Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>
2
3         Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
4         https://bugs.webkit.org/show_bug.cgi?id=107839
5
6         Reviewed by Oliver Hunt.
7
8         JSContext has a JSWrapperMap, which has an NSMutableDictionary m_classMap, which has values that 
9         are JSObjCClassInfo objects, which have strong references to two JSValue *'s, m_prototype and 
10         m_constructor, which in turn have strong references to the JSContext, creating a reference cycle. 
11         We should make m_prototype and m_constructor Weak<JSObject>. This gets rid of the strong reference 
12         to the JSContext and also prevents clients from accidentally creating reference cycles by assigning 
13         to the prototype of the constructor. If Weak<JSObject> fields are ever garbage collected, we will 
14         reallocate them.
15
16         * API/JSContext.mm:
17         (-[JSContext wrapperMap]):
18         * API/JSContextInternal.h:
19         * API/JSWrapperMap.mm:
20         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
21         (-[JSObjCClassInfo dealloc]):
22         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
23         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
24         (-[JSObjCClassInfo wrapperForObject:]):
25         (-[JSObjCClassInfo constructor]):
26
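The cycle described in the entry above, as an added example in C++ that is not part of this ChangeLog or of JavaScriptCore: the JSContext, JSWrapperMap, JSObjCClassInfo and JSValue relationships are modelled with shared_ptr (an Objective-C strong reference) and weak_ptr (Weak<JSObject>); the class and function names, the stand-in "heap", and the accessor are this example's assumptions. The accessor shows the rule the last sentence of the entry states: a Weak<> field may have been collected, so it is reallocated on demand.

```cpp
#include <map>
#include <memory>
#include <string>
#include <utility>

// Simplified stand-ins (an assumption of this example) for the objects the
// ChangeLog names; they are not the JavaScriptCore classes. shared_ptr plays
// the role of an Objective-C strong reference, weak_ptr the role of Weak<JSObject>.
struct Context;

struct HeapObject {                          // a JSObject owned by the JS heap
    std::string name;
    explicit HeapObject(std::string n) : name(std::move(n)) {}
};

// A JSValue wrapper retains its JSContext: this is the edge that closed the cycle.
struct Value {
    std::shared_ptr<Context> context;
    std::shared_ptr<HeapObject> object;
};

// Old layout: JSObjCClassInfo retains two JSValue wrappers.
struct ClassInfoStrong {
    std::shared_ptr<Value> prototype;
    std::shared_ptr<Value> constructor;
};

// New layout: the same two fields as weak references into the JS heap.
struct ClassInfoWeak {
    std::weak_ptr<HeapObject> prototype;
    std::weak_ptr<HeapObject> constructor;
    int allocations = 0;                     // how often prototype was (re)allocated
};

struct Context : std::enable_shared_from_this<Context> {
    // m_classMap of JSWrapperMap, keyed by class name, in both layouts.
    std::map<std::string, ClassInfoStrong> strongClassMap;
    std::map<std::string, ClassInfoWeak> weakClassMap;
    // Stands in for the JS heap: whatever is in here is "not yet collected".
    std::map<std::string, std::shared_ptr<HeapObject>> heap;

    std::shared_ptr<Value> wrap(const std::string& name) {
        auto obj = std::make_shared<HeapObject>(name);
        heap[name] = obj;
        return std::make_shared<Value>(Value{shared_from_this(), obj});
    }
};

// Old layout: populate the class map, drop the only outside reference to the
// context and report whether it is still alive (true means it leaked).
bool strongLayoutLeaks() {
    std::weak_ptr<Context> observer;
    {
        auto ctx = std::make_shared<Context>();
        observer = ctx;
        ClassInfoStrong info;
        info.prototype = ctx->wrap("Foo.prototype");
        info.constructor = ctx->wrap("Foo");
        ctx->strongClassMap["Foo"] = info;
    } // ctx is gone, but Context -> m_classMap -> Value -> Context keeps it alive
    bool leaked = !observer.expired();
    if (auto ctx = observer.lock())
        ctx->strongClassMap.clear();         // the only way out: break the cycle by hand
    return leaked;
}

// New layout: the same experiment with Weak<JSObject>-style fields.
bool weakLayoutLeaks() {
    std::weak_ptr<Context> observer;
    {
        auto ctx = std::make_shared<Context>();
        observer = ctx;
        ClassInfoWeak info;
        info.prototype = ctx->wrap("Foo.prototype")->object;
        info.constructor = ctx->wrap("Foo")->object;
        ctx->weakClassMap["Foo"] = info;
    } // nothing in m_classMap retains the context, so it is destroyed here
    return !observer.expired();
}

// Accessor for the weak layout. A Weak<> field may have been collected, so
// every use locks it first and reallocates when it is gone; never cache the
// raw pointer across a point where the collector can run.
std::shared_ptr<HeapObject> prototypeFor(Context& ctx, const std::string& cls) {
    ClassInfoWeak& info = ctx.weakClassMap[cls];
    if (auto live = info.prototype.lock())
        return live;
    auto fresh = std::make_shared<HeapObject>(cls + ".prototype");
    ctx.heap[cls + ".prototype"] = fresh;    // the heap owns it again
    info.prototype = fresh;
    ++info.allocations;
    return fresh;
}

// Simulate a collection that reclaims the prototype and show the accessor
// reallocating it transparently. Returns the number of allocations made.
int allocationsAfterCollection() {
    auto ctx = std::make_shared<Context>();
    prototypeFor(*ctx, "Bar");               // first use: allocated
    prototypeFor(*ctx, "Bar");               // still live: reused
    ctx->heap.erase("Bar.prototype");        // "GC" reclaims it
    prototypeFor(*ctx, "Bar");               // expired: allocated again
    return ctx->weakClassMap["Bar"].allocations;
}
```

strongLayoutLeaks() shows the context outliving every outside reference, weakLayoutLeaks() shows it destroyed on schedule. The accessor is the part to get right when switching a field to Weak<>: it has to lock before every use, because holding the raw pointer across a point where the collector can run is how a leak fix turns into a use-after-free.
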
27 2013-01-29  Oliver Hunt  <oliver@apple.com>
28
29         REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
30         https://bugs.webkit.org/show_bug.cgi?id=108097
31
32         Reviewed by Geoffrey Garen.
33
34         LiteralParser was accepting a bogus 'var a.b = c' statement
35
36         * runtime/LiteralParser.cpp:
37         (JSC::::tryJSONPParse):
38
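The bug above is a parser admitting a statement shape the interpreter has no case for, so the RELEASE_ASSERT fires downstream instead of the input being refused up front. An added example, not LiteralParser's code: a small recogniser for the JSONP statement shapes a fast path might admit (the grammar, names and the three forms are this example's assumptions), which rejects 'var a.b = c' at the parse stage, and also rejects a bare identifier on the right-hand side since that is not a literal.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Statement shapes a JSONP fast path might admit (an assumption of this
// example, not LiteralParser's grammar):
//   var IDENT = LITERAL ;   IDENT(.IDENT)* = LITERAL ;   IDENT(.IDENT)* ( LITERAL ) ;
enum class JsonpForm { Invalid, VarDeclaration, PathAssignment, Call };

struct JsonpStatement {
    JsonpForm form = JsonpForm::Invalid;
    std::vector<std::string> path;    // {"a", "b"} for a.b
    std::string literal;              // literal text, to be handed to a real JSON parser
};

static bool isIdentStart(char c) { return std::isalpha((unsigned char)c) || c == '_' || c == '$'; }
static bool isIdentPart(char c) { return isIdentStart(c) || std::isdigit((unsigned char)c); }
static void skipWs(const std::string& s, size_t& i) { while (i < s.size() && std::isspace((unsigned char)s[i])) ++i; }

static bool readIdent(const std::string& s, size_t& i, std::string& out) {
    if (i >= s.size() || !isIdentStart(s[i])) return false;
    size_t start = i;
    while (i < s.size() && isIdentPart(s[i])) ++i;
    out = s.substr(start, i - start);
    return true;
}

// Skip a double-quoted string, honouring backslash escapes; s[i] must be '"'.
static bool readString(const std::string& s, size_t& i) {
    for (++i; i < s.size(); ++i) {
        if (s[i] == '\\') { ++i; continue; }
        if (s[i] == '"') { ++i; return true; }
    }
    return false;
}

// Find the span of a JSON literal: balanced {...} or [...], a string, or a
// bare word that is true/false/null or starts like a number. A bare
// identifier such as the 'c' in 'var a.b = c' is not a literal.
static bool readLiteral(const std::string& s, size_t& i, std::string& out) {
    size_t start = i;
    if (i >= s.size()) return false;
    if (s[i] == '"') {
        if (!readString(s, i)) return false;
    } else if (s[i] == '{' || s[i] == '[') {
        for (int depth = 0;;) {
            if (i >= s.size()) return false;          // unbalanced
            char d = s[i];
            if (d == '"') { if (!readString(s, i)) return false; continue; }
            if (d == '{' || d == '[') ++depth;
            else if (d == '}' || d == ']') --depth;
            ++i;
            if (depth == 0) break;
        }
    } else {
        while (i < s.size() && (std::isalnum((unsigned char)s[i]) || s[i] == '.' || s[i] == '+' || s[i] == '-')) ++i;
        std::string w = s.substr(start, i - start);
        bool numeric = !w.empty() && (std::isdigit((unsigned char)w[0]) || w[0] == '-');
        if (w != "true" && w != "false" && w != "null" && !numeric) return false;
    }
    out = s.substr(start, i - start);
    return true;
}

JsonpStatement parseJsonpStatement(const std::string& src) {
    JsonpStatement st;
    size_t i = 0;
    std::string ident;
    skipWs(src, i);
    if (!readIdent(src, i, ident)) return {};
    bool isVar = (ident == "var");
    if (isVar) { skipWs(src, i); if (!readIdent(src, i, ident)) return {}; }
    st.path.push_back(ident);
    skipWs(src, i);
    while (i < src.size() && src[i] == '.') {
        // 'var' declares a plain binding, so a dotted target after it is
        // meaningless: reject it here rather than hand it to the interpreter.
        if (isVar) return {};
        ++i; skipWs(src, i);
        if (!readIdent(src, i, ident)) return {};
        st.path.push_back(ident);
        skipWs(src, i);
    }
    if (i < src.size() && src[i] == '=') {
        ++i; skipWs(src, i);
        if (!readLiteral(src, i, st.literal)) return {};
        st.form = isVar ? JsonpForm::VarDeclaration : JsonpForm::PathAssignment;
    } else if (i < src.size() && src[i] == '(' && !isVar) {
        ++i; skipWs(src, i);
        if (!readLiteral(src, i, st.literal)) return {};
        skipWs(src, i);
        if (i >= src.size() || src[i] != ')') return {};
        ++i;
        st.form = JsonpForm::Call;
    } else {
        return {};
    }
    skipWs(src, i);
    if (i < src.size() && src[i] == ';') { ++i; skipWs(src, i); }
    if (i != src.size()) return {};       // trailing input: not an admitted shape
    return st;
}
```

The design point is that the recogniser and the executor agree on the language: every shape the recogniser returns as valid is one the executor has code for, and anything else is Invalid before execution starts, so a malformed input can at worst be slow-pathed, never reach an unreachable branch.
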
39 2013-01-29  Oliver Hunt  <oliver@apple.com>
40
41         Force debug builds to do bounds checks on contiguous property storage
42         https://bugs.webkit.org/show_bug.cgi?id=108212
43
44         Reviewed by Mark Hahnenberg.
45
46         Add a ContiguousData type that we use to represent contiguous property
47         storage.  In release builds it is simply a pointer to the correct type,
48         but in debug builds it also carries the data length and performs bounds
49         checks.  This means we don't have to add as many manual bounds assertions
50         when performing operations over contiguous data.
51
52         * dfg/DFGOperations.cpp:
53         * runtime/ArrayStorage.h:
54         (ArrayStorage):
55         (JSC::ArrayStorage::vector):
56         * runtime/Butterfly.h:
57         (JSC::ContiguousData::ContiguousData):
58         (ContiguousData):
59         (JSC::ContiguousData::operator[]):
60         (JSC::ContiguousData::data):
61         (JSC::ContiguousData::length):
62         (JSC):
63         (JSC::Butterfly::contiguousInt32):
64         (Butterfly):
65         (JSC::Butterfly::contiguousDouble):
66         (JSC::Butterfly::contiguous):
67         * runtime/JSArray.cpp:
68         (JSC::JSArray::sortNumericVector):
69         (ContiguousTypeAccessor):
70         (JSC::ContiguousTypeAccessor::getAsValue):
71         (JSC::ContiguousTypeAccessor::setWithValue):
72         (JSC::ContiguousTypeAccessor::replaceDataReference):
73         (JSC):
74         (JSC::JSArray::sortCompactedVector):
75         (JSC::JSArray::sort):
76         (JSC::JSArray::fillArgList):
77         (JSC::JSArray::copyToArguments):
78         * runtime/JSArray.h:
79         (JSArray):
80         * runtime/JSObject.cpp:
81         (JSC::JSObject::copyButterfly):
82         (JSC::JSObject::visitButterfly):
83         (JSC::JSObject::createInitialInt32):
84         (JSC::JSObject::createInitialDouble):
85         (JSC::JSObject::createInitialContiguous):
86         (JSC::JSObject::convertUndecidedToInt32):
87         (JSC::JSObject::convertUndecidedToDouble):
88         (JSC::JSObject::convertUndecidedToContiguous):
89         (JSC::JSObject::convertInt32ToDouble):
90         (JSC::JSObject::convertInt32ToContiguous):
91         (JSC::JSObject::genericConvertDoubleToContiguous):
92         (JSC::JSObject::convertDoubleToContiguous):
93         (JSC::JSObject::rageConvertDoubleToContiguous):
94         (JSC::JSObject::ensureInt32Slow):
95         (JSC::JSObject::ensureDoubleSlow):
96         (JSC::JSObject::ensureContiguousSlow):
97         (JSC::JSObject::rageEnsureContiguousSlow):
98         (JSC::JSObject::ensureLengthSlow):
99         * runtime/JSObject.h:
100         (JSC::JSObject::ensureInt32):
101         (JSC::JSObject::ensureDouble):
102         (JSC::JSObject::ensureContiguous):
103         (JSC::JSObject::rageEnsureContiguous):
104         (JSObject):
105         (JSC::JSObject::indexingData):
106         (JSC::JSObject::currentIndexingData):
107
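An added model of the debug-checked pointer the entry above describes, written for this page rather than taken from Butterfly.h: the class collapses to a bare pointer when NDEBUG is defined (using NDEBUG as the switch is this example's assumption) and otherwise carries a length and checks every operator[]. The two helpers, in the spirit of the fillArgList and copyToArguments changes listed, show where the single check replaces scattered manual assertions.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <vector>

// Follows the ChangeLog's split: a bare pointer in release builds, pointer
// plus length with a check on every access in debug builds. NDEBUG is the
// conventional switch, so this model keys off it (an assumption; the real
// ContiguousData lives in Butterfly.h).
#ifdef NDEBUG
#define CONTIGUOUS_BOUNDS_CHECKS 0
#else
#define CONTIGUOUS_BOUNDS_CHECKS 1
#endif

template<typename T>
class ContiguousData {
public:
    ContiguousData(T* data, size_t length)
        : m_data(data)
#if CONTIGUOUS_BOUNDS_CHECKS
        , m_length(length)
#endif
    {
        (void)length;                        // unused in release builds
    }

    T& operator[](size_t index) const {
        verify(index);
        return m_data[index];
    }
    T* data() const { return m_data; }

private:
    // The only place the check lives: one verify() instead of a manual
    // ASSERT(index < length) in every loop that touches the storage.
    void verify(size_t index) const {
#if CONTIGUOUS_BOUNDS_CHECKS
        if (index >= m_length) {
            std::fprintf(stderr, "contiguous index %zu out of bounds (length %zu)\n", index, m_length);
            std::abort();
        }
#else
        (void)index;
#endif
    }

    T* m_data;
#if CONTIGUOUS_BOUNDS_CHECKS
    size_t m_length;
#endif
};

// Sum every element through the checked view; a miscounted length would trip
// the debug check instead of reading past the end of the storage.
long sumContiguous(const std::vector<int>& storage) {
    ContiguousData<const int> view(storage.data(), storage.size());
    long total = 0;
    for (size_t i = 0; i < storage.size(); ++i)
        total += view[i];
    return total;
}

// Copy [start, start + count) the way fillArgList-style helpers walk a slice.
// The view is narrowed to exactly the slice, so in debug builds the check
// enforces the caller's range arithmetic, not just the size of the whole
// buffer. A bad range is refused rather than silently clamped.
std::vector<int> copyRange(const std::vector<int>& storage, size_t start, size_t count) {
    std::vector<int> out;
    if (start > storage.size() || count > storage.size() - start)
        return out;
    ContiguousData<const int> slice(storage.data() + start, count);
    for (size_t i = 0; i < count; ++i)
        out.push_back(slice[i]);
    return out;
}
```

In release builds sizeof(ContiguousData<T>) equals sizeof(T*), so it can stand in for the raw pointer with no layout or performance cost; in debug builds the first bad index aborts at the access, which is far easier to triage than a corrupted butterfly found later by the collector. The overflow check in copyRange is written as count > size - start rather than start + count > size so the addition cannot wrap.
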
108 2013-01-29  Brent Fulgham  <bfulgham@webkit.org>
109
110         [Windows, WinCairo] Unreviewed build fix after r141050
111
112         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
113         to match JavaScriptCore.vcproj version.
114
115 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
116
117         [Qt] Implement GCActivityCallback
118         https://bugs.webkit.org/show_bug.cgi?id=103998
119
120         Reviewed by Simon Hausmann.
121
122         Implements the activity triggered garbage collector.
123
124         * runtime/GCActivityCallback.cpp:
125         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
126         (JSC::DefaultGCActivityCallback::scheduleTimer):
127         (JSC::DefaultGCActivityCallback::cancelTimer):
128         * runtime/GCActivityCallback.h:
129         (GCActivityCallback):
130         (DefaultGCActivityCallback):
131
132 2013-01-29  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>
133
134         Compilation warning in JSC
135         https://bugs.webkit.org/show_bug.cgi?id=108178
136
137         Reviewed by Kentaro Hara.
138
139         Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.
140
141         * runtime/Structure.cpp:
142         (JSC::Structure::Structure):
143
144 2013-01-29  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>
145
146         [Qt] Fix the JSC build on Mac
147
148         Unreviewed, build fix.
149
150         * heap/HeapTimer.h:
151         Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.
152
153 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
154
155         [Qt] Implement IncrementalSweeper and HeapTimer
156         https://bugs.webkit.org/show_bug.cgi?id=103996
157
158         Reviewed by Simon Hausmann.
159
160         Implements the incremental sweeping garbage collection for the Qt platform.
161
162         * heap/HeapTimer.cpp:
163         (JSC::HeapTimer::HeapTimer):
164         (JSC::HeapTimer::~HeapTimer):
165         (JSC::HeapTimer::timerEvent):
166         (JSC::HeapTimer::synchronize):
167         (JSC::HeapTimer::invalidate):
168         (JSC::HeapTimer::didStartVMShutdown):
169         * heap/HeapTimer.h:
170         (HeapTimer):
171         * heap/IncrementalSweeper.cpp:
172         (JSC::IncrementalSweeper::IncrementalSweeper):
173         (JSC::IncrementalSweeper::scheduleTimer):
174         * heap/IncrementalSweeper.h:
175         (IncrementalSweeper):
176
177 2013-01-28  Filip Pizlo  <fpizlo@apple.com>
178
179         DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
180         https://bugs.webkit.org/show_bug.cgi?id=106868
181
182         Reviewed by Oliver Hunt.
183         
184         This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
185         uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
186         for debugging (Node::index(), which is not guaranteed to be O(1)).
187         
188         1% speed-up on SunSpider, presumably because this improves compile times.
189
190         * CMakeLists.txt:
191         * GNUmakefile.list.am:
192         * JavaScriptCore.xcodeproj/project.pbxproj:
193         * Target.pri:
194         * bytecode/DataFormat.h:
195         (JSC::dataFormatToString):
196         * dfg/DFGAbstractState.cpp:
197         (JSC::DFG::AbstractState::initialize):
198         (JSC::DFG::AbstractState::booleanResult):
199         (JSC::DFG::AbstractState::execute):
200         (JSC::DFG::AbstractState::mergeStateAtTail):
201         (JSC::DFG::AbstractState::mergeToSuccessors):
202         (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
203         (JSC::DFG::AbstractState::dump):
204         * dfg/DFGAbstractState.h:
205         (DFG):
206         (JSC::DFG::AbstractState::forNode):
207         (AbstractState):
208         (JSC::DFG::AbstractState::speculateInt32Unary):
209         (JSC::DFG::AbstractState::speculateNumberUnary):
210         (JSC::DFG::AbstractState::speculateBooleanUnary):
211         (JSC::DFG::AbstractState::speculateInt32Binary):
212         (JSC::DFG::AbstractState::speculateNumberBinary):
213         (JSC::DFG::AbstractState::trySetConstant):
214         * dfg/DFGAbstractValue.h:
215         (AbstractValue):
216         * dfg/DFGAdjacencyList.h:
217         (JSC::DFG::AdjacencyList::AdjacencyList):
218         (JSC::DFG::AdjacencyList::initialize):
219         * dfg/DFGAllocator.h: Added.
220         (DFG):
221         (Allocator):
222         (JSC::DFG::Allocator::Region::size):
223         (JSC::DFG::Allocator::Region::headerSize):
224         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
225         (JSC::DFG::Allocator::Region::data):
226         (JSC::DFG::Allocator::Region::isInThisRegion):
227         (JSC::DFG::Allocator::Region::regionFor):
228         (Region):
229         (JSC::DFG::::Allocator):
230         (JSC::DFG::::~Allocator):
231         (JSC::DFG::::allocate):
232         (JSC::DFG::::free):
233         (JSC::DFG::::freeAll):
234         (JSC::DFG::::reset):
235         (JSC::DFG::::indexOf):
236         (JSC::DFG::::allocatorOf):
237         (JSC::DFG::::bumpAllocate):
238         (JSC::DFG::::freeListAllocate):
239         (JSC::DFG::::allocateSlow):
240         (JSC::DFG::::freeRegionsStartingAt):
241         (JSC::DFG::::startBumpingIn):
242         * dfg/DFGArgumentsSimplificationPhase.cpp:
243         (JSC::DFG::ArgumentsSimplificationPhase::run):
244         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
245         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
246         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
247         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
248         (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
249         * dfg/DFGArrayMode.cpp:
250         (JSC::DFG::ArrayMode::originalArrayStructure):
251         (JSC::DFG::ArrayMode::alreadyChecked):
252         * dfg/DFGArrayMode.h:
253         (ArrayMode):
254         * dfg/DFGArrayifySlowPathGenerator.h:
255         (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
256         * dfg/DFGBasicBlock.h:
257         (JSC::DFG::BasicBlock::node):
258         (JSC::DFG::BasicBlock::isInPhis):
259         (JSC::DFG::BasicBlock::isInBlock):
260         (BasicBlock):
261         * dfg/DFGBasicBlockInlines.h:
262         (DFG):
263         * dfg/DFGByteCodeParser.cpp:
264         (ByteCodeParser):
265         (JSC::DFG::ByteCodeParser::getDirect):
266         (JSC::DFG::ByteCodeParser::get):
267         (JSC::DFG::ByteCodeParser::setDirect):
268         (JSC::DFG::ByteCodeParser::set):
269         (JSC::DFG::ByteCodeParser::setPair):
270         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
271         (JSC::DFG::ByteCodeParser::getLocal):
272         (JSC::DFG::ByteCodeParser::setLocal):
273         (JSC::DFG::ByteCodeParser::getArgument):
274         (JSC::DFG::ByteCodeParser::setArgument):
275         (JSC::DFG::ByteCodeParser::flushDirect):
276         (JSC::DFG::ByteCodeParser::getToInt32):
277         (JSC::DFG::ByteCodeParser::toInt32):
278         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
279         (JSC::DFG::ByteCodeParser::getJSConstant):
280         (JSC::DFG::ByteCodeParser::getCallee):
281         (JSC::DFG::ByteCodeParser::getThis):
282         (JSC::DFG::ByteCodeParser::setThis):
283         (JSC::DFG::ByteCodeParser::isJSConstant):
284         (JSC::DFG::ByteCodeParser::isInt32Constant):
285         (JSC::DFG::ByteCodeParser::valueOfJSConstant):
286         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
287         (JSC::DFG::ByteCodeParser::constantUndefined):
288         (JSC::DFG::ByteCodeParser::constantNull):
289         (JSC::DFG::ByteCodeParser::one):
290         (JSC::DFG::ByteCodeParser::constantNaN):
291         (JSC::DFG::ByteCodeParser::cellConstant):
292         (JSC::DFG::ByteCodeParser::addToGraph):
293         (JSC::DFG::ByteCodeParser::insertPhiNode):
294         (JSC::DFG::ByteCodeParser::addVarArgChild):
295         (JSC::DFG::ByteCodeParser::addCall):
296         (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
297         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
298         (JSC::DFG::ByteCodeParser::getPrediction):
299         (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
300         (JSC::DFG::ByteCodeParser::makeSafe):
301         (JSC::DFG::ByteCodeParser::makeDivSafe):
302         (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
303         (ConstantRecord):
304         (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
305         (PhiStackEntry):
306         (JSC::DFG::ByteCodeParser::handleCall):
307         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
308         (JSC::DFG::ByteCodeParser::handleInlining):
309         (JSC::DFG::ByteCodeParser::setIntrinsicResult):
310         (JSC::DFG::ByteCodeParser::handleMinMax):
311         (JSC::DFG::ByteCodeParser::handleIntrinsic):
312         (JSC::DFG::ByteCodeParser::handleGetByOffset):
313         (JSC::DFG::ByteCodeParser::handleGetById):
314         (JSC::DFG::ByteCodeParser::getScope):
315         (JSC::DFG::ByteCodeParser::parseResolveOperations):
316         (JSC::DFG::ByteCodeParser::parseBlock):
317         (JSC::DFG::ByteCodeParser::processPhiStack):
318         (JSC::DFG::ByteCodeParser::linkBlock):
319         (JSC::DFG::ByteCodeParser::parseCodeBlock):
320         (JSC::DFG::ByteCodeParser::parse):
321         * dfg/DFGCFAPhase.cpp:
322         (JSC::DFG::CFAPhase::performBlockCFA):
323         * dfg/DFGCFGSimplificationPhase.cpp:
324         (JSC::DFG::CFGSimplificationPhase::run):
325         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
326         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
327         (JSC::DFG::CFGSimplificationPhase::fixPhis):
328         (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
329         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
330         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
331         (OperandSubstitution):
332         (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
333         (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
334         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
335         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
336         * dfg/DFGCSEPhase.cpp:
337         (JSC::DFG::CSEPhase::canonicalize):
338         (JSC::DFG::CSEPhase::endIndexForPureCSE):
339         (JSC::DFG::CSEPhase::pureCSE):
340         (JSC::DFG::CSEPhase::constantCSE):
341         (JSC::DFG::CSEPhase::weakConstantCSE):
342         (JSC::DFG::CSEPhase::getCalleeLoadElimination):
343         (JSC::DFG::CSEPhase::getArrayLengthElimination):
344         (JSC::DFG::CSEPhase::globalVarLoadElimination):
345         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
346         (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
347         (JSC::DFG::CSEPhase::globalVarStoreElimination):
348         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
349         (JSC::DFG::CSEPhase::getByValLoadElimination):
350         (JSC::DFG::CSEPhase::checkFunctionElimination):
351         (JSC::DFG::CSEPhase::checkExecutableElimination):
352         (JSC::DFG::CSEPhase::checkStructureElimination):
353         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
354         (JSC::DFG::CSEPhase::putStructureStoreElimination):
355         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
356         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
357         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
358         (JSC::DFG::CSEPhase::checkArrayElimination):
359         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
360         (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
361         (JSC::DFG::CSEPhase::getLocalLoadElimination):
362         (JSC::DFG::CSEPhase::setLocalStoreElimination):
363         (JSC::DFG::CSEPhase::performSubstitution):
364         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
365         (JSC::DFG::CSEPhase::setReplacement):
366         (JSC::DFG::CSEPhase::eliminate):
367         (JSC::DFG::CSEPhase::performNodeCSE):
368         (JSC::DFG::CSEPhase::performBlockCSE):
369         (CSEPhase):
370         * dfg/DFGCommon.cpp: Added.
371         (DFG):
372         (JSC::DFG::NodePointerTraits::dump):
373         * dfg/DFGCommon.h:
374         (DFG):
375         (JSC::DFG::NodePointerTraits::defaultValue):
376         (NodePointerTraits):
377         (JSC::DFG::verboseCompilationEnabled):
378         (JSC::DFG::shouldDumpGraphAtEachPhase):
379         (JSC::DFG::validationEnabled):
380         * dfg/DFGConstantFoldingPhase.cpp:
381         (JSC::DFG::ConstantFoldingPhase::foldConstants):
382         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
383         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
384         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
385         * dfg/DFGDisassembler.cpp:
386         (JSC::DFG::Disassembler::Disassembler):
387         (JSC::DFG::Disassembler::createDumpList):
388         (JSC::DFG::Disassembler::dumpDisassembly):
389         * dfg/DFGDisassembler.h:
390         (JSC::DFG::Disassembler::setForNode):
391         (Disassembler):
392         * dfg/DFGDriver.cpp:
393         (JSC::DFG::compile):
394         * dfg/DFGEdge.cpp: Added.
395         (DFG):
396         (JSC::DFG::Edge::dump):
397         * dfg/DFGEdge.h:
398         (JSC::DFG::Edge::Edge):
399         (JSC::DFG::Edge::node):
400         (JSC::DFG::Edge::operator*):
401         (JSC::DFG::Edge::operator->):
402         (Edge):
403         (JSC::DFG::Edge::setNode):
404         (JSC::DFG::Edge::useKind):
405         (JSC::DFG::Edge::setUseKind):
406         (JSC::DFG::Edge::isSet):
407         (JSC::DFG::Edge::shift):
408         (JSC::DFG::Edge::makeWord):
409         (JSC::DFG::operator==):
410         (JSC::DFG::operator!=):
411         * dfg/DFGFixupPhase.cpp:
412         (JSC::DFG::FixupPhase::fixupBlock):
413         (JSC::DFG::FixupPhase::fixupNode):
414         (JSC::DFG::FixupPhase::checkArray):
415         (JSC::DFG::FixupPhase::blessArrayOperation):
416         (JSC::DFG::FixupPhase::fixIntEdge):
417         (JSC::DFG::FixupPhase::fixDoubleEdge):
418         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
419         (FixupPhase):
420         * dfg/DFGGenerationInfo.h:
421         (JSC::DFG::GenerationInfo::GenerationInfo):
422         (JSC::DFG::GenerationInfo::initConstant):
423         (JSC::DFG::GenerationInfo::initInteger):
424         (JSC::DFG::GenerationInfo::initJSValue):
425         (JSC::DFG::GenerationInfo::initCell):
426         (JSC::DFG::GenerationInfo::initBoolean):
427         (JSC::DFG::GenerationInfo::initDouble):
428         (JSC::DFG::GenerationInfo::initStorage):
429         (GenerationInfo):
430         (JSC::DFG::GenerationInfo::node):
431         (JSC::DFG::GenerationInfo::noticeOSRBirth):
432         (JSC::DFG::GenerationInfo::use):
433         (JSC::DFG::GenerationInfo::appendFill):
434         (JSC::DFG::GenerationInfo::appendSpill):
435         * dfg/DFGGraph.cpp:
436         (JSC::DFG::Graph::Graph):
437         (JSC::DFG::Graph::~Graph):
438         (DFG):
439         (JSC::DFG::Graph::dumpCodeOrigin):
440         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
441         (JSC::DFG::Graph::printNodeWhiteSpace):
442         (JSC::DFG::Graph::dump):
443         (JSC::DFG::Graph::dumpBlockHeader):
444         (JSC::DFG::Graph::refChildren):
445         (JSC::DFG::Graph::derefChildren):
446         (JSC::DFG::Graph::predictArgumentTypes):
447         (JSC::DFG::Graph::collectGarbage):
448         (JSC::DFG::Graph::determineReachability):
449         (JSC::DFG::Graph::resetExitStates):
450         * dfg/DFGGraph.h:
451         (Graph):
452         (JSC::DFG::Graph::ref):
453         (JSC::DFG::Graph::deref):
454         (JSC::DFG::Graph::changeChild):
455         (JSC::DFG::Graph::compareAndSwap):
456         (JSC::DFG::Graph::clearAndDerefChild):
457         (JSC::DFG::Graph::clearAndDerefChild1):
458         (JSC::DFG::Graph::clearAndDerefChild2):
459         (JSC::DFG::Graph::clearAndDerefChild3):
460         (JSC::DFG::Graph::convertToConstant):
461         (JSC::DFG::Graph::getJSConstantSpeculation):
462         (JSC::DFG::Graph::addSpeculationMode):
463         (JSC::DFG::Graph::valueAddSpeculationMode):
464         (JSC::DFG::Graph::arithAddSpeculationMode):
465         (JSC::DFG::Graph::addShouldSpeculateInteger):
466         (JSC::DFG::Graph::mulShouldSpeculateInteger):
467         (JSC::DFG::Graph::negateShouldSpeculateInteger):
468         (JSC::DFG::Graph::isConstant):
469         (JSC::DFG::Graph::isJSConstant):
470         (JSC::DFG::Graph::isInt32Constant):
471         (JSC::DFG::Graph::isDoubleConstant):
472         (JSC::DFG::Graph::isNumberConstant):
473         (JSC::DFG::Graph::isBooleanConstant):
474         (JSC::DFG::Graph::isCellConstant):
475         (JSC::DFG::Graph::isFunctionConstant):
476         (JSC::DFG::Graph::isInternalFunctionConstant):
477         (JSC::DFG::Graph::valueOfJSConstant):
478         (JSC::DFG::Graph::valueOfInt32Constant):
479         (JSC::DFG::Graph::valueOfNumberConstant):
480         (JSC::DFG::Graph::valueOfBooleanConstant):
481         (JSC::DFG::Graph::valueOfFunctionConstant):
482         (JSC::DFG::Graph::valueProfileFor):
483         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
484         (JSC::DFG::Graph::numSuccessors):
485         (JSC::DFG::Graph::successor):
486         (JSC::DFG::Graph::successorForCondition):
487         (JSC::DFG::Graph::isPredictedNumerical):
488         (JSC::DFG::Graph::byValIsPure):
489         (JSC::DFG::Graph::clobbersWorld):
490         (JSC::DFG::Graph::varArgNumChildren):
491         (JSC::DFG::Graph::numChildren):
492         (JSC::DFG::Graph::varArgChild):
493         (JSC::DFG::Graph::child):
494         (JSC::DFG::Graph::voteNode):
495         (JSC::DFG::Graph::voteChildren):
496         (JSC::DFG::Graph::substitute):
497         (JSC::DFG::Graph::substituteGetLocal):
498         (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
499         (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
500         * dfg/DFGInsertionSet.h:
501         (JSC::DFG::Insertion::Insertion):
502         (JSC::DFG::Insertion::element):
503         (Insertion):
504         (JSC::DFG::InsertionSet::insert):
505         (InsertionSet):
506         * dfg/DFGJITCompiler.cpp:
507         * dfg/DFGJITCompiler.h:
508         (JSC::DFG::JITCompiler::setForNode):
509         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
510         (JSC::DFG::JITCompiler::noticeOSREntry):
511         * dfg/DFGLongLivedState.cpp: Added.
512         (DFG):
513         (JSC::DFG::LongLivedState::LongLivedState):
514         (JSC::DFG::LongLivedState::~LongLivedState):
515         (JSC::DFG::LongLivedState::shrinkToFit):
516         * dfg/DFGLongLivedState.h: Added.
517         (DFG):
518         (LongLivedState):
519         * dfg/DFGMinifiedID.h:
520         (JSC::DFG::MinifiedID::MinifiedID):
521         (JSC::DFG::MinifiedID::node):
522         * dfg/DFGMinifiedNode.cpp:
523         (JSC::DFG::MinifiedNode::fromNode):
524         * dfg/DFGMinifiedNode.h:
525         (MinifiedNode):
526         * dfg/DFGNode.cpp: Added.
527         (DFG):
528         (JSC::DFG::Node::index):
529         (WTF):
530         (WTF::printInternal):
531         * dfg/DFGNode.h:
532         (DFG):
533         (JSC::DFG::Node::Node):
534         (Node):
535         (JSC::DFG::Node::convertToGetByOffset):
536         (JSC::DFG::Node::convertToPutByOffset):
537         (JSC::DFG::Node::ref):
538         (JSC::DFG::Node::shouldSpeculateInteger):
539         (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
540         (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
541         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
542         (JSC::DFG::Node::shouldSpeculateNumber):
543         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
544         (JSC::DFG::Node::shouldSpeculateFinalObject):
545         (JSC::DFG::Node::shouldSpeculateArray):
546         (JSC::DFG::Node::dumpChildren):
547         (WTF):
548         * dfg/DFGNodeAllocator.h: Added.
549         (DFG):
550         (operator new ):
551         * dfg/DFGOSRExit.cpp:
552         (JSC::DFG::OSRExit::OSRExit):
553         * dfg/DFGOSRExit.h:
554         (OSRExit):
555         (SpeculationFailureDebugInfo):
556         * dfg/DFGOSRExitCompiler.cpp:
557         * dfg/DFGOSRExitCompiler32_64.cpp:
558         (JSC::DFG::OSRExitCompiler::compileExit):
559         * dfg/DFGOSRExitCompiler64.cpp:
560         (JSC::DFG::OSRExitCompiler::compileExit):
561         * dfg/DFGOperations.cpp:
562         * dfg/DFGPhase.cpp:
563         (DFG):
564         (JSC::DFG::Phase::beginPhase):
565         (JSC::DFG::Phase::endPhase):
566         * dfg/DFGPhase.h:
567         (Phase):
568         (JSC::DFG::runAndLog):
569         * dfg/DFGPredictionPropagationPhase.cpp:
570         (JSC::DFG::PredictionPropagationPhase::setPrediction):
571         (JSC::DFG::PredictionPropagationPhase::mergePrediction):
572         (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
573         (JSC::DFG::PredictionPropagationPhase::isNotZero):
574         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
575         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
576         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
577         (JSC::DFG::PredictionPropagationPhase::propagate):
578         (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
579         (JSC::DFG::PredictionPropagationPhase::propagateForward):
580         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
581         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
582         (PredictionPropagationPhase):
583         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
584         * dfg/DFGScoreBoard.h:
585         (JSC::DFG::ScoreBoard::ScoreBoard):
586         (JSC::DFG::ScoreBoard::use):
587         (JSC::DFG::ScoreBoard::useIfHasResult):
588         (ScoreBoard):
589         * dfg/DFGSilentRegisterSavePlan.h:
590         (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
591         (JSC::DFG::SilentRegisterSavePlan::node):
592         (SilentRegisterSavePlan):
593         * dfg/DFGSlowPathGenerator.h:
594         (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
595         (JSC::DFG::SlowPathGenerator::generate):
596         (SlowPathGenerator):
597         * dfg/DFGSpeculativeJIT.cpp:
598         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
599         (JSC::DFG::SpeculativeJIT::speculationCheck):
600         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
601         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
602         (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
603         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
604         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
605         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
606         (JSC::DFG::SpeculativeJIT::silentSpill):
607         (JSC::DFG::SpeculativeJIT::silentFill):
608         (JSC::DFG::SpeculativeJIT::checkArray):
609         (JSC::DFG::SpeculativeJIT::arrayify):
610         (JSC::DFG::SpeculativeJIT::fillStorage):
611         (JSC::DFG::SpeculativeJIT::useChildren):
612         (JSC::DFG::SpeculativeJIT::isStrictInt32):
613         (JSC::DFG::SpeculativeJIT::isKnownInteger):
614         (JSC::DFG::SpeculativeJIT::isKnownNumeric):
615         (JSC::DFG::SpeculativeJIT::isKnownCell):
616         (JSC::DFG::SpeculativeJIT::isKnownNotCell):
617         (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
618         (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
619         (JSC::DFG::SpeculativeJIT::writeBarrier):
620         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
621         (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
622         (JSC::DFG::GPRTemporary::GPRTemporary):
623         (JSC::DFG::FPRTemporary::FPRTemporary):
624         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
625         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
626         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
627         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
628         (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
629         (JSC::DFG::SpeculativeJIT::compileMovHint):
630         (JSC::DFG::SpeculativeJIT::compile):
631         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
632         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
633         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
634         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
635         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
636         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
637         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
638         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
639         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
640         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
641         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
642         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
643         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
644         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
645         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
646         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
647         (JSC::DFG::SpeculativeJIT::compileSoftModulo):
648         (JSC::DFG::SpeculativeJIT::compileAdd):
649         (JSC::DFG::SpeculativeJIT::compileArithSub):
650         (JSC::DFG::SpeculativeJIT::compileArithNegate):
651         (JSC::DFG::SpeculativeJIT::compileArithMul):
652         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
653         (JSC::DFG::SpeculativeJIT::compileArithMod):
654         (JSC::DFG::SpeculativeJIT::compare):
655         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
656         (JSC::DFG::SpeculativeJIT::compileStrictEq):
657         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
658         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
659         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
660         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
661         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
662         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
663         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
664         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
665         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
666         * dfg/DFGSpeculativeJIT.h:
667         (SpeculativeJIT):
668         (JSC::DFG::SpeculativeJIT::canReuse):
669         (JSC::DFG::SpeculativeJIT::isFilled):
670         (JSC::DFG::SpeculativeJIT::isFilledDouble):
671         (JSC::DFG::SpeculativeJIT::use):
672         (JSC::DFG::SpeculativeJIT::isConstant):
673         (JSC::DFG::SpeculativeJIT::isJSConstant):
674         (JSC::DFG::SpeculativeJIT::isInt32Constant):
675         (JSC::DFG::SpeculativeJIT::isDoubleConstant):
676         (JSC::DFG::SpeculativeJIT::isNumberConstant):
677         (JSC::DFG::SpeculativeJIT::isBooleanConstant):
678         (JSC::DFG::SpeculativeJIT::isFunctionConstant):
679         (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
680         (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
681         (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
682         (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
683         (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
684         (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
685         (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
686         (JSC::DFG::SpeculativeJIT::isNullConstant):
687         (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
688         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
689         (JSC::DFG::SpeculativeJIT::integerResult):
690         (JSC::DFG::SpeculativeJIT::noResult):
691         (JSC::DFG::SpeculativeJIT::cellResult):
692         (JSC::DFG::SpeculativeJIT::booleanResult):
693         (JSC::DFG::SpeculativeJIT::jsValueResult):
694         (JSC::DFG::SpeculativeJIT::storageResult):
695         (JSC::DFG::SpeculativeJIT::doubleResult):
696         (JSC::DFG::SpeculativeJIT::initConstantInfo):
697         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
698         (JSC::DFG::SpeculativeJIT::isInteger):
699         (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
700         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
701         (JSC::DFG::SpeculativeJIT::setNodeForOperand):
702         (JSC::DFG::IntegerOperand::IntegerOperand):
703         (JSC::DFG::IntegerOperand::node):
704         (JSC::DFG::IntegerOperand::gpr):
705         (JSC::DFG::IntegerOperand::use):
706         (IntegerOperand):
707         (JSC::DFG::DoubleOperand::DoubleOperand):
708         (JSC::DFG::DoubleOperand::node):
709         (JSC::DFG::DoubleOperand::fpr):
710         (JSC::DFG::DoubleOperand::use):
711         (DoubleOperand):
712         (JSC::DFG::JSValueOperand::JSValueOperand):
713         (JSC::DFG::JSValueOperand::node):
714         (JSC::DFG::JSValueOperand::gpr):
715         (JSC::DFG::JSValueOperand::fill):
716         (JSC::DFG::JSValueOperand::use):
717         (JSValueOperand):
718         (JSC::DFG::StorageOperand::StorageOperand):
719         (JSC::DFG::StorageOperand::node):
720         (JSC::DFG::StorageOperand::gpr):
721         (JSC::DFG::StorageOperand::use):
722         (StorageOperand):
723         (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
724         (JSC::DFG::SpeculateIntegerOperand::node):
725         (JSC::DFG::SpeculateIntegerOperand::gpr):
726         (JSC::DFG::SpeculateIntegerOperand::use):
727         (SpeculateIntegerOperand):
728         (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
729         (JSC::DFG::SpeculateStrictInt32Operand::node):
730         (JSC::DFG::SpeculateStrictInt32Operand::gpr):
731         (JSC::DFG::SpeculateStrictInt32Operand::use):
732         (SpeculateStrictInt32Operand):
733         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
734         (JSC::DFG::SpeculateDoubleOperand::node):
735         (JSC::DFG::SpeculateDoubleOperand::fpr):
736         (JSC::DFG::SpeculateDoubleOperand::use):
737         (SpeculateDoubleOperand):
738         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
739         (JSC::DFG::SpeculateCellOperand::node):
740         (JSC::DFG::SpeculateCellOperand::gpr):
741         (JSC::DFG::SpeculateCellOperand::use):
742         (SpeculateCellOperand):
743         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
744         (JSC::DFG::SpeculateBooleanOperand::node):
745         (JSC::DFG::SpeculateBooleanOperand::gpr):
746         (JSC::DFG::SpeculateBooleanOperand::use):
747         (SpeculateBooleanOperand):
748         * dfg/DFGSpeculativeJIT32_64.cpp:
749         (JSC::DFG::SpeculativeJIT::fillInteger):
750         (JSC::DFG::SpeculativeJIT::fillDouble):
751         (JSC::DFG::SpeculativeJIT::fillJSValue):
752         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
753         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
754         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
755         (JSC::DFG::SpeculativeJIT::cachedPutById):
756         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
757         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
758         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
759         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
760         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
761         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
762         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
763         (JSC::DFG::SpeculativeJIT::emitCall):
764         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
765         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
766         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
767         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
768         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
769         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
770         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
771         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
772         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
773         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
774         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
775         (JSC::DFG::SpeculativeJIT::compileValueAdd):
776         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
777         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
778         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
779         (JSC::DFG::SpeculativeJIT::emitBranch):
780         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
781         (JSC::DFG::SpeculativeJIT::compile):
782         * dfg/DFGSpeculativeJIT64.cpp:
783         (JSC::DFG::SpeculativeJIT::fillInteger):
784         (JSC::DFG::SpeculativeJIT::fillDouble):
785         (JSC::DFG::SpeculativeJIT::fillJSValue):
786         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
787         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
788         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
789         (JSC::DFG::SpeculativeJIT::cachedPutById):
790         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
791         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
792         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
793         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
794         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
795         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
796         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
797         (JSC::DFG::SpeculativeJIT::emitCall):
798         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
799         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
800         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
801         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
802         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
803         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
804         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
805         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
806         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
807         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
808         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
809         (JSC::DFG::SpeculativeJIT::compileValueAdd):
810         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
811         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
812         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
813         (JSC::DFG::SpeculativeJIT::emitBranch):
814         (JSC::DFG::SpeculativeJIT::compile):
815         * dfg/DFGStructureAbstractValue.h:
816         (StructureAbstractValue):
817         * dfg/DFGStructureCheckHoistingPhase.cpp:
818         (JSC::DFG::StructureCheckHoistingPhase::run):
819         * dfg/DFGValidate.cpp:
820         (DFG):
821         (Validate):
822         (JSC::DFG::Validate::validate):
823         (JSC::DFG::Validate::reportValidationContext):
824         * dfg/DFGValidate.h:
825         * dfg/DFGValueSource.cpp:
826         (JSC::DFG::ValueSource::dump):
827         * dfg/DFGValueSource.h:
828         (JSC::DFG::ValueSource::ValueSource):
829         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
830         (JSC::DFG::VirtualRegisterAllocationPhase::run):
831         * runtime/FunctionExecutableDump.cpp: Added.
832         (JSC):
833         (JSC::FunctionExecutableDump::dump):
834         * runtime/FunctionExecutableDump.h: Added.
835         (JSC):
836         (FunctionExecutableDump):
837         (JSC::FunctionExecutableDump::FunctionExecutableDump):
838         * runtime/JSGlobalData.cpp:
839         (JSC::JSGlobalData::JSGlobalData):
840         * runtime/JSGlobalData.h:
841         (JSC):
842         (DFG):
843         (JSGlobalData):
844         * runtime/Options.h:
845         (JSC):
846
847 2013-01-28  Laszlo Gombos  <l.gombos@samsung.com>
848
849         Collapse testing for a list of PLATFORM() into OS() and USE() tests
850         https://bugs.webkit.org/show_bug.cgi?id=108018
851
852         Reviewed by Eric Seidel.
853
854         No functional change as "OS(DARWIN) && USE(CF)" equals the
855         following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
856         is not using JavaScriptCore. 
857
858         * runtime/DatePrototype.cpp:
859         (JSC):
860
861 2013-01-28  Geoffrey Garen  <ggaren@apple.com>
862
863         Static size inference for JavaScript objects
864         https://bugs.webkit.org/show_bug.cgi?id=108093
865
866         Reviewed by Phil Pizlo.
867
868         * API/JSObjectRef.cpp:
869         * JavaScriptCore.order:
870         * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.
871
872         * bytecode/CodeBlock.cpp:
873         (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
874         have an extra inferredInlineCapacity argument. This is the statically
875         inferred inline capacity, just from analyzing source text. op_new_object
876         also gets a pointer to an allocation profile. (For op_create_this, the
877         profile is in the constructor function.)
878
879         (JSC::CodeBlock::CodeBlock): Link op_new_object.
880
881         (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.
882
883         * bytecode/CodeBlock.h:
884         (CodeBlock): Removed some dead code. Added object allocation profiles.
885
886         * bytecode/Instruction.h:
887         (JSC): New union type, since an instruction operand may point to an
888         object allocation profile now.
889
890         * bytecode/ObjectAllocationProfile.h: Added.
891         (JSC):
892         (ObjectAllocationProfile):
893         (JSC::ObjectAllocationProfile::offsetOfAllocator):
894         (JSC::ObjectAllocationProfile::offsetOfStructure):
895         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
896         (JSC::ObjectAllocationProfile::isNull):
897         (JSC::ObjectAllocationProfile::initialize):
898         (JSC::ObjectAllocationProfile::structure):
899         (JSC::ObjectAllocationProfile::inlineCapacity):
900         (JSC::ObjectAllocationProfile::clear):
901         (JSC::ObjectAllocationProfile::visitAggregate):
902         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
903         for tracking a prediction about object allocation: structure, inline
904         capacity, allocator to use.
905
906         * bytecode/Opcode.h:
907         (JSC):
908         (JSC::padOpcodeName): Updated instruction sizes.
909
910         * bytecode/UnlinkedCodeBlock.cpp:
911         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
912         * bytecode/UnlinkedCodeBlock.h:
913         (JSC):
914         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
915         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
916         (UnlinkedCodeBlock): Unlinked support for allocation profiles.
917
918         * bytecompiler/BytecodeGenerator.cpp:
919         (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
920         end of codegen, since this is our last opportunity.
921
922         (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
923         analyzer to bytecode generation. It tracks initializing assignments and
924         makes a guess about how many will happen.
925
926         (JSC::BytecodeGenerator::newObjectAllocationProfile):
927         (JSC):
928         (JSC::BytecodeGenerator::emitProfiledOpcode):
929         (JSC::BytecodeGenerator::emitMove):
930         (JSC::BytecodeGenerator::emitResolve):
931         (JSC::BytecodeGenerator::emitResolveBase):
932         (JSC::BytecodeGenerator::emitResolveBaseForPut):
933         (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
934         (JSC::BytecodeGenerator::emitResolveWithThis):
935         (JSC::BytecodeGenerator::emitGetById):
936         (JSC::BytecodeGenerator::emitPutById):
937         (JSC::BytecodeGenerator::emitDirectPutById):
938         (JSC::BytecodeGenerator::emitPutGetterSetter):
939         (JSC::BytecodeGenerator::emitGetArgumentByVal):
940         (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
941         analyzer, so it can observe allocations and stores.
942
943         (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
944         function because it was a significant amount of logic, and I wanted to
945         add to it.
946
947         (JSC::BytecodeGenerator::emitNewObject):
948         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
949         (JSC::BytecodeGenerator::emitCall):
950         (JSC::BytecodeGenerator::emitCallVarargs):
951         (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
952         to track their stores, in case a store kills a profiled allocation. Since
953         profiled opcodes are basically the only interesting stores we do, this
954         is a convenient place to notice any store that might kill an allocation.
955
956         * bytecompiler/BytecodeGenerator.h:
957         (BytecodeGenerator): As above.
958
959         * bytecompiler/StaticPropertyAnalysis.h: Added.
960         (JSC):
961         (StaticPropertyAnalysis):
962         (JSC::StaticPropertyAnalysis::create):
963         (JSC::StaticPropertyAnalysis::addPropertyIndex):
964         (JSC::StaticPropertyAnalysis::record):
965         (JSC::StaticPropertyAnalysis::propertyIndexCount):
966         (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
967         class for tracking allocations and stores.
968
969         * bytecompiler/StaticPropertyAnalyzer.h: Added.
970         (StaticPropertyAnalyzer):
971         (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
972         (JSC::StaticPropertyAnalyzer::createThis):
973         (JSC::StaticPropertyAnalyzer::newObject):
974         (JSC::StaticPropertyAnalyzer::putById):
975         (JSC::StaticPropertyAnalyzer::mov):
976         (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
977         and stores and making an inline capacity guess. The heuristics here are
978         intentionally minimal because we don't want this one class to try to
979         re-create something like a DFG or a runtime analysis. If we discover that
980         we need those kinds of analyses, we should just replace this class with
981         something else.
982
983         This class tracks multiple registers that alias the same object -- that
984         happens a lot, when moving locals into temporary registers -- but it
985         doesn't track control flow or multiple objects that alias the same register.
986
987         * dfg/DFGAbstractState.cpp:
988         (JSC::DFG::AbstractState::execute): Updated for rename.
989
990         * dfg/DFGByteCodeParser.cpp:
991         (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
992         allocation profile.
993
994         * dfg/DFGNode.h:
995         (JSC::DFG::Node::hasInlineCapacity):
996         (Node):
997         (JSC::DFG::Node::inlineCapacity):
998         (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
999         inline capacity for an allocation.
1000
1001         * dfg/DFGNodeType.h:
1002         (DFG): Updated for rename.
1003
1004         * dfg/DFGOperations.cpp: Updated for interface change.
1005
1006         * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
1007         an argument. This is the simplest way, since it's stored as a bytecode operand.
1008
1009         * dfg/DFGPredictionPropagationPhase.cpp:
1010         (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.
1011
1012         * dfg/DFGRepatch.cpp:
1013         (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
1014         appears when doing an inline cached load for property number 64 on a 32-bit
1015         system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
1016         offset of the 64-bit JSValue -- but we'll actually issue two loads, one for
1017         the payload at that offset, and one for the tag at that offset + 4. We need
1018         to ensure that both loads have a compact representation, or we'll corrupt
1019         the instruction stream.
1020
1021         * dfg/DFGSpeculativeJIT.cpp:
1022         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1023         * dfg/DFGSpeculativeJIT.h:
1024         (JSC::DFG::SpeculativeJIT::callOperation):
1025         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1026         (SpeculativeJIT):
1027         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1028         * dfg/DFGSpeculativeJIT32_64.cpp:
1029         (JSC::DFG::SpeculativeJIT::compile):
1030         * dfg/DFGSpeculativeJIT64.cpp:
1031         (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
1032         passing an allocator to our allocation function, and/or passing a Structure
1033         as a register instead of an immediate.
1034
1035         * heap/MarkedAllocator.h:
1036         (DFG):
1037         (MarkedAllocator):
1038         (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
1039         JIT code generation of allocation from an arbitrary allocator.
1040
1041         * jit/JIT.h:
1042         (JSC):
1043         * jit/JITInlines.h:
1044         (JSC):
1045         (JSC::JIT::emitAllocateJSObject):
1046         * jit/JITOpcodes.cpp:
1047         (JSC::JIT::emit_op_new_object):
1048         (JSC::JIT::emitSlow_op_new_object):
1049         (JSC::JIT::emit_op_create_this):
1050         (JSC::JIT::emitSlow_op_create_this):
1051         * jit/JITOpcodes32_64.cpp:
1052         (JSC::JIT::emit_op_new_object):
1053         (JSC::JIT::emitSlow_op_new_object):
1054         (JSC::JIT::emit_op_create_this):
1055         (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.
1056
1057         * jit/JITStubs.cpp:
1058         (JSC::tryCacheGetByID): Fixed the same bug mentioned above.
1059
1060         (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.
1061
1062         * llint/LLIntData.cpp:
1063         (JSC::LLInt::Data::performAssertions): Updated for interface changes.
1064
1065         * llint/LLIntSlowPaths.cpp:
1066         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1067         * llint/LowLevelInterpreter.asm:
1068         * llint/LowLevelInterpreter32_64.asm:
1069         * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.
1070
1071         * profiler/ProfilerBytecode.cpp:
1072         * profiler/ProfilerBytecodes.cpp:
1073         * profiler/ProfilerCompilation.cpp:
1074         * profiler/ProfilerCompiledBytecode.cpp:
1075         * profiler/ProfilerDatabase.cpp:
1076         * profiler/ProfilerOSRExit.cpp:
1077         * profiler/ProfilerOrigin.cpp:
1078         * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
1079         because that's where createEmptyObject() lives now.
1080
1081         * runtime/Executable.h:
1082         (JSC::JSFunction::JSFunction): Updated for rename.
1083
1084         * runtime/JSCellInlines.h:
1085         (JSC::allocateCell): Updated to match the allocator selection code in
1086         the JIT, so it's clearer that both are correct.
1087
1088         * runtime/JSFunction.cpp:
1089         (JSC::JSFunction::JSFunction):
1090         (JSC::JSFunction::createAllocationProfile):
1091         (JSC::JSFunction::visitChildren):
1092         (JSC::JSFunction::getOwnPropertySlot):
1093         (JSC::JSFunction::put):
1094         (JSC::JSFunction::defineOwnProperty):
1095         (JSC::JSFunction::getConstructData):
1096         * runtime/JSFunction.h:
1097         (JSC::JSFunction::offsetOfScopeChain):
1098         (JSC::JSFunction::offsetOfExecutable):
1099         (JSC::JSFunction::offsetOfAllocationProfile):
1100         (JSC::JSFunction::allocationProfile):
1101         (JSFunction):
1102         (JSC::JSFunction::tryGetAllocationProfile):
1103         (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
1104         data member to be an ObjectAllocationProfile, which includes a pointer
1105         to the desired allocator. This simplifies JIT code, since we don't have
1106         to compute the allocator on the fly. I verified by code inspection that
1107         JSFunction is still only 64 bytes.
1108
1109         * runtime/JSGlobalObject.cpp:
1110         (JSC::JSGlobalObject::reset):
1111         (JSC::JSGlobalObject::visitChildren):
1112         * runtime/JSGlobalObject.h:
1113         (JSGlobalObject):
1114         (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
1115         object structure anymore, because now clients need to specify how much
1116         inline capacity they want.
1117
1118         * runtime/JSONObject.cpp:
1119         * runtime/JSObject.h:
1120         (JSC):
1121         (JSFinalObject):
1122         (JSC::JSFinalObject::defaultInlineCapacity):
1123         (JSC::JSFinalObject::maxInlineCapacity):
1124         (JSC::JSFinalObject::createStructure): A little refactoring to try to 
1125         clarify where some of these constants derive from.
1126
1127         (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.
1128
1129         * runtime/JSProxy.cpp:
1130         (JSC::JSProxy::setTarget): Ugly, but effective.
1131
1132         * runtime/LiteralParser.cpp:
1133         * runtime/ObjectConstructor.cpp:
1134         (JSC::constructObject):
1135         (JSC::constructWithObjectConstructor):
1136         (JSC::callObjectConstructor):
1137         (JSC::objectConstructorCreate): Updated for interface changes.
1138
1139         * runtime/ObjectConstructor.h:
1140         (JSC::constructEmptyObject): Clarified your options for how to allocate
1141         an empty object, to emphasize what things can actually vary.
1142
1143         * runtime/PropertyOffset.h: These constants have moved because they're
1144         really higher level concepts to do with the layout of objects and the
1145         collector. PropertyOffset is just an abstract number line, independent
1146         of those things.
1147
1148         * runtime/PrototypeMap.cpp:
1149         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
1150         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1151         * runtime/PrototypeMap.h:
1152         (PrototypeMap): The map key is now a pair of prototype and inline capacity,
1153         since Structure encodes inline capacity.
1154
1155         * runtime/Structure.cpp:
1156         (JSC::Structure::Structure):
1157         (JSC::Structure::materializePropertyMap):
1158         (JSC::Structure::addPropertyTransition):
1159         (JSC::Structure::nonPropertyTransition):
1160         (JSC::Structure::copyPropertyTableForPinning):
1161         * runtime/Structure.h:
1162         (Structure):
1163         (JSC::Structure::totalStorageSize):
1164         (JSC::Structure::transitionCount):
1165         (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
1166         up after enabling variable-sized inline capacities: we were passing our
1167         type info where our inline capacity was expected. The compiler didn't
1168         notice because both have type int :(.
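
A toy model of the StaticPropertyAnalyzer / StaticPropertyAnalysis pair described in this entry, added here as an illustration and not JSC's own code: virtual registers and property ids are plain ints, a `size_t` slot stands in for the inferredInlineCapacity operand, and the guess is committed when the last register aliasing the object dies (an assumption about when the real record() runs). It follows the entry's stated limits, tracking register aliasing but neither control flow nor two objects in one register.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <set>

// Hypothetical stand-in for StaticPropertyAnalysis: one per allocation, shared
// by every register that currently aliases that allocation. It remembers the
// distinct property ids stored into the object and writes the guess out when
// the last alias is gone (our assumption about record() timing).
class StaticPropertyAnalysis {
public:
    explicit StaticPropertyAnalysis(size_t* inlineCapacitySlot)
        : m_slot(inlineCapacitySlot) { }
    ~StaticPropertyAnalysis() { record(); }

    void addPropertyIndex(int propertyId) { m_propertyIds.insert(propertyId); }
    size_t propertyIndexCount() const { return m_propertyIds.size(); }
    // Commit the inline-capacity guess for this allocation.
    void record() { *m_slot = m_propertyIds.size(); }

private:
    size_t* m_slot;
    std::set<int> m_propertyIds;
};

// Hypothetical stand-in for StaticPropertyAnalyzer: maps a virtual register to
// the analysis of the object it holds right now. No control-flow tracking; a
// register aliases at most one object, as the ChangeLog entry describes.
class StaticPropertyAnalyzer {
public:
    // op_new_object / op_create_this: dst now holds a fresh allocation.
    void newObject(int dst, size_t* inlineCapacitySlot) {
        kill(dst);
        m_analyses[dst] = std::make_shared<StaticPropertyAnalysis>(inlineCapacitySlot);
    }
    void createThis(int dst, size_t* inlineCapacitySlot) { newObject(dst, inlineCapacitySlot); }

    // op_put_by_id: an initializing store through whatever `base` aliases.
    void putById(int base, int propertyId) {
        auto it = m_analyses.find(base);
        if (it != m_analyses.end())
            it->second->addPropertyIndex(propertyId);
    }

    // op_mov: dst now aliases the same object as src (or nothing at all).
    void mov(int dst, int src) {
        if (dst == src)
            return;
        kill(dst);
        auto it = m_analyses.find(src);
        if (it != m_analyses.end())
            m_analyses[dst] = it->second;
    }

    // Any profiled opcode that writes dst with a value we cannot reason about
    // (a call result, a load, ...) kills whatever dst used to alias.
    void kill(int dst) { m_analyses.erase(dst); }

    // End of codegen: the last opportunity to commit every live guess.
    void killAll() { m_analyses.clear(); }

private:
    std::map<int, std::shared_ptr<StaticPropertyAnalysis>> m_analyses;
};

// Constructed bytecode sketch for: function Point(x, y) { this.x = x; this.y = y; }
size_t guessForPointConstructor() {
    size_t capacity = 0;
    StaticPropertyAnalyzer analyzer;
    const int thisReg = 0, tmpReg = 1, propX = 10, propY = 11;
    analyzer.createThis(thisReg, &capacity);
    analyzer.putById(thisReg, propX);
    analyzer.mov(tmpReg, thisReg);   // codegen moved `this` into a temporary
    analyzer.putById(tmpReg, propY); // the store through the alias still counts
    analyzer.putById(tmpReg, propX); // a repeated store to x does not add capacity
    analyzer.killAll();              // end of codegen commits the guess
    return capacity;                 // 2
}

// Constructed bytecode sketch for: var o = {}; o.a = 1; o = f(); o.b = 2;
// The call result overwrites o's register, so the analysis is killed early and
// the later store is attributed to an object we no longer know anything about.
size_t guessWhenRegisterIsClobbered() {
    size_t capacity = 0;
    StaticPropertyAnalyzer analyzer;
    const int oReg = 0, propA = 20, propB = 21;
    analyzer.newObject(oReg, &capacity);
    analyzer.putById(oReg, propA);
    analyzer.kill(oReg);             // profiled op_call wrote its result into oReg
    analyzer.putById(oReg, propB);   // unknown object: ignored
    analyzer.killAll();
    return capacity;                 // 1
}
```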
1169
1170 2013-01-28  Oliver Hunt  <oliver@apple.com>
1171
1172         Add more assertions to the property storage use in arrays
1173         https://bugs.webkit.org/show_bug.cgi?id=107728
1174
1175         Reviewed by Filip Pizlo.
1176
1177         Add a bunch of assertions to array and object butterfly
1178         usage.  This should make debugging somewhat easier.
1179
1180         I also converted a couple of assertions to release asserts
1181         as they were so low cost it seemed a sensible thing to do.
1182
1183         * runtime/JSArray.cpp:
1184         (JSC::JSArray::sortVector):
1185         (JSC::JSArray::compactForSorting):
1186         * runtime/JSObject.h:
1187         (JSC::JSObject::getHolyIndexQuickly):
1188
1189 2013-01-28  Adam Barth  <abarth@webkit.org>
1190
1191         Remove webkitNotifications.createHTMLNotification
1192         https://bugs.webkit.org/show_bug.cgi?id=107598
1193
1194         Reviewed by Benjamin Poulain.
1195
1196         * Configurations/FeatureDefines.xcconfig:
1197
1198 2013-01-28  Michael Saboff  <msaboff@apple.com>
1199
1200         Cleanup ARM version of debugName() in DFGFPRInfo.h
1201         https://bugs.webkit.org/show_bug.cgi?id=108090
1202
1203         Reviewed by David Kilzer.
1204
1205         Fixed debugName() so it will compile by adding static_cast<int> and missing commas.
1206
1207         * dfg/DFGFPRInfo.h:
1208         (JSC::DFG::FPRInfo::debugName):
1209
1210 2013-01-27  Andreas Kling  <akling@apple.com>
1211
1212         JSC: FunctionParameters are memory hungry.
1213         <http://webkit.org/b/108033>
1214         <rdar://problem/13094803>
1215
1216         Reviewed by Sam Weinig.
1217
1218         Instead of inheriting from Vector<Identifier>, make FunctionParameters a simple fixed-size array
1219         with a custom-allocating create() function. Removes one step of indirection and cuts memory usage
1220         roughly in half.
1221
1222         2.73 MB progression on Membuster3.
1223
1224         * bytecode/UnlinkedCodeBlock.cpp:
1225         (JSC::UnlinkedFunctionExecutable::paramString):
1226         * bytecompiler/BytecodeGenerator.cpp:
1227         (JSC::BytecodeGenerator::BytecodeGenerator):
1228         * parser/Nodes.cpp:
1229         (JSC::FunctionParameters::create):
1230         (JSC::FunctionParameters::FunctionParameters):
1231         (JSC::FunctionParameters::~FunctionParameters):
1232         * parser/Nodes.h:
1233         (FunctionParameters):
1234         (JSC::FunctionParameters::size):
1235         (JSC::FunctionParameters::at):
1236         (JSC::FunctionParameters::identifiers):
1237
1238 2013-01-27  Andreas Kling  <akling@apple.com>
1239
1240         JSC: SourceProviderCache is memory hungry.
1241         <http://webkit.org/b/108029>
1242         <rdar://problem/13094806>
1243
1244         Reviewed by Sam Weinig.
1245
1246         Use fixed-size arrays for SourceProviderCacheItem's lists of captured variables.
1247         Since the lists never change after the object is created, there's no need to keep them in Vectors
1248         and we can instead create the whole cache item in a single allocation.
1249
1250         13.37 MB progression on Membuster3.
1251
1252         * parser/Parser.cpp:
1253         (JSC::::parseFunctionInfo):
1254         * parser/Parser.h:
1255         (JSC::Scope::copyCapturedVariablesToVector):
1256         (JSC::Scope::fillParametersForSourceProviderCache):
1257         (JSC::Scope::restoreFromSourceProviderCache):
1258         * parser/SourceProviderCacheItem.h:
1259         (SourceProviderCacheItemCreationParameters):
1260         (SourceProviderCacheItem):
1261         (JSC::SourceProviderCacheItem::approximateByteSize):
1262         (JSC::SourceProviderCacheItem::usedVariables):
1263         (JSC::SourceProviderCacheItem::writtenVariables):
1264         (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
1265         (JSC::SourceProviderCacheItem::create):
1266         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1267
1268 2013-01-27  Zoltan Arvai  <zarvai@inf.u-szeged.hu>
1269
1270         Fixing atomicIncrement implementation for Windows by dropping support before XP SP2.
1271         https://bugs.webkit.org/show_bug.cgi?id=106740
1272
1273         Reviewed by Benjamin Poulain.
1274
1275         * config.h:
1276
1277 2013-01-25  Filip Pizlo  <fpizlo@apple.com>
1278
1279         DFG variable event stream shouldn't use NodeIndex
1280         https://bugs.webkit.org/show_bug.cgi?id=107996
1281
1282         Reviewed by Oliver Hunt.
1283         
1284         Introduce the notion of a DFG::MinifiedID, which is just a unique ID of a DFG Node.
1285         Internally it currently uses a NodeIndex, but we could change this without having
1286         to recode all of the users of MinifiedID. This effectively decouples the OSR exit
1287         compiler's way of identifying nodes from the speculative JIT's way of identifying
1288         nodes, and should make it easier to make changes to the speculative JIT's internals
1289         in the future.
1290         
1291         Also changed variable event stream logging to exclude information about births and
1292         deaths of constants, since the OSR exit compiler never cares about which register
1293         holds a constant; if a value is constant then the OSR exit compiler can reify it.
1294         
1295         Also changed the variable event stream's value recovery computation to use a
1296         HashMap keyed by MinifiedID rather than a Vector indexed by NodeIndex.
1297         
1298         This appears to be performance-neutral. It's primarily meant as a small step
1299         towards https://bugs.webkit.org/show_bug.cgi?id=106868.
1300
1301         * GNUmakefile.list.am:
1302         * JavaScriptCore.xcodeproj/project.pbxproj:
1303         * dfg/DFGGenerationInfo.h:
1304         (JSC::DFG::GenerationInfo::GenerationInfo):
1305         (JSC::DFG::GenerationInfo::initConstant):
1306         (JSC::DFG::GenerationInfo::initInteger):
1307         (JSC::DFG::GenerationInfo::initJSValue):
1308         (JSC::DFG::GenerationInfo::initCell):
1309         (JSC::DFG::GenerationInfo::initBoolean):
1310         (JSC::DFG::GenerationInfo::initDouble):
1311         (JSC::DFG::GenerationInfo::initStorage):
1312         (JSC::DFG::GenerationInfo::noticeOSRBirth):
1313         (JSC::DFG::GenerationInfo::use):
1314         (JSC::DFG::GenerationInfo::appendFill):
1315         (JSC::DFG::GenerationInfo::appendSpill):
1316         (GenerationInfo):
1317         * dfg/DFGJITCompiler.cpp:
1318         (JSC::DFG::JITCompiler::link):
1319         * dfg/DFGMinifiedGraph.h:
1320         (JSC::DFG::MinifiedGraph::at):
1321         (MinifiedGraph):
1322         * dfg/DFGMinifiedID.h: Added.
1323         (DFG):
1324         (MinifiedID):
1325         (JSC::DFG::MinifiedID::MinifiedID):
1326         (JSC::DFG::MinifiedID::operator!):
1327         (JSC::DFG::MinifiedID::nodeIndex):
1328         (JSC::DFG::MinifiedID::operator==):
1329         (JSC::DFG::MinifiedID::operator!=):
1330         (JSC::DFG::MinifiedID::operator<):
1331         (JSC::DFG::MinifiedID::operator>):
1332         (JSC::DFG::MinifiedID::operator<=):
1333         (JSC::DFG::MinifiedID::operator>=):
1334         (JSC::DFG::MinifiedID::hash):
1335         (JSC::DFG::MinifiedID::dump):
1336         (JSC::DFG::MinifiedID::isHashTableDeletedValue):
1337         (JSC::DFG::MinifiedID::invalidID):
1338         (JSC::DFG::MinifiedID::otherInvalidID):
1339         (JSC::DFG::MinifiedID::fromBits):
1340         (JSC::DFG::MinifiedIDHash::hash):
1341         (JSC::DFG::MinifiedIDHash::equal):
1342         (MinifiedIDHash):
1343         (WTF):
1344         * dfg/DFGMinifiedNode.cpp:
1345         (JSC::DFG::MinifiedNode::fromNode):
1346         * dfg/DFGMinifiedNode.h:
1347         (JSC::DFG::MinifiedNode::id):
1348         (JSC::DFG::MinifiedNode::child1):
1349         (JSC::DFG::MinifiedNode::getID):
1350         (JSC::DFG::MinifiedNode::compareByNodeIndex):
1351         (MinifiedNode):
1352         * dfg/DFGSpeculativeJIT.cpp:
1353         (JSC::DFG::SpeculativeJIT::compileMovHint):
1354         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1355         * dfg/DFGSpeculativeJIT.h:
1356         (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
1357         * dfg/DFGValueSource.cpp:
1358         (JSC::DFG::ValueSource::dump):
1359         * dfg/DFGValueSource.h:
1360         (JSC::DFG::ValueSource::ValueSource):
1361         (JSC::DFG::ValueSource::isSet):
1362         (JSC::DFG::ValueSource::kind):
1363         (JSC::DFG::ValueSource::id):
1364         (ValueSource):
1365         (JSC::DFG::ValueSource::idFromKind):
1366         (JSC::DFG::ValueSource::kindFromID):
1367         * dfg/DFGVariableEvent.cpp:
1368         (JSC::DFG::VariableEvent::dump):
1369         (JSC::DFG::VariableEvent::dumpFillInfo):
1370         (JSC::DFG::VariableEvent::dumpSpillInfo):
1371         * dfg/DFGVariableEvent.h:
1372         (JSC::DFG::VariableEvent::fillGPR):
1373         (JSC::DFG::VariableEvent::fillPair):
1374         (JSC::DFG::VariableEvent::fillFPR):
1375         (JSC::DFG::VariableEvent::spill):
1376         (JSC::DFG::VariableEvent::death):
1377         (JSC::DFG::VariableEvent::movHint):
1378         (JSC::DFG::VariableEvent::id):
1379         (VariableEvent):
1380         * dfg/DFGVariableEventStream.cpp:
1381         (DFG):
1382         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
1383         (JSC::DFG::VariableEventStream::reconstruct):
1384         * dfg/DFGVariableEventStream.h:
1385         (VariableEventStream):
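
The entry above describes an opaque node ID (MinifiedID) that hides its NodeIndex from the OSR exit compiler and is used as a HashMap key when reconstructing value recoveries from the variable event stream. The following is an added example, not WebKit code, sketching that shape in plain C++: the ID only exposes comparison, hashing and dumping; the wrapped index is a private detail; and a toy `reconstruct()` replays a constructed fill/spill/death stream into a map keyed by the ID. The names `ValueRecovery`, `VariableEvent`, `reconstruct` and `recoveryAt`, and the sample stream, are modelled on the ChangeLog's vocabulary and are assumptions, not the DFG's real types.

```cpp
// Added example (not WebKit code): an opaque node ID in the spirit of DFG::MinifiedID.
// Users of the ID only compare, hash and dump it; that it wraps a NodeIndex is a private
// detail that can change without recoding the users. All names here are illustrative.
#include <cstdint>
#include <functional>
#include <string>
#include <unordered_map>
#include <vector>

using NodeIndex = uint32_t;

class MinifiedID {
public:
    MinifiedID() : m_index(invalidIndex) {}
    explicit MinifiedID(NodeIndex index) : m_index(index) {}

    bool operator!() const { return m_index == invalidIndex; }
    bool operator==(MinifiedID o) const { return m_index == o.m_index; }
    bool operator!=(MinifiedID o) const { return m_index != o.m_index; }
    bool operator<(MinifiedID o) const { return m_index < o.m_index; }
    size_t hash() const { return std::hash<NodeIndex>()(m_index); }
    std::string dump() const { return !*this ? "<invalid>" : "@" + std::to_string(m_index); }

    // The single accessor that leaks the representation; only the ID's owner should use it.
    NodeIndex nodeIndex() const { return m_index; }
private:
    static constexpr NodeIndex invalidIndex = UINT32_MAX;
    NodeIndex m_index;
};

struct MinifiedIDHash { size_t operator()(MinifiedID id) const { return id.hash(); } };

// Where a node's value lives at an OSR exit: a register, a stack slot, or nowhere (dead).
struct ValueRecovery { enum Kind { InGPR, OnStack, Dead } kind; int location; };

struct VariableEvent {
    enum Kind { Fill, Spill, Death } kind;
    MinifiedID id;
    int location;  // GPR number for Fill, stack slot for Spill, unused for Death
};

// Replays the stream up to (not including) exitIndex and answers "where is each live
// node now?", keyed by the opaque ID rather than indexed by NodeIndex.
std::unordered_map<MinifiedID, ValueRecovery, MinifiedIDHash>
reconstruct(const std::vector<VariableEvent>& stream, size_t exitIndex) {
    std::unordered_map<MinifiedID, ValueRecovery, MinifiedIDHash> recoveries;
    for (size_t i = 0; i < exitIndex && i < stream.size(); ++i) {
        const VariableEvent& e = stream[i];
        switch (e.kind) {
        case VariableEvent::Fill:  recoveries[e.id] = {ValueRecovery::InGPR, e.location}; break;
        case VariableEvent::Spill: recoveries[e.id] = {ValueRecovery::OnStack, e.location}; break;
        case VariableEvent::Death: recoveries.erase(e.id); break;
        }
    }
    return recoveries;
}

// Constructed sample stream: node 7 is filled into GPR 3 and later spilled to slot -2;
// node 9 is filled into GPR 1 and dies before an exit placed after event 4.
static const std::vector<VariableEvent> kStream = {
    {VariableEvent::Fill,  MinifiedID(7), 3},
    {VariableEvent::Fill,  MinifiedID(9), 1},
    {VariableEvent::Spill, MinifiedID(7), -2},
    {VariableEvent::Death, MinifiedID(9), 0},
};

// Single lookup against the sample stream; Dead for anything never filled or already killed.
ValueRecovery recoveryAt(size_t exitIndex, MinifiedID id) {
    auto map = reconstruct(kStream, exitIndex);
    auto it = map.find(id);
    return it == map.end() ? ValueRecovery{ValueRecovery::Dead, 0} : it->second;
}
```

Because every caller goes through `MinifiedID`'s comparison and hash, swapping the representation (say, from a NodeIndex to a pointer or a dense renumbering) touches only the class body; the map-keyed reconstruction is also what lets the stream skip constants entirely, since a constant never needs a location.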
1386
1387 2013-01-25  Roger Fong  <roger_fong@apple.com>
1388
1389         Unreviewed. Rename LLInt projects folder and make appropriate changes to solutions.
1390
1391         * JavaScriptCore.vcxproj/JavaScriptCore.sln:
1392         * JavaScriptCore.vcxproj/LLInt: Copied from JavaScriptCore.vcxproj/LLInt.vcproj.
1393         * JavaScriptCore.vcxproj/LLInt.vcproj: Removed.
1394         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Removed.
1395         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
1396         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
1397         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Removed.
1398         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
1399         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Removed.
1400         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
1401         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
1402         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Removed.
1403         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
1404         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Removed.
1405         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
1406         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Removed.
1407         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
1408         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
1409         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.
1410
1411 2013-01-24  Roger Fong  <roger_fong@apple.com>
1412
1413         VS2010 JavascriptCore: Clean up property sheets, add a JSC solution, add testRegExp and testAPI projects.
1414         https://bugs.webkit.org/show_bug.cgi?id=106987
1415
1416         Reviewed by Brent Fulgham.
1417
1418         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
1419         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
1420         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1421         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
1422         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1423         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
1424         * JavaScriptCore.vcxproj/jsc/jscDebug.props:
1425         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
1426         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
1427         * JavaScriptCore.vcxproj/testRegExp: Added.
1428         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Added.
1429         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Added.
1430         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.user: Added.
1431         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Added.
1432         * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Added.
1433         * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Added.
1434         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Added.
1435         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Added.
1436         * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Added.
1437         * JavaScriptCore.vcxproj/testapi: Added.
1438         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Added.
1439         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Added.
1440         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.user: Added.
1441         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Added.
1442         * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Added.
1443         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Added.
1444         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Added.
1445         * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Added.
1446         * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Added.
1447
1448 2013-01-24  Roger Fong  <roger_fong@apple.com>
1449
1450         Unreviewed. Windows build fix.
1451
1452         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
1453
1454 2013-01-24  Filip Pizlo  <fpizlo@apple.com>
1455
1456         DFG::JITCompiler::getSpeculation() methods are badly named and superfluous
1457         https://bugs.webkit.org/show_bug.cgi?id=107860
1458
1459         Reviewed by Mark Hahnenberg.
1460
1461         * dfg/DFGJITCompiler.h:
1462         (JITCompiler):
1463         * dfg/DFGSpeculativeJIT64.cpp:
1464         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1465         (JSC::DFG::SpeculativeJIT::emitBranch):
1466
1467 2013-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>
1468
1469         Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h
1470         https://bugs.webkit.org/show_bug.cgi?id=107327
1471
1472         Reviewed by Filip Pizlo.
1473
1474         We're renaming these two files, so we have to replace the names everywhere.
1475
1476         * API/APICast.h:
1477         * API/APIJSValue.h: Removed.
1478         * API/JSBlockAdaptor.mm:
1479         * API/JSStringRefCF.cpp:
1480         * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
1481         * API/JSValue.mm:
1482         * API/JSValueInternal.h:
1483         * API/JSValueRef.cpp:
1484         * API/JSWeakObjectMapRefPrivate.cpp:
1485         * API/JavaScriptCore.h:
1486         * CMakeLists.txt:
1487         * GNUmakefile.list.am:
1488         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1489         * JavaScriptCore.xcodeproj/project.pbxproj:
1490         * Target.pri:
1491         * bytecode/CallLinkStatus.h:
1492         * bytecode/CodeBlock.cpp:
1493         * bytecode/MethodOfGettingAValueProfile.h:
1494         * bytecode/ResolveGlobalStatus.cpp:
1495         * bytecode/ResolveGlobalStatus.h:
1496         * bytecode/SpeculatedType.h:
1497         * bytecode/ValueRecovery.h:
1498         * dfg/DFGByteCodeParser.cpp:
1499         * dfg/DFGJITCompiler.cpp:
1500         * dfg/DFGNode.h:
1501         * dfg/DFGSpeculativeJIT.cpp:
1502         * dfg/DFGSpeculativeJIT64.cpp:
1503         * heap/CopiedBlock.h:
1504         * heap/HandleStack.cpp:
1505         * heap/HandleTypes.h:
1506         * heap/WeakImpl.h:
1507         * interpreter/Interpreter.h:
1508         * interpreter/Register.h:
1509         * interpreter/VMInspector.h:
1510         * jit/HostCallReturnValue.cpp:
1511         * jit/HostCallReturnValue.h:
1512         * jit/JITCode.h:
1513         * jit/JITExceptions.cpp:
1514         * jit/JITExceptions.h:
1515         * jit/JSInterfaceJIT.h:
1516         * llint/LLIntCLoop.h:
1517         * llint/LLIntData.h:
1518         * llint/LLIntSlowPaths.cpp:
1519         * profiler/ProfilerBytecode.h:
1520         * profiler/ProfilerBytecodeSequence.h:
1521         * profiler/ProfilerBytecodes.h:
1522         * profiler/ProfilerCompilation.h:
1523         * profiler/ProfilerCompiledBytecode.h:
1524         * profiler/ProfilerDatabase.h:
1525         * profiler/ProfilerOSRExit.h:
1526         * profiler/ProfilerOSRExitSite.h:
1527         * profiler/ProfilerOrigin.h:
1528         * profiler/ProfilerOriginStack.h:
1529         * runtime/ArgList.cpp:
1530         * runtime/CachedTranscendentalFunction.h:
1531         * runtime/CallData.h:
1532         * runtime/Completion.h:
1533         * runtime/ConstructData.h:
1534         * runtime/DateConstructor.cpp:
1535         * runtime/DateInstance.cpp:
1536         * runtime/DatePrototype.cpp:
1537         * runtime/JSAPIValueWrapper.h:
1538         * runtime/JSCJSValue.cpp: Copied from Source/JavaScriptCore/runtime/JSValue.cpp.
1539         * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h.
1540         (JSValue):
1541         * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h.
1542         * runtime/JSGlobalData.h:
1543         * runtime/JSGlobalObject.cpp:
1544         * runtime/JSGlobalObjectFunctions.h:
1545         * runtime/JSStringJoiner.h:
1546         * runtime/JSValue.cpp: Removed.
1547         * runtime/JSValue.h: Removed.
1548         * runtime/JSValueInlines.h: Removed.
1549         * runtime/LiteralParser.h:
1550         * runtime/Operations.h:
1551         * runtime/PropertyDescriptor.h:
1552         * runtime/PropertySlot.h:
1553         * runtime/Protect.h:
1554         * runtime/RegExpPrototype.cpp:
1555         * runtime/Structure.h:
1556
1557 2013-01-23  Oliver Hunt  <oliver@apple.com>
1558
1559         Harden JSC a bit with RELEASE_ASSERT
1560         https://bugs.webkit.org/show_bug.cgi?id=107766
1561
1562         Reviewed by Mark Hahnenberg.
1563
1564         Went through and replaced a pile of ASSERTs that were covering
1565         significantly important details (bounds checks, etc) where
1566         having the checks did not impact release performance in any
1567         measurable way.
1568
1569         * API/JSContextRef.cpp:
1570         (JSContextCreateBacktrace):
1571         * assembler/MacroAssembler.h:
1572         (JSC::MacroAssembler::branchAdd32):
1573         (JSC::MacroAssembler::branchMul32):
1574         * bytecode/CodeBlock.cpp:
1575         (JSC::CodeBlock::dumpBytecode):
1576         (JSC::CodeBlock::handlerForBytecodeOffset):
1577         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1578         (JSC::CodeBlock::bytecodeOffset):
1579         * bytecode/CodeBlock.h:
1580         (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
1581         (JSC::CodeBlock::bytecodeOffset):
1582         (JSC::CodeBlock::exceptionHandler):
1583         (JSC::CodeBlock::codeOrigin):
1584         (JSC::CodeBlock::immediateSwitchJumpTable):
1585         (JSC::CodeBlock::characterSwitchJumpTable):
1586         (JSC::CodeBlock::stringSwitchJumpTable):
1587         (JSC::CodeBlock::setIdentifiers):
1588         (JSC::baselineCodeBlockForInlineCallFrame):
1589         (JSC::ExecState::uncheckedR):
1590         * bytecode/CodeOrigin.cpp:
1591         (JSC::CodeOrigin::inlineStack):
1592         * bytecode/CodeOrigin.h:
1593         (JSC::CodeOrigin::CodeOrigin):
1594         * dfg/DFGCSEPhase.cpp:
1595         * dfg/DFGOSRExit.cpp:
1596         * dfg/DFGScratchRegisterAllocator.h:
1597         (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
1598         (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
1599         * dfg/DFGSpeculativeJIT.h:
1600         (JSC::DFG::SpeculativeJIT::allocate):
1601         (JSC::DFG::SpeculativeJIT::spill):
1602         (JSC::DFG::SpeculativeJIT::integerResult):
1603         * dfg/DFGSpeculativeJIT64.cpp:
1604         (JSC::DFG::SpeculativeJIT::fillInteger):
1605         (JSC::DFG::SpeculativeJIT::fillDouble):
1606         (JSC::DFG::SpeculativeJIT::fillJSValue):
1607         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1608         (JSC::DFG::SpeculativeJIT::emitCall):
1609         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1610         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1611         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1612         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1613         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1614         (JSC::DFG::SpeculativeJIT::compile):
1615         * dfg/DFGValueSource.h:
1616         (JSC::DFG::dataFormatToValueSourceKind):
1617         (JSC::DFG::ValueSource::ValueSource):
1618         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1619         * heap/BlockAllocator.cpp:
1620         (JSC::BlockAllocator::BlockAllocator):
1621         (JSC::BlockAllocator::releaseFreeRegions):
1622         (JSC::BlockAllocator::blockFreeingThreadMain):
1623         * heap/Heap.cpp:
1624         (JSC::Heap::lastChanceToFinalize):
1625         (JSC::Heap::collect):
1626         * interpreter/Interpreter.cpp:
1627         (JSC::Interpreter::throwException):
1628         (JSC::Interpreter::execute):
1629         * jit/GCAwareJITStubRoutine.cpp:
1630         (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
1631         * jit/JIT.cpp:
1632         (JSC::JIT::privateCompileMainPass):
1633         (JSC::JIT::privateCompileSlowCases):
1634         * jit/JITExceptions.cpp:
1635         (JSC::genericThrow):
1636         * jit/JITInlines.h:
1637         (JSC::JIT::emitLoad):
1638         * jit/JITOpcodes.cpp:
1639         (JSC::JIT::emit_op_end):
1640         (JSC::JIT::emit_resolve_operations):
1641         * jit/JITStubRoutine.cpp:
1642         (JSC::JITStubRoutine::observeZeroRefCount):
1643         * jit/JITStubs.cpp:
1644         (JSC::returnToThrowTrampoline):
1645         * runtime/Arguments.cpp:
1646         (JSC::Arguments::getOwnPropertySlot):
1647         (JSC::Arguments::getOwnPropertyDescriptor):
1648         (JSC::Arguments::deleteProperty):
1649         (JSC::Arguments::defineOwnProperty):
1650         (JSC::Arguments::didTearOffActivation):
1651         * runtime/ArrayPrototype.cpp:
1652         (JSC::shift):
1653         (JSC::unshift):
1654         (JSC::arrayProtoFuncLastIndexOf):
1655         * runtime/ButterflyInlines.h:
1656         (JSC::Butterfly::growPropertyStorage):
1657         * runtime/CodeCache.cpp:
1658         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1659         * runtime/CodeCache.h:
1660         (JSC::CacheMap::add):
1661         * runtime/Completion.cpp:
1662         (JSC::checkSyntax):
1663         (JSC::evaluate):
1664         * runtime/Executable.cpp:
1665         (JSC::FunctionExecutable::FunctionExecutable):
1666         (JSC::EvalExecutable::unlinkCalls):
1667         (JSC::ProgramExecutable::compileOptimized):
1668         (JSC::ProgramExecutable::unlinkCalls):
1669         (JSC::ProgramExecutable::initializeGlobalProperties):
1670         (JSC::FunctionExecutable::baselineCodeBlockFor):
1671         (JSC::FunctionExecutable::compileOptimizedForCall):
1672         (JSC::FunctionExecutable::compileOptimizedForConstruct):
1673         (JSC::FunctionExecutable::compileForCallInternal):
1674         (JSC::FunctionExecutable::compileForConstructInternal):
1675         (JSC::FunctionExecutable::unlinkCalls):
1676         (JSC::NativeExecutable::hashFor):
1677         * runtime/Executable.h:
1678         (JSC::EvalExecutable::compile):
1679         (JSC::ProgramExecutable::compile):
1680         (JSC::FunctionExecutable::compileForCall):
1681         (JSC::FunctionExecutable::compileForConstruct):
1682         * runtime/IndexingHeader.h:
1683         (JSC::IndexingHeader::setVectorLength):
1684         * runtime/JSArray.cpp:
1685         (JSC::JSArray::pop):
1686         (JSC::JSArray::shiftCountWithArrayStorage):
1687         (JSC::JSArray::shiftCountWithAnyIndexingType):
1688         (JSC::JSArray::unshiftCountWithArrayStorage):
1689         * runtime/JSGlobalObjectFunctions.cpp:
1690         (JSC::jsStrDecimalLiteral):
1691         * runtime/JSObject.cpp:
1692         (JSC::JSObject::copyButterfly):
1693         (JSC::JSObject::defineOwnIndexedProperty):
1694         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1695         * runtime/JSString.cpp:
1696         (JSC::JSRopeString::getIndexSlowCase):
1697         * yarr/YarrInterpreter.cpp:
1698         (JSC::Yarr::Interpreter::popParenthesesDisjunctionContext):
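
The hardening entry above, and the later one that rewrites `if (foo) CRASH();` as `RELEASE_ASSERT(!foo);`, rest on one point: a bounds check written as a debug-only `ASSERT` is compiled out of exactly the builds that ship, so the check protects developers but not users. The block below is an added example, not WebKit code, that makes the difference concrete on a toy heap. The `ASSERT`/`RELEASE_ASSERT` macros, the crash hook, the `ToyHeap`/`ArrayStorage` layout and the sample values are simplified stand-ins for WTF's real macros and JSC's butterfly storage, and are assumptions of this example only.

```cpp
// Added example (not WebKit code): what replacing ASSERT with RELEASE_ASSERT on a bounds
// check buys. The debug-only check vanishes in a release build and an out-of-range index
// silently reads the neighbouring object's cells; the release check traps instead.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <vector>

using CrashHandler = void (*)(const char* expr, const char* file, int line);

static void abortHandler(const char* expr, const char* file, int line) {
    std::fprintf(stderr, "RELEASE_ASSERT(%s) failed at %s:%d\n", expr, file, line);
    std::abort();
}

// Process-wide crash hook; production leaves it at abortHandler. Swappable only so the
// out-of-bounds case can be exercised without killing the process.
static CrashHandler g_crashHandler = abortHandler;
static void setCrashHandler(CrashHandler h) { g_crashHandler = h; }

// Stand-in for WTF's debug-only ASSERT: active only when DEBUG_ASSERTS is defined.
// The default (undefined) models a release build.
#ifdef DEBUG_ASSERTS
#define ASSERT(cond) do { if (!(cond)) g_crashHandler(#cond, __FILE__, __LINE__); } while (0)
#else
#define ASSERT(cond) ((void)0)
#endif

// Stand-in for WTF's RELEASE_ASSERT: the check is never compiled out.
#define RELEASE_ASSERT(cond) do { if (!(cond)) g_crashHandler(#cond, __FILE__, __LINE__); } while (0)

// Toy heap: one flat cell array in which each "array object" owns a contiguous window.
struct ToyHeap { std::vector<int32_t> cells; };
struct ArrayStorage { size_t base; size_t vectorLength; };

// Before: the index check is an ASSERT. In a release build nothing stops index 4 from
// reading the cell that belongs to the next object.
static int32_t getIndexDebugChecked(const ToyHeap& heap, const ArrayStorage& arr, size_t i) {
    ASSERT(i < arr.vectorLength);
    return heap.cells.at(arr.base + i);  // .at() keeps the demo inside the toy heap
}

// After: RELEASE_ASSERT traps the out-of-bounds index in every build.
static int32_t getIndexReleaseChecked(const ToyHeap& heap, const ArrayStorage& arr, size_t i) {
    RELEASE_ASSERT(i < arr.vectorLength);
    return heap.cells.at(arr.base + i);
}

// Constructed layout: victim array [10,20,30,40] immediately followed by another
// object's cell holding 0x41414141.
static ToyHeap makeHeap() { return ToyHeap{{10, 20, 30, 40, 0x41414141}}; }
static const ArrayStorage kVictim{0, 4};

// Test hook: a crash handler that unwinds instead of aborting, so a trap is observable.
struct CrashSignal {};
static void throwingHandler(const char*, const char*, int) { throw CrashSignal{}; }

static bool readTraps(int32_t (*reader)(const ToyHeap&, const ArrayStorage&, size_t), size_t i) {
    ToyHeap heap = makeHeap();
    setCrashHandler(throwingHandler);
    bool trapped = false;
    try { (void)reader(heap, kVictim, i); } catch (const CrashSignal&) { trapped = true; }
    setCrashHandler(abortHandler);
    return trapped;
}

int main() {
    ToyHeap heap = makeHeap();
    std::printf("debug-checked read at index 4 (release build): 0x%x\n",
                getIndexDebugChecked(heap, kVictim, 4));
    std::printf("release-checked read at index 4 traps: %s\n",
                readTraps(getIndexReleaseChecked, 4) ? "yes" : "no");
    return 0;
}
```

Compile as-is to see the release-build behaviour; add `-DDEBUG_ASSERTS` and the debug-checked path traps too, which is precisely the asymmetry the entry removes for the checks it lists. The cost argument in the entry still applies: `RELEASE_ASSERT` belongs on checks whose failure means memory corruption and whose branch is cheap relative to the surrounding work.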
1699
1700 2013-01-23  Filip Pizlo  <fpizlo@apple.com>
1701
1702         Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures
1703         https://bugs.webkit.org/show_bug.cgi?id=107750
1704         <rdar://problem/12387265>
1705
1706         Reviewed by Mark Hahnenberg.
1707         
1708         The point of this assertion was that if there is no variable capturing going on, then there should only be one GetLocal
1709         for the variable anywhere in the basic block. But if there is some capturing, then we'll have an unbounded number of
1710         GetLocals. The assertion was too imprecise for the latter case. I want to keep this assertion, so I introduced a
1711         checker that verifies this precisely: if there are any captured accesses to the variable anywhere at or after the
1712         GetLocal we are eliminating, then we allow redundant GetLocals.
1713
1714         * dfg/DFGConstantFoldingPhase.cpp:
1715         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1716         (ConstantFoldingPhase):
1717         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
1718
1719 2013-01-23  Oliver Hunt  <oliver@apple.com>
1720
1721         Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC
1722         https://bugs.webkit.org/show_bug.cgi?id=107736
1723
1724         Reviewed by Mark Hahnenberg.
1725
1726         Mechanical change with no performance impact.
1727
1728         * API/JSBlockAdaptor.mm:
1729         (BlockArgumentTypeDelegate::typeVoid):
1730         * API/JSCallbackObjectFunctions.h:
1731         (JSC::::construct):
1732         (JSC::::call):
1733         * API/JSScriptRef.cpp:
1734         * API/ObjCCallbackFunction.mm:
1735         (ArgumentTypeDelegate::typeVoid):
1736         * assembler/ARMv7Assembler.h:
1737         (JSC::ARMv7Assembler::link):
1738         (JSC::ARMv7Assembler::replaceWithLoad):
1739         (JSC::ARMv7Assembler::replaceWithAddressComputation):
1740         * assembler/MacroAssembler.h:
1741         (JSC::MacroAssembler::invert):
1742         * assembler/MacroAssemblerARM.h:
1743         (JSC::MacroAssemblerARM::countLeadingZeros32):
1744         (JSC::MacroAssemblerARM::divDouble):
1745         * assembler/MacroAssemblerMIPS.h:
1746         (JSC::MacroAssemblerMIPS::absDouble):
1747         (JSC::MacroAssemblerMIPS::replaceWithJump):
1748         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
1749         * assembler/MacroAssemblerSH4.h:
1750         (JSC::MacroAssemblerSH4::absDouble):
1751         (JSC::MacroAssemblerSH4::replaceWithJump):
1752         (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
1753         * assembler/SH4Assembler.h:
1754         (JSC::SH4Assembler::shllImm8r):
1755         (JSC::SH4Assembler::shlrImm8r):
1756         (JSC::SH4Assembler::cmplRegReg):
1757         (JSC::SH4Assembler::branch):
1758         * assembler/X86Assembler.h:
1759         (JSC::X86Assembler::replaceWithLoad):
1760         (JSC::X86Assembler::replaceWithAddressComputation):
1761         * bytecode/CallLinkInfo.cpp:
1762         (JSC::CallLinkInfo::unlink):
1763         * bytecode/CodeBlock.cpp:
1764         (JSC::debugHookName):
1765         (JSC::CodeBlock::printGetByIdOp):
1766         (JSC::CodeBlock::printGetByIdCacheStatus):
1767         (JSC::CodeBlock::visitAggregate):
1768         (JSC::CodeBlock::finalizeUnconditionally):
1769         (JSC::CodeBlock::usesOpcode):
1770         * bytecode/DataFormat.h:
1771         (JSC::needDataFormatConversion):
1772         * bytecode/ExitKind.cpp:
1773         (JSC::exitKindToString):
1774         (JSC::exitKindIsCountable):
1775         * bytecode/MethodOfGettingAValueProfile.cpp:
1776         (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
1777         * bytecode/Opcode.h:
1778         (JSC::opcodeLength):
1779         * bytecode/PolymorphicPutByIdList.cpp:
1780         (JSC::PutByIdAccess::fromStructureStubInfo):
1781         (JSC::PutByIdAccess::visitWeak):
1782         * bytecode/StructureStubInfo.cpp:
1783         (JSC::StructureStubInfo::deref):
1784         * bytecompiler/BytecodeGenerator.cpp:
1785         (JSC::ResolveResult::checkValidity):
1786         (JSC::BytecodeGenerator::emitGetLocalVar):
1787         (JSC::BytecodeGenerator::beginSwitch):
1788         * bytecompiler/NodesCodegen.cpp:
1789         (JSC::BinaryOpNode::emitBytecode):
1790         (JSC::emitReadModifyAssignment):
1791         * dfg/DFGAbstractState.cpp:
1792         (JSC::DFG::AbstractState::execute):
1793         (JSC::DFG::AbstractState::mergeStateAtTail):
1794         (JSC::DFG::AbstractState::mergeToSuccessors):
1795         * dfg/DFGByteCodeParser.cpp:
1796         (JSC::DFG::ByteCodeParser::makeSafe):
1797         (JSC::DFG::ByteCodeParser::parseBlock):
1798         * dfg/DFGCFGSimplificationPhase.cpp:
1799         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
1800         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
1801         * dfg/DFGCSEPhase.cpp:
1802         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1803         * dfg/DFGCapabilities.cpp:
1804         (JSC::DFG::canHandleOpcodes):
1805         * dfg/DFGCommon.h:
1806         (JSC::DFG::useKindToString):
1807         * dfg/DFGDoubleFormatState.h:
1808         (JSC::DFG::mergeDoubleFormatStates):
1809         (JSC::DFG::doubleFormatStateToString):
1810         * dfg/DFGFixupPhase.cpp:
1811         (JSC::DFG::FixupPhase::blessArrayOperation):
1812         * dfg/DFGGraph.h:
1813         (JSC::DFG::Graph::clobbersWorld):
1814         * dfg/DFGNode.h:
1815         (JSC::DFG::Node::valueOfJSConstant):
1816         (JSC::DFG::Node::successor):
1817         * dfg/DFGNodeFlags.cpp:
1818         (JSC::DFG::nodeFlagsAsString):
1819         * dfg/DFGNodeType.h:
1820         (JSC::DFG::defaultFlags):
1821         * dfg/DFGRepatch.h:
1822         (JSC::DFG::dfgResetGetByID):
1823         (JSC::DFG::dfgResetPutByID):
1824         * dfg/DFGSlowPathGenerator.h:
1825         (JSC::DFG::SlowPathGenerator::call):
1826         * dfg/DFGSpeculativeJIT.cpp:
1827         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1828         (JSC::DFG::SpeculativeJIT::silentSpill):
1829         (JSC::DFG::SpeculativeJIT::silentFill):
1830         (JSC::DFG::SpeculativeJIT::checkArray):
1831         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
1832         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1833         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1834         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1835         * dfg/DFGSpeculativeJIT.h:
1836         (JSC::DFG::SpeculativeJIT::bitOp):
1837         (JSC::DFG::SpeculativeJIT::shiftOp):
1838         (JSC::DFG::SpeculativeJIT::integerResult):
1839         * dfg/DFGSpeculativeJIT32_64.cpp:
1840         (JSC::DFG::SpeculativeJIT::fillInteger):
1841         (JSC::DFG::SpeculativeJIT::fillDouble):
1842         (JSC::DFG::SpeculativeJIT::fillJSValue):
1843         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1844         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1845         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1846         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1847         (JSC::DFG::SpeculativeJIT::compile):
1848         * dfg/DFGSpeculativeJIT64.cpp:
1849         (JSC::DFG::SpeculativeJIT::fillInteger):
1850         (JSC::DFG::SpeculativeJIT::fillDouble):
1851         (JSC::DFG::SpeculativeJIT::fillJSValue):
1852         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1853         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1854         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1855         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1856         (JSC::DFG::SpeculativeJIT::compile):
1857         * dfg/DFGStructureCheckHoistingPhase.cpp:
1858         (JSC::DFG::StructureCheckHoistingPhase::run):
1859         * dfg/DFGValueSource.h:
1860         (JSC::DFG::ValueSource::valueRecovery):
1861         * dfg/DFGVariableEvent.cpp:
1862         (JSC::DFG::VariableEvent::dump):
1863         * dfg/DFGVariableEventStream.cpp:
1864         (JSC::DFG::VariableEventStream::reconstruct):
1865         * heap/BlockAllocator.h:
1866         (JSC::BlockAllocator::regionSetFor):
1867         * heap/GCThread.cpp:
1868         (JSC::GCThread::gcThreadMain):
1869         * heap/MarkedBlock.cpp:
1870         (JSC::MarkedBlock::sweepHelper):
1871         * heap/MarkedBlock.h:
1872         (JSC::MarkedBlock::isLive):
1873         * interpreter/CallFrame.h:
1874         (JSC::ExecState::inlineCallFrame):
1875         * interpreter/Interpreter.cpp:
1876         (JSC::getCallerInfo):
1877         (JSC::getStackFrameCodeType):
1878         (JSC::Interpreter::execute):
1879         * jit/ExecutableAllocatorFixedVMPool.cpp:
1880         (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
1881         * jit/JIT.cpp:
1882         (JSC::JIT::privateCompileMainPass):
1883         (JSC::JIT::privateCompileSlowCases):
1884         (JSC::JIT::privateCompile):
1885         * jit/JITArithmetic.cpp:
1886         (JSC::JIT::emitSlow_op_mod):
1887         * jit/JITArithmetic32_64.cpp:
1888         (JSC::JIT::emitBinaryDoubleOp):
1889         (JSC::JIT::emitSlow_op_mod):
1890         * jit/JITPropertyAccess.cpp:
1891         (JSC::JIT::isDirectPutById):
1892         * jit/JITStubs.cpp:
1893         (JSC::getPolymorphicAccessStructureListSlot):
1894         (JSC::DEFINE_STUB_FUNCTION):
1895         * llint/LLIntSlowPaths.cpp:
1896         (JSC::LLInt::jitCompileAndSetHeuristics):
1897         * parser/Lexer.cpp:
1898         (JSC::::lex):
1899         * parser/Nodes.h:
1900         (JSC::ExpressionNode::emitBytecodeInConditionContext):
1901         * parser/Parser.h:
1902         (JSC::Parser::getTokenName):
1903         (JSC::Parser::updateErrorMessageSpecialCase):
1904         * parser/SyntaxChecker.h:
1905         (JSC::SyntaxChecker::operatorStackPop):
1906         * runtime/Arguments.cpp:
1907         (JSC::Arguments::tearOffForInlineCallFrame):
1908         * runtime/DatePrototype.cpp:
1909         (JSC::formatLocaleDate):
1910         * runtime/Executable.cpp:
1911         (JSC::samplingDescription):
1912         * runtime/Executable.h:
1913         (JSC::ScriptExecutable::unlinkCalls):
1914         * runtime/Identifier.cpp:
1915         (JSC):
1916         * runtime/InternalFunction.cpp:
1917         (JSC::InternalFunction::getCallData):
1918         * runtime/JSArray.cpp:
1919         (JSC::JSArray::push):
1920         (JSC::JSArray::sort):
1921         * runtime/JSCell.cpp:
1922         (JSC::JSCell::defaultValue):
1923         (JSC::JSCell::getOwnPropertyNames):
1924         (JSC::JSCell::getOwnNonIndexPropertyNames):
1925         (JSC::JSCell::className):
1926         (JSC::JSCell::getPropertyNames):
1927         (JSC::JSCell::customHasInstance):
1928         (JSC::JSCell::putDirectVirtual):
1929         (JSC::JSCell::defineOwnProperty):
1930         (JSC::JSCell::getOwnPropertyDescriptor):
1931         * runtime/JSCell.h:
1932         (JSCell):
1933         * runtime/JSNameScope.cpp:
1934         (JSC::JSNameScope::put):
1935         * runtime/JSObject.cpp:
1936         (JSC::JSObject::getOwnPropertySlotByIndex):
1937         (JSC::JSObject::putByIndex):
1938         (JSC::JSObject::ensureArrayStorageSlow):
1939         (JSC::JSObject::deletePropertyByIndex):
1940         (JSC::JSObject::getOwnPropertyNames):
1941         (JSC::JSObject::putByIndexBeyondVectorLength):
1942         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1943         (JSC::JSObject::getOwnPropertyDescriptor):
1944         * runtime/JSObject.h:
1945         (JSC::JSObject::canGetIndexQuickly):
1946         (JSC::JSObject::getIndexQuickly):
1947         (JSC::JSObject::tryGetIndexQuickly):
1948         (JSC::JSObject::canSetIndexQuickly):
1949         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
1950         (JSC::JSObject::setIndexQuickly):
1951         (JSC::JSObject::initializeIndex):
1952         (JSC::JSObject::hasSparseMap):
1953         (JSC::JSObject::inSparseIndexingMode):
1954         * runtime/JSScope.cpp:
1955         (JSC::JSScope::isDynamicScope):
1956         * runtime/JSSymbolTableObject.cpp:
1957         (JSC::JSSymbolTableObject::putDirectVirtual):
1958         * runtime/JSSymbolTableObject.h:
1959         (JSSymbolTableObject):
1960         * runtime/LiteralParser.cpp:
1961         (JSC::::parse):
1962         * runtime/RegExp.cpp:
1963         (JSC::RegExp::compile):
1964         (JSC::RegExp::compileMatchOnly):
1965         * runtime/StructureTransitionTable.h:
1966         (JSC::newIndexingType):
1967         * tools/CodeProfile.cpp:
1968         (JSC::CodeProfile::sample):
1969         * yarr/YarrCanonicalizeUCS2.h:
1970         (JSC::Yarr::getCanonicalPair):
1971         (JSC::Yarr::areCanonicallyEquivalent):
1972         * yarr/YarrInterpreter.cpp:
1973         (JSC::Yarr::Interpreter::matchCharacterClass):
1974         (JSC::Yarr::Interpreter::matchBackReference):
1975         (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
1976         (JSC::Yarr::Interpreter::matchParentheses):
1977         (JSC::Yarr::Interpreter::backtrackParentheses):
1978         (JSC::Yarr::Interpreter::matchDisjunction):
1979         * yarr/YarrJIT.cpp:
1980         (JSC::Yarr::YarrGenerator::generateTerm):
1981         (JSC::Yarr::YarrGenerator::backtrackTerm):
1982         * yarr/YarrParser.h:
1983         (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
1984         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
1985         * yarr/YarrPattern.cpp:
1986         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
1987
1988 2013-01-23  Tony Chang  <tony@chromium.org>
1989
1990         Unreviewed, set svn:eol-style to CRLF on Windows .sln files.
1991
1992         * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
1993         * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
1994
1995 2013-01-23  Oliver Hunt  <oliver@apple.com>
1996
1997         Replace numerous manual CRASH's in JSC with RELEASE_ASSERT
1998         https://bugs.webkit.org/show_bug.cgi?id=107726
1999
2000         Reviewed by Filip Pizlo.
2001
2002         Fairly manual change from if (foo) CRASH(); to RELEASE_ASSERT(!foo);
2003
2004         * assembler/MacroAssembler.h:
2005         (JSC::MacroAssembler::branchAdd32):
2006         (JSC::MacroAssembler::branchMul32):
2007         * bytecode/CodeBlockHash.cpp:
2008         (JSC::CodeBlockHash::CodeBlockHash):
2009         * heap/BlockAllocator.h:
2010         (JSC::Region::create):
2011         (JSC::Region::createCustomSize):
2012         * heap/GCAssertions.h:
2013         * heap/HandleSet.cpp:
2014         (JSC::HandleSet::visitStrongHandles):
2015         (JSC::HandleSet::writeBarrier):
2016         * heap/HandleSet.h:
2017         (JSC::HandleSet::allocate):
2018         * heap/Heap.cpp:
2019         (JSC::Heap::collect):
2020         * heap/SlotVisitor.cpp:
2021         (JSC::SlotVisitor::validate):
2022         * interpreter/Interpreter.cpp:
2023         (JSC::Interpreter::execute):
2024         * jit/ExecutableAllocator.cpp:
2025         (JSC::DemandExecutableAllocator::allocateNewSpace):
2026         (JSC::ExecutableAllocator::allocate):
2027         * jit/ExecutableAllocator.h:
2028         (JSC::roundUpAllocationSize):
2029         * jit/ExecutableAllocatorFixedVMPool.cpp:
2030         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2031         (JSC::ExecutableAllocator::allocate):
2032         * runtime/ButterflyInlines.h:
2033         (JSC::Butterfly::createUninitialized):
2034         * runtime/Completion.cpp:
2035         (JSC::evaluate):
2036         * runtime/JSArray.h:
2037         (JSC::constructArray):
2038         * runtime/JSGlobalObject.cpp:
2039         (JSC::slowValidateCell):
2040         * runtime/JSObject.cpp:
2041         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2042         (JSC::JSObject::createArrayStorage):
2043         * tools/TieredMMapArray.h:
2044         (JSC::TieredMMapArray::append):
2045         * yarr/YarrInterpreter.cpp:
2046         (JSC::Yarr::Interpreter::allocDisjunctionContext):
2047         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
2048         (JSC::Yarr::Interpreter::InputStream::readChecked):
2049         (JSC::Yarr::Interpreter::InputStream::uncheckInput):
2050         (JSC::Yarr::Interpreter::InputStream::atEnd):
2051         (JSC::Yarr::Interpreter::interpret):
2052
2053 2013-01-22  Filip Pizlo  <fpizlo@apple.com>
2054
2055         Convert CSE phase to not rely too much on NodeIndex
2056         https://bugs.webkit.org/show_bug.cgi?id=107616
2057
2058         Reviewed by Geoffrey Garen.
2059         
2060         - Instead of looping over the graph (which assumes that you can simply loop over all
2061           nodes without considering blocks first) to reset node.replacement, do that in the
2062           loop that sets up relevantToOSR, just before running CSE on the block.
2063         
2064         - Instead of having a relevantToOSR bitvector indexed by NodeIndex, made
2065           NodeRelevantToOSR be a NodeFlag. We had exactly one bit left in NodeFlags, so I did
2066           some reshuffling to fit it in.
2067
2068         * dfg/DFGCSEPhase.cpp:
2069         (JSC::DFG::CSEPhase::CSEPhase):
2070         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
2071         (JSC::DFG::CSEPhase::performNodeCSE):
2072         (JSC::DFG::CSEPhase::performBlockCSE):
2073         (CSEPhase):
2074         * dfg/DFGNodeFlags.h:
2075         (DFG):
2076         * dfg/DFGNodeType.h:
2077         (DFG):
2078
2079 2013-01-21  Kentaro Hara  <haraken@chromium.org>
2080
2081         Implement UIEvent constructor
2082         https://bugs.webkit.org/show_bug.cgi?id=107430
2083
2084         Reviewed by Adam Barth.
2085
2086         Editor's draft: https://dvcs.w3.org/hg/d4e/raw-file/tip/source_respec.htm
2087
2088         UIEvent constructor is implemented under a DOM4_EVENTS_CONSTRUCTOR flag,
2089         which is enabled on Safari and Chromium for now.
2090
2091         * Configurations/FeatureDefines.xcconfig:
2092
2093 2013-01-22  Roger Fong  <roger_fong@apple.com>
2094
2095         Unreviewed VS2010 build fix following r140259.
2096
2097         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2098         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2099
2100 2013-01-22  Roger Fong  <roger_fong@apple.com>
2101
2102         JavaScriptCore property sheets, project files and modified build scripts.
2103         https://bugs.webkit.org/show_bug.cgi?id=106987
2104
2105         Reviewed by Brent Fulgham.
2106
2107         * JavaScriptCore.vcxproj: Added.
2108         * JavaScriptCore.vcxproj/JavaScriptCore.resources: Added.
2109         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist: Added.
2110         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added.
2111         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added.
2112         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.user: Added.
2113         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Added.
2114         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Added.
2115         * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Added.
2116         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Added.
2117         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Added.
2118         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Added.
2119         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Added.
2120         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.user: Added.
2121         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Added.
2122         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Added.
2123         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Added.
2124         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Added.
2125         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Added.
2126         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Added.
2127         * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Added.
2128         * JavaScriptCore.vcxproj/LLInt.vcproj: Added.
2129         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Added.
2130         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Added.
2131         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Added.
2132         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Added.
2133         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added.
2134         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Added.
2135         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added.
2136         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Added.
2137         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Added.
2138         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added.
2139         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Added.
2140         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Added.
2141         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Added.
2142         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Added.
2143         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Added.
2144         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Added.
2145         * JavaScriptCore.vcxproj/build-generated-files.sh: Added.
2146         * JavaScriptCore.vcxproj/copy-files.cmd: Added.
2147         * JavaScriptCore.vcxproj/jsc: Added.
2148         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Added.
2149         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Added.
2150         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.user: Added.
2151         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Added.
2152         * JavaScriptCore.vcxproj/jsc/jscDebug.props: Added.
2153         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Added.
2154         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Added.
2155         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Added.
2156         * JavaScriptCore.vcxproj/jsc/jscRelease.props: Added.
2157         * config.h:
2158
2159 2013-01-22  Joseph Pecoraro  <pecoraro@apple.com>
2160
2161         [Mac] Enable Page Visibility (PAGE_VISIBILITY_API)
2162         https://bugs.webkit.org/show_bug.cgi?id=107230
2163
2164         Reviewed by David Kilzer.
2165
2166         * Configurations/FeatureDefines.xcconfig:
2167
2168 2013-01-22  Tobias Netzel  <tobias.netzel@googlemail.com>
2169
2170         Yarr JIT isn't big endian compatible
2171         https://bugs.webkit.org/show_bug.cgi?id=102897
2172
2173         Reviewed by Oliver Hunt.
2174
2175         This patch was tested in the current mozilla codebase only and has passed the regexp tests there.
2176
2177         * yarr/YarrJIT.cpp:
2178         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
2179
2180 2013-01-22  David Kilzer  <ddkilzer@apple.com>
2181
2182         Fix DateMath.cpp to compile with -Wshorten-64-to-32
2183         <http://webkit.org/b/107503>
2184
2185         Reviewed by Darin Adler.
2186
2187         * runtime/JSDateMath.cpp:
2188         (JSC::parseDateFromNullTerminatedCharacters): Remove unneeded
2189         static_cast<int>().
2190
2191 2013-01-22  Tim Horton  <timothy_horton@apple.com>
2192
2193         PDFPlugin: Build PDFPlugin everywhere, enable at runtime
2194         https://bugs.webkit.org/show_bug.cgi?id=107117
2195
2196         Reviewed by Alexey Proskuryakov.
2197
2198         Since PDFLayerController SPI is all forward-declared, the plugin should build
2199         on all Mac platforms, and can be enabled at runtime.
2200
2201         * Configurations/FeatureDefines.xcconfig:
2202
2203 2013-01-21  Justin Schuh  <jschuh@chromium.org>
2204
2205         [CHROMIUM] Suppress c4267 build warnings for Win64 targets
2206         https://bugs.webkit.org/show_bug.cgi?id=107499
2207
2208         Reviewed by Abhishek Arya.
2209
2210         * JavaScriptCore.gyp/JavaScriptCore.gyp:
2211
2212 2013-01-21  Dirk Schulze  <dschulze@adobe.com>
2213
2214         Add build flag for Canvas's Path object (disabled by default)
2215         https://bugs.webkit.org/show_bug.cgi?id=107473
2216
2217         Reviewed by Dean Jackson.
2218
2219         Add CANVAS_PATH build flag to build systems.
2220
2221         * Configurations/FeatureDefines.xcconfig:
2222
2223 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
2224
2225         Weak GC maps should be easier to use
2226         https://bugs.webkit.org/show_bug.cgi?id=107312
2227
2228         Reviewed by Sam Weinig.
2229
2230         Follow-up fix.
2231
2232         * runtime/PrototypeMap.cpp:
2233         (JSC::PrototypeMap::emptyObjectStructureForPrototype): Restored this
2234         ASSERT, which was disabled because of a bug in WeakGCMap.
2235
2236         * runtime/WeakGCMap.h:
2237         (JSC::WeakGCMap::add): We can't pass our passed-in value to add() because
2238         a PassWeak() clears itself when passed to another function. So, we pass
2239         nullptr instead, and fix things up afterwards.
2240
2241 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
2242
2243         Unreviewed.
2244
2245         Temporarily disabling this ASSERT to get the bots green
2246         while I investigate a fix.
2247
2248         * runtime/PrototypeMap.cpp:
2249         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2250
2251 2013-01-20  Filip Pizlo  <fpizlo@apple.com>
2252
2253         Inserting a node into the DFG graph should not require five lines of code
2254         https://bugs.webkit.org/show_bug.cgi?id=107381
2255
2256         Reviewed by Sam Weinig.
2257         
2258         This adds fairly comprehensive support for inserting a node into a DFG graph in one
2259         method call. A common example of this is:
2260         
2261         m_insertionSet.insertNode(indexInBlock, DontRefChildren, DontRefNode, SpecNone, ForceOSRExit, codeOrigin);
2262         
2263         The arguments to insert() specify what reference counting you need to have happen
2264         (RefChildren => recursively refs all children, RefNode => non-recursively refs the node
2265         that was created), the prediction to set (SpecNone is a common default), followed by
2266         the arguments to the Node() constructor. InsertionSet::insertNode() and similar methods
2267         (Graph::addNode() and BasicBlock::appendNode()) all use a common variadic template
2268         function macro from DFGVariadicFunction.h. Also, all of these methods will automatically
2269         non-recursively ref() the node being created if the flags say NodeMustGenerate.
2270         
2271         In all, this new mechanism retains the flexibility of the old approach (you get to
2272         manage ref counts yourself, albeit in less code) while ensuring that most code that adds
2273         nodes to the graph now needs less code to do it.
2274         
2275         In the future, we should revisit the reference counting methodology in the DFG: we could
2276         do like most compilers and get rid of it entirely, or we could make it automatic. This
2277         patch doesn't attempt to make any such major changes, and only seeks to simplify the
2278         technique we were already using (manual ref counting).
2279
2280         * GNUmakefile.list.am:
2281         * JavaScriptCore.xcodeproj/project.pbxproj:
2282         * bytecode/Operands.h:
2283         (JSC::dumpOperands):
2284         * dfg/DFGAdjacencyList.h:
2285         (AdjacencyList):
2286         (JSC::DFG::AdjacencyList::kind):
2287         * dfg/DFGArgumentsSimplificationPhase.cpp:
2288         (JSC::DFG::ArgumentsSimplificationPhase::run):
2289         * dfg/DFGBasicBlock.h:
2290         (DFG):
2291         (BasicBlock):
2292         * dfg/DFGBasicBlockInlines.h: Added.
2293         (DFG):
2294         * dfg/DFGCFGSimplificationPhase.cpp:
2295         (JSC::DFG::CFGSimplificationPhase::run):
2296         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
2297         * dfg/DFGCommon.h:
2298         * dfg/DFGConstantFoldingPhase.cpp:
2299         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
2300         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2301         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2302         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
2303         (ConstantFoldingPhase):
2304         * dfg/DFGFixupPhase.cpp:
2305         (JSC::DFG::FixupPhase::FixupPhase):
2306         (JSC::DFG::FixupPhase::fixupBlock):
2307         (JSC::DFG::FixupPhase::fixupNode):
2308         (FixupPhase):
2309         (JSC::DFG::FixupPhase::checkArray):
2310         (JSC::DFG::FixupPhase::blessArrayOperation):
2311         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2312         * dfg/DFGGraph.h:
2313         (JSC::DFG::Graph::ref):
2314         (Graph):
2315         * dfg/DFGInsertionSet.h:
2316         (DFG):
2317         (JSC::DFG::Insertion::Insertion):
2318         (JSC::DFG::Insertion::element):
2319         (Insertion):
2320         (JSC::DFG::InsertionSet::InsertionSet):
2321         (JSC::DFG::InsertionSet::insert):
2322         (InsertionSet):
2323         (JSC::DFG::InsertionSet::execute):
2324         * dfg/DFGNode.h:
2325         (JSC::DFG::Node::Node):
2326         (Node):
2327         * dfg/DFGStructureCheckHoistingPhase.cpp:
2328         (JSC::DFG::StructureCheckHoistingPhase::run):
2329         * dfg/DFGVariadicFunction.h: Added.
2330
2331 2013-01-19  Geoffrey Garen  <ggaren@apple.com>
2332
2333         Track inheritance structures in a side table, instead of using a private
2334         name in each prototype
2335         https://bugs.webkit.org/show_bug.cgi?id=107378
2336
2337         Reviewed by Sam Weinig and Phil Pizlo.
2338
2339         This is a step toward object size inference.
2340
2341         Using a side table frees us to use a more complex key (a pair of
2342         prototype and expected inline capacity).
2343
2344         It also avoids ruining inline caches for prototypes. (Adding a new private
2345         name for a new inline capacity would change the prototype's structure,
2346         possibly firing watchpoints, making inline caches go polymorphic, and
2347         generally causing us to have a bad time.)
2348
2349         * CMakeLists.txt:
2350         * GNUmakefile.list.am:
2351         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2352         * JavaScriptCore.xcodeproj/project.pbxproj:
2353         * Target.pri: Buildage.
2354
2355         * runtime/ArrayPrototype.cpp:
2356         (JSC::ArrayPrototype::finishCreation): Updated to use new side table API.
2357
2358         * runtime/JSFunction.cpp:
2359         (JSC::JSFunction::cacheInheritorID): Updated to use new side table API.
2360
2361         (JSC::JSFunction::visitChildren): Fixed a long-standing bug where JSFunction
2362         forgot to visit one of its data members (m_cachedInheritorID). This
2363         wasn't a user-visible problem before because JSFunction would always
2364         visit its .prototype property, which visited its m_cachedInheritorID.
2365         But now, function.prototype only weakly owns function.m_cachedInheritorID.
2366
2367         * runtime/JSGlobalData.h:
2368         (JSGlobalData): Added the map, taking care to make sure that its
2369         destructor would run after the heap destructor.
2370
2371         * runtime/JSGlobalObject.cpp:
2372         (JSC::JSGlobalObject::reset): Updated to use new side table API.
2373
2374         * runtime/JSObject.cpp:
2375         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2376         (JSC::JSObject::setPrototype):
2377         * runtime/JSObject.h:
2378         (JSObject): Updated to use new side table API, and removed lots of code
2379         that used to manage the per-object private name.
2380
2381         * runtime/JSProxy.cpp:
2382         (JSC::JSProxy::setTarget):
2383         * runtime/ObjectConstructor.cpp:
2384         (JSC::objectConstructorCreate):
2385         * runtime/ObjectPrototype.cpp:
2386         (JSC::ObjectPrototype::finishCreation): Updated to use new side table API.
2387
2388         * runtime/PrototypeMap.cpp: Added.
2389         (JSC):
2390         (JSC::PrototypeMap::addPrototype):
2391         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2392         * runtime/PrototypeMap.h: Added.
2393         (PrototypeMap):
2394         (JSC::PrototypeMap::isPrototype):
2395         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): New side table.
2396         This is a simple weak map, mapping an object to the structure you should
2397         use when inheriting from that object. (In future, inline capacity will
2398         be a part of the mapping.)
2399
2400         I used two maps to preserve existing behavior that allowed us to speculate
2401         about an object becoming a prototype, even if it wasn't one at the moment.
2402         However, I suspect that behavior can be removed without harm.
2403
2404         * runtime/WeakGCMap.h:
2405         (JSC::WeakGCMap::contains):
2406         (WeakGCMap): I would rate myself a 6 / 10 in C++.
2407
2408 2013-01-18  Dan Bernstein  <mitz@apple.com>
2409
2410         Removed duplicate references to two headers in the project files.
2411
2412         Rubber-stamped by Mark Rowe.
2413
2414         * JavaScriptCore.xcodeproj/project.pbxproj:
2415
2416 2013-01-18  Michael Saboff  <msaboff@apple.com>
2417
2418         Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.
2419         Fixes the case where the argument node in fixupNode is freed due to the Vector storage being reallocated.
2420
2421         * dfg/DFGFixupPhase.cpp:
2422         (JSC::DFG::FixupPhase::fixupNode):
2423
2424 2013-01-18  Michael Saboff  <msaboff@apple.com>
2425
2426         Unreviewed build fix for release builds when DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE is set to 1 in DFGCommon.h.
2427
2428         * dfg/DFGCFAPhase.cpp: Added #include "Operations.h"
2429
2430 2013-01-18  Michael Saboff  <msaboff@apple.com>
2431
2432         Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
2433         https://bugs.webkit.org/show_bug.cgi?id=107340
2434
2435         Reviewed by Filip Pizlo.
2436
2437         Due to the change landed in r140201, more nodes might end up
2438         generating Int32ToDouble nodes.  Therefore, changed the JSVALUE64
2439         constant path of compileInt32ToDouble() to use the more
2440         restrictive isInt32Constant() check on the input.  This check was
2441         the same as the existing ASSERT() so the ASSERT was eliminated.
2442
2443         * dfg/DFGSpeculativeJIT.cpp:
2444         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
2445
2446 2013-01-18  Viatcheslav Ostapenko  <sl.ostapenko@samsung.com>
2447
2448         Weak GC maps should be easier to use
2449         https://bugs.webkit.org/show_bug.cgi?id=107312
2450
2451         Reviewed by Ryosuke Niwa.
2452
2453         Build fix for linux platforms after r140194.
2454
2455         * runtime/WeakGCMap.h:
2456         (WeakGCMap):
2457
2458 2013-01-18  Michael Saboff  <msaboff@apple.com>
2459
2460         Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly
2461         https://bugs.webkit.org/show_bug.cgi?id=107321
2462
2463         Reviewed by Filip Pizlo.
2464
2465         Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
2466         an ArithDiv node with integer inputs and output for platforms that don't have integer division.
2467         Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
2468         without any further checks.
2469
2470         * dfg/DFGFixupPhase.cpp:
2471         (JSC::DFG::FixupPhase::fixupNode):
2472         (JSC::DFG::FixupPhase::fixDoubleEdge):
2473         (FixupPhase):
2474         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2475
2476 2013-01-18  Michael Saboff  <msaboff@apple.com>
2477
2478         Fix up of ArithDiv nodes for non-x86 CPUs is broken
2479         https://bugs.webkit.org/show_bug.cgi?id=107309
2480
2481         Reviewed by Filip Pizlo.
2482
2483         Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
2484
2485         * dfg/DFGFixupPhase.cpp:
2486         (JSC::DFG::FixupPhase::fixDoubleEdge):
2487
2488 2013-01-18  Dan Bernstein  <mitz@apple.com>
2489
2490         Tried to fix the build after r140194.
2491
2492         * API/JSWrapperMap.mm:
2493         (-[JSWrapperMap wrapperForObject:]):
2494
2495 2013-01-18  Mark Hahnenberg  <mhahnenberg@apple.com>
2496
2497         Objective-C API: Update documentation for JSValue and JSContext
2498         https://bugs.webkit.org/show_bug.cgi?id=107313
2499
2500         Reviewed by Geoffrey Garen.
2501
2502         After changing the semantics of object lifetime we need to update the API documentation to reflect the new semantics.
2503
2504         * API/APIJSValue.h:
2505         * API/JSContext.h:
2506
2507 2013-01-18  Balazs Kilvady  <kilvadyb@homejinni.com>
2508
2509         r134080 causes heap problem on linux systems where PAGESIZE != 4096
2510         https://bugs.webkit.org/show_bug.cgi?id=102828
2511
2512         Reviewed by Mark Hahnenberg.
2513
2514         Make MarkStackSegment::blockSize the capacity of segments of a MarkStackArray.
2515
2516         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2517         * heap/MarkStack.cpp:
2518         (JSC):
2519         (JSC::MarkStackArray::MarkStackArray):
2520         (JSC::MarkStackArray::expand):
2521         (JSC::MarkStackArray::donateSomeCellsTo):
2522         (JSC::MarkStackArray::stealSomeCellsFrom):
2523         * heap/MarkStack.h:
2524         (JSC::MarkStackSegment::data):
2525         (CapacityFromSize):
2526         (MarkStackArray):
2527         * heap/MarkStackInlines.h:
2528         (JSC::MarkStackArray::setTopForFullSegment):
2529         (JSC::MarkStackArray::append):
2530         (JSC::MarkStackArray::isEmpty):
2531         (JSC::MarkStackArray::size):
2532         * runtime/Options.h:
2533         (JSC):
2534
2535 2013-01-18  Geoffrey Garen  <ggaren@apple.com>
2536
2537         Weak GC maps should be easier to use
2538         https://bugs.webkit.org/show_bug.cgi?id=107312
2539
2540         Reviewed by Sam Weinig.
2541
2542         This patch changes WeakGCMap to not use a WeakImpl finalizer to remove
2543         items from the map, and to instead have the map automatically remove
2544         stale items itself upon insertion. This has a few advantages:
2545
2546         (1) WeakGCMap is now compatible with all the specializations you would
2547         use for HashMap.
2548
2549         (2) There's no need for clients to write special finalization munging
2550         functions.
2551
2552         (3) Clients can specify custom value finalizers if they like.
2553
2554         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Def!
2555
2556         * API/JSWeakObjectMapRefPrivate.cpp: Setter no longer requires a global
2557         data, since we've reduced interdependency.
2558
2559         * heap/Handle.h: No more need to forward declare, since we've reduced
2560         interdependency.
2561
2562         * heap/Weak.h:
2563         (Weak): Use explicit so we can assign directly to a weak map iterator
2564         without ambiguity between Weak<T> and PassWeak<T>.
2565
2566         * runtime/Structure.cpp:
2567         (JSC::StructureTransitionTable::add): See above.
2568
2569         * runtime/Structure.h:
2570         (JSC):
2571         * runtime/StructureTransitionTable.h:
2572         (StructureTransitionTable): Bad code goes away, programmer happy.
2573
2574         * runtime/WeakGCMap.h:
2575         (JSC):
2576         (WeakGCMap):
2577         (JSC::WeakGCMap::WeakGCMap):
2578         (JSC::WeakGCMap::set):
2579         (JSC::WeakGCMap::add):
2580         (JSC::WeakGCMap::find):
2581         (JSC::WeakGCMap::contains):
2582         (JSC::WeakGCMap::gcMap):
2583         (JSC::WeakGCMap::gcMapIfNeeded): Inherit from HashMap and override any
2584         function that might observe a Weak<T> that has died, just enough to
2585         make such items appear as if they are not in the table.
2586
2587 2013-01-18  Michael Saboff  <msaboff@apple.com>
2588
2589         Refactor isPowerOf2() and add getLSBSet()
2590         https://bugs.webkit.org/show_bug.cgi?id=107306
2591
2592         Reviewed by Filip Pizlo.
2593
2594         Moved implementation of isPowerOf2() to new hasOneBitSet() in wtf/MathExtras.h.
2595
2596         * runtime/PropertyMapHashTable.h:
2597         (JSC::isPowerOf2):
2598
2599 2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2600
2601         Objective-C API: Clean up JSValue.mm
2602         https://bugs.webkit.org/show_bug.cgi?id=107163
2603
2604         Reviewed by Darin Adler.
2605
2606         m_context is no longer weak, so there is now a lot of dead code in JSValue.mm, and a wasted message send 
2607         on every API call.  In the head of just about every method in JSValue.mm we're doing:
2608
2609         JSContext *context = [self context];
2610         if (!context)
2611             return nil;
2612
2613         This is getting a retained copy of the context, which is no longer necessary now m_context is no longer weak.  
2614         We can just delete all these lines from all functions doing this, and where they were referring to the local 
2615         variable 'context', instead we can just access m_context directly.
2616
2617         Since we're already going to be modifying most of JSValue.mm, we'll also do the following:
2618
2619         1) context @property is no longer weak – the context property is declared as:
2620
2621             @property(readonly, weak) JSContext *context;
2622
2623         This is really only informative (since we're not presently synthesizing the ivar), but it is now misleading. 
2624         We should change it to:
2625
2626             @property(readonly, retain) JSContext *context;
2627
2628         2) the JSContext ivar and accessor can be automatically generated.  Since we're no longer doing anything 
2629         special with m_context, we can just let the compiler handle the ivar for us.  We'll delete:
2630
2631             JSContext *m_context;
2632
2633         and:
2634
2635             - (JSContext *)context
2636             {
2637                 return m_context;
2639             }
2640
2641         and find&replace "m_context" to "_context" in JSValue.mm.
2642
2643         * API/APIJSValue.h:
2644         * API/JSValue.mm:
2645         (-[JSValue toObject]):
2646         (-[JSValue toBool]):
2647         (-[JSValue toDouble]):
2648         (-[JSValue toNumber]):
2649         (-[JSValue toString]):
2650         (-[JSValue toDate]):
2651         (-[JSValue toArray]):
2652         (-[JSValue toDictionary]):
2653         (-[JSValue valueForProperty:]):
2654         (-[JSValue setValue:forProperty:]):
2655         (-[JSValue deleteProperty:]):
2656         (-[JSValue hasProperty:]):
2657         (-[JSValue defineProperty:descriptor:]):
2658         (-[JSValue valueAtIndex:]):
2659         (-[JSValue setValue:atIndex:]):
2660         (-[JSValue isUndefined]):
2661         (-[JSValue isNull]):
2662         (-[JSValue isBoolean]):
2663         (-[JSValue isNumber]):
2664         (-[JSValue isString]):
2665         (-[JSValue isObject]):
2666         (-[JSValue isEqualToObject:]):
2667         (-[JSValue isEqualWithTypeCoercionToObject:]):
2668         (-[JSValue isInstanceOf:]):
2669         (-[JSValue callWithArguments:]):
2670         (-[JSValue constructWithArguments:]):
2671         (-[JSValue invokeMethod:withArguments:]):
2672         (-[JSValue objectForKeyedSubscript:]):
2673         (-[JSValue setObject:forKeyedSubscript:]):
2674         (-[JSValue initWithValue:inContext:]):
2675         (-[JSValue dealloc]):
2676         (-[JSValue description]):
2677
2678 2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2679
2680         Objective-C API: Clean up JSValue
2681         https://bugs.webkit.org/show_bug.cgi?id=107156
2682
2683         Reviewed by Oliver Hunt.
2684
2685         JSContext m_protectCounts, protect, unprotect are all now unnecessary overhead, and should all be removed.  
2686         These exist to handle the context going away before the value does; the context needs to be able to unprotect 
2687         values early.  Since the value is now keeping the context alive there is no longer any danger of this happening; 
2688         instead we should just protect/unprotect the value in JSValue's init/dealloc methods.
2689
2690         * API/JSContext.mm:
2691         (-[JSContext dealloc]):
2692         * API/JSContextInternal.h:
2693         * API/JSValue.mm:
2694         (-[JSValue initWithValue:inContext:]):
2695         (-[JSValue dealloc]):
2696
2697 2013-01-17  Filip Pizlo  <fpizlo@apple.com>
2698
2699         DFG Node::ref() and Node::deref() should not return bool, and should have postfixRef variants
2700         https://bugs.webkit.org/show_bug.cgi?id=107147
2701
2702         Reviewed by Mark Hahnenberg.
2703         
2704         This small refactoring will enable a world where ref() returns Node*, which is useful for
2705         https://bugs.webkit.org/show_bug.cgi?id=106868.  Also, while this refactoring does lead to
2706         slightly less terse code, it's also slightly more self-explanatory.  I could never quite
2707         remember what the meaning of the bool return from ref() and deref() was.
2708
2709         * dfg/DFGGraph.cpp:
2710         (JSC::DFG::Graph::collectGarbage):
2711         * dfg/DFGGraph.h:
2712         (JSC::DFG::Graph::ref):
2713         (JSC::DFG::Graph::deref):
2714         * dfg/DFGNode.h:
2715         (JSC::DFG::Node::ref):
2716         (Node):
2717         (JSC::DFG::Node::postfixRef):
2718         (JSC::DFG::Node::deref):
2719         (JSC::DFG::Node::postfixDeref):
2720
2721 2013-01-17  Alexey Proskuryakov  <ap@apple.com>
2722
2723         Added svn:ignore=*.pyc, so that ud_opcode.pyc and ud_optable.pyc don't show up
2724         in svn stat.
2725
2726         * disassembler/udis86: Added property svn:ignore.
2727
2728 2013-01-16  Filip Pizlo  <fpizlo@apple.com>
2729
2730         DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
2731         https://bugs.webkit.org/show_bug.cgi?id=107081
2732
2733         Reviewed by Michael Saboff.
2734
2735         This bug led to the 32_64 backend emitting contiguous allocation code to allocate
2736         ArrayStorage arrays. This then led to all manner of heap corruption, since
2737         subsequent array accesses would be accessing the contiguous array "as if" it was
2738         an arraystorage array.
2739
2740         * dfg/DFGSpeculativeJIT32_64.cpp:
2741         (JSC::DFG::SpeculativeJIT::compile):
2742
2743 2013-01-16  Jonathan Liu  <net147@gmail.com>
2744
2745         Add missing sys/mman.h include on Mac
2746         https://bugs.webkit.org/show_bug.cgi?id=98089
2747
2748         Reviewed by Darin Adler.
2749
2750         The madvise function and MADV_FREE constant require sys/mman.h.
2751
2752         * jit/ExecutableAllocatorFixedVMPool.cpp:
2753
2754 2013-01-15  Michael Saboff  <msaboff@apple.com>
2755
2756         DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
2757         https://bugs.webkit.org/show_bug.cgi?id=106978
2758
2759         Reviewed by Filip Pizlo.
2760
2761         Changed the numerator equal to -2^31 check to just return if we expect an integer
2762         result, since the check is after we have determined that the denominator is -1.
2763         The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.
2764
2765         * dfg/DFGSpeculativeJIT.cpp:
2766         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
2767
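As an added example (not JavaScriptCore's code), the integer fast path the entry above describes, next to a double-based reference computation, showing why the -2^31 / -1 case has to be caught before any hardware divide: it is the one int32 input on which x86 idiv traps, and the "used as int" result JS expects for it is the numerator. All function names here are assumptions.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Added example, not JavaScriptCore code. It models the "used as int" division case:
// the result of num / den is only ever consumed through ECMAScript ToInt32, and the
// integer fast path must never execute an x86 idiv that can raise a divide error.

// ECMAScript ToInt32 applied to a double (reference path, the way a double-based slow
// path would compute it): non-finite values map to 0, otherwise truncate toward zero
// and wrap modulo 2^32 into the signed 32-bit range.
static int32_t toInt32(double d)
{
    if (!std::isfinite(d))
        return 0;                                   // NaN, +Infinity, -Infinity all become 0
    double t = std::trunc(d);                       // sign(d) * floor(|d|)
    double m = std::fmod(t, 4294967296.0);          // reduce modulo 2^32; keeps the sign of t
    if (m < 0)
        m += 4294967296.0;
    if (m >= 2147483648.0)
        m -= 4294967296.0;                          // map [2^31, 2^32) onto [-2^31, 0)
    return static_cast<int32_t>(m);
}

// Reference result: divide as doubles (no hardware integer divide, so no trap), then ToInt32.
static int32_t divViaDouble(int32_t num, int32_t den)
{
    return toInt32(static_cast<double>(num) / static_cast<double>(den));
}

// Integer fast path with the checks in the order the entry describes: look at the
// denominator first, and only once it is known to be -1 look at the -2^31 numerator.
static int32_t divUsedAsInt(int32_t num, int32_t den)
{
    if (den == 0)
        return 0;                                   // x/0 is Infinity or NaN in JS; ToInt32 gives 0
    if (den == -1) {
        // INT32_MIN / -1 is the one input on which x86 idiv raises #DE: the quotient 2^31
        // does not fit in 32 bits. JS computes 2^31 as a double and ToInt32 wraps it back
        // to -2^31, which is exactly the numerator, so the numerator is the answer.
        if (num == std::numeric_limits<int32_t>::min())
            return num;
        return -num;                                // |num| < 2^31 here, so negation cannot overflow
    }
    // den == 1 or |den| >= 2: the quotient fits in int32, and C++ truncation toward zero
    // matches ToInt32 of the exact double quotient.
    return num / den;
}
```
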
2768 2013-01-15  Levi Weintraub  <leviw@chromium.org>
2769
2770         Unreviewed, rolling out r139792.
2771         http://trac.webkit.org/changeset/139792
2772         https://bugs.webkit.org/show_bug.cgi?id=106970
2773
2774         Broke the windows build.
2775
2776         * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.
2777
2778 2013-01-15  Pratik Solanki  <psolanki@apple.com>
2779
2780         Use MADV_FREE_REUSABLE to return JIT memory to OS
2781         https://bugs.webkit.org/show_bug.cgi?id=106830
2782         <rdar://problem/11437701>
2783
2784         Reviewed by Geoffrey Garen.
2785
2786         Use MADV_FREE_REUSABLE to return JIT memory on OSes that have the underlying madvise bug
2787         fixed.
2788
2789         * jit/ExecutableAllocatorFixedVMPool.cpp:
2790         (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
2791
2792 2013-01-15  Levi Weintraub  <leviw@chromium.org>
2793
2794         Unreviewed, rolling out r139790.
2795         http://trac.webkit.org/changeset/139790
2796         https://bugs.webkit.org/show_bug.cgi?id=106948
2797
2798         The patch is failing its own test.
2799
2800         * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.
2801
2802 2013-01-15  Zan Dobersek  <zandobersek@gmail.com>
2803
2804         [Autotools] Unify JavaScriptCore sources list, regardless of target OS
2805         https://bugs.webkit.org/show_bug.cgi?id=106007
2806
2807         Reviewed by Gustavo Noronha Silva.
2808
2809         Include the Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp target
2810         in the general sources list as it is guarded by the ENABLE_EXECUTABLE_ALLOCATOR_FIXED
2811         feature define. This define is only used on 64-bit architecture and indirectly depends
2812         on enabling either JIT or YARR JIT feature. Both of these defines are disabled on
2813         Windows OS when using 64-bit architecture so there's no need to add this target to
2814         sources only when the target OS is Windows.
2815
2816         * GNUmakefile.list.am:
2817
2818 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
2819
2820         DFG should not forget that it had proved something to be a constant during a merge just because it's merging against the empty value
2821         https://bugs.webkit.org/show_bug.cgi?id=106727
2822
2823         Reviewed by Oliver Hunt.
2824         
2825         The problem was this statement:
2826         
2827         if (m_value != other.m_value)
2828             m_value = JSValue();
2829         
2830         This is well-intentioned, in the sense that if we want our abstract value (i.e. this) to become the superset of the other
2831         abstract value, and the two abstract values have proven different constants, then our abstract value should rescind its
2832         claim that it has been proven to be constant. But this misses the special case that if the other abstract value is
2833         completely clear (meaning that it wishes to contribute zero information and so the superset operation shouldn't change
2834         this), it will have a clear m_value. So, the code prior to this patch would rescind the constant proof even though it
2835         didn't have to.
2836         
2837         This comes up rarely and I don't believe it will be a performance win, but it is good to have the CFA be consistently
2838         precise as often as possible.
2839
2840         * dfg/DFGAbstractValue.h:
2841         (JSC::DFG::AbstractValue::merge):
2842
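An added example, not the DFG's own AbstractValue, that models the merge bug described above: a cut-down abstract value with a type set and an optional proven constant, with the pre-patch merge beside a merge that treats a clear operand as contributing nothing. The struct, its fields and the helper names are assumptions.

```cpp
#include <cstdint>

// Added example, not JavaScriptCore's DFG code. It keeps only the two parts of an abstract
// value that matter for this bug: the set of types the value may have, and an optional
// proven constant (standing in for m_value, where an empty JSValue means "no proof").
struct AbstractValue {
    enum Type : uint32_t { NoType = 0, Int32 = 1u << 0, Double = 1u << 1, Cell = 1u << 2 };

    uint32_t m_type = NoType;       // superset of the types the value may have
    bool m_hasConstant = false;     // false models an empty m_value
    int32_t m_constant = 0;         // only meaningful when m_hasConstant is true

    // A clear abstract value contributes no information; merging it in should be a no-op.
    bool isClear() const { return m_type == NoType && !m_hasConstant; }

    static AbstractValue constant(int32_t v)
    {
        AbstractValue a;
        a.m_type = Int32;
        a.m_hasConstant = true;
        a.m_constant = v;
        return a;
    }

    static AbstractValue ofType(uint32_t type)
    {
        AbstractValue a;
        a.m_type = type;
        return a;
    }

    // Equivalent of "m_value == other.m_value" on JSValues, where empty == empty.
    bool sameConstant(const AbstractValue& other) const
    {
        if (m_hasConstant != other.m_hasConstant)
            return false;
        return !m_hasConstant || m_constant == other.m_constant;
    }

    void rescindConstant() { m_hasConstant = false; m_constant = 0; }

    // Pre-patch logic, as quoted in the entry: whenever the constants differ, drop the proof.
    // A clear 'other' has an empty constant, so it differs from any real proof and the proof
    // is dropped even though 'other' meant to contribute nothing.
    void mergeBuggy(const AbstractValue& other)
    {
        m_type |= other.m_type;
        if (!sameConstant(other))
            rescindConstant();
    }

    // Patched logic (one way to express the special case the entry describes, assumed here):
    // a clear operand on either side is the lattice bottom, so it changes nothing; otherwise
    // merge exactly as before.
    void mergeFixed(const AbstractValue& other)
    {
        if (other.isClear())
            return;
        if (isClear()) {
            *this = other;
            return;
        }
        m_type |= other.m_type;
        if (!sameConstant(other))
            rescindConstant();
    }
};

// Runs one merge variant on a copy of lhs and reports whether the constant proof survived.
static bool constantSurvivesBuggy(AbstractValue lhs, const AbstractValue& rhs)
{
    lhs.mergeBuggy(rhs);
    return lhs.m_hasConstant;
}

static bool constantSurvivesFixed(AbstractValue lhs, const AbstractValue& rhs)
{
    lhs.mergeFixed(rhs);
    return lhs.m_hasConstant;
}

// Type set after a fixed merge, to show the type union is still applied when rhs is not clear.
static uint32_t typesAfterFixedMerge(AbstractValue lhs, const AbstractValue& rhs)
{
    lhs.mergeFixed(rhs);
    return lhs.m_type;
}
```
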
2843 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
2844
2845         Python implementation reports "MemoryError" instead of doing things
2846         https://bugs.webkit.org/show_bug.cgi?id=106690
2847
2848         Reviewed by Oliver Hunt.
2849         
2850         The bug was that the CFA was assuming that a variable is dead at the end of a basic block and hence doesn't need to
2851         be merged to the next block if the last mention of the variable was dead. This is almost correct, except that it
2852         doesn't work if the last mention is a GetLocal - the GetLocal itself may be dead, but that doesn't mean that the
2853         variable is dead - it may still be live. The appropriate thing to do is to look at the GetLocal's Phi. If the
2854         variable is used in the next block then the next block will have a reference to the last mention in our block unless
2855         that last mention is a GetLocal, in which case it will link to the Phi. Doing it this way captures everything that
2856         the CFA wants: if the last use is a live GetLocal then the CFA needs to consider the GetLocal itself for possible
2857         refinements to the proof of the value in the variable, but if the GetLocal is dead, then this must mean that the
2858         variable is not mentioned in the block but may still be "passed through" it, which is what the Phi will tell us.
2859         Note that it is not possible for the GetLocal to refer to anything other than a Phi, and it is also not possible
2860         for the last mention of a variable to be a dead GetLocal while there are other mentions that aren't dead - if
2861         there had been SetLocals or GetLocals prior to the dead one then the dead one wouldn't have been emitted by the
2862         parser.
2863         
2864         This also fixes a similar bug in the handling of captured variables. If a variable is captured, then it doesn't
2865         matter if the last mention is dead, or not. Either way, we already know that a captured variable will be live in
2866         the next block, so we must merge it no matter what.
2867         
2868         Finally, this change makes the output of Operands dumping a bit more verbose: it now prints the variable name next
2869         to each variable's dump. I've often found the lack of this information confusing particularly for operand dumps
2870         that involve a lot of variables.
2871
2872         * bytecode/Operands.h:
2873         (JSC::dumpOperands):
2874         * dfg/DFGAbstractState.cpp:
2875         (JSC::DFG::AbstractState::mergeStateAtTail):
2876
2877 2013-01-14  Roger Fong  <roger_fong@apple.com>
2878
2879         Unreviewed. Fix vcproj file. Missing file tag after http://trac.webkit.org/changeset/139541.
2880
2881         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2882
2883 2013-01-13  Filip Pizlo  <fpizlo@apple.com>
2884
2885         DFG phases that store per-node information should store it in Node itself rather than using a secondary vector
2886         https://bugs.webkit.org/show_bug.cgi?id=106753
2887
2888         Reviewed by Geoffrey Garen.
2889
2890         * dfg/DFGAbstractState.cpp:
2891         (JSC::DFG::AbstractState::AbstractState):
2892         (JSC::DFG::AbstractState::beginBasicBlock):
2893         (JSC::DFG::AbstractState::dump):
2894         * dfg/DFGAbstractState.h:
2895         (JSC::DFG::AbstractState::forNode):
2896         (AbstractState):
2897         * dfg/DFGCFGSimplificationPhase.cpp:
2898         * dfg/DFGCSEPhase.cpp:
2899         (JSC::DFG::CSEPhase::CSEPhase):
2900         (JSC::DFG::CSEPhase::performSubstitution):
2901         (JSC::DFG::CSEPhase::setReplacement):
2902         (CSEPhase):
2903         * dfg/DFGNode.h:
2904         (Node):
2905
2906 2013-01-12  Tim Horton  <timothy_horton@apple.com>
2907
2908         Unreviewed build fix.
2909
2910         * API/JSBlockAdaptor.mm:
2911         * API/JSContext.mm:
2912         * API/JSValue.mm:
2913
2914 2013-01-12  Csaba Osztrogonác  <ossy@webkit.org>
2915
2916         Unreviewed 64 bit buildfix after r139496.
2917
2918         * dfg/DFGOperations.cpp:
2919
2920 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
2921
2922         Unreviewed, speculative build fix.
2923
2924         * API/JSWrapperMap.mm:
2925
2926 2013-01-10  Filip Pizlo  <fpizlo@apple.com>
2927
2928         JITThunks should not compile only because of luck
2929         https://bugs.webkit.org/show_bug.cgi?id=105696
2930
2931         Rubber stamped by Sam Weinig and Geoffrey Garen.
2932         
2933         This patch was supposed to just move JITThunks into its own file. But then I
2934         realized that there is a horrible circular dependency chain between JSCell,
2935         JSGlobalData, CallFrame, and Weak, which only works because of magical include
2936         order in JITStubs.h, and the fact that JSGlobalData.h includes JITStubs.h
2937         before it includes JSCell or JSValue.
2938         
2939         I first tried to just get JITThunks.h to just magically do the same pointless
2940         includes that JITStubs.h had, but then I decided to actually fix the underlying
2941         problem, which was that JSCell needed CallFrame, CallFrame needed JSGlobalData,
2942         JSGlobalData needed JITThunks, JITThunks needed Weak, and Weak needed JSCell.
2943         Now, all of JSCell's outgoing dependencies are placed in JSCellInlines.h. This
2944         also gave me an opportunity to move JSValue inline methods from JSCell.h into
2945         JSValueInlines.h. But to make this really work, I needed to remove includes of
2946         *Inlines.h from other headers (CodeBlock.h for example included JSValueInlines.h,
2947         which defeats the whole entire purpose of having an Inlines.h file), and I needed
2948         to add includes of *Inlines.h into a bunch of .cpp files. I did this mostly by
2949         having .cpp files include Operations.h. In future, if you're adding a .cpp file
2950         to JSC, you'll almost certainly have to include Operations.h unless you enjoy
2951         link errors.
2952
2953         * API/JSBase.cpp:
2954         * API/JSCallbackConstructor.cpp:
2955         * API/JSCallbackFunction.cpp:
2956         * API/JSCallbackObject.cpp:
2957         * API/JSClassRef.cpp:
2958         * API/JSContextRef.cpp:
2959         * API/JSObjectRef.cpp:
2960         * API/JSScriptRef.cpp:
2961         * API/JSWeakObjectMapRefPrivate.cpp:
2962         * JSCTypedArrayStubs.h:
2963         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2964         * JavaScriptCore.xcodeproj/project.pbxproj:
2965         * bytecode/ArrayAllocationProfile.cpp:
2966         * bytecode/CodeBlock.cpp:
2967         * bytecode/GetByIdStatus.cpp:
2968         * bytecode/LazyOperandValueProfile.cpp:
2969         * bytecode/ResolveGlobalStatus.cpp:
2970         * bytecode/SpeculatedType.cpp:
2971         * bytecode/UnlinkedCodeBlock.cpp:
2972         * bytecompiler/BytecodeGenerator.cpp:
2973         * debugger/Debugger.cpp:
2974         * debugger/DebuggerActivation.cpp:
2975         * debugger/DebuggerCallFrame.cpp:
2976         * dfg/DFGArgumentsSimplificationPhase.cpp:
2977         * dfg/DFGArrayMode.cpp:
2978         * dfg/DFGByteCodeParser.cpp:
2979         * dfg/DFGConstantFoldingPhase.cpp:
2980         * dfg/DFGDriver.cpp:
2981         * dfg/DFGFixupPhase.cpp:
2982         * dfg/DFGGraph.cpp:
2983         * dfg/DFGJITCompiler.cpp:
2984         * dfg/DFGOSREntry.cpp:
2985         * dfg/DFGOSRExitCompiler.cpp:
2986         * dfg/DFGOSRExitCompiler32_64.cpp:
2987         * dfg/DFGOSRExitCompiler64.cpp:
2988         * dfg/DFGPredictionPropagationPhase.cpp:
2989         * dfg/DFGSpeculativeJIT.cpp:
2990         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2991         (DFG):
2992         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2993         (JSC::DFG::SpeculativeJIT::silentSpill):
2994         (JSC::DFG::SpeculativeJIT::silentFill):
2995         * dfg/DFGSpeculativeJIT.h:
2996         (SpeculativeJIT):
2997         * dfg/DFGSpeculativeJIT32_64.cpp:
2998         * dfg/DFGSpeculativeJIT64.cpp:
2999         * dfg/DFGStructureCheckHoistingPhase.cpp:
3000         * dfg/DFGVariableEventStream.cpp:
3001         * heap/CopiedBlock.h:
3002         * heap/CopiedSpace.cpp:
3003         * heap/HandleSet.cpp:
3004         * heap/Heap.cpp:
3005         * heap/HeapStatistics.cpp:
3006         * heap/SlotVisitor.cpp:
3007         * heap/WeakBlock.cpp:
3008         * interpreter/CallFrame.cpp:
3009         * interpreter/CallFrame.h:
3010         * jit/ClosureCallStubRoutine.cpp:
3011         * jit/GCAwareJITStubRoutine.cpp:
3012         * jit/JIT.cpp:
3013         * jit/JITArithmetic.cpp:
3014         * jit/JITArithmetic32_64.cpp:
3015         * jit/JITCall.cpp:
3016         * jit/JITCall32_64.cpp:
3017         * jit/JITCode.h:
3018         * jit/JITExceptions.cpp:
3019         * jit/JITStubs.h:
3020         * jit/JITThunks.h:
3021         * jsc.cpp:
3022         * llint/LLIntExceptions.cpp:
3023         * profiler/LegacyProfiler.cpp:
3024         * profiler/ProfileGenerator.cpp:
3025         * profiler/ProfilerBytecode.cpp:
3026         * profiler/ProfilerBytecodeSequence.cpp:
3027         * profiler/ProfilerBytecodes.cpp:
3028         * profiler/ProfilerCompilation.cpp:
3029         * profiler/ProfilerCompiledBytecode.cpp:
3030         * profiler/ProfilerDatabase.cpp:
3031         * profiler/ProfilerOSRExit.cpp:
3032         * profiler/ProfilerOSRExitSite.cpp:
3033         * profiler/ProfilerOrigin.cpp:
3034         * profiler/ProfilerOriginStack.cpp:
3035         * profiler/ProfilerProfiledBytecodes.cpp:
3036         * runtime/ArgList.cpp:
3037         * runtime/Arguments.cpp:
3038         * runtime/ArrayConstructor.cpp:
3039         * runtime/BooleanConstructor.cpp:
3040         * runtime/BooleanObject.cpp:
3041         * runtime/BooleanPrototype.cpp:
3042         * runtime/CallData.cpp:
3043         * runtime/CodeCache.cpp:
3044         * runtime/Completion.cpp:
3045         * runtime/ConstructData.cpp:
3046         * runtime/DateConstructor.cpp:
3047         * runtime/DateInstance.cpp:
3048         * runtime/DatePrototype.cpp:
3049         * runtime/Error.cpp:
3050         * runtime/ErrorConstructor.cpp:
3051         * runtime/ErrorInstance.cpp:
3052         * runtime/ErrorPrototype.cpp:
3053         * runtime/ExceptionHelpers.cpp:
3054         * runtime/Executable.cpp:
3055         * runtime/FunctionConstructor.cpp:
3056         * runtime/FunctionPrototype.cpp:
3057         * runtime/GetterSetter.cpp:
3058         * runtime/Identifier.cpp:
3059         * runtime/InternalFunction.cpp:
3060         * runtime/JSActivation.cpp:
3061         * runtime/JSBoundFunction.cpp:
3062         * runtime/JSCell.cpp:
3063         * runtime/JSCell.h:
3064         (JSC):
3065         * runtime/JSCellInlines.h: Added.
3066         (JSC):
3067         (JSC::JSCell::JSCell):
3068         (JSC::JSCell::finishCreation):
3069         (JSC::JSCell::structure):
3070         (JSC::JSCell::visitChildren):
3071         (JSC::allocateCell):
3072         (JSC::isZapped):
3073         (JSC::JSCell::isObject):
3074         (JSC::JSCell::isString):
3075         (JSC::JSCell::isGetterSetter):
3076         (JSC::JSCell::isProxy):
3077         (JSC::JSCell::isAPIValueWrapper):
3078         (JSC::JSCell::setStructure):
3079         (JSC::JSCell::methodTable):
3080         (JSC::JSCell::inherits):
3081         (JSC::JSCell::fastGetOwnPropertySlot):
3082         (JSC::JSCell::fastGetOwnProperty):
3083         (JSC::JSCell::toBoolean):
3084         * runtime/JSDateMath.cpp:
3085         * runtime/JSFunction.cpp:
3086         * runtime/JSFunction.h:
3087         (JSC):
3088         * runtime/JSGlobalData.h:
3089         (JSC):
3090         (JSGlobalData):
3091         * runtime/JSGlobalObject.cpp:
3092         * runtime/JSGlobalObjectFunctions.cpp:
3093         * runtime/JSLock.cpp:
3094         * runtime/JSNameScope.cpp:
3095         * runtime/JSNotAnObject.cpp:
3096         * runtime/JSONObject.cpp:
3097         * runtime/JSObject.h:
3098         (JSC):
3099         * runtime/JSProxy.cpp:
3100         * runtime/JSScope.cpp:
3101         * runtime/JSSegmentedVariableObject.cpp:
3102         * runtime/JSString.h:
3103         (JSC):
3104         * runtime/JSStringJoiner.cpp:
3105         * runtime/JSSymbolTableObject.cpp:
3106         * runtime/JSValue.cpp:
3107         * runtime/JSValueInlines.h:
3108         (JSC::JSValue::toInt32):
3109         (JSC::JSValue::toUInt32):
3110         (JSC):
3111         (JSC::JSValue::isUInt32):
3112         (JSC::JSValue::asUInt32):
3113         (JSC::JSValue::asNumber):
3114         (JSC::jsNaN):
3115         (JSC::JSValue::JSValue):
3116         (JSC::JSValue::encode):
3117         (JSC::JSValue::decode):
3118         (JSC::JSValue::operator bool):
3119         (JSC::JSValue::operator==):
3120         (JSC::JSValue::operator!=):
3121         (JSC::JSValue::isEmpty):
3122         (JSC::JSValue::isUndefined):
3123         (JSC::JSValue::isNull):
3124         (JSC::JSValue::isUndefinedOrNull):
3125         (JSC::JSValue::isCell):
3126         (JSC::JSValue::isInt32):
3127         (JSC::JSValue::isDouble):
3128         (JSC::JSValue::isTrue):
3129         (JSC::JSValue::isFalse):
3130         (JSC::JSValue::tag):
3131         (JSC::JSValue::payload):
3132         (JSC::JSValue::asInt32):
3133         (JSC::JSValue::asDouble):
3134         (JSC::JSValue::asCell):
3135         (JSC::JSValue::isNumber):
3136         (JSC::JSValue::isBoolean):
3137         (JSC::JSValue::asBoolean):
3138         (JSC::reinterpretDoubleToInt64):
3139         (JSC::reinterpretInt64ToDouble):
3140         (JSC::JSValue::isString):
3141         (JSC::JSValue::isPrimitive):
3142         (JSC::JSValue::isGetterSetter):
3143         (JSC::JSValue::isObject):
3144         (JSC::JSValue::getString):
3145         (JSC::::getString):
3146         (JSC::JSValue::getObject):
3147         (JSC::JSValue::getUInt32):
3148         (JSC::JSValue::toPrimitive):
3149         (JSC::JSValue::getPrimitiveNumber):
3150         (JSC::JSValue::toNumber):
3151         (JSC::JSValue::toObject):
3152         (JSC::JSValue::isFunction):
3153         (JSC::JSValue::inherits):
3154         (JSC::JSValue::toThisObject):
3155         (JSC::JSValue::get):
3156         (JSC::JSValue::put):
3157         (JSC::JSValue::putByIndex):
3158         (JSC::JSValue::structureOrUndefined):
3159         (JSC::JSValue::equal):
3160         (JSC::JSValue::equalSlowCaseInline):
3161         (JSC::JSValue::strictEqualSlowCaseInline):
3162         (JSC::JSValue::strictEqual):
3163         * runtime/JSVariableObject.cpp:
3164         * runtime/JSWithScope.cpp:
3165         * runtime/JSWrapperObject.cpp:
3166         * runtime/LiteralParser.cpp:
3167         * runtime/Lookup.cpp:
3168         * runtime/NameConstructor.cpp:
3169         * runtime/NameInstance.cpp:
3170         * runtime/NamePrototype.cpp:
3171         * runtime/NativeErrorConstructor.cpp:
3172         * runtime/NativeErrorPrototype.cpp:
3173         * runtime/NumberConstructor.cpp:
3174         * runtime/NumberObject.cpp:
3175         * runtime/ObjectConstructor.cpp:
3176         * runtime/ObjectPrototype.cpp:
3177         * runtime/Operations.h:
3178         (JSC):
3179         * runtime/PropertySlot.cpp:
3180         * runtime/RegExp.cpp:
3181         * runtime/RegExpCache.cpp:
3182         * runtime/RegExpCachedResult.cpp:
3183         * runtime/RegExpConstructor.cpp:
3184         * runtime/RegExpMatchesArray.cpp:
3185         * runtime/RegExpObject.cpp:
3186         * runtime/RegExpPrototype.cpp:
3187         * runtime/SmallStrings.cpp:
3188         * runtime/SparseArrayValueMap.cpp:
3189         * runtime/StrictEvalActivation.cpp:
3190         * runtime/StringConstructor.cpp:
3191         * runtime/StringObject.cpp:
3192         * runtime/StringRecursionChecker.cpp:
3193         * runtime/Structure.h:
3194         (JSC):
3195         * runtime/StructureChain.cpp:
3196         * runtime/TimeoutChecker.cpp:
3197         * testRegExp.cpp:
3198
3199 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3200
3201         If you use Phantom to force something to be live across an OSR exit, you should put it after the OSR exit
3202         https://bugs.webkit.org/show_bug.cgi?id=106724
3203
3204         Reviewed by Oliver Hunt.
3205         
3206         In cases where we were getting it wrong, I think it was benign because we would either already have an
3207         OSR exit prior to there, or the operand would be a constant.  But still, it's good to get this right.
3208
3209         * dfg/DFGByteCodeParser.cpp:
3210         (JSC::DFG::ByteCodeParser::parseBlock):
3211
3212 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3213
3214         Phantom(GetLocal) should be treated as relevant to OSR
3215         https://bugs.webkit.org/show_bug.cgi?id=106715
3216
3217         Reviewed by Mark Hahnenberg.
3218
3219         * dfg/DFGCSEPhase.cpp:
3220         (JSC::DFG::CSEPhase::performBlockCSE):
3221
3222 2013-01-11  Pratik Solanki  <psolanki@apple.com>
3223
3224         Fix function name typo ProgramExecutable::initalizeGlobalProperties()
3225         https://bugs.webkit.org/show_bug.cgi?id=106701
3226
3227         Reviewed by Geoffrey Garen.
3228
3229         * interpreter/Interpreter.cpp:
3230         (JSC::Interpreter::execute):
3231         * runtime/Executable.cpp:
3232         (JSC::ProgramExecutable::initializeGlobalProperties):
3233         * runtime/Executable.h:
3234
3235 2013-01-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3236
3237         testapi is failing with a block-related error in the Objc API
3238         https://bugs.webkit.org/show_bug.cgi?id=106055
3239
3240         Reviewed by Filip Pizlo.
3241
3242         Same bug as in testapi.mm. We need to actually call the static block, rather than casting the block to a bool.
3243
3244         * API/ObjCCallbackFunction.mm:
3245         (blockSignatureContainsClass):
3246
3247 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3248
3249         Add a run-time option to print bytecode at DFG compile time
3250         https://bugs.webkit.org/show_bug.cgi?id=106704
3251
3252         Reviewed by Mark Hahnenberg.
3253
3254         * dfg/DFGByteCodeParser.cpp:
3255         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3256         * runtime/Options.h:
3257         (JSC):
3258
3259 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3260
3261         It should be possible to enable verbose printing of each OSR exit at run-time (rather than compile-time) and it should print register state
3262         https://bugs.webkit.org/show_bug.cgi?id=106700
3263
3264         Reviewed by Mark Hahnenberg.
3265
3266         * dfg/DFGAssemblyHelpers.h:
3267         (DFG):
3268         (JSC::DFG::AssemblyHelpers::debugCall):
3269         * dfg/DFGCommon.h:
3270         * dfg/DFGOSRExit.h:
3271         (DFG):
3272         * dfg/DFGOSRExitCompiler32_64.cpp:
3273         (JSC::DFG::OSRExitCompiler::compileExit):
3274         * dfg/DFGOSRExitCompiler64.cpp:
3275         (JSC::DFG::OSRExitCompiler::compileExit):
3276         * dfg/DFGOperations.cpp:
3277         * dfg/DFGOperations.h:
3278         * runtime/Options.h:
3279         (JSC):
3280
3281 2013-01-11  Geoffrey Garen  <ggaren@apple.com>
3282
3283         Removed getDirectLocation and offsetForLocation and all their uses
3284         https://bugs.webkit.org/show_bug.cgi?id=106692
3285
3286         Reviewed by Filip Pizlo.
3287
3288         getDirectLocation() and its associated offsetForLocation() relied on
3289         detailed knowledge of the rules of PropertyOffset, JSObject, and
3290         Structure, which is a hard thing to reverse-engineer reliably. Luckily,
3291         it wasn't needed, and all clients either wanted a true value or a
3292         PropertyOffset. So, I refactored accordingly.
3293
3294         * dfg/DFGOperations.cpp: Renamed putDirectOffset to putDirect, to clarify
3295         that we are not putting an offset.
3296
3297         * runtime/JSActivation.cpp:
3298         (JSC::JSActivation::getOwnPropertySlot): Get a value instead of a value
3299         pointer, since we never wanted a pointer to begin with.
3300
3301         * runtime/JSFunction.cpp:
3302         (JSC::JSFunction::getOwnPropertySlot): Use a PropertyOffset instead of a pointer,
3303         so we don't have to reverse-engineer the offset from the pointer.
3304
3305         * runtime/JSObject.cpp:
3306         (JSC::JSObject::put):
3307         (JSC::JSObject::resetInheritorID):
3308         (JSC::JSObject::inheritorID):
3309         (JSC::JSObject::removeDirect):
3310         (JSC::JSObject::fillGetterPropertySlot):
3311         (JSC::JSObject::getOwnPropertyDescriptor): Renamed getDirectOffset and
3312         putDirectOffset, as explained above. We want to use the name "getDirectOffset"
3313         for when the thing you're getting is the offset.
3314
3315         * runtime/JSObject.h:
3316         (JSC::JSObject::getDirect):
3317         (JSC::JSObject::getDirectOffset): Changed getDirectLocation to getDirectOffset,
3318         since clients really want PropertyOffsets and not locations.
3319
3320         (JSObject::offsetForLocation): Removed this function because it was hard
3321         to get right.
3322
3323         (JSC::JSObject::putDirect):
3324         (JSC::JSObject::putDirectUndefined):
3325         (JSC::JSObject::inlineGetOwnPropertySlot):
3326         (JSC::JSObject::putDirectInternal):
3327         (JSC::JSObject::putDirectWithoutTransition):
3328         * runtime/JSScope.cpp:
3329         (JSC::executeResolveOperations):
3330         (JSC::JSScope::resolvePut):
3331         * runtime/JSValue.cpp:
3332         (JSC::JSValue::putToPrimitive): Updated for renames.
3333
3334         * runtime/Lookup.cpp:
3335         (JSC::setUpStaticFunctionSlot): Use a PropertyOffset instead of a pointer,
3336         so we don't have to reverse-engineer the offset from the pointer.
3337
3338         * runtime/Structure.cpp:
3339         (JSC::Structure::flattenDictionaryStructure): Updated for renames.
3340
3341 2013-01-11  Geoffrey Garen  <ggaren@apple.com>
3342
3343         Removed an unused version of getDirectLocation
3344         https://bugs.webkit.org/show_bug.cgi?id=106691
3345
3346         Reviewed by Gavin Barraclough.
3347
3348         getDirectLocation is a weird operation. Removing the unused version is
3349         the easy part.
3350
3351         * runtime/JSObject.h:
3352         (JSObject):
3353
3354 2013-01-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3355
3356         Objective-C objects that are passed to JavaScript leak (until the JSContext is destroyed)
3357         https://bugs.webkit.org/show_bug.cgi?id=106056
3358
3359         Reviewed by Darin Adler.
3360
3361         * API/APIJSValue.h:
3362         * API/JSValue.mm: Make the reference to the JSContext strong.
3363         (-[JSValue context]):
3364         (-[JSValue initWithValue:inContext:]):
3365         (-[JSValue dealloc]):
3366         * API/JSWrapperMap.mm: Make the reference back from wrappers to Obj-C objects weak instead of strong.
3367         Also add an explicit WeakGCMap in the JSWrapperMap rather than using Obj-C associated object API which 
3368         was causing memory leaks.
3369         (wrapperClass):
3370         (-[JSObjCClassInfo wrapperForObject:]):
3371         (-[JSWrapperMap initWithContext:]):
3372         (-[JSWrapperMap dealloc]):
3373         (-[JSWrapperMap wrapperForObject:]):
3374
3375 2013-01-11  Geoffrey Garen  <ggaren@apple.com>
3376
3377         Fixed some bogus PropertyOffset ASSERTs
3378         https://bugs.webkit.org/show_bug.cgi?id=106686
3379
3380         Reviewed by Gavin Barraclough.
3381
3382         The ASSERTs were passing a JSType instead of an inlineCapacity, due to
3383         an incomplete refactoring.
3384
3385         The compiler didn't catch this because both types are int underneath.
3386
3387         * runtime/JSObject.h:
3388         (JSC::JSObject::getDirect):
3389         (JSC::JSObject::getDirectLocation):
3390         (JSC::JSObject::offsetForLocation):
3391         * runtime/Structure.cpp:
3392         (JSC::Structure::addPropertyTransitionToExistingStructure): Validate against
3393         our inline capacity, as we intended.
3394