errorDescriptionForValue() should not assume error value is an Object
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-22  Chris Curtis  <chris_curtis@apple.com>

        errorDescriptionForValue() should not assume error value is an Object
        https://bugs.webkit.org/show_bug.cgi?id=119812

        Reviewed by Geoffrey Garen.

        Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
        has no type, the function now returns the empty string.

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
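
The entry above describes a type-check-before-cast fix. The following is an added illustration written for this page, not the ExceptionHelpers.cpp code itself: it models a tagged value (the `Value` class, `Object` struct and the `describe*` functions are this example's constructions, not JSC's JSValue API) and shows the unchecked cast beside the checked version that returns the empty string for a typeless ("empty") value.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Constructed model for this example (not JSC's JSValue): a tagged value whose
// payload is an Object* only when the tag says so. "Empty" stands in for the
// "no type" case the ChangeLog entry mentions.
struct Object {
    std::string className;
};

class Value {
public:
    enum class Tag { Empty, Undefined, Number, Object };

    static Value empty() { return Value(); }
    static Value undefined() { Value v; v.m_tag = Tag::Undefined; return v; }
    static Value number(double d) { Value v; v.m_tag = Tag::Number; v.m_payload.number = d; return v; }
    static Value object(Object* o) { Value v; v.m_tag = Tag::Object; v.m_payload.object = o; return v; }

    bool isEmpty() const { return m_tag == Tag::Empty; }
    bool isObject() const { return m_tag == Tag::Object; }
    // Unchecked cast: only meaningful after isObject() returned true.
    Object* asObject() const { return m_payload.object; }

private:
    Value() : m_tag(Tag::Empty) { m_payload.number = 0.0; }
    Tag m_tag;
    union { double number; Object* object; } m_payload;
};

// Before: casts unconditionally. For a number the payload is the double's bit
// pattern, so asObject() yields a bogus pointer and the dereference is a
// memory-safety bug; for an empty value it is a null dereference. Kept only to
// show the pattern; never call it with a non-object.
std::string describeUnchecked(const Value& v) {
    return v.asObject()->className;
}

// After: check the tag before casting. An empty (typeless) value yields the
// empty string, mirroring the ChangeLog entry; the fallback text for other
// non-object values is this example's choice, not JSC's behaviour.
std::string describeChecked(const Value& v) {
    if (v.isEmpty())
        return std::string();
    if (v.isObject())
        return v.asObject()->className;
    return "non-object value";
}

// Exercises the checked path on each kind of value; returns true when every
// case behaved as intended.
bool runChecks() {
    Object error{"Error"};
    return describeChecked(Value::empty()).empty()
        && describeChecked(Value::object(&error)) == "Error"
        && describeChecked(Value::number(42.0)) == "non-object value"
        && describeChecked(Value::undefined()) == "non-object value";
}

int main() {
    bool ok = runChecks();
    std::printf("%s\n", ok ? "all cases handled" : "mismatch");
    return ok ? 0 : 1;
}
```

The defensive point is the order of operations: the tag is consulted before the payload is reinterpreted as a pointer, and the "no type" case is handled explicitly rather than falling through to the cast.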

2013-08-22  Julien Brianceau  <jbrianceau@nds.com>

        Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=120107

        Reviewed by Yong Li.

        EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-08-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154416.
        http://trac.webkit.org/changeset/154416
        https://bugs.webkit.org/show_bug.cgi?id=120147

        Broke Windows builds (Requested by rniwa on #webkit).

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        Clarify var/const/function declaration
        https://bugs.webkit.org/show_bug.cgi?id=120144

        Reviewed by Sam Weinig.

        Add methods to JSGlobalObject to declare vars, consts, and functions.

        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
            - Moved declaration code to JSGlobalObject
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
            - internal implementation of addVar, addConst, addFunction
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):
        (JSC::JSGlobalObject::addConst):
        (JSC::JSGlobalObject::addFunction):
            - Added methods to declare vars, consts, and functions

2013-08-21  Yi Shen  <max.hong.shen@gmail.com>

        https://bugs.webkit.org/show_bug.cgi?id=119900
        Exception in global setter doesn't unwind correctly

        Reviewed by Geoffrey Garen.

        Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws an exception.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename/refactor setButterfly/setStructure
        https://bugs.webkit.org/show_bug.cgi?id=120138

        Reviewed by Geoffrey Garen.

        setButterfly becomes setStructureAndButterfly.

        Also removed the Butterfly* argument from setStructure and just implicitly
        used m_butterfly internally since that's what every single client of setStructure
        was doing already.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Unreviewed typo fix

        * runtime/JSObject.h:
            - fix typo

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120139
        PropertyDescriptor argument to define methods should be const

        Rubber stamped by Sam Weinig.

        This should never be modified, and this way we can use rvalues.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/Arguments.h:
        * runtime/ClassInfo.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::defineOwnProperty):
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineOwnProperty):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::defineOwnProperty):
        * runtime/JSProxy.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::defineOwnProperty):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringObject.h:
            - make PropertyDescriptor const

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash under JITCompiler::link while loading Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119872

        Reviewed by Mark Hahnenberg.

        Apparently, unsigned + signed = unsigned. Work around it with a cast.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
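
The one-line description above ("unsigned + signed = unsigned") names a C++ usual-arithmetic-conversions pitfall that is a recurring source of integer bugs. The following is an added illustration written for this page, not the DFGByteCodeParser.cpp change itself; the jump-target functions, their parameter names and the sample values are this example's own constructions. It shows the unsigned addition beside the cast workaround and why the wrong value is easy to miss.

```cpp
#include <cstdint>
#include <cstdio>

// Added illustration of the "unsigned + signed = unsigned" pitfall; it is not
// the DFG bytecode parser's code. The names (instruction index, relative jump
// offset, code length) are this example's model of a bytecode parser.

// Before: the int operand is converted to unsigned by the usual arithmetic
// conversions, the sum is computed in 32-bit unsigned arithmetic, and only then
// widened (zero-extended) into the 64-bit result.
int64_t jumpTargetUnchecked(unsigned instructionIndex, int relativeOffset) {
    return instructionIndex + relativeOffset;
}

// After: cast the unsigned operand first so the addition happens in signed
// arithmetic. The cast is only valid while the index fits in an int; that
// precondition is part of the fix and should be checked or documented.
int64_t jumpTargetCast(unsigned instructionIndex, int relativeOffset) {
    return static_cast<int>(instructionIndex) + relativeOffset;
}

// A bounds check that can tell "jumps before the start" apart from "jumps past
// the end" only when it is given the signed result.
bool jumpTargetInBounds(int64_t target, unsigned codeLength) {
    return target >= 0 && target < static_cast<int64_t>(codeLength);
}

int main() {
    // 10 + (-3): the 32-bit unsigned sum wraps back to 7, so the bug is invisible.
    std::printf("10 + -3: unchecked=%lld cast=%lld\n",
                static_cast<long long>(jumpTargetUnchecked(10u, -3)),
                static_cast<long long>(jumpTargetCast(10u, -3)));
    // 2 + (-5): the unsigned sum is 4294967293 rather than -3.
    std::printf("2 + -5: unchecked=%lld cast=%lld\n",
                static_cast<long long>(jumpTargetUnchecked(2u, -5)),
                static_cast<long long>(jumpTargetCast(2u, -5)));
    return 0;
}
```

The wrapped result 4294967293 still fails the upper bound of a range check, so the example stays safe by luck of that check; a lower-bound test such as `target < 0` on the unsigned sum would never fire, which is the kind of dead check an integer-conversion bug leaves behind.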

2013-08-21  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120137> Separating Win32 and Win64 builds.

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        Pass PlatformArchitecture as a command line parameter to bash scripts.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
        https://bugs.webkit.org/show_bug.cgi?id=120099

        Reviewed by Mark Hahnenberg.

        JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
        JSDataView may have ordinary JS indexed properties.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finishCreation):
        * runtime/JSArrayBufferView.h:
        (JSC::hasArrayBuffer):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::slowDownAndWasteMemory):
        * runtime/JSDataView.h:
        (JSC::JSDataView::buffer):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::slowDownAndWasteMemory):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove incorrect ASSERT from CopyVisitor::visitItem

        Rubber stamped by Filip Pizlo.

        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitItem):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Reviewed by Sam Weinig.

        This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove propertyIsEnumerable
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):
            - Move implementation here using getOwnPropertyDescriptor directly.

2013-08-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline new typedArray()
        https://bugs.webkit.org/show_bug.cgi?id=120022

        Reviewed by Oliver Hunt.

        Adds inlining of typed array allocations in the DFG. Any operation of the
        form:

            new foo(blah)

        or:

            foo(blah)

        where 'foo' is a typed array constructor and 'blah' is exactly one argument,
        is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
        is predicted integer, we generate inline code for an allocation. Otherwise
        it turns into a call to an operation that behaves like the constructor would
        if it was passed one argument (i.e. it may wrap a buffer or it may create a
        copy of another array, or it may allocate an array of that length).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromTypedArrayType):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArrayType):
        (JSC::DFG::Node::typedArrayType):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/JSArray.h:
        (JSC::JSArray::allocationSize):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::allocationSize):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::allocationSize):
        * runtime/TypedArrayType.cpp:
        (JSC::constructorClassInfoForType):
        * runtime/TypedArrayType.h:
        (JSC::indexToTypedArrayType):

2013-08-21  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.h:

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120093
        Remove getOwnPropertyDescriptor trap

        Reviewed by Geoff Garen.

        All implementations of this method are now called via the method table, and equivalent in behaviour.
        Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        * runtime/BooleanPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ClassInfo.h:
            - remove getOwnPropertyDescriptor from MethodTable
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
            - remove getOwnPropertyDescriptor
        * runtime/JSObject.cpp:
        (JSC::JSObject::propertyIsEnumerable):
            - switch to call new getOwnPropertyDescriptor member function
        (JSC::JSObject::getOwnPropertyDescriptor):
            - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        (JSC::JSObject::defineOwnNonIndexProperty):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/NamePrototype.cpp:
        * runtime/NamePrototype.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        * runtime/NumberPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/ObjectConstructor.h:
            - remove getOwnPropertyDescriptor
        * runtime/PropertyDescriptor.h:
            - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
            - remove getOwnPropertyDescriptor

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption

        Reviewed by Oliver Hunt.

        When we flatten an object in dictionary mode, we compact its properties. If the object
        had out-of-line storage in the form of a Butterfly prior to this compaction, and after
        compaction its properties fit inline, the object's Structure "forgets" that the object
        has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
        with bytes = 0, which causes all sorts of badness in CopiedSpace.

        Instead, after we flatten a dictionary, if properties fit inline we should clear the
        Butterfly pointer so that the GC doesn't get confused later.

        This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
        JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
        agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
        that the number of bytes reported to SlotVisitor::copyLater is non-zero.

        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 after r154156.

        Rubber stamped by Oliver Hunt.

        * jit/JITStubsMSVC64.asm:
        Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
        cti_vm_throw_slowpath to cti_vm_handle_exception.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120076> More work towards a Win64 build

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Use PlatformArchitecture macro instead of bin32, lib32, and obj32.

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Geoffrey Garen.

        More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the
        initializeLazyWriteBarrierFor* wrapper functions more sane.

        Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
        and index when triggering the WriteBarrier at the end of compilation.

        The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
        in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a
        little extra work that really shouldn't have been its responsibility.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-20  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120075
        REGRESSION (r128400): BBC4 website not displaying pictures

        Reviewed by Oliver Hunt.

        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
        so that the match results will be reified before any other modification to the results array.

2013-08-19  Filip Pizlo  <fpizlo@apple.com>

        Incorrect behavior on emscripten-compiled cube2hash
        https://bugs.webkit.org/show_bug.cgi?id=120033

        Reviewed by Mark Hahnenberg.

        If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
        then we should bail attempts to CSE.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120073
        Remove use of GOPD from JSFunction::defineProperty

        Reviewed by Oliver Hunt.

        Call getOwnPropertySlot to check for existing properties instead.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - getOwnPropertyDescriptor -> getOwnPropertySlot

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120067
        Remove getPropertyDescriptor

        Reviewed by Oliver Hunt.

        This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
        Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove getPropertyDescriptor
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
            - replace call to getPropertyDescriptor with getPropertySlot
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isAccessor):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::getterSetter):
            - rename isGetter() to isAccessor()

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120054
        Remove some dead code following getOwnPropertyDescriptor cleanup

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::getStaticFunctionSlot):
            - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120052
        Remove custom getOwnPropertyDescriptor for JSProxy

        Reviewed by Geoff Garen.

        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.

        * runtime/JSProxy.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/PropertyDescriptor.h:
            - Modify own property access check to perform toThis conversion.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=119512

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Replaced obj32, bin32, and lib32 with macros for 64-bit build.

2013-08-20  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.

        Reviewed by Allan Sandfeld Jensen.

        branchPtrWithPatch() of baseline JIT must ensure that space is available for its
        instructions and two constants now that DFG is enabled for sh4 architecture.
        These missing ensureSpace calls lead to random crashes.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchPtrWithPatch):

2013-08-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120034
        Remove custom getOwnPropertyDescriptor for global objects

        Reviewed by Geoff Garen.

        Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.

        * runtime/JSGlobalObject.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
            - The symbol table does not store the DontDelete attribute, we should be adding it back in.
        * runtime/PropertyDescriptor.h:
            - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setUndefined):
            - This is used by WebCore when blocking access to properties on cross-frame access.
              Mark blocked properties as read-only, non-configurable to prevent defineProperty.

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline typedArray.byteOffset
        https://bugs.webkit.org/show_bug.cgi?id=119962

        Reviewed by Oliver Hunt.

        This adds a new node, GetTypedArrayByteOffset, which inlines
        typedArray.byteOffset.

        Also, I improved a bunch of the clobbering logic related to typed arrays
        and clobbering in general. For example, PutByOffset/PutStructure are not
        clobber-world so they can be handled by most default cases in CSE. Also,
        it's better to use the 'Class_field' notation for typed arrays now that
        they no longer involve magical descriptor thingies.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::neverNeedsStorage):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
749         (JSC::DFG::safeToExecute):
750         * dfg/DFGSpeculativeJIT.cpp:
751         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
752         * dfg/DFGSpeculativeJIT.h:
753         * dfg/DFGSpeculativeJIT32_64.cpp:
754         (JSC::DFG::SpeculativeJIT::compile):
755         * dfg/DFGSpeculativeJIT64.cpp:
756         (JSC::DFG::SpeculativeJIT::compile):
757         * dfg/DFGTypeCheckHoistingPhase.cpp:
758         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
759         * runtime/ArrayBuffer.h:
760         (JSC::ArrayBuffer::offsetOfData):
761         * runtime/Butterfly.h:
762         (JSC::Butterfly::offsetOfArrayBuffer):
763         * runtime/IndexingHeader.h:
764         (JSC::IndexingHeader::offsetOfArrayBuffer):
765
766 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
767
768         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
769
770         Reviewed by Geoffrey Garen.
771
772         * dfg/DFGByteCodeParser.cpp:
773         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
774
775 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
776
777         https://bugs.webkit.org/show_bug.cgi?id=119995
778         Start removing custom implementations of getOwnPropertyDescriptor
779
780         Reviewed by Oliver Hunt.
781
782         This can now typically be implemented in terms of getOwnPropertySlot.
783         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
784         Switch over most classes in JSC & the WebCore bindings generator to use this.
785
786         * API/JSCallbackObjectFunctions.h:
787         * debugger/DebuggerActivation.cpp:
788         * runtime/Arguments.cpp:
789         * runtime/ArrayConstructor.cpp:
790         * runtime/ArrayPrototype.cpp:
791         * runtime/BooleanPrototype.cpp:
792         * runtime/DateConstructor.cpp:
793         * runtime/DatePrototype.cpp:
794         * runtime/ErrorPrototype.cpp:
795         * runtime/JSActivation.cpp:
796         * runtime/JSArray.cpp:
797         * runtime/JSArrayBuffer.cpp:
798         * runtime/JSArrayBufferView.cpp:
799         * runtime/JSCell.cpp:
800         * runtime/JSDataView.cpp:
801         * runtime/JSDataViewPrototype.cpp:
802         * runtime/JSFunction.cpp:
803         * runtime/JSGenericTypedArrayViewInlines.h:
804         * runtime/JSNotAnObject.cpp:
805         * runtime/JSONObject.cpp:
806         * runtime/JSObject.cpp:
807         * runtime/NamePrototype.cpp:
808         * runtime/NumberConstructor.cpp:
809         * runtime/NumberPrototype.cpp:
810         * runtime/ObjectConstructor.cpp:
811             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
812         * runtime/PropertyDescriptor.h:
813             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
814         * runtime/PropertySlot.h:
815         (JSC::PropertySlot::isValue):
816         (JSC::PropertySlot::isGetter):
817         (JSC::PropertySlot::isCustom):
818         (JSC::PropertySlot::isCacheableValue):
819         (JSC::PropertySlot::isCacheableGetter):
820         (JSC::PropertySlot::isCacheableCustom):
821         (JSC::PropertySlot::attributes):
822         (JSC::PropertySlot::getterSetter):
823             - Add accessors necessary to convert PropertySlot to descriptor.
824         * runtime/RegExpConstructor.cpp:
825         * runtime/RegExpMatchesArray.cpp:
826         * runtime/RegExpMatchesArray.h:
827         * runtime/RegExpObject.cpp:
828         * runtime/RegExpPrototype.cpp:
829         * runtime/StringConstructor.cpp:
830         * runtime/StringObject.cpp:
831             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
832
833 2013-08-19  Michael Saboff  <msaboff@apple.com>
834
835         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
836
837         Reviewed by Sam Weinig.
838
839         * dfg/DFGSpeculativeJIT32_64.cpp:
840         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
841         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
842         all versions of fillSpeculateBoolean().
843
844 2013-08-19  Michael Saboff  <msaboff@apple.com>
845
846         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
847
848         Reviewed by Benjamin Poulain.
849
850         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
851         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
852
853         * assembler/MacroAssemblerX86Common.h:
854         (JSC::MacroAssemblerX86Common::branchTest32):
855
856 2013-08-16  Oliver Hunt  <oliver@apple.com>
857
858         <https://webkit.org/b/119860> Crash during exception unwinding
859
860         Reviewed by Filip Pizlo.
861
862         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
863         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
864
865         We need this so that Throw and ThrowReferenceError no longer need to be treated as
866         terminals and the subsequent flush keeps the activation (and other registers) live.
867
868         * dfg/DFGAbstractInterpreterInlines.h:
869         (JSC::DFG::::executeEffects):
870         * dfg/DFGByteCodeParser.cpp:
871         (JSC::DFG::ByteCodeParser::parseBlock):
872         * dfg/DFGClobberize.h:
873         (JSC::DFG::clobberize):
874         * dfg/DFGFixupPhase.cpp:
875         (JSC::DFG::FixupPhase::fixupNode):
876         * dfg/DFGNode.h:
877         (JSC::DFG::Node::isTerminal):
878         * dfg/DFGNodeType.h:
879         * dfg/DFGPredictionPropagationPhase.cpp:
880         (JSC::DFG::PredictionPropagationPhase::propagate):
881         * dfg/DFGSafeToExecute.h:
882         (JSC::DFG::safeToExecute):
883         * dfg/DFGSpeculativeJIT32_64.cpp:
884         (JSC::DFG::SpeculativeJIT::compile):
885         * dfg/DFGSpeculativeJIT64.cpp:
886         (JSC::DFG::SpeculativeJIT::compile):
887
888 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
889
890         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
891
892         Reviewed by Oliver Hunt.
893
894         Guard the compilation of these files only if DFG_JIT is enabled.
895
896         * dfg/DFGDesiredTransitions.cpp:
897         * dfg/DFGDesiredTransitions.h:
898         * dfg/DFGDesiredWeakReferences.cpp:
899         * dfg/DFGDesiredWeakReferences.h:
900         * dfg/DFGDesiredWriteBarriers.cpp:
901         * dfg/DFGDesiredWriteBarriers.h:
902
903 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
904
905         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
906         https://bugs.webkit.org/show_bug.cgi?id=119961
907
908         Reviewed by Mark Hahnenberg.
909
910         * dfg/DFGFixupPhase.cpp:
911         (JSC::DFG::FixupPhase::fixupNode):
912
913 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
914
915         https://bugs.webkit.org/show_bug.cgi?id=119972
916         Add attributes field to PropertySlot
917
918         Reviewed by Geoff Garen.
919
920         For all JSC types, this makes getOwnPropertyDescriptor redundant.
921         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
922         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
923
924         No performance impact.
925
926         * runtime/PropertySlot.h:
927         (JSC::PropertySlot::setValue):
928         (JSC::PropertySlot::setCustom):
929         (JSC::PropertySlot::setCacheableCustom):
930         (JSC::PropertySlot::setCustomIndex):
931         (JSC::PropertySlot::setGetterSlot):
932         (JSC::PropertySlot::setCacheableGetterSlot):
933             - These methods now all require 'attributes'.
934         * runtime/JSObject.h:
935         (JSC::JSObject::getDirect):
936         (JSC::JSObject::getDirectOffset):
937         (JSC::JSObject::inlineGetOwnPropertySlot):
938             - Added variants of getDirect, getDirectOffset that return the attributes.
939         * API/JSCallbackObjectFunctions.h:
940         (JSC::::getOwnPropertySlot):
941         * runtime/Arguments.cpp:
942         (JSC::Arguments::getOwnPropertySlotByIndex):
943         (JSC::Arguments::getOwnPropertySlot):
944         * runtime/JSActivation.cpp:
945         (JSC::JSActivation::symbolTableGet):
946         (JSC::JSActivation::getOwnPropertySlot):
947         * runtime/JSArray.cpp:
948         (JSC::JSArray::getOwnPropertySlot):
949         * runtime/JSArrayBuffer.cpp:
950         (JSC::JSArrayBuffer::getOwnPropertySlot):
951         * runtime/JSArrayBufferView.cpp:
952         (JSC::JSArrayBufferView::getOwnPropertySlot):
953         * runtime/JSDataView.cpp:
954         (JSC::JSDataView::getOwnPropertySlot):
955         * runtime/JSFunction.cpp:
956         (JSC::JSFunction::getOwnPropertySlot):
957         * runtime/JSGenericTypedArrayViewInlines.h:
958         (JSC::::getOwnPropertySlot):
959         (JSC::::getOwnPropertySlotByIndex):
960         * runtime/JSObject.cpp:
961         (JSC::JSObject::getOwnPropertySlotByIndex):
962         (JSC::JSObject::fillGetterPropertySlot):
963         * runtime/JSString.h:
964         (JSC::JSString::getStringPropertySlot):
965         * runtime/JSSymbolTableObject.h:
966         (JSC::symbolTableGet):
967         * runtime/Lookup.cpp:
968         (JSC::setUpStaticFunctionSlot):
969         * runtime/Lookup.h:
970         (JSC::getStaticPropertySlot):
971         (JSC::getStaticPropertyDescriptor):
972         (JSC::getStaticValueSlot):
973         (JSC::getStaticValueDescriptor):
974         * runtime/RegExpObject.cpp:
975         (JSC::RegExpObject::getOwnPropertySlot):
976         * runtime/SparseArrayValueMap.cpp:
977         (JSC::SparseArrayEntry::get):
978             - Pass attributes to PropertySlot::set* methods.
979
980 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
981
982         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
983
984         Reviewed by Filip Pizlo.
985
986         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
987         Vector of WriteBarriers rather than the specific address. The fact that we were 
988         arbitrarily storing into a Vector's backing store for constants at the end of 
989         compilation after the Vector could have resized was causing crashes.
990
991         * bytecode/CodeBlock.h:
992         (JSC::CodeBlock::constants):
993         (JSC::CodeBlock::addConstantLazily):
994         * dfg/DFGByteCodeParser.cpp:
995         (JSC::DFG::ByteCodeParser::addConstant):
996         * dfg/DFGDesiredWriteBarriers.cpp:
997         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
998         (JSC::DFG::DesiredWriteBarrier::trigger):
999         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1000         * dfg/DFGDesiredWriteBarriers.h:
1001         (JSC::DFG::DesiredWriteBarriers::add):
1002         * dfg/DFGFixupPhase.cpp:
1003         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1004         * dfg/DFGGraph.h:
1005         (JSC::DFG::Graph::constantRegisterForConstant):
1006
1007 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1008
1009         DFG should optimize typedArray.byteLength
1010         https://bugs.webkit.org/show_bug.cgi?id=119909
1011
1012         Reviewed by Oliver Hunt.
1013         
1014         This adds typedArray.byteLength inlining to the DFG, and does so without changing
1015         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
1016         legal since the byteLength of a typed array cannot exceed
1017         numeric_limits<int32_t>::max().
1018
1019         * bytecode/SpeculatedType.cpp:
1020         (JSC::typedArrayTypeFromSpeculation):
1021         * bytecode/SpeculatedType.h:
1022         * dfg/DFGArrayMode.cpp:
1023         (JSC::DFG::toArrayType):
1024         * dfg/DFGArrayMode.h:
1025         * dfg/DFGFixupPhase.cpp:
1026         (JSC::DFG::FixupPhase::fixupNode):
1027         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1028         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
1029         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1030         (JSC::DFG::FixupPhase::prependGetArrayLength):
1031         * dfg/DFGGraph.h:
1032         (JSC::DFG::Graph::constantRegisterForConstant):
1033         (JSC::DFG::Graph::convertToConstant):
1034         * runtime/TypedArrayType.h:
1035         (JSC::logElementSize):
1036         (JSC::elementSize):
1037
1038 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1039
1040         DFG optimizes out strict mode arguments tear off
1041         https://bugs.webkit.org/show_bug.cgi?id=119504
1042
1043         Reviewed by Mark Hahnenberg and Oliver Hunt.
1044         
1045         Don't do the optimization for strict mode.
1046
1047         * dfg/DFGArgumentsSimplificationPhase.cpp:
1048         (JSC::DFG::ArgumentsSimplificationPhase::run):
1049         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
1050
1051 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
1052
1053         [JSC] x86: improve code generation for xxxTest32
1054         https://bugs.webkit.org/show_bug.cgi?id=119876
1055
1056         Reviewed by Geoffrey Garen.
1057
1058         Try to use testb whenever possible when testing for an immediate value.
1059
1060         When the input is an address and an offset, we can tweak the mask
1061         and offset to be able to generate testb for any byte of the mask.
1062
1063         When the input is a register, we can use testb if we are only interested
1064         in testing the low bits.
1065
1066         * assembler/MacroAssemblerX86Common.h:
1067         (JSC::MacroAssemblerX86Common::branchTest32):
1068         (JSC::MacroAssemblerX86Common::test32):
1069         (JSC::MacroAssemblerX86Common::generateTest32):
1070
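The two x86 entries above (the r154207 fix to branchTest32 and the xxxTest32 code generation change) both turn on one encoding caveat: without a REX prefix, byte-register numbers 4 through 7 select ah/ch/dh/bh, not the low byte of esp/ebp/esi/edi, so a `testb` against those registers tests the wrong data. The following is an added illustration written for this page, not WebKit's MacroAssembler or X86Assembler code. It assumes the usual register numbering (0=eax ... 7=edi), encodes `test r/m8, imm8` (F6 /0 ib) only when the low byte is addressable, and otherwise falls back to `test r/m32, imm32` (F7 /0 id); the shorter accumulator form (A9 id) is deliberately not used.

```python
"""Added example (not WebKit code): choose between an 8-bit and a 32-bit
`test` encoding against a general-purpose register, honouring the x86 rule
that byte registers 4..7 mean ah/ch/dh/bh unless a REX prefix is present."""
import struct

# Assumed register numbering (standard x86 order, not taken from the ChangeLog).
REG_NAMES32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
BYTE_REG_NAMES_NO_REX = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
BYTE_REG_NAMES_REX_HIGH = ["spl", "bpl", "sil", "dil"]  # numbers 4..7 with REX


def modrm(reg_field: int, rm: int) -> int:
    """Register-direct ModRM byte: mod=11, reg=opcode extension, rm=register."""
    return 0xC0 | ((reg_field & 7) << 3) | (rm & 7)


def can_use_low_byte(reg: int, x86_64: bool) -> bool:
    """True if `testb` on this register really tests its low byte.

    In 32-bit mode there is no REX prefix, so byte operand numbers 4..7
    encode the HIGH byte of eax/ecx/edx/ebx. Only registers 0..3 are safe.
    In 64-bit mode a REX prefix remaps 4..7 to spl/bpl/sil/dil."""
    if x86_64:
        return True
    return reg < 4


def byte_register_actually_tested(reg: int, x86_64: bool = False) -> str:
    """Name of the 8-bit register a bare `F6 /0` with rm=reg would touch.
    This is what the pre-r154207 emitter would have tested by mistake."""
    if x86_64 and reg >= 4:
        return BYTE_REG_NAMES_REX_HIGH[reg - 4]
    return BYTE_REG_NAMES_NO_REX[reg]


def encode_test_imm(reg: int, mask: int, x86_64: bool = False) -> bytes:
    """Emit `test <reg>, mask` using testb only when that is correct.

    Returns the raw instruction bytes.  The 8-bit form is chosen when the
    mask fits in the low byte AND the register's low byte is addressable;
    otherwise the full 32-bit form is used so the test stays correct."""
    if not 0 <= reg <= 7:
        raise ValueError("this example covers the legacy registers 0..7 only")
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("mask must fit in 32 bits")

    if mask <= 0xFF and can_use_low_byte(reg, x86_64):
        prefix = b""
        if x86_64 and reg >= 4:
            # An empty REX prefix (0x40) is what makes rm=4..7 mean spl..dil.
            prefix = b"\x40"
        return prefix + bytes([0xF6, modrm(0, reg), mask])

    # Fallback: test r/m32, imm32 (F7 /0 id), always tests the whole register.
    return bytes([0xF7, modrm(0, reg)]) + struct.pack("<I", mask)


if __name__ == "__main__":
    for reg in range(8):
        enc = encode_test_imm(reg, 0x01).hex()
        print(f"32-bit  test {REG_NAMES32[reg]}, 1  -> {enc}"
              f"   (bare testb would hit {byte_register_actually_tested(reg)})")
```

Running the block shows that `test esi, 1` is encoded as `f7c601000000` in 32-bit mode, whereas a naive `testb` (`f6c601`) would have tested `dh`, which is exactly the register mix-up the r154207 fix addresses.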
1071 2013-08-16  Mark Lam  <mark.lam@apple.com>
1072
1073         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
1074         error message that an object is not a constructor though it expects a function
1075
1076         Reviewed by Michael Saboff.
1077
1078         * jit/JITStubs.cpp:
1079         (JSC::DEFINE_STUB_FUNCTION):
1080
1081 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1082
1083         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
1084         https://bugs.webkit.org/show_bug.cgi?id=119897
1085
1086         Reviewed by Oliver Hunt.
1087         
1088         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
1089         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
1090         to turn objects into dictionaries when you're storing using bracket syntax or using
1091         eval is still in place.
1092
1093         * bytecode/CodeBlock.h:
1094         (JSC::CodeBlock::putByIdContext):
1095         * dfg/DFGOperations.cpp:
1096         * jit/JITStubs.cpp:
1097         (JSC::DEFINE_STUB_FUNCTION):
1098         * llint/LLIntSlowPaths.cpp:
1099         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1100         * runtime/JSObject.h:
1101         (JSC::JSObject::putDirectInternal):
1102         * runtime/PutPropertySlot.h:
1103         (JSC::PutPropertySlot::PutPropertySlot):
1104         (JSC::PutPropertySlot::context):
1105         * runtime/Structure.cpp:
1106         (JSC::Structure::addPropertyTransition):
1107         * runtime/Structure.h:
1108
1109 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
1110
1111         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
1112
1113         Reviewed by Allan Sandfeld Jensen.
1114
1115         ctiVMHandleException must jump/return using register ra (r31).
1116
1117         * jit/JITStubsMIPS.h:
1118
1119 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
1120
1121         <https://webkit.org/b/119879> Fix sh4 build after r154156.
1122
1123         Reviewed by Allan Sandfeld Jensen.
1124
1125         Fix typo in JITStubsSH4.h file.
1126
1127         * jit/JITStubsSH4.h:
1128
1129 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1130
1131         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
1132
1133         Reviewed by Oliver Hunt.
1134
1135         The concurrent compilation thread should interact minimally with the Heap, including not 
1136         triggering WriteBarriers. This is a prerequisite for generational GC.
1137
1138         * JavaScriptCore.xcodeproj/project.pbxproj:
1139         * bytecode/CodeBlock.cpp:
1140         (JSC::CodeBlock::addOrFindConstant):
1141         (JSC::CodeBlock::findConstant):
1142         * bytecode/CodeBlock.h:
1143         (JSC::CodeBlock::addConstantLazily):
1144         * dfg/DFGByteCodeParser.cpp:
1145         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1146         (JSC::DFG::ByteCodeParser::constantUndefined):
1147         (JSC::DFG::ByteCodeParser::constantNull):
1148         (JSC::DFG::ByteCodeParser::one):
1149         (JSC::DFG::ByteCodeParser::constantNaN):
1150         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1151         * dfg/DFGCommonData.cpp:
1152         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1153         * dfg/DFGCommonData.h:
1154         * dfg/DFGDesiredTransitions.cpp: Added.
1155         (JSC::DFG::DesiredTransition::DesiredTransition):
1156         (JSC::DFG::DesiredTransition::reallyAdd):
1157         (JSC::DFG::DesiredTransitions::DesiredTransitions):
1158         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
1159         (JSC::DFG::DesiredTransitions::addLazily):
1160         (JSC::DFG::DesiredTransitions::reallyAdd):
1161         * dfg/DFGDesiredTransitions.h: Added.
1162         * dfg/DFGDesiredWeakReferences.cpp: Added.
1163         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1164         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
1165         (JSC::DFG::DesiredWeakReferences::addLazily):
1166         (JSC::DFG::DesiredWeakReferences::reallyAdd):
1167         * dfg/DFGDesiredWeakReferences.h: Added.
1168         * dfg/DFGDesiredWriteBarriers.cpp: Added.
1169         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1170         (JSC::DFG::DesiredWriteBarrier::trigger):
1171         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
1172         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
1173         (JSC::DFG::DesiredWriteBarriers::addImpl):
1174         (JSC::DFG::DesiredWriteBarriers::trigger):
1175         * dfg/DFGDesiredWriteBarriers.h: Added.
1176         (JSC::DFG::DesiredWriteBarriers::add):
1177         (JSC::DFG::initializeLazyWriteBarrier):
1178         * dfg/DFGFixupPhase.cpp:
1179         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1180         * dfg/DFGGraph.h:
1181         (JSC::DFG::Graph::convertToConstant):
1182         * dfg/DFGJITCompiler.h:
1183         (JSC::DFG::JITCompiler::addWeakReference):
1184         * dfg/DFGPlan.cpp:
1185         (JSC::DFG::Plan::Plan):
1186         (JSC::DFG::Plan::reallyAdd):
1187         * dfg/DFGPlan.h:
1188         * dfg/DFGSpeculativeJIT32_64.cpp:
1189         (JSC::DFG::SpeculativeJIT::compile):
1190         * dfg/DFGSpeculativeJIT64.cpp:
1191         (JSC::DFG::SpeculativeJIT::compile):
1192         * runtime/WriteBarrier.h:
1193         (JSC::WriteBarrierBase::set):
1194         (JSC::WriteBarrier::WriteBarrier):
1195
1196 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1197
1198         Fix x86 32bits build after r154158
1199
1200         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
1201
1202 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
1203
1204         Build fix attempt after r154156.
1205
1206         * jit/JITStubs.cpp:
1207         (JSC::cti_vm_handle_exception): encode!
1208
1209 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1210
1211         [JSC] x86: Use inc and dec when possible
1212         https://bugs.webkit.org/show_bug.cgi?id=119831
1213
1214         Reviewed by Geoffrey Garen.
1215
1216         When incrementing or decrementing by an immediate of 1, use the instructions
1217         inc and dec instead of add and sub.
1218         The instructions have good timing and their encoding is smaller.
1219
1220         * assembler/MacroAssemblerX86Common.h:
1221         (JSC::MacroAssemblerX86_64::add32):
1222         (JSC::MacroAssemblerX86_64::sub32):
1223         * assembler/MacroAssemblerX86_64.h:
1224         (JSC::MacroAssemblerX86_64::add64):
1225         (JSC::MacroAssemblerX86_64::sub64):
1226         * assembler/X86Assembler.h:
1227         (JSC::X86Assembler::dec_r):
1228         (JSC::X86Assembler::decq_r):
1229         (JSC::X86Assembler::inc_r):
1230         (JSC::X86Assembler::incq_r):
1231
1232 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1233
1234         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
1235         https://bugs.webkit.org/show_bug.cgi?id=119874
1236
1237         Reviewed by Oliver Hunt and Mark Hahnenberg.
1238         
1239         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
1240         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
1241         sometimes for typed array length accesses, and the FixupPhase assuming that a
1242         ForceExit ArrayMode means that it should continue using a generic GetById.
1243
1244         This fixes the confusion.
1245
1246         * dfg/DFGFixupPhase.cpp:
1247         (JSC::DFG::FixupPhase::fixupNode):
1248
1249 2013-08-15  Mark Lam  <mark.lam@apple.com>
1250
1251         Fix crash when performing activation tearoff.
1252         https://bugs.webkit.org/show_bug.cgi?id=119848
1253
1254         Reviewed by Oliver Hunt.
1255
1256         The activation tearoff crash was due to a bug in the baseline JIT.
1257         If we have a scenario where a baseline JIT frame calls a LLINT
1258         frame, an exception may be thrown while in the LLINT.
1259
1260         Interpreter::throwException() which handles the exception will unwind
1261         all frames until it finds a catcher or sees a host frame. When we
1262         return from the LLINT to the baseline JIT code, the baseline JIT code
1263         erroneously sets topCallFrame to the value in its call frame register,
1264         and starts unwinding the stack frames that have already been unwound.
1265
1266         The fix is:
1267         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1268            This is a more accurate description of what this runtime function
1269            is supposed to do i.e. it handles the exception which includes doing
1270            nothing (if there are no more frames to unwind).
1271         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
1272            set on it.
1273         3. Reloading the call frame register from topCallFrame when we're
1274            returning from a callee and detect exception handling in progress.
1275
1276         * interpreter/Interpreter.cpp:
1277         (JSC::Interpreter::unwindCallFrame):
1278         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1279         (JSC::Interpreter::getStackTrace):
1280         * interpreter/Interpreter.h:
1281         (JSC::TopCallFrameSetter::TopCallFrameSetter):
1282         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
1283         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1284         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1285         * jit/JIT.h:
1286         * jit/JITExceptions.cpp:
1287         (JSC::uncaughtExceptionHandler):
1288         - Convenience function to get the handler for uncaught exceptions.
1289         * jit/JITExceptions.h:
1290         * jit/JITInlines.h:
1291         (JSC::JIT::reloadCallFrameFromTopCallFrame):
1292         * jit/JITOpcodes32_64.cpp:
1293         (JSC::JIT::privateCompileCTINativeCall):
1294         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1295         * jit/JITStubs.cpp:
1296         (JSC::throwExceptionFromOpCall):
1297         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1298         (JSC::cti_vm_handle_exception):
1299         - Check for the case when there are no more frames to unwind.
1300         * jit/JITStubs.h:
1301         * jit/JITStubsARM.h:
1302         * jit/JITStubsARMv7.h:
1303         * jit/JITStubsMIPS.h:
1304         * jit/JITStubsSH4.h:
1305         * jit/JITStubsX86.h:
1306         * jit/JITStubsX86_64.h:
1307         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1308         * jit/SlowPathCall.h:
1309         (JSC::JITSlowPathCall::call):
1310         - reload cfr from topcallFrame when handling an exception.
1311         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1312         * jit/ThunkGenerators.cpp:
1313         (JSC::nativeForGenerator):
1314         * llint/LowLevelInterpreter32_64.asm:
1315         * llint/LowLevelInterpreter64.asm:
1316         - reload cfr from topcallFrame when handling an exception.
1317         * runtime/VM.cpp:
1318         (JSC::VM::VM):
1319         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1320
1321 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1322
1323         Remove some code duplication.
1324         
1325         Rubber stamped by Mark Hahnenberg.
1326
1327         * runtime/JSDataViewPrototype.cpp:
1328         (JSC::getData):
1329         (JSC::setData):
1330
1331 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
1332
1333         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
1334         https://bugs.webkit.org/show_bug.cgi?id=119794
1335
1336         Reviewed by Filip Pizlo.
1337
1338         This patch fixes ASSERT failures in debug builds for sh4 and mips architecture.
1339
1340         * dfg/DFGUseKind.h:
1341         (JSC::DFG::isNumerical):
1342         (JSC::DFG::isDouble):
1343
1344 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1345
1346         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
1347
1348         Rubber stamped by Oliver Hunt.
1349         
1350         This was causing some test crashes for me.
1351
1352         * dfg/DFGCapabilities.cpp:
1353         (JSC::DFG::capabilityLevel):
1354
1355 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1356
1357         [Windows] Clear up improper export declaration.
1358
1359         * runtime/ArrayBufferView.h:
1360
1361 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1362
1363         Unreviewed, remove some unnecessary periods from exceptions.
1364
1365         * runtime/JSDataViewPrototype.cpp:
1366         (JSC::getData):
1367         (JSC::setData):
1368
1369 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1370
1371         Unreviewed, fix 32-bit build.
1372
1373         * dfg/DFGSpeculativeJIT32_64.cpp:
1374         (JSC::DFG::SpeculativeJIT::compile):
1375
1376 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
1377
1378         Typed arrays should be rewritten
1379         https://bugs.webkit.org/show_bug.cgi?id=119064
1380
1381         Reviewed by Oliver Hunt.
1382         
1383         Typed arrays were previously deficient in several major ways:
1384         
1385         - They were defined separately in WebCore and in the jsc shell. The two
1386           implementations were different, and the jsc shell one was basically wrong.
1387           The WebCore one was quite awful, also.
1388         
1389         - Typed arrays were not visible to the JIT except through some weird hooks.
1390           For example, the JIT could not ask "what is the Structure that this typed
1391           array would have if I just allocated it from this global object". Also,
1392           it was difficult to wire any of the typed array intrinsics, because most
1393           of the functionality wasn't visible anywhere in JSC.
1394         
1395         - Typed array allocation was brain-dead. Allocating a typed array involved
1396           two JS objects, two GC weak handles, and three malloc allocations.
1397         
1398         - Neutering. It involved keeping tabs on all native views but not the view
1399           wrappers, even though the native views can autoneuter just by asking the
1400           buffer if it was neutered anytime you touch them; while the JS view
1401           wrappers are the ones that you really want to reach out to.
1402         
1403         - Common case-ing. Most typed arrays have one buffer and one view, and
1404           usually nobody touches the buffer. Yet we created all of that stuff
1405           anyway, using data structures optimized for the case where you had a lot
1406           of views.
1407         
1408         - Semantic goofs. Typed arrays should, in the future, behave like ES
1409           features rather than DOM features, for example when it comes to exceptions.
1410           Firefox already does this and I agree with them.
1411         
1412         This patch cleanses our codebase of these sins:
1413         
1414         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
1415           management of native references to buffers is left to WebCore.
1416         
1417         - Allocating a typed array requires either two GC allocations (a cell and a
1418           copied storage vector) or one GC allocation, a malloc allocation, and a
1419           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
1420           latter). The latter is only used for oversize arrays. Remember that before
1421           it was 7 allocations no matter what.
1422         
1423         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
1424           mode/length, void* vector. Before it was a lot more than that - remember,
1425           there were five additional objects that did absolutely nothing for anybody.
1426         
1427         - Native views aren't tracked by the buffer, or by the wrappers. They are
1428           transient. In the future we'll probably switch to not even having them be
1429           malloc'd.
1430         
1431         - Native array buffers have an efficient way of tracking all of their JS view
1432           wrappers, both for neutering, and for lifecycle management. The GC
1433           special-cases native array buffers. This saves a bunch of grief; for example
1434           it means that a JS view wrapper can refer to its buffer via the butterfly,
1435           which would be dead by the time we went to finalize.
1436         
1437         - Typed array semantics now match Firefox, which also happens to be where the
1438           standards are going. The discussion on webkit-dev seemed to confirm that
1439           Chrome is also heading in this direction. This includes making
1440           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
1441           ArrayBufferView as a JS-visible construct.
1442         
1443         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
1444         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
1445         further typed array optimizations in the JSC JITs, including inlining typed
1446         array allocation, inlining more of the accessors, reducing the cost of type
1447         checks, etc.
1448         
1449         An additional property of this patch is that typed arrays are mostly
1450         implemented using templates. This deduplicates a bunch of code, but does mean
1451         that we need some hacks for exporting s_info's of template classes. See
1452         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
1453         low-impact compared to code duplication.
1454         
1455         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
1456
1457         * CMakeLists.txt:
1458         * DerivedSources.make:
1459         * GNUmakefile.list.am:
1460         * JSCTypedArrayStubs.h: Removed.
1461         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1462         * JavaScriptCore.xcodeproj/project.pbxproj:
1463         * Target.pri:
1464         * bytecode/ByValInfo.h:
1465         (JSC::hasOptimizableIndexingForClassInfo):
1466         (JSC::jitArrayModeForClassInfo):
1467         (JSC::typedArrayTypeForJITArrayMode):
1468         * bytecode/SpeculatedType.cpp:
1469         (JSC::speculationFromClassInfo):
1470         * dfg/DFGArrayMode.cpp:
1471         (JSC::DFG::toTypedArrayType):
1472         * dfg/DFGArrayMode.h:
1473         (JSC::DFG::ArrayMode::typedArrayType):
1474         * dfg/DFGSpeculativeJIT.cpp:
1475         (JSC::DFG::SpeculativeJIT::checkArray):
1476         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1477         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1478         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1479         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1480         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1481         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1482         * dfg/DFGSpeculativeJIT.h:
1483         * dfg/DFGSpeculativeJIT32_64.cpp:
1484         (JSC::DFG::SpeculativeJIT::compile):
1485         * dfg/DFGSpeculativeJIT64.cpp:
1486         (JSC::DFG::SpeculativeJIT::compile):
1487         * heap/CopyToken.h:
1488         * heap/DeferGC.h:
1489         (JSC::DeferGCForAWhile::DeferGCForAWhile):
1490         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
1491         * heap/GCIncomingRefCounted.h: Added.
1492         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
1493         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
1494         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
1495         (JSC::GCIncomingRefCounted::incomingReferenceAt):
1496         (JSC::GCIncomingRefCounted::singletonFlag):
1497         (JSC::GCIncomingRefCounted::hasVectorOfCells):
1498         (JSC::GCIncomingRefCounted::hasAnyIncoming):
1499         (JSC::GCIncomingRefCounted::hasSingleton):
1500         (JSC::GCIncomingRefCounted::singleton):
1501         (JSC::GCIncomingRefCounted::vectorOfCells):
1502         * heap/GCIncomingRefCountedInlines.h: Added.
1503         (JSC::::addIncomingReference):
1504         (JSC::::filterIncomingReferences):
1505         * heap/GCIncomingRefCountedSet.h: Added.
1506         (JSC::GCIncomingRefCountedSet::size):
1507         * heap/GCIncomingRefCountedSetInlines.h: Added.
1508         (JSC::::GCIncomingRefCountedSet):
1509         (JSC::::~GCIncomingRefCountedSet):
1510         (JSC::::addReference):
1511         (JSC::::sweep):
1512         (JSC::::removeAll):
1513         (JSC::::removeDead):
1514         * heap/Heap.cpp:
1515         (JSC::Heap::addReference):
1516         (JSC::Heap::extraSize):
1517         (JSC::Heap::size):
1518         (JSC::Heap::capacity):
1519         (JSC::Heap::collect):
1520         (JSC::Heap::decrementDeferralDepth):
1521         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1522         * heap/Heap.h:
1523         * interpreter/CallFrame.h:
1524         (JSC::ExecState::dataViewTable):
1525         * jit/JIT.h:
1526         * jit/JITPropertyAccess.cpp:
1527         (JSC::JIT::privateCompileGetByVal):
1528         (JSC::JIT::privateCompilePutByVal):
1529         (JSC::JIT::emitIntTypedArrayGetByVal):
1530         (JSC::JIT::emitFloatTypedArrayGetByVal):
1531         (JSC::JIT::emitIntTypedArrayPutByVal):
1532         (JSC::JIT::emitFloatTypedArrayPutByVal):
1533         * jsc.cpp:
1534         (GlobalObject::finishCreation):
1535         * runtime/ArrayBuffer.cpp:
1536         (JSC::ArrayBuffer::transfer):
1537         * runtime/ArrayBuffer.h:
1538         (JSC::ArrayBuffer::createAdopted):
1539         (JSC::ArrayBuffer::ArrayBuffer):
1540         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1541         (JSC::ArrayBuffer::pin):
1542         (JSC::ArrayBuffer::unpin):
1543         (JSC::ArrayBufferContents::tryAllocate):
1544         * runtime/ArrayBufferView.cpp:
1545         (JSC::ArrayBufferView::ArrayBufferView):
1546         (JSC::ArrayBufferView::~ArrayBufferView):
1547         (JSC::ArrayBufferView::setNeuterable):
1548         * runtime/ArrayBufferView.h:
1549         (JSC::ArrayBufferView::isNeutered):
1550         (JSC::ArrayBufferView::buffer):
1551         (JSC::ArrayBufferView::baseAddress):
1552         (JSC::ArrayBufferView::byteOffset):
1553         (JSC::ArrayBufferView::verifySubRange):
1554         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1555         (JSC::ArrayBufferView::calculateOffsetAndLength):
1556         * runtime/ClassInfo.h:
1557         * runtime/CommonIdentifiers.h:
1558         * runtime/DataView.cpp: Added.
1559         (JSC::DataView::DataView):
1560         (JSC::DataView::create):
1561         (JSC::DataView::wrap):
1562         * runtime/DataView.h: Added.
1563         (JSC::DataView::byteLength):
1564         (JSC::DataView::getType):
1565         (JSC::DataView::get):
1566         (JSC::DataView::set):
1567         * runtime/Float32Array.h:
1568         * runtime/Float64Array.h:
1569         * runtime/GenericTypedArrayView.h: Added.
1570         (JSC::GenericTypedArrayView::data):
1571         (JSC::GenericTypedArrayView::set):
1572         (JSC::GenericTypedArrayView::setRange):
1573         (JSC::GenericTypedArrayView::zeroRange):
1574         (JSC::GenericTypedArrayView::zeroFill):
1575         (JSC::GenericTypedArrayView::length):
1576         (JSC::GenericTypedArrayView::byteLength):
1577         (JSC::GenericTypedArrayView::item):
1578         (JSC::GenericTypedArrayView::checkInboundData):
1579         (JSC::GenericTypedArrayView::getType):
1580         * runtime/GenericTypedArrayViewInlines.h: Added.
1581         (JSC::::GenericTypedArrayView):
1582         (JSC::::create):
1583         (JSC::::createUninitialized):
1584         (JSC::::subarray):
1585         (JSC::::wrap):
1586         * runtime/IndexingHeader.h:
1587         (JSC::IndexingHeader::arrayBuffer):
1588         (JSC::IndexingHeader::setArrayBuffer):
1589         * runtime/Int16Array.h:
1590         * runtime/Int32Array.h:
1591         * runtime/Int8Array.h:
1592         * runtime/JSArrayBuffer.cpp: Added.
1593         (JSC::JSArrayBuffer::JSArrayBuffer):
1594         (JSC::JSArrayBuffer::finishCreation):
1595         (JSC::JSArrayBuffer::create):
1596         (JSC::JSArrayBuffer::createStructure):
1597         (JSC::JSArrayBuffer::getOwnPropertySlot):
1598         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
1599         (JSC::JSArrayBuffer::put):
1600         (JSC::JSArrayBuffer::defineOwnProperty):
1601         (JSC::JSArrayBuffer::deleteProperty):
1602         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1603         * runtime/JSArrayBuffer.h: Added.
1604         (JSC::JSArrayBuffer::impl):
1605         (JSC::toArrayBuffer):
1606         * runtime/JSArrayBufferConstructor.cpp: Added.
1607         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1608         (JSC::JSArrayBufferConstructor::finishCreation):
1609         (JSC::JSArrayBufferConstructor::create):
1610         (JSC::JSArrayBufferConstructor::createStructure):
1611         (JSC::constructArrayBuffer):
1612         (JSC::JSArrayBufferConstructor::getConstructData):
1613         (JSC::JSArrayBufferConstructor::getCallData):
1614         * runtime/JSArrayBufferConstructor.h: Added.
1615         * runtime/JSArrayBufferPrototype.cpp: Added.
1616         (JSC::arrayBufferProtoFuncSlice):
1617         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
1618         (JSC::JSArrayBufferPrototype::finishCreation):
1619         (JSC::JSArrayBufferPrototype::create):
1620         (JSC::JSArrayBufferPrototype::createStructure):
1621         * runtime/JSArrayBufferPrototype.h: Added.
1622         * runtime/JSArrayBufferView.cpp: Added.
1623         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1624         (JSC::JSArrayBufferView::JSArrayBufferView):
1625         (JSC::JSArrayBufferView::finishCreation):
1626         (JSC::JSArrayBufferView::getOwnPropertySlot):
1627         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
1628         (JSC::JSArrayBufferView::put):
1629         (JSC::JSArrayBufferView::defineOwnProperty):
1630         (JSC::JSArrayBufferView::deleteProperty):
1631         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1632         (JSC::JSArrayBufferView::finalize):
1633         * runtime/JSArrayBufferView.h: Added.
1634         (JSC::JSArrayBufferView::sizeOf):
1635         (JSC::JSArrayBufferView::ConstructionContext::operator!):
1636         (JSC::JSArrayBufferView::ConstructionContext::structure):
1637         (JSC::JSArrayBufferView::ConstructionContext::vector):
1638         (JSC::JSArrayBufferView::ConstructionContext::length):
1639         (JSC::JSArrayBufferView::ConstructionContext::mode):
1640         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
1641         (JSC::JSArrayBufferView::mode):
1642         (JSC::JSArrayBufferView::vector):
1643         (JSC::JSArrayBufferView::length):
1644         (JSC::JSArrayBufferView::offsetOfVector):
1645         (JSC::JSArrayBufferView::offsetOfLength):
1646         (JSC::JSArrayBufferView::offsetOfMode):
1647         * runtime/JSArrayBufferViewInlines.h: Added.
1648         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
1649         (JSC::JSArrayBufferView::buffer):
1650         (JSC::JSArrayBufferView::impl):
1651         (JSC::JSArrayBufferView::neuter):
1652         (JSC::JSArrayBufferView::byteOffset):
1653         * runtime/JSCell.cpp:
1654         (JSC::JSCell::slowDownAndWasteMemory):
1655         (JSC::JSCell::getTypedArrayImpl):
1656         * runtime/JSCell.h:
1657         * runtime/JSDataView.cpp: Added.
1658         (JSC::JSDataView::JSDataView):
1659         (JSC::JSDataView::create):
1660         (JSC::JSDataView::createUninitialized):
1661         (JSC::JSDataView::set):
1662         (JSC::JSDataView::typedImpl):
1663         (JSC::JSDataView::getOwnPropertySlot):
1664         (JSC::JSDataView::getOwnPropertyDescriptor):
1665         (JSC::JSDataView::slowDownAndWasteMemory):
1666         (JSC::JSDataView::getTypedArrayImpl):
1667         (JSC::JSDataView::createStructure):
1668         * runtime/JSDataView.h: Added.
1669         * runtime/JSDataViewPrototype.cpp: Added.
1670         (JSC::JSDataViewPrototype::JSDataViewPrototype):
1671         (JSC::JSDataViewPrototype::create):
1672         (JSC::JSDataViewPrototype::createStructure):
1673         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1674         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1675         (JSC::getData):
1676         (JSC::setData):
1677         (JSC::dataViewProtoFuncGetInt8):
1678         (JSC::dataViewProtoFuncGetInt16):
1679         (JSC::dataViewProtoFuncGetInt32):
1680         (JSC::dataViewProtoFuncGetUint8):
1681         (JSC::dataViewProtoFuncGetUint16):
1682         (JSC::dataViewProtoFuncGetUint32):
1683         (JSC::dataViewProtoFuncGetFloat32):
1684         (JSC::dataViewProtoFuncGetFloat64):
1685         (JSC::dataViewProtoFuncSetInt8):
1686         (JSC::dataViewProtoFuncSetInt16):
1687         (JSC::dataViewProtoFuncSetInt32):
1688         (JSC::dataViewProtoFuncSetUint8):
1689         (JSC::dataViewProtoFuncSetUint16):
1690         (JSC::dataViewProtoFuncSetUint32):
1691         (JSC::dataViewProtoFuncSetFloat32):
1692         (JSC::dataViewProtoFuncSetFloat64):
1693         * runtime/JSDataViewPrototype.h: Added.
1694         * runtime/JSFloat32Array.h: Added.
1695         * runtime/JSFloat64Array.h: Added.
1696         * runtime/JSGenericTypedArrayView.h: Added.
1697         (JSC::JSGenericTypedArrayView::byteLength):
1698         (JSC::JSGenericTypedArrayView::byteSize):
1699         (JSC::JSGenericTypedArrayView::typedVector):
1700         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1701         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1702         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1703         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1704         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1705         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1706         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1707         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1708         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1709         (JSC::JSGenericTypedArrayView::typedImpl):
1710         (JSC::JSGenericTypedArrayView::createStructure):
1711         (JSC::JSGenericTypedArrayView::info):
1712         (JSC::toNativeTypedView):
1713         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1714         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1715         (JSC::::JSGenericTypedArrayViewConstructor):
1716         (JSC::::finishCreation):
1717         (JSC::::create):
1718         (JSC::::createStructure):
1719         (JSC::constructGenericTypedArrayView):
1720         (JSC::::getConstructData):
1721         (JSC::::getCallData):
1722         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1723         (JSC::::JSGenericTypedArrayView):
1724         (JSC::::create):
1725         (JSC::::createUninitialized):
1726         (JSC::::validateRange):
1727         (JSC::::setWithSpecificType):
1728         (JSC::::set):
1729         (JSC::::getOwnPropertySlot):
1730         (JSC::::getOwnPropertyDescriptor):
1731         (JSC::::put):
1732         (JSC::::defineOwnProperty):
1733         (JSC::::deleteProperty):
1734         (JSC::::getOwnPropertySlotByIndex):
1735         (JSC::::putByIndex):
1736         (JSC::::deletePropertyByIndex):
1737         (JSC::::getOwnNonIndexPropertyNames):
1738         (JSC::::getOwnPropertyNames):
1739         (JSC::::visitChildren):
1740         (JSC::::copyBackingStore):
1741         (JSC::::slowDownAndWasteMemory):
1742         (JSC::::getTypedArrayImpl):
1743         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1744         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1745         (JSC::genericTypedArrayViewProtoFuncSet):
1746         (JSC::genericTypedArrayViewProtoFuncSubarray):
1747         (JSC::::JSGenericTypedArrayViewPrototype):
1748         (JSC::::finishCreation):
1749         (JSC::::create):
1750         (JSC::::createStructure):
1751         * runtime/JSGlobalObject.cpp:
1752         (JSC::JSGlobalObject::reset):
1753         (JSC::JSGlobalObject::visitChildren):
1754         * runtime/JSGlobalObject.h:
1755         (JSC::JSGlobalObject::arrayBufferPrototype):
1756         (JSC::JSGlobalObject::arrayBufferStructure):
1757         (JSC::JSGlobalObject::typedArrayStructure):
1758         * runtime/JSInt16Array.h: Added.
1759         * runtime/JSInt32Array.h: Added.
1760         * runtime/JSInt8Array.h: Added.
1761         * runtime/JSTypedArrayConstructors.cpp: Added.
1762         * runtime/JSTypedArrayConstructors.h: Added.
1763         * runtime/JSTypedArrayPrototypes.cpp: Added.
1764         * runtime/JSTypedArrayPrototypes.h: Added.
1765         * runtime/JSTypedArrays.cpp: Added.
1766         * runtime/JSTypedArrays.h: Added.
1767         * runtime/JSUint16Array.h: Added.
1768         * runtime/JSUint32Array.h: Added.
1769         * runtime/JSUint8Array.h: Added.
1770         * runtime/JSUint8ClampedArray.h: Added.
1771         * runtime/Operations.h:
1772         * runtime/Options.h:
1773         * runtime/SimpleTypedArrayController.cpp: Added.
1774         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1775         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1776         (JSC::SimpleTypedArrayController::toJS):
1777         * runtime/SimpleTypedArrayController.h: Added.
1778         * runtime/Structure.h:
1779         (JSC::Structure::couldHaveIndexingHeader):
1780         * runtime/StructureInlines.h:
1781         (JSC::Structure::hasIndexingHeader):
1782         * runtime/TypedArrayAdaptors.h: Added.
1783         (JSC::IntegralTypedArrayAdaptor::toNative):
1784         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1785         (JSC::IntegralTypedArrayAdaptor::toDouble):
1786         (JSC::FloatTypedArrayAdaptor::toNative):
1787         (JSC::FloatTypedArrayAdaptor::toJSValue):
1788         (JSC::FloatTypedArrayAdaptor::toDouble):
1789         (JSC::Uint8ClampedAdaptor::toNative):
1790         (JSC::Uint8ClampedAdaptor::toJSValue):
1791         (JSC::Uint8ClampedAdaptor::toDouble):
1792         (JSC::Uint8ClampedAdaptor::clamp):
1793         * runtime/TypedArrayController.cpp: Added.
1794         (JSC::TypedArrayController::TypedArrayController):
1795         (JSC::TypedArrayController::~TypedArrayController):
1796         * runtime/TypedArrayController.h: Added.
1797         * runtime/TypedArrayDescriptor.h: Removed.
1798         * runtime/TypedArrayInlines.h: Added.
1799         * runtime/TypedArrayType.cpp: Added.
1800         (JSC::classInfoForType):
1801         (WTF::printInternal):
1802         * runtime/TypedArrayType.h: Added.
1803         (JSC::toIndex):
1804         (JSC::isTypedView):
1805         (JSC::elementSize):
1806         (JSC::isInt):
1807         (JSC::isFloat):
1808         (JSC::isSigned):
1809         (JSC::isClamped):
1810         * runtime/TypedArrays.h: Added.
1811         * runtime/Uint16Array.h:
1812         * runtime/Uint32Array.h:
1813         * runtime/Uint8Array.h:
1814         * runtime/Uint8ClampedArray.h:
1815         * runtime/VM.cpp:
1816         (JSC::VM::VM):
1817         (JSC::VM::~VM):
1818         * runtime/VM.h:
1819
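        The JS-visible semantics the entry above describes (Uint8ClampedArray no longer a
        subtype of Uint8Array, no ArrayBufferView as a JS-visible construct, ES-style
        exceptions instead of DOM ones, and views sharing one buffer) can be probed from
        script. The block below is an added example for readers of this ChangeLog; it is
        not part of the WebKit tree or of this patch. It assumes any ES2015+ engine
        (the jsc shell or node), and the probe function names are mine.

```javascript
'use strict';

// Probe the JS-visible typed array semantics that the rewrite aligned with ES.
// Each probe returns a plain value so it can be asserted on from a test.
// (Added example; function names are not from the WebKit sources.)

// Uint8ClampedArray is a sibling of Uint8Array under %TypedArray%.prototype,
// not a subtype of it.
function clampedIsSubtypeOfUint8() {
  return Uint8ClampedArray.prototype instanceof Uint8Array
      || Object.getPrototypeOf(Uint8ClampedArray.prototype) === Uint8Array.prototype;
}

// Every concrete view type hangs off the same intrinsic parent prototype.
function shareTypedArrayParent() {
  const parent = Object.getPrototypeOf(Uint8Array.prototype);
  return [Uint8ClampedArray, Int32Array, Float64Array]
    .every(T => Object.getPrototypeOf(T.prototype) === parent);
}

// ArrayBufferView is not a JS-visible constructor; ArrayBuffer.isView is the
// sanctioned way to ask "is this a view".
function arrayBufferViewIsVisible() {
  return typeof globalThis.ArrayBufferView !== 'undefined';
}

// Conversion on store: Uint8Array wraps modulo 256 (ToUint8), while
// Uint8ClampedArray clamps to [0, 255] and rounds half to even.
function storeSemantics(values) {
  return {
    wrapped: Array.from(new Uint8Array(values)),
    clamped: Array.from(new Uint8ClampedArray(values)),
  };
}

// A view that does not fit its buffer, or whose byte offset is not a
// multiple of the element size, throws a RangeError (an ES error object,
// not a DOM INDEX_SIZE_ERR). Returns the thrown error's name, or null.
function viewConstructionError(byteLength, Ctor, byteOffset, length) {
  try {
    new Ctor(new ArrayBuffer(byteLength), byteOffset, length);
    return null;
  } catch (e) {
    return e instanceof RangeError ? 'RangeError' : e.constructor.name;
  }
}

// subarray() is a second view over the same buffer, not a copy: a write
// through the sub-view is visible through the base view.
function subarraySharesBuffer() {
  const base = new Uint8Array(8);
  const sub = base.subarray(2, 4);
  sub[0] = 0x41;
  return sub.buffer === base.buffer && base[2] === 0x41 && sub.byteOffset === 2;
}

// Run every probe and report the results (usable from jsc or node).
function runProbes() {
  return {
    clampedIsSubtype: clampedIsSubtypeOfUint8(),
    sharedParent: shareTypedArrayParent(),
    arrayBufferViewVisible: arrayBufferViewIsVisible(),
    store: storeSemantics([300, -5, 1.5, 2.5]),
    overrun: viewConstructionError(4, Uint8Array, 1, 100),
    misaligned: viewConstructionError(4, Int16Array, 1),
    exactFit: viewConstructionError(4, Uint8Array, 0, 4),
    subarrayShares: subarraySharesBuffer(),
  };
}

console.log(JSON.stringify(runProbes(), null, 2));
```

        On a conforming engine the probes report that Uint8ClampedArray is not a subtype
        of Uint8Array, that no ArrayBufferView global exists, that [300, -5, 1.5, 2.5]
        stores as [44, 251, 1, 2] in a Uint8Array but [255, 0, 2, 2] in a
        Uint8ClampedArray, and that the overrun and misaligned constructions throw
        RangeError while the exact-fit one does not.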
1820 2013-08-15  Oliver Hunt  <oliver@apple.com>
1821
1822         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1823
1824         Reviewed by Filip Pizlo.
1825
1826         Make sure dfgCapabilities doesn't report a Dynamic put as
1827         being compilable when we don't actually support it.  
1828
1829         * bytecode/CodeBlock.cpp:
1830         (JSC::CodeBlock::dumpBytecode):
1831         * dfg/DFGCapabilities.cpp:
1832         (JSC::DFG::capabilityLevel):
1833
1834 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1835
1836         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1837         https://bugs.webkit.org/show_bug.cgi?id=119847
1838
1839         Reviewed by Oliver Hunt.
1840
1841         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1842         * runtime/ArrayBufferView.h: Ditto.
1843
1844 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1845
1846         https://bugs.webkit.org/show_bug.cgi?id=119843
1847         PropertySlot::setValue is ambiguous
1848
1849         Reviewed by Geoff Garen.
1850
1851         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1852         The problematic variants are the one that just takes a value, and the one that takes a value and also the object containing the property.
1853         Unify on always providing the object, and remove the version that just takes a value.
1854         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1855         Provide a version of setValue that takes a JSString as the owner of the property.
1856         We won't store this, but it makes it clear that this interface should only be used from JSString.
1857
1858         * API/JSCallbackObjectFunctions.h:
1859         (JSC::::getOwnPropertySlot):
1860         * JSCTypedArrayStubs.h:
1861         * runtime/Arguments.cpp:
1862         (JSC::Arguments::getOwnPropertySlotByIndex):
1863         (JSC::Arguments::getOwnPropertySlot):
1864         * runtime/JSActivation.cpp:
1865         (JSC::JSActivation::symbolTableGet):
1866         (JSC::JSActivation::getOwnPropertySlot):
1867         * runtime/JSArray.cpp:
1868         (JSC::JSArray::getOwnPropertySlot):
1869         * runtime/JSObject.cpp:
1870         (JSC::JSObject::getOwnPropertySlotByIndex):
1871         * runtime/JSString.h:
1872         (JSC::JSString::getStringPropertySlot):
1873         * runtime/JSSymbolTableObject.h:
1874         (JSC::symbolTableGet):
1875         * runtime/SparseArrayValueMap.cpp:
1876         (JSC::SparseArrayEntry::get):
1877             - Pass object containing property to PropertySlot::setValue
1878         * runtime/PropertySlot.h:
1879         (JSC::PropertySlot::setValue):
1880             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1881         (JSC::PropertySlot::setUndefined):
1882             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1883
1884 2013-08-15  Oliver Hunt  <oliver@apple.com>
1885
1886         Remove bogus assertion.
1887
1888         RS=Filip Pizlo
1889
1890         * dfg/DFGAbstractInterpreterInlines.h:
1891         (JSC::DFG::::executeEffects):
1892
1893 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1894
1895         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1896         https://bugs.webkit.org/show_bug.cgi?id=114913
1897
1898         Reviewed by Filip Pizlo.
1899
1900         The X87 register was not freed before some calls. Instead
1901         of inserting resetX87Registers at the last call sites,
1902         the two X87 registers are now freed in every call.
1903
1904         * llint/LowLevelInterpreter32_64.asm:
1905         * llint/LowLevelInterpreter64.asm:
1906         * offlineasm/instructions.rb:
1907         * offlineasm/x86.rb:
1908
1909 2013-08-14  Michael Saboff  <msaboff@apple.com>
1910
1911         Fixed jit on Win64.
1912         https://bugs.webkit.org/show_bug.cgi?id=119601
1913
1914         Reviewed by Oliver Hunt.
1915
1916         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1917         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1918         * jit/SlowPathCall.h:
1919         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1920
1921 2013-08-14  Alex Christensen  <achristensen@apple.com>
1922
1923         Compile fix for Win64 with jit disabled.
1924         https://bugs.webkit.org/show_bug.cgi?id=119804
1925
1926         Reviewed by Michael Saboff.
1927
1928         * offlineasm/cloop.rb: Added std:: before isnan.
1929
1930 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1931
1932         DFG_JIT implementation for sh4 architecture.
1933         https://bugs.webkit.org/show_bug.cgi?id=119737
1934
1935         Reviewed by Oliver Hunt.
1936
1937         * assembler/MacroAssemblerSH4.h:
1938         (JSC::MacroAssemblerSH4::invert):
1939         (JSC::MacroAssemblerSH4::add32):
1940         (JSC::MacroAssemblerSH4::and32):
1941         (JSC::MacroAssemblerSH4::lshift32):
1942         (JSC::MacroAssemblerSH4::mul32):
1943         (JSC::MacroAssemblerSH4::or32):
1944         (JSC::MacroAssemblerSH4::rshift32):
1945         (JSC::MacroAssemblerSH4::sub32):
1946         (JSC::MacroAssemblerSH4::xor32):
1947         (JSC::MacroAssemblerSH4::store32):
1948         (JSC::MacroAssemblerSH4::swapDouble):
1949         (JSC::MacroAssemblerSH4::storeDouble):
1950         (JSC::MacroAssemblerSH4::subDouble):
1951         (JSC::MacroAssemblerSH4::mulDouble):
1952         (JSC::MacroAssemblerSH4::divDouble):
1953         (JSC::MacroAssemblerSH4::negateDouble):
1954         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
1955         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
1956         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
1957         (JSC::MacroAssemblerSH4::swap):
1958         (JSC::MacroAssemblerSH4::jump):
1959         (JSC::MacroAssemblerSH4::branchNeg32):
1960         (JSC::MacroAssemblerSH4::branchAdd32):
1961         (JSC::MacroAssemblerSH4::branchMul32):
1962         (JSC::MacroAssemblerSH4::urshift32):
1963         * assembler/SH4Assembler.h:
1964         (JSC::SH4Assembler::SH4Assembler):
1965         (JSC::SH4Assembler::labelForWatchpoint):
1966         (JSC::SH4Assembler::label):
1967         (JSC::SH4Assembler::debugOffset):
1968         * dfg/DFGAssemblyHelpers.h:
1969         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
1970         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
1971         (JSC::DFG::AssemblyHelpers::debugCall):
1972         * dfg/DFGCCallHelpers.h:
1973         (JSC::DFG::CCallHelpers::setupArguments):
1974         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1975         * dfg/DFGFPRInfo.h:
1976         (JSC::DFG::FPRInfo::toRegister):
1977         (JSC::DFG::FPRInfo::toIndex):
1978         (JSC::DFG::FPRInfo::debugName):
1979         * dfg/DFGGPRInfo.h:
1980         (JSC::DFG::GPRInfo::toRegister):
1981         (JSC::DFG::GPRInfo::toIndex):
1982         (JSC::DFG::GPRInfo::debugName):
1983         * dfg/DFGOperations.cpp:
1984         * dfg/DFGSpeculativeJIT.h:
1985         (JSC::DFG::SpeculativeJIT::callOperation):
1986         * jit/JITStubs.h:
1987         * jit/JITStubsSH4.h:
1988
1989 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1990
1991         Unreviewed, fix build.
1992
1993         * API/JSValue.mm:
1994         (isDate):
1995         (isArray):
1996         * API/JSWrapperMap.mm:
1997         (tryUnwrapObjcObject):
1998         * API/ObjCCallbackFunction.mm:
1999         (tryUnwrapBlock):
2000
2001 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2002
2003         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
2004         https://bugs.webkit.org/show_bug.cgi?id=119770
2005
2006         Reviewed by Mark Hahnenberg.
2007
2008         * API/JSCallbackConstructor.cpp:
2009         (JSC::JSCallbackConstructor::finishCreation):
2010         * API/JSCallbackConstructor.h:
2011         (JSC::JSCallbackConstructor::createStructure):
2012         * API/JSCallbackFunction.cpp:
2013         (JSC::JSCallbackFunction::finishCreation):
2014         * API/JSCallbackFunction.h:
2015         (JSC::JSCallbackFunction::createStructure):
2016         * API/JSCallbackObject.cpp:
2017         (JSC::::createStructure):
2018         * API/JSCallbackObject.h:
2019         (JSC::JSCallbackObject::visitChildren):
2020         * API/JSCallbackObjectFunctions.h:
2021         (JSC::::asCallbackObject):
2022         (JSC::::finishCreation):
2023         * API/JSObjectRef.cpp:
2024         (JSObjectGetPrivate):
2025         (JSObjectSetPrivate):
2026         (JSObjectGetPrivateProperty):
2027         (JSObjectSetPrivateProperty):
2028         (JSObjectDeletePrivateProperty):
2029         * API/JSValueRef.cpp:
2030         (JSValueIsObjectOfClass):
2031         * API/JSWeakObjectMapRefPrivate.cpp:
2032         * API/ObjCCallbackFunction.h:
2033         (JSC::ObjCCallbackFunction::createStructure):
2034         * JSCTypedArrayStubs.h:
2035         * bytecode/CallLinkStatus.cpp:
2036         (JSC::CallLinkStatus::CallLinkStatus):
2037         (JSC::CallLinkStatus::function):
2038         (JSC::CallLinkStatus::internalFunction):
2039         * bytecode/CodeBlock.h:
2040         (JSC::baselineCodeBlockForInlineCallFrame):
2041         * bytecode/SpeculatedType.cpp:
2042         (JSC::speculationFromClassInfo):
2043         * bytecode/UnlinkedCodeBlock.cpp:
2044         (JSC::UnlinkedFunctionExecutable::visitChildren):
2045         (JSC::UnlinkedCodeBlock::visitChildren):
2046         (JSC::UnlinkedProgramCodeBlock::visitChildren):
2047         * bytecode/UnlinkedCodeBlock.h:
2048         (JSC::UnlinkedFunctionExecutable::createStructure):
2049         (JSC::UnlinkedProgramCodeBlock::createStructure):
2050         (JSC::UnlinkedEvalCodeBlock::createStructure):
2051         (JSC::UnlinkedFunctionCodeBlock::createStructure):
2052         * debugger/Debugger.cpp:
2053         * debugger/DebuggerActivation.cpp:
2054         (JSC::DebuggerActivation::visitChildren):
2055         * debugger/DebuggerActivation.h:
2056         (JSC::DebuggerActivation::createStructure):
2057         * debugger/DebuggerCallFrame.cpp:
2058         (JSC::DebuggerCallFrame::functionName):
2059         * dfg/DFGAbstractInterpreterInlines.h:
2060         (JSC::DFG::::executeEffects):
2061         * dfg/DFGByteCodeParser.cpp:
2062         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2063         (JSC::DFG::ByteCodeParser::parseBlock):
2064         * dfg/DFGFixupPhase.cpp:
2065         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2066         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
2067         * dfg/DFGGraph.cpp:
2068         (JSC::DFG::Graph::dump):
2069         * dfg/DFGGraph.h:
2070         (JSC::DFG::Graph::isInternalFunctionConstant):
2071         * dfg/DFGOperations.cpp:
2072         * dfg/DFGSpeculativeJIT.cpp:
2073         (JSC::DFG::SpeculativeJIT::checkArray):
2074         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2075         * dfg/DFGThunks.cpp:
2076         (JSC::DFG::virtualForThunkGenerator):
2077         * interpreter/Interpreter.cpp:
2078         (JSC::loadVarargs):
2079         * jsc.cpp:
2080         (GlobalObject::createStructure):
2081         * profiler/LegacyProfiler.cpp:
2082         (JSC::LegacyProfiler::createCallIdentifier):
2083         * runtime/Arguments.cpp:
2084         (JSC::Arguments::visitChildren):
2085         * runtime/Arguments.h:
2086         (JSC::Arguments::createStructure):
2087         (JSC::asArguments):
2088         (JSC::Arguments::finishCreation):
2089         * runtime/ArrayConstructor.cpp:
2090         (JSC::arrayConstructorIsArray):
2091         * runtime/ArrayConstructor.h:
2092         (JSC::ArrayConstructor::createStructure):
2093         * runtime/ArrayPrototype.cpp:
2094         (JSC::ArrayPrototype::finishCreation):
2095         (JSC::arrayProtoFuncConcat):
2096         (JSC::attemptFastSort):
2097         * runtime/ArrayPrototype.h:
2098         (JSC::ArrayPrototype::createStructure):
2099         * runtime/BooleanConstructor.h:
2100         (JSC::BooleanConstructor::createStructure):
2101         * runtime/BooleanObject.cpp:
2102         (JSC::BooleanObject::finishCreation):
2103         * runtime/BooleanObject.h:
2104         (JSC::BooleanObject::createStructure):
2105         (JSC::asBooleanObject):
2106         * runtime/BooleanPrototype.cpp:
2107         (JSC::BooleanPrototype::finishCreation):
2108         (JSC::booleanProtoFuncToString):
2109         (JSC::booleanProtoFuncValueOf):
2110         * runtime/BooleanPrototype.h:
2111         (JSC::BooleanPrototype::createStructure):
2112         * runtime/DateConstructor.cpp:
2113         (JSC::constructDate):
2114         * runtime/DateConstructor.h:
2115         (JSC::DateConstructor::createStructure):
2116         * runtime/DateInstance.cpp:
2117         (JSC::DateInstance::finishCreation):
2118         * runtime/DateInstance.h:
2119         (JSC::DateInstance::createStructure):
2120         (JSC::asDateInstance):
2121         * runtime/DatePrototype.cpp:
2122         (JSC::formateDateInstance):
2123         (JSC::DatePrototype::finishCreation):
2124         (JSC::dateProtoFuncToISOString):
2125         (JSC::dateProtoFuncToLocaleString):
2126         (JSC::dateProtoFuncToLocaleDateString):
2127         (JSC::dateProtoFuncToLocaleTimeString):
2128         (JSC::dateProtoFuncGetTime):
2129         (JSC::dateProtoFuncGetFullYear):
2130         (JSC::dateProtoFuncGetUTCFullYear):
2131         (JSC::dateProtoFuncGetMonth):
2132         (JSC::dateProtoFuncGetUTCMonth):
2133         (JSC::dateProtoFuncGetDate):
2134         (JSC::dateProtoFuncGetUTCDate):
2135         (JSC::dateProtoFuncGetDay):
2136         (JSC::dateProtoFuncGetUTCDay):
2137         (JSC::dateProtoFuncGetHours):
2138         (JSC::dateProtoFuncGetUTCHours):
2139         (JSC::dateProtoFuncGetMinutes):
2140         (JSC::dateProtoFuncGetUTCMinutes):
2141         (JSC::dateProtoFuncGetSeconds):
2142         (JSC::dateProtoFuncGetUTCSeconds):
2143         (JSC::dateProtoFuncGetMilliSeconds):
2144         (JSC::dateProtoFuncGetUTCMilliseconds):
2145         (JSC::dateProtoFuncGetTimezoneOffset):
2146         (JSC::dateProtoFuncSetTime):
2147         (JSC::setNewValueFromTimeArgs):
2148         (JSC::setNewValueFromDateArgs):
2149         (JSC::dateProtoFuncSetYear):
2150         (JSC::dateProtoFuncGetYear):
2151         * runtime/DatePrototype.h:
2152         (JSC::DatePrototype::createStructure):
2153         * runtime/Error.h:
2154         (JSC::StrictModeTypeErrorFunction::createStructure):
2155         * runtime/ErrorConstructor.h:
2156         (JSC::ErrorConstructor::createStructure):
2157         * runtime/ErrorInstance.cpp:
2158         (JSC::ErrorInstance::finishCreation):
2159         * runtime/ErrorInstance.h:
2160         (JSC::ErrorInstance::createStructure):
2161         * runtime/ErrorPrototype.cpp:
2162         (JSC::ErrorPrototype::finishCreation):
2163         * runtime/ErrorPrototype.h:
2164         (JSC::ErrorPrototype::createStructure):
2165         * runtime/ExceptionHelpers.cpp:
2166         (JSC::isTerminatedExecutionException):
2167         * runtime/ExceptionHelpers.h:
2168         (JSC::TerminatedExecutionError::createStructure):
2169         * runtime/Executable.cpp:
2170         (JSC::EvalExecutable::visitChildren):
2171         (JSC::ProgramExecutable::visitChildren):
2172         (JSC::FunctionExecutable::visitChildren):
2173         (JSC::ExecutableBase::hashFor):
2174         * runtime/Executable.h:
2175         (JSC::ExecutableBase::createStructure):
2176         (JSC::NativeExecutable::createStructure):
2177         (JSC::EvalExecutable::createStructure):
2178         (JSC::ProgramExecutable::createStructure):
2179         (JSC::FunctionExecutable::compileFor):
2180         (JSC::FunctionExecutable::compileOptimizedFor):
2181         (JSC::FunctionExecutable::createStructure):
2182         * runtime/FunctionConstructor.h:
2183         (JSC::FunctionConstructor::createStructure):
2184         * runtime/FunctionPrototype.cpp:
2185         (JSC::functionProtoFuncToString):
2186         (JSC::functionProtoFuncApply):
2187         (JSC::functionProtoFuncBind):
2188         * runtime/FunctionPrototype.h:
2189         (JSC::FunctionPrototype::createStructure):
2190         * runtime/GetterSetter.cpp:
2191         (JSC::GetterSetter::visitChildren):
2192         * runtime/GetterSetter.h:
2193         (JSC::GetterSetter::createStructure):
2194         * runtime/InternalFunction.cpp:
2195         (JSC::InternalFunction::finishCreation):
2196         * runtime/InternalFunction.h:
2197         (JSC::InternalFunction::createStructure):
2198         (JSC::asInternalFunction):
2199         * runtime/JSAPIValueWrapper.h:
2200         (JSC::JSAPIValueWrapper::createStructure):
2201         * runtime/JSActivation.cpp:
2202         (JSC::JSActivation::visitChildren):
2203         (JSC::JSActivation::argumentsGetter):
2204         * runtime/JSActivation.h:
2205         (JSC::JSActivation::createStructure):
2206         (JSC::asActivation):
2207         * runtime/JSArray.h:
2208         (JSC::JSArray::createStructure):
2209         (JSC::asArray):
2210         (JSC::isJSArray):
2211         * runtime/JSBoundFunction.cpp:
2212         (JSC::JSBoundFunction::finishCreation):
2213         (JSC::JSBoundFunction::visitChildren):
2214         * runtime/JSBoundFunction.h:
2215         (JSC::JSBoundFunction::createStructure):
2216         * runtime/JSCJSValue.cpp:
2217         (JSC::JSValue::dumpInContext):
2218         * runtime/JSCJSValueInlines.h:
2219         (JSC::JSValue::isFunction):
2220         * runtime/JSCell.h:
2221         (JSC::jsCast):
2222         (JSC::jsDynamicCast):
2223         * runtime/JSCellInlines.h:
2224         (JSC::allocateCell):
2225         * runtime/JSFunction.cpp:
2226         (JSC::JSFunction::finishCreation):
2227         (JSC::JSFunction::visitChildren):
2228         (JSC::skipOverBoundFunctions):
2229         (JSC::JSFunction::callerGetter):
2230         * runtime/JSFunction.h:
2231         (JSC::JSFunction::createStructure):
2232         * runtime/JSGlobalObject.cpp:
2233         (JSC::JSGlobalObject::visitChildren):
2234         (JSC::slowValidateCell):
2235         * runtime/JSGlobalObject.h:
2236         (JSC::JSGlobalObject::createStructure):
2237         * runtime/JSNameScope.cpp:
2238         (JSC::JSNameScope::visitChildren):
2239         * runtime/JSNameScope.h:
2240         (JSC::JSNameScope::createStructure):
2241         * runtime/JSNotAnObject.h:
2242         (JSC::JSNotAnObject::createStructure):
2243         * runtime/JSONObject.cpp:
2244         (JSC::JSONObject::finishCreation):
2245         (JSC::unwrapBoxedPrimitive):
2246         (JSC::Stringifier::Stringifier):
2247         (JSC::Stringifier::appendStringifiedValue):
2248         (JSC::Stringifier::Holder::Holder):
2249         (JSC::Walker::walk):
2250         (JSC::JSONProtoFuncStringify):
2251         * runtime/JSONObject.h:
2252         (JSC::JSONObject::createStructure):
2253         * runtime/JSObject.cpp:
2254         (JSC::getCallableObjectSlow):
2255         (JSC::JSObject::visitChildren):
2256         (JSC::JSObject::copyBackingStore):
2257         (JSC::JSFinalObject::visitChildren):
2258         (JSC::JSObject::ensureInt32Slow):
2259         (JSC::JSObject::ensureDoubleSlow):
2260         (JSC::JSObject::ensureContiguousSlow):
2261         (JSC::JSObject::ensureArrayStorageSlow):
2262         * runtime/JSObject.h:
2263         (JSC::JSObject::finishCreation):
2264         (JSC::JSObject::createStructure):
2265         (JSC::JSNonFinalObject::createStructure):
2266         (JSC::JSFinalObject::createStructure):
2267         (JSC::isJSFinalObject):
2268         * runtime/JSPropertyNameIterator.cpp:
2269         (JSC::JSPropertyNameIterator::visitChildren):
2270         * runtime/JSPropertyNameIterator.h:
2271         (JSC::JSPropertyNameIterator::createStructure):
2272         * runtime/JSProxy.cpp:
2273         (JSC::JSProxy::visitChildren):
2274         * runtime/JSProxy.h:
2275         (JSC::JSProxy::createStructure):
2276         * runtime/JSScope.cpp:
2277         (JSC::JSScope::visitChildren):
2278         * runtime/JSSegmentedVariableObject.cpp:
2279         (JSC::JSSegmentedVariableObject::visitChildren):
2280         * runtime/JSString.h:
2281         (JSC::JSString::createStructure):
2282         (JSC::isJSString):
2283         * runtime/JSSymbolTableObject.cpp:
2284         (JSC::JSSymbolTableObject::visitChildren):
2285         * runtime/JSVariableObject.h:
2286         * runtime/JSWithScope.cpp:
2287         (JSC::JSWithScope::visitChildren):
2288         * runtime/JSWithScope.h:
2289         (JSC::JSWithScope::createStructure):
2290         * runtime/JSWrapperObject.cpp:
2291         (JSC::JSWrapperObject::visitChildren):
2292         * runtime/JSWrapperObject.h:
2293         (JSC::JSWrapperObject::createStructure):
2294         * runtime/MathObject.cpp:
2295         (JSC::MathObject::finishCreation):
2296         * runtime/MathObject.h:
2297         (JSC::MathObject::createStructure):
2298         * runtime/NameConstructor.h:
2299         (JSC::NameConstructor::createStructure):
2300         * runtime/NameInstance.h:
2301         (JSC::NameInstance::createStructure):
2302         (JSC::NameInstance::finishCreation):
2303         * runtime/NamePrototype.cpp:
2304         (JSC::NamePrototype::finishCreation):
2305         (JSC::privateNameProtoFuncToString):
2306         * runtime/NamePrototype.h:
2307         (JSC::NamePrototype::createStructure):
2308         * runtime/NativeErrorConstructor.cpp:
2309         (JSC::NativeErrorConstructor::visitChildren):
2310         * runtime/NativeErrorConstructor.h:
2311         (JSC::NativeErrorConstructor::createStructure):
2312         (JSC::NativeErrorConstructor::finishCreation):
2313         * runtime/NumberConstructor.cpp:
2314         (JSC::NumberConstructor::finishCreation):
2315         * runtime/NumberConstructor.h:
2316         (JSC::NumberConstructor::createStructure):
2317         * runtime/NumberObject.cpp:
2318         (JSC::NumberObject::finishCreation):
2319         * runtime/NumberObject.h:
2320         (JSC::NumberObject::createStructure):
2321         * runtime/NumberPrototype.cpp:
2322         (JSC::NumberPrototype::finishCreation):
2323         * runtime/NumberPrototype.h:
2324         (JSC::NumberPrototype::createStructure):
2325         * runtime/ObjectConstructor.h:
2326         (JSC::ObjectConstructor::createStructure):
2327         * runtime/ObjectPrototype.cpp:
2328         (JSC::ObjectPrototype::finishCreation):
2329         * runtime/ObjectPrototype.h:
2330         (JSC::ObjectPrototype::createStructure):
2331         * runtime/PropertyMapHashTable.h:
2332         (JSC::PropertyTable::createStructure):
2333         * runtime/PropertyTable.cpp:
2334         (JSC::PropertyTable::visitChildren):
2335         * runtime/RegExp.h:
2336         (JSC::RegExp::createStructure):
2337         * runtime/RegExpConstructor.cpp:
2338         (JSC::RegExpConstructor::finishCreation):
2339         (JSC::RegExpConstructor::visitChildren):
2340         (JSC::constructRegExp):
2341         * runtime/RegExpConstructor.h:
2342         (JSC::RegExpConstructor::createStructure):
2343         (JSC::asRegExpConstructor):
2344         * runtime/RegExpMatchesArray.cpp:
2345         (JSC::RegExpMatchesArray::visitChildren):
2346         * runtime/RegExpMatchesArray.h:
2347         (JSC::RegExpMatchesArray::createStructure):
2348         * runtime/RegExpObject.cpp:
2349         (JSC::RegExpObject::finishCreation):
2350         (JSC::RegExpObject::visitChildren):
2351         * runtime/RegExpObject.h:
2352         (JSC::RegExpObject::createStructure):
2353         (JSC::asRegExpObject):
2354         * runtime/RegExpPrototype.cpp:
2355         (JSC::regExpProtoFuncTest):
2356         (JSC::regExpProtoFuncExec):
2357         (JSC::regExpProtoFuncCompile):
2358         (JSC::regExpProtoFuncToString):
2359         * runtime/RegExpPrototype.h:
2360         (JSC::RegExpPrototype::createStructure):
2361         * runtime/SparseArrayValueMap.cpp:
2362         (JSC::SparseArrayValueMap::createStructure):
2363         * runtime/SparseArrayValueMap.h:
2364         * runtime/StrictEvalActivation.h:
2365         (JSC::StrictEvalActivation::createStructure):
2366         * runtime/StringConstructor.h:
2367         (JSC::StringConstructor::createStructure):
2368         * runtime/StringObject.cpp:
2369         (JSC::StringObject::finishCreation):
2370         * runtime/StringObject.h:
2371         (JSC::StringObject::createStructure):
2372         (JSC::asStringObject):
2373         * runtime/StringPrototype.cpp:
2374         (JSC::StringPrototype::finishCreation):
2375         (JSC::stringProtoFuncReplace):
2376         (JSC::stringProtoFuncToString):
2377         (JSC::stringProtoFuncMatch):
2378         (JSC::stringProtoFuncSearch):
2379         (JSC::stringProtoFuncSplit):
2380         * runtime/StringPrototype.h:
2381         (JSC::StringPrototype::createStructure):
2382         * runtime/Structure.cpp:
2383         (JSC::Structure::Structure):
2384         (JSC::Structure::materializePropertyMap):
2385         (JSC::Structure::get):
2386         (JSC::Structure::visitChildren):
2387         * runtime/Structure.h:
2388         (JSC::Structure::typeInfo):
2389         (JSC::Structure::previousID):
2390         (JSC::Structure::outOfLineSize):
2391         (JSC::Structure::totalStorageCapacity):
2392         (JSC::Structure::materializePropertyMapIfNecessary):
2393         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2394         * runtime/StructureChain.cpp:
2395         (JSC::StructureChain::visitChildren):
2396         * runtime/StructureChain.h:
2397         (JSC::StructureChain::createStructure):
2398         * runtime/StructureInlines.h:
2399         (JSC::Structure::get):
2400         * runtime/StructureRareData.cpp:
2401         (JSC::StructureRareData::createStructure):
2402         (JSC::StructureRareData::visitChildren):
2403         * runtime/StructureRareData.h:
2404         * runtime/SymbolTable.h:
2405         (JSC::SharedSymbolTable::createStructure):
2406         * runtime/VM.cpp:
2407         (JSC::VM::VM):
2408         (JSC::StackPreservingRecompiler::operator()):
2409         (JSC::VM::releaseExecutableMemory):
2410         * runtime/WriteBarrier.h:
2411         (JSC::validateCell):
2412         * testRegExp.cpp:
2413         (GlobalObject::createStructure):
2414
2415 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
2416
2417         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
2418         https://bugs.webkit.org/show_bug.cgi?id=119762
2419
2420         Reviewed by Geoffrey Garen.
2421
2422         * heap/Heap.cpp:
2423         (JSC::Heap::Heap):
2424         (JSC::Heap::markRoots):
2425         (JSC::Heap::collect):
2426         * jsc.cpp:
2427         (StopWatch::start):
2428         (StopWatch::stop):
2429         * testRegExp.cpp:
2430         (StopWatch::start):
2431         (StopWatch::stop):
2432
2433 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2434
2435         [sh4] Prepare LLINT for DFG_JIT implementation.
2436         https://bugs.webkit.org/show_bug.cgi?id=119755
2437
2438         Reviewed by Oliver Hunt.
2439
2440         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
2441         * offlineasm/sh4.rb:
2442             - Handle storeb opcode.
2443             - Make relative jumps when possible using braf opcode.
2444             - Update bmulio implementation to be consistent with baseline JIT.
2445             - Remove useless code from leap opcode.
2446             - Fix incorrect comment.
2447
2448 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2449
2450         [sh4] Prepare baseline JIT for DFG_JIT implementation.
2451         https://bugs.webkit.org/show_bug.cgi?id=119758
2452
2453         Reviewed by Oliver Hunt.
2454
2455         * assembler/MacroAssemblerSH4.h:
2456             - Introduce a loadEffectiveAddress function to avoid code duplication.
2457             - Add ASSERTs and clean code.
2458         * assembler/SH4Assembler.h:
2459             - Prepare DFG_JIT implementation.
2460             - Add ASSERTs.
2461         * jit/JITStubs.cpp:
2462             - Add SH4 specific call for assertions.
2463         * jit/JITStubs.h:
2464             - Cosmetic change.
2465         * jit/JITStubsSH4.h:
2466             - Use constants to be more flexible with sh4 JIT stack frame.
2467         * jit/JSInterfaceJIT.h:
2468             - Cosmetic change.
2469
2470 2013-08-13  Oliver Hunt  <oliver@apple.com>
2471
2472         Harden executeConstruct against incorrect return types from host functions
2473         https://bugs.webkit.org/show_bug.cgi?id=119757
2474
2475         Reviewed by Mark Hahnenberg.
2476
2477         Add logic to guard against bogus return types.  There doesn't seem to be any
2478         class in webkit that does this wrong, but the typed array stubs in debug JSC
2479         do exhibit this bad behaviour.
2480
2481         * interpreter/Interpreter.cpp:
2482         (JSC::Interpreter::executeConstruct):
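
The guard this entry describes, as an added example that is not JavaScriptCore code: a minimal model of an interpreter's construct path that checks a host constructor's return value before treating it as an object. Value, HostConstructor, ConstructResult, executeConstruct and the two sample constructors are hypothetical names chosen for this example.

```cpp
// Added example, not JavaScriptCore code: the type check an interpreter's
// construct path needs before it trusts what a host (native) constructor
// returned. All names below are hypothetical.
#include <functional>
#include <string>

struct Object {
    std::string className;
};

// A tagged value: a primitive (here just undefined/number) or an Object pointer.
struct Value {
    enum class Tag { Undefined, Number, Object };
    Tag tag = Tag::Undefined;
    double number = 0.0;
    Object* object = nullptr;   // non-owning; meaningful only when tag == Object

    static Value fromNumber(double d) { Value v; v.tag = Tag::Number; v.number = d; return v; }
    static Value fromObject(Object* o) { Value v; v.tag = Tag::Object; v.object = o; return v; }
    bool isObject() const { return tag == Tag::Object && object != nullptr; }
};

// A host constructor is native code; the engine cannot assume it honours the
// contract of returning an object.
using HostConstructor = std::function<Value()>;

struct ConstructResult {
    bool ok;
    Object* object;       // set only when ok
    std::string error;    // set only when !ok
};

// Unchecked: whatever came back is treated as the constructed object. A
// constructor that returns a number hands the caller a null pointer here (with
// a real NaN-boxed value it would be garbage), which the caller then uses.
ConstructResult executeConstructUnchecked(const HostConstructor& ctor) {
    Value result = ctor();
    return {true, result.object, ""};
}

// Hardened: refuse to continue unless the return value really is an object.
ConstructResult executeConstruct(const HostConstructor& ctor) {
    Value result = ctor();
    if (!result.isObject())
        return {false, nullptr, "host constructor returned a non-object value"};
    return {true, result.object, ""};
}

// Two constructed host constructors for the demonstration: a well-behaved one
// and a buggy one that returns a primitive, the kind of misbehaviour the entry
// above attributes to debug-build stubs.
static Object g_wellFormed{"Example"};
Value wellBehavedConstructor() { return Value::fromObject(&g_wellFormed); }
Value buggyConstructor() { return Value::fromNumber(42.0); }

int main() {
    ConstructResult good = executeConstruct(wellBehavedConstructor);
    ConstructResult bad = executeConstruct(buggyConstructor);
    return (good.ok && good.object == &g_wellFormed && !bad.ok) ? 0 : 1;
}
```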
2483
2484 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2485
2486         [Qt] Fix C++11 build with gcc 4.4 and 4.5
2487         https://bugs.webkit.org/show_bug.cgi?id=119736
2488
2489         Reviewed by Anders Carlsson.
2490
2491         Don't force C++11 mode off anymore.
2492
2493         * Target.pri:
2494
2495 2013-08-12  Oliver Hunt  <oliver@apple.com>
2496
2497         Remove CodeBlock's notion of adding identifiers entirely
2498         https://bugs.webkit.org/show_bug.cgi?id=119708
2499
2500         Reviewed by Geoffrey Garen.
2501
2502         Remove addAdditionalIdentifier entirely, including the bogus assertion.
2503         Move the addition of identifiers to DFGPlan::reallyAdd.
2504
2505         * bytecode/CodeBlock.h:
2506         * dfg/DFGDesiredIdentifiers.cpp:
2507         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2508         * dfg/DFGDesiredIdentifiers.h:
2509         * dfg/DFGPlan.cpp:
2510         (JSC::DFG::Plan::reallyAdd):
2511         (JSC::DFG::Plan::finalize):
2512         * dfg/DFGPlan.h:
2513
2514 2013-08-12  Oliver Hunt  <oliver@apple.com>
2515
2516         Build fix
2517
2518         * runtime/JSCell.h:
2519
2520 2013-08-12  Oliver Hunt  <oliver@apple.com>
2521
2522         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
2523         https://bugs.webkit.org/show_bug.cgi?id=119705
2524
2525         Reviewed by Geoffrey Garen.
2526
2527         Relatively trivial refactoring.
2528
2529         * bytecode/CodeBlock.h:
2530         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2531         (JSC::CodeBlock::addAdditionalIdentifier):
2532         (JSC::CodeBlock::identifier):
2533         (JSC::CodeBlock::numberOfIdentifiers):
2534         * dfg/DFGCommonData.h:
2535
2536 2013-08-12  Oliver Hunt  <oliver@apple.com>
2537
2538         Stop making unnecessary copy of CodeBlock Identifier Vector
2539         https://bugs.webkit.org/show_bug.cgi?id=119702
2540
2541         Reviewed by Michael Saboff.
2542
2543         Make CodeBlock simply use a separate Vector for additional Identifiers
2544         and use the UnlinkedCodeBlock for the initial set of identifiers.
2545
2546         * bytecode/CodeBlock.cpp:
2547         (JSC::CodeBlock::printGetByIdOp):
2548         (JSC::dumpStructure):
2549         (JSC::dumpChain):
2550         (JSC::CodeBlock::printGetByIdCacheStatus):
2551         (JSC::CodeBlock::printPutByIdOp):
2552         (JSC::CodeBlock::dumpBytecode):
2553         (JSC::CodeBlock::CodeBlock):
2554         (JSC::CodeBlock::shrinkToFit):
2555         * bytecode/CodeBlock.h:
2556         (JSC::CodeBlock::numberOfIdentifiers):
2557         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2558         (JSC::CodeBlock::addAdditionalIdentifier):
2559         (JSC::CodeBlock::identifier):
2560         * dfg/DFGDesiredIdentifiers.cpp:
2561         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2562         * jit/JIT.h:
2563         * jit/JITOpcodes.cpp:
2564         (JSC::JIT::emitSlow_op_get_arguments_length):
2565         * jit/JITPropertyAccess.cpp:
2566         (JSC::JIT::emit_op_get_by_id):
2567         (JSC::JIT::compileGetByIdHotPath):
2568         (JSC::JIT::emitSlow_op_get_by_id):
2569         (JSC::JIT::compileGetByIdSlowCase):
2570         (JSC::JIT::emitSlow_op_put_by_id):
2571         * jit/JITPropertyAccess32_64.cpp:
2572         (JSC::JIT::emit_op_get_by_id):
2573         (JSC::JIT::compileGetByIdHotPath):
2574         (JSC::JIT::compileGetByIdSlowCase):
2575         * jit/JITStubs.cpp:
2576         (JSC::DEFINE_STUB_FUNCTION):
2577         * llint/LLIntSlowPaths.cpp:
2578         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2579
2580 2013-08-08  Mark Lam  <mark.lam@apple.com>
2581
2582         Restoring use of StackIterator instead of Interpreter::getStacktrace().
2583         https://bugs.webkit.org/show_bug.cgi?id=119575.
2584
2585         Reviewed by Oliver Hunt.
2586
2587         * interpreter/Interpreter.h:
2588         - Made getStackTrace() private.
2589         * interpreter/StackIterator.cpp:
2590         (JSC::StackIterator::StackIterator):
2591         (JSC::StackIterator::numberOfFrames):
2592         - Computes the number of frames by iterating through the whole stack
2593           from the starting frame. The iterator will save its current frame
2594           position before counting the frames, and then restoring it after
2595           the counting.
2596         (JSC::StackIterator::gotoFrameAtIndex):
2597         (JSC::StackIterator::gotoNextFrame):
2598         (JSC::StackIterator::resetIterator):
2599         - Points the iterator to the starting frame.
2600         * interpreter/StackIteratorPrivate.h:
2601
2602 2013-08-08  Mark Lam  <mark.lam@apple.com>
2603
2604         Moved ErrorConstructor and NativeErrorConstructor helper functions into
2605         the Interpreter class.
2606         https://bugs.webkit.org/show_bug.cgi?id=119576.
2607
2608         Reviewed by Oliver Hunt.
2609
2610         This change is needed to prepare for making Interpreter::getStackTrace()
2611         private. It does not change the behavior of the code, only the lexical
2612         scoping.
2613
2614         * interpreter/Interpreter.h:
2615         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
2616         * runtime/ErrorConstructor.cpp:
2617         (JSC::Interpreter::constructWithErrorConstructor):
2618         (JSC::ErrorConstructor::getConstructData):
2619         (JSC::Interpreter::callErrorConstructor):
2620         (JSC::ErrorConstructor::getCallData):
2621         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
2622           directly. So, we moved the helper functions into the Interpreter
2623           class.
2624         * runtime/NativeErrorConstructor.cpp:
2625         (JSC::Interpreter::constructWithNativeErrorConstructor):
2626         (JSC::NativeErrorConstructor::getConstructData):
2627         (JSC::Interpreter::callNativeErrorConstructor):
2628         (JSC::NativeErrorConstructor::getCallData):
2629         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
2630           directly. So, we moved the helper functions into the Interpreter
2631           class.
2632
2633 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2634
2635         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
2636         https://bugs.webkit.org/show_bug.cgi?id=119555
2637
2638         Reviewed by Geoffrey Garen.
2639
2640         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2641         This was causing crashes on maps.google.com in 32-bit debug builds.
2642
2643         * dfg/DFGSpeculativeJIT32_64.cpp:
2644         (JSC::DFG::SpeculativeJIT::compile):
2645
2646 2013-08-06  Michael Saboff  <msaboff@apple.com>
2647
2648         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2649         https://bugs.webkit.org/show_bug.cgi?id=119405
2650
2651         Reviewed by Geoffrey Garen.
2652
2653         * dfg/DFGSpeculativeJIT.cpp:
2654         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2655         ourselves to save a register and then load from it.
2656
2657 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2658
2659         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2660         https://bugs.webkit.org/show_bug.cgi?id=119528
2661
2662         Reviewed by Geoffrey Garen.
2663
2664         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2665         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2666         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2667         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2668         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2669
2670         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2671
2672         * bytecode/CodeBlock.cpp:
2673         (JSC::CodeBlock::finalizeUnconditionally):
2674         * dfg/DFGDriver.cpp:
2675         (JSC::DFG::compile):
2676         * dfg/DFGFixupPhase.cpp:
2677         (JSC::DFG::FixupPhase::fixupNode):
2678         * dfg/DFGGraph.cpp:
2679         (JSC::DFG::Graph::dump):
2680         * dfg/DFGSpeculativeJIT64.cpp:
2681         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2682         * runtime/JSObject.h:
2683         (JSC::JSObject::getIndexQuickly):
2684         (JSC::JSObject::tryGetIndexQuickly):
2685
2686 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2687
2688         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2689
2690         Unreviewed.
2691
2692         Ensure llint symbols are in source order.
2693
2694         * JavaScriptCore.order:
2695
2696 2013-08-06  Mark Lam  <mark.lam@apple.com>
2697
2698         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2699         https://bugs.webkit.org/show_bug.cgi?id=119532.
2700
2701         Reviewed by Oliver Hunt.
2702
2703         * parser/Parser.cpp:
2704         (JSC::::Parser):
2705         - Just need to initialize the Parser's JSTokenLocation's initial line and
2706           startOffset as well during Parser construction.
2707
2708 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2709
2710         Update Order Files for Safari
2711         <rdar://problem/14517392>
2712
2713         Unreviewed.
2714
2715         * JavaScriptCore.order:
2716
2717 2013-08-04  Sam Weinig  <sam@webkit.org>
2718
2719         Remove support for HTML5 MicroData
2720         https://bugs.webkit.org/show_bug.cgi?id=119480
2721
2722         Reviewed by Anders Carlsson.
2723
2724         * Configurations/FeatureDefines.xcconfig:
2725
2726 2013-08-05  Oliver Hunt  <oliver@apple.com>
2727
2728         Delay Arguments creation in strict mode
2729         https://bugs.webkit.org/show_bug.cgi?id=119505
2730
2731         Reviewed by Geoffrey Garen.
2732
2733         Make use of the write tracking performed by the parser to
2734         allow us to know if we're modifying the parameters to a function.
2735         Then use that information to make strict mode functions opt out
2736         of eager arguments creation.
2737
2738         * bytecompiler/BytecodeGenerator.cpp:
2739         (JSC::BytecodeGenerator::BytecodeGenerator):
2740         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2741         (JSC::BytecodeGenerator::emitReturn):
2742         * bytecompiler/BytecodeGenerator.h:
2743         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2744         * parser/Nodes.h:
2745         (JSC::ScopeNode::modifiesParameter):
2746         * parser/Parser.cpp:
2747         (JSC::::parseInner):
2748         * parser/Parser.h:
2749         (JSC::Scope::declareParameter):
2750         (JSC::Scope::getCapturedVariables):
2751         (JSC::Parser::declareWrite):
2752         * parser/ParserModes.h:
2753
2754 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2755
2756         Remove useless code from COMPILER(RVCT) JITStubs
2757         https://bugs.webkit.org/show_bug.cgi?id=119521
2758
2759         Reviewed by Geoffrey Garen.
2760
2761         * jit/JITStubsARMv7.h:
2762         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2763         (JSC::ctiOpThrowNotCaught): Ditto.
2764
2765 2013-07-23  David Farler  <dfarler@apple.com>
2766
2767         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2768         https://bugs.webkit.org/show_bug.cgi?id=117762
2769
2770         Reviewed by Mark Rowe.
2771
2772         * Configurations/DebugRelease.xcconfig:
2773         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2774         * Configurations/JavaScriptCore.xcconfig:
2775         Add ASAN_OTHER_LDFLAGS.
2776         * Configurations/ToolExecutable.xcconfig:
2777         Don't use ASAN for build tools.
2778
2779 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2780
2781         Build fix for ARM MSVC after r153222 and r153648.
2782
2783         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2784
2785 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2786
2787         Build fix for ARM MSVC after r150109.
2788
2789         Read the stub template from a header file instead of JITStubs.cpp.
2790
2791         * CMakeLists.txt:
2792         * DerivedSources.pri:
2793         * create_jit_stubs:
2794
2795 2013-08-05  Oliver Hunt  <oliver@apple.com>
2796
2797         Move TypedArray implementation into JSC
2798         https://bugs.webkit.org/show_bug.cgi?id=119489
2799
2800         Reviewed by Filip Pizlo.
2801
2802         Move TypedArray implementation into JSC in advance of re-implementation.
2803
2804         * GNUmakefile.list.am:
2805         * JSCTypedArrayStubs.h:
2806         * JavaScriptCore.xcodeproj/project.pbxproj:
2807         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2808         (JSC::ArrayBuffer::transfer):
2809         (JSC::ArrayBuffer::addView):
2810         (JSC::ArrayBuffer::removeView):
2811         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2812         (JSC::ArrayBufferContents::ArrayBufferContents):
2813         (JSC::ArrayBufferContents::data):
2814         (JSC::ArrayBufferContents::sizeInBytes):
2815         (JSC::ArrayBufferContents::transfer):
2816         (JSC::ArrayBufferContents::copyTo):
2817         (JSC::ArrayBuffer::isNeutered):
2818         (JSC::ArrayBuffer::~ArrayBuffer):
2819         (JSC::ArrayBuffer::clampValue):
2820         (JSC::ArrayBuffer::create):
2821         (JSC::ArrayBuffer::createUninitialized):
2822         (JSC::ArrayBuffer::ArrayBuffer):
2823         (JSC::ArrayBuffer::data):
2824         (JSC::ArrayBuffer::byteLength):
2825         (JSC::ArrayBuffer::slice):
2826         (JSC::ArrayBuffer::sliceImpl):
2827         (JSC::ArrayBuffer::clampIndex):
2828         (JSC::ArrayBufferContents::tryAllocate):
2829         (JSC::ArrayBufferContents::~ArrayBufferContents):
2830         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2831         (JSC::ArrayBufferView::ArrayBufferView):
2832         (JSC::ArrayBufferView::~ArrayBufferView):
2833         (JSC::ArrayBufferView::neuter):
2834         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2835         (JSC::ArrayBufferView::buffer):
2836         (JSC::ArrayBufferView::baseAddress):
2837         (JSC::ArrayBufferView::byteOffset):
2838         (JSC::ArrayBufferView::setNeuterable):
2839         (JSC::ArrayBufferView::isNeuterable):
2840         (JSC::ArrayBufferView::verifySubRange):
2841         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2842         (JSC::ArrayBufferView::setImpl):
2843         (JSC::ArrayBufferView::setRangeImpl):
2844         (JSC::ArrayBufferView::zeroRangeImpl):
2845         (JSC::ArrayBufferView::calculateOffsetAndLength):
2846         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2847         (JSC::Float32Array::set):
2848         (JSC::Float32Array::getType):
2849         (JSC::Float32Array::create):
2850         (JSC::Float32Array::createUninitialized):
2851         (JSC::Float32Array::Float32Array):
2852         (JSC::Float32Array::subarray):
2853         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2854         (JSC::Float64Array::set):
2855         (JSC::Float64Array::getType):
2856         (JSC::Float64Array::create):
2857         (JSC::Float64Array::createUninitialized):
2858         (JSC::Float64Array::Float64Array):
2859         (JSC::Float64Array::subarray):
2860         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2861         (JSC::Int16Array::getType):
2862         (JSC::Int16Array::create):
2863         (JSC::Int16Array::createUninitialized):
2864         (JSC::Int16Array::Int16Array):
2865         (JSC::Int16Array::subarray):
2866         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2867         (JSC::Int32Array::getType):
2868         (JSC::Int32Array::create):
2869         (JSC::Int32Array::createUninitialized):
2870         (JSC::Int32Array::Int32Array):
2871         (JSC::Int32Array::subarray):
2872         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2873         (JSC::Int8Array::getType):
2874         (JSC::Int8Array::create):
2875         (JSC::Int8Array::createUninitialized):
2876         (JSC::Int8Array::Int8Array):
2877         (JSC::Int8Array::subarray):
2878         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2879         (JSC::IntegralTypedArrayBase::set):
2880         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2881         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2882         (JSC::TypedArrayBase::data):
2883         (JSC::TypedArrayBase::set):
2884         (JSC::TypedArrayBase::setRange):
2885         (JSC::TypedArrayBase::zeroRange):
2886         (JSC::TypedArrayBase::length):
2887         (JSC::TypedArrayBase::byteLength):
2888         (JSC::TypedArrayBase::item):
2889         (JSC::TypedArrayBase::checkInboundData):
2890         (JSC::TypedArrayBase::TypedArrayBase):
2891         (JSC::TypedArrayBase::create):
2892         (JSC::TypedArrayBase::createUninitialized):
2893         (JSC::TypedArrayBase::subarrayImpl):
2894         (JSC::TypedArrayBase::neuter):
2895         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2896         (JSC::Uint16Array::getType):
2897         (JSC::Uint16Array::create):
2898         (JSC::Uint16Array::createUninitialized):
2899         (JSC::Uint16Array::Uint16Array):
2900         (JSC::Uint16Array::subarray):
2901         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2902         (JSC::Uint32Array::getType):
2903         (JSC::Uint32Array::create):
2904         (JSC::Uint32Array::createUninitialized):
2905         (JSC::Uint32Array::Uint32Array):
2906         (JSC::Uint32Array::subarray):
2907         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2908         (JSC::Uint8Array::getType):
2909         (JSC::Uint8Array::create):
2910         (JSC::Uint8Array::createUninitialized):
2911         (JSC::Uint8Array::Uint8Array):
2912         (JSC::Uint8Array::subarray):
2913         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2914         (JSC::Uint8ClampedArray::getType):
2915         (JSC::Uint8ClampedArray::create):
2916         (JSC::Uint8ClampedArray::createUninitialized):
2917         (JSC::Uint8ClampedArray::zeroFill):
2918         (JSC::Uint8ClampedArray::set):
2919         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2920         (JSC::Uint8ClampedArray::subarray):
2921         * runtime/VM.h:
2922
2923 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2924
2925         Copied space should be able to handle more than one copied backing store per JSCell
2926         https://bugs.webkit.org/show_bug.cgi?id=119471
2927
2928         Reviewed by Mark Hahnenberg.
2929         
2930         This allows a cell to call copyLater() multiple times for multiple different
2931         backing stores, and then have copyBackingStore() called exactly once for each
2932         of those. A token tells it which backing store to copy. All backing stores
2933         must be named using the CopyToken, an enumeration which currently cannot
2934         exceed eight entries.
2935         
2936         When copyBackingStore() is called, it's up to the callee to (a) use the token
2937         to decide what to copy and (b) call its base class's copyBackingStore() in
2938         case the base class had something that needed copying. The only exception is
2939         that JSCell never asks anything to be copied, and so if your base is JSCell
2940         then you don't have to do anything.
2941
2942         * GNUmakefile.list.am:
2943         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2944         * JavaScriptCore.xcodeproj/project.pbxproj:
2945         * heap/CopiedBlock.h:
2946         * heap/CopiedBlockInlines.h:
2947         (JSC::CopiedBlock::reportLiveBytes):
2948         * heap/CopyToken.h: Added.
2949         * heap/CopyVisitor.cpp:
2950         (JSC::CopyVisitor::copyFromShared):
2951         * heap/CopyVisitor.h:
2952         * heap/CopyVisitorInlines.h:
2953         (JSC::CopyVisitor::visitItem):
2954         * heap/CopyWorkList.h:
2955         (JSC::CopyWorklistItem::CopyWorklistItem):
2956         (JSC::CopyWorklistItem::cell):
2957         (JSC::CopyWorklistItem::token):
2958         (JSC::CopyWorkListSegment::get):
2959         (JSC::CopyWorkListSegment::append):
2960         (JSC::CopyWorkListSegment::data):
2961         (JSC::CopyWorkListIterator::get):
2962         (JSC::CopyWorkListIterator::operator*):
2963         (JSC::CopyWorkListIterator::operator->):
2964         (JSC::CopyWorkList::append):
2965         * heap/SlotVisitor.h:
2966         * heap/SlotVisitorInlines.h:
2967         (JSC::SlotVisitor::copyLater):
2968         * runtime/ClassInfo.h:
2969         * runtime/JSCell.cpp:
2970         (JSC::JSCell::copyBackingStore):
2971         * runtime/JSCell.h:
2972         * runtime/JSObject.cpp:
2973         (JSC::JSObject::visitButterfly):
2974         (JSC::JSObject::copyBackingStore):
2975         * runtime/JSObject.h:
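
As an added illustration (not JavaScriptCore's code), a small C++ model of the copyLater()/copyBackingStore() contract described in the entry above: every store is named by a token, each (cell, token) pair is copied exactly once, and a derived class dispatches on the token and chains to its base. The class names ModelCell, ModelObject, ModelTypedArray, ModelCopyVisitor, the token values and the "forgetful" subclass are all hypothetical.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <stdexcept>
#include <utility>
#include <vector>

// Every backing store is named by a token. The entry above says the
// enumeration currently cannot exceed eight entries, so keep it in 3 bits.
enum CopyToken : std::uint8_t {
    ButterflyCopyToken = 0,        // the base class's (object's) store
    TypedArrayVectorCopyToken = 1, // a derived class's own store
};
static_assert(TypedArrayVectorCopyToken < 8, "CopyToken must fit in 3 bits");

struct ModelCell;

// Gathers the (cell, token) pairs registered via copyLater() and then calls
// copyBackingStore() exactly once for each of them.
struct ModelCopyVisitor {
    std::vector<std::pair<ModelCell*, CopyToken>> workList;
    void copyLater(ModelCell* cell, CopyToken token) { workList.emplace_back(cell, token); }
    void run();
};

struct ModelCell {
    virtual ~ModelCell() {}
    // Register each backing store the cell owns (one copyLater() per store).
    virtual void visitChildren(ModelCopyVisitor&) {}
    // Copy the store named by `token`. The plain cell never asks for a copy,
    // so it does nothing; derived classes dispatch on the token and forward
    // tokens they do not own to their base.
    virtual void copyBackingStore(ModelCopyVisitor&, CopyToken) {}
    std::map<CopyToken, int> copies; // per-token count, checks "exactly once"
};

struct ModelObject : ModelCell {
    std::vector<std::uint8_t> butterfly;
    ModelObject() : butterfly{1, 2, 3, 4} {}
    void visitChildren(ModelCopyVisitor& visitor) override {
        visitor.copyLater(this, ButterflyCopyToken);
    }
    void copyBackingStore(ModelCopyVisitor& visitor, CopyToken token) override {
        if (token == ButterflyCopyToken) {
            std::vector<std::uint8_t> fresh(butterfly); // "copy" into a new block
            butterfly.swap(fresh);
            ++copies[token];
            return;
        }
        ModelCell::copyBackingStore(visitor, token);
    }
};

struct ModelTypedArray : ModelObject {
    std::vector<std::uint8_t> vector;
    ModelTypedArray() : vector{9, 8, 7} {}
    void visitChildren(ModelCopyVisitor& visitor) override {
        ModelObject::visitChildren(visitor);                // the butterfly
        visitor.copyLater(this, TypedArrayVectorCopyToken); // our own store
    }
    void copyBackingStore(ModelCopyVisitor& visitor, CopyToken token) override {
        if (token == TypedArrayVectorCopyToken) {          // (a) use the token
            std::vector<std::uint8_t> fresh(vector);
            vector.swap(fresh);
            ++copies[token];
            return;
        }
        ModelObject::copyBackingStore(visitor, token);      // (b) base may own it
    }
};

void ModelCopyVisitor::run() {
    std::set<std::pair<ModelCell*, CopyToken>> seen;
    for (const auto& item : workList) {
        if (!seen.insert(item).second) // one call per (cell, token)
            throw std::logic_error("backing store queued twice");
        item.first->copyBackingStore(*this, item.second);
    }
    workList.clear();
}

// One copy cycle over a typed array; returns how often each token was copied.
std::map<CopyToken, int> copyCycleCounts() {
    ModelTypedArray array;
    ModelCopyVisitor visitor;
    array.visitChildren(visitor);
    visitor.run();
    return array.copies;
}

// Failure mode: a subclass that skips step (b) never copies the butterfly.
struct ForgetfulTypedArray : ModelTypedArray {
    void copyBackingStore(ModelCopyVisitor&, CopyToken token) override {
        if (token == TypedArrayVectorCopyToken)
            ++copies[token]; // bug: no ModelObject::copyBackingStore() call
    }
};
int forgetfulCopyCount() {
    ForgetfulTypedArray array;
    ModelCopyVisitor visitor;
    array.visitChildren(visitor);
    visitor.run();
    return static_cast<int>(array.copies.size()); // 1: butterfly token dropped
}
```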
2976
2977 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2978
2979         [Automake] Define ENABLE_JIT through the Autoconf header
2980         https://bugs.webkit.org/show_bug.cgi?id=119445
2981
2982         Reviewed by Martin Robinson.
2983
2984         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2985
2986 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2987
2988         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2989         https://bugs.webkit.org/show_bug.cgi?id=119470
2990
2991         Reviewed by Oliver Hunt.
2992         
2993         Structure can still tell you if the object "could" (in the conservative sense)
2994         have an indexing header; that's used by the compiler.
2995         
2996         Most of the time if you want to know if there's an indexing header, you ask the
2997         JSObject.
2998         
2999         In some cases, the JSObject wants to know if it would have an indexing header if
3000         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
3001
3002         * dfg/DFGRepatch.cpp:
3003         (JSC::DFG::tryCachePutByID):
3004         (JSC::DFG::tryBuildPutByIdList):
3005         * dfg/DFGSpeculativeJIT.cpp:
3006         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3007         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3008         * runtime/ButterflyInlines.h:
3009         (JSC::Butterfly::create):
3010         (JSC::Butterfly::growPropertyStorage):
3011         (JSC::Butterfly::growArrayRight):
3012         (JSC::Butterfly::resizeArray):
3013         * runtime/JSObject.cpp:
3014         (JSC::JSObject::copyButterfly):
3015         (JSC::JSObject::visitButterfly):
3016         * runtime/JSObject.h:
3017         (JSC::JSObject::hasIndexingHeader):
3018         (JSC::JSObject::setButterfly):
3019         * runtime/Structure.h:
3020         (JSC::Structure::couldHaveIndexingHeader):
3021         (JSC::Structure::hasIndexingHeader):
3022
3023 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3024
3025         Give the error object's stack property accessor attributes.
3026         https://bugs.webkit.org/show_bug.cgi?id=119404
3027
3028         Reviewed by Geoffrey Garen.
3029         
3030         Changed the attributes of error object's stack property to allow developers to write
3031         and delete the stack property. This will match the functionality of Chrome. Firefox  
3032         allows developers to write the error's stack, but not delete it. 
3033
3034         * interpreter/Interpreter.cpp:
3035         (JSC::Interpreter::addStackTraceIfNecessary):
3036         * runtime/ErrorInstance.cpp:
3037         (JSC::ErrorInstance::finishCreation):
3038
3039 2013-08-02  Oliver Hunt  <oliver@apple.com>
3040
3041         Incorrect type speculation reported by ToPrimitive
3042         https://bugs.webkit.org/show_bug.cgi?id=119458
3043
3044         Reviewed by Mark Hahnenberg.
3045
3046         Make sure that we report the correct type possibilities for the output
3047         from ToPrimitive
3048
3049         * dfg/DFGAbstractInterpreterInlines.h:
3050         (JSC::DFG::::executeEffects):
3051
3052 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
3053
3054         Remove no-arguments constructor to PropertySlot
3055         https://bugs.webkit.org/show_bug.cgi?id=119460
3056
3057         Reviewed by Geoff Garen.
3058
3059         This constructor was unsafe if getValue is subsequently called,
3060         and the property is a getter. Simplest to just remove it.
3061
3062         * runtime/Arguments.cpp:
3063         (JSC::Arguments::defineOwnProperty):
3064         * runtime/JSActivation.cpp:
3065         (JSC::JSActivation::getOwnPropertyDescriptor):
3066         * runtime/JSFunction.cpp:
3067         (JSC::JSFunction::getOwnPropertyDescriptor):
3068         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3069         (JSC::JSFunction::put):
3070         (JSC::JSFunction::defineOwnProperty):
3071         * runtime/JSGlobalObject.cpp:
3072         (JSC::JSGlobalObject::defineOwnProperty):
3073         * runtime/JSGlobalObject.h:
3074         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
3075         * runtime/JSNameScope.cpp:
3076         (JSC::JSNameScope::put):
3077         * runtime/JSONObject.cpp:
3078         (JSC::Stringifier::Holder::appendNextProperty):
3079         (JSC::Walker::walk):
3080         * runtime/JSObject.cpp:
3081         (JSC::JSObject::hasProperty):
3082         (JSC::JSObject::hasOwnProperty):
3083         (JSC::JSObject::reifyStaticFunctionsForDelete):
3084         * runtime/Lookup.h:
3085         (JSC::getStaticPropertyDescriptor):
3086         (JSC::getStaticFunctionDescriptor):
3087         (JSC::getStaticValueDescriptor):
3088         * runtime/ObjectConstructor.cpp:
3089         (JSC::defineProperties):
3090         * runtime/PropertySlot.h:
3091
3092 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3093
3094         DFG validation can cause assertion failures due to dumping
3095         https://bugs.webkit.org/show_bug.cgi?id=119456
3096
3097         Reviewed by Geoffrey Garen.
3098
3099         * bytecode/CodeBlock.cpp:
3100         (JSC::CodeBlock::hasHash):
3101         (JSC::CodeBlock::isSafeToComputeHash):
3102         (JSC::CodeBlock::hash):
3103         (JSC::CodeBlock::dumpAssumingJITType):
3104         * bytecode/CodeBlock.h:
3105
3106 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3107
3108         Have vm's exceptionStack match Java's vm's exceptionStack.
3109         https://bugs.webkit.org/show_bug.cgi?id=119362
3110
3111         Reviewed by Geoffrey Garen.
3112         
3113         The error object's stack is only updated if it does not exist yet. This matches 
3114         the functionality of other browsers, and Java VMs. 
3115
3116         * interpreter/Interpreter.cpp:
3117         (JSC::Interpreter::addStackTraceIfNecessary):
3118         (JSC::Interpreter::throwException):
3119         * runtime/VM.cpp:
3120         (JSC::VM::clearExceptionStack):
3121         * runtime/VM.h:
3122         (JSC::VM::lastExceptionStack):
3123
3124 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3125
3126         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
3127         https://bugs.webkit.org/show_bug.cgi?id=119447
3128
3129         Reviewed by Geoffrey Garen.
3130
3131         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
3132         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
3133         r153583 (sh4) and r153648 (ARM).
3134
3135         * jit/JITStubsMIPS.h:
3136
3137 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
3138
3139         hasIndexingHeader should be a property of the Structure, not just the IndexingType
3140         https://bugs.webkit.org/show_bug.cgi?id=119422
3141
3142         Reviewed by Oliver Hunt.
3143         
3144         This simplifies some code and also allows Structure to claim that an object
3145         has an indexing header even if it doesn't have indexed properties.
3146         
3147         I also changed some calls to use hasIndexedProperties() since in some cases,
3148         that's what we actually meant. Currently the two are synonyms.
3149
3150         * dfg/DFGRepatch.cpp:
3151         (JSC::DFG::tryCachePutByID):
3152         (JSC::DFG::tryBuildPutByIdList):
3153         * dfg/DFGSpeculativeJIT.cpp:
3154         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3155         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3156         * runtime/ButterflyInlines.h:
3157         (JSC::Butterfly::create):
3158         (JSC::Butterfly::growPropertyStorage):
3159         (JSC::Butterfly::growArrayRight):
3160         (JSC::Butterfly::resizeArray):
3161         * runtime/IndexingType.h:
3162         * runtime/JSObject.cpp:
3163         (JSC::JSObject::copyButterfly):
3164         (JSC::JSObject::visitButterfly):
3165         (JSC::JSObject::setPrototype):
3166         * runtime/JSObject.h:
3167         (JSC::JSObject::setButterfly):
3168         * runtime/JSPropertyNameIterator.cpp:
3169         (JSC::JSPropertyNameIterator::create):
3170         * runtime/Structure.h:
3171         (JSC::Structure::hasIndexingHeader):
3172
3173 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3174
3175         REGRESSION: ARM still crashes after change set r153612.
3176         https://bugs.webkit.org/show_bug.cgi?id=119433
3177
3178         Reviewed by Michael Saboff.
3179
3180         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
3181         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
3182         for sh4 architecture.
3183
3184         * jit/JITStubsARM.h:
3185         * jit/JITStubsARMv7.h:
3186
3187 2013-08-02  Michael Saboff  <msaboff@apple.com>
3188
3189         REGRESSION(r153612): It made jsc and layout tests crash
3190         https://bugs.webkit.org/show_bug.cgi?id=119440
3191
3192         Reviewed by Csaba Osztrogonác.
3193
3194         Made the changes of changeset r153612 only apply to 32 bit builds.
3195
3196         * jit/JITExceptions.cpp:
3197         * jit/JITExceptions.h:
3198         * jit/JITStubs.cpp:
3199         (JSC::cti_vm_throw_slowpath):
3200         * jit/JITStubs.h:
3201
3202 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
3203
3204         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
3205
3206         * CMakeLists.txt:
3207
3208 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
3209
3210         [Forms: color] <input type='color'> popover color well implementation
3211         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
3212
3213         Reviewed by Benjamin Poulain.
3214
3215         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
3216
3217 2013-08-01  Oliver Hunt  <oliver@apple.com>
3218
3219         DFG is not enforcing correct ordering of ToString conversion in MakeRope
3220         https://bugs.webkit.org/show_bug.cgi?id=119408
3221
3222         Reviewed by Filip Pizlo.
3223
3224         Construct ToString and Phantom nodes in advance of MakeRope
3225         nodes to ensure that ordering is ensured, and correct values
3226         will be reified on OSR exit.
3227
3228         * dfg/DFGByteCodeParser.cpp:
3229         (JSC::DFG::ByteCodeParser::parseBlock):
3230
3231 2013-08-01  Michael Saboff  <msaboff@apple.com>
3232
3233         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
3234         https://bugs.webkit.org/show_bug.cgi?id=119140
3235
3236         Reviewed by Filip Pizlo.
3237
3238         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
3239
3240         * jit/JITExceptions.cpp:
3241         (JSC::encode):
3242         * jit/JITExceptions.h:
3243         * jit/JITStubs.cpp:
3244         (JSC::cti_vm_throw_slowpath):
3245         * jit/JITStubs.h:
3246
3247 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
3248
3249         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
3250         https://bugs.webkit.org/show_bug.cgi?id=119391
3251
3252         Reviewed by Csaba Osztrogonác.
3253
3254         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
3255             - Call frame is in r14 register.
3256             - Do not restore registers from JIT stack frame here.
3257
3258 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3259
3260         More cleanup in PropertySlot
3261         https://bugs.webkit.org/show_bug.cgi?id=119359
3262
3263         Reviewed by Geoff Garen.
3264
3265         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
3266         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
3267
3268         * dfg/DFGRepatch.cpp:
3269         (JSC::DFG::tryCacheGetByID):
3270         (JSC::DFG::tryBuildGetByIDList):
3271             - No need to ASSERT slotBase is an object.
3272         * jit/JITStubs.cpp:
3273         (JSC::tryCacheGetByID):
3274         (JSC::DEFINE_STUB_FUNCTION):
3275             - No need to ASSERT slotBase is an object.
3276         * runtime/JSObject.cpp:
3277         (JSC::JSObject::getOwnPropertySlotByIndex):
3278         (JSC::JSObject::fillGetterPropertySlot):
3279             - Pass an object through to setGetterSlot.
3280         * runtime/JSObject.h:
3281         (JSC::PropertySlot::getValue):
3282             - Moved from PropertySlot (need to know about JSObject).
3283         * runtime/PropertySlot.cpp:
3284         (JSC::PropertySlot::functionGetter):
3285             - Update per member name changes.
3286         * runtime/PropertySlot.h:
3287         (JSC::PropertySlot::PropertySlot):
3288             - Argument to constructor set to 'thisValue'.
3289         (JSC::PropertySlot::slotBase):
3290             - This returns a JSObject*.
3291         (JSC::PropertySlot::setValue):
3292         (JSC::PropertySlot::setCustom):
3293         (JSC::PropertySlot::setCacheableCustom):
3294         (JSC::PropertySlot::setCustomIndex):
3295         (JSC::PropertySlot::setGetterSlot):
3296         (JSC::PropertySlot::setCacheableGetterSlot):
3297             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
3298         * runtime/SparseArrayValueMap.cpp:
3299         (JSC::SparseArrayEntry::get):
3300             - Pass an object through to setGetterSlot.
3301         * runtime/SparseArrayValueMap.h:
3302             - Pass an object through to setGetterSlot.
3303
3304 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
3305
3306         Reduce JSC API static value setter/getter overhead.
3307         https://bugs.webkit.org/show_bug.cgi?id=119277
3308
3309         Reviewed by Geoffrey Garen.
3310
3311         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
3312         need to get called every time we set or get the static value.
3313
3314         * API/JSCallbackObjectFunctions.h:
3315         (JSC::::put):
3316         (JSC::::putByIndex):
3317         (JSC::::getStaticValue):
3318         * API/JSClassRef.cpp:
3319         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3320         * API/JSClassRef.h:
3321         (StaticValueEntry::StaticValueEntry):
3322
3323 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
3324
3325         Use emptyString instead of String("")
3326         https://bugs.webkit.org/show_bug.cgi?id=119335
3327
3328         Reviewed by Darin Adler.
3329
3330         Use emptyString() instead of String("") because it is better style and
3331         faster. This is a followup to r116908, removing all occurrences of
3332         String("") from WebKit.
3333
3334         * runtime/RegExpConstructor.cpp:
3335         (JSC::constructRegExp):
3336         * runtime/RegExpPrototype.cpp:
3337         (JSC::regExpProtoFuncCompile):
3338         * runtime/StringPrototype.cpp:
3339         (JSC::stringProtoFuncMatch):
3340         (JSC::stringProtoFuncSearch):
3341
3342 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
3343
3344         <input type=color> Mac UI behaviour
3345         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
3346
3347         Reviewed by Brady Eidson.
3348
3349         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
3350
3351 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
3352
3353         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
3354         https://bugs.webkit.org/show_bug.cgi?id=119349
3355
3356         Reviewed by Geoffrey Garen.
3357
3358         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
3359         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
3360         on code it compiled with any switch statements to have been run in the baseline JIT first. 
3361         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
3362         JIT then this resizing never happens and we crash at link time in the DFG.
3363
3364         We can fix this by also doing the resize in the DFG to catch this case.
3365
3366         * dfg/DFGJITCompiler.cpp:
3367         (JSC::DFG::JITCompiler::link):
3368
3369 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3370
3371         Speculative Windows build fix.
3372
3373         Reviewed by NOBODY
3374
3375         * runtime/JSString.cpp:
3376         (JSC::JSRopeString::getIndexSlowCase):
3377         * runtime/JSString.h:
3378
3379 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
3380
3381         Some cleanup in JSValue::get
3382         https://bugs.webkit.org/show_bug.cgi?id=119343
3383
3384         Reviewed by Geoff Garen.
3385
3386         JSValue::get is implemented to:
3387             1) Check if the value is a cell – if not, synthesize a prototype to search,
3388             2) call getOwnPropertySlot on the cell,
3389             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
3390         By all rights this should crash when passed a string and accessing a property that does not exist, because
3391         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
3392         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
3393         prototype chain, and faking out a return value of undefined if no property is found.
3394
3395         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
3396         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
3397
3398         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
3399         slots anyway.
3400
3401         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
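
An added example, not JavaScriptCore's code, that models the lookup the entry above describes in a miniature object model (ToyCell, ToyObject, ToyString, ToyValue and ToyGlobal are all hypothetical): getOwnPropertySlot exists only on objects, a cell is cast to an object only after it reports that it is one, and numbers and strings start the search at a synthesized prototype instead, so no getOwnPropertySlot has to fake "undefined".

```cpp
#include <map>
#include <string>
#include <utility>

struct ToyCell {
    virtual ~ToyCell() {}
    virtual bool isObject() const = 0;
};

// Only objects carry property slots; getOwnPropertySlot lives here, not on ToyCell.
struct ToyObject : ToyCell {
    std::map<std::string, std::string> own;
    const ToyObject* prototype = nullptr;
    bool isObject() const override { return true; }
    bool getOwnPropertySlot(const std::string& name, std::string& out) const {
        auto it = own.find(name);
        if (it == own.end())
            return false;
        out = it->second;
        return true;
    }
};

// A string is a cell but not an object: casting it to ToyObject would be the
// unsafe step the entry describes.
struct ToyString : ToyCell {
    std::string value;
    explicit ToyString(std::string v) : value(std::move(v)) {}
    bool isObject() const override { return false; }
};

// A value is either a number (not a cell) or a pointer to a cell.
struct ToyValue {
    const ToyCell* cell = nullptr;
    double number = 0;
    bool isCell() const { return cell != nullptr; }
};

// Stand-in for the prototypes a real engine fetches from the global object.
struct ToyGlobal {
    ToyObject objectPrototype, numberPrototype, stringPrototype;
};

// Step 1: choose where the search starts. Non-cells and non-object cells get
// a synthesized prototype; only a cell that reports isObject() is cast.
static const ToyObject* startObject(const ToyGlobal& g, const ToyValue& v) {
    if (!v.isCell())
        return &g.numberPrototype;
    if (v.cell->isObject())
        return static_cast<const ToyObject*>(v.cell);
    return &g.stringPrototype;
}

// Steps 2 and 3: getOwnPropertySlot on the start object, then walk the
// prototype chain. "undefined" is produced here, once, when nothing is found.
std::string get(const ToyGlobal& g, const ToyValue& v, const std::string& name) {
    for (const ToyObject* o = startObject(g, v); o; o = o->prototype) {
        std::string out;
        if (o->getOwnPropertySlot(name, out))
            return out;
    }
    return "undefined";
}

// Constructed world: String.prototype and Number.prototype chain to
// Object.prototype, with one method each.
static void populate(ToyGlobal& g) {
    g.stringPrototype.prototype = &g.objectPrototype;
    g.numberPrototype.prototype = &g.objectPrototype;
    g.stringPrototype.own["toUpperCase"] = "function";
    g.objectPrototype.own["toString"] = "function";
}

std::string lookupOnString(const std::string& name) {
    ToyGlobal g;
    populate(g);
    ToyString s("abc");
    ToyValue v;
    v.cell = &s; // a cell that is not an object
    return get(g, v, name);
}

std::string lookupOnNumber(const std::string& name) {
    ToyGlobal g;
    populate(g);
    ToyValue v;
    v.number = 42; // not a cell at all
    return get(g, v, name);
}
```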
3402
3403 2013-07-31  Michael Saboff  <msaboff@apple.com>
3404
3405         [Win] JavaScript crash.
3406         https://bugs.webkit.org/show_bug.cgi?id=119339
3407
3408         Reviewed by Mark Hahnenberg.
3409
3410         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
3411         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
3412
3413 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
3414
3415         GetByVal on Arguments does the wrong size load when checking the Arguments object length
3416         https://bugs.webkit.org/show_bug.cgi?id=119281
3417
3418         Reviewed by Geoffrey Garen.
3419
3420         This leads to out of bounds accesses and subsequent crashes.
3421
3422         * dfg/DFGSpeculativeJIT.cpp:
3423         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
3424         * dfg/DFGSpeculativeJIT64.cpp:
3425         (JSC::DFG::SpeculativeJIT::compile):
3426
3427 2013-07-30  Oliver Hunt  <oliver@apple.com>
3428
3429         Add an assertion to SpeculateCellOperand
3430         https://bugs.webkit.org/show_bug.cgi?id=119276
3431
3432         Reviewed by Michael Saboff.
3433
3434         More assertions are better
3435
3436         * dfg/DFGSpeculativeJIT64.cpp:
3437         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3438         (JSC::DFG::SpeculativeJIT::compile):
3439
3440 2013-07-30  Mark Lam  <mark.lam@apple.com>
3441
3442         Fix problems with divot and lineStart mismatches.
3443         https://bugs.webkit.org/show_bug.cgi?id=118662
3444
3445         Reviewed by Oliver Hunt.
3446
3447         r152494 added the recording of lineStart values for divot positions.
3448         This is needed for the computation of column numbers. Similarly, it also
3449         added the recording of line numbers for the divot positions. One problem
3450         with the approach taken was that the line and lineStart values were
3451         recorded independently, and hence were not always guaranteed to be
3452         sampled at the same place that the divot position is recorded. This
3453         resulted in potential mismatches that cause some assertions to fail.
3454
3455         The solution is to introduce a JSTextPosition abstraction that records
3456         the divot position, line, and lineStart as a single quantity. Wherever
3457         we record the divot position as an unsigned int previously, we now record
3458         its JSTextPosition which captures all 3 values in one go. This ensures
3459         that the captured line and lineStart will always match the captured divot
3460         position.
3461
3462         * bytecompiler/BytecodeGenerator.cpp:
3463         (JSC::BytecodeGenerator::emitCall):
3464         (JSC::BytecodeGenerator::emitCallEval):
3465         (JSC::BytecodeGenerator::emitCallVarargs):
3466         (JSC::BytecodeGenerator::emitConstruct):
3467         (JSC::BytecodeGenerator::emitDebugHook):
3468         - Use JSTextPosition instead of passing line and lineStart explicitly.
3469         * bytecompiler/BytecodeGenerator.h:
3470         (JSC::BytecodeGenerator::emitExpressionInfo):
3471         - Use JSTextPosition instead of passing line and lineStart explicitly.
3472         * bytecompiler/NodesCodegen.cpp:
3473         (JSC::ThrowableExpressionData::emitThrowReferenceError):
3474         (JSC::ResolveNode::emitBytecode):
3475         (JSC::BracketAccessorNode::emitBytecode):
3476         (JSC::DotAccessorNode::emitBytecode):
3477         (JSC::NewExprNode::emitBytecode):
3478         (JSC::EvalFunctionCallNode::emitBytecode):
3479         (JSC::FunctionCallValueNode::emitBytecode):
3480         (JSC::FunctionCallResolveNode::emitBytecode):
3481         (JSC::FunctionCallBracketNode::emitBytecode):
3482         (JSC::FunctionCallDotNode::emitBytecode):
3483         (JSC::CallFunctionCallDotNode::emitBytecode):
3484         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3485         (JSC::PostfixNode::emitResolve):
3486         (JSC::PostfixNode::emitBracket):
3487         (JSC::PostfixNode::emitDot):
3488         (JSC::DeleteResolveNode::emitBytecode):
3489         (JSC::DeleteBracketNode::emitBytecode):
3490         (JSC::DeleteDotNode::emitBytecode):
3491         (JSC::PrefixNode::emitResolve):
3492         (JSC::PrefixNode::emitBracket):
3493         (JSC::PrefixNode::emitDot):
3494         (JSC::UnaryOpNode::emitBytecode):
3495         (JSC::BinaryOpNode::emitStrcat):
3496         (JSC::BinaryOpNode::emitBytecode):
3497         (JSC::ThrowableBinaryOpNode::emitBytecode):
3498         (JSC::InstanceOfNode::emitBytecode):
3499         (JSC::emitReadModifyAssignment):
3500         (JSC::ReadModifyResolveNode::emitBytecode):
3501         (JSC::AssignResolveNode::emitBytecode):
3502         (JSC::AssignDotNode::emitBytecode):
3503         (JSC::ReadModifyDotNode::emitBytecode):
3504         (JSC::AssignBracketNode::emitBytecode):
3505         (JSC::ReadModifyBracketNode::emitBytecode):
3506         (JSC::ForInNode::emitBytecode):
3507         (JSC::WithNode::emitBytecode):
3508         (JSC::ThrowNode::emitBytecode):
3509         - Use JSTextPosition instead of passing line and lineStart explicitly.
3510         * parser/ASTBuilder.h:
3511         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
3512         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
3513         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
3514         (JSC::ASTBuilder::createResolve):
3515         (JSC::ASTBuilder::createBracketAccess):
3516         (JSC::ASTBuilder::createDotAccess):
3517         (JSC::ASTBuilder::createRegExp):
3518         (JSC::ASTBuilder::createNewExpr):
3519         (JSC::ASTBuilder::createAssignResolve):
3520         (JSC::ASTBuilder::createExprStatement):
3521         (JSC::ASTBuilder::createForInLoop):
3522         (JSC::ASTBuilder::createReturnStatement):
3523         (JSC::ASTBuilder::createBreakStatement):
3524         (JSC::ASTBuilder::createContinueStatement):
3525         (JSC::ASTBuilder::createLabelStatement):
3526         (JSC::ASTBuilder::createWithStatement):
3527         (JSC::ASTBuilder::createThrowStatement):
3528         (JSC::ASTBuilder::appendBinaryExpressionInfo):
3529         (JSC::ASTBuilder::appendUnaryToken):
3530         (JSC::ASTBuilder::unaryTokenStackLastStart):
3531         (JSC::ASTBuilder::assignmentStackAppend):
3532         (JSC::ASTBuilder::createAssignment):
3533         (JSC::ASTBuilder::setExceptionLocation):
3534         (JSC::ASTBuilder::makeDeleteNode):
3535         (JSC::ASTBuilder::makeFunctionCallNode):
3536         (JSC::ASTBuilder::makeBinaryNode):
3537         (JSC::ASTBuilder::makeAssignNode):
3538         (JSC::ASTBuilder::makePrefixNode):
3539         (JSC::ASTBuilder::makePostfixNode):
3540         - Use JSTextPosition instead of passing line and lineStart explicitly.
3541         * parser/Lexer.cpp:
3542         (JSC::::lex):
3543         - Added support for capturing the appropriate JSTextPositions instead
3544           of just the character offset.
3545         * parser/Lexer.h:
3546         (JSC::Lexer::currentPosition):
3547         (JSC::::lexExpectIdentifier):
3548         - Added support for capturing the appropriate JSTextPositions instead
3549           of just the character offset.
3550         * parser/NodeConstructors.h:
3551         (JSC::Node::Node):
3552         (JSC::ResolveNode::ResolveNode):
3553         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
3554         (JSC::FunctionCallValueNode::FunctionCallValueNode):
3555         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
3556         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
3557         (JSC::FunctionCallDotNode::FunctionCallDotNode):
3558         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
3559         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
3560         (JSC::PostfixNode::PostfixNode):
3561         (JSC::DeleteResolveNode::DeleteResolveNode):
3562         (JSC::DeleteBracketNode::DeleteBracketNode):
3563         (JSC::DeleteDotNode::DeleteDotNode):
3564         (JSC::PrefixNode::PrefixNode):
3565         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
3566         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
3567         (JSC::AssignBracketNode::AssignBracketNode):
3568         (JSC::AssignDotNode::AssignDotNode):
3569         (JSC::ReadModifyDotNode::ReadModifyDotNode):
3570         (JSC::AssignErrorNode::AssignErrorNode):
3571         (JSC::WithNode::WithNode):
3572         (JSC::ForInNode::ForInNode):
3573         - Use JSTextPosition instead of passing line and lineStart explicitly.
3574         * parser/Nodes.cpp:
3575         (JSC::StatementNode::setLoc):
3576         - Use JSTextPosition instead of passing line and lineStart explicitly.
3577         * parser/Nodes.h:
3578         (JSC::Node::lineNo):
3579         (JSC::Node::startOffset):
3580         (JSC::Node::lineStartOffset):
3581         (JSC::Node::position):
3582         (JSC::ThrowableExpressionData::ThrowableExpressionData):
3583         (JSC::ThrowableExpressionData::setExceptionSourceCode):
3584         (JSC::ThrowableExpressionData::divot):
3585         (JSC::ThrowableExpressionData::divotStart):
3586         (JSC::ThrowableExpressionData::divotEnd):
3587         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
3588         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
3589         (JSC::ThrowableSubExpressionData::subexpressionDivot):
3590         (JSC::ThrowableSubExpressionData::subexpressionStart):
3591         (JSC::ThrowableSubExpressionData::subexpressionEnd):
3592         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
3593         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
3594         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
3595         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
3596         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
3597         - Use JSTextPosition instead of passing line and lineStart explicitly.
3598         * parser/Parser.cpp:
3599         (JSC::::Parser):
3600         (JSC::::parseInner):
3601         - Use JSTextPosition instead of passing line and lineStart explicitly.
3602         (JSC::::didFinishParsing):
3603         - Remove setting of m_lastLine value. We always pass in the value from
3604           m_lastLine anyway. So, this assignment is effectively a nop.
3605         (JSC::::parseVarDeclaration):
3606         (JSC::::parseVarDeclarationList):
3607         (JSC::::parseForStatement):
3608         (JSC::::parseBreakStatement):
3609         (JSC::::parseContinueStatement):
3610         (JSC::::parseReturnStatement):
3611         (JSC::::parseThrowStatement):
3612         (JSC::::parseWithStatement):
3613         (JSC::::parseTryStatement):
3614         (JSC::::parseBlockStatement):
3615         (JSC::::parseFunctionDeclaration):
3616         (JSC::LabelInfo::LabelInfo):
3617         (JSC::::parseExpressionOrLabelStatement):
3618         (JSC::::parseExpressionStatement):
3619         (JSC::::parseAssignmentExpression):
3620         (JSC::::parseBinaryExpression):
3621         (JSC::::parseProperty):
3622         (JSC::::parsePrimaryExpression):
3623         (JSC::::parseMemberExpression):
3624         (JSC::::parseUnaryExpression):
3625         - Use JSTextPosition instead of passing line and lineStart explicitly.
3626         * parser/Parser.h:
3627         (JSC::Parser::next):
3628         (JSC::Parser::nextExpectIdentifier):
3629         (JSC::Parser::getToken):
3630         (JSC::Parser::tokenStartPosition):
3631         (JSC::Parser::tokenEndPosition):
3632         (JSC::Parser::lastTokenEndPosition):
3633         (JSC::::parse):
3634         - Use JSTextPosition instead of passing line and lineStart explicitly.
3635         * parser/ParserTokens.h:
3636         (JSC::JSTextPosition::JSTextPosition):
3637         (JSC::JSTextPosition::operator+):
3638         (JSC::JSTextPosition::operator-):
3639         (JSC::JSTextPosition::operator int):
3640         - Added JSTextPosition.
3641         * parser/SyntaxChecker.h:
3642         (JSC::SyntaxChecker::makeFunctionCallNode):
3643         (JSC::SyntaxChecker::makeAssignNode):
3644         (JSC::SyntaxChecker::makePrefixNode):
3645         (JSC::SyntaxChecker::makePostfixNode):
3646         (JSC::SyntaxChecker::makeDeleteNode):
3647         (JSC::SyntaxChecker::createResolve):
3648         (JSC::SyntaxChecker::createBracketAccess):
3649         (JSC::SyntaxChecker::createDotAccess):
3650         (JSC::SyntaxChecker::createRegExp):
3651         (JSC::SyntaxChecker::createNewExpr):
3652         (JSC::SyntaxChecker::createAssignResolve):
3653         (JSC::SyntaxChecker::createForInLoop):
3654         (JSC::SyntaxChecker::createReturnStatement):
3655         (JSC::SyntaxChecker::createBreakStatement):
3656         (JSC::SyntaxChecker::createContinueStatement):
3657         (JSC::SyntaxChecker::createWithStatement):
3658         (JSC::SyntaxChecker::createLabelStatement):
3659         (JSC::SyntaxChecker::createThrowStatement):
3660         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
3661         (JSC::SyntaxChecker::operatorStackPop):
3662         - Use JSTextPosition instead of passing line and lineStart explicitly.
3663
3664 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
3665
3666         Unreviewed. Fix make distcheck.
3667
3668         * GNUmakefile.list.am: Add missing files to compilation.
3669         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
3670         include FTL header files not included in the compilation.
3671         * dfg/DFGDriver.cpp: Ditto.
3672         * dfg/DFGPlan.cpp: Ditto.
3673
3674 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
3675
3676         Eager stack trace for error objects.
3677         https://bugs.webkit.org/show_bug.cgi?id=118918
3678
3679         Reviewed by Geoffrey Garen.
3680         
3681         Chrome and Firefox give error objects the stack property and we wanted to match
3682         that functionality. This allows developers to see the stack without throwing an object.
3683
3684         * runtime/ErrorInstance.cpp:
3685         (JSC::ErrorInstance::finishCreation):
3686         For error objects that are not thrown as an exception, we pass the stackTrace in
3687         as a parameter. This allows the error object to have the stack property.
3688         
3689         * interpreter/Interpreter.cpp:
3690         (JSC::stackTraceAsString):
3691         Helper function used to eliminate duplicate code.
3692
3693         (JSC::Interpreter::addStackTraceIfNecessary):
3694         When an error object is created by the user, the vm->exceptionStack is not set.
3695         If the user throws this error object later, the stack that is in the error object
3696         may not be the correct stack for the throw, so when we set the vm->exceptionStack,
3697         the stack property on the error object is set as well.
3698         
3699         * runtime/ErrorConstructor.cpp:
3700         (JSC::constructWithErrorConstructor):
3701         (JSC::callErrorConstructor):
3702         * runtime/NativeErrorConstructor.cpp:
3703         (JSC::constructWithNativeErrorConstructor):
3704         (JSC::callNativeErrorConstructor):
3705         These functions indicate that the user created an error object. For all error objects 
3706         that the user explicitly creates, the topCallFrame is at a new frame created to 
3707         handle the user's call. In this case though, the error object needs the caller's 
3708         frame to create the stack trace correctly.
3709         
3710         * interpreter/Interpreter.h:
3711         * runtime/ErrorInstance.h:
3712         (JSC::ErrorInstance::create):
3713
3714 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
3715
3716         Some cleanup in PropertySlot
3717         https://bugs.webkit.org/show_bug.cgi?id=119189
3718
3719         Reviewed by Geoff Garen.
3720
3721         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
3722         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
3723         is set to a special value to indicate the type (other than custom), and the type is also tracked by
3724         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
3725         (this is invalidOffset if not cacheable).
3726
3727             * Internally, always track the type of the property using an enum value, PropertyType.
3728             * Use m_offset to indicate cacheable.
3729             * Keep the external interface (CachedPropertyType) unchanged.
3730             * Better pack data into the m_data union.
3731
3732         Performance neutral.
3733
3734         * dfg/DFGRepatch.cpp:
3735         (JSC::DFG::tryCacheGetByID):
3736         (JSC::DFG::tryBuildGetByIDList):
3737             - cachedPropertyType() -> isCacheable*()
3738         * jit/JITPropertyAccess.cpp:
3739         (JSC::JIT::privateCompileGetByIdProto):
3740         (JSC::JIT::privateCompileGetByIdSelfList):
3741         (JSC::JIT::privateCompileGetByIdProtoList):
3742         (JSC::JIT::privateCompileGetByIdChainList):
3743         (JSC::JIT::privateCompileGetByIdChain):
3744             - cachedPropertyType() -> isCacheable*()
3745         * jit/JITPropertyAccess32_64.cpp:
3746         (JSC::JIT::privateCompileGetByIdProto):
3747         (JSC::JIT::privateCompileGetByIdSelfList):
3748         (JSC::JIT::privateCompileGetByIdProtoList):
3749         (JSC::JIT::privateCompileGetByIdChainList):
3750         (JSC::JIT::privateCompileGetByIdChain):
3751             - cachedPropertyType() -> isCacheable*()
3752         * jit/JITStubs.cpp:
3753         (JSC::tryCacheGetByID):
3754             - cachedPropertyType() -> isCacheable*()
3755         * llint/LLIntSlowPaths.cpp:
3756         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3757             - cachedPropertyType() -> isCacheable*()
3758         * runtime/PropertySlot.cpp:
3759         (JSC::PropertySlot::functionGetter):
3760             - refactoring described above.
3761         * runtime/PropertySlot.h:
3762         (JSC::PropertySlot::PropertySlot):
3763         (JSC::PropertySlot::getValue):
3764         (JSC::PropertySlot::isCacheable):
3765         (JSC::PropertySlot::isCacheableValue):
3766         (JSC::PropertySlot::isCacheableGetter):
3767         (JSC::PropertySlot::isCacheableCustom):
3768         (JSC::PropertySlot::cachedOffset):
3769         (JSC::PropertySlot::customGetter):
3770         (JSC::PropertySlot::setValue):
3771         (JSC::PropertySlot::setCustom):
3772         (JSC::PropertySlot::setCacheableCustom):
3773         (JSC::PropertySlot::setCustomIndex):
3774         (JSC::PropertySlot::setGetterSlot):
3775         (JSC::PropertySlot::setCacheableGetterSlot):
3776         (JSC::PropertySlot::setUndefined):
3777         (JSC::PropertySlot::slotBase):
3778         (JSC::PropertySlot::setBase):
3779             - refactoring described above.
3780
3781 2013-07-28  Oliver Hunt  <oliver@apple.com>
3782
3783         REGRESSION: Crash when opening Facebook.com
3784         https://bugs.webkit.org/show_bug.cgi?id=119155
3785
3786         Reviewed by Andreas Kling.
3787
3788         Scope nodes are always objects, so we should be using SpecObjectOther
3789         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3790         contradiction in the CFA, resulting in bogus codegen.
3791
3792         * dfg/DFGAbstractInterpreterInlines.h:
3793         (JSC::DFG::::executeEffects):
3794         * dfg/DFGPredictionPropagationPhase.cpp:
3795         (JSC::DFG::PredictionPropagationPhase::propagate):
3796
3797 2013-07-26  Oliver Hunt  <oliver@apple.com>
3798
3799         REGRESSION(FTL?): Crashes in plugin tests
3800         https://bugs.webkit.org/show_bug.cgi?id=119141
3801
3802         Reviewed by Michael Saboff.
3803
3804         Re-export getStackTrace
3805
3806         * interpreter/Interpreter.h:
3807
3808 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3809
3810         REGRESSION: Crash when opening a message on Gmail
3811         https://bugs.webkit.org/show_bug.cgi?id=119105
3812
3813         Reviewed by Oliver Hunt and Mark Hahnenberg.
3814         
3815         - GetById patching in the DFG needs to be more disciplined about how it derives the
3816           slow path.
3817         
3818         - Fix some dumping code thread safety issues.
3819
3820         * bytecode/CallLinkStatus.cpp:
3821         (JSC::CallLinkStatus::dump):
3822         * bytecode/CodeBlock.cpp:
3823         (JSC::CodeBlock::dumpBytecode):
3824         * dfg/DFGRepatch.cpp:
3825         (JSC::DFG::getPolymorphicStructureList):
3826         (JSC::DFG::tryBuildGetByIDList):
3827
3828 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3829
3830         [mips] Fix LLINT build for mips backend
3831         https://bugs.webkit.org/show_bug.cgi?id=119152
3832
3833         Reviewed by Oliver Hunt.
3834
3835         * offlineasm/mips.rb:
3836
3837 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3838
3839         Setting a large numeric property on an object causes it to allocate a huge backing store
3840         https://bugs.webkit.org/show_bug.cgi?id=118914
3841
3842         Reviewed by Geoffrey Garen.
3843
3844         There are two distinct actions that we're trying to optimize for:
3845
3846         new Array(100000);
3847
3848         and:
3849
3850         a = [];
3851         a[100000] = 42;
3852         
3853         In the first case, the programmer has indicated that they expect this Array to be very big, 
3854         so they should get a contiguous array up until some threshold, above which we perform density 
3855         calculations to see if it is indeed dense enough to warrant being contiguous.
3856         
3857         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3858         we should be more conservative and assume it should be sparse until we've proven otherwise.
3859         
3860         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3861         between them for the purposes of not over-allocating large backing stores like we see on 
3862         http://www.peekanalytics.com/burgerjoints/
3863         
3864         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3865         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3866         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3867         map instead. So for example, in the second case above the empty array has a blank indexing 
3868         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3869
3870         This fix is a ~800x speedup on the accompanying regression test :-o
3871
3872         * runtime/ArrayConventions.h:
3873         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3874         * runtime/JSObject.cpp:
3875         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3876         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3877         (JSC::JSObject::putByIndexBeyondVectorLength):
3878         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
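The two storage decisions this entry contrasts, as an added C++ model that is not JavaScriptCore's code: the ModelArray type and the constant values are assumptions (only the "say, 1000" threshold comes from the text), chosen so that `a = []; a[100000] = 42` lands on the side the entry describes.

```cpp
#include <cstddef>
#include <map>
#include <vector>

namespace arraymodel {

// Assumed stand-in values, not JSC's real constants.
const unsigned MIN_SPARSE_ARRAY_INDEX = 1000000;   // bounds `new Array(n)` and explicit puts
const unsigned BEYOND_LENGTH_THRESHOLD = 1000;     // the "say, 1000" threshold from the entry

// The new heuristic, modelled: a put-by-val whose index is above the threshold
// and beyond the array's current length goes to the sparse map.
inline bool indexIsSufficientlyBeyondLengthForSparseMap(unsigned i, unsigned length)
{
    return i > BEYOND_LENGTH_THRESHOLD && i > length;
}

// Minimal array with the two storage kinds the entry contrasts: a contiguous
// vector (its size is the allocated backing store) and a sparse index -> value map.
struct ModelArray {
    std::vector<int> vector;
    std::map<unsigned, int> sparseMap;
    unsigned length = 0;

    // `new Array(n)`: the programmer asked for a big array, so it is contiguous
    // up to MIN_SPARSE_ARRAY_INDEX (the density calculation above that is omitted).
    static ModelArray withLength(unsigned n)
    {
        ModelArray a;
        a.length = n;
        if (n < MIN_SPARSE_ARRAY_INDEX)
            a.vector.assign(n, 0);
        return a;
    }

    // `a[i] = v`. With useBeyondLengthHeuristic == false this is the old behaviour:
    // any index below MIN_SPARSE_ARRAY_INDEX grows the contiguous store to i + 1 slots.
    void putByIndex(unsigned i, int v, bool useBeyondLengthHeuristic)
    {
        bool sparse = i >= MIN_SPARSE_ARRAY_INDEX
            || (useBeyondLengthHeuristic && indexIsSufficientlyBeyondLengthForSparseMap(i, length));
        if (sparse)
            sparseMap[i] = v;
        else {
            if (vector.size() <= i)
                vector.resize(i + 1, 0);
            vector[i] = v;
        }
        if (i >= length)
            length = i + 1;
    }

    // Number of contiguous backing-store slots actually allocated.
    std::size_t backingStoreSlots() const { return vector.size(); }
};

// Slots allocated by `a = []; a[index] = 42` under the old (false) and new (true) rule.
inline std::size_t slotsForSinglePut(unsigned index, bool useBeyondLengthHeuristic)
{
    ModelArray a;
    a.putByIndex(index, 42, useBeyondLengthHeuristic);
    return a.backingStoreSlots();
}

} // namespace arraymodel
```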
3879
3880 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3881
3882         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3883         https://bugs.webkit.org/show_bug.cgi?id=119148
3884
3885         Reviewed by Csaba Osztrogonác.
3886
3887         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3888         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3889         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3890         code duplication.
3891
3892 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3893
3894         REGRESSION(FTL): Crash in sh4 baseline JIT.
3895         https://bugs.webkit.org/show_bug.cgi?id=119138
3896
3897         Reviewed by Csaba Osztrogonác.
3898
3899         This crash is due to an incomplete report of r150146 and r148474.
3900
3901         * jit/JITStubsSH4.h:
3902
3903 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3904
3905         Unreviewed.
3906
3907         * Target.pri: Adding missing DFG files to the Qt build.
3908
3909 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3910
3911         GTK and Qt buildfix after the intrusive win buildfix r153360.
3912
3913         * GNUmakefile.list.am:
3914         * Target.pri:
3915
3916 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3917
3918         Unreviewed, fix build break after r153360.
3919
3920         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
3921
3922 2013-07-25  Roger Fong  <roger_fong@apple.com>
3923
3924         Unreviewed build fix, AppleWin port.
3925
3926         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3927         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3928         * JavaScriptCore.vcxproj/copy-files.cmd:
3929
3930 2013-07-25  Roger Fong  <roger_fong@apple.com>
3931
3932         Unreviewed. Followup to r153360.
3933
3934         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3935         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3936
3937 2013-07-25  Michael Saboff  <msaboff@apple.com>
3938
3939         [Windows] Speculative build fix.
3940
3941         Moved interpreterThrowInCaller() out of LLIntExceptions.cpp into new CommonSlowPathsExceptions.cpp
3942         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
3943
3944         * JavaScriptCore.xcodeproj/project.pbxproj:
3945         * llint/LLIntExceptions.cpp:
3946         * llint/LLIntExceptions.h:
3947         * llint/LLIntSlowPaths.cpp:
3948         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3949         * runtime/CommonSlowPaths.cpp:
3950         (JSC::SLOW_PATH_DECL):
3951         * runtime/CommonSlowPathsExceptions.cpp: Added.
3952         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3953         * runtime/CommonSlowPathsExceptions.h: Added.
3954
3955 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3956
3957         [Windows] Unreviewed build fix.
3958
3959         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
3960         parser/SourceCode.h,.cpp.