dfad24e8b731358fde9e1622b8b17f8b45103d7c
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-29  Mark Lam  <mark.lam@apple.com>

        Change StackIterator to not require writes to the JS stack.
        https://bugs.webkit.org/show_bug.cgi?id=119657.

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        - Removed references to StackIteratorPrivate.h.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::find):
        (JSC::StackIterator::readFrame):
        (JSC::StackIterator::readNonInlinedFrame):
        - Reads in the current CallFrame's data for non-inlined frames.
        (JSC::inlinedFrameOffset):
        - Convenience function to compute the inlined frame offset based on the
          CodeOrigin. If the offset is 0, then we're looking at the physical frame.
          Otherwise, it's an inlined frame.
        (JSC::StackIterator::readInlinedFrame):
        - Determines the inlined frame's caller frame. Will read in the caller
          frame if it is also an inlined frame, i.e. we haven't reached the
          outermost frame yet. Otherwise, will call readNonInlinedFrame() to
          read in the outermost frame.
          This is based on the old StackIterator::Frame::logicalFrame().
        (JSC::StackIterator::updateFrame):
        - Reads the data of the caller frame of the current one. This function
          is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
          but is now simplified because it delegates to readInlinedFrame()
          to get the caller for inlined frames.
        (JSC::StackIterator::Frame::arguments):
        - Fixed to use the inlined frame versions of Arguments::create() and
          Arguments::tearOff() when the frame is an inlined frame.
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (debugPrintStack):
        - Because sometimes we want to see the whole stack while debugging.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::argumentCount):
        (JSC::StackIterator::Frame::callerFrame):
        (JSC::StackIterator::Frame::callee):
        (JSC::StackIterator::Frame::scope):
        (JSC::StackIterator::Frame::codeBlock):
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::inlinedFrameInfo):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::isInlinedFrame):
        (JSC::StackIterator::Frame::callFrame):
        (JSC::StackIterator::Frame::Frame):
        (JSC::StackIterator::Frame::~Frame):
        - StackIterator::Frame now caches commonly accessed values from
          the CallFrame. It still delegates argument queries to the CallFrame.
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::operator==):
        * interpreter/StackIteratorPrivate.h: Removed.

2013-08-29  Chris Curtis  <chris_curtis@apple.com>

        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
        https://bugs.webkit.org/show_bug.cgi?id=120472

        Reviewed by Filip Pizlo.

        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller,
        throwException can be called when topCallFrame is set.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h:

        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
        to throw errors. It unwinds the stack in order to report them.

        * dfg/DFGOperations.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        (JSC::jitThrowNew):
        (JSC::jitThrow):
        * jit/JITExceptions.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):

2013-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154804.
        http://trac.webkit.org/changeset/154804
        https://bugs.webkit.org/show_bug.cgi?id=120477

        Broke Windows build (assumes LLInt features not enabled on
        this build) (Requested by bfulgham on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType):
        (JSC::CodeBlock::jitCompile):
        * bytecode/DeferredCompilationCallback.cpp: Removed.
        * bytecode/DeferredCompilationCallback.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Added.
        (JSC::jitCompileIfAppropriateImpl):
        (JSC::jitCompileFunctionIfAppropriateImpl):
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
        * jit/JITToDFGDeferredCompilationCallback.h: Removed.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::jitCompile):
        (JSC::EvalExecutable::compileInternal):
        (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
        (JSC::FunctionExecutable::compileForConstructInternal):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ExecutableBase::catchRoutineFor):
        (JSC::EvalExecutable::compile):
        (JSC::ProgramExecutable::compile):
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h: Added.
        (JSC::prepareForExecutionImpl):
        (JSC::prepareFunctionForExecutionImpl):
        (JSC::installOptimizedCode):
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        (JSC::replaceWithDeferredOptimizedCode):

2013-08-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.

        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).

        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.

        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.

        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.

        This patch solves these problems by reducing all of that complexity into just
        three primitives:

        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.

        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.

        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.

        This functionality is then wrapped around three convenience methods:

        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).

        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.

        - CodeBlock::install(). Asks the Executable to install this code block.

        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.

        It also allows me to work on FTL OSR entry and tier-up:

        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.

        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

2013-08-28  Chris Curtis  <chris_curtis@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119548
        Refactoring Exception throws.

        Reviewed by Geoffrey Garen.

        Gardening of exception throws. The act of throwing an exception was being handled in
        different ways depending on whether the code was running in the LLInt, Baseline JIT,
        or the DFG JIT. This made development in the VM exception and error objects difficult.

        * runtime/VM.cpp:
        (JSC::appendSourceToError):
        This function moved from the interpreter into the VM. It views the developer's code
        (if there is a codeBlock) to extract what was trying to be evaluated when the error
        occurred.

        (JSC::VM::throwException):
        This function takes in the error object and sets the following:
            1: The VM's exception stack
            2: The VM's exception
            3: Appends extra information on the error message (via appendSourceToError)
            4: The error object's line number
            5: The error object's column number
            6: The error object's sourceURL
            7: The error object's stack trace (unless it already exists because the developer
                created the error object).

        (JSC::VM::getExceptionInfo):
        (JSC::VM::setExceptionInfo):
        (JSC::VM::clearException):
        (JSC::clearExceptionStack):
        * runtime/VM.h:
        (JSC::VM::exceptionOffset):
        (JSC::VM::exception):
        (JSC::VM::addressOfException):
        (JSC::VM::exceptionStack):
        VM exception and exceptionStack are now private data members.

        * interpreter/Interpreter.h:
        (JSC::ClearExceptionScope::ClearExceptionScope):
        Created this structure to temporarily clear the exception within the VM. This is
        needed to see if additional errors occur when setting the debugger as we are
        unwinding the stack.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        Removed the code that would try to add error information if it did not exist.
        All of this functionality has moved into the VM and all error information is set
        at the time the error occurs.

        The rest of these functions reference the new calling convention to throw an error.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::defaultValue):
        (JSC::::put):
        (JSC::::putByIndex):
        (JSC::::deleteProperty):
        (JSC::::construct):
        (JSC::::customHasInstance):
        (JSC::::call):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * debugger/Debugger.cpp:
        (JSC::evaluateInGlobalCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * interpreter/CallFrame.h:
        (JSC::ExecState::clearException):
        (JSC::ExecState::exception):
        (JSC::ExecState::hadException):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::loadVarargs):
        (JSC::stackTraceAsString):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        (JSC::ClearExceptionScope::ClearExceptionScope):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_catch):
        * jit/JITStubs.cpp:
        (JSC::returnToThrowTrampoline):
        (JSC::throwExceptionFromOpCall):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        (JSC::putByVal):
        (JSC::cti_vm_handle_exception):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * jsc.cpp:
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::throwTypeError):
        (JSC::throwSyntaxError):
        * runtime/Error.h:
        (JSC::throwVMError):
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwOutOfMemoryError):
        (JSC::throwStackOverflowError):
        (JSC::throwTerminatedExecutionException):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::push):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::validateRange):
        (JSC::::setWithSpecificType):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncProtoSetter):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::put):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::defaultValue):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::defaultHasInstance):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::throwTypeError):
        * runtime/ObjectConstructor.cpp:
        (JSC::toPropertyDescriptor):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringRecursionChecker.cpp:
        (JSC::StringRecursionChecker::throwStackOverflowError):

2013-08-28  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Add support for building JSC with FTL JIT enabled
        https://bugs.webkit.org/show_bug.cgi?id=120270

        Reviewed by Filip Pizlo.

        * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
        compiler flags for the JSC library.
        * GNUmakefile.list.am: Add the missing build targets.
        * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
        failures when using the Clang compiler with the libstdc++ standard library.
        (JSC::FTL::mdKindID):
        (JSC::FTL::mdString):

2013-08-23  Andy Estes  <aestes@apple.com>

        Fix issues found by the Clang Static Analyzer
        https://bugs.webkit.org/show_bug.cgi?id=120230

        Reviewed by Darin Adler.

        * API/JSValue.mm:
        (valueToString): Don't leak every CFStringRef when in Objective-C GC.
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
        release m_invocation's target since NSInvocation will do it for us on
        -dealloc.
        (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
        and -release our reference to the copied block.
        * API/tests/minidom.c:
        (createStringWithContentsOfFile): Free buffer before returning.
        * API/tests/testapi.c:
        (createStringWithContentsOfFile): Ditto.

2013-08-26  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r154629.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>

        Windows build fix attempt after r154629.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

658 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
659
660         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
661         https://bugs.webkit.org/show_bug.cgi?id=120278
662
663         Reviewed by Geoffrey Garen.
664
665         * runtime/JSObject.cpp:
666         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
667
668 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
669
670         Fix indentation of Executable.h.
671
672         Rubber stamped by Mark Hahnenberg.
673
674         * runtime/Executable.h:
675
676 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
677
678         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
679         https://bugs.webkit.org/show_bug.cgi?id=120314
680
681         Reviewed by Darin Adler.
682
683         Currently with the way that defineProperty works, we leave a stray low bit set in 
684         PropertyDescriptor::m_attributes in the following code:
685
686         var o = {};
687         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
688         
689         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
690         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
691         but only the top three bits mean anything. Even in the case above, the top three bits are set 
692         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
693
694         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
695         framework's public C API, it's safer to just change how we calculate the default value, which is
696         where the weirdness was originating from in the first place.
697
698         * runtime/PropertyDescriptor.cpp:
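
Worked illustration of the attribute-bit arithmetic the entry above describes. This is an added example, not code from the ChangeLog or from JavaScriptCore's PropertyDescriptor.cpp. It takes ReadOnly = 1 << 1 and the (DontDelete << 1) - 1 default from the entry; DontEnum = 1 << 2 and DontDelete = 1 << 3 are assumed, as is the exact form of the corrected default, shown here simply as the OR of the three real attribute bits.

```cpp
#include <cstdint>

// Attribute bits as the entry describes them: the lowest non-zero attribute
// (ReadOnly) is 1 << 1, not 1 << 0, so bit 0 carries no meaning at all.
// DontEnum = 1 << 2 and DontDelete = 1 << 3 are assumed for this example.
enum Attribute : unsigned {
    None = 0,
    ReadOnly = 1 << 1,
    DontEnum = 1 << 2,
    DontDelete = 1 << 3
};

// Mask of the bits that actually mean something.
inline unsigned meaningfulAttributeBits() { return ReadOnly | DontEnum | DontDelete; }

// The pre-fix default from the entry: (DontDelete << 1) - 1 == 0xF.
// Bit 0 is set even though no attribute is defined for it.
inline unsigned buggyDefaultAttributes() { return (DontDelete << 1) - 1; }

// The kind of fix the entry describes (assumed form): build the default only from
// the attribute bits that exist, so nothing stray can survive.
inline unsigned fixedDefaultAttributes() { return meaningfulAttributeBits(); }

// Models how a descriptor such as {writable:true, enumerable:true, configurable:true}
// edits the attribute word: each explicitly-true flag clears its restrictive bit.
inline unsigned applyDescriptor(unsigned defaults, bool writable, bool enumerable, bool configurable)
{
    unsigned attrs = defaults;
    if (writable)
        attrs &= ~ReadOnly;
    if (enumerable)
        attrs &= ~DontEnum;
    if (configurable)
        attrs &= ~DontDelete;
    return attrs;
}

// Any bit outside the defined attributes is a stray bit; with the buggy default
// the fully permissive descriptor from the entry leaves exactly bit 0 behind,
// which makes an "m_attributes == 0" check fail for no real reason.
inline unsigned strayBits(unsigned attrs) { return attrs & ~meaningfulAttributeBits(); }
```

With the buggy default, the entry's Object.defineProperty call yields attributes == 1 (only the stray bit); with the corrected default it yields 0, which is the value the rest of the engine expects for a fully writable, enumerable, configurable property.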
699
700 2013-08-24  Sam Weinig  <sam@webkit.org>
701
702         Add support for Promises
703         https://bugs.webkit.org/show_bug.cgi?id=120260
704
705         Reviewed by Darin Adler.
706
707         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
708         - Despite Promises being defined in the DOM, the implementation is being put in JSC
709           in preparation for the Promises eventually being defined in ECMAScript.
710
711         * CMakeLists.txt:
712         * DerivedSources.make:
713         * DerivedSources.pri:
714         * GNUmakefile.list.am:
715         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
716         * JavaScriptCore.xcodeproj/project.pbxproj:
717         * Target.pri:
718         Add new files.
719
720         * jsc.cpp:
721         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
722         you can't quite use Promises with the command line tool yet.
723     
724         * interpreter/CallFrame.h:
725         (JSC::ExecState::promisePrototypeTable):
726         (JSC::ExecState::promiseConstructorTable):
727         (JSC::ExecState::promiseResolverPrototypeTable):
728         * runtime/VM.cpp:
729         (JSC::VM::VM):
730         (JSC::VM::~VM):
731         * runtime/VM.h:
732         Add supporting code for the new static lookup tables.
733
734         * runtime/CommonIdentifiers.h:
735         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
736
737         * runtime/JSGlobalObject.cpp:
738         (JSC::JSGlobalObject::reset):
739         (JSC::JSGlobalObject::visitChildren):
740         Add supporting code for Promise and PromiseResolver's constructors and structures.
741
742         * runtime/JSGlobalObject.h:
743         (JSC::TaskContext::~TaskContext):
744         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
745
746         (JSC::JSGlobalObject::promisePrototype):
747         (JSC::JSGlobalObject::promiseResolverPrototype):
748         (JSC::JSGlobalObject::promiseStructure):
749         (JSC::JSGlobalObject::promiseResolverStructure):
750         (JSC::JSGlobalObject::promiseCallbackStructure):
751         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
752         Add supporting code for Promise and PromiseResolver's constructors and structures.
753
754         * runtime/JSPromise.cpp: Added.
755         * runtime/JSPromise.h: Added.
756         * runtime/JSPromiseCallback.cpp: Added.
757         * runtime/JSPromiseCallback.h: Added.
758         * runtime/JSPromiseConstructor.cpp: Added.
759         * runtime/JSPromiseConstructor.h: Added.
760         * runtime/JSPromisePrototype.cpp: Added.
761         * runtime/JSPromisePrototype.h: Added.
762         * runtime/JSPromiseResolver.cpp: Added.
763         * runtime/JSPromiseResolver.h: Added.
764         * runtime/JSPromiseResolverConstructor.cpp: Added.
765         * runtime/JSPromiseResolverConstructor.h: Added.
766         * runtime/JSPromiseResolverPrototype.cpp: Added.
767         * runtime/JSPromiseResolverPrototype.h: Added.
768         Add Promise implementation.
769
770 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
771
772         Plenty of -Wcast-align warnings in KeywordLookup.h
773         https://bugs.webkit.org/show_bug.cgi?id=120316
774
775         Reviewed by Darin Adler.
776
777         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
778         the character pointers to types of larger size. This avoids spewing lots of warnings
779         in the KeywordLookup.h header when compiling with the -Wcast-align option.
780
781 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
782
783         RegExpMatchesArray should not call [[put]]
784         https://bugs.webkit.org/show_bug.cgi?id=120317
785
786         Reviewed by Oliver Hunt.
787
788         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
789         property called index or input to either of these prototypes will result in broken behavior.
790
791         * runtime/RegExpMatchesArray.cpp:
792         (JSC::RegExpMatchesArray::reifyAllProperties):
793             - put -> putDirect
794
795 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
796
797         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
798         https://bugs.webkit.org/show_bug.cgi?id=120228
799
800         Reviewed by Oliver Hunt.
801         
802         It turns out that there were three problems:
803         
804         - Using jsNumber() meant that we were converting doubles to integers and then
805           possibly back again whenever doing a set() between floating point arrays.
806         
807         - Slow-path accesses to double typed arrays were slower than necessary because
808           of the to-int conversion attempt.
809         
810         - The use of JSValue as an intermediate for converting between different types
811           in typedArray.set() resulted in worse code than I had previously expected.
812         
813         This patch solves the problem by using template double-dispatch to ensure that
814         the C++ compiler sees the simplest possible combination of casts between any
815         combination of typed array types, while still preserving JS and typed array
816         conversion semantics. Conversions are done as follows:
817         
818             SourceAdaptor::convertTo<TargetAdaptor>(value)
819         
820         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
821         with one method for each of int32_t, uint32_t, and double. This means that the
822         C++ compiler will at worst see a widening cast to one of those types followed
823         by a narrowing conversion (not necessarily a cast - may have clamping or the
824         JS toInt32() function).
825         
826         This change doesn't just affect typedArray.set(); it also affects slow-path
827         accesses to typed arrays as well. This patch also adds a bunch of new test
828         coverage.
829         
830         This change is a ~50% speed-up on typedArray.set() involving floating point
831         types.
832
833         * GNUmakefile.list.am:
834         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
835         * JavaScriptCore.xcodeproj/project.pbxproj:
836         * runtime/GenericTypedArrayView.h:
837         (JSC::GenericTypedArrayView::set):
838         * runtime/JSDataViewPrototype.cpp:
839         (JSC::setData):
840         * runtime/JSGenericTypedArrayView.h:
841         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
842         (JSC::JSGenericTypedArrayView::setIndexQuickly):
843         * runtime/JSGenericTypedArrayViewInlines.h:
844         (JSC::::setWithSpecificType):
845         (JSC::::set):
846         * runtime/ToNativeFromValue.h: Added.
847         (JSC::toNativeFromValue):
848         * runtime/TypedArrayAdaptors.h:
849         (JSC::IntegralTypedArrayAdaptor::toJSValue):
850         (JSC::IntegralTypedArrayAdaptor::toDouble):
851         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
852         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
853         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
854         (JSC::IntegralTypedArrayAdaptor::convertTo):
855         (JSC::FloatTypedArrayAdaptor::toJSValue):
856         (JSC::FloatTypedArrayAdaptor::toDouble):
857         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
858         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
859         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
860         (JSC::FloatTypedArrayAdaptor::convertTo):
861         (JSC::Uint8ClampedAdaptor::toJSValue):
862         (JSC::Uint8ClampedAdaptor::toDouble):
863         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
864         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
865         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
866         (JSC::Uint8ClampedAdaptor::convertTo):
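
The SourceAdaptor::convertTo<TargetAdaptor>(value) double dispatch described in the entry above, as an added, self-contained sketch. It is not JavaScriptCore's TypedArrayAdaptors.h: the adaptor class names, jsToInt32, setWithConversion and convertedSampleAt are assumptions for this example, and the conversion rules follow ECMAScript ToInt32 and ToUint8Clamp. Each target adaptor exposes exactly three entry points (int32_t, uint32_t, double), and each source adaptor picks one of them, so no JSValue and no int conversion attempt sits between a floating-point source and a floating-point target.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <type_traits>

// ECMAScript ToInt32: NaN and infinities become 0; everything else is truncated
// and wrapped modulo 2^32 into the signed 32-bit range.
inline int32_t jsToInt32(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return 0;
    double wrapped = std::fmod(std::trunc(d), 4294967296.0); // in (-2^32, 2^32)
    if (wrapped < 0)
        wrapped += 4294967296.0;
    return static_cast<int32_t>(static_cast<uint32_t>(wrapped));
}

// Integral element types (Int8/Uint8/Int16/Uint16/Int32/Uint32).
template<typename T>
struct IntegralAdaptor {
    typedef T Type;
    static Type toNativeFromInt32(int32_t v) { return static_cast<Type>(v); }
    static Type toNativeFromUint32(uint32_t v) { return static_cast<Type>(v); }
    static Type toNativeFromDouble(double v) { return static_cast<Type>(jsToInt32(v)); }

    template<typename Target>
    static typename Target::Type convertTo(Type value)
    {
        // Only a 32-bit unsigned source needs the unsigned path; every other
        // integral type widens losslessly into int32_t.
        if (sizeof(Type) == 4 && !std::is_signed<Type>::value)
            return Target::toNativeFromUint32(static_cast<uint32_t>(value));
        return Target::toNativeFromInt32(static_cast<int32_t>(value));
    }
};

// Float32/Float64: always hand the target a double, never an integer.
template<typename T>
struct FloatAdaptor {
    typedef T Type;
    static Type toNativeFromInt32(int32_t v) { return static_cast<Type>(v); }
    static Type toNativeFromUint32(uint32_t v) { return static_cast<Type>(v); }
    static Type toNativeFromDouble(double v) { return static_cast<Type>(v); }

    template<typename Target>
    static typename Target::Type convertTo(Type value) { return Target::toNativeFromDouble(value); }
};

// Uint8Clamped: saturating instead of wrapping, round-half-to-even for doubles.
struct Uint8ClampedAdaptor {
    typedef uint8_t Type;
    static Type toNativeFromInt32(int32_t v) { return v < 0 ? 0 : v > 255 ? 255 : static_cast<Type>(v); }
    static Type toNativeFromUint32(uint32_t v) { return v > 255 ? 255 : static_cast<Type>(v); }
    static Type toNativeFromDouble(double v)
    {
        // ToUint8Clamp: NaN -> 0, clamp to [0, 255], ties go to the even neighbour
        // (std::nearbyint under the default FE_TONEAREST rounding mode).
        if (std::isnan(v) || v <= 0)
            return 0;
        if (v >= 255)
            return 255;
        return static_cast<Type>(std::nearbyint(v));
    }

    template<typename Target>
    static typename Target::Type convertTo(Type value) { return Target::toNativeFromInt32(value); }
};

// The shape of typedArray.set() between two views of different element type:
// element-wise conversion with no JSValue intermediate.
template<typename SourceAdaptor, typename TargetAdaptor>
void setWithConversion(const typename SourceAdaptor::Type* source,
                       typename TargetAdaptor::Type* target, size_t length)
{
    for (size_t i = 0; i < length; ++i)
        target[i] = SourceAdaptor::template convertTo<TargetAdaptor>(source[i]);
}

// Constructed sample: three doubles copied into an Int32Array-like buffer.
inline int32_t convertedSampleAt(size_t index)
{
    const double source[3] = { 1e10, 2.5, -1.0 };
    int32_t target[3] = { 0, 0, 0 };
    setWithConversion<FloatAdaptor<double>, IntegralAdaptor<int32_t>>(source, target, 3);
    return target[index];
}
```

The dispatch matters for correctness as much as for speed: a uint32_t source that took the signed path would turn 4294967295 into -1.0 in a Float64Array, and a double source that went through a 32-bit integer would lose 2.5 on the way to another float array.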
867
868 2013-08-24  Dan Bernstein  <mitz@apple.com>
869
870         [mac] link against libz in a more civilized manner
871         https://bugs.webkit.org/show_bug.cgi?id=120258
872
873         Reviewed by Darin Adler.
874
875         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
876         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
877         Link Binary With Libraries build phase.
878
879 2013-08-23  Laszlo Papp  <lpapp@kde.org>
880
881         Failure building with python3
882         https://bugs.webkit.org/show_bug.cgi?id=106645
883
884         Reviewed by Benjamin Poulain.
885
886         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
887         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
888
889         * disassembler/udis86/itab.py:
890         (UdItabGenerator.genInsnTable):
891         * disassembler/udis86/ud_opcode.py:
892         (UdOpcodeTables.print_table):
893         * disassembler/udis86/ud_optable.py:
894         (UdOptableXmlParser.parseDef):
895         (UdOptableXmlParser.parse):
896         (printFn):
897
898 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
899
900         Incorrect TypedArray#set behavior
901         https://bugs.webkit.org/show_bug.cgi?id=83818
902
903         Reviewed by Oliver Hunt and Mark Hahnenberg.
904         
905         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
906         not smart enough to figure out optimal versions for *all* of the cases. But I
907         did come up with optimal implementations for most of the cases, and I wrote
908         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
909         enough to write optimal code for.
910
911         * runtime/JSArrayBufferView.h:
912         (JSC::JSArrayBufferView::hasArrayBuffer):
913         * runtime/JSArrayBufferViewInlines.h:
914         (JSC::JSArrayBufferView::buffer):
915         (JSC::JSArrayBufferView::existingBufferInButterfly):
916         (JSC::JSArrayBufferView::neuter):
917         (JSC::JSArrayBufferView::byteOffset):
918         * runtime/JSGenericTypedArrayView.h:
919         * runtime/JSGenericTypedArrayViewInlines.h:
920         (JSC::::setWithSpecificType):
921         (JSC::::set):
922         (JSC::::existingBuffer):
923
924 2013-08-23  Alex Christensen  <achristensen@apple.com>
925
926         Re-separating Win32 and Win64 builds.
927         https://bugs.webkit.org/show_bug.cgi?id=120178
928
929         Reviewed by Brent Fulgham.
930
931         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
932         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
933         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
934         Pass PlatformArchitecture as a command line parameter to bash scripts.
935         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
936         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
937         * JavaScriptCore.vcxproj/build-generated-files.sh:
938         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
939
940 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
941
942         build-jsc --ftl-jit should work
943         https://bugs.webkit.org/show_bug.cgi?id=120194
944
945         Reviewed by Oliver Hunt.
946
947         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
948         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
949         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
950         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
951         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
952         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
953
954 2013-08-23  Oliver Hunt  <oliver@apple.com>
955
956         Re-sort xcode project file
957
958         * JavaScriptCore.xcodeproj/project.pbxproj:
959
960 2013-08-23  Oliver Hunt  <oliver@apple.com>
961
962         Support in memory compression of rarely used data
963         https://bugs.webkit.org/show_bug.cgi?id=120143
964
965         Reviewed by Gavin Barraclough.
966
967         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
968
969         * Configurations/JavaScriptCore.xcconfig:
970         * bytecode/UnlinkedCodeBlock.cpp:
971         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
972         (JSC::UnlinkedCodeBlock::addExpressionInfo):
973         * bytecode/UnlinkedCodeBlock.h:
974
975 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
976
977         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
978         https://bugs.webkit.org/show_bug.cgi?id=120179
979
980         Reviewed by Geoffrey Garen.
981
982         There are many places in the code for JSObject and JSArray where they are manipulating their 
983         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
984         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
985         like it will make this dance even more intricate. To make everybody's lives easier we should use 
986         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
987         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
988         should not incur any additional overhead.
989
990         * heap/Heap.h:
991         * runtime/JSArray.cpp:
992         (JSC::JSArray::unshiftCountSlowCase):
993         * runtime/JSObject.cpp:
994         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
995         (JSC::JSObject::createInitialUndecided):
996         (JSC::JSObject::createInitialInt32):
997         (JSC::JSObject::createInitialDouble):
998         (JSC::JSObject::createInitialContiguous):
999         (JSC::JSObject::createArrayStorage):
1000         (JSC::JSObject::convertUndecidedToArrayStorage):
1001         (JSC::JSObject::convertInt32ToArrayStorage):
1002         (JSC::JSObject::convertDoubleToArrayStorage):
1003         (JSC::JSObject::convertContiguousToArrayStorage):
1004         (JSC::JSObject::increaseVectorLength):
1005         (JSC::JSObject::ensureLengthSlow):
1006         * runtime/JSObject.h:
1007         (JSC::JSObject::putDirectInternal):
1008         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1009         (JSC::JSObject::putDirectWithoutTransition):
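
A sketch of the DeferGC pattern the entry above relies on, added here as an example. It is not JSC's heap/Heap.h; the Heap, DeferGC, Object and growStorage names, the byte-counting allocator and the 64-byte threshold are all assumed for illustration. The point it demonstrates is the one the entry makes: inside the guard's lifetime an allocation that would normally trigger a collection only records the request, and the collection runs as soon as the guard leaves scope, so the deferral costs almost nothing.

```cpp
#include <cstddef>
#include <vector>

// Toy heap: allocation counts bytes and asks for a collection once a threshold is
// crossed. While a DeferGC guard is alive the request is only recorded; the
// collection runs when the last guard leaves scope.
class Heap {
public:
    explicit Heap(size_t thresholdBytes) : m_threshold(thresholdBytes) { }

    void* allocate(size_t bytes)
    {
        m_bytesSinceCollection += bytes;
        if (m_bytesSinceCollection >= m_threshold)
            collectIfNecessaryOrDefer();
        m_blocks.emplace_back(bytes);
        return m_blocks.back().data();
    }

    unsigned collections() const { return m_collections; }

    void incrementDeferralDepth() { ++m_deferralDepth; }
    void decrementDeferralDepthAndGCIfNeeded()
    {
        if (--m_deferralDepth == 0 && m_collectionDeferred)
            collect();
    }

private:
    void collectIfNecessaryOrDefer()
    {
        if (m_deferralDepth) {
            m_collectionDeferred = true; // remember the request, do nothing now
            return;
        }
        collect();
    }
    void collect()
    {
        ++m_collections;
        m_collectionDeferred = false;
        m_bytesSinceCollection = 0; // the toy never frees; counting is enough here
    }

    size_t m_threshold;
    size_t m_bytesSinceCollection = 0;
    unsigned m_deferralDepth = 0;
    unsigned m_collections = 0;
    bool m_collectionDeferred = false;
    std::vector<std::vector<char>> m_blocks;
};

// RAII guard: the GC-critical section is exactly the guard's lifetime.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { m_heap.incrementDeferralDepth(); }
    ~DeferGC() { m_heap.decrementDeferralDepthAndGCIfNeeded(); }
    DeferGC(const DeferGC&) = delete;
    DeferGC& operator=(const DeferGC&) = delete;
private:
    Heap& m_heap;
};

// Stand-in for a JSObject whose out-of-line storage is being regrown.
struct Object {
    void* storage = nullptr;
    size_t length = 0;
};

// Models the kind of function the entry lists (e.g. increaseVectorLength): between
// allocating the new storage and publishing the new pointer and length, the object
// is in a state a collector must not observe. Returns how many collections ran
// inside that window.
inline unsigned growStorage(Heap& heap, Object& object, size_t newLength)
{
    DeferGC deferGC(heap);
    unsigned before = heap.collections();
    void* newStorage = heap.allocate(newLength * sizeof(double)); // may cross the threshold
    object.storage = newStorage; // pointer and length disagree until the next line
    object.length = newLength;
    return heap.collections() - before; // evaluated before deferGC's destructor runs
}

// The same sequence without the guard, for contrast.
inline unsigned growStorageUnguarded(Heap& heap, Object& object, size_t newLength)
{
    unsigned before = heap.collections();
    void* newStorage = heap.allocate(newLength * sizeof(double));
    object.storage = newStorage;
    object.length = newLength;
    return heap.collections() - before;
}

// Constructed scenario: a 64-byte threshold and a 128-byte regrow, which crosses it.
inline unsigned collectionsInsideGuardedGrow() { Heap heap(64); Object o; return growStorage(heap, o, 16); }
inline unsigned collectionsAfterGuardedGrow() { Heap heap(64); Object o; growStorage(heap, o, 16); return heap.collections(); }
inline unsigned collectionsInsideUnguardedGrow() { Heap heap(64); Object o; return growStorageUnguarded(heap, o, 16); }
```

Because the guard is a stack object, nesting works naturally: an inner DeferGC inside an already deferred region increments the depth and the collection still waits for the outermost guard, which is what makes the critical sections both obvious in the code and trivially safe.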
1010
1011 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1012
1013         Update LLVM binary drops and scripts to the latest version from SVN
1014         https://bugs.webkit.org/show_bug.cgi?id=120184
1015
1016         Reviewed by Mark Hahnenberg.
1017
1018         * dfg/DFGPlan.cpp:
1019         (JSC::DFG::Plan::compileInThreadImpl):
1020
1021 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1022
1023         Don't leak registers for redeclared variables
1024         https://bugs.webkit.org/show_bug.cgi?id=120174
1025
1026         Reviewed by Geoff Garen.
1027
1028         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
1029         Only allocate new registers when necessary.
1030
1031         No performance impact.
1032
1033         * interpreter/Interpreter.cpp:
1034         (JSC::Interpreter::execute):
1035         * runtime/Executable.cpp:
1036         (JSC::ProgramExecutable::initializeGlobalProperties):
1037             - Don't allocate the register here.
1038         * runtime/JSGlobalObject.cpp:
1039         (JSC::JSGlobalObject::addGlobalVar):
1040             - Allocate the register here instead.
1041
1042 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1043
1044         https://bugs.webkit.org/show_bug.cgi?id=120128
1045         Remove putDirectVirtual
1046
1047         Unreviewed, checked in commented out code. :-(
1048
1049         * interpreter/Interpreter.cpp:
1050         (JSC::Interpreter::execute):
1051             - delete commented out code
1052
1053 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1054
1055         Error.stack should not be enumerable
1056         https://bugs.webkit.org/show_bug.cgi?id=120171
1057
1058         Reviewed by Oliver Hunt.
1059
1060         Breaks ECMA tests.
1061
1062         * runtime/ErrorInstance.cpp:
1063         (JSC::ErrorInstance::finishCreation):
1064             - None -> DontEnum
1065
1066 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1067
1068         https://bugs.webkit.org/show_bug.cgi?id=120128
1069         Remove putDirectVirtual
1070
1071         Reviewed by Sam Weinig.
1072
1073         This could most generously be described as 'vestigial'.
1074         No performance impact.
1075
1076         * API/JSObjectRef.cpp:
1077         (JSObjectSetProperty):
1078             - changed to use defineOwnProperty
1079         * debugger/DebuggerActivation.cpp:
1080         * debugger/DebuggerActivation.h:
1081             - remove putDirectVirtual
1082         * interpreter/Interpreter.cpp:
1083         (JSC::Interpreter::execute):
1084             - changed to use defineOwnProperty
1085         * runtime/ClassInfo.h:
1086         * runtime/JSActivation.cpp:
1087         * runtime/JSActivation.h:
1088         * runtime/JSCell.cpp:
1089         * runtime/JSCell.h:
1090         * runtime/JSGlobalObject.cpp:
1091         * runtime/JSGlobalObject.h:
1092         * runtime/JSObject.cpp:
1093         * runtime/JSObject.h:
1094         * runtime/JSProxy.cpp:
1095         * runtime/JSProxy.h:
1096         * runtime/JSSymbolTableObject.cpp:
1097         * runtime/JSSymbolTableObject.h:
1098             - remove putDirectVirtual
1099         * runtime/PropertyDescriptor.h:
1100         (JSC::PropertyDescriptor::PropertyDescriptor):
1101             - added constructor for convenience
1102
1103 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
1104
1105         errorDescriptionForValue() should not assume error value is an Object
1106         https://bugs.webkit.org/show_bug.cgi?id=119812
1107
1108         Reviewed by Geoffrey Garen.
1109
1110         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
1111         has no type, the function now returns the empty string.

1112         * runtime/ExceptionHelpers.cpp:
1113         (JSC::errorDescriptionForValue):
1114
1115 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
1116
1117         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1118         https://bugs.webkit.org/show_bug.cgi?id=120107
1119
1120         Reviewed by Yong Li.
1121
1122         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1123
1124         * dfg/DFGSpeculativeJIT.h:
1125         (JSC::DFG::SpeculativeJIT::callOperation):
1126
1127 2013-08-21  Commit Queue  <commit-queue@webkit.org>
1128
1129         Unreviewed, rolling out r154416.
1130         http://trac.webkit.org/changeset/154416
1131         https://bugs.webkit.org/show_bug.cgi?id=120147
1132
1133         Broke Windows builds (Requested by rniwa on #webkit).
1134
1135         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1136         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1137         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1138         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1139         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1140         * JavaScriptCore.vcxproj/build-generated-files.sh:
1141
1142 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1143
1144         Clarify var/const/function declaration
1145         https://bugs.webkit.org/show_bug.cgi?id=120144
1146
1147         Reviewed by Sam Weinig.
1148
1149         Add methods to JSGlobalObject to declare vars, consts, and functions.
1150
1151         * runtime/Executable.cpp:
1152         (JSC::ProgramExecutable::initializeGlobalProperties):
1153         * runtime/Executable.h:
1154             - Moved declaration code to JSGlobalObject
1155         * runtime/JSGlobalObject.cpp:
1156         (JSC::JSGlobalObject::addGlobalVar):
1157             - internal implementation of addVar, addConst, addFunction
1158         * runtime/JSGlobalObject.h:
1159         (JSC::JSGlobalObject::addVar):
1160         (JSC::JSGlobalObject::addConst):
1161         (JSC::JSGlobalObject::addFunction):
1162             - Added methods to declare vars, consts, and functions
1163
1164 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
1165
1166         https://bugs.webkit.org/show_bug.cgi?id=119900
1167         Exception in global setter doesn't unwind correctly
1168
1169         Reviewed by Geoffrey Garen.
1170
1171         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws an exception.
1172
1173         * jit/JITStubs.cpp:
1174         (JSC::DEFINE_STUB_FUNCTION):
1175
1176 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1177
1178         Rename/refactor setButterfly/setStructure
1179         https://bugs.webkit.org/show_bug.cgi?id=120138
1180
1181         Reviewed by Geoffrey Garen.
1182
1183         setButterfly becomes setStructureAndButterfly.
1184
1185         Also removed the Butterfly* argument from setStructure and just implicitly
1186         used m_butterfly internally since that's what every single client of setStructure
1187         was doing already.
1188
1189         * jit/JITStubs.cpp:
1190         (JSC::DEFINE_STUB_FUNCTION):
1191         * runtime/JSObject.cpp:
1192         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1193         (JSC::JSObject::createInitialUndecided):
1194         (JSC::JSObject::createInitialInt32):
1195         (JSC::JSObject::createInitialDouble):
1196         (JSC::JSObject::createInitialContiguous):
1197         (JSC::JSObject::createArrayStorage):
1198         (JSC::JSObject::convertUndecidedToInt32):
1199         (JSC::JSObject::convertUndecidedToDouble):
1200         (JSC::JSObject::convertUndecidedToContiguous):
1201         (JSC::JSObject::convertUndecidedToArrayStorage):
1202         (JSC::JSObject::convertInt32ToDouble):
1203         (JSC::JSObject::convertInt32ToContiguous):
1204         (JSC::JSObject::convertInt32ToArrayStorage):
1205         (JSC::JSObject::genericConvertDoubleToContiguous):
1206         (JSC::JSObject::convertDoubleToArrayStorage):
1207         (JSC::JSObject::convertContiguousToArrayStorage):
1208         (JSC::JSObject::switchToSlowPutArrayStorage):
1209         (JSC::JSObject::setPrototype):
1210         (JSC::JSObject::putDirectAccessor):
1211         (JSC::JSObject::seal):
1212         (JSC::JSObject::freeze):
1213         (JSC::JSObject::preventExtensions):
1214         (JSC::JSObject::reifyStaticFunctionsForDelete):
1215         (JSC::JSObject::removeDirect):
1216         * runtime/JSObject.h:
1217         (JSC::JSObject::setStructureAndButterfly):
1218         (JSC::JSObject::setStructure):
1219         (JSC::JSObject::putDirectInternal):
1220         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1221         (JSC::JSObject::putDirectWithoutTransition):
1222         * runtime/Structure.cpp:
1223         (JSC::Structure::flattenDictionaryStructure):
1224
1225 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1226
1227         https://bugs.webkit.org/show_bug.cgi?id=120127
1228         Remove JSObject::propertyIsEnumerable
1229
1230         Unreviewed typo fix
1231
1232         * runtime/JSObject.h:
1233             - fix typo
1234
1235 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1236
1237         https://bugs.webkit.org/show_bug.cgi?id=120139
1238         PropertyDescriptor argument to define methods should be const
1239
1240         Rubber stamped by Sam Weinig.
1241
1242         This should never be modified, and this way we can use rvalues.
1243
1244         * debugger/DebuggerActivation.cpp:
1245         (JSC::DebuggerActivation::defineOwnProperty):
1246         * debugger/DebuggerActivation.h:
1247         * runtime/Arguments.cpp:
1248         (JSC::Arguments::defineOwnProperty):
1249         * runtime/Arguments.h:
1250         * runtime/ClassInfo.h:
1251         * runtime/JSArray.cpp:
1252         (JSC::JSArray::defineOwnProperty):
1253         * runtime/JSArray.h:
1254         * runtime/JSArrayBuffer.cpp:
1255         (JSC::JSArrayBuffer::defineOwnProperty):
1256         * runtime/JSArrayBuffer.h:
1257         * runtime/JSArrayBufferView.cpp:
1258         (JSC::JSArrayBufferView::defineOwnProperty):
1259         * runtime/JSArrayBufferView.h:
1260         * runtime/JSCell.cpp:
1261         (JSC::JSCell::defineOwnProperty):
1262         * runtime/JSCell.h:
1263         * runtime/JSFunction.cpp:
1264         (JSC::JSFunction::defineOwnProperty):
1265         * runtime/JSFunction.h:
1266         * runtime/JSGenericTypedArrayView.h:
1267         * runtime/JSGenericTypedArrayViewInlines.h:
1268         (JSC::::defineOwnProperty):
1269         * runtime/JSGlobalObject.cpp:
1270         (JSC::JSGlobalObject::defineOwnProperty):
1271         * runtime/JSGlobalObject.h:
1272         * runtime/JSObject.cpp:
1273         (JSC::JSObject::putIndexedDescriptor):
1274         (JSC::JSObject::defineOwnIndexedProperty):
1275         (JSC::putDescriptor):
1276         (JSC::JSObject::defineOwnNonIndexProperty):
1277         (JSC::JSObject::defineOwnProperty):
1278         * runtime/JSObject.h:
1279         * runtime/JSProxy.cpp:
1280         (JSC::JSProxy::defineOwnProperty):
1281         * runtime/JSProxy.h:
1282         * runtime/RegExpMatchesArray.h:
1283         (JSC::RegExpMatchesArray::defineOwnProperty):
1284         * runtime/RegExpObject.cpp:
1285         (JSC::RegExpObject::defineOwnProperty):
1286         * runtime/RegExpObject.h:
1287         * runtime/StringObject.cpp:
1288         (JSC::StringObject::defineOwnProperty):
1289         * runtime/StringObject.h:
1290             - make PropertyDescriptor const
1291
1292 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1293
1294         REGRESSION: Crash under JITCompiler::link while loading Gmail
1295         https://bugs.webkit.org/show_bug.cgi?id=119872
1296
1297         Reviewed by Mark Hahnenberg.
1298         
1299         Apparently, unsigned + signed = unsigned. Work around it with a cast.
1300
1301         * dfg/DFGByteCodeParser.cpp:
1302         (JSC::DFG::ByteCodeParser::parseBlock):
1303
1304 2013-08-21  Alex Christensen  <achristensen@apple.com>
1305
1306         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1307
1308         Reviewed by Brent Fulgham.
1309
1310         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1311         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1312         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1313         Pass PlatformArchitecture as a command line parameter to bash scripts.
1314         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1315         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1316         * JavaScriptCore.vcxproj/build-generated-files.sh:
1317         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1318
1319 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1320
1321         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1322         https://bugs.webkit.org/show_bug.cgi?id=120099
1323
1324         Reviewed by Mark Hahnenberg.
1325         
1326         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1327         JSDataView may have ordinary JS indexed properties.
1328
1329         * runtime/ClassInfo.h:
1330         * runtime/JSArrayBufferView.cpp:
1331         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1332         (JSC::JSArrayBufferView::finishCreation):
1333         * runtime/JSArrayBufferView.h:
1334         (JSC::hasArrayBuffer):
1335         * runtime/JSArrayBufferViewInlines.h:
1336         (JSC::JSArrayBufferView::buffer):
1337         (JSC::JSArrayBufferView::neuter):
1338         (JSC::JSArrayBufferView::byteOffset):
1339         * runtime/JSCell.cpp:
1340         (JSC::JSCell::slowDownAndWasteMemory):
1341         * runtime/JSCell.h:
1342         * runtime/JSDataView.cpp:
1343         (JSC::JSDataView::JSDataView):
1344         (JSC::JSDataView::create):
1345         (JSC::JSDataView::slowDownAndWasteMemory):
1346         * runtime/JSDataView.h:
1347         (JSC::JSDataView::buffer):
1348         * runtime/JSGenericTypedArrayView.h:
1349         * runtime/JSGenericTypedArrayViewInlines.h:
1350         (JSC::::visitChildren):
1351         (JSC::::slowDownAndWasteMemory):
1352
1353 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1354
1355         Remove incorrect ASSERT from CopyVisitor::visitItem
1356
1357         Rubber stamped by Filip Pizlo.
1358
1359         * heap/CopyVisitorInlines.h:
1360         (JSC::CopyVisitor::visitItem):
1361
1362 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1363
1364         https://bugs.webkit.org/show_bug.cgi?id=120127
1365         Remove JSObject::propertyIsEnumerable
1366
1367         Reviewed by Sam Weinig.
1368
1369         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1370
1371         * runtime/JSObject.cpp:
1372         * runtime/JSObject.h:
1373             - remove propertyIsEnumerable
1374         * runtime/ObjectPrototype.cpp:
1375         (JSC::objectProtoFuncPropertyIsEnumerable):
1376             - Move implementation here using getOwnPropertyDescriptor directly.
1377
1378 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
1379
1380         DFG should inline new typedArray()
1381         https://bugs.webkit.org/show_bug.cgi?id=120022
1382
1383         Reviewed by Oliver Hunt.
1384         
1385         Adds inlining of typed array allocations in the DFG. Any operation of the
1386         form:
1387         
1388             new foo(blah)
1389         
1390         or:
1391         
1392             foo(blah)
1393         
1394         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1395         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1396         is predicted integer, we generate inline code for an allocation. Otherwise
1397         it turns into a call to an operation that behaves like the constructor would
1398         if it was passed one argument (i.e. it may wrap a buffer or it may create a
1399         copy of another array, or it may allocate an array of that length).
1400
1401         * bytecode/SpeculatedType.cpp:
1402         (JSC::speculationFromTypedArrayType):
1403         (JSC::speculationFromClassInfo):
1404         * bytecode/SpeculatedType.h:
1405         * dfg/DFGAbstractInterpreterInlines.h:
1406         (JSC::DFG::::executeEffects):
1407         * dfg/DFGBackwardsPropagationPhase.cpp:
1408         (JSC::DFG::BackwardsPropagationPhase::propagate):
1409         * dfg/DFGByteCodeParser.cpp:
1410         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1411         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1412         * dfg/DFGCCallHelpers.h:
1413         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1414         * dfg/DFGCSEPhase.cpp:
1415         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1416         * dfg/DFGClobberize.h:
1417         (JSC::DFG::clobberize):
1418         * dfg/DFGFixupPhase.cpp:
1419         (JSC::DFG::FixupPhase::fixupNode):
1420         * dfg/DFGGraph.cpp:
1421         (JSC::DFG::Graph::dump):
1422         * dfg/DFGNode.h:
1423         (JSC::DFG::Node::hasTypedArrayType):
1424         (JSC::DFG::Node::typedArrayType):
1425         * dfg/DFGNodeType.h:
1426         * dfg/DFGOperations.cpp:
1427         (JSC::DFG::newTypedArrayWithSize):
1428         (JSC::DFG::newTypedArrayWithOneArgument):
1429         * dfg/DFGOperations.h:
1430         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1431         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1432         * dfg/DFGPredictionPropagationPhase.cpp:
1433         (JSC::DFG::PredictionPropagationPhase::propagate):
1434         * dfg/DFGSafeToExecute.h:
1435         (JSC::DFG::safeToExecute):
1436         * dfg/DFGSpeculativeJIT.cpp:
1437         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1438         * dfg/DFGSpeculativeJIT.h:
1439         (JSC::DFG::SpeculativeJIT::callOperation):
1440         * dfg/DFGSpeculativeJIT32_64.cpp:
1441         (JSC::DFG::SpeculativeJIT::compile):
1442         * dfg/DFGSpeculativeJIT64.cpp:
1443         (JSC::DFG::SpeculativeJIT::compile):
1444         * jit/JITOpcodes.cpp:
1445         (JSC::JIT::emit_op_new_object):
1446         * jit/JITOpcodes32_64.cpp:
1447         (JSC::JIT::emit_op_new_object):
1448         * runtime/JSArray.h:
1449         (JSC::JSArray::allocationSize):
1450         * runtime/JSArrayBufferView.h:
1451         (JSC::JSArrayBufferView::allocationSize):
1452         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1453         (JSC::constructGenericTypedArrayView):
1454         * runtime/JSObject.h:
1455         (JSC::JSFinalObject::allocationSize):
1456         * runtime/TypedArrayType.cpp:
1457         (JSC::constructorClassInfoForType):
1458         * runtime/TypedArrayType.h:
1459         (JSC::indexToTypedArrayType):
1460
1461 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
1462
1463         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
1464
1465         Reviewed by Geoffrey Garen.
1466
1467         * dfg/DFGOperations.h:
1468
1469 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1470
1471         https://bugs.webkit.org/show_bug.cgi?id=120093
1472         Remove getOwnPropertyDescriptor trap
1473
1474         Reviewed by Geoff Garen.
1475
1476         All implementations of this method are now called via the method table, and equivalent in behaviour.
1477         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
1478
1479         * API/JSCallbackObject.h:
1480         * API/JSCallbackObjectFunctions.h:
1481         * debugger/DebuggerActivation.cpp:
1482         * debugger/DebuggerActivation.h:
1483         * runtime/Arguments.cpp:
1484         * runtime/Arguments.h:
1485         * runtime/ArrayConstructor.cpp:
1486         * runtime/ArrayConstructor.h:
1487         * runtime/ArrayPrototype.cpp:
1488         * runtime/ArrayPrototype.h:
1489         * runtime/BooleanPrototype.cpp:
1490         * runtime/BooleanPrototype.h:
1491             - remove getOwnPropertyDescriptor
1492         * runtime/ClassInfo.h:
1493             - remove getOwnPropertyDescriptor from MethodTable
1494         * runtime/DateConstructor.cpp:
1495         * runtime/DateConstructor.h:
1496         * runtime/DatePrototype.cpp:
1497         * runtime/DatePrototype.h:
1498         * runtime/ErrorPrototype.cpp:
1499         * runtime/ErrorPrototype.h:
1500         * runtime/JSActivation.cpp:
1501         * runtime/JSActivation.h:
1502         * runtime/JSArray.cpp:
1503         * runtime/JSArray.h:
1504         * runtime/JSArrayBuffer.cpp:
1505         * runtime/JSArrayBuffer.h:
1506         * runtime/JSArrayBufferView.cpp:
1507         * runtime/JSArrayBufferView.h:
1508         * runtime/JSCell.cpp:
1509         * runtime/JSCell.h:
1510         * runtime/JSDataView.cpp:
1511         * runtime/JSDataView.h:
1512         * runtime/JSDataViewPrototype.cpp:
1513         * runtime/JSDataViewPrototype.h:
1514         * runtime/JSFunction.cpp:
1515         * runtime/JSFunction.h:
1516         * runtime/JSGenericTypedArrayView.h:
1517         * runtime/JSGenericTypedArrayViewInlines.h:
1518         * runtime/JSGlobalObject.cpp:
1519         * runtime/JSGlobalObject.h:
1520         * runtime/JSNotAnObject.cpp:
1521         * runtime/JSNotAnObject.h:
1522         * runtime/JSONObject.cpp:
1523         * runtime/JSONObject.h:
1524             - remove getOwnPropertyDescriptor
1525         * runtime/JSObject.cpp:
1526         (JSC::JSObject::propertyIsEnumerable):
1527             - switch to call new getOwnPropertyDescriptor member function
1528         (JSC::JSObject::getOwnPropertyDescriptor):
1529             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1530         (JSC::JSObject::defineOwnNonIndexProperty):
1531             - switch to call new getOwnPropertyDescriptor member function
1532         * runtime/JSObject.h:
1533         * runtime/JSProxy.cpp:
1534         * runtime/JSProxy.h:
1535         * runtime/NamePrototype.cpp:
1536         * runtime/NamePrototype.h:
1537         * runtime/NumberConstructor.cpp:
1538         * runtime/NumberConstructor.h:
1539         * runtime/NumberPrototype.cpp:
1540         * runtime/NumberPrototype.h:
1541             - remove getOwnPropertyDescriptor
1542         * runtime/ObjectConstructor.cpp:
1543         (JSC::objectConstructorGetOwnPropertyDescriptor):
1544         (JSC::objectConstructorSeal):
1545         (JSC::objectConstructorFreeze):
1546         (JSC::objectConstructorIsSealed):
1547         (JSC::objectConstructorIsFrozen):
1548             - switch to call new getOwnPropertyDescriptor member function
1549         * runtime/ObjectConstructor.h:
1550             - remove getOwnPropertyDescriptor
1551         * runtime/PropertyDescriptor.h:
1552             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1553         * runtime/RegExpConstructor.cpp:
1554         * runtime/RegExpConstructor.h:
1555         * runtime/RegExpMatchesArray.cpp:
1556         * runtime/RegExpMatchesArray.h:
1557         * runtime/RegExpObject.cpp:
1558         * runtime/RegExpObject.h:
1559         * runtime/RegExpPrototype.cpp:
1560         * runtime/RegExpPrototype.h:
1561         * runtime/StringConstructor.cpp:
1562         * runtime/StringConstructor.h:
1563         * runtime/StringObject.cpp:
1564         * runtime/StringObject.h:
1565             - remove getOwnPropertyDescriptor
1566
1567 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1568
1569         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
1570
1571         Reviewed by Oliver Hunt.
1572
1573         When we flatten an object in dictionary mode, we compact its properties. If the object 
1574         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
1575         compaction its properties fit inline, the object's Structure "forgets" that the object 
1576         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
1577         with bytes = 0, which causes all sorts of badness in CopiedSpace.
1578
1579         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
1580         Butterfly pointer so that the GC doesn't get confused later.
1581
1582         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
1583         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
1584         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
1585         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
1586
1587         * heap/SlotVisitorInlines.h:
1588         (JSC::SlotVisitor::copyLater):
1589         * runtime/JSObject.cpp:
1590         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1591         (JSC::JSObject::convertUndecidedToInt32):
1592         (JSC::JSObject::convertUndecidedToDouble):
1593         (JSC::JSObject::convertUndecidedToContiguous):
1594         (JSC::JSObject::convertInt32ToDouble):
1595         (JSC::JSObject::convertInt32ToContiguous):
1596         (JSC::JSObject::genericConvertDoubleToContiguous):
1597         (JSC::JSObject::switchToSlowPutArrayStorage):
1598         (JSC::JSObject::setPrototype):
1599         (JSC::JSObject::putDirectAccessor):
1600         (JSC::JSObject::seal):
1601         (JSC::JSObject::freeze):
1602         (JSC::JSObject::preventExtensions):
1603         (JSC::JSObject::reifyStaticFunctionsForDelete):
1604         (JSC::JSObject::removeDirect):
1605         * runtime/JSObject.h:
1606         (JSC::JSObject::setButterfly):
1607         (JSC::JSObject::putDirectInternal):
1608         (JSC::JSObject::setStructure):
1609         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1610         * runtime/Structure.cpp:
1611         (JSC::Structure::flattenDictionaryStructure):
1612
1613 2013-08-20  Alex Christensen  <achristensen@apple.com>
1614
1615         Compile fix for Win64 after r154156.
1616
1617         Rubber stamped by Oliver Hunt.
1618
1619         * jit/JITStubsMSVC64.asm:
1620         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
1621         cti_vm_throw_slowpath to cti_vm_handle_exception.
1622
1623 2013-08-20  Alex Christensen  <achristensen@apple.com>
1624
1625         <https://webkit.org/b/120076> More work towards a Win64 build
1626
1627         Reviewed by Brent Fulgham.
1628
1629         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1630         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1631         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1632         * JavaScriptCore.vcxproj/copy-files.cmd:
1633         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
1634         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1635         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
1636
1637 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1638
1639         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1640
1641         Reviewed by Geoffrey Garen.
1642
1643         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
1644         initializeLazyWriteBarrierFor* wrapper functions more sane. 
1645
1646         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
1647         and index when triggering the WriteBarrier at the end of compilation. 
1648
1649         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
1650         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
1651         little extra work that really shouldn't have been its responsibility.
1652
1653         * dfg/DFGByteCodeParser.cpp:
1654         (JSC::DFG::ByteCodeParser::addConstant):
1655         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1656         * dfg/DFGDesiredWriteBarriers.cpp:
1657         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1658         (JSC::DFG::DesiredWriteBarrier::trigger):
1659         * dfg/DFGDesiredWriteBarriers.h:
1660         (JSC::DFG::DesiredWriteBarriers::add):
1661         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
1662         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
1663         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1664         * dfg/DFGFixupPhase.cpp:
1665         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1666         * dfg/DFGGraph.h:
1667         (JSC::DFG::Graph::constantRegisterForConstant):
1668
1669 2013-08-20  Michael Saboff  <msaboff@apple.com>
1670
1671         https://bugs.webkit.org/show_bug.cgi?id=120075
1672         REGRESSION (r128400): BBC4 website not displaying pictures
1673
1674         Reviewed by Oliver Hunt.
1675
1676         * runtime/RegExpMatchesArray.h:
1677         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
1678         so that the match results will be reified before any other modification to the results array.
1679
1680 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
1681
1682         Incorrect behavior on emscripten-compiled cube2hash
1683         https://bugs.webkit.org/show_bug.cgi?id=120033
1684
1685         Reviewed by Mark Hahnenberg.
1686         
1687         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
1688         then we should bail attempts to CSE.
1689
1690         * dfg/DFGCSEPhase.cpp:
1691         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1692         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1693
1694 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1695
1696         https://bugs.webkit.org/show_bug.cgi?id=120073
1697         Remove use of GOPD from JSFunction::defineProperty
1698
1699         Reviewed by Oliver Hunt.
1700
1701         Call getOwnPropertySlot to check for existing properties instead.
1702
1703         * runtime/JSFunction.cpp:
1704         (JSC::JSFunction::defineOwnProperty):
1705             - getOwnPropertyDescriptor -> getOwnPropertySlot
1706
1707 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1708
1709         https://bugs.webkit.org/show_bug.cgi?id=120067
1710         Remove getPropertyDescriptor
1711
1712         Reviewed by Oliver Hunt.
1713
1714         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
1715         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
1716
1717         * runtime/JSObject.cpp:
1718         * runtime/JSObject.h:
1719             - remove getPropertyDescriptor
1720         * runtime/ObjectPrototype.cpp:
1721         (JSC::objectProtoFuncLookupGetter):
1722         (JSC::objectProtoFuncLookupSetter):
1723             - replace call to getPropertyDescriptor with getPropertySlot
1724         * runtime/PropertyDescriptor.h:
1725         * runtime/PropertySlot.h:
1726         (JSC::PropertySlot::isAccessor):
1727         (JSC::PropertySlot::isCacheableGetter):
1728         (JSC::PropertySlot::getterSetter):
1729             - rename isGetter() to isAccessor()
1730
1731 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1732
1733         https://bugs.webkit.org/show_bug.cgi?id=120054
1734         Remove some dead code following getOwnPropertyDescriptor cleanup
1735
1736         Reviewed by Oliver Hunt.
1737
1738         * runtime/Lookup.h:
1739         (JSC::getStaticFunctionSlot):
1740             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
1741
1742 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1743
1744         https://bugs.webkit.org/show_bug.cgi?id=120052
1745         Remove custom getOwnPropertyDescriptor for JSProxy
1746
1747         Reviewed by Geoff Garen.
1748
1749         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
1750         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
1751         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
1752         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
1753         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
1754
1755         * runtime/JSProxy.cpp:
1756             - Remove custom getOwnPropertyDescriptor implementation.
1757         * runtime/PropertyDescriptor.h:
1758             - Modify own property access check to perform toThis conversion.
1759
1760 2013-08-20  Alex Christensen  <achristensen@apple.com>
1761
1762         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
1763         https://bugs.webkit.org/show_bug.cgi?id=119512
1764
1765         Reviewed by Brent Fulgham.
1766
1767         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1768         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1769         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1770         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1771         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1772         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1773         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1774         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
1775
1776 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
1777
1778         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
1779
1780         Reviewed by Allan Sandfeld Jensen.
1781
1782         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
1783         instructions and two constants now that DFG is enabled for sh4 architecture.
1784         These missing ensureSpace calls lead to random crashes.
1785
1786         * assembler/MacroAssemblerSH4.h:
1787         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
1788
1789 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
1790
1791         https://bugs.webkit.org/show_bug.cgi?id=120034
1792         Remove custom getOwnPropertyDescriptor for global objects
1793
1794         Reviewed by Geoff Garen.
1795
1796         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
1797
1798         * runtime/JSGlobalObject.cpp:
1799             - Remove custom getOwnPropertyDescriptor implementation.
1800         * runtime/JSSymbolTableObject.h:
1801         (JSC::symbolTableGet):
1802             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
1803         * runtime/PropertyDescriptor.h:
1804             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
1805         * runtime/PropertySlot.h:
1806         (JSC::PropertySlot::setUndefined):
1807             - This is used by WebCore when blocking access to properties on cross-frame access.
1808               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
1809
1810 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
1811
1812         DFG should inline typedArray.byteOffset
1813         https://bugs.webkit.org/show_bug.cgi?id=119962
1814
1815         Reviewed by Oliver Hunt.
1816         
1817         This adds a new node, GetTypedArrayByteOffset, which inlines
1818         typedArray.byteOffset.
1819         
1820         Also, I improved a bunch of the clobbering logic related to typed arrays
1821         and clobbering in general. For example, PutByOffset/PutStructure are not
1822         clobber-world so they can be handled by most default cases in CSE. Also,
1823         it's better to use the 'Class_field' notation for typed arrays now that
1824         they no longer involve magical descriptor thingies.
1825
1826         * bytecode/SpeculatedType.h:
1827         * dfg/DFGAbstractHeap.h:
1828         * dfg/DFGAbstractInterpreterInlines.h:
1829         (JSC::DFG::::executeEffects):
1830         * dfg/DFGArrayMode.h:
1831         (JSC::DFG::neverNeedsStorage):
1832         * dfg/DFGCSEPhase.cpp:
1833         (JSC::DFG::CSEPhase::getByValLoadElimination):
1834         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1835         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1836         (JSC::DFG::CSEPhase::checkArrayElimination):
1837         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
1838         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
1839         (JSC::DFG::CSEPhase::performNodeCSE):
1840         * dfg/DFGClobberize.h:
1841         (JSC::DFG::clobberize):
1842         * dfg/DFGFixupPhase.cpp:
1843         (JSC::DFG::FixupPhase::fixupNode):
1844         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1845         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1846         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1847         * dfg/DFGNodeType.h:
1848         * dfg/DFGPredictionPropagationPhase.cpp:
1849         (JSC::DFG::PredictionPropagationPhase::propagate):
1850         * dfg/DFGSafeToExecute.h:
1851         (JSC::DFG::safeToExecute):
1852         * dfg/DFGSpeculativeJIT.cpp:
1853         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1854         * dfg/DFGSpeculativeJIT.h:
1855         * dfg/DFGSpeculativeJIT32_64.cpp:
1856         (JSC::DFG::SpeculativeJIT::compile):
1857         * dfg/DFGSpeculativeJIT64.cpp:
1858         (JSC::DFG::SpeculativeJIT::compile):
1859         * dfg/DFGTypeCheckHoistingPhase.cpp:
1860         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1861         * runtime/ArrayBuffer.h:
1862         (JSC::ArrayBuffer::offsetOfData):
1863         * runtime/Butterfly.h:
1864         (JSC::Butterfly::offsetOfArrayBuffer):
1865         * runtime/IndexingHeader.h:
1866         (JSC::IndexingHeader::offsetOfArrayBuffer):
1867
1868 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
1869
1870         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
1871
1872         Reviewed by Geoffrey Garen.
1873
1874         * dfg/DFGByteCodeParser.cpp:
1875         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1876
1877 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
1878
1879         https://bugs.webkit.org/show_bug.cgi?id=119995
1880         Start removing custom implementations of getOwnPropertyDescriptor
1881
1882         Reviewed by Oliver Hunt.
1883
1884         This can now typically be implemented in terms of getOwnPropertySlot.
1885         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
1886         Switch over most classes in JSC & the WebCore bindings generator to use this.
1887
1888         * API/JSCallbackObjectFunctions.h:
1889         * debugger/DebuggerActivation.cpp:
1890         * runtime/Arguments.cpp:
1891         * runtime/ArrayConstructor.cpp:
1892         * runtime/ArrayPrototype.cpp:
1893         * runtime/BooleanPrototype.cpp:
1894         * runtime/DateConstructor.cpp:
1895         * runtime/DatePrototype.cpp:
1896         * runtime/ErrorPrototype.cpp:
1897         * runtime/JSActivation.cpp:
1898         * runtime/JSArray.cpp:
1899         * runtime/JSArrayBuffer.cpp:
1900         * runtime/JSArrayBufferView.cpp:
1901         * runtime/JSCell.cpp:
1902         * runtime/JSDataView.cpp:
1903         * runtime/JSDataViewPrototype.cpp:
1904         * runtime/JSFunction.cpp:
1905         * runtime/JSGenericTypedArrayViewInlines.h:
1906         * runtime/JSNotAnObject.cpp:
1907         * runtime/JSONObject.cpp:
1908         * runtime/JSObject.cpp:
1909         * runtime/NamePrototype.cpp:
1910         * runtime/NumberConstructor.cpp:
1911         * runtime/NumberPrototype.cpp:
1912         * runtime/ObjectConstructor.cpp:
1913             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1914         * runtime/PropertyDescriptor.h:
1915             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
1916         * runtime/PropertySlot.h:
1917         (JSC::PropertySlot::isValue):
1918         (JSC::PropertySlot::isGetter):
1919         (JSC::PropertySlot::isCustom):
1920         (JSC::PropertySlot::isCacheableValue):
1921         (JSC::PropertySlot::isCacheableGetter):
1922         (JSC::PropertySlot::isCacheableCustom):
1923         (JSC::PropertySlot::attributes):
1924         (JSC::PropertySlot::getterSetter):
1925             - Add accessors necessary to convert PropertySlot to descriptor.
1926         * runtime/RegExpConstructor.cpp:
1927         * runtime/RegExpMatchesArray.cpp:
1928         * runtime/RegExpMatchesArray.h:
1929         * runtime/RegExpObject.cpp:
1930         * runtime/RegExpPrototype.cpp:
1931         * runtime/StringConstructor.cpp:
1932         * runtime/StringObject.cpp:
1933             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1934
1935 2013-08-19  Michael Saboff  <msaboff@apple.com>
1936
1937         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
1938
1939         Reviewed by Sam Weinig.
1940
1941         * dfg/DFGSpeculativeJIT32_64.cpp:
1942         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
1943         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
1944         all versions of fillSpeculateBoolean().
1945
1946 2013-08-19  Michael Saboff  <msaboff@apple.com>
1947
1948         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
1949
1950         Reviewed by Benjamin Poulain.
1951
1952         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
1953         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
1954
1955         * assembler/MacroAssemblerX86Common.h:
1956         (JSC::MacroAssemblerX86Common::branchTest32):
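The register-numbering detail behind the entry above, as an added illustration that is not JavaScriptCore's MacroAssembler code: a constructed, minimal encoder for `test reg, imm` in its pre-fix and post-fix shapes (using only the generic F6 /0 and F7 /0 forms, not the shorter AL/EAX-specific opcodes), plus the decode table showing which 8-bit register an r/m value 4..7 really names without a REX prefix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 32-bit x86 general-purpose registers, numbered as the ModRM r/m field encodes them. */
enum Reg { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

/* Without a REX prefix (always the case in 32-bit code) an 8-bit operand with
 * r/m = 4..7 selects AH, CH, DH or BH, not the low byte of ESP/EBP/ESI/EDI. */
static const char *byteRegisterName(enum Reg rm)
{
    static const char *const names[8] = { "al", "cl", "dl", "bl", "ah", "ch", "dh", "bh" };
    return names[rm & 7];
}

typedef size_t (*TestEmitter)(uint8_t *out, enum Reg reg, uint32_t mask);

/* Register-direct ModRM: mod = 11, reg field = /0 (the TEST opcode extension), rm = register. */
static uint8_t modrmDirect(enum Reg reg)
{
    return (uint8_t)(0xC0 | (reg & 7));
}

/* TEST r/m8, imm8 is F6 /0 ib. */
static size_t emitByteTest(uint8_t *out, enum Reg reg, uint32_t mask)
{
    out[0] = 0xF6;
    out[1] = modrmDirect(reg);
    out[2] = (uint8_t)mask;
    return 3;
}

/* TEST r/m32, imm32 is F7 /0 id (immediate stored little-endian). */
static size_t emitDwordTest(uint8_t *out, enum Reg reg, uint32_t mask)
{
    out[0] = 0xF7;
    out[1] = modrmDirect(reg);
    out[2] = (uint8_t)mask;
    out[3] = (uint8_t)(mask >> 8);
    out[4] = (uint8_t)(mask >> 16);
    out[5] = (uint8_t)(mask >> 24);
    return 6;
}

/* Pre-fix shape (constructed): takes the byte form for any register whenever the
 * mask fits in 8 bits. For ESP..EDI the bytes produced actually test AH..BH. */
static size_t emitTest32Before(uint8_t *out, enum Reg reg, uint32_t mask)
{
    if ((mask & ~0xFFu) == 0)
        return emitByteTest(out, reg, mask);
    return emitDwordTest(out, reg, mask);
}

/* Post-fix shape (constructed): the byte form is only used for EAX..EBX (r/m 0..3);
 * everything else falls back to the 32-bit form, which names the intended register. */
static size_t emitTest32After(uint8_t *out, enum Reg reg, uint32_t mask)
{
    if (reg <= EBX && (mask & ~0xFFu) == 0)
        return emitByteTest(out, reg, mask);
    return emitDwordTest(out, reg, mask);
}

/* Pack an encoding into one integer (first byte most significant) so it can be compared directly. */
static uint64_t packedEncoding(TestEmitter emit, enum Reg reg, uint32_t mask)
{
    uint8_t buf[6];
    size_t n = emit(buf, reg, mask);
    uint64_t packed = 0;
    for (size_t i = 0; i < n; i++)
        packed = (packed << 8) | buf[i];
    return packed;
}

static size_t encodedLength(TestEmitter emit, enum Reg reg, uint32_t mask)
{
    uint8_t buf[6];
    return emit(buf, reg, mask);
}
```

For ESP with mask 1 the pre-fix shape yields F6 C4 01, which decodes as `test ah, 1`; the post-fix shape yields F7 C4 01 00 00 00, a genuine `test esp, 1`.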
1957
1958 2013-08-16  Oliver Hunt  <oliver@apple.com>
1959
1960         <https://webkit.org/b/119860> Crash during exception unwinding
1961
1962         Reviewed by Filip Pizlo.
1963
1964         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
1965         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
1966
1967         We need this so that Throw and ThrowReferenceError no longer need to be treated as
1968         terminals and the subsequent flush keeps the activation (and other registers) live.
1969
1970         * dfg/DFGAbstractInterpreterInlines.h:
1971         (JSC::DFG::::executeEffects):
1972         * dfg/DFGByteCodeParser.cpp:
1973         (JSC::DFG::ByteCodeParser::parseBlock):
1974         * dfg/DFGClobberize.h:
1975         (JSC::DFG::clobberize):
1976         * dfg/DFGFixupPhase.cpp:
1977         (JSC::DFG::FixupPhase::fixupNode):
1978         * dfg/DFGNode.h:
1979         (JSC::DFG::Node::isTerminal):
1980         * dfg/DFGNodeType.h:
1981         * dfg/DFGPredictionPropagationPhase.cpp:
1982         (JSC::DFG::PredictionPropagationPhase::propagate):
1983         * dfg/DFGSafeToExecute.h:
1984         (JSC::DFG::safeToExecute):
1985         * dfg/DFGSpeculativeJIT32_64.cpp:
1986         (JSC::DFG::SpeculativeJIT::compile):
1987         * dfg/DFGSpeculativeJIT64.cpp:
1988         (JSC::DFG::SpeculativeJIT::compile):
1989
1990 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
1991
1992         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
1993
1994         Reviewed by Oliver Hunt.
1995
1996         Guard the compilation of these files only if DFG_JIT is enabled.
1997
1998         * dfg/DFGDesiredTransitions.cpp:
1999         * dfg/DFGDesiredTransitions.h:
2000         * dfg/DFGDesiredWeakReferences.cpp:
2001         * dfg/DFGDesiredWeakReferences.h:
2002         * dfg/DFGDesiredWriteBarriers.cpp:
2003         * dfg/DFGDesiredWriteBarriers.h:
2004
2005 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2006
2007         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
2008         https://bugs.webkit.org/show_bug.cgi?id=119961
2009
2010         Reviewed by Mark Hahnenberg.
2011
2012         * dfg/DFGFixupPhase.cpp:
2013         (JSC::DFG::FixupPhase::fixupNode):
2014
2015 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2016
2017         https://bugs.webkit.org/show_bug.cgi?id=119972
2018         Add attributes field to PropertySlot
2019
2020         Reviewed by Geoff Garen.
2021
2022         For all JSC types, this makes getOwnPropertyDescriptor redundant.
2023         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
2024         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
2025
2026         No performance impact.
2027
2028         * runtime/PropertySlot.h:
2029         (JSC::PropertySlot::setValue):
2030         (JSC::PropertySlot::setCustom):
2031         (JSC::PropertySlot::setCacheableCustom):
2032         (JSC::PropertySlot::setCustomIndex):
2033         (JSC::PropertySlot::setGetterSlot):
2034         (JSC::PropertySlot::setCacheableGetterSlot):
2035             - These methods now all require 'attributes'.
2036         * runtime/JSObject.h:
2037         (JSC::JSObject::getDirect):
2038         (JSC::JSObject::getDirectOffset):
2039         (JSC::JSObject::inlineGetOwnPropertySlot):
2040             - Added variants of getDirect, getDirectOffset that return the attributes.
2041         * API/JSCallbackObjectFunctions.h:
2042         (JSC::::getOwnPropertySlot):
2043         * runtime/Arguments.cpp:
2044         (JSC::Arguments::getOwnPropertySlotByIndex):
2045         (JSC::Arguments::getOwnPropertySlot):
2046         * runtime/JSActivation.cpp:
2047         (JSC::JSActivation::symbolTableGet):
2048         (JSC::JSActivation::getOwnPropertySlot):
2049         * runtime/JSArray.cpp:
2050         (JSC::JSArray::getOwnPropertySlot):
2051         * runtime/JSArrayBuffer.cpp:
2052         (JSC::JSArrayBuffer::getOwnPropertySlot):
2053         * runtime/JSArrayBufferView.cpp:
2054         (JSC::JSArrayBufferView::getOwnPropertySlot):
2055         * runtime/JSDataView.cpp:
2056         (JSC::JSDataView::getOwnPropertySlot):
2057         * runtime/JSFunction.cpp:
2058         (JSC::JSFunction::getOwnPropertySlot):
2059         * runtime/JSGenericTypedArrayViewInlines.h:
2060         (JSC::::getOwnPropertySlot):
2061         (JSC::::getOwnPropertySlotByIndex):
2062         * runtime/JSObject.cpp:
2063         (JSC::JSObject::getOwnPropertySlotByIndex):
2064         (JSC::JSObject::fillGetterPropertySlot):
2065         * runtime/JSString.h:
2066         (JSC::JSString::getStringPropertySlot):
2067         * runtime/JSSymbolTableObject.h:
2068         (JSC::symbolTableGet):
2069         * runtime/Lookup.cpp:
2070         (JSC::setUpStaticFunctionSlot):
2071         * runtime/Lookup.h:
2072         (JSC::getStaticPropertySlot):
2073         (JSC::getStaticPropertyDescriptor):
2074         (JSC::getStaticValueSlot):
2075         (JSC::getStaticValueDescriptor):
2076         * runtime/RegExpObject.cpp:
2077         (JSC::RegExpObject::getOwnPropertySlot):
2078         * runtime/SparseArrayValueMap.cpp:
2079         (JSC::SparseArrayEntry::get):
2080             - Pass attributes to PropertySlot::set* methods.
2081
2082 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2083
2084         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2085
2086         Reviewed by Filip Pizlo.
2087
2088         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
2089         Vector of WriteBarriers rather than the specific address. The fact that we were 
2090         arbitrarily storing into a Vector's backing store for constants at the end of 
2091         compilation after the Vector could have resized was causing crashes.
2092
2093         * bytecode/CodeBlock.h:
2094         (JSC::CodeBlock::constants):
2095         (JSC::CodeBlock::addConstantLazily):
2096         * dfg/DFGByteCodeParser.cpp:
2097         (JSC::DFG::ByteCodeParser::addConstant):
2098         * dfg/DFGDesiredWriteBarriers.cpp:
2099         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2100         (JSC::DFG::DesiredWriteBarrier::trigger):
2101         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2102         * dfg/DFGDesiredWriteBarriers.h:
2103         (JSC::DFG::DesiredWriteBarriers::add):
2104         * dfg/DFGFixupPhase.cpp:
2105         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2106         * dfg/DFGGraph.h:
2107         (JSC::DFG::Graph::constantRegisterForConstant):
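
The hazard this entry fixes, as an added example that is not WebKit's code: a deferred store that remembers an element's address is invalidated by any later growth of the Vector, while one that remembers (vector, index) resolves the slot only when triggered. The struct and function names are this example's own, and the cell and slot types are stand-ins constructed for it.

```cpp
// Added example, not WebKit code: why a deferred store into a Vector must be
// recorded as (vector, index) rather than as the element's address.
#include <cstddef>
#include <vector>

// Stand-in for a GC cell (constructed for this example).
struct Cell { int id; };

// A cell to store through in the demonstrations below (constructed).
static Cell g_sampleCell{7};

// Stand-in for JSC's WriteBarrier<T>: a slot whose store must be reported to
// the GC. Here the "barrier" just counts how often the slot was set.
struct BarrierSlot {
    Cell* value = nullptr;
    int barrierCount = 0;
    void set(Cell* c) { value = c; ++barrierCount; }
};

// Buggy shape: remembers the slot's address at the time the lazy barrier was
// created. A later push_back that reallocates the vector leaves this pointer
// dangling, so trigger() would write into freed memory.
struct DesiredWriteBarrierByAddress {
    BarrierSlot* slot;
    Cell* cell;
    void trigger() { slot->set(cell); }
};

// Fixed shape (the mode the entry above describes): remembers the vector and
// the position, and resolves the slot only when the barrier is triggered,
// after all resizing during compilation is done.
struct DesiredWriteBarrierByIndex {
    std::vector<BarrierSlot>* constants;
    size_t index;
    Cell* cell;
    void trigger() { (*constants)[index].set(cell); }
};

// Simulated compilation: register a lazy barrier for constant 0, add more
// constants (which may reallocate), then trigger the barrier at the end.
// Returns true if the store landed on the live slot exactly once.
bool compileWithIndexBarrier(size_t extraConstants, Cell* cell) {
    std::vector<BarrierSlot> constants;
    constants.emplace_back();
    DesiredWriteBarrierByIndex barrier{&constants, 0, cell};
    for (size_t i = 0; i < extraConstants; ++i)
        constants.emplace_back();            // index 0 stays valid across growth
    barrier.trigger();
    return constants[0].value == cell && constants[0].barrierCount == 1;
}

// Same simulation with the address-based barrier. The remembered pointer is
// compared with the vector's current storage before use, so the demonstration
// stays memory-safe; returns true only if no reallocation invalidated it.
bool compileWithAddressBarrierStayedValid(size_t extraConstants, Cell* cell) {
    std::vector<BarrierSlot> constants;
    constants.emplace_back();
    DesiredWriteBarrierByAddress barrier{&constants[0], cell};
    for (size_t i = 0; i < extraConstants; ++i)
        constants.emplace_back();            // growth moves the elements
    bool stillValid = barrier.slot == &constants[0];
    if (stillValid)
        barrier.trigger();                   // safe only because nothing moved
    return stillValid;
}
```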
2108
2109 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2110
2111         DFG should optimize typedArray.byteLength
2112         https://bugs.webkit.org/show_bug.cgi?id=119909
2113
2114         Reviewed by Oliver Hunt.
2115         
2116         This adds typedArray.byteLength inlining to the DFG, and does so without changing
2117         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2118         legal since the byteLength of a typed array cannot exceed
2119         numeric_limits<int32_t>::max().
2120
2121         * bytecode/SpeculatedType.cpp:
2122         (JSC::typedArrayTypeFromSpeculation):
2123         * bytecode/SpeculatedType.h:
2124         * dfg/DFGArrayMode.cpp:
2125         (JSC::DFG::toArrayType):
2126         * dfg/DFGArrayMode.h:
2127         * dfg/DFGFixupPhase.cpp:
2128         (JSC::DFG::FixupPhase::fixupNode):
2129         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2130         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2131         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2132         (JSC::DFG::FixupPhase::prependGetArrayLength):
2133         * dfg/DFGGraph.h:
2134         (JSC::DFG::Graph::constantRegisterForConstant):
2135         (JSC::DFG::Graph::convertToConstant):
2136         * runtime/TypedArrayType.h:
2137         (JSC::logElementSize):
2138         (JSC::elementSize):
2139
2140 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2141
2142         DFG optimizes out strict mode arguments tear off
2143         https://bugs.webkit.org/show_bug.cgi?id=119504
2144
2145         Reviewed by Mark Hahnenberg and Oliver Hunt.
2146         
2147         Don't do the optimization for strict mode.
2148
2149         * dfg/DFGArgumentsSimplificationPhase.cpp:
2150         (JSC::DFG::ArgumentsSimplificationPhase::run):
2151         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2152
2153 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
2154
2155         [JSC] x86: improve code generation for xxxTest32
2156         https://bugs.webkit.org/show_bug.cgi?id=119876
2157
2158         Reviewed by Geoffrey Garen.
2159
2160         Try to use testb whenever possible when testing for an immediate value.
2161
2162         When the input is an address and an offset, we can tweak the mask
2163         and offset to be able to generate testb for any byte of the mask.
2164
2165         When the input is a register, we can use testb if we are only interested
2166         in testing the low bits.
2167
2168         * assembler/MacroAssemblerX86Common.h:
2169         (JSC::MacroAssemblerX86Common::branchTest32):
2170         (JSC::MacroAssemblerX86Common::test32):
2171         (JSC::MacroAssemblerX86Common::generateTest32):
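
The narrowing this entry describes, as an added example in portable C++ that is not WebKit's code: a 32-bit test against an immediate mask becomes a one-byte testb when every set bit of the mask lies in a single byte, by adjusting the displacement for a memory operand or, for a register, only when the mask fits the low byte. The type and function names are this example's own; it models the decision and checks it against the 32-bit semantics rather than emitting machine code.

```cpp
// Added example, not WebKit code: deciding when a 32-bit test against an
// immediate mask can be narrowed to testb, and checking the result.
#include <cstdint>

// Which instruction to emit. Names are this example's own.
struct TestInstruction {
    enum Kind { Test32, Test8 } kind;
    int32_t offset;   // displacement to use when the operand is in memory
    uint8_t mask8;    // immediate for Test8
};

// Index (0..3) of the single byte holding every set bit of mask, or -1 when
// the set bits span more than one byte or mask is zero.
int singleByteIndex(uint32_t mask) {
    if (!mask)
        return -1;
    for (int i = 0; i < 4; ++i) {
        uint32_t byteMask = 0xffu << (8 * i);
        if ((mask & byteMask) == mask)
            return i;
    }
    return -1;
}

// Memory operand: test32 reads a little-endian 32-bit value at base+offset,
// so byte i of that value lives at base+offset+i. A mask confined to byte i
// becomes "testb $(mask >> 8*i), (offset+i)(base)".
TestInstruction narrowMemoryTest32(int32_t offset, uint32_t mask) {
    int i = singleByteIndex(mask);
    if (i < 0)
        return {TestInstruction::Test32, offset, 0};
    return {TestInstruction::Test8, offset + i, static_cast<uint8_t>(mask >> (8 * i))};
}

// Register operand: only the low byte of a register has a byte-register form,
// so testb is usable only when the mask fits in the low 8 bits. (On 32-bit
// x86 only eax..ebx have such a form; register choice is ignored here.)
TestInstruction narrowRegisterTest32(uint32_t mask) {
    if (mask && (mask & 0xffu) == mask)
        return {TestInstruction::Test8, 0, static_cast<uint8_t>(mask)};
    return {TestInstruction::Test32, 0, 0};
}

// Checks that the narrowed memory test answers "is any masked bit set?"
// exactly like test32, for a 32-bit value stored little-endian at offset.
bool narrowedMemoryTestMatches(int32_t offset, uint32_t mask, uint32_t value) {
    bool expected = (value & mask) != 0;
    TestInstruction insn = narrowMemoryTest32(offset, mask);
    if (insn.kind == TestInstruction::Test32)
        return true;                                   // unchanged instruction
    int byteIndex = insn.offset - offset;              // which byte was selected
    uint8_t byte = static_cast<uint8_t>(value >> (8 * byteIndex));
    return expected == ((byte & insn.mask8) != 0);
}

// Self check over constructed masks and values; true when every narrowing
// agrees with the 32-bit test.
bool selfCheck() {
    const uint32_t masks[] = {0x01, 0x80, 0x100, 0x00ff0000, 0x80000000u, 0x0000ff01, 0xffffffffu};
    const uint32_t values[] = {0, 1, 0x80, 0xff, 0x100, 0x10000, 0xff0000,
                               0x80000000u, 0x12345678, 0xffffffffu};
    for (uint32_t mask : masks)
        for (uint32_t value : values)
            if (!narrowedMemoryTestMatches(-8, mask, value))
                return false;
    return true;
}
```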
2172
2173 2013-08-16  Mark Lam  <mark.lam@apple.com>
2174
2175         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
2176         error message that an object is not a constructor though it expects a function
2177
2178         Reviewed by Michael Saboff.
2179
2180         * jit/JITStubs.cpp:
2181         (JSC::DEFINE_STUB_FUNCTION):
2182
2183 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2184
2185         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
2186         https://bugs.webkit.org/show_bug.cgi?id=119897
2187
2188         Reviewed by Oliver Hunt.
2189         
2190         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
2191         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
2192         to turn objects into dictionaries when you're storing using bracket syntax or using
2193         eval is still in place.
2194
2195         * bytecode/CodeBlock.h:
2196         (JSC::CodeBlock::putByIdContext):
2197         * dfg/DFGOperations.cpp:
2198         * jit/JITStubs.cpp:
2199         (JSC::DEFINE_STUB_FUNCTION):
2200         * llint/LLIntSlowPaths.cpp:
2201         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2202         * runtime/JSObject.h:
2203         (JSC::JSObject::putDirectInternal):
2204         * runtime/PutPropertySlot.h:
2205         (JSC::PutPropertySlot::PutPropertySlot):
2206         (JSC::PutPropertySlot::context):
2207         * runtime/Structure.cpp:
2208         (JSC::Structure::addPropertyTransition):
2209         * runtime/Structure.h:
2210
2211 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
2212
2213         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
2214
2215         Reviewed by Allan Sandfeld Jensen.
2216
2217         ctiVMHandleException must jump/return using register ra (r31).
2218
2219         * jit/JITStubsMIPS.h:
2220
2221 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
2222
2223         <https://webkit.org/b/119879> Fix sh4 build after r154156.
2224
2225         Reviewed by Allan Sandfeld Jensen.
2226
2227         Fix typo in JITStubsSH4.h file.
2228
2229         * jit/JITStubsSH4.h:
2230
2231 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2232
2233         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
2234
2235         Reviewed by Oliver Hunt.
2236
2237         The concurrent compilation thread should interact minimally with the Heap, including not 
2238         triggering WriteBarriers. This is a prerequisite for generational GC.
2239
2240         * JavaScriptCore.xcodeproj/project.pbxproj:
2241         * bytecode/CodeBlock.cpp:
2242         (JSC::CodeBlock::addOrFindConstant):
2243         (JSC::CodeBlock::findConstant):
2244         * bytecode/CodeBlock.h:
2245         (JSC::CodeBlock::addConstantLazily):
2246         * dfg/DFGByteCodeParser.cpp:
2247         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
2248         (JSC::DFG::ByteCodeParser::constantUndefined):
2249         (JSC::DFG::ByteCodeParser::constantNull):
2250         (JSC::DFG::ByteCodeParser::one):
2251         (JSC::DFG::ByteCodeParser::constantNaN):
2252         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2253         * dfg/DFGCommonData.cpp:
2254         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2255         * dfg/DFGCommonData.h:
2256         * dfg/DFGDesiredTransitions.cpp: Added.
2257         (JSC::DFG::DesiredTransition::DesiredTransition):
2258         (JSC::DFG::DesiredTransition::reallyAdd):
2259         (JSC::DFG::DesiredTransitions::DesiredTransitions):
2260         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
2261         (JSC::DFG::DesiredTransitions::addLazily):
2262         (JSC::DFG::DesiredTransitions::reallyAdd):
2263         * dfg/DFGDesiredTransitions.h: Added.
2264         * dfg/DFGDesiredWeakReferences.cpp: Added.
2265         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2266         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
2267         (JSC::DFG::DesiredWeakReferences::addLazily):
2268         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2269         * dfg/DFGDesiredWeakReferences.h: Added.
2270         * dfg/DFGDesiredWriteBarriers.cpp: Added.
2271         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2272         (JSC::DFG::DesiredWriteBarrier::trigger):
2273         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
2274         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
2275         (JSC::DFG::DesiredWriteBarriers::addImpl):
2276         (JSC::DFG::DesiredWriteBarriers::trigger):
2277         * dfg/DFGDesiredWriteBarriers.h: Added.
2278         (JSC::DFG::DesiredWriteBarriers::add):
2279         (JSC::DFG::initializeLazyWriteBarrier):
2280         * dfg/DFGFixupPhase.cpp:
2281         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2282         * dfg/DFGGraph.h:
2283         (JSC::DFG::Graph::convertToConstant):
2284         * dfg/DFGJITCompiler.h:
2285         (JSC::DFG::JITCompiler::addWeakReference):
2286         * dfg/DFGPlan.cpp:
2287         (JSC::DFG::Plan::Plan):
2288         (JSC::DFG::Plan::reallyAdd):
2289         * dfg/DFGPlan.h:
2290         * dfg/DFGSpeculativeJIT32_64.cpp:
2291         (JSC::DFG::SpeculativeJIT::compile):
2292         * dfg/DFGSpeculativeJIT64.cpp:
2293         (JSC::DFG::SpeculativeJIT::compile):
2294         * runtime/WriteBarrier.h:
2295         (JSC::WriteBarrierBase::set):
2296         (JSC::WriteBarrier::WriteBarrier):
2297
2298 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2299
2300         Fix x86 32bits build after r154158
2301
2302         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
2303
2304 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2305
2306         Build fix attempt after r154156.
2307
2308         * jit/JITStubs.cpp:
2309         (JSC::cti_vm_handle_exception): encode!
2310
2311 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2312
2313         [JSC] x86: Use inc and dec when possible
2314         https://bugs.webkit.org/show_bug.cgi?id=119831
2315
2316         Reviewed by Geoffrey Garen.
2317
2318         When incrementing or decrementing by an immediate of 1, use the instructions
2319         inc and dec instead of add and sub.
2320         The instructions have good timing and their encoding is smaller.
2321
2322         * assembler/MacroAssemblerX86Common.h:
2323         (JSC::MacroAssemblerX86_64::add32):
2324         (JSC::MacroAssemblerX86_64::sub32):
2325         * assembler/MacroAssemblerX86_64.h:
2326         (JSC::MacroAssemblerX86_64::add64):
2327         (JSC::MacroAssemblerX86_64::sub64):
2328         * assembler/X86Assembler.h:
2329         (JSC::X86Assembler::dec_r):
2330         (JSC::X86Assembler::decq_r):
2331         (JSC::X86Assembler::inc_r):
2332         (JSC::X86Assembler::incq_r):
2333
2334 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2335
2336         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
2337         https://bugs.webkit.org/show_bug.cgi?id=119874
2338
2339         Reviewed by Oliver Hunt and Mark Hahnenberg.
2340         
2341         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
2342         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
2343         sometimes for typed array length accesses, and the FixupPhase assuming that a
2344         ForceExit ArrayMode means that it should continue using a generic GetById.
2345
2346         This fixes the confusion.
2347
2348         * dfg/DFGFixupPhase.cpp:
2349         (JSC::DFG::FixupPhase::fixupNode):
2350
2351 2013-08-15  Mark Lam  <mark.lam@apple.com>
2352
2353         Fix crash when performing activation tearoff.
2354         https://bugs.webkit.org/show_bug.cgi?id=119848
2355
2356         Reviewed by Oliver Hunt.
2357
2358         The activation tearoff crash was due to a bug in the baseline JIT.
2359         If we have a scenario where a baseline JIT frame calls a LLINT
2360         frame, an exception may be thrown while in the LLINT.
2361
2362         Interpreter::throwException() which handles the exception will unwind
2363         all frames until it finds a catcher or sees a host frame. When we
2364         return from the LLINT to the baseline JIT code, the baseline JIT code
2365         erroneously sets topCallFrame to the value in its call frame register,
2366         and starts unwinding the stack frames that have already been unwound.
2367
2368         The fix is:
2369         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2370            This is a more accurate description of what this runtime function
2371            is supposed to do i.e. it handles the exception, which includes doing
2372            nothing (if there are no more frames to unwind).
2373         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
2374            set on it.
2375         3. Reload the call frame register from topCallFrame when we're
2376            returning from a callee and detect that exception handling is in progress.
2377
2378         * interpreter/Interpreter.cpp:
2379         (JSC::Interpreter::unwindCallFrame):
2380         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2381         (JSC::Interpreter::getStackTrace):
2382         * interpreter/Interpreter.h:
2383         (JSC::TopCallFrameSetter::TopCallFrameSetter):
2384         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2385         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2386         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2387         * jit/JIT.h:
2388         * jit/JITExceptions.cpp:
2389         (JSC::uncaughtExceptionHandler):
2390         - Convenience function to get the handler for uncaught exceptions.
2391         * jit/JITExceptions.h:
2392         * jit/JITInlines.h:
2393         (JSC::JIT::reloadCallFrameFromTopCallFrame):
2394         * jit/JITOpcodes32_64.cpp:
2395         (JSC::JIT::privateCompileCTINativeCall):
2396         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2397         * jit/JITStubs.cpp:
2398         (JSC::throwExceptionFromOpCall):
2399         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2400         (JSC::cti_vm_handle_exception):
2401         - Check for the case when there are no more frames to unwind.
2402         * jit/JITStubs.h:
2403         * jit/JITStubsARM.h:
2404         * jit/JITStubsARMv7.h:
2405         * jit/JITStubsMIPS.h:
2406         * jit/JITStubsSH4.h:
2407         * jit/JITStubsX86.h:
2408         * jit/JITStubsX86_64.h:
2409         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2410         * jit/SlowPathCall.h:
2411         (JSC::JITSlowPathCall::call):
2412         - Reload cfr from topCallFrame when handling an exception.
2413         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2414         * jit/ThunkGenerators.cpp:
2415         (JSC::nativeForGenerator):
2416         * llint/LowLevelInterpreter32_64.asm:
2417         * llint/LowLevelInterpreter64.asm:
2418         - Reload cfr from topCallFrame when handling an exception.
2419         * runtime/VM.cpp:
2420         (JSC::VM::VM):
2421         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2422
2423 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2424
2425         Remove some code duplication.
2426         
2427         Rubber stamped by Mark Hahnenberg.
2428
2429         * runtime/JSDataViewPrototype.cpp:
2430         (JSC::getData):
2431         (JSC::setData):
2432
2433 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
2434
2435         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
2436         https://bugs.webkit.org/show_bug.cgi?id=119794
2437
2438         Reviewed by Filip Pizlo.
2439
2440         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
2441
2442         * dfg/DFGUseKind.h:
2443         (JSC::DFG::isNumerical):
2444         (JSC::DFG::isDouble):
2445
2446 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2447
2448         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
2449
2450         Rubber stamped by Oliver Hunt.
2451         
2452         This was causing some test crashes for me.
2453
2454         * dfg/DFGCapabilities.cpp:
2455         (JSC::DFG::capabilityLevel):
2456
2457 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2458
2459         [Windows] Clear up improper export declaration.
2460
2461         * runtime/ArrayBufferView.h:
2462
2463 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2464
2465         Unreviewed, remove some unnecessary periods from exceptions.
2466
2467         * runtime/JSDataViewPrototype.cpp:
2468         (JSC::getData):
2469         (JSC::setData):
2470
2471 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2472
2473         Unreviewed, fix 32-bit build.
2474
2475         * dfg/DFGSpeculativeJIT32_64.cpp:
2476         (JSC::DFG::SpeculativeJIT::compile):
2477
2478 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
2479
2480         Typed arrays should be rewritten
2481         https://bugs.webkit.org/show_bug.cgi?id=119064
2482
2483         Reviewed by Oliver Hunt.
2484         
2485         Typed arrays were previously deficient in several major ways:
2486         
2487         - They were defined separately in WebCore and in the jsc shell. The two
2488           implementations were different, and the jsc shell one was basically wrong.
2489           The WebCore one was quite awful, also.
2490         
2491         - Typed arrays were not visible to the JIT except through some weird hooks.
2492           For example, the JIT could not ask "what is the Structure that this typed
2493           array would have if I just allocated it from this global object". Also,
2494           it was difficult to wire any of the typed array intrinsics, because most
2495           of the functionality wasn't visible anywhere in JSC.
2496         
2497         - Typed array allocation was brain-dead. Allocating a typed array involved
2498           two JS objects, two GC weak handles, and three malloc allocations.
2499         
2500         - Neutering. It involved keeping tabs on all native views but not the view
2501           wrappers, even though the native views can autoneuter just by asking the
2502           buffer if it was neutered anytime you touch them; while the JS view
2503           wrappers are the ones that you really want to reach out to.
2504         
2505         - Common case-ing. Most typed arrays have one buffer and one view, and
2506           usually nobody touches the buffer. Yet we created all of that stuff
2507           anyway, using data structures optimized for the case where you had a lot
2508           of views.
2509         
2510         - Semantic goofs. Typed arrays should, in the future, behave like ES
2511           features rather than DOM features, for example when it comes to exceptions.
2512           Firefox already does this and I agree with them.
2513         
2514         This patch cleanses our codebase of these sins:
2515         
2516         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
2517           management of native references to buffers is left to WebCore.
2518         
2519         - Allocating a typed array requires either two GC allocations (a cell and a
2520           copied storage vector) or one GC allocation, a malloc allocation, and a
2521           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
2522           latter). The latter is only used for oversize arrays. Remember that before
2523           it was 7 allocations no matter what.
2524         
2525         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
2526           mode/length, void* vector. Before it was a lot more than that - remember,
2527           there were five additional objects that did absolutely nothing for anybody.
2528         
2529         - Native views aren't tracked by the buffer, or by the wrappers. They are
2530           transient. In the future we'll probably switch to not even having them be
2531           malloc'd.
2532         
2533         - Native array buffers have an efficient way of tracking all of their JS view
2534           wrappers, both for neutering, and for lifecycle management. The GC
2535           special-cases native array buffers. This saves a bunch of grief; for example
2536           it means that a JS view wrapper can refer to its buffer via the butterfly,
2537           which would be dead by the time we went to finalize.
2538         
2539         - Typed array semantics now match Firefox, which also happens to be where the
2540           standards are going. The discussion on webkit-dev seemed to confirm that
2541           Chrome is also heading in this direction. This includes making
2542           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
2543           ArrayBufferView as a JS-visible construct.
2544         
2545         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
2546         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
2547         further typed array optimizations in the JSC JITs, including inlining typed
2548         array allocation, inlining more of the accessors, reducing the cost of type
2549         checks, etc.
2550         
2551         An additional property of this patch is that typed arrays are mostly
2552         implemented using templates. This deduplicates a bunch of code, but does mean
2553         that we need some hacks for exporting s_info's of template classes. See
2554         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
2555         low-impact compared to code duplication.
2556         
2557         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
2558
2559         * CMakeLists.txt:
2560         * DerivedSources.make:
2561         * GNUmakefile.list.am:
2562         * JSCTypedArrayStubs.h: Removed.
2563         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2564         * JavaScriptCore.xcodeproj/project.pbxproj:
2565         * Target.pri:
2566         * bytecode/ByValInfo.h:
2567         (JSC::hasOptimizableIndexingForClassInfo):
2568         (JSC::jitArrayModeForClassInfo):
2569         (JSC::typedArrayTypeForJITArrayMode):
2570         * bytecode/SpeculatedType.cpp:
2571         (JSC::speculationFromClassInfo):
2572         * dfg/DFGArrayMode.cpp:
2573         (JSC::DFG::toTypedArrayType):
2574         * dfg/DFGArrayMode.h:
2575         (JSC::DFG::ArrayMode::typedArrayType):
2576         * dfg/DFGSpeculativeJIT.cpp:
2577         (JSC::DFG::SpeculativeJIT::checkArray):
2578         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2579         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2580         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2581         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2582         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2583         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2584         * dfg/DFGSpeculativeJIT.h:
2585         * dfg/DFGSpeculativeJIT32_64.cpp:
2586         (JSC::DFG::SpeculativeJIT::compile):
2587         * dfg/DFGSpeculativeJIT64.cpp:
2588         (JSC::DFG::SpeculativeJIT::compile):
2589         * heap/CopyToken.h:
2590         * heap/DeferGC.h:
2591         (JSC::DeferGCForAWhile::DeferGCForAWhile):
2592         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
2593         * heap/GCIncomingRefCounted.h: Added.
2594         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
2595         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
2596         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
2597         (JSC::GCIncomingRefCounted::incomingReferenceAt):
2598         (JSC::GCIncomingRefCounted::singletonFlag):
2599         (JSC::GCIncomingRefCounted::hasVectorOfCells):
2600         (JSC::GCIncomingRefCounted::hasAnyIncoming):
2601         (JSC::GCIncomingRefCounted::hasSingleton):
2602         (JSC::GCIncomingRefCounted::singleton):
2603         (JSC::GCIncomingRefCounted::vectorOfCells):
2604         * heap/GCIncomingRefCountedInlines.h: Added.
2605         (JSC::::addIncomingReference):
2606         (JSC::::filterIncomingReferences):
2607         * heap/GCIncomingRefCountedSet.h: Added.
2608         (JSC::GCIncomingRefCountedSet::size):
2609         * heap/GCIncomingRefCountedSetInlines.h: Added.
2610         (JSC::::GCIncomingRefCountedSet):
2611         (JSC::::~GCIncomingRefCountedSet):
2612         (JSC::::addReference):
2613         (JSC::::sweep):
2614         (JSC::::removeAll):
2615         (JSC::::removeDead):
2616         * heap/Heap.cpp:
2617         (JSC::Heap::addReference):
2618         (JSC::Heap::extraSize):
2619         (JSC::Heap::size):
2620         (JSC::Heap::capacity):
2621         (JSC::Heap::collect):
2622         (JSC::Heap::decrementDeferralDepth):
2623         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2624         * heap/Heap.h:
2625         * interpreter/CallFrame.h:
2626         (JSC::ExecState::dataViewTable):
2627         * jit/JIT.h:
2628         * jit/JITPropertyAccess.cpp:
2629         (JSC::JIT::privateCompileGetByVal):
2630         (JSC::JIT::privateCompilePutByVal):
2631         (JSC::JIT::emitIntTypedArrayGetByVal):
2632         (JSC::JIT::emitFloatTypedArrayGetByVal):
2633         (JSC::JIT::emitIntTypedArrayPutByVal):
2634         (JSC::JIT::emitFloatTypedArrayPutByVal):
2635         * jsc.cpp:
2636         (GlobalObject::finishCreation):
2637         * runtime/ArrayBuffer.cpp:
2638         (JSC::ArrayBuffer::transfer):
2639         * runtime/ArrayBuffer.h:
2640         (JSC::ArrayBuffer::createAdopted):
2641         (JSC::ArrayBuffer::ArrayBuffer):
2642         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
2643         (JSC::ArrayBuffer::pin):
2644         (JSC::ArrayBuffer::unpin):
2645         (JSC::ArrayBufferContents::tryAllocate):
2646         * runtime/ArrayBufferView.cpp:
2647         (JSC::ArrayBufferView::ArrayBufferView):
2648         (JSC::ArrayBufferView::~ArrayBufferView):
2649         (JSC::ArrayBufferView::setNeuterable):
2650         * runtime/ArrayBufferView.h:
2651         (JSC::ArrayBufferView::isNeutered):
2652         (JSC::ArrayBufferView::buffer):
2653         (JSC::ArrayBufferView::baseAddress):
2654         (JSC::ArrayBufferView::byteOffset):
2655         (JSC::ArrayBufferView::verifySubRange):
2656         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2657         (JSC::ArrayBufferView::calculateOffsetAndLength):
2658         * runtime/ClassInfo.h:
2659         * runtime/CommonIdentifiers.h:
2660         * runtime/DataView.cpp: Added.
2661         (JSC::DataView::DataView):
2662         (JSC::DataView::create):
2663         (JSC::DataView::wrap):
2664         * runtime/DataView.h: Added.
2665         (JSC::DataView::byteLength):
2666         (JSC::DataView::getType):
2667         (JSC::DataView::get):
2668         (JSC::DataView::set):
2669         * runtime/Float32Array.h:
2670         * runtime/Float64Array.h:
2671         * runtime/GenericTypedArrayView.h: Added.
2672         (JSC::GenericTypedArrayView::data):
2673         (JSC::GenericTypedArrayView::set):
2674         (JSC::GenericTypedArrayView::setRange):
2675         (JSC::GenericTypedArrayView::zeroRange):
2676         (JSC::GenericTypedArrayView::zeroFill):
2677         (JSC::GenericTypedArrayView::length):
2678         (JSC::GenericTypedArrayView::byteLength):
2679         (JSC::GenericTypedArrayView::item):
2680         (JSC::GenericTypedArrayView::checkInboundData):
2681         (JSC::GenericTypedArrayView::getType):
2682         * runtime/GenericTypedArrayViewInlines.h: Added.
2683         (JSC::::GenericTypedArrayView):
2684         (JSC::::create):
2685         (JSC::::createUninitialized):
2686         (JSC::::subarray):
2687         (JSC::::wrap):
2688         * runtime/IndexingHeader.h:
2689         (JSC::IndexingHeader::arrayBuffer):
2690         (JSC::IndexingHeader::setArrayBuffer):
2691         * runtime/Int16Array.h:
2692         * runtime/Int32Array.h:
2693         * runtime/Int8Array.h:
2694         * runtime/JSArrayBuffer.cpp: Added.
2695         (JSC::JSArrayBuffer::JSArrayBuffer):
2696         (JSC::JSArrayBuffer::finishCreation):
2697         (JSC::JSArrayBuffer::create):
2698         (JSC::JSArrayBuffer::createStructure):
2699         (JSC::JSArrayBuffer::getOwnPropertySlot):
2700         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
2701         (JSC::JSArrayBuffer::put):
2702         (JSC::JSArrayBuffer::defineOwnProperty):
2703         (JSC::JSArrayBuffer::deleteProperty):
2704         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2705         * runtime/JSArrayBuffer.h: Added.
2706         (JSC::JSArrayBuffer::impl):
2707         (JSC::toArrayBuffer):
2708         * runtime/JSArrayBufferConstructor.cpp: Added.
2709         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
2710         (JSC::JSArrayBufferConstructor::finishCreation):
2711         (JSC::JSArrayBufferConstructor::create):
2712         (JSC::JSArrayBufferConstructor::createStructure):
2713         (JSC::constructArrayBuffer):
2714         (JSC::JSArrayBufferConstructor::getConstructData):
2715         (JSC::JSArrayBufferConstructor::getCallData):
2716         * runtime/JSArrayBufferConstructor.h: Added.
2717         * runtime/JSArrayBufferPrototype.cpp: Added.
2718         (JSC::arrayBufferProtoFuncSlice):
2719         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
2720         (JSC::JSArrayBufferPrototype::finishCreation):
2721         (JSC::JSArrayBufferPrototype::create):
2722         (JSC::JSArrayBufferPrototype::createStructure):
2723         * runtime/JSArrayBufferPrototype.h: Added.
2724         * runtime/JSArrayBufferView.cpp: Added.
2725         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2726         (JSC::JSArrayBufferView::JSArrayBufferView):
2727         (JSC::JSArrayBufferView::finishCreation):
2728         (JSC::JSArrayBufferView::getOwnPropertySlot):
2729         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
2730         (JSC::JSArrayBufferView::put):
2731         (JSC::JSArrayBufferView::defineOwnProperty):
2732         (JSC::JSArrayBufferView::deleteProperty):
2733         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2734         (JSC::JSArrayBufferView::finalize):
2735         * runtime/JSArrayBufferView.h: Added.
2736         (JSC::JSArrayBufferView::sizeOf):
2737         (JSC::JSArrayBufferView::ConstructionContext::operator!):
2738         (JSC::JSArrayBufferView::ConstructionContext::structure):
2739         (JSC::JSArrayBufferView::ConstructionContext::vector):
2740         (JSC::JSArrayBufferView::ConstructionContext::length):
2741         (JSC::JSArrayBufferView::ConstructionContext::mode):
2742         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
2743         (JSC::JSArrayBufferView::mode):
2744         (JSC::JSArrayBufferView::vector):
2745         (JSC::JSArrayBufferView::length):
2746         (JSC::JSArrayBufferView::offsetOfVector):
2747         (JSC::JSArrayBufferView::offsetOfLength):
2748         (JSC::JSArrayBufferView::offsetOfMode):
2749         * runtime/JSArrayBufferViewInlines.h: Added.
2750         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
2751         (JSC::JSArrayBufferView::buffer):
2752         (JSC::JSArrayBufferView::impl):
2753         (JSC::JSArrayBufferView::neuter):
2754         (JSC::JSArrayBufferView::byteOffset):
2755         * runtime/JSCell.cpp:
2756         (JSC::JSCell::slowDownAndWasteMemory):
2757         (JSC::JSCell::getTypedArrayImpl):
2758         * runtime/JSCell.h:
2759         * runtime/JSDataView.cpp: Added.
2760         (JSC::JSDataView::JSDataView):
2761         (JSC::JSDataView::create):
2762         (JSC::JSDataView::createUninitialized):
2763         (JSC::JSDataView::set):
2764         (JSC::JSDataView::typedImpl):
2765         (JSC::JSDataView::getOwnPropertySlot):
2766         (JSC::JSDataView::getOwnPropertyDescriptor):
2767         (JSC::JSDataView::slowDownAndWasteMemory):
2768         (JSC::JSDataView::getTypedArrayImpl):
2769         (JSC::JSDataView::createStructure):
2770         * runtime/JSDataView.h: Added.
2771         * runtime/JSDataViewPrototype.cpp: Added.
2772         (JSC::JSDataViewPrototype::JSDataViewPrototype):
2773         (JSC::JSDataViewPrototype::create):
2774         (JSC::JSDataViewPrototype::createStructure):
2775         (JSC::JSDataViewPrototype::getOwnPropertySlot):
2776         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
2777         (JSC::getData):
2778         (JSC::setData):
2779         (JSC::dataViewProtoFuncGetInt8):
2780         (JSC::dataViewProtoFuncGetInt16):
2781         (JSC::dataViewProtoFuncGetInt32):
2782         (JSC::dataViewProtoFuncGetUint8):
2783         (JSC::dataViewProtoFuncGetUint16):
2784         (JSC::dataViewProtoFuncGetUint32):
2785         (JSC::dataViewProtoFuncGetFloat32):
2786         (JSC::dataViewProtoFuncGetFloat64):
2787         (JSC::dataViewProtoFuncSetInt8):
2788         (JSC::dataViewProtoFuncSetInt16):
2789         (JSC::dataViewProtoFuncSetInt32):
2790         (JSC::dataViewProtoFuncSetUint8):
2791         (JSC::dataViewProtoFuncSetUint16):
2792         (JSC::dataViewProtoFuncSetUint32):
2793         (JSC::dataViewProtoFuncSetFloat32):
2794         (JSC::dataViewProtoFuncSetFloat64):
2795         * runtime/JSDataViewPrototype.h: Added.
2796         * runtime/JSFloat32Array.h: Added.
2797         * runtime/JSFloat64Array.h: Added.
2798         * runtime/JSGenericTypedArrayView.h: Added.
2799         (JSC::JSGenericTypedArrayView::byteLength):
2800         (JSC::JSGenericTypedArrayView::byteSize):
2801         (JSC::JSGenericTypedArrayView::typedVector):
2802         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
2803         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
2804         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
2805         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
2806         (JSC::JSGenericTypedArrayView::getIndexQuickly):
2807         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
2808         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
2809         (JSC::JSGenericTypedArrayView::setIndexQuickly):
2810         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
2811         (JSC::JSGenericTypedArrayView::typedImpl):
2812         (JSC::JSGenericTypedArrayView::createStructure):
2813         (JSC::JSGenericTypedArrayView::info):
2814         (JSC::toNativeTypedView):
2815         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
2816         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
2817         (JSC::::JSGenericTypedArrayViewConstructor):
2818         (JSC::::finishCreation):
2819         (JSC::::create):
2820         (JSC::::createStructure):
2821         (JSC::constructGenericTypedArrayView):
2822         (JSC::::getConstructData):
2823         (JSC::::getCallData):
2824         * runtime/JSGenericTypedArrayViewInlines.h: Added.
2825         (JSC::::JSGenericTypedArrayView):
2826         (JSC::::create):
2827         (JSC::::createUninitialized):
2828         (JSC::::validateRange):
2829         (JSC::::setWithSpecificType):
2830         (JSC::::set):
2831         (JSC::::getOwnPropertySlot):
2832         (JSC::::getOwnPropertyDescriptor):
2833         (JSC::::put):
2834         (JSC::::defineOwnProperty):
2835         (JSC::::deleteProperty):
2836         (JSC::::getOwnPropertySlotByIndex):
2837         (JSC::::putByIndex):
2838         (JSC::::deletePropertyByIndex):
2839         (JSC::::getOwnNonIndexPropertyNames):
2840         (JSC::::getOwnPropertyNames):
2841         (JSC::::visitChildren):
2842         (JSC::::copyBackingStore):
2843         (JSC::::slowDownAndWasteMemory):
2844         (JSC::::getTypedArrayImpl):
2845         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
2846         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
2847         (JSC::genericTypedArrayViewProtoFuncSet):
2848         (JSC::genericTypedArrayViewProtoFuncSubarray):
2849         (JSC::::JSGenericTypedArrayViewPrototype):
2850         (JSC::::finishCreation):
2851         (JSC::::create):
2852         (JSC::::createStructure):
2853         * runtime/JSGlobalObject.cpp:
2854         (JSC::JSGlobalObject::reset):
2855         (JSC::JSGlobalObject::visitChildren):
2856         * runtime/JSGlobalObject.h:
2857         (JSC::JSGlobalObject::arrayBufferPrototype):
2858         (JSC::JSGlobalObject::arrayBufferStructure):
2859         (JSC::JSGlobalObject::typedArrayStructure):
2860         * runtime/JSInt16Array.h: Added.
2861         * runtime/JSInt32Array.h: Added.
2862         * runtime/JSInt8Array.h: Added.
2863         * runtime/JSTypedArrayConstructors.cpp: Added.
2864         * runtime/JSTypedArrayConstructors.h: Added.
2865         * runtime/JSTypedArrayPrototypes.cpp: Added.
2866         * runtime/JSTypedArrayPrototypes.h: Added.
2867         * runtime/JSTypedArrays.cpp: Added.
2868         * runtime/JSTypedArrays.h: Added.
2869         * runtime/JSUint16Array.h: Added.
2870         * runtime/JSUint32Array.h: Added.
2871         * runtime/JSUint8Array.h: Added.
2872         * runtime/JSUint8ClampedArray.h: Added.
2873         * runtime/Operations.h:
2874         * runtime/Options.h:
2875         * runtime/SimpleTypedArrayController.cpp: Added.
2876         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
2877         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
2878         (JSC::SimpleTypedArrayController::toJS):
2879         * runtime/SimpleTypedArrayController.h: Added.
2880         * runtime/Structure.h:
2881         (JSC::Structure::couldHaveIndexingHeader):
2882         * runtime/StructureInlines.h:
2883         (JSC::Structure::hasIndexingHeader):
2884         * runtime/TypedArrayAdaptors.h: Added.
2885         (JSC::IntegralTypedArrayAdaptor::toNative):
2886         (JSC::IntegralTypedArrayAdaptor::toJSValue):
2887         (JSC::IntegralTypedArrayAdaptor::toDouble):
2888         (JSC::FloatTypedArrayAdaptor::toNative):
2889         (JSC::FloatTypedArrayAdaptor::toJSValue):
2890         (JSC::FloatTypedArrayAdaptor::toDouble):
2891         (JSC::Uint8ClampedAdaptor::toNative):
2892         (JSC::Uint8ClampedAdaptor::toJSValue):
2893         (JSC::Uint8ClampedAdaptor::toDouble):
2894         (JSC::Uint8ClampedAdaptor::clamp):
2895         * runtime/TypedArrayController.cpp: Added.
2896         (JSC::TypedArrayController::TypedArrayController):
2897         (JSC::TypedArrayController::~TypedArrayController):
2898         * runtime/TypedArrayController.h: Added.
2899         * runtime/TypedArrayDescriptor.h: Removed.
2900         * runtime/TypedArrayInlines.h: Added.
2901         * runtime/TypedArrayType.cpp: Added.
2902         (JSC::classInfoForType):
2903         (WTF::printInternal):
2904         * runtime/TypedArrayType.h: Added.
2905         (JSC::toIndex):
2906         (JSC::isTypedView):
2907         (JSC::elementSize):
2908         (JSC::isInt):
2909         (JSC::isFloat):
2910         (JSC::isSigned):
2911         (JSC::isClamped):
2912         * runtime/TypedArrays.h: Added.
2913         * runtime/Uint16Array.h:
2914         * runtime/Uint32Array.h:
2915         * runtime/Uint8Array.h:
2916         * runtime/Uint8ClampedArray.h:
2917         * runtime/VM.cpp:
2918         (JSC::VM::VM):
2919         (JSC::VM::~VM):
2920         * runtime/VM.h:
2921
2922 2013-08-15  Oliver Hunt  <oliver@apple.com>
2923
2924         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
2925
2926         Reviewed by Filip Pizlo.
2927
2928         Make sure dfgCapabilities doesn't report a Dynamic put as
2929         being compilable when we don't actually support it.
2930
2931         * bytecode/CodeBlock.cpp:
2932         (JSC::CodeBlock::dumpBytecode):
2933         * dfg/DFGCapabilities.cpp:
2934         (JSC::DFG::capabilityLevel):
2935
2936 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2937
2938         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
2939         https://bugs.webkit.org/show_bug.cgi?id=119847
2940
2941         Reviewed by Oliver Hunt.
2942
2943         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
2944         * runtime/ArrayBufferView.h: Ditto.
2945
2946 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
2947
2948         https://bugs.webkit.org/show_bug.cgi?id=119843
2949         PropertySlot::setValue is ambiguous
2950
2951         Reviewed by Geoff Garen.
2952
2953         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
2954         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
2955         Unify on always providing the object, and remove the version that just takes a value.
2956         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
2957         Provide a version of setValue that takes a JSString as the owner of the property.
2958         We won't store this, but it makes it clear that this interface should only be used from JSString.
2959
2960         * API/JSCallbackObjectFunctions.h:
2961         (JSC::::getOwnPropertySlot):
2962         * JSCTypedArrayStubs.h:
2963         * runtime/Arguments.cpp:
2964         (JSC::Arguments::getOwnPropertySlotByIndex):
2965         (JSC::Arguments::getOwnPropertySlot):
2966         * runtime/JSActivation.cpp:
2967         (JSC::JSActivation::symbolTableGet):
2968         (JSC::JSActivation::getOwnPropertySlot):
2969         * runtime/JSArray.cpp:
2970         (JSC::JSArray::getOwnPropertySlot):
2971         * runtime/JSObject.cpp:
2972         (JSC::JSObject::getOwnPropertySlotByIndex):
2973         * runtime/JSString.h:
2974         (JSC::JSString::getStringPropertySlot):
2975         * runtime/JSSymbolTableObject.h:
2976         (JSC::symbolTableGet):
2977         * runtime/SparseArrayValueMap.cpp:
2978         (JSC::SparseArrayEntry::get):
2979             - Pass object containing property to PropertySlot::setValue
2980         * runtime/PropertySlot.h:
2981         (JSC::PropertySlot::setValue):
2982             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
2983         (JSC::PropertySlot::setUndefined):
2984             - removed setValue(JSValue), added setValue(JSString*, JSValue)
2985
2986 2013-08-15  Oliver Hunt  <oliver@apple.com>
2987
2988         Remove bogus assertion.
2989
2990         RS=Filip Pizlo
2991
2992         * dfg/DFGAbstractInterpreterInlines.h:
2993         (JSC::DFG::::executeEffects):
2994
2995 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2996
2997         REGRESSION(r148790) Made 7 tests fail on x86 32bit
2998         https://bugs.webkit.org/show_bug.cgi?id=114913
2999
3000         Reviewed by Filip Pizlo.
3001
3002         The X87 register was not freed before some calls. Instead
3003         of inserting resetX87Registers to the last call sites,
3004         the two X87 registers are now freed in every call.
3005
3006         * llint/LowLevelInterpreter32_64.asm:
3007         * llint/LowLevelInterpreter64.asm:
3008         * offlineasm/instructions.rb:
3009         * offlineasm/x86.rb:
3010
3011 2013-08-14  Michael Saboff  <msaboff@apple.com>
3012
3013         Fixed jit on Win64.
3014         https://bugs.webkit.org/show_bug.cgi?id=119601
3015
3016         Reviewed by Oliver Hunt.
3017
3018         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
3019         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
3020         * jit/SlowPathCall.h:
3021         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
3022
3023 2013-08-14  Alex Christensen  <achristensen@apple.com>
3024
3025         Compile fix for Win64 with jit disabled.
3026         https://bugs.webkit.org/show_bug.cgi?id=119804
3027
3028         Reviewed by Michael Saboff.
3029
3030         * offlineasm/cloop.rb: Added std:: before isnan.
3031
3032 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
3033
3034         DFG_JIT implementation for sh4 architecture.
3035         https://bugs.webkit.org/show_bug.cgi?id=119737
3036
3037         Reviewed by Oliver Hunt.
3038
3039         * assembler/MacroAssemblerSH4.h:
3040         (JSC::MacroAssemblerSH4::invert):
3041         (JSC::MacroAssemblerSH4::add32):
3042         (JSC::MacroAssemblerSH4::and32):
3043         (JSC::MacroAssemblerSH4::lshift32):
3044         (JSC::MacroAssemblerSH4::mul32):
3045         (JSC::MacroAssemblerSH4::or32):
3046         (JSC::MacroAssemblerSH4::rshift32):
3047         (JSC::MacroAssemblerSH4::sub32):
3048         (JSC::MacroAssemblerSH4::xor32):
3049         (JSC::MacroAssemblerSH4::store32):
3050         (JSC::MacroAssemblerSH4::swapDouble):
3051         (JSC::MacroAssemblerSH4::storeDouble):
3052         (JSC::MacroAssemblerSH4::subDouble):
3053         (JSC::MacroAssemblerSH4::mulDouble):
3054         (JSC::MacroAssemblerSH4::divDouble):
3055         (JSC::MacroAssemblerSH4::negateDouble):
3056         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
3057         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
3058         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
3059         (JSC::MacroAssemblerSH4::swap):
3060         (JSC::MacroAssemblerSH4::jump):
3061         (JSC::MacroAssemblerSH4::branchNeg32):
3062         (JSC::MacroAssemblerSH4::branchAdd32):
3063         (JSC::MacroAssemblerSH4::branchMul32):
3064         (JSC::MacroAssemblerSH4::urshift32):
3065         * assembler/SH4Assembler.h:
3066         (JSC::SH4Assembler::SH4Assembler):
3067         (JSC::SH4Assembler::labelForWatchpoint):
3068         (JSC::SH4Assembler::label):
3069         (JSC::SH4Assembler::debugOffset):
3070         * dfg/DFGAssemblyHelpers.h:
3071         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
3072         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
3073         (JSC::DFG::AssemblyHelpers::debugCall):
3074         * dfg/DFGCCallHelpers.h:
3075         (JSC::DFG::CCallHelpers::setupArguments):
3076         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
3077         * dfg/DFGFPRInfo.h:
3078         (JSC::DFG::FPRInfo::toRegister):
3079         (JSC::DFG::FPRInfo::toIndex):
3080         (JSC::DFG::FPRInfo::debugName):
3081         * dfg/DFGGPRInfo.h:
3082         (JSC::DFG::GPRInfo::toRegister):
3083         (JSC::DFG::GPRInfo::toIndex):
3084         (JSC::DFG::GPRInfo::debugName):
3085         * dfg/DFGOperations.cpp:
3086         * dfg/DFGSpeculativeJIT.h:
3087         (JSC::DFG::SpeculativeJIT::callOperation):
3088         * jit/JITStubs.h:
3089         * jit/JITStubsSH4.h:
3090
3091 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3092
3093         Unreviewed, fix build.
3094
3095         * API/JSValue.mm:
3096         (isDate):
3097         (isArray):
3098         * API/JSWrapperMap.mm:
3099         (tryUnwrapObjcObject):
3100         * API/ObjCCallbackFunction.mm:
3101         (tryUnwrapBlock):
3102
3103 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3104
3105         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
3106         https://bugs.webkit.org/show_bug.cgi?id=119770
3107
3108         Reviewed by Mark Hahnenberg.
3109
3110         * API/JSCallbackConstructor.cpp:
3111         (JSC::JSCallbackConstructor::finishCreation):
3112         * API/JSCallbackConstructor.h:
3113         (JSC::JSCallbackConstructor::createStructure):
3114         * API/JSCallbackFunction.cpp:
3115         (JSC::JSCallbackFunction::finishCreation):
3116         * API/JSCallbackFunction.h:
3117         (JSC::JSCallbackFunction::createStructure):
3118         * API/JSCallbackObject.cpp:
3119         (JSC::::createStructure):
3120         * API/JSCallbackObject.h:
3121         (JSC::JSCallbackObject::visitChildren):
3122         * API/JSCallbackObjectFunctions.h:
3123         (JSC::::asCallbackObject):
3124         (JSC::::finishCreation):
3125         * API/JSObjectRef.cpp:
3126         (JSObjectGetPrivate):
3127         (JSObjectSetPrivate):
3128         (JSObjectGetPrivateProperty):
3129         (JSObjectSetPrivateProperty):
3130         (JSObjectDeletePrivateProperty):
3131         * API/JSValueRef.cpp:
3132         (JSValueIsObjectOfClass):
3133         * API/JSWeakObjectMapRefPrivate.cpp:
3134         * API/ObjCCallbackFunction.h:
3135         (JSC::ObjCCallbackFunction::createStructure):
3136         * JSCTypedArrayStubs.h:
3137         * bytecode/CallLinkStatus.cpp:
3138         (JSC::CallLinkStatus::CallLinkStatus):
3139         (JSC::CallLinkStatus::function):
3140         (JSC::CallLinkStatus::internalFunction):
3141         * bytecode/CodeBlock.h:
3142         (JSC::baselineCodeBlockForInlineCallFrame):
3143         * bytecode/SpeculatedType.cpp:
3144         (JSC::speculationFromClassInfo):
3145         * bytecode/UnlinkedCodeBlock.cpp:
3146         (JSC::UnlinkedFunctionExecutable::visitChildren):
3147         (JSC::UnlinkedCodeBlock::visitChildren):
3148         (JSC::UnlinkedProgramCodeBlock::visitChildren):
3149         * bytecode/UnlinkedCodeBlock.h:
3150         (JSC::UnlinkedFunctionExecutable::createStructure):
3151         (JSC::UnlinkedProgramCodeBlock::createStructure):
3152         (JSC::UnlinkedEvalCodeBlock::createStructure):
3153         (JSC::UnlinkedFunctionCodeBlock::createStructure):
3154         * debugger/Debugger.cpp:
3155         * debugger/DebuggerActivation.cpp:
3156         (JSC::DebuggerActivation::visitChildren):
3157         * debugger/DebuggerActivation.h:
3158         (JSC::DebuggerActivation::createStructure):
3159         * debugger/DebuggerCallFrame.cpp:
3160         (JSC::DebuggerCallFrame::functionName):
3161         * dfg/DFGAbstractInterpreterInlines.h:
3162         (JSC::DFG::::executeEffects):
3163         * dfg/DFGByteCodeParser.cpp:
3164         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3165         (JSC::DFG::ByteCodeParser::parseBlock):
3166         * dfg/DFGFixupPhase.cpp:
3167         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
3168         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3169         * dfg/DFGGraph.cpp:
3170         (JSC::DFG::Graph::dump):
3171         * dfg/DFGGraph.h:
3172         (JSC::DFG::Graph::isInternalFunctionConstant):
3173         * dfg/DFGOperations.cpp:
3174         * dfg/DFGSpeculativeJIT.cpp:
3175         (JSC::DFG::SpeculativeJIT::checkArray):
3176         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3177         * dfg/DFGThunks.cpp:
3178         (JSC::DFG::virtualForThunkGenerator):
3179         * interpreter/Interpreter.cpp:
3180         (JSC::loadVarargs):
3181         * jsc.cpp:
3182         (GlobalObject::createStructure):
3183         * profiler/LegacyProfiler.cpp:
3184         (JSC::LegacyProfiler::createCallIdentifier):
3185         * runtime/Arguments.cpp:
3186         (JSC::Arguments::visitChildren):
3187         * runtime/Arguments.h:
3188         (JSC::Arguments::createStructure):
3189         (JSC::asArguments):
3190         (JSC::Arguments::finishCreation):
3191         * runtime/ArrayConstructor.cpp:
3192         (JSC::arrayConstructorIsArray):
3193         * runtime/ArrayConstructor.h:
3194         (JSC::ArrayConstructor::createStructure):
3195         * runtime/ArrayPrototype.cpp:
3196         (JSC::ArrayPrototype::finishCreation):
3197         (JSC::arrayProtoFuncConcat):
3198         (JSC::attemptFastSort):
3199         * runtime/ArrayPrototype.h:
3200         (JSC::ArrayPrototype::createStructure):
3201         * runtime/BooleanConstructor.h:
3202         (JSC::BooleanConstructor::createStructure):
3203         * runtime/BooleanObject.cpp:
3204         (JSC::BooleanObject::finishCreation):
3205         * runtime/BooleanObject.h:
3206         (JSC::BooleanObject::createStructure):
3207         (JSC::asBooleanObject):
3208         * runtime/BooleanPrototype.cpp:
3209         (JSC::BooleanPrototype::finishCreation):
3210         (JSC::booleanProtoFuncToString):
3211         (JSC::booleanProtoFuncValueOf):
3212         * runtime/BooleanPrototype.h:
3213         (JSC::BooleanPrototype::createStructure):
3214         * runtime/DateConstructor.cpp:
3215         (JSC::constructDate):
3216         * runtime/DateConstructor.h:
3217         (JSC::DateConstructor::createStructure):
3218         * runtime/DateInstance.cpp:
3219         (JSC::DateInstance::finishCreation):
3220         * runtime/DateInstance.h:
3221         (JSC::DateInstance::createStructure):
3222         (JSC::asDateInstance):
3223         * runtime/DatePrototype.cpp:
3224         (JSC::formateDateInstance):
3225         (JSC::DatePrototype::finishCreation):
3226         (JSC::dateProtoFuncToISOString):
3227         (JSC::dateProtoFuncToLocaleString):
3228         (JSC::dateProtoFuncToLocaleDateString):
3229         (JSC::dateProtoFuncToLocaleTimeString):
3230         (JSC::dateProtoFuncGetTime):
3231         (JSC::dateProtoFuncGetFullYear):
3232         (JSC::dateProtoFuncGetUTCFullYear):
3233         (JSC::dateProtoFuncGetMonth):
3234         (JSC::dateProtoFuncGetUTCMonth):
3235         (JSC::dateProtoFuncGetDate):
3236         (JSC::dateProtoFuncGetUTCDate):
3237         (JSC::dateProtoFuncGetDay):
3238         (JSC::dateProtoFuncGetUTCDay):
3239         (JSC::dateProtoFuncGetHours):
3240         (JSC::dateProtoFuncGetUTCHours):
3241         (JSC::dateProtoFuncGetMinutes):
3242         (JSC::dateProtoFuncGetUTCMinutes):
3243         (JSC::dateProtoFuncGetSeconds):
3244         (JSC::dateProtoFuncGetUTCSeconds):
3245         (JSC::dateProtoFuncGetMilliSeconds):
3246         (JSC::dateProtoFuncGetUTCMilliseconds):
3247         (JSC::dateProtoFuncGetTimezoneOffset):
3248         (JSC::dateProtoFuncSetTime):
3249         (JSC::setNewValueFromTimeArgs):
3250         (JSC::setNewValueFromDateArgs):
3251         (JSC::dateProtoFuncSetYear):
3252         (JSC::dateProtoFuncGetYear):
3253         * runtime/DatePrototype.h:
3254         (JSC::DatePrototype::createStructure):
3255         * runtime/Error.h:
3256         (JSC::StrictModeTypeErrorFunction::createStructure):
3257         * runtime/ErrorConstructor.h:
3258         (JSC::ErrorConstructor::createStructure):
3259         * runtime/ErrorInstance.cpp:
3260         (JSC::ErrorInstance::finishCreation):
3261         * runtime/ErrorInstance.h:
3262         (JSC::ErrorInstance::createStructure):
3263         * runtime/ErrorPrototype.cpp:
3264         (JSC::ErrorPrototype::finishCreation):
3265         * runtime/ErrorPrototype.h:
3266         (JSC::ErrorPrototype::createStructure):
3267         * runtime/ExceptionHelpers.cpp:
3268         (JSC::isTerminatedExecutionException):
3269         * runtime/ExceptionHelpers.h:
3270         (JSC::TerminatedExecutionError::createStructure):
3271         * runtime/Executable.cpp:
3272         (JSC::EvalExecutable::visitChildren):
3273         (JSC::ProgramExecutable::visitChildren):
3274         (JSC::FunctionExecutable::visitChildren):
3275         (JSC::ExecutableBase::hashFor):
3276         * runtime/Executable.h:
3277         (JSC::ExecutableBase::createStructure):
3278         (JSC::NativeExecutable::createStructure):
3279         (JSC::EvalExecutable::createStructure):
3280         (JSC::ProgramExecutable::createStructure):
3281         (JSC::FunctionExecutable::compileFor):
3282         (JSC::FunctionExecutable::compileOptimizedFor):
3283         (JSC::FunctionExecutable::createStructure):
3284         * runtime/FunctionConstructor.h:
3285         (JSC::FunctionConstructor::createStructure):
3286         * runtime/FunctionPrototype.cpp:
3287         (JSC::functionProtoFuncToString):
3288         (JSC::functionProtoFuncApply):
3289         (JSC::functionProtoFuncBind):
3290         * runtime/FunctionPrototype.h:
3291         (JSC::FunctionPrototype::createStructure):
3292         * runtime/GetterSetter.cpp:
3293         (JSC::GetterSetter::visitChildren):
3294         * runtime/GetterSetter.h:
3295         (JSC::GetterSetter::createStructure):
3296         * runtime/InternalFunction.cpp:
3297         (JSC::InternalFunction::finishCreation):
3298         * runtime/InternalFunction.h:
3299         (JSC::InternalFunction::createStructure):
3300         (JSC::asInternalFunction):
3301         * runtime/JSAPIValueWrapper.h:
3302         (JSC::JSAPIValueWrapper::createStructure):
3303         * runtime/JSActivation.cpp:
3304         (JSC::JSActivation::visitChildren):
3305         (JSC::JSActivation::argumentsGetter):
3306         * runtime/JSActivation.h:
3307         (JSC::JSActivation::createStructure):
3308         (JSC::asActivation):
3309         * runtime/JSArray.h:
3310         (JSC::JSArray::createStructure):
3311         (JSC::asArray):
3312         (JSC::isJSArray):
3313         * runtime/JSBoundFunction.cpp:
3314         (JSC::JSBoundFunction::finishCreation):
3315         (JSC::JSBoundFunction::visitChildren):
3316         * runtime/JSBoundFunction.h:
3317         (JSC::JSBoundFunction::createStructure):
3318         * runtime/JSCJSValue.cpp:
3319         (JSC::JSValue::dumpInContext):
3320         * runtime/JSCJSValueInlines.h:
3321         (JSC::JSValue::isFunction):
3322         * runtime/JSCell.h:
3323         (JSC::jsCast):
3324         (JSC::jsDynamicCast):
3325         * runtime/JSCellInlines.h:
3326         (JSC::allocateCell):
3327         * runtime/JSFunction.cpp:
3328         (JSC::JSFunction::finishCreation):
3329         (JSC::JSFunction::visitChildren):
3330         (JSC::skipOverBoundFunctions):
3331         (JSC::JSFunction::callerGetter):
3332         * runtime/JSFunction.h:
3333         (JSC::JSFunction::createStructure):
3334         * runtime/JSGlobalObject.cpp:
3335         (JSC::JSGlobalObject::visitChildren):
3336         (JSC::slowValidateCell):
3337         * runtime/JSGlobalObject.h:
3338         (JSC::JSGlobalObject::createStructure):
3339         * runtime/JSNameScope.cpp:
3340         (JSC::JSNameScope::visitChildren):
3341         * runtime/JSNameScope.h:
3342         (JSC::JSNameScope::createStructure):
3343         * runtime/JSNotAnObject.h:
3344         (JSC::JSNotAnObject::createStructure):
3345         * runtime/JSONObject.cpp:
3346         (JSC::JSONObject::finishCreation):
3347         (JSC::unwrapBoxedPrimitive):
3348         (JSC::Stringifier::Stringifier):
3349         (JSC::Stringifier::appendStringifiedValue):
3350         (JSC::Stringifier::Holder::Holder):
3351         (JSC::Walker::walk):
3352         (JSC::JSONProtoFuncStringify):
3353         * runtime/JSONObject.h:
3354         (JSC::JSONObject::createStructure):
3355         * runtime/JSObject.cpp:
3356         (JSC::getCallableObjectSlow):
3357         (JSC::JSObject::visitChildren):
3358         (JSC::JSObject::copyBackingStore):
3359         (JSC::JSFinalObject::visitChildren):
3360         (JSC::JSObject::ensureInt32Slow):
3361         (JSC::JSObject::ensureDoubleSlow):
3362         (JSC::JSObject::ensureContiguousSlow):
3363         (JSC::JSObject::ensureArrayStorageSlow):
3364         * runtime/JSObject.h:
3365         (JSC::JSObject::finishCreation):
3366         (JSC::JSObject::createStructure):
3367         (JSC::JSNonFinalObject::createStructure):
3368         (JSC::JSFinalObject::createStructure):
3369         (JSC::isJSFinalObject):
3370         * runtime/JSPropertyNameIterator.cpp:
3371         (JSC::JSPropertyNameIterator::visitChildren):
3372         * runtime/JSPropertyNameIterator.h:
3373         (JSC::JSPropertyNameIterator::createStructure):
3374         * runtime/JSProxy.cpp:
3375         (JSC::JSProxy::visitChildren):
3376         * runtime/JSProxy.h:
3377         (JSC::JSProxy::createStructure):
3378         * runtime/JSScope.cpp:
3379         (JSC::JSScope::visitChildren):
3380         * runtime/JSSegmentedVariableObject.cpp:
3381         (JSC::JSSegmentedVariableObject::visitChildren):
3382         * runtime/JSString.h:
3383         (JSC::JSString::createStructure):
3384         (JSC::isJSString):
3385         * runtime/JSSymbolTableObject.cpp:
3386         (JSC::JSSymbolTableObject::visitChildren):
3387         * runtime/JSVariableObject.h:
3388         * runtime/JSWithScope.cpp:
3389         (JSC::JSWithScope::visitChildren):
3390         * runtime/JSWithScope.h:
3391         (JSC::JSWithScope::createStructure):
3392         * runtime/JSWrapperObject.cpp:
3393         (JSC::JSWrapperObject::visitChildren):
3394         * runtime/JSWrapperObject.h:
3395         (JSC::JSWrapperObject::createStructure):
3396         * runtime/MathObject.cpp:
3397         (JSC::MathObject::finishCreation):
3398         * runtime/MathObject.h:
3399         (JSC::MathObject::createStructure):
3400         * runtime/NameConstructor.h:
3401         (JSC::NameConstructor::createStructure):
3402         * runtime/NameInstance.h:
3403         (JSC::NameInstance::createStructure):
3404         (JSC::NameInstance::finishCreation):
3405         * runtime/NamePrototype.cpp:
3406         (JSC::NamePrototype::finishCreation):
3407         (JSC::privateNameProtoFuncToString):
3408         * runtime/NamePrototype.h:
3409         (JSC::NamePrototype::createStructure):
3410         * runtime/NativeErrorConstructor.cpp:
3411         (JSC::NativeErrorConstructor::visitChildren):
3412         * runtime/NativeErrorConstructor.h:
3413         (JSC::NativeErrorConstructor::createStructure):
3414         (JSC::NativeErrorConstructor::finishCreation):
3415         * runtime/NumberConstructor.cpp:
3416         (JSC::NumberConstructor::finishCreation):
3417         * runtime/NumberConstructor.h:
3418         (JSC::NumberConstructor::createStructure):
3419         * runtime/NumberObject.cpp:
3420         (JSC::NumberObject::finishCreation):
3421         * runtime/NumberObject.h:
3422         (JSC::NumberObject::createStructure):
3423         * runtime/NumberPrototype.cpp:
3424         (JSC::NumberPrototype::finishCreation):
3425         * runtime/NumberPrototype.h:
3426         (JSC::NumberPrototype::createStructure):
3427         * runtime/ObjectConstructor.h:
3428         (JSC::ObjectConstructor::createStructure):
3429         * runtime/ObjectPrototype.cpp:
3430         (JSC::ObjectPrototype::finishCreation):
3431         * runtime/ObjectPrototype.h:
3432         (JSC::ObjectPrototype::createStructure):
3433         * runtime/PropertyMapHashTable.h:
3434         (JSC::PropertyTable::createStructure):
3435         * runtime/PropertyTable.cpp:
3436         (JSC::PropertyTable::visitChildren):
3437         * runtime/RegExp.h:
3438         (JSC::RegExp::createStructure):
3439         * runtime/RegExpConstructor.cpp:
3440         (JSC::RegExpConstructor::finishCreation):
3441         (JSC::RegExpConstructor::visitChildren):
3442         (JSC::constructRegExp):
3443         * runtime/RegExpConstructor.h:
3444         (JSC::RegExpConstructor::createStructure):
3445         (JSC::asRegExpConstructor):
3446         * runtime/RegExpMatchesArray.cpp:
3447         (JSC::RegExpMatchesArray::visitChildren):
3448         * runtime/RegExpMatchesArray.h:
3449         (JSC::RegExpMatchesArray::createStructure):
3450         * runtime/RegExpObject.cpp:
3451         (JSC::RegExpObject::finishCreation):
3452         (JSC::RegExpObject::visitChildren):
3453         * runtime/RegExpObject.h:
3454         (JSC::RegExpObject::createStructure):
3455         (JSC::asRegExpObject):
3456         * runtime/RegExpPrototype.cpp:
3457         (JSC::regExpProtoFuncTest):
3458         (JSC::regExpProtoFuncExec):
3459         (JSC::regExpProtoFuncCompile):
3460         (JSC::regExpProtoFuncToString):
3461         * runtime/RegExpPrototype.h:
3462         (JSC::RegExpPrototype::createStructure):
3463         * runtime/SparseArrayValueMap.cpp:
3464         (JSC::SparseArrayValueMap::createStructure):
3465         * runtime/SparseArrayValueMap.h:
3466         * runtime/StrictEvalActivation.h:
3467         (JSC::StrictEvalActivation::createStructure):
3468         * runtime/StringConstructor.h:
3469         (JSC::StringConstructor::createStructure):
3470         * runtime/StringObject.cpp:
3471         (JSC::StringObject::finishCreation):
3472         * runtime/StringObject.h:
3473         (JSC::StringObject::createStructure):
3474         (JSC::asStringObject):
3475         * runtime/StringPrototype.cpp:
3476         (JSC::StringPrototype::finishCreation):
3477         (JSC::stringProtoFuncReplace):
3478         (JSC::stringProtoFuncToString):
3479         (JSC::stringProtoFuncMatch):
3480         (JSC::stringProtoFuncSearch):
3481         (JSC::stringProtoFuncSplit):
3482         * runtime/StringPrototype.h:
3483         (JSC::StringPrototype::createStructure):
3484         * runtime/Structure.cpp:
3485         (JSC::Structure::Structure):
3486         (JSC::Structure::materializePropertyMap):
3487         (JSC::Structure::get):
3488         (JSC::Structure::visitChildren):
3489         * runtime/Structure.h:
3490         (JSC::Structure::typeInfo):
3491         (JSC::Structure::previousID):
3492         (JSC::Structure::outOfLineSize):
3493         (JSC::Structure::totalStorageCapacity):
3494         (JSC::Structure::materializePropertyMapIfNecessary):
3495         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3496         * runtime/StructureChain.cpp:
3497         (JSC::StructureChain::visitChildren):
3498         * runtime/StructureChain.h:
3499         (JSC::StructureChain::createStructure):
3500         * runtime/StructureInlines.h:
3501         (JSC::Structure::get):
3502         * runtime/StructureRareData.cpp:
3503         (JSC::StructureRareData::createStructure):
3504         (JSC::StructureRareData::visitChildren):
3505         * runtime/StructureRareData.h:
3506         * runtime/SymbolTable.h:
3507         (JSC::SharedSymbolTable::createStructure):
3508         * runtime/VM.cpp:
3509         (JSC::VM::VM):
3510         (JSC::StackPreservingRecompiler::operator()):
3511         (JSC::VM::releaseExecutableMemory):
3512         * runtime/WriteBarrier.h:
3513         (JSC::validateCell):
3514         * testRegExp.cpp:
3515         (GlobalObject::createStructure):
3516
3517 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
3518
3519         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
3520         https://bugs.webkit.org/show_bug.cgi?id=119762
3521
3522         Reviewed by Geoffrey Garen.
3523
3524         * heap/Heap.cpp:
3525         (JSC::Heap::Heap):
3526         (JSC::Heap::markRoots):
3527         (JSC::Heap::collect):
3528         * jsc.cpp:
3529         (StopWatch::start):
3530         (StopWatch::stop):
3531         * testRegExp.cpp:
3532         (StopWatch::start):
3533         (StopWatch::stop):
3534
3535 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
3536
3537         [sh4] Prepare LLINT for DFG_JIT implementation.
3538         https://bugs.webkit.org/show_bug.cgi?id=119755
3539
3540         Reviewed by Oliver Hunt.
3541
3542         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
3543         * offlineasm/sh4.rb:
3544             - Handle storeb opcode.
3545             - Make relative jumps when possible using braf opcode.
3546             - Update bmulio implementation to be consistent with baseline JIT.
3547             - Remove useless code from leap opcode.
3548             - Fix incorrect comment.
3549
3550 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
3551
3552         [sh4] Prepare baseline JIT for DFG_JIT implementation.
3553         https://bugs.webkit.org/show_bug.cgi?id=119758
3554
3555         Reviewed by Oliver Hunt.
3556
3557         * assembler/MacroAssemblerSH4.h:
3558             - Introduce a loadEffectiveAddress function to avoid code duplication.
3559             - Add ASSERTs and clean code.
3560         * assembler/SH4Assembler.h:
3561             - Prepare DFG_JIT implementation.
3562             - Add ASSERTs.
3563         * jit/JITStubs.cpp:
3564             - Add SH4 specific call for assertions.
3565         * jit/JITStubs.h:
3566             - Cosmetic change.
3567         * jit/JITStubsSH4.h:
3568             - Use constants to be more flexible with sh4 JIT stack frame.
3569         * jit/JSInterfaceJIT.h:
3570             - Cosmetic change.
3571
3572 2013-08-13  Oliver Hunt  <oliver@apple.com>
3573
3574         Harden executeConstruct against incorrect return types from host functions
3575         https://bugs.webkit.org/show_bug.cgi?id=119757
3576
3577         Reviewed by Mark Hahnenberg.
3578
3579         Add logic to guard against bogus return types.  There doesn't seem to be any
3580         class in WebKit that does this wrong, but the typed array stubs in debug JSC
3581         do exhibit this bad behaviour.
3582
3583         * interpreter/Interpreter.cpp:
3584         (JSC::Interpreter::executeConstruct):
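
        The guard described in this entry, modelled in an added example that is not JavaScriptCore's own code: JSValue, JSObject, HostConstructFunction, ConstructResult and both executeConstruct variants are constructed stand-ins for the real types and signatures, and the misbehaving constructor stands in for the debug-build typed array stubs the entry mentions.

```cpp
#include <string>

// Constructed stand-in for a JS cell on the heap (not JSC's JSObject).
struct JSObject {
    std::string className;
};

// Constructed stand-in for JSC's tagged JSValue: undefined, a number, or an object.
struct JSValue {
    enum class Kind { Undefined, Number, Object };
    Kind kind = Kind::Undefined;
    double number = 0.0;
    JSObject* object = nullptr;  // meaningful only when kind == Kind::Object

    static JSValue fromNumber(double d) { JSValue v; v.kind = Kind::Number; v.number = d; return v; }
    static JSValue fromObject(JSObject* o) { JSValue v; v.kind = Kind::Object; v.object = o; return v; }
    bool isObject() const { return kind == Kind::Object; }
};

// Host (native) constructor calling convention in this model: returns a JSValue.
using HostConstructFunction = JSValue (*)();

// Outcome of a construct call: either the constructed object or a thrown TypeError.
struct ConstructResult {
    JSObject* object;
    bool threwTypeError;
};

// A well-behaved host constructor: hands back an object, as the contract requires.
JSObject g_wellBehavedInstance{"Date"};
JSValue wellBehavedHostConstruct() { return JSValue::fromObject(&g_wellBehavedInstance); }

// A misbehaving host constructor, modelled on the debug-build typed array stubs the
// entry mentions: it returns a primitive where an object is required.
JSValue misbehavingHostConstruct() { return JSValue::fromNumber(42.0); }

// Before hardening: the host function's result is trusted and treated as an object.
// For the misbehaving constructor that yields a null JSObject* which callers later
// dereference, i.e. a type confusion that surfaces as a crash far from its cause.
ConstructResult executeConstructUnchecked(HostConstructFunction construct) {
    JSValue result = construct();
    return ConstructResult{result.object, false};
}

// After hardening: check that the host function actually produced an object and
// report a TypeError otherwise, so a bad host function fails at the boundary
// instead of corrupting engine invariants downstream.
ConstructResult executeConstructHardened(HostConstructFunction construct) {
    JSValue result = construct();
    if (!result.isObject())
        return ConstructResult{nullptr, true};  // modelled as "TypeError thrown"
    return ConstructResult{result.object, false};
}
```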
3585
3586 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3587
3588         [Qt] Fix C++11 build with gcc 4.4 and 4.5
3589         https://bugs.webkit.org/show_bug.cgi?id=119736
3590
3591         Reviewed by Anders Carlsson.
3592
3593         Don't force C++11 mode off anymore.
3594
3595         * Target.pri:
3596
3597 2013-08-12  Oliver Hunt  <oliver@apple.com>
3598
3599         Remove CodeBlock's notion of adding identifiers entirely
3600         https://bugs.webkit.org/show_bug.cgi?id=119708
3601
3602         Reviewed by Geoffrey Garen.
3603
3604         Remove addAdditionalIdentifier entirely, including the bogus assertion.
3605         Move the addition of identifiers to DFGPlan::reallyAdd.
3606
3607         * bytecode/CodeBlock.h:
3608         * dfg/DFGDesiredIdentifiers.cpp:
3609         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3610         * dfg/DFGDesiredIdentifiers.h:
3611         * dfg/DFGPlan.cpp:
3612         (JSC::DFG::Plan::reallyAdd):
3613         (JSC::DFG::Plan::finalize):
3614         * dfg/DFGPlan.h:
3615
3616 2013-08-12  Oliver Hunt  <oliver@apple.com>
3617
3618         Build fix
3619
3620         * runtime/JSCell.h:
3621
3622 2013-08-12  Oliver Hunt  <oliver@apple.com>
3623
3624         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
3625         https://bugs.webkit.org/show_bug.cgi?id=119705
3626
3627         Reviewed by Geoffrey Garen.
3628
3629         Relatively trivial refactoring
3630
3631         * bytecode/CodeBlock.h:
3632         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
3633         (JSC::CodeBlock::addAdditionalIdentifier):
3634         (JSC::CodeBlock::identifier):
3635         (JSC::CodeBlock::numberOfIdentifiers):
3636         * dfg/DFGCommonData.h:
3637
3638 2013-08-12  Oliver Hunt  <oliver@apple.com>
3639
3640         Stop making unnecessary copy of CodeBlock Identifier Vector
3641         https://bugs.webkit.org/show_bug.cgi?id=119702
3642
3643         Reviewed by Michael Saboff.
3644
3645         Make CodeBlock simply use a separate Vector for additional Identifiers
3646         and use the UnlinkedCodeBlock for the initial set of identifiers.
3647
3648         * bytecode/CodeBlock.cpp:
3649         (JSC::CodeBlock::printGetByIdOp):
3650         (JSC::dumpStructure):
3651         (JSC::dumpChain):
3652         (JSC::CodeBlock::printGetByIdCacheStatus):
3653         (JSC::CodeBlock::printPutByIdOp):
3654         (JSC::CodeBlock::dumpBytecode):
3655         (JSC::CodeBlock::CodeBlock):
3656         (JSC::CodeBlock::shrinkToFit):
3657         * bytecode/CodeBlock.h:
3658         (JSC::CodeBlock::numberOfIdentifiers):
3659         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
3660         (JSC::CodeBlock::addAdditionalIdentifier):
3661         (JSC::CodeBlock::identifier):
3662         * dfg/DFGDesiredIdentifiers.cpp:
3663         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3664         * jit/JIT.h:
3665         * jit/JITOpcodes.cpp:
3666         (JSC::JIT::emitSlow_op_get_arguments_length):
3667         * jit/JITPropertyAccess.cpp:
3668         (JSC::JIT::emit_op_get_by_id):
3669         (JSC::JIT::compileGetByIdHotPath):
3670         (JSC::JIT::emitSlow_op_get_by_id):
3671         (JSC::JIT::compileGetByIdSlowCase):
3672         (JSC::JIT::emitSlow_op_put_by_id):
3673         * jit/JITPropertyAccess32_64.cpp:
3674         (JSC::JIT::emit_op_get_by_id):
3675         (JSC::JIT::compileGetByIdHotPath):
3676         (JSC::JIT::compileGetByIdSlowCase):
3677         * jit/JITStubs.cpp:
3678         (JSC::DEFINE_STUB_FUNCTION):
3679         * llint/LLIntSlowPaths.cpp:
3680         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3681
3682 2013-08-08  Mark Lam  <mark.lam@apple.com>
3683
3684         Restoring use of StackIterator instead of Interpreter::getStacktrace().
3685         https://bugs.webkit.org/show_bug.cgi?id=119575.
3686
3687         Reviewed by Oliver Hunt.
3688
3689         * interpreter/Interpreter.h:
3690         - Made getStackTrace() private.
3691         * interpreter/StackIterator.cpp:
3692         (JSC::StackIterator::StackIterator):
3693         (JSC::StackIterator::numberOfFrames):
3694         - Computes the number of frames by iterating through the whole stack
3695           from the starting frame. The iterator will save its current frame
3696           position before counting the frames, and then restore it after
3697           the counting.
3698         (JSC::StackIterator::gotoFrameAtIndex):
3699         (JSC::StackIterator::gotoNextFrame):
3700         (JSC::StackIterator::resetIterator):
3701         - Points the iterator to the starting frame.
3702         * interpreter/StackIteratorPrivate.h:
3703
3704 2013-08-08  Mark Lam  <mark.lam@apple.com>
3705
3706         Moved ErrorConstructor and NativeErrorConstructor helper functions into
3707         the Interpreter class.
3708         https://bugs.webkit.org/show_bug.cgi?id=119576.
3709
3710         Reviewed by Oliver Hunt.
3711
3712         This change is needed to prepare for making Interpreter::getStackTrace()
3713         private. It does not change the behavior of the code, only the lexical
3714         scoping.
3715
3716         * interpreter/Interpreter.h:
3717         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
3718         * runtime/ErrorConstructor.cpp:
3719         (JSC::Interpreter::constructWithErrorConstructor):
3720         (JSC::ErrorConstructor::getConstructData):
3721         (JSC::Interpreter::callErrorConstructor):
3722         (JSC::ErrorConstructor::getCallData):
3723         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
3724           directly. So, we moved the helper functions into the Interpreter
3725           class.
3726         * runtime/NativeErrorConstructor.cpp:
3727         (JSC::Interpreter::constructWithNativeErrorConstructor):
3728         (JSC::NativeErrorConstructor::getConstructData):
3729         (JSC::Interpreter::callNativeErrorConstructor):
3730         (JSC::NativeErrorConstructor::getCallData):
3731         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
3732           directly. So, we moved the helper functions into the Interpreter
3733           class.
3734
3735 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3736
3737         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
3738         https://bugs.webkit.org/show_bug.cgi?id=119555
3739
3740         Reviewed by Geoffrey Garen.
3741
3742         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
3743         This was causing crashes on maps.google.com in 32-bit debug builds.
3744
3745         * dfg/DFGSpeculativeJIT32_64.cpp:
3746         (JSC::DFG::SpeculativeJIT::compile):
3747
3748 2013-08-06  Michael Saboff  <msaboff@apple.com>
3749
3750         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
3751         https://bugs.webkit.org/show_bug.cgi?id=119405
3752
3753         Reviewed by Geoffrey Garen.
3754
3755         * dfg/DFGSpeculativeJIT.cpp:
3756         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
3757         ourselves to save a register and then load from it.
3758
3759 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
3760
3761         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
3762         https://bugs.webkit.org/show_bug.cgi?id=119528
3763
3764         Reviewed by Geoffrey Garen.
3765
3766         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
3767         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
3768         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
3769         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
3770         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
3771
3772         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
3773
3774         * bytecode/CodeBlock.cpp:
3775         (JSC::CodeBlock::finalizeUnconditionally):
3776         * dfg/DFGDriver.cpp:
3777         (JSC::DFG::compile):
3778         * dfg/DFGFixupPhase.cpp:
3779         (JSC::DFG::FixupPhase::fixupNode):
3780         * dfg/DFGGraph.cpp:
3781         (JSC::DFG::Graph::dump):
3782         * dfg/DFGSpeculativeJIT64.cpp:
3783         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3784         * runtime/JSObject.h:
3785         (JSC::JSObject::getIndexQuickly):
3786         (JSC::JSObject::tryGetIndexQuickly):
3787
3788 2013-08-08  Stephanie Lewis  <slewis@apple.com>
3789
3790         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
3791
3792         Unreviewed.
3793
3794         Ensure llint symbols are in source order.
3795
3796         * JavaScriptCore.order:
3797
3798 2013-08-06  Mark Lam  <mark.lam@apple.com>
3799
3800         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
3801         https://bugs.webkit.org/show_bug.cgi?id=119532.
3802
3803         Reviewed by Oliver Hunt.
3804
3805         * parser/Parser.cpp:
3806         (JSC::::Parser):
3807         - Just need to initialize the Parser's JSTokenLocation's initial line and
3808           startOffset as well during Parser construction.
3809
3810 2013-08-06  Stephanie Lewis  <slewis@apple.com>
3811
3812         Update Order Files for Safari
3813         <rdar://problem/14517392>
3814
3815         Unreviewed.
3816
3817         * JavaScriptCore.order:
3818
3819 2013-08-04  Sam Weinig  <sam@webkit.org>
3820
3821         Remove support for HTML5 MicroData
3822         https://bugs.webkit.org/show_bug.cgi?id=119480
3823
3824         Reviewed by Anders Carlsson.
3825
3826         * Configurations/FeatureDefines.xcconfig:
3827
3828 2013-08-05  Oliver Hunt  <oliver@apple.com>
3829
3830         Delay Arguments creation in strict mode
3831         https://bugs.webkit.org/show_bug.cgi?id=119505
3832
3833         Reviewed by Geoffrey Garen.
3834
3835         Make use of the write tracking performed by the parser to
3836         allow us to know if we're modifying the parameters to a function.
3837         Then use that information to make strict mode functions opt out
3838         of eager arguments creation.
3839
3840         * bytecompiler/BytecodeGenerator.cpp:
3841         (JSC::BytecodeGenerator::BytecodeGenerator):
3842         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3843         (JSC::BytecodeGenerator::emitReturn):
3844         * bytecompiler/BytecodeGenerator.h:
3845         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
3846         * parser/Nodes.h:
3847         (JSC::ScopeNode::modifiesParameter):
3848         * parser/Parser.cpp:
3849         (JSC::::parseInner):
3850         * parser/Parser.h:
3851         (JSC::Scope::declareParameter):
3852         (JSC::Scope::getCapturedVariables):
3853         (JSC::Parser::declareWrite):
3854         * parser/ParserModes.h:
3855
3856 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
3857
3858         Remove useless code from COMPILER(RVCT) JITStubs
3859         https://bugs.webkit.org/show_bug.cgi?id=119521
3860
3861         Reviewed by Geoffrey Garen.
3862
3863         * jit/JITStubsARMv7.h:
3864         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
3865         (JSC::ctiOpThrowNotCaught): Ditto.
3866
3867 2013-07-23  David Farler  <dfarler@apple.com>
3868
3869         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
3870         https://bugs.webkit.org/show_bug.cgi?id=117762
3871
3872         Reviewed by Mark Rowe.
3873
3874         * Configurations/DebugRelease.xcconfig:
3875         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
3876         * Configurations/JavaScriptCore.xcconfig:
3877         Add ASAN_OTHER_LDFLAGS.
3878         * Configurations/ToolExecutable.xcconfig:
3879         Don't use ASAN for build tools.
3880
3881 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
3882
3883         Build fix for ARM MSVC after r153222 and r153648.
3884
3885         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
3886
3887 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
3888
3889         Build fix for ARM MSVC after r150109.
3890
3891         Read the stub template from a header file instead of JITStubs.cpp.
3892
3893         * CMakeLists.txt:
3894         * DerivedSources.pri:
3895         * create_jit_stubs:
3896
3897 2013-08-05  Oliver Hunt  <oliver@apple.com>
3898
3899         Move TypedArray implementation into JSC
3900         https://bugs.webkit.org/show_bug.cgi?id=119489
3901
3902         Reviewed by Filip Pizlo.
3903
3904         Move TypedArray implementation into JSC in advance of re-implementation
3905
3906         * GNUmakefile.list.am:
3907         * JSCTypedArrayStubs.h:
3908         * JavaScriptCore.xcodeproj/project.pbxproj:
3909         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
3910         (JSC::ArrayBuffer::transfer):
3911         (JSC::ArrayBuffer::addView):
3912         (JSC::ArrayBuffer::removeView):
3913         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
3914         (JSC::ArrayBufferContents::ArrayBufferContents):
3915         (JSC::ArrayBufferContents::data):
3916         (JSC::ArrayBufferContents::sizeInBytes):
3917         (JSC::ArrayBufferContents::transfer):
3918         (JSC::ArrayBufferContents::copyTo):
3919         (JSC::ArrayBuffer::isNeutered):
3920         (JSC::ArrayBuffer::~ArrayBuffer):
3921         (JSC::ArrayBuffer::clampValue):
3922         (JSC::ArrayBuffer::create):
3923         (JSC::ArrayBuffer::createUninitialized):
3924         (JSC::ArrayBuffer::ArrayBuffer):
3925         (JSC::ArrayBuffer::data):
3926         (JSC::ArrayBuffer::byteLength):
3927         (JSC::ArrayBuffer::slice):
3928         (JSC::ArrayBuffer::sliceImpl):
3929         (JSC::ArrayBuffer::clampIndex):
3930         (JSC::ArrayBufferContents::tryAllocate):
3931         (JSC::ArrayBufferContents::~ArrayBufferContents):
3932         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
3933         (JSC::ArrayBufferView::ArrayBufferView):
3934         (JSC::ArrayBufferView::~ArrayBufferView):
3935         (JSC::ArrayBufferView::neuter):
3936         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
3937         (JSC::ArrayBufferView::buffer):
3938         (JSC::ArrayBufferView::baseAddress):
3939         (JSC::ArrayBufferView::byteOffset):
3940         (JSC::ArrayBufferView::setNeuterable):
3941         (JSC::ArrayBufferView::isNeuterable):
3942         (JSC::ArrayBufferView::verifySubRange):
3943         (JSC::ArrayBufferView::clampOffsetAndNumElements):
3944         (JSC::ArrayBufferView::setImpl):
3945         (JSC::ArrayBufferView::setRangeImpl):
3946         (JSC::ArrayBufferView::zeroRangeImpl):
3947         (JSC::ArrayBufferView::calculateOffsetAndLength):
3948         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
3949         (JSC::Float32Array::set):
3950         (JSC::Float32Array::getType):
3951         (JSC::Float32Array::create):
3952         (JSC::Float32Array::createUninitialized):
3953         (JSC::Float32Array::Float32Array):
3954         (JSC::Float32Array::subarray):