Make JSValue bool conversion less dangerous
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-30  Oliver Hunt  <oliver@apple.com>

        Make JSValue bool conversion less dangerous
        https://bugs.webkit.org/show_bug.cgi?id=120505

        Reviewed by Darin Adler.

        Replaces JSValue::operator bool() with an operator UnspecifiedBoolType* as
        we do elsewhere.  Then fix the places where terrible type coercion was
        happening.  All of the changes made had no fundamental behavioural impact
        as they were coercion results that were ignored (returning undefined
        after an exception).

        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::hadException):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::operator UnspecifiedBoolType*):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::equalTo)

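To show what this entry guards against, here is an added example (not JavaScriptCore's code): a hypothetical stand-in for JSValue with the old implicit operator bool() beside the unspecified-bool-type idiom the entry adopts. The Tag enum, the two class names and the helper functions are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <type_traits>

// Hypothetical tag states; JSValue's real encoding is different and not needed here.
enum class Tag { Empty, Undefined, Int32 };

// "Before": an implicit operator bool(). bool takes part in the usual arithmetic
// conversions, so the value silently becomes 0 or 1 wherever a number is expected.
class UnsafeValue {
public:
    UnsafeValue() : m_tag(Tag::Empty), m_int(0) { }
    explicit UnsafeValue(int32_t i) : m_tag(Tag::Int32), m_int(i) { }
    static UnsafeValue undefined() { UnsafeValue v; v.m_tag = Tag::Undefined; return v; }
    bool isEmpty() const { return m_tag == Tag::Empty; }
    int32_t asInt32() const { return m_int; }
    operator bool() const { return !isEmpty(); } // the dangerous conversion
private:
    Tag m_tag;
    int32_t m_int;
};

// "After": the unspecified-bool-type idiom. The conversion target is a pointer to a
// private, incomplete struct: usable in a condition, useless as a number.
class SafeValue {
    struct UnspecifiedBoolType;
public:
    SafeValue() : m_tag(Tag::Empty), m_int(0) { }
    explicit SafeValue(int32_t i) : m_tag(Tag::Int32), m_int(i) { }
    static SafeValue undefined() { SafeValue v; v.m_tag = Tag::Undefined; return v; }
    bool isEmpty() const { return m_tag == Tag::Empty; }
    int32_t asInt32() const { return m_int; }
    operator UnspecifiedBoolType*() const
    {
        // Any non-null pointer will do; nothing ever dereferences it.
        return isEmpty() ? nullptr : reinterpret_cast<UnspecifiedBoolType*>(1);
    }
private:
    Tag m_tag;
    int32_t m_int;
};

// Coercions the "before" class lets through without a diagnostic. Both compile and
// run; the "number" is really "is it non-empty?" turned into 0 or 1.
int32_t accidentalArithmetic(UnsafeValue v) { return v + 41; } // UnsafeValue(7) gives 42, not 48
double accidentalDouble(UnsafeValue v) { return v; }           // 1.0 for anything non-empty

// The one conversion that was actually wanted, still available after the change.
bool hadException(const SafeValue& exception) { return !!exception; }

// Compile-time evidence that the numeric conversion paths are gone for SafeValue while
// the boolean test remains. (The pointer idiom still lets a == b compile between two
// SafeValues as a pointer comparison; JSValue defines its own operator== for that.)
bool unsafeAllowsNumericCoercion()
{
    return std::is_convertible<UnsafeValue, int>::value
        && std::is_convertible<UnsafeValue, double>::value;
}
bool safeRejectsNumericCoercion()
{
    return !std::is_convertible<SafeValue, int>::value
        && !std::is_convertible<SafeValue, double>::value
        && std::is_convertible<SafeValue, bool>::value;
}

int main()
{
    std::printf("UnsafeValue(7) + 41 = %d (48 was meant; the bool was coerced)\n",
        accidentalArithmetic(UnsafeValue(7)));
    std::printf("SafeValue rejects numeric coercion: %s\n",
        safeRejectsNumericCoercion() ? "yes" : "no");
    return 0;
}
```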
2013-08-30  Chris Curtis  <chris_curtis@apple.com>

        Cleaning errorDescriptionForValue after r154839
        https://bugs.webkit.org/show_bug.cgi?id=120531

        Reviewed by Darin Adler.

        Changed the assert to ASSERT_NOT_REACHED, now that r154839 has landed. errorDescriptionForValue
        can assert again that the parameterized JSValue is !isEmpty().

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):

2013-08-30  Antti Koivisto  <antti@apple.com>

        Remove code behind ENABLE(DIALOG_ELEMENT)
        https://bugs.webkit.org/show_bug.cgi?id=120467

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2013-08-29  Andreas Kling  <akling@apple.com>

        De-bork Qt build.

        * Target.pri:

2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt for Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Renamed JSMapConstructor and JSMapPrototype.

2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Fix build break after r154861
        https://bugs.webkit.org/show_bug.cgi?id=120503

        Reviewed by Geoffrey Garen.

        Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * Target.pri:
        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Andreas Kling  <akling@apple.com>

        CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
        <https://webkit.org/b/120487>

        Reviewed by Oliver Hunt.

        CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
        instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
        exact amount of space needed.

        * bytecode/CodeBlock.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)

        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Implement ES6 Map object
        https://bugs.webkit.org/show_bug.cgi?id=120333

        Reviewed by Geoffrey Garen.

        Implement support for the ES6 Map type and related classes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyToken.h: Add a new token to track copying the backing store
        * runtime/CommonIdentifiers.h: Add new identifiers
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
            Add new structures and prototypes

        * runtime/JSMap.cpp: Added.
        * runtime/JSMap.h: Added.
            New JSMap class to represent a Map instance

        * runtime/MapConstructor.cpp: Added.
        * runtime/MapConstructor.h: Added.
            The Map constructor

        * runtime/MapData.cpp: Added.
        * runtime/MapData.h: Added.
            The most interesting data structure.  This roughly corresponds
            to the ES6 notion of MapData.  It provides the core JSValue->JSValue
            map implementation.  We implement it using 2 hashtables and a flat
            table.  Due to the different semantics of string comparisons vs.
            all others we need to have one map keyed by String and the other by
            generic JSValue.  The actual table is represented more or less
            exactly as described in the ES6 draft - a single contiguous list of
            key/value pairs.  The entire map could be achieved with just this
            table, however we need the HashMaps in order to maintain O(1) lookup.

            Deleted values are simply cleared as the draft says, however the
            implementation compacts the storage on copy as long as there are no
            active iterators.

        * runtime/MapPrototype.cpp: Added.
        * runtime/MapPrototype.h: Added.
            Implement Map prototype functions

        * runtime/VM.cpp:
            Add new structures.

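An added example (not the MapData that landed in runtime/MapData.h) of the layout this entry describes: two hashtables indexing one flat insertion-ordered table, deletes that clear the slot in place, and compaction that is refused while an iterator is live. The key representation (generic JSValue keys modelled as int64 identities), the iterator-count guard and all method names are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>
#include <vector>
// Strings compare by content, every other key by identity (an int64 here): hence two hashtables.
struct MapKey {
    bool isString;
    std::string str; // used when isString
    int64_t value;   // used otherwise
    static MapKey fromString(const std::string& s) { return { true, s, 0 }; }
    static MapKey fromValue(int64_t v) { return { false, std::string(), v }; }
};

class MapData {
public:
    struct Entry { MapKey key; int64_t value; bool deleted; };
    // RAII guard: while one is alive, indices into m_entries must stay valid, so compaction
    // is refused. Walking by index also means entries appended mid-iteration are still visited.
    class Iterator {
    public:
        explicit Iterator(MapData& map) : m_map(map), m_index(0) { ++m_map.m_iteratorCount; }
        ~Iterator() { --m_map.m_iteratorCount; }
        const Entry* next()
        {
            while (m_index < m_map.m_entries.size()) {
                const Entry& e = m_map.m_entries[m_index++];
                if (!e.deleted) return &e;
            }
            return nullptr;
        }
    private:
        MapData& m_map;
        size_t m_index;
    };
    void set(const MapKey& key, int64_t value)
    {
        if (const size_t* idx = lookup(key)) { m_entries[*idx].value = value; return; }
        index(key, m_entries.size());
        m_entries.push_back({ key, value, false });
        ++m_liveCount;
    }
    bool get(const MapKey& key, int64_t& out) const
    {
        const size_t* idx = lookup(key);
        if (idx) out = m_entries[*idx].value;
        return idx != nullptr;
    }
    // A deleted entry is cleared in place, never erased: a live iterator may hold its index.
    bool remove(const MapKey& key)
    {
        const size_t* idx = lookup(key);
        if (!idx) return false;
        Entry& e = m_entries[*idx];
        unindex(key);
        e.deleted = true; e.value = 0;
        --m_liveCount;
        return true;
    }
    // The compaction done when the backing store is copied. Moving entries under a live
    // iterator would leave its index pointing at the wrong slot, so it is refused then.
    bool compactIfPossible()
    {
        if (m_iteratorCount) return false;
        std::vector<Entry> packed;
        m_stringKeys.clear(); m_valueKeys.clear();
        for (const Entry& e : m_entries) {
            if (e.deleted) continue;
            index(e.key, packed.size());
            packed.push_back(e);
        }
        m_entries.swap(packed);
        return true;
    }
    size_t size() const { return m_liveCount; }          // live entries
    size_t capacity() const { return m_entries.size(); } // slots, cleared ones included
private:
    const size_t* lookup(const MapKey& key) const
    {
        if (key.isString) {
            auto it = m_stringKeys.find(key.str);
            return it == m_stringKeys.end() ? nullptr : &it->second;
        }
        auto it = m_valueKeys.find(key.value);
        return it == m_valueKeys.end() ? nullptr : &it->second;
    }
    void index(const MapKey& key, size_t idx) { if (key.isString) m_stringKeys[key.str] = idx; else m_valueKeys[key.value] = idx; }
    void unindex(const MapKey& key) { if (key.isString) m_stringKeys.erase(key.str); else m_valueKeys.erase(key.value); }
    std::unordered_map<std::string, size_t> m_stringKeys;
    std::unordered_map<int64_t, size_t> m_valueKeys;
    std::vector<Entry> m_entries;
    size_t m_liveCount = 0;
    size_t m_iteratorCount = 0;
};

int main()
{
    MapData m; m.set(MapKey::fromString("k"), 1);
    MapData::Iterator it(m);
    return m.compactIfPossible() ? 1 : 0; // exits 0: compaction is refused while the iterator lives
}
```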
2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
        https://bugs.webkit.org/show_bug.cgi?id=120489

        Reviewed by Geoffrey Garen.

        If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
        DFG compilation but we've also started one or more FTL compilations, then we
        shouldn't get confused. Previously we would have gotten confused because we would
        see an in-process deferred compile (the FTL compile) and also an optimized
        replacement (the DFG code).

        If the baseline JIT hits an OSR entry trigger into the DFG and we previously
        did two things in this order: triggered a tier-up compilation from the DFG into
        the FTL, and then jettisoned the DFG code because it exited a bunch, then we
        shouldn't be confused by the presence of an in-process deferred compile (the FTL
        compile). Previously we would have waited for that compile to finish; but the more
        sensible thing to do is to let it complete and then invalidate it, while at the
        same time enqueueing a DFG compile to create a new, more valid, DFG code block.

        If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
        triggered an FTL compile for replacement, then it should fire off a second compile
        instead of thinking that it can wait for that one to finish. Or vice-versa. We
        need to allow for two FTL compiles to be enqueued at the same time (one for
        replacement and one for OSR entry in a loop).

        Then there's also the problem that DFG::compile() is almost certainly going to be
        the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
        right now there is no way to tell it which one you want.

        This fixes these problems and removes a bunch of potential confusion by making the
        key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
        FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().

        Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
        DFG::compile() is always passed DFGMode and then it might do an FTL compile if
        possible. Fixing that is a bigger issue for a later changeset.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        * dfg/DFGCompilationKey.cpp: Added.
        (JSC::DFG::CompilationKey::dump):
        * dfg/DFGCompilationKey.h: Added.
        (JSC::DFG::CompilationKey::CompilationKey):
        (JSC::DFG::CompilationKey::operator!):
        (JSC::DFG::CompilationKey::isHashTableDeletedValue):
        (JSC::DFG::CompilationKey::profiledBlock):
        (JSC::DFG::CompilationKey::mode):
        (JSC::DFG::CompilationKey::operator==):
        (JSC::DFG::CompilationKey::hash):
        (JSC::DFG::CompilationKeyHash::hash):
        (JSC::DFG::CompilationKeyHash::equal):
        * dfg/DFGCompilationMode.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGCompilationMode.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::key):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-29  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r154847.
        If you are going to exclude promises, actually exclude the build components.

        * interpreter/CallFrame.h: Exclude promise declarations
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset): Exclude promise code.
        (JSC::JSGlobalObject::visitChildren): Ditto.
        * runtime/VM.cpp: Ditto.
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-29  Sam Weinig  <sam@webkit.org>

        Add ENABLE guards for Promises
        https://bugs.webkit.org/show_bug.cgi?id=120488

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromise.h:
        * runtime/JSPromiseCallback.cpp:
        * runtime/JSPromiseCallback.h:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPromiseResolver.cpp:
        * runtime/JSPromiseResolver.h:
        * runtime/JSPromiseResolverConstructor.cpp:
        * runtime/JSPromiseResolverConstructor.h:
        * runtime/JSPromiseResolverPrototype.cpp:
        * runtime/JSPromiseResolverPrototype.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):

2013-08-29  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
        https://bugs.webkit.org/show_bug.cgi?id=120080

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Kill code that became dead after http://trac.webkit.org/changeset/154833

        Rubber stamped by Oliver Hunt.

        * dfg/DFGDriver.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock's magic for scaling tier-up thresholds should be more reusable
        https://bugs.webkit.org/show_bug.cgi?id=120486

        Reviewed by Oliver Hunt.

        Removed the counterValueForBlah() methods and exposed the reusable scaling logic
        as an adjustedCounterValue() method.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::adjustedCounterValue):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * bytecode/CodeBlock.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::prepareForExecution() is silly
        https://bugs.webkit.org/show_bug.cgi?id=120453

        Reviewed by Oliver Hunt.

        Instead of saying:

            codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)

        we should just say:

            JIT::compile(stuff, codeBlock, more stuff);

        And similarly for the LLInt and DFG.

        This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
        wrapper that uses the JITType argument to call into the appropriate execution
        engine, which is what the user wanted to do in the first place.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setEntrypoint):
        * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
        * llint/LLIntEntrypoints.cpp: Removed.
        * llint/LLIntEntrypoints.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Gardening: fixed broken non-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=120481.

        Not reviewed.

        * interpreter/StackIterator.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.

        Rolling r154804 back in after fixing no-LLInt build.

        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).

        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.

        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.

        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.

        This patch solves these problems by reducing all of that complexity into just
        three primitives:

        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.

        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.

        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.

        This functionality is then wrapped around three convenience methods:

        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).

        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.

        - CodeBlock::install(). Asks the Executable to install this code block.

        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.

        It also allows me to work on FTL OSR entry and tier-up:

        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.

        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::prepareForExecutionImpl):
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::prepareForExecutionAsynchronously):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Change StackIterator to not require writes to the JS stack.
        https://bugs.webkit.org/show_bug.cgi?id=119657.

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        - Removed references to StackIteratorPrivate.h.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::find):
        (JSC::StackIterator::readFrame):
        (JSC::StackIterator::readNonInlinedFrame):
        - Reads in the current CallFrame's data for non-inlined frames.
        (JSC::inlinedFrameOffset):
        - Convenience function to compute the inlined frame offset based on the
          CodeOrigin. If the offset is 0, then we're looking at the physical frame.
          Otherwise, it's an inlined frame.
        (JSC::StackIterator::readInlinedFrame):
        - Determines the inlined frame's caller frame. Will read in the caller
          frame if it is also an inlined frame i.e. we haven't reached the
          outermost frame yet. Otherwise, will call readNonInlinedFrame() to
          read on the outermost frame.
          This is based on the old StackIterator::Frame::logicalFrame().
        (JSC::StackIterator::updateFrame):
        - Reads the data of the caller frame of the current one. This function
          is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
          but is now simplified because it delegates to the readInlinedFrame()
          to get the caller for inlined frames.
        (JSC::StackIterator::Frame::arguments):
        - Fixed to use the inlined frame versions of Arguments::create() and
          Arguments::tearOff() when the frame is an inlined frame.
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (debugPrintStack):
        - Because sometimes, we want to see the whole stack while debugging.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::argumentCount):
        (JSC::StackIterator::Frame::callerFrame):
        (JSC::StackIterator::Frame::callee):
        (JSC::StackIterator::Frame::scope):
        (JSC::StackIterator::Frame::codeBlock):
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::inlinedFrameInfo):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::isInlinedFrame):
        (JSC::StackIterator::Frame::callFrame):
        (JSC::StackIterator::Frame::Frame):
        (JSC::StackIterator::Frame::~Frame):
        - StackIterator::Frame now caches commonly accessed values from
          the CallFrame. It still delegates argument queries to the CallFrame.
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::operator==):
        * interpreter/StackIteratorPrivate.h: Removed.

2013-08-29  Chris Curtis  <chris_curtis@apple.com>

        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
        https://bugs.webkit.org/show_bug.cgi?id=120472

        Reviewed by Filip Pizlo.

        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller
        throwException can be called when topCallFrame is set.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h:

        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
        to throw errors. It unwinds the stack in order to report them.
        * dfg/DFGOperations.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        (JSC::jitThrowNew):
        (JSC::jitThrow):
        * jit/JITExceptions.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):

2013-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154804.
        http://trac.webkit.org/changeset/154804
        https://bugs.webkit.org/show_bug.cgi?id=120477

        Broke Windows build (assumes LLInt features not enabled on
        this build) (Requested by bfulgham on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType):
        (JSC::CodeBlock::jitCompile):
        * bytecode/DeferredCompilationCallback.cpp: Removed.
        * bytecode/DeferredCompilationCallback.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
720         (JSC::DFG::SpeculativeJIT::compile):
721         * dfg/DFGWorklist.cpp:
722         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
723         (JSC::DFG::Worklist::runThread):
724         * ftl/FTLJITFinalizer.cpp:
725         (JSC::FTL::JITFinalizer::finalize):
726         (JSC::FTL::JITFinalizer::finalizeFunction):
727         * ftl/FTLJITFinalizer.h:
728         * heap/Heap.h:
729         * interpreter/Interpreter.cpp:
730         (JSC::Interpreter::execute):
731         (JSC::Interpreter::executeCall):
732         (JSC::Interpreter::executeConstruct):
733         (JSC::Interpreter::prepareForRepeatCall):
734         * jit/JITDriver.h: Added.
735         (JSC::jitCompileIfAppropriateImpl):
736         (JSC::jitCompileFunctionIfAppropriateImpl):
737         (JSC::jitCompileIfAppropriate):
738         (JSC::jitCompileFunctionIfAppropriate):
739         * jit/JITStubs.cpp:
740         (JSC::DEFINE_STUB_FUNCTION):
741         (JSC::jitCompileFor):
742         (JSC::lazyLinkFor):
743         * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
744         * jit/JITToDFGDeferredCompilationCallback.h: Removed.
745         * llint/LLIntEntrypoints.cpp:
746         (JSC::LLInt::getFunctionEntrypoint):
747         (JSC::LLInt::getEvalEntrypoint):
748         (JSC::LLInt::getProgramEntrypoint):
749         * llint/LLIntEntrypoints.h:
750         (JSC::LLInt::getEntrypoint):
751         * llint/LLIntSlowPaths.cpp:
752         (JSC::LLInt::jitCompileAndSetHeuristics):
753         (JSC::LLInt::setUpCall):
754         * runtime/ArrayPrototype.cpp:
755         (JSC::isNumericCompareFunction):
756         * runtime/CommonSlowPaths.cpp:
757         * runtime/CompilationResult.cpp:
758         (WTF::printInternal):
759         * runtime/CompilationResult.h:
760         * runtime/Executable.cpp:
761         (JSC::EvalExecutable::compileOptimized):
762         (JSC::EvalExecutable::jitCompile):
763         (JSC::EvalExecutable::compileInternal):
764         (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
765         (JSC::ProgramExecutable::compileOptimized):
766         (JSC::ProgramExecutable::jitCompile):
767         (JSC::ProgramExecutable::compileInternal):
768         (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
769         (JSC::FunctionExecutable::compileOptimizedForCall):
770         (JSC::FunctionExecutable::compileOptimizedForConstruct):
771         (JSC::FunctionExecutable::jitCompileForCall):
772         (JSC::FunctionExecutable::jitCompileForConstruct):
773         (JSC::FunctionExecutable::produceCodeBlockFor):
774         (JSC::FunctionExecutable::compileForCallInternal):
775         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
776         (JSC::FunctionExecutable::compileForConstructInternal):
777         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
778         * runtime/Executable.h:
779         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
780         (JSC::ExecutableBase::offsetOfNumParametersFor):
781         (JSC::ExecutableBase::catchRoutineFor):
782         (JSC::EvalExecutable::compile):
783         (JSC::ProgramExecutable::compile):
784         (JSC::FunctionExecutable::compileForCall):
785         (JSC::FunctionExecutable::compileForConstruct):
786         (JSC::FunctionExecutable::compileFor):
787         (JSC::FunctionExecutable::compileOptimizedFor):
788         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
789         (JSC::FunctionExecutable::jitCompileFor):
790         * runtime/ExecutionHarness.h: Added.
791         (JSC::prepareForExecutionImpl):
792         (JSC::prepareFunctionForExecutionImpl):
793         (JSC::installOptimizedCode):
794         (JSC::prepareForExecution):
795         (JSC::prepareFunctionForExecution):
796         (JSC::replaceWithDeferredOptimizedCode):
797
798 2013-08-28  Filip Pizlo  <fpizlo@apple.com>
799
800         CodeBlock compilation and installation should be simplified and rationalized
801         https://bugs.webkit.org/show_bug.cgi?id=120326
802
803         Reviewed by Oliver Hunt.
804         
805         Previously Executable owned the code for generating JIT code; you always had
806         to go through Executable. But often you also had to go through CodeBlock,
807         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
808         So you'd ask CodeBlock to do something, which would dispatch through a
809         virtual method that would select the appropriate Executable subtype's method.
810         This all meant that the same code would often be duplicated, because most of
811         the work needed to compile something was identical regardless of code type.
812         But then we tried to fix this, by having templatized helpers in
813         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
814         out what happened when you asked for something to be compiled, you'd go on a
815         wild ride that started with CodeBlock, touched upon Executable, and then
816         ricocheted into either ExecutionHarness or JITDriver (likely both).
817         
818         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
819         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
820         done once the compilation finished.
821         
822         Also, most of the DFG JIT drivers assumed that they couldn't install the
823         JITCode into the CodeBlock directly - instead they would return it via a
824         reference, which happened to be a reference to the JITCode pointer in
825         Executable. This was super weird.
826         
827         Finally, there was no notion of compiling code into a special CodeBlock that
828         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
829         entry.
830         
831         This patch solves these problems by reducing all of that complexity into just
832         three primitives:
833         
834         - Executable::newCodeBlock(). This gives you a new code block, either for call
835           or for construct, and either to serve as the baseline code or the optimized
836           code. The new code block is then owned by the caller; Executable doesn't
837           register it anywhere. The new code block has no JITCode and isn't callable,
838           but it has all of the bytecode.
839         
840         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
841           produces a JITCode, and then installs the JITCode into the CodeBlock. This
842           method takes a JITType, and always compiles with that JIT. If you ask for
843           JITCode::InterpreterThunk then you'll get JITCode that just points to the
844           LLInt entrypoints. Once this returns, it is possible to call into the
845           CodeBlock if you do so manually - but the Executable still won't know about
846           it so JS calls to that Executable will still be routed to whatever CodeBlock
847           is associated with the Executable.
848         
849         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
850           entry for that Executable. This involves unlinking the Executable's last
851           CodeBlock, if there was one. This also tells the GC about any effect on
852           memory usage and does a bunch of weird data structure rewiring, since
853           Executable caches some of CodeBlock's fields for the benefit of virtual call
854           fast paths.
855         
856         This functionality is then wrapped around three convenience methods:
857         
858         - Executable::prepareForExecution(). If there is no code block for that
859           Executable, then one is created (newCodeBlock()), compiled
860           (CodeBlock::prepareForExecution()) and installed (installCode()).
861         
862         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
863           can serve as an optimized replacement of the current one.
864         
865         - CodeBlock::install(). Asks the Executable to install this code block.
866         
867         This patch allows me to kill *a lot* of code and to remove a lot of
868         specializations for functions vs. not-functions, and a lot of places where we
869         pass around JITCode references and such. ExecutionHarness and JITDriver are
870         both gone. Overall this patch has more red than green.
871         
872         It also allows me to work on FTL OSR entry and tier-up:
873         
874         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
875           to do some compilation, but it will require the DFG::Worklist to do
876           something different than what JITStubs.cpp would want, once the compilation
877           finishes. This patch introduces a callback mechanism for that purpose.
878         
879         - FTL OSR entry: this will involve creating a special auto-jettisoned
880           CodeBlock that is used only for FTL OSR entry. The new set of primitives
881           allows for this: Executable can vend you a fresh new CodeBlock, and you can
882           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
883           can take that CodeBlock and compile it yourself. Previously the act of
884           producing a CodeBlock-for-optimization and the act of compiling code for it
885           were tightly coupled; now you can separate them and you can create such
886           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
887
888         * CMakeLists.txt:
889         * GNUmakefile.list.am:
890         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
891         * JavaScriptCore.xcodeproj/project.pbxproj:
892         * Target.pri:
893         * bytecode/CodeBlock.cpp:
894         (JSC::CodeBlock::prepareForExecution):
895         (JSC::CodeBlock::install):
896         (JSC::CodeBlock::newReplacement):
897         (JSC::FunctionCodeBlock::jettisonImpl):
898         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
899         * bytecode/CodeBlock.h:
900         (JSC::CodeBlock::hasBaselineJITProfiling):
901         * bytecode/DeferredCompilationCallback.cpp: Added.
902         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
903         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
904         * bytecode/DeferredCompilationCallback.h: Added.
905         * dfg/DFGDriver.cpp:
906         (JSC::DFG::tryCompile):
907         * dfg/DFGDriver.h:
908         (JSC::DFG::tryCompile):
909         * dfg/DFGFailedFinalizer.cpp:
910         (JSC::DFG::FailedFinalizer::finalize):
911         (JSC::DFG::FailedFinalizer::finalizeFunction):
912         * dfg/DFGFailedFinalizer.h:
913         * dfg/DFGFinalizer.h:
914         * dfg/DFGJITFinalizer.cpp:
915         (JSC::DFG::JITFinalizer::finalize):
916         (JSC::DFG::JITFinalizer::finalizeFunction):
917         * dfg/DFGJITFinalizer.h:
918         * dfg/DFGOSRExitPreparation.cpp:
919         (JSC::DFG::prepareCodeOriginForOSRExit):
920         * dfg/DFGOperations.cpp:
921         * dfg/DFGPlan.cpp:
922         (JSC::DFG::Plan::Plan):
923         (JSC::DFG::Plan::compileInThreadImpl):
924         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
925         (JSC::DFG::Plan::finalizeAndNotifyCallback):
926         * dfg/DFGPlan.h:
927         * dfg/DFGWorklist.cpp:
928         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
929         * ftl/FTLJITFinalizer.cpp:
930         (JSC::FTL::JITFinalizer::finalize):
931         (JSC::FTL::JITFinalizer::finalizeFunction):
932         * ftl/FTLJITFinalizer.h:
933         * heap/Heap.h:
934         (JSC::Heap::isDeferred):
935         * interpreter/Interpreter.cpp:
936         (JSC::Interpreter::execute):
937         (JSC::Interpreter::executeCall):
938         (JSC::Interpreter::executeConstruct):
939         (JSC::Interpreter::prepareForRepeatCall):
940         * jit/JITDriver.h: Removed.
941         * jit/JITStubs.cpp:
942         (JSC::DEFINE_STUB_FUNCTION):
943         (JSC::jitCompileFor):
944         (JSC::lazyLinkFor):
945         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
946         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
947         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
948         (JSC::JITToDFGDeferredCompilationCallback::create):
949         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
950         * jit/JITToDFGDeferredCompilationCallback.h: Added.
951         * llint/LLIntEntrypoints.cpp:
952         (JSC::LLInt::setFunctionEntrypoint):
953         (JSC::LLInt::setEvalEntrypoint):
954         (JSC::LLInt::setProgramEntrypoint):
955         * llint/LLIntEntrypoints.h:
956         * llint/LLIntSlowPaths.cpp:
957         (JSC::LLInt::jitCompileAndSetHeuristics):
958         (JSC::LLInt::setUpCall):
959         * runtime/ArrayPrototype.cpp:
960         (JSC::isNumericCompareFunction):
961         * runtime/CommonSlowPaths.cpp:
962         * runtime/CompilationResult.cpp:
963         (WTF::printInternal):
964         * runtime/CompilationResult.h:
965         * runtime/Executable.cpp:
966         (JSC::ScriptExecutable::installCode):
967         (JSC::ScriptExecutable::newCodeBlockFor):
968         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
969         (JSC::ScriptExecutable::prepareForExecutionImpl):
970         * runtime/Executable.h:
971         (JSC::ScriptExecutable::prepareForExecution):
972         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
973         * runtime/ExecutionHarness.h: Removed.
974
975 2013-08-28  Chris Curtis  <chris_curtis@apple.com>
976
977         https://bugs.webkit.org/show_bug.cgi?id=119548
978         Refactoring Exception throws.
979         
980         Reviewed by Geoffrey Garen.
981         
982         Gardening of exception throws. The act of throwing an exception was being handled in
983         different ways depending on whether the code was running in the LLInt, Baseline JIT,
984         or the DFG JIT. This made development in the VM exception and error objects difficult.
985         
986         * runtime/VM.cpp:
987         (JSC::appendSourceToError): 
988         This function moved from the interpreter into the VM. It views the developers code
989         (if there is a codeBlock) to extract what was trying to be evaluated when the error
990         occurred.
991         
992         (JSC::VM::throwException):
993         This function takes in the error object and sets the following:
994             1: The VM's exception stack
995             2: The VM's exception 
996             3: Appends extra information on the error message(via appendSourceToError)
997             4: The error object's line number
998             5: The error object's column number
999             6: The error object's sourceURL
1000             7: The error object's stack trace (unless it already exists because the developer 
1001                 created the error object). 
1002
1003         (JSC::VM::getExceptionInfo):
1004         (JSC::VM::setExceptionInfo):
1005         (JSC::VM::clearException):
1006         (JSC::clearExceptionStack):
1007         * runtime/VM.h:
1008         (JSC::VM::exceptionOffset):
1009         (JSC::VM::exception):
1010         (JSC::VM::addressOfException):
1011         (JSC::VM::exceptionStack):
1012         VM exception and exceptionStack are now private data members.
1013
1014         * interpreter/Interpreter.h:
1015         (JSC::ClearExceptionScope::ClearExceptionScope):
1016         Created this structure to temporarily clear the exception within the VM. This is
1017         needed to see if additional errors occur when setting the debugger as we are
1018         unwinding the stack.
1019
1020         * interpreter/Interpreter.cpp:
1021         (JSC::Interpreter::unwind): 
1022         Removed the code that would try to add error information if it did not exist. 
1023         All of this functionality has moved into the VM and all error information is set 
1024         at the time the error occurs. 
1025
1026         The rest of these functions reference the new calling convention to throw an error.
1027
1028         * API/APICallbackFunction.h:
1029         (JSC::APICallbackFunction::call):
1030         * API/JSCallbackConstructor.cpp:
1031         (JSC::constructJSCallback):
1032         * API/JSCallbackObjectFunctions.h:
1033         (JSC::::getOwnPropertySlot):
1034         (JSC::::defaultValue):
1035         (JSC::::put):
1036         (JSC::::putByIndex):
1037         (JSC::::deleteProperty):
1038         (JSC::::construct):
1039         (JSC::::customHasInstance):
1040         (JSC::::call):
1041         (JSC::::getStaticValue):
1042         (JSC::::staticFunctionGetter):
1043         (JSC::::callbackGetter):
1044         * debugger/Debugger.cpp:
1045         (JSC::evaluateInGlobalCallFrame):
1046         * debugger/DebuggerCallFrame.cpp:
1047         (JSC::DebuggerCallFrame::evaluate):
1048         * dfg/DFGAssemblyHelpers.h:
1049         (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
1050         * dfg/DFGOperations.cpp:
1051         (JSC::DFG::operationPutByValInternal):
1052         * ftl/FTLLowerDFGToLLVM.cpp:
1053         (JSC::FTL::LowerDFGToLLVM::callCheck):
1054         * heap/Heap.cpp:
1055         (JSC::Heap::markRoots):
1056         * interpreter/CallFrame.h:
1057         (JSC::ExecState::clearException):
1058         (JSC::ExecState::exception):
1059         (JSC::ExecState::hadException):
1060         * interpreter/Interpreter.cpp:
1061         (JSC::eval):
1062         (JSC::loadVarargs):
1063         (JSC::stackTraceAsString):
1064         (JSC::Interpreter::execute):
1065         (JSC::Interpreter::executeCall):
1066         (JSC::Interpreter::executeConstruct):
1067         (JSC::Interpreter::prepareForRepeatCall):
1068         * interpreter/Interpreter.h:
1069         (JSC::ClearExceptionScope::ClearExceptionScope):
1070         * jit/JITCode.cpp:
1071         (JSC::JITCode::execute):
1072         * jit/JITExceptions.cpp:
1073         (JSC::genericThrow):
1074         * jit/JITOpcodes.cpp:
1075         (JSC::JIT::emit_op_catch):
1076         * jit/JITOpcodes32_64.cpp:
1077         (JSC::JIT::privateCompileCTINativeCall):
1078         (JSC::JIT::emit_op_catch):
1079         * jit/JITStubs.cpp:
1080         (JSC::returnToThrowTrampoline):
1081         (JSC::throwExceptionFromOpCall):
1082         (JSC::DEFINE_STUB_FUNCTION):
1083         (JSC::jitCompileFor):
1084         (JSC::lazyLinkFor):
1085         (JSC::putByVal):
1086         (JSC::cti_vm_handle_exception):
1087         * jit/SlowPathCall.h:
1088         (JSC::JITSlowPathCall::call):
1089         * jit/ThunkGenerators.cpp:
1090         (JSC::nativeForGenerator):
1091         * jsc.cpp:
1092         (functionRun):
1093         (functionLoad):
1094         (functionCheckSyntax):
1095         * llint/LLIntExceptions.cpp:
1096         (JSC::LLInt::doThrow):
1097         (JSC::LLInt::returnToThrow):
1098         (JSC::LLInt::callToThrow):
1099         * llint/LLIntSlowPaths.cpp:
1100         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1101         * llint/LowLevelInterpreter.cpp:
1102         (JSC::CLoop::execute):
1103         * llint/LowLevelInterpreter32_64.asm:
1104         * llint/LowLevelInterpreter64.asm:
1105         * runtime/ArrayConstructor.cpp:
1106         (JSC::constructArrayWithSizeQuirk):
1107         * runtime/CommonSlowPaths.cpp:
1108         (JSC::SLOW_PATH_DECL):
1109         * runtime/CommonSlowPaths.h:
1110         (JSC::CommonSlowPaths::opIn):
1111         * runtime/CommonSlowPathsExceptions.cpp:
1112         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1113         * runtime/Completion.cpp:
1114         (JSC::evaluate):
1115         * runtime/Error.cpp:
1116         (JSC::addErrorInfo):
1117         (JSC::throwTypeError):
1118         (JSC::throwSyntaxError):
1119         * runtime/Error.h:
1120         (JSC::throwVMError):
1121         * runtime/ExceptionHelpers.cpp:
1122         (JSC::throwOutOfMemoryError):
1123         (JSC::throwStackOverflowError):
1124         (JSC::throwTerminatedExecutionException):
1125         * runtime/Executable.cpp:
1126         (JSC::EvalExecutable::create):
1127         (JSC::FunctionExecutable::produceCodeBlockFor):
1128         * runtime/FunctionConstructor.cpp:
1129         (JSC::constructFunction):
1130         (JSC::constructFunctionSkippingEvalEnabledCheck):
1131         * runtime/JSArray.cpp:
1132         (JSC::JSArray::defineOwnProperty):
1133         (JSC::JSArray::put):
1134         (JSC::JSArray::push):
1135         * runtime/JSCJSValue.cpp:
1136         (JSC::JSValue::toObjectSlowCase):
1137         (JSC::JSValue::synthesizePrototype):
1138         (JSC::JSValue::putToPrimitive):
1139         * runtime/JSFunction.cpp:
1140         (JSC::JSFunction::defineOwnProperty):
1141         * runtime/JSGenericTypedArrayViewInlines.h:
1142         (JSC::::create):
1143         (JSC::::createUninitialized):
1144         (JSC::::validateRange):
1145         (JSC::::setWithSpecificType):
1146         * runtime/JSGlobalObjectFunctions.cpp:
1147         (JSC::encode):
1148         (JSC::decode):
1149         (JSC::globalFuncProtoSetter):
1150         * runtime/JSNameScope.cpp:
1151         (JSC::JSNameScope::put):
1152         * runtime/JSONObject.cpp:
1153         (JSC::Stringifier::appendStringifiedValue):
1154         (JSC::Walker::walk):
1155         * runtime/JSObject.cpp:
1156         (JSC::JSObject::put):
1157         (JSC::JSObject::defaultValue):
1158         (JSC::JSObject::hasInstance):
1159         (JSC::JSObject::defaultHasInstance):
1160         (JSC::JSObject::defineOwnNonIndexProperty):
1161         (JSC::throwTypeError):
1162         * runtime/ObjectConstructor.cpp:
1163         (JSC::toPropertyDescriptor):
1164         * runtime/RegExpConstructor.cpp:
1165         (JSC::constructRegExp):
1166         * runtime/StringObject.cpp:
1167         (JSC::StringObject::defineOwnProperty):
1168         * runtime/StringRecursionChecker.cpp:
1169         (JSC::StringRecursionChecker::throwStackOverflowError):
1170
1171 2013-08-28  Zan Dobersek  <zdobersek@igalia.com>
1172
1173         [GTK] Add support for building JSC with FTL JIT enabled
1174         https://bugs.webkit.org/show_bug.cgi?id=120270
1175
1176         Reviewed by Filip Pizlo.
1177
1178         * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
1179         compiler flags for the JSC library.
1180         * GNUmakefile.list.am: Add the missing build targets.
1181         * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
1182         failures when using the Clang compiler with the libstdc++ standard library.
1183         (JSC::FTL::mdKindID):
1184         (JSC::FTL::mdString):
1185
1186 2013-08-23  Andy Estes  <aestes@apple.com>
1187
1188         Fix issues found by the Clang Static Analyzer
1189         https://bugs.webkit.org/show_bug.cgi?id=120230
1190
1191         Reviewed by Darin Adler.
1192
1193         * API/JSValue.mm:
1194         (valueToString): Don't leak every CFStringRef when in Objective-C GC.
1195         * API/ObjCCallbackFunction.mm:
1196         (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
1197         release m_invocation's target since NSInvocation will do it for us on
1198         -dealloc.
1199         (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
1200         and -release our reference to the copied block.
1201         * API/tests/minidom.c:
1202         (createStringWithContentsOfFile): Free buffer before returning.
1203         * API/tests/testapi.c:
1204         (createStringWithContentsOfFile): Ditto.
1205
1206 2013-08-26  Brent Fulgham  <bfulgham@apple.com>
1207
1208         [Windows] Unreviewed build fix after r154629.
1209
1210         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
1211         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1212
1213 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
1214
1215         Windows build fix attempt after r154629.
1216
1217         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1218
1219 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1220
1221         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
1222         https://bugs.webkit.org/show_bug.cgi?id=120278
1223
1224         Reviewed by Geoffrey Garen.
1225
1226         * runtime/JSObject.cpp:
1227         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1228
1229 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
1230
1231         Fix indention of Executable.h.
1232
1233         Rubber stamped by Mark Hahnenberg.
1234
1235         * runtime/Executable.h:
1236
1237 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1238
1239         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
1240         https://bugs.webkit.org/show_bug.cgi?id=120314
1241
1242         Reviewed by Darin Adler.
1243
1244         Currently with the way that defineProperty works, we leave a stray low bit set in 
1245         PropertyDescriptor::m_attributes in the following code:
1246
1247         var o = {};
1248         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
1249         
1250         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
1251         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
1252         but only the top three bits mean anything. Even in the case above, the top three bits are set 
1253         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
1254
1255         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
1256         framework's public C API, it's safer to just change how we calculate the default value, which is
1257         where the weirdness was originating from in the first place.
1258
1259         * runtime/PropertyDescriptor.cpp:
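
The stray-bit problem this entry describes, modelled in a few lines of C++ as an added example (this is not JSC's PropertyDescriptor code): the old default (DontDelete << 1) - 1 keeps bit 0 set even after every meaningful attribute has been cleared, while an explicit OR of the three attributes does not. ReadOnly = 1 << 1 and DontDelete = 1 << 3 follow from the entry; DontEnum = 1 << 2 is an assumption.

```cpp
#include <cassert>
#include <cstdio>

// Attribute bits as the entry describes them: ReadOnly is 1 << 1, so bit 0 is unused,
// and DontDelete is 1 << 3, which makes (DontDelete << 1) - 1 equal to 0xF.
// DontEnum = 1 << 2 is an assumption made for this example.
enum Attribute : unsigned {
    None       = 0,
    ReadOnly   = 1 << 1,
    DontEnum   = 1 << 2,
    DontDelete = 1 << 3,
};

// The default value the entry describes: every bit below DontDelete << 1,
// including the unused bit 0. Returns 0xF.
unsigned oldDefaultAttributes() { return (DontDelete << 1) - 1; }

// Corrected default: only the bits that carry meaning. Returns 0xE.
unsigned newDefaultAttributes() { return ReadOnly | DontEnum | DontDelete; }

// Model of what a descriptor such as {writable:true, enumerable:true, configurable:true}
// does to the attribute word: start from the default and clear each attribute the
// descriptor turns off. This mirrors the logic the entry explains, not the real code.
unsigned attributesFor(unsigned defaults, bool writable, bool enumerable, bool configurable)
{
    unsigned attributes = defaults;
    if (writable)
        attributes &= ~static_cast<unsigned>(ReadOnly);
    if (enumerable)
        attributes &= ~static_cast<unsigned>(DontEnum);
    if (configurable)
        attributes &= ~static_cast<unsigned>(DontDelete);
    return attributes;
}

int main()
{
    // The entry's own example: all three flags set, so all three meaningful bits are cleared.
    // With the old default the unused bit 0 survives and the word is still non-zero.
    unsigned before = attributesFor(oldDefaultAttributes(), true, true, true);
    unsigned after  = attributesFor(newDefaultAttributes(), true, true, true);
    std::printf("old default: m_attributes = 0x%x (non-zero: %s)\n", before, before ? "yes" : "no");
    std::printf("new default: m_attributes = 0x%x (non-zero: %s)\n", after, after ? "yes" : "no");
    return 0;
}
```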
1260
1261 2013-08-24  Sam Weinig  <sam@webkit.org>
1262
1263         Add support for Promises
1264         https://bugs.webkit.org/show_bug.cgi?id=120260
1265
1266         Reviewed by Darin Adler.
1267
1268         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
1269         - Despite Promises being defined in the DOM, the implementation is being put in JSC
1270           in preparation for the Promises eventually being defined in ECMAScript.
1271
1272         * CMakeLists.txt:
1273         * DerivedSources.make:
1274         * DerivedSources.pri:
1275         * GNUmakefile.list.am:
1276         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1277         * JavaScriptCore.xcodeproj/project.pbxproj:
1278         * Target.pri:
1279         Add new files.
1280
1281         * jsc.cpp:
1282         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
1283         you can't quite use Promises with the command line tool yet.
1284     
1285         * interpreter/CallFrame.h:
1286         (JSC::ExecState::promisePrototypeTable):
1287         (JSC::ExecState::promiseConstructorTable):
1288         (JSC::ExecState::promiseResolverPrototypeTable):
1289         * runtime/VM.cpp:
1290         (JSC::VM::VM):
1291         (JSC::VM::~VM):
1292         * runtime/VM.h:
1293         Add supporting code for the new static lookup tables.
1294
1295         * runtime/CommonIdentifiers.h:
1296         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
1297
1298         * runtime/JSGlobalObject.cpp:
1299         (JSC::JSGlobalObject::reset):
1300         (JSC::JSGlobalObject::visitChildren):
1301         Add supporting code for Promise and PromiseResolver's constructors and structures.
1302
1303         * runtime/JSGlobalObject.h:
1304         (JSC::TaskContext::~TaskContext):
1305         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
1306
1307         (JSC::JSGlobalObject::promisePrototype):
1308         (JSC::JSGlobalObject::promiseResolverPrototype):
1309         (JSC::JSGlobalObject::promiseStructure):
1310         (JSC::JSGlobalObject::promiseResolverStructure):
1311         (JSC::JSGlobalObject::promiseCallbackStructure):
1312         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
1313         Add supporting code for Promise and PromiseResolver's constructors and structures.
1314
1315         * runtime/JSPromise.cpp: Added.
1316         * runtime/JSPromise.h: Added.
1317         * runtime/JSPromiseCallback.cpp: Added.
1318         * runtime/JSPromiseCallback.h: Added.
1319         * runtime/JSPromiseConstructor.cpp: Added.
1320         * runtime/JSPromiseConstructor.h: Added.
1321         * runtime/JSPromisePrototype.cpp: Added.
1322         * runtime/JSPromisePrototype.h: Added.
1323         * runtime/JSPromiseResolver.cpp: Added.
1324         * runtime/JSPromiseResolver.h: Added.
1325         * runtime/JSPromiseResolverConstructor.cpp: Added.
1326         * runtime/JSPromiseResolverConstructor.h: Added.
1327         * runtime/JSPromiseResolverPrototype.cpp: Added.
1328         * runtime/JSPromiseResolverPrototype.h: Added.
1329         Add Promise implementation.
1330
1331 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
1332
1333         Plenty of -Wcast-align warnings in KeywordLookup.h
1334         https://bugs.webkit.org/show_bug.cgi?id=120316
1335
1336         Reviewed by Darin Adler.
1337
1338         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
1339         the character pointers to types of larger size. This avoids spewing lots of warnings
1340         in the KeywordLookup.h header when compiling with the -Wcast-align option.
1341
1342 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
1343
1344         RegExpMatchesArray should not call [[put]]
1345         https://bugs.webkit.org/show_bug.cgi?id=120317
1346
1347         Reviewed by Oliver Hunt.
1348
1349         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
1350         property called index or input to either of these prototypes will result in broken behavior.
1351
1352         * runtime/RegExpMatchesArray.cpp:
1353         (JSC::RegExpMatchesArray::reifyAllProperties):
1354             - put -> putDirect
1355
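The put -> putDirect distinction in the entry above, shown from JavaScript as an added example (this is not JavaScriptCore code). A hostile accessor is installed on Array.prototype under the names index and input, a regex match is run, and the result's properties are inspected; the regex and text are constructed for the example. The second half models the two attachment strategies directly: plain assignment behaves like [[Put]] and is intercepted by the prototype's setter, while Object.defineProperty behaves like putDirect and creates an own data property regardless of what the prototype holds.

```javascript
// Added example, not JavaScriptCore code: a regex match result's "index" and
// "input" properties must be created directly on the result (putDirect), not
// assigned through [[Put]], because [[Put]] consults the prototype chain and
// an accessor or read-only property of the same name on Array.prototype
// would intercept the write.

// Installs an accessor named `name` on Array.prototype that swallows every
// assignment reaching it and records it in `log`. Returns an undo function.
function installInterceptingAccessor(name, log) {
  Object.defineProperty(Array.prototype, name, {
    configurable: true,
    get() { return undefined; },
    set(value) { log.push({ name, value }); },
  });
  return () => { delete Array.prototype[name]; };
}

// Runs `re.exec(text)` while Array.prototype.index and .input are hostile and
// reports whether the result still carries its own data properties and
// whether the accessors ever fired. `re` and `text` are constructed inputs.
function matchUnderHostilePrototype(re, text) {
  const log = [];
  const undo = [installInterceptingAccessor('index', log),
                installInterceptingAccessor('input', log)];
  try {
    const m = re.exec(text);
    if (!m) return { match: null, interceptedWrites: log.length };
    const indexDesc = Object.getOwnPropertyDescriptor(m, 'index');
    const inputDesc = Object.getOwnPropertyDescriptor(m, 'input');
    return {
      match: Array.from(m),
      index: m.index,
      input: m.input,
      indexIsOwnDataProperty: indexDesc !== undefined && 'value' in indexDesc,
      inputIsOwnDataProperty: inputDesc !== undefined && 'value' in inputDesc,
      interceptedWrites: log.length,
    };
  } finally {
    undo.forEach((fn) => fn());
  }
}

// The two attachment strategies modelled in plain JavaScript: assignment is
// [[Put]] and goes through the prototype's setter; defineProperty is the
// putDirect analogue and creates an own data property regardless. Each
// returns whether `arr` ended up with an own property called `name`.
function attachViaPut(arr, name, value) {
  arr[name] = value;
  return Object.prototype.hasOwnProperty.call(arr, name);
}
function attachViaDefine(arr, name, value) {
  Object.defineProperty(arr, name, { value, writable: true, enumerable: true, configurable: true });
  return Object.prototype.hasOwnProperty.call(arr, name);
}

function compareAttachStrategies() {
  const log = [];
  const undo = installInterceptingAccessor('index', log);
  try {
    return {
      viaPut: attachViaPut([], 'index', 1),
      viaDefine: attachViaDefine([], 'index', 1),
      interceptedWrites: log.length,
    };
  } finally {
    undo();
  }
}
```

With a fixed engine, matchUnderHostilePrototype reports both properties as own data properties and zero intercepted writes; compareAttachStrategies shows the failure mode the fix avoids, where the [[Put]] path leaves the array without an own property and the hostile setter sees the value instead.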
1356 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
1357
1358         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
1359         https://bugs.webkit.org/show_bug.cgi?id=120228
1360
1361         Reviewed by Oliver Hunt.
1362         
1363         It turns out that there were three problems:
1364         
1365         - Using jsNumber() meant that we were converting doubles to integers and then
1366           possibly back again whenever doing a set() between floating point arrays.
1367         
1368         - Slow-path accesses to double typed arrays were slower than necessary because
1369           of the to-int conversion attempt.
1370         
1371         - The use of JSValue as an intermediate for converting between different types
1372           in typedArray.set() resulted in worse code than I had previously expected.
1373         
1374         This patch solves the problem by using template double-dispatch to ensure that
1375         the C++ compiler sees the simplest possible combination of casts between any
1376         combination of typed array types, while still preserving JS and typed array
1377         conversion semantics. Conversions are done as follows:
1378         
1379             SourceAdaptor::convertTo<TargetAdaptor>(value)
1380         
1381         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
1382         with one method for each of int32_t, uint32_t, and double. This means that the
1383         C++ compiler will at worst see a widening cast to one of those types followed
1384         by a narrowing conversion (not necessarily a cast - may have clamping or the
1385         JS toInt32() function).
1386         
1387         This change doesn't just affect typedArray.set(); it also affects slow-path
1388         accesses to typed arrays as well. This patch also adds a bunch of new test
1389         coverage.
1390         
1391         This change is a ~50% speed-up on typedArray.set() involving floating point
1392         types.
1393
1394         * GNUmakefile.list.am:
1395         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1396         * JavaScriptCore.xcodeproj/project.pbxproj:
1397         * runtime/GenericTypedArrayView.h:
1398         (JSC::GenericTypedArrayView::set):
1399         * runtime/JSDataViewPrototype.cpp:
1400         (JSC::setData):
1401         * runtime/JSGenericTypedArrayView.h:
1402         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1403         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1404         * runtime/JSGenericTypedArrayViewInlines.h:
1405         (JSC::::setWithSpecificType):
1406         (JSC::::set):
1407         * runtime/ToNativeFromValue.h: Added.
1408         (JSC::toNativeFromValue):
1409         * runtime/TypedArrayAdaptors.h:
1410         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1411         (JSC::IntegralTypedArrayAdaptor::toDouble):
1412         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
1413         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
1414         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
1415         (JSC::IntegralTypedArrayAdaptor::convertTo):
1416         (JSC::FloatTypedArrayAdaptor::toJSValue):
1417         (JSC::FloatTypedArrayAdaptor::toDouble):
1418         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
1419         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
1420         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
1421         (JSC::FloatTypedArrayAdaptor::convertTo):
1422         (JSC::Uint8ClampedAdaptor::toJSValue):
1423         (JSC::Uint8ClampedAdaptor::toDouble):
1424         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
1425         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
1426         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
1427         (JSC::Uint8ClampedAdaptor::convertTo):
1428
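The conversion semantics the entry above preserves, as an added example in JavaScript rather than the C++ adaptor code. The reference functions toInt32, toUint32 and toUint8Clamp follow the ECMAScript abstract operations of the same names; the SAMPLE_VALUES list is constructed for this example. The check runs the same values into every element type twice, through a cross-type typedArray.set() from a Float64Array and through indexed stores, and reports any element where the engine disagrees with the reference or the two paths disagree with each other, which is exactly the kind of divergence the patch removes.

```javascript
// Added example, not JavaScriptCore code: reference implementations of the
// ECMAScript conversions a typed array applies when a value crosses element
// types, used to check that typedArray.set() and indexed stores agree with
// the spec and with each other for every element type.

const TWO_32 = 4294967296;

// ToInt32: non-finite -> 0, truncate toward zero, wrap modulo 2^32 into the
// signed range. There is no clamping: 3e9 becomes negative.
function toInt32(x) {
  x = Number(x);
  if (!Number.isFinite(x) || x === 0) return 0;
  let n = Math.trunc(x) % TWO_32;
  if (n >= TWO_32 / 2) n -= TWO_32;
  else if (n < -TWO_32 / 2) n += TWO_32;
  return n;
}

// ToUint32: same wrap, into [0, 2^32).
function toUint32(x) {
  x = Number(x);
  if (!Number.isFinite(x) || x === 0) return 0;
  let n = Math.trunc(x) % TWO_32;
  if (n < 0) n += TWO_32;
  return n;
}

// ToUint8Clamp: NaN, -0 and negatives -> 0, >= 255 -> 255, otherwise round
// half to even (neither truncation nor Math.round).
function toUint8Clamp(x) {
  x = Number(x);
  if (!(x > 0)) return 0;
  if (x >= 255) return 255;
  const f = Math.floor(x);
  if (f + 0.5 < x) return f + 1;
  if (x < f + 0.5) return f;
  return f % 2 === 0 ? f : f + 1;
}

// Per-element-type conversion, each built from one of the primitives above.
const converters = new Map([
  [Int8Array, (x) => (toInt32(x) << 24) >> 24],
  [Uint8Array, (x) => toUint32(x) & 0xff],
  [Uint8ClampedArray, toUint8Clamp],
  [Int16Array, (x) => (toInt32(x) << 16) >> 16],
  [Uint16Array, (x) => toUint32(x) & 0xffff],
  [Int32Array, toInt32],
  [Uint32Array, toUint32],
  [Float32Array, Math.fround],
  [Float64Array, Number],
]);

// Constructed inputs covering truncation, wrapping, clamping, rounding ties
// and the non-finite cases.
const SAMPLE_VALUES = [0, -0, 0.1, 1.5, 2.5, -1.5, 127.5, 128, 200, 254.5,
  255.5, 256, 65536, 3e9, -3e9, 1e21, NaN, Infinity, -Infinity];

// Converts `values` into every element type twice, once with a cross-type
// set() from a Float64Array and once with indexed stores, and returns the
// cases where either path disagrees with the reference conversion.
function conversionMismatches(values) {
  const source = Float64Array.from(values);
  const mismatches = [];
  for (const [Ctor, convert] of converters) {
    const viaSet = new Ctor(values.length);
    viaSet.set(source);
    const viaIndex = new Ctor(values.length);
    values.forEach((v, i) => { viaIndex[i] = v; });
    values.forEach((v, i) => {
      const expected = convert(v);
      if (!Object.is(viaSet[i], expected) || !Object.is(viaIndex[i], expected)) {
        mismatches.push({ type: Ctor.name, input: v, expected, viaSet: viaSet[i], viaIndex: viaIndex[i] });
      }
    });
  }
  return mismatches;
}
```

The reference deliberately avoids any double-to-int detour for the float targets (Float32Array goes straight through Math.fround, Float64Array is the identity), which is the point of the entry: a value like 3e9 or 0.1 must arrive in a float array unchanged, and only the integer targets apply ToInt32, ToUint32 or the clamp.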
1429 2013-08-24  Dan Bernstein  <mitz@apple.com>
1430
1431         [mac] link against libz in a more civilized manner
1432         https://bugs.webkit.org/show_bug.cgi?id=120258
1433
1434         Reviewed by Darin Adler.
1435
1436         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
1437         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
1438         Link Binary With Libraries build phase.
1439
1440 2013-08-23  Laszlo Papp  <lpapp@kde.org>
1441
1442         Failure building with python3
1443         https://bugs.webkit.org/show_bug.cgi?id=106645
1444
1445         Reviewed by Benjamin Poulain.
1446
1447         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
1448         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
1449
1450         * disassembler/udis86/itab.py:
1451         (UdItabGenerator.genInsnTable):
1452         * disassembler/udis86/ud_opcode.py:
1453         (UdOpcodeTables.print_table):
1454         * disassembler/udis86/ud_optable.py:
1455         (UdOptableXmlParser.parseDef):
1456         (UdOptableXmlParser.parse):
1457         (printFn):
1458
1459 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
1460
1461         Incorrect TypedArray#set behavior
1462         https://bugs.webkit.org/show_bug.cgi?id=83818
1463
1464         Reviewed by Oliver Hunt and Mark Hahnenberg.
1465         
1466         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
1467         not smart enough to figure out optimal versions for *all* of the cases. But I
1468         did come up with optimal implementations for most of the cases, and I wrote
1469         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
1470         enough to write optimal code for.
1471
1472         * runtime/JSArrayBufferView.h:
1473         (JSC::JSArrayBufferView::hasArrayBuffer):
1474         * runtime/JSArrayBufferViewInlines.h:
1475         (JSC::JSArrayBufferView::buffer):
1476         (JSC::JSArrayBufferView::existingBufferInButterfly):
1477         (JSC::JSArrayBufferView::neuter):
1478         (JSC::JSArrayBufferView::byteOffset):
1479         * runtime/JSGenericTypedArrayView.h:
1480         * runtime/JSGenericTypedArrayViewInlines.h:
1481         (JSC::::setWithSpecificType):
1482         (JSC::::set):
1483         (JSC::::existingBuffer):
1484
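The "copy via a transfer buffer" behaviour the entry above describes, as an added JavaScript example (not the JavaScriptCore implementation). referenceSet is the spec-literal version, naiveSet is the in-place loop it guards against, and three aliasing scenarios over a constructed 8-byte buffer are run through the engine's own set() as well. The byte layout in the cross-type scenario depends on host endianness, so that case is compared engine against reference rather than against fixed bytes.

```javascript
// Added example, not JavaScriptCore code: typedArray.set() between two views
// of the same ArrayBuffer. A naive element loop reads source elements after
// earlier writes have already changed them; the spec-literal version copies
// the source through a transfer buffer first. The engine's set() is checked
// against both.

// Naive in-place copy: wrong whenever source and target alias each other and
// a write lands on a source element that has not been read yet.
function naiveSet(target, source, offset = 0) {
  for (let i = 0; i < source.length; i++) target[offset + i] = source[i];
}

// Spec-literal copy: snapshot the source (the "transfer buffer") before the
// first write, so the result depends only on the pre-call contents.
function referenceSet(target, source, offset = 0) {
  if (offset < 0 || source.length + offset > target.length) {
    throw new RangeError('source does not fit in target at this offset');
  }
  const snapshot = source.slice();
  for (let i = 0; i < snapshot.length; i++) target[offset + i] = snapshot[i];
}

// Runs one aliasing scenario three times on identical buffers and reports
// the resulting bytes of each, plus whether the engine matches the spec.
function runScenario(name, bytes, makeViews) {
  const run = (copy) => {
    const buf = Uint8Array.from(bytes).buffer;
    const [target, source, offset] = makeViews(buf);
    copy(target, source, offset);
    return Array.from(new Uint8Array(buf));
  };
  const engine = run((t, s, o) => t.set(s, o));
  const reference = run(referenceSet);
  const naive = run(naiveSet);
  return {
    name, engine, reference, naive,
    engineMatchesSpec: engine.every((v, i) => v === reference[i]),
  };
}

// Constructed 8-byte buffer holding 0..7.
const BYTES = [0, 1, 2, 3, 4, 5, 6, 7];

function scenarios() {
  return [
    // Same element type, source starts before target: a forward memmove,
    // where the naive loop re-reads bytes it has already overwritten.
    runScenario('forward overlap', BYTES,
      (buf) => [new Uint8Array(buf), new Uint8Array(buf, 0, 6), 2]),
    // Same element type, source starts after target: a backward memmove,
    // which even the naive loop gets right.
    runScenario('backward overlap', BYTES,
      (buf) => [new Uint8Array(buf, 0, 6), new Uint8Array(buf, 2, 6), 0]),
    // Different element sizes over the same bytes: each 16-bit write clobbers
    // the next 8-bit source element, so only the snapshot gives the right answer.
    runScenario('cross-type overlap', BYTES,
      (buf) => [new Uint16Array(buf), new Uint8Array(buf, 0, 4), 0]),
  ];
}

function engineMatchesSpecEverywhere() {
  return scenarios().every((s) => s.engineMatchesSpec);
}
```

The backward case shows why an engine can use a plain memmove when both views have the same element type and the copy direction is chosen correctly; the cross-type case is the one where no in-place ordering works and the spec's transfer buffer is the only correct strategy.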
1485 2013-08-23  Alex Christensen  <achristensen@apple.com>
1486
1487         Re-separating Win32 and Win64 builds.
1488         https://bugs.webkit.org/show_bug.cgi?id=120178
1489
1490         Reviewed by Brent Fulgham.
1491
1492         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1493         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1494         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1495         Pass PlatformArchitecture as a command line parameter to bash scripts.
1496         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1497         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1498         * JavaScriptCore.vcxproj/build-generated-files.sh:
1499         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1500
1501 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1502
1503         build-jsc --ftl-jit should work
1504         https://bugs.webkit.org/show_bug.cgi?id=120194
1505
1506         Reviewed by Oliver Hunt.
1507
1508         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
1509         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
1510         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
1511         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
1512         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1513         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1514
1515 2013-08-23  Oliver Hunt  <oliver@apple.com>
1516
1517         Re-sort xcode project file
1518
1519         * JavaScriptCore.xcodeproj/project.pbxproj:
1520
1521 2013-08-23  Oliver Hunt  <oliver@apple.com>
1522
1523         Support in memory compression of rarely used data
1524         https://bugs.webkit.org/show_bug.cgi?id=120143
1525
1526         Reviewed by Gavin Barraclough.
1527
1528         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
1529
1530         * Configurations/JavaScriptCore.xcconfig:
1531         * bytecode/UnlinkedCodeBlock.cpp:
1532         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
1533         (JSC::UnlinkedCodeBlock::addExpressionInfo):
1534         * bytecode/UnlinkedCodeBlock.h:
1535
1536 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
1537
1538         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
1539         https://bugs.webkit.org/show_bug.cgi?id=120179
1540
1541         Reviewed by Geoffrey Garen.
1542
1543         There are many places in the code for JSObject and JSArray where they are manipulating their 
1544         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
1545         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
1546         like it will make this dance even more intricate. To make everybody's lives easier we should use 
1547         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
1548         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
1549         should not incur any additional overhead.
1550
1551         * heap/Heap.h:
1552         * runtime/JSArray.cpp:
1553         (JSC::JSArray::unshiftCountSlowCase):
1554         * runtime/JSObject.cpp:
1555         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1556         (JSC::JSObject::createInitialUndecided):
1557         (JSC::JSObject::createInitialInt32):
1558         (JSC::JSObject::createInitialDouble):
1559         (JSC::JSObject::createInitialContiguous):
1560         (JSC::JSObject::createArrayStorage):
1561         (JSC::JSObject::convertUndecidedToArrayStorage):
1562         (JSC::JSObject::convertInt32ToArrayStorage):
1563         (JSC::JSObject::convertDoubleToArrayStorage):
1564         (JSC::JSObject::convertContiguousToArrayStorage):
1565         (JSC::JSObject::increaseVectorLength):
1566         (JSC::JSObject::ensureLengthSlow):
1567         * runtime/JSObject.h:
1568         (JSC::JSObject::putDirectInternal):
1569         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1570         (JSC::JSObject::putDirectWithoutTransition):
1571
1572 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1573
1574         Update LLVM binary drops and scripts to the latest version from SVN
1575         https://bugs.webkit.org/show_bug.cgi?id=120184
1576
1577         Reviewed by Mark Hahnenberg.
1578
1579         * dfg/DFGPlan.cpp:
1580         (JSC::DFG::Plan::compileInThreadImpl):
1581
1582 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1583
1584         Don't leak registers for redeclared variables
1585         https://bugs.webkit.org/show_bug.cgi?id=120174
1586
1587         Reviewed by Geoff Garen.
1588
1589         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
1590         Only allocate new registers when necessary.
1591
1592         No performance impact.
1593
1594         * interpreter/Interpreter.cpp:
1595         (JSC::Interpreter::execute):
1596         * runtime/Executable.cpp:
1597         (JSC::ProgramExecutable::initializeGlobalProperties):
1598             - Don't allocate the register here.
1599         * runtime/JSGlobalObject.cpp:
1600         (JSC::JSGlobalObject::addGlobalVar):
1601             - Allocate the register here instead.
1602
1603 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1604
1605         https://bugs.webkit.org/show_bug.cgi?id=120128
1606         Remove putDirectVirtual
1607
1608         Unreviewed, checked in commented out code. :-(
1609
1610         * interpreter/Interpreter.cpp:
1611         (JSC::Interpreter::execute):
1612             - delete commented out code
1613
1614 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1615
1616         Error.stack should not be enumerable
1617         https://bugs.webkit.org/show_bug.cgi?id=120171
1618
1619         Reviewed by Oliver Hunt.
1620
1621         Breaks ECMA tests.
1622
1623         * runtime/ErrorInstance.cpp:
1624         (JSC::ErrorInstance::finishCreation):
1625             - None -> DontEnum
1626
1627 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1628
1629         https://bugs.webkit.org/show_bug.cgi?id=120128
1630         Remove putDirectVirtual
1631
1632         Reviewed by Sam Weinig.
1633
1634         This could most generously be described as 'vestigial'.
1635         No performance impact.
1636
1637         * API/JSObjectRef.cpp:
1638         (JSObjectSetProperty):
1639             - changed to use defineOwnProperty
1640         * debugger/DebuggerActivation.cpp:
1641         * debugger/DebuggerActivation.h:
1642             - remove putDirectVirtual
1643         * interpreter/Interpreter.cpp:
1644         (JSC::Interpreter::execute):
1645             - changed to use defineOwnProperty
1646         * runtime/ClassInfo.h:
1647         * runtime/JSActivation.cpp:
1648         * runtime/JSActivation.h:
1649         * runtime/JSCell.cpp:
1650         * runtime/JSCell.h:
1651         * runtime/JSGlobalObject.cpp:
1652         * runtime/JSGlobalObject.h:
1653         * runtime/JSObject.cpp:
1654         * runtime/JSObject.h:
1655         * runtime/JSProxy.cpp:
1656         * runtime/JSProxy.h:
1657         * runtime/JSSymbolTableObject.cpp:
1658         * runtime/JSSymbolTableObject.h:
1659             - remove putDirectVirtual
1660         * runtime/PropertyDescriptor.h:
1661         (JSC::PropertyDescriptor::PropertyDescriptor):
1662             - added constructor for convenience
1663
1664 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
1665
1666         errorDescriptionForValue() should not assume error value is an Object
1667         https://bugs.webkit.org/show_bug.cgi?id=119812
1668
1669         Reviewed by Geoffrey Garen.
1670
1671         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
1672         has no type, the function now returns the empty string. 
1673         * runtime/ExceptionHelpers.cpp:
1674         (JSC::errorDescriptionForValue):
1675
1676 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
1677
1678         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1679         https://bugs.webkit.org/show_bug.cgi?id=120107
1680
1681         Reviewed by Yong Li.
1682
1683         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1684
1685         * dfg/DFGSpeculativeJIT.h:
1686         (JSC::DFG::SpeculativeJIT::callOperation):
1687
1688 2013-08-21  Commit Queue  <commit-queue@webkit.org>
1689
1690         Unreviewed, rolling out r154416.
1691         http://trac.webkit.org/changeset/154416
1692         https://bugs.webkit.org/show_bug.cgi?id=120147
1693
1694         Broke Windows builds (Requested by rniwa on #webkit).
1695
1696         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1697         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1698         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1699         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1700         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1701         * JavaScriptCore.vcxproj/build-generated-files.sh:
1702
1703 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1704
1705         Clarify var/const/function declaration
1706         https://bugs.webkit.org/show_bug.cgi?id=120144
1707
1708         Reviewed by Sam Weinig.
1709
1710         Add methods to JSGlobalObject to declare vars, consts, and functions.
1711
1712         * runtime/Executable.cpp:
1713         (JSC::ProgramExecutable::initializeGlobalProperties):
1714         * runtime/Executable.h:
1715             - Moved declaration code to JSGlobalObject
1716         * runtime/JSGlobalObject.cpp:
1717         (JSC::JSGlobalObject::addGlobalVar):
1718             - internal implementation of addVar, addConst, addFunction
1719         * runtime/JSGlobalObject.h:
1720         (JSC::JSGlobalObject::addVar):
1721         (JSC::JSGlobalObject::addConst):
1722         (JSC::JSGlobalObject::addFunction):
1723             - Added methods to declare vars, consts, and functions
1724
1725 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
1726
1727         https://bugs.webkit.org/show_bug.cgi?id=119900
1728         Exception in global setter doesn't unwind correctly
1729
1730         Reviewed by Geoffrey Garen.
1731
1732         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
1733
1734         * jit/JITStubs.cpp:
1735         (JSC::DEFINE_STUB_FUNCTION):
1736
1737 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1738
1739         Rename/refactor setButterfly/setStructure
1740         https://bugs.webkit.org/show_bug.cgi?id=120138
1741
1742         Reviewed by Geoffrey Garen.
1743
1744         setButterfly becomes setStructureAndButterfly.
1745
1746         Also removed the Butterfly* argument from setStructure and just implicitly
1747         used m_butterfly internally since that's what every single client of setStructure
1748         was doing already.
1749
1750         * jit/JITStubs.cpp:
1751         (JSC::DEFINE_STUB_FUNCTION):
1752         * runtime/JSObject.cpp:
1753         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1754         (JSC::JSObject::createInitialUndecided):
1755         (JSC::JSObject::createInitialInt32):
1756         (JSC::JSObject::createInitialDouble):
1757         (JSC::JSObject::createInitialContiguous):
1758         (JSC::JSObject::createArrayStorage):
1759         (JSC::JSObject::convertUndecidedToInt32):
1760         (JSC::JSObject::convertUndecidedToDouble):
1761         (JSC::JSObject::convertUndecidedToContiguous):
1762         (JSC::JSObject::convertUndecidedToArrayStorage):
1763         (JSC::JSObject::convertInt32ToDouble):
1764         (JSC::JSObject::convertInt32ToContiguous):
1765         (JSC::JSObject::convertInt32ToArrayStorage):
1766         (JSC::JSObject::genericConvertDoubleToContiguous):
1767         (JSC::JSObject::convertDoubleToArrayStorage):
1768         (JSC::JSObject::convertContiguousToArrayStorage):
1769         (JSC::JSObject::switchToSlowPutArrayStorage):
1770         (JSC::JSObject::setPrototype):
1771         (JSC::JSObject::putDirectAccessor):
1772         (JSC::JSObject::seal):
1773         (JSC::JSObject::freeze):
1774         (JSC::JSObject::preventExtensions):
1775         (JSC::JSObject::reifyStaticFunctionsForDelete):
1776         (JSC::JSObject::removeDirect):
1777         * runtime/JSObject.h:
1778         (JSC::JSObject::setStructureAndButterfly):
1779         (JSC::JSObject::setStructure):
1780         (JSC::JSObject::putDirectInternal):
1781         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1782         (JSC::JSObject::putDirectWithoutTransition):
1783         * runtime/Structure.cpp:
1784         (JSC::Structure::flattenDictionaryStructure):
1785
1786 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1787
1788         https://bugs.webkit.org/show_bug.cgi?id=120127
1789         Remove JSObject::propertyIsEnumerable
1790
1791         Unreviewed typo fix
1792
1793         * runtime/JSObject.h:
1794             - fix typo
1795
1796 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1797
1798         https://bugs.webkit.org/show_bug.cgi?id=120139
1799         PropertyDescriptor argument to define methods should be const
1800
1801         Rubber stamped by Sam Weinig.
1802
1803         This should never be modified, and this way we can use rvalues.
1804
1805         * debugger/DebuggerActivation.cpp:
1806         (JSC::DebuggerActivation::defineOwnProperty):
1807         * debugger/DebuggerActivation.h:
1808         * runtime/Arguments.cpp:
1809         (JSC::Arguments::defineOwnProperty):
1810         * runtime/Arguments.h:
1811         * runtime/ClassInfo.h:
1812         * runtime/JSArray.cpp:
1813         (JSC::JSArray::defineOwnProperty):
1814         * runtime/JSArray.h:
1815         * runtime/JSArrayBuffer.cpp:
1816         (JSC::JSArrayBuffer::defineOwnProperty):
1817         * runtime/JSArrayBuffer.h:
1818         * runtime/JSArrayBufferView.cpp:
1819         (JSC::JSArrayBufferView::defineOwnProperty):
1820         * runtime/JSArrayBufferView.h:
1821         * runtime/JSCell.cpp:
1822         (JSC::JSCell::defineOwnProperty):
1823         * runtime/JSCell.h:
1824         * runtime/JSFunction.cpp:
1825         (JSC::JSFunction::defineOwnProperty):
1826         * runtime/JSFunction.h:
1827         * runtime/JSGenericTypedArrayView.h:
1828         * runtime/JSGenericTypedArrayViewInlines.h:
1829         (JSC::::defineOwnProperty):
1830         * runtime/JSGlobalObject.cpp:
1831         (JSC::JSGlobalObject::defineOwnProperty):
1832         * runtime/JSGlobalObject.h:
1833         * runtime/JSObject.cpp:
1834         (JSC::JSObject::putIndexedDescriptor):
1835         (JSC::JSObject::defineOwnIndexedProperty):
1836         (JSC::putDescriptor):
1837         (JSC::JSObject::defineOwnNonIndexProperty):
1838         (JSC::JSObject::defineOwnProperty):
1839         * runtime/JSObject.h:
1840         * runtime/JSProxy.cpp:
1841         (JSC::JSProxy::defineOwnProperty):
1842         * runtime/JSProxy.h:
1843         * runtime/RegExpMatchesArray.h:
1844         (JSC::RegExpMatchesArray::defineOwnProperty):
1845         * runtime/RegExpObject.cpp:
1846         (JSC::RegExpObject::defineOwnProperty):
1847         * runtime/RegExpObject.h:
1848         * runtime/StringObject.cpp:
1849         (JSC::StringObject::defineOwnProperty):
1850         * runtime/StringObject.h:
1851             - make PropertyDescriptor const
1852
1853 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1854
1855         REGRESSION: Crash under JITCompiler::link while loading Gmail
1856         https://bugs.webkit.org/show_bug.cgi?id=119872
1857
1858         Reviewed by Mark Hahnenberg.
1859         
1860         Apparently, unsigned + signed = unsigned. Work around it with a cast.
1861
1862         * dfg/DFGByteCodeParser.cpp:
1863         (JSC::DFG::ByteCodeParser::parseBlock):
1864
1865 2013-08-21  Alex Christensen  <achristensen@apple.com>
1866
1867         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1868
1869         Reviewed by Brent Fulgham.
1870
1871         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1872         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1873         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1874         Pass PlatformArchitecture as a command line parameter to bash scripts.
1875         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1876         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1877         * JavaScriptCore.vcxproj/build-generated-files.sh:
1878         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1879
1880 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1881
1882         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1883         https://bugs.webkit.org/show_bug.cgi?id=120099
1884
1885         Reviewed by Mark Hahnenberg.
1886         
1887         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1888         JSDataView may have ordinary JS indexed properties.
1889
1890         * runtime/ClassInfo.h:
1891         * runtime/JSArrayBufferView.cpp:
1892         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1893         (JSC::JSArrayBufferView::finishCreation):
1894         * runtime/JSArrayBufferView.h:
1895         (JSC::hasArrayBuffer):
1896         * runtime/JSArrayBufferViewInlines.h:
1897         (JSC::JSArrayBufferView::buffer):
1898         (JSC::JSArrayBufferView::neuter):
1899         (JSC::JSArrayBufferView::byteOffset):
1900         * runtime/JSCell.cpp:
1901         (JSC::JSCell::slowDownAndWasteMemory):
1902         * runtime/JSCell.h:
1903         * runtime/JSDataView.cpp:
1904         (JSC::JSDataView::JSDataView):
1905         (JSC::JSDataView::create):
1906         (JSC::JSDataView::slowDownAndWasteMemory):
1907         * runtime/JSDataView.h:
1908         (JSC::JSDataView::buffer):
1909         * runtime/JSGenericTypedArrayView.h:
1910         * runtime/JSGenericTypedArrayViewInlines.h:
1911         (JSC::::visitChildren):
1912         (JSC::::slowDownAndWasteMemory):
1913
1914 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1915
1916         Remove incorrect ASSERT from CopyVisitor::visitItem
1917
1918         Rubber stamped by Filip Pizlo.
1919
1920         * heap/CopyVisitorInlines.h:
1921         (JSC::CopyVisitor::visitItem):
1922
1923 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1924
1925         https://bugs.webkit.org/show_bug.cgi?id=120127
1926         Remove JSObject::propertyIsEnumerable
1927
1928         Reviewed by Sam Weinig.
1929
1930         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1931
1932         * runtime/JSObject.cpp:
1933         * runtime/JSObject.h:
1934             - remove propertyIsEnumerable
1935         * runtime/ObjectPrototype.cpp:
1936         (JSC::objectProtoFuncPropertyIsEnumerable):
1937             - Move implementation here using getOwnPropertyDescriptor directly.
1938
1939 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
1940
1941         DFG should inline new typedArray()
1942         https://bugs.webkit.org/show_bug.cgi?id=120022
1943
1944         Reviewed by Oliver Hunt.
1945         
1946         Adds inlining of typed array allocations in the DFG. Any operation of the
1947         form:
1948         
1949             new foo(blah)
1950         
1951         or:
1952         
1953             foo(blah)
1954         
1955         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1956         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1957         is predicted integer, we generate inline code for an allocation. Otherwise
1958         it turns into a call to an operation that behaves like the constructor would
1959         if it was passed one argument (i.e. it may wrap a buffer or it may create a
1960         copy or another array, or it may allocate an array of that length).
1961
1962         * bytecode/SpeculatedType.cpp:
1963         (JSC::speculationFromTypedArrayType):
1964         (JSC::speculationFromClassInfo):
1965         * bytecode/SpeculatedType.h:
1966         * dfg/DFGAbstractInterpreterInlines.h:
1967         (JSC::DFG::::executeEffects):
1968         * dfg/DFGBackwardsPropagationPhase.cpp:
1969         (JSC::DFG::BackwardsPropagationPhase::propagate):
1970         * dfg/DFGByteCodeParser.cpp:
1971         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1972         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1973         * dfg/DFGCCallHelpers.h:
1974         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1975         * dfg/DFGCSEPhase.cpp:
1976         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1977         * dfg/DFGClobberize.h:
1978         (JSC::DFG::clobberize):
1979         * dfg/DFGFixupPhase.cpp:
1980         (JSC::DFG::FixupPhase::fixupNode):
1981         * dfg/DFGGraph.cpp:
1982         (JSC::DFG::Graph::dump):
1983         * dfg/DFGNode.h:
1984         (JSC::DFG::Node::hasTypedArrayType):
1985         (JSC::DFG::Node::typedArrayType):
1986         * dfg/DFGNodeType.h:
1987         * dfg/DFGOperations.cpp:
1988         (JSC::DFG::newTypedArrayWithSize):
1989         (JSC::DFG::newTypedArrayWithOneArgument):
1990         * dfg/DFGOperations.h:
1991         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1992         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1993         * dfg/DFGPredictionPropagationPhase.cpp:
1994         (JSC::DFG::PredictionPropagationPhase::propagate):
1995         * dfg/DFGSafeToExecute.h:
1996         (JSC::DFG::safeToExecute):
1997         * dfg/DFGSpeculativeJIT.cpp:
1998         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1999         * dfg/DFGSpeculativeJIT.h:
2000         (JSC::DFG::SpeculativeJIT::callOperation):
2001         * dfg/DFGSpeculativeJIT32_64.cpp:
2002         (JSC::DFG::SpeculativeJIT::compile):
2003         * dfg/DFGSpeculativeJIT64.cpp:
2004         (JSC::DFG::SpeculativeJIT::compile):
2005         * jit/JITOpcodes.cpp:
2006         (JSC::JIT::emit_op_new_object):
2007         * jit/JITOpcodes32_64.cpp:
2008         (JSC::JIT::emit_op_new_object):
2009         * runtime/JSArray.h:
2010         (JSC::JSArray::allocationSize):
2011         * runtime/JSArrayBufferView.h:
2012         (JSC::JSArrayBufferView::allocationSize):
2013         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2014         (JSC::constructGenericTypedArrayView):
2015         * runtime/JSObject.h:
2016         (JSC::JSFinalObject::allocationSize):
2017         * runtime/TypedArrayType.cpp:
2018         (JSC::constructorClassInfoForType):
2019         * runtime/TypedArrayType.h:
2020         (JSC::indexToTypedArrayType):
2021
2022 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
2023
2024         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
2025
2026         Reviewed by Geoffrey Garen.
2027
2028         * dfg/DFGOperations.h:
2029
2030 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2031
2032         https://bugs.webkit.org/show_bug.cgi?id=120093
2033         Remove getOwnPropertyDescriptor trap
2034
2035         Reviewed by Geoff Garen.
2036
2037         All implementations of this method are now called via the method table, and equivalent in behaviour.
2038         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
2039
2040         * API/JSCallbackObject.h:
2041         * API/JSCallbackObjectFunctions.h:
2042         * debugger/DebuggerActivation.cpp:
2043         * debugger/DebuggerActivation.h:
2044         * runtime/Arguments.cpp:
2045         * runtime/Arguments.h:
2046         * runtime/ArrayConstructor.cpp:
2047         * runtime/ArrayConstructor.h:
2048         * runtime/ArrayPrototype.cpp:
2049         * runtime/ArrayPrototype.h:
2050         * runtime/BooleanPrototype.cpp:
2051         * runtime/BooleanPrototype.h:
2052             - remove getOwnPropertyDescriptor
2053         * runtime/ClassInfo.h:
2054             - remove getOwnPropertyDescriptor from MethodTable
2055         * runtime/DateConstructor.cpp:
2056         * runtime/DateConstructor.h:
2057         * runtime/DatePrototype.cpp:
2058         * runtime/DatePrototype.h:
2059         * runtime/ErrorPrototype.cpp:
2060         * runtime/ErrorPrototype.h:
2061         * runtime/JSActivation.cpp:
2062         * runtime/JSActivation.h:
2063         * runtime/JSArray.cpp:
2064         * runtime/JSArray.h:
2065         * runtime/JSArrayBuffer.cpp:
2066         * runtime/JSArrayBuffer.h:
2067         * runtime/JSArrayBufferView.cpp:
2068         * runtime/JSArrayBufferView.h:
2069         * runtime/JSCell.cpp:
2070         * runtime/JSCell.h:
2071         * runtime/JSDataView.cpp:
2072         * runtime/JSDataView.h:
2073         * runtime/JSDataViewPrototype.cpp:
2074         * runtime/JSDataViewPrototype.h:
2075         * runtime/JSFunction.cpp:
2076         * runtime/JSFunction.h:
2077         * runtime/JSGenericTypedArrayView.h:
2078         * runtime/JSGenericTypedArrayViewInlines.h:
2079         * runtime/JSGlobalObject.cpp:
2080         * runtime/JSGlobalObject.h:
2081         * runtime/JSNotAnObject.cpp:
2082         * runtime/JSNotAnObject.h:
2083         * runtime/JSONObject.cpp:
2084         * runtime/JSONObject.h:
2085             - remove getOwnPropertyDescriptor
2086         * runtime/JSObject.cpp:
2087         (JSC::JSObject::propertyIsEnumerable):
2088             - switch to call new getOwnPropertyDescriptor member function
2089         (JSC::JSObject::getOwnPropertyDescriptor):
2090             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2091         (JSC::JSObject::defineOwnNonIndexProperty):
2092             - switch to call new getOwnPropertyDescriptor member function
2093         * runtime/JSObject.h:
2094         * runtime/JSProxy.cpp:
2095         * runtime/JSProxy.h:
2096         * runtime/NamePrototype.cpp:
2097         * runtime/NamePrototype.h:
2098         * runtime/NumberConstructor.cpp:
2099         * runtime/NumberConstructor.h:
2100         * runtime/NumberPrototype.cpp:
2101         * runtime/NumberPrototype.h:
2102             - remove getOwnPropertyDescriptor
2103         * runtime/ObjectConstructor.cpp:
2104         (JSC::objectConstructorGetOwnPropertyDescriptor):
2105         (JSC::objectConstructorSeal):
2106         (JSC::objectConstructorFreeze):
2107         (JSC::objectConstructorIsSealed):
2108         (JSC::objectConstructorIsFrozen):
2109             - switch to call new getOwnPropertyDescriptor member function
2110         * runtime/ObjectConstructor.h:
2111             - remove getOwnPropertyDescriptor
2112         * runtime/PropertyDescriptor.h:
2113             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2114         * runtime/RegExpConstructor.cpp:
2115         * runtime/RegExpConstructor.h:
2116         * runtime/RegExpMatchesArray.cpp:
2117         * runtime/RegExpMatchesArray.h:
2118         * runtime/RegExpObject.cpp:
2119         * runtime/RegExpObject.h:
2120         * runtime/RegExpPrototype.cpp:
2121         * runtime/RegExpPrototype.h:
2122         * runtime/StringConstructor.cpp:
2123         * runtime/StringConstructor.h:
2124         * runtime/StringObject.cpp:
2125         * runtime/StringObject.h:
2126             - remove getOwnPropertyDescriptor
2127
2128 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2129
2130         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
2131
2132         Reviewed by Oliver Hunt.
2133
2134         When we flatten an object in dictionary mode, we compact its properties. If the object 
2135         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
2136         compaction its properties fit inline, the object's Structure "forgets" that the object 
2137         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
2138         with bytes = 0, which causes all sorts of badness in CopiedSpace.
2139
2140         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
2141         Butterfly pointer so that the GC doesn't get confused later.
2142
2143         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
2144         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
2145         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
2146         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
2147
2148         * heap/SlotVisitorInlines.h:
2149         (JSC::SlotVisitor::copyLater):
2150         * runtime/JSObject.cpp:
2151         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2152         (JSC::JSObject::convertUndecidedToInt32):
2153         (JSC::JSObject::convertUndecidedToDouble):
2154         (JSC::JSObject::convertUndecidedToContiguous):
2155         (JSC::JSObject::convertInt32ToDouble):
2156         (JSC::JSObject::convertInt32ToContiguous):
2157         (JSC::JSObject::genericConvertDoubleToContiguous):
2158         (JSC::JSObject::switchToSlowPutArrayStorage):
2159         (JSC::JSObject::setPrototype):
2160         (JSC::JSObject::putDirectAccessor):
2161         (JSC::JSObject::seal):
2162         (JSC::JSObject::freeze):
2163         (JSC::JSObject::preventExtensions):
2164         (JSC::JSObject::reifyStaticFunctionsForDelete):
2165         (JSC::JSObject::removeDirect):
2166         * runtime/JSObject.h:
2167         (JSC::JSObject::setButterfly):
2168         (JSC::JSObject::putDirectInternal):
2169         (JSC::JSObject::setStructure):
2170         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2171         * runtime/Structure.cpp:
2172         (JSC::Structure::flattenDictionaryStructure):
2173
2174 2013-08-20  Alex Christensen  <achristensen@apple.com>
2175
2176         Compile fix for Win64 after r154156.
2177
2178         Rubber stamped by Oliver Hunt.
2179
2180         * jit/JITStubsMSVC64.asm:
2181         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
2182         cti_vm_throw_slowpath to cti_vm_handle_exception.
2183
2184 2013-08-20  Alex Christensen  <achristensen@apple.com>
2185
2186         <https://webkit.org/b/120076> More work towards a Win64 build
2187
2188         Reviewed by Brent Fulgham.
2189
2190         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2191         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2192         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2193         * JavaScriptCore.vcxproj/copy-files.cmd:
2194         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2195         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
2196         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
2197
2198 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2199
2200         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2201
2202         Reviewed by Geoffrey Garen.
2203
2204         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
2205         initializeLazyWriteBarrierFor* wrapper functions more sane. 
2206
2207         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
2208         and index when triggering the WriteBarrier at the end of compilation. 
2209
2210         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
2211         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
2212         little extra work that really shouldn't have been its responsibility.
2213
2214         * dfg/DFGByteCodeParser.cpp:
2215         (JSC::DFG::ByteCodeParser::addConstant):
2216         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2217         * dfg/DFGDesiredWriteBarriers.cpp:
2218         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2219         (JSC::DFG::DesiredWriteBarrier::trigger):
2220         * dfg/DFGDesiredWriteBarriers.h:
2221         (JSC::DFG::DesiredWriteBarriers::add):
2222         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
2223         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
2224         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2225         * dfg/DFGFixupPhase.cpp:
2226         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2227         * dfg/DFGGraph.h:
2228         (JSC::DFG::Graph::constantRegisterForConstant):
2229
2230 2013-08-20  Michael Saboff  <msaboff@apple.com>
2231
2232         https://bugs.webkit.org/show_bug.cgi?id=120075
2233         REGRESSION (r128400): BBC4 website not displaying pictures
2234
2235         Reviewed by Oliver Hunt.
2236
2237         * runtime/RegExpMatchesArray.h:
2238         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
2239         so that the match results will be reified before any other modification to the results array.
2240
2241 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
2242
2243         Incorrect behavior on emscripten-compiled cube2hash
2244         https://bugs.webkit.org/show_bug.cgi?id=120033
2245
2246         Reviewed by Mark Hahnenberg.
2247         
2248         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
2249         then we should bail attempts to CSE.
2250
2251         * dfg/DFGCSEPhase.cpp:
2252         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
2253         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
2254
2255 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2256
2257         https://bugs.webkit.org/show_bug.cgi?id=120073
2258         Remove use of GOPD from JSFunction::defineProperty
2259
2260         Reviewed by Oliver Hunt.
2261
2262         Call getOwnPropertySlot to check for existing properties instead.
2263
2264         * runtime/JSFunction.cpp:
2265         (JSC::JSFunction::defineOwnProperty):
2266             - getOwnPropertyDescriptor -> getOwnPropertySlot
2267
2268 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2269
2270         https://bugs.webkit.org/show_bug.cgi?id=120067
2271         Remove getPropertyDescriptor
2272
2273         Reviewed by Oliver Hunt.
2274
2275         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
2276         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
2277
2278         * runtime/JSObject.cpp:
2279         * runtime/JSObject.h:
2280             - remove getPropertyDescriptor
2281         * runtime/ObjectPrototype.cpp:
2282         (JSC::objectProtoFuncLookupGetter):
2283         (JSC::objectProtoFuncLookupSetter):
2284             - replace call to getPropertyDescriptor with getPropertySlot
2285         * runtime/PropertyDescriptor.h:
2286         * runtime/PropertySlot.h:
2287         (JSC::PropertySlot::isAccessor):
2288         (JSC::PropertySlot::isCacheableGetter):
2289         (JSC::PropertySlot::getterSetter):
2290             - rename isGetter() to isAccessor()
2291
2292 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2293
2294         https://bugs.webkit.org/show_bug.cgi?id=120054
2295         Remove some dead code following getOwnPropertyDescriptor cleanup
2296
2297         Reviewed by Oliver Hunt.
2298
2299         * runtime/Lookup.h:
2300         (JSC::getStaticFunctionSlot):
2301             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
2302
2303 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2304
2305         https://bugs.webkit.org/show_bug.cgi?id=120052
2306         Remove custom getOwnPropertyDescriptor for JSProxy
2307
2308         Reviewed by Geoff Garen.
2309
2310         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
2311         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
2312         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
2313         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
2314         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
2315
2316         * runtime/JSProxy.cpp:
2317             - Remove custom getOwnPropertyDescriptor implementation.
2318         * runtime/PropertyDescriptor.h:
2319             - Modify own property access check to perform toThis conversion.
2320
2321 2013-08-20  Alex Christensen  <achristensen@apple.com>
2322
2323         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
2324         https://bugs.webkit.org/show_bug.cgi?id=119512
2325
2326         Reviewed by Brent Fulgham.
2327
2328         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2329         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2330         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2331         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
2332         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
2333         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
2334         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2335         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
2336
2337 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
2338
2339         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
2340
2341         Reviewed by Allan Sandfeld Jensen.
2342
2343         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
2344         instructions and two constants now that DFG is enabled for sh4 architecture.
2345         These missing ensureSpace calls lead to random crashes.
2346
2347         * assembler/MacroAssemblerSH4.h:
2348         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
2349
2350 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
2351
2352         https://bugs.webkit.org/show_bug.cgi?id=120034
2353         Remove custom getOwnPropertyDescriptor for global objects
2354
2355         Reviewed by Geoff Garen.
2356
2357         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
2358
2359         * runtime/JSGlobalObject.cpp:
2360             - Remove custom getOwnPropertyDescriptor implementation.
2361         * runtime/JSSymbolTableObject.h:
2362         (JSC::symbolTableGet):
2363             - The symbol table does not store the DontDelete attribute; we should be adding it back in.
2364         * runtime/PropertyDescriptor.h:
2365             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
2366         * runtime/PropertySlot.h:
2367         (JSC::PropertySlot::setUndefined):
2368             - This is used by WebCore when blocking access to properties on cross-frame access.
2369               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
2370
2371 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2372
2373         DFG should inline typedArray.byteOffset
2374         https://bugs.webkit.org/show_bug.cgi?id=119962
2375
2376         Reviewed by Oliver Hunt.
2377         
2378         This adds a new node, GetTypedArrayByteOffset, which inlines
2379         typedArray.byteOffset.
2380         
2381         Also, I improved a bunch of the clobbering logic related to typed arrays
2382         and clobbering in general. For example, PutByOffset/PutStructure are not
2383         clobber-world so they can be handled by most default cases in CSE. Also,
2384         it's better to use the 'Class_field' notation for typed arrays now that
2385         they no longer involve magical descriptor thingies.
2386
2387         * bytecode/SpeculatedType.h:
2388         * dfg/DFGAbstractHeap.h:
2389         * dfg/DFGAbstractInterpreterInlines.h:
2390         (JSC::DFG::::executeEffects):
2391         * dfg/DFGArrayMode.h:
2392         (JSC::DFG::neverNeedsStorage):
2393         * dfg/DFGCSEPhase.cpp:
2394         (JSC::DFG::CSEPhase::getByValLoadElimination):
2395         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2396         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2397         (JSC::DFG::CSEPhase::checkArrayElimination):
2398         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
2399         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
2400         (JSC::DFG::CSEPhase::performNodeCSE):
2401         * dfg/DFGClobberize.h:
2402         (JSC::DFG::clobberize):
2403         * dfg/DFGFixupPhase.cpp:
2404         (JSC::DFG::FixupPhase::fixupNode):
2405         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2406         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2407         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2408         * dfg/DFGNodeType.h:
2409         * dfg/DFGPredictionPropagationPhase.cpp:
2410         (JSC::DFG::PredictionPropagationPhase::propagate):
2411         * dfg/DFGSafeToExecute.h:
2412         (JSC::DFG::safeToExecute):
2413         * dfg/DFGSpeculativeJIT.cpp:
2414         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2415         * dfg/DFGSpeculativeJIT.h:
2416         * dfg/DFGSpeculativeJIT32_64.cpp:
2417         (JSC::DFG::SpeculativeJIT::compile):
2418         * dfg/DFGSpeculativeJIT64.cpp:
2419         (JSC::DFG::SpeculativeJIT::compile):
2420         * dfg/DFGTypeCheckHoistingPhase.cpp:
2421         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2422         * runtime/ArrayBuffer.h:
2423         (JSC::ArrayBuffer::offsetOfData):
2424         * runtime/Butterfly.h:
2425         (JSC::Butterfly::offsetOfArrayBuffer):
2426         * runtime/IndexingHeader.h:
2427         (JSC::IndexingHeader::offsetOfArrayBuffer):
2428
2429 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
2430
2431         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
2432
2433         Reviewed by Geoffrey Garen.
2434
2435         * dfg/DFGByteCodeParser.cpp:
2436         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2437
2438 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2439
2440         https://bugs.webkit.org/show_bug.cgi?id=119995
2441         Start removing custom implementations of getOwnPropertyDescriptor
2442
2443         Reviewed by Oliver Hunt.
2444
2445         This can now typically be implemented in terms of getOwnPropertySlot.
2446         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
2447         Switch over most classes in JSC & the WebCore bindings generator to use this.
2448
2449         * API/JSCallbackObjectFunctions.h:
2450         * debugger/DebuggerActivation.cpp:
2451         * runtime/Arguments.cpp:
2452         * runtime/ArrayConstructor.cpp:
2453         * runtime/ArrayPrototype.cpp:
2454         * runtime/BooleanPrototype.cpp:
2455         * runtime/DateConstructor.cpp:
2456         * runtime/DatePrototype.cpp:
2457         * runtime/ErrorPrototype.cpp:
2458         * runtime/JSActivation.cpp:
2459         * runtime/JSArray.cpp:
2460         * runtime/JSArrayBuffer.cpp:
2461         * runtime/JSArrayBufferView.cpp:
2462         * runtime/JSCell.cpp:
2463         * runtime/JSDataView.cpp:
2464         * runtime/JSDataViewPrototype.cpp:
2465         * runtime/JSFunction.cpp:
2466         * runtime/JSGenericTypedArrayViewInlines.h:
2467         * runtime/JSNotAnObject.cpp:
2468         * runtime/JSONObject.cpp:
2469         * runtime/JSObject.cpp:
2470         * runtime/NamePrototype.cpp:
2471         * runtime/NumberConstructor.cpp:
2472         * runtime/NumberPrototype.cpp:
2473         * runtime/ObjectConstructor.cpp:
2474             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2475         * runtime/PropertyDescriptor.h:
2476             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
2477         * runtime/PropertySlot.h:
2478         (JSC::PropertySlot::isValue):
2479         (JSC::PropertySlot::isGetter):
2480         (JSC::PropertySlot::isCustom):
2481         (JSC::PropertySlot::isCacheableValue):
2482         (JSC::PropertySlot::isCacheableGetter):
2483         (JSC::PropertySlot::isCacheableCustom):
2484         (JSC::PropertySlot::attributes):
2485         (JSC::PropertySlot::getterSetter):
2486             - Add accessors necessary to convert PropertySlot to descriptor.
2487         * runtime/RegExpConstructor.cpp:
2488         * runtime/RegExpMatchesArray.cpp:
2489         * runtime/RegExpMatchesArray.h:
2490         * runtime/RegExpObject.cpp:
2491         * runtime/RegExpPrototype.cpp:
2492         * runtime/StringConstructor.cpp:
2493         * runtime/StringObject.cpp:
2494             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2495
2496 2013-08-19  Michael Saboff  <msaboff@apple.com>
2497
2498         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
2499
2500         Reviewed by Sam Weinig.
2501
2502         * dfg/DFGSpeculativeJIT32_64.cpp:
2503         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
2504         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
2505         all versions of fillSpeculateBoolean().
2506
2507 2013-08-19  Michael Saboff  <msaboff@apple.com>
2508
2509         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
2510
2511         Reviewed by Benjamin Poulain.
2512
2513         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
2514         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
2515
2516         * assembler/MacroAssemblerX86Common.h:
2517         (JSC::MacroAssemblerX86Common::branchTest32):
2518
2519 2013-08-16  Oliver Hunt  <oliver@apple.com>
2520
2521         <https://webkit.org/b/119860> Crash during exception unwinding
2522
2523         Reviewed by Filip Pizlo.
2524
2525         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
2526         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
2527
2528         We need this so that Throw and ThrowReferenceError no longer need to be treated as
2529         terminals and the subsequent flush keeps the activation (and other registers) live.
2530
2531         * dfg/DFGAbstractInterpreterInlines.h:
2532         (JSC::DFG::::executeEffects):
2533         * dfg/DFGByteCodeParser.cpp:
2534         (JSC::DFG::ByteCodeParser::parseBlock):
2535         * dfg/DFGClobberize.h:
2536         (JSC::DFG::clobberize):
2537         * dfg/DFGFixupPhase.cpp:
2538         (JSC::DFG::FixupPhase::fixupNode):
2539         * dfg/DFGNode.h:
2540         (JSC::DFG::Node::isTerminal):
2541         * dfg/DFGNodeType.h:
2542         * dfg/DFGPredictionPropagationPhase.cpp:
2543         (JSC::DFG::PredictionPropagationPhase::propagate):
2544         * dfg/DFGSafeToExecute.h:
2545         (JSC::DFG::safeToExecute):
2546         * dfg/DFGSpeculativeJIT32_64.cpp:
2547         (JSC::DFG::SpeculativeJIT::compile):
2548         * dfg/DFGSpeculativeJIT64.cpp:
2549         (JSC::DFG::SpeculativeJIT::compile):
2550
2551 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2552
2553         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
2554
2555         Reviewed by Oliver Hunt.
2556
2557         Guard the compilation of these files only if DFG_JIT is enabled.
2558
2559         * dfg/DFGDesiredTransitions.cpp:
2560         * dfg/DFGDesiredTransitions.h:
2561         * dfg/DFGDesiredWeakReferences.cpp:
2562         * dfg/DFGDesiredWeakReferences.h:
2563         * dfg/DFGDesiredWriteBarriers.cpp:
2564         * dfg/DFGDesiredWriteBarriers.h:
2565
2566 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2567
2568         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
2569         https://bugs.webkit.org/show_bug.cgi?id=119961
2570
2571         Reviewed by Mark Hahnenberg.
2572
2573         * dfg/DFGFixupPhase.cpp:
2574         (JSC::DFG::FixupPhase::fixupNode):
2575
2576 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2577
2578         https://bugs.webkit.org/show_bug.cgi?id=119972
2579         Add attributes field to PropertySlot
2580
2581         Reviewed by Geoff Garen.
2582
2583         For all JSC types, this makes getOwnPropertyDescriptor redundant.
2584         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
2585         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
2586
2587         No performance impact.
2588
2589         * runtime/PropertySlot.h:
2590         (JSC::PropertySlot::setValue):
2591         (JSC::PropertySlot::setCustom):
2592         (JSC::PropertySlot::setCacheableCustom):
2593         (JSC::PropertySlot::setCustomIndex):
2594         (JSC::PropertySlot::setGetterSlot):
2595         (JSC::PropertySlot::setCacheableGetterSlot):
2596             - These methods now all require 'attributes'.
2597         * runtime/JSObject.h:
2598         (JSC::JSObject::getDirect):
2599         (JSC::JSObject::getDirectOffset):
2600         (JSC::JSObject::inlineGetOwnPropertySlot):
2601             - Added variants of getDirect, getDirectOffset that return the attributes.
2602         * API/JSCallbackObjectFunctions.h:
2603         (JSC::::getOwnPropertySlot):
2604         * runtime/Arguments.cpp:
2605         (JSC::Arguments::getOwnPropertySlotByIndex):
2606         (JSC::Arguments::getOwnPropertySlot):
2607         * runtime/JSActivation.cpp:
2608         (JSC::JSActivation::symbolTableGet):
2609         (JSC::JSActivation::getOwnPropertySlot):
2610         * runtime/JSArray.cpp:
2611         (JSC::JSArray::getOwnPropertySlot):
2612         * runtime/JSArrayBuffer.cpp:
2613         (JSC::JSArrayBuffer::getOwnPropertySlot):
2614         * runtime/JSArrayBufferView.cpp:
2615         (JSC::JSArrayBufferView::getOwnPropertySlot):
2616         * runtime/JSDataView.cpp:
2617         (JSC::JSDataView::getOwnPropertySlot):
2618         * runtime/JSFunction.cpp:
2619         (JSC::JSFunction::getOwnPropertySlot):
2620         * runtime/JSGenericTypedArrayViewInlines.h:
2621         (JSC::::getOwnPropertySlot):
2622         (JSC::::getOwnPropertySlotByIndex):
2623         * runtime/JSObject.cpp:
2624         (JSC::JSObject::getOwnPropertySlotByIndex):
2625         (JSC::JSObject::fillGetterPropertySlot):
2626         * runtime/JSString.h:
2627         (JSC::JSString::getStringPropertySlot):
2628         * runtime/JSSymbolTableObject.h:
2629         (JSC::symbolTableGet):
2630         * runtime/Lookup.cpp:
2631         (JSC::setUpStaticFunctionSlot):
2632         * runtime/Lookup.h:
2633         (JSC::getStaticPropertySlot):
2634         (JSC::getStaticPropertyDescriptor):
2635         (JSC::getStaticValueSlot):
2636         (JSC::getStaticValueDescriptor):
2637         * runtime/RegExpObject.cpp:
2638         (JSC::RegExpObject::getOwnPropertySlot):
2639         * runtime/SparseArrayValueMap.cpp:
2640         (JSC::SparseArrayEntry::get):
2641             - Pass attributes to PropertySlot::set* methods.
2642
2643 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2644
2645         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2646
2647         Reviewed by Filip Pizlo.
2648
2649         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
2650         Vector of WriteBarriers rather than the specific address. The fact that we were 
2651         arbitrarily storing into a Vector's backing store for constants at the end of 
2652         compilation after the Vector could have resized was causing crashes.
2653
2654         * bytecode/CodeBlock.h:
2655         (JSC::CodeBlock::constants):
2656         (JSC::CodeBlock::addConstantLazily):
2657         * dfg/DFGByteCodeParser.cpp:
2658         (JSC::DFG::ByteCodeParser::addConstant):
2659         * dfg/DFGDesiredWriteBarriers.cpp:
2660         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2661         (JSC::DFG::DesiredWriteBarrier::trigger):
2662         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2663         * dfg/DFGDesiredWriteBarriers.h:
2664         (JSC::DFG::DesiredWriteBarriers::add):
2665         * dfg/DFGFixupPhase.cpp:
2666         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2667         * dfg/DFGGraph.h:
2668         (JSC::DFG::Graph::constantRegisterForConstant):
2669
2670 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2671
2672         DFG should optimize typedArray.byteLength
2673         https://bugs.webkit.org/show_bug.cgi?id=119909
2674
2675         Reviewed by Oliver Hunt.
2676         
2677         This adds typedArray.byteLength inlining to the DFG, and does so without changing
2678         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2679         legal since the byteLength of a typed array cannot exceed
2680         numeric_limits<int32_t>::max().
2681
2682         * bytecode/SpeculatedType.cpp:
2683         (JSC::typedArrayTypeFromSpeculation):
2684         * bytecode/SpeculatedType.h:
2685         * dfg/DFGArrayMode.cpp:
2686         (JSC::DFG::toArrayType):
2687         * dfg/DFGArrayMode.h:
2688         * dfg/DFGFixupPhase.cpp:
2689         (JSC::DFG::FixupPhase::fixupNode):
2690         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2691         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2692         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2693         (JSC::DFG::FixupPhase::prependGetArrayLength):
2694         * dfg/DFGGraph.h:
2695         (JSC::DFG::Graph::constantRegisterForConstant):
2696         (JSC::DFG::Graph::convertToConstant):
2697         * runtime/TypedArrayType.h:
2698         (JSC::logElementSize):
2699         (JSC::elementSize):
2700
2701 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2702
2703         DFG optimizes out strict mode arguments tear off
2704         https://bugs.webkit.org/show_bug.cgi?id=119504
2705
2706         Reviewed by Mark Hahnenberg and Oliver Hunt.
2707         
2708         Don't do the optimization for strict mode.
2709
2710         * dfg/DFGArgumentsSimplificationPhase.cpp:
2711         (JSC::DFG::ArgumentsSimplificationPhase::run):
2712         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2713
2714 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
2715
2716         [JSC] x86: improve code generation for xxxTest32
2717         https://bugs.webkit.org/show_bug.cgi?id=119876
2718
2719         Reviewed by Geoffrey Garen.
2720
2721         Try to use testb whenever possible when testing for an immediate value.
2722
2723         When the input is an address and an offset, we can tweak the mask
2724         and offset to be able to generate testb for any byte of the mask.
2725
2726         When the input is a register, we can use testb if we are only interested
2727         in testing the low bits.
2728
2729         * assembler/MacroAssemblerX86Common.h:
2730         (JSC::MacroAssemblerX86Common::branchTest32):
2731         (JSC::MacroAssemblerX86Common::test32):
2732         (JSC::MacroAssemblerX86Common::generateTest32):
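
        The rewrite behind this entry, as an added example in JavaScript (it is not JSC
        code and uses none of the names from MacroAssemblerX86Common.h): a 32-bit
        "test [addr+off], imm32" only sets ZF from (mem32 & imm32), so when imm32 has a
        single non-zero byte the same ZF comes from "testb [addr+off+i], imm8" with the
        offset bumped by that byte's index (x86 is little-endian); for a register operand
        testb suffices when the mask covers only the low 8 bits. The byte-array memory
        model and the function names are assumptions of this example, and the check at
        the end is exhaustive over the byte the narrowed test reads.

```javascript
// Added example (not JSC code): the operand narrowing that lets test32 become testb.
// Memory is modelled as a little-endian byte array, as on x86.

// Memory form: return the narrowed operand, or null when the full 32-bit test is needed.
function narrowMemoryTest32(mask, offset) {
  mask >>>= 0; // treat the immediate as unsigned 32-bit
  let nonZeroByte = -1;
  for (let i = 0; i < 4; i++) {
    if (((mask >>> (8 * i)) & 0xff) !== 0) {
      if (nonZeroByte !== -1) return null; // two or more bytes set: keep test32
      nonZeroByte = i;
    }
  }
  if (nonZeroByte === -1) return null; // a zero mask is degenerate: keep test32
  return { width: 8, offset: offset + nonZeroByte, mask: (mask >>> (8 * nonZeroByte)) & 0xff };
}

// Register form: testb on the low byte register is enough when only the low 8 bits
// are tested. Which registers have an encodable low byte is left to the assembler.
function narrowRegisterTest32(mask) {
  mask >>>= 0;
  if (mask === 0 || (mask & 0xffffff00) !== 0) return null;
  return { width: 8, mask };
}

// Little-endian 32-bit load from the byte array standing in for memory.
function load32(mem, offset) {
  return (mem[offset] | (mem[offset + 1] << 8) | (mem[offset + 2] << 16) | (mem[offset + 3] << 24)) >>> 0;
}

// "ZF clear" result of the original and of the narrowed test: true when the AND is non-zero.
function test32(mem, mask, offset) {
  return ((load32(mem, offset) & mask) >>> 0) !== 0;
}
function narrowedTest(mem, narrowed) {
  return (mem[narrowed.offset] & narrowed.mask) !== 0;
}

// Exhaustive equivalence check: every value of the byte the narrowed test reads, with
// constructed filler in the other bytes (they are masked out by the 32-bit test anyway).
function equivalentForAllValues(mask, offset) {
  const narrowed = narrowMemoryTest32(mask, offset);
  if (narrowed === null) return false;
  const mem = new Uint8Array(16);
  for (let v = 0; v < 256; v++) {
    for (let i = 0; i < mem.length; i++) mem[i] = (i * 37 + v * 11) & 0xff; // constructed filler
    mem[narrowed.offset] = v;
    if (test32(mem, mask, offset) !== narrowedTest(mem, narrowed)) return false;
  }
  return true;
}
```

        Masks with more than one non-zero byte (0x00010100, say) are deliberately left on
        the 32-bit path: a single testb cannot observe both bytes at once.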
2733
2734 2013-08-16  Mark Lam  <mark.lam@apple.com>
2735
2736         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
2737         error message that an object is not a constructor though it expects a function
2738
2739         Reviewed by Michael Saboff.
2740
2741         * jit/JITStubs.cpp:
2742         (JSC::DEFINE_STUB_FUNCTION):
2743
2744 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2745
2746         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
2747         https://bugs.webkit.org/show_bug.cgi?id=119897
2748
2749         Reviewed by Oliver Hunt.
2750         
2751         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
2752         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
2753         to turn objects into dictionaries when you're storing using bracket syntax or using
2754         eval is still in place.
2755
2756         * bytecode/CodeBlock.h:
2757         (JSC::CodeBlock::putByIdContext):
2758         * dfg/DFGOperations.cpp:
2759         * jit/JITStubs.cpp:
2760         (JSC::DEFINE_STUB_FUNCTION):
2761         * llint/LLIntSlowPaths.cpp:
2762         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2763         * runtime/JSObject.h:
2764         (JSC::JSObject::putDirectInternal):
2765         * runtime/PutPropertySlot.h:
2766         (JSC::PutPropertySlot::PutPropertySlot):
2767         (JSC::PutPropertySlot::context):
2768         * runtime/Structure.cpp:
2769         (JSC::Structure::addPropertyTransition):
2770         * runtime/Structure.h:
2771
2772 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
2773
2774         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
2775
2776         Reviewed by Allan Sandfeld Jensen.
2777
2778         ctiVMHandleException must jump/return using register ra (r31).
2779
2780         * jit/JITStubsMIPS.h:
2781
2782 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
2783
2784         <https://webkit.org/b/119879> Fix sh4 build after r154156.
2785
2786         Reviewed by Allan Sandfeld Jensen.
2787
2788         Fix typo in JITStubsSH4.h file.
2789
2790         * jit/JITStubsSH4.h:
2791
2792 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2793
2794         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
2795
2796         Reviewed by Oliver Hunt.
2797
2798         The concurrent compilation thread should interact minimally with the Heap, including not 
2799         triggering WriteBarriers. This is a prerequisite for generational GC.
2800
2801         * JavaScriptCore.xcodeproj/project.pbxproj:
2802         * bytecode/CodeBlock.cpp:
2803         (JSC::CodeBlock::addOrFindConstant):
2804         (JSC::CodeBlock::findConstant):
2805         * bytecode/CodeBlock.h:
2806         (JSC::CodeBlock::addConstantLazily):
2807         * dfg/DFGByteCodeParser.cpp:
2808         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
2809         (JSC::DFG::ByteCodeParser::constantUndefined):
2810         (JSC::DFG::ByteCodeParser::constantNull):
2811         (JSC::DFG::ByteCodeParser::one):
2812         (JSC::DFG::ByteCodeParser::constantNaN):
2813         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2814         * dfg/DFGCommonData.cpp:
2815         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2816         * dfg/DFGCommonData.h:
2817         * dfg/DFGDesiredTransitions.cpp: Added.
2818         (JSC::DFG::DesiredTransition::DesiredTransition):
2819         (JSC::DFG::DesiredTransition::reallyAdd):
2820         (JSC::DFG::DesiredTransitions::DesiredTransitions):
2821         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
2822         (JSC::DFG::DesiredTransitions::addLazily):
2823         (JSC::DFG::DesiredTransitions::reallyAdd):
2824         * dfg/DFGDesiredTransitions.h: Added.
2825         * dfg/DFGDesiredWeakReferences.cpp: Added.
2826         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2827         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
2828         (JSC::DFG::DesiredWeakReferences::addLazily):
2829         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2830         * dfg/DFGDesiredWeakReferences.h: Added.
2831         * dfg/DFGDesiredWriteBarriers.cpp: Added.
2832         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2833         (JSC::DFG::DesiredWriteBarrier::trigger):
2834         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
2835         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
2836         (JSC::DFG::DesiredWriteBarriers::addImpl):
2837         (JSC::DFG::DesiredWriteBarriers::trigger):
2838         * dfg/DFGDesiredWriteBarriers.h: Added.
2839         (JSC::DFG::DesiredWriteBarriers::add):
2840         (JSC::DFG::initializeLazyWriteBarrier):
2841         * dfg/DFGFixupPhase.cpp:
2842         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2843         * dfg/DFGGraph.h:
2844         (JSC::DFG::Graph::convertToConstant):
2845         * dfg/DFGJITCompiler.h:
2846         (JSC::DFG::JITCompiler::addWeakReference):
2847         * dfg/DFGPlan.cpp:
2848         (JSC::DFG::Plan::Plan):
2849         (JSC::DFG::Plan::reallyAdd):
2850         * dfg/DFGPlan.h:
2851         * dfg/DFGSpeculativeJIT32_64.cpp:
2852         (JSC::DFG::SpeculativeJIT::compile):
2853         * dfg/DFGSpeculativeJIT64.cpp:
2854         (JSC::DFG::SpeculativeJIT::compile):
2855         * runtime/WriteBarrier.h:
2856         (JSC::WriteBarrierBase::set):
2857         (JSC::WriteBarrier::WriteBarrier):
2858
2859 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2860
2861         Fix x86 32bits build after r154158
2862
2863         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
2864
2865 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2866
2867         Build fix attempt after r154156.
2868
2869         * jit/JITStubs.cpp:
2870         (JSC::cti_vm_handle_exception): encode!
2871
2872 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2873
2874         [JSC] x86: Use inc and dec when possible
2875         https://bugs.webkit.org/show_bug.cgi?id=119831
2876
2877         Reviewed by Geoffrey Garen.
2878
2879         When incrementing or decrementing by an immediate of 1, use the instructions
2880         inc and dec instead of add and sub.
2881         The instructions have good timing and their encoding is smaller.
2882
2883         * assembler/MacroAssemblerX86Common.h:
2884         (JSC::MacroAssemblerX86_64::add32):
2885         (JSC::MacroAssemblerX86_64::sub32):
2886         * assembler/MacroAssemblerX86_64.h:
2887         (JSC::MacroAssemblerX86_64::add64):
2888         (JSC::MacroAssemblerX86_64::sub64):
2889         * assembler/X86Assembler.h:
2890         (JSC::X86Assembler::dec_r):
2891         (JSC::X86Assembler::decq_r):
2892         (JSC::X86Assembler::inc_r):
2893         (JSC::X86Assembler::incq_r):
2894
2895 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2896
2897         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
2898         https://bugs.webkit.org/show_bug.cgi?id=119874
2899
2900         Reviewed by Oliver Hunt and Mark Hahnenberg.
2901         
2902         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
2903         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
2904         sometimes for typed array length accesses, and the FixupPhase assuming that a
2905         ForceExit ArrayMode means that it should continue using a generic GetById.
2906
2907         This fixes the confusion.
2908
2909         * dfg/DFGFixupPhase.cpp:
2910         (JSC::DFG::FixupPhase::fixupNode):
2911
2912 2013-08-15  Mark Lam  <mark.lam@apple.com>
2913
2914         Fix crash when performing activation tearoff.
2915         https://bugs.webkit.org/show_bug.cgi?id=119848
2916
2917         Reviewed by Oliver Hunt.
2918
2919         The activation tearoff crash was due to a bug in the baseline JIT.
2920         If we have a scenario where a baseline JIT frame calls a LLINT
2921         frame, an exception may be thrown while in the LLINT.
2922
2923         Interpreter::throwException() which handles the exception will unwind
2924         all frames until it finds a catcher or sees a host frame. When we
2925         return from the LLINT to the baseline JIT code, the baseline JIT code
2926         erroneously sets topCallFrame to the value in its call frame register,
2927         and starts unwinding the stack frames that have already been unwound.
2928
2929         The fix is:
2930         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2931            This is a more accurate description of what this runtime function
2932            is supposed to do i.e. it handles the exception which includes doing
2933            nothing (if there are no more frames to unwind).
2934         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
2935            set on it.
2936         3. Reload the call frame register from topCallFrame when we're
2937            returning from a callee and detect exception handling in progress.
2938
2939         * interpreter/Interpreter.cpp:
2940         (JSC::Interpreter::unwindCallFrame):
2941         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2942         (JSC::Interpreter::getStackTrace):
2943         * interpreter/Interpreter.h:
2944         (JSC::TopCallFrameSetter::TopCallFrameSetter):
2945         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2946         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2947         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2948         * jit/JIT.h:
2949         * jit/JITExceptions.cpp:
2950         (JSC::uncaughtExceptionHandler):
2951         - Convenience function to get the handler for uncaught exceptions.
2952         * jit/JITExceptions.h:
2953         * jit/JITInlines.h:
2954         (JSC::JIT::reloadCallFrameFromTopCallFrame):
2955         * jit/JITOpcodes32_64.cpp:
2956         (JSC::JIT::privateCompileCTINativeCall):
2957         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2958         * jit/JITStubs.cpp:
2959         (JSC::throwExceptionFromOpCall):
2960         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2961         (JSC::cti_vm_handle_exception):
2962         - Check for the case when there are no more frames to unwind.
2963         * jit/JITStubs.h:
2964         * jit/JITStubsARM.h:
2965         * jit/JITStubsARMv7.h:
2966         * jit/JITStubsMIPS.h:
2967         * jit/JITStubsSH4.h:
2968         * jit/JITStubsX86.h:
2969         * jit/JITStubsX86_64.h:
2970         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2971         * jit/SlowPathCall.h:
2972         (JSC::JITSlowPathCall::call):
2973         - reload cfr from topCallFrame when handling an exception.
2974         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2975         * jit/ThunkGenerators.cpp:
2976         (JSC::nativeForGenerator):
2977         * llint/LowLevelInterpreter32_64.asm:
2978         * llint/LowLevelInterpreter64.asm:
2979         - reload cfr from topCallFrame when handling an exception.
2980         * runtime/VM.cpp:
2981         (JSC::VM::VM):
2982         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2983
2984 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2985
2986         Remove some code duplication.
2987         
2988         Rubber stamped by Mark Hahnenberg.
2989
2990         * runtime/JSDataViewPrototype.cpp:
2991         (JSC::getData):
2992         (JSC::setData):
2993
2994 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
2995
2996         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
2997         https://bugs.webkit.org/show_bug.cgi?id=119794
2998
2999         Reviewed by Filip Pizlo.
3000
3001         This patch fixes ASSERT failures in debug builds for sh4 and mips architecture.
3002
3003         * dfg/DFGUseKind.h:
3004         (JSC::DFG::isNumerical):
3005         (JSC::DFG::isDouble):
3006
3007 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
3008
3009         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
3010
3011         Rubber stamped by Oliver Hunt.
3012         
3013         This was causing some test crashes for me.
3014
3015         * dfg/DFGCapabilities.cpp:
3016         (JSC::DFG::capabilityLevel):
3017
3018 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
3019
3020         [Windows] Clear up improper export declaration.
3021
3022         * runtime/ArrayBufferView.h:
3023
3024 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
3025
3026         Unreviewed, remove some unnecessary periods from exceptions.
3027
3028         * runtime/JSDataViewPrototype.cpp:
3029         (JSC::getData):
3030         (JSC::setData):
3031
3032 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
3033
3034         Unreviewed, fix 32-bit build.
3035
3036         * dfg/DFGSpeculativeJIT32_64.cpp:
3037         (JSC::DFG::SpeculativeJIT::compile):
3038
3039 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
3040
3041         Typed arrays should be rewritten
3042         https://bugs.webkit.org/show_bug.cgi?id=119064
3043
3044         Reviewed by Oliver Hunt.
3045         
3046         Typed arrays were previously deficient in several major ways:
3047         
3048         - They were defined separately in WebCore and in the jsc shell. The two
3049           implementations were different, and the jsc shell one was basically wrong.
3050           The WebCore one was quite awful, also.
3051         
3052         - Typed arrays were not visible to the JIT except through some weird hooks.
3053           For example, the JIT could not ask "what is the Structure that this typed
3054           array would have if I just allocated it from this global object". Also,
3055           it was difficult to wire any of the typed array intrinsics, because most
3056           of the functionality wasn't visible anywhere in JSC.
3057         
3058         - Typed array allocation was brain-dead. Allocating a typed array involved
3059           two JS objects, two GC weak handles, and three malloc allocations.
3060         
3061         - Neutering. It involved keeping tabs on all native views but not the view
3062           wrappers, even though the native views can autoneuter just by asking the
3063           buffer if it was neutered anytime you touch them; while the JS view
3064           wrappers are the ones that you really want to reach out to.
3065         
3066         - Common case-ing. Most typed arrays have one buffer and one view, and
3067           usually nobody touches the buffer. Yet we created all of that stuff
3068           anyway, using data structures optimized for the case where you had a lot
3069           of views.
3070         
3071         - Semantic goofs. Typed arrays should, in the future, behave like ES
3072           features rather than DOM features, for example when it comes to exceptions.
3073           Firefox already does this and I agree with them.
3074         
3075         This patch cleanses our codebase of these sins:
3076         
3077         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
3078           management of native references to buffers is left to WebCore.
3079         
3080         - Allocating a typed array requires either two GC allocations (a cell and a
3081           copied storage vector) or one GC allocation, a malloc allocation, and a
3082           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
3083           latter). The latter is only used for oversize arrays. Remember that before
3084           it was 7 allocations no matter what.
3085         
3086         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
3087           mode/length, void* vector. Before it was a lot more than that - remember,
3088           there were five additional objects that did absolutely nothing for anybody.
3089         
3090         - Native views aren't tracked by the buffer, or by the wrappers. They are
3091           transient. In the future we'll probably switch to not even having them be
3092           malloc'd.
3093         
3094         - Native array buffers have an efficient way of tracking all of their JS view
3095           wrappers, both for neutering, and for lifecycle management. The GC
3096           special-cases native array buffers. This saves a bunch of grief; for example
3097           it means that a JS view wrapper can refer to its buffer via the butterfly,
3098           which would be dead by the time we went to finalize.
3099         
3100         - Typed array semantics now match Firefox, which also happens to be where the
3101           standards are going. The discussion on webkit-dev seemed to confirm that
3102           Chrome is also heading in this direction. This includes making
3103           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
3104           ArrayBufferView as a JS-visible construct.
3105         
3106         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
3107         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
3108         further typed array optimizations in the JSC JITs, including inlining typed
3109         array allocation, inlining more of the accessors, reducing the cost of type
3110         checks, etc.
3111         
3112         An additional property of this patch is that typed arrays are mostly
3113         implemented using templates. This deduplicates a bunch of code, but does mean
3114         that we need some hacks for exporting s_info's of template classes. See
3115         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
3116         low-impact compared to code duplication.
3117         
3118         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
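
        An added example in JavaScript, not part of this ChangeLog or of JSC, that probes
        the observable semantics two entries here describe: the typed array rewrite above
        (Uint8ClampedArray not a subtype of Uint8Array, no JS-visible ArrayBufferView,
        ES-style exceptions instead of DOM ones) and the byteLength inlining entry near the
        top of this section (byteLength lowered to GetArrayLength followed by BitLShift).
        It assumes an ES2015-or-later engine with globalThis; the probe function and its
        result field names are this example's own.

```javascript
// Added example (not JSC code): observable checks for the typed-array semantics
// described in this ChangeLog, runnable in any modern engine (node, a browser console).

// byteLength as the JIT lowers it: length shifted by log2(elementSize). The shift
// count is taken with clz32 rather than Math.log2 so it is exact for every power of two.
function byteLengthByShift(view) {
  const logElementSize = 31 - Math.clz32(view.BYTES_PER_ELEMENT); // 0..3 for current element types
  return view.length << logElementSize;
}

function probeTypedArraySemantics() {
  const result = {};

  // Uint8ClampedArray is its own view type, not a subtype of Uint8Array.
  result.clampedIsUint8 = new Uint8ClampedArray(1) instanceof Uint8Array;

  // ArrayBufferView is not exposed as a JS-visible constructor.
  result.arrayBufferViewVisible = typeof globalThis.ArrayBufferView !== 'undefined';

  // Out-of-range stores: clamping to [0, 255] with round-half-to-even versus
  // modular wrap-around. Inputs are constructed for this probe.
  result.clamped = Array.from(new Uint8ClampedArray([300, -5, 1.5]));
  result.wrapped = Array.from(new Uint8Array([300, -5, 1.5]));

  // A misaligned view over a buffer fails with an ES RangeError, not a DOM exception.
  try {
    new Uint16Array(new ArrayBuffer(4), 1);
    result.misalignedError = null;
  } catch (e) {
    result.misalignedError = e.constructor.name;
  }

  // byteLength agrees with the shift lowering for every element size.
  result.byteLengthMatches = [Int8Array, Uint16Array, Int32Array, Float64Array]
    .every((T) => { const v = new T(7); return v.byteLength === byteLengthByShift(v); });

  return result;
}
```

        The shift lowering is only sound because a view's byteLength stays within int32
        range, which is the same precondition the byteLength inlining entry relies on.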
3119
3120         * CMakeLists.txt:
3121         * DerivedSources.make:
3122         * GNUmakefile.list.am:
3123         * JSCTypedArrayStubs.h: Removed.
3124         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3125         * JavaScriptCore.xcodeproj/project.pbxproj:
3126         * Target.pri:
3127         * bytecode/ByValInfo.h:
3128         (JSC::hasOptimizableIndexingForClassInfo):
3129         (JSC::jitArrayModeForClassInfo):
3130         (JSC::typedArrayTypeForJITArrayMode):
3131         * bytecode/SpeculatedType.cpp:
3132         (JSC::speculationFromClassInfo):
3133         * dfg/DFGArrayMode.cpp:
3134         (JSC::DFG::toTypedArrayType):
3135         * dfg/DFGArrayMode.h:
3136         (JSC::DFG::ArrayMode::typedArrayType):
3137         * dfg/DFGSpeculativeJIT.cpp:
3138         (JSC::DFG::SpeculativeJIT::checkArray):
3139         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3140         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3141         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3142         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
3143         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3144         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3145         * dfg/DFGSpeculativeJIT.h:
3146         * dfg/DFGSpeculativeJIT32_64.cpp:
3147         (JSC::DFG::SpeculativeJIT::compile):
3148         * dfg/DFGSpeculativeJIT64.cpp:
3149         (JSC::DFG::SpeculativeJIT::compile):
3150         * heap/CopyToken.h:
3151         * heap/DeferGC.h:
3152         (JSC::DeferGCForAWhile::DeferGCForAWhile):
3153         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
3154         * heap/GCIncomingRefCounted.h: Added.
3155         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
3156         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
3157         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
3158         (JSC::GCIncomingRefCounted::incomingReferenceAt):
3159         (JSC::GCIncomingRefCounted::singletonFlag):
3160         (JSC::GCIncomingRefCounted::hasVectorOfCells):
3161         (JSC::GCIncomingRefCounted::hasAnyIncoming):
3162         (JSC::GCIncomingRefCounted::hasSingleton):
3163         (JSC::GCIncomingRefCounted::singleton):
3164         (JSC::GCIncomingRefCounted::vectorOfCells):
3165         * heap/GCIncomingRefCountedInlines.h: Added.
3166         (JSC::::addIncomingReference):
3167         (JSC::::filterIncomingReferences):
3168         * heap/GCIncomingRefCountedSet.h: Added.
3169         (JSC::GCIncomingRefCountedSet::size):
3170         * heap/GCIncomingRefCountedSetInlines.h: Added.
3171         (JSC::::GCIncomingRefCountedSet):
3172         (JSC::::~GCIncomingRefCountedSet):
3173         (JSC::::addReference):
3174         (JSC::::sweep):
3175         (JSC::::removeAll):
3176         (JSC::::removeDead):
3177         * heap/Heap.cpp:
3178         (JSC::Heap::addReference):
3179         (JSC::Heap::extraSize):
3180         (JSC::Heap::size):
3181         (JSC::Heap::capacity):
3182         (JSC::Heap::collect):
3183         (JSC::Heap::decrementDeferralDepth):
3184         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
3185         * heap/Heap.h:
3186         * interpreter/CallFrame.h:
3187         (JSC::ExecState::dataViewTable):
3188         * jit/JIT.h:
3189         * jit/JITPropertyAccess.cpp:
3190         (JSC::JIT::privateCompileGetByVal):
3191         (JSC::JIT::privateCompilePutByVal):
3192         (JSC::JIT::emitIntTypedArrayGetByVal):
3193         (JSC::JIT::emitFloatTypedArrayGetByVal):
3194         (JSC::JIT::emitIntTypedArrayPutByVal):
3195         (JSC::JIT::emitFloatTypedArrayPutByVal):
3196         * jsc.cpp:
3197         (GlobalObject::finishCreation):
3198         * runtime/ArrayBuffer.cpp:
3199         (JSC::ArrayBuffer::transfer):
3200         * runtime/ArrayBuffer.h:
3201         (JSC::ArrayBuffer::createAdopted):
3202         (JSC::ArrayBuffer::ArrayBuffer):
3203         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
3204         (JSC::ArrayBuffer::pin):
3205         (JSC::ArrayBuffer::unpin):
3206         (JSC::ArrayBufferContents::tryAllocate):
3207         * runtime/ArrayBufferView.cpp:
3208         (JSC::ArrayBufferView::ArrayBufferView):
3209         (JSC::ArrayBufferView::~ArrayBufferView):
3210         (JSC::ArrayBufferView::setNeuterable):
3211         * runtime/ArrayBufferView.h:
3212         (JSC::ArrayBufferView::isNeutered):
3213         (JSC::ArrayBufferView::buffer):
3214         (JSC::ArrayBufferView::baseAddress):
3215         (JSC::ArrayBufferView::byteOffset):
3216         (JSC::ArrayBufferView::verifySubRange):
3217         (JSC::ArrayBufferView::clampOffsetAndNumElements):
3218         (JSC::ArrayBufferView::calculateOffsetAndLength):
3219         * runtime/ClassInfo.h:
3220         * runtime/CommonIdentifiers.h:
3221         * runtime/DataView.cpp: Added.
3222         (JSC::DataView::DataView):
3223         (JSC::DataView::create):
3224         (JSC::DataView::wrap):
3225         * runtime/DataView.h: Added.
3226         (JSC::DataView::byteLength):
3227         (JSC::DataView::getType):
3228         (JSC::DataView::get):
3229         (JSC::DataView::set):
3230         * runtime/Float32Array.h:
3231         * runtime/Float64Array.h:
3232         * runtime/GenericTypedArrayView.h: Added.
3233         (JSC::GenericTypedArrayView::data):
3234         (JSC::GenericTypedArrayView::set):
3235         (JSC::GenericTypedArrayView::setRange):
3236         (JSC::GenericTypedArrayView::zeroRange):
3237         (JSC::GenericTypedArrayView::zeroFill):
3238         (JSC::GenericTypedArrayView::length):
3239         (JSC::GenericTypedArrayView::byteLength):
3240         (JSC::GenericTypedArrayView::item):
3241         (JSC::GenericTypedArrayView::checkInboundData):
3242         (JSC::GenericTypedArrayView::getType):
3243         * runtime/GenericTypedArrayViewInlines.h: Added.
3244         (JSC::::GenericTypedArrayView):
3245         (JSC::::create):
3246         (JSC::::createUninitialized):
3247         (JSC::::subarray):
3248         (JSC::::wrap):
3249         * runtime/IndexingHeader.h:
3250         (JSC::IndexingHeader::arrayBuffer):
3251         (JSC::IndexingHeader::setArrayBuffer):
3252         * runtime/Int16Array.h:
3253         * runtime/Int32Array.h:
3254         * runtime/Int8Array.h:
3255         * runtime/JSArrayBuffer.cpp: Added.
3256         (JSC::JSArrayBuffer::JSArrayBuffer):
3257         (JSC::JSArrayBuffer::finishCreation):
3258         (JSC::JSArrayBuffer::create):
3259         (JSC::JSArrayBuffer::createStructure):
3260         (JSC::JSArrayBuffer::getOwnPropertySlot):
3261         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
3262         (JSC::JSArrayBuffer::put):
3263         (JSC::JSArrayBuffer::defineOwnProperty):
3264         (JSC::JSArrayBuffer::deleteProperty):
3265         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
3266         * runtime/JSArrayBuffer.h: Added.
3267         (JSC::JSArrayBuffer::impl):
3268         (JSC::toArrayBuffer):
3269         * runtime/JSArrayBufferConstructor.cpp: Added.
3270         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
3271         (JSC::JSArrayBufferConstructor::finishCreation):
3272         (JSC::JSArrayBufferConstructor::create):
3273         (JSC::JSArrayBufferConstructor::createStructure):
3274         (JSC::constructArrayBuffer):
3275         (JSC::JSArrayBufferConstructor::getConstructData):
3276         (JSC::JSArrayBufferConstructor::getCallData):
3277         * runtime/JSArrayBufferConstructor.h: Added.
3278         * runtime/JSArrayBufferPrototype.cpp: Added.
3279         (JSC::arrayBufferProtoFuncSlice):
3280         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
3281         (JSC::JSArrayBufferPrototype::finishCreation):
3282         (JSC::JSArrayBufferPrototype::create):
3283         (JSC::JSArrayBufferPrototype::createStructure):
3284         * runtime/JSArrayBufferPrototype.h: Added.
3285         * runtime/JSArrayBufferView.cpp: Added.
3286         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3287         (JSC::JSArrayBufferView::JSArrayBufferView):
3288         (JSC::JSArrayBufferView::finishCreation):
3289         (JSC::JSArrayBufferView::getOwnPropertySlot):
3290         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
3291         (JSC::JSArrayBufferView::put):
3292         (JSC::JSArrayBufferView::defineOwnProperty):
3293         (JSC::JSArrayBufferView::deleteProperty):
3294         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
3295         (JSC::JSArrayBufferView::finalize):
3296         * runtime/JSArrayBufferView.h: Added.
3297         (JSC::JSArrayBufferView::sizeOf):
3298         (JSC::JSArrayBufferView::ConstructionContext::operator!):
3299         (JSC::JSArrayBufferView::ConstructionContext::structure):
3300         (JSC::JSArrayBufferView::ConstructionContext::vector):
3301         (JSC::JSArrayBufferView::ConstructionContext::length):
3302         (JSC::JSArrayBufferView::ConstructionContext::mode):
3303         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
3304         (JSC::JSArrayBufferView::mode):
3305         (JSC::JSArrayBufferView::vector):
3306         (JSC::JSArrayBufferView::length):
3307         (JSC::JSArrayBufferView::offsetOfVector):
3308         (JSC::JSArrayBufferView::offsetOfLength):
3309         (JSC::JSArrayBufferView::offsetOfMode):
3310         * runtime/JSArrayBufferViewInlines.h: Added.
3311         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
3312         (JSC::JSArrayBufferView::buffer):
3313         (JSC::JSArrayBufferView::impl):
3314         (JSC::JSArrayBufferView::neuter):
3315         (JSC::JSArrayBufferView::byteOffset):
3316         * runtime/JSCell.cpp:
3317         (JSC::JSCell::slowDownAndWasteMemory):
3318         (JSC::JSCell::getTypedArrayImpl):
3319         * runtime/JSCell.h:
3320         * runtime/JSDataView.cpp: Added.
3321         (JSC::JSDataView::JSDataView):
3322         (JSC::JSDataView::create):
3323         (JSC::JSDataView::createUninitialized):
3324         (JSC::JSDataView::set):
3325         (JSC::JSDataView::typedImpl):
3326         (JSC::JSDataView::getOwnPropertySlot):
3327         (JSC::JSDataView::getOwnPropertyDescriptor):
3328         (JSC::JSDataView::slowDownAndWasteMemory):
3329         (JSC::JSDataView::getTypedArrayImpl):
3330         (JSC::JSDataView::createStructure):
3331         * runtime/JSDataView.h: Added.
3332         * runtime/JSDataViewPrototype.cpp: Added.
3333         (JSC::JSDataViewPrototype::JSDataViewPrototype):
3334         (JSC::JSDataViewPrototype::create):
3335         (JSC::JSDataViewPrototype::createStructure):
3336         (JSC::JSDataViewPrototype::getOwnPropertySlot):
3337         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
3338         (JSC::getData):
3339         (JSC::setData):
3340         (JSC::dataViewProtoFuncGetInt8):
3341         (JSC::dataViewProtoFuncGetInt16):
3342         (JSC::dataViewProtoFuncGetInt32):
3343         (JSC::dataViewProtoFuncGetUint8):
3344         (JSC::dataViewProtoFuncGetUint16):
3345         (JSC::dataViewProtoFuncGetUint32):
3346         (JSC::dataViewProtoFuncGetFloat32):
3347         (JSC::dataViewProtoFuncGetFloat64):
3348         (JSC::dataViewProtoFuncSetInt8):
3349         (JSC::dataViewProtoFuncSetInt16):
3350         (JSC::dataViewProtoFuncSetInt32):
3351         (JSC::dataViewProtoFuncSetUint8):
3352         (JSC::dataViewProtoFuncSetUint16):
3353         (JSC::dataViewProtoFuncSetUint32):
3354         (JSC::dataViewProtoFuncSetFloat32):
3355         (JSC::dataViewProtoFuncSetFloat64):
3356         * runtime/JSDataViewPrototype.h: Added.
3357         * runtime/JSFloat32Array.h: Added.
3358         * runtime/JSFloat64Array.h: Added.
3359         * runtime/JSGenericTypedArrayView.h: Added.
3360         (JSC::JSGenericTypedArrayView::byteLength):
3361         (JSC::JSGenericTypedArrayView::byteSize):
3362         (JSC::JSGenericTypedArrayView::typedVector):
3363         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
3364         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
3365         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
3366         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
3367         (JSC::JSGenericTypedArrayView::getIndexQuickly):
3368         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
3369         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
3370         (JSC::JSGenericTypedArrayView::setIndexQuickly):
3371         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
3372         (JSC::JSGenericTypedArrayView::typedImpl):
3373         (JSC::JSGenericTypedArrayView::createStructure):
3374         (JSC::JSGenericTypedArrayView::info):
3375         (JSC::toNativeTypedView):
3376         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
3377         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
3378         (JSC::::JSGenericTypedArrayViewConstructor):
3379         (JSC::::finishCreation):
3380         (JSC::::create):
3381         (JSC::::createStructure):
3382         (JSC::constructGenericTypedArrayView):
3383         (JSC::::getConstructData):
3384         (JSC::::getCallData):
3385         * runtime/JSGenericTypedArrayViewInlines.h: Added.
3386         (JSC::::JSGenericTypedArrayView):
3387         (JSC::::create):
3388         (JSC::::createUninitialized):
3389         (JSC::::validateRange):
3390         (JSC::::setWithSpecificType):
3391         (JSC::::set):
3392         (JSC::::getOwnPropertySlot):
3393         (JSC::::getOwnPropertyDescriptor):
3394         (JSC::::put):
3395         (JSC::::defineOwnProperty):
3396         (JSC::::deleteProperty):
3397         (JSC::::getOwnPropertySlotByIndex):
3398         (JSC::::putByIndex):
3399         (JSC::::deletePropertyByIndex):
3400         (JSC::::getOwnNonIndexPropertyNames):
3401         (JSC::::getOwnPropertyNames):
3402         (JSC::::visitChildren):
3403         (JSC::::copyBackingStore):
3404         (JSC::::slowDownAndWasteMemory):
3405         (JSC::::getTypedArrayImpl):
3406         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
3407         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
3408         (JSC::genericTypedArrayViewProtoFuncSet):
3409         (JSC::genericTypedArrayViewProtoFuncSubarray):
3410         (JSC::::JSGenericTypedArrayViewPrototype):
3411         (JSC::::finishCreation):
3412         (JSC::::create):
3413         (JSC::::createStructure):
3414         * runtime/JSGlobalObject.cpp:
3415         (JSC::JSGlobalObject::reset):
3416         (JSC::JSGlobalObject::visitChildren):
3417         * runtime/JSGlobalObject.h:
3418         (JSC::JSGlobalObject::arrayBufferPrototype):
3419         (JSC::JSGlobalObject::arrayBufferStructure):
3420         (JSC::JSGlobalObject::typedArrayStructure):
3421         * runtime/JSInt16Array.h: Added.
3422         * runtime/JSInt32Array.h: Added.
3423         * runtime/JSInt8Array.h: Added.
3424         * runtime/JSTypedArrayConstructors.cpp: Added.
3425         * runtime/JSTypedArrayConstructors.h: Added.
3426         * runtime/JSTypedArrayPrototypes.cpp: Added.
3427         * runtime/JSTypedArrayPrototypes.h: Added.
3428         * runtime/JSTypedArrays.cpp: Added.
3429         * runtime/JSTypedArrays.h: Added.
3430         * runtime/JSUint16Array.h: Added.
3431         * runtime/JSUint32Array.h: Added.
3432         * runtime/JSUint8Array.h: Added.
3433         * runtime/JSUint8ClampedArray.h: Added.
3434         * runtime/Operations.h:
3435         * runtime/Options.h:
3436         * runtime/SimpleTypedArrayController.cpp: Added.
3437         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
3438         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
3439         (JSC::SimpleTypedArrayController::toJS):
3440         * runtime/SimpleTypedArrayController.h: Added.
3441         * runtime/Structure.h:
3442         (JSC::Structure::couldHaveIndexingHeader):
3443         * runtime/StructureInlines.h:
3444         (JSC::Structure::hasIndexingHeader):
3445         * runtime/TypedArrayAdaptors.h: Added.
3446         (JSC::IntegralTypedArrayAdaptor::toNative):
3447         (JSC::IntegralTypedArrayAdaptor::toJSValue):
3448         (JSC::IntegralTypedArrayAdaptor::toDouble):
3449         (JSC::FloatTypedArrayAdaptor::toNative):
3450         (JSC::FloatTypedArrayAdaptor::toJSValue):
3451         (JSC::FloatTypedArrayAdaptor::toDouble):
3452         (JSC::Uint8ClampedAdaptor::toNative):
3453         (JSC::Uint8ClampedAdaptor::toJSValue):
3454         (JSC::Uint8ClampedAdaptor::toDouble):
3455         (JSC::Uint8ClampedAdaptor::clamp):
3456         * runtime/TypedArrayController.cpp: Added.
3457         (JSC::TypedArrayController::TypedArrayController):
3458         (JSC::TypedArrayController::~TypedArrayController):
3459         * runtime/TypedArrayController.h: Added.
3460         * runtime/TypedArrayDescriptor.h: Removed.
3461         * runtime/TypedArrayInlines.h: Added.
3462         * runtime/TypedArrayType.cpp: Added.
3463         (JSC::classInfoForType):
3464         (WTF::printInternal):
3465         * runtime/TypedArrayType.h: Added.
3466         (JSC::toIndex):
3467         (JSC::isTypedView):
3468         (JSC::elementSize):
3469         (JSC::isInt):
3470         (JSC::isFloat):
3471         (JSC::isSigned):
3472         (JSC::isClamped):
3473         * runtime/TypedArrays.h: Added.
3474         * runtime/Uint16Array.h:
3475         * runtime/Uint32Array.h:
3476         * runtime/Uint8Array.h:
3477         * runtime/Uint8ClampedArray.h:
3478         * runtime/VM.cpp:
3479         (JSC::VM::VM):
3480         (JSC::VM::~VM):
3481         * runtime/VM.h:
3482
3483 2013-08-15  Oliver Hunt  <oliver@apple.com>
3484
3485         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
3486
3487         Reviewed by Filip Pizlo.
3488
3489         Make sure dfgCapabilities doesn't report a Dynamic put as
3490         being compilable when we don't actually support it.  
3491
3492         * bytecode/CodeBlock.cpp:
3493         (JSC::CodeBlock::dumpBytecode):
3494         * dfg/DFGCapabilities.cpp:
3495         (JSC::DFG::capabilityLevel):
3496
3497 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
3498
3499         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
3500         https://bugs.webkit.org/show_bug.cgi?id=119847
3501
3502         Reviewed by Oliver Hunt.
3503
3504         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
3505         * runtime/ArrayBufferView.h: Ditto.
3506
3507 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
3508
3509         https://bugs.webkit.org/show_bug.cgi?id=119843
3510         PropertySlot::setValue is ambiguous
3511
3512         Reviewed by Geoff Garen.
3513
3514         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
3515         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
3516         Unify on always providing the object, and remove the version that just takes a value.
3517         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
3518         Provide a version of setValue that takes a JSString as the owner of the property.
3519         We won't store this, but it makes it clear that this interface should only be used from JSString.
3520
3521         * API/JSCallbackObjectFunctions.h:
3522         (JSC::::getOwnPropertySlot):
3523         * JSCTypedArrayStubs.h:
3524         * runtime/Arguments.cpp:
3525         (JSC::Arguments::getOwnPropertySlotByIndex):
3526         (JSC::Arguments::getOwnPropertySlot):
3527         * runtime/JSActivation.cpp:
3528         (JSC::JSActivation::symbolTableGet):
3529         (JSC::JSActivation::getOwnPropertySlot):
3530         * runtime/JSArray.cpp:
3531         (JSC::JSArray::getOwnPropertySlot):
3532         * runtime/JSObject.cpp:
3533         (JSC::JSObject::getOwnPropertySlotByIndex):
3534         * runtime/JSString.h:
3535         (JSC::JSString::getStringPropertySlot):
3536         * runtime/JSSymbolTableObject.h:
3537         (JSC::symbolTableGet):
3538         * runtime/SparseArrayValueMap.cpp:
3539         (JSC::SparseArrayEntry::get):
3540             - Pass object containing property to PropertySlot::setValue
3541         * runtime/PropertySlot.h:
3542         (JSC::PropertySlot::setValue):
3543             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
3544         (JSC::PropertySlot::setUndefined):
3545             - removed setValue(JSValue), added setValue(JSString*, JSValue)
3546
3547 2013-08-15  Oliver Hunt  <oliver@apple.com>
3548
3549         Remove bogus assertion.
3550
3551         RS=Filip Pizlo
3552
3553         * dfg/DFGAbstractInterpreterInlines.h:
3554         (JSC::DFG::::executeEffects):
3555
3556 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3557
3558         REGRESSION(r148790) Made 7 tests fail on x86 32bit
3559         https://bugs.webkit.org/show_bug.cgi?id=114913
3560
3561         Reviewed by Filip Pizlo.
3562
3563         The X87 register was not freed before some calls. Instead
3564         of inserting resetX87Registers to the last call sites,
3565         the two X87 registers are now freed in every call.
3566
3567         * llint/LowLevelInterpreter32_64.asm:
3568         * llint/LowLevelInterpreter64.asm:
3569         * offlineasm/instructions.rb:
3570         * offlineasm/x86.rb:
3571
3572 2013-08-14  Michael Saboff  <msaboff@apple.com>
3573
3574         Fixed jit on Win64.
3575         https://bugs.webkit.org/show_bug.cgi?id=119601
3576
3577         Reviewed by Oliver Hunt.
3578
3579         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
3580         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
3581         * jit/SlowPathCall.h:
3582         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
3583
3584 2013-08-14  Alex Christensen  <achristensen@apple.com>
3585
3586         Compile fix for Win64 with jit disabled.
3587         https://bugs.webkit.org/show_bug.cgi?id=119804
3588
3589         Reviewed by Michael Saboff.
3590
3591         * offlineasm/cloop.rb: Added std:: before isnan.
3592
3593 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
3594
3595         DFG_JIT implementation for sh4 architecture.
3596         https://bugs.webkit.org/show_bug.cgi?id=119737
3597
3598         Reviewed by Oliver Hunt.
3599
3600         * assembler/MacroAssemblerSH4.h:
3601         (JSC::MacroAssemblerSH4::invert):
3602         (JSC::MacroAssemblerSH4::add32):
3603         (JSC::MacroAssemblerSH4::and32):
3604         (JSC::MacroAssemblerSH4::lshift32):
3605         (JSC::MacroAssemblerSH4::mul32):
3606         (JSC::MacroAssemblerSH4::or32):
3607         (JSC::MacroAssemblerSH4::rshift32):
3608         (JSC::MacroAssemblerSH4::sub32):
3609         (JSC::MacroAssemblerSH4::xor32):
3610         (JSC::MacroAssemblerSH4::store32):
3611         (JSC::MacroAssemblerSH4::swapDouble):
3612         (JSC::MacroAssemblerSH4::storeDouble):
3613         (JSC::MacroAssemblerSH4::subDouble):
3614         (JSC::MacroAssemblerSH4::mulDouble):
3615         (JSC::MacroAssemblerSH4::divDouble):
3616         (JSC::MacroAssemblerSH4::negateDouble):
3617         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
3618         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
3619         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
3620         (JSC::MacroAssemblerSH4::swap):
3621         (JSC::MacroAssemblerSH4::jump):
3622         (JSC::MacroAssemblerSH4::branchNeg32):
3623         (JSC::MacroAssemblerSH4::branchAdd32):
3624         (JSC::MacroAssemblerSH4::branchMul32):
3625         (JSC::MacroAssemblerSH4::urshift32):
3626         * assembler/SH4Assembler.h:
3627         (JSC::SH4Assembler::SH4Assembler):
3628         (JSC::SH4Assembler::labelForWatchpoint):
3629         (JSC::SH4Assembler::label):
3630         (JSC::SH4Assembler::debugOffset):
3631         * dfg/DFGAssemblyHelpers.h:
3632         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
3633         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
3634         (JSC::DFG::AssemblyHelpers::debugCall):
3635         * dfg/DFGCCallHelpers.h:
3636         (JSC::DFG::CCallHelpers::setupArguments):
3637         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
3638         * dfg/DFGFPRInfo.h:
3639         (JSC::DFG::FPRInfo::toRegister):
3640         (JSC::DFG::FPRInfo::toIndex):
3641         (JSC::DFG::FPRInfo::debugName):
3642         * dfg/DFGGPRInfo.h:
3643         (JSC::DFG::GPRInfo::toRegister):
3644         (JSC::DFG::GPRInfo::toIndex):
3645         (JSC::DFG::GPRInfo::debugName):
3646         * dfg/DFGOperations.cpp:
3647         * dfg/DFGSpeculativeJIT.h:
3648         (JSC::DFG::SpeculativeJIT::callOperation):
3649         * jit/JITStubs.h:
3650         * jit/JITStubsSH4.h:
3651
3652 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3653
3654         Unreviewed, fix build.
3655
3656         * API/JSValue.mm:
3657         (isDate):
3658         (isArray):
3659         * API/JSWrapperMap.mm:
3660         (tryUnwrapObjcObject):
3661         * API/ObjCCallbackFunction.mm:
3662         (tryUnwrapBlock):
3663
3664 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3665
3666         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
3667         https://bugs.webkit.org/show_bug.cgi?id=119770
3668
3669         Reviewed by Mark Hahnenberg.
3670
3671         * API/JSCallbackConstructor.cpp:
3672         (JSC::JSCallbackConstructor::finishCreation):
3673         * API/JSCallbackConstructor.h:
3674         (JSC::JSCallbackConstructor::createStructure):
3675         * API/JSCallbackFunction.cpp:
3676         (JSC::JSCallbackFunction::finishCreation):
3677         * API/JSCallbackFunction.h:
3678         (JSC::JSCallbackFunction::createStructure):
3679         * API/JSCallbackObject.cpp:
3680         (JSC::::createStructure):
3681         * API/JSCallbackObject.h:
3682         (JSC::JSCallbackObject::visitChildren):
3683         * API/JSCallbackObjectFunctions.h:
3684         (JSC::::asCallbackObject):
3685         (JSC::::finishCreation):
3686         * API/JSObjectRef.cpp:
3687         (JSObjectGetPrivate):
3688         (JSObjectSetPrivate):
3689         (JSObjectGetPrivateProperty):
3690         (JSObjectSetPrivateProperty):
3691         (JSObjectDeletePrivateProperty):
3692         * API/JSValueRef.cpp:
3693         (JSValueIsObjectOfClass):
3694         * API/JSWeakObjectMapRefPrivate.cpp:
3695         * API/ObjCCallbackFunction.h:
3696         (JSC::ObjCCallbackFunction::createStructure):
3697         * JSCTypedArrayStubs.h:
3698         * bytecode/CallLinkStatus.cpp:
3699         (JSC::CallLinkStatus::CallLinkStatus):
3700         (JSC::CallLinkStatus::function):
3701         (JSC::CallLinkStatus::internalFunction):
3702         * bytecode/CodeBlock.h:
3703         (JSC::baselineCodeBlockForInlineCallFrame):
3704         * bytecode/SpeculatedType.cpp:
3705         (JSC::speculationFromClassInfo):
3706         * bytecode/UnlinkedCodeBlock.cpp:
3707         (JSC::UnlinkedFunctionExecutable::visitChildren):
3708         (JSC::UnlinkedCodeBlock::visitChildren):
3709         (JSC::UnlinkedProgramCodeBlock::visitChildren):
3710         * bytecode/UnlinkedCodeBlock.h:
3711         (JSC::UnlinkedFunctionExecutable::createStructure):
3712         (JSC::UnlinkedProgramCodeBlock::createStructure):
3713         (JSC::UnlinkedEvalCodeBlock::createStructure):
3714         (JSC::UnlinkedFunctionCodeBlock::createStructure):
3715         * debugger/Debugger.cpp:
3716         * debugger/DebuggerActivation.cpp:
3717         (JSC::DebuggerActivation::visitChildren):
3718         * debugger/DebuggerActivation.h:
3719         (JSC::DebuggerActivation::createStructure):
3720         * debugger/DebuggerCallFrame.cpp:
3721         (JSC::DebuggerCallFrame::functionName):
3722         * dfg/DFGAbstractInterpreterInlines.h:
3723         (JSC::DFG::::executeEffects):
3724         * dfg/DFGByteCodeParser.cpp:
3725         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3726         (JSC::DFG::ByteCodeParser::parseBlock):
3727         * dfg/DFGFixupPhase.cpp:
3728         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
3729         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3730         * dfg/DFGGraph.cpp:
3731         (JSC::DFG::Graph::dump):
3732         * dfg/DFGGraph.h:
3733         (JSC::DFG::Graph::isInternalFunctionConstant):
3734         * dfg/DFGOperations.cpp:
3735         * dfg/DFGSpeculativeJIT.cpp:
3736         (JSC::DFG::SpeculativeJIT::checkArray):
3737         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3738         * dfg/DFGThunks.cpp:
3739         (JSC::DFG::virtualForThunkGenerator):
3740         * interpreter/Interpreter.cpp:
3741         (JSC::loadVarargs):
3742         * jsc.cpp:
3743         (GlobalObject::createStructure):
3744         * profiler/LegacyProfiler.cpp:
3745         (JSC::LegacyProfiler::createCallIdentifier):
3746         * runtime/Arguments.cpp:
3747         (JSC::Arguments::visitChildren):
3748         * runtime/Arguments.h:
3749         (JSC::Arguments::createStructure):
3750         (JSC::asArguments):
3751         (JSC::Arguments::finishCreation):
3752         * runtime/ArrayConstructor.cpp:
3753         (JSC::arrayConstructorIsArray):
3754         * runtime/ArrayConstructor.h:
3755         (JSC::ArrayConstructor::createStructure):
3756         * runtime/ArrayPrototype.cpp:
3757         (JSC::ArrayPrototype::finishCreation):
3758         (JSC::arrayProtoFuncConcat):
3759         (JSC::attemptFastSort):
3760         * runtime/ArrayPrototype.h:
3761         (JSC::ArrayPrototype::createStructure):
3762         * runtime/BooleanConstructor.h:
3763         (JSC::BooleanConstructor::createStructure):
3764         * runtime/BooleanObject.cpp:
3765         (JSC::BooleanObject::finishCreation):
3766         * runtime/BooleanObject.h:
3767         (JSC::BooleanObject::createStructure):
3768         (JSC::asBooleanObject):
3769         * runtime/BooleanPrototype.cpp:
3770         (JSC::BooleanPrototype::finishCreation):
3771         (JSC::booleanProtoFuncToString):
3772         (JSC::booleanProtoFuncValueOf):
3773         * runtime/BooleanPrototype.h:
3774         (JSC::BooleanPrototype::createStructure):
3775         * runtime/DateConstructor.cpp:
3776         (JSC::constructDate):
3777         * runtime/DateConstructor.h:
3778         (JSC::DateConstructor::createStructure):
3779         * runtime/DateInstance.cpp:
3780         (JSC::DateInstance::finishCreation):
3781         * runtime/DateInstance.h:
3782         (JSC::DateInstance::createStructure):
3783         (JSC::asDateInstance):
3784         * runtime/DatePrototype.cpp:
3785         (JSC::formateDateInstance):
3786         (JSC::DatePrototype::finishCreation):
3787         (JSC::dateProtoFuncToISOString):
3788         (JSC::dateProtoFuncToLocaleString):
3789         (JSC::dateProtoFuncToLocaleDateString):
3790         (JSC::dateProtoFuncToLocaleTimeString):
3791         (JSC::dateProtoFuncGetTime):
3792         (JSC::dateProtoFuncGetFullYear):
3793         (JSC::dateProtoFuncGetUTCFullYear):
3794         (JSC::dateProtoFuncGetMonth):
3795         (JSC::dateProtoFuncGetUTCMonth):
3796         (JSC::dateProtoFuncGetDate):
3797         (JSC::dateProtoFuncGetUTCDate):
3798         (JSC::dateProtoFuncGetDay):
3799         (JSC::dateProtoFuncGetUTCDay):
3800         (JSC::dateProtoFuncGetHours):
3801         (JSC::dateProtoFuncGetUTCHours):
3802         (JSC::dateProtoFuncGetMinutes):
3803         (JSC::dateProtoFuncGetUTCMinutes):
3804         (JSC::dateProtoFuncGetSeconds):
3805         (JSC::dateProtoFuncGetUTCSeconds):
3806         (JSC::dateProtoFuncGetMilliSeconds):
3807         (JSC::dateProtoFuncGetUTCMilliseconds):
3808         (JSC::dateProtoFuncGetTimezoneOffset):
3809         (JSC::dateProtoFuncSetTime):
3810         (JSC::setNewValueFromTimeArgs):
3811         (JSC::setNewValueFromDateArgs):
3812         (JSC::dateProtoFuncSetYear):
3813         (JSC::dateProtoFuncGetYear):
3814         * runtime/DatePrototype.h:
3815         (JSC::DatePrototype::createStructure):
3816         * runtime/Error.h:
3817         (JSC::StrictModeTypeErrorFunction::createStructure):
3818         * runtime/ErrorConstructor.h:
3819         (JSC::ErrorConstructor::createStructure):
3820         * runtime/ErrorInstance.cpp:
3821         (JSC::ErrorInstance::finishCreation):
3822         * runtime/ErrorInstance.h:
3823         (JSC::ErrorInstance::createStructure):
3824         * runtime/ErrorPrototype.cpp:
3825         (JSC::ErrorPrototype::finishCreation):
3826         * runtime/ErrorPrototype.h:
3827         (JSC::ErrorPrototype::createStructure):
3828         * runtime/ExceptionHelpers.cpp:
3829         (JSC::isTerminatedExecutionException):
3830         * runtime/ExceptionHelpers.h:
3831         (JSC::TerminatedExecutionError::createStructure):
3832         * runtime/Executable.cpp:
3833         (JSC::EvalExecutable::visitChildren):
3834         (JSC::ProgramExecutable::visitChildren):
3835         (JSC::FunctionExecutable::visitChildren):
3836         (JSC::ExecutableBase::hashFor):
3837         * runtime/Executable.h:
3838         (JSC::ExecutableBase::createStructure):
3839         (JSC::NativeExecutable::createStructure):
3840         (JSC::EvalExecutable::createStructure):
3841         (JSC::ProgramExecutable::createStructure):
3842         (JSC::FunctionExecutable::compileFor):
3843         (JSC::FunctionExecutable::compileOptimizedFor):
3844         (JSC::FunctionExecutable::createStructure):
3845         * runtime/FunctionConstructor.h:
3846         (JSC::FunctionConstructor::createStructure):
3847         * runtime/FunctionPrototype.cpp:
3848         (JSC::functionProtoFuncToString):
3849         (JSC::functionProtoFuncApply):
3850         (JSC::functionProtoFuncBind):
3851         * runtime/FunctionPrototype.h:
3852         (JSC::FunctionPrototype::createStructure):
3853         * runtime/GetterSetter.cpp:
3854         (JSC::GetterSetter::visitChildren):
3855         * runtime/GetterSetter.h:
3856         (JSC::GetterSetter::createStructure):
3857         * runtime/InternalFunction.cpp:
3858         (JSC::InternalFunction::finishCreation):
3859         * runtime/InternalFunction.h:
3860         (JSC::InternalFunction::createStructure):
3861         (JSC::asInternalFunction):
3862         * runtime/JSAPIValueWrapper.h:
3863         (JSC::JSAPIValueWrapper::createStructure):
3864         * runtime/JSActivation.cpp:
3865         (JSC::JSActivation::visitChildren):
3866         (JSC::JSActivation::argumentsGetter):
3867         * runtime/JSActivation.h:
3868         (JSC::JSActivation::createStructure):
3869         (JSC::asActivation):
3870         * runtime/JSArray.h:
3871         (JSC::JSArray::createStructure):
3872         (JSC::asArray):
3873         (JSC::isJSArray):
3874         * runtime/JSBoundFunction.cpp:
3875         (JSC::JSBoundFunction::finishCreation):
3876         (JSC::JSBoundFunction::visitChildren):
3877         * runtime/JSBoundFunction.h:
3878         (JSC::JSBoundFunction::createStructure):
3879         * runtime/JSCJSValue.cpp:
3880         (JSC::JSValue::dumpInContext):
3881         * runtime/JSCJSValueInlines.h:
3882         (JSC::JSValue::isFunction):
3883         * runtime/JSCell.h:
3884         (JSC::jsCast):
3885         (JSC::jsDynamicCast):
3886         * runtime/JSCellInlines.h:
3887         (JSC::allocateCell):
3888         * runtime/JSFunction.cpp:
3889         (JSC::JSFunction::finishCreation):
3890         (JSC::JSFunction::visitChildren):
3891         (JSC::skipOverBoundFunctions):
3892         (JSC::JSFunction::callerGetter):
3893         * runtime/JSFunction.h:
3894         (JSC::JSFunction::createStructure):
3895         * runtime/JSGlobalObject.cpp:
3896         (JSC::JSGlobalObject::visitChildren):
3897         (JSC::slowValidateCell):
3898         * runtime/JSGlobalObject.h:
3899         (JSC::JSGlobalObject::createStructure):
3900         * runtime/JSNameScope.cpp:
3901         (JSC::JSNameScope::visitChildren):
3902         * runtime/JSNameScope.h:
3903         (JSC::JSNameScope::createStructure):
3904         * runtime/JSNotAnObject.h:
3905         (JSC::JSNotAnObject::createStructure):
3906         * runtime/JSONObject.cpp: