[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=119897

        Reviewed by Oliver Hunt.

        6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
        on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
        to turn objects into dictionaries when you're storing using bracket syntax or using
        eval is still in place.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::putByIdContext):
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::context):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:

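The heuristic this entry describes, as an added illustration that is not JSC code and not part of the ChangeLog: a small C++ model of a Structure transition chain whose addPropertyTransition takes the store's context, the way the entry's PutPropertySlot::context and CodeBlock::putByIdContext feed Structure::addPropertyTransition. The enum names, the two limits (64 and 512) and every function body are assumptions made for the model; the only thing taken from the entry is the rule they express: a dot-syntax store from non-eval code tolerates a longer chain before the object is converted to a dictionary, while bracket-syntax and eval stores convert at the old limit. A cached transition is returned before the limit is checked, so an object that follows a path another object already took stays on the shared structure whatever its context. Structures are what inline caches and the JITs key on, so a conversion to dictionary is exactly the point at which those caches stop hitting.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical model of where a property store came from (the real enum lives in
// JSC's PutPropertySlot; names and values here are assumptions for the model).
enum class PutByIdContext { UnknownContext, PutById, PutByIdEval };

// A simplified Structure: the ordered property names an object has, the length of
// the transition chain that produced it, and the cached successor structures.
struct Structure {
    std::vector<std::string> properties;
    unsigned transitionCount = 0;
    bool isDictionary = false;
    std::map<std::string, std::shared_ptr<Structure>> transitions;
};

// Assumed limits (illustrative, not the engine's constants): a non-eval PutById is
// allowed a much longer chain before the object turns into a dictionary.
static const unsigned kMaxTransitionLength = 64;
static const unsigned kMaxTransitionLengthForNonEvalPutById = 512;

// Model of Structure::addPropertyTransition with the context parameter.
std::shared_ptr<Structure> addPropertyTransition(const std::shared_ptr<Structure>& from,
                                                 const std::string& name,
                                                 PutByIdContext context)
{
    if (from->isDictionary) {
        // Dictionaries mutate in place: no new structure, nothing for an IC to key on.
        from->properties.push_back(name);
        return from;
    }
    auto cached = from->transitions.find(name);
    if (cached != from->transitions.end())
        return cached->second; // shape already reached by some object: share it

    unsigned limit = context == PutByIdContext::PutById
        ? kMaxTransitionLengthForNonEvalPutById
        : kMaxTransitionLength;

    auto next = std::make_shared<Structure>();
    next->properties = from->properties;
    next->properties.push_back(name);
    next->transitionCount = from->transitionCount + 1;

    if (from->transitionCount >= limit) {
        // Chain too long for this kind of store: fall back to dictionary mode and
        // do not cache the transition.
        next->isDictionary = true;
        return next;
    }
    from->transitions[name] = next;
    return next;
}

// Adds n properties p0..p(n-1) to a fresh object starting at `root`, every store
// coming from the given context, and returns the object's final structure.
std::shared_ptr<Structure> buildObject(const std::shared_ptr<Structure>& root,
                                       unsigned n, PutByIdContext context)
{
    auto s = root;
    for (unsigned i = 0; i < n; ++i)
        s = addPropertyTransition(s, "p" + std::to_string(i), context);
    return s;
}

int main()
{
    // 100 dot-syntax stores outside eval keep a shared, cacheable structure; the
    // same stores through bracket syntax or eval hit the old limit.
    auto viaDot = buildObject(std::make_shared<Structure>(), 100, PutByIdContext::PutById);
    auto viaBracket = buildObject(std::make_shared<Structure>(), 100, PutByIdContext::UnknownContext);
    return (!viaDot->isDictionary && viaBracket->isDictionary) ? 0 : 1;
}
```

With the assumed limits, the 65th bracket-syntax or eval store converts the object, while dot-syntax stores from ordinary code only convert at the 513th; two objects built along the same path from the same root end on the same Structure object, which is what makes the shape cacheable.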
2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException

        Reviewed by Allan Sandfeld Jensen.

        ctiVMHandleException must jump/return using register ra (r31).

        * jit/JITStubsMIPS.h:

2013-08-16  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/119879> Fix sh4 build after r154156.

        Reviewed by Allan Sandfeld Jensen.

        Fix typo in JITStubsSH4.h file.

        * jit/JITStubsSH4.h:

2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers

        Reviewed by Oliver Hunt.

        The concurrent compilation thread should interact minimally with the Heap, including not
        triggering WriteBarriers. This is a prerequisite for generational GC.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addOrFindConstant):
        (JSC::CodeBlock::findConstant):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredTransitions.cpp: Added.
        (JSC::DFG::DesiredTransition::DesiredTransition):
        (JSC::DFG::DesiredTransition::reallyAdd):
        (JSC::DFG::DesiredTransitions::DesiredTransitions):
        (JSC::DFG::DesiredTransitions::~DesiredTransitions):
        (JSC::DFG::DesiredTransitions::addLazily):
        (JSC::DFG::DesiredTransitions::reallyAdd):
        * dfg/DFGDesiredTransitions.h: Added.
        * dfg/DFGDesiredWeakReferences.cpp: Added.
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGDesiredWeakReferences.h: Added.
        * dfg/DFGDesiredWriteBarriers.cpp: Added.
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::addImpl):
        (JSC::DFG::DesiredWriteBarriers::trigger):
        * dfg/DFGDesiredWriteBarriers.h: Added.
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrier):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrier::WriteBarrier):

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        Fix x86 32-bit build after r154158

        * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.

2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r154156.

        * jit/JITStubs.cpp:
        (JSC::cti_vm_handle_exception): encode!

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: Use inc and dec when possible
        https://bugs.webkit.org/show_bug.cgi?id=119831

        Reviewed by Geoffrey Garen.

        When incrementing or decrementing by an immediate of 1, use the instructions
        inc and dec instead of add and sub.
        The instructions have good timing and their encoding is smaller.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::sub32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::sub64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::dec_r):
        (JSC::X86Assembler::decq_r):
        (JSC::X86Assembler::inc_r):
        (JSC::X86Assembler::incq_r):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
        https://bugs.webkit.org/show_bug.cgi?id=119874

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
        sometimes for typed array length accesses, and the FixupPhase assuming that a
        ForceExit ArrayMode means that it should continue using a generic GetById.

        This fixes the confusion.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-15  Mark Lam  <mark.lam@apple.com>

        Fix crash when performing activation tearoff.
        https://bugs.webkit.org/show_bug.cgi?id=119848

        Reviewed by Oliver Hunt.

        The activation tearoff crash was due to a bug in the baseline JIT.
        If we have a scenario where a baseline JIT frame calls a LLINT
        frame, an exception may be thrown while in the LLINT.

        Interpreter::throwException() which handles the exception will unwind
        all frames until it finds a catcher or sees a host frame. When we
        return from the LLINT to the baseline JIT code, the baseline JIT code
        erroneously sets topCallFrame to the value in its call frame register,
        and starts unwinding the stack frames that have already been unwound.

        The fix is:
        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
           This is a more accurate description of what this runtime function
           is supposed to do, i.e. it handles the exception, which includes doing
           nothing (if there are no more frames to unwind).
        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
           set on it.
        3. Reloading the call frame register from topCallFrame when we're
           returning from a callee and detect exception handling in progress.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::uncaughtExceptionHandler):
        - Convenience function to get the handler for uncaught exceptions.
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::reloadCallFrameFromTopCallFrame):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::cti_vm_handle_exception):
        - Check for the case when there are no more frames to unwind.
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        - reload cfr from topCallFrame when handling an exception.
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - reload cfr from topCallFrame when handling an exception.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Remove some code duplication.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Julien Brianceau  <jbrianceau@nds.com>

        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
        https://bugs.webkit.org/show_bug.cgi?id=119794

        Reviewed by Filip Pizlo.

        This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.

        Rubber stamped by Oliver Hunt.

        This was causing some test crashes for me.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Clear up improper export declaration.

        * runtime/ArrayBufferView.h:

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove some unnecessary periods from exceptions.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-14  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should be rewritten
        https://bugs.webkit.org/show_bug.cgi?id=119064

        Reviewed by Oliver Hunt.

        Typed arrays were previously deficient in several major ways:

        - They were defined separately in WebCore and in the jsc shell. The two
          implementations were different, and the jsc shell one was basically wrong.
          The WebCore one was quite awful, also.

        - Typed arrays were not visible to the JIT except through some weird hooks.
          For example, the JIT could not ask "what is the Structure that this typed
          array would have if I just allocated it from this global object". Also,
          it was difficult to wire any of the typed array intrinsics, because most
          of the functionality wasn't visible anywhere in JSC.

        - Typed array allocation was brain-dead. Allocating a typed array involved
          two JS objects, two GC weak handles, and three malloc allocations.

        - Neutering. It involved keeping tabs on all native views but not the view
          wrappers, even though the native views can autoneuter just by asking the
          buffer if it was neutered anytime you touch them; while the JS view
          wrappers are the ones that you really want to reach out to.

        - Common case-ing. Most typed arrays have one buffer and one view, and
          usually nobody touches the buffer. Yet we created all of that stuff
          anyway, using data structures optimized for the case where you had a lot
          of views.

        - Semantic goofs. Typed arrays should, in the future, behave like ES
          features rather than DOM features, for example when it comes to exceptions.
          Firefox already does this and I agree with them.

        This patch cleanses our codebase of these sins:

        - Typed arrays are almost entirely defined in JSC. Only the lifecycle
          management of native references to buffers is left to WebCore.

        - Allocating a typed array requires either two GC allocations (a cell and a
          copied storage vector) or one GC allocation, a malloc allocation, and a
          weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
          latter). The latter is only used for oversize arrays. Remember that before
          it was 7 allocations no matter what.

        - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
          mode/length, void* vector. Before it was a lot more than that - remember,
          there were five additional objects that did absolutely nothing for anybody.

        - Native views aren't tracked by the buffer, or by the wrappers. They are
          transient. In the future we'll probably switch to not even having them be
          malloc'd.

        - Native array buffers have an efficient way of tracking all of their JS view
          wrappers, both for neutering, and for lifecycle management. The GC
          special-cases native array buffers. This saves a bunch of grief; for example
          it means that a JS view wrapper can refer to its buffer via the butterfly,
          which would be dead by the time we went to finalize.

        - Typed array semantics now match Firefox, which also happens to be where the
          standards are going. The discussion on webkit-dev seemed to confirm that
          Chrome is also heading in this direction. This includes making
          Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
          ArrayBufferView as a JS-visible construct.

        This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
        It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
        further typed array optimizations in the JSC JITs, including inlining typed
        array allocation, inlining more of the accessors, reducing the cost of type
        checks, etc.

        An additional property of this patch is that typed arrays are mostly
        implemented using templates. This deduplicates a bunch of code, but does mean
        that we need some hacks for exporting s_info's of template classes. See
        JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
        low-impact compared to code duplication.

        Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForClassInfo):
        (JSC::jitArrayModeForClassInfo):
        (JSC::typedArrayTypeForJITArrayMode):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toTypedArrayType):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::typedArrayType):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CopyToken.h:
        * heap/DeferGC.h:
        (JSC::DeferGCForAWhile::DeferGCForAWhile):
        (JSC::DeferGCForAWhile::~DeferGCForAWhile):
        * heap/GCIncomingRefCounted.h: Added.
        (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
        (JSC::GCIncomingRefCounted::incomingReferenceAt):
        (JSC::GCIncomingRefCounted::singletonFlag):
        (JSC::GCIncomingRefCounted::hasVectorOfCells):
        (JSC::GCIncomingRefCounted::hasAnyIncoming):
        (JSC::GCIncomingRefCounted::hasSingleton):
        (JSC::GCIncomingRefCounted::singleton):
        (JSC::GCIncomingRefCounted::vectorOfCells):
        * heap/GCIncomingRefCountedInlines.h: Added.
        (JSC::::addIncomingReference):
        (JSC::::filterIncomingReferences):
        * heap/GCIncomingRefCountedSet.h: Added.
        (JSC::GCIncomingRefCountedSet::size):
        * heap/GCIncomingRefCountedSetInlines.h: Added.
        (JSC::::GCIncomingRefCountedSet):
        (JSC::::~GCIncomingRefCountedSet):
        (JSC::::addReference):
        (JSC::::sweep):
        (JSC::::removeAll):
        (JSC::::removeDead):
        * heap/Heap.cpp:
        (JSC::Heap::addReference):
        (JSC::Heap::extraSize):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        * heap/Heap.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::dataViewTable):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::transfer):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::ArrayBuffer):
        (JSC::ArrayBuffer::gcSizeEstimateInBytes):
        (JSC::ArrayBuffer::pin):
        (JSC::ArrayBuffer::unpin):
        (JSC::ArrayBufferContents::tryAllocate):
        * runtime/ArrayBufferView.cpp:
        (JSC::ArrayBufferView::ArrayBufferView):
        (JSC::ArrayBufferView::~ArrayBufferView):
        (JSC::ArrayBufferView::setNeuterable):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::isNeutered):
        (JSC::ArrayBufferView::buffer):
        (JSC::ArrayBufferView::baseAddress):
        (JSC::ArrayBufferView::byteOffset):
        (JSC::ArrayBufferView::verifySubRange):
        (JSC::ArrayBufferView::clampOffsetAndNumElements):
        (JSC::ArrayBufferView::calculateOffsetAndLength):
        * runtime/ClassInfo.h:
        * runtime/CommonIdentifiers.h:
        * runtime/DataView.cpp: Added.
        (JSC::DataView::DataView):
        (JSC::DataView::create):
        (JSC::DataView::wrap):
        * runtime/DataView.h: Added.
        (JSC::DataView::byteLength):
        (JSC::DataView::getType):
        (JSC::DataView::get):
        (JSC::DataView::set):
        * runtime/Float32Array.h:
        * runtime/Float64Array.h:
        * runtime/GenericTypedArrayView.h: Added.
        (JSC::GenericTypedArrayView::data):
        (JSC::GenericTypedArrayView::set):
        (JSC::GenericTypedArrayView::setRange):
        (JSC::GenericTypedArrayView::zeroRange):
        (JSC::GenericTypedArrayView::zeroFill):
        (JSC::GenericTypedArrayView::length):
        (JSC::GenericTypedArrayView::byteLength):
        (JSC::GenericTypedArrayView::item):
        (JSC::GenericTypedArrayView::checkInboundData):
        (JSC::GenericTypedArrayView::getType):
        * runtime/GenericTypedArrayViewInlines.h: Added.
        (JSC::::GenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::subarray):
        (JSC::::wrap):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::arrayBuffer):
        (JSC::IndexingHeader::setArrayBuffer):
        * runtime/Int16Array.h:
        * runtime/Int32Array.h:
        * runtime/Int8Array.h:
        * runtime/JSArrayBuffer.cpp: Added.
        (JSC::JSArrayBuffer::JSArrayBuffer):
        (JSC::JSArrayBuffer::finishCreation):
        (JSC::JSArrayBuffer::create):
        (JSC::JSArrayBuffer::createStructure):
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        (JSC::JSArrayBuffer::deleteProperty):
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.h: Added.
        (JSC::JSArrayBuffer::impl):
        (JSC::toArrayBuffer):
        * runtime/JSArrayBufferConstructor.cpp: Added.
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::JSArrayBufferConstructor::create):
        (JSC::JSArrayBufferConstructor::createStructure):
        (JSC::constructArrayBuffer):
        (JSC::JSArrayBufferConstructor::getConstructData):
        (JSC::JSArrayBufferConstructor::getCallData):
        * runtime/JSArrayBufferConstructor.h: Added.
        * runtime/JSArrayBufferPrototype.cpp: Added.
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
        (JSC::JSArrayBufferPrototype::finishCreation):
        (JSC::JSArrayBufferPrototype::create):
        (JSC::JSArrayBufferPrototype::createStructure):
        * runtime/JSArrayBufferPrototype.h: Added.
        * runtime/JSArrayBufferView.cpp: Added.
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finishCreation):
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
        (JSC::JSArrayBufferView::put):
        (JSC::JSArrayBufferView::defineOwnProperty):
        (JSC::JSArrayBufferView::deleteProperty):
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSArrayBufferView.h: Added.
        (JSC::JSArrayBufferView::sizeOf):
        (JSC::JSArrayBufferView::ConstructionContext::operator!):
        (JSC::JSArrayBufferView::ConstructionContext::structure):
        (JSC::JSArrayBufferView::ConstructionContext::vector):
        (JSC::JSArrayBufferView::ConstructionContext::length):
        (JSC::JSArrayBufferView::ConstructionContext::mode):
        (JSC::JSArrayBufferView::ConstructionContext::butterfly):
        (JSC::JSArrayBufferView::mode):
        (JSC::JSArrayBufferView::vector):
        (JSC::JSArrayBufferView::length):
        (JSC::JSArrayBufferView::offsetOfVector):
        (JSC::JSArrayBufferView::offsetOfLength):
        (JSC::JSArrayBufferView::offsetOfMode):
        * runtime/JSArrayBufferViewInlines.h: Added.
        (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::impl):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        (JSC::JSCell::getTypedArrayImpl):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp: Added.
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::createUninitialized):
        (JSC::JSDataView::set):
        (JSC::JSDataView::typedImpl):
        (JSC::JSDataView::getOwnPropertySlot):
        (JSC::JSDataView::getOwnPropertyDescriptor):
        (JSC::JSDataView::slowDownAndWasteMemory):
        (JSC::JSDataView::getTypedArrayImpl):
        (JSC::JSDataView::createStructure):
        * runtime/JSDataView.h: Added.
        * runtime/JSDataViewPrototype.cpp: Added.
        (JSC::JSDataViewPrototype::JSDataViewPrototype):
        (JSC::JSDataViewPrototype::create):
        (JSC::JSDataViewPrototype::createStructure):
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoFuncGetInt8):
        (JSC::dataViewProtoFuncGetInt16):
        (JSC::dataViewProtoFuncGetInt32):
        (JSC::dataViewProtoFuncGetUint8):
        (JSC::dataViewProtoFuncGetUint16):
        (JSC::dataViewProtoFuncGetUint32):
        (JSC::dataViewProtoFuncGetFloat32):
        (JSC::dataViewProtoFuncGetFloat64):
        (JSC::dataViewProtoFuncSetInt8):
        (JSC::dataViewProtoFuncSetInt16):
        (JSC::dataViewProtoFuncSetInt32):
        (JSC::dataViewProtoFuncSetUint8):
        (JSC::dataViewProtoFuncSetUint16):
        (JSC::dataViewProtoFuncSetUint32):
        (JSC::dataViewProtoFuncSetFloat32):
        (JSC::dataViewProtoFuncSetFloat64):
        * runtime/JSDataViewPrototype.h: Added.
        * runtime/JSFloat32Array.h: Added.
        * runtime/JSFloat64Array.h: Added.
        * runtime/JSGenericTypedArrayView.h: Added.
        (JSC::JSGenericTypedArrayView::byteLength):
        (JSC::JSGenericTypedArrayView::byteSize):
        (JSC::JSGenericTypedArrayView::typedVector):
        (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
        (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
        (JSC::JSGenericTypedArrayView::getIndexQuickly):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
        (JSC::JSGenericTypedArrayView::setIndexQuickly):
        (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
        (JSC::JSGenericTypedArrayView::typedImpl):
        (JSC::JSGenericTypedArrayView::createStructure):
        (JSC::JSGenericTypedArrayView::info):
        (JSC::toNativeTypedView):
        * runtime/JSGenericTypedArrayViewConstructor.h: Added.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
        (JSC::::JSGenericTypedArrayViewConstructor):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        (JSC::constructGenericTypedArrayView):
        (JSC::::getConstructData):
        (JSC::::getCallData):
        * runtime/JSGenericTypedArrayViewInlines.h: Added.
        (JSC::::JSGenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::validateRange):
        (JSC::::setWithSpecificType):
        (JSC::::set):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::defineOwnProperty):
        (JSC::::deleteProperty):
        (JSC::::getOwnPropertySlotByIndex):
        (JSC::::putByIndex):
        (JSC::::deletePropertyByIndex):
        (JSC::::getOwnNonIndexPropertyNames):
        (JSC::::getOwnPropertyNames):
        (JSC::::visitChildren):
        (JSC::::copyBackingStore):
        (JSC::::slowDownAndWasteMemory):
        (JSC::::getTypedArrayImpl):
        * runtime/JSGenericTypedArrayViewPrototype.h: Added.
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::::JSGenericTypedArrayViewPrototype):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype):
        (JSC::JSGlobalObject::arrayBufferStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        * runtime/JSInt16Array.h: Added.
        * runtime/JSInt32Array.h: Added.
        * runtime/JSInt8Array.h: Added.
        * runtime/JSTypedArrayConstructors.cpp: Added.
        * runtime/JSTypedArrayConstructors.h: Added.
        * runtime/JSTypedArrayPrototypes.cpp: Added.
        * runtime/JSTypedArrayPrototypes.h: Added.
        * runtime/JSTypedArrays.cpp: Added.
        * runtime/JSTypedArrays.h: Added.
        * runtime/JSUint16Array.h: Added.
        * runtime/JSUint32Array.h: Added.
        * runtime/JSUint8Array.h: Added.
        * runtime/JSUint8ClampedArray.h: Added.
        * runtime/Operations.h:
        * runtime/Options.h:
        * runtime/SimpleTypedArrayController.cpp: Added.
        (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::toJS):
        * runtime/SimpleTypedArrayController.h: Added.
        * runtime/Structure.h:
        (JSC::Structure::couldHaveIndexingHeader):
        * runtime/StructureInlines.h:
        (JSC::Structure::hasIndexingHeader):
        * runtime/TypedArrayAdaptors.h: Added.
        (JSC::IntegralTypedArrayAdaptor::toNative):
        (JSC::IntegralTypedArrayAdaptor::toJSValue):
        (JSC::IntegralTypedArrayAdaptor::toDouble):
        (JSC::FloatTypedArrayAdaptor::toNative):
        (JSC::FloatTypedArrayAdaptor::toJSValue):
        (JSC::FloatTypedArrayAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::toNative):
        (JSC::Uint8ClampedAdaptor::toJSValue):
711         (JSC::Uint8ClampedAdaptor::toDouble):
712         (JSC::Uint8ClampedAdaptor::clamp):
713         * runtime/TypedArrayController.cpp: Added.
714         (JSC::TypedArrayController::TypedArrayController):
715         (JSC::TypedArrayController::~TypedArrayController):
716         * runtime/TypedArrayController.h: Added.
717         * runtime/TypedArrayDescriptor.h: Removed.
718         * runtime/TypedArrayInlines.h: Added.
719         * runtime/TypedArrayType.cpp: Added.
720         (JSC::classInfoForType):
721         (WTF::printInternal):
722         * runtime/TypedArrayType.h: Added.
723         (JSC::toIndex):
724         (JSC::isTypedView):
725         (JSC::elementSize):
726         (JSC::isInt):
727         (JSC::isFloat):
728         (JSC::isSigned):
729         (JSC::isClamped):
730         * runtime/TypedArrays.h: Added.
731         * runtime/Uint16Array.h:
732         * runtime/Uint32Array.h:
733         * runtime/Uint8Array.h:
734         * runtime/Uint8ClampedArray.h:
735         * runtime/VM.cpp:
736         (JSC::VM::VM):
737         (JSC::VM::~VM):
738         * runtime/VM.h:
739
740 2013-08-15  Oliver Hunt  <oliver@apple.com>
741
742         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
743
744         Reviewed by Filip Pizlo.
745
746         Make sure dfgCapabilities doesn't report a Dynamic put as
747         being compilable when we don't actually support it.  
748
749         * bytecode/CodeBlock.cpp:
750         (JSC::CodeBlock::dumpBytecode):
751         * dfg/DFGCapabilities.cpp:
752         (JSC::DFG::capabilityLevel):
753
754 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
755
756         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
757         https://bugs.webkit.org/show_bug.cgi?id=119847
758
759         Reviewed by Oliver Hunt.
760
761         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
762         * runtime/ArrayBufferView.h: Ditto.
763
764 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
765
766         https://bugs.webkit.org/show_bug.cgi?id=119843
767         PropertySlot::setValue is ambiguous
768
769         Reviewed by Geoff Garen.
770
771         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
772         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
773         Unify on always providing the object, and remove the version that just takes a value.
774         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
775         Provide a version of setValue that takes a JSString as the owner of the property.
776         We won't store this, but it makes it clear that this interface should only be used from JSString.
777
778         * API/JSCallbackObjectFunctions.h:
779         (JSC::::getOwnPropertySlot):
780         * JSCTypedArrayStubs.h:
781         * runtime/Arguments.cpp:
782         (JSC::Arguments::getOwnPropertySlotByIndex):
783         (JSC::Arguments::getOwnPropertySlot):
784         * runtime/JSActivation.cpp:
785         (JSC::JSActivation::symbolTableGet):
786         (JSC::JSActivation::getOwnPropertySlot):
787         * runtime/JSArray.cpp:
788         (JSC::JSArray::getOwnPropertySlot):
789         * runtime/JSObject.cpp:
790         (JSC::JSObject::getOwnPropertySlotByIndex):
791         * runtime/JSString.h:
792         (JSC::JSString::getStringPropertySlot):
793         * runtime/JSSymbolTableObject.h:
794         (JSC::symbolTableGet):
795         * runtime/SparseArrayValueMap.cpp:
796         (JSC::SparseArrayEntry::get):
797             - Pass object containing property to PropertySlot::setValue
798         * runtime/PropertySlot.h:
799         (JSC::PropertySlot::setValue):
800             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
801         (JSC::PropertySlot::setUndefined):
802             - removed setValue(JSValue), added setValue(JSString*, JSValue)
803
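        The temporary-wrapper semantics this entry relies on ("logically we should be instantiating a temporary StringObject on every property access") are observable from JavaScript. The block below is an added example for illustration; it is not code from the WebKit ChangeLog or from JavaScriptCore. Its function names are its own, and it uses the Function constructor only to obtain sloppy-mode functions regardless of whether the file is loaded as a strict module.

```javascript
// Added example, not part of the WebKit ChangeLog or of JavaScriptCore.
// Per ECMAScript, a property access whose base is a primitive string behaves
// as if a temporary String wrapper object were created for that one access.
// JSC optimizes that wrapper away (hence the setValue(JSString*, JSValue)
// overload described in the entry); these functions show the semantics the
// engine must preserve while doing so. Names below are this example's own.

// Functions built with the Function constructor are sloppy-mode unless their
// body opts in, so these stay sloppy even inside a strict ES module.
const sloppyThisType = new Function("return typeof this;");
const sloppySelf = new Function("return this;");
const sloppyWrite = new Function("s", "s.foo = 1; return s.foo;");

// Sloppy mode: `this` for a method invoked on a primitive is the wrapper object.
function thisTypeSloppy(str) {
  return sloppyThisType.call(str); // "object"
}

// Strict mode: `this` stays the primitive; no wrapper is ever materialized.
function thisTypeStrict(str) {
  const strictThisType = function () { "use strict"; return typeof this; };
  return strictThisType.call(str); // "string"
}

// Each access gets a fresh wrapper: two calls never observe the same object,
// although both wrap the same primitive value.
function wrappersAreFresh(str) {
  const a = sloppySelf.call(str);
  const b = sloppySelf.call(str);
  return a !== b && a.valueOf() === str && b.valueOf() === str;
}

// A write through a primitive base lands on the throwaway wrapper and is lost;
// the following read builds a new wrapper that has no such property.
function writeToPrimitiveIsLost(str) {
  return sloppyWrite(str); // undefined
}

// Strict mode reports the same write as a TypeError instead of dropping it.
function writeToPrimitiveThrowsInStrict(str) {
  "use strict";
  try {
    str.foo = 1;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

        Because the wrapper never outlives the single access, nothing a script does through it can persist, which is what lets the engine skip allocating it and pass the JSString itself as the nominal owner without storing it.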
804 2013-08-15  Oliver Hunt  <oliver@apple.com>
805
806         Remove bogus assertion.
807
808         RS=Filip Pizlo
809
810         * dfg/DFGAbstractInterpreterInlines.h:
811         (JSC::DFG::::executeEffects):
812
813 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
814
815         REGRESSION(r148790) Made 7 tests fail on x86 32bit
816         https://bugs.webkit.org/show_bug.cgi?id=114913
817
818         Reviewed by Filip Pizlo.
819
820         The X87 register was not freed before some calls. Instead
821         of inserting resetX87Registers at the last call sites,
822         the two X87 registers are now freed in every call.
823
824         * llint/LowLevelInterpreter32_64.asm:
825         * llint/LowLevelInterpreter64.asm:
826         * offlineasm/instructions.rb:
827         * offlineasm/x86.rb:
828
829 2013-08-14  Michael Saboff  <msaboff@apple.com>
830
831         Fixed jit on Win64.
832         https://bugs.webkit.org/show_bug.cgi?id=119601
833
834         Reviewed by Oliver Hunt.
835
836         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
837         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
838         * jit/SlowPathCall.h:
839         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
840
841 2013-08-14  Alex Christensen  <achristensen@apple.com>
842
843         Compile fix for Win64 with jit disabled.
844         https://bugs.webkit.org/show_bug.cgi?id=119804
845
846         Reviewed by Michael Saboff.
847
848         * offlineasm/cloop.rb: Added std:: before isnan.
849
850 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
851
852         DFG_JIT implementation for sh4 architecture.
853         https://bugs.webkit.org/show_bug.cgi?id=119737
854
855         Reviewed by Oliver Hunt.
856
857         * assembler/MacroAssemblerSH4.h:
858         (JSC::MacroAssemblerSH4::invert):
859         (JSC::MacroAssemblerSH4::add32):
860         (JSC::MacroAssemblerSH4::and32):
861         (JSC::MacroAssemblerSH4::lshift32):
862         (JSC::MacroAssemblerSH4::mul32):
863         (JSC::MacroAssemblerSH4::or32):
864         (JSC::MacroAssemblerSH4::rshift32):
865         (JSC::MacroAssemblerSH4::sub32):
866         (JSC::MacroAssemblerSH4::xor32):
867         (JSC::MacroAssemblerSH4::store32):
868         (JSC::MacroAssemblerSH4::swapDouble):
869         (JSC::MacroAssemblerSH4::storeDouble):
870         (JSC::MacroAssemblerSH4::subDouble):
871         (JSC::MacroAssemblerSH4::mulDouble):
872         (JSC::MacroAssemblerSH4::divDouble):
873         (JSC::MacroAssemblerSH4::negateDouble):
874         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
875         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
876         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
877         (JSC::MacroAssemblerSH4::swap):
878         (JSC::MacroAssemblerSH4::jump):
879         (JSC::MacroAssemblerSH4::branchNeg32):
880         (JSC::MacroAssemblerSH4::branchAdd32):
881         (JSC::MacroAssemblerSH4::branchMul32):
882         (JSC::MacroAssemblerSH4::urshift32):
883         * assembler/SH4Assembler.h:
884         (JSC::SH4Assembler::SH4Assembler):
885         (JSC::SH4Assembler::labelForWatchpoint):
886         (JSC::SH4Assembler::label):
887         (JSC::SH4Assembler::debugOffset):
888         * dfg/DFGAssemblyHelpers.h:
889         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
890         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
891         (JSC::DFG::AssemblyHelpers::debugCall):
892         * dfg/DFGCCallHelpers.h:
893         (JSC::DFG::CCallHelpers::setupArguments):
894         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
895         * dfg/DFGFPRInfo.h:
896         (JSC::DFG::FPRInfo::toRegister):
897         (JSC::DFG::FPRInfo::toIndex):
898         (JSC::DFG::FPRInfo::debugName):
899         * dfg/DFGGPRInfo.h:
900         (JSC::DFG::GPRInfo::toRegister):
901         (JSC::DFG::GPRInfo::toIndex):
902         (JSC::DFG::GPRInfo::debugName):
903         * dfg/DFGOperations.cpp:
904         * dfg/DFGSpeculativeJIT.h:
905         (JSC::DFG::SpeculativeJIT::callOperation):
906         * jit/JITStubs.h:
907         * jit/JITStubsSH4.h:
908
909 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
910
911         Unreviewed, fix build.
912
913         * API/JSValue.mm:
914         (isDate):
915         (isArray):
916         * API/JSWrapperMap.mm:
917         (tryUnwrapObjcObject):
918         * API/ObjCCallbackFunction.mm:
919         (tryUnwrapBlock):
920
921 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
922
923         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
924         https://bugs.webkit.org/show_bug.cgi?id=119770
925
926         Reviewed by Mark Hahnenberg.
927
928         * API/JSCallbackConstructor.cpp:
929         (JSC::JSCallbackConstructor::finishCreation):
930         * API/JSCallbackConstructor.h:
931         (JSC::JSCallbackConstructor::createStructure):
932         * API/JSCallbackFunction.cpp:
933         (JSC::JSCallbackFunction::finishCreation):
934         * API/JSCallbackFunction.h:
935         (JSC::JSCallbackFunction::createStructure):
936         * API/JSCallbackObject.cpp:
937         (JSC::::createStructure):
938         * API/JSCallbackObject.h:
939         (JSC::JSCallbackObject::visitChildren):
940         * API/JSCallbackObjectFunctions.h:
941         (JSC::::asCallbackObject):
942         (JSC::::finishCreation):
943         * API/JSObjectRef.cpp:
944         (JSObjectGetPrivate):
945         (JSObjectSetPrivate):
946         (JSObjectGetPrivateProperty):
947         (JSObjectSetPrivateProperty):
948         (JSObjectDeletePrivateProperty):
949         * API/JSValueRef.cpp:
950         (JSValueIsObjectOfClass):
951         * API/JSWeakObjectMapRefPrivate.cpp:
952         * API/ObjCCallbackFunction.h:
953         (JSC::ObjCCallbackFunction::createStructure):
954         * JSCTypedArrayStubs.h:
955         * bytecode/CallLinkStatus.cpp:
956         (JSC::CallLinkStatus::CallLinkStatus):
957         (JSC::CallLinkStatus::function):
958         (JSC::CallLinkStatus::internalFunction):
959         * bytecode/CodeBlock.h:
960         (JSC::baselineCodeBlockForInlineCallFrame):
961         * bytecode/SpeculatedType.cpp:
962         (JSC::speculationFromClassInfo):
963         * bytecode/UnlinkedCodeBlock.cpp:
964         (JSC::UnlinkedFunctionExecutable::visitChildren):
965         (JSC::UnlinkedCodeBlock::visitChildren):
966         (JSC::UnlinkedProgramCodeBlock::visitChildren):
967         * bytecode/UnlinkedCodeBlock.h:
968         (JSC::UnlinkedFunctionExecutable::createStructure):
969         (JSC::UnlinkedProgramCodeBlock::createStructure):
970         (JSC::UnlinkedEvalCodeBlock::createStructure):
971         (JSC::UnlinkedFunctionCodeBlock::createStructure):
972         * debugger/Debugger.cpp:
973         * debugger/DebuggerActivation.cpp:
974         (JSC::DebuggerActivation::visitChildren):
975         * debugger/DebuggerActivation.h:
976         (JSC::DebuggerActivation::createStructure):
977         * debugger/DebuggerCallFrame.cpp:
978         (JSC::DebuggerCallFrame::functionName):
979         * dfg/DFGAbstractInterpreterInlines.h:
980         (JSC::DFG::::executeEffects):
981         * dfg/DFGByteCodeParser.cpp:
982         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
983         (JSC::DFG::ByteCodeParser::parseBlock):
984         * dfg/DFGFixupPhase.cpp:
985         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
986         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
987         * dfg/DFGGraph.cpp:
988         (JSC::DFG::Graph::dump):
989         * dfg/DFGGraph.h:
990         (JSC::DFG::Graph::isInternalFunctionConstant):
991         * dfg/DFGOperations.cpp:
992         * dfg/DFGSpeculativeJIT.cpp:
993         (JSC::DFG::SpeculativeJIT::checkArray):
994         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
995         * dfg/DFGThunks.cpp:
996         (JSC::DFG::virtualForThunkGenerator):
997         * interpreter/Interpreter.cpp:
998         (JSC::loadVarargs):
999         * jsc.cpp:
1000         (GlobalObject::createStructure):
1001         * profiler/LegacyProfiler.cpp:
1002         (JSC::LegacyProfiler::createCallIdentifier):
1003         * runtime/Arguments.cpp:
1004         (JSC::Arguments::visitChildren):
1005         * runtime/Arguments.h:
1006         (JSC::Arguments::createStructure):
1007         (JSC::asArguments):
1008         (JSC::Arguments::finishCreation):
1009         * runtime/ArrayConstructor.cpp:
1010         (JSC::arrayConstructorIsArray):
1011         * runtime/ArrayConstructor.h:
1012         (JSC::ArrayConstructor::createStructure):
1013         * runtime/ArrayPrototype.cpp:
1014         (JSC::ArrayPrototype::finishCreation):
1015         (JSC::arrayProtoFuncConcat):
1016         (JSC::attemptFastSort):
1017         * runtime/ArrayPrototype.h:
1018         (JSC::ArrayPrototype::createStructure):
1019         * runtime/BooleanConstructor.h:
1020         (JSC::BooleanConstructor::createStructure):
1021         * runtime/BooleanObject.cpp:
1022         (JSC::BooleanObject::finishCreation):
1023         * runtime/BooleanObject.h:
1024         (JSC::BooleanObject::createStructure):
1025         (JSC::asBooleanObject):
1026         * runtime/BooleanPrototype.cpp:
1027         (JSC::BooleanPrototype::finishCreation):
1028         (JSC::booleanProtoFuncToString):
1029         (JSC::booleanProtoFuncValueOf):
1030         * runtime/BooleanPrototype.h:
1031         (JSC::BooleanPrototype::createStructure):
1032         * runtime/DateConstructor.cpp:
1033         (JSC::constructDate):
1034         * runtime/DateConstructor.h:
1035         (JSC::DateConstructor::createStructure):
1036         * runtime/DateInstance.cpp:
1037         (JSC::DateInstance::finishCreation):
1038         * runtime/DateInstance.h:
1039         (JSC::DateInstance::createStructure):
1040         (JSC::asDateInstance):
1041         * runtime/DatePrototype.cpp:
1042         (JSC::formateDateInstance):
1043         (JSC::DatePrototype::finishCreation):
1044         (JSC::dateProtoFuncToISOString):
1045         (JSC::dateProtoFuncToLocaleString):
1046         (JSC::dateProtoFuncToLocaleDateString):
1047         (JSC::dateProtoFuncToLocaleTimeString):
1048         (JSC::dateProtoFuncGetTime):
1049         (JSC::dateProtoFuncGetFullYear):
1050         (JSC::dateProtoFuncGetUTCFullYear):
1051         (JSC::dateProtoFuncGetMonth):
1052         (JSC::dateProtoFuncGetUTCMonth):
1053         (JSC::dateProtoFuncGetDate):
1054         (JSC::dateProtoFuncGetUTCDate):
1055         (JSC::dateProtoFuncGetDay):
1056         (JSC::dateProtoFuncGetUTCDay):
1057         (JSC::dateProtoFuncGetHours):
1058         (JSC::dateProtoFuncGetUTCHours):
1059         (JSC::dateProtoFuncGetMinutes):
1060         (JSC::dateProtoFuncGetUTCMinutes):
1061         (JSC::dateProtoFuncGetSeconds):
1062         (JSC::dateProtoFuncGetUTCSeconds):
1063         (JSC::dateProtoFuncGetMilliSeconds):
1064         (JSC::dateProtoFuncGetUTCMilliseconds):
1065         (JSC::dateProtoFuncGetTimezoneOffset):
1066         (JSC::dateProtoFuncSetTime):
1067         (JSC::setNewValueFromTimeArgs):
1068         (JSC::setNewValueFromDateArgs):
1069         (JSC::dateProtoFuncSetYear):
1070         (JSC::dateProtoFuncGetYear):
1071         * runtime/DatePrototype.h:
1072         (JSC::DatePrototype::createStructure):
1073         * runtime/Error.h:
1074         (JSC::StrictModeTypeErrorFunction::createStructure):
1075         * runtime/ErrorConstructor.h:
1076         (JSC::ErrorConstructor::createStructure):
1077         * runtime/ErrorInstance.cpp:
1078         (JSC::ErrorInstance::finishCreation):
1079         * runtime/ErrorInstance.h:
1080         (JSC::ErrorInstance::createStructure):
1081         * runtime/ErrorPrototype.cpp:
1082         (JSC::ErrorPrototype::finishCreation):
1083         * runtime/ErrorPrototype.h:
1084         (JSC::ErrorPrototype::createStructure):
1085         * runtime/ExceptionHelpers.cpp:
1086         (JSC::isTerminatedExecutionException):
1087         * runtime/ExceptionHelpers.h:
1088         (JSC::TerminatedExecutionError::createStructure):
1089         * runtime/Executable.cpp:
1090         (JSC::EvalExecutable::visitChildren):
1091         (JSC::ProgramExecutable::visitChildren):
1092         (JSC::FunctionExecutable::visitChildren):
1093         (JSC::ExecutableBase::hashFor):
1094         * runtime/Executable.h:
1095         (JSC::ExecutableBase::createStructure):
1096         (JSC::NativeExecutable::createStructure):
1097         (JSC::EvalExecutable::createStructure):
1098         (JSC::ProgramExecutable::createStructure):
1099         (JSC::FunctionExecutable::compileFor):
1100         (JSC::FunctionExecutable::compileOptimizedFor):
1101         (JSC::FunctionExecutable::createStructure):
1102         * runtime/FunctionConstructor.h:
1103         (JSC::FunctionConstructor::createStructure):
1104         * runtime/FunctionPrototype.cpp:
1105         (JSC::functionProtoFuncToString):
1106         (JSC::functionProtoFuncApply):
1107         (JSC::functionProtoFuncBind):
1108         * runtime/FunctionPrototype.h:
1109         (JSC::FunctionPrototype::createStructure):
1110         * runtime/GetterSetter.cpp:
1111         (JSC::GetterSetter::visitChildren):
1112         * runtime/GetterSetter.h:
1113         (JSC::GetterSetter::createStructure):
1114         * runtime/InternalFunction.cpp:
1115         (JSC::InternalFunction::finishCreation):
1116         * runtime/InternalFunction.h:
1117         (JSC::InternalFunction::createStructure):
1118         (JSC::asInternalFunction):
1119         * runtime/JSAPIValueWrapper.h:
1120         (JSC::JSAPIValueWrapper::createStructure):
1121         * runtime/JSActivation.cpp:
1122         (JSC::JSActivation::visitChildren):
1123         (JSC::JSActivation::argumentsGetter):
1124         * runtime/JSActivation.h:
1125         (JSC::JSActivation::createStructure):
1126         (JSC::asActivation):
1127         * runtime/JSArray.h:
1128         (JSC::JSArray::createStructure):
1129         (JSC::asArray):
1130         (JSC::isJSArray):
1131         * runtime/JSBoundFunction.cpp:
1132         (JSC::JSBoundFunction::finishCreation):
1133         (JSC::JSBoundFunction::visitChildren):
1134         * runtime/JSBoundFunction.h:
1135         (JSC::JSBoundFunction::createStructure):
1136         * runtime/JSCJSValue.cpp:
1137         (JSC::JSValue::dumpInContext):
1138         * runtime/JSCJSValueInlines.h:
1139         (JSC::JSValue::isFunction):
1140         * runtime/JSCell.h:
1141         (JSC::jsCast):
1142         (JSC::jsDynamicCast):
1143         * runtime/JSCellInlines.h:
1144         (JSC::allocateCell):
1145         * runtime/JSFunction.cpp:
1146         (JSC::JSFunction::finishCreation):
1147         (JSC::JSFunction::visitChildren):
1148         (JSC::skipOverBoundFunctions):
1149         (JSC::JSFunction::callerGetter):
1150         * runtime/JSFunction.h:
1151         (JSC::JSFunction::createStructure):
1152         * runtime/JSGlobalObject.cpp:
1153         (JSC::JSGlobalObject::visitChildren):
1154         (JSC::slowValidateCell):
1155         * runtime/JSGlobalObject.h:
1156         (JSC::JSGlobalObject::createStructure):
1157         * runtime/JSNameScope.cpp:
1158         (JSC::JSNameScope::visitChildren):
1159         * runtime/JSNameScope.h:
1160         (JSC::JSNameScope::createStructure):
1161         * runtime/JSNotAnObject.h:
1162         (JSC::JSNotAnObject::createStructure):
1163         * runtime/JSONObject.cpp:
1164         (JSC::JSONObject::finishCreation):
1165         (JSC::unwrapBoxedPrimitive):
1166         (JSC::Stringifier::Stringifier):
1167         (JSC::Stringifier::appendStringifiedValue):
1168         (JSC::Stringifier::Holder::Holder):
1169         (JSC::Walker::walk):
1170         (JSC::JSONProtoFuncStringify):
1171         * runtime/JSONObject.h:
1172         (JSC::JSONObject::createStructure):
1173         * runtime/JSObject.cpp:
1174         (JSC::getCallableObjectSlow):
1175         (JSC::JSObject::visitChildren):
1176         (JSC::JSObject::copyBackingStore):
1177         (JSC::JSFinalObject::visitChildren):
1178         (JSC::JSObject::ensureInt32Slow):
1179         (JSC::JSObject::ensureDoubleSlow):
1180         (JSC::JSObject::ensureContiguousSlow):
1181         (JSC::JSObject::ensureArrayStorageSlow):
1182         * runtime/JSObject.h:
1183         (JSC::JSObject::finishCreation):
1184         (JSC::JSObject::createStructure):
1185         (JSC::JSNonFinalObject::createStructure):
1186         (JSC::JSFinalObject::createStructure):
1187         (JSC::isJSFinalObject):
1188         * runtime/JSPropertyNameIterator.cpp:
1189         (JSC::JSPropertyNameIterator::visitChildren):
1190         * runtime/JSPropertyNameIterator.h:
1191         (JSC::JSPropertyNameIterator::createStructure):
1192         * runtime/JSProxy.cpp:
1193         (JSC::JSProxy::visitChildren):
1194         * runtime/JSProxy.h:
1195         (JSC::JSProxy::createStructure):
1196         * runtime/JSScope.cpp:
1197         (JSC::JSScope::visitChildren):
1198         * runtime/JSSegmentedVariableObject.cpp:
1199         (JSC::JSSegmentedVariableObject::visitChildren):
1200         * runtime/JSString.h:
1201         (JSC::JSString::createStructure):
1202         (JSC::isJSString):
1203         * runtime/JSSymbolTableObject.cpp:
1204         (JSC::JSSymbolTableObject::visitChildren):
1205         * runtime/JSVariableObject.h:
1206         * runtime/JSWithScope.cpp:
1207         (JSC::JSWithScope::visitChildren):
1208         * runtime/JSWithScope.h:
1209         (JSC::JSWithScope::createStructure):
1210         * runtime/JSWrapperObject.cpp:
1211         (JSC::JSWrapperObject::visitChildren):
1212         * runtime/JSWrapperObject.h:
1213         (JSC::JSWrapperObject::createStructure):
1214         * runtime/MathObject.cpp:
1215         (JSC::MathObject::finishCreation):
1216         * runtime/MathObject.h:
1217         (JSC::MathObject::createStructure):
1218         * runtime/NameConstructor.h:
1219         (JSC::NameConstructor::createStructure):
1220         * runtime/NameInstance.h:
1221         (JSC::NameInstance::createStructure):
1222         (JSC::NameInstance::finishCreation):
1223         * runtime/NamePrototype.cpp:
1224         (JSC::NamePrototype::finishCreation):
1225         (JSC::privateNameProtoFuncToString):
1226         * runtime/NamePrototype.h:
1227         (JSC::NamePrototype::createStructure):
1228         * runtime/NativeErrorConstructor.cpp:
1229         (JSC::NativeErrorConstructor::visitChildren):
1230         * runtime/NativeErrorConstructor.h:
1231         (JSC::NativeErrorConstructor::createStructure):
1232         (JSC::NativeErrorConstructor::finishCreation):
1233         * runtime/NumberConstructor.cpp:
1234         (JSC::NumberConstructor::finishCreation):
1235         * runtime/NumberConstructor.h:
1236         (JSC::NumberConstructor::createStructure):
1237         * runtime/NumberObject.cpp:
1238         (JSC::NumberObject::finishCreation):
1239         * runtime/NumberObject.h:
1240         (JSC::NumberObject::createStructure):
1241         * runtime/NumberPrototype.cpp:
1242         (JSC::NumberPrototype::finishCreation):
1243         * runtime/NumberPrototype.h:
1244         (JSC::NumberPrototype::createStructure):
1245         * runtime/ObjectConstructor.h:
1246         (JSC::ObjectConstructor::createStructure):
1247         * runtime/ObjectPrototype.cpp:
1248         (JSC::ObjectPrototype::finishCreation):
1249         * runtime/ObjectPrototype.h:
1250         (JSC::ObjectPrototype::createStructure):
1251         * runtime/PropertyMapHashTable.h:
1252         (JSC::PropertyTable::createStructure):
1253         * runtime/PropertyTable.cpp:
1254         (JSC::PropertyTable::visitChildren):
1255         * runtime/RegExp.h:
1256         (JSC::RegExp::createStructure):
1257         * runtime/RegExpConstructor.cpp:
1258         (JSC::RegExpConstructor::finishCreation):
1259         (JSC::RegExpConstructor::visitChildren):
1260         (JSC::constructRegExp):
1261         * runtime/RegExpConstructor.h:
1262         (JSC::RegExpConstructor::createStructure):
1263         (JSC::asRegExpConstructor):
1264         * runtime/RegExpMatchesArray.cpp:
1265         (JSC::RegExpMatchesArray::visitChildren):
1266         * runtime/RegExpMatchesArray.h:
1267         (JSC::RegExpMatchesArray::createStructure):
1268         * runtime/RegExpObject.cpp:
1269         (JSC::RegExpObject::finishCreation):
1270         (JSC::RegExpObject::visitChildren):
1271         * runtime/RegExpObject.h:
1272         (JSC::RegExpObject::createStructure):
1273         (JSC::asRegExpObject):
1274         * runtime/RegExpPrototype.cpp:
1275         (JSC::regExpProtoFuncTest):
1276         (JSC::regExpProtoFuncExec):
1277         (JSC::regExpProtoFuncCompile):
1278         (JSC::regExpProtoFuncToString):
1279         * runtime/RegExpPrototype.h:
1280         (JSC::RegExpPrototype::createStructure):
1281         * runtime/SparseArrayValueMap.cpp:
1282         (JSC::SparseArrayValueMap::createStructure):
1283         * runtime/SparseArrayValueMap.h:
1284         * runtime/StrictEvalActivation.h:
1285         (JSC::StrictEvalActivation::createStructure):
1286         * runtime/StringConstructor.h:
1287         (JSC::StringConstructor::createStructure):
1288         * runtime/StringObject.cpp:
1289         (JSC::StringObject::finishCreation):
1290         * runtime/StringObject.h:
1291         (JSC::StringObject::createStructure):
1292         (JSC::asStringObject):
1293         * runtime/StringPrototype.cpp:
1294         (JSC::StringPrototype::finishCreation):
1295         (JSC::stringProtoFuncReplace):
1296         (JSC::stringProtoFuncToString):
1297         (JSC::stringProtoFuncMatch):
1298         (JSC::stringProtoFuncSearch):
1299         (JSC::stringProtoFuncSplit):
1300         * runtime/StringPrototype.h:
1301         (JSC::StringPrototype::createStructure):
1302         * runtime/Structure.cpp:
1303         (JSC::Structure::Structure):
1304         (JSC::Structure::materializePropertyMap):
1305         (JSC::Structure::get):
1306         (JSC::Structure::visitChildren):
1307         * runtime/Structure.h:
1308         (JSC::Structure::typeInfo):
1309         (JSC::Structure::previousID):
1310         (JSC::Structure::outOfLineSize):
1311         (JSC::Structure::totalStorageCapacity):
1312         (JSC::Structure::materializePropertyMapIfNecessary):
1313         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1314         * runtime/StructureChain.cpp:
1315         (JSC::StructureChain::visitChildren):
1316         * runtime/StructureChain.h:
1317         (JSC::StructureChain::createStructure):
1318         * runtime/StructureInlines.h:
1319         (JSC::Structure::get):
1320         * runtime/StructureRareData.cpp:
1321         (JSC::StructureRareData::createStructure):
1322         (JSC::StructureRareData::visitChildren):
1323         * runtime/StructureRareData.h:
1324         * runtime/SymbolTable.h:
1325         (JSC::SharedSymbolTable::createStructure):
1326         * runtime/VM.cpp:
1327         (JSC::VM::VM):
1328         (JSC::StackPreservingRecompiler::operator()):
1329         (JSC::VM::releaseExecutableMemory):
1330         * runtime/WriteBarrier.h:
1331         (JSC::validateCell):
1332         * testRegExp.cpp:
1333         (GlobalObject::createStructure):
1334
1335 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1336
1337         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1338         https://bugs.webkit.org/show_bug.cgi?id=119762
1339
1340         Reviewed by Geoffrey Garen.
1341
1342         * heap/Heap.cpp:
1343         (JSC::Heap::Heap):
1344         (JSC::Heap::markRoots):
1345         (JSC::Heap::collect):
1346         * jsc.cpp:
1347         (StopWatch::start):
1348         (StopWatch::stop):
1349         * testRegExp.cpp:
1350         (StopWatch::start):
1351         (StopWatch::stop):
1352
1353 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1354
1355         [sh4] Prepare LLINT for DFG_JIT implementation.
1356         https://bugs.webkit.org/show_bug.cgi?id=119755
1357
1358         Reviewed by Oliver Hunt.
1359
1360         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1361         * offlineasm/sh4.rb:
1362             - Handle storeb opcode.
1363             - Make relative jumps when possible using braf opcode.
1364             - Update bmulio implementation to be consistent with baseline JIT.
1365             - Remove useless code from leap opcode.
1366             - Fix incorrect comment.
1367
1368 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1369
1370         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1371         https://bugs.webkit.org/show_bug.cgi?id=119758
1372
1373         Reviewed by Oliver Hunt.
1374
1375         * assembler/MacroAssemblerSH4.h:
1376             - Introduce a loadEffectiveAddress function to avoid code duplication.
1377             - Add ASSERTs and clean code.
1378         * assembler/SH4Assembler.h:
1379             - Prepare DFG_JIT implementation.
1380             - Add ASSERTs.
1381         * jit/JITStubs.cpp:
1382             - Add SH4 specific call for assertions.
1383         * jit/JITStubs.h:
1384             - Cosmetic change.
1385         * jit/JITStubsSH4.h:
1386             - Use constants to be more flexible with sh4 JIT stack frame.
1387         * jit/JSInterfaceJIT.h:
1388             - Cosmetic change.
1389
1390 2013-08-13  Oliver Hunt  <oliver@apple.com>
1391
1392         Harden executeConstruct against incorrect return types from host functions
1393         https://bugs.webkit.org/show_bug.cgi?id=119757
1394
1395         Reviewed by Mark Hahnenberg.
1396
1397         Add logic to guard against bogus return types.  There doesn't seem to be any
1398         class in WebKit that does this wrong, but the typed array stubs in debug JSC
1399         do exhibit this bad behaviour.
1400
1401         * interpreter/Interpreter.cpp:
1402         (JSC::Interpreter::executeConstruct):
1403
1404 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1405
1406         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1407         https://bugs.webkit.org/show_bug.cgi?id=119736
1408
1409         Reviewed by Anders Carlsson.
1410
1411         Don't force C++11 mode off anymore.
1412
1413         * Target.pri:
1414
1415 2013-08-12  Oliver Hunt  <oliver@apple.com>
1416
1417         Remove CodeBlock's notion of adding identifiers entirely
1418         https://bugs.webkit.org/show_bug.cgi?id=119708
1419
1420         Reviewed by Geoffrey Garen.
1421
1422         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1423         Move the addition of identifiers to DFGPlan::reallyAdd.
1424
1425         * bytecode/CodeBlock.h:
1426         * dfg/DFGDesiredIdentifiers.cpp:
1427         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1428         * dfg/DFGDesiredIdentifiers.h:
1429         * dfg/DFGPlan.cpp:
1430         (JSC::DFG::Plan::reallyAdd):
1431         (JSC::DFG::Plan::finalize):
1432         * dfg/DFGPlan.h:
1433
1434 2013-08-12  Oliver Hunt  <oliver@apple.com>
1435
1436         Build fix
1437
1438         * runtime/JSCell.h:
1439
1440 2013-08-12  Oliver Hunt  <oliver@apple.com>
1441
1442         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1443         https://bugs.webkit.org/show_bug.cgi?id=119705
1444
1445         Reviewed by Geoffrey Garen.
1446
1447         Relatively trivial refactoring.
1448
1449         * bytecode/CodeBlock.h:
1450         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1451         (JSC::CodeBlock::addAdditionalIdentifier):
1452         (JSC::CodeBlock::identifier):
1453         (JSC::CodeBlock::numberOfIdentifiers):
1454         * dfg/DFGCommonData.h:
1455
1456 2013-08-12  Oliver Hunt  <oliver@apple.com>
1457
1458         Stop making unnecessary copy of CodeBlock Identifier Vector
1459         https://bugs.webkit.org/show_bug.cgi?id=119702
1460
1461         Reviewed by Michael Saboff.
1462
1463         Make CodeBlock simply use a separate Vector for additional Identifiers
1464         and use the UnlinkedCodeBlock for the initial set of identifiers.
1465
1466         * bytecode/CodeBlock.cpp:
1467         (JSC::CodeBlock::printGetByIdOp):
1468         (JSC::dumpStructure):
1469         (JSC::dumpChain):
1470         (JSC::CodeBlock::printGetByIdCacheStatus):
1471         (JSC::CodeBlock::printPutByIdOp):
1472         (JSC::CodeBlock::dumpBytecode):
1473         (JSC::CodeBlock::CodeBlock):
1474         (JSC::CodeBlock::shrinkToFit):
1475         * bytecode/CodeBlock.h:
1476         (JSC::CodeBlock::numberOfIdentifiers):
1477         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1478         (JSC::CodeBlock::addAdditionalIdentifier):
1479         (JSC::CodeBlock::identifier):
1480         * dfg/DFGDesiredIdentifiers.cpp:
1481         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1482         * jit/JIT.h:
1483         * jit/JITOpcodes.cpp:
1484         (JSC::JIT::emitSlow_op_get_arguments_length):
1485         * jit/JITPropertyAccess.cpp:
1486         (JSC::JIT::emit_op_get_by_id):
1487         (JSC::JIT::compileGetByIdHotPath):
1488         (JSC::JIT::emitSlow_op_get_by_id):
1489         (JSC::JIT::compileGetByIdSlowCase):
1490         (JSC::JIT::emitSlow_op_put_by_id):
1491         * jit/JITPropertyAccess32_64.cpp:
1492         (JSC::JIT::emit_op_get_by_id):
1493         (JSC::JIT::compileGetByIdHotPath):
1494         (JSC::JIT::compileGetByIdSlowCase):
1495         * jit/JITStubs.cpp:
1496         (JSC::DEFINE_STUB_FUNCTION):
1497         * llint/LLIntSlowPaths.cpp:
1498         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1499
1500 2013-08-08  Mark Lam  <mark.lam@apple.com>
1501
1502         Restoring use of StackIterator instead of Interpreter::getStacktrace().
1503         https://bugs.webkit.org/show_bug.cgi?id=119575.
1504
1505         Reviewed by Oliver Hunt.
1506
1507         * interpreter/Interpreter.h:
1508         - Made getStackTrace() private.
1509         * interpreter/StackIterator.cpp:
1510         (JSC::StackIterator::StackIterator):
1511         (JSC::StackIterator::numberOfFrames):
1512         - Computes the number of frames by iterating through the whole stack
1513           from the starting frame. The iterator will save its current frame
1514           position before counting the frames, and then restore it after
1515           the counting.
1516         (JSC::StackIterator::gotoFrameAtIndex):
1517         (JSC::StackIterator::gotoNextFrame):
1518         (JSC::StackIterator::resetIterator):
1519         - Points the iterator to the starting frame.
1520         * interpreter/StackIteratorPrivate.h:
1521
1522 2013-08-08  Mark Lam  <mark.lam@apple.com>
1523
1524         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1525         the Interpreter class.
1526         https://bugs.webkit.org/show_bug.cgi?id=119576.
1527
1528         Reviewed by Oliver Hunt.
1529
1530         This change is needed to prepare for making Interpreter::getStackTrace()
1531         private. It does not change the behavior of the code, only the lexical
1532         scoping.
1533
1534         * interpreter/Interpreter.h:
1535         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1536         * runtime/ErrorConstructor.cpp:
1537         (JSC::Interpreter::constructWithErrorConstructor):
1538         (JSC::ErrorConstructor::getConstructData):
1539         (JSC::Interpreter::callErrorConstructor):
1540         (JSC::ErrorConstructor::getCallData):
1541         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1542           directly. So, we moved the helper functions into the Interpreter
1543           class.
1544         * runtime/NativeErrorConstructor.cpp:
1545         (JSC::Interpreter::constructWithNativeErrorConstructor):
1546         (JSC::NativeErrorConstructor::getConstructData):
1547         (JSC::Interpreter::callNativeErrorConstructor):
1548         (JSC::NativeErrorConstructor::getCallData):
1549         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1550           directly. So, we moved the helper functions into the Interpreter
1551           class.
1552
1553 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1554
1555         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1556         https://bugs.webkit.org/show_bug.cgi?id=119555
1557
1558         Reviewed by Geoffrey Garen.
1559
1560         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
1561         This was causing crashes on maps.google.com in 32-bit debug builds.
1562
1563         * dfg/DFGSpeculativeJIT32_64.cpp:
1564         (JSC::DFG::SpeculativeJIT::compile):
1565
1566 2013-08-06  Michael Saboff  <msaboff@apple.com>
1567
1568         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
1569         https://bugs.webkit.org/show_bug.cgi?id=119405
1570
1571         Reviewed by Geoffrey Garen.
1572
1573         * dfg/DFGSpeculativeJIT.cpp:
1574         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
1575         ourselves to save a register and then load from it.
1576
1577 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
1578
1579         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
1580         https://bugs.webkit.org/show_bug.cgi?id=119528
1581
1582         Reviewed by Geoffrey Garen.
1583
1584         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
1585         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
1586         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
1587         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
1588         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
1589
1590         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
1591
1592         * bytecode/CodeBlock.cpp:
1593         (JSC::CodeBlock::finalizeUnconditionally):
1594         * dfg/DFGDriver.cpp:
1595         (JSC::DFG::compile):
1596         * dfg/DFGFixupPhase.cpp:
1597         (JSC::DFG::FixupPhase::fixupNode):
1598         * dfg/DFGGraph.cpp:
1599         (JSC::DFG::Graph::dump):
1600         * dfg/DFGSpeculativeJIT64.cpp:
1601         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1602         * runtime/JSObject.h:
1603         (JSC::JSObject::getIndexQuickly):
1604         (JSC::JSObject::tryGetIndexQuickly):
1605
1606 2013-08-08  Stephanie Lewis  <slewis@apple.com>
1607
1608         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
1609
1610         Unreviewed.
1611
1612         Ensure llint symbols are in source order.
1613
1614         * JavaScriptCore.order:
1615
1616 2013-08-06  Mark Lam  <mark.lam@apple.com>
1617
1618         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
1619         https://bugs.webkit.org/show_bug.cgi?id=119532.
1620
1621         Reviewed by Oliver Hunt.
1622
1623         * parser/Parser.cpp:
1624         (JSC::::Parser):
1625         - Just need to initialize the Parser's JSTokenLocation's initial line and
1626           startOffset as well during Parser construction.
1627
1628 2013-08-06  Stephanie Lewis  <slewis@apple.com>
1629
1630         Update Order Files for Safari
1631         <rdar://problem/14517392>
1632
1633         Unreviewed.
1634
1635         * JavaScriptCore.order:
1636
1637 2013-08-04  Sam Weinig  <sam@webkit.org>
1638
1639         Remove support for HTML5 MicroData
1640         https://bugs.webkit.org/show_bug.cgi?id=119480
1641
1642         Reviewed by Anders Carlsson.
1643
1644         * Configurations/FeatureDefines.xcconfig:
1645
1646 2013-08-05  Oliver Hunt  <oliver@apple.com>
1647
1648         Delay Arguments creation in strict mode
1649         https://bugs.webkit.org/show_bug.cgi?id=119505
1650
1651         Reviewed by Geoffrey Garen.
1652
1653         Make use of the write tracking performed by the parser to
1654         allow us to know if we're modifying the parameters to a function.
1655         Then use that information to make strict mode functions opt out
1656         of eager arguments creation.
1657
1658         * bytecompiler/BytecodeGenerator.cpp:
1659         (JSC::BytecodeGenerator::BytecodeGenerator):
1660         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
1661         (JSC::BytecodeGenerator::emitReturn):
1662         * bytecompiler/BytecodeGenerator.h:
1663         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
1664         * parser/Nodes.h:
1665         (JSC::ScopeNode::modifiesParameter):
1666         * parser/Parser.cpp:
1667         (JSC::::parseInner):
1668         * parser/Parser.h:
1669         (JSC::Scope::declareParameter):
1670         (JSC::Scope::getCapturedVariables):
1671         (JSC::Parser::declareWrite):
1672         * parser/ParserModes.h:
1673
1674 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1675
1676         Remove useless code from COMPILER(RVCT) JITStubs
1677         https://bugs.webkit.org/show_bug.cgi?id=119521
1678
1679         Reviewed by Geoffrey Garen.
1680
1681         * jit/JITStubsARMv7.h:
1682         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
1683         (JSC::ctiOpThrowNotCaught): Ditto.
1684
1685 2013-07-23  David Farler  <dfarler@apple.com>
1686
1687         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
1688         https://bugs.webkit.org/show_bug.cgi?id=117762
1689
1690         Reviewed by Mark Rowe.
1691
1692         * Configurations/DebugRelease.xcconfig:
1693         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
1694         * Configurations/JavaScriptCore.xcconfig:
1695         Add ASAN_OTHER_LDFLAGS.
1696         * Configurations/ToolExecutable.xcconfig:
1697         Don't use ASAN for build tools.
1698
1699 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1700
1701         Build fix for ARM MSVC after r153222 and r153648.
1702
1703         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
1704
1705 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1706
1707         Build fix for ARM MSVC after r150109.
1708
1709         Read the stub template from a header file instead of from JITStubs.cpp.
1710
1711         * CMakeLists.txt:
1712         * DerivedSources.pri:
1713         * create_jit_stubs:
1714
1715 2013-08-05  Oliver Hunt  <oliver@apple.com>
1716
1717         Move TypedArray implementation into JSC
1718         https://bugs.webkit.org/show_bug.cgi?id=119489
1719
1720         Reviewed by Filip Pizlo.
1721
1722         Move TypedArray implementation into JSC in advance of re-implementation.
1723
1724         * GNUmakefile.list.am:
1725         * JSCTypedArrayStubs.h:
1726         * JavaScriptCore.xcodeproj/project.pbxproj:
1727         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
1728         (JSC::ArrayBuffer::transfer):
1729         (JSC::ArrayBuffer::addView):
1730         (JSC::ArrayBuffer::removeView):
1731         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
1732         (JSC::ArrayBufferContents::ArrayBufferContents):
1733         (JSC::ArrayBufferContents::data):
1734         (JSC::ArrayBufferContents::sizeInBytes):
1735         (JSC::ArrayBufferContents::transfer):
1736         (JSC::ArrayBufferContents::copyTo):
1737         (JSC::ArrayBuffer::isNeutered):
1738         (JSC::ArrayBuffer::~ArrayBuffer):
1739         (JSC::ArrayBuffer::clampValue):
1740         (JSC::ArrayBuffer::create):
1741         (JSC::ArrayBuffer::createUninitialized):
1742         (JSC::ArrayBuffer::ArrayBuffer):
1743         (JSC::ArrayBuffer::data):
1744         (JSC::ArrayBuffer::byteLength):
1745         (JSC::ArrayBuffer::slice):
1746         (JSC::ArrayBuffer::sliceImpl):
1747         (JSC::ArrayBuffer::clampIndex):
1748         (JSC::ArrayBufferContents::tryAllocate):
1749         (JSC::ArrayBufferContents::~ArrayBufferContents):
1750         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
1751         (JSC::ArrayBufferView::ArrayBufferView):
1752         (JSC::ArrayBufferView::~ArrayBufferView):
1753         (JSC::ArrayBufferView::neuter):
1754         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
1755         (JSC::ArrayBufferView::buffer):
1756         (JSC::ArrayBufferView::baseAddress):
1757         (JSC::ArrayBufferView::byteOffset):
1758         (JSC::ArrayBufferView::setNeuterable):
1759         (JSC::ArrayBufferView::isNeuterable):
1760         (JSC::ArrayBufferView::verifySubRange):
1761         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1762         (JSC::ArrayBufferView::setImpl):
1763         (JSC::ArrayBufferView::setRangeImpl):
1764         (JSC::ArrayBufferView::zeroRangeImpl):
1765         (JSC::ArrayBufferView::calculateOffsetAndLength):
1766         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
1767         (JSC::Float32Array::set):
1768         (JSC::Float32Array::getType):
1769         (JSC::Float32Array::create):
1770         (JSC::Float32Array::createUninitialized):
1771         (JSC::Float32Array::Float32Array):
1772         (JSC::Float32Array::subarray):
1773         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
1774         (JSC::Float64Array::set):
1775         (JSC::Float64Array::getType):
1776         (JSC::Float64Array::create):
1777         (JSC::Float64Array::createUninitialized):
1778         (JSC::Float64Array::Float64Array):
1779         (JSC::Float64Array::subarray):
1780         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
1781         (JSC::Int16Array::getType):
1782         (JSC::Int16Array::create):
1783         (JSC::Int16Array::createUninitialized):
1784         (JSC::Int16Array::Int16Array):
1785         (JSC::Int16Array::subarray):
1786         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
1787         (JSC::Int32Array::getType):
1788         (JSC::Int32Array::create):
1789         (JSC::Int32Array::createUninitialized):
1790         (JSC::Int32Array::Int32Array):
1791         (JSC::Int32Array::subarray):
1792         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
1793         (JSC::Int8Array::getType):
1794         (JSC::Int8Array::create):
1795         (JSC::Int8Array::createUninitialized):
1796         (JSC::Int8Array::Int8Array):
1797         (JSC::Int8Array::subarray):
1798         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
1799         (JSC::IntegralTypedArrayBase::set):
1800         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
1801         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
1802         (JSC::TypedArrayBase::data):
1803         (JSC::TypedArrayBase::set):
1804         (JSC::TypedArrayBase::setRange):
1805         (JSC::TypedArrayBase::zeroRange):
1806         (JSC::TypedArrayBase::length):
1807         (JSC::TypedArrayBase::byteLength):
1808         (JSC::TypedArrayBase::item):
1809         (JSC::TypedArrayBase::checkInboundData):
1810         (JSC::TypedArrayBase::TypedArrayBase):
1811         (JSC::TypedArrayBase::create):
1812         (JSC::TypedArrayBase::createUninitialized):
1813         (JSC::TypedArrayBase::subarrayImpl):
1814         (JSC::TypedArrayBase::neuter):
1815         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
1816         (JSC::Uint16Array::getType):
1817         (JSC::Uint16Array::create):
1818         (JSC::Uint16Array::createUninitialized):
1819         (JSC::Uint16Array::Uint16Array):
1820         (JSC::Uint16Array::subarray):
1821         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
1822         (JSC::Uint32Array::getType):
1823         (JSC::Uint32Array::create):
1824         (JSC::Uint32Array::createUninitialized):
1825         (JSC::Uint32Array::Uint32Array):
1826         (JSC::Uint32Array::subarray):
1827         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
1828         (JSC::Uint8Array::getType):
1829         (JSC::Uint8Array::create):
1830         (JSC::Uint8Array::createUninitialized):
1831         (JSC::Uint8Array::Uint8Array):
1832         (JSC::Uint8Array::subarray):
1833         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
1834         (JSC::Uint8ClampedArray::getType):
1835         (JSC::Uint8ClampedArray::create):
1836         (JSC::Uint8ClampedArray::createUninitialized):
1837         (JSC::Uint8ClampedArray::zeroFill):
1838         (JSC::Uint8ClampedArray::set):
1839         (JSC::Uint8ClampedArray::Uint8ClampedArray):
1840         (JSC::Uint8ClampedArray::subarray):
1841         * runtime/VM.h:
1842
1843 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1844
1845         Copied space should be able to handle more than one copied backing store per JSCell
1846         https://bugs.webkit.org/show_bug.cgi?id=119471
1847
1848         Reviewed by Mark Hahnenberg.
1849         
1850         This allows a cell to call copyLater() multiple times for multiple different
1851         backing stores, and then have copyBackingStore() called exactly once for each
1852         of those. A token tells it which backing store to copy. All backing stores
1853         must be named using the CopyToken, an enumeration which currently cannot
1854         exceed eight entries.
1855         
1856         When copyBackingStore() is called, it's up to the callee to (a) use the token
1857         to decide what to copy and (b) call its base class's copyBackingStore() in
1858         case the base class had something that needed copying. The only exception is
1859         that JSCell never asks anything to be copied, and so if your base is JSCell
1860         then you don't have to do anything.
1861
1862         * GNUmakefile.list.am:
1863         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1864         * JavaScriptCore.xcodeproj/project.pbxproj:
1865         * heap/CopiedBlock.h:
1866         * heap/CopiedBlockInlines.h:
1867         (JSC::CopiedBlock::reportLiveBytes):
1868         * heap/CopyToken.h: Added.
1869         * heap/CopyVisitor.cpp:
1870         (JSC::CopyVisitor::copyFromShared):
1871         * heap/CopyVisitor.h:
1872         * heap/CopyVisitorInlines.h:
1873         (JSC::CopyVisitor::visitItem):
1874         * heap/CopyWorkList.h:
1875         (JSC::CopyWorklistItem::CopyWorklistItem):
1876         (JSC::CopyWorklistItem::cell):
1877         (JSC::CopyWorklistItem::token):
1878         (JSC::CopyWorkListSegment::get):
1879         (JSC::CopyWorkListSegment::append):
1880         (JSC::CopyWorkListSegment::data):
1881         (JSC::CopyWorkListIterator::get):
1882         (JSC::CopyWorkListIterator::operator*):
1883         (JSC::CopyWorkListIterator::operator->):
1884         (JSC::CopyWorkList::append):
1885         * heap/SlotVisitor.h:
1886         * heap/SlotVisitorInlines.h:
1887         (JSC::SlotVisitor::copyLater):
1888         * runtime/ClassInfo.h:
1889         * runtime/JSCell.cpp:
1890         (JSC::JSCell::copyBackingStore):
1891         * runtime/JSCell.h:
1892         * runtime/JSObject.cpp:
1893         (JSC::JSObject::visitButterfly):
1894         (JSC::JSObject::copyBackingStore):
1895         * runtime/JSObject.h:
1896
1897 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
1898
1899         [Automake] Define ENABLE_JIT through the Autoconf header
1900         https://bugs.webkit.org/show_bug.cgi?id=119445
1901
1902         Reviewed by Martin Robinson.
1903
1904         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
1905
1906 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1907
1908         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1909         https://bugs.webkit.org/show_bug.cgi?id=119470
1910
1911         Reviewed by Oliver Hunt.
1912         
1913         Structure can still tell you if the object "could" (in the conservative sense)
1914         have an indexing header; that's used by the compiler.
1915         
1916         Most of the time if you want to know if there's an indexing header, you ask the
1917         JSObject.
1918         
1919         In some cases, the JSObject wants to know if it would have an indexing header if
1920         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1921
1922         * dfg/DFGRepatch.cpp:
1923         (JSC::DFG::tryCachePutByID):
1924         (JSC::DFG::tryBuildPutByIdList):
1925         * dfg/DFGSpeculativeJIT.cpp:
1926         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1927         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1928         * runtime/ButterflyInlines.h:
1929         (JSC::Butterfly::create):
1930         (JSC::Butterfly::growPropertyStorage):
1931         (JSC::Butterfly::growArrayRight):
1932         (JSC::Butterfly::resizeArray):
1933         * runtime/JSObject.cpp:
1934         (JSC::JSObject::copyButterfly):
1935         (JSC::JSObject::visitButterfly):
1936         * runtime/JSObject.h:
1937         (JSC::JSObject::hasIndexingHeader):
1938         (JSC::JSObject::setButterfly):
1939         * runtime/Structure.h:
1940         (JSC::Structure::couldHaveIndexingHeader):
1941         (JSC::Structure::hasIndexingHeader):
1942
1943 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1944
1945         Give the error object's stack property accessor attributes.
1946         https://bugs.webkit.org/show_bug.cgi?id=119404
1947
1948         Reviewed by Geoffrey Garen.
1949         
1950         Changed the attributes of error object's stack property to allow developers to write
1951         and delete the stack property. This will match the functionality of Chrome. Firefox
1952         allows developers to write the error's stack, but not delete it.
1953
1954         * interpreter/Interpreter.cpp:
1955         (JSC::Interpreter::addStackTraceIfNecessary):
1956         * runtime/ErrorInstance.cpp:
1957         (JSC::ErrorInstance::finishCreation):
1958
1959 2013-08-02  Oliver Hunt  <oliver@apple.com>
1960
1961         Incorrect type speculation reported by ToPrimitive
1962         https://bugs.webkit.org/show_bug.cgi?id=119458
1963
1964         Reviewed by Mark Hahnenberg.
1965
1966         Make sure that we report the correct type possibilities for the output
1967         from ToPrimitive.
1968
1969         * dfg/DFGAbstractInterpreterInlines.h:
1970         (JSC::DFG::::executeEffects):
1971
1972 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1973
1974         Remove no-arguments constructor to PropertySlot
1975         https://bugs.webkit.org/show_bug.cgi?id=119460
1976
1977         Reviewed by Geoff Garen.
1978
1979         This constructor was unsafe if getValue is subsequently called,
1980         and the property is a getter. Simplest to just remove it.
1981
1982         * runtime/Arguments.cpp:
1983         (JSC::Arguments::defineOwnProperty):
1984         * runtime/JSActivation.cpp:
1985         (JSC::JSActivation::getOwnPropertyDescriptor):
1986         * runtime/JSFunction.cpp:
1987         (JSC::JSFunction::getOwnPropertyDescriptor):
1988         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1989         (JSC::JSFunction::put):
1990         (JSC::JSFunction::defineOwnProperty):
1991         * runtime/JSGlobalObject.cpp:
1992         (JSC::JSGlobalObject::defineOwnProperty):
1993         * runtime/JSGlobalObject.h:
1994         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1995         * runtime/JSNameScope.cpp:
1996         (JSC::JSNameScope::put):
1997         * runtime/JSONObject.cpp:
1998         (JSC::Stringifier::Holder::appendNextProperty):
1999         (JSC::Walker::walk):
2000         * runtime/JSObject.cpp:
2001         (JSC::JSObject::hasProperty):
2002         (JSC::JSObject::hasOwnProperty):
2003         (JSC::JSObject::reifyStaticFunctionsForDelete):
2004         * runtime/Lookup.h:
2005         (JSC::getStaticPropertyDescriptor):
2006         (JSC::getStaticFunctionDescriptor):
2007         (JSC::getStaticValueDescriptor):
2008         * runtime/ObjectConstructor.cpp:
2009         (JSC::defineProperties):
2010         * runtime/PropertySlot.h:
2011
2012 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2013
2014         DFG validation can cause assertion failures due to dumping
2015         https://bugs.webkit.org/show_bug.cgi?id=119456
2016
2017         Reviewed by Geoffrey Garen.
2018
2019         * bytecode/CodeBlock.cpp:
2020         (JSC::CodeBlock::hasHash):
2021         (JSC::CodeBlock::isSafeToComputeHash):
2022         (JSC::CodeBlock::hash):
2023         (JSC::CodeBlock::dumpAssumingJITType):
2024         * bytecode/CodeBlock.h:
2025
2026 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2027
2028         Have vm's exceptionStack match java's vm's exceptionStack.
2029         https://bugs.webkit.org/show_bug.cgi?id=119362
2030
2031         Reviewed by Geoffrey Garen.
2032         
2033         The error object's stack is only updated if it does not exist yet. This matches
2034         the functionality of other browsers, and Java VMs.
2035
2036         * interpreter/Interpreter.cpp:
2037         (JSC::Interpreter::addStackTraceIfNecessary):
2038         (JSC::Interpreter::throwException):
2039         * runtime/VM.cpp:
2040         (JSC::VM::clearExceptionStack):
2041         * runtime/VM.h:
2042         (JSC::VM::lastExceptionStack):
2043
2044 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2045
2046         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
2047         https://bugs.webkit.org/show_bug.cgi?id=119447
2048
2049         Reviewed by Geoffrey Garen.
2050
2051         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2052         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2053         r153583 (sh4) and r153648 (ARM).
2054
2055         * jit/JITStubsMIPS.h:
2056
2057 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
2058
2059         hasIndexingHeader should be a property of the Structure, not just the IndexingType
2060         https://bugs.webkit.org/show_bug.cgi?id=119422
2061
2062         Reviewed by Oliver Hunt.
2063         
2064         This simplifies some code and also allows Structure to claim that an object
2065         has an indexing header even if it doesn't have indexed properties.
2066         
2067         I also changed some calls to use hasIndexedProperties() since in some cases,
2068         that's what we actually meant. Currently the two are synonyms.
2069
2070         * dfg/DFGRepatch.cpp:
2071         (JSC::DFG::tryCachePutByID):
2072         (JSC::DFG::tryBuildPutByIdList):
2073         * dfg/DFGSpeculativeJIT.cpp:
2074         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2075         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2076         * runtime/ButterflyInlines.h:
2077         (JSC::Butterfly::create):
2078         (JSC::Butterfly::growPropertyStorage):
2079         (JSC::Butterfly::growArrayRight):
2080         (JSC::Butterfly::resizeArray):
2081         * runtime/IndexingType.h:
2082         * runtime/JSObject.cpp:
2083         (JSC::JSObject::copyButterfly):
2084         (JSC::JSObject::visitButterfly):
2085         (JSC::JSObject::setPrototype):
2086         * runtime/JSObject.h:
2087         (JSC::JSObject::setButterfly):
2088         * runtime/JSPropertyNameIterator.cpp:
2089         (JSC::JSPropertyNameIterator::create):
2090         * runtime/Structure.h:
2091         (JSC::Structure::hasIndexingHeader):
2092
2093 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2094
2095         REGRESSION: ARM still crashes after change set r153612.
2096         https://bugs.webkit.org/show_bug.cgi?id=119433
2097
2098         Reviewed by Michael Saboff.
2099
2100         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
2101         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
2102         for sh4 architecture.
2103
2104         * jit/JITStubsARM.h:
2105         * jit/JITStubsARMv7.h:
2106
2107 2013-08-02  Michael Saboff  <msaboff@apple.com>
2108
2109         REGRESSION(r153612): It made jsc and layout tests crash
2110         https://bugs.webkit.org/show_bug.cgi?id=119440
2111
2112         Reviewed by Csaba Osztrogonác.
2113
2114         Made the changes of changeset r153612 only apply to 32 bit builds.
2115
2116         * jit/JITExceptions.cpp:
2117         * jit/JITExceptions.h:
2118         * jit/JITStubs.cpp:
2119         (JSC::cti_vm_throw_slowpath):
2120         * jit/JITStubs.h:
2121
2122 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2123
2124         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2125
2126         * CMakeLists.txt:
2127
2128 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2129
2130         [Forms: color] <input type='color'> popover color well implementation
2131         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2132
2133         Reviewed by Benjamin Poulain.
2134
2135         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
2136
2137 2013-08-01  Oliver Hunt  <oliver@apple.com>
2138
2139         DFG is not enforcing correct ordering of ToString conversion in MakeRope
2140         https://bugs.webkit.org/show_bug.cgi?id=119408
2141
2142         Reviewed by Filip Pizlo.
2143
2144         Construct ToString and Phantom nodes in advance of MakeRope
2145         nodes to ensure that ordering is ensured, and correct values
2146         will be reified on OSR exit.
2147
2148         * dfg/DFGByteCodeParser.cpp:
2149         (JSC::DFG::ByteCodeParser::parseBlock):
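
        The ordering contract the entry above restores, probed from JavaScript as an added example (this is not code from the ChangeLog or from JavaScriptCore): concatenating several operands must run ToString on each operand left to right and exactly once, and when a later conversion throws, the earlier conversions' side effects stay visible while later operands are never converted. The helper names are the example's own.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore.
// It probes the observable contract the entry above is about: when several
// operands are concatenated into one string, ToString runs on each operand
// left to right and exactly once, and an exception from a later conversion
// must not undo or repeat the side effects of an earlier one.

// Build an operand whose ToString records its name in |log| (and optionally throws).
function tracedOperand(name, log, shouldThrow = false) {
  return {
    toString() {
      log.push(name);
      if (shouldThrow) throw new Error(`ToString(${name}) failed`);
      return name;
    },
  };
}

// Concatenate three traced operands in one expression and report the
// conversion order the engine actually used.
function concatenationOrder(names) {
  const log = [];
  const [a, b, c] = names.map((n) => tracedOperand(n, log));
  const result = '' + a + b + c;          // left to right, one ToString per operand
  return { result, log };
}

// Same expression, but the middle operand throws during ToString: the first
// operand's side effect must already be visible and the third must never run.
function concatenationOrderWithThrow(names) {
  const log = [];
  const [a, b, c] = names.map((n, i) => tracedOperand(n, log, i === 1));
  let error = null;
  try {
    void ('' + a + b + c);
  } catch (e) {
    error = e.message;
  }
  return { log, error };
}
```

        A JIT that reorders or re-executes these conversions (for instance on an OSR exit that re-runs the expression) would change the recorded log, which is exactly what a regression test for this entry should compare.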
2150
2151 2013-08-01  Michael Saboff  <msaboff@apple.com>
2152
2153         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
2154         https://bugs.webkit.org/show_bug.cgi?id=119140
2155
2156         Reviewed by Filip Pizlo.
2157
2158         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
2159
2160         * jit/JITExceptions.cpp:
2161         (JSC::encode):
2162         * jit/JITExceptions.h:
2163         * jit/JITStubs.cpp:
2164         (JSC::cti_vm_throw_slowpath):
2165         * jit/JITStubs.h:
2166
2167 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
2168
2169         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
2170         https://bugs.webkit.org/show_bug.cgi?id=119391
2171
2172         Reviewed by Csaba Osztrogonác.
2173
2174         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
2175             - Call frame is in r14 register.
2176             - Do not restore registers from JIT stack frame here.
2177
2178 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2179
2180         More cleanup in PropertySlot
2181         https://bugs.webkit.org/show_bug.cgi?id=119359
2182
2183         Reviewed by Geoff Garen.
2184
2185         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
2186         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
2187
2188         * dfg/DFGRepatch.cpp:
2189         (JSC::DFG::tryCacheGetByID):
2190         (JSC::DFG::tryBuildGetByIDList):
2191             - No need to ASSERT slotBase is an object.
2192         * jit/JITStubs.cpp:
2193         (JSC::tryCacheGetByID):
2194         (JSC::DEFINE_STUB_FUNCTION):
2195             - No need to ASSERT slotBase is an object.
2196         * runtime/JSObject.cpp:
2197         (JSC::JSObject::getOwnPropertySlotByIndex):
2198         (JSC::JSObject::fillGetterPropertySlot):
2199             - Pass an object through to setGetterSlot.
2200         * runtime/JSObject.h:
2201         (JSC::PropertySlot::getValue):
2202             - Moved from PropertySlot (need to know about JSObject).
2203         * runtime/PropertySlot.cpp:
2204         (JSC::PropertySlot::functionGetter):
2205             - update per member name changes
2206         * runtime/PropertySlot.h:
2207         (JSC::PropertySlot::PropertySlot):
2208             - Argument to constructor set to 'thisValue'.
2209         (JSC::PropertySlot::slotBase):
2210             - This returns a JSObject*.
2211         (JSC::PropertySlot::setValue):
2212         (JSC::PropertySlot::setCustom):
2213         (JSC::PropertySlot::setCacheableCustom):
2214         (JSC::PropertySlot::setCustomIndex):
2215         (JSC::PropertySlot::setGetterSlot):
2216         (JSC::PropertySlot::setCacheableGetterSlot):
2217             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
2218         * runtime/SparseArrayValueMap.cpp:
2219         (JSC::SparseArrayEntry::get):
2220             - Pass an object through to setGetterSlot.
2221         * runtime/SparseArrayValueMap.h:
2222             - Pass an object through to setGetterSlot.
2223
2224 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
2225
2226         Reduce JSC API static value setter/getter overhead.
2227         https://bugs.webkit.org/show_bug.cgi?id=119277
2228
2229         Reviewed by Geoffrey Garen.
2230
2231         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
2232         need to be called every time the static value is set or read.
2233
2234         * API/JSCallbackObjectFunctions.h:
2235         (JSC::::put):
2236         (JSC::::putByIndex):
2237         (JSC::::getStaticValue):
2238         * API/JSClassRef.cpp:
2239         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2240         * API/JSClassRef.h:
2241         (StaticValueEntry::StaticValueEntry):
2242
2243 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
2244
2245         Use emptyString instead of String("")
2246         https://bugs.webkit.org/show_bug.cgi?id=119335
2247
2248         Reviewed by Darin Adler.
2249
2250         Use emptyString() instead of String("") because it is better style and
2251         faster. This is a followup to r116908, removing all occurrences of
2252         String("") from WebKit.
2253
2254         * runtime/RegExpConstructor.cpp:
2255         (JSC::constructRegExp):
2256         * runtime/RegExpPrototype.cpp:
2257         (JSC::regExpProtoFuncCompile):
2258         * runtime/StringPrototype.cpp:
2259         (JSC::stringProtoFuncMatch):
2260         (JSC::stringProtoFuncSearch):
2261
2262 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2263
2264         <input type=color> Mac UI behaviour
2265         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2266
2267         Reviewed by Brady Eidson.
2268
2269         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2270
2271 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2272
2273         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2274         https://bugs.webkit.org/show_bug.cgi?id=119349
2275
2276         Reviewed by Geoffrey Garen.
2277
2278         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2279         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2280         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2281         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2282         JIT then this resizing never happens and we crash at link time in the DFG.
2283
2284         We can fix this by also doing the resize in the DFG to catch this case.
2285
2286         * dfg/DFGJITCompiler.cpp:
2287         (JSC::DFG::JITCompiler::link):
2288
2289 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2290
2291         Speculative Windows build fix.
2292
2293         Reviewed by NOBODY
2294
2295         * runtime/JSString.cpp:
2296         (JSC::JSRopeString::getIndexSlowCase):
2297         * runtime/JSString.h:
2298
2299 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2300
2301         Some cleanup in JSValue::get
2302         https://bugs.webkit.org/show_bug.cgi?id=119343
2303
2304         Reviewed by Geoff Garen.
2305
2306         JSValue::get is implemented to:
2307             1) Check if the value is a cell – if not, synthesize a prototype to search,
2308             2) call getOwnPropertySlot on the cell,
2309             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2310         By all rights this should crash when passed a string and accessing a property that does not exist, because
2311         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2312         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2313         prototype chain, and faking out a return value of undefined if no property is found.
2314
2315         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2316         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2317
2318         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2319         slots anyway.
2320
2321         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
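
        The three-step lookup described above, written out in JavaScript as an added example (not JavaScriptCore code): a non-object value gets a prototype synthesised for it, an object is first asked for an own property, and the search then walks the prototype chain, returning undefined if nothing is found. The model follows the post-fix rule that only objects have property slots; a primitive string's own length and index properties are special-cased because the model has no string cell to ask. modelGet, syntheticPrototype and stringOwnProperty are names chosen for the example.

```javascript
// Added example, not JavaScriptCore code: a JavaScript model of the lookup
// order the entry describes for JSValue::get. Only objects have property
// slots; everything else is searched through a synthesised prototype.

function isObject(value) {
  return (typeof value === 'object' && value !== null) || typeof value === 'function';
}

// Step 1: a non-object value has no property slots of its own, so pick the
// prototype that will be searched on its behalf. null and undefined have none.
function syntheticPrototype(value, name) {
  switch (typeof value) {
    case 'string':  return String.prototype;
    case 'number':  return Number.prototype;
    case 'boolean': return Boolean.prototype;
    case 'symbol':  return Symbol.prototype;
    case 'bigint':  return BigInt.prototype;
    default:        // null or undefined: nothing to search
      throw new TypeError(`Cannot read property '${name}' of ${value}`);
  }
}

// Own properties a primitive string exposes without being an object:
// 'length' and canonical array indices within the string.
function stringOwnProperty(str, name) {
  if (name === 'length') return { found: true, value: str.length };
  const index = Number(name);
  if (Number.isInteger(index) && index >= 0 && index < str.length && String(index) === name)
    return { found: true, value: str[index] };
  return { found: false };
}

// Look up a string-keyed property on any value, following the three steps.
function modelGet(value, name) {
  let object;
  if (isObject(value)) {
    object = value;                       // step 2 starts at the object itself
  } else {
    if (typeof value === 'string') {
      const own = stringOwnProperty(value, name);
      if (own.found) return own.value;
    }
    object = syntheticPrototype(value, name);
  }
  // Steps 2 and 3: ask each object on the chain for an own slot; stop at the first hit.
  for (let o = object; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, name);
    if (desc === undefined) continue;
    if ('value' in desc) return desc.value;                           // data property
    return desc.get === undefined ? undefined : desc.get.call(value); // accessor, receiver is the original value
  }
  return undefined;                       // fell off the chain: property does not exist
}
```

        Note that the receiver passed to an accessor is the original value, not the synthesised prototype, so a getter on String.prototype invoked for "abc" sees the primitive string as this.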
2322
2323 2013-07-31  Michael Saboff  <msaboff@apple.com>
2324
2325         [Win] JavaScript crash.
2326         https://bugs.webkit.org/show_bug.cgi?id=119339
2327
2328         Reviewed by Mark Hahnenberg.
2329
2330         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2331         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2332
2333 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2334
2335         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2336         https://bugs.webkit.org/show_bug.cgi?id=119281
2337
2338         Reviewed by Geoffrey Garen.
2339
2340         This leads to out of bounds accesses and subsequent crashes.
2341
2342         * dfg/DFGSpeculativeJIT.cpp:
2343         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2344         * dfg/DFGSpeculativeJIT64.cpp:
2345         (JSC::DFG::SpeculativeJIT::compile):
2346
2347 2013-07-30  Oliver Hunt  <oliver@apple.com>
2348
2349         Add an assertion to SpeculateCellOperand
2350         https://bugs.webkit.org/show_bug.cgi?id=119276
2351
2352         Reviewed by Michael Saboff.
2353
2354         More assertions are better
2355
2356         * dfg/DFGSpeculativeJIT64.cpp:
2357         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2358         (JSC::DFG::SpeculativeJIT::compile):
2359
2360 2013-07-30  Mark Lam  <mark.lam@apple.com>
2361
2362         Fix problems with divot and lineStart mismatches.
2363         https://bugs.webkit.org/show_bug.cgi?id=118662.
2364
2365         Reviewed by Oliver Hunt.
2366
2367         r152494 added the recording of lineStart values for divot positions.
2368         This is needed for the computation of column numbers. Similarly, it also
2369         added the recording of line numbers for the divot positions. One problem
2370         with the approach taken was that the line and lineStart values were
2371         recorded independently, and hence were not always guaranteed to be
2372         sampled at the same place that the divot position is recorded. This
2373         resulted in potential mismatches that cause some assertions to fail.
2374
2375         The solution is to introduce a JSTextPosition abstraction that records
2376         the divot position, line, and lineStart as a single quantity. Wherever
2377         we record the divot position as an unsigned int previously, we now record
2378         its JSTextPosition which captures all 3 values in one go. This ensures
2379         that the captured line and lineStart will always match the captured divot
2380         position.
2381
2382         * bytecompiler/BytecodeGenerator.cpp:
2383         (JSC::BytecodeGenerator::emitCall):
2384         (JSC::BytecodeGenerator::emitCallEval):
2385         (JSC::BytecodeGenerator::emitCallVarargs):
2386         (JSC::BytecodeGenerator::emitConstruct):
2387         (JSC::BytecodeGenerator::emitDebugHook):
2388         - Use JSTextPosition instead of passing line and lineStart explicitly.
2389         * bytecompiler/BytecodeGenerator.h:
2390         (JSC::BytecodeGenerator::emitExpressionInfo):
2391         - Use JSTextPosition instead of passing line and lineStart explicitly.
2392         * bytecompiler/NodesCodegen.cpp:
2393         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2394         (JSC::ResolveNode::emitBytecode):
2395         (JSC::BracketAccessorNode::emitBytecode):
2396         (JSC::DotAccessorNode::emitBytecode):
2397         (JSC::NewExprNode::emitBytecode):
2398         (JSC::EvalFunctionCallNode::emitBytecode):
2399         (JSC::FunctionCallValueNode::emitBytecode):
2400         (JSC::FunctionCallResolveNode::emitBytecode):
2401         (JSC::FunctionCallBracketNode::emitBytecode):
2402         (JSC::FunctionCallDotNode::emitBytecode):
2403         (JSC::CallFunctionCallDotNode::emitBytecode):
2404         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2405         (JSC::PostfixNode::emitResolve):
2406         (JSC::PostfixNode::emitBracket):
2407         (JSC::PostfixNode::emitDot):
2408         (JSC::DeleteResolveNode::emitBytecode):
2409         (JSC::DeleteBracketNode::emitBytecode):
2410         (JSC::DeleteDotNode::emitBytecode):
2411         (JSC::PrefixNode::emitResolve):
2412         (JSC::PrefixNode::emitBracket):
2413         (JSC::PrefixNode::emitDot):
2414         (JSC::UnaryOpNode::emitBytecode):
2415         (JSC::BinaryOpNode::emitStrcat):
2416         (JSC::BinaryOpNode::emitBytecode):
2417         (JSC::ThrowableBinaryOpNode::emitBytecode):
2418         (JSC::InstanceOfNode::emitBytecode):
2419         (JSC::emitReadModifyAssignment):
2420         (JSC::ReadModifyResolveNode::emitBytecode):
2421         (JSC::AssignResolveNode::emitBytecode):
2422         (JSC::AssignDotNode::emitBytecode):
2423         (JSC::ReadModifyDotNode::emitBytecode):
2424         (JSC::AssignBracketNode::emitBytecode):
2425         (JSC::ReadModifyBracketNode::emitBytecode):
2426         (JSC::ForInNode::emitBytecode):
2427         (JSC::WithNode::emitBytecode):
2428         (JSC::ThrowNode::emitBytecode):
2429         - Use JSTextPosition instead of passing line and lineStart explicitly.
2430         * parser/ASTBuilder.h:
2431         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2432         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2433         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2434         (JSC::ASTBuilder::createResolve):
2435         (JSC::ASTBuilder::createBracketAccess):
2436         (JSC::ASTBuilder::createDotAccess):
2437         (JSC::ASTBuilder::createRegExp):
2438         (JSC::ASTBuilder::createNewExpr):
2439         (JSC::ASTBuilder::createAssignResolve):
2440         (JSC::ASTBuilder::createExprStatement):
2441         (JSC::ASTBuilder::createForInLoop):
2442         (JSC::ASTBuilder::createReturnStatement):
2443         (JSC::ASTBuilder::createBreakStatement):
2444         (JSC::ASTBuilder::createContinueStatement):
2445         (JSC::ASTBuilder::createLabelStatement):
2446         (JSC::ASTBuilder::createWithStatement):
2447         (JSC::ASTBuilder::createThrowStatement):
2448         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2449         (JSC::ASTBuilder::appendUnaryToken):
2450         (JSC::ASTBuilder::unaryTokenStackLastStart):
2451         (JSC::ASTBuilder::assignmentStackAppend):
2452         (JSC::ASTBuilder::createAssignment):
2453         (JSC::ASTBuilder::setExceptionLocation):
2454         (JSC::ASTBuilder::makeDeleteNode):
2455         (JSC::ASTBuilder::makeFunctionCallNode):
2456         (JSC::ASTBuilder::makeBinaryNode):
2457         (JSC::ASTBuilder::makeAssignNode):
2458         (JSC::ASTBuilder::makePrefixNode):
2459         (JSC::ASTBuilder::makePostfixNode):
2460         - Use JSTextPosition instead of passing line and lineStart explicitly.
2461         * parser/Lexer.cpp:
2462         (JSC::::lex):
2463         - Added support for capturing the appropriate JSTextPositions instead
2464           of just the character offset.
2465         * parser/Lexer.h:
2466         (JSC::Lexer::currentPosition):
2467         (JSC::::lexExpectIdentifier):
2468         - Added support for capturing the appropriate JSTextPositions instead
2469           of just the character offset.
2470         * parser/NodeConstructors.h:
2471         (JSC::Node::Node):
2472         (JSC::ResolveNode::ResolveNode):
2473         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
2474         (JSC::FunctionCallValueNode::FunctionCallValueNode):
2475         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
2476         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
2477         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2478         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2479         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2480         (JSC::PostfixNode::PostfixNode):
2481         (JSC::DeleteResolveNode::DeleteResolveNode):
2482         (JSC::DeleteBracketNode::DeleteBracketNode):
2483         (JSC::DeleteDotNode::DeleteDotNode):
2484         (JSC::PrefixNode::PrefixNode):
2485         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2486         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
2487         (JSC::AssignBracketNode::AssignBracketNode):
2488         (JSC::AssignDotNode::AssignDotNode):
2489         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2490         (JSC::AssignErrorNode::AssignErrorNode):
2491         (JSC::WithNode::WithNode):
2492         (JSC::ForInNode::ForInNode):
2493         - Use JSTextPosition instead of passing line and lineStart explicitly.
2494         * parser/Nodes.cpp:
2495         (JSC::StatementNode::setLoc):
2496         - Use JSTextPosition instead of passing line and lineStart explicitly.
2497         * parser/Nodes.h:
2498         (JSC::Node::lineNo):
2499         (JSC::Node::startOffset):
2500         (JSC::Node::lineStartOffset):
2501         (JSC::Node::position):
2502         (JSC::ThrowableExpressionData::ThrowableExpressionData):
2503         (JSC::ThrowableExpressionData::setExceptionSourceCode):
2504         (JSC::ThrowableExpressionData::divot):
2505         (JSC::ThrowableExpressionData::divotStart):
2506         (JSC::ThrowableExpressionData::divotEnd):
2507         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
2508         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
2509         (JSC::ThrowableSubExpressionData::subexpressionDivot):
2510         (JSC::ThrowableSubExpressionData::subexpressionStart):
2511         (JSC::ThrowableSubExpressionData::subexpressionEnd):
2512         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
2513         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
2514         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
2515         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
2516         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
2517         - Use JSTextPosition instead of passing line and lineStart explicitly.
2518         * parser/Parser.cpp:
2519         (JSC::::Parser):
2520         (JSC::::parseInner):
2521         - Use JSTextPosition instead of passing line and lineStart explicitly.
2522         (JSC::::didFinishParsing):
2523         - Remove setting of m_lastLine value. We always pass in the value from
2524           m_lastLine anyway. So, this assignment is effectively a nop.
2525         (JSC::::parseVarDeclaration):
2526         (JSC::::parseVarDeclarationList):
2527         (JSC::::parseForStatement):
2528         (JSC::::parseBreakStatement):
2529         (JSC::::parseContinueStatement):
2530         (JSC::::parseReturnStatement):
2531         (JSC::::parseThrowStatement):
2532         (JSC::::parseWithStatement):
2533         (JSC::::parseTryStatement):
2534         (JSC::::parseBlockStatement):
2535         (JSC::::parseFunctionDeclaration):
2536         (JSC::LabelInfo::LabelInfo):
2537         (JSC::::parseExpressionOrLabelStatement):
2538         (JSC::::parseExpressionStatement):
2539         (JSC::::parseAssignmentExpression):
2540         (JSC::::parseBinaryExpression):
2541         (JSC::::parseProperty):
2542         (JSC::::parsePrimaryExpression):
2543         (JSC::::parseMemberExpression):
2544         (JSC::::parseUnaryExpression):
2545         - Use JSTextPosition instead of passing line and lineStart explicitly.
2546         * parser/Parser.h:
2547         (JSC::Parser::next):
2548         (JSC::Parser::nextExpectIdentifier):
2549         (JSC::Parser::getToken):
2550         (JSC::Parser::tokenStartPosition):
2551         (JSC::Parser::tokenEndPosition):
2552         (JSC::Parser::lastTokenEndPosition):
2553         (JSC::::parse):
2554         - Use JSTextPosition instead of passing line and lineStart explicitly.
2555         * parser/ParserTokens.h:
2556         (JSC::JSTextPosition::JSTextPosition):
2557         (JSC::JSTextPosition::operator+):
2558         (JSC::JSTextPosition::operator-):
2559         (JSC::JSTextPosition::operator int):
2560         - Added JSTextPosition.
2561         * parser/SyntaxChecker.h:
2562         (JSC::SyntaxChecker::makeFunctionCallNode):
2563         (JSC::SyntaxChecker::makeAssignNode):
2564         (JSC::SyntaxChecker::makePrefixNode):
2565         (JSC::SyntaxChecker::makePostfixNode):
2566         (JSC::SyntaxChecker::makeDeleteNode):
2567         (JSC::SyntaxChecker::createResolve):
2568         (JSC::SyntaxChecker::createBracketAccess):
2569         (JSC::SyntaxChecker::createDotAccess):
2570         (JSC::SyntaxChecker::createRegExp):
2571         (JSC::SyntaxChecker::createNewExpr):
2572         (JSC::SyntaxChecker::createAssignResolve):
2573         (JSC::SyntaxChecker::createForInLoop):
2574         (JSC::SyntaxChecker::createReturnStatement):
2575         (JSC::SyntaxChecker::createBreakStatement):
2576         (JSC::SyntaxChecker::createContinueStatement):
2577         (JSC::SyntaxChecker::createWithStatement):
2578         (JSC::SyntaxChecker::createLabelStatement):
2579         (JSC::SyntaxChecker::createThrowStatement):
2580         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2581         (JSC::SyntaxChecker::operatorStackPop):
2582         - Use JSTextPosition instead of passing line and lineStart explicitly.
2583
2584 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
2585
2586         Unreviewed. Fix make distcheck.
2587
2588         * GNUmakefile.list.am: Add missing files to compilation.
2589         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
2590         include FTL header files not included in the compilation.
2591         * dfg/DFGDriver.cpp: Ditto.
2592         * dfg/DFGPlan.cpp: Ditto.
2593
2594 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
2595
2596         Eager stack trace for error objects.
2597         https://bugs.webkit.org/show_bug.cgi?id=118918
2598
2599         Reviewed by Geoffrey Garen.
2600         
2601         Chrome and Firefox give error objects the stack property and we wanted to match
2602         that functionality. This allows developers to see the stack without throwing an object.
2603
2604         * runtime/ErrorInstance.cpp:
2605         (JSC::ErrorInstance::finishCreation):
2606          For error objects that are not thrown as an exception, we pass the stackTrace in 
2607          as a parameter. This allows the error object to have the stack property.
2608         
2609         * interpreter/Interpreter.cpp:
2610         (JSC::stackTraceAsString):
2611         Helper function used to eliminate duplicate code.
2612
2613         (JSC::Interpreter::addStackTraceIfNecessary):
2614         When an error object is created by the user the vm->exceptionStack is not set.
2615         If the user throws this error object later the stack that is in the error object 
2616         may not be the correct stack for the throw, so when we set the vm->exception stack,
2617         the stack property on the error object is set as well.
2618         
2619         * runtime/ErrorConstructor.cpp:
2620         (JSC::constructWithErrorConstructor):
2621         (JSC::callErrorConstructor):
2622         * runtime/NativeErrorConstructor.cpp:
2623         (JSC::constructWithNativeErrorConstructor):
2624         (JSC::callNativeErrorConstructor):
2625         These functions indicate that the user created an error object. For all error objects 
2626         that the user explicitly creates, the topCallFrame is at a new frame created to 
2627         handle the user's call. In this case though, the error object needs the caller's 
2628         frame to create the stack trace correctly.
2629         
2630         * interpreter/Interpreter.h:
2631         * runtime/ErrorInstance.h:
2632         (JSC::ErrorInstance::create):
2633
2634 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
2635
2636         Some cleanup in PropertySlot
2637         https://bugs.webkit.org/show_bug.cgi?id=119189
2638
2639         Reviewed by Geoff Garen.
2640
2641         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
2642         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
2643         is set to a special value to indicate the type (other than custom), and the type is also tracked by
2644         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
2645         (this is invalidOffset if not cacheable).
2646
2647             * Internally, always track the type of the property using an enum value, PropertyType.
2648             * Use m_offset to indicate cacheable.
2649             * Keep the external interface (CachedPropertyType) unchanged.
2650             * Better pack data into the m_data union.
2651
2652         Performance neutral.
2653
2654         * dfg/DFGRepatch.cpp:
2655         (JSC::DFG::tryCacheGetByID):
2656         (JSC::DFG::tryBuildGetByIDList):
2657             - cachedPropertyType() -> isCacheable*()
2658         * jit/JITPropertyAccess.cpp:
2659         (JSC::JIT::privateCompileGetByIdProto):
2660         (JSC::JIT::privateCompileGetByIdSelfList):
2661         (JSC::JIT::privateCompileGetByIdProtoList):
2662         (JSC::JIT::privateCompileGetByIdChainList):
2663         (JSC::JIT::privateCompileGetByIdChain):
2664             - cachedPropertyType() -> isCacheable*()
2665         * jit/JITPropertyAccess32_64.cpp:
2666         (JSC::JIT::privateCompileGetByIdProto):
2667         (JSC::JIT::privateCompileGetByIdSelfList):
2668         (JSC::JIT::privateCompileGetByIdProtoList):
2669         (JSC::JIT::privateCompileGetByIdChainList):
2670         (JSC::JIT::privateCompileGetByIdChain):
2671             - cachedPropertyType() -> isCacheable*()
2672         * jit/JITStubs.cpp:
2673         (JSC::tryCacheGetByID):
2674             - cachedPropertyType() -> isCacheable*()
2675         * llint/LLIntSlowPaths.cpp:
2676         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2677             - cachedPropertyType() -> isCacheable*()
2678         * runtime/PropertySlot.cpp:
2679         (JSC::PropertySlot::functionGetter):
2680             - refactoring described above.
2681         * runtime/PropertySlot.h:
2682         (JSC::PropertySlot::PropertySlot):
2683         (JSC::PropertySlot::getValue):
2684         (JSC::PropertySlot::isCacheable):
2685         (JSC::PropertySlot::isCacheableValue):
2686         (JSC::PropertySlot::isCacheableGetter):
2687         (JSC::PropertySlot::isCacheableCustom):
2688         (JSC::PropertySlot::cachedOffset):
2689         (JSC::PropertySlot::customGetter):
2690         (JSC::PropertySlot::setValue):
2691         (JSC::PropertySlot::setCustom):
2692         (JSC::PropertySlot::setCacheableCustom):
2693         (JSC::PropertySlot::setCustomIndex):
2694         (JSC::PropertySlot::setGetterSlot):
2695         (JSC::PropertySlot::setCacheableGetterSlot):
2696         (JSC::PropertySlot::setUndefined):
2697         (JSC::PropertySlot::slotBase):
2698         (JSC::PropertySlot::setBase):
2699             - refactoring described above.
2700
2701 2013-07-28  Oliver Hunt  <oliver@apple.com>
2702
2703         REGRESSION: Crash when opening Facebook.com
2704         https://bugs.webkit.org/show_bug.cgi?id=119155
2705
2706         Reviewed by Andreas Kling.
2707
2708         Scope nodes are always objects, so we should be using SpecObjectOther
2709         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
2710         contradiction in the CFA, resulting in bogus codegen.
2711
2712         * dfg/DFGAbstractInterpreterInlines.h:
2713         (JSC::DFG::::executeEffects):
2714         * dfg/DFGPredictionPropagationPhase.cpp:
2715         (JSC::DFG::PredictionPropagationPhase::propagate):
2716
2717 2013-07-26  Oliver Hunt  <oliver@apple.com>
2718
2719         REGRESSION(FTL?): Crashes in plugin tests
2720         https://bugs.webkit.org/show_bug.cgi?id=119141
2721
2722         Reviewed by Michael Saboff.
2723
2724         Re-export getStackTrace
2725
2726         * interpreter/Interpreter.h:
2727
2728 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
2729
2730         REGRESSION: Crash when opening a message on Gmail
2731         https://bugs.webkit.org/show_bug.cgi?id=119105
2732
2733         Reviewed by Oliver Hunt and Mark Hahnenberg.
2734         
2735         - GetById patching in the DFG needs to be more disciplined about how it derives the
2736           slow path.
2737         
2738         - Fix some dumping code thread safety issues.
2739
2740         * bytecode/CallLinkStatus.cpp:
2741         (JSC::CallLinkStatus::dump):
2742         * bytecode/CodeBlock.cpp:
2743         (JSC::CodeBlock::dumpBytecode):
2744         * dfg/DFGRepatch.cpp:
2745         (JSC::DFG::getPolymorphicStructureList):
2746         (JSC::DFG::tryBuildGetByIDList):
2747
2748 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
2749
2750         [mips] Fix LLINT build for mips backend
2751         https://bugs.webkit.org/show_bug.cgi?id=119152
2752
2753         Reviewed by Oliver Hunt.
2754
2755         * offlineasm/mips.rb:
2756
2757 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2758
2759         Setting a large numeric property on an object causes it to allocate a huge backing store
2760         https://bugs.webkit.org/show_bug.cgi?id=118914
2761
2762         Reviewed by Geoffrey Garen.
2763
2764         There are two distinct actions that we're trying to optimize for:
2765
2766         new Array(100000);
2767
2768         and:
2769
2770         a = [];
2771         a[100000] = 42;
2772         
2773         In the first case, the programmer has indicated that they expect this Array to be very big, 
2774         so they should get a contiguous array up until some threshold, above which we perform density 
2775         calculations to see if it is indeed dense enough to warrant being contiguous.
2776         
2777         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
2778         we should be more conservative and assume it should be sparse until we've proven otherwise.
2779         
2780         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
2781         between them for the purposes of not over-allocating large backing stores like we see on 
2782         http://www.peekanalytics.com/burgerjoints/
2783         
2784         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
2785         introduce a new heuristic for the second case. If we are putting to an index above a certain 
2786         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
2787         map instead. So for example, in the second case above the empty array has a blank indexing 
2788         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
2789
2790         This fix is ~800x speedup on the accompanying regression test :-o
2791
2792         * runtime/ArrayConventions.h:
2793         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
2794         * runtime/JSObject.cpp:
2795         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2796         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2797         (JSC::JSObject::putByIndexBeyondVectorLength):
2798         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2799
2800 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2801
2802         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
2803         https://bugs.webkit.org/show_bug.cgi?id=119148
2804
2805         Reviewed by Csaba Osztrogonác.
2806
2807         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
2808         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
2809         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
2810         code duplication.
2811
2812 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2813
2814         REGRESSION(FTL): Crash in sh4 baseline JIT.
2815         https://bugs.webkit.org/show_bug.cgi?id=119138
2816
2817         Reviewed by Csaba Osztrogonác.
2818
2819         This crash is due to incomplete report of r150146 and r148474.
2820
2821         * jit/JITStubsSH4.h:
2822
2823 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
2824
2825         Unreviewed.
2826
2827         * Target.pri: Adding missing DFG files to the Qt build.
2828
2829 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2830
2831         GTK and Qt buildfix after the intrusive win buildfix r153360.
2832
2833         * GNUmakefile.list.am:
2834         * Target.pri:
2835
2836 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2837
2838         Unreviewed, fix build break after r153360.
2839
2840         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
2841
2842 2013-07-25  Roger Fong  <roger_fong@apple.com>
2843
2844         Unreviewed build fix, AppleWin port.
2845
2846         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2847         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2848         * JavaScriptCore.vcxproj/copy-files.cmd:
2849
2850 2013-07-25  Roger Fong  <roger_fong@apple.com>
2851
2852         Unreviewed. Followup to r153360.
2853
2854         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2855         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2856
2857 2013-07-25  Michael Saboff  <msaboff@apple.com>
2858
2859         [Windows] Speculative build fix.
2860
2861         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2862         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2863
2864         * JavaScriptCore.xcodeproj/project.pbxproj:
2865         * llint/LLIntExceptions.cpp:
2866         * llint/LLIntExceptions.h:
2867         * llint/LLIntSlowPaths.cpp:
2868         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2869         * runtime/CommonSlowPaths.cpp:
2870         (JSC::SLOW_PATH_DECL):
2871         * runtime/CommonSlowPathsExceptions.cpp: Added.
2872         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2873         * runtime/CommonSlowPathsExceptions.h: Added.
2874
2875 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2876
2877         [Windows] Unreviewed build fix.
2878
2879         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2880         parser/SourceCode.h,.cpp.
2881         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2882
2883 2013-07-25  Anders Carlsson  <andersca@apple.com>
2884
2885         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2886         https://bugs.webkit.org/show_bug.cgi?id=119108
2887
2888         Reviewed by Mark Hahnenberg.
2889
2890         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2891
2892         * heap/CopiedSpace.cpp:
2893         (JSC::CopiedSpace::tryAllocateSlowCase):
2894         * heap/Heap.cpp:
2895         (JSC::Heap::protect):
2896         (JSC::Heap::unprotect):
2897         (JSC::Heap::collect):
2898         * heap/MarkedAllocator.cpp:
2899         (JSC::MarkedAllocator::allocateSlowCase):
2900         * runtime/JSGlobalObject.cpp:
2901         (JSC::JSGlobalObject::init):
2902         * runtime/VM.h:
2903         (JSC::VM::currentThreadIsHoldingAPILock):
2904
2905 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2906
2907         REGRESSION(FTL): Most layout tests crashes
2908         https://bugs.webkit.org/show_bug.cgi?id=119089
2909
2910         Reviewed by Oliver Hunt.
2911
2912         * runtime/ExecutionHarness.h:
2913         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2914         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2915         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
2916         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2917         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2918         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2919
2920 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2921
2922         [Windows] Unreviewed build fix.
2923
2924         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2925         include path.
2926
2927 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2928
2929         [Windows] Unreviewed build fix.
2930
2931         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2932         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2933         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2934
2935 2013-07-25  Oliver Hunt  <oliver@apple.com>
2936
2937         Make all jit & non-jit combos build cleanly
2938         https://bugs.webkit.org/show_bug.cgi?id=119102
2939
2940         Reviewed by Anders Carlsson.
2941
2942         * bytecode/CodeBlock.cpp:
2943         (JSC::CodeBlock::counterValueForOptimizeSoon):
2944         * bytecode/CodeBlock.h:
2945         (JSC::CodeBlock::optimizeAfterWarmUp):
2946         (JSC::CodeBlock::numberOfDFGCompiles):
2947
2948 2013-07-25  Oliver Hunt  <oliver@apple.com>
2949
2950         32 bit portion of load validation logic
2951         https://bugs.webkit.org/show_bug.cgi?id=118878
2952
2953         Reviewed by NOBODY (Build fix).
2954
2955         * dfg/DFGSpeculativeJIT32_64.cpp:
2956         (JSC::DFG::SpeculativeJIT::compile):
2957
2958 2013-07-25  Oliver Hunt  <oliver@apple.com>
2959
2960         More 32bit build fixes
2961
2962         - Apparently some compilers don't track the fastcall directive everywhere we expect
2963
2964         * API/APICallbackFunction.h:
2965         (JSC::APICallbackFunction::call):
2966         * bytecode/CodeBlock.cpp:
2967         * runtime/Structure.cpp:
2968
2969 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2970
2971         Optimize the thread locks for API Shims
2972         https://bugs.webkit.org/show_bug.cgi?id=118573
2973
2974         Reviewed by Geoffrey Garen.
2975
2976         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2977         only used by WebCore's main thread).
2978
2979         * API/APIShims.h:
2980         (JSC::APIEntryShim::APIEntryShim):
2981         (JSC::APICallbackShim::APICallbackShim):
2982         * runtime/JSLock.cpp:
2983         (JSC::JSLockHolder::JSLockHolder):
2984         (JSC::JSLockHolder::init):
2985         (JSC::JSLockHolder::~JSLockHolder):
2986         (JSC::JSLock::DropAllLocks::DropAllLocks):
2987         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2988         * runtime/VM.cpp:
2989         (JSC::VM::VM):
2990         * runtime/VM.h:
2991
2992 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2993
2994         Unreviewed build fix after r153218.
2995
2996         Broke the EFL port build with gcc 4.7.
2997
2998         * interpreter/StackIterator.cpp:
2999         (JSC::printif):
3000
3001 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3002
3003         Build fix: add missing #include.
3004         https://bugs.webkit.org/show_bug.cgi?id=119087
3005
3006         Reviewed by Allan Sandfeld Jensen.
3007
3008         * bytecode/ArrayProfile.cpp:
3009
3010 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3011
3012         Unreviewed, build fix on the EFL port.
3013
3014         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
3015
3016 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3017
3018         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
3019         https://bugs.webkit.org/show_bug.cgi?id=119083
3020
3021         Reviewed by Allan Sandfeld Jensen.
3022
3023         * assembler/MacroAssemblerSH4.h:
3024         (JSC::MacroAssemblerSH4::store8):
3025
3026 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3027
3028         [Qt] Fix test build after FTL upstream
3029
3030         Unreviewed build fix.
3031
3032         * Target.pri:
3033
3034 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3035
3036         [Qt] Build fix after FTL.
3037
3038         Unreviewed build fix.
3039
3040         * Target.pri:
3041         * interpreter/StackIterator.cpp:
3042         (JSC::StackIterator::Frame::print):
3043
3044 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3045
3046         Unreviewed build fix after FTL upstream.
3047
3048         * dfg/DFGWorklist.cpp:
3049         (JSC::DFG::Worklist::~Worklist):
3050
3051 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3052
3053         Unreviewed, build fix on the EFL port.
3054
3055         * CMakeLists.txt:
3056         Added SourceCode.cpp and removed BlackBerry file.
3057         * jit/JITCode.h:
3058         (JSC::JITCode::nextTierJIT):
3059         Fixed build break because of -Werror=return-type
3060         * parser/Lexer.cpp: Includes JSFunctionInlines.h
3061         * runtime/JSScope.h:
3062         (JSC::makeType):
3063         Fixed build break because of -Werror=return-type
3064
3065 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3066
3067         Unreviewed build fixing after FTL upstream.
3068
3069         * runtime/Executable.cpp:
3070         (JSC::FunctionExecutable::produceCodeBlockFor):
3071
3072 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3073
3074         Add missing implementation of bxxxnz in sh4 LLINT.
3075         https://bugs.webkit.org/show_bug.cgi?id=119079
3076
3077         Reviewed by Allan Sandfeld Jensen.
3078
3079         * offlineasm/sh4.rb:
3080
3081 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3082
3083         Unreviewed, build fix on the Qt port.
3084
3085         * Target.pri: Add additional build files for the FTL.
3086
3087 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3088
3089         Unreviewed buildfix after FTL upstream.
3090
3091         * interpreter/StackIterator.cpp:
3092         (JSC::StackIterator::Frame::codeType):
3093         (JSC::StackIterator::Frame::functionName):
3094         (JSC::StackIterator::Frame::sourceURL):
3095         (JSC::StackIterator::Frame::logicalFrame):
3096
3097 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3098
3099         Unreviewed.
3100
3101         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
3102         method is not left undefined, causing build failures on (at least) the GTK port.
3103
3104 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3105
3106         Unreviewed, further build fixing on the GTK port.
3107
3108         * GNUmakefile.list.am: Add CompilationResult source files to the build.
3109
3110 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3111
3112         Unreviewed GTK build fixing.
3113
3114         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
3115         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
3116
3117 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3118
3119         Buildfix after this error:
3120         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
3121
3122         * dfg/DFGPlan.cpp:
3123         (JSC::DFG::Plan::compileInThread):
3124
3125 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3126
3127         One more buildfix after FTL upstream.
3128
3129         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
3130
3131         * dfg/DFGLazyJSValue.cpp:
3132         (JSC::DFG::LazyJSValue::getValue):
3133         (JSC::DFG::LazyJSValue::strictEqual):
3134
3135 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3136
3137         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
3138         https://bugs.webkit.org/show_bug.cgi?id=119076
3139
3140         Reviewed by Allan Sandfeld Jensen.
3141
3142         * offlineasm/mips.rb:
3143         * offlineasm/sh4.rb:
3144
3145 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3146
3147         Unreviewed GTK build fix.
3148
3149         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
3150
3151 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3152
3153         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
3154         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
3155
3156         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
3157
3158 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3159
3160         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
3161
3162         * GNUmakefile.am:
3163         * GNUmakefile.list.am:
3164
3165 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3166
3167         Unreviewed buildfix after FTL upstream.
3168
3169         * runtime/JSScope.h:
3170         (JSC::needsVarInjectionChecks):
3171
3172 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3173
3174         One more fix after FTL upstream.
3175
3176         * Target.pri:
3177         * bytecode/CodeBlock.h:
3178         * bytecode/GetByIdStatus.h:
3179         (JSC::GetByIdStatus::GetByIdStatus):
3180
3181 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3182
3183         Unreviewed buildfix after FTL upstream.
3184
3185         Add ftl directory as include path.
3186
3187         * CMakeLists.txt:
3188         * JavaScriptCore.pri:
3189
3190 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3191
3192         Unreviewed buildfix after FTL upstream for non C++11 builds.
3193
3194         * interpreter/CallFrame.h:
3195         * interpreter/StackIteratorPrivate.h:
3196         (JSC::StackIterator::end):
3197
3198 2013-07-24  Oliver Hunt  <oliver@apple.com>
3199
3200         Endeavour to fix CMakelist builds
3201
3202         * CMakeLists.txt:
3203
3204 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
3205
3206         fourthTier: DFG IR dumps should be easier to read
3207         https://bugs.webkit.org/show_bug.cgi?id=119050
3208
3209         Reviewed by Mark Hahnenberg.
3210         
3211         Added a DumpContext that includes support for printing an endnote
3212         that describes all structures in full, while the main flow of the
3213         dump just uses made-up names for the structures. This is helpful
3214         since Structure::dump() may print a lot. The stuff it prints is
3215         useful, but if it's all inline with the surrounding thing you're
3216         dumping (often, a node in the DFG), then you get a ridiculously
3217         long print-out. All classes that dump structures (including
3218         Structure itself) now have dumpInContext() methods that use
3219         inContext() for dumping anything that might transitively print a
3220         structure. If Structure::dumpInContext() is called with a NULL
3221         context, it just uses dump() like before. Hence you don't have to
3222         know anything about DumpContext unless you want to.
3223         
3224         inContext(*structure, context) dumps something like %B4:Array,
3225         and the endnote will have something like:
3226         
3227             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
3228         
3229         where B4 is the inferred name that StringHashDumpContext came up
3230         with.
3231         
3232         Also shortened a bunch of other dumps, removing information that
3233         isn't so important.
3234         
3235         * JavaScriptCore.xcodeproj/project.pbxproj:
3236         * bytecode/ArrayProfile.cpp:
3237         (JSC::dumpArrayModes):
3238         * bytecode/CodeBlockHash.cpp:
3239         (JSC):
3240         (JSC::CodeBlockHash::CodeBlockHash):
3241         (JSC::CodeBlockHash::dump):
3242         * bytecode/CodeOrigin.cpp:
3243         (JSC::CodeOrigin::dumpInContext):
3244         (JSC):
3245         (JSC::InlineCallFrame::dumpInContext):
3246         (JSC::InlineCallFrame::dump):
3247         * bytecode/CodeOrigin.h:
3248         (CodeOrigin):
3249         (InlineCallFrame):
3250         * bytecode/Operands.h:
3251         (JSC::OperandValueTraits::isEmptyForDump):
3252         (Operands):
3253         (JSC::Operands::dump):
3254         (JSC):
3255         * bytecode/OperandsInlines.h: Added.
3256         (JSC):
3257         (JSC::::dumpInContext):
3258         * bytecode/StructureSet.h:
3259         (JSC::StructureSet::dumpInContext):
3260         (JSC::StructureSet::dump):
3261         (StructureSet):
3262         * dfg/DFGAbstractValue.cpp:
3263         (JSC::DFG::AbstractValue::dump):
3264         (DFG):
3265         (JSC::DFG::AbstractValue::dumpInContext):
3266         * dfg/DFGAbstractValue.h:
3267         (JSC::DFG::AbstractValue::operator!):
3268         (AbstractValue):
3269         * dfg/DFGCFAPhase.cpp:
3270         (JSC::DFG::CFAPhase::performBlockCFA):
3271         * dfg/DFGCommon.cpp:
3272         * dfg/DFGCommon.h:
3273         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3274         * dfg/DFGDisassembler.cpp:
3275         (JSC::DFG::Disassembler::createDumpList):
3276         * dfg/DFGDisassembler.h:
3277         (Disassembler):
3278         * dfg/DFGFlushFormat.h:
3279         (WTF::inContext):
3280         (WTF):
3281         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3282         * dfg/DFGGraph.cpp:
3283         (JSC::DFG::Graph::dumpCodeOrigin):
3284         (JSC::DFG::Graph::dump):
3285         (JSC::DFG::Graph::dumpBlockHeader):
3286         * dfg/DFGGraph.h:
3287         (Graph):
3288         * dfg/DFGLazyJSValue.cpp:
3289         (JSC::DFG::LazyJSValue::dumpInContext):
3290         (JSC::DFG::LazyJSValue::dump):
3291         (DFG):
3292         * dfg/DFGLazyJSValue.h:
3293         (LazyJSValue):
3294         * dfg/DFGNode.h:
3295         (JSC::DFG::nodeMapDump):
3296         (WTF::inContext):
3297         (WTF):
3298         * dfg/DFGOSRExitCompiler32_64.cpp:
3299         (JSC::DFG::OSRExitCompiler::compileExit):
3300         * dfg/DFGOSRExitCompiler64.cpp:
3301         (JSC::DFG::OSRExitCompiler::compileExit):
3302         * dfg/DFGStructureAbstractValue.h:
3303         (JSC::DFG::StructureAbstractValue::dumpInContext):
3304         (JSC::DFG::StructureAbstractValue::dump):
3305         (StructureAbstractValue):
3306         * ftl/FTLExitValue.cpp:
3307         (JSC::FTL::ExitValue::dumpInContext):
3308         (JSC::FTL::ExitValue::dump):
3309         (FTL):
3310         * ftl/FTLExitValue.h:
3311         (ExitValue):
3312         * ftl/FTLLowerDFGToLLVM.cpp:
3313         * ftl/FTLValueSource.cpp:
3314         (JSC::FTL::ValueSource::dumpInContext):
3315         (FTL):
3316         * ftl/FTLValueSource.h:
3317         (ValueSource):
3318         * runtime/DumpContext.cpp: Added.
3319         (JSC):
3320         (JSC::DumpContext::DumpContext):
3321         (JSC::DumpContext::~DumpContext):
3322         (JSC::DumpContext::isEmpty):
3323         (JSC::DumpContext::dump):
3324         * runtime/DumpContext.h: Added.
3325         (JSC):
3326         (DumpContext):
3327         * runtime/JSCJSValue.cpp:
3328         (JSC::JSValue::dump):
3329         (JSC):
3330         (JSC::JSValue::dumpInContext):
3331         * runtime/JSCJSValue.h:
3332         (JSC):
3333         (JSValue):
3334         * runtime/Structure.cpp:
3335         (JSC::Structure::dumpInContext):
3336         (JSC):
3337         (JSC::Structure::dumpBrief):
3338         (JSC::Structure::dumpContextHeader):
3339         * runtime/Structure.h:
3340         (JSC):
3341         (Structure):
3342
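The name-in-the-main-flow, details-in-the-endnote scheme described in the entry above, as an added example. This is not code from the ChangeLog or from JavaScriptCore: the Structure stand-in, the sequential "%S0"/"%S1" naming (JSC's StringHashDumpContext infers names like "%B4" differently), the dumpNodes() driver and the sample descriptions are all constructed for illustration.

```cpp
#include <cstddef>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Stand-in for JSC::Structure: a short class name plus the long text that
// Structure::dump() would print. Both are constructed values in this example.
struct Structure {
    std::string className;
    std::string fullDescription;
};

// Hypothetical DumpContext: hands out a short made-up name the first time a
// structure is dumped and remembers it, so the endnote can describe every
// structure exactly once. Names are sequential ("%S0", "%S1", ...), which is
// an assumption of this example, not how JSC derives them.
class DumpContext {
public:
    // Short form used in the main flow of the dump, e.g. "%S0:Array".
    std::string nameFor(const Structure& structure) {
        auto it = m_names.find(&structure);
        if (it == m_names.end()) {
            std::string name = "%S" + std::to_string(m_order.size());
            it = m_names.emplace(&structure, name).first;
            m_order.push_back(&structure);
        }
        return it->second + ":" + structure.className;
    }

    bool isEmpty() const { return m_order.empty(); }

    // The endnote: one line per structure, in first-seen order.
    std::string dump() const {
        std::ostringstream out;
        for (const Structure* structure : m_order)
            out << m_names.at(structure) << ":" << structure->className
                << " = " << structure->fullDescription << "\n";
        return out.str();
    }

private:
    std::map<const Structure*, std::string> m_names;
    std::vector<const Structure*> m_order;
};

// With a context, print only the short name; with a null context, fall back to
// the full description, mirroring what the entry says about Structure::dumpInContext.
std::string dumpInContext(const Structure& structure, DumpContext* context) {
    if (!context)
        return structure.fullDescription;
    return context->nameFor(structure);
}

// Dumps a list of nodes that each check one structure, then the endnote.
std::string dumpNodes(const std::vector<const Structure*>& nodeStructures, DumpContext* context) {
    std::ostringstream out;
    for (std::size_t i = 0; i < nodeStructures.size(); ++i)
        out << "node" << i << ": CheckStructure(" << dumpInContext(*nodeStructures[i], context) << ")\n";
    if (context && !context->isEmpty())
        out << "\nStructures:\n" << context->dump();
    return out.str();
}
```

Passing the same DumpContext through every dumpInContext() call is what keeps the main flow short: a structure referenced by many nodes costs one short name per reference and one full line in the endnote, instead of a full Structure::dump() at every node.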
3343 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3344
3345         fourthTier: DFG should do a high-level LICM before going to FTL
3346         https://bugs.webkit.org/show_bug.cgi?id=118749
3347
3348         Reviewed by Oliver Hunt.
3349         
3350         Implements LICM hoisting for nodes that never write anything and never read
3351         things that are clobbered by the loop. There are some other preconditions for
3352         hoisting, see DFGLICMPhase.cpp.
3353
3354         Also did a few fixes:
3355         
3356         - ClobberSet::add was failing to switch Super entries to Direct entries in
3357           some cases.
3358         
3359         - DFGClobberize.cpp needed to #include "Operations.h".
3360         
3361         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3362         
3363         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3364           Knowing the indexInBlock is an optional optimization that all other clients
3365           of AI still opt into, but LICM doesn't.
3366         
3367         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3368
3369         * JavaScriptCore.xcodeproj/project.pbxproj:
3370         * dfg/DFGAbstractInterpreter.h:
3371         (AbstractInterpreter):
3372         * dfg/DFGAbstractInterpreterInlines.h:
3373         (JSC::DFG::::executeEffects):
3374         (JSC::DFG::::execute):
3375         (DFG):
3376         (JSC::DFG::::clobberWorld):
3377         (JSC::DFG::::clobberStructures):
3378         * dfg/DFGAtTailAbstractState.cpp: Added.
3379         (DFG):
3380         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3381         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3382         (JSC::DFG::AtTailAbstractState::createValueForNode):
3383         (JSC::DFG::AtTailAbstractState::forNode):
3384         * dfg/DFGAtTailAbstractState.h: Added.
3385         (DFG):
3386         (AtTailAbstractState):
3387         (JSC::DFG::AtTailAbstractState::initializeTo):
3388         (JSC::DFG::AtTailAbstractState::forNode):
3389         (JSC::DFG::AtTailAbstractState::variables):
3390         (JSC::DFG::AtTailAbstractState::block):
3391         (JSC::DFG::AtTailAbstractState::isValid):
3392         (JSC::DFG::AtTailAbstractState::setDidClobber):
3393         (JSC::DFG::AtTailAbstractState::setIsValid):
3394         (JSC::DFG::AtTailAbstractState::setBranchDirection):
3395         (JSC::DFG::AtTailAbstractState::setFoundConstants):
3396         (JSC::DFG::AtTailAbstractState::haveStructures):
3397         (JSC::DFG::AtTailAbstractState::setHaveStructures):
3398         * dfg/DFGBasicBlock.h:
3399         (JSC::DFG::BasicBlock::insertBeforeLast):
3400         * dfg/DFGBasicBlockInlines.h:
3401         (DFG):
3402         * dfg/DFGClobberSet.cpp:
3403         (JSC::DFG::ClobberSet::add):
3404         (JSC::DFG::ClobberSet::addAll):
3405         * dfg/DFGClobberize.cpp:
3406         (JSC::DFG::doesWrites):
3407         * dfg/DFGClobberize.h:
3408         (DFG):
3409         * dfg/DFGDCEPhase.cpp:
3410         (JSC::DFG::DCEPhase::DCEPhase):
3411         (JSC::DFG::DCEPhase::run):
3412         (JSC::DFG::DCEPhase::fixupBlock):
3413         (DCEPhase):
3414         * dfg/DFGEdgeDominates.h: Added.
3415         (DFG):
3416         (EdgeDominates):
3417         (JSC::DFG::EdgeDominates::EdgeDominates):
3418         (JSC::DFG::EdgeDominates::operator()):
3419         (JSC::DFG::EdgeDominates::result):
3420         (JSC::DFG::edgesDominate):
3421         * dfg/DFGFixupPhase.cpp:
3422         (JSC::DFG::FixupPhase::fixupNode):
3423         (JSC::DFG::FixupPhase::checkArray):
3424         * dfg/DFGLICMPhase.cpp: Added.
3425         (LICMPhase):
3426         (JSC::DFG::LICMPhase::LICMPhase):
3427         (JSC::DFG::LICMPhase::run):
3428         (JSC::DFG::LICMPhase::attemptHoist):
3429         (DFG):
3430         (JSC::DFG::performLICM):
3431         * dfg/DFGLICMPhase.h: Added.
3432         (DFG):
3433         * dfg/DFGPlan.cpp:
3434         (JSC::DFG::Plan::compileInThreadImpl):
3435
3436 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3437
3438         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
3439         https://bugs.webkit.org/show_bug.cgi?id=118910
3440
3441         Reviewed by Sam Weinig.
3442         
3443         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
3444         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
3445         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
3446         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
3447         create them all up front). FTL AbstractHeaps also don't actually give you the
3448         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
3449         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
3450         They also give you aliasing machinery. The DFG AbstractHeaps are represented
3451         internally by an int64_t. Many comparisons between them are just integer comparisons.
3452         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
3453         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
3454         payload is the direct subtype of its corresponding TOP Kind).
3455         
3456         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
3457         clobbered. It represents the set that results from unifying a bunch of
3458         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
3459         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
3460         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
3461         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
3462         member is equal to it, or if any of its ancestors are equal to a direct member.
3463         
3464         Example #1:
3465         
3466             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
3467               is a subtype of Variables, which is a subtype of World.
3468             - You query Variables. I.e. Variables with a TOP payload, which is the
3469               supertype of Variables(X) for any X, and a subtype of World.
3470             
3471             The set will have Variables(5) as a direct member, and Variables and World as
3472             super members. The Variables query will immediately return true, because
3473             Variables is indeed a super member.
3474         
3475         Example #2:
3476         
3477             - I add Variables(5)
3478             - You query NamedProperties
3479             
3480             NamedProperties is not a member at all (neither direct nor super). We next
3481             query World. World is a member, but it's a super member, so we return false.
3482         
3483         Example #3:
3484         
3485             - I add Variables
3486             - You query Variables(5)
3487             
3488             The set will have Variables as a direct member, and World as a super member.
3489             The Variables(5) query will not find Variables(5) in the set, but then it
3490             will query Variables. Variables is a direct member, so we return true.
3491         
3492         Example #4:
3493         
3494             - I add Variables
3495             - You query NamedProperties(5)
3496             
3497             Neither NamedProperties nor NamedProperties(5) is a member. We next query
3498             World. World is a member, but it's a super member, so we return false.
3499         
3500         Overlap queries require that either the heap being queried is in the set (either
3501         direct or super), or that one of its ancestors is a direct member. Another way to
3502         think about how this works is that two heaps A and B are said to overlap if
3503         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
3504         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
3505         heaps and answers the question, "is any member in the set an ancestor (i.e.
3506         supertype) of some other heap". We would have the set contain the heaps themselves,
3507         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
3508         chain of A, and repeatedly querying its membership in the set. This is what the
3509         "direct" members of our set do. Now consider the other part, where we want to ask if
3510         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
3511         would implement this by implementing set.add(B) as adding not just B but also all of
3512         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
3513         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
3514         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
3515         heap" question. ClobberSet does this, but combines the two sets into a single
3516         HashMap. The HashMap's value, "direct", means that the key is a member of both the
3517         supertype set and the subtype set; if it's false then it's only a member of one of
3518         them.
3519         
3520         Finally, this adds a functorized clobberize() method that adds the read and write
3521         clobbers of a DFG::Node to read and write functors. Common functors for adding to
3522         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
3523         are also provided. This allows you to say things like:
3524         
3525             ClobberSet set;
3526             addWrites(graph, node1, set);
3527             if (readsOverlap(graph, node2, set))
3528                 // We know that node1 may write to something that node2 may read from.
3529         
3530         Currently this facility is only used to improve graph dumping, but it will be
3531         instrumental in both LICM and GVN. In the future, I want to completely kill the
3532         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
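
The AbstractHeap hierarchy and the direct/super ClobberSet described in this entry, as an added example that is not code from the ChangeLog or from JavaScriptCore. Class and method names follow the entry's text; the Kind list, the TOP sentinel, the 8-bit-kind/56-bit-payload encoding and the Node struct with stored read/write lists are assumptions made for illustration (the real clobberize() derives them from the node). The four worked examples from the entry are checked by the tests, as is the ClobberSet::add behaviour named in the LICM entry above: adding a heap that is already present as a super member must upgrade it to a direct member.

```cpp
#include <cstdint>
#include <unordered_map>
#include <vector>

// Kinds of abstract heap. World is the root; every other Kind is its direct
// subtype. Only a few kinds are modelled here (an assumption of this example).
enum class Kind : uint8_t { World = 0, Variables = 1, NamedProperties = 2 };

class AbstractHeap {
public:
    // Sentinel payload meaning TOP, i.e. "every payload of this Kind" (assumption).
    static constexpr int64_t kTop = -1;
    explicit AbstractHeap(Kind kind, int64_t payload = kTop)
        : m_kind(kind), m_payload(kind == Kind::World ? kTop : payload) {}
    bool isTop() const { return m_payload == kTop; }
    bool isWorld() const { return m_kind == Kind::World; }

    // Kind(payload) -> Kind(TOP) -> World. Must not be called on World.
    AbstractHeap supertype() const {
        return isTop() ? AbstractHeap(Kind::World) : AbstractHeap(m_kind, kTop);
    }

    // Single int64_t encoding, used as the hash key: kind in the top byte, payload
    // (including the TOP sentinel) in the low 56 bits. Payloads must fit in 56 bits.
    int64_t encode() const {
        return (static_cast<int64_t>(m_kind) << 56) | (m_payload & 0x00FFFFFFFFFFFFFFLL);
    }
    bool operator==(const AbstractHeap& other) const { return encode() == other.encode(); }

    // Reflexive subtype test: walk this heap's ancestor chain looking for `other`.
    bool isSubtypeOf(const AbstractHeap& other) const {
        for (AbstractHeap h = *this;; h = h.supertype()) {
            if (h == other) return true;
            if (h.isWorld()) return false;
        }
    }

    // Two heaps overlap iff one is a (reflexive) subtype of the other.
    bool overlaps(const AbstractHeap& other) const {
        return isSubtypeOf(other) || other.isSubtypeOf(*this);
    }

private:
    Kind m_kind;
    int64_t m_payload;
};

// Map value true = "direct" member (the heap itself was added); false = "super"
// member (present only as an ancestor of a heap that was added).
class ClobberSet {
public:
    void add(const AbstractHeap& heap) {
        m_map[heap.encode()] = true; // also upgrades an existing super entry to direct
        for (AbstractHeap h = heap; !h.isWorld();) {
            h = h.supertype();
            m_map.emplace(h.encode(), false); // no-op if present, so direct stays direct
        }
    }
    bool isDirect(const AbstractHeap& heap) const {
        auto it = m_map.find(heap.encode());
        return it != m_map.end() && it->second;
    }

    // A heap overlaps the set if it is a member (direct or super) or if one of
    // its ancestors is a direct member; a super-only ancestor does not count.
    bool overlaps(const AbstractHeap& heap) const {
        if (m_map.count(heap.encode())) return true;
        for (AbstractHeap h = heap; !h.isWorld();) {
            h = h.supertype();
            if (isDirect(h)) return true;
        }
        return false;
    }

private:
    std::unordered_map<int64_t, bool> m_map;
};

// Stand-in for a DFG node's clobber information (assumption: stored, not derived).
struct Node {
    std::vector<AbstractHeap> reads;
    std::vector<AbstractHeap> writes;
};

void addWrites(const Node& node, ClobberSet& set) {
    for (const AbstractHeap& h : node.writes) set.add(h);
}

bool readsOverlap(const Node& node, const ClobberSet& set) {
    for (const AbstractHeap& h : node.reads)
        if (set.overlaps(h)) return true;
    return false;
}

// The usage sketched in the entry: may node1 write something that node2 may read?
bool mayWriteWhatOtherReads(const Node& node1, const Node& node2) {
    ClobberSet set;
    addWrites(node1, set);
    return readsOverlap(node2, set);
}
```

The asymmetry in overlaps() is the whole point of the direct/super split: a super-only World entry is present in every non-empty set, so treating it as a hit would make every query overlap, which is why examples 2 and 4 return false while examples 1 and 3 return true.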
3533         of accomplishing almost exactly what AbstractHeap gives you.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.cpp: Added.
        (DFG):
        (JSC::DFG::AbstractHeap::Payload::dump):
        (JSC::DFG::AbstractHeap::dump):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGAbstractHeap.h: Added.
        (DFG):
        (AbstractHeap):
        (Payload):
        (JSC::DFG::AbstractHeap::Payload::Payload):
        (JSC::DFG::AbstractHeap::Payload::top):
        (JSC::DFG::AbstractHeap::Payload::isTop):
        (JSC::DFG::AbstractHeap::Payload::value):
        (JSC::DFG::AbstractHeap::Payload::valueImpl):
        (JSC::DFG::AbstractHeap::Payload::operator==):
        (JSC::DFG::AbstractHeap::Payload::operator!=):
        (JSC::DFG::AbstractHeap::Payload::operator<):
        (JSC::DFG::AbstractHeap::Payload::isDisjoint):
        (JSC::DFG::AbstractHeap::Payload::overlaps):
        (JSC::DFG::AbstractHeap::AbstractHeap):
        (JSC::DFG::AbstractHeap::operator!):
        (JSC::DFG::AbstractHeap::kind):
        (JSC::DFG::AbstractHeap::payload):
        (JSC::DFG::AbstractHeap::isDisjoint):
        (JSC::DFG::AbstractHeap::overlaps):
        (JSC::DFG::AbstractHeap::supertype):
        (JSC::DFG::AbstractHeap::hash):
        (JSC::DFG::AbstractHeap::operator==):
        (JSC::DFG::AbstractHeap::operator!=):
        (JSC::DFG::AbstractHeap::operator<):
        (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
        (JSC::DFG::AbstractHeap::payloadImpl):
        (JSC::DFG::AbstractHeap::encode):
        (JSC::DFG::AbstractHeapHash::hash):
        (JSC::DFG::AbstractHeapHash::equal):
        (AbstractHeapHash):
        (WTF):
        * dfg/DFGClobberSet.cpp: Added.
        (DFG):
        (JSC::DFG::ClobberSet::ClobberSet):
        (JSC::DFG::ClobberSet::~ClobberSet):
        (JSC::DFG::ClobberSet::add):
        (JSC::DFG::ClobberSet::addAll):
        (JSC::DFG::ClobberSet::contains):
        (JSC::DFG::ClobberSet::overlaps):
        (JSC::DFG::ClobberSet::clear):
        (JSC::DFG::ClobberSet::direct):
        (JSC::DFG::ClobberSet::super):
        (JSC::DFG::ClobberSet::dump):
        (JSC::DFG::ClobberSet::setOf):
        (JSC::DFG::addReads):
        (JSC::DFG::addWrites):
        (JSC::DFG::addReadsAndWrites):
        (JSC::DFG::readsOverlap):
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberSet.h: Added.
        (DFG):
        (ClobberSet):
        (JSC::DFG::ClobberSet::isEmpty):
        (ClobberSetAdd):
        (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
        (JSC::DFG::ClobberSetAdd::operator()):
        (ClobberSetOverlaps):
        (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        (JSC::DFG::ClobberSetOverlaps::result):
        * dfg/DFGClobberize.cpp: Added.
        (DFG):
        (JSC::DFG::didWrites):
        * dfg/DFGClobberize.h: Added.
        (DFG):
        (JSC::DFG::clobberize):
        (NoOpClobberize):
        (JSC::DFG::NoOpClobberize::NoOpClobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (CheckClobberize):
        (JSC::DFG::CheckClobberize::CheckClobberize):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::CheckClobberize::result):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

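The single-HashMap scheme described in the entry above, as an added, self-contained model (not JavaScriptCore's own DFGClobberSet code): it assumes a three-level hierarchy World > (kind, Top) > (kind, payload), and the Kind names, TopPayload and writeSetQuery are constructed for the example.

```cpp
// Added example, not JavaScriptCore's own code: a small model of the ClobberSet
// scheme described above. Assumed hierarchy: World > (kind, Top) > (kind, payload).
#include <cstdint>
#include <functional>
#include <limits>
#include <unordered_map>
#include <utility>
enum class Kind : std::uint8_t { World, NamedProperties, IndexedProperties, Variables };
constexpr std::int64_t TopPayload = std::numeric_limits<std::int64_t>::min(); // "any payload"
struct AbstractHeap {
    Kind kind;
    std::int64_t payload;
    bool operator==(const AbstractHeap& o) const { return kind == o.kind && payload == o.payload; }
    // Parent in the hierarchy: a concrete payload generalises to Top, Top to World.
    AbstractHeap supertype() const {
        return payload != TopPayload ? AbstractHeap{ kind, TopPayload }
                                     : AbstractHeap{ Kind::World, TopPayload };
    }
};
struct HeapHash {
    size_t operator()(const AbstractHeap& h) const {
        return std::hash<std::int64_t>()(h.payload) * 31 + static_cast<size_t>(h.kind);
    }
};
// One HashMap standing in for both sets: value true = direct member (in the subtype
// and supertype sets), false = present only because a descendant was added.
class ClobberSet {
public:
    void add(AbstractHeap heap) {
        auto result = m_clobbers.insert({ heap, true });
        if (!result.second) {
            if (result.first->second) return;   // already direct; ancestors are in place
            result.first->second = true;        // promote indirect -> direct
        }
        while (heap.kind != Kind::World) {      // record every ancestor as indirect
            heap = heap.supertype();
            if (!m_clobbers.insert({ heap, false }).second) return; // rest already added
        }
    }
    bool contains(AbstractHeap heap) const {    // direct membership only
        auto it = m_clobbers.find(heap);
        return it != m_clobbers.end() && it->second;
    }
    // Overlap: some member lies at or below heap (heap is in the map, directly or as
    // an ancestor of a member), or a direct member is an ancestor of heap.
    bool overlaps(AbstractHeap heap) const {
        if (m_clobbers.find(heap) != m_clobbers.end()) return true;
        while (heap.kind != Kind::World) {
            heap = heap.supertype();
            if (contains(heap)) return true;
        }
        return false;
    }
private:
    std::unordered_map<AbstractHeap, bool, HeapHash> m_clobbers;
};
// Treat `written` as node1's write set and ask about node2 reading `read`; returns
// (direct membership, overlap), mirroring the addWrites / readsOverlap pattern above.
std::pair<bool, bool> writeSetQuery(AbstractHeap written, AbstractHeap read) {
    ClobberSet writes;
    writes.add(written);
    return { writes.contains(read), writes.overlaps(read) };
}
```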
2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: It should be easy to figure out which blocks nodes belong to
        https://bugs.webkit.org/show_bug.cgi?id=118957

        Reviewed by Sam Weinig.

        * dfg/DFGGraph.cpp:
        (DFG):
        (JSC::DFG::Graph::initializeNodeOwners):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:

2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
        https://bugs.webkit.org/show_bug.cgi?id=118956

        Reviewed by Sam Weinig.

        We had two ways of expressing that something exits forward: the NodeExitsForward
        flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
        makes it just be a flag.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::hasArrayMode):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        (DFG):
        (JSC::DFG::needsOSRForwardRewiring):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
        https://bugs.webkit.org/show_bug.cgi?id=118946

        Reviewed by Geoffrey Garen.

        We want to decouple the exit target code origin of a node from the code origin
        for all other purposes. The purposes of code origins are:

        - Where the node will exit, if it exits. The exit target should be consistent with
          the surrounding nodes, in that if you just looked at the code origins of nodes in
          the graph, they would be consistent with the code origins in bytecode. This is
          necessary for live-at-bytecode analyses to work, and to preserve the original
          bytecode semantics when exiting.

        - What kind of code the node came from, for semantics thingies. For example, we
          might use the code origin to find the node's global object for doing an original
          array check. Or we might use it to determine if the code is in strict mode. Or
          other similar things. When we use the code origin in this way, we're basically
          using it as a way of describing the node's meta-data without putting it into the
          node directly, to save space. In the absurd extreme you could imagine nodes not
          even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
          what bytecode the node originated from. We won't do that, but you can think of
          this use of code origins as just a way of compressing meta-data.

        - What code origin we should supply profiling to, if we exit. This is closely
          related to the semantics thingies, in that the exit profiling is a persistent
          kind of semantic meta-data that survives between recompiles, and the only way to
          do that is to ascribe it to the original bytecode via the code origin.

        If we hoist a node, we need to change the exit target code origin, but we must not
        change the code origin for other purposes. The best way to do this is to decouple
        the two kinds of code origin.

        OSR exit data structures already do this, because they may edit the exit target
        code origin while keeping the code origin for profiling intact. This happens for
        forward exits. So, we just need to thread separation all the way back to DFG::Node.
        That's what this patch does.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (Node):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (LowerDFGToLLVM):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::OSRExit):
        * ftl/FTLOSRExit.h:
        (OSRExit):

2013-07-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
        https://bugs.webkit.org/show_bug.cgi?id=118866

        Reviewed by Sam Weinig.

        Adds a safeToExecute() method that takes a node and an abstract state and tells you
        if the node will run without crashing under that state.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGCFAPhase.cpp:
        (CFAPhase):
        (JSC::DFG::CFAPhase::CFAPhase):
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGSafeToExecute.h: Added.
        (DFG):
        (SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::SafeToExecuteEdge::result):
        (JSC::DFG::safeToExecute):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::isValidOffset):
        (StructureAbstractValue):
        * runtime/Options.h:
        (JSC):

2013-07-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=118948

        Reviewed by Sam Weinig.

        - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
          This allows doing "what if" experiments with IR generation, even if the generated IR
          can't yet execute.

        - Add an OSR exit path that just calls an intrinsic that combines the branch and the
          off-ramp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLFail.cpp: Added.
        (FTL):
        (JSC::FTL::fail):
        * ftl/FTLFail.h: Added.
        (FTL):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * runtime/Options.h:
        (JSC):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: StringObjectUse uses structures, and CSE should know that
        https://bugs.webkit.org/show_bug.cgi?id=118940

        Reviewed by Geoffrey Garen.

        This is asymptomatic right now, but we should fix it.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGEdgeUsesStructure.h: Added.
        (DFG):
        (EdgeUsesStructure):
        (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
        (JSC::DFG::EdgeUsesStructure::operator()):
        (JSC::DFG::EdgeUsesStructure::result):
        (JSC::DFG::edgesUseStructure):
        * dfg/DFGUseKind.h:
        (DFG):
        (JSC::DFG::usesStructure):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: String GetByVal out-of-bounds handling is so wrong
        https://bugs.webkit.org/show_bug.cgi?id=118935

        Reviewed by Geoffrey Garen.

        Bunch of String GetByVal out-of-bounds fixes:

        - Even if the string proto chain is sane, we need to watch out for negative
          indices. They may get values or call getters in the prototypes, since proto
          sanity doesn't check for negative indexed properties, as they are not
          technically indexed properties.

        - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
          given this information.

        - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
          given this information.

        Also fixed some other things:

        - If the DFG is disabled, the testRunner should pretend that we've done a
          bunch of DFG compiles. That's necessary to prevent the tests from timing
          out.

        - Disassembler shouldn't try to dump source code since it's not safe in the
          concurrent JIT.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
        (DFG):
        (SaneStringGetByValSlowPathGenerator):
        (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
        (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
        https://bugs.webkit.org/show_bug.cgi?id=118911

        Reviewed by Geoffrey Garen.

        We could also have a separate method like "willNotCrash(offset)", but that's not
        what isValidOffset() is intended to mean.

        * runtime/Structure.h:
        (JSC::Structure::isValidOffset):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
        https://bugs.webkit.org/show_bug.cgi?id=118878

        Reviewed by Oliver Hunt.

        - Change Structure::isValidOffset() to actually answer the question "If I attempted
          to load from an object of this structure, at this offset, would I commit suicide
          or would I get back some kind of value?"

        - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
          way from the start.

        - Fix PutStructure so that it sets haveStructures in all of the cases that it should.

        - Make GetByOffset also reference the base object in addition to the butterfly.

        The future use of this power will be to answer questions like "If I hoisted this
        GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
        fine?"

        I don't currently plan to use this power to perform validation, since the CSE has
        the power to eliminate CheckStructures that the CFA wouldn't be smart enough to
        remove - both in the case of StructureSets where size >= 2 and in the case of
        CheckStructures that match across PutStructures. At first I tried to write a
        validator that was aware of this, but the validation code got way too complicated
        and I started having nightmares of spurious assertion bugs being filed against me.

        This also changes some of the code for how we hash FunctionExecutables for debug
        dumps, since that code still had some thread-safety issues. Basically, the
        concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
        that could transitively try to compute the hash from the source code. The source
        code is a string that may be lazily computed, and that involves all manner of thread
        unsafe things.

        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hash):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handlePutByOffset):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
3945         * dfg/DFGConstantFoldingPhase.cpp:
3946         (JSC::DFG::ConstantFoldingPhase::foldConstants):