dd9b2b327186ffbf5a1c03b1f1d036b999bcafa7
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2011-10-04  Sheriff Bot  <webkit.review.bot@gmail.com>
2
3         Unreviewed, rolling out r96630.
4         http://trac.webkit.org/changeset/96630
5         https://bugs.webkit.org/show_bug.cgi?id=69368
6
7         Caused assertion failures in validateCell (Requested by
8         mhahnenberg on #webkit).
9
10         * runtime/BooleanConstructor.cpp:
11         * runtime/BooleanConstructor.h:
12         * runtime/Error.cpp:
13         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
14         (JSC::StrictModeTypeErrorFunction::getCallData):
15         * runtime/ErrorConstructor.cpp:
16         * runtime/ErrorConstructor.h:
17         * runtime/FunctionConstructor.cpp:
18         * runtime/FunctionConstructor.h:
19         * runtime/FunctionPrototype.cpp:
20         * runtime/FunctionPrototype.h:
21
22 2011-10-04  Mark Hahnenberg  <mhahnenberg@apple.com>
23
24         Add static ClassInfo structs to classes that override JSCell::getCallData
25         https://bugs.webkit.org/show_bug.cgi?id=69311
26
27         Reviewed by Darin Adler.
28
29         Added ClassInfo structs to each class that defined its own getCallData 
30         function but did not already have its own ClassInfo struct.  This is a 
31         necessary addition for when we switch over to looking up getCallData from 
32         the MethodTable in ClassInfo rather than doing the virtual call (which we 
33         are removing).  These new ClassInfo structs are public because we often 
34         use these structs in other areas of the code to uniquely identify JSC classes and 
35         to enforce runtime invariants based on those class identities using ASSERTs.
36
37         * runtime/BooleanConstructor.cpp:
38         * runtime/BooleanConstructor.h:
39
40         getCallData was not marked as static in StrictModeTypeErrorFunction.
41         * runtime/Error.cpp:
42         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
43         (JSC::StrictModeTypeErrorFunction::getCallData):
44         * runtime/ErrorConstructor.cpp:
45         * runtime/ErrorConstructor.h:
46         * runtime/FunctionConstructor.cpp:
47         * runtime/FunctionConstructor.h:
48         * runtime/FunctionPrototype.cpp:
49         * runtime/FunctionPrototype.h:
50
51 2011-10-04  Ryosuke Niwa  <rniwa@webkit.org>
52
53         Leopard build fix after r96613.
54
55         * wtf/Platform.h:
56
57 2011-10-04  Mark Hahnenberg  <mhahnenberg@apple.com>
58
59         Implicitly add toString and valueOf to prototype when convertToType callback is provided
60         https://bugs.webkit.org/show_bug.cgi?id=69156
61
62         Reviewed by Geoffrey Garen.
63
64         Added callbacks for toString and valueOf which are implicitly added to a client object's
65         prototype if they provide a convertToType callback when declaring their class through 
66         the JSC API.
67
68         * API/JSCallbackFunction.cpp:
69         (JSC::JSCallbackFunction::toStringCallback):
70         (JSC::JSCallbackFunction::valueOfCallback):
71         * API/JSCallbackFunction.h:
72         * API/JSClassRef.cpp:
73         (OpaqueJSClass::prototype):
74         * API/tests/testapi.js:
75
76 2011-10-03  Jon Lee  <jonlee@apple.com>
77
78         Extend DOM WheelEvent to differentiate between physical and logical scroll directions
79         https://bugs.webkit.org/show_bug.cgi?id=68959
80         <rdar://problem/10036688>
81
82         Reviewed by Sam Weinig.
83
84         * wtf/Platform.h: Added HAVE_INVERTED_WHEEL_EVENTS for Lion and later.
85
86 2011-10-04  Csaba Osztrogonác  <ossy@webkit.org>
87
88         MinGW warning fix after r96286.
89
90         Avoid redefining STDCALL, because STDCALL is also defined in mingw32/include/windef.h:
91         #define __stdcall __attribute__((stdcall))
92         #define STDCALL __stdcall
93
94         Reviewed by Tor Arne Vestbø.
95
96         * assembler/MacroAssemblerCodeRef.h:
97
98 2011-10-04  Gavin Peters  <gavinp@chromium.org>
99
100        add more stack dumping methods
101        https://bugs.webkit.org/show_bug.cgi?id=69018
102
103        In addition to WTFReportBacktrace, this adds the cross-platform WTFGetBacktrace, which lets
104        WebKit programmatically retrieve the current stack.  This is useful if you need to add more
105        reporting to field crash report uploads, if you're tracking down an irreproducible bug,
106        for instance.
107
108        Reviewed by Darin Adler.
109
110        * wtf/Assertions.cpp:
111        * wtf/Assertions.h:
112
113 2011-10-03  Filip Pizlo  <fpizlo@apple.com>
114
115         DFG should inline Array.push and Array.pop
116         https://bugs.webkit.org/show_bug.cgi?id=69314
117
118         Reviewed by Geoff Garen.
119         
120         Fix 32-bit.
121
122         * dfg/DFGSpeculativeJIT32_64.cpp:
123         (JSC::DFG::SpeculativeJIT::compile):
124
125 2011-10-03  Filip Pizlo  <fpizlo@apple.com>
126
127         DFG should inline Array.push and Array.pop
128         https://bugs.webkit.org/show_bug.cgi?id=69314
129
130         Reviewed by Oliver Hunt.
131         
132         1% speed-up in V8 due to 6% speed-up in V8-deltablue.
133
134         * assembler/MacroAssemblerX86_64.h:
135         (JSC::MacroAssemblerX86_64::storePtr):
136         * create_hash_table:
137         * dfg/DFGByteCodeParser.cpp:
138         (JSC::DFG::ByteCodeParser::handleIntrinsic):
139         (JSC::DFG::ByteCodeParser::parseBlock):
140         * dfg/DFGGraph.cpp:
141         (JSC::DFG::Graph::dump):
142         * dfg/DFGIntrinsic.h:
143         * dfg/DFGNode.h:
144         (JSC::DFG::Node::hasHeapPrediction):
145         * dfg/DFGOperations.cpp:
146         * dfg/DFGOperations.h:
147         * dfg/DFGPropagator.cpp:
148         (JSC::DFG::Propagator::propagateNodePredictions):
149         (JSC::DFG::Propagator::getByValLoadElimination):
150         (JSC::DFG::Propagator::getMethodLoadElimination):
151         * dfg/DFGSpeculativeJIT32_64.cpp:
152         (JSC::DFG::SpeculativeJIT::compile):
153         * dfg/DFGSpeculativeJIT64.cpp:
154         (JSC::DFG::SpeculativeJIT::compile):
155
156 2011-10-03  Filip Pizlo  <fpizlo@apple.com>
157
158         JSC ASSERT Opening the Web Inspector
159         https://bugs.webkit.org/show_bug.cgi?id=69293
160
161         Reviewed by Oliver Hunt.
162         
163         If a polymorphic access structure list has a duplicated structure, then
164         don't crash.
165
166         * dfg/DFGByteCodeParser.cpp:
167         (JSC::DFG::ByteCodeParser::parseBlock):
168
169 2011-10-03  Gavin Barraclough  <barraclough@apple.com>
170
171         On X86, switch bucketCount into a register, timeoutCheck into memory
172         https://bugs.webkit.org/show_bug.cgi?id=69299
173
174         Reviewed by Geoff Garen.
175
176         We don't have sufficient registers to keep both in registers, and DFG JIT will trample esi;
177         it doesn't matter if the bucketCount gets stomped on (in fact it may add to randomness!),
178         but if the timeoutCheck gets trashed we may make calls out to the timout_check stub
179         function too frequently (regressing performance). This patch has no perf impact on sunspider.
180
181         * JavaScriptCore.xcodeproj/project.pbxproj:
182         * assembler/MacroAssemblerX86.h:
183         (JSC::MacroAssemblerX86::branchAdd32):
184         (JSC::MacroAssemblerX86::branchSub32):
185             - Added branchSub32 with AbsoluteAddress.
186         * jit/JIT.cpp:
187         (JSC::JIT::emitTimeoutCheck):
188             - Keep timeout count in memory on X86.
189         * jit/JITInlineMethods.h:
190         (JSC::JIT::emitValueProfilingSite):
191             - remove X86 specific code, switch bucket count back into a register.
192         * jit/JITStubs.cpp:
193             - Stop initializing esi (it is no longer the timeoutCheck!)
194         * jit/JSInterfaceJIT.h:
195             - change definition of esi to be the bucketCountRegister.
196         * runtime/JSGlobalData.cpp:
197         (JSC::JSGlobalData::JSGlobalData):
198         * runtime/JSGlobalData.h:
199             - Add timeoutCount as a property to global data (the counter should be per-thread).
200
201 2011-10-03  Filip Pizlo  <fpizlo@apple.com>
202
203         DFG backends don't have access to per-node predictions from the propagator
204         https://bugs.webkit.org/show_bug.cgi?id=69291
205
206         Reviewed by Oliver Hunt.
207         
208         Nodes now have two notions of predictions: the heap prediction, which is
209         what came directly from value profiling, and the propagator's predictions,
210         which arise out of abstract interpretation. Every node has a propagator
211         prediction, but not every node has a heap prediction; and there is no
212         guarantee that a node that has both will keep them consistent as the
213         propagator may have additional information available to it.
214         
215         This is performance neutral.
216
217         * dfg/DFGGraph.cpp:
218         (JSC::DFG::Graph::dump):
219         * dfg/DFGGraph.h:
220         * dfg/DFGJITCompiler.h:
221         (JSC::DFG::JITCompiler::getPrediction):
222         * dfg/DFGNode.h:
223         (JSC::DFG::Node::Node):
224         (JSC::DFG::Node::hasHeapPrediction):
225         (JSC::DFG::Node::getHeapPrediction):
226         (JSC::DFG::Node::predictHeap):
227         (JSC::DFG::Node::prediction):
228         (JSC::DFG::Node::predict):
229         * dfg/DFGPropagator.cpp:
230         (JSC::DFG::Propagator::Propagator):
231         (JSC::DFG::Propagator::setPrediction):
232         (JSC::DFG::Propagator::mergePrediction):
233         (JSC::DFG::Propagator::propagateNodePredictions):
234         (JSC::DFG::Propagator::fixupNode):
235         (JSC::DFG::Propagator::isPredictedNumerical):
236         (JSC::DFG::Propagator::logicalNotIsPure):
237         (JSC::DFG::Propagator::setReplacement):
238
239 2011-10-03  Jer Noble  <jer.noble@apple.com>
240
241         Unreviewed, rolling out r96526.
242         http://trac.webkit.org/changeset/96526
243         https://bugs.webkit.org/show_bug.cgi?id=68587
244
245         WEB_AUDIO has numerous 64->32 bit casting warnings, causing
246         build breakages where -Wall is enabled.
247
248         * Configurations/FeatureDefines.xcconfig:
249         * wtf/Platform.h:
250
251 2011-10-03  Gavin Barraclough  <barraclough@apple.com>
252
253         Unreviewed build fix for DFG JIT 32_64.
254
255         * dfg/DFGJITCompiler32_64.cpp:
256         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
257         * dfg/DFGSpeculativeJIT32_64.cpp:
258         (JSC::DFG::SpeculativeJIT::compile):
259
260 2011-10-02  Filip Pizlo  <fpizlo@apple.com>
261
262         DFG should speculate more aggressively on obvious cases on
263         polymorphic get_by_id
264         https://bugs.webkit.org/show_bug.cgi?id=69235
265
266         Reviewed by Oliver Hunt.
267         
268         This implements trivial polymorphic get_by_id. It also fixes
269         problems in the CSE for CheckStructure in the put_by_id
270         transition case.
271         
272         Doing this required knowing whether a polymorphic get_by_id stub
273         was doing a direct access rather than a call of some kind.
274         
275         Slight speed-up on Kraken and SunSpider. 0.5% speed-up in the
276         scaled mean of all benchmarks.
277
278         * GNUmakefile.list.am:
279         * JavaScriptCore.xcodeproj/project.pbxproj:
280         * bytecode/Instruction.h:
281         (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
282         (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
283         * dfg/DFGByteCodeParser.cpp:
284         (JSC::DFG::ByteCodeParser::cellConstant):
285         (JSC::DFG::ByteCodeParser::parseBlock):
286         * dfg/DFGGraph.cpp:
287         (JSC::DFG::Graph::dump):
288         * dfg/DFGGraph.h:
289         (JSC::DFG::Graph::addStructureSet):
290         (JSC::DFG::Graph::addStructureTransitionData):
291         * dfg/DFGNode.h:
292         (JSC::DFG::StructureTransitionData::StructureTransitionData):
293         (JSC::DFG::Node::hasStructureTransitionData):
294         (JSC::DFG::Node::structureTransitionData):
295         (JSC::DFG::Node::hasStructureSet):
296         (JSC::DFG::Node::structureSet):
297         * dfg/DFGPropagator.cpp:
298         (JSC::DFG::Propagator::checkStructureLoadElimination):
299         (JSC::DFG::Propagator::performNodeCSE):
300         * dfg/DFGRepatch.cpp:
301         (JSC::DFG::tryBuildGetByIDList):
302         (JSC::DFG::tryBuildGetByIDProtoList):
303         * dfg/DFGSpeculativeJIT32_64.cpp:
304         (JSC::DFG::SpeculativeJIT::compile):
305         * dfg/DFGSpeculativeJIT64.cpp:
306         (JSC::DFG::SpeculativeJIT::compile):
307         * dfg/DFGStructureSet.h: Added.
308         (JSC::DFG::StructureSet::StructureSet):
309         (JSC::DFG::StructureSet::add):
310         (JSC::DFG::StructureSet::addAll):
311         (JSC::DFG::StructureSet::remove):
312         (JSC::DFG::StructureSet::contains):
313         (JSC::DFG::StructureSet::isSubsetOf):
314         (JSC::DFG::StructureSet::isSupersetOf):
315         (JSC::DFG::StructureSet::size):
316         (JSC::DFG::StructureSet::at):
317         (JSC::DFG::StructureSet::operator[]):
318         (JSC::DFG::StructureSet::last):
319         * jit/JITPropertyAccess.cpp:
320         (JSC::JIT::privateCompileGetByIdSelfList):
321         (JSC::JIT::privateCompileGetByIdProtoList):
322         (JSC::JIT::privateCompileGetByIdChainList):
323         * jit/JITPropertyAccess32_64.cpp:
324         (JSC::JIT::privateCompileGetByIdSelfList):
325         (JSC::JIT::privateCompileGetByIdProtoList):
326         (JSC::JIT::privateCompileGetByIdChainList):
327         * jit/JITStubs.cpp:
328         (JSC::DEFINE_STUB_FUNCTION):
329         (JSC::getPolymorphicAccessStructureListSlot):
330
331 2011-10-03  Jer Noble  <jer.noble@apple.com>
332
333         Enable WEB_AUDIO by default in the WebKit/mac port.
334         https://bugs.webkit.org/show_bug.cgi?id=68587
335
336         Reviewed by Simon Fraser.
337
338         * Configurations/FeatureDefines.xcconfig:
339         * wtf/Platform.h:
340
341 2011-10-03  Carlos Garcia Campos  <cgarcia@igalia.com>
342
343         [GTK] Fix make distcheck build
344         https://bugs.webkit.org/show_bug.cgi?id=69243
345
346         Reviewed by Martin Robinson.
347
348         * GNUmakefile.list.am:
349
350 2011-10-03  Pierre Rossi  <pierre.rossi@gmail.com>
351
352         [Qt] Build fix: Qt::escape is deprecated in Qt5
353         https://bugs.webkit.org/show_bug.cgi?id=69162
354
355         Use QString::toHtmlEscaped in the Qt5 case.
356
357         Reviewed by Andreas Kling.
358
359         * JavaScriptCore.pri:
360         * wtf/qt/UtilsQt.h: Added.
361         (escapeHtml):
362         * wtf/wtf.pri:
363
364 2011-10-03  Balazs Kelemen  <kbalazs@webkit.org>
365
366         libdispatch based ParallelJobs is not enough parallel
367         https://bugs.webkit.org/show_bug.cgi?id=66378
368
369         Reviewed by Zoltan Herczeg.
370
371         Use the appropriate libdispatch API for our use case.
372         Throw away the hard coded limit of parallel threads
373         and use dispatch_apply with the default priority normal
374         queue instead of using our own custom serial queue (which
375         was a misuse of the API). Enabling PARALLEL_JOBS is now
376         a 60% win (2.63x as fast) on the methanol benchmark
377         (https://gitorious.org/methanol) with an SVG centric test set
378         while the old implementation was almost identical (less than 5% win).
379
380         * wtf/ParallelJobsLibdispatch.h:
381         (WTF::ParallelEnvironment::ParallelEnvironment):
382         (WTF::ParallelEnvironment::execute):
383
384 2011-10-02  Zoltan Herczeg  <zherczeg@webkit.org>
385
386         [Qt]REGRESSION(r95912): It made sputnik tests flakey
387         https://bugs.webkit.org/show_bug.cgi?id=68990
388
389         Reviewed by Geoffrey Garen.
390
391         Changing signed char to int in r96354 solved the
392         problem. However transitionCount still returns
393         with a signed char and should be changed to int.
394
395         * runtime/Structure.h:
396         (JSC::Structure::transitionCount):
397
398 2011-10-02  Filip Pizlo  <fpizlo@apple.com>
399
400         DFG misses some obvious opportunities for common subexpression elimination
401         https://bugs.webkit.org/show_bug.cgi?id=69233
402
403         Reviewed by Oliver Hunt.
404         
405         0.7% speed-up on SunSpider.
406
407         * dfg/DFGPropagator.cpp:
408         (JSC::DFG::Propagator::getByValLoadElimination):
409         (JSC::DFG::Propagator::getMethodLoadElimination):
410         (JSC::DFG::Propagator::checkStructureLoadElimination):
411         (JSC::DFG::Propagator::getByOffsetLoadElimination):
412         (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
413         (JSC::DFG::Propagator::performNodeCSE):
414
415 2011-10-02  Gavin Barraclough  <barraclough@apple.com>
416
417         Bug 67455 - Different regular expression result
418
419         Reviewed by Darin Adler.
420         
421         Fix a regression introduced in r72140. A return was added to the backtracking loop for
422         backtrackParentheses with QuantifierNonGreedy, so it always returns after one iteration.
423         This is incorrect. The additional return should only trigger to force an early return if
424         an error has occurred.
425
426         * yarr/YarrInterpreter.cpp:
427         (JSC::Yarr::Interpreter::matchParentheses):
428             - Simplify some nested if else logic.
429         (JSC::Yarr::Interpreter::backtrackParentheses):
430             - Simplify some nested if else logic.
431             - Only return early from backtrackParentheses on success/error, not on failure.
432
433 2011-10-01  Geoffrey Garen  <ggaren@apple.com>
434
435         Removed redundant helper functions for allocating Strong handles
436         https://bugs.webkit.org/show_bug.cgi?id=69218
437
438         Reviewed by Sam Weinig.
439
440         * heap/Heap.h:
441         (JSC::Heap::handleHeap):
442         * runtime/JSGlobalData.h: Removed these helper functions, since they
443         just created indirection.
444
445         * heap/StrongInlines.h: Added. Broke out a header for inline functions
446         to resolve circular dependencies created by inlining. I'm told this is
447         the future for JavaScriptCore.
448
449         * GNUmakefile.list.am:
450         * JavaScriptCore.gypi:
451         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
452         * JavaScriptCore.xcodeproj/project.pbxproj: Go forth and build.
453
454         * API/JSCallbackObjectFunctions.h:
455         (JSC::::init):
456         * runtime/WeakGCMap.h:
457         (JSC::WeakGCMap::add):
458         (JSC::WeakGCMap::set):
459         * runtime/StructureTransitionTable.h:
460         (JSC::StructureTransitionTable::setSingleTransition):
461         * heap/Local.h:
462         (JSC::::Local):
463         * heap/Strong.h:
464         (JSC::::Strong):
465         (JSC::::set):
466         * heap/Weak.h:
467         (JSC::Weak::Weak):
468         (JSC::Weak::set): Allocate handles directly instead of going through a
469         chain of forwarding functions.
470
471         * bytecompiler/BytecodeGenerator.cpp:
472         * runtime/JSGlobalData.cpp:
473         * runtime/LiteralParser.cpp:
474         * runtime/RegExpCache.cpp: Updated for header changes.
475
476 2011-09-30  Filip Pizlo  <fpizlo@apple.com>
477
478         All of JSC's heuristics should be in one place for easier tuning
479         https://bugs.webkit.org/show_bug.cgi?id=69201
480
481         Reviewed by Oliver Hunt.
482         
483         This makes it possible to change tiered compilation heuristics in
484         one place (Heuristics.cpp) without recompiling the whole project.
485         
486         It also makes it possible to enable setting heuristics using
487         environment variables. This is off by default. When turned on, it
488         makes tuning the system much easier.
489
490         * CMakeLists.txt:
491         * GNUmakefile.list.am:
492         * JavaScriptCore.pro:
493         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
494         * JavaScriptCore.xcodeproj/project.pbxproj:
495         * bytecode/CodeBlock.cpp:
496         (JSC::CodeBlock::shouldOptimizeNow):
497         * bytecode/CodeBlock.h:
498         * dfg/DFGJITCompiler.cpp:
499         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
500         * jit/JIT.cpp:
501         (JSC::JIT::emitOptimizationCheck):
502         * runtime/Heuristics.cpp: Added.
503         (JSC::Heuristics::parse):
504         (JSC::Heuristics::setHeuristic):
505         (JSC::Heuristics::initializeHeuristics):
506         * runtime/Heuristics.h: Added.
507         * runtime/InitializeThreading.cpp:
508         (JSC::initializeThreadingOnce):
509
510 2011-10-01  Oliver Hunt  <oliver@apple.com>
511
512         Support string length in the DFG
513         https://bugs.webkit.org/show_bug.cgi?id=69215
514
515         Reviewed by Geoff Garen.
516
517         Adds a GetStringLength node to the DFG so that we can support
518         string.length inline.
519
520         * dfg/DFGNode.h:
521         * dfg/DFGPropagator.cpp:
522         (JSC::DFG::Propagator::propagateNodePredictions):
523         (JSC::DFG::Propagator::fixupNode):
524         (JSC::DFG::Propagator::performNodeCSE):
525         * dfg/DFGSpeculativeJIT.h:
526         (JSC::DFG::SpeculativeJIT::isKnownString):
527         * dfg/DFGSpeculativeJIT32_64.cpp:
528         (JSC::DFG::SpeculativeJIT::compile):
529         * dfg/DFGSpeculativeJIT64.cpp:
530         (JSC::DFG::SpeculativeJIT::compile):
531         * runtime/JSString.h:
532         (JSC::JSString::offsetOfLength):
533
534 2011-10-01  Yuqiang Xian  <yuqiang.xian@intel.com>
535
536         JSVALUE32_64 DFG JIT - unboxed integers and cells in register file must be reboxed before exiting from DFG JIT
537         https://bugs.webkit.org/show_bug.cgi?id=69205
538
539         Reviewed by Gavin Barraclough.
540
541         If there are unboxed integers and cells in register file (e.g. by SetLocal), 
542         they must be reboxed before exiting from the speculative DFG JIT execution.
543         This patch also adds a new ValueSourceKind (CellInRegisterFile) and a new
544         ValueRecoveryTechnique (AlreadyInRegisterFileAsCell).
545
546         * dfg/DFGJITCompiler32_64.cpp:
547         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
548         * dfg/DFGSpeculativeJIT.cpp:
549         (JSC::DFG::ValueSource::dump):
550         (JSC::DFG::ValueRecovery::dump):
551         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
552         * dfg/DFGSpeculativeJIT.h:
553         (JSC::DFG::ValueSource::forPrediction):
554         (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedCell):
555
556 2011-10-01  Sheriff Bot  <webkit.review.bot@gmail.com>
557
558         Unreviewed, rolling out r96421.
559         http://trac.webkit.org/changeset/96421
560         https://bugs.webkit.org/show_bug.cgi?id=69206
561
562         It broke Qt-WK2 build (Requested by ossy on #webkit).
563
564         * JavaScriptCore.pri:
565         * wtf/qt/UtilsQt.h: Removed.
566         * wtf/wtf.pri:
567
568 2011-09-30  Daniel Bates  <dbates@webkit.org>
569
570         Attempt to fix the Apple Windows and WinCairo Debug builds after
571         <http://trac.webkit.org/changeset/96446> (https://bugs.webkit.org/show_bug.cgi?id=69203).
572
573         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove the symbol
574         ?toStrictThisObject@JSObject@JSC@@UBE?AVJSValue@2@PAVExecState@2@@Z since the
575         corresponding function, JSValue::toStrictThisObject(), was removed.
576
577 2011-09-30  Yuqiang Xian  <yuqiang.xian@intel.com>
578
579         DFG operation results are not set correctly in JSVALUE32_64 DFG JIT
580         https://bugs.webkit.org/show_bug.cgi?id=69126
581
582         Reviewed by Gavin Barraclough.
583
584         The setupResults routine has the bug of reversing the source and destination. 
585         Also some other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT.
586
587         * dfg/DFGJITCodeGenerator.h:
588         (JSC::DFG::setupTwoStubArgs):
589         (JSC::DFG::setupResults):
590         * dfg/DFGJITCodeGenerator32_64.cpp:
591         (JSC::DFG::JITCodeGenerator::fillJSValue):
592         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
593         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
594
595 2011-09-30  Gavin Barraclough  <barraclough@apple.com>
596
597         Remove toStrictThisObject, toThisString, toThisJSString
598         https://bugs.webkit.org/show_bug.cgi?id=69203
599
600         Rubber stamped by Sam Weinig
601
602         These are no longer used.
603
604         * JavaScriptCore.exp:
605         * runtime/JSActivation.cpp:
606         * runtime/JSActivation.h:
607         * runtime/JSObject.cpp:
608         * runtime/JSObject.h:
609         * runtime/JSStaticScopeObject.cpp:
610         * runtime/JSStaticScopeObject.h:
611         * runtime/JSValue.h:
612         * runtime/StrictEvalActivation.cpp:
613         * runtime/StrictEvalActivation.h:
614
615 2011-09-30  Filip Pizlo  <fpizlo@apple.com>
616
617         DFG does not speculate aggressively enough on put_by_id
618         https://bugs.webkit.org/show_bug.cgi?id=69114
619
620         Reviewed by Oliver Hunt.
621
622         This adds new nodes along with optimizations for those nodes:
623         
624         GetPropertyStorage: CheckStructure used to do both the structure
625         check and retrieve the storage pointer. Now CheckStructure just
626         checks the structure, and GetPropertyStorage retrieves the
627         storage pointer.
628         
629         PutStructure: Changes the structure, and has the expected store
630         to load optimization with CheckStructure.
631         
632         PutByOffset: Directly sets the value. Has store to load
633         optimization with GetByOffset.
634
635         * dfg/DFGByteCodeParser.cpp:
636         (JSC::DFG::ByteCodeParser::cellConstant):
637         (JSC::DFG::ByteCodeParser::parseBlock):
638         * dfg/DFGGraph.cpp:
639         (JSC::DFG::Graph::dump):
640         * dfg/DFGJITCodeGenerator.cpp:
641         (JSC::DFG::JITCodeGenerator::writeBarrier):
642         * dfg/DFGJITCodeGenerator.h:
643         * dfg/DFGNode.h:
644         (JSC::DFG::Node::hasStructure):
645         (JSC::DFG::Node::hasStorageAccessData):
646         * dfg/DFGPropagator.cpp:
647         (JSC::DFG::Propagator::propagateNodePredictions):
648         (JSC::DFG::Propagator::impureCSE):
649         (JSC::DFG::Propagator::checkStructureLoadElimination):
650         (JSC::DFG::Propagator::getByOffsetLoadElimination):
651         (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
652         (JSC::DFG::Propagator::eliminate):
653         (JSC::DFG::Propagator::performNodeCSE):
654         * dfg/DFGSpeculativeJIT32_64.cpp:
655         (JSC::DFG::SpeculativeJIT::compile):
656         * dfg/DFGSpeculativeJIT64.cpp:
657         (JSC::DFG::SpeculativeJIT::compile):
658
659 2011-09-30  Gavin Barraclough  <barraclough@apple.com>
660
661         StringRecursionChecker should not work in terms of EncodedJSValue
662         https://bugs.webkit.org/show_bug.cgi?id=69188
663
664         Reviewed by Oliver Hunt.
665
666         0 is not the empty value on 32_64.
667         Code that casts literals to EncodedJSValues may be unsafe if we change our internal representation.
668
669         * runtime/ArrayPrototype.cpp:
670         (JSC::arrayProtoFuncToString):
671         (JSC::arrayProtoFuncToLocaleString):
672         (JSC::arrayProtoFuncJoin):
673         * runtime/ErrorPrototype.cpp:
674         (JSC::errorProtoFuncToString):
675         * runtime/RegExpPrototype.cpp:
676         (JSC::regExpProtoFuncToString):
677         * runtime/StringRecursionChecker.cpp:
678         (JSC::StringRecursionChecker::throwStackOverflowError):
679         (JSC::StringRecursionChecker::emptyString):
680         * runtime/StringRecursionChecker.h:
681         (JSC::StringRecursionChecker::performCheck):
682         (JSC::StringRecursionChecker::earlyReturnValue):
683
684 2011-09-30  Gavin Barraclough  <barraclough@apple.com>
685
686         DFG JIT, Branch on integer can always be a 32-bit compare.
687         https://bugs.webkit.org/show_bug.cgi?id=69174
688
689         Reviewed by Sam Weinig.
690
691         if (shouldSpeculateInteger(node.child1()) && !isStrictInt32(node.child1())),
692         the JSVALUE64 JIT will currently compare all 64bits in the register, but in
693         these cases the DataFormat is always a JS boxed integer. In these cases we
694         can just compare the low 32bits anyway - no need to check the tag.
695         This allows the code to be unified with the JSVALUE32_64 JIT.
696
697         * dfg/DFGSpeculativeJIT32_64.cpp:
698         (JSC::DFG::SpeculativeJIT::compile):
699         * dfg/DFGSpeculativeJIT64.cpp:
700         (JSC::DFG::SpeculativeJIT::compile):
701
702 2011-09-30  Oliver Hunt  <oliver@apple.com>
703
704         Need a sensible GGC policy
705
706         Reviewed by Geoff Garen.
707
708         This replaces the existing random collection policy
709         with a deterministic policy based on nursery size.
710
711         * heap/AllocationSpace.cpp:
712         (JSC::AllocationSpace::allocateSlowCase):
713         * heap/Heap.cpp:
714         (JSC::Heap::Heap):
715         (JSC::Heap::markRoots):
716         (JSC::Heap::collect):
717         * heap/Heap.h:
718         * heap/MarkedSpace.cpp:
719         (JSC::MarkedSpace::MarkedSpace):
720         (JSC::MarkedSpace::resetAllocator):
721         * heap/MarkedSpace.h:
722         (JSC::MarkedSpace::nurseryWaterMark):
723         (JSC::MarkedSpace::allocate):
724
725 2011-09-30  Filip Pizlo  <fpizlo@apple.com>
726
727         DFG 32-bit support for op_call and op_construct causes
728         run-javascriptcore-tests to fail
729         https://bugs.webkit.org/show_bug.cgi?id=69171
730
731         Reviewed by Gavin Barraclough.
732         
733         This fixes one obvious bug that was causing test failures (no
734         support for dummy slow case for op_add in 32_64), and disables
735         op_call and op_construct by default.
736
737         * dfg/DFGCapabilities.h:
738         (JSC::DFG::canCompileOpcode):
739         * jit/JITArithmetic32_64.cpp:
740         (JSC::JIT::emit_op_add):
741         (JSC::JIT::emitSlow_op_add):
742
743 2011-09-30  Geoffrey Garen  <ggaren@apple.com>
744
745         Crash due to out of bounds read/write in MarkedSpace
746         https://bugs.webkit.org/show_bug.cgi?id=69148
747         
748         This was a case of being surprised by a poorly articulated cell size limit,
749         plus an incorrect ASSERT guarding the cell size limit.
750
751         Reviewed by Oliver Hunt.
752
753         * heap/MarkedSpace.h:
754         (JSC::MarkedSpace::sizeClassFor): Changed heap size ranges to be inclusive,
755         since it makes the ranges easier to understand.
756         
757         Bumped up the max cell size to support the use case in this bug. Since the
758         atomSize is much bigger than it used to be, there isn't much accounting
759         cost to handling more size classes.
760         
761         Switched to FixedArray, to help catch SizeClass indexing bugs in the future.
762
763         * heap/MarkedSpace.cpp:
764         (JSC::MarkedSpace::MarkedSpace):
765         (JSC::MarkedSpace::resetAllocator):
766         (JSC::MarkedSpace::canonicalizeCellLivenessData): Updated for size ranges
767         being inclusive.
768
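        Added illustration (not JavaScriptCore code): a size-class lookup in the
        spirit of sizeClassFor, written with inclusive range boundaries and a
        bounds-checked table. The step sizes, the precise/imprecise cutoff and
        the maximum cell size are assumptions chosen for the example. The table
        is a std::array so that an index one past the end throws instead of
        reading or writing out of bounds, which is the role FixedArray plays in
        the change above.

```cpp
#include <array>
#include <cstddef>

// Assumed layout for this illustration; JSC's real step sizes and limits differ.
constexpr size_t kPreciseStep   = 16;    // small cells: one class every 16 bytes
constexpr size_t kPreciseCutoff = 128;   // inclusive upper bound of the precise classes
constexpr size_t kImpreciseStep = 128;   // large cells: one class every 128 bytes
constexpr size_t kMaxCellSize   = 1024;  // inclusive upper bound of any cell

constexpr size_t kPreciseCount   = kPreciseCutoff / kPreciseStep;                     // 8
constexpr size_t kImpreciseCount = (kMaxCellSize - kPreciseCutoff) / kImpreciseStep;  // 7
constexpr size_t kClassCount     = kPreciseCount + kImpreciseCount;                   // 15

struct SizeClass {
    size_t cellSize;   // every cell in the class is rounded up to this many bytes
};

// Fixed-size, bounds-checked table: std::array::at throws on a bad index, so an
// off-by-one becomes an exception instead of a silent access past the table.
using SizeClassTable = std::array<SizeClass, kClassCount>;

SizeClassTable makeSizeClassTable() {
    SizeClassTable table{};
    for (size_t i = 0; i < kPreciseCount; ++i)
        table[i].cellSize = (i + 1) * kPreciseStep;                                    // 16 .. 128
    for (size_t i = 0; i < kImpreciseCount; ++i)
        table[kPreciseCount + i].cellSize = kPreciseCutoff + (i + 1) * kImpreciseStep; // 256 .. 1024
    return table;
}

// The limit the allocator must enforce before it ever indexes the table.
bool isSupportedCellSize(size_t bytes) {
    return bytes != 0 && bytes <= kMaxCellSize;
}

// Inclusive ranges: a request of exactly kPreciseCutoff belongs to the last
// precise class, and exactly kMaxCellSize to the last class overall. Writing
// either boundary with "<" instead of "<=" sends a legal size one slot past
// the end of the table.
size_t sizeClassIndexFor(size_t bytes) {
    if (!isSupportedCellSize(bytes))
        return kClassCount;   // out-of-table sentinel; callers check isSupportedCellSize first
    if (bytes <= kPreciseCutoff)
        return (bytes - 1) / kPreciseStep;
    return kPreciseCount + (bytes - kPreciseCutoff - 1) / kImpreciseStep;
}

size_t roundedCellSize(size_t bytes) {
    static const SizeClassTable table = makeSizeClassTable();
    return table.at(sizeClassIndexFor(bytes)).cellSize;   // throws std::out_of_range past the end
}
```

        A request that sits exactly on a boundary (128 or 1024 bytes here)
        must land in the class whose cellSize equals it; a request above
        kMaxCellSize must be refused before the table is touched, not caught
        by an ASSERT that checks the wrong limit.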
769 2011-09-30  Pierre Rossi  <pierre.rossi@gmail.com>
770
771         [Qt] Build fix: Qt::escape is deprecated in Qt5
772         https://bugs.webkit.org/show_bug.cgi?id=69162
773
774         Use QString::toHtmlEscaped in the Qt5 case.
775
776         Reviewed by Andreas Kling.
777
778         * JavaScriptCore.pri:
779         * wtf/qt/UtilsQt.h: Added.
780         (escapeHtml):
781         * wtf/wtf.pri:
782
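        Added example, not the wtf/qt/UtilsQt.h wrapper itself: an escapeHtml
        that does in plain C++ what the wrapper delegates to Qt::escape or
        QString::toHtmlEscaped, next to the chained-replace version that a
        hand-rolled escaper often ends up with. Note that toHtmlEscaped handles
        <, >, & and " only; this version also escapes the apostrophe so the
        result is safe inside single-quoted attributes.

```cpp
#include <string>

// Single pass over the input: each metacharacter is replaced exactly once,
// so the '&' introduced by an entity can never be escaped a second time.
std::string escapeHtml(const std::string& in) {
    std::string out;
    out.reserve(in.size() + in.size() / 8);
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;   // QString::toHtmlEscaped leaves this one alone
        default:   out += c;        break;
        }
    }
    return out;
}

static void replaceAll(std::string& s, const std::string& from, const std::string& to) {
    for (size_t pos = s.find(from); pos != std::string::npos; pos = s.find(from, pos + to.size()))
        s.replace(pos, from.size(), to);
}

// The classic mistake: chained replaces with '&' handled last, so the '&'
// inside the "&lt;" just inserted is re-escaped into "&amp;lt;".
std::string escapeHtmlWrongOrder(const std::string& in) {
    std::string s(in);
    replaceAll(s, "<", "&lt;");
    replaceAll(s, ">", "&gt;");
    replaceAll(s, "&", "&amp;");   // too late: double-escapes the entities above
    return s;
}
```

        Chained replaces are only correct if '&' goes first; the single-pass
        switch removes the ordering question altogether.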
783 2011-09-30  Yuqiang Xian  <yuqiang.xian@intel.com>
784
785         Fix bug in getHostCallReturnValue of DFG JIT on X86
786         https://bugs.webkit.org/show_bug.cgi?id=69133
787
788         Reviewed by Gavin Barraclough.
789
790         We need to insert the additional argument in the stack slot before
791         return address instead of simply pushing it afterwards.
792         Also getHostCallReturnValue* should be attributed as stdcall
793         to make the stack cleaned up by the callee.
794
795         * dfg/DFGOperations.cpp:
796
797 2011-09-30  Pierre Rossi  <pierre.rossi@gmail.com>
798
799         [Qt] wtf header files are unknown to Qt Creator
800         https://bugs.webkit.org/show_bug.cgi?id=69158
801
802         Adding the HEADERS variable in wtf.pri so that
803         the header files can be accessed easily.
804
805         Reviewed by Andreas Kling.
806
807         * wtf/wtf.pri:
808
809 2011-09-30  Gavin Barraclough  <barraclough@apple.com>
810
811         Merge some more of DFGSpeculativeJIT 32_64/64
812         https://bugs.webkit.org/show_bug.cgi?id=69164
813
814         Reviewed by Oliver Hunt.
815
816         * dfg/DFGJITCodeGenerator.h:
817         * dfg/DFGJITCodeGenerator32_64.cpp:
818         * dfg/DFGJITCodeGenerator64.cpp:
819         * dfg/DFGSpeculativeJIT.cpp:
820         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
821         * dfg/DFGSpeculativeJIT.h:
822         * dfg/DFGSpeculativeJIT32_64.cpp:
823         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
824         (JSC::DFG::SpeculativeJIT::compare):
825         (JSC::DFG::SpeculativeJIT::compileValueAdd):
826         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
827         (JSC::DFG::SpeculativeJIT::compile):
828         * dfg/DFGSpeculativeJIT64.cpp:
829         (JSC::DFG::SpeculativeJIT::compare):
830         (JSC::DFG::SpeculativeJIT::compileValueAdd):
831         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
832         (JSC::DFG::SpeculativeJIT::compile):
833
834 2011-09-30  Mark Hahnenberg  <mhahnenberg@apple.com>
835
836         Add getCallData to MethodTable in ClassInfo
837         https://bugs.webkit.org/show_bug.cgi?id=69024
838
839         Reviewed by Sam Weinig.
840
841         * JavaScriptCore.exp:
842         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
843
844         Added the getCallData to the MethodTable in the ClassInfo struct.
845         * runtime/ClassInfo.h:
846
847 2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>
848
849         Add op_call/op_constructor support to JSVALUE32_64 DFG JIT
850         https://bugs.webkit.org/show_bug.cgi?id=69120
851
852         Reviewed by Gavin Barraclough.
853
854         Improve the coverage of JSVALUE32_64 DFG JIT.
855
856         * dfg/DFGByteCodeParser.cpp:
857         (JSC::DFG::ByteCodeParser::parseBlock):
858         * dfg/DFGCapabilities.h:
859         (JSC::DFG::canCompileOpcode):
860         * dfg/DFGJITCodeGenerator.h:
861         (JSC::DFG::tagOfCallData):
862         (JSC::DFG::payloadOfCallData):
863         * dfg/DFGJITCodeGenerator32_64.cpp:
864         (JSC::DFG::JITCodeGenerator::emitCall):
865
866 2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>
867
868         DFG JIT - register not unlocked after usage in ArithDiv
869         https://bugs.webkit.org/show_bug.cgi?id=69122
870
871         Reviewed by Geoffrey Garen.
872
873         An allocated register is not unlocked after use in ArithDiv.
874         Also there's a typo in "ENBALE_DFG_CONSISTENTCY_CHECK".
875
876         * dfg/DFGNode.h:
877         * dfg/DFGSpeculativeJIT32_64.cpp:
878         (JSC::DFG::SpeculativeJIT::compile):
879         * dfg/DFGSpeculativeJIT64.cpp:
880         (JSC::DFG::SpeculativeJIT::compile):
881
882 2011-09-29  Mark Hahnenberg  <mhahnenberg@apple.com>
883
884         De-virtualize JSCell::toObject
885         https://bugs.webkit.org/show_bug.cgi?id=68937
886
887         Reviewed by Darin Adler.
888
889         * JavaScriptCore.exp:
890         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
891
892         De-virtualized JSCell::toObject and changed its implementation to manually check the 
893         cases for JSString and JSObject rather than leaving it up to the virtual method call.
894         * runtime/JSCell.cpp:
895         (JSC::JSCell::toObject):
896         * runtime/JSCell.h:
897
898         Removed JSNotAnObject::toObject because the case for JSObject works for it.
899         Also removed JSObject::toObject because it was essentially the identity function,
900         which is not necessary since toObject is no longer virtual.
901         * runtime/JSNotAnObject.cpp:
902         * runtime/JSNotAnObject.h:
903         * runtime/JSObject.cpp:
904         * runtime/JSObject.h:
905
906         De-virtualized JSObject::toObject and JSString::toObject.
907         * runtime/JSString.h:
908
909 2011-09-29  Gavin Barraclough  <barraclough@apple.com>
910
911         Start refactoring DFGSpeculativeJIT
912         https://bugs.webkit.org/show_bug.cgi?id=69112
913
914         Reviewed by Oliver Hunt.
915
916         Again, move JSVALUE64 code into a DFGSpeculativeJIT64.cpp
917
918         * JavaScriptCore.xcodeproj/project.pbxproj:
919         * dfg/DFGSpeculativeJIT.cpp:
920         (JSC::DFG::ValueSource::dump):
921         (JSC::DFG::ValueRecovery::dump):
922         (JSC::DFG::OSRExit::OSRExit):
923         (JSC::DFG::OSRExit::dump):
924         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
925         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
926         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
927         (JSC::DFG::SpeculativeJIT::compile):
928         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
929         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
930         * dfg/DFGSpeculativeJIT.h:
931         (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
932         * dfg/DFGSpeculativeJIT32_64.cpp:
933         (JSC::DFG::SpeculativeJIT::compare):
934         * dfg/DFGSpeculativeJIT64.cpp: Copied from Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp.
935         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
936         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
937         (JSC::DFG::SpeculativeJIT::compile):
938
939 2011-09-29  Gavin Barraclough  <barraclough@apple.com>
940
941         Refactor out trivially duplicated code in DFGJITCodeGenerator.
942         https://bugs.webkit.org/show_bug.cgi?id=69109
943
944         Reviewed by Oliver Hunt.
945
946         Some code is trivially redundant between DFGJITCodeGenerator.cpp & DFGJITCodeGenerator32_64.cpp
947
948         Basically move the JSVALUE64-specific code into a new DFGJITCodeGenerator64.cpp, leave common code
949         in DFGJITCodeGenerator.cpp, and remove copies from DFGJITCodeGenerator32_64.cpp.
950
951         For some functions the differences are trivial & make more sense to ifdef individually, and some
952         Operand methods make more sense left in DFGJITCodeGenerator.cpp alongside similar constructors.
953
954         * JavaScriptCore.xcodeproj/project.pbxproj:
955         * dfg/DFGJITCodeGenerator.cpp:
956         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
957         (JSC::DFG::JITCodeGenerator::isKnownBoolean):
958         (JSC::DFG::JITCodeGenerator::writeBarrier):
959         (JSC::DFG::JITCodeGenerator::dump):
960         (JSC::DFG::JITCodeGenerator::checkConsistency):
961         (JSC::DFG::GPRTemporary::GPRTemporary):
962         (JSC::DFG::FPRTemporary::FPRTemporary):
963         * dfg/DFGJITCodeGenerator32_64.cpp:
964         * dfg/DFGJITCodeGenerator64.cpp: Copied from Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp.
965         * dfg/DFGJITCompiler.h:
966         (JSC::DFG::JITCompiler::branchIfNotCell):
967         * dfg/DFGJITCompilerInlineMethods.h:
968
969 2011-09-28  Filip Pizlo  <fpizlo@apple.com>
970
971         DFG JIT should infer which uses of a variable are not aliased
972         https://bugs.webkit.org/show_bug.cgi?id=68593
973
974         Reviewed by Oliver Hunt.
975         
976         This separates how a variable is stored (i.e. its virtual register)
977         from how it's predicted. Each variable now takes a
978         VariableAccessData as its operand, instead of the virtual register.
979         The VariableAccessData stores the operand and the prediction. If
980         multiple uses of a variable are aliased, their VariableAccessDatas
981         are unified.
982         
983         This also adds tracking of which argument values are used. It
984         correctly observes that an argument value is not used, if the
985         argument is assigned to inside the function before being used.
986         
987         This also adds tracking of which variables are live at the head of
988         a basic block, and separates that from a variable being live at the
989         tail.
990         
991         Finally, this communicates to both OSR entry and OSR exit code how
992         a variable is predicted at a particular point in the code, rather
993         than just communicating how it was predicted in the entire code
994         block (since with this patch there is no longer the notion of a
995         variable having just one prediction for a code block).
996
997         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
998         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
999         * JavaScriptCore.xcodeproj/project.pbxproj:
1000         * bytecode/ActionablePrediction.h: Added.
1001         (JSC::actionablePredictionFromPredictedType):
1002         (JSC::valueObeysPrediction):
1003         (JSC::actionablePredictionToString):
1004         (JSC::ActionablePredictions::ActionablePredictions):
1005         (JSC::ActionablePredictions::setArgument):
1006         (JSC::ActionablePredictions::argument):
1007         (JSC::ActionablePredictions::setVariable):
1008         (JSC::ActionablePredictions::variable):
1009         (JSC::ActionablePredictions::argumentUpperBound):
1010         (JSC::ActionablePredictions::variableUpperBound):
1011         (JSC::ActionablePredictions::pack):
1012         (JSC::ActionablePredictions::packVector):
1013         * bytecode/CodeBlock.h:
1014         * bytecode/PredictionTracker.h:
1015         * dfg/DFGByteCodeParser.cpp:
1016         (JSC::DFG::ByteCodeParser::newVariableAccessData):
1017         (JSC::DFG::ByteCodeParser::getLocal):
1018         (JSC::DFG::ByteCodeParser::setLocal):
1019         (JSC::DFG::ByteCodeParser::getArgument):
1020         (JSC::DFG::ByteCodeParser::setArgument):
1021         (JSC::DFG::ByteCodeParser::parseBlock):
1022         (JSC::DFG::ByteCodeParser::processPhiStack):
1023         (JSC::DFG::ByteCodeParser::parse):
1024         * dfg/DFGDriver.cpp:
1025         (JSC::DFG::compile):
1026         * dfg/DFGGraph.cpp:
1027         (JSC::DFG::Graph::nameOfVariableAccessData):
1028         (JSC::DFG::Graph::dump):
1029         (JSC::DFG::Graph::predictArgumentTypes):
1030         * dfg/DFGGraph.h:
1031         (JSC::DFG::operandIsArgument):
1032         (JSC::DFG::VariableRecord::setFirstTime):
1033         (JSC::DFG::BasicBlock::BasicBlock):
1034         (JSC::DFG::Graph::predict):
1035         (JSC::DFG::Graph::getPrediction):
1036         * dfg/DFGJITCompiler.h:
1037         (JSC::DFG::JITCompiler::noticeOSREntry):
1038         * dfg/DFGNode.h:
1039         (JSC::DFG::Node::hasVariableAccessData):
1040         (JSC::DFG::Node::hasLocal):
1041         (JSC::DFG::Node::variableAccessData):
1042         (JSC::DFG::Node::local):
1043         * dfg/DFGOSREntry.cpp:
1044         (JSC::DFG::prepareOSREntry):
1045         * dfg/DFGOSREntry.h:
1046         * dfg/DFGPropagator.cpp:
1047         (JSC::DFG::Propagator::propagateNodePredictions):
1048         * dfg/DFGSpeculativeJIT.cpp:
1049         (JSC::DFG::ValueSource::dump):
1050         (JSC::DFG::OSRExit::OSRExit):
1051         (JSC::DFG::SpeculativeJIT::compile):
1052         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1053         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1054         * dfg/DFGSpeculativeJIT.h:
1055         (JSC::DFG::ValueSource::ValueSource):
1056         (JSC::DFG::ValueSource::forPrediction):
1057         (JSC::DFG::ValueSource::isSet):
1058         (JSC::DFG::ValueSource::kind):
1059         (JSC::DFG::ValueSource::nodeIndex):
1060         (JSC::DFG::ValueSource::nodeIndexFromKind):
1061         (JSC::DFG::ValueSource::kindFromNodeIndex):
1062         (JSC::DFG::SpeculativeJIT::isKnownArray):
1063         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1064         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1065         * dfg/DFGSpeculativeJIT32_64.cpp:
1066         (JSC::DFG::OSRExit::OSRExit):
1067         (JSC::DFG::SpeculativeJIT::compile):
1068         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1069         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1070         * wtf/PackedIntVector.h: Added.
1071         (WTF::PackedIntVector::PackedIntVector):
1072         (WTF::PackedIntVector::operator=):
1073         (WTF::PackedIntVector::size):
1074         (WTF::PackedIntVector::ensureSize):
1075         (WTF::PackedIntVector::resize):
1076         (WTF::PackedIntVector::clearAll):
1077         (WTF::PackedIntVector::get):
1078         (WTF::PackedIntVector::set):
1079         (WTF::PackedIntVector::mask):
1080         * wtf/Platform.h:
1081         * wtf/UnionFind.h: Added.
1082         (WTF::UnionFind::UnionFind):
1083         (WTF::UnionFind::find):
1084         (WTF::UnionFind::unify):
1085
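        Added example (not the WTF::UnionFind or VariableAccessData from this
        change; the prediction bits and names are assumptions): a union-find
        over per-use VariableAccessData entries showing the unification
        described above, with the root of each set carrying the union of the
        predictions of every use merged into it.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Prediction bits, assumed for the example; JSC's PredictedType encoding differs.
typedef uint32_t Prediction;
const Prediction PredictNone   = 0;
const Prediction PredictInt32  = 1u << 0;
const Prediction PredictDouble = 1u << 1;
const Prediction PredictCell   = 1u << 2;

struct VariableAccessData {
    int operand;             // the virtual register this access refers to
    Prediction prediction;   // every type observed flowing through this access
};

// Each bytecode use of a local gets its own entry; when two uses turn out to
// alias the same value they are unified and the surviving root carries the
// union of both predictions.
class VariableAccessUnionFind {
public:
    int add(int operand) {
        int index = static_cast<int>(parent_.size());
        parent_.push_back(index);
        data_.push_back(VariableAccessData{operand, PredictNone});
        return index;
    }

    // Find with path compression: every node on the walk up is re-pointed at
    // the root, so repeated lookups of a long-lived variable stay cheap.
    int find(int i) {
        int root = i;
        while (parent_[root] != root)
            root = parent_[root];
        while (parent_[i] != root) {
            int next = parent_[i];
            parent_[i] = root;
            i = next;
        }
        return root;
    }

    void unify(int a, int b) {
        a = find(a);
        b = find(b);
        if (a == b)
            return;
        parent_[b] = a;
        data_[a].prediction |= data_[b].prediction;
    }

    void observe(int i, Prediction p) { data_[find(i)].prediction |= p; }
    Prediction prediction(int i) { return data_[find(i)].prediction; }
    bool aliased(int a, int b) { return find(a) == find(b); }

private:
    std::vector<int> parent_;
    std::vector<VariableAccessData> data_;
};

// Worked scenario: two uses of local r3 reached by an int and a double, and a
// use of local r4 that stays separate. Only the aliased pair merges.
struct ScenarioResult {
    Prediction mergedPrediction;   // what the unified r3 accesses predict
    Prediction otherPrediction;    // what the untouched r4 access predicts
    bool pairAliased;
    bool otherAliased;
};

ScenarioResult runAliasingScenario() {
    VariableAccessUnionFind uf;
    int r3First  = uf.add(3);
    int r3Second = uf.add(3);
    int r4       = uf.add(4);
    uf.observe(r3First, PredictInt32);
    uf.observe(r3Second, PredictDouble);
    uf.observe(r4, PredictCell);
    uf.unify(r3First, r3Second);   // the parser found both uses see the same value
    ScenarioResult r;
    r.mergedPrediction = uf.prediction(r3Second);
    r.otherPrediction  = uf.prediction(r4);
    r.pairAliased      = uf.aliased(r3First, r3Second);
    r.otherAliased     = uf.aliased(r3First, r4);
    return r;
}
```

        Because predictions are read through find(), a pass that consults the
        second r3 use after unification sees the int and double observations
        made on the first, which is the per-access (rather than per-code-block)
        prediction the entry above describes.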
1086 2011-09-29  Oliver Hunt  <oliver@apple.com>
1087
1088         Build fix.
1089
1090         * heap/AllocationSpace.h:
1091
1092 2011-09-29  Oliver Hunt  <oliver@apple.com>
1093
1094         Add logic to collect dirty objects as roots
1095         https://bugs.webkit.org/show_bug.cgi?id=69100
1096
1097         Reviewed by Geoff Garen.
1098
1099         This gives us the ability to walk all the MarkedBlocks in an
1100         AllocationSpace and collect the dirty objects, and then use
1101         them as GC roots.
1102         
1103         I also rearranged the order of these instructions because it
1104         makes them smaller on some platforms with some card sizes.
1105
1106         * dfg/DFGJITCodeGenerator.cpp:
1107         (JSC::DFG::JITCodeGenerator::markCellCard):
1108         * dfg/DFGJITCodeGenerator32_64.cpp:
1109         (JSC::DFG::JITCodeGenerator::markCellCard):
1110         * heap/AllocationSpace.cpp:
1111            Tidy up the write barrier logic a bit.
1112         (JSC::MarkedBlock::gatherDirtyObjects):
1113         (JSC::TakeIfDirty::returnValue):
1114         (JSC::TakeIfDirty::TakeIfDirty):
1115         (JSC::TakeIfDirty::operator()):
1116         (JSC::AllocationSpace::gatherDirtyObjects):
1117         * heap/AllocationSpace.h:
1118         * heap/CardSet.h:
1119         (JSC::::isCardMarked):
1120         (JSC::::clearCard):
1121         * heap/Heap.cpp:
1122         (JSC::Heap::markRoots):
1123         * heap/Heap.h:
1124         (JSC::Heap::writeBarrier):
1125         * heap/MarkStack.cpp:
1126         (JSC::SlotVisitor::visitChildren):
1127         * heap/MarkedBlock.h:
1128         (JSC::MarkedBlock::setDirtyObject):
1129         (JSC::MarkedBlock::addressOfCardFor):
1130         * heap/SlotVisitor.h:
1131         * jit/JITPropertyAccess.cpp:
1132         (JSC::JIT::emitWriteBarrier):
1133            Tidy the write barrier a bit.
1134
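        Added illustration, not the AllocationSpace or CardSet code from this
        change (block, cell and card sizes are assumptions): a byte-per-card
        table with the two halves described above, the barrier that dirties a
        card on store and the collector walk that hands back the live cells on
        dirty cards as roots and clears each card as it goes.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Sizes assumed for the example; JSC's block, cell and card sizes differ.
constexpr size_t kBlockSize    = 4096;
constexpr size_t kCellSize     = 64;
constexpr size_t kCardSize     = 512;                      // 8 cells per card
constexpr size_t kCardCount    = kBlockSize / kCardSize;   // 8 cards per block
constexpr size_t kCellCount    = kBlockSize / kCellSize;   // 64 cells per block
constexpr size_t kCellsPerCard = kCardSize / kCellSize;

class MarkedBlock {
public:
    explicit MarkedBlock(uintptr_t base) : base_(base), live_(kCellCount, false) {
        for (size_t i = 0; i < kCardCount; ++i)
            cards_[i] = 0;
    }

    uintptr_t base() const { return base_; }
    void setLive(size_t cellIndex) { live_[cellIndex] = true; }

    // Write barrier half: a store into an object marks the card covering it.
    // This is the cheap path the JIT emits inline (markCellCard above).
    void setDirtyObject(uintptr_t cell) { cards_[cardFor(cell)] = 1; }
    bool isCardMarked(size_t card) const { return cards_[card] != 0; }
    void clearCard(size_t card) { cards_[card] = 0; }

    // Collector half: visit only the marked cards, hand back every live cell
    // on them, and clear the card so the next cycle starts clean. The cells
    // returned are the "dirty objects" used as extra roots.
    void gatherDirtyObjects(std::vector<uintptr_t>& out) {
        for (size_t card = 0; card < kCardCount; ++card) {
            if (!isCardMarked(card))
                continue;
            clearCard(card);
            size_t first = card * kCellsPerCard;
            for (size_t i = first; i < first + kCellsPerCard; ++i)
                if (live_[i])
                    out.push_back(base_ + i * kCellSize);
        }
    }

private:
    size_t cardFor(uintptr_t cell) const { return (cell - base_) / kCardSize; }

    uintptr_t base_;
    std::vector<bool> live_;
    uint8_t cards_[kCardCount];   // one byte per card, as a byte-addressable card table
};

// Worked scenario: four live objects, one store into cell 5. Only the two live
// cells sharing card 0 with it are reported, and a second gather finds nothing.
struct DirtyScenario {
    size_t firstGatherCount;
    size_t secondGatherCount;
    bool reportedCell0;
    bool reportedCell9;
};

DirtyScenario runDirtyObjectScenario() {
    MarkedBlock block(0x10000);
    size_t liveCells[] = {0, 5, 9, 40};
    for (size_t i = 0; i < 4; ++i)
        block.setLive(liveCells[i]);
    block.setDirtyObject(block.base() + 5 * kCellSize);   // mutator wrote into cell 5 (card 0)

    std::vector<uintptr_t> roots;
    block.gatherDirtyObjects(roots);
    DirtyScenario r;
    r.firstGatherCount = roots.size();
    r.reportedCell0 = false;
    r.reportedCell9 = false;
    for (size_t i = 0; i < roots.size(); ++i) {
        if (roots[i] == block.base())
            r.reportedCell0 = true;
        if (roots[i] == block.base() + 9 * kCellSize)
            r.reportedCell9 = true;
    }
    std::vector<uintptr_t> again;
    block.gatherDirtyObjects(again);
    r.secondGatherCount = again.size();
    return r;
}
```

        The card granularity is the trade-off: a single store dirties every
        live object on its card, so the collector over-approximates the root
        set by up to kCellsPerCard objects per store but never misses one.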
1135 2011-09-29  Gavin Barraclough  <barraclough@apple.com>
1136
1137         Unreviewed windows build fix.
1138
1139         * assembler/MacroAssemblerCodeRef.h:
1140         * dfg/DFGOperations.h:
1141
1142 2011-09-29  Filip Pizlo  <fpizlo@apple.com>
1143
1144         Structure transitions involving many (> 64) properties sometimes cause structure corruption
1145         https://bugs.webkit.org/show_bug.cgi?id=69102
1146
1147         Reviewed by Darin Adler.
1148         
1149         Made m_offset an int instead of a signed char. Changed the code to ensure that transitions
1150         don't lead to the dictionary kind being forgotten.
1151         
1152         * runtime/Structure.cpp:
1153         (JSC::Structure::Structure):
1154         * runtime/Structure.h:
1155
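        Added illustration of the narrowing hazard behind this fix (constructed
        stand-ins, not JSC's Structure): bumping an offset through a signed
        char transition by transition until it no longer fits. The page does
        not say how property offsets are encoded, so the threshold here is
        simply the field's own range; the checked variant shows the guard a
        narrow field needs if it has to stay narrow.

```cpp
#include <climits>

// Constructed stand-ins; JSC's Structure carries far more state than this.
struct NarrowStructure {
    signed char m_offset;   // the field width the change above replaces with int
    bool m_isDictionary;
};

struct WideStructure {
    int m_offset;
    bool m_isDictionary;
};

// Range check to put in front of any store into a narrow offset field.
bool fitsInSignedChar(int value) {
    return value >= SCHAR_MIN && value <= SCHAR_MAX;
}

// One add-property transition per call. The narrow version stores the bumped
// offset back into a signed char, which maps anything above SCHAR_MAX onto a
// wrong value; the wide version keeps the real offset. Both copy the previous
// structure first so the dictionary kind is carried forward, not forgotten.
NarrowStructure addPropertyNarrow(NarrowStructure prev) {
    NarrowStructure next = prev;
    next.m_offset = static_cast<signed char>(prev.m_offset + 1);
    return next;
}

WideStructure addPropertyWide(WideStructure prev) {
    WideStructure next = prev;
    next.m_offset = prev.m_offset + 1;
    return next;
}

int offsetAfterNarrowTransitions(int propertyCount) {
    NarrowStructure s = {0, false};
    for (int i = 0; i < propertyCount; ++i)
        s = addPropertyNarrow(s);
    return s.m_offset;
}

int offsetAfterWideTransitions(int propertyCount) {
    WideStructure s = {0, false};
    for (int i = 0; i < propertyCount; ++i)
        s = addPropertyWide(s);
    return s.m_offset;
}

// Guarded variant: refuse the transition instead of corrupting the offset.
bool tryAddPropertyChecked(NarrowStructure& s) {
    int bumped = s.m_offset + 1;
    if (!fitsInSignedChar(bumped))
        return false;
    s.m_offset = static_cast<signed char>(bumped);
    return true;
}

int checkedTransitionsAccepted(int propertyCount) {
    NarrowStructure s = {0, false};
    int accepted = 0;
    for (int i = 0; i < propertyCount; ++i)
        if (tryAddPropertyChecked(s))
            ++accepted;
    return accepted;
}
```

        A corrupted offset is an index into object storage, so the narrow
        version's wrong value is exactly the kind of out-of-range slot access
        that turns a property add into memory corruption.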
1156 2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>
1157
1158         DFG operation calls should be stdcall in Linux JSVALUE32_64 DFG JIT
1159         https://bugs.webkit.org/show_bug.cgi?id=69058
1160
1161         Reviewed by Gavin Barraclough.
1162
1163         Also fixed the stdcall FunctionPtr constructors to make them compile correctly on Linux
1164
1165         * assembler/MacroAssemblerCodeRef.h:
1166         (JSC::FunctionPtr::FunctionPtr):
1167
1168 2011-09-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1169
1170         De-virtualize JSCell::visitChildrenVirtual and remove all other visitChildrenVirtual methods
1171         https://bugs.webkit.org/show_bug.cgi?id=68839
1172
1173         Reviewed by Geoffrey Garen.
1174
1175         Removed the remaining visitChildrenVirtual methods.  This patch completes the process of 
1176         de-virtualizing visitChildren.
1177
1178         * API/JSCallbackObject.h:
1179         * JavaScriptCore.exp:
1180         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1181         * debugger/DebuggerActivation.cpp:
1182         * debugger/DebuggerActivation.h:
1183         * runtime/Arguments.cpp:
1184         * runtime/Arguments.h:
1185         * runtime/Executable.cpp:
1186         * runtime/Executable.h:
1187         * runtime/GetterSetter.cpp:
1188         * runtime/GetterSetter.h:
1189         * runtime/JSActivation.cpp:
1190         * runtime/JSActivation.h:
1191         * runtime/JSArray.cpp:
1192         * runtime/JSArray.h:
1193         * runtime/JSFunction.cpp:
1194         * runtime/JSFunction.h:
1195         * runtime/JSGlobalObject.cpp:
1196         * runtime/JSGlobalObject.h:
1197         * runtime/JSObject.cpp:
1198         * runtime/JSPropertyNameIterator.cpp:
1199         * runtime/JSPropertyNameIterator.h:
1200         * runtime/JSStaticScopeObject.cpp:
1201         * runtime/JSStaticScopeObject.h:
1202         * runtime/JSValue.h:
1203         * runtime/NativeErrorConstructor.cpp:
1204         * runtime/NativeErrorConstructor.h:
1205         * runtime/RegExpObject.cpp:
1206         * runtime/RegExpObject.h:
1207         * runtime/Structure.cpp:
1208         * runtime/Structure.h:
1209         * runtime/StructureChain.cpp:
1210         * runtime/StructureChain.h:
1211
1212         Inlined the method table access and call to the visitChildren function (the only call sites 
1213         to visitChildren are here).
1214         * heap/MarkStack.cpp:
1215         (JSC::SlotVisitor::visitChildren):
1216
1217         Changed the field name for the visitChildren function pointer to visitChildren (from 
1218         visitChildrenFunctionPtr) to make call sites less verbose.
1219         * runtime/ClassInfo.h:
1220
1221         Discovered JSBoundFunction doesn't have its own ClassInfo (it used JSFunction's ClassInfo) but 
1222         overrides visitChildren, so it needs to have its own ClassInfo.
1223         * runtime/JSBoundFunction.cpp:
1224         * runtime/JSBoundFunction.h:
1225
1226         Had to move className up to make sure that the virtual destructor in JSObject wasn't 
1227         the first non-inline virtual method in JSObject (as per the comment in the file).
1228         Also moved JSCell::visitChildrenVirtual into JSObject.h in order for it to be inline-able
1229         to mitigate the cost of an extra method call.
1230
1231         Also added a convenience accessor function methodTable() to JSCell to return the MethodTable to make 
1232         call sites more concise.  Implementation is inline in JSObject.h.
1233         * runtime/JSObject.h:
1234         (JSC::JSCell::methodTable):
1235         * runtime/JSCell.h:
1236
1237         Added an out of line virtual destructor to JSWrapperObject and ScopeChainNode to 
1238         appease the vtable gods.  It refused to compile if there were no virtual methods in 
1239         both of these classes due to the presence of a weak vtable pointer.
1240         * runtime/JSWrapperObject.cpp:
1241         (JSC::JSWrapperObject::~JSWrapperObject):
1242         * runtime/JSWrapperObject.h:
1243         * runtime/ScopeChain.cpp:
1244         (JSC::ScopeChainNode::~ScopeChainNode):
1245         * runtime/ScopeChain.h:
1246
1247 2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>
1248
1249         Bug fixes for CreateThis, NewObject and GetByOffset in JSVALUE32_64 DFG JIT
1250         https://bugs.webkit.org/show_bug.cgi?id=69075
1251
1252         Reviewed by Gavin Barraclough.
1253
1254         * dfg/DFGSpeculativeJIT32_64.cpp:
1255         (JSC::DFG::SpeculativeJIT::compile):
1256
1257 2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>
1258
1259         JSVALUE32_64 DFG JIT failed to be built on 32-bit Linux due to incorrect overloaded OpInfo constructor
1260         https://bugs.webkit.org/show_bug.cgi?id=69054
1261
1262         Reviewed by Gavin Barraclough.
1263
1264         size_t is equal to uint32_t on most 32-bit platforms, except for Mac OS.
1265
1266         * dfg/DFGNode.h:
1267
1268 2011-09-28  Filip Pizlo  <fpizlo@apple.com>
1269
1270         DFG checkArgumentTypes fails to check boolean predictions
1271         https://bugs.webkit.org/show_bug.cgi?id=69059
1272
1273         Reviewed by Gavin Barraclough.
1274
1275         * dfg/DFGSpeculativeJIT.cpp:
1276         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1277         * dfg/DFGSpeculativeJIT32_64.cpp:
1278         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1279
1280 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1281
1282         Build fix pt 2 for r96286.
1283
1284         * assembler/MacroAssemblerCodeRef.h:
1285
1286 2011-09-28  Ryosuke Niwa  <rniwa@webkit.org>
1287
1288         Build fix attempt for r96286.
1289
1290         * assembler/MacroAssemblerCodeRef.h:
1291
1292 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1293
1294         DFG JIT Operations on 32_64 should use stdcall calling convention.
1295         https://bugs.webkit.org/show_bug.cgi?id=69046
1296
1297         Reviewed by Sam Weinig.
1298
1299         All calls out are expecting stdcall conventions, but the default on OS X is cdecl.
1300         Leave D_DFGOperation_DD calls as the one exception, since we want to be able to link
1301         directly to std library functions like fmod - leave these calls obeying the default
1302         platform calling convention.
1303
1304         * assembler/MacroAssemblerCodeRef.h:
1305         (JSC::FunctionPtr::FunctionPtr):
1306             - Add implicit constructors for std calls.
1307         * dfg/DFGJITCodeGenerator.h:
1308         (JSC::DFG::callOperation):
1309             - Make this work non-Mac platforms.
1310         * dfg/DFGOperations.cpp:
1311         (JSC::DFG::operationPutByValInternal):
1312         * dfg/DFGOperations.h:
1313             - Mark all operations as stdcalls.
1314
1315 2011-09-28  Filip Pizlo  <fpizlo@apple.com>
1316
1317         DFG JIT falls back on numerical comparisons when it does not
1318         recognize a prediction
1319         https://bugs.webkit.org/show_bug.cgi?id=68977
1320
1321         Reviewed by Geoffrey Garen.
1322         
1323         This fixes the way comparison implementations are selected. It
1324         also fixes a bug where comparisons other than equality (like < or >)
1325         on objects are compiled as if the comparison was equality.
1326
1327         * dfg/DFGSpeculativeJIT.cpp:
1328         (JSC::DFG::SpeculativeJIT::compare):
1329
1330 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1331
1332         Implement callOperation(D_DFGOperation_DD) for DFG JIT 32_64
1333         https://bugs.webkit.org/show_bug.cgi?id=69026
1334
1335         Reviewed by Sam Weinig.
1336
1337         * assembler/X86Assembler.h:
1338         (JSC::X86Assembler::fstpl):
1339         * dfg/DFGJITCodeGenerator.h:
1340         (JSC::DFG::callOperation):
1341
1342 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1343
1344         Merge bug#68580, bug#68932 for DFG JIT with JSVALUE32_64
1345         https://bugs.webkit.org/show_bug.cgi?id=69017
1346
1347         Reviewed by Oliver Hunt.
1348
1349         * dfg/DFGJITCodeGenerator.h:
1350         (JSC::DFG::callOperation):
1351         * dfg/DFGOperations.cpp:
1352         * dfg/DFGSpeculativeJIT.cpp:
1353         (JSC::DFG::SpeculativeJIT::compile):
1354         * dfg/DFGSpeculativeJIT32_64.cpp:
1355         (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
1356         (JSC::DFG::SpeculativeJIT::compile):
1357
1358 2011-09-28  Gavin Barraclough  <barraclough@apple.com>
1359
1360         https://bugs.webkit.org/show_bug.cgi?id=64679
1361         Fix bugs in Array.prototype this handling.
1362
1363         Reviewed by Oliver Hunt.
1364
1365         * runtime/ArrayPrototype.cpp:
1366         (JSC::arrayProtoFuncJoin):
1367         (JSC::arrayProtoFuncConcat):
1368         (JSC::arrayProtoFuncPop):
1369         (JSC::arrayProtoFuncPush):
1370         (JSC::arrayProtoFuncReverse):
1371         (JSC::arrayProtoFuncShift):
1372         (JSC::arrayProtoFuncSlice):
1373         (JSC::arrayProtoFuncSort):
1374         (JSC::arrayProtoFuncSplice):
1375         (JSC::arrayProtoFuncUnShift):
1376         (JSC::arrayProtoFuncFilter):
1377         (JSC::arrayProtoFuncMap):
1378         (JSC::arrayProtoFuncEvery):
1379         (JSC::arrayProtoFuncForEach):
1380         (JSC::arrayProtoFuncSome):
1381         (JSC::arrayProtoFuncReduce):
1382         (JSC::arrayProtoFuncReduceRight):
1383         (JSC::arrayProtoFuncIndexOf):
1384         (JSC::arrayProtoFuncLastIndexOf):
1385             - These methods should throw if this value is undefined.
1386
1387 2011-09-27  Yuqiang Xian  <yuqiang.xian@intel.com>
1388
1389         Value profiling in baseline JIT for JSVALUE32_64
1390         https://bugs.webkit.org/show_bug.cgi?id=68750
1391
1392         Reviewed by Geoff Garen.
1393
1394         * jit/JITArithmetic32_64.cpp:
1395         (JSC::JIT::emit_op_mul):
1396         (JSC::JIT::emit_op_div):
1397         * jit/JITCall32_64.cpp:
1398         (JSC::JIT::emit_op_call_put_result):
1399         * jit/JITOpcodes32_64.cpp:
1400         (JSC::JIT::emit_op_resolve):
1401         (JSC::JIT::emit_op_resolve_base):
1402         (JSC::JIT::emit_op_resolve_skip):
1403         (JSC::JIT::emit_op_resolve_global):
1404         (JSC::JIT::emitSlow_op_resolve_global):
1405         (JSC::JIT::emit_op_resolve_with_base):
1406         (JSC::JIT::emit_op_resolve_with_this):
1407         * jit/JITPropertyAccess32_64.cpp:
1408         (JSC::JIT::emit_op_method_check):
1409         (JSC::JIT::emit_op_get_by_val):
1410         (JSC::JIT::emitSlow_op_get_by_val):
1411         (JSC::JIT::emit_op_get_by_id):
1412         (JSC::JIT::emitSlow_op_get_by_id):
1413         (JSC::JIT::emit_op_get_scoped_var):
1414         (JSC::JIT::emit_op_get_global_var):
1415         * jit/JITStubCall.h:
1416         (JSC::JITStubCall::callWithValueProfiling):
1417
1418 2011-09-28  Yuqiang Xian  <yuqiang.xian@intel.com>
1419
1420         Wrong integer checks in JSVALUE32_64 DFG JIT
1421         https://bugs.webkit.org/show_bug.cgi?id=68985
1422
1423         Reviewed by Geoffrey Garen.
1424
1425         * dfg/DFGJITCodeGenerator32_64.cpp:
1426         (JSC::DFG::JITCodeGenerator::fillDouble):
1427         * dfg/DFGSpeculativeJIT32_64.cpp:
1428         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1429
1430 2011-09-28  Adam Barth  <abarth@webkit.org>
1431
1432         Remove empty directories.
1433
1434         * wtf/brew: Removed.
1435         * wtf/unicode/brew: Removed.
1436
1437 2011-09-27  Filip Pizlo  <fpizlo@apple.com>
1438
1439         DFG JIT cannot compile op_new_object, op_new_array,
1440         op_new_array_buffer, or op_new_regexp
1441         https://bugs.webkit.org/show_bug.cgi?id=68580
1442
1443         Reviewed by Oliver Hunt.
1444         
1445         This implements all four opcodes, but has op_new_regexp turned off
1446         by default because it unveils some bad speculation logic when
1447         compiling string-validate-input.
1448         
1449         With op_new_regexp turned off, this is a 5% win on Kraken and a
1450         0.7% speed-up on V8. Neutral on SunSpider.
1451
1452         * dfg/DFGByteCodeParser.cpp:
1453         (JSC::DFG::ByteCodeParser::parseBlock):
1454         * dfg/DFGCapabilities.h:
1455         (JSC::DFG::canCompileOpcode):
1456         * dfg/DFGJITCodeGenerator.h:
1457         (JSC::DFG::callOperation):
1458         * dfg/DFGNode.h:
1459         (JSC::DFG::Node::hasConstantBuffer):
1460         (JSC::DFG::Node::startConstant):
1461         (JSC::DFG::Node::numConstants):
1462         (JSC::DFG::Node::hasRegexpIndex):
1463         (JSC::DFG::Node::regexpIndex):
1464         * dfg/DFGOperations.cpp:
1465         * dfg/DFGOperations.h:
1466         * dfg/DFGPropagator.cpp:
1467         (JSC::DFG::Propagator::propagateNodePredictions):
1468         * dfg/DFGSpeculativeJIT.cpp:
1469         (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
1470         (JSC::DFG::SpeculativeJIT::compile):
1471         * dfg/DFGSpeculativeJIT.h:
1472         (JSC::DFG::SpeculativeJIT::isKnownArray):
1473
1474 2011-09-27  Filip Pizlo  <fpizlo@apple.com>
1475
1476         DFG JIT should speculate more aggressively on reads of array.length
1477         https://bugs.webkit.org/show_bug.cgi?id=68932
1478
1479         Reviewed by Oliver Hunt.
1480         
1481         This is a 2% speed-up on Kraken, neutral elsewhere.
1482
1483         * dfg/DFGNode.h:
1484         * dfg/DFGPropagator.cpp:
1485         (JSC::DFG::Propagator::propagateNodePredictions):
1486         (JSC::DFG::Propagator::fixupNode):
1487         (JSC::DFG::Propagator::performNodeCSE):
1488         * dfg/DFGSpeculativeJIT.cpp:
1489         (JSC::DFG::SpeculativeJIT::compile):
1490
1491 2011-09-27  Gavin Barraclough  <barraclough@apple.com>
1492
1493         DFG JIT - merge changes between 95905 - 96175
1494         https://bugs.webkit.org/show_bug.cgi?id=68963
1495
1496         Reviewed by Sam Weinig.
1497
1498         Merge missing changes from bug#68677, bug#68784, bug#68785.
1499
1500         * dfg/DFGJITCompiler32_64.cpp:
1501         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1502         (JSC::DFG::JITCompiler::compileEntry):
1503         (JSC::DFG::JITCompiler::compileBody):
1504         * dfg/DFGSpeculativeJIT32_64.cpp:
1505         (JSC::DFG::SpeculativeJIT::compile):
1506
1507 2011-09-27  Gavin Barraclough  <barraclough@apple.com>
1508
1509         Get JSVALUE32_64 DFG JIT building on OS X.
1510         https://bugs.webkit.org/show_bug.cgi?id=68961
1511
1512         Reviewed by Geoff Garen.
1513
1514         * Merge bug #68763 (DFG JIT should not eagerly initialize integer tags in the register file).
1515         * Forward-declare functions in DFGOperations.cpp
1516         * UNUSED_PARAM for unused arguments
1517         * NO_RETURN for unimplemented function that ASSERT_NOT_REACHED
1518         * Fix argument types handled by OpInfo constructor.
1519         * Use SYMBOL_STRING instead of STRINGIZE for asm symbols.
1520         * Add files to Xcode project.
1521
1522 2011-09-27  Yuqiang Xian  <yuqiang.xian@intel.com>
1523
1524         Bug fixes for GetById, PutById, and GetByOffset in JSVALUE32_64 DFG JIT
1525         https://bugs.webkit.org/show_bug.cgi?id=68755
1526
1527         Reviewed by Gavin Barraclough.
1528
1529         We need to load/store and repatch both tag and payload of a property
1530         for GetById/PutById. Also reorder the loads of tag and payload for
1531         GetByOffset as the result tag GPR could reuse the storage GPR.
1532
1533         * bytecode/StructureStubInfo.h:
1534         * dfg/DFGJITCodeGenerator32_64.cpp:
1535         (JSC::DFG::JITCodeGenerator::cachedGetById):
1536         (JSC::DFG::JITCodeGenerator::cachedPutById):
1537         * dfg/DFGJITCompiler.h:
1538         (JSC::DFG::JITCompiler::addPropertyAccess):
1539         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
1540         * dfg/DFGJITCompiler32_64.cpp:
1541         (JSC::DFG::JITCompiler::link):
1542         * dfg/DFGRepatch.cpp:
1543         (JSC::DFG::dfgRepatchByIdSelfAccess):
1544         * dfg/DFGSpeculativeJIT32_64.cpp:
1545         (JSC::DFG::SpeculativeJIT::compile):
1546
1547 2011-09-24  Gavin Barraclough  <barraclough@apple.com>
1548
1549         Macro assembler branch8 & 16 methods vary in treatment of upper bits
1550         https://bugs.webkit.org/show_bug.cgi?id=68301
1551
1552         Reviewed by Sam Weinig.
1553
1554         Fix for branch16 - remove it!
1555         No performance impact.
1556
1557         * assembler/MacroAssembler.h:
1558         * assembler/MacroAssemblerARM.h:
1559         * assembler/MacroAssemblerARMv7.h:
1560         * assembler/MacroAssemblerMIPS.h:
1561         * assembler/MacroAssemblerSH4.h:
1562         * assembler/MacroAssemblerX86Common.h:
1563         * yarr/YarrJIT.cpp:
1564         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
1565         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1566         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
1567         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
1568         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
1569
1570 2011-09-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1571
1572         Add static version of JSCell::getCallData
1573         https://bugs.webkit.org/show_bug.cgi?id=68741
1574
1575         Reviewed by Darin Adler.
1576
1577         In this patch we just extract the bodies of the virtual getCallData methods
1578         throughout the JSCell inheritance hierarchy out into static methods, which are 
1579         now called from the virtual methods.  This is an intermediate step in trying to 
1580         move the virtual-ness of getCallData into our own method table stored in 
1581         ClassInfo.  We need to convert the methods to static methods because static methods 
1582         can be represented as function pointers rather than pointers to member functions, and
1583         function pointers are smaller and faster to call than pointers to member functions.
1584
1585         * API/JSCallbackFunction.cpp:
1586         (JSC::JSCallbackFunction::getCallDataVirtual):
1587         (JSC::JSCallbackFunction::getCallData):
1588         * API/JSCallbackFunction.h:
1589         * API/JSCallbackObject.h:
1590         * API/JSCallbackObjectFunctions.h:
1591         (JSC::::getCallDataVirtual):
1592         (JSC::::getCallData):
1593         * API/JSObjectRef.cpp:
1594         (JSObjectIsFunction):
1595         (JSObjectCallAsFunction):
1596         * JavaScriptCore.exp:
1597         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1598         * interpreter/Interpreter.cpp:
1599         (JSC::Interpreter::privateExecute):
1600         * jit/JITStubs.cpp:
1601         (JSC::DEFINE_STUB_FUNCTION):
1602         * runtime/ArrayConstructor.cpp:
1603         (JSC::ArrayConstructor::getCallDataVirtual):
1604         (JSC::ArrayConstructor::getCallData):
1605         * runtime/ArrayConstructor.h:
1606         * runtime/BooleanConstructor.cpp:
1607         (JSC::BooleanConstructor::getCallDataVirtual):
1608         (JSC::BooleanConstructor::getCallData):
1609         * runtime/BooleanConstructor.h:
1610         * runtime/DateConstructor.cpp:
1611         (JSC::DateConstructor::getCallDataVirtual):
1612         (JSC::DateConstructor::getCallData):
1613         * runtime/DateConstructor.h:
1614         * runtime/Error.cpp:
1615         (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
1616         (JSC::StrictModeTypeErrorFunction::getCallData):
1617         * runtime/ErrorConstructor.cpp:
1618         (JSC::ErrorConstructor::getCallDataVirtual):
1619         (JSC::ErrorConstructor::getCallData):
1620         * runtime/ErrorConstructor.h:
1621         * runtime/FunctionConstructor.cpp:
1622         (JSC::FunctionConstructor::getCallDataVirtual):
1623         (JSC::FunctionConstructor::getCallData):
1624         * runtime/FunctionConstructor.h:
1625         * runtime/FunctionPrototype.cpp:
1626         (JSC::FunctionPrototype::getCallDataVirtual):
1627         (JSC::FunctionPrototype::getCallData):
1628         * runtime/FunctionPrototype.h:
1629         * runtime/InternalFunction.h:
1630         * runtime/JSCell.cpp:
1631         (JSC::JSCell::getCallDataVirtual):
1632         (JSC::JSCell::getCallData):
1633         * runtime/JSCell.h:
1634         (JSC::getCallData):
1635         * runtime/JSFunction.cpp:
1636         (JSC::JSFunction::getCallDataVirtual):
1637         (JSC::JSFunction::getCallData):
1638         * runtime/JSFunction.h:
1639         * runtime/JSONObject.cpp:
1640         (JSC::Stringifier::Stringifier):
1641         (JSC::Stringifier::toJSON):
1642         (JSC::Stringifier::appendStringifiedValue):
1643         * runtime/JSObject.cpp:
1644         (JSC::JSObject::put):
1645         * runtime/NativeErrorConstructor.cpp:
1646         (JSC::NativeErrorConstructor::getCallDataVirtual):
1647         (JSC::NativeErrorConstructor::getCallData):
1648         * runtime/NativeErrorConstructor.h:
1649         * runtime/NumberConstructor.cpp:
1650         (JSC::NumberConstructor::getCallDataVirtual):
1651         (JSC::NumberConstructor::getCallData):
1652         * runtime/NumberConstructor.h:
1653         * runtime/ObjectConstructor.cpp:
1654         (JSC::ObjectConstructor::getCallDataVirtual):
1655         (JSC::ObjectConstructor::getCallData):
1656         * runtime/ObjectConstructor.h:
1657         * runtime/Operations.cpp:
1658         (JSC::jsTypeStringForValue):
1659         (JSC::jsIsObjectType):
1660         (JSC::jsIsFunctionType):
1661         * runtime/PropertySlot.cpp:
1662         (JSC::PropertySlot::functionGetter):
1663         * runtime/RegExpConstructor.cpp:
1664         (JSC::RegExpConstructor::getCallDataVirtual):
1665         (JSC::RegExpConstructor::getCallData):
1666         * runtime/RegExpConstructor.h:
1667         * runtime/StringConstructor.cpp:
1668         (JSC::StringConstructor::getCallDataVirtual):
1669         (JSC::StringConstructor::getCallData):
1670         * runtime/StringConstructor.h:
1671
1672 2011-09-27  Tim Horton  <timothy_horton@apple.com>
1673
1674         Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption
1675         https://bugs.webkit.org/show_bug.cgi?id=68816
1676         <rdar://problem/10186468>
1677
1678         Reviewed by Simon Fraser.
1679         
1680         Add ByteArray::clear, which zeros the memory in the ByteArray.
1681
1682         * wtf/ByteArray.h:
1683         (WTF::ByteArray::clear): Added.
1684
1685 2011-09-27  Sheriff Bot  <webkit.review.bot@gmail.com>
1686
1687         Unreviewed, rolling out r96131.
1688         http://trac.webkit.org/changeset/96131
1689         https://bugs.webkit.org/show_bug.cgi?id=68927
1690
1691         It made 18+ tests crash on all platforms (Requested by
1692         Ossy_night on #webkit).
1693
1694         * JavaScriptCore.exp:
1695         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1696         * interpreter/Interpreter.cpp:
1697         (JSC::Interpreter::throwException):
1698         * interpreter/Interpreter.h:
1699         * jsc.cpp:
1700         (GlobalObject::finishCreation):
1701         * parser/Parser.h:
1702         (JSC::Parser::parse):
1703         * runtime/CommonIdentifiers.h:
1704         * runtime/Error.cpp:
1705         (JSC::addErrorInfo):
1706         * runtime/Error.h:
1707
1708 2011-09-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1709
1710         De-virtualize JSCell::getPrimitiveNumber
1711         https://bugs.webkit.org/show_bug.cgi?id=68851
1712
1713         Reviewed by Darin Adler.
1714
1715         * JavaScriptCore.exp:
1716         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1717
1718         Changed JSCell::getPrimitiveNumber to manually handle the dispatch for 
1719         JSCells (JSObject and JSString in this case).
1720         * runtime/JSCell.cpp:
1721         (JSC::JSCell::getPrimitiveNumber):
1722         * runtime/JSCell.h:
1723
1724         Removed JSNotAnObject::getPrimitiveNumber since its return value doesn't 
1725         matter and it already implements defaultValue, so JSObject::getPrimitiveNumber
1726         can cover the case for JSNotAnObject.
1727         * runtime/JSNotAnObject.cpp:
1728         * runtime/JSNotAnObject.h:
1729
1730         De-virtualized JSObject::getPrimitiveNumber and JSString::getPrimitiveNumber 
1731         and changed them to be const.  Also made JSString::getPrimitiveNumber public 
1732         because it needs to be called from JSCell::getPrimitiveNumber and also since it's 
1733         no longer virtual, we want people who have a more specific pointer (JSString* 
1734         instead of JSCell*) to not have to pay the cost of a virtual method call.
1735         * runtime/JSObject.cpp:
1736         (JSC::JSObject::getPrimitiveNumber):
1737         * runtime/JSObject.h:
1738         * runtime/JSString.cpp:
1739         (JSC::JSString::getPrimitiveNumber):
1740         * runtime/JSString.h:
1741
1742 2011-09-27  Juan Carlos Montemayor Elosua  <j.mont@me.com>
1743
1744         Implement Error.stack
1745         https://bugs.webkit.org/show_bug.cgi?id=66994
1746
1747         Reviewed by Oliver Hunt.
1748
1749         This patch utilizes topCallFrame to create a stack trace when
1750         an error is thrown. Users will also be able to use the stack()
1751         command in jsc to get arrays with stack trace information.
1752
1753         * JavaScriptCore.exp:
1754         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1755         * interpreter/Interpreter.cpp:
1756         (JSC::getCallerLine):
1757         (JSC::getSourceURLFromCallFrame):
1758         (JSC::getStackFrameCodeType):
1759         (JSC::Interpreter::getStackTrace):
1760         (JSC::Interpreter::throwException):
1761         * interpreter/Interpreter.h:
1762         (JSC::StackFrame::toString):
1763         * jsc.cpp:
1764         (GlobalObject::finishCreation):
1765         (functionJSCStack):
1766         * parser/Parser.h:
1767         (JSC::Parser::parse):
1768         * runtime/CommonIdentifiers.h:
1769         * runtime/Error.cpp:
1770         (JSC::addErrorInfo):
1771         * runtime/Error.h:
1772
1773 2011-09-27  Carlos Garcia Campos  <cgarcia@igalia.com>
1774
1775         [GTK] Reorganize header files
1776         https://bugs.webkit.org/show_bug.cgi?id=65616
1777
1778         Reviewed by Martin Robinson.
1779
1780         Install header files under $libwebkitgtkincludedir/JavaScriptCore.
1781
1782         * GNUmakefile.am: Use $libwebkitgtkincludedir.
1783         * javascriptcoregtk.pc.in: Use webkitgtk-<api-version> as include dir.
1784
1785 2011-09-26  Geoffrey Garen  <ggaren@apple.com>
1786
1787         REGRESSION (r95912): Conservative marking doesn't filter out pointers to
1788         MarkedBlock metadata
1789         https://bugs.webkit.org/show_bug.cgi?id=68860
1790
1791         Reviewed by Oliver Hunt.
1792         
1793         Bencher says no performance change, maybe a 7% speedup on kraken-imaging-darkroom.
1794
1795         * heap/MarkedBlock.h:
1796         (JSC::MarkedBlock::isAtomAligned): Renamed atomMask to atomAlignment mask
1797         because the mask doesn't produce the actual atom number.
1798
1799         (JSC::MarkedBlock::isLiveCell): Testing just for alignment isn't good
1800         enough; we also need to test that a pointer is beyond the metadata section
1801         of a MarkedBlock, to avoid treating random metadata as a JSCell.
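
        The filter described in this entry, as an added illustration that is not WebKit's
        MarkedBlock code: a conservative root scanner sees raw machine words and must decide
        which of them may point at a cell. Testing only the atom alignment lets a word that
        happens to point into the block's own metadata (mark bits, state) be treated as a
        JSCell, which is a type confusion on the collector's side. The corrected predicate
        also requires the word to fall in the cell region past the header. Block size, atom
        size and the header layout below are assumed values chosen for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for the illustration (not WebKit's real constants). */
#define BLOCK_SIZE          (16u * 1024u)            /* blocks are BLOCK_SIZE-aligned */
#define ATOM_SIZE           16u                      /* cell allocation granularity    */
#define ATOM_ALIGNMENT_MASK ((uintptr_t)(ATOM_SIZE - 1u))
#define BLOCK_MASK          (~(uintptr_t)(BLOCK_SIZE - 1u))

/* Metadata sits at the start of every block; cells begin after it. */
typedef struct {
    uint8_t  markBits[BLOCK_SIZE / ATOM_SIZE / 8];   /* one bit per atom, 128 bytes */
    uint32_t state;
    uint32_t padding;
} BlockHeader;

/* Index of the first atom that can hold a cell (header rounded up to an atom). */
#define FIRST_ATOM ((sizeof(BlockHeader) + ATOM_SIZE - 1u) / ATOM_SIZE)

/* The insufficient check: alignment alone. Accepts pointers into the header
 * and pointers into other blocks. */
bool is_candidate_cell_alignment_only(uintptr_t p)
{
    return (p & ATOM_ALIGNMENT_MASK) == 0;
}

/* The corrected check: the word must be inside this block, atom aligned, and
 * beyond the metadata section. The block mask bounds it from above. */
bool is_candidate_cell(uintptr_t block_base, uintptr_t p)
{
    if ((p & BLOCK_MASK) != block_base)
        return false;                      /* points into some other block      */
    if ((p & ATOM_ALIGNMENT_MASK) != 0)
        return false;                      /* not on an atom boundary           */
    size_t atom = (size_t)(p - block_base) / ATOM_SIZE;
    return atom >= FIRST_ATOM;             /* reject mark bits / state metadata */
}

/* Constructed sample of words as a conservative scan might read them off a
 * stack; block_base is a made-up, block-aligned address. */
static const uintptr_t kBlockBase = 0x10000u;
static const uintptr_t kSampleWords[] = {
    0x10000u + 0x20u,    /* inside markBits: aligned, but metadata   */
    0x10000u + 0x80u,    /* the state field: aligned, but metadata   */
    0x10000u + 0x90u,    /* first real cell                          */
    0x10000u + 0x1234u,  /* misaligned                               */
    0x7fff0000u,         /* aligned, but a different block           */
    0x10000u + 0x3ff0u,  /* last atom in the block                   */
};

/* Count how many sample words each predicate would treat as a possible cell. */
size_t count_sample_candidates(bool strict)
{
    size_t n = sizeof(kSampleWords) / sizeof(kSampleWords[0]);
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        bool ok = strict ? is_candidate_cell(kBlockBase, kSampleWords[i])
                         : is_candidate_cell_alignment_only(kSampleWords[i]);
        if (ok)
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("first cell atom: %zu\n", (size_t)FIRST_ATOM);
    printf("alignment-only filter accepts %zu of 6 words\n", count_sample_candidates(false));
    printf("strict filter accepts         %zu of 6 words\n", count_sample_candidates(true));
    return 0;
}
```

        With the sample above the alignment-only predicate accepts five words, two of
        which point into the header; the strict predicate accepts only the two genuine
        cell addresses.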
1802
1803 2011-09-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1804
1805         Make JSCell::toBoolean non-virtual
1806         https://bugs.webkit.org/show_bug.cgi?id=67727
1807
1808         Reviewed by Geoffrey Garen.
1809
1810         JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
1811         before it was simply virtual and would crash if its implementation was called). 
1812         Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
1813         explicitly covers all cases of toBoolean, so having a virtual implementation of 
1814         JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.
1815
1816         * JavaScriptCore.exp:
1817         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1818         * runtime/JSCell.cpp:
1819         * runtime/JSCell.h:
1820         * runtime/JSNotAnObject.cpp:
1821         * runtime/JSNotAnObject.h:
1822         * runtime/JSObject.h:
1823         * runtime/JSString.h:
1824         (JSC::JSCell::toBoolean):
1825         (JSC::JSValue::toBoolean):
1826
1827 2011-09-26  Chris Marrin  <cmarrin@apple.com>
1828
1829         Enable requestAnimationFrame on Windows
1830         https://bugs.webkit.org/show_bug.cgi?id=68397
1831
1832         Reviewed by Simon Fraser.
1833
1834         Enabled REQUEST_ANIMATION_FRAME_TIMER for Windows
1835
1836         * wtf/Platform.h:
1837
1838 2011-09-26  Noel Gordon  <noel.gordon@gmail.com>
1839
1840         [Chromium] Remove DFGAliasTracker.h references from gyp project files
1841         https://bugs.webkit.org/show_bug.cgi?id=68787
1842
1843         Reviewed by Geoffrey Garen.
1844
1845         DFG/DFGAliasTracker.h was removed in r95389.  Cleanup (remove) references
1846         to that file from the gyp project files.
1847
1848         * JavaScriptCore.gypi:
1849
1850 2011-09-26  Zoltan Herczeg  <zherczeg@webkit.org>
1851
1852         [Qt]REGRESSION(r95865): It made 4 tests crash
1853         https://bugs.webkit.org/show_bug.cgi?id=68780
1854         
1855         Reviewed by Oliver Hunt.
1856
1857         emitJumpSlowCaseIfNotJSCell(...) cannot be moved
1858         away since the next load depends on it.
1859
1860         * jit/JITPropertyAccess32_64.cpp:
1861         (JSC::JIT::emit_op_put_by_val):
1862
1863 2011-09-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1864
1865         Add custom vtable struct to ClassInfo struct
1866         https://bugs.webkit.org/show_bug.cgi?id=68567
1867
1868         Reviewed by Oliver Hunt.
1869
1870         Declared/defined the MethodTable struct and added it to the ClassInfo struct.
1871         Also defined the CREATE_METHOD_TABLE macro to generate these method tables 
1872         succinctly where they need to be defined.
1873
1874         Also added to it the first function to use this macro, visitChildren. 
1875
1876         This is part of the process of getting rid of all C++ virtual methods in JSCell.  
1877         Eventually all virtual functions in JSCell that can't easily be converted to 
1878         non-virtual functions will be put into this custom vtable structure.
1879         * runtime/ClassInfo.h:
1880
1881         Added the CREATE_METHOD_TABLE macro call as the last argument to each of the 
1882         ClassInfo structs declared in these classes.  This saves us from having to visit 
1883         each s_info definition in the future when we add more methods to the MethodTable.
1884         * API/JSCallbackConstructor.cpp:
1885         * API/JSCallbackFunction.cpp:
1886         * API/JSCallbackObject.cpp:
1887         * JavaScriptCore.exp:
1888         * runtime/Arguments.cpp:
1889         * runtime/ArrayConstructor.cpp:
1890         * runtime/ArrayPrototype.cpp:
1891         * runtime/BooleanObject.cpp:
1892         * runtime/BooleanPrototype.cpp:
1893         * runtime/DateConstructor.cpp:
1894         * runtime/DateInstance.cpp:
1895         * runtime/DatePrototype.cpp:
1896         * runtime/ErrorInstance.cpp:
1897         * runtime/ErrorPrototype.cpp:
1898         * runtime/ExceptionHelpers.cpp:
1899         * runtime/Executable.cpp:
1900         * runtime/GetterSetter.cpp:
1901         * runtime/InternalFunction.cpp:
1902         * runtime/JSAPIValueWrapper.cpp:
1903         * runtime/JSActivation.cpp:
1904         * runtime/JSArray.cpp:
1905         * runtime/JSByteArray.cpp:
1906         * runtime/JSFunction.cpp:
1907         * runtime/JSGlobalObject.cpp:
1908         * runtime/JSONObject.cpp:
1909         * runtime/JSObject.cpp:
1910         * runtime/JSPropertyNameIterator.cpp:
1911         * runtime/JSString.cpp:
1912         * runtime/MathObject.cpp:
1913         * runtime/NativeErrorConstructor.cpp:
1914         * runtime/NumberConstructor.cpp:
1915         * runtime/NumberObject.cpp:
1916         * runtime/NumberPrototype.cpp:
1917         * runtime/ObjectConstructor.cpp:
1918         * runtime/ObjectPrototype.cpp:
1919         * runtime/RegExp.cpp:
1920         * runtime/RegExpConstructor.cpp:
1921         * runtime/RegExpObject.cpp:
1922         * runtime/RegExpPrototype.cpp:
1923         * runtime/ScopeChain.cpp:
1924         * runtime/StringConstructor.cpp:
1925         * runtime/StringObject.cpp:
1926         * runtime/StringPrototype.cpp:
1927         * runtime/Structure.cpp:
1928         * runtime/StructureChain.cpp:
1929
1930         Had to make visitChildren and visitChildrenVirtual protected instead of private
1931         because some of the subclasses of JSWrapperObject need access to JSWrapperObject's
1932         visitChildren function pointer in their vtable since they don't provide their own
1933         implementation. Same for RegExpObject.
1934         * runtime/JSWrapperObject.h:
1935         * runtime/RegExpObject.h:
1936
1937 2011-09-25  Adam Barth  <abarth@webkit.org>
1938
1939         Finish removing PLATFORM(BREWMP) by removing associated code
1940         https://bugs.webkit.org/show_bug.cgi?id=68779
1941
1942         Reviewed by Sam Weinig.
1943
1944         * JavaScriptCore.gyp/JavaScriptCore.gyp:
1945         * JavaScriptCore.gypi:
1946         * gyp/JavaScriptCore.gyp:
1947         * wscript:
1948         * wtf/FastMalloc.cpp:
1949         (WTF::fastMallocSize):
1950         * wtf/Vector.h:
1951         * wtf/brew: Removed.
1952         * wtf/brew/MainThreadBrew.cpp: Removed.
1953         * wtf/brew/OwnPtrBrew.cpp: Removed.
1954         * wtf/brew/RefPtrBrew.h: Removed.
1955         * wtf/brew/ShellBrew.h: Removed.
1956         * wtf/brew/StringBrew.cpp: Removed.
1957         * wtf/brew/SystemMallocBrew.h: Removed.
1958         * wtf/unicode/brew: Removed.
1959         * wtf/unicode/brew/UnicodeBrew.cpp: Removed.
1960         * wtf/unicode/brew/UnicodeBrew.h: Removed.
1961
1962 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
1963
1964         DFG JIT does not count speculation successes correctly
1965         https://bugs.webkit.org/show_bug.cgi?id=68785
1966
1967         Reviewed by Geoffrey Garen.
1968
1969         * dfg/DFGJITCompiler.cpp:
1970         (JSC::DFG::JITCompiler::compileEntry):
1971         (JSC::DFG::JITCompiler::compileBody):
1972         * dfg/DFGOperations.cpp:
1973
1974 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
1975
1976         DFG support for op_resolve_global is not enabled
1977         https://bugs.webkit.org/show_bug.cgi?id=68786
1978
1979         Reviewed by Geoffrey Garen.
1980
1981         * dfg/DFGCapabilities.h:
1982         (JSC::DFG::canCompileOpcode):
1983
1984 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
1985
1986         DFG static prediction code is no longer needed and should be removed
1987         https://bugs.webkit.org/show_bug.cgi?id=68784
1988
1989         Reviewed by Oliver Hunt.
1990         
1991         This gets rid of static prediction code, and ensures that we do not
1992         try to compile code where dynamic predictions are not available.
1993         This is accomplished by immediately performing an OSR exit wherever
1994         a value is retrieved for which no predictions exist.
1995         
1996         This also adds value profiling for this on functions used for calls.
1997         
1998         The heuristics for deciding when to optimize code are also tweaked,
1999         since it is now profitable to optimize sooner. This may need to be
2000         tweaked further, but this patch only makes minimal changes.
2001         
2002         This results in a 16% speed-up on Kraken/ai-astar, leading to a 3%
2003         overall win on Kraken.  It's neutral elsewhere.
2004
2005         * bytecode/CodeBlock.cpp:
2006         (JSC::CodeBlock::shouldOptimizeNow):
2007         (JSC::CodeBlock::dumpValueProfiles):
2008         * bytecode/CodeBlock.h:
2009         * bytecode/PredictedType.cpp:
2010         (JSC::predictionToString):
2011         * bytecode/PredictedType.h:
2012         (JSC::isCellPrediction):
2013         (JSC::isObjectPrediction):
2014         (JSC::isFinalObjectPrediction):
2015         (JSC::isStringPrediction):
2016         (JSC::isArrayPrediction):
2017         (JSC::isInt32Prediction):
2018         (JSC::isDoublePrediction):
2019         (JSC::isNumberPrediction):
2020         (JSC::isBooleanPrediction):
2021         (JSC::mergePredictions):
2022         * bytecode/PredictionTracker.h:
2023         (JSC::PredictionTracker::predictArgument):
2024         (JSC::PredictionTracker::predict):
2025         (JSC::PredictionTracker::predictGlobalVar):
2026         * bytecode/ValueProfile.cpp:
2027         (JSC::ValueProfile::computeUpdatedPrediction):
2028         * dfg/DFGByteCodeParser.cpp:
2029         (JSC::DFG::ByteCodeParser::set):
2030         (JSC::DFG::ByteCodeParser::addCall):
2031         (JSC::DFG::ByteCodeParser::getPrediction):
2032         (JSC::DFG::ByteCodeParser::parseBlock):
2033         * dfg/DFGGraph.cpp:
2034         (JSC::DFG::Graph::predictArgumentTypes):
2035         * dfg/DFGGraph.h:
2036         (JSC::DFG::Graph::predict):
2037         (JSC::DFG::Graph::predictGlobalVar):
2038         (JSC::DFG::Graph::getMethodCheckPrediction):
2039         (JSC::DFG::Graph::getJSConstantPrediction):
2040         (JSC::DFG::Graph::getPrediction):
2041         * dfg/DFGJITCodeGenerator.cpp:
2042         (JSC::DFG::JITCodeGenerator::writeBarrier):
2043         (JSC::DFG::JITCodeGenerator::emitBranch):
2044         * dfg/DFGJITCompiler.h:
2045         (JSC::DFG::JITCompiler::getPrediction):
2046         * dfg/DFGNode.h:
2047         (JSC::DFG::Node::valueOfJSConstantNode):
2048         (JSC::DFG::Node::isInt32Constant):
2049         (JSC::DFG::Node::isDoubleConstant):
2050         (JSC::DFG::Node::isNumberConstant):
2051         (JSC::DFG::Node::isBooleanConstant):
2052         (JSC::DFG::Node::predict):
2053         * dfg/DFGPropagator.cpp:
2054         (JSC::DFG::Propagator::Propagator):
2055         (JSC::DFG::Propagator::propagateNodePredictions):
2056         (JSC::DFG::Propagator::fixupNode):
2057         (JSC::DFG::Propagator::isPredictedNumerical):
2058         (JSC::DFG::Propagator::logicalNotIsPure):
2059         * dfg/DFGSpeculativeJIT.cpp:
2060         (JSC::DFG::SpeculativeJIT::compile):
2061         * dfg/DFGSpeculativeJIT.h:
2062         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
2063         (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
2064         (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
2065         (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
2066         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
2067         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
2068         (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
2069         (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
2070         * jit/JIT.cpp:
2071         (JSC::JIT::privateCompile):
2072
2073 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
2074
2075         DFG JIT Construct opcode takes a this argument even though it's
2076         not passed
2077         https://bugs.webkit.org/show_bug.cgi?id=68782
2078
2079         Reviewed by Oliver Hunt.
2080         
2081         This is performance-neutral, mostly. It's a slight speed-up on
2082         v8-splay.
2083         
2084         * dfg/DFGByteCodeParser.cpp:
2085         (JSC::DFG::ByteCodeParser::addCall):
2086         * dfg/DFGJITCodeGenerator.cpp:
2087         (JSC::DFG::JITCodeGenerator::emitCall):
2088
2089 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
2090
2091         DFG tracking of the value in cachedResultRegister does not handle
2092         op_mov correctly
2093         https://bugs.webkit.org/show_bug.cgi?id=68781
2094
2095         Reviewed by Oliver Hunt.
2096         
2097         This takes the simplest approach: it makes the old JIT dumber rather
2098         than making the DFG JIT smarter. This is performance-neutral.
2099
2100         * jit/JIT.h:
2101         (JSC::JIT::canBeOptimized):
2102         * jit/JITOpcodes.cpp:
2103         (JSC::JIT::emit_op_mov):
2104
2105 2011-09-25  Adam Barth  <abarth@webkit.org>
2106
2107         Remove PLATFORM(HAIKU) and associated code
2108         https://bugs.webkit.org/show_bug.cgi?id=68774
2109
2110         Reviewed by Sam Weinig.
2111
2112         * JavaScriptCore.gyp/JavaScriptCore.gyp:
2113         * JavaScriptCore.gypi:
2114         * gyp/JavaScriptCore.gyp:
2115         * heap/MachineStackMarker.cpp:
2116         * wtf/PageAllocation.h:
2117         * wtf/Platform.h:
2118         * wtf/StackBounds.cpp:
2119         * wtf/haiku: Removed.
2120         * wtf/haiku/MainThreadHaiku.cpp: Removed.
2121         * wtf/haiku/StringHaiku.cpp: Removed.
2122         * wtf/text/WTFString.h:
2123
2124 2011-09-24  Adam Barth  <abarth@webkit.org>
2125
2126         Always enable ENABLE(OFFLINE_WEB_APPLICATIONS)
2127         https://bugs.webkit.org/show_bug.cgi?id=68767
2128
2129         Reviewed by Eric Seidel.
2130
2131         * Configurations/FeatureDefines.xcconfig:
2132
2133 2011-09-24  Filip Pizlo  <fpizlo@apple.com>
2134
2135         JIT implementation of put_by_val increments m_length instead of setting
2136         it to index+1
2137         https://bugs.webkit.org/show_bug.cgi?id=68766
2138
2139         Reviewed by Geoffrey Garen.
2140
2141         * jit/JITPropertyAccess.cpp:
2142         (JSC::JIT::emit_op_put_by_val):
2143
2144 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
2145
2146         More build fixage.
2147
2148         * heap/ConservativeRoots.cpp: Our system of #includes, it is chaos.
2149
2150 2011-09-24  Filip Pizlo  <fpizlo@apple.com>
2151
2152         The DFG should not attempt to guess types in the absence of value
2153         profiles
2154         https://bugs.webkit.org/show_bug.cgi?id=68677
2155
2156         Reviewed by Oliver Hunt.
2157         
2158         This adds the ForceOSRExit node, which is ignored by the propagator
2159         and virtual register allocator (and hence ensuring that liveness analysis
2160         works correctly), but forces terminateSpeculativeExecution() in the
2161         back-end. This appears to be a slight speed-up on benchmark averages,
2162         with ~5% swings on individual benchmarks, in both directions. But it's
2163         never a regression on any average, and appears to be a ~1% progression
2164         in the SunSpider average.
2165         
2166         This also adds a bit better debugging support in the old JIT and in DFG,
2167         as this was necessary to debug the much more frequent OSR transitions
2168         that occur with this change.
2169
2170         * dfg/DFGByteCodeParser.cpp:
2171         (JSC::DFG::ByteCodeParser::addCall):
2172         (JSC::DFG::ByteCodeParser::getStrongPrediction):
2173         (JSC::DFG::ByteCodeParser::parseBlock):
2174         * dfg/DFGJITCompiler.cpp:
2175         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2176         * dfg/DFGNode.h:
2177         * dfg/DFGPropagator.cpp:
2178         (JSC::DFG::Propagator::propagateNodePredictions):
2179         * dfg/DFGSpeculativeJIT.cpp:
2180         (JSC::DFG::SpeculativeJIT::compile):
2181         * jit/JIT.cpp:
2182         (JSC::JIT::privateCompileMainPass):
2183         (JSC::JIT::privateCompileSlowCases):
2184         (JSC::JIT::privateCompile):
2185         * jit/JIT.h:
2186
2187 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
2188
2189         Some Windows build fixage.
2190
2191         * heap/MarkedBlock.cpp:
2192         (JSC::MarkedBlock::sweep):
2193         * heap/MarkedBlock.h:
2194         (JSC::MarkedBlock::isLive): Show the compiler that all control paths
2195         return a value. There, there, compiler. Everything's going to be OK.
2196
2197         * runtime/JSCell.h:
2198         (JSC::JSCell::setVPtr): Oops! Unrename this function.
2199
2200 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
2201
2202         Allocate new objects unmarked
2203         https://bugs.webkit.org/show_bug.cgi?id=68764
2204
2205         Reviewed by Oliver Hunt.
2206         
2207         This is a pre-requisite to using the mark bit to determine object age.
2208
2209         ~2% v8 speedup, mostly due to a 12% v8-splay speedup.
2210
2211         * heap/MarkedBlock.h:
2212         (JSC::MarkedBlock::isLive):
2213         (JSC::MarkedBlock::isLiveCell): These two functions are the reason for
2214         this patch. They can now determine object liveness without relying on
2215         newly allocated objects having their mark bits set. Each MarkedBlock
2216         now has a state variable that tells us how to determine whether its
2217         cells are live. (This new state variable supersedes the old one about
2218         destructor state. The rest of this patch is just refactoring to support
2219         the invariants of this new state variable without introducing a
2220         performance regression.)
2221
2222         (JSC::MarkedBlock::didConsumeFreeList): New function for updating internal
2223         state when a block becomes fully allocated.
2224
2225         (JSC::MarkedBlock::clearMarks): Folded a state change to 'Marked' into
2226         this function because, logically, clearing all mark bits is the first
2227         step in saying "mark bits now exactly reflect object liveness".
2228
2229         (JSC::MarkedBlock::markCountIsZero): Renamed from isEmpty() to clarify
2230         that this function only tells you about the mark bits, so it's only
2231         meaningful if you've put the mark bits into a meaningful state before
2232         calling it.
2233
2234         (JSC::MarkedBlock::forEachCell): Changed to use isLive() helper function
2235         instead of testing mark bits, since mark bits are not always the right
2236         way to find out if an object is live anymore. (New objects are live, but
2237         not marked.)
2238
2239         * heap/MarkedBlock.cpp:
2240         (JSC::MarkedBlock::recycle):
2241         (JSC::MarkedBlock::MarkedBlock): Folded all initialization -- even
2242         initialization when recycling an old block -- into the MarkedBlock
2243         constructor, for simplicity.
2244
2245         (JSC::MarkedBlock::callDestructor): Inlined for speed. Always check for
2246         a zapped cell before running a destructor, and always zap after
2247         running a destructor. This does not seem to be expensive, and the
2248         alternative just creates a too-confusing matrix of possible cell states
2249         ((zombie undestructed cell + zombie destructed cell + zapped destructed
2250         cell) * 5! permutations for progressing through block states = "Oh my!").
2251
2252         (JSC::MarkedBlock::specializedSweep):
2253         (JSC::MarkedBlock::sweep): Maintained and expanded a pre-existing
2254         optimization to use template specialization to constant fold lots of
2255         branches and elide certain operations entirely during a sweep. Merged
2256         four or five functions that were logically about sweeping into this one
2257         function pair, so there's only one way to do things now, it's
2258         automatically correct, and it's always fast.
2259
2260         (JSC::MarkedBlock::zapFreeList): Renamed this function to be more explicit
2261         about exactly what it does, and to honor the new block state system.
2262
2263         * heap/AllocationSpace.cpp:
2264         (JSC::AllocationSpace::allocateBlock): Updated for rename.
2265
2266         (JSC::AllocationSpace::freeBlocks): Updated for changed interface.
2267
2268         (JSC::TakeIfUnmarked::TakeIfUnmarked):
2269         (JSC::TakeIfUnmarked::operator()):
2270         (JSC::TakeIfUnmarked::returnValue): Just like isEmpty() above, renamed
2271         to clarify that this functor only tests the mark bits, so it's only
2272         valid if you've put the mark bits into a meaningful state before
2273         calling it.
2274         
2275         (JSC::AllocationSpace::shrink): Updated for rename.
2276
2277         * heap/AllocationSpace.h:
2278         (JSC::AllocationSpace::canonicalizeCellLivenessData): Renamed to be a
2279         little more specific about what we're making canonical.
2280
2281         (JSC::AllocationSpace::forEachCell): Updated for rename.
2282
2283         (JSC::AllocationSpace::forEachBlock): No need to canonicalize cell
2284         liveness data before iterating blocks -- clients that want iterated
2285         blocks to have valid cell liveness data should make this call for
2286         themselves. (And not all clients want it.)
2287
2288         * heap/ConservativeRoots.cpp:
2289         (JSC::ConservativeRoots::genericAddPointer): Updated for rename. Removed
2290         obsolete comment.
2291
2292         * heap/Heap.cpp:
2293         (JSC::CountFunctor::ClearMarks::operator()): Removed call to notify...()
2294         because clearMarks() now does that implicitly.
2295
2296         (JSC::Heap::destroy): Make sure to canonicalize before tear-down, since
2297         tear-down tests cell liveness when running destructors.
2298
2299         (JSC::Heap::markRoots):
2300         (JSC::Heap::collect): Moved weak reference harvesting out of markRoots()
2301         and into collect, since it strictly depends on root marking, and does
2302         not contribute to root marking.
2303
2304         (JSC::Heap::canonicalizeCellLivenessData): Renamed to be a little more
2305         specific about what we're making canonical.
2306
2307         * heap/Heap.h:
2308         (JSC::Heap::forEachProtectedCell): No need to canonicalize cell liveness
2309         data before iterating protected cells, since we know they're all live,
2310         and don't need to test for it.
2311
2312         * heap/Local.h:
2313         (JSC::::set): Can't make the same ASSERT we used to because we just don't
2314         have the mark bits for it anymore. Perhaps we can bring this ASSERT back
2315         in a weaker form in the future.
2316
2317         * heap/MarkedSpace.cpp:
2318         (JSC::MarkedSpace::addBlock):
2319         (JSC::MarkedSpace::removeBlock): Updated for interface change.
2320         (JSC::MarkedSpace::canonicalizeCellLivenessData): Renamed to be a little more
2321         specific about what we're making canonical.
2322
2323         * heap/MarkedSpace.h:
2324         (JSC::MarkedSpace::allocate):
2325         (JSC::MarkedSpace::SizeClass::SizeClass):
2326         (JSC::MarkedSpace::SizeClass::resetAllocator):
2327         (JSC::MarkedSpace::SizeClass::zapFreeList): Simplified this allocator
2328         functionality a bit. We now track only one block -- "currentBlock" --
2329         and rely on its internal state to know whether it has more cells to
2330         allocate.
2331
2332         * heap/Weak.h:
2333         (JSC::Weak::set): Can't make the same ASSERT we used to because we just don't
2334         have the mark bits for it anymore. Perhaps we can bring this ASSERT back
2335         in a weaker form in the future.
2336
2337         * runtime/JSCell.h:
2338         (JSC::JSCell::vptr):
2339         (JSC::JSCell::zap):
2340         (JSC::JSCell::isZapped):
2341         (JSC::isZapped): Made zapping a property of JSCell, for a little abstraction.
2342         In the future, exactly how a JSCell zaps itself will change, as the
2343         internal representation of JSCell changes.
2344
2345 2011-09-24  Filip Pizlo  <fpizlo@apple.com>
2346
2347         DFG JIT should not eagerly initialize integer tags in the register file
2348         https://bugs.webkit.org/show_bug.cgi?id=68763
2349
2350         Reviewed by Oliver Hunt.
2351
2352         * dfg/DFGJITCompiler.cpp:
2353         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2354         * dfg/DFGSpeculativeJIT.cpp:
2355         (JSC::DFG::ValueRecovery::dump):
2356         (JSC::DFG::OSRExit::OSRExit):
2357         (JSC::DFG::SpeculativeJIT::compile):
2358         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2359         * dfg/DFGSpeculativeJIT.h:
2360         (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedInt32):
2361         (JSC::DFG::OSRExit::operandForArgument):
2362         (JSC::DFG::OSRExit::operandForIndex):
2363         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2364
2365 2011-09-23  Yuqiang Xian  <yuqiang.xian@intel.com>
2366
2367         Add JSVALUE32_64 support to DFG JIT
2368         https://bugs.webkit.org/show_bug.cgi?id=67460
2369
2370         Reviewed by Gavin Barraclough.
2371
2372         This is the initial attempt to add JSVALUE32_64 support to DFG JIT.
2373         It's tested on IA32 Linux EFL port currently. It still cannot run
2374         all the test cases and benchmarks, so it should be turned off for now.
2375         
2376         The major work includes:
2377         1) dealing with JSVALUE32_64 data format in DFG JIT;
2378         2) bindings between 64-bit JS Value and 32-bit registers;
2379         3) handling of function calls. Currently for DFG operation function
2380         calls we follow the X86 cdecl calling convention on Linux, and the
2381         implementation is naive, pushing the arguments onto the stack
2382         one by one.
2383         
2384         The known issues include:
2385         1) some code is duplicated unnecessarily, especially in Speculative JIT
2386         code generation, where most of the operations on SpeculateInteger /
2387         SpeculateDouble should be identical to the JSVALUE64 code. Refactoring
2388         is needed in the future;
2389         2) lack of op_call and op_construct support, compared to the current
2390         JSVALUE64 DFG;
2391         3) currently integer speculations are assumed to be StrictInt32;
2392         4) lack of JSBoolean speculations;
2393         5) boxing and unboxing doubles could be improved;
2394         6) the DFG X86 register description is different from the baseline JIT's;
2395         the timeoutCheckRegister is used for general purposes;
2396         7) calls to runtime functions with primitive double parameters (e.g.
2397         fmod) don't work. Support needs to be added to the assembler to
2398         implement the mechanism of passing double parameters for X86 cdecl
2399         convention.
2400         
2401         And there are likely many other hidden bugs which will be exposed and
2402         resolved in the later debugging process.
2403
2404         * CMakeListsEfl.txt:
2405         * assembler/MacroAssemblerX86.h:
2406         (JSC::MacroAssemblerX86::loadDouble):
2407         (JSC::MacroAssemblerX86::storeDouble):
2408         * assembler/X86Assembler.h:
2409         (JSC::X86Assembler::movsd_rm):
2410         * bytecode/StructureStubInfo.h:
2411         * dfg/DFGByteCodeParser.cpp:
2412         (JSC::DFG::ByteCodeParser::parseBlock):
2413         * dfg/DFGCapabilities.h:
2414         (JSC::DFG::canCompileOpcode):
2415         * dfg/DFGFPRInfo.h:
2416         (JSC::DFG::FPRInfo::debugName):
2417         * dfg/DFGGPRInfo.h:
2418         (JSC::DFG::GPRInfo::toRegister):
2419         (JSC::DFG::GPRInfo::toIndex):
2420         (JSC::DFG::GPRInfo::debugName):
2421         * dfg/DFGGenerationInfo.h:
2422         (JSC::DFG::needDataFormatConversion):
2423         (JSC::DFG::GenerationInfo::initJSValue):
2424         (JSC::DFG::GenerationInfo::initDouble):
2425         (JSC::DFG::GenerationInfo::gpr):
2426         (JSC::DFG::GenerationInfo::tagGPR):
2427         (JSC::DFG::GenerationInfo::payloadGPR):
2428         (JSC::DFG::GenerationInfo::fpr):
2429         (JSC::DFG::GenerationInfo::fillJSValue):
2430         (JSC::DFG::GenerationInfo::fillCell):
2431         (JSC::DFG::GenerationInfo::fillDouble):
2432         * dfg/DFGJITCodeGenerator.cpp:
2433         * dfg/DFGJITCodeGenerator.h:
2434         (JSC::DFG::JITCodeGenerator::allocate):
2435         (JSC::DFG::JITCodeGenerator::use):
2436         (JSC::DFG::JITCodeGenerator::registersMatched):
2437         (JSC::DFG::JITCodeGenerator::silentSpillGPR):
2438         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2439         (JSC::DFG::JITCodeGenerator::silentFillFPR):
2440         (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
2441         (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):
2442         (JSC::DFG::JITCodeGenerator::boxDouble):
2443         (JSC::DFG::JITCodeGenerator::unboxDouble):
2444         (JSC::DFG::JITCodeGenerator::spill):
2445         (JSC::DFG::addressOfDoubleConstant):
2446         (JSC::DFG::integerResult):
2447         (JSC::DFG::jsValueResult):
2448         (JSC::DFG::setupResults):
2449         (JSC::DFG::callOperation):
2450         (JSC::JSValueOperand::JSValueOperand):
2451         (JSC::JSValueOperand::~JSValueOperand):
2452         (JSC::JSValueOperand::isDouble):
2453         (JSC::JSValueOperand::fill):
2454         (JSC::JSValueOperand::tagGPR):
2455         (JSC::JSValueOperand::payloadGPR):
2456         (JSC::JSValueOperand::fpr):
2457         (JSC::GPRTemporary::~GPRTemporary):
2458         (JSC::GPRTemporary::gpr):
2459         (JSC::GPRResult2::GPRResult2):
2460         * dfg/DFGJITCodeGenerator32_64.cpp: Added.
2461         (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
2462         (JSC::DFG::JITCodeGenerator::fillInteger):
2463         (JSC::DFG::JITCodeGenerator::fillDouble):
2464         (JSC::DFG::JITCodeGenerator::fillJSValue):
2465         (JSC::DFG::JITCodeGenerator::fillStorage):
2466         (JSC::DFG::JITCodeGenerator::useChildren):
2467         (JSC::DFG::JITCodeGenerator::isStrictInt32):
2468         (JSC::DFG::JITCodeGenerator::isKnownInteger):
2469         (JSC::DFG::JITCodeGenerator::isKnownNumeric):
2470         (JSC::DFG::JITCodeGenerator::isKnownCell):
2471         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
2472         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
2473         (JSC::DFG::JITCodeGenerator::isKnownBoolean):
2474         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
2475         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2476         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
2477         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
2478         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
2479         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
2480         (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
2481         (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
2482         (JSC::DFG::JITCodeGenerator::cachedGetById):
2483         (JSC::DFG::JITCodeGenerator::writeBarrier):
2484         (JSC::DFG::JITCodeGenerator::cachedPutById):
2485         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
2486         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
2487         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
2488         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
2489         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
2490         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2491         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
2492         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
2493         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
2494         (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
2495         (JSC::DFG::JITCodeGenerator::emitBranch):
2496         (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
2497         (JSC::DFG::JITCodeGenerator::emitCall):
2498         (JSC::DFG::JITCodeGenerator::speculationCheck):
2499         (JSC::DFG::dataFormatString):
2500         (JSC::DFG::JITCodeGenerator::dump):
2501         (JSC::DFG::JITCodeGenerator::checkConsistency):
2502         (JSC::DFG::GPRTemporary::GPRTemporary):
2503         (JSC::DFG::FPRTemporary::FPRTemporary):
2504         * dfg/DFGJITCompiler.cpp:
2505         * dfg/DFGJITCompiler.h:
2506         (JSC::DFG::JITCompiler::tagForGlobalVar):
2507         (JSC::DFG::JITCompiler::payloadForGlobalVar):
2508         (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
2509         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2510         (JSC::DFG::JITCompiler::boxDouble):
2511         (JSC::DFG::JITCompiler::unboxDouble):
2512         (JSC::DFG::JITCompiler::addPropertyAccess):
2513         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
2514         * dfg/DFGJITCompiler32_64.cpp: Added.
2515         (JSC::DFG::JITCompiler::fillNumericToDouble):
2516         (JSC::DFG::JITCompiler::fillInt32ToInteger):
2517         (JSC::DFG::JITCompiler::fillToJS):
2518         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2519         (JSC::DFG::JITCompiler::linkOSRExits):
2520         (JSC::DFG::JITCompiler::compileEntry):
2521         (JSC::DFG::JITCompiler::compileBody):
2522         (JSC::DFG::JITCompiler::link):
2523         (JSC::DFG::JITCompiler::compile):
2524         (JSC::DFG::JITCompiler::compileFunction):
2525         (JSC::DFG::JITCompiler::jitAssertIsInt32):
2526         (JSC::DFG::JITCompiler::jitAssertIsJSInt32):
2527         (JSC::DFG::JITCompiler::jitAssertIsJSNumber):
2528         (JSC::DFG::JITCompiler::jitAssertIsJSDouble):
2529         (JSC::DFG::JITCompiler::jitAssertIsCell):
2530         (JSC::DFG::JITCompiler::emitCount):
2531         (JSC::DFG::JITCompiler::setSamplingFlag):
2532         (JSC::DFG::JITCompiler::clearSamplingFlag):
2533         * dfg/DFGJITCompilerInlineMethods.h: Added.
2534         (JSC::DFG::JITCompiler::emitLoadTag):
2535         (JSC::DFG::JITCompiler::emitLoadPayload):
2536         (JSC::DFG::JITCompiler::emitLoad):
2537         (JSC::DFG::JITCompiler::emitLoad2):
2538         (JSC::DFG::JITCompiler::emitLoadDouble):
2539         (JSC::DFG::JITCompiler::emitLoadInt32ToDouble):
2540         (JSC::DFG::JITCompiler::emitStore):
2541         (JSC::DFG::JITCompiler::emitStoreInt32):
2542         (JSC::DFG::JITCompiler::emitStoreCell):
2543         (JSC::DFG::JITCompiler::emitStoreBool):
2544         (JSC::DFG::JITCompiler::emitStoreDouble):
2545         * dfg/DFGNode.h:
2546         * dfg/DFGOperations.cpp:
2547         * dfg/DFGRepatch.cpp:
2548         (JSC::DFG::generateProtoChainAccessStub):
2549         (JSC::DFG::tryCacheGetByID):
2550         (JSC::DFG::tryBuildGetByIDList):
2551         (JSC::DFG::tryCachePutByID):
2552         * dfg/DFGSpeculativeJIT.cpp:
2553         * dfg/DFGSpeculativeJIT.h:
2554         (JSC::DFG::ValueRecovery::inGPR):
2555         (JSC::DFG::ValueRecovery::inPair):
2556         (JSC::DFG::ValueRecovery::tagGPR):
2557         (JSC::DFG::ValueRecovery::payloadGPR):
2558         * dfg/DFGSpeculativeJIT32_64.cpp: Added.
2559         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2560         (JSC::DFG::ValueSource::dump):
2561         (JSC::DFG::ValueRecovery::dump):
2562         (JSC::DFG::OSRExit::OSRExit):
2563         (JSC::DFG::OSRExit::dump):
2564         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
2565         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2566         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2567         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2568         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2569         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
2570         (JSC::DFG::SpeculativeJIT::convertToDouble):
2571         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
2572         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2573         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2574         (JSC::DFG::SpeculativeJIT::compare):
2575         (JSC::DFG::SpeculativeJIT::compile):
2576         (JSC::DFG::SpeculativeJIT::compileMovHint):
2577         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2578         (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
2579         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2580         * runtime/JSValue.h:
2581
2582 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
2583
2584         wtf/BitVector.h has a variety of bugs which manifest when the
2585         vector grows beyond 63 bits
2586         https://bugs.webkit.org/show_bug.cgi?id=68746
2587
2588         Reviewed by Oliver Hunt.
2589         
2590         Out-of-lined slow path code in BitVector so that not every user
2591         of CodeBlock ends up having to compile it. Fixed a variety of
2592         index computation and size computation bugs.
2593         
2594         I have not seen these issues manifest themselves, but they are
2595         blocking a patch that uses BitVector more aggressively.
2596
2597         * GNUmakefile.list.am:
2598         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
2599         * JavaScriptCore.xcodeproj/project.pbxproj:
2600         * wtf/BitVector.cpp: Added.
2601         (BitVector::BitVector):
2602         (BitVector::operator=):
2603         (BitVector::resize):
2604         (BitVector::clearAll):
2605         (BitVector::OutOfLineBits::create):
2606         (BitVector::OutOfLineBits::destroy):
2607         (BitVector::resizeOutOfLine):
2608         * wtf/BitVector.h:
2609         (WTF::BitVector::ensureSize):
2610         (WTF::BitVector::get):
2611         (WTF::BitVector::set):
2612         (WTF::BitVector::clear):
2613         (WTF::BitVector::byteCount):
2614         (WTF::BitVector::OutOfLineBits::numWords):
2615         (WTF::BitVector::OutOfLineBits::bits):
2616         (WTF::BitVector::outOfLineBits):
2617         * wtf/CMakeLists.txt:
2618         * wtf/wtf.pri:
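
        The inline/out-of-line split described in this entry, as an added
        toy reimplementation (not WTF's BitVector code): the top bit of the
        single inline word is the "inline" tag, so only 63 bits fit inline,
        and growing past that boundary is where word-count rounding and the
        tag bit leaking into the copied payload go wrong. Class and helper
        names below are this example's own.

```cpp
// Added example, not WTF's code: a toy BitVector with the same inline /
// out-of-line split as wtf/BitVector.h, to show which index and size
// computations must stay correct once the vector grows past 63 bits.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <algorithm>

class ToyBitVector {
public:
    static constexpr size_t bitsPerWord = sizeof(uintptr_t) * 8;
    // The top bit of the inline word is the "I am inline" tag, which is why
    // only bitsPerWord - 1 (63 on a 64-bit build) bits fit inline.
    static constexpr size_t maxInlineBits = bitsPerWord - 1;

    ToyBitVector() : m_bitsOrPointer(inlineTag) {}
    explicit ToyBitVector(size_t numBits) : m_bitsOrPointer(inlineTag) { ensureSize(numBits); }
    ~ToyBitVector() { if (!isInline()) std::free(outOfLineBits()); }
    ToyBitVector(const ToyBitVector&) = delete;
    ToyBitVector& operator=(const ToyBitVector&) = delete;

    bool isInline() const { return (m_bitsOrPointer & inlineTag) != 0; }
    size_t size() const { return isInline() ? maxInlineBits : outOfLineBits()->numBits; }

    // Round up, not down: a partial last word still needs storage.
    static size_t wordCount(size_t numBits) { return (numBits + bitsPerWord - 1) / bitsPerWord; }
    static size_t byteCount(size_t numBits) { return wordCount(numBits) * sizeof(uintptr_t); }

    void ensureSize(size_t numBits) { if (numBits > size()) resizeOutOfLine(numBits); }

    bool get(size_t bit) const {
        assert(bit < size());
        return (bits()[bit / bitsPerWord] >> (bit % bitsPerWord)) & 1;
    }
    void set(size_t bit) {
        assert(bit < size());
        bits()[bit / bitsPerWord] |= static_cast<uintptr_t>(1) << (bit % bitsPerWord);
    }
    void clear(size_t bit) {
        assert(bit < size());
        bits()[bit / bitsPerWord] &= ~(static_cast<uintptr_t>(1) << (bit % bitsPerWord));
    }
    void clearAll() {
        if (isInline()) { m_bitsOrPointer = inlineTag; return; } // keep the tag
        std::memset(outOfLineBits()->bits(), 0, byteCount(size()));
    }

private:
    struct OutOfLineBits {
        size_t numBits;
        uintptr_t* bits() { return reinterpret_cast<uintptr_t*>(this + 1); }
        static OutOfLineBits* create(size_t numBits) {
            // Header plus exactly wordCount(numBits) words, zero-filled.
            OutOfLineBits* result = static_cast<OutOfLineBits*>(
                std::calloc(1, sizeof(OutOfLineBits) + byteCount(numBits)));
            assert(result);
            result->numBits = numBits;
            return result;
        }
    };
    static constexpr uintptr_t inlineTag = static_cast<uintptr_t>(1) << maxInlineBits;

    OutOfLineBits* outOfLineBits() const { return reinterpret_cast<OutOfLineBits*>(m_bitsOrPointer); }
    const uintptr_t* bits() const { return isInline() ? &m_bitsOrPointer : outOfLineBits()->bits(); }
    uintptr_t* bits() { return isInline() ? &m_bitsOrPointer : outOfLineBits()->bits(); }

    void resizeOutOfLine(size_t numBits) {
        OutOfLineBits* fresh = OutOfLineBits::create(numBits);
        if (isInline()) {
            // Copy the 63 payload bits only: carrying the tag bit across would
            // make bit 63 read as set in the new vector.
            fresh->bits()[0] = m_bitsOrPointer & ~inlineTag;
        } else {
            OutOfLineBits* old = outOfLineBits();
            std::memcpy(fresh->bits(), old->bits(), byteCount(std::min(old->numBits, numBits)));
            std::free(old);
        }
        // Assumption: heap pointers have the top bit clear (true for user space
        // on x86-64); otherwise the pointer would be mistaken for inline bits.
        assert(!(reinterpret_cast<uintptr_t>(fresh) & inlineTag));
        m_bitsOrPointer = reinterpret_cast<uintptr_t>(fresh);
    }

    uintptr_t m_bitsOrPointer;
};

// Walk the boundary this ChangeLog entry is about: set bits while inline,
// grow to 64 and then 200 bits, and check that nothing leaked or was lost.
bool growAcrossInlineBoundaryPreservesBits() {
    ToyBitVector v;
    v.set(0); v.set(62);
    if (!v.isInline() || v.size() != ToyBitVector::maxInlineBits) return false;
    v.ensureSize(ToyBitVector::bitsPerWord);        // still one word, but no longer inline
    if (v.isInline() || v.size() != ToyBitVector::bitsPerWord) return false;
    if (!v.get(0) || !v.get(62) || v.get(ToyBitVector::maxInlineBits)) return false;
    v.set(ToyBitVector::maxInlineBits);
    v.ensureSize(200);                              // old word copied, new words zero
    if (v.size() != 200) return false;
    for (size_t i = 0; i < 200; ++i) {
        bool expected = (i == 0 || i == 62 || i == ToyBitVector::maxInlineBits);
        if (v.get(i) != expected) return false;
    }
    v.clear(62);
    return !v.get(62) && v.get(0);
}
```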
2619
2620 2011-09-23  Adam Klein  <adamk@chromium.org>
2621
2622         Add ENABLE_MUTATION_OBSERVERS feature flag
2623         https://bugs.webkit.org/show_bug.cgi?id=68732
2624
2625         Reviewed by Ojan Vafai.
2626
2627         This flag will guard an implementation of the "Mutation Observers" proposed in
2628         http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/1622.html
2629
2630         * Configurations/FeatureDefines.xcconfig:
2631
2632 2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>
2633
2634         De-virtualize JSCell::getJSNumber
2635         https://bugs.webkit.org/show_bug.cgi?id=68651
2636
2637         Reviewed by Oliver Hunt.
2638
2639         Added a new JSType to check whether or not something is a 
2640         NumberObject (which includes NumberPrototype) in TypeInfo::isNumberObject because there's not 
2641         currently a better way to determine whether something is indeed a NumberObject.
2642         Also de-virtualized JSCell::getJSNumber, having it check the TypeInfo 
2643         for whether the object is a NumberObject or not.  This patch is part of 
2644         the larger process of de-virtualizing JSCell.
2645
2646         * JavaScriptCore.exp:
2647         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2648         * runtime/JSCell.cpp:
2649         (JSC::JSCell::getJSNumber):
2650         * runtime/JSCell.h:
2651         (JSC::JSValue::getJSNumber):
2652         * runtime/JSType.h:
2653         * runtime/JSTypeInfo.h:
2654         (JSC::TypeInfo::isNumberObject):
2655         * runtime/JSValue.h:
2656         * runtime/NumberObject.cpp:
2657         (JSC::NumberObject::getJSNumber):
2658         * runtime/NumberObject.h:
2659         (JSC::NumberObject::createStructure):
2660         * runtime/NumberPrototype.h:
2661         (JSC::NumberPrototype::createStructure):
2662
2663 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
2664
2665         Resolve opcodes should have value profiling.
2666         https://bugs.webkit.org/show_bug.cgi?id=68723
2667
2668         Reviewed by Oliver Hunt.
2669         
2670         This adds value profiling to all forms of op_resolve in the
2671         old JIT, and patches that information into the DFG along with
2672         performing the appropriate type propagation.
2673
2674         * dfg/DFGByteCodeParser.cpp:
2675         (JSC::DFG::ByteCodeParser::parseBlock):
2676         * dfg/DFGGraph.h:
2677         (JSC::DFG::Graph::predict):
2678         * dfg/DFGNode.h:
2679         (JSC::DFG::Node::hasIdentifier):
2680         (JSC::DFG::Node::resolveGlobalDataIndex):
2681         (JSC::DFG::Node::hasPrediction):
2682         * dfg/DFGPropagator.cpp:
2683         (JSC::DFG::Propagator::propagateNodePredictions):
2684         * dfg/DFGSpeculativeJIT.cpp:
2685         (JSC::DFG::SpeculativeJIT::compile):
2686         * jit/JITOpcodes.cpp:
2687         (JSC::JIT::emit_op_resolve):
2688         (JSC::JIT::emit_op_resolve_base):
2689         (JSC::JIT::emit_op_resolve_skip):
2690         (JSC::JIT::emit_op_resolve_global):
2691         (JSC::JIT::emitSlow_op_resolve_global):
2692         (JSC::JIT::emit_op_resolve_with_base):
2693         (JSC::JIT::emit_op_resolve_with_this):
2694         (JSC::JIT::emitSlow_op_resolve_global_dynamic):
2695         * jit/JITStubCall.h:
2696         (JSC::JITStubCall::callWithValueProfiling):
2697
2698 2011-09-23  Oliver Hunt  <oliver@apple.com>
2699
2700         Fix windows build.
2701
2702         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2703
2704 2011-09-23  Gavin Barraclough  <barraclough@apple.com>
2705
2706         Strict mode does not work in non-trivial nested functions.
2707         https://bugs.webkit.org/show_bug.cgi?id=68740
2708
2709         Reviewed by Oliver Hunt.
2710
2711         Function-info caching does not preserve all state that it should.
2712
2713         * parser/JSParser.cpp:
2714         (JSC::JSParser::Scope::saveFunctionInfo):
2715         (JSC::JSParser::Scope::restoreFunctionInfo):
2716         (JSC::JSParser::parseFunctionInfo):
2717         * parser/SourceProviderCacheItem.h:
2718
2719 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
2720
2721         ValueToDouble handling in prediction propagation should be ASSERT_NOT_REACHED
2722         https://bugs.webkit.org/show_bug.cgi?id=68724
2723
2724         Reviewed by Oliver Hunt.
2725
2726         * dfg/DFGPropagator.cpp:
2727         (JSC::DFG::Propagator::propagateNodePredictions):
2728
2729 2011-09-23  Oliver Hunt  <oliver@apple.com>
2730
2731         Build fix.
2732
2733         * JavaScriptCore.xcodeproj/project.pbxproj:
2734
2735 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
2736
2737         DFG implementation of PutScopedVar corrupts register allocation
2738         https://bugs.webkit.org/show_bug.cgi?id=68735
2739
2740         Reviewed by Oliver Hunt.
2741
2742         * dfg/DFGSpeculativeJIT.cpp:
2743         (JSC::DFG::SpeculativeJIT::compile):
2744
2745 2011-09-23  Oliver Hunt  <oliver@apple.com>
2746
2747         Make write barriers actually do something when enabled
2748         https://bugs.webkit.org/show_bug.cgi?id=68717
2749
2750         Reviewed by Geoffrey Garen.
2751
2752         Add a basic card marking style write barrier to JSC (currently
2753         turned off).  This requires two scratch registers in the JIT
2754         so there was some register re-arranging to satisfy that requirement.
2755         Happily this produced a minor perf bump in sunspider (~0.5%).
2756
2757         Turning the barriers on causes an overall regression of around 1.5%.
2758
2759         * JavaScriptCore.exp:
2760         * JavaScriptCore.xcodeproj/project.pbxproj:
2761         * assembler/MacroAssemblerX86Common.h:
2762         (JSC::MacroAssemblerX86Common::store8):
2763         * assembler/X86Assembler.h:
2764         (JSC::X86Assembler::movb_i8m):
2765         * dfg/DFGJITCodeGenerator.cpp:
2766         (JSC::DFG::JITCodeGenerator::isKnownNotCell):
2767         (JSC::DFG::JITCodeGenerator::writeBarrier):
2768         (JSC::DFG::JITCodeGenerator::markCellCard):
2769         (JSC::DFG::JITCodeGenerator::cachedPutById):
2770         * dfg/DFGJITCodeGenerator.h:
2771         * dfg/DFGRepatch.cpp:
2772         (JSC::DFG::tryCachePutByID):
2773         * dfg/DFGSpeculativeJIT.cpp:
2774         (JSC::DFG::SpeculativeJIT::compile):
2775         * heap/CardSet.h: Added.
2776         (JSC::CardSet::CardSet):
2777         (JSC::::cardForAtom):
2778         (JSC::::cardMarkedForAtom):
2779         (JSC::::markCardForAtom):
2780         * heap/Heap.cpp:
2781         * heap/Heap.h:
2782         (JSC::Heap::addressOfCardFor):
2783         (JSC::Heap::writeBarrierFastCase):
2784         * heap/MarkedBlock.h:
2785         (JSC::MarkedBlock::setDirtyObject):
2786         (JSC::MarkedBlock::addressOfCardFor):
2787         (JSC::MarkedBlock::offsetOfCards):
2788         * jit/JIT.h:
2789         * jit/JITPropertyAccess.cpp:
2790         (JSC::JIT::emit_op_put_by_val):
2791         (JSC::JIT::emit_op_put_by_id):
2792         (JSC::JIT::privateCompilePutByIdTransition):
2793         (JSC::JIT::emit_op_put_scoped_var):
2794         (JSC::JIT::emit_op_put_global_var):
2795         (JSC::JIT::emitWriteBarrier):
2796         * jit/JITPropertyAccess32_64.cpp:
2797         (JSC::JIT::emit_op_put_by_val):
2798         (JSC::JIT::emit_op_put_by_id):
2799         (JSC::JIT::emitSlow_op_put_by_id):
2800         (JSC::JIT::privateCompilePutByIdTransition):
2801         (JSC::JIT::emit_op_put_scoped_var):
2802         (JSC::JIT::emit_op_put_global_var):
2803
2804 2011-09-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>
2805
2806         https://bugs.webkit.org/show_bug.cgi?id=68077
2807         SH4 assemblers don't refer to the executable memory handle.
2808
2809         Reviewed by Gavin Barraclough.
2810
2811         * assembler/MacroAssemblerSH4.h:
2812         (JSC::MacroAssemblerSH4::branch8):
2813         * assembler/SH4Assembler.h:
2814         (JSC::SH4Assembler::executableCopy):
2815
2816 2011-09-23  Oliver Hunt  <oliver@apple.com>
2817
2818         PutScopedVar nodes should report that they have a var number
2819         https://bugs.webkit.org/show_bug.cgi?id=68721
2820
2821         Reviewed by Anders Carlsson.
2822
2823         Another assertion fix.
2824
2825         * dfg/DFGNode.h:
2826         (JSC::DFG::Node::hasVarNumber):
2827
2828 2011-09-23  Oliver Hunt  <oliver@apple.com>
2829
2830         Add a bunch of unhandled node types to the propagator
2831         https://bugs.webkit.org/show_bug.cgi?id=68716
2832
2833         Reviewed by Darin Adler.
2834
2835         Remove the ASSERT_NOT_REACHED() default for debug builds in the
2836         prediction propagator; this way unhandled nodes will just cause
2837         compile time failures rather than failing at some point in the
2838         future.
2839
2840         * dfg/DFGPropagator.cpp:
2841         (JSC::DFG::Propagator::propagateNodePredictions):
2842
2843 2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>
2844
2845         Add static version of JSCell::visitChildren
2846         https://bugs.webkit.org/show_bug.cgi?id=68404
2847
2848         Reviewed by Darin Adler.
2849
2850         In this patch we just extract the bodies of the virtual visitChildren methods
2851         throughout the JSCell inheritance hierarchy out into static methods, which are 
2852         now called from the virtual methods.  This is an intermediate step in trying to 
2853         move the virtual-ness of visitChildren into our own custom vtable stored in 
2854         ClassInfo.  We need to convert the methods to static methods in order to be 
2855         able to more easily store and refer to them in our custom vtable since normal 
2856         member methods store some implicit information in their types, making it 
2857         impossible to store them generically in ClassInfo.
2858
2859         * API/JSCallbackObject.h:
2860         (JSC::JSCallbackObject::visitChildrenVirtual):
2861         (JSC::JSCallbackObject::visitChildren):
2862         * JavaScriptCore.exp:
2863         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2864         * debugger/DebuggerActivation.cpp:
2865         (JSC::DebuggerActivation::visitChildrenVirtual):
2866         (JSC::DebuggerActivation::visitChildren):
2867         * debugger/DebuggerActivation.h:
2868         * heap/MarkStack.cpp:
2869         (JSC::SlotVisitor::visitChildren):
2870         (JSC::SlotVisitor::drain):
2871         * runtime/Arguments.cpp:
2872         (JSC::Arguments::visitChildrenVirtual):
2873         (JSC::Arguments::visitChildren):
2874         * runtime/Arguments.h:
2875         * runtime/Executable.cpp:
2876         (JSC::EvalExecutable::visitChildrenVirtual):
2877         (JSC::EvalExecutable::visitChildren):
2878         (JSC::ProgramExecutable::visitChildrenVirtual):
2879         (JSC::ProgramExecutable::visitChildren):
2880         (JSC::FunctionExecutable::visitChildrenVirtual):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildrenVirtual):
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildrenVirtual):
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildrenVirtual):
        (JSC::JSArray::visitChildren):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildrenVirtual):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCell.h:
        (JSC::JSCell::visitChildrenVirtual):
        (JSC::JSCell::visitChildren):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildrenVirtual):
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildrenVirtual):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildrenVirtual):
        (JSC::JSObject::visitChildren):
        * runtime/JSObject.h:
        (JSC::JSObject::visitChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildrenVirtual):
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildrenVirtual):
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildrenVirtual):
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildrenVirtual):
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildrenVirtual):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildrenVirtual):
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildrenVirtual):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildrenVirtual):
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Node propagation doesn't handle PutScopedVar
        https://bugs.webkit.org/show_bug.cgi?id=68713

        Reviewed by Sam Weinig.

        This was causing assertion failures.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Anders Carlsson  <andersca@apple.com>

        Make sure to define OVERRIDE and FINAL for older builds of clang.

        * wtf/Compiler.h:

2011-09-23  Gavin Barraclough  <barraclough@apple.com>

        Implement op_resolve_global in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68704

        Reviewed by Oliver Hunt.

        This is performance neutral, but increases coverage.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveInfoIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Mark Rowe  <mrowe@apple.com>

        Define BUILDING_ON_LION / TARGETING_LION when appropriate in Platform.h.

        * wtf/Platform.h:

2011-09-22  Anders Carlsson  <andersca@apple.com>

        We should add support for OVERRIDE and FINAL annotations
        https://bugs.webkit.org/show_bug.cgi?id=68654

        Reviewed by David Hyatt.

        Add OVERRIDE and FINAL macros for compilers that support them.

        * wtf/Compiler.h:

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        GetScopedVar should have value profiling
        https://bugs.webkit.org/show_bug.cgi?id=68676

        Reviewed by Oliver Hunt.

        Added GetScopedVar value profiling and prediction propagation.
        Added GetScopeChain to CSE.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::getScopeChainLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix, part 3.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        Another PPC build fix.

        * runtime/Executable.cpp:
        * runtime/Executable.h:

2011-09-22  Dean Jackson  <dino@apple.com>

        Add ENABLE_CSS_FILTERS
        https://bugs.webkit.org/show_bug.cgi?id=68652

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Incorrect this value passed to callbacks.
        https://bugs.webkit.org/show_bug.cgi?id=68668

        Reviewed by Oliver Hunt.

        From Array/String prototype function.  Should be undefined, but
        global object is passed instead (this is visible for strict callbacks).

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        (JSC::JSArray::sort):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):

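Added example, not code from the WebKit ChangeLog above: a strict-mode probe that records the `this` value each of the Array/String prototype functions named in the entry hands to its callback when no thisArg is supplied. ES5 requires undefined there, so an engine with the behaviour described (global object passed instead) is reported by function name.

```javascript
// Added example, not code from WebKit. Probes which `this` value the
// Array/String prototype functions named in the entry above hand to a
// callback when no thisArg is supplied. ES5 requires undefined; a strict
// mode callback observes the raw value, so a global object leak is visible.
function probeCallbackThis() {
  'use strict'; // nested function expressions inherit strictness
  const seen = {};
  [2, 1].sort(function () { seen.sort = this; return 0; });
  [1].filter(function () { seen.filter = this; return true; });
  [1].map(function () { seen.map = this; return 1; });
  [1].every(function () { seen.every = this; return true; });
  [1].forEach(function () { seen.forEach = this; });
  [1].some(function () { seen.some = this; return true; });
  'abc'.replace(/b/, function () { seen.replace = this; return 'B'; });
  return seen;
}

// Names of the callbacks that did NOT receive undefined as `this`.
// An engine with the behaviour described above would list all seven here.
function leakingCallbacks() {
  const seen = probeCallbackThis();
  return Object.keys(seen).filter((name) => seen[name] !== undefined);
}

// Control: an explicit thisArg must still be passed through unchanged.
function thisArgIsHonoured() {
  'use strict';
  const ctx = { tag: 'ctx' };
  let got;
  [1].forEach(function () { got = this; }, ctx);
  return got === ctx;
}

// Expected on a conforming engine: leakingCallbacks() returns [].
```
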
2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Function.prototype.bind.length should be 1.

        Rubber stamped by Oliver Hunt.

        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix.

        * bytecode/CodeBlock.h:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 2

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 1

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not support to_primitive or strcat
        https://bugs.webkit.org/show_bug.cgi?id=68582

        Reviewed by Darin Adler.

        This adds functional support for to_primitive and strcat. It focuses
        on minimizing the amount of code emitted on to_primitive (if we know
        that it is a primitive or can speculate cheaply, then we omit the
        slow path) and on keeping the implementation of strcat simple while
        leveraging whatever optimizations we have already. In particular,
        unlike the Call and Construct nodes which require extending the size
        of the DFG's callee registers, StrCat takes advantage of the fact
        that no JS code can run while StrCat is in progress and uses a
        scratch buffer, rather than the register file, to store the list of
        values to concatenate. This was done mainly to keep the code simple,
        but there are probably other benefits to keeping call frame sizes
        down. Essentially, this patch ensures that the presence of an
        op_strcat does not mess up any other optimizations we might do while
        ensuring that if you do execute it, it'll work about as well as you'd
        expect.

        When combined with the previous patch for integer division, this is a
        14% speed-up on Kraken. Without it, it would have been a 2% loss.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::callOperation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::scratchBufferForSize):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should support integer division
        https://bugs.webkit.org/show_bug.cgi?id=68597

        Reviewed by Darin Adler.

        This adds support for ArithDiv speculating integer, and speculating
        that the result is integer (i.e. remainder = 0).

        This is a 4% win on Kraken and a 1% loss on V8.

        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):

2011-09-22  Oliver Hunt  <oliver@apple.com>

        Implement put_scoped_var in the DFG jit
        https://bugs.webkit.org/show_bug.cgi?id=68653

        Reviewed by Gavin Barraclough.

        Naive implementation of put_scoped_var.  Same story as the
        get_scoped_var implementation, although I've hoisted scope
        object acquisition into a separate dfg node.  Ideally in the
        future we would reuse the resolved scope chain object, but
        for now we don't.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::scopeChainDepth):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Implement Function.prototype.bind
        https://bugs.webkit.org/show_bug.cgi?id=26382

        Reviewed by Sam Weinig.

        This patch provides a basic functional implementation
        for Function.bind. It should (hopefully!) be fully
        functionally correct, and the bound functions can be
        called quickly (since they are a subclass of
        JSFunction, not InternalFunction), but we'll probably
        want to follow up with some optimization work to keep
        bound calls in JIT code.

        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * jsc.cpp:
        (GlobalObject::addFunction):
        * runtime/CommonIdentifiers.h:
        * runtime/ConstructData.h:
        * runtime/Executable.h:
        (JSC::NativeExecutable::NativeExecutable):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::hasInstance):
        (JSC::JSBoundFunction::getOwnPropertySlot):
        (JSC::JSBoundFunction::getOwnPropertyDescriptor):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::finishCreation):
        (JSC::createDescriptorForThrowingProperty):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::boundFunctionStructure):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):

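Added example, not code from WebKit: bindLike is a constructed reference model of the observable semantics the "Implement Function.prototype.bind" entry above lists (boundThis, boundArgs, boundFunctionCall, boundFunctionConstruct, hasInstance), and the test also covers the earlier "Function.prototype.bind.length should be 1" entry. All names in it (bindLike, Point, demoBoundCall, demoBoundConstruct) are hypothetical and not JSC identifiers.

```javascript
// Added example, not code from WebKit. bindLike is a constructed reference
// model of the bound-function behaviour the JSBoundFunction entry lists:
// a bound call prepends boundArgs and uses boundThis, a bound construct
// ignores boundThis and constructs the target, instanceof is delegated to
// the target (hasInstance), and length shrinks by the bound argument count.
function bindLike(target, boundThis, ...boundArgs) {
  if (typeof target !== 'function') {
    throw new TypeError('bindLike: target is not callable');
  }
  function bound(...callArgs) {
    const args = boundArgs.concat(callArgs);
    // new.target is set only when invoked as a constructor.
    if (new.target) {
      return Reflect.construct(target, args);
    }
    return Reflect.apply(target, boundThis, args);
  }
  Object.defineProperty(bound, 'length', {
    value: Math.max(0, target.length - boundArgs.length),
    configurable: true,
  });
  // `x instanceof bound` asks the target, not bound.prototype.
  Object.defineProperty(bound, Symbol.hasInstance, {
    value: (candidate) => candidate instanceof target,
  });
  return bound;
}

// Constructed target used by the demonstrations below.
function Point(x, y) {
  this.x = x;
  this.y = y;
}

// Bound call: `this` comes from boundThis, bound args go first.
function demoBoundCall() {
  const receiver = { base: 10 };
  function addToBase(a, b) { return this.base + a + b; }
  const addOne = bindLike(addToBase, receiver, 1);
  return { result: addOne(2), length: addOne.length }; // { result: 13, length: 1 }
}

// Bound construct: boundThis is ignored, the target is what gets constructed.
function demoBoundConstruct() {
  const BoundPoint = bindLike(Point, { ignored: true }, 5);
  const p = new BoundPoint(7);
  return {
    x: p.x,
    y: p.y,
    isPoint: p instanceof Point,
    viaBound: p instanceof BoundPoint,
    leakedBoundThis: 'ignored' in p,
  };
}
```
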
3264 2011-09-22  Oliver Hunt  <oliver@apple.com>
3265
3266         Implement get_scoped_var in the DFG
3267         https://bugs.webkit.org/show_bug.cgi?id=68640
3268
3269         Reviewed by Gavin Barraclough.
3270
3271         Naive implementation of get_scoped_var in the DFG.  Essentially this
3272         is the bare minimum required to get correct behaviour, so there's no
3273         load/store coalescing or type profiling involved, even though these
3274         would be wins.  No impact on SunSpider or V8.
3275
3276         * dfg/DFGByteCodeParser.cpp:
3277         (JSC::DFG::ByteCodeParser::parseBlock):
3278         * dfg/DFGCapabilities.h:
3279         (JSC::DFG::canCompileOpcode):
3280         * dfg/DFGNode.h:
3281         (JSC::DFG::Node::hasVarNumber):
3282         (JSC::DFG::Node::hasScopeChainDepth):
3283         (JSC::DFG::Node::scopeChainDepth):
3284         * dfg/DFGPropagator.cpp:
3285         (JSC::DFG::Propagator::propagateNodePredictions):
3286         * dfg/DFGSpeculativeJIT.cpp:
3287         (JSC::DFG::SpeculativeJIT::compile):
3288
3289 2011-09-22  Adam Roben  <aroben@apple.com>
3290
3291         Remove FindSafari from all our .sln files
3292
3293         It isn't used anymore, so there's no point in building it.
3294
3295         Part of <http://webkit.org/b/68628> Remove FindSafari
3296
3297         Reviewed by Steve Falkenburg.
3298
3299         * JavaScriptCore.vcproj/JavaScriptCore.sln:
3300
3301 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
3302
3303         32-bit call code clobbers the function cell tag
3304         https://bugs.webkit.org/show_bug.cgi?id=68606
3305
3306         Reviewed by Csaba Osztrogonác.
3307         
3308         This is a minimalistic fix: it simply emits code to restore the
3309         cell tag on the slow path, if we know that we failed due to
3310         emitCallIfNotType.
3311
3312         * jit/JITCall32_64.cpp:
3313         (JSC::JIT::compileOpCallVarargsSlowCase):
3314         (JSC::JIT::compileOpCallSlowCase):
3315
3316 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3317
3318         Add missing addPtr->add32 mapping for X86.
3319
3320         Rubber stamped by Sam Weinig.
3321
3322         * assembler/MacroAssembler.h:
3323         (JSC::MacroAssembler::addPtr):
3324
3325 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3326
3327         Add missing addDouble for AbsoluteAddress to X86
3328
3329         Rubber stamped by Geoff Garen.
3330
3331         * assembler/MacroAssemblerX86.h:
3332         (JSC::MacroAssemblerX86::addDouble):
3333         * assembler/X86Assembler.h:
3334         (JSC::X86Assembler::addsd_mr):
3335         (JSC::X86Assembler::cvtsi2sd_rr):
3336         (JSC::X86Assembler::cvtsi2sd_mr):
3337
3338 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3339
3340         Build fix following fix for bug #68586.
3341
3342         * jit/JIT.cpp:
3343         * jit/JITInlineMethods.h:
3344
3345 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
3346
3347         DFG JIT should be able to compile op_throw
3348         https://bugs.webkit.org/show_bug.cgi?id=68571
3349
3350         Reviewed by Geoffrey Garen.
3351         
3352         This compiles op_throw in the simplest way possible: it's an OSR
3353         point back to the old JIT. This is a good step towards increasing
3354         coverage, particularly on Kraken, but it's neutral because the
3355         same functions that do throw also use some other unsupported
3356         opcodes.
3357
3358         * dfg/DFGByteCodeParser.cpp:
3359         (JSC::DFG::ByteCodeParser::parseBlock):
3360         * dfg/DFGCapabilities.h:
3361         (JSC::DFG::canCompileOpcode):
3362         * dfg/DFGNode.h:
3363         * dfg/DFGPropagator.cpp:
3364         (JSC::DFG::Propagator::propagateNodePredictions):
3365         * dfg/DFGSpeculativeJIT.cpp:
3366         (JSC::DFG::SpeculativeJIT::compile):
3367
3368 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
3369
3370         DFG should support continuous optimization
3371         https://bugs.webkit.org/show_bug.cgi?id=68329
3372
3373         Reviewed by Geoffrey Garen.
3374         
3375         This adds the ability to reoptimize a code block if speculation
3376         failures happen frequently. 6% speed-up on Kraken, 1% slow-down
3377         on V8, neutral on SunSpider.
3378
3379         * CMakeLists.txt:
3380         * GNUmakefile.list.am:
3381         * JavaScriptCore.pro:
3382         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3383         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
3384         * JavaScriptCore.xcodeproj/project.pbxproj:
3385         * bytecode/CodeBlock.cpp:
3386         (JSC::CodeBlock::CodeBlock):
3387         (JSC::ProgramCodeBlock::jettison):
3388         (JSC::EvalCodeBlock::jettison):
3389         (JSC::FunctionCodeBlock::jettison):
3390         (JSC::CodeBlock::shouldOptimizeNow):
3391         (JSC::CodeBlock::dumpValueProfiles):
3392         * bytecode/CodeBlock.h:
3393         * dfg/DFGByteCodeParser.cpp:
3394         (JSC::DFG::ByteCodeParser::getStrongPrediction):
3395         * dfg/DFGJITCompiler.cpp:
3396         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
3397         (JSC::DFG::JITCompiler::compileEntry):
3398         (JSC::DFG::JITCompiler::compileBody):
3399         * dfg/DFGJITCompiler.h:
3400         (JSC::DFG::JITCompiler::noticeOSREntry):
3401         * dfg/DFGOSREntry.cpp:
3402         (JSC::DFG::prepareOSREntry):
3403         * dfg/DFGOSREntry.h:
3404         (JSC::DFG::getOSREntryDataBytecodeIndex):
3405         * dfg/DFGSpeculativeJIT.cpp:
3406         (JSC::DFG::SpeculativeJIT::compile):
3407         * heap/ConservativeRoots.cpp:
3408         (JSC::ConservativeRoots::ConservativeRoots):
3409         (JSC::ConservativeRoots::~ConservativeRoots):
3410         (JSC::DummyMarkHook::mark):
3411         (JSC::ConservativeRoots::genericAddPointer):
3412         (JSC::ConservativeRoots::genericAddSpan):
3413         (JSC::ConservativeRoots::add):
3414         * heap/ConservativeRoots.h:
3415         * heap/Heap.cpp:
3416         (JSC::Heap::addJettisonCodeBlock):
3417         (JSC::Heap::markRoots):
3418         * heap/Heap.h:
3419         * heap/JettisonedCodeBlocks.cpp: Added.
3420         (JSC::JettisonedCodeBlocks::JettisonedCodeBlocks):
3421         (JSC::JettisonedCodeBlocks::~JettisonedCodeBlocks):
3422         (JSC::JettisonedCodeBlocks::addCodeBlock):
3423         (JSC::JettisonedCodeBlocks::clearMarks):
3424         (JSC::JettisonedCodeBlocks::deleteUnmarkedCodeBlocks):
3425         (JSC::JettisonedCodeBlocks::traceCodeBlocks):
3426         * heap/JettisonedCodeBlocks.h: Added.
3427         (JSC::JettisonedCodeBlocks::mark):
3428         * interpreter/RegisterFile.cpp:
3429         (JSC::RegisterFile::gatherConservativeRoots):
3430         * interpreter/RegisterFile.h:
3431         * jit/JITStubs.cpp:
3432         (JSC::DEFINE_STUB_FUNCTION):
3433         * runtime/Executable.cpp:
3434         (JSC::jettisonCodeBlock):
3435         (JSC::EvalExecutable::jettisonOptimizedCode):
3436         (JSC::ProgramExecutable::jettisonOptimizedCode):
3437         (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
3438         (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
3439         * runtime/Executable.h:
3440         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
3441         * wtf/BitVector.h: Added.
3442         (WTF::BitVector::BitVector):
3443         (WTF::BitVector::~BitVector):
3444         (WTF::BitVector::operator=):
3445         (WTF::BitVector::size):
3446         (WTF::BitVector::ensureSize):
3447         (WTF::BitVector::resize):
3448         (WTF::BitVector::clearAll):
3449         (WTF::BitVector::get):
3450         (WTF::BitVector::set):
3451         (WTF::BitVector::clear):
3452         (WTF::BitVector::bitsInPointer):
3453         (WTF::BitVector::maxInlineBits):
3454         (WTF::BitVector::byteCount):
3455         (WTF::BitVector::makeInlineBits):
3456         (WTF::BitVector::OutOfLineBits::numBits):
3457         (WTF::BitVector::OutOfLineBits::numWords):
3458         (WTF::BitVector::OutOfLineBits::bits):
3459         (WTF::BitVector::OutOfLineBits::create):
3460         (WTF::BitVector::OutOfLineBits::destroy):
3461         (WTF::BitVector::OutOfLineBits::OutOfLineBits):
3462         (WTF::BitVector::isInline):
3463         (WTF::BitVector::outOfLineBits):
3464         (WTF::BitVector::resizeOutOfLine):
3465         (WTF::BitVector::bits):
3466
3467 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3468
3469         Add X86 GPRInfo for DFG JIT.
3470         https://bugs.webkit.org/show_bug.cgi?id=68586
3471
3472         Reviewed by Geoff Garen.
3473
3474         * dfg/DFGGPRInfo.h:
3475         (JSC::DFG::GPRInfo::toRegister):
3476         (JSC::DFG::GPRInfo::toIndex):
3477         (JSC::DFG::GPRInfo::debugName):
3478
3479 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3480
3481         Should support value profiling on CPU(X86)
3482         https://bugs.webkit.org/show_bug.cgi?id=68575
3483
3484         Reviewed by Sam Weinig.
3485
3486         Fix verbose profiling in ToT (SlowCaseProfile had been
3487         partially renamed to RareCaseProfile), add in-memory
3488         bucket counter for CPU(X86), move JIT::m_canBeOptimized
3489         out of the DFG_JIT ifdef.
3490
3491         * bytecode/CodeBlock.cpp:
3492         (JSC::CodeBlock::resetRareCaseProfiles):
3493         (JSC::CodeBlock::dumpValueProfiles):
3494         * bytecode/CodeBlock.h:
3495         * dfg/DFGByteCodeParser.cpp:
3496         (JSC::DFG::ByteCodeParser::makeSafe):
3497         * jit/JIT.cpp:
3498         (JSC::JIT::privateCompileSlowCases):
3499         (JSC::JIT::privateCompile):
3500         * jit/JIT.h:
3501         * jit/JITInlineMethods.h:
3502         (JSC::JIT::emitValueProfilingSite):
3503
3504 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
3505
3506         DFG does not support compiling functions as constructors
3507         https://bugs.webkit.org/show_bug.cgi?id=68500
3508
3509         Reviewed by Oliver Hunt.
3510         
3511         This adds support for compiling constructors to the DFG. It's a
3512         1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
3513         It's also a 13% win on access-binary-trees, but it's neutral in
3514         the SunSpider and Kraken averages.
3515
3516         * dfg/DFGByteCodeParser.cpp:
3517         (JSC::DFG::ByteCodeParser::parseBlock):
3518         * dfg/DFGCapabilities.h:
3519         (JSC::DFG::mightCompileFunctionForConstruct):
3520         (JSC::DFG::canCompileOpcode):
3521         * dfg/DFGNode.h:
3522         * dfg/DFGOperations.cpp:
3523         * dfg/DFGOperations.h:
3524         * dfg/DFGPropagator.cpp:
3525         (JSC::DFG::Propagator::propagateNodePredictions):
3526         (JSC::DFG::Propagator::performNodeCSE):
3527         * dfg/DFGSpeculativeJIT.cpp:
3528         (JSC::DFG::SpeculativeJIT::compile):
3529         * runtime/Executable.cpp:
3530         (JSC::FunctionExecutable::compileOptimizedForConstruct):
3531         (JSC::FunctionExecutable::compileForConstructInternal):
3532         * runtime/Executable.h:
3533         (JSC::FunctionExecutable::compileForConstruct):
3534         (JSC::FunctionExecutable::compileFor):
3535         (JSC::FunctionExecutable::compileOptimizedFor):
3536
3537 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
3538
3539         Replace jsFunctionVPtr compares with a type check on the Structure.
3540         https://bugs.webkit.org/show_bug.cgi?id=68557
3541
3542         Reviewed by Oliver Hunt.
3543
3544         This will permit calls to still optimize to subclasses of JSFunction
3545         that have the correct type (but a different C++ vptr).
3546
3547         This patch stops passing the globalData into numerous functions.
3548
3549         * dfg/DFGByteCodeParser.cpp:
3550         (JSC::DFG::ByteCodeParser::parseBlock):
3551         * dfg/DFGGraph.h:
3552         (JSC::DFG::Graph::isFunctionConstant):
3553         (JSC::DFG::Graph::valueOfFunctionConstant):
3554         * dfg/DFGJITCompiler.h:
3555         (JSC::DFG::JITCompiler::isFunctionConstant):
3556         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
3557         * dfg/DFGOperations.cpp:
3558         * interpreter/Interpreter.cpp:
3559         (JSC::Interpreter::privateExecute):
3560         * jit/JIT.h:
3561         * jit/JITCall.cpp:
3562         (JSC::JIT::compileOpCallVarargs):
3563         (JSC::JIT::compileOpCallSlowCase):
3564         * jit/JITCall32_64.cpp:
3565         (JSC::JIT::compileOpCallVarargs):
3566         (JSC::JIT::compileOpCallSlowCase):
3567         * jit/JITInlineMethods.h:
3568         (JSC::JIT::emitJumpIfNotType):
3569         * jit/JITStubs.cpp:
3570         (JSC::DEFINE_STUB_FUNCTION):
3571         * runtime/Executable.h:
3572         (JSC::isHostFunction):
3573         * runtime/JSFunction.h:
3574         (JSC::JSFunction::createStructure):
3575         * runtime/JSObject.cpp:
3576         (JSC::JSObject::put):
3577         (JSC::JSObject::putWithAttributes):
3578         * runtime/JSObject.h:
3579         (JSC::getJSFunction):
3580         (JSC::JSObject::putDirect):
3581         (JSC::JSObject::putDirectWithoutTransition):
3582         * runtime/JSType.h:
3583
3584 2011-09-21  Geoffrey Garen  <ggaren@apple.com>
3585
3586         Removed WTFTHREADDATA_MULTITHREADED, making it always true
3587         https://bugs.webkit.org/show_bug.cgi?id=68549
3588
3589         Reviewed by Darin Adler.
3590         
3591         Another part of making threads exist in WebKit.
3592
3593         * wtf/WTFThreadData.cpp:
3594         * wtf/WTFThreadData.h:
3595         (WTF::wtfThreadData):
3596
3597 2011-09-21  Dan Bernstein  <mitz@apple.com>
3598
3599         JavaScriptCore Part of: Prevent the WebKit frameworks from defining inappropriately-named Objective-C classes
3600         https://bugs.webkit.org/show_bug.cgi?id=68451
3601
3602         Reviewed by Darin Adler.
3603
3604         * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase that invokes
3605         check-for-inappropriate-objc-class-names, allowing only class names prefixed with "JS".
3606
3607 2011-09-20  Gavin Barraclough  <barraclough@apple.com>
3608
3609         MacroAssembler fixes.
3610         https://bugs.webkit.org/show_bug.cgi?id=68494
3611
3612         Reviewed by Sam Weinig.
3613
3614         Add X86-64's 3 operand or32 to other MacroAssembler, fix load32's [const] void* mismatch
3615
3616         * assembler/MacroAssembler.h:
3617         (JSC::MacroAssembler::orPtr):
3618         (JSC::MacroAssembler::loadPtr):
3619         * assembler/MacroAssemblerARM.h:
3620         (JSC::MacroAssemblerARM::or32):
3621         * assembler/MacroAssemblerARMv7.h:
3622         (JSC::MacroAssemblerARMv7::or32):
3623         * assembler/MacroAssemblerMIPS.h:
3624         (JSC::MacroAssemblerMIPS::or32):
3625         * assembler/MacroAssemblerSH4.h:
3626         (JSC::MacroAssemblerSH4::or32):
3627         (JSC::MacroAssemblerSH4::load32):
3628         * assembler/MacroAssemblerX86.h:
3629         (JSC::MacroAssemblerX86::load32):
3630         * assembler/MacroAssemblerX86_64.h:
3631         (JSC::MacroAssemblerX86_64::load32):
3632
3633 2011-09-20  Geoffrey Garen  <ggaren@apple.com>
3634
3635         Some Heap cleanup.
3636
3637         Reviewed by Beth Dakin.
3638
3639         * heap/MarkedBlock.cpp:
3640         (JSC::MarkedBlock::blessNewBlock): Removed blessNewBlockForSlowPath()
3641         because it was unused; renamed blessNewBlockForFastPath() to blessNewBlock()
3642         since there is only one now.
3643
3644         * heap/MarkedBlock.h: Removed ownerSet-related stuff since it was unused.
3645         Updated mark bit overhead calculation. Deployed atomsPerBlock in one
3646         place where we were recalculating it.
3647
3648         * heap/MarkedSpace.cpp:
3649         (JSC::MarkedSpace::addBlock): Updated for rename.
3650
3651 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
3652
3653         DFG JIT always speculates integer on modulo
3654         https://bugs.webkit.org/show_bug.cgi?id=68485
3655
3656         Reviewed by Oliver Hunt.
3657         
3658         Added support for double modulo, which is a call to fmod().
3659         Also added support for recording the old JIT's statistics
3660         on op_mod and propagating them along the graph. Finally,
3661         fixed a goof in the ArithNodeFlags propagation logic that
3662         was made obvious when I started testing ArithMod.
3663
3664         * dfg/DFGByteCodeParser.cpp:
3665         (JSC::DFG::ByteCodeParser::makeSafe):
3666         (JSC::DFG::ByteCodeParser::parseBlock):
3667         * dfg/DFGNode.h:
3668         (JSC::DFG::Node::hasArithNodeFlags):
3669         * dfg/DFGPropagator.cpp:
3670         (JSC::DFG::Propagator::propagateArithNodeFlags):
3671         (JSC::DFG::Propagator::propagateNodePredictions):
3672         (JSC::DFG::Propagator::fixupNode):
3673         * dfg/DFGSpeculativeJIT.cpp:
3674         (JSC::DFG::SpeculativeJIT::compile):
3675
3676 2011-09-20  ChangSeok Oh  <shivamidow@gmail.com>
3677
3678         [GTK] requestAnimationFrame support for gtk port
3679         https://bugs.webkit.org/show_bug.cgi?id=66280
3680
3681         Reviewed by Martin Robinson.
3682
3683         Let GTK port use REQUEST_ANIMATION_FRAME_TIMER.
3684
3685         * wtf/Platform.h:
3686
3687 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
3688
3689         DFG JIT performs too many negative zero checks, and too many
3690         overflow checks
3691         https://bugs.webkit.org/show_bug.cgi?id=68430
3692
3693         Reviewed by Oliver Hunt.
3694         
3695         This adds comprehensive support for deciding how to perform an
3696         arithmetic operations based on a combination of overflow profiling,
3697         negative zero profiling, value profiling, and a static analysis of
3698         how the results of these operations get used.
3699         
3700         This is a 72% speed-up on stanford-crypto-sha256-iterative, and a
3701         2.5% speed-up on the Kraken average, a 1.4% speed-up on the V8
3702         geomean, and neutral on SunSpider. It's also an 8.5% speed-up on
3703         V8-crypto, because apparently everything we do speeds up crypto.
3704
3705         * dfg/DFGByteCodeParser.cpp:
3706         (JSC::DFG::ByteCodeParser::toInt32):
3707         (JSC::DFG::ByteCodeParser::toNumber):
3708         (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
3709         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
3710         (JSC::DFG::ByteCodeParser::weaklyPredictInt32):
3711         (JSC::DFG::ByteCodeParser::makeSafe):
3712         (JSC::DFG::ByteCodeParser::handleMinMax):
3713         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3714         (JSC::DFG::ByteCodeParser::parseBlock):
3715         (JSC::DFG::ByteCodeParser::processPhiStack):
3716         (JSC::DFG::ByteCodeParser::parse):
3717         * dfg/DFGGraph.cpp:
3718         (JSC::DFG::Graph::dump):
3719         * dfg/DFGJITCodeGenerator.cpp:
3720         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
3721         * dfg/DFGNode.h:
3722         (JSC::DFG::nodeUsedAsNumber):
3723         (JSC::DFG::nodeCanTruncateInteger):
3724         (JSC::DFG::nodeCanIgnoreNegativeZero):
3725         (JSC::DFG::nodeCanSpeculateInteger):
3726         (JSC::DFG::arithNodeFlagsAsString):
3727         (JSC::DFG::Node::Node):
3728         (JSC::DFG::Node::hasArithNodeFlags):
3729         (JSC::DFG::Node::rawArithNodeFlags):
3730         (JSC::DFG::Node::arithNodeFlags):
3731         (JSC::DFG::Node::arithNodeFlagsForCompare):
3732         (JSC::DFG::Node::setArithNodeFlag):
3733         (JSC::DFG::Node::mergeArithNodeFlags):
3734         * dfg/DFGPropagator.cpp:
3735         (JSC::DFG::Propagator::fixpoint):
3736         (JSC::DFG::Propagator::isNotNegZero):
3737         (JSC::DFG::Propagator::isNotZero):
3738         (JSC::DFG::Propagator::propagateArithNodeFlags):
3739         (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
3740         (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
3741         (JSC::DFG::Propagator::propagateNodePredictions):
3742         (JSC::DFG::Propagator::propagatePredictionsForward):
3743         (JSC::DFG::Propagator::propagatePredictionsBackward):
3744         (JSC::DFG::Propagator::toDouble):
3745         (JSC::DFG::Propagator::fixupNode):
3746         (JSC::DFG::Propagator::fixup):
3747         (JSC::DFG::Propagator::startIndexForChildren):
3748         (JSC::DFG::Propagator::endIndexForPureCSE):
3749         (JSC::DFG::Propagator::pureCSE):
3750         (JSC::DFG::Propagator::clobbersWorld):
3751         (JSC::DFG::Propagator::setReplacement):
3752         (JSC::DFG::Propagator::performNodeCSE):
3753         (JSC::DFG::Propagator::localCSE):
3754         * dfg/DFGSpeculativeJIT.cpp:
3755         (JSC::DFG::SpeculativeJIT::compile):
3756         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
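
        As an added illustration of the trade-off the entry above describes (example code, not WebKit's), the JavaScript below models the two guards a speculative int32 multiply has to carry, overflow and negative zero, and shows use contexts in which each guard cannot change the observable result. `int32Mul` is a hypothetical helper; the three `*Use` functions are constructed use contexts.

```javascript
// Added example, not WebKit code. Models why the DFG can drop an overflow
// or negative-zero check depending on how an arithmetic result is used.

// Hypothetical helper: multiply like a speculative int32 fast path would and
// report the two ways the int32 result could differ from the exact double.
function int32Mul(a, b) {
  const exact = a * b;                 // IEEE double product, exact for |a*b| < 2^53
  const wrapped = Math.imul(a, b);     // low 32 bits, sign-extended to int32
  return {
    value: wrapped,
    overflowed: exact !== wrapped,      // exact result left the int32 range
    negativeZero: Object.is(exact, -0), // int32 has no -0, so the sign would be lost
  };
}

// Result only flows into ToInt32 (`| 0`): wrapping and mapping -0 to +0 are
// exactly what the spec demands, so neither guard can change the outcome.
function truncatedUse(a, b) {
  return (a * b) | 0;
}

// Result flows into a division: 1 / -0 is -Infinity, so dropping the
// negative-zero guard here would be a miscompile.
function divisionUse(a, b) {
  return 1 / (a * b);
}

// Result flows into a comparison: -0 < x behaves like 0 < x, so negative zero
// is unobservable, but a wrapped (overflowed) product would compare wrongly.
function comparisonUse(a, b, limit) {
  return a * b < limit;
}
```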
3757
3758 2011-09-19  Oliver Hunt  <oliver@apple.com>
3759
3760         Refactor Heap allocation logic into separate AllocationSpace class
3761         https://bugs.webkit.org/show_bug.cgi?id=68409
3762
3763         Reviewed by Gavin Barraclough.
3764
3765         This patch hoists direct manipulation of the MarkedSpace and related
3766         data out of Heap and into a separate class.  This will allow us to
3767         have multiple allocation spaces in future, so easing the way towards
3768         having GC'd backing stores for objects.
3769
3770         * CMakeLists.txt:
3771         * GNUmakefile.list.am:
3772         * JavaScriptCore.exp:
3773         * JavaScriptCore.gypi:
3774         * JavaScriptCore.pro:
3775         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3776         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3777         * JavaScriptCore.xcodeproj/project.pbxproj:
3778         * debugger/Debugger.cpp:
3779         (JSC::Debugger::recompileAllJSFunctions):
3780         * heap/AllocationSpace.cpp: Added.
3781         (JSC::AllocationSpace::tryAllocate):
3782         (JSC::AllocationSpace::allocateSlowCase):
3783         (JSC::AllocationSpace::allocateBlock):
3784         (JSC::AllocationSpace::freeBlocks):
3785         (JSC::TakeIfEmpty::TakeIfEmpty):
3786         (JSC::TakeIfEmpty::operator()):
3787         (JSC::TakeIfEmpty::returnValue):
3788         (JSC::AllocationSpace::shrink):
3789         * heap/AllocationSpace.h: Added.
3790         (JSC::AllocationSpace::AllocationSpace):
3791         (JSC::AllocationSpace::blocks):
3792         (JSC::AllocationSpace::sizeClassFor):
3793         (JSC::AllocationSpace::setHighWaterMark):
3794         (JSC::AllocationSpace::highWaterMark):
3795         (JSC::AllocationSpace::canonicalizeBlocks):
3796         (JSC::AllocationSpace::resetAllocator):
3797         (JSC::AllocationSpace::forEachCell):
3798         (JSC::AllocationSpace::forEachBlock):
3799         (JSC::AllocationSpace::allocate):
3800         * heap/Heap.cpp:
3801         (JSC::Heap::Heap):
3802         (JSC::Heap::reportExtraMemoryCostSlowCase):
3803         (JSC::Heap::getConservativeRegisterRoots):
3804         (JSC::Heap::markRoots):
3805         (JSC::Heap::clearMarks):
3806         (JSC::Heap::sweep):
3807         (JSC::Heap::objectCount):
3808         (JSC::Heap::size):
3809         (JSC::Heap::capacity):
3810         (JSC::Heap::globalObjectCount):
3811         (JSC::Heap::objectTypeCounts):
3812         (JSC::Heap::collect):
3813         (JSC::Heap::canonicalizeBlocks):
3814         (JSC::Heap::resetAllocator):
3815         (JSC::Heap::freeBlocks):
3816         (JSC::Heap::shrink):
3817         * heap/Heap.h:
3818         (JSC::Heap::objectSpace):
3819         (JSC::Heap::sizeClassForObject):
3820         (JSC::Heap::allocate):
3821         * jit/JITInlineMethods.h:
3822         (JSC::JIT::emitAllocateBasicJSObject):
3823         * runtime/JSGlobalData.cpp:
3824         (JSC::JSGlobalData::recompileAllJSFunctions):
3825         (JSC::JSGlobalData::releaseExecutableMemory):
3826
3827 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
3828
3829         Removed BREWMP* platform #ifdefs
3830         https://bugs.webkit.org/show_bug.cgi?id=68425
3831         
3832         BREWMP* has no maintainer, and this is dead code.
3833
3834         Reviewed by Darin Adler.
3835
3836         * heap/MarkStack.h:
3837         (JSC::::shrinkAllocation):
3838         * jit/ExecutableAllocator.h:
3839         (JSC::ExecutableAllocator::cacheFlush):
3840         * runtime/TimeoutChecker.cpp:
3841         (JSC::getCPUTime):
3842         * wtf/Assertions.cpp:
3843         * wtf/Assertions.h:
3844         * wtf/CurrentTime.cpp:
3845         * wtf/DateMath.cpp:
3846         (WTF::calculateUTCOffset):
3847         * wtf/FastMalloc.cpp:
3848         (WTF::fastMalloc):
3849         (WTF::fastCalloc):
3850         (WTF::fastMallocSize):
3851         * wtf/FastMalloc.h:
3852         * wtf/MainThread.cpp:
3853         * wtf/MathExtras.h:
3854         * wtf/OwnPtrCommon.h:
3855         * wtf/Platform.h:
3856         * wtf/RandomNumber.cpp:
3857         (WTF::randomNumber):
3858         * wtf/RandomNumberSeed.h:
3859         (WTF::initializeRandomNumberGenerator):
3860         * wtf/text/WTFString.h:
3861         * wtf/unicode/Unicode.h:
3862
3863 2011-09-20  Adam Roben  <aroben@apple.com>
3864
3865         Windows build fix after r95523
3866
3867         * wtf/CheckedArithmetic.h: Added stdint.h so we can have int64_t defined.
3868
3869 2011-09-18  Filip Pizlo  <fpizlo@apple.com>
3870
3871         DFG JIT does not speculate aggressively enough on GetById
3872         https://bugs.webkit.org/show_bug.cgi?id=68320
3873
3874         Reviewed by Oliver Hunt.
3875         
3876         This adds the ability to access properties directly, by offset.
3877         This optimization kicks in when at the time of DFG compilation,
3878         it appears that the given get_by_id is self-cached by the old JIT.
3879         Two new opcodes get introduced: CheckStructure and GetByOffset.
3880         CheckStructure performs a speculation check on the object's
3881         structure, and returns the storage pointer. GetByOffset performs
3882         a direct read of the field from the storage pointer. Both
3883         CheckStructure and GetByOffset can be CSE'd, so that we can
3884         eliminate redundant structure checks, and redundant reads of the
3885         same field.
3886         
3887         This is a 4% speed-up on V8, a 2% slow-down on Kraken, and
3888         neutral on SunSpider.
3889
3890         * bytecode/PredictedType.cpp:
3891         (JSC::predictionFromClassInfo):
3892         (JSC::predictionFromStructure):
3893         (JSC::predictionFromCell):
3894         * bytecode/PredictedType.h:
3895         * dfg/DFGByteCodeParser.cpp:
3896         (JSC::DFG::ByteCodeParser::parseBlock):
3897         * dfg/DFGGenerationInfo.h:
3898         (JSC::DFG::dataFormatToString):
3899         (JSC::DFG::needDataFormatConversion):
3900         (JSC::DFG::GenerationInfo::initStorage):
3901         (JSC::DFG::GenerationInfo::spill):
3902         (JSC::DFG::GenerationInfo::fillStorage):
3903         * dfg/DFGGraph.h:
3904         (JSC::DFG::Graph::predict):
3905         (JSC::DFG::Graph::getPrediction):
3906         * dfg/DFGJITCodeGenerator.cpp:
3907         (JSC::DFG::JITCodeGenerator::fillInteger):
3908         (JSC::DFG::JITCodeGenerator::fillDouble):
3909         (JSC::DFG::JITCodeGenerator::fillJSValue):
3910         (JSC::DFG::JITCodeGenerator::fillStorage):
3911         (JSC::DFG::GPRTemporary::GPRTemporary):
3912         * dfg/DFGJITCodeGenerator.h:
3913         (JSC::DFG::JITCodeGenerator::silentSpillGPR):
3914         (JSC::DFG::JITCodeGenerator::silentFillGPR):
3915         (JSC::DFG::JITCodeGenerator::spill):
3916         (JSC::DFG::JITCodeGenerator::storageResult):
3917         (JSC::DFG::StorageOperand::StorageOperand):
3918         (JSC::DFG::StorageOperand::~StorageOperand):
3919         (JSC::DFG::StorageOperand::index):
3920         (JSC::DFG::StorageOperand::gpr):
3921         (JSC::DFG::StorageOperand::use):
3922         * dfg/DFGNode.h:
3923         (JSC::DFG::OpInfo::OpInfo):
3924         (JSC::DFG::Node::Node):
3925         (JSC::DFG::Node::hasPrediction):
3926         (JSC::DFG::Node::hasStructure):
3927         (JSC::DFG::Node::structure):
3928         (JSC::DFG::Node::hasStorageAccessData):
3929         (JSC::DFG::Node::storageAccessDataIndex):
3930         * dfg/DFGPropagator.cpp:
3931         (JSC::DFG::Propagator::propagateNode):
3932         (JSC::DFG::Propagator::globalVarLoadElimination):
3933         (JSC::DFG::Propagator::getMethodLoadElimination):
3934         (JSC::DFG::Propagator::checkStructureLoadElimination):
3935         (JSC::DFG::Propagator::getByOffsetLoadElimination):
3936         (JSC::DFG::Propagator::performNodeCSE):
3937         * dfg/DFGSpeculativeJIT.cpp:
3938         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3939         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3940         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3941         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3942         (JSC::DFG::SpeculativeJIT::compile):
3943         * wtf/StdLibExtras.h:
3944         (WTF::safeCast):
3945
3946 2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3947
3948         Remove toPrimitive from JSCell
3949         https://bugs.webkit.org/show_bug.cgi?id=67875
3950
3951         Reviewed by Darin Adler.
3952
3953         Part of the refactoring process to un-virtualize JSCell.  We move 
3954         all of the implicit functionality provided by the virtual toPrimitive method 
3955         in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while 
3956         also de-virtualizing JSCell::toPrimitive.
3957
3958         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3959         * runtime/JSCell.cpp:
3960         (JSC::JSCell::toPrimitive):
3961         * runtime/JSCell.h:
3962
3963         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
3964         JSObject.  This pushes the virtual method further down, enabling us to get rid 
3965         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
3966         again, but we'll cross that bridge when we come to it.
3967         * runtime/JSNotAnObject.cpp:
3968         (JSC::JSNotAnObject::defaultValue):
3969         * runtime/JSNotAnObject.h:
3970         * runtime/JSObject.h:
3971         * runtime/JSString.h:
3972
3973 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
3974
3975         Removed ENABLE_LAZY_BLOCK_FREEING and related #ifdefs
3976         https://bugs.webkit.org/show_bug.cgi?id=68424
3977
3978         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
3979         
3980         This may break WinCE and other ports that have not built and tested with
3981         this configuration. I've filed bugs for port maintainers. It's time for
3982         WebKit to move forward.
3983
3984         Reviewed by Mark Rowe.
3985
3986         * heap/Heap.cpp:
3987         (JSC::Heap::Heap):
3988         (JSC::Heap::~Heap):
3989         (JSC::Heap::destroy):
3990         (JSC::Heap::blockFreeingThreadMain):
3991         (JSC::Heap::allocateBlock):
3992         (JSC::Heap::freeBlocks):
3993         (JSC::Heap::releaseFreeBlocks):
3994         * heap/Heap.h:
3995         * wtf/Platform.h:
3996
3997 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
3998
3999         Removed ENABLE_WTF_MULTIPLE_THREADS and related #ifdefs
4000         https://bugs.webkit.org/show_bug.cgi?id=68423
4001
4002         As discussed on webkit-dev. All ports build with threads enabled in WTF now.
4003         
4004         This may break WinCE and other ports that have not built and tested with
4005         this configuration. I've filed bugs for port maintainers. It's time for
4006         WebKit to move forward.
4007
4008         Reviewed by Mark Rowe.
4009
4010         * wtf/CryptographicallyRandomNumber.cpp:
4011         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
4012         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
4013         * wtf/FastMalloc.cpp:
4014         * wtf/Platform.h:
4015         * wtf/RandomNumber.cpp:
4016         (WTF::randomNumber):
4017         * wtf/RefCountedLeakCounter.cpp:
4018         (WTF::RefCountedLeakCounter::increment):
4019         (WTF::RefCountedLeakCounter::decrement):
4020         * wtf/ThreadingPthreads.cpp:
4021         (WTF::initializeThreading):
4022         * wtf/ThreadingWin.cpp:
4023         (WTF::initializeThreading):
4024         * wtf/dtoa.cpp:
4025         (WTF::pow5mult):
4026         * wtf/gtk/ThreadingGtk.cpp:
4027         (WTF::initializeThreading):
4028         * wtf/qt/ThreadingQt.cpp:
4029         (WTF::initializeThreading):
4030
4031 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
4032
4033         Removed ENABLE_JSC_MULTIPLE_THREADS and related #ifdefs.
4034         https://bugs.webkit.org/show_bug.cgi?id=68422
4035         
4036         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
4037         
4038         This may break WinCE and other ports that have not built and tested with
4039         this configuration. I've filed bugs for port maintainers. It's time for