<https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-08-15  Oliver Hunt  <oliver@apple.com>
2
3         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
4
5         Reviewed by Filip Pizlo.
6
7         Make sure dfgCapabilities doesn't report a Dynamic put as
8         being compilable when we don't actually support it.  
9
10         * bytecode/CodeBlock.cpp:
11         (JSC::CodeBlock::dumpBytecode):
12         * dfg/DFGCapabilities.cpp:
13         (JSC::DFG::capabilityLevel):
14
15 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
16
17         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
18         https://bugs.webkit.org/show_bug.cgi?id=119847
19
20         Reviewed by Oliver Hunt.
21
22         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
23         * runtime/ArrayBufferView.h: Ditto.
24
25 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
26
27         https://bugs.webkit.org/show_bug.cgi?id=119843
28         PropertySlot::setValue is ambiguous
29
30         Reviewed by Geoff Garen.
31
32         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
33         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
34         Unify on always providing the object, and remove the version that just takes a value.
35         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
36         Provide a version of setValue that takes a JSString as the owner of the property.
37         We won't store this, but it makes it clear that this interface should only be used from JSString.
38
39         * API/JSCallbackObjectFunctions.h:
40         (JSC::::getOwnPropertySlot):
41         * JSCTypedArrayStubs.h:
42         * runtime/Arguments.cpp:
43         (JSC::Arguments::getOwnPropertySlotByIndex):
44         (JSC::Arguments::getOwnPropertySlot):
45         * runtime/JSActivation.cpp:
46         (JSC::JSActivation::symbolTableGet):
47         (JSC::JSActivation::getOwnPropertySlot):
48         * runtime/JSArray.cpp:
49         (JSC::JSArray::getOwnPropertySlot):
50         * runtime/JSObject.cpp:
51         (JSC::JSObject::getOwnPropertySlotByIndex):
52         * runtime/JSString.h:
53         (JSC::JSString::getStringPropertySlot):
54         * runtime/JSSymbolTableObject.h:
55         (JSC::symbolTableGet):
56         * runtime/SparseArrayValueMap.cpp:
57         (JSC::SparseArrayEntry::get):
58             - Pass object containing property to PropertySlot::setValue
59         * runtime/PropertySlot.h:
60         (JSC::PropertySlot::setValue):
61             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
62         (JSC::PropertySlot::setUndefined):
63             - removed setValue(JSValue), added setValue(JSString*, JSValue)
64
65 2013-08-15  Oliver Hunt  <oliver@apple.com>
66
67         Remove bogus assertion.
68
69         RS=Filip Pizlo
70
71         * dfg/DFGAbstractInterpreterInlines.h:
72         (JSC::DFG::::executeEffects):
73
74 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
75
76         REGRESSION(r148790) Made 7 tests fail on x86 32bit
77         https://bugs.webkit.org/show_bug.cgi?id=114913
78
79         Reviewed by Filip Pizlo.
80
81         The X87 register was not freed before some calls. Instead
82         of inserting resetX87Registers to the last call sites,
83         the two X87 registers are now freed in every call.
84
85         * llint/LowLevelInterpreter32_64.asm:
86         * llint/LowLevelInterpreter64.asm:
87         * offlineasm/instructions.rb:
88         * offlineasm/x86.rb:
89
90 2013-08-14  Michael Saboff  <msaboff@apple.com>
91
92         Fixed jit on Win64.
93         https://bugs.webkit.org/show_bug.cgi?id=119601
94
95         Reviewed by Oliver Hunt.
96
97         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
98         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
99         * jit/SlowPathCall.h:
100         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
101
102 2013-08-14  Alex Christensen  <achristensen@apple.com>
103
104         Compile fix for Win64 with jit disabled.
105         https://bugs.webkit.org/show_bug.cgi?id=119804
106
107         Reviewed by Michael Saboff.
108
109         * offlineasm/cloop.rb: Added std:: before isnan.
110
111 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
112
113         DFG_JIT implementation for sh4 architecture.
114         https://bugs.webkit.org/show_bug.cgi?id=119737
115
116         Reviewed by Oliver Hunt.
117
118         * assembler/MacroAssemblerSH4.h:
119         (JSC::MacroAssemblerSH4::invert):
120         (JSC::MacroAssemblerSH4::add32):
121         (JSC::MacroAssemblerSH4::and32):
122         (JSC::MacroAssemblerSH4::lshift32):
123         (JSC::MacroAssemblerSH4::mul32):
124         (JSC::MacroAssemblerSH4::or32):
125         (JSC::MacroAssemblerSH4::rshift32):
126         (JSC::MacroAssemblerSH4::sub32):
127         (JSC::MacroAssemblerSH4::xor32):
128         (JSC::MacroAssemblerSH4::store32):
129         (JSC::MacroAssemblerSH4::swapDouble):
130         (JSC::MacroAssemblerSH4::storeDouble):
131         (JSC::MacroAssemblerSH4::subDouble):
132         (JSC::MacroAssemblerSH4::mulDouble):
133         (JSC::MacroAssemblerSH4::divDouble):
134         (JSC::MacroAssemblerSH4::negateDouble):
135         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
136         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
137         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
138         (JSC::MacroAssemblerSH4::swap):
139         (JSC::MacroAssemblerSH4::jump):
140         (JSC::MacroAssemblerSH4::branchNeg32):
141         (JSC::MacroAssemblerSH4::branchAdd32):
142         (JSC::MacroAssemblerSH4::branchMul32):
143         (JSC::MacroAssemblerSH4::urshift32):
144         * assembler/SH4Assembler.h:
145         (JSC::SH4Assembler::SH4Assembler):
146         (JSC::SH4Assembler::labelForWatchpoint):
147         (JSC::SH4Assembler::label):
148         (JSC::SH4Assembler::debugOffset):
149         * dfg/DFGAssemblyHelpers.h:
150         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
151         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
152         (JSC::DFG::AssemblyHelpers::debugCall):
153         * dfg/DFGCCallHelpers.h:
154         (JSC::DFG::CCallHelpers::setupArguments):
155         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
156         * dfg/DFGFPRInfo.h:
157         (JSC::DFG::FPRInfo::toRegister):
158         (JSC::DFG::FPRInfo::toIndex):
159         (JSC::DFG::FPRInfo::debugName):
160         * dfg/DFGGPRInfo.h:
161         (JSC::DFG::GPRInfo::toRegister):
162         (JSC::DFG::GPRInfo::toIndex):
163         (JSC::DFG::GPRInfo::debugName):
164         * dfg/DFGOperations.cpp:
165         * dfg/DFGSpeculativeJIT.h:
166         (JSC::DFG::SpeculativeJIT::callOperation):
167         * jit/JITStubs.h:
168         * jit/JITStubsSH4.h:
169
170 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
171
172         Unreviewed, fix build.
173
174         * API/JSValue.mm:
175         (isDate):
176         (isArray):
177         * API/JSWrapperMap.mm:
178         (tryUnwrapObjcObject):
179         * API/ObjCCallbackFunction.mm:
180         (tryUnwrapBlock):
181
182 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
183
184         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
185         https://bugs.webkit.org/show_bug.cgi?id=119770
186
187         Reviewed by Mark Hahnenberg.
188
189         * API/JSCallbackConstructor.cpp:
190         (JSC::JSCallbackConstructor::finishCreation):
191         * API/JSCallbackConstructor.h:
192         (JSC::JSCallbackConstructor::createStructure):
193         * API/JSCallbackFunction.cpp:
194         (JSC::JSCallbackFunction::finishCreation):
195         * API/JSCallbackFunction.h:
196         (JSC::JSCallbackFunction::createStructure):
197         * API/JSCallbackObject.cpp:
198         (JSC::::createStructure):
199         * API/JSCallbackObject.h:
200         (JSC::JSCallbackObject::visitChildren):
201         * API/JSCallbackObjectFunctions.h:
202         (JSC::::asCallbackObject):
203         (JSC::::finishCreation):
204         * API/JSObjectRef.cpp:
205         (JSObjectGetPrivate):
206         (JSObjectSetPrivate):
207         (JSObjectGetPrivateProperty):
208         (JSObjectSetPrivateProperty):
209         (JSObjectDeletePrivateProperty):
210         * API/JSValueRef.cpp:
211         (JSValueIsObjectOfClass):
212         * API/JSWeakObjectMapRefPrivate.cpp:
213         * API/ObjCCallbackFunction.h:
214         (JSC::ObjCCallbackFunction::createStructure):
215         * JSCTypedArrayStubs.h:
216         * bytecode/CallLinkStatus.cpp:
217         (JSC::CallLinkStatus::CallLinkStatus):
218         (JSC::CallLinkStatus::function):
219         (JSC::CallLinkStatus::internalFunction):
220         * bytecode/CodeBlock.h:
221         (JSC::baselineCodeBlockForInlineCallFrame):
222         * bytecode/SpeculatedType.cpp:
223         (JSC::speculationFromClassInfo):
224         * bytecode/UnlinkedCodeBlock.cpp:
225         (JSC::UnlinkedFunctionExecutable::visitChildren):
226         (JSC::UnlinkedCodeBlock::visitChildren):
227         (JSC::UnlinkedProgramCodeBlock::visitChildren):
228         * bytecode/UnlinkedCodeBlock.h:
229         (JSC::UnlinkedFunctionExecutable::createStructure):
230         (JSC::UnlinkedProgramCodeBlock::createStructure):
231         (JSC::UnlinkedEvalCodeBlock::createStructure):
232         (JSC::UnlinkedFunctionCodeBlock::createStructure):
233         * debugger/Debugger.cpp:
234         * debugger/DebuggerActivation.cpp:
235         (JSC::DebuggerActivation::visitChildren):
236         * debugger/DebuggerActivation.h:
237         (JSC::DebuggerActivation::createStructure):
238         * debugger/DebuggerCallFrame.cpp:
239         (JSC::DebuggerCallFrame::functionName):
240         * dfg/DFGAbstractInterpreterInlines.h:
241         (JSC::DFG::::executeEffects):
242         * dfg/DFGByteCodeParser.cpp:
243         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
244         (JSC::DFG::ByteCodeParser::parseBlock):
245         * dfg/DFGFixupPhase.cpp:
246         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
247         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
248         * dfg/DFGGraph.cpp:
249         (JSC::DFG::Graph::dump):
250         * dfg/DFGGraph.h:
251         (JSC::DFG::Graph::isInternalFunctionConstant):
252         * dfg/DFGOperations.cpp:
253         * dfg/DFGSpeculativeJIT.cpp:
254         (JSC::DFG::SpeculativeJIT::checkArray):
255         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
256         * dfg/DFGThunks.cpp:
257         (JSC::DFG::virtualForThunkGenerator):
258         * interpreter/Interpreter.cpp:
259         (JSC::loadVarargs):
260         * jsc.cpp:
261         (GlobalObject::createStructure):
262         * profiler/LegacyProfiler.cpp:
263         (JSC::LegacyProfiler::createCallIdentifier):
264         * runtime/Arguments.cpp:
265         (JSC::Arguments::visitChildren):
266         * runtime/Arguments.h:
267         (JSC::Arguments::createStructure):
268         (JSC::asArguments):
269         (JSC::Arguments::finishCreation):
270         * runtime/ArrayConstructor.cpp:
271         (JSC::arrayConstructorIsArray):
272         * runtime/ArrayConstructor.h:
273         (JSC::ArrayConstructor::createStructure):
274         * runtime/ArrayPrototype.cpp:
275         (JSC::ArrayPrototype::finishCreation):
276         (JSC::arrayProtoFuncConcat):
277         (JSC::attemptFastSort):
278         * runtime/ArrayPrototype.h:
279         (JSC::ArrayPrototype::createStructure):
280         * runtime/BooleanConstructor.h:
281         (JSC::BooleanConstructor::createStructure):
282         * runtime/BooleanObject.cpp:
283         (JSC::BooleanObject::finishCreation):
284         * runtime/BooleanObject.h:
285         (JSC::BooleanObject::createStructure):
286         (JSC::asBooleanObject):
287         * runtime/BooleanPrototype.cpp:
288         (JSC::BooleanPrototype::finishCreation):
289         (JSC::booleanProtoFuncToString):
290         (JSC::booleanProtoFuncValueOf):
291         * runtime/BooleanPrototype.h:
292         (JSC::BooleanPrototype::createStructure):
293         * runtime/DateConstructor.cpp:
294         (JSC::constructDate):
295         * runtime/DateConstructor.h:
296         (JSC::DateConstructor::createStructure):
297         * runtime/DateInstance.cpp:
298         (JSC::DateInstance::finishCreation):
299         * runtime/DateInstance.h:
300         (JSC::DateInstance::createStructure):
301         (JSC::asDateInstance):
302         * runtime/DatePrototype.cpp:
303         (JSC::formateDateInstance):
304         (JSC::DatePrototype::finishCreation):
305         (JSC::dateProtoFuncToISOString):
306         (JSC::dateProtoFuncToLocaleString):
307         (JSC::dateProtoFuncToLocaleDateString):
308         (JSC::dateProtoFuncToLocaleTimeString):
309         (JSC::dateProtoFuncGetTime):
310         (JSC::dateProtoFuncGetFullYear):
311         (JSC::dateProtoFuncGetUTCFullYear):
312         (JSC::dateProtoFuncGetMonth):
313         (JSC::dateProtoFuncGetUTCMonth):
314         (JSC::dateProtoFuncGetDate):
315         (JSC::dateProtoFuncGetUTCDate):
316         (JSC::dateProtoFuncGetDay):
317         (JSC::dateProtoFuncGetUTCDay):
318         (JSC::dateProtoFuncGetHours):
319         (JSC::dateProtoFuncGetUTCHours):
320         (JSC::dateProtoFuncGetMinutes):
321         (JSC::dateProtoFuncGetUTCMinutes):
322         (JSC::dateProtoFuncGetSeconds):
323         (JSC::dateProtoFuncGetUTCSeconds):
324         (JSC::dateProtoFuncGetMilliSeconds):
325         (JSC::dateProtoFuncGetUTCMilliseconds):
326         (JSC::dateProtoFuncGetTimezoneOffset):
327         (JSC::dateProtoFuncSetTime):
328         (JSC::setNewValueFromTimeArgs):
329         (JSC::setNewValueFromDateArgs):
330         (JSC::dateProtoFuncSetYear):
331         (JSC::dateProtoFuncGetYear):
332         * runtime/DatePrototype.h:
333         (JSC::DatePrototype::createStructure):
334         * runtime/Error.h:
335         (JSC::StrictModeTypeErrorFunction::createStructure):
336         * runtime/ErrorConstructor.h:
337         (JSC::ErrorConstructor::createStructure):
338         * runtime/ErrorInstance.cpp:
339         (JSC::ErrorInstance::finishCreation):
340         * runtime/ErrorInstance.h:
341         (JSC::ErrorInstance::createStructure):
342         * runtime/ErrorPrototype.cpp:
343         (JSC::ErrorPrototype::finishCreation):
344         * runtime/ErrorPrototype.h:
345         (JSC::ErrorPrototype::createStructure):
346         * runtime/ExceptionHelpers.cpp:
347         (JSC::isTerminatedExecutionException):
348         * runtime/ExceptionHelpers.h:
349         (JSC::TerminatedExecutionError::createStructure):
350         * runtime/Executable.cpp:
351         (JSC::EvalExecutable::visitChildren):
352         (JSC::ProgramExecutable::visitChildren):
353         (JSC::FunctionExecutable::visitChildren):
354         (JSC::ExecutableBase::hashFor):
355         * runtime/Executable.h:
356         (JSC::ExecutableBase::createStructure):
357         (JSC::NativeExecutable::createStructure):
358         (JSC::EvalExecutable::createStructure):
359         (JSC::ProgramExecutable::createStructure):
360         (JSC::FunctionExecutable::compileFor):
361         (JSC::FunctionExecutable::compileOptimizedFor):
362         (JSC::FunctionExecutable::createStructure):
363         * runtime/FunctionConstructor.h:
364         (JSC::FunctionConstructor::createStructure):
365         * runtime/FunctionPrototype.cpp:
366         (JSC::functionProtoFuncToString):
367         (JSC::functionProtoFuncApply):
368         (JSC::functionProtoFuncBind):
369         * runtime/FunctionPrototype.h:
370         (JSC::FunctionPrototype::createStructure):
371         * runtime/GetterSetter.cpp:
372         (JSC::GetterSetter::visitChildren):
373         * runtime/GetterSetter.h:
374         (JSC::GetterSetter::createStructure):
375         * runtime/InternalFunction.cpp:
376         (JSC::InternalFunction::finishCreation):
377         * runtime/InternalFunction.h:
378         (JSC::InternalFunction::createStructure):
379         (JSC::asInternalFunction):
380         * runtime/JSAPIValueWrapper.h:
381         (JSC::JSAPIValueWrapper::createStructure):
382         * runtime/JSActivation.cpp:
383         (JSC::JSActivation::visitChildren):
384         (JSC::JSActivation::argumentsGetter):
385         * runtime/JSActivation.h:
386         (JSC::JSActivation::createStructure):
387         (JSC::asActivation):
388         * runtime/JSArray.h:
389         (JSC::JSArray::createStructure):
390         (JSC::asArray):
391         (JSC::isJSArray):
392         * runtime/JSBoundFunction.cpp:
393         (JSC::JSBoundFunction::finishCreation):
394         (JSC::JSBoundFunction::visitChildren):
395         * runtime/JSBoundFunction.h:
396         (JSC::JSBoundFunction::createStructure):
397         * runtime/JSCJSValue.cpp:
398         (JSC::JSValue::dumpInContext):
399         * runtime/JSCJSValueInlines.h:
400         (JSC::JSValue::isFunction):
401         * runtime/JSCell.h:
402         (JSC::jsCast):
403         (JSC::jsDynamicCast):
404         * runtime/JSCellInlines.h:
405         (JSC::allocateCell):
406         * runtime/JSFunction.cpp:
407         (JSC::JSFunction::finishCreation):
408         (JSC::JSFunction::visitChildren):
409         (JSC::skipOverBoundFunctions):
410         (JSC::JSFunction::callerGetter):
411         * runtime/JSFunction.h:
412         (JSC::JSFunction::createStructure):
413         * runtime/JSGlobalObject.cpp:
414         (JSC::JSGlobalObject::visitChildren):
415         (JSC::slowValidateCell):
416         * runtime/JSGlobalObject.h:
417         (JSC::JSGlobalObject::createStructure):
418         * runtime/JSNameScope.cpp:
419         (JSC::JSNameScope::visitChildren):
420         * runtime/JSNameScope.h:
421         (JSC::JSNameScope::createStructure):
422         * runtime/JSNotAnObject.h:
423         (JSC::JSNotAnObject::createStructure):
424         * runtime/JSONObject.cpp:
425         (JSC::JSONObject::finishCreation):
426         (JSC::unwrapBoxedPrimitive):
427         (JSC::Stringifier::Stringifier):
428         (JSC::Stringifier::appendStringifiedValue):
429         (JSC::Stringifier::Holder::Holder):
430         (JSC::Walker::walk):
431         (JSC::JSONProtoFuncStringify):
432         * runtime/JSONObject.h:
433         (JSC::JSONObject::createStructure):
434         * runtime/JSObject.cpp:
435         (JSC::getCallableObjectSlow):
436         (JSC::JSObject::visitChildren):
437         (JSC::JSObject::copyBackingStore):
438         (JSC::JSFinalObject::visitChildren):
439         (JSC::JSObject::ensureInt32Slow):
440         (JSC::JSObject::ensureDoubleSlow):
441         (JSC::JSObject::ensureContiguousSlow):
442         (JSC::JSObject::ensureArrayStorageSlow):
443         * runtime/JSObject.h:
444         (JSC::JSObject::finishCreation):
445         (JSC::JSObject::createStructure):
446         (JSC::JSNonFinalObject::createStructure):
447         (JSC::JSFinalObject::createStructure):
448         (JSC::isJSFinalObject):
449         * runtime/JSPropertyNameIterator.cpp:
450         (JSC::JSPropertyNameIterator::visitChildren):
451         * runtime/JSPropertyNameIterator.h:
452         (JSC::JSPropertyNameIterator::createStructure):
453         * runtime/JSProxy.cpp:
454         (JSC::JSProxy::visitChildren):
455         * runtime/JSProxy.h:
456         (JSC::JSProxy::createStructure):
457         * runtime/JSScope.cpp:
458         (JSC::JSScope::visitChildren):
459         * runtime/JSSegmentedVariableObject.cpp:
460         (JSC::JSSegmentedVariableObject::visitChildren):
461         * runtime/JSString.h:
462         (JSC::JSString::createStructure):
463         (JSC::isJSString):
464         * runtime/JSSymbolTableObject.cpp:
465         (JSC::JSSymbolTableObject::visitChildren):
466         * runtime/JSVariableObject.h:
467         * runtime/JSWithScope.cpp:
468         (JSC::JSWithScope::visitChildren):
469         * runtime/JSWithScope.h:
470         (JSC::JSWithScope::createStructure):
471         * runtime/JSWrapperObject.cpp:
472         (JSC::JSWrapperObject::visitChildren):
473         * runtime/JSWrapperObject.h:
474         (JSC::JSWrapperObject::createStructure):
475         * runtime/MathObject.cpp:
476         (JSC::MathObject::finishCreation):
477         * runtime/MathObject.h:
478         (JSC::MathObject::createStructure):
479         * runtime/NameConstructor.h:
480         (JSC::NameConstructor::createStructure):
481         * runtime/NameInstance.h:
482         (JSC::NameInstance::createStructure):
483         (JSC::NameInstance::finishCreation):
484         * runtime/NamePrototype.cpp:
485         (JSC::NamePrototype::finishCreation):
486         (JSC::privateNameProtoFuncToString):
487         * runtime/NamePrototype.h:
488         (JSC::NamePrototype::createStructure):
489         * runtime/NativeErrorConstructor.cpp:
490         (JSC::NativeErrorConstructor::visitChildren):
491         * runtime/NativeErrorConstructor.h:
492         (JSC::NativeErrorConstructor::createStructure):
493         (JSC::NativeErrorConstructor::finishCreation):
494         * runtime/NumberConstructor.cpp:
495         (JSC::NumberConstructor::finishCreation):
496         * runtime/NumberConstructor.h:
497         (JSC::NumberConstructor::createStructure):
498         * runtime/NumberObject.cpp:
499         (JSC::NumberObject::finishCreation):
500         * runtime/NumberObject.h:
501         (JSC::NumberObject::createStructure):
502         * runtime/NumberPrototype.cpp:
503         (JSC::NumberPrototype::finishCreation):
504         * runtime/NumberPrototype.h:
505         (JSC::NumberPrototype::createStructure):
506         * runtime/ObjectConstructor.h:
507         (JSC::ObjectConstructor::createStructure):
508         * runtime/ObjectPrototype.cpp:
509         (JSC::ObjectPrototype::finishCreation):
510         * runtime/ObjectPrototype.h:
511         (JSC::ObjectPrototype::createStructure):
512         * runtime/PropertyMapHashTable.h:
513         (JSC::PropertyTable::createStructure):
514         * runtime/PropertyTable.cpp:
515         (JSC::PropertyTable::visitChildren):
516         * runtime/RegExp.h:
517         (JSC::RegExp::createStructure):
518         * runtime/RegExpConstructor.cpp:
519         (JSC::RegExpConstructor::finishCreation):
520         (JSC::RegExpConstructor::visitChildren):
521         (JSC::constructRegExp):
522         * runtime/RegExpConstructor.h:
523         (JSC::RegExpConstructor::createStructure):
524         (JSC::asRegExpConstructor):
525         * runtime/RegExpMatchesArray.cpp:
526         (JSC::RegExpMatchesArray::visitChildren):
527         * runtime/RegExpMatchesArray.h:
528         (JSC::RegExpMatchesArray::createStructure):
529         * runtime/RegExpObject.cpp:
530         (JSC::RegExpObject::finishCreation):
531         (JSC::RegExpObject::visitChildren):
532         * runtime/RegExpObject.h:
533         (JSC::RegExpObject::createStructure):
534         (JSC::asRegExpObject):
535         * runtime/RegExpPrototype.cpp:
536         (JSC::regExpProtoFuncTest):
537         (JSC::regExpProtoFuncExec):
538         (JSC::regExpProtoFuncCompile):
539         (JSC::regExpProtoFuncToString):
540         * runtime/RegExpPrototype.h:
541         (JSC::RegExpPrototype::createStructure):
542         * runtime/SparseArrayValueMap.cpp:
543         (JSC::SparseArrayValueMap::createStructure):
544         * runtime/SparseArrayValueMap.h:
545         * runtime/StrictEvalActivation.h:
546         (JSC::StrictEvalActivation::createStructure):
547         * runtime/StringConstructor.h:
548         (JSC::StringConstructor::createStructure):
549         * runtime/StringObject.cpp:
550         (JSC::StringObject::finishCreation):
551         * runtime/StringObject.h:
552         (JSC::StringObject::createStructure):
553         (JSC::asStringObject):
554         * runtime/StringPrototype.cpp:
555         (JSC::StringPrototype::finishCreation):
556         (JSC::stringProtoFuncReplace):
557         (JSC::stringProtoFuncToString):
558         (JSC::stringProtoFuncMatch):
559         (JSC::stringProtoFuncSearch):
560         (JSC::stringProtoFuncSplit):
561         * runtime/StringPrototype.h:
562         (JSC::StringPrototype::createStructure):
563         * runtime/Structure.cpp:
564         (JSC::Structure::Structure):
565         (JSC::Structure::materializePropertyMap):
566         (JSC::Structure::get):
567         (JSC::Structure::visitChildren):
568         * runtime/Structure.h:
569         (JSC::Structure::typeInfo):
570         (JSC::Structure::previousID):
571         (JSC::Structure::outOfLineSize):
572         (JSC::Structure::totalStorageCapacity):
573         (JSC::Structure::materializePropertyMapIfNecessary):
574         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
575         * runtime/StructureChain.cpp:
576         (JSC::StructureChain::visitChildren):
577         * runtime/StructureChain.h:
578         (JSC::StructureChain::createStructure):
579         * runtime/StructureInlines.h:
580         (JSC::Structure::get):
581         * runtime/StructureRareData.cpp:
582         (JSC::StructureRareData::createStructure):
583         (JSC::StructureRareData::visitChildren):
584         * runtime/StructureRareData.h:
585         * runtime/SymbolTable.h:
586         (JSC::SharedSymbolTable::createStructure):
587         * runtime/VM.cpp:
588         (JSC::VM::VM):
589         (JSC::StackPreservingRecompiler::operator()):
590         (JSC::VM::releaseExecutableMemory):
591         * runtime/WriteBarrier.h:
592         (JSC::validateCell):
593         * testRegExp.cpp:
594         (GlobalObject::createStructure):
595
596 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
597
598         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
599         https://bugs.webkit.org/show_bug.cgi?id=119762
600
601         Reviewed by Geoffrey Garen.
602
603         * heap/Heap.cpp:
604         (JSC::Heap::Heap):
605         (JSC::Heap::markRoots):
606         (JSC::Heap::collect):
607         * jsc.cpp:
608         (StopWatch::start):
609         (StopWatch::stop):
610         * testRegExp.cpp:
611         (StopWatch::start):
612         (StopWatch::stop):
613
614 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
615
616         [sh4] Prepare LLINT for DFG_JIT implementation.
617         https://bugs.webkit.org/show_bug.cgi?id=119755
618
619         Reviewed by Oliver Hunt.
620
621         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
622         * offlineasm/sh4.rb:
623             - Handle storeb opcode.
624             - Make relative jumps when possible using braf opcode.
625             - Update bmulio implementation to be consistent with baseline JIT.
626             - Remove useless code from leap opcode.
627             - Fix incorrect comment.
628
629 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
630
631         [sh4] Prepare baseline JIT for DFG_JIT implementation.
632         https://bugs.webkit.org/show_bug.cgi?id=119758
633
634         Reviewed by Oliver Hunt.
635
636         * assembler/MacroAssemblerSH4.h:
637             - Introduce a loadEffectiveAddress function to avoid code duplication.
638             - Add ASSERTs and clean code.
639         * assembler/SH4Assembler.h:
640             - Prepare DFG_JIT implementation.
641             - Add ASSERTs.
642         * jit/JITStubs.cpp:
643             - Add SH4 specific call for assertions.
644         * jit/JITStubs.h:
645             - Cosmetic change.
646         * jit/JITStubsSH4.h:
647             - Use constants to be more flexible with sh4 JIT stack frame.
648         * jit/JSInterfaceJIT.h:
649             - Cosmetic change.
650
651 2013-08-13  Oliver Hunt  <oliver@apple.com>
652
653         Harden executeConstruct against incorrect return types from host functions
654         https://bugs.webkit.org/show_bug.cgi?id=119757
655
656         Reviewed by Mark Hahnenberg.
657
658         Add logic to guard against bogus return types.  There doesn't seem to be any
659         class in webkit that does this wrong, but the typed array stubs in debug JSC
660         do exhibit this bad behaviour.
661
662         * interpreter/Interpreter.cpp:
663         (JSC::Interpreter::executeConstruct):
664
665 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
666
667         [Qt] Fix C++11 build with gcc 4.4 and 4.5
668         https://bugs.webkit.org/show_bug.cgi?id=119736
669
670         Reviewed by Anders Carlsson.
671
672         Don't force C++11 mode off anymore.
673
674         * Target.pri:
675
676 2013-08-12  Oliver Hunt  <oliver@apple.com>
677
678         Remove CodeBlock's notion of adding identifiers entirely
679         https://bugs.webkit.org/show_bug.cgi?id=119708
680
681         Reviewed by Geoffrey Garen.
682
683         Remove addAdditionalIdentifier entirely, including the bogus assertion.
684         Move the addition of identifiers to DFGPlan::reallyAdd
685
686         * bytecode/CodeBlock.h:
687         * dfg/DFGDesiredIdentifiers.cpp:
688         (JSC::DFG::DesiredIdentifiers::reallyAdd):
689         * dfg/DFGDesiredIdentifiers.h:
690         * dfg/DFGPlan.cpp:
691         (JSC::DFG::Plan::reallyAdd):
692         (JSC::DFG::Plan::finalize):
693         * dfg/DFGPlan.h:
694
695 2013-08-12  Oliver Hunt  <oliver@apple.com>
696
697         Build fix
698
699         * runtime/JSCell.h:
700
701 2013-08-12  Oliver Hunt  <oliver@apple.com>
702
703         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
704         https://bugs.webkit.org/show_bug.cgi?id=119705
705
706         Reviewed by Geoffrey Garen.
707
708         Relatively trivial refactoring
709
710         * bytecode/CodeBlock.h:
711         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
712         (JSC::CodeBlock::addAdditionalIdentifier):
713         (JSC::CodeBlock::identifier):
714         (JSC::CodeBlock::numberOfIdentifiers):
715         * dfg/DFGCommonData.h:
716
717 2013-08-12  Oliver Hunt  <oliver@apple.com>
718
719         Stop making unnecessary copy of CodeBlock Identifier Vector
720         https://bugs.webkit.org/show_bug.cgi?id=119702
721
722         Reviewed by Michael Saboff.
723
724         Make CodeBlock simply use a separate Vector for additional Identifiers
725         and use the UnlinkedCodeBlock for the initial set of identifiers.
726
727         * bytecode/CodeBlock.cpp:
728         (JSC::CodeBlock::printGetByIdOp):
729         (JSC::dumpStructure):
730         (JSC::dumpChain):
731         (JSC::CodeBlock::printGetByIdCacheStatus):
732         (JSC::CodeBlock::printPutByIdOp):
733         (JSC::CodeBlock::dumpBytecode):
734         (JSC::CodeBlock::CodeBlock):
735         (JSC::CodeBlock::shrinkToFit):
736         * bytecode/CodeBlock.h:
737         (JSC::CodeBlock::numberOfIdentifiers):
738         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
739         (JSC::CodeBlock::addAdditionalIdentifier):
740         (JSC::CodeBlock::identifier):
741         * dfg/DFGDesiredIdentifiers.cpp:
742         (JSC::DFG::DesiredIdentifiers::reallyAdd):
743         * jit/JIT.h:
744         * jit/JITOpcodes.cpp:
745         (JSC::JIT::emitSlow_op_get_arguments_length):
746         * jit/JITPropertyAccess.cpp:
747         (JSC::JIT::emit_op_get_by_id):
748         (JSC::JIT::compileGetByIdHotPath):
749         (JSC::JIT::emitSlow_op_get_by_id):
750         (JSC::JIT::compileGetByIdSlowCase):
751         (JSC::JIT::emitSlow_op_put_by_id):
752         * jit/JITPropertyAccess32_64.cpp:
753         (JSC::JIT::emit_op_get_by_id):
754         (JSC::JIT::compileGetByIdHotPath):
755         (JSC::JIT::compileGetByIdSlowCase):
756         * jit/JITStubs.cpp:
757         (JSC::DEFINE_STUB_FUNCTION):
758         * llint/LLIntSlowPaths.cpp:
759         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
760
761 2013-08-08  Mark Lam  <mark.lam@apple.com>
762
763         Restoring use of StackIterator instead of Interpreter::getStacktrace().
764         https://bugs.webkit.org/show_bug.cgi?id=119575.
765
766         Reviewed by Oliver Hunt.
767
768         * interpreter/Interpreter.h:
769         - Made getStackTrace() private.
770         * interpreter/StackIterator.cpp:
771         (JSC::StackIterator::StackIterator):
772         (JSC::StackIterator::numberOfFrames):
773         - Computes the number of frames by iterating through the whole stack
774           from the starting frame. The iterator will save its current frame
775           position before counting the frames, and then restore it after
776           the counting.
777         (JSC::StackIterator::gotoFrameAtIndex):
778         (JSC::StackIterator::gotoNextFrame):
779         (JSC::StackIterator::resetIterator):
780         - Points the iterator to the starting frame.
781         * interpreter/StackIteratorPrivate.h:
782
783 2013-08-08  Mark Lam  <mark.lam@apple.com>
784
785         Moved ErrorConstructor and NativeErrorConstructor helper functions into
786         the Interpreter class.
787         https://bugs.webkit.org/show_bug.cgi?id=119576.
788
789         Reviewed by Oliver Hunt.
790
791         This change is needed to prepare for making Interpreter::getStackTrace()
792         private. It does not change the behavior of the code, only the lexical
793         scoping.
794
795         * interpreter/Interpreter.h:
796         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
797         * runtime/ErrorConstructor.cpp:
798         (JSC::Interpreter::constructWithErrorConstructor):
799         (JSC::ErrorConstructor::getConstructData):
800         (JSC::Interpreter::callErrorConstructor):
801         (JSC::ErrorConstructor::getCallData):
802         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
803           directly. So, we moved the helper functions into the Interpreter
804           class.
805         * runtime/NativeErrorConstructor.cpp:
806         (JSC::Interpreter::constructWithNativeErrorConstructor):
807         (JSC::NativeErrorConstructor::getConstructData):
808         (JSC::Interpreter::callNativeErrorConstructor):
809         (JSC::NativeErrorConstructor::getCallData):
810         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
811           directly. So, we moved the helper functions into the Interpreter
812           class.
813
814 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
815
816         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
817         https://bugs.webkit.org/show_bug.cgi?id=119555
818
819         Reviewed by Geoffrey Garen.
820
821         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
822         This was causing crashes on maps.google.com in 32-bit debug builds.
823
824         * dfg/DFGSpeculativeJIT32_64.cpp:
825         (JSC::DFG::SpeculativeJIT::compile):
826
827 2013-08-06  Michael Saboff  <msaboff@apple.com>
828
829         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
830         https://bugs.webkit.org/show_bug.cgi?id=119405
831
832         Reviewed by Geoffrey Garen.
833
834         * dfg/DFGSpeculativeJIT.cpp:
835         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
836         ourselves to save a register and then load from it.
837
838 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
839
840         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
841         https://bugs.webkit.org/show_bug.cgi?id=119528
842
843         Reviewed by Geoffrey Garen.
844
845         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
846         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
847         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
848         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
849         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
850
851         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
852
853         * bytecode/CodeBlock.cpp:
854         (JSC::CodeBlock::finalizeUnconditionally):
855         * dfg/DFGDriver.cpp:
856         (JSC::DFG::compile):
857         * dfg/DFGFixupPhase.cpp:
858         (JSC::DFG::FixupPhase::fixupNode):
859         * dfg/DFGGraph.cpp:
860         (JSC::DFG::Graph::dump):
861         * dfg/DFGSpeculativeJIT64.cpp:
862         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
863         * runtime/JSObject.h:
864         (JSC::JSObject::getIndexQuickly):
865         (JSC::JSObject::tryGetIndexQuickly):
866
867 2013-08-08  Stephanie Lewis  <slewis@apple.com>
868
869         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
870
871         Unreviewed.
872
873         Ensure llint symbols are in source order.
874
875         * JavaScriptCore.order:
876
877 2013-08-06  Mark Lam  <mark.lam@apple.com>
878
879         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
880         https://bugs.webkit.org/show_bug.cgi?id=119532.
881
882         Reviewed by Oliver Hunt.
883
884         * parser/Parser.cpp:
885         (JSC::::Parser):
886         - Just need to initialize the Parser's JSTokenLocation's initial line and
887           startOffset as well during Parser construction.
888
889 2013-08-06  Stephanie Lewis  <slewis@apple.com>
890
891         Update Order Files for Safari
892         <rdar://problem/14517392>
893
894         Unreviewed.
895
896         * JavaScriptCore.order:
897
898 2013-08-04  Sam Weinig  <sam@webkit.org>
899
900         Remove support for HTML5 MicroData
901         https://bugs.webkit.org/show_bug.cgi?id=119480
902
903         Reviewed by Anders Carlsson.
904
905         * Configurations/FeatureDefines.xcconfig:
906
907 2013-08-05  Oliver Hunt  <oliver@apple.com>
908
909         Delay Arguments creation in strict mode
910         https://bugs.webkit.org/show_bug.cgi?id=119505
911
912         Reviewed by Geoffrey Garen.
913
914         Make use of the write tracking performed by the parser to
915         allow us to know if we're modifying the parameters to a function.
916         Then use that information to make strict mode functions opt out
917         of eager arguments creation.
918
919         * bytecompiler/BytecodeGenerator.cpp:
920         (JSC::BytecodeGenerator::BytecodeGenerator):
921         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
922         (JSC::BytecodeGenerator::emitReturn):
923         * bytecompiler/BytecodeGenerator.h:
924         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
925         * parser/Nodes.h:
926         (JSC::ScopeNode::modifiesParameter):
927         * parser/Parser.cpp:
928         (JSC::::parseInner):
929         * parser/Parser.h:
930         (JSC::Scope::declareParameter):
931         (JSC::Scope::getCapturedVariables):
932         (JSC::Parser::declareWrite):
933         * parser/ParserModes.h:
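
        The following is an added illustration, not WebKit code and not part of this
        ChangeLog entry: it shows the language-level difference that makes delaying
        arguments creation safe in strict mode. In sloppy mode the arguments object
        aliases the named parameters, so any write to a parameter must be visible
        through arguments (and vice versa); strict mode has no such aliasing, so a
        function that writes its parameters can still defer or skip creating the
        object. The sloppy variants are built with the Function constructor so they
        stay sloppy even if this file is loaded as an ES module (which is strict by
        default); that construction is an assumption of the example, not of the entry.

```javascript
// Added example (not WebKit code): observable aliasing between parameters and
// `arguments` in sloppy vs strict functions. The Function constructor is used for
// the sloppy variants so they are non-strict regardless of how this file is loaded.

// Sloppy: writing the parameter is reflected in arguments[0].
const sloppyWritesParameter = new Function(
  'x',
  'x = x + 1;           // write to a parameter ...\n' +
  'return arguments[0]; // ... is observable here in sloppy mode'
);

// Strict: the same write is NOT reflected in arguments[0].
function strictWritesParameter(x) {
  'use strict';
  x = x + 1;            // write to a parameter ...
  return arguments[0];  // ... is not reflected here in strict mode
}

// Sloppy, reverse direction: writing through arguments updates the parameter.
const sloppyWritesArguments = new Function(
  'x',
  'arguments[0] = "changed";\n' +
  'return x;            // sees "changed" in sloppy mode'
);

// Strict, reverse direction: the parameter keeps its original value.
function strictWritesArguments(x) {
  'use strict';
  arguments[0] = 'changed';
  return x;             // still the original argument in strict mode
}

// Summarises the four observable cases for the input 1, so a regression in
// either direction of the aliasing shows up as a single wrong field.
function argumentsAliasingSummary() {
  return {
    sloppyParamWrite: sloppyWritesParameter(1),   // 2
    strictParamWrite: strictWritesParameter(1),   // 1
    sloppyArgsWrite: sloppyWritesArguments(1),    // 'changed'
    strictArgsWrite: strictWritesArguments(1),    // 1
  };
}
```

        Running argumentsAliasingSummary() on any engine that implements mapped
        arguments objects should give 2, 1, 'changed', 1; the two strict cases are
        exactly the ones for which the optimisation described above never needs an
        eagerly created arguments object.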
934
935 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
936
937         Remove useless code from COMPILER(RVCT) JITStubs
938         https://bugs.webkit.org/show_bug.cgi?id=119521
939
940         Reviewed by Geoffrey Garen.
941
942         * jit/JITStubsARMv7.h:
943         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
944         (JSC::ctiOpThrowNotCaught): Ditto.
945
946 2013-07-23  David Farler  <dfarler@apple.com>
947
948         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
949         https://bugs.webkit.org/show_bug.cgi?id=117762
950
951         Reviewed by Mark Rowe.
952
953         * Configurations/DebugRelease.xcconfig:
954         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
955         * Configurations/JavaScriptCore.xcconfig:
956         Add ASAN_OTHER_LDFLAGS.
957         * Configurations/ToolExecutable.xcconfig:
958         Don't use ASAN for build tools.
959
960 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
961
962         Build fix for ARM MSVC after r153222 and r153648.
963
964         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
965
966 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
967
968         Build fix for ARM MSVC after r150109.
969
970         Read the stub template from a header file instead of JITStubs.cpp.
971
972         * CMakeLists.txt:
973         * DerivedSources.pri:
974         * create_jit_stubs:
975
976 2013-08-05  Oliver Hunt  <oliver@apple.com>
977
978         Move TypedArray implementation into JSC
979         https://bugs.webkit.org/show_bug.cgi?id=119489
980
981         Reviewed by Filip Pizlo.
982
983         Move TypedArray implementation into JSC in advance of re-implementation
984
985         * GNUmakefile.list.am:
986         * JSCTypedArrayStubs.h:
987         * JavaScriptCore.xcodeproj/project.pbxproj:
988         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
989         (JSC::ArrayBuffer::transfer):
990         (JSC::ArrayBuffer::addView):
991         (JSC::ArrayBuffer::removeView):
992         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
993         (JSC::ArrayBufferContents::ArrayBufferContents):
994         (JSC::ArrayBufferContents::data):
995         (JSC::ArrayBufferContents::sizeInBytes):
996         (JSC::ArrayBufferContents::transfer):
997         (JSC::ArrayBufferContents::copyTo):
998         (JSC::ArrayBuffer::isNeutered):
999         (JSC::ArrayBuffer::~ArrayBuffer):
1000         (JSC::ArrayBuffer::clampValue):
1001         (JSC::ArrayBuffer::create):
1002         (JSC::ArrayBuffer::createUninitialized):
1003         (JSC::ArrayBuffer::ArrayBuffer):
1004         (JSC::ArrayBuffer::data):
1005         (JSC::ArrayBuffer::byteLength):
1006         (JSC::ArrayBuffer::slice):
1007         (JSC::ArrayBuffer::sliceImpl):
1008         (JSC::ArrayBuffer::clampIndex):
1009         (JSC::ArrayBufferContents::tryAllocate):
1010         (JSC::ArrayBufferContents::~ArrayBufferContents):
1011         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
1012         (JSC::ArrayBufferView::ArrayBufferView):
1013         (JSC::ArrayBufferView::~ArrayBufferView):
1014         (JSC::ArrayBufferView::neuter):
1015         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
1016         (JSC::ArrayBufferView::buffer):
1017         (JSC::ArrayBufferView::baseAddress):
1018         (JSC::ArrayBufferView::byteOffset):
1019         (JSC::ArrayBufferView::setNeuterable):
1020         (JSC::ArrayBufferView::isNeuterable):
1021         (JSC::ArrayBufferView::verifySubRange):
1022         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1023         (JSC::ArrayBufferView::setImpl):
1024         (JSC::ArrayBufferView::setRangeImpl):
1025         (JSC::ArrayBufferView::zeroRangeImpl):
1026         (JSC::ArrayBufferView::calculateOffsetAndLength):
1027         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
1028         (JSC::Float32Array::set):
1029         (JSC::Float32Array::getType):
1030         (JSC::Float32Array::create):
1031         (JSC::Float32Array::createUninitialized):
1032         (JSC::Float32Array::Float32Array):
1033         (JSC::Float32Array::subarray):
1034         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
1035         (JSC::Float64Array::set):
1036         (JSC::Float64Array::getType):
1037         (JSC::Float64Array::create):
1038         (JSC::Float64Array::createUninitialized):
1039         (JSC::Float64Array::Float64Array):
1040         (JSC::Float64Array::subarray):
1041         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
1042         (JSC::Int16Array::getType):
1043         (JSC::Int16Array::create):
1044         (JSC::Int16Array::createUninitialized):
1045         (JSC::Int16Array::Int16Array):
1046         (JSC::Int16Array::subarray):
1047         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
1048         (JSC::Int32Array::getType):
1049         (JSC::Int32Array::create):
1050         (JSC::Int32Array::createUninitialized):
1051         (JSC::Int32Array::Int32Array):
1052         (JSC::Int32Array::subarray):
1053         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
1054         (JSC::Int8Array::getType):
1055         (JSC::Int8Array::create):
1056         (JSC::Int8Array::createUninitialized):
1057         (JSC::Int8Array::Int8Array):
1058         (JSC::Int8Array::subarray):
1059         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
1060         (JSC::IntegralTypedArrayBase::set):
1061         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
1062         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
1063         (JSC::TypedArrayBase::data):
1064         (JSC::TypedArrayBase::set):
1065         (JSC::TypedArrayBase::setRange):
1066         (JSC::TypedArrayBase::zeroRange):
1067         (JSC::TypedArrayBase::length):
1068         (JSC::TypedArrayBase::byteLength):
1069         (JSC::TypedArrayBase::item):
1070         (JSC::TypedArrayBase::checkInboundData):
1071         (JSC::TypedArrayBase::TypedArrayBase):
1072         (JSC::TypedArrayBase::create):
1073         (JSC::TypedArrayBase::createUninitialized):
1074         (JSC::TypedArrayBase::subarrayImpl):
1075         (JSC::TypedArrayBase::neuter):
1076         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
1077         (JSC::Uint16Array::getType):
1078         (JSC::Uint16Array::create):
1079         (JSC::Uint16Array::createUninitialized):
1080         (JSC::Uint16Array::Uint16Array):
1081         (JSC::Uint16Array::subarray):
1082         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
1083         (JSC::Uint32Array::getType):
1084         (JSC::Uint32Array::create):
1085         (JSC::Uint32Array::createUninitialized):
1086         (JSC::Uint32Array::Uint32Array):
1087         (JSC::Uint32Array::subarray):
1088         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
1089         (JSC::Uint8Array::getType):
1090         (JSC::Uint8Array::create):
1091         (JSC::Uint8Array::createUninitialized):
1092         (JSC::Uint8Array::Uint8Array):
1093         (JSC::Uint8Array::subarray):
1094         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
1095         (JSC::Uint8ClampedArray::getType):
1096         (JSC::Uint8ClampedArray::create):
1097         (JSC::Uint8ClampedArray::createUninitialized):
1098         (JSC::Uint8ClampedArray::zeroFill):
1099         (JSC::Uint8ClampedArray::set):
1100         (JSC::Uint8ClampedArray::Uint8ClampedArray):
1101         (JSC::Uint8ClampedArray::subarray):
1102         * runtime/VM.h:
1103
1104 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1105
1106         Copied space should be able to handle more than one copied backing store per JSCell
1107         https://bugs.webkit.org/show_bug.cgi?id=119471
1108
1109         Reviewed by Mark Hahnenberg.
1110         
1111         This allows a cell to call copyLater() multiple times for multiple different
1112         backing stores, and then have copyBackingStore() called exactly once for each
1113         of those. A token tells it which backing store to copy. All backing stores
1114         must be named using the CopyToken, an enumeration which currently cannot
1115         exceed eight entries.
1116         
1117         When copyBackingStore() is called, it's up to the callee to (a) use the token
1118         to decide what to copy and (b) call its base class's copyBackingStore() in
1119         case the base class had something that needed copying. The only exception is
1120         that JSCell never asks anything to be copied, and so if your base is JSCell
1121         then you don't have to do anything.
1122
1123         * GNUmakefile.list.am:
1124         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1125         * JavaScriptCore.xcodeproj/project.pbxproj:
1126         * heap/CopiedBlock.h:
1127         * heap/CopiedBlockInlines.h:
1128         (JSC::CopiedBlock::reportLiveBytes):
1129         * heap/CopyToken.h: Added.
1130         * heap/CopyVisitor.cpp:
1131         (JSC::CopyVisitor::copyFromShared):
1132         * heap/CopyVisitor.h:
1133         * heap/CopyVisitorInlines.h:
1134         (JSC::CopyVisitor::visitItem):
1135         * heap/CopyWorkList.h:
1136         (JSC::CopyWorklistItem::CopyWorklistItem):
1137         (JSC::CopyWorklistItem::cell):
1138         (JSC::CopyWorklistItem::token):
1139         (JSC::CopyWorkListSegment::get):
1140         (JSC::CopyWorkListSegment::append):
1141         (JSC::CopyWorkListSegment::data):
1142         (JSC::CopyWorkListIterator::get):
1143         (JSC::CopyWorkListIterator::operator*):
1144         (JSC::CopyWorkListIterator::operator->):
1145         (JSC::CopyWorkList::append):
1146         * heap/SlotVisitor.h:
1147         * heap/SlotVisitorInlines.h:
1148         (JSC::SlotVisitor::copyLater):
1149         * runtime/ClassInfo.h:
1150         * runtime/JSCell.cpp:
1151         (JSC::JSCell::copyBackingStore):
1152         * runtime/JSCell.h:
1153         * runtime/JSObject.cpp:
1154         (JSC::JSObject::visitButterfly):
1155         (JSC::JSObject::copyBackingStore):
1156         * runtime/JSObject.h:
1157
1158 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
1159
1160         [Automake] Define ENABLE_JIT through the Autoconf header
1161         https://bugs.webkit.org/show_bug.cgi?id=119445
1162
1163         Reviewed by Martin Robinson.
1164
1165         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
1166
1167 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1168
1169         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1170         https://bugs.webkit.org/show_bug.cgi?id=119470
1171
1172         Reviewed by Oliver Hunt.
1173         
1174         Structure can still tell you if the object "could" (in the conservative sense)
1175         have an indexing header; that's used by the compiler.
1176         
1177         Most of the time if you want to know if there's an indexing header, you ask the
1178         JSObject.
1179         
1180         In some cases, the JSObject wants to know if it would have an indexing header if
1181         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1182
1183         * dfg/DFGRepatch.cpp:
1184         (JSC::DFG::tryCachePutByID):
1185         (JSC::DFG::tryBuildPutByIdList):
1186         * dfg/DFGSpeculativeJIT.cpp:
1187         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1188         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1189         * runtime/ButterflyInlines.h:
1190         (JSC::Butterfly::create):
1191         (JSC::Butterfly::growPropertyStorage):
1192         (JSC::Butterfly::growArrayRight):
1193         (JSC::Butterfly::resizeArray):
1194         * runtime/JSObject.cpp:
1195         (JSC::JSObject::copyButterfly):
1196         (JSC::JSObject::visitButterfly):
1197         * runtime/JSObject.h:
1198         (JSC::JSObject::hasIndexingHeader):
1199         (JSC::JSObject::setButterfly):
1200         * runtime/Structure.h:
1201         (JSC::Structure::couldHaveIndexingHeader):
1202         (JSC::Structure::hasIndexingHeader):
1203
1204 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1205
1206         Give the error object's stack property accessor attributes.
1207         https://bugs.webkit.org/show_bug.cgi?id=119404
1208
1209         Reviewed by Geoffrey Garen.
1210         
1211         Changed the attributes of the error object's stack property to allow developers to write
1212         and delete the stack property. This will match the functionality of Chrome. Firefox
1213         allows developers to write the error's stack, but not delete it.
1214
1215         * interpreter/Interpreter.cpp:
1216         (JSC::Interpreter::addStackTraceIfNecessary):
1217         * runtime/ErrorInstance.cpp:
1218         (JSC::ErrorInstance::finishCreation):
1219
1220 2013-08-02  Oliver Hunt  <oliver@apple.com>
1221
1222         Incorrect type speculation reported by ToPrimitive
1223         https://bugs.webkit.org/show_bug.cgi?id=119458
1224
1225         Reviewed by Mark Hahnenberg.
1226
1227         Make sure that we report the correct type possibilities for the output
1228         from ToPrimitive
1229
1230         * dfg/DFGAbstractInterpreterInlines.h:
1231         (JSC::DFG::::executeEffects):
1232
1233 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1234
1235         Remove no-arguments constructor to PropertySlot
1236         https://bugs.webkit.org/show_bug.cgi?id=119460
1237
1238         Reviewed by Geoff Garen.
1239
1240         This constructor was unsafe if getValue is subsequently called,
1241         and the property is a getter. Simplest to just remove it.
1242
1243         * runtime/Arguments.cpp:
1244         (JSC::Arguments::defineOwnProperty):
1245         * runtime/JSActivation.cpp:
1246         (JSC::JSActivation::getOwnPropertyDescriptor):
1247         * runtime/JSFunction.cpp:
1248         (JSC::JSFunction::getOwnPropertyDescriptor):
1249         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1250         (JSC::JSFunction::put):
1251         (JSC::JSFunction::defineOwnProperty):
1252         * runtime/JSGlobalObject.cpp:
1253         (JSC::JSGlobalObject::defineOwnProperty):
1254         * runtime/JSGlobalObject.h:
1255         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1256         * runtime/JSNameScope.cpp:
1257         (JSC::JSNameScope::put):
1258         * runtime/JSONObject.cpp:
1259         (JSC::Stringifier::Holder::appendNextProperty):
1260         (JSC::Walker::walk):
1261         * runtime/JSObject.cpp:
1262         (JSC::JSObject::hasProperty):
1263         (JSC::JSObject::hasOwnProperty):
1264         (JSC::JSObject::reifyStaticFunctionsForDelete):
1265         * runtime/Lookup.h:
1266         (JSC::getStaticPropertyDescriptor):
1267         (JSC::getStaticFunctionDescriptor):
1268         (JSC::getStaticValueDescriptor):
1269         * runtime/ObjectConstructor.cpp:
1270         (JSC::defineProperties):
1271         * runtime/PropertySlot.h:
1272
1273 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1274
1275         DFG validation can cause assertion failures due to dumping
1276         https://bugs.webkit.org/show_bug.cgi?id=119456
1277
1278         Reviewed by Geoffrey Garen.
1279
1280         * bytecode/CodeBlock.cpp:
1281         (JSC::CodeBlock::hasHash):
1282         (JSC::CodeBlock::isSafeToComputeHash):
1283         (JSC::CodeBlock::hash):
1284         (JSC::CodeBlock::dumpAssumingJITType):
1285         * bytecode/CodeBlock.h:
1286
1287 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1288
1289         Have vm's exceptionStack match java's vm's exceptionStack.
1290         https://bugs.webkit.org/show_bug.cgi?id=119362
1291
1292         Reviewed by Geoffrey Garen.
1293         
1294         The error object's stack is only updated if it does not exist yet. This matches 
1295         the functionality of other browsers, and Java VMs. 
1296
1297         * interpreter/Interpreter.cpp:
1298         (JSC::Interpreter::addStackTraceIfNecessary):
1299         (JSC::Interpreter::throwException):
1300         * runtime/VM.cpp:
1301         (JSC::VM::clearExceptionStack):
1302         * runtime/VM.h:
1303         (JSC::VM::lastExceptionStack):
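
        The following is an added check, not WebKit code and not part of either
        ChangeLog entry: it exercises the two Error.stack behaviours described above
        (bug 119404: the stack property is writable and deletable; bug 119362: the
        stack is captured once and is not overwritten when the same error is
        rethrown) from plain JavaScript. It assumes only that the engine materialises
        stack as an own property of the error object; the helper names are the
        example's own.

```javascript
// Added example (not WebKit code): observable behaviour of Error#stack that the
// two ChangeLog entries above describe. Engine-agnostic; runs on any modern engine.
'use strict';

// Returns true if the program can overwrite an error's stack property.
function canOverwriteStack(err) {
  err.stack = 'custom stack text';
  return err.stack === 'custom stack text';
}

// Returns true if the stack property can be deleted from the error object, i.e.
// it is configurable. In strict code a non-configurable property makes `delete`
// throw, so that case is reported as false rather than propagated.
function canDeleteStack(err) {
  try {
    const deleted = delete err.stack;
    return deleted && !Object.prototype.hasOwnProperty.call(err, 'stack');
  } catch (e) {
    return false;
  }
}

// Throws err through an intermediate frame, rethrows it once, and reports whether
// the stack captured at construction survived both throws unchanged.
function stackSurvivesRethrow() {
  const err = new Error('constructed here');
  const original = err.stack;
  function inner() { throw err; }
  function middle() {
    try { inner(); } catch (e) { throw e; }   // rethrow: must not rewrite e.stack
  }
  try {
    middle();
  } catch (e) {
    return e === err && e.stack === original;
  }
  return false;
}

// Summary of the three checks so a regression shows up as a single false field.
function checkErrorStackBehaviour() {
  return {
    writable: canOverwriteStack(new Error('w')),
    deletable: canDeleteStack(new Error('d')),
    preservedOnRethrow: stackSurvivesRethrow(),
  };
}
```

        On an engine matching the behaviour these entries describe, all three fields
        are true; an engine that exposes stack as a non-configurable property would
        report deletable as false, which is the Firefox difference the first entry
        mentions.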
1304
1305 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1306
1307         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
1308         https://bugs.webkit.org/show_bug.cgi?id=119447
1309
1310         Reviewed by Geoffrey Garen.
1311
1312         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
1313         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
1314         r153583 (sh4) and r153648 (ARM).
1315
1316         * jit/JITStubsMIPS.h:
1317
1318 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
1319
1320         hasIndexingHeader should be a property of the Structure, not just the IndexingType
1321         https://bugs.webkit.org/show_bug.cgi?id=119422
1322
1323         Reviewed by Oliver Hunt.
1324         
1325         This simplifies some code and also allows Structure to claim that an object
1326         has an indexing header even if it doesn't have indexed properties.
1327         
1328         I also changed some calls to use hasIndexedProperties() since in some cases,
1329         that's what we actually meant. Currently the two are synonyms.
1330
1331         * dfg/DFGRepatch.cpp:
1332         (JSC::DFG::tryCachePutByID):
1333         (JSC::DFG::tryBuildPutByIdList):
1334         * dfg/DFGSpeculativeJIT.cpp:
1335         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1336         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1337         * runtime/ButterflyInlines.h:
1338         (JSC::Butterfly::create):
1339         (JSC::Butterfly::growPropertyStorage):
1340         (JSC::Butterfly::growArrayRight):
1341         (JSC::Butterfly::resizeArray):
1342         * runtime/IndexingType.h:
1343         * runtime/JSObject.cpp:
1344         (JSC::JSObject::copyButterfly):
1345         (JSC::JSObject::visitButterfly):
1346         (JSC::JSObject::setPrototype):
1347         * runtime/JSObject.h:
1348         (JSC::JSObject::setButterfly):
1349         * runtime/JSPropertyNameIterator.cpp:
1350         (JSC::JSPropertyNameIterator::create):
1351         * runtime/Structure.h:
1352         (JSC::Structure::hasIndexingHeader):
1353
1354 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1355
1356         REGRESSION: ARM still crashes after change set r153612.
1357         https://bugs.webkit.org/show_bug.cgi?id=119433
1358
1359         Reviewed by Michael Saboff.
1360
1361         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
1362         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
1363         for sh4 architecture.
1364
1365         * jit/JITStubsARM.h:
1366         * jit/JITStubsARMv7.h:
1367
1368 2013-08-02  Michael Saboff  <msaboff@apple.com>
1369
1370         REGRESSION(r153612): It made jsc and layout tests crash
1371         https://bugs.webkit.org/show_bug.cgi?id=119440
1372
1373         Reviewed by Csaba Osztrogonác.
1374
1375         Made the changes of changeset r153612 only apply to 32 bit builds.
1376
1377         * jit/JITExceptions.cpp:
1378         * jit/JITExceptions.h:
1379         * jit/JITStubs.cpp:
1380         (JSC::cti_vm_throw_slowpath):
1381         * jit/JITStubs.h:
1382
1383 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
1384
1385         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
1386
1387         * CMakeLists.txt:
1388
1389 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
1390
1391         [Forms: color] <input type='color'> popover color well implementation
1392         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
1393
1394         Reviewed by Benjamin Poulain.
1395
1396         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
1397
1398 2013-08-01  Oliver Hunt  <oliver@apple.com>
1399
1400         DFG is not enforcing correct ordering of ToString conversion in MakeRope
1401         https://bugs.webkit.org/show_bug.cgi?id=119408
1402
1403         Reviewed by Filip Pizlo.
1404
1405         Construct ToString and Phantom nodes in advance of MakeRope
1406         nodes to ensure that ordering is ensured, and correct values
1407         will be reified on OSR exit.
1408
1409         * dfg/DFGByteCodeParser.cpp:
1410         (JSC::DFG::ByteCodeParser::parseBlock):
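
        The following is an added regression-style check, not WebKit code and not part
        of this ChangeLog entry: it pins down the ordering the fix above restores at the
        language level. When s + a + b + c is evaluated, ToString(a) must run before
        ToString(b), which must run before ToString(c), and each conversion's side
        effects must happen exactly once per evaluation, including when a later
        conversion throws. The hot loop is there so that a tiering engine compiles the
        expression; the helper names are the example's own.

```javascript
// Added example (not WebKit code): left-to-right ordering of ToString conversions
// in string concatenation, checked both cold and in a hot loop.
'use strict';

// Builds an object whose string conversion records its name into `log`.
function tracingOperand(name, log) {
  return { toString() { log.push(name); return name; } };
}

// Evaluates a three-way concatenation once and returns the conversion order seen.
function concatOrderOnce() {
  const log = [];
  const a = tracingOperand('a', log);
  const b = tracingOperand('b', log);
  const c = tracingOperand('c', log);
  const result = 'prefix-' + a + b + c;   // must convert a, then b, then c
  return { result, order: log };
}

// Runs the same expression many times (so a tiering JIT compiles it) and checks
// that every iteration saw the same left-to-right order with no duplicates.
function concatOrderIsStable(iterations = 20000) {
  for (let i = 0; i < iterations; i++) {
    const { result, order } = concatOrderOnce();
    if (result !== 'prefix-abc' || order.join(',') !== 'a,b,c') {
      return false;
    }
  }
  return true;
}

// If the last conversion throws, the earlier ones must already have happened
// (a and b logged, in that order) and the throwing one must be logged exactly once.
function concatOrderUnderThrow() {
  const log = [];
  const a = tracingOperand('a', log);
  const b = tracingOperand('b', log);
  const bad = { toString() { log.push('bad'); throw new TypeError('boom'); } };
  try {
    'x' + a + b + bad;
  } catch (e) {
    return e instanceof TypeError && log.join(',') === 'a,b,bad';
  }
  return false;
}
```

        A correct engine returns 'prefix-abc' with order a,b,c from concatOrderOnce(),
        true from concatOrderIsStable(), and true from concatOrderUnderThrow(); a
        compiler that reordered or re-executed the conversions would change the
        recorded sequence.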
1411
1412 2013-08-01  Michael Saboff  <msaboff@apple.com>
1413
1414         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
1415         https://bugs.webkit.org/show_bug.cgi?id=119140
1416
1417         Reviewed by Filip Pizlo.
1418
1419         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
1420
1421         * jit/JITExceptions.cpp:
1422         (JSC::encode):
1423         * jit/JITExceptions.h:
1424         * jit/JITStubs.cpp:
1425         (JSC::cti_vm_throw_slowpath):
1426         * jit/JITStubs.h:
1427
1428 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
1429
1430         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
1431         https://bugs.webkit.org/show_bug.cgi?id=119391
1432
1433         Reviewed by Csaba Osztrogonác.
1434
1435         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
1436             - Call frame is in r14 register.
1437             - Do not restore registers from JIT stack frame here.
1438
1439 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1440
1441         More cleanup in PropertySlot
1442         https://bugs.webkit.org/show_bug.cgi?id=119359
1443
1444         Reviewed by Geoff Garen.
1445
1446         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
1447         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
1448
1449         * dfg/DFGRepatch.cpp:
1450         (JSC::DFG::tryCacheGetByID):
1451         (JSC::DFG::tryBuildGetByIDList):
1452             - No need to ASSERT slotBase is an object.
1453         * jit/JITStubs.cpp:
1454         (JSC::tryCacheGetByID):
1455         (JSC::DEFINE_STUB_FUNCTION):
1456             - No need to ASSERT slotBase is an object.
1457         * runtime/JSObject.cpp:
1458         (JSC::JSObject::getOwnPropertySlotByIndex):
1459         (JSC::JSObject::fillGetterPropertySlot):
1460             - Pass an object through to setGetterSlot.
1461         * runtime/JSObject.h:
1462         (JSC::PropertySlot::getValue):
1463             - Moved from PropertySlot (need to know about JSObject).
1464         * runtime/PropertySlot.cpp:
1465         (JSC::PropertySlot::functionGetter):
1466             - update per member name changes
1467         * runtime/PropertySlot.h:
1468         (JSC::PropertySlot::PropertySlot):
1469             - Argument to constructor set to 'thisValue'.
1470         (JSC::PropertySlot::slotBase):
1471             - This returns a JSObject*.
1472         (JSC::PropertySlot::setValue):
1473         (JSC::PropertySlot::setCustom):
1474         (JSC::PropertySlot::setCacheableCustom):
1475         (JSC::PropertySlot::setCustomIndex):
1476         (JSC::PropertySlot::setGetterSlot):
1477         (JSC::PropertySlot::setCacheableGetterSlot):
1478             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
1479         * runtime/SparseArrayValueMap.cpp:
1480         (JSC::SparseArrayEntry::get):
1481             - Pass an object through to setGetterSlot.
1482         * runtime/SparseArrayValueMap.h:
1483             - Pass an object through to setGetterSlot.
1484
1485 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
1486
1487         Reduce JSC API static value setter/getter overhead.
1488         https://bugs.webkit.org/show_bug.cgi?id=119277
1489
1490         Reviewed by Geoffrey Garen.
1491
1492         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
1493         need to be called every time the static value is set or retrieved.
1494
1495         * API/JSCallbackObjectFunctions.h:
1496         (JSC::::put):
1497         (JSC::::putByIndex):
1498         (JSC::::getStaticValue):
1499         * API/JSClassRef.cpp:
1500         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1501         * API/JSClassRef.h:
1502         (StaticValueEntry::StaticValueEntry):
1503
1504 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
1505
1506         Use emptyString instead of String("")
1507         https://bugs.webkit.org/show_bug.cgi?id=119335
1508
1509         Reviewed by Darin Adler.
1510
1511         Use emptyString() instead of String("") because it is better style and
1512         faster. This is a followup to r116908, removing all occurrences of
1513         String("") from WebKit.
1514
1515         * runtime/RegExpConstructor.cpp:
1516         (JSC::constructRegExp):
1517         * runtime/RegExpPrototype.cpp:
1518         (JSC::regExpProtoFuncCompile):
1519         * runtime/StringPrototype.cpp:
1520         (JSC::stringProtoFuncMatch):
1521         (JSC::stringProtoFuncSearch):
1522
1523 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
1524
1525         <input type=color> Mac UI behaviour
1526         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
1527
1528         Reviewed by Brady Eidson.
1529
1530         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
1531
1532 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
1533
1534         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
1535         https://bugs.webkit.org/show_bug.cgi?id=119349
1536
1537         Reviewed by Geoffrey Garen.
1538
1539         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
1540         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
1541         on code it compiled with any switch statements to have been run in the baseline JIT first. 
1542         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
1543         JIT then this resizing never happens and we crash at link time in the DFG.
1544
1545         We can fix this by also doing the resize in the DFG to catch this case.
1546
1547         * dfg/DFGJITCompiler.cpp:
1548         (JSC::DFG::JITCompiler::link):
1549
1550 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1551
1552         Speculative Windows build fix.
1553
1554         Reviewed by NOBODY
1555
1556         * runtime/JSString.cpp:
1557         (JSC::JSRopeString::getIndexSlowCase):
1558         * runtime/JSString.h:
1559
1560 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
1561
1562         Some cleanup in JSValue::get
1563         https://bugs.webkit.org/show_bug.cgi?id=119343
1564
1565         Reviewed by Geoff Garen.
1566
1567         JSValue::get is implemented to:
1568             1) Check if the value is a cell – if not, synthesize a prototype to search,
1569             2) call getOwnPropertySlot on the cell,
1570             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
1571         By all rights this should crash when passed a string and accessing a property that does not exist, because
1572         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
1573         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
1574         prototype chain, and faking out a return value of undefined if no property is found.
1575
1576         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
1577         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
1578
1579         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
1580         slots anyway.
1581
1582         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
1583
1584 2013-07-31  Michael Saboff  <msaboff@apple.com>
1585
1586         [Win] JavaScript crash.
1587         https://bugs.webkit.org/show_bug.cgi?id=119339
1588
1589         Reviewed by Mark Hahnenberg.
1590
1591         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
1592         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
1593
1594 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1595
1596         GetByVal on Arguments does the wrong size load when checking the Arguments object length
1597         https://bugs.webkit.org/show_bug.cgi?id=119281
1598
1599         Reviewed by Geoffrey Garen.
1600
1601         This leads to out-of-bounds accesses and subsequent crashes.
1602
1603         * dfg/DFGSpeculativeJIT.cpp:
1604         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1605         * dfg/DFGSpeculativeJIT64.cpp:
1606         (JSC::DFG::SpeculativeJIT::compile):
1607
1608 2013-07-30  Oliver Hunt  <oliver@apple.com>
1609
1610         Add an assertion to SpeculateCellOperand
1611         https://bugs.webkit.org/show_bug.cgi?id=119276
1612
1613         Reviewed by Michael Saboff.
1614
1615         More assertions are better
1616
1617         * dfg/DFGSpeculativeJIT64.cpp:
1618         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1619         (JSC::DFG::SpeculativeJIT::compile):
1620
1621 2013-07-30  Mark Lam  <mark.lam@apple.com>
1622
1623         Fix problems with divot and lineStart mismatches.
1624         https://bugs.webkit.org/show_bug.cgi?id=118662.
1625
1626         Reviewed by Oliver Hunt.
1627
1628         r152494 added the recording of lineStart values for divot positions.
1629         This is needed for the computation of column numbers. Similarly, it also
1630         added the recording of line numbers for the divot positions. One problem
1631         with the approach taken was that the line and lineStart values were
1632         recorded independently, and hence were not always guaranteed to be
1633         sampled at the same place that the divot position is recorded. This
1634         resulted in potential mismatches that cause some assertions to fail.
1635
1636         The solution is to introduce a JSTextPosition abstraction that records
1637         the divot position, line, and lineStart as a single quantity. Wherever
1638         we record the divot position as an unsigned int previously, we now record
1639         its JSTextPosition which captures all 3 values in one go. This ensures
1640         that the captured line and lineStart will always match the captured divot
1641         position.
1642
1643         * bytecompiler/BytecodeGenerator.cpp:
1644         (JSC::BytecodeGenerator::emitCall):
1645         (JSC::BytecodeGenerator::emitCallEval):
1646         (JSC::BytecodeGenerator::emitCallVarargs):
1647         (JSC::BytecodeGenerator::emitConstruct):
1648         (JSC::BytecodeGenerator::emitDebugHook):
1649         - Use JSTextPosition instead of passing line and lineStart explicitly.
1650         * bytecompiler/BytecodeGenerator.h:
1651         (JSC::BytecodeGenerator::emitExpressionInfo):
1652         - Use JSTextPosition instead of passing line and lineStart explicitly.
1653         * bytecompiler/NodesCodegen.cpp:
1654         (JSC::ThrowableExpressionData::emitThrowReferenceError):
1655         (JSC::ResolveNode::emitBytecode):
1656         (JSC::BracketAccessorNode::emitBytecode):
1657         (JSC::DotAccessorNode::emitBytecode):
1658         (JSC::NewExprNode::emitBytecode):
1659         (JSC::EvalFunctionCallNode::emitBytecode):
1660         (JSC::FunctionCallValueNode::emitBytecode):
1661         (JSC::FunctionCallResolveNode::emitBytecode):
1662         (JSC::FunctionCallBracketNode::emitBytecode):
1663         (JSC::FunctionCallDotNode::emitBytecode):
1664         (JSC::CallFunctionCallDotNode::emitBytecode):
1665         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1666         (JSC::PostfixNode::emitResolve):
1667         (JSC::PostfixNode::emitBracket):
1668         (JSC::PostfixNode::emitDot):
1669         (JSC::DeleteResolveNode::emitBytecode):
1670         (JSC::DeleteBracketNode::emitBytecode):
1671         (JSC::DeleteDotNode::emitBytecode):
1672         (JSC::PrefixNode::emitResolve):
1673         (JSC::PrefixNode::emitBracket):
1674         (JSC::PrefixNode::emitDot):
1675         (JSC::UnaryOpNode::emitBytecode):
1676         (JSC::BinaryOpNode::emitStrcat):
1677         (JSC::BinaryOpNode::emitBytecode):
1678         (JSC::ThrowableBinaryOpNode::emitBytecode):
1679         (JSC::InstanceOfNode::emitBytecode):
1680         (JSC::emitReadModifyAssignment):
1681         (JSC::ReadModifyResolveNode::emitBytecode):
1682         (JSC::AssignResolveNode::emitBytecode):
1683         (JSC::AssignDotNode::emitBytecode):
1684         (JSC::ReadModifyDotNode::emitBytecode):
1685         (JSC::AssignBracketNode::emitBytecode):
1686         (JSC::ReadModifyBracketNode::emitBytecode):
1687         (JSC::ForInNode::emitBytecode):
1688         (JSC::WithNode::emitBytecode):
1689         (JSC::ThrowNode::emitBytecode):
1690         - Use JSTextPosition instead of passing line and lineStart explicitly.
1691         * parser/ASTBuilder.h:
1692         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
1693         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
1694         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
1695         (JSC::ASTBuilder::createResolve):
1696         (JSC::ASTBuilder::createBracketAccess):
1697         (JSC::ASTBuilder::createDotAccess):
1698         (JSC::ASTBuilder::createRegExp):
1699         (JSC::ASTBuilder::createNewExpr):
1700         (JSC::ASTBuilder::createAssignResolve):
1701         (JSC::ASTBuilder::createExprStatement):
1702         (JSC::ASTBuilder::createForInLoop):
1703         (JSC::ASTBuilder::createReturnStatement):
1704         (JSC::ASTBuilder::createBreakStatement):
1705         (JSC::ASTBuilder::createContinueStatement):
1706         (JSC::ASTBuilder::createLabelStatement):
1707         (JSC::ASTBuilder::createWithStatement):
1708         (JSC::ASTBuilder::createThrowStatement):
1709         (JSC::ASTBuilder::appendBinaryExpressionInfo):
1710         (JSC::ASTBuilder::appendUnaryToken):
1711         (JSC::ASTBuilder::unaryTokenStackLastStart):
1712         (JSC::ASTBuilder::assignmentStackAppend):
1713         (JSC::ASTBuilder::createAssignment):
1714         (JSC::ASTBuilder::setExceptionLocation):
1715         (JSC::ASTBuilder::makeDeleteNode):
1716         (JSC::ASTBuilder::makeFunctionCallNode):
1717         (JSC::ASTBuilder::makeBinaryNode):
1718         (JSC::ASTBuilder::makeAssignNode):
1719         (JSC::ASTBuilder::makePrefixNode):
1720         (JSC::ASTBuilder::makePostfixNode):
1721         - Use JSTextPosition instead of passing line and lineStart explicitly.
1722         * parser/Lexer.cpp:
1723         (JSC::::lex):
1724         - Added support for capturing the appropriate JSTextPositions instead
1725           of just the character offset.
1726         * parser/Lexer.h:
1727         (JSC::Lexer::currentPosition):
1728         (JSC::::lexExpectIdentifier):
1729         - Added support for capturing the appropriate JSTextPositions instead
1730           of just the character offset.
1731         * parser/NodeConstructors.h:
1732         (JSC::Node::Node):
1733         (JSC::ResolveNode::ResolveNode):
1734         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
1735         (JSC::FunctionCallValueNode::FunctionCallValueNode):
1736         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
1737         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
1738         (JSC::FunctionCallDotNode::FunctionCallDotNode):
1739         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
1740         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
1741         (JSC::PostfixNode::PostfixNode):
1742         (JSC::DeleteResolveNode::DeleteResolveNode):
1743         (JSC::DeleteBracketNode::DeleteBracketNode):
1744         (JSC::DeleteDotNode::DeleteDotNode):
1745         (JSC::PrefixNode::PrefixNode):
1746         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1747         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
1748         (JSC::AssignBracketNode::AssignBracketNode):
1749         (JSC::AssignDotNode::AssignDotNode):
1750         (JSC::ReadModifyDotNode::ReadModifyDotNode):
1751         (JSC::AssignErrorNode::AssignErrorNode):
1752         (JSC::WithNode::WithNode):
1753         (JSC::ForInNode::ForInNode):
1754         - Use JSTextPosition instead of passing line and lineStart explicitly.
1755         * parser/Nodes.cpp:
1756         (JSC::StatementNode::setLoc):
1757         - Use JSTextPosition instead of passing line and lineStart explicitly.
1758         * parser/Nodes.h:
1759         (JSC::Node::lineNo):
1760         (JSC::Node::startOffset):
1761         (JSC::Node::lineStartOffset):
1762         (JSC::Node::position):
1763         (JSC::ThrowableExpressionData::ThrowableExpressionData):
1764         (JSC::ThrowableExpressionData::setExceptionSourceCode):
1765         (JSC::ThrowableExpressionData::divot):
1766         (JSC::ThrowableExpressionData::divotStart):
1767         (JSC::ThrowableExpressionData::divotEnd):
1768         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
1769         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
1770         (JSC::ThrowableSubExpressionData::subexpressionDivot):
1771         (JSC::ThrowableSubExpressionData::subexpressionStart):
1772         (JSC::ThrowableSubExpressionData::subexpressionEnd):
1773         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
1774         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
1775         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
1776         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
1777         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
1778         - Use JSTextPosition instead of passing line and lineStart explicitly.
1779         * parser/Parser.cpp:
1780         (JSC::::Parser):
1781         (JSC::::parseInner):
1782         - Use JSTextPosition instead of passing line and lineStart explicitly.
1783         (JSC::::didFinishParsing):
1784         - Remove setting of m_lastLine value. We always pass in the value from
1785           m_lastLine anyway. So, this assignment is effectively a nop.
1786         (JSC::::parseVarDeclaration):
1787         (JSC::::parseVarDeclarationList):
1788         (JSC::::parseForStatement):
1789         (JSC::::parseBreakStatement):
1790         (JSC::::parseContinueStatement):
1791         (JSC::::parseReturnStatement):
1792         (JSC::::parseThrowStatement):
1793         (JSC::::parseWithStatement):
1794         (JSC::::parseTryStatement):
1795         (JSC::::parseBlockStatement):
1796         (JSC::::parseFunctionDeclaration):
1797         (JSC::LabelInfo::LabelInfo):
1798         (JSC::::parseExpressionOrLabelStatement):
1799         (JSC::::parseExpressionStatement):
1800         (JSC::::parseAssignmentExpression):
1801         (JSC::::parseBinaryExpression):
1802         (JSC::::parseProperty):
1803         (JSC::::parsePrimaryExpression):
1804         (JSC::::parseMemberExpression):
1805         (JSC::::parseUnaryExpression):
1806         - Use JSTextPosition instead of passing line and lineStart explicitly.
1807         * parser/Parser.h:
1808         (JSC::Parser::next):
1809         (JSC::Parser::nextExpectIdentifier):
1810         (JSC::Parser::getToken):
1811         (JSC::Parser::tokenStartPosition):
1812         (JSC::Parser::tokenEndPosition):
1813         (JSC::Parser::lastTokenEndPosition):
1814         (JSC::::parse):
1815         - Use JSTextPosition instead of passing line and lineStart explicitly.
1816         * parser/ParserTokens.h:
1817         (JSC::JSTextPosition::JSTextPosition):
1818         (JSC::JSTextPosition::operator+):
1819         (JSC::JSTextPosition::operator-):
1820         (JSC::JSTextPosition::operator int):
1821         - Added JSTextPosition.
1822         * parser/SyntaxChecker.h:
1823         (JSC::SyntaxChecker::makeFunctionCallNode):
1824         (JSC::SyntaxChecker::makeAssignNode):
1825         (JSC::SyntaxChecker::makePrefixNode):
1826         (JSC::SyntaxChecker::makePostfixNode):
1827         (JSC::SyntaxChecker::makeDeleteNode):
1828         (JSC::SyntaxChecker::createResolve):
1829         (JSC::SyntaxChecker::createBracketAccess):
1830         (JSC::SyntaxChecker::createDotAccess):
1831         (JSC::SyntaxChecker::createRegExp):
1832         (JSC::SyntaxChecker::createNewExpr):
1833         (JSC::SyntaxChecker::createAssignResolve):
1834         (JSC::SyntaxChecker::createForInLoop):
1835         (JSC::SyntaxChecker::createReturnStatement):
1836         (JSC::SyntaxChecker::createBreakStatement):
1837         (JSC::SyntaxChecker::createContinueStatement):
1838         (JSC::SyntaxChecker::createWithStatement):
1839         (JSC::SyntaxChecker::createLabelStatement):
1840         (JSC::SyntaxChecker::createThrowStatement):
1841         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1842         (JSC::SyntaxChecker::operatorStackPop):
1843         - Use JSTextPosition instead of passing line and lineStart explicitly.
1844
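The JSTextPosition idea from the entry above, as an added example that is not JavaScriptCore's code: a position struct carrying offset, line and lineStart together, a small cursor that keeps the three in sync, and the mismatch the entry warns about when offset and lineStart are sampled at different times. The struct and member names follow the entry; PositionCursor, seek and the helper functions are assumptions of this example.

```cpp
// Added example, not JavaScriptCore's code: a model of recording the divot
// (text offset), its line and the line's start offset as one value, so that
// column = offset - lineStart is never computed from a mismatched pair.
// JSTextPosition/divot/lineStart follow the ChangeLog entry; PositionCursor
// and the helpers below are assumptions of this example.
#include <string>

struct JSTextPosition {
    int line;            // 1-based line number
    int offset;          // absolute character offset into the source
    int lineStartOffset; // offset of the first character of `line`

    int column() const { return offset - lineStartOffset; }

    // Moving along the same line keeps line and lineStart intact.
    JSTextPosition operator+(int adjustment) const
    {
        return { line, offset + adjustment, lineStartOffset };
    }
    JSTextPosition operator-(int adjustment) const
    {
        return { line, offset - adjustment, lineStartOffset };
    }
    // Callers that only want the raw divot offset still get one.
    operator int() const { return offset; }
};

// Minimal cursor over source text (a constructed stand-in for the Lexer's
// currentPosition()): every advance updates all three coordinates at once.
class PositionCursor {
public:
    explicit PositionCursor(const std::string& source) : m_source(source) { }

    JSTextPosition currentPosition() const { return m_position; }
    bool atEnd() const { return m_position.offset >= static_cast<int>(m_source.size()); }

    void advance()
    {
        if (atEnd())
            return;
        char c = m_source[m_position.offset++];
        if (c == '\n') {
            m_position.line++;
            m_position.lineStartOffset = m_position.offset;
        }
    }

    // Advance to the next occurrence of `needle` and return the position of
    // its first character (the "divot" an error would be attributed to).
    JSTextPosition seek(const std::string& needle)
    {
        while (!atEnd() && m_source.compare(m_position.offset, needle.size(), needle) != 0)
            advance();
        return m_position;
    }

private:
    std::string m_source;
    JSTextPosition m_position { 1, 0, 0 };
};

// Line and 0-based column of `needle`, each taken from a single sample.
int lineOf(const std::string& source, const std::string& needle)
{
    PositionCursor cursor(source);
    return cursor.seek(needle).line;
}

int columnOf(const std::string& source, const std::string& needle)
{
    PositionCursor cursor(source);
    return cursor.seek(needle).column();
}

// The hazard the entry describes: the divot offset is sampled, the lexer
// moves past a newline, and only then is lineStart read. The two values no
// longer belong to the same point, so the "column" is garbage.
int columnFromMismatchedSamples(const std::string& source, const std::string& needle)
{
    PositionCursor cursor(source);
    int divot = cursor.seek(needle).offset;                    // sampled now ...
    cursor.seek("\n");
    cursor.advance();                                          // lexer moves on
    int lineStart = cursor.currentPosition().lineStartOffset;  // ... sampled later
    return divot - lineStart;
}
```
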
1845 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
1846
1847         Unreviewed. Fix make distcheck.
1848
1849         * GNUmakefile.list.am: Add missing files to compilation.
1850         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
1851         include FTL header files not included in the compilation.
1852         * dfg/DFGDriver.cpp: Ditto.
1853         * dfg/DFGPlan.cpp: Ditto.
1854
1855 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
1856
1857         Eager stack trace for error objects.
1858         https://bugs.webkit.org/show_bug.cgi?id=118918
1859
1860         Reviewed by Geoffrey Garen.
1861         
1862         Chrome and Firefox give error objects the stack property and we wanted to match
1863         that functionality. This allows developers to see the stack without throwing an object.
1864
1865         * runtime/ErrorInstance.cpp:
1866         (JSC::ErrorInstance::finishCreation):
1867          For error objects that are not thrown as an exception, we pass the stackTrace in 
1868          as a parameter. This allows the error object to have the stack property.
1869         
1870         * interpreter/Interpreter.cpp:
1871         (JSC::stackTraceAsString):
1872         Helper function used to eliminate duplicate code.
1873
1874         (JSC::Interpreter::addStackTraceIfNecessary):
1875         When an error object is created by the user the vm->exceptionStack is not set.
1876         If the user throws this error object later the stack that is in the error object 
1877         may not be the correct stack for the throw, so when we set the vm->exception stack,
1878         the stack property on the error object is set as well.
1879         
1880         * runtime/ErrorConstructor.cpp:
1881         (JSC::constructWithErrorConstructor):
1882         (JSC::callErrorConstructor):
1883         * runtime/NativeErrorConstructor.cpp:
1884         (JSC::constructWithNativeErrorConstructor):
1885         (JSC::callNativeErrorConstructor):
1886         These functions indicate that the user created an error object. For all error objects 
1887         that the user explicitly creates, the topCallFrame is at a new frame created to 
1888         handle the user's call. In this case though, the error object needs the caller's 
1889         frame to create the stack trace correctly.
1890         
1891         * interpreter/Interpreter.h:
1892         * runtime/ErrorInstance.h:
1893         (JSC::ErrorInstance::create):
1894
1895 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
1896
1897         Some cleanup in PropertySlot
1898         https://bugs.webkit.org/show_bug.cgi?id=119189
1899
1900         Reviewed by Geoff Garen.
1901
1902         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
1903         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
1904         is set to a special value to indicate the type (other than custom), and the type is also tracked by
1905         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
1906         (this is invalidOffset if not cacheable).
1907
1908             * Internally, always track the type of the property using an enum value, PropertyType.
1909             * Use m_offset to indicate cacheable.
1910             * Keep the external interface (CachedPropertyType) unchanged.
1911             * Better pack data into the m_data union.
1912
1913         Performance neutral.
1914
1915         * dfg/DFGRepatch.cpp:
1916         (JSC::DFG::tryCacheGetByID):
1917         (JSC::DFG::tryBuildGetByIDList):
1918             - cachedPropertyType() -> isCacheable*()
1919         * jit/JITPropertyAccess.cpp:
1920         (JSC::JIT::privateCompileGetByIdProto):
1921         (JSC::JIT::privateCompileGetByIdSelfList):
1922         (JSC::JIT::privateCompileGetByIdProtoList):
1923         (JSC::JIT::privateCompileGetByIdChainList):
1924         (JSC::JIT::privateCompileGetByIdChain):
1925             - cachedPropertyType() -> isCacheable*()
1926         * jit/JITPropertyAccess32_64.cpp:
1927         (JSC::JIT::privateCompileGetByIdProto):
1928         (JSC::JIT::privateCompileGetByIdSelfList):
1929         (JSC::JIT::privateCompileGetByIdProtoList):
1930         (JSC::JIT::privateCompileGetByIdChainList):
1931         (JSC::JIT::privateCompileGetByIdChain):
1932             - cachedPropertyType() -> isCacheable*()
1933         * jit/JITStubs.cpp:
1934         (JSC::tryCacheGetByID):
1935             - cachedPropertyType() -> isCacheable*()
1936         * llint/LLIntSlowPaths.cpp:
1937         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1938             - cachedPropertyType() -> isCacheable*()
1939         * runtime/PropertySlot.cpp:
1940         (JSC::PropertySlot::functionGetter):
1941             - refactoring described above.
1942         * runtime/PropertySlot.h:
1943         (JSC::PropertySlot::PropertySlot):
1944         (JSC::PropertySlot::getValue):
1945         (JSC::PropertySlot::isCacheable):
1946         (JSC::PropertySlot::isCacheableValue):
1947         (JSC::PropertySlot::isCacheableGetter):
1948         (JSC::PropertySlot::isCacheableCustom):
1949         (JSC::PropertySlot::cachedOffset):
1950         (JSC::PropertySlot::customGetter):
1951         (JSC::PropertySlot::setValue):
1952         (JSC::PropertySlot::setCustom):
1953         (JSC::PropertySlot::setCacheableCustom):
1954         (JSC::PropertySlot::setCustomIndex):
1955         (JSC::PropertySlot::setGetterSlot):
1956         (JSC::PropertySlot::setCacheableGetterSlot):
1957         (JSC::PropertySlot::setUndefined):
1958         (JSC::PropertySlot::slotBase):
1959         (JSC::PropertySlot::setBase):
1960             - refactoring described above.
1961
1962 2013-07-28  Oliver Hunt  <oliver@apple.com>
1963
1964         REGRESSION: Crash when opening Facebook.com
1965         https://bugs.webkit.org/show_bug.cgi?id=119155
1966
1967         Reviewed by Andreas Kling.
1968
1969         Scope nodes are always objects, so we should be using SpecObjectOther
1970         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
1971         contradiction in the CFA, resulting in bogus codegen.
1972
1973         * dfg/DFGAbstractInterpreterInlines.h:
1974         (JSC::DFG::::executeEffects):
1975         * dfg/DFGPredictionPropagationPhase.cpp:
1976         (JSC::DFG::PredictionPropagationPhase::propagate):
1977
1978 2013-07-26  Oliver Hunt  <oliver@apple.com>
1979
1980         REGRESSION(FTL?): Crashes in plugin tests
1981         https://bugs.webkit.org/show_bug.cgi?id=119141
1982
1983         Reviewed by Michael Saboff.
1984
1985         Re-export getStackTrace
1986
1987         * interpreter/Interpreter.h:
1988
1989 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
1990
1991         REGRESSION: Crash when opening a message on Gmail
1992         https://bugs.webkit.org/show_bug.cgi?id=119105
1993
1994         Reviewed by Oliver Hunt and Mark Hahnenberg.
1995         
1996         - GetById patching in the DFG needs to be more disciplined about how it derives the
1997           slow path.
1998         
1999         - Fix some dumping code thread safety issues.
2000
2001         * bytecode/CallLinkStatus.cpp:
2002         (JSC::CallLinkStatus::dump):
2003         * bytecode/CodeBlock.cpp:
2004         (JSC::CodeBlock::dumpBytecode):
2005         * dfg/DFGRepatch.cpp:
2006         (JSC::DFG::getPolymorphicStructureList):
2007         (JSC::DFG::tryBuildGetByIDList):
2008
2009 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
2010
2011         [mips] Fix LLINT build for mips backend
2012         https://bugs.webkit.org/show_bug.cgi?id=119152
2013
2014         Reviewed by Oliver Hunt.
2015
2016         * offlineasm/mips.rb:
2017
2018 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2019
2020         Setting a large numeric property on an object causes it to allocate a huge backing store
2021         https://bugs.webkit.org/show_bug.cgi?id=118914
2022
2023         Reviewed by Geoffrey Garen.
2024
2025         There are two distinct actions that we're trying to optimize for:
2026
2027         new Array(100000);
2028
2029         and:
2030
2031         a = [];
2032         a[100000] = 42;
2033         
2034         In the first case, the programmer has indicated that they expect this Array to be very big, 
2035         so they should get a contiguous array up until some threshold, above which we perform density 
2036         calculations to see if it is indeed dense enough to warrant being contiguous.
2037         
2038         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
2039         we should be more conservative and assume it should be sparse until we've proven otherwise.
2040         
2041         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
2042         between them for the purposes of not over-allocating large backing stores like we see on 
2043         http://www.peekanalytics.com/burgerjoints/
2044         
2045         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
2046         introduce a new heuristic for the second case. If we are putting to an index above a certain 
2047         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
2048         map instead. So for example, in the second case above the empty array has a blank indexing 
2049         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
2050
2051         This fix is ~800x speedup on the accompanying regression test :-o
2052
2053         * runtime/ArrayConventions.h:
2054         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
2055         * runtime/JSObject.cpp:
2056         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2057         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2058         (JSC::JSObject::putByIndexBeyondVectorLength):
2059         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2060
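The two storage decisions described in the entry above, as an added example that is not JavaScriptCore's code: a toy array that stays contiguous for an explicit `new Array(n)` up to MIN_SPARSE_ARRAY_INDEX, and that, for a put-by-val far beyond the current length, switches to a sparse map instead of growing the vector. MIN_SPARSE_ARRAY_INDEX and the "say, 1000" threshold are named in the entry; their values here, the ToyArray class and the byte accounting are constructed for this example only.

```cpp
// Added example, not JavaScriptCore's code: a toy model of the two
// array-storage heuristics described in the entry. The constant values,
// ToyArray and backingStoreBytes() are constructed for this example.
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

// Constructed stand-ins for the real constants in ArrayConventions.h.
static const unsigned MIN_SPARSE_ARRAY_INDEX = 1u << 20;         // constructed value
static const unsigned SPARSE_MAP_BEYOND_LENGTH_THRESHOLD = 1000; // "say, 1000"

// New heuristic: an index above the threshold that is also beyond the
// current length gives no evidence that the array is dense.
inline bool indexIsSufficientlyBeyondLengthForSparseMap(unsigned index, unsigned length)
{
    return index > SPARSE_MAP_BEYOND_LENGTH_THRESHOLD && index > length;
}

class ToyArray {
public:
    // useBeyondLengthHeuristic == false models the behaviour before the fix,
    // where MIN_SPARSE_ARRAY_INDEX alone decided between vector and map.
    explicit ToyArray(bool useBeyondLengthHeuristic = true)
        : m_useBeyondLengthHeuristic(useBeyondLengthHeuristic) { }

    // `new Array(n)`: an explicit size request stays contiguous up to
    // MIN_SPARSE_ARRAY_INDEX (the density check above that is not modelled).
    static ToyArray withLength(unsigned n, bool useBeyondLengthHeuristic = true)
    {
        ToyArray a(useBeyondLengthHeuristic);
        a.m_length = n;
        if (n < MIN_SPARSE_ARRAY_INDEX)
            a.m_vector.resize(n, 0);
        return a;
    }

    // `a[index] = value`
    void putByIndex(unsigned index, int64_t value)
    {
        unsigned lengthBefore = m_length;
        if (index >= m_length)
            m_length = index + 1;

        if (index < m_vector.size()) {
            m_vector[index] = value;
            return;
        }
        bool goSparse = index >= MIN_SPARSE_ARRAY_INDEX
            || (m_useBeyondLengthHeuristic
                && indexIsSufficientlyBeyondLengthForSparseMap(index, lengthBefore));
        if (goSparse) {
            m_sparse[index] = value;       // memory proportional to entries
            return;
        }
        m_vector.resize(index + 1, 0);     // memory proportional to index
        m_vector[index] = value;
    }

    // Holes inside the vector read as 0 in this toy; holes outside it are misses.
    bool get(unsigned index, int64_t& out) const
    {
        if (index < m_vector.size()) {
            out = m_vector[index];
            return true;
        }
        auto it = m_sparse.find(index);
        if (it == m_sparse.end())
            return false;
        out = it->second;
        return true;
    }

    unsigned length() const { return m_length; }
    size_t vectorSlots() const { return m_vector.size(); }
    size_t sparseEntries() const { return m_sparse.size(); }

    // Rough backing-store cost, enough to compare the two policies.
    size_t backingStoreBytes() const
    {
        return m_vector.size() * sizeof(int64_t)
            + m_sparse.size() * (sizeof(unsigned) + sizeof(int64_t));
    }

private:
    bool m_useBeyondLengthHeuristic;
    unsigned m_length = 0;
    std::vector<int64_t> m_vector;
    std::map<unsigned, int64_t> m_sparse;
};

// The entry's second case, `a = []; a[index] = 42;`, under each policy.
size_t bytesForLonePutAt(unsigned index, bool useBeyondLengthHeuristic)
{
    ToyArray a(useBeyondLengthHeuristic);
    a.putByIndex(index, 42);
    return a.backingStoreBytes();
}
```
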
2061 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2062
2063         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
2064         https://bugs.webkit.org/show_bug.cgi?id=119148
2065
2066         Reviewed by Csaba Osztrogonác.
2067
2068         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
2069         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
2070         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
2071         code duplication.
2072
2073 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2074
2075         REGRESSION(FTL): Crash in sh4 baseline JIT.
2076         https://bugs.webkit.org/show_bug.cgi?id=119138
2077
2078         Reviewed by Csaba Osztrogonác.
2079
2080         This crash is due to incomplete report of r150146 and r148474.
2081
2082         * jit/JITStubsSH4.h:
2083
2084 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
2085
2086         Unreviewed.
2087
2088         * Target.pri: Adding missing DFG files to the Qt build.
2089
2090 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2091
2092         GTK and Qt buildfix after the intrusive win buildfix r153360.
2093
2094         * GNUmakefile.list.am:
2095         * Target.pri:
2096
2097 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2098
2099         Unreviewed, fix build break after r153360.
2100
2101         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
2102
2103 2013-07-25  Roger Fong  <roger_fong@apple.com>
2104
2105         Unreviewed build fix, AppleWin port.
2106
2107         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2108         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2109         * JavaScriptCore.vcxproj/copy-files.cmd:
2110
2111 2013-07-25  Roger Fong  <roger_fong@apple.com>
2112
2113         Unreviewed. Followup to r153360.
2114
2115         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2116         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2117
2118 2013-07-25  Michael Saboff  <msaboff@apple.com>
2119
2120         [Windows] Speculative build fix.
2121
2122         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2123         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2124
2125         * JavaScriptCore.xcodeproj/project.pbxproj:
2126         * llint/LLIntExceptions.cpp:
2127         * llint/LLIntExceptions.h:
2128         * llint/LLIntSlowPaths.cpp:
2129         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2130         * runtime/CommonSlowPaths.cpp:
2131         (JSC::SLOW_PATH_DECL):
2132         * runtime/CommonSlowPathsExceptions.cpp: Added.
2133         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2134         * runtime/CommonSlowPathsExceptions.h: Added.
2135
2136 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2137
2138         [Windows] Unreviewed build fix.
2139
2140         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2141         parser/SourceCode.h,.cpp.
2142         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2143
2144 2013-07-25  Anders Carlsson  <andersca@apple.com>
2145
2146         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2147         https://bugs.webkit.org/show_bug.cgi?id=119108
2148
2149         Reviewed by Mark Hahnenberg.
2150
2151         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2152
2153         * heap/CopiedSpace.cpp:
2154         (JSC::CopiedSpace::tryAllocateSlowCase):
2155         * heap/Heap.cpp:
2156         (JSC::Heap::protect):
2157         (JSC::Heap::unprotect):
2158         (JSC::Heap::collect):
2159         * heap/MarkedAllocator.cpp:
2160         (JSC::MarkedAllocator::allocateSlowCase):
2161         * runtime/JSGlobalObject.cpp:
2162         (JSC::JSGlobalObject::init):
2163         * runtime/VM.h:
2164         (JSC::VM::currentThreadIsHoldingAPILock):
2165
2166 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2167
2168         REGRESSION(FTL): Most layout tests crashes
2169         https://bugs.webkit.org/show_bug.cgi?id=119089
2170
2171         Reviewed by Oliver Hunt.
2172
2173         * runtime/ExecutionHarness.h:
2174         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2175         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2176         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
2177         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2178         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2179         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2180
2181 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2182
2183         [Windows] Unreviewed build fix.
2184
2185         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2186         include path.
2187
2188 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2189
2190         [Windows] Unreviewed build fix.
2191
2192         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2193         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2194         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2195
2196 2013-07-25  Oliver Hunt  <oliver@apple.com>
2197
2198         Make all jit & non-jit combos build cleanly
2199         https://bugs.webkit.org/show_bug.cgi?id=119102
2200
2201         Reviewed by Anders Carlsson.
2202
2203         * bytecode/CodeBlock.cpp:
2204         (JSC::CodeBlock::counterValueForOptimizeSoon):
2205         * bytecode/CodeBlock.h:
2206         (JSC::CodeBlock::optimizeAfterWarmUp):
2207         (JSC::CodeBlock::numberOfDFGCompiles):
2208
2209 2013-07-25  Oliver Hunt  <oliver@apple.com>
2210
2211         32 bit portion of load validation logic
2212         https://bugs.webkit.org/show_bug.cgi?id=118878
2213
2214         Reviewed by NOBODY (Build fix).
2215
2216         * dfg/DFGSpeculativeJIT32_64.cpp:
2217         (JSC::DFG::SpeculativeJIT::compile):
2218
2219 2013-07-25  Oliver Hunt  <oliver@apple.com>
2220
2221         More 32bit build fixes
2222
2223         - Apparently some compilers don't track the fastcall directive everywhere we expect
2224
2225         * API/APICallbackFunction.h:
2226         (JSC::APICallbackFunction::call):
2227         * bytecode/CodeBlock.cpp:
2228         * runtime/Structure.cpp:
2229
2230 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2231
2232         Optimize the thread locks for API Shims
2233         https://bugs.webkit.org/show_bug.cgi?id=118573
2234
2235         Reviewed by Geoffrey Garen.
2236
2237         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2238         only used by WebCore's main thread).
2239
2240         * API/APIShims.h:
2241         (JSC::APIEntryShim::APIEntryShim):
2242         (JSC::APICallbackShim::APICallbackShim):
2243         * runtime/JSLock.cpp:
2244         (JSC::JSLockHolder::JSLockHolder):
2245         (JSC::JSLockHolder::init):
2246         (JSC::JSLockHolder::~JSLockHolder):
2247         (JSC::JSLock::DropAllLocks::DropAllLocks):
2248         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2249         * runtime/VM.cpp:
2250         (JSC::VM::VM):
2251         * runtime/VM.h:
2252
2253 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2254
2255         Unreviewed build fix after r153218.
2256
2257         Broke the EFL port build with gcc 4.7.
2258
2259         * interpreter/StackIterator.cpp:
2260         (JSC::printif):
2261
2262 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2263
2264         Build fix: add missing #include.
2265         https://bugs.webkit.org/show_bug.cgi?id=119087
2266
2267         Reviewed by Allan Sandfeld Jensen.
2268
2269         * bytecode/ArrayProfile.cpp:
2270
2271 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2272
2273         Unreviewed, build fix on the EFL port.
2274
2275         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2276
2277 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2278
2279         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2280         https://bugs.webkit.org/show_bug.cgi?id=119083
2281
2282         Reviewed by Allan Sandfeld Jensen.
2283
2284         * assembler/MacroAssemblerSH4.h:
2285         (JSC::MacroAssemblerSH4::store8):
2286
2287 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2288
2289         [Qt] Fix test build after FTL upstream
2290
2291         Unreviewed build fix.
2292
2293         * Target.pri:
2294
2295 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2296
2297         [Qt] Build fix after FTL.
2298
2299         Unreviewed build fix.
2300
2301         * Target.pri:
2302         * interpreter/StackIterator.cpp:
2303         (JSC::StackIterator::Frame::print):
2304
2305 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2306
2307         Unreviewed build fix after FTL upstream.
2308
2309         * dfg/DFGWorklist.cpp:
2310         (JSC::DFG::Worklist::~Worklist):
2311
2312 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2313
2314         Unreviewed, build fix on the EFL port.
2315
2316         * CMakeLists.txt:
2317         Added SourceCode.cpp and removed BlackBerry file.
2318         * jit/JITCode.h:
2319         (JSC::JITCode::nextTierJIT):
2320         Fixed build break caused by -Werror=return-type
2321         * parser/Lexer.cpp: Includes JSFunctionInlines.h
2322         * runtime/JSScope.h:
2323         (JSC::makeType):
2324         Fixed build break caused by -Werror=return-type
2325
2326 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2327
2328         Unreviewed build fixing after FTL upstream.
2329
2330         * runtime/Executable.cpp:
2331         (JSC::FunctionExecutable::produceCodeBlockFor):
2332
2333 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2334
2335         Add missing implementation of bxxxnz in sh4 LLINT.
2336         https://bugs.webkit.org/show_bug.cgi?id=119079
2337
2338         Reviewed by Allan Sandfeld Jensen.
2339
2340         * offlineasm/sh4.rb:
2341
2342 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2343
2344         Unreviewed, build fix on the Qt port.
2345
2346         * Target.pri: Add additional build files for the FTL.
2347
2348 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2349
2350         Unreviewed buildfix after FTL upstream.
2351
2352         * interpreter/StackIterator.cpp:
2353         (JSC::StackIterator::Frame::codeType):
2354         (JSC::StackIterator::Frame::functionName):
2355         (JSC::StackIterator::Frame::sourceURL):
2356         (JSC::StackIterator::Frame::logicalFrame):
2357
2358 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2359
2360         Unreviewed.
2361
2362         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
2363         method is not left undefined, causing build failures on (at least) the GTK port.
2364
2365 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2366
2367         Unreviewed, further build fixing on the GTK port.
2368
2369         * GNUmakefile.list.am: Add CompilationResult source files to the build.
2370
2371 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2372
2373         Unreviewed GTK build fixing.
2374
2375         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
2376         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
2377
2378 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2379
2380         Buildfix after this error:
2381         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
2382
2383         * dfg/DFGPlan.cpp:
2384         (JSC::DFG::Plan::compileInThread):
2385
2386 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2387
2388         One more buildfix after FTL upstream.
2389
2390         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
2391
2392         * dfg/DFGLazyJSValue.cpp:
2393         (JSC::DFG::LazyJSValue::getValue):
2394         (JSC::DFG::LazyJSValue::strictEqual):
2395
2396 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2397
2398         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
2399         https://bugs.webkit.org/show_bug.cgi?id=119076
2400
2401         Reviewed by Allan Sandfeld Jensen.
2402
2403         * offlineasm/mips.rb:
2404         * offlineasm/sh4.rb:
2405
2406 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2407
2408         Unreviewed GTK build fix.
2409
2410         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
2411
2412 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2413
2414         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
2415         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
2416
2417         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
2418
2419 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2420
2421         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
2422
2423         * GNUmakefile.am:
2424         * GNUmakefile.list.am:
2425
2426 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2427
2428         Unreviewed buildfix after FTL upstream.
2429
2430         * runtime/JSScope.h:
2431         (JSC::needsVarInjectionChecks):
2432
2433 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2434
2435         One more fix after FTL upstream.
2436
2437         * Target.pri:
2438         * bytecode/CodeBlock.h:
2439         * bytecode/GetByIdStatus.h:
2440         (JSC::GetByIdStatus::GetByIdStatus):
2441
2442 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2443
2444         Unreviewed buildfix after FTL upstream.
2445
2446         Add ftl directory as include path.
2447
2448         * CMakeLists.txt:
2449         * JavaScriptCore.pri:
2450
2451 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2452
2453         Unreviewed buildfix after FTL upstream for non C++11 builds.
2454
2455         * interpreter/CallFrame.h:
2456         * interpreter/StackIteratorPrivate.h:
2457         (JSC::StackIterator::end):
2458
2459 2013-07-24  Oliver Hunt  <oliver@apple.com>
2460
2461         Endeavour to fix CMakelist builds
2462
2463         * CMakeLists.txt:
2464
2465 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
2466
2467         fourthTier: DFG IR dumps should be easier to read
2468         https://bugs.webkit.org/show_bug.cgi?id=119050
2469
2470         Reviewed by Mark Hahnenberg.
2471         
2472         Added a DumpContext that includes support for printing an endnote
2473         that describes all structures in full, while the main flow of the
2474         dump just uses made-up names for the structures. This is helpful
2475         since Structure::dump() may print a lot. The stuff it prints is
2476         useful, but if it's all inline with the surrounding thing you're
2477         dumping (often, a node in the DFG), then you get a ridiculously
2478         long print-out. All classes that dump structures (including
2479         Structure itself) now have dumpInContext() methods that use
2480         inContext() for dumping anything that might transitively print a
2481         structure. If Structure::dumpInContext() is called with a NULL
2482         context, it just uses dump() like before. Hence you don't have to
2483         know anything about DumpContext unless you want to.
2484         
2485         inContext(*structure, context) dumps something like %B4:Array,
2486         and the endnote will have something like:
2487         
2488             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
2489         
2490         where B4 is the inferred name that StringHashDumpContext came up
2491         with.
2492         
2493         Also shortened a bunch of other dumps, removing information that
2494         isn't so important.
2495         
2496         * JavaScriptCore.xcodeproj/project.pbxproj:
2497         * bytecode/ArrayProfile.cpp:
2498         (JSC::dumpArrayModes):
2499         * bytecode/CodeBlockHash.cpp:
2500         (JSC):
2501         (JSC::CodeBlockHash::CodeBlockHash):
2502         (JSC::CodeBlockHash::dump):
2503         * bytecode/CodeOrigin.cpp:
2504         (JSC::CodeOrigin::dumpInContext):
2505         (JSC):
2506         (JSC::InlineCallFrame::dumpInContext):
2507         (JSC::InlineCallFrame::dump):
2508         * bytecode/CodeOrigin.h:
2509         (CodeOrigin):
2510         (InlineCallFrame):
2511         * bytecode/Operands.h:
2512         (JSC::OperandValueTraits::isEmptyForDump):
2513         (Operands):
2514         (JSC::Operands::dump):
2515         (JSC):
2516         * bytecode/OperandsInlines.h: Added.
2517         (JSC):
2518         (JSC::::dumpInContext):
2519         * bytecode/StructureSet.h:
2520         (JSC::StructureSet::dumpInContext):
2521         (JSC::StructureSet::dump):
2522         (StructureSet):
2523         * dfg/DFGAbstractValue.cpp:
2524         (JSC::DFG::AbstractValue::dump):
2525         (DFG):
2526         (JSC::DFG::AbstractValue::dumpInContext):
2527         * dfg/DFGAbstractValue.h:
2528         (JSC::DFG::AbstractValue::operator!):
2529         (AbstractValue):
2530         * dfg/DFGCFAPhase.cpp:
2531         (JSC::DFG::CFAPhase::performBlockCFA):
2532         * dfg/DFGCommon.cpp:
2533         * dfg/DFGCommon.h:
2534         (JSC::DFG::NodePointerTraits::isEmptyForDump):
2535         * dfg/DFGDisassembler.cpp:
2536         (JSC::DFG::Disassembler::createDumpList):
2537         * dfg/DFGDisassembler.h:
2538         (Disassembler):
2539         * dfg/DFGFlushFormat.h:
2540         (WTF::inContext):
2541         (WTF):
2542         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2543         * dfg/DFGGraph.cpp:
2544         (JSC::DFG::Graph::dumpCodeOrigin):
2545         (JSC::DFG::Graph::dump):
2546         (JSC::DFG::Graph::dumpBlockHeader):
2547         * dfg/DFGGraph.h:
2548         (Graph):
2549         * dfg/DFGLazyJSValue.cpp:
2550         (JSC::DFG::LazyJSValue::dumpInContext):
2551         (JSC::DFG::LazyJSValue::dump):
2552         (DFG):
2553         * dfg/DFGLazyJSValue.h:
2554         (LazyJSValue):
2555         * dfg/DFGNode.h:
2556         (JSC::DFG::nodeMapDump):
2557         (WTF::inContext):
2558         (WTF):
2559         * dfg/DFGOSRExitCompiler32_64.cpp:
2560         (JSC::DFG::OSRExitCompiler::compileExit):
2561         * dfg/DFGOSRExitCompiler64.cpp:
2562         (JSC::DFG::OSRExitCompiler::compileExit):
2563         * dfg/DFGStructureAbstractValue.h:
2564         (JSC::DFG::StructureAbstractValue::dumpInContext):
2565         (JSC::DFG::StructureAbstractValue::dump):
2566         (StructureAbstractValue):
2567         * ftl/FTLExitValue.cpp:
2568         (JSC::FTL::ExitValue::dumpInContext):
2569         (JSC::FTL::ExitValue::dump):
2570         (FTL):
2571         * ftl/FTLExitValue.h:
2572         (ExitValue):
2573         * ftl/FTLLowerDFGToLLVM.cpp:
2574         * ftl/FTLValueSource.cpp:
2575         (JSC::FTL::ValueSource::dumpInContext):
2576         (FTL):
2577         * ftl/FTLValueSource.h:
2578         (ValueSource):
2579         * runtime/DumpContext.cpp: Added.
2580         (JSC):
2581         (JSC::DumpContext::DumpContext):
2582         (JSC::DumpContext::~DumpContext):
2583         (JSC::DumpContext::isEmpty):
2584         (JSC::DumpContext::dump):
2585         * runtime/DumpContext.h: Added.
2586         (JSC):
2587         (DumpContext):
2588         * runtime/JSCJSValue.cpp:
2589         (JSC::JSValue::dump):
2590         (JSC):
2591         (JSC::JSValue::dumpInContext):
2592         * runtime/JSCJSValue.h:
2593         (JSC):
2594         (JSValue):
2595         * runtime/Structure.cpp:
2596         (JSC::Structure::dumpInContext):
2597         (JSC):
2598         (JSC::Structure::dumpBrief):
2599         (JSC::Structure::dumpContextHeader):
2600         * runtime/Structure.h:
2601         (JSC):
2602         (Structure):
2603
2604 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
2605
2606         fourthTier: DFG should do a high-level LICM before going to FTL
2607         https://bugs.webkit.org/show_bug.cgi?id=118749
2608
2609         Reviewed by Oliver Hunt.
2610         
2611         Implements LICM hoisting for nodes that never write anything and never read
2612         things that are clobbered by the loop. There are some other preconditions for
2613         hoisting, see DFGLICMPhase.cpp.
2614
2615         Also did a few fixes:
2616         
2617         - ClobberSet::add was failing to switch Super entries to Direct entries in
2618           some cases.
2619         
2620         - DFGClobberize.cpp needed to #include "Operations.h".
2621         
2622         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
2623         
2624         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
2625           Knowing the indexInBlock is an optional optimization that all other clients
2626           of AI still opt into, but LICM doesn't.
2627         
2628         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
2629
2630         * JavaScriptCore.xcodeproj/project.pbxproj:
2631         * dfg/DFGAbstractInterpreter.h:
2632         (AbstractInterpreter):
2633         * dfg/DFGAbstractInterpreterInlines.h:
2634         (JSC::DFG::::executeEffects):
2635         (JSC::DFG::::execute):
2636         (DFG):
2637         (JSC::DFG::::clobberWorld):
2638         (JSC::DFG::::clobberStructures):
2639         * dfg/DFGAtTailAbstractState.cpp: Added.
2640         (DFG):
2641         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2642         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
2643         (JSC::DFG::AtTailAbstractState::createValueForNode):
2644         (JSC::DFG::AtTailAbstractState::forNode):
2645         * dfg/DFGAtTailAbstractState.h: Added.
2646         (DFG):
2647         (AtTailAbstractState):
2648         (JSC::DFG::AtTailAbstractState::initializeTo):
2649         (JSC::DFG::AtTailAbstractState::forNode):
2650         (JSC::DFG::AtTailAbstractState::variables):
2651         (JSC::DFG::AtTailAbstractState::block):
2652         (JSC::DFG::AtTailAbstractState::isValid):
2653         (JSC::DFG::AtTailAbstractState::setDidClobber):
2654         (JSC::DFG::AtTailAbstractState::setIsValid):
2655         (JSC::DFG::AtTailAbstractState::setBranchDirection):
2656         (JSC::DFG::AtTailAbstractState::setFoundConstants):
2657         (JSC::DFG::AtTailAbstractState::haveStructures):
2658         (JSC::DFG::AtTailAbstractState::setHaveStructures):
2659         * dfg/DFGBasicBlock.h:
2660         (JSC::DFG::BasicBlock::insertBeforeLast):
2661         * dfg/DFGBasicBlockInlines.h:
2662         (DFG):
2663         * dfg/DFGClobberSet.cpp:
2664         (JSC::DFG::ClobberSet::add):
2665         (JSC::DFG::ClobberSet::addAll):
2666         * dfg/DFGClobberize.cpp:
2667         (JSC::DFG::doesWrites):
2668         * dfg/DFGClobberize.h:
2669         (DFG):
2670         * dfg/DFGDCEPhase.cpp:
2671         (JSC::DFG::DCEPhase::DCEPhase):
2672         (JSC::DFG::DCEPhase::run):
2673         (JSC::DFG::DCEPhase::fixupBlock):
2674         (DCEPhase):
2675         * dfg/DFGEdgeDominates.h: Added.
2676         (DFG):
2677         (EdgeDominates):
2678         (JSC::DFG::EdgeDominates::EdgeDominates):
2679         (JSC::DFG::EdgeDominates::operator()):
2680         (JSC::DFG::EdgeDominates::result):
2681         (JSC::DFG::edgesDominate):
2682         * dfg/DFGFixupPhase.cpp:
2683         (JSC::DFG::FixupPhase::fixupNode):
2684         (JSC::DFG::FixupPhase::checkArray):
2685         * dfg/DFGLICMPhase.cpp: Added.
2686         (LICMPhase):
2687         (JSC::DFG::LICMPhase::LICMPhase):
2688         (JSC::DFG::LICMPhase::run):
2689         (JSC::DFG::LICMPhase::attemptHoist):
2690         (DFG):
2691         (JSC::DFG::performLICM):
2692         * dfg/DFGLICMPhase.h: Added.
2693         (DFG):
2694         * dfg/DFGPlan.cpp:
2695         (JSC::DFG::Plan::compileInThreadImpl):
2696
2697 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2698
2699         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
2700         https://bugs.webkit.org/show_bug.cgi?id=118910
2701
2702         Reviewed by Sam Weinig.
2703         
2704         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
2705         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
2706         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
2707         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
2708         create them all up front). FTL AbstractHeaps also don't actually give you the
2709         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
2710         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
2711         They also give you aliasing machinery. The DFG AbstractHeaps are represented
2712         internally by an int64_t. Many comparisons between them are just integer comparisons.
2713         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
2714         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
2715         payload is the direct subtype of its corresponding TOP Kind).
2716         
2717         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
2718         clobbered. It represents the set that results from unifying a bunch of
2719         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
2720         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
2721         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
2722         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
2723         member is equal to it, or if any of its ancestors are equal to a direct member.
2724         
2725         Example #1:
2726         
2727             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
2728               is a subtype of Variables, which is a subtype of World.
2729             - You query Variables. I.e. Variables with a TOP payload, which is the
2730               supertype of Variables(X) for any X, and a subtype of World.
2731             
2732             The set will have Variables(5) as a direct member, and Variables and World as
2733             super members. The Variables query will immediately return true, because
2734             Variables is indeed a super member.
2735         
2736         Example #2:
2737         
2738             - I add Variables(5)
2739             - You query NamedProperties
2740             
2741             NamedProperties is not a member at all (neither direct or super). We next
2742             query World. World is a member, but it's a super member, so we return false.
2743         
2744         Example #3:
2745         
2746             - I add Variables
2747             - You query Variables(5)
2748             
2749             The set will have Variables as a direct member, and World as a super member.
2750             The Variables(5) query will not find Variables(5) in the set, but then it
2751             will query Variables. Variables is a direct member, so we return true.
2752         
2753         Example #4:
2754         
2755             - I add Variables
2756             - You query NamedProperties(5)
2757             
2758             Neither NamedProperties nor NamedProperties(5) is a member. We next query
2759             World. World is a member, but it's a super member, so we return false.
2760         
2761         Overlap queries require that either the heap being queried is in the set (either
2762         direct or super), or that one of its ancestors is a direct member. Another way to
2763         think about how this works is that two heaps A and B are said to overlap if
2764         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
2765         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
2766         heaps and answers the question, "is any member in the set an ancestor (i.e.
2767         supertype) of some other heap". We would have the set contain the heaps themselves,
2768         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
2769         chain of A, and repeatedly querying its membership in the set. This is what the
2770         "direct" members of our set do. Now consider the other part, where we want to ask if
2771         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
2772         would implement this by implementing set.add(B) as adding not just B but also all of
2773         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
2774         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
2775         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
2776         heap" question. ClobberSet does this, but combines the two sets into a single
2777         HashMap. The HashMap's value, "direct", means that the key is a member of both the
2778         supertype set and the subtype set; if it's false then it's only a member of one of
2779         them.
2780         
2781         Finally, this adds a functorized clobberize() method that adds the read and write
2782         clobbers of a DFG::Node to read and write functors. Common functors for adding to
2783         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
2784         are also provided. This allows you to say things like:
2785         
2786             ClobberSet set;
2787             addWrites(graph, node1, set);
2788             if (readsOverlap(graph, node2, set))
2789                 // We know that node1 may write to something that node2 may read from.
2790         
2791         Currently this facility is only used to improve graph dumping, but it will be
2792         instrumental in both LICM and GVN. In the future, I want to completely kill the
2793         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
2794         of accomplishing almost exactly what AbstractHeap gives you.
2795
2796         * JavaScriptCore.xcodeproj/project.pbxproj:
2797         * dfg/DFGAbstractHeap.cpp: Added.
2798         (DFG):
2799         (JSC::DFG::AbstractHeap::Payload::dump):
2800         (JSC::DFG::AbstractHeap::dump):
2801         (WTF):
2802         (WTF::printInternal):
2803         * dfg/DFGAbstractHeap.h: Added.
2804         (DFG):
2805         (AbstractHeap):
2806         (Payload):
2807         (JSC::DFG::AbstractHeap::Payload::Payload):
2808         (JSC::DFG::AbstractHeap::Payload::top):
2809         (JSC::DFG::AbstractHeap::Payload::isTop):
2810         (JSC::DFG::AbstractHeap::Payload::value):
2811         (JSC::DFG::AbstractHeap::Payload::valueImpl):
2812         (JSC::DFG::AbstractHeap::Payload::operator==):
2813         (JSC::DFG::AbstractHeap::Payload::operator!=):
2814         (JSC::DFG::AbstractHeap::Payload::operator<):
2815         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
2816         (JSC::DFG::AbstractHeap::Payload::overlaps):
2817         (JSC::DFG::AbstractHeap::AbstractHeap):
2818         (JSC::DFG::AbstractHeap::operator!):
2819         (JSC::DFG::AbstractHeap::kind):
2820         (JSC::DFG::AbstractHeap::payload):
2821         (JSC::DFG::AbstractHeap::isDisjoint):
2822         (JSC::DFG::AbstractHeap::overlaps):
2823         (JSC::DFG::AbstractHeap::supertype):
2824         (JSC::DFG::AbstractHeap::hash):
2825         (JSC::DFG::AbstractHeap::operator==):
2826         (JSC::DFG::AbstractHeap::operator!=):
2827         (JSC::DFG::AbstractHeap::operator<):
2828         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
2829         (JSC::DFG::AbstractHeap::payloadImpl):
2830         (JSC::DFG::AbstractHeap::encode):
2831         (JSC::DFG::AbstractHeapHash::hash):
2832         (JSC::DFG::AbstractHeapHash::equal):
2833         (AbstractHeapHash):
2834         (WTF):
2835         * dfg/DFGClobberSet.cpp: Added.
2836         (DFG):
2837         (JSC::DFG::ClobberSet::ClobberSet):
2838         (JSC::DFG::ClobberSet::~ClobberSet):
2839         (JSC::DFG::ClobberSet::add):
2840         (JSC::DFG::ClobberSet::addAll):
2841         (JSC::DFG::ClobberSet::contains):
2842         (JSC::DFG::ClobberSet::overlaps):
2843         (JSC::DFG::ClobberSet::clear):
2844         (JSC::DFG::ClobberSet::direct):
2845         (JSC::DFG::ClobberSet::super):
2846         (JSC::DFG::ClobberSet::dump):
2847         (JSC::DFG::ClobberSet::setOf):
2848         (JSC::DFG::addReads):
2849         (JSC::DFG::addWrites):
2850         (JSC::DFG::addReadsAndWrites):
2851         (JSC::DFG::readsOverlap):
2852         (JSC::DFG::writesOverlap):
2853         * dfg/DFGClobberSet.h: Added.
2854         (DFG):
2855         (ClobberSet):
2856         (JSC::DFG::ClobberSet::isEmpty):
2857         (ClobberSetAdd):
2858         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
2859         (JSC::DFG::ClobberSetAdd::operator()):
2860         (ClobberSetOverlaps):
2861         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
2862         (JSC::DFG::ClobberSetOverlaps::operator()):
2863         (JSC::DFG::ClobberSetOverlaps::result):
2864         * dfg/DFGClobberize.cpp: Added.
2865         (DFG):
2866         (JSC::DFG::didWrites):
2867         * dfg/DFGClobberize.h: Added.
2868         (DFG):
2869         (JSC::DFG::clobberize):
2870         (NoOpClobberize):
2871         (JSC::DFG::NoOpClobberize::NoOpClobberize):
2872         (JSC::DFG::NoOpClobberize::operator()):
2873         (CheckClobberize):
2874         (JSC::DFG::CheckClobberize::CheckClobberize):
2875         (JSC::DFG::CheckClobberize::operator()):
2876         (JSC::DFG::CheckClobberize::result):
2877         * dfg/DFGGraph.cpp:
2878         (JSC::DFG::Graph::dump):
2879
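The AbstractHeap hierarchy and the ClobberSet direct/super scheme described in the entry above (bug 118910), with its four worked examples, the addWrites/readsOverlap usage it sketches, and the ClobberSet::add super-to-direct fix noted in the LICM entry (bug 118749), as an added stand-alone C++ model. This is not JavaScriptCore code and is not part of this ChangeLog: the abbreviated Kind list, the 64-bit encoding with 7 kind bits and 56 payload bits, the Node stand-in and the helper names are assumptions made for illustration.

```cpp
// Added example, not JavaScriptCore code: a compact model of the AbstractHeap /
// ClobberSet scheme. The Kind list, the encoding and the Node shape are assumptions.
#include <cstdint>
#include <functional>
#include <unordered_map>
#include <vector>

namespace Example {

// Assumed, abbreviated Kind list. World is the supertype of everything.
enum Kind : uint8_t { World, Variables, NamedProperties, IndexedProperties };

// Three-level hierarchy: World > Kind(TOP) > Kind(payload).
class AbstractHeap {
public:
    explicit AbstractHeap(Kind kind) : m_kind(kind), m_top(true), m_value(0) {} // Kind with TOP payload
    AbstractHeap(Kind kind, int64_t value) : m_kind(kind), m_top(false), m_value(value) {}

    bool isWorld() const { return m_kind == World; }

    // Immediate supertype. World has none, so ancestor walks stop at isWorld().
    AbstractHeap supertype() const { return m_top ? AbstractHeap(World) : AbstractHeap(m_kind); }

    // One integer encodes a heap, so equality and hashing are integer operations.
    // Assumes kinds fit in 7 bits and payload values in 56 bits.
    uint64_t encode() const {
        const uint64_t mask56 = (uint64_t(1) << 56) - 1;
        return (uint64_t(m_kind) << 57) | (uint64_t(m_top) << 56) | (uint64_t(m_value) & mask56);
    }
    bool operator==(const AbstractHeap& other) const { return encode() == other.encode(); }

private:
    Kind m_kind;
    bool m_top;
    int64_t m_value;
};

struct AbstractHeapHash {
    size_t operator()(const AbstractHeap& heap) const { return std::hash<uint64_t>()(heap.encode()); }
};

// One HashMap plays both the "subtype" and the "supertype" set: the mapped bool
// is true for a direct member and false for a super (ancestor-only) member.
class ClobberSet {
public:
    void add(const AbstractHeap& heap) {
        m_map[heap] = true; // unconditional, so an earlier super entry becomes direct
        for (AbstractHeap cur = heap; !cur.isWorld();) {
            cur = cur.supertype();
            m_map.emplace(cur, false); // no-op if present: a direct ancestor stays direct
        }
    }
    bool contains(const AbstractHeap& heap) const { return m_map.count(heap) != 0; }
    bool isDirect(const AbstractHeap& heap) const {
        auto it = m_map.find(heap);
        return it != m_map.end() && it->second;
    }
    // Overlap: the heap itself is a member (direct or super), or one of its
    // ancestors is a direct member.
    bool overlaps(const AbstractHeap& heap) const {
        if (contains(heap))
            return true;
        for (AbstractHeap cur = heap; !cur.isWorld();) {
            cur = cur.supertype();
            if (isDirect(cur))
                return true;
        }
        return false;
    }
private:
    std::unordered_map<AbstractHeap, bool, AbstractHeapHash> m_map;
};

// Stand-in for a node's clobberize() output (assumed shape, not the DFG API).
struct Node { std::vector<AbstractHeap> reads, writes; };

inline void addWrites(const Node& node, ClobberSet& set) { for (const AbstractHeap& h : node.writes) set.add(h); }
inline bool readsOverlap(const Node& node, const ClobberSet& set) {
    for (const AbstractHeap& h : node.reads) if (set.overlaps(h)) return true;
    return false;
}

// The four examples from the entry, each returning the overlap answer.
inline bool example1() { ClobberSet s; s.add({Variables, 5}); return s.overlaps(AbstractHeap(Variables)); }      // true
inline bool example2() { ClobberSet s; s.add({Variables, 5}); return s.overlaps(AbstractHeap(NamedProperties)); } // false
inline bool example3() { ClobberSet s; s.add(AbstractHeap(Variables)); return s.overlaps({Variables, 5}); }       // true
inline bool example4() { ClobberSet s; s.add(AbstractHeap(Variables)); return s.overlaps({NamedProperties, 5}); } // false

// The case behind the ClobberSet::add fix in the LICM entry: adding Variables(5)
// and then Variables must leave Variables as a direct member, not a super one.
inline bool superIsPromotedToDirect() { ClobberSet s; s.add({Variables, 5}); s.add(AbstractHeap(Variables)); return s.isDirect(AbstractHeap(Variables)); }

// node1 writes Variables(5), node2 reads all Variables: node1 may write what node2 reads.
inline bool node1MayWriteWhatNode2Reads() {
    Node node1 { {}, { AbstractHeap(Variables, 5) } };
    Node node2 { { AbstractHeap(Variables) }, {} };
    ClobberSet set;
    addWrites(node1, set);
    return readsOverlap(node2, set);
}

} // namespace Example
```

The example functions map one-to-one onto the four cases in the entry; superIsPromotedToDirect() is the situation the later ClobberSet::add fix addresses, which this model handles by always writing the direct flag on add. Compiles with any C++11 compiler (for instance g++ -std=c++11).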
2880 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2881
2882         fourthTier: It should be easy to figure out which blocks nodes belong to
2883         https://bugs.webkit.org/show_bug.cgi?id=118957
2884
2885         Reviewed by Sam Weinig.
2886
2887         * dfg/DFGGraph.cpp:
2888         (DFG):
2889         (JSC::DFG::Graph::initializeNodeOwners):
2890         * dfg/DFGGraph.h:
2891         (Graph):
2892         * dfg/DFGNode.h:
2893
2894 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2895
2896         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
2897         https://bugs.webkit.org/show_bug.cgi?id=118956
2898
2899         Reviewed by Sam Weinig.
2900         
2901         We had two ways of expressing that something exits forward: the NodeExitsForward
2902         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
2903         makes it just be a flag.
2904
2905         * dfg/DFGAbstractInterpreterInlines.h:
2906         (JSC::DFG::::executeEffects):
2907         * dfg/DFGArgumentsSimplificationPhase.cpp:
2908         (JSC::DFG::ArgumentsSimplificationPhase::run):
2909         * dfg/DFGCSEPhase.cpp:
2910         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
2911         (JSC::DFG::CSEPhase::checkStructureElimination):
2912         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2913         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2914         (JSC::DFG::CSEPhase::checkArrayElimination):
2915         (JSC::DFG::CSEPhase::performNodeCSE):
2916         * dfg/DFGConstantFoldingPhase.cpp:
2917         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2918         * dfg/DFGFixupPhase.cpp:
2919         (JSC::DFG::FixupPhase::fixupNode):
2920         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2921         * dfg/DFGMinifiedNode.h:
2922         (JSC::DFG::belongsInMinifiedGraph):
2923         (JSC::DFG::MinifiedNode::hasChild):
2924         * dfg/DFGNode.h:
2925         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
2926         (JSC::DFG::Node::hasStructureSet):
2927         (JSC::DFG::Node::hasStructure):
2928         (JSC::DFG::Node::hasArrayMode):
2929         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2930         * dfg/DFGNodeType.h:
2931         (DFG):
2932         (JSC::DFG::needsOSRForwardRewiring):
2933         * dfg/DFGPredictionPropagationPhase.cpp:
2934         (JSC::DFG::PredictionPropagationPhase::propagate):
2935         * dfg/DFGSafeToExecute.h:
2936         (JSC::DFG::safeToExecute):
2937         * dfg/DFGSpeculativeJIT.cpp:
2938         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
2939         * dfg/DFGSpeculativeJIT32_64.cpp:
2940         (JSC::DFG::SpeculativeJIT::compile):
2941         * dfg/DFGSpeculativeJIT64.cpp:
2942         (JSC::DFG::SpeculativeJIT::compile):
2943         * dfg/DFGTypeCheckHoistingPhase.cpp:
2944         (JSC::DFG::TypeCheckHoistingPhase::run):
2945         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2946         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2947         * dfg/DFGVariableEventStream.cpp:
2948         (JSC::DFG::VariableEventStream::reconstruct):
2949         * ftl/FTLCapabilities.cpp:
2950         (JSC::FTL::canCompile):
2951         * ftl/FTLLowerDFGToLLVM.cpp:
2952         (JSC::FTL::LowerDFGToLLVM::compileNode):
2953         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2954
2955 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2956
2957         fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
2958         https://bugs.webkit.org/show_bug.cgi?id=118946
2959
2960         Reviewed by Geoffrey Garen.
2961         
2962         We want to decouple the exit target code origin of a node from the code origin
2963         for all other purposes. The purposes of code origins are:
2964         
2965         - Where the node will exit, if it exits. The exit target should be consistent with
2966           the surrounding nodes, in that if you just looked at the code origins of nodes in
2967           the graph, they would be consistent with the code origins in bytecode. This is
2968           necessary for live-at-bytecode analyses to work, and to preserve the original
2969           bytecode semantics when exiting.
2970         
2971         - What kind of code the node came from, for semantics thingies. For example, we
2972           might use the code origin to find the node's global object for doing an original
2973           array check. Or we might use it to determine if the code is in strict mode. Or
2974           other similar things. When we use the code origin in this way, we're basically
2975           using it as a way of describing the node's meta-data without putting it into the
2976           node directly, to save space. In the absurd extreme you could imagine nodes not
2977           even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
2978           what bytecode the node originated from. We won't do that, but you can think of
2979           this use of code origins as just a way of compressing meta-data.
2980         
2981         - What code origin we should supply profiling to, if we exit. This is closely
2982           related to the semantics thingies, in that the exit profiling is a persistent
2983           kind of semantic meta-data that survives between recompiles, and the only way to
2984           do that is to ascribe it to the original bytecode via the code origin.
2985         
2986         If we hoist a node, we need to change the exit target code origin, but we must not
2987         change the code origin for other purposes. The best way to do this is to decouple
2988         the two kinds of code origin.
2989         
2990         OSR exit data structures already do this, because they may edit the exit target
2991         code origin while keeping the code origin for profiling intact. This happens for
2992         forward exits. So, we just need to thread separation all the way back to DFG::Node.
2993         That's what this patch does.
2994
2995         * dfg/DFGNode.h:
2996         (JSC::DFG::Node::Node):
2997         (Node):
2998         * dfg/DFGOSRExit.cpp:
2999         (JSC::DFG::OSRExit::OSRExit):
3000         * dfg/DFGOSRExitBase.h:
3001         (JSC::DFG::OSRExitBase::OSRExitBase):
3002         * dfg/DFGSpeculativeJIT.cpp:
3003         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3004         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3005         * dfg/DFGSpeculativeJIT.h:
3006         (SpeculativeJIT):
3007         * ftl/FTLLowerDFGToLLVM.cpp:
3008         (JSC::FTL::LowerDFGToLLVM::compileNode):
3009         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3010         (LowerDFGToLLVM):
3011         * ftl/FTLOSRExit.cpp:
3012         (JSC::FTL::OSRExit::OSRExit):
3013         * ftl/FTLOSRExit.h:
3014         (OSRExit):
3015
3016 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
3017
3018         fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
3019         https://bugs.webkit.org/show_bug.cgi?id=118866
3020
3021         Reviewed by Sam Weinig.
3022         
3023         Adds a safeToExecute() method that takes a node and an abstract state and tells you
3024         if the node will run without crashing under that state.
3025
3026         * JavaScriptCore.xcodeproj/project.pbxproj:
3027         * bytecode/CodeBlock.cpp:
3028         (JSC::CodeBlock::CodeBlock):
3029         * dfg/DFGCFAPhase.cpp:
3030         (CFAPhase):
3031         (JSC::DFG::CFAPhase::CFAPhase):
3032         (JSC::DFG::CFAPhase::run):
3033         (JSC::DFG::CFAPhase::performBlockCFA):
3034         (JSC::DFG::CFAPhase::performForwardCFA):
3035         * dfg/DFGSafeToExecute.h: Added.
3036         (DFG):
3037         (SafeToExecuteEdge):
3038         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
3039         (JSC::DFG::SafeToExecuteEdge::operator()):
3040         (JSC::DFG::SafeToExecuteEdge::result):
3041         (JSC::DFG::safeToExecute):
3042         * dfg/DFGStructureAbstractValue.h:
3043         (JSC::DFG::StructureAbstractValue::isValidOffset):
3044         (StructureAbstractValue):
3045         * runtime/Options.h:
3046         (JSC):
3047
3048 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
3049
3050         fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
3051         https://bugs.webkit.org/show_bug.cgi?id=118948
3052
3053         Reviewed by Sam Weinig.
3054         
3055         - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
3056           This allows doing "what if" experiments with IR generation, even if the generated IR
3057           can't yet execute.
3058         
3059         - Add an OSR exit path that just calls an intrinsic that combines the branch and the
3060           off-ramp.
3061
3062         * JavaScriptCore.xcodeproj/project.pbxproj:
3063         * dfg/DFGPlan.cpp:
3064         (JSC::DFG::Plan::compileInThreadImpl):
3065         * ftl/FTLFail.cpp: Added.
3066         (FTL):
3067         (JSC::FTL::fail):
3068         * ftl/FTLFail.h: Added.
3069         (FTL):
3070         * ftl/FTLIntrinsicRepository.h:
3071         (FTL):
3072         * ftl/FTLLowerDFGToLLVM.cpp:
3073         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3074         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
3075         * runtime/Options.h:
3076         (JSC):
3077
3078 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3079
3080         fourthTier: StringObjectUse uses structures, and CSE should know that
3081         https://bugs.webkit.org/show_bug.cgi?id=118940
3082
3083         Reviewed by Geoffrey Garen.
3084         
3085         This is asymptomatic right now, but we should fix it.
3086
3087         * JavaScriptCore.xcodeproj/project.pbxproj:
3088         * dfg/DFGCSEPhase.cpp:
3089         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3090         * dfg/DFGEdgeUsesStructure.h: Added.
3091         (DFG):
3092         (EdgeUsesStructure):
3093         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
3094         (JSC::DFG::EdgeUsesStructure::operator()):
3095         (JSC::DFG::EdgeUsesStructure::result):
3096         (JSC::DFG::edgesUseStructure):
3097         * dfg/DFGUseKind.h:
3098         (DFG):
3099         (JSC::DFG::usesStructure):
3100
3101 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3102
3103         fourthTier: String GetByVal out-of-bounds handling is so wrong
3104         https://bugs.webkit.org/show_bug.cgi?id=118935
3105
3106         Reviewed by Geoffrey Garen.
3107         
3108         Bunch of String GetByVal out-of-bounds fixes:
3109         
3110         - Even if the string proto chain is sane, we need to watch out for negative
3111           indices. They may get values or call getters in the prototypes, since proto
3112           sanity doesn't check for negative indexed properties, as they are not
3113           technically indexed properties.
3114         
3115         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
3116           given this information.
3117         
3118         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
3119           given this information.
3120         
3121         Also fixed some other things:
3122         
3123         - If the DFG is disabled, the testRunner should pretend that we've done a
3124           bunch of DFG compiles. That's necessary to prevent the tests from timing
3125           out.
3126         
3127         - Disassembler shouldn't try to dump source code since it's not safe in the
3128           concurrent JIT.
3129
3130         * API/JSCTestRunnerUtils.cpp:
3131         (JSC::numberOfDFGCompiles):
3132         * JavaScriptCore.xcodeproj/project.pbxproj:
3133         * dfg/DFGAbstractInterpreterInlines.h:
3134         (JSC::DFG::::executeEffects):
3135         * dfg/DFGDisassembler.cpp:
3136         (JSC::DFG::Disassembler::dumpHeader):
3137         * dfg/DFGGraph.h:
3138         (JSC::DFG::Graph::byValIsPure):
3139         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
3140         (DFG):
3141         (SaneStringGetByValSlowPathGenerator):
3142         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
3143         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
3144         * dfg/DFGSpeculativeJIT.cpp:
3145         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3146
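The first bullet above (negative indices escaping the string prototype-chain sanity check) can be shown directly from JavaScript. The following is an added example, not code from this ChangeLog or from JavaScriptCore: it installs a getter under the key "-1" on String.prototype (a constructed probe), then shows that a plain array-index scan of the chain still reports it as sane, while indexing a string primitive with -1 runs the getter. The helper names and the index test are assumptions of this example.

```javascript
// Added example, not JavaScriptCore code. "-1" is not an integer index, so
// the String exotic [[GetOwnProperty]] yields nothing for it and the lookup
// continues up the prototype chain, where a getter runs arbitrary code.
function probeNegativeStringIndex() {
  const log = [];
  Object.defineProperty(String.prototype, "-1", {
    get() { log.push("getter:-1"); return "G"; },
    configurable: true,
  });
  try {
    const s = "abc";
    return {
      inBounds: s[1],                    // own indexed property: "b"
      negative: s[-1],                   // not indexed: reaches the getter
      tooLarge: s[100],                  // out of bounds, nothing on chain
      saneChain: hasSaneStringProtoChain(), // still true with the getter installed
      log,
    };
  } finally {
    // Remove the constructed probe so String.prototype is left unchanged.
    delete String.prototype["-1"];
  }
}

// A prototype-chain "sanity" scan of the kind a fast path might rely on:
// does any object on String.prototype's chain own an array-index key?
// Canonical array indices are exactly the keys that survive a uint32
// round trip; "-1" does not, so the scan misses it (the point of the bug).
function hasSaneStringProtoChain() {
  for (let p = String.prototype; p !== null; p = Object.getPrototypeOf(p)) {
    for (const key of Object.getOwnPropertyNames(p)) {
      if (String(Number(key) >>> 0) === key) return false;
    }
  }
  return true;
}
```

A JIT that treats every out-of-bounds string read as "returns undefined, no side effects" on the strength of such a scan has mis-modelled the world: the negative-index path can execute user code, so, as the entry says, it must be treated as clobbering in both CSE and CFA.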
3147 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3148
3149         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
3150         https://bugs.webkit.org/show_bug.cgi?id=118911
3151
3152         Reviewed by Geoffrey Garen.
3153         
3154         We could also have a separate method like "willNotCrash(offset)", but that's not
3155         what isValidOffset() is intended to mean.
3156
3157         * runtime/Structure.h:
3158         (JSC::Structure::isValidOffset):
3159
3160 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3161
3162         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
3163         https://bugs.webkit.org/show_bug.cgi?id=118878
3164
3165         Reviewed by Oliver Hunt.
3166         
3167         - Change Structure::isValidOffset() to actually answer the question "If I attempted
3168           to load from an object of this structure, at this offset, would I commit suicide
3169           or would I get back some kind of value?"
3170         
3171         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
3172           way from the start.
3173         
3174         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
3175         
3176         - Make GetByOffset also reference the base object in addition to the butterfly.
3177         
3178         The future use of this power will be to answer questions like "If I hoisted this
3179         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
3180         fine?"
3181         
3182         I don't currently plan to use this power to perform validation, since the CSE has
3183         the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
3184         remove - both in the case of StructureSets where size >= 2 and in the case of
3185         CheckStructures that match across PutStructures. At first I tried to write a
3186         validator that was aware of this, but the validation code got way too complicated
3187         and I started having nightmares of spurious assertion bugs being filed against me.
3188         
3189         This also changes some of the code for how we hash FunctionExecutable's for debug
3190         dumps, since that code still had some thread-safety issues. Basically, the
3191         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
3192         that could transitively try to compute the hash from the source code. The source
3193         code is a string that may be lazily computed, and that involves all manner of thread
3194         unsafe things.
3195
3196         * bytecode/CodeOrigin.cpp:
3197         (JSC::InlineCallFrame::hash):
3198         * dfg/DFGAbstractInterpreterInlines.h:
3199         (JSC::DFG::::executeEffects):
3200         * dfg/DFGByteCodeParser.cpp:
3201         (JSC::DFG::ByteCodeParser::handleGetByOffset):
3202         (JSC::DFG::ByteCodeParser::handlePutByOffset):
3203         (JSC::DFG::ByteCodeParser::parseBlock):
3204         * dfg/DFGCFAPhase.cpp:
3205         (JSC::DFG::CFAPhase::performBlockCFA):
3206         * dfg/DFGConstantFoldingPhase.cpp:
3207         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3208         * dfg/DFGFixupPhase.cpp:
3209         (JSC::DFG::FixupPhase::fixupNode):
3210         * dfg/DFGGraph.h:
3211         (StorageAccessData):
3212         * dfg/DFGNode.h:
3213         (JSC::DFG::Node::convertToGetByOffset):
3214         * dfg/DFGSpeculativeJIT64.cpp:
3215         (JSC::DFG::SpeculativeJIT::compile):
3216         * ftl/FTLLowerDFGToLLVM.cpp:
3217         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3218         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
3219         * runtime/FunctionExecutableDump.cpp:
3220         (JSC::FunctionExecutableDump::dump):
3221         * runtime/Structure.h:
3222         (Structure):
3223         (JSC::Structure::isValidOffset):
3224
3225 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3226
3227         fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
3228         https://bugs.webkit.org/show_bug.cgi?id=118880
3229
3230         Reviewed by Sam Weinig.
3231         
3232         It should be possible to have an AbstractState that is backed by a HashMap. But to
3233         do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
3234         the map, since otherwise the idiom of getting a reference to the AbstractValue
3235         returned by forNode() would cause really subtle memory corruption bugs.
3236
3237         * dfg/DFGAbstractInterpreterInlines.h:
3238         (JSC::DFG::::executeEffects):
3239         * dfg/DFGInPlaceAbstractState.h:
3240         (JSC::DFG::InPlaceAbstractState::createValueForNode):
3241         (InPlaceAbstractState):
3242
3243 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3244
3245         fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
3246         https://bugs.webkit.org/show_bug.cgi?id=118835
3247
3248         Reviewed by Oliver Hunt.
3249         
3250         This separates AbstractState into two things:
3251         
3252         - InPlaceAbstractState, which can tell you the abstract state of anything you
3253           might care about, and uses the old AbstractState's algorithms and data
3254           structures for doing so.
3255         
3256         - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
3257           respect to an AbstractStateType. Currently we always use
3258           AbstractStateType = InPlaceAbstractState. But we could drop in another
3259           class that supports basic primitives like forNode() and variables().
3260         
3261         This is important because:
3262         
3263         - We want to hoist things out of loops.
3264
3265         - We don't know what things rely on what type checks.
3266
3267         - We only want to hoist type checks out of loops if they aren't clobbered.
3268
3269         - We may want to still hoist things that depended on those type checks, if it's
3270           safe to do those things based on the CFA state at the tail of the loop
3271           pre-header.
3272
3273         - We don't want things to rely on their type checks by way of a token, because
3274           that's just weird.
3275
3276         So, we want to be able to have a special form of the CFA that can
3277         incrementally update a basic block's state-at-tail, and we want to be able to
3278         do this for multiple blocks simultaneously. This requires *not* storing the
3279         per-node state in the nodes themselves, but instead using the at-tail HashMap
3280         directly.
3281
3282         Hence we need to have a way of making the abstract interpreter (i.e.
3283         AbstractState::execute) polymorphic with respect to state representation. Put
3284         another way, we need to separate the way that abstract state is represented
3285         from the way DFG IR is abstractly interpreted.
3286
3287         * JavaScriptCore.xcodeproj/project.pbxproj:
3288         * dfg/DFGAbstractInterpreter.h: Added.
3289         (DFG):
3290         (AbstractInterpreter):
3291         (JSC::DFG::AbstractInterpreter::forNode):
3292         (JSC::DFG::AbstractInterpreter::variables):
3293         (JSC::DFG::AbstractInterpreter::needsTypeCheck):
3294         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
3295         (JSC::DFG::AbstractInterpreter::filter):
3296         (JSC::DFG::AbstractInterpreter::filterArrayModes):
3297         (JSC::DFG::AbstractInterpreter::filterByValue):
3298         (JSC::DFG::AbstractInterpreter::trySetConstant):
3299         (JSC::DFG::AbstractInterpreter::filterByType):
3300         * dfg/DFGAbstractInterpreterInlines.h: Added.
3301         (DFG):
3302         (JSC::DFG::::AbstractInterpreter):
3303         (JSC::DFG::::~AbstractInterpreter):
3304         (JSC::DFG::::booleanResult):
3305         (JSC::DFG::::startExecuting):
3306         (JSC::DFG::::executeEdges):
3307         (JSC::DFG::::verifyEdge):
3308         (JSC::DFG::::verifyEdges):
3309         (JSC::DFG::::executeEffects):
3310         (JSC::DFG::::execute):
3311         (JSC::DFG::::clobberWorld):
3312         (JSC::DFG::::clobberCapturedVars):
3313         (JSC::DFG::::clobberStructures):
3314         (JSC::DFG::::dump):
3315         (JSC::DFG::::filter):
3316         (JSC::DFG::::filterArrayModes):
3317         (JSC::DFG::::filterByValue):
3318         * dfg/DFGAbstractState.cpp: Removed.
3319         * dfg/DFGAbstractState.h: Removed.
3320         * dfg/DFGArgumentsSimplificationPhase.cpp:
3321         * dfg/DFGCFAPhase.cpp:
3322         (JSC::DFG::CFAPhase::CFAPhase):
3323         (JSC::DFG::CFAPhase::performBlockCFA):
3324         (CFAPhase):
3325         * dfg/DFGCFGSimplificationPhase.cpp:
3326         * dfg/DFGConstantFoldingPhase.cpp:
3327         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
3328         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3329         (ConstantFoldingPhase):
3330         * dfg/DFGInPlaceAbstractState.cpp: Added.
3331         (DFG):
3332         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
3333         (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
3334         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3335         (JSC::DFG::setLiveValues):
3336         (JSC::DFG::InPlaceAbstractState::initialize):
3337         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3338         (JSC::DFG::InPlaceAbstractState::reset):
3339         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3340         (JSC::DFG::InPlaceAbstractState::merge):
3341         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3342         (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
3343         * dfg/DFGInPlaceAbstractState.h: Added.
3344         (DFG):
3345         (InPlaceAbstractState):
3346         (JSC::DFG::InPlaceAbstractState::forNode):
3347         (JSC::DFG::InPlaceAbstractState::variables):
3348         (JSC::DFG::InPlaceAbstractState::block):
3349         (JSC::DFG::InPlaceAbstractState::didClobber):
3350         (JSC::DFG::InPlaceAbstractState::isValid):
3351         (JSC::DFG::InPlaceAbstractState::setDidClobber):
3352         (JSC::DFG::InPlaceAbstractState::setIsValid):
3353         (JSC::DFG::InPlaceAbstractState::setBranchDirection):
3354         (JSC::DFG::InPlaceAbstractState::setFoundConstants):
3355         (JSC::DFG::InPlaceAbstractState::haveStructures):
3356         (JSC::DFG::InPlaceAbstractState::setHaveStructures):
3357         * dfg/DFGMergeMode.h: Added.
3358         (DFG):
3359         * dfg/DFGSpeculativeJIT.cpp:
3360         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3361         (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
3362         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3363         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3364         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
3365         (JSC::DFG::SpeculativeJIT::speculateStringObject):
3366         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
3367         * dfg/DFGSpeculativeJIT.h:
3368         (JSC::DFG::SpeculativeJIT::needsTypeCheck):
3369         (SpeculativeJIT):
3370         * dfg/DFGSpeculativeJIT32_64.cpp:
3371         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3372         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3373         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3374         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3375         * dfg/DFGSpeculativeJIT64.cpp:
3376         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3377         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3378         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3379         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3380         * ftl/FTLLowerDFGToLLVM.cpp:
3381         (FTL):
3382         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3383         (JSC::FTL::LowerDFGToLLVM::compileNode):
3384         (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
3385         (JSC::FTL::LowerDFGToLLVM::speculate):
3386         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3387         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
3388         (LowerDFGToLLVM):
3389
3390 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3391
3392         fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
3393         https://bugs.webkit.org/show_bug.cgi?id=118867
3394
3395         Reviewed by Mark Hahnenberg.
3396         
3397         This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
3398         ArrayProfile.
3399
3400         It also makes it easier to ask any array-using node how to create its type check.
3401         
3402         Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
3403         an array profile, thinking that it was storing into a value profile. Reshuffling the
3404         fields in ArrayProfile revealed this.
3405
3406         * bytecode/ArrayProfile.cpp:
3407         (JSC::ArrayProfile::computeUpdatedPrediction):
3408         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3409         * bytecode/ArrayProfile.h:
3410         (JSC::ArrayProfile::ArrayProfile):
3411         (ArrayProfile):
3412         * bytecode/CodeBlock.cpp:
3413         (JSC::CodeBlock::updateAllArrayPredictions):
3414         (JSC::CodeBlock::updateAllPredictions):
3415         * bytecode/CodeBlock.h:
3416         (CodeBlock):
3417         (JSC::CodeBlock::updateAllArrayPredictions):
3418         * dfg/DFGArrayMode.h:
3419         (ArrayMode):
3420         * dfg/DFGByteCodeParser.cpp:
3421         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
3422         (JSC::DFG::ByteCodeParser::parseBlock):
3423         * dfg/DFGFixupPhase.cpp:
3424         (JSC::DFG::FixupPhase::fixupNode):
3425         (FixupPhase):
3426         (JSC::DFG::FixupPhase::checkArray):
3427         (JSC::DFG::FixupPhase::blessArrayOperation):
3428         * llint/LowLevelInterpreter64.asm:
3429
3430 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3431
3432         fourthTier: CFA should consider live-at-head for clobbering and dumping
3433         https://bugs.webkit.org/show_bug.cgi?id=118857
3434
3435         Reviewed by Mark Hahnenberg.
3436         
3437         - clobberStructures() was not considering nodes live-at-head when in SSA
3438           form. This means it would fail to clobber some structures.
3439         
3440         - dump() was not considering nodes live-at-head when in SSA form. This
3441           means it wouldn't dump everything that you might be interested in.
3442         
3443         - AbstractState::m_currentNode is a useless variable and we should get
3444           rid of it.
3445
3446         * dfg/DFGAbstractState.cpp:
3447         (JSC::DFG::AbstractState::AbstractState):
3448         (JSC::DFG::AbstractState::beginBasicBlock):
3449         (JSC::DFG::AbstractState::reset):
3450         (JSC::DFG::AbstractState::startExecuting):
3451         (JSC::DFG::AbstractState::clobberStructures):
3452         (JSC::DFG::AbstractState::dump):
3453         * dfg/DFGAbstractState.h:
3454         (AbstractState):
3455
3456 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3457
3458         fourthTier: Add a phase to create loop pre-headers
3459         https://bugs.webkit.org/show_bug.cgi?id=118778
3460
3461         Reviewed by Oliver Hunt.
3462         
3463         Add a loop pre-header creation phase. Any loop that doesn't already have
3464         just one predecessor that isn't part of the loop has a pre-header
3465         prepended. All non-loop predecessors then jump to that pre-header.
3466         
3467         Also fix a handful of bugs:
3468         
3469         - DFG::Analysis should set m_valid before running the analysis, since that
3470           makes it easier to use ASSERT(m_valid) in the analysis' methods, which
3471           may be called by the analysis before the analysis completes. NaturalLoops
3472           does this with loopsOf().
3473         
3474         - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
3475           returning 0, since that'll happen if the block isn't in any loop.
3476         
3477         - Change BlockInsertionSet to dethread the graph, since anyone using it
3478           will want to do so.
3479         
3480         - Change dethreading to ignore SSA form graphs.
3481         
3482         This also adds NaturalLoops::belongsTo(), which I always used in the
3483         pre-header creation phase. I didn't end up using it but I'll probably use
3484         it in the near future.
3485         
3486         * JavaScriptCore.xcodeproj/project.pbxproj:
3487         * dfg/DFGAnalysis.h:
3488         (JSC::DFG::Analysis::computeIfNecessary):
3489         * dfg/DFGBlockInsertionSet.cpp:
3490         (JSC::DFG::BlockInsertionSet::execute):
3491         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3492         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3493         * dfg/DFGGraph.cpp:
3494         (JSC::DFG::Graph::dethread):
3495         * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
3496         (DFG):
3497         (LoopPreHeaderCreationPhase):
3498         (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
3499         (JSC::DFG::LoopPreHeaderCreationPhase::run):
3500         (JSC::DFG::performLoopPreHeaderCreation):
3501         * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
3502         (DFG):
3503         * dfg/DFGNaturalLoops.h:
3504         (NaturalLoop):
3505         (JSC::DFG::NaturalLoops::headerOf):
3506         (JSC::DFG::NaturalLoops::innerMostLoopOf):
3507         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
3508         (JSC::DFG::NaturalLoops::belongsTo):
3509         (NaturalLoops):
3510         * dfg/DFGPlan.cpp:
3511         (JSC::DFG::Plan::compileInThreadImpl):
3512
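The pre-header rule in the entry above (a loop gets a pre-header unless it already has exactly one predecessor outside the loop; all outside predecessors are then redirected to it) is small enough to work through on a toy control-flow graph. This is an added example, not JavaScriptCore code: the CFG is a plain object of successor lists, loop membership is supplied as input in the shape a NaturalLoops-style analysis would report it, and the block names and `_preheader` suffix are constructed for illustration.

```javascript
// Added example, not JavaScriptCore code. cfg: { block: [successors] };
// loops: [{ header, blocks }] (the blocks that belong to each natural loop).
// Returns a new CFG (the input is not mutated) plus the inserted block names.
function createLoopPreHeaders(cfg, loops) {
  const succs = new Map(Object.entries(cfg).map(([b, s]) => [b, [...s]]));
  const inserted = [];
  for (const { header, blocks } of loops) {
    const inLoop = new Set(blocks);
    // Predecessors of the header that are not themselves part of the loop.
    const outsidePreds = [...succs]
      .filter(([b, s]) => !inLoop.has(b) && s.includes(header))
      .map(([b]) => b);
    if (outsidePreds.length === 1) continue; // already a usable pre-header
    const pre = `${header}_preheader`;
    succs.set(pre, [header]); // the pre-header only jumps to the header
    for (const b of outsidePreds) {
      succs.set(b, succs.get(b).map((t) => (t === header ? pre : t)));
    }
    inserted.push(pre);
  }
  return { cfg: Object.fromEntries(succs), inserted };
}

// Invariant a later hoisting phase would rely on: every loop header has
// exactly one predecessor outside its loop.
function everyLoopHasSinglePreHeader(cfg, loops) {
  return loops.every(({ header, blocks }) => {
    const inLoop = new Set(blocks);
    const outside = Object.entries(cfg)
      .filter(([b, s]) => !inLoop.has(b) && s.includes(header));
    return outside.length === 1;
  });
}

// Constructed CFG: two entry blocks jump into the loop at `head`; the
// nested loop at `inner` already has `head` as its single outside predecessor.
const sampleCfg = {
  entryA: ["head"],
  entryB: ["head"],
  head: ["inner", "exit"],
  inner: ["inner", "head"],
  exit: [],
};
const sampleLoops = [
  { header: "head", blocks: ["head", "inner"] },
  { header: "inner", blocks: ["inner"] },
];
```

Running `createLoopPreHeaders(sampleCfg, sampleLoops)` inserts only `head_preheader`: `entryA` and `entryB` are retargeted to it, the inner loop is left alone, and the invariant check flips from false on the input to true on the result. A loop whose header has no outside predecessor at all (a root block that is also a loop header) also gets a pre-header under this rule, which keeps the single-predecessor invariant uniform.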
3513 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3514
3515         fourthTier: Rationalize Node::replacement
3516         https://bugs.webkit.org/show_bug.cgi?id=118774
3517
3518         Reviewed by Oliver Hunt.
3519         
3520         - Clearing of replacements is now done in Graph::clearReplacements().
3521         
3522         - New nodes now have replacement set to 0.
3523         
3524         - Node::replacement is now part of a 'misc' union. I'll be putting at least
3525           one other field into that union as part of LICM work (see
3526           https://bugs.webkit.org/show_bug.cgi?id=118749).
3527
3528         * dfg/DFGCPSRethreadingPhase.cpp:
3529         (JSC::DFG::CPSRethreadingPhase::run):
3530         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3531         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3532         * dfg/DFGCSEPhase.cpp:
3533         (JSC::DFG::CSEPhase::run):
3534         (JSC::DFG::CSEPhase::setReplacement):
3535         (JSC::DFG::CSEPhase::performBlockCSE):
3536         * dfg/DFGGraph.cpp:
3537         (DFG):
3538         (JSC::DFG::Graph::clearReplacements):
3539         * dfg/DFGGraph.h:
3540         (JSC::DFG::Graph::performSubstitutionForEdge):
3541         (Graph):
3542         * dfg/DFGNode.h:
3543         (JSC::DFG::Node::Node):
3544         * dfg/DFGSSAConversionPhase.cpp:
3545         (JSC::DFG::SSAConversionPhase::run):
3546
3547 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3548
3549         fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
3550         https://bugs.webkit.org/show_bug.cgi?id=118750
3551
3552         Reviewed by Mark Hahnenberg.
3553
3554         * dfg/DFGBasicBlock.h:
3555         (BasicBlock):
3556         * dfg/DFGNaturalLoops.cpp:
3557         (JSC::DFG::NaturalLoops::compute):
3558         (JSC::DFG::NaturalLoops::loopsOf):
3559         * dfg/DFGNaturalLoops.h:
3560         (DFG):
3561         (JSC::DFG::NaturalLoop::NaturalLoop):
3562         (NaturalLoop):
3563         (JSC::DFG::NaturalLoop::index):
3564         (JSC::DFG::NaturalLoop::isOuterMostLoop):
3565         (JSC::DFG::NaturalLoop::addBlock):
3566         (JSC::DFG::NaturalLoops::headerOf):
3567         (JSC::DFG::NaturalLoops::innerMostLoopOf):
3568         (NaturalLoops):
3569         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
3570         * dfg/DFGPlan.cpp:
3571         (JSC::DFG::Plan::compileInThreadImpl):
3572
3573 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3574
3575         fourthTier: don't GC when shutting down the VM
3576         https://bugs.webkit.org/show_bug.cgi?id=118751
3577
3578         Reviewed by Mark Hahnenberg.
3579
3580         * heap/Heap.h:
3581         (Heap):
3582         * runtime/VM.cpp:
3583         (JSC::VM::~VM):
3584
3585 2013-07-12  Filip Pizlo  <fpizlo@apple.com>
3586
3587         fourthTier: DFG should have an SSA form for use by FTL
3588         https://bugs.webkit.org/show_bug.cgi?id=118338
3589
3590         Reviewed by Mark Hahnenberg.
3591         
3592         Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
3593         after breaking critical edges. The conversion algorithm follows Aycock and
3594         Horspool, and the SSA form itself follows something I've done before, where
3595         instead of having Phi functions specify input nodes corresponding to block
3596         predecessors, we instead have Upsilon functions in the predecessors that
3597         specify which value in that block goes into which subsequent Phi. Upsilons
3598         don't have to dominate Phis (usually they don't) and they correspond to a
3599         non-SSA "mov" into the Phi's "variable". This gives all of the good
3600         properties of SSA, while ensuring that a bunch of CFG transformations don't
3601         have to be SSA-aware.
3602         
3603         So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
3604         simplification is probably SSA-aware by default, though I haven't tried it.
3605         Constant folding probably needs a few tweaks, but is likely ready. Ditto
3606         for CSE, though it's not clear that we'd want to use block-local CSE when
3607         we could be doing GVN.
3608         
3609         Currently only the FTL can generate code from the SSA form, and there is no
3610         way to convert from SSA to ThreadedCPS or LoadStore. There probably will
3611         never be such a capability.
3612         
3613         In order to handle OSR exit state in the SSA, we place MovHints at Phi
3614         points. Other than that, you can reconstruct state-at-exit by forward
3615         propagating MovHints. Note that MovHint is the new SetLocal in SSA.
3616         SetLocal and GetLocal only survive into SSA if they are on captured
3617         variables, or in the case of flushes. A "live SetLocal" will be
3618         NodeMustGenerate and will always correspond to a flush. Computing the
3619         state-at-exit requires running SSA liveness analysis, OSR availability
3620         analysis, and flush liveness analysis. The FTL runs all of these prior to
3621         generating code. While OSR exit continues to be tricky, much of the logic
3622         is now factored into separate phases and the backend has to do less work
3623         to reason about what happened outside of the basic block that is being
3624         lowered.
3625         
3626         Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
3627         code in depth-first order, thus guaranteeing that a node will always be
3628         lowered (and hence have a LValue) before any of the blocks dominated by
3629         that node's block have code generated. For Upsilon/Phi, we just use
3630         alloca's. We could do something more clever there, but it's probably not
3631         worth it, at least not now.
3632         
3633         Finally, while the SSA form is currently only being converted to LLVM IR,
3634         there is nothing that prevents us from considering other backends in the
3635         future - with the caveat that this form is designed to be first lowered to
3636         a lower-level SSA before actual machine code generation commences. So we
3637         ought to either use LLVM (the intended path) or we will have to write our
3638         own SSA low-level backend.
3639         
3640         This runs all of the code that the FTL was known to run previously. No
3641         change in performance for now. But it does open some exciting
3642         possibilities!
3643
3644         * JavaScriptCore.xcodeproj/project.pbxproj:
3645         * bytecode/Operands.h:
3646         (JSC::OperandValueTraits::dump):
3647         (JSC::Operands::fill):
3648         (Operands):
3649         (JSC::Operands::clear):
3650         (JSC::Operands::operator==):
3651         * dfg/DFGAbstractState.cpp:
3652         (JSC::DFG::AbstractState::beginBasicBlock):
3653         (JSC::DFG::setLiveValues):
3654         (DFG):
3655         (JSC::DFG::AbstractState::initialize):
3656         (JSC::DFG::AbstractState::endBasicBlock):
3657         (JSC::DFG::AbstractState::executeEffects):
3658         (JSC::DFG::AbstractState::mergeStateAtTail):
3659         (JSC::DFG::AbstractState::merge):
3660         * dfg/DFGAbstractState.h:
3661         (AbstractState):
3662         * dfg/DFGAdjacencyList.h:
3663         (JSC::DFG::AdjacencyList::justOneChild):
3664         (AdjacencyList):
3665         * dfg/DFGBasicBlock.cpp: Added.
3666         (DFG):
3667         (JSC::DFG::BasicBlock::BasicBlock):
3668         (JSC::DFG::BasicBlock::~BasicBlock):
3669         (JSC::DFG::BasicBlock::ensureLocals):
3670         (JSC::DFG::BasicBlock::isInPhis):
3671         (JSC::DFG::BasicBlock::isInBlock):
3672         (JSC::DFG::BasicBlock::removePredecessor):
3673         (JSC::DFG::BasicBlock::replacePredecessor):
3674         (JSC::DFG::BasicBlock::dump):
3675         (JSC::DFG::BasicBlock::SSAData::SSAData):
3676         (JSC::DFG::BasicBlock::SSAData::~SSAData):
3677         * dfg/DFGBasicBlock.h:
3678         (BasicBlock):
3679         (JSC::DFG::BasicBlock::operator[]):
3680         (JSC::DFG::BasicBlock::successor):
3681         (JSC::DFG::BasicBlock::successorForCondition):
3682         (SSAData):
3683         * dfg/DFGBasicBlockInlines.h:
3684         (DFG):
3685         * dfg/DFGBlockInsertionSet.cpp: Added.
3686         (DFG):
3687         (JSC::DFG::BlockInsertionSet::BlockInsertionSet):
3688         (JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
3689         (JSC::DFG::BlockInsertionSet::insert):
3690         (JSC::DFG::BlockInsertionSet::insertBefore):
3691         (JSC::DFG::BlockInsertionSet::execute):
3692         * dfg/DFGBlockInsertionSet.h: Added.
3693         (DFG):
3694         (BlockInsertionSet):
3695         * dfg/DFGCFAPhase.cpp:
3696         (JSC::DFG::CFAPhase::run):
3697         * dfg/DFGCFGSimplificationPhase.cpp:
3698         * dfg/DFGCPSRethreadingPhase.cpp:
3699         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3700         * dfg/DFGCommon.cpp:
3701         (WTF::printInternal):
3702         * dfg/DFGCommon.h:
3703         (JSC::DFG::doesKill):
3704         (DFG):
3705         (JSC::DFG::killStatusForDoesKill):
3706         * dfg/DFGConstantFoldingPhase.cpp:
3707         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3708         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
3709         * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
3710         (DFG):
3711         (CriticalEdgeBreakingPhase):
3712         (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
3713         (JSC::DFG::CriticalEdgeBreakingPhase::run):
3714         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3715         (JSC::DFG::performCriticalEdgeBreaking):
3716         * dfg/DFGCriticalEdgeBreakingPhase.h: Added.
3717         (DFG):
3718         * dfg/DFGDCEPhase.cpp:
3719         (JSC::DFG::DCEPhase::run):
3720         (JSC::DFG::DCEPhase::findTypeCheckRoot):
3721         (JSC::DFG::DCEPhase::countNode):
3722         (DCEPhase):
3723         (JSC::DFG::DCEPhase::countEdge):
3724         (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
3725         * dfg/DFGDriver.cpp:
3726         (JSC::DFG::compile):
3727         * dfg/DFGEdge.cpp:
3728         (JSC::DFG::Edge::dump):
3729         * dfg/DFGEdge.h:
3730         (JSC::DFG::Edge::Edge):
3731         (JSC::DFG::Edge::setNode):
3732         (JSC::DFG::Edge::useKindUnchecked):
3733         (JSC::DFG::Edge::setUseKind):
3734         (JSC::DFG::Edge::setProofStatus):
3735         (JSC::DFG::Edge::willNotHaveCheck):
3736         (JSC::DFG::Edge::willHaveCheck):
3737         (Edge):
3738         (JSC::DFG::Edge::killStatusUnchecked):
3739         (JSC::DFG::Edge::killStatus):
3740         (JSC::DFG::Edge::setKillStatus):
3741         (JSC::DFG::Edge::doesKill):
3742         (JSC::DFG::Edge::doesNotKill):
3743         (JSC::DFG::Edge::shift):
3744         (JSC::DFG::Edge::makeWord):
3745         * dfg/DFGFixupPhase.cpp:
3746         (JSC::DFG::FixupPhase::fixupNode):
3747         * dfg/DFGFlushFormat.cpp: Added.
3748         (WTF):
3749         (WTF::printInternal):
3750         * dfg/DFGFlushFormat.h: Added.
3751         (DFG):
3752         (JSC::DFG::resultFor):
3753         (JSC::DFG::useKindFor):
3754         (WTF):
3755         * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
3756         (DFG):
3757         (FlushLivenessAnalysisPhase):
3758         (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
3759         (JSC::DFG::FlushLivenessAnalysisPhase::run):
3760         (JSC::DFG::FlushLivenessAnalysisPhase::process):
3761         (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
3762         (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
3763         (JSC::DFG::performFlushLivenessAnalysis):
3764         * dfg/DFGFlushLivenessAnalysisPhase.h: Added.
3765         (DFG):
3766         * dfg/DFGGraph.cpp:
3767         (JSC::DFG::Graph::dump):
3768         (JSC::DFG::Graph::dumpBlockHeader):
3769         (DFG):
3770         (JSC::DFG::Graph::addForDepthFirstSort):
3771         (JSC::DFG::Graph::getBlocksInDepthFirstOrder):
3772         * dfg/DFGGraph.h:
3773         (JSC::DFG::Graph::convertToConstant):
3774         (JSC::DFG::Graph::valueProfileFor):
3775         (Graph):
3776         * dfg/DFGInsertionSet.h:
3777         (DFG):
3778         (JSC::DFG::InsertionSet::execute):
3779         * dfg/DFGLivenessAnalysisPhase.cpp: Added.
3780         (DFG):
3781         (LivenessAnalysisPhase):
3782         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
3783         (JSC::DFG::LivenessAnalysisPhase::run):
3784         (JSC::DFG::LivenessAnalysisPhase::process):
3785         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
3786         (JSC::DFG::performLivenessAnalysis):
3787         * dfg/DFGLivenessAnalysisPhase.h: Added.
3788         (DFG):
3789         * dfg/DFGNode.cpp:
3790         (JSC::DFG::Node::hasVariableAccessData):
3791         (DFG):
3792         * dfg/DFGNode.h:
3793         (DFG):
3794         (Node):
3795         (JSC::DFG::Node::hasLocal):
3796         (JSC::DFG::Node::variableAccessData):
3797         (JSC::DFG::Node::hasPhi):
3798         (JSC::DFG::Node::phi):
3799         (JSC::DFG::Node::takenBlock):
3800         (JSC::DFG::Node::notTakenBlock):
3801         (JSC::DFG::Node::successor):
3802         (JSC::DFG::Node::successorForCondition):
3803         (JSC::DFG::nodeComparator):
3804         (JSC::DFG::nodeListDump):
3805         (JSC::DFG::nodeMapDump):
3806         * dfg/DFGNodeFlags.cpp:
3807         (JSC::DFG::dumpNodeFlags):
3808         * dfg/DFGNodeType.h:
3809         (DFG):
3810         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
3811         (DFG):
3812         (OSRAvailabilityAnalysisPhase):
3813         (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
3814         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3815         (JSC::DFG::performOSRAvailabilityAnalysis):
3816         * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
3817         (DFG):
3818         * dfg/DFGPlan.cpp:
3819         (JSC::DFG::Plan::compileInThreadImpl):
3820         * dfg/DFGPredictionInjectionPhase.cpp:
3821         (JSC::DFG::PredictionInjectionPhase::run):
3822         * dfg/DFGPredictionPropagationPhase.cpp:
3823         (JSC::DFG::PredictionPropagationPhase::propagate):
3824         * dfg/DFGSSAConversionPhase.cpp: Added.
3825         (DFG):
3826         (SSAConversionPhase):
3827         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
3828         (JSC::DFG::SSAConversionPhase::run):
3829         (JSC::DFG::SSAConversionPhase::forwardPhiChildren):
3830         (JSC::DFG::SSAConversionPhase::forwardPhi):
3831         (JSC::DFG::SSAConversionPhase::forwardPhiEdge):
3832         (JSC::DFG::SSAConversionPhase::deduplicateChildren):
3833         (JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
3834         (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
3835         (JSC::DFG::performSSAConversion):
3836         * dfg/DFGSSAConversionPhase.h: Added.
3837         (DFG):
3838         * dfg/DFGSpeculativeJIT32_64.cpp:
3839         (JSC::DFG::SpeculativeJIT::compile):
3840         * dfg/DFGSpeculativeJIT64.cpp:
3841         (JSC::DFG::SpeculativeJIT::compile):
3842         * dfg/DFGValidate.cpp:
3843         (JSC::DFG::Validate::validate):
3844         (Validate):
3845         (JSC::DFG::Validate::validateCPS):
3846         * dfg/DFGVariableAccessData.h:
3847         (JSC::DFG::VariableAccessData::flushFormat):
3848         (VariableAccessData):
3849         * ftl/FTLCapabilities.cpp:
3850         (JSC::FTL::canCompile):
3851         * ftl/FTLLowerDFGToLLVM.cpp:
3852         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3853         (JSC::FTL::LowerDFGToLLVM::lower):
3854         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3855         (JSC::FTL::LowerDFGToLLVM::compileBlock):
3856         (JSC::FTL::LowerDFGToLLVM::compileNode):
3857         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3858         (LowerDFGToLLVM):
3859         (JSC::FTL::LowerDFGToLLVM::compilePhi):
3860         (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
3861         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
3862         (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
3863         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
3864         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
3865         (JSC::FTL::LowerDFGToLLVM::compileAdd):
3866         (JSC::FTL::LowerDFGToLLVM::compileArithSub):
3867         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3868         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3869         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3870         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3871         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3872         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3873         (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
3874         (JSC::FTL::LowerDFGToLLVM::compileBitOr):
3875         (JSC::FTL::LowerDFGToLLVM::compileBitXor):
3876         (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
3877         (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
3878         (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
3879         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
3880         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
3881         (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
3882         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
3883         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3884         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3885         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
3886         (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
3887         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3888         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
3889         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
3890         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
3891         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
3892         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
3893         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3894         (JSC::FTL::LowerDFGToLLVM::speculateBackward):
3895         (JSC::FTL::LowerDFGToLLVM::lowInt32):
3896         (JSC::FTL::LowerDFGToLLVM::lowCell):
3897         (JSC::FTL::LowerDFGToLLVM::lowBoolean):
3898         (JSC::FTL::LowerDFGToLLVM::lowDouble):
3899         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3900         (JSC::FTL::LowerDFGToLLVM::lowStorage):
3901         (JSC::FTL::LowerDFGToLLVM::speculate):
3902         (JSC::FTL::LowerDFGToLLVM::speculateBoolean):
3903         (JSC::FTL::LowerDFGToLLVM::isLive):
3904         (JSC::FTL::LowerDFGToLLVM::use):
3905         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
3906         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3907         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
3908         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
3909         (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
3910         (JSC::FTL::LowerDFGToLLVM::setInt32):
3911         (JSC::FTL::LowerDFGToLLVM::setJSValue):
3912         (JSC::FTL::LowerDFGToLLVM::setBoolean):
3913         (JSC::FTL::LowerDFGToLLVM::setStorage):
3914         (JSC::FTL::LowerDFGToLLVM::setDouble):
3915         (JSC::FTL::LowerDFGToLLVM::isValid):
3916         * ftl/FTLLoweredNodeValue.h: Added.
3917         (FTL):
3918         (LoweredNodeValue):
3919         (JSC::FTL::LoweredNodeValue::LoweredNodeValue):
3920         (JSC::FTL::LoweredNodeValue::isSet):
3921         (JSC::FTL::LoweredNodeValue::operator!):
3922         (JSC::FTL::LoweredNodeValue::value):
3923         (JSC::FTL::LoweredNodeValue::block):
3924         * ftl/FTLValueFromBlock.h:
3925         (JSC::FTL::ValueFromBlock::ValueFromBlock):
3926         (ValueFromBlock):
3927         * ftl/FTLValueSource.cpp:
3928         (JSC::FTL::ValueSource::dump):
3929         * ftl/FTLValueSource.h:
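        The Upsilon/Phi form described in the entry above, as an added worked
        example that is not part of this ChangeLog or of JavaScriptCore: a toy
        interpreter for one counted loop written in that form, plus the two
        structural checks a validator for it would make. The opcode set, the
        block and value names, and the sample loop are assumptions made for
        illustration only.

```python
# Added example (not JavaScriptCore code): a toy interpreter for the
# Upsilon/Phi SSA form.  Opcode names, block names, value names and the
# sample loop are assumptions made for illustration.
from dataclasses import dataclass, field


@dataclass
class Node:
    op: str            # Const, Phi, Upsilon, Add, Less, Branch, Jump, Return
    args: tuple = ()   # names of SSA values used (an immediate for Const)
    phi: str = ""      # Upsilon only: the Phi whose "variable" it writes


@dataclass
class Block:
    name: str
    nodes: list                                 # (result name, Node) in order
    succs: list = field(default_factory=list)   # [taken, notTaken] for Branch


def build_sum_loop():
    """sum = 0; i = 0; while (i < n) { sum += i; i += 1; } return sum;
    in Upsilon/Phi form.  The Phis in 'header' list no predecessor inputs;
    each predecessor of 'header' instead ends with Upsilons naming the Phi."""
    return {
        "entry": Block("entry", [
            ("sum0", Node("Const", (0,))),
            ("i0",   Node("Const", (0,))),
            ("u1",   Node("Upsilon", ("sum0",), phi="sumPhi")),
            ("u2",   Node("Upsilon", ("i0",), phi="iPhi")),
            ("j0",   Node("Jump")),
        ], ["header"]),
        "header": Block("header", [
            ("sumPhi", Node("Phi")),
            ("iPhi",   Node("Phi")),
            ("cond",   Node("Less", ("iPhi", "n"))),   # n is an argument
            ("br",     Node("Branch", ("cond",))),
        ], ["body", "exit"]),
        "body": Block("body", [
            ("one",  Node("Const", (1,))),
            ("sum1", Node("Add", ("sumPhi", "iPhi"))),
            ("i1",   Node("Add", ("iPhi", "one"))),
            # Back-edge Upsilons: they feed the header Phis without
            # dominating them.
            ("u3",   Node("Upsilon", ("sum1",), phi="sumPhi")),
            ("u4",   Node("Upsilon", ("i1",), phi="iPhi")),
            ("j1",   Node("Jump")),
        ], ["header"]),
        "exit": Block("exit", [
            ("ret", Node("Return", ("sumPhi",))),
        ]),
    }


def check_ssa(blocks):
    """Static checks: every value is defined once, every Phi has no direct
    inputs (it is fed only by Upsilons), every Upsilon targets a Phi."""
    defined, phis = {}, set()
    for b in blocks.values():
        for name, n in b.nodes:
            if name in defined:
                raise ValueError(f"{name} defined in {defined[name]} and {b.name}")
            defined[name] = b.name
            if n.op == "Phi":
                if n.args:
                    raise ValueError(f"Phi {name} must not name its inputs")
                phis.add(name)
    for b in blocks.values():
        for name, n in b.nodes:
            if n.op == "Upsilon" and n.phi not in phis:
                raise ValueError(f"Upsilon {name} targets non-Phi {n.phi!r}")
    return True


def interpret(blocks, entry="entry", **arguments):
    values = dict(arguments)   # SSA value name -> current runtime value
    slots = {}                 # Phi name -> its "variable", written by Upsilons
    cur = entry
    while True:
        b, nxt = blocks[cur], None
        for name, n in b.nodes:
            if n.op == "Const":
                values[name] = n.args[0]
            elif n.op == "Phi":            # read the variable the predecessor set
                values[name] = slots[name]
            elif n.op == "Upsilon":        # the non-SSA "mov" into the Phi's variable
                slots[n.phi] = values[n.args[0]]
            elif n.op == "Add":
                values[name] = values[n.args[0]] + values[n.args[1]]
            elif n.op == "Less":
                values[name] = values[n.args[0]] < values[n.args[1]]
            elif n.op == "Branch":
                nxt = b.succs[0] if values[n.args[0]] else b.succs[1]
            elif n.op == "Jump":
                nxt = b.succs[0]
            elif n.op == "Return":
                return values[n.args[0]]
            else:
                raise ValueError(f"unknown op {n.op}")
        cur = nxt


def sum_below(n):
    """Run the sample loop: returns 0 + 1 + ... + (n - 1)."""
    blocks = build_sum_loop()
    check_ssa(blocks)
    return interpret(blocks, n=n)
```

        The point to notice is that a CFG edit only has to keep each Upsilon in
        some predecessor of its Phi's block; no Phi operand list has to be
        kept in step with the predecessor list, which is the property the entry
        relies on to leave most CFG transformations SSA-unaware.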
3930
3931 2013-07-11  Mark Lam  <mark.lam@apple.com>
3932
3933         Resurrect the CLoop LLINT on the FTL branch.
3934         https://bugs.webkit.org/show_bug.cgi?id=118144.
3935
3936         Reviewed by Mark Hahnenberg.
3937
3938         * bytecode/CodeBlock.h:
3939         (JSC::CodeBlock::jitType):
3940           - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
3941         * bytecode/JumpTable.h:
3942         (JSC::SimpleJumpTable::clear):
3943         * interpreter/StackIterator.cpp:
3944         (JSC::StackIterator::Frame::bytecodeOffset):
3945         (JSC::StackIterator::Frame::print):