ebd43bd3ca472575e028cfa72e715dea173f8397
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2012-09-06  Michael Saboff  <msaboff@apple.com>

        16 bit JSRopeString up converts an 8 bit fiber to 16 bits during resolution
        https://bugs.webkit.org/show_bug.cgi?id=95810

        Reviewed by Benjamin Poulain.

        Added 8 bit path that copies the contents of an 8 bit fiber to the 16 bit buffer
        when resolving a 16 bit rope.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase):

2012-09-06  Gavin Barraclough  <barraclough@apple.com>

        JS test suite puts incorrect limitations on Function.toString()
        https://bugs.webkit.org/show_bug.cgi?id=3975

        Reviewed by Geoff Garen.

        The result of function toString is implementation defined;
        these test cases were looking for specific whitespace formatting
        that matches mozilla's, and for redundant braces to be inserted
        around if/else blocks. Stop that.

        * tests/mozilla/expected.html:
        * tests/mozilla/js1_2/function/tostring-1.js:
        (simplify):
            - reduce whitespace differences
        * tests/mozilla/js1_2/function/tostring-2.js:
        (simplify):
            - reduce whitespace differences
        (TestOr):
        (TestAnd):
            - added braces to match expected output

2012-09-06  Yuqiang Xian  <yuqiang.xian@intel.com>

        Performance regressions on 32-bit platforms with revisions 125637 and 126387
        https://bugs.webkit.org/show_bug.cgi?id=95953

        Reviewed by Filip Pizlo.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val): Fix the typo.

2012-09-05  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/127698> because it broke
        fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html

            Named functions should not allocate scope objects for their names
            https://bugs.webkit.org/show_bug.cgi?id=95659

            Reviewed by Oliver Hunt.

2012-09-06  Mark Lam  <mark.lam@apple.com>

        Renamed useYarrJIT() option to useRegExpJIT(). Also fixed regression in
        which inadvertently allows the ASM llint to use the baseline JIT when
        useRegExpJIT() is true.
        https://bugs.webkit.org/show_bug.cgi?id=95918.

        Reviewed by Geoffrey Garen.

        * runtime/JSGlobalData.cpp:
        (JSC::enableAssembler):
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::canUseJIT):
        (JSC::JSGlobalData::canUseRegExpJIT):
        (JSGlobalData):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Options.h:
        (JSC):

2012-09-06  Patrick Gansterer  <paroga@webkit.org>

        Build fix for Interpreter after r127698.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2012-09-05  Gavin Barraclough  <barraclough@apple.com>

        a = data[a]++; sets the wrong key in data
        https://bugs.webkit.org/show_bug.cgi?id=91270

        Reviewed by Oliver Hunt.

        Postfix inc/dec is unsafely using finalDestination, can trample base/subscript prior to the result being put.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
            - Remove redundant parens.
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
            - Refactored to use tempDestination instead of finalDestination.
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
            - Should be using emitPreIncOrDec.

2012-09-05  Gavin Barraclough  <barraclough@apple.com>

        Bug, assignment within subscript of prefix/postfix increment of bracket access
        https://bugs.webkit.org/show_bug.cgi?id=95913

        Reviewed by Oliver Hunt.

        javascript:alert((function(){ var a = { x:1 }; var b = { x:1 }; a[a=b,"x"]++; return a.x; })())

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitBracket):
        (JSC::PrefixNode::emitBracket):
            - Should check for assignments in the subscript when loading the base.
        * parser/Nodes.h:
        (JSC::BracketAccessorNode::subscriptHasAssignments):
        (BracketAccessorNode):
            - Used by emitBracket methods.
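
Added example, not WebKit test code: the evaluation-order rules that the two bracket-access fixes above (bugs 91270 and 95913) enforce, checked on constructed sample objects. The last function records the complete observable order of a postfix increment on a bracket access, which is what the bytecode generator must preserve.

```javascript
// Bug 91270: in `a = data[a]++` the base and subscript are bound before the
// postfix result is stored, so the key used is the OLD value of `a`.
function postfixIntoOwnSubscript() {
  const data = { 0: 5, 5: 7 };   // constructed sample
  let a = 0;
  a = data[a]++;                 // reference data[0]; old value 5 -> a, data[0] becomes 6
  return { a, key0: data[0], key5: data[5] };
}

// Bug 95913: an assignment inside the subscript must not change which base
// object the increment is applied to, because the base is bound first.
function assignmentInsideSubscript() {
  const first = { x: 1 };        // constructed sample
  const second = { x: 1 };
  let a = first;
  a[(a = second, 'x')]++;        // base already bound to `first`: first.x -> 2, a -> second
  const prefix = ++a[(a = first, 'x')]; // base is `second`: second.x -> 2, result 2, a -> first
  return { firstX: first.x, secondX: second.x, prefix, aIsFirst: a === first };
}

// Full observable order for `base()[subscript()]++`: base, subscript, getter,
// ToNumber conversion (valueOf), then the store of the incremented value.
function observedOrder() {
  const log = [];
  const target = {
    get x() { log.push('get'); return { valueOf() { log.push('valueOf'); return 41; } }; },
    set x(v) { log.push('set:' + v); },
  };
  const base = () => { log.push('base'); return target; };
  const subscript = () => { log.push('subscript'); return 'x'; };
  const result = base()[subscript()]++;   // result is the converted old value, 41
  return { log, result };
}
```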

2012-09-05  Gavin Barraclough  <barraclough@apple.com>

        Merge prefix/postfix nodes
        https://bugs.webkit.org/show_bug.cgi?id=95898

        Reviewed by Geoff Garen.

        Simplify the AST.
        This will also mean we have access to m_subscriptHasAssignments when generating a prefix/postfix op applied to a bracket access.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
            - was PostfixResolveNode::emitBytecode
        (JSC::PostfixNode::emitBracket):
            - was PostfixBracketNode::emitBytecode
        (JSC::PostfixNode::emitDot):
            - was PostfixDotNode::emitBytecode
        (JSC::PostfixNode::emitBytecode):
            - was PostfixErrorNode::emitBytecode, call resolve/bracket/dot version as appropriate.
        (JSC::PrefixNode::emitResolve):
            - was PrefixResolveNode::emitBytecode
        (JSC::PrefixNode::emitBracket):
            - was PrefixBracketNode::emitBytecode
        (JSC::PrefixNode::emitDot):
            - was PrefixDotNode::emitBytecode
        (JSC::PrefixNode::emitBytecode):
            - was PrefixErrorNode::emitBytecode, call resolve/bracket/dot version as appropriate.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makePrefixNode):
            - Just makes a PrefixNode!
        (JSC::ASTBuilder::makePostfixNode):
            - Just makes a PostfixNode!
        * parser/NodeConstructors.h:
        (JSC::PostfixNode::PostfixNode):
            - Added, merge of PostfixResolveNode/PostfixBracketNode/PostfixDotNode/PostfixErrorNode.
        (JSC::PrefixNode::PrefixNode):
            - Added, merge of PrefixResolveNode/PrefixBracketNode/PrefixDotNode/PrefixErrorNode.
        * parser/Nodes.h:
        (PostfixNode):
            - Added, merge of PostfixResolveNode/PostfixBracketNode/PostfixDotNode/PostfixErrorNode.
        (PrefixNode):
            - Added, merge of PrefixResolveNode/PrefixBracketNode/PrefixDotNode/PrefixErrorNode.

2012-09-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove use of JSCell::classInfoOffset() from tryCacheGetByID
        https://bugs.webkit.org/show_bug.cgi?id=95860

        Reviewed by Oliver Hunt.

        We should just do the indirection through the Structure instead.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):

2012-09-05  Geoffrey Garen  <ggaren@apple.com>

        Throw exceptions when assigning to const in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=95894

        Reviewed by Oliver Hunt.

        Currently, this never happens; but it will start happening once the
        callee is a local const register. In this patch, there's no change in
        behavior.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded): Helper function
        for doing the throwing.
        * bytecompiler/BytecodeGenerator.h:

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixResolveNode::emitBytecode):
        (JSC::PrefixResolveNode::emitBytecode):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode): Call the helper function.

2012-09-05  Geoffrey Garen  <ggaren@apple.com>

        Refactored callee access in the DFG to support it in the general case
        https://bugs.webkit.org/show_bug.cgi?id=95887

        Reviewed by Phil Pizlo and Gavin Barraclough.

        To support named function expressions, the DFG needs to understand the
        callee register being used in arbitrary expressions, and not just
        create_this.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::getCallee): Remap access to the callee register
        into a GetCallee node. Otherwise, we get confused and think we have a
        negatively indexed argument.

        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand): Inlining also
        needs to remap, but to the callee in the inline frame, and not the caller's
        callee.

        (JSC::DFG::ByteCodeParser::parseBlock): Since we support the callee in
        the general case now, there's no need to handle it in a special way for
        create_this.

2012-09-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator
        https://bugs.webkit.org/show_bug.cgi?id=95821

        Reviewed by Oliver Hunt.

        We can replace the load of the ClassInfo from the object with a load from the Structure.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::virtualForThunkGenerator):

2012-09-05  Benjamin Poulain  <bpoulain@apple.com>

        Fix the uses of String::operator+=() for Mac
        https://bugs.webkit.org/show_bug.cgi?id=95818

        Reviewed by Dan Bernstein.

        * jsc.cpp:
        (functionJSCStack): Use StringBuilder to create the stack dump; it is faster
        and avoids String::operator+=().

        * parser/Parser.h:
        (JSC::Parser::updateErrorMessageSpecialCase):
        (JSC::Parser::updateErrorMessage):
        (JSC::Parser::updateErrorWithNameAndMessage):
        Use the String operators (and makeString) to concatenate the strings.

2012-09-05  Gabor Rapcsanyi  <rgabor@webkit.org>

        DFG JIT doesn't work properly on ARM hardfp
        https://bugs.webkit.org/show_bug.cgi?id=95684

        Reviewed by Filip Pizlo.

        Add hardfp support to DFG JIT. The patch is created with the
        help of Zoltan Herczeg.

        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArguments):
        * dfg/DFGFPRInfo.h:
        (FPRInfo):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):

2012-09-04  Mark Lam  <mark.lam@apple.com>

        Allow the YarrJIT to use the assembler even when useJIT() is false.
        Introduce the useYarrJIT() option.
        https://bugs.webkit.org/show_bug.cgi?id=95809.

        Reviewed by Geoffrey Garen.

        * runtime/JSGlobalData.cpp:
        (JSC::enableAssembler):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Options.h:
        (JSC):

2012-09-04  Gavin Barraclough  <barraclough@apple.com>

        inc/dec behave incorrectly operating on a resolved const
        https://bugs.webkit.org/show_bug.cgi?id=95815

        Reviewed by Geoff Garen.

        There are two bugs here.

        (1) When the value being incremented is const, and the result is ignored, we assume this cannot be observed, and emit no code.
            However if the value being incremented is not a primitive & has a valueOf conversion, then this should be being called.

        (2) In the case of a pre-increment of a const value where the result is not ignored, we'll move +/-1 to the destination, then
            add the resolved const value being incremented to this. This is problematic if the destination is a local, and the const
            value being incremented has a valueOf conversion that throws - the destination will be modified erroneously. Instead, we
            need to use a temporary location.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixResolveNode::emitBytecode):
        (JSC::PrefixResolveNode::emitBytecode):
            - always at least perform a toNumber conversion, use tempDestination when reducing inc/dec to an add +/-1.
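
Added example, not WebKit code: the two observable requirements behind the fix above, shown on constructed objects whose valueOf() has side effects. Modern JavaScript makes writes to a const binding throw, so the bindings here are let; the conversion-before-store order being demonstrated is the same.

```javascript
// (1) Even when the result of inc/dec is discarded, the ToNumber conversion
// must still run, so a valueOf() side effect is observable.
function conversionRunsWhenResultIgnored() {
  let calls = 0;
  const makeValue = () => ({ valueOf() { calls += 1; return 1; } }); // constructed sample
  let v = makeValue();
  v++;                 // result unused; valueOf() still runs, v becomes 2
  v = makeValue();
  --v;                 // likewise; v becomes 0
  return { calls, lastValue: v };
}

// (2) When the conversion throws, the destination of `dest = ++value` must be
// left untouched: the increment has to be computed in a temporary first.
function destinationUntouchedWhenConversionThrows() {
  let destination = 10;
  let poisoned = { valueOf() { throw new Error('valueOf failed'); } }; // constructed sample
  let caught = null;
  try {
    destination = ++poisoned;   // valueOf() throws before any store to `destination`
  } catch (e) {
    caught = e.message;
  }
  return { destination, caught };
}
```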

2012-09-04  Filip Pizlo  <fpizlo@apple.com>

        DFG GetByVal for JSArrays shouldn't OSR exit every time that the index is out of bound
        https://bugs.webkit.org/show_bug.cgi?id=95717

        Reviewed by Oliver Hunt.

        Rolling back in after fixing the negative index case.

        Make GetByVal for JSArrayOutOfBounds do meaningful things. The profiling was already
        there so we should just use it!

        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-09-04  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r127503.
        http://trac.webkit.org/changeset/127503
        https://bugs.webkit.org/show_bug.cgi?id=95788

        broke some tests (fast/js/dfg-negative-array-index,
        fast/js/dfg-put-by-val-setter-then-get-by-val) (Requested by thorton
        on #webkit).

        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-09-04  Benjamin Poulain  <bpoulain@apple.com>

        Improve JSC use of Strings after the UString->String change
        https://bugs.webkit.org/show_bug.cgi?id=95633

        Reviewed by Geoffrey Garen.

        This patch improves the use of strings in the JSC runtime.

        The initialization of Identifier is left for future patches.

        The improvements are the following:
        - 5% faster to raise one of the modified exceptions.
        - 3 times faster to execute Boolean::toString()

        Most of the changes are just about using the new methods
        for string literals.

        With the changes, the binary on x86_64 gets 176 bytes smaller.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunctionWithCallback):
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString):
        (JSC::CodeBlock::nameForRegister):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        * runtime/BooleanPrototype.cpp:
        (JSC::booleanProtoFuncToString): Instead of instantiating new strings, reuse the
        keywords available in SmallStrings. Avoiding the creation of the JSString and StringImpl
        makes the method significantly faster.

        * runtime/DateConversion.cpp:
        (JSC::formatDateTime):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        (JSC::formateDateInstance):
        (JSC::dateProtoFuncToISOString):
        Change the way we use snprintf() for clarity and performance.

        Instead of allocating one extra byte to put a zero "just in case", we use the size returned
        by snprintf().
        To prevent any overflow from a programming mistake, we explicitly test for overflow and
        return an empty string.

        (JSC::dateProtoFuncToJSON):
        * runtime/Error.cpp:
        (JSC::createNotEnoughArgumentsError):
        (JSC::throwTypeError):
        (JSC::throwSyntaxError):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        (JSC::errorProtoFuncToString):
        Using a null String is correct because (8) uses jsString(), (9) tests for a length of 0.

        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::defaultValue):
        (JSC::TerminatedExecutionError::defaultValue):
        (JSC::createStackOverflowError):
        (JSC::createOutOfMemoryError):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::FunctionExecutable::paramString):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        Using a null String for the name is correct because InternalFunction uses jsString()
        to create the name value.

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        There is no need to create an empty string for a null string, jsString() handles both
        cases as empty JSString.

        * runtime/JSArray.cpp:
        (JSC::reject):
        (JSC::SparseArrayValueMap::put):
        (JSC::JSArray::put):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::putDirectIndexBeyondVectorLength):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation): Same issue as InternalFunction::finishCreation.

        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalData.cpp:
        (JSC::enableAssembler): Use CFSTR() instead of CFStringCreateWithCString().
        CFStringCreateWithCString() copies the content and may choose to decode the data.
        CFSTR() is much more efficient.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        JSFunction uses jsString() to create the name, we can use null strings instead
        of creating empty strings.

        (JSC::JSGlobalObject::createThrowTypeError): ditto.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::defaultValue):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSString.cpp:
        Return an empty JSString to avoid the creation of a temporary empty String.

        (JSC::JSRopeString::getIndexSlowCase):
        * runtime/JSString.h:
        (JSC): Remove the versions of jsNontrivialString() taking a char*. All the callers
        have been replaced by calls using ASCIILiteral.

        * runtime/JSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lex):
        (JSC::::Lexer::lexString):
        (JSC::::Lexer::lexNumber):
        (JSC::::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToString):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::reject):
        (JSC::regExpObjectSource):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):

2012-09-04  Filip Pizlo  <fpizlo@apple.com>

        DFG GetByVal for JSArrays shouldn't OSR exit every time that the index is out of bound
        https://bugs.webkit.org/show_bug.cgi?id=95717

        Reviewed by Oliver Hunt.

        Make GetByVal for JSArrayOutOfBounds do meaningful things. The profiling was already
        there so we should just use it!

        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-09-04  Zoltan Horvath  <zoltan@webkit.org>

        Extend the coverage of the Custom Allocation Framework in WTF and in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=95737

        Reviewed by Eric Seidel.

        Add WTF_MAKE_FAST_ALLOCATED macro to the following class declarations because these are instantiated by operator new.

        * wtf/CryptographicallyRandomNumber.cpp: CryptographicallyRandomNumber is instantiated at wtf/CryptographicallyRandomNumber.cpp:162.

        * heap/MachineStackMarker.cpp:
        (MachineThreads::Thread): Thread is instantiated at heap/MachineStackMarker.cpp:196.
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (FixedVMPoolExecutableAllocator): FixedVMPoolExecutableAllocator is instantiated at jit/ExecutableAllocatorFixedVMPool.cpp:111
        * parser/SourceProviderCache.h:
        (SourceProviderCache): SourceProviderCache is instantiated at parser/SourceProvider.h:49.
        * parser/SourceProviderCacheItem.h:
        (SourceProviderCacheItem): SourceProviderCacheItem is instantiated at parser/Parser.cpp:843.
        * runtime/GCActivityCallback.h:
        (GCActivityCallback): GCActivityCallback is instantiated at runtime/GCActivityCallback.h:96.
        * tools/CodeProfile.h:
        (CodeProfile): CodeProfile is instantiated at JavaScriptCore/tools/CodeProfiling.cpp:140.

2012-09-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove uses of ClassInfo from SpeculativeJIT::compileObjectOrOtherLogicalNot
        https://bugs.webkit.org/show_bug.cgi?id=95510

        Reviewed by Oliver Hunt.

        More refactoring to get rid of ClassInfo checks in the DFG.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):

2012-09-03  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for ENABLE(CLASSIC_INTERPRETER) after r127393.

        * interpreter/Interpreter.h:

2012-09-02  Geoffrey Garen  <ggaren@apple.com>

        Fixed failures seen on Linux bots.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h: push_*_scope doesn't have a destination operand anymore.
        Accordingly, update these places in the baseline JIT, which I missed in my last patch.

2012-09-02  Geoffrey Garen  <ggaren@apple.com>

        Refactored scope chain opcodes to support optimization for named function expressions
        https://bugs.webkit.org/show_bug.cgi?id=95658

        Reviewed by Sam Weinig.

        Renamed
            push_scope => push_with_scope
            push_new_scope => push_name_scope
        to clarify the difference between them.

        Changed push_with_scope and push_name_scope not to save the new scope in
        a temporary register, since doing so made optimization harder.

        (The old behavior was a hold-over from when the scope chain wasn't
        a GC object, and wouldn't be marked otherwise. Now, the scope chain is
        marked because it is a GC object pointed to by the call frame.)

        Changed push_name_scope to accept an operand specifying the attributes
        for the named property, instead of assuming DontDelete, because a named
        function expression needs ReadOnly|DontDelete.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::highestUsedRegister): Removed this function,
        which used to be related to preserving saved scope object temporaries,
        because it had no callers.

2012-09-01  Geoffrey Garen  <ggaren@apple.com>

        Rolled back out a piece of <http://trac.webkit.org/changeset/127293>
        because it broke inspector tests on Windows.

            Shrink activation objects by half
            https://bugs.webkit.org/show_bug.cgi?id=95591

            Reviewed by Sam Weinig.

2012-09-01  Mark Lam  <mark.lam@apple.com>

        LLInt C loop backend.
        https://bugs.webkit.org/show_bug.cgi?id=91052.

        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::bytecodeOffset):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC):
        * interpreter/Interpreter.h:
        * jit/JITStubs.h:
        (JITStackFrame):
        (JSC):
        * llint/LLIntCLoop.cpp: Added.
        (JSC):
        (LLInt):
        (JSC::LLInt::CLoop::initialize):
        (JSC::LLInt::CLoop::catchRoutineFor):
        (JSC::LLInt::CLoop::hostCodeEntryFor):
        (JSC::LLInt::CLoop::jsCodeEntryWithArityCheckFor):
        (JSC::LLInt::CLoop::jsCodeEntryFor):
        * llint/LLIntCLoop.h: Added.
        (JSC):
        (LLInt):
        (CLoop):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOpcode.h:
        * llint/LLIntThunks.cpp:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (LLInt):
        (JSC::LLInt::Ints2Double):
        (JSC):
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter.h:
        (JSC):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/asm.rb:
        * offlineasm/backends.rb:
        * offlineasm/cloop.rb: Added.
        * offlineasm/instructions.rb:
        * runtime/Executable.h:
        (ExecutableBase):
        (JSC::ExecutableBase::hostCodeEntryFor):
        (JSC::ExecutableBase::jsCodeEntryFor):
        (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
        (JSC::ExecutableBase::catchRoutineFor):
        (NativeExecutable):
        * runtime/JSValue.h:
        (JSC):
        (LLInt):
        (JSValue):
        * runtime/JSValueInlineMethods.h:
        (JSC):
        (JSC::JSValue::JSValue):
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2012-09-01  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.

            Shrink activation objects by half
            https://bugs.webkit.org/show_bug.cgi?id=95591

            Reviewed by Sam Weinig.

        * runtime/JSActivation.h:
        (JSActivation):

2012-09-01  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.

            Shrink activation objects by half
            https://bugs.webkit.org/show_bug.cgi?id=95591

            Reviewed by Sam Weinig.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::setGlobalThis):
        (JSC):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSScope::globalThis):
        (JSC):
        (JSC::JSGlobalObject::globalThis):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::JSNameScope):
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSScope.h:
        (JSScope):
        (JSC::JSScope::JSScope):
        (JSC::JSScope::globalObject):
        (JSC::JSScope::globalData):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::JSSymbolTableObject):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::JSWithScope):
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):

2012-09-01  Geoffrey Garen  <ggaren@apple.com>

        Rolled back out a piece of <http://trac.webkit.org/changeset/127293>
        because it broke Windows inspector tests.

            Shrink activation objects by half
            https://bugs.webkit.org/show_bug.cgi?id=95591

            Reviewed by Sam Weinig.

        * runtime/JSActivation.h:
        (JSActivation):

2012-08-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, attempt to fix Windows, take two.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-08-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, attempt to fix Windows.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-08-31  Filip Pizlo  <fpizlo@apple.com>

        JSArray::putDirectIndex should by default behave like JSObject::putDirect
        https://bugs.webkit.org/show_bug.cgi?id=95630
819
820         Reviewed by Gavin Barraclough.
821
822         * interpreter/Interpreter.cpp:
823         (JSC::Interpreter::privateExecute):
824         * jit/JITStubs.cpp:
825         (JSC::DEFINE_STUB_FUNCTION):
826         * jsc.cpp:
827         (GlobalObject::finishCreation):
828         * llint/LLIntSlowPaths.cpp:
829         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
830         * runtime/JSArray.cpp:
831         (JSC::SparseArrayValueMap::putDirect):
832         (JSC::JSArray::defineOwnNumericProperty):
833         (JSC::JSArray::putDirectIndexBeyondVectorLength):
834         * runtime/JSArray.h:
835         (SparseArrayValueMap):
836         (JSArray):
837         (JSC::JSArray::putDirectIndex):
838         * runtime/JSONObject.cpp:
839         (JSC::Walker::walk):
840         * runtime/RegExpMatchesArray.cpp:
841         (JSC::RegExpMatchesArray::reifyAllProperties):
842         (JSC::RegExpMatchesArray::reifyMatchProperty):
843         * runtime/StringPrototype.cpp:
844         (JSC::splitStringByOneCharacterImpl):
845         (JSC::stringProtoFuncSplit):
846
847 2012-08-31  Geoffrey Garen  <ggaren@apple.com>
848
849         Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.
850
851             Shrink activation objects by half
852             https://bugs.webkit.org/show_bug.cgi?id=95591
853
854             Reviewed by Sam Weinig.
855
856         * runtime/JSGlobalData.cpp:
857         (JSC::JSGlobalData::JSGlobalData):
858         * runtime/JSGlobalData.h:
859         (JSGlobalData):
860         * runtime/JSNameScope.h:
861         (JSC::JSNameScope::JSNameScope):
862         * runtime/JSWithScope.h:
863         (JSC::JSWithScope::JSWithScope):
864         * runtime/StrictEvalActivation.cpp:
865         (JSC::StrictEvalActivation::StrictEvalActivation):
866
867 2012-08-31  Geoffrey Garen  <ggaren@apple.com>
868
869         Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.
870
871             Shrink activation objects by half
872             https://bugs.webkit.org/show_bug.cgi?id=95591
873
874             Reviewed by Sam Weinig.
875
876         * dfg/DFGAbstractState.cpp:
877         (JSC::DFG::AbstractState::execute):
878         * jit/JITOpcodes.cpp:
879         (JSC::JIT::emit_op_resolve_global_dynamic):
880         * llint/LowLevelInterpreter32_64.asm:
881         * llint/LowLevelInterpreter64.asm:
882         * runtime/JSActivation.cpp:
883         (JSC::JSActivation::JSActivation):
884         * runtime/JSGlobalData.cpp:
885         (JSC::JSGlobalData::JSGlobalData):
886         * runtime/JSGlobalData.h:
887         (JSGlobalData):
888         * runtime/JSGlobalObject.cpp:
889         (JSC::JSGlobalObject::reset):
890         (JSC::JSGlobalObject::visitChildren):
891         * runtime/JSGlobalObject.h:
892         (JSGlobalObject):
893         (JSC::JSGlobalObject::withScopeStructure):
894         (JSC::JSGlobalObject::strictEvalActivationStructure):
895         (JSC::JSGlobalObject::activationStructure):
896         (JSC::JSGlobalObject::nameScopeStructure):
897
898 2012-08-31  Mark Hahnenberg  <mhahnenberg@apple.com>
899
900         Remove use of ClassInfo in SpeculativeJIT::emitBranch
901         https://bugs.webkit.org/show_bug.cgi?id=95623
902
903         Reviewed by Filip Pizlo.
904
905         * dfg/DFGAbstractState.cpp:
906         (JSC::DFG::AbstractState::execute):
907         * dfg/DFGSpeculativeJIT.h:
908         (SpeculativeJIT):
909         * dfg/DFGSpeculativeJIT32_64.cpp:
910         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
911         (JSC::DFG::SpeculativeJIT::emitBranch):
912         * dfg/DFGSpeculativeJIT64.cpp:
913         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
914         (JSC::DFG::SpeculativeJIT::emitBranch):
915
916 2012-08-31  Geoffrey Garen  <ggaren@apple.com>
917
918         Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.
919
920             Shrink activation objects by half
921             https://bugs.webkit.org/show_bug.cgi?id=95591
922
923             Reviewed by Sam Weinig.
924
925         * heap/MarkedBlock.cpp:
926         (JSC::MarkedBlock::MarkedBlock):
927         * heap/MarkedBlock.h:
928         (MarkedBlock):
929         (JSC::MarkedBlock::globalData):
930         (JSC):
931         * heap/WeakSet.cpp:
932         (JSC::WeakSet::addAllocator):
933         * heap/WeakSet.h:
934         (WeakSet):
935         (JSC::WeakSet::WeakSet):
936         (JSC::WeakSet::globalData):
937         * runtime/JSGlobalData.h:
938         (JSC::WeakSet::heap):
939         (JSC):
940
941 2012-08-31  Mark Lam  <mark.lam@apple.com>
942
943         Refactor LLInt and supporting code in preparation for the C Loop backend.
944         https://bugs.webkit.org/show_bug.cgi?id=95531.
945
946         Reviewed by Filip Pizlo.
947
948         * bytecode/GetByIdStatus.cpp:
949         (JSC::GetByIdStatus::computeFromLLInt):
950         * bytecode/PutByIdStatus.cpp:
951         (JSC::PutByIdStatus::computeFromLLInt):
952         * jit/JITExceptions.cpp:
953         (JSC::genericThrow): Use ExecutableBase::catchRoutineFor() to fetch
954             the catch routine for a thrown exception.  This will allow
955             us to redefine that for the C loop later, and still keep this
956             code readable.
957         * llint/LLIntOfflineAsmConfig.h: Moved ASM macros to
958             LowLevelInterpreter.cpp which is the only place they are used. This
959             will make it more convenient to redefine them for the C loop later.
960         * llint/LLIntSlowPaths.cpp:
961         (JSC::LLInt::setUpCall): Use ExecutableBase's hostCodeEntryFor(),
962             jsCodeEntryFor(), and jsCodeWithArityCheckEntryFor() for computing
963             the entry points to functions being called.
964         * llint/LLIntSlowPaths.h:
965         (SlowPathReturnType):
966         (JSC::LLInt::encodeResult):
967         (LLInt):
968         (JSC::LLInt::decodeResult): Added.  Needed by LLInt C Loop later.
969         * llint/LowLevelInterpreter.asm:
970         * llint/LowLevelInterpreter.cpp:
971         * llint/LowLevelInterpreter32_64.asm:
972         * llint/LowLevelInterpreter64.asm:
973         * offlineasm/asm.rb: Disambiguate between opcodes and other labels.
974         * offlineasm/config.rb:
975         * runtime/Executable.h:
976         (JSC::ExecutableBase::hostCodeEntryFor): Added.
977         (ExecutableBase):
978         (JSC::ExecutableBase::jsCodeEntryFor): Added.
979         (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor): Added.
980         (JSC::ExecutableBase::catchRoutineFor): Added.
981         * runtime/JSValueInlineMethods.h:
982         (JSC):
983
984 2012-08-31  Tony Chang  <tony@chromium.org>
985
986         Remove ENABLE_CSS3_FLEXBOX compile time flag
987         https://bugs.webkit.org/show_bug.cgi?id=95382
988
989         Reviewed by Ojan Vafai.
990
991         Everyone is already enabling this by default and the spec has stabilized.
992
993         * Configurations/FeatureDefines.xcconfig:
994
995 2012-08-31  Geoffrey Garen  <ggaren@apple.com>
996
997         Not reviewed.
998
999         Rolled out http://trac.webkit.org/changeset/127293 because it broke
1000         inspector tests on Windows.
1001
1002             Shrink activation objects by half
1003             https://bugs.webkit.org/show_bug.cgi?id=95591
1004
1005             Reviewed by Sam Weinig.
1006
1007 2012-08-31  Geoffrey Garen  <ggaren@apple.com>
1008
1009         Shrink activation objects by half
1010         https://bugs.webkit.org/show_bug.cgi?id=95591
1011
1012         Reviewed by Sam Weinig.
1013
1014         Removed the global object, global data, and global this pointers from
1015         JSScope, and changed an int to a bitfield. This gets the JSActivation
1016         class down to 64 bytes, which in practice cuts it in half by getting it
1017         out of the 128 byte size class.
1018
1019         Now, it's one extra indirection to get these pointers. These pointers
1020         aren't accessed by JIT code, so I thought there would be no cost to the
1021         extra indirection. However, some C++-heavy SunSpider tests regressed a
1022         bit in an early version of the patch, which added even more indirection.
1023         This suggests that calls to exec->globalData() and/or exec->lexicalGlobalObject()
1024         are common and probably duplicated in lots of places, and could stand
1025         further optimization in C++.
1026
1027         * dfg/DFGAbstractState.cpp:
1028         (JSC::DFG::AbstractState::execute): Test against the specific activation
1029         for our global object, since there's no VM-shared activation structure
1030         anymore. This is guaranteed to have the same success rate as the old test
1031         because activation scope is fixed at compile time.
1032
1033         * heap/MarkedBlock.cpp:
1034         (JSC::MarkedBlock::MarkedBlock):
1035         * heap/MarkedBlock.h:
1036         (JSC::MarkedBlock::globalData):
1037         * heap/WeakSet.cpp:
1038         (JSC::WeakSet::addAllocator):
1039         * heap/WeakSet.h:
1040         (WeakSet):
1041         (JSC::WeakSet::WeakSet):
1042         (JSC::WeakSet::globalData): Store a JSGlobalData* instead of a Heap*
1043         because JSGlobalData->Heap is just a constant fold in the addressing
1044         mode, while Heap->JSGlobalData is an extra pointer dereference. (These
1045         objects should eventually just merge.)
1046
1047         * jit/JITOpcodes.cpp:
1048         (JSC::JIT::emit_op_resolve_global_dynamic): See DFGAbstractState.cpp.
1049
1050         * llint/LowLevelInterpreter32_64.asm:
1051         * llint/LowLevelInterpreter64.asm: Load the activation structure from
1052         the code block instead of the global data because the structure is not
1053         VM-shared anymore. (See DFGAbstractState.cpp.)
1054
1055         * runtime/JSActivation.cpp:
1056         (JSC::JSActivation::JSActivation):
1057         * runtime/JSActivation.h:
1058         (JSActivation): This is the point of the patch: Remove the data.
1059
1060         * runtime/JSGlobalData.cpp:
1061         (JSC::JSGlobalData::JSGlobalData):
1062         * runtime/JSGlobalData.h:
1063         (JSGlobalData): No longer VM-shared. (See DFGAbstractState.cpp.)
1064
1065         (JSC::WeakSet::heap): (See WeakSet.h.)
1066
1067         * runtime/JSGlobalObject.cpp:
1068         (JSC::JSGlobalObject::JSGlobalObject):
1069         (JSC::JSGlobalObject::setGlobalThis):
1070         (JSC::JSGlobalObject::reset):
1071         (JSC::JSGlobalObject::visitChildren):
1072         * runtime/JSGlobalObject.h:
1073         (JSGlobalObject):
1074         (JSC::JSGlobalObject::withScopeStructure):
1075         (JSC::JSGlobalObject::strictEvalActivationStructure):
1076         (JSC::JSGlobalObject::activationStructure):
1077         (JSC::JSGlobalObject::nameScopeStructure):
1078         (JSC::JSScope::globalThis):
1079         (JSC::JSGlobalObject::globalThis): Data that used to be in the JSScope
1080         class goes here now, so it's not duplicated across all activations.
1081
1082         * runtime/JSNameScope.h:
1083         (JSC::JSNameScope::JSNameScope):
1084         * runtime/JSScope.cpp:
1085         (JSC::JSScope::visitChildren): This is the point of the patch: Remove the data.
1086
1087         * runtime/JSScope.h:
1088         (JSScope):
1089         (JSC::JSScope::JSScope):
1090         (JSC::JSScope::globalObject):
1091         (JSC::JSScope::globalData):
1092         * runtime/JSSegmentedVariableObject.h:
1093         (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
1094         * runtime/JSSymbolTableObject.h:
1095         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1096         * runtime/JSVariableObject.h:
1097         (JSC::JSVariableObject::JSVariableObject):
1098         * runtime/JSWithScope.h:
1099         (JSC::JSWithScope::JSWithScope):
1100         * runtime/StrictEvalActivation.cpp:
1101         (JSC::StrictEvalActivation::StrictEvalActivation): Simplified now that
1102         we don't need to pass so much data to JSScope.
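
The size-class argument in the entry above, as an added illustration that is not JavaScriptCore code: the struct layouts, field names (FatActivation, ThinActivation, and their members) and the power-of-two allocator model are hypothetical sketches of the change, and 64-bit pointers are assumed. The "thin" scope reaches the global object through the Structure pointer every cell already carries, which is the one extra indirection the entry describes, and the sizeof comparison shows the 128-byte to 64-byte size-class move.

```cpp
#include <cstddef>
#include <cstdio>

// Added illustration, not JavaScriptCore code. All layouts here are
// hypothetical: 64-bit pointers are assumed and the field sets only mimic
// the shape of the change described in the ChangeLog entry.

struct GlobalData { int placeholder; };

struct GlobalObject {
    GlobalData* globalData;
    void* globalThis;
};

// Every cell already carries a Structure*. If activation structures are
// per-global-object rather than VM-shared, the Structure can name its
// global object, and the scope no longer has to.
struct Structure {
    GlobalObject* globalObject;
};

// "Before": the scope duplicates three pointers that are reachable elsewhere.
struct FatActivation {
    Structure* structure;         // cell header
    void* outOfLineStorage;       // object property storage
    FatActivation* next;          // scope chain link
    void* symbolTable;
    void* registers;
    GlobalObject* globalObject;   // duplicated in every activation
    GlobalData* globalData;       // duplicated in every activation
    void* globalThis;             // duplicated in every activation
    int numCapturedVars;
    bool isTornOff;
};

// "After": the duplicated pointers are gone and the flag shares a word with
// the counter. Lookups now take one extra hop through the Structure.
struct ThinActivation {
    Structure* structure;
    void* outOfLineStorage;
    ThinActivation* next;
    void* symbolTable;
    void* registers;
    unsigned numCapturedVars : 31;
    unsigned isTornOff : 1;

    GlobalObject* globalObject() const { return structure->globalObject; }
    GlobalData* globalData() const { return globalObject()->globalData; }
    void* globalThis() const { return globalObject()->globalThis; }
};

// Power-of-two size classes, the allocator model the "128 byte size class"
// remark implies. Returns the class an object of `bytes` bytes lands in.
std::size_t sizeClassFor(std::size_t bytes) {
    std::size_t cls = 16;
    while (cls < bytes)
        cls *= 2;
    return cls;
}

std::size_t fatSizeClass() { return sizeClassFor(sizeof(FatActivation)); }
std::size_t thinSizeClass() { return sizeClassFor(sizeof(ThinActivation)); }

// Builds a scope over one global object and checks that the thin scope
// reaches, via its Structure, the same globals the fat scope stored directly.
bool thinScopeResolvesSameGlobals() {
    GlobalData data{0};
    GlobalObject global{&data, nullptr};
    Structure activationStructure{&global};

    FatActivation fat{&activationStructure, nullptr, nullptr, nullptr, nullptr,
                      &global, &data, nullptr, 3, false};
    ThinActivation thin{&activationStructure, nullptr, nullptr, nullptr, nullptr, 3, 0};

    return thin.globalData() == fat.globalData
        && thin.globalObject() == fat.globalObject
        && thin.globalThis() == fat.globalThis;
}

int main() {
    std::printf("fat:  %zu bytes -> %zu byte size class\n", sizeof(FatActivation), fatSizeClass());
    std::printf("thin: %zu bytes -> %zu byte size class\n", sizeof(ThinActivation), thinSizeClass());
    std::printf("thin scope resolves the same globals: %s\n",
                thinScopeResolvesSameGlobals() ? "yes" : "no");
    return 0;
}
```

The sketch also shows why the activation structure can no longer be VM-shared: once the scope finds its global object through the Structure, each global object needs its own activation Structure, which is exactly the activationStructure() accessor the entry moves onto JSGlobalObject.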
1103
1104 2012-08-31  Patrick Gansterer  <paroga@webkit.org>
1105
1106         Build fix for WinCE after r127191.
1107
1108         * bytecode/JumpTable.h:
1109
1110 2012-08-30  Filip Pizlo  <fpizlo@apple.com>
1111
1112         ASSERTION FAILURE in JSC::JSGlobalData::float32ArrayDescriptor when running fast/js/dfg-float64array.html
1113         https://bugs.webkit.org/show_bug.cgi?id=95398
1114
1115         Reviewed by Mark Hahnenberg.
1116
1117         Trying to get the build failure to be a bit more informative.
1118
1119         * runtime/JSGlobalData.h:
1120         (JSGlobalData):
1121
1122 2012-08-30  Geoffrey Garen  <ggaren@apple.com>
1123
1124         Try to fix the Qt build: add some #includes that, for some reason, only the Qt linker requires.
1125
1126         * runtime/BooleanObject.cpp:
1127         * runtime/ErrorInstance.cpp:
1128         * runtime/NameInstance.cpp:
1129
1130 2012-08-30  Geoffrey Garen  <ggaren@apple.com>
1131
1132         Fix the Qt build: Removed a now-dead variable.
1133
1134         * interpreter/Interpreter.cpp:
1135         (JSC::Interpreter::execute):
1136
1137 2012-08-30  Benjamin Poulain  <bpoulain@apple.com>
1138
1139         Ambiguous operator[] after r127191 on some compilers
1140         https://bugs.webkit.org/show_bug.cgi?id=95509
1141
1142         Reviewed by Simon Fraser.
1143
1144         On some compilers, the operator[] conflicts with the Obj-C++ operators. This attempts to solve
1145         the issue.
1146
1147         * runtime/JSString.h:
1148         (JSC::jsSingleCharacterSubstring):
1149         (JSC::jsString):
1150         (JSC::jsSubstring8):
1151         (JSC::jsSubstring):
1152         (JSC::jsOwnedString):
1153
1154 2012-08-30  Geoffrey Garen  <ggaren@apple.com>
1155
1156         Try to fix the Qt build: Remove the inline keyword at the declaration
1157         site. 
1158
1159         The Qt compiler seems to be confused, complaining about these functions
1160         not being defined in a translation unit, even though no generated code
1161         in the unit calls these functions. Maybe removing the keyword at the
1162         declaration site will change its mind.
1163
1164         This shouldn't change the inlining decision at all: the definition is
1165         still inline.
1166
1167         * interpreter/CallFrame.h:
1168         (ExecState):
1169
1170 2012-08-30  Geoffrey Garen  <ggaren@apple.com>
1171
1172         Undo Qt build fix guess, since it breaks other builds.
1173
1174         * runtime/JSArray.h:
1175
1176 2012-08-30  Geoffrey Garen  <ggaren@apple.com>
1177
1178         Try to fix the Qt build: add an #include to JSArray.h, since
1179         it's included by some of the files Qt complains about, and
1180         some of its functions call the functions Qt complains about.
1181
1182         * runtime/JSArray.h:
1183
1184 2012-08-30  Geoffrey Garen  <ggaren@apple.com>
1185
1186         Second step toward fixing the Windows build: Add new symbols.
1187
1188         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1189
1190 2012-08-30  Geoffrey Garen  <ggaren@apple.com>
1191
1192         Try to fix the Qt build: add an #include.
1193
1194         * bytecode/GetByIdStatus.cpp:
1195
1196 2012-08-30  Geoffrey Garen  <ggaren@apple.com>
1197
1198         First step toward fixing the Windows build: Remove old symbols.
1199
1200         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1201
1202 2012-08-30  Geoffrey Garen  <ggaren@apple.com>
1203
1204         Use one object instead of two for closures, eliminating ScopeChainNode
1205         https://bugs.webkit.org/show_bug.cgi?id=95501
1206
1207         Reviewed by Filip Pizlo.
1208
1209         This patch removes ScopeChainNode, and moves all the data and related
1210         functions that used to be in ScopeChainNode into JSScope.
1211
1212         Most of this patch is mechanical changes to use a JSScope* where we used
1213         to use a ScopeChainNode*. I've only specifically commented about items
1214         that were non-mechanical.
1215
1216         * runtime/Completion.cpp:
1217         (JSC::evaluate):
1218         * runtime/Completion.h: Don't require an explicit scope chain argument
1219         when evaluating code. Clients never wanted anything other than the
1220         global scope, and other arbitrary scopes probably wouldn't work
1221         correctly, anyway.
1222
1223         * runtime/JSScope.cpp:
1224         * runtime/JSScope.h:
1225         (JSC::JSScope::JSScope): JSScope now requires the data we used to pass to
1226         ScopeChainNode, so it can link itself into the scope chain correctly.
1227
1228         * runtime/JSWithScope.h:
1229         (JSC::JSWithScope::create):
1230         (JSC::JSWithScope::JSWithScope): JSWithScope gets an extra constructor
1231         for specifically supplying your own scope chain. The DOM needs this
1232         interface for setting up the scope chain for certain event handlers.
1233         Other clients always just push the JSWithScope to the head of the current
1234         scope chain.
1235
1236 2012-08-30  Mark Lam  <mark.lam@apple.com>
1237
1238         Render unto #ifdef's that which belong to them.
1239         https://bugs.webkit.org/show_bug.cgi?id=95482.
1240
1241         Reviewed by Filip Pizlo.
1242
1243         Refining / disambiguating between #ifdefs and adding some. For
1244         example, ENABLE(JIT) is conflated with ENABLE(LLINT) in some places.
1245         Also, we need to add ENABLE(COMPUTED_GOTO_OPCODES) to indicate that we
1246         want interpreted opcodes to use COMPUTED GOTOs apart from ENABLE(LLINT)
1247         and ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER). Also cleaned up #ifdefs
1248         in certain places which were previously incorrect.
1249
1250         * bytecode/CodeBlock.cpp:
1251         (JSC):
1252         (JSC::CodeBlock::bytecodeOffset):
1253         * bytecode/CodeBlock.h:
1254         (CodeBlock):
1255         * bytecode/Opcode.h:
1256         (JSC::padOpcodeName):
1257         * config.h:
1258         * dfg/DFGOperations.cpp:
1259         * interpreter/AbstractPC.cpp:
1260         (JSC::AbstractPC::AbstractPC):
1261         * interpreter/CallFrame.h:
1262         (ExecState):
1263         * interpreter/Interpreter.cpp:
1264         (JSC::Interpreter::~Interpreter):
1265         (JSC::Interpreter::initialize):
1266         (JSC::Interpreter::isOpcode):
1267         (JSC::Interpreter::unwindCallFrame):
1268         (JSC::getLineNumberForCallFrame):
1269         (JSC::getCallerInfo):
1270         (JSC::Interpreter::execute):
1271         (JSC::Interpreter::executeCall):
1272         (JSC::Interpreter::executeConstruct):
1273         (JSC::Interpreter::privateExecute):
1274         * interpreter/Interpreter.h:
1275         (JSC::Interpreter::getOpcode):
1276         (JSC::Interpreter::getOpcodeID):
1277         (Interpreter):
1278         * jit/HostCallReturnValue.h:
1279         * jit/JITCode.h:
1280         (JITCode):
1281         * jit/JITExceptions.cpp:
1282         * jit/JITExceptions.h:
1283         * jit/JSInterfaceJIT.h:
1284         * llint/LLIntData.h:
1285         (JSC::LLInt::getOpcode):
1286         * llint/LLIntEntrypoints.cpp:
1287         (JSC::LLInt::getFunctionEntrypoint):
1288         (JSC::LLInt::getEvalEntrypoint):
1289         (JSC::LLInt::getProgramEntrypoint):
1290         * llint/LLIntOffsetsExtractor.cpp:
1291         (JSC::LLIntOffsetsExtractor::dummy):
1292         * llint/LLIntSlowPaths.cpp:
1293         (LLInt):
1294         * runtime/JSGlobalData.cpp:
1295         (JSC):
1296
1297 2012-08-30  JungJik Lee  <jungjik.lee@samsung.com>
1298
1299         [EFL][WK2] Add WebMemorySampler feature.
1300         https://bugs.webkit.org/show_bug.cgi?id=91214
1301
1302         Reviewed by Kenneth Rohde Christiansen.
1303
1304         WebMemorySampler collects Javascript stack and JIT memory usage in globalMemoryStatistics.
1305
1306         * PlatformEfl.cmake:
1307
1308 2012-08-30  Benjamin Poulain  <bpoulain@apple.com>
1309
1310         Replace JSC::UString by WTF::String
1311         https://bugs.webkit.org/show_bug.cgi?id=95271
1312
1313         Reviewed by Geoffrey Garen.
1314
1315         Having JSC::UString and WTF::String increases the complexity of working on WebKit, and
1316         adds useless conversions in the bindings. It also causes some code bloat.
1317
1318         The performance advantages of UString have been ported over in previous patches. This patch
1319         is the last step: getting rid of UString.
1320
1321         In addition to the simplified code, this also reduces the binary size by 15kb on x86_64.
1322
1323         * API/OpaqueJSString.cpp:
1324         (OpaqueJSString::ustring):
1325         * runtime/Identifier.h:
1326         (JSC::Identifier::ustring):
1327         To avoid changing everything at once, the functions named ustring() were kept as is. They
1328         will be renamed in a follow up patch.
1329
1330         * runtime/JSString.h:
1331         (JSC::JSString::string):
1332         (JSC::JSValue::toWTFString):
1333         (JSC::inlineJSValueNotStringtoString):
1334         (JSC::JSValue::toWTFStringInline):
1335         Since JSValue::toString() already exists (and returns the JSString), the direct accessor is renamed
1336         to ::toWTFString(). We may change ::string() to ::jsString() and ::toWTFString() to ::toString()
1337         in the future.
1338
1339         * runtime/StringPrototype.cpp:
1340         (JSC::substituteBackreferencesSlow): Replace the use of UString::getCharacters<>() by String::getCharactersWithUpconvert<>().
1341
1342 2012-08-24  Mark Hahnenberg  <mhahnenberg@apple.com>
1343
1344         Remove uses of ClassInfo in StrictEq and CompareEq in the DFG
1345         https://bugs.webkit.org/show_bug.cgi?id=93401
1346
1347         Reviewed by Filip Pizlo.
1348
1349         Another incremental step in removing the dependence on ClassInfo pointers in object headers.
1350
1351         * bytecode/SpeculatedType.h:
1352         (JSC::isCellOrOtherSpeculation):
1353         (JSC):
1354         * dfg/DFGAbstractState.cpp: Updated the CFA to reflect the changes to the backend.
1355         (JSC::DFG::AbstractState::execute):
1356         * dfg/DFGNode.h:
1357         (Node):
1358         (JSC::DFG::Node::shouldSpeculateString): Added this new function since it was conspicuously absent.
1359         (JSC::DFG::Node::shouldSpeculateNonStringCellOrOther): Also add this function for use in the CFA.
1360         * dfg/DFGSpeculativeJIT.cpp: Refactored how we handle CompareEq and CompareStrictEq in the DFG. We now just 
1361         check for Strings by comparing the object's Structure to the global Structure for strings. We only 
1362         check for MasqueradesAsUndefined if the watchpoint has fired. These changes allow us to remove our 
1363         uses of the ClassInfo pointer for compiling these nodes.
1364         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1365         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1366         (JSC::DFG::SpeculativeJIT::compare):
1367         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1368         * dfg/DFGSpeculativeJIT.h:
1369         (SpeculativeJIT):
1370         * dfg/DFGSpeculativeJIT32_64.cpp: Same changes for 32 bit as for 64 bit.
1371         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1372         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1373         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1374         * dfg/DFGSpeculativeJIT64.cpp:
1375         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1376         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1377         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1378
1379 2012-08-30  Yong Li  <yoli@rim.com>
1380
1381         [BlackBerry] Implement IncrementalSweeper for PLATFORM(BLACKBERRY)
1382         https://bugs.webkit.org/show_bug.cgi?id=95469
1383
1384         Reviewed by Rob Buis.
1385
1386         RIM PR# 200595.
1387         Share most code with USE(CF) and implement timer-related methods
1388         for PLATFORM(BLACKBERRY).
1389
1390         * heap/IncrementalSweeper.cpp:
1391         (JSC):
1392         (JSC::IncrementalSweeper::IncrementalSweeper):
1393         (JSC::IncrementalSweeper::create):
1394         (JSC::IncrementalSweeper::scheduleTimer):
1395         (JSC::IncrementalSweeper::cancelTimer):
1396         (JSC::IncrementalSweeper::doSweep):
1397         * heap/IncrementalSweeper.h:
1398         (IncrementalSweeper):
1399
1400 2012-08-30  Mark Lam  <mark.lam@apple.com>
1401
1402         Fix broken classic interpreter build.
1403         https://bugs.webkit.org/show_bug.cgi?id=95484.
1404
1405         Reviewed by Filip Pizlo.
1406
1407         * interpreter/Interpreter.cpp:
1408         (JSC::Interpreter::privateExecute):
1409
1410 2012-08-30  Byungwoo Lee  <bw80.lee@samsung.com>
1411
1412         Build warning : -Wsign-compare on DFGByteCodeParser.cpp.
1413         https://bugs.webkit.org/show_bug.cgi?id=95418
1414
1415         Reviewed by Filip Pizlo.
1416
1417         There is a build warning '-Wsign-compare' on
1418         findArgumentPositionForLocal() in DFGByteCodeParser.cpp.
1419
1420         For removing this warning, casting statement is added explicitly.
1421
1422         * dfg/DFGByteCodeParser.cpp:
1423         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
1424         (JSC::DFG::ByteCodeParser::findArgumentPosition):
1425
1426 2012-08-30  Yong Li  <yoli@rim.com>
1427
1428         [BlackBerry] Set timer client on platform timer used in HeapTimer
1429         https://bugs.webkit.org/show_bug.cgi?id=95464
1430
1431         Reviewed by Rob Buis.
1432
1433         Otherwise the timer won't work.
1434
1435         * heap/HeapTimer.cpp:
1436         (JSC::HeapTimer::HeapTimer):
1437
1438 2012-08-30  Julien BRIANCEAU   <jbrianceau@nds.com>
1439
1440         [sh4] Add missing implementation for JavaScriptCore JIT
1441         https://bugs.webkit.org/show_bug.cgi?id=95452
1442
1443         Reviewed by Oliver Hunt.
1444
1445         * assembler/MacroAssemblerSH4.h:
1446         (JSC::MacroAssemblerSH4::isCompactPtrAlignedAddressOffset):
1447         (MacroAssemblerSH4):
1448         (JSC::MacroAssemblerSH4::add32):
1449         (JSC::MacroAssemblerSH4::convertibleLoadPtr):
1450         * assembler/SH4Assembler.h:
1451         (JSC::SH4Assembler::labelIgnoringWatchpoints):
1452         (SH4Assembler):
1453         (JSC::SH4Assembler::replaceWithLoad):
1454         (JSC::SH4Assembler::replaceWithAddressComputation):
1455
1456 2012-08-30  Charles Wei  <charles.wei@torchmobile.com.cn>
1457
1458         [BlackBerry] Eliminate build warnings
1459         https://bugs.webkit.org/show_bug.cgi?id=95338
1460
1461         Reviewed by Filip Pizlo.
1462
1463         static_cast to the same type to eliminate the build time warnings.
1464
1465         * assembler/AssemblerBufferWithConstantPool.h:
1466         (JSC::AssemblerBufferWithConstantPool::flushWithoutBarrier):
1467         * assembler/MacroAssemblerARM.h:
1468         (JSC::MacroAssemblerARM::branch32):
1469
1470 2012-08-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1471
1472         Remove use of ClassInfo from compileGetByValOnArguments and compileGetArgumentsLength
1473         https://bugs.webkit.org/show_bug.cgi?id=95131
1474
1475         Reviewed by Filip Pizlo.
1476
1477         * dfg/DFGSpeculativeJIT.cpp:
1478         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): We don't need this speculation check. We can replace it 
1479         with an assert to guarantee this.
1480
1481 2012-08-29  Mark Lam  <mark.lam@apple.com>
1482
1483         Refactoring LLInt::Data.
1484         https://bugs.webkit.org/show_bug.cgi?id=95316.
1485
1486         Reviewed by Geoff Garen.
1487
1488         This change allows its opcodeMap to be easily queried from any function
1489         without needing to go through a GlobalData object.  It also introduces
1490         the LLInt::getCodePtr() methods that will be used by the LLInt C loop
1491         later to redefine how llint symbols (opcodes and trampoline glue
1492         labels) get resolved.
1493
1494         * assembler/MacroAssemblerCodeRef.h:
1495         (MacroAssemblerCodePtr):
1496         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
1497         (MacroAssemblerCodeRef):
1498         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
1499         * bytecode/CodeBlock.cpp:
1500         (JSC::CodeBlock::adjustPCIfAtCallSite):
1501         (JSC::CodeBlock::bytecodeOffset):
1502         * bytecode/Opcode.h:
1503             Remove the 'const' to simplify things and avoid having to do
1504             additional casts and #ifdefs in many places.
1505         * bytecode/ResolveGlobalStatus.cpp:
1506         (JSC::computeForLLInt):
1507         * bytecompiler/BytecodeGenerator.cpp:
1508         (JSC::BytecodeGenerator::generate):
1509         * interpreter/Interpreter.cpp:
1510         (JSC::Interpreter::initialize):
1511         * interpreter/Interpreter.h:
1512         (Interpreter):
1513         * jit/JITExceptions.cpp:
1514         (JSC::genericThrow):
1515         * llint/LLIntData.cpp:
1516         (LLInt):
1517         (JSC::LLInt::initialize):
1518         * llint/LLIntData.h:
1519         (JSC):
1520         (LLInt):
1521         (Data):
1522         (JSC::LLInt::exceptionInstructions):
1523         (JSC::LLInt::opcodeMap):
1524         (JSC::LLInt::getOpcode):
1525         (JSC::LLInt::getCodePtr):
1526         (JSC::LLInt::Data::performAssertions):
1527         * llint/LLIntExceptions.cpp:
1528         (JSC::LLInt::returnToThrowForThrownException):
1529         (JSC::LLInt::returnToThrow):
1530         (JSC::LLInt::callToThrow):
1531         * llint/LLIntSlowPaths.cpp:
1532         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1533         (JSC::LLInt::handleHostCall):
1534         * runtime/InitializeThreading.cpp:
1535         (JSC::initializeThreadingOnce): Initialize the singleton LLInt data.
1536         * runtime/JSGlobalData.cpp:
1537         (JSC::JSGlobalData::JSGlobalData):
1538         * runtime/JSGlobalData.h:
1539         (JSGlobalData): Removed the now unneeded LLInt::Data instance in
1540             JSGlobalData.
1541         * runtime/JSValue.h:
1542         (JSValue):
1543
1544 2012-08-29  Gavin Barraclough  <barraclough@apple.com>
1545
1546         PutById uses DataLabel32, not DataLabelCompact
1547         https://bugs.webkit.org/show_bug.cgi?id=95245
1548
1549         Reviewed by Geoff Garen.
1550
1551         JIT::resetPatchPutById calls the wrong thing on x86-64 – this is moot right now,
1552         since they currently both do the same thing, but if we were to ever make compact mean
1553         8-bit this could be a real problem. Also, relying on the object still being in eax
1554         on entry to the transition stub isn't very robust - added nonArgGPR1 to at least make
1555         this explicit.
1556
1557         * jit/JITPropertyAccess.cpp:
1558         (JSC::JIT::emitSlow_op_put_by_id):
1559             - copy regT0 to nonArgGPR1
1560         (JSC::JIT::privateCompilePutByIdTransition):
1561             - DataLabelCompact -> DataLabel32
1562         (JSC::JIT::resetPatchPutById):
1563             - reload regT0 from nonArgGPR1
1564         * jit/JSInterfaceJIT.h:
1565         (JSInterfaceJIT):
1566             - added nonArgGPR1
1567
1568 2012-08-28  Yong Li  <yoli@rim.com>
1569
1570         ExecutableAllocator should be destructed after Heap
1571         https://bugs.webkit.org/show_bug.cgi?id=95244
1572
1573         Reviewed by Rob Buis.
1574
1575         RIM PR# 199364.
1576         Make ExecutableAllocator the first member in JSGlobalData.
1577         Existing Web Worker tests can show the issue.
1578
1579         * runtime/JSGlobalData.cpp:
1580         (JSC::JSGlobalData::JSGlobalData):
1581         * runtime/JSGlobalData.h:
1582         (JSGlobalData):
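
The fix in the entry above depends on a C++ rule: non-static members are destroyed in reverse declaration order, so the first member declared is the last one torn down. The following block is an added example, not JavaScriptCore's code; Allocator, Heap, GlobalDataWrongOrder and GlobalDataFixedOrder are stand-in names for ExecutableAllocator, Heap and JSGlobalData. It records teardown order so the "Heap released into an already-destroyed allocator" hazard becomes observable instead of silent.

```cpp
#include <string>
#include <vector>

// Shared teardown log: each destructor appends its name, so the order is testable.
using TeardownLog = std::vector<std::string>;

// Stand-in for ExecutableAllocator (hypothetical name, not JSC's class).
// It owns the memory that JIT-compiled code lives in.
class Allocator {
public:
    explicit Allocator(TeardownLog& log) : m_log(log) {}
    ~Allocator() { m_log.push_back("Allocator"); }
private:
    TeardownLog& m_log;
};

// Stand-in for Heap (hypothetical name). Its destructor hands executable memory
// back, so it must run while the Allocator is still alive.
class Heap {
public:
    explicit Heap(TeardownLog& log) : m_log(log) {}
    ~Heap() { m_log.push_back("Heap"); }
private:
    TeardownLog& m_log;
};

// The buggy layout: Heap is declared first, so it is destroyed LAST, after the
// Allocator it still needs. Any allocator access from ~Heap is a use-after-free.
class GlobalDataWrongOrder {
public:
    explicit GlobalDataWrongOrder(TeardownLog& log) : m_heap(log), m_allocator(log) {}
private:
    Heap m_heap;
    Allocator m_allocator;
};

// The fix described in the entry: make the allocator the first member so it is
// the last member destroyed and therefore outlives the heap.
class GlobalDataFixedOrder {
public:
    explicit GlobalDataFixedOrder(TeardownLog& log) : m_allocator(log), m_heap(log) {}
private:
    Allocator m_allocator;
    Heap m_heap;
};

// Construct and destroy one instance, returning the observed teardown order.
template <typename GlobalData>
TeardownLog teardownOrder()
{
    TeardownLog log;
    {
        GlobalData data(log);
    }
    return log;
}

// The invariant the entry restores: the heap is torn down before the allocator.
bool allocatorOutlivesHeap(const TeardownLog& log)
{
    return log.size() == 2 && log[0] == "Heap" && log[1] == "Allocator";
}
```

The same rule applies to any pair of members where one releases resources owned by the other at destruction; declaring the owner first is the whole fix, and a teardown log like the one above is a cheap regression test for it.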
1583
1584 2012-08-29  Geoffrey Garen  <ggaren@apple.com>
1585
1586         Try to fix the Windows build.
1587
1588         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export!
1589
1590 2012-08-28  Geoffrey Garen  <ggaren@apple.com>
1591
1592         Introduced JSWithScope, making all scope objects subclasses of JSScope
1593         https://bugs.webkit.org/show_bug.cgi?id=95295
1594
1595         Reviewed by Filip Pizlo.
1596
1597         This is a step toward removing ScopeChainNode. With a uniform representation
1598         for objects in the scope chain, we can move data from ScopeChainNode
1599         into JSScope.
1600
1601         * CMakeLists.txt:
1602         * GNUmakefile.list.am:
1603         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1604         * JavaScriptCore.xcodeproj/project.pbxproj:
1605         * Target.pri: Build!
1606
1607         * interpreter/Interpreter.cpp:
1608         (JSC::Interpreter::privateExecute):
1609         * jit/JITStubs.cpp:
1610         (JSC::DEFINE_STUB_FUNCTION):
1611         * llint/LLIntSlowPaths.cpp:
1612         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Use an explicit JSWithScope object
1613         for 'with' statements. Since 'with' can put any object in the scope
1614         chain, we'll need an adapter object to hold the data ScopeChainNode
1615         currently holds.
1616
1617         (JSGlobalData): Support for JSWithScope.
1618
1619         * runtime/JSScope.cpp:
1620         (JSC::JSScope::objectAtScope):
1621         * runtime/JSScope.h: Check for and unwrap JSWithScope.
1622
1623         * runtime/JSType.h: Support for JSWithScope.
1624
1625         * runtime/StrictEvalActivation.cpp:
1626         (JSC::StrictEvalActivation::StrictEvalActivation):
1627         * runtime/StrictEvalActivation.h:
1628         (StrictEvalActivation): Inherit from JSScope, to make the scope chain uniform.
1629
1630         * runtime/JSWithScope.cpp: Added.
1631         (JSC::JSWithScope::visitChildren):
1632         * runtime/JSWithScope.h: Added.
1633         (JSWithScope):
1634         (JSC::JSWithScope::create):
1635         (JSC::JSWithScope::object):
1636         (JSC::JSWithScope::createStructure):
1637         (JSC::JSWithScope::JSWithScope): New adapter object. Since this object
1638         is never exposed to scripts, it doesn't need any meaningful implementation
1639         of property access or other callbacks.
1640
1641 2012-08-29  Patrick Gansterer  <paroga@webkit.org>
1642
1643         Unreviewed. Build fix for !ENABLE(JIT) after r126962.
1644
1645         * interpreter/Interpreter.cpp:
1646         (JSC::Interpreter::privateExecute):
1647
1648 2012-08-28  Geoffrey Garen  <ggaren@apple.com>
1649
1650         Added JSScope::objectInScope(), and refactored callers to use it
1651         https://bugs.webkit.org/show_bug.cgi?id=95281
1652
1653         Reviewed by Gavin Barraclough.
1654
1655         This is a step toward removing ScopeChainNode. We need a layer of
1656         indirection so that 'with' scopes can proxy for an object.
1657         JSScope::objectInScope() will be that layer.
1658
1659         * bytecode/EvalCodeCache.h:
1660         (JSC::EvalCodeCache::tryGet):
1661         (JSC::EvalCodeCache::getSlow):
1662         * bytecompiler/BytecodeGenerator.cpp:
1663         (JSC::BytecodeGenerator::resolve):
1664         (JSC::BytecodeGenerator::resolveConstDecl): . vs ->
1665
1666         * interpreter/Interpreter.cpp:
1667         (JSC::Interpreter::unwindCallFrame):
1668         (JSC::Interpreter::execute):
1669         * runtime/JSScope.cpp:
1670         (JSC::JSScope::resolve):
1671         (JSC::JSScope::resolveSkip):
1672         (JSC::JSScope::resolveGlobalDynamic):
1673         (JSC::JSScope::resolveBase):
1674         (JSC::JSScope::resolveWithBase):
1675         (JSC::JSScope::resolveWithThis): Added JSScope::objectAtScope() calls.
1676
1677         * runtime/JSScope.h:
1678         (JSScope):
1679         (JSC::JSScope::objectAtScope):
1680         (JSC):
1681         (ScopeChainIterator):
1682         (JSC::ScopeChainIterator::ScopeChainIterator):
1683         (JSC::ScopeChainIterator::get):
1684         (JSC::ScopeChainIterator::operator->):
1685         (JSC::ScopeChainIterator::operator++):
1686         (JSC::ScopeChainIterator::operator==):
1687         (JSC::ScopeChainIterator::operator!=):
1688         (JSC::ScopeChainNode::begin):
1689         (JSC::ScopeChainNode::end): I moved ScopeChainIterator to this file
1690         to resolve a circular #include problem. Eventually, I'll probably rename
1691         it to JSScope::iterator, so I think it belongs here.
1692
1693         * runtime/ScopeChain.cpp:
1694         (JSC::ScopeChainNode::print):
1695         (JSC::ScopeChainNode::localDepth): . vs ->
1696
1697         * runtime/ScopeChain.h:
1698         (ScopeChainNode): I made the 'object' data member private because it's
1699         no longer safe to access -- you need to call JSScope::objectAtScope()
1700         instead.
1701
1702         The JITs need to be friends because of the private declaration.
1703
1704         Subtly, JIT/LLInt code is correct without any changes because JIT/LLInt
1705         code never compiles direct access to a with scope.
1706
1707 2012-08-28  Mark Lam  <mark.lam@apple.com>
1708
1709         Adding support for adding LLInt opcode extensions.  This will be needed
1710         by the LLInt C loop interpreter later.
1711         https://bugs.webkit.org/show_bug.cgi?id=95277.
1712
1713         Reviewed by Geoffrey Garen.
1714
1715         * JavaScriptCore.xcodeproj/project.pbxproj:
1716         * bytecode/Opcode.h:
1717         * llint/LLIntOpcode.h: Added.
1718         * llint/LowLevelInterpreter.h:
1719
1720 2012-08-28  Gavin Barraclough  <barraclough@apple.com>
1721
1722         Rolled out r126928, this broke stuff :'-(
1723
1724         * jit/JITPropertyAccess.cpp:
1725         (JSC::JIT::privateCompilePutByIdTransition):
1726         (JSC::JIT::resetPatchPutById):
1727
1728 2012-08-28  Gavin Barraclough  <barraclough@apple.com>
1729
1730         PutById uses DataLabel32, not DataLabelCompact
1731         https://bugs.webkit.org/show_bug.cgi?id=95245
1732
1733         Reviewed by Geoff Garen.
1734
1735         JIT::resetPatchPutById calls the wrong thing on x86-64 – this is moot right now,
1736         since they currently both do the same thing, but if we were to ever make compact mean
1737         8-bit this could be a real problem. Also, don't rely on the object still being in eax
1738         on entry to the transition stub – this isn't very robust.
1739
1740         * jit/JITPropertyAccess.cpp:
1741         (JSC::JIT::privateCompilePutByIdTransition):
1742             - DataLabelCompact -> DataLabel32
1743         (JSC::JIT::resetPatchPutById):
1744             - reload regT0 from the stack
1745
1746 2012-08-28  Sheriff Bot  <webkit.review.bot@gmail.com>
1747
1748         Unreviewed, rolling out r126914.
1749         http://trac.webkit.org/changeset/126914
1750         https://bugs.webkit.org/show_bug.cgi?id=95239
1751
1752         it breaks everything and fixes nothing (Requested by pizlo on
1753         #webkit).
1754
1755         * API/JSCallbackObject.h:
1756         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
1757         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
1758         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
1759         * API/JSCallbackObjectFunctions.h:
1760         (JSC::::getOwnPropertyNames):
1761         * API/JSClassRef.cpp:
1762         (OpaqueJSClass::~OpaqueJSClass):
1763         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1764         (OpaqueJSClass::contextData):
1765         * bytecode/CodeBlock.cpp:
1766         (JSC::CodeBlock::dump):
1767         (JSC::EvalCodeCache::visitAggregate):
1768         (JSC::CodeBlock::nameForRegister):
1769         * bytecode/JumpTable.h:
1770         (JSC::StringJumpTable::offsetForValue):
1771         (JSC::StringJumpTable::ctiForValue):
1772         * bytecode/LazyOperandValueProfile.cpp:
1773         (JSC::LazyOperandValueProfileParser::getIfPresent):
1774         * bytecode/SamplingTool.cpp:
1775         (JSC::SamplingTool::dump):
1776         * bytecompiler/BytecodeGenerator.cpp:
1777         (JSC::BytecodeGenerator::addVar):
1778         (JSC::BytecodeGenerator::addGlobalVar):
1779         (JSC::BytecodeGenerator::addConstant):
1780         (JSC::BytecodeGenerator::addConstantValue):
1781         (JSC::BytecodeGenerator::emitLoad):
1782         (JSC::BytecodeGenerator::addStringConstant):
1783         (JSC::BytecodeGenerator::emitLazyNewFunction):
1784         * bytecompiler/NodesCodegen.cpp:
1785         (JSC::PropertyListNode::emitBytecode):
1786         * debugger/Debugger.cpp:
1787         * dfg/DFGArgumentsSimplificationPhase.cpp:
1788         (JSC::DFG::ArgumentsSimplificationPhase::run):
1789         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
1790         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
1791         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
1792         (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
1793         * dfg/DFGAssemblyHelpers.cpp:
1794         (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
1795         * dfg/DFGByteCodeCache.h:
1796         (JSC::DFG::ByteCodeCache::~ByteCodeCache):
1797         (JSC::DFG::ByteCodeCache::get):
1798         * dfg/DFGByteCodeParser.cpp:
1799         (JSC::DFG::ByteCodeParser::cellConstant):
1800         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1801         * dfg/DFGStructureCheckHoistingPhase.cpp:
1802         (JSC::DFG::StructureCheckHoistingPhase::run):
1803         (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
1804         (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
1805         * heap/Heap.cpp:
1806         (JSC::Heap::markProtectedObjects):
1807         * heap/Heap.h:
1808         (JSC::Heap::forEachProtectedCell):
1809         * heap/JITStubRoutineSet.cpp:
1810         (JSC::JITStubRoutineSet::markSlow):
1811         (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
1812         * heap/MarkStack.cpp:
1813         (JSC::MarkStack::internalAppend):
1814         * heap/Weak.h:
1815         (JSC::weakRemove):
1816         * jit/JIT.cpp:
1817         (JSC::JIT::privateCompile):
1818         * jit/JITStubs.cpp:
1819         (JSC::JITThunks::ctiStub):
1820         * parser/Parser.cpp:
1821         (JSC::::parseStrictObjectLiteral):
1822         * profiler/Profile.cpp:
1823         (JSC::functionNameCountPairComparator):
1824         (JSC::Profile::debugPrintDataSampleStyle):
1825         * runtime/Identifier.cpp:
1826         (JSC::Identifier::add):
1827         * runtime/JSActivation.cpp:
1828         (JSC::JSActivation::getOwnPropertyNames):
1829         (JSC::JSActivation::symbolTablePutWithAttributes):
1830         * runtime/JSArray.cpp:
1831         (JSC::SparseArrayValueMap::put):
1832         (JSC::SparseArrayValueMap::putDirect):
1833         (JSC::SparseArrayValueMap::visitChildren):
1834         (JSC::JSArray::enterDictionaryMode):
1835         (JSC::JSArray::defineOwnNumericProperty):
1836         (JSC::JSArray::getOwnPropertySlotByIndex):
1837         (JSC::JSArray::getOwnPropertyDescriptor):
1838         (JSC::JSArray::putByIndexBeyondVectorLength):
1839         (JSC::JSArray::putDirectIndexBeyondVectorLength):
1840         (JSC::JSArray::deletePropertyByIndex):
1841         (JSC::JSArray::getOwnPropertyNames):
1842         (JSC::JSArray::setLength):
1843         (JSC::JSArray::sort):
1844         (JSC::JSArray::compactForSorting):
1845         (JSC::JSArray::checkConsistency):
1846         * runtime/JSSymbolTableObject.cpp:
1847         (JSC::JSSymbolTableObject::getOwnPropertyNames):
1848         * runtime/JSSymbolTableObject.h:
1849         (JSC::symbolTableGet):
1850         (JSC::symbolTablePut):
1851         (JSC::symbolTablePutWithAttributes):
1852         * runtime/RegExpCache.cpp:
1853         (JSC::RegExpCache::invalidateCode):
1854         * runtime/WeakGCMap.h:
1855         (JSC::WeakGCMap::clear):
1856         (JSC::WeakGCMap::set):
1857         * tools/ProfileTreeNode.h:
1858         (JSC::ProfileTreeNode::sampleChild):
1859         (JSC::ProfileTreeNode::childCount):
1860         (JSC::ProfileTreeNode::dumpInternal):
1861         (JSC::ProfileTreeNode::compareEntries):
1862
1863 2012-08-28  Filip Pizlo  <fpizlo@apple.com>
1864
1865         LLInt should not rely on ordering of global labels
1866         https://bugs.webkit.org/show_bug.cgi?id=95221
1867
1868         Reviewed by Oliver Hunt.
1869
1870         * llint/LowLevelInterpreter.asm:
1871         * llint/LowLevelInterpreter32_64.asm:
1872         * llint/LowLevelInterpreter64.asm:
1873
1874 2012-08-28  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>
1875
1876         Rename first/second to key/value in HashMap iterators
1877         https://bugs.webkit.org/show_bug.cgi?id=82784
1878
1879         Reviewed by Eric Seidel.
1880
1881         * API/JSCallbackObject.h:
1882         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
1883         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
1884         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
1885         * API/JSCallbackObjectFunctions.h:
1886         (JSC::::getOwnPropertyNames):
1887         * API/JSClassRef.cpp:
1888         (OpaqueJSClass::~OpaqueJSClass):
1889         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1890         (OpaqueJSClass::contextData):
1891         * bytecode/CodeBlock.cpp:
1892         (JSC::CodeBlock::dump):
1893         (JSC::EvalCodeCache::visitAggregate):
1894         (JSC::CodeBlock::nameForRegister):
1895         * bytecode/JumpTable.h:
1896         (JSC::StringJumpTable::offsetForValue):
1897         (JSC::StringJumpTable::ctiForValue):
1898         * bytecode/LazyOperandValueProfile.cpp:
1899         (JSC::LazyOperandValueProfileParser::getIfPresent):
1900         * bytecode/SamplingTool.cpp:
1901         (JSC::SamplingTool::dump):
1902         * bytecompiler/BytecodeGenerator.cpp:
1903         (JSC::BytecodeGenerator::addVar):
1904         (JSC::BytecodeGenerator::addGlobalVar):
1905         (JSC::BytecodeGenerator::addConstant):
1906         (JSC::BytecodeGenerator::addConstantValue):
1907         (JSC::BytecodeGenerator::emitLoad):
1908         (JSC::BytecodeGenerator::addStringConstant):
1909         (JSC::BytecodeGenerator::emitLazyNewFunction):
1910         * bytecompiler/NodesCodegen.cpp:
1911         (JSC::PropertyListNode::emitBytecode):
1912         * debugger/Debugger.cpp:
1913         * dfg/DFGArgumentsSimplificationPhase.cpp:
1914         (JSC::DFG::ArgumentsSimplificationPhase::run):
1915         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
1916         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
1917         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
1918         (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
1919         * dfg/DFGAssemblyHelpers.cpp:
1920         (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
1921         * dfg/DFGByteCodeCache.h:
1922         (JSC::DFG::ByteCodeCache::~ByteCodeCache):
1923         (JSC::DFG::ByteCodeCache::get):
1924         * dfg/DFGByteCodeParser.cpp:
1925         (JSC::DFG::ByteCodeParser::cellConstant):
1926         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1927         * dfg/DFGStructureCheckHoistingPhase.cpp:
1928         (JSC::DFG::StructureCheckHoistingPhase::run):
1929         (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
1930         (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
1931         * heap/Heap.cpp:
1932         (JSC::Heap::markProtectedObjects):
1933         * heap/Heap.h:
1934         (JSC::Heap::forEachProtectedCell):
1935         * heap/JITStubRoutineSet.cpp:
1936         (JSC::JITStubRoutineSet::markSlow):
1937         (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
1938         * heap/MarkStack.cpp:
1939         (JSC::MarkStack::internalAppend):
1940         * heap/Weak.h:
1941         (JSC::weakRemove):
1942         * jit/JIT.cpp:
1943         (JSC::JIT::privateCompile):
1944         * jit/JITStubs.cpp:
1945         (JSC::JITThunks::ctiStub):
1946         * parser/Parser.cpp:
1947         (JSC::::parseStrictObjectLiteral):
1948         * profiler/Profile.cpp:
1949         (JSC::functionNameCountPairComparator):
1950         (JSC::Profile::debugPrintDataSampleStyle):
1951         * runtime/Identifier.cpp:
1952         (JSC::Identifier::add):
1953         * runtime/JSActivation.cpp:
1954         (JSC::JSActivation::getOwnPropertyNames):
1955         (JSC::JSActivation::symbolTablePutWithAttributes):
1956         * runtime/JSArray.cpp:
1957         (JSC::SparseArrayValueMap::put):
1958         (JSC::SparseArrayValueMap::putDirect):
1959         (JSC::SparseArrayValueMap::visitChildren):
1960         (JSC::JSArray::enterDictionaryMode):
1961         (JSC::JSArray::defineOwnNumericProperty):
1962         (JSC::JSArray::getOwnPropertySlotByIndex):
1963         (JSC::JSArray::getOwnPropertyDescriptor):
1964         (JSC::JSArray::putByIndexBeyondVectorLength):
1965         (JSC::JSArray::putDirectIndexBeyondVectorLength):
1966         (JSC::JSArray::deletePropertyByIndex):
1967         (JSC::JSArray::getOwnPropertyNames):
1968         (JSC::JSArray::setLength):
1969         (JSC::JSArray::sort):
1970         (JSC::JSArray::compactForSorting):
1971         (JSC::JSArray::checkConsistency):
1972         * runtime/JSSymbolTableObject.cpp:
1973         (JSC::JSSymbolTableObject::getOwnPropertyNames):
1974         * runtime/JSSymbolTableObject.h:
1975         (JSC::symbolTableGet):
1976         (JSC::symbolTablePut):
1977         (JSC::symbolTablePutWithAttributes):
1978         * runtime/RegExpCache.cpp:
1979         (JSC::RegExpCache::invalidateCode):
1980         * runtime/WeakGCMap.h:
1981         (JSC::WeakGCMap::clear):
1982         (JSC::WeakGCMap::set):
1983         * tools/ProfileTreeNode.h:
1984         (JSC::ProfileTreeNode::sampleChild):
1985         (JSC::ProfileTreeNode::childCount):
1986         (JSC::ProfileTreeNode::dumpInternal):
1987         (JSC::ProfileTreeNode::compareEntries):
1988
1989 2012-08-28  Geoffrey Garen  <ggaren@apple.com>
1990
1991         GCC warning in JSActivation is causing Mac EWS errors
1992         https://bugs.webkit.org/show_bug.cgi?id=95103
1993
1994         Reviewed by Sam Weinig.
1995
1996         Try to fix a strict aliasing violation by using bitwise_cast. The
1997         union in the cast should signal to the compiler that aliasing between
1998         types is happening.
1999
2000         * runtime/JSActivation.cpp:
2001         (JSC::JSActivation::visitChildren):
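
The entry above replaces a pointer-cast type pun with bitwise_cast so the compiler sees the aliasing. The block below is an added example, not WTF's bitwise_cast or JavaScriptCore's code: it shows the same idea in two forms, a memcpy-based bitwiseCast (the form the C++ standard guarantees for trivially copyable types) beside a unionCast that mirrors the union technique the entry mentions (well-defined in C, and documented by GCC as supported in C++). The pattern both replace, reading a double's bits through a reinterpret_cast<uint64_t*>, is what strict aliasing lets the optimizer miscompile.

```cpp
#include <cstdint>
#include <cstring>
#include <type_traits>

// Reinterpret the bits of one trivially copyable type as another by copying
// them through memcpy. The compiler knows memcpy may alias anything, so no
// strict-aliasing assumption can break this, and the copy is optimized away.
template <typename To, typename From>
To bitwiseCast(const From& from)
{
    static_assert(sizeof(To) == sizeof(From), "bitwiseCast requires equal sizes");
    static_assert(std::is_trivially_copyable<From>::value, "source must be trivially copyable");
    static_assert(std::is_trivially_copyable<To>::value, "target must be trivially copyable");
    To to;
    std::memcpy(&to, &from, sizeof(To));
    return to;
}

// The union form: writing one member and reading another. Well-defined in C;
// in C++ it is a GCC/Clang-documented extension rather than standard behaviour,
// which is why the memcpy form above is the portable choice.
template <typename To, typename From>
To unionCast(From from)
{
    static_assert(sizeof(To) == sizeof(From), "unionCast requires equal sizes");
    union { From from; To to; } u;
    u.from = from;
    return u.to;
}

// Typical uses: inspect or rebuild an IEEE-754 double from its raw bit pattern
// without ever dereferencing a pointer of the wrong type.
uint64_t doubleBits(double d) { return bitwiseCast<uint64_t>(d); }
double bitsToDouble(uint64_t bits) { return bitwiseCast<double>(bits); }

// Pull the sign, exponent and mantissa fields apart; a common reason engines
// pun doubles in the first place.
struct DoubleFields { bool negative; int exponent; uint64_t mantissa; };
DoubleFields decodeDouble(double d)
{
    uint64_t bits = doubleBits(d);
    DoubleFields f;
    f.negative = (bits >> 63) != 0;
    f.exponent = static_cast<int>((bits >> 52) & 0x7FF) - 1023; // unbiased
    f.mantissa = bits & ((static_cast<uint64_t>(1) << 52) - 1);
    return f;
}
```

Both casts give identical results on every mainstream compiler; the difference is what you can rely on. The memcpy form is standard-guaranteed, while the union form depends on a compiler extension, so the former is the safer default in code that must survive aggressive optimization.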
2002
2003 2012-08-28  Geoffrey Garen  <ggaren@apple.com>
2004
2005         Build fix: svn add two files I forgot in my last patch.
2006
2007 2012-08-27  Geoffrey Garen  <ggaren@apple.com>
2008
2009         Refactored and consolidated variable resolution functions
2010         https://bugs.webkit.org/show_bug.cgi?id=95166
2011
2012         Reviewed by Filip Pizlo.
2013
2014         This patch does a few things:
2015
2016         (1) Introduces a new class, JSScope, which is the base class for all
2017         objects that represent a scope in the scope chain.
2018
2019         (2) Refactors and consolidates duplicate implementations of variable
2020         resolution into the JSScope class.
2021
2022         (3) Renames JSStaticScopeObject to JSNameScope because, as distinct from
2023         something like a 'let' scope, JSStaticScopeObject only has storage for a
2024         single name.
2025
2026         These changes make logical sense to me as-is. I will also use them in an
2027         upcoming optimization.
2028
2029         * CMakeLists.txt:
2030         * GNUmakefile.list.am:
2031         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2032         * JavaScriptCore.xcodeproj/project.pbxproj:
2033         * Target.pri: Build!
2034
2035         * bytecode/CodeBlock.cpp:
2036         (JSC): Build fix for LLInt-only builds.
2037
2038         * bytecode/GlobalResolveInfo.h:
2039         (GlobalResolveInfo): Use PropertyOffset to be consistent with other parts
2040         of the engine.
2041
2042         * bytecompiler/NodesCodegen.cpp:
2043         * dfg/DFGOperations.cpp: Use the shared code in JSScope instead of rolling
2044         our own.
2045
2046         * interpreter/Interpreter.cpp:
2047         (JSC::Interpreter::execute):
2048         (JSC::Interpreter::createExceptionScope):
2049         (JSC::Interpreter::privateExecute):
2050         * interpreter/Interpreter.h: Use the shared code in JSScope instead of rolling
2051         our own.
2052
2053         * jit/JITStubs.cpp:
2054         (JSC::DEFINE_STUB_FUNCTION): Use the shared code in JSScope instead of rolling
2055         our own.
2056
2057         * llint/LLIntSlowPaths.cpp:
2058         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2059         (LLInt): Use the shared code in JSScope instead of rolling our own. Note
2060         that one of these slow paths calls the wrong helper function. I left it
2061         that way to avoid a behavior change in a refactoring patch.
2062
2063         * parser/Nodes.cpp: Updated for rename.
2064
2065         * runtime/CommonSlowPaths.h:
2066         (CommonSlowPaths): Removed resolve slow paths because they were duplicative.
2067
2068         * runtime/JSGlobalData.cpp:
2069         (JSC::JSGlobalData::JSGlobalData):
2070         * runtime/JSGlobalData.h:
2071         (JSGlobalData): Updated for renames.
2072
2073         * runtime/JSNameScope.cpp: Copied from Source/JavaScriptCore/runtime/JSStaticScopeObject.cpp.
2074         (JSC):
2075         (JSC::JSNameScope::visitChildren):
2076         (JSC::JSNameScope::toThisObject):
2077         (JSC::JSNameScope::put):
2078         (JSC::JSNameScope::getOwnPropertySlot):
2079         * runtime/JSNameScope.h: Copied from Source/JavaScriptCore/runtime/JSStaticScopeObject.h.
2080         (JSC):
2081         (JSC::JSNameScope::create):
2082         (JSC::JSNameScope::createStructure):
2083         (JSNameScope):
2084         (JSC::JSNameScope::JSNameScope):
2085         (JSC::JSNameScope::isDynamicScope): Used do-webcore-rename script here.
2086         It is fabulous!
2087
2088         * runtime/JSObject.h:
2089         (JSObject):
2090         (JSC::JSObject::isNameScopeObject): More rename.
2091
2092         * runtime/JSScope.cpp: Added.
2093         (JSC):
2094         (JSC::JSScope::isDynamicScope):
2095         (JSC::JSScope::resolve):
2096         (JSC::JSScope::resolveSkip):
2097         (JSC::JSScope::resolveGlobal):
2098         (JSC::JSScope::resolveGlobalDynamic):
2099         (JSC::JSScope::resolveBase):
2100         (JSC::JSScope::resolveWithBase):
2101         (JSC::JSScope::resolveWithThis):
2102         * runtime/JSScope.h: Added.
2103         (JSC):
2104         (JSScope):
2105         (JSC::JSScope::JSScope): All the code here is a port from the
2106         Interpreter.cpp implementations of this functionality.
2107
2108         * runtime/JSStaticScopeObject.cpp: Removed.
2109         * runtime/JSStaticScopeObject.h: Removed.
2110
2111         * runtime/JSSymbolTableObject.cpp:
2112         (JSC):
2113         * runtime/JSSymbolTableObject.h:
2114         (JSSymbolTableObject):
2115         * runtime/JSType.h: Updated for rename.
2116
2117         * runtime/Operations.h:
2118         (JSC::resolveBase): Removed because it was duplicative.
2119
2120 2012-08-28  Alban Browaeys <prahal@yahoo.com>
2121
2122         [GTK] LLint build fails with -g -02
2123         https://bugs.webkit.org/show_bug.cgi?id=90098
2124
2125         Reviewed by Filip Pizlo.
2126
2127         Avoid duplicate offsets for llint, discarding them.
2128
2129         * offlineasm/offsets.rb:
2130
2131 2012-08-27  Sheriff Bot  <webkit.review.bot@gmail.com>
2132
2133         Unreviewed, rolling out r126836.
2134         http://trac.webkit.org/changeset/126836
2135         https://bugs.webkit.org/show_bug.cgi?id=95163
2136
2137         Broke all Apple ports, EFL, and Qt. (Requested by tkent on
2138         #webkit).
2139
2140         * API/JSCallbackObject.h:
2141         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
2142         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
2143         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
2144         * API/JSCallbackObjectFunctions.h:
2145         (JSC::::getOwnPropertyNames):
2146         * API/JSClassRef.cpp:
2147         (OpaqueJSClass::~OpaqueJSClass):
2148         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2149         (OpaqueJSClass::contextData):
2150         * bytecode/CodeBlock.cpp:
2151         (JSC::CodeBlock::dump):
2152         (JSC::EvalCodeCache::visitAggregate):
2153         (JSC::CodeBlock::nameForRegister):
2154         * bytecode/JumpTable.h:
2155         (JSC::StringJumpTable::offsetForValue):
2156         (JSC::StringJumpTable::ctiForValue):
2157         * bytecode/LazyOperandValueProfile.cpp:
2158         (JSC::LazyOperandValueProfileParser::getIfPresent):
2159         * bytecode/SamplingTool.cpp:
2160         (JSC::SamplingTool::dump):
2161         * bytecompiler/BytecodeGenerator.cpp:
2162         (JSC::BytecodeGenerator::addVar):
2163         (JSC::BytecodeGenerator::addGlobalVar):
2164         (JSC::BytecodeGenerator::addConstant):
2165         (JSC::BytecodeGenerator::addConstantValue):
2166         (JSC::BytecodeGenerator::emitLoad):
2167         (JSC::BytecodeGenerator::addStringConstant):
2168         (JSC::BytecodeGenerator::emitLazyNewFunction):
2169         * bytecompiler/NodesCodegen.cpp:
2170         (JSC::PropertyListNode::emitBytecode):
2171         * debugger/Debugger.cpp:
2172         * dfg/DFGArgumentsSimplificationPhase.cpp:
2173         (JSC::DFG::ArgumentsSimplificationPhase::run):
2174         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
2175         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
2176         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
2177         (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
2178         * dfg/DFGAssemblyHelpers.cpp:
2179         (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
2180         * dfg/DFGByteCodeCache.h:
2181         (JSC::DFG::ByteCodeCache::~ByteCodeCache):
2182         (JSC::DFG::ByteCodeCache::get):
2183         * dfg/DFGByteCodeParser.cpp:
2184         (JSC::DFG::ByteCodeParser::cellConstant):
2185         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2186         * dfg/DFGStructureCheckHoistingPhase.cpp:
2187         (JSC::DFG::StructureCheckHoistingPhase::run):
2188         (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
2189         (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
2190         * heap/Heap.cpp:
2191         (JSC::Heap::markProtectedObjects):
2192         * heap/Heap.h:
2193         (JSC::Heap::forEachProtectedCell):
2194         * heap/JITStubRoutineSet.cpp:
2195         (JSC::JITStubRoutineSet::markSlow):
2196         (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
2197         * heap/MarkStack.cpp:
2198         (JSC::MarkStack::internalAppend):
2199         * heap/Weak.h:
2200         (JSC::weakRemove):
2201         * jit/JIT.cpp:
2202         (JSC::JIT::privateCompile):
2203         * jit/JITStubs.cpp:
2204         (JSC::JITThunks::ctiStub):
2205         * parser/Parser.cpp:
2206         (JSC::::parseStrictObjectLiteral):
2207         * profiler/Profile.cpp:
2208         (JSC::functionNameCountPairComparator):
2209         (JSC::Profile::debugPrintDataSampleStyle):
2210         * runtime/Identifier.cpp:
2211         (JSC::Identifier::add):
2212         * runtime/JSActivation.cpp:
2213         (JSC::JSActivation::getOwnPropertyNames):
2214         (JSC::JSActivation::symbolTablePutWithAttributes):
2215         * runtime/JSArray.cpp:
2216         (JSC::SparseArrayValueMap::put):
2217         (JSC::SparseArrayValueMap::putDirect):
2218         (JSC::SparseArrayValueMap::visitChildren):
2219         (JSC::JSArray::enterDictionaryMode):
2220         (JSC::JSArray::defineOwnNumericProperty):
2221         (JSC::JSArray::getOwnPropertySlotByIndex):
2222         (JSC::JSArray::getOwnPropertyDescriptor):
2223         (JSC::JSArray::putByIndexBeyondVectorLength):
2224         (JSC::JSArray::putDirectIndexBeyondVectorLength):
2225         (JSC::JSArray::deletePropertyByIndex):
2226         (JSC::JSArray::getOwnPropertyNames):
2227         (JSC::JSArray::setLength):
2228         (JSC::JSArray::sort):
2229         (JSC::JSArray::compactForSorting):
2230         (JSC::JSArray::checkConsistency):
2231         * runtime/JSSymbolTableObject.cpp:
2232         (JSC::JSSymbolTableObject::getOwnPropertyNames):
2233         * runtime/JSSymbolTableObject.h:
2234         (JSC::symbolTableGet):
2235         (JSC::symbolTablePut):
2236         (JSC::symbolTablePutWithAttributes):
2237         * runtime/RegExpCache.cpp:
2238         (JSC::RegExpCache::invalidateCode):
2239         * runtime/WeakGCMap.h:
2240         (JSC::WeakGCMap::clear):
2241         (JSC::WeakGCMap::set):
2242         * tools/ProfileTreeNode.h:
2243         (JSC::ProfileTreeNode::sampleChild):
2244         (JSC::ProfileTreeNode::childCount):
2245         (JSC::ProfileTreeNode::dumpInternal):
2246         (JSC::ProfileTreeNode::compareEntries):
2247
2248 2012-08-27  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>
2249
2250         Rename first/second to key/value in HashMap iterators
2251         https://bugs.webkit.org/show_bug.cgi?id=82784
2252
2253         Reviewed by Eric Seidel.
2254
2255         * API/JSCallbackObject.h:
2256         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
2257         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
2258         (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
2259         * API/JSCallbackObjectFunctions.h:
2260         (JSC::::getOwnPropertyNames):
2261         * API/JSClassRef.cpp:
2262         (OpaqueJSClass::~OpaqueJSClass):
2263         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2264         (OpaqueJSClass::contextData):
2265         * bytecode/CodeBlock.cpp:
2266         (JSC::CodeBlock::dump):
2267         (JSC::EvalCodeCache::visitAggregate):
2268         (JSC::CodeBlock::nameForRegister):
2269         * bytecode/JumpTable.h:
2270         (JSC::StringJumpTable::offsetForValue):
2271         (JSC::StringJumpTable::ctiForValue):
2272         * bytecode/LazyOperandValueProfile.cpp:
2273         (JSC::LazyOperandValueProfileParser::getIfPresent):
2274         * bytecode/SamplingTool.cpp:
2275         (JSC::SamplingTool::dump):
2276         * bytecompiler/BytecodeGenerator.cpp:
2277         (JSC::BytecodeGenerator::addVar):
2278         (JSC::BytecodeGenerator::addGlobalVar):
2279         (JSC::BytecodeGenerator::addConstant):
2280         (JSC::BytecodeGenerator::addConstantValue):
2281         (JSC::BytecodeGenerator::emitLoad):
2282         (JSC::BytecodeGenerator::addStringConstant):
2283         (JSC::BytecodeGenerator::emitLazyNewFunction):
2284         * bytecompiler/NodesCodegen.cpp:
2285         (JSC::PropertyListNode::emitBytecode):
2286         * debugger/Debugger.cpp:
2287         * dfg/DFGArgumentsSimplificationPhase.cpp:
2288         (JSC::DFG::ArgumentsSimplificationPhase::run):
2289         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
2290         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
2291         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
2292         (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
2293         * dfg/DFGAssemblyHelpers.cpp:
2294         (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
2295         * dfg/DFGByteCodeCache.h:
2296         (JSC::DFG::ByteCodeCache::~ByteCodeCache):
2297         (JSC::DFG::ByteCodeCache::get):
2298         * dfg/DFGByteCodeParser.cpp:
2299         (JSC::DFG::ByteCodeParser::cellConstant):
2300         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2301         * dfg/DFGStructureCheckHoistingPhase.cpp:
2302         (JSC::DFG::StructureCheckHoistingPhase::run):
2303         (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
2304         (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
2305         * heap/Heap.cpp:
2306         (JSC::Heap::markProtectedObjects):
2307         * heap/Heap.h:
2308         (JSC::Heap::forEachProtectedCell):
2309         * heap/JITStubRoutineSet.cpp:
2310         (JSC::JITStubRoutineSet::markSlow):
2311         (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
2312         * heap/MarkStack.cpp:
2313         (JSC::MarkStack::internalAppend):
2314         * heap/Weak.h:
2315         (JSC::weakRemove):
2316         * jit/JIT.cpp:
2317         (JSC::JIT::privateCompile):
2318         * jit/JITStubs.cpp:
2319         (JSC::JITThunks::ctiStub):
2320         * parser/Parser.cpp:
2321         (JSC::::parseStrictObjectLiteral):
2322         * profiler/Profile.cpp:
2323         (JSC::functionNameCountPairComparator):
2324         (JSC::Profile::debugPrintDataSampleStyle):
2325         * runtime/Identifier.cpp:
2326         (JSC::Identifier::add):
2327         * runtime/JSActivation.cpp:
2328         (JSC::JSActivation::getOwnPropertyNames):
2329         (JSC::JSActivation::symbolTablePutWithAttributes):
2330         * runtime/JSArray.cpp:
2331         (JSC::SparseArrayValueMap::put):
2332         (JSC::SparseArrayValueMap::putDirect):
2333         (JSC::SparseArrayValueMap::visitChildren):
2334         (JSC::JSArray::enterDictionaryMode):
2335         (JSC::JSArray::defineOwnNumericProperty):
2336         (JSC::JSArray::getOwnPropertySlotByIndex):
2337         (JSC::JSArray::getOwnPropertyDescriptor):
2338         (JSC::JSArray::putByIndexBeyondVectorLength):
2339         (JSC::JSArray::putDirectIndexBeyondVectorLength):
2340         (JSC::JSArray::deletePropertyByIndex):
2341         (JSC::JSArray::getOwnPropertyNames):
2342         (JSC::JSArray::setLength):
2343         (JSC::JSArray::sort):
2344         (JSC::JSArray::compactForSorting):
2345         (JSC::JSArray::checkConsistency):
2346         * runtime/JSSymbolTableObject.cpp:
2347         (JSC::JSSymbolTableObject::getOwnPropertyNames):
2348         * runtime/JSSymbolTableObject.h:
2349         (JSC::symbolTableGet):
2350         (JSC::symbolTablePut):
2351         (JSC::symbolTablePutWithAttributes):
2352         * runtime/RegExpCache.cpp:
2353         (JSC::RegExpCache::invalidateCode):
2354         * runtime/WeakGCMap.h:
2355         (JSC::WeakGCMap::clear):
2356         (JSC::WeakGCMap::set):
2357         * tools/ProfileTreeNode.h:
2358         (JSC::ProfileTreeNode::sampleChild):
2359         (JSC::ProfileTreeNode::childCount):
2360         (JSC::ProfileTreeNode::dumpInternal):
2361         (JSC::ProfileTreeNode::compareEntries):
2362
2363 2012-08-27  Filip Pizlo  <fpizlo@apple.com>
2364
2365         Structure check hoisting should abstain if the OSR entry's must-handle value for the respective variable has a different structure
2366         https://bugs.webkit.org/show_bug.cgi?id=95141
2367         <rdar://problem/12170401>
2368
2369         Reviewed by Mark Hahnenberg.
2370
2371         * dfg/DFGStructureCheckHoistingPhase.cpp:
2372         (JSC::DFG::StructureCheckHoistingPhase::run):
2373
2374 2012-08-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2375
2376         Remove use of ClassInfo from SpeculativeJIT::compileGetByValOnArguments
2377         https://bugs.webkit.org/show_bug.cgi?id=95131
2378
2379         Reviewed by Filip Pizlo.
2380
2381         * dfg/DFGSpeculativeJIT.cpp:
2382         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): We don't need this speculation check. We can replace it 
2383         with an assert to guarantee this.
2384
2385 2012-08-27  Oliver Hunt  <oliver@apple.com>
2386
2387         Remove opcode definition autogen for now
2388         https://bugs.webkit.org/show_bug.cgi?id=95148
2389
2390         Reviewed by Mark Hahnenberg.
2391
2392         This isn't worth doing at the moment.
2393
2394         * DerivedSources.make:
2395         * JavaScriptCore.xcodeproj/project.pbxproj:
2396         * bytecode/Opcode.h:
2397         (JSC):
2398         (JSC::padOpcodeName):
2399         * bytecode/OpcodeDefinitions.h: Removed.
2400         * bytecode/opcodes: Removed.
2401         * opcode_definition_generator.py: Removed.
2402         * opcode_generator.py: Removed.
2403         * opcode_parser.py: Removed.
2404
2405 2012-08-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2406
2407         Remove uses of TypedArray ClassInfo from SpeculativeJIT::checkArgumentTypes
2408         https://bugs.webkit.org/show_bug.cgi?id=95112
2409
2410         Reviewed by Filip Pizlo.
2411
2412         Removing these checks since we no longer need them.
2413
2414         * dfg/DFGAbstractState.cpp:
2415         (JSC::DFG::AbstractState::initialize):
2416         * dfg/DFGSpeculativeJIT.cpp:
2417         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2418
2419 2012-08-27  Benjamin Poulain  <benjamin@webkit.org>
2420
2421         Add ECMAScript Number to String conversion to WTF::String
2422         https://bugs.webkit.org/show_bug.cgi?id=95016
2423
2424         Reviewed by Geoffrey Garen.
2425
2426         Rename UString::number(double) to UString::numberToStringECMAScript(double) to
2427         differentiate it from the fixed-width conversion performed by String::number().
2428
2429         * parser/ParserArena.h:
2430         (JSC::IdentifierArena::makeNumericIdentifier):
2431         * runtime/JSONObject.cpp:
2432         (JSC::Stringifier::appendStringifiedValue):
2433         * runtime/NumberPrototype.cpp:
2434         (JSC::numberProtoFuncToExponential):
2435         (JSC::numberProtoFuncToFixed):
2436         (JSC::numberProtoFuncToPrecision):
2437         (JSC::numberProtoFuncToString):
2438         * runtime/NumericStrings.h:
2439         (JSC::NumericStrings::add):
2440         * runtime/UString.cpp:
2441         (JSC::UString::numberToStringECMAScript):
2442         * runtime/UString.h:
2443         (UString):
2444
2445 2012-08-27  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>
2446
2447         Rename RegisterProtocolHandler API to NavigatorContentUtils
2448         https://bugs.webkit.org/show_bug.cgi?id=94920
2449
2450         Reviewed by Adam Barth.
2451
2452         ENABLE_REGISTER_PROTOCOL_HANDLER is renamed to ENABLE_NAVIGATOR_CONTENT_UTILS.
2453
2454         * Configurations/FeatureDefines.xcconfig:
2455
2456 2012-08-26  Filip Pizlo  <fpizlo@apple.com>
2457
2458         Unreviewed, fix for builds without VALUE_PROFILING. I had forgotten that shouldEmitProfiling()
2459         is designed to return true if DFG_JIT is disabled. I should be using canBeOptimized() instead.
2460
2461         * jit/JITCall.cpp:
2462         (JSC::JIT::compileOpCall):
2463         * jit/JITCall32_64.cpp:
2464         (JSC::JIT::compileOpCall):
2465
2466 2012-08-26  Geoffrey Garen  <ggaren@apple.com>
2467
2468         Don't allocate space for arguments and call frame if arguments aren't captured
2469         https://bugs.webkit.org/show_bug.cgi?id=95024
2470
2471         Reviewed by Phil Pizlo.
2472
2473         27% on v8-real-earley.
2474
2475         * runtime/JSActivation.h:
2476         (JSC::JSActivation::registerOffset): The offset is zero if we're skipping
2477         the arguments and call frame because "offset" means space reserved for
2478         those things.
2479
2480         (JSC::JSActivation::tearOff): Don't copy the scope chain and callee. We
2481         don't need them for anything, and we're no longer guaranteed to have
2482         space for them.
2483
2484 2012-08-26  Geoffrey Garen  <ggaren@apple.com>
2485
2486         Removed the NULL checks from visitChildren functions
2487         https://bugs.webkit.org/show_bug.cgi?id=95021
2488
2489         Reviewed by Oliver Hunt.
2490
2491         As of http://trac.webkit.org/changeset/126624, all values are NULL-checked
2492         during GC, so explicit NULL checks aren't needed anymore.
2493
2494 2011-08-26  Geoffrey Garen  <ggaren@apple.com>
2495
2496         Removed a JSC-specific hack from the web inspector
2497         https://bugs.webkit.org/show_bug.cgi?id=95033
2498
2499         Reviewed by Filip Pizlo.
2500
2501         Added support for what the web inspector really wanted instead.
2502
2503         * runtime/JSActivation.cpp:
2504         (JSC::JSActivation::symbolTableGet):
2505         (JSC::JSActivation::symbolTablePut): Added some explanation for these
2506         checks, which were non-obvious to me.
2507
2508         (JSC::JSActivation::getOwnPropertySlot): It's impossible to access the
2509         arguments property of an activation after it's been torn off, since the
2510         only way to tear off an activation is to instantiate a new function,
2511         which has its own arguments property in scope. However, the inspector
2512         gets special access to activations, and may try to perform this access,
2513         so we need a special guard to maintain coherence and avoid crashing in
2514         case the activation optimized out the arguments property.
2515
2516         * runtime/JSActivation.cpp:
2517         (JSC::JSActivation::symbolTableGet):
2518         (JSC::JSActivation::symbolTablePut):
2519         (JSC::JSActivation::getOwnPropertyNames):
2520         (JSC::JSActivation::getOwnPropertyDescriptor): Provide getOwnPropertyNames
2521         and getOwnPropertyDescriptor implementations, to meet the web inspector's
2522         needs. (User code can never call these.)
2523
2524 2012-08-24  Filip Pizlo  <fpizlo@apple.com>
2525
2526         Finally inlining should correctly track the catch context
2527         https://bugs.webkit.org/show_bug.cgi?id=94986
2528         <rdar://problem/11753784>
2529
2530         Reviewed by Sam Weinig.
2531
2532         This fixes two behaviors:
2533         
2534         1) Throwing from a finally block. Previously, we would seem to reenter the finally
2535            block - though only once.
2536         
2537         2) Executing a finally block from some nested context, for example due to a
2538            'continue', 'break', or 'return' in the try. This would execute the finally
2539            block in the context of the try block, which could lead to either scope depth
2540            mismatches or reexecutions of the finally block on throw, similarly to (1) but
2541            for different reasons.
2542
2543         * bytecompiler/BytecodeGenerator.cpp:
2544         (JSC):
2545         (JSC::BytecodeGenerator::pushFinallyContext):
2546         (JSC::BytecodeGenerator::emitComplexJumpScopes):
2547         (JSC::BytecodeGenerator::pushTry):
2548         (JSC::BytecodeGenerator::popTryAndEmitCatch):
2549         * bytecompiler/BytecodeGenerator.h:
2550         (FinallyContext):
2551         (TryData):
2552         (JSC):
2553         (TryContext):
2554         (TryRange):
2555         (BytecodeGenerator):
2556         * bytecompiler/NodesCodegen.cpp:
2557         (JSC::TryNode::emitBytecode):
2558
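The two behaviours the entry above describes, written up as an added JavaScript check (not WebKit code): each function returns a trace or count that a correct engine produces, so it doubles as a regression test for a finally block being re-entered or run in the wrong catch context.

```javascript
// Added example, not part of the WebKit ChangeLog or source tree.
// Behaviour (1): a throw from inside a finally block must propagate exactly once.
// If the engine wrongly re-entered the finally block, "finally" would appear twice.
function throwFromFinally() {
  const trace = [];
  try {
    try {
      trace.push("try");
      throw new Error("from try");      // pending exception entering the finally
    } finally {
      trace.push("finally");
      throw new Error("from finally");  // replaces the pending exception (ES5 12.14)
    }
  } catch (e) {
    trace.push("caught:" + e.message);
  }
  return trace;                         // ["try", "finally", "caught:from finally"]
}

// Behaviour (2a): leaving the try via return/break/continue/throw, or by falling
// off its end, must run the finally block exactly once for each exit path.
function finallyRunCount(exitKind) {
  let count = 0;
  function body() {
    for (let i = 0; i < 1; i++) {       // single iteration keeps the count at 1
      try {
        if (exitKind === "return") return;
        if (exitKind === "break") break;
        if (exitKind === "continue") continue;
        if (exitKind === "throw") throw new Error("from try");
      } finally {
        count++;
      }
    }
  }
  try {
    body();
  } catch (e) {
    // the "throw" path: the exception is expected here, after the finally ran
  }
  return count;                         // 1 for every exitKind
}

// Behaviour (2b): when a 'return' in the try triggers the finally, the finally must
// execute in the context *outside* the try statement. A throw from it therefore
// goes to the enclosing handler, never to the try statement's own catch clause.
function throwFromFinallyAfterReturn() {
  const trace = [];
  function inner() {
    try {
      return "value";                   // nested exit through the finally
    } catch (e) {
      trace.push("inner-catch");        // must never run
    } finally {
      trace.push("finally");
      throw new Error("from finally");
    }
  }
  try {
    inner();
  } catch (e) {
    trace.push("outer-catch:" + e.message);
  }
  return trace;                         // ["finally", "outer-catch:from finally"]
}
```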
2559 2012-08-26  Filip Pizlo  <fpizlo@apple.com>
2560
2561         Array type checks and storage accesses should be uniformly represented and available to CSE
2562         https://bugs.webkit.org/show_bug.cgi?id=95013
2563
2564         Reviewed by Oliver Hunt.
2565
2566         This uniformly breaks up all array accesses into up to three parts:
2567         
2568         1) The type check, using a newly introduced CheckArray node, in addition to possibly
2569            a CheckStructure node. We were already inserting the CheckStructure prior to this
2570            patch. The CheckArray node will be automatically eliminated if the thing it was
2571            checking for had already been checked for, either intentionally (a CheckStructure
2572            inserted based on the array profile of this access) or accidentally (some checks,
2573            typically a CheckStructure, inserted for some unrelated operations). The
2574            CheckArray node may not be inserted if the array type is non-specific (Generic or
2575            ForceExit).
2576         
2577         2) The storage load using GetIndexedPropertyStorage. Previously, this only worked for
2578            GetByVal. Now it works for all array accesses. The storage load may not be
2579            inserted if the mode of array access does not permit CSE of storage loads (like
2580            non-specific modes or Arguments).
2581         
2582         3) The access itself: one of GetByVal, PutByVal, PutByValAlias, ArrayPush, ArrayPop,
2583            GetArrayLength, StringCharAt, or StringCharCodeAt.
2584         
2585         This means that the type check can be subjected to CSE even if the CFA isn't smart
2586         enough to reason about it (yet!). It also means that the storage load can always be
2587         subjected to CSE; previously CSE on storage load only worked for array loads and not
2588         other forms of access. Finally, it removes the bizarre behavior that
2589         GetIndexedPropertyStorage previously had: previously, it was responsible for the type
2590         check in some cases, but not others; this made reasoning about the CFA really
2591         confusing.
2592         
2593         This change also disables late refinement of array mode, since I decided that
2594         supporting that feature is both confusing and likely unprofitable. The array modes are
2595         now locked in in the first fixup run after prediction propagation. Of course,
2596         refinements from Generic to something else would not have been a problem; we could
2597         reenable those if we thought we really needed to.
2598
2599         * dfg/DFGAbstractState.cpp:
2600         (JSC::DFG::AbstractState::execute):
2601         * dfg/DFGArgumentsSimplificationPhase.cpp:
2602         (JSC::DFG::ArgumentsSimplificationPhase::run):
2603         * dfg/DFGArrayMode.cpp:
2604         (JSC::DFG::fromStructure):
2605         (DFG):
2606         (JSC::DFG::refineArrayMode):
2607         * dfg/DFGArrayMode.h:
2608         (DFG):
2609         (JSC::DFG::modeIsJSArray):
2610         (JSC::DFG::lengthNeedsStorage):
2611         (JSC::DFG::modeIsSpecific):
2612         (JSC::DFG::modeSupportsLength):
2613         * dfg/DFGByteCodeParser.cpp:
2614         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2615         (JSC::DFG::ByteCodeParser::getArrayMode):
2616         (ByteCodeParser):
2617         (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
2618         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2619         (JSC::DFG::ByteCodeParser::parseBlock):
2620         * dfg/DFGCFGSimplificationPhase.cpp:
2621         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2622         * dfg/DFGCSEPhase.cpp:
2623         (JSC::DFG::CSEPhase::CSEPhase):
2624         (JSC::DFG::CSEPhase::checkStructureElimination):
2625         (CSEPhase):
2626         (JSC::DFG::CSEPhase::checkArrayElimination):
2627         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
2628         (JSC::DFG::CSEPhase::performNodeCSE):
2629         (JSC::DFG::performCSE):
2630         * dfg/DFGCSEPhase.h:
2631         (DFG):
2632         * dfg/DFGCommon.h:
2633         * dfg/DFGConstantFoldingPhase.cpp:
2634         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2635         * dfg/DFGDriver.cpp:
2636         (JSC::DFG::compile):
2637         * dfg/DFGFixupPhase.cpp:
2638         (JSC::DFG::FixupPhase::fixupNode):
2639         (JSC::DFG::FixupPhase::checkArray):
2640         (FixupPhase):
2641         (JSC::DFG::FixupPhase::blessArrayOperation):
2642         * dfg/DFGGraph.cpp:
2643         (JSC::DFG::Graph::Graph):
2644         (DFG):
2645         (JSC::DFG::Graph::dump):
2646         (JSC::DFG::Graph::collectGarbage):
2647         * dfg/DFGGraph.h:
2648         (Graph):
2649         (JSC::DFG::Graph::vote):
2650         (JSC::DFG::Graph::substitute):
2651         * dfg/DFGNode.h:
2652         (JSC::DFG::Node::hasArrayMode):
2653         (JSC::DFG::Node::setArrayMode):
2654         * dfg/DFGNodeType.h:
2655         (DFG):
2656         * dfg/DFGOperations.cpp:
2657         * dfg/DFGPhase.h:
2658         (DFG):
2659         * dfg/DFGPredictionPropagationPhase.cpp:
2660         (JSC::DFG::PredictionPropagationPhase::propagate):
2661         (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
2662         * dfg/DFGSpeculativeJIT.cpp:
2663         (JSC::DFG::SpeculativeJIT::checkArray):
2664         (JSC::DFG::SpeculativeJIT::useChildren):
2665         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2666         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2667         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2668         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2669         * dfg/DFGSpeculativeJIT.h:
2670         (SpeculativeJIT):
2671         * dfg/DFGSpeculativeJIT32_64.cpp:
2672         (JSC::DFG::SpeculativeJIT::compile):
2673         * dfg/DFGSpeculativeJIT64.cpp:
2674         (JSC::DFG::SpeculativeJIT::compile):
2675         * dfg/DFGStructureCheckHoistingPhase.cpp:
2676         (JSC::DFG::StructureCheckHoistingPhase::run):
2677
2678 2012-08-26  Filip Pizlo  <fpizlo@apple.com>
2679
2680         DFGGraph.h has a bogus comment about the nature of StorageAccessData
2681         https://bugs.webkit.org/show_bug.cgi?id=95035
2682
2683         Reviewed by Oliver Hunt.
2684
2685         The comment is both wrong (storage access instructions don't reference CheckStructure)
2686         and highly redundant: of course it's the case that two structures may have the same
2687         identifier. Our interference analyses currently don't care about this and make the
2688         conservative assumptions when necessary (same identifier, same object -> must be same
2689         property; same identifier, may be same object -> may be the same property). Better to
2690         remove the bogus comment since the code that operates over this data structure is
2691         fairly self-explanatory already.
2692
2693         * dfg/DFGGraph.h:
2694         (StorageAccessData):
2695
2696 2012-08-25  Geoffrey Garen  <ggaren@apple.com>
2697
2698         Try a little harder to fix the Linux build.
2699
2700         * runtime/JSActivation.cpp:
2701         * runtime/JSActivation.h:
2702
2703 2012-08-25  Geoffrey Garen  <ggaren@apple.com>
2704
2705         Try to fix the Linux build.
2706
2707         * runtime/JSActivation.cpp:
2708
2709 2012-08-25  Geoffrey Garen  <ggaren@apple.com>
2710
2711         Don't use malloc / destructors for activation objects
2712         https://bugs.webkit.org/show_bug.cgi?id=94897
2713
2714         Reviewed by Oliver Hunt.
2715
2716         65% faster on v8-real-earley.
2717
2718         Lots of boilerplate here, but the gist is this:
2719
2720         (1) Use CopiedSpace instead of malloc to allocate the activation's
2721         backing store.
2722
2723         (2) Use MarkedSpace instead of ref-counting to allocate the symbol table.
2724
2725         (3) ==> No more destructor.
2726
2727         * bytecode/CodeBlock.cpp:
2728         (JSC::CodeBlock::CodeBlock):
2729         (JSC::CodeBlock::stronglyVisitStrongReferences):
2730         * bytecode/CodeBlock.h:
2731         (JSC::CodeBlock::symbolTable):
2732         (CodeBlock):
2733         (JSC::GlobalCodeBlock::GlobalCodeBlock):
2734         (JSC::FunctionCodeBlock::FunctionCodeBlock):
2735         (FunctionCodeBlock): SymbolTable is a GC object now, so it gets a write
2736         barrier and visit calls instead of ref-counting. I changed all CodeBlocks
2737         to use shared symbol tables because the distinction between shared and
2738         unshared hurt my head.
2739
2740         * bytecompiler/BytecodeGenerator.cpp:
2741         (JSC::BytecodeGenerator::resolve):
2742         (JSC::BytecodeGenerator::resolveConstDecl):
2743         (JSC::BytecodeGenerator::emitPutStaticVar):
2744         * dfg/DFGByteCodeParser.cpp:
2745         (JSC::DFG::ByteCodeParser::parseBlock):
2746         * dfg/DFGSpeculativeJIT32_64.cpp:
2747         (JSC::DFG::SpeculativeJIT::compile):
2748         * dfg/DFGSpeculativeJIT64.cpp:
2749         (JSC::DFG::SpeculativeJIT::compile): Sometimes, a period just wants
2750         to be an arrow. And then C++ is there to accommodate.
2751
2752         * jit/JITDriver.h:
2753         (JSC::jitCompileFunctionIfAppropriate):
2754         * runtime/Arguments.h:
2755         (ArgumentsData):
2756         (JSC::Arguments::setRegisters):
2757         (Arguments):
2758         (JSC::Arguments::argument):
2759         (JSC::Arguments::finishCreation):
2760         * runtime/Executable.cpp:
2761         (JSC::FunctionExecutable::FunctionExecutable):
2762         (JSC::ProgramExecutable::compileInternal):
2763         (JSC::FunctionExecutable::compileForCallInternal):
2764         (JSC::FunctionExecutable::compileForConstructInternal):
2765         (JSC::FunctionExecutable::visitChildren):
2766         * runtime/Executable.h:
2767         (JSC::FunctionExecutable::symbolTable):
2768         (FunctionExecutable):
2769         * runtime/ExecutionHarness.h:
2770         (JSC::prepareFunctionForExecution): I changed from WriteBarrier to
2771         WriteBarrierBase so activations could reuse StorageBarrier and PropertyStorage.
2772
2773         * runtime/JSActivation.cpp:
2774         (JSC::JSActivation::JSActivation):
2775         (JSC::JSActivation::finishCreation): Allocate the symbol table here,
2776         after we're fully constructed, to avoid GC during initialization.
2777
2778         (JSC::JSActivation::visitChildren):
2779         (JSC::JSActivation::symbolTableGet):
2780         (JSC::JSActivation::symbolTablePut):
2781         (JSC::JSActivation::getOwnPropertyNames):
2782         (JSC::JSActivation::symbolTablePutWithAttributes):
2783         * runtime/JSActivation.h:
2784         (JSC::JSActivation::create):
2785         (JSActivation):
2786         (JSC::JSActivation::registerOffset):
2787         (JSC):
2788         (JSC::JSActivation::registerArraySize):
2789         (JSC::JSActivation::registerArraySizeInBytes):
2790         (JSC::JSActivation::tearOff): Tear-off zero-initializes all uncopied
2791         registers. This makes it safe to copyAndAppend the full buffer in
2792         visitChildren, without any extra checks.
2793
2794         * runtime/JSCell.h:
2795         (JSCell): Moved a shared default set of flags into this base class, so
2796         I could use it in a few places.
2797
2798         * runtime/JSGlobalData.cpp:
2799         (JSC::JSGlobalData::JSGlobalData):
2800         * runtime/JSGlobalData.h:
2801         (JSGlobalData): New structure for symbol tables.
2802
2803         * runtime/JSGlobalObject.cpp:
2804         (JSC::JSGlobalObject::JSGlobalObject):
2805         (JSC::JSGlobalObject::addStaticGlobals):
2806         * runtime/JSGlobalObject.h:
2807         (JSGlobalObject):
2808         (JSC::JSGlobalObject::symbolTableHasProperty): We don't need an inline
2809         symbol table -- JSSymbolTableObject will GC allocate one for us.
2810
2811         * runtime/JSObject.h:
2812         (JSObject):
2813         * runtime/JSSegmentedVariableObject.h:
2814         (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
2815         * runtime/JSStaticScopeObject.cpp:
2816         (JSC):
2817         (JSC::JSStaticScopeObject::visitChildren): NULL check our register store
2818         because finishCreation allocates an object now, so we may get marked
2819         before we've assigned to our register store.
2820
2821         * runtime/JSStaticScopeObject.h:
2822         (JSC::JSStaticScopeObject::finishCreation):
2823         (JSC::JSStaticScopeObject::JSStaticScopeObject):
2824         (JSStaticScopeObject): No more destructor for this object, either, since
2825         it no longer embeds a hash table.
2826
2827         * runtime/JSSymbolTableObject.cpp:
2828         (JSC::JSSymbolTableObject::visitChildren):
2829         (JSC::JSSymbolTableObject::deleteProperty):
2830         (JSC::JSSymbolTableObject::getOwnPropertyNames):
2831         * runtime/JSSymbolTableObject.h:
2832         (JSC::JSSymbolTableObject::symbolTable):
2833         (JSSymbolTableObject):
2834         (JSC::JSSymbolTableObject::JSSymbolTableObject):
2835         (JSC::JSSymbolTableObject::finishCreation):
2836         (JSC::symbolTableGet):
2837         (JSC::symbolTablePut):
2838         (JSC::symbolTablePutWithAttributes): SymbolTableObject allocates a symbol
2839         table automatically if one isn't provided. (Activations provide their
2840         own, which they get from compiled code.)
2841
2842         * runtime/JSVariableObject.cpp:
2843         (JSC):
2844         * runtime/JSVariableObject.h:
2845         (JSC::JSVariableObject::registerAt):
2846         (JSC::JSVariableObject::addressOfRegisters):
2847         (JSVariableObject):
2848         (JSC::JSVariableObject::JSVariableObject):
2849         (JSC::JSVariableObject::finishCreation): Removed a bunch of obsolete code.
2850         Activations manage their registers directly now.
2851
2852         * runtime/StorageBarrier.h:
2853         (StorageBarrier):
2854         (JSC::StorageBarrier::operator!):
2855
2856         * runtime/SymbolTable.cpp:
2857         (JSC):
2858         (JSC::SharedSymbolTable::destroy):
2859         * runtime/SymbolTable.h:
2860         (JSC::SharedSymbolTable::create):
2861         (SharedSymbolTable):
2862         (JSC::SharedSymbolTable::createStructure):
2863         (JSC::SharedSymbolTable::SharedSymbolTable): Boilerplate code to
2864         make shared symbol table GC-allocated.
2865
2866 2012-08-25  Filip Pizlo  <fpizlo@apple.com>
2867
2868         op_call should have ArrayProfiling for the benefit of array intrinsics
2869         https://bugs.webkit.org/show_bug.cgi?id=95014
2870
2871         Reviewed by Sam Weinig.
2872
2873         This is a performance-neutral change that just adds the profiling but does not
2874         use it, yet. If in the future we wanted to make this kind of profiling cheaper
2875         we could move it into specialized thunks for the relevant array intrinsics, but
2876         I figure that if this much simpler change gives us what we need without any
2877         discernible performance penalty then that's for the best.
2878
2879         * bytecompiler/BytecodeGenerator.cpp:
2880         (JSC::BytecodeGenerator::emitCall):
2881         * jit/JITCall.cpp:
2882         (JSC::JIT::compileOpCall):
2883         * jit/JITCall32_64.cpp:
2884         (JSC::JIT::compileOpCall):
2885         * llint/LowLevelInterpreter.asm:
2886         * llint/LowLevelInterpreter32_64.asm:
2887         * llint/LowLevelInterpreter64.asm:
2888
2889 2012-08-25  Filip Pizlo  <fpizlo@apple.com>
2890
2891         The redundant phi elimination phase is not used and should be removed
2892         https://bugs.webkit.org/show_bug.cgi?id=95006
2893
2894         Reviewed by Dan Bernstein.
2895
2896         Just removing dead code.
2897
2898         * CMakeLists.txt:
2899         * GNUmakefile.list.am:
2900         * JavaScriptCore.xcodeproj/project.pbxproj:
2901         * Target.pri:
2902         * dfg/DFGDriver.cpp:
2903         * dfg/DFGRedundantPhiEliminationPhase.cpp: Removed.
2904         * dfg/DFGRedundantPhiEliminationPhase.h: Removed.
2905
2906 2012-08-24  Benjamin Poulain  <bpoulain@apple.com>
2907
2908         Unify Number to StringImpl conversion
2909         https://bugs.webkit.org/show_bug.cgi?id=94879
2910
2911         Reviewed by Geoffrey Garen.
2912
2913         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2914         * runtime/UString.cpp:
2915         * runtime/UString.h:
2916         (JSC::UString::number):
2917         Update UString to directly use the common NumberToString implementation.
2918
2919 2012-08-24  Oliver Hunt  <oliver@apple.com>
2920
2921         Always null check cells before marking
2922         https://bugs.webkit.org/show_bug.cgi?id=94968
2923
2924         Reviewed by Geoffrey Garen.
2925
2926         Originally we tried to minimise null checks by only null checking values
2927         that we knew could be null, however given that we can't ever guarantee
2928         when a GC will happen, we're better off just always assuming that a null
2929         check will be necessary.  This results in a much less fragile code base
2930         as we can add GC allocations to object initialisers without having to
2931         subsequently worry about whether the object we are initialising will need
2932         to add a bunch of null checks in its visitChildren implementation.

        * heap/MarkStack.cpp:
        (JSC::MarkStack::internalAppend):
        * heap/MarkStackInlineMethods.h:
        (JSC::MarkStack::append):
        (JSC::MarkStack::appendUnbarrieredPointer):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2012-08-23  Oliver Hunt  <oliver@apple.com>

        Autogenerate Opcode definitions
        https://bugs.webkit.org/show_bug.cgi?id=94840

        Reviewed by Gavin Barraclough.

        Start the process of autogenerating the code emission for the bytecode.
        We'll just start with automatic generation of the list of Opcodes as that
        requires the actual definition of the opcodes, and the logic for parsing
        them.

        Due to some rather annoying dependency cycles, this initial version has
        the OpcodeDefinitions.h file checked into the tree, although with some
        work I hope to be able to fix that.

        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Opcode.h:
          Include OpcodeDefinitions.h as our definitive source of info
          about the opcodes.
        * bytecode/OpcodeDefinitions.h: Added.
          Autogenerated file
        * bytecode/opcodes: Added.
          The new opcode definition file
        * opcode_definition_generator.py: Added.
        (generateOpcodeDefinition):
        (generate):
          Module that generates the content for OpcodeDefinitions.h
        * opcode_generator.py: Added.
        (printUsage):
        (main):
          Driver script
        * opcode_parser.py: Added.
          Simple parser for the opcode definitions.

2011-08-23  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r126505.
        http://trac.webkit.org/changeset/126505
        https://bugs.webkit.org/show_bug.cgi?id=94840

        Caused testapi to crash on launch

        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/OpcodeDefinitions.h: Removed.
        * bytecode/opcodes: Removed.
        * opcode_definition_generator.py: Removed.
        * opcode_generator.py: Removed.
        * opcode_parser.py: Removed.

2012-08-23  Oliver Hunt  <oliver@apple.com>

        Autogenerate Opcode definitions
        https://bugs.webkit.org/show_bug.cgi?id=94840

        Reviewed by Gavin Barraclough.

        Start the process of autogenerating the code emission for the bytecode.
        We'll just start with automatic generation of the list of Opcodes as that
        requires the actual definition of the opcodes, and the logic for parsing
        them.

        Due to some rather annoying dependency cycles, this initial version has
        the OpcodeDefinitions.h file checked into the tree, although with some
        work I hope to be able to fix that.

        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Opcode.h:
          Include OpcodeDefinitions.h as our definitive source of info
          about the opcodes.
        * bytecode/OpcodeDefinitions.h: Added.
          Autogenerated file
        * bytecode/opcodes: Added.
          The new opcode definition file
        * opcode_definition_generator.py: Added.
        (generateOpcodeDefinition):
        (generate):
          Module that generates the content for OpcodeDefinitions.h
        * opcode_generator.py: Added.
        (printUsage):
        (main):
          Driver script
        * opcode_parser.py: Added.
          Simple parser for the opcode definitions.

2012-08-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Change behavior of MasqueradesAsUndefined to better accommodate DFG changes
        https://bugs.webkit.org/show_bug.cgi?id=93884

        Reviewed by Filip Pizlo.

        With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of
        MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines,
        we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined
        objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject).
        For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not
        masquerade as undefined within frame B, but it will continue to masquerade in frame A.

        There are two primary changes that are taking place here. One is to thread the ExecState* through
        JSValue::toBoolean and JSCell::toBoolean so that JSCell::toBoolean can check the object's
        JSGlobalObject to compare it to the lexical JSGlobalObject of the currently running code. If the two
        are distinct, then the object cannot MasqueradeAsUndefined.

        The other change is to perform this comparison of JSGlobalObjects everywhere where the MasqueradesAsUndefined
        flag in the Structure is checked. For C++ code, this check has been factored into its own function in
        Structure::masqueradesAsUndefined. We only perform this check in the DFG if the current JSGlobalObject has
        had a MasqueradesAsUndefined object allocated within its context. This conditional compilation is managed
        through the use of a WatchpointSet in each JSGlobalObject and alternate create() functions for JS DOM wrappers
        that are MasqueradesAsUndefined.

        * API/JSValueRef.cpp:
        (JSValueToBoolean):
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/Watchpoint.h:
        (WatchpointSet):
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::callFrame):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncSome):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBoolean):
        (JSC::callBooleanConstructor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::masqueradesAsUndefinedWatchpoint):
        * runtime/JSString.h:
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):
        * runtime/JSValue.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::toPropertyDescriptor):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/Operations.h:
        (JSC):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorMultiline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::globalObjectOffset):
        (JSC::Structure::masqueradesAsUndefined):
        (JSC):

2012-08-23  Mark Rowe  <mrowe@apple.com>

        Make JavaScriptCore build with the latest version of clang.

        Reviewed by Dan Bernstein.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads): The m_heap member is only used within
        assertions, so guard its initialization with !ASSERT_DISABLED.
        * heap/MachineStackMarker.h:
        (MachineThreads): Ditto for its declaration.
        * jit/JITStubCall.h:
        (JSC::JITStubCall::JITStubCall): The m_returnType member is only used within
        assertions or if we're using JSVALUE32_64, so guard its uses with the appropriate
        #if.
        (JITStubCall): Ditto.

2012-08-23  Christophe Dumez  <christophe.dumez@intel.com>

        Serialization of JavaScript values does not appear to respect new HTML5 Structured Clone semantics
        https://bugs.webkit.org/show_bug.cgi?id=65292

        Reviewed by Oliver Hunt.

        Add function to construct a StringObject from a JSValue.
        Similar functions already exist for NumberObject and
        BooleanObject for example.

        Export several symbols to address linking errors in
        WebCore.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/BooleanObject.h:
        (BooleanObject):
        * runtime/NumberObject.h:
        (NumberObject):
        (JSC):
        * runtime/StringObject.cpp:
        (JSC::constructString):
        (JSC):
        * runtime/StringObject.h:
        (JSC):

2012-08-22  Filip Pizlo  <fpizlo@apple.com>

        Array accesses should remember what kind of array they are predicted to access
        https://bugs.webkit.org/show_bug.cgi?id=94448

        Reviewed by Gavin Barraclough.

        Introduced the notion of DFG::Array::Mode, stored in node.arrayMode(), which allows nodes
        to remember how they decided to access arrays. This permits the bytecode parser to "lock in"
        the mode of access if it has profiling at its disposal, and it also allows the prediction
        propagator to do a fixup of the array mode later in the optimization fixpoint.

        This patch adds a healthy amount of new capability (specifically the ability of the parser
        to lock in an array mode regardless of type predictions) and it also blows away a lot of
        messy code.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayMode.cpp: Added.
        (DFG):
        (JSC::DFG::fromObserved):
        (JSC::DFG::refineArrayMode):
        (JSC::DFG::modeAlreadyChecked):
        (JSC::DFG::modeToString):
        * dfg/DFGArrayMode.h: Added.
        (DFG):
        (JSC::DFG::canCSEStorage):
        (JSC::DFG::modeForPut):
        (JSC::DFG::modesCompatibleForStorageLoad):
        (JSC::DFG::modeSupportsLength):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getArrayModeWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        (Node):
        (JSC::DFG::Node::arrayMode):
        (JSC::DFG::Node::setArrayMode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculateArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2012-08-22  Geoffrey Garen  <ggaren@apple.com>

        ThreadRestrictionVerifier should be opt-in, not opt-out
        https://bugs.webkit.org/show_bug.cgi?id=94761

        Reviewed by Mark Hahnenberg.

        Removed explicit calls to disable the verifier, since it's off by default now.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::SourceProvider):
        (SourceProvider):
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::SharedSymbolTable):

2012-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        Separate MarkStackThreadSharedData from MarkStack
        https://bugs.webkit.org/show_bug.cgi?id=94294

        Reviewed by Filip Pizlo.

        MarkStackThreadSharedData is soon going to have data to allow for a parallel copying
        mode too, so to separate our concerns we should split it out into its own set of files
        and rename it to GCThreadSharedData. For now this is purely a cosmetic refactoring.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/GCThreadSharedData.cpp: Added.
        (JSC):
        (JSC::GCThreadSharedData::resetChildren):
        (JSC::GCThreadSharedData::childVisitCount):
        (JSC::GCThreadSharedData::markingThreadMain):
        (JSC::GCThreadSharedData::markingThreadStartFunc):
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::~GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        * heap/GCThreadSharedData.h: Added.
        (JSC):
        (GCThreadSharedData):
        * heap/Heap.h:
        (Heap):
        * heap/ListableHandler.h:
        (ListableHandler):
        * heap/MarkStack.cpp:
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::~MarkStack):
        * heap/MarkStack.h:
        (JSC):
        (MarkStack):
        (JSC::MarkStack::sharedData):
        * heap/MarkStackInlineMethods.h: Added.
        (JSC):
        (JSC::MarkStack::append):
        (JSC::MarkStack::appendUnbarrieredPointer):
        (JSC::MarkStack::appendUnbarrieredValue):
        (JSC::MarkStack::internalAppend):
        (JSC::MarkStack::addWeakReferenceHarvester):
        (JSC::MarkStack::addUnconditionalFinalizer):
        (JSC::MarkStack::addOpaqueRoot):
        (JSC::MarkStack::containsOpaqueRoot):
        (JSC::MarkStack::opaqueRootCount):
        * heap/SlotVisitor.h:
        (JSC):
        (SlotVisitor):
        (JSC::SlotVisitor::SlotVisitor):

2012-08-22  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        Fix JSC build when DFG-JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=94694

        Reviewed by Csaba Osztrogonác.

        Adding an appropriate guard for fixing the build.

        * bytecode/ResolveGlobalStatus.cpp:
        (JSC):

2012-08-21  Mark Lam  <mark.lam@apple.com>

        Introducing the VMInspector for VM debugging use.
        https://bugs.webkit.org/show_bug.cgi?id=94613.

        Reviewed by Filip Pizlo.

        Adding some utility functions for debugging the VM. This code is
        presently #ifdef'd out by default.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        (ExecState):
        * interpreter/VMInspector.cpp: Added.
        (JSC):
        (JSC::VMInspector::getTypeName):
        (JSC::VMInspector::dumpFrame0):
        (JSC::VMInspector::dumpFrame):
        (JSC::VMInspector::countFrames):
        * interpreter/VMInspector.h: Added.
        (JSC):
        (VMInspector):

2012-08-21  Filip Pizlo  <fpizlo@apple.com>

        A patchable GetById right after a watchpoint should have the appropriate nop padding
        https://bugs.webkit.org/show_bug.cgi?id=94635

        Reviewed by Mark Hahnenberg.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::padBeforePatch):
        (AbstractMacroAssembler):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerARMv7::moveWithPatch):
        (JSC::MacroAssemblerARMv7::patchableJump):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::moveWithPatch):
        (JSC::MacroAssemblerX86::branchPtrWithPatch):
        (JSC::MacroAssemblerX86::storePtrWithPatch):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerX86Common::load32WithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerX86Common::loadCompactWithAddressOffsetPatch):
        (JSC::MacroAssemblerX86Common::store32WithAddressOffsetPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::loadPtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::loadPtrWithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::storePtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::moveWithPatch):
        * jit/JumpReplacementWatchpoint.cpp:
        (JSC::JumpReplacementWatchpoint::fireInternal):

2012-08-20  Mark Lam  <mark.lam@apple.com>

        Fix broken non-JIT build.
        https://bugs.webkit.org/show_bug.cgi?id=94564.

        Reviewed by Filip Pizlo.

        Added some UNUSED_PARAM() macros to make the compiler happy.

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2012-08-20  Mark Lam  <mark.lam@apple.com>

        Fixed erroneous line number for LLInt frame when throwing exceptions.
        https://bugs.webkit.org/show_bug.cgi?id=94051.

        Reviewed by Filip Pizlo.

        For LLInt frames, before throwing an exception, adjust the PC from the
        return PC back to the call PC if we are indeed at a call site.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::adjustPCIfAtCallSite):
        (JSC):
        (JSC::CodeBlock::bytecodeOffset):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::fixupPCforExceptionIfNeeded):
        (LLInt):
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):

2012-08-20  Filip Pizlo  <fpizlo@apple.com>

        fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html on 32-bit
        https://bugs.webkit.org/show_bug.cgi?id=94538

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2012-08-20  Filip Pizlo  <fpizlo@apple.com>

        fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html crashes on 32-bit
        https://bugs.webkit.org/show_bug.cgi?id=94026

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):

2012-08-19  Filip Pizlo  <fpizlo@apple.com>

        The relationship between abstract values and structure transition watchpoints should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=94205

        Reviewed by Geoffrey Garen.

        This patch does a number of things related to the handling of the abstract values
        arising from values with structures known to be watchpointable:

        - This rationalizes the relationship between the structure that we know an object
          to have *right now* based on having executed a check against that structure, and
          the structure that we know the object could have *in the future* based on a type
          check executed in the past over a structure that was watchpointable.

        - We use the above to assert that structure transition watchpoints are being used
          soundly.

        - We use the above to strength reduce CheckStructure into StructureTransitionWatchpoint
          whenever possible.

        - This rationalizes the handling of CFA over constants that appeared in the bytecode.
          If at compile-time the constant has a watchpointable structure, then we can prove
          what structures it may have in the future. The analysis uses this to both assert
          that structure transition watchpoints are being used correctly, and to find
          opportunities for using them more aggressively.

        The net effect of all of these changes is that OSR entry should work more smoothly.
        It may also be a slight win due to strength reductions, though most of those strength
        reductions would have already been done by the parser and the structure check hoister.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (DFG):
        (JSC::DFG::AbstractValue::clear):
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::makeTop):
        (JSC::DFG::AbstractValue::clobberStructures):
        (JSC::DFG::AbstractValue::isTop):
        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
        (AbstractValue):
        (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
        (JSC::DFG::AbstractValue::setMostSpecific):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::operator==):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::filterValueByType):
        (JSC::DFG::AbstractValue::validateType):
        (JSC::DFG::AbstractValue::validate):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
        (Node):
        (JSC::DFG::Node::hasStructure):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationWatchpoint):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculationWatchpointWithConditionalDirection):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::speculateArray):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureAbstractValue.h: Added.
        (DFG):
        (StructureAbstractValue):
        (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
        (JSC::DFG::StructureAbstractValue::clear):
        (JSC::DFG::StructureAbstractValue::makeTop):
        (JSC::DFG::StructureAbstractValue::top):
        (JSC::DFG::StructureAbstractValue::add):
        (JSC::DFG::StructureAbstractValue::addAll):
        (JSC::DFG::StructureAbstractValue::contains):
        (JSC::DFG::StructureAbstractValue::isSubsetOf):
        (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
        (JSC::DFG::StructureAbstractValue::isSupersetOf):
        (JSC::DFG::StructureAbstractValue::filter):
        (JSC::DFG::StructureAbstractValue::isClear):
        (JSC::DFG::StructureAbstractValue::isTop):
        (JSC::DFG::StructureAbstractValue::isClearOrTop):
        (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
        (JSC::DFG::StructureAbstractValue::size):
        (JSC::DFG::StructureAbstractValue::at):
        (JSC::DFG::StructureAbstractValue::operator[]):
        (JSC::DFG::StructureAbstractValue::last):
        (JSC::DFG::StructureAbstractValue::speculationFromStructures):
        (JSC::DFG::StructureAbstractValue::hasSingleton):
        (JSC::DFG::StructureAbstractValue::singleton):
        (JSC::DFG::StructureAbstractValue::operator==):
        (JSC::DFG::StructureAbstractValue::dump):
        (JSC::DFG::StructureAbstractValue::topValue):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2012-08-17  Filip Pizlo  <fpizlo@apple.com>

        The current state of the call frame should be taken into account in the DFG for both predictions and proofs
        https://bugs.webkit.org/show_bug.cgi?id=94412

        Reviewed by Geoffrey Garen.

        This ensures that no matter how smart the DFG gets, it'll always know through
        which entrypoint OSR will try to enter, and with which values it will attempt
        to do so. For prologue OSR, this has no effect other than adding the current
        arguments to the argument predictions. For loop OSR, this makes our treatment
        of the loop slightly more conservative - just conservative enough to ensure
        that OSR succeeds.

        * bytecode/CodeBlock.cpp:
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::compileOptimized):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::setMostSpecific):
        (AbstractValue):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::fixVariableAccessPredictions):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h:
        (DFG):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::Graph):
        (Graph):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::compileOptimizedFor):
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):

2012-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should be more honest about when it changed the IR
        https://bugs.webkit.org/show_bug.cgi?id=94408

        Reviewed by Geoffrey Garen.

        The CSE phase now always returns true if it changed the IR.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):

2012-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG is still too pessimistic about what constitutes a side-effect on array accesses
        https://bugs.webkit.org/show_bug.cgi?id=94309

        Reviewed by Geoffrey Garen.

        This change means that even if structure transition watchpoints are not used for
        hoisting of clobbered structure checks, we still retain good performance on the
        benchmarks we care about. That's important, since butterflies will likely make
        most array structures not watchpointable.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
3674         (JSC::DFG::StructureCheckHoistingPhase::run):
3675
3676 2012-08-17  Milian Wolff  <milian.wolff@kdab.com>
3677
3678         [Qt] QNX build fails due to ctype usage in system headers
3679         https://bugs.webkit.org/show_bug.cgi?id=93849
3680
3681         Reviewed by Simon Hausmann.
3682
3683         Move the check for whether DisallowCType should be active or not
3684         to the DisallowCType.h header. This way, we can update the list
3685         of platforms or OSes which do not work with this header in a
3686         central place. All users can now safely include the header
3687         and do not need to place custom guards around it.
3688
3689         * config.h:
3690
3691 2012-08-16  Simon Hausmann  <simon.hausmann@nokia.com>
3692
3693         [Qt] Replace use of internal Weak smart pointer with JSWeakObjectMap
3694         https://bugs.webkit.org/show_bug.cgi?id=93872
3695
3696         Reviewed by Kenneth Rohde Christiansen.
3697
3698         * Target.pri: Add missing JSWeakObjectMap file to build.
3699
3700 2012-08-16  Filip Pizlo  <fpizlo@apple.com>
3701
3702         Structure check hoisting should be less expensive
3703         https://bugs.webkit.org/show_bug.cgi?id=94201
3704
3705         Reviewed by Mark Hahnenberg.
3706
3707         This appears like a broad win on short-running programs.
3708
3709         * dfg/DFGArgumentsSimplificationPhase.cpp:
3710         (JSC::DFG::ArgumentsSimplificationPhase::run):
3711         * dfg/DFGCSEPhase.cpp:
3712         (JSC::DFG::CSEPhase::performNodeCSE):
3713         * dfg/DFGDriver.cpp:
3714         (JSC::DFG::compile):
3715         * dfg/DFGGraph.h:
3716         (JSC::DFG::Graph::compareAndSwap):
3717         (Graph):
3718         (JSC::DFG::Graph::substitute):
3719         (JSC::DFG::Graph::substituteGetLocal):
3720         * dfg/DFGStructureCheckHoistingPhase.cpp:
3721         (JSC::DFG::StructureCheckHoistingPhase::run):
3722
3723 2012-08-16  Filip Pizlo  <fpizlo@apple.com>
3724
3725         All op_resolve_global instructions should end up in the list of global resolve instructions
3726         https://bugs.webkit.org/show_bug.cgi?id=94247
3727         <rdar://problem/12103500>
3728
3729         Reviewed by Mark Hahnenberg.
3730
3731         * bytecompiler/BytecodeGenerator.cpp:
3732         (JSC::BytecodeGenerator::emitResolveWithBase):
3733
3734 2012-08-15  Bruno de Oliveira Abinader  <bruno.abinader@basyskom.com>
3735
3736         [css3-text] Add CSS3 Text decoration compile flag
3737         https://bugs.webkit.org/show_bug.cgi?id=93863
3738
3739         Reviewed by Julien Chaffraix.
3740
        This patch handles the compile flag implementation, which will come disabled by
        default, thus not exposing the CSS3 text decoration features to the web unless
        it is explicitly enabled with the "--css3-text-decoration" build parameter.

        * Configurations/FeatureDefines.xcconfig:

2012-08-15  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r125687.
        http://trac.webkit.org/changeset/125687
        https://bugs.webkit.org/show_bug.cgi?id=94147

        It broke the whole world (Requested by Ossy_night on #webkit).

        * API/JSValueRef.cpp:
        (JSValueToBoolean):
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/Watchpoint.h:
        (WatchpointSet):
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncSome):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBoolean):
        (JSC::callBooleanConstructor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        * runtime/JSString.h:
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):
        * runtime/JSValue.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::toPropertyDescriptor):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/Operations.h:
        (JSC):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorMultiline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
        * runtime/Structure.h:

2012-08-15  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        Buildfix after r125541
        https://bugs.webkit.org/show_bug.cgi?id=94097

        Reviewed by Filip Pizlo.

        r125541 has broken the traditional ARM port build of JSC.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::neg32):
        (JSC::MacroAssemblerARM::xor32):

2012-08-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Change behavior of MasqueradesAsUndefined to better accommodate DFG changes
        https://bugs.webkit.org/show_bug.cgi?id=93884

        Reviewed by Geoffrey Garen.

        With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of
        MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines,
        we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined
        objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject).
        For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not
        masquerade as undefined within frame B, but it will continue to masquerade in frame A.

        There are two primary changes that are taking place here. One is to thread the ExecState* through
        JSValue::toBoolean and JSCell::toBoolean so that JSCell::toBoolean can check the object's
        JSGlobalObject to compare it to the lexical JSGlobalObject of the currently running code. If the two
        are distinct, then the object cannot MasqueradeAsUndefined.

        The other change is to perform this comparison of JSGlobalObjects everywhere where the MasqueradesAsUndefined
        flag in the Structure is checked. For C++ code, this check has been factored into its own function in
        Structure::masqueradesAsUndefined. We only perform this check in the DFG if the current JSGlobalObject has
        had a MasqueradesAsUndefined object allocated within its context. This conditional compilation is managed
        through the use of a WatchpointSet in each JSGlobalObject and alternate create() functions for JS DOM wrappers
        that are MasqueradesAsUndefined.

        * API/JSValueRef.cpp:
        (JSValueToBoolean):
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/Watchpoint.h:
        (WatchpointSet):
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::callFrame):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncSome):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBoolean):
        (JSC::callBooleanConstructor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::masqueradesAsUndefinedWatchpoint):
        * runtime/JSString.h:
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):
        * runtime/JSValue.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::toPropertyDescriptor):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/Operations.h:
        (JSC):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorMultiline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::globalObjectOffset):
        (JSC::Structure::masqueradesAsUndefined):
        (JSC):

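The cross-frame rule described in the entry above, as an added worked example that is not JavaScriptCore code and not part of this ChangeLog: a toy model in which a structure's MasqueradesAsUndefined flag only counts when the running code's global object is the one the structure was created in. GlobalObject, Structure, Cell, ExecState, cellToBoolean and cellToBooleanFastPath are hypothetical stand-ins for the JSC types and functions the entry names, and the per-global-object WatchpointSet is modelled as a plain bool that is set when a masquerading structure is created.

```cpp
#include <cstdio>

struct GlobalObject {
    // Hypothetical stand-in for the per-JSGlobalObject WatchpointSet named in the
    // entry: true once any masquerading object has been allocated in this global.
    bool masqueradesAsUndefinedObjectAllocated;
};

struct Structure {
    bool masqueradesAsUndefinedFlag; // the MasqueradesAsUndefined type flag
    GlobalObject* globalObject;      // global object this structure was created in
};

struct Cell {
    Structure* structure;
};

struct ExecState {
    GlobalObject* lexicalGlobalObject; // global object of the currently running code
};

// Allocating a masquerading object in a global object is what fires that
// global object's watchpoint in this model.
Structure makeMasqueradingStructure(GlobalObject* owner) {
    owner->masqueradesAsUndefinedObjectAllocated = true;
    Structure s = { true, owner };
    return s;
}

// Analogue of the factored-out Structure::masqueradesAsUndefined check: the flag
// only counts when the running code's global object is the structure's own.
bool structureMasqueradesAsUndefined(const Structure* s, const GlobalObject* lexicalGlobalObject) {
    return s->masqueradesAsUndefinedFlag && s->globalObject == lexicalGlobalObject;
}

// JSCell::toBoolean now takes the ExecState so it can reach the lexical global object.
bool cellToBoolean(const ExecState* exec, const Cell* cell) {
    return !structureMasqueradesAsUndefined(cell->structure, exec->lexicalGlobalObject);
}

// Model of the watchpoint-guarded fast path: if no masquerading object was ever
// allocated in the running code's global object, nothing can masquerade there,
// so the structure need not be inspected at all.
bool cellToBooleanFastPath(const ExecState* exec, const Cell* cell) {
    if (!exec->lexicalGlobalObject->masqueradesAsUndefinedObjectAllocated)
        return true;
    return cellToBoolean(exec, cell);
}

// Frame A / frame B scenario from the entry; returns true if all expectations hold.
bool crossFrameScenarioHolds() {
    GlobalObject frameA = { false };
    GlobalObject frameB = { false };
    Structure masquerading = makeMasqueradingStructure(&frameA);
    Structure ordinary = { false, &frameB }; // a plain object created in frame B
    Cell masqueradingObject = { &masquerading };
    Cell plainObject = { &ordinary };
    ExecState runningInA = { &frameA };
    ExecState runningInB = { &frameB };

    bool ok = true;
    ok = ok && !cellToBoolean(&runningInA, &masqueradingObject); // falsy at home
    ok = ok && cellToBoolean(&runningInB, &masqueradingObject);  // truthy once passed to B
    ok = ok && cellToBoolean(&runningInA, &plainObject);         // plain objects are always truthy
    ok = ok && cellToBoolean(&runningInB, &plainObject);
    // The guarded fast path agrees with the full check in every case.
    ok = ok && !cellToBooleanFastPath(&runningInA, &masqueradingObject);
    ok = ok && cellToBooleanFastPath(&runningInB, &masqueradingObject);
    ok = ok && cellToBooleanFastPath(&runningInA, &plainObject);
    ok = ok && cellToBooleanFastPath(&runningInB, &plainObject);
    return ok;
}

int main() {
    std::printf("cross-frame MasqueradesAsUndefined model holds: %s\n",
                crossFrameScenarioHolds() ? "yes" : "no");
    return crossFrameScenarioHolds() ? 0 : 1;
}
```

The fast path is sound only because masquerading is tied to the allocating global object: if the lexical global object never allocated a masquerading object, no structure can satisfy the equality check there, so the watchpoint can skip the structure inspection without changing any result.
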
2012-08-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix for !ENABLE(DFG_JIT)

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-08-13  Filip Pizlo  <fpizlo@apple.com>

        Array checks should use the structure, not the class info
        https://bugs.webkit.org/show_bug.cgi?id=93150

        Reviewed by Mark Hahnenberg.

        This changes all array checks used in array accesses (get, put, get length,
        push, pop) to use the structure, not the class info. Additionally, these
        checks in the LLInt and baseline JIT record the structure in an ArrayProfile,
        so that the DFG can know exactly what structure to check for.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ArrayProfile.cpp: Added.
        (JSC):
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * bytecode/ArrayProfile.h: Added.
        (JSC):
        (JSC::arrayModeFromStructure):
        (ArrayProfile):
        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::bytecodeOffset):
        (JSC::ArrayProfile::addressOfLastSeenStructure):
        (JSC::ArrayProfile::observeStructure):
        (JSC::ArrayProfile::expectedStructure):
        (JSC::ArrayProfile::structureIsPolymorphic):
        (JSC::ArrayProfile::hasDefiniteStructure):
        (JSC::ArrayProfile::observedArrayModes):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::getArrayProfile):
        (JSC):
        (JSC::CodeBlock::getOrAddArrayProfile):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::executionEntryCount):
        (JSC::CodeBlock::numberOfArrayProfiles):
        (JSC::CodeBlock::arrayProfiles):
        (JSC::CodeBlock::addArrayProfile):
        (CodeBlock):
        * bytecode/Instruction.h:
        (JSC):
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetArgumentByVal):
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::emitPutByVal):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::hasSingleton):
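A toy model of the profile-driven structure check described in the entry above, added here as an example; it is not the ArrayProfile implementation from JavaScriptCore. Structure, ArrayObject, ArrayProfile, baselineGetLength, chooseCheck and optimizedGetLength are hypothetical stand-ins, and the prediction rule (the first structure seen becomes the expectation, any different one marks the site polymorphic) is a simplification made for this example. It shows why recording the structure, which pins the object's shape as well as its type, lets the optimizing tier reduce the array check to one pointer comparison, and why a site that has seen several structures must stay on the generic path.

```cpp
#include <cstdio>

// Stand-in for JSC's Structure: only its identity matters here.
struct Structure {
    const char* description;
};

// Stand-in for an array-like object whose structure pins its type and shape.
struct ArrayObject {
    const Structure* structure;
    int length;
};

// Toy model of the ArrayProfile recorded at each array-access bytecode.
struct ArrayProfile {
    const Structure* lastSeenStructure;
    const Structure* expectedStructure;
    bool polymorphic;

    // Called on every lower-tier execution of the access: just record the structure.
    void observeStructure(const Structure* s) { lastSeenStructure = s; }

    // Fold the last observation into the prediction (simplified computeUpdatedPrediction).
    void computeUpdatedPrediction() {
        if (!lastSeenStructure)
            return;
        if (!expectedStructure)
            expectedStructure = lastSeenStructure;
        else if (expectedStructure != lastSeenStructure)
            polymorphic = true;
    }

    bool structureIsPolymorphic() const { return polymorphic; }
    bool hasDefiniteStructure() const { return expectedStructure != nullptr && !polymorphic; }
};

ArrayProfile makeProfile() {
    ArrayProfile p = { nullptr, nullptr, false };
    return p;
}

// Simulated LLInt/baseline execution of "get length": record, then take the generic path.
int baselineGetLength(ArrayProfile& profile, const ArrayObject& a) {
    profile.observeStructure(a.structure);
    profile.computeUpdatedPrediction();
    return a.length;
}

enum class ArrayCheck { ExactStructure, Generic };

// What the optimizing tier chooses for the site based on its profile.
ArrayCheck chooseCheck(const ArrayProfile& profile) {
    return profile.hasDefiniteStructure() ? ArrayCheck::ExactStructure : ArrayCheck::Generic;
}

// The speculative fast path compares the structure pointer with the profiled one;
// in a real engine a mismatch would exit to the baseline, here it returns -1.
int optimizedGetLength(const ArrayProfile& profile, const ArrayObject& a) {
    if (chooseCheck(profile) == ArrayCheck::ExactStructure && a.structure != profile.expectedStructure)
        return -1;
    return a.length;
}

// Monomorphic site: one structure observed repeatedly, so the exact check is used.
bool monomorphicSiteUsesStructureCheck() {
    Structure arrayStructure = { "Array, int storage" }; // constructed sample
    ArrayObject arr = { &arrayStructure, 3 };
    ArrayProfile profile = makeProfile();
    for (int i = 0; i < 10; ++i)
        baselineGetLength(profile, arr);
    return chooseCheck(profile) == ArrayCheck::ExactStructure && optimizedGetLength(profile, arr) == 3;
}

// Polymorphic site: two structures seen, so the profile refuses to predict one.
bool polymorphicSiteFallsBackToGeneric() {
    Structure first = { "Array, int storage" };
    Structure second = { "Array, double storage" };
    ArrayObject a = { &first, 2 };
    ArrayObject b = { &second, 5 };
    ArrayProfile profile = makeProfile();
    baselineGetLength(profile, a);
    baselineGetLength(profile, b);
    return profile.structureIsPolymorphic() && chooseCheck(profile) == ArrayCheck::Generic
        && optimizedGetLength(profile, b) == 5;
}

// An object of a different structure reaching a monomorphic site is caught, not treated as an array.
bool mismatchIsCaught() {
    Structure profiled = { "Array" };
    Structure other = { "Arguments" };
    ArrayObject arr = { &profiled, 1 };
    ArrayObject impostor = { &other, 9 };
    ArrayProfile profile = makeProfile();
    baselineGetLength(profile, arr);
    return optimizedGetLength(profile, impostor) == -1;
}

int main() {
    bool ok = monomorphicSiteUsesStructureCheck() && polymorphicSiteFallsBackToGeneric() && mismatchIsCaught();
    std::printf("array profile model holds: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The third scenario is the one that matters for safety: a class-info check would accept any object of the right C++ class, whereas the structure check rejects anything whose structure differs from the profiled one, so the optimized code never operates on a layout it did not speculate on.
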