[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-15  Julien Brianceau  <jbrianceau@nds.com>

        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
        https://bugs.webkit.org/show_bug.cgi?id=119794

        Reviewed by Filip Pizlo.

        This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.

        Rubber stamped by Oliver Hunt.

        This was causing some test crashes for me.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Clear up improper export declaration.

        * runtime/ArrayBufferView.h:

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove some unnecessary periods from exceptions.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-14  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should be rewritten
        https://bugs.webkit.org/show_bug.cgi?id=119064

        Reviewed by Oliver Hunt.

        Typed arrays were previously deficient in several major ways:

        - They were defined separately in WebCore and in the jsc shell. The two
          implementations were different, and the jsc shell one was basically wrong.
          The WebCore one was quite awful, also.

        - Typed arrays were not visible to the JIT except through some weird hooks.
          For example, the JIT could not ask "what is the Structure that this typed
          array would have if I just allocated it from this global object". Also,
          it was difficult to wire any of the typed array intrinsics, because most
          of the functionality wasn't visible anywhere in JSC.

        - Typed array allocation was brain-dead. Allocating a typed array involved
          two JS objects, two GC weak handles, and three malloc allocations.

        - Neutering. It involved keeping tabs on all native views but not the view
          wrappers, even though the native views can autoneuter just by asking the
          buffer if it was neutered anytime you touch them; while the JS view
          wrappers are the ones that you really want to reach out to.

        - Common case-ing. Most typed arrays have one buffer and one view, and
          usually nobody touches the buffer. Yet we created all of that stuff
          anyway, using data structures optimized for the case where you had a lot
          of views.

        - Semantic goofs. Typed arrays should, in the future, behave like ES
          features rather than DOM features, for example when it comes to exceptions.
          Firefox already does this and I agree with them.

        This patch cleanses our codebase of these sins:

        - Typed arrays are almost entirely defined in JSC. Only the lifecycle
          management of native references to buffers is left to WebCore.

        - Allocating a typed array requires either two GC allocations (a cell and a
          copied storage vector) or one GC allocation, a malloc allocation, and a
          weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
          latter). The latter is only used for oversize arrays. Remember that before
          it was 7 allocations no matter what.

        - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
          mode/length, void* vector. Before it was a lot more than that - remember,
          there were five additional objects that did absolutely nothing for anybody.

        - Native views aren't tracked by the buffer, or by the wrappers. They are
          transient. In the future we'll probably switch to not even having them be
          malloc'd.

        - Native array buffers have an efficient way of tracking all of their JS view
          wrappers, both for neutering, and for lifecycle management. The GC
          special-cases native array buffers. This saves a bunch of grief; for example
          it means that a JS view wrapper can refer to its buffer via the butterfly,
          which would be dead by the time we went to finalize.

        - Typed array semantics now match Firefox, which also happens to be where the
          standards are going. The discussion on webkit-dev seemed to confirm that
          Chrome is also heading in this direction. This includes making
          Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
          ArrayBufferView as a JS-visible construct.

        This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
        It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
        further typed array optimizations in the JSC JITs, including inlining typed
        array allocation, inlining more of the accessors, reducing the cost of type
        checks, etc.

        An additional property of this patch is that typed arrays are mostly
        implemented using templates. This deduplicates a bunch of code, but does mean
        that we need some hacks for exporting s_info's of template classes. See
        JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
        low-impact compared to code duplication.

        Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForClassInfo):
        (JSC::jitArrayModeForClassInfo):
        (JSC::typedArrayTypeForJITArrayMode):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toTypedArrayType):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::typedArrayType):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CopyToken.h:
        * heap/DeferGC.h:
        (JSC::DeferGCForAWhile::DeferGCForAWhile):
        (JSC::DeferGCForAWhile::~DeferGCForAWhile):
        * heap/GCIncomingRefCounted.h: Added.
        (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
        (JSC::GCIncomingRefCounted::incomingReferenceAt):
        (JSC::GCIncomingRefCounted::singletonFlag):
        (JSC::GCIncomingRefCounted::hasVectorOfCells):
        (JSC::GCIncomingRefCounted::hasAnyIncoming):
        (JSC::GCIncomingRefCounted::hasSingleton):
        (JSC::GCIncomingRefCounted::singleton):
        (JSC::GCIncomingRefCounted::vectorOfCells):
        * heap/GCIncomingRefCountedInlines.h: Added.
        (JSC::::addIncomingReference):
        (JSC::::filterIncomingReferences):
        * heap/GCIncomingRefCountedSet.h: Added.
        (JSC::GCIncomingRefCountedSet::size):
        * heap/GCIncomingRefCountedSetInlines.h: Added.
        (JSC::::GCIncomingRefCountedSet):
        (JSC::::~GCIncomingRefCountedSet):
        (JSC::::addReference):
        (JSC::::sweep):
        (JSC::::removeAll):
        (JSC::::removeDead):
        * heap/Heap.cpp:
        (JSC::Heap::addReference):
        (JSC::Heap::extraSize):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        * heap/Heap.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::dataViewTable):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::transfer):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::ArrayBuffer):
        (JSC::ArrayBuffer::gcSizeEstimateInBytes):
        (JSC::ArrayBuffer::pin):
        (JSC::ArrayBuffer::unpin):
        (JSC::ArrayBufferContents::tryAllocate):
        * runtime/ArrayBufferView.cpp:
        (JSC::ArrayBufferView::ArrayBufferView):
        (JSC::ArrayBufferView::~ArrayBufferView):
        (JSC::ArrayBufferView::setNeuterable):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::isNeutered):
        (JSC::ArrayBufferView::buffer):
        (JSC::ArrayBufferView::baseAddress):
        (JSC::ArrayBufferView::byteOffset):
        (JSC::ArrayBufferView::verifySubRange):
        (JSC::ArrayBufferView::clampOffsetAndNumElements):
        (JSC::ArrayBufferView::calculateOffsetAndLength):
        * runtime/ClassInfo.h:
        * runtime/CommonIdentifiers.h:
        * runtime/DataView.cpp: Added.
        (JSC::DataView::DataView):
        (JSC::DataView::create):
        (JSC::DataView::wrap):
        * runtime/DataView.h: Added.
        (JSC::DataView::byteLength):
        (JSC::DataView::getType):
        (JSC::DataView::get):
        (JSC::DataView::set):
        * runtime/Float32Array.h:
        * runtime/Float64Array.h:
        * runtime/GenericTypedArrayView.h: Added.
        (JSC::GenericTypedArrayView::data):
        (JSC::GenericTypedArrayView::set):
        (JSC::GenericTypedArrayView::setRange):
        (JSC::GenericTypedArrayView::zeroRange):
        (JSC::GenericTypedArrayView::zeroFill):
        (JSC::GenericTypedArrayView::length):
        (JSC::GenericTypedArrayView::byteLength):
        (JSC::GenericTypedArrayView::item):
        (JSC::GenericTypedArrayView::checkInboundData):
        (JSC::GenericTypedArrayView::getType):
        * runtime/GenericTypedArrayViewInlines.h: Added.
        (JSC::::GenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::subarray):
        (JSC::::wrap):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::arrayBuffer):
        (JSC::IndexingHeader::setArrayBuffer):
        * runtime/Int16Array.h:
        * runtime/Int32Array.h:
        * runtime/Int8Array.h:
        * runtime/JSArrayBuffer.cpp: Added.
        (JSC::JSArrayBuffer::JSArrayBuffer):
        (JSC::JSArrayBuffer::finishCreation):
        (JSC::JSArrayBuffer::create):
        (JSC::JSArrayBuffer::createStructure):
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        (JSC::JSArrayBuffer::deleteProperty):
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.h: Added.
        (JSC::JSArrayBuffer::impl):
        (JSC::toArrayBuffer):
        * runtime/JSArrayBufferConstructor.cpp: Added.
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::JSArrayBufferConstructor::create):
        (JSC::JSArrayBufferConstructor::createStructure):
        (JSC::constructArrayBuffer):
        (JSC::JSArrayBufferConstructor::getConstructData):
        (JSC::JSArrayBufferConstructor::getCallData):
        * runtime/JSArrayBufferConstructor.h: Added.
        * runtime/JSArrayBufferPrototype.cpp: Added.
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
        (JSC::JSArrayBufferPrototype::finishCreation):
        (JSC::JSArrayBufferPrototype::create):
        (JSC::JSArrayBufferPrototype::createStructure):
        * runtime/JSArrayBufferPrototype.h: Added.
        * runtime/JSArrayBufferView.cpp: Added.
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finishCreation):
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
        (JSC::JSArrayBufferView::put):
        (JSC::JSArrayBufferView::defineOwnProperty):
        (JSC::JSArrayBufferView::deleteProperty):
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSArrayBufferView.h: Added.
        (JSC::JSArrayBufferView::sizeOf):
        (JSC::JSArrayBufferView::ConstructionContext::operator!):
        (JSC::JSArrayBufferView::ConstructionContext::structure):
        (JSC::JSArrayBufferView::ConstructionContext::vector):
        (JSC::JSArrayBufferView::ConstructionContext::length):
        (JSC::JSArrayBufferView::ConstructionContext::mode):
        (JSC::JSArrayBufferView::ConstructionContext::butterfly):
        (JSC::JSArrayBufferView::mode):
        (JSC::JSArrayBufferView::vector):
        (JSC::JSArrayBufferView::length):
        (JSC::JSArrayBufferView::offsetOfVector):
        (JSC::JSArrayBufferView::offsetOfLength):
        (JSC::JSArrayBufferView::offsetOfMode):
        * runtime/JSArrayBufferViewInlines.h: Added.
        (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::impl):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        (JSC::JSCell::getTypedArrayImpl):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp: Added.
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::createUninitialized):
        (JSC::JSDataView::set):
        (JSC::JSDataView::typedImpl):
        (JSC::JSDataView::getOwnPropertySlot):
        (JSC::JSDataView::getOwnPropertyDescriptor):
        (JSC::JSDataView::slowDownAndWasteMemory):
        (JSC::JSDataView::getTypedArrayImpl):
        (JSC::JSDataView::createStructure):
        * runtime/JSDataView.h: Added.
        * runtime/JSDataViewPrototype.cpp: Added.
        (JSC::JSDataViewPrototype::JSDataViewPrototype):
        (JSC::JSDataViewPrototype::create):
        (JSC::JSDataViewPrototype::createStructure):
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoFuncGetInt8):
        (JSC::dataViewProtoFuncGetInt16):
        (JSC::dataViewProtoFuncGetInt32):
        (JSC::dataViewProtoFuncGetUint8):
        (JSC::dataViewProtoFuncGetUint16):
        (JSC::dataViewProtoFuncGetUint32):
        (JSC::dataViewProtoFuncGetFloat32):
        (JSC::dataViewProtoFuncGetFloat64):
        (JSC::dataViewProtoFuncSetInt8):
        (JSC::dataViewProtoFuncSetInt16):
        (JSC::dataViewProtoFuncSetInt32):
        (JSC::dataViewProtoFuncSetUint8):
        (JSC::dataViewProtoFuncSetUint16):
        (JSC::dataViewProtoFuncSetUint32):
        (JSC::dataViewProtoFuncSetFloat32):
        (JSC::dataViewProtoFuncSetFloat64):
        * runtime/JSDataViewPrototype.h: Added.
        * runtime/JSFloat32Array.h: Added.
        * runtime/JSFloat64Array.h: Added.
        * runtime/JSGenericTypedArrayView.h: Added.
        (JSC::JSGenericTypedArrayView::byteLength):
        (JSC::JSGenericTypedArrayView::byteSize):
        (JSC::JSGenericTypedArrayView::typedVector):
        (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
        (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
        (JSC::JSGenericTypedArrayView::getIndexQuickly):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
        (JSC::JSGenericTypedArrayView::setIndexQuickly):
        (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
        (JSC::JSGenericTypedArrayView::typedImpl):
        (JSC::JSGenericTypedArrayView::createStructure):
        (JSC::JSGenericTypedArrayView::info):
        (JSC::toNativeTypedView):
        * runtime/JSGenericTypedArrayViewConstructor.h: Added.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
        (JSC::::JSGenericTypedArrayViewConstructor):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        (JSC::constructGenericTypedArrayView):
        (JSC::::getConstructData):
        (JSC::::getCallData):
        * runtime/JSGenericTypedArrayViewInlines.h: Added.
        (JSC::::JSGenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::validateRange):
        (JSC::::setWithSpecificType):
        (JSC::::set):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::defineOwnProperty):
        (JSC::::deleteProperty):
        (JSC::::getOwnPropertySlotByIndex):
        (JSC::::putByIndex):
        (JSC::::deletePropertyByIndex):
        (JSC::::getOwnNonIndexPropertyNames):
        (JSC::::getOwnPropertyNames):
        (JSC::::visitChildren):
        (JSC::::copyBackingStore):
        (JSC::::slowDownAndWasteMemory):
        (JSC::::getTypedArrayImpl):
        * runtime/JSGenericTypedArrayViewPrototype.h: Added.
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::::JSGenericTypedArrayViewPrototype):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype):
        (JSC::JSGlobalObject::arrayBufferStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        * runtime/JSInt16Array.h: Added.
        * runtime/JSInt32Array.h: Added.
        * runtime/JSInt8Array.h: Added.
        * runtime/JSTypedArrayConstructors.cpp: Added.
        * runtime/JSTypedArrayConstructors.h: Added.
        * runtime/JSTypedArrayPrototypes.cpp: Added.
        * runtime/JSTypedArrayPrototypes.h: Added.
        * runtime/JSTypedArrays.cpp: Added.
        * runtime/JSTypedArrays.h: Added.
        * runtime/JSUint16Array.h: Added.
        * runtime/JSUint32Array.h: Added.
        * runtime/JSUint8Array.h: Added.
        * runtime/JSUint8ClampedArray.h: Added.
        * runtime/Operations.h:
        * runtime/Options.h:
        * runtime/SimpleTypedArrayController.cpp: Added.
        (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::toJS):
        * runtime/SimpleTypedArrayController.h: Added.
        * runtime/Structure.h:
        (JSC::Structure::couldHaveIndexingHeader):
        * runtime/StructureInlines.h:
        (JSC::Structure::hasIndexingHeader):
        * runtime/TypedArrayAdaptors.h: Added.
        (JSC::IntegralTypedArrayAdaptor::toNative):
        (JSC::IntegralTypedArrayAdaptor::toJSValue):
        (JSC::IntegralTypedArrayAdaptor::toDouble):
        (JSC::FloatTypedArrayAdaptor::toNative):
        (JSC::FloatTypedArrayAdaptor::toJSValue):
        (JSC::FloatTypedArrayAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::toNative):
        (JSC::Uint8ClampedAdaptor::toJSValue):
        (JSC::Uint8ClampedAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::clamp):
        * runtime/TypedArrayController.cpp: Added.
        (JSC::TypedArrayController::TypedArrayController):
        (JSC::TypedArrayController::~TypedArrayController):
        * runtime/TypedArrayController.h: Added.
        * runtime/TypedArrayDescriptor.h: Removed.
        * runtime/TypedArrayInlines.h: Added.
        * runtime/TypedArrayType.cpp: Added.
        (JSC::classInfoForType):
        (WTF::printInternal):
        * runtime/TypedArrayType.h: Added.
        (JSC::toIndex):
        (JSC::isTypedView):
        (JSC::elementSize):
        (JSC::isInt):
        (JSC::isFloat):
        (JSC::isSigned):
        (JSC::isClamped):
        * runtime/TypedArrays.h: Added.
        * runtime/Uint16Array.h:
        * runtime/Uint32Array.h:
        * runtime/Uint8Array.h:
        * runtime/Uint8ClampedArray.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-15  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure

        Reviewed by Filip Pizlo.

        Make sure dfgCapabilities doesn't report a Dynamic put as
        being compilable when we don't actually support it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=119847

        Reviewed by Oliver Hunt.

        * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
        * runtime/ArrayBufferView.h: Ditto.

2013-08-15  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119843
        PropertySlot::setValue is ambiguous

        Reviewed by Geoff Garen.

        There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
        The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
        Unify on always providing the object, and remove the version that just takes a value.
        This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
        Provide a version of setValue that takes a JSString as the owner of the property.
        We won't store this, but it makes it clear that this interface should only be used from JSString.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * JSCTypedArrayStubs.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass object containing property to PropertySlot::setValue
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
            - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
        (JSC::PropertySlot::setUndefined):
            - removed setValue(JSValue), added setValue(JSString*, JSValue)

2013-08-15  Oliver Hunt  <oliver@apple.com>

        Remove bogus assertion.

        RS=Filip Pizlo

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        REGRESSION(r148790) Made 7 tests fail on x86 32bit
        https://bugs.webkit.org/show_bug.cgi?id=114913

        Reviewed by Filip Pizlo.

        The X87 register was not freed before some calls. Instead
        of inserting resetX87Registers to the last call sites,
        the two X87 registers are now freed in every call.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-08-14  Michael Saboff  <msaboff@apple.com>

        Fixed jit on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=119601

        Reviewed by Oliver Hunt.

        * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
        * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.

2013-08-14  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 with jit disabled.
        https://bugs.webkit.org/show_bug.cgi?id=119804

        Reviewed by Michael Saboff.

        * offlineasm/cloop.rb: Added std:: before isnan.

2013-08-14  Julien Brianceau  <jbrianceau@nds.com>

        DFG_JIT implementation for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=119737

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::invert):
        (JSC::MacroAssemblerSH4::add32):
        (JSC::MacroAssemblerSH4::and32):
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::mul32):
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::rshift32):
        (JSC::MacroAssemblerSH4::sub32):
        (JSC::MacroAssemblerSH4::xor32):
        (JSC::MacroAssemblerSH4::store32):
        (JSC::MacroAssemblerSH4::swapDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        (JSC::MacroAssemblerSH4::subDouble):
        (JSC::MacroAssemblerSH4::mulDouble):
        (JSC::MacroAssemblerSH4::divDouble):
        (JSC::MacroAssemblerSH4::negateDouble):
        (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
        (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::swap):
        (JSC::MacroAssemblerSH4::jump):
        (JSC::MacroAssemblerSH4::branchNeg32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::urshift32):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::SH4Assembler):
        (JSC::SH4Assembler::labelForWatchpoint):
        (JSC::SH4Assembler::label):
        (JSC::SH4Assembler::debugOffset):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITStubs.h:
        * jit/JITStubsSH4.h:

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * API/JSValue.mm:
        (isDate):
        (isArray):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapBlock):

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
        https://bugs.webkit.org/show_bug.cgi?id=119770

        Reviewed by Mark Hahnenberg.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * JSCTypedArrayStubs.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
726         (JSC::DebuggerActivation::createStructure):
727         * debugger/DebuggerCallFrame.cpp:
728         (JSC::DebuggerCallFrame::functionName):
729         * dfg/DFGAbstractInterpreterInlines.h:
730         (JSC::DFG::::executeEffects):
731         * dfg/DFGByteCodeParser.cpp:
732         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
733         (JSC::DFG::ByteCodeParser::parseBlock):
734         * dfg/DFGFixupPhase.cpp:
735         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
736         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
737         * dfg/DFGGraph.cpp:
738         (JSC::DFG::Graph::dump):
739         * dfg/DFGGraph.h:
740         (JSC::DFG::Graph::isInternalFunctionConstant):
741         * dfg/DFGOperations.cpp:
742         * dfg/DFGSpeculativeJIT.cpp:
743         (JSC::DFG::SpeculativeJIT::checkArray):
744         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
745         * dfg/DFGThunks.cpp:
746         (JSC::DFG::virtualForThunkGenerator):
747         * interpreter/Interpreter.cpp:
748         (JSC::loadVarargs):
749         * jsc.cpp:
750         (GlobalObject::createStructure):
751         * profiler/LegacyProfiler.cpp:
752         (JSC::LegacyProfiler::createCallIdentifier):
753         * runtime/Arguments.cpp:
754         (JSC::Arguments::visitChildren):
755         * runtime/Arguments.h:
756         (JSC::Arguments::createStructure):
757         (JSC::asArguments):
758         (JSC::Arguments::finishCreation):
759         * runtime/ArrayConstructor.cpp:
760         (JSC::arrayConstructorIsArray):
761         * runtime/ArrayConstructor.h:
762         (JSC::ArrayConstructor::createStructure):
763         * runtime/ArrayPrototype.cpp:
764         (JSC::ArrayPrototype::finishCreation):
765         (JSC::arrayProtoFuncConcat):
766         (JSC::attemptFastSort):
767         * runtime/ArrayPrototype.h:
768         (JSC::ArrayPrototype::createStructure):
769         * runtime/BooleanConstructor.h:
770         (JSC::BooleanConstructor::createStructure):
771         * runtime/BooleanObject.cpp:
772         (JSC::BooleanObject::finishCreation):
773         * runtime/BooleanObject.h:
774         (JSC::BooleanObject::createStructure):
775         (JSC::asBooleanObject):
776         * runtime/BooleanPrototype.cpp:
777         (JSC::BooleanPrototype::finishCreation):
778         (JSC::booleanProtoFuncToString):
779         (JSC::booleanProtoFuncValueOf):
780         * runtime/BooleanPrototype.h:
781         (JSC::BooleanPrototype::createStructure):
782         * runtime/DateConstructor.cpp:
783         (JSC::constructDate):
784         * runtime/DateConstructor.h:
785         (JSC::DateConstructor::createStructure):
786         * runtime/DateInstance.cpp:
787         (JSC::DateInstance::finishCreation):
788         * runtime/DateInstance.h:
789         (JSC::DateInstance::createStructure):
790         (JSC::asDateInstance):
791         * runtime/DatePrototype.cpp:
792         (JSC::formateDateInstance):
793         (JSC::DatePrototype::finishCreation):
794         (JSC::dateProtoFuncToISOString):
795         (JSC::dateProtoFuncToLocaleString):
796         (JSC::dateProtoFuncToLocaleDateString):
797         (JSC::dateProtoFuncToLocaleTimeString):
798         (JSC::dateProtoFuncGetTime):
799         (JSC::dateProtoFuncGetFullYear):
800         (JSC::dateProtoFuncGetUTCFullYear):
801         (JSC::dateProtoFuncGetMonth):
802         (JSC::dateProtoFuncGetUTCMonth):
803         (JSC::dateProtoFuncGetDate):
804         (JSC::dateProtoFuncGetUTCDate):
805         (JSC::dateProtoFuncGetDay):
806         (JSC::dateProtoFuncGetUTCDay):
807         (JSC::dateProtoFuncGetHours):
808         (JSC::dateProtoFuncGetUTCHours):
809         (JSC::dateProtoFuncGetMinutes):
810         (JSC::dateProtoFuncGetUTCMinutes):
811         (JSC::dateProtoFuncGetSeconds):
812         (JSC::dateProtoFuncGetUTCSeconds):
813         (JSC::dateProtoFuncGetMilliSeconds):
814         (JSC::dateProtoFuncGetUTCMilliseconds):
815         (JSC::dateProtoFuncGetTimezoneOffset):
816         (JSC::dateProtoFuncSetTime):
817         (JSC::setNewValueFromTimeArgs):
818         (JSC::setNewValueFromDateArgs):
819         (JSC::dateProtoFuncSetYear):
820         (JSC::dateProtoFuncGetYear):
821         * runtime/DatePrototype.h:
822         (JSC::DatePrototype::createStructure):
823         * runtime/Error.h:
824         (JSC::StrictModeTypeErrorFunction::createStructure):
825         * runtime/ErrorConstructor.h:
826         (JSC::ErrorConstructor::createStructure):
827         * runtime/ErrorInstance.cpp:
828         (JSC::ErrorInstance::finishCreation):
829         * runtime/ErrorInstance.h:
830         (JSC::ErrorInstance::createStructure):
831         * runtime/ErrorPrototype.cpp:
832         (JSC::ErrorPrototype::finishCreation):
833         * runtime/ErrorPrototype.h:
834         (JSC::ErrorPrototype::createStructure):
835         * runtime/ExceptionHelpers.cpp:
836         (JSC::isTerminatedExecutionException):
837         * runtime/ExceptionHelpers.h:
838         (JSC::TerminatedExecutionError::createStructure):
839         * runtime/Executable.cpp:
840         (JSC::EvalExecutable::visitChildren):
841         (JSC::ProgramExecutable::visitChildren):
842         (JSC::FunctionExecutable::visitChildren):
843         (JSC::ExecutableBase::hashFor):
844         * runtime/Executable.h:
845         (JSC::ExecutableBase::createStructure):
846         (JSC::NativeExecutable::createStructure):
847         (JSC::EvalExecutable::createStructure):
848         (JSC::ProgramExecutable::createStructure):
849         (JSC::FunctionExecutable::compileFor):
850         (JSC::FunctionExecutable::compileOptimizedFor):
851         (JSC::FunctionExecutable::createStructure):
852         * runtime/FunctionConstructor.h:
853         (JSC::FunctionConstructor::createStructure):
854         * runtime/FunctionPrototype.cpp:
855         (JSC::functionProtoFuncToString):
856         (JSC::functionProtoFuncApply):
857         (JSC::functionProtoFuncBind):
858         * runtime/FunctionPrototype.h:
859         (JSC::FunctionPrototype::createStructure):
860         * runtime/GetterSetter.cpp:
861         (JSC::GetterSetter::visitChildren):
862         * runtime/GetterSetter.h:
863         (JSC::GetterSetter::createStructure):
864         * runtime/InternalFunction.cpp:
865         (JSC::InternalFunction::finishCreation):
866         * runtime/InternalFunction.h:
867         (JSC::InternalFunction::createStructure):
868         (JSC::asInternalFunction):
869         * runtime/JSAPIValueWrapper.h:
870         (JSC::JSAPIValueWrapper::createStructure):
871         * runtime/JSActivation.cpp:
872         (JSC::JSActivation::visitChildren):
873         (JSC::JSActivation::argumentsGetter):
874         * runtime/JSActivation.h:
875         (JSC::JSActivation::createStructure):
876         (JSC::asActivation):
877         * runtime/JSArray.h:
878         (JSC::JSArray::createStructure):
879         (JSC::asArray):
880         (JSC::isJSArray):
881         * runtime/JSBoundFunction.cpp:
882         (JSC::JSBoundFunction::finishCreation):
883         (JSC::JSBoundFunction::visitChildren):
884         * runtime/JSBoundFunction.h:
885         (JSC::JSBoundFunction::createStructure):
886         * runtime/JSCJSValue.cpp:
887         (JSC::JSValue::dumpInContext):
888         * runtime/JSCJSValueInlines.h:
889         (JSC::JSValue::isFunction):
890         * runtime/JSCell.h:
891         (JSC::jsCast):
892         (JSC::jsDynamicCast):
893         * runtime/JSCellInlines.h:
894         (JSC::allocateCell):
895         * runtime/JSFunction.cpp:
896         (JSC::JSFunction::finishCreation):
897         (JSC::JSFunction::visitChildren):
898         (JSC::skipOverBoundFunctions):
899         (JSC::JSFunction::callerGetter):
900         * runtime/JSFunction.h:
901         (JSC::JSFunction::createStructure):
902         * runtime/JSGlobalObject.cpp:
903         (JSC::JSGlobalObject::visitChildren):
904         (JSC::slowValidateCell):
905         * runtime/JSGlobalObject.h:
906         (JSC::JSGlobalObject::createStructure):
907         * runtime/JSNameScope.cpp:
908         (JSC::JSNameScope::visitChildren):
909         * runtime/JSNameScope.h:
910         (JSC::JSNameScope::createStructure):
911         * runtime/JSNotAnObject.h:
912         (JSC::JSNotAnObject::createStructure):
913         * runtime/JSONObject.cpp:
914         (JSC::JSONObject::finishCreation):
915         (JSC::unwrapBoxedPrimitive):
916         (JSC::Stringifier::Stringifier):
917         (JSC::Stringifier::appendStringifiedValue):
918         (JSC::Stringifier::Holder::Holder):
919         (JSC::Walker::walk):
920         (JSC::JSONProtoFuncStringify):
921         * runtime/JSONObject.h:
922         (JSC::JSONObject::createStructure):
923         * runtime/JSObject.cpp:
924         (JSC::getCallableObjectSlow):
925         (JSC::JSObject::visitChildren):
926         (JSC::JSObject::copyBackingStore):
927         (JSC::JSFinalObject::visitChildren):
928         (JSC::JSObject::ensureInt32Slow):
929         (JSC::JSObject::ensureDoubleSlow):
930         (JSC::JSObject::ensureContiguousSlow):
931         (JSC::JSObject::ensureArrayStorageSlow):
932         * runtime/JSObject.h:
933         (JSC::JSObject::finishCreation):
934         (JSC::JSObject::createStructure):
935         (JSC::JSNonFinalObject::createStructure):
936         (JSC::JSFinalObject::createStructure):
937         (JSC::isJSFinalObject):
938         * runtime/JSPropertyNameIterator.cpp:
939         (JSC::JSPropertyNameIterator::visitChildren):
940         * runtime/JSPropertyNameIterator.h:
941         (JSC::JSPropertyNameIterator::createStructure):
942         * runtime/JSProxy.cpp:
943         (JSC::JSProxy::visitChildren):
944         * runtime/JSProxy.h:
945         (JSC::JSProxy::createStructure):
946         * runtime/JSScope.cpp:
947         (JSC::JSScope::visitChildren):
948         * runtime/JSSegmentedVariableObject.cpp:
949         (JSC::JSSegmentedVariableObject::visitChildren):
950         * runtime/JSString.h:
951         (JSC::JSString::createStructure):
952         (JSC::isJSString):
953         * runtime/JSSymbolTableObject.cpp:
954         (JSC::JSSymbolTableObject::visitChildren):
955         * runtime/JSVariableObject.h:
956         * runtime/JSWithScope.cpp:
957         (JSC::JSWithScope::visitChildren):
958         * runtime/JSWithScope.h:
959         (JSC::JSWithScope::createStructure):
960         * runtime/JSWrapperObject.cpp:
961         (JSC::JSWrapperObject::visitChildren):
962         * runtime/JSWrapperObject.h:
963         (JSC::JSWrapperObject::createStructure):
964         * runtime/MathObject.cpp:
965         (JSC::MathObject::finishCreation):
966         * runtime/MathObject.h:
967         (JSC::MathObject::createStructure):
968         * runtime/NameConstructor.h:
969         (JSC::NameConstructor::createStructure):
970         * runtime/NameInstance.h:
971         (JSC::NameInstance::createStructure):
972         (JSC::NameInstance::finishCreation):
973         * runtime/NamePrototype.cpp:
974         (JSC::NamePrototype::finishCreation):
975         (JSC::privateNameProtoFuncToString):
976         * runtime/NamePrototype.h:
977         (JSC::NamePrototype::createStructure):
978         * runtime/NativeErrorConstructor.cpp:
979         (JSC::NativeErrorConstructor::visitChildren):
980         * runtime/NativeErrorConstructor.h:
981         (JSC::NativeErrorConstructor::createStructure):
982         (JSC::NativeErrorConstructor::finishCreation):
983         * runtime/NumberConstructor.cpp:
984         (JSC::NumberConstructor::finishCreation):
985         * runtime/NumberConstructor.h:
986         (JSC::NumberConstructor::createStructure):
987         * runtime/NumberObject.cpp:
988         (JSC::NumberObject::finishCreation):
989         * runtime/NumberObject.h:
990         (JSC::NumberObject::createStructure):
991         * runtime/NumberPrototype.cpp:
992         (JSC::NumberPrototype::finishCreation):
993         * runtime/NumberPrototype.h:
994         (JSC::NumberPrototype::createStructure):
995         * runtime/ObjectConstructor.h:
996         (JSC::ObjectConstructor::createStructure):
997         * runtime/ObjectPrototype.cpp:
998         (JSC::ObjectPrototype::finishCreation):
999         * runtime/ObjectPrototype.h:
1000         (JSC::ObjectPrototype::createStructure):
1001         * runtime/PropertyMapHashTable.h:
1002         (JSC::PropertyTable::createStructure):
1003         * runtime/PropertyTable.cpp:
1004         (JSC::PropertyTable::visitChildren):
1005         * runtime/RegExp.h:
1006         (JSC::RegExp::createStructure):
1007         * runtime/RegExpConstructor.cpp:
1008         (JSC::RegExpConstructor::finishCreation):
1009         (JSC::RegExpConstructor::visitChildren):
1010         (JSC::constructRegExp):
1011         * runtime/RegExpConstructor.h:
1012         (JSC::RegExpConstructor::createStructure):
1013         (JSC::asRegExpConstructor):
1014         * runtime/RegExpMatchesArray.cpp:
1015         (JSC::RegExpMatchesArray::visitChildren):
1016         * runtime/RegExpMatchesArray.h:
1017         (JSC::RegExpMatchesArray::createStructure):
1018         * runtime/RegExpObject.cpp:
1019         (JSC::RegExpObject::finishCreation):
1020         (JSC::RegExpObject::visitChildren):
1021         * runtime/RegExpObject.h:
1022         (JSC::RegExpObject::createStructure):
1023         (JSC::asRegExpObject):
1024         * runtime/RegExpPrototype.cpp:
1025         (JSC::regExpProtoFuncTest):
1026         (JSC::regExpProtoFuncExec):
1027         (JSC::regExpProtoFuncCompile):
1028         (JSC::regExpProtoFuncToString):
1029         * runtime/RegExpPrototype.h:
1030         (JSC::RegExpPrototype::createStructure):
1031         * runtime/SparseArrayValueMap.cpp:
1032         (JSC::SparseArrayValueMap::createStructure):
1033         * runtime/SparseArrayValueMap.h:
1034         * runtime/StrictEvalActivation.h:
1035         (JSC::StrictEvalActivation::createStructure):
1036         * runtime/StringConstructor.h:
1037         (JSC::StringConstructor::createStructure):
1038         * runtime/StringObject.cpp:
1039         (JSC::StringObject::finishCreation):
1040         * runtime/StringObject.h:
1041         (JSC::StringObject::createStructure):
1042         (JSC::asStringObject):
1043         * runtime/StringPrototype.cpp:
1044         (JSC::StringPrototype::finishCreation):
1045         (JSC::stringProtoFuncReplace):
1046         (JSC::stringProtoFuncToString):
1047         (JSC::stringProtoFuncMatch):
1048         (JSC::stringProtoFuncSearch):
1049         (JSC::stringProtoFuncSplit):
1050         * runtime/StringPrototype.h:
1051         (JSC::StringPrototype::createStructure):
1052         * runtime/Structure.cpp:
1053         (JSC::Structure::Structure):
1054         (JSC::Structure::materializePropertyMap):
1055         (JSC::Structure::get):
1056         (JSC::Structure::visitChildren):
1057         * runtime/Structure.h:
1058         (JSC::Structure::typeInfo):
1059         (JSC::Structure::previousID):
1060         (JSC::Structure::outOfLineSize):
1061         (JSC::Structure::totalStorageCapacity):
1062         (JSC::Structure::materializePropertyMapIfNecessary):
1063         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1064         * runtime/StructureChain.cpp:
1065         (JSC::StructureChain::visitChildren):
1066         * runtime/StructureChain.h:
1067         (JSC::StructureChain::createStructure):
1068         * runtime/StructureInlines.h:
1069         (JSC::Structure::get):
1070         * runtime/StructureRareData.cpp:
1071         (JSC::StructureRareData::createStructure):
1072         (JSC::StructureRareData::visitChildren):
1073         * runtime/StructureRareData.h:
1074         * runtime/SymbolTable.h:
1075         (JSC::SharedSymbolTable::createStructure):
1076         * runtime/VM.cpp:
1077         (JSC::VM::VM):
1078         (JSC::StackPreservingRecompiler::operator()):
1079         (JSC::VM::releaseExecutableMemory):
1080         * runtime/WriteBarrier.h:
1081         (JSC::validateCell):
1082         * testRegExp.cpp:
1083         (GlobalObject::createStructure):
1084
1085 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1086
1087         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1088         https://bugs.webkit.org/show_bug.cgi?id=119762
1089
1090         Reviewed by Geoffrey Garen.
1091
1092         * heap/Heap.cpp:
1093         (JSC::Heap::Heap):
1094         (JSC::Heap::markRoots):
1095         (JSC::Heap::collect):
1096         * jsc.cpp:
1097         (StopWatch::start):
1098         (StopWatch::stop):
1099         * testRegExp.cpp:
1100         (StopWatch::start):
1101         (StopWatch::stop):
1102
1103 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1104
1105         [sh4] Prepare LLINT for DFG_JIT implementation.
1106         https://bugs.webkit.org/show_bug.cgi?id=119755
1107
1108         Reviewed by Oliver Hunt.
1109
1110         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1111         * offlineasm/sh4.rb:
1112             - Handle storeb opcode.
1113             - Make relative jumps when possible using braf opcode.
1114             - Update bmulio implementation to be consistent with baseline JIT.
1115             - Remove useless code from leap opcode.
1116             - Fix incorrect comment.
1117
1118 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1119
1120         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1121         https://bugs.webkit.org/show_bug.cgi?id=119758
1122
1123         Reviewed by Oliver Hunt.
1124
1125         * assembler/MacroAssemblerSH4.h:
1126             - Introduce a loadEffectiveAddress function to avoid code duplication.
1127             - Add ASSERTs and clean code.
1128         * assembler/SH4Assembler.h:
1129             - Prepare DFG_JIT implementation.
1130             - Add ASSERTs.
1131         * jit/JITStubs.cpp:
1132             - Add SH4 specific call for assertions.
1133         * jit/JITStubs.h:
1134             - Cosmetic change.
1135         * jit/JITStubsSH4.h:
1136             - Use constants to be more flexible with sh4 JIT stack frame.
1137         * jit/JSInterfaceJIT.h:
1138             - Cosmetic change.
1139
1140 2013-08-13  Oliver Hunt  <oliver@apple.com>
1141
1142         Harden executeConstruct against incorrect return types from host functions
1143         https://bugs.webkit.org/show_bug.cgi?id=119757
1144
1145         Reviewed by Mark Hahnenberg.
1146
1147         Add logic to guard against bogus return types.  There doesn't seem to be any
1148         class in WebKit that does this wrong, but the typed array stubs in debug JSC
1149         do exhibit this bad behaviour.
1150
1151         * interpreter/Interpreter.cpp:
1152         (JSC::Interpreter::executeConstruct):
1153
1154 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1155
1156         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1157         https://bugs.webkit.org/show_bug.cgi?id=119736
1158
1159         Reviewed by Anders Carlsson.
1160
1161         Don't force C++11 mode off anymore.
1162
1163         * Target.pri:
1164
1165 2013-08-12  Oliver Hunt  <oliver@apple.com>
1166
1167         Remove CodeBlock's notion of adding identifiers entirely
1168         https://bugs.webkit.org/show_bug.cgi?id=119708
1169
1170         Reviewed by Geoffrey Garen.
1171
1172         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1173         Move the addition of identifiers to DFGPlan::reallyAdd.
1174
1175         * bytecode/CodeBlock.h:
1176         * dfg/DFGDesiredIdentifiers.cpp:
1177         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1178         * dfg/DFGDesiredIdentifiers.h:
1179         * dfg/DFGPlan.cpp:
1180         (JSC::DFG::Plan::reallyAdd):
1181         (JSC::DFG::Plan::finalize):
1182         * dfg/DFGPlan.h:
1183
1184 2013-08-12  Oliver Hunt  <oliver@apple.com>
1185
1186         Build fix
1187
1188         * runtime/JSCell.h:
1189
1190 2013-08-12  Oliver Hunt  <oliver@apple.com>
1191
1192         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1193         https://bugs.webkit.org/show_bug.cgi?id=119705
1194
1195         Reviewed by Geoffrey Garen.
1196
1197         Relatively trivial refactoring
1198
1199         * bytecode/CodeBlock.h:
1200         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1201         (JSC::CodeBlock::addAdditionalIdentifier):
1202         (JSC::CodeBlock::identifier):
1203         (JSC::CodeBlock::numberOfIdentifiers):
1204         * dfg/DFGCommonData.h:
1205
1206 2013-08-12  Oliver Hunt  <oliver@apple.com>
1207
1208         Stop making unnecessary copy of CodeBlock Identifier Vector
1209         https://bugs.webkit.org/show_bug.cgi?id=119702
1210
1211         Reviewed by Michael Saboff.
1212
1213         Make CodeBlock simply use a separate Vector for additional Identifiers
1214         and use the UnlinkedCodeBlock for the initial set of identifiers.
1215
1216         * bytecode/CodeBlock.cpp:
1217         (JSC::CodeBlock::printGetByIdOp):
1218         (JSC::dumpStructure):
1219         (JSC::dumpChain):
1220         (JSC::CodeBlock::printGetByIdCacheStatus):
1221         (JSC::CodeBlock::printPutByIdOp):
1222         (JSC::CodeBlock::dumpBytecode):
1223         (JSC::CodeBlock::CodeBlock):
1224         (JSC::CodeBlock::shrinkToFit):
1225         * bytecode/CodeBlock.h:
1226         (JSC::CodeBlock::numberOfIdentifiers):
1227         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1228         (JSC::CodeBlock::addAdditionalIdentifier):
1229         (JSC::CodeBlock::identifier):
1230         * dfg/DFGDesiredIdentifiers.cpp:
1231         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1232         * jit/JIT.h:
1233         * jit/JITOpcodes.cpp:
1234         (JSC::JIT::emitSlow_op_get_arguments_length):
1235         * jit/JITPropertyAccess.cpp:
1236         (JSC::JIT::emit_op_get_by_id):
1237         (JSC::JIT::compileGetByIdHotPath):
1238         (JSC::JIT::emitSlow_op_get_by_id):
1239         (JSC::JIT::compileGetByIdSlowCase):
1240         (JSC::JIT::emitSlow_op_put_by_id):
1241         * jit/JITPropertyAccess32_64.cpp:
1242         (JSC::JIT::emit_op_get_by_id):
1243         (JSC::JIT::compileGetByIdHotPath):
1244         (JSC::JIT::compileGetByIdSlowCase):
1245         * jit/JITStubs.cpp:
1246         (JSC::DEFINE_STUB_FUNCTION):
1247         * llint/LLIntSlowPaths.cpp:
1248         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1249
1250 2013-08-08  Mark Lam  <mark.lam@apple.com>
1251
1252         Restoring use of StackIterator instead of Interpreter::getStacktrace().
1253         https://bugs.webkit.org/show_bug.cgi?id=119575.
1254
1255         Reviewed by Oliver Hunt.
1256
1257         * interpreter/Interpreter.h:
1258         - Made getStackTrace() private.
1259         * interpreter/StackIterator.cpp:
1260         (JSC::StackIterator::StackIterator):
1261         (JSC::StackIterator::numberOfFrames):
1262         - Computes the number of frames by iterating through the whole stack
1263           from the starting frame. The iterator will save its current frame
1264           position before counting the frames, and then restore it after
1265           the counting.
1266         (JSC::StackIterator::gotoFrameAtIndex):
1267         (JSC::StackIterator::gotoNextFrame):
1268         (JSC::StackIterator::resetIterator):
1269         - Points the iterator to the starting frame.
1270         * interpreter/StackIteratorPrivate.h:
1271
1272 2013-08-08  Mark Lam  <mark.lam@apple.com>
1273
1274         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1275         the Interpreter class.
1276         https://bugs.webkit.org/show_bug.cgi?id=119576.
1277
1278         Reviewed by Oliver Hunt.
1279
1280         This change is needed to prepare for making Interpreter::getStackTrace()
1281         private. It does not change the behavior of the code, only the lexical
1282         scoping.
1283
1284         * interpreter/Interpreter.h:
1285         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1286         * runtime/ErrorConstructor.cpp:
1287         (JSC::Interpreter::constructWithErrorConstructor):
1288         (JSC::ErrorConstructor::getConstructData):
1289         (JSC::Interpreter::callErrorConstructor):
1290         (JSC::ErrorConstructor::getCallData):
1291         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1292           directly. So, we moved the helper functions into the Interpreter
1293           class.
1294         * runtime/NativeErrorConstructor.cpp:
1295         (JSC::Interpreter::constructWithNativeErrorConstructor):
1296         (JSC::NativeErrorConstructor::getConstructData):
1297         (JSC::Interpreter::callNativeErrorConstructor):
1298         (JSC::NativeErrorConstructor::getCallData):
1299         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1300           directly. So, we moved the helper functions into the Interpreter
1301           class.
1302
1303 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1304
1305         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1306         https://bugs.webkit.org/show_bug.cgi?id=119555
1307
1308         Reviewed by Geoffrey Garen.
1309
1310         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
1311         This was causing crashes on maps.google.com in 32-bit debug builds.
1312
1313         * dfg/DFGSpeculativeJIT32_64.cpp:
1314         (JSC::DFG::SpeculativeJIT::compile):
1315
1316 2013-08-06  Michael Saboff  <msaboff@apple.com>
1317
1318         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
1319         https://bugs.webkit.org/show_bug.cgi?id=119405
1320
1321         Reviewed by Geoffrey Garen.
1322
1323         * dfg/DFGSpeculativeJIT.cpp:
1324         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
1325         ourselves to save a register and then load from it.
1326
1327 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
1328
1329         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
1330         https://bugs.webkit.org/show_bug.cgi?id=119528
1331
1332         Reviewed by Geoffrey Garen.
1333
1334         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
1335         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
1336         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
1337         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
1338         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
1339
1340         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
1341
1342         * bytecode/CodeBlock.cpp:
1343         (JSC::CodeBlock::finalizeUnconditionally):
1344         * dfg/DFGDriver.cpp:
1345         (JSC::DFG::compile):
1346         * dfg/DFGFixupPhase.cpp:
1347         (JSC::DFG::FixupPhase::fixupNode):
1348         * dfg/DFGGraph.cpp:
1349         (JSC::DFG::Graph::dump):
1350         * dfg/DFGSpeculativeJIT64.cpp:
1351         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1352         * runtime/JSObject.h:
1353         (JSC::JSObject::getIndexQuickly):
1354         (JSC::JSObject::tryGetIndexQuickly):
1355
1356 2013-08-08  Stephanie Lewis  <slewis@apple.com>
1357
1358         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
1359
1360         Unreviewed.
1361
1362         Ensure llint symbols are in source order.
1363
1364         * JavaScriptCore.order:
1365
1366 2013-08-06  Mark Lam  <mark.lam@apple.com>
1367
1368         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
1369         https://bugs.webkit.org/show_bug.cgi?id=119532.
1370
1371         Reviewed by Oliver Hunt.
1372
1373         * parser/Parser.cpp:
1374         (JSC::::Parser):
1375         - Just need to initialize the Parser's JSTokenLocation's initial line and
1376           startOffset as well during Parser construction.
1377
1378 2013-08-06  Stephanie Lewis  <slewis@apple.com>
1379
1380         Update Order Files for Safari
1381         <rdar://problem/14517392>
1382
1383         Unreviewed.
1384
1385         * JavaScriptCore.order:
1386
1387 2013-08-04  Sam Weinig  <sam@webkit.org>
1388
1389         Remove support for HTML5 MicroData
1390         https://bugs.webkit.org/show_bug.cgi?id=119480
1391
1392         Reviewed by Anders Carlsson.
1393
1394         * Configurations/FeatureDefines.xcconfig:
1395
1396 2013-08-05  Oliver Hunt  <oliver@apple.com>
1397
1398         Delay Arguments creation in strict mode
1399         https://bugs.webkit.org/show_bug.cgi?id=119505
1400
1401         Reviewed by Geoffrey Garen.
1402
1403         Make use of the write tracking performed by the parser to
1404         allow us to know if we're modifying the parameters to a function.
1405         Then use that information to make strict mode functions opt out
1406         of eager arguments creation.
1407
1408         * bytecompiler/BytecodeGenerator.cpp:
1409         (JSC::BytecodeGenerator::BytecodeGenerator):
1410         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
1411         (JSC::BytecodeGenerator::emitReturn):
1412         * bytecompiler/BytecodeGenerator.h:
1413         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
1414         * parser/Nodes.h:
1415         (JSC::ScopeNode::modifiesParameter):
1416         * parser/Parser.cpp:
1417         (JSC::::parseInner):
1418         * parser/Parser.h:
1419         (JSC::Scope::declareParameter):
1420         (JSC::Scope::getCapturedVariables):
1421         (JSC::Parser::declareWrite):
1422         * parser/ParserModes.h:
1423
1424 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1425
1426         Remove useless code from COMPILER(RVCT) JITStubs
1427         https://bugs.webkit.org/show_bug.cgi?id=119521
1428
1429         Reviewed by Geoffrey Garen.
1430
1431         * jit/JITStubsARMv7.h:
1432         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
1433         (JSC::ctiOpThrowNotCaught): Ditto.
1434
1435 2013-07-23  David Farler  <dfarler@apple.com>
1436
1437         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
1438         https://bugs.webkit.org/show_bug.cgi?id=117762
1439
1440         Reviewed by Mark Rowe.
1441
1442         * Configurations/DebugRelease.xcconfig:
1443         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
1444         * Configurations/JavaScriptCore.xcconfig:
1445         Add ASAN_OTHER_LDFLAGS.
1446         * Configurations/ToolExecutable.xcconfig:
1447         Don't use ASAN for build tools.
1448
1449 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1450
1451         Build fix for ARM MSVC after r153222 and r153648.
1452
1453         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
1454
1455 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1456
1457         Build fix for ARM MSVC after r150109.
1458
1459         Read the stub template from a header file instead of JITStubs.cpp.
1460
1461         * CMakeLists.txt:
1462         * DerivedSources.pri:
1463         * create_jit_stubs:
1464
1465 2013-08-05  Oliver Hunt  <oliver@apple.com>
1466
1467         Move TypedArray implementation into JSC
1468         https://bugs.webkit.org/show_bug.cgi?id=119489
1469
1470         Reviewed by Filip Pizlo.
1471
1472         Move TypedArray implementation into JSC in advance of re-implementation
1473
1474         * GNUmakefile.list.am:
1475         * JSCTypedArrayStubs.h:
1476         * JavaScriptCore.xcodeproj/project.pbxproj:
1477         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
1478         (JSC::ArrayBuffer::transfer):
1479         (JSC::ArrayBuffer::addView):
1480         (JSC::ArrayBuffer::removeView):
1481         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
1482         (JSC::ArrayBufferContents::ArrayBufferContents):
1483         (JSC::ArrayBufferContents::data):
1484         (JSC::ArrayBufferContents::sizeInBytes):
1485         (JSC::ArrayBufferContents::transfer):
1486         (JSC::ArrayBufferContents::copyTo):
1487         (JSC::ArrayBuffer::isNeutered):
1488         (JSC::ArrayBuffer::~ArrayBuffer):
1489         (JSC::ArrayBuffer::clampValue):
1490         (JSC::ArrayBuffer::create):
1491         (JSC::ArrayBuffer::createUninitialized):
1492         (JSC::ArrayBuffer::ArrayBuffer):
1493         (JSC::ArrayBuffer::data):
1494         (JSC::ArrayBuffer::byteLength):
1495         (JSC::ArrayBuffer::slice):
1496         (JSC::ArrayBuffer::sliceImpl):
1497         (JSC::ArrayBuffer::clampIndex):
1498         (JSC::ArrayBufferContents::tryAllocate):
1499         (JSC::ArrayBufferContents::~ArrayBufferContents):
1500         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
1501         (JSC::ArrayBufferView::ArrayBufferView):
1502         (JSC::ArrayBufferView::~ArrayBufferView):
1503         (JSC::ArrayBufferView::neuter):
1504         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
1505         (JSC::ArrayBufferView::buffer):
1506         (JSC::ArrayBufferView::baseAddress):
1507         (JSC::ArrayBufferView::byteOffset):
1508         (JSC::ArrayBufferView::setNeuterable):
1509         (JSC::ArrayBufferView::isNeuterable):
1510         (JSC::ArrayBufferView::verifySubRange):
1511         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1512         (JSC::ArrayBufferView::setImpl):
1513         (JSC::ArrayBufferView::setRangeImpl):
1514         (JSC::ArrayBufferView::zeroRangeImpl):
1515         (JSC::ArrayBufferView::calculateOffsetAndLength):
1516         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
1517         (JSC::Float32Array::set):
1518         (JSC::Float32Array::getType):
1519         (JSC::Float32Array::create):
1520         (JSC::Float32Array::createUninitialized):
1521         (JSC::Float32Array::Float32Array):
1522         (JSC::Float32Array::subarray):
1523         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
1524         (JSC::Float64Array::set):
1525         (JSC::Float64Array::getType):
1526         (JSC::Float64Array::create):
1527         (JSC::Float64Array::createUninitialized):
1528         (JSC::Float64Array::Float64Array):
1529         (JSC::Float64Array::subarray):
1530         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
1531         (JSC::Int16Array::getType):
1532         (JSC::Int16Array::create):
1533         (JSC::Int16Array::createUninitialized):
1534         (JSC::Int16Array::Int16Array):
1535         (JSC::Int16Array::subarray):
1536         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
1537         (JSC::Int32Array::getType):
1538         (JSC::Int32Array::create):
1539         (JSC::Int32Array::createUninitialized):
1540         (JSC::Int32Array::Int32Array):
1541         (JSC::Int32Array::subarray):
1542         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
1543         (JSC::Int8Array::getType):
1544         (JSC::Int8Array::create):
1545         (JSC::Int8Array::createUninitialized):
1546         (JSC::Int8Array::Int8Array):
1547         (JSC::Int8Array::subarray):
1548         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
1549         (JSC::IntegralTypedArrayBase::set):
1550         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
1551         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
1552         (JSC::TypedArrayBase::data):
1553         (JSC::TypedArrayBase::set):
1554         (JSC::TypedArrayBase::setRange):
1555         (JSC::TypedArrayBase::zeroRange):
1556         (JSC::TypedArrayBase::length):
1557         (JSC::TypedArrayBase::byteLength):
1558         (JSC::TypedArrayBase::item):
1559         (JSC::TypedArrayBase::checkInboundData):
1560         (JSC::TypedArrayBase::TypedArrayBase):
1561         (JSC::TypedArrayBase::create):
1562         (JSC::TypedArrayBase::createUninitialized):
1563         (JSC::TypedArrayBase::subarrayImpl):
1564         (JSC::TypedArrayBase::neuter):
1565         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
1566         (JSC::Uint16Array::getType):
1567         (JSC::Uint16Array::create):
1568         (JSC::Uint16Array::createUninitialized):
1569         (JSC::Uint16Array::Uint16Array):
1570         (JSC::Uint16Array::subarray):
1571         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
1572         (JSC::Uint32Array::getType):
1573         (JSC::Uint32Array::create):
1574         (JSC::Uint32Array::createUninitialized):
1575         (JSC::Uint32Array::Uint32Array):
1576         (JSC::Uint32Array::subarray):
1577         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
1578         (JSC::Uint8Array::getType):
1579         (JSC::Uint8Array::create):
1580         (JSC::Uint8Array::createUninitialized):
1581         (JSC::Uint8Array::Uint8Array):
1582         (JSC::Uint8Array::subarray):
1583         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
1584         (JSC::Uint8ClampedArray::getType):
1585         (JSC::Uint8ClampedArray::create):
1586         (JSC::Uint8ClampedArray::createUninitialized):
1587         (JSC::Uint8ClampedArray::zeroFill):
1588         (JSC::Uint8ClampedArray::set):
1589         (JSC::Uint8ClampedArray::Uint8ClampedArray):
1590         (JSC::Uint8ClampedArray::subarray):
1591         * runtime/VM.h:
1592
1593 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1594
1595         Copied space should be able to handle more than one copied backing store per JSCell
1596         https://bugs.webkit.org/show_bug.cgi?id=119471
1597
1598         Reviewed by Mark Hahnenberg.
1599         
1600         This allows a cell to call copyLater() multiple times for multiple different
1601         backing stores, and then have copyBackingStore() called exactly once for each
1602         of those. A token tells it which backing store to copy. All backing stores
1603         must be named using the CopyToken, an enumeration which currently cannot
1604         exceed eight entries.
1605         
1606         When copyBackingStore() is called, it's up to the callee to (a) use the token
1607         to decide what to copy and (b) call its base class's copyBackingStore() in
1608         case the base class had something that needed copying. The only exception is
1609         that JSCell never asks anything to be copied, and so if your base is JSCell
1610         then you don't have to do anything.
1611
1612         * GNUmakefile.list.am:
1613         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1614         * JavaScriptCore.xcodeproj/project.pbxproj:
1615         * heap/CopiedBlock.h:
1616         * heap/CopiedBlockInlines.h:
1617         (JSC::CopiedBlock::reportLiveBytes):
1618         * heap/CopyToken.h: Added.
1619         * heap/CopyVisitor.cpp:
1620         (JSC::CopyVisitor::copyFromShared):
1621         * heap/CopyVisitor.h:
1622         * heap/CopyVisitorInlines.h:
1623         (JSC::CopyVisitor::visitItem):
1624         * heap/CopyWorkList.h:
1625         (JSC::CopyWorklistItem::CopyWorklistItem):
1626         (JSC::CopyWorklistItem::cell):
1627         (JSC::CopyWorklistItem::token):
1628         (JSC::CopyWorkListSegment::get):
1629         (JSC::CopyWorkListSegment::append):
1630         (JSC::CopyWorkListSegment::data):
1631         (JSC::CopyWorkListIterator::get):
1632         (JSC::CopyWorkListIterator::operator*):
1633         (JSC::CopyWorkListIterator::operator->):
1634         (JSC::CopyWorkList::append):
1635         * heap/SlotVisitor.h:
1636         * heap/SlotVisitorInlines.h:
1637         (JSC::SlotVisitor::copyLater):
1638         * runtime/ClassInfo.h:
1639         * runtime/JSCell.cpp:
1640         (JSC::JSCell::copyBackingStore):
1641         * runtime/JSCell.h:
1642         * runtime/JSObject.cpp:
1643         (JSC::JSObject::visitButterfly):
1644         (JSC::JSObject::copyBackingStore):
1645         * runtime/JSObject.h:
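
The copyLater()/copyBackingStore() contract described above, as an added example that is not JSC's code: a simplified model in which a visitor records one work item per (cell, token), drains it once, and a subclass handles its own tokens before forwarding the rest to its base class. The token names and the class names are assumptions made for the example.

```cpp
#include <utility>
#include <vector>

// Hypothetical token names (assumption): the entry only says the enumeration
// currently cannot exceed eight entries.
enum CopyToken : unsigned {
    BaseStoreCopyToken = 0,
    FirstExtraStoreCopyToken,
    SecondExtraStoreCopyToken,
    CopyTokenCount
};
static_assert(CopyTokenCount <= 8, "CopyToken must fit in three bits");

struct CopyVisitor;

struct JSCell {
    virtual ~JSCell() {}
    // JSCell never asks for anything to be copied, so classes whose base is
    // JSCell need not forward unknown tokens anywhere.
    virtual void copyBackingStore(CopyVisitor&, CopyToken) {}
    // Registers every backing store this cell owns with the visitor.
    virtual void copyLaterAll(CopyVisitor&) {}
};

struct CopyVisitor {
    std::vector<std::pair<JSCell*, CopyToken>> workList;

    // copyLater() may be called several times per cell, once per backing store.
    void copyLater(JSCell* cell, CopyToken token) { workList.push_back(std::make_pair(cell, token)); }

    // Draining the list calls copyBackingStore() exactly once per (cell, token).
    void run() {
        for (const auto& item : workList)
            item.first->copyBackingStore(*this, item.second);
        workList.clear();
    }
};

// A class owning one copied backing store.
struct BaseObject : JSCell {
    int baseCopies = 0;
    void copyLaterAll(CopyVisitor& visitor) override { visitor.copyLater(this, BaseStoreCopyToken); }
    void copyBackingStore(CopyVisitor&, CopyToken token) override {
        // (a) Use the token to decide what to copy.
        if (token == BaseStoreCopyToken)
            ++baseCopies;
        // Any other token is not ours; our base is JSCell, so there is nothing to forward to.
    }
};

// A subclass adding two more backing stores of its own.
struct DerivedObject : BaseObject {
    int firstCopies = 0;
    int secondCopies = 0;
    void copyLaterAll(CopyVisitor& visitor) override {
        BaseObject::copyLaterAll(visitor);
        visitor.copyLater(this, FirstExtraStoreCopyToken);
        visitor.copyLater(this, SecondExtraStoreCopyToken);
    }
    void copyBackingStore(CopyVisitor& visitor, CopyToken token) override {
        switch (token) {
        case FirstExtraStoreCopyToken: ++firstCopies; return;
        case SecondExtraStoreCopyToken: ++secondCopies; return;
        default:
            // (b) Not one of ours: the base class may own this store.
            BaseObject::copyBackingStore(visitor, token);
        }
    }
};

struct CopyCounts { int base; int first; int second; };

// Runs one copy cycle on a DerivedObject and reports per-store copy counts.
CopyCounts runCopyCycle() {
    DerivedObject object;
    CopyVisitor visitor;
    object.copyLaterAll(visitor);
    visitor.run();
    CopyCounts counts = { object.baseCopies, object.firstCopies, object.secondCopies };
    return counts;
}
```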
1646
1647 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
1648
1649         [Automake] Define ENABLE_JIT through the Autoconf header
1650         https://bugs.webkit.org/show_bug.cgi?id=119445
1651
1652         Reviewed by Martin Robinson.
1653
1654         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
1655
1656 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1657
1658         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1659         https://bugs.webkit.org/show_bug.cgi?id=119470
1660
1661         Reviewed by Oliver Hunt.
1662         
1663         Structure can still tell you if the object "could" (in the conservative sense)
1664         have an indexing header; that's used by the compiler.
1665         
1666         Most of the time if you want to know if there's an indexing header, you ask the
1667         JSObject.
1668         
1669         In some cases, the JSObject wants to know if it would have an indexing header if
1670         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1671
1672         * dfg/DFGRepatch.cpp:
1673         (JSC::DFG::tryCachePutByID):
1674         (JSC::DFG::tryBuildPutByIdList):
1675         * dfg/DFGSpeculativeJIT.cpp:
1676         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1677         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1678         * runtime/ButterflyInlines.h:
1679         (JSC::Butterfly::create):
1680         (JSC::Butterfly::growPropertyStorage):
1681         (JSC::Butterfly::growArrayRight):
1682         (JSC::Butterfly::resizeArray):
1683         * runtime/JSObject.cpp:
1684         (JSC::JSObject::copyButterfly):
1685         (JSC::JSObject::visitButterfly):
1686         * runtime/JSObject.h:
1687         (JSC::JSObject::hasIndexingHeader):
1688         (JSC::JSObject::setButterfly):
1689         * runtime/Structure.h:
1690         (JSC::Structure::couldHaveIndexingHeader):
1691         (JSC::Structure::hasIndexingHeader):
1692
1693 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1694
1695         Give the error object's stack property accessor attributes.
1696         https://bugs.webkit.org/show_bug.cgi?id=119404
1697
1698         Reviewed by Geoffrey Garen.
1699         
1700         Changed the attributes of error object's stack property to allow developers to write
1701         and delete the stack property. This will match the functionality of Chrome. Firefox  
1702         allows developers to write the error's stack, but not delete it. 
1703
1704         * interpreter/Interpreter.cpp:
1705         (JSC::Interpreter::addStackTraceIfNecessary):
1706         * runtime/ErrorInstance.cpp:
1707         (JSC::ErrorInstance::finishCreation):
1708
1709 2013-08-02  Oliver Hunt  <oliver@apple.com>
1710
1711         Incorrect type speculation reported by ToPrimitive
1712         https://bugs.webkit.org/show_bug.cgi?id=119458
1713
1714         Reviewed by Mark Hahnenberg.
1715
1716         Make sure that we report the correct type possibilities for the output
1717         from ToPrimitive
1718
1719         * dfg/DFGAbstractInterpreterInlines.h:
1720         (JSC::DFG::::executeEffects):
1721
1722 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1723
1724         Remove no-arguments constructor to PropertySlot
1725         https://bugs.webkit.org/show_bug.cgi?id=119460
1726
1727         Reviewed by Geoff Garen.
1728
1729         This constructor was unsafe if getValue is subsequently called,
1730         and the property is a getter. Simplest to just remove it.
1731
1732         * runtime/Arguments.cpp:
1733         (JSC::Arguments::defineOwnProperty):
1734         * runtime/JSActivation.cpp:
1735         (JSC::JSActivation::getOwnPropertyDescriptor):
1736         * runtime/JSFunction.cpp:
1737         (JSC::JSFunction::getOwnPropertyDescriptor):
1738         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1739         (JSC::JSFunction::put):
1740         (JSC::JSFunction::defineOwnProperty):
1741         * runtime/JSGlobalObject.cpp:
1742         (JSC::JSGlobalObject::defineOwnProperty):
1743         * runtime/JSGlobalObject.h:
1744         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1745         * runtime/JSNameScope.cpp:
1746         (JSC::JSNameScope::put):
1747         * runtime/JSONObject.cpp:
1748         (JSC::Stringifier::Holder::appendNextProperty):
1749         (JSC::Walker::walk):
1750         * runtime/JSObject.cpp:
1751         (JSC::JSObject::hasProperty):
1752         (JSC::JSObject::hasOwnProperty):
1753         (JSC::JSObject::reifyStaticFunctionsForDelete):
1754         * runtime/Lookup.h:
1755         (JSC::getStaticPropertyDescriptor):
1756         (JSC::getStaticFunctionDescriptor):
1757         (JSC::getStaticValueDescriptor):
1758         * runtime/ObjectConstructor.cpp:
1759         (JSC::defineProperties):
1760         * runtime/PropertySlot.h:
1761
1762 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1763
1764         DFG validation can cause assertion failures due to dumping
1765         https://bugs.webkit.org/show_bug.cgi?id=119456
1766
1767         Reviewed by Geoffrey Garen.
1768
1769         * bytecode/CodeBlock.cpp:
1770         (JSC::CodeBlock::hasHash):
1771         (JSC::CodeBlock::isSafeToComputeHash):
1772         (JSC::CodeBlock::hash):
1773         (JSC::CodeBlock::dumpAssumingJITType):
1774         * bytecode/CodeBlock.h:
1775
1776 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1777
1778         Have vm's exceptionStack match java's vm's exceptionStack.
1779         https://bugs.webkit.org/show_bug.cgi?id=119362
1780
1781         Reviewed by Geoffrey Garen.
1782         
1783         The error object's stack is only updated if it does not exist yet. This matches 
1784         the functionality of other browsers, and Java VMs. 
1785
1786         * interpreter/Interpreter.cpp:
1787         (JSC::Interpreter::addStackTraceIfNecessary):
1788         (JSC::Interpreter::throwException):
1789         * runtime/VM.cpp:
1790         (JSC::VM::clearExceptionStack):
1791         * runtime/VM.h:
1792         (JSC::VM::lastExceptionStack):
1793
1794 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1795
1796         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
1797         https://bugs.webkit.org/show_bug.cgi?id=119447
1798
1799         Reviewed by Geoffrey Garen.
1800
1801         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
1802         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
1803         r153583 (sh4) and r153648 (ARM).
1804
1805         * jit/JITStubsMIPS.h:
1806
1807 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
1808
1809         hasIndexingHeader should be a property of the Structure, not just the IndexingType
1810         https://bugs.webkit.org/show_bug.cgi?id=119422
1811
1812         Reviewed by Oliver Hunt.
1813         
1814         This simplifies some code and also allows Structure to claim that an object
1815         has an indexing header even if it doesn't have indexed properties.
1816         
1817         I also changed some calls to use hasIndexedProperties() since in some cases,
1818         that's what we actually meant. Currently the two are synonyms.
1819
1820         * dfg/DFGRepatch.cpp:
1821         (JSC::DFG::tryCachePutByID):
1822         (JSC::DFG::tryBuildPutByIdList):
1823         * dfg/DFGSpeculativeJIT.cpp:
1824         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1825         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1826         * runtime/ButterflyInlines.h:
1827         (JSC::Butterfly::create):
1828         (JSC::Butterfly::growPropertyStorage):
1829         (JSC::Butterfly::growArrayRight):
1830         (JSC::Butterfly::resizeArray):
1831         * runtime/IndexingType.h:
1832         * runtime/JSObject.cpp:
1833         (JSC::JSObject::copyButterfly):
1834         (JSC::JSObject::visitButterfly):
1835         (JSC::JSObject::setPrototype):
1836         * runtime/JSObject.h:
1837         (JSC::JSObject::setButterfly):
1838         * runtime/JSPropertyNameIterator.cpp:
1839         (JSC::JSPropertyNameIterator::create):
1840         * runtime/Structure.h:
1841         (JSC::Structure::hasIndexingHeader):
1842
1843 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1844
1845         REGRESSION: ARM still crashes after change set r153612.
1846         https://bugs.webkit.org/show_bug.cgi?id=119433
1847
1848         Reviewed by Michael Saboff.
1849
1850         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
1851         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
1852         for sh4 architecture.
1853
1854         * jit/JITStubsARM.h:
1855         * jit/JITStubsARMv7.h:
1856
1857 2013-08-02  Michael Saboff  <msaboff@apple.com>
1858
1859         REGRESSION(r153612): It made jsc and layout tests crash
1860         https://bugs.webkit.org/show_bug.cgi?id=119440
1861
1862         Reviewed by Csaba Osztrogonác.
1863
1864         Made the changes of changeset r153612 only apply to 32 bit builds.
1865
1866         * jit/JITExceptions.cpp:
1867         * jit/JITExceptions.h:
1868         * jit/JITStubs.cpp:
1869         (JSC::cti_vm_throw_slowpath):
1870         * jit/JITStubs.h:
1871
1872 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
1873
1874         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
1875
1876         * CMakeLists.txt:
1877
1878 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
1879
1880         [Forms: color] <input type='color'> popover color well implementation
1881         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
1882
1883         Reviewed by Benjamin Poulain.
1884
1885         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
1886
1887 2013-08-01  Oliver Hunt  <oliver@apple.com>
1888
1889         DFG is not enforcing correct ordering of ToString conversion in MakeRope
1890         https://bugs.webkit.org/show_bug.cgi?id=119408
1891
1892         Reviewed by Filip Pizlo.
1893
1894         Construct ToString and Phantom nodes in advance of MakeRope
1895         nodes to ensure that ordering is ensured, and correct values
1896         will be reified on OSR exit.
1897
1898         * dfg/DFGByteCodeParser.cpp:
1899         (JSC::DFG::ByteCodeParser::parseBlock):
1900
1901 2013-08-01  Michael Saboff  <msaboff@apple.com>
1902
1903         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
1904         https://bugs.webkit.org/show_bug.cgi?id=119140
1905
1906         Reviewed by Filip Pizlo.
1907
1908         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
1909
1910         * jit/JITExceptions.cpp:
1911         (JSC::encode):
1912         * jit/JITExceptions.h:
1913         * jit/JITStubs.cpp:
1914         (JSC::cti_vm_throw_slowpath):
1915         * jit/JITStubs.h:
1916
1917 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
1918
1919         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
1920         https://bugs.webkit.org/show_bug.cgi?id=119391
1921
1922         Reviewed by Csaba Osztrogonác.
1923
1924         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
1925             - Call frame is in r14 register.
1926             - Do not restore registers from JIT stack frame here.
1927
1928 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1929
1930         More cleanup in PropertySlot
1931         https://bugs.webkit.org/show_bug.cgi?id=119359
1932
1933         Reviewed by Geoff Garen.
1934
1935         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
1936         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
1937
1938         * dfg/DFGRepatch.cpp:
1939         (JSC::DFG::tryCacheGetByID):
1940         (JSC::DFG::tryBuildGetByIDList):
1941             - No need to ASSERT slotBase is an object.
1942         * jit/JITStubs.cpp:
1943         (JSC::tryCacheGetByID):
1944         (JSC::DEFINE_STUB_FUNCTION):
1945             - No need to ASSERT slotBase is an object.
1946         * runtime/JSObject.cpp:
1947         (JSC::JSObject::getOwnPropertySlotByIndex):
1948         (JSC::JSObject::fillGetterPropertySlot):
1949             - Pass an object through to setGetterSlot.
1950         * runtime/JSObject.h:
1951         (JSC::PropertySlot::getValue):
1952             - Moved from PropertySlot (need to know about JSObject).
1953         * runtime/PropertySlot.cpp:
1954         (JSC::PropertySlot::functionGetter):
1955             - Update per member name changes.
1956         * runtime/PropertySlot.h:
1957         (JSC::PropertySlot::PropertySlot):
1958             - Argument to constructor set to 'thisValue'.
1959         (JSC::PropertySlot::slotBase):
1960             - This returns a JSObject*.
1961         (JSC::PropertySlot::setValue):
1962         (JSC::PropertySlot::setCustom):
1963         (JSC::PropertySlot::setCacheableCustom):
1964         (JSC::PropertySlot::setCustomIndex):
1965         (JSC::PropertySlot::setGetterSlot):
1966         (JSC::PropertySlot::setCacheableGetterSlot):
1967             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
1968         * runtime/SparseArrayValueMap.cpp:
1969         (JSC::SparseArrayEntry::get):
1970             - Pass an object through to setGetterSlot.
1971         * runtime/SparseArrayValueMap.h:
1972             - Pass an object through to setGetterSlot.
1973
1974 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
1975
1976         Reduce JSC API static value setter/getter overhead.
1977         https://bugs.webkit.org/show_bug.cgi?id=119277
1978
1979         Reviewed by Geoffrey Garen.
1980
1981         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
1982         need to be called every time the static value is set or retrieved.
1983
1984         * API/JSCallbackObjectFunctions.h:
1985         (JSC::::put):
1986         (JSC::::putByIndex):
1987         (JSC::::getStaticValue):
1988         * API/JSClassRef.cpp:
1989         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1990         * API/JSClassRef.h:
1991         (StaticValueEntry::StaticValueEntry):
1992
1993 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
1994
1995         Use emptyString instead of String("")
1996         https://bugs.webkit.org/show_bug.cgi?id=119335
1997
1998         Reviewed by Darin Adler.
1999
2000         Use emptyString() instead of String("") because it is better style and
2001         faster. This is a followup to r116908, removing all occurrences of
2002         String("") from WebKit.
2003
2004         * runtime/RegExpConstructor.cpp:
2005         (JSC::constructRegExp):
2006         * runtime/RegExpPrototype.cpp:
2007         (JSC::regExpProtoFuncCompile):
2008         * runtime/StringPrototype.cpp:
2009         (JSC::stringProtoFuncMatch):
2010         (JSC::stringProtoFuncSearch):
2011
2012 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2013
2014         <input type=color> Mac UI behaviour
2015         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2016
2017         Reviewed by Brady Eidson.
2018
2019         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2020
2021 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2022
2023         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2024         https://bugs.webkit.org/show_bug.cgi?id=119349
2025
2026         Reviewed by Geoffrey Garen.
2027
2028         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2029         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2030         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2031         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2032         JIT then this resizing never happens and we crash at link time in the DFG.
2033
2034         We can fix this by also doing the resize in the DFG to catch this case.
2035
2036         * dfg/DFGJITCompiler.cpp:
2037         (JSC::DFG::JITCompiler::link):
2038
2039 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2040
2041         Speculative Windows build fix.
2042
2043         Reviewed by NOBODY
2044
2045         * runtime/JSString.cpp:
2046         (JSC::JSRopeString::getIndexSlowCase):
2047         * runtime/JSString.h:
2048
2049 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2050
2051         Some cleanup in JSValue::get
2052         https://bugs.webkit.org/show_bug.cgi?id=119343
2053
2054         Reviewed by Geoff Garen.
2055
2056         JSValue::get is implemented to:
2057             1) Check if the value is a cell – if not, synthesize a prototype to search,
2058             2) call getOwnPropertySlot on the cell,
2059             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2060         By all rights this should crash when passed a string and accessing a property that does not exist, because
2061         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2062         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2063         prototype chain, and faking out a return value of undefined if no property is found.
2064
2065         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2066         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2067
2068         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2069         slots anyway.
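
The three-step lookup described above, as an added example that is not JSC's code: a simplified model in which getOwnPropertySlot exists only on JSObject, a string cell is redirected to its prototype instead of being cast to JSObject, and a miss yields undefined rather than an unsafe cast. The class and prototype names, and the use of ints in place of JSValue results, are assumptions made for the example.

```cpp
#include <map>
#include <string>
#include <utility>

struct JSObject;

struct JSCell {
    virtual ~JSCell() {}
    virtual bool isObject() const { return false; }
};

// After the change, property slots belong to JSObject only; getOwnPropertySlot
// answers for own properties and never walks the prototype chain itself.
struct JSObject : JSCell {
    std::map<std::string, int> ownSlots; // name -> value (ints stand in for JSValue)
    JSObject* prototype = nullptr;
    bool isObject() const override { return true; }
    bool getOwnPropertySlot(const std::string& name, int& out) const {
        std::map<std::string, int>::const_iterator it = ownSlots.find(name);
        if (it == ownSlots.end())
            return false;
        out = it->second;
        return true;
    }
};

// A string is a cell but not an object: it carries no property slots of its own.
struct JSString : JSCell {
    std::string value;
    explicit JSString(std::string v) : value(std::move(v)) {}
};

// Minimal JSValue: a number or a pointer to a cell.
struct JSValue {
    bool isCell = false;
    double number = 0;
    JSCell* cell = nullptr;
    static JSValue fromNumber(double n) { JSValue v; v.number = n; return v; }
    static JSValue fromCell(JSCell* c) { JSValue v; v.isCell = true; v.cell = c; return v; }
};

// The prototype objects a lookup may be redirected to (hypothetical realm).
struct Realm {
    JSObject objectPrototype;
    JSObject stringPrototype;
    JSObject numberPrototype;
    Realm() {
        stringPrototype.prototype = &objectPrototype;
        numberPrototype.prototype = &objectPrototype;
    }
};

// Step 1: pick where the search starts. Non-cells get a synthesized prototype;
// a cell is cast to JSObject only after an explicit isObject() check, and a
// string cell is redirected to its prototype instead of being cast.
static JSObject* startOfSearch(Realm& realm, const JSValue& value) {
    if (!value.isCell)
        return &realm.numberPrototype;
    if (value.cell->isObject())
        return static_cast<JSObject*>(value.cell);
    return &realm.stringPrototype;
}

// Steps 2 and 3: ask for an own slot, then walk the prototype chain.
// Returns false (the caller treats this as undefined) when nothing is found.
bool getProperty(Realm& realm, const JSValue& value, const std::string& name, int& out) {
    for (JSObject* object = startOfSearch(realm, value); object; object = object->prototype) {
        if (object->getOwnPropertySlot(name, out))
            return true;
    }
    return false;
}

// Exercises the lookup on constructed sample values; returns the value found or -1.
int lookupCase(int which) {
    Realm realm;
    realm.objectPrototype.ownSlots["hasOwnProperty"] = 1;
    realm.stringPrototype.ownSlots["toUpperCase"] = 2;
    JSObject object;
    object.prototype = &realm.objectPrototype;
    object.ownSlots["x"] = 3;
    JSString str("hello");
    int out = -1;
    bool found = false;
    switch (which) {
    case 0: found = getProperty(realm, JSValue::fromCell(&object), "x", out); break;              // own property
    case 1: found = getProperty(realm, JSValue::fromCell(&object), "hasOwnProperty", out); break; // inherited
    case 2: found = getProperty(realm, JSValue::fromCell(&str), "toUpperCase", out); break;       // string -> String.prototype
    case 3: found = getProperty(realm, JSValue::fromCell(&str), "missing", out); break;           // miss: undefined, no crash
    default: found = getProperty(realm, JSValue::fromNumber(1.5), "hasOwnProperty", out); break;  // non-cell: synthesized prototype
    }
    return found ? out : -1;
}
```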
2070
2071         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
2072
2073 2013-07-31  Michael Saboff  <msaboff@apple.com>
2074
2075         [Win] JavaScript crash.
2076         https://bugs.webkit.org/show_bug.cgi?id=119339
2077
2078         Reviewed by Mark Hahnenberg.
2079
2080         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2081         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2082
2083 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2084
2085         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2086         https://bugs.webkit.org/show_bug.cgi?id=119281
2087
2088         Reviewed by Geoffrey Garen.
2089
2090         This leads to out of bounds accesses and subsequent crashes.
2091
2092         * dfg/DFGSpeculativeJIT.cpp:
2093         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2094         * dfg/DFGSpeculativeJIT64.cpp:
2095         (JSC::DFG::SpeculativeJIT::compile):
2096
2097 2013-07-30  Oliver Hunt  <oliver@apple.com>
2098
2099         Add an assertion to SpeculateCellOperand
2100         https://bugs.webkit.org/show_bug.cgi?id=119276
2101
2102         Reviewed by Michael Saboff.
2103
2104         More assertions are better
2105
2106         * dfg/DFGSpeculativeJIT64.cpp:
2107         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2108         (JSC::DFG::SpeculativeJIT::compile):
2109
2110 2013-07-30  Mark Lam  <mark.lam@apple.com>
2111
2112         Fix problems with divot and lineStart mismatches.
2113         https://bugs.webkit.org/show_bug.cgi?id=118662.
2114
2115         Reviewed by Oliver Hunt.
2116
2117         r152494 added the recording of lineStart values for divot positions.
2118         This is needed for the computation of column numbers. Similarly, it also
2119         added the recording of line numbers for the divot positions. One problem
2120         with the approach taken was that the line and lineStart values were
2121         recorded independently, and hence were not always guaranteed to be
2122         sampled at the same place that the divot position is recorded. This
2123         resulted in potential mismatches that cause some assertions to fail.
2124
2125         The solution is to introduce a JSTextPosition abstraction that records
2126         the divot position, line, and lineStart as a single quantity. Wherever
2127         we record the divot position as an unsigned int previously, we now record
2128         its JSTextPosition which captures all 3 values in one go. This ensures
2129         that the captured line and lineStart will always match the captured divot
2130         position.
2131
2132         * bytecompiler/BytecodeGenerator.cpp:
2133         (JSC::BytecodeGenerator::emitCall):
2134         (JSC::BytecodeGenerator::emitCallEval):
2135         (JSC::BytecodeGenerator::emitCallVarargs):
2136         (JSC::BytecodeGenerator::emitConstruct):
2137         (JSC::BytecodeGenerator::emitDebugHook):
2138         - Use JSTextPosition instead of passing line and lineStart explicitly.
2139         * bytecompiler/BytecodeGenerator.h:
2140         (JSC::BytecodeGenerator::emitExpressionInfo):
2141         - Use JSTextPosition instead of passing line and lineStart explicitly.
2142         * bytecompiler/NodesCodegen.cpp:
2143         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2144         (JSC::ResolveNode::emitBytecode):
2145         (JSC::BracketAccessorNode::emitBytecode):
2146         (JSC::DotAccessorNode::emitBytecode):
2147         (JSC::NewExprNode::emitBytecode):
2148         (JSC::EvalFunctionCallNode::emitBytecode):
2149         (JSC::FunctionCallValueNode::emitBytecode):
2150         (JSC::FunctionCallResolveNode::emitBytecode):
2151         (JSC::FunctionCallBracketNode::emitBytecode):
2152         (JSC::FunctionCallDotNode::emitBytecode):
2153         (JSC::CallFunctionCallDotNode::emitBytecode):
2154         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2155         (JSC::PostfixNode::emitResolve):
2156         (JSC::PostfixNode::emitBracket):
2157         (JSC::PostfixNode::emitDot):
2158         (JSC::DeleteResolveNode::emitBytecode):
2159         (JSC::DeleteBracketNode::emitBytecode):
2160         (JSC::DeleteDotNode::emitBytecode):
2161         (JSC::PrefixNode::emitResolve):
2162         (JSC::PrefixNode::emitBracket):
2163         (JSC::PrefixNode::emitDot):
2164         (JSC::UnaryOpNode::emitBytecode):
2165         (JSC::BinaryOpNode::emitStrcat):
2166         (JSC::BinaryOpNode::emitBytecode):
2167         (JSC::ThrowableBinaryOpNode::emitBytecode):
2168         (JSC::InstanceOfNode::emitBytecode):
2169         (JSC::emitReadModifyAssignment):
2170         (JSC::ReadModifyResolveNode::emitBytecode):
2171         (JSC::AssignResolveNode::emitBytecode):
2172         (JSC::AssignDotNode::emitBytecode):
2173         (JSC::ReadModifyDotNode::emitBytecode):
2174         (JSC::AssignBracketNode::emitBytecode):
2175         (JSC::ReadModifyBracketNode::emitBytecode):
2176         (JSC::ForInNode::emitBytecode):
2177         (JSC::WithNode::emitBytecode):
2178         (JSC::ThrowNode::emitBytecode):
2179         - Use JSTextPosition instead of passing line and lineStart explicitly.
2180         * parser/ASTBuilder.h:
2181         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2182         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2183         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2184         (JSC::ASTBuilder::createResolve):
2185         (JSC::ASTBuilder::createBracketAccess):
2186         (JSC::ASTBuilder::createDotAccess):
2187         (JSC::ASTBuilder::createRegExp):
2188         (JSC::ASTBuilder::createNewExpr):
2189         (JSC::ASTBuilder::createAssignResolve):
2190         (JSC::ASTBuilder::createExprStatement):
2191         (JSC::ASTBuilder::createForInLoop):
2192         (JSC::ASTBuilder::createReturnStatement):
2193         (JSC::ASTBuilder::createBreakStatement):
2194         (JSC::ASTBuilder::createContinueStatement):
2195         (JSC::ASTBuilder::createLabelStatement):
2196         (JSC::ASTBuilder::createWithStatement):
2197         (JSC::ASTBuilder::createThrowStatement):
2198         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2199         (JSC::ASTBuilder::appendUnaryToken):
2200         (JSC::ASTBuilder::unaryTokenStackLastStart):
2201         (JSC::ASTBuilder::assignmentStackAppend):
2202         (JSC::ASTBuilder::createAssignment):
2203         (JSC::ASTBuilder::setExceptionLocation):
2204         (JSC::ASTBuilder::makeDeleteNode):
2205         (JSC::ASTBuilder::makeFunctionCallNode):
2206         (JSC::ASTBuilder::makeBinaryNode):
2207         (JSC::ASTBuilder::makeAssignNode):
2208         (JSC::ASTBuilder::makePrefixNode):
2209         (JSC::ASTBuilder::makePostfixNode):
2210         - Use JSTextPosition instead of passing line and lineStart explicitly.
2211         * parser/Lexer.cpp:
2212         (JSC::::lex):
2213         - Added support for capturing the appropriate JSTextPositions instead
2214           of just the character offset.
2215         * parser/Lexer.h:
2216         (JSC::Lexer::currentPosition):
2217         (JSC::::lexExpectIdentifier):
2218         - Added support for capturing the appropriate JSTextPositions instead
2219           of just the character offset.
2220         * parser/NodeConstructors.h:
2221         (JSC::Node::Node):
2222         (JSC::ResolveNode::ResolveNode):
2223         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
2224         (JSC::FunctionCallValueNode::FunctionCallValueNode):
2225         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
2226         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
2227         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2228         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2229         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2230         (JSC::PostfixNode::PostfixNode):
2231         (JSC::DeleteResolveNode::DeleteResolveNode):
2232         (JSC::DeleteBracketNode::DeleteBracketNode):
2233         (JSC::DeleteDotNode::DeleteDotNode):
2234         (JSC::PrefixNode::PrefixNode):
2235         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2236         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
2237         (JSC::AssignBracketNode::AssignBracketNode):
2238         (JSC::AssignDotNode::AssignDotNode):
2239         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2240         (JSC::AssignErrorNode::AssignErrorNode):
2241         (JSC::WithNode::WithNode):
2242         (JSC::ForInNode::ForInNode):
2243         - Use JSTextPosition instead of passing line and lineStart explicitly.
2244         * parser/Nodes.cpp:
2245         (JSC::StatementNode::setLoc):
2246         - Use JSTextPosition instead of passing line and lineStart explicitly.
2247         * parser/Nodes.h:
2248         (JSC::Node::lineNo):
2249         (JSC::Node::startOffset):
2250         (JSC::Node::lineStartOffset):
2251         (JSC::Node::position):
2252         (JSC::ThrowableExpressionData::ThrowableExpressionData):
2253         (JSC::ThrowableExpressionData::setExceptionSourceCode):
2254         (JSC::ThrowableExpressionData::divot):
2255         (JSC::ThrowableExpressionData::divotStart):
2256         (JSC::ThrowableExpressionData::divotEnd):
2257         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
2258         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
2259         (JSC::ThrowableSubExpressionData::subexpressionDivot):
2260         (JSC::ThrowableSubExpressionData::subexpressionStart):
2261         (JSC::ThrowableSubExpressionData::subexpressionEnd):
2262         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
2263         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
2264         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
2265         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
2266         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
2267         - Use JSTextPosition instead of passing line and lineStart explicitly.
2268         * parser/Parser.cpp:
2269         (JSC::::Parser):
2270         (JSC::::parseInner):
2271         - Use JSTextPosition instead of passing line and lineStart explicitly.
2272         (JSC::::didFinishParsing):
2273         - Remove setting of m_lastLine value. We always pass in the value from
2274           m_lastLine anyway. So, this assignment is effectively a nop.
2275         (JSC::::parseVarDeclaration):
2276         (JSC::::parseVarDeclarationList):
2277         (JSC::::parseForStatement):
2278         (JSC::::parseBreakStatement):
2279         (JSC::::parseContinueStatement):
2280         (JSC::::parseReturnStatement):
2281         (JSC::::parseThrowStatement):
2282         (JSC::::parseWithStatement):
2283         (JSC::::parseTryStatement):
2284         (JSC::::parseBlockStatement):
2285         (JSC::::parseFunctionDeclaration):
2286         (JSC::LabelInfo::LabelInfo):
2287         (JSC::::parseExpressionOrLabelStatement):
2288         (JSC::::parseExpressionStatement):
2289         (JSC::::parseAssignmentExpression):
2290         (JSC::::parseBinaryExpression):
2291         (JSC::::parseProperty):
2292         (JSC::::parsePrimaryExpression):
2293         (JSC::::parseMemberExpression):
2294         (JSC::::parseUnaryExpression):
2295         - Use JSTextPosition instead of passing line and lineStart explicitly.
2296         * parser/Parser.h:
2297         (JSC::Parser::next):
2298         (JSC::Parser::nextExpectIdentifier):
2299         (JSC::Parser::getToken):
2300         (JSC::Parser::tokenStartPosition):
2301         (JSC::Parser::tokenEndPosition):
2302         (JSC::Parser::lastTokenEndPosition):
2303         (JSC::::parse):
2304         - Use JSTextPosition instead of passing line and lineStart explicitly.
2305         * parser/ParserTokens.h:
2306         (JSC::JSTextPosition::JSTextPosition):
2307         (JSC::JSTextPosition::operator+):
2308         (JSC::JSTextPosition::operator-):
2309         (JSC::JSTextPosition::operator int):
2310         - Added JSTextPosition.
2311         * parser/SyntaxChecker.h:
2312         (JSC::SyntaxChecker::makeFunctionCallNode):
2313         (JSC::SyntaxChecker::makeAssignNode):
2314         (JSC::SyntaxChecker::makePrefixNode):
2315         (JSC::SyntaxChecker::makePostfixNode):
2316         (JSC::SyntaxChecker::makeDeleteNode):
2317         (JSC::SyntaxChecker::createResolve):
2318         (JSC::SyntaxChecker::createBracketAccess):
2319         (JSC::SyntaxChecker::createDotAccess):
2320         (JSC::SyntaxChecker::createRegExp):
2321         (JSC::SyntaxChecker::createNewExpr):
2322         (JSC::SyntaxChecker::createAssignResolve):
2323         (JSC::SyntaxChecker::createForInLoop):
2324         (JSC::SyntaxChecker::createReturnStatement):
2325         (JSC::SyntaxChecker::createBreakStatement):
2326         (JSC::SyntaxChecker::createContinueStatement):
2327         (JSC::SyntaxChecker::createWithStatement):
2328         (JSC::SyntaxChecker::createLabelStatement):
2329         (JSC::SyntaxChecker::createThrowStatement):
2330         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2331         (JSC::SyntaxChecker::operatorStackPop):
2332         - Use JSTextPosition instead of passing line and lineStart explicitly.
2333
2334 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
2335
2336         Unreviewed. Fix make distcheck.
2337
2338         * GNUmakefile.list.am: Add missing files to compilation.
2339         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
2340         include FTL header files not included in the compilation.
2341         * dfg/DFGDriver.cpp: Ditto.
2342         * dfg/DFGPlan.cpp: Ditto.
2343
2344 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
2345
2346         Eager stack trace for error objects.
2347         https://bugs.webkit.org/show_bug.cgi?id=118918
2348
2349         Reviewed by Geoffrey Garen.
2350         
2351         Chrome and Firefox give error objects the stack property and we wanted to match
2352         that functionality. This allows developers to see the stack without throwing an object.
2353
2354         * runtime/ErrorInstance.cpp:
2355         (JSC::ErrorInstance::finishCreation):
2356          For error objects that are not thrown as an exception, we pass the stackTrace in 
2357          as a parameter. This allows the error object to have the stack property.
2358         
2359         * interpreter/Interpreter.cpp:
2360         (JSC::stackTraceAsString):
2361         Helper function used to eliminate duplicate code.
2362
2363         (JSC::Interpreter::addStackTraceIfNecessary):
2364         When an error object is created by the user the vm->exceptionStack is not set.
2365         If the user throws this error object later the stack that is in the error object 
2366         may not be the correct stack for the throw, so when we set the vm->exception stack,
2367         the stack property on the error object is set as well.
2368         
2369         * runtime/ErrorConstructor.cpp:
2370         (JSC::constructWithErrorConstructor):
2371         (JSC::callErrorConstructor):
2372         * runtime/NativeErrorConstructor.cpp:
2373         (JSC::constructWithNativeErrorConstructor):
2374         (JSC::callNativeErrorConstructor):
2375         These functions indicate that the user created an error object. For all error objects 
2376         that the user explicitly creates, the topCallFrame is at a new frame created to 
2377         handle the user's call. In this case though, the error object needs the caller's 
2378         frame to create the stack trace correctly.
2379         
2380         * interpreter/Interpreter.h:
2381         * runtime/ErrorInstance.h:
2382         (JSC::ErrorInstance::create):
2383
2384 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
2385
2386         Some cleanup in PropertySlot
2387         https://bugs.webkit.org/show_bug.cgi?id=119189
2388
2389         Reviewed by Geoff Garen.
2390
2391         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
2392         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
2393         is set to a special value to indicate the type (other than custom), and the type is also tracked by
2394         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
2395         (this is invalidOffset if not cacheable).
2396
2397             * Internally, always track the type of the property using an enum value, PropertyType.
2398             * Use m_offset to indicate cacheable.
2399             * Keep the external interface (CachedPropertyType) unchanged.
2400             * Better pack data into the m_data union.
2401
2402         Performance neutral.
2403
2404         * dfg/DFGRepatch.cpp:
2405         (JSC::DFG::tryCacheGetByID):
2406         (JSC::DFG::tryBuildGetByIDList):
2407             - cachedPropertyType() -> isCacheable*()
2408         * jit/JITPropertyAccess.cpp:
2409         (JSC::JIT::privateCompileGetByIdProto):
2410         (JSC::JIT::privateCompileGetByIdSelfList):
2411         (JSC::JIT::privateCompileGetByIdProtoList):
2412         (JSC::JIT::privateCompileGetByIdChainList):
2413         (JSC::JIT::privateCompileGetByIdChain):
2414             - cachedPropertyType() -> isCacheable*()
2415         * jit/JITPropertyAccess32_64.cpp:
2416         (JSC::JIT::privateCompileGetByIdProto):
2417         (JSC::JIT::privateCompileGetByIdSelfList):
2418         (JSC::JIT::privateCompileGetByIdProtoList):
2419         (JSC::JIT::privateCompileGetByIdChainList):
2420         (JSC::JIT::privateCompileGetByIdChain):
2421             - cachedPropertyType() -> isCacheable*()
2422         * jit/JITStubs.cpp:
2423         (JSC::tryCacheGetByID):
2424             - cachedPropertyType() -> isCacheable*()
2425         * llint/LLIntSlowPaths.cpp:
2426         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2427             - cachedPropertyType() -> isCacheable*()
2428         * runtime/PropertySlot.cpp:
2429         (JSC::PropertySlot::functionGetter):
2430             - refactoring described above.
2431         * runtime/PropertySlot.h:
2432         (JSC::PropertySlot::PropertySlot):
2433         (JSC::PropertySlot::getValue):
2434         (JSC::PropertySlot::isCacheable):
2435         (JSC::PropertySlot::isCacheableValue):
2436         (JSC::PropertySlot::isCacheableGetter):
2437         (JSC::PropertySlot::isCacheableCustom):
2438         (JSC::PropertySlot::cachedOffset):
2439         (JSC::PropertySlot::customGetter):
2440         (JSC::PropertySlot::setValue):
2441         (JSC::PropertySlot::setCustom):
2442         (JSC::PropertySlot::setCacheableCustom):
2443         (JSC::PropertySlot::setCustomIndex):
2444         (JSC::PropertySlot::setGetterSlot):
2445         (JSC::PropertySlot::setCacheableGetterSlot):
2446         (JSC::PropertySlot::setUndefined):
2447         (JSC::PropertySlot::slotBase):
2448         (JSC::PropertySlot::setBase):
2449             - refactoring described above.
2450
2451 2013-07-28  Oliver Hunt  <oliver@apple.com>
2452
2453         REGRESSION: Crash when opening Facebook.com
2454         https://bugs.webkit.org/show_bug.cgi?id=119155
2455
2456         Reviewed by Andreas Kling.
2457
2458         Scope nodes are always objects, so we should be using SpecObjectOther
2459         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
2460         contradiction in the CFA, resulting in bogus codegen.
2461
2462         * dfg/DFGAbstractInterpreterInlines.h:
2463         (JSC::DFG::::executeEffects):
2464         * dfg/DFGPredictionPropagationPhase.cpp:
2465         (JSC::DFG::PredictionPropagationPhase::propagate):
2466
2467 2013-07-26  Oliver Hunt  <oliver@apple.com>
2468
2469         REGRESSION(FTL?): Crashes in plugin tests
2470         https://bugs.webkit.org/show_bug.cgi?id=119141
2471
2472         Reviewed by Michael Saboff.
2473
2474         Re-export getStackTrace
2475
2476         * interpreter/Interpreter.h:
2477
2478 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
2479
2480         REGRESSION: Crash when opening a message on Gmail
2481         https://bugs.webkit.org/show_bug.cgi?id=119105
2482
2483         Reviewed by Oliver Hunt and Mark Hahnenberg.
2484         
2485         - GetById patching in the DFG needs to be more disciplined about how it derives the
2486           slow path.
2487         
2488         - Fix some dumping code thread safety issues.
2489
2490         * bytecode/CallLinkStatus.cpp:
2491         (JSC::CallLinkStatus::dump):
2492         * bytecode/CodeBlock.cpp:
2493         (JSC::CodeBlock::dumpBytecode):
2494         * dfg/DFGRepatch.cpp:
2495         (JSC::DFG::getPolymorphicStructureList):
2496         (JSC::DFG::tryBuildGetByIDList):
2497
2498 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
2499
2500         [mips] Fix LLINT build for mips backend
2501         https://bugs.webkit.org/show_bug.cgi?id=119152
2502
2503         Reviewed by Oliver Hunt.
2504
2505         * offlineasm/mips.rb:
2506
2507 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2508
2509         Setting a large numeric property on an object causes it to allocate a huge backing store
2510         https://bugs.webkit.org/show_bug.cgi?id=118914
2511
2512         Reviewed by Geoffrey Garen.
2513
2514         There are two distinct actions that we're trying to optimize for:
2515
2516         new Array(100000);
2517
2518         and:
2519
2520         a = [];
2521         a[100000] = 42;
2522         
2523         In the first case, the programmer has indicated that they expect this Array to be very big, 
2524         so they should get a contiguous array up until some threshold, above which we perform density 
2525         calculations to see if it is indeed dense enough to warrant being contiguous.
2526         
2527         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
2528         we should be more conservative and assume it should be sparse until we've proven otherwise.
2529         
2530         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
2531         between them for the purposes of not over-allocating large backing stores like we see on 
2532         http://www.peekanalytics.com/burgerjoints/
2533         
2534         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
2535         introduce a new heuristic for the second case. If we are putting to an index above a certain 
2536         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
2537         map instead. So for example, in the second case above the empty array has a blank indexing 
2538         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
2539
2540         This fix is ~800x speedup on the accompanying regression test :-o
2541
2542         * runtime/ArrayConventions.h:
2543         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
2544         * runtime/JSObject.cpp:
2545         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2546         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2547         (JSC::JSObject::putByIndexBeyondVectorLength):
2548         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
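
The following is an added illustrative model of the heuristic described in this entry; it is not JavaScriptCore's code, and the `ModelArray` class, the helper names and the 1000 threshold (taken from the entry's "say, 1000") are assumptions. It shows why the two access patterns must be told apart: with a single heuristic, one store to `a[100000]` on an empty array reserved a 100001-slot backing store, whereas routing that store to a sparse map costs one map entry.

```javascript
// Illustrative model of the put-by-val heuristic (not JSC's implementation).
// Assumption: the "sufficiently beyond length" threshold used in the prose.
const SPARSE_BEYOND_LENGTH_THRESHOLD = 1000;

// Mirrors the decision the entry describes: an index goes to the sparse map
// only if it is above the threshold AND beyond the array's current length.
function indexIsSufficientlyBeyondLengthForSparseMap(index, length) {
  return index > SPARSE_BEYOND_LENGTH_THRESHOLD && index > length;
}

// Toy array that records how much contiguous ("vector") storage it would
// reserve versus how many elements end up in a sparse map.
class ModelArray {
  constructor(requestedLength = 0) {
    // new Array(n) is the programmer's size hint: reserve n slots up front.
    // (The real engine applies density checks above a limit; omitted here.)
    this.vector = new Array(requestedLength).fill(undefined);
    this.length = requestedLength;
    this.sparseMap = new Map();
  }

  put(index, value) {
    if (index < this.vector.length) {
      this.vector[index] = value;
    } else if (indexIsSufficientlyBeyondLengthForSparseMap(index, this.length)) {
      // One map entry instead of a backing store of index + 1 slots.
      this.sparseMap.set(index, value);
    } else {
      // Dense path: grow the contiguous vector to cover the new index.
      while (this.vector.length <= index) this.vector.push(undefined);
      this.vector[index] = value;
    }
    if (index >= this.length) this.length = index + 1;
  }

  footprint() {
    return {
      vectorSlots: this.vector.length,
      sparseEntries: this.sparseMap.size,
      length: this.length,
    };
  }
}

// Case 1 from the entry: explicit size hint, then a write inside it.
// The hint is honoured, so storage stays contiguous.
function sizedArrayFootprint() {
  const a = new ModelArray(100000);
  a.put(99999, 42);
  return a.footprint();
}

// Case 2 from the entry: empty array, single write far beyond its length.
// The index is above the threshold and beyond length, so it is sparse.
function emptyArrayFarWriteFootprint() {
  const a = new ModelArray();
  a.put(100000, 42);
  return a.footprint();
}

// Control: empty array, write below the threshold. Still dense; the vector
// simply grows to 501 slots.
function emptyArraySmallWriteFootprint() {
  const a = new ModelArray();
  a.put(500, 42);
  return a.footprint();
}
```

Run the three functions to compare footprints: only the far write on an empty array lands in the sparse map, while the sized array and the small write keep contiguous storage.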
2549
2550 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2551
2552         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
2553         https://bugs.webkit.org/show_bug.cgi?id=119148
2554
2555         Reviewed by Csaba Osztrogonác.
2556
2557         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
2558         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
2559         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
2560         code duplication.
2561
2562 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2563
2564         REGRESSION(FTL): Crash in sh4 baseline JIT.
2565         https://bugs.webkit.org/show_bug.cgi?id=119138
2566
2567         Reviewed by Csaba Osztrogonác.
2568
2569         This crash is due to incomplete report of r150146 and r148474.
2570
2571         * jit/JITStubsSH4.h:
2572
2573 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
2574
2575         Unreviewed.
2576
2577         * Target.pri: Adding missing DFG files to the Qt build.
2578
2579 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2580
2581         GTK and Qt buildfix after the intrusive win buildfix r153360.
2582
2583         * GNUmakefile.list.am:
2584         * Target.pri:
2585
2586 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2587
2588         Unreviewed, fix build break after r153360.
2589
2590         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
2591
2592 2013-07-25  Roger Fong  <roger_fong@apple.com>
2593
2594         Unreviewed build fix, AppleWin port.
2595
2596         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2597         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2598         * JavaScriptCore.vcxproj/copy-files.cmd:
2599
2600 2013-07-25  Roger Fong  <roger_fong@apple.com>
2601
2602         Unreviewed. Followup to r153360.
2603
2604         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2605         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2606
2607 2013-07-25  Michael Saboff  <msaboff@apple.com>
2608
2609         [Windows] Speculative build fix.
2610
2611         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2612         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2613
2614         * JavaScriptCore.xcodeproj/project.pbxproj:
2615         * llint/LLIntExceptions.cpp:
2616         * llint/LLIntExceptions.h:
2617         * llint/LLIntSlowPaths.cpp:
2618         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2619         * runtime/CommonSlowPaths.cpp:
2620         (JSC::SLOW_PATH_DECL):
2621         * runtime/CommonSlowPathsExceptions.cpp: Added.
2622         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2623         * runtime/CommonSlowPathsExceptions.h: Added.
2624
2625 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2626
2627         [Windows] Unreviewed build fix.
2628
2629         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2630         parser/SourceCode.h,.cpp.
2631         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2632
2633 2013-07-25  Anders Carlsson  <andersca@apple.com>
2634
2635         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2636         https://bugs.webkit.org/show_bug.cgi?id=119108
2637
2638         Reviewed by Mark Hahnenberg.
2639
2640         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2641
2642         * heap/CopiedSpace.cpp:
2643         (JSC::CopiedSpace::tryAllocateSlowCase):
2644         * heap/Heap.cpp:
2645         (JSC::Heap::protect):
2646         (JSC::Heap::unprotect):
2647         (JSC::Heap::collect):
2648         * heap/MarkedAllocator.cpp:
2649         (JSC::MarkedAllocator::allocateSlowCase):
2650         * runtime/JSGlobalObject.cpp:
2651         (JSC::JSGlobalObject::init):
2652         * runtime/VM.h:
2653         (JSC::VM::currentThreadIsHoldingAPILock):
2654
2655 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2656
2657         REGRESSION(FTL): Most layout tests crashes
2658         https://bugs.webkit.org/show_bug.cgi?id=119089
2659
2660         Reviewed by Oliver Hunt.
2661
2662         * runtime/ExecutionHarness.h:
2663         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2664         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2665         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
2666         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2667         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2668         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2669
2670 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2671
2672         [Windows] Unreviewed build fix.
2673
2674         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2675         include path.
2676
2677 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2678
2679         [Windows] Unreviewed build fix.
2680
2681         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2682         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2683         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2684
2685 2013-07-25  Oliver Hunt  <oliver@apple.com>
2686
2687         Make all jit & non-jit combos build cleanly
2688         https://bugs.webkit.org/show_bug.cgi?id=119102
2689
2690         Reviewed by Anders Carlsson.
2691
2692         * bytecode/CodeBlock.cpp:
2693         (JSC::CodeBlock::counterValueForOptimizeSoon):
2694         * bytecode/CodeBlock.h:
2695         (JSC::CodeBlock::optimizeAfterWarmUp):
2696         (JSC::CodeBlock::numberOfDFGCompiles):
2697
2698 2013-07-25  Oliver Hunt  <oliver@apple.com>
2699
2700         32 bit portion of load validation logic
2701         https://bugs.webkit.org/show_bug.cgi?id=118878
2702
2703         Reviewed by NOBODY (Build fix).
2704
2705         * dfg/DFGSpeculativeJIT32_64.cpp:
2706         (JSC::DFG::SpeculativeJIT::compile):
2707
2708 2013-07-25  Oliver Hunt  <oliver@apple.com>
2709
2710         More 32bit build fixes
2711
2712         - Apparently some compilers don't track the fastcall directive everywhere we expect
2713
2714         * API/APICallbackFunction.h:
2715         (JSC::APICallbackFunction::call):
2716         * bytecode/CodeBlock.cpp:
2717         * runtime/Structure.cpp:
2718
2719 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2720
2721         Optimize the thread locks for API Shims
2722         https://bugs.webkit.org/show_bug.cgi?id=118573
2723
2724         Reviewed by Geoffrey Garen.
2725
2726         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2727         only used by WebCore's main thread).
2728
2729         * API/APIShims.h:
2730         (JSC::APIEntryShim::APIEntryShim):
2731         (JSC::APICallbackShim::APICallbackShim):
2732         * runtime/JSLock.cpp:
2733         (JSC::JSLockHolder::JSLockHolder):
2734         (JSC::JSLockHolder::init):
2735         (JSC::JSLockHolder::~JSLockHolder):
2736         (JSC::JSLock::DropAllLocks::DropAllLocks):
2737         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2738         * runtime/VM.cpp:
2739         (JSC::VM::VM):
2740         * runtime/VM.h:
2741
2742 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2743
2744         Unreviewed build fix after r153218.
2745
2746         Broke the EFL port build with gcc 4.7.
2747
2748         * interpreter/StackIterator.cpp:
2749         (JSC::printif):
2750
2751 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2752
2753         Build fix: add missing #include.
2754         https://bugs.webkit.org/show_bug.cgi?id=119087
2755
2756         Reviewed by Allan Sandfeld Jensen.
2757
2758         * bytecode/ArrayProfile.cpp:
2759
2760 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2761
2762         Unreviewed, build fix on the EFL port.
2763
2764         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2765
2766 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2767
2768         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2769         https://bugs.webkit.org/show_bug.cgi?id=119083
2770
2771         Reviewed by Allan Sandfeld Jensen.
2772
2773         * assembler/MacroAssemblerSH4.h:
2774         (JSC::MacroAssemblerSH4::store8):
2775
2776 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2777
2778         [Qt] Fix test build after FTL upstream
2779
2780         Unreviewed build fix.
2781
2782         * Target.pri:
2783
2784 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2785
2786         [Qt] Build fix after FTL.
2787
2788         Unreviewed build fix.
2789
2790         * Target.pri:
2791         * interpreter/StackIterator.cpp:
2792         (JSC::StackIterator::Frame::print):
2793
2794 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2795
2796         Unreviewed build fix after FTL upstream.
2797
2798         * dfg/DFGWorklist.cpp:
2799         (JSC::DFG::Worklist::~Worklist):
2800
2801 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2802
2803         Unreviewed, build fix on the EFL port.
2804
2805         * CMakeLists.txt:
2806         Added SourceCode.cpp and removed BlackBerry file.
2807         * jit/JITCode.h:
2808         (JSC::JITCode::nextTierJIT):
2809         Fixed build break because of -Werror=return-type
2810         * parser/Lexer.cpp: Includes JSFunctionInlines.h
2811         * runtime/JSScope.h:
2812         (JSC::makeType):
2813         Fixed build break because of -Werror=return-type
2814
2815 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2816
2817         Unreviewed build fixing after FTL upstream.
2818
2819         * runtime/Executable.cpp:
2820         (JSC::FunctionExecutable::produceCodeBlockFor):
2821
2822 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2823
2824         Add missing implementation of bxxxnz in sh4 LLINT.
2825         https://bugs.webkit.org/show_bug.cgi?id=119079
2826
2827         Reviewed by Allan Sandfeld Jensen.
2828
2829         * offlineasm/sh4.rb:
2830
2831 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2832
2833         Unreviewed, build fix on the Qt port.
2834
2835         * Target.pri: Add additional build files for the FTL.
2836
2837 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2838
2839         Unreviewed buildfix after FTL upstream.
2840
2841         * interpreter/StackIterator.cpp:
2842         (JSC::StackIterator::Frame::codeType):
2843         (JSC::StackIterator::Frame::functionName):
2844         (JSC::StackIterator::Frame::sourceURL):
2845         (JSC::StackIterator::Frame::logicalFrame):
2846
2847 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2848
2849         Unreviewed.
2850
2851         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
2852         method is not left undefined, causing build failures on (at least) the GTK port.
2853
2854 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2855
2856         Unreviewed, further build fixing on the GTK port.
2857
2858         * GNUmakefile.list.am: Add CompilationResult source files to the build.
2859
2860 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2861
2862         Unreviewed GTK build fixing.
2863
2864         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
2865         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
2866
2867 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2868
2869         Buildfix after this error:
2870         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
2871
2872         * dfg/DFGPlan.cpp:
2873         (JSC::DFG::Plan::compileInThread):
2874
2875 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2876
2877         One more buildfix after FTL upstream.
2878
2879         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
2880
2881         * dfg/DFGLazyJSValue.cpp:
2882         (JSC::DFG::LazyJSValue::getValue):
2883         (JSC::DFG::LazyJSValue::strictEqual):
2884
2885 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2886
2887         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
2888         https://bugs.webkit.org/show_bug.cgi?id=119076
2889
2890         Reviewed by Allan Sandfeld Jensen.
2891
2892         * offlineasm/mips.rb:
2893         * offlineasm/sh4.rb:
2894
2895 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2896
2897         Unreviewed GTK build fix.
2898
2899         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
2900
2901 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2902
2903         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
2904         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
2905
2906         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
2907
2908 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2909
2910         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
2911
2912         * GNUmakefile.am:
2913         * GNUmakefile.list.am:
2914
2915 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2916
2917         Unreviewed buildfix after FTL upstream.
2918
2919         * runtime/JSScope.h:
2920         (JSC::needsVarInjectionChecks):
2921
2922 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2923
2924         One more fix after FTL upstream.
2925
2926         * Target.pri:
2927         * bytecode/CodeBlock.h:
2928         * bytecode/GetByIdStatus.h:
2929         (JSC::GetByIdStatus::GetByIdStatus):
2930
2931 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2932
2933         Unreviewed buildfix after FTL upstream.
2934
2935         Add ftl directory as include path.
2936
2937         * CMakeLists.txt:
2938         * JavaScriptCore.pri:
2939
2940 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2941
2942         Unreviewed buildfix after FTL upstream for non C++11 builds.
2943
2944         * interpreter/CallFrame.h:
2945         * interpreter/StackIteratorPrivate.h:
2946         (JSC::StackIterator::end):
2947
2948 2013-07-24  Oliver Hunt  <oliver@apple.com>
2949
2950         Endeavour to fix CMakelist builds
2951
2952         * CMakeLists.txt:
2953
2954 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
2955
2956         fourthTier: DFG IR dumps should be easier to read
2957         https://bugs.webkit.org/show_bug.cgi?id=119050
2958
2959         Reviewed by Mark Hahnenberg.
2960         
2961         Added a DumpContext that includes support for printing an endnote
2962         that describes all structures in full, while the main flow of the
2963         dump just uses made-up names for the structures. This is helpful
2964         since Structure::dump() may print a lot. The stuff it prints is
2965         useful, but if it's all inline with the surrounding thing you're
2966         dumping (often, a node in the DFG), then you get a ridiculously
2967         long print-out. All classes that dump structures (including
2968         Structure itself) now have dumpInContext() methods that use
2969         inContext() for dumping anything that might transitively print a
2970         structure. If Structure::dumpInContext() is called with a NULL
2971         context, it just uses dump() like before. Hence you don't have to
2972         know anything about DumpContext unless you want to.
2973         
2974         inContext(*structure, context) dumps something like %B4:Array,
2975         and the endnote will have something like:
2976         
2977             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
2978         
2979         where B4 is the inferred name that StringHashDumpContext came up
2980         with.
2981         
2982         Also shortened a bunch of other dumps, removing information that
2983         isn't so important.
2984         
2985         * JavaScriptCore.xcodeproj/project.pbxproj:
2986         * bytecode/ArrayProfile.cpp:
2987         (JSC::dumpArrayModes):
2988         * bytecode/CodeBlockHash.cpp:
2989         (JSC):
2990         (JSC::CodeBlockHash::CodeBlockHash):
2991         (JSC::CodeBlockHash::dump):
2992         * bytecode/CodeOrigin.cpp:
2993         (JSC::CodeOrigin::dumpInContext):
2994         (JSC):
2995         (JSC::InlineCallFrame::dumpInContext):
2996         (JSC::InlineCallFrame::dump):
2997         * bytecode/CodeOrigin.h:
2998         (CodeOrigin):
2999         (InlineCallFrame):
3000         * bytecode/Operands.h:
3001         (JSC::OperandValueTraits::isEmptyForDump):
3002         (Operands):
3003         (JSC::Operands::dump):
3004         (JSC):
3005         * bytecode/OperandsInlines.h: Added.
3006         (JSC):
3007         (JSC::::dumpInContext):
3008         * bytecode/StructureSet.h:
3009         (JSC::StructureSet::dumpInContext):
3010         (JSC::StructureSet::dump):
3011         (StructureSet):
3012         * dfg/DFGAbstractValue.cpp:
3013         (JSC::DFG::AbstractValue::dump):
3014         (DFG):
3015         (JSC::DFG::AbstractValue::dumpInContext):
3016         * dfg/DFGAbstractValue.h:
3017         (JSC::DFG::AbstractValue::operator!):
3018         (AbstractValue):
3019         * dfg/DFGCFAPhase.cpp:
3020         (JSC::DFG::CFAPhase::performBlockCFA):
3021         * dfg/DFGCommon.cpp:
3022         * dfg/DFGCommon.h:
3023         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3024         * dfg/DFGDisassembler.cpp:
3025         (JSC::DFG::Disassembler::createDumpList):
3026         * dfg/DFGDisassembler.h:
3027         (Disassembler):
3028         * dfg/DFGFlushFormat.h:
3029         (WTF::inContext):
3030         (WTF):
3031         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3032         * dfg/DFGGraph.cpp:
3033         (JSC::DFG::Graph::dumpCodeOrigin):
3034         (JSC::DFG::Graph::dump):
3035         (JSC::DFG::Graph::dumpBlockHeader):
3036         * dfg/DFGGraph.h:
3037         (Graph):
3038         * dfg/DFGLazyJSValue.cpp:
3039         (JSC::DFG::LazyJSValue::dumpInContext):
3040         (JSC::DFG::LazyJSValue::dump):
3041         (DFG):
3042         * dfg/DFGLazyJSValue.h:
3043         (LazyJSValue):
3044         * dfg/DFGNode.h:
3045         (JSC::DFG::nodeMapDump):
3046         (WTF::inContext):
3047         (WTF):
3048         * dfg/DFGOSRExitCompiler32_64.cpp:
3049         (JSC::DFG::OSRExitCompiler::compileExit):
3050         * dfg/DFGOSRExitCompiler64.cpp:
3051         (JSC::DFG::OSRExitCompiler::compileExit):
3052         * dfg/DFGStructureAbstractValue.h:
3053         (JSC::DFG::StructureAbstractValue::dumpInContext):
3054         (JSC::DFG::StructureAbstractValue::dump):
3055         (StructureAbstractValue):
3056         * ftl/FTLExitValue.cpp:
3057         (JSC::FTL::ExitValue::dumpInContext):
3058         (JSC::FTL::ExitValue::dump):
3059         (FTL):
3060         * ftl/FTLExitValue.h:
3061         (ExitValue):
3062         * ftl/FTLLowerDFGToLLVM.cpp:
3063         * ftl/FTLValueSource.cpp:
3064         (JSC::FTL::ValueSource::dumpInContext):
3065         (FTL):
3066         * ftl/FTLValueSource.h:
3067         (ValueSource):
3068         * runtime/DumpContext.cpp: Added.
3069         (JSC):
3070         (JSC::DumpContext::DumpContext):
3071         (JSC::DumpContext::~DumpContext):
3072         (JSC::DumpContext::isEmpty):
3073         (JSC::DumpContext::dump):
3074         * runtime/DumpContext.h: Added.
3075         (JSC):
3076         (DumpContext):
3077         * runtime/JSCJSValue.cpp:
3078         (JSC::JSValue::dump):
3079         (JSC):
3080         (JSC::JSValue::dumpInContext):
3081         * runtime/JSCJSValue.h:
3082         (JSC):
3083         (JSValue):
3084         * runtime/Structure.cpp:
3085         (JSC::Structure::dumpInContext):
3086         (JSC):
3087         (JSC::Structure::dumpBrief):
3088         (JSC::Structure::dumpContextHeader):
3089         * runtime/Structure.h:
3090         (JSC):
3091         (Structure):
3092
3093 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3094
3095         fourthTier: DFG should do a high-level LICM before going to FTL
3096         https://bugs.webkit.org/show_bug.cgi?id=118749
3097
3098         Reviewed by Oliver Hunt.
3099         
3100         Implements LICM hoisting for nodes that never write anything and never read
3101         things that are clobbered by the loop. There are some other preconditions for
3102         hoisting, see DFGLICMPhase.cpp.
3103
3104         Also did a few fixes:
3105         
3106         - ClobberSet::add was failing to switch Super entries to Direct entries in
3107           some cases.
3108         
3109         - DFGClobberize.cpp needed to #include "Operations.h".
3110         
3111         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3112         
3113         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3114           Knowing the indexInBlock is an optional optimization that all other clients
3115           of AI still opt into, but LICM doesn't.
3116         
3117         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3118
3119         * JavaScriptCore.xcodeproj/project.pbxproj:
3120         * dfg/DFGAbstractInterpreter.h:
3121         (AbstractInterpreter):
3122         * dfg/DFGAbstractInterpreterInlines.h:
3123         (JSC::DFG::::executeEffects):
3124         (JSC::DFG::::execute):
3125         (DFG):
3126         (JSC::DFG::::clobberWorld):
3127         (JSC::DFG::::clobberStructures):
3128         * dfg/DFGAtTailAbstractState.cpp: Added.
3129         (DFG):
3130         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3131         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3132         (JSC::DFG::AtTailAbstractState::createValueForNode):
3133         (JSC::DFG::AtTailAbstractState::forNode):
3134         * dfg/DFGAtTailAbstractState.h: Added.
3135         (DFG):
3136         (AtTailAbstractState):
3137         (JSC::DFG::AtTailAbstractState::initializeTo):
3138         (JSC::DFG::AtTailAbstractState::forNode):
3139         (JSC::DFG::AtTailAbstractState::variables):
3140         (JSC::DFG::AtTailAbstractState::block):
3141         (JSC::DFG::AtTailAbstractState::isValid):
3142         (JSC::DFG::AtTailAbstractState::setDidClobber):
3143         (JSC::DFG::AtTailAbstractState::setIsValid):
3144         (JSC::DFG::AtTailAbstractState::setBranchDirection):
3145         (JSC::DFG::AtTailAbstractState::setFoundConstants):
3146         (JSC::DFG::AtTailAbstractState::haveStructures):
3147         (JSC::DFG::AtTailAbstractState::setHaveStructures):
3148         * dfg/DFGBasicBlock.h:
3149         (JSC::DFG::BasicBlock::insertBeforeLast):
3150         * dfg/DFGBasicBlockInlines.h:
3151         (DFG):
3152         * dfg/DFGClobberSet.cpp:
3153         (JSC::DFG::ClobberSet::add):
3154         (JSC::DFG::ClobberSet::addAll):
3155         * dfg/DFGClobberize.cpp:
3156         (JSC::DFG::doesWrites):
3157         * dfg/DFGClobberize.h:
3158         (DFG):
3159         * dfg/DFGDCEPhase.cpp:
3160         (JSC::DFG::DCEPhase::DCEPhase):
3161         (JSC::DFG::DCEPhase::run):
3162         (JSC::DFG::DCEPhase::fixupBlock):
3163         (DCEPhase):
3164         * dfg/DFGEdgeDominates.h: Added.
3165         (DFG):
3166         (EdgeDominates):
3167         (JSC::DFG::EdgeDominates::EdgeDominates):
3168         (JSC::DFG::EdgeDominates::operator()):
3169         (JSC::DFG::EdgeDominates::result):
3170         (JSC::DFG::edgesDominate):
3171         * dfg/DFGFixupPhase.cpp:
3172         (JSC::DFG::FixupPhase::fixupNode):
3173         (JSC::DFG::FixupPhase::checkArray):
3174         * dfg/DFGLICMPhase.cpp: Added.
3175         (LICMPhase):
3176         (JSC::DFG::LICMPhase::LICMPhase):
3177         (JSC::DFG::LICMPhase::run):
3178         (JSC::DFG::LICMPhase::attemptHoist):
3179         (DFG):
3180         (JSC::DFG::performLICM):
3181         * dfg/DFGLICMPhase.h: Added.
3182         (DFG):
3183         * dfg/DFGPlan.cpp:
3184         (JSC::DFG::Plan::compileInThreadImpl):
3185
3186 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3187
3188         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
3189         https://bugs.webkit.org/show_bug.cgi?id=118910
3190
3191         Reviewed by Sam Weinig.
3192         
3193         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
3194         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
3195         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
3196         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
3197         create them all up front). FTL AbstractHeaps also don't actually give you the
3198         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
3199         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
3200         They also give you aliasing machinery. The DFG AbstractHeaps are represented
3201         internally by a int64_t. Many comparisons between them are just integer comparisons.
3202         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
3203         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
3204         payload is the direct subtype of its corresponding TOP Kind).
3205         
3206         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
3207         clobbered. It represents the set that results from unifying a bunch of
3208         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
3209         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
3210         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
3211         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
3212         member is equal to it, or if any of its ancestors are equal to a direct member.
3213         
3214         Example #1:
3215         
3216             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
3217               is a subtype of Variables, which is a subtype of World.
3218             - You query Variables. I.e. Variables with a TOP payload, which is the
3219               supertype of Variables(X) for any X, and a subtype of World.
3220             
3221             The set will have Variables(5) as a direct member, and Variables and World as
3222             super members. The Variables query will immediately return true, because
3223             Variables is indeed a super member.
3224         
3225         Example #2:
3226         
3227             - I add Variables(5)
3228             - You query NamedProperties
3229             
3230             NamedProperties is not a member at all (neither direct nor super). We next
3231             query World. World is a member, but it's a super member, so we return false.
3232         
3233         Example #3:
3234         
3235             - I add Variables
3236             - You query Variables(5)
3237             
3238             The set will have Variables as a direct member, and World as a super member.
3239             The Variables(5) query will not find Variables(5) in the set, but then it
3240             will query Variables. Variables is a direct member, so we return true.
3241         
3242         Example #4:
3243         
3244             - I add Variables
3245             - You query NamedProperties(5)
3246             
3247             Neither NamedProperties nor NamedProperties(5) is a member. We next query
3248             World. World is a member, but it's a super member, so we return false.
3249         
3250         Overlap queries require that either the heap being queried is in the set (either
3251         direct or super), or that one of its ancestors is a direct member. Another way to
3252         think about how this works is that two heaps A and B are said to overlap if
3253         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
3254         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
3255         heaps and answers the question, "is any member in the set an ancestor (i.e.
3256         supertype) of some other heap". We would have the set contain the heaps themselves,
3257         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
3258         chain of A, and repeatedly querying its membership in the set. This is what the
3259         "direct" members of our set do. Now consider the other part, where we want to ask if
3260         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
3261         would implement this by implementing set.add(B) as adding not just B but also all of
3262         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
3263         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
3264         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
3265         heap" question. ClobberSet does this, but combines the two sets into a single
3266         HashMap. The HashMap's value, "direct", means that the key is a member of both the
3267         supertype set and the subtype set; if it's false then it's only a member of one of
3268         them.
3269         
3270         Finally, this adds a functorized clobberize() method that adds the read and write
3271         clobbers of a DFG::Node to read and write functors. Common functors for adding to
3272         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
3273         are also provided. This allows you to say things like:
3274         
3275             ClobberSet set;
3276             addWrites(graph, node1, set);
3277             if (readsOverlap(graph, node2, set))
3278                 // We know that node1 may write to something that node2 may read from.
3279         
3280         Currently this facility is only used to improve graph dumping, but it will be
3281         instrumental in both LICM and GVN. In the future, I want to completely kill the
3282         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
3283         of accomplishing almost exactly what AbstractHeap gives you.
3284
3285         * JavaScriptCore.xcodeproj/project.pbxproj:
3286         * dfg/DFGAbstractHeap.cpp: Added.
3287         (DFG):
3288         (JSC::DFG::AbstractHeap::Payload::dump):
3289         (JSC::DFG::AbstractHeap::dump):
3290         (WTF):
3291         (WTF::printInternal):
3292         * dfg/DFGAbstractHeap.h: Added.
3293         (DFG):
3294         (AbstractHeap):
3295         (Payload):
3296         (JSC::DFG::AbstractHeap::Payload::Payload):
3297         (JSC::DFG::AbstractHeap::Payload::top):
3298         (JSC::DFG::AbstractHeap::Payload::isTop):
3299         (JSC::DFG::AbstractHeap::Payload::value):
3300         (JSC::DFG::AbstractHeap::Payload::valueImpl):
3301         (JSC::DFG::AbstractHeap::Payload::operator==):
3302         (JSC::DFG::AbstractHeap::Payload::operator!=):
3303         (JSC::DFG::AbstractHeap::Payload::operator<):
3304         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
3305         (JSC::DFG::AbstractHeap::Payload::overlaps):
3306         (JSC::DFG::AbstractHeap::AbstractHeap):
3307         (JSC::DFG::AbstractHeap::operator!):
3308         (JSC::DFG::AbstractHeap::kind):
3309         (JSC::DFG::AbstractHeap::payload):
3310         (JSC::DFG::AbstractHeap::isDisjoint):
3311         (JSC::DFG::AbstractHeap::overlaps):
3312         (JSC::DFG::AbstractHeap::supertype):
3313         (JSC::DFG::AbstractHeap::hash):
3314         (JSC::DFG::AbstractHeap::operator==):
3315         (JSC::DFG::AbstractHeap::operator!=):
3316         (JSC::DFG::AbstractHeap::operator<):
3317         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
3318         (JSC::DFG::AbstractHeap::payloadImpl):
3319         (JSC::DFG::AbstractHeap::encode):
3320         (JSC::DFG::AbstractHeapHash::hash):
3321         (JSC::DFG::AbstractHeapHash::equal):
3322         (AbstractHeapHash):
3323         (WTF):
3324         * dfg/DFGClobberSet.cpp: Added.
3325         (DFG):
3326         (JSC::DFG::ClobberSet::ClobberSet):
3327         (JSC::DFG::ClobberSet::~ClobberSet):
3328         (JSC::DFG::ClobberSet::add):
3329         (JSC::DFG::ClobberSet::addAll):
3330         (JSC::DFG::ClobberSet::contains):
3331         (JSC::DFG::ClobberSet::overlaps):
3332         (JSC::DFG::ClobberSet::clear):
3333         (JSC::DFG::ClobberSet::direct):
3334         (JSC::DFG::ClobberSet::super):
3335         (JSC::DFG::ClobberSet::dump):
3336         (JSC::DFG::ClobberSet::setOf):
3337         (JSC::DFG::addReads):
3338         (JSC::DFG::addWrites):
3339         (JSC::DFG::addReadsAndWrites):
3340         (JSC::DFG::readsOverlap):
3341         (JSC::DFG::writesOverlap):
3342         * dfg/DFGClobberSet.h: Added.
3343         (DFG):
3344         (ClobberSet):
3345         (JSC::DFG::ClobberSet::isEmpty):
3346         (ClobberSetAdd):
3347         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
3348         (JSC::DFG::ClobberSetAdd::operator()):
3349         (ClobberSetOverlaps):
3350         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
3351         (JSC::DFG::ClobberSetOverlaps::operator()):
3352         (JSC::DFG::ClobberSetOverlaps::result):
3353         * dfg/DFGClobberize.cpp: Added.
3354         (DFG):
3355         (JSC::DFG::didWrites):
3356         * dfg/DFGClobberize.h: Added.
3357         (DFG):
3358         (JSC::DFG::clobberize):
3359         (NoOpClobberize):
3360         (JSC::DFG::NoOpClobberize::NoOpClobberize):
3361         (JSC::DFG::NoOpClobberize::operator()):
3362         (CheckClobberize):
3363         (JSC::DFG::CheckClobberize::CheckClobberize):
3364         (JSC::DFG::CheckClobberize::operator()):
3365         (JSC::DFG::CheckClobberize::result):
3366         * dfg/DFGGraph.cpp:
3367         (JSC::DFG::Graph::dump):
3368
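        The AbstractHeap hierarchy and the ClobberSet direct/super membership scheme
        described in the entry above, as an added stand-alone C++ model. This is editor
        example code, not WebKit's DFGAbstractHeap.h or DFGClobberSet.cpp; the Kind
        enumerators, the int64_t encoding (kind in the low 8 bits, payload above), the
        TOP sentinel and the method names are assumptions chosen to follow the text. It
        runs the four worked examples from the entry and also checks the super-to-direct
        upgrade that the later LICM entry reports as a bug fix in ClobberSet::add.

```cpp
#include <cassert>
#include <cstdint>
#include <unordered_map>

// Added example, not WebKit code. Kind names and encoding are assumptions.
enum Kind : uint8_t { World = 0, Variables = 1, NamedProperties = 2 };

class AbstractHeap {
public:
    static constexpr int64_t TopPayload = -1; // assumed sentinel for a TOP payload

    AbstractHeap(Kind kind = World, int64_t payload = TopPayload)
        : m_kind(kind), m_payload(kind == World ? int64_t(TopPayload) : payload)
    {
        // Payloads must fit in the 56 bits left above the kind byte.
        assert(payload == TopPayload || (payload >= 0 && payload < (int64_t(1) << 55)));
    }

    Kind kind() const { return m_kind; }
    bool isTop() const { return m_payload == TopPayload; }

    // Single int64_t representation: low 8 bits are the kind, the rest the payload.
    int64_t encode() const
    {
        return static_cast<int64_t>((static_cast<uint64_t>(m_payload) << 8) | m_kind);
    }
    bool operator==(const AbstractHeap& other) const { return encode() == other.encode(); }

    // Three-level hierarchy: Kind(payload) -> Kind(TOP) -> World; World has no parent.
    bool hasSupertype() const { return m_kind != World; }
    AbstractHeap supertype() const
    {
        assert(hasSupertype());
        return isTop() ? AbstractHeap(World) : AbstractHeap(m_kind, TopPayload);
    }

    // Walks the ancestor chain; a heap is a subtype of itself.
    bool isSubtypeOf(const AbstractHeap& other) const
    {
        AbstractHeap current = *this;
        for (;;) {
            if (current == other) return true;
            if (!current.hasSupertype()) return false;
            current = current.supertype();
        }
    }

    // Two heaps overlap iff one is an ancestor-or-self of the other.
    bool overlaps(const AbstractHeap& other) const
    {
        return isSubtypeOf(other) || other.isSubtypeOf(*this);
    }

private:
    Kind m_kind;
    int64_t m_payload;
};

class ClobberSet {
public:
    // The heap itself becomes a "direct" member (value true); every ancestor is
    // inserted as a "super" member (false) unless it is already direct.
    void add(const AbstractHeap& heap)
    {
        m_map[heap.encode()] = true; // upgrades an existing super entry to direct
        for (AbstractHeap h = heap; h.hasSupertype();) {
            h = h.supertype();
            m_map.emplace(h.encode(), false); // no-op if already present
        }
    }

    bool contains(const AbstractHeap& heap) const { return m_map.count(heap.encode()) != 0; }
    bool isDirect(const AbstractHeap& heap) const
    {
        auto it = m_map.find(heap.encode());
        return it != m_map.end() && it->second;
    }

    // Overlap: the heap is a member (direct or super), or an ancestor is direct.
    bool overlaps(const AbstractHeap& heap) const
    {
        if (contains(heap)) return true;
        for (AbstractHeap h = heap; h.hasSupertype();) {
            h = h.supertype();
            if (isDirect(h)) return true;
        }
        return false;
    }

private:
    std::unordered_map<int64_t, bool> m_map;
};

// The four worked examples from the entry, in order.
struct ExampleResults { bool ex1, ex2, ex3, ex4; };

ExampleResults runExamples()
{
    ExampleResults r;
    ClobberSet a;
    a.add(AbstractHeap(Variables, 5));
    r.ex1 = a.overlaps(AbstractHeap(Variables));            // true: Variables is a super member
    r.ex2 = a.overlaps(AbstractHeap(NamedProperties));      // false: only World matches, and it is super
    ClobberSet b;
    b.add(AbstractHeap(Variables));
    r.ex3 = b.overlaps(AbstractHeap(Variables, 5));         // true: ancestor Variables is direct
    r.ex4 = b.overlaps(AbstractHeap(NamedProperties, 5));   // false
    return r;
}

// Adding Variables(5) and then Variables must turn the super entry for Variables
// into a direct one, otherwise Variables(7) would be reported as non-overlapping.
bool upgradeSuperToDirect()
{
    ClobberSet set;
    set.add(AbstractHeap(Variables, 5));
    bool wasSuper = set.contains(AbstractHeap(Variables)) && !set.isDirect(AbstractHeap(Variables));
    set.add(AbstractHeap(Variables));
    return wasSuper && set.isDirect(AbstractHeap(Variables)) && set.overlaps(AbstractHeap(Variables, 7));
}

int main()
{
    ExampleResults r = runExamples();
    return (r.ex1 && !r.ex2 && r.ex3 && !r.ex4 && upgradeSuperToDirect()) ? 0 : 1;
}
```

        The single map with a bool value is the point of the design: one hash lookup
        answers "is this heap or any ancestor in the set", and the direct flag tells the
        overlap walk whether a matching ancestor was actually added or merely implied.
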
3369 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3370
3371         fourthTier: It should be easy to figure out which blocks nodes belong to
3372         https://bugs.webkit.org/show_bug.cgi?id=118957
3373
3374         Reviewed by Sam Weinig.
3375
3376         * dfg/DFGGraph.cpp:
3377         (DFG):
3378         (JSC::DFG::Graph::initializeNodeOwners):
3379         * dfg/DFGGraph.h:
3380         (Graph):
3381         * dfg/DFGNode.h:
3382
3383 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3384
3385         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
3386         https://bugs.webkit.org/show_bug.cgi?id=118956
3387
3388         Reviewed by Sam Weinig.
3389         
3390         We had two ways of expressing that something exits forward: the NodeExitsForward
3391         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
3392         makes it just be a flag.
3393
3394         * dfg/DFGAbstractInterpreterInlines.h:
3395         (JSC::DFG::::executeEffects):
3396         * dfg/DFGArgumentsSimplificationPhase.cpp:
3397         (JSC::DFG::ArgumentsSimplificationPhase::run):
3398         * dfg/DFGCSEPhase.cpp:
3399         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
3400         (JSC::DFG::CSEPhase::checkStructureElimination):
3401         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3402         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3403         (JSC::DFG::CSEPhase::checkArrayElimination):
3404         (JSC::DFG::CSEPhase::performNodeCSE):
3405         * dfg/DFGConstantFoldingPhase.cpp:
3406         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3407         * dfg/DFGFixupPhase.cpp:
3408         (JSC::DFG::FixupPhase::fixupNode):
3409         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3410         * dfg/DFGMinifiedNode.h:
3411         (JSC::DFG::belongsInMinifiedGraph):
3412         (JSC::DFG::MinifiedNode::hasChild):
3413         * dfg/DFGNode.h:
3414         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
3415         (JSC::DFG::Node::hasStructureSet):
3416         (JSC::DFG::Node::hasStructure):
3417         (JSC::DFG::Node::hasArrayMode):
3418         (JSC::DFG::Node::willHaveCodeGenOrOSR):
3419         * dfg/DFGNodeType.h:
3420         (DFG):
3421         (JSC::DFG::needsOSRForwardRewiring):
3422         * dfg/DFGPredictionPropagationPhase.cpp:
3423         (JSC::DFG::PredictionPropagationPhase::propagate):
3424         * dfg/DFGSafeToExecute.h:
3425         (JSC::DFG::safeToExecute):
3426         * dfg/DFGSpeculativeJIT.cpp:
3427         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
3428         * dfg/DFGSpeculativeJIT32_64.cpp:
3429         (JSC::DFG::SpeculativeJIT::compile):
3430         * dfg/DFGSpeculativeJIT64.cpp:
3431         (JSC::DFG::SpeculativeJIT::compile):
3432         * dfg/DFGTypeCheckHoistingPhase.cpp:
3433         (JSC::DFG::TypeCheckHoistingPhase::run):
3434         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3435         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3436         * dfg/DFGVariableEventStream.cpp:
3437         (JSC::DFG::VariableEventStream::reconstruct):
3438         * ftl/FTLCapabilities.cpp:
3439         (JSC::FTL::canCompile):
3440         * ftl/FTLLowerDFGToLLVM.cpp:
3441         (JSC::FTL::LowerDFGToLLVM::compileNode):
3442         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
3443
3444 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3445
3446         fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
3447         https://bugs.webkit.org/show_bug.cgi?id=118946
3448
3449         Reviewed by Geoffrey Garen.
3450         
3451         We want to decouple the exit target code origin of a node from the code origin
3452         for all other purposes. The purposes of code origins are:
3453         
3454         - Where the node will exit, if it exits. The exit target should be consistent with
3455           the surrounding nodes, in that if you just looked at the code origins of nodes in
3456           the graph, they would be consistent with the code origins in bytecode. This is
3457           necessary for live-at-bytecode analyses to work, and to preserve the original
3458           bytecode semantics when exiting.
3459         
3460         - What kind of code the node came from, for semantics thingies. For example, we
3461           might use the code origin to find the node's global object for doing an original
3462           array check. Or we might use it to determine if the code is in strict mode. Or
3463           other similar things. When we use the code origin in this way, we're basically
3464           using it as a way of describing the node's meta-data without putting it into the
3465           node directly, to save space. In the absurd extreme you could imagine nodes not
3466           even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
3467           what bytecode the node originated from. We won't do that, but you can think of
3468           this use of code origins as just a way of compressing meta-data.
3469         
3470         - What code origin we should supply profiling to, if we exit. This is closely
3471           related to the semantics thingies, in that the exit profiling is a persistent
3472           kind of semantic meta-data that survives between recompiles, and the only way to
3473           do that is to ascribe it to the original bytecode via the code origin.
3474         
3475         If we hoist a node, we need to change the exit target code origin, but we must not
3476         change the code origin for other purposes. The best way to do this is to decouple
3477         the two kinds of code origin.
3478         
3479         OSR exit data structures already do this, because they may edit the exit target
3480         code origin while keeping the code origin for profiling intact. This happens for
3481         forward exits. So, we just need to thread the separation all the way back to DFG::Node.
3482         That's what this patch does.
3483
3484         * dfg/DFGNode.h:
3485         (JSC::DFG::Node::Node):
3486         (Node):
3487         * dfg/DFGOSRExit.cpp:
3488         (JSC::DFG::OSRExit::OSRExit):
3489         * dfg/DFGOSRExitBase.h:
3490         (JSC::DFG::OSRExitBase::OSRExitBase):
3491         * dfg/DFGSpeculativeJIT.cpp:
3492         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3493         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3494         * dfg/DFGSpeculativeJIT.h:
3495         (SpeculativeJIT):
3496         * ftl/FTLLowerDFGToLLVM.cpp:
3497         (JSC::FTL::LowerDFGToLLVM::compileNode):
3498         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3499         (LowerDFGToLLVM):
3500         * ftl/FTLOSRExit.cpp:
3501         (JSC::FTL::OSRExit::OSRExit):
3502         * ftl/FTLOSRExit.h:
3503         (OSRExit):
3504
3505 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
3506
3507         fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
3508         https://bugs.webkit.org/show_bug.cgi?id=118866
3509
3510         Reviewed by Sam Weinig.
3511         
3512         Adds a safeToExecute() method that takes a node and an abstract state and tells you
3513         if the node will run without crashing under that state.
3514
3515         * JavaScriptCore.xcodeproj/project.pbxproj:
3516         * bytecode/CodeBlock.cpp:
3517         (JSC::CodeBlock::CodeBlock):
3518         * dfg/DFGCFAPhase.cpp:
3519         (CFAPhase):
3520         (JSC::DFG::CFAPhase::CFAPhase):
3521         (JSC::DFG::CFAPhase::run):
3522         (JSC::DFG::CFAPhase::performBlockCFA):
3523         (JSC::DFG::CFAPhase::performForwardCFA):
3524         * dfg/DFGSafeToExecute.h: Added.
3525         (DFG):
3526         (SafeToExecuteEdge):
3527         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
3528         (JSC::DFG::SafeToExecuteEdge::operator()):
3529         (JSC::DFG::SafeToExecuteEdge::result):
3530         (JSC::DFG::safeToExecute):
3531         * dfg/DFGStructureAbstractValue.h:
3532         (JSC::DFG::StructureAbstractValue::isValidOffset):
3533         (StructureAbstractValue):
3534         * runtime/Options.h:
3535         (JSC):
3536
3537 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
3538
3539         fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
3540         https://bugs.webkit.org/show_bug.cgi?id=118948
3541
3542         Reviewed by Sam Weinig.
3543         
3544         - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
3545           This allows doing "what if" experiments with IR generation, even if the generated IR
3546           can't yet execute.
3547         
3548         - Add an OSR exit path that just calls an intrinsic that combines the branch and the
3549           off-ramp.
3550
3551         * JavaScriptCore.xcodeproj/project.pbxproj:
3552         * dfg/DFGPlan.cpp:
3553         (JSC::DFG::Plan::compileInThreadImpl):
3554         * ftl/FTLFail.cpp: Added.
3555         (FTL):
3556         (JSC::FTL::fail):
3557         * ftl/FTLFail.h: Added.
3558         (FTL):
3559         * ftl/FTLIntrinsicRepository.h:
3560         (FTL):
3561         * ftl/FTLLowerDFGToLLVM.cpp:
3562         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3563         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
3564         * runtime/Options.h:
3565         (JSC):
3566
3567 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3568
3569         fourthTier: StringObjectUse uses structures, and CSE should know that
3570         https://bugs.webkit.org/show_bug.cgi?id=118940
3571
3572         Reviewed by Geoffrey Garen.
3573         
3574         This is asymptomatic right now, but we should fix it.
3575
3576         * JavaScriptCore.xcodeproj/project.pbxproj:
3577         * dfg/DFGCSEPhase.cpp:
3578         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3579         * dfg/DFGEdgeUsesStructure.h: Added.
3580         (DFG):
3581         (EdgeUsesStructure):
3582         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
3583         (JSC::DFG::EdgeUsesStructure::operator()):
3584         (JSC::DFG::EdgeUsesStructure::result):
3585         (JSC::DFG::edgesUseStructure):
3586         * dfg/DFGUseKind.h:
3587         (DFG):
3588         (JSC::DFG::usesStructure):
3589
3590 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3591
3592         fourthTier: String GetByVal out-of-bounds handling is so wrong
3593         https://bugs.webkit.org/show_bug.cgi?id=118935
3594
3595         Reviewed by Geoffrey Garen.
3596         
3597         Bunch of String GetByVal out-of-bounds fixes:
3598         
3599         - Even if the string proto chain is sane, we need to watch out for negative
3600           indices. They may get values or call getters in the prototypes, since proto
3601           sanity doesn't check for negative indexed properties, as they are not
3602           technically indexed properties.
3603         
3604         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
3605           given this information.
3606         
3607         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
3608           given this information.
3609         
3610         Also fixed some other things:
3611         
3612         - If the DFG is disabled, the testRunner should pretend that we've done a
3613           bunch of DFG compiles. That's necessary to prevent the tests from timing
3614           out.
3615         
3616         - Disassembler shouldn't try to dump source code since it's not safe in the
3617           concurrent JIT.
3618
3619         * API/JSCTestRunnerUtils.cpp:
3620         (JSC::numberOfDFGCompiles):
3621         * JavaScriptCore.xcodeproj/project.pbxproj:
3622         * dfg/DFGAbstractInterpreterInlines.h:
3623         (JSC::DFG::::executeEffects):
3624         * dfg/DFGDisassembler.cpp:
3625         (JSC::DFG::Disassembler::dumpHeader):
3626         * dfg/DFGGraph.h:
3627         (JSC::DFG::Graph::byValIsPure):
3628         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
3629         (DFG):
3630         (SaneStringGetByValSlowPathGenerator):
3631         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
3632         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
3633         * dfg/DFGSpeculativeJIT.cpp:
3634         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3635
3636 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3637
3638         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
3639         https://bugs.webkit.org/show_bug.cgi?id=118911
3640
3641         Reviewed by Geoffrey Garen.
3642         
3643         We could also have a separate method like "willNotCrash(offset)", but that's not
3644         what isValidOffset() is intended to mean.
3645
3646         * runtime/Structure.h:
3647         (JSC::Structure::isValidOffset):
3648
3649 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3650
3651         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
3652         https://bugs.webkit.org/show_bug.cgi?id=118878
3653
3654         Reviewed by Oliver Hunt.
3655         
3656         - Change Structure::isValidOffset() to actually answer the question "If I attempted
3657           to load from an object of this structure, at this offset, would I commit suicide
3658           or would I get back some kind of value?"
3659         
3660         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
3661           way from the start.
3662         
3663         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
3664         
3665         - Make GetByOffset also reference the base object in addition to the butterfly.
3666         
3667         The future use of this power will be to answer questions like "If I hoisted this
3668         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
3669         fine?"
3670         
3671         I don't currently plan to use this power to perform validation, since the CSE has
3672         the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
3673         remove - both in the case of StructureSets where size >= 2 and in the case of
3674         CheckStructures that match across PutStructures. At first I tried to write a
3675         validator that was aware of this, but the validation code got way too complicated
3676         and I started having nightmares of spurious assertion bugs being filed against me.
3677         
3678         This also changes some of the code for how we hash FunctionExecutable's for debug
3679         dumps, since that code still had some thread-safety issues. Basically, the
3680         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
3681         that could transitively try to compute the hash from the source code. The source
3682         code is a string that may be lazily computed, and that involves all manner of thread
3683         unsafe things.
3684
3685         * bytecode/CodeOrigin.cpp:
3686         (JSC::InlineCallFrame::hash):
3687         * dfg/DFGAbstractInterpreterInlines.h:
3688         (JSC::DFG::::executeEffects):
3689         * dfg/DFGByteCodeParser.cpp:
3690         (JSC::DFG::ByteCodeParser::handleGetByOffset):
3691         (JSC::DFG::ByteCodeParser::handlePutByOffset):
3692         (JSC::DFG::ByteCodeParser::parseBlock):
3693         * dfg/DFGCFAPhase.cpp:
3694         (JSC::DFG::CFAPhase::performBlockCFA):
3695         * dfg/DFGConstantFoldingPhase.cpp:
3696         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3697         * dfg/DFGFixupPhase.cpp:
3698         (JSC::DFG::FixupPhase::fixupNode):
3699         * dfg/DFGGraph.h:
3700         (StorageAccessData):
3701         * dfg/DFGNode.h:
3702         (JSC::DFG::Node::convertToGetByOffset):
3703         * dfg/DFGSpeculativeJIT64.cpp:
3704         (JSC::DFG::SpeculativeJIT::compile):
3705         * ftl/FTLLowerDFGToLLVM.cpp:
3706         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3707         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
3708         * runtime/FunctionExecutableDump.cpp:
3709         (JSC::FunctionExecutableDump::dump):
3710         * runtime/Structure.h:
3711         (Structure):
3712         (JSC::Structure::isValidOffset):
3713
3714 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3715
3716         fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
3717         https://bugs.webkit.org/show_bug.cgi?id=118880
3718
3719         Reviewed by Sam Weinig.
3720         
3721         It should be possible to have an AbstractState that is backed by a HashMap. But to
3722         do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
3723         the map, since otherwise the idiom of getting a reference to the AbstractValue
3724         returned by forNode() would cause really subtle memory corruption bugs.
3725
3726         * dfg/DFGAbstractInterpreterInlines.h:
3727         (JSC::DFG::::executeEffects):
3728         * dfg/DFGInPlaceAbstractState.h:
3729         (JSC::DFG::InPlaceAbstractState::createValueForNode):
3730         (InPlaceAbstractState):
3731
3732 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3733
3734         fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
3735         https://bugs.webkit.org/show_bug.cgi?id=118835
3736
3737         Reviewed by Oliver Hunt.
3738         
3739         This separates AbstractState into two things:
3740         
3741         - InPlaceAbstractState, which can tell you the abstract state of anything you
3742           might care about, and uses the old AbstractState's algorithms and data
3743           structures for doing so.
3744         
3745         - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
3746           respect to an AbstractStateType. Currently we always use
3747           AbstractStateType = InPlaceAbstractState. But we could drop in another
3748           class that supports basic primitives like forNode() and variables().
3749         
3750         This is important because:
3751         
3752         - We want to hoist things out of loops.
3753
3754         - We don't know what things rely on what type checks.
3755
3756         - We only want to hoist type checks out of loops if they aren't clobbered.
3757
3758         - We may want to still hoist things that depended on those type checks, if it's
3759           safe to do those things based on the CFA state at the tail of the loop
3760           pre-header.
3761
3762         - We don't want things to rely on their type checks by way of a token, because
3763           that's just weird.
3764
3765         So, we want to be able to have a special form of the CFA that can
3766         incrementally update a basic block's state-at-tail, and we want to be able to
3767         do this for multiple blocks simultaneously. This requires *not* storing the
3768         per-node state in the nodes themselves, but instead using the at-tail HashMap
3769         directly.
3770
3771         Hence we need to have a way of making the abstract interpreter (i.e.
3772         AbstractState::execute) polymorphic with respect to state representation. Put
3773         another way, we need to separate the way that abstract state is represented
3774         from the way DFG IR is abstractly interpreted.
3775
3776         * JavaScriptCore.xcodeproj/project.pbxproj:
3777         * dfg/DFGAbstractInterpreter.h: Added.
3778         (DFG):
3779         (AbstractInterpreter):
3780         (JSC::DFG::AbstractInterpreter::forNode):
3781         (JSC::DFG::AbstractInterpreter::variables):
3782         (JSC::DFG::AbstractInterpreter::needsTypeCheck):
3783         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
3784         (JSC::DFG::AbstractInterpreter::filter):
3785         (JSC::DFG::AbstractInterpreter::filterArrayModes):
3786         (JSC::DFG::AbstractInterpreter::filterByValue):
3787         (JSC::DFG::AbstractInterpreter::trySetConstant):
3788         (JSC::DFG::AbstractInterpreter::filterByType):
3789         * dfg/DFGAbstractInterpreterInlines.h: Added.
3790         (DFG):
3791         (JSC::DFG::::AbstractInterpreter):
3792         (JSC::DFG::::~AbstractInterpreter):
3793         (JSC::DFG::::booleanResult):
3794         (JSC::DFG::::startExecuting):
3795         (JSC::DFG::::executeEdges):
3796         (JSC::DFG::::verifyEdge):
3797         (JSC::DFG::::verifyEdges):
3798         (JSC::DFG::::executeEffects):
3799         (JSC::DFG::::execute):
3800         (JSC::DFG::::clobberWorld):
3801         (JSC::DFG::::clobberCapturedVars):
3802         (JSC::DFG::::clobberStructures):
3803         (JSC::DFG::::dump):
3804         (JSC::DFG::::filter):
3805         (JSC::DFG::::filterArrayModes):
3806         (JSC::DFG::::filterByValue):
3807         * dfg/DFGAbstractState.cpp: Removed.
3808         * dfg/DFGAbstractState.h: Removed.
3809         * dfg/DFGArgumentsSimplificationPhase.cpp:
3810         * dfg/DFGCFAPhase.cpp:
3811         (JSC::DFG::CFAPhase::CFAPhase):
3812         (JSC::DFG::CFAPhase::performBlockCFA):
3813         (CFAPhase):
3814         * dfg/DFGCFGSimplificationPhase.cpp:
3815         * dfg/DFGConstantFoldingPhase.cpp:
3816         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
3817         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3818         (ConstantFoldingPhase):
3819         * dfg/DFGInPlaceAbstractState.cpp: Added.
3820         (DFG):
3821         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
3822         (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
3823         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3824         (JSC::DFG::setLiveValues):
3825         (JSC::DFG::InPlaceAbstractState::initialize):
3826         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3827         (JSC::DFG::InPlaceAbstractState::reset):
3828         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3829         (JSC::DFG::InPlaceAbstractState::merge):
3830         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3831         (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
3832         * dfg/DFGInPlaceAbstractState.h: Added.
3833         (DFG):
3834         (InPlaceAbstractState):
3835         (JSC::DFG::InPlaceAbstractState::forNode):
3836         (JSC::DFG::InPlaceAbstractState::variables):
3837         (JSC::DFG::InPlaceAbstractState::block):
3838         (JSC::DFG::InPlaceAbstractState::didClobber):
3839         (JSC::DFG::InPlaceAbstractState::isValid):
3840         (JSC::DFG::InPlaceAbstractState::setDidClobber):
3841         (JSC::DFG::InPlaceAbstractState::setIsValid):
3842         (JSC::DFG::InPlaceAbstractState::setBranchDirection):
3843         (JSC::DFG::InPlaceAbstractState::setFoundConstants):
3844         (JSC::DFG::InPlaceAbstractState::haveStructures):
3845         (JSC::DFG::InPlaceAbstractState::setHaveStructures):
3846         * dfg/DFGMergeMode.h: Added.
3847         (DFG):
3848         * dfg/DFGSpeculativeJIT.cpp:
3849         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3850         (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
3851         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3852         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3853         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
3854         (JSC::DFG::SpeculativeJIT::speculateStringObject):
3855         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
3856         * dfg/DFGSpeculativeJIT.h:
3857         (JSC::DFG::SpeculativeJIT::needsTypeCheck):
3858         (SpeculativeJIT):
3859         * dfg/DFGSpeculativeJIT32_64.cpp:
3860         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3861         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3862         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3863         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3864         * dfg/DFGSpeculativeJIT64.cpp:
3865         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3866         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3867         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3868         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3869         * ftl/FTLLowerDFGToLLVM.cpp:
3870         (FTL):
3871         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3872         (JSC::FTL::LowerDFGToLLVM::compileNode):
3873         (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
3874         (JSC::FTL::LowerDFGToLLVM::speculate):
3875         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3876         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
3877         (LowerDFGToLLVM):
3878
3879 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3880
3881         fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
3882         https://bugs.webkit.org/show_bug.cgi?id=118867
3883
3884         Reviewed by Mark Hahnenberg.
3885         
3886         This allows us to kill off a bunch of code in the parser and in fixup, and to
3887         simplify ArrayProfile.
3888
3889         It also makes it easier to ask any array-using node how to create its type check.
3890         
3891         Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
3892         an array profile, thinking that it was storing into a value profile. Reshuffling the
3893         fields in ArrayProfile revealed this.
3894
3895         * bytecode/ArrayProfile.cpp:
3896         (JSC::ArrayProfile::computeUpdatedPrediction):
3897         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3898         * bytecode/ArrayProfile.h:
3899         (JSC::ArrayProfile::ArrayProfile):
3900         (ArrayProfile):
3901         * bytecode/CodeBlock.cpp:
3902         (JSC::CodeBlock::updateAllArrayPredictions):
3903         (JSC::CodeBlock::updateAllPredictions):
3904         * bytecode/CodeBlock.h:
3905         (CodeBlock):
3906         (JSC::CodeBlock::updateAllArrayPredictions):
3907         * dfg/DFGArrayMode.h:
3908         (ArrayMode):
3909         * dfg/DFGByteCodeParser.cpp:
3910         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
3911         (JSC::DFG::ByteCodeParser::parseBlock):
3912         * dfg/DFGFixupPhase.cpp:
3913         (JSC::DFG::FixupPhase::fixupNode):
3914         (FixupPhase):
3915         (JSC::DFG::FixupPhase::checkArray):
3916         (JSC::DFG::FixupPhase::blessArrayOperation):
3917         * llint/LowLevelInterpreter64.asm:
3918
3919 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3920
3921         fourthTier: CFA should consider live-at-head for clobbering and dumping
3922         https://bugs.webkit.org/show_bug.cgi?id=118857
3923
3924         Reviewed by Mark Hahnenberg.
3925         
3926         - clobberStructures() was not considering nodes live-at-head when in SSA
3927           form. This means it would fail to clobber some structures.
3928         
3929         - dump() was not considering nodes live-at-head when in SSA form. This
3930           means it wouldn't dump everything that you might be interested in.
3931         
3932         - AbstractState::m_currentNode is a useless variable and we should get
3933           rid of it.
3934
3935         * dfg/DFGAbstractState.cpp:
3936         (JSC::DFG::AbstractState::AbstractState):
3937         (JSC::DFG::AbstractState::beginBasicBlock):
3938         (JSC::DFG::AbstractState::reset):
3939         (JSC::DFG::AbstractState::startExecuting):
3940         (JSC::DFG::AbstractState::clobberStructures):
3941         (JSC::DFG::AbstractState::dump):