.org/show_bug.cgi?id=88692
2459
2460         Reviewed by Geoffrey Garen.
2461         
2462         Rolling back in after fixing Windows build issues, and implementing
2463         branchTest8 for the Qt port's strange assemblers.
2464         
2465         This implements global variable constant folding by allowing the optimizing
2466         compiler to set a "watchpoint" on globals that it wishes to constant fold.
2467         If the watchpoint fires, then an OSR exit is forced by overwriting the
2468         machine code that the optimizing compiler generated with a jump.
2469         
2470         As such, this patch is adding quite a bit of stuff:
2471         
2472         - Jump replacement on those hardware targets supported by the optimizing
2473           JIT. It is now possible to patch in a jump instruction over any recorded
2474           watchpoint label. The jump must be "local" in the sense that it must be
2475           within the range of the largest jump distance supported by a one
2476           instruction jump.
2477           
2478         - WatchpointSets and Watchpoints. A Watchpoint is a doubly-linked list node
2479           that records the location where a jump must be inserted and the
2480           destination to which it should jump. Watchpoints can be added to a
2481           WatchpointSet. The WatchpointSet can be fired all at once, which plants
2482           all jumps. WatchpointSet also remembers if it had ever been invalidated,
2483           which allows for monotonicity: we typically don't want to optimize using
2484           watchpoints on something for which watchpoints had previously fired. The
2485           act of notifying a WatchpointSet has a trivial fast path in case no
2486           Watchpoints are registered (one-byte load+branch).
2487         
2488         - SpeculativeJIT::speculationWatchpoint(). It's like speculationCheck(),
2489           except that you don't have to emit branches. But, you need to know what
2490           WatchpointSet to add the resulting Watchpoint to. Not everything that
2491           you could write a speculationCheck() for will have a WatchpointSet that
2492           would get notified if the condition you were speculating against became
2493           invalid.
2494           
2495         - SymbolTableEntry now has the ability to refer to a WatchpointSet. It can
2496           do so without incurring any space overhead for those entries that don't
2497           have WatchpointSets.
2498           
2499         - The bytecode generator infers all global function variables to be
2500           watchable, and makes all stores perform the WatchpointSet's write check,
2501           and marks all loads as being potentially watchable (i.e. you can compile
2502           them to a watchpoint and a constant).
2503         
2504         Put together, this allows for fully sleazy inlining of calls to globally
2505         declared functions. The inline prologue will no longer contain the load of
2506         the function, or any checks of the function you're calling. I.e. it's
2507         pretty much like the kind of inlining you would see in Java or C++.
2508         Furthermore, the watchpointing functionality is built to be fairly general,
2509         and should allow setting watchpoints on all sorts of interesting things
2510         in the future.
2511         
2512         The sleazy inlining means that we will now sometimes inline in code paths
2513         that have never executed. Previously, to inline we would have either had
2514         to have executed the call (to read the call's inline cache) or have
2515         executed the method check (to read the method check's inline cache). Now,
2516         we might inline when the callee is a watched global variable. This
2517         revealed some humorous bugs. First, constant folding disagreed with CFA
2518         over what kinds of operations can clobber (example: code path A is dead
2519         but stores a String into variable X, all other code paths store 0 into
2520         X, and then you do CompareEq(X, 0) - CFA will say that this is a non-
2521         clobbering constant, but constant folding thought it was clobbering
2522         because it saw the String prediction). Second, inlining would crash if
2523         the inline callee had not been compiled. This patch fixes both bugs,
2524         since otherwise run-javascriptcore-tests would report regressions.
2525
2526         * CMakeLists.txt:
2527         * GNUmakefile.list.am:
2528         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2529         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2530         * JavaScriptCore.xcodeproj/project.pbxproj:
2531         * Target.pri:
2532         * assembler/ARMv7Assembler.h:
2533         (ARMv7Assembler):
2534         (JSC::ARMv7Assembler::ARMv7Assembler):
2535         (JSC::ARMv7Assembler::labelForWatchpoint):
2536         (JSC::ARMv7Assembler::label):
2537         (JSC::ARMv7Assembler::replaceWithJump):
2538         (JSC::ARMv7Assembler::maxJumpReplacementSize):
2539         * assembler/AbstractMacroAssembler.h:
2540         (JSC):
2541         (AbstractMacroAssembler):
2542         (Label):
2543         (JSC::AbstractMacroAssembler::watchpointLabel):
2544         (JSC::AbstractMacroAssembler::readPointer):
2545         * assembler/AssemblerBuffer.h:
2546         * assembler/MacroAssemblerARM.h:
2547         (JSC::MacroAssemblerARM::branchTest8):
2548         (MacroAssemblerARM):
2549         (JSC::MacroAssemblerARM::replaceWithJump):
2550         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2551         * assembler/MacroAssemblerARMv7.h:
2552         (JSC::MacroAssemblerARMv7::load8Signed):
2553         (JSC::MacroAssemblerARMv7::load16Signed):
2554         (MacroAssemblerARMv7):
2555         (JSC::MacroAssemblerARMv7::replaceWithJump):
2556         (JSC::MacroAssemblerARMv7::maxJumpReplacementSize):
2557         (JSC::MacroAssemblerARMv7::branchTest8):
2558         (JSC::MacroAssemblerARMv7::jump):
2559         (JSC::MacroAssemblerARMv7::makeBranch):
2560         * assembler/MacroAssemblerMIPS.h:
2561         (JSC::MacroAssemblerMIPS::branchTest8):
2562         (MacroAssemblerMIPS):
2563         (JSC::MacroAssemblerMIPS::replaceWithJump):
2564         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
2565         * assembler/MacroAssemblerSH4.h:
2566         (JSC::MacroAssemblerSH4::branchTest8):
2567         (MacroAssemblerSH4):
2568         (JSC::MacroAssemblerSH4::replaceWithJump):
2569         (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
2570         * assembler/MacroAssemblerX86.h:
2571         (MacroAssemblerX86):
2572         (JSC::MacroAssemblerX86::branchTest8):
2573         * assembler/MacroAssemblerX86Common.h:
2574         (JSC::MacroAssemblerX86Common::replaceWithJump):
2575         (MacroAssemblerX86Common):
2576         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
2577         * assembler/MacroAssemblerX86_64.h:
2578         (MacroAssemblerX86_64):
2579         (JSC::MacroAssemblerX86_64::branchTest8):
2580         * assembler/X86Assembler.h:
2581         (JSC::X86Assembler::X86Assembler):
2582         (X86Assembler):
2583         (JSC::X86Assembler::cmpb_im):
2584         (JSC::X86Assembler::testb_im):
2585         (JSC::X86Assembler::labelForWatchpoint):
2586         (JSC::X86Assembler::label):
2587         (JSC::X86Assembler::replaceWithJump):
2588         (JSC::X86Assembler::maxJumpReplacementSize):
2589         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
2590         * bytecode/CodeBlock.cpp:
2591         (JSC):
2592         (JSC::CodeBlock::printGetByIdCacheStatus):
2593         (JSC::CodeBlock::dump):
2594         * bytecode/CodeBlock.h:
2595         (JSC::CodeBlock::appendOSRExit):
2596         (JSC::CodeBlock::appendSpeculationRecovery):
2597         (CodeBlock):
2598         (JSC::CodeBlock::appendWatchpoint):
2599         (JSC::CodeBlock::numberOfWatchpoints):
2600         (JSC::CodeBlock::watchpoint):
2601         (DFGData):
2602         * bytecode/DFGExitProfile.h:
2603         (JSC::DFG::exitKindToString):
2604         (JSC::DFG::exitKindIsCountable):
2605         * bytecode/GetByIdStatus.cpp:
2606         (JSC::GetByIdStatus::computeForChain):
2607         * bytecode/Instruction.h:
2608         (Instruction):
2609         (JSC::Instruction::Instruction):
2610         * bytecode/Opcode.h:
2611         (JSC):
2612         (JSC::padOpcodeName):
2613         * bytecode/Watchpoint.cpp: Added.
2614         (JSC):
2615         (JSC::Watchpoint::~Watchpoint):
2616         (JSC::Watchpoint::correctLabels):
2617         (JSC::Watchpoint::fire):
2618         (JSC::WatchpointSet::WatchpointSet):
2619         (JSC::WatchpointSet::~WatchpointSet):
2620         (JSC::WatchpointSet::add):
2621         (JSC::WatchpointSet::notifyWriteSlow):
2622         (JSC::WatchpointSet::fireAllWatchpoints):
2623         * bytecode/Watchpoint.h: Added.
2624         (JSC):
2625         (Watchpoint):
2626         (JSC::Watchpoint::Watchpoint):
2627         (JSC::Watchpoint::setDestination):
2628         (WatchpointSet):
2629         (JSC::WatchpointSet::isStillValid):
2630         (JSC::WatchpointSet::hasBeenInvalidated):
2631         (JSC::WatchpointSet::startWatching):
2632         (JSC::WatchpointSet::notifyWrite):
2633         (JSC::WatchpointSet::addressOfIsWatched):
2634         * bytecompiler/BytecodeGenerator.cpp:
2635         (JSC::ResolveResult::checkValidity):
2636         (JSC::BytecodeGenerator::addGlobalVar):
2637         (JSC::BytecodeGenerator::BytecodeGenerator):
2638         (JSC::BytecodeGenerator::resolve):
2639         (JSC::BytecodeGenerator::emitResolve):
2640         (JSC::BytecodeGenerator::emitResolveWithBase):
2641         (JSC::BytecodeGenerator::emitResolveWithThis):
2642         (JSC::BytecodeGenerator::emitGetStaticVar):
2643         (JSC::BytecodeGenerator::emitPutStaticVar):
2644         * bytecompiler/BytecodeGenerator.h:
2645         (BytecodeGenerator):
2646         * bytecompiler/NodesCodegen.cpp:
2647         (JSC::FunctionCallResolveNode::emitBytecode):
2648         (JSC::PostfixResolveNode::emitBytecode):
2649         (JSC::PrefixResolveNode::emitBytecode):
2650         (JSC::ReadModifyResolveNode::emitBytecode):
2651         (JSC::AssignResolveNode::emitBytecode):
2652         (JSC::ConstDeclNode::emitCodeSingle):
2653         * dfg/DFGAbstractState.cpp:
2654         (JSC::DFG::AbstractState::execute):
2655         (JSC::DFG::AbstractState::clobberStructures):
2656         * dfg/DFGAbstractState.h:
2657         (AbstractState):
2658         (JSC::DFG::AbstractState::didClobber):
2659         * dfg/DFGByteCodeParser.cpp:
2660         (JSC::DFG::ByteCodeParser::handleInlining):
2661         (JSC::DFG::ByteCodeParser::parseBlock):
2662         * dfg/DFGCCallHelpers.h:
2663         (CCallHelpers):
2664         (JSC::DFG::CCallHelpers::setupArguments):
2665         * dfg/DFGCSEPhase.cpp:
2666         (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
2667         (CSEPhase):
2668         (JSC::DFG::CSEPhase::globalVarStoreElimination):
2669         (JSC::DFG::CSEPhase::performNodeCSE):
2670         * dfg/DFGCapabilities.h:
2671         (JSC::DFG::canCompileOpcode):
2672         * dfg/DFGConstantFoldingPhase.cpp:
2673         (JSC::DFG::ConstantFoldingPhase::run):
2674         * dfg/DFGCorrectableJumpPoint.h:
2675         (JSC::DFG::CorrectableJumpPoint::isSet):
2676         (CorrectableJumpPoint):
2677         * dfg/DFGJITCompiler.cpp:
2678         (JSC::DFG::JITCompiler::linkOSRExits):
2679         (JSC::DFG::JITCompiler::link):
2680         * dfg/DFGNode.h:
2681         (JSC::DFG::Node::hasIdentifierNumberForCheck):
2682         (Node):
2683         (JSC::DFG::Node::identifierNumberForCheck):
2684         (JSC::DFG::Node::hasRegisterPointer):
2685         * dfg/DFGNodeType.h:
2686         (DFG):
2687         * dfg/DFGOSRExit.cpp:
2688         (JSC::DFG::OSRExit::OSRExit):
2689         * dfg/DFGOSRExit.h:
2690         (OSRExit):
2691         * dfg/DFGOperations.cpp:
2692         * dfg/DFGOperations.h:
2693         * dfg/DFGPredictionPropagationPhase.cpp:
2694         (JSC::DFG::PredictionPropagationPhase::propagate):
2695         * dfg/DFGSpeculativeJIT.h:
2696         (JSC::DFG::SpeculativeJIT::callOperation):
2697         (JSC::DFG::SpeculativeJIT::appendCall):
2698         (SpeculativeJIT):
2699         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
2700         * dfg/DFGSpeculativeJIT32_64.cpp:
2701         (JSC::DFG::SpeculativeJIT::compile):
2702         * dfg/DFGSpeculativeJIT64.cpp:
2703         (JSC::DFG::SpeculativeJIT::compile):
2704         * interpreter/Interpreter.cpp:
2705         (JSC::Interpreter::privateExecute):
2706         * jit/JIT.cpp:
2707         (JSC::JIT::privateCompileMainPass):
2708         (JSC::JIT::privateCompileSlowCases):
2709         * jit/JIT.h:
2710         * jit/JITPropertyAccess.cpp:
2711         (JSC::JIT::emit_op_put_global_var_check):
2712         (JSC):
2713         (JSC::JIT::emitSlow_op_put_global_var_check):
2714         * jit/JITPropertyAccess32_64.cpp:
2715         (JSC::JIT::emit_op_put_global_var_check):
2716         (JSC):
2717         (JSC::JIT::emitSlow_op_put_global_var_check):
2718         * jit/JITStubs.cpp:
2719         (JSC::DEFINE_STUB_FUNCTION):
2720         (JSC):
2721         * jit/JITStubs.h:
2722         * llint/LLIntSlowPaths.cpp:
2723         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2724         (LLInt):
2725         * llint/LLIntSlowPaths.h:
2726         (LLInt):
2727         * llint/LowLevelInterpreter32_64.asm:
2728         * llint/LowLevelInterpreter64.asm:
2729         * runtime/JSObject.cpp:
2730         (JSC::JSObject::removeDirect):
2731         * runtime/JSObject.h:
2732         (JSObject):
2733         * runtime/JSSymbolTableObject.h:
2734         (JSC::symbolTableGet):
2735         (JSC::symbolTablePut):
2736         (JSC::symbolTablePutWithAttributes):
2737         * runtime/SymbolTable.cpp: Added.
2738         (JSC):
2739         (JSC::SymbolTableEntry::copySlow):
2740         (JSC::SymbolTableEntry::freeFatEntrySlow):
2741         (JSC::SymbolTableEntry::couldBeWatched):
2742         (JSC::SymbolTableEntry::attemptToWatch):
2743         (JSC::SymbolTableEntry::addressOfIsWatched):
2744         (JSC::SymbolTableEntry::addWatchpoint):
2745         (JSC::SymbolTableEntry::notifyWriteSlow):
2746         (JSC::SymbolTableEntry::inflateSlow):
2747         * runtime/SymbolTable.h:
2748         (JSC):
2749         (SymbolTableEntry):
2750         (Fast):
2751         (JSC::SymbolTableEntry::Fast::Fast):
2752         (JSC::SymbolTableEntry::Fast::isNull):
2753         (JSC::SymbolTableEntry::Fast::getIndex):
2754         (JSC::SymbolTableEntry::Fast::isReadOnly):
2755         (JSC::SymbolTableEntry::Fast::getAttributes):
2756         (JSC::SymbolTableEntry::Fast::isFat):
2757         (JSC::SymbolTableEntry::SymbolTableEntry):
2758         (JSC::SymbolTableEntry::~SymbolTableEntry):
2759         (JSC::SymbolTableEntry::operator=):
2760         (JSC::SymbolTableEntry::isNull):
2761         (JSC::SymbolTableEntry::getIndex):
2762         (JSC::SymbolTableEntry::getFast):
2763         (JSC::SymbolTableEntry::getAttributes):
2764         (JSC::SymbolTableEntry::isReadOnly):
2765         (JSC::SymbolTableEntry::watchpointSet):
2766         (JSC::SymbolTableEntry::notifyWrite):
2767         (FatEntry):
2768         (JSC::SymbolTableEntry::FatEntry::FatEntry):
2769         (JSC::SymbolTableEntry::isFat):
2770         (JSC::SymbolTableEntry::fatEntry):
2771         (JSC::SymbolTableEntry::inflate):
2772         (JSC::SymbolTableEntry::bits):
2773         (JSC::SymbolTableEntry::freeFatEntry):
2774         (JSC::SymbolTableEntry::pack):
2775         (JSC::SymbolTableEntry::isValidIndex):
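
The watchpoint mechanism described in this entry and in the 2012-06-13 structure-transition entry above (a WatchpointSet with a one-byte fast path in notifyWrite, firing all registered watchpoints at once, and monotonicity so that a set that has fired is never watched again) is modelled below in an added example that is not JavaScriptCore's code. Firing a watchpoint here runs a callback instead of patching a jump over machine code, the set keeps its watchpoints in a vector rather than a doubly-linked list, and WatchableGlobal, OptimizedReader and runScenario are names constructed for this example.

```cpp
// Added example (not JSC's code): a small model of WatchpointSet/Watchpoint
// and of constant-folding a watched global. Firing runs a callback instead
// of planting a jump; everything else follows the ChangeLog description.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

// A Watchpoint records what must happen when the watched condition breaks.
// In JSC that is a jump-replacement location; here it is a callback.
struct Watchpoint {
    std::function<void()> onFire;
    bool fired = false;
    void fire() { fired = true; if (onFire) onFire(); }
};

class WatchpointSet {
public:
    // One byte of state so that notifyWrite() is a single load+branch.
    enum class State : uint8_t { ClearWatchpoint, IsWatched, IsInvalidated };

    bool isStillValid() const { return m_state != State::IsInvalidated; }
    bool hasBeenInvalidated() const { return !isStillValid(); }

    // Monotonicity: refuse to watch a set that has already fired, so the
    // optimizer never re-speculates on something known to change.
    bool startWatching() {
        if (hasBeenInvalidated()) return false;
        m_state = State::IsWatched;
        return true;
    }

    bool add(Watchpoint* wp) {
        if (!startWatching()) return false;
        m_watchpoints.push_back(wp);
        return true;
    }

    // Fast path taken on every store to the watched variable.
    void notifyWrite() {
        if (m_state != State::IsWatched) return;
        notifyWriteSlow();
    }

    std::size_t numberOfWatchpoints() const { return m_watchpoints.size(); }

private:
    void notifyWriteSlow() {
        m_state = State::IsInvalidated;      // remember this forever
        for (Watchpoint* wp : m_watchpoints) wp->fire();
        m_watchpoints.clear();
    }
    State m_state = State::ClearWatchpoint;
    std::vector<Watchpoint*> m_watchpoints;
};

// A global variable whose stores perform the write check, like the
// bytecode generator's put_global_var_check.
struct WatchableGlobal {
    int64_t value = 0;
    WatchpointSet watchpoints;
    void store(int64_t v) { value = v; watchpoints.notifyWrite(); }
};

// Models optimized code that folded the global to a constant at compile
// time. When the watchpoint fires it "OSR exits" to a path that reloads.
struct OptimizedReader {
    int64_t folded;
    bool osrExited = false;
    Watchpoint wp;
    explicit OptimizedReader(const WatchableGlobal& g) : folded(g.value) {
        wp.onFire = [this] { osrExited = true; };
    }
    bool compile(WatchableGlobal& g) { return g.watchpoints.add(&wp); }
    int64_t read(const WatchableGlobal& g) const { return osrExited ? g.value : folded; }
};

struct Scenario { bool compiled; int64_t before; int64_t after; bool exited; bool recompiled; bool invalidated; };

// Compile against a watched global, store to it, observe the exit, then
// show that a second compile refuses to watch the invalidated set.
Scenario runScenario() {
    WatchableGlobal g; g.value = 42;
    OptimizedReader r(g);
    bool compiled = r.compile(g);
    int64_t before = r.read(g);          // constant-folded: 42
    g.store(7);                          // fires the watchpoint
    int64_t after = r.read(g);           // deoptimized path: 7
    OptimizedReader r2(g);
    bool recompiled = r2.compile(g);     // false: monotonic
    return {compiled, before, after, r.osrExited, recompiled, g.watchpoints.hasBeenInvalidated()};
}

int main() {
    Scenario s = runScenario();
    std::printf("folded=%lld after=%lld exited=%d recompiled=%d\n",
                (long long)s.before, (long long)s.after, (int)s.exited, (int)s.recompiled);
    return 0;
}
```

The security-relevant property is the same one the entry relies on: once a set has been invalidated it stays invalidated, so optimized code can never run with a stale constant, and a store that nobody watches costs only the byte test.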
2776
2777 2012-06-13  Sheriff Bot  <webkit.review.bot@gmail.com>
2778
2779         Unreviewed, rolling out r120172.
2780         http://trac.webkit.org/changeset/120172
2781         https://bugs.webkit.org/show_bug.cgi?id=88976
2782
2783         The patch causes compilation failures on Gtk, Qt and Apple Win
2784         bots (Requested by zdobersek on #webkit).
2785
2786         * CMakeLists.txt:
2787         * GNUmakefile.list.am:
2788         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2789         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2790         * JavaScriptCore.xcodeproj/project.pbxproj:
2791         * Target.pri:
2792         * assembler/ARMv7Assembler.h:
2793         (JSC::ARMv7Assembler::nop):
2794         (JSC::ARMv7Assembler::label):
2795         (JSC::ARMv7Assembler::readPointer):
2796         (ARMv7Assembler):
2797         * assembler/AbstractMacroAssembler.h:
2798         (JSC):
2799         (AbstractMacroAssembler):
2800         (Label):
2801         * assembler/AssemblerBuffer.h:
2802         * assembler/MacroAssemblerARM.h:
2803         * assembler/MacroAssemblerARMv7.h:
2804         (JSC::MacroAssemblerARMv7::nop):
2805         (JSC::MacroAssemblerARMv7::jump):
2806         (JSC::MacroAssemblerARMv7::makeBranch):
2807         * assembler/MacroAssemblerMIPS.h:
2808         * assembler/MacroAssemblerSH4.h:
2809         * assembler/MacroAssemblerX86.h:
2810         (MacroAssemblerX86):
2811         (JSC::MacroAssemblerX86::moveWithPatch):
2812         * assembler/MacroAssemblerX86Common.h:
2813         * assembler/MacroAssemblerX86_64.h:
2814         (JSC::MacroAssemblerX86_64::branchTest8):
2815         * assembler/X86Assembler.h:
2816         (JSC::X86Assembler::cmpb_im):
2817         (JSC::X86Assembler::codeSize):
2818         (JSC::X86Assembler::label):
2819         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
2820         * bytecode/CodeBlock.cpp:
2821         (JSC::CodeBlock::dump):
2822         * bytecode/CodeBlock.h:
2823         (JSC::CodeBlock::appendOSRExit):
2824         (JSC::CodeBlock::appendSpeculationRecovery):
2825         (DFGData):
2826         * bytecode/DFGExitProfile.h:
2827         (JSC::DFG::exitKindToString):
2828         (JSC::DFG::exitKindIsCountable):
2829         * bytecode/Instruction.h:
2830         * bytecode/Opcode.h:
2831         (JSC):
2832         (JSC::padOpcodeName):
2833         * bytecode/Watchpoint.cpp: Removed.
2834         * bytecode/Watchpoint.h: Removed.
2835         * bytecompiler/BytecodeGenerator.cpp:
2836         (JSC::ResolveResult::checkValidity):
2837         (JSC::BytecodeGenerator::addGlobalVar):
2838         (JSC::BytecodeGenerator::BytecodeGenerator):
2839         (JSC::BytecodeGenerator::resolve):
2840         (JSC::BytecodeGenerator::emitResolve):
2841         (JSC::BytecodeGenerator::emitResolveWithBase):
2842         (JSC::BytecodeGenerator::emitResolveWithThis):
2843         (JSC::BytecodeGenerator::emitGetStaticVar):
2844         (JSC::BytecodeGenerator::emitPutStaticVar):
2845         * bytecompiler/BytecodeGenerator.h:
2846         (BytecodeGenerator):
2847         * bytecompiler/NodesCodegen.cpp:
2848         (JSC::FunctionCallResolveNode::emitBytecode):
2849         (JSC::PostfixResolveNode::emitBytecode):
2850         (JSC::PrefixResolveNode::emitBytecode):
2851         (JSC::ReadModifyResolveNode::emitBytecode):
2852         (JSC::AssignResolveNode::emitBytecode):
2853         (JSC::ConstDeclNode::emitCodeSingle):
2854         * dfg/DFGAbstractState.cpp:
2855         (JSC::DFG::AbstractState::execute):
2856         (JSC::DFG::AbstractState::clobberStructures):
2857         * dfg/DFGAbstractState.h:
2858         (AbstractState):
2859         * dfg/DFGByteCodeParser.cpp:
2860         (JSC::DFG::ByteCodeParser::handleInlining):
2861         (JSC::DFG::ByteCodeParser::parseBlock):
2862         * dfg/DFGCCallHelpers.h:
2863         (JSC::DFG::CCallHelpers::setupArguments):
2864         * dfg/DFGCSEPhase.cpp:
2865         (JSC::DFG::CSEPhase::globalVarStoreElimination):
2866         (JSC::DFG::CSEPhase::performNodeCSE):
2867         * dfg/DFGCapabilities.h:
2868         (JSC::DFG::canCompileOpcode):
2869         * dfg/DFGConstantFoldingPhase.cpp:
2870         (JSC::DFG::ConstantFoldingPhase::run):
2871         * dfg/DFGCorrectableJumpPoint.h:
2872         * dfg/DFGJITCompiler.cpp:
2873         (JSC::DFG::JITCompiler::linkOSRExits):
2874         (JSC::DFG::JITCompiler::link):
2875         * dfg/DFGNode.h:
2876         (JSC::DFG::Node::hasRegisterPointer):
2877         * dfg/DFGNodeType.h:
2878         (DFG):
2879         * dfg/DFGOSRExit.cpp:
2880         (JSC::DFG::OSRExit::OSRExit):
2881         * dfg/DFGOSRExit.h:
2882         (OSRExit):
2883         * dfg/DFGOperations.cpp:
2884         * dfg/DFGOperations.h:
2885         * dfg/DFGPredictionPropagationPhase.cpp:
2886         (JSC::DFG::PredictionPropagationPhase::propagate):
2887         * dfg/DFGSpeculativeJIT.h:
2888         (JSC::DFG::SpeculativeJIT::callOperation):
2889         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2890         (JSC::DFG::SpeculativeJIT::speculationCheck):
2891         * dfg/DFGSpeculativeJIT32_64.cpp:
2892         (JSC::DFG::SpeculativeJIT::compile):
2893         * dfg/DFGSpeculativeJIT64.cpp:
2894         (JSC::DFG::SpeculativeJIT::compile):
2895         * jit/JIT.cpp:
2896         (JSC::JIT::privateCompileMainPass):
2897         (JSC::JIT::privateCompileSlowCases):
2898         * jit/JIT.h:
2899         * jit/JITPropertyAccess.cpp:
2900         * jit/JITPropertyAccess32_64.cpp:
2901         * jit/JITStubs.cpp:
2902         * jit/JITStubs.h:
2903         * llint/LLIntSlowPaths.cpp:
2904         * llint/LLIntSlowPaths.h:
2905         (LLInt):
2906         * llint/LowLevelInterpreter32_64.asm:
2907         * llint/LowLevelInterpreter64.asm:
2908         * runtime/JSObject.cpp:
2909         (JSC::JSObject::removeDirect):
2910         * runtime/JSObject.h:
2911         (JSObject):
2912         * runtime/JSSymbolTableObject.h:
2913         (JSC::symbolTableGet):
2914         (JSC::symbolTablePut):
2915         (JSC::symbolTablePutWithAttributes):
2916         * runtime/SymbolTable.cpp: Removed.
2917         * runtime/SymbolTable.h:
2918         (JSC):
2919         (JSC::SymbolTableEntry::isNull):
2920         (JSC::SymbolTableEntry::getIndex):
2921         (SymbolTableEntry):
2922         (JSC::SymbolTableEntry::getAttributes):
2923         (JSC::SymbolTableEntry::isReadOnly):
2924         (JSC::SymbolTableEntry::pack):
2925         (JSC::SymbolTableEntry::isValidIndex):
2926
2927 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
2928
2929         DFG should be able to set watchpoints on global variables
2930         https://bugs.webkit.org/show_bug.cgi?id=88692
2931
2932         Reviewed by Geoffrey Garen.
2933         
2934         This implements global variable constant folding by allowing the optimizing
2935         compiler to set a "watchpoint" on globals that it wishes to constant fold.
2936         If the watchpoint fires, then an OSR exit is forced by overwriting the
2937         machine code that the optimizing compiler generated with a jump.
2938         
2939         As such, this patch is adding quite a bit of stuff:
2940         
2941         - Jump replacement on those hardware targets supported by the optimizing
2942           JIT. It is now possible to patch in a jump instruction over any recorded
2943           watchpoint label. The jump must be "local" in the sense that it must be
2944           within the range of the largest jump distance supported by a one
2945           instruction jump.
2946           
2947         - WatchpointSets and Watchpoints. A Watchpoint is a doubly-linked list node
2948           that records the location where a jump must be inserted and the
2949           destination to which it should jump. Watchpoints can be added to a
2950           WatchpointSet. The WatchpointSet can be fired all at once, which plants
2951           all jumps. WatchpointSet also remembers if it had ever been invalidated,
2952           which allows for monotonicity: we typically don't want to optimize using
2953           watchpoints on something for which watchpoints had previously fired. The
2954           act of notifying a WatchpointSet has a trivial fast path in case no
2955           Watchpoints are registered (one-byte load+branch).
2956         
2957         - SpeculativeJIT::speculationWatchpoint(). It's like speculationCheck(),
2958           except that you don't have to emit branches. But, you need to know what
2959           WatchpointSet to add the resulting Watchpoint to. Not everything that
2960           you could write a speculationCheck() for will have a WatchpointSet that
2961           would get notified if the condition you were speculating against became
2962           invalid.
2963           
2964         - SymbolTableEntry now has the ability to refer to a WatchpointSet. It can
2965           do so without incurring any space overhead for those entries that don't
2966           have WatchpointSets.
2967           
2968         - The bytecode generator infers all global function variables to be
2969           watchable, and makes all stores perform the WatchpointSet's write check,
2970           and marks all loads as being potentially watchable (i.e. you can compile
2971           them to a watchpoint and a constant).
2972         
2973         Put together, this allows for fully sleazy inlining of calls to globally
2974         declared functions. The inline prologue will no longer contain the load of
2975         the function, or any checks of the function you're calling. I.e. it's
2976         pretty much like the kind of inlining you would see in Java or C++.
2977         Furthermore, the watchpointing functionality is built to be fairly general,
2978         and should allow setting watchpoints on all sorts of interesting things
2979         in the future.
2980         
2981         The sleazy inlining means that we will now sometimes inline in code paths
2982         that have never executed. Previously, to inline we would have either had
2983         to have executed the call (to read the call's inline cache) or have
2984         executed the method check (to read the method check's inline cache). Now,
2985         we might inline when the callee is a watched global variable. This
2986         revealed some humorous bugs. First, constant folding disagreed with CFA
2987         over what kinds of operations can clobber (example: code path A is dead
2988         but stores a String into variable X, all other code paths store 0 into
2989         X, and then you do CompareEq(X, 0) - CFA will say that this is a non-
2990         clobbering constant, but constant folding thought it was clobbering
2991         because it saw the String prediction). Second, inlining would crash if
2992         the inline callee had not been compiled. This patch fixes both bugs,
2993         since otherwise run-javascriptcore-tests would report regressions.
2994
2995         * CMakeLists.txt:
2996         * GNUmakefile.list.am:
2997         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2998         * JavaScriptCore.xcodeproj/project.pbxproj:
2999         * Target.pri:
3000         * assembler/ARMv7Assembler.h:
3001         (ARMv7Assembler):
3002         (JSC::ARMv7Assembler::ARMv7Assembler):
3003         (JSC::ARMv7Assembler::labelForWatchpoint):
3004         (JSC::ARMv7Assembler::label):
3005         (JSC::ARMv7Assembler::replaceWithJump):
3006         (JSC::ARMv7Assembler::maxJumpReplacementSize):
3007         * assembler/AbstractMacroAssembler.h:
3008         (JSC):
3009         (AbstractMacroAssembler):
3010         (Label):
3011         (JSC::AbstractMacroAssembler::watchpointLabel):
3012         * assembler/AssemblerBuffer.h:
3013         * assembler/MacroAssemblerARM.h:
3014         (JSC::MacroAssemblerARM::replaceWithJump):
3015         (MacroAssemblerARM):
3016         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
3017         * assembler/MacroAssemblerARMv7.h:
3018         (MacroAssemblerARMv7):
3019         (JSC::MacroAssemblerARMv7::replaceWithJump):
3020         (JSC::MacroAssemblerARMv7::maxJumpReplacementSize):
3021         (JSC::MacroAssemblerARMv7::branchTest8):
3022         (JSC::MacroAssemblerARMv7::jump):
3023         (JSC::MacroAssemblerARMv7::makeBranch):
3024         * assembler/MacroAssemblerMIPS.h:
3025         (JSC::MacroAssemblerMIPS::replaceWithJump):
3026         (MacroAssemblerMIPS):
3027         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
3028         * assembler/MacroAssemblerSH4.h:
3029         (JSC::MacroAssemblerSH4::replaceWithJump):
3030         (MacroAssemblerSH4):
3031         (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
3032         * assembler/MacroAssemblerX86.h:
3033         (MacroAssemblerX86):
3034         (JSC::MacroAssemblerX86::branchTest8):
3035         * assembler/MacroAssemblerX86Common.h:
3036         (JSC::MacroAssemblerX86Common::replaceWithJump):
3037         (MacroAssemblerX86Common):
3038         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
3039         * assembler/MacroAssemblerX86_64.h:
3040         (MacroAssemblerX86_64):
3041         (JSC::MacroAssemblerX86_64::branchTest8):
3042         * assembler/X86Assembler.h:
3043         (JSC::X86Assembler::X86Assembler):
3044         (X86Assembler):
3045         (JSC::X86Assembler::cmpb_im):
3046         (JSC::X86Assembler::testb_im):
3047         (JSC::X86Assembler::labelForWatchpoint):
3048         (JSC::X86Assembler::label):
3049         (JSC::X86Assembler::replaceWithJump):
3050         (JSC::X86Assembler::maxJumpReplacementSize):
3051         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
3052         * bytecode/CodeBlock.cpp:
3053         (JSC::CodeBlock::dump):
3054         * bytecode/CodeBlock.h:
3055         (JSC::CodeBlock::appendOSRExit):
3056         (JSC::CodeBlock::appendSpeculationRecovery):
3057         (CodeBlock):
3058         (JSC::CodeBlock::appendWatchpoint):
3059         (JSC::CodeBlock::numberOfWatchpoints):
3060         (JSC::CodeBlock::watchpoint):
3061         (DFGData):
3062         * bytecode/DFGExitProfile.h:
3063         (JSC::DFG::exitKindToString):
3064         (JSC::DFG::exitKindIsCountable):
3065         * bytecode/Instruction.h:
3066         (Instruction):
3067         (JSC::Instruction::Instruction):
3068         * bytecode/Opcode.h:
3069         (JSC):
3070         (JSC::padOpcodeName):
3071         * bytecode/Watchpoint.cpp: Added.
3072         (JSC):
3073         (JSC::Watchpoint::~Watchpoint):
3074         (JSC::Watchpoint::correctLabels):
3075         (JSC::Watchpoint::fire):
3076         (JSC::WatchpointSet::WatchpointSet):
3077         (JSC::WatchpointSet::~WatchpointSet):
3078         (JSC::WatchpointSet::add):
3079         (JSC::WatchpointSet::notifyWriteSlow):
3080         (JSC::WatchpointSet::fireAllWatchpoints):
3081         * bytecode/Watchpoint.h: Added.
3082         (JSC):
3083         (Watchpoint):
3084         (JSC::Watchpoint::Watchpoint):
3085         (JSC::Watchpoint::setDestination):
3086         (WatchpointSet):
3087         (JSC::WatchpointSet::isStillValid):
3088         (JSC::WatchpointSet::hasBeenInvalidated):
3089         (JSC::WatchpointSet::startWatching):
3090         (JSC::WatchpointSet::notifyWrite):
3091         (JSC::WatchpointSet::addressOfIsWatched):
3092         * bytecompiler/BytecodeGenerator.cpp:
3093         (JSC::ResolveResult::checkValidity):
3094         (JSC::BytecodeGenerator::addGlobalVar):
3095         (JSC::BytecodeGenerator::BytecodeGenerator):
3096         (JSC::BytecodeGenerator::resolve):
3097         (JSC::BytecodeGenerator::emitResolve):
3098         (JSC::BytecodeGenerator::emitResolveWithBase):
3099         (JSC::BytecodeGenerator::emitResolveWithThis):
3100         (JSC::BytecodeGenerator::emitGetStaticVar):
3101         (JSC::BytecodeGenerator::emitPutStaticVar):
3102         * bytecompiler/BytecodeGenerator.h:
3103         (BytecodeGenerator):
3104         * bytecompiler/NodesCodegen.cpp:
3105         (JSC::FunctionCallResolveNode::emitBytecode):
3106         (JSC::PostfixResolveNode::emitBytecode):
3107         (JSC::PrefixResolveNode::emitBytecode):
3108         (JSC::ReadModifyResolveNode::emitBytecode):
3109         (JSC::AssignResolveNode::emitBytecode):
3110         (JSC::ConstDeclNode::emitCodeSingle):
3111         * dfg/DFGAbstractState.cpp:
3112         (JSC::DFG::AbstractState::execute):
3113         (JSC::DFG::AbstractState::clobberStructures):
3114         * dfg/DFGAbstractState.h:
3115         (AbstractState):
3116         (JSC::DFG::AbstractState::didClobber):
3117         * dfg/DFGByteCodeParser.cpp:
3118         (JSC::DFG::ByteCodeParser::handleInlining):
3119         (JSC::DFG::ByteCodeParser::parseBlock):
3120         * dfg/DFGCCallHelpers.h:
3121         (CCallHelpers):
3122         (JSC::DFG::CCallHelpers::setupArguments):
3123         * dfg/DFGCSEPhase.cpp:
3124         (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
3125         (CSEPhase):
3126         (JSC::DFG::CSEPhase::globalVarStoreElimination):
3127         (JSC::DFG::CSEPhase::performNodeCSE):
3128         * dfg/DFGCapabilities.h:
3129         (JSC::DFG::canCompileOpcode):
3130         * dfg/DFGConstantFoldingPhase.cpp:
3131         (JSC::DFG::ConstantFoldingPhase::run):
3132         * dfg/DFGCorrectableJumpPoint.h:
3133         (JSC::DFG::CorrectableJumpPoint::isSet):
3134         (CorrectableJumpPoint):
3135         * dfg/DFGJITCompiler.cpp:
3136         (JSC::DFG::JITCompiler::linkOSRExits):
3137         (JSC::DFG::JITCompiler::link):
3138         * dfg/DFGNode.h:
3139         (JSC::DFG::Node::hasIdentifierNumberForCheck):
3140         (Node):
3141         (JSC::DFG::Node::identifierNumberForCheck):
3142         (JSC::DFG::Node::hasRegisterPointer):
3143         * dfg/DFGNodeType.h:
3144         (DFG):
3145         * dfg/DFGOSRExit.cpp:
3146         (JSC::DFG::OSRExit::OSRExit):
3147         * dfg/DFGOSRExit.h:
3148         (OSRExit):
3149         * dfg/DFGOperations.cpp:
3150         * dfg/DFGOperations.h:
3151         * dfg/DFGPredictionPropagationPhase.cpp:
3152         (JSC::DFG::PredictionPropagationPhase::propagate):
3153         * dfg/DFGSpeculativeJIT.h:
3154         (JSC::DFG::SpeculativeJIT::callOperation):
3155         (JSC::DFG::SpeculativeJIT::appendCall):
3156         (SpeculativeJIT):
3157         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
3158         * dfg/DFGSpeculativeJIT32_64.cpp:
3159         (JSC::DFG::SpeculativeJIT::compile):
3160         * dfg/DFGSpeculativeJIT64.cpp:
3161         (JSC::DFG::SpeculativeJIT::compile):
3162         * jit/JIT.cpp:
3163         (JSC::JIT::privateCompileMainPass):
3164         (JSC::JIT::privateCompileSlowCases):
3165         * jit/JIT.h:
3166         * jit/JITPropertyAccess.cpp:
3167         (JSC::JIT::emit_op_put_global_var_check):
3168         (JSC):
3169         (JSC::JIT::emitSlow_op_put_global_var_check):
3170         * jit/JITPropertyAccess32_64.cpp:
3171         (JSC::JIT::emit_op_put_global_var_check):
3172         (JSC):
3173         (JSC::JIT::emitSlow_op_put_global_var_check):
3174         * jit/JITStubs.cpp:
3175         (JSC::JITThunks::JITThunks):
3176         (JSC::DEFINE_STUB_FUNCTION):
3177         (JSC):
3178         * jit/JITStubs.h:
3179         * llint/LLIntSlowPaths.cpp:
3180         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3181         (LLInt):
3182         * llint/LLIntSlowPaths.h:
3183         (LLInt):
3184         * llint/LowLevelInterpreter32_64.asm:
3185         * llint/LowLevelInterpreter64.asm:
3186         * runtime/JSObject.cpp:
3187         (JSC::JSObject::removeDirect):
3188         * runtime/JSObject.h:
3189         (JSObject):
3190         * runtime/JSSymbolTableObject.h:
3191         (JSC::symbolTableGet):
3192         (JSC::symbolTablePut):
3193         (JSC::symbolTablePutWithAttributes):
3194         * runtime/SymbolTable.cpp: Added.
3195         (JSC):
3196         (JSC::SymbolTableEntry::copySlow):
3197         (JSC::SymbolTableEntry::freeFatEntrySlow):
3198         (JSC::SymbolTableEntry::couldBeWatched):
3199         (JSC::SymbolTableEntry::attemptToWatch):
3200         (JSC::SymbolTableEntry::addressOfIsWatched):
3201         (JSC::SymbolTableEntry::addWatchpoint):
3202         (JSC::SymbolTableEntry::notifyWriteSlow):
3203         (JSC::SymbolTableEntry::inflateSlow):
3204         * runtime/SymbolTable.h:
3205         (JSC):
3206         (SymbolTableEntry):
3207         (Fast):
3208         (JSC::SymbolTableEntry::Fast::Fast):
3209         (JSC::SymbolTableEntry::Fast::isNull):
3210         (JSC::SymbolTableEntry::Fast::getIndex):
3211         (JSC::SymbolTableEntry::Fast::isReadOnly):
3212         (JSC::SymbolTableEntry::Fast::getAttributes):
3213         (JSC::SymbolTableEntry::Fast::isFat):
3214         (JSC::SymbolTableEntry::SymbolTableEntry):
3215         (JSC::SymbolTableEntry::~SymbolTableEntry):
3216         (JSC::SymbolTableEntry::operator=):
3217         (JSC::SymbolTableEntry::isNull):
3218         (JSC::SymbolTableEntry::getIndex):
3219         (JSC::SymbolTableEntry::getFast):
3220         (JSC::SymbolTableEntry::getAttributes):
3221         (JSC::SymbolTableEntry::isReadOnly):
3222         (JSC::SymbolTableEntry::watchpointSet):
3223         (JSC::SymbolTableEntry::notifyWrite):
3224         (FatEntry):
3225         (JSC::SymbolTableEntry::FatEntry::FatEntry):
3226         (JSC::SymbolTableEntry::isFat):
3227         (JSC::SymbolTableEntry::fatEntry):
3228         (JSC::SymbolTableEntry::inflate):
3229         (JSC::SymbolTableEntry::bits):
3230         (JSC::SymbolTableEntry::freeFatEntry):
3231         (JSC::SymbolTableEntry::pack):
3232         (JSC::SymbolTableEntry::isValidIndex):
3233
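The watchpoint protocol the entry above describes, as an added stand-alone model (example code, not JavaScriptCore's own): a WatchpointSet whose state fits in one byte so the store-side check is a byte load plus a branch, a monotonic Clear -> Watched -> Invalidated life cycle so a set that has fired can never be folded on again, and watchpoints that fire all at once on the first write. The real engine fires a watchpoint by patching a jump over the recorded label (replaceWithJump); this model fires a callback that marks the folded code invalid instead. ModelWatchpoint, ModelWatchpointSet, WatchedGlobal, FoldedCode, compileWithFold, read and runScenario are hypothetical names, and the values 42, 7 and 1 are constructed inputs.

```cpp
// Added example, not JavaScriptCore code: a stand-alone model of the
// Watchpoint / WatchpointSet protocol. All names are hypothetical; the real
// engine fires a watchpoint by patching in a jump, this model uses a callback.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <list>
#include <utility>

// In the engine a Watchpoint records a code location and a jump destination.
struct ModelWatchpoint {
    std::function<void()> fire;
};

class ModelWatchpointSet {
public:
    // One byte of state: the store-side check is a byte load plus a branch.
    // Monotonic: Clear -> Watched -> Invalidated, never back.
    enum State : uint8_t { Clear = 0, Watched = 1, Invalidated = 2 };

    bool isStillValid() const { return m_state != Invalidated; }
    bool hasBeenInvalidated() const { return m_state == Invalidated; }

    // Refuses once the set has fired: nothing would notify a later folder.
    bool startWatching() {
        if (m_state == Invalidated)
            return false;
        m_state = Watched;
        return true;
    }

    // Registers a watchpoint; registers nothing on an invalidated set.
    bool add(ModelWatchpoint wp) {
        if (!startWatching())
            return false;
        m_watchpoints.push_back(std::move(wp));
        return true;
    }

    // Called on every store. Fast path: not watched, return immediately.
    void notifyWrite() {
        if (m_state != Watched)
            return;
        notifyWriteSlow();
    }

    size_t count() const { return m_watchpoints.size(); }

private:
    // Fire everything at once; the set stays Invalidated forever after.
    void notifyWriteSlow() {
        m_state = Invalidated;
        for (auto& wp : m_watchpoints)
            wp.fire();
        m_watchpoints.clear();
    }

    State m_state = Clear;
    std::list<ModelWatchpoint> m_watchpoints;
};

// A global variable slot plus its set, standing in for a SymbolTableEntry.
// Every store goes through notifyWrite, as the entry's write check does.
struct WatchedGlobal {
    int64_t value = 0;
    ModelWatchpointSet set;
    void store(int64_t v) { value = v; set.notifyWrite(); }
};

// Optimized code that folded a global to a constant. `valid` models the
// generated code still being live; firing the watchpoint is the OSR exit.
struct FoldedCode {
    int64_t constant = 0;
    bool valid = false;
};

// The optimizer: fold g into `code` and register a watchpoint on its set.
// Returns false when the set has already fired; the caller must then load.
inline bool compileWithFold(WatchedGlobal& g, FoldedCode& code) {
    if (!g.set.isStillValid())
        return false;
    code.constant = g.value;
    code.valid = g.set.add(ModelWatchpoint{[&code] { code.valid = false; }});
    return code.valid;
}

// Execute: use the folded constant while live, else read the real slot.
inline int64_t read(const WatchedGlobal& g, const FoldedCode& code) {
    return code.valid ? code.constant : g.value;
}

struct ScenarioResult {
    size_t watchpointsRegistered;
    int64_t readBeforeWrite;
    bool codeValidAfterWrite;
    int64_t readAfterWrite;
    bool refoldAllowed;
    bool unwatchedStaysValid;
};

// Constructed scenario: fold g (42), store 7 through the checked path, see
// the exit, then show re-folding is refused and an unwatched store is free.
inline ScenarioResult runScenario() {
    ScenarioResult r{};
    WatchedGlobal g;
    g.value = 42;
    FoldedCode code;
    compileWithFold(g, code);
    r.watchpointsRegistered = g.set.count();
    r.readBeforeWrite = read(g, code);
    g.store(7);
    r.codeValidAfterWrite = code.valid;
    r.readAfterWrite = read(g, code);
    FoldedCode again;
    r.refoldAllowed = compileWithFold(g, again);
    WatchedGlobal h;
    h.store(1);
    r.unwatchedStaysValid = h.set.isStillValid() && h.set.count() == 0;
    return r;
}
```

The check a reviewer would carry back to the real code follows from the model: every store to a watchable global must take the write-check path (here WatchedGlobal::store), since a store that bypasses notifyWrite leaves optimized code running on a stale constant, and the optimizer must consult isStillValid before folding, because a set that has already fired will never notify anyone again.
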
3234 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
3235
3236         Unreviewed build fix for ARMv7 debug builds.
3237
3238         * jit/JITStubs.cpp:
3239         (JSC::JITThunks::JITThunks):
3240
3241 2012-06-12  Geoffrey Garen  <ggaren@apple.com>
3242
3243         Build fix for case-sensitive file systems: use the right case.
3244
3245         * heap/ListableHandler.h:
3246
3247 2012-06-11  Geoffrey Garen  <ggaren@apple.com>
3248
3249         GC should be 1.7X faster
3250         https://bugs.webkit.org/show_bug.cgi?id=88840
3251
3252         Reviewed by Oliver Hunt.
3253
3254         I profiled, and removed anything that showed up as a concurrency
3255         bottleneck. Then, I added 3 threads to our max thread count, since we
3256         can scale up to more threads now.
3257
3258         * heap/BlockAllocator.cpp:
3259         (JSC::BlockAllocator::BlockAllocator):
3260         (JSC::BlockAllocator::~BlockAllocator):
3261         (JSC::BlockAllocator::releaseFreeBlocks):
3262         (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
3263         (JSC::BlockAllocator::waitForRelativeTime):
3264         (JSC::BlockAllocator::blockFreeingThreadMain):
3265         * heap/BlockAllocator.h:
3266         (BlockAllocator):
3267         (JSC::BlockAllocator::allocate):
3268         (JSC::BlockAllocator::deallocate): Use a spin lock for the common case
3269         where we're just popping a linked list. (A pthread mutex would sleep our
3270         thread even if the lock were only contended for a microsecond.) 
3271
3272         Scope the lock to avoid holding it while allocating VM, since that's a
3273         slow activity and it doesn't modify any of our data structures.
3274
3275         We still use a pthread mutex to handle our condition variable since we
3276         have to, and it's not a hot path.
3277
3278         * heap/CopiedSpace.cpp:
3279         (JSC::CopiedSpace::CopiedSpace):
3280         (JSC::CopiedSpace::doneFillingBlock):
3281         * heap/CopiedSpace.h:
3282         (JSC::CopiedSpace::CopiedSpace): Use a spin lock for the to space lock,
3283         since it just guards linked list and hash table manipulation.
3284
3285         * heap/MarkStack.cpp:
3286         (JSC::MarkStackSegmentAllocator::MarkStackSegmentAllocator):
3287         (JSC::MarkStackSegmentAllocator::allocate):
3288         (JSC::MarkStackSegmentAllocator::release):
3289         (JSC::MarkStackSegmentAllocator::shrinkReserve): Use a spin lock, since
3290         we're just managing a linked list.
3291
3292         (JSC::MarkStackArray::donateSomeCellsTo): Changed donation to be proportional
3293         to our current stack size. This fixes cases where we used to donate too
3294         much. Interestingly, donating too much was starving the donor (when it
3295         ran out of work later) *and* the recipient (since it had to wait on a
3296         long donation operation to complete before it could acquire the lock).
3297
3298         In the worst case, we're still guaranteed to donate N cells in roughly log N time.
3299
3300         This change also fixes cases where we used to donate too little, since
3301         we would always keep a fixed minimum number of cells. In the worst case,
3302         with N marking threads, we could have N large object graph roots in
3303         our stack for the duration of GC, and scale to only 1 thread.
3304
3305         It's an interesting observation that a single object in the mark stack
3306         might represent an arbitrarily large object graph -- and only the act
3307         of marking can find out.
3308
3309         (JSC::MarkStackArray::stealSomeCellsFrom): Steal in proportion to idle
3310         threads. Once again, this fixes cases where constants could cause us
3311         to steal too much or too little.
3312
3313         (JSC::SlotVisitor::donateKnownParallel): Always wake up other threads
3314         if they're idle. We can afford to do this because we're conservative
3315         about when we donate.
3316
3317         (JSC::SlotVisitor::drainFromShared):
3318         * heap/MarkStack.h:
3319         (MarkStackSegmentAllocator):
3320         (MarkStackArray):
3321         (JSC):
3322         * heap/SlotVisitor.h: Merged the "should I donate?" decision into a
3323         single function, for simplicity.
3324
3325         * runtime/Options.cpp:
3326         (minimumNumberOfScansBetweenRebalance): Reduced the delay before donation
3327         a lot. We can afford to do this because, in the common case, donation is
3328         a single branch that decides not to donate. 
3329
3330         (cpusToUse): Use more CPUs now, since we scale better now.
3331
3332         * runtime/Options.h:
3333         (Options): Removed now-unused variables.
3334
3335 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
3336
3337         REGRESSION(120121): inspector tests crash in DFG
3338         https://bugs.webkit.org/show_bug.cgi?id=88941
3339
3340         Reviewed by Geoffrey Garen.
3341         
3342         The CFG simplifier has two different ways of fixing up GetLocal, Phantom, and Flush. If we've
3343         already fixed up the node one way, we shouldn't try the other way. The reason why we shouldn't
3344         is that the second way depends on the node referring to other nodes in the to-be-jettisoned
3345         block. After fixup they potentially will refer to nodes in the block being merged to.
3346
3347         * dfg/DFGCFGSimplificationPhase.cpp:
3348         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
3349         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3350
3351 2012-06-12  Leo Yang  <leo.yang@torchmobile.com.cn>
3352
3353         Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads
3354         https://bugs.webkit.org/show_bug.cgi?id=87334
3355
3356         Reviewed by Geoffrey Garen.
3357
3358         Add a copy member function to JSC::HashTable. This function will copy all data
3359         members except for *table*, which contains thread-specific data that prevents
3360         us from copying it. When you want to copy a JSC::HashTable that was constructed
3361         on another thread you should call JSC::HashTable::copy().
3362
3363         * runtime/Lookup.h:
3364         (JSC::HashTable::copy):
3365         (HashTable):
3366
3367 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
3368
3369         DFG should not ASSERT if you have a double use of a variable that is not revealed to be a double
3370         until after CFG simplification
3371         https://bugs.webkit.org/show_bug.cgi?id=88927
3372         <rdar://problem/11513971>
3373
3374         Reviewed by Geoffrey Garen.
3375         
3376         Speculation fixup needs to run if simplification did things, because simplification can change
3377         predictions - particularly if you had a control flow path that stored weird things into a
3378         variable, but that path got axed by the simplifier.
3379         
3380         Running fixup in the fixpoint requires making it idempotent, which it previously wasn't. Only
3381         one place needed to be changed, namely the un-MustGenerate-ion of ValueToInt32.
3382
3383         * dfg/DFGDriver.cpp:
3384         (JSC::DFG::compile):
3385         * dfg/DFGFixupPhase.cpp:
3386         (JSC::DFG::FixupPhase::fixupNode):
3387
3388 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
3389
3390         REGRESSION (r119779): Javascript TypeError: 'undefined' is not an object
3391         https://bugs.webkit.org/show_bug.cgi?id=88783
3392         <rdar://problem/11640299>
3393
3394         Reviewed by Geoffrey Garen.
3395         
3396         If you don't keep alive the base of an object access over the various checks
3397         you do for the prototype chain, you're going to have a bad time.
3398
3399         * dfg/DFGByteCodeParser.cpp:
3400         (JSC::DFG::ByteCodeParser::handleGetById):
3401
3402 2012-06-12  Hojong Han  <hojong.han@samsung.com>
3403
3404         Property names of the built-in object cannot be retrieved 
3405         after trying to delete one of its properties
3406         https://bugs.webkit.org/show_bug.cgi?id=86461
3407
3408         Reviewed by Gavin Barraclough.
3409
3410         * runtime/JSObject.cpp:
3411         (JSC::getClassPropertyNames):
3412         (JSC::JSObject::getOwnPropertyNames):
3413
3414 2012-06-11  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3415
3416         [CMAKE][EFL] Remove duplicated executable output path
3417         https://bugs.webkit.org/show_bug.cgi?id=88765
3418
3419         Reviewed by Daniel Bates.
3420
3421         CMake files for the EFL port redefine the executable output path. However, the EFL
3422         port doesn't need to define it again because it is already defined in the top-level CMake file.
3423
3424         * shell/CMakeLists.txt:
3425
3426 2012-06-11  Carlos Garcia Campos  <cgarcia@igalia.com>
3427
3428         Unreviewed. Fix make distcheck issues.
3429
3430         * GNUmakefile.list.am: Remove non-existent header file.
3431
3432 2012-06-10  Patrick Gansterer  <paroga@webkit.org>
3433
3434         Unreviewed. Build fix for !ENABLE(JIT) after r119844 and r119925.
3435
3436         * runtime/Executable.h:
3437         (ExecutableBase):
3438         (JSC::ExecutableBase::clearCodeVirtual):
3439
3440 2012-06-10  Patrick Gansterer  <paroga@webkit.org>
3441
3442         Unreviewed. Build fix for !ENABLE(JIT) after r119844.
3443
3444         * runtime/Executable.h:
3445         (ExecutableBase):
3446         (JSC):
3447
3448 2012-06-09  Dominic Cooney  <dominicc@chromium.org>
3449
3450         [Chromium] Remove JavaScriptCore dependencies from gyp
3451         https://bugs.webkit.org/show_bug.cgi?id=88510
3452
3453         Reviewed by Adam Barth.
3454
3455         Chromium doesn't support JSC any more and there doesn't seem to be
3456         a strong interest in using GYP as the common build system in other
3457         ports.
3458
3459         * JavaScriptCore.gyp/JavaScriptCore.gyp: WebCore still depends on YARR interpreter.
3460         * JavaScriptCore.gypi: Only include YARR source.
3461         * gyp/JavaScriptCore.gyp: Removed.
3462         * gyp/gtk.gyp: Removed.
3463
3464 2012-06-09  Geoffrey Garen  <ggaren@apple.com>
3465
3466         Unreviewed, rolling back in part 2 of r118646.
3467
3468         This patch removes eager finalization.
3469
3470         Weak pointer finalization should be lazy
3471         https://bugs.webkit.org/show_bug.cgi?id=87599
3472
3473         Reviewed by Sam Weinig.
3474
3475         * heap/Heap.cpp:
3476         (JSC::Heap::collect): Don't finalize eagerly -- we'll do it lazily.
3477
3478         * heap/MarkedBlock.cpp:
3479         (JSC::MarkedBlock::sweep): Do sweep weak sets when sweeping a block,
3480         since we won't get another chance.
3481
3482         * heap/MarkedBlock.h:
3483         (JSC::MarkedBlock::sweepWeakSet):
3484         * heap/MarkedSpace.cpp:
3485         (MarkedSpace::WeakSetSweep):
3486         * heap/MarkedSpace.h:
3487         (JSC::MarkedSpace::sweepWeakSets): Removed now-unused code.
3488
3489 2012-06-09  Sukolsak Sakshuwong  <sukolsak@google.com>
3490
3491         Add UNDO_MANAGER flag
3492         https://bugs.webkit.org/show_bug.cgi?id=87908
3493
3494         Reviewed by Tony Chang.
3495
3496         * Configurations/FeatureDefines.xcconfig:
3497
3498 2012-06-08  Geoffrey Garen  <ggaren@apple.com>
3499
3500         Unreviewed, rolling back in part1 of r118646.
3501
3502         This patch includes everything necessary for lazy finalization, but
3503         keeps eager finalization enabled for the time being.
3504
3505         Weak pointer finalization should be lazy
3506         https://bugs.webkit.org/show_bug.cgi?id=87599
3507
3508         Reviewed by Sam Weinig.
3509
3510         * heap/MarkedBlock.cpp:
3511         * heap/MarkedBlock.h:
3512         (JSC::MarkedBlock::resetAllocator):
3513         * heap/MarkedSpace.cpp:
3514         (JSC::MarkedSpace::resetAllocators):
3515         * heap/MarkedSpace.h:
3516         (JSC::MarkedSpace::resetAllocators): Don't force allocator reset anymore.
3517         It will happen automatically when a weak set is swept. It's simpler to
3518         have only one canonical way for this to happen, and it wasn't buying
3519         us anything to do it eagerly.
3520         * heap/WeakBlock.cpp:
3521         (JSC::WeakBlock::sweep): Don't short-circuit a sweep unless we know
3522         the sweep would be a no-op. If even one finalizer is pending, we need to
3523         run it, since we won't get another chance.
3524         * heap/WeakSet.cpp:
3525         (JSC::WeakSet::sweep): This loop can be simpler now that
3526         WeakBlock::sweep() does what we mean.
3527         Reset our allocator after a sweep because this is the optimal time to
3528         start trying to recycle old weak pointers.
3529         (JSC::WeakSet::tryFindAllocator): Don't sweep when searching for an
3530         allocator because we've swept already, and forcing a new sweep would be
3531         wasteful.
3532         * heap/WeakSet.h:
3533         (JSC::WeakSet::shrink): Be sure to reset our allocator after a shrink
3534         because the shrink may have removed the block the allocator was going to
3535         allocate out of.
3536
3537 2012-06-08  Gavin Barraclough  <barraclough@apple.com>
3538
3539         Unreviewed roll out r119795.
3540         
3541         This broke jquery/core.html
3542
3543         * dfg/DFGSpeculativeJIT.h:
3544         (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
3545         * jit/JITInlineMethods.h:
3546         (JSC::JIT::emitAllocateBasicJSObject):
3547         * llint/LowLevelInterpreter.asm:
3548         * runtime/JSGlobalData.h:
3549         (JSGlobalData):
3550         * runtime/JSGlobalThis.cpp:
3551         (JSC::JSGlobalThis::setUnwrappedObject):
3552         * runtime/JSObject.cpp:
3553         (JSC::JSObject::visitChildren):
3554         (JSC::JSObject::createInheritorID):
3555         * runtime/JSObject.h:
3556         (JSObject):
3557         (JSC::JSObject::resetInheritorID):
3558         (JSC):
3559         (JSC::JSObject::offsetOfInheritorID):
3560         (JSC::JSObject::inheritorID):
3561
3562 2012-06-08  Filip Pizlo  <fpizlo@apple.com>
3563
3564         PredictedType should be called SpeculatedType
3565         https://bugs.webkit.org/show_bug.cgi?id=88477
3566
3567         Unreviewed, fix a renaming goof from http://trac.webkit.org/changeset/119660.
3568         I accidentally renamed ByteCodeParser::getPrediction to
3569         ByteCodeParser::getSpeculation.  That was not the intent. This changes it
3570         back.
3571
3572         * dfg/DFGByteCodeParser.cpp:
3573         (JSC::DFG::ByteCodeParser::addCall):
3574         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3575         (JSC::DFG::ByteCodeParser::getPrediction):
3576         (JSC::DFG::ByteCodeParser::handleCall):
3577         (JSC::DFG::ByteCodeParser::parseBlock):
3578
3579 2012-06-08  Andy Wingo  <wingo@igalia.com>
3580
3581         Explicitly mark stubs called by JIT as being internal
3582         https://bugs.webkit.org/show_bug.cgi?id=88552
3583
3584         Reviewed by Filip Pizlo.
3585
3586         * dfg/DFGOSRExitCompiler.h:
3587         * dfg/DFGOperations.cpp:
3588         * dfg/DFGOperations.h:
3589         * jit/HostCallReturnValue.h:
3590         * jit/JITStubs.cpp:
3591         * jit/JITStubs.h:
3592         * jit/ThunkGenerators.cpp:
3593         * llint/LLIntSlowPaths.h: Mark a bunch of stubs as being
3594         WTF_INTERNAL.  Change most calls to SYMBOL_STRING_RELOCATION to
3595         LOCAL_REFERENCE, or GLOBAL_REFERENCE in the case of the wrappers
3596         to truly global symbols.
3597         * offlineasm/asm.rb: Generate LOCAL_REFERENCE instead of
3598         SYMBOL_STRING_RELOCATION.
3599
3600 2012-06-08  Geoffrey Garen  <ggaren@apple.com>
3601
3602         Don't rely on weak pointers for eager CodeBlock finalization
3603         https://bugs.webkit.org/show_bug.cgi?id=88465
3604
3605         Reviewed by Gavin Barraclough.
3606
3607         This is incompatible with lazy weak pointer finalization.
3608
3609         I considered just making CodeBlock finalization lazy-friendly, but it
3610         turns out that the heap is already way up in CodeBlock's business when
3611         it comes to finalization, so I decided to finish the job and move full
3612         responsibility for CodeBlock finalization into the heap.
3613
3614         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Maybe this
3615         will build.
3616
3617         * debugger/Debugger.cpp: Updated for rename.
3618
3619         * heap/Heap.cpp:
3620         (JSC::Heap::deleteAllCompiledCode): Renamed for consistency. Fixed a bug
3621         where we would not delete code for a code block that had been previously
3622         jettisoned. I don't know if this happens in practice -- I mostly did
3623         this to improve consistency with deleteUnmarkedCompiledCode.
3624
3625         (JSC::Heap::deleteUnmarkedCompiledCode): New function, responsible for
3626         eager finalization of unmarked code blocks.
3627
3628         (JSC::Heap::collect): Updated for rename. Updated to call
3629         deleteUnmarkedCompiledCode(), which takes care of jettisoned DFG code
3630         blocks too.
3631
3632         (JSC::Heap::addCompiledCode): Renamed, since this points to all code
3633         now, not just functions.
3634
3635         * heap/Heap.h:
3636         (Heap): Keep track of all user code, not just functions. This is a
3637         negligible additional overhead, since most code is function code.
3638
3639         * runtime/Executable.cpp:
3640         (JSC::*::finalize): Removed these functions, since we don't rely on
3641         weak pointer finalization anymore.
3642
3643         (JSC::FunctionExecutable::FunctionExecutable): Moved linked-list stuff
3644         into base class so all executables can be in the list.
3645
3646         (JSC::EvalExecutable::clearCode):
3647         (JSC::ProgramExecutable::clearCode):
3648         (JSC::FunctionExecutable::clearCode): All we need to do is delete our
3649         CodeBlock -- that will delete all of its internal data structures.
3650
3651         (JSC::FunctionExecutable::clearCodeIfNotCompiling): Factored out a helper
3652         function to improve clarity.
3653
3654         * runtime/Executable.h:
3655         (JSC::ExecutableBase): Moved linked-list stuff
3656         into base class so all executables can be in the list.
3657
3658         (JSC::NativeExecutable::create):
3659         (NativeExecutable):
3660         (ScriptExecutable):
3661         (JSC::ScriptExecutable::finishCreation):
3662         (JSC::EvalExecutable::create):
3663         (EvalExecutable):
3664         (JSC::ProgramExecutable::create):
3665         (ProgramExecutable):
3666         (FunctionExecutable):
3667         (JSC::FunctionExecutable::create): Don't use a finalizer -- the heap
3668         will call us back to destroy our code block.
3669
3670         (JSC::FunctionExecutable::discardCode): Renamed to clearCodeIfNotCompiling()
3671         for clarity.
3672
3673         (JSC::FunctionExecutable::isCompiling): New helper function, for clarity.
3674
3675         (JSC::ScriptExecutable::clearCodeVirtual): New helper function, since
3676         the heap needs to make polymorphic calls to clear code.
3677
3678         * runtime/JSGlobalData.cpp:
3679         (JSC::StackPreservingRecompiler::operator()):
3680         * runtime/JSGlobalObject.cpp:
3681         (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Updated for
3682         renames.
3683
3684 2012-06-07  Filip Pizlo  <fpizlo@apple.com>
3685
3686         DFG should inline prototype chain accesses, and do the right things if the
3687         specific function optimization is available
3688         https://bugs.webkit.org/show_bug.cgi?id=88594
3689
3690         Reviewed by Gavin Barraclough.
3691         
3692         Looks like a 3% win on V8.
3693
3694         * bytecode/CodeBlock.h:
3695         (JSC::Structure::prototypeForLookup):
3696         (JSC):
3697         * bytecode/GetByIdStatus.cpp:
3698         (JSC::GetByIdStatus::computeFromLLInt):
3699         (JSC):
3700         (JSC::GetByIdStatus::computeForChain):
3701         (JSC::GetByIdStatus::computeFor):
3702         * bytecode/GetByIdStatus.h:
3703         (JSC::GetByIdStatus::GetByIdStatus):
3704         (JSC::GetByIdStatus::isSimple):
3705         (JSC::GetByIdStatus::chain):
3706         (JSC::GetByIdStatus::specificValue):
3707         (GetByIdStatus):
3708         * bytecode/StructureSet.h:
3709         (StructureSet):
3710         (JSC::StructureSet::singletonStructure):
3711         * bytecode/StructureStubInfo.h:
3712         (JSC::StructureStubInfo::initGetByIdProto):
3713         (JSC::StructureStubInfo::initGetByIdChain):
3714         * dfg/DFGByteCodeParser.cpp:
3715         (JSC::DFG::ByteCodeParser::handleGetById):
3716         * dfg/DFGRepatch.cpp:
3717         (JSC::DFG::tryCacheGetByID):
3718         * jit/JITStubs.cpp:
3719         (JSC::JITThunks::tryCacheGetByID):
3720         * runtime/JSGlobalObject.h:
3721         (JSC::Structure::prototypeForLookup):
3722         (JSC):
3723         * runtime/Structure.h:
3724         (Structure):
3725
3726 2012-06-07  Gavin Barraclough  <barraclough@apple.com>
3727
3728         Remove JSObject::m_inheritorID
3729         https://bugs.webkit.org/show_bug.cgi?id=88378
3730
3731         Reviewed by Geoff Garen.
3732
3733         This is rarely used, and not performance critical (the commonly accessed copy is cached on JSFunction),
3734         and most objects don't need an inheritorID (this value is only used if the object is used as a prototype).
3735         Instead use a private named value in the object's property storage.
3736
3737         * dfg/DFGSpeculativeJIT.h:
3738         (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
3739             - No need to initialize m_inheritorID!
3740         * jit/JITInlineMethods.h:
3741         (JSC::JIT::emitAllocateBasicJSObject):
3742             - No need to initialize m_inheritorID!
3743         * llint/LowLevelInterpreter.asm:
3744             - No need to initialize m_inheritorID!
3745         * runtime/JSGlobalData.h:
3746         (JSGlobalData):
3747             - Added private name 'm_inheritorIDKey'.
3748         * runtime/JSGlobalThis.cpp:
3749         (JSC::JSGlobalThis::setUnwrappedObject):
3750             - resetInheritorID is now passed a JSGlobalData&.
3751         * runtime/JSObject.cpp:
3752         (JSC::JSObject::visitChildren):
3753             - No m_inheritorID to be marked.
3754         (JSC::JSObject::createInheritorID):
3755             - Store the newly created inheritorID in the property map.
3756         * runtime/JSObject.h:
3757         (JSC::JSObject::resetInheritorID):
3758             - Remove the inheritorID from property storage.
3759         (JSC::JSObject::inheritorID):
3760             - Read the inheritorID from property storage.
3761
3762 2012-06-07  Gavin Barraclough  <barraclough@apple.com>
3763
3764         Math.pow on iOS does not support denormal numbers.
3765         https://bugs.webkit.org/show_bug.cgi?id=88592
3766
3767         Reviewed by Filip Pizlo.
3768
3769         Import an implementation from fdlibm, detect cases where it is safe to use the system
3770         implementation & where we should fall back to fdlibm.
3771
3772         * runtime/MathObject.cpp:
3773         (JSC::isDenormal):
3774         (JSC::isEdgeCase):
3775         (JSC::mathPow):
3776             - On iOS, detect cases where denormal support may be required & use fdlibm in these cases.
3777         (JSC::mathProtoFuncPow):
3778             - Changed to use mathPow.
3779         (JSC::fdlibmScalbn):
3780         (JSC::fdlibmPow):
3781             - These functions are imported from fdlibm; original style retained to ease future merging.
3782
3783 2012-06-07  Patrick Gansterer  <paroga@webkit.org>
3784
3785         Unreviewed. Build fix for !ENABLE(JIT) after r119441.
3786
3787         * interpreter/Interpreter.cpp:
3788         (JSC::Interpreter::privateExecute):
3789
3790 2012-06-07  Andy Wingo  <wingo@igalia.com>
3791
3792         Unreviewed build fix after r119593.
3793
3794         * llint/LLIntOfflineAsmConfig.h (OFFLINE_ASM_GLOBAL_LABEL): Fix
3795         uses of "name" to be "label", the macro's parameter.  Otherwise we
3796         serialize mentions of the literal symbol "name" into the objcode.
3797         Causes a build error using GNU ld (not gold).
3798
3799 2012-06-06  Ryosuke Niwa  <rniwa@webkit.org>
3800
3801         Chromium build fix attempt. Why do we need to list these files in gyp!?
3802
3803         * JavaScriptCore.gypi:
3804
3805 2012-06-06  Filip Pizlo  <fpizlo@apple.com>
3806
3807         PredictedType should be called SpeculatedType
3808         https://bugs.webkit.org/show_bug.cgi?id=88477
3809
3810         Rubber stamped by Gavin Barraclough.
3811
3812         * CMakeLists.txt:
3813         * GNUmakefile.list.am:
3814         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3815         * JavaScriptCore.xcodeproj/project.pbxproj:
3816         * Target.pri:
3817         * bytecode/CodeBlock.cpp:
3818         (JSC::CodeBlock::shouldOptimizeNow):
3819         (JSC::CodeBlock::dumpValueProfiles):
3820         * bytecode/CodeBlock.h:
3821         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
3822         * bytecode/LazyOperandValueProfile.cpp:
3823         (JSC::LazyOperandValueProfileParser::prediction):
3824         * bytecode/LazyOperandValueProfile.h:
3825         (LazyOperandValueProfileParser):
3826         * bytecode/PredictedType.cpp: Removed.
3827         * bytecode/PredictedType.h: Removed.
3828         * bytecode/SpeculatedType.cpp: Copied from Source/JavaScriptCore/bytecode/PredictedType.cpp.
3829         (JSC::speculationToString):
3830         (JSC::speculationToAbbreviatedString):
3831         (JSC::speculationFromClassInfo):
3832         (JSC::speculationFromStructure):
3833         (JSC::speculationFromCell):
3834         (JSC::speculationFromValue):
3835         * bytecode/SpeculatedType.h: Copied from Source/JavaScriptCore/bytecode/PredictedType.h.
3836         (JSC):
3837         (JSC::isAnySpeculation):
3838         (JSC::isCellSpeculation):
3839         (JSC::isObjectSpeculation):
3840         (JSC::isFinalObjectSpeculation):
3841         (JSC::isFinalObjectOrOtherSpeculation):
3842         (JSC::isFixedIndexedStorageObjectSpeculation):
3843         (JSC::isStringSpeculation):
3844         (JSC::isArraySpeculation):
3845         (JSC::isFunctionSpeculation):
3846         (JSC::isInt8ArraySpeculation):
3847         (JSC::isInt16ArraySpeculation):
3848         (JSC::isInt32ArraySpeculation):
3849         (JSC::isUint8ArraySpeculation):
3850         (JSC::isUint8ClampedArraySpeculation):
3851         (JSC::isUint16ArraySpeculation):
3852         (JSC::isUint32ArraySpeculation):
3853         (JSC::isFloat32ArraySpeculation):
3854         (JSC::isFloat64ArraySpeculation):
3855         (JSC::isArgumentsSpeculation):
3856         (JSC::isActionableIntMutableArraySpeculation):
3857         (JSC::isActionableFloatMutableArraySpeculation):
3858         (JSC::isActionableTypedMutableArraySpeculation):
3859         (JSC::isActionableMutableArraySpeculation):
3860         (JSC::isActionableArraySpeculation):
3861         (JSC::isArrayOrOtherSpeculation):
3862         (JSC::isMyArgumentsSpeculation):
3863         (JSC::isInt32Speculation):
3864         (JSC::isDoubleRealSpeculation):
3865         (JSC::isDoubleSpeculation):
3866         (JSC::isNumberSpeculation):
3867         (JSC::isBooleanSpeculation):
3868         (JSC::isOtherSpeculation):
3869         (JSC::isEmptySpeculation):
3870         (JSC::mergeSpeculations):
3871         (JSC::mergeSpeculation):
3872         * bytecode/StructureSet.h:
3873         (JSC::StructureSet::speculationFromStructures):
3874         * bytecode/ValueProfile.h:
3875         (JSC::ValueProfileBase::ValueProfileBase):
3876         (JSC::ValueProfileBase::dump):
3877         (JSC::ValueProfileBase::computeUpdatedPrediction):
3878         (ValueProfileBase):
3879         * dfg/DFGAbstractState.cpp:
3880         (JSC::DFG::AbstractState::initialize):
3881         (JSC::DFG::AbstractState::execute):
3882         (JSC::DFG::AbstractState::mergeStateAtTail):
3883         * dfg/DFGAbstractState.h:
3884         (JSC::DFG::AbstractState::speculateInt32Unary):
3885         (JSC::DFG::AbstractState::speculateNumberUnary):
3886         (JSC::DFG::AbstractState::speculateBooleanUnary):
3887         (JSC::DFG::AbstractState::speculateInt32Binary):
3888         (JSC::DFG::AbstractState::speculateNumberBinary):
3889         * dfg/DFGAbstractValue.h:
3890         (JSC::DFG::StructureAbstractValue::filter):
3891         (JSC::DFG::StructureAbstractValue::speculationFromStructures):
3892         (JSC::DFG::AbstractValue::AbstractValue):
3893         (JSC::DFG::AbstractValue::clear):
3894         (JSC::DFG::AbstractValue::isClear):
3895         (JSC::DFG::AbstractValue::makeTop):
3896         (JSC::DFG::AbstractValue::clobberStructures):
3897         (JSC::DFG::AbstractValue::isTop):
3898         (JSC::DFG::AbstractValue::set):
3899         (JSC::DFG::AbstractValue::merge):
3900         (JSC::DFG::AbstractValue::filter):
3901         (JSC::DFG::AbstractValue::validateIgnoringValue):
3902         (JSC::DFG::AbstractValue::validate):
3903         (JSC::DFG::AbstractValue::checkConsistency):
3904         (JSC::DFG::AbstractValue::dump):
3905         (AbstractValue):
3906         * dfg/DFGArgumentPosition.h:
3907         (JSC::DFG::ArgumentPosition::ArgumentPosition):
3908         (JSC::DFG::ArgumentPosition::mergeArgumentAwareness):
3909         (JSC::DFG::ArgumentPosition::prediction):
3910         (ArgumentPosition):
3911         * dfg/DFGArgumentsSimplificationPhase.cpp:
3912         (JSC::DFG::ArgumentsSimplificationPhase::run):
3913         * dfg/DFGByteCodeParser.cpp:
3914         (ByteCodeParser):
3915         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3916         (JSC::DFG::ByteCodeParser::getLocal):
3917         (JSC::DFG::ByteCodeParser::getArgument):
3918         (JSC::DFG::ByteCodeParser::addCall):
3919         (JSC::DFG::ByteCodeParser::getSpeculationWithoutOSRExit):
3920         (JSC::DFG::ByteCodeParser::getSpeculation):
3921         (InlineStackEntry):
3922         (JSC::DFG::ByteCodeParser::handleCall):
3923         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3924         (JSC::DFG::ByteCodeParser::handleGetById):
3925         (JSC::DFG::ByteCodeParser::parseBlock):
3926         (JSC::DFG::ByteCodeParser::fixVariableAccessSpeculations):
3927         (JSC::DFG::ByteCodeParser::parse):
3928         * dfg/DFGCSEPhase.cpp:
3929         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
3930         (JSC::DFG::CSEPhase::performNodeCSE):
3931         * dfg/DFGConstantFoldingPhase.cpp:
3932         (JSC::DFG::ConstantFoldingPhase::run):
3933         * dfg/DFGFixupPhase.cpp:
3934         (JSC::DFG::FixupPhase::fixupNode):
3935         (JSC::DFG::FixupPhase::fixDoubleEdge):
3936         * dfg/DFGGraph.cpp:
3937         (JSC::DFG::Graph::nameOfVariableAccessData):
3938         (JSC::DFG::Graph::dump):
3939         (JSC::DFG::Graph::predictArgumentTypes):
3940         * dfg/DFGGraph.h:
3941         (JSC::DFG::Graph::getJSConstantSpeculation):
3942         (JSC::DFG::Graph::isPredictedNumerical):
3943         (JSC::DFG::Graph::byValIsPure):
3945         (JSC::DFG::JITCompiler::getSpeculation):
3946   &nb