[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-08-16  Mark Lam  <mark.lam@apple.com>
2
3         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
4         error message that an object is not a constructor though it expects a function
5
6         Reviewed by Michael Saboff.
7
8         * jit/JITStubs.cpp:
9         (JSC::DEFINE_STUB_FUNCTION):
10
11 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
12
13         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
14         https://bugs.webkit.org/show_bug.cgi?id=119897
15
16         Reviewed by Oliver Hunt.
17         
18         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
19         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
20         to turn objects into dictionaries when you're storing using bracket syntax or using
21         eval is still in place.
22
23         * bytecode/CodeBlock.h:
24         (JSC::CodeBlock::putByIdContext):
25         * dfg/DFGOperations.cpp:
26         * jit/JITStubs.cpp:
27         (JSC::DEFINE_STUB_FUNCTION):
28         * llint/LLIntSlowPaths.cpp:
29         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
30         * runtime/JSObject.h:
31         (JSC::JSObject::putDirectInternal):
32         * runtime/PutPropertySlot.h:
33         (JSC::PutPropertySlot::PutPropertySlot):
34         (JSC::PutPropertySlot::context):
35         * runtime/Structure.cpp:
36         (JSC::Structure::addPropertyTransition):
37         * runtime/Structure.h:
38
39 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
40
41         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
42
43         Reviewed by Allan Sandfeld Jensen.
44
45         ctiVMHandleException must jump/return using register ra (r31).
46
47         * jit/JITStubsMIPS.h:
48
49 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
50
51         <https://webkit.org/b/119879> Fix sh4 build after r154156.
52
53         Reviewed by Allan Sandfeld Jensen.
54
55         Fix typo in JITStubsSH4.h file.
56
57         * jit/JITStubsSH4.h:
58
59 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
60
61         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
62
63         Reviewed by Oliver Hunt.
64
65         The concurrent compilation thread should interact minimally with the Heap, including not 
66         triggering WriteBarriers. This is a prerequisite for generational GC.
67
68         * JavaScriptCore.xcodeproj/project.pbxproj:
69         * bytecode/CodeBlock.cpp:
70         (JSC::CodeBlock::addOrFindConstant):
71         (JSC::CodeBlock::findConstant):
72         * bytecode/CodeBlock.h:
73         (JSC::CodeBlock::addConstantLazily):
74         * dfg/DFGByteCodeParser.cpp:
75         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
76         (JSC::DFG::ByteCodeParser::constantUndefined):
77         (JSC::DFG::ByteCodeParser::constantNull):
78         (JSC::DFG::ByteCodeParser::one):
79         (JSC::DFG::ByteCodeParser::constantNaN):
80         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
81         * dfg/DFGCommonData.cpp:
82         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
83         * dfg/DFGCommonData.h:
84         * dfg/DFGDesiredTransitions.cpp: Added.
85         (JSC::DFG::DesiredTransition::DesiredTransition):
86         (JSC::DFG::DesiredTransition::reallyAdd):
87         (JSC::DFG::DesiredTransitions::DesiredTransitions):
88         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
89         (JSC::DFG::DesiredTransitions::addLazily):
90         (JSC::DFG::DesiredTransitions::reallyAdd):
91         * dfg/DFGDesiredTransitions.h: Added.
92         * dfg/DFGDesiredWeakReferences.cpp: Added.
93         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
94         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
95         (JSC::DFG::DesiredWeakReferences::addLazily):
96         (JSC::DFG::DesiredWeakReferences::reallyAdd):
97         * dfg/DFGDesiredWeakReferences.h: Added.
98         * dfg/DFGDesiredWriteBarriers.cpp: Added.
99         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
100         (JSC::DFG::DesiredWriteBarrier::trigger):
101         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
102         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
103         (JSC::DFG::DesiredWriteBarriers::addImpl):
104         (JSC::DFG::DesiredWriteBarriers::trigger):
105         * dfg/DFGDesiredWriteBarriers.h: Added.
106         (JSC::DFG::DesiredWriteBarriers::add):
107         (JSC::DFG::initializeLazyWriteBarrier):
108         * dfg/DFGFixupPhase.cpp:
109         (JSC::DFG::FixupPhase::truncateConstantToInt32):
110         * dfg/DFGGraph.h:
111         (JSC::DFG::Graph::convertToConstant):
112         * dfg/DFGJITCompiler.h:
113         (JSC::DFG::JITCompiler::addWeakReference):
114         * dfg/DFGPlan.cpp:
115         (JSC::DFG::Plan::Plan):
116         (JSC::DFG::Plan::reallyAdd):
117         * dfg/DFGPlan.h:
118         * dfg/DFGSpeculativeJIT32_64.cpp:
119         (JSC::DFG::SpeculativeJIT::compile):
120         * dfg/DFGSpeculativeJIT64.cpp:
121         (JSC::DFG::SpeculativeJIT::compile):
122         * runtime/WriteBarrier.h:
123         (JSC::WriteBarrierBase::set):
124         (JSC::WriteBarrier::WriteBarrier):
125
126 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
127
128         Fix x86 32-bit build after r154158
129
130         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
131
132 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
133
134         Build fix attempt after r154156.
135
136         * jit/JITStubs.cpp:
137         (JSC::cti_vm_handle_exception): encode!
138
139 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
140
141         [JSC] x86: Use inc and dec when possible
142         https://bugs.webkit.org/show_bug.cgi?id=119831
143
144         Reviewed by Geoffrey Garen.
145
146         When incrementing or decrementing by an immediate of 1, use the instructions
147         inc and dec instead of add and sub.
148         The instructions have good timing and their encoding is smaller.
149
150         * assembler/MacroAssemblerX86Common.h:
151         (JSC::MacroAssemblerX86_64::add32):
152         (JSC::MacroAssemblerX86_64::sub32):
153         * assembler/MacroAssemblerX86_64.h:
154         (JSC::MacroAssemblerX86_64::add64):
155         (JSC::MacroAssemblerX86_64::sub64):
156         * assembler/X86Assembler.h:
157         (JSC::X86Assembler::dec_r):
158         (JSC::X86Assembler::decq_r):
159         (JSC::X86Assembler::inc_r):
160         (JSC::X86Assembler::incq_r):
161
162 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
163
164         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
165         https://bugs.webkit.org/show_bug.cgi?id=119874
166
167         Reviewed by Oliver Hunt and Mark Hahnenberg.
168         
169         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
170         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
171         sometimes for typed array length accesses, and the FixupPhase assuming that a
172         ForceExit ArrayMode means that it should continue using a generic GetById.
173
174         This fixes the confusion.
175
176         * dfg/DFGFixupPhase.cpp:
177         (JSC::DFG::FixupPhase::fixupNode):
178
179 2013-08-15  Mark Lam  <mark.lam@apple.com>
180
181         Fix crash when performing activation tearoff.
182         https://bugs.webkit.org/show_bug.cgi?id=119848
183
184         Reviewed by Oliver Hunt.
185
186         The activation tearoff crash was due to a bug in the baseline JIT.
187         If we have a scenario where a baseline JIT frame calls an LLINT
188         frame, an exception may be thrown while in the LLINT.
189
190         Interpreter::throwException() which handles the exception will unwind
191         all frames until it finds a catcher or sees a host frame. When we
192         return from the LLINT to the baseline JIT code, the baseline JIT code
193         erroneously sets topCallFrame to the value in its call frame register,
194         and starts unwinding the stack frames that have already been unwound.
195
196         The fix is:
197         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
198            This is a more accurate description of what this runtime function
199            is supposed to do, i.e. it handles the exception, which includes doing
200            nothing (if there are no more frames to unwind).
201         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
202            set on it.
203         3. Reloading the call frame register from topCallFrame when we're
204            returning from a callee and detect exception handling in progress.
205
206         * interpreter/Interpreter.cpp:
207         (JSC::Interpreter::unwindCallFrame):
208         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
209         (JSC::Interpreter::getStackTrace):
210         * interpreter/Interpreter.h:
211         (JSC::TopCallFrameSetter::TopCallFrameSetter):
212         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
213         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
214         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
215         * jit/JIT.h:
216         * jit/JITExceptions.cpp:
217         (JSC::uncaughtExceptionHandler):
218         - Convenience function to get the handler for uncaught exceptions.
219         * jit/JITExceptions.h:
220         * jit/JITInlines.h:
221         (JSC::JIT::reloadCallFrameFromTopCallFrame):
222         * jit/JITOpcodes32_64.cpp:
223         (JSC::JIT::privateCompileCTINativeCall):
224         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
225         * jit/JITStubs.cpp:
226         (JSC::throwExceptionFromOpCall):
227         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
228         (JSC::cti_vm_handle_exception):
229         - Check for the case when there are no more frames to unwind.
230         * jit/JITStubs.h:
231         * jit/JITStubsARM.h:
232         * jit/JITStubsARMv7.h:
233         * jit/JITStubsMIPS.h:
234         * jit/JITStubsSH4.h:
235         * jit/JITStubsX86.h:
236         * jit/JITStubsX86_64.h:
237         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
238         * jit/SlowPathCall.h:
239         (JSC::JITSlowPathCall::call):
240         - Reload cfr from topCallFrame when handling an exception.
241         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
242         * jit/ThunkGenerators.cpp:
243         (JSC::nativeForGenerator):
244         * llint/LowLevelInterpreter32_64.asm:
245         * llint/LowLevelInterpreter64.asm:
246         - Reload cfr from topCallFrame when handling an exception.
247         * runtime/VM.cpp:
248         (JSC::VM::VM):
249         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
250
251 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
252
253         Remove some code duplication.
254         
255         Rubber stamped by Mark Hahnenberg.
256
257         * runtime/JSDataViewPrototype.cpp:
258         (JSC::getData):
259         (JSC::setData):
260
261 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
262
263         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
264         https://bugs.webkit.org/show_bug.cgi?id=119794
265
266         Reviewed by Filip Pizlo.
267
268         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
269
270         * dfg/DFGUseKind.h:
271         (JSC::DFG::isNumerical):
272         (JSC::DFG::isDouble):
273
274 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
275
276         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
277
278         Rubber stamped by Oliver Hunt.
279         
280         This was causing some test crashes for me.
281
282         * dfg/DFGCapabilities.cpp:
283         (JSC::DFG::capabilityLevel):
284
285 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
286
287         [Windows] Clear up improper export declaration.
288
289         * runtime/ArrayBufferView.h:
290
291 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
292
293         Unreviewed, remove some unnecessary periods from exceptions.
294
295         * runtime/JSDataViewPrototype.cpp:
296         (JSC::getData):
297         (JSC::setData):
298
299 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
300
301         Unreviewed, fix 32-bit build.
302
303         * dfg/DFGSpeculativeJIT32_64.cpp:
304         (JSC::DFG::SpeculativeJIT::compile):
305
306 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
307
308         Typed arrays should be rewritten
309         https://bugs.webkit.org/show_bug.cgi?id=119064
310
311         Reviewed by Oliver Hunt.
312         
313         Typed arrays were previously deficient in several major ways:
314         
315         - They were defined separately in WebCore and in the jsc shell. The two
316           implementations were different, and the jsc shell one was basically wrong.
317           The WebCore one was quite awful, also.
318         
319         - Typed arrays were not visible to the JIT except through some weird hooks.
320           For example, the JIT could not ask "what is the Structure that this typed
321           array would have if I just allocated it from this global object". Also,
322           it was difficult to wire any of the typed array intrinsics, because most
323           of the functionality wasn't visible anywhere in JSC.
324         
325         - Typed array allocation was brain-dead. Allocating a typed array involved
326           two JS objects, two GC weak handles, and three malloc allocations.
327         
328         - Neutering. It involved keeping tabs on all native views but not the view
329           wrappers, even though the native views can autoneuter just by asking the
330           buffer if it was neutered anytime you touch them; while the JS view
331           wrappers are the ones that you really want to reach out to.
332         
333         - Common case-ing. Most typed arrays have one buffer and one view, and
334           usually nobody touches the buffer. Yet we created all of that stuff
335           anyway, using data structures optimized for the case where you had a lot
336           of views.
337         
338         - Semantic goofs. Typed arrays should, in the future, behave like ES
339           features rather than DOM features, for example when it comes to exceptions.
340           Firefox already does this and I agree with them.
341         
342         This patch cleanses our codebase of these sins:
343         
344         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
345           management of native references to buffers is left to WebCore.
346         
347         - Allocating a typed array requires either two GC allocations (a cell and a
348           copied storage vector) or one GC allocation, a malloc allocation, and a
349           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
350           latter). The latter is only used for oversize arrays. Remember that before
351           it was 7 allocations no matter what.
352         
353         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
354           mode/length, void* vector. Before it was a lot more than that - remember,
355           there were five additional objects that did absolutely nothing for anybody.
356         
357         - Native views aren't tracked by the buffer, or by the wrappers. They are
358           transient. In the future we'll probably switch to not even having them be
359           malloc'd.
360         
361         - Native array buffers have an efficient way of tracking all of their JS view
362           wrappers, both for neutering, and for lifecycle management. The GC
363           special-cases native array buffers. This saves a bunch of grief; for example
364           it means that a JS view wrapper can refer to its buffer via the butterfly,
365           which would be dead by the time we went to finalize.
366         
367         - Typed array semantics now match Firefox, which also happens to be where the
368           standards are going. The discussion on webkit-dev seemed to confirm that
369           Chrome is also heading in this direction. This includes making
370           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
371           ArrayBufferView as a JS-visible construct.
372         
373         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
374         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
375         further typed array optimizations in the JSC JITs, including inlining typed
376         array allocation, inlining more of the accessors, reducing the cost of type
377         checks, etc.
378         
379         An additional property of this patch is that typed arrays are mostly
380         implemented using templates. This deduplicates a bunch of code, but does mean
381         that we need some hacks for exporting s_info's of template classes. See
382         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
383         low-impact compared to code duplication.
384         
385         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
386
387         * CMakeLists.txt:
388         * DerivedSources.make:
389         * GNUmakefile.list.am:
390         * JSCTypedArrayStubs.h: Removed.
391         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
392         * JavaScriptCore.xcodeproj/project.pbxproj:
393         * Target.pri:
394         * bytecode/ByValInfo.h:
395         (JSC::hasOptimizableIndexingForClassInfo):
396         (JSC::jitArrayModeForClassInfo):
397         (JSC::typedArrayTypeForJITArrayMode):
398         * bytecode/SpeculatedType.cpp:
399         (JSC::speculationFromClassInfo):
400         * dfg/DFGArrayMode.cpp:
401         (JSC::DFG::toTypedArrayType):
402         * dfg/DFGArrayMode.h:
403         (JSC::DFG::ArrayMode::typedArrayType):
404         * dfg/DFGSpeculativeJIT.cpp:
405         (JSC::DFG::SpeculativeJIT::checkArray):
406         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
407         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
408         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
409         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
410         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
411         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
412         * dfg/DFGSpeculativeJIT.h:
413         * dfg/DFGSpeculativeJIT32_64.cpp:
414         (JSC::DFG::SpeculativeJIT::compile):
415         * dfg/DFGSpeculativeJIT64.cpp:
416         (JSC::DFG::SpeculativeJIT::compile):
417         * heap/CopyToken.h:
418         * heap/DeferGC.h:
419         (JSC::DeferGCForAWhile::DeferGCForAWhile):
420         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
421         * heap/GCIncomingRefCounted.h: Added.
422         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
423         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
424         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
425         (JSC::GCIncomingRefCounted::incomingReferenceAt):
426         (JSC::GCIncomingRefCounted::singletonFlag):
427         (JSC::GCIncomingRefCounted::hasVectorOfCells):
428         (JSC::GCIncomingRefCounted::hasAnyIncoming):
429         (JSC::GCIncomingRefCounted::hasSingleton):
430         (JSC::GCIncomingRefCounted::singleton):
431         (JSC::GCIncomingRefCounted::vectorOfCells):
432         * heap/GCIncomingRefCountedInlines.h: Added.
433         (JSC::::addIncomingReference):
434         (JSC::::filterIncomingReferences):
435         * heap/GCIncomingRefCountedSet.h: Added.
436         (JSC::GCIncomingRefCountedSet::size):
437         * heap/GCIncomingRefCountedSetInlines.h: Added.
438         (JSC::::GCIncomingRefCountedSet):
439         (JSC::::~GCIncomingRefCountedSet):
440         (JSC::::addReference):
441         (JSC::::sweep):
442         (JSC::::removeAll):
443         (JSC::::removeDead):
444         * heap/Heap.cpp:
445         (JSC::Heap::addReference):
446         (JSC::Heap::extraSize):
447         (JSC::Heap::size):
448         (JSC::Heap::capacity):
449         (JSC::Heap::collect):
450         (JSC::Heap::decrementDeferralDepth):
451         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
452         * heap/Heap.h:
453         * interpreter/CallFrame.h:
454         (JSC::ExecState::dataViewTable):
455         * jit/JIT.h:
456         * jit/JITPropertyAccess.cpp:
457         (JSC::JIT::privateCompileGetByVal):
458         (JSC::JIT::privateCompilePutByVal):
459         (JSC::JIT::emitIntTypedArrayGetByVal):
460         (JSC::JIT::emitFloatTypedArrayGetByVal):
461         (JSC::JIT::emitIntTypedArrayPutByVal):
462         (JSC::JIT::emitFloatTypedArrayPutByVal):
463         * jsc.cpp:
464         (GlobalObject::finishCreation):
465         * runtime/ArrayBuffer.cpp:
466         (JSC::ArrayBuffer::transfer):
467         * runtime/ArrayBuffer.h:
468         (JSC::ArrayBuffer::createAdopted):
469         (JSC::ArrayBuffer::ArrayBuffer):
470         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
471         (JSC::ArrayBuffer::pin):
472         (JSC::ArrayBuffer::unpin):
473         (JSC::ArrayBufferContents::tryAllocate):
474         * runtime/ArrayBufferView.cpp:
475         (JSC::ArrayBufferView::ArrayBufferView):
476         (JSC::ArrayBufferView::~ArrayBufferView):
477         (JSC::ArrayBufferView::setNeuterable):
478         * runtime/ArrayBufferView.h:
479         (JSC::ArrayBufferView::isNeutered):
480         (JSC::ArrayBufferView::buffer):
481         (JSC::ArrayBufferView::baseAddress):
482         (JSC::ArrayBufferView::byteOffset):
483         (JSC::ArrayBufferView::verifySubRange):
484         (JSC::ArrayBufferView::clampOffsetAndNumElements):
485         (JSC::ArrayBufferView::calculateOffsetAndLength):
486         * runtime/ClassInfo.h:
487         * runtime/CommonIdentifiers.h:
488         * runtime/DataView.cpp: Added.
489         (JSC::DataView::DataView):
490         (JSC::DataView::create):
491         (JSC::DataView::wrap):
492         * runtime/DataView.h: Added.
493         (JSC::DataView::byteLength):
494         (JSC::DataView::getType):
495         (JSC::DataView::get):
496         (JSC::DataView::set):
497         * runtime/Float32Array.h:
498         * runtime/Float64Array.h:
499         * runtime/GenericTypedArrayView.h: Added.
500         (JSC::GenericTypedArrayView::data):
501         (JSC::GenericTypedArrayView::set):
502         (JSC::GenericTypedArrayView::setRange):
503         (JSC::GenericTypedArrayView::zeroRange):
504         (JSC::GenericTypedArrayView::zeroFill):
505         (JSC::GenericTypedArrayView::length):
506         (JSC::GenericTypedArrayView::byteLength):
507         (JSC::GenericTypedArrayView::item):
508         (JSC::GenericTypedArrayView::checkInboundData):
509         (JSC::GenericTypedArrayView::getType):
510         * runtime/GenericTypedArrayViewInlines.h: Added.
511         (JSC::::GenericTypedArrayView):
512         (JSC::::create):
513         (JSC::::createUninitialized):
514         (JSC::::subarray):
515         (JSC::::wrap):
516         * runtime/IndexingHeader.h:
517         (JSC::IndexingHeader::arrayBuffer):
518         (JSC::IndexingHeader::setArrayBuffer):
519         * runtime/Int16Array.h:
520         * runtime/Int32Array.h:
521         * runtime/Int8Array.h:
522         * runtime/JSArrayBuffer.cpp: Added.
523         (JSC::JSArrayBuffer::JSArrayBuffer):
524         (JSC::JSArrayBuffer::finishCreation):
525         (JSC::JSArrayBuffer::create):
526         (JSC::JSArrayBuffer::createStructure):
527         (JSC::JSArrayBuffer::getOwnPropertySlot):
528         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
529         (JSC::JSArrayBuffer::put):
530         (JSC::JSArrayBuffer::defineOwnProperty):
531         (JSC::JSArrayBuffer::deleteProperty):
532         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
533         * runtime/JSArrayBuffer.h: Added.
534         (JSC::JSArrayBuffer::impl):
535         (JSC::toArrayBuffer):
536         * runtime/JSArrayBufferConstructor.cpp: Added.
537         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
538         (JSC::JSArrayBufferConstructor::finishCreation):
539         (JSC::JSArrayBufferConstructor::create):
540         (JSC::JSArrayBufferConstructor::createStructure):
541         (JSC::constructArrayBuffer):
542         (JSC::JSArrayBufferConstructor::getConstructData):
543         (JSC::JSArrayBufferConstructor::getCallData):
544         * runtime/JSArrayBufferConstructor.h: Added.
545         * runtime/JSArrayBufferPrototype.cpp: Added.
546         (JSC::arrayBufferProtoFuncSlice):
547         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
548         (JSC::JSArrayBufferPrototype::finishCreation):
549         (JSC::JSArrayBufferPrototype::create):
550         (JSC::JSArrayBufferPrototype::createStructure):
551         * runtime/JSArrayBufferPrototype.h: Added.
552         * runtime/JSArrayBufferView.cpp: Added.
553         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
554         (JSC::JSArrayBufferView::JSArrayBufferView):
555         (JSC::JSArrayBufferView::finishCreation):
556         (JSC::JSArrayBufferView::getOwnPropertySlot):
557         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
558         (JSC::JSArrayBufferView::put):
559         (JSC::JSArrayBufferView::defineOwnProperty):
560         (JSC::JSArrayBufferView::deleteProperty):
561         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
562         (JSC::JSArrayBufferView::finalize):
563         * runtime/JSArrayBufferView.h: Added.
564         (JSC::JSArrayBufferView::sizeOf):
565         (JSC::JSArrayBufferView::ConstructionContext::operator!):
566         (JSC::JSArrayBufferView::ConstructionContext::structure):
567         (JSC::JSArrayBufferView::ConstructionContext::vector):
568         (JSC::JSArrayBufferView::ConstructionContext::length):
569         (JSC::JSArrayBufferView::ConstructionContext::mode):
570         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
571         (JSC::JSArrayBufferView::mode):
572         (JSC::JSArrayBufferView::vector):
573         (JSC::JSArrayBufferView::length):
574         (JSC::JSArrayBufferView::offsetOfVector):
575         (JSC::JSArrayBufferView::offsetOfLength):
576         (JSC::JSArrayBufferView::offsetOfMode):
577         * runtime/JSArrayBufferViewInlines.h: Added.
578         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
579         (JSC::JSArrayBufferView::buffer):
580         (JSC::JSArrayBufferView::impl):
581         (JSC::JSArrayBufferView::neuter):
582         (JSC::JSArrayBufferView::byteOffset):
583         * runtime/JSCell.cpp:
584         (JSC::JSCell::slowDownAndWasteMemory):
585         (JSC::JSCell::getTypedArrayImpl):
586         * runtime/JSCell.h:
587         * runtime/JSDataView.cpp: Added.
588         (JSC::JSDataView::JSDataView):
589         (JSC::JSDataView::create):
590         (JSC::JSDataView::createUninitialized):
591         (JSC::JSDataView::set):
592         (JSC::JSDataView::typedImpl):
593         (JSC::JSDataView::getOwnPropertySlot):
594         (JSC::JSDataView::getOwnPropertyDescriptor):
595         (JSC::JSDataView::slowDownAndWasteMemory):
596         (JSC::JSDataView::getTypedArrayImpl):
597         (JSC::JSDataView::createStructure):
598         * runtime/JSDataView.h: Added.
599         * runtime/JSDataViewPrototype.cpp: Added.
600         (JSC::JSDataViewPrototype::JSDataViewPrototype):
601         (JSC::JSDataViewPrototype::create):
602         (JSC::JSDataViewPrototype::createStructure):
603         (JSC::JSDataViewPrototype::getOwnPropertySlot):
604         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
605         (JSC::getData):
606         (JSC::setData):
607         (JSC::dataViewProtoFuncGetInt8):
608         (JSC::dataViewProtoFuncGetInt16):
609         (JSC::dataViewProtoFuncGetInt32):
610         (JSC::dataViewProtoFuncGetUint8):
611         (JSC::dataViewProtoFuncGetUint16):
612         (JSC::dataViewProtoFuncGetUint32):
613         (JSC::dataViewProtoFuncGetFloat32):
614         (JSC::dataViewProtoFuncGetFloat64):
615         (JSC::dataViewProtoFuncSetInt8):
616         (JSC::dataViewProtoFuncSetInt16):
617         (JSC::dataViewProtoFuncSetInt32):
618         (JSC::dataViewProtoFuncSetUint8):
619         (JSC::dataViewProtoFuncSetUint16):
620         (JSC::dataViewProtoFuncSetUint32):
621         (JSC::dataViewProtoFuncSetFloat32):
622         (JSC::dataViewProtoFuncSetFloat64):
623         * runtime/JSDataViewPrototype.h: Added.
624         * runtime/JSFloat32Array.h: Added.
625         * runtime/JSFloat64Array.h: Added.
626         * runtime/JSGenericTypedArrayView.h: Added.
627         (JSC::JSGenericTypedArrayView::byteLength):
628         (JSC::JSGenericTypedArrayView::byteSize):
629         (JSC::JSGenericTypedArrayView::typedVector):
630         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
631         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
632         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
633         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
634         (JSC::JSGenericTypedArrayView::getIndexQuickly):
635         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
636         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
637         (JSC::JSGenericTypedArrayView::setIndexQuickly):
638         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
639         (JSC::JSGenericTypedArrayView::typedImpl):
640         (JSC::JSGenericTypedArrayView::createStructure):
641         (JSC::JSGenericTypedArrayView::info):
642         (JSC::toNativeTypedView):
643         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
644         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
645         (JSC::::JSGenericTypedArrayViewConstructor):
646         (JSC::::finishCreation):
647         (JSC::::create):
648         (JSC::::createStructure):
649         (JSC::constructGenericTypedArrayView):
650         (JSC::::getConstructData):
651         (JSC::::getCallData):
652         * runtime/JSGenericTypedArrayViewInlines.h: Added.
653         (JSC::::JSGenericTypedArrayView):
654         (JSC::::create):
655         (JSC::::createUninitialized):
656         (JSC::::validateRange):
657         (JSC::::setWithSpecificType):
658         (JSC::::set):
659         (JSC::::getOwnPropertySlot):
660         (JSC::::getOwnPropertyDescriptor):
661         (JSC::::put):
662         (JSC::::defineOwnProperty):
663         (JSC::::deleteProperty):
664         (JSC::::getOwnPropertySlotByIndex):
665         (JSC::::putByIndex):
666         (JSC::::deletePropertyByIndex):
667         (JSC::::getOwnNonIndexPropertyNames):
668         (JSC::::getOwnPropertyNames):
669         (JSC::::visitChildren):
670         (JSC::::copyBackingStore):
671         (JSC::::slowDownAndWasteMemory):
672         (JSC::::getTypedArrayImpl):
673         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
674         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
675         (JSC::genericTypedArrayViewProtoFuncSet):
676         (JSC::genericTypedArrayViewProtoFuncSubarray):
677         (JSC::::JSGenericTypedArrayViewPrototype):
678         (JSC::::finishCreation):
679         (JSC::::create):
680         (JSC::::createStructure):
681         * runtime/JSGlobalObject.cpp:
682         (JSC::JSGlobalObject::reset):
683         (JSC::JSGlobalObject::visitChildren):
684         * runtime/JSGlobalObject.h:
685         (JSC::JSGlobalObject::arrayBufferPrototype):
686         (JSC::JSGlobalObject::arrayBufferStructure):
687         (JSC::JSGlobalObject::typedArrayStructure):
688         * runtime/JSInt16Array.h: Added.
689         * runtime/JSInt32Array.h: Added.
690         * runtime/JSInt8Array.h: Added.
691         * runtime/JSTypedArrayConstructors.cpp: Added.
692         * runtime/JSTypedArrayConstructors.h: Added.
693         * runtime/JSTypedArrayPrototypes.cpp: Added.
694         * runtime/JSTypedArrayPrototypes.h: Added.
695         * runtime/JSTypedArrays.cpp: Added.
696         * runtime/JSTypedArrays.h: Added.
697         * runtime/JSUint16Array.h: Added.
698         * runtime/JSUint32Array.h: Added.
699         * runtime/JSUint8Array.h: Added.
700         * runtime/JSUint8ClampedArray.h: Added.
701         * runtime/Operations.h:
702         * runtime/Options.h:
703         * runtime/SimpleTypedArrayController.cpp: Added.
704         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
705         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
706         (JSC::SimpleTypedArrayController::toJS):
707         * runtime/SimpleTypedArrayController.h: Added.
708         * runtime/Structure.h:
709         (JSC::Structure::couldHaveIndexingHeader):
710         * runtime/StructureInlines.h:
711         (JSC::Structure::hasIndexingHeader):
712         * runtime/TypedArrayAdaptors.h: Added.
713         (JSC::IntegralTypedArrayAdaptor::toNative):
714         (JSC::IntegralTypedArrayAdaptor::toJSValue):
715         (JSC::IntegralTypedArrayAdaptor::toDouble):
716         (JSC::FloatTypedArrayAdaptor::toNative):
717         (JSC::FloatTypedArrayAdaptor::toJSValue):
718         (JSC::FloatTypedArrayAdaptor::toDouble):
719         (JSC::Uint8ClampedAdaptor::toNative):
720         (JSC::Uint8ClampedAdaptor::toJSValue):
721         (JSC::Uint8ClampedAdaptor::toDouble):
722         (JSC::Uint8ClampedAdaptor::clamp):
723         * runtime/TypedArrayController.cpp: Added.
724         (JSC::TypedArrayController::TypedArrayController):
725         (JSC::TypedArrayController::~TypedArrayController):
726         * runtime/TypedArrayController.h: Added.
727         * runtime/TypedArrayDescriptor.h: Removed.
728         * runtime/TypedArrayInlines.h: Added.
729         * runtime/TypedArrayType.cpp: Added.
730         (JSC::classInfoForType):
731         (WTF::printInternal):
732         * runtime/TypedArrayType.h: Added.
733         (JSC::toIndex):
734         (JSC::isTypedView):
735         (JSC::elementSize):
736         (JSC::isInt):
737         (JSC::isFloat):
738         (JSC::isSigned):
739         (JSC::isClamped):
740         * runtime/TypedArrays.h: Added.
741         * runtime/Uint16Array.h:
742         * runtime/Uint32Array.h:
743         * runtime/Uint8Array.h:
744         * runtime/Uint8ClampedArray.h:
745         * runtime/VM.cpp:
746         (JSC::VM::VM):
747         (JSC::VM::~VM):
748         * runtime/VM.h:
749
750 2013-08-15  Oliver Hunt  <oliver@apple.com>
751
752         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
753
754         Reviewed by Filip Pizlo.
755
756         Make sure dfgCapabilities doesn't report a Dynamic put as
757         being compilable when we don't actually support it.
758
759         * bytecode/CodeBlock.cpp:
760         (JSC::CodeBlock::dumpBytecode):
761         * dfg/DFGCapabilities.cpp:
762         (JSC::DFG::capabilityLevel):
763
764 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
765
766         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
767         https://bugs.webkit.org/show_bug.cgi?id=119847
768
769         Reviewed by Oliver Hunt.
770
771         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
772         * runtime/ArrayBufferView.h: Ditto.
773
774 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
775
776         https://bugs.webkit.org/show_bug.cgi?id=119843
777         PropertySlot::setValue is ambiguous
778
779         Reviewed by Geoff Garen.
780
781         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
782         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
783         Unify on always providing the object, and remove the version that just takes a value.
784         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
785         Provide a version of setValue that takes a JSString as the owner of the property.
786         We won't store this, but it makes it clear that this interface should only be used from JSString.
787
788         * API/JSCallbackObjectFunctions.h:
789         (JSC::::getOwnPropertySlot):
790         * JSCTypedArrayStubs.h:
791         * runtime/Arguments.cpp:
792         (JSC::Arguments::getOwnPropertySlotByIndex):
793         (JSC::Arguments::getOwnPropertySlot):
794         * runtime/JSActivation.cpp:
795         (JSC::JSActivation::symbolTableGet):
796         (JSC::JSActivation::getOwnPropertySlot):
797         * runtime/JSArray.cpp:
798         (JSC::JSArray::getOwnPropertySlot):
799         * runtime/JSObject.cpp:
800         (JSC::JSObject::getOwnPropertySlotByIndex):
801         * runtime/JSString.h:
802         (JSC::JSString::getStringPropertySlot):
803         * runtime/JSSymbolTableObject.h:
804         (JSC::symbolTableGet):
805         * runtime/SparseArrayValueMap.cpp:
806         (JSC::SparseArrayEntry::get):
807             - Pass object containing property to PropertySlot::setValue
808         * runtime/PropertySlot.h:
809         (JSC::PropertySlot::setValue):
810             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
811         (JSC::PropertySlot::setUndefined):
812             - removed setValue(JSValue), added setValue(JSString*, JSValue)
813
814 2013-08-15  Oliver Hunt  <oliver@apple.com>
815
816         Remove bogus assertion.
817
818         RS=Filip Pizlo
819
820         * dfg/DFGAbstractInterpreterInlines.h:
821         (JSC::DFG::::executeEffects):
822
823 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
824
825         REGRESSION(r148790) Made 7 tests fail on x86 32bit
826         https://bugs.webkit.org/show_bug.cgi?id=114913
827
828         Reviewed by Filip Pizlo.
829
830         The X87 register was not freed before some calls. Instead
831         of inserting resetX87Registers to the last call sites,
832         the two X87 registers are now freed in every call.
833
834         * llint/LowLevelInterpreter32_64.asm:
835         * llint/LowLevelInterpreter64.asm:
836         * offlineasm/instructions.rb:
837         * offlineasm/x86.rb:
838
839 2013-08-14  Michael Saboff  <msaboff@apple.com>
840
841         Fixed jit on Win64.
842         https://bugs.webkit.org/show_bug.cgi?id=119601
843
844         Reviewed by Oliver Hunt.
845
846         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
847         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
848         * jit/SlowPathCall.h:
849         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
850
851 2013-08-14  Alex Christensen  <achristensen@apple.com>
852
853         Compile fix for Win64 with jit disabled.
854         https://bugs.webkit.org/show_bug.cgi?id=119804
855
856         Reviewed by Michael Saboff.
857
858         * offlineasm/cloop.rb: Added std:: before isnan.
859
860 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
861
862         DFG_JIT implementation for sh4 architecture.
863         https://bugs.webkit.org/show_bug.cgi?id=119737
864
865         Reviewed by Oliver Hunt.
866
867         * assembler/MacroAssemblerSH4.h:
868         (JSC::MacroAssemblerSH4::invert):
869         (JSC::MacroAssemblerSH4::add32):
870         (JSC::MacroAssemblerSH4::and32):
871         (JSC::MacroAssemblerSH4::lshift32):
872         (JSC::MacroAssemblerSH4::mul32):
873         (JSC::MacroAssemblerSH4::or32):
874         (JSC::MacroAssemblerSH4::rshift32):
875         (JSC::MacroAssemblerSH4::sub32):
876         (JSC::MacroAssemblerSH4::xor32):
877         (JSC::MacroAssemblerSH4::store32):
878         (JSC::MacroAssemblerSH4::swapDouble):
879         (JSC::MacroAssemblerSH4::storeDouble):
880         (JSC::MacroAssemblerSH4::subDouble):
881         (JSC::MacroAssemblerSH4::mulDouble):
882         (JSC::MacroAssemblerSH4::divDouble):
883         (JSC::MacroAssemblerSH4::negateDouble):
884         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
885         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
886         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
887         (JSC::MacroAssemblerSH4::swap):
888         (JSC::MacroAssemblerSH4::jump):
889         (JSC::MacroAssemblerSH4::branchNeg32):
890         (JSC::MacroAssemblerSH4::branchAdd32):
891         (JSC::MacroAssemblerSH4::branchMul32):
892         (JSC::MacroAssemblerSH4::urshift32):
893         * assembler/SH4Assembler.h:
894         (JSC::SH4Assembler::SH4Assembler):
895         (JSC::SH4Assembler::labelForWatchpoint):
896         (JSC::SH4Assembler::label):
897         (JSC::SH4Assembler::debugOffset):
898         * dfg/DFGAssemblyHelpers.h:
899         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
900         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
901         (JSC::DFG::AssemblyHelpers::debugCall):
902         * dfg/DFGCCallHelpers.h:
903         (JSC::DFG::CCallHelpers::setupArguments):
904         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
905         * dfg/DFGFPRInfo.h:
906         (JSC::DFG::FPRInfo::toRegister):
907         (JSC::DFG::FPRInfo::toIndex):
908         (JSC::DFG::FPRInfo::debugName):
909         * dfg/DFGGPRInfo.h:
910         (JSC::DFG::GPRInfo::toRegister):
911         (JSC::DFG::GPRInfo::toIndex):
912         (JSC::DFG::GPRInfo::debugName):
913         * dfg/DFGOperations.cpp:
914         * dfg/DFGSpeculativeJIT.h:
915         (JSC::DFG::SpeculativeJIT::callOperation):
916         * jit/JITStubs.h:
917         * jit/JITStubsSH4.h:
918
919 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
920
921         Unreviewed, fix build.
922
923         * API/JSValue.mm:
924         (isDate):
925         (isArray):
926         * API/JSWrapperMap.mm:
927         (tryUnwrapObjcObject):
928         * API/ObjCCallbackFunction.mm:
929         (tryUnwrapBlock):
930
931 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
932
933         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
934         https://bugs.webkit.org/show_bug.cgi?id=119770
935
936         Reviewed by Mark Hahnenberg.
937
938         * API/JSCallbackConstructor.cpp:
939         (JSC::JSCallbackConstructor::finishCreation):
940         * API/JSCallbackConstructor.h:
941         (JSC::JSCallbackConstructor::createStructure):
942         * API/JSCallbackFunction.cpp:
943         (JSC::JSCallbackFunction::finishCreation):
944         * API/JSCallbackFunction.h:
945         (JSC::JSCallbackFunction::createStructure):
946         * API/JSCallbackObject.cpp:
947         (JSC::::createStructure):
948         * API/JSCallbackObject.h:
949         (JSC::JSCallbackObject::visitChildren):
950         * API/JSCallbackObjectFunctions.h:
951         (JSC::::asCallbackObject):
952         (JSC::::finishCreation):
953         * API/JSObjectRef.cpp:
954         (JSObjectGetPrivate):
955         (JSObjectSetPrivate):
956         (JSObjectGetPrivateProperty):
957         (JSObjectSetPrivateProperty):
958         (JSObjectDeletePrivateProperty):
959         * API/JSValueRef.cpp:
960         (JSValueIsObjectOfClass):
961         * API/JSWeakObjectMapRefPrivate.cpp:
962         * API/ObjCCallbackFunction.h:
963         (JSC::ObjCCallbackFunction::createStructure):
964         * JSCTypedArrayStubs.h:
965         * bytecode/CallLinkStatus.cpp:
966         (JSC::CallLinkStatus::CallLinkStatus):
967         (JSC::CallLinkStatus::function):
968         (JSC::CallLinkStatus::internalFunction):
969         * bytecode/CodeBlock.h:
970         (JSC::baselineCodeBlockForInlineCallFrame):
971         * bytecode/SpeculatedType.cpp:
972         (JSC::speculationFromClassInfo):
973         * bytecode/UnlinkedCodeBlock.cpp:
974         (JSC::UnlinkedFunctionExecutable::visitChildren):
975         (JSC::UnlinkedCodeBlock::visitChildren):
976         (JSC::UnlinkedProgramCodeBlock::visitChildren):
977         * bytecode/UnlinkedCodeBlock.h:
978         (JSC::UnlinkedFunctionExecutable::createStructure):
979         (JSC::UnlinkedProgramCodeBlock::createStructure):
980         (JSC::UnlinkedEvalCodeBlock::createStructure):
981         (JSC::UnlinkedFunctionCodeBlock::createStructure):
982         * debugger/Debugger.cpp:
983         * debugger/DebuggerActivation.cpp:
984         (JSC::DebuggerActivation::visitChildren):
985         * debugger/DebuggerActivation.h:
986         (JSC::DebuggerActivation::createStructure):
987         * debugger/DebuggerCallFrame.cpp:
988         (JSC::DebuggerCallFrame::functionName):
989         * dfg/DFGAbstractInterpreterInlines.h:
990         (JSC::DFG::::executeEffects):
991         * dfg/DFGByteCodeParser.cpp:
992         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
993         (JSC::DFG::ByteCodeParser::parseBlock):
994         * dfg/DFGFixupPhase.cpp:
995         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
996         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
997         * dfg/DFGGraph.cpp:
998         (JSC::DFG::Graph::dump):
999         * dfg/DFGGraph.h:
1000         (JSC::DFG::Graph::isInternalFunctionConstant):
1001         * dfg/DFGOperations.cpp:
1002         * dfg/DFGSpeculativeJIT.cpp:
1003         (JSC::DFG::SpeculativeJIT::checkArray):
1004         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1005         * dfg/DFGThunks.cpp:
1006         (JSC::DFG::virtualForThunkGenerator):
1007         * interpreter/Interpreter.cpp:
1008         (JSC::loadVarargs):
1009         * jsc.cpp:
1010         (GlobalObject::createStructure):
1011         * profiler/LegacyProfiler.cpp:
1012         (JSC::LegacyProfiler::createCallIdentifier):
1013         * runtime/Arguments.cpp:
1014         (JSC::Arguments::visitChildren):
1015         * runtime/Arguments.h:
1016         (JSC::Arguments::createStructure):
1017         (JSC::asArguments):
1018         (JSC::Arguments::finishCreation):
1019         * runtime/ArrayConstructor.cpp:
1020         (JSC::arrayConstructorIsArray):
1021         * runtime/ArrayConstructor.h:
1022         (JSC::ArrayConstructor::createStructure):
1023         * runtime/ArrayPrototype.cpp:
1024         (JSC::ArrayPrototype::finishCreation):
1025         (JSC::arrayProtoFuncConcat):
1026         (JSC::attemptFastSort):
1027         * runtime/ArrayPrototype.h:
1028         (JSC::ArrayPrototype::createStructure):
1029         * runtime/BooleanConstructor.h:
1030         (JSC::BooleanConstructor::createStructure):
1031         * runtime/BooleanObject.cpp:
1032         (JSC::BooleanObject::finishCreation):
1033         * runtime/BooleanObject.h:
1034         (JSC::BooleanObject::createStructure):
1035         (JSC::asBooleanObject):
1036         * runtime/BooleanPrototype.cpp:
1037         (JSC::BooleanPrototype::finishCreation):
1038         (JSC::booleanProtoFuncToString):
1039         (JSC::booleanProtoFuncValueOf):
1040         * runtime/BooleanPrototype.h:
1041         (JSC::BooleanPrototype::createStructure):
1042         * runtime/DateConstructor.cpp:
1043         (JSC::constructDate):
1044         * runtime/DateConstructor.h:
1045         (JSC::DateConstructor::createStructure):
1046         * runtime/DateInstance.cpp:
1047         (JSC::DateInstance::finishCreation):
1048         * runtime/DateInstance.h:
1049         (JSC::DateInstance::createStructure):
1050         (JSC::asDateInstance):
1051         * runtime/DatePrototype.cpp:
1052         (JSC::formateDateInstance):
1053         (JSC::DatePrototype::finishCreation):
1054         (JSC::dateProtoFuncToISOString):
1055         (JSC::dateProtoFuncToLocaleString):
1056         (JSC::dateProtoFuncToLocaleDateString):
1057         (JSC::dateProtoFuncToLocaleTimeString):
1058         (JSC::dateProtoFuncGetTime):
1059         (JSC::dateProtoFuncGetFullYear):
1060         (JSC::dateProtoFuncGetUTCFullYear):
1061         (JSC::dateProtoFuncGetMonth):
1062         (JSC::dateProtoFuncGetUTCMonth):
1063         (JSC::dateProtoFuncGetDate):
1064         (JSC::dateProtoFuncGetUTCDate):
1065         (JSC::dateProtoFuncGetDay):
1066         (JSC::dateProtoFuncGetUTCDay):
1067         (JSC::dateProtoFuncGetHours):
1068         (JSC::dateProtoFuncGetUTCHours):
1069         (JSC::dateProtoFuncGetMinutes):
1070         (JSC::dateProtoFuncGetUTCMinutes):
1071         (JSC::dateProtoFuncGetSeconds):
1072         (JSC::dateProtoFuncGetUTCSeconds):
1073         (JSC::dateProtoFuncGetMilliSeconds):
1074         (JSC::dateProtoFuncGetUTCMilliseconds):
1075         (JSC::dateProtoFuncGetTimezoneOffset):
1076         (JSC::dateProtoFuncSetTime):
1077         (JSC::setNewValueFromTimeArgs):
1078         (JSC::setNewValueFromDateArgs):
1079         (JSC::dateProtoFuncSetYear):
1080         (JSC::dateProtoFuncGetYear):
1081         * runtime/DatePrototype.h:
1082         (JSC::DatePrototype::createStructure):
1083         * runtime/Error.h:
1084         (JSC::StrictModeTypeErrorFunction::createStructure):
1085         * runtime/ErrorConstructor.h:
1086         (JSC::ErrorConstructor::createStructure):
1087         * runtime/ErrorInstance.cpp:
1088         (JSC::ErrorInstance::finishCreation):
1089         * runtime/ErrorInstance.h:
1090         (JSC::ErrorInstance::createStructure):
1091         * runtime/ErrorPrototype.cpp:
1092         (JSC::ErrorPrototype::finishCreation):
1093         * runtime/ErrorPrototype.h:
1094         (JSC::ErrorPrototype::createStructure):
1095         * runtime/ExceptionHelpers.cpp:
1096         (JSC::isTerminatedExecutionException):
1097         * runtime/ExceptionHelpers.h:
1098         (JSC::TerminatedExecutionError::createStructure):
1099         * runtime/Executable.cpp:
1100         (JSC::EvalExecutable::visitChildren):
1101         (JSC::ProgramExecutable::visitChildren):
1102         (JSC::FunctionExecutable::visitChildren):
1103         (JSC::ExecutableBase::hashFor):
1104         * runtime/Executable.h:
1105         (JSC::ExecutableBase::createStructure):
1106         (JSC::NativeExecutable::createStructure):
1107         (JSC::EvalExecutable::createStructure):
1108         (JSC::ProgramExecutable::createStructure):
1109         (JSC::FunctionExecutable::compileFor):
1110         (JSC::FunctionExecutable::compileOptimizedFor):
1111         (JSC::FunctionExecutable::createStructure):
1112         * runtime/FunctionConstructor.h:
1113         (JSC::FunctionConstructor::createStructure):
1114         * runtime/FunctionPrototype.cpp:
1115         (JSC::functionProtoFuncToString):
1116         (JSC::functionProtoFuncApply):
1117         (JSC::functionProtoFuncBind):
1118         * runtime/FunctionPrototype.h:
1119         (JSC::FunctionPrototype::createStructure):
1120         * runtime/GetterSetter.cpp:
1121         (JSC::GetterSetter::visitChildren):
1122         * runtime/GetterSetter.h:
1123         (JSC::GetterSetter::createStructure):
1124         * runtime/InternalFunction.cpp:
1125         (JSC::InternalFunction::finishCreation):
1126         * runtime/InternalFunction.h:
1127         (JSC::InternalFunction::createStructure):
1128         (JSC::asInternalFunction):
1129         * runtime/JSAPIValueWrapper.h:
1130         (JSC::JSAPIValueWrapper::createStructure):
1131         * runtime/JSActivation.cpp:
1132         (JSC::JSActivation::visitChildren):
1133         (JSC::JSActivation::argumentsGetter):
1134         * runtime/JSActivation.h:
1135         (JSC::JSActivation::createStructure):
1136         (JSC::asActivation):
1137         * runtime/JSArray.h:
1138         (JSC::JSArray::createStructure):
1139         (JSC::asArray):
1140         (JSC::isJSArray):
1141         * runtime/JSBoundFunction.cpp:
1142         (JSC::JSBoundFunction::finishCreation):
1143         (JSC::JSBoundFunction::visitChildren):
1144         * runtime/JSBoundFunction.h:
1145         (JSC::JSBoundFunction::createStructure):
1146         * runtime/JSCJSValue.cpp:
1147         (JSC::JSValue::dumpInContext):
1148         * runtime/JSCJSValueInlines.h:
1149         (JSC::JSValue::isFunction):
1150         * runtime/JSCell.h:
1151         (JSC::jsCast):
1152         (JSC::jsDynamicCast):
1153         * runtime/JSCellInlines.h:
1154         (JSC::allocateCell):
1155         * runtime/JSFunction.cpp:
1156         (JSC::JSFunction::finishCreation):
1157         (JSC::JSFunction::visitChildren):
1158         (JSC::skipOverBoundFunctions):
1159         (JSC::JSFunction::callerGetter):
1160         * runtime/JSFunction.h:
1161         (JSC::JSFunction::createStructure):
1162         * runtime/JSGlobalObject.cpp:
1163         (JSC::JSGlobalObject::visitChildren):
1164         (JSC::slowValidateCell):
1165         * runtime/JSGlobalObject.h:
1166         (JSC::JSGlobalObject::createStructure):
1167         * runtime/JSNameScope.cpp:
1168         (JSC::JSNameScope::visitChildren):
1169         * runtime/JSNameScope.h:
1170         (JSC::JSNameScope::createStructure):
1171         * runtime/JSNotAnObject.h:
1172         (JSC::JSNotAnObject::createStructure):
1173         * runtime/JSONObject.cpp:
1174         (JSC::JSONObject::finishCreation):
1175         (JSC::unwrapBoxedPrimitive):
1176         (JSC::Stringifier::Stringifier):
1177         (JSC::Stringifier::appendStringifiedValue):
1178         (JSC::Stringifier::Holder::Holder):
1179         (JSC::Walker::walk):
1180         (JSC::JSONProtoFuncStringify):
1181         * runtime/JSONObject.h:
1182         (JSC::JSONObject::createStructure):
1183         * runtime/JSObject.cpp:
1184         (JSC::getCallableObjectSlow):
1185         (JSC::JSObject::visitChildren):
1186         (JSC::JSObject::copyBackingStore):
1187         (JSC::JSFinalObject::visitChildren):
1188         (JSC::JSObject::ensureInt32Slow):
1189         (JSC::JSObject::ensureDoubleSlow):
1190         (JSC::JSObject::ensureContiguousSlow):
1191         (JSC::JSObject::ensureArrayStorageSlow):
1192         * runtime/JSObject.h:
1193         (JSC::JSObject::finishCreation):
1194         (JSC::JSObject::createStructure):
1195         (JSC::JSNonFinalObject::createStructure):
1196         (JSC::JSFinalObject::createStructure):
1197         (JSC::isJSFinalObject):
1198         * runtime/JSPropertyNameIterator.cpp:
1199         (JSC::JSPropertyNameIterator::visitChildren):
1200         * runtime/JSPropertyNameIterator.h:
1201         (JSC::JSPropertyNameIterator::createStructure):
1202         * runtime/JSProxy.cpp:
1203         (JSC::JSProxy::visitChildren):
1204         * runtime/JSProxy.h:
1205         (JSC::JSProxy::createStructure):
1206         * runtime/JSScope.cpp:
1207         (JSC::JSScope::visitChildren):
1208         * runtime/JSSegmentedVariableObject.cpp:
1209         (JSC::JSSegmentedVariableObject::visitChildren):
1210         * runtime/JSString.h:
1211         (JSC::JSString::createStructure):
1212         (JSC::isJSString):
1213         * runtime/JSSymbolTableObject.cpp:
1214         (JSC::JSSymbolTableObject::visitChildren):
1215         * runtime/JSVariableObject.h:
1216         * runtime/JSWithScope.cpp:
1217         (JSC::JSWithScope::visitChildren):
1218         * runtime/JSWithScope.h:
1219         (JSC::JSWithScope::createStructure):
1220         * runtime/JSWrapperObject.cpp:
1221         (JSC::JSWrapperObject::visitChildren):
1222         * runtime/JSWrapperObject.h:
1223         (JSC::JSWrapperObject::createStructure):
1224         * runtime/MathObject.cpp:
1225         (JSC::MathObject::finishCreation):
1226         * runtime/MathObject.h:
1227         (JSC::MathObject::createStructure):
1228         * runtime/NameConstructor.h:
1229         (JSC::NameConstructor::createStructure):
1230         * runtime/NameInstance.h:
1231         (JSC::NameInstance::createStructure):
1232         (JSC::NameInstance::finishCreation):
1233         * runtime/NamePrototype.cpp:
1234         (JSC::NamePrototype::finishCreation):
1235         (JSC::privateNameProtoFuncToString):
1236         * runtime/NamePrototype.h:
1237         (JSC::NamePrototype::createStructure):
1238         * runtime/NativeErrorConstructor.cpp:
1239         (JSC::NativeErrorConstructor::visitChildren):
1240         * runtime/NativeErrorConstructor.h:
1241         (JSC::NativeErrorConstructor::createStructure):
1242         (JSC::NativeErrorConstructor::finishCreation):
1243         * runtime/NumberConstructor.cpp:
1244         (JSC::NumberConstructor::finishCreation):
1245         * runtime/NumberConstructor.h:
1246         (JSC::NumberConstructor::createStructure):
1247         * runtime/NumberObject.cpp:
1248         (JSC::NumberObject::finishCreation):
1249         * runtime/NumberObject.h:
1250         (JSC::NumberObject::createStructure):
1251         * runtime/NumberPrototype.cpp:
1252         (JSC::NumberPrototype::finishCreation):
1253         * runtime/NumberPrototype.h:
1254         (JSC::NumberPrototype::createStructure):
1255         * runtime/ObjectConstructor.h:
1256         (JSC::ObjectConstructor::createStructure):
1257         * runtime/ObjectPrototype.cpp:
1258         (JSC::ObjectPrototype::finishCreation):
1259         * runtime/ObjectPrototype.h:
1260         (JSC::ObjectPrototype::createStructure):
1261         * runtime/PropertyMapHashTable.h:
1262         (JSC::PropertyTable::createStructure):
1263         * runtime/PropertyTable.cpp:
1264         (JSC::PropertyTable::visitChildren):
1265         * runtime/RegExp.h:
1266         (JSC::RegExp::createStructure):
1267         * runtime/RegExpConstructor.cpp:
1268         (JSC::RegExpConstructor::finishCreation):
1269         (JSC::RegExpConstructor::visitChildren):
1270         (JSC::constructRegExp):
1271         * runtime/RegExpConstructor.h:
1272         (JSC::RegExpConstructor::createStructure):
1273         (JSC::asRegExpConstructor):
1274         * runtime/RegExpMatchesArray.cpp:
1275         (JSC::RegExpMatchesArray::visitChildren):
1276         * runtime/RegExpMatchesArray.h:
1277         (JSC::RegExpMatchesArray::createStructure):
1278         * runtime/RegExpObject.cpp:
1279         (JSC::RegExpObject::finishCreation):
1280         (JSC::RegExpObject::visitChildren):
1281         * runtime/RegExpObject.h:
1282         (JSC::RegExpObject::createStructure):
1283         (JSC::asRegExpObject):
1284         * runtime/RegExpPrototype.cpp:
1285         (JSC::regExpProtoFuncTest):
1286         (JSC::regExpProtoFuncExec):
1287         (JSC::regExpProtoFuncCompile):
1288         (JSC::regExpProtoFuncToString):
1289         * runtime/RegExpPrototype.h:
1290         (JSC::RegExpPrototype::createStructure):
1291         * runtime/SparseArrayValueMap.cpp:
1292         (JSC::SparseArrayValueMap::createStructure):
1293         * runtime/SparseArrayValueMap.h:
1294         * runtime/StrictEvalActivation.h:
1295         (JSC::StrictEvalActivation::createStructure):
1296         * runtime/StringConstructor.h:
1297         (JSC::StringConstructor::createStructure):
1298         * runtime/StringObject.cpp:
1299         (JSC::StringObject::finishCreation):
1300         * runtime/StringObject.h:
1301         (JSC::StringObject::createStructure):
1302         (JSC::asStringObject):
1303         * runtime/StringPrototype.cpp:
1304         (JSC::StringPrototype::finishCreation):
1305         (JSC::stringProtoFuncReplace):
1306         (JSC::stringProtoFuncToString):
1307         (JSC::stringProtoFuncMatch):
1308         (JSC::stringProtoFuncSearch):
1309         (JSC::stringProtoFuncSplit):
1310         * runtime/StringPrototype.h:
1311         (JSC::StringPrototype::createStructure):
1312         * runtime/Structure.cpp:
1313         (JSC::Structure::Structure):
1314         (JSC::Structure::materializePropertyMap):
1315         (JSC::Structure::get):
1316         (JSC::Structure::visitChildren):
1317         * runtime/Structure.h:
1318         (JSC::Structure::typeInfo):
1319         (JSC::Structure::previousID):
1320         (JSC::Structure::outOfLineSize):
1321         (JSC::Structure::totalStorageCapacity):
1322         (JSC::Structure::materializePropertyMapIfNecessary):
1323         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1324         * runtime/StructureChain.cpp:
1325         (JSC::StructureChain::visitChildren):
1326         * runtime/StructureChain.h:
1327         (JSC::StructureChain::createStructure):
1328         * runtime/StructureInlines.h:
1329         (JSC::Structure::get):
1330         * runtime/StructureRareData.cpp:
1331         (JSC::StructureRareData::createStructure):
1332         (JSC::StructureRareData::visitChildren):
1333         * runtime/StructureRareData.h:
1334         * runtime/SymbolTable.h:
1335         (JSC::SharedSymbolTable::createStructure):
1336         * runtime/VM.cpp:
1337         (JSC::VM::VM):
1338         (JSC::StackPreservingRecompiler::operator()):
1339         (JSC::VM::releaseExecutableMemory):
1340         * runtime/WriteBarrier.h:
1341         (JSC::validateCell):
1342         * testRegExp.cpp:
1343         (GlobalObject::createStructure):
1344
1345 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1346
1347         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1348         https://bugs.webkit.org/show_bug.cgi?id=119762
1349
1350         Reviewed by Geoffrey Garen.
1351
1352         * heap/Heap.cpp:
1353         (JSC::Heap::Heap):
1354         (JSC::Heap::markRoots):
1355         (JSC::Heap::collect):
1356         * jsc.cpp:
1357         (StopWatch::start):
1358         (StopWatch::stop):
1359         * testRegExp.cpp:
1360         (StopWatch::start):
1361         (StopWatch::stop):
1362
1363 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1364
1365         [sh4] Prepare LLINT for DFG_JIT implementation.
1366         https://bugs.webkit.org/show_bug.cgi?id=119755
1367
1368         Reviewed by Oliver Hunt.
1369
1370         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1371         * offlineasm/sh4.rb:
1372             - Handle storeb opcode.
1373             - Make relative jumps when possible using braf opcode.
1374             - Update bmulio implementation to be consistent with baseline JIT.
1375             - Remove useless code from leap opcode.
1376             - Fix incorrect comment.
1377
1378 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1379
1380         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1381         https://bugs.webkit.org/show_bug.cgi?id=119758
1382
1383         Reviewed by Oliver Hunt.
1384
1385         * assembler/MacroAssemblerSH4.h:
1386             - Introduce a loadEffectiveAddress function to avoid code duplication.
1387             - Add ASSERTs and clean code.
1388         * assembler/SH4Assembler.h:
1389             - Prepare DFG_JIT implementation.
1390             - Add ASSERTs.
1391         * jit/JITStubs.cpp:
1392             - Add SH4 specific call for assertions.
1393         * jit/JITStubs.h:
1394             - Cosmetic change.
1395         * jit/JITStubsSH4.h:
1396             - Use constants to be more flexible with sh4 JIT stack frame.
1397         * jit/JSInterfaceJIT.h:
1398             - Cosmetic change.
1399
1400 2013-08-13  Oliver Hunt  <oliver@apple.com>
1401
1402         Harden executeConstruct against incorrect return types from host functions
1403         https://bugs.webkit.org/show_bug.cgi?id=119757
1404
1405         Reviewed by Mark Hahnenberg.
1406
1407         Add logic to guard against bogus return types.  There doesn't seem to be any
1408         class in webkit that does this wrong, but the typed array stubs in debug JSC
1409         do exhibit this bad behaviour.
1410
1411         * interpreter/Interpreter.cpp:
1412         (JSC::Interpreter::executeConstruct):
1413
1414 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1415
1416         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1417         https://bugs.webkit.org/show_bug.cgi?id=119736
1418
1419         Reviewed by Anders Carlsson.
1420
1421         Don't force C++11 mode off anymore.
1422
1423         * Target.pri:
1424
1425 2013-08-12  Oliver Hunt  <oliver@apple.com>
1426
1427         Remove CodeBlock's notion of adding identifiers entirely
1428         https://bugs.webkit.org/show_bug.cgi?id=119708
1429
1430         Reviewed by Geoffrey Garen.
1431
1432         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1433         Move the addition of identifiers to DFGPlan::reallyAdd.
1434
1435         * bytecode/CodeBlock.h:
1436         * dfg/DFGDesiredIdentifiers.cpp:
1437         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1438         * dfg/DFGDesiredIdentifiers.h:
1439         * dfg/DFGPlan.cpp:
1440         (JSC::DFG::Plan::reallyAdd):
1441         (JSC::DFG::Plan::finalize):
1442         * dfg/DFGPlan.h:
1443
1444 2013-08-12  Oliver Hunt  <oliver@apple.com>
1445
1446         Build fix
1447
1448         * runtime/JSCell.h:
1449
1450 2013-08-12  Oliver Hunt  <oliver@apple.com>
1451
1452         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1453         https://bugs.webkit.org/show_bug.cgi?id=119705
1454
1455         Reviewed by Geoffrey Garen.
1456
1457         Relatively trivial refactoring.
1458
1459         * bytecode/CodeBlock.h:
1460         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1461         (JSC::CodeBlock::addAdditionalIdentifier):
1462         (JSC::CodeBlock::identifier):
1463         (JSC::CodeBlock::numberOfIdentifiers):
1464         * dfg/DFGCommonData.h:
1465
1466 2013-08-12  Oliver Hunt  <oliver@apple.com>
1467
1468         Stop making unnecessary copy of CodeBlock Identifier Vector
1469         https://bugs.webkit.org/show_bug.cgi?id=119702
1470
1471         Reviewed by Michael Saboff.
1472
1473         Make CodeBlock simply use a separate Vector for additional Identifiers
1474         and use the UnlinkedCodeBlock for the initial set of identifiers.
1475
1476         * bytecode/CodeBlock.cpp:
1477         (JSC::CodeBlock::printGetByIdOp):
1478         (JSC::dumpStructure):
1479         (JSC::dumpChain):
1480         (JSC::CodeBlock::printGetByIdCacheStatus):
1481         (JSC::CodeBlock::printPutByIdOp):
1482         (JSC::CodeBlock::dumpBytecode):
1483         (JSC::CodeBlock::CodeBlock):
1484         (JSC::CodeBlock::shrinkToFit):
1485         * bytecode/CodeBlock.h:
1486         (JSC::CodeBlock::numberOfIdentifiers):
1487         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1488         (JSC::CodeBlock::addAdditionalIdentifier):
1489         (JSC::CodeBlock::identifier):
1490         * dfg/DFGDesiredIdentifiers.cpp:
1491         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1492         * jit/JIT.h:
1493         * jit/JITOpcodes.cpp:
1494         (JSC::JIT::emitSlow_op_get_arguments_length):
1495         * jit/JITPropertyAccess.cpp:
1496         (JSC::JIT::emit_op_get_by_id):
1497         (JSC::JIT::compileGetByIdHotPath):
1498         (JSC::JIT::emitSlow_op_get_by_id):
1499         (JSC::JIT::compileGetByIdSlowCase):
1500         (JSC::JIT::emitSlow_op_put_by_id):
1501         * jit/JITPropertyAccess32_64.cpp:
1502         (JSC::JIT::emit_op_get_by_id):
1503         (JSC::JIT::compileGetByIdHotPath):
1504         (JSC::JIT::compileGetByIdSlowCase):
1505         * jit/JITStubs.cpp:
1506         (JSC::DEFINE_STUB_FUNCTION):
1507         * llint/LLIntSlowPaths.cpp:
1508         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1509
1510 2013-08-08  Mark Lam  <mark.lam@apple.com>
1511
1512         Restoring use of StackIterator instead of Interpreter::getStacktrace().
1513         https://bugs.webkit.org/show_bug.cgi?id=119575.
1514
1515         Reviewed by Oliver Hunt.
1516
1517         * interpreter/Interpreter.h:
1518         - Made getStackTrace() private.
1519         * interpreter/StackIterator.cpp:
1520         (JSC::StackIterator::StackIterator):
1521         (JSC::StackIterator::numberOfFrames):
1522         - Computes the number of frames by iterating through the whole stack
1523           from the starting frame. The iterator will save its current frame
1524           position before counting the frames, and then restore it after
1525           the counting.
1526         (JSC::StackIterator::gotoFrameAtIndex):
1527         (JSC::StackIterator::gotoNextFrame):
1528         (JSC::StackIterator::resetIterator):
1529         - Points the iterator to the starting frame.
1530         * interpreter/StackIteratorPrivate.h:
1531
1532 2013-08-08  Mark Lam  <mark.lam@apple.com>
1533
1534         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1535         the Interpreter class.
1536         https://bugs.webkit.org/show_bug.cgi?id=119576.
1537
1538         Reviewed by Oliver Hunt.
1539
1540         This change is needed to prepare for making Interpreter::getStackTrace()
1541         private. It does not change the behavior of the code, only the lexical
1542         scoping.
1543
1544         * interpreter/Interpreter.h:
1545         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1546         * runtime/ErrorConstructor.cpp:
1547         (JSC::Interpreter::constructWithErrorConstructor):
1548         (JSC::ErrorConstructor::getConstructData):
1549         (JSC::Interpreter::callErrorConstructor):
1550         (JSC::ErrorConstructor::getCallData):
1551         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1552           directly. So, we moved the helper functions into the Interpreter
1553           class.
1554         * runtime/NativeErrorConstructor.cpp:
1555         (JSC::Interpreter::constructWithNativeErrorConstructor):
1556         (JSC::NativeErrorConstructor::getConstructData):
1557         (JSC::Interpreter::callNativeErrorConstructor):
1558         (JSC::NativeErrorConstructor::getCallData):
1559         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1560           directly. So, we moved the helper functions into the Interpreter
1561           class.
1562
1563 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1564
1565         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1566         https://bugs.webkit.org/show_bug.cgi?id=119555
1567
1568         Reviewed by Geoffrey Garen.
1569
1570         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
1571         This was causing crashes on maps.google.com in 32-bit debug builds.
1572
1573         * dfg/DFGSpeculativeJIT32_64.cpp:
1574         (JSC::DFG::SpeculativeJIT::compile):
1575
1576 2013-08-06  Michael Saboff  <msaboff@apple.com>
1577
1578         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
1579         https://bugs.webkit.org/show_bug.cgi?id=119405
1580
1581         Reviewed by Geoffrey Garen.
1582
1583         * dfg/DFGSpeculativeJIT.cpp:
1584         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
1585         ourselves to save a register and then load from it.
1586
1587 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
1588
1589         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
1590         https://bugs.webkit.org/show_bug.cgi?id=119528
1591
1592         Reviewed by Geoffrey Garen.
1593
1594         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
1595         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
1596         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
1597         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
1598         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
1599
1600         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
1601
1602         * bytecode/CodeBlock.cpp:
1603         (JSC::CodeBlock::finalizeUnconditionally):
1604         * dfg/DFGDriver.cpp:
1605         (JSC::DFG::compile):
1606         * dfg/DFGFixupPhase.cpp:
1607         (JSC::DFG::FixupPhase::fixupNode):
1608         * dfg/DFGGraph.cpp:
1609         (JSC::DFG::Graph::dump):
1610         * dfg/DFGSpeculativeJIT64.cpp:
1611         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1612         * runtime/JSObject.h:
1613         (JSC::JSObject::getIndexQuickly):
1614         (JSC::JSObject::tryGetIndexQuickly):
1615
1616 2013-08-08  Stephanie Lewis  <slewis@apple.com>
1617
1618         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
1619
1620         Unreviewed.
1621
1622         Ensure llint symbols are in source order.
1623
1624         * JavaScriptCore.order:
1625
1626 2013-08-06  Mark Lam  <mark.lam@apple.com>
1627
1628         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
1629         https://bugs.webkit.org/show_bug.cgi?id=119532.
1630
1631         Reviewed by Oliver Hunt.
1632
1633         * parser/Parser.cpp:
1634         (JSC::::Parser):
1635         - Just need to initialize the Parser's JSTokenLocation's initial line and
1636           startOffset as well during Parser construction.
1637
1638 2013-08-06  Stephanie Lewis  <slewis@apple.com>
1639
1640         Update Order Files for Safari
1641         <rdar://problem/14517392>
1642
1643         Unreviewed.
1644
1645         * JavaScriptCore.order:
1646
1647 2013-08-04  Sam Weinig  <sam@webkit.org>
1648
1649         Remove support for HTML5 MicroData
1650         https://bugs.webkit.org/show_bug.cgi?id=119480
1651
1652         Reviewed by Anders Carlsson.
1653
1654         * Configurations/FeatureDefines.xcconfig:
1655
1656 2013-08-05  Oliver Hunt  <oliver@apple.com>
1657
1658         Delay Arguments creation in strict mode
1659         https://bugs.webkit.org/show_bug.cgi?id=119505
1660
1661         Reviewed by Geoffrey Garen.
1662
1663         Make use of the write tracking performed by the parser to
1664         allow us to know if we're modifying the parameters to a function.
1665         Then use that information to make strict mode functions opt out
1666         of eager arguments creation.
1667
1668         * bytecompiler/BytecodeGenerator.cpp:
1669         (JSC::BytecodeGenerator::BytecodeGenerator):
1670         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
1671         (JSC::BytecodeGenerator::emitReturn):
1672         * bytecompiler/BytecodeGenerator.h:
1673         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
1674         * parser/Nodes.h:
1675         (JSC::ScopeNode::modifiesParameter):
1676         * parser/Parser.cpp:
1677         (JSC::::parseInner):
1678         * parser/Parser.h:
1679         (JSC::Scope::declareParameter):
1680         (JSC::Scope::getCapturedVariables):
1681         (JSC::Parser::declareWrite):
1682         * parser/ParserModes.h:
1683
1684 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1685
1686         Remove useless code from COMPILER(RVCT) JITStubs
1687         https://bugs.webkit.org/show_bug.cgi?id=119521
1688
1689         Reviewed by Geoffrey Garen.
1690
1691         * jit/JITStubsARMv7.h:
1692         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
1693         (JSC::ctiOpThrowNotCaught): Ditto.
1694
1695 2013-07-23  David Farler  <dfarler@apple.com>
1696
1697         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
1698         https://bugs.webkit.org/show_bug.cgi?id=117762
1699
1700         Reviewed by Mark Rowe.
1701
1702         * Configurations/DebugRelease.xcconfig:
1703         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
1704         * Configurations/JavaScriptCore.xcconfig:
1705         Add ASAN_OTHER_LDFLAGS.
1706         * Configurations/ToolExecutable.xcconfig:
1707         Don't use ASAN for build tools.
1708
1709 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1710
1711         Build fix for ARM MSVC after r153222 and r153648.
1712
1713         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
1714
1715 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1716
1717         Build fix for ARM MSVC after r150109.
1718
1719         Read the stub template from a header file instead of JITStubs.cpp.
1720
1721         * CMakeLists.txt:
1722         * DerivedSources.pri:
1723         * create_jit_stubs:
1724
1725 2013-08-05  Oliver Hunt  <oliver@apple.com>
1726
1727         Move TypedArray implementation into JSC
1728         https://bugs.webkit.org/show_bug.cgi?id=119489
1729
1730         Reviewed by Filip Pizlo.
1731
1732         Move TypedArray implementation into JSC in advance of re-implementation.
1733
1734         * GNUmakefile.list.am:
1735         * JSCTypedArrayStubs.h:
1736         * JavaScriptCore.xcodeproj/project.pbxproj:
1737         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
1738         (JSC::ArrayBuffer::transfer):
1739         (JSC::ArrayBuffer::addView):
1740         (JSC::ArrayBuffer::removeView):
1741         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
1742         (JSC::ArrayBufferContents::ArrayBufferContents):
1743         (JSC::ArrayBufferContents::data):
1744         (JSC::ArrayBufferContents::sizeInBytes):
1745         (JSC::ArrayBufferContents::transfer):
1746         (JSC::ArrayBufferContents::copyTo):
1747         (JSC::ArrayBuffer::isNeutered):
1748         (JSC::ArrayBuffer::~ArrayBuffer):
1749         (JSC::ArrayBuffer::clampValue):
1750         (JSC::ArrayBuffer::create):
1751         (JSC::ArrayBuffer::createUninitialized):
1752         (JSC::ArrayBuffer::ArrayBuffer):
1753         (JSC::ArrayBuffer::data):
1754         (JSC::ArrayBuffer::byteLength):
1755         (JSC::ArrayBuffer::slice):
1756         (JSC::ArrayBuffer::sliceImpl):
1757         (JSC::ArrayBuffer::clampIndex):
1758         (JSC::ArrayBufferContents::tryAllocate):
1759         (JSC::ArrayBufferContents::~ArrayBufferContents):
1760         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
1761         (JSC::ArrayBufferView::ArrayBufferView):
1762         (JSC::ArrayBufferView::~ArrayBufferView):
1763         (JSC::ArrayBufferView::neuter):
1764         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
1765         (JSC::ArrayBufferView::buffer):
1766         (JSC::ArrayBufferView::baseAddress):
1767         (JSC::ArrayBufferView::byteOffset):
1768         (JSC::ArrayBufferView::setNeuterable):
1769         (JSC::ArrayBufferView::isNeuterable):
1770         (JSC::ArrayBufferView::verifySubRange):
1771         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1772         (JSC::ArrayBufferView::setImpl):
1773         (JSC::ArrayBufferView::setRangeImpl):
1774         (JSC::ArrayBufferView::zeroRangeImpl):
1775         (JSC::ArrayBufferView::calculateOffsetAndLength):
1776         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
1777         (JSC::Float32Array::set):
1778         (JSC::Float32Array::getType):
1779         (JSC::Float32Array::create):
1780         (JSC::Float32Array::createUninitialized):
1781         (JSC::Float32Array::Float32Array):
1782         (JSC::Float32Array::subarray):
1783         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
1784         (JSC::Float64Array::set):
1785         (JSC::Float64Array::getType):
1786         (JSC::Float64Array::create):
1787         (JSC::Float64Array::createUninitialized):
1788         (JSC::Float64Array::Float64Array):
1789         (JSC::Float64Array::subarray):
1790         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
1791         (JSC::Int16Array::getType):
1792         (JSC::Int16Array::create):
1793         (JSC::Int16Array::createUninitialized):
1794         (JSC::Int16Array::Int16Array):
1795         (JSC::Int16Array::subarray):
1796         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
1797         (JSC::Int32Array::getType):
1798         (JSC::Int32Array::create):
1799         (JSC::Int32Array::createUninitialized):
1800         (JSC::Int32Array::Int32Array):
1801         (JSC::Int32Array::subarray):
1802         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
1803         (JSC::Int8Array::getType):
1804         (JSC::Int8Array::create):
1805         (JSC::Int8Array::createUninitialized):
1806         (JSC::Int8Array::Int8Array):
1807         (JSC::Int8Array::subarray):
1808         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
1809         (JSC::IntegralTypedArrayBase::set):
1810         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
1811         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
1812         (JSC::TypedArrayBase::data):
1813         (JSC::TypedArrayBase::set):
1814         (JSC::TypedArrayBase::setRange):
1815         (JSC::TypedArrayBase::zeroRange):
1816         (JSC::TypedArrayBase::length):
1817         (JSC::TypedArrayBase::byteLength):
1818         (JSC::TypedArrayBase::item):
1819         (JSC::TypedArrayBase::checkInboundData):
1820         (JSC::TypedArrayBase::TypedArrayBase):
1821         (JSC::TypedArrayBase::create):
1822         (JSC::TypedArrayBase::createUninitialized):
1823         (JSC::TypedArrayBase::subarrayImpl):
1824         (JSC::TypedArrayBase::neuter):
1825         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
1826         (JSC::Uint16Array::getType):
1827         (JSC::Uint16Array::create):
1828         (JSC::Uint16Array::createUninitialized):
1829         (JSC::Uint16Array::Uint16Array):
1830         (JSC::Uint16Array::subarray):
1831         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
1832         (JSC::Uint32Array::getType):
1833         (JSC::Uint32Array::create):
1834         (JSC::Uint32Array::createUninitialized):
1835         (JSC::Uint32Array::Uint32Array):
1836         (JSC::Uint32Array::subarray):
1837         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
1838         (JSC::Uint8Array::getType):
1839         (JSC::Uint8Array::create):
1840         (JSC::Uint8Array::createUninitialized):
1841         (JSC::Uint8Array::Uint8Array):
1842         (JSC::Uint8Array::subarray):
1843         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
1844         (JSC::Uint8ClampedArray::getType):
1845         (JSC::Uint8ClampedArray::create):
1846         (JSC::Uint8ClampedArray::createUninitialized):
1847         (JSC::Uint8ClampedArray::zeroFill):
1848         (JSC::Uint8ClampedArray::set):
1849         (JSC::Uint8ClampedArray::Uint8ClampedArray):
1850         (JSC::Uint8ClampedArray::subarray):
1851         * runtime/VM.h:
1852
1853 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1854
1855         Copied space should be able to handle more than one copied backing store per JSCell
1856         https://bugs.webkit.org/show_bug.cgi?id=119471
1857
1858         Reviewed by Mark Hahnenberg.
1859         
1860         This allows a cell to call copyLater() multiple times for multiple different
1861         backing stores, and then have copyBackingStore() called exactly once for each
1862         of those. A token tells it which backing store to copy. All backing stores
1863         must be named using the CopyToken, an enumeration which currently cannot
1864         exceed eight entries.
1865         
1866         When copyBackingStore() is called, it's up to the callee to (a) use the token
1867         to decide what to copy and (b) call its base class's copyBackingStore() in
1868         case the base class had something that needed copying. The only exception is
1869         that JSCell never asks anything to be copied, and so if your base is JSCell
1870         then you don't have to do anything.
1871
1872         * GNUmakefile.list.am:
1873         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1874         * JavaScriptCore.xcodeproj/project.pbxproj:
1875         * heap/CopiedBlock.h:
1876         * heap/CopiedBlockInlines.h:
1877         (JSC::CopiedBlock::reportLiveBytes):
1878         * heap/CopyToken.h: Added.
1879         * heap/CopyVisitor.cpp:
1880         (JSC::CopyVisitor::copyFromShared):
1881         * heap/CopyVisitor.h:
1882         * heap/CopyVisitorInlines.h:
1883         (JSC::CopyVisitor::visitItem):
1884         * heap/CopyWorkList.h:
1885         (JSC::CopyWorklistItem::CopyWorklistItem):
1886         (JSC::CopyWorklistItem::cell):
1887         (JSC::CopyWorklistItem::token):
1888         (JSC::CopyWorkListSegment::get):
1889         (JSC::CopyWorkListSegment::append):
1890         (JSC::CopyWorkListSegment::data):
1891         (JSC::CopyWorkListIterator::get):
1892         (JSC::CopyWorkListIterator::operator*):
1893         (JSC::CopyWorkListIterator::operator->):
1894         (JSC::CopyWorkList::append):
1895         * heap/SlotVisitor.h:
1896         * heap/SlotVisitorInlines.h:
1897         (JSC::SlotVisitor::copyLater):
1898         * runtime/ClassInfo.h:
1899         * runtime/JSCell.cpp:
1900         (JSC::JSCell::copyBackingStore):
1901         * runtime/JSCell.h:
1902         * runtime/JSObject.cpp:
1903         (JSC::JSObject::visitButterfly):
1904         (JSC::JSObject::copyBackingStore):
1905         * runtime/JSObject.h:
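
As an added example (not JavaScriptCore code and not its API), a minimal C++ model of the copyLater()/copyBackingStore() contract this entry describes, with a subclass that forgets to chain to its base's copyBackingStore() as the failure case. Class and token names are assumptions, as is packing the three-bit token into the low bits of the cell pointer.

```cpp
// Added example, not JavaScriptCore code: a small model of the contract
// described above. Class and token names are assumptions; JSC's CopyVisitor,
// SlotVisitor and JSCell are different.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <utility>
#include <vector>

// "Currently cannot exceed eight entries": a token fits in three bits.
enum CopyToken : unsigned { ButterflyToken = 0, VectorToken = 1, MaxToken = 7 };

struct CopyVisitor;

// alignas(8) guarantees three free low bits in every cell pointer; that is a
// choice of this model so the token can be packed into the pointer.
struct alignas(8) Cell {
    virtual ~Cell() {}
    // The base cell never asks for anything to be copied, so it does nothing.
    virtual void copyLater(CopyVisitor&) {}
    virtual void copyBackingStore(CopyVisitor&, CopyToken) {}
};

// A (cell, token) work-list item; the token lives in the pointer's low bits.
struct WorklistItem {
    uintptr_t bits;
    WorklistItem(Cell* cell, CopyToken token)
        : bits(reinterpret_cast<uintptr_t>(cell) | token) {}
    Cell* cell() const { return reinterpret_cast<Cell*>(bits & ~uintptr_t(7)); }
    CopyToken token() const { return CopyToken(bits & 7); }
};

struct CopyVisitor {
    std::vector<WorklistItem> worklist;
    // Bookkeeping for the example: how often each (cell, token) was copied.
    std::map<std::pair<Cell*, unsigned>, int> copies;

    void copyLater(Cell* cell, CopyToken token) { worklist.push_back(WorklistItem(cell, token)); }

    // Move one backing store to "to-space" (plain heap memory here) and free
    // the old one: a store that is never copied is left dangling.
    char* copy(Cell* cell, CopyToken token, char* from, size_t bytes) {
        char* to = new char[bytes];
        std::memcpy(to, from, bytes);
        delete[] from;
        copies[std::make_pair(cell, unsigned(token))]++;
        return to;
    }

    // Drain the list: copyBackingStore() runs exactly once per queued token.
    void run() {
        for (size_t i = 0; i < worklist.size(); ++i)
            worklist[i].cell()->copyBackingStore(*this, worklist[i].token());
        worklist.clear();
    }
};

// An object with one copied store (its "butterfly").
struct ObjectCell : Cell {
    size_t butterflyBytes;
    char* butterfly;
    explicit ObjectCell(size_t n) : butterflyBytes(n), butterfly(new char[n]) { std::memset(butterfly, 'b', n); }
    ~ObjectCell() { delete[] butterfly; }
    void copyLater(CopyVisitor& v) override { v.copyLater(this, ButterflyToken); }
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == ButterflyToken) butterfly = v.copy(this, token, butterfly, butterflyBytes);
        else Cell::copyBackingStore(v, token);
    }
};

// A subclass with a second copied store: it (a) dispatches on the token and
// (b) chains to its base for the tokens it does not own.
struct TypedArrayCell : ObjectCell {
    size_t vectorBytes;
    char* vector;
    TypedArrayCell(size_t b, size_t n) : ObjectCell(b), vectorBytes(n), vector(new char[n]) { std::memset(vector, 'v', n); }
    ~TypedArrayCell() { delete[] vector; }
    void copyLater(CopyVisitor& v) override {
        ObjectCell::copyLater(v);        // queue the butterfly ...
        v.copyLater(this, VectorToken);  // ... and the vector: two items, one cell
    }
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == VectorToken) vector = v.copy(this, token, vector, vectorBytes);
        else ObjectCell::copyBackingStore(v, token);
    }
};

// The failure mode: an override that does not chain to its base, so the
// butterfly is never copied and would point into reclaimed from-space.
struct BrokenTypedArrayCell : TypedArrayCell {
    BrokenTypedArrayCell(size_t b, size_t n) : TypedArrayCell(b, n) {}
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == VectorToken) vector = v.copy(this, token, vector, vectorBytes);
        // missing: else TypedArrayCell::copyBackingStore(v, token);
    }
};

// Runs one copy cycle over a cell and returns copy counts indexed by token.
std::vector<int> copyCountsAfterCycle(Cell& cell) {
    CopyVisitor v;
    cell.copyLater(v);
    v.run();
    std::vector<int> counts(MaxToken + 1, 0);
    for (auto& kv : v.copies) counts[kv.first.second] += kv.second;
    return counts;
}

// True when both stores still hold their original contents after a cycle.
bool storesIntact(const TypedArrayCell& c) {
    for (size_t i = 0; i < c.butterflyBytes; ++i) if (c.butterfly[i] != 'b') return false;
    for (size_t i = 0; i < c.vectorBytes; ++i) if (c.vector[i] != 'v') return false;
    return true;
}
```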
1906
1907 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
1908
1909         [Automake] Define ENABLE_JIT through the Autoconf header
1910         https://bugs.webkit.org/show_bug.cgi?id=119445
1911
1912         Reviewed by Martin Robinson.
1913
1914         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
1915
1916 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1917
1918         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1919         https://bugs.webkit.org/show_bug.cgi?id=119470
1920
1921         Reviewed by Oliver Hunt.
1922         
1923         Structure can still tell you if the object "could" (in the conservative sense)
1924         have an indexing header; that's used by the compiler.
1925         
1926         Most of the time if you want to know if there's an indexing header, you ask the
1927         JSObject.
1928         
1929         In some cases, the JSObject wants to know if it would have an indexing header if
1930         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1931
1932         * dfg/DFGRepatch.cpp:
1933         (JSC::DFG::tryCachePutByID):
1934         (JSC::DFG::tryBuildPutByIdList):
1935         * dfg/DFGSpeculativeJIT.cpp:
1936         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1937         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1938         * runtime/ButterflyInlines.h:
1939         (JSC::Butterfly::create):
1940         (JSC::Butterfly::growPropertyStorage):
1941         (JSC::Butterfly::growArrayRight):
1942         (JSC::Butterfly::resizeArray):
1943         * runtime/JSObject.cpp:
1944         (JSC::JSObject::copyButterfly):
1945         (JSC::JSObject::visitButterfly):
1946         * runtime/JSObject.h:
1947         (JSC::JSObject::hasIndexingHeader):
1948         (JSC::JSObject::setButterfly):
1949         * runtime/Structure.h:
1950         (JSC::Structure::couldHaveIndexingHeader):
1951         (JSC::Structure::hasIndexingHeader):
1952
1953 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1954
1955         Give the error object's stack property accessor attributes.
1956         https://bugs.webkit.org/show_bug.cgi?id=119404
1957
1958         Reviewed by Geoffrey Garen.
1959         
1960         Changed the attributes of error object's stack property to allow developers to write
1961         and delete the stack property. This will match the functionality of Chrome. Firefox
1962         allows developers to write the error's stack, but not delete it.
1963
1964         * interpreter/Interpreter.cpp:
1965         (JSC::Interpreter::addStackTraceIfNecessary):
1966         * runtime/ErrorInstance.cpp:
1967         (JSC::ErrorInstance::finishCreation):
1968
1969 2013-08-02  Oliver Hunt  <oliver@apple.com>
1970
1971         Incorrect type speculation reported by ToPrimitive
1972         https://bugs.webkit.org/show_bug.cgi?id=119458
1973
1974         Reviewed by Mark Hahnenberg.
1975
1976         Make sure that we report the correct type possibilities for the output
1977         from ToPrimitive.
1978
1979         * dfg/DFGAbstractInterpreterInlines.h:
1980         (JSC::DFG::::executeEffects):
1981
1982 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1983
1984         Remove no-arguments constructor to PropertySlot
1985         https://bugs.webkit.org/show_bug.cgi?id=119460
1986
1987         Reviewed by Geoff Garen.
1988
1989         This constructor was unsafe if getValue is subsequently called,
1990         and the property is a getter. Simplest to just remove it.
1991
1992         * runtime/Arguments.cpp:
1993         (JSC::Arguments::defineOwnProperty):
1994         * runtime/JSActivation.cpp:
1995         (JSC::JSActivation::getOwnPropertyDescriptor):
1996         * runtime/JSFunction.cpp:
1997         (JSC::JSFunction::getOwnPropertyDescriptor):
1998         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1999         (JSC::JSFunction::put):
2000         (JSC::JSFunction::defineOwnProperty):
2001         * runtime/JSGlobalObject.cpp:
2002         (JSC::JSGlobalObject::defineOwnProperty):
2003         * runtime/JSGlobalObject.h:
2004         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
2005         * runtime/JSNameScope.cpp:
2006         (JSC::JSNameScope::put):
2007         * runtime/JSONObject.cpp:
2008         (JSC::Stringifier::Holder::appendNextProperty):
2009         (JSC::Walker::walk):
2010         * runtime/JSObject.cpp:
2011         (JSC::JSObject::hasProperty):
2012         (JSC::JSObject::hasOwnProperty):
2013         (JSC::JSObject::reifyStaticFunctionsForDelete):
2014         * runtime/Lookup.h:
2015         (JSC::getStaticPropertyDescriptor):
2016         (JSC::getStaticFunctionDescriptor):
2017         (JSC::getStaticValueDescriptor):
2018         * runtime/ObjectConstructor.cpp:
2019         (JSC::defineProperties):
2020         * runtime/PropertySlot.h:
2021
2022 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2023
2024         DFG validation can cause assertion failures due to dumping
2025         https://bugs.webkit.org/show_bug.cgi?id=119456
2026
2027         Reviewed by Geoffrey Garen.
2028
2029         * bytecode/CodeBlock.cpp:
2030         (JSC::CodeBlock::hasHash):
2031         (JSC::CodeBlock::isSafeToComputeHash):
2032         (JSC::CodeBlock::hash):
2033         (JSC::CodeBlock::dumpAssumingJITType):
2034         * bytecode/CodeBlock.h:
2035
2036 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2037
2038         Have vm's exceptionStack match java's vm's exceptionStack.
2039         https://bugs.webkit.org/show_bug.cgi?id=119362
2040
2041         Reviewed by Geoffrey Garen.
2042         
2043         The error object's stack is only updated if it does not exist yet. This matches
2044         the functionality of other browsers, and Java VMs.
2045
2046         * interpreter/Interpreter.cpp:
2047         (JSC::Interpreter::addStackTraceIfNecessary):
2048         (JSC::Interpreter::throwException):
2049         * runtime/VM.cpp:
2050         (JSC::VM::clearExceptionStack):
2051         * runtime/VM.h:
2052         (JSC::VM::lastExceptionStack):
2053
2054 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2055
2056         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
2057         https://bugs.webkit.org/show_bug.cgi?id=119447
2058
2059         Reviewed by Geoffrey Garen.
2060
2061         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2062         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2063         r153583 (sh4) and r153648 (ARM).
2064
2065         * jit/JITStubsMIPS.h:
2066
2067 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
2068
2069         hasIndexingHeader should be a property of the Structure, not just the IndexingType
2070         https://bugs.webkit.org/show_bug.cgi?id=119422
2071
2072         Reviewed by Oliver Hunt.
2073         
2074         This simplifies some code and also allows Structure to claim that an object
2075         has an indexing header even if it doesn't have indexed properties.
2076         
2077         I also changed some calls to use hasIndexedProperties() since in some cases,
2078         that's what we actually meant. Currently the two are synonyms.
2079
2080         * dfg/DFGRepatch.cpp:
2081         (JSC::DFG::tryCachePutByID):
2082         (JSC::DFG::tryBuildPutByIdList):
2083         * dfg/DFGSpeculativeJIT.cpp:
2084         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2085         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2086         * runtime/ButterflyInlines.h:
2087         (JSC::Butterfly::create):
2088         (JSC::Butterfly::growPropertyStorage):
2089         (JSC::Butterfly::growArrayRight):
2090         (JSC::Butterfly::resizeArray):
2091         * runtime/IndexingType.h:
2092         * runtime/JSObject.cpp:
2093         (JSC::JSObject::copyButterfly):
2094         (JSC::JSObject::visitButterfly):
2095         (JSC::JSObject::setPrototype):
2096         * runtime/JSObject.h:
2097         (JSC::JSObject::setButterfly):
2098         * runtime/JSPropertyNameIterator.cpp:
2099         (JSC::JSPropertyNameIterator::create):
2100         * runtime/Structure.h:
2101         (JSC::Structure::hasIndexingHeader):
2102
2103 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2104
2105         REGRESSION: ARM still crashes after change set r153612.
2106         https://bugs.webkit.org/show_bug.cgi?id=119433
2107
2108         Reviewed by Michael Saboff.
2109
2110         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
2111         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
2112         for sh4 architecture.
2113
2114         * jit/JITStubsARM.h:
2115         * jit/JITStubsARMv7.h:
2116
2117 2013-08-02  Michael Saboff  <msaboff@apple.com>
2118
2119         REGRESSION(r153612): It made jsc and layout tests crash
2120         https://bugs.webkit.org/show_bug.cgi?id=119440
2121
2122         Reviewed by Csaba Osztrogonác.
2123
2124         Made the changes in changeset r153612 only apply to 32-bit builds.
2125
2126         * jit/JITExceptions.cpp:
2127         * jit/JITExceptions.h:
2128         * jit/JITStubs.cpp:
2129         (JSC::cti_vm_throw_slowpath):
2130         * jit/JITStubs.h:
2131
2132 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2133
2134         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2135
2136         * CMakeLists.txt:
2137
2138 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2139
2140         [Forms: color] <input type='color'> popover color well implementation
2141         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2142
2143         Reviewed by Benjamin Poulain.
2144
2145         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
2146
2147 2013-08-01  Oliver Hunt  <oliver@apple.com>
2148
2149         DFG is not enforcing correct ordering of ToString conversion in MakeRope
2150         https://bugs.webkit.org/show_bug.cgi?id=119408
2151
2152         Reviewed by Filip Pizlo.
2153
2154         Construct ToString and Phantom nodes in advance of MakeRope
2155         nodes to ensure that ordering is ensured, and correct values
2156         will be reified on OSR exit.
2157
2158         * dfg/DFGByteCodeParser.cpp:
2159         (JSC::DFG::ByteCodeParser::parseBlock):
2160
2161 2013-08-01  Michael Saboff  <msaboff@apple.com>
2162
2163         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
2164         https://bugs.webkit.org/show_bug.cgi?id=119140
2165
2166         Reviewed by Filip Pizlo.
2167
2168         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
2169
2170         * jit/JITExceptions.cpp:
2171         (JSC::encode):
2172         * jit/JITExceptions.h:
2173         * jit/JITStubs.cpp:
2174         (JSC::cti_vm_throw_slowpath):
2175         * jit/JITStubs.h:
2176
2177 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
2178
2179         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
2180         https://bugs.webkit.org/show_bug.cgi?id=119391
2181
2182         Reviewed by Csaba Osztrogonác.
2183
2184         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
2185             - Call frame is in r14 register.
2186             - Do not restore registers from JIT stack frame here.
2187
2188 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2189
2190         More cleanup in PropertySlot
2191         https://bugs.webkit.org/show_bug.cgi?id=119359
2192
2193         Reviewed by Geoff Garen.
2194
2195         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
2196         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
2197
2198         * dfg/DFGRepatch.cpp:
2199         (JSC::DFG::tryCacheGetByID):
2200         (JSC::DFG::tryBuildGetByIDList):
2201             - No need to ASSERT slotBase is an object.
2202         * jit/JITStubs.cpp:
2203         (JSC::tryCacheGetByID):
2204         (JSC::DEFINE_STUB_FUNCTION):
2205             - No need to ASSERT slotBase is an object.
2206         * runtime/JSObject.cpp:
2207         (JSC::JSObject::getOwnPropertySlotByIndex):
2208         (JSC::JSObject::fillGetterPropertySlot):
2209             - Pass an object through to setGetterSlot.
2210         * runtime/JSObject.h:
2211         (JSC::PropertySlot::getValue):
2212             - Moved from PropertySlot (need to know about JSObject).
2213         * runtime/PropertySlot.cpp:
2214         (JSC::PropertySlot::functionGetter):
2215             - update per member name changes
2216         * runtime/PropertySlot.h:
2217         (JSC::PropertySlot::PropertySlot):
2218             - Argument to constructor set to 'thisValue'.
2219         (JSC::PropertySlot::slotBase):
2220             - This returns a JSObject*.
2221         (JSC::PropertySlot::setValue):
2222         (JSC::PropertySlot::setCustom):
2223         (JSC::PropertySlot::setCacheableCustom):
2224         (JSC::PropertySlot::setCustomIndex):
2225         (JSC::PropertySlot::setGetterSlot):
2226         (JSC::PropertySlot::setCacheableGetterSlot):
2227             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
2228         * runtime/SparseArrayValueMap.cpp:
2229         (JSC::SparseArrayEntry::get):
2230             - Pass an object through to setGetterSlot.
2231         * runtime/SparseArrayValueMap.h:
2232             - Pass an object through to setGetterSlot.
2233
2234 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
2235
2236         Reduce JSC API static value setter/getter overhead.
2237         https://bugs.webkit.org/show_bug.cgi?id=119277
2238
2239         Reviewed by Geoffrey Garen.
2240
2241         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
2242         need to be called every time the static value is set or retrieved.
2243
2244         * API/JSCallbackObjectFunctions.h:
2245         (JSC::::put):
2246         (JSC::::putByIndex):
2247         (JSC::::getStaticValue):
2248         * API/JSClassRef.cpp:
2249         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2250         * API/JSClassRef.h:
2251         (StaticValueEntry::StaticValueEntry):
2252
2253 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
2254
2255         Use emptyString instead of String("")
2256         https://bugs.webkit.org/show_bug.cgi?id=119335
2257
2258         Reviewed by Darin Adler.
2259
2260         Use emptyString() instead of String("") because it is better style and
2261         faster. This is a followup to r116908, removing all occurrences of
2262         String("") from WebKit.
2263
2264         * runtime/RegExpConstructor.cpp:
2265         (JSC::constructRegExp):
2266         * runtime/RegExpPrototype.cpp:
2267         (JSC::regExpProtoFuncCompile):
2268         * runtime/StringPrototype.cpp:
2269         (JSC::stringProtoFuncMatch):
2270         (JSC::stringProtoFuncSearch):
2271
2272 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2273
2274         <input type=color> Mac UI behaviour
2275         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2276
2277         Reviewed by Brady Eidson.
2278
2279         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2280
2281 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2282
2283         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2284         https://bugs.webkit.org/show_bug.cgi?id=119349
2285
2286         Reviewed by Geoffrey Garen.
2287
2288         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2289         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2290         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2291         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2292         JIT then this resizing never happens and we crash at link time in the DFG.
2293
2294         We can fix this by also doing the resize in the DFG to catch this case.
2295
2296         * dfg/DFGJITCompiler.cpp:
2297         (JSC::DFG::JITCompiler::link):
2298
2299 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2300
2301         Speculative Windows build fix.
2302
2303         Reviewed by NOBODY
2304
2305         * runtime/JSString.cpp:
2306         (JSC::JSRopeString::getIndexSlowCase):
2307         * runtime/JSString.h:
2308
2309 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2310
2311         Some cleanup in JSValue::get
2312         https://bugs.webkit.org/show_bug.cgi?id=119343
2313
2314         Reviewed by Geoff Garen.
2315
2316         JSValue::get is implemented to:
2317             1) Check if the value is a cell – if not, synthesize a prototype to search,
2318             2) call getOwnPropertySlot on the cell,
2319             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2320         By all rights this should crash when passed a string and accessing a property that does not exist, because
2321         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2322         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2323         prototype chain, and faking out a return value of undefined if no property is found.
2324
2325         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2326         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2327
2328         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2329         slots anyway.
2330
2331         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
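
        The lookup described above, emulated in plain JavaScript as an added example (this is
        not JavaScriptCore code and nothing in this ChangeLog ships it). lookup() follows the
        three steps listed for JSValue::get: synthesize a prototype for a non-object value,
        ask the starting object for its own property, then walk the prototype chain, and it
        returns undefined when the chain ends instead of relying on a special-cased string
        path. The function names and the crossCheck() helper are this example's own; the
        engine used to run it is Node/V8, whose own property access the emulation is compared
        against.

```javascript
// Added example, not JavaScriptCore code: emulate the three-step property
// lookup described for JSValue::get and compare it with the engine's own.

// Step 1: a non-object value has no property slots of its own, so a
// prototype is synthesized for the search. null and undefined have no
// prototype, so the lookup throws just as `null.x` does in script.
function synthesizePrototype(value) {
  switch (typeof value) {
    case "string":  return String.prototype;
    case "number":  return Number.prototype;
    case "boolean": return Boolean.prototype;
    case "symbol":  return Symbol.prototype;
    case "bigint":  return BigInt.prototype;
    default:
      throw new TypeError("Cannot read properties of " + String(value));
  }
}

function isObjectLike(value) {
  return value !== null && (typeof value === "object" || typeof value === "function");
}

// Steps 2 and 3: ask the starting object for an own property, then follow
// Object.getPrototypeOf() until the chain ends. Falling off the end yields
// undefined rather than a crash; no special case for strings is needed.
function lookup(value, key) {
  let start;
  if (isObjectLike(value)) {
    start = value;
  } else {
    // A string primitive does own its index and length properties, so they
    // are answered here before String.prototype is consulted.
    if (typeof value === "string") {
      const own = Object.getOwnPropertyDescriptor(value, key);
      if (own !== undefined) return own.value;
    }
    start = synthesizePrototype(value);
  }
  for (let obj = start; obj !== null; obj = Object.getPrototypeOf(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc === undefined) continue;          // not here, keep walking
    if ("value" in desc) return desc.value;    // data property
    // Accessor: call the getter with the original receiver, not with the
    // prototype object that happens to hold the slot.
    return desc.get === undefined ? undefined : desc.get.call(value);
  }
  return undefined;
}

// Cross-check against the engine's own property access for the same input.
function crossCheck(value, key) {
  return Object.is(lookup(value, key), value[key]);
}
```

        crossCheck("abc", "nothere") is the case the entry calls out: the string is not an
        object, its synthesized prototype chain (String.prototype, then Object.prototype) has
        no such property, and the result is undefined from the generic walk alone.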
2332
2333 2013-07-31  Michael Saboff  <msaboff@apple.com>
2334
2335         [Win] JavaScript crash.
2336         https://bugs.webkit.org/show_bug.cgi?id=119339
2337
2338         Reviewed by Mark Hahnenberg.
2339
2340         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2341         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2342
2343 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2344
2345         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2346         https://bugs.webkit.org/show_bug.cgi?id=119281
2347
2348         Reviewed by Geoffrey Garen.
2349
2350         This leads to out of bounds accesses and subsequent crashes.
2351
2352         * dfg/DFGSpeculativeJIT.cpp:
2353         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2354         * dfg/DFGSpeculativeJIT64.cpp:
2355         (JSC::DFG::SpeculativeJIT::compile):
2356
2357 2013-07-30  Oliver Hunt  <oliver@apple.com>
2358
2359         Add an assertion to SpeculateCellOperand
2360         https://bugs.webkit.org/show_bug.cgi?id=119276
2361
2362         Reviewed by Michael Saboff.
2363
2364         More assertions are better
2365
2366         * dfg/DFGSpeculativeJIT64.cpp:
2367         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2368         (JSC::DFG::SpeculativeJIT::compile):
2369
2370 2013-07-30  Mark Lam  <mark.lam@apple.com>
2371
2372         Fix problems with divot and lineStart mismatches.
2373         https://bugs.webkit.org/show_bug.cgi?id=118662
2374
2375         Reviewed by Oliver Hunt.
2376
2377         r152494 added the recording of lineStart values for divot positions.
2378         This is needed for the computation of column numbers. Similarly, it also
2379         added the recording of line numbers for the divot positions. One problem
2380         with the approach taken was that the line and lineStart values were
2381         recorded independently, and hence were not always guaranteed to be
2382         sampled at the same place that the divot position is recorded. This
2383         resulted in potential mismatches that cause some assertions to fail.
2384
2385         The solution is to introduce a JSTextPosition abstraction that records
2386         the divot position, line, and lineStart as a single quantity. Wherever
2387         we record the divot position as an unsigned int previously, we now record
2388         its JSTextPosition which captures all 3 values in one go. This ensures
2389         that the captured line and lineStart will always match the captured divot
2390         position.
2391
2392         * bytecompiler/BytecodeGenerator.cpp:
2393         (JSC::BytecodeGenerator::emitCall):
2394         (JSC::BytecodeGenerator::emitCallEval):
2395         (JSC::BytecodeGenerator::emitCallVarargs):
2396         (JSC::BytecodeGenerator::emitConstruct):
2397         (JSC::BytecodeGenerator::emitDebugHook):
2398         - Use JSTextPosition instead of passing line and lineStart explicitly.
2399         * bytecompiler/BytecodeGenerator.h:
2400         (JSC::BytecodeGenerator::emitExpressionInfo):
2401         - Use JSTextPosition instead of passing line and lineStart explicitly.
2402         * bytecompiler/NodesCodegen.cpp:
2403         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2404         (JSC::ResolveNode::emitBytecode):
2405         (JSC::BracketAccessorNode::emitBytecode):
2406         (JSC::DotAccessorNode::emitBytecode):
2407         (JSC::NewExprNode::emitBytecode):
2408         (JSC::EvalFunctionCallNode::emitBytecode):
2409         (JSC::FunctionCallValueNode::emitBytecode):
2410         (JSC::FunctionCallResolveNode::emitBytecode):
2411         (JSC::FunctionCallBracketNode::emitBytecode):
2412         (JSC::FunctionCallDotNode::emitBytecode):
2413         (JSC::CallFunctionCallDotNode::emitBytecode):
2414         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2415         (JSC::PostfixNode::emitResolve):
2416         (JSC::PostfixNode::emitBracket):
2417         (JSC::PostfixNode::emitDot):
2418         (JSC::DeleteResolveNode::emitBytecode):
2419         (JSC::DeleteBracketNode::emitBytecode):
2420         (JSC::DeleteDotNode::emitBytecode):
2421         (JSC::PrefixNode::emitResolve):
2422         (JSC::PrefixNode::emitBracket):
2423         (JSC::PrefixNode::emitDot):
2424         (JSC::UnaryOpNode::emitBytecode):
2425         (JSC::BinaryOpNode::emitStrcat):
2426         (JSC::BinaryOpNode::emitBytecode):
2427         (JSC::ThrowableBinaryOpNode::emitBytecode):
2428         (JSC::InstanceOfNode::emitBytecode):
2429         (JSC::emitReadModifyAssignment):
2430         (JSC::ReadModifyResolveNode::emitBytecode):
2431         (JSC::AssignResolveNode::emitBytecode):
2432         (JSC::AssignDotNode::emitBytecode):
2433         (JSC::ReadModifyDotNode::emitBytecode):
2434         (JSC::AssignBracketNode::emitBytecode):
2435         (JSC::ReadModifyBracketNode::emitBytecode):
2436         (JSC::ForInNode::emitBytecode):
2437         (JSC::WithNode::emitBytecode):
2438         (JSC::ThrowNode::emitBytecode):
2439         - Use JSTextPosition instead of passing line and lineStart explicitly.
2440         * parser/ASTBuilder.h:
2441         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2442         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2443         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2444         (JSC::ASTBuilder::createResolve):
2445         (JSC::ASTBuilder::createBracketAccess):
2446         (JSC::ASTBuilder::createDotAccess):
2447         (JSC::ASTBuilder::createRegExp):
2448         (JSC::ASTBuilder::createNewExpr):
2449         (JSC::ASTBuilder::createAssignResolve):
2450         (JSC::ASTBuilder::createExprStatement):
2451         (JSC::ASTBuilder::createForInLoop):
2452         (JSC::ASTBuilder::createReturnStatement):
2453         (JSC::ASTBuilder::createBreakStatement):
2454         (JSC::ASTBuilder::createContinueStatement):
2455         (JSC::ASTBuilder::createLabelStatement):
2456         (JSC::ASTBuilder::createWithStatement):
2457         (JSC::ASTBuilder::createThrowStatement):
2458         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2459         (JSC::ASTBuilder::appendUnaryToken):
2460         (JSC::ASTBuilder::unaryTokenStackLastStart):
2461         (JSC::ASTBuilder::assignmentStackAppend):
2462         (JSC::ASTBuilder::createAssignment):
2463         (JSC::ASTBuilder::setExceptionLocation):
2464         (JSC::ASTBuilder::makeDeleteNode):
2465         (JSC::ASTBuilder::makeFunctionCallNode):
2466         (JSC::ASTBuilder::makeBinaryNode):
2467         (JSC::ASTBuilder::makeAssignNode):
2468         (JSC::ASTBuilder::makePrefixNode):
2469         (JSC::ASTBuilder::makePostfixNode):
2470         - Use JSTextPosition instead of passing line and lineStart explicitly.
2471         * parser/Lexer.cpp:
2472         (JSC::::lex):
2473         - Added support for capturing the appropriate JSTextPositions instead
2474           of just the character offset.
2475         * parser/Lexer.h:
2476         (JSC::Lexer::currentPosition):
2477         (JSC::::lexExpectIdentifier):
2478         - Added support for capturing the appropriate JSTextPositions instead
2479           of just the character offset.
2480         * parser/NodeConstructors.h:
2481         (JSC::Node::Node):
2482         (JSC::ResolveNode::ResolveNode):
2483         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
2484         (JSC::FunctionCallValueNode::FunctionCallValueNode):
2485         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
2486         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
2487         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2488         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2489         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2490         (JSC::PostfixNode::PostfixNode):
2491         (JSC::DeleteResolveNode::DeleteResolveNode):
2492         (JSC::DeleteBracketNode::DeleteBracketNode):
2493         (JSC::DeleteDotNode::DeleteDotNode):
2494         (JSC::PrefixNode::PrefixNode):
2495         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2496         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
2497         (JSC::AssignBracketNode::AssignBracketNode):
2498         (JSC::AssignDotNode::AssignDotNode):
2499         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2500         (JSC::AssignErrorNode::AssignErrorNode):
2501         (JSC::WithNode::WithNode):
2502         (JSC::ForInNode::ForInNode):
2503         - Use JSTextPosition instead of passing line and lineStart explicitly.
2504         * parser/Nodes.cpp:
2505         (JSC::StatementNode::setLoc):
2506         - Use JSTextPosition instead of passing line and lineStart explicitly.
2507         * parser/Nodes.h:
2508         (JSC::Node::lineNo):
2509         (JSC::Node::startOffset):
2510         (JSC::Node::lineStartOffset):
2511         (JSC::Node::position):
2512         (JSC::ThrowableExpressionData::ThrowableExpressionData):
2513         (JSC::ThrowableExpressionData::setExceptionSourceCode):
2514         (JSC::ThrowableExpressionData::divot):
2515         (JSC::ThrowableExpressionData::divotStart):
2516         (JSC::ThrowableExpressionData::divotEnd):
2517         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
2518         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
2519         (JSC::ThrowableSubExpressionData::subexpressionDivot):
2520         (JSC::ThrowableSubExpressionData::subexpressionStart):
2521         (JSC::ThrowableSubExpressionData::subexpressionEnd):
2522         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
2523         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
2524         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
2525         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
2526         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
2527         - Use JSTextPosition instead of passing line and lineStart explicitly.
2528         * parser/Parser.cpp:
2529         (JSC::::Parser):
2530         (JSC::::parseInner):
2531         - Use JSTextPosition instead of passing line and lineStart explicitly.
2532         (JSC::::didFinishParsing):
2533         - Remove setting of m_lastLine value. We always pass in the value from
2534           m_lastLine anyway. So, this assignment is effectively a nop.
2535         (JSC::::parseVarDeclaration):
2536         (JSC::::parseVarDeclarationList):
2537         (JSC::::parseForStatement):
2538         (JSC::::parseBreakStatement):
2539         (JSC::::parseContinueStatement):
2540         (JSC::::parseReturnStatement):
2541         (JSC::::parseThrowStatement):
2542         (JSC::::parseWithStatement):
2543         (JSC::::parseTryStatement):
2544         (JSC::::parseBlockStatement):
2545         (JSC::::parseFunctionDeclaration):
2546         (JSC::LabelInfo::LabelInfo):
2547         (JSC::::parseExpressionOrLabelStatement):
2548         (JSC::::parseExpressionStatement):
2549         (JSC::::parseAssignmentExpression):
2550         (JSC::::parseBinaryExpression):
2551         (JSC::::parseProperty):
2552         (JSC::::parsePrimaryExpression):
2553         (JSC::::parseMemberExpression):
2554         (JSC::::parseUnaryExpression):
2555         - Use JSTextPosition instead of passing line and lineStart explicitly.
2556         * parser/Parser.h:
2557         (JSC::Parser::next):
2558         (JSC::Parser::nextExpectIdentifier):
2559         (JSC::Parser::getToken):
2560         (JSC::Parser::tokenStartPosition):
2561         (JSC::Parser::tokenEndPosition):
2562         (JSC::Parser::lastTokenEndPosition):
2563         (JSC::::parse):
2564         - Use JSTextPosition instead of passing line and lineStart explicitly.
2565         * parser/ParserTokens.h:
2566         (JSC::JSTextPosition::JSTextPosition):
2567         (JSC::JSTextPosition::operator+):
2568         (JSC::JSTextPosition::operator-):
2569         (JSC::JSTextPosition::operator int):
2570         - Added JSTextPosition.
2571         * parser/SyntaxChecker.h:
2572         (JSC::SyntaxChecker::makeFunctionCallNode):
2573         (JSC::SyntaxChecker::makeAssignNode):
2574         (JSC::SyntaxChecker::makePrefixNode):
2575         (JSC::SyntaxChecker::makePostfixNode):
2576         (JSC::SyntaxChecker::makeDeleteNode):
2577         (JSC::SyntaxChecker::createResolve):
2578         (JSC::SyntaxChecker::createBracketAccess):
2579         (JSC::SyntaxChecker::createDotAccess):
2580         (JSC::SyntaxChecker::createRegExp):
2581         (JSC::SyntaxChecker::createNewExpr):
2582         (JSC::SyntaxChecker::createAssignResolve):
2583         (JSC::SyntaxChecker::createForInLoop):
2584         (JSC::SyntaxChecker::createReturnStatement):
2585         (JSC::SyntaxChecker::createBreakStatement):
2586         (JSC::SyntaxChecker::createContinueStatement):
2587         (JSC::SyntaxChecker::createWithStatement):
2588         (JSC::SyntaxChecker::createLabelStatement):
2589         (JSC::SyntaxChecker::createThrowStatement):
2590         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2591         (JSC::SyntaxChecker::operatorStackPop):
2592         - Use JSTextPosition instead of passing line and lineStart explicitly.
2593
2594 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
2595
2596         Unreviewed. Fix make distcheck.
2597
2598         * GNUmakefile.list.am: Add missing files to compilation.
2599         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
2600         include FTL header files not included in the compilation.
2601         * dfg/DFGDriver.cpp: Ditto.
2602         * dfg/DFGPlan.cpp: Ditto.
2603
2604 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
2605
2606         Eager stack trace for error objects.
2607         https://bugs.webkit.org/show_bug.cgi?id=118918
2608
2609         Reviewed by Geoffrey Garen.
2610         
2611         Chrome and Firefox give error objects the stack property and we wanted to match
2612         that functionality. This allows developers to see the stack without throwing an object.
2613
2614         * runtime/ErrorInstance.cpp:
2615         (JSC::ErrorInstance::finishCreation):
2616         For error objects that are not thrown as an exception, we pass the stackTrace in
2617         as a parameter. This allows the error object to have the stack property.
2618         
2619         * interpreter/Interpreter.cpp:
2620         (JSC::stackTraceAsString):
2621         Helper function used to eliminate duplicate code.
2622
2623         (JSC::Interpreter::addStackTraceIfNecessary):
2624         When an error object is created by the user the vm->exceptionStack is not set.
2625         If the user throws this error object later the stack that is in the error object 
2626         may not be the correct stack for the throw, so when we set the vm->exception stack,
2627         the stack property on the error object is set as well.
2628         
2629         * runtime/ErrorConstructor.cpp:
2630         (JSC::constructWithErrorConstructor):
2631         (JSC::callErrorConstructor):
2632         * runtime/NativeErrorConstructor.cpp:
2633         (JSC::constructWithNativeErrorConstructor):
2634         (JSC::callNativeErrorConstructor):
2635         These functions indicate that the user created an error object. For all error objects 
2636         that the user explicitly creates, the topCallFrame is at a new frame created to 
2637         handle the user's call. In this case though, the error object needs the caller's 
2638         frame to create the stack trace correctly.
2639         
2640         * interpreter/Interpreter.h:
2641         * runtime/ErrorInstance.h:
2642         (JSC::ErrorInstance::create):
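
        Observing the eager stack property from script, as an added example that is not
        JavaScriptCore code: makeError() and makeErrorByCall() build an Error without throwing
        it, frameNames() parses the engine's stack text, and createdBy() reports the top frame,
        which should be the function that created the error rather than a frame inside the
        Error constructor. The example runs under Node/V8, whose "at fn (location)" line format
        the parser assumes; the re-capture of the stack when a user-created error is later
        thrown, described above for vm->exceptionStack, is not shown because V8 keeps the
        stack recorded at construction.

```javascript
// Added example, not JavaScriptCore code: inspect the stack property that an
// Error carries without ever being thrown.

// Create an error and hand it back without throwing it.
function makeError(message) {
  return new Error(message);
}

// Same, but call the Error constructor as a plain function.
function makeErrorByCall(message) {
  return Error(message);
}

// Parse V8-style frame lines ("    at fnName (file:line:col)") into function
// names. Unnamed frames ("    at file:line:col") are reported as
// "<anonymous>". The text format is engine-specific, not standardised.
function frameNames(err) {
  if (typeof err.stack !== "string") return [];
  const names = [];
  for (const line of err.stack.split("\n")) {
    if (!/^\s+at /.test(line)) continue;          // skip the "Error: message" line
    const m = /^\s+at (?:new )?(\S+) \(/.exec(line);
    names.push(m === null ? "<anonymous>" : m[1]);
  }
  return names;
}

// The top recorded frame is the caller of the Error constructor, i.e. the
// function that created the error, not a frame inside the constructor.
function createdBy(err) {
  const names = frameNames(err);
  return names.length > 0 ? names[0] : null;
}

// Whether a stack was recorded at all, with no throw having happened.
function hasEagerStack(err) {
  return typeof err.stack === "string" && err.stack.length > 0;
}
```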
2643
2644 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
2645
2646         Some cleanup in PropertySlot
2647         https://bugs.webkit.org/show_bug.cgi?id=119189
2648
2649         Reviewed by Geoff Garen.
2650
2651         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
2652         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
2653         is set to a special value to indicate the type (other than custom), and the type is also tracked by
2654         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
2655         (this is invalidOffset if not cacheable).
2656
2657             * Internally, always track the type of the property using an enum value, PropertyType.
2658             * Use m_offset to indicate cacheable.
2659             * Keep the external interface (CachedPropertyType) unchanged.
2660             * Better pack data into the m_data union.
2661
2662         Performance neutral.
2663
2664         * dfg/DFGRepatch.cpp:
2665         (JSC::DFG::tryCacheGetByID):
2666         (JSC::DFG::tryBuildGetByIDList):
2667             - cachedPropertyType() -> isCacheable*()
2668         * jit/JITPropertyAccess.cpp:
2669         (JSC::JIT::privateCompileGetByIdProto):
2670         (JSC::JIT::privateCompileGetByIdSelfList):
2671         (JSC::JIT::privateCompileGetByIdProtoList):
2672         (JSC::JIT::privateCompileGetByIdChainList):
2673         (JSC::JIT::privateCompileGetByIdChain):
2674             - cachedPropertyType() -> isCacheable*()
2675         * jit/JITPropertyAccess32_64.cpp:
2676         (JSC::JIT::privateCompileGetByIdProto):
2677         (JSC::JIT::privateCompileGetByIdSelfList):
2678         (JSC::JIT::privateCompileGetByIdProtoList):
2679         (JSC::JIT::privateCompileGetByIdChainList):
2680         (JSC::JIT::privateCompileGetByIdChain):
2681             - cachedPropertyType() -> isCacheable*()
2682         * jit/JITStubs.cpp:
2683         (JSC::tryCacheGetByID):
2684             - cachedPropertyType() -> isCacheable*()
2685         * llint/LLIntSlowPaths.cpp:
2686         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2687             - cachedPropertyType() -> isCacheable*()
2688         * runtime/PropertySlot.cpp:
2689         (JSC::PropertySlot::functionGetter):
2690             - refactoring described above.
2691         * runtime/PropertySlot.h:
2692         (JSC::PropertySlot::PropertySlot):
2693         (JSC::PropertySlot::getValue):
2694         (JSC::PropertySlot::isCacheable):
2695         (JSC::PropertySlot::isCacheableValue):
2696         (JSC::PropertySlot::isCacheableGetter):
2697         (JSC::PropertySlot::isCacheableCustom):
2698         (JSC::PropertySlot::cachedOffset):
2699         (JSC::PropertySlot::customGetter):
2700         (JSC::PropertySlot::setValue):
2701         (JSC::PropertySlot::setCustom):
2702         (JSC::PropertySlot::setCacheableCustom):
2703         (JSC::PropertySlot::setCustomIndex):
2704         (JSC::PropertySlot::setGetterSlot):
2705         (JSC::PropertySlot::setCacheableGetterSlot):
2706         (JSC::PropertySlot::setUndefined):
2707         (JSC::PropertySlot::slotBase):
2708         (JSC::PropertySlot::setBase):
2709             - refactoring described above.
2710
2711 2013-07-28  Oliver Hunt  <oliver@apple.com>
2712
2713         REGRESSION: Crash when opening Facebook.com
2714         https://bugs.webkit.org/show_bug.cgi?id=119155
2715
2716         Reviewed by Andreas Kling.
2717
2718         Scope nodes are always objects, so we should be using SpecObjectOther
2719         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
2720         contradiction in the CFA, resulting in bogus codegen.
2721
2722         * dfg/DFGAbstractInterpreterInlines.h:
2723         (JSC::DFG::::executeEffects):
2724         * dfg/DFGPredictionPropagationPhase.cpp:
2725         (JSC::DFG::PredictionPropagationPhase::propagate):
2726
2727 2013-07-26  Oliver Hunt  <oliver@apple.com>
2728
2729         REGRESSION(FTL?): Crashes in plugin tests
2730         https://bugs.webkit.org/show_bug.cgi?id=119141
2731
2732         Reviewed by Michael Saboff.
2733
2734         Re-export getStackTrace
2735
2736         * interpreter/Interpreter.h:
2737
2738 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
2739
2740         REGRESSION: Crash when opening a message on Gmail
2741         https://bugs.webkit.org/show_bug.cgi?id=119105
2742
2743         Reviewed by Oliver Hunt and Mark Hahnenberg.
2744         
2745         - GetById patching in the DFG needs to be more disciplined about how it derives the
2746           slow path.
2747         
2748         - Fix some dumping code thread safety issues.
2749
2750         * bytecode/CallLinkStatus.cpp:
2751         (JSC::CallLinkStatus::dump):
2752         * bytecode/CodeBlock.cpp:
2753         (JSC::CodeBlock::dumpBytecode):
2754         * dfg/DFGRepatch.cpp:
2755         (JSC::DFG::getPolymorphicStructureList):
2756         (JSC::DFG::tryBuildGetByIDList):
2757
2758 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
2759
2760         [mips] Fix LLINT build for mips backend
2761         https://bugs.webkit.org/show_bug.cgi?id=119152
2762
2763         Reviewed by Oliver Hunt.
2764
2765         * offlineasm/mips.rb:
2766
2767 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2768
2769         Setting a large numeric property on an object causes it to allocate a huge backing store
2770         https://bugs.webkit.org/show_bug.cgi?id=118914
2771
2772         Reviewed by Geoffrey Garen.
2773
2774         There are two distinct actions that we're trying to optimize for:
2775
2776         new Array(100000);
2777
2778         and:
2779
2780         a = [];
2781         a[100000] = 42;
2782         
2783         In the first case, the programmer has indicated that they expect this Array to be very big, 
2784         so they should get a contiguous array up until some threshold, above which we perform density 
2785         calculations to see if it is indeed dense enough to warrant being contiguous.
2786         
2787         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
2788         we should be more conservative and assume it should be sparse until we've proven otherwise.
2789         
2790         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
2791         between them for the purposes of not over-allocating large backing stores like we see on 
2792         http://www.peekanalytics.com/burgerjoints/
2793         
2794         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
2795         introduce a new heuristic for the second case. If we are putting to an index above a certain 
2796         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
2797         map instead. So for example, in the second case above the empty array has a blank indexing 
2798         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
2799
2800         This fix is ~800x speedup on the accompanying regression test :-o
2801
2802         * runtime/ArrayConventions.h:
2803         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
2804         * runtime/JSObject.cpp:
2805         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2806         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2807         (JSC::JSObject::putByIndexBeyondVectorLength):
2808         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2809
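As an added example (not JSC's own code), a toy C++ model of the two heuristics the entry describes: `ToyArray`, the helper functions and the threshold constants are assumptions standing in for MIN_SPARSE_ARRAY_INDEX and the "say, 1000" rule, not JSC's real values or API.

```cpp
#include <cstddef>
#include <map>
#include <utility>
#include <vector>

// Constructed stand-ins for the thresholds the entry describes; JSC's real
// MIN_SPARSE_ARRAY_INDEX and density calculation are not reproduced here.
static const unsigned kMinSparseArrayIndex = 1000000;  // assumed "new Array(n)" contiguous limit
static const unsigned kSparseBeyondLengthIndex = 1000; // the entry's "say, 1000" threshold

// Heuristic for the second case: a put-by-val to an index above the threshold
// and beyond the array's current length goes to a sparse map.
inline bool indexIsSufficientlyBeyondLengthForSparseMap(unsigned index, unsigned length) {
    return index > kSparseBeyondLengthIndex && index > length;
}

struct ToyArray {
    std::vector<int> vector;         // contiguous backing store
    std::map<unsigned, int> sparse;  // sparse map for far-flung indices
    unsigned length = 0;

    // First case, "new Array(n)": the programmer asked for a big array, so it is
    // allocated contiguously up to the assumed limit (the density calculation JSC
    // applies above MIN_SPARSE_ARRAY_INDEX is out of scope for this model).
    static ToyArray withLength(unsigned n) {
        ToyArray a;
        a.length = n;
        if (n <= kMinSparseArrayIndex)
            a.vector.resize(n);
        return a;
    }

    // Second case, "a[i] = v": the index decides between vector and sparse map.
    void putByVal(unsigned index, int value) {
        if (index >= vector.size() && indexIsSufficientlyBeyondLengthForSparseMap(index, length)) {
            sparse[index] = value;
        } else {
            if (index >= vector.size())
                vector.resize(index + 1);  // the over-allocation the heuristic avoids for far indices
            vector[index] = value;
        }
        if (index >= length)
            length = index + 1;
    }

    std::size_t vectorCapacity() const { return vector.size(); }
    std::size_t sparseCount() const { return sparse.size(); }
};

// Backing store size chosen for "new Array(n)".
inline std::size_t vectorSizeForNewArray(unsigned n) {
    return ToyArray::withLength(n).vectorCapacity();
}

// {vector size, sparse entries} after "a = []; a[index] = 42".
inline std::pair<std::size_t, std::size_t> storeAfterLatePut(unsigned index) {
    ToyArray a;
    a.putByVal(index, 42);
    return {a.vectorCapacity(), a.sparseCount()};
}
```
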
2810 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2811
2812         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
2813         https://bugs.webkit.org/show_bug.cgi?id=119148
2814
2815         Reviewed by Csaba Osztrogonác.
2816
2817         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
2818         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
2819         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
2820         code duplication.
2821
2822 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2823
2824         REGRESSION(FTL): Crash in sh4 baseline JIT.
2825         https://bugs.webkit.org/show_bug.cgi?id=119138
2826
2827         Reviewed by Csaba Osztrogonác.
2828
2829         This crash is due to incomplete report of r150146 and r148474.
2830
2831         * jit/JITStubsSH4.h:
2832
2833 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
2834
2835         Unreviewed.
2836
2837         * Target.pri: Adding missing DFG files to the Qt build.
2838
2839 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2840
2841         GTK and Qt buildfix after the intrusive win buildfix r153360.
2842
2843         * GNUmakefile.list.am:
2844         * Target.pri:
2845
2846 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2847
2848         Unreviewed, fix build break after r153360.
2849
2850         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
2851
2852 2013-07-25  Roger Fong  <roger_fong@apple.com>
2853
2854         Unreviewed build fix, AppleWin port.
2855
2856         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2857         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2858         * JavaScriptCore.vcxproj/copy-files.cmd:
2859
2860 2013-07-25  Roger Fong  <roger_fong@apple.com>
2861
2862         Unreviewed. Followup to r153360.
2863
2864         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2865         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2866
2867 2013-07-25  Michael Saboff  <msaboff@apple.com>
2868
2869         [Windows] Speculative build fix.
2870
2871         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2872         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2873
2874         * JavaScriptCore.xcodeproj/project.pbxproj:
2875         * llint/LLIntExceptions.cpp:
2876         * llint/LLIntExceptions.h:
2877         * llint/LLIntSlowPaths.cpp:
2878         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2879         * runtime/CommonSlowPaths.cpp:
2880         (JSC::SLOW_PATH_DECL):
2881         * runtime/CommonSlowPathsExceptions.cpp: Added.
2882         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2883         * runtime/CommonSlowPathsExceptions.h: Added.
2884
2885 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2886
2887         [Windows] Unreviewed build fix.
2888
2889         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2890         parser/SourceCode.h,.cpp.
2891         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2892
2893 2013-07-25  Anders Carlsson  <andersca@apple.com>
2894
2895         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2896         https://bugs.webkit.org/show_bug.cgi?id=119108
2897
2898         Reviewed by Mark Hahnenberg.
2899
2900         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2901
2902         * heap/CopiedSpace.cpp:
2903         (JSC::CopiedSpace::tryAllocateSlowCase):
2904         * heap/Heap.cpp:
2905         (JSC::Heap::protect):
2906         (JSC::Heap::unprotect):
2907         (JSC::Heap::collect):
2908         * heap/MarkedAllocator.cpp:
2909         (JSC::MarkedAllocator::allocateSlowCase):
2910         * runtime/JSGlobalObject.cpp:
2911         (JSC::JSGlobalObject::init):
2912         * runtime/VM.h:
2913         (JSC::VM::currentThreadIsHoldingAPILock):
2914
2915 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2916
2917         REGRESSION(FTL): Most layout tests crashes
2918         https://bugs.webkit.org/show_bug.cgi?id=119089
2919
2920         Reviewed by Oliver Hunt.
2921
2922         * runtime/ExecutionHarness.h:
2923         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2924         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2925         RefPtr<JSC::JITCode> parameter before the latter has actually been given a proper value through the prepareForExecutionImpl call.
2926         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2927         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2928         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2929
2930 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2931
2932         [Windows] Unreviewed build fix.
2933
2934         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2935         include path.
2936
2937 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2938
2939         [Windows] Unreviewed build fix.
2940
2941         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2942         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2943         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2944
2945 2013-07-25  Oliver Hunt  <oliver@apple.com>
2946
2947         Make all jit & non-jit combos build cleanly
2948         https://bugs.webkit.org/show_bug.cgi?id=119102
2949
2950         Reviewed by Anders Carlsson.
2951
2952         * bytecode/CodeBlock.cpp:
2953         (JSC::CodeBlock::counterValueForOptimizeSoon):
2954         * bytecode/CodeBlock.h:
2955         (JSC::CodeBlock::optimizeAfterWarmUp):
2956         (JSC::CodeBlock::numberOfDFGCompiles):
2957
2958 2013-07-25  Oliver Hunt  <oliver@apple.com>
2959
2960         32 bit portion of load validation logic
2961         https://bugs.webkit.org/show_bug.cgi?id=118878
2962
2963         Reviewed by NOBODY (Build fix).
2964
2965         * dfg/DFGSpeculativeJIT32_64.cpp:
2966         (JSC::DFG::SpeculativeJIT::compile):
2967
2968 2013-07-25  Oliver Hunt  <oliver@apple.com>
2969
2970         More 32bit build fixes
2971
2972         - Apparently some compilers don't track the fastcall directive everywhere we expect
2973
2974         * API/APICallbackFunction.h:
2975         (JSC::APICallbackFunction::call):
2976         * bytecode/CodeBlock.cpp:
2977         * runtime/Structure.cpp:
2978
2979 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2980
2981         Optimize the thread locks for API Shims
2982         https://bugs.webkit.org/show_bug.cgi?id=118573
2983
2984         Reviewed by Geoffrey Garen.
2985
2986         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2987         only used by WebCore's main thread).
2988
2989         * API/APIShims.h:
2990         (JSC::APIEntryShim::APIEntryShim):
2991         (JSC::APICallbackShim::APICallbackShim):
2992         * runtime/JSLock.cpp:
2993         (JSC::JSLockHolder::JSLockHolder):
2994         (JSC::JSLockHolder::init):
2995         (JSC::JSLockHolder::~JSLockHolder):
2996         (JSC::JSLock::DropAllLocks::DropAllLocks):
2997         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2998         * runtime/VM.cpp:
2999         (JSC::VM::VM):
3000         * runtime/VM.h:
3001
3002 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
3003
3004         Unreviewed build fix after r153218.
3005
3006         Broke the EFL port build with gcc 4.7.
3007
3008         * interpreter/StackIterator.cpp:
3009         (JSC::printif):
3010
3011 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3012
3013         Build fix: add missing #include.
3014         https://bugs.webkit.org/show_bug.cgi?id=119087
3015
3016         Reviewed by Allan Sandfeld Jensen.
3017
3018         * bytecode/ArrayProfile.cpp:
3019
3020 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3021
3022         Unreviewed, build fix on the EFL port.
3023
3024         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
3025
3026 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3027
3028         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
3029         https://bugs.webkit.org/show_bug.cgi?id=119083
3030
3031         Reviewed by Allan Sandfeld Jensen.
3032
3033         * assembler/MacroAssemblerSH4.h:
3034         (JSC::MacroAssemblerSH4::store8):
3035
3036 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3037
3038         [Qt] Fix test build after FTL upstream
3039
3040         Unreviewed build fix.
3041
3042         * Target.pri:
3043
3044 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3045
3046         [Qt] Build fix after FTL.
3047
3048         Unreviewed build fix.
3049
3050         * Target.pri:
3051         * interpreter/StackIterator.cpp:
3052         (JSC::StackIterator::Frame::print):
3053
3054 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3055
3056         Unreviewed build fix after FTL upstream.
3057
3058         * dfg/DFGWorklist.cpp:
3059         (JSC::DFG::Worklist::~Worklist):
3060
3061 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3062
3063         Unreviewed, build fix on the EFL port.
3064
3065         * CMakeLists.txt:
3066         Added SourceCode.cpp and removed BlackBerry file.
3067         * jit/JITCode.h:
3068         (JSC::JITCode::nextTierJIT):
3069         Fixed build break because of -Werror=return-type
3070         * parser/Lexer.cpp: Includes JSFunctionInlines.h
3071         * runtime/JSScope.h:
3072         (JSC::makeType):
3073         Fixed build break because of -Werror=return-type
3074
3075 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3076
3077         Unreviewed build fixing after FTL upstream.
3078
3079         * runtime/Executable.cpp:
3080         (JSC::FunctionExecutable::produceCodeBlockFor):
3081
3082 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3083
3084         Add missing implementation of bxxxnz in sh4 LLINT.
3085         https://bugs.webkit.org/show_bug.cgi?id=119079
3086
3087         Reviewed by Allan Sandfeld Jensen.
3088
3089         * offlineasm/sh4.rb:
3090
3091 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3092
3093         Unreviewed, build fix on the Qt port.
3094
3095         * Target.pri: Add additional build files for the FTL.
3096
3097 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3098
3099         Unreviewed buildfix after FTL upstream.
3100
3101         * interpreter/StackIterator.cpp:
3102         (JSC::StackIterator::Frame::codeType):
3103         (JSC::StackIterator::Frame::functionName):
3104         (JSC::StackIterator::Frame::sourceURL):
3105         (JSC::StackIterator::Frame::logicalFrame):
3106
3107 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3108
3109         Unreviewed.
3110
3111         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
3112         method is not left undefined, causing build failures on (at least) the GTK port.
3113
3114 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3115
3116         Unreviewed, further build fixing on the GTK port.
3117
3118         * GNUmakefile.list.am: Add CompilationResult source files to the build.
3119
3120 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3121
3122         Unreviewed GTK build fixing.
3123
3124         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
3125         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
3126
3127 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3128
3129         Buildfix after this error:
3130         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
3131
3132         * dfg/DFGPlan.cpp:
3133         (JSC::DFG::Plan::compileInThread):
3134
3135 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3136
3137         One more buildfix after FTL upstream.
3138
3139         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
3140
3141         * dfg/DFGLazyJSValue.cpp:
3142         (JSC::DFG::LazyJSValue::getValue):
3143         (JSC::DFG::LazyJSValue::strictEqual):
3144
3145 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3146
3147         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
3148         https://bugs.webkit.org/show_bug.cgi?id=119076
3149
3150         Reviewed by Allan Sandfeld Jensen.
3151
3152         * offlineasm/mips.rb:
3153         * offlineasm/sh4.rb:
3154
3155 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3156
3157         Unreviewed GTK build fix.
3158
3159         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
3160
3161 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3162
3163         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
3164         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
3165
3166         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
3167
3168 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3169
3170         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
3171
3172         * GNUmakefile.am:
3173         * GNUmakefile.list.am:
3174
3175 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3176
3177         Unreviewed buildfix after FTL upstream.
3178
3179         * runtime/JSScope.h:
3180         (JSC::needsVarInjectionChecks):
3181
3182 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3183
3184         One more fix after FTL upstream.
3185
3186         * Target.pri:
3187         * bytecode/CodeBlock.h:
3188         * bytecode/GetByIdStatus.h:
3189         (JSC::GetByIdStatus::GetByIdStatus):
3190
3191 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3192
3193         Unreviewed buildfix after FTL upstream.
3194
3195         Add ftl directory as include path.
3196
3197         * CMakeLists.txt:
3198         * JavaScriptCore.pri:
3199
3200 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3201
3202         Unreviewed buildfix after FTL upstream for non C++11 builds.
3203
3204         * interpreter/CallFrame.h:
3205         * interpreter/StackIteratorPrivate.h:
3206         (JSC::StackIterator::end):
3207
3208 2013-07-24  Oliver Hunt  <oliver@apple.com>
3209
3210         Endeavour to fix CMakelist builds
3211
3212         * CMakeLists.txt:
3213
3214 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
3215
3216         fourthTier: DFG IR dumps should be easier to read
3217         https://bugs.webkit.org/show_bug.cgi?id=119050
3218
3219         Reviewed by Mark Hahnenberg.
3220         
3221         Added a DumpContext that includes support for printing an endnote
3222         that describes all structures in full, while the main flow of the
3223         dump just uses made-up names for the structures. This is helpful
3224         since Structure::dump() may print a lot. The stuff it prints is
3225         useful, but if it's all inline with the surrounding thing you're
3226         dumping (often, a node in the DFG), then you get a ridiculously
3227         long print-out. All classes that dump structures (including
3228         Structure itself) now have dumpInContext() methods that use
3229         inContext() for dumping anything that might transitively print a
3230         structure. If Structure::dumpInContext() is called with a NULL
3231         context, it just uses dump() like before. Hence you don't have to
3232         know anything about DumpContext unless you want to.
3233         
3234         inContext(*structure, context) dumps something like %B4:Array,
3235         and the endnote will have something like:
3236         
3237             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
3238         
3239         where B4 is the inferred name that StringHashDumpContext came up
3240         with.
3241         
3242         Also shortened a bunch of other dumps, removing information that
3243         isn't so important.
3244         
3245         * JavaScriptCore.xcodeproj/project.pbxproj:
3246         * bytecode/ArrayProfile.cpp:
3247         (JSC::dumpArrayModes):
3248         * bytecode/CodeBlockHash.cpp:
3249         (JSC):
3250         (JSC::CodeBlockHash::CodeBlockHash):
3251         (JSC::CodeBlockHash::dump):
3252         * bytecode/CodeOrigin.cpp:
3253         (JSC::CodeOrigin::dumpInContext):
3254         (JSC):
3255         (JSC::InlineCallFrame::dumpInContext):
3256         (JSC::InlineCallFrame::dump):
3257         * bytecode/CodeOrigin.h:
3258         (CodeOrigin):
3259         (InlineCallFrame):
3260         * bytecode/Operands.h:
3261         (JSC::OperandValueTraits::isEmptyForDump):
3262         (Operands):
3263         (JSC::Operands::dump):
3264         (JSC):
3265         * bytecode/OperandsInlines.h: Added.
3266         (JSC):
3267         (JSC::::dumpInContext):
3268         * bytecode/StructureSet.h:
3269         (JSC::StructureSet::dumpInContext):
3270         (JSC::StructureSet::dump):
3271         (StructureSet):
3272         * dfg/DFGAbstractValue.cpp:
3273         (JSC::DFG::AbstractValue::dump):
3274         (DFG):
3275         (JSC::DFG::AbstractValue::dumpInContext):
3276         * dfg/DFGAbstractValue.h:
3277         (JSC::DFG::AbstractValue::operator!):
3278         (AbstractValue):
3279         * dfg/DFGCFAPhase.cpp:
3280         (JSC::DFG::CFAPhase::performBlockCFA):
3281         * dfg/DFGCommon.cpp:
3282         * dfg/DFGCommon.h:
3283         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3284         * dfg/DFGDisassembler.cpp:
3285         (JSC::DFG::Disassembler::createDumpList):
3286         * dfg/DFGDisassembler.h:
3287         (Disassembler):
3288         * dfg/DFGFlushFormat.h:
3289         (WTF::inContext):
3290         (WTF):
3291         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3292         * dfg/DFGGraph.cpp:
3293         (JSC::DFG::Graph::dumpCodeOrigin):
3294         (JSC::DFG::Graph::dump):
3295         (JSC::DFG::Graph::dumpBlockHeader):
3296         * dfg/DFGGraph.h:
3297         (Graph):
3298         * dfg/DFGLazyJSValue.cpp:
3299         (JSC::DFG::LazyJSValue::dumpInContext):
3300         (JSC::DFG::LazyJSValue::dump):
3301         (DFG):
3302         * dfg/DFGLazyJSValue.h:
3303         (LazyJSValue):
3304         * dfg/DFGNode.h:
3305         (JSC::DFG::nodeMapDump):
3306         (WTF::inContext):
3307         (WTF):
3308         * dfg/DFGOSRExitCompiler32_64.cpp:
3309         (JSC::DFG::OSRExitCompiler::compileExit):
3310         * dfg/DFGOSRExitCompiler64.cpp:
3311         (JSC::DFG::OSRExitCompiler::compileExit):
3312         * dfg/DFGStructureAbstractValue.h:
3313         (JSC::DFG::StructureAbstractValue::dumpInContext):
3314         (JSC::DFG::StructureAbstractValue::dump):
3315         (StructureAbstractValue):
3316         * ftl/FTLExitValue.cpp:
3317         (JSC::FTL::ExitValue::dumpInContext):
3318         (JSC::FTL::ExitValue::dump):
3319         (FTL):
3320         * ftl/FTLExitValue.h:
3321         (ExitValue):
3322         * ftl/FTLLowerDFGToLLVM.cpp:
3323         * ftl/FTLValueSource.cpp:
3324         (JSC::FTL::ValueSource::dumpInContext):
3325         (FTL):
3326         * ftl/FTLValueSource.h:
3327         (ValueSource):
3328         * runtime/DumpContext.cpp: Added.
3329         (JSC):
3330         (JSC::DumpContext::DumpContext):
3331         (JSC::DumpContext::~DumpContext):
3332         (JSC::DumpContext::isEmpty):
3333         (JSC::DumpContext::dump):
3334         * runtime/DumpContext.h: Added.
3335         (JSC):
3336         (DumpContext):
3337         * runtime/JSCJSValue.cpp:
3338         (JSC::JSValue::dump):
3339         (JSC):
3340         (JSC::JSValue::dumpInContext):
3341         * runtime/JSCJSValue.h:
3342         (JSC):
3343         (JSValue):
3344         * runtime/Structure.cpp:
3345         (JSC::Structure::dumpInContext):
3346         (JSC):
3347         (JSC::Structure::dumpBrief):
3348         (JSC::Structure::dumpContextHeader):
3349         * runtime/Structure.h:
3350         (JSC):
3351         (Structure):
3352
3353 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3354
3355         fourthTier: DFG should do a high-level LICM before going to FTL
3356         https://bugs.webkit.org/show_bug.cgi?id=118749
3357
3358         Reviewed by Oliver Hunt.
3359         
3360         Implements LICM hoisting for nodes that never write anything and never read
3361         things that are clobbered by the loop. There are some other preconditions for
3362         hoisting, see DFGLICMPhase.cpp.
3363
3364         Also did a few fixes:
3365         
3366         - ClobberSet::add was failing to switch Super entries to Direct entries in
3367           some cases.
3368         
3369         - DFGClobberize.cpp needed to #include "Operations.h".
3370         
3371         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3372         
3373         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3374           Knowing the indexInBlock is an optional optimization that all other clients
3375           of AI still opt into, but LICM doesn't.
3376         
3377         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3378
3379         * JavaScriptCore.xcodeproj/project.pbxproj:
3380         * dfg/DFGAbstractInterpreter.h:
3381         (AbstractInterpreter):
3382         * dfg/DFGAbstractInterpreterInlines.h:
3383         (JSC::DFG::::executeEffects):
3384         (JSC::DFG::::execute):
3385         (DFG):
3386         (JSC::DFG::::clobberWorld):
3387         (JSC::DFG::::clobberStructures):
3388         * dfg/DFGAtTailAbstractState.cpp: Added.
3389         (DFG):
3390         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3391         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3392         (JSC::DFG::AtTailAbstractState::createValueForNode):
3393         (JSC::DFG::AtTailAbstractState::forNode):
3394         * dfg/DFGAtTailAbstractState.h: Added.
3395         (DFG):
3396         (AtTailAbstractState):
3397         (JSC::DFG::AtTailAbstractState::initializeTo):
3398         (JSC::DFG::AtTailAbstractState::forNode):
3399         (JSC::DFG::AtTailAbstractState::variables):
3400         (JSC::DFG::AtTailAbstractState::block):
3401         (JSC::DFG::AtTailAbstractState::isValid):
3402         (JSC::DFG::AtTailAbstractState::setDidClobber):
3403         (JSC::DFG::AtTailAbstractState::setIsValid):
3404         (JSC::DFG::AtTailAbstractState::setBranchDirection):
3405         (JSC::DFG::AtTailAbstractState::setFoundConstants):
3406         (JSC::DFG::AtTailAbstractState::haveStructures):
3407         (JSC::DFG::AtTailAbstractState::setHaveStructures):
3408         * dfg/DFGBasicBlock.h:
3409         (JSC::DFG::BasicBlock::insertBeforeLast):
3410         * dfg/DFGBasicBlockInlines.h:
3411         (DFG):
3412         * dfg/DFGClobberSet.cpp:
3413         (JSC::DFG::ClobberSet::add):
3414         (JSC::DFG::ClobberSet::addAll):
3415         * dfg/DFGClobberize.cpp:
3416         (JSC::DFG::doesWrites):
3417         * dfg/DFGClobberize.h:
3418         (DFG):
3419         * dfg/DFGDCEPhase.cpp:
3420         (JSC::DFG::DCEPhase::DCEPhase):
3421         (JSC::DFG::DCEPhase::run):
3422         (JSC::DFG::DCEPhase::fixupBlock):
3423         (DCEPhase):
3424         * dfg/DFGEdgeDominates.h: Added.
3425         (DFG):
3426         (EdgeDominates):
3427         (JSC::DFG::EdgeDominates::EdgeDominates):
3428         (JSC::DFG::EdgeDominates::operator()):
3429         (JSC::DFG::EdgeDominates::result):
3430         (JSC::DFG::edgesDominate):
3431         * dfg/DFGFixupPhase.cpp:
3432         (JSC::DFG::FixupPhase::fixupNode):
3433         (JSC::DFG::FixupPhase::checkArray):
3434         * dfg/DFGLICMPhase.cpp: Added.
3435         (LICMPhase):
3436         (JSC::DFG::LICMPhase::LICMPhase):
3437         (JSC::DFG::LICMPhase::run):
3438         (JSC::DFG::LICMPhase::attemptHoist):
3439         (DFG):
3440         (JSC::DFG::performLICM):
3441         * dfg/DFGLICMPhase.h: Added.
3442         (DFG):
3443         * dfg/DFGPlan.cpp:
3444         (JSC::DFG::Plan::compileInThreadImpl):
3445
3446 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3447
3448         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
3449         https://bugs.webkit.org/show_bug.cgi?id=118910
3450
3451         Reviewed by Sam Weinig.
3452         
3453         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
3454         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
3455         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
3456         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
3457         create them all up front). FTL AbstractHeaps also don't actually give you the
3458         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
3459         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
3460         They also give you aliasing machinery. The DFG AbstractHeaps are represented
3461         internally by an int64_t. Many comparisons between them are just integer comparisons.
3462         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
3463         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
3464         payload is the direct subtype of its corresponding TOP Kind).
3465         
3466         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
3467         clobbered. It represents the set that results from unifying a bunch of
3468         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
3469         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
3470         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
3471         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
3472         member is equal to it, or if any of its ancestors are equal to a direct member.
3473         
3474         Example #1:
3475         
3476             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
3477               is a subtype of Variables, which is a subtype of World.
3478             - You query Variables. I.e. Variables with a TOP payload, which is the
3479               supertype of Variables(X) for any X, and a subtype of World.
3480             
3481             The set will have Variables(5) as a direct member, and Variables and World as
3482             super members. The Variables query will immediately return true, because
3483             Variables is indeed a super member.
3484         
3485         Example #2:
3486         
3487             - I add Variables(5)
3488             - You query NamedProperties
3489             
3490             NamedProperties is not a member at all (neither direct nor super). We next
3491             query World. World is a member, but it's a super member, so we return false.
3492         
3493         Example #3:
3494         
3495             - I add Variables
3496             - You query Variables(5)
3497             
3498             The set will have Variables as a direct member, and World as a super member.
3499             The Variables(5) query will not find Variables(5) in the set, but then it
3500             will query Variables. Variables is a direct member, so we return true.
3501         
3502         Example #4:
3503         
3504             - I add Variables
3505             - You query NamedProperties(5)
3506             
3507             Neither NamedProperties nor NamedProperties(5) is a member. We next query
3508             World. World is a member, but it's a super member, so we return false.
3509         
3510         Overlap queries require that either the heap being queried is in the set (either
3511         direct or super), or that one of its ancestors is a direct member. Another way to
3512         think about how this works is that two heaps A and B are said to overlap if
3513         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
3514         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
3515         heaps and answers the question, "is any member in the set an ancestor (i.e.
3516         supertype) of some other heap". We would have the set contain the heaps themselves,
3517         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
3518         chain of A, and repeatedly querying its membership in the set. This is what the
3519         "direct" members of our set do. Now consider the other part, where we want to ask if
3520         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
3521         would implement this by implementing set.add(B) as adding not just B but also all of
3522         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
3523         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
3524         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
3525         heap" question. ClobberSet does this, but combines the two sets into a single
3526         HashMap. The HashMap's value, "direct", means that the key is a member of both the
3527         supertype set and the subtype set; if it's false then it's only a member of one of
3528         them.
3529         
3530         Finally, this adds a functorized clobberize() method that adds the read and write
3531         clobbers of a DFG::Node to read and write functors. Common functors for adding to
3532         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
3533         are also provided. This allows you to say things like:
3534         
3535             ClobberSet set;
3536             addWrites(graph, node1, set);
3537             if (readsOverlap(graph, node2, set))
3538                 // We know that node1 may write to something that node2 may read from.
3539         
3540         Currently this facility is only used to improve graph dumping, but it will be
3541         instrumental in both LICM and GVN. In the future, I want to completely kill the
3542         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
3543         of accomplishing almost exactly what AbstractHeap gives you.
3544
3545         * JavaScriptCore.xcodeproj/project.pbxproj:
3546         * dfg/DFGAbstractHeap.cpp: Added.
3547         (DFG):
3548         (JSC::DFG::AbstractHeap::Payload::dump):
3549         (JSC::DFG::AbstractHeap::dump):
3550         (WTF):
3551         (WTF::printInternal):
3552         * dfg/DFGAbstractHeap.h: Added.
3553         (DFG):
3554         (AbstractHeap):
3555         (Payload):
3556         (JSC::DFG::AbstractHeap::Payload::Payload):
3557         (JSC::DFG::AbstractHeap::Payload::top):
3558         (JSC::DFG::AbstractHeap::Payload::isTop):
3559         (JSC::DFG::AbstractHeap::Payload::value):
3560         (JSC::DFG::AbstractHeap::Payload::valueImpl):
3561         (JSC::DFG::AbstractHeap::Payload::operator==):
3562         (JSC::DFG::AbstractHeap::Payload::operator!=):
3563         (JSC::DFG::AbstractHeap::Payload::operator<):
3564         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
3565         (JSC::DFG::AbstractHeap::Payload::overlaps):
3566         (JSC::DFG::AbstractHeap::AbstractHeap):
3567         (JSC::DFG::AbstractHeap::operator!):
3568         (JSC::DFG::AbstractHeap::kind):
3569         (JSC::DFG::AbstractHeap::payload):
3570         (JSC::DFG::AbstractHeap::isDisjoint):
3571         (JSC::DFG::AbstractHeap::overlaps):
3572         (JSC::DFG::AbstractHeap::supertype):
3573         (JSC::DFG::AbstractHeap::hash):
3574         (JSC::DFG::AbstractHeap::operator==):
3575         (JSC::DFG::AbstractHeap::operator!=):
3576         (JSC::DFG::AbstractHeap::operator<):
3577         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
3578         (JSC::DFG::AbstractHeap::payloadImpl):
3579         (JSC::DFG::AbstractHeap::encode):
3580         (JSC::DFG::AbstractHeapHash::hash):
3581         (JSC::DFG::AbstractHeapHash::equal):
3582         (AbstractHeapHash):
3583         (WTF):
3584         * dfg/DFGClobberSet.cpp: Added.
3585         (DFG):
3586         (JSC::DFG::ClobberSet::ClobberSet):
3587         (JSC::DFG::ClobberSet::~ClobberSet):
3588         (JSC::DFG::ClobberSet::add):
3589         (JSC::DFG::ClobberSet::addAll):
3590         (JSC::DFG::ClobberSet::contains):
3591         (JSC::DFG::ClobberSet::overlaps):
3592         (JSC::DFG::ClobberSet::clear):
3593         (JSC::DFG::ClobberSet::direct):
3594         (JSC::DFG::ClobberSet::super):
3595         (JSC::DFG::ClobberSet::dump):
3596         (JSC::DFG::ClobberSet::setOf):
3597         (JSC::DFG::addReads):
3598         (JSC::DFG::addWrites):
3599         (JSC::DFG::addReadsAndWrites):
3600         (JSC::DFG::readsOverlap):
3601         (JSC::DFG::writesOverlap):
3602         * dfg/DFGClobberSet.h: Added.
3603         (DFG):
3604         (ClobberSet):
3605         (JSC::DFG::ClobberSet::isEmpty):
3606         (ClobberSetAdd):
3607         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
3608         (JSC::DFG::ClobberSetAdd::operator()):
3609         (ClobberSetOverlaps):
3610         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
3611         (JSC::DFG::ClobberSetOverlaps::operator()):
3612         (JSC::DFG::ClobberSetOverlaps::result):
3613         * dfg/DFGClobberize.cpp: Added.
3614         (DFG):
3615         (JSC::DFG::didWrites):
3616         * dfg/DFGClobberize.h: Added.
3617         (DFG):
3618         (JSC::DFG::clobberize):
3619         (NoOpClobberize):
3620         (JSC::DFG::NoOpClobberize::NoOpClobberize):
3621         (JSC::DFG::NoOpClobberize::operator()):
3622         (CheckClobberize):
3623         (JSC::DFG::CheckClobberize::CheckClobberize):
3624         (JSC::DFG::CheckClobberize::operator()):
3625         (JSC::DFG::CheckClobberize::result):
3626         * dfg/DFGGraph.cpp:
3627         (JSC::DFG::Graph::dump):
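
The two-set idea described in the entry above, worked through as an added illustration. This is editor-supplied example code, not JavaScriptCore's own dfg/DFGClobberSet.cpp or dfg/DFGAbstractHeap.h: the heap kinds (World, NamedProperties, IndexedProperties, Int32Array), the parent relation between them, the use of -1 as the "top" payload, and the scenario function are all constructed for this example. The one map carries both sets: a value of true marks a "direct" member (the heap itself was added), false marks an ancestor recorded only so that supertype queries are a single lookup.

```cpp
#include <cstdint>
#include <map>
#include <utility>

// Toy heap hierarchy, constructed for this illustration (JSC's real kinds
// differ). A kind's parent is its supertype; World is the root of all heaps.
enum Kind { World, NamedProperties, IndexedProperties, Int32Array };

// Payload -1 stands in for "top": the heap covering every payload of a kind
// (e.g. "any named property"). Any other value names one specific payload.
const int64_t TopPayload = -1;

typedef std::pair<Kind, int64_t> AbstractHeap;

AbstractHeap heapOf(Kind kind, int64_t payload = TopPayload)
{
    return AbstractHeap(kind, payload);
}

Kind parentKind(Kind kind)
{
    if (kind == Int32Array)
        return IndexedProperties;
    return World; // NamedProperties and IndexedProperties sit under World.
}

// A heap with a specific payload is a subtype of the same kind with top
// payload; a top-payload heap's supertype is its parent kind with top payload.
AbstractHeap supertype(AbstractHeap heap)
{
    if (heap.second != TopPayload)
        return heapOf(heap.first, TopPayload);
    return heapOf(parentKind(heap.first), TopPayload);
}

class ClobberSet {
public:
    // Record the heap as a direct member (true) and each ancestor as a super
    // member (false). If an ancestor is already present, the rest of the
    // chain above it was recorded by an earlier add(), so the walk stops.
    void add(AbstractHeap heap)
    {
        std::map<AbstractHeap, bool>::iterator it = m_clobbers.find(heap);
        if (it != m_clobbers.end()) {
            if (it->second)
                return; // Already direct, so its ancestors are recorded.
            it->second = true; // Was only a super member; promote it.
        } else
            m_clobbers[heap] = true;
        while (heap.first != World) {
            heap = supertype(heap);
            if (!m_clobbers.insert(std::make_pair(heap, false)).second)
                return;
        }
    }

    // Direct membership only; super members do not count.
    bool contains(AbstractHeap heap) const
    {
        std::map<AbstractHeap, bool>::const_iterator it = m_clobbers.find(heap);
        return it != m_clobbers.end() && it->second;
    }

    // "Does any member overlap this heap?" If the heap is in the map at all
    // (direct or super), some member is the heap or a descendant of it. Else
    // walk up: a direct member among its ancestors means the heap is a
    // descendant of a member.
    bool overlaps(AbstractHeap heap) const
    {
        if (m_clobbers.find(heap) != m_clobbers.end())
            return true;
        while (heap.first != World) {
            heap = supertype(heap);
            if (contains(heap))
                return true;
        }
        return false;
    }

    bool isEmpty() const { return m_clobbers.empty(); }

private:
    std::map<AbstractHeap, bool> m_clobbers;
};

// Constructed scenario: a node that writes NamedProperties[7] (7 standing in
// for some interned identifier) and every Int32Array element.
ClobberSet writesOfExampleNode()
{
    ClobberSet set;
    set.add(heapOf(NamedProperties, 7));
    set.add(heapOf(Int32Array));
    return set;
}
```

With that set, overlaps() is true for NamedProperties[7], for NamedProperties and World (ancestors of a member), and for Int32Array[3] and IndexedProperties (descendant and ancestor of the other member), but false for NamedProperties[8] and IndexedProperties[5], which share an ancestor with a member without being on its chain. contains() stays false for the ancestors, which is the distinction the direct flag exists to preserve. A std::map keyed on a pair is used here purely to keep the example self-contained; a hash map keyed on the heap's encoding, as the entry describes, is the natural choice once AbstractHeap has a hash.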
3628
3629 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3630
3631         fourthTier: It should be easy to figure out which blocks nodes belong to
3632         https://bugs.webkit.org/show_bug.cgi?id=118957
3633
3634         Reviewed by Sam Weinig.
3635
3636         * dfg/DFGGraph.cpp:
3637         (DFG):
3638         (JSC::DFG::Graph::initializeNodeOwners):
3639         * dfg/DFGGraph.h:
3640         (Graph):
3641         * dfg/DFGNode.h:
3642
3643 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3644
3645         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
3646         https://bugs.webkit.org/show_bug.cgi?id=118956
3647
3648         Reviewed by Sam Weinig.
3649         
3650         We had two ways of expressing that something exits forward: the NodeExitsForward
3651         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
3652         makes it just be a flag.
3653
3654         * dfg/DFGAbstractInterpreterInlines.h:
3655         (JSC::DFG::::executeEffects):
3656         * dfg/DFGArgumentsSimplificationPhase.cpp:
3657         (JSC::DFG::ArgumentsSimplificationPhase::run):
3658         * dfg/DFGCSEPhase.cpp:
3659         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
3660         (JSC::DFG::CSEPhase::checkStructureElimination):
3661         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3662         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3663         (JSC::DFG::CSEPhase::checkArrayElimination):
3664         (JSC::DFG::CSEPhase::performNodeCSE):
3665         * dfg/DFGConstantFoldingPhase.cpp:
3666         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3667         * dfg/DFGFixupPhase.cpp:
3668         (JSC::DFG::FixupPhase::fixupNode):
3669         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3670         * dfg/DFGMinifiedNode.h:
3671         (JSC::DFG::belongsInMinifiedGraph):
3672         (JSC::DFG::MinifiedNode::hasChild):
3673         * dfg/DFGNode.h:
3674         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
3675         (JSC::DFG::Node::hasStructureSet):
3676         (JSC::DFG::Node::hasStructure):
3677         (JSC::DFG::Node::hasArrayMode):
3678         (JSC::DFG::Node::willHaveCodeGenOrOSR):
3679         * dfg/DFGNodeType.h:
3680         (DFG):
3681         (JSC::DFG::needsOSRForwardRewiring):
3682         * dfg/DFGPredictionPropagationPhase.cpp:
3683         (JSC::DFG::PredictionPropagationPhase::propagate):
3684         * dfg/DFGSafeToExecute.h:
3685         (JSC::DFG::safeToExecute):
3686         * dfg/DFGSpeculativeJIT.cpp:
3687         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
3688         * dfg/DFGSpeculativeJIT32_64.cpp:
3689         (JSC::DFG::SpeculativeJIT::compile):
3690         * dfg/DFGSpeculativeJIT64.cpp:
3691         (JSC::DFG::SpeculativeJIT::compile):
3692         * dfg/DFGTypeCheckHoistingPhase.cpp:
3693         (JSC::DFG::TypeCheckHoistingPhase::run):
3694         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3695         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3696         * dfg/DFGVariableEventStream.cpp:
3697         (JSC::DFG::VariableEventStream::reconstruct):
3698         * ftl/FTLCapabilities.cpp:
3699         (JSC::FTL::canCompile):
3700         * ftl/FTLLowerDFGToLLVM.cpp:
3701         (JSC::FTL::LowerDFGToLLVM::compileNode):
3702         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
3703
3704 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3705
3706         fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
3707         https://bugs.webkit.org/show_bug.cgi?id=118946
3708
3709         Reviewed by Geoffrey Garen.
3710         
3711         We want to decouple the exit target code origin of a node from the code origin
3712         for all other purposes. The purposes of code origins are:
3713         
3714         - Where the node will exit, if it exits. The exit target should be consistent with
3715           the surrounding nodes, in that if you just looked at the code origins of nodes in
3716           the graph, they would be consistent with the code origins in bytecode. This is
3717           necessary for live-at-bytecode analyses to work, and to preserve the original
3718           bytecode semantics when exiting.
3719         
3720         - What kind of code the node came from, for semantics thingies. For example, we
3721           might use the code origin to find the node's global object for doing an original
3722           array check. Or we might use it to determine if the code is in strict mode. Or
3723           other similar things. When we use the code origin in this way, we're basically
3724           using it as a way of describing the node's meta-data without putting it into the
3725           node directly, to save space. In the absurd extreme you could imagine nodes not
3726           even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
3727           what bytecode the node originated from. We won't do that, but you can think of
3728           this use of code origins as just a way of compressing meta-data.
3729         
3730         - What code origin we should supply profiling to, if we exit. This is closely
3731           related to the semantics thingies, in that the exit profiling is a persistent
3732           kind of semantic meta-data that survives between recompiles, and the only way to
3733           do that is to ascribe it to the original bytecode via the code origin.
3734         
3735         If we hoist a node, we need to change the exit target code origin, but we must not
3736         change the code origin for other purposes. The best way to do this is to decouple
3737         the two kinds of code origin.
3738         
3739         OSR exit data structures already do this, because they may edit the exit target
3740         code origin while keeping the code origin for profiling intact. This happens for
3741         forward exits. So, we just need to thread separation all the way back to DFG::Node.
3742         That's what this patch does.
3743
3744         * dfg/DFGNode.h:
3745         (JSC::DFG::Node::Node):
3746         (Node):
3747         * dfg/DFGOSRExit.cpp:
3748         (JSC::DFG::OSRExit::OSRExit):
3749         * dfg/DFGOSRExitBase.h:
3750         (JSC::DFG::OSRExitBase::OSRExitBase):
3751         * dfg/DFGSpeculativeJIT.cpp:
3752         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3753         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3754         * dfg/DFGSpeculativeJIT.h:
3755         (SpeculativeJIT):
3756         * ftl/FTLLowerDFGToLLVM.cpp:
3757         (JSC::FTL::LowerDFGToLLVM::compileNode):
3758         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3759         (LowerDFGToLLVM):
3760         * ftl/FTLOSRExit.cpp:
3761         (JSC::FTL::OSRExit::OSRExit):
3762         * ftl/FTLOSRExit.h:
3763         (OSRExit):
3764
3765 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
3766
3767         fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
3768         https://bugs.webkit.org/show_bug.cgi?id=118866
3769
3770         Reviewed by Sam Weinig.
3771         
3772         Adds a safeToExecute() method that takes a node and an abstract state and tells you
3773         if the node will run without crashing under that state.
3774
3775         * JavaScriptCore.xcodeproj/project.pbxproj:
3776         * bytecode/CodeBlock.cpp:
3777         (JSC::CodeBlock::CodeBlock):
3778         * dfg/DFGCFAPhase.cpp:
3779         (CFAPhase):
3780         (JSC::DFG::CFAPhase::CFAPhase):
3781         (JSC::DFG::CFAPhase::run):
3782         (JSC::DFG::CFAPhase::performBlockCFA):
3783         (JSC::DFG::CFAPhase::performForwardCFA):
3784         * dfg/DFGSafeToExecute.h: Added.
3785         (DFG):
3786         (SafeToExecuteEdge):
3787         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
3788         (JSC::DFG::SafeToExecuteEdge::operator()):
3789         (JSC::DFG::SafeToExecuteEdge::result):
3790         (JSC::DFG::safeToExecute):
3791         * dfg/DFGStructureAbstractValue.h:
3792         (JSC::DFG::StructureAbstractValue::isValidOffset):
3793         (StructureAbstractValue):
3794         * runtime/Options.h:
3795         (JSC):
3796
3797 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
3798
3799         fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
3800         https://bugs.webkit.org/show_bug.cgi?id=118948
3801
3802         Reviewed by Sam Weinig.
3803         
3804         - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
3805           This allows doing "what if" experiments with IR generation, even if the generated IR
3806           can't yet execute.
3807         
3808         - Add an OSR exit path that just calls an intrinsic that combines the branch and the
3809           off-ramp.
3810
3811         * JavaScriptCore.xcodeproj/project.pbxproj:
3812         * dfg/DFGPlan.cpp:
3813         (JSC::DFG::Plan::compileInThreadImpl):
3814         * ftl/FTLFail.cpp: Added.
3815         (FTL):
3816         (JSC::FTL::fail):
3817         * ftl/FTLFail.h: Added.
3818         (FTL):
3819         * ftl/FTLIntrinsicRepository.h:
3820         (FTL):
3821         * ftl/FTLLowerDFGToLLVM.cpp:
3822         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3823         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
3824         * runtime/Options.h:
3825         (JSC):
3826
3827 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3828
3829         fourthTier: StringObjectUse uses structures, and CSE should know that
3830         https://bugs.webkit.org/show_bug.cgi?id=118940
3831
3832         Reviewed by Geoffrey Garen.
3833         
3834         This is asymptomatic right now, but we should fix it.
3835
3836         * JavaScriptCore.xcodeproj/project.pbxproj:
3837         * dfg/DFGCSEPhase.cpp:
3838         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3839         * dfg/DFGEdgeUsesStructure.h: Added.
3840         (DFG):
3841         (EdgeUsesStructure):
3842         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
3843         (JSC::DFG::EdgeUsesStructure::operator()):
3844         (JSC::DFG::EdgeUsesStructure::result):
3845         (JSC::DFG::edgesUseStructure):
3846         * dfg/DFGUseKind.h:
3847         (DFG):
3848         (JSC::DFG::usesStructure):
3849
3850 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3851
3852         fourthTier: String GetByVal out-of-bounds handling is so wrong
3853         https://bugs.webkit.org/show_bug.cgi?id=118935
3854
3855         Reviewed by Geoffrey Garen.
3856         
3857         Bunch of String GetByVal out-of-bounds fixes:
3858         
3859         - Even if the string proto chain is sane, we need to watch out for negative
3860           indices. They may get values or call getters in the prototypes, since proto
3861           sanity doesn't check for negative indexed properties, as they are not
3862           technically indexed properties.
3863         
3864         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
3865           given this information.
3866         
3867         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
3868           given this information.
3869         
3870         Also fixed some other things:
3871         
3872         - If the DFG is disabled, the testRunner should pretend that we've done a
3873           bunch of DFG compiles. That's necessary to prevent the tests from timing
3874           out.
3875         
3876         - Disassembler shouldn't try to dump source code since it's not safe in the
3877           concurrent JIT.
3878
3879         * API/JSCTestRunnerUtils.cpp:
3880         (JSC::numberOfDFGCompiles):
3881         * JavaScriptCore.xcodeproj/project.pbxproj:
3882         * dfg/DFGAbstractInterpreterInlines.h:
3883         (JSC::DFG::::executeEffects):
3884         * dfg/DFGDisassembler.cpp:
3885         (JSC::DFG::Disassembler::dumpHeader):
3886         * dfg/DFGGraph.h:
3887         (JSC::DFG::Graph::byValIsPure):
3888         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
3889         (DFG):
3890         (SaneStringGetByValSlowPathGenerator):
3891         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
3892         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
3893         * dfg/DFGSpeculativeJIT.cpp:
3894         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3895
3896 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3897
3898         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
3899         https://bugs.webkit.org/show_bug.cgi?id=118911
3900
3901         Reviewed by Geoffrey Garen.
3902         
3903         We could also have a separate method like "willNotCrash(offset)", but that's not
3904         what isValidOffset() is intended to mean.
3905
3906         * runtime/Structure.h:
3907         (JSC::Structure::isValidOffset):
3908
3909 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3910
3911         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
3912         https://bugs.webkit.org/show_bug.cgi?id=118878
3913
3914         Reviewed by Oliver Hunt.
3915         
3916         - Change Structure::isValidOffset() to actually answer the question "If I attempted
3917           to load from an object of this structure, at this offset, would I commit suicide
3918           or would I get back some kind of value?"
3919         
3920         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
3921           way from the start.
3922         
3923         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
3924         
3925         - Make GetByOffset also reference the base object in addition to the butterfly.
3926         
3927         The future use of this power will be to answer questions like "If I hoisted this
3928         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
3929         fine?"
3930         
3931         I don't currently plan to use this power to perform validation, since the CSE has
3932         the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
3933         remove - both in the case of StructureSets where size >= 2 and in the case of
3934         CheckStructures that match across PutStructures. At first I tried to write a
3935         validator that was aware of this, but the validation code got way too complicated
3936         and I started having nightmares of spurious assertion bugs being filed against me.
3937         
3938         This also changes some of the code for how we hash FunctionExecutable's for debug
3939         dumps, since that code still had some thread-safety issues. Basically, the
3940         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
3941         that could transitively try to compute the hash from the source code. The source
3942         code is a string that may be lazily computed, and that involves all manner of thread
3943         unsafe things.
3944
3945         * bytecode/CodeOrigin.cpp:
3946         (JSC::InlineCallFrame::hash):
3947         * dfg/DFGAbstractInterpreterInlines.h: